bisecting fixing commit since 2f7b98d1e55ccd34e4998bf5f321ec7b9d6b451b
building syzkaller on 7e2b734bac96c22086fedd1b18135da06d5e4054
testing commit 2f7b98d1e55ccd34e4998bf5f321ec7b9d6b451b with gcc (GCC) 10.2.1 20210217
kernel signature: 6dcedb5559249ae466c589a7b7366855521d1993d96746d872cbe8313cee7ba8
run #0: crashed: KASAN: use-after-free Write in ext4_put_super
run #1: crashed: KASAN: use-after-free Write in ext4_put_super
run #2: crashed: KASAN: use-after-free Write in ext4_put_super
run #3: crashed: KASAN: use-after-free Write in ext4_put_super
run #4: crashed: KASAN: use-after-free Write in ext4_put_super
run #5: crashed: KASAN: use-after-free Write in ext4_put_super
run #6: crashed: INFO: task hung in ext4_put_super
run #7: crashed: KASAN: use-after-free Write in ext4_put_super
run #8: crashed: INFO: task hung in ext4_put_super
run #9: crashed: INFO: task hung in ext4_put_super
run #10: crashed: INFO: task hung in ext4_put_super
run #11: crashed: KASAN: use-after-free Write in ext4_put_super
run #12: crashed: KASAN: use-after-free Write in ext4_put_super
run #13: crashed: KASAN: use-after-free Write in ext4_put_super
run #14: crashed: INFO: task hung in ext4_put_super
run #15: crashed: KASAN: use-after-free Write in ext4_put_super
run #16: crashed: KASAN: use-after-free Write in ext4_put_super
run #17: crashed: KASAN: use-after-free Write in ext4_put_super
run #18: crashed: KASAN: use-after-free Write in ext4_put_super
run #19: OK
testing current HEAD 94f0b2d4a1d0c52035aef425da5e022bd2cb1c71
testing commit 94f0b2d4a1d0c52035aef425da5e022bd2cb1c71 with gcc (GCC) 10.2.1 20210217
kernel signature: a59ec1f3bbda71433d7e61e9bb2312e68b3bccb3ec4aaefc5160a78d6458608d
run #0: crashed: KASAN: use-after-free Write in ext4_put_super
run #1: crashed: KASAN: use-after-free Write in ext4_put_super
run #2: crashed: KASAN: use-after-free Write in ext4_put_super
run #3: crashed: KASAN: use-after-free Write in ext4_put_super
run #4: crashed: KASAN: use-after-free Write in ext4_put_super
run #5: crashed: KASAN: use-after-free Write in ext4_put_super
run #6: crashed: KASAN: use-after-free Write in ext4_put_super
run #7: crashed: KASAN: use-after-free Write in ext4_put_super
run #8: crashed: INFO: task hung in ext4_put_super
run #9: crashed: KASAN: use-after-free Write in ext4_put_super
revisions tested: 2, total time: 35m14.959010886s (build: 13m53.719504968s, test: 20m31.026512471s)
the crash still happens on HEAD
commit msg: proc: only require mm_struct for writing
crash: KASAN: use-after-free Write in ext4_put_super
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:142 [inline]
BUG: KASAN: use-after-free in __refcount_add include/linux/refcount.h:193 [inline]
BUG: KASAN: use-after-free in __refcount_inc include/linux/refcount.h:250 [inline]
BUG: KASAN: use-after-free in refcount_inc include/linux/refcount.h:267 [inline]
BUG: KASAN: use-after-free in get_task_struct include/linux/sched/task.h:104 [inline]
BUG: KASAN: use-after-free in kthread_stop+0x58/0x4f0 kernel/kthread.c:637
Write of size 4 at addr ffff888019f21c68 by task syz-executor.3/8800

CPU: 1 PID: 8800 Comm: syz-executor.3 Not tainted 5.13.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0xa5/0xe6 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:436
 check_region_inline mm/kasan/generic.c:180 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:186
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:142 [inline]
 __refcount_add include/linux/refcount.h:193 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 get_task_struct include/linux/sched/task.h:104 [inline]
 kthread_stop+0x58/0x4f0 kernel/kthread.c:637
 ext4_put_super+0x76c/0xe20 fs/ext4/super.c:1249
 generic_shutdown_super+0x12e/0x330 fs/super.c:465
 kill_block_super+0x90/0xd0 fs/super.c:1395
 deactivate_locked_super+0x7b/0x130 fs/super.c:335
 cleanup_mnt+0x324/0x4d0 fs/namespace.c:1136
 task_work_run+0xc0/0x160 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x281/0x290 kernel/entry/common.c:209
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
 do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:57
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4678b7
Code: ff d0 48 89 c7 b8 3c 00 00 00 0f 05 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffff402d678 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000004678b7
RDX: 00007ffff402d74c RSI: 0000000000000002 RDI: 00007ffff402d740
RBP: 00007ffff402d740 R08: 00000000ffffffff R09: 00007ffff402d510
R10: 00000000025a28e3 R11: 0000000000000246 R12: 00000000004bebb2
R13: 00007ffff402e810 R14: 00000000025a2810 R15: 00007ffff402e850

Allocated by task 2:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:428 [inline]
 __kasan_slab_alloc+0x84/0xa0 mm/kasan/common.c:461
 kasan_slab_alloc include/linux/kasan.h:236 [inline]
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:2913 [inline]
 kmem_cache_alloc_node+0x269/0x3e0 mm/slub.c:2949
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct kernel/fork.c:865 [inline]
 copy_process+0x4a8/0x67c0 kernel/fork.c:1947
 kernel_clone+0xb8/0x7f0 kernel/fork.c:2503
 kernel_thread+0xa3/0xe0 kernel/fork.c:2555
 create_kthread kernel/kthread.c:336 [inline]
 kthreadd+0x495/0x6e0 kernel/kthread.c:679
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Freed by task 53:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357
 ____kasan_slab_free mm/kasan/common.c:360 [inline]
 ____kasan_slab_free mm/kasan/common.c:325 [inline]
 __kasan_slab_free+0xfb/0x130 mm/kasan/common.c:368
 kasan_slab_free include/linux/kasan.h:212 [inline]
 slab_free_hook mm/slub.c:1582 [inline]
 slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1607
 slab_free mm/slub.c:3167 [inline]
 kmem_cache_free+0x8a/0x740 mm/slub.c:3183
 rcu_do_batch kernel/rcu/tree.c:2558 [inline]
 rcu_core+0x7ab/0x13b0 kernel/rcu/tree.c:2793
 __do_softirq+0x29b/0x9f6 kernel/softirq.c:559

Last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:345
 __call_rcu kernel/rcu/tree.c:3038 [inline]
 call_rcu+0xb1/0x750 kernel/rcu/tree.c:3113
 context_switch kernel/sched/core.c:4342 [inline]
 __schedule+0x8eb/0x23a0 kernel/sched/core.c:5147
 schedule+0xcf/0x270 kernel/sched/core.c:5226
 io_schedule+0xba/0x130 kernel/sched/core.c:7215
 wait_on_page_bit_common+0x406/0xa30 mm/filemap.c:1301
 wait_on_page_bit_killable mm/filemap.c:1369 [inline]
 wait_on_page_locked_killable include/linux/pagemap.h:695 [inline]
 filemap_read_page+0x1e0/0x360 mm/filemap.c:2330
 filemap_update_page mm/filemap.c:2394 [inline]
 filemap_get_pages+0xb2e/0x1430 mm/filemap.c:2490
 filemap_read+0x261/0xb90 mm/filemap.c:2550
 blkdev_read_iter+0xfb/0x180 fs/block_dev.c:1730
 call_read_iter include/linux/fs.h:2108 [inline]
 new_sync_read+0x35a/0x5f0 fs/read_write.c:415
 vfs_read+0x264/0x470 fs/read_write.c:496
 ksys_read+0xf4/0x1d0 fs/read_write.c:634
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Second to last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:345
 __call_rcu kernel/rcu/tree.c:3038 [inline]
 call_rcu+0xb1/0x750 kernel/rcu/tree.c:3113
 context_switch kernel/sched/core.c:4342 [inline]
 __schedule+0x8eb/0x23a0 kernel/sched/core.c:5147
 schedule+0xcf/0x270 kernel/sched/core.c:5226
 io_schedule+0xba/0x130 kernel/sched/core.c:7215
 bit_wait_io+0x12/0xd0 kernel/sched/wait_bit.c:209
 __wait_on_bit+0x60/0x190 kernel/sched/wait_bit.c:49
 out_of_line_wait_on_bit+0xd5/0x110 kernel/sched/wait_bit.c:64
 wait_on_buffer include/linux/buffer_head.h:356 [inline]
 write_mmp_block+0x3b0/0x560 fs/ext4/mmp.c:56
 kmmpd+0x621/0x9a0 fs/ext4/mmp.c:245
 kthread+0x36f/0x450 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

The buggy address belongs to the object at ffff888019f21c40
 which belongs to the cache task_struct of size 6976
The buggy address is located 40 bytes inside of
 6976-byte region [ffff888019f21c40, ffff888019f23780)
The buggy address belongs to the page:
page:ffffea000067c800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19f20
head:ffffea000067c800 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888140005140
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888019f21b00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff888019f21b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888019f21c00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
                                                          ^
 ffff888019f21c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888019f21d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================