==================================================================
BUG: KASAN: slab-use-after-free in __lock_acquire+0x78/0x1fd0 kernel/locking/lockdep.c:5005
Read of size 8 at addr ffff88805a422810 by task syz-executor.3/22933

CPU: 1 PID: 22933 Comm: syz-executor.3 Not tainted 6.9.0-syzkaller-01049-g8815da98e06a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 __lock_acquire+0x78/0x1fd0 kernel/locking/lockdep.c:5005
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
 class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:553 [inline]
 try_to_wake_up+0xb0/0x1470 kernel/sched/core.c:4262
 call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793
 expire_timers kernel/time/timer.c:1844 [inline]
 __run_timers kernel/time/timer.c:2418 [inline]
 __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429
 run_timer_base kernel/time/timer.c:2438 [inline]
 run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448
 handle_softirqs+0x2d6/0x990 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:console_flush_all+0xaad/0xfd0 kernel/printk/printk.c:2985
Code: ff ff e8 46 a0 1f 00 90 0f 0b 90 e9 d8 f8 ff ff e8 38 a0 1f 00 e8 83 1d 01 0a 4d 85 f6 74 b6 e8 29 a0 1f 00 fb 48 8b 44 24 70 <42> 0f b6 04 38 84 c0 48 8b 7c 24 30 0f 85 22 02 00 00 0f b6 1f 31
RSP: 0018:ffffc9000606f200 EFLAGS: 00000283
RAX: 1ffff92000c0de8c RBX: 0000000000000000 RCX: 0000000000040000
RDX: ffffc900104b8000 RSI: 000000000001932b RDI: 000000000001932c
RBP: ffffc9000606f3b0 R08: ffffffff81767294 R09: 1ffffffff25e02a0
R10: dffffc0000000000 R11: fffffbfff25e02a1 R12: ffffffff8eb03b78
R13: ffffffff8eb03b20 R14: 0000000000000200 R15: dffffc0000000000
 console_unlock+0x13b/0x4d0 kernel/printk/printk.c:3048
 vprintk_emit+0x5a6/0x770 kernel/printk/printk.c:2348
 _printk+0xd5/0x120 kernel/printk/printk.c:2373
 _btrfs_printk+0x59c/0x5c0 fs/btrfs/messages.c:246
 btrfs_check_options+0x410/0x4d0 fs/btrfs/super.c:666
 open_ctree+0x10ed/0x2a00 fs/btrfs/disk-io.c:3324
 btrfs_fill_super fs/btrfs/super.c:938 [inline]
 btrfs_get_tree_super fs/btrfs/super.c:1858 [inline]
 btrfs_get_tree+0xe7a/0x1920 fs/btrfs/super.c:2084
 vfs_get_tree+0x90/0x2a0 fs/super.c:1779
 fc_mount+0x1b/0xb0 fs/namespace.c:1125
 btrfs_get_tree_subvol fs/btrfs/super.c:2047 [inline]
 btrfs_get_tree+0x652/0x1920 fs/btrfs/super.c:2085
 vfs_get_tree+0x90/0x2a0 fs/super.c:1779
 do_new_mount+0x2be/0xb40 fs/namespace.c:3352
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3875
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb9a3e7f46a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb9a4b3fef8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fb9a4b3ff80 RCX: 00007fb9a3e7f46a
RDX: 00000000200055c0 RSI: 0000000020005600 RDI: 00007fb9a4b3ff40
RBP: 00000000200055c0 R08: 00007fb9a4b3ff80 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020005600
R13: 00007fb9a4b3ff40 R14: 000000000000559d R15: 0000000020000440
 </TASK>

Allocated by task 2:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:312 [inline]
 __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3871 [inline]
 slab_alloc_node mm/slub.c:3918 [inline]
 kmem_cache_alloc_node+0x194/0x390 mm/slub.c:3961
 alloc_task_struct_node kernel/fork.c:176 [inline]
 dup_task_struct+0x57/0x7d0 kernel/fork.c:1107
 copy_process+0x5d1/0x3df0 kernel/fork.c:2220
 kernel_clone+0x223/0x870 kernel/fork.c:2797
 kernel_thread+0x1bc/0x240 kernel/fork.c:2859
 create_kthread kernel/kthread.c:411 [inline]
 kthreadd+0x60d/0x810 kernel/kthread.c:764
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 5153:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xa6/0xe0 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2121 [inline]
 slab_free mm/slub.c:4353 [inline]
 kmem_cache_free+0x10b/0x2d0 mm/slub.c:4417
 put_task_struct include/linux/sched/task.h:138 [inline]
 delayed_put_task_struct+0x125/0x2f0 kernel/exit.c:229
 rcu_do_batch kernel/rcu/tree.c:2535 [inline]
 rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2809
 handle_softirqs+0x2d6/0x990 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Last potentially related work creation:
 kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
 __call_rcu_common kernel/rcu/tree.c:3072 [inline]
 call_rcu+0x167/0xa70 kernel/rcu/tree.c:3176
 context_switch kernel/sched/core.c:5412 [inline]
 __schedule+0x179e/0x4a00 kernel/sched/core.c:6746
 __schedule_loop kernel/sched/core.c:6823 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6838
 io_schedule+0x8d/0x110 kernel/sched/core.c:9044
 bit_wait_io+0x12/0xd0 kernel/sched/wait_bit.c:209
 __wait_on_bit+0xb0/0x2f0 kernel/sched/wait_bit.c:49
 out_of_line_wait_on_bit+0x1d5/0x260 kernel/sched/wait_bit.c:64
 wait_on_buffer include/linux/buffer_head.h:389 [inline]
 jbd2_journal_commit_transaction+0x3545/0x6760 fs/jbd2/commit.c:815
 kjournald2+0x463/0x850 fs/jbd2/journal.c:201
 kthread+0x2f0/0x390 kernel/kthread.c:388
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff88805a421e00
 which belongs to the cache task_struct of size 7424
The buggy address is located 2576 bytes inside of
 freed 7424-byte region [ffff88805a421e00, ffff88805a423b00)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5a420
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88801cfbd101
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888015ee6500 ffffea0000842000 dead000000000002
raw: 0000000000000000 0000000000040004 00000001ffffffff ffff88801cfbd101
head: 00fff00000000840 ffff888015ee6500 ffffea0000842000 dead000000000002
head: 0000000000000000 0000000000040004 00000001ffffffff ffff88801cfbd101
head: 00fff00000000003 ffffea0001690801 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 2, tgid 2 (kthreadd), ts 1204270276764, free_ts 1204151516358
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0x3410/0x35b0 mm/page_alloc.c:3317
 __alloc_pages+0x256/0x6c0 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page+0x5f/0x160 mm/slub.c:2190
 allocate_slab mm/slub.c:2353 [inline]
 new_slab+0x84/0x2f0 mm/slub.c:2406
 ___slab_alloc+0xb07/0x12e0 mm/slub.c:3592
 __slab_alloc mm/slub.c:3682 [inline]
 __slab_alloc_node mm/slub.c:3735 [inline]
 slab_alloc_node mm/slub.c:3908 [inline]
 kmem_cache_alloc_node+0x24a/0x390 mm/slub.c:3961
 alloc_task_struct_node kernel/fork.c:176 [inline]
 dup_task_struct+0x57/0x7d0 kernel/fork.c:1107
 copy_process+0x5d1/0x3df0 kernel/fork.c:2220
 kernel_clone+0x223/0x870 kernel/fork.c:2797
 kernel_thread+0x1bc/0x240 kernel/fork.c:2859
 create_kthread kernel/kthread.c:411 [inline]
 kthreadd+0x60d/0x810 kernel/kthread.c:764
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
page last free pid 21880 tgid 21880 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x97b/0xaa0 mm/page_alloc.c:2347
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2487
 discard_slab mm/slub.c:2452 [inline]
 __put_partials+0xeb/0x130 mm/slub.c:2920
 put_cpu_partial+0x17c/0x250 mm/slub.c:2995
 __slab_free+0x2ea/0x3d0 mm/slub.c:4224
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x5e/0xc0 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3871 [inline]
 slab_alloc_node mm/slub.c:3918 [inline]
 kmem_cache_alloc+0x174/0x350 mm/slub.c:3925
 getname_flags+0xbd/0x4f0 fs/namei.c:139
 getname fs/namei.c:218 [inline]
 __do_sys_unlink fs/namei.c:4447 [inline]
 __se_sys_unlink fs/namei.c:4445 [inline]
 __x64_sys_unlink+0x3c/0x60 fs/namei.c:4445
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88805a422700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88805a422780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88805a422800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff88805a422880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88805a422900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess), 2 bytes skipped:
   0:	e8 46 a0 1f 00       	call   0x1fa04b
   5:	90                   	nop
   6:	0f 0b                	ud2
   8:	90                   	nop
   9:	e9 d8 f8 ff ff       	jmp    0xfffff8e6
   e:	e8 38 a0 1f 00       	call   0x1fa04b
  13:	e8 83 1d 01 0a       	call   0xa011d9b
  18:	4d 85 f6             	test   %r14,%r14
  1b:	74 b6                	je     0xffffffd3
  1d:	e8 29 a0 1f 00       	call   0x1fa04b
  22:	fb                   	sti
  23:	48 8b 44 24 70       	mov    0x70(%rsp),%rax
* 28:	42 0f b6 04 38       	movzbl (%rax,%r15,1),%eax <-- trapping instruction
  2d:	84 c0                	test   %al,%al
  2f:	48 8b 7c 24 30       	mov    0x30(%rsp),%rdi
  34:	0f 85 22 02 00 00    	jne    0x25c
  3a:	0f b6 1f             	movzbl (%rdi),%ebx
  3d:	31                   	.byte 0x31