Hello,
syzbot found the following crash on:
HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=1363b7bb400000
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=2c8dd047d66cbaae0ae2
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=130db3ab400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1084fbbb400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2c8dd0...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 4340 Comm: syz-executor388 Not tainted 4.9.141+ #1
task: ffff8801cce5af80 task.stack: ffff8801cb1b0000
RIP: 0010:[<ffffffff81a17f12>] [<ffffffff81a17f12>] ebitmap_destroy+0x32/0x100 security/selinux/ss/ebitmap.c:331
RSP: 0018:ffff8801cb1b73e8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8801cbaa3240 RCX: ffffed00399cb705
RDX: 0000000000000001 RSI: ffffffff81a17f01 RDI: 0000000000000008
RBP: ffff8801cb1b7408 R08: ffff8801cce5b830 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 1ffff10039636e89 R14: 0000000000000008 R15: ffff8801cb1b74a8
FS: 00007faf93ad4700(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006dd0a0 CR3: 00000001cd368000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801cbaa3240 0000000000000000 1ffff10039636e89 00000000ffffffea
ffff8801cb1b7428 ffffffff81a20997 ffff8801cb1b7908 ffff8801cbaa3240
ffff8801cb1b74d0 ffffffff81a2124e ffff8801cbaf1ea0 0000000000000004
Call Trace:
[<ffffffff81a20997>] sens_destroy+0x47/0x90 security/selinux/ss/policydb.c:729
[<ffffffff81a2124e>] sens_read+0x1de/0x360 security/selinux/ss/policydb.c:1630
[<ffffffff81a2b1ea>] policydb_read+0xdba/0x2390 security/selinux/ss/policydb.c:2367
[<ffffffff81a3ba84>] security_load_policy+0x264/0x9b0 security/selinux/ss/services.c:2067
[<ffffffff81a1233b>] sel_write_load+0x19b/0xfa0 security/selinux/selinuxfs.c:522
[<ffffffff81508085>] __vfs_write+0x115/0x580 fs/read_write.c:507
[<ffffffff8150ab97>] vfs_write+0x187/0x520 fs/read_write.c:557
[<ffffffff8150e9c9>] SYSC_write fs/read_write.c:604 [inline]
[<ffffffff8150e9c9>] SyS_write+0xd9/0x1c0 fs/read_write.c:596
[<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
[<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: 89 fe 41 55 41 54 53 e8 6d 3b 90 ff 4d 85 f6 0f 84 a6 00 00 00 e8 5f
3b 90 ff 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00
0f 85 a5 00 00 00 49 8b 1e 48 85 db 74 32 49 bd 00
RIP [<ffffffff81a17f12>] ebitmap_destroy+0x32/0x100 security/selinux/ss/ebitmap.c:331
RSP <ffff8801cb1b73e8>
---[ end trace 6fa09ee25ed1a4e3 ]---