Re: general protection fault in kernfs_kill_sb (2)

2018-05-14 Thread Stephen Rothwell 
Hi Al,

On Mon, 14 May 2018 05:04:15 +0100 Al Viro  wrote:
>
> On Mon, May 14, 2018 at 12:20:16PM +0900, Tetsuo Handa wrote:
> 
> > But there remains a refcount bug because deactivate_locked_super() from
> > kernfs_mount_ns() triggers kobj_ns_drop() from sysfs_kill_sb() via
> > sb->kill_sb() when kobj_ns_drop() is always called by sysfs_mount()
> > if kernfs_mount_ns() returned an error.  
> 
> Trivial:
> 
> unfuck sysfs_mount()
> 
> Signed-off-by: Al Viro 

I noticed this turn up in linux-next today.  Can I ask that you please
add an actual commit message to it before sending it on to Linus.
-- 
Cheers,
Stephen Rothwell


pgpt80ZhcWVlk.pgp
Description: OpenPGP digital signature

Re: general protection fault in kernfs_kill_sb (2)

2018-05-14 Thread Stephen Rothwell 
Hi Al,

On Mon, 14 May 2018 05:04:15 +0100 Al Viro  wrote:
>
> On Mon, May 14, 2018 at 12:20:16PM +0900, Tetsuo Handa wrote:
> 
> > But there remains a refcount bug because deactivate_locked_super() from
> > kernfs_mount_ns() triggers kobj_ns_drop() from sysfs_kill_sb() via
> > sb->kill_sb() when kobj_ns_drop() is always called by sysfs_mount()
> > if kernfs_mount_ns() returned an error.  
> 
> Trivial:
> 
> unfuck sysfs_mount()
> 
> Signed-off-by: Al Viro 

I noticed this turn up in linux-next today.  Can I ask that you please
add an actual commit message to it before sending it on to Linus.
-- 
Cheers,
Stephen Rothwell


pgpt80ZhcWVlk.pgp
Description: OpenPGP digital signature

Re: general protection fault in kernfs_kill_sb (2)

2018-05-13 Thread Al Viro 
On Mon, May 14, 2018 at 05:04:15AM +0100, Al Viro wrote:
> diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c
> index b428d317ae92..92682fcc41f6 100644
> --- a/fs/sysfs/mount.c
> +++ b/fs/sysfs/mount.c
> @@ -25,7 +25,7 @@ static struct dentry *sysfs_mount(struct file_system_type 
> *fs_type,
>  {
>   struct dentry *root;
>   void *ns;
> - bool new_sb;
> + bool new_sb = false;
>  
>   if (!(flags & SB_KERNMOUNT)) {
>   if (!kobj_ns_current_may_mount(KOBJ_NS_TYPE_NET))
> @@ -35,9 +35,9 @@ static struct dentry *sysfs_mount(struct file_system_type 
> *fs_type,
>   ns = kobj_ns_grab_current(KOBJ_NS_TYPE_NET);
>   root = kernfs_mount_ns(fs_type, flags, sysfs_root,
>   SYSFS_MAGIC, _sb, ns);
> - if (IS_ERR(root) || !new_sb)
> + if (!new_sb)
>   kobj_ns_drop(KOBJ_NS_TYPE_NET, ns);
> - else if (new_sb)
> + else if (!IS_ERR(root))
>   root->d_sb->s_iflags |= SB_I_USERNS_VISIBLE;
>  
>   return root;

What we want for that kobj_ns_drop() is "no fs instances created" (== no
->kill_sb(), be it now or later, to drop that kobj reference); for setting
->s_iflags - "new instance successfully set up".

That's it; all we need is new_sb that would be accurate on its own.
The problem is with kludging over the cases when it's left uninitialized
(early exits from kernfs_mount_ns()) with IS_ERR(root), which happens to
grab the cases when new_sb *was* set to true.  So the fix is to initialize
new_sb properly and get rid of that kludge.  Which turns the whole thing
into
if (!new_sb)
...
if (!IS_ERR(root) && new_sb)
...
i.e.
if (!new_sb)
...
else if (!IS_ERR(root))
...

Re: general protection fault in kernfs_kill_sb (2)

2018-05-13 Thread Al Viro 
On Mon, May 14, 2018 at 05:04:15AM +0100, Al Viro wrote:
> diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c
> index b428d317ae92..92682fcc41f6 100644
> --- a/fs/sysfs/mount.c
> +++ b/fs/sysfs/mount.c
> @@ -25,7 +25,7 @@ static struct dentry *sysfs_mount(struct file_system_type 
> *fs_type,
>  {
>   struct dentry *root;
>   void *ns;
> - bool new_sb;
> + bool new_sb = false;
>  
>   if (!(flags & SB_KERNMOUNT)) {
>   if (!kobj_ns_current_may_mount(KOBJ_NS_TYPE_NET))
> @@ -35,9 +35,9 @@ static struct dentry *sysfs_mount(struct file_system_type 
> *fs_type,
>   ns = kobj_ns_grab_current(KOBJ_NS_TYPE_NET);
>   root = kernfs_mount_ns(fs_type, flags, sysfs_root,
>   SYSFS_MAGIC, _sb, ns);
> - if (IS_ERR(root) || !new_sb)
> + if (!new_sb)
>   kobj_ns_drop(KOBJ_NS_TYPE_NET, ns);
> - else if (new_sb)
> + else if (!IS_ERR(root))
>   root->d_sb->s_iflags |= SB_I_USERNS_VISIBLE;
>  
>   return root;

What we want for that kobj_ns_drop() is "no fs instances created" (== no
->kill_sb(), be it now or later, to drop that kobj reference); for setting
->s_iflags - "new instance successfully set up".

That's it; all we need is new_sb that would be accurate on its own.
The problem is with kludging over the cases when it's left uninitialized
(early exits from kernfs_mount_ns()) with IS_ERR(root), which happens to
grab the cases when new_sb *was* set to true.  So the fix is to initialize
new_sb properly and get rid of that kludge.  Which turns the whole thing
into
if (!new_sb)
...
if (!IS_ERR(root) && new_sb)
...
i.e.
if (!new_sb)
...
else if (!IS_ERR(root))
...

Re: general protection fault in kernfs_kill_sb (2)

2018-05-13 Thread Al Viro 
On Mon, May 14, 2018 at 12:20:16PM +0900, Tetsuo Handa wrote:

> But there remains a refcount bug because deactivate_locked_super() from
> kernfs_mount_ns() triggers kobj_ns_drop() from sysfs_kill_sb() via
> sb->kill_sb() when kobj_ns_drop() is always called by sysfs_mount()
> if kernfs_mount_ns() returned an error.

Trivial:

unfuck sysfs_mount()

Signed-off-by: Al Viro 
---
diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c
index b428d317ae92..92682fcc41f6 100644
--- a/fs/sysfs/mount.c
+++ b/fs/sysfs/mount.c
@@ -25,7 +25,7 @@ static struct dentry *sysfs_mount(struct file_system_type 
*fs_type,
 {
struct dentry *root;
void *ns;
-   bool new_sb;
+   bool new_sb = false;
 
if (!(flags & SB_KERNMOUNT)) {
if (!kobj_ns_current_may_mount(KOBJ_NS_TYPE_NET))
@@ -35,9 +35,9 @@ static struct dentry *sysfs_mount(struct file_system_type 
*fs_type,
ns = kobj_ns_grab_current(KOBJ_NS_TYPE_NET);
root = kernfs_mount_ns(fs_type, flags, sysfs_root,
SYSFS_MAGIC, _sb, ns);
-   if (IS_ERR(root) || !new_sb)
+   if (!new_sb)
kobj_ns_drop(KOBJ_NS_TYPE_NET, ns);
-   else if (new_sb)
+   else if (!IS_ERR(root))
root->d_sb->s_iflags |= SB_I_USERNS_VISIBLE;
 
return root;

Re: general protection fault in kernfs_kill_sb (2)

2018-05-13 Thread Al Viro 
On Mon, May 14, 2018 at 12:20:16PM +0900, Tetsuo Handa wrote:

> But there remains a refcount bug because deactivate_locked_super() from
> kernfs_mount_ns() triggers kobj_ns_drop() from sysfs_kill_sb() via
> sb->kill_sb() when kobj_ns_drop() is always called by sysfs_mount()
> if kernfs_mount_ns() returned an error.

Trivial:

unfuck sysfs_mount()

Signed-off-by: Al Viro 
---
diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c
index b428d317ae92..92682fcc41f6 100644
--- a/fs/sysfs/mount.c
+++ b/fs/sysfs/mount.c
@@ -25,7 +25,7 @@ static struct dentry *sysfs_mount(struct file_system_type 
*fs_type,
 {
struct dentry *root;
void *ns;
-   bool new_sb;
+   bool new_sb = false;
 
if (!(flags & SB_KERNMOUNT)) {
if (!kobj_ns_current_may_mount(KOBJ_NS_TYPE_NET))
@@ -35,9 +35,9 @@ static struct dentry *sysfs_mount(struct file_system_type 
*fs_type,
ns = kobj_ns_grab_current(KOBJ_NS_TYPE_NET);
root = kernfs_mount_ns(fs_type, flags, sysfs_root,
SYSFS_MAGIC, _sb, ns);
-   if (IS_ERR(root) || !new_sb)
+   if (!new_sb)
kobj_ns_drop(KOBJ_NS_TYPE_NET, ns);
-   else if (new_sb)
+   else if (!IS_ERR(root))
root->d_sb->s_iflags |= SB_I_USERNS_VISIBLE;
 
return root;

Re: general protection fault in kernfs_kill_sb (2)

2018-05-13 Thread Al Viro 
On Sun, May 13, 2018 at 11:19:46AM +0900, Tetsuo Handa wrote:

> This is what I reported at
> https://groups.google.com/d/msg/syzkaller-bugs/ISOJlV2I2QM/qHslGMi3AwAJ .
> 
> We are currently waiting for comments from Al Viro.

1) the damn thing is unusable without javashit.  Which gets about
the same reaction as sending something.doc in attachment.  Please,
find a less obnoxious way to archive the thing (or to generate
URLs that would work without that garbage).

2) deactivate_locked_super() *WILL* be called when fill_super() fails.
Live with it; it allows to simplify a whole lot of cleanup logics
in various filesystems.  Again, we are not going for a model where
->kill_sb() is not called for something returned by sget().
Rationale: rarely exercised paths tend to rot, so anything that increases
the duplication of bits and pieces of normal teardown into failure exits
of foo_fill_super() is a bloody bad idea.  If anything, we want to take
a lot of stuff out of ->put_super() instances directly into ->kill_sb()
ones, precisely because ->put_super() is only called for fully set up
filesystems.

3) kernfs needs to be fixed.  The rest of the dropped commits were
made redundant by 8e04944f0ea8; this one wasn't.  Mea culpa.

Re: general protection fault in kernfs_kill_sb (2)

2018-05-13 Thread Al Viro 
On Sun, May 13, 2018 at 11:19:46AM +0900, Tetsuo Handa wrote:

> This is what I reported at
> https://groups.google.com/d/msg/syzkaller-bugs/ISOJlV2I2QM/qHslGMi3AwAJ .
> 
> We are currently waiting for comments from Al Viro.

1) the damn thing is unusable without javashit.  Which gets about
the same reaction as sending something.doc in attachment.  Please,
find a less obnoxious way to archive the thing (or to generate
URLs that would work without that garbage).

2) deactivate_locked_super() *WILL* be called when fill_super() fails.
Live with it; it allows to simplify a whole lot of cleanup logics
in various filesystems.  Again, we are not going for a model where
->kill_sb() is not called for something returned by sget().
Rationale: rarely exercised paths tend to rot, so anything that increases
the duplication of bits and pieces of normal teardown into failure exits
of foo_fill_super() is a bloody bad idea.  If anything, we want to take
a lot of stuff out of ->put_super() instances directly into ->kill_sb()
ones, precisely because ->put_super() is only called for fully set up
filesystems.

3) kernfs needs to be fixed.  The rest of the dropped commits were
made redundant by 8e04944f0ea8; this one wasn't.  Mea culpa.

Re: general protection fault in kernfs_kill_sb (2)

2018-05-12 Thread Tetsuo Handa 
On 2018/05/13 2:01, syzbot wrote:
> Call Trace:
>  __list_del_entry include/linux/list.h:117 [inline]
>  list_del include/linux/list.h:125 [inline]
>  kernfs_kill_sb+0xa0/0x350 fs/kernfs/mount.c:361
>  sysfs_kill_sb+0x22/0x40 fs/sysfs/mount.c:50
>  deactivate_locked_super+0x97/0x100 fs/super.c:316
>  kernfs_mount_ns+0x753/0x8e0 fs/kernfs/mount.c:335
>  sysfs_mount+0xdf/0x200 fs/sysfs/mount.c:36
>  mount_fs+0xae/0x328 fs/super.c:1267
>  vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
>  vfs_kern_mount fs/namespace.c:1027 [inline]
>  do_new_mount fs/namespace.c:2518 [inline]
>  do_mount+0x564/0x3070 fs/namespace.c:2848
>  ksys_mount+0x12d/0x140 fs/namespace.c:3064
>  __do_sys_mount fs/namespace.c:3078 [inline]
>  __se_sys_mount fs/namespace.c:3075 [inline]
>  __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
>  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x4426a9
> RSP: 002b:7ffc558bd1b8 EFLAGS: 0246 ORIG_RAX: 00a5
> RAX: ffda RBX:  RCX: 004426a9
> RDX: 20c0 RSI: 2080 RDI: 2040
> RBP: 7ffc558bda60 R08:  R09: 0003
> R10:  R11: 0246 R12: 
> R13: 0004 R14: 1380 R15: 7ffc558bd2f8
> Code: c5 0f 84 cc 00 00 00 48 b8 00 02 00 00 00 00 ad de 49 39 c4 0f 84 a5 00 
> 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 75 5f 
> 49 8b 14 24 48 39 da 0f 85 ba 00 00 00 48 b8
> RIP: __list_del_entry_valid+0x84/0xf3 lib/list_debug.c:51 RSP: 
> 8801aca6f860
> ---[ end trace d148f307a34e229f ]---

This is what I reported at
https://groups.google.com/d/msg/syzkaller-bugs/ISOJlV2I2QM/qHslGMi3AwAJ .

We are currently waiting for comments from Al Viro.

Re: general protection fault in kernfs_kill_sb (2)

2018-05-12 Thread Tetsuo Handa 
On 2018/05/13 2:01, syzbot wrote:
> Call Trace:
>  __list_del_entry include/linux/list.h:117 [inline]
>  list_del include/linux/list.h:125 [inline]
>  kernfs_kill_sb+0xa0/0x350 fs/kernfs/mount.c:361
>  sysfs_kill_sb+0x22/0x40 fs/sysfs/mount.c:50
>  deactivate_locked_super+0x97/0x100 fs/super.c:316
>  kernfs_mount_ns+0x753/0x8e0 fs/kernfs/mount.c:335
>  sysfs_mount+0xdf/0x200 fs/sysfs/mount.c:36
>  mount_fs+0xae/0x328 fs/super.c:1267
>  vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
>  vfs_kern_mount fs/namespace.c:1027 [inline]
>  do_new_mount fs/namespace.c:2518 [inline]
>  do_mount+0x564/0x3070 fs/namespace.c:2848
>  ksys_mount+0x12d/0x140 fs/namespace.c:3064
>  __do_sys_mount fs/namespace.c:3078 [inline]
>  __se_sys_mount fs/namespace.c:3075 [inline]
>  __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
>  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x4426a9
> RSP: 002b:7ffc558bd1b8 EFLAGS: 0246 ORIG_RAX: 00a5
> RAX: ffda RBX:  RCX: 004426a9
> RDX: 20c0 RSI: 2080 RDI: 2040
> RBP: 7ffc558bda60 R08:  R09: 0003
> R10:  R11: 0246 R12: 
> R13: 0004 R14: 1380 R15: 7ffc558bd2f8
> Code: c5 0f 84 cc 00 00 00 48 b8 00 02 00 00 00 00 ad de 49 39 c4 0f 84 a5 00 
> 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 75 5f 
> 49 8b 14 24 48 39 da 0f 85 ba 00 00 00 48 b8
> RIP: __list_del_entry_valid+0x84/0xf3 lib/list_debug.c:51 RSP: 
> 8801aca6f860
> ---[ end trace d148f307a34e229f ]---

This is what I reported at
https://groups.google.com/d/msg/syzkaller-bugs/ISOJlV2I2QM/qHslGMi3AwAJ .

We are currently waiting for comments from Al Viro.

general protection fault in kernfs_kill_sb (2)

2018-05-12 Thread syzbot 

Hello,

syzbot found the following crash on:

HEAD commit:f0ab773f5c96 Merge branch 'akpm' (patches from Andrew)
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=140ce81780
kernel config:  https://syzkaller.appspot.com/x/.config?x=fcce42b221691ff9
dashboard link: https://syzkaller.appspot.com/bug?extid=481ad819c717f6b78df9
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=15078e9780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12bf369780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+481ad819c717f6b78...@syzkaller.appspotmail.com

RBP: 7ffc558bda60 R08:  R09: 0003
R10:  R11: 0246 R12: 
R13: 0004 R14: 1380 R15: 7ffc558bd2f8
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4540 Comm: syz-executor884 Not tainted 4.17.0-rc4+ #43
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

RIP: 0010:__list_del_entry_valid+0x84/0xf3 lib/list_debug.c:51
RSP: 0018:8801aca6f860 EFLAGS: 00010246
RAX: dc00 RBX: 8801ac528498 RCX: 
RDX:  RSI:  RDI: 8801ac5284a0
RBP: 8801aca6f878 R08: fbfff11cc855 R09: fbfff11cc854
R10: 8801aca6f878 R11: 88e642a7 R12: 
R13:  R14: 8801aca6f908 R15: 8801ac528498
FS:  00f86880() GS:8801daf0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 004b6f3c CR3: 0001d973 CR4: 001406e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 __list_del_entry include/linux/list.h:117 [inline]
 list_del include/linux/list.h:125 [inline]
 kernfs_kill_sb+0xa0/0x350 fs/kernfs/mount.c:361
 sysfs_kill_sb+0x22/0x40 fs/sysfs/mount.c:50
 deactivate_locked_super+0x97/0x100 fs/super.c:316
 kernfs_mount_ns+0x753/0x8e0 fs/kernfs/mount.c:335
 sysfs_mount+0xdf/0x200 fs/sysfs/mount.c:36
 mount_fs+0xae/0x328 fs/super.c:1267
 vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x564/0x3070 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4426a9
RSP: 002b:7ffc558bd1b8 EFLAGS: 0246 ORIG_RAX: 00a5
RAX: ffda RBX:  RCX: 004426a9
RDX: 20c0 RSI: 2080 RDI: 2040
RBP: 7ffc558bda60 R08:  R09: 0003
R10:  R11: 0246 R12: 
R13: 0004 R14: 1380 R15: 7ffc558bd2f8
Code: c5 0f 84 cc 00 00 00 48 b8 00 02 00 00 00 00 ad de 49 39 c4 0f 84 a5  
00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00  
75 5f 49 8b 14 24 48 39 da 0f 85 ba 00 00 00 48 b8
RIP: __list_del_entry_valid+0x84/0xf3 lib/list_debug.c:51 RSP:  
8801aca6f860

---[ end trace d148f307a34e229f ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is  
merged

into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug  
report.

Note: all commands must start from beginning of the line in the email body.

general protection fault in kernfs_kill_sb (2)

2018-05-12 Thread syzbot 

Hello,

syzbot found the following crash on:

HEAD commit:f0ab773f5c96 Merge branch 'akpm' (patches from Andrew)
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=140ce81780
kernel config:  https://syzkaller.appspot.com/x/.config?x=fcce42b221691ff9
dashboard link: https://syzkaller.appspot.com/bug?extid=481ad819c717f6b78df9
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=15078e9780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12bf369780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+481ad819c717f6b78...@syzkaller.appspotmail.com

RBP: 7ffc558bda60 R08:  R09: 0003
R10:  R11: 0246 R12: 
R13: 0004 R14: 1380 R15: 7ffc558bd2f8
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4540 Comm: syz-executor884 Not tainted 4.17.0-rc4+ #43
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

RIP: 0010:__list_del_entry_valid+0x84/0xf3 lib/list_debug.c:51
RSP: 0018:8801aca6f860 EFLAGS: 00010246
RAX: dc00 RBX: 8801ac528498 RCX: 
RDX:  RSI:  RDI: 8801ac5284a0
RBP: 8801aca6f878 R08: fbfff11cc855 R09: fbfff11cc854
R10: 8801aca6f878 R11: 88e642a7 R12: 
R13:  R14: 8801aca6f908 R15: 8801ac528498
FS:  00f86880() GS:8801daf0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 004b6f3c CR3: 0001d973 CR4: 001406e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 __list_del_entry include/linux/list.h:117 [inline]
 list_del include/linux/list.h:125 [inline]
 kernfs_kill_sb+0xa0/0x350 fs/kernfs/mount.c:361
 sysfs_kill_sb+0x22/0x40 fs/sysfs/mount.c:50
 deactivate_locked_super+0x97/0x100 fs/super.c:316
 kernfs_mount_ns+0x753/0x8e0 fs/kernfs/mount.c:335
 sysfs_mount+0xdf/0x200 fs/sysfs/mount.c:36
 mount_fs+0xae/0x328 fs/super.c:1267
 vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x564/0x3070 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4426a9
RSP: 002b:7ffc558bd1b8 EFLAGS: 0246 ORIG_RAX: 00a5
RAX: ffda RBX:  RCX: 004426a9
RDX: 20c0 RSI: 2080 RDI: 2040
RBP: 7ffc558bda60 R08:  R09: 0003
R10:  R11: 0246 R12: 
R13: 0004 R14: 1380 R15: 7ffc558bd2f8
Code: c5 0f 84 cc 00 00 00 48 b8 00 02 00 00 00 00 ad de 49 39 c4 0f 84 a5  
00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00  
75 5f 49 8b 14 24 48 39 da 0f 85 ba 00 00 00 48 b8
RIP: __list_del_entry_valid+0x84/0xf3 lib/list_debug.c:51 RSP:  
8801aca6f860

---[ end trace d148f307a34e229f ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is  
merged

into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug  
report.

Note: all commands must start from beginning of the line in the email body.