1# Test that everything from the "Kernel panic - not syncing" line onward is stripped from the extracted report.
2TITLE: KASAN: invalid-free in selinux_tun_dev_free_security
3
4clock_gettime(0x0, &(0x7f0000475000-0x10)={<r2=>0x0, <r3=>0x0})
5write$sndseq(0xffffffffffffffff, &(0x7f0000929000-0x150)=[{0x3197a6bf, 0x0, 0x4, 0x100, @tick=0x6, {0x7, 0x6c}, {0x2, 0x9}, @connect={{0x1ff, 0x1}, {0x3ff, 0x118c}}}, {0x100000000, 0x2, 0xfffffffffffffffa, 0x2, @tick=0x5d0, {0xf556, 0x7}, {0x3, 0x1000}, @quote={{0x5, 0xfffffffffffffff7}, 0x401, &(0x7f000084a000)={0x10000, 0x9d, 0x8, 0x4, @tick=0x336f, {0x5, 0x1d}, {0x8, 0x7}, @time=@time={0x0, 0x989680}}}}, {0x200, 0x0, 0x99a, 0x6, @tick=0x1, {0x1, 0x158}, {0x200, 0x5}, @connect={{0x8, 0x4}, {0xf2, 0x100000000}}}, {0x40, 0xfffffffffffffffa, 0x100000000, 0x5, @time={r2, r3+10000000}, {0x7, 0x5}, {0x3, 0x0}, @raw32={[0x2, 0x225, 0x1]}}, {0x75f, 0x8, 0x80, 0x80, @tick=0x6, {0x9, 0x9}, {0x1, 0x6}, @queue={0x7, {0x7, 0x6}}}, {0x80, 0x6, 0x3f, 0x80000001, @time={0x0, 0x0}, {0x3f, 0x9}, {0x96, 0xfffffffffffff800}, @raw8={"e5660e9238e6f58b35448e94"}}, {0x6, 0x6f8, 0x3, 0x6, @time={0x77359400, 0x0}, {0x100000001, 0x0}, {0xe870, 0x7}, @connect={{0x4, 0x80}, {0x7ff, 0xfffffffffffffffa}}}], 0x150)
6open$dir(&(0x7f0000265000-0x8)="2e2f66696c653000", 0x400, 0x44)
7[   96.237449] blk_update_request: I/O error, dev loop0, sector 0
8[   96.255274] ==================================================================
9[   96.262735] BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x15/0x20
10[   96.271481]
11[   96.273098] CPU: 0 PID: 11514 Comm: syz-executor5 Not tainted 4.12.0-rc7+ #2
12[   96.280268] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
13[   96.289602] Call Trace:
14[   96.292180]  dump_stack+0x194/0x257
15[   96.295796]  ? arch_local_irq_restore+0x53/0x53
16[   96.300454]  ? load_image_and_restore+0x10f/0x10f
17[   96.305299]  ? selinux_tun_dev_free_security+0x15/0x20
18[   96.310565]  print_address_description+0x7f/0x260
19[   96.315393]  ? selinux_tun_dev_free_security+0x15/0x20
20[   96.320656]  ? selinux_tun_dev_free_security+0x15/0x20
21[   96.325919]  kasan_report_double_free+0x55/0x80
22[   96.330577]  kasan_slab_free+0xa0/0xc0
23[   96.334450]  kfree+0xd3/0x260
24[   96.337545]  selinux_tun_dev_free_security+0x15/0x20
25[   96.342636]  security_tun_dev_free_security+0x48/0x80
26[   96.347822]  __tun_chr_ioctl+0x2cc1/0x3d60
27[   96.352054]  ? tun_chr_close+0x60/0x60
28[   96.355925]  ? lock_downgrade+0x990/0x990
29[   96.360059]  ? lock_release+0xa40/0xa40
30[   96.364025]  ? __lock_is_held+0xb6/0x140
31[   96.368213]  ? check_same_owner+0x320/0x320
32[   96.372530]  ? tun_chr_compat_ioctl+0x30/0x30
33[   96.377005]  tun_chr_ioctl+0x2a/0x40
34[   96.380701]  ? tun_chr_ioctl+0x2a/0x40
35[   96.385099]  do_vfs_ioctl+0x1b1/0x15c0
36[   96.388981]  ? ioctl_preallocate+0x2d0/0x2d0
37[   96.393378]  ? selinux_capable+0x40/0x40
38[   96.397430]  ? SyS_futex+0x2b0/0x3a0
39[   96.401147]  ? security_file_ioctl+0x89/0xb0
40[   96.405547]  SyS_ioctl+0x8f/0xc0
41[   96.408912]  entry_SYSCALL_64_fastpath+0x1f/0xbe
42[   96.413651] RIP: 0033:0x4512c9
43[   96.416824] RSP: 002b:00007fc65827bc08 EFLAGS: 00000216 ORIG_RAX: 0000000000000010
44[   96.424603] RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 00000000004512c9
45[   96.431863] RDX: 000000002053c000 RSI: 00000000400454ca RDI: 0000000000000005
46[   96.439133] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
47[   96.446389] R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004baa97
48[   96.453647] R13: 00000000ffffffff R14: 0000000020124ff3 R15: 0000000000000000
49[   96.460931]
50[   96.462552] Allocated by task 11514:
51[   96.466258]  save_stack_trace+0x16/0x20
52[   96.470212]  save_stack+0x43/0xd0
53[   96.473649]  kasan_kmalloc+0xaa/0xd0
54[   96.477347]  kmem_cache_alloc_trace+0x101/0x6f0
55[   96.481995]  selinux_tun_dev_alloc_security+0x49/0x170
56[   96.487250]  security_tun_dev_alloc_security+0x6d/0xa0
57[   96.492508]  __tun_chr_ioctl+0x16bc/0x3d60
58[   96.496722]  tun_chr_ioctl+0x2a/0x40
59[   96.500417]  do_vfs_ioctl+0x1b1/0x15c0
60[   96.504282]  SyS_ioctl+0x8f/0xc0
61[   96.507630]  entry_SYSCALL_64_fastpath+0x1f/0xbe
62[   96.512367]
63[   96.513973] Freed by task 11514:
64[   96.517323]  save_stack_trace+0x16/0x20
65[   96.521276]  save_stack+0x43/0xd0
66[   96.524709]  kasan_slab_free+0x6e/0xc0
67[   96.528577]  kfree+0xd3/0x260
68[   96.531666]  selinux_tun_dev_free_security+0x15/0x20
69[   96.536747]  security_tun_dev_free_security+0x48/0x80
70[   96.541918]  tun_free_netdev+0x13b/0x1b0
71[   96.545959]  register_netdevice+0x8d0/0xee0
72[   96.550260]  __tun_chr_ioctl+0x1bae/0x3d60
73[   96.554475]  tun_chr_ioctl+0x2a/0x40
74[   96.558169]  do_vfs_ioctl+0x1b1/0x15c0
75[   96.562035]  SyS_ioctl+0x8f/0xc0
76[   96.565385]  entry_SYSCALL_64_fastpath+0x1f/0xbe
77[   96.570116]
78[   96.571724] The buggy address belongs to the object at ffff8801d5961a40
79[   96.571724]  which belongs to the cache kmalloc-32 of size 32
80[   96.584186] The buggy address is located 0 bytes inside of
81[   96.584186]  32-byte region [ffff8801d5961a40, ffff8801d5961a60)
82[   96.595775] The buggy address belongs to the page:
83[   96.600686] page:ffffea00066b8d38 count:1 mapcount:0 mapping:ffff8801d5961000 index:0xffff8801d5961fc1
84[   96.610118] flags: 0x200000000000100(slab)
85[   96.614335] raw: 0200000000000100 ffff8801d5961000 ffff8801d5961fc1 000000010000003f
86[   96.622292] raw: ffffea0006723300 ffffea00066738b8 ffff8801dbc00100
87[   96.628675] page dumped because: kasan: bad access detected
88[   96.634373]
89[   96.635978] Memory state around the buggy address:
90[   96.640884]  ffff8801d5961900: 00 00 01 fc fc fc fc fc 00 00 00 fc fc fc fc fc
91[   96.648222]  ffff8801d5961980: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
92[   96.655567] >ffff8801d5961a00: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
93[   96.663255]                                            ^
94[   96.668685]  ffff8801d5961a80: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
95[   96.676022]  ffff8801d5961b00: 04 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
96[   96.683357] ==================================================================
97[   96.690692] Disabling lock debugging due to kernel taint
98[   96.696117] Kernel panic - not syncing: panic_on_warn set ...
99[   96.696117]
100[   96.703470] CPU: 0 PID: 11514 Comm: syz-executor5 Tainted: G    B           4.12.0-rc7+ #2
101[   96.711847] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
102[   96.721354] Call Trace:
103[   96.723926]  dump_stack+0x194/0x257
104[   96.727539]  ? arch_local_irq_restore+0x53/0x53
105[   96.732366]  ? kasan_end_report+0x32/0x50
106[   96.736497]  ? lock_downgrade+0x990/0x990
107[   96.740631]  panic+0x1e4/0x3fb
108[   96.743807]  ? percpu_up_read_preempt_enable.constprop.38+0xae/0xae
109[   96.750194]  ? add_taint+0x40/0x50
110[   96.753723]  ? selinux_tun_dev_free_security+0x15/0x20
111[   96.758976]  ? selinux_tun_dev_free_security+0x15/0x20
112[   96.764233]  kasan_end_report+0x50/0x50
113[   96.768192]  kasan_report_double_free+0x72/0x80
114[   96.772843]  kasan_slab_free+0xa0/0xc0
115[   96.776711]  kfree+0xd3/0x260
116[   96.779802]  selinux_tun_dev_free_security+0x15/0x20
117[   96.784886]  security_tun_dev_free_security+0x48/0x80
118[   96.790061]  __tun_chr_ioctl+0x2cc1/0x3d60
119[   96.794285]  ? tun_chr_close+0x60/0x60
120[   96.798152]  ? lock_downgrade+0x990/0x990
121[   96.802803]  ? lock_release+0xa40/0xa40
122[   96.806763]  ? __lock_is_held+0xb6/0x140
123[   96.810829]  ? check_same_owner+0x320/0x320
124[   96.815137]  ? tun_chr_compat_ioctl+0x30/0x30
125[   96.819611]  tun_chr_ioctl+0x2a/0x40
126[   96.823306]  ? tun_chr_ioctl+0x2a/0x40
127[   96.827181]  do_vfs_ioctl+0x1b1/0x15c0
128[   96.831057]  ? ioctl_preallocate+0x2d0/0x2d0
129[   96.835450]  ? selinux_capable+0x40/0x40
130[   96.839494]  ? SyS_futex+0x2b0/0x3a0
131[   96.843200]  ? security_file_ioctl+0x89/0xb0
132[   96.847590]  SyS_ioctl+0x8f/0xc0
133[   96.850941]  entry_SYSCALL_64_fastpath+0x1f/0xbe
134[   96.855676] RIP: 0033:0x4512c9
135[   96.859020] RSP: 002b:00007fc65827bc08 EFLAGS: 00000216 ORIG_RAX: 0000000000000010
136[   96.866708] RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 00000000004512c9
137[   96.873956] RDX: 000000002053c000 RSI: 00000000400454ca RDI: 0000000000000005
138[   96.881208] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
139[   96.888461] R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004baa97
140[   96.895708] R13: 00000000ffffffff R14: 0000000020124ff3 R15: 0000000000000000
141[   96.903943] Dumping ftrace buffer:
142[   96.907460]    (ftrace buffer empty)
143[   96.911148] Kernel Offset: disabled
144[   96.914753] Rebooting in 86400 seconds..
145
146REPORT:
147blk_update_request: I/O error, dev loop0, sector 0
148==================================================================
149BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x15/0x20
150
151CPU: 0 PID: 11514 Comm: syz-executor5 Not tainted 4.12.0-rc7+ #2
152Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
153Call Trace:
154 dump_stack+0x194/0x257
155 print_address_description+0x7f/0x260
156 kasan_report_double_free+0x55/0x80
157 kasan_slab_free+0xa0/0xc0
158 kfree+0xd3/0x260
159 selinux_tun_dev_free_security+0x15/0x20
160 security_tun_dev_free_security+0x48/0x80
161 __tun_chr_ioctl+0x2cc1/0x3d60
162 tun_chr_ioctl+0x2a/0x40
163 do_vfs_ioctl+0x1b1/0x15c0
164 SyS_ioctl+0x8f/0xc0
165 entry_SYSCALL_64_fastpath+0x1f/0xbe
166RIP: 0033:0x4512c9
167RSP: 002b:00007fc65827bc08 EFLAGS: 00000216 ORIG_RAX: 0000000000000010
168RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 00000000004512c9
169RDX: 000000002053c000 RSI: 00000000400454ca RDI: 0000000000000005
170RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
171R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004baa97
172R13: 00000000ffffffff R14: 0000000020124ff3 R15: 0000000000000000
173
174Allocated by task 11514:
175 save_stack_trace+0x16/0x20
176 save_stack+0x43/0xd0
177 kasan_kmalloc+0xaa/0xd0
178 kmem_cache_alloc_trace+0x101/0x6f0
179 selinux_tun_dev_alloc_security+0x49/0x170
180 security_tun_dev_alloc_security+0x6d/0xa0
181 __tun_chr_ioctl+0x16bc/0x3d60
182 tun_chr_ioctl+0x2a/0x40
183 do_vfs_ioctl+0x1b1/0x15c0
184 SyS_ioctl+0x8f/0xc0
185 entry_SYSCALL_64_fastpath+0x1f/0xbe
186
187Freed by task 11514:
188 save_stack_trace+0x16/0x20
189 save_stack+0x43/0xd0
190 kasan_slab_free+0x6e/0xc0
191 kfree+0xd3/0x260
192 selinux_tun_dev_free_security+0x15/0x20
193 security_tun_dev_free_security+0x48/0x80
194 tun_free_netdev+0x13b/0x1b0
195 register_netdevice+0x8d0/0xee0
196 __tun_chr_ioctl+0x1bae/0x3d60
197 tun_chr_ioctl+0x2a/0x40
198 do_vfs_ioctl+0x1b1/0x15c0
199 SyS_ioctl+0x8f/0xc0
200 entry_SYSCALL_64_fastpath+0x1f/0xbe
201
202The buggy address belongs to the object at ffff8801d5961a40
203 which belongs to the cache kmalloc-32 of size 32
204The buggy address is located 0 bytes inside of
205 32-byte region [ffff8801d5961a40, ffff8801d5961a60)
206The buggy address belongs to the page:
207page:ffffea00066b8d38 count:1 mapcount:0 mapping:ffff8801d5961000 index:0xffff8801d5961fc1
208flags: 0x200000000000100(slab)
209raw: 0200000000000100 ffff8801d5961000 ffff8801d5961fc1 000000010000003f
210raw: ffffea0006723300 ffffea00066738b8 ffff8801dbc00100
211page dumped because: kasan: bad access detected
212
213Memory state around the buggy address:
214 ffff8801d5961900: 00 00 01 fc fc fc fc fc 00 00 00 fc fc fc fc fc
215 ffff8801d5961980: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
216>ffff8801d5961a00: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
217                                           ^
218 ffff8801d5961a80: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
219 ffff8801d5961b00: 04 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
220==================================================================
221