================================================================== BUG: KASAN: use-after-free in take_option security/selinux/hooks.c:2619 [inline] BUG: KASAN: use-after-free in selinux_sb_copy_data+0x1cd/0x380 security/selinux/hooks.c:2674 Write of size 10 at addr ffff8801cb208000 by task syz-executor3/7797 CPU: 0 PID: 7797 Comm: syz-executor3 Not tainted 4.9.120-gf85543b #76 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a2df74c8 ffffffff81eb8049 ffffea00072c8200 ffff8801cb208000 0000000000000001 ffff8801cb208000 000000000000000a ffff8801a2df7500 ffffffff8156ab7f ffff8801cb208000 000000000000000a 0000000000000001 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] print_address_description+0x6c/0x234 mm/kasan/report.c:256 [] kasan_report_error mm/kasan/report.c:355 [inline] [] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412 [] check_memory_region_inline mm/kasan/kasan.c:318 [inline] [] check_memory_region+0x14f/0x1b0 mm/kasan/kasan.c:325 [] memcpy+0x37/0x50 mm/kasan/kasan.c:361 [] take_option security/selinux/hooks.c:2619 [inline] [] selinux_sb_copy_data+0x1cd/0x380 security/selinux/hooks.c:2674 [] security_sb_copy_data+0x7b/0xb0 security/security.c:283 [] parse_security_options+0x36/0x90 fs/btrfs/super.c:1493 [] btrfs_mount+0x2f3/0x2bc0 fs/btrfs/super.c:1572 [] mount_fs+0x28c/0x370 fs/super.c:1206 [] vfs_kern_mount.part.29+0xd1/0x3d0 fs/namespace.c:1000 [] vfs_kern_mount+0x40/0x60 fs/namespace.c:982 [] mount_subvol fs/btrfs/super.c:1395 [inline] [] btrfs_mount+0x40b/0x2bc0 fs/btrfs/super.c:1566 [] mount_fs+0x28c/0x370 fs/super.c:1206 [] vfs_kern_mount.part.29+0xd1/0x3d0 fs/namespace.c:1000 [] vfs_kern_mount fs/namespace.c:982 [inline] [] do_new_mount fs/namespace.c:2537 [inline] [] do_mount+0x3c9/0x2740 fs/namespace.c:2859 [] SYSC_mount fs/namespace.c:3075 [inline] [] SyS_mount+0xfe/0x110 fs/namespace.c:3052 [] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282 [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb The buggy address belongs to the page: page:ffffea00072c8200 count:0 mapcount:-127 mapping: (null) index:0xffff8801cb209f80 flags: 0x8000000000000000() page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801cb207f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801cb207f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8801cb208000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8801cb208080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801cb208100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================