==================================================================
BUG: KASAN: use-after-free in take_option security/selinux/hooks.c:2619 [inline]
BUG: KASAN: use-after-free in selinux_sb_copy_data+0x1cd/0x380 security/selinux/hooks.c:2674
Write of size 10 at addr ffff8801d4c0f000 by task syz-executor3/8166

CPU: 0 PID: 8166 Comm: syz-executor3 Not tainted 4.9.124-g09eb2ba #83
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a00874c8 ffffffff81eb95e9 ffffea00075303c0 ffff8801d4c0f000
 0000000000000001 ffff8801d4c0f000 000000000000000a ffff8801a0087500
 ffffffff8156c35e ffff8801d4c0f000 000000000000000a 0000000000000001
Call Trace:
 [<ffffffff81eb95e9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81eb95e9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8156c35e>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
 [<ffffffff8156c768>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<ffffffff8156c768>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
 [<ffffffff8153e94f>] check_memory_region_inline mm/kasan/kasan.c:318 [inline]
 [<ffffffff8153e94f>] check_memory_region+0x14f/0x1b0 mm/kasan/kasan.c:325
 [<ffffffff8153efa7>] memcpy+0x37/0x50 mm/kasan/kasan.c:361
 [<ffffffff81d0e6ad>] take_option security/selinux/hooks.c:2619 [inline]
 [<ffffffff81d0e6ad>] selinux_sb_copy_data+0x1cd/0x380 security/selinux/hooks.c:2674
 [<ffffffff81cf021b>] security_sb_copy_data+0x7b/0xb0 security/security.c:283
 [<ffffffff81980846>] parse_security_options+0x36/0x90 fs/btrfs/super.c:1493
 [<ffffffff81991873>] btrfs_mount+0x2f3/0x2bc0 fs/btrfs/super.c:1572
 [<ffffffff81582a3c>] mount_fs+0x28c/0x370 fs/super.c:1206
 [<ffffffff815e2321>] vfs_kern_mount.part.29+0xd1/0x3d0 fs/namespace.c:1000
 [<ffffffff815e2660>] vfs_kern_mount+0x40/0x60 fs/namespace.c:982
 [<ffffffff8199198b>] mount_subvol fs/btrfs/super.c:1395 [inline]
 [<ffffffff8199198b>] btrfs_mount+0x40b/0x2bc0 fs/btrfs/super.c:1566
 [<ffffffff81582a3c>] mount_fs+0x28c/0x370 fs/super.c:1206
 [<ffffffff815e2321>] vfs_kern_mount.part.29+0xd1/0x3d0 fs/namespace.c:1000
 [<ffffffff815e9b49>] vfs_kern_mount fs/namespace.c:982 [inline]
 [<ffffffff815e9b49>] do_new_mount fs/namespace.c:2537 [inline]
 [<ffffffff815e9b49>] do_mount+0x3c9/0x2740 fs/namespace.c:2859
 [<ffffffff815ec89e>] SYSC_mount fs/namespace.c:3075 [inline]
 [<ffffffff815ec89e>] SyS_mount+0xfe/0x110 fs/namespace.c:3052
 [<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 [<ffffffff83a019d3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 6857:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:609
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xbe/0x290 mm/slub.c:2728
 dst_alloc+0xb5/0x1a0 net/core/dst.c:210
 rt_dst_alloc+0x78/0x430 net/ipv4/route.c:1486
 __mkroute_output net/ipv4/route.c:2145 [inline]
 __ip_route_output_key_hash+0x9ac/0x23c0 net/ipv4/route.c:2355
 __ip_route_output_key include/net/route.h:123 [inline]
 ip_route_output_flow+0x29/0xa0 net/ipv4/route.c:2442
 udp_sendmsg+0x13cd/0x1c50 net/ipv4/udp.c:1025
 udpv6_sendmsg+0x127d/0x2430 net/ipv6/udp.c:1086
 inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:770
 sock_sendmsg_nosec net/socket.c:648 [inline]
 sock_sendmsg+0xcc/0x110 net/socket.c:658
 ___sys_sendmsg+0x47a/0x840 net/socket.c:1982
 __sys_sendmmsg+0x161/0x3d0 net/socket.c:2072
 SYSC_sendmmsg net/socket.c:2103 [inline]
 SyS_sendmmsg+0x35/0x60 net/socket.c:2098
 do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 17:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xbe/0x310 mm/slub.c:2980
 dst_destroy+0x200/0x360 net/core/dst.c:270
 dst_destroy_rcu+0x15/0x40 net/core/dst.c:295
 __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 rcu_do_batch kernel/rcu/tree.c:2789 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline]
 rcu_process_callbacks+0x8ae/0x12b0 kernel/rcu/tree.c:3037
 __do_softirq+0x210/0x940 kernel/softirq.c:288

The buggy address belongs to the object at ffff8801d4c0f000
 which belongs to the cache ip_dst_cache of size 216
The buggy address is located 0 bytes inside of
 216-byte region [ffff8801d4c0f000, ffff8801d4c0f0d8)
The buggy address belongs to the page:
page:ffffea00075303c0 count:1 mapcount:0 mapping:          (null) index:0xffff8801d4c0fdc0
flags: 0x8000000000000080(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
netlink: 20 bytes leftover after parsing attributes in process `syz-executor7'.
 ffff8801d4c0ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801d4c0ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801d4c0f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8801d4c0f080: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
 ffff8801d4c0f100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================