"Dentry still in use" splats in v5.2-rc3

From: Mark Rutland
Date: Wed Jun 05 2019 - 09:58:09 EST


Hi All,

While fuzzing arm64 v5.2-rc3, Syzkaller started hitting splats of the
form:

BUG: Dentry (____ptrval____){i=1,n=/} still in use (2) [unmount of bpf bpf]

... which I can reliably reproduce with the following C program
(partially minimized from what Syzkaller auto-generated).

It looks like any filesystem will do. I've seen splats with "bpf",
"hugetlbfs", "rpc_pipefs", and "tmpfs", and can reproduce the problem
with any of these.

Any ideas?

I'm using the config from my fuzzing/5.2-rc3 branch on kernel.org [1].

Thanks,
Mark.

----
#include <unistd.h>
#include <sys/syscall.h>

/*
* NOTE: these are the arm64 numbers
*/
#ifndef __NR_fsconfig
#define __NR_fsconfig 431
#endif
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_fsopen
#define __NR_fsopen 430
#endif

int main(void)
{
int fs, mnt;

fs = syscall(__NR_fsopen, "bpf", 0);
syscall(__NR_fsconfig, fs, 6, 0, 0, 0);
mnt = syscall(__NR_fsmount, fs, 0, 0);
fchdir(mnt);

close(fs);
close(mnt);
}

----

----
[ 29.746323][ T245] BUG: Dentry (____ptrval____){i=1,n=/} still in use (2) [unmount of bpf bpf]
[ 29.748645][ T245] WARNING: CPU: 3 PID: 245 at fs/dcache.c:1529 umount_check+0x170/0x1b8
[ 29.750313][ T245] CPU: 3 PID: 245 Comm: repro Not tainted 5.2.0-rc3-00004-gff694e8 #1
[ 29.752165][ T245] Hardware name: linux,dummy-virt (DT)
[ 29.753406][ T245] pstate: 80400005 (Nzcv daif +PAN -UAO)
[ 29.754640][ T245] pc : umount_check+0x170/0x1b8
[ 29.755708][ T245] lr : umount_check+0x170/0x1b8
[ 29.756821][ T245] sp : ffff8000647b7ac0
[ 29.757730][ T245] x29: ffff8000647b7ac0 x28: ffff20001073dc38
[ 29.759047][ T245] x27: ffff8000666f4788 x26: ffff800064732040
[ 29.760428][ T245] x25: ffff10000c8e6325 x24: ffff200014f62500
[ 29.761755][ T245] x23: 0000000000000001 x22: ffff200015041e80
[ 29.763061][ T245] x21: ffff8000647aec80 x20: 0000000000000002
[ 29.764441][ T245] x19: ffff8000666f4788 x18: 0000000000000000
[ 29.765764][ T245] x17: 0000000000000000 x16: 0000000000000000
[ 29.767064][ T245] x15: 0000000000000000 x14: ffff200014f70788
[ 29.768445][ T245] x13: 00000000f2000000 x12: ffff10000d566546
[ 29.769774][ T245] x11: 1ffff0000d566545 x10: ffff10000d566545
[ 29.771098][ T245] x9 : 1ffff0000d566545 x8 : dfff200000000000
[ 29.772484][ T245] x7 : ffff10000d566546 x6 : ffff80006ab32a2f
[ 29.773820][ T245] x5 : ffff10000d566546 x4 : ffff10000d566546
[ 29.775155][ T245] x3 : 1fffe40002d30afc x2 : 24cbddc7f4015a00
[ 29.776539][ T245] x1 : 0000000000000000 x0 : 000000000000004c
[ 29.777868][ T245] Call trace:
[ 29.778598][ T245] umount_check+0x170/0x1b8
[ 29.779574][ T245] d_walk.part.2+0x100/0x6a0
[ 29.780610][ T245] do_one_tree+0x34/0x58
[ 29.781577][ T245] shrink_dcache_for_umount+0x60/0x110
[ 29.782752][ T245] generic_shutdown_super+0x68/0x360
[ 29.783913][ T245] kill_anon_super+0x44/0x70
[ 29.784932][ T245] kill_litter_super+0x4c/0x60
[ 29.786054][ T245] deactivate_locked_super+0x8c/0xf0
[ 29.787214][ T245] deactivate_super+0xd8/0xf8
[ 29.788278][ T245] cleanup_mnt+0x90/0x128
[ 29.789388][ T245] __cleanup_mnt+0x1c/0x28
[ 29.790362][ T245] task_work_run+0x124/0x198
[ 29.791374][ T245] do_notify_resume+0x664/0x778
[ 29.792440][ T245] work_pending+0x8/0x14
[ 29.793439][ T245] irq event stamp: 1502
[ 29.794374][ T245] hardirqs last enabled at (1501): [<ffff2000102afd48>] console_unlock+0x700/0xcc0
[ 29.796424][ T245] hardirqs last disabled at (1502): [<ffff200010082110>] do_debug_exception+0x118/0x438
[ 29.798605][ T245] softirqs last enabled at (1498): [<ffff200010083574>] __do_softirq+0xbc4/0x10c8
[ 29.800639][ T245] softirqs last disabled at (1443): [<ffff20001019f96c>] irq_exit+0x2c4/0x338
[ 29.802581][ T245] ---[ end trace cd8baed7622b7c8b ]---
[ 29.804034][ T245] VFS: Busy inodes after unmount of bpf. Self-destruct in 5 seconds. Have a nice day...
----

[1] git://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git fuzzing/5.2-rc3