syzbot

RBP: 000000000000d341 R08: 00000000ffffffff R09: 0000000100000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402360
R13: 00000000004023f0 R14: 0000000000000000 R15: 0000000000000000
proc_fill_super: allocate dentry failed
==================================================================
BUG: KASAN: use-after-free in put_pid_ns+0x100/0x110 kernel/pid_namespace.c:202
Read of size 8 at addr ffff88809977b510 by task syz-executor316/7239

CPU: 1 PID: 7239 Comm: syz-executor316 Not tainted 4.14.138 #34
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x19c lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 put_pid_ns+0x100/0x110 kernel/pid_namespace.c:202
 free_nsproxy+0x103/0x200 kernel/nsproxy.c:182
 switch_task_namespaces+0x98/0xb0 kernel/nsproxy.c:229
 exit_task_namespaces+0x18/0x20 kernel/nsproxy.c:234
 copy_process.part.0+0x3b59/0x6a00 kernel/fork.c:1986
 copy_process kernel/fork.c:1595 [inline]
 _do_fork+0x19e/0xce0 kernel/fork.c:2085
 SYSC_clone kernel/fork.c:2195 [inline]
 SyS_clone+0x37/0x50 kernel/fork.c:2189
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x441549
RSP: 002b:00007ffc71bf82a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441549
RDX: 9999999999999999 RSI: 0000000000000000 RDI: 88bd14a7b286b957
RBP: 000000000000d337 R08: 00000000ffffffff R09: 0000000100000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402360
R13: 00000000004023f0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 7239:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
 kmem_cache_zalloc include/linux/slab.h:651 [inline]
 create_pid_namespace kernel/pid_namespace.c:116 [inline]
 copy_pid_ns+0x1ae/0xa40 kernel/pid_namespace.c:186
 create_new_namespaces+0x267/0x720 kernel/nsproxy.c:94
 copy_namespaces+0x284/0x310 kernel/nsproxy.c:165
 copy_process.part.0+0x2603/0x6a00 kernel/fork.c:1783
 copy_process kernel/fork.c:1595 [inline]
 _do_fork+0x19e/0xce0 kernel/fork.c:2085
 SYSC_clone kernel/fork.c:2195 [inline]
 SyS_clone+0x37/0x50 kernel/fork.c:2189
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 7:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
 delayed_free_pidns+0x89/0xb0 kernel/pid_namespace.c:166
 __rcu_reclaim kernel/rcu/rcu.h:195 [inline]
 rcu_do_batch kernel/rcu/tree.c:2699 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
 rcu_process_callbacks+0x7b8/0x12b0 kernel/rcu/tree.c:2946
 __do_softirq+0x244/0x9a0 kernel/softirq.c:288

The buggy address belongs to the object at ffff88809977acd8
 which belongs to the cache pid_namespace of size 2264
The buggy address is located 2104 bytes inside of
 2264-byte region [ffff88809977acd8, ffff88809977b5b0)
The buggy address belongs to the page:
page:ffffea000265de80 count:1 mapcount:0 mapping:ffff88809977a380 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000008100(slab|head)
raw: 01fffc0000008100 ffff88809977a380 0000000000000000 0000000100000003
raw: ffffea000264f220 ffffea0002647aa0 ffff8880a87f2640 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809977b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809977b480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809977b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff88809977b580: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
 ffff88809977b600: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb
==================================================================