FS-Cache: O-key=[10] '0200020000807f000008'
FS-Cache: N-cookie c=0000000075957f87 [p=00000000fa538f39 fl=2 nc=0 na=1]
FS-Cache: N-cookie d=00000000bf5ef13b n=00000000b2fea5c6
FS-Cache: N-key=[10] '0200020000807f000008'
==================================================================
BUG: KASAN: use-after-free in rpc_make_runnable+0x153/0x190 net/sunrpc/sched.c:349
Read of size 2 at addr ffff888094f446a4 by task kworker/u5:0/18928

CPU: 1 PID: 18928 Comm: kworker/u5:0 Not tainted 5.0.0-rc7+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: xprtiod xs_udp_setup_socket
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:187
 kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/generic_report.c:133
 rpc_make_runnable+0x153/0x190 net/sunrpc/sched.c:349
 __rpc_do_wake_up_task_on_wq net/sunrpc/sched.c:444 [inline]
 rpc_wake_up_task_on_wq_queue_action_locked+0x5e5/0xcd0 net/sunrpc/sched.c:461
 rpc_wake_up_task_on_wq_queue_locked net/sunrpc/sched.c:473 [inline]
 rpc_wake_up_task_queue_locked net/sunrpc/sched.c:481 [inline]
 rpc_wake_up+0x94/0xe0 net/sunrpc/sched.c:657
 xprt_wake_pending_tasks+0x14/0x20 net/sunrpc/xprt.c:507
 xs_udp_setup_socket+0x9f/0x6a0 net/sunrpc/xprtsock.c:2103
 process_one_work+0x835/0x16b0 kernel/workqueue.c:2173
 worker_thread+0x85/0xb60 kernel/workqueue.c:2319
kobject: 'loop4' (00000000281a755c): fill_kobj_path: path = '/devices/virtual/block/loop4'
 kthread+0x327/0x3f0 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 19424:
 save_stack+0x43/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.constprop.9+0xcb/0xd0 mm/kasan/common.c:496
 kasan_kmalloc mm/kasan/common.c:504 [inline]
 kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:411
 kmem_cache_alloc+0x130/0x730 mm/slab.c:3543
 mempool_alloc_slab+0x3a/0x50 mm/mempool.c:505
 mempool_alloc+0x11b/0x320 mm/mempool.c:385
 rpc_alloc_task net/sunrpc/sched.c:1014 [inline]
 rpc_new_task+0x4fa/0x660 net/sunrpc/sched.c:1026
 rpc_run_task+0x19/0x670 net/sunrpc/clnt.c:1057
 rpc_call_sync+0xa3/0x140 net/sunrpc/clnt.c:1095
 rpc_ping net/sunrpc/clnt.c:2529 [inline]
 rpc_create_xprt+0x25b/0x3d0 net/sunrpc/clnt.c:480
 rpc_create+0x2ba/0x4f0 net/sunrpc/clnt.c:588
 nfs_create_rpc_client+0x32d/0x550 fs/nfs/client.c:517
 nfs_init_client+0x53/0xd0 fs/nfs/client.c:629
 nfs_get_client+0x783/0x1160 fs/nfs/client.c:419
 nfs_init_server+0x1fd/0xcf0 fs/nfs/client.c:665
 nfs_create_server+0x72/0x4f0 fs/nfs/client.c:949
 nfs_try_mount+0x15c/0x790 fs/nfs/super.c:1873
 nfs_fs_mount+0x13bc/0x21f0 fs/nfs/super.c:2691
 mount_fs+0xd3/0x341 fs/super.c:1258
 vfs_kern_mount.part.35+0x58/0x3d0 fs/namespace.c:959
 vfs_kern_mount fs/namespace.c:949 [inline]
 do_new_mount fs/namespace.c:2513 [inline]
 do_mount+0x3ba/0x2890 fs/namespace.c:2847
 ksys_mount+0xba/0xe0 fs/namespace.c:3063
 __do_sys_mount fs/namespace.c:3077 [inline]
 __se_sys_mount fs/namespace.c:3074 [inline]
 __x64_sys_mount+0xb9/0x150 fs/namespace.c:3074
 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 19424:
 save_stack+0x43/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
 __cache_free mm/slab.c:3487 [inline]
 kmem_cache_free+0x83/0x290 mm/slab.c:3749
 mempool_free_slab+0x12/0x20 mm/mempool.c:512
 mempool_free+0xcb/0x310 mm/mempool.c:494
 rpc_free_task+0x10b/0x140 net/sunrpc/sched.c:1064
 rpc_final_put_task+0xe9/0x120 net/sunrpc/sched.c:1090
 rpc_do_put_task+0x34/0x40 net/sunrpc/sched.c:1097
 rpc_put_task+0xb/0x10 net/sunrpc/sched.c:1103
 rpc_call_sync+0x119/0x140 net/sunrpc/clnt.c:1099
 rpc_ping net/sunrpc/clnt.c:2529 [inline]
 rpc_create_xprt+0x25b/0x3d0 net/sunrpc/clnt.c:480
 rpc_create+0x2ba/0x4f0 net/sunrpc/clnt.c:588
 nfs_create_rpc_client+0x32d/0x550 fs/nfs/client.c:517
 nfs_init_client+0x53/0xd0 fs/nfs/client.c:629
 nfs_get_client+0x783/0x1160 fs/nfs/client.c:419
 nfs_init_server+0x1fd/0xcf0 fs/nfs/client.c:665
 nfs_create_server+0x72/0x4f0 fs/nfs/client.c:949
 nfs_try_mount+0x15c/0x790 fs/nfs/super.c:1873
 nfs_fs_mount+0x13bc/0x21f0 fs/nfs/super.c:2691
 mount_fs+0xd3/0x341 fs/super.c:1258
 vfs_kern_mount.part.35+0x58/0x3d0 fs/namespace.c:959
 vfs_kern_mount fs/namespace.c:949 [inline]
 do_new_mount fs/namespace.c:2513 [inline]
 do_mount+0x3ba/0x2890 fs/namespace.c:2847
 ksys_mount+0xba/0xe0 fs/namespace.c:3063
 __do_sys_mount fs/namespace.c:3077 [inline]
 __se_sys_mount fs/namespace.c:3074 [inline]
 __x64_sys_mount+0xb9/0x150 fs/namespace.c:3074
 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888094f445c0
 which belongs to the cache rpc_tasks of size 240
The buggy address is located 228 bytes inside of
 240-byte region [ffff888094f445c0, ffff888094f446b0)
The buggy address belongs to the page:
page:ffffea000253d100 count:1 mapcount:0 mapping:ffff888219c28c40 index:0xffff888094f44e80
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea00025d62c8 ffffea000254b008 ffff888219c28c40
raw: ffff888094f44e80 ffff888094f440c0 000000010000000a 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888094f44580: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff888094f44600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888094f44680: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
                               ^
 ffff888094f44700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888094f44780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
==================================================================