==================================================================
BUG: KASAN: use-after-free in take_option security/selinux/hooks.c:2619 [inline]
BUG: KASAN: use-after-free in selinux_sb_copy_data+0x1cd/0x380 security/selinux/hooks.c:2674
Write of size 10 at addr ffff8801d48eb000 by task syz-executor0/13222

CPU: 1 PID: 13222 Comm: syz-executor0 Not tainted 4.9.124-g09eb2ba #83
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d79874c8 ffffffff81eb95e9 ffffea0007523ac0 ffff8801d48eb000
 0000000000000001 ffff8801d48eb000 000000000000000a ffff8801d7987500
 ffffffff8156c35e ffff8801d48eb000 000000000000000a 0000000000000001
Call Trace:
 [<ffffffff81eb95e9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81eb95e9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8156c35e>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
 [<ffffffff8156c768>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<ffffffff8156c768>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
 [<ffffffff8153e94f>] check_memory_region_inline mm/kasan/kasan.c:318 [inline]
 [<ffffffff8153e94f>] check_memory_region+0x14f/0x1b0 mm/kasan/kasan.c:325
 [<ffffffff8153efa7>] memcpy+0x37/0x50 mm/kasan/kasan.c:361
 [<ffffffff81d0e6ad>] take_option security/selinux/hooks.c:2619 [inline]
 [<ffffffff81d0e6ad>] selinux_sb_copy_data+0x1cd/0x380 security/selinux/hooks.c:2674
 [<ffffffff81cf021b>] security_sb_copy_data+0x7b/0xb0 security/security.c:283
 [<ffffffff81980846>] parse_security_options+0x36/0x90 fs/btrfs/super.c:1493
 [<ffffffff81991873>] btrfs_mount+0x2f3/0x2bc0 fs/btrfs/super.c:1572
 [<ffffffff81582a3c>] mount_fs+0x28c/0x370 fs/super.c:1206
 [<ffffffff815e2321>] vfs_kern_mount.part.29+0xd1/0x3d0 fs/namespace.c:1000
 [<ffffffff815e2660>] vfs_kern_mount+0x40/0x60 fs/namespace.c:982
 [<ffffffff8199198b>] mount_subvol fs/btrfs/super.c:1395 [inline]
 [<ffffffff8199198b>] btrfs_mount+0x40b/0x2bc0 fs/btrfs/super.c:1566
 [<ffffffff81582a3c>] mount_fs+0x28c/0x370 fs/super.c:1206
 [<ffffffff815e2321>] vfs_kern_mount.part.29+0xd1/0x3d0 fs/namespace.c:1000
 [<ffffffff815e9b49>] vfs_kern_mount fs/namespace.c:982 [inline]
 [<ffffffff815e9b49>] do_new_mount fs/namespace.c:2537 [inline]
 [<ffffffff815e9b49>] do_mount+0x3c9/0x2740 fs/namespace.c:2859
 [<ffffffff815ec89e>] SYSC_mount fs/namespace.c:3075 [inline]
 [<ffffffff815ec89e>] SyS_mount+0xfe/0x110 fs/namespace.c:3052
 [<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 [<ffffffff83a019d3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 12249:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:609
 __kmalloc+0x11d/0x300 mm/slub.c:3741
 kmalloc_array include/linux/slab.h:582 [inline]
 kcalloc include/linux/slab.h:593 [inline]
 iter_file_splice_write+0x143/0xb30 fs/splice.c:711
 do_splice_from fs/splice.c:870 [inline]
 direct_splice_actor+0x128/0x190 fs/splice.c:1037
 splice_direct_to_actor+0x2c1/0x7e0 fs/splice.c:992
 do_splice_direct+0x1a3/0x270 fs/splice.c:1080
 do_sendfile+0x4f0/0xc60 fs/read_write.c:1393
 SYSC_sendfile64 fs/read_write.c:1454 [inline]
 SyS_sendfile64+0x144/0x160 fs/read_write.c:1440
 do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 12249:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xfb/0x310 mm/slub.c:3878
 iter_file_splice_write+0x512/0xb30 fs/splice.c:795
 do_splice_from fs/splice.c:870 [inline]
 direct_splice_actor+0x128/0x190 fs/splice.c:1037
 splice_direct_to_actor+0x2c1/0x7e0 fs/splice.c:992
 do_splice_direct+0x1a3/0x270 fs/splice.c:1080
 do_sendfile+0x4f0/0xc60 fs/read_write.c:1393
 SYSC_sendfile64 fs/read_write.c:1454 [inline]
 SyS_sendfile64+0x144/0x160 fs/read_write.c:1440
 do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the object at ffff8801d48eb000
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 0 bytes inside of
 256-byte region [ffff8801d48eb000, ffff8801d48eb100)
The buggy address belongs to the page:
page:ffffea0007523ac0 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x8000000000000080(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d48eaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801d48eaf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801d48eb000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8801d48eb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d48eb100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================