==================================================================
BUG: KASAN: use-after-free in shmem_free_inode.isra.1+0x83/0x90 mm/shmem.c:214
Read of size 8 at addr ffff8801cc484ce0 by task syz-executor4/12839

CPU: 0 PID: 12839 Comm: syz-executor4 Not tainted 4.9.125+ #37
 ffff8801d1007bb0 ffffffff81af0ae9 ffffea0007312100 ffff8801cc484ce0
 0000000000000000 ffff8801cc484ce0 ffff8801cb430a08 ffff8801d1007be8
 ffffffff814e0e1d ffff8801cc484ce0 0000000000000008 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_address_description+0x6c/0x234 mm/kasan/report.c:256
 [] kasan_report_error mm/kasan/report.c:355 [inline]
 [] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 [] shmem_free_inode.isra.1+0x83/0x90 mm/shmem.c:214
 [] shmem_evict_inode+0x1ad/0x5c0 mm/shmem.c:1067
 [] evict+0x22e/0x4f0 fs/inode.c:553
 [] iput_final fs/inode.c:1516 [inline]
 [] iput+0x371/0x900 fs/inode.c:1543
 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [] __fput+0x263/0x700 fs/file_table.c:208
 [] ____fput+0x15/0x20 fs/file_table.c:244
 [] task_work_run+0x10c/0x180 kernel/task_work.c:116
 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [] exit_to_usermode_loop+0x129/0x150 arch/x86/entry/common.c:161
 [] prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
 [] syscall_return_slowpath arch/x86/entry/common.c:260 [inline]
 [] do_syscall_64+0x35d/0x480 arch/x86/entry/common.c:287
 [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 12845:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:609
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:594
 kmem_cache_alloc_trace+0x117/0x2e0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 shmem_fill_super+0x55/0x940 mm/shmem.c:3576
 mount_nodev+0x5b/0x100 fs/super.c:1146
 shmem_mount+0x2c/0x40 mm/shmem.c:3785
 mount_fs+0x28c/0x370 fs/super.c:1206
 vfs_kern_mount.part.8+0xd1/0x3d0 fs/namespace.c:1000
 vfs_kern_mount fs/namespace.c:982 [inline]
 do_new_mount fs/namespace.c:2537 [inline]
 do_mount+0x3c9/0x2790 fs/namespace.c:2859
 SYSC_mount fs/namespace.c:3075 [inline]
 SyS_mount+0xea/0x100 fs/namespace.c:3052
 do_syscall_64+0x19f/0x480 arch/x86/entry/common.c:282
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 12845:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xfb/0x310 mm/slub.c:3878
 shmem_put_super+0x47/0x90 mm/shmem.c:3565
 generic_shutdown_super+0x149/0x300 fs/super.c:437
 kill_anon_super fs/super.c:968 [inline]
 kill_litter_super+0x72/0x90 fs/super.c:978
 deactivate_locked_super+0x75/0xd0 fs/super.c:310
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1143
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1150
 task_work_run+0x10c/0x180 kernel/task_work.c:116
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x129/0x150 arch/x86/entry/common.c:161
 prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:260 [inline]
 do_syscall_64+0x35d/0x480 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the object at ffff8801cc484c80
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 96 bytes inside of
 512-byte region [ffff8801cc484c80, ffff8801cc484e80)
The buggy address belongs to the page:
page:ffffea0007312100 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x4000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cc484b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801cc484c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801cc484c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff8801cc484d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801cc484d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=62976 sclass=netlink_route_socket pig=12866 comm=syz-executor3
==================================================================
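The report gives three facts that should agree with each other: the access (an 8-byte read at ffff8801cc484ce0), the object it lands in (a kmalloc-512 object at ffff8801cc484c80, freed from shmem_put_super), and the shadow dump around the address. The following Python script is an added example, not part of the report or of the kernel tree; it parses the report's own "Memory state" block (embedded below as constructed input copied from the lines above), looks up the shadow byte for each 8-byte granule the access touches, and checks the "96 bytes inside of 512-byte region" claim. It assumes the generic KASAN layout of one shadow byte per 8 bytes of memory and the shadow values defined in the kernel's mm/kasan/kasan.h (0xfb = freed kmalloc object, 0xfc = kmalloc redzone, and so on).

```python
"""Decode the shadow dump of a generic-mode KASAN report.

Added example for reading the report above; not kernel code. Shadow
byte values follow mm/kasan/kasan.h for generic KASAN (assumption:
8 bytes of memory per shadow byte, 16 shadow bytes per dump row)."""
import re

SHADOW_SCALE = 8  # bytes of memory covered by one shadow byte (generic KASAN)

# Poison values from mm/kasan/kasan.h (generic mode).
SHADOW_NAMES = {
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
    0xf8: "use-after-scope",
    0xfa: "global redzone",
    0xfb: "freed kmalloc object",
    0xfc: "kmalloc redzone",
    0xfe: "page redzone",
    0xff: "freed page",
}

# Constructed input: the "Memory state" rows copied from the report above.
REPORT_MEMORY_STATE = """
Memory state around the buggy address:
 ffff8801cc484b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801cc484c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801cc484c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff8801cc484d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801cc484d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

# Facts stated in the report header (access and object bounds).
ACCESS_ADDR = 0xffff8801cc484ce0
ACCESS_SIZE = 8
OBJECT_START = 0xffff8801cc484c80
OBJECT_SIZE = 512

_ROW_RE = re.compile(r"^\s*>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")


def shadow_name(val):
    """Human-readable meaning of one shadow byte (None = row not dumped)."""
    if val is None:
        return "not in dump"
    if val == 0:
        return "fully accessible"
    if 1 <= val <= 7:
        return f"first {val} bytes accessible (partial)"
    return SHADOW_NAMES.get(val, f"unknown 0x{val:02x}")


def parse_memory_state(text):
    """Map each 8-byte granule start address to its shadow byte.

    Each dump row holds 16 shadow bytes, so it describes 128 bytes of
    memory starting at the printed address. Caret and prose lines are skipped."""
    shadow = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, byte in enumerate(m.group(2).split()):
            shadow[base + i * SHADOW_SCALE] = int(byte, 16)
    return shadow


def classify_access(shadow, addr, size):
    """(granule, shadow value, meaning) for every granule an access touches."""
    first = addr & ~(SHADOW_SCALE - 1)
    last = (addr + size - 1) & ~(SHADOW_SCALE - 1)
    out = []
    for g in range(first, last + 1, SHADOW_SCALE):
        val = shadow.get(g)
        out.append((g, val, shadow_name(val)))
    return out


def object_offset(addr, obj_start, obj_size):
    """Byte offset of addr inside the object, or None if it lies outside."""
    if obj_start <= addr < obj_start + obj_size:
        return addr - obj_start
    return None


def summarize_object(shadow, obj_start, obj_size):
    """Count granules of the object by shadow value (None = not in the dump)."""
    counts = {}
    for g in range(obj_start, obj_start + obj_size, SHADOW_SCALE):
        val = shadow.get(g)
        counts[val] = counts.get(val, 0) + 1
    return counts


if __name__ == "__main__":
    shadow = parse_memory_state(REPORT_MEMORY_STATE)
    for g, val, name in classify_access(shadow, ACCESS_ADDR, ACCESS_SIZE):
        print(f"access granule {g:#x}: shadow {shadow_name(val)}")
    print("offset in object:", object_offset(ACCESS_ADDR, OBJECT_START, OBJECT_SIZE))
    for val, n in summarize_object(shadow, OBJECT_START, OBJECT_SIZE).items():
        print(f"object granules {shadow_name(val)}: {n}")
```

Run on the report's own rows, the single granule the read touches is poisoned 0xfb (freed kmalloc object), the offset comes out as 96 as the header states, and the summary shows that the dump only covers the first 384 bytes of the 512-byte object: the five rows KASAN prints are centred on the faulting address, so the object's tail is simply not shown, not accessible.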