NOTE: dmesg was trimmed by Syzkaller

==================================================================
BUG: KASAN: use-after-free in __handle_mm_fault+0x2410/0x2750
Read of size 8 at addr ffff800039cadfb8 by task syz-executor1/1463

CPU: 0 PID: 1463 Comm: syz-executor1 Not tainted 4.13.0-rc6-00050-g98b9f8a #1
Hardware name: linux,dummy-virt (DT)
Call trace:
[<ffff200008090b08>] dump_backtrace+0x0/0x490
[<ffff2000080912c0>] show_stack+0x20/0x30
[<ffff200009a9feb0>] dump_stack+0xd0/0x120
[<ffff200008432df0>] print_address_description+0x60/0x250
[<ffff2000084332d8>] kasan_report+0x238/0x2f8
[<ffff200008433410>] __asan_report_load8_noabort+0x18/0x20
[<ffff2000083c4ce8>] __handle_mm_fault+0x2410/0x2750
[<ffff2000083c5350>] handle_mm_fault+0x328/0x658
[<ffff2000080b01f4>] do_page_fault+0x44c/0x6c8
[<ffff20000808160c>] do_mem_abort+0xac/0x1c0
Exception stack(0xffff800009d7fdb0 to 0xffff800009d7fee0)
fda0:                                   0000000000000000 0000600015b69000
fdc0: ffffffffffffffff 000000000041f918 0000000020000000 0000000000000020
fde0: 0000000082000007 000000000041f918 0000000040000001 ffff200008969b08
fe00: 0000000041b58ab3 ffff20000a1e9cf0 ffff200008081560 ffff80001994b100
fe20: ffff800009d7fe80 ffff2000081e84e4 ffff80001994b100 ffff200008083e6c
fe40: ffff80001994b100 00000000004087e8 0000000000000000 0000000000000015
fe60: 0000000000000124 dfff200000000000 ffff800009d7fe80 ffff20000808f78c
fe80: ffff800009d7feb0 ffff2000081e86a8 0000000000000000 0000600034b71000
fea0: ffffffffffffffff 00000000004087e8 0000000000000000 ffff200008083e6c
fec0: 00000000004ad290 000000000041f918 0000000000000348 0000000000000000
[<ffff200008083bd0>] el0_ia+0x18/0x1c

Allocated by task 1439:
 save_stack_trace_tsk+0x0/0x378
 save_stack_trace+0x20/0x30
 kasan_kmalloc+0xd8/0x188
 kasan_slab_alloc+0x14/0x20
 kmem_cache_alloc+0x124/0x208
 get_empty_filp+0x8c/0x328
 path_openat+0xb8/0x1c20
 do_filp_open+0x138/0x1f0
 do_open_execat+0xcc/0x3e8
 do_execveat_common.isra.15+0x5c0/0x1490
 SyS_execve+0x48/0x60
 el0_svc_naked+0x24/0x28

Freed by task 0:
 save_stack_trace_tsk+0x0/0x378
 save_stack_trace+0x20/0x30
 kasan_slab_free+0x88/0x188
 kmem_cache_free+0x88/0x230
 file_free_rcu+0x6c/0x80
 rcu_process_callbacks+0x3e4/0x958
 __do_softirq+0x304/0x6c4

The buggy address belongs to the object at ffff800039cade00
 which belongs to the cache filp of size 456
The buggy address is located 440 bytes inside of
 456-byte region [ffff800039cade00, ffff800039cadfc8)
The buggy address belongs to the page:
page:ffff7e0000e72b00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x4fffc00000008100(slab|head)
raw: 4fffc00000008100 0000000000000000 0000000000000000 0000000100190019
raw: 0000000000000000 0000000300000001 ffff80001a053000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff800039cade80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff800039cadf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff800039cadf80: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
                                        ^
 ffff800039cae000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff800039cae080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================