==================================================================
BUG: KASAN: slab-use-after-free in __update_min_deadline kernel/sched/fair.c:805 [inline]
BUG: KASAN: slab-use-after-free in min_deadline_update kernel/sched/fair.c:819 [inline]
BUG: KASAN: slab-use-after-free in min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
BUG: KASAN: slab-use-after-free in reweight_entity+0x720/0x888 kernel/sched/fair.c:3660
Read of size 8 at addr ffff00000af180b0 by task syz-fuzzer/3103

CPU: 1 PID: 3103 Comm: syz-fuzzer Not tainted 6.6.0-rc6-syzkaller-00045-g7cf4bea77ab6 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x9c/0x11c arch/arm64/kernel/stacktrace.c:233
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:240
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x74/0xd4 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xd8/0x598 mm/kasan/report.c:475
 kasan_report+0xc8/0x108 mm/kasan/report.c:588
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 __update_min_deadline kernel/sched/fair.c:805 [inline]
 min_deadline_update kernel/sched/fair.c:819 [inline]
 min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
 reweight_entity+0x720/0x888 kernel/sched/fair.c:3660
 update_cfs_group+0x144/0x214 kernel/sched/fair.c:3826
 entity_tick kernel/sched/fair.c:5317 [inline]
 task_tick_fair+0xd8/0x8e0 kernel/sched/fair.c:12392
 scheduler_tick+0x218/0x4f8 kernel/sched/core.c:5657
 update_process_times+0x180/0x1f8 kernel/time/timer.c:2076
 tick_sched_handle+0x68/0x12c kernel/time/tick-sched.c:254
 tick_sched_timer+0x74/0x120 kernel/time/tick-sched.c:1492
 __run_hrtimer kernel/time/hrtimer.c:1688 [inline]
 __hrtimer_run_queues+0x580/0xb14 kernel/time/hrtimer.c:1752
 hrtimer_interrupt+0x2a4/0x768 kernel/time/hrtimer.c:1814
 timer_handler drivers/clocksource/arm_arch_timer.c:674 [inline]
 arch_timer_handler_phys+0x40/0x6c drivers/clocksource/arm_arch_timer.c:692
 handle_percpu_devid_irq+0x19c/0x30c kernel/irq/chip.c:942
 generic_handle_irq_desc include/linux/irqdesc.h:161 [inline]
 handle_irq_desc kernel/irq/irqdesc.c:672 [inline]
 generic_handle_domain_irq+0x78/0xa4 kernel/irq/irqdesc.c:728
 gic_handle_irq+0x54/0x188 drivers/irqchip/irq-gic.c:373
 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:886
 do_interrupt_handler+0x12c/0x150 arch/arm64/kernel/entry-common.c:276
 el0_interrupt+0x68/0x1cc arch/arm64/kernel/entry-common.c:760
 __el0_irq_handler_common+0x18/0x24 arch/arm64/kernel/entry-common.c:768
 el0t_64_irq_handler+0x10/0x1c arch/arm64/kernel/entry-common.c:773
 el0t_64_irq+0x190/0x194 arch/arm64/kernel/entry.S:596

Allocated by task 3103:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
 kasan_set_track+0x2c/0x40 mm/kasan/common.c:52
 kasan_save_alloc_info+0x24/0x34 mm/kasan/generic.c:511
 __kasan_slab_alloc+0x8c/0x90 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:762 [inline]
 slab_alloc_node mm/slub.c:3478 [inline]
 kmem_cache_alloc_node+0x168/0x2d4 mm/slub.c:3523
 alloc_task_struct_node kernel/fork.c:173 [inline]
 dup_task_struct kernel/fork.c:1110 [inline]
 copy_process+0x360/0x5520 kernel/fork.c:2327
 kernel_clone+0x140/0x7e8 kernel/fork.c:2909
 __do_sys_clone+0xb8/0xfc kernel/fork.c:3052
 __se_sys_clone kernel/fork.c:3020 [inline]
 __arm64_sys_clone+0xa4/0xfc kernel/fork.c:3020
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:51
 el0_svc_common.constprop.0+0xac/0x230 arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x40/0x58 arch/arm64/kernel/syscall.c:155
 el0_svc+0x58/0x140 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595

Freed by task 3103:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
 kasan_set_track+0x2c/0x40 mm/kasan/common.c:52
 kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:522
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x120/0x1b8 mm/kasan/common.c:200
 __kasan_slab_free+0x18/0x24 mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:164 [inline]
 slab_free_hook mm/slub.c:1800 [inline]
 slab_free_freelist_hook mm/slub.c:1826 [inline]
 slab_free mm/slub.c:3809 [inline]
 kmem_cache_free+0x14c/0x4e8 mm/slub.c:3831
 free_task_struct kernel/fork.c:178 [inline]
 free_task+0xd4/0x11c kernel/fork.c:627
 __put_task_struct+0x1e4/0x27c kernel/fork.c:981
 put_task_struct include/linux/sched/task.h:136 [inline]
 put_task_struct include/linux/sched/task.h:123 [inline]
 delayed_put_task_struct+0x138/0x314 kernel/exit.c:226
 rcu_do_batch kernel/rcu/tree.c:2139 [inline]
 rcu_core+0x950/0x1c3c kernel/rcu/tree.c:2403
 rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2420
 __do_softirq+0x2e4/0xe1c kernel/softirq.c:553

Last potentially related work creation:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xb4/0xe4 mm/kasan/generic.c:492
 kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:502
 __call_rcu_common.constprop.0+0x9c/0x8c0 kernel/rcu/tree.c:2653
 call_rcu+0x10/0x1c kernel/rcu/tree.c:2767
 put_task_struct_rcu_user kernel/exit.c:232 [inline]
 put_task_struct_rcu_user kernel/exit.c:229 [inline]
 release_task+0xbc8/0x1520 kernel/exit.c:282
 wait_task_zombie kernel/exit.c:1210 [inline]
 wait_consider_task+0xf14/0x2a5c kernel/exit.c:1437
 do_wait_pid kernel/exit.c:1568 [inline]
 do_wait+0x490/0x994 kernel/exit.c:1610
 kernel_wait4+0xec/0x258 kernel/exit.c:1780
 __do_sys_wait4+0xac/0x1e8 kernel/exit.c:1808
 __se_sys_wait4 kernel/exit.c:1804 [inline]
 __arm64_sys_wait4+0x88/0xc8 kernel/exit.c:1804
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:51
 el0_svc_common.constprop.0+0xac/0x230 arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x40/0x58 arch/arm64/kernel/syscall.c:155
 el0_svc+0x58/0x140 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595

Second to last potentially related work creation:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xb4/0xe4 mm/kasan/generic.c:492
 kasan_record_aux_stack+0x14/0x20 mm/kasan/generic.c:497
 task_work_add+0x94/0x298 kernel/task_work.c:48
 task_tick_mm_cid+0xfc/0x14c kernel/sched/core.c:12023
 scheduler_tick+0x22c/0x4f8 kernel/sched/core.c:5662
 update_process_times+0x180/0x1f8 kernel/time/timer.c:2076
 tick_sched_handle+0x68/0x12c kernel/time/tick-sched.c:254
 tick_sched_timer+0x74/0x120 kernel/time/tick-sched.c:1492
 __run_hrtimer kernel/time/hrtimer.c:1688 [inline]
 __hrtimer_run_queues+0x580/0xb14 kernel/time/hrtimer.c:1752
 hrtimer_interrupt+0x2a4/0x768 kernel/time/hrtimer.c:1814
 timer_handler drivers/clocksource/arm_arch_timer.c:674 [inline]
 arch_timer_handler_phys+0x40/0x6c drivers/clocksource/arm_arch_timer.c:692
 handle_percpu_devid_irq+0x19c/0x30c kernel/irq/chip.c:942
 generic_handle_irq_desc include/linux/irqdesc.h:161 [inline]
 handle_irq_desc kernel/irq/irqdesc.c:672 [inline]
 generic_handle_domain_irq+0x78/0xa4 kernel/irq/irqdesc.c:728
 gic_handle_irq+0x54/0x188 drivers/irqchip/irq-gic.c:373

The buggy address belongs to the object at ffff00000af18000
 which belongs to the cache task_struct of size 6848
The buggy address is located 176 bytes inside of
 freed 6848-byte region [ffff00000af18000, ffff00000af19ac0)

The buggy address belongs to the physical page:
page:00000000d085eb2f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4af18
head:00000000d085eb2f order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x1ffc00000000840(slab|head|node=0|zone=0|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 01ffc00000000840 ffff000009c80dc0 fffffc00002d6600 dead000000000002
raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff00000af17f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff00000af18000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff00000af18080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff00000af18100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff00000af18180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================