ci starts bisection 2025-08-14 12:58:55.000076946 +0000 UTC m=+70.090742633
bisecting cause commit starting from 931e46dcbc7e6035a90e9c4a27a84b660e083f0a
building syzkaller on 22ec1469fe8c0ba256de07e8f97fa7b375b522bd
ensuring issue is reproducible on original commit 931e46dcbc7e6035a90e9c4a27a84b660e083f0a
testing commit 931e46dcbc7e6035a90e9c4a27a84b660e083f0a gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 0bc948ec58bf786c033cd4c9c6127089acbbab2ad7e887b29a449b94fa31a74d
all runs: crashed: KASAN: slab-use-after-free Read in mremap
representative crash: KASAN: slab-use-after-free Read in mremap, types: [KASAN-USE-AFTER-FREE-READ]
check whether we can drop unnecessary instrumentation
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 931e46dcbc7e6035a90e9c4a27a84b660e083f0a gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: af4f6efe56f6362893fc1f3e41ea3fc027a9d533318e84c441721c6509bdcb40
all runs: crashed: KASAN: slab-use-after-free Read in mremap
representative crash: KASAN: slab-use-after-free Read in mremap, types: [KASAN-USE-AFTER-FREE-READ]
the bug reproduces without the instrumentation
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
kconfig minimization: base=4099 full=8513 leaves diff=2193
split chunks (needed=false): <2193>
split chunk #0 of len 2193 into 5 parts
testing without sub-chunk 1/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 931e46dcbc7e6035a90e9c4a27a84b660e083f0a gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 36cf87405f61709872fbbc3cb93c64db12b374e71136c698afe40bdb9a140fab
all runs: crashed: KASAN: slab-use-after-free Read in mremap
representative crash: KASAN: slab-use-after-free Read in mremap, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 931e46dcbc7e6035a90e9c4a27a84b660e083f0a gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: a6a265641068353adc3975024d7eb63116dc3b549cfa5cfb367552e02cd931a5
all runs: crashed: KASAN: slab-use-after-free Read in mremap
representative crash: KASAN: slab-use-after-free Read in mremap, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 931e46dcbc7e6035a90e9c4a27a84b660e083f0a gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: dd99068e8a1e9cd9a0d63785222ec17bc4854275a3c22fe4224f574b54590e55
all runs: crashed: KASAN: slab-use-after-free Read in mremap
representative crash: KASAN: slab-use-after-free Read in mremap, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 931e46dcbc7e6035a90e9c4a27a84b660e083f0a gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 78b84b24316f4d65f3520c5f4d8af3b87ece911e90a2ebd0042fd7d4c1077bbd
all runs: crashed: KASAN: slab-use-after-free Read in mremap
representative crash: KASAN: slab-use-after-free Read in mremap, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 931e46dcbc7e6035a90e9c4a27a84b660e083f0a gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: e06ebd0bd70c9c52226dea42362c7b3cd056d44416c4cfa23c65b8b95fc066e3
all runs: crashed: KASAN: slab-use-after-free Read in mremap
representative crash: KASAN: slab-use-after-free Read in mremap, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed
picked [v6.16 v6.15 v6.14 v6.12 v6.10 v6.8 v6.6 v6.4 v6.1 v5.18 v5.15 v5.12 v5.9 v5.6 v5.3 v5.0 v4.19] out of 39 release tags
testing release v6.16
testing commit 038d61fd642278bab63ee8ef722c50d10ab01e8f gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 66bce38f3d5bfcab4772ebfe8d644dd6c9399b26d4475b2ef97b6e34451ea317
all runs: OK
false negative chance: 0.000
# git bisect start 931e46dcbc7e6035a90e9c4a27a84b660e083f0a 038d61fd642278bab63ee8ef722c50d10ab01e8f
Bisecting: 7640 revisions left to test after this (roughly 13 steps)
[63eb28bb1402891b1ad2be02a530f29a9dd7f1cd] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit 63eb28bb1402891b1ad2be02a530f29a9dd7f1cd gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 0c282dd854aaf5a365d59b00f3c2b8b027877cf517aecab9ad2ed673b1dd3ea8
all runs: OK
false negative chance: 0.000
# git bisect good 63eb28bb1402891b1ad2be02a530f29a9dd7f1cd
Bisecting: 3905 revisions left to test after this (roughly 12 steps)
[0905809b38bda1fa0b206986c44d846e46f13c1d] Merge tag 'parisc-for-6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux
testing commit 0905809b38bda1fa0b206986c44d846e46f13c1d gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 178903342c6f58bd31523e22a202108468701fc6d19d293252552af7bdbb816e
all runs: OK
false negative chance: 0.000
# git bisect good 0905809b38bda1fa0b206986c44d846e46f13c1d
Bisecting: 1915 revisions left to test after this (roughly 11 steps)
[9bb1d45fff61743c12665886b06990b88199da07] Merge branch 'for-next' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux.git
testing commit 9bb1d45fff61743c12665886b06990b88199da07 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 58dacf6c57f7e4a059214116f160ebac9cd40d81247fb141d8f1f0be46ef53be
all runs: crashed: KASAN: slab-use-after-free Read in mremap
representative crash: KASAN: slab-use-after-free Read in mremap, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad 9bb1d45fff61743c12665886b06990b88199da07
Bisecting: 994 revisions left to test after this (roughly 10 steps)
[e8214ed59b75fa794126686370a5e47cb7da5b12] Merge tag 'vfio-v6.17-rc1-v2' of https://github.com/awilliam/linux-vfio
testing commit e8214ed59b75fa794126686370a5e47cb7da5b12 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 962b580de8722f834004810ae49011dc85f1e29d6bdf8677982dd719f40d7781
all runs: OK
false negative chance: 0.000
# git bisect good e8214ed59b75fa794126686370a5e47cb7da5b12
Bisecting: 497 revisions left to test after this (roughly 9 steps)
[0a3335b5c1069c676ddfa4c0f1d56abbebfe3b6f] mm/mincore: use a helper for checking the swap cache
testing commit 0a3335b5c1069c676ddfa4c0f1d56abbebfe3b6f gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 434ed10ec9e6f4e781d484f2a74caf16294661c02b666b97bf27b0ad36161e95
all runs: crashed: KASAN: slab-use-after-free Read in mremap
representative crash: KASAN: slab-use-after-free Read in mremap, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad 0a3335b5c1069c676ddfa4c0f1d56abbebfe3b6f
Bisecting: 247 revisions left to test after this (roughly 8 steps)
[09aae3ecf8f10c60e2ba43ee97f4d6364d8dd2fe] Merge tag 'xtensa-20250808' of https://github.com/jcmvbkbc/linux-xtensa
testing commit 09aae3ecf8f10c60e2ba43ee97f4d6364d8dd2fe gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 2baca8ff492e6f8607dbf94530f4e86c7332f6b5cd2b2b3fc120430cad2c3075
all runs: OK
false negative chance: 0.000
# git bisect good 09aae3ecf8f10c60e2ba43ee97f4d6364d8dd2fe
Bisecting: 128 revisions left to test after this (roughly 7 steps)
[b96ddbc5c88791260ab202e835425dfddbdd60d9] Merge tag 'smp_urgent_for_v6.17_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit b96ddbc5c88791260ab202e835425dfddbdd60d9 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 13938ae0c2ab8737ea74cf4ee4f5bbd228952772e71a1034b006fc5c32bcc4fc
all runs: OK
false negative chance: 0.000
# git bisect good b96ddbc5c88791260ab202e835425dfddbdd60d9
Bisecting: 64 revisions left to test after this (roughly 6 steps)
[36ce755eb092edaa968039f3b0e1ba717a739d1e] mm/mremap: allow multi-VMA move when filesystem uses thp_get_unmapped_area
testing commit 36ce755eb092edaa968039f3b0e1ba717a739d1e gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 63ad08bda0d6acf1624a1755c93d29bf83a3d578fd3dcf4c1266960aef208a4f
all runs: OK
false negative chance: 0.000
# git bisect good 36ce755eb092edaa968039f3b0e1ba717a739d1e
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[8dcfc2521e0a4fa070525d7b9b90f48b38e755bd] mm, swap: prefer nonfull over free clusters
testing commit 8dcfc2521e0a4fa070525d7b9b90f48b38e755bd gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 4bf08ef32edef8d7c53731b5c5f349702f9e98bdb23db15d5b2b61d070fbcd23
all runs: crashed: KASAN: slab-use-after-free Read in mremap
representative crash: KASAN: slab-use-after-free Read in mremap, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad 8dcfc2521e0a4fa070525d7b9b90f48b38e755bd
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[8c33b3bfd95ee36ca78a0d0f83456b8857e98c15] selftest/mm: fix ksm_funtional_test failures
testing commit 8c33b3bfd95ee36ca78a0d0f83456b8857e98c15 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 2c5e3f8ffd22af0cd2714295bc2018b7db86690a9d8b77ff2d5726e68a0a07d8
all runs: crashed: KASAN: slab-use-after-free Read in mremap
representative crash: KASAN: slab-use-after-free Read in mremap, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad 8c33b3bfd95ee36ca78a0d0f83456b8857e98c15
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[c6532b661bce4cc1cdac9503bc77c6197f9f5307] mm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE
testing commit c6532b661bce4cc1cdac9503bc77c6197f9f5307 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: d773b6176e9572db7fb30968049b98a05264721433900cb0994d54d7a33ab968
all runs: crashed: KASAN: slab-use-after-free Read in mremap
representative crash: KASAN: slab-use-after-free Read in mremap, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad c6532b661bce4cc1cdac9503bc77c6197f9f5307
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[c4db92bc98522f9ad220b26bfff0458b29659dda] selftests/damon: fix selftests by installing drgn related script
testing commit c4db92bc98522f9ad220b26bfff0458b29659dda gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 99be00c50bae11a852ec4819bb9cc633b0fe8c9ecfb276eead41181c8cdc76ff
all runs: crashed: KASAN: slab-use-after-free Read in mremap
representative crash: KASAN: slab-use-after-free Read in mremap, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad c4db92bc98522f9ad220b26bfff0458b29659dda
Bisecting: 1 revision left to test after this (roughly 1 step)
[7b183cfe2459033e527dd0ff9f0470d60744c4bf] selftests/mm: add test for invalid multi VMA operations
testing commit 7b183cfe2459033e527dd0ff9f0470d60744c4bf gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 3db61c7b442c70ce7201117e679464fda998c6f1fbbd8cbd2f4289437b34dd75
all runs: crashed: KASAN: slab-use-after-free Read in mremap
representative crash: KASAN: slab-use-after-free Read in mremap, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad 7b183cfe2459033e527dd0ff9f0470d60744c4bf
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[d50dabff4d1f2c815b2faf184f5d6db40596e2cc] mm/mremap: catch invalid multi VMA moves earlier
testing commit d50dabff4d1f2c815b2faf184f5d6db40596e2cc gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 34f0294fa6a4f687faebe7668f07e8686278993e978964dbc50ea4bcf3eaa83a
all runs: crashed: KASAN: slab-use-after-free Read in mremap
representative crash: KASAN: slab-use-after-free Read in mremap, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad d50dabff4d1f2c815b2faf184f5d6db40596e2cc
d50dabff4d1f2c815b2faf184f5d6db40596e2cc is the first bad commit
commit d50dabff4d1f2c815b2faf184f5d6db40596e2cc
Author: Lorenzo Stoakes
Date:   Sun Aug 3 12:11:22 2025 +0100

    mm/mremap: catch invalid multi VMA moves earlier

    Previously, any attempt to solely move a VMA would require that the span
    specified reside within the span of that single VMA, with no gaps before
    or afterwards.

    After commit d23cb648e365 ("mm/mremap: permit mremap() move of multiple
    VMAs"), the multi VMA move permitted a gap to exist only after VMAs.

    This was done to provide maximum flexibility.

    However, we have consequently permitted this behaviour for the move of a
    single VMA including those not eligible for multi VMA move.

    The change introduced here means that we no longer permit non-eligible
    VMAs from being moved in this way.

    This is consistent, as it means all eligible VMA moves are treated the
    same, and all non-eligible moves are treated as they were before.

    This change does not break previous behaviour, which equally would have
    disallowed such a move (only in all cases).

    Link: https://lkml.kernel.org/r/2b5aad5681573be85b5b8fac61399af6fb6b68b6.1754218667.git.lorenzo.stoakes@oracle.com
    Signed-off-by: Lorenzo Stoakes
    Reviewed-by: Vlastimil Babka
    Cc: David Hildenbrand
    Cc: Jann Horn
    Cc: Liam Howlett
    Cc: Michal Hocko
    Cc: Mike Rapoport
    Cc: Suren Baghdasaryan
    Signed-off-by: Andrew Morton

 mm/mremap.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

accumulated error probability: 0.00
culprit signature: 34f0294fa6a4f687faebe7668f07e8686278993e978964dbc50ea4bcf3eaa83a
parent signature: 63ad08bda0d6acf1624a1755c93d29bf83a3d578fd3dcf4c1266960aef208a4f
revisions tested: 22, total time: 10h8m33.990928668s (build: 4h59m51.69876223s, test: 3h35m31.114509544s)
first bad commit: d50dabff4d1f2c815b2faf184f5d6db40596e2cc mm/mremap: catch invalid multi VMA moves earlier
recipients (to): ["akpm@linux-foundation.org" "lorenzo.stoakes@oracle.com" "vbabka@suse.cz"]
recipients (cc): []
crash: KASAN: slab-use-after-free Read in mremap
==================================================================
BUG: KASAN: slab-use-after-free in vma_multi_allowed mm/mremap.c:1623 [inline]
BUG: KASAN: slab-use-after-free in remap_move mm/mremap.c:1884 [inline]
BUG: KASAN: slab-use-after-free in do_mremap mm/mremap.c:1923 [inline]
BUG: KASAN: slab-use-after-free in __do_sys_mremap mm/mremap.c:1987 [inline]
BUG: KASAN: slab-use-after-free in __se_sys_mremap+0x838/0xda0 mm/mremap.c:1955
Read of size 8 at addr ffff8881270b62d8 by task syz.2.227/4777

CPU: 1 UID: 0 PID: 4777 Comm: syz.2.227 Not tainted 6.17.0-rc1-syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 dump_stack_lvl+0xf4/0x170 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 vma_multi_allowed mm/mremap.c:1623 [inline]
 remap_move mm/mremap.c:1884 [inline]
 do_mremap mm/mremap.c:1923 [inline]
 __do_sys_mremap mm/mremap.c:1987 [inline]
 __se_sys_mremap+0x838/0xda0 mm/mremap.c:1955
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3626e8ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3626cff038 EFLAGS: 00000246 ORIG_RAX: 0000000000000019
RAX: ffffffffffffffda RBX: 00007f36270b5fa0 RCX: 00007f3626e8ebe9
RDX: 0000000000002000 RSI: 0000000000002000 RDI: 0000200000041000
RBP: 00007f3626f11e19 R08: 00002000004c3000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f36270b6038 R14: 00007f36270b5fa0 R15: 00007ffedd290738

Allocated by task 1920:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:330 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:356
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4180 [inline]
 slab_alloc_node mm/slub.c:4229 [inline]
 kmem_cache_alloc_noprof+0x1b1/0x400 mm/slub.c:4236
 vm_area_dup+0x22/0x490 mm/vma_init.c:122
 dup_mmap+0x79a/0x15b0 mm/mmap.c:1780
 dup_mm kernel/fork.c:1485 [inline]
 copy_mm+0x119/0x400 kernel/fork.c:1537
 copy_process+0xffa/0x3080 kernel/fork.c:2175
 kernel_clone+0x176/0x680 kernel/fork.c:2605
 __do_sys_clone kernel/fork.c:2748 [inline]
 __se_sys_clone kernel/fork.c:2732 [inline]
 __x64_sys_clone+0x186/0x1e0 kernel/fork.c:2732
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 798:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2417 [inline]
 slab_free_after_rcu_debug+0x131/0x290 mm/slub.c:4730
 rcu_do_batch kernel/rcu/tree.c:2605 [inline]
 rcu_core+0xbdf/0x1570 kernel/rcu/tree.c:2861
 handle_softirqs+0x19d/0x500 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0x48/0x140 kernel/softirq.c:680
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0x92/0xb0 arch/x86/kernel/apic/apic.c:1050
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Last potentially related work creation:
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
 slab_free_hook mm/slub.c:2378 [inline]
 slab_free mm/slub.c:4680 [inline]
 kmem_cache_free+0x2b5/0x460 mm/slub.c:4782
 remove_vma mm/vma.c:468 [inline]
 vms_complete_munmap_vmas+0x390/0x680 mm/vma.c:1293
 do_vmi_align_munmap+0x307/0x350 mm/vma.c:1536
 do_vmi_munmap+0x192/0x210 mm/vma.c:1584
 do_munmap+0xdb/0x130 mm/mmap.c:1068
 mremap_to+0x2e7/0x7b0 mm/mremap.c:1372
 remap_move mm/mremap.c:1879 [inline]
 do_mremap mm/mremap.c:1923 [inline]
 __do_sys_mremap mm/mremap.c:1987 [inline]
 __se_sys_mremap+0x813/0xda0 mm/mremap.c:1955
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff8881270b6280
 which belongs to the cache vm_area_struct of size 256
The buggy address is located 88 bytes inside of
 freed 256-byte region [ffff8881270b6280, ffff8881270b6380)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1270b6
memcg:ffff8881272d3e81
flags: 0x200000000000000(node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000000 ffff888100ec3b40 ffffea000429f400 dead000000000002
raw: 0000000000000000 00000000000c000c 00000000f5000000 ffff8881272d3e81
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 3414, tgid 3414 (modprobe), ts 90326800439, free_ts 90279010524
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x168/0x1a0 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x2889/0x2a40 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x26b/0x460 mm/page_alloc.c:5148
 alloc_pages_mpol+0xcb/0x270 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:2487 [inline]
 allocate_slab+0x8a/0x320 mm/slub.c:2655
 new_slab mm/slub.c:2709 [inline]
 ___slab_alloc+0x9c6/0x10a0 mm/slub.c:3891
 __slab_alloc mm/slub.c:3981 [inline]
 __slab_alloc_node mm/slub.c:4056 [inline]
 slab_alloc_node mm/slub.c:4217 [inline]
 kmem_cache_alloc_noprof+0x26e/0x400 mm/slub.c:4236
 vm_area_alloc+0x1f/0x130 mm/vma_init.c:31
 __mmap_new_vma mm/vma.c:2461 [inline]
 __mmap_region mm/vma.c:2669 [inline]
 mmap_region+0xcf6/0x1b90 mm/vma.c:2739
 do_mmap+0x930/0xc30 mm/mmap.c:558
 vm_mmap_pgoff+0x1c0/0x370 mm/util.c:580
 ksys_mmap_pgoff+0x2be/0x3f0 mm/mmap.c:604
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 23 tgid 23 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0x9fc/0xb60 mm/page_alloc.c:2895
 pagetable_free include/linux/mm.h:2898 [inline]
 pagetable_dtor_free include/linux/mm.h:2996 [inline]
 __tlb_remove_table+0x1c3/0x2a0 include/asm-generic/tlb.h:220
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x6e/0xd0 mm/mmu_gather.c:290
 rcu_do_batch kernel/rcu/tree.c:2605 [inline]
 rcu_core+0xbdf/0x1570 kernel/rcu/tree.c:2861
 handle_softirqs+0x19d/0x500 kernel/softirq.c:579
 run_ksoftirqd+0x28/0x40 kernel/softirq.c:968
 smpboot_thread_fn+0x3f7/0x7d0 kernel/smpboot.c:160
 kthread+0x59b/0x690 kernel/kthread.c:463
 ret_from_fork+0x136/0x2d0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff8881270b6180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881270b6200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff8881270b6280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff8881270b6300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881270b6380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================