syzbot

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: slab-use-after-free in membarrier_switch_mm kernel/sched/sched.h:3721 [inline]
BUG: KASAN: slab-use-after-free in context_switch kernel/sched/core.c:5265 [inline]
BUG: KASAN: slab-use-after-free in __schedule+0xc8d/0x6000 kernel/sched/core.c:6907
Read of size 4 at addr ffff888079038d00 by task kworker/1:1/29

CPU: 1 UID: 0 PID: 29 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Workqueue:  0x0 (mld)
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x156/0x4c9 mm/kasan/report.c:482
 kasan_report+0xdf/0x1a0 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:186 [inline]
 kasan_check_range+0x10f/0x1e0 mm/kasan/generic.c:200
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
 membarrier_switch_mm kernel/sched/sched.h:3721 [inline]
 context_switch kernel/sched/core.c:5265 [inline]
 __schedule+0xc8d/0x6000 kernel/sched/core.c:6907
 __schedule_loop kernel/sched/core.c:6989 [inline]
 schedule+0xdd/0x390 kernel/sched/core.c:7004
 worker_thread+0x526/0xe40 kernel/workqueue.c:3436
 kthread+0x370/0x450 kernel/kthread.c:467
 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 5934:
 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
 kasan_save_track+0x14/0x30 mm/kasan/common.c:78
 unpoison_slab_object mm/kasan/common.c:340 [inline]
 __kasan_slab_alloc+0x89/0x90 mm/kasan/common.c:366
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4953 [inline]
 slab_alloc_node mm/slub.c:5263 [inline]
 kmem_cache_alloc_noprof+0x2ad/0x780 mm/slub.c:5270
 dup_mm kernel/fork.c:1520 [inline]
 copy_mm kernel/fork.c:1582 [inline]
 copy_process+0x72ff/0x79b0 kernel/fork.c:2223
 kernel_clone+0xfc/0x930 kernel/fork.c:2654
 __do_sys_clone+0xd9/0x120 kernel/fork.c:2795
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5842:
 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
 kasan_save_track+0x14/0x30 mm/kasan/common.c:78
 kasan_save_free_info+0x3b/0x70 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2540 [inline]
 slab_free mm/slub.c:6674 [inline]
 kmem_cache_free+0x143/0x720 mm/slub.c:6789
 mmdrop include/linux/sched/mm.h:55 [inline]
 mmdrop_sched include/linux/sched/mm.h:83 [inline]
 mmdrop_lazy_tlb_sched include/linux/sched/mm.h:110 [inline]
 finish_task_switch.isra.0+0x779/0xb80 kernel/sched/core.c:5177
 context_switch kernel/sched/core.c:5298 [inline]
 __schedule+0x102b/0x6000 kernel/sched/core.c:6907
 preempt_schedule_irq+0x50/0x90 kernel/sched/core.c:7234
 irqentry_exit+0x17b/0x670 kernel/entry/common.c:239
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697

The buggy address belongs to the object at ffff888079038c40
 which belongs to the cache mm_struct of size 2968
The buggy address is located 192 bytes inside of
 freed 2968-byte region [ffff888079038c40, ffff8880790397d8)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x79038
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff8880797da001
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813ff35b40 ffffea0000c49600 0000000000000005
raw: 0000000000000000 00000000800a000a 00000000f5000000 ffff8880797da001
head: 00fff00000000040 ffff88813ff35b40 ffffea0000c49600 0000000000000005
head: 0000000000000000 00000000800a000a 00000000f5000000 ffff8880797da001
head: 00fff00000000003 ffffea0001e40e01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5649, tgid 5649 (dhcpcd-run-hook), ts 72540809104, free_ts 72457553960
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1e1/0x250 mm/page_alloc.c:1884
 prep_new_page mm/page_alloc.c:1892 [inline]
 get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3945
 __alloc_frozen_pages_noprof+0x26c/0x2410 mm/page_alloc.c:5240
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2486
 alloc_slab_page mm/slub.c:3075 [inline]
 allocate_slab mm/slub.c:3248 [inline]
 new_slab+0x2c4/0x440 mm/slub.c:3302
 ___slab_alloc+0xdb3/0x1cb0 mm/slub.c:4656
 __slab_alloc.isra.0+0x63/0x110 mm/slub.c:4779
 __slab_alloc_node mm/slub.c:4855 [inline]
 slab_alloc_node mm/slub.c:5251 [inline]
 kmem_cache_alloc_noprof+0x4ec/0x780 mm/slub.c:5270
 dup_mm kernel/fork.c:1520 [inline]
 copy_mm kernel/fork.c:1582 [inline]
 copy_process+0x72ff/0x79b0 kernel/fork.c:2223
 kernel_clone+0xfc/0x930 kernel/fork.c:2654
 __do_sys_clone+0xd9/0x120 kernel/fork.c:2795
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5656 tgid 5656 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0x822/0x1130 mm/page_alloc.c:2973
 discard_slab mm/slub.c:3346 [inline]
 __put_partials+0x127/0x160 mm/slub.c:3886
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x47/0xe0 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4953 [inline]
 slab_alloc_node mm/slub.c:5263 [inline]
 kmem_cache_alloc_noprof+0x2ad/0x780 mm/slub.c:5270
 mt_alloc_one lib/maple_tree.c:174 [inline]
 mas_alloc_nodes+0x280/0x390 lib/maple_tree.c:1110
 mas_preallocate+0x39c/0xf10 lib/maple_tree.c:5194
 vma_iter_prealloc mm/vma.h:505 [inline]
 commit_merge+0x3e3/0xbd0 mm/vma.c:751
 vma_expand+0x7c3/0xd50 mm/vma.c:1200
 relocate_vma_down+0x259/0x4d0 mm/vma_exec.c:58
 setup_arg_pages+0x536/0xb60 fs/exec.c:690
 load_elf_binary+0xb75/0x5110 fs/binfmt_elf.c:1028
 search_binary_handler fs/exec.c:1664 [inline]
 exec_binprm fs/exec.c:1696 [inline]
 bprm_execve fs/exec.c:1748 [inline]
 bprm_execve+0x8fb/0x1620 fs/exec.c:1724
 do_execveat_common.isra.0+0x4a5/0x580 fs/exec.c:1846
 __do_sys_execve fs/exec.c:1930 [inline]
 __se_sys_execve fs/exec.c:1924 [inline]
 __x64_sys_execve+0x93/0xd0 fs/exec.c:1924

Memory state around the buggy address:
 ffff888079038c00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
 ffff888079038c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888079038d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888079038d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888079038e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================