Console output from a 5.0.0-rc2-syzkaller kernel. Two reports were printed concurrently and interleaved on the console: a KASAN use-after-free hit by the afs_manage_cell worker on CPU 1, and a proc_register WARNING (fatal because panic_on_warn is set) from the afs_manage_cell worker on CPU 0. They are separated below.

FS-Cache: O-key=[10] '5e5d375b2b255d28247b'
FS-Cache: N-cookie c=0000000012d4d2a6 [p=00000000bfe85683 fl=2 nc=0 na=1]
FS-Cache: N-cookie d=0000000008a5e808 n=0000000097ea05d3
FS-Cache: N-key=[10] '5e5d375b2b255d28247b'
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:352 [inline]
BUG: KASAN: use-after-free in __d_alloc+0x164/0x8a0 fs/dcache.c:1630
Read of size 10 at addr ffff8880a84051b1 by task kworker/1:3/7432

CPU: 1 PID: 7432 Comm: kworker/1:3 Not tainted 5.0.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: afs afs_manage_cell
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x165/0x21a lib/dump_stack.c:113
 print_address_description.cold.3+0x9/0x211 mm/kasan/report.c:187
 kasan_report.cold.4+0x1b/0x37 mm/kasan/report.c:317
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x13c/0x1b0 mm/kasan/generic.c:191
 memcpy+0x23/0x50 mm/kasan/common.c:130
 memcpy include/linux/string.h:352 [inline]
 __d_alloc+0x164/0x8a0 fs/dcache.c:1630
 d_alloc+0x43/0x250 fs/dcache.c:1678
 d_alloc_parallel+0xf3/0x1570 fs/dcache.c:2421
 __lookup_slow+0x18d/0x3f0 fs/namei.c:1654
 lookup_one_len+0x132/0x160 fs/namei.c:2543
 afs_dynroot_mkdir+0x12b/0x1f0 fs/afs/dynroot.c:206
 afs_activate_cell fs/afs/cell.c:570 [inline]
 afs_manage_cell+0x534/0xe50 fs/afs/cell.c:633
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153
 worker_thread+0x85/0xb60 kernel/workqueue.c:2296
 kthread+0x324/0x3e0 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 23116:
 save_stack mm/kasan/common.c:73 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.part.0+0x66/0x100 mm/kasan/common.c:496
 __kasan_kmalloc.constprop.1+0xb5/0xc0 mm/kasan/common.c:477
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:504
 kmem_cache_alloc_trace+0x15b/0x3d0 mm/slab.c:3609
 kmalloc include/linux/slab.h:545 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 afs_alloc_cell fs/afs/cell.c:141 [inline]
 afs_lookup_cell+0x14a/0xb70 fs/afs/cell.c:229
 afs_parse_source fs/afs/super.c:280 [inline]
 afs_parse_param+0x322/0x9f0 fs/afs/super.c:332
 vfs_parse_fs_param+0x228/0x470 fs/fs_context.c:147
 vfs_parse_fs_string+0xb8/0x110 fs/fs_context.c:190
 generic_parse_monolithic+0x117/0x190 fs/fs_context.c:230
 parse_monolithic_mount_data+0x5c/0x83 fs/fs_context.c:641
 do_new_mount fs/namespace.c:2618 [inline]
 do_mount+0x10e4/0x2ae0 fs/namespace.c:2942
 ksys_mount+0xba/0xe0 fs/namespace.c:3151
 __do_sys_mount fs/namespace.c:3165 [inline]
 __se_sys_mount fs/namespace.c:3162 [inline]
 __x64_sys_mount+0xb9/0x150 fs/namespace.c:3162
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 16:
 save_stack mm/kasan/common.c:73 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x13c/0x220 mm/kasan/common.c:458
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
 __cache_free mm/slab.c:3487 [inline]
 kfree+0xcf/0x220 mm/slab.c:3806
 afs_cell_destroy+0xd3/0x110 fs/afs/cell.c:438
 __rcu_reclaim kernel/rcu/rcu.h:240 [inline]
 rcu_do_batch kernel/rcu/tree.c:2452 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2773 [inline]
 rcu_process_callbacks+0x8a7/0x12e0 kernel/rcu/tree.c:2754
 __do_softirq+0x25e/0x958 kernel/softirq.c:292

The buggy address belongs to the object at ffff8880a8405080
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 305 bytes inside of
 512-byte region [ffff8880a8405080, ffff8880a8405280)
The buggy address belongs to the page:
page:ffffea0002a10140 count:1 mapcount:0 mapping:ffff88812c3f6940 index:0xffff8880a8405d00
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002585688 ffffea000258b9c8 ffff88812c3f6940
raw: ffff8880a8405d00 ffff8880a8405080 0000000100000005 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a8405080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a8405100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a8405180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8880a8405200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a8405280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

------------[ cut here ]------------
proc_dir_entry 'afs/^]7[+%](${' already registered
WARNING: CPU: 0 PID: 12 at fs/proc/generic.c:360 proc_register+0x2c3/0x490 fs/proc/generic.c:359
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.0.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: afs afs_manage_cell
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x165/0x21a lib/dump_stack.c:113
 panic+0x212/0x40b kernel/panic.c:214
 __warn.cold.7+0x1b/0x38 kernel/panic.c:571
 report_bug+0x1a4/0x200 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
RIP: 0010:proc_register+0x2c3/0x490 fs/proc/generic.c:359
Code: 00 00 fc ff df 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 c1 01 00 00 49 8b b4 24 c8 00 00 00 48 c7 c7 60 84 55 87 e8 d0 06 82 ff <0f> 0b 48 c7 c7 c0 95 86 88 e8 9f ec 45 05 4c 89 ea 48 b8 00 00 00
RSP: 0018:ffff8880a984fa88 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffed1013fcbaf2 RCX: 0000000000000000
RDX: 0000000000000004 RSI: ffffffff878b6d60 RDI: ffffffff8a3add60
RBP: ffff8880a984fad8 R08: ffffed1015d05029 R09: ffffed1015d05028
R10: ffffed1015d05028 R11: ffff8880ae828147 R12: ffff8882163e8300
R13: ffff88809fe5d744 R14: ffff88809fe5d788 R15: ffff88809fe5d6c0
 proc_mkdir_data+0x13a/0x220 fs/proc/generic.c:473
 proc_net_mkdir include/linux/proc_fs.h:124 [inline]
 afs_proc_cell_setup+0x92/0x170 fs/afs/proc.c:613
 afs_activate_cell fs/afs/cell.c:553 [inline]
 afs_manage_cell+0x42f/0xe50 fs/afs/cell.c:633
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153
 worker_thread+0x85/0xb60 kernel/workqueue.c:2296
 kthread+0x324/0x3e0 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Kernel Offset: disabled
Rebooting in 86400 seconds..
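The numbers in a KASAN report can be cross-checked mechanically before anyone reads the stacks, and doing so here ties the two reports together: the faulting address lies 305 bytes into a freed kmalloc-512 object (shadow byte fb), the access is 10 bytes, and the FS-Cache key '5e5d375b2b255d28247b' decodes to the same 10-byte cell name that the proc_register WARNING prints. The triage script below is an added example, not part of the syzkaller report or the kernel tree; the embedded REPORT text is a constructed excerpt of the lines above, and the shadow-byte table is taken from generic KASAN's mm/kasan/kasan.h. That afs uses the cell name as its FS-Cache index key is an assumption the script makes explicit by checking the decoded key against the proc entry name.

```python
"""Triage helper for a KASAN use-after-free report (added example)."""
import re

# Constructed sample: the relevant lines of the report on this page.
REPORT = """\
BUG: KASAN: use-after-free in memcpy include/linux/string.h:352 [inline]
BUG: KASAN: use-after-free in __d_alloc+0x164/0x8a0 fs/dcache.c:1630
Read of size 10 at addr ffff8880a84051b1 by task kworker/1:3/7432
The buggy address belongs to the object at ffff8880a8405080
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 305 bytes inside of
 512-byte region [ffff8880a8405080, ffff8880a8405280)
Memory state around the buggy address:
 ffff8880a8405080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a8405100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a8405180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a8405200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a8405280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""
FSCACHE_KEY = "5e5d375b2b255d28247b"   # from the "FS-Cache: N-key=[10]" line
PROC_NAME = "afs/^]7[+%](${"           # from the proc_register WARNING

KASAN_SHADOW_SCALE = 8  # one shadow byte describes 8 bytes of memory
# Shadow values of generic KASAN (mm/kasan/kasan.h); 0x00 means fully addressable.
SHADOW_MEANING = {
    0x00: "addressable",
    0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
    0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)",
    0xfe: "page redzone (KASAN_PAGE_REDZONE)",
    0xff: "freed page (KASAN_FREE_PAGE)",
}


def parse_report(text):
    """Extract the access, object and region facts a KASAN report states."""
    bugs = re.findall(r"BUG: KASAN: (\S+) in (\S+)", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    obj = re.search(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+)", text)
    reg = re.search(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", text)
    stated = re.search(r"located (\d+) bytes (inside of|to the right of|to the left of)", text)
    return {
        "bug": bugs[0][0],
        "frames": [frame for _, frame in bugs],      # innermost first
        "op": acc.group(1),
        "size": int(acc.group(2)),
        "addr": int(acc.group(3), 16),
        "object": int(obj.group(1), 16),
        "cache": obj.group(2),
        "region": (int(reg.group(2), 16), int(reg.group(3), 16)),
        "stated_offset": int(stated.group(1)),
    }


def shadow_byte_at(text, addr):
    """Return the shadow byte covering addr from the 'Memory state' dump, or None."""
    for line in text.splitlines():
        m = re.match(r"[> ]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})", line)
        if not m:
            continue
        base = int(m.group(1), 16)
        shadow = [int(b, 16) for b in m.group(2).split()]
        if base <= addr < base + len(shadow) * KASAN_SHADOW_SCALE:
            return shadow[(addr - base) // KASAN_SHADOW_SCALE]
    return None


def triage(text=REPORT):
    """Recompute what the report claims and flag any inconsistency."""
    r = parse_report(text)
    lo, hi = r["region"]
    r["offset"] = r["addr"] - r["object"]
    r["offset_matches_report"] = r["offset"] == r["stated_offset"]
    # A UAF read that stays inside the old object is still a full-size leak/corruption
    # primitive; an access crossing the region end would additionally be an OOB.
    r["access_within_object"] = lo <= r["addr"] and r["addr"] + r["size"] <= hi
    r["shadow"] = shadow_byte_at(text, r["addr"])
    r["shadow_meaning"] = SHADOW_MEANING.get(r["shadow"], "unknown")
    return r


def decode_fscache_key(hexkey):
    """FS-Cache logs cookie keys as hex; decode the raw bytes (latin-1 keeps every byte)."""
    return bytes.fromhex(hexkey).decode("latin-1")


def name_check(hexkey=FSCACHE_KEY, proc_name=PROC_NAME, access_size=10):
    """Does the decoded FS-Cache key match the /proc name and the faulting read size?"""
    name = decode_fscache_key(hexkey)
    return {
        "name": name,
        "matches_proc_entry": proc_name.split("/", 1)[-1] == name,
        "length_matches_access": len(name) == access_size,
    }


if __name__ == "__main__":
    for k, v in triage().items():
        print(f"{k:>24}: {v:#x}" if isinstance(v, int) and k in ("addr", "object") else f"{k:>24}: {v}")
    print(name_check())
```

A consistent result (offset 305 recomputed from the addresses, shadow fb under the access, name length equal to the read size) tells the analyst that the 10-byte memcpy in __d_alloc is copying the cell's name out of an afs_cell that afs_cell_destroy already freed via RCU, and that the same cell name was registered twice under /proc/net/afs, which points at the cell's lifetime, not at dcache or procfs.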