======================================
| xx__-> [  194.388853][  T126] ==================================================================
| [ 194.389143][ T126] BUG: KASAN: slab-use-after-free in ovl_path_real (fs/overlayfs/ovl_entry.h:103 fs/overlayfs/util.c:244 fs/overlayfs/util.c:288) 
| [  194.389409][  T126] Read of size 8 at addr ffff888001926720 by task systemd-udevd/126
| [  194.389659][  T126]
[  194.389760][  T126] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  194.389762][  T126] Call Trace:
[  194.389764][  T126]  <TASK>
[ 194.389766][ T126] dump_stack_lvl (lib/dump_stack.c:123) 
[ 194.389774][ T126] print_address_description.constprop.0 (mm/kasan/report.c:409) 
[ 194.389780][ T126] ? ovl_path_real (fs/overlayfs/ovl_entry.h:103 fs/overlayfs/util.c:244 fs/overlayfs/util.c:288) 
[ 194.389783][ T126] print_report (mm/kasan/report.c:522) 
[ 194.389786][ T126] ? ovl_path_real (fs/overlayfs/ovl_entry.h:103 fs/overlayfs/util.c:244 fs/overlayfs/util.c:288) 
[ 194.389789][ T126] ? kasan_addr_to_slab (./include/linux/mm.h:1178 mm/kasan/../slab.h:211 mm/kasan/common.c:38) 
[ 194.389793][ T126] ? ovl_path_real (fs/overlayfs/ovl_entry.h:103 fs/overlayfs/util.c:244 fs/overlayfs/util.c:288) 
[ 194.389796][ T126] kasan_report (mm/kasan/report.c:636) 
[ 194.389800][ T126] ? ovl_path_real (fs/overlayfs/ovl_entry.h:103 fs/overlayfs/util.c:244 fs/overlayfs/util.c:288) 
[ 194.389805][ T126] ovl_path_real (fs/overlayfs/ovl_entry.h:103 fs/overlayfs/util.c:244 fs/overlayfs/util.c:288) 
[ 194.389808][ T126] ovl_getattr (fs/overlayfs/inode.c:171) 
[ 194.389812][ T126] ? __debug_check_no_obj_freed (lib/debugobjects.c:1110) 
[ 194.389818][ T126] ? __pfx_ovl_getattr (fs/overlayfs/inode.c:158) 
[ 194.389823][ T126] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4475) 
[ 194.389829][ T126] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/preempt.h:104 ./include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194) 
[ 194.389834][ T126] ? __debug_check_no_obj_freed (lib/debugobjects.c:1110) 
[ 194.389836][ T126] ? find_held_lock (kernel/locking/lockdep.c:5353) 
[ 194.389844][ T126] ? __pfx___debug_check_no_obj_freed (lib/debugobjects.c:1070) 
[ 194.389849][ T126] ? trace_rcu_segcb_stats (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:745 ./include/trace/events/rcu.h:537) 
[ 194.389856][ T126] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:745) 
[ 194.389859][ T126] ? kasan_quarantine_put (mm/kasan/quarantine.c:234 (discriminator 1)) 
[ 194.389864][ T126] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4475) 
[ 194.389868][ T126] vfs_getattr_nosec (fs/stat.c:215) 
[ 194.389874][ T126] vfs_fstat (./include/linux/file.h:62 ./include/linux/file.h:84 fs/stat.c:278) 
[ 194.389878][ T126] __do_sys_newfstat (fs/stat.c:556) 
[ 194.389882][ T126] ? __pfx___do_sys_newfstat (fs/stat.c:551) 
[ 194.389891][ T126] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:745) 
[ 194.389894][ T126] ? do_syscall_64 (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./include/linux/entry-common.h:199 arch/x86/entry/syscall_64.c:90) 
[ 194.389899][ T126] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) 
[ 194.389902][ T126] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[  194.389906][  T126] RIP: 0033:0x7f0dcd77a0bb
[ 194.389909][ T126] Code: 0f 1e fa 48 89 f2 31 c9 48 89 fe bf 9c ff ff ff e9 5a 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 05 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 11 ad 0b 00 f7 d8
All code
========
   0:	0f 1e fa             	nop    %edx
   3:	48 89 f2             	mov    %rsi,%rdx
   6:	31 c9                	xor    %ecx,%ecx
   8:	48 89 fe             	mov    %rdi,%rsi
   b:	bf 9c ff ff ff       	mov    $0xffffff9c,%edi
  10:	e9 5a 00 00 00       	jmp    0x6f
  15:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
  1c:	00 00 00 
  1f:	f3 0f 1e fa          	endbr64
  23:	b8 05 00 00 00       	mov    $0x5,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 05                	ja     0x37
  32:	c3                   	ret
  33:	0f 1f 40 00          	nopl   0x0(%rax)
  37:	48 8b 15 11 ad 0b 00 	mov    0xbad11(%rip),%rdx        # 0xbad4f
  3e:	f7 d8                	neg    %eax

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 05                	ja     0xd
   8:	c3                   	ret
   9:	0f 1f 40 00          	nopl   0x0(%rax)
   d:	48 8b 15 11 ad 0b 00 	mov    0xbad11(%rip),%rdx        # 0xbad25
  14:	f7 d8                	neg    %eax
[  194.389912][  T126] RSP: 002b:00007ffe04fcc518 EFLAGS: 00000202 ORIG_RAX: 0000000000000005
[  194.389916][  T126] RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f0dcd77a0bb
[  194.389918][  T126] RDX: 0000000000000000 RSI: 00007ffe04fcc630 RDI: 000000000000000d
[  194.389920][  T126] RBP: 00007ffe04fcc700 R08: 0000000000000003 R09: 0000000000000020
[  194.389921][  T126] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000003


Finger prints:
print_report:kasan_report:ovl_path_real:ovl_getattr:vfs_getattr_nosec