FS-Cache: O-key=[10] '5e5d245b2b255d30247b'
FS-Cache: N-cookie c=000000000f51eb3f [p=000000005b05de74 fl=2 nc=0 na=1]
FS-Cache: N-cookie d=0000000009db64ee n=000000003724c62b
FS-Cache: N-key=[10] '5e5d245b2b255d30247b'
==================================================================
BUG: KASAN: use-after-free in afs_activate_cell fs/afs/cell.c:547 [inline]
BUG: KASAN: use-after-free in afs_manage_cell+0xc67/0xe50 fs/afs/cell.c:633
Write of size 8 at addr ffff8880947e70f8 by task kworker/0:2/2920

CPU: 0 PID: 2920 Comm: kworker/0:2 Not tainted 5.0.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: afs afs_manage_cell
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x165/0x21a lib/dump_stack.c:113
 print_address_description.cold.3+0x9/0x211 mm/kasan/report.c:187
 kasan_report.cold.4+0x1b/0x37 mm/kasan/report.c:317
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:140
 afs_activate_cell fs/afs/cell.c:547 [inline]
 afs_manage_cell+0xc67/0xe50 fs/afs/cell.c:633
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153
 worker_thread+0x85/0xb60 kernel/workqueue.c:2296
 kthread+0x324/0x3e0 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 8764:
 save_stack mm/kasan/common.c:73 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.part.0+0x66/0x100 mm/kasan/common.c:496
 __kasan_kmalloc.constprop.1+0xb5/0xc0 mm/kasan/common.c:477
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:504
 kmem_cache_alloc_trace+0x15b/0x3d0 mm/slab.c:3609
 kmalloc include/linux/slab.h:545 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 afs_alloc_cell fs/afs/cell.c:141 [inline]
 afs_lookup_cell+0x14a/0xb70 fs/afs/cell.c:229
 afs_parse_source fs/afs/super.c:272 [inline]
 afs_parse_param+0x32d/0x7c0 fs/afs/super.c:308
 vfs_parse_fs_param+0x228/0x470 fs/fs_context.c:147
 vfs_parse_fs_string+0xb8/0x110 fs/fs_context.c:190
 generic_parse_monolithic+0x117/0x190 fs/fs_context.c:230
 parse_monolithic_mount_data+0x5c/0x83 fs/fs_context.c:641
 do_new_mount fs/namespace.c:2618 [inline]
 do_mount+0x10e4/0x2ae0 fs/namespace.c:2942
 ksys_mount+0xba/0xe0 fs/namespace.c:3151
 __do_sys_mount fs/namespace.c:3165 [inline]
 __se_sys_mount fs/namespace.c:3162 [inline]
 __x64_sys_mount+0xb9/0x150 fs/namespace.c:3162
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9:
 save_stack mm/kasan/common.c:73 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x13c/0x220 mm/kasan/common.c:458
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
 __cache_free mm/slab.c:3487 [inline]
 kfree+0xcf/0x220 mm/slab.c:3806
 afs_cell_destroy+0xd3/0x110 fs/afs/cell.c:438
 __rcu_reclaim kernel/rcu/rcu.h:240 [inline]
 rcu_do_batch kernel/rcu/tree.c:2452 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2773 [inline]
 rcu_process_callbacks+0x8a7/0x12e0 kernel/rcu/tree.c:2754
 __do_softirq+0x25e/0x958 kernel/softirq.c:292

The buggy address belongs to the object at ffff8880947e7080
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 120 bytes inside of
 512-byte region [ffff8880947e7080, ffff8880947e7280)
The buggy address belongs to the page:
page:ffffea000251f9c0 count:1 mapcount:0 mapping:ffff88812c3f6940 index:0xffff8880947e7d00
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002a28a88 ffffea000253d0c8 ffff88812c3f6940
raw: ffff8880947e7d00 ffff8880947e7080 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880947e6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880947e7000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880947e7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8880947e7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880947e7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================