==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] at addr ffff8801d19a71ec
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1ac/0x1e0 kernel/locking/spinlock_debug.c:112 at addr ffff8801d19a71ec
Read of size 4 by task syz-executor4/9790
CPU: 1 PID: 9790 Comm: syz-executor4 Not tainted 4.9.61-g904c79c #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ce6a76f8 ffffffff81d91589 ffff8801da0013c0 ffff8801d19a7140
 ffff8801d19a7240 ffffed003a334e3d ffff8801d19a71ec ffff8801ce6a7720
 ffffffff8153c1bc ffffed003a334e3d ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d91589>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91589>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c47c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c47c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c47c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c7e9>] kasan_report mm/kasan/report.c:329 [inline]
 [<ffffffff8153c7e9>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 [<ffffffff812488bc>] debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
 [<ffffffff812488bc>] do_raw_spin_lock+0x1ac/0x1e0 kernel/locking/spinlock_debug.c:112
 [<ffffffff838a971e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff838a971e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff81be6736>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff81be6736>] inode_free_security security/selinux/hooks.c:343 [inline]
 [<ffffffff81be6736>] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bce130>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c77be>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c79fe>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c7df9>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c88ab>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c88ab>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81644151>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff816454cc>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81642ed2>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81648397>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff815734dc>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff815739b5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81196005>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113d2e7>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113d2e7>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff811439f8>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff811665e4>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838aa3a6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801d19a7140, in cache kmalloc-256 size: 256
Allocated:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801d19a7080: 00 00 00 00 00 00 00 00 00 01 fc fc fc fc fc fc
 ffff8801d19a7100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801d19a7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff8801d19a7200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801d19a7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:84 [inline] at addr ffff8801d19a71f8
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1d3/0x1e0 kernel/locking/spinlock_debug.c:112 at addr ffff8801d19a71f8
Read of size 8 by task syz-executor4/9790
CPU: 1 PID: 9790 Comm: syz-executor4 Tainted: G    B           4.9.61-g904c79c #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ce6a76f8 ffffffff81d91589 ffff8801da0013c0 ffff8801d19a7140
 ffff8801d19a7240 ffffed003a334e3f ffff8801d19a71f8 ffff8801ce6a7720
 ffffffff8153c1bc ffffed003a334e3f ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d91589>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91589>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c47c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c47c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c47c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c819>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153c819>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff812488e3>] debug_spin_lock_before kernel/locking/spinlock_debug.c:84 [inline]
 [<ffffffff812488e3>] do_raw_spin_lock+0x1d3/0x1e0 kernel/locking/spinlock_debug.c:112
 [<ffffffff838a971e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff838a971e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff81be6736>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff81be6736>] inode_free_security security/selinux/hooks.c:343 [inline]
 [<ffffffff81be6736>] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bce130>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c77be>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c79fe>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c7df9>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c88ab>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c88ab>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81644151>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff816454cc>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81642ed2>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81648397>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff815734dc>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff815739b5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81196005>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113d2e7>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113d2e7>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff811439f8>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff811665e4>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838aa3a6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801d19a7140, in cache kmalloc-256 size: 256
Allocated:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801d19a7080: 00 00 00 00 00 00 00 00 00 01 fc fc fc fc fc fc
 ffff8801d19a7100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801d19a7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8801d19a7200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801d19a7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline] at addr ffff8801d19a71f0
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1a2/0x1e0 kernel/locking/spinlock_debug.c:112 at addr ffff8801d19a71f0
Read of size 4 by task syz-executor4/9790
CPU: 1 PID: 9790 Comm: syz-executor4 Tainted: G    B           4.9.61-g904c79c #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ce6a76f8 ffffffff81d91589 ffff8801da0013c0 ffff8801d19a7140
 ffff8801d19a7240 ffffed003a334e3e ffff8801d19a71f0 ffff8801ce6a7720
 ffffffff8153c1bc ffffed003a334e3e ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d91589>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91589>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c47c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c47c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c47c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c7e9>] kasan_report mm/kasan/report.c:329 [inline]
 [<ffffffff8153c7e9>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 [<ffffffff812488b2>] debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
 [<ffffffff812488b2>] do_raw_spin_lock+0x1a2/0x1e0 kernel/locking/spinlock_debug.c:112
 [<ffffffff838a971e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff838a971e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff81be6736>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff81be6736>] inode_free_security security/selinux/hooks.c:343 [inline]
 [<ffffffff81be6736>] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bce130>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c77be>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c79fe>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c7df9>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c88ab>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c88ab>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81644151>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff816454cc>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81642ed2>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81648397>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff815734dc>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff815739b5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81196005>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113d2e7>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113d2e7>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff811439f8>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff811665e4>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838aa3a6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801d19a7140, in cache kmalloc-256 size: 256
Allocated:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801d19a7080: 00 00 00 00 00 00 00 00 00 01 fc fc fc fc fc fc
 ffff8801d19a7100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801d19a7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8801d19a7200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801d19a7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_after kernel/locking/spinlock_debug.c:91 [inline] at addr ffff8801d19a71f0
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1b9/0x1e0 kernel/locking/spinlock_debug.c:114 at addr ffff8801d19a71f0
Write of size 4 by task syz-executor4/9790
CPU: 1 PID: 9790 Comm: syz-executor4 Tainted: G    B           4.9.61-g904c79c #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ce6a76f8 ffffffff81d91589 ffff8801da0013c0 ffff8801d19a7140
 ffff8801d19a7240 ffffed003a334e3e ffff8801d19a71f0 ffff8801ce6a7720
 ffffffff8153c1bc ffffed003a334e3e ffff8801da0013c0 0000000000000001
Call Trace:
 [<ffffffff81d91589>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91589>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c47c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c47c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c47c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c8dc>] kasan_report mm/kasan/report.c:334 [inline]
 [<ffffffff8153c8dc>] __asan_report_store4_noabort+0x2c/0x30 mm/kasan/report.c:334
 [<ffffffff812488c9>] debug_spin_lock_after kernel/locking/spinlock_debug.c:91 [inline]
 [<ffffffff812488c9>] do_raw_spin_lock+0x1b9/0x1e0 kernel/locking/spinlock_debug.c:114
 [<ffffffff838a971e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff838a971e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff81be6736>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff81be6736>] inode_free_security security/selinux/hooks.c:343 [inline]
 [<ffffffff81be6736>] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bce130>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c77be>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c79fe>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c7df9>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c88ab>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c88ab>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81644151>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff816454cc>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81642ed2>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81648397>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff815734dc>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff815739b5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81196005>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113d2e7>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113d2e7>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff811439f8>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff811665e4>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838aa3a6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801d19a7140, in cache kmalloc-256 size: 256
Allocated:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801d19a7080: 00 00 00 00 00 00 00 00 00 01 fc fc fc fc fc fc
 ffff8801d19a7100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801d19a7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8801d19a7200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801d19a7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_after kernel/locking/spinlock_debug.c:92 [inline] at addr ffff8801d19a71f8
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1c6/0x1e0 kernel/locking/spinlock_debug.c:114 at addr ffff8801d19a71f8
Write of size 8 by task syz-executor4/9790
CPU: 1 PID: 9790 Comm: syz-executor4 Tainted: G    B           4.9.61-g904c79c #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ce6a76f8 ffffffff81d91589 ffff8801da0013c0 ffff8801d19a7140
 ffff8801d19a7240 ffffed003a334e3f ffff8801d19a71f8 ffff8801ce6a7720
 ffffffff8153c1bc ffffed003a334e3f ffff8801da0013c0 0000000000000001
Call Trace:
 [<ffffffff81d91589>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91589>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c47c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c47c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c47c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c90c>] kasan_report mm/kasan/report.c:335 [inline]
 [<ffffffff8153c90c>] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335
 [<ffffffff812488d6>] debug_spin_lock_after kernel/locking/spinlock_debug.c:92 [inline]
 [<ffffffff812488d6>] do_raw_spin_lock+0x1c6/0x1e0 kernel/locking/spinlock_debug.c:114
 [<ffffffff838a971e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff838a971e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff81be6736>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff81be6736>] inode_free_security security/selinux/hooks.c:343 [inline]
 [<ffffffff81be6736>] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bce130>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c77be>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c79fe>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c7df9>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c88ab>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c88ab>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81644151>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff816454cc>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81642ed2>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81648397>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff815734dc>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff815739b5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81196005>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113d2e7>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113d2e7>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff811439f8>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff811665e4>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838aa3a6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801d19a7140, in cache kmalloc-256 size: 256
Allocated:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801d19a7080: 00 00 00 00 00 00 00 00 00 01 fc fc fc fc fc fc
 ffff8801d19a7100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801d19a7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8801d19a7200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801d19a7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in __list_del_entry+0x184/0x1d0 lib/list_debug.c:57 at addr ffff8801d19a71d8
Read of size 8 by task syz-executor4/9790
CPU: 1 PID: 9790 Comm: syz-executor4 Tainted: G    B           4.9.61-g904c79c #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ce6a7720 ffffffff81d91589 ffff8801da0013c0 ffff8801d19a7140
 ffff8801d19a7240 ffffed003a334e3b ffff8801d19a71d8 ffff8801ce6a7748
 ffffffff8153c1bc ffffed003a334e3b ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d91589>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91589>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c47c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c47c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c47c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c819>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153c819>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff81df8734>] __list_del_entry+0x184/0x1d0 lib/list_debug.c:57
 [<ffffffff81be673e>] list_del_init include/linux/list.h:145 [inline]
 [<ffffffff81be673e>] inode_free_security security/selinux/hooks.c:344 [inline]
 [<ffffffff81be673e>] selinux_inode_free_security+0xce/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bce130>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c77be>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c79fe>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c7df9>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c88ab>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c88ab>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81644151>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff816454cc>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81642ed2>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81648397>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff815734dc>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff815739b5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81196005>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113d2e7>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113d2e7>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff811439f8>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff811665e4>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838aa3a6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801d19a7140, in cache kmalloc-256 size: 256
Allocated:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801d19a7080: 00 00 00 00 00 00 00 00 00 01 fc fc fc fc fc fc
 ffff8801d19a7100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801d19a7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff8801d19a7200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801d19a7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in __list_del_entry+0x196/0x1d0 lib/list_debug.c:60 at addr ffff8801d19a71e0
Read of size 8 by task syz-executor4/9790
CPU: 1 PID: 9790 Comm: syz-executor4 Tainted: G    B           4.9.61-g904c79c #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ce6a7720 ffffffff81d91589 ffff8801da0013c0 ffff8801d19a7140
 ffff8801d19a7240 ffffed003a334e3c ffff8801d19a71e0 ffff8801ce6a7748
 ffffffff8153c1bc ffffed003a334e3c ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d91589>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91589>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c47c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c47c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c47c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c819>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153c819>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff81df8746>] __list_del_entry+0x196/0x1d0 lib/list_debug.c:60
 [<ffffffff81be673e>] list_del_init include/linux/list.h:145 [inline]
 [<ffffffff81be673e>] inode_free_security security/selinux/hooks.c:344 [inline]
 [<ffffffff81be673e>] selinux_inode_free_security+0xce/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bce130>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c77be>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c79fe>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c7df9>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c88ab>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c88ab>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81644151>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff816454cc>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81642ed2>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81648397>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff815734dc>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff815739b5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81196005>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113d2e7>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113d2e7>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff811439f8>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff811665e4>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838aa3a6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801d19a7140, in cache kmalloc-256 size: 256
Allocated:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801d19a7080: 00 00 00 00 00 00 00 00 00 01 fc fc fc fc fc fc
 ffff8801d19a7100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801d19a7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff8801d19a7200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801d19a7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:272 [inline] at addr ffff8801d19a71d8
BUG: KASAN: use-after-free in __list_del include/linux/list.h:90 [inline] at addr ffff8801d19a71d8
BUG: KASAN: use-after-free in __list_del_entry+0x173/0x1d0 lib/list_debug.c:65 at addr ffff8801d19a71d8
Write of size 8 by task syz-executor4/9790
CPU: 1 PID: 9790 Comm: syz-executor4 Tainted: G    B           4.9.61-g904c79c #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ce6a7720 ffffffff81d91589 ffff8801da0013c0 ffff8801d19a7140
 ffff8801d19a7240 ffffed003a334e3b ffff8801d19a71d8 ffff8801ce6a7748
 ffffffff8153c1bc ffffed003a334e3b ffff8801da0013c0 0000000000000001
Call Trace:
 [<ffffffff81d91589>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91589>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c47c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c47c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c47c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c90c>] kasan_report mm/kasan/report.c:335 [inline]
 [<ffffffff8153c90c>] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335
 [<ffffffff81df8723>] __write_once_size include/linux/compiler.h:272 [inline]
 [<ffffffff81df8723>] __list_del include/linux/list.h:90 [inline]
 [<ffffffff81df8723>] __list_del_entry+0x173/0x1d0 lib/list_debug.c:65
 [<ffffffff81be673e>] list_del_init include/linux/list.h:145 [inline]
 [<ffffffff81be673e>] inode_free_security security/selinux/hooks.c:344 [inline]
 [<ffffffff81be673e>] selinux_inode_free_security+0xce/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bce130>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c77be>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c79fe>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c7df9>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c88ab>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c88ab>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81644151>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff816454cc>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81642ed2>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81648397>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff815734dc>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff815739b5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81196005>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113d2e7>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113d2e7>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff811439f8>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff811665e4>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838aa3a6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801d19a7140, in cache kmalloc-256 size: 256
Allocated:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801d19a7080: 00 00 00 00 00 00 00 00 00 01 fc fc fc fc fc fc
 ffff8801d19a7100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801d19a7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff8801d19a7200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801d19a7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:97 [inline] at addr ffff8801d19a71ec
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1d4/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801d19a71ec
Read of size 4 by task syz-executor4/9790
CPU: 1 PID: 9790 Comm: syz-executor4 Tainted: G    B           4.9.61-g904c79c #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ce6a7708 ffffffff81d91589 ffff8801da0013c0 ffff8801d19a7140
 ffff8801d19a7240 ffffed003a334e3d ffff8801d19a71ec ffff8801ce6a7730
 ffffffff8153c1bc ffffed003a334e3d ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d91589>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91589>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c47c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c47c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c47c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c7e9>] kasan_report mm/kasan/report.c:329 [inline]
 [<ffffffff8153c7e9>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 [<ffffffff81248b94>] debug_spin_unlock kernel/locking/spinlock_debug.c:97 [inline]
 [<ffffffff81248b94>] do_raw_spin_unlock+0x1d4/0x210 kernel/locking/spinlock_debug.c:134
 [<ffffffff838a9a62>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff838a9a62>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff81be6786>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff81be6786>] inode_free_security security/selinux/hooks.c:345 [inline]
 [<ffffffff81be6786>] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bce130>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c77be>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c79fe>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c7df9>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c88ab>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c88ab>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81644151>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff816454cc>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81642ed2>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81648397>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff815734dc>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff815739b5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81196005>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113d2e7>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113d2e7>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff811439f8>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff811665e4>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838aa3a6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801d19a7140, in cache kmalloc-256 size: 256
Allocated:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801d19a7080: 00 00 00 00 00 00 00 00 00 01 fc fc fc fc fc fc
 ffff8801d19a7100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801d19a7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff8801d19a7200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801d19a7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801d19a71e8
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801d19a71e8
BUG: KASAN: use-after-free in queued_spin_is_locked include/asm-generic/qspinlock.h:49 [inline] at addr ffff8801d19a71e8
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:98 [inline] at addr ffff8801d19a71e8
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1ca/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801d19a71e8
Read of size 4 by task syz-executor4/9790
CPU: 1 PID: 9790 Comm: syz-executor4 Tainted: G    B           4.9.61-g904c79c #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ce6a7708 ffffffff81d91589 ffff8801da0013c0 ffff8801d19a7140
 ffff8801d19a7240 ffffed003a334e3d ffff8801d19a71e8 ffff8801ce6a7730
 ffffffff8153c1bc ffffed003a334e3d ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d91589>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91589>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c47c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c47c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c47c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c7e9>] kasan_report mm/kasan/report.c:329 [inline]
 [<ffffffff8153c7e9>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 [<ffffffff81248b8a>] __read_once_size include/linux/compiler.h:243 [inline]
 [<ffffffff81248b8a>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 [<ffffffff81248b8a>] queued_spin_is_locked include/asm-generic/qspinlock.h:49 [inline]
 [<ffffffff81248b8a>] debug_spin_unlock kernel/locking/spinlock_debug.c:98 [inline]
 [<ffffffff81248b8a>] do_raw_spin_unlock+0x1ca/0x210 kernel/locking/spinlock_debug.c:134
 [<ffffffff838a9a62>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff838a9a62>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff81be6786>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff81be6786>] inode_free_security security/selinux/hooks.c:345 [inline]
 [<ffffffff81be6786>] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bce130>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c77be>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c79fe>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c7df9>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c88ab>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c88ab>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81644151>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff816454cc>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81642ed2>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81648397>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff815734dc>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff815739b5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81196005>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113d2e7>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113d2e7>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff811439f8>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff811665e4>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838aa3a6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801d19a7140, in cache kmalloc-256 size: 256
Allocated:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801d19a7080: 00 00 00 00 00 00 00 00 00 01 fc fc fc fc fc fc
 ffff8801d19a7100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801d19a7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff8801d19a7200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801d19a7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:99 [inline] at addr ffff8801d19a71f8
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1fb/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801d19a71f8
Read of size 8 by task syz-executor4/9790
CPU: 1 PID: 9790 Comm: syz-executor4 Tainted: G    B           4.9.61-g904c79c #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ce6a7708 ffffffff81d91589 ffff8801da0013c0 ffff8801d19a7140
 ffff8801d19a7240 ffffed003a334e3f ffff8801d19a71f8 ffff8801ce6a7730
 ffffffff8153c1bc ffffed003a334e3f ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d91589>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91589>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c47c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c47c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c47c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c819>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153c819>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff81248bbb>] debug_spin_unlock kernel/locking/spinlock_debug.c:99 [inline]
 [<ffffffff81248bbb>] do_raw_spin_unlock+0x1fb/0x210 kernel/locking/spinlock_debug.c:134
 [<ffffffff838a9a62>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff838a9a62>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff81be6786>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff81be6786>] inode_free_security security/selinux/hooks.c:345 [inline]
 [<ffffffff81be6786>] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bce130>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c77be>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c79fe>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c7df9>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c88ab>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c88ab>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81644151>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff816454cc>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81642ed2>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81648397>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff815734dc>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff815739b5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81196005>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113d2e7>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113d2e7>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff811439f8>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff811665e4>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838aa3a6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801d19a7140, in cache kmalloc-256 size: 256
Allocated:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801d19a7080: 00 00 00 00 00 00 00 00 00 01 fc fc fc fc fc fc
 ffff8801d19a7100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801d19a7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8801d19a7200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801d19a7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:100 [inline] at addr ffff8801d19a71f0
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1e1/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801d19a71f0
Read of size 4 by task syz-executor4/9790
CPU: 1 PID: 9790 Comm: syz-executor4 Tainted: G    B           4.9.61-g904c79c #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ce6a7708 ffffffff81d91589 ffff8801da0013c0 ffff8801d19a7140
 ffff8801d19a7240 ffffed003a334e3e ffff8801d19a71f0 ffff8801ce6a7730
 ffffffff8153c1bc ffffed003a334e3e ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d91589>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91589>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c47c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c47c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c47c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c7e9>] kasan_report mm/kasan/report.c:329 [inline]
 [<ffffffff8153c7e9>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 [<ffffffff81248ba1>] debug_spin_unlock kernel/locking/spinlock_debug.c:100 [inline]
 [<ffffffff81248ba1>] do_raw_spin_unlock+0x1e1/0x210 kernel/locking/spinlock_debug.c:134
 [<ffffffff838a9a62>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff838a9a62>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff81be6786>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff81be6786>] inode_free_security security/selinux/hooks.c:345 [inline]
 [<ffffffff81be6786>] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bce130>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c77be>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c79fe>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c7df9>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c88ab>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c88ab>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81644151>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff816454cc>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81642ed2>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81648397>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff815734dc>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff815739b5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81196005>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113d2e7>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113d2e7>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff811439f8>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff811665e4>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838aa3a6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801d19a7140, in cache kmalloc-256 size: 256
Allocated:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801d19a7080: 00 00 00 00 00 00 00 00 00 01 fc fc fc fc fc fc
 ffff8801d19a7100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801d19a7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8801d19a7200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801d19a7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:102 [inline] at addr ffff8801d19a71f8
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x208/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801d19a71f8
Write of size 8 by task syz-executor4/9790
CPU: 1 PID: 9790 Comm: syz-executor4 Tainted: G    B           4.9.61-g904c79c #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ce6a7708 ffffffff81d91589 ffff8801da0013c0 ffff8801d19a7140
 ffff8801d19a7240 ffffed003a334e3f ffff8801d19a71f8 ffff8801ce6a7730
 ffffffff8153c1bc ffffed003a334e3f ffff8801da0013c0 0000000000000001
Call Trace:
 [<ffffffff81d91589>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91589>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c47c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c47c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c47c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c90c>] kasan_report mm/kasan/report.c:335 [inline]
 [<ffffffff8153c90c>] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335
 [<ffffffff81248bc8>] debug_spin_unlock kernel/locking/spinlock_debug.c:102 [inline]
 [<ffffffff81248bc8>] do_raw_spin_unlock+0x208/0x210 kernel/locking/spinlock_debug.c:134
 [<ffffffff838a9a62>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff838a9a62>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff81be6786>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff81be6786>] inode_free_security security/selinux/hooks.c:345 [inline]
 [<ffffffff81be6786>] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bce130>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c77be>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c79fe>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c7df9>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c88ab>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c88ab>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81644151>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff816454cc>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81642ed2>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81648397>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff815734dc>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff815739b5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81196005>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113d2e7>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113d2e7>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff811439f8>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff811665e4>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838aa3a6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801d19a7140, in cache kmalloc-256 size: 256
Allocated:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801d19a7080: 00 00 00 00 00 00 00 00 00 01 fc fc fc fc fc fc
 ffff8801d19a7100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801d19a7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8801d19a7200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801d19a7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:103 [inline] at addr ffff8801d19a71f0
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1ee/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801d19a71f0
Write of size 4 by task syz-executor4/9790
CPU: 1 PID: 9790 Comm: syz-executor4 Tainted: G    B           4.9.61-g904c79c #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ce6a7708 ffffffff81d91589 ffff8801da0013c0 ffff8801d19a7140
 ffff8801d19a7240 ffffed003a334e3e ffff8801d19a71f0 ffff8801ce6a7730
 ffffffff8153c1bc ffffed003a334e3e ffff8801da0013c0 0000000000000001
Call Trace:
 [<ffffffff81d91589>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91589>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c47c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c47c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c47c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c8dc>] kasan_report mm/kasan/report.c:334 [inline]
 [<ffffffff8153c8dc>] __asan_report_store4_noabort+0x2c/0x30 mm/kasan/report.c:334
 [<ffffffff81248bae>] debug_spin_unlock kernel/locking/spinlock_debug.c:103 [inline]
 [<ffffffff81248bae>] do_raw_spin_unlock+0x1ee/0x210 kernel/locking/spinlock_debug.c:134
 [<ffffffff838a9a62>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff838a9a62>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff81be6786>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff81be6786>] inode_free_security security/selinux/hooks.c:345 [inline]
 [<ffffffff81be6786>] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bce130>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c77be>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c79fe>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c7df9>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c88ab>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c88ab>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81644151>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff816454cc>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81642ed2>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81648397>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff815734dc>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff815739b5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81196005>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113d2e7>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113d2e7>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff811439f8>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff811665e4>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838aa3a6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801d19a7140, in cache kmalloc-256 size: 256
Allocated:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 9742
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1960 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801d19a7080: 00 00 00 00 00 00 00 00 00 01 fc fc fc fc fc fc
 ffff8801d19a7100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801d19a7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8801d19a7200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801d19a7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 9958:9963 ioctl 541b 20005ffc returned -22
tmpfs: No value for mount option '‹'
device gre0 entered promiscuous mode
tmpfs: No value for mount option '‹'
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
binder: 9958:9963 ioctl 541b 20005ffc returned -22
device gre0 entered promiscuous mode
keychord: Insufficient bytes present for keycount 35
keychord: Insufficient bytes present for keycount 35
device gre0 entered promiscuous mode
?: renamed from tunl0
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=25 sclass=netlink_tcpdiag_socket pig=10090 comm=syz-executor3
binder: 10109:10111 ioctl 4b32 1 returned -22
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=25 sclass=netlink_tcpdiag_socket pig=10090 comm=syz-executor3
binder: 10109:10113 ioctl 4b32 1 returned -22
device gre0 entered promiscuous mode
: renamed from ?
device  entered promiscuous mode
binder: 10358:10362 ioctl 4b4c 208e6000 returned -22
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
binder: 10358:10369 ioctl 4b4c 208e6000 returned -22
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=9 sclass=netlink_audit_socket pig=10372 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=10372 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=10372 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=10372 comm=syz-executor7
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=10372 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=10372 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=9 sclass=netlink_audit_socket pig=10397 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=10397 comm=syz-executor7
device gre0 entered promiscuous mode
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801da0d6240
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801da0d6240
BUG: KASAN: use-after-free in static_key_count include/linux/jump_label.h:174 [inline] at addr ffff8801da0d6240
BUG: KASAN: use-after-free in static_key_false include/linux/jump_label.h:184 [inline] at addr ffff8801da0d6240
BUG: KASAN: use-after-free in perf_sw_event include/linux/perf_event.h:1039 [inline] at addr ffff8801da0d6240
BUG: KASAN: use-after-free in __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438 at addr ffff8801da0d6240
Read of size 8 by task syz-executor1/10475
CPU: 1 PID: 10475 Comm: syz-executor1 Tainted: G    B           4.9.61-g904c79c #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a8487d88 ffffffff81d91589 ffff8801da155140 ffff8801da0d61f0
 ffff8801da0d62a8 ffffed003b41ac48 ffff8801da0d6240 ffff8801a8487db0
 ffffffff8153c1bc ffffed003b41ac48 ffff8801da155140 0000000000000000
Call Trace:
 [<ffffffff81d91589>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91589>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c47c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c47c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c47c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c819>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153c819>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff810e0b10>] __read_once_size include/linux/compiler.h:243 [inline]
 [<ffffffff810e0b10>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 [<ffffffff810e0b10>] static_key_count include/linux/jump_label.h:174 [inline]
 [<ffffffff810e0b10>] static_key_false include/linux/jump_label.h:184 [inline]
 [<ffffffff810e0b10>] perf_sw_event include/linux/perf_event.h:1039 [inline]
 [<ffffffff810e0b10>] __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438
 [<ffffffff810e0c27>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ab4d8>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
Object at ffff8801da0d61f0, in cache vm_area_struct size: 184
Allocated:
PID = 10475
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xba/0x290 mm/slub.c:2728
 kmem_cache_zalloc include/linux/slab.h:626 [inline]
 mmap_region+0x587/0xfd0 mm/mmap.c:1662
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2014 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 10477
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 remove_vma+0x11d/0x160 mm/mmap.c:175
 remove_vma_list mm/mmap.c:2482 [inline]
 do_munmap+0x7ff/0xeb0 mm/mmap.c:2705
 mmap_region+0x14d/0xfd0 mm/mmap.c:1635
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2014 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801da0d6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801da0d6180: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fb fb
>ffff8801da0d6200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8801da0d6280: fb fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb
 ffff8801da0d6300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
sock: sock_set_timeout: `syz-executor7' (pid 10593) tries to set negative timeout
: renamed from ?
device  entered promiscuous mode