bisecting cause commit starting from ef78e5ec9214376c5cb989f5da70b02d0c117b66 building syzkaller on 4b6d14f266bcae8f1856f987c2194f36eadef83b testing commit ef78e5ec9214376c5cb989f5da70b02d0c117b66 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in link_path_walk run #1: crashed: KASAN: use-after-free Read in link_path_walk run #2: crashed: KASAN: use-after-free Read in trailing_symlink run #3: crashed: KASAN: use-after-free Read in link_path_walk run #4: crashed: KASAN: use-after-free Read in link_path_walk run #5: crashed: KASAN: use-after-free Read in link_path_walk run #6: crashed: KASAN: use-after-free Read in link_path_walk run #7: crashed: KASAN: use-after-free Read in trailing_symlink run #8: crashed: KASAN: use-after-free Read in link_path_walk run #9: crashed: KASAN: use-after-free Read in link_path_walk testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in link_path_walk run #1: crashed: KASAN: use-after-free Read in trailing_symlink run #2: crashed: KASAN: use-after-free Read in link_path_walk run #3: crashed: KASAN: use-after-free Read in link_path_walk run #4: crashed: KASAN: use-after-free Read in link_path_walk run #5: crashed: KASAN: use-after-free Read in trailing_symlink run #6: crashed: KASAN: use-after-free Read in trailing_symlink run #7: crashed: KASAN: use-after-free Read in link_path_walk run #8: crashed: KASAN: use-after-free Read in link_path_walk run #9: crashed: KASAN: use-after-free Read in link_path_walk testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in trailing_symlink run #1: crashed: KASAN: use-after-free Read in link_path_walk run #2: crashed: KASAN: use-after-free Read in trailing_symlink run #3: crashed: KASAN: use-after-free Read in trailing_symlink run #4: crashed: KASAN: use-after-free Read in trailing_symlink run #5: 
crashed: KASAN: use-after-free Read in trailing_symlink run #6: crashed: KASAN: use-after-free Read in link_path_walk run #7: crashed: KASAN: use-after-free Read in trailing_symlink run #8: crashed: KASAN: use-after-free Read in link_path_walk run #9: crashed: KASAN: use-after-free Read in link_path_walk testing release v4.17 testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in trailing_symlink run #1: crashed: KASAN: use-after-free Read in trailing_symlink run #2: crashed: KASAN: use-after-free Read in trailing_symlink run #3: crashed: KASAN: use-after-free Read in link_path_walk run #4: crashed: KASAN: use-after-free Read in trailing_symlink run #5: crashed: KASAN: use-after-free Read in link_path_walk run #6: crashed: KASAN: use-after-free Read in trailing_symlink run #7: crashed: KASAN: use-after-free Read in link_path_walk run #8: crashed: KASAN: use-after-free Read in link_path_walk run #9: crashed: KASAN: use-after-free Read in link_path_walk testing release v4.16 testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in link_path_walk run #1: crashed: KASAN: use-after-free Read in trailing_symlink run #2: crashed: KASAN: use-after-free Read in link_path_walk run #3: crashed: KASAN: use-after-free Read in link_path_walk run #4: crashed: KASAN: use-after-free Read in link_path_walk run #5: crashed: KASAN: use-after-free Read in link_path_walk run #6: crashed: KASAN: use-after-free Read in link_path_walk run #7: crashed: KASAN: use-after-free Read in trailing_symlink run #8: crashed: KASAN: use-after-free Read in link_path_walk run #9: crashed: KASAN: use-after-free Read in link_path_walk testing release v4.15 testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in link_path_walk run #1: crashed: KASAN: use-after-free Read in trailing_symlink run #2: crashed: 
KASAN: use-after-free Read in trailing_symlink run #3: crashed: KASAN: use-after-free Read in trailing_symlink run #4: crashed: KASAN: use-after-free Read in trailing_symlink run #5: crashed: KASAN: use-after-free Read in link_path_walk run #6: crashed: KASAN: use-after-free Read in link_path_walk run #7: crashed: KASAN: use-after-free Read in link_path_walk run #8: crashed: KASAN: use-after-free Read in trailing_symlink run #9: crashed: KASAN: use-after-free Read in link_path_walk testing release v4.14 testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in link_path_walk run #1: crashed: KASAN: use-after-free Read in trailing_symlink run #2: crashed: KASAN: use-after-free Read in link_path_walk run #3: crashed: KASAN: use-after-free Read in link_path_walk run #4: crashed: KASAN: use-after-free Read in link_path_walk run #5: crashed: KASAN: use-after-free Read in trailing_symlink run #6: crashed: KASAN: use-after-free Read in trailing_symlink run #7: crashed: KASAN: use-after-free Read in link_path_walk run #8: crashed: KASAN: use-after-free Read in trailing_symlink run #9: crashed: KASAN: use-after-free Read in trailing_symlink testing release v4.13 testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in link_path_walk run #1: crashed: KASAN: use-after-free Read in link_path_walk run #2: crashed: KASAN: use-after-free Read in trailing_symlink run #3: crashed: KASAN: use-after-free Read in trailing_symlink run #4: crashed: KASAN: use-after-free Read in trailing_symlink run #5: crashed: KASAN: use-after-free Read in trailing_symlink run #6: crashed: KASAN: use-after-free Read in link_path_walk run #7: crashed: KASAN: use-after-free Read in trailing_symlink run #8: crashed: KASAN: use-after-free Read in trailing_symlink run #9: crashed: KASAN: use-after-free Read in trailing_symlink testing release v4.12 testing commit 
6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in link_path_walk run #1: crashed: KASAN: use-after-free Read in trailing_symlink run #2: crashed: KASAN: use-after-free Read in trailing_symlink run #3: crashed: KASAN: use-after-free Read in link_path_walk run #4: crashed: KASAN: use-after-free Read in link_path_walk run #5: crashed: KASAN: use-after-free Read in link_path_walk run #6: crashed: KASAN: use-after-free Read in link_path_walk run #7: crashed: KASAN: use-after-free Read in link_path_walk run #8: crashed: KASAN: use-after-free Read in link_path_walk run #9: crashed: KASAN: use-after-free Read in link_path_walk testing release v4.11 testing commit a351e9b9fc24e982ec2f0e76379a49826036da12 with gcc (GCC) 7.3.0 run #0: crashed: KASAN: use-after-free Read in link_path_walk run #1: crashed: KASAN: use-after-free Read in link_path_walk run #2: crashed: KASAN: use-after-free Read in link_path_walk run #3: crashed: KASAN: use-after-free Read in trailing_symlink run #4: crashed: KASAN: use-after-free Read in trailing_symlink run #5: crashed: KASAN: use-after-free Read in link_path_walk run #6: crashed: KASAN: use-after-free Read in trailing_symlink run #7: crashed: KASAN: use-after-free Read in trailing_symlink run #8: crashed: KASAN: use-after-free Read in link_path_walk run #9: crashed: KASAN: use-after-free Read in link_path_walk testing release v4.10 testing commit c470abd4fde40ea6a0846a2beab642a578c0b8cd with gcc (GCC) 5.5.0 run #0: crashed: KASAN: use-after-free Read in link_path_walk run #1: crashed: KASAN: use-after-free Read in trailing_symlink run #2: crashed: KASAN: use-after-free Read in link_path_walk run #3: crashed: KASAN: use-after-free Read in link_path_walk run #4: crashed: KASAN: use-after-free Read in link_path_walk run #5: crashed: KASAN: use-after-free Read in trailing_symlink run #6: crashed: KASAN: use-after-free Read in link_path_walk run #7: crashed: KASAN: use-after-free Read in 
link_path_walk run #8: crashed: KASAN: use-after-free Read in link_path_walk run #9: crashed: KASAN: use-after-free Read in link_path_walk testing release v4.9 testing commit 69973b830859bc6529a7a0468ba0d80ee5117826 with gcc (GCC) 5.5.0 all runs: OK # git bisect start v4.10 v4.9 Bisecting: 7099 revisions left to test after this (roughly 13 steps) [f4000cd99750065d5177555c0a805c97174d1b9f] Merge tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux testing commit f4000cd99750065d5177555c0a805c97174d1b9f with gcc (GCC) 5.5.0 run #0: OK run #1: crashed: KASAN: use-after-free Read in path_lookupat run #2: crashed: KASAN: use-after-free Read in link_path_walk run #3: crashed: KASAN: use-after-free Read in trailing_symlink run #4: crashed: KASAN: use-after-free Read in trailing_symlink run #5: crashed: KASAN: use-after-free Read in trailing_symlink run #6: crashed: KASAN: use-after-free Read in trailing_symlink run #7: crashed: KASAN: use-after-free Read in link_path_walk run #8: crashed: KASAN: use-after-free Read in trailing_symlink run #9: crashed: KASAN: use-after-free Read in link_path_walk # git bisect bad f4000cd99750065d5177555c0a805c97174d1b9f Bisecting: 3731 revisions left to test after this (roughly 12 steps) [7079efc9d3e7f1f7cdd34082ec58209026315057] Merge tag 'fbdev-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linux testing commit 7079efc9d3e7f1f7cdd34082ec58209026315057 with gcc (GCC) 5.5.0 run #0: crashed: KASAN: use-after-free Read in link_path_walk run #1: crashed: KASAN: use-after-free Read in link_path_walk run #2: crashed: KASAN: use-after-free Read in trailing_symlink run #3: crashed: KASAN: use-after-free Read in link_path_walk run #4: crashed: KASAN: use-after-free Read in trailing_symlink run #5: crashed: KASAN: use-after-free Read in trailing_symlink run #6: crashed: KASAN: use-after-free Read in link_path_walk run #7: crashed: KASAN: use-after-free Read in link_path_walk run #8: crashed: KASAN: 
use-after-free Read in link_path_walk run #9: crashed: KASAN: use-after-free Read in trailing_symlink # git bisect bad 7079efc9d3e7f1f7cdd34082ec58209026315057 Bisecting: 1709 revisions left to test after this (roughly 11 steps) [669bb4c58c3091cd54650e37c5f4e345dd12c564] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/egtvedt/linux-avr32 testing commit 669bb4c58c3091cd54650e37c5f4e345dd12c564 with gcc (GCC) 5.5.0 run #0: crashed: KASAN: use-after-free Read in link_path_walk run #1: crashed: KASAN: use-after-free Read in link_path_walk run #2: crashed: KASAN: use-after-free Read in link_path_walk run #3: crashed: KASAN: use-after-free Read in link_path_walk run #4: crashed: KASAN: use-after-free Read in link_path_walk run #5: crashed: KASAN: use-after-free Read in trailing_symlink run #6: crashed: KASAN: use-after-free Read in link_path_walk run #7: crashed: KASAN: use-after-free Read in link_path_walk run #8: crashed: KASAN: use-after-free Read in link_path_walk run #9: crashed: KASAN: use-after-free Read in link_path_walk # git bisect bad 669bb4c58c3091cd54650e37c5f4e345dd12c564 Bisecting: 852 revisions left to test after this (roughly 10 steps) [7a8bca043cf1bb0433aa43d008b6c4de6c07d6a2] Merge branch 'sfc-tso-v2' testing commit 7a8bca043cf1bb0433aa43d008b6c4de6c07d6a2 with gcc (GCC) 5.5.0 run #0: crashed: KASAN: use-after-free Read in link_path_walk run #1: crashed: KASAN: use-after-free Read in link_path_walk run #2: crashed: KASAN: use-after-free Read in link_path_walk run #3: crashed: KASAN: use-after-free Read in link_path_walk run #4: crashed: KASAN: use-after-free Read in link_path_walk run #5: crashed: KASAN: use-after-free Read in link_path_walk run #6: crashed: KASAN: use-after-free Read in trailing_symlink run #7: crashed: KASAN: use-after-free Read in link_path_walk run #8: crashed: KASAN: use-after-free Read in link_path_walk run #9: crashed: KASAN: use-after-free Read in trailing_symlink # git bisect bad 
7a8bca043cf1bb0433aa43d008b6c4de6c07d6a2 Bisecting: 424 revisions left to test after this (roughly 9 steps) [4cb551a100bcd7cbe810c57ae551bf89312bc0d3] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next testing commit 4cb551a100bcd7cbe810c57ae551bf89312bc0d3 with gcc (GCC) 5.5.0 run #0: crashed: KASAN: use-after-free Read in link_path_walk run #1: crashed: KASAN: use-after-free Read in trailing_symlink run #2: crashed: KASAN: use-after-free Read in link_path_walk run #3: crashed: KASAN: use-after-free Read in link_path_walk run #4: crashed: KASAN: use-after-free Read in trailing_symlink run #5: crashed: KASAN: use-after-free Read in link_path_walk run #6: crashed: KASAN: use-after-free Read in link_path_walk run #7: crashed: KASAN: use-after-free Read in link_path_walk run #8: crashed: KASAN: use-after-free Read in link_path_walk run #9: crashed: KASAN: use-after-free Read in trailing_symlink # git bisect bad 4cb551a100bcd7cbe810c57ae551bf89312bc0d3 Bisecting: 214 revisions left to test after this (roughly 8 steps) [c17ef430b9fd5f58074f5cdc0128d06a5ae92304] i40e: Fix bit logic error in failure case testing commit c17ef430b9fd5f58074f5cdc0128d06a5ae92304 with gcc (GCC) 5.5.0 all runs: OK # git bisect good c17ef430b9fd5f58074f5cdc0128d06a5ae92304 Bisecting: 100 revisions left to test after this (roughly 7 steps) [0a6ce1e3c1ab71c7b889fae3359c9c3ff3a43aab] Merge tag 'shared-for-4.10-1' of git://git.kernel.org/pub/scm/linux/kernel/git/leon/linux-rdma testing commit 0a6ce1e3c1ab71c7b889fae3359c9c3ff3a43aab with gcc (GCC) 5.5.0 all runs: OK # git bisect good 0a6ce1e3c1ab71c7b889fae3359c9c3ff3a43aab Bisecting: 49 revisions left to test after this (roughly 6 steps) [c5870942fc20a879ba47e23d6a18a2d0b7b02c7c] Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue testing commit c5870942fc20a879ba47e23d6a18a2d0b7b02c7c with gcc (GCC) 5.5.0 run #0: crashed: KASAN: use-after-free Read in link_path_walk run #1: crashed: KASAN: 
use-after-free Read in trailing_symlink run #2: crashed: KASAN: use-after-free Read in trailing_symlink run #3: crashed: KASAN: use-after-free Read in link_path_walk run #4: crashed: KASAN: use-after-free Read in link_path_walk run #5: crashed: KASAN: use-after-free Read in link_path_walk run #6: crashed: KASAN: use-after-free Read in trailing_symlink run #7: crashed: KASAN: use-after-free Read in trailing_symlink run #8: crashed: KASAN: use-after-free Read in link_path_walk run #9: crashed: KASAN: use-after-free Read in link_path_walk # git bisect bad c5870942fc20a879ba47e23d6a18a2d0b7b02c7c Bisecting: 24 revisions left to test after this (roughly 5 steps) [17a032b7bfc0997682923509b70f9466940124bb] Merge branch 'bridge-PIM-hello' testing commit 17a032b7bfc0997682923509b70f9466940124bb with gcc (GCC) 5.5.0 run #0: crashed: KASAN: use-after-free Read in trailing_symlink run #1: crashed: KASAN: use-after-free Read in link_path_walk run #2: crashed: KASAN: use-after-free Read in link_path_walk run #3: crashed: KASAN: use-after-free Read in link_path_walk run #4: crashed: KASAN: use-after-free Read in trailing_symlink run #5: crashed: KASAN: use-after-free Read in link_path_walk run #6: crashed: KASAN: use-after-free Read in link_path_walk run #7: crashed: KASAN: use-after-free Read in link_path_walk run #8: crashed: KASAN: use-after-free Read in link_path_walk run #9: crashed: KASAN: use-after-free Read in link_path_walk # git bisect bad 17a032b7bfc0997682923509b70f9466940124bb Bisecting: 12 revisions left to test after this (roughly 4 steps) [89d9123e8ee28cb380ce5532038e89fc19471a77] solos-pci: use permission-specific DEVICE_ATTR variants testing commit 89d9123e8ee28cb380ce5532038e89fc19471a77 with gcc (GCC) 5.5.0 run #0: crashed: KASAN: use-after-free Read in link_path_walk run #1: crashed: KASAN: use-after-free Read in link_path_walk run #2: crashed: KASAN: use-after-free Read in link_path_walk run #3: crashed: KASAN: use-after-free Read in link_path_walk run #4: 
crashed: KASAN: use-after-free Read in link_path_walk run #5: crashed: KASAN: use-after-free Read in link_path_walk run #6: crashed: KASAN: use-after-free Read in link_path_walk run #7: crashed: KASAN: use-after-free Read in link_path_walk run #8: crashed: KASAN: use-after-free Read in trailing_symlink run #9: crashed: KASAN: use-after-free Read in link_path_walk # git bisect bad 89d9123e8ee28cb380ce5532038e89fc19471a77 Bisecting: 6 revisions left to test after this (roughly 3 steps) [8d059b0f6f5b1d3acf829454e1087818ad660058] net: Add sysfs value to determine queue traffic class testing commit 8d059b0f6f5b1d3acf829454e1087818ad660058 with gcc (GCC) 5.5.0 all runs: OK # git bisect good 8d059b0f6f5b1d3acf829454e1087818ad660058 Bisecting: 3 revisions left to test after this (roughly 2 steps) [04f762e8f2e5e0605331871e382a68c6550f4d4f] Merge branch 'xps-DCB' testing commit 04f762e8f2e5e0605331871e382a68c6550f4d4f with gcc (GCC) 5.5.0 all runs: OK # git bisect good 04f762e8f2e5e0605331871e382a68c6550f4d4f Bisecting: 1 revision left to test after this (roughly 1 step) [0f98621bef5d2b7ad41f6595899660af344f5016] bpf, inode: add support for symlinks and fix mtime/ctime testing commit 0f98621bef5d2b7ad41f6595899660af344f5016 with gcc (GCC) 5.5.0 run #0: crashed: KASAN: use-after-free Read in link_path_walk run #1: crashed: KASAN: use-after-free Read in trailing_symlink run #2: crashed: KASAN: use-after-free Read in link_path_walk run #3: crashed: KASAN: use-after-free Read in link_path_walk run #4: crashed: KASAN: use-after-free Read in trailing_symlink run #5: crashed: KASAN: use-after-free Read in link_path_walk run #6: crashed: KASAN: use-after-free Read in link_path_walk run #7: crashed: KASAN: use-after-free Read in link_path_walk run #8: crashed: KASAN: use-after-free Read in link_path_walk run #9: crashed: KASAN: use-after-free Read in trailing_symlink # git bisect bad 0f98621bef5d2b7ad41f6595899660af344f5016 Bisecting: 0 revisions left to test after this (roughly 0 
steps) [8778b276645bb156b00d72275541a4e4b188d6dc] ldmvsw: tx queue stuck in stopped state after LDC reset testing commit 8778b276645bb156b00d72275541a4e4b188d6dc with gcc (GCC) 5.5.0 all runs: OK # git bisect good 8778b276645bb156b00d72275541a4e4b188d6dc 0f98621bef5d2b7ad41f6595899660af344f5016 is the first bad commit commit 0f98621bef5d2b7ad41f6595899660af344f5016 Author: Daniel Borkmann Date: Sat Oct 29 02:30:46 2016 +0200 bpf, inode: add support for symlinks and fix mtime/ctime While commit bb35a6ef7da4 ("bpf, inode: allow for rename and link ops") added support for hard links that can be used for prog and map nodes, this work adds simple symlink support, which can be used f.e. for directories also when unpriviledged and works with cmdline tooling that understands S_IFLNK anyway. Since the switch in e27f4a942a0e ("bpf: Use mount_nodev not mount_ns to mount the bpf filesystem"), there can be various mount instances with mount_nodev() and thus hierarchy can be flattened to facilitate object sharing. Thus, we can keep bpf tooling also working by repointing paths. Most of the functionality can be used from vfs library operations. The symlink is stored in the inode itself, that is in i_link, which is sufficient in our case as opposed to storing it in the page cache. While at it, I noticed that bpf_mkdir() and bpf_mkobj() don't update the directories mtime and ctime, so add a common helper for it called bpf_dentry_finalize() that takes care of it for all cases now. Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Signed-off-by: David S. 
Miller kernel/bpf/inode.c | 45 +++++++++++++++++++++++++++++++++++++++------ 1 file changed, 39 insertions(+), 6 deletions(-) revisions tested: 26, total time: 4h12m52.489261525s (build: 1h57m54.25553356s, test: 2h9m19.424447106s) first bad commit: 0f98621bef5d2b7ad41f6595899660af344f5016 bpf, inode: add support for symlinks and fix mtime/ctime (Reviewer note: the KASAN reports below show the symlink target string being kstrdup()'d in bpf_symlink() (kernel/bpf/inode.c:198) and kfree()'d in bpf_evict_inode() (kernel/bpf/inode.c:359) by an unlink() in a different task (PID 14741), while the path walk inside the mount() call of task 14737 is still reading it through get_link()/trailing_symlink(). The string's lifetime is therefore tied to inode eviction rather than to the lookup dereferencing it; that pattern is consistent with a lockless path walk still holding a pointer to an already-evicted inode's i_link, so the free would need to be deferred until such readers are done — to be confirmed against kernel/bpf/inode.c, which is not shown here.) cc: ["ast@kernel.org" "daniel@iogearbox.net" "davem@davemloft.net" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org"] crash: KASAN: use-after-free Read in trailing_symlink 8021q: adding VLAN 0 to HW filter on device team0 8021q: adding VLAN 0 to HW filter on device team0 ================================================================== BUG: KASAN: use-after-free in get_link fs/namei.c:1048 [inline] at addr ffff88005d723540 BUG: KASAN: use-after-free in trailing_symlink+0x768/0x780 fs/namei.c:2241 at addr ffff88005d723540 Read of size 1 by task syz-executor0/14737 CPU: 1 PID: 14737 Comm: syz-executor0 Not tainted 4.9.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 ffff88004c7afaa8 ffffffff82aa3bb6 ffff88006c000100 ffff88005d723540 ffff88005d723560 ffff88004c7afc88 ffff88004c7afad0 ffffffff8177725c ffff88004c7afb60 ffff88005d723540 ffff88004c7afca8 ffff88004c7afb50 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1b0/0x480 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load1_noabort+0x3e/0x40 mm/kasan/report.c:321 [] get_link fs/namei.c:1048 [inline] [] trailing_symlink+0x768/0x780 fs/namei.c:2241 [] path_lookupat+0x13c/0x410 fs/namei.c:2269 [] filename_lookup+0x166/0x350 fs/namei.c:2302 [] user_path_at_empty+0x31/0x40 fs/namei.c:2556 [] user_path include/linux/namei.h:60 [inline] [] do_mount+0xfc/0x2a90 fs/namespace.c:2703 [] SYSC_mount 
fs/namespace.c:2974 [inline] [] SyS_mount+0x90/0xd0 fs/namespace.c:2951 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff88005d723540, in cache kmalloc-32 size: 32 Allocated: PID = 14740 [ 131.893001] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [ 131.895270] [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495 [ 131.897378] [] set_track mm/kasan/kasan.c:507 [inline] [ 131.897378] [] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 [ 131.899042] [] __do_kmalloc mm/slab.c:3733 [inline] [ 131.899042] [] __kmalloc_track_caller+0x185/0x760 mm/slab.c:3748 [ 131.900910] [] kstrdup+0x2c/0x50 mm/util.c:53 [ 131.902870] [] bpf_symlink+0x20/0x110 kernel/bpf/inode.c:198 [ 131.904836] [] vfs_symlink+0x31e/0x520 fs/namei.c:4085 [ 131.906366] [] SYSC_symlinkat fs/namei.c:4112 [inline] [ 131.906366] [] SyS_symlinkat fs/namei.c:4092 [inline] [ 131.906366] [] SYSC_symlink fs/namei.c:4125 [inline] [ 131.906366] [] SyS_symlink+0x165/0x1d0 fs/namei.c:4123 [ 131.908548] [] entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 14741 [ 131.911046] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [ 131.912321] [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495 [ 131.914228] [] set_track mm/kasan/kasan.c:507 [inline] [ 131.914228] [] kasan_slab_free+0x70/0xb0 mm/kasan/kasan.c:571 [ 131.916273] [] __cache_free mm/slab.c:3511 [inline] [ 131.916273] [] kfree+0xcf/0x2c0 mm/slab.c:3828 [ 131.918108] [] bpf_evict_inode+0xe8/0x120 kernel/bpf/inode.c:359 [ 131.919749] [] evict+0x203/0x470 fs/inode.c:553 [ 131.920913] [] iput_final fs/inode.c:1515 [inline] [ 131.920913] [] iput+0x56b/0x880 fs/inode.c:1542 [ 131.922046] [] do_unlinkat+0x30b/0x640 fs/namei.c:4027 [ 131.923335] [] SYSC_unlink fs/namei.c:4068 [inline] [ 131.923335] [] SyS_unlink+0x11/0x20 fs/namei.c:4066 [ 131.924531] [] entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff88005d723400: 00 01 fc fc fc fc fc fc fb fb fb fb fc fc fc fc ffff88005d723480: 00 00 01 fc fc fc fc fc 00 00 01 fc fc fc fc fc 
>ffff88005d723500: 00 02 fc fc fc fc fc fc fb fb fb fb fc fc fc fc ^ ffff88005d723580: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc ffff88005d723600: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: use-after-free in link_path_walk+0x1438/0x1760 fs/namei.c:2043 at addr ffff88005d723540 Read of size 1 by task syz-executor0/14737 CPU: 1 PID: 14737 Comm: syz-executor0 Tainted: G B 4.9.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 ffff88004c7afa00 ffffffff82aa3bb6 ffff88006c000100 ffff88005d723540 ffff88005d723560 ffff88004c7afc94 ffff88004c7afa28 ffffffff8177725c ffff88004c7afab8 ffff88005d723540 ffffed00098f5f92 ffff88004c7afaa8 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1b0/0x480 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load1_noabort+0x3e/0x40 mm/kasan/report.c:321 [] link_path_walk+0x1438/0x1760 fs/namei.c:2043 [] path_lookupat+0x14f/0x410 fs/namei.c:2267 [] filename_lookup+0x166/0x350 fs/namei.c:2302 [] user_path_at_empty+0x31/0x40 fs/namei.c:2556 [] user_path include/linux/namei.h:60 [inline] [] do_mount+0xfc/0x2a90 fs/namespace.c:2703 [] SYSC_mount fs/namespace.c:2974 [inline] [] SyS_mount+0x90/0xd0 fs/namespace.c:2951 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff88005d723540, in cache kmalloc-32 size: 32 Allocated: PID = 14740 [ 131.999713] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [ 132.001909] [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495 [ 132.003934] [] set_track mm/kasan/kasan.c:507 [inline] [ 132.003934] [] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 [ 132.006110] [] __do_kmalloc mm/slab.c:3733 [inline] 
[ 132.006110] [] __kmalloc_track_caller+0x185/0x760 mm/slab.c:3748 [ 132.008539] [] kstrdup+0x2c/0x50 mm/util.c:53 [ 132.010462] [] bpf_symlink+0x20/0x110 kernel/bpf/inode.c:198 [ 132.013007] [] vfs_symlink+0x31e/0x520 fs/namei.c:4085 [ 132.015107] [] SYSC_symlinkat fs/namei.c:4112 [inline] [ 132.015107] [] SyS_symlinkat fs/namei.c:4092 [inline] [ 132.015107] [] SYSC_symlink fs/namei.c:4125 [inline] [ 132.015107] [] SyS_symlink+0x165/0x1d0 fs/namei.c:4123 [ 132.017262] [] entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 14741 [ 132.020282] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [ 132.021597] [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495 [ 132.023107] [] set_track mm/kasan/kasan.c:507 [inline] [ 132.023107] [] kasan_slab_free+0x70/0xb0 mm/kasan/kasan.c:571 [ 132.024458] [] __cache_free mm/slab.c:3511 [inline] [ 132.024458] [] kfree+0xcf/0x2c0 mm/slab.c:3828 [ 132.025949] [] bpf_evict_inode+0xe8/0x120 kernel/bpf/inode.c:359 [ 132.027619] [] evict+0x203/0x470 fs/inode.c:553 [ 132.028765] [] iput_final fs/inode.c:1515 [inline] [ 132.028765] [] iput+0x56b/0x880 fs/inode.c:1542 [ 132.029832] [] do_unlinkat+0x30b/0x640 fs/namei.c:4027 [ 132.031058] [] SYSC_unlink fs/namei.c:4068 [inline] [ 132.031058] [] SyS_unlink+0x11/0x20 fs/namei.c:4066 [ 132.032322] [] entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff88005d723400: 00 01 fc fc fc fc fc fc fb fb fb fb fc fc fc fc ffff88005d723480: 00 00 01 fc fc fc fc fc 00 00 01 fc fc fc fc fc >ffff88005d723500: 00 02 fc fc fc fc fc fc fb fb fb fb fc fc fc fc ^ ffff88005d723580: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc ffff88005d723600: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: use-after-free in link_path_walk+0xf7d/0x1760 fs/namei.c:2060 at addr ffff88005d723540 Read of size 1 by task syz-executor0/14737 CPU: 1 PID: 14737 
Comm: syz-executor0 Tainted: G B 4.9.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 ffff88004c7afa00 ffffffff82aa3bb6 ffff88006c000100 ffff88005d723540 ffff88005d723560 fefefefefefefeff ffff88004c7afa28 ffffffff8177725c ffff88004c7afab8 ffff88005d723540 ffff88004a4f8580 ffff88004c7afaa8 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1b0/0x480 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load1_noabort+0x3e/0x40 mm/kasan/report.c:321 [] link_path_walk+0xf7d/0x1760 fs/namei.c:2060 [] path_lookupat+0x14f/0x410 fs/namei.c:2267 [] filename_lookup+0x166/0x350 fs/namei.c:2302 [] user_path_at_empty+0x31/0x40 fs/namei.c:2556 [] user_path include/linux/namei.h:60 [inline] [] do_mount+0xfc/0x2a90 fs/namespace.c:2703 [] SYSC_mount fs/namespace.c:2974 [inline] [] SyS_mount+0x90/0xd0 fs/namespace.c:2951 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff88005d723540, in cache kmalloc-32 size: 32 Allocated: PID = 14740 [ 132.083403] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [ 132.084655] [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495 [ 132.085867] [] set_track mm/kasan/kasan.c:507 [inline] [ 132.085867] [] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 [ 132.087326] [] __do_kmalloc mm/slab.c:3733 [inline] [ 132.087326] [] __kmalloc_track_caller+0x185/0x760 mm/slab.c:3748 [ 132.088873] [] kstrdup+0x2c/0x50 mm/util.c:53 [ 132.089909] [] bpf_symlink+0x20/0x110 kernel/bpf/inode.c:198 [ 132.091120] [] vfs_symlink+0x31e/0x520 fs/namei.c:4085 [ 132.092354] [] SYSC_symlinkat fs/namei.c:4112 [inline] [ 132.092354] [] SyS_symlinkat fs/namei.c:4092 [inline] [ 132.092354] [] SYSC_symlink fs/namei.c:4125 [inline] [ 132.092354] [] SyS_symlink+0x165/0x1d0 fs/namei.c:4123 [ 132.093447] [] 
entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 14741 [ 132.095671] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [ 132.096982] [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495 [ 132.098398] [] set_track mm/kasan/kasan.c:507 [inline] [ 132.098398] [] kasan_slab_free+0x70/0xb0 mm/kasan/kasan.c:571 [ 132.100558] [] __cache_free mm/slab.c:3511 [inline] [ 132.100558] [] kfree+0xcf/0x2c0 mm/slab.c:3828 [ 132.101788] [] bpf_evict_inode+0xe8/0x120 kernel/bpf/inode.c:359 [ 132.103057] [] evict+0x203/0x470 fs/inode.c:553 [ 132.104502] [] iput_final fs/inode.c:1515 [inline] [ 132.104502] [] iput+0x56b/0x880 fs/inode.c:1542 [ 132.105771] [] do_unlinkat+0x30b/0x640 fs/namei.c:4027 [ 132.107200] [] SYSC_unlink fs/namei.c:4068 [inline] [ 132.107200] [] SyS_unlink+0x11/0x20 fs/namei.c:4066 [ 132.108675] [] entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff88005d723400: 00 01 fc fc fc fc fc fc fb fb fb fb fc fc fc fc ffff88005d723480: 00 00 01 fc fc fc fc fc 00 00 01 fc fc fc fc fc >ffff88005d723500: 00 02 fc fc fc fc fc fc fb fb fb fb fc fc fc fc ^ ffff88005d723580: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc ffff88005d723600: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: use-after-free in link_path_walk+0x1339/0x1760 fs/namei.c:2088 at addr ffff88005d723544 Read of size 1 by task syz-executor0/14737 CPU: 1 PID: 14737 Comm: syz-executor0 Tainted: G B 4.9.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 ffff88004c7afa00 ffffffff82aa3bb6 ffff88006c000100 ffff88005d723540 ffff88005d723560 fefefefefefefeff ffff88004c7afa28 ffffffff8177725c ffff88004c7afab8 ffff88005d723544 0000000000000000 ffff88004c7afaa8 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 
mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1b0/0x480 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load1_noabort+0x3e/0x40 mm/kasan/report.c:321 [] link_path_walk+0x1339/0x1760 fs/namei.c:2088 [] path_lookupat+0x14f/0x410 fs/namei.c:2267 [] filename_lookup+0x166/0x350 fs/namei.c:2302 [] user_path_at_empty+0x31/0x40 fs/namei.c:2556 [] user_path include/linux/namei.h:60 [inline] [] do_mount+0xfc/0x2a90 fs/namespace.c:2703 [] SYSC_mount fs/namespace.c:2974 [inline] [] SyS_mount+0x90/0xd0 fs/namespace.c:2951 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff88005d723540, in cache kmalloc-32 size: 32 Allocated: PID = 14740 [ 132.209083] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [ 132.210346] [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495 [ 132.211537] [] set_track mm/kasan/kasan.c:507 [inline] [ 132.211537] [] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 [ 132.219527] [] __do_kmalloc mm/slab.c:3733 [inline] [ 132.219527] [] __kmalloc_track_caller+0x185/0x760 mm/slab.c:3748 [ 132.220923] [] kstrdup+0x2c/0x50 mm/util.c:53 [ 132.222054] [] bpf_symlink+0x20/0x110 kernel/bpf/inode.c:198 [ 132.223245] [] vfs_symlink+0x31e/0x520 fs/namei.c:4085 [ 132.224457] [] SYSC_symlinkat fs/namei.c:4112 [inline] [ 132.224457] [] SyS_symlinkat fs/namei.c:4092 [inline] [ 132.224457] [] SYSC_symlink fs/namei.c:4125 [inline] [ 132.224457] [] SyS_symlink+0x165/0x1d0 fs/namei.c:4123 [ 132.225661] [] entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 14741 [ 132.227794] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [ 132.229095] [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495 [ 132.230277] [] set_track mm/kasan/kasan.c:507 [inline] [ 132.230277] [] kasan_slab_free+0x70/0xb0 mm/kasan/kasan.c:571 [ 132.231462] [] __cache_free mm/slab.c:3511 [inline] [ 132.231462] [] kfree+0xcf/0x2c0 mm/slab.c:3828 [ 132.244875] [] bpf_evict_inode+0xe8/0x120 kernel/bpf/inode.c:359 [ 
132.253014] [] evict+0x203/0x470 fs/inode.c:553 [ 132.253988] [] iput_final fs/inode.c:1515 [inline] [ 132.253988] [] iput+0x56b/0x880 fs/inode.c:1542 [ 132.254994] [] do_unlinkat+0x30b/0x640 fs/namei.c:4027 [ 132.255997] [] SYSC_unlink fs/namei.c:4068 [inline] [ 132.255997] [] SyS_unlink+0x11/0x20 fs/namei.c:4066 [ 132.257069] [] entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff88005d723400: 00 01 fc fc fc fc fc fc fb fb fb fb fc fc fc fc ffff88005d723480: 00 00 01 fc fc fc fc fc 00 00 01 fc fc fc fc fc >ffff88005d723500: 00 02 fc fc fc fc fc fc fb fb fb fb fc fc fc fc ^ ffff88005d723580: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc ffff88005d723600: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: use-after-free in lookup_last fs/namei.c:2247 [inline] at addr ffff88005d723544 BUG: KASAN: use-after-free in path_lookupat+0x3b4/0x410 fs/namei.c:2268 at addr ffff88005d723544 Read of size 1 by task syz-executor0/14737 CPU: 1 PID: 14737 Comm: syz-executor0 Tainted: G B 4.9.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 ffff88004c7afae8 ffffffff82aa3bb6 ffff88006c000100 ffff88005d723540 ffff88005d723560 ffff88004c7afc94 ffff88004c7afb10 ffffffff8177725c ffff88004c7afba0 ffff88005d723544 ffffed00098f5f92 ffff88004c7afb90 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1b0/0x480 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load1_noabort+0x3e/0x40 mm/kasan/report.c:321 [] lookup_last fs/namei.c:2247 [inline] [] path_lookupat+0x3b4/0x410 fs/namei.c:2268 [] filename_lookup+0x166/0x350 fs/namei.c:2302 [] user_path_at_empty+0x31/0x40 
fs/namei.c:2556 [] user_path include/linux/namei.h:60 [inline] [] do_mount+0xfc/0x2a90 fs/namespace.c:2703 [] SYSC_mount fs/namespace.c:2974 [inline] [] SyS_mount+0x90/0xd0 fs/namespace.c:2951 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff88005d723540, in cache kmalloc-32 size: 32 Allocated: PID = 14740 [ 132.310670] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [ 132.311998] [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495 [ 132.313212] [] set_track mm/kasan/kasan.c:507 [inline] [ 132.313212] [] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 [ 132.315184] [] __do_kmalloc mm/slab.c:3733 [inline] [ 132.315184] [] __kmalloc_track_caller+0x185/0x760 mm/slab.c:3748 [ 132.317523] [] kstrdup+0x2c/0x50 mm/util.c:53 [ 132.319431] [] bpf_symlink+0x20/0x110 kernel/bpf/inode.c:198 [ 132.320862] [] vfs_symlink+0x31e/0x520 fs/namei.c:4085 [ 132.322101] [] SYSC_symlinkat fs/namei.c:4112 [inline] [ 132.322101] [] SyS_symlinkat fs/namei.c:4092 [inline] [ 132.322101] [] SYSC_symlink fs/namei.c:4125 [inline] [ 132.322101] [] SyS_symlink+0x165/0x1d0 fs/namei.c:4123 [ 132.323368] [] entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 14741 [ 132.325664] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [ 132.326951] [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495 [ 132.328111] [] set_track mm/kasan/kasan.c:507 [inline] [ 132.328111] [] kasan_slab_free+0x70/0xb0 mm/kasan/kasan.c:571 [ 132.329387] [] __cache_free mm/slab.c:3511 [inline] [ 132.329387] [] kfree+0xcf/0x2c0 mm/slab.c:3828 [ 132.330396] [] bpf_evict_inode+0xe8/0x120 kernel/bpf/inode.c:359 [ 132.331564] [] evict+0x203/0x470 fs/inode.c:553 [ 132.332751] [] iput_final fs/inode.c:1515 [inline] [ 132.332751] [] iput+0x56b/0x880 fs/inode.c:1542 [ 132.333867] [] do_unlinkat+0x30b/0x640 fs/namei.c:4027 [ 132.335064] [] SYSC_unlink fs/namei.c:4068 [inline] [ 132.335064] [] SyS_unlink+0x11/0x20 fs/namei.c:4066 [ 132.336219] [] entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: 
ffff88005d723400: 00 01 fc fc fc fc fc fc fb fb fb fb fc fc fc fc ffff88005d723480: 00 00 01 fc fc fc fc fc 00 00 01 fc fc fc fc fc >ffff88005d723500: 00 02 fc fc fc fc fc fc fb fb fb fb fc fc fc fc ^ ffff88005d723580: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc ffff88005d723600: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc ================================================================== device bridge_slave_1 left promiscuous mode bridge0: port 2(bridge_slave_1) entered disabled state device bridge_slave_0 left promiscuous mode bridge0: port 1(bridge_slave_0) entered disabled state team0 (unregistering): Port device team_slave_1 removed team0 (unregistering): Port device team_slave_0 removed bond0 (unregistering): Releasing backup interface bond_slave_1 bond0 (unregistering): Releasing backup interface bond_slave_0 bond0 (unregistering): Released all slaves