1# Test that we strip the report after "Kernel panic - not syncing" line. 2TITLE: KASAN: invalid-free in selinux_tun_dev_free_security 3 4clock_gettime(0x0, &(0x7f0000475000-0x10)={<r2=>0x0, <r3=>0x0}) 5write$sndseq(0xffffffffffffffff, &(0x7f0000929000-0x150)=[{0x3197a6bf, 0x0, 0x4, 0x100, @tick=0x6, {0x7, 0x6c}, {0x2, 0x9}, @connect={{0x1ff, 0x1}, {0x3ff, 0x118c}}}, {0x100000000, 0x2, 0xfffffffffffffffa, 0x2, @tick=0x5d0, {0xf556, 0x7}, {0x3, 0x1000}, @quote={{0x5, 0xfffffffffffffff7}, 0x401, &(0x7f000084a000)={0x10000, 0x9d, 0x8, 0x4, @tick=0x336f, {0x5, 0x1d}, {0x8, 0x7}, @time=@time={0x0, 0x989680}}}}, {0x200, 0x0, 0x99a, 0x6, @tick=0x1, {0x1, 0x158}, {0x200, 0x5}, @connect={{0x8, 0x4}, {0xf2, 0x100000000}}}, {0x40, 0xfffffffffffffffa, 0x100000000, 0x5, @time={r2, r3+10000000}, {0x7, 0x5}, {0x3, 0x0}, @raw32={[0x2, 0x225, 0x1]}}, {0x75f, 0x8, 0x80, 0x80, @tick=0x6, {0x9, 0x9}, {0x1, 0x6}, @queue={0x7, {0x7, 0x6}}}, {0x80, 0x6, 0x3f, 0x80000001, @time={0x0, 0x0}, {0x3f, 0x9}, {0x96, 0xfffffffffffff800}, @raw8={"e5660e9238e6f58b35448e94"}}, {0x6, 0x6f8, 0x3, 0x6, @time={0x77359400, 0x0}, {0x100000001, 0x0}, {0xe870, 0x7}, @connect={{0x4, 0x80}, {0x7ff, 0xfffffffffffffffa}}}], 0x150) 6open$dir(&(0x7f0000265000-0x8)="2e2f66696c653000", 0x400, 0x44) 7[ 96.237449] blk_update_request: I/O error, dev loop0, sector 0 8[ 96.255274] ================================================================== 9[ 96.262735] BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x15/0x20 10[ 96.271481] 11[ 96.273098] CPU: 0 PID: 11514 Comm: syz-executor5 Not tainted 4.12.0-rc7+ #2 12[ 96.280268] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 13[ 96.289602] Call Trace: 14[ 96.292180] dump_stack+0x194/0x257 15[ 96.295796] ? arch_local_irq_restore+0x53/0x53 16[ 96.300454] ? load_image_and_restore+0x10f/0x10f 17[ 96.305299] ? selinux_tun_dev_free_security+0x15/0x20 18[ 96.310565] print_address_description+0x7f/0x260 19[ 96.315393] ? selinux_tun_dev_free_security+0x15/0x20 20[ 96.320656] ? selinux_tun_dev_free_security+0x15/0x20 21[ 96.325919] kasan_report_double_free+0x55/0x80 22[ 96.330577] kasan_slab_free+0xa0/0xc0 23[ 96.334450] kfree+0xd3/0x260 24[ 96.337545] selinux_tun_dev_free_security+0x15/0x20 25[ 96.342636] security_tun_dev_free_security+0x48/0x80 26[ 96.347822] __tun_chr_ioctl+0x2cc1/0x3d60 27[ 96.352054] ? tun_chr_close+0x60/0x60 28[ 96.355925] ? lock_downgrade+0x990/0x990 29[ 96.360059] ? lock_release+0xa40/0xa40 30[ 96.364025] ? __lock_is_held+0xb6/0x140 31[ 96.368213] ? check_same_owner+0x320/0x320 32[ 96.372530] ? tun_chr_compat_ioctl+0x30/0x30 33[ 96.377005] tun_chr_ioctl+0x2a/0x40 34[ 96.380701] ? tun_chr_ioctl+0x2a/0x40 35[ 96.385099] do_vfs_ioctl+0x1b1/0x15c0 36[ 96.388981] ? ioctl_preallocate+0x2d0/0x2d0 37[ 96.393378] ? selinux_capable+0x40/0x40 38[ 96.397430] ? SyS_futex+0x2b0/0x3a0 39[ 96.401147] ? security_file_ioctl+0x89/0xb0 40[ 96.405547] SyS_ioctl+0x8f/0xc0 41[ 96.408912] entry_SYSCALL_64_fastpath+0x1f/0xbe 42[ 96.413651] RIP: 0033:0x4512c9 43[ 96.416824] RSP: 002b:00007fc65827bc08 EFLAGS: 00000216 ORIG_RAX: 0000000000000010 44[ 96.424603] RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 00000000004512c9 45[ 96.431863] RDX: 000000002053c000 RSI: 00000000400454ca RDI: 0000000000000005 46[ 96.439133] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000 47[ 96.446389] R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004baa97 48[ 96.453647] R13: 00000000ffffffff R14: 0000000020124ff3 R15: 0000000000000000 49[ 96.460931] 50[ 96.462552] Allocated by task 11514: 51[ 96.466258] save_stack_trace+0x16/0x20 52[ 96.470212] save_stack+0x43/0xd0 53[ 96.473649] kasan_kmalloc+0xaa/0xd0 54[ 96.477347] kmem_cache_alloc_trace+0x101/0x6f0 55[ 96.481995] selinux_tun_dev_alloc_security+0x49/0x170 56[ 96.487250] security_tun_dev_alloc_security+0x6d/0xa0 57[ 96.492508] __tun_chr_ioctl+0x16bc/0x3d60 58[ 96.496722] tun_chr_ioctl+0x2a/0x40 59[ 96.500417] do_vfs_ioctl+0x1b1/0x15c0 60[ 96.504282] SyS_ioctl+0x8f/0xc0 61[ 96.507630] entry_SYSCALL_64_fastpath+0x1f/0xbe 62[ 96.512367] 63[ 96.513973] Freed by task 11514: 64[ 96.517323] save_stack_trace+0x16/0x20 65[ 96.521276] save_stack+0x43/0xd0 66[ 96.524709] kasan_slab_free+0x6e/0xc0 67[ 96.528577] kfree+0xd3/0x260 68[ 96.531666] selinux_tun_dev_free_security+0x15/0x20 69[ 96.536747] security_tun_dev_free_security+0x48/0x80 70[ 96.541918] tun_free_netdev+0x13b/0x1b0 71[ 96.545959] register_netdevice+0x8d0/0xee0 72[ 96.550260] __tun_chr_ioctl+0x1bae/0x3d60 73[ 96.554475] tun_chr_ioctl+0x2a/0x40 74[ 96.558169] do_vfs_ioctl+0x1b1/0x15c0 75[ 96.562035] SyS_ioctl+0x8f/0xc0 76[ 96.565385] entry_SYSCALL_64_fastpath+0x1f/0xbe 77[ 96.570116] 78[ 96.571724] The buggy address belongs to the object at ffff8801d5961a40 79[ 96.571724] which belongs to the cache kmalloc-32 of size 32 80[ 96.584186] The buggy address is located 0 bytes inside of 81[ 96.584186] 32-byte region [ffff8801d5961a40, ffff8801d5961a60) 82[ 96.595775] The buggy address belongs to the page: 83[ 96.600686] page:ffffea00066b8d38 count:1 mapcount:0 mapping:ffff8801d5961000 index:0xffff8801d5961fc1 84[ 96.610118] flags: 0x200000000000100(slab) 85[ 96.614335] raw: 0200000000000100 ffff8801d5961000 ffff8801d5961fc1 000000010000003f 86[ 96.622292] raw: ffffea0006723300 ffffea00066738b8 ffff8801dbc00100 87[ 96.628675] page dumped because: kasan: bad access detected 88[ 96.634373] 89[ 96.635978] Memory state around the buggy address: 90[ 96.640884] ffff8801d5961900: 00 00 01 fc fc fc fc fc 00 00 00 fc fc fc fc fc 91[ 96.648222] ffff8801d5961980: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc 92[ 96.655567] >ffff8801d5961a00: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc 93[ 96.663255] ^ 94[ 96.668685] ffff8801d5961a80: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc 95[ 96.676022] ffff8801d5961b00: 04 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc 96[ 96.683357] ================================================================== 97[ 96.690692] Disabling lock debugging due to kernel taint 98[ 96.696117] Kernel panic - not syncing: panic_on_warn set ... 99[ 96.696117] 100[ 96.703470] CPU: 0 PID: 11514 Comm: syz-executor5 Tainted: G B 4.12.0-rc7+ #2 101[ 96.711847] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 102[ 96.721354] Call Trace: 103[ 96.723926] dump_stack+0x194/0x257 104[ 96.727539] ? arch_local_irq_restore+0x53/0x53 105[ 96.732366] ? kasan_end_report+0x32/0x50 106[ 96.736497] ? lock_downgrade+0x990/0x990 107[ 96.740631] panic+0x1e4/0x3fb 108[ 96.743807] ? percpu_up_read_preempt_enable.constprop.38+0xae/0xae 109[ 96.750194] ? add_taint+0x40/0x50 110[ 96.753723] ? selinux_tun_dev_free_security+0x15/0x20 111[ 96.758976] ? selinux_tun_dev_free_security+0x15/0x20 112[ 96.764233] kasan_end_report+0x50/0x50 113[ 96.768192] kasan_report_double_free+0x72/0x80 114[ 96.772843] kasan_slab_free+0xa0/0xc0 115[ 96.776711] kfree+0xd3/0x260 116[ 96.779802] selinux_tun_dev_free_security+0x15/0x20 117[ 96.784886] security_tun_dev_free_security+0x48/0x80 118[ 96.790061] __tun_chr_ioctl+0x2cc1/0x3d60 119[ 96.794285] ? tun_chr_close+0x60/0x60 120[ 96.798152] ? lock_downgrade+0x990/0x990 121[ 96.802803] ? lock_release+0xa40/0xa40 122[ 96.806763] ? __lock_is_held+0xb6/0x140 123[ 96.810829] ? check_same_owner+0x320/0x320 124[ 96.815137] ? tun_chr_compat_ioctl+0x30/0x30 125[ 96.819611] tun_chr_ioctl+0x2a/0x40 126[ 96.823306] ? tun_chr_ioctl+0x2a/0x40 127[ 96.827181] do_vfs_ioctl+0x1b1/0x15c0 128[ 96.831057] ? ioctl_preallocate+0x2d0/0x2d0 129[ 96.835450] ? selinux_capable+0x40/0x40 130[ 96.839494] ? SyS_futex+0x2b0/0x3a0 131[ 96.843200] ? security_file_ioctl+0x89/0xb0 132[ 96.847590] SyS_ioctl+0x8f/0xc0 133[ 96.850941] entry_SYSCALL_64_fastpath+0x1f/0xbe 134[ 96.855676] RIP: 0033:0x4512c9 135[ 96.859020] RSP: 002b:00007fc65827bc08 EFLAGS: 00000216 ORIG_RAX: 0000000000000010 136[ 96.866708] RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 00000000004512c9 137[ 96.873956] RDX: 000000002053c000 RSI: 00000000400454ca RDI: 0000000000000005 138[ 96.881208] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000 139[ 96.888461] R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004baa97 140[ 96.895708] R13: 00000000ffffffff R14: 0000000020124ff3 R15: 0000000000000000 141[ 96.903943] Dumping ftrace buffer: 142[ 96.907460] (ftrace buffer empty) 143[ 96.911148] Kernel Offset: disabled 144[ 96.914753] Rebooting in 86400 seconds.. 145 146REPORT: 147blk_update_request: I/O error, dev loop0, sector 0 148================================================================== 149BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x15/0x20 150 151CPU: 0 PID: 11514 Comm: syz-executor5 Not tainted 4.12.0-rc7+ #2 152Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 153Call Trace: 154 dump_stack+0x194/0x257 155 print_address_description+0x7f/0x260 156 kasan_report_double_free+0x55/0x80 157 kasan_slab_free+0xa0/0xc0 158 kfree+0xd3/0x260 159 selinux_tun_dev_free_security+0x15/0x20 160 security_tun_dev_free_security+0x48/0x80 161 __tun_chr_ioctl+0x2cc1/0x3d60 162 tun_chr_ioctl+0x2a/0x40 163 do_vfs_ioctl+0x1b1/0x15c0 164 SyS_ioctl+0x8f/0xc0 165 entry_SYSCALL_64_fastpath+0x1f/0xbe 166RIP: 0033:0x4512c9 167RSP: 002b:00007fc65827bc08 EFLAGS: 00000216 ORIG_RAX: 0000000000000010 168RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 00000000004512c9 169RDX: 000000002053c000 RSI: 00000000400454ca RDI: 0000000000000005 170RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000 171R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004baa97 172R13: 00000000ffffffff R14: 0000000020124ff3 R15: 0000000000000000 173 174Allocated by task 11514: 175 save_stack_trace+0x16/0x20 176 save_stack+0x43/0xd0 177 kasan_kmalloc+0xaa/0xd0 178 kmem_cache_alloc_trace+0x101/0x6f0 179 selinux_tun_dev_alloc_security+0x49/0x170 180 security_tun_dev_alloc_security+0x6d/0xa0 181 __tun_chr_ioctl+0x16bc/0x3d60 182 tun_chr_ioctl+0x2a/0x40 183 do_vfs_ioctl+0x1b1/0x15c0 184 SyS_ioctl+0x8f/0xc0 185 entry_SYSCALL_64_fastpath+0x1f/0xbe 186 187Freed by task 11514: 188 save_stack_trace+0x16/0x20 189 save_stack+0x43/0xd0 190 kasan_slab_free+0x6e/0xc0 191 kfree+0xd3/0x260 192 selinux_tun_dev_free_security+0x15/0x20 193 security_tun_dev_free_security+0x48/0x80 194 tun_free_netdev+0x13b/0x1b0 195 register_netdevice+0x8d0/0xee0 196 __tun_chr_ioctl+0x1bae/0x3d60 197 tun_chr_ioctl+0x2a/0x40 198 do_vfs_ioctl+0x1b1/0x15c0 199 SyS_ioctl+0x8f/0xc0 200 entry_SYSCALL_64_fastpath+0x1f/0xbe 201 202The buggy address belongs to the object at ffff8801d5961a40 203 which belongs to the cache kmalloc-32 of size 32 204The buggy address is located 0 bytes inside of 205 32-byte region [ffff8801d5961a40, ffff8801d5961a60) 206The buggy address belongs to the page: 207page:ffffea00066b8d38 count:1 mapcount:0 mapping:ffff8801d5961000 index:0xffff8801d5961fc1 208flags: 0x200000000000100(slab) 209raw: 0200000000000100 ffff8801d5961000 ffff8801d5961fc1 000000010000003f 210raw: ffffea0006723300 ffffea00066738b8 ffff8801dbc00100 211page dumped because: kasan: bad access detected 212 213Memory state around the buggy address: 214 ffff8801d5961900: 00 00 01 fc fc fc fc fc 00 00 00 fc fc fc fc fc 215 ffff8801d5961980: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc 216>ffff8801d5961a00: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc 217 ^ 218 ffff8801d5961a80: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc 219 ffff8801d5961b00: 04 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc 220================================================================== 221