[moderation] [selinux?] KCSAN: data-race in selinux_cred_prepare / selinux_inode_permission
6 views
Skip to first unread message
syzbot
Jun 26, 2025, 1:33:32 PM6/26/25
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: ee88bddf7f2f Merge tag 'bpf-fixes' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1259db70580000
kernel config: https://syzkaller.appspot.com/x/.config?x=39acdbb3c95d37e5
dashboard link: https://syzkaller.appspot.com/bug?extid=1bda53d1be2c7e599411
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
CC: [linux-...@vger.kernel.org omos...@redhat.com pa...@paul-moore.com sel...@vger.kernel.org stephen.sm...@gmail.com]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/822314423c29/disk-ee88bddf.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a8440c28d00a/vmlinux-ee88bddf.xz
kernel image: https://storage.googleapis.com/syzbot-assets/75d342039457/bzImage-ee88bddf.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1bda53...@syzkaller.appspotmail.com
==================================================================
BUG: KCSAN: data-race in selinux_cred_prepare / selinux_inode_permission
write to 0xffff888101fb35a0 of 4 bytes by task 19474 on cpu 0:
task_avdcache_search security/selinux/hooks.c:3146 [inline]
selinux_inode_permission+0x31b/0x620 security/selinux/hooks.c:3216
security_inode_permission+0x6d/0xb0 security/security.c:2324
inode_permission+0x106/0x310 fs/namei.c:601
may_open+0x255/0x350 fs/namei.c:3486
do_open fs/namei.c:3894 [inline]
path_openat+0x1b4a/0x2170 fs/namei.c:4055
do_filp_open+0x109/0x230 fs/namei.c:4082
io_openat2+0x272/0x390 io_uring/openclose.c:142
io_openat+0x1b/0x30 io_uring/openclose.c:179
__io_issue_sqe+0xfe/0x2e0 io_uring/io_uring.c:1738
io_issue_sqe+0x53/0x970 io_uring/io_uring.c:1761
io_queue_sqe io_uring/io_uring.c:1968 [inline]
io_submit_sqe io_uring/io_uring.c:2224 [inline]
io_submit_sqes+0x667/0xfd0 io_uring/io_uring.c:2337
__do_sys_io_uring_enter io_uring/io_uring.c:3404 [inline]
__se_sys_io_uring_enter+0x1c1/0x1b70 io_uring/io_uring.c:3338
__x64_sys_io_uring_enter+0x78/0x90 io_uring/io_uring.c:3338
x64_sys_call+0x28c8/0x2fb0 arch/x86/include/generated/asm/syscalls_64.h:427
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
read to 0xffff888101fb3580 of 100 bytes by task 19482 on cpu 1:
selinux_cred_prepare+0x60/0x70 security/selinux/hooks.c:4139
security_prepare_creds+0xbb/0x120 security/security.c:3246
prepare_creds+0x34a/0x4c0 kernel/cred.c:242
install_thread_keyring security/keys/process_keys.c:249 [inline]
lookup_user_key+0x12a/0xd10 security/keys/process_keys.c:635
__do_sys_add_key security/keys/keyctl.c:126 [inline]
__se_sys_add_key+0x263/0x350 security/keys/keyctl.c:74
__x64_sys_add_key+0x67/0x80 security/keys/keyctl.c:74
x64_sys_call+0x1d0d/0x2fb0 arch/x86/include/generated/asm/syscalls_64.h:249
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 19482 Comm: syz.7.5661 Not tainted 6.16.0-rc3-syzkaller-00072-gee88bddf7f2f #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: ee88bddf7f2f Merge tag 'bpf-fixes' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1259db70580000
kernel config: https://syzkaller.appspot.com/x/.config?x=39acdbb3c95d37e5
dashboard link: https://syzkaller.appspot.com/bug?extid=1bda53d1be2c7e599411
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
CC: [linux-...@vger.kernel.org omos...@redhat.com pa...@paul-moore.com sel...@vger.kernel.org stephen.sm...@gmail.com]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/822314423c29/disk-ee88bddf.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a8440c28d00a/vmlinux-ee88bddf.xz
kernel image: https://storage.googleapis.com/syzbot-assets/75d342039457/bzImage-ee88bddf.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1bda53...@syzkaller.appspotmail.com
==================================================================
BUG: KCSAN: data-race in selinux_cred_prepare / selinux_inode_permission
write to 0xffff888101fb35a0 of 4 bytes by task 19474 on cpu 0:
task_avdcache_search security/selinux/hooks.c:3146 [inline]
selinux_inode_permission+0x31b/0x620 security/selinux/hooks.c:3216
security_inode_permission+0x6d/0xb0 security/security.c:2324
inode_permission+0x106/0x310 fs/namei.c:601
may_open+0x255/0x350 fs/namei.c:3486
do_open fs/namei.c:3894 [inline]
path_openat+0x1b4a/0x2170 fs/namei.c:4055
do_filp_open+0x109/0x230 fs/namei.c:4082
io_openat2+0x272/0x390 io_uring/openclose.c:142
io_openat+0x1b/0x30 io_uring/openclose.c:179
__io_issue_sqe+0xfe/0x2e0 io_uring/io_uring.c:1738
io_issue_sqe+0x53/0x970 io_uring/io_uring.c:1761
io_queue_sqe io_uring/io_uring.c:1968 [inline]
io_submit_sqe io_uring/io_uring.c:2224 [inline]
io_submit_sqes+0x667/0xfd0 io_uring/io_uring.c:2337
__do_sys_io_uring_enter io_uring/io_uring.c:3404 [inline]
__se_sys_io_uring_enter+0x1c1/0x1b70 io_uring/io_uring.c:3338
__x64_sys_io_uring_enter+0x78/0x90 io_uring/io_uring.c:3338
x64_sys_call+0x28c8/0x2fb0 arch/x86/include/generated/asm/syscalls_64.h:427
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
read to 0xffff888101fb3580 of 100 bytes by task 19482 on cpu 1:
selinux_cred_prepare+0x60/0x70 security/selinux/hooks.c:4139
security_prepare_creds+0xbb/0x120 security/security.c:3246
prepare_creds+0x34a/0x4c0 kernel/cred.c:242
install_thread_keyring security/keys/process_keys.c:249 [inline]
lookup_user_key+0x12a/0xd10 security/keys/process_keys.c:635
__do_sys_add_key security/keys/keyctl.c:126 [inline]
__se_sys_add_key+0x263/0x350 security/keys/keyctl.c:74
__x64_sys_add_key+0x67/0x80 security/keys/keyctl.c:74
x64_sys_call+0x1d0d/0x2fb0 arch/x86/include/generated/asm/syscalls_64.h:249
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 19482 Comm: syz.7.5661 Not tainted 6.16.0-rc3-syzkaller-00072-gee88bddf7f2f #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Oct 12, 2025, 10:45:28 AM10/12/25
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages