bisecting cause commit starting from 171d4ff79f965c1f164705ef0aaea102a6ad238b
building syzkaller on 54289b0835634ca07a8117613c48b73e9e647d13
testing commit 171d4ff79f965c1f164705ef0aaea102a6ad238b with gcc (GCC) 8.1.0
kernel signature: 9db764812227052763a0c622c7a66a202940cb3530d4224e31b482950881a8db
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in afs_deactivate_cell
run #1: crashed: general protection fault in afs_proc_cell_remove
run #2: crashed: WARNING: ODEBUG bug in __do_softirq
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in afs_deactivate_cell
run #4: crashed: general protection fault in afs_proc_cell_setup
run #5: crashed: WARNING in __xlate_proc_name
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in afs_manage_cell
run #7: crashed: WARNING: proc registration bug in afs_manage_cell
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in afs_proc_cell_remove
run #9: crashed: WARNING in __proc_create
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: 5ea3e81ce8f79bc4f821b9c1848dc11a3323177aaad6af3614759e4f5d7929f8
run #0: crashed: BUG: Dentry still in use [unmount of afs afs]
run #1: crashed: WARNING in __proc_create
run #2: crashed: WARNING: ODEBUG bug in __do_softirq
run #3: crashed: WARNING in __xlate_proc_name
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in afs_manage_cell
run #5: crashed: BUG: unable to handle kernel paging request in afs_proc_cell_setup
run #6: crashed: WARNING in __proc_create
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in afs_proc_cell_remove
run #8: crashed: general protection fault in afs_deactivate_cell
run #9: crashed: WARNING in __proc_create
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0
kernel signature: 12f23d420e223cacd89f296ecbfc28162dd3e9da1df7f847e41388ce32981f0c
run #0: crashed: KASAN: use-after-free Write in afs_manage_cell
run #1: crashed: KASAN: use-after-free Read in afs_deactivate_cell
run #2: crashed: KASAN: use-after-free Write in afs_manage_cell
run #3: crashed: KASAN: use-after-free Read in afs_deactivate_cell
run #4: crashed: KASAN: use-after-free Write in afs_manage_cell
run #5: crashed: KASAN: use-after-free Write in afs_manage_cell
run #6: crashed: KASAN: use-after-free Read in afs_deactivate_cell
run #7: crashed: KASAN: use-after-free Write in afs_manage_cell
run #8: crashed: KASAN: use-after-free Read in afs_manage_cell
run #9: crashed: KASAN: use-after-free Write in afs_manage_cell
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 4033d4af1df42509c1eb4f1f1ffe3dd9a9c2cb73b102768c047695f79366f2e6
run #0: crashed: KASAN: use-after-free Read in afs_deactivate_cell
run #1: crashed: KASAN: use-after-free Write in afs_manage_cell
run #2: crashed: KASAN: use-after-free Read in __xlate_proc_name
run #3: crashed: KASAN: use-after-free Write in afs_manage_cell
run #4: crashed: WARNING: ODEBUG bug in __do_softirq
run #5: crashed: KASAN: use-after-free Write in afs_manage_cell
run #6: crashed: WARNING: ODEBUG bug in __do_softirq
run #7: crashed: KASAN: use-after-free Read in __xlate_proc_name
run #8: crashed: KASAN: use-after-free Write in afs_manage_cell
run #9: crashed: KASAN: use-after-free Read in fscache_alloc_cookie
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: 38b4c60fd8bf3c81f3f97f54f3940450a8ed96bcdcf971dc02ddef3ebdaab05e
run #0: crashed: KASAN: use-after-free Write in afs_deactivate_cell
run #1: crashed: KASAN: use-after-free Write in afs_manage_cell
run #2: crashed: KASAN: use-after-free Write in afs_manage_cell
run #3: crashed: KASAN: use-after-free Read in afs_deactivate_cell
run #4: crashed: WARNING: ODEBUG bug in __do_softirq
run #5: crashed: WARNING: ODEBUG bug in __do_softirq
run #6: crashed: KASAN: use-after-free Write in afs_manage_cell
run #7: crashed: KASAN: use-after-free Write in afs_manage_cell
run #8: crashed: KASAN: use-after-free Write in afs_deactivate_cell
run #9: crashed: KASAN: use-after-free Write in afs_manage_cell
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 600e245b60d82067ff3ff0b8082e34212e4dfe58de767d58a39d85929f3b8d3d
run #0: crashed: WARNING: ODEBUG bug in __do_softirq
run #1: crashed: KASAN: use-after-free Read in afs_manage_cell
run #2: crashed: KASAN: use-after-free Read in fscache_alloc_cookie
run #3: crashed: KASAN: use-after-free Write in afs_manage_cell
run #4: crashed: KASAN: use-after-free Write in afs_manage_cell
run #5: crashed: KASAN: use-after-free Write in afs_manage_cell
run #6: crashed: KASAN: use-after-free Read in afs_dynroot_rmdir
run #7: crashed: KASAN: use-after-free Write in afs_manage_cell
run #8: crashed: KASAN: use-after-free Write in afs_manage_cell
run #9: crashed: KASAN: use-after-free Write in afs_manage_cell
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: 73957f261135caf32df2252497ec799a4413ac814143b094ed35c49c6430149b
run #0: crashed: KASAN: use-after-free Write in afs_manage_cell
run #1: crashed: KASAN: use-after-free Read in __proc_create
run #2: crashed: KASAN: use-after-free Write in afs_deactivate_cell
run #3: crashed: KASAN: use-after-free Read in __proc_create
run #4: crashed: KASAN: use-after-free Read in afs_deactivate_cell
run #5: crashed: WARNING: ODEBUG bug in afs_cell_destroy
run #6: crashed: KASAN: use-after-free Write in afs_manage_cell
run #7: crashed: KASAN: use-after-free Write in afs_manage_cell
run #8: crashed: KASAN: use-after-free Write in afs_deactivate_cell
run #9: crashed: KASAN: use-after-free Write in afs_manage_cell
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: a0d926afd4ef51cb332fe1dcf855e480be3d65a38446c62d3e432a335d123ba6
run #0: crashed: KASAN: use-after-free Write in afs_manage_cell
run #1: crashed: KASAN: use-after-free Write in afs_manage_cell
run #2: crashed: KASAN: use-after-free Write in afs_manage_cell
run #3: crashed: KASAN: use-after-free Read in __proc_create
run #4: crashed: KASAN: use-after-free Write in afs_deactivate_cell
run #5: crashed: KASAN: use-after-free Write in afs_manage_cell
run #6: crashed: KASAN: use-after-free Write in afs_manage_cell
run #7: crashed: KASAN: use-after-free Read in afs_deactivate_cell
run #8: crashed: WARNING: ODEBUG bug in afs_cell_destroy
run #9: crashed: KASAN: use-after-free Read in afs_deactivate_cell
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
kernel signature: 35ce30c64568c484ac35594f76218ca45455823304ee38704ed30b2495ba4391
run #0: crashed: KASAN: use-after-free Write in afs_deactivate_cell
run #1: crashed: KASAN: use-after-free Write in afs_manage_cell
run #2: crashed: KASAN: use-after-free Write in afs_deactivate_cell
run #3: crashed: KASAN: use-after-free Read in afs_manage_cell
run #4: crashed: KASAN: use-after-free Write in afs_manage_cell
run #5: crashed: KASAN: use-after-free Write in afs_manage_cell
run #6: crashed: KASAN: use-after-free Write in afs_manage_cell
run #7: crashed: KASAN: use-after-free Write in afs_manage_cell
run #8: crashed: KASAN: use-after-free Read in afs_deactivate_cell
run #9: crashed: KASAN: use-after-free Read in afs_deactivate_cell
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
kernel signature: 3a99eb6bf795759fd55794aabfddf03d70dc3347ebb0235b447973fa85ec418a
all runs: OK
# git bisect start e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd 1c163f4c7b3f621efff9b28a47abb36f7378d783
Bisecting: 7074 revisions left to test after this (roughly 13 steps)
[b5dd0c658c31b469ccff1b637e5124851e7a4a1c] Merge branch 'akpm' (patches from Andrew)
testing commit b5dd0c658c31b469ccff1b637e5124851e7a4a1c with gcc (GCC) 8.1.0
kernel signature: f95cecad11c1b62cb9e31d713eee2ab6b007b16a4fc0f2c9e39dbf1718b1faab
all runs: OK
# git bisect good b5dd0c658c31b469ccff1b637e5124851e7a4a1c
Bisecting: 3573 revisions left to test after this (roughly 12 steps)
[4f0237062ca70c8e34e16e518aee4b84c30d1832] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
testing commit 4f0237062ca70c8e34e16e518aee4b84c30d1832 with gcc (GCC) 8.1.0
kernel signature: bd0d159108aab97dd7906b00c6dd339140c92a05d9518efea89dd3187891bd5b
all runs: OK
# git bisect good 4f0237062ca70c8e34e16e518aee4b84c30d1832
Bisecting: 1796 revisions left to test after this (roughly 11 steps)
[345077c8e172c255ea0707214303ccd099e5656b] KVM: PPC: Book3S: Protect memslots while validating user address
testing commit 345077c8e172c255ea0707214303ccd099e5656b with gcc (GCC) 8.1.0
kernel signature: b6087f65362c068ee05dcec386f6a78ae687976ad633e8091804cd2c2b9676ee
run #0: crashed: KASAN: use-after-free Write in afs_manage_cell
run #1: crashed: KASAN: use-after-free Write in afs_manage_cell
run #2: crashed: KASAN: use-after-free Read in __d_alloc
run #3: crashed: KASAN: use-after-free Read in fscache_alloc_cookie
run #4: crashed: KASAN: use-after-free Write in afs_deactivate_cell
run #5: crashed: KASAN: use-after-free Read in afs_manage_cell
run #6: crashed: KASAN: use-after-free Read in afs_manage_cell
run #7: crashed: KASAN: use-after-free Write in afs_manage_cell
run #8: crashed: WARNING: ODEBUG bug in afs_cell_destroy
run #9: crashed: KASAN: use-after-free Write in afs_manage_cell
# git bisect bad 345077c8e172c255ea0707214303ccd099e5656b
Bisecting: 880 revisions left to test after this (roughly 10 steps)
[f3ca4c55a6581c46e9f4a592dd698a7c67a713dd] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit f3ca4c55a6581c46e9f4a592dd698a7c67a713dd with gcc (GCC) 8.1.0
kernel signature: 991aa420b25061205e1b523e784ed8325230aa3ef4030cc76c3fc182b5b1e152
run #0: crashed: WARNING: ODEBUG bug in afs_cell_destroy
run #1: crashed: KASAN: use-after-free Read in afs_manage_cell
run #2: crashed: WARNING: ODEBUG bug in afs_cell_destroy
run #3: crashed: WARNING: ODEBUG bug in afs_cell_destroy
run #4: crashed: WARNING: ODEBUG bug in afs_cell_destroy
run #5: crashed: KASAN: use-after-free Write in afs_manage_cell
run #6: crashed: KASAN: use-after-free Read in afs_deactivate_cell
run #7: crashed: KASAN: use-after-free Write in afs_manage_cell
run #8: crashed: KASAN: use-after-free Read in afs_manage_cell
run #9: crashed: KASAN: use-after-free Write in afs_manage_cell
# git bisect bad f3ca4c55a6581c46e9f4a592dd698a7c67a713dd
Bisecting: 441 revisions left to test after this (roughly 9 steps)
[a5adcfcad55d5f034b33f79f1a873229d1e77b24] Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
testing commit a5adcfcad55d5f034b33f79f1a873229d1e77b24 with gcc (GCC) 8.1.0
kernel signature: 4d8d3c81e117cac9bfced104a2e28770d47299b37acf7bc20c743e9162e8e07c
run #0: crashed: KASAN: use-after-free Write in afs_manage_cell
run #1: crashed: KASAN: use-after-free Write in afs_manage_cell
run #2: crashed: KASAN: use-after-free Write in afs_manage_cell
run #3: crashed: KASAN: use-after-free Write in afs_manage_cell
run #4: crashed: KASAN: use-after-free Write in afs_deactivate_cell
run #5: crashed: KASAN: use-after-free Read in afs_manage_cell
run #6: crashed: KASAN: use-after-free Read in fscache_alloc_cookie
run #7: crashed: KASAN: use-after-free Write in afs_manage_cell
run #8: crashed: KASAN: use-after-free Write in afs_manage_cell
run #9: crashed: KASAN: use-after-free Write in afs_manage_cell
# git bisect bad a5adcfcad55d5f034b33f79f1a873229d1e77b24
Bisecting: 225 revisions left to test after this (roughly 8 steps)
[5f739e4a491ab63730ef3b7464171340c689fbff] Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
testing commit 5f739e4a491ab63730ef3b7464171340c689fbff with gcc (GCC) 8.1.0
kernel signature: 22b40cd95dd264170f2434c6f8cbbf7256c5899519fd4dd372a3ef74de1675d8
all runs: OK
# git bisect good 5f739e4a491ab63730ef3b7464171340c689fbff
Bisecting: 134 revisions left to test after this (roughly 7 steps)
[4d6c671ace569d4b0d3f8d92ab3aef18a5d166bc] SUNRPC: Take the transport send lock before binding+connecting
testing commit 4d6c671ace569d4b0d3f8d92ab3aef18a5d166bc with gcc (GCC) 8.1.0
kernel signature: 50313e42ae6b4ab510f780180712b2cbf6d0eeb3f74cba689f455607c4a34e81
all runs: OK
# git bisect good 4d6c671ace569d4b0d3f8d92ab3aef18a5d166bc
Bisecting: 63 revisions left to test after this (roughly 6 steps)
[dfee9c257b102d7c0407629eef2ed32e152de0d2] Merge tag 'fuse-update-5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse
testing commit dfee9c257b102d7c0407629eef2ed32e152de0d2 with gcc (GCC) 8.1.0
kernel signature: 9ff654bb390baa9d1fe514c66cbe62b42cb08275b6fc16dc0e120b0c5e940d0e
run #0: crashed: KASAN: use-after-free Write in afs_deactivate_cell
run #1: crashed: KASAN: use-after-free Write in afs_manage_cell
run #2: crashed: KASAN: use-after-free Write in afs_manage_cell
run #3: crashed: KASAN: use-after-free Write in afs_manage_cell
run #4: crashed: KASAN: use-after-free Read in afs_deactivate_cell
run #5: crashed: KASAN: use-after-free Read in afs_manage_cell
run #6: crashed: WARNING: ODEBUG bug in afs_cell_destroy
run #7: crashed: KASAN: use-after-free Write in afs_manage_cell
run #8: crashed: KASAN: use-after-free Write in afs_manage_cell
run #9: crashed: KASAN: use-after-free Write in afs_deactivate_cell
# git bisect bad dfee9c257b102d7c0407629eef2ed32e152de0d2
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[32021982a324dce93b4ae00c06213bf45fb319c8] hugetlbfs: Convert to fs_context
testing commit 32021982a324dce93b4ae00c06213bf45fb319c8 with gcc (GCC) 8.1.0
kernel signature: 7ae640a02aaa30b28c360736142326cff20e639902c24de3678c6e7020425c17
all runs: OK
# git bisect good 32021982a324dce93b4ae00c06213bf45fb319c8
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[75126f5504524dd0f24753d8815db42d9ab23614] fuse: use atomic64_t for khctr
testing commit 75126f5504524dd0f24753d8815db42d9ab23614 with gcc (GCC) 8.1.0
kernel signature: ba377778b61d723c085c8dc02b572ab79330b00383029071da090c158b9c84c5
all runs: OK
# git bisect good 75126f5504524dd0f24753d8815db42d9ab23614
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[7b47a9e7c8f672b6fb0b77fca11a63a8a77f5a91] Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
testing commit 7b47a9e7c8f672b6fb0b77fca11a63a8a77f5a91 with gcc (GCC) 8.1.0
kernel signature: 70f1415fce704f98a42e32b39542eaf9169c1221cd1691ae350846ea2989740d
run #0: crashed: KASAN: use-after-free Read in __proc_create
run #1: crashed: KASAN: use-after-free Read in afs_deactivate_cell
run #2: crashed: KASAN: use-after-free Write in afs_manage_cell
run #3: crashed: KASAN: use-after-free Write in afs_deactivate_cell
run #4: crashed: KASAN: use-after-free Write in afs_manage_cell
run #5: crashed: KASAN: use-after-free Read in afs_manage_cell
run #6: crashed: KASAN: use-after-free Write in afs_deactivate_cell
run #7: crashed: KASAN: use-after-free Read in fscache_alloc_cookie
run #8: crashed: KASAN: use-after-free Read in fscache_alloc_cookie
run #9: crashed: KASAN: use-after-free Write in afs_manage_cell
# git bisect bad 7b47a9e7c8f672b6fb0b77fca11a63a8a77f5a91
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[13fcc6837049f1bd76d57e9abc217a91fdbad764] afs: Add fs_context support
testing commit 13fcc6837049f1bd76d57e9abc217a91fdbad764 with gcc (GCC) 8.1.0
kernel signature: f099192db06807a791f6dbd9273b096422e90f110085b1aed5fd50ef9f0e94d5
all runs: OK
# git bisect good 13fcc6837049f1bd76d57e9abc217a91fdbad764
Bisecting: 2 revisions left to test after this (roughly 1 step)
[6daef95b8c914866a46247232a048447fff97279] iov_iter: optimize page_copy_sane()
testing commit 6daef95b8c914866a46247232a048447fff97279 with gcc (GCC) 8.1.0
kernel signature: 5090218853d4ab67029583181b8a80908c0859eb7e2ec61e43e86db7153efada
all runs: OK
# git bisect good 6daef95b8c914866a46247232a048447fff97279
Bisecting: 1 revision left to test after this (roughly 1 step)
[c99c2171fc61476afac0dfb59fb2c447a01fb1e0] afs: Use fs_context to pass parameters over automount
testing commit c99c2171fc61476afac0dfb59fb2c447a01fb1e0 with gcc (GCC) 8.1.0
kernel signature: 6322a6d585ff757085911e31f8cdd2d848495d2fa7569b3b0fe9f601a2070294
run #0: crashed: KASAN: use-after-free Read in afs_manage_cell
run #1: crashed: KASAN: use-after-free Read in afs_deactivate_cell
run #2: crashed: KASAN: use-after-free Write in afs_manage_cell
run #3: crashed: KASAN: use-after-free Write in afs_manage_cell
run #4: crashed: KASAN: use-after-free Write in afs_deactivate_cell
run #5: crashed: KASAN: use-after-free Write in afs_deactivate_cell
run #6: crashed: KASAN: use-after-free Write in afs_manage_cell
run #7: crashed: KASAN: use-after-free Write in afs_manage_cell
run #8: crashed: KASAN: use-after-free Write in afs_manage_cell
run #9: crashed: KASAN: use-after-free Write in afs_manage_cell
# git bisect bad c99c2171fc61476afac0dfb59fb2c447a01fb1e0
c99c2171fc61476afac0dfb59fb2c447a01fb1e0 is the first bad commit
commit c99c2171fc61476afac0dfb59fb2c447a01fb1e0
Author: David Howells <dhowells@redhat.com>
Date:   Thu Nov 1 23:07:27 2018 +0000

    afs: Use fs_context to pass parameters over automount
    
    Alter the AFS automounting code to create and modify an fs_context struct
    when parameterising a new mount triggered by an AFS mountpoint rather than
    constructing device name and option strings.
    
    Also remove the cell=, vol= and rwpath options as they are then redundant.
    The reason they existed is because the 'device name' may be derived
    literally from a mountpoint object in the filesystem, so default cell and
    parent-type information needed to be passed in by some other method from
    the automount routines.  The vol= option didn't end up being used.
    
    Signed-off-by: David Howells <dhowells@redhat.com>
    cc: Eric W. Biederman <ebiederm@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/afs/internal.h |   1 -
 fs/afs/mntpt.c    | 148 ++++++++++++++++++++++++++++--------------------------
 fs/afs/super.c    |  40 ++-------------
 3 files changed, 80 insertions(+), 109 deletions(-)
culprit signature: 6322a6d585ff757085911e31f8cdd2d848495d2fa7569b3b0fe9f601a2070294
parent  signature: f099192db06807a791f6dbd9273b096422e90f110085b1aed5fd50ef9f0e94d5
revisions tested: 24, total time: 5h8m58.814275175s (build: 2h30m25.261320478s, test: 2h35m25.913623951s)
first bad commit: c99c2171fc61476afac0dfb59fb2c447a01fb1e0 afs: Use fs_context to pass parameters over automount
recipients (to): ["dhowells@redhat.com" "dhowells@redhat.com" "linux-afs@lists.infradead.org" "viro@zeniv.linux.org.uk"]
recipients (cc): ["linux-kernel@vger.kernel.org"]
crash: KASAN: use-after-free Write in afs_manage_cell
FS-Cache: O-key=[10] '5e5d245b2b255d30247b'
FS-Cache: N-cookie c=000000000f51eb3f [p=000000005b05de74 fl=2 nc=0 na=1]
FS-Cache: N-cookie d=0000000009db64ee n=000000003724c62b
FS-Cache: N-key=[10] '5e5d245b2b255d30247b'
==================================================================
BUG: KASAN: use-after-free in afs_activate_cell fs/afs/cell.c:547 [inline]
BUG: KASAN: use-after-free in afs_manage_cell+0xc67/0xe50 fs/afs/cell.c:633
Write of size 8 at addr ffff8880947e70f8 by task kworker/0:2/2920

CPU: 0 PID: 2920 Comm: kworker/0:2 Not tainted 5.0.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: afs afs_manage_cell
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x165/0x21a lib/dump_stack.c:113
 print_address_description.cold.3+0x9/0x211 mm/kasan/report.c:187
 kasan_report.cold.4+0x1b/0x37 mm/kasan/report.c:317
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:140
 afs_activate_cell fs/afs/cell.c:547 [inline]
 afs_manage_cell+0xc67/0xe50 fs/afs/cell.c:633
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153
 worker_thread+0x85/0xb60 kernel/workqueue.c:2296
 kthread+0x324/0x3e0 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 8764:
 save_stack mm/kasan/common.c:73 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.part.0+0x66/0x100 mm/kasan/common.c:496
 __kasan_kmalloc.constprop.1+0xb5/0xc0 mm/kasan/common.c:477
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:504
 kmem_cache_alloc_trace+0x15b/0x3d0 mm/slab.c:3609
 kmalloc include/linux/slab.h:545 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 afs_alloc_cell fs/afs/cell.c:141 [inline]
 afs_lookup_cell+0x14a/0xb70 fs/afs/cell.c:229
 afs_parse_source fs/afs/super.c:272 [inline]
 afs_parse_param+0x32d/0x7c0 fs/afs/super.c:308
 vfs_parse_fs_param+0x228/0x470 fs/fs_context.c:147
 vfs_parse_fs_string+0xb8/0x110 fs/fs_context.c:190
 generic_parse_monolithic+0x117/0x190 fs/fs_context.c:230
 parse_monolithic_mount_data+0x5c/0x83 fs/fs_context.c:641
 do_new_mount fs/namespace.c:2618 [inline]
 do_mount+0x10e4/0x2ae0 fs/namespace.c:2942
 ksys_mount+0xba/0xe0 fs/namespace.c:3151
 __do_sys_mount fs/namespace.c:3165 [inline]
 __se_sys_mount fs/namespace.c:3162 [inline]
 __x64_sys_mount+0xb9/0x150 fs/namespace.c:3162
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9:
 save_stack mm/kasan/common.c:73 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x13c/0x220 mm/kasan/common.c:458
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
 __cache_free mm/slab.c:3487 [inline]
 kfree+0xcf/0x220 mm/slab.c:3806
 afs_cell_destroy+0xd3/0x110 fs/afs/cell.c:438
 __rcu_reclaim kernel/rcu/rcu.h:240 [inline]
 rcu_do_batch kernel/rcu/tree.c:2452 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2773 [inline]
 rcu_process_callbacks+0x8a7/0x12e0 kernel/rcu/tree.c:2754
 __do_softirq+0x25e/0x958 kernel/softirq.c:292

The buggy address belongs to the object at ffff8880947e7080
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 120 bytes inside of
 512-byte region [ffff8880947e7080, ffff8880947e7280)
The buggy address belongs to the page:
page:ffffea000251f9c0 count:1 mapcount:0 mapping:ffff88812c3f6940 index:0xffff8880947e7d00
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002a28a88 ffffea000253d0c8 ffff88812c3f6940
raw: ffff8880947e7d00 ffff8880947e7080 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880947e6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880947e7000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880947e7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8880947e7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880947e7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================