==================================================================
kasan: CONFIG_KASAN_INLINE enabled
BUG: KASAN: use-after-free in do_shrink_slab+0xbd4/0xcb0 mm/vmscan.c:456
Read of size 8 at addr ffff8801979dc2d8 by task syz-executor7/22508

CPU: 1 PID: 22508 Comm: syz-executor7 Not tainted 4.18.0+ #198
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan: GPF could be caused by NULL-ptr deref or user memory access
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x30d mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 do_shrink_slab+0xbd4/0xcb0 mm/vmscan.c:456
general protection fault: 0000 [#1] SMP KASAN
CPU: 0 PID: 22511 Comm: syz-executor4 Not tainted 4.18.0+ #198
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline]
RIP: 0010:list_lru_from_memcg_idx mm/list_lru.c:55 [inline]
RIP: 0010:list_lru_count_one+0x156/0x460 mm/list_lru.c:194
Code: 08 3c 03 0f 8e b5 02 00 00 4d 63 bd d8 0a 00 00 e8 4f c0 d1 ff 48 8d 7b 50 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 d8 02 00 00 49 8d 46 c0 4c 8b 6b 50 48 ba 00 00
RSP: 0018:ffff8801cf02f288 EFLAGS: 00010206
 shrink_slab_memcg mm/vmscan.c:600 [inline]
 shrink_slab+0x7b7/0x990 mm/vmscan.c:673
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff81aba3c8
RDX: 000000000000000a RSI: ffffffff81aba151 RDI: 0000000000000050
RBP: ffff8801cf02f318 R08: ffff8801be22e3c0 R09: ffffed003b6046d6
R10: ffffed003b6046d6 R11: ffff8801db0236b3 R12: 1ffff10039e05e52
 shrink_node+0x429/0x16a0 mm/vmscan.c:2734
R13: ffff8801b6302a00 R14: ffff8801cf02f2f0 R15: 0000000000000005
FS:  0000000001525940(0000) GS:ffff8801db000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2ec2f000 CR3: 00000001a068a000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 list_lru_shrink_count include/linux/list_lru.h:122 [inline]
 xfs_buftarg_shrink_count+0x6e/0x90 fs/xfs/xfs_buf.c:1729
 shrink_zones mm/vmscan.c:2963 [inline]
 do_try_to_free_pages+0x3e7/0x1290 mm/vmscan.c:3025
 do_shrink_slab+0x192/0xcb0 mm/vmscan.c:463
 try_to_free_mem_cgroup_pages+0x49d/0xc90 mm/vmscan.c:3323
 shrink_slab_memcg mm/vmscan.c:600 [inline]
 shrink_slab+0x7b7/0x990 mm/vmscan.c:673
 reclaim_high.constprop.71+0x137/0x1e0 mm/memcontrol.c:2061
 shrink_node+0x429/0x16a0 mm/vmscan.c:2734
 mem_cgroup_handle_over_high+0x8d/0x130 mm/memcontrol.c:2086
 tracehook_notify_resume include/linux/tracehook.h:195 [inline]
 exit_to_usermode_loop+0x287/0x380 arch/x86/entry/common.c:166
 shrink_zones mm/vmscan.c:2963 [inline]
 do_try_to_free_pages+0x3e7/0x1290 mm/vmscan.c:3025
 prepare_exit_to_usermode+0x342/0x3b0 arch/x86/entry/common.c:197
 try_to_free_mem_cgroup_pages+0x49d/0xc90 mm/vmscan.c:3323
 retint_user+0x8/0x18
RIP: 0033:0x43e471
Code: 2e 0f 1f 84 00 00 00 00 00 48 83 fa 20 48 89 f8 73 77 f6 c2 01 74 0b 0f b6 0e 88 0f 48 ff c6 48 ff c7 f6 c2 02 74 12 0f b7 0e <66> 89 0f 48 83 c6 02 48 83 c7 02 0f 1f 40 00 f6 c2 04 74 0c 8b 0e
RSP: 002b:00007ffd6620db98 EFLAGS: 00010202
RAX: 0000000020753000 RBX: fffffffffffffffe RCX: 000000000000736d
RDX: 0000000000000006 RSI: 0000000000731288 RDI: 0000000020753000
RBP: 0000000000930aa0 R08: 0000000000000000 R09: 0000000000000001
 reclaim_high.constprop.71+0x137/0x1e0 mm/memcontrol.c:2061
R10: 00007ffd6620dc70 R11: 0000000000000246 R12: 00000000000003e8
R13: 00000000009300ac R14: 00000000000c3edd R15: 00000000000c3eb0

 mem_cgroup_handle_over_high+0x8d/0x130 mm/memcontrol.c:2086
Allocated by task 21626:
 tracehook_notify_resume include/linux/tracehook.h:195 [inline]
 exit_to_usermode_loop+0x287/0x380 arch/x86/entry/common.c:166
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x14e/0x760 mm/slab.c:3727
 kmalloc include/linux/slab.h:518 [inline]
 kmem_alloc+0xbc/0x1f0 fs/xfs/kmem.c:24
 prepare_exit_to_usermode+0x342/0x3b0 arch/x86/entry/common.c:197
 kmem_zalloc fs/xfs/kmem.h:73 [inline]
 xfs_alloc_buftarg+0x28/0x2c0 fs/xfs/xfs_buf.c:1790
 xfs_open_devices+0x403/0x720 fs/xfs/xfs_super.c:770
 xfs_fs_fill_super+0x855/0x1710 fs/xfs/xfs_super.c:1614
 mount_bdev+0x30c/0x3e0 fs/super.c:1177
 retint_user+0x8/0x18
 xfs_fs_mount+0x34/0x40 fs/xfs/xfs_super.c:1787
RIP: 0033:0x43e499
 mount_fs+0xae/0x328 fs/super.c:1280
Code: b7 0e 66 89 0f 48 83 c6 02 48 83 c7 02 0f 1f 40 00 f6 c2 04 74 0c 8b 0e 89 0f 48 83 c6 04 48 83 c7 04 f6 c2 08 74 0e 48 8b 0e <48> 89 0f 48 83 c6 08 48 83 c7 08 81 e2 f0 00 00 00 74 1f 0f 1f 40
 vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1046
RSP: 002b:00007ffda108c058 EFLAGS: 00010202
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2542 [inline]
 do_mount+0x581/0x30e0 fs/namespace.c:2872
 ksys_mount+0x12d/0x140 fs/namespace.c:3088
RAX: 0000000020d04000 RBX: fffffffffffffffe RCX: 0030656c69662f2e
 __do_sys_mount fs/namespace.c:3102 [inline]
 __se_sys_mount fs/namespace.c:3099 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3099
RDX: 0000000000000008 RSI: 0000000000730e40 RDI: 0000000020d04000
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
RBP: 0000000000930aa0 R08: 0000000000000000 R09: 0000000000000001
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
R10: 00007ffda108c130 R11: 0000000000000246 R12: 00000000000003e8

R13: 00000000009300ac R14: 00000000000c3ede R15: 00000000000c3eb1
Freed by task 21626:
Modules linked in:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
Dumping ftrace buffer:
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
   (ftrace buffer empty)
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
---[ end trace e6f4843ac05ad9d5 ]---
 kvfree+0x61/0x70 mm/util.c:442
 kmem_free fs/xfs/kmem.h:66 [inline]
 xfs_free_buftarg+0x3e/0x50 fs/xfs/xfs_buf.c:1743
 xfs_close_devices+0xf4/0x240 fs/xfs/xfs_super.c:695
RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline]
RIP: 0010:list_lru_from_memcg_idx mm/list_lru.c:55 [inline]
RIP: 0010:list_lru_count_one+0x156/0x460 mm/list_lru.c:194
 xfs_fs_fill_super+0xa31/0x1710 fs/xfs/xfs_super.c:1741
 mount_bdev+0x30c/0x3e0 fs/super.c:1177
 xfs_fs_mount+0x34/0x40 fs/xfs/xfs_super.c:1787
Code: 08 3c 03 0f 8e b5 02 00 00 4d 63 bd d8 0a 00 00 e8 4f c0 d1 ff 48 8d 7b 50 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 d8 02 00 00 49 8d 46 c0 4c 8b 6b 50 48 ba 00 00
 mount_fs+0xae/0x328 fs/super.c:1280
 vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2542 [inline]
 do_mount+0x581/0x30e0 fs/namespace.c:2872
RSP: 0018:ffff8801cf02f288 EFLAGS: 00010206
 ksys_mount+0x12d/0x140 fs/namespace.c:3088
 __do_sys_mount fs/namespace.c:3102 [inline]
 __se_sys_mount fs/namespace.c:3099 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3099
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8801979dc280
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 88 bytes inside of
 256-byte region [ffff8801979dc280, ffff8801979dc380)
The buggy address belongs to the page:
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff81aba3c8
page:ffffea00065e7700 count:1 mapcount:0 mapping:ffff8801dac007c0 index:0xffff8801979dcdc0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea0007530d48 ffffea0006c73a08 ffff8801dac007c0
RDX: 000000000000000a RSI: ffffffff81aba151 RDI: 0000000000000050
raw: ffff8801979dcdc0 ffff8801979dc000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

RBP: ffff8801cf02f318 R08: ffff8801be22e3c0 R09: ffffed003b6046d6
Memory state around the buggy address:
 ffff8801979dc180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801979dc200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8801979dc280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
R10: ffffed003b6046d6 R11: ffff8801db0236b3 R12: 1ffff10039e05e52
                                                    ^
 ffff8801979dc300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801979dc380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================
R13: ffff8801b6302a00 R14: ffff8801cf02f2f0 R15: 0000000000000005