Warning: Permanently added '[localhost]:37781' (ECDSA) to the list of known hosts.
2019/03/24 20:28:15 parsed 1 programs
2019/03/24 20:28:16 executed programs: 0
[ 112.145352] IPVS: Creating netns size=2720 id=2
[ 112.146096] IPVS: ftp: loaded support on port[0] = 21
[ 112.170536] IPVS: Creating netns size=2720 id=3
[ 112.171802] IPVS: ftp: loaded support on port[0] = 21
[ 112.200907] IPVS: Creating netns size=2720 id=4
[ 112.202180] IPVS: ftp: loaded support on port[0] = 21
[ 112.239050] IPVS: Creating netns size=2720 id=5
[ 112.239879] IPVS: ftp: loaded support on port[0] = 21
[ 112.312117] IPVS: Creating netns size=2720 id=6
[ 112.312922] IPVS: ftp: loaded support on port[0] = 21
[ 112.340373] IPVS: Creating netns size=2720 id=7
[ 112.341866] IPVS: ftp: loaded support on port[0] = 21
[ 112.668917] bridge0: port 1(bridge_slave_0) entered blocking state
[ 112.672716] bridge0: port 1(bridge_slave_0) entered disabled state
[ 112.674954] device bridge_slave_0 entered promiscuous mode
[ 112.682532] bridge0: port 1(bridge_slave_0) entered blocking state
[ 112.683606] bridge0: port 1(bridge_slave_0) entered disabled state
[ 112.686932] device bridge_slave_0 entered promiscuous mode
[ 112.713180] bridge0: port 2(bridge_slave_1) entered blocking state
[ 112.714710] bridge0: port 2(bridge_slave_1) entered disabled state
[ 112.716409] device bridge_slave_1 entered promiscuous mode
[ 112.719960] bridge0: port 2(bridge_slave_1) entered blocking state
[ 112.721020] bridge0: port 2(bridge_slave_1) entered disabled state
[ 112.723424] device bridge_slave_1 entered promiscuous mode
[ 112.727473] bridge0: port 1(bridge_slave_0) entered blocking state
[ 112.728819] bridge0: port 1(bridge_slave_0) entered disabled state
[ 112.732446] device bridge_slave_0 entered promiscuous mode
[ 112.764446] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 112.789194] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 112.798496] bridge0: port 2(bridge_slave_1) entered blocking state
[ 112.799481] bridge0: port 2(bridge_slave_1) entered disabled state
[ 112.802285] device bridge_slave_1 entered promiscuous mode
[ 112.832245] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 112.834219] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 112.853680] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 112.880338] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 112.947586] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 112.954297] ip (5521) used greatest stack depth: 23752 bytes left
[ 112.962093] bridge0: port 1(bridge_slave_0) entered blocking state
[ 112.963184] bridge0: port 1(bridge_slave_0) entered disabled state
[ 112.965806] device bridge_slave_0 entered promiscuous mode
[ 112.968663] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 112.979908] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 112.981458] bridge0: port 1(bridge_slave_0) entered blocking state
[ 112.984635] bridge0: port 1(bridge_slave_0) entered disabled state
[ 112.988264] device bridge_slave_0 entered promiscuous mode
[ 113.000909] bridge0: port 2(bridge_slave_1) entered blocking state
[ 113.001991] bridge0: port 2(bridge_slave_1) entered disabled state
[ 113.005650] device bridge_slave_1 entered promiscuous mode
[ 113.010181] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 113.016649] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 113.018718] bridge0: port 2(bridge_slave_1) entered blocking state
[ 113.019812] bridge0: port 2(bridge_slave_1) entered disabled state
[ 113.021661] device bridge_slave_1 entered promiscuous mode
[ 113.039376] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 113.042635] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 113.044259] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 113.066271] bridge0: port 1(bridge_slave_0) entered blocking state
[ 113.067475] bridge0: port 1(bridge_slave_0) entered disabled state
[ 113.069655] device bridge_slave_0 entered promiscuous mode
[ 113.074267] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 113.086930] bridge0: port 2(bridge_slave_1) entered blocking state
[ 113.088163] bridge0: port 2(bridge_slave_1) entered disabled state
[ 113.092656] device bridge_slave_1 entered promiscuous mode
[ 113.097643] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 113.113679] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 113.145226] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 113.147913] team0: Port device team_slave_0 added
[ 113.149499] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 113.164464] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 113.177078] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 113.178339] team0: Port device team_slave_0 added
[ 113.188641] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 113.195039] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 113.199064] team0: Port device team_slave_0 added
[ 113.202232] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 113.205816] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 113.207356] team0: Port device team_slave_1 added
[ 113.210744] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 113.216147] team0: Port device team_slave_1 added
[ 113.224445] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 113.228997] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 113.232629] team0: Port device team_slave_1 added
[ 113.251335] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 113.253671] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 113.260310] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 113.270594] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 113.274828] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 113.277752] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 113.286816] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 113.293756] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 113.305132] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 113.309078] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 113.341472] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 113.343072] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 113.357006] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 113.372713] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 113.383338] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 113.385842] team0: Port device team_slave_0 added
[ 113.389888] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 113.392164] team0: Port device team_slave_0 added
[ 113.414695] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 113.417038] team0: Port device team_slave_1 added
[ 113.422216] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 113.427372] team0: Port device team_slave_0 added
[ 113.431451] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 113.432989] team0: Port device team_slave_1 added
[ 113.459214] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 113.460705] team0: Port device team_slave_1 added
[ 113.466142] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 113.481366] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 113.490139] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 113.505851] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 113.512398] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 113.515513] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 113.524817] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 113.536097] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 113.541567] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 113.550784] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 113.569359] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 113.592160] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 113.635575] bridge0: port 2(bridge_slave_1) entered blocking state
[ 113.639849] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 113.641455] bridge0: port 1(bridge_slave_0) entered blocking state
[ 113.642545] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 113.672428] bridge0: port 2(bridge_slave_1) entered blocking state
[ 113.673444] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 113.674531] bridge0: port 1(bridge_slave_0) entered blocking state
[ 113.675523] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 113.712378] bridge0: port 2(bridge_slave_1) entered blocking state
[ 113.713648] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 113.715080] bridge0: port 1(bridge_slave_0) entered blocking state
[ 113.716741] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 113.806005] bridge0: port 2(bridge_slave_1) entered blocking state
[ 113.807173] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 113.808270] bridge0: port 1(bridge_slave_0) entered blocking state
[ 113.809350] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 113.834583] bridge0: port 2(bridge_slave_1) entered blocking state
[ 113.835719] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 113.837073] bridge0: port 1(bridge_slave_0) entered blocking state
[ 113.838856] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 113.930243] bridge0: port 2(bridge_slave_1) entered blocking state
[ 113.931901] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 113.933146] bridge0: port 1(bridge_slave_0) entered blocking state
[ 113.934039] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 114.897654] 8021q: adding VLAN 0 to HW filter on device bond0
[ 114.913796] 8021q: adding VLAN 0 to HW filter on device bond0
[ 114.920957] 8021q: adding VLAN 0 to HW filter on device bond0
[ 114.989352] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 115.009374] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 115.013418] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 115.034473] 8021q: adding VLAN 0 to HW filter on device bond0
[ 115.042634] 8021q: adding VLAN 0 to HW filter on device bond0
[ 115.046450] 8021q: adding VLAN 0 to HW filter on device bond0
[ 115.078831] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 115.080664] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 115.112510] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 115.123712] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 115.128439] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 115.134073] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 115.165307] 8021q: adding VLAN 0 to HW filter on device team0
[ 115.195155] 8021q: adding VLAN 0 to HW filter on device team0
[ 115.199031] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 115.202815] 8021q: adding VLAN 0 to HW filter on device team0
[ 115.224997] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 115.248430] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 115.277377] 8021q: adding VLAN 0 to HW filter on device team0
[ 115.330904] 8021q: adding VLAN 0 to HW filter on device team0
[ 115.341763] 8021q: adding VLAN 0 to HW filter on device team0
2019/03/24 20:28:21 executed programs: 92
2019/03/24 20:28:26 executed programs: 450
2019/03/24 20:28:31 executed programs: 759
2019/03/24 20:28:36 executed programs: 1064
2019/03/24 20:28:41 executed programs: 1387
2019/03/24 20:28:46 executed programs: 1702
2019/03/24 20:28:51 executed programs: 2029
2019/03/24 20:28:56 executed programs: 2377
2019/03/24 20:29:01 executed programs: 2721
2019/03/24 20:29:06 executed programs: 3071
2019/03/24 20:29:11 executed programs: 3485
2019/03/24 20:29:16 executed programs: 3894
2019/03/24 20:29:21 executed programs: 4330
2019/03/24 20:29:26 executed programs: 4736
2019/03/24 20:29:31 executed programs: 5118
2019/03/24 20:29:36 executed programs: 5505
2019/03/24 20:29:41 executed programs: 5938
2019/03/24 20:29:46 executed programs: 6344
2019/03/24 20:29:51 executed programs: 6755
2019/03/24 20:29:59 executed programs: 7143
2019/03/24 20:30:04 executed programs: 7527
2019/03/24 20:30:09 executed programs: 7937
2019/03/24 20:30:14 executed programs: 8351
2019/03/24 20:30:19 executed programs: 8758
2019/03/24 20:30:24 executed programs: 9165
2019/03/24 20:30:29 executed programs: 9558
[ 246.073165] ==================================================================
[ 246.075566] BUG: KASAN: use-after-free in link_path_walk+0xf7d/0x1760 at addr ffff88005e75f380
[ 246.078278] Read of size 1 by task syz-executor5/13961
[ 246.079314] CPU: 1 PID: 13961 Comm: syz-executor5 Not tainted 4.9.0-rc3+ #1
[ 246.080222] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 246.081459] ffff8800646f7a00 ffffffff82aa3bb6 ffff88006c000100 ffff88005e75f380
[ 246.082528] ffff88005e75f3a0 fefefefefefefeff ffff8800646f7a28 ffffffff8177725c
[ 246.083599] ffff8800646f7ab8 ffff88005e75f380 ffff88005f54c600 ffff8800646f7aa8
[ 246.084683] Call Trace:
[ 246.085024] [] dump_stack+0xe6/0x120
[ 246.085761] [] kasan_object_err+0x1c/0x70
[ 246.086576] [] kasan_report_error+0x1b0/0x480
[ 246.087430] [] ? generic_permission+0x23c/0x2f0
[ 246.088310] [] __asan_report_load1_noabort+0x3e/0x40
[ 246.089245] [] ? link_path_walk+0xf7d/0x1760
[ 246.090084] [] link_path_walk+0xf7d/0x1760
[ 246.090922] [] ? walk_component+0x1090/0x1090
[ 246.091772] [] ? trailing_symlink+0x173/0x780
[ 246.092620] [] path_lookupat+0x14f/0x410
[ 246.093410] [] filename_lookup+0x166/0x350
[ 246.094229] [] ? filename_parentat+0x3d0/0x3d0
[ 246.095092] [] ? getname_flags+0xfd/0x500
[ 246.095886] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 246.096829] [] user_path_at_empty+0x31/0x40
[ 246.097655] [] do_mount+0xfc/0x2a90
[ 246.098391] [] ? cache_grow_end+0x81/0xd0
[ 246.099192] [] ? copy_mount_string+0x20/0x20
[ 246.100028] [] ? copy_mount_options+0x5c/0x2d0
[ 246.100887] [] ? rcu_read_lock_sched_held+0x9e/0x120
[ 246.101821] [] ? kmem_cache_alloc_trace+0x38e/0x760
[ 246.102750] [] ? copy_mount_options+0x5c/0x2d0
[ 246.103611] [] SyS_mount+0x90/0xd0
[ 246.104313] [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 246.105217] Object at ffff88005e75f380, in cache kmalloc-32 size: 32
[ 246.106112] Allocated:
[ 246.106453] PID = 13965
[ 246.106808]
[ 246.107021] [] save_stack_trace+0x16/0x20
[ 246.107823]
[ 246.108036] [] save_stack+0x46/0xd0
[ 246.108765]
[ 246.108978] [] kasan_kmalloc+0xad/0xe0
[ 246.109745]
[ 246.109958] [] __kmalloc_track_caller+0x185/0x760
[ 246.110854]
[ 246.111068] [] kstrdup+0x2c/0x50
[ 246.111789]
[ 246.112003] [] bpf_symlink+0x20/0x110
[ 246.112761]
[ 246.112974] [] vfs_symlink+0x31e/0x520
[ 246.113745]
[ 246.113958] [] SyS_symlink+0x165/0x1d0
[ 246.114739]
[ 246.114952] [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 246.115865] Freed:
[ 246.116161] PID = 13967
[ 246.116531]
[ 246.116744] [] save_stack_trace+0x16/0x20
[ 246.117548]
[ 246.117760] [] save_stack+0x46/0xd0
[ 246.118500]
[ 246.118713] [] kasan_slab_free+0x70/0xb0
[ 246.119506]
[ 246.119719] [] kfree+0xcf/0x2c0
[ 246.120401]
[ 246.120614] [] bpf_evict_inode+0xe8/0x120
[ 246.121416]
[ 246.121628] [] evict+0x203/0x470
[ 246.122328]
[ 246.122540] [] iput+0x56b/0x880
[ 246.123226]
[ 246.123438] [] do_unlinkat+0x30b/0x640
[ 246.124183]
[ 246.124394] [] SyS_unlink+0x11/0x20
[ 246.125143]
[ 246.125356] [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 246.126277] Memory state around the buggy address:
[ 246.126977] ffff88005e75f280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 246.127988] ffff88005e75f300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 246.129001] >ffff88005e75f380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 246.130012] ^
[ 246.130480] ffff88005e75f400: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 246.131490] ffff88005e75f480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 246.132504] ==================================================================
[ 246.133521] Disabling lock debugging due to kernel taint
[ 246.136152] ==================================================================
[ 246.137203] BUG: KASAN: use-after-free in link_path_walk+0x1339/0x1760 at addr ffff88005e75f384
[ 246.138421] Read of size 1 by task syz-executor5/13961
[ 246.139143] CPU: 1 PID: 13961 Comm: syz-executor5 Tainted: G B 4.9.0-rc3+ #1
[ 246.140277] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 246.141440] ffff8800646f7a00 ffffffff82aa3bb6 ffff88006c000100 ffff88005e75f380
[ 246.142570] ffff88005e75f3a0 fefefefefefefeff ffff8800646f7a28 ffffffff8177725c
[ 246.143675] ffff8800646f7ab8 ffff88005e75f384 0000000000000000 ffff8800646f7aa8
[ 246.144778] Call Trace:
[ 246.145134] [] dump_stack+0xe6/0x120
[ 246.145870] [] kasan_object_err+0x1c/0x70
[ 246.146691] [] kasan_report_error+0x1b0/0x480
[ 246.147497] [] __asan_report_load1_noabort+0x3e/0x40
[ 246.148420] [] ? link_path_walk+0x1339/0x1760
[ 246.149259] [] link_path_walk+0x1339/0x1760
[ 246.150072] [] ? walk_component+0x1090/0x1090
[ 246.150918] [] ? trailing_symlink+0x173/0x780
[ 246.151758] [] path_lookupat+0x14f/0x410
[ 246.152539] [] filename_lookup+0x166/0x350
[ 246.153298] [] ? filename_parentat+0x3d0/0x3d0
[ 246.154161] [] ? getname_flags+0xfd/0x500
[ 246.154953] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 246.155818] [] user_path_at_empty+0x31/0x40
[ 246.156647] [] do_mount+0xfc/0x2a90
[ 246.157366] [] ? cache_grow_end+0x81/0xd0
[ 246.158124] [] ? copy_mount_string+0x20/0x20
[ 246.158903] [] ? copy_mount_options+0x5c/0x2d0
[ 246.159749] [] ? rcu_read_lock_sched_held+0x9e/0x120
[ 246.160670] [] ? kmem_cache_alloc_trace+0x38e/0x760
[ 246.161542] [] ? copy_mount_options+0x5c/0x2d0
[ 246.162397] [] SyS_mount+0x90/0xd0
[ 246.163104] [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 246.164000] Object at ffff88005e75f380, in cache kmalloc-32 size: 32
[ 246.164884] Allocated:
[ 246.165223] PID = 13965
[ 246.165574]
[ 246.165786] [] save_stack_trace+0x16/0x20
[ 246.166605]
[ 246.166815] [] save_stack+0x46/0xd0
[ 246.167536]
[ 246.167746] [] kasan_kmalloc+0xad/0xe0
[ 246.168503]
[ 246.168713] [] __kmalloc_track_caller+0x185/0x760
[ 246.169600]
[ 246.169810] [] kstrdup+0x2c/0x50
[ 246.170500]
[ 246.170710] [] bpf_symlink+0x20/0x110
[ 246.171455]
[ 246.171665] [] vfs_symlink+0x31e/0x520
[ 246.172422]
[ 246.172631] [] SyS_symlink+0x165/0x1d0
[ 246.173390]
[ 246.173598] [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 246.174504] Freed:
[ 246.174796] PID = 13967
[ 246.175146]
[ 246.175356] [] save_stack_trace+0x16/0x20
[ 246.176149]
[ 246.176360] [] save_stack+0x46/0xd0
[ 246.177083]
[ 246.177293] [] kasan_slab_free+0x70/0xb0
[ 246.178075]
[ 246.178286] [] kfree+0xcf/0x2c0
[ 246.178959]
[ 246.179167] [] bpf_evict_inode+0xe8/0x120
[ 246.179958]
[ 246.180167] [] evict+0x203/0x470
[ 246.180852]
[ 246.181059] [] iput+0x56b/0x880
[ 246.181728]
[ 246.181937] [] do_unlinkat+0x30b/0x640
[ 246.182710]
[ 246.182919] [] SyS_unlink+0x11/0x20
[ 246.183639]
[ 246.183848] [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 246.184744] Memory state around the buggy address:
[ 246.185420] ffff88005e75f280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 246.186422] ffff88005e75f300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 246.187400] >ffff88005e75f380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 246.188394] ^
[ 246.188850] ffff88005e75f400: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 246.189847] ffff88005e75f480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 246.190859] ==================================================================
[ 246.192973] ==================================================================
[ 246.193993] BUG: KASAN: use-after-free in path_lookupat+0x3b4/0x410 at addr ffff88005e75f384
[ 246.195165] Read of size 1 by task syz-executor5/13961
[ 246.195850] CPU: 1 PID: 13961 Comm: syz-executor5 Tainted: G B 4.9.0-rc3+ #1
[ 246.196984] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 246.198152] ffff8800646f7ae8 ffffffff82aa3bb6 ffff88006c000100 ffff88005e75f380
[ 246.199253] ffff88005e75f3a0 ffff8800646f7c94 ffff8800646f7b10 ffffffff8177725c
[ 246.200298] ffff8800646f7ba0 ffff88005e75f384 ffffed000c8def92 ffff8800646f7b90
[ 246.201393] Call Trace:
[ 246.201746] [] dump_stack+0xe6/0x120
[ 246.202480] [] kasan_object_err+0x1c/0x70
[ 246.203266] [] kasan_report_error+0x1b0/0x480
[ 246.204100] [] ? walk_component+0x1090/0x1090
[ 246.204934] [] __asan_report_load1_noabort+0x3e/0x40
[ 246.205853] [] ? path_lookupat+0x3b4/0x410
[ 246.206660] [] path_lookupat+0x3b4/0x410
[ 246.207436] [] filename_lookup+0x166/0x350
[ 246.208237] [] ? filename_parentat+0x3d0/0x3d0
[ 246.209082] [] ? getname_flags+0xfd/0x500
[ 246.209839] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 246.210763] [] user_path_at_empty+0x31/0x40
[ 246.211574] [] do_mount+0xfc/0x2a90
[ 246.212292] [] ? cache_grow_end+0x81/0xd0
[ 246.213078] [] ? copy_mount_string+0x20/0x20
[ 246.213857] [] ? copy_mount_options+0x5c/0x2d0
[ 246.214709] [] ? rcu_read_lock_sched_held+0x9e/0x120
[ 246.215624] [] ? kmem_cache_alloc_trace+0x38e/0x760
[ 246.216527] [] ? copy_mount_options+0x5c/0x2d0
[ 246.217372] [] SyS_mount+0x90/0xd0
[ 246.218043] [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 246.218937] Object at ffff88005e75f380, in cache kmalloc-32 size: 32
[ 246.219813] Allocated:
[ 246.220134] PID = 13965
[ 246.220484]
[ 246.220695] [] save_stack_trace+0x16/0x20
[ 246.221487]
[ 246.221689] [] save_stack+0x46/0xd0
[ 246.222385]
[ 246.222594] [] kasan_kmalloc+0xad/0xe0
[ 246.223349]
[ 246.223559] [] __kmalloc_track_caller+0x185/0x760
[ 246.224444]
[ 246.224654] [] kstrdup+0x2c/0x50
[ 246.225340]
[ 246.225548] [] bpf_symlink+0x20/0x110
[ 246.226303]
[ 246.226514] [] vfs_symlink+0x31e/0x520
[ 246.227270]
[ 246.227480] [] SyS_symlink+0x165/0x1d0
[ 246.228239]
[ 246.228449] [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 246.229350] Freed:
[ 246.229642] PID = 13967
[ 246.229993]
[ 246.230213] [] save_stack_trace+0x16/0x20
[ 246.231005]
[ 246.231215] [] save_stack+0x46/0xd0
[ 246.231936]
[ 246.232146] [] kasan_slab_free+0x70/0xb0
[ 246.232929]
[ 246.233139] [] kfree+0xcf/0x2c0
[ 246.233816]
[ 246.234025] [] bpf_evict_inode+0xe8/0x120
[ 246.234822]
[ 246.235032] [] evict+0x203/0x470
[ 246.235719]
[ 246.235929] [] iput+0x56b/0x880
[ 246.236603]
[ 246.236811] [] do_unlinkat+0x30b/0x640
[ 246.237581]
[ 246.237791] [] SyS_unlink+0x11/0x20
[ 246.238540]
[ 246.238749] [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 246.239647] Memory state around the buggy address:
[ 246.240316] ffff88005e75f280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 246.241317] ffff88005e75f300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 246.242309] >ffff88005e75f380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 246.243263] ^
[ 246.243703] ffff88005e75f400: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 246.244655] ffff88005e75f480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 246.245610] ==================================================================
[ 251.954402] device bridge_slave_1 left promiscuous mode
[ 251.957754] bridge0: port 2(bridge_slave_1) entered disabled state
[ 251.994585] device bridge_slave_0 left promiscuous mode
[ 251.995887] bridge0: port 1(bridge_slave_0) entered disabled state
[ 252.082504] team0 (unregistering): Port device team_slave_1 removed
[ 252.086059] team0 (unregistering): Port device team_slave_0 removed
[ 252.089270] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 252.136573] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 252.204037] bond0 (unregistering): Released all slaves