audit: type=1400 audit(1548943040.417:586): avc: denied { create } for pid=26329 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:218 [inline]
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline]
BUG: KASAN: use-after-free in __atomic_add_unless arch/x86/include/asm/atomic.h:211 [inline]
BUG: KASAN: use-after-free in atomic_add_unless include/linux/atomic.h:437 [inline]
BUG: KASAN: use-after-free in sk_dst_get include/net/sock.h:1745 [inline]
BUG: KASAN: use-after-free in sk_dst_check+0x347/0x380 net/core/sock.c:546
Read of size 4 at addr ffff8800a3a90940 by task syz-executor0/26321

CPU: 1 PID: 26321 Comm: syz-executor0 Not tainted 4.4.172+ #13
 0000000000000000 64269e74bef24720 ffff8801bf4bf718 ffffffff81aacde1
 0000000000000000 ffffea00028ea400 ffff8800a3a90940 0000000000000004
 0000000000000000 ffff8801bf4bf750 ffffffff8148fedd 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [] print_address_description+0x6f/0x21b mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report mm/kasan/report.c:408 [inline]
 [] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393
 [] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:428
 [] __read_once_size include/linux/compiler.h:218 [inline]
 [] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 [] __atomic_add_unless arch/x86/include/asm/atomic.h:211 [inline]
 [] atomic_add_unless include/linux/atomic.h:437 [inline]
 [] sk_dst_get include/net/sock.h:1745 [inline]
 [] sk_dst_check+0x347/0x380 net/core/sock.c:546
 [] udp_sendmsg+0x114f/0x1c60 net/ipv4/udp.c:1019
 [] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec net/socket.c:638 [inline]
 [] sock_sendmsg+0xbe/0x110 net/socket.c:648
 [] ___sys_sendmsg+0x369/0x890 net/socket.c:1975
 [] __sys_sendmmsg+0x130/0x2e0 net/socket.c:2060
 [] SYSC_sendmmsg net/socket.c:2090 [inline]
 [] SyS_sendmmsg+0x35/0x60 net/socket.c:2085
 [] entry_SYSCALL_64_fastpath+0x1e/0x9a

Allocated by task 26321:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack mm/kasan/kasan.c:512 [inline]
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:616
 [] kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:601
 [] kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:554
 [] slab_post_alloc_hook mm/slub.c:1349 [inline]
 [] slab_alloc_node mm/slub.c:2615 [inline]
 [] slab_alloc mm/slub.c:2623 [inline]
 [] kmem_cache_alloc+0xdc/0x2c0 mm/slub.c:2628
 [] dst_alloc+0xf3/0x1b0 net/core/dst.c:210
 [] ipv4_blackhole_route+0x30/0x720 net/ipv4/route.c:2396
 [] make_blackhole net/xfrm/xfrm_policy.c:2161 [inline]
 [] xfrm_lookup_route net/xfrm/xfrm_policy.c:2331 [inline]
 [] xfrm_lookup_route+0xf4/0x140 net/xfrm/xfrm_policy.c:2322
 [] ip_route_output_flow+0x93/0xa0 net/ipv4/route.c:2437
 [] udp_sendmsg+0x1537/0x1c60 net/ipv4/udp.c:1040
 [] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec net/socket.c:638 [inline]
 [] sock_sendmsg+0xbe/0x110 net/socket.c:648
 [] ___sys_sendmsg+0x369/0x890 net/socket.c:1975
 [] __sys_sendmmsg+0x130/0x2e0 net/socket.c:2060
 [] SYSC_sendmmsg net/socket.c:2090 [inline]
 [] SyS_sendmmsg+0x35/0x60 net/socket.c:2085
 [] entry_SYSCALL_64_fastpath+0x1e/0x9a

Freed by task 14698:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack mm/kasan/kasan.c:512 [inline]
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589
 [] slab_free_hook mm/slub.c:1383 [inline]
 [] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [] slab_free mm/slub.c:2859 [inline]
 [] kmem_cache_free+0xbe/0x350 mm/slub.c:2881
 [] dst_destroy+0x26f/0x330 net/core/dst.c:270
 [] dst_gc_task+0x1be/0x530 net/core/dst.c:89
 [] process_one_work+0x825/0x1720 kernel/workqueue.c:2064
 [] worker_thread+0x4e4/0xf50 kernel/workqueue.c:2196
 [] kthread+0x273/0x310 kernel/kthread.c:211
 [] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537

The buggy address belongs to the object at ffff8800a3a908c0
 which belongs to the cache ip_dst_cache of size 208
The buggy address is located 128 bytes inside of
 208-byte region [ffff8800a3a908c0, ffff8800a3a90990)
The buggy address belongs to the page:
audit: type=1400 audit(1548943041.347:587): avc: denied { sigchld } for pid=2120 comm="syz-executor2" scontext=system_u:object_r:unlabeled_t:s0 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=process permissive=0
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 655.260073] ------------[ cut here ]------------
WARNING: CPU: 0 PID: 2120 at kernel/sched/core.c:7941 __might_sleep+0x138/0x1a0 kernel/sched/core.c:7941()
do not call blocking ops when !TASK_RUNNING; state=1 set at [] do_wait+0x265/0xa00 kernel/exit.c:1503