================================================================== BUG: KASAN: use-after-free in take_option security/selinux/hooks.c:2619 [inline] BUG: KASAN: use-after-free in selinux_sb_copy_data+0x1cd/0x380 security/selinux/hooks.c:2674 Write of size 10 at addr ffff8801a0288000 by task syz-executor5/14604 CPU: 0 PID: 14604 Comm: syz-executor5 Not tainted 4.9.96-g8c01d00 #11 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cc6c7490 ffffffff81eb0b69 ffffea000680a200 ffff8801a0288000 0000000000000001 ffff8801a0288000 000000000000000a ffff8801cc6c74c8 ffffffff8156540b ffff8801a0288000 000000000000000a 0000000000000001 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] print_address_description+0x6c/0x234 mm/kasan/report.c:256 [] kasan_report_error mm/kasan/report.c:355 [inline] [] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412 [] check_memory_region_inline mm/kasan/kasan.c:318 [inline] [] check_memory_region+0x14f/0x1b0 mm/kasan/kasan.c:325 [] memcpy+0x37/0x50 mm/kasan/kasan.c:361 [] take_option security/selinux/hooks.c:2619 [inline] [] selinux_sb_copy_data+0x1cd/0x380 security/selinux/hooks.c:2674 [] security_sb_copy_data+0x7b/0xb0 security/security.c:283 [] parse_security_options+0x36/0x90 fs/btrfs/super.c:1493 [] btrfs_mount+0x2f3/0x2bc0 fs/btrfs/super.c:1572 [] mount_fs+0x28c/0x370 fs/super.c:1206 [] vfs_kern_mount.part.29+0xd1/0x3d0 fs/namespace.c:991 [] vfs_kern_mount+0x40/0x60 fs/namespace.c:973 [] mount_subvol fs/btrfs/super.c:1395 [inline] [] btrfs_mount+0x40b/0x2bc0 fs/btrfs/super.c:1566 [] mount_fs+0x28c/0x370 fs/super.c:1206 [] vfs_kern_mount.part.29+0xd1/0x3d0 fs/namespace.c:991 [] vfs_kern_mount fs/namespace.c:973 [inline] [] do_new_mount fs/namespace.c:2513 [inline] [] do_mount+0x3c9/0x2740 fs/namespace.c:2835 [] C_SYSC_mount fs/compat.c:810 [inline] [] compat_SyS_mount+0x4fc/0xff0 fs/compat.c:775 [] do_syscall_32_irqs_on arch/x86/entry/common.c:325 [inline] [] do_fast_syscall_32+0x2f7/0x870 arch/x86/entry/common.c:387 [] entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137 Allocated by task 13857: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:505 set_track mm/kasan/kasan.c:517 [inline] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:609 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xbe/0x290 mm/slub.c:2728 getname_flags+0xc7/0x580 fs/namei.c:137 getname+0x19/0x20 fs/namei.c:208 SYSC_execve fs/exec.c:1911 [inline] SyS_execve+0x23/0x50 fs/exec.c:1906 do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282 entry_SYSCALL_64_after_swapgs+0x5d/0xdb Freed by task 13857: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:505 set_track mm/kasan/kasan.c:517 [inline] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xbe/0x310 mm/slub.c:2980 putname+0xdb/0x110 fs/namei.c:258 do_execveat_common.isra.40+0x1851/0x1f30 fs/exec.c:1797 do_execve fs/exec.c:1830 [inline] SYSC_execve fs/exec.c:1911 [inline] SyS_execve+0x42/0x50 fs/exec.c:1906 do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282 entry_SYSCALL_64_after_swapgs+0x5d/0xdb The buggy address belongs to the object at ffff8801a0288000 which belongs to the cache names_cache of size 4096 The buggy address is located 0 bytes inside of 4096-byte region [ffff8801a0288000, ffff8801a0289000) The buggy address belongs to the page: page:ffffea000680a200 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 flags: 0x8000000000004080(slab|head) page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801a0287f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801a0287f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8801a0288000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a0288080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a0288100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================