==================================================================
BUG: KASAN: use-after-free in __rb_insert lib/rbtree.c:115 [inline]
BUG: KASAN: use-after-free in __rb_insert_augmented+0xaa/0x670 lib/rbtree.c:459
Read of size 8 at addr ffff8881c0000008 by task syz-executor.0/17308

CPU: 0 PID: 17308 Comm: syz-executor.0 Tainted: G W 5.15.75-syzkaller-00546-gd9d889009b78 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description+0x87/0x3d0 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0x1a6/0x1f0 mm/kasan/report.c:452
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309
 __rb_insert lib/rbtree.c:115 [inline]
 __rb_insert_augmented+0xaa/0x670 lib/rbtree.c:459
 rb_insert_augmented include/linux/rbtree_augmented.h:50 [inline]
 rb_insert_augmented_cached include/linux/rbtree_augmented.h:60 [inline]
 vma_interval_tree_insert+0x2f3/0x310 mm/interval_tree.c:23
 __vma_link_file mm/mmap.c:674 [inline]
 vma_link+0x18a/0x1f0 mm/mmap.c:700
 mmap_region+0x16dd/0x1af0 mm/mmap.c:1853
 do_mmap+0x785/0xe40 mm/mmap.c:1584
 vm_mmap_pgoff+0x1d4/0x420 mm/util.c:554
 vm_mmap+0x8d/0xb0 mm/util.c:574
 elf_map+0x1b1/0x310 fs/binfmt_elf.c:392
 load_elf_binary+0x101c/0x27c0 fs/binfmt_elf.c:1141
 search_binary_handler fs/exec.c:1739 [inline]
 exec_binprm+0x2a8/0xbc0 fs/exec.c:1780
 bprm_execve+0x4f0/0x7f0 fs/exec.c:1849
 do_execveat_common+0xa92/0xc80 fs/exec.c:1954
 do_execve fs/exec.c:2024 [inline]
 __do_sys_execve fs/exec.c:2100 [inline]
 __se_sys_execve fs/exec.c:2095 [inline]
 __x64_sys_execve+0x92/0xb0 fs/exec.c:2095
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x4ae0d6
Code: Unable to access opcode bytes at RIP 0x4ae0ac.
RSP: 002b:000000c00336b288 EFLAGS: 00000206 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004ae0d6
RDX: 000000c01319c960 RSI: 000000c00b5e6048 RDI: 000000c01bcbe318
RBP: 000000c00336b430 R08: 0000000000000008 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 00000000004a4aef
R13: 0000000000000001 R14: 000000c0004bb040 R15: ffffffffffffffff

The buggy address belongs to the page:
page:ffffea0007000000 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1c0000
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea0007010008 ffffea0006ff0008 0000000000000000
raw: 0000000000000000 000000000000000a 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff8881bfffff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881bfffff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881c0000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff8881c0000080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881c0000100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================