IPVS: Creating netns size=2536 id=1
==================================================================
BUG: KASAN: use-after-free in take_option security/selinux/hooks.c:2634 [inline]
BUG: KASAN: use-after-free in selinux_sb_copy_data+0x25f/0x390 security/selinux/hooks.c:2689
Write of size 10 at addr ffff8801b9a3b000 by task syz-executor0/3792

CPU: 1 PID: 3792 Comm: syz-executor0 Not tainted 4.9.92-g13b40d3 #72
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d89574e0 ffffffff81d95109 ffffea0006e68ec0 ffff8801b9a3b000
 0000000000000001 ffff8801b9a3b000 dffffc0000000000 ffff8801d8957518
 ffffffff8153d5d3 ffff8801b9a3b000 000000000000000a 0000000000000001
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_address_description+0x73/0x280 mm/kasan/report.c:256
 [] kasan_report_error mm/kasan/report.c:355 [inline]
 [] kasan_report+0x255/0x380 mm/kasan/report.c:412
 [] check_memory_region_inline mm/kasan/kasan.c:318 [inline]
 [] check_memory_region+0x137/0x190 mm/kasan/kasan.c:325
 [] memcpy+0x37/0x50 mm/kasan/kasan.c:361
 [] take_option security/selinux/hooks.c:2634 [inline]
 [] selinux_sb_copy_data+0x25f/0x390 security/selinux/hooks.c:2689
 [] security_sb_copy_data+0x75/0xb0 security/security.c:283
 [] parse_security_options+0x36/0x90 fs/btrfs/super.c:1493
 [] btrfs_mount+0xa02/0x2c00 fs/btrfs/super.c:1572
 [] mount_fs+0x27f/0x350 fs/super.c:1206
 [] vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 [] vfs_kern_mount+0x40/0x60 fs/namespace.c:973
 [] mount_subvol fs/btrfs/super.c:1395 [inline]
 [] btrfs_mount+0x2ee/0x2c00 fs/btrfs/super.c:1566
 [] mount_fs+0x27f/0x350 fs/super.c:1206
 [] vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 [] vfs_kern_mount fs/namespace.c:2509 [inline]
 [] do_new_mount fs/namespace.c:2512 [inline]
 [] do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 [] SYSC_mount fs/namespace.c:3050 [inline]
 [] SyS_mount+0xab/0x120 fs/namespace.c:3027
 [] do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282
 [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 2104:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:609
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xba/0x290 mm/slub.c:2728
 ptlock_alloc+0x24/0x70 mm/memory.c:4105
 ptlock_init include/linux/mm.h:1638 [inline]
 pgtable_page_ctor include/linux/mm.h:1672 [inline]
 pte_alloc_one+0x62/0x100 arch/x86/mm/pgtable.c:31
 do_fault_around mm/memory.c:3123 [inline]
 do_read_fault mm/memory.c:3169 [inline]
 do_fault mm/memory.c:3309 [inline]
 handle_pte_fault mm/memory.c:3510 [inline]
 __handle_mm_fault mm/memory.c:3597 [inline]
 handle_mm_fault+0x2160/0x2460 mm/memory.c:3634
 __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1407
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1470
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:951

Freed by task 2104:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xc7/0x300 mm/slub.c:2980
 ptlock_free+0x38/0x50 mm/memory.c:4114
 pte_lock_deinit include/linux/mm.h:1648 [inline]
 pgtable_page_dtor include/linux/mm.h:1680 [inline]
 ___pte_free_tlb+0x43/0x1a0 arch/x86/mm/pgtable.c:57
 __pte_free_tlb arch/x86/include/asm/pgalloc.h:59 [inline]
 free_pte_range mm/memory.c:409 [inline]
 free_pmd_range mm/memory.c:427 [inline]
 free_pud_range mm/memory.c:461 [inline]
 free_pgd_range+0x562/0xa30 mm/memory.c:537
 free_pgtables+0x270/0x330 mm/memory.c:569
 exit_mmap+0x21a/0x400 mm/mmap.c:2990
 __mmput kernel/fork.c:878 [inline]
 mmput+0xf3/0x2d0 kernel/fork.c:900
 exit_mm kernel/exit.c:514 [inline]
 do_exit+0x70a/0x2a40 kernel/exit.c:820
 do_group_exit+0x108/0x320 kernel/exit.c:937
 SYSC_exit_group kernel/exit.c:948 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:946
 do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the object at ffff8801b9a3b000
 which belongs to the cache page->ptl of size 56
The buggy address is located 0 bytes inside of
 56-byte region [ffff8801b9a3b000, ffff8801b9a3b038)
The buggy address belongs to the page:
page:ffffea0006e68ec0 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x8000000000000080(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801b9a3af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801b9a3af80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801b9a3b000: fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb fb
                   ^
 ffff8801b9a3b080: fb fb fc fc fc fc fb fb fb fb fb fb fb fc fc fc
 ffff8801b9a3b100: fc fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
==================================================================