==================================================================
BUG: KASAN: use-after-free in relay_switch_subbuf+0x8cc/0x940 kernel/relay.c:755
Read of size 8 at addr ffff888085e59be0 by task syz-executor.5/13112

CPU: 0 PID: 13112 Comm: syz-executor.5 Not tainted 5.7.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:382
 __kasan_report.cold+0x35/0x4d mm/kasan/report.c:511
 kasan_report+0x33/0x50 mm/kasan/common.c:625
 relay_switch_subbuf+0x8cc/0x940 kernel/relay.c:755
 relay_flush kernel/relay.c:883 [inline]
 relay_flush+0x1bb/0x280 kernel/relay.c:867
 __blk_trace_startstop+0x26f/0x6a0 kernel/trace/blktrace.c:664
 blk_trace_ioctl+0x1e4/0x2b0 kernel/trace/blktrace.c:724
 blkdev_common_ioctl+0x663/0x1770 block/ioctl.c:651
 compat_blkdev_ioctl+0x33d/0x860 block/ioctl.c:787
 __do_compat_sys_ioctl fs/ioctl.c:857 [inline]
 __se_compat_sys_ioctl fs/ioctl.c:808 [inline]
 __ia32_compat_sys_ioctl+0x23d/0x2b0 fs/ioctl.c:808
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x270/0xe90 arch/x86/entry/common.c:396
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

Allocated by task 7036:
 save_stack+0x1b/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 __kasan_kmalloc mm/kasan/common.c:495 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
 slab_post_alloc_hook mm/slab.h:586 [inline]
 slab_alloc mm/slab.c:3320 [inline]
 kmem_cache_alloc+0x11b/0x740 mm/slab.c:3484
 __d_alloc+0x2b/0x8e0 fs/dcache.c:1690
 d_alloc_pseudo+0x19/0x70 fs/dcache.c:1819
 alloc_file_pseudo+0xc6/0x250 fs/file_table.c:225
 sock_alloc_file+0x4f/0x190 net/socket.c:411
 sock_map_fd net/socket.c:435 [inline]
 __sys_socket+0x13d/0x200 net/socket.c:1530
 __do_compat_sys_socketcall net/compat.c:760 [inline]
 __se_compat_sys_socketcall net/compat.c:735 [inline]
 __ia32_compat_sys_socketcall+0x372/0x660 net/compat.c:735
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x270/0xe90 arch/x86/entry/common.c:396
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

Freed by task 7036:
 save_stack+0x1b/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 kasan_set_free_info mm/kasan/common.c:317 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
 __cache_free mm/slab.c:3426 [inline]
 kmem_cache_free+0x7f/0x320 mm/slab.c:3694
 __d_free fs/dcache.c:271 [inline]
 dentry_free fs/dcache.c:348 [inline]
 dentry_free+0xde/0x160 fs/dcache.c:336
 __dentry_kill+0x442/0x5d0 fs/dcache.c:593
 dentry_kill fs/dcache.c:686 [inline]
 dput+0x80c/0xdf0 fs/dcache.c:859
 __fput+0x461/0x880 fs/file_table.c:293
 task_work_run+0xf4/0x1b0 kernel/task_work.c:123
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x2fa/0x360 arch/x86/entry/common.c:165
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
 do_syscall_32_irqs_on arch/x86/entry/common.c:340 [inline]
 do_fast_syscall_32+0xbef/0xe90 arch/x86/entry/common.c:396
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

The buggy address belongs to the object at ffff888085e59b80
 which belongs to the cache dentry of size 304
The buggy address is located 96 bytes inside of
 304-byte region [ffff888085e59b80, ffff888085e59cb0)
The buggy address belongs to the page:
page:ffffea0002179640 refcount:1 mapcount:0 mapping:00000000270bee8a index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00022a9c08 ffffea00021796c8 ffff88821bc50540
raw: 0000000000000000 ffff888085e59000 000000010000000b 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888085e59a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888085e59b00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888085e59b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff888085e59c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888085e59c80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc 00 00
==================================================================