bisecting fixing commit since 2f7b98d1e55ccd34e4998bf5f321ec7b9d6b451b
building syzkaller on 7e2b734bac96c22086fedd1b18135da06d5e4054
testing commit 2f7b98d1e55ccd34e4998bf5f321ec7b9d6b451b with gcc (GCC) 10.2.1 20210217
kernel signature: 6dcedb5559249ae466c589a7b7366855521d1993d96746d872cbe8313cee7ba8
run #0: crashed: KASAN: use-after-free Write in ext4_put_super
run #1: crashed: KASAN: use-after-free Write in ext4_put_super
run #2: crashed: KASAN: use-after-free Write in ext4_put_super
run #3: crashed: KASAN: use-after-free Write in ext4_put_super
run #4: crashed: KASAN: use-after-free Write in ext4_put_super
run #5: crashed: KASAN: use-after-free Write in ext4_put_super
run #6: crashed: KASAN: use-after-free Write in ext4_put_super
run #7: crashed: KASAN: use-after-free Write in ext4_put_super
run #8: crashed: KASAN: use-after-free Write in ext4_put_super
run #9: crashed: KASAN: use-after-free Write in ext4_put_super
run #10: crashed: KASAN: use-after-free Write in ext4_put_super
run #11: crashed: KASAN: use-after-free Write in ext4_put_super
run #12: crashed: KASAN: use-after-free Write in ext4_put_super
run #13: crashed: KASAN: use-after-free Write in ext4_put_super
run #14: crashed: INFO: task hung in ext4_put_super
run #15: crashed: KASAN: use-after-free Write in ext4_put_super
run #16: crashed: KASAN: use-after-free Write in ext4_put_super
run #17: crashed: KASAN: use-after-free Write in ext4_put_super
run #18: OK
run #19: OK
testing current HEAD d07f6ca923ea0927a1024dfccafc5b53b61cfecc
testing commit d07f6ca923ea0927a1024dfccafc5b53b61cfecc with gcc (GCC) 10.2.1 20210217
kernel signature: 189530f39093c896d090ad790975855e6cee30afd9abcc2dd00ce76da16ab3a4
run #0: crashed: KASAN: use-after-free Write in ext4_put_super
run #1: crashed: KASAN: use-after-free Write in ext4_put_super
run #2: crashed: KASAN: use-after-free Write in ext4_put_super
run #3: crashed: KASAN: use-after-free Write in ext4_put_super
run #4: crashed: KASAN: use-after-free Write in ext4_put_super
run #5: crashed: INFO: task hung in ext4_put_super
run #6: crashed: INFO: task hung in ext4_put_super
run #7: crashed: INFO: task hung in ext4_put_super
run #8: crashed: INFO: task hung in ext4_put_super
run #9: crashed: KASAN: use-after-free Write in ext4_put_super
revisions tested: 2, total time: 34m15.306277033s (build: 13m19.369840716s, test: 20m6.095655698s)
the crash still happens on HEAD
commit msg: Linux 5.13-rc2
crash: KASAN: use-after-free Write in ext4_put_super
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:142 [inline]
BUG: KASAN: use-after-free in __refcount_add include/linux/refcount.h:193 [inline]
BUG: KASAN: use-after-free in __refcount_inc include/linux/refcount.h:250 [inline]
BUG: KASAN: use-after-free in refcount_inc include/linux/refcount.h:267 [inline]
BUG: KASAN: use-after-free in get_task_struct include/linux/sched/task.h:104 [inline]
BUG: KASAN: use-after-free in kthread_stop+0x58/0x4f0 kernel/kthread.c:637
Write of size 4 at addr ffff888010728028 by task syz-executor.2/8801

CPU: 0 PID: 8801 Comm: syz-executor.2 Not tainted 5.13.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0xa5/0xe6 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:436
 check_region_inline mm/kasan/generic.c:180 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:186
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:142 [inline]
 __refcount_add include/linux/refcount.h:193 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 get_task_struct include/linux/sched/task.h:104 [inline]
 kthread_stop+0x58/0x4f0 kernel/kthread.c:637
 ext4_put_super+0x76c/0xe20 fs/ext4/super.c:1249
 generic_shutdown_super+0x12e/0x330 fs/super.c:465
 kill_block_super+0x90/0xd0 fs/super.c:1395
 deactivate_locked_super+0x7b/0x130 fs/super.c:335
 cleanup_mnt+0x324/0x4d0 fs/namespace.c:1136
 task_work_run+0xc0/0x160 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
 exit_to_user_mode_prepare+0x272/0x280 kernel/entry/common.c:208
 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:301
 do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:57
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4678b7
Code: ff d0 48 89 c7 b8 3c 00 00 00 0f 05 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe40255448 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000004678b7
RDX: 00007ffe4025551b RSI: 0000000000000002 RDI: 00007ffe40255510
RBP: 00007ffe40255510 R08: 00000000ffffffff R09: 00007ffe402552e0
R10: 000000000337b8e3 R11: 0000000000000246 R12: 00000000004bebb2
R13: 00007ffe402565e0 R14: 000000000337b810 R15: 00007ffe40256620

Allocated by task 2:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:428 [inline]
 __kasan_slab_alloc+0x84/0xa0 mm/kasan/common.c:461
 kasan_slab_alloc include/linux/kasan.h:236 [inline]
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:2912 [inline]
 kmem_cache_alloc_node+0x269/0x3e0 mm/slub.c:2948
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct kernel/fork.c:865 [inline]
 copy_process+0x4a8/0x67c0 kernel/fork.c:1947
 kernel_clone+0xb8/0x7f0 kernel/fork.c:2503
 kernel_thread+0xa3/0xe0 kernel/fork.c:2555
 create_kthread kernel/kthread.c:336 [inline]
 kthreadd+0x495/0x6e0 kernel/kthread.c:679
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Freed by task 13579:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357
 ____kasan_slab_free mm/kasan/common.c:360 [inline]
 ____kasan_slab_free mm/kasan/common.c:325 [inline]
 __kasan_slab_free+0xfb/0x130 mm/kasan/common.c:368
 kasan_slab_free include/linux/kasan.h:212 [inline]
 slab_free_hook mm/slub.c:1581 [inline]
 slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1606
 slab_free mm/slub.c:3166 [inline]
 kmem_cache_free+0x8a/0x740 mm/slub.c:3182
 rcu_do_batch kernel/rcu/tree.c:2558 [inline]
 rcu_core+0x7ab/0x13b0 kernel/rcu/tree.c:2793
 __do_softirq+0x29b/0x9f6 kernel/softirq.c:559

Last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:345
 __call_rcu kernel/rcu/tree.c:3038 [inline]
 call_rcu+0xb1/0x750 kernel/rcu/tree.c:3113
 context_switch kernel/sched/core.c:4342 [inline]
 __schedule+0x8eb/0x23a0 kernel/sched/core.c:5147
 preempt_schedule_common+0x45/0xc0 kernel/sched/core.c:5307
 preempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:35
 __raw_spin_unlock include/linux/spinlock_api_smp.h:152 [inline]
 _raw_spin_unlock+0x36/0x40 kernel/locking/spinlock.c:183
 spin_unlock include/linux/spinlock.h:394 [inline]
 lockref_put_or_lock+0x43/0x60 lib/lockref.c:178
 fast_dput fs/dcache.c:750 [inline]
 dput+0x2f2/0x890 fs/dcache.c:875
 shmem_unlink+0x168/0x2a0 mm/shmem.c:2968
 shmem_rename2+0xeb/0x680 mm/shmem.c:3063
 vfs_rename+0xb66/0x1480 fs/namei.c:4541
 do_renameat2+0x5d2/0xa50 fs/namei.c:4696
 __do_sys_rename fs/namei.c:4745 [inline]
 __se_sys_rename fs/namei.c:4743 [inline]
 __x64_sys_rename+0x78/0x90 fs/namei.c:4743
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Second to last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:345
 __call_rcu kernel/rcu/tree.c:3038 [inline]
 call_rcu+0xb1/0x750 kernel/rcu/tree.c:3113
 context_switch kernel/sched/core.c:4342 [inline]
 __schedule+0x8eb/0x23a0 kernel/sched/core.c:5147
 schedule+0xcf/0x270 kernel/sched/core.c:5226
 freezable_schedule include/linux/freezer.h:172 [inline]
 futex_wait_queue_me+0x292/0x520 kernel/futex.c:2606
 futex_wait+0x19f/0x550 kernel/futex.c:2708
 do_futex+0x1c7/0x1240 kernel/futex.c:3732
 __do_sys_futex kernel/futex.c:3805 [inline]
 __se_sys_futex kernel/futex.c:3786 [inline]
 __x64_sys_futex+0x177/0x450 kernel/futex.c:3786
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888010728000
 which belongs to the cache task_struct of size 6976
The buggy address is located 40 bytes inside of
 6976-byte region [ffff888010728000, ffff888010729b40)
The buggy address belongs to the page:
page:ffffea000041ca00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10728
head:ffffea000041ca00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888140005140
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888010727f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888010727f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888010728000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff888010728080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888010728100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
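The log above is raw syzbot output. As an added triage helper (my own code, not syzbot's or the kernel's), the Python below parses an abridged copy of that log: it tallies run outcomes per tested commit (the tally behind "the crash still happens on HEAD") and then reads the KASAN report the way a reviewer would by hand, computing that the 4-byte write at ffff888010728028 lands 40 bytes into the task_struct object and that the shadow byte under the caret, 0xfb, marks a freed slab object. The shadow byte meanings are those of generic KASAN in mm/kasan/kasan.h for 5.x kernels; the function names and the abridged LOG sample are my own.

```python
"""Triage helper for a syzbot fix-bisection log and the generic-KASAN report
it carries: tallies crash titles per tested commit, then locates the faulting
access inside the slab object and decodes its shadow byte.
Added example; not syzbot or kernel code."""
import re
from collections import Counter

GRANULE = 8  # generic KASAN: one shadow byte covers 8 bytes of memory

# Shadow byte values of generic KASAN (mm/kasan/kasan.h, 5.x kernels);
# 0x00..0x07 mean the granule is fully or partially addressable.
SHADOW = {
    0xfa: "freed object (first granule, holds the free track)",
    0xfb: "freed object",
    0xfc: "slab redzone",
    0xfe: "page redzone",
    0xff: "freed page",
}

# Abridged copy of the log on this page (only a few run lines kept).
LOG = """\
bisecting fixing commit since 2f7b98d1e55ccd34e4998bf5f321ec7b9d6b451b
testing commit 2f7b98d1e55ccd34e4998bf5f321ec7b9d6b451b with gcc (GCC) 10.2.1 20210217
run #0: crashed: KASAN: use-after-free Write in ext4_put_super
run #14: crashed: INFO: task hung in ext4_put_super
run #18: OK
run #19: OK
testing current HEAD d07f6ca923ea0927a1024dfccafc5b53b61cfecc
testing commit d07f6ca923ea0927a1024dfccafc5b53b61cfecc with gcc (GCC) 10.2.1 20210217
run #0: crashed: KASAN: use-after-free Write in ext4_put_super
run #5: crashed: INFO: task hung in ext4_put_super
the crash still happens on HEAD
BUG: KASAN: use-after-free in kthread_stop+0x58/0x4f0 kernel/kthread.c:637
Write of size 4 at addr ffff888010728028 by task syz-executor.2/8801
The buggy address belongs to the object at ffff888010728000
 which belongs to the cache task_struct of size 6976
The buggy address is located 40 bytes inside of
 6976-byte region [ffff888010728000, ffff888010729b40)
Memory state around the buggy address:
 ffff888010727f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888010728000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff888010728080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""


def bisect_runs(log):
    """Map each 'testing commit <sha>' block to a Counter of run outcomes."""
    runs, commit = {}, None
    for line in log.splitlines():
        m = re.match(r"testing commit ([0-9a-f]{40})", line)
        if m:
            commit = m.group(1)
            runs[commit] = Counter()
            continue
        m = re.match(r"run #\d+: (?:crashed: (.*)|(OK))$", line)
        if m and commit is not None:
            title = m.group(1) if m.group(1) is not None else "OK"
            runs[commit][title] += 1
    return runs


def crash_rate(outcomes):
    """Fraction of runs that crashed (under any title) for one commit."""
    total = sum(outcomes.values())
    return (total - outcomes["OK"]) / total if total else 0.0


def parse_kasan(log):
    """Extract the access, the slab object and the shadow rows from the report."""
    bug = re.search(r"BUG: KASAN: (\S+) in (\S+)", log)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", log)
    obj = re.search(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)", log)
    shadow = {}  # memory address of each 8-byte granule -> its shadow byte
    for row, cells in re.findall(r"^[> ]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", log, re.M):
        base = int(row, 16)
        for i, cell in enumerate(cells.split()):
            shadow[base + i * GRANULE] = int(cell, 16)
    return {
        "kind": bug.group(1), "func": bug.group(2),
        "access": acc.group(1), "size": int(acc.group(2)),
        "addr": int(acc.group(3), 16), "task": acc.group(4),
        "object": int(obj.group(1), 16), "cache": obj.group(2),
        "obj_size": int(obj.group(3)), "shadow": shadow,
    }


def explain(report):
    """Offset of the access inside the object plus the meaning of its shadow byte."""
    addr, obj = report["addr"], report["object"]
    offset = addr - obj
    byte = report["shadow"].get(addr - addr % GRANULE)
    if byte is None:
        meaning = "shadow row not in report"
    elif byte < GRANULE:
        meaning = "addressable" if byte == 0 else f"partially addressable ({byte} bytes)"
    else:
        meaning = SHADOW.get(byte, f"unknown shadow value {byte:#x}")
    return {"offset": offset, "inside": 0 <= offset < report["obj_size"],
            "shadow_byte": byte, "shadow_meaning": meaning}


if __name__ == "__main__":
    for sha, outcomes in bisect_runs(LOG).items():
        print(f"{sha[:12]} crash rate {crash_rate(outcomes):.0%}: {dict(outcomes)}")
    rep = parse_kasan(LOG)
    why = explain(rep)
    print(f"{rep['access']} of {rep['size']} bytes at {rep['addr']:#x} in {rep['func']}: "
          f"{why['offset']} bytes into a {rep['cache']} object, "
          f"shadow {why['shadow_byte']:#x} = {why['shadow_meaning']}")
```

The per-commit tally is what distinguishes a flaky reproducer from a fixed one: both revisions here still crash in most runs, so the bisection correctly reports no fixing commit. The shadow decode confirms the report's own diagnosis from the raw bytes rather than from the summary line, which is worth doing whenever the "located N bytes inside" text and the caret row disagree.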