==================================================================
BUG: KASAN: slab-out-of-bounds in cleancache_fs_enabled_mapping include/linux/cleancache.h:56 [inline]
BUG: KASAN: slab-out-of-bounds in cleancache_invalidate_page include/linux/cleancache.h:110 [inline]
BUG: KASAN: slab-out-of-bounds in unaccount_page_cache_page+0x99f/0xa80 mm/filemap.c:175
Read of size 4 at addr ffff8881075a2470 by task syz.6.1431/6213

CPU: 1 PID: 6213 Comm: syz.6.1431 Not tainted 5.10.232-syzkaller-00746-g49e8ba0a684f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
 print_address_description+0x81/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:452
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 cleancache_fs_enabled_mapping include/linux/cleancache.h:56 [inline]
 cleancache_invalidate_page include/linux/cleancache.h:110 [inline]
 unaccount_page_cache_page+0x99f/0xa80 mm/filemap.c:175
 __delete_from_page_cache+0xd0/0x5d0 mm/filemap.c:243
 __remove_mapping+0x567/0x690 mm/vmscan.c:978
 shrink_page_list+0x1f38/0x4c60 mm/vmscan.c:1491
 shrink_inactive_list+0x591/0x1150 mm/vmscan.c:2068
 shrink_list mm/vmscan.c:2287 [inline]
 shrink_lruvec+0xced/0x3860 mm/vmscan.c:5466
 shrink_node_memcgs mm/vmscan.c:5653 [inline]
 shrink_node+0xded/0x2000 mm/vmscan.c:5683
 shrink_zones mm/vmscan.c:5889 [inline]
 do_try_to_free_pages+0x652/0x1630 mm/vmscan.c:5947
 try_to_free_mem_cgroup_pages+0x369/0x830 mm/vmscan.c:6265
 try_charge+0x4b8/0x15f0 mm/memcontrol.c:2742
 __mem_cgroup_charge+0x147/0x6e0 mm/memcontrol.c:6868
 mem_cgroup_charge include/linux/memcontrol.h:458 [inline]
 shmem_add_to_page_cache+0x6a9/0x10c0 mm/shmem.c:699
 shmem_getpage_gfp+0xa65/0x2480 mm/shmem.c:1952
 shmem_getpage mm/shmem.c:161 [inline]
 shmem_write_begin+0xca/0x1b0 mm/shmem.c:2497
 generic_perform_write+0x2cd/0x570 mm/filemap.c:3509
 __generic_file_write_iter+0x23c/0x560 mm/filemap.c:3638
 generic_file_write_iter+0xaf/0x1c0 mm/filemap.c:3670
 __kernel_write+0x5ab/0x9d0 fs/read_write.c:550
 dump_emit+0x261/0x3a0 fs/coredump.c:849
 dump_user_range+0x71/0x1a0 fs/coredump.c:902
 elf_core_dump+0x33bd/0x3c10 fs/binfmt_elf.c:2290
 do_coredump+0x1eb8/0x2d60 fs/coredump.c:811
 get_signal+0x102c/0x1410 kernel/signal.c:2779
 arch_do_signal_or_restart+0xbd/0x17c0 arch/x86/kernel/signal.c:805
 handle_signal_work kernel/entry/common.c:145 [inline]
 exit_to_user_mode_loop+0x9b/0xd0 kernel/entry/common.c:169
 exit_to_user_mode_prepare kernel/entry/common.c:199 [inline]
 irqentry_exit_to_user_mode+0x4e/0x80 kernel/entry/common.c:287
 irqentry_exit+0x12/0x60 kernel/entry/common.c:375
 exc_page_fault+0x33d/0x5b0 arch/x86/mm/fault.c:1487
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:571
RIP: 0033:0x7fd29afa5d31
Code: 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 48 3d 01 f0 ff ff 73 01 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f
RSP: 002b:0000000000000030 EFLAGS: 00010217
RAX: 0000000000000000 RBX: 00007fd29b196080 RCX: 00007fd29afa5d29
RDX: 0000000000000000 RSI: 0000000000000030 RDI: 0000000002000600
RBP: 00007fd29b021b08 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fd29b196080 R15: 00007ffe7140aa28

Allocated by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8881075a0000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 1136 bytes to the right of
 8192-byte region [ffff8881075a0000, ffff8881075a2000)
The buggy address belongs to the page:
page:ffffea00041d6800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1075a0
head:ffffea00041d6800 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100042a80
raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 5888, ts 220593905245, free_ts 217182466234
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page+0x166/0x180 mm/page_alloc.c:2462
 get_page_from_freelist+0x2d8c/0x2f30 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x435/0xaf0 mm/page_alloc.c:5348
 allocate_slab mm/slub.c:1808 [inline]
 new_slab+0x80/0x400 mm/slub.c:1869
 new_slab_objects mm/slub.c:2627 [inline]
 ___slab_alloc+0x302/0x4b0 mm/slub.c:2791
 __slab_alloc+0x63/0xa0 mm/slub.c:2831
 slab_alloc_node mm/slub.c:2913 [inline]
 slab_alloc mm/slub.c:2955 [inline]
 __kmalloc_track_caller+0x1f8/0x320 mm/slub.c:4536
 __kmalloc_reserve net/core/skbuff.c:144 [inline]
 pskb_expand_head+0x12b/0x1180 net/core/skbuff.c:1653
 __skb_cow include/linux/skbuff.h:3246 [inline]
 skb_cow_head include/linux/skbuff.h:3280 [inline]
 ip_tunnel_xmit+0x1c88/0x2760 net/ipv4/ip_tunnel.c:815
 __gre_xmit net/ipv4/ip_gre.c:469 [inline]
 ipgre_xmit+0x7f8/0xb80 net/ipv4/ip_gre.c:664
 __netdev_start_xmit include/linux/netdevice.h:4858 [inline]
 netdev_start_xmit include/linux/netdevice.h:4872 [inline]
 xmit_one net/core/dev.c:3607 [inline]
 dev_hard_start_xmit+0x228/0x620 net/core/dev.c:3623
 __dev_queue_xmit+0x154e/0x28a0 net/core/dev.c:4209
 dev_queue_xmit+0x17/0x20 net/core/dev.c:4242
 __bpf_tx_skb net/core/filter.c:2120 [inline]
 __bpf_redirect_no_mac net/core/filter.c:2154 [inline]
 __bpf_redirect+0x665/0xde0 net/core/filter.c:2177
 ____bpf_clone_redirect net/core/filter.c:2461 [inline]
 bpf_clone_redirect+0x24d/0x390 net/core/filter.c:2433
 0xffffffffa003a966
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1349 [inline]
 free_pcp_prepare mm/page_alloc.c:1421 [inline]
 free_unref_page_prepare+0x2ae/0x2d0 mm/page_alloc.c:3336
 free_unref_page mm/page_alloc.c:3391 [inline]
 free_the_page+0x9e/0x370 mm/page_alloc.c:5407
 __free_pages+0x67/0xc0 mm/page_alloc.c:5418
 __vunmap+0x7bc/0x8f0 mm/vmalloc.c:2301
 __vfree mm/vmalloc.c:2349 [inline]
 vfree+0x5c/0x80 mm/vmalloc.c:2380
 kcov_mmap+0x93/0x130 kernel/kcov.c:489
 call_mmap include/linux/fs.h:2063 [inline]
 mmap_file+0x5f/0xb0 mm/util.c:1085
 __mmap_region mm/mmap.c:1872 [inline]
 mmap_region+0x149f/0x1cd0 mm/mmap.c:3063
 do_mmap+0x800/0xeb0 mm/mmap.c:1649
 vm_mmap_pgoff+0x201/0x390 mm/util.c:543
 ksys_mmap_pgoff+0x16f/0x1f0 mm/mmap.c:1700
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline]
 __x64_sys_mmap+0x103/0x120 arch/x86/kernel/sys_x86_64.c:86
 do_syscall_64+0x34/0x70
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Memory state around the buggy address:
 ffff8881075a2300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881075a2380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881075a2400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                             ^
 ffff8881075a2480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881075a2500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================