==================================================================
BUG: KASAN: use-after-free in d_inode include/linux/dcache.h:522 [inline]
BUG: KASAN: use-after-free in relay_switch_subbuf+0x8d5/0x940 kernel/relay.c:761
Read of size 8 at addr ffff888017814f18 by task syz-executor.4/11848

CPU: 1 PID: 11848 Comm: syz-executor.4 Not tainted 5.10.207 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x167 lib/dump_stack.c:118
 print_address_description.constprop.0+0x1c/0x220 mm/kasan/report.c:377
 __kasan_report mm/kasan/report.c:537 [inline]
 kasan_report.cold+0x37/0x7c mm/kasan/report.c:554
 d_inode include/linux/dcache.h:522 [inline]
 relay_switch_subbuf+0x8d5/0x940 kernel/relay.c:761
 relay_reserve include/linux/relay.h:261 [inline]
 trace_note.constprop.0+0x42f/0x550 kernel/trace/blktrace.c:95
 trace_note_tsk kernel/trace/blktrace.c:126 [inline]
 __blk_add_trace.constprop.0+0xa7a/0xbd0 kernel/trace/blktrace.c:266
 blk_add_trace_rq.constprop.0+0x3bd/0x4f0 kernel/trace/blktrace.c:844
 trace_block_rq_issue include/trace/events/block.h:204 [inline]
 blk_mq_start_request+0x20e/0x3f0 block/blk-mq.c:738
 scsi_queue_rq+0x1048/0x27f0 drivers/scsi/scsi_lib.c:1688
 blk_mq_dispatch_rq_list+0x372/0x1c30 block/blk-mq.c:1373
 __blk_mq_sched_dispatch_requests+0x263/0x450 block/blk-mq-sched.c:315
 blk_mq_sched_dispatch_requests+0xfb/0x180 block/blk-mq-sched.c:348
 __blk_mq_run_hw_queue+0x12c/0x290 block/blk-mq.c:1522
 __blk_mq_delay_run_hw_queue+0x4f1/0x550 block/blk-mq.c:1599
 blk_mq_run_hw_queue+0x170/0x2f0 block/blk-mq.c:1652
 blk_mq_sched_insert_request+0x384/0x440 block/blk-mq-sched.c:476
 blk_execute_rq+0xd4/0x1c0 block/blk-exec.c:86
 sg_scsi_ioctl+0x530/0x7b0 block/scsi_ioctl.c:496
 sg_ioctl_common+0xdf7/0x2570 drivers/scsi/sg.c:1104
 sg_ioctl+0x8f/0x120 drivers/scsi/sg.c:1158
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x62/0xc7
RIP: 0033:0x7fc5678e0b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc564e56188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fc5679f3f60 RCX: 00007fc5678e0b19
RDX: 00000000200002c0 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 00007fc56793af6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc3e6cd2ef R14: 00007fc564e56300 R15: 0000000000022000

Allocated by task 103:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc9/0xd0 mm/kasan/common.c:461
 slab_post_alloc_hook mm/slab.h:532 [inline]
 slab_alloc_node mm/slub.c:2896 [inline]
 slab_alloc mm/slub.c:2904 [inline]
 kmem_cache_alloc+0x13b/0x310 mm/slub.c:2909
 __d_alloc+0x2a/0x990 fs/dcache.c:1709
 d_alloc fs/dcache.c:1788 [inline]
 d_alloc_parallel+0x111/0x1bc0 fs/dcache.c:2540
 __lookup_slow+0x193/0x490 fs/namei.c:1541
 lookup_slow fs/namei.c:1573 [inline]
 walk_component+0x41e/0x6a0 fs/namei.c:1868
 link_path_walk.part.0+0x699/0xbf0 fs/namei.c:2191
 link_path_walk fs/namei.c:2120 [inline]
 path_openat+0x25a/0x26e0 fs/namei.c:3427
 do_filp_open+0x190/0x3e0 fs/namei.c:3458
 do_sys_openat2+0x171/0x420 fs/open.c:1186
 do_sys_open fs/open.c:1202 [inline]
 __do_sys_openat fs/open.c:1218 [inline]
 __se_sys_openat fs/open.c:1213 [inline]
 __x64_sys_openat+0x13f/0x1f0 fs/open.c:1213
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x62/0xc7

Last call_rcu():
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_record_aux_stack+0xa2/0xb0 mm/kasan/generic.c:346
 __call_rcu kernel/rcu/tree.c:2976 [inline]
 call_rcu+0x8a/0x9c0 kernel/rcu/tree.c:3050
 dentry_free+0x134/0x160 fs/dcache.c:342
 __dentry_kill+0x47d/0x5c0 fs/dcache.c:593
 dentry_kill fs/dcache.c:717 [inline]
 dput+0x6d1/0xc90 fs/dcache.c:878
 handle_mounts fs/namei.c:1401 [inline]
 step_into+0xe1c/0x1ce0 fs/namei.c:1698
 walk_component+0x171/0x6a0 fs/namei.c:1874
 link_path_walk.part.0+0x699/0xbf0 fs/namei.c:2191
 link_path_walk fs/namei.c:2120 [inline]
 path_openat+0x25a/0x26e0 fs/namei.c:3427
 do_filp_open+0x190/0x3e0 fs/namei.c:3458
 do_sys_openat2+0x171/0x420 fs/open.c:1186
 do_sys_open fs/open.c:1202 [inline]
 __do_sys_openat fs/open.c:1218 [inline]
 __se_sys_openat fs/open.c:1213 [inline]
 __x64_sys_openat+0x13f/0x1f0 fs/open.c:1213
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x62/0xc7

Second to last call_rcu():
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_record_aux_stack+0xa2/0xb0 mm/kasan/generic.c:346
 __call_rcu kernel/rcu/tree.c:2976 [inline]
 call_rcu+0x8a/0x9c0 kernel/rcu/tree.c:3050
 dentry_free+0xc3/0x160 fs/dcache.c:350
 __dentry_kill+0x47d/0x5c0 fs/dcache.c:593
 dentry_kill fs/dcache.c:717 [inline]
 dput+0x6d1/0xc90 fs/dcache.c:878
 handle_mounts fs/namei.c:1401 [inline]
 step_into+0xe1c/0x1ce0 fs/namei.c:1698
 walk_component+0x171/0x6a0 fs/namei.c:1874
 lookup_last fs/namei.c:2319 [inline]
 path_lookupat+0x1ba/0x860 fs/namei.c:2343
 filename_lookup+0x1b1/0x570 fs/namei.c:2376
 user_path_at include/linux/namei.h:60 [inline]
 do_faccessat+0x11b/0x8a0 fs/open.c:423
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x62/0xc7

The buggy address belongs to the object at ffff888017814eb0
 which belongs to the cache dentry of size 312
The buggy address is located 104 bytes inside of
 312-byte region [ffff888017814eb0, ffff888017814fe8)
The buggy address belongs to the page:
page:00000000ee1c72e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888017814eb0 pfn:0x17814
head:00000000ee1c72e8 order:1 compound_mapcount:0
flags: 0x100000000010200(slab|head)
raw: 0100000000010200 ffffea00002daf88 ffffea00002d9d08 ffff8880083f9000
raw: ffff888017814eb0 0000000000150014 00000001ffffffff ffff88800ef93001
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88800ef93001

Memory state around the buggy address:
 ffff888017814e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
 ffff888017814e80: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb
>ffff888017814f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff888017814f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
 ffff888017815000: fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00
==================================================================
general protection fault, probably for non-canonical address 0xdffffc000000000a: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000050-0x0000000000000057]
CPU: 1 PID: 11848 Comm: syz-executor.4 Tainted: G    B             5.10.207 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:relay_switch_subbuf+0x216/0x940 kernel/relay.c:761
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 d3 06 00 00 48 ba 00 00 00 00 00 fc ff df 4c 8b 73 68 49 8d 7e 50 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 92 06 00 00 49 8b 55 28 49 8b 5e 50 48 b9 00 00
RSP: 0018:ffff8880529f7560 EFLAGS: 00010016
RAX: 0000000000000001 RBX: ffff888017814eb0 RCX: 000000000000000a
RDX: dffffc0000000000 RSI: ffffffff83d8d8fe RDI: 0000000000000050
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000003
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000040
R13: ffff88800cfe8e00 R14: 0000000000000000 R15: 00000000000000f8
FS:  00007fc564e56700(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2cc21000 CR3: 000000005270c000 CR4: 0000000000350ee0
Call Trace:
 relay_reserve include/linux/relay.h:261 [inline]
 trace_note.constprop.0+0x42f/0x550 kernel/trace/blktrace.c:95
 trace_note_tsk kernel/trace/blktrace.c:126 [inline]
 __blk_add_trace.constprop.0+0xa7a/0xbd0 kernel/trace/blktrace.c:266
 blk_add_trace_rq.constprop.0+0x3bd/0x4f0 kernel/trace/blktrace.c:844
 trace_block_rq_issue include/trace/events/block.h:204 [inline]
 blk_mq_start_request+0x20e/0x3f0 block/blk-mq.c:738
 scsi_queue_rq+0x1048/0x27f0 drivers/scsi/scsi_lib.c:1688
 blk_mq_dispatch_rq_list+0x372/0x1c30 block/blk-mq.c:1373
 __blk_mq_sched_dispatch_requests+0x263/0x450 block/blk-mq-sched.c:315
 blk_mq_sched_dispatch_requests+0xfb/0x180 block/blk-mq-sched.c:348
 __blk_mq_run_hw_queue+0x12c/0x290 block/blk-mq.c:1522
 __blk_mq_delay_run_hw_queue+0x4f1/0x550 block/blk-mq.c:1599
 blk_mq_run_hw_queue+0x170/0x2f0 block/blk-mq.c:1652
 blk_mq_sched_insert_request+0x384/0x440 block/blk-mq-sched.c:476
 blk_execute_rq+0xd4/0x1c0 block/blk-exec.c:86
 sg_scsi_ioctl+0x530/0x7b0 block/scsi_ioctl.c:496
 sg_ioctl_common+0xdf7/0x2570 drivers/scsi/sg.c:1104
 sg_ioctl+0x8f/0x120 drivers/scsi/sg.c:1158
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x62/0xc7
RIP: 0033:0x7fc5678e0b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc564e56188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fc5679f3f60 RCX: 00007fc5678e0b19
RDX: 00000000200002c0 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 00007fc56793af6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc3e6cd2ef R14: 00007fc564e56300 R15: 0000000000022000
Modules linked in:
---[ end trace 5335cac2063c95c6 ]---
RIP: 0010:relay_switch_subbuf+0x216/0x940 kernel/relay.c:761
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 d3 06 00 00 48 ba 00 00 00 00 00 fc ff df 4c 8b 73 68 49 8d 7e 50 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 92 06 00 00 49 8b 55 28 49 8b 5e 50 48 b9 00 00
RSP: 0018:ffff8880529f7560 EFLAGS: 00010016
RAX: 0000000000000001 RBX: ffff888017814eb0 RCX: 000000000000000a
RDX: dffffc0000000000 RSI: ffffffff83d8d8fe RDI: 0000000000000050
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000003
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000040
R13: ffff88800cfe8e00 R14: 0000000000000000 R15: 00000000000000f8
FS:  00007fc564e56700(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2cc21000 CR3: 000000005270c000 CR4: 0000000000350ee0
note: syz-executor.4[11848] exited with preempt_count 6
BUG: sleeping function called from invalid context at include/linux/percpu-rwsem.h:49
in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 11848, name: syz-executor.4
INFO: lockdep is turned off.
irq event stamp: 292
hardirqs last  enabled at (291): [<ffffffff83e610d8>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
hardirqs last  enabled at (291): [<ffffffff83e610d8>] _raw_spin_unlock_irqrestore+0x38/0x40 kernel/locking/spinlock.c:191
hardirqs last disabled at (292): [<ffffffff83e60edf>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (292): [<ffffffff83e60edf>] _raw_spin_lock_irqsave+0x4f/0x60 kernel/locking/spinlock.c:159
softirqs last  enabled at (244): [<ffffffff836deb1c>] do_ipv6_setsockopt.constprop.0+0xf0c/0x4150 net/ipv6/ipv6_sockglue.c:982
softirqs last disabled at (242): [<ffffffff8310f18b>] spin_lock_bh include/linux/spinlock.h:359 [inline]
softirqs last disabled at (242): [<ffffffff8310f18b>] release_sock+0x1b/0x1b0 net/core/sock.c:3096
CPU: 1 PID: 11848 Comm: syz-executor.4 Tainted: G    B D           5.10.207 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x167 lib/dump_stack.c:118
 ___might_sleep.cold+0x141/0x16f kernel/sched/core.c:7301
 percpu_down_read include/linux/percpu-rwsem.h:49 [inline]
 cgroup_threadgroup_change_begin include/linux/cgroup-defs.h:734 [inline]
 exit_signals+0x23/0x8b0 kernel/signal.c:2836
 do_exit+0x27f/0x2600 kernel/exit.c:814
 make_task_dead+0x6c/0x70 kernel/exit.c:935
 rewind_stack_and_make_dead+0x17/0x20 arch/x86/entry/entry_64.S:1521
RIP: 0033:0x7fc5678e0b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc564e56188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fc5679f3f60 RCX: 00007fc5678e0b19
RDX: 00000000200002c0 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 00007fc56793af6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc3e6cd2ef R14: 00007fc564e56300 R15: 0000000000022000
kauditd_printk_skb: 48 callbacks suppressed
audit: type=1326 audit(1705604633.724:3425): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=11841 comm="syz-executor.0" exe="/syz-executor.0" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff469b85b19 code=0x7ffc0000
audit: type=1326 audit(1705604633.725:3426): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=11843 comm="syz-executor.1" exe="/syz-executor.1" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f68ba5d4b19 code=0x7ffc0000
audit: type=1326 audit(1705604633.725:3427): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=11843 comm="syz-executor.1" exe="/syz-executor.1" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f68ba5d4b19 code=0x7ffc0000
audit: type=1326 audit(1705604633.729:3428): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=11843 comm="syz-executor.1" exe="/syz-executor.1" sig=0 arch=c000003e syscall=189 compat=0 ip=0x7f68ba5d4b19 code=0x7ffc0000
audit: type=1326 audit(1705604633.729:3429): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=11843 comm="syz-executor.1" exe="/syz-executor.1" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f68ba5d4b19 code=0x7ffc0000
EXT4-fs (loop3): mounted filesystem without journal. Opts: ,errors=continue
audit: type=1326 audit(1705604633.731:3430): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=11841 comm="syz-executor.0" exe="/syz-executor.0" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff469b85b19 code=0x7ffc0000
audit: type=1326 audit(1705604633.755:3431): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=11841 comm="syz-executor.0" exe="/syz-executor.0" sig=0 arch=c000003e syscall=83 compat=0 ip=0x7ff469b85b19 code=0x7ffc0000
audit: type=1326 audit(1705604633.756:3432): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=11841 comm="syz-executor.0" exe="/syz-executor.0" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff469b85b19 code=0x7ffc0000
audit: type=1326 audit(1705604633.756:3433): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=11841 comm="syz-executor.0" exe="/syz-executor.0" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff469b85b19 code=0x7ffc0000
audit: type=1326 audit(1705604633.757:3434): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=11841 comm="syz-executor.0" exe="/syz-executor.0" sig=0 arch=c000003e syscall=189 compat=0 ip=0x7ff469b85b19 code=0x7ffc0000
----------------
Code disassembly (best guess):
   0:	48 89 fa             	mov    %rdi,%rdx
   3:	48 c1 ea 03          	shr    $0x3,%rdx
   7:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   b:	0f 85 d3 06 00 00    	jne    0x6e4
  11:	48 ba 00 00 00 00 00 	movabs $0xdffffc0000000000,%rdx
  18:	fc ff df
  1b:	4c 8b 73 68          	mov    0x68(%rbx),%r14
  1f:	49 8d 7e 50          	lea    0x50(%r14),%rdi
  23:	48 89 f9             	mov    %rdi,%rcx
  26:	48 c1 e9 03          	shr    $0x3,%rcx
* 2a:	80 3c 11 00          	cmpb   $0x0,(%rcx,%rdx,1) <-- trapping instruction
  2e:	0f 85 92 06 00 00    	jne    0x6c6
  34:	49 8b 55 28          	mov    0x28(%r13),%rdx
  38:	49 8b 5e 50          	mov    0x50(%r14),%rbx
  3c:	48                   	rex.W
  3d:	b9                   	.byte 0xb9