syzbot

==================================================================
BUG: KASAN: use-after-free in cleancache_fs_enabled_mapping include/linux/cleancache.h:56 [inline]
BUG: KASAN: use-after-free in cleancache_invalidate_page include/linux/cleancache.h:110 [inline]
BUG: KASAN: use-after-free in unaccount_page_cache_page+0x9e0/0xac0 mm/filemap.c:175
Read of size 4 at addr ffff8881071d7470 by task syz.1.2478/10374

CPU: 0 PID: 10374 Comm: syz.1.2478 Tainted: G        W         5.10.237-syzkaller-00010-gcf6ed0f1511d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x169/0x1d8 lib/dump_stack.c:118
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0xe2/0x130 mm/kasan/report.c:452
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 cleancache_fs_enabled_mapping include/linux/cleancache.h:56 [inline]
 cleancache_invalidate_page include/linux/cleancache.h:110 [inline]
 unaccount_page_cache_page+0x9e0/0xac0 mm/filemap.c:175
 __delete_from_page_cache+0xc4/0x460 mm/filemap.c:243
 __remove_mapping+0x562/0x690 mm/vmscan.c:985
 shrink_page_list+0x2109/0x4120 mm/vmscan.c:1498
 shrink_inactive_list+0x4f4/0xe80 mm/vmscan.c:2075
 shrink_list mm/vmscan.c:2294 [inline]
 shrink_lruvec+0x2246/0x2770 mm/vmscan.c:5473
 shrink_node_memcgs mm/vmscan.c:5660 [inline]
 shrink_node+0xf0c/0x2690 mm/vmscan.c:5690
 shrink_zones mm/vmscan.c:5896 [inline]
 do_try_to_free_pages+0x5db/0x1560 mm/vmscan.c:5954
 try_to_free_mem_cgroup_pages+0x233/0x5b0 mm/vmscan.c:6272
 try_charge+0x42b/0x14e0 mm/memcontrol.c:2747
 __mem_cgroup_charge+0x14c/0x6d0 mm/memcontrol.c:6873
 mem_cgroup_charge include/linux/memcontrol.h:458 [inline]
 shmem_add_to_page_cache+0x55e/0xe10 mm/shmem.c:703
 shmem_getpage_gfp+0x8e8/0x2110 mm/shmem.c:1956
 shmem_getpage mm/shmem.c:165 [inline]
 shmem_write_begin+0xce/0x1b0 mm/shmem.c:2501
 generic_perform_write+0x2be/0x510 mm/filemap.c:3509
 __generic_file_write_iter+0x24b/0x480 mm/filemap.c:3638
 generic_file_write_iter+0xa9/0x1d0 mm/filemap.c:3670
 __kernel_write+0x55a/0x910 fs/read_write.c:550
 dump_emit+0x240/0x360 fs/coredump.c:849
 dump_user_range+0x6a/0x1a0 fs/coredump.c:902
 elf_core_dump+0x278a/0x2bc0 fs/binfmt_elf.c:2290
 do_coredump+0x1ac9/0x27f0 fs/coredump.c:811
 get_signal+0xf23/0x12e0 kernel/signal.c:2779
 arch_do_signal_or_restart+0xbf/0x10f0 arch/x86/kernel/signal.c:805
 handle_signal_work kernel/entry/common.c:145 [inline]
 exit_to_user_mode_loop+0xa2/0xe0 kernel/entry/common.c:169
 exit_to_user_mode_prepare kernel/entry/common.c:199 [inline]
 irqentry_exit_to_user_mode+0x4e/0x80 kernel/entry/common.c:287
 irqentry_exit+0x12/0x60 kernel/entry/common.c:375
 exc_page_fault+0x67/0xc0 arch/x86/mm/fault.c:1487
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:571
RIP: 0033:0x4a4509
Code: Unable to access opcode bytes at RIP 0x4a44df.
RSP: 002b:0000200000000098 EFLAGS: 00010217
RAX: 0000000000000000 RBX: 00007ff833cdafa0 RCX: 00007ff833ab3969
RDX: 0000200000000140 RSI: 0000200000000090 RDI: 0000000020000000
RBP: 00007ff833b35ab1 R08: 00002000000002c0 R09: 00002000000002c0
R10: 0000200000000180 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000000 R14: 00007ff833cdafa0 R15: 00007fff63990618

Allocated by task 9925:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:430 [inline]
 ____kasan_kmalloc mm/kasan/common.c:509 [inline]
 __kasan_kmalloc+0xda/0x110 mm/kasan/common.c:518
 kasan_kmalloc include/linux/kasan.h:254 [inline]
 __kmalloc+0x1a7/0x330 mm/slub.c:4033
 __kmalloc_node include/linux/slab.h:418 [inline]
 kmalloc_node include/linux/slab.h:575 [inline]
 kvmalloc_node+0x88/0x130 mm/util.c:612
 kvmalloc include/linux/mm.h:822 [inline]
 kvzalloc include/linux/mm.h:830 [inline]
 kvm_dup_memslots virt/kvm/kvm_main.c:1241 [inline]
 kvm_set_memslot+0xc5/0x1440 virt/kvm/kvm_main.c:1258
 __kvm_set_memory_region+0x9e9/0xbc0 virt/kvm/kvm_main.c:1448
 kvm_set_memory_region virt/kvm/kvm_main.c:1469 [inline]
 kvm_vm_ioctl_set_memory_region+0x6f/0xa0 virt/kvm/kvm_main.c:1481
 kvm_vm_ioctl+0x776/0xa10 virt/kvm/kvm_main.c:3829
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0x121/0x1a0 fs/ioctl.c:739
 __x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Freed by task 10243:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4a/0x70 mm/kasan/common.c:45
 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370
 ____kasan_slab_free+0x125/0x160 mm/kasan/common.c:362
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:370
 kasan_slab_free include/linux/kasan.h:220 [inline]
 slab_free_hook mm/slub.c:1595 [inline]
 slab_free_freelist_hook+0xc5/0x190 mm/slub.c:1621
 slab_free mm/slub.c:3203 [inline]
 kfree+0xc0/0x270 mm/slub.c:4191
 skb_free_head net/core/skbuff.c:606 [inline]
 skb_release_data+0x532/0x670 net/core/skbuff.c:626
 skb_release_all net/core/skbuff.c:680 [inline]
 __kfree_skb net/core/skbuff.c:694 [inline]
 consume_skb+0xab/0x1f0 net/core/skbuff.c:851
 veth_xdp_rcv_skb drivers/net/veth.c:710 [inline]
 veth_xdp_rcv drivers/net/veth.c:821 [inline]
 veth_poll+0x10f2/0x2c80 drivers/net/veth.c:852
 napi_poll net/core/dev.c:6874 [inline]
 net_rx_action+0x432/0xdd0 net/core/dev.c:6944
 __do_softirq+0x255/0x563 kernel/softirq.c:309

Last potentially related work creation:
 kasan_save_stack+0x3a/0x60 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xd2/0x100 mm/kasan/generic.c:348
 kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:358
 insert_work+0x52/0x310 kernel/workqueue.c:1352
 __queue_work+0x923/0xca0 kernel/workqueue.c:1518
 queue_work_on+0xd5/0x130 kernel/workqueue.c:1545
 queue_work include/linux/workqueue.h:515 [inline]
 schedule_work include/linux/workqueue.h:576 [inline]
 destroy_super_rcu+0xd1/0xe0 fs/super.c:172
 rcu_do_batch+0x4df/0xa80 kernel/rcu/tree.c:2494
 rcu_core+0x55f/0xd60 kernel/rcu/tree.c:2735
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2748
 __do_softirq+0x255/0x563 kernel/softirq.c:309

Second to last potentially related work creation:
 kasan_save_stack+0x3a/0x60 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xd2/0x100 mm/kasan/generic.c:348
 kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:358
 __call_rcu kernel/rcu/tree.c:2976 [inline]
 call_rcu+0x105/0x1040 kernel/rcu/tree.c:3050
 __put_super+0x254/0x2b0 fs/super.c:299
 put_super fs/super.c:313 [inline]
 deactivate_locked_super+0xd4/0x100 fs/super.c:346
 mount_bdev+0x2a9/0x3a0 fs/super.c:1444
 f2fs_mount+0x34/0x40 fs/f2fs/super.c:4548
 legacy_get_tree+0xed/0x190 fs/fs_context.c:593
 vfs_get_tree+0x89/0x260 fs/super.c:1572
 do_new_mount+0x25a/0xa20 fs/namespace.c:2918
 path_mount+0x572/0xc80 fs/namespace.c:3248
 do_mount fs/namespace.c:3261 [inline]
 __do_sys_mount fs/namespace.c:3469 [inline]
 __se_sys_mount+0x318/0x380 fs/namespace.c:3446
 __x64_sys_mount+0xbf/0xd0 fs/namespace.c:3446
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

The buggy address belongs to the object at ffff8881071d7000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1136 bytes inside of
 2048-byte region [ffff8881071d7000, ffff8881071d7800)
The buggy address belongs to the page:
page:ffffea00041c7400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1071d0
head:ffffea00041c7400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100042d80
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 276, ts 21588443755, free_ts 21586134177
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page+0x179/0x180 mm/page_alloc.c:2462
 get_page_from_freelist+0x2235/0x23d0 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x268/0x5f0 mm/page_alloc.c:5349
 alloc_slab_page mm/slub.c:-1 [inline]
 allocate_slab mm/slub.c:1808 [inline]
 new_slab+0x84/0x3f0 mm/slub.c:1869
 new_slab_objects mm/slub.c:2627 [inline]
 ___slab_alloc+0x2a6/0x450 mm/slub.c:2791
 __slab_alloc+0x63/0xa0 mm/slub.c:2831
 slab_alloc_node mm/slub.c:2913 [inline]
 slab_alloc mm/slub.c:2955 [inline]
 __kmalloc_track_caller+0x1ef/0x320 mm/slub.c:4536
 __kmalloc_reserve net/core/skbuff.c:144 [inline]
 pskb_expand_head+0x123/0x1110 net/core/skbuff.c:1653
 netlink_trim+0x193/0x230 net/netlink/af_netlink.c:1289
 netlink_broadcast_filtered+0x75/0x1290 net/netlink/af_netlink.c:1494
 netlink_broadcast net/netlink/af_netlink.c:1539 [inline]
 nlmsg_multicast include/net/netlink.h:1033 [inline]
 nlmsg_notify+0xed/0x1b0 net/netlink/af_netlink.c:2528
 rtnl_notify net/core/rtnetlink.c:737 [inline]
 rtmsg_ifinfo_send net/core/rtnetlink.c:3868 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:3883 [inline]
 rtnetlink_event+0x13a/0x1a0 net/core/rtnetlink.c:5661
 notifier_call_chain kernel/notifier.c:83 [inline]
 raw_notifier_call_chain+0x90/0x100 kernel/notifier.c:410
 call_netdevice_notifiers_info net/core/dev.c:2054 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2066 [inline]
 call_netdevice_notifiers net/core/dev.c:2080 [inline]
 dev_set_mac_address+0x318/0x420 net/core/dev.c:8795
 dev_set_mac_address_user+0x31/0x50 net/core/dev.c:8809
 do_setlink+0x695/0x3ab0 net/core/rtnetlink.c:2687
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1349 [inline]
 __free_pages_ok+0x7fc/0x820 mm/page_alloc.c:1629
 free_the_page mm/page_alloc.c:5410 [inline]
 __free_pages+0xdd/0x380 mm/page_alloc.c:5419
 __free_slab+0xcf/0x190 mm/slub.c:1894
 free_slab mm/slub.c:1909 [inline]
 discard_slab mm/slub.c:1915 [inline]
 unfreeze_partials+0x15f/0x190 mm/slub.c:2410
 put_cpu_partial+0xc1/0x180 mm/slub.c:2446
 __slab_free+0x2c9/0x3a0 mm/slub.c:3095
 do_slab_free mm/slub.c:3191 [inline]
 ___cache_free+0x111/0x130 mm/slub.c:3210
 qlink_free+0x50/0x90 mm/kasan/quarantine.c:157
 qlist_free_all+0x5f/0xb0 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x14a/0x160 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0x2f/0xf0 mm/kasan/common.c:440
 kasan_slab_alloc include/linux/kasan.h:244 [inline]
 slab_post_alloc_hook+0x5d/0x2f0 mm/slab.h:583
 slab_alloc_node mm/slub.c:2947 [inline]
 slab_alloc mm/slub.c:2955 [inline]
 kmem_cache_alloc_trace+0x160/0x2e0 mm/slub.c:2972
 kmalloc include/linux/slab.h:552 [inline]
 kmalloc_array include/linux/slab.h:591 [inline]
 rtnl_newlink+0x103/0x1640 net/core/rtnetlink.c:3526
 rtnetlink_rcv_msg+0x9db/0xb90 net/core/rtnetlink.c:5610
 netlink_rcv_skb+0x1e0/0x430 net/netlink/af_netlink.c:2485

Memory state around the buggy address:
 ffff8881071d7300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881071d7380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881071d7400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8881071d7480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881071d7500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================