==================================================================
BUG: KASAN: use-after-free in relay_switch_subbuf+0x8c0/0x930 kernel/relay.c:755
Read of size 8 at addr ffff888095df81f8 by task syz-executor.3/13201

CPU: 1 PID: 13201 Comm: syz-executor.3 Not tainted 5.1.0-rc5+ #72
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 relay_switch_subbuf+0x8c0/0x930 kernel/relay.c:755
 relay_reserve include/linux/relay.h:261 [inline]
 trace_note.isra.0+0x5b8/0x6e0 kernel/trace/blktrace.c:93
 trace_note_tsk kernel/trace/blktrace.c:124 [inline]
 __blk_add_trace+0xb70/0xe10 kernel/trace/blktrace.c:264
 blk_add_trace_rq+0x185/0x1f0 kernel/trace/blktrace.c:819
 blk_add_trace_rq_complete+0x17a/0x1e0 kernel/trace/blktrace.c:848
 trace_block_rq_complete include/trace/events/block.h:116 [inline]
 blk_update_request+0x812/0xba0 block/blk-core.c:1434
 scsi_end_request+0x7f/0x850 drivers/scsi/scsi_lib.c:579
 scsi_io_completion+0x20a/0x1420 drivers/scsi/scsi_lib.c:964
 scsi_finish_command+0x3ba/0x670 drivers/scsi/scsi.c:232
 scsi_softirq_done+0x33b/0x3e0 drivers/scsi/scsi_lib.c:1464
 blk_done_softirq+0x304/0x4d0 block/blk-softirq.c:37
 __do_softirq+0x266/0x95a kernel/softirq.c:293
 invoke_softirq kernel/softirq.c:374 [inline]
 irq_exit+0x180/0x1d0 kernel/softirq.c:414
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 do_IRQ+0x114/0x1d0 arch/x86/kernel/irq.c:258
 common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:583
 </IRQ>
RIP: 0010:lock_release+0x68/0xa00 kernel/locking/lockdep.c:4220
Code: 48 8d 14 03 48 c7 45 80 93 bd 57 88 65 4c 8b 34 25 00 ee 01 00 49 8d be 7c 08 00 00 48 c7 45 88 10 8c 57 81 c7 02 f1 f1 f1 f1 <c7> 42 04 04 f3 f3 f3 48 89 fa 65 48 8b 34 25 28 00 00 00 48 89 75
RSP: 0018:ffff88805a4d75c0 EFLAGS: 00000286 ORIG_RAX: ffffffffffffffdd
RAX: dffffc0000000000 RBX: 1ffff1100b49aebe RCX: ffffffff815ecff4
RDX: ffffed100b49aebe RSI: 0000000000000001 RDI: ffff8880551baf7c
RBP: ffff88805a4d7678 R08: 1ffff11015d25bc7 R09: ffffed1015d25bc8
R10: ffffed1015d25bc7 R11: ffff8880ae92de3b R12: ffffffff889a5980
R13: ffffffff81ae0783 R14: ffff8880551ba700 R15: ffff88805a4d7650
 rcu_lock_release include/linux/rcupdate.h:215 [inline]
 rcu_read_unlock include/linux/rcupdate.h:649 [inline]
 __unlock_page_memcg+0x70/0x100 mm/memcontrol.c:1944
 unlock_page_memcg+0x2c/0x40 mm/memcontrol.c:1953
 page_remove_file_rmap mm/rmap.c:1251 [inline]
 page_remove_rmap+0x57b/0x12c0 mm/rmap.c:1302
 zap_pte_range mm/memory.c:1091 [inline]
 zap_pmd_range mm/memory.c:1193 [inline]
 zap_pud_range mm/memory.c:1222 [inline]
 zap_p4d_range mm/memory.c:1243 [inline]
 unmap_page_range+0xd70/0x2330 mm/memory.c:1264
 unmap_single_vma+0x19d/0x300 mm/memory.c:1309
 unmap_vmas+0x115/0x250 mm/memory.c:1340
 exit_mmap+0x2c2/0x530 mm/mmap.c:3138
 __mmput kernel/fork.c:1046 [inline]
 mmput+0x15f/0x4c0 kernel/fork.c:1067
 exit_mm kernel/exit.c:546 [inline]
 do_exit+0x816/0x2fa0 kernel/exit.c:863
 do_group_exit+0x135/0x370 kernel/exit.c:980
 get_signal+0x399/0x1d50 kernel/signal.c:2577
 do_signal+0x87/0x1940 arch/x86/kernel/signal.c:816
 exit_to_usermode_loop+0x244/0x2c0 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458c29
Code: Bad RIP value.
RSP: 002b:00007f48f8182cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000073bf08 RCX: 0000000000458c29
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000073bf08
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000073bf0c
R13: 0000000000a4fb5f R14: 00007f48f81839c0 R15: 000000000073bf0c

Allocated by task 32191:
 save_stack+0x45/0xd0 mm/kasan/common.c:75
 set_track mm/kasan/common.c:87 [inline]
 __kasan_kmalloc mm/kasan/common.c:497 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:505
 slab_post_alloc_hook mm/slab.h:437 [inline]
 slab_alloc mm/slab.c:3394 [inline]
 kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3556
 __d_alloc+0x2e/0x8c0 fs/dcache.c:1622
 d_alloc+0x4d/0x2b0 fs/dcache.c:1701
 __lookup_hash+0xcd/0x190 fs/namei.c:1540
 filename_create+0x1a7/0x4f0 fs/namei.c:3635
 user_path_create fs/namei.c:3692 [inline]
 do_symlinkat+0xf3/0x290 fs/namei.c:4145
 __do_sys_symlink fs/namei.c:4171 [inline]
 __se_sys_symlink fs/namei.c:4169 [inline]
 __x64_sys_symlink+0x59/0x80 fs/namei.c:4169
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 132:
 save_stack+0x45/0xd0 mm/kasan/common.c:75
 set_track mm/kasan/common.c:87 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
 __cache_free mm/slab.c:3500 [inline]
 kmem_cache_free+0x86/0x260 mm/slab.c:3766
 __d_free+0x20/0x30 fs/dcache.c:269
 __rcu_reclaim kernel/rcu/rcu.h:227 [inline]
 rcu_do_batch kernel/rcu/tree.c:2475 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2788 [inline]
 rcu_core+0x916/0x13a0 kernel/rcu/tree.c:2769
 __do_softirq+0x266/0x95a kernel/softirq.c:293

The buggy address belongs to the object at ffff888095df81a0
 which belongs to the cache dentry(65:syz2) of size 288
The buggy address is located 88 bytes inside of
 288-byte region [ffff888095df81a0, ffff888095df82c0)
The buggy address belongs to the page:
page:ffffea0002577e00 count:1 mapcount:0 mapping:ffff88808e2a5e00 index:0xffff888095df85c0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea0001312b48 ffffea000127fd08 ffff88808e2a5e00
raw: ffff888095df85c0 ffff888095df8040 0000000100000007 ffff88805ea90c00
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88805ea90c00

Memory state around the buggy address:
 ffff888095df8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888095df8100: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff888095df8180: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff888095df8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888095df8280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================