bisecting cause commit starting from 49e7e3e905e437a02782019570f70997e2da9101 building syzkaller on 5abc3f1ab298244473b613c289f1536e366fcf04 testing commit 49e7e3e905e437a02782019570f70997e2da9101 with gcc (GCC) 8.1.0 kernel signature: 372546b4037585b8fc3f3877331ad892bbcca1cc33c451033bf50de2ffdc8e83 run #0: crashed: general protection fault in afs_proc_cell_remove run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in afs_deactivate_cell run #2: crashed: BUG: Dentry still in use [unmount of afs afs] run #3: crashed: general protection fault in afs_proc_cell_remove run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in afs_deactivate_cell run #5: crashed: WARNING in __proc_create run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in afs_manage_cell run #7: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor012354351" "root@10.128.10.0:./syz-executor012354351"]: exit status 1 ssh: connect to host 10.128.10.0 port 22: Connection timed out lost connection run #8: crashed: no output from test machine run #9: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor879624386" "root@10.128.0.39:./syz-executor879624386"]: exit status 1 ssh: connect to host 10.128.0.39 port 22: Connection timed out lost connection testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: 6f18190947f3496de6b943f0b89f6f198efe8da8f79e56ea168db601c5be373a run #0: crashed: BUG: Dentry still in use [unmount of afs afs] run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in afs_deactivate_cell run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in afs_deactivate_cell run #3: crashed: general protection fault in afs_dns_query run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in afs_manage_cell run #5: crashed: WARNING: ODEBUG bug in __do_softirq run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in afs_proc_cell_remove run #7: crashed: WARNING in __proc_create run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in afs_manage_cell run #9: crashed: INFO: rcu detected stall in sys_mount testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0 kernel signature: df9c1f721f39f71727e7c9ede4d8f6aad1c0194053b09bcc89437bb2275a9892 run #0: crashed: KASAN: use-after-free Write in afs_deactivate_cell run #1: crashed: KASAN: use-after-free Write in afs_manage_cell run #2: crashed: KASAN: use-after-free Read in afs_deactivate_cell run #3: crashed: KASAN: use-after-free Write in afs_deactivate_cell run #4: crashed: WARNING: ODEBUG bug in __do_softirq run #5: crashed: KASAN: use-after-free Write in afs_manage_cell run #6: crashed: INFO: rcu detected stall in corrupted run #7: crashed: KASAN: use-after-free Read in afs_deactivate_cell run #8: crashed: KASAN: use-after-free Write in afs_manage_cell run #9: crashed: WARNING: ODEBUG bug in __do_softirq testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: 8d7bad6828c7d8dfb62467a8079e27b7586ada4e87607e5b797c9e78ccf4c0c5 run #0: crashed: KASAN: use-after-free Write in afs_manage_cell run #1: crashed: WARNING: ODEBUG bug in __do_softirq run #2: crashed: KASAN: use-after-free Read in afs_deactivate_cell run #3: crashed: KASAN: use-after-free Read in afs_deactivate_cell run #4: crashed: KASAN: use-after-free Write in afs_manage_cell run #5: crashed: KASAN: use-after-free Write in afs_manage_cell run #6: crashed: KASAN: use-after-free Write in afs_manage_cell run #7: crashed: KASAN: use-after-free Write in afs_manage_cell run #8: crashed: KASAN: use-after-free Read in __proc_create run #9: boot failed: can't ssh into the instance testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0 kernel signature: 7721ac9b925157070f724adfe1d1820385cb5af24698bc28441712da12cde5b8 run #0: crashed: KASAN: use-after-free Read in afs_deactivate_cell run #1: crashed: KASAN: use-after-free Write in afs_manage_cell run #2: crashed: KASAN: use-after-free Write in afs_manage_cell run #3: crashed: KASAN: use-after-free Write in afs_manage_cell run #4: crashed: KASAN: use-after-free Read in afs_deactivate_cell run #5: crashed: KASAN: use-after-free Write in afs_manage_cell run #6: crashed: KASAN: use-after-free Read in afs_manage_cell run #7: crashed: KASAN: use-after-free Read in afs_manage_cell run #8: crashed: KASAN: use-after-free Read in fscache_alloc_cookie run #9: crashed: KASAN: use-after-free Write in afs_manage_cell testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: 00192178dd7196815b5e4ca32686e41ccaf3c673f57ac7f228376fd9f696ff70 run #0: crashed: KASAN: use-after-free Read in afs_deactivate_cell run #1: crashed: WARNING: ODEBUG bug in __do_softirq run #2: crashed: KASAN: use-after-free Write in afs_manage_cell run #3: crashed: WARNING: ODEBUG bug in __do_softirq run #4: crashed: KASAN: use-after-free Write in afs_manage_cell run #5: crashed: KASAN: use-after-free Write in afs_manage_cell run #6: crashed: KASAN: use-after-free Write in afs_deactivate_cell run #7: crashed: KASAN: use-after-free Read in afs_manage_cell run #8: crashed: KASAN: use-after-free Write in afs_manage_cell run #9: crashed: KASAN: use-after-free Write in afs_manage_cell testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: 9426904eca92465ab4f1326fab264c8217dd60d7405b3612eeee8364784c3eb2 run #0: crashed: KASAN: use-after-free Write in afs_manage_cell run #1: crashed: KASAN: use-after-free Write in afs_deactivate_cell run #2: crashed: KASAN: use-after-free Write in afs_deactivate_cell run #3: crashed: KASAN: use-after-free Write in afs_manage_cell run #4: crashed: KASAN: use-after-free Write in afs_deactivate_cell run #5: crashed: KASAN: use-after-free Write in afs_manage_cell run #6: crashed: KASAN: use-after-free Write in afs_manage_cell run #7: crashed: KASAN: use-after-free Read in __proc_create run #8: crashed: KASAN: use-after-free Write in afs_manage_cell run #9: crashed: KASAN: use-after-free Write in afs_manage_cell testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 kernel signature: a62f3a5236b35d9fafb3808088ce5526e1ea8f0a36f462f3fd7fb4b5d16337b2 run #0: crashed: KASAN: use-after-free Write in afs_manage_cell run #1: crashed: WARNING: ODEBUG bug in afs_cell_destroy run #2: crashed: KASAN: use-after-free Write in afs_manage_cell run #3: crashed: WARNING: ODEBUG bug in afs_cell_destroy run #4: crashed: KASAN: use-after-free Write in afs_manage_cell run #5: crashed: KASAN: use-after-free Read in afs_deactivate_cell run #6: crashed: KASAN: use-after-free Write in afs_manage_cell run #7: crashed: KASAN: use-after-free Write in afs_manage_cell run #8: crashed: KASAN: use-after-free Write in afs_manage_cell run #9: crashed: KASAN: use-after-free Write in afs_deactivate_cell testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 kernel signature: c14a95013827f14aacb8e14b0bcfbc88034dc9466db4ba0a3e4cfa3fe445e2be run #0: crashed: KASAN: use-after-free Read in afs_deactivate_cell run #1: crashed: KASAN: use-after-free Write in afs_manage_cell run #2: crashed: KASAN: use-after-free Write in afs_manage_cell run #3: crashed: KASAN: use-after-free Write in afs_manage_cell run #4: crashed: KASAN: use-after-free Read in afs_deactivate_cell run #5: crashed: KASAN: use-after-free Write in afs_deactivate_cell run #6: crashed: KASAN: use-after-free Write in afs_manage_cell run #7: crashed: KASAN: use-after-free Read in afs_deactivate_cell run #8: crashed: KASAN: use-after-free Write in afs_manage_cell run #9: crashed: KASAN: use-after-free Write in afs_manage_cell testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 kernel signature: 4bc6ec715c5b3c9b5cb8ceb50ff64c8a0100207425fdcb4d6113628616dab193 all runs: OK # git bisect start e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd 1c163f4c7b3f621efff9b28a47abb36f7378d783 Bisecting: 7074 revisions left to test after this (roughly 13 steps) [b5dd0c658c31b469ccff1b637e5124851e7a4a1c] Merge branch 'akpm' (patches from Andrew) testing commit b5dd0c658c31b469ccff1b637e5124851e7a4a1c with gcc (GCC) 8.1.0 kernel signature: f37a0de274639e7ee99cfd176e1429f3f712d586d631a7b8c46a942ebd94a9ed all runs: OK # git bisect good b5dd0c658c31b469ccff1b637e5124851e7a4a1c Bisecting: 3573 revisions left to test after this (roughly 12 steps) [4f0237062ca70c8e34e16e518aee4b84c30d1832] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input testing commit 4f0237062ca70c8e34e16e518aee4b84c30d1832 with gcc (GCC) 8.1.0 kernel signature: 4bb379fbcfd74b409d0851d1e1b7c4be72d8f9134ea9f44f651eb068aaefabfb all runs: OK # git bisect good 4f0237062ca70c8e34e16e518aee4b84c30d1832 Bisecting: 1796 revisions left to test after this (roughly 11 steps) [345077c8e172c255ea0707214303ccd099e5656b] KVM: PPC: Book3S: Protect memslots while validating user address testing commit 345077c8e172c255ea0707214303ccd099e5656b with gcc (GCC) 8.1.0 kernel signature: 229044f137383af058816f97d92f1307e82d2a513c73679797d2e45db73137b3 run #0: crashed: KASAN: use-after-free Write in afs_manage_cell run #1: crashed: KASAN: use-after-free Read in afs_manage_cell run #2: crashed: WARNING: ODEBUG bug in afs_cell_destroy run #3: crashed: KASAN: use-after-free Write in afs_manage_cell run #4: crashed: KASAN: use-after-free Write in afs_manage_cell run #5: crashed: KASAN: use-after-free Write in afs_manage_cell run #6: crashed: KASAN: use-after-free Write in afs_manage_cell run #7: crashed: KASAN: use-after-free Write in afs_manage_cell run #8: crashed: KASAN: use-after-free Write in afs_manage_cell run #9: crashed: KASAN: use-after-free Read in afs_manage_cell # git bisect bad 345077c8e172c255ea0707214303ccd099e5656b Bisecting: 880 revisions left to test after this (roughly 10 steps) [f3ca4c55a6581c46e9f4a592dd698a7c67a713dd] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net testing commit f3ca4c55a6581c46e9f4a592dd698a7c67a713dd with gcc (GCC) 8.1.0 kernel signature: 092de215a57e674701318f96380a4bd15e70f13ddb265d795490b9b14b9b38a2 run #0: crashed: KASAN: use-after-free Read in afs_deactivate_cell run #1: crashed: KASAN: use-after-free Read in __d_alloc run #2: crashed: KASAN: use-after-free Write in afs_manage_cell run #3: crashed: KASAN: use-after-free Write in afs_deactivate_cell run #4: crashed: KASAN: use-after-free Read in fscache_alloc_cookie run #5: crashed: KASAN: use-after-free Write in afs_deactivate_cell run #6: crashed: KASAN: use-after-free Read in fscache_alloc_cookie run #7: crashed: KASAN: use-after-free Read in afs_deactivate_cell run #8: crashed: KASAN: use-after-free Read in afs_manage_cell run #9: crashed: KASAN: use-after-free Read in __d_alloc # git bisect bad f3ca4c55a6581c46e9f4a592dd698a7c67a713dd Bisecting: 441 revisions left to test after this (roughly 9 steps) [a5adcfcad55d5f034b33f79f1a873229d1e77b24] Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 testing commit a5adcfcad55d5f034b33f79f1a873229d1e77b24 with gcc (GCC) 8.1.0 kernel signature: 10253874565837ca62da13ba31487166f8395faab7ba79ee57917b6aaa657994 run #0: crashed: KASAN: use-after-free Read in afs_manage_cell run #1: crashed: KASAN: use-after-free Write in afs_manage_cell run #2: crashed: KASAN: use-after-free Write in afs_manage_cell run #3: crashed: KASAN: use-after-free Read in __proc_create run #4: crashed: KASAN: use-after-free Write in afs_manage_cell run #5: crashed: KASAN: use-after-free Write in afs_manage_cell run #6: crashed: KASAN: use-after-free Write in afs_deactivate_cell run #7: crashed: KASAN: use-after-free Write in afs_deactivate_cell run #8: crashed: KASAN: use-after-free Read in afs_deactivate_cell run #9: crashed: KASAN: use-after-free Write in afs_manage_cell # git bisect bad a5adcfcad55d5f034b33f79f1a873229d1e77b24 Bisecting: 225 revisions left to test after this (roughly 8 steps) [5f739e4a491ab63730ef3b7464171340c689fbff] Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs testing commit 5f739e4a491ab63730ef3b7464171340c689fbff with gcc (GCC) 8.1.0 kernel signature: b79f6bc34e00955a70be150d468892dda08ee6d5043e11009c535a559b5c1b64 all runs: OK # git bisect good 5f739e4a491ab63730ef3b7464171340c689fbff Bisecting: 134 revisions left to test after this (roughly 7 steps) [4d6c671ace569d4b0d3f8d92ab3aef18a5d166bc] SUNRPC: Take the transport send lock before binding+connecting testing commit 4d6c671ace569d4b0d3f8d92ab3aef18a5d166bc with gcc (GCC) 8.1.0 kernel signature: 2e11d3164d5bb31fd6c9acca88d4b450d22ec1c6606ac99b86bc8218c80e8cc8 all runs: OK # git bisect good 4d6c671ace569d4b0d3f8d92ab3aef18a5d166bc Bisecting: 63 revisions left to test after this (roughly 6 steps) [dfee9c257b102d7c0407629eef2ed32e152de0d2] Merge tag 'fuse-update-5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse testing commit dfee9c257b102d7c0407629eef2ed32e152de0d2 with gcc (GCC) 8.1.0 kernel signature: dd62c0021dc5c1482889b4ffe563b88ef3065a524c7897dcbf049c4a1909de8b run #0: crashed: KASAN: use-after-free Write in afs_deactivate_cell run #1: crashed: KASAN: use-after-free Write in afs_manage_cell run #2: crashed: KASAN: use-after-free Read in afs_manage_cell run #3: crashed: KASAN: use-after-free Write in afs_manage_cell run #4: crashed: KASAN: use-after-free Read in __proc_create run #5: crashed: KASAN: use-after-free Write in afs_manage_cell run #6: crashed: KASAN: use-after-free Read in afs_manage_cell run #7: crashed: KASAN: use-after-free Write in afs_deactivate_cell run #8: crashed: KASAN: use-after-free Write in afs_manage_cell run #9: crashed: KASAN: use-after-free Write in afs_manage_cell # git bisect bad dfee9c257b102d7c0407629eef2ed32e152de0d2 Bisecting: 35 revisions left to test after this (roughly 5 steps) [32021982a324dce93b4ae00c06213bf45fb319c8] hugetlbfs: Convert to fs_context testing commit 32021982a324dce93b4ae00c06213bf45fb319c8 with gcc (GCC) 8.1.0 kernel signature: 1010d3fa0cccb28b185218f44d68d02984d6cd8289e0e6bcefaa8fee4c8a35e8 all runs: OK # git bisect good 32021982a324dce93b4ae00c06213bf45fb319c8 Bisecting: 17 revisions left to test after this (roughly 4 steps) [75126f5504524dd0f24753d8815db42d9ab23614] fuse: use atomic64_t for khctr testing commit 75126f5504524dd0f24753d8815db42d9ab23614 with gcc (GCC) 8.1.0 kernel signature: fb3115888e7d2112318a9ee884b622866a973dda6f95fa6f4f537b1d5b3740c0 all runs: OK # git bisect good 75126f5504524dd0f24753d8815db42d9ab23614 Bisecting: 7 revisions left to test after this (roughly 3 steps) [7b47a9e7c8f672b6fb0b77fca11a63a8a77f5a91] Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs testing commit 7b47a9e7c8f672b6fb0b77fca11a63a8a77f5a91 with gcc (GCC) 8.1.0 kernel signature: ead8b3fa06fe84181860081246eccf03ee47bfe55f2c1cfd133a06621f8bd961 run #0: crashed: KASAN: use-after-free Read in __d_alloc run #1: crashed: KASAN: use-after-free Write in afs_manage_cell run #2: crashed: KASAN: use-after-free Read in __d_alloc run #3: crashed: KASAN: use-after-free Read in afs_manage_cell run #4: crashed: KASAN: use-after-free Write in afs_manage_cell run #5: crashed: WARNING: ODEBUG bug in afs_cell_destroy run #6: crashed: KASAN: use-after-free Write in afs_manage_cell run #7: crashed: KASAN: use-after-free Write in afs_deactivate_cell run #8: crashed: KASAN: use-after-free Read in afs_deactivate_cell run #9: crashed: KASAN: use-after-free Read in __d_alloc # git bisect bad 7b47a9e7c8f672b6fb0b77fca11a63a8a77f5a91 Bisecting: 4 revisions left to test after this (roughly 2 steps) [13fcc6837049f1bd76d57e9abc217a91fdbad764] afs: Add fs_context support testing commit 13fcc6837049f1bd76d57e9abc217a91fdbad764 with gcc (GCC) 8.1.0 kernel signature: fc50fe1c4f49de6b57621508cb9e54822c035df94875253618814379885e74d2 run #0: crashed: WARNING: proc registration bug in afs_manage_cell run #1: crashed: KASAN: use-after-free Read in __d_alloc run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 13fcc6837049f1bd76d57e9abc217a91fdbad764 Bisecting: 2 revisions left to test after this (roughly 1 step) [5fe1890d0e200a3b01f74ca380688f7e4b641013] vfs: Provide documentation for new mount API testing commit 5fe1890d0e200a3b01f74ca380688f7e4b641013 with gcc (GCC) 8.1.0 kernel signature: 8c7fa7f6257ba4f3a2a4e797b616bb1f700c32c702a819374ff56e89651a68d4 all runs: OK # git bisect good 5fe1890d0e200a3b01f74ca380688f7e4b641013 Bisecting: 0 revisions left to test after this (roughly 1 step) [06a2ae56b5b88fa57cd56e0b99bd874135efdf58] vfs: Add some logging to the core users of the fs_context log testing commit 06a2ae56b5b88fa57cd56e0b99bd874135efdf58 with gcc (GCC) 8.1.0 kernel signature: 7bd2a3a6eab245c673a306d3d559948c32708d5d5cbe750cbfbe490729a10643 all runs: OK # git bisect good 06a2ae56b5b88fa57cd56e0b99bd874135efdf58 13fcc6837049f1bd76d57e9abc217a91fdbad764 is the first bad commit commit 13fcc6837049f1bd76d57e9abc217a91fdbad764 Author: David Howells Date: Thu Nov 1 23:07:27 2018 +0000 afs: Add fs_context support Add fs_context support to the AFS filesystem, converting the parameter parsing to store options there. This will form the basis for namespace propagation over mountpoints within the AFS model, thereby allowing AFS to be used in containers more easily. Signed-off-by: David Howells Signed-off-by: Al Viro fs/afs/internal.h | 8 +- fs/afs/mntpt.c | 1 + fs/afs/super.c | 460 ++++++++++++++++++++++++++++++------------------------ fs/afs/volume.c | 4 +- 4 files changed, 259 insertions(+), 214 deletions(-) culprit signature: fc50fe1c4f49de6b57621508cb9e54822c035df94875253618814379885e74d2 parent signature: 7bd2a3a6eab245c673a306d3d559948c32708d5d5cbe750cbfbe490729a10643 revisions tested: 24, total time: 5h37m57.156582337s (build: 2h34m19.490444355s, test: 3h0m23.507837972s) first bad commit: 13fcc6837049f1bd76d57e9abc217a91fdbad764 afs: Add fs_context support recipients (to): ["dhowells@redhat.com" "dhowells@redhat.com" "linux-afs@lists.infradead.org" "viro@zeniv.linux.org.uk"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: KASAN: use-after-free Read in __d_alloc FS-Cache: O-key=[10] '5e5d375b2b255d28247b' FS-Cache: N-cookie c=0000000012d4d2a6 [p=00000000bfe85683 fl=2 nc=0 na=1] FS-Cache: N-cookie d=0000000008a5e808 n=0000000097ea05d3 FS-Cache: N-key=[10] '5e5d375b2b255d28247b' ================================================================== BUG: KASAN: use-after-free in memcpy include/linux/string.h:352 [inline] BUG: KASAN: use-after-free in __d_alloc+0x164/0x8a0 fs/dcache.c:1630 Read of size 10 at addr ffff8880a84051b1 by task kworker/1:3/7432 CPU: 1 PID: 7432 Comm: kworker/1:3 Not tainted 5.0.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ------------[ cut here ]------------ Workqueue: afs afs_manage_cell proc_dir_entry 'afs/^]7[+%](${' already registered Call Trace: WARNING: CPU: 0 PID: 12 at fs/proc/generic.c:360 proc_register+0x2c3/0x490 fs/proc/generic.c:359 __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x165/0x21a lib/dump_stack.c:113 Kernel panic - not syncing: panic_on_warn set ... print_address_description.cold.3+0x9/0x211 mm/kasan/report.c:187 kasan_report.cold.4+0x1b/0x37 mm/kasan/report.c:317 check_memory_region_inline mm/kasan/generic.c:185 [inline] check_memory_region+0x13c/0x1b0 mm/kasan/generic.c:191 memcpy+0x23/0x50 mm/kasan/common.c:130 memcpy include/linux/string.h:352 [inline] __d_alloc+0x164/0x8a0 fs/dcache.c:1630 d_alloc+0x43/0x250 fs/dcache.c:1678 d_alloc_parallel+0xf3/0x1570 fs/dcache.c:2421 __lookup_slow+0x18d/0x3f0 fs/namei.c:1654 lookup_one_len+0x132/0x160 fs/namei.c:2543 afs_dynroot_mkdir+0x12b/0x1f0 fs/afs/dynroot.c:206 afs_activate_cell fs/afs/cell.c:570 [inline] afs_manage_cell+0x534/0xe50 fs/afs/cell.c:633 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153 worker_thread+0x85/0xb60 kernel/workqueue.c:2296 kthread+0x324/0x3e0 kernel/kthread.c:246 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.0.0-rc2-syzkaller #0 Allocated by task 23116: Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 save_stack mm/kasan/common.c:73 [inline] set_track mm/kasan/common.c:85 [inline] __kasan_kmalloc.part.0+0x66/0x100 mm/kasan/common.c:496 Workqueue: afs afs_manage_cell __kasan_kmalloc.constprop.1+0xb5/0xc0 mm/kasan/common.c:477 Call Trace: kasan_kmalloc+0x9/0x10 mm/kasan/common.c:504 __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x165/0x21a lib/dump_stack.c:113 kmem_cache_alloc_trace+0x15b/0x3d0 mm/slab.c:3609 kmalloc include/linux/slab.h:545 [inline] kzalloc include/linux/slab.h:740 [inline] afs_alloc_cell fs/afs/cell.c:141 [inline] afs_lookup_cell+0x14a/0xb70 fs/afs/cell.c:229 panic+0x212/0x40b kernel/panic.c:214 afs_parse_source fs/afs/super.c:280 [inline] afs_parse_param+0x322/0x9f0 fs/afs/super.c:332 vfs_parse_fs_param+0x228/0x470 fs/fs_context.c:147 __warn.cold.7+0x1b/0x38 kernel/panic.c:571 vfs_parse_fs_string+0xb8/0x110 fs/fs_context.c:190 generic_parse_monolithic+0x117/0x190 fs/fs_context.c:230 parse_monolithic_mount_data+0x5c/0x83 fs/fs_context.c:641 report_bug+0x1a4/0x200 lib/bug.c:186 do_new_mount fs/namespace.c:2618 [inline] do_mount+0x10e4/0x2ae0 fs/namespace.c:2942 fixup_bug arch/x86/kernel/traps.c:178 [inline] do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271 ksys_mount+0xba/0xe0 fs/namespace.c:3151 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290 __do_sys_mount fs/namespace.c:3165 [inline] __se_sys_mount fs/namespace.c:3162 [inline] __x64_sys_mount+0xb9/0x150 fs/namespace.c:3162 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973 RIP: 0010:proc_register+0x2c3/0x490 fs/proc/generic.c:359 Freed by task 16: Code: 00 00 fc ff df 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 c1 01 00 00 49 8b b4 24 c8 00 00 00 48 c7 c7 60 84 55 87 e8 d0 06 82 ff <0f> 0b 48 c7 c7 c0 95 86 88 e8 9f ec 45 05 4c 89 ea 48 b8 00 00 00 save_stack mm/kasan/common.c:73 [inline] set_track mm/kasan/common.c:85 [inline] __kasan_slab_free+0x13c/0x220 mm/kasan/common.c:458 RSP: 0018:ffff8880a984fa88 EFLAGS: 00010282 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466 RAX: 0000000000000000 RBX: ffffed1013fcbaf2 RCX: 0000000000000000 RDX: 0000000000000004 RSI: ffffffff878b6d60 RDI: ffffffff8a3add60 __cache_free mm/slab.c:3487 [inline] kfree+0xcf/0x220 mm/slab.c:3806 RBP: ffff8880a984fad8 R08: ffffed1015d05029 R09: ffffed1015d05028 R10: ffffed1015d05028 R11: ffff8880ae828147 R12: ffff8882163e8300 afs_cell_destroy+0xd3/0x110 fs/afs/cell.c:438 R13: ffff88809fe5d744 R14: ffff88809fe5d788 R15: ffff88809fe5d6c0 __rcu_reclaim kernel/rcu/rcu.h:240 [inline] rcu_do_batch kernel/rcu/tree.c:2452 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2773 [inline] rcu_process_callbacks+0x8a7/0x12e0 kernel/rcu/tree.c:2754 __do_softirq+0x25e/0x958 kernel/softirq.c:292 proc_mkdir_data+0x13a/0x220 fs/proc/generic.c:473 The buggy address belongs to the object at ffff8880a8405080 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 305 bytes inside of 512-byte region [ffff8880a8405080, ffff8880a8405280) The buggy address belongs to the page: page:ffffea0002a10140 count:1 mapcount:0 mapping:ffff88812c3f6940 index:0xffff8880a8405d00 proc_net_mkdir include/linux/proc_fs.h:124 [inline] afs_proc_cell_setup+0x92/0x170 fs/afs/proc.c:613 flags: 0xfffe0000000200(slab) afs_activate_cell fs/afs/cell.c:553 [inline] afs_manage_cell+0x42f/0xe50 fs/afs/cell.c:633 raw: 00fffe0000000200 ffffea0002585688 ffffea000258b9c8 ffff88812c3f6940 raw: ffff8880a8405d00 ffff8880a8405080 0000000100000005 0000000000000000 page dumped because: kasan: bad access detected process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153 Memory state around the buggy address: ffff8880a8405080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a8405100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880a8405180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb worker_thread+0x85/0xb60 kernel/workqueue.c:2296 ^ ffff8880a8405200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb kthread+0x324/0x3e0 kernel/kthread.c:246 ffff8880a8405280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Kernel Offset: disabled Rebooting in 86400 seconds..