==================================================================
BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x13c/0x418 virt/kvm/guest_memfd.c:303
Write of size 8 at addr 0df000001d4a47d8 by task syz.3.67/4026
Pointer tag: [0d], memory tag: [fe]

CPU: 0 UID: 0 PID: 4026 Comm: syz.3.67 Not tainted syzkaller #0 PREEMPT
Hardware name: linux,dummy-virt (DT)
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xac/0x288 mm/kasan/report.c:378
 print_report+0x84/0xa0 mm/kasan/report.c:482
 kasan_report+0xb0/0x110 mm/kasan/report.c:595
 kasan_tag_mismatch+0x28/0x3c mm/kasan/sw_tags.c:176
 __hwasan_tag_mismatch+0x30/0x60 arch/arm64/lib/kasan_sw_tags.S:55
 kvm_gmem_release+0x13c/0x418 virt/kvm/guest_memfd.c:303
 __fput+0x4ac/0x980 fs/file_table.c:468
 ____fput+0x20/0x58 fs/file_table.c:496
 task_work_run+0x1bc/0x254 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xfc/0x178 kernel/entry/common.c:43
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 arm64_exit_to_user_mode arch/arm64/kernel/entry-common.c:103 [inline]
 el0_svc+0x170/0x234 arch/arm64/kernel/entry-common.c:747
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:765
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

Allocated by task 4026:
 kasan_save_stack+0x40/0x6c mm/kasan/common.c:56
 save_stack_info+0x30/0x138 mm/kasan/tags.c:106
 kasan_save_alloc_info+0x14/0x20 mm/kasan/tags.c:142
 poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
 __kasan_kmalloc+0x8c/0x90 mm/kasan/common.c:417
 kasan_kmalloc include/linux/kasan.h:262 [inline]
 __kmalloc_cache_noprof+0x388/0x5b4 mm/slub.c:5763
 kmalloc_noprof include/linux/slab.h:957 [inline]
 kzalloc_noprof include/linux/slab.h:1094 [inline]
 kvm_set_memory_region+0x738/0xb88 virt/kvm/kvm_main.c:2104
 kvm_vm_ioctl_set_memory_region+0x88/0xe0 virt/kvm/kvm_main.c:2154
 kvm_vm_ioctl+0x7d8/0x9a8 virt/kvm/kvm_main.c:5201
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __arm64_sys_ioctl+0x18c/0x244 fs/ioctl.c:583
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x90/0x238 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x180/0x2f4 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x58/0x74 arch/arm64/kernel/syscall.c:151
 el0_svc+0x5c/0x234 arch/arm64/kernel/entry-common.c:746
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:765
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

Freed by task 4026:
 kasan_save_stack+0x40/0x6c mm/kasan/common.c:56
 save_stack_info+0x30/0x138 mm/kasan/tags.c:106
 __kasan_save_free_info+0x18/0x24 mm/kasan/tags.c:147
 kasan_save_free_info mm/kasan/kasan.h:406 [inline]
 poison_slab_object mm/kasan/common.c:252 [inline]
 __kasan_slab_free+0x64/0x68 mm/kasan/common.c:284
 kasan_slab_free include/linux/kasan.h:234 [inline]
 slab_free_hook mm/slub.c:2539 [inline]
 slab_free mm/slub.c:6630 [inline]
 kfree+0x154/0x578 mm/slub.c:6837
 kvm_set_memory_region+0x9e4/0xb88 virt/kvm/kvm_main.c:2130
 kvm_vm_ioctl_set_memory_region+0x88/0xe0 virt/kvm/kvm_main.c:2154
 kvm_vm_ioctl+0x7d8/0x9a8 virt/kvm/kvm_main.c:5201
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __arm64_sys_ioctl+0x18c/0x244 fs/ioctl.c:583
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x90/0x238 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x180/0x2f4 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x58/0x74 arch/arm64/kernel/syscall.c:151
 el0_svc+0x5c/0x234 arch/arm64/kernel/entry-common.c:746
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:765
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

The buggy address belongs to the object at fff000001d4a4700
 which belongs to the cache kmalloc-cg-256 of size 256
The buggy address is located 216 bytes inside of
 256-byte region [fff000001d4a4700, fff000001d4a4800)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5d4a4
memcg:4cf000001d509d81
anon flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
page_type: f5(slab)
raw: 01ffc00000000000 95f000000cc03c00 0000000000000000 0000000000000001
raw: 0000000000000000 0000000080100010 00000000f5000000 4cf000001d509d81
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 fff000001d4a4500: 9e 9e 9e 9e 9e 9e 9e 9e 9e 9e 9e 9e 9e 9e 9e 9e
 fff000001d4a4600: 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45
>fff000001d4a4700: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                                                          ^
 fff000001d4a4800: b9 b9 b9 b9 b9 b9 b9 b9 b9 b9 b9 b9 b9 b9 b9 fe
 fff000001d4a4900: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
==================================================================