==================================================================
BUG: KASAN: use-after-free in link_path_walk+0x137a/0x14f0 fs/namei.c:1948
Read of size 4 at addr ffff8800b9e5e6e0 by task syz-executor0/22799

CPU: 1 PID: 22799 Comm: syz-executor0 Not tainted 4.4.125-g38f41ec #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 c561a146805af6d3 ffff8800b9667890 ffffffff81d067bd
 ffffea0002e79780 ffff8800b9e5e6e0 0000000000000000 ffff8800b9e5e6e0
 ffff8800b9e5e6e0 ffff8800b96678c8 ffffffff814fea83 ffff8800b9e5e6e0
Call Trace:
 [<ffffffff81d067bd>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d067bd>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff814fea83>] print_address_description+0x73/0x260 mm/kasan/report.c:252
 [<ffffffff814fef95>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff814fef95>] kasan_report+0x285/0x370 mm/kasan/report.c:408
 [<ffffffff814ff0d4>] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:428
 [<ffffffff8154a34a>] link_path_walk+0x137a/0x14f0 fs/namei.c:1948
 [<ffffffff8154cbef>] path_openat+0x19f/0x3940 fs/namei.c:3357
 [<ffffffff81553017>] do_filp_open+0x197/0x290 fs/namei.c:3392
 [<ffffffff8151cab9>] do_sys_open+0x369/0x660 fs/open.c:1038
 [<ffffffff8161d98d>] C_SYSC_openat fs/compat.c:1101 [inline]
 [<ffffffff8161d98d>] compat_SyS_openat+0x2d/0x40 fs/compat.c:1099
 [<ffffffff81006d91>] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [<ffffffff81006d91>] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 [<ffffffff8377b2aa>] sysenter_flags_fixed+0xd/0x17

Allocated by task 22799:
 [<ffffffff81035d76>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff814fdaf3>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814fddbd>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff814fddbd>] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
 [<ffffffff814fe392>] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:554
 [<ffffffff814f9a6a>] slab_post_alloc_hook mm/slub.c:1349 [inline]
 [<ffffffff814f9a6a>] slab_alloc_node mm/slub.c:2615 [inline]
 [<ffffffff814f9a6a>] slab_alloc mm/slub.c:2623 [inline]
 [<ffffffff814f9a6a>] kmem_cache_alloc+0xba/0x290 mm/slub.c:2628
 [<ffffffff8156b24e>] __d_alloc+0x2e/0x7b0 fs/dcache.c:1589
 [<ffffffff8156bc74>] d_make_root+0x44/0x90 fs/dcache.c:1934
 [<ffffffff81840cef>] ramfs_fill_super+0x35f/0x4a0 fs/ramfs/inode.c:232
 [<ffffffff81527c49>] mount_nodev+0x59/0x100 fs/super.c:1086
 [<ffffffff8184019c>] ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:242
 [<ffffffff81529aef>] mount_fs+0x27f/0x350 fs/super.c:1146
 [<ffffffff81581570>] vfs_kern_mount.part.21+0xd0/0x3e0 fs/namespace.c:991
 [<ffffffff8158909e>] vfs_kern_mount fs/namespace.c:2508 [inline]
 [<ffffffff8158909e>] do_new_mount fs/namespace.c:2516 [inline]
 [<ffffffff8158909e>] do_mount+0xe8e/0x2900 fs/namespace.c:2832
 [<ffffffff8161c286>] C_SYSC_mount fs/compat.c:824 [inline]
 [<ffffffff8161c286>] compat_SyS_mount+0x106/0x1180 fs/compat.c:789
 [<ffffffff81006d91>] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [<ffffffff81006d91>] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 [<ffffffff8377b2aa>] sysenter_flags_fixed+0xd/0x17

Freed by task 22809:
 [<ffffffff81035d76>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff814fdaf3>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814fe412>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff814fe412>] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589
 [<ffffffff814fab57>] slab_free_hook mm/slub.c:1383 [inline]
 [<ffffffff814fab57>] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [<ffffffff814fab57>] slab_free mm/slub.c:2859 [inline]
 [<ffffffff814fab57>] kmem_cache_free+0xc7/0x320 mm/slub.c:2881
 [<ffffffff81562c55>] __d_free fs/dcache.c:257 [inline]
 [<ffffffff81562c55>] dentry_free+0xd5/0x150 fs/dcache.c:333
 [<ffffffff815649f1>] __dentry_kill+0x491/0x620 fs/dcache.c:576
 [<ffffffff81568e58>] dentry_kill fs/dcache.c:603 [inline]
 [<ffffffff81568e58>] dput.part.19+0x638/0x760 fs/dcache.c:818
 [<ffffffff8156a743>] dput fs/dcache.c:782 [inline]
 [<ffffffff8156a743>] do_one_tree+0x43/0x50 fs/dcache.c:1473
 [<ffffffff8156b147>] shrink_dcache_for_umount+0x67/0x140 fs/dcache.c:1487
 [<ffffffff8152526d>] generic_shutdown_super+0x6d/0x340 fs/super.c:413
 [<ffffffff81525b42>] kill_anon_super fs/super.c:914 [inline]
 [<ffffffff81525b42>] kill_litter_super+0x72/0x90 fs/super.c:924
 [<ffffffff8184015f>] ramfs_kill_sb+0x3f/0x50 fs/ramfs/inode.c:248
 [<ffffffff81526008>] deactivate_locked_super+0x88/0xd0 fs/super.c:301
 [<ffffffff81526971>] deactivate_super+0x91/0xd0 fs/super.c:332
 [<ffffffff81580312>] cleanup_mnt+0xb2/0x160 fs/namespace.c:1118
 [<ffffffff81580446>] __cleanup_mnt+0x16/0x20 fs/namespace.c:1125
 [<ffffffff8118bd44>] task_work_run+0x104/0x180 kernel/task_work.c:115
 [<ffffffff8100361d>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff8100361d>] exit_to_usermode_loop+0x13d/0x160 arch/x86/entry/common.c:252
 [<ffffffff81007084>] prepare_exit_to_usermode arch/x86/entry/common.c:283 [inline]
 [<ffffffff81007084>] syscall_return_slowpath arch/x86/entry/common.c:348 [inline]
 [<ffffffff81007084>] do_syscall_32_irqs_on arch/x86/entry/common.c:398 [inline]
 [<ffffffff81007084>] do_fast_syscall_32+0x614/0x8a0 arch/x86/entry/common.c:459
 [<ffffffff8377b2aa>] sysenter_flags_fixed+0xd/0x17

The buggy address belongs to the object at ffff8800b9e5e6e0
 which belongs to the cache dentry of size 288
The buggy address is located 0 bytes inside of
 288-byte region [ffff8800b9e5e6e0, ffff8800b9e5e800)
The buggy address belongs to the page:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 22808 Comm: syz-executor5 Not tainted 4.4.125-g38f41ec #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d89f9800 task.stack: ffff8801d24f8000
RIP: 0010:[<ffffffff81d675e4>]  [<ffffffff81d675e4>] lookup_object lib/debugobjects.c:120 [inline]
RIP: 0010:[<ffffffff81d675e4>]  [<ffffffff81d675e4>] __debug_object_init+0x184/0xc30 lib/debugobjects.c:318
RSP: 0018:ffff8801d24ffc00  EFLAGS: 00010803
RAX: 1d2000dbb71d0164 RBX: 0000000000000003 RCX: dffffc0000000000
RDX: 1ffffffff0af5d38 RSI: ffff8801d89fa0e0 RDI: e90006ddb8e80b27
RBP: ffff8801d24ffcc0 R08: 0000000000000001 R09: ffffffff8512f880
R10: 0000000000000001 R11: 1ffff1003a49ff46 R12: 0000000000048f80
R13: ffff8801d24ffd28 R14: e90006ddb8e80b0f R15: ffffffff857ae9c0
FS:  0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:0000000008b55900
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000008118a0c CR3: 00000001d99c4000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffffffff812370bb 0000000000000286 ffffffff00000001 ffffffff842c6460
 1ffff1003a49ff87 0000000000000296 ffffffff857ae9c8 0000000041b58ab3
 ffffffff83fd042e ffffffff81d67460 ffff8801d89f9800 0000000000000000
Call Trace:
 [<ffffffff81d680c9>] debug_object_init_on_stack+0x19/0x20 lib/debugobjects.c:378
 [<ffffffff812b1343>] hrtimer_init_on_stack kernel/time/hrtimer.c:429 [inline]
 [<ffffffff812b1343>] hrtimer_nanosleep+0x143/0x550 kernel/time/hrtimer.c:1569
 [<ffffffff813051b9>] C_SYSC_nanosleep kernel/compat.c:254 [inline]
 [<ffffffff813051b9>] compat_SyS_nanosleep+0x279/0x390 kernel/compat.c:239
Initializing cgroup subsys cpuset
Initializing cgroup subsys cpu
Initializing cgroup subsys cpuacct
Initializing cgroup subsys schedtune
Linux version 4.4.125-g38f41ec (syzkaller@ci) (gcc version 7.1.1 20170620 (GCC) ) #21 SMP PREEMPT Thu Mar 29 11:51:28 UTC 2018
Command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1 console=ttyS0 earlyprintk=serial vsyscall=native rodata=n ftrace_dump_on_oops=orig_cpu oops=panic panic_on_warn=1 nmi_watchdog=panic panic=86400 workqueue.watchdog_thresh=120
KERNEL supported cpus:
  Intel GenuineIntel
  AMD AuthenticAMD
  Centaur CentaurHauls
x86/fpu: xstate_offset[2]:  576, xstate_sizes[2]:  256
x86/fpu: Supporting XSAVE feature 0x01: 'x87 floating point registers'
x86/fpu: Supporting XSAVE feature 0x02: 'SSE registers'
x86/fpu: Supporting XSAVE feature 0x04: 'AVX registers'
x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' format.
x86/fpu: Using 'eager' FPU context switches.
e820: BIOS-provided physical RAM map:
BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
BIOS-e820: [mem 0x0000000000100000-0x00000000bfff2fff] usable
BIOS-e820: [mem 0x00000000bfff3000-0x00000000bfffffff] reserved
BIOS-e820: [mem 0x00000000fffbc000-0x00000000ffffffff] reserved
BIOS-e820: [mem 0x0000000100000000-0x000000021fffffff] usable
bootconsole [earlyser0] enabled
NX (Execute Disable) protection: active
SMBIOS 2.4 present.
Hypervisor detected: KVM
e820: last_pfn = 0x220000 max_arch_pfn = 0x400000000
x86/PAT: Configuration [0-7]: WB  WC  UC- UC  WB  WC  UC- WT  
e820: last_pfn = 0xbfff3 max_arch_pfn = 0x400000000
found SMP MP-table at [mem 0x000f23d0-0x000f23df] mapped at [ffff8800000f23d0]
Scanning 1 areas for low memory corruption
Using GB pages for direct mapping
ACPI: Early table checksum verification disabled
ACPI: RSDP 0x00000000000F2390 000014 (v00 Google)
ACPI: RSDT 0x00000000BFFF3430 000038 (v01 Google GOOGRSDT 00000001 GOOG 00000001)
ACPI: FACP 0x00000000BFFFCF60 0000F4 (v02 Google GOOGFACP 00000001 GOOG 00000001)
ACPI: DSDT 0x00000000BFFF3470 0017B2 (v01 Google GOOGDSDT 00000001 GOOG 00000001)
ACPI: FACS 0x00000000BFFFCF00 000040
ACPI: FACS 0x00000000BFFFCF00 000040
ACPI: SSDT 0x00000000BFFF65F0 00690D (v01 Google GOOGSSDT 00000001 GOOG 00000001)
ACPI: APIC 0x00000000BFFF5D10 000076 (v01 Google GOOGAPIC 00000001 GOOG 00000001)
ACPI: WAET 0x00000000BFFF5CE0 000028 (v01 Google GOOGWAET 00000001 GOOG 00000001)
ACPI: SRAT 0x00000000BFFF4C30 0000C8 (v01 Google GOOGSRAT 00000001 GOOG 00000001)
kvm-clock: Using msrs 4b564d01 and 4b564d00
kvm-clock: cpu 0, msr 2:1fffd001, primary cpu clock
kvm-clock: using sched offset of 2464327918 cycles
clocksource: kvm-clock: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns
Zone ranges:
  DMA      [mem 0x0000000000001000-0x0000000000ffffff]
  DMA32    [mem 0x0000000001000000-0x00000000ffffffff]
  Normal   [mem 0x0000000100000000-0x000000021fffffff]
Movable zone start for each node
Early memory node ranges
  node   0: [mem 0x0000000000001000-0x000000000009efff]
  node   0: [mem 0x0000000000100000-0x00000000bfff2fff]
  node   0: [mem 0x0000000100000000-0x000000021fffffff]
Initmem setup node 0 [mem 0x0000000000001000-0x000000021fffffff]
kasan: KernelAddressSanitizer initialized
ACPI: PM-Timer IO Port: 0xb008
ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1])
IOAPIC[0]: apic_id 0, version 17, address 0xfec00000, GSI 0-23
ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)
ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
Using ACPI (MADT) for SMP configuration information
smpboot: Allowing 2 CPUs, 0 hotplug CPUs
PM: Registered nosave memory: [mem 0x00000000-0x00000fff]
PM: Registered nosave memory: [mem 0x0009f000-0x0009ffff]
PM: Registered nosave memory: [mem 0x000a0000-0x000effff]
PM: Registered nosave memory: [mem 0x000f0000-0x000fffff]
PM: Registered nosave memory: [mem 0xbfff3000-0xbfffffff]
PM: Registered nosave memory: [mem 0xc0000000-0xfffbbfff]
PM: Registered nosave memory: [mem 0xfffbc000-0xffffffff]
e820: [mem 0xc0000000-0xfffbbfff] available for PCI devices
Booting paravirtualized kernel on KVM
clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
setup_percpu: NR_CPUS:64 nr_cpumask_bits:64 nr_cpu_ids:2 nr_node_ids:1
PERCPU: Embedded 42 pages/cpu @ffff8801db200000 s134024 r8192 d29816 u1048576
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 1935227
Kernel command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1 console=ttyS0 earlyprintk=serial vsyscall=native rodata=n ftrace_dump_on_oops=orig_cpu oops=panic panic_on_warn=1 nmi_watchdog=panic panic=86400 workqueue.watchdog_thresh=120
PID hash table entries: 4096 (order: 3, 32768 bytes)
Dentry cache hash table entries: 1048576 (order: 11, 8388608 bytes)
Inode-cache hash table entries: 524288 (order: 10, 4194304 bytes)
Memory: 6581380K/7863876K available (40445K kernel code, 6140K rwdata, 8816K rodata, 1852K init, 23632K bss, 1282496K reserved, 0K cma-reserved)
SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
Kernel/User page tables isolation: enabled
Running RCU self tests
Preemptible hierarchical RCU implementation.
	RCU lockdep checking is enabled.
	Build-time adjustment of leaf fanout to 64.
	RCU restricting CPUs from NR_CPUS=64 to nr_cpu_ids=2.
RCU: Adjusting geometry for rcu_fanout_leaf=64, nr_cpu_ids=2
NR_IRQS:4352 nr_irqs:440 16
console [ttyS0] enabled
console [ttyS0] enabled
bootconsole [earlyser0] disabled
bootconsole [earlyser0] disabled
Lock dependency validator: Copyright (c) 2006 Red Hat, Inc., Ingo Molnar
... MAX_LOCKDEP_SUBCLASSES:  8
... MAX_LOCK_DEPTH:          48
... MAX_LOCKDEP_KEYS:        8191
... CLASSHASH_SIZE:          4096
... MAX_LOCKDEP_ENTRIES:     32768
... MAX_LOCKDEP_CHAINS:      65536
... CHAINHASH_SIZE:          32768
 memory used by lock dependency info: 8159 kB
 per task-struct memory footprint: 1920 bytes
tsc: Detected 2300.000 MHz processor
Calibrating delay loop (skipped) preset value.. 4600.00 BogoMIPS (lpj=23000000)
pid_max: default: 32768 minimum: 301
ACPI: Core revision 20150930
ACPI: 2 ACPI AML tables successfully acquired and loaded
Security Framework initialized
SELinux:  Initializing.
AppArmor: AppArmor disabled by boot time parameter
Mount-cache hash table entries: 16384 (order: 5, 131072 bytes)
Mountpoint-cache hash table entries: 16384 (order: 5, 131072 bytes)
Initializing cgroup subsys io
Initializing cgroup subsys freezer
Initializing cgroup subsys hugetlb
Initializing cgroup subsys debug
CPU: Physical Processor ID: 0
mce: CPU supports 32 MCE banks
Last level iTLB entries: 4KB 1024, 2MB 1024, 4MB 1024
Last level dTLB entries: 4KB 1024, 2MB 1024, 4MB 1024, 1GB 4
Spectre V2 : Vulnerable: Minimal generic ASM retpoline
Freeing SMP alternatives memory: 44K
..TIMER: vector=0x30 apic1=0 pin1=0 apic2=-1 pin2=-1
smpboot: CPU0: Intel(R) Xeon(R) CPU @ 2.30GHz (family: 0x6, model: 0x3f, stepping: 0x0)
Performance Events: unsupported p6 CPU model 63 no PMU driver, software events only.
x86: Booting SMP configuration:
.... node  #0, CPUs:      #1
kvm-clock: cpu 1, msr 2:1fffd041, secondary cpu clock
x86: Booted up 1 node, 2 CPUs
smpboot: Total of 2 processors activated (9200.00 BogoMIPS)
devtmpfs: initialized
clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
futex hash table entries: 512 (order: 4, 65536 bytes)
xor: automatically using best checksumming function:
kworker/u4:0 (21) used greatest stack depth: 27944 bytes left
   avx       : 21113.200 MB/sec
RTC time:  2:40:51, date: 04/19/18
NET: Registered protocol family 16
schedtune: init normalization constants...
schedtune: no energy model data
schedtune: disabled!
cpuidle: using governor ladder
cpuidle: using governor menu
ACPI: bus type PCI registered
acpiphp: ACPI Hot Plug PCI Controller Driver version: 0.5
PCI: Using configuration type 1 for base access
kworker/u4:1 (43) used greatest stack depth: 27448 bytes left
kworker/u4:2 (284) used greatest stack depth: 27080 bytes left