VFS: Busy inodes after unmount of ramfs. Self-destruct in 5 seconds.  Have a nice day...
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] at addr ffff8801c82405ac
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1ac/0x1e0 kernel/locking/spinlock_debug.c:112 at addr ffff8801c82405ac
Read of size 4 by task syz-executor7/6855
CPU: 0 PID: 6855 Comm: syz-executor7 Not tainted 4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a285f9a0 ffffffff81d90469 ffff8801da0013c0 ffff8801c8240500
 ffff8801c8240600 ffffed00390480b5 ffff8801c82405ac ffff8801a285f9c8
 ffffffff8153a3fc ffffed00390480b5 ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153aa29>] kasan_report mm/kasan/report.c:329 [inline]
 [<ffffffff8153aa29>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 [<ffffffff8124638c>] debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
 [<ffffffff8124638c>] do_raw_spin_lock+0x1ac/0x1e0 kernel/locking/spinlock_debug.c:112
 [<ffffffff838a8b5e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff838a8b5e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff81be5446>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff81be5446>] inode_free_security security/selinux/hooks.c:343 [inline]
 [<ffffffff81be5446>] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81140e4d>] SYSC_exit_group kernel/exit.c:948 [inline]
 [<ffffffff81140e4d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:946
 [<ffffffff838a9745>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801c8240500, in cache kmalloc-256 size: 256
Allocated:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801c8240480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801c8240500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801c8240580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff8801c8240600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8801c8240680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:84 [inline] at addr ffff8801c82405b8
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1d3/0x1e0 kernel/locking/spinlock_debug.c:112 at addr ffff8801c82405b8
Read of size 8 by task syz-executor7/6855
CPU: 0 PID: 6855 Comm: syz-executor7 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a285f9a0 ffffffff81d90469 ffff8801da0013c0 ffff8801c8240500
 ffff8801c8240600 ffffed00390480b7 ffff8801c82405b8 ffff8801a285f9c8
 ffffffff8153a3fc ffffed00390480b7 ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153aa59>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153aa59>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff812463b3>] debug_spin_lock_before kernel/locking/spinlock_debug.c:84 [inline]
 [<ffffffff812463b3>] do_raw_spin_lock+0x1d3/0x1e0 kernel/locking/spinlock_debug.c:112
 [<ffffffff838a8b5e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff838a8b5e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff81be5446>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff81be5446>] inode_free_security security/selinux/hooks.c:343 [inline]
 [<ffffffff81be5446>] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81140e4d>] SYSC_exit_group kernel/exit.c:948 [inline]
 [<ffffffff81140e4d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:946
 [<ffffffff838a9745>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801c8240500, in cache kmalloc-256 size: 256
Allocated:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801c8240480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801c8240500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801c8240580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8801c8240600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8801c8240680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline] at addr ffff8801c82405b0
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1a2/0x1e0 kernel/locking/spinlock_debug.c:112 at addr ffff8801c82405b0
Read of size 4 by task syz-executor7/6855
CPU: 0 PID: 6855 Comm: syz-executor7 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a285f9a0 ffffffff81d90469 ffff8801da0013c0 ffff8801c8240500
 ffff8801c8240600 ffffed00390480b6 ffff8801c82405b0 ffff8801a285f9c8
 ffffffff8153a3fc ffffed00390480b6 ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153aa29>] kasan_report mm/kasan/report.c:329 [inline]
 [<ffffffff8153aa29>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 [<ffffffff81246382>] debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
 [<ffffffff81246382>] do_raw_spin_lock+0x1a2/0x1e0 kernel/locking/spinlock_debug.c:112
 [<ffffffff838a8b5e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff838a8b5e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff81be5446>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff81be5446>] inode_free_security security/selinux/hooks.c:343 [inline]
 [<ffffffff81be5446>] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81140e4d>] SYSC_exit_group kernel/exit.c:948 [inline]
 [<ffffffff81140e4d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:946
 [<ffffffff838a9745>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801c8240500, in cache kmalloc-256 size: 256
Allocated:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801c8240480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801c8240500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801c8240580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8801c8240600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8801c8240680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_after kernel/locking/spinlock_debug.c:91 [inline] at addr ffff8801c82405b0
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1b9/0x1e0 kernel/locking/spinlock_debug.c:114 at addr ffff8801c82405b0
Write of size 4 by task syz-executor7/6855
CPU: 0 PID: 6855 Comm: syz-executor7 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a285f9a0 ffffffff81d90469 ffff8801da0013c0 ffff8801c8240500
 ffff8801c8240600 ffffed00390480b6 ffff8801c82405b0 ffff8801a285f9c8
 ffffffff8153a3fc ffffed00390480b6 ffff8801da0013c0 0000000000000001
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ab1c>] kasan_report mm/kasan/report.c:334 [inline]
 [<ffffffff8153ab1c>] __asan_report_store4_noabort+0x2c/0x30 mm/kasan/report.c:334
 [<ffffffff81246399>] debug_spin_lock_after kernel/locking/spinlock_debug.c:91 [inline]
 [<ffffffff81246399>] do_raw_spin_lock+0x1b9/0x1e0 kernel/locking/spinlock_debug.c:114
 [<ffffffff838a8b5e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff838a8b5e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff81be5446>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff81be5446>] inode_free_security security/selinux/hooks.c:343 [inline]
 [<ffffffff81be5446>] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81140e4d>] SYSC_exit_group kernel/exit.c:948 [inline]
 [<ffffffff81140e4d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:946
 [<ffffffff838a9745>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801c8240500, in cache kmalloc-256 size: 256
Allocated:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801c8240480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801c8240500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801c8240580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8801c8240600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8801c8240680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_after kernel/locking/spinlock_debug.c:92 [inline] at addr ffff8801c82405b8
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1c6/0x1e0 kernel/locking/spinlock_debug.c:114 at addr ffff8801c82405b8
Write of size 8 by task syz-executor7/6855
CPU: 0 PID: 6855 Comm: syz-executor7 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a285f9a0 ffffffff81d90469 ffff8801da0013c0 ffff8801c8240500
 ffff8801c8240600 ffffed00390480b7 ffff8801c82405b8 ffff8801a285f9c8
 ffffffff8153a3fc ffffed00390480b7 ffff8801da0013c0 0000000000000001
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ab4c>] kasan_report mm/kasan/report.c:335 [inline]
 [<ffffffff8153ab4c>] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335
 [<ffffffff812463a6>] debug_spin_lock_after kernel/locking/spinlock_debug.c:92 [inline]
 [<ffffffff812463a6>] do_raw_spin_lock+0x1c6/0x1e0 kernel/locking/spinlock_debug.c:114
 [<ffffffff838a8b5e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff838a8b5e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff81be5446>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff81be5446>] inode_free_security security/selinux/hooks.c:343 [inline]
 [<ffffffff81be5446>] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81140e4d>] SYSC_exit_group kernel/exit.c:948 [inline]
 [<ffffffff81140e4d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:946
 [<ffffffff838a9745>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801c8240500, in cache kmalloc-256 size: 256
Allocated:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801c8240480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801c8240500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801c8240580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8801c8240600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8801c8240680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in __list_del_entry+0x184/0x1d0 lib/list_debug.c:57 at addr ffff8801c8240598
Read of size 8 by task syz-executor7/6855
CPU: 0 PID: 6855 Comm: syz-executor7 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a285f9c8 ffffffff81d90469 ffff8801da0013c0 ffff8801c8240500
 ffff8801c8240600 ffffed00390480b3 ffff8801c8240598 ffff8801a285f9f0
 ffffffff8153a3fc ffffed00390480b3 ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153aa59>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153aa59>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff81df77e4>] __list_del_entry+0x184/0x1d0 lib/list_debug.c:57
 [<ffffffff81be544e>] list_del_init include/linux/list.h:145 [inline]
 [<ffffffff81be544e>] inode_free_security security/selinux/hooks.c:344 [inline]
 [<ffffffff81be544e>] selinux_inode_free_security+0xce/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81140e4d>] SYSC_exit_group kernel/exit.c:948 [inline]
 [<ffffffff81140e4d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:946
 [<ffffffff838a9745>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801c8240500, in cache kmalloc-256 size: 256
Allocated:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801c8240480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801c8240500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801c8240580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff8801c8240600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8801c8240680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in __list_del_entry+0x196/0x1d0 lib/list_debug.c:60 at addr ffff8801c82405a0
Read of size 8 by task syz-executor7/6855
CPU: 0 PID: 6855 Comm: syz-executor7 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a285f9c8 ffffffff81d90469 ffff8801da0013c0 ffff8801c8240500
 ffff8801c8240600 ffffed00390480b4 ffff8801c82405a0 ffff8801a285f9f0
 ffffffff8153a3fc ffffed00390480b4 ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153aa59>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153aa59>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff81df77f6>] __list_del_entry+0x196/0x1d0 lib/list_debug.c:60
 [<ffffffff81be544e>] list_del_init include/linux/list.h:145 [inline]
 [<ffffffff81be544e>] inode_free_security security/selinux/hooks.c:344 [inline]
 [<ffffffff81be544e>] selinux_inode_free_security+0xce/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81140e4d>] SYSC_exit_group kernel/exit.c:948 [inline]
 [<ffffffff81140e4d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:946
 [<ffffffff838a9745>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801c8240500, in cache kmalloc-256 size: 256
Allocated:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801c8240480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801c8240500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801c8240580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8801c8240600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8801c8240680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:272 [inline] at addr ffff8801c8240598
BUG: KASAN: use-after-free in __list_del include/linux/list.h:90 [inline] at addr ffff8801c8240598
BUG: KASAN: use-after-free in __list_del_entry+0x173/0x1d0 lib/list_debug.c:65 at addr ffff8801c8240598
Write of size 8 by task syz-executor7/6855
CPU: 0 PID: 6855 Comm: syz-executor7 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a285f9c8 ffffffff81d90469 ffff8801da0013c0 ffff8801c8240500
 ffff8801c8240600 ffffed00390480b3 ffff8801c8240598 ffff8801a285f9f0
 ffffffff8153a3fc ffffed00390480b3 ffff8801da0013c0 0000000000000001
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ab4c>] kasan_report mm/kasan/report.c:335 [inline]
 [<ffffffff8153ab4c>] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335
 [<ffffffff81df77d3>] __write_once_size include/linux/compiler.h:272 [inline]
 [<ffffffff81df77d3>] __list_del include/linux/list.h:90 [inline]
 [<ffffffff81df77d3>] __list_del_entry+0x173/0x1d0 lib/list_debug.c:65
 [<ffffffff81be544e>] list_del_init include/linux/list.h:145 [inline]
 [<ffffffff81be544e>] inode_free_security security/selinux/hooks.c:344 [inline]
 [<ffffffff81be544e>] selinux_inode_free_security+0xce/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81140e4d>] SYSC_exit_group kernel/exit.c:948 [inline]
 [<ffffffff81140e4d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:946
 [<ffffffff838a9745>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801c8240500, in cache kmalloc-256 size: 256
Allocated:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801c8240480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801c8240500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801c8240580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff8801c8240600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8801c8240680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:97 [inline] at addr ffff8801c82405ac
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1d4/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801c82405ac
Read of size 4 by task syz-executor7/6855
CPU: 0 PID: 6855 Comm: syz-executor7 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a285f9b0 ffffffff81d90469 ffff8801da0013c0 ffff8801c8240500
 ffff8801c8240600 ffffed00390480b5 ffff8801c82405ac ffff8801a285f9d8
 ffffffff8153a3fc ffffed00390480b5 ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153aa29>] kasan_report mm/kasan/report.c:329 [inline]
 [<ffffffff8153aa29>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 [<ffffffff81246664>] debug_spin_unlock kernel/locking/spinlock_debug.c:97 [inline]
 [<ffffffff81246664>] do_raw_spin_unlock+0x1d4/0x210 kernel/locking/spinlock_debug.c:134
 [<ffffffff838a8ea2>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff838a8ea2>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff81be5496>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff81be5496>] inode_free_security security/selinux/hooks.c:345 [inline]
 [<ffffffff81be5496>] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81140e4d>] SYSC_exit_group kernel/exit.c:948 [inline]
 [<ffffffff81140e4d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:946
 [<ffffffff838a9745>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801c8240500, in cache kmalloc-256 size: 256
Allocated:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801c8240480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801c8240500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801c8240580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff8801c8240600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8801c8240680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801c82405a8
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801c82405a8
BUG: KASAN: use-after-free in queued_spin_is_locked include/asm-generic/qspinlock.h:49 [inline] at addr ffff8801c82405a8
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:98 [inline] at addr ffff8801c82405a8
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1ca/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801c82405a8
Read of size 4 by task syz-executor7/6855
CPU: 0 PID: 6855 Comm: syz-executor7 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a285f9b0 ffffffff81d90469 ffff8801da0013c0 ffff8801c8240500
 ffff8801c8240600 ffffed00390480b5 ffff8801c82405a8 ffff8801a285f9d8
 ffffffff8153a3fc ffffed00390480b5 ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153aa29>] kasan_report mm/kasan/report.c:329 [inline]
 [<ffffffff8153aa29>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 [<ffffffff8124665a>] __read_once_size include/linux/compiler.h:243 [inline]
 [<ffffffff8124665a>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 [<ffffffff8124665a>] queued_spin_is_locked include/asm-generic/qspinlock.h:49 [inline]
 [<ffffffff8124665a>] debug_spin_unlock kernel/locking/spinlock_debug.c:98 [inline]
 [<ffffffff8124665a>] do_raw_spin_unlock+0x1ca/0x210 kernel/locking/spinlock_debug.c:134
 [<ffffffff838a8ea2>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff838a8ea2>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff81be5496>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff81be5496>] inode_free_security security/selinux/hooks.c:345 [inline]
 [<ffffffff81be5496>] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81140e4d>] SYSC_exit_group kernel/exit.c:948 [inline]
 [<ffffffff81140e4d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:946
 [<ffffffff838a9745>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801c8240500, in cache kmalloc-256 size: 256
Allocated:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801c8240480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801c8240500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801c8240580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff8801c8240600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8801c8240680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:99 [inline] at addr ffff8801c82405b8
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1fb/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801c82405b8
Read of size 8 by task syz-executor7/6855
CPU: 0 PID: 6855 Comm: syz-executor7 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a285f9b0 ffffffff81d90469 ffff8801da0013c0 ffff8801c8240500
 ffff8801c8240600 ffffed00390480b7 ffff8801c82405b8 ffff8801a285f9d8
 ffffffff8153a3fc ffffed00390480b7 ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153aa59>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153aa59>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff8124668b>] debug_spin_unlock kernel/locking/spinlock_debug.c:99 [inline]
 [<ffffffff8124668b>] do_raw_spin_unlock+0x1fb/0x210 kernel/locking/spinlock_debug.c:134
 [<ffffffff838a8ea2>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff838a8ea2>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff81be5496>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff81be5496>] inode_free_security security/selinux/hooks.c:345 [inline]
 [<ffffffff81be5496>] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81140e4d>] SYSC_exit_group kernel/exit.c:948 [inline]
 [<ffffffff81140e4d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:946
 [<ffffffff838a9745>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801c8240500, in cache kmalloc-256 size: 256
Allocated:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801c8240480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801c8240500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801c8240580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8801c8240600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8801c8240680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:100 [inline] at addr ffff8801c82405b0
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1e1/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801c82405b0
Read of size 4 by task syz-executor7/6855
CPU: 0 PID: 6855 Comm: syz-executor7 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a285f9b0 ffffffff81d90469 ffff8801da0013c0 ffff8801c8240500
 ffff8801c8240600 ffffed00390480b6 ffff8801c82405b0 ffff8801a285f9d8
 ffffffff8153a3fc ffffed00390480b6 ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153aa29>] kasan_report mm/kasan/report.c:329 [inline]
 [<ffffffff8153aa29>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 [<ffffffff81246671>] debug_spin_unlock kernel/locking/spinlock_debug.c:100 [inline]
 [<ffffffff81246671>] do_raw_spin_unlock+0x1e1/0x210 kernel/locking/spinlock_debug.c:134
 [<ffffffff838a8ea2>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff838a8ea2>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff81be5496>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff81be5496>] inode_free_security security/selinux/hooks.c:345 [inline]
 [<ffffffff81be5496>] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81140e4d>] SYSC_exit_group kernel/exit.c:948 [inline]
 [<ffffffff81140e4d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:946
 [<ffffffff838a9745>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801c8240500, in cache kmalloc-256 size: 256
Allocated:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801c8240480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801c8240500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801c8240580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8801c8240600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8801c8240680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:102 [inline] at addr ffff8801c82405b8
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x208/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801c82405b8
Write of size 8 by task syz-executor7/6855
CPU: 0 PID: 6855 Comm: syz-executor7 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a285f9b0 ffffffff81d90469 ffff8801da0013c0 ffff8801c8240500
 ffff8801c8240600 ffffed00390480b7 ffff8801c82405b8 ffff8801a285f9d8
 ffffffff8153a3fc ffffed00390480b7 ffff8801da0013c0 0000000000000001
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ab4c>] kasan_report mm/kasan/report.c:335 [inline]
 [<ffffffff8153ab4c>] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335
 [<ffffffff81246698>] debug_spin_unlock kernel/locking/spinlock_debug.c:102 [inline]
 [<ffffffff81246698>] do_raw_spin_unlock+0x208/0x210 kernel/locking/spinlock_debug.c:134
 [<ffffffff838a8ea2>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff838a8ea2>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff81be5496>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff81be5496>] inode_free_security security/selinux/hooks.c:345 [inline]
 [<ffffffff81be5496>] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81140e4d>] SYSC_exit_group kernel/exit.c:948 [inline]
 [<ffffffff81140e4d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:946
 [<ffffffff838a9745>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801c8240500, in cache kmalloc-256 size: 256
Allocated:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801c8240480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801c8240500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801c8240580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8801c8240600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8801c8240680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:103 [inline] at addr ffff8801c82405b0
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1ee/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801c82405b0
Write of size 4 by task syz-executor7/6855
CPU: 0 PID: 6855 Comm: syz-executor7 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a285f9b0 ffffffff81d90469 ffff8801da0013c0 ffff8801c8240500
 ffff8801c8240600 ffffed00390480b6 ffff8801c82405b0 ffff8801a285f9d8
 ffffffff8153a3fc ffffed00390480b6 ffff8801da0013c0 0000000000000001
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ab1c>] kasan_report mm/kasan/report.c:334 [inline]
 [<ffffffff8153ab1c>] __asan_report_store4_noabort+0x2c/0x30 mm/kasan/report.c:334
 [<ffffffff8124667e>] debug_spin_unlock kernel/locking/spinlock_debug.c:103 [inline]
 [<ffffffff8124667e>] do_raw_spin_unlock+0x1ee/0x210 kernel/locking/spinlock_debug.c:134
 [<ffffffff838a8ea2>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff838a8ea2>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff81be5496>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff81be5496>] inode_free_security security/selinux/hooks.c:345 [inline]
 [<ffffffff81be5496>] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81140e4d>] SYSC_exit_group kernel/exit.c:948 [inline]
 [<ffffffff81140e4d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:946
 [<ffffffff838a9745>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801c8240500, in cache kmalloc-256 size: 256
Allocated:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 6858
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801c8240480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801c8240500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801c8240580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8801c8240600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8801c8240680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
device gre0 entered promiscuous mode
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 7008 Comm: syz-executor5 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d8a978f0 ffffffff81d90469 ffff8801d8a97bd0 0000000000000000
 ffff8801a972e410 ffff8801d8a97ac0 ffff8801a972e300 ffff8801d8a97ae8
 ffffffff8165e417 0000000000000038 ffff8801d8a97a40 00000001c9d2b067
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8165e417>] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cd6c1>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cd6c1>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cd6c1>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cd6c1>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810dd447>] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396
 [<ffffffff810ddc27>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838aa918>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff838a9745>] entry_SYSCALL_64_fastpath+0x23/0xc6
CPU: 1 PID: 7019 Comm: syz-executor5 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d0537860 ffffffff81d90469 ffff8801d0537b40 0000000000000000
 ffff8801a972e410 ffff8801d0537a30 ffff8801a972e300 ffff8801d0537a58
 ffffffff8165e417 ffffffff811b6f61 ffff8801d05379b0 00000001c9d2b067
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8165e417>] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cd6c1>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cd6c1>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cd6c1>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cd6c1>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810dd447>] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396
 [<ffffffff810ddc27>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838aa918>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff8116789d>] SyS_rt_sigtimedwait+0x2d/0x40 kernel/signal.c:2819
 [<ffffffff838a9745>] entry_SYSCALL_64_fastpath+0x23/0xc6
sg_write: data in/out 327644/28 bytes for SCSI command 0x0-- guessing data in;
   program syz-executor7 not setting count and/or reply_len properly
binder: 7135:7138 ioctl 541c 20647000 returned -22
binder: 7135:7138 ioctl 541c 20647000 returned -22
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
nla_parse: 11 callbacks suppressed
netlink: 2 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor1'.
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=769 sclass=netlink_audit_socket pig=7434 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=770 sclass=netlink_audit_socket pig=7434 comm=syz-executor1
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=770 sclass=netlink_audit_socket pig=7458 comm=syz-executor1
binder: 7569:7571 ioctl c08c5335 209dcf74 returned -22
binder: 7569:7571 ioctl 80084502 2099ffaa returned -22
binder: 7569:7571 ioctl c08c5335 209dcf74 returned -22
binder: 7569:7571 ioctl 80084502 2099ffaa returned -22
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7772 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7772 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7772 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7775 comm=syz-executor4