================================================================== BUG: KASAN: slab-out-of-bounds in ovl_check_fb_len+0x171/0x1a0 fs/overlayfs/namei.c:89 Read of size 1 at addr ffff888093a2f64d by task syz-executor.4/8402 CPU: 0 PID: 8402 Comm: syz-executor.4 Not tainted 5.7.0-rc1-next-20200415-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x188/0x20d lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:382 __kasan_report.cold+0x35/0x4d mm/kasan/report.c:511 kasan_report+0x33/0x50 mm/kasan/common.c:625 ovl_check_fb_len+0x171/0x1a0 fs/overlayfs/namei.c:89 ovl_check_fh_len fs/overlayfs/overlayfs.h:358 [inline] ovl_fh_to_dentry+0x18d/0x804 fs/overlayfs/export.c:809 exportfs_decode_fh+0x11f/0x717 fs/exportfs/expfs.c:434 do_handle_to_path fs/fhandle.c:152 [inline] handle_to_path fs/fhandle.c:207 [inline] do_handle_open+0x2b5/0x770 fs/fhandle.c:223 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x45ca29 Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f182e884c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000130 RAX: ffffffffffffffda RBX: 00000000004f6d00 RCX: 000000000045ca29 RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003 RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 000000000000077b R14: 00000000004ca4e6 R15: 00007f182e8856d4 Allocated by task 8402: save_stack+0x1b/0x40 mm/kasan/common.c:49 set_track mm/kasan/common.c:57 [inline] __kasan_kmalloc mm/kasan/common.c:495 [inline] __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468 __do_kmalloc mm/slab.c:3656 [inline] __kmalloc+0x161/0x7a0 mm/slab.c:3665 kmalloc include/linux/slab.h:560 [inline] handle_to_path fs/fhandle.c:192 [inline] do_handle_open+0xfd/0x770 fs/fhandle.c:223 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 Freed by task 9: save_stack+0x1b/0x40 mm/kasan/common.c:49 set_track mm/kasan/common.c:57 [inline] kasan_set_free_info mm/kasan/common.c:317 [inline] __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456 __cache_free mm/slab.c:3426 [inline] kfree+0x109/0x2b0 mm/slab.c:3757 security_cred_free+0xa5/0x100 security/security.c:1599 put_cred_rcu+0x122/0x4a0 kernel/cred.c:114 rcu_do_batch kernel/rcu/tree.c:2206 [inline] rcu_core+0x59f/0x1370 kernel/rcu/tree.c:2433 __do_softirq+0x26c/0x9f7 kernel/softirq.c:292 The buggy address belongs to the object at ffff888093a2f640 which belongs to the cache kmalloc-32 of size 32 The buggy address is located 13 bytes inside of 32-byte region [ffff888093a2f640, ffff888093a2f660) The buggy address belongs to the page: page:ffffea00024e8bc0 refcount:1 mapcount:0 mapping:0000000032647a5c index:0xffff888093a2ffc1 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea0002a02f48 ffffea000298b388 ffff8880aa0001c0 raw: ffff888093a2ffc1 ffff888093a2f000 0000000100000033 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888093a2f500: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc ffff888093a2f580: 00 00 00 02 fc fc fc fc fb fb fb fb fc fc fc fc >ffff888093a2f600: fb fb fb fb fc fc fc fc 00 02 fc fc fc fc fc fc ^ ffff888093a2f680: 00 00 00 fc fc fc fc fc 00 03 fc fc fc fc fc fc ffff888093a2f700: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc ==================================================================