==================================================================
BUG: KFENCE: use-after-free read in memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:54

Use-after-free read at 0xffff88823bdfc020 (in kfence-#253):
 memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:54
 memcpy include/linux/fortify-string.h:191 [inline]
 __d_alloc+0x19c/0x960 fs/dcache.c:1775
 d_alloc+0x4a/0x240 fs/dcache.c:1823
 __lookup_hash+0xc8/0x180 fs/namei.c:1554
 kern_path_locked+0x17e/0x320 fs/namei.c:2567
 handle_remove+0xa2/0x5fe drivers/base/devtmpfs.c:312
 handle drivers/base/devtmpfs.c:382 [inline]
 devtmpfs_work_loop drivers/base/devtmpfs.c:395 [inline]
 devtmpfsd+0x1ba/0x2ab drivers/base/devtmpfs.c:437
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

kfence-#253: 0xffff88823bdfc000-0xffff88823bdfcfff, size=4096, cache=names_cache

allocated by task 22 on cpu 0 at 320.186395s:
 getname_kernel+0x4e/0x370 fs/namei.c:226
 kern_path_locked+0x71/0x320 fs/namei.c:2558
 handle_remove+0xa2/0x5fe drivers/base/devtmpfs.c:312
 handle drivers/base/devtmpfs.c:382 [inline]
 devtmpfs_work_loop drivers/base/devtmpfs.c:395 [inline]
 devtmpfsd+0x1ba/0x2ab drivers/base/devtmpfs.c:437
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

freed by task 22 on cpu 0 at 320.186411s:
 putname.part.0+0xe9/0x130 fs/namei.c:270
 putname include/linux/err.h:41 [inline]
 filename_parentat fs/namei.c:2547 [inline]
 kern_path_locked+0xc2/0x320 fs/namei.c:2558
 handle_remove+0xa2/0x5fe drivers/base/devtmpfs.c:312
 handle drivers/base/devtmpfs.c:382 [inline]
 devtmpfs_work_loop drivers/base/devtmpfs.c:395 [inline]
 devtmpfsd+0x1ba/0x2ab drivers/base/devtmpfs.c:437
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

CPU: 0 PID: 22 Comm: kdevtmpfs Not tainted 5.14.0-rc6-next-20210819-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:55
Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
RSP: 0018:ffffc90000dcfad0 EFLAGS: 00010202
RAX: ffff88806c8661e8 RBX: ffffc90000dcfc08 RCX: 0000000000000005
RDX: 0000000000000005 RSI: ffff88823bdfc020 RDI: ffff88806c8661e8
RBP: ffff88806c8661e8 R08: 0000000000000001 R09: ffff88806c8661ec
R10: ffffed100d90cc3d R11: 0000000000086089 R12: ffff88814014a000
R13: ffffc90000dcfc0c R14: 0000000000000005 R15: ffff88806c866178
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823bdfc020 CR3: 000000000b68e000 CR4: 00000000001506f0
Call Trace:
 memcpy include/linux/fortify-string.h:191 [inline]
 __d_alloc+0x19c/0x960 fs/dcache.c:1775
 d_alloc+0x4a/0x240 fs/dcache.c:1823
 __lookup_hash+0xc8/0x180 fs/namei.c:1554
 kern_path_locked+0x17e/0x320 fs/namei.c:2567
 handle_remove+0xa2/0x5fe drivers/base/devtmpfs.c:312
 handle drivers/base/devtmpfs.c:382 [inline]
 devtmpfs_work_loop drivers/base/devtmpfs.c:395 [inline]
 devtmpfsd+0x1ba/0x2ab drivers/base/devtmpfs.c:437
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
==================================================================
----------------
Code disassembly (best guess):
   0:	cc                   	int3
   1:	cc                   	int3
   2:	cc                   	int3
   3:	cc                   	int3
   4:	eb 1e                	jmp    0x24
   6:	0f 1f 00             	nopl   (%rax)
   9:	48 89 f8             	mov    %rdi,%rax
   c:	48 89 d1             	mov    %rdx,%rcx
   f:	48 c1 e9 03          	shr    $0x3,%rcx
  13:	83 e2 07             	and    $0x7,%edx
  16:	f3 48 a5             	rep movsq %ds:(%rsi),%es:(%rdi)
  19:	89 d1                	mov    %edx,%ecx
  1b:	f3 a4                	rep movsb %ds:(%rsi),%es:(%rdi)
  1d:	c3                   	retq
  1e:	66 0f 1f 44 00 00    	nopw   0x0(%rax,%rax,1)
  24:	48 89 f8             	mov    %rdi,%rax
  27:	48 89 d1             	mov    %rdx,%rcx
  2a:	f3 a4                	rep movsb %ds:(%rsi),%es:(%rdi) <-- trapping instruction
  2c:	c3                   	retq
  2d:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  34:	48 89 f8             	mov    %rdi,%rax
  37:	48 83 fa 20          	cmp    $0x20,%rdx
  3b:	72 7e                	jb     0xbb
  3d:	40 38 fe             	cmp    %dil,%sil