RBP: 000000000076bfa0 R08: ffffffffffffffff R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005
R13: 0000000000000074 R14: 00000000004c3103 R15: 000000000000003d
==================================================================
BUG: KASAN: use-after-free in put_pid_ns+0x75/0x80 kernel/pid_namespace.c:202
Read of size 8 at addr ffff888092c5aa38 by task syz-executor.2/15870

CPU: 0 PID: 15870 Comm: syz-executor.2 Not tainted 4.14.174-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x13e/0x194 lib/dump_stack.c:58
 print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
 put_pid_ns+0x75/0x80 kernel/pid_namespace.c:202
 free_nsproxy+0xf7/0x1f0 kernel/nsproxy.c:182
 switch_task_namespaces+0x8f/0xb0 kernel/nsproxy.c:229
 copy_process.part.0+0x3c67/0x6a70 kernel/fork.c:1971
 copy_process kernel/fork.c:1586 [inline]
 _do_fork+0x180/0xc80 kernel/fork.c:2070
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45c849
RSP: 002b:00007f6efb2eec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007f6efb2ef6d4 RCX: 000000000045c849
RDX: 9999999999999999 RSI: 0000000000000000 RDI: 0000000030120100
RBP: 000000000076bfa0 R08: ffffffffffffffff R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005
R13: 0000000000000074 R14: 00000000004c3103 R15: 000000000000003d

Allocated by task 15870:
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
 kmem_cache_alloc+0x127/0x770 mm/slab.c:3552
 kmem_cache_zalloc include/linux/slab.h:651 [inline]
 create_pid_namespace kernel/pid_namespace.c:116 [inline]
 copy_pid_ns+0x1b2/0xa70 kernel/pid_namespace.c:186
 create_new_namespaces+0x25f/0x730 kernel/nsproxy.c:94
 copy_namespaces+0x27b/0x310 kernel/nsproxy.c:165
 copy_process.part.0+0x2603/0x6a70 kernel/fork.c:1774
 copy_process kernel/fork.c:1586 [inline]
 _do_fork+0x180/0xc80 kernel/fork.c:2070
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 0:
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
 __rcu_reclaim kernel/rcu/rcu.h:195 [inline]
 rcu_do_batch kernel/rcu/tree.c:2699 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
 rcu_process_callbacks+0x792/0x1190 kernel/rcu/tree.c:2946
 __do_softirq+0x254/0x9bf kernel/softirq.c:288

The buggy address belongs to the object at ffff888092c5a200
 which belongs to the cache pid_namespace of size 2264
The buggy address is located 2104 bytes inside of
 2264-byte region [ffff888092c5a200, ffff888092c5aad8)
The buggy address belongs to the page:
page:ffffea00024b1680 count:1 mapcount:0 mapping:ffff888092c5a200 index:0xffff888092c5ab58 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff888092c5a200 ffff888092c5ab58 0000000100000002
raw: ffffea000153c320 ffffea0001663b20 ffff8880a6466680 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888092c5a900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888092c5a980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888092c5aa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff888092c5aa80: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
 ffff888092c5ab00: fc fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb
==================================================================

Unrelated fault-injection trace from CPU 1 (task syz-executor.3/15882) that was interleaved with the report above in the console output; it is shown here de-interleaved and ends where the captured log ends:

FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 15882 Comm: syz-executor.3 Not tainted 4.14.174-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x13e/0x194 lib/dump_stack.c:58
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold+0x10a/0x14b lib/fault-inject.c:149
 should_failslab+0xd6/0x130 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:421 [inline]
 slab_alloc mm/slab.c:3376 [inline]
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x2e9/0x7c0 mm/slab.c:3729
 kmalloc include/linux/slab.h:493 [inline]
 kzalloc include/linux/slab.h:661 [inline]
 register_shrinker+0xb8/0x210 mm/vmscan.c:284
 sget_userns+0x9c5/0xc30 fs/super.c:535
 mount_ns+0x65/0x180 fs/super.c:1044
 mount_fs+0x92/0x2a0 fs/super.c:1237
 vfs_kern_mount.part.0+0x5b/0x3c0 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 kern_mount_data+0x51/0xb0 fs/namespace.c:3329
 pid_ns_prepare_proc+0x1a/0x80 fs/proc/root.c:222
 alloc_pid+0x9be/0xc40 kernel/pid.c:324
 copy_process.part.0+0x272f/0x6a70 kernel/fork.c:1785
 copy_process kernel/fork.c:1586 [inline]
 _do_fork+0x180/0xc80 kernel/fork.c:2070