RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416421 RDX: 0000000000000000 RSI: 0000000000001f5d RDI: 0000000000000005 RBP: 0000000000000001 R08: 00000000d383bf61 R09: 0000000000000000 R10: 00007ffef907b6f0 R11: 0000000000000293 R12: 0000000000790360 R13: 000000000004dcf0 R14: ffffffffffffffff R15: 000000000078c04c ---[ end trace 80c129b4782c14a8 ]--- ================================================================== BUG: KASAN: use-after-free in dname_external fs/dcache.c:283 [inline] BUG: KASAN: use-after-free in dentry_free+0x5d/0x150 fs/dcache.c:339 Read of size 8 at addr ffff8881d38108a8 by task syz-executor.2/16200 CPU: 0 PID: 16200 Comm: syz-executor.2 Tainted: G W 5.4.39-syzkaller-00066-g8c464aedacd3 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x14a/0x1ce lib/dump_stack.c:118 print_address_description+0x93/0x620 mm/kasan/report.c:374 __kasan_report+0x16d/0x1e0 mm/kasan/report.c:506 kasan_report+0x34/0x60 mm/kasan/common.c:634 dname_external fs/dcache.c:283 [inline] dentry_free+0x5d/0x150 fs/dcache.c:339 dentry_kill fs/dcache.c:673 [inline] dput+0x2e1/0x5e0 fs/dcache.c:859 put_fs_context+0x6c/0x6b0 fs/fs_context.c:495 fscontext_release+0x61/0x80 fs/fsopen.c:73 __fput+0x27d/0x6c0 fs/file_table.c:280 task_work_run+0x176/0x1a0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop arch/x86/entry/common.c:163 [inline] prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x416421 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007ffef907b600 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416421 RDX: 0000000000000000 RSI: 0000000000001f5d RDI: 0000000000000005 RBP: 0000000000000001 R08: 00000000d383bf61 R09: 0000000000000000 R10: 00007ffef907b6f0 R11: 0000000000000293 R12: 0000000000790360 R13: 000000000004dcf0 R14: ffffffffffffffff R15: 000000000078c04c Allocated by task 16201: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc+0x12c/0x1c0 mm/kasan/common.c:510 slab_post_alloc_hook mm/slab.h:584 [inline] slab_alloc_node mm/slub.c:2766 [inline] slab_alloc mm/slub.c:2774 [inline] kmem_cache_alloc+0x1d5/0x260 mm/slub.c:2779 __d_alloc+0x2a/0x6b0 fs/dcache.c:1688 d_alloc_anon fs/dcache.c:1786 [inline] d_make_root+0x46/0xd0 fs/dcache.c:1987 kernfs_fill_super fs/kernfs/mount.c:244 [inline] kernfs_get_tree+0x45e/0x690 fs/kernfs/mount.c:317 cgroup_do_get_tree+0xef/0x5a0 kernel/cgroup/cgroup.c:2101 cgroup1_get_tree+0x81a/0x9c0 kernel/cgroup/cgroup-v1.c:1221 vfs_get_tree+0x85/0x260 fs/super.c:1547 vfs_fsconfig_locked fs/fsopen.c:232 [inline] __do_sys_fsconfig fs/fsopen.c:445 [inline] __se_sys_fsconfig+0xcd1/0x1140 fs/fsopen.c:314 do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 9: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] kasan_set_free_info mm/kasan/common.c:332 [inline] __kasan_slab_free+0x181/0x230 mm/kasan/common.c:471 slab_free_hook mm/slub.c:1424 [inline] slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1457 slab_free mm/slub.c:3014 [inline] kmem_cache_free+0xac/0x600 mm/slub.c:3030 __rcu_reclaim kernel/rcu/rcu.h:222 [inline] rcu_do_batch kernel/rcu/tree.c:2158 [inline] rcu_core+0xbf0/0x1360 kernel/rcu/tree.c:2378 __do_softirq+0x2d5/0x725 kernel/softirq.c:292 The buggy address belongs to the object at ffff8881d3810880 which belongs to the cache dentry of size 208 The buggy address is located 40 bytes inside of 208-byte region [ffff8881d3810880, ffff8881d3810950) The buggy address belongs to the page: page:ffffea00074e0400 refcount:1 mapcount:0 mapping:ffff8881da8ee500 index:0x0 flags: 0x8000000000000200(slab) raw: 8000000000000200 ffffea00072e2240 0000000600000006 ffff8881da8ee500 raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881d3810780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881d3810800: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc >ffff8881d3810880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881d3810900: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc ffff8881d3810980: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== ================================================================== BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3014 [inline] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0xac/0x600 mm/slub.c:3030 CPU: 1 PID: 16200 Comm: syz-executor.2 Tainted: G B W 5.4.39-syzkaller-00066-g8c464aedacd3 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x14a/0x1ce lib/dump_stack.c:118 print_address_description+0x93/0x620 mm/kasan/report.c:374 kasan_report_invalid_free+0x54/0xc0 mm/kasan/report.c:468 __kasan_slab_free+0x102/0x230 mm/kasan/common.c:459 slab_free_hook mm/slub.c:1424 [inline] slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1457 slab_free mm/slub.c:3014 [inline] kmem_cache_free+0xac/0x600 mm/slub.c:3030 dentry_kill fs/dcache.c:673 [inline] dput+0x2e1/0x5e0 fs/dcache.c:859 put_fs_context+0x6c/0x6b0 fs/fs_context.c:495 fscontext_release+0x61/0x80 fs/fsopen.c:73 __fput+0x27d/0x6c0 fs/file_table.c:280 task_work_run+0x176/0x1a0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop arch/x86/entry/common.c:163 [inline] prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x416421 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007ffef907b600 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416421 RDX: 0000000000000000 RSI: 0000000000001f5d RDI: 0000000000000005 RBP: 0000000000000001 R08: 00000000d383bf61 R09: 0000000000000000 R10: 00007ffef907b6f0 R11: 0000000000000293 R12: 0000000000790360 R13: 000000000004dcf0 R14: ffffffffffffffff R15: 000000000078c04c Allocated by task 16201: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc+0x12c/0x1c0 mm/kasan/common.c:510 slab_post_alloc_hook mm/slab.h:584 [inline] slab_alloc_node mm/slub.c:2766 [inline] slab_alloc mm/slub.c:2774 [inline] kmem_cache_alloc+0x1d5/0x260 mm/slub.c:2779 __d_alloc+0x2a/0x6b0 fs/dcache.c:1688 d_alloc_anon fs/dcache.c:1786 [inline] d_make_root+0x46/0xd0 fs/dcache.c:1987 kernfs_fill_super fs/kernfs/mount.c:244 [inline] kernfs_get_tree+0x45e/0x690 fs/kernfs/mount.c:317 cgroup_do_get_tree+0xef/0x5a0 kernel/cgroup/cgroup.c:2101 cgroup1_get_tree+0x81a/0x9c0 kernel/cgroup/cgroup-v1.c:1221 vfs_get_tree+0x85/0x260 fs/super.c:1547 vfs_fsconfig_locked fs/fsopen.c:232 [inline] __do_sys_fsconfig fs/fsopen.c:445 [inline] __se_sys_fsconfig+0xcd1/0x1140 fs/fsopen.c:314 do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 9: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] kasan_set_free_info mm/kasan/common.c:332 [inline] __kasan_slab_free+0x181/0x230 mm/kasan/common.c:471 slab_free_hook mm/slub.c:1424 [inline] slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1457 slab_free mm/slub.c:3014 [inline] kmem_cache_free+0xac/0x600 mm/slub.c:3030 __rcu_reclaim kernel/rcu/rcu.h:222 [inline] rcu_do_batch kernel/rcu/tree.c:2158 [inline] rcu_core+0xbf0/0x1360 kernel/rcu/tree.c:2378 __do_softirq+0x2d5/0x725 kernel/softirq.c:292 The buggy address belongs to the object at ffff8881d3810880 which belongs to the cache dentry of size 208 The buggy address is located 0 bytes inside of 208-byte region [ffff8881d3810880, ffff8881d3810950) The buggy address belongs to the page: page:ffffea00074e0400 refcount:1 mapcount:0 mapping:ffff8881da8ee500 index:0x0 flags: 0x8000000000000200(slab) raw: 8000000000000200 ffffea00072e2240 0000000600000006 ffff8881da8ee500 raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881d3810780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881d3810800: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc >ffff8881d3810880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881d3810900: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc ffff8881d3810980: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================