==================================================================
BUG: KASAN: use-after-free in copy_page_from_iter_atomic+0x9a4/0x1104 lib/iov_iter.c:820
Read of size 4096 at addr ffff0000d7bd1000 by task kworker/u4:5/1610

CPU: 1 PID: 1610 Comm: kworker/u4:5 Not tainted 6.1.61-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Workqueue: loop3 loop_workfn
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x174/0x4c0 mm/kasan/report.c:395
 kasan_report+0xd4/0x130 mm/kasan/report.c:495
 kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
 memcpy+0x48/0x90 mm/kasan/shadow.c:65
 copy_page_from_iter_atomic+0x9a4/0x1104 lib/iov_iter.c:820
 generic_perform_write+0x2fc/0x55c mm/filemap.c:3762
 __generic_file_write_iter+0x168/0x388 mm/filemap.c:3882
 generic_file_write_iter+0xb8/0x2b4 mm/filemap.c:3914
 do_iter_write+0x534/0x964 fs/read_write.c:861
 vfs_iter_write+0x88/0xac fs/read_write.c:902
 lo_write_bvec drivers/block/loop.c:249 [inline]
 lo_write_simple drivers/block/loop.c:271 [inline]
 do_req_filebacked drivers/block/loop.c:495 [inline]
 loop_handle_cmd drivers/block/loop.c:1882 [inline]
 loop_process_work+0x15fc/0x256c drivers/block/loop.c:1917
 loop_workfn+0x54/0x68 drivers/block/loop.c:1941
 process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
 worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864

The buggy address belongs to the physical page:
page:00000000a69a0c09 refcount:1 mapcount:-512 mapping:0000000000000000 index:0x0 pfn:0x117bd1
memcg:ffff0000d9061e02
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 ffff0000d49bcde0 00000001fffffdff ffff0000d9061e02
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000d7bd0f00: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000d7bd0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000d7bd1000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                   ^
 ffff0000d7bd1080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000d7bd1100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Unable to handle kernel paging request at virtual address dfff800000000005
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
[dfff800000000005] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 1610 Comm: kworker/u4:5 Tainted: G    B              6.1.61-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Workqueue: loop3 loop_workfn
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : fsnotify_parent include/linux/fsnotify.h:62 [inline]
pc : fsnotify_file include/linux/fsnotify.h:99 [inline]
pc : fsnotify_modify include/linux/fsnotify.h:317 [inline]
pc : do_iter_write+0x640/0x964 fs/read_write.c:865
lr : fsnotify_file include/linux/fsnotify.h:96 [inline]
lr : fsnotify_modify include/linux/fsnotify.h:317 [inline]
lr : do_iter_write+0x5fc/0x964 fs/read_write.c:865
sp : ffff8000224b7680
x29: ffff8000224b7780 x28: 1ffff00004496ee4 x27: ffff700004496edc
x26: ffff8000224b7708 x25: 1fffe0001935b00f x24: 0000000000001000
x23: 0000000000000028 x22: dfff800000000000 x21: ffff0001290545e0
x20: 0000000000000000 x19: ffff0000c9ad8000 x18: 1fffe000368b0776
x17: ffff80001580d000 x16: ffff80001213619c x15: ffff0001b4583bbc
x14: ffff0001b4583bb8 x13: 1fffe000368b0776 x12: 0000000000000001
x11: ff80800008a41540 x10: 0000000000000000 x9 : ffff0000cf33b780
x8 : 0000000000000005 x7 : 1fffe000368b0777 x6 : 0000000000000000
x5 : fffffc0004af81c0 x4 : 0000000000001000 x3 : ffff8000082fecf0
x2 : 0000000000000001 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
 fsnotify_parent include/linux/fsnotify.h:62 [inline]
 fsnotify_file include/linux/fsnotify.h:99 [inline]
 fsnotify_modify include/linux/fsnotify.h:317 [inline]
 do_iter_write+0x640/0x964 fs/read_write.c:865
 vfs_iter_write+0x88/0xac fs/read_write.c:902
 lo_write_bvec drivers/block/loop.c:249 [inline]
 lo_write_simple drivers/block/loop.c:271 [inline]
 do_req_filebacked drivers/block/loop.c:495 [inline]
 loop_handle_cmd drivers/block/loop.c:1882 [inline]
 loop_process_work+0x15fc/0x256c drivers/block/loop.c:1917
 loop_workfn+0x54/0x68 drivers/block/loop.c:1941
 process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
 worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864
Code: 97fcd0a5 f9400294 9100a297 d343fee8 (38766908)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:   97fcd0a5        bl      0xfffffffffff34294
   4:   f9400294        ldr     x20, [x20]
   8:   9100a297        add     x23, x20, #0x28
   c:   d343fee8        lsr     x8, x23, #3
* 10:   38766908        ldrb    w8, [x8, x22] <-- trapping instruction