==================================================================
BUG: KASAN: slab-use-after-free in __update_min_deadline kernel/sched/fair.c:803 [inline]
BUG: KASAN: slab-use-after-free in min_deadline_update kernel/sched/fair.c:819 [inline]
BUG: KASAN: slab-use-after-free in min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
BUG: KASAN: slab-use-after-free in reweight_entity+0x248/0x2b8 kernel/sched/fair.c:3660
Read at addr f8ff00000387eef0 by task syz-executor.1/13531
Pointer tag: [f8], memory tag: [fe]

CPU: 1 PID: 13531 Comm: syz-executor.1 Not tainted 6.6.0-rc6-syzkaller-00182-gce55c22ec8b2 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:233
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:240
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x48/0x60 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x108/0x618 mm/kasan/report.c:475
 kasan_report+0x88/0xac mm/kasan/report.c:588
 report_tag_fault arch/arm64/mm/fault.c:334 [inline]
 do_tag_recovery arch/arm64/mm/fault.c:346 [inline]
 __do_kernel_fault+0x17c/0x1e8 arch/arm64/mm/fault.c:393
 do_bad_area arch/arm64/mm/fault.c:493 [inline]
 do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:770
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:846
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:398
 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:458
 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:590
 __update_min_deadline kernel/sched/fair.c:803 [inline]
 min_deadline_update kernel/sched/fair.c:819 [inline]
 min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
 reweight_entity+0x248/0x2b8 kernel/sched/fair.c:3660
 update_cfs_group+0x80/0x98 kernel/sched/fair.c:3826
 entity_tick kernel/sched/fair.c:5317 [inline]
 task_tick_fair+0x64/0x280 kernel/sched/fair.c:12392
 scheduler_tick+0xcc/0x170 kernel/sched/core.c:5657
 update_process_times+0xa0/0xb4 kernel/time/timer.c:2076
 tick_sched_handle+0x34/0x58 kernel/time/tick-sched.c:254
 tick_sched_timer+0x50/0xa8 kernel/time/tick-sched.c:1492
 __run_hrtimer kernel/time/hrtimer.c:1688 [inline]
 __hrtimer_run_queues+0x138/0x1d8 kernel/time/hrtimer.c:1752
 hrtimer_interrupt+0xe8/0x244 kernel/time/hrtimer.c:1814
 timer_handler drivers/clocksource/arm_arch_timer.c:674 [inline]
 arch_timer_handler_phys+0x2c/0x44 drivers/clocksource/arm_arch_timer.c:692
 handle_percpu_devid_irq+0x84/0x130 kernel/irq/chip.c:942
 generic_handle_irq_desc include/linux/irqdesc.h:161 [inline]
 handle_irq_desc kernel/irq/irqdesc.c:672 [inline]
 generic_handle_domain_irq+0x2c/0x44 kernel/irq/irqdesc.c:728
 gic_handle_irq+0x44/0xc8 drivers/irqchip/irq-gic.c:373
 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:886
 do_interrupt_handler+0x80/0x84 arch/arm64/kernel/entry-common.c:276
 __el1_irq arch/arm64/kernel/entry-common.c:502 [inline]
 el1_interrupt+0x34/0x64 arch/arm64/kernel/entry-common.c:517
 el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:522
 el1h_64_irq+0x64/0x68 arch/arm64/kernel/entry.S:591
 raw_atomic_try_cmpxchg include/linux/atomic/atomic-arch-fallback.h:2123 [inline]
 raw_atomic_fetch_add_unless include/linux/atomic/atomic-arch-fallback.h:2409 [inline]
 raw_atomic_add_unless include/linux/atomic/atomic-arch-fallback.h:2433 [inline]
 atomic_add_unless include/linux/atomic/atomic-instrumented.h:1508 [inline]
 should_fail+0x0/0x20 lib/fault-inject.c:156
 _copy_from_user include/linux/uaccess.h:147 [inline]
 copy_from_user include/linux/uaccess.h:183 [inline]
 input_event_from_user+0x40/0x174 drivers/input/input-compat.c:31
 evdev_write+0xb4/0x170 drivers/input/evdev.c:524
 vfs_write+0xc4/0x300 fs/read_write.c:582
 ksys_write+0xe8/0x104 fs/read_write.c:637
 __do_sys_write fs/read_write.c:649 [inline]
 __se_sys_write fs/read_write.c:646 [inline]
 __arm64_sys_write+0x1c/0x28 fs/read_write.c:646
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
 el0_svc+0x40/0x114 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:595

Allocated by task 2915:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
 save_stack_info+0x38/0x118 mm/kasan/tags.c:104
 kasan_save_alloc_info+0x14/0x20 mm/kasan/tags.c:138
 __kasan_slab_alloc+0x94/0xcc mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:762 [inline]
 slab_alloc_node mm/slub.c:3478 [inline]
 kmem_cache_alloc_node+0x150/0x2b8 mm/slub.c:3523
 alloc_task_struct_node kernel/fork.c:173 [inline]
 dup_task_struct kernel/fork.c:1110 [inline]
 copy_process+0x1b4/0x147c kernel/fork.c:2327
 kernel_clone+0x64/0x360 kernel/fork.c:2909
 __do_sys_clone+0x70/0xa8 kernel/fork.c:3052
 __se_sys_clone kernel/fork.c:3020 [inline]
 __arm64_sys_clone+0x20/0x2c kernel/fork.c:3020
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
 el0_svc+0x40/0x114 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:595

Freed by task 3328:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
 save_stack_info+0x38/0x118 mm/kasan/tags.c:104
 kasan_save_free_info+0x18/0x24 mm/kasan/tags.c:143
 ____kasan_slab_free.constprop.0+0x180/0x1c8 mm/kasan/common.c:236
 __kasan_slab_free+0x10/0x1c mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:164 [inline]
 slab_free_hook mm/slub.c:1800 [inline]
 slab_free_freelist_hook+0xac/0x1c4 mm/slub.c:1826
 slab_free mm/slub.c:3809 [inline]
 kmem_cache_free+0x18c/0x314 mm/slub.c:3831
 free_task_struct kernel/fork.c:178 [inline]
 free_task+0x54/0x80 kernel/fork.c:627
 __put_task_struct+0x100/0x154 kernel/fork.c:981
 put_task_struct include/linux/sched/task.h:136 [inline]
 delayed_put_task_struct+0x7c/0xa8 kernel/exit.c:226
 rcu_do_batch kernel/rcu/tree.c:2139 [inline]
 rcu_core+0x250/0x638 kernel/rcu/tree.c:2403
 rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2420
 __do_softirq+0x10c/0x284 kernel/softirq.c:553

The buggy address belongs to the object at ffff00000387ee40
 which belongs to the cache task_struct of size 4032
The buggy address is located 176 bytes inside of
 4032-byte region [ffff00000387ee40, ffff00000387fe00)

The buggy address belongs to the physical page:
page:000000000b5b8a73 refcount:1 mapcount:0 mapping:0000000000000000 index:0xf8ff00000387ee40 pfn:0x43878
head:000000000b5b8a73 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:fbff0000069d4e01
flags: 0x1ffc00000000840(slab|head|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
page_type: 0xffffffff()
raw: 01ffc00000000840 f2ff000002c0cf00 fffffc00000df600 dead000000000006
raw: f8ff00000387ee40 0000000080080006 00000001ffffffff fbff0000069d4e01
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff00000387ec00: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
 ffff00000387ed00: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
>ffff00000387ee00: f2 f2 f2 f2 fe fe fe fe fe fe fe fe fe fe fe fe
                                                                ^
 ffff00000387ef00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 ffff00000387f000: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================
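Added triage helper for the report above. This is not part of the syzkaller report and not a syzbot or kernel tool; it is a small Python script that parses a tag-mode KASAN report, strips the arm64 top-byte tag from the faulting pointer to recompute the offset inside the slab object, checks that the memory tag under the pointer is KASAN_TAG_INVALID (0xfe, the value include/linux/kasan-tags.h assigns to freed memory and redzones), and picks out the first frame outside the allocator/KASAN plumbing in the "Allocated by" and "Freed by" stacks. The input is a constructed excerpt of the report above with most frames elided; the MM_PREFIXES list used to skip allocator frames, and all function and key names, are choices of this script rather than anything KASAN defines.

```python
import re

# Constructed excerpt of the syzkaller report above (most frames elided; not the full dump).
REPORT = """\
BUG: KASAN: slab-use-after-free in __update_min_deadline kernel/sched/fair.c:803 [inline]
BUG: KASAN: slab-use-after-free in reweight_entity+0x248/0x2b8 kernel/sched/fair.c:3660
Read at addr f8ff00000387eef0 by task syz-executor.1/13531
Pointer tag: [f8], memory tag: [fe]

Call trace:
 kasan_report+0x88/0xac mm/kasan/report.c:588
 __update_min_deadline kernel/sched/fair.c:803 [inline]
 reweight_entity+0x248/0x2b8 kernel/sched/fair.c:3660
 update_cfs_group+0x80/0x98 kernel/sched/fair.c:3826

Allocated by task 2915:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
 kmem_cache_alloc_node+0x150/0x2b8 mm/slub.c:3523
 dup_task_struct kernel/fork.c:1110 [inline]

Freed by task 3328:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
 kmem_cache_free+0x18c/0x314 mm/slub.c:3831
 free_task+0x54/0x80 kernel/fork.c:627

The buggy address belongs to the object at ffff00000387ee40
 which belongs to the cache task_struct of size 4032
The buggy address is located 176 bytes inside of
 4032-byte region [ffff00000387ee40, ffff00000387fe00)
"""

KASAN_TAG_KERNEL = 0xFF   # include/linux/kasan-tags.h: tag carried by untagged kernel pointers
KASAN_TAG_INVALID = 0xFE  # include/linux/kasan-tags.h: tag given to freed memory and redzones
FRAME = re.compile(r"^\s+([^\s+]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+)(\s+\[inline\])?$")
HEADER = re.compile(r"^(Call trace|Allocated by task \d+|Freed by task \d+):$")
# Heuristic of this script (not KASAN's): frames under these paths are allocator/KASAN plumbing.
MM_PREFIXES = ("mm/", "include/linux/kasan", "include/linux/slab")

def untag(addr: int) -> int:
    """Replace the top-byte tag of an arm64 tagged pointer with the kernel tag."""
    return (addr & 0x00FFFFFFFFFFFFFF) | (KASAN_TAG_KERNEL << 56)

def parse_report(text: str) -> dict:
    """Pull the triage-relevant fields out of a tag-mode KASAN report."""
    r = {"stacks": {}}
    kind, fn, loc = re.findall(r"^BUG: KASAN: (\S+) in ([^\s+]+)\S* (\S+)", text, re.M)[0]
    r["bug"], r["site"] = kind, (fn, loc)
    m = re.search(r"^(Read|Write)(?: of size \d+)? at addr ([0-9a-f]+) by task (\S+)/(\d+)$", text, re.M)
    r["access"] = {"kind": m[1], "addr": int(m[2], 16), "task": (m[3], int(m[4]))}
    m = re.search(r"Pointer tag: \[([0-9a-f]{2})\], memory tag: \[([0-9a-f]{2})\]", text)
    r["tags"] = (int(m[1], 16), int(m[2], 16)) if m else None   # absent in generic KASAN mode
    m = re.search(r"object at ([0-9a-f]+)\n\s+which belongs to the cache (\S+) of size (\d+)", text)
    r["object"], r["cache"] = int(m[1], 16), (m[2], int(m[3]))
    r["claimed_offset"] = int(re.search(r"located (\d+) bytes inside of", text)[1])
    current = None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:                       # "call", "allocated" or "freed"
            current = h[1].split(" ")[0].lower()
            r["stacks"][current] = []
        elif not line.strip():
            current = None
        elif current and (f := FRAME.match(line)):
            r["stacks"][current].append((f[1], f[2], bool(f[3])))
    return r

def object_offset(r: dict) -> int:
    """Offset of the access inside the slab object, recomputed from the two addresses."""
    return untag(r["access"]["addr"]) - r["object"]

def first_frame_outside(stack, prefixes=MM_PREFIXES):
    """First frame past the allocator/KASAN plumbing: the subsystem that did the alloc/free."""
    return next(((fn, loc) for fn, loc, _ in stack if not loc.startswith(prefixes)), None)

def summarize(r: dict) -> dict:
    ptr_tag, mem_tag = r["tags"] or (None, None)
    call = r["stacks"]["call"]
    # The faulting frame is the one the BUG line names; the first non-inline frame at or
    # after it is the compiled function the access was inlined into.
    idx = next(i for i, (fn, loc, _) in enumerate(call) if (fn, loc) == r["site"])
    return {
        "bug": r["bug"],
        "cache": r["cache"][0],
        "offset": object_offset(r),
        "offset_consistent": object_offset(r) == r["claimed_offset"],
        "freed_memory": mem_tag == KASAN_TAG_INVALID,   # fe under the pointer: object already freed
        "access_site": r["site"],
        "access_caller": next((fn, loc) for fn, loc, inl in call[idx:] if not inl),
        "alloc_origin": first_frame_outside(r["stacks"]["allocated"]),
        "free_origin": first_frame_outside(r["stacks"]["freed"]),
    }

if __name__ == "__main__":
    for key, value in summarize(parse_report(REPORT)).items():
        print(f"{key:18} {value}")
```

Run on the excerpt, the recomputed offset (0xffff00000387eef0 minus 0xffff00000387ee40 = 0xb0) agrees with the 176 bytes the report states, the memory tag 0xfe confirms the task_struct had already been freed, and the origin frames come out as dup_task_struct for the allocation and free_task for the free, which is what a reader takes from the full stacks above. The script does not try to name the task_struct field at offset 176; that depends on the exact kernel config and is not something the report states.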