device gre0 entered promiscuous mode
skbuff: bad partial csum: csum=98/65532 len=113
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] at addr ffff8801a357096c
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1ac/0x1e0 kernel/locking/spinlock_debug.c:112 at addr ffff8801a357096c
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
Read of size 4 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Not tainted 4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f6f8 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12d
[   43.772057] PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
 ffff8801a357096c ffff8801cdc6f720 ffffffff8153a3fc ffffed00346ae12d
 ffff8801da0013c0 0000000000000000
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 print_address_description mm/kasan/report.c:198 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:329 [inline]
 __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
 do_raw_spin_lock+0x1ac/0x1e0 kernel/locking/spinlock_debug.c:112
 __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 spin_lock include/linux/spinlock.h:302 [inline]
 inode_free_security security/selinux/hooks.c:343 [inline]
 selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 security_inode_free+0x50/0x90 security/security.c:356
 __destroy_inode+0x2e/0x220 fs/inode.c:235
 destroy_inode+0x4e/0x120 fs/inode.c:262
 evict+0x329/0x4f0 fs/inode.c:570
 iput_final fs/inode.c:1516 [inline]
 iput+0x47b/0x900 fs/inode.c:1543
 fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 __fput+0x28c/0x6e0 fs/file_table.c:208
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:84 [inline] at addr ffff8801a3570978
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1d3/0x1e0 kernel/locking/spinlock_debug.c:112 at addr ffff8801a3570978
Read of size 8 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G    B 4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f6f8 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12f ffff8801a3570978 ffff8801cdc6f720
 ffffffff8153a3fc ffffed00346ae12f ffff8801da0013c0 0000000000000000
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 print_address_description mm/kasan/report.c:198 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:330 [inline]
 __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 debug_spin_lock_before kernel/locking/spinlock_debug.c:84 [inline]
 do_raw_spin_lock+0x1d3/0x1e0 kernel/locking/spinlock_debug.c:112
 __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 spin_lock include/linux/spinlock.h:302 [inline]
 inode_free_security security/selinux/hooks.c:343 [inline]
 selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 security_inode_free+0x50/0x90 security/security.c:356
 __destroy_inode+0x2e/0x220 fs/inode.c:235
 destroy_inode+0x4e/0x120 fs/inode.c:262
 evict+0x329/0x4f0 fs/inode.c:570
 iput_final fs/inode.c:1516 [inline]
 iput+0x47b/0x900 fs/inode.c:1543
 fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 __fput+0x28c/0x6e0 fs/file_table.c:208
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline] at addr ffff8801a3570970
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1a2/0x1e0 kernel/locking/spinlock_debug.c:112 at addr ffff8801a3570970
Read of size 4 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G    B 4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f6f8 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12e ffff8801a3570970 ffff8801cdc6f720
 ffffffff8153a3fc ffffed00346ae12e ffff8801da0013c0 0000000000000000
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 print_address_description mm/kasan/report.c:198 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:329 [inline]
 __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
 do_raw_spin_lock+0x1a2/0x1e0 kernel/locking/spinlock_debug.c:112
 __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 spin_lock include/linux/spinlock.h:302 [inline]
 inode_free_security security/selinux/hooks.c:343 [inline]
 selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 security_inode_free+0x50/0x90 security/security.c:356
 __destroy_inode+0x2e/0x220 fs/inode.c:235
 destroy_inode+0x4e/0x120 fs/inode.c:262
 evict+0x329/0x4f0 fs/inode.c:570
 iput_final fs/inode.c:1516 [inline]
 iput+0x47b/0x900 fs/inode.c:1543
 fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 __fput+0x28c/0x6e0 fs/file_table.c:208
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_after kernel/locking/spinlock_debug.c:91 [inline] at addr ffff8801a3570970
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1b9/0x1e0 kernel/locking/spinlock_debug.c:114 at addr ffff8801a3570970
Write of size 4 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G    B 4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f6f8 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12e ffff8801a3570970 ffff8801cdc6f720
 ffffffff8153a3fc ffffed00346ae12e ffff8801da0013c0 0000000000000001
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 print_address_description mm/kasan/report.c:198 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:334 [inline]
 __asan_report_store4_noabort+0x2c/0x30 mm/kasan/report.c:334
 debug_spin_lock_after kernel/locking/spinlock_debug.c:91 [inline]
 do_raw_spin_lock+0x1b9/0x1e0 kernel/locking/spinlock_debug.c:114
 __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 spin_lock include/linux/spinlock.h:302 [inline]
 inode_free_security security/selinux/hooks.c:343 [inline]
 selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 security_inode_free+0x50/0x90 security/security.c:356
 __destroy_inode+0x2e/0x220 fs/inode.c:235
 destroy_inode+0x4e/0x120 fs/inode.c:262
 evict+0x329/0x4f0 fs/inode.c:570
 iput_final fs/inode.c:1516 [inline]
 iput+0x47b/0x900 fs/inode.c:1543
 fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 __fput+0x28c/0x6e0 fs/file_table.c:208
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_after kernel/locking/spinlock_debug.c:92 [inline] at addr ffff8801a3570978
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1c6/0x1e0 kernel/locking/spinlock_debug.c:114 at addr ffff8801a3570978
Write of size 8 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G    B 4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f6f8 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12f ffff8801a3570978 ffff8801cdc6f720
 ffffffff8153a3fc ffffed00346ae12f ffff8801da0013c0 0000000000000001
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 print_address_description mm/kasan/report.c:198 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:335 [inline]
 __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335
 debug_spin_lock_after kernel/locking/spinlock_debug.c:92 [inline]
 do_raw_spin_lock+0x1c6/0x1e0 kernel/locking/spinlock_debug.c:114
 __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 spin_lock include/linux/spinlock.h:302 [inline]
 inode_free_security security/selinux/hooks.c:343 [inline]
 selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 security_inode_free+0x50/0x90 security/security.c:356
 __destroy_inode+0x2e/0x220 fs/inode.c:235
 destroy_inode+0x4e/0x120 fs/inode.c:262
 evict+0x329/0x4f0 fs/inode.c:570
 iput_final fs/inode.c:1516 [inline]
 iput+0x47b/0x900 fs/inode.c:1543
 fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 __fput+0x28c/0x6e0 fs/file_table.c:208
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in __list_del_entry+0x184/0x1d0 lib/list_debug.c:57 at addr ffff8801a3570958
Read of size 8 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G    B 4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f720 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12b ffff8801a3570958 ffff8801cdc6f748
 ffffffff8153a3fc ffffed00346ae12b ffff8801da0013c0 0000000000000000
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 print_address_description mm/kasan/report.c:198 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:330 [inline]
 __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 __list_del_entry+0x184/0x1d0 lib/list_debug.c:57
 list_del_init include/linux/list.h:145 [inline]
 inode_free_security security/selinux/hooks.c:344 [inline]
 selinux_inode_free_security+0xce/0x1b0 security/selinux/hooks.c:2845
 security_inode_free+0x50/0x90 security/security.c:356
 __destroy_inode+0x2e/0x220 fs/inode.c:235
 destroy_inode+0x4e/0x120 fs/inode.c:262
 evict+0x329/0x4f0 fs/inode.c:570
 iput_final fs/inode.c:1516 [inline]
 iput+0x47b/0x900 fs/inode.c:1543
 fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 __fput+0x28c/0x6e0 fs/file_table.c:208
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in __list_del_entry+0x196/0x1d0 lib/list_debug.c:60 at addr ffff8801a3570960
Read of size 8 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G    B 4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f720 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12c ffff8801a3570960 ffff8801cdc6f748
 ffffffff8153a3fc ffffed00346ae12c ffff8801da0013c0 0000000000000000
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 print_address_description mm/kasan/report.c:198 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:330 [inline]
 __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 __list_del_entry+0x196/0x1d0 lib/list_debug.c:60
 list_del_init include/linux/list.h:145 [inline]
 inode_free_security security/selinux/hooks.c:344 [inline]
 selinux_inode_free_security+0xce/0x1b0 security/selinux/hooks.c:2845
 security_inode_free+0x50/0x90 security/security.c:356
 __destroy_inode+0x2e/0x220 fs/inode.c:235
 destroy_inode+0x4e/0x120 fs/inode.c:262
 evict+0x329/0x4f0 fs/inode.c:570
 iput_final fs/inode.c:1516 [inline]
 iput+0x47b/0x900 fs/inode.c:1543
 fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 __fput+0x28c/0x6e0 fs/file_table.c:208
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
[] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a35708c0, in cache kmalloc-256 size: 256 Allocated: PID = 3802 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] superblock_alloc_security security/selinux/hooks.c:387 [inline] selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602 security_sb_alloc+0x6d/0xa0 security/security.c:273 alloc_super fs/super.c:197 [inline] sget_userns+0x27c/0xb70 fs/super.c:503 sget+0xd2/0x120 fs/super.c:555 mount_nodev+0x37/0x100 fs/super.c:1137 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x27f/0x350 fs/super.c:1202 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x3e1/0x28b0 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 3802 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 superblock_free_security security/selinux/hooks.c:407 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607 security_sb_free+0x48/0x80 security/security.c:278 destroy_super+0x36/0x170 fs/super.c:167 __put_super.part.5+0x56/0x70 fs/super.c:274 __put_super fs/super.c:272 [inline] put_super+0x53/0x70 fs/super.c:288 
deactivate_locked_super+0xb0/0xd0 fs/super.c:321 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140 task_work_run+0x115/0x190 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7e7/0x2a40 kernel/exit.c:833 do_group_exit+0x108/0x320 kernel/exit.c:937 get_signal+0x4d4/0x14e0 kernel/signal.c:2315 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb >ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:272 [inline] at addr ffff8801a3570958 BUG: KASAN: use-after-free in __list_del include/linux/list.h:90 [inline] at addr ffff8801a3570958 BUG: KASAN: use-after-free in __list_del_entry+0x173/0x1d0 lib/list_debug.c:65 at addr ffff8801a3570958 Write of size 8 by task syz-executor1/3818 CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cdc6f720 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0 ffff8801a35709c0 ffffed00346ae12b ffff8801a3570958 ffff8801cdc6f748 ffffffff8153a3fc ffffed00346ae12b ffff8801da0013c0 0000000000000001 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 
lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:335 [inline] [] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335 [] __write_once_size include/linux/compiler.h:272 [inline] [] __list_del include/linux/list.h:90 [inline] [] __list_del_entry+0x173/0x1d0 lib/list_debug.c:65 [] list_del_init include/linux/list.h:145 [inline] [] inode_free_security security/selinux/hooks.c:344 [inline] [] selinux_inode_free_security+0xce/0x1b0 security/selinux/hooks.c:2845 [] security_inode_free+0x50/0x90 security/security.c:356 [] __destroy_inode+0x2e/0x220 fs/inode.c:235 [] destroy_inode+0x4e/0x120 fs/inode.c:262 [] evict+0x329/0x4f0 fs/inode.c:570 [] iput_final fs/inode.c:1516 [inline] [] iput+0x47b/0x900 fs/inode.c:1543 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a35708c0, in cache kmalloc-256 size: 256 Allocated: PID = 3802 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 
set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] superblock_alloc_security security/selinux/hooks.c:387 [inline] selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602 security_sb_alloc+0x6d/0xa0 security/security.c:273 alloc_super fs/super.c:197 [inline] sget_userns+0x27c/0xb70 fs/super.c:503 sget+0xd2/0x120 fs/super.c:555 mount_nodev+0x37/0x100 fs/super.c:1137 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x27f/0x350 fs/super.c:1202 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x3e1/0x28b0 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 3802 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 superblock_free_security security/selinux/hooks.c:407 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607 security_sb_free+0x48/0x80 security/security.c:278 destroy_super+0x36/0x170 fs/super.c:167 __put_super.part.5+0x56/0x70 fs/super.c:274 __put_super fs/super.c:272 [inline] put_super+0x53/0x70 fs/super.c:288 deactivate_locked_super+0xb0/0xd0 fs/super.c:321 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140 task_work_run+0x115/0x190 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7e7/0x2a40 kernel/exit.c:833 do_group_exit+0x108/0x320 kernel/exit.c:937 
get_signal+0x4d4/0x14e0 kernel/signal.c:2315 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb >ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:97 [inline] at addr ffff8801a357096c BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1d4/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801a357096c Read of size 4 by task syz-executor1/3818 CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cdc6f708 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0 ffff8801a35709c0 ffffed00346ae12d ffff8801a357096c ffff8801cdc6f730 ffffffff8153a3fc ffffed00346ae12d ffff8801da0013c0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] debug_spin_unlock kernel/locking/spinlock_debug.c:97 [inline] [] 
do_raw_spin_unlock+0x1d4/0x210 kernel/locking/spinlock_debug.c:134 [] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline] [] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183 [] spin_unlock include/linux/spinlock.h:347 [inline] [] inode_free_security security/selinux/hooks.c:345 [inline] [] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845 [] security_inode_free+0x50/0x90 security/security.c:356 [] __destroy_inode+0x2e/0x220 fs/inode.c:235 [] destroy_inode+0x4e/0x120 fs/inode.c:262 [] evict+0x329/0x4f0 fs/inode.c:570 [] iput_final fs/inode.c:1516 [inline] [] iput+0x47b/0x900 fs/inode.c:1543 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a35708c0, in cache kmalloc-256 size: 256 Allocated: PID = 3802 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] superblock_alloc_security security/selinux/hooks.c:387 [inline] selinux_sb_alloc_security+0x49/0x210 
security/selinux/hooks.c:2602 security_sb_alloc+0x6d/0xa0 security/security.c:273 alloc_super fs/super.c:197 [inline] sget_userns+0x27c/0xb70 fs/super.c:503 sget+0xd2/0x120 fs/super.c:555 mount_nodev+0x37/0x100 fs/super.c:1137 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x27f/0x350 fs/super.c:1202 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x3e1/0x28b0 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 3802 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 superblock_free_security security/selinux/hooks.c:407 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607 security_sb_free+0x48/0x80 security/security.c:278 destroy_super+0x36/0x170 fs/super.c:167 __put_super.part.5+0x56/0x70 fs/super.c:274 __put_super fs/super.c:272 [inline] put_super+0x53/0x70 fs/super.c:288 deactivate_locked_super+0xb0/0xd0 fs/super.c:321 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140 task_work_run+0x115/0x190 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7e7/0x2a40 kernel/exit.c:833 do_group_exit+0x108/0x320 kernel/exit.c:937 get_signal+0x4d4/0x14e0 kernel/signal.c:2315 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around 
the buggy address: ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb >ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801a3570968 BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801a3570968 BUG: KASAN: use-after-free in queued_spin_is_locked include/asm-generic/qspinlock.h:49 [inline] at addr ffff8801a3570968 BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:98 [inline] at addr ffff8801a3570968 BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1ca/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801a3570968 Read of size 4 by task syz-executor1/3818 CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cdc6f708 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0 ffff8801a35709c0 ffffed00346ae12d ffff8801a3570968 ffff8801cdc6f730 ffffffff8153a3fc ffffed00346ae12d ffff8801da0013c0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] __read_once_size include/linux/compiler.h:243 [inline] [] atomic_read 
arch/x86/include/asm/atomic.h:26 [inline] [] queued_spin_is_locked include/asm-generic/qspinlock.h:49 [inline] [] debug_spin_unlock kernel/locking/spinlock_debug.c:98 [inline] [] do_raw_spin_unlock+0x1ca/0x210 kernel/locking/spinlock_debug.c:134 [] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline] [] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183 [] spin_unlock include/linux/spinlock.h:347 [inline] [] inode_free_security security/selinux/hooks.c:345 [inline] [] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845 [] security_inode_free+0x50/0x90 security/security.c:356 [] __destroy_inode+0x2e/0x220 fs/inode.c:235 [] destroy_inode+0x4e/0x120 fs/inode.c:262 [] evict+0x329/0x4f0 fs/inode.c:570 [] iput_final fs/inode.c:1516 [inline] [] iput+0x47b/0x900 fs/inode.c:1543 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a35708c0, in cache kmalloc-256 size: 256 Allocated: PID = 3802 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 
kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] superblock_alloc_security security/selinux/hooks.c:387 [inline] selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602 security_sb_alloc+0x6d/0xa0 security/security.c:273 alloc_super fs/super.c:197 [inline] sget_userns+0x27c/0xb70 fs/super.c:503 sget+0xd2/0x120 fs/super.c:555 mount_nodev+0x37/0x100 fs/super.c:1137 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x27f/0x350 fs/super.c:1202 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x3e1/0x28b0 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 3802 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 superblock_free_security security/selinux/hooks.c:407 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607 security_sb_free+0x48/0x80 security/security.c:278 destroy_super+0x36/0x170 fs/super.c:167 __put_super.part.5+0x56/0x70 fs/super.c:274 __put_super fs/super.c:272 [inline] put_super+0x53/0x70 fs/super.c:288 deactivate_locked_super+0xb0/0xd0 fs/super.c:321 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140 task_work_run+0x115/0x190 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7e7/0x2a40 kernel/exit.c:833 do_group_exit+0x108/0x320 kernel/exit.c:937 get_signal+0x4d4/0x14e0 kernel/signal.c:2315 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 exit_to_usermode_loop+0xe1/0x120 
arch/x86/entry/common.c:156 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb >ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:99 [inline] at addr ffff8801a3570978 BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1fb/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801a3570978 Read of size 8 by task syz-executor1/3818 CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cdc6f708 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0 ffff8801a35709c0 ffffed00346ae12f ffff8801a3570978 ffff8801cdc6f730 ffffffff8153a3fc ffffed00346ae12f ffff8801da0013c0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] debug_spin_unlock kernel/locking/spinlock_debug.c:99 [inline] [] do_raw_spin_unlock+0x1fb/0x210 kernel/locking/spinlock_debug.c:134 [] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline] [] 
_raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183 [] spin_unlock include/linux/spinlock.h:347 [inline] [] inode_free_security security/selinux/hooks.c:345 [inline] [] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845 [] security_inode_free+0x50/0x90 security/security.c:356 [] __destroy_inode+0x2e/0x220 fs/inode.c:235 [] destroy_inode+0x4e/0x120 fs/inode.c:262 [] evict+0x329/0x4f0 fs/inode.c:570 [] iput_final fs/inode.c:1516 [inline] [] iput+0x47b/0x900 fs/inode.c:1543 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a35708c0, in cache kmalloc-256 size: 256 Allocated: PID = 3802 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] superblock_alloc_security security/selinux/hooks.c:387 [inline] selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602 security_sb_alloc+0x6d/0xa0 security/security.c:273 alloc_super fs/super.c:197 [inline] 
sget_userns+0x27c/0xb70 fs/super.c:503 sget+0xd2/0x120 fs/super.c:555 mount_nodev+0x37/0x100 fs/super.c:1137 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x27f/0x350 fs/super.c:1202 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x3e1/0x28b0 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 3802 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 superblock_free_security security/selinux/hooks.c:407 [inline] selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607 security_sb_free+0x48/0x80 security/security.c:278 destroy_super+0x36/0x170 fs/super.c:167 __put_super.part.5+0x56/0x70 fs/super.c:274 __put_super fs/super.c:272 [inline] put_super+0x53/0x70 fs/super.c:288 deactivate_locked_super+0xb0/0xd0 fs/super.c:321 deactivate_super+0x91/0xd0 fs/super.c:341 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140 task_work_run+0x115/0x190 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7e7/0x2a40 kernel/exit.c:833 do_group_exit+0x108/0x320 kernel/exit.c:937 get_signal+0x4d4/0x14e0 kernel/signal.c:2315 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a3570880: fc fc fc fc fc 
fc fc fc fb fb fb fb fb fb fb fb >ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:100 [inline] at addr ffff8801a3570970 BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1e1/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801a3570970 Read of size 4 by task syz-executor1/3818 CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cdc6f708 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0 ffff8801a35709c0 ffffed00346ae12e ffff8801a3570970 ffff8801cdc6f730 ffffffff8153a3fc ffffed00346ae12e ffff8801da0013c0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] debug_spin_unlock kernel/locking/spinlock_debug.c:100 [inline] [] do_raw_spin_unlock+0x1e1/0x210 kernel/locking/spinlock_debug.c:134 [] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline] [] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183 [] spin_unlock include/linux/spinlock.h:347 [inline] [] inode_free_security security/selinux/hooks.c:345 [inline] [] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845 [] security_inode_free+0x50/0x90 security/security.c:356 [] __destroy_inode+0x2e/0x220 fs/inode.c:235 
 [] destroy_inode+0x4e/0x120 fs/inode.c:262
 [] evict+0x329/0x4f0 fs/inode.c:570
 [] iput_final fs/inode.c:1516 [inline]
 [] iput+0x47b/0x900 fs/inode.c:1543
 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [] __fput+0x28c/0x6e0 fs/file_table.c:208
 [] ____fput+0x15/0x20 fs/file_table.c:244
 [] task_work_run+0x115/0x190 kernel/task_work.c:116
 [] exit_task_work include/linux/task_work.h:21 [inline]
 [] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [] do_group_exit+0x108/0x320 kernel/exit.c:937
 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:102 [inline] at addr ffff8801a3570978
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x208/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801a3570978
Write of size 8 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G B 4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f708 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12f ffff8801a3570978 ffff8801cdc6f730
 ffffffff8153a3fc ffffed00346ae12f ffff8801da0013c0 0000000000000001
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:335 [inline]
 [] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335
 [] debug_spin_unlock kernel/locking/spinlock_debug.c:102 [inline]
 [] do_raw_spin_unlock+0x208/0x210 kernel/locking/spinlock_debug.c:134
 [] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [] spin_unlock include/linux/spinlock.h:347 [inline]
 [] inode_free_security security/selinux/hooks.c:345 [inline]
 [] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [] security_inode_free+0x50/0x90 security/security.c:356
 [] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [] destroy_inode+0x4e/0x120 fs/inode.c:262
 [] evict+0x329/0x4f0 fs/inode.c:570
 [] iput_final fs/inode.c:1516 [inline]
 [] iput+0x47b/0x900 fs/inode.c:1543
 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [] __fput+0x28c/0x6e0 fs/file_table.c:208
 [] ____fput+0x15/0x20 fs/file_table.c:244
 [] task_work_run+0x115/0x190 kernel/task_work.c:116
 [] exit_task_work include/linux/task_work.h:21 [inline]
 [] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [] do_group_exit+0x108/0x320 kernel/exit.c:937
 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:103 [inline] at addr ffff8801a3570970
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1ee/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801a3570970
Write of size 4 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G B 4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f708 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12e ffff8801a3570970 ffff8801cdc6f730
 ffffffff8153a3fc ffffed00346ae12e ffff8801da0013c0 0000000000000001
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:334 [inline]
 [] __asan_report_store4_noabort+0x2c/0x30 mm/kasan/report.c:334
 [] debug_spin_unlock kernel/locking/spinlock_debug.c:103 [inline]
 [] do_raw_spin_unlock+0x1ee/0x210 kernel/locking/spinlock_debug.c:134
 [] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [] spin_unlock include/linux/spinlock.h:347 [inline]
 [] inode_free_security security/selinux/hooks.c:345 [inline]
 [] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [] security_inode_free+0x50/0x90 security/security.c:356
 [] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [] destroy_inode+0x4e/0x120 fs/inode.c:262
 [] evict+0x329/0x4f0 fs/inode.c:570
 [] iput_final fs/inode.c:1516 [inline]
 [] iput+0x47b/0x900 fs/inode.c:1543
 [] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [] __fput+0x28c/0x6e0 fs/file_table.c:208
 [] ____fput+0x15/0x20 fs/file_table.c:244
 [] task_work_run+0x115/0x190 kernel/task_work.c:116
 [] exit_task_work include/linux/task_work.h:21 [inline]
 [] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [] do_group_exit+0x108/0x320 kernel/exit.c:937
 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
mmap: syz-executor1 (3947) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
binder: 3945:3948 ioctl c08c5335 209dcf74 returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=36287 sclass=netlink_route_socket pig=3956 comm=syz-executor2
binder: 3945:3966 ioctl c08c5335 209dcf74 returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=36287 sclass=netlink_route_socket pig=3987 comm=syz-executor2
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
IPVS: Creating netns size=2536 id=9
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
IPVS: Creating netns size=2536 id=10
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
PF_BRIDGE: RTM_SETLINK with unknown ifindex
device lo left promiscuous mode
netlink: 4 bytes leftover after parsing attributes in process `syz-executor7'.
device lo entered promiscuous mode
netlink: 4 bytes leftover after parsing attributes in process `syz-executor7'.
device lo left promiscuous mode
PF_BRIDGE: RTM_SETLINK with unknown ifindex
netlink: 9 bytes leftover after parsing attributes in process `syz-executor0'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor0'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
device lo entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65535 sclass=netlink_route_socket pig=4360 comm=syz-executor2
sock: sock_set_timeout: `syz-executor7' (pid 4361) tries to set negative timeout
device lo left promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
sock: sock_set_timeout: `syz-executor7' (pid 4383) tries to set negative timeout
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65535 sclass=netlink_route_socket pig=4382 comm=syz-executor2
device lo entered promiscuous mode
device lo entered promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
device lo left promiscuous mode
IPVS: Creating netns size=2536 id=11