[Android 5.15] KASAN: use-after-free Read in selinux_inode_follow_link

0 views
Skip to first unread message

syzbot

unread,
Jun 28, 2026, 5:07:30 PMJun 28
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: c85054db4618 Merge 64ee49df839f ("s390/xor: Fix xor_xc_2()..
git tree: android13-5.15-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=103277ae580000
kernel config: https://syzkaller.appspot.com/x/.config?x=30048ef22650d7ee
dashboard link: https://syzkaller.appspot.com/bug?extid=cc7dd53909213a452a18
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1448fa1e580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12ddfbae580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c74b28885c5a/disk-c85054db.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/09d149ced009/vmlinux-c85054db.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a0fb16f3ab0e/bzImage-c85054db.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cc7dd5...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in selinux_inode security/selinux/include/objsec.h:164 [inline]
BUG: KASAN: use-after-free in __inode_security_revalidate security/selinux/hooks.c:270 [inline]
BUG: KASAN: use-after-free in inode_security_rcu security/selinux/hooks.c:298 [inline]
BUG: KASAN: use-after-free in selinux_inode_follow_link+0x134/0x370 security/selinux/hooks.c:3162
Read of size 8 at addr ffff888131d61f28 by task syz.1.3461/10735

CPU: 0 PID: 10735 Comm: syz.1.3461 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
<TASK>
__dump_stack+0x21/0x30 lib/dump_stack.c:88
dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:427 [inline]
kasan_report+0x10f/0x150 mm/kasan/report.c:444
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309
selinux_inode security/selinux/include/objsec.h:164 [inline]
__inode_security_revalidate security/selinux/hooks.c:270 [inline]
inode_security_rcu security/selinux/hooks.c:298 [inline]
selinux_inode_follow_link+0x134/0x370 security/selinux/hooks.c:3162
security_inode_follow_link+0xb4/0x110 security/security.c:1323
pick_link+0x544/0xe00 fs/namei.c:1768
step_into+0xac8/0xce0 fs/namei.c:1840
walk_component+0x263/0x460 fs/namei.c:1990
link_path_walk+0x688/0xde0 fs/namei.c:-1
path_parentat fs/namei.c:2510 [inline]
__filename_parentat+0x254/0x690 fs/namei.c:2534
filename_parentat fs/namei.c:2552 [inline]
do_unlinkat+0xeb/0x6c0 fs/namei.c:4327
__do_sys_unlinkat fs/namei.c:4399 [inline]
__se_sys_unlinkat fs/namei.c:4392 [inline]
__x64_sys_unlinkat+0xd8/0xf0 fs/namei.c:4392
x64_sys_call+0x4c0/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:264
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fc8bf25ee59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc8bf0a0028 EFLAGS: 00000246 ORIG_RAX: 0000000000000107
RAX: ffffffffffffffda RBX: 00007fc8bf4d8090 RCX: 00007fc8bf25ee59
RDX: 0000000000000000 RSI: 00002000000001c0 RDI: 0000000000000004
RBP: 00007fc8bf2f4e6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc8bf4d8128 R14: 00007fc8bf4d8090 R15: 00007ffc75f2d6c8
</TASK>

Allocated by task 10729:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:433 [inline]
__kasan_slab_alloc+0xb7/0xe0 mm/kasan/common.c:466
kasan_slab_alloc include/linux/kasan.h:217 [inline]
slab_post_alloc_hook+0x4f/0x2b0 mm/slab.h:550
slab_alloc_node mm/slub.c:3245 [inline]
slab_alloc mm/slub.c:3255 [inline]
kmem_cache_alloc+0xf7/0x260 mm/slub.c:3260
alloc_inode fs/inode.c:266 [inline]
new_inode_pseudo+0x7a/0x210 fs/inode.c:1011
new_inode+0x28/0x1e0 fs/inode.c:1040
bpf_get_inode kernel/bpf/inode.c:116 [inline]
bpf_symlink+0x65/0x270 kernel/bpf/inode.c:394
vfs_symlink+0x29e/0x470 fs/namei.c:4437
do_symlinkat+0x24a/0x5d0 fs/namei.c:4466
__do_sys_symlinkat fs/namei.c:4483 [inline]
__se_sys_symlinkat fs/namei.c:4480 [inline]
__x64_sys_symlinkat+0x99/0xb0 fs/namei.c:4480
x64_sys_call+0x74b/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:267
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0

Freed by task 10729:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4a/0x70 mm/kasan/common.c:45
kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370
____kasan_slab_free+0x125/0x160 mm/kasan/common.c:365
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:373
kasan_slab_free include/linux/kasan.h:193 [inline]
slab_free_hook mm/slub.c:1728 [inline]
slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1754
slab_free mm/slub.c:3526 [inline]
kmem_cache_free+0x100/0x320 mm/slub.c:3544
free_inode_nonrcu+0x1c/0x20 fs/inode.c:245
bpf_destroy_inode+0x14a/0x170 kernel/bpf/inode.c:621
destroy_inode fs/inode.c:314 [inline]
evict+0x790/0x8b0 fs/inode.c:665
iput_final fs/inode.c:1779 [inline]
iput+0x651/0x7e0 fs/inode.c:1805
do_unlinkat+0x380/0x6c0 fs/namei.c:4363
__do_sys_unlinkat fs/namei.c:4399 [inline]
__se_sys_unlinkat fs/namei.c:4392 [inline]
__x64_sys_unlinkat+0xd8/0xf0 fs/namei.c:4392
x64_sys_call+0x4c0/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:264
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0

The buggy address belongs to the object at ffff888131d61ef0
which belongs to the cache inode_cache of size 752
The buggy address is located 56 bytes inside of
752-byte region [ffff888131d61ef0, ffff888131d621e0)
The buggy address belongs to the page:
page:ffffea0004c75800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x131d60
head:ffffea0004c75800 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 ffffea0004c75d00 0000000300000003 ffff8881001c4180
raw: 0000000000000000 0000000000120012 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Reclaimable, gfp_mask 0x1d20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 455, ts 29567507938, free_ts 0
set_page_owner include/linux/page_owner.h:33 [inline]
post_alloc_hook+0x192/0x1b0 mm/page_alloc.c:2607
prep_new_page+0x1c/0x110 mm/page_alloc.c:2613
get_page_from_freelist+0x2c3a/0x2cd0 mm/page_alloc.c:4487
__alloc_pages+0x1a2/0x460 mm/page_alloc.c:5824
alloc_slab_page mm/slub.c:-1 [inline]
allocate_slab mm/slub.c:1937 [inline]
new_slab+0xa0/0x4d0 mm/slub.c:2000
___slab_alloc+0x3ac/0x840 mm/slub.c:3033
__slab_alloc+0x49/0x90 mm/slub.c:3120
slab_alloc_node mm/slub.c:3211 [inline]
slab_alloc mm/slub.c:3255 [inline]
kmem_cache_alloc+0x138/0x260 mm/slub.c:3260
alloc_inode fs/inode.c:266 [inline]
new_inode_pseudo+0x7a/0x210 fs/inode.c:1011
new_inode+0x28/0x1e0 fs/inode.c:1040
simple_fill_super+0xd1/0x5c0 fs/libfs.c:630
bpf_fill_super+0xb1/0x790 kernel/bpf/inode.c:769
vfs_get_super fs/super.c:1172 [inline]
get_tree_nodev+0xb3/0x160 fs/super.c:1202
bpf_get_tree+0x1c/0x20 kernel/bpf/inode.c:785
vfs_get_tree+0x89/0x260 fs/super.c:1530
vfs_fsconfig_locked+0x236/0x3f0 fs/fsopen.c:238
page_owner free stack trace missing

Memory state around the buggy address:
ffff888131d61e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
ffff888131d61e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fa fb
>ffff888131d61f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888131d61f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888131d62000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages