==================================================================
BUG: KASAN: use-after-free in link_path_walk+0x1198/0x18e0 fs/namei.c:2063
Read of size 1 at addr ffff8801d1793282 by task syz-executor3/31766

CPU: 0 PID: 31766 Comm: syz-executor3 Not tainted 4.13.0-rc2+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x145/0x1e1 lib/dump_stack.c:52
 print_address_description.cold.7+0x9/0x1c9 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.8+0x121/0x2da mm/kasan/report.c:408
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:426
 link_path_walk+0x1198/0x18e0 fs/namei.c:2063
 path_lookupat.isra.39+0x1a1/0xc00 fs/namei.c:2301
 filename_lookup+0x22e/0x480 fs/namei.c:2336
 user_path_at_empty+0x31/0x40 fs/namei.c:2590
 user_path include/linux/namei.h:61 [inline]
 do_mount+0x119/0x2c20 fs/namespace.c:2721
 SYSC_mount fs/namespace.c:2992 [inline]
 SyS_mount+0xb8/0xd0 fs/namespace.c:2969
 entry_SYSCALL_64_fastpath+0x23/0xc2
RIP: 0033:0x4576b9
RSP: 002b:00007fb8e2ed1c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000004576b9
RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
RBP: 0000000000000082 R08: 0000000020000340 R09: 0000000000000000
R10: 0000000000200000 R11: 0000000000000246 R12: 000000000072bf0c
R13: 00007ffc5d5c192f R14: 00007fb8e2ed29c0 R15: 0000000000000000

Allocated by task 31776:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:551
 __do_kmalloc mm/slab.c:3725 [inline]
 __kmalloc_track_caller+0x143/0x7a0 mm/slab.c:3740
 kstrdup+0x2c/0x60 mm/util.c:56
 bpf_symlink+0x1e/0x100 kernel/bpf/inode.c:200
 vfs_symlink+0x2f4/0x520 fs/namei.c:4107
 SYSC_symlinkat fs/namei.c:4134 [inline]
 SyS_symlinkat fs/namei.c:4114 [inline]
 SYSC_symlink fs/namei.c:4147 [inline]
 SyS_symlink+0x1a9/0x210 fs/namei.c:4145
 entry_SYSCALL_64_fastpath+0x23/0xc2

Freed by task 31781:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x270 mm/slab.c:3820
 bpf_evict_inode+0xe8/0x120 kernel/bpf/inode.c:375
 evict+0x452/0x9d0 fs/inode.c:553
 iput_final fs/inode.c:1514 [inline]
 iput+0x52c/0xad0 fs/inode.c:1541
 do_unlinkat+0x5f8/0x910 fs/namei.c:4049
 SYSC_unlink fs/namei.c:4090 [inline]
 SyS_unlink+0x11/0x20 fs/namei.c:4088
 entry_SYSCALL_64_fastpath+0x23/0xc2

The buggy address belongs to the object at ffff8801d1793280
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 2 bytes inside of
 32-byte region [ffff8801d1793280, ffff8801d17932a0)
The buggy address belongs to the page:
page:ffffea000745e4c0 count:1 mapcount:0 mapping:ffff8801d1793000 index:0xffff8801d1793fc1
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801d1793000 ffff8801d1793fc1 0000000100000020
raw: ffffea00074161a0 ffffea000740b9a0 ffff8801da8001c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d1793180: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff8801d1793200: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
>ffff8801d1793280: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
                   ^
 ffff8801d1793300: 05 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
 ffff8801d1793380: 00 01 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================