capability: warning: `syz-executor3' uses 32-bit capabilities (legacy support in use) ================================================================== BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1aa/0x1e0 kernel/locking/spinlock_debug.c:112 Read of size 4 at addr ffff8801c5b1ddec by task syz-executor6/3887 CPU: 1 PID: 3887 Comm: syz-executor6 Not tainted 4.14.0-rc5+ #136 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 print_address_description+0x73/0x250 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x25b/0x340 mm/kasan/report.c:409 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429 debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] do_raw_spin_lock+0x1aa/0x1e0 kernel/locking/spinlock_debug.c:112 __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline] _raw_spin_lock+0x32/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:316 [inline] inode_free_security security/selinux/hooks.c:346 [inline] selinux_inode_free_security+0x12a/0x410 security/selinux/hooks.c:2873 security_inode_free+0x50/0x90 security/security.c:442 __destroy_inode+0x287/0x650 fs/inode.c:236 destroy_inode+0xe7/0x200 fs/inode.c:263 evict+0x57e/0x920 fs/inode.c:570 iput_final fs/inode.c:1515 [inline] iput+0x7b9/0xaf0 fs/inode.c:1542 fsnotify_put_mark+0x4d0/0x730 fs/notify/mark.c:237 fsnotify_clear_marks_by_group+0x19a/0x5f0 fs/notify/mark.c:691 fsnotify_destroy_group+0xde/0x3f0 fs/notify/group.c:70 inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:280 __fput+0x327/0x7e0 fs/file_table.c:210 ____fput+0x15/0x20 fs/file_table.c:244 task_work_run+0x199/0x270 kernel/task_work.c:112 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x9b5/0x1ad0 kernel/exit.c:865 do_group_exit+0x149/0x400 kernel/exit.c:968 get_signal+0x73f/0x16d0 kernel/signal.c:2334 do_signal+0x94/0x1ee0 arch/x86/kernel/signal.c:808 exit_to_usermode_loop+0x214/0x310 arch/x86/entry/common.c:158 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline] syscall_return_slowpath+0x42f/0x510 arch/x86/entry/common.c:266 entry_SYSCALL_64_fastpath+0xbc/0xbe RIP: 0033:0x452779 RSP: 002b:00007f6815b25ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 00000000007581a0 RCX: 0000000000452779 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007581a0 RBP: 00000000007581a0 R08: 000000000000018e R09: 0000000000758180 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000a6f7ff R14: 00007f6815b269c0 R15: 000000000000001e Allocated by task 3873: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3627 kmalloc include/linux/slab.h:493 [inline] kzalloc include/linux/slab.h:666 [inline] superblock_alloc_security security/selinux/hooks.c:390 [inline] selinux_sb_alloc_security+0x93/0x2e0 security/selinux/hooks.c:2630 security_sb_alloc+0x6d/0xa0 security/security.c:356 alloc_super fs/super.c:196 [inline] sget_userns+0x36a/0xe20 fs/super.c:505 sget+0xd2/0x120 fs/super.c:557 mount_nodev+0x37/0x100 fs/super.c:1160 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:253 mount_fs+0x66/0x2d0 fs/super.c:1222 vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0xea1/0x2bb0 fs/namespace.c:2840 SYSC_mount fs/namespace.c:3056 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3033 entry_SYSCALL_64_fastpath+0x1f/0xbe Freed by task 3873: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3503 [inline] kfree+0xca/0x250 mm/slab.c:3820 superblock_free_security security/selinux/hooks.c:410 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2635 security_sb_free+0x48/0x80 security/security.c:361 destroy_super+0x93/0x200 fs/super.c:167 __put_super.part.6+0x1a4/0x2a0 fs/super.c:272 __put_super fs/super.c:270 [inline] put_super+0x53/0x70 fs/super.c:286 deactivate_locked_super+0xb0/0xd0 fs/super.c:319 deactivate_super+0x141/0x1b0 fs/super.c:339 cleanup_mnt+0xb2/0x150 fs/namespace.c:1173 __cleanup_mnt+0x16/0x20 fs/namespace.c:1180 task_work_run+0x199/0x270 kernel/task_work.c:112 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x9b5/0x1ad0 kernel/exit.c:865 do_group_exit+0x149/0x400 kernel/exit.c:968 get_signal+0x73f/0x16d0 kernel/signal.c:2334 do_signal+0x94/0x1ee0 arch/x86/kernel/signal.c:808 exit_to_usermode_loop+0x214/0x310 arch/x86/entry/common.c:158 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline] syscall_return_slowpath+0x42f/0x510 arch/x86/entry/common.c:266 entry_SYSCALL_64_fastpath+0xbc/0xbe The buggy address belongs to the object at ffff8801c5b1dd40 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 172 bytes inside of 256-byte region [ffff8801c5b1dd40, ffff8801c5b1de40) The buggy address belongs to the page: page:ffffea000716c740 count:1 mapcount:0 mapping:ffff8801c5b1d0c0 index:0x0 flags: 0x200000000000100(slab) raw: 0200000000000100 ffff8801c5b1d0c0 0000000000000000 000000010000000c raw: ffffea0007155de0 ffffea0007130ae0 ffff8801dac007c0 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801c5b1dc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c5b1dd00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb >ffff8801c5b1dd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801c5b1de00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801c5b1de80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================