netlink: 'syz-executor.2': attribute type 2 has an invalid length. overlayfs: missing 'lowerdir' overlayfs: filesystem on './file0' not supported as upperdir ================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:193 [inline] BUG: KASAN: use-after-free in lockdep_register_key+0x3b9/0x490 kernel/locking/lockdep.c:1023 Read of size 8 at addr ffff88805bfb4e58 by task syz-executor.4/8820 CPU: 1 PID: 8820 Comm: syz-executor.4 Not tainted 5.0.0+ #14 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 __read_once_size include/linux/compiler.h:193 [inline] lockdep_register_key+0x3b9/0x490 kernel/locking/lockdep.c:1023 wq_init_lockdep kernel/workqueue.c:3444 [inline] alloc_workqueue+0x427/0xe70 kernel/workqueue.c:4263 xfs_init_mount_workqueues+0x20c/0x660 fs/xfs/xfs_super.c:856 xfs_fs_fill_super+0x749/0x1670 fs/xfs/xfs_super.c:1658 mount_bdev+0x307/0x3c0 fs/super.c:1159 xfs_fs_mount+0x35/0x40 fs/xfs/xfs_super.c:1834 mount_fs+0x106/0x3ff fs/super.c:1258 vfs_kern_mount.part.0+0x6f/0x410 fs/namespace.c:959 vfs_kern_mount fs/namespace.c:949 [inline] do_new_mount fs/namespace.c:2515 [inline] do_mount+0x581/0x2d30 fs/namespace.c:2847 ksys_mount+0xdb/0x150 fs/namespace.c:3063 __do_sys_mount fs/namespace.c:3077 [inline] __se_sys_mount fs/namespace.c:3074 [inline] __x64_sys_mount+0xbe/0x150 fs/namespace.c:3074 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45a99a Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 2d 8e fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 0a 8e fb ff c3 66 0f 1f 84 00 00 00 00 00 RSP: 002b:00007f692d2afa88 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f692d2afb30 RCX: 000000000045a99a RDX: 00007f692d2afad0 RSI: 0000000020000400 RDI: 00007f692d2afaf0 RBP: 0000000020000400 R08: 00007f692d2afb30 R09: 00007f692d2afad0 R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000003 R13: 0000000000000000 R14: 00000000004dbee0 R15: 00000000ffffffff Allocated by task 30545: save_stack+0x45/0xd0 mm/kasan/common.c:75 set_track mm/kasan/common.c:87 [inline] __kasan_kmalloc mm/kasan/common.c:497 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:511 kmem_cache_alloc_trace+0x151/0x760 mm/slab.c:3621 kmalloc include/linux/slab.h:545 [inline] kzalloc include/linux/slab.h:740 [inline] tomoyo_find_next_domain+0xe4/0x1f8a security/tomoyo/domain.c:708 tomoyo_bprm_check_security security/tomoyo/tomoyo.c:107 [inline] tomoyo_bprm_check_security+0x12a/0x1b0 security/tomoyo/tomoyo.c:97 security_bprm_check+0x69/0xb0 security/security.c:751 search_binary_handler+0x77/0x570 fs/exec.c:1644 exec_binprm fs/exec.c:1698 [inline] __do_execve_file.isra.0+0x1394/0x23f0 fs/exec.c:1818 do_execveat_common fs/exec.c:1865 [inline] do_execve fs/exec.c:1882 [inline] __do_sys_execve fs/exec.c:1958 [inline] __se_sys_execve fs/exec.c:1953 [inline] __x64_sys_execve+0x8f/0xc0 fs/exec.c:1953 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 30545: save_stack+0x45/0xd0 mm/kasan/common.c:75 set_track mm/kasan/common.c:87 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459 __cache_free mm/slab.c:3498 [inline] kfree+0xcf/0x230 mm/slab.c:3821 tomoyo_find_next_domain+0x776/0x1f8a security/tomoyo/domain.c:880 tomoyo_bprm_check_security security/tomoyo/tomoyo.c:107 [inline] tomoyo_bprm_check_security+0x12a/0x1b0 security/tomoyo/tomoyo.c:97 security_bprm_check+0x69/0xb0 security/security.c:751 search_binary_handler+0x77/0x570 fs/exec.c:1644 exec_binprm fs/exec.c:1698 [inline] __do_execve_file.isra.0+0x1394/0x23f0 fs/exec.c:1818 do_execveat_common fs/exec.c:1865 [inline] do_execve fs/exec.c:1882 [inline] __do_sys_execve fs/exec.c:1958 [inline] __se_sys_execve fs/exec.c:1953 [inline] __x64_sys_execve+0x8f/0xc0 fs/exec.c:1953 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff88805bfb4d40 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 280 bytes inside of 512-byte region [ffff88805bfb4d40, ffff88805bfb4f40) The buggy address belongs to the page: page:ffffea00016fed00 count:1 mapcount:0 mapping:ffff88812c3f0940 index:0xffff88805bfb4d40 flags: 0x1fffc0000000200(slab) raw: 01fffc0000000200 ffffea0002992288 ffffea0002913648 ffff88812c3f0940 raw: ffff88805bfb4d40 ffff88805bfb40c0 0000000100000004 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88805bfb4d00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff88805bfb4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88805bfb4e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88805bfb4e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88805bfb4f00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ==================================================================