==================================================================
BUG: KASAN: slab-use-after-free in afs_dynroot_test_super+0x56/0xc0
Read of size 8 at addr ffff888018ebe300 by task syz-executor.7/6773

CPU: 1 PID: 6773 Comm: syz-executor.7 Not tainted 6.5.0-rc2-syzkaller-00050-g345a5c4a0b63 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 dump_stack_lvl+0x1e7/0x2d0
 print_report+0x163/0x540
 kasan_report+0x175/0x1b0
 afs_dynroot_test_super+0x56/0xc0
 sget_fc+0x140/0x630
 afs_get_tree+0x39c/0x1120
 vfs_get_tree+0x8c/0x280
 do_new_mount+0x28f/0xae0
 __se_sys_mount+0x2d9/0x3c0
 do_syscall_64+0x41/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f9c88a7cba9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9c897750c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f9c88b9bf80 RCX: 00007f9c88a7cba9
RDX: 0000000020000440 RSI: 0000000020000400 RDI: 0000000000000000
RBP: 00007f9c88ac847a R08: 0000000020000480 R09: 0000000000000000
R10: 0000000002010800 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f9c88b9bf80 R15: 00007fff54187c88
 </TASK>

Allocated by task 6770:
 kasan_set_track+0x4f/0x70
 __kasan_kmalloc+0x98/0xb0
 afs_get_tree+0xbb/0x1120
 vfs_get_tree+0x8c/0x280
 do_new_mount+0x28f/0xae0
 __se_sys_mount+0x2d9/0x3c0
 do_syscall_64+0x41/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 6770:
 kasan_set_track+0x4f/0x70
 kasan_save_free_info+0x28/0x40
 ____kasan_slab_free+0xd6/0x120
 __kmem_cache_free+0x25f/0x3b0
 deactivate_locked_super+0xa5/0x200
 cleanup_mnt+0x426/0x4c0
 task_work_run+0x24a/0x300
 exit_to_user_mode_loop+0xd9/0x100
 exit_to_user_mode_prepare+0xb1/0x140
 syscall_exit_to_user_mode+0x64/0x280
 do_syscall_64+0x4d/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888018ebe300
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
 freed 32-byte region [ffff888018ebe300, ffff888018ebe320)

The buggy address belongs to the physical page:
page:ffffea000063af80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x18ebe
anon flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000200 ffff888012841500 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000400040 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 47, tgid 47 (kworker/u4:3), ts 3403610085, free_ts 0
 post_alloc_hook+0x1e6/0x210
 get_page_from_freelist+0x31e8/0x3370
 __alloc_pages+0x255/0x670
 alloc_slab_page+0x6a/0x160
 new_slab+0x84/0x2f0
 ___slab_alloc+0xade/0x1100
 __kmem_cache_alloc_node+0x1af/0x270
 __kmalloc+0xa8/0x230
 tomoyo_encode+0x26f/0x530
 tomoyo_realpath_from_path+0x598/0x5e0
 tomoyo_path_number_perm+0x210/0x840
 tomoyo_path_chown+0x42/0xb0
 security_path_chown+0xdd/0x130
 chown_common+0x4b2/0x850
 init_chown+0x11a/0x180
 do_name+0x30a/0x3d0
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888018ebe200: 00 00 00 00 fc fc fc fc fa fb fb fb fc fc fc fc
 ffff888018ebe280: 00 00 00 00 fc fc fc fc 00 00 00 fc fc fc fc fc
>ffff888018ebe300: fa fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
                   ^
 ffff888018ebe380: 00 00 00 00 fc fc fc fc 00 00 01 fc fc fc fc fc
 ffff888018ebe400: 00 00 00 00 fc fc fc fc 00 00 00 fc fc fc fc fc
==================================================================
