==================================================================
BUG: KASAN: slab-use-after-free in __update_min_deadline kernel/sched/fair.c:803 [inline]
BUG: KASAN: slab-use-after-free in min_deadline_update kernel/sched/fair.c:819 [inline]
BUG: KASAN: slab-use-after-free in min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
BUG: KASAN: slab-use-after-free in reweight_entity+0x248/0x2b8 kernel/sched/fair.c:3660
Read at addr f2ff0000039b4f70 by task sshd/3067
Pointer tag: [f2], memory tag: [fe]

CPU: 0 PID: 3067 Comm: sshd Not tainted 6.6.0-rc6-syzkaller #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:233
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:240
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x48/0x60 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x108/0x618 mm/kasan/report.c:475
 kasan_report+0x88/0xac mm/kasan/report.c:588
 report_tag_fault arch/arm64/mm/fault.c:334 [inline]
 do_tag_recovery arch/arm64/mm/fault.c:346 [inline]
 __do_kernel_fault+0x17c/0x1e8 arch/arm64/mm/fault.c:393
 do_bad_area arch/arm64/mm/fault.c:493 [inline]
 do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:770
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:846
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:398
 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:458
 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:590
 __update_min_deadline kernel/sched/fair.c:803 [inline]
 min_deadline_update kernel/sched/fair.c:819 [inline]
 min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
 reweight_entity+0x248/0x2b8 kernel/sched/fair.c:3660
 update_cfs_group+0x80/0x98 kernel/sched/fair.c:3826
 dequeue_task_fair+0x114/0x2a8 kernel/sched/fair.c:6646
 dequeue_task kernel/sched/core.c:2122 [inline]
 deactivate_task kernel/sched/core.c:2141 [inline]
 __schedule+0x58c/0x8a8 kernel/sched/core.c:6649
 schedule+0x5c/0xc4 kernel/sched/core.c:6771
 do_wait+0x14c/0x274 kernel/exit.c:1636
 kernel_wait4+0xa0/0x18c kernel/exit.c:1780
 __do_sys_wait4+0xb4/0x114 kernel/exit.c:1808
 __se_sys_wait4 kernel/exit.c:1804 [inline]
 __arm64_sys_wait4+0x24/0x30 kernel/exit.c:1804
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
 el0_svc+0x40/0x114 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:595

Allocated by task 3074:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
 save_stack_info+0x38/0x118 mm/kasan/tags.c:104
 kasan_save_alloc_info+0x14/0x20 mm/kasan/tags.c:138
 __kasan_slab_alloc+0x94/0xcc mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:762 [inline]
 slab_alloc_node mm/slub.c:3478 [inline]
 kmem_cache_alloc_node+0x150/0x2b8 mm/slub.c:3523
 alloc_task_struct_node kernel/fork.c:173 [inline]
 dup_task_struct kernel/fork.c:1110 [inline]
 copy_process+0x1b4/0x147c kernel/fork.c:2327
 kernel_clone+0x64/0x360 kernel/fork.c:2909
 __do_sys_clone+0x70/0xa8 kernel/fork.c:3052
 __se_sys_clone kernel/fork.c:3020 [inline]
 __arm64_sys_clone+0x20/0x2c kernel/fork.c:3020
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
 el0_svc+0x40/0x114 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:595

Freed by task 3076:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
 save_stack_info+0x38/0x118 mm/kasan/tags.c:104
 kasan_save_free_info+0x18/0x24 mm/kasan/tags.c:143
 ____kasan_slab_free.constprop.0+0x180/0x1c8 mm/kasan/common.c:236
 __kasan_slab_free+0x10/0x1c mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:164 [inline]
 slab_free_hook mm/slub.c:1800 [inline]
 slab_free_freelist_hook+0xac/0x1c4 mm/slub.c:1826
 slab_free mm/slub.c:3809 [inline]
 kmem_cache_free+0x18c/0x314 mm/slub.c:3831
 free_task_struct kernel/fork.c:178 [inline]
 free_task+0x54/0x80 kernel/fork.c:627
 __put_task_struct+0x100/0x154 kernel/fork.c:981
 put_task_struct include/linux/sched/task.h:136 [inline]
 delayed_put_task_struct+0x7c/0xa8 kernel/exit.c:226
 rcu_do_batch kernel/rcu/tree.c:2139 [inline]
 rcu_core+0x250/0x638 kernel/rcu/tree.c:2403
 rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2420
 __do_softirq+0x10c/0x284 kernel/softirq.c:553

The buggy address belongs to the object at ffff0000039b4ec0
 which belongs to the cache task_struct of size 4032
The buggy address is located 176 bytes inside of
 4032-byte region [ffff0000039b4ec0, ffff0000039b5e80)

The buggy address belongs to the physical page:
page:00000000c9817e01 refcount:1 mapcount:0 mapping:0000000000000000 index:0xf2ff0000039b4ec0 pfn:0x439b0
head:00000000c9817e01 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x1ffc00000000840(slab|head|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
page_type: 0xffffffff()
raw: 01ffc00000000840 f5ff000002c39300 fffffc00000db600 dead000000000004
raw: f2ff0000039b4ec0 0000000080080007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000039b4d00: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
 ffff0000039b4e00: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 fe fe fe fe
>ffff0000039b4f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                                        ^
 ffff0000039b5000: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 ffff0000039b5100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================