On Mon, May 11, 2020 at 11:55:16PM -0700, syzbot wrote: > Hello, > > syzbot found the following crash on: This is like https://lore.kernel.org/linux-nfs/0000000000005016dd05a5e6b308@xxxxxxxxxx/ in that we're discovering the drc is corrupt while destroying it. I don't see the problem yet. --b. > > HEAD commit: 6e7f2eac Merge tag 'arm64-fixes' of git://git.kernel.org/p.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=14567034100000 > kernel config: https://syzkaller.appspot.com/x/.config?x=b0212dbee046bc1f > dashboard link: https://syzkaller.appspot.com/bug?extid=a29df412692980277f9d > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > > Unfortunately, I don't have any reproducer for this crash yet. > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+a29df412692980277f9d@xxxxxxxxxxxxxxxxxxxxxxxxx > > general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN > KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] > CPU: 0 PID: 27932 Comm: kworker/u4:4 Not tainted 5.7.0-rc4-syzkaller #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 > Workqueue: netns cleanup_net > RIP: 0010:nfsd_reply_cache_free_locked+0x2d/0x380 fs/nfsd/nfscache.c:122 > Code: 56 41 55 41 54 49 89 fc 55 48 89 f5 53 48 89 d3 e8 08 c0 2f ff 48 8d 7d 61 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 a7 02 00 00 > RSP: 0018:ffffc90008bb7b70 EFLAGS: 00010202 > RAX: dffffc0000000000 RBX: ffff888000026000 RCX: dffffc0000000000 > RDX: 0000000000000002 RSI: ffffffff82436ea8 RDI: 0000000000000011 > RBP: ffffffffffffffb0 R08: ffff888093792400 R09: fffffbfff185cf3e > R10: ffffffff8c2e79ef R11: fffffbfff185cf3d R12: ffff888000100000 > R13: ffff888000100008 R14: 0000000000000000 R15: ffff888000100000 > FS: 0000000000000000(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000001b2c531000 CR3: 00000000685a2000 CR4: 00000000001426f0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > Call Trace: > nfsd_reply_cache_shutdown+0x150/0x350 fs/nfsd/nfscache.c:203 > nfsd_exit_net+0x189/0x4c0 fs/nfsd/nfsctl.c:1504 > ops_exit_list.isra.0+0xa8/0x150 net/core/net_namespace.c:186 > cleanup_net+0x511/0xa50 net/core/net_namespace.c:603 > process_one_work+0x965/0x16a0 kernel/workqueue.c:2268 > worker_thread+0x96/0xe20 kernel/workqueue.c:2414 > kthread+0x388/0x470 kernel/kthread.c:268 > ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 > Modules linked in: > ---[ end trace 54f06072fc6a1afa ]--- > RIP: 0010:nfsd_reply_cache_free_locked+0x2d/0x380 fs/nfsd/nfscache.c:122 > Code: 56 41 55 41 54 49 89 fc 55 48 89 f5 53 48 89 d3 e8 08 c0 2f ff 48 8d 7d 61 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 a7 02 00 00 > RSP: 0018:ffffc90008bb7b70 EFLAGS: 00010202 > RAX: dffffc0000000000 RBX: ffff888000026000 RCX: dffffc0000000000 > RDX: 0000000000000002 RSI: ffffffff82436ea8 RDI: 0000000000000011 > RBP: ffffffffffffffb0 R08: ffff888093792400 R09: fffffbfff185cf3e > R10: ffffffff8c2e79ef R11: fffffbfff185cf3d R12: ffff888000100000 > R13: ffff888000100008 R14: 0000000000000000 R15: ffff888000100000 > FS: 0000000000000000(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000001b2c531000 CR3: 0000000094cfb000 CR4: 00000000001426f0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > > > --- > This bug is generated by a bot. It may contain errors. > See https://goo.gl/tpsmEJ for more information about syzbot. > syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx. > > syzbot will keep track of this bug report. See: > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.