KASAN: use-after-free Read in relay_switch

similar bugs (3):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: use-after-free Read in relay_switch_subbuf	C	done	error	93	102d	1596d	0/24	upstream: reported C repro on 2018/09/26 07:41
linux-4.19	KASAN: use-after-free Read in relay_switch_subbuf				10	957d	1381d	0/1	auto-closed as invalid on 2020/10/24 01:02
linux-4.19	KASAN: use-after-free Read in relay_switch_subbuf (2)				22	11d	478d	0/1	upstream: reported on 2021/10/17 18:33

devpts: called with bogus options
devpts: called with bogus options
relay: one or more items not logged [item size (56) > sub-buffer size (9)]
devpts: called with bogus options
==================================================================
BUG: KASAN: use-after-free in relay_switch_subbuf+0x87c/0x8e0 kernel/relay.c:754
Read of size 8 at addr ffff88809a3d6778 by task kworker/0:2/2601

CPU: 0 PID: 2601 Comm: kworker/0:2 Not tainted 4.14.151 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events __blk_release_queue
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x197 lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 relay_switch_subbuf+0x87c/0x8e0 kernel/relay.c:754
 relay_flush kernel/relay.c:882 [inline]
 relay_flush+0x1ae/0x270 kernel/relay.c:866
 blk_trace_startstop+0x203/0x5c0 kernel/trace/blktrace.c:657
 blk_trace_shutdown+0x47/0x60 kernel/trace/blktrace.c:727
 __blk_release_queue+0x22e/0x4d0 block/blk-sysfs.c:830
 process_one_work+0x863/0x1600 kernel/workqueue.c:2114
 worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
 kthread+0x319/0x430 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Allocated by task 6850:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
 __d_alloc+0x2d/0x9f0 fs/dcache.c:1623
 d_alloc+0x4d/0x270 fs/dcache.c:1710
 __lookup_hash fs/namei.c:1570 [inline]
 __lookup_hash+0x58/0x180 fs/namei.c:1562
 lookup_one_len+0x27b/0x3a0 fs/namei.c:2538
 start_creating fs/debugfs/inode.c:314 [inline]
 start_creating+0xa6/0x1b0 fs/debugfs/inode.c:290
 __debugfs_create_file+0x53/0x3d0 fs/debugfs/inode.c:353
 debugfs_create_file+0x5a/0x70 fs/debugfs/inode.c:404
 blk_create_buf_file_callback+0x33/0x40 kernel/trace/blktrace.c:445
 relay_create_buf_file+0xf1/0x160 kernel/relay.c:427
 relay_open_buf.part.0+0x6a9/0x9e0 kernel/relay.c:456
 relay_open_buf kernel/relay.c:448 [inline]
 relay_open kernel/relay.c:598 [inline]
 relay_open+0x4e7/0x920 kernel/relay.c:562
 do_blk_trace_setup+0x3ca/0xb10 kernel/trace/blktrace.c:533
 blk_trace_setup+0xbd/0x140 kernel/trace/blktrace.c:579
 blk_trace_ioctl+0x147/0x270 kernel/trace/blktrace.c:694
 blkdev_ioctl+0x100/0x1860 block/ioctl.c:580
 block_ioctl+0xde/0x120 fs/block_dev.c:1881
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x7ae/0x1060 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 7:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
 __d_free+0x20/0x30 fs/dcache.c:270
 __rcu_reclaim kernel/rcu/rcu.h:195 [inline]
 rcu_do_batch kernel/rcu/tree.c:2699 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
 rcu_process_callbacks+0x7b8/0x12b0 kernel/rcu/tree.c:2946
 __do_softirq+0x244/0x9a0 kernel/softirq.c:288

The buggy address belongs to the object at ffff88809a3d6720
 which belongs to the cache dentry of size 288
The buggy address is located 88 bytes inside of
 288-byte region [ffff88809a3d6720, ffff88809a3d6840)
The buggy address belongs to the page:
page:ffffea000268f580 count:1 mapcount:0 mapping:ffff88809a3d6040 index:0xffff88809a3d6300
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff88809a3d6040 ffff88809a3d6300 0000000100000008
raw: ffffea000251b0a0 ffffea000251a9e0 ffff88821f8b5680 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809a3d6600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809a3d6680: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff88809a3d6700: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff88809a3d6780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809a3d6800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================

Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets	Title
ci2-linux-4-14	2019/11/05 19:01	linux-4.14.y	ddef1e8e3f6e	af5c522d	.config	console log	report	syz	C
ci2-linux-4-14	2022/09/12 16:47	linux-4.14.y	65640c873dcf	f371ed7e	.config	console log	report			info	[disk image] [vmlinux]	KASAN: use-after-free Read in relay_switch_subbuf
ci2-linux-4-14	2020/07/11 02:33	linux-4.14.y	b850307b279c	18d18b59	.config	console log	report
ci2-linux-4-14	2019/11/21 05:55	linux-4.14.y	f56f3d0e65ad	8098ea0f	.config	console log	report
ci2-linux-4-14	2019/11/05 16:36	linux-4.14.y	ddef1e8e3f6e	af5c522d	.config	console log	report