bisecting fixing commit since 3c8c23092588a23bf1856a64f58c37f477a413be
building syzkaller on a343ba6b077a3efe7feb57783dcbb7496d2c3572
testing commit 3c8c23092588a23bf1856a64f58c37f477a413be
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: f6f2d405fc78c4c747dec9a728fba30e005b240d3b7c099535551be05947dc12
run #0: crashed: kernel BUG in iput
run #1: crashed: kernel BUG in corrupted
run #2: crashed: kernel BUG in iput
run #3: crashed: BUG: Dentry ADDR{i=NUM,n=/} still in use (-NUM) [unmount of erofs loop1]
run #4: crashed: kernel BUG in iput
run #5: crashed: kernel BUG in iput
run #6: crashed: BUG: Dentry ADDR{i=NUM,n=/} still in use (-NUM) [unmount of erofs loop4]
run #7: crashed: kernel BUG in iput
run #8: crashed: kernel BUG in iput
run #9: crashed: kernel BUG in iput
run #10: crashed: kernel BUG in corrupted
run #11: crashed: kernel BUG in iput
run #12: crashed: BUG: Dentry ADDR{i=NUM,n=/} still in use (-NUM) [unmount of erofs loop3]
run #13: crashed: kernel BUG in iput
run #14: crashed: BUG: Dentry ADDR{i=NUM,n=/} still in use (-NUM) [unmount of erofs loop3]
run #15: crashed: BUG: Dentry ADDR{i=NUM,n=/} still in use (-NUM) [unmount of erofs loop4]
run #16: crashed: kernel BUG in iput
run #17: crashed: kernel BUG in iput
run #18: crashed: BUG: Dentry ADDR{i=NUM,n=/} still in use (-NUM) [unmount of erofs loop0]
run #19: crashed: kernel BUG in iput
testing current HEAD 59456c9cc40c8f75b5a7efa0fe1f211d9c6fcaf1
testing commit 59456c9cc40c8f75b5a7efa0fe1f211d9c6fcaf1
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 3a4b6769260c7411ff1c578a146e8be0763e0654a80ceb0e4b85d04ebf94be39
run #0: crashed: BUG: Dentry ADDR{i=NUM,n=/} still in use (-NUM) [unmount of erofs loop4]
run #1: crashed: kernel BUG in iput
run #2: crashed: kernel BUG in corrupted
run #3: crashed: kernel BUG in iput
run #4: crashed: kernel BUG in iput
run #5: crashed: kernel BUG in iput
run #6: crashed: kernel BUG in corrupted
run #7: crashed: kernel BUG in corrupted
run #8: crashed: kernel BUG in corrupted
run #9: crashed: BUG: Dentry ADDR{i=NUM,n=/} still in use (-NUM) [unmount of erofs loop4]
revisions tested: 2, total time: 24m23.165280074s (build: 17m9.787044663s, test: 6m45.378574726s)
the crash still happens on HEAD
commit msg: Linux 4.19.204
crash: BUG: Dentry ADDR{i=NUM,n=/} still in use (-NUM) [unmount of erofs loop4]
 alloc_inode+0x56/0x150 fs/inode.c:211
 new_inode_pseudo+0xc/0xd0 fs/inode.c:911
 new_inode+0x14/0x30 fs/inode.c:940
 erofs_init_managed_cache drivers/staging/erofs/super.c:317 [inline]
 erofs_read_super drivers/staging/erofs/super.c:386 [inline]
 erofs_fill_super+0xd02/0x1168 drivers/staging/erofs/super.c:499
 mount_bdev+0x26f/0x330 fs/super.c:1158
BUG: Dentry 00000000c89d4b3e{i=0,n=/} still in use (-128) [unmount of erofs loop4]
 erofs_mount+0x6a/0x90 drivers/staging/erofs/super.c:512
 mount_fs+0x7f/0x2b0 fs/super.c:1261
 vfs_kern_mount.part.11+0x58/0x3d0 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2483 [inline]
 do_mount+0x376/0x2630 fs/namespace.c:2813
 ksys_mount+0xb1/0xd0 fs/namespace.c:3029
 __do_sys_mount fs/namespace.c:3043 [inline]
 __se_sys_mount fs/namespace.c:3040 [inline]
 __x64_sys_mount+0xb9/0x150 fs/namespace.c:3040
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x467afa
Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f15c4064fa8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 0000000000467afa
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f15c4065000
RBP: 00007f15c4065040 R08: 00007f15c4065040 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
R13: 0000000020000100 R14: 00007f15c4065000 R15: 0000000020010a00
------------[ cut here ]------------
------------[ cut here ]------------
kernel BUG at fs/inode.c:1571!
WARNING: CPU: 0 PID: 10018 at fs/dcache.c:1518 umount_check fs/dcache.c:1518 [inline]
WARNING: CPU: 0 PID: 10018 at fs/dcache.c:1518 umount_check.cold.19+0xe0/0x149 fs/dcache.c:1499
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 10018 Comm: syz-executor.4 Not tainted 4.19.204-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x17c/0x226 lib/dump_stack.c:118
 panic+0x1cd/0x375 kernel/panic.c:186
 __warn.cold.7+0x1b/0x36 kernel/panic.c:541
 report_bug+0x1a1/0x200 lib/bug.c:183
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 fixup_bug arch/x86/kernel/traps.c:173 [inline]
 do_error_trap+0x200/0x350 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:1038
RIP: 0010:umount_check fs/dcache.c:1518 [inline]
RIP: 0010:umount_check.cold.19+0xe0/0x149 fs/dcache.c:1499
Code: 75 7f 49 8b 54 24 40 41 55 4d 89 f1 41 89 d8 48 89 f1 48 c7 c7 e0 8b 13 88 e8 87 05 ff ff 48 c7 c7 20 8b 13 88 e8 7b 05 ff ff <0f> 0b 58 e9 b2 99 16 fa 48 89 75 d8 e8 9d 24 08 fa 48 8b 75 d8 e9
RSP: 0018:ffff8880b0c1fa60 EFLAGS: 00010286
RAX: 0000000000000024 RBX: 00000000ffffff80 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff8bada720
RBP: ffff8880b0c1fa90 R08: ffffed1017443d03 R09: ffffed1017443d02
R10: ffffed1017443d02 R11: ffff8880ba21e817 R12: 0000000000000000
R13: ffff8880afb49150 R14: ffffffff88d2b460 R15: ffff88808feb8280
 d_walk.part.6+0x151/0x6e0 fs/dcache.c:1253
 d_walk fs/dcache.c:1246 [inline]
 do_one_tree+0x1f/0x40 fs/dcache.c:1525
 shrink_dcache_for_umount+0x56/0x120 fs/dcache.c:1541
 generic_shutdown_super+0x61/0x330 fs/super.c:441
 kill_block_super+0x96/0xe0 fs/super.c:1185
 erofs_kill_sb+0x9/0x10 drivers/staging/erofs/super.c:518
 deactivate_locked_super+0x77/0xd0 fs/super.c:329
 mount_bdev+0x2cb/0x330 fs/super.c:1160
 erofs_mount+0x6a/0x90 drivers/staging/erofs/super.c:512
 mount_fs+0x7f/0x2b0 fs/super.c:1261
 vfs_kern_mount.part.11+0x58/0x3d0 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2483 [inline]
 do_mount+0x376/0x2630 fs/namespace.c:2813
 ksys_mount+0xb1/0xd0 fs/namespace.c:3029
 __do_sys_mount fs/namespace.c:3043 [inline]
 __se_sys_mount fs/namespace.c:3040 [inline]
 __x64_sys_mount+0xb9/0x150 fs/namespace.c:3040
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x467afa
Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007febcb121fa8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 0000000000467afa
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007febcb122000
RBP: 00007febcb122040 R08: 00007febcb122040 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
R13: 0000000020000100 R14: 00007febcb122000 R15: 0000000020010a00
Kernel Offset: disabled
Rebooting in 86400 seconds..
----------------
Code disassembly (best guess):
   0:	48 c7 c2 bc ff ff ff 	mov    $0xffffffffffffffbc,%rdx
   7:	f7 d8                	neg    %eax
   9:	64 89 02             	mov    %eax,%fs:(%rdx)
   c:	b8 ff ff ff ff       	mov    $0xffffffff,%eax
  11:	eb d2                	jmp    0xffffffe5
  13:	e8 b8 04 00 00       	callq  0x4d0
  18:	0f 1f 84 00 00 00 00 	nopl   0x0(%rax,%rax,1)
  1f:	00
  20:	49 89 ca             	mov    %rcx,%r10
  23:	b8 a5 00 00 00       	mov    $0xa5,%eax
  28:	0f 05                	syscall
  2a:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax <-- trapping instruction
  30:	73 01                	jae    0x33
  32:	c3                   	retq
  33:	48 c7 c1 bc ff ff ff 	mov    $0xffffffffffffffbc,%rcx
  3a:	f7 d8                	neg    %eax
  3c:	64 89 01             	mov    %eax,%fs:(%rcx)
  3f:	48                   	rex.W