================================================================== BUG: KASAN: use-after-free in link_path_walk+0xf7d/0x1760 fs/namei.c:2060 at addr ffff88005e75f380 Read of size 1 by task syz-executor5/13961 CPU: 1 PID: 13961 Comm: syz-executor5 Not tainted 4.9.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 ffff8800646f7a00 ffffffff82aa3bb6 ffff88006c000100 ffff88005e75f380 ffff88005e75f3a0 fefefefefefefeff ffff8800646f7a28 ffffffff8177725c ffff8800646f7ab8 ffff88005e75f380 ffff88005f54c600 ffff8800646f7aa8 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1b0/0x480 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load1_noabort+0x3e/0x40 mm/kasan/report.c:321 [] link_path_walk+0xf7d/0x1760 fs/namei.c:2060 [] path_lookupat+0x14f/0x410 fs/namei.c:2267 [] filename_lookup+0x166/0x350 fs/namei.c:2302 [] user_path_at_empty+0x31/0x40 fs/namei.c:2556 [] user_path include/linux/namei.h:60 [inline] [] do_mount+0xfc/0x2a90 fs/namespace.c:2703 [] SYSC_mount fs/namespace.c:2974 [inline] [] SyS_mount+0x90/0xd0 fs/namespace.c:2951 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff88005e75f380, in cache kmalloc-32 size: 32 Allocated: PID = 13965 [ 246.107021] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [ 246.108036] [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495 [ 246.108978] [] set_track mm/kasan/kasan.c:507 [inline] [ 246.108978] [] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 [ 246.109958] [] __do_kmalloc mm/slab.c:3733 [inline] [ 246.109958] [] __kmalloc_track_caller+0x185/0x760 mm/slab.c:3748 [ 246.111068] [] kstrdup+0x2c/0x50 mm/util.c:53 [ 246.112003] [] bpf_symlink+0x20/0x110 kernel/bpf/inode.c:198 [ 246.112974] [] vfs_symlink+0x31e/0x520 fs/namei.c:4085 [ 246.113958] [] SYSC_symlinkat fs/namei.c:4112 [inline] [ 246.113958] [] SyS_symlinkat fs/namei.c:4092 [inline] [ 246.113958] [] SYSC_symlink fs/namei.c:4125 [inline] [ 246.113958] [] SyS_symlink+0x165/0x1d0 fs/namei.c:4123 [ 246.114952] [] entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 13967 [ 246.116744] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [ 246.117760] [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495 [ 246.118713] [] set_track mm/kasan/kasan.c:507 [inline] [ 246.118713] [] kasan_slab_free+0x70/0xb0 mm/kasan/kasan.c:571 [ 246.119719] [] __cache_free mm/slab.c:3511 [inline] [ 246.119719] [] kfree+0xcf/0x2c0 mm/slab.c:3828 [ 246.120614] [] bpf_evict_inode+0xe8/0x120 kernel/bpf/inode.c:359 [ 246.121628] [] evict+0x203/0x470 fs/inode.c:553 [ 246.122540] [] iput_final fs/inode.c:1515 [inline] [ 246.122540] [] iput+0x56b/0x880 fs/inode.c:1542 [ 246.123438] [] do_unlinkat+0x30b/0x640 fs/namei.c:4027 [ 246.124394] [] SYSC_unlink fs/namei.c:4068 [inline] [ 246.124394] [] SyS_unlink+0x11/0x20 fs/namei.c:4066 [ 246.125356] [] entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff88005e75f280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc ffff88005e75f300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc >ffff88005e75f380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc ^ ffff88005e75f400: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc ffff88005e75f480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc ================================================================== ================================================================== BUG: KASAN: use-after-free in link_path_walk+0x1339/0x1760 fs/namei.c:2088 at addr ffff88005e75f384 Read of size 1 by task syz-executor5/13961 CPU: 1 PID: 13961 Comm: syz-executor5 Tainted: G B 4.9.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 ffff8800646f7a00 ffffffff82aa3bb6 ffff88006c000100 ffff88005e75f380 ffff88005e75f3a0 fefefefefefefeff ffff8800646f7a28 ffffffff8177725c ffff8800646f7ab8 ffff88005e75f384 0000000000000000 ffff8800646f7aa8 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1b0/0x480 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load1_noabort+0x3e/0x40 mm/kasan/report.c:321 [] link_path_walk+0x1339/0x1760 fs/namei.c:2088 [] path_lookupat+0x14f/0x410 fs/namei.c:2267 [] filename_lookup+0x166/0x350 fs/namei.c:2302 [] user_path_at_empty+0x31/0x40 fs/namei.c:2556 [] user_path include/linux/namei.h:60 [inline] [] do_mount+0xfc/0x2a90 fs/namespace.c:2703 [] SYSC_mount fs/namespace.c:2974 [inline] [] SyS_mount+0x90/0xd0 fs/namespace.c:2951 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff88005e75f380, in cache kmalloc-32 size: 32 Allocated: PID = 13965 [ 246.165786] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [ 246.166815] [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495 [ 246.167746] [] set_track mm/kasan/kasan.c:507 [inline] [ 246.167746] [] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 [ 246.168713] [] __do_kmalloc mm/slab.c:3733 [inline] [ 246.168713] [] __kmalloc_track_caller+0x185/0x760 mm/slab.c:3748 [ 246.169810] [] kstrdup+0x2c/0x50 mm/util.c:53 [ 246.170710] [] bpf_symlink+0x20/0x110 kernel/bpf/inode.c:198 [ 246.171665] [] vfs_symlink+0x31e/0x520 fs/namei.c:4085 [ 246.172631] [] SYSC_symlinkat fs/namei.c:4112 [inline] [ 246.172631] [] SyS_symlinkat fs/namei.c:4092 [inline] [ 246.172631] [] SYSC_symlink fs/namei.c:4125 [inline] [ 246.172631] [] SyS_symlink+0x165/0x1d0 fs/namei.c:4123 [ 246.173598] [] entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 13967 [ 246.175356] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [ 246.176360] [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495 [ 246.177293] [] set_track mm/kasan/kasan.c:507 [inline] [ 246.177293] [] kasan_slab_free+0x70/0xb0 mm/kasan/kasan.c:571 [ 246.178286] [] __cache_free mm/slab.c:3511 [inline] [ 246.178286] [] kfree+0xcf/0x2c0 mm/slab.c:3828 [ 246.179167] [] bpf_evict_inode+0xe8/0x120 kernel/bpf/inode.c:359 [ 246.180167] [] evict+0x203/0x470 fs/inode.c:553 [ 246.181059] [] iput_final fs/inode.c:1515 [inline] [ 246.181059] [] iput+0x56b/0x880 fs/inode.c:1542 [ 246.181937] [] do_unlinkat+0x30b/0x640 fs/namei.c:4027 [ 246.182919] [] SYSC_unlink fs/namei.c:4068 [inline] [ 246.182919] [] SyS_unlink+0x11/0x20 fs/namei.c:4066 [ 246.183848] [] entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff88005e75f280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc ffff88005e75f300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc >ffff88005e75f380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc ^ ffff88005e75f400: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc ffff88005e75f480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc ================================================================== ================================================================== BUG: KASAN: use-after-free in lookup_last fs/namei.c:2247 [inline] at addr ffff88005e75f384 BUG: KASAN: use-after-free in path_lookupat+0x3b4/0x410 fs/namei.c:2268 at addr ffff88005e75f384 Read of size 1 by task syz-executor5/13961 CPU: 1 PID: 13961 Comm: syz-executor5 Tainted: G B 4.9.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 ffff8800646f7ae8 ffffffff82aa3bb6 ffff88006c000100 ffff88005e75f380 ffff88005e75f3a0 ffff8800646f7c94 ffff8800646f7b10 ffffffff8177725c ffff8800646f7ba0 ffff88005e75f384 ffffed000c8def92 ffff8800646f7b90 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1b0/0x480 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load1_noabort+0x3e/0x40 mm/kasan/report.c:321 [] lookup_last fs/namei.c:2247 [inline] [] path_lookupat+0x3b4/0x410 fs/namei.c:2268 [] filename_lookup+0x166/0x350 fs/namei.c:2302 [] user_path_at_empty+0x31/0x40 fs/namei.c:2556 [] user_path include/linux/namei.h:60 [inline] [] do_mount+0xfc/0x2a90 fs/namespace.c:2703 [] SYSC_mount fs/namespace.c:2974 [inline] [] SyS_mount+0x90/0xd0 fs/namespace.c:2951 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff88005e75f380, in cache kmalloc-32 size: 32 Allocated: PID = 13965 [ 246.220695] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [ 246.221689] [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495 [ 246.222594] [] set_track mm/kasan/kasan.c:507 [inline] [ 246.222594] [] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 [ 246.223559] [] __do_kmalloc mm/slab.c:3733 [inline] [ 246.223559] [] __kmalloc_track_caller+0x185/0x760 mm/slab.c:3748 [ 246.224654] [] kstrdup+0x2c/0x50 mm/util.c:53 [ 246.225548] [] bpf_symlink+0x20/0x110 kernel/bpf/inode.c:198 [ 246.226514] [] vfs_symlink+0x31e/0x520 fs/namei.c:4085 [ 246.227480] [] SYSC_symlinkat fs/namei.c:4112 [inline] [ 246.227480] [] SyS_symlinkat fs/namei.c:4092 [inline] [ 246.227480] [] SYSC_symlink fs/namei.c:4125 [inline] [ 246.227480] [] SyS_symlink+0x165/0x1d0 fs/namei.c:4123 [ 246.228449] [] entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 13967 [ 246.230213] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [ 246.231215] [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495 [ 246.232146] [] set_track mm/kasan/kasan.c:507 [inline] [ 246.232146] [] kasan_slab_free+0x70/0xb0 mm/kasan/kasan.c:571 [ 246.233139] [] __cache_free mm/slab.c:3511 [inline] [ 246.233139] [] kfree+0xcf/0x2c0 mm/slab.c:3828 [ 246.234025] [] bpf_evict_inode+0xe8/0x120 kernel/bpf/inode.c:359 [ 246.235032] [] evict+0x203/0x470 fs/inode.c:553 [ 246.235929] [] iput_final fs/inode.c:1515 [inline] [ 246.235929] [] iput+0x56b/0x880 fs/inode.c:1542 [ 246.236811] [] do_unlinkat+0x30b/0x640 fs/namei.c:4027 [ 246.237791] [] SYSC_unlink fs/namei.c:4068 [inline] [ 246.237791] [] SyS_unlink+0x11/0x20 fs/namei.c:4066 [ 246.238749] [] entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff88005e75f280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc ffff88005e75f300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc >ffff88005e75f380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc ^ ffff88005e75f400: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc ffff88005e75f480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc ================================================================== device bridge_slave_1 left promiscuous mode bridge0: port 2(bridge_slave_1) entered disabled state device bridge_slave_0 left promiscuous mode bridge0: port 1(bridge_slave_0) entered disabled state team0 (unregistering): Port device team_slave_1 removed team0 (unregistering): Port device team_slave_0 removed bond0 (unregistering): Releasing backup interface bond_slave_1 bond0 (unregistering): Releasing backup interface bond_slave_0 bond0 (unregistering): Released all slaves