audit: type=1400 audit(2000000154.690:11184): avc: denied { write } for pid=16318 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
ip6_tunnel: 6tnl0 xmit: Local address not yet configured!
==================================================================
audit: type=1400 audit(2000000154.850:11185): avc: denied { map } for pid=16323 comm="modprobe" path="/bin/kmod" dev="sda1" ino=1440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
BUG: KASAN: slab-out-of-bounds in __ptr_ring_produce include/linux/ptr_ring.h:109 [inline]
BUG: KASAN: slab-out-of-bounds in ptr_ring_produce include/linux/ptr_ring.h:132 [inline]
BUG: KASAN: slab-out-of-bounds in skb_array_produce include/linux/skb_array.h:48 [inline]
BUG: KASAN: slab-out-of-bounds in tun_net_xmit+0xe09/0xed0 drivers/net/tun.c:916
Read of size 8 at addr ffff8881d4b90f20 by task syz-executor5/30105

CPU: 1 PID: 30105 Comm: syz-executor5 Not tainted 4.14.91+ #3
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x10e lib/dump_stack.c:53
audit: type=1400 audit(2000000154.850:11186): avc: denied { map } for pid=16323 comm="modprobe" path="/bin/kmod" dev="sda1" ino=1440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
 print_address_description+0x60/0x226 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0x88/0x2a5 mm/kasan/report.c:393
audit: type=1400 audit(2000000154.860:11187): avc: denied { map } for pid=16327 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(2000000154.860:11188): avc: denied { map } for pid=16323 comm="modprobe" path="/lib/x86_64-linux-gnu/ld-2.13.so" dev="sda1" ino=2668 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(2000000154.860:11189): avc: denied { map } for pid=16323 comm="modprobe" path="/lib/x86_64-linux-gnu/ld-2.13.so" dev="sda1" ino=2668 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(2000000154.870:11190): avc: denied { map } for pid=16327 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(2000000154.870:11191): avc: denied { map } for pid=16327 comm="blkid" path="/lib/x86_64-linux-gnu/ld-2.13.so" dev="sda1" ino=2668 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(2000000154.880:11192): avc: denied { map } for pid=16327 comm="blkid" path="/lib/x86_64-linux-gnu/ld-2.13.so" dev="sda1" ino=2668 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1

Allocated by task 16331:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551
 __kmalloc+0x143/0x340 mm/slub.c:3760
 __kmalloc_node include/linux/slab.h:356 [inline]
 kmalloc_node include/linux/slab.h:530 [inline]
 kvmalloc_node+0x43/0xd0 mm/util.c:397
 kvmalloc include/linux/mm.h:531 [inline]
 kvmalloc_array include/linux/mm.h:547 [inline]
 __ptr_ring_init_queue_alloc include/linux/ptr_ring.h:455 [inline]
 ptr_ring_resize_multiple include/linux/ptr_ring.h:613 [inline]
 skb_array_resize_multiple include/linux/skb_array.h:200 [inline]
 tun_queue_resize drivers/net/tun.c:2815 [inline]
 tun_device_event+0x461/0xd70 drivers/net/tun.c:2833
 notifier_call_chain+0x10c/0x1a0 kernel/notifier.c:93

Freed by task 14842:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1389 [inline]
 slab_free_freelist_hook mm/slub.c:1410 [inline]
 slab_free mm/slub.c:2966 [inline]
 kfree+0xf5/0x310 mm/slub.c:3897
 avc_dump_query security/selinux/avc.c:157 [inline]
 avc_audit_post_callback+0x310/0x3d0 security/selinux/avc.c:727
 common_lsm_audit+0x532/0x1ce0 security/lsm_audit.c:462
 slow_avc_audit+0x14b/0x1e0 security/selinux/avc.c:771
 avc_audit security/selinux/include/avc.h:141 [inline]
 avc_has_perm+0x2d1/0x350 security/selinux/avc.c:1146
 inode_has_perm security/selinux/hooks.c:1771 [inline]
 selinux_mmap_file+0x209/0x360 security/selinux/hooks.c:3621

The buggy address belongs to the object at ffff8881d4b90f00
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes to the right of
 32-byte region [ffff8881d4b90f00, ffff8881d4b90f20)
The buggy address belongs to the page:
page:ffffea000752e400 count:1 mapcount:0 mapping: (null) index:0xffff8881d4b90450
flags: 0x4000000000000100(slab)
raw: 4000000000000100 0000000000000000 ffff8881d4b90450 0000000180550054
raw: ffffea0007415040 0000000300000003 ffff8881da803800 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d4b90e00: fc fc 00 00 00 fc fc fc 00 00 00 00 fc fc fb fb
 ffff8881d4b90e80: fb fb fc fc fb fb fb fb fc fc 00 00 00 00 fc fc
>ffff8881d4b90f00: 00 00 00 00 fc fc fb fb fb fb fc fc fb fb fb fb
                                ^
 ffff8881d4b90f80: fc fc fb fb fb fb fc fc 00 00 00 00 fc fc fc fc
 ffff8881d4b91000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================