audit: type=1400 audit(1567424350.964:7): avc: denied { map } for pid=1769 comm="syz-executor612" path="/root/syz-executor612500582" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 audit: type=1400 audit(1567424350.964:8): avc: denied { prog_load } for pid=1769 comm="syz-executor612" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 audit: type=1400 audit(1567424351.014:9): avc: denied { prog_run } for pid=1769 comm="syz-executor612" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 ================================================================== BUG: KASAN: slab-out-of-bounds in bpf_skb_proto_xlat net/core/filter.c:2151 [inline] BUG: KASAN: slab-out-of-bounds in ____bpf_skb_change_proto net/core/filter.c:2189 [inline] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_proto+0xcc2/0x1080 net/core/filter.c:2164 Read of size 2 at addr ffff8881d0836eb8 by task syz-executor612/1769 CPU: 1 PID: 1769 Comm: syz-executor612 Not tainted 4.14.141+ #40 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0xca/0x134 lib/dump_stack.c:53 print_address_description+0x60/0x226 mm/kasan/report.c:187 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316 bpf_skb_proto_xlat net/core/filter.c:2151 [inline] ____bpf_skb_change_proto net/core/filter.c:2189 [inline] bpf_skb_change_proto+0xcc2/0x1080 net/core/filter.c:2164 ___bpf_prog_run+0x2478/0x5510 kernel/bpf/core.c:1086 Allocated by task 269: save_stack mm/kasan/common.c:76 [inline] set_track mm/kasan/common.c:85 [inline] __kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:495 slab_post_alloc_hook mm/slab.h:439 [inline] slab_alloc_node mm/slub.c:2792 [inline] slab_alloc mm/slub.c:2800 [inline] kmem_cache_alloc+0xee/0x360 mm/slub.c:2805 prepare_creds+0x25/0x370 kernel/cred.c:255 selinux_setprocattr+0x2a3/0x870 security/selinux/hooks.c:6049 security_setprocattr+0x7a/0xb0 security/security.c:1274 proc_pid_attr_write+0x1cb/0x290 fs/proc/base.c:2590 __vfs_write+0xf9/0x5a0 fs/read_write.c:482 vfs_write+0x17f/0x4d0 fs/read_write.c:546 SYSC_write fs/read_write.c:594 [inline] SyS_write+0x102/0x250 fs/read_write.c:586 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 0xffffffffffffffff Freed by task 347: save_stack mm/kasan/common.c:76 [inline] set_track mm/kasan/common.c:85 [inline] __kasan_slab_free+0x164/0x210 mm/kasan/common.c:457 slab_free_hook mm/slub.c:1407 [inline] slab_free_freelist_hook mm/slub.c:1458 [inline] slab_free mm/slub.c:3039 [inline] kmem_cache_free+0xd7/0x3b0 mm/slub.c:3055 __rcu_reclaim kernel/rcu/rcu.h:195 [inline] rcu_do_batch kernel/rcu/tree.c:2699 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline] rcu_process_callbacks+0x59f/0xf60 kernel/rcu/tree.c:2946 __do_softirq+0x234/0x9ec kernel/softirq.c:288 The buggy address belongs to the object at ffff8881d0836e00 which belongs to the cache cred_jar of size 168 The buggy address is located 16 bytes to the right of 168-byte region [ffff8881d0836e00, ffff8881d0836ea8) The buggy address belongs to the page: page:ffffea0007420d80 count:1 mapcount:0 mapping: (null) index:0x0 flags: 0x4000000000000200(slab) raw: 4000000000000200 0000000000000000 0000000000000000 0000000100100010 raw: dead000000000100 dead000000000200 ffff8881da823c00 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881d0836d80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc ffff8881d0836e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8881d0836e80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc ^ ffff8881d0836f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881d0836f80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc ==================================================================