================================================================== BUG: KASAN: use-after-free in constant_test_bit arch/x86/include/asm/bitops.h:311 [inline] BUG: KASAN: use-after-free in fuse_dev_do_read.isra.10.constprop.14+0x10c7/0x1220 fs/fuse/dev.c:1303 Read of size 8 at addr ffff8801cc268de0 by task syz-executor0/10728 CPU: 1 PID: 10728 Comm: syz-executor0 Not tainted 4.9.124+ #32 ffff8801d73e7968 ffffffff81af4529 ffffea0007309a00 ffff8801cc268de0 0000000000000000 ffff8801cc268de0 ffff8801d37eee40 ffff8801d73e79a0[ 915.176382] input: syz0 as /devices/virtual/input/input653 ffffffff814f31c5 ffff8801cc268de0 0000000000000008 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] print_address_description+0x6c/0x234 mm/kasan/report.c:256 [] kasan_report_error mm/kasan/report.c:355 [inline] [] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 [] constant_test_bit arch/x86/include/asm/bitops.h:311 [inline] [] fuse_dev_do_read.isra.10.constprop.14+0x10c7/0x1220 fs/fuse/dev.c:1303 [] fuse_dev_read+0x156/0x1f0 fs/fuse/dev.c:1345 [] new_sync_read fs/read_write.c:439 [inline] [] __vfs_read+0x3d4/0x560 fs/read_write.c:451 [] vfs_read+0x124/0x390 fs/read_write.c:472 [] SYSC_read fs/read_write.c:588 [inline] [] SyS_read+0xd9/0x1c0 fs/read_write.c:581 [] do_syscall_64+0x19f/0x480 arch/x86/entry/common.c:282 [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb Allocated by task 10719: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack mm/kasan/kasan.c:505 [inline] set_track mm/kasan/kasan.c:517 [inline] kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:609 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:594 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xba/0x280 mm/slub.c:2728 __fuse_request_alloc+0x27/0xe0 fs/fuse/dev.c:58 fuse_request_alloc+0x18/0x20 fs/fuse/dev.c:86 fuse_fill_super+0xcd3/0x1550 fs/fuse/inode.c:1141 mount_nodev+0x5b/0x100 fs/super.c:1146 fuse_mount+0x2c/0x40 fs/fuse/inode.c:1198 mount_fs+0x28c/0x370 fs/super.c:1206 vfs_kern_mount.part.8+0xd1/0x3d0 fs/namespace.c:1000 vfs_kern_mount fs/namespace.c:982 [inline] do_new_mount fs/namespace.c:2537 [inline] do_mount+0x3c9/0x2790 fs/namespace.c:2859 SYSC_mount fs/namespace.c:3075 [inline] SyS_mount+0xea/0x100 fs/namespace.c:3052 do_syscall_64+0x19f/0x480 arch/x86/entry/common.c:282 entry_SYSCALL_64_after_swapgs+0x5d/0xdb Freed by task 10719: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack mm/kasan/kasan.c:505 [inline] set_track mm/kasan/kasan.c:517 [inline] kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:582 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xbe/0x310 mm/slub.c:2980 fuse_request_free+0x8b/0xa0 fs/fuse/dev.c:101 fuse_put_request+0x259/0x300 fs/fuse/dev.c:288 request_end+0x183/0x610 fs/fuse/dev.c:398 end_requests+0xd8/0x140 fs/fuse/dev.c:2045 fuse_abort_conn+0x850/0xae0 fs/fuse/dev.c:2137 fuse_put_super+0xb8/0x1e0 fs/fuse/inode.c:401 generic_shutdown_super+0x149/0x300 fs/super.c:437 kill_anon_super+0x3c/0x50 fs/super.c:968 fuse_kill_sb_anon+0x90/0xb0 fs/fuse/inode.c:1211 deactivate_locked_super+0x75/0xd0 fs/super.c:310 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1143 __cleanup_mnt+0x16/0x20 fs/namespace.c:1150 task_work_run+0x10c/0x180 kernel/task_work.c:116 tracehook_notify_resume include/linux/tracehook.h:191 [inline] exit_to_usermode_loop+0x129/0x150 arch/x86/entry/common.c:161 prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline] syscall_return_slowpath arch/x86/entry/common.c:260 [inline] do_syscall_64+0x35d/0x480 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_swapgs+0x5d/0xdb The buggy address belongs to the object at ffff8801cc268db0 which belongs to the cache fuse_request of size 456 The buggy address is located 48 bytes inside of 456-byte region [ffff8801cc268db0, ffff8801cc268f78) The buggy address belongs to the page: page:ffffea0007309a00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 flags: 0x4000000000004080(slab|head) page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801cc268c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801cc268d00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc >ffff8801cc268d80: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb ^ ffff8801cc268e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801cc268e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== input: syz0 as /devices/virtual/input/input654 loop7: p1 p2 < p5 p6 p7 p8 p9 p10 p11 p12 p13 p14 p15 p16 p17 p18 p19 p20 p21 p22 p23 p24 p25 p26 p27 p28 p29 p30 p31 p32 p33 p34 p35 p36 p37 p38 p39 p40 p41 p42 p43 p44 p45 p46 p47 p48 p49 p50 p51 p52 p53 p54 p55 p56 p57 p58 p59 p60 p61 p62 p63 p64 p65 p66 p67 p68 p69 p70 p71 p72 p73 p74 p75 p76 p77 p78 p79 p80 p81 p82 p83 p84 p85 p86 p87 p88 p89 p90 p91 p92 p93 p94 p95 p96 p97 p98 p99 p100 p101 p102 p103 p104 p105 p106 p107 p108 p109 p110 p111 p112 p113 p114 p115 p116 p117 p118 p119 p120 p121 p122 p123 p124 p125 p126 p127 p128 p129 p130 p131 p132 p133 p134 p135 p136 p137 p138 p139 p140 p141 p142 p143 p144 p145 p146 p147 p148 p149 p150 p151 p152 p153 p154 p155 p156 p157 p158 p159 p160 p161 p162 p163 p164 p165 p166 p167 p168 p169 p170 p171 p172 p173 p174 p175 p176 p177 p178 p179 p180 p181 p182 p183 p184 p185 p186 p187 p188 p189 p190 p191 p192 p193 p194 p195 p196 p197 p198 p199 p200 p201 p202 p203 p204 p205 p206 p207 p208 p209 p210 p211 p212 p213 p214 p215 p216 p217 p218 p21 loop7: p2 size 2 extends beyond EOD, truncated loop7: p3 start 201 is beyond EOD, truncated loop7: p4 start 301 is beyond EOD, [ 916.463437] input: syz0 as /devices/virtual/input/input655 truncated loop7: p5 start 1 is beyond EOD, truncated loop7: p6 start 1 is beyond EOD, truncated loop7: p7 start 1 is beyond EOD, truncated loop7: p8 start 1 is beyond EOD, truncated loop7: p9 start 1 is beyond EOD, truncated loop7: p10 start 1 is beyond EOD, truncated loop7: p11 start 1 is beyond EOD, truncated loop7: p12 start 1 is beyond EOD, truncated loop7: p13 start 1 is beyond EOD, truncated loop7: p14 start 1 is beyond EOD, truncated loop7: p15 start 1 is beyond EOD, truncated loop7: p16 start 1 is beyond EOD, truncated loop7: p17 start 1 is beyond EOD, truncated loop7: p18 start 1 is beyond EOD, truncated loop7: p19 start 1 is beyond EOD, truncated