==================================================================
BUG: KASAN: use-after-free in cleancache_fs_enabled_mapping include/linux/cleancache.h:56 [inline]
BUG: KASAN: use-after-free in cleancache_invalidate_page include/linux/cleancache.h:110 [inline]
BUG: KASAN: use-after-free in unaccount_page_cache_page+0x9e0/0xac0 mm/filemap.c:175
Read of size 4 at addr ffff88810ecfa470 by task syz.9.1757/7251

CPU: 0 PID: 7251 Comm: syz.9.1757 Not tainted 5.10.240-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/14/2025
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x169/0x1d8 lib/dump_stack.c:118
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0xe2/0x130 mm/kasan/report.c:452
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 cleancache_fs_enabled_mapping include/linux/cleancache.h:56 [inline]
 cleancache_invalidate_page include/linux/cleancache.h:110 [inline]
 unaccount_page_cache_page+0x9e0/0xac0 mm/filemap.c:175
 __delete_from_page_cache+0xc4/0x460 mm/filemap.c:243
 __remove_mapping+0x562/0x690 mm/vmscan.c:985
 shrink_page_list+0x2109/0x4120 mm/vmscan.c:1498
 shrink_inactive_list+0x4f4/0xe80 mm/vmscan.c:2075
 shrink_list mm/vmscan.c:2294 [inline]
 shrink_lruvec+0x2246/0x2770 mm/vmscan.c:5473
 shrink_node_memcgs mm/vmscan.c:5660 [inline]
 shrink_node+0xf0c/0x2690 mm/vmscan.c:5690
 shrink_zones mm/vmscan.c:5896 [inline]
 do_try_to_free_pages+0x5db/0x1560 mm/vmscan.c:5954
 try_to_free_mem_cgroup_pages+0x233/0x5b0 mm/vmscan.c:6272
 try_charge+0x42b/0x14e0 mm/memcontrol.c:2745
 __mem_cgroup_charge+0x14c/0x6d0 mm/memcontrol.c:6871
 mem_cgroup_charge include/linux/memcontrol.h:458 [inline]
 shmem_add_to_page_cache+0x55e/0xe10 mm/shmem.c:703
 shmem_getpage_gfp+0x8e8/0x2110 mm/shmem.c:1956
 shmem_getpage mm/shmem.c:165 [inline]
 shmem_write_begin+0xce/0x1b0 mm/shmem.c:2501
 generic_perform_write+0x2be/0x510 mm/filemap.c:3509
 __generic_file_write_iter+0x24b/0x480 mm/filemap.c:3638
 generic_file_write_iter+0xa9/0x1d0 mm/filemap.c:3670
 __kernel_write+0x55a/0x910 fs/read_write.c:550
 dump_emit+0x240/0x360 fs/coredump.c:855
 dump_user_range+0x6a/0x1a0 fs/coredump.c:908
 elf_core_dump+0x278a/0x2bc0 fs/binfmt_elf.c:2290
 do_coredump+0x1ac9/0x27f0 fs/coredump.c:817
 get_signal+0xf23/0x12e0 kernel/signal.c:2779
 arch_do_signal_or_restart+0xbf/0x10f0 arch/x86/kernel/signal.c:805
 handle_signal_work kernel/entry/common.c:145 [inline]
 exit_to_user_mode_loop+0xa2/0xe0 kernel/entry/common.c:169
 exit_to_user_mode_prepare kernel/entry/common.c:199 [inline]
 irqentry_exit_to_user_mode+0x4e/0x80 kernel/entry/common.c:287
 irqentry_exit+0x12/0x60 kernel/entry/common.c:375
 exc_page_fault+0x67/0xc0 arch/x86/mm/fault.c:1487
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:571
RIP: 0033:0x4d30b1ae
Code: Unable to access opcode bytes at RIP 0x4d30b184.
RSP: 002b:0000200000000128 EFLAGS: 00010217
RAX: 0000000000000000 RBX: 00007f8d4da4a090 RCX: 00007f8d4d812be9
RDX: 0000200000000140 RSI: 0000200000000120 RDI: 0000000000000000
RBP: 00007f8d4d895e19 R08: 00002000000001c0 R09: 00002000000001c0
R10: 0000200000000180 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8d4da4a128 R14: 00007f8d4da4a090 R15: 00007ffe54bb0be8

The buggy address belongs to the page:
page:ffffea00043b3e80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10ecfa
flags: 0x4000000000000000()
raw: 4000000000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100cc0(GFP_USER), pid 6614, ts 260369818412, free_ts 261024975523
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page+0x179/0x180 mm/page_alloc.c:2462
 get_page_from_freelist+0x2235/0x23d0 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x268/0x5f0 mm/page_alloc.c:5357
 __alloc_pages include/linux/gfp.h:544 [inline]
 __alloc_pages_node include/linux/gfp.h:557 [inline]
 alloc_pages_node include/linux/gfp.h:571 [inline]
 alloc_pages include/linux/gfp.h:590 [inline]
 __get_free_pages+0xe/0x30 mm/page_alloc.c:5400
 kasan_populate_vmalloc_pte+0x29/0x120 mm/kasan/shadow.c:266
 apply_to_pte_range mm/memory.c:2504 [inline]
 apply_to_pmd_range mm/memory.c:2540 [inline]
 apply_to_pud_range mm/memory.c:2568 [inline]
 apply_to_p4d_range mm/memory.c:2596 [inline]
 __apply_to_page_range+0x74e/0x9e0 mm/memory.c:2623
 apply_to_page_range+0x3b/0x50 mm/memory.c:2641
 kasan_populate_vmalloc+0x60/0x70 mm/kasan/shadow.c:297
 alloc_vmap_area+0x1734/0x1870 mm/vmalloc.c:1238
 __get_vm_area_node+0x147/0x450 mm/vmalloc.c:2093
 __vmalloc_node_range+0xe0/0x780 mm/vmalloc.c:2592
 __vmalloc_node mm/vmalloc.c:2683 [inline]
 vzalloc+0x78/0x90 mm/vmalloc.c:2736
 xt_counters_alloc+0x44/0x50 net/netfilter/x_tables.c:1344
 __do_replace+0xae/0xac0 net/ipv4/netfilter/arp_tables.c:893
 do_replace net/ipv4/netfilter/arp_tables.c:988 [inline]
 do_arpt_set_ctl+0xa20/0xee0 net/ipv4/netfilter/arp_tables.c:1428
 nf_setsockopt+0x272/0x2a0 net/netfilter/nf_sockopt.c:101
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1349 [inline]
 free_pcp_prepare mm/page_alloc.c:1421 [inline]
 free_unref_page_prepare+0x2b7/0x2d0 mm/page_alloc.c:3336
 free_unref_page mm/page_alloc.c:3391 [inline]
 free_the_page mm/page_alloc.c:5416 [inline]
 __free_pages+0x14b/0x380 mm/page_alloc.c:5427
 free_pages+0x82/0x90 mm/page_alloc.c:5438
 kasan_depopulate_vmalloc_pte+0x6b/0x90 mm/kasan/shadow.c:354
 apply_to_pte_range mm/memory.c:2504 [inline]
 apply_to_pmd_range mm/memory.c:2540 [inline]
 apply_to_pud_range mm/memory.c:2568 [inline]
 apply_to_p4d_range mm/memory.c:2596 [inline]
 __apply_to_page_range+0x74e/0x9e0 mm/memory.c:2623
 apply_to_existing_page_range+0x38/0x50 mm/memory.c:2874
 kasan_release_vmalloc+0x97/0xb0 mm/kasan/shadow.c:464
 __purge_vmap_area_lazy+0x133b/0x1470 mm/vmalloc.c:1376
 try_purge_vmap_area_lazy+0x38/0x50 mm/vmalloc.c:1395
 free_vmap_area_noflush+0x269/0x290 mm/vmalloc.c:1431
 free_unmap_vmap_area mm/vmalloc.c:1444 [inline]
 remove_vm_area+0x1bf/0x1e0 mm/vmalloc.c:2199
 vm_remove_mappings mm/vmalloc.c:2226 [inline]
 __vunmap+0x267/0x9d0 mm/vmalloc.c:2292
 __vfree mm/vmalloc.c:2350 [inline]
 vfree+0x61/0x90 mm/vmalloc.c:2381
 __do_replace+0x92f/0xac0 net/ipv4/netfilter/arp_tables.c:-1
 do_replace net/ipv4/netfilter/arp_tables.c:988 [inline]
 do_arpt_set_ctl+0xa20/0xee0 net/ipv4/netfilter/arp_tables.c:1428
 nf_setsockopt+0x272/0x2a0 net/netfilter/nf_sockopt.c:101

Memory state around the buggy address:
 ffff88810ecfa300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88810ecfa380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88810ecfa400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                             ^
 ffff88810ecfa480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88810ecfa500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================