device gre0 entered promiscuous mode
skbuff: bad partial csum: csum=98/65532 len=113
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] at addr ffff8801a357096c
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1ac/0x1e0 kernel/locking/spinlock_debug.c:112 at addr ffff8801a357096c
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
Read of size 4 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Not tainted 4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f6f8 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12d[   43.772057] PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
 ffff8801a357096c ffff8801cdc6f720
 ffffffff8153a3fc ffffed00346ae12d ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153aa29>] kasan_report mm/kasan/report.c:329 [inline]
 [<ffffffff8153aa29>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 [<ffffffff8124638c>] debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
 [<ffffffff8124638c>] do_raw_spin_lock+0x1ac/0x1e0 kernel/locking/spinlock_debug.c:112
 [<ffffffff838a8b5e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff838a8b5e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff81be5446>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff81be5446>] inode_free_security security/selinux/hooks.c:343 [inline]
 [<ffffffff81be5446>] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81163a44>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838a97e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:84 [inline] at addr ffff8801a3570978
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1d3/0x1e0 kernel/locking/spinlock_debug.c:112 at addr ffff8801a3570978
Read of size 8 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f6f8 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12f ffff8801a3570978 ffff8801cdc6f720
 ffffffff8153a3fc ffffed00346ae12f ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153aa59>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153aa59>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff812463b3>] debug_spin_lock_before kernel/locking/spinlock_debug.c:84 [inline]
 [<ffffffff812463b3>] do_raw_spin_lock+0x1d3/0x1e0 kernel/locking/spinlock_debug.c:112
 [<ffffffff838a8b5e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff838a8b5e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff81be5446>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff81be5446>] inode_free_security security/selinux/hooks.c:343 [inline]
 [<ffffffff81be5446>] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81163a44>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838a97e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline] at addr ffff8801a3570970
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1a2/0x1e0 kernel/locking/spinlock_debug.c:112 at addr ffff8801a3570970
Read of size 4 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f6f8 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12e ffff8801a3570970 ffff8801cdc6f720
 ffffffff8153a3fc ffffed00346ae12e ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153aa29>] kasan_report mm/kasan/report.c:329 [inline]
 [<ffffffff8153aa29>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 [<ffffffff81246382>] debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
 [<ffffffff81246382>] do_raw_spin_lock+0x1a2/0x1e0 kernel/locking/spinlock_debug.c:112
 [<ffffffff838a8b5e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff838a8b5e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff81be5446>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff81be5446>] inode_free_security security/selinux/hooks.c:343 [inline]
 [<ffffffff81be5446>] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81163a44>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838a97e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_after kernel/locking/spinlock_debug.c:91 [inline] at addr ffff8801a3570970
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1b9/0x1e0 kernel/locking/spinlock_debug.c:114 at addr ffff8801a3570970
Write of size 4 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f6f8 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12e ffff8801a3570970 ffff8801cdc6f720
 ffffffff8153a3fc ffffed00346ae12e ffff8801da0013c0 0000000000000001
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ab1c>] kasan_report mm/kasan/report.c:334 [inline]
 [<ffffffff8153ab1c>] __asan_report_store4_noabort+0x2c/0x30 mm/kasan/report.c:334
 [<ffffffff81246399>] debug_spin_lock_after kernel/locking/spinlock_debug.c:91 [inline]
 [<ffffffff81246399>] do_raw_spin_lock+0x1b9/0x1e0 kernel/locking/spinlock_debug.c:114
 [<ffffffff838a8b5e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff838a8b5e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff81be5446>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff81be5446>] inode_free_security security/selinux/hooks.c:343 [inline]
 [<ffffffff81be5446>] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81163a44>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838a97e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_after kernel/locking/spinlock_debug.c:92 [inline] at addr ffff8801a3570978
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1c6/0x1e0 kernel/locking/spinlock_debug.c:114 at addr ffff8801a3570978
Write of size 8 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f6f8 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12f ffff8801a3570978 ffff8801cdc6f720
 ffffffff8153a3fc ffffed00346ae12f ffff8801da0013c0 0000000000000001
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ab4c>] kasan_report mm/kasan/report.c:335 [inline]
 [<ffffffff8153ab4c>] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335
 [<ffffffff812463a6>] debug_spin_lock_after kernel/locking/spinlock_debug.c:92 [inline]
 [<ffffffff812463a6>] do_raw_spin_lock+0x1c6/0x1e0 kernel/locking/spinlock_debug.c:114
 [<ffffffff838a8b5e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff838a8b5e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff81be5446>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff81be5446>] inode_free_security security/selinux/hooks.c:343 [inline]
 [<ffffffff81be5446>] selinux_inode_free_security+0xc6/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81163a44>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838a97e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in __list_del_entry+0x184/0x1d0 lib/list_debug.c:57 at addr ffff8801a3570958
Read of size 8 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f720 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12b ffff8801a3570958 ffff8801cdc6f748
 ffffffff8153a3fc ffffed00346ae12b ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153aa59>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153aa59>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff81df77e4>] __list_del_entry+0x184/0x1d0 lib/list_debug.c:57
 [<ffffffff81be544e>] list_del_init include/linux/list.h:145 [inline]
 [<ffffffff81be544e>] inode_free_security security/selinux/hooks.c:344 [inline]
 [<ffffffff81be544e>] selinux_inode_free_security+0xce/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81163a44>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838a97e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in __list_del_entry+0x196/0x1d0 lib/list_debug.c:60 at addr ffff8801a3570960
Read of size 8 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f720 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12c ffff8801a3570960 ffff8801cdc6f748
 ffffffff8153a3fc ffffed00346ae12c ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153aa59>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153aa59>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff81df77f6>] __list_del_entry+0x196/0x1d0 lib/list_debug.c:60
 [<ffffffff81be544e>] list_del_init include/linux/list.h:145 [inline]
 [<ffffffff81be544e>] inode_free_security security/selinux/hooks.c:344 [inline]
 [<ffffffff81be544e>] selinux_inode_free_security+0xce/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81163a44>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838a97e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:272 [inline] at addr ffff8801a3570958
BUG: KASAN: use-after-free in __list_del include/linux/list.h:90 [inline] at addr ffff8801a3570958
BUG: KASAN: use-after-free in __list_del_entry+0x173/0x1d0 lib/list_debug.c:65 at addr ffff8801a3570958
Write of size 8 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f720 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12b ffff8801a3570958 ffff8801cdc6f748
 ffffffff8153a3fc ffffed00346ae12b ffff8801da0013c0 0000000000000001
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ab4c>] kasan_report mm/kasan/report.c:335 [inline]
 [<ffffffff8153ab4c>] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335
 [<ffffffff81df77d3>] __write_once_size include/linux/compiler.h:272 [inline]
 [<ffffffff81df77d3>] __list_del include/linux/list.h:90 [inline]
 [<ffffffff81df77d3>] __list_del_entry+0x173/0x1d0 lib/list_debug.c:65
 [<ffffffff81be544e>] list_del_init include/linux/list.h:145 [inline]
 [<ffffffff81be544e>] inode_free_security security/selinux/hooks.c:344 [inline]
 [<ffffffff81be544e>] selinux_inode_free_security+0xce/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81163a44>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838a97e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:97 [inline] at addr ffff8801a357096c
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1d4/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801a357096c
Read of size 4 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f708 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12d ffff8801a357096c ffff8801cdc6f730
 ffffffff8153a3fc ffffed00346ae12d ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153aa29>] kasan_report mm/kasan/report.c:329 [inline]
 [<ffffffff8153aa29>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 [<ffffffff81246664>] debug_spin_unlock kernel/locking/spinlock_debug.c:97 [inline]
 [<ffffffff81246664>] do_raw_spin_unlock+0x1d4/0x210 kernel/locking/spinlock_debug.c:134
 [<ffffffff838a8ea2>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff838a8ea2>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff81be5496>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff81be5496>] inode_free_security security/selinux/hooks.c:345 [inline]
 [<ffffffff81be5496>] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81163a44>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838a97e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801a3570968
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801a3570968
BUG: KASAN: use-after-free in queued_spin_is_locked include/asm-generic/qspinlock.h:49 [inline] at addr ffff8801a3570968
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:98 [inline] at addr ffff8801a3570968
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1ca/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801a3570968
Read of size 4 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f708 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12d ffff8801a3570968 ffff8801cdc6f730
 ffffffff8153a3fc ffffed00346ae12d ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153aa29>] kasan_report mm/kasan/report.c:329 [inline]
 [<ffffffff8153aa29>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 [<ffffffff8124665a>] __read_once_size include/linux/compiler.h:243 [inline]
 [<ffffffff8124665a>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 [<ffffffff8124665a>] queued_spin_is_locked include/asm-generic/qspinlock.h:49 [inline]
 [<ffffffff8124665a>] debug_spin_unlock kernel/locking/spinlock_debug.c:98 [inline]
 [<ffffffff8124665a>] do_raw_spin_unlock+0x1ca/0x210 kernel/locking/spinlock_debug.c:134
 [<ffffffff838a8ea2>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff838a8ea2>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff81be5496>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff81be5496>] inode_free_security security/selinux/hooks.c:345 [inline]
 [<ffffffff81be5496>] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81163a44>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838a97e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:99 [inline] at addr ffff8801a3570978
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1fb/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801a3570978
Read of size 8 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f708 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12f ffff8801a3570978 ffff8801cdc6f730
 ffffffff8153a3fc ffffed00346ae12f ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153aa59>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153aa59>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff8124668b>] debug_spin_unlock kernel/locking/spinlock_debug.c:99 [inline]
 [<ffffffff8124668b>] do_raw_spin_unlock+0x1fb/0x210 kernel/locking/spinlock_debug.c:134
 [<ffffffff838a8ea2>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff838a8ea2>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff81be5496>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff81be5496>] inode_free_security security/selinux/hooks.c:345 [inline]
 [<ffffffff81be5496>] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81163a44>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838a97e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:100 [inline] at addr ffff8801a3570970
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1e1/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801a3570970
Read of size 4 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f708 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12e ffff8801a3570970 ffff8801cdc6f730
 ffffffff8153a3fc ffffed00346ae12e ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153aa29>] kasan_report mm/kasan/report.c:329 [inline]
 [<ffffffff8153aa29>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 [<ffffffff81246671>] debug_spin_unlock kernel/locking/spinlock_debug.c:100 [inline]
 [<ffffffff81246671>] do_raw_spin_unlock+0x1e1/0x210 kernel/locking/spinlock_debug.c:134
 [<ffffffff838a8ea2>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff838a8ea2>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff81be5496>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff81be5496>] inode_free_security security/selinux/hooks.c:345 [inline]
 [<ffffffff81be5496>] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81163a44>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838a97e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:102 [inline] at addr ffff8801a3570978
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x208/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801a3570978
Write of size 8 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f708 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12f ffff8801a3570978 ffff8801cdc6f730
 ffffffff8153a3fc ffffed00346ae12f ffff8801da0013c0 0000000000000001
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ab4c>] kasan_report mm/kasan/report.c:335 [inline]
 [<ffffffff8153ab4c>] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335
 [<ffffffff81246698>] debug_spin_unlock kernel/locking/spinlock_debug.c:102 [inline]
 [<ffffffff81246698>] do_raw_spin_unlock+0x208/0x210 kernel/locking/spinlock_debug.c:134
 [<ffffffff838a8ea2>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff838a8ea2>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff81be5496>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff81be5496>] inode_free_security security/selinux/hooks.c:345 [inline]
 [<ffffffff81be5496>] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81163a44>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838a97e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:103 [inline] at addr ffff8801a3570970
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1ee/0x210 kernel/locking/spinlock_debug.c:134 at addr ffff8801a3570970
Write of size 4 by task syz-executor1/3818
CPU: 0 PID: 3818 Comm: syz-executor1 Tainted: G    B           4.9.65-gea83e4a #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc6f708 ffffffff81d90469 ffff8801da0013c0 ffff8801a35708c0
 ffff8801a35709c0 ffffed00346ae12e ffff8801a3570970 ffff8801cdc6f730
 ffffffff8153a3fc ffffed00346ae12e ffff8801da0013c0 0000000000000001
Call Trace:
 [<ffffffff81d90469>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a3fc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a6bc>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a6bc>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a6bc>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ab1c>] kasan_report mm/kasan/report.c:334 [inline]
 [<ffffffff8153ab1c>] __asan_report_store4_noabort+0x2c/0x30 mm/kasan/report.c:334
 [<ffffffff8124667e>] debug_spin_unlock kernel/locking/spinlock_debug.c:103 [inline]
 [<ffffffff8124667e>] do_raw_spin_unlock+0x1ee/0x210 kernel/locking/spinlock_debug.c:134
 [<ffffffff838a8ea2>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff838a8ea2>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff81be5496>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff81be5496>] inode_free_security security/selinux/hooks.c:345 [inline]
 [<ffffffff81be5496>] selinux_inode_free_security+0x116/0x1b0 security/selinux/hooks.c:2845
 [<ffffffff81bcce40>] security_inode_free+0x50/0x90 security/security.c:356
 [<ffffffff815c5d1e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
 [<ffffffff815c5f5e>] destroy_inode+0x4e/0x120 fs/inode.c:262
 [<ffffffff815c6359>] evict+0x329/0x4f0 fs/inode.c:570
 [<ffffffff815c6e0b>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff815c6e0b>] iput+0x47b/0x900 fs/inode.c:1543
 [<ffffffff81642701>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff81643a7c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff81641482>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff81646947>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff8157182c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81571d05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81193675>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113a507>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113a507>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff81140c18>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81163a44>] get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 [<ffffffff81052c87>] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 [<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff838a97e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8801a35708c0, in cache kmalloc-256 size: 256
Allocated:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 superblock_alloc_security security/selinux/hooks.c:387 [inline]
 selinux_sb_alloc_security+0x49/0x210 security/selinux/hooks.c:2602
 security_sb_alloc+0x6d/0xa0 security/security.c:273
 alloc_super fs/super.c:197 [inline]
 sget_userns+0x27c/0xb70 fs/super.c:503
 sget+0xd2/0x120 fs/super.c:555
 mount_nodev+0x37/0x100 fs/super.c:1137
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
 mount_fs+0x27f/0x350 fs/super.c:1202
 vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0x3e1/0x28b0 fs/namespace.c:2834
 SYSC_mount fs/namespace.c:3050 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3802
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 superblock_free_security security/selinux/hooks.c:407 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2607
 security_sb_free+0x48/0x80 security/security.c:278
 destroy_super+0x36/0x170 fs/super.c:167
 __put_super.part.5+0x56/0x70 fs/super.c:274
 __put_super fs/super.c:272 [inline]
 put_super+0x53/0x70 fs/super.c:288
 deactivate_locked_super+0xb0/0xd0 fs/super.c:321
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1133
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1140
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801a3570800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801a3570880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801a3570900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8801a3570980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801a3570a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
mmap: syz-executor1 (3947) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
binder: 3945:3948 ioctl c08c5335 209dcf74 returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=36287 sclass=netlink_route_socket pig=3956 comm=syz-executor2
binder: 3945:3966 ioctl c08c5335 209dcf74 returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=36287 sclass=netlink_route_socket pig=3987 comm=syz-executor2
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
IPVS: Creating netns size=2536 id=9
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
IPVS: Creating netns size=2536 id=10
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
PF_BRIDGE: RTM_SETLINK with unknown ifindex
device lo left promiscuous mode
netlink: 4 bytes leftover after parsing attributes in process `syz-executor7'.
device lo entered promiscuous mode
netlink: 4 bytes leftover after parsing attributes in process `syz-executor7'.
device lo left promiscuous mode
PF_BRIDGE: RTM_SETLINK with unknown ifindex
netlink: 9 bytes leftover after parsing attributes in process `syz-executor0'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor0'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
device lo entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65535 sclass=netlink_route_socket pig=4360 comm=syz-executor2
sock: sock_set_timeout: `syz-executor7' (pid 4361) tries to set negative timeout
device lo left promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
sock: sock_set_timeout: `syz-executor7' (pid 4383) tries to set negative timeout
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65535 sclass=netlink_route_socket pig=4382 comm=syz-executor2
device lo entered promiscuous mode
device lo entered promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
device lo left promiscuous mode
IPVS: Creating netns size=2536 id=11