==================================================================
BUG: KASAN: use-after-free in cleancache_fs_enabled_mapping include/linux/cleancache.h:56 [inline]
BUG: KASAN: use-after-free in cleancache_invalidate_page include/linux/cleancache.h:110 [inline]
BUG: KASAN: use-after-free in unaccount_page_cache_page+0x6d8/0x750 mm/filemap.c:167
Read of size 4 at addr ffff88812ec55470 by task kswapd0/46

CPU: 0 PID: 46 Comm: kswapd0 Tainted: G W 5.15.173-syzkaller-00213-gaf461d0249a8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1c0 lib/dump_stack.c:106
 print_address_description+0x87/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:444
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 cleancache_fs_enabled_mapping include/linux/cleancache.h:56 [inline]
 cleancache_invalidate_page include/linux/cleancache.h:110 [inline]
 unaccount_page_cache_page+0x6d8/0x750 mm/filemap.c:167
 __delete_from_page_cache+0xc6/0x5b0 mm/filemap.c:235
 __remove_mapping+0x566/0x690 mm/vmscan.c:1201
 shrink_page_list+0x2723/0x5c50 mm/vmscan.c:1798
 shrink_inactive_list mm/vmscan.c:2305 [inline]
 shrink_list mm/vmscan.c:2550 [inline]
 shrink_lruvec+0x17ec/0x4580 mm/vmscan.c:5755
 shrink_node_memcgs mm/vmscan.c:5947 [inline]
 shrink_node+0x1083/0x2550 mm/vmscan.c:5977
 kswapd_shrink_node mm/vmscan.c:6727 [inline]
 balance_pgdat+0x15e1/0x2f50 mm/vmscan.c:6917
 kswapd+0x698/0xd60 mm/vmscan.c:7176
 kthread+0x421/0x510 kernel/kthread.c:337
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

Allocated by task 921:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:433 [inline]
 ____kasan_kmalloc+0xdb/0x110 mm/kasan/common.c:512
 __kasan_kmalloc+0x9/0x10 mm/kasan/common.c:521
 kasan_kmalloc include/linux/kasan.h:227 [inline]
 __kmalloc_track_caller+0x13e/0x2c0 mm/slub.c:4954
 kmalloc_reserve net/core/skbuff.c:357 [inline]
 __alloc_skb+0x10c/0x550 net/core/skbuff.c:428
 alloc_skb include/linux/skbuff.h:1183 [inline]
 nlmsg_new include/net/netlink.h:953 [inline]
 fdb_notify+0x77/0x120 net/bridge/br_fdb.c:800
 br_fdb_update+0x505/0x660 net/bridge/br_fdb.c:624
 br_handle_frame_finish+0x2d3/0x12b0 net/bridge/br_input.c:106
 nf_hook_bridge_pre net/bridge/br_input.c:264 [inline]
 br_handle_frame+0x8ea/0xf70 net/bridge/br_input.c:384
 __netif_receive_skb_core+0x11af/0x3640 net/core/dev.c:5395
 __netif_receive_skb_one_core net/core/dev.c:5499 [inline]
 __netif_receive_skb+0x11c/0x530 net/core/dev.c:5615
 process_backlog+0x31c/0x650 net/core/dev.c:6492
 __napi_poll+0xc4/0x5a0 net/core/dev.c:7051
 napi_poll net/core/dev.c:7118 [inline]
 net_rx_action+0x47d/0xc50 net/core/dev.c:7208
 handle_softirqs+0x25e/0x5c0 kernel/softirq.c:565
 __do_softirq+0xb/0xd kernel/softirq.c:603

Freed by task 921:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:45
 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370
 ____kasan_slab_free+0x126/0x160 mm/kasan/common.c:365
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:373
 kasan_slab_free include/linux/kasan.h:193 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook+0xbd/0x190 mm/slub.c:1749
 slab_free mm/slub.c:3521 [inline]
 kfree+0xcc/0x270 mm/slub.c:4583
 skb_free_head net/core/skbuff.c:656 [inline]
 skb_release_data+0x8a9/0xa80 net/core/skbuff.c:678
 skb_release_all net/core/skbuff.c:743 [inline]
 __kfree_skb net/core/skbuff.c:757 [inline]
 consume_skb+0xac/0x250 net/core/skbuff.c:930
 netlink_broadcast_filtered+0x10f4/0x1220 net/netlink/af_netlink.c:1525
 netlink_broadcast net/netlink/af_netlink.c:1547 [inline]
 nlmsg_multicast include/net/netlink.h:1033 [inline]
 nlmsg_notify+0x101/0x1c0 net/netlink/af_netlink.c:2536
 rtnl_notify+0x9c/0xd0 net/core/rtnetlink.c:759
 fdb_notify+0xcb/0x120 net/bridge/br_fdb.c:811
 br_fdb_update+0x505/0x660 net/bridge/br_fdb.c:624
 br_handle_frame_finish+0x2d3/0x12b0 net/bridge/br_input.c:106
 nf_hook_bridge_pre net/bridge/br_input.c:264 [inline]
 br_handle_frame+0x8ea/0xf70 net/bridge/br_input.c:384
 __netif_receive_skb_core+0x11af/0x3640 net/core/dev.c:5395
 __netif_receive_skb_one_core net/core/dev.c:5499 [inline]
 __netif_receive_skb+0x11c/0x530 net/core/dev.c:5615
 process_backlog+0x31c/0x650 net/core/dev.c:6492
 __napi_poll+0xc4/0x5a0 net/core/dev.c:7051
 napi_poll net/core/dev.c:7118 [inline]
 net_rx_action+0x47d/0xc50 net/core/dev.c:7208
 handle_softirqs+0x25e/0x5c0 kernel/softirq.c:565
 __do_softirq+0xb/0xd kernel/softirq.c:603

The buggy address belongs to the object at ffff88812ec55400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 112 bytes inside of
 512-byte region [ffff88812ec55400, ffff88812ec55600)
The buggy address belongs to the page:
page:ffffea0004bb1500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12ec54
head:ffffea0004bb1500 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100042f00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 921, ts 491054497184, free_ts 490134023083
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2605
 prep_new_page+0x1b/0x110 mm/page_alloc.c:2611
 get_page_from_freelist+0x3550/0x35d0 mm/page_alloc.c:4485
 __alloc_pages+0x27e/0x8f0 mm/page_alloc.c:5780
 allocate_slab mm/slub.c:1932 [inline]
 new_slab+0x9a/0x4e0 mm/slub.c:1995
 ___slab_alloc+0x39e/0x830 mm/slub.c:3028
 __slab_alloc+0x4a/0x90 mm/slub.c:3115
 slab_alloc_node mm/slub.c:3206 [inline]
 slab_alloc mm/slub.c:3250 [inline]
 __kmalloc_track_caller+0x171/0x2c0 mm/slub.c:4949
 kmalloc_reserve net/core/skbuff.c:357 [inline]
 __alloc_skb+0x10c/0x550 net/core/skbuff.c:428
 alloc_skb include/linux/skbuff.h:1183 [inline]
 nlmsg_new include/net/netlink.h:953 [inline]
 fdb_notify+0x77/0x120 net/bridge/br_fdb.c:800
 br_fdb_update+0x505/0x660 net/bridge/br_fdb.c:624
 br_handle_frame_finish+0x2d3/0x12b0 net/bridge/br_input.c:106
 nf_hook_bridge_pre net/bridge/br_input.c:264 [inline]
 br_handle_frame+0x8ea/0xf70 net/bridge/br_input.c:384
 __netif_receive_skb_core+0x11af/0x3640 net/core/dev.c:5395
 __netif_receive_skb_one_core net/core/dev.c:5499 [inline]
 __netif_receive_skb+0x11c/0x530 net/core/dev.c:5615
 process_backlog+0x31c/0x650 net/core/dev.c:6492
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1472 [inline]
 free_pcp_prepare mm/page_alloc.c:1544 [inline]
 free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3534
 free_unref_page+0xe8/0x750 mm/page_alloc.c:3616
 free_the_page mm/page_alloc.c:805 [inline]
 __free_pages+0x61/0xf0 mm/page_alloc.c:5856
 __vunmap+0x7bc/0x8f0 mm/vmalloc.c:2652
 __vfree mm/vmalloc.c:2700 [inline]
 vfree+0x7f/0xb0 mm/vmalloc.c:2731
 kcov_put kernel/kcov.c:417 [inline]
 kcov_close+0x2b/0x50 kernel/kcov.c:519
 __fput+0x228/0x8c0 fs/file_table.c:280
 ____fput+0x15/0x20 fs/file_table.c:308
 task_work_run+0x129/0x190 kernel/task_work.c:188
 exit_task_work include/linux/task_work.h:33 [inline]
 do_exit+0xc48/0x2ca0 kernel/exit.c:880
 do_group_exit+0x141/0x310 kernel/exit.c:1002
 get_signal+0x7a3/0x1630 kernel/signal.c:2907
 arch_do_signal_or_restart+0xbd/0x1680 arch/x86/kernel/signal.c:867
 handle_signal_work kernel/entry/common.c:154 [inline]
 exit_to_user_mode_loop+0xa0/0xe0 kernel/entry/common.c:178
 exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:214
 __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
 syscall_exit_to_user_mode+0x26/0x160 kernel/entry/common.c:307

Memory state around the buggy address:
 ffff88812ec55300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88812ec55380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88812ec55400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff88812ec55480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88812ec55500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
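Two things are worth checking before taking the headline of a report like this at face value: that the shadow byte covering the faulting address really encodes "freed" (0xfa/0xfb under generic KASAN; 0xfc would be a slab redzone, i.e. an out-of-bounds access instead), and what the Allocated/Freed stacks actually describe. Here the address is 112 bytes into a kmalloc-512 slot whose most recent owner was a netlink skb head allocated in fdb_notify via nlmsg_new and released by consume_skb in netlink_broadcast_filtered, both in task 921, while the reader is kswapd0 in cleancache_fs_enabled_mapping, reached from unaccount_page_cache_page with a page-cache mapping, which is not skb code. KASAN records only the latest allocation and free of a slot, so those two stacks locate the reuse of the memory, not necessarily the code that dropped the object the reclaim path was still pointing at. The script below is an added example, not part of the syzkaller report or of the kernel: it parses the report into the fields above, decodes the shadow byte covering the faulting address and checks that it agrees with the use-after-free verdict. The shadow encodings are the generic-KASAN slab values from mm/kasan/kasan.h in v5.15; the set of allocator "plumbing" frames skipped when naming the owning code is a heuristic of this example; the input is a constructed, trimmed excerpt of the report above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Generic-KASAN shadow values for slab memory (mm/kasan/kasan.h, v5.15); 1..7 would mean a partial granule.
SHADOW_NAMES = {0x00: "addressable", 0xFA: "freed slab object (granule holding the free track)",
                0xFB: "freed slab object", 0xFC: "slab object redzone", 0xFF: "freed page"}
# Heuristic of this example, not the kernel's: KASAN/SLUB frames above the code that really owned the object.
_PLUMBING = re.compile(r"^(?:_*kasan_|set_alloc_info|slab_|_*kmalloc|kfree|kmem_cache)")

@dataclass
class KasanReport:
    bug: str = ""                  # "use-after-free", "slab-out-of-bounds", ...
    access: str = ""               # "Read" or "Write"
    size: int = 0
    addr: int = 0
    task: str = ""                 # "comm/pid" of the faulting task
    alloc_task: Optional[int] = None
    free_task: Optional[int] = None
    alloc_stack: List[str] = field(default_factory=list)
    free_stack: List[str] = field(default_factory=list)
    cache: str = ""
    obj_start: int = 0
    obj_size: int = 0
    shadow_rows: Dict[int, List[int]] = field(default_factory=dict)  # row base address -> 16 shadow bytes

def parse_report(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"BUG: KASAN: (\S+) in ", s):
            r.bug = r.bug or m[1]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", s):
            r.access, r.size, r.addr, r.task = m[1], int(m[2]), int(m[3], 16), m[4]
        elif m := re.match(r"Allocated by task (\d+):", s):
            r.alloc_task, section = int(m[1]), r.alloc_stack
        elif m := re.match(r"Freed by task (\d+):", s):
            r.free_task, section = int(m[1]), r.free_stack
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", s):
            r.obj_start = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", s):
            r.cache, r.obj_size = m[1], int(m[2])
        elif m := re.match(r">?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})$", line):
            r.shadow_rows[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif s == "":
            section = None             # a blank line ends a stack section
        elif section is not None:
            section.append(s)
    return r

def shadow_byte(r: KasanReport, addr: int) -> Optional[int]:
    # A dump row holds 16 granules of 8 bytes, so it covers 128 bytes of memory.
    for base, row in r.shadow_rows.items():
        if base <= addr < base + 128:
            return row[(addr - base) // 8]
    return None

def first_owner_frame(stack: List[str]) -> Optional[str]:
    # Function name of the first frame below the KASAN/SLUB plumbing.
    names = (re.match(r"[\w.]+", f)[0] for f in stack)
    return next((fn for fn in names if not _PLUMBING.match(fn)), None)

def triage(text: str) -> dict:
    r = parse_report(text)
    sb = shadow_byte(r, r.addr)
    offset = r.addr - r.obj_start
    return {
        "bug": r.bug, "access": f"{r.access} of {r.size} bytes", "task": r.task,
        "cache": r.cache, "offset_in_object": offset, "in_object": 0 <= offset < r.obj_size,
        "shadow": sb, "shadow_meaning": SHADOW_NAMES.get(sb, f"other shadow value: {sb}"),
        "shadow_confirms_uaf": r.bug == "use-after-free" and sb in (0xFA, 0xFB),
        "same_task_alloc_free": r.alloc_task == r.free_task,
        "allocated_as": first_owner_frame(r.alloc_stack), "freed_via": first_owner_frame(r.free_stack),
    }

# Constructed input: a trimmed excerpt of the report above.
SAMPLE = """\
BUG: KASAN: use-after-free in cleancache_fs_enabled_mapping include/linux/cleancache.h:56 [inline]
Read of size 4 at addr ffff88812ec55470 by task kswapd0/46

Allocated by task 921:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 __kmalloc_track_caller+0x13e/0x2c0 mm/slub.c:4954
 __alloc_skb+0x10c/0x550 net/core/skbuff.c:428

Freed by task 921:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kfree+0xcc/0x270 mm/slub.c:4583
 skb_free_head net/core/skbuff.c:656 [inline]

The buggy address belongs to the object at ffff88812ec55400
 which belongs to the cache kmalloc-512 of size 512

Memory state around the buggy address:
 ffff88812ec55380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88812ec55400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88812ec55480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""
```

Running triage(SAMPLE) on the excerpt gives shadow 0xfb at the faulting address, an in-object offset of 112 and __alloc_skb/skb_free_head as the owning code, i.e. the verdict is consistent with the shadow state and the slot's last owner was an skb head. On a report whose faulting address decodes to 0xfc the same check flags that the "use-after-free" label and the shadow disagree, which usually means the interesting stack is not the one printed.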