On Mon, May 4, 2026 at 4:07 PM Ryan Lee <[email protected]> wrote: > > On Sat, May 2, 2026 at 11:55 PM Zygmunt Krynicki <[email protected]> wrote: > > > > aa_unix_file_perm() has an outer plabel variable that is released at > > function exit. The only assignment re-declares plabel in an inner scope, > > thus shadowing the variable from an outer scope. The reference returned by > > aa_get_label_rcu() is then assigned to the inner scope variable and leaks > > when that scope ends. > > > > Use the outer plabel so the existing exit-path aa_put_label() releases the > > peer label reference and the successful cache update sees the same label. > > > > Fixes: 88fec3526e84 ("apparmor: make sure unix socket labeling is correctly > > updated.") > > > > Signed-off-by: Zygmunt Krynicki <[email protected]> > > --- > > security/apparmor/af_unix.c | 2 -- > > 1 file changed, 2 deletions(-) > > > > diff --git a/security/apparmor/af_unix.c b/security/apparmor/af_unix.c > > index fdb4a9f212c3b..d7b1461a69635 100644 > > --- a/security/apparmor/af_unix.c > > +++ b/security/apparmor/af_unix.c > > @@ -758,7 +758,6 @@ int aa_unix_file_perm(const struct cred *subj_cred, > > struct aa_label *label, > > unix_fs_perm(op, request, subj_cred, label, > > is_unix_fs(peer_sk) ? &peer_path : > > NULL)); > > } else if (!is_sk_fs) { > > - struct aa_label *plabel; > > struct aa_sk_ctx *pctx = aa_sock(peer_sk); > > Also of interest is that the only assignments to a variable named > "plabel" occur inside this else-if block, which means that the > update_sk_ctx call in the cleanup also always did nothing because it > is always being called with a null plabel. Might there have been other > latent bugs being caused here besides of the resource leak? > > > > > rcu_read_lock(); 
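Review bot: the first hunk fixes the shadowing, but it also changes what update_sk_ctx() receives: with a single plabel, the reference taken by aa_get_label_rcu() now reaches both the exit-path aa_put_label() and the update_sk_ctx() call that, as noted above, has only ever been passed NULL, so the patch enables a cache-update path that never ran with a live label. Before relying on the existing cleanup, check what update_sk_ctx() does with a non-NULL plabel and whether it takes its own reference on whatever it stores; if it keeps the pointer without one, the exit-path put releases the only reference to a label that is still cached, which would be consistent with the aa_label_kref warning and refcount_t underflow under apparmor_file_free_security reported later in this thread. Since plabel is only assigned in the `!is_sk_fs` branch, moving the update and the put into that branch would make the ownership explicit and drop the NULL call entirely.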
> > @@ -796,4 +795,3 @@ int aa_unix_file_perm(const struct cred *subj_cred, > > struct aa_label *label, > > > > return error; > > } > > - > > -- > > 2.53.0 > > > > > > It might make sense to try to move the cleanups around given that > plabel is only really used inside one of the if-else branches. > However, as this is a minimal patch fixing the issue: > > Reviewed-by: Ryan Lee <[email protected]>
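Review bot: the second hunk only deletes a trailing blank line at the end of af_unix.c; it is unrelated to the reference leak and is better left out of a Fixes:-tagged patch so that the change backports as the minimal fix the commit message describes.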
Unfortunately, after performing further testing, I have determined that this patch (as applied against the Ubuntu-hwe-6.17-6.17.0-35.35_24.04.1 kernel) causes KASAN use-after-free errors, so I will have to retract my reviewed-by tag. Attached is the decoded stack trace that I got from KASAN.
[ 82.133058] ------------[ cut here ]------------
[ 82.133071] AppArmor WARN aa_label_kref: ((((label)->flags & FLAG_PROFILE) && (!list_empty(&label->vec[0]->base.list) && (&label->vec[0]->base.list)->prev != ((void *) 0x122 + (0xdead000000000000UL))))):
[ 82.133167] WARNING: CPU: 0 PID: 1903 at security/apparmor/label.c:392 aa_label_kref (security/apparmor/label.c:392 (discriminator 1))
[ 82.133610] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 82.133618] RIP: 0010:aa_label_kref (security/apparmor/label.c:392 (discriminator 1))
[ 82.133655] RAX: 0000000000000000 RBX: ffff8881164f2d70 RCX: 0000000000000000
[ 82.133721] Call Trace:
[ 82.133727] <TASK>
[ 82.133742] apparmor_file_free_security (security/apparmor/lsm.c:694)
[ 82.133766] security_file_free (security/security.c:2869 (discriminator 11))
[ 82.133789] __fput (fs/file_table.c:72 fs/file_table.c:481)
[ 82.133836] ____fput (fs/file_table.c:497)
[ 82.133848] task_work_run (kernel/task_work.c:234)
[ 82.133950] do_exit (kernel/exit.c:963)
[ 82.134131] do_group_exit (kernel/exit.c:1084)
[ 82.134147] __x64_sys_exit_group (kernel/exit.c:1112)
[ 82.134157] x64_sys_call (/home/ryan-lee/Documents/code/linux-ubuntu-noble/build_distro_6_17/./arch/x86/include/generated/asm/syscalls_64.h:61)
[ 82.134176] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
[ 82.134540] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 82.134547] RIP: 0033:0x7c9934d15136
[ 82.134637] </TASK>
[ 82.134699] ---[ end trace 0000000000000000 ]---
[ 82.134738] ------------[ cut here ]------------
[ 82.134744] refcount_t: underflow; use-after-free.
[ 82.134772] WARNING: CPU: 0 PID: 1903 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28 (discriminator 1))
[ 82.135134] Tainted: [W]=WARN
[ 82.135146] RIP: 0010:refcount_warn_saturate (lib/refcount.c:28 (discriminator 1))
[ 82.135231] Call Trace:
[ 82.135236] <TASK>
[ 82.135247] apparmor_file_free_security (security/apparmor/lsm.c:694)
[ 82.135267] security_file_free (security/security.c:2869 (discriminator 11))
[ 82.135280] __fput (fs/file_table.c:72 fs/file_table.c:481)
[ 82.135306] ____fput (fs/file_table.c:497)
[ 82.135315] task_work_run (kernel/task_work.c:234)
[ 82.135382] do_exit (kernel/exit.c:963)
[ 82.135495] do_group_exit (kernel/exit.c:1084)
[ 82.135510] __x64_sys_exit_group (kernel/exit.c:1112)
[ 82.135520] x64_sys_call (/home/ryan-lee/Documents/code/linux-ubuntu-noble/build_distro_6_17/./arch/x86/include/generated/asm/syscalls_64.h:61)
[ 82.135529] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
[ 82.135862] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 82.135869] RIP: 0033:0x7c9934d15136
[ 82.135956] </TASK>
[ 82.136019] ---[ end trace 0000000000000000 ]---
[ 82.141726] ------------[ cut here ]------------
[ 82.141741] AppArmor WARN aa_policy_destroy: (((!list_empty(&policy->list) && (&policy->list)->prev != ((void *) 0x122 + (0xdead000000000000UL))))):
[ 82.141769] WARNING: CPU: 0 PID: 14 at security/apparmor/lib.c:535 aa_policy_destroy (security/apparmor/lib.c:535 (discriminator 1))
[ 82.142297] Tainted: [W]=WARN
[ 82.142314] RIP: 0010:aa_policy_destroy (security/apparmor/lib.c:535 (discriminator 1))
[ 82.142351] RAX: 0000000000000000 RBX: ffff8881164f2c00 RCX: 0000000000000000
[ 82.142439] Call Trace:
[ 82.142454] <TASK>
[ 82.142468] aa_free_profile.part.0 (security/apparmor/policy.c:332 (discriminator 2))
[ 82.142570] aa_free_profile (security/apparmor/policy.c:371)
[ 82.142583] label_free_switch (security/apparmor/label.c:367)
[ 82.142600] label_free_rcu (security/apparmor/label.c:376)
[ 82.142616] rcu_do_batch (kernel/rcu/tree.c:2605)
[ 82.142753] rcu_core (kernel/rcu/tree.c:2863)
[ 82.142780] rcu_core_si (kernel/rcu/tree.c:2879)
[ 82.142792] handle_softirqs (kernel/softirq.c:579)
[ 82.142877] run_ksoftirqd (kernel/softirq.c:436 kernel/softirq.c:969 kernel/softirq.c:960)
[ 82.142889] smpboot_thread_fn (kernel/smpboot.c:160)
[ 82.142936] kthread (kernel/kthread.c:463)
[ 82.145184] ret_from_fork (arch/x86/kernel/process.c:158)
[ 82.145228] ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
[ 82.145279] </TASK>
[ 82.145341] ---[ end trace 0000000000000000 ]---
[ 82.381812] ==================================================================
[ 82.382851] BUG: KASAN: slab-use-after-free in apparmor_cred_free (arch/x86/include/asm/atomic.h:93 (discriminator 4) include/linux/atomic/atomic-arch-fallback.h:949 (discriminator 4) include/linux/atomic/atomic-instrumented.h:401 (discriminator 4) include/linux/refcount.h:389 (discriminator 4) include/linux/refcount.h:432 (discriminator 4) include/linux/refcount.h:450 (discriminator 4) include/linux/kref.h:64 (discriminator 4) security/apparmor/include/label.h:430 (discriminator 4) security/apparmor/include/label.h:427 (discriminator 4) security/apparmor/lsm.c:88 (discriminator 4))
[ 82.383846] Write of size 4 at addr ffff8881164f2d70 by task swapper/2/0
[ 82.385056] Tainted: [W]=WARN
[ 82.385061] Call Trace:
[ 82.385063] <IRQ>
[ 82.385069] dump_stack_lvl (lib/dump_stack.c:123)
[ 82.385087] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
[ 82.385118] kasan_report (mm/kasan/report.c:597)
[ 82.385136] kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))
[ 82.385140] __kasan_check_write (mm/kasan/shadow.c:38)
[ 82.385144] apparmor_cred_free (arch/x86/include/asm/atomic.h:93 (discriminator 4) include/linux/atomic/atomic-arch-fallback.h:949 (discriminator 4) include/linux/atomic/atomic-instrumented.h:401 (discriminator 4) include/linux/refcount.h:389 (discriminator 4) include/linux/refcount.h:432 (discriminator 4) include/linux/refcount.h:450 (discriminator 4) include/linux/kref.h:64 (discriminator 4) security/apparmor/include/label.h:430 (discriminator 4) security/apparmor/include/label.h:427 (discriminator 4) security/apparmor/lsm.c:88 (discriminator 4))
[ 82.385149] security_cred_free (security/security.c:3203 (discriminator 11))
[ 82.385159] put_cred_rcu (kernel/cred.c:79)
[ 82.385167] rcu_do_batch (kernel/rcu/tree.c:2605)
[ 82.385198] rcu_core (kernel/rcu/tree.c:2863)
[ 82.385205] rcu_core_si (kernel/rcu/tree.c:2879)
[ 82.385209] handle_softirqs (kernel/softirq.c:579)
[ 82.385225] __irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680)
[ 82.385230] irq_exit_rcu (kernel/softirq.c:698)
[ 82.385234] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 47) arch/x86/kernel/apic/apic.c:1050 (discriminator 47))
[ 82.385238] </IRQ>
[ 82.385239] <TASK>
[ 82.385242] asm_sysvec_apic_timer_interrupt (arch/x86/include/asm/idtentry.h:574)
[ 82.385247] RIP: 0010:pv_native_safe_halt (arch/x86/kernel/paravirt.c:82)
[ 82.385287] arch_cpu_idle (arch/x86/kernel/process.c:805)
[ 82.385291] default_idle_call (include/linux/cpuidle.h:143 (discriminator 1) kernel/sched/idle.c:123 (discriminator 1))
[ 82.385295] do_idle (kernel/sched/idle.c:191 kernel/sched/idle.c:330)
[ 82.385318] cpu_startup_entry (kernel/sched/idle.c:427)
[ 82.385322] start_secondary (arch/x86/kernel/smpboot.c:203 (discriminator 10) arch/x86/kernel/smpboot.c:283 (discriminator 10))
[ 82.385338] common_startup_64 (arch/x86/kernel/head_64.S:419)
[ 82.385356] </TASK>
[ 82.385358]
[ 82.425097] Allocated by task 585:
[ 82.425722]
[ 82.425966] Freed by task 14:
[ 82.426530]
[ 82.426770] Last potentially related work creation:
[ 82.427554]
[ 82.427795] The buggy address belongs to the object at ffff8881164f2c00
[ 82.427795]  which belongs to the cache kmalloc-512 of size 512
[ 82.429524] The buggy address is located 368 bytes inside of
[ 82.429524]  freed 512-byte region [ffff8881164f2c00, ffff8881164f2e00)
[ 82.431209]
[ 82.431456] The buggy address belongs to the physical page:
[ 82.432310]
[ 82.432554] Memory state around the buggy address:
[ 82.433232]  ffff8881164f2c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.434248]  ffff8881164f2c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.435315] >ffff8881164f2d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.436427]                                                              ^
[ 82.437504]  ffff8881164f2d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.438635]  ffff8881164f2e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 82.439750] ==================================================================
apparmor_cred_free (arch/x86/include/asm/atomic.h:93 (discriminator 4) include/linux/atomic/atomic-arch-fallback.h:949 (discriminator 4) include/linux/atomic/atomic-instrumented.h:401 (discriminator 4) include/linux/refcount.h:389 (discriminator 4) include/linux/refcount.h:432 (discriminator 4) include/linux/refcount.h:450 (discriminator 4) include/linux/kref.h:64 (discriminator 4) security/apparmor/include/label.h:430 (discriminator 4) security/apparmor/include/label.h:427 (discriminator 4) security/apparmor/lsm.c:88 (discriminator 4)) [ 82.385127] ? apparmor_cred_free (arch/x86/include/asm/atomic.h:93 (discriminator 4) include/linux/atomic/atomic-arch-fallback.h:949 (discriminator 4) include/linux/atomic/atomic-instrumented.h:401 (discriminator 4) include/linux/refcount.h:389 (discriminator 4) include/linux/refcount.h:432 (discriminator 4) include/linux/refcount.h:450 (discriminator 4) include/linux/kref.h:64 (discriminator 4) security/apparmor/include/label.h:430 (discriminator 4) security/apparmor/include/label.h:427 (discriminator 4) security/apparmor/lsm.c:88 (discriminator 4)) [ 82.385136] kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1)) [ 82.385140] __kasan_check_write (mm/kasan/shadow.c:38) [ 82.385144] apparmor_cred_free (arch/x86/include/asm/atomic.h:93 (discriminator 4) include/linux/atomic/atomic-arch-fallback.h:949 (discriminator 4) include/linux/atomic/atomic-instrumented.h:401 (discriminator 4) include/linux/refcount.h:389 (discriminator 4) include/linux/refcount.h:432 (discriminator 4) include/linux/refcount.h:450 (discriminator 4) include/linux/kref.h:64 (discriminator 4) security/apparmor/include/label.h:430 (discriminator 4) security/apparmor/include/label.h:427 (discriminator 4) security/apparmor/lsm.c:88 (discriminator 4)) [ 82.385149] security_cred_free (security/security.c:3203 (discriminator 11)) [ 82.385155] ? 
rcu_do_batch (kernel/rcu/tree.c:2605) [ 82.385159] put_cred_rcu (kernel/cred.c:79) [ 82.385164] ? rcu_do_batch (kernel/rcu/tree.c:2605) [ 82.385167] rcu_do_batch (kernel/rcu/tree.c:2605) [ 82.385176] ? __pfx_rcu_do_batch (kernel/rcu/tree.c:2529) [ 82.385181] ? __this_cpu_preempt_check (lib/smp_processor_id.c:65) [ 82.385185] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:183) [ 82.385188] ? lock_is_held_type (kernel/locking/lockdep.c:470 (discriminator 4) kernel/locking/lockdep.c:5941 (discriminator 4)) [ 82.385192] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:183) [ 82.385198] rcu_core (kernel/rcu/tree.c:2863) [ 82.385205] rcu_core_si (kernel/rcu/tree.c:2879) [ 82.385209] handle_softirqs (kernel/softirq.c:579) [ 82.385217] ? __pfx_handle_softirqs (kernel/softirq.c:537) [ 82.385225] __irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680) [ 82.385230] irq_exit_rcu (kernel/softirq.c:698) [ 82.385234] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 47) arch/x86/kernel/apic/apic.c:1050 (discriminator 47)) [ 82.385238] </IRQ> [ 82.385239] <TASK> [ 82.385242] asm_sysvec_apic_timer_interrupt (arch/x86/include/asm/idtentry.h:574) [ 82.385247] RIP: 0010:pv_native_safe_halt (arch/x86/kernel/paravirt.c:82) [ 82.385251] Code: 22 df 31 ff e9 21 a0 73 fc 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 eb 07 0f 00 2d 77 5d 2a 00 fb f4 <e9> fb 9f 73 fc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 83 All code ======== 0: 22 df and %bh,%bl 2: 31 ff xor %edi,%edi 4: e9 21 a0 73 fc jmp 0xfffffffffc73a02a 9: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) f: 90 nop 10: 90 nop 11: 90 nop 12: 90 nop 13: 90 nop 14: 90 nop 15: 90 nop 16: 90 nop 17: 90 nop 18: 90 nop 19: 90 nop 1a: 90 nop 1b: 90 nop 1c: 90 nop 1d: 90 nop 1e: 90 nop 1f: eb 07 jmp 0x28 21: 0f 00 2d 77 5d 2a 00 verw 0x2a5d77(%rip) # 0x2a5d9f 28: fb sti 29: f4 hlt 2a:* e9 fb 9f 73 fc jmp 0xfffffffffc73a02a <-- trapping instruction 2f: 90 nop 30: 90 
nop 31: 90 nop 32: 90 nop 33: 90 nop 34: 90 nop 35: 90 nop 36: 90 nop 37: 90 nop 38: 90 nop 39: 90 nop 3a: 90 nop 3b: 90 nop 3c: 90 nop 3d: 90 nop 3e: 90 nop 3f: 83 .byte 0x83 Code starting with the faulting instruction =========================================== 0: e9 fb 9f 73 fc jmp 0xfffffffffc73a000 5: 90 nop 6: 90 nop 7: 90 nop 8: 90 nop 9: 90 nop a: 90 nop b: 90 nop c: 90 nop d: 90 nop e: 90 nop f: 90 nop 10: 90 nop 11: 90 nop 12: 90 nop 13: 90 nop 14: 90 nop 15: 83 .byte 0x83 [ 82.385254] RSP: 0018:ffff888100bafdb8 EFLAGS: 00000246 [ 82.385258] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 [ 82.385260] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 82.385262] RBP: ffff888100bafdc0 R08: 0000000000000000 R09: 0000000000000000 [ 82.385264] R10: 0000000000000000 R11: 0000000000000000 R12: ffffed10201747f8 [ 82.385268] R13: ffff888100ba3fc0 R14: ffffffff9b98b1e0 R15: 0000000000000000 [ 82.385280] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:183) [ 82.385283] ? default_idle (arch/x86/include/asm/paravirt.h:107 arch/x86/kernel/process.c:767) [ 82.385287] arch_cpu_idle (arch/x86/kernel/process.c:805) [ 82.385291] default_idle_call (include/linux/cpuidle.h:143 (discriminator 1) kernel/sched/idle.c:123 (discriminator 1)) [ 82.385295] do_idle (kernel/sched/idle.c:191 kernel/sched/idle.c:330) [ 82.385303] ? asm_sysvec_call_function_single (arch/x86/include/asm/idtentry.h:574) [ 82.385308] ? __pfx_do_idle (kernel/sched/idle.c:258) [ 82.385318] cpu_startup_entry (kernel/sched/idle.c:427) [ 82.385322] start_secondary (arch/x86/kernel/smpboot.c:203 (discriminator 10) arch/x86/kernel/smpboot.c:283 (discriminator 10)) [ 82.385330] ? 
__pfx_start_secondary (arch/x86/kernel/smpboot.c:233) [ 82.385338] common_startup_64 (arch/x86/kernel/head_64.S:419) [ 82.385356] </TASK> [ 82.425097] Allocated by task 585: [ 82.425609] kasan_save_stack (mm/kasan/common.c:49) [ 82.425623] kasan_save_track (arch/x86/include/asm/current.h:25 (discriminator 1) mm/kasan/common.c:61 (discriminator 1) mm/kasan/common.c:70 (discriminator 1)) [ 82.425629] kasan_save_alloc_info (mm/kasan/generic.c:563) [ 82.425634] __kasan_kmalloc (mm/kasan/common.c:389 mm/kasan/common.c:406) [ 82.425640] __kmalloc_cache_noprof (mm/slub.c:4428) [ 82.425652] aa_alloc_profile (include/linux/slab.h:905 include/linux/slab.h:1039 security/apparmor/policy.c:390) [ 82.425659] unpack_profile (security/apparmor/policy_unpack.c:1137) [ 82.425664] aa_unpack (security/apparmor/policy_unpack.c:1778) [ 82.425669] aa_replace_profiles (security/apparmor/policy.c:1189 (discriminator 1)) [ 82.425674] policy_update (security/apparmor/apparmorfs.c:510) [ 82.425682] profile_replace (security/apparmor/apparmorfs.c:545) [ 82.425687] vfs_write (fs/read_write.c:684) [ 82.425693] ksys_write (fs/read_write.c:738) [ 82.425698] __x64_sys_write (fs/read_write.c:746) [ 82.425703] x64_sys_call (arch/x86/entry/syscall_64.c:41) [ 82.425710] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) [ 82.425717] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 82.425966] Freed by task 14: [ 82.426413] kasan_save_stack (mm/kasan/common.c:49) [ 82.426419] kasan_save_track (arch/x86/include/asm/current.h:25 (discriminator 1) mm/kasan/common.c:61 (discriminator 1) mm/kasan/common.c:70 (discriminator 1)) [ 82.426425] kasan_save_free_info (mm/kasan/generic.c:579 (discriminator 1)) [ 82.426430] __kasan_slab_free (mm/kasan/common.c:283) [ 82.426435] kfree (mm/slub.c:4714 (discriminator 3) mm/slub.c:4913 (discriminator 3)) [ 82.426440] kfree_sensitive (mm/slab_common.c:1228) [ 82.426454] aa_free_profile.part.0 
(security/apparmor/policy.c:371) [ 82.426459] aa_free_profile (security/apparmor/policy.c:371) [ 82.426463] label_free_switch (security/apparmor/label.c:367) [ 82.426469] label_free_rcu (security/apparmor/label.c:376) [ 82.426475] rcu_do_batch (kernel/rcu/tree.c:2605) [ 82.426481] rcu_core (kernel/rcu/tree.c:2863) [ 82.426489] rcu_core_si (kernel/rcu/tree.c:2879) [ 82.426494] handle_softirqs (kernel/softirq.c:579) [ 82.426501] run_ksoftirqd (kernel/softirq.c:436 kernel/softirq.c:969 kernel/softirq.c:960) [ 82.426506] smpboot_thread_fn (kernel/smpboot.c:160) [ 82.426512] kthread (kernel/kthread.c:463) [ 82.426518] ret_from_fork (arch/x86/kernel/process.c:158) [ 82.426525] ret_from_fork_asm (arch/x86/entry/entry_64.S:255) [ 82.426770] Last potentially related work creation: [ 82.427467] kasan_save_stack (mm/kasan/common.c:49) [ 82.427474] kasan_record_aux_stack (mm/kasan/generic.c:548 (discriminator 1)) [ 82.427479] __call_rcu_common (arch/x86/include/asm/paravirt.h:660 arch/x86/include/asm/paravirt.h:678 kernel/rcu/tree.c:3125) [ 82.427484] call_rcu (kernel/rcu/tree.c:3244) [ 82.427489] aa_label_kref (security/apparmor/label.c:397) [ 82.427494] apparmor_file_free_security (security/apparmor/lsm.c:694) [ 82.427499] security_file_free (security/security.c:2869 (discriminator 11)) [ 82.427509] __fput (fs/file_table.c:72 fs/file_table.c:481) [ 82.427514] ____fput (fs/file_table.c:497) [ 82.427519] task_work_run (kernel/task_work.c:234) [ 82.427525] do_exit (kernel/exit.c:963) [ 82.427530] do_group_exit (kernel/exit.c:1084) [ 82.427535] __x64_sys_exit_group (kernel/exit.c:1112) [ 82.427540] x64_sys_call (/home/ryan-lee/Documents/code/linux-ubuntu-noble/build_distro_6_17/./arch/x86/include/generated/asm/syscalls_64.h:61) [ 82.427545] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) [ 82.427550] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 82.427795] The buggy address belongs to the object 
at ffff8881164f2c00 which belongs to the cache kmalloc-512 of size 512 [ 82.429524] The buggy address is located 368 bytes inside of freed 512-byte region [ffff8881164f2c00, ffff8881164f2e00) [ 82.431456] The buggy address belongs to the physical page: [ 82.432240] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1164f0 [ 82.432250] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 82.432256] flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff) [ 82.432273] page_type: f5(slab) [ 82.432279] raw: 0017ffffc0000040 ffff8881000431c0 ffffea0004593410 ffffea000431c010 [ 82.432284] raw: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000 [ 82.432289] head: 0017ffffc0000040 ffff8881000431c0 ffffea0004593410 ffffea000431c010 [ 82.432293] head: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000 [ 82.432298] head: 0017ffffc0000003 ffffea0004593c01 00000000ffffffff 00000000ffffffff [ 82.432302] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 82.432306] page dumped because: kasan: bad access detected [ 82.432554] Memory state around the buggy address: [ 82.433232] ffff8881164f2c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 82.434248] ffff8881164f2c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 82.435315] >ffff8881164f2d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 82.436427] ^ [ 82.437504] ffff8881164f2d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 82.438635] ffff8881164f2e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 82.439750] ================================================================== [ 82.440832] Disabling lock debugging due to kernel taint
