[Android 5.4] VFS: Busy inodes after unmount (use-after-free)


syzbot

Feb 25, 2023, 5:19:39 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 66c3e3ab77a2 ANDROID: incremental fs: Move throttling to o..
git tree: android12-5.4
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17eb3c08c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e270749e5a0ba365
dashboard link: https://syzkaller.appspot.com/bug?extid=753d245e8fa96e237679
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=176dd650c80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15f4c2b0c80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/029d1aebaf93/disk-66c3e3ab.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ff5b0997f038/vmlinux-66c3e3ab.xz
kernel image: https://storage.googleapis.com/syzbot-assets/58aab7df3af3/bzImage-66c3e3ab.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+753d24...@syzkaller.appspotmail.com

VFS: Busy inodes after unmount of ramfs. Self-destruct in 5 seconds. Have a nice day...


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Feb 25, 2023, 6:03:49 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 416c4356f372 Merge 5.10.161 into android12-5.10-lts
git tree: android12-5.10-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1053ab3b480000
kernel config: https://syzkaller.appspot.com/x/.config?x=ba29236d2f217808
dashboard link: https://syzkaller.appspot.com/bug?extid=ded3c39db7eda48031d9
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13b61350c80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13d16874c80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0149809cf436/disk-416c4356.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2bf0b26aed77/vmlinux-416c4356.xz
kernel image: https://storage.googleapis.com/syzbot-assets/224b4978be5c/bzImage-416c4356.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ded3c3...@syzkaller.appspotmail.com

syzbot

Feb 25, 2023, 7:11:37 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 5448b2fda85f Merge 5.15.94 into android13-5.15-lts
git tree: android13-5.15-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1113507f480000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb55b12f877ddc70
dashboard link: https://syzkaller.appspot.com/bug?extid=c437f56eb02121c8b076
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=161050c0c80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1199963cc80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/24924398a010/disk-5448b2fd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e244d5b44fff/vmlinux-5448b2fd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/bc13eddc3000/bzImage-5448b2fd.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c437f5...@syzkaller.appspotmail.com

syzbot

Feb 25, 2023, 10:09:20 PM
to syzkaller-a...@googlegroups.com
syzbot has bisected this issue to:

commit 3e45af8a72c01c7e00c26e9df6089f7412ab3ec2
Author: Tadeusz Struk <tadeus...@linaro.org>
Date: Wed Mar 9 01:20:15 2022 +0000

ANDROID: incremental-fs: limit mount stack depth

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=141ea1a8c80000
start commit: 416c4356f372 Merge 5.10.161 into android12-5.10-lts
git tree: android12-5.10-lts
final oops: https://syzkaller.appspot.com/x/report.txt?x=161ea1a8c80000
console output: https://syzkaller.appspot.com/x/log.txt?x=121ea1a8c80000
Reported-by: syzbot+ded3c3...@syzkaller.appspotmail.com
Fixes: 3e45af8a72c0 ("ANDROID: incremental-fs: limit mount stack depth")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

syzbot

Jun 25, 2023, 7:02:48 PM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.

syzbot

Jul 15, 2023, 2:00:40 AM
to syzkaller-a...@googlegroups.com
syzbot suspects this issue was fixed by commit:

commit 2a6853c0ea03029ba56af757ca008c3e49d29b91
Author: Paolo Abeni <pab...@redhat.com>
Date: Tue Feb 7 13:04:15 2023 +0000

mptcp: fix locking for in-kernel listener creation

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11a00de4a80000
start commit: 5448b2fda85f Merge 5.15.94 into android13-5.15-lts
git tree: android13-5.15-lts
If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: mptcp: fix locking for in-kernel listener creation

syzbot

Aug 20, 2023, 11:35:37 AM
to syzkaller-a...@googlegroups.com

syzbot

Sep 15, 2023, 4:27:42 PM
to syzkaller-a...@googlegroups.com