general protection fault in fuse_ctl_remove_conn

From: syzbot
Date: Fri Apr 27 2018 - 12:00:20 EST


syzbot hit the following crash on upstream commit
0644f186fc9d77bb5bd198369e59fb28927a3692 (Thu Apr 26 23:36:11 2018 +0000)
Merge tag 'for_linus' of git://
syzbot dashboard link:

So far this crash happened 2 times on upstream.
C reproducer:
syzkaller reproducer:
Raw console output:
Kernel config:
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+32c236387d66c4516827@xxxxxxxxxxxxxxxxxxxxxxxxx
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

RBP: 0030656c69662f2e R08: 0000000020000300 R09: 0000000000003833
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe5dea3810
R13: ffffffffffffffff R14: 006c746365737566 R15: 0000000000000044
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4504 Comm: syz-executor777 Not tainted 4.17.0-rc2+ #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:fuse_ctl_remove_conn+0xc8/0x1b0 fs/fuse/control.c:286
RSP: 0018:ffff8801b0ee7968 EFLAGS: 00010202
RAX: 0000000000000075 RBX: ffff8801ac6dc2c0 RCX: ffffffff82645bb7
RDX: 0000000000000000 RSI: ffffffff82645bda RDI: 00000000000003a8
RBP: ffff8801b0ee7990 R08: ffff8801b1cd2740 R09: ffffed003b5c46c2
R10: ffffed003b5c46c2 R11: ffff8801dae23613 R12: 0000000000000001
R13: ffff8801d0bb5410 R14: dffffc0000000000 R15: 0000000000000000
FS: 00000000026bc880(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001471000 CR3: 00000001b1137000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
fuse_ctl_add_conn+0x261/0x280 fs/fuse/control.c:269
fuse_ctl_fill_super+0xf7/0x160 fs/fuse/control.c:307
mount_single+0xfb/0x170 fs/super.c:1236
fuse_ctl_mount+0x2c/0x40 fs/fuse/control.c:322
mount_fs+0xae/0x328 fs/super.c:1267
vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
vfs_kern_mount fs/namespace.c:1027 [inline]
do_new_mount fs/namespace.c:2518 [inline]
do_mount+0x564/0x3070 fs/namespace.c:2848
ksys_mount+0x12d/0x140 fs/namespace.c:3064
__do_sys_mount fs/namespace.c:3078 [inline]
__se_sys_mount fs/namespace.c:3075 [inline]
__x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
RIP: 0033:0x440579
RSP: 002b:00007ffe5dea3808 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440579
RDX: 00000000200002c0 RSI: 0000000020000280 RDI: 0000000020000240
RBP: 0030656c69662f2e R08: 0000000020000300 R09: 0000000000003833
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe5dea3810
R13: ffffffffffffffff R14: 006c746365737566 R15: 0000000000000044
Code: 8b 5d 00 48 8d 7b 58 48 89 f8 48 c1 e8 03 42 80 3c 30 00 0f 85 cc 00 00 00 4c 8b 7b 58 49 8d bf a8 03 00 00 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 a5 00 00 00 48 89 df 41 83 ec 01 49 83 ed
RIP: fuse_ctl_remove_conn+0xc8/0x1b0 fs/fuse/control.c:286 RSP: ffff8801b0ee7968
---[ end trace d64f1dab46c839a5 ]---

This bug is generated by a dumb bot. It may contain errors.
See for details.
Direct all questions to syzkaller@xxxxxxxxxxxxxxxxx

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.