==================================================================
BUG: KASAN: slab-use-after-free in set_pending kernel/locking/qspinlock_paravirt.h:112 [inline]
BUG: KASAN: slab-use-after-free in pv_wait_head_or_lock kernel/locking/qspinlock_paravirt.h:429 [inline]
BUG: KASAN: slab-use-after-free in __pv_queued_spin_lock_slowpath+0x90b/0xdb0 kernel/locking/qspinlock.c:508
Write of size 1 at addr ffff888031786c61 by task syz.4.214/6530

CPU: 0 UID: 0 PID: 6530 Comm: syz.4.214 Not tainted 6.13.0-rc1-next-20241205-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 set_pending kernel/locking/qspinlock_paravirt.h:112 [inline]
 pv_wait_head_or_lock kernel/locking/qspinlock_paravirt.h:429 [inline]
 __pv_queued_spin_lock_slowpath+0x90b/0xdb0 kernel/locking/qspinlock.c:508
 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:584 [inline]
 queued_spin_lock_slowpath+0x42/0x50 arch/x86/include/asm/qspinlock.h:51
 queued_spin_lock include/asm-generic/qspinlock.h:114 [inline]
 do_raw_spin_lock+0x272/0x370 kernel/locking/spinlock_debug.c:116
 spin_lock include/linux/spinlock.h:351 [inline]
 __pte_offset_map_lock+0x1ba/0x300 mm/pgtable-generic.c:402
 pte_offset_map_lock include/linux/mm.h:3027 [inline]
 finish_fault+0x707/0x11d0 mm/memory.c:5240
 do_read_fault mm/memory.c:5397 [inline]
 do_fault mm/memory.c:5527 [inline]
 do_pte_missing mm/memory.c:4048 [inline]
 handle_pte_fault+0x3a13/0x5ee0 mm/memory.c:5872
 __handle_mm_fault mm/memory.c:6015 [inline]
 handle_mm_fault+0x1106/0x1bb0 mm/memory.c:6183
 faultin_page mm/gup.c:1200 [inline]
 __get_user_pages+0x1b31/0x4370 mm/gup.c:1495
 populate_vma_page_range+0x264/0x330 mm/gup.c:1933
 __mm_populate+0x27a/0x460 mm/gup.c:2036
 mm_populate include/linux/mm.h:3389 [inline]
 vm_mmap_pgoff+0x303/0x430 mm/util.c:585
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f726e57ff19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f726f2d0058 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f726e746080 RCX: 00007f726e57ff19
RDX: b635773f06ebbeef RSI: 0000000000b36000 RDI: 0000000020000000