syzbot

==================================================================
BUG: KASAN: use-after-free in link_path_walk+0x104f/0x1220 fs/namei.c:2085
Read of size 4 at addr ffff8801cde66dc0 by task syzkaller724721/5985

CPU: 1 PID: 5985 Comm: syzkaller724721 Not tainted 4.9.77-ge12a9c4 #27
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cf6f7900 ffffffff81d941c9 ffffea0007379980 ffff8801cde66dc0
 0000000000000000 ffff8801cde66dc0 ffff8801cf6f7cc0 ffff8801cf6f7938
 ffffffff8153db93 ffff8801cde66dc0 0000000000000004 0000000000000000
Call Trace:
 [<ffffffff81d941c9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d941c9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153db93>] print_address_description+0x73/0x280 mm/kasan/report.c:252
 [<ffffffff8153e0b5>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff8153e0b5>] kasan_report+0x275/0x360 mm/kasan/report.c:408
 [<ffffffff8153e1f4>] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:428
 [<ffffffff815a006f>] link_path_walk+0x104f/0x1220 fs/namei.c:2085
 [<ffffffff815a03fa>] path_lookupat+0x6a/0x3f0 fs/namei.c:2280
 [<ffffffff815a2140>] do_o_path fs/namei.c:3491 [inline]
 [<ffffffff815a2140>] path_openat+0x19c0/0x2910 fs/namei.c:3520
 [<ffffffff815a6887>] do_filp_open+0x197/0x290 fs/namei.c:3566
 [<ffffffff8156b082>] do_sys_open+0x352/0x4c0 fs/open.c:1072
 [<ffffffff8167b2ad>] C_SYSC_openat fs/compat.c:1090 [inline]
 [<ffffffff8167b2ad>] compat_SyS_openat+0x2d/0x40 fs/compat.c:1088
 [<ffffffff81006fc7>] do_syscall_32_irqs_on arch/x86/entry/common.c:322 [inline]
 [<ffffffff81006fc7>] do_fast_syscall_32+0x2f7/0x890 arch/x86/entry/common.c:384
 [<ffffffff838b44b4>] entry_SYSENTER_compat+0x74/0x83 arch/x86/entry/entry_64_compat.S:127

Allocated by task 5983:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:609
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xba/0x290 mm/slub.c:2728
 __d_alloc+0x2e/0x8f0 fs/dcache.c:1593
 d_make_root+0x3f/0x80 fs/dcache.c:1882
 ramfs_fill_super+0x35f/0x4a0 fs/ramfs/inode.c:233
 mount_nodev+0x59/0x100 fs/super.c:1142
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 C_SYSC_mount fs/compat.c:810 [inline]
 compat_SyS_mount+0xd0/0x1070 fs/compat.c:775
 do_syscall_32_irqs_on arch/x86/entry/common.c:322 [inline]
 do_fast_syscall_32+0x2f7/0x890 arch/x86/entry/common.c:384
 entry_SYSENTER_compat+0x74/0x83 arch/x86/entry/entry_64_compat.S:127

Freed by task 5983:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xc7/0x300 mm/slub.c:2980
 __d_free fs/dcache.c:265 [inline]
 dentry_free+0xd5/0x150 fs/dcache.c:341
 __dentry_kill+0x343/0x480 fs/dcache.c:579
 dentry_kill fs/dcache.c:606 [inline]
 dput.part.23+0x680/0x7b0 fs/dcache.c:818
 dput fs/dcache.c:780 [inline]
 do_one_tree+0x43/0x50 fs/dcache.c:1476
 shrink_dcache_for_umount+0x67/0x160 fs/dcache.c:1490
 generic_shutdown_super+0x6d/0x340 fs/super.c:422
 kill_anon_super fs/super.c:964 [inline]
 kill_litter_super+0x72/0x90 fs/super.c:974
 ramfs_kill_sb+0x3f/0x50 fs/ramfs/inode.c:249
 deactivate_locked_super+0x88/0xd0 fs/super.c:310
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:259 [inline]
 do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
 do_fast_syscall_32+0x5de/0x890 arch/x86/entry/common.c:384
 entry_SYSENTER_compat+0x74/0x83 arch/x86/entry/entry_64_compat.S:127

The buggy address belongs to the object at ffff8801cde66dc0
 which belongs to the cache dentry of size 288
The buggy address is located 0 bytes inside of
 288-byte region [ffff8801cde66dc0, ffff8801cde66ee0)
The buggy address belongs to the page:
page:ffffea0007379980 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x8000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cde66c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801cde66d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801cde66d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                           ^
 ffff8801cde66e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801cde66e80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================