==================================================================
BUG: KASAN: use-after-free in d_inode include/linux/dcache.h:516 [inline]
BUG: KASAN: use-after-free in relay_switch_subbuf+0x298/0x6b0 kernel/relay.c:676
Read of size 8 at addr ffff88803c6d47c0 by task ksoftirqd/0/13

CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 5.17.0-rc1-syzkaller-00436-g24f4db1f3a27 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
 print_address_description+0x65/0x3a0 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report+0x19a/0x1f0 mm/kasan/report.c:459
 d_inode include/linux/dcache.h:516 [inline]
 relay_switch_subbuf+0x298/0x6b0 kernel/relay.c:676
 relay_reserve include/linux/relay.h:248 [inline]
 trace_note+0x54b/0x6f0 kernel/trace/blktrace.c:95
 trace_note_tsk kernel/trace/blktrace.c:126 [inline]
 __blk_add_trace+0xb2e/0xe80 kernel/trace/blktrace.c:267
 blk_add_trace_rq+0x2b2/0x330 kernel/trace/blktrace.c:836
 trace_block_rq_complete+0x22f/0x280 include/trace/events/block.h:115
 blk_update_request+0x36/0x1190 block/blk-mq.c:780
 blk_mq_end_request+0x39/0x70 block/blk-mq.c:928
 blk_complete_reqs block/blk-mq.c:999 [inline]
 blk_done_softirq+0x119/0x160 block/blk-mq.c:1004
 __do_softirq+0x392/0x7a3 kernel/softirq.c:558
 run_ksoftirqd+0xc1/0x120 kernel/softirq.c:921
 smpboot_thread_fn+0x533/0x9d0 kernel/smpboot.c:164
 kthread+0x2a3/0x2d0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30
 </TASK>

Allocated by task 11053:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 __kasan_slab_alloc+0xb2/0xe0 mm/kasan/common.c:469
 kasan_slab_alloc include/linux/kasan.h:260 [inline]
 slab_post_alloc_hook mm/slab.h:732 [inline]
 slab_alloc_node mm/slub.c:3230 [inline]
 slab_alloc mm/slub.c:3238 [inline]
 kmem_cache_alloc+0x1c9/0x310 mm/slub.c:3243
 __d_alloc+0x2a/0x700 fs/dcache.c:1769
 d_alloc fs/dcache.c:1848 [inline]
 d_alloc_parallel+0xd3/0x15c0 fs/dcache.c:2600
 __lookup_slow+0x110/0x3d0 fs/namei.c:1692
 lookup_one_len+0x186/0x2c0 fs/namei.c:2736
 start_creating+0x184/0x330 fs/debugfs/inode.c:352
 __debugfs_create_file+0x74/0x550 fs/debugfs/inode.c:397
 kvm_create_vm_debugfs arch/x86/kvm/../../../virt/kvm/kvm_main.c:995 [inline]
 kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:4770 [inline]
 kvm_dev_ioctl+0x146b/0x2150 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4797
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 19:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4c/0x70 mm/kasan/common.c:45
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:370
 ____kasan_slab_free+0x126/0x180 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:236 [inline]
 slab_free_hook mm/slub.c:1728 [inline]
 slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1754
 slab_free mm/slub.c:3509 [inline]
 kmem_cache_free+0xb6/0x1c0 mm/slub.c:3526
 rcu_do_batch kernel/rcu/tree.c:2527 [inline]
 rcu_core+0xa85/0x1700 kernel/rcu/tree.c:2778
 __do_softirq+0x392/0x7a3 kernel/softirq.c:558

Last potentially related work creation:
 kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xb2/0xc0 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:3026 [inline]
 call_rcu+0x1c4/0xa70 kernel/rcu/tree.c:3106
 __dentry_kill+0x4f8/0x660 fs/dcache.c:621
 dput+0x44e/0x6e0 fs/dcache.c:913
 find_next_child fs/libfs.c:264 [inline]
 simple_recursive_removal+0x2bf/0x860 fs/libfs.c:279
 debugfs_remove+0x45/0x60 fs/debugfs/inode.c:732
 kvm_destroy_vm_debugfs arch/x86/kvm/../../../virt/kvm/kvm_main.c:941 [inline]
 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1186 [inline]
 kvm_put_kvm+0x108/0x10e0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1250
 kvm_vm_release+0x42/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1273
 __fput+0x3fc/0x870 fs/file_table.c:311
 task_work_run+0x146/0x1c0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0x63b/0x2140 kernel/exit.c:806
 do_group_exit+0x2af/0x2b0 kernel/exit.c:935
 __do_sys_exit_group+0x13/0x20 kernel/exit.c:946
 __ia32_sys_exit_group+0x0/0x40 kernel/exit.c:944
 __x64_sys_exit_group+0x37/0x40 kernel/exit.c:944
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Second to last potentially related work creation:
 kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xb2/0xc0 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:3026 [inline]
 call_rcu+0x1c4/0xa70 kernel/rcu/tree.c:3106
 __dentry_kill+0x4f8/0x660 fs/dcache.c:621
 dput+0x44e/0x6e0 fs/dcache.c:913
 do_unlinkat+0x508/0xa10 fs/namei.c:4221
 __do_sys_unlink fs/namei.c:4266 [inline]
 __se_sys_unlink fs/namei.c:4264 [inline]
 __x64_sys_unlink+0x45/0x50 fs/namei.c:4264
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88803c6d4758
 which belongs to the cache dentry of size 312
The buggy address is located 104 bytes inside of
 312-byte region [ffff88803c6d4758, ffff88803c6d4890)
The buggy address belongs to the page:
page:ffffea0000f1b500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3c6d4
head:ffffea0000f1b500 order:1 compound_mapcount:0
memcg:ffff888019ea1201
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0000ef4e00 dead000000000002 ffff888140007640
raw: 0000000000000000 0000000000150015 00000001ffffffff ffff888019ea1201
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Reclaimable, gfp_mask 0x1d20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 3628, ts 466611675606, free_ts 466439127917
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0x729/0x9e0 mm/page_alloc.c:4165
 __alloc_pages+0x255/0x580 mm/page_alloc.c:5389
 alloc_slab_page mm/slub.c:1799 [inline]
 allocate_slab+0xce/0x3f0 mm/slub.c:1944
 new_slab mm/slub.c:2004 [inline]
 ___slab_alloc+0x3fe/0xc30 mm/slub.c:3018
 __slab_alloc mm/slub.c:3105 [inline]
 slab_alloc_node mm/slub.c:3196 [inline]
 slab_alloc mm/slub.c:3238 [inline]
 kmem_cache_alloc+0x276/0x310 mm/slub.c:3243
 __d_alloc+0x2a/0x700 fs/dcache.c:1769
 d_alloc_pseudo+0x19/0x70 fs/dcache.c:1898
 alloc_file_pseudo+0x13f/0x300 fs/file_table.c:256
 sock_alloc_file+0xb4/0x240 net/socket.c:463
 sock_map_fd net/socket.c:487 [inline]
 __sys_socket+0x198/0x380 net/socket.c:1565
 __do_sys_socket net/socket.c:1570 [inline]
 __se_sys_socket net/socket.c:1568 [inline]
 __x64_sys_socket+0x76/0x80 net/socket.c:1568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1352 [inline]
 free_pcp_prepare+0xd1c/0xe00 mm/page_alloc.c:1404
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page+0x7d/0x580 mm/page_alloc.c:3404
 do_slab_free mm/slub.c:3497 [inline]
 ___cache_free+0x107/0x160 mm/slub.c:3516
 qlist_free_all mm/kasan/quarantine.c:176 [inline]
 kasan_quarantine_reduce+0x169/0x1f0 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0x2f/0xe0 mm/kasan/common.c:446
 kasan_slab_alloc include/linux/kasan.h:260 [inline]
 slab_post_alloc_hook mm/slab.h:732 [inline]
 slab_alloc_node mm/slub.c:3230 [inline]
 slab_alloc mm/slub.c:3238 [inline]
 kmem_cache_alloc+0x1c9/0x310 mm/slub.c:3243
 getname_flags+0xba/0x650 fs/namei.c:138
 user_path_at_empty+0x2a/0x1a0 fs/namei.c:2850
 user_path_at include/linux/namei.h:57 [inline]
 vfs_statx+0x10f/0x3b0 fs/stat.c:221
 vfs_fstatat fs/stat.c:243 [inline]
 __do_sys_newfstatat fs/stat.c:412 [inline]
 __se_sys_newfstatat+0xc8/0x760 fs/stat.c:406
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff88803c6d4680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88803c6d4700: 00 00 00 fc fc fc fc fc fc fc fc fa fb fb fb fb
>ffff88803c6d4780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff88803c6d4800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88803c6d4880: fb fb fc fc fc fc fc fc fc fc 00 00 00 00 00 00
==================================================================