================================================================== BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] at addr ffff8801a57b05ac BUG: KASAN: use-after-free in do_raw_spin_lock+0x1ac/0x1e0 kernel/locking/spinlock_debug.c:112 at addr ffff8801a57b05ac Read of size 4 by task syz-executor7/9062 CPU: 1 PID: 9062 Comm: syz-executor7 Not tainted 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cbfaf6f8 ffffffff81d91589 ffff8801da0013c0 ffff8801a57b0500 ffff8801a57b0600 ffffed0034af60b5 ffff8801a57b05ac ffff8801cbfaf720 ffffffff8153c1bc ffffed0034af60b5 ffff8801da0013c0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] [] do_raw_spin_lock+0x1ac/0x1e0 kernel/locking/spinlock_debug.c:112 [] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline] [] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] inode_free_security security/selinux/hooks.c:343 [inline] [] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845 [] security_inode_free+0x50/0x90 security/security.c:356 [] __destroy_inode+0x2e/0x220 fs/inode.c:235 [] destroy_inode+0x4e/0x120 fs/inode.c:262 [] evict+0x329/0x4f0 fs/inode.c:570 [] iput_final fs/inode.c:1516 [inline] [] iput+0x47b/0x900 fs/inode.c:1543 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a57b0500, in cache kmalloc-256 size: 256 Allocated: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] superblock_alloc_security security/selinux/hooks.c:387 [inline] selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602 security_sb_alloc+0x6d/0xa0 security/security.c:273 alloc_super fs/super.c:197 [inline] sget_userns+0x27c/0xb70 fs/super.c:503 sget+0xd2/0x120 fs/super.c:555 mount_nodev+0x37/0x100 fs/super.c:1137 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x27f/0x350 fs/super.c:1202 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x3e1/0x28b0 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 superblock_free_security security/selinux/hooks.c:407 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607 security_sb_free+0x48/0x80 security/security.c:278 destroy_super+0x36/0x170 fs/super.c:167 __put_super.part.5+0x56/0x70 fs/super.c:274 __put_super fs/super.c:272 [inline] put_super+0x53/0x70 fs/super.c:288 deactivate_locked_super+0xb0/0xd0 fs/super.c:321 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140 task_work_run+0x115/0x190 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7e7/0x2a40 kernel/exit.c:833 do_group_exit+0x108/0x320 kernel/exit.c:937 get_signal+0x4d4/0x14e0 kernel/signal.c:2315 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: ffff8801a57b0480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801a57b0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801a57b0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a57b0600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801a57b0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:84 [inline] at addr ffff8801a57b05b8 BUG: KASAN: use-after-free in do_raw_spin_lock+0x1d3/0x1e0 kernel/locking/spinlock_debug.c:112 at addr ffff8801a57b05b8 Read of size 8 by task syz-executor7/9062 CPU: 1 PID: 9062 Comm: syz-executor7 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cbfaf6f8 ffffffff81d91589 ffff8801da0013c0 ffff8801a57b0500 ffff8801a57b0600 ffffed0034af60b7 ffff8801a57b05b8 ffff8801cbfaf720 ffffffff8153c1bc ffffed0034af60b7 ffff8801da0013c0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] debug_spin_lock_before kernel/locking/spinlock_debug.c:84 [inline] [] do_raw_spin_lock+0x1d3/0x1e0 kernel/locking/spinlock_debug.c:112 [] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline] [] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] inode_free_security security/selinux/hooks.c:343 [inline] [] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845 [] security_inode_free+0x50/0x90 security/security.c:356 [] __destroy_inode+0x2e/0x220 fs/inode.c:235 [] destroy_inode+0x4e/0x120 fs/inode.c:262 [] evict+0x329/0x4f0 fs/inode.c:570 [] iput_final fs/inode.c:1516 [inline] [] iput+0x47b/0x900 fs/inode.c:1543 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a57b0500, in cache kmalloc-256 size: 256 Allocated: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] superblock_alloc_security security/selinux/hooks.c:387 [inline] selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602 security_sb_alloc+0x6d/0xa0 security/security.c:273 alloc_super fs/super.c:197 [inline] sget_userns+0x27c/0xb70 fs/super.c:503 sget+0xd2/0x120 fs/super.c:555 mount_nodev+0x37/0x100 fs/super.c:1137 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x27f/0x350 fs/super.c:1202 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x3e1/0x28b0 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 superblock_free_security security/selinux/hooks.c:407 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607 security_sb_free+0x48/0x80 security/security.c:278 destroy_super+0x36/0x170 fs/super.c:167 __put_super.part.5+0x56/0x70 fs/super.c:274 __put_super fs/super.c:272 [inline] put_super+0x53/0x70 fs/super.c:288 deactivate_locked_super+0xb0/0xd0 fs/super.c:321 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140 task_work_run+0x115/0x190 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7e7/0x2a40 kernel/exit.c:833 do_group_exit+0x108/0x320 kernel/exit.c:937 get_signal+0x4d4/0x14e0 kernel/signal.c:2315 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: ffff8801a57b0480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801a57b0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801a57b0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a57b0600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801a57b0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline] at addr ffff8801a57b05b0 BUG: KASAN: use-after-free in do_raw_spin_lock+0x1a2/0x1e0 kernel/locking/spinlock_debug.c:112 at addr ffff8801a57b05b0 Read of size 4 by task syz-executor7/9062 CPU: 1 PID: 9062 Comm: syz-executor7 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cbfaf6f8 ffffffff81d91589 ffff8801da0013c0 ffff8801a57b0500 ffff8801a57b0600 ffffed0034af60b6 ffff8801a57b05b0 ffff8801cbfaf720 ffffffff8153c1bc ffffed0034af60b6 ffff8801da0013c0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline] [] do_raw_spin_lock+0x1a2/0x1e0 kernel/locking/spinlock_debug.c:112 [] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline] [] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] inode_free_security security/selinux/hooks.c:343 [inline] [] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845 [] security_inode_free+0x50/0x90 security/security.c:356 [] __destroy_inode+0x2e/0x220 fs/inode.c:235 [] destroy_inode+0x4e/0x120 fs/inode.c:262 [] evict+0x329/0x4f0 fs/inode.c:570 [] iput_final fs/inode.c:1516 [inline] [] iput+0x47b/0x900 fs/inode.c:1543 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a57b0500, in cache kmalloc-256 size: 256 Allocated: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] superblock_alloc_security security/selinux/hooks.c:387 [inline] selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602 security_sb_alloc+0x6d/0xa0 security/security.c:273 alloc_super fs/super.c:197 [inline] sget_userns+0x27c/0xb70 fs/super.c:503 sget+0xd2/0x120 fs/super.c:555 mount_nodev+0x37/0x100 fs/super.c:1137 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x27f/0x350 fs/super.c:1202 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x3e1/0x28b0 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 superblock_free_security security/selinux/hooks.c:407 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607 security_sb_free+0x48/0x80 security/security.c:278 destroy_super+0x36/0x170 fs/super.c:167 __put_super.part.5+0x56/0x70 fs/super.c:274 __put_super fs/super.c:272 [inline] put_super+0x53/0x70 fs/super.c:288 deactivate_locked_super+0xb0/0xd0 fs/super.c:321 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140 task_work_run+0x115/0x190 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7e7/0x2a40 kernel/exit.c:833 do_group_exit+0x108/0x320 kernel/exit.c:937 get_signal+0x4d4/0x14e0 kernel/signal.c:2315 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: ffff8801a57b0480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801a57b0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801a57b0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a57b0600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801a57b0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_lock_after kernel/locking/spinlock_debug.c:91 [inline] at addr ffff8801a57b05b0 BUG: KASAN: use-after-free in do_raw_spin_lock+0x1b9/0x1e0 kernel/locking/spinlock_debug.c:114 at addr ffff8801a57b05b0 Write of size 4 by task syz-executor7/9062 CPU: 1 PID: 9062 Comm: syz-executor7 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cbfaf6f8 ffffffff81d91589 ffff8801da0013c0 ffff8801a57b0500 ffff8801a57b0600 ffffed0034af60b6 ffff8801a57b05b0 ffff8801cbfaf720 ffffffff8153c1bc ffffed0034af60b6 ffff8801da0013c0 0000000000000001 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:334 [inline] [] __asan_report_store4_noabort+0x2c/0x30 mm/kasan/report.c:334 [] debug_spin_lock_after kernel/locking/spinlock_debug.c:91 [inline] [] do_raw_spin_lock+0x1b9/0x1e0 kernel/locking/spinlock_debug.c:114 [] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline] [] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] inode_free_security security/selinux/hooks.c:343 [inline] [] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845 [] security_inode_free+0x50/0x90 security/security.c:356 [] __destroy_inode+0x2e/0x220 fs/inode.c:235 [] destroy_inode+0x4e/0x120 fs/inode.c:262 [] evict+0x329/0x4f0 fs/inode.c:570 [] iput_final fs/inode.c:1516 [inline] [] iput+0x47b/0x900 fs/inode.c:1543 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a57b0500, in cache kmalloc-256 size: 256 Allocated: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] superblock_alloc_security security/selinux/hooks.c:387 [inline] selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602 security_sb_alloc+0x6d/0xa0 security/security.c:273 alloc_super fs/super.c:197 [inline] sget_userns+0x27c/0xb70 fs/super.c:503 sget+0xd2/0x120 fs/super.c:555 mount_nodev+0x37/0x100 fs/super.c:1137 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x27f/0x350 fs/super.c:1202 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x3e1/0x28b0 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 superblock_free_security security/selinux/hooks.c:407 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607 security_sb_free+0x48/0x80 security/security.c:278 destroy_super+0x36/0x170 fs/super.c:167 __put_super.part.5+0x56/0x70 fs/super.c:274 __put_super fs/super.c:272 [inline] put_super+0x53/0x70 fs/super.c:288 deactivate_locked_super+0xb0/0xd0 fs/super.c:321 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140 task_work_run+0x115/0x190 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7e7/0x2a40 kernel/exit.c:833 do_group_exit+0x108/0x320 kernel/exit.c:937 get_signal+0x4d4/0x14e0 kernel/signal.c:2315 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: ffff8801a57b0480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801a57b0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801a57b0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a57b0600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801a57b0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_lock_after kernel/locking/spinlock_debug.c:92 [inline] at addr ffff8801a57b05b8 BUG: KASAN: use-after-free in do_raw_spin_lock+0x1c6/0x1e0 kernel/locking/spinlock_debug.c:114 at addr ffff8801a57b05b8 Write of size 8 by task syz-executor7/9062 CPU: 1 PID: 9062 Comm: syz-executor7 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cbfaf6f8 ffffffff81d91589 ffff8801da0013c0 ffff8801a57b0500 ffff8801a57b0600 ffffed0034af60b7 ffff8801a57b05b8 ffff8801cbfaf720 ffffffff8153c1bc ffffed0034af60b7 ffff8801da0013c0 0000000000000001 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:335 [inline] [] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335 [] debug_spin_lock_after kernel/locking/spinlock_debug.c:92 [inline] [] do_raw_spin_lock+0x1c6/0x1e0 kernel/locking/spinlock_debug.c:114 [] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline] [] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] inode_free_security security/selinux/hooks.c:343 [inline] [] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845 [] security_inode_free+0x50/0x90 security/security.c:356 [] __destroy_inode+0x2e/0x220 fs/inode.c:235 [] destroy_inode+0x4e/0x120 fs/inode.c:262 [] evict+0x329/0x4f0 fs/inode.c:570 [] iput_final fs/inode.c:1516 [inline] [] iput+0x47b/0x900 fs/inode.c:1543 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a57b0500, in cache kmalloc-256 size: 256 Allocated: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] superblock_alloc_security security/selinux/hooks.c:387 [inline] selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602 security_sb_alloc+0x6d/0xa0 security/security.c:273 alloc_super fs/super.c:197 [inline] sget_userns+0x27c/0xb70 fs/super.c:503 sget+0xd2/0x120 fs/super.c:555 mount_nodev+0x37/0x100 fs/super.c:1137 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x27f/0x350 fs/super.c:1202 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x3e1/0x28b0 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 superblock_free_security security/selinux/hooks.c:407 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607 security_sb_free+0x48/0x80 security/security.c:278 destroy_super+0x36/0x170 fs/super.c:167 __put_super.part.5+0x56/0x70 fs/super.c:274 __put_super fs/super.c:272 [inline] put_super+0x53/0x70 fs/super.c:288 deactivate_locked_super+0xb0/0xd0 fs/super.c:321 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140 task_work_run+0x115/0x190 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7e7/0x2a40 kernel/exit.c:833 do_group_exit+0x108/0x320 kernel/exit.c:937 get_signal+0x4d4/0x14e0 kernel/signal.c:2315 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: ffff8801a57b0480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801a57b0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801a57b0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a57b0600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801a57b0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in __list_del_entry+0x184/0x1d0 lib/list_debug.c:57 at addr ffff8801a57b0598 Read of size 8 by task syz-executor7/9062 CPU: 1 PID: 9062 Comm: syz-executor7 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cbfaf720 ffffffff81d91589 ffff8801da0013c0 ffff8801a57b0500 ffff8801a57b0600 ffffed0034af60b3 ffff8801a57b0598 ffff8801cbfaf748 ffffffff8153c1bc ffffed0034af60b3 ffff8801da0013c0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] __list_del_entry+0x184/0x1d0 lib/list_debug.c:57 [] list_del_init include/linux/list.h:145 [inline] [] inode_free_security security/selinux/hooks.c:344 [inline] [] selinux_inode_free_security+0xce/0x1b0 security/selinux/hooks.c:2845 [] security_inode_free+0x50/0x90 security/security.c:356 [] __destroy_inode+0x2e/0x220 fs/inode.c:235 [] destroy_inode+0x4e/0x120 fs/inode.c:262 [] evict+0x329/0x4f0 fs/inode.c:570 [] iput_final fs/inode.c:1516 [inline] [] iput+0x47b/0x900 fs/inode.c:1543 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a57b0500, in cache kmalloc-256 size: 256 Allocated: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] superblock_alloc_security security/selinux/hooks.c:387 [inline] selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602 security_sb_alloc+0x6d/0xa0 security/security.c:273 alloc_super fs/super.c:197 [inline] sget_userns+0x27c/0xb70 fs/super.c:503 sget+0xd2/0x120 fs/super.c:555 mount_nodev+0x37/0x100 fs/super.c:1137 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x27f/0x350 fs/super.c:1202 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x3e1/0x28b0 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 superblock_free_security security/selinux/hooks.c:407 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607 security_sb_free+0x48/0x80 security/security.c:278 destroy_super+0x36/0x170 fs/super.c:167 __put_super.part.5+0x56/0x70 fs/super.c:274 __put_super fs/super.c:272 [inline] put_super+0x53/0x70 fs/super.c:288 deactivate_locked_super+0xb0/0xd0 fs/super.c:321 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140 task_work_run+0x115/0x190 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7e7/0x2a40 kernel/exit.c:833 do_group_exit+0x108/0x320 kernel/exit.c:937 get_signal+0x4d4/0x14e0 kernel/signal.c:2315 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: ffff8801a57b0480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801a57b0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801a57b0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a57b0600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801a57b0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in __list_del_entry+0x196/0x1d0 lib/list_debug.c:60 at addr ffff8801a57b05a0 Read of size 8 by task syz-executor7/9062 CPU: 1 PID: 9062 Comm: syz-executor7 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cbfaf720 ffffffff81d91589 ffff8801da0013c0 ffff8801a57b0500 ffff8801a57b0600 ffffed0034af60b4 ffff8801a57b05a0 ffff8801cbfaf748 ffffffff8153c1bc ffffed0034af60b4 ffff8801da0013c0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] __list_del_entry+0x196/0x1d0 lib/list_debug.c:60 [] list_del_init include/linux/list.h:145 [inline] [] inode_free_security security/selinux/hooks.c:344 [inline] [] selinux_inode_free_security+0xce/0x1b0 security/selinux/hooks.c:2845 [] security_inode_free+0x50/0x90 security/security.c:356 [] __destroy_inode+0x2e/0x220 fs/inode.c:235 [] destroy_inode+0x4e/0x120 fs/inode.c:262 [] evict+0x329/0x4f0 fs/inode.c:570 [] iput_final fs/inode.c:1516 [inline] [] iput+0x47b/0x900 fs/inode.c:1543 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a57b0500, in cache kmalloc-256 size: 256 Allocated: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] superblock_alloc_security security/selinux/hooks.c:387 [inline] selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602 security_sb_alloc+0x6d/0xa0 security/security.c:273 alloc_super fs/super.c:197 [inline] sget_userns+0x27c/0xb70 fs/super.c:503 sget+0xd2/0x120 fs/super.c:555 mount_nodev+0x37/0x100 fs/super.c:1137 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x27f/0x350 fs/super.c:1202 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x3e1/0x28b0 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 superblock_free_security security/selinux/hooks.c:407 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607 security_sb_free+0x48/0x80 security/security.c:278 destroy_super+0x36/0x170 fs/super.c:167 __put_super.part.5+0x56/0x70 fs/super.c:274 __put_super fs/super.c:272 [inline] put_super+0x53/0x70 fs/super.c:288 deactivate_locked_super+0xb0/0xd0 fs/super.c:321 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140 task_work_run+0x115/0x190 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7e7/0x2a40 kernel/exit.c:833 do_group_exit+0x108/0x320 kernel/exit.c:937 get_signal+0x4d4/0x14e0 kernel/signal.c:2315 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: ffff8801a57b0480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801a57b0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801a57b0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a57b0600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801a57b0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:272 [inline] at addr ffff8801a57b0598 BUG: KASAN: use-after-free in __list_del include/linux/list.h:90 [inline] at addr ffff8801a57b0598 BUG: KASAN: use-after-free in __list_del_entry+0x173/0x1d0 lib/list_debug.c:65 at addr ffff8801a57b0598 Write of size 8 by task syz-executor7/9062 CPU: 1 PID: 9062 Comm: syz-executor7 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cbfaf720 ffffffff81d91589 ffff8801da0013c0 ffff8801a57b0500 ffff8801a57b0600 ffffed0034af60b3 ffff8801a57b0598 ffff8801cbfaf748 ffffffff8153c1bc ffffed0034af60b3 ffff8801da0013c0 0000000000000001 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:335 [inline] [] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335 [] __write_once_size include/linux/compiler.h:272 [inline] [] __list_del include/linux/list.h:90 [inline] [] __list_del_entry+0x173/0x1d0 lib/list_debug.c:65 [] list_del_init include/linux/list.h:145 [inline] [] inode_free_security security/selinux/hooks.c:344 [inline] [] selinux_inode_free_security+0xce/0x1b0 security/selinux/hooks.c:2845 [] security_inode_free+0x50/0x90 security/security.c:356 [] __destroy_inode+0x2e/0x220 fs/inode.c:235 [] destroy_inode+0x4e/0x120 fs/inode.c:262 [] evict+0x329/0x4f0 fs/inode.c:570 [] iput_final fs/inode.c:1516 [inline] [] iput+0x47b/0x900 fs/inode.c:1543 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a57b0500, in cache kmalloc-256 size: 256 Allocated: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] superblock_alloc_security security/selinux/hooks.c:387 [inline] selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602 security_sb_alloc+0x6d/0xa0 security/security.c:273 alloc_super fs/super.c:197 [inline] sget_userns+0x27c/0xb70 fs/super.c:503 sget+0xd2/0x120 fs/super.c:555 mount_nodev+0x37/0x100 fs/super.c:1137 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x27f/0x350 fs/super.c:1202 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x3e1/0x28b0 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 superblock_free_security security/selinux/hooks.c:407 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607 security_sb_free+0x48/0x80 security/security.c:278 destroy_super+0x36/0x170 fs/super.c:167 __put_super.part.5+0x56/0x70 fs/super.c:274 __put_super fs/super.c:272 [inline] put_super+0x53/0x70 fs/super.c:288 deactivate_locked_super+0xb0/0xd0 fs/super.c:321 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140 task_work_run+0x115/0x190 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7e7/0x2a40 kernel/exit.c:833 do_group_exit+0x108/0x320 kernel/exit.c:937 get_signal+0x4d4/0x14e0 kernel/signal.c:2315 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: ffff8801a57b0480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801a57b0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801a57b0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a57b0600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801a57b0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:97 [inline] at addr ffff8801a57b05ac BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1d4/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801a57b05ac Read of size 4 by task syz-executor7/9062 CPU: 1 PID: 9062 Comm: syz-executor7 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cbfaf708 ffffffff81d91589 ffff8801da0013c0 ffff8801a57b0500 ffff8801a57b0600 ffffed0034af60b5 ffff8801a57b05ac ffff8801cbfaf730 ffffffff8153c1bc ffffed0034af60b5 ffff8801da0013c0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] debug_spin_unlock kernel/locking/spinlock_debug.c:97 [inline] [] do_raw_spin_unlock+0x1d4/0x210 kernel/locking/spinlock_debug.c:134 [] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline] [] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183 [] spin_unlock include/linux/spinlock.h:347 [inline] [] inode_free_security security/selinux/hooks.c:345 [inline] [] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845 [] security_inode_free+0x50/0x90 security/security.c:356 [] __destroy_inode+0x2e/0x220 fs/inode.c:235 [] destroy_inode+0x4e/0x120 fs/inode.c:262 [] evict+0x329/0x4f0 fs/inode.c:570 [] iput_final fs/inode.c:1516 [inline] [] iput+0x47b/0x900 fs/inode.c:1543 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a57b0500, in cache kmalloc-256 size: 256 Allocated: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] superblock_alloc_security security/selinux/hooks.c:387 [inline] selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602 security_sb_alloc+0x6d/0xa0 security/security.c:273 alloc_super fs/super.c:197 [inline] sget_userns+0x27c/0xb70 fs/super.c:503 sget+0xd2/0x120 fs/super.c:555 mount_nodev+0x37/0x100 fs/super.c:1137 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x27f/0x350 fs/super.c:1202 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x3e1/0x28b0 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 superblock_free_security security/selinux/hooks.c:407 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607 security_sb_free+0x48/0x80 security/security.c:278 destroy_super+0x36/0x170 fs/super.c:167 __put_super.part.5+0x56/0x70 fs/super.c:274 __put_super fs/super.c:272 [inline] put_super+0x53/0x70 fs/super.c:288 deactivate_locked_super+0xb0/0xd0 fs/super.c:321 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140 task_work_run+0x115/0x190 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7e7/0x2a40 kernel/exit.c:833 do_group_exit+0x108/0x320 kernel/exit.c:937 get_signal+0x4d4/0x14e0 kernel/signal.c:2315 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: ffff8801a57b0480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801a57b0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801a57b0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a57b0600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801a57b0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801a57b05a8 BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801a57b05a8 BUG: KASAN: use-after-free in queued_spin_is_locked include/asm-generic/qspinlock.h:49 [inline] at addr ffff8801a57b05a8 BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:98 [inline] at addr ffff8801a57b05a8 BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1ca/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801a57b05a8 Read of size 4 by task syz-executor7/9062 CPU: 1 PID: 9062 Comm: syz-executor7 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cbfaf708 ffffffff81d91589 ffff8801da0013c0 ffff8801a57b0500 ffff8801a57b0600 ffffed0034af60b5 ffff8801a57b05a8 ffff8801cbfaf730 ffffffff8153c1bc ffffed0034af60b5 ffff8801da0013c0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] __read_once_size include/linux/compiler.h:243 [inline] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] queued_spin_is_locked include/asm-generic/qspinlock.h:49 [inline] [] debug_spin_unlock kernel/locking/spinlock_debug.c:98 [inline] [] do_raw_spin_unlock+0x1ca/0x210 kernel/locking/spinlock_debug.c:134 [] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline] [] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183 [] spin_unlock include/linux/spinlock.h:347 [inline] [] inode_free_security security/selinux/hooks.c:345 [inline] [] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845 [] security_inode_free+0x50/0x90 security/security.c:356 [] __destroy_inode+0x2e/0x220 fs/inode.c:235 [] destroy_inode+0x4e/0x120 fs/inode.c:262 [] evict+0x329/0x4f0 fs/inode.c:570 [] iput_final fs/inode.c:1516 [inline] [] iput+0x47b/0x900 fs/inode.c:1543 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a57b0500, in cache kmalloc-256 size: 256 Allocated: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] superblock_alloc_security security/selinux/hooks.c:387 [inline] selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602 security_sb_alloc+0x6d/0xa0 security/security.c:273 alloc_super fs/super.c:197 [inline] sget_userns+0x27c/0xb70 fs/super.c:503 sget+0xd2/0x120 fs/super.c:555 mount_nodev+0x37/0x100 fs/super.c:1137 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x27f/0x350 fs/super.c:1202 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x3e1/0x28b0 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 superblock_free_security security/selinux/hooks.c:407 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607 security_sb_free+0x48/0x80 security/security.c:278 destroy_super+0x36/0x170 fs/super.c:167 __put_super.part.5+0x56/0x70 fs/super.c:274 __put_super fs/super.c:272 [inline] put_super+0x53/0x70 fs/super.c:288 deactivate_locked_super+0xb0/0xd0 fs/super.c:321 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140 task_work_run+0x115/0x190 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7e7/0x2a40 kernel/exit.c:833 do_group_exit+0x108/0x320 kernel/exit.c:937 get_signal+0x4d4/0x14e0 kernel/signal.c:2315 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: ffff8801a57b0480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801a57b0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801a57b0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a57b0600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801a57b0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:99 [inline] at addr ffff8801a57b05b8 BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1fb/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801a57b05b8 Read of size 8 by task syz-executor7/9062 CPU: 1 PID: 9062 Comm: syz-executor7 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cbfaf708 ffffffff81d91589 ffff8801da0013c0 ffff8801a57b0500 ffff8801a57b0600 ffffed0034af60b7 ffff8801a57b05b8 ffff8801cbfaf730 ffffffff8153c1bc ffffed0034af60b7 ffff8801da0013c0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] debug_spin_unlock kernel/locking/spinlock_debug.c:99 [inline] [] do_raw_spin_unlock+0x1fb/0x210 kernel/locking/spinlock_debug.c:134 [] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline] [] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183 [] spin_unlock include/linux/spinlock.h:347 [inline] [] inode_free_security security/selinux/hooks.c:345 [inline] [] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845 [] security_inode_free+0x50/0x90 security/security.c:356 [] __destroy_inode+0x2e/0x220 fs/inode.c:235 [] destroy_inode+0x4e/0x120 fs/inode.c:262 [] evict+0x329/0x4f0 fs/inode.c:570 [] iput_final fs/inode.c:1516 [inline] [] iput+0x47b/0x900 fs/inode.c:1543 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a57b0500, in cache kmalloc-256 size: 256 Allocated: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] superblock_alloc_security security/selinux/hooks.c:387 [inline] selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602 security_sb_alloc+0x6d/0xa0 security/security.c:273 alloc_super fs/super.c:197 [inline] sget_userns+0x27c/0xb70 fs/super.c:503 sget+0xd2/0x120 fs/super.c:555 mount_nodev+0x37/0x100 fs/super.c:1137 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x27f/0x350 fs/super.c:1202 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x3e1/0x28b0 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 superblock_free_security security/selinux/hooks.c:407 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607 security_sb_free+0x48/0x80 security/security.c:278 destroy_super+0x36/0x170 fs/super.c:167 __put_super.part.5+0x56/0x70 fs/super.c:274 __put_super fs/super.c:272 [inline] put_super+0x53/0x70 fs/super.c:288 deactivate_locked_super+0xb0/0xd0 fs/super.c:321 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140 task_work_run+0x115/0x190 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7e7/0x2a40 kernel/exit.c:833 do_group_exit+0x108/0x320 kernel/exit.c:937 get_signal+0x4d4/0x14e0 kernel/signal.c:2315 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: ffff8801a57b0480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801a57b0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801a57b0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a57b0600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801a57b0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:100 [inline] at addr ffff8801a57b05b0 BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1e1/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801a57b05b0 Read of size 4 by task syz-executor7/9062 CPU: 1 PID: 9062 Comm: syz-executor7 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cbfaf708 ffffffff81d91589 ffff8801da0013c0 ffff8801a57b0500 ffff8801a57b0600 ffffed0034af60b6 ffff8801a57b05b0 ffff8801cbfaf730 ffffffff8153c1bc ffffed0034af60b6 ffff8801da0013c0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] debug_spin_unlock kernel/locking/spinlock_debug.c:100 [inline] [] do_raw_spin_unlock+0x1e1/0x210 kernel/locking/spinlock_debug.c:134 [] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline] [] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183 [] spin_unlock include/linux/spinlock.h:347 [inline] [] inode_free_security security/selinux/hooks.c:345 [inline] [] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845 [] security_inode_free+0x50/0x90 security/security.c:356 [] __destroy_inode+0x2e/0x220 fs/inode.c:235 [] destroy_inode+0x4e/0x120 fs/inode.c:262 [] evict+0x329/0x4f0 fs/inode.c:570 [] iput_final fs/inode.c:1516 [inline] [] iput+0x47b/0x900 fs/inode.c:1543 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a57b0500, in cache kmalloc-256 size: 256 Allocated: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] superblock_alloc_security security/selinux/hooks.c:387 [inline] selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602 security_sb_alloc+0x6d/0xa0 security/security.c:273 alloc_super fs/super.c:197 [inline] sget_userns+0x27c/0xb70 fs/super.c:503 sget+0xd2/0x120 fs/super.c:555 mount_nodev+0x37/0x100 fs/super.c:1137 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x27f/0x350 fs/super.c:1202 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x3e1/0x28b0 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 superblock_free_security security/selinux/hooks.c:407 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607 security_sb_free+0x48/0x80 security/security.c:278 destroy_super+0x36/0x170 fs/super.c:167 __put_super.part.5+0x56/0x70 fs/super.c:274 __put_super fs/super.c:272 [inline] put_super+0x53/0x70 fs/super.c:288 deactivate_locked_super+0xb0/0xd0 fs/super.c:321 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140 task_work_run+0x115/0x190 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7e7/0x2a40 kernel/exit.c:833 do_group_exit+0x108/0x320 kernel/exit.c:937 get_signal+0x4d4/0x14e0 kernel/signal.c:2315 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: ffff8801a57b0480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801a57b0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801a57b0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a57b0600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801a57b0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:102 [inline] at addr ffff8801a57b05b8 BUG: KASAN: use-after-free in do_raw_spin_unlock+0x208/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801a57b05b8 Write of size 8 by task syz-executor7/9062 CPU: 1 PID: 9062 Comm: syz-executor7 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cbfaf708 ffffffff81d91589 ffff8801da0013c0 ffff8801a57b0500 ffff8801a57b0600 ffffed0034af60b7 ffff8801a57b05b8 ffff8801cbfaf730 ffffffff8153c1bc ffffed0034af60b7 ffff8801da0013c0 0000000000000001 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:335 [inline] [] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335 [] debug_spin_unlock kernel/locking/spinlock_debug.c:102 [inline] [] do_raw_spin_unlock+0x208/0x210 kernel/locking/spinlock_debug.c:134 [] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline] [] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183 [] spin_unlock include/linux/spinlock.h:347 [inline] [] inode_free_security security/selinux/hooks.c:345 [inline] [] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845 [] security_inode_free+0x50/0x90 security/security.c:356 [] __destroy_inode+0x2e/0x220 fs/inode.c:235 [] destroy_inode+0x4e/0x120 fs/inode.c:262 [] evict+0x329/0x4f0 fs/inode.c:570 [] iput_final fs/inode.c:1516 [inline] [] iput+0x47b/0x900 fs/inode.c:1543 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a57b0500, in cache kmalloc-256 size: 256 Allocated: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] superblock_alloc_security security/selinux/hooks.c:387 [inline] selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602 security_sb_alloc+0x6d/0xa0 security/security.c:273 alloc_super fs/super.c:197 [inline] sget_userns+0x27c/0xb70 fs/super.c:503 sget+0xd2/0x120 fs/super.c:555 mount_nodev+0x37/0x100 fs/super.c:1137 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x27f/0x350 fs/super.c:1202 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x3e1/0x28b0 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 superblock_free_security security/selinux/hooks.c:407 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607 security_sb_free+0x48/0x80 security/security.c:278 destroy_super+0x36/0x170 fs/super.c:167 __put_super.part.5+0x56/0x70 fs/super.c:274 __put_super fs/super.c:272 [inline] put_super+0x53/0x70 fs/super.c:288 deactivate_locked_super+0xb0/0xd0 fs/super.c:321 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140 task_work_run+0x115/0x190 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7e7/0x2a40 kernel/exit.c:833 do_group_exit+0x108/0x320 kernel/exit.c:937 get_signal+0x4d4/0x14e0 kernel/signal.c:2315 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: ffff8801a57b0480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801a57b0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801a57b0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a57b0600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801a57b0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:103 [inline] at addr ffff8801a57b05b0 BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1ee/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801a57b05b0 Write of size 4 by task syz-executor7/9062 CPU: 1 PID: 9062 Comm: syz-executor7 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cbfaf708 ffffffff81d91589 ffff8801da0013c0 ffff8801a57b0500 ffff8801a57b0600 ffffed0034af60b6 ffff8801a57b05b0 ffff8801cbfaf730 ffffffff8153c1bc ffffed0034af60b6 ffff8801da0013c0 0000000000000001 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:334 [inline] [] __asan_report_store4_noabort+0x2c/0x30 mm/kasan/report.c:334 [] debug_spin_unlock kernel/locking/spinlock_debug.c:103 [inline] [] do_raw_spin_unlock+0x1ee/0x210 kernel/locking/spinlock_debug.c:134 [] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline] [] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183 [] spin_unlock include/linux/spinlock.h:347 [inline] [] inode_free_security security/selinux/hooks.c:345 [inline] [] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845 [] security_inode_free+0x50/0x90 security/security.c:356 [] __destroy_inode+0x2e/0x220 fs/inode.c:235 [] destroy_inode+0x4e/0x120 fs/inode.c:262 [] evict+0x329/0x4f0 fs/inode.c:570 [] iput_final fs/inode.c:1516 [inline] [] iput+0x47b/0x900 fs/inode.c:1543 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a57b0500, in cache kmalloc-256 size: 256 Allocated: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] superblock_alloc_security security/selinux/hooks.c:387 [inline] selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602 security_sb_alloc+0x6d/0xa0 security/security.c:273 alloc_super fs/super.c:197 [inline] sget_userns+0x27c/0xb70 fs/super.c:503 sget+0xd2/0x120 fs/super.c:555 mount_nodev+0x37/0x100 fs/super.c:1137 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x27f/0x350 fs/super.c:1202 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x3e1/0x28b0 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 8978 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 superblock_free_security security/selinux/hooks.c:407 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607 security_sb_free+0x48/0x80 security/security.c:278 destroy_super+0x36/0x170 fs/super.c:167 __put_super.part.5+0x56/0x70 fs/super.c:274 __put_super fs/super.c:272 [inline] put_super+0x53/0x70 fs/super.c:288 deactivate_locked_super+0xb0/0xd0 fs/super.c:321 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140 task_work_run+0x115/0x190 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7e7/0x2a40 kernel/exit.c:833 do_group_exit+0x108/0x320 kernel/exit.c:937 get_signal+0x4d4/0x14e0 kernel/signal.c:2315 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: ffff8801a57b0480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801a57b0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801a57b0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a57b0600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801a57b0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== CPU: 0 PID: 8999 Comm: syz-executor3 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cdb47930 ffffffff81d91589 ffff8801cdb47c10 0000000000000000 ffff8801a9326d10 ffff8801cdb47b00 ffff8801a9326c00 ffff8801cdb47b28 ffffffff8165fe47 0000000000005d9e ffff8801c876d0f0 ffff8801c876d0a0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] entry_SYSCALL_64_fastpath+0x23/0xc6 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket pig=9101 comm=syz-executor0 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9101 comm=syz-executor0 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket pig=9101 comm=syz-executor0 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9104 comm=syz-executor0 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9109 comm=syz-executor7 FAULT_FLAG_ALLOW_RETRY missing 30 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 1 PID: 9100 Comm: syz-executor4 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d93af930 ffffffff81d91589 ffff8801d93afc10 0000000000000000 ffff8801a3eb1c10 ffff8801d93afb00 ffff8801a3eb1b00 ffff8801d93afb28 ffffffff8165fe47 ffff8801c9efe000 ffff8801d93afa80 00000001cce8e067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] entry_SYSCALL_64_fastpath+0x23/0xc6 CPU: 0 PID: 9112 Comm: syz-executor4 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c5177940 ffffffff81d91589 ffff8801c5177c20 0000000000000000 ffff8801a3eb1c10 ffff8801c5177b10 ffff8801a3eb1b00 ffff8801c5177b38 ffffffff8165fe47 0000000000000000 ffff8801c5177a90 00000001cce8e067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] entry_SYSCALL_64_fastpath+0x23/0xc6 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 0 PID: 9107 Comm: syz-executor3 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a951f8b0 ffffffff81d91589 ffff8801a951fb90 0000000000000000 ffff8801a3eb1910 ffff8801a951fa80 ffff8801a3eb1800 ffff8801a951faa8 ffffffff8165fe47 ffff8801a951f940 ffff8801a951fa00 00000001a4098067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] entry_SYSCALL_64_fastpath+0x23/0xc6 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 0 PID: 9094 Comm: syz-executor3 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c8f37890 ffffffff81d91589 ffff8801c8f37b70 0000000000000000 ffff8801a3eb1910 ffff8801c8f37a60 ffff8801a3eb1800 ffff8801c8f37a88 ffffffff8165fe47 ffff8801d9b7b000 ffff8801c8f379e0 00000001a4098067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] getname_flags+0x10e/0x580 fs/namei.c:148 [] getname+0x19/0x20 fs/namei.c:208 [] do_sys_open+0x21d/0x4c0 fs/open.c:1066 [] SYSC_openat fs/open.c:1099 [inline] [] SyS_openat+0x30/0x40 fs/open.c:1093 [] entry_SYSCALL_64_fastpath+0x23/0xc6 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 0 PID: 9116 Comm: syz-executor3 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d93a7930 ffffffff81d91589 ffff8801d93a7c10 0000000000000000 ffff8801a9326410 ffff8801d93a7b00 ffff8801a9326300 ffff8801d93a7b28 ffffffff8165fe47 ffff8801cdab1800 ffff8801d93a7a80 00000001a4098067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] entry_SYSCALL_64_fastpath+0x23/0xc6 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 0 PID: 9107 Comm: syz-executor3 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a951f8b0 ffffffff81d91589 ffff8801a951fb90 0000000000000000 ffff8801a9326410 ffff8801a951fa80 ffff8801a9326300 ffff8801a951faa8 ffffffff8165fe47 ffff8801a951f940 ffff8801a951fa00 00000001a4098067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] entry_SYSCALL_64_fastpath+0x23/0xc6 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 0 PID: 9094 Comm: syz-executor3 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c8f37890 ffffffff81d91589 ffff8801c8f37b70 0000000000000000 ffff8801a9326410 ffff8801c8f37a60 ffff8801a9326300 ffff8801c8f37a88 ffffffff8165fe47 ffff8801d9b7b000 ffff8801c8f379e0 00000001a4098067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] getname_flags+0x10e/0x580 fs/namei.c:148 [] getname+0x19/0x20 fs/namei.c:208 [] do_sys_open+0x21d/0x4c0 fs/open.c:1066 [] SYSC_openat fs/open.c:1099 [inline] [] SyS_openat+0x30/0x40 fs/open.c:1093 [] entry_SYSCALL_64_fastpath+0x23/0xc6 device lo entered promiscuous mode qtaguid: iface_stat: iface_check_stats_reset_and_adjust(lo): iface reset its stats unexpectedly netlink: 5 bytes leftover after parsing attributes in process `syz-executor6'. device gre0 entered promiscuous mode SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9252 comm=syz-executor6 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=38839 sclass=netlink_route_socket pig=9263 comm=syz-executor5 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=38839 sclass=netlink_route_socket pig=9268 comm=syz-executor5 netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'. keychord: invalid keycode count 0 netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'. SELinux: unrecognized netlink message: protocol=0 nlmsg_type=3803 sclass=netlink_route_socket pig=9337 comm=syz-executor4 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=3803 sclass=netlink_route_socket pig=9337 comm=syz-executor4 netlink: 2 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor1'. device gre0 entered promiscuous mode FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 1 PID: 9516 Comm: syz-executor7 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a627f8f0 ffffffff81d91589 ffff8801a627fbd0 0000000000000000 ffff8801c9223910 ffff8801a627fac0 ffff8801c9223800 ffff8801a627fae8 ffffffff8165fe47 0000000000000000 ffff8801a627fa40 00000001a4ecc067 Call Trace: FAULT_FLAG_ALLOW_RETRY missing 30 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] entry_SYSCALL_64_fastpath+0x23/0xc6 CPU: 0 PID: 9531 Comm: syz-executor1 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d6d47940 ffffffff81d91589 ffff8801d6d47c20 0000000000000000 ffff8801a3eb1d90 ffff8801d6d47b10 ffff8801a3eb1c80 ffff8801d6d47b38 ffffffff8165fe47 0000000000000000 ffff8801d6d47a90 00000001c6ccb067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] entry_SYSCALL_64_fastpath+0x23/0xc6 device gre0 entered promiscuous mode FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 0 PID: 9531 Comm: syz-executor1 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d6d47940 ffffffff81d91589 ffff8801d6d47c20 0000000000000000 ffff8801c9223790 ffff8801d6d47b10 ffff8801c9223680 ffff8801d6d47b38 ffffffff8165fe47 0000000000000000 ffff8801d6d47a90 00000001a63a5067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396