ci starts bisection 2022-07-19 12:41:53.809868111 +0000 UTC m=+1985.910489085
bisecting cause commit starting from cb71b93c2dc36d18a8b05245973328d018272cdf
building syzkaller on ff988920cbabff061e582d566b7f9b99bb9e7d1f
testing commit cb71b93c2dc36d18a8b05245973328d018272cdf
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: beaa9ffdb253c51c245de5ecc9d2f1004c2f11073509da23272dffc0c86fb36e
all runs: crashed: KASAN: invalid-free in free_prealloced_shrinker
testing release v5.18
testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7bc17927562530ccf3e374297d34a252d4a36d1b4c013d05b1a18530811f4211
all runs: OK
# git bisect start cb71b93c2dc36d18a8b05245973328d018272cdf 4b0986a3613c92f4ec1bdc7f60ec66fea135991f
Bisecting: 10621 revisions left to test after this (roughly 13 steps)
[9d004b2f4fea97cde123e7f1939b80e77bf2e695] Merge tag 'cxl-for-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl

testing commit 9d004b2f4fea97cde123e7f1939b80e77bf2e695
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d4686192917d47093351ee0441faf4b895958b2de3257074c1c9cd417b87d3ab
all runs: OK
# git bisect good 9d004b2f4fea97cde123e7f1939b80e77bf2e695
Bisecting: 5301 revisions left to test after this (roughly 12 steps)
[b4c48ce837dc0122ed62b423c334b620cf8ff81b] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux.git

testing commit b4c48ce837dc0122ed62b423c334b620cf8ff81b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d529e5a64e501d09fc6af8bf8d87c90d23e6915a06d802e28f98fe0d2973d181
all runs: OK
# git bisect good b4c48ce837dc0122ed62b423c334b620cf8ff81b
Bisecting: 2582 revisions left to test after this (roughly 11 steps)
[c2e609e496f8195af2b789511f24a00546bb976e] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git

testing commit c2e609e496f8195af2b789511f24a00546bb976e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 89347c3ac18aa6d744344afb029de7bb451aa78bc86ff92f3107df1f2ff87684
all runs: OK
# git bisect good c2e609e496f8195af2b789511f24a00546bb976e
Bisecting: 1245 revisions left to test after this (roughly 10 steps)
[f38c55f14bf7f4b2abc621e53d4f2ec05693b8d9] Merge branch 'tty-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git

testing commit f38c55f14bf7f4b2abc621e53d4f2ec05693b8d9
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 82bee8472c5336dd2ff15c6fa31fb1e81b7c045054512a36553e8eceff007086
all runs: OK
# git bisect good f38c55f14bf7f4b2abc621e53d4f2ec05693b8d9
Bisecting: 621 revisions left to test after this (roughly 9 steps)
[f0b534a439397a673ea84327da9a89b557417d20] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl.git

testing commit f0b534a439397a673ea84327da9a89b557417d20
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: afe677804064edf74a0fb8964f96f8ced729c52bd1c91eb9948b2aab9b4d2c1d
all runs: OK
# git bisect good f0b534a439397a673ea84327da9a89b557417d20
Bisecting: 307 revisions left to test after this (roughly 8 steps)
[ee8804b7b3e6c5f45ddeafa3273f673bd4524110] Merge branch 'mm-stable' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

testing commit ee8804b7b3e6c5f45ddeafa3273f673bd4524110
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c229ea860b74334c7f23062653c7189633ccdbf83c729bea98afed919799a228
all runs: OK
# git bisect good ee8804b7b3e6c5f45ddeafa3273f673bd4524110
Bisecting: 153 revisions left to test after this (roughly 7 steps)
[e6369794355535a6ede873c3633dfc91bf1932b9] mm/damon/schemes: add 'LRU_PRIO' DAMOS action

testing commit e6369794355535a6ede873c3633dfc91bf1932b9
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 797a6566ea34045ea120958ff3efb021e3883df1af86f6c0ba6ad847c227f68d
all runs: crashed: KASAN: invalid-free in free_prealloced_shrinker
# git bisect bad e6369794355535a6ede873c3633dfc91bf1932b9
Bisecting: 76 revisions left to test after this (roughly 6 steps)
[e23cb70bcbef5c189790042d1d6d89e33308c386] mm: remove the vma linked list

testing commit e23cb70bcbef5c189790042d1d6d89e33308c386
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 05ac7f160e113686705fce1f91137883507b0b3d4b30338f95848a29faded8f5
all runs: OK
# git bisect good e23cb70bcbef5c189790042d1d6d89e33308c386
Bisecting: 38 revisions left to test after this (roughly 5 steps)
[4288dc18c528527cf6831cf5bbfbc049865d2684] tools: add memcg_shrinker.py

testing commit 4288dc18c528527cf6831cf5bbfbc049865d2684
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e4a4ec46b394d1da191d7df6d1c98985e9477e23078cc9a28b8479ca7cc9ea66
all runs: crashed: KASAN: invalid-free in free_prealloced_shrinker
# git bisect bad 4288dc18c528527cf6831cf5bbfbc049865d2684
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[d77caf9f77627bd9914cda314cb8b4f24e047310] tools: add hmm gup tests for device coherent type

testing commit d77caf9f77627bd9914cda314cb8b4f24e047310
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: fe48c52df336b8c3b4beba1c71b2f59853ebe87c85e22c3148131849f2a1ee43
all runs: OK
# git bisect good d77caf9f77627bd9914cda314cb8b4f24e047310
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[1b11f6a82f0fcb42408a940245e47ae2a66a6bfe] mm: introduce clear_highpage_kasan_tagged

testing commit 1b11f6a82f0fcb42408a940245e47ae2a66a6bfe
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2c7f9b4d577a6363cfed27ffd4470d0449165379d0d60ee90a58bf77dba381c6
all runs: OK
# git bisect good 1b11f6a82f0fcb42408a940245e47ae2a66a6bfe
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[2f8077984564d94011d5e5f4d6c3e516f0f73f90] mm: memcontrol: introduce mem_cgroup_ino() and mem_cgroup_get_from_ino()

testing commit 2f8077984564d94011d5e5f4d6c3e516f0f73f90
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b7f4317d01f4689abc32763fb5dcb85b8b6c81267a99b2296c90de5a93ba03f5
all runs: OK
# git bisect good 2f8077984564d94011d5e5f4d6c3e516f0f73f90
Bisecting: 2 revisions left to test after this (roughly 1 step)
[2b42671ce78610029f683a1257fcbc2139a44883] mm-shrinkers-introduce-debugfs-interface-for-memory-shrinkers-fix

testing commit 2b42671ce78610029f683a1257fcbc2139a44883
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1d152fd4e3cff944625b21c45e0e61a3bfb98ffc1972d22582f1b60db08d60cc
all runs: OK
# git bisect good 2b42671ce78610029f683a1257fcbc2139a44883
Bisecting: 0 revisions left to test after this (roughly 1 step)
[f16e7e450d297b411353cfd17c1d74992a844a54] mm: docs: document shrinker debugfs

testing commit f16e7e450d297b411353cfd17c1d74992a844a54
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 635763faf697995256611f1f647ed43a690c28d57a9d742ba95c789a22ddec2b
all runs: crashed: KASAN: invalid-free in free_prealloced_shrinker
# git bisect bad f16e7e450d297b411353cfd17c1d74992a844a54
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[bec0918551a79c3c6b63a493a80e35e8b402804f] mm: shrinkers: provide shrinkers with names

testing commit bec0918551a79c3c6b63a493a80e35e8b402804f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c6ce63adb908188cdef7ac8cfab901fd09b4eff771345920a7e0a0631fb7646a
all runs: crashed: KASAN: invalid-free in free_prealloced_shrinker
# git bisect bad bec0918551a79c3c6b63a493a80e35e8b402804f
bec0918551a79c3c6b63a493a80e35e8b402804f is the first bad commit
commit bec0918551a79c3c6b63a493a80e35e8b402804f
Author: Roman Gushchin <roman.gushchin@linux.dev>
Date:   Tue May 31 20:22:24 2022 -0700

    mm: shrinkers: provide shrinkers with names
    
    Currently shrinkers are anonymous objects.  For debugging purposes they
    can be identified by count/scan function names, but it's not always
    useful: e.g.  for superblock's shrinkers it's nice to have at least an
    idea of to which superblock the shrinker belongs.
    
    This commit adds names to shrinkers.  register_shrinker() and
    prealloc_shrinker() functions are extended to take a format and arguments
    to master a name.
    
    In some cases it's not possible to determine a good name at the time when
    a shrinker is allocated.  For such cases shrinker_debugfs_rename() is
    provided.
    
    The expected format is:
        <subsystem>-<shrinker_type>[:<instance>]-<id>
    For some shrinkers an instance can be encoded as (MAJOR:MINOR) pair.
    
    After this change the shrinker debugfs directory looks like:
      $ cd /sys/kernel/debug/shrinker/
      $ ls
        dquota-cache-16     sb-devpts-28     sb-proc-47       sb-tmpfs-42
        mm-shadow-18        sb-devtmpfs-5    sb-proc-48       sb-tmpfs-43
        mm-zspool:zram0-34  sb-hugetlbfs-17  sb-pstore-31     sb-tmpfs-44
        rcu-kfree-0         sb-hugetlbfs-33  sb-rootfs-2      sb-tmpfs-49
        sb-aio-20           sb-iomem-12      sb-securityfs-6  sb-tracefs-13
        sb-anon_inodefs-15  sb-mqueue-21     sb-selinuxfs-22  sb-xfs:vda1-36
        sb-bdev-3           sb-nsfs-4        sb-sockfs-8      sb-zsmalloc-19
        sb-bpf-32           sb-pipefs-14     sb-sysfs-26      thp-deferred_split-10
        sb-btrfs:vda2-24    sb-proc-25       sb-tmpfs-1       thp-zero-9
        sb-cgroup2-30       sb-proc-39       sb-tmpfs-27      xfs-buf:vda1-37
        sb-configfs-23      sb-proc-41       sb-tmpfs-29      xfs-inodegc:vda1-38
        sb-dax-11           sb-proc-45       sb-tmpfs-35
        sb-debugfs-7        sb-proc-46       sb-tmpfs-40
    
    Link: https://lkml.kernel.org/r/20220601032227.4076670-4-roman.gushchin@linux.dev
    Signed-off-by: Roman Gushchin <roman.gushchin@linux.dev>
    Cc: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Cc: Dave Chinner <dchinner@redhat.com>
    Cc: Hillf Danton <hdanton@sina.com>
    Cc: Kent Overstreet <kent.overstreet@gmail.com>
    Cc: Muchun Song <songmuchun@bytedance.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

 arch/x86/kvm/mmu/mmu.c                           |  2 +-
 drivers/android/binder_alloc.c                   |  2 +-
 drivers/gpu/drm/i915/gem/i915_gem_shrinker.c     |  3 +-
 drivers/gpu/drm/msm/msm_gem_shrinker.c           |  2 +-
 drivers/gpu/drm/panfrost/panfrost_gem_shrinker.c |  2 +-
 drivers/gpu/drm/ttm/ttm_pool.c                   |  2 +-
 drivers/md/bcache/btree.c                        |  2 +-
 drivers/md/dm-bufio.c                            |  3 +-
 drivers/md/dm-zoned-metadata.c                   |  4 +-
 drivers/md/raid5.c                               |  2 +-
 drivers/misc/vmw_balloon.c                       |  2 +-
 drivers/virtio/virtio_balloon.c                  |  2 +-
 drivers/xen/xenbus/xenbus_probe_backend.c        |  2 +-
 fs/btrfs/super.c                                 |  2 +
 fs/erofs/utils.c                                 |  2 +-
 fs/ext4/extents_status.c                         |  3 +-
 fs/f2fs/super.c                                  |  2 +-
 fs/gfs2/glock.c                                  |  2 +-
 fs/gfs2/main.c                                   |  2 +-
 fs/jbd2/journal.c                                |  3 +-
 fs/mbcache.c                                     |  2 +-
 fs/nfs/nfs42xattr.c                              |  7 +--
 fs/nfs/super.c                                   |  2 +-
 fs/nfsd/filecache.c                              |  2 +-
 fs/nfsd/nfscache.c                               |  3 +-
 fs/quota/dquot.c                                 |  2 +-
 fs/super.c                                       |  6 ++-
 fs/ubifs/super.c                                 |  2 +-
 fs/xfs/xfs_buf.c                                 |  3 +-
 fs/xfs/xfs_icache.c                              |  2 +-
 fs/xfs/xfs_qm.c                                  |  3 +-
 include/linux/shrinker.h                         | 12 ++++-
 kernel/rcu/tree.c                                |  2 +-
 mm/huge_memory.c                                 |  4 +-
 mm/shrinker_debug.c                              | 47 ++++++++++++++++++-
 mm/vmscan.c                                      | 58 ++++++++++++++++++++++--
 mm/workingset.c                                  |  2 +-
 mm/zsmalloc.c                                    |  3 +-
 net/sunrpc/auth.c                                |  2 +-
 39 files changed, 165 insertions(+), 45 deletions(-)

culprit signature: c6ce63adb908188cdef7ac8cfab901fd09b4eff771345920a7e0a0631fb7646a
parent  signature: 1d152fd4e3cff944625b21c45e0e61a3bfb98ffc1972d22582f1b60db08d60cc
revisions tested: 17, total time: 4h31m45.04365646s (build: 1h59m27.148763724s, test: 2h30m11.642662356s)
first bad commit: bec0918551a79c3c6b63a493a80e35e8b402804f mm: shrinkers: provide shrinkers with names
recipients (to): ["adilger.kernel@dilger.ca" "agruenba@redhat.com" "airlied@linux.ie" "akpm@linux-foundation.org" "akpm@linux-foundation.org" "anna@kernel.org" "anton@enomsg.org" "arnd@arndb.de" "arve@android.com" "boris.ostrovsky@oracle.com" "brauner@kernel.org" "ccross@android.com" "chao@kernel.org" "christian.koenig@amd.com" "chuck.lever@oracle.com" "clm@fb.com" "cluster-devel@redhat.com" "daniel@ffwll.ch" "davem@davemloft.net" "david@redhat.com" "djwong@kernel.org" "dri-devel@lists.freedesktop.org" "dsterba@suse.com" "edumazet@google.com" "freedreno@lists.freedesktop.org" "gregkh@linuxfoundation.org" "hridya@google.com" "intel-gfx@lists.freedesktop.org" "jaegeuk@kernel.org" "jani.nikula@linux.intel.com" "jasowang@redhat.com" "jgross@suse.com" "joel@joelfernandes.org" "joonas.lahtinen@linux.intel.com" "josef@toxicpanda.com" "keescook@chromium.org" "kuba@kernel.org" "linux-arm-msm@vger.kernel.org" "linux-btrfs@vger.kernel.org" "linux-erofs@lists.ozlabs.org" "linux-ext4@vger.kernel.org" "linux-f2fs-devel@lists.sourceforge.net" "linux-mm@kvack.org" "linux-nfs@vger.kernel.org" "linux-xfs@vger.kernel.org" "maco@android.com" "minchan@kernel.org" "mst@redhat.com" "namit@vmware.com" "netdev@vger.kernel.org" "ngupta@vflare.org" "pabeni@redhat.com" "ray.huang@amd.com" "robdclark@gmail.com" "robh@kernel.org" "rodrigo.vivi@intel.com" "roman.gushchin@linux.dev" "rpeterso@redhat.com" "sean@poorly.run" "surenb@google.com" "tkjos@android.com" "tomeu.vizoso@collabora.com" "tony.luck@intel.com" "trond.myklebust@hammerspace.com" "tvrtko.ursulin@linux.intel.com" "tytso@mit.edu" "virtualization@lists.linux-foundation.org" "xen-devel@lists.xenproject.org" "xiang@kernel.org"]
recipients (cc): ["agk@redhat.com" "alyssa.rosenzweig@collabora.com" "andrii@kernel.org" "ast@kernel.org" "bp@alien8.de" "bpf@vger.kernel.org" "ckoenig.leichtzumerken@gmail.com" "colyli@suse.de" "daniel@iogearbox.net" "dave.hansen@linux.intel.com" "dm-devel@redhat.com" "frederic@kernel.org" "hpa@zytor.com" "jack@suse.com" "jiangshanlai@gmail.com" "jmattson@google.com" "john.fastabend@gmail.com" "joro@8bytes.org" "josh@joshtriplett.org" "kafai@fb.com" "kent.overstreet@gmail.com" "kpsingh@kernel.org" "kvm@vger.kernel.org" "linux-bcache@vger.kernel.org" "linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "linux-mtd@lists.infradead.org" "linux-raid@vger.kernel.org" "maarten.lankhorst@linux.intel.com" "mathieu.desnoyers@efficios.com" "matthew.auld@intel.com" "matthew.d.roper@intel.com" "mingo@redhat.com" "paulmck@kernel.org" "pbonzini@redhat.com" "pv-drivers@vmware.com" "quic_abhinavk@quicinc.com" "quic_neeraju@quicinc.com" "rcu@vger.kernel.org" "richard@nod.at" "rostedt@goodmis.org" "seanjc@google.com" "senozhatsky@chromium.org" "snitzer@kernel.org" "song@kernel.org" "sstabellini@kernel.org" "steven.price@arm.com" "tglx@linutronix.de" "thomas.hellstrom@linux.intel.com" "viro@zeniv.linux.org.uk" "vkuznets@redhat.com" "wanpengli@tencent.com" "x86@kernel.org" "yhs@fb.com"]
crash: KASAN: invalid-free in free_prealloced_shrinker
==================================================================
BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3536 [inline]
BUG: KASAN: double-free or invalid-free in kfree+0xd6/0x4d0 mm/slub.c:4584

CPU: 0 PID: 11656 Comm: syz-executor.2 Not tainted 5.19.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report_invalid_free.cold+0x71/0x16d mm/kasan/report.c:458
 ____kasan_slab_free+0x186/0x1a0 mm/kasan/common.c:346
 kasan_slab_free include/linux/kasan.h:200 [inline]
 slab_free_hook mm/slub.c:1754 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1780
 slab_free mm/slub.c:3536 [inline]
 kfree+0xd6/0x4d0 mm/slub.c:4584
 free_prealloced_shrinker+0x2d/0x130 mm/vmscan.c:663
 destroy_unused_super.part.0+0xc2/0x120 fs/super.c:185
 destroy_unused_super fs/super.c:278 [inline]
 alloc_super+0x839/0xa10 fs/super.c:277
 sget_fc+0x10e/0x700 fs/super.c:530
 vfs_get_super fs/super.c:1134 [inline]
 get_tree_nodev+0x20/0x1b0 fs/super.c:1169
 vfs_get_tree+0x7f/0x2c0 fs/super.c:1501
 do_new_mount fs/namespace.c:3040 [inline]
 path_mount+0x7e8/0x1a40 fs/namespace.c:3370
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __x64_sys_mount+0x1f5/0x260 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f13a5e89199
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f13a7038168 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f13a5f9bf60 RCX: 00007f13a5e89199
RDX: 00000000200000c0 RSI: 0000000020000080 RDI: 0000000000000000
RBP: 00007f13a70381d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 00007ffc5805a0bf R14: 00007f13a7038300 R15: 0000000000022000
 </TASK>

Allocated by task 3989:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
 kmalloc include/linux/slab.h:600 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 apparmor_sk_alloc_security+0x69/0xf0 security/apparmor/lsm.c:812
 security_sk_alloc+0x44/0x80 security/security.c:2273
 sk_prot_alloc+0x178/0x200 net/core/sock.c:1978
 sk_alloc+0x30/0x600 net/core/sock.c:2028
 inet_create net/ipv4/af_inet.c:319 [inline]
 inet_create+0x2a4/0xd60 net/ipv4/af_inet.c:245
 __sock_create+0x23e/0x590 net/socket.c:1515
 sock_create net/socket.c:1566 [inline]
 __sys_socket_create net/socket.c:1603 [inline]
 __sys_socket_create net/socket.c:1588 [inline]
 __sys_socket+0x10f/0x1c0 net/socket.c:1636
 __do_sys_socket net/socket.c:1649 [inline]
 __se_sys_socket net/socket.c:1647 [inline]
 __x64_sys_socket+0x6a/0xb0 net/socket.c:1647
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 11656:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0x166/0x1a0 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:200 [inline]
 slab_free_hook mm/slub.c:1754 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1780
 slab_free mm/slub.c:3536 [inline]
 kfree+0xd6/0x4d0 mm/slub.c:4584
 prealloc_shrinker+0x14a/0x180 mm/vmscan.c:649
 alloc_super+0x7e4/0xa10 fs/super.c:268
 sget_fc+0x10e/0x700 fs/super.c:530
 vfs_get_super fs/super.c:1134 [inline]
 get_tree_nodev+0x20/0x1b0 fs/super.c:1169
 vfs_get_tree+0x7f/0x2c0 fs/super.c:1501
 do_new_mount fs/namespace.c:3040 [inline]
 path_mount+0x7e8/0x1a40 fs/namespace.c:3370
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __x64_sys_mount+0x1f5/0x260 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

The buggy address belongs to the object at ffff88801c2d8ac0
 which belongs to the cache kmalloc-16 of size 16
The buggy address is located 0 bytes inside of
 16-byte region [ffff88801c2d8ac0, ffff88801c2d8ad0)

The buggy address belongs to the physical page:
page:ffffea000070b600 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801c2d8ee0 pfn:0x1c2d8
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 0000000000000000 dead000000000001 ffff888010c413c0
raw: ffff88801c2d8ee0 000000008080007f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 3986, tgid 3986 (syz-executor.4), ts 75392567358, free_ts 75387516016
 prep_new_page mm/page_alloc.c:2452 [inline]
 get_page_from_freelist+0x19d2/0x3b30 mm/page_alloc.c:4194
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5411
 __alloc_pages_node include/linux/gfp.h:583 [inline]
 alloc_slab_page mm/slub.c:1826 [inline]
 allocate_slab+0x80/0x3c0 mm/slub.c:1969
 new_slab mm/slub.c:2029 [inline]
 ___slab_alloc+0x9bc/0xe10 mm/slub.c:3031
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3118
 slab_alloc_node mm/slub.c:3209 [inline]
 __kmalloc_node+0x2cb/0x390 mm/slub.c:4490
 xt_jumpstack_alloc net/netfilter/x_tables.c:1354 [inline]
 xt_replace_table+0x165/0x740 net/netfilter/x_tables.c:1393
 __do_replace+0x191/0x900 net/ipv6/netfilter/ip6_tables.c:1084
 do_replace net/ipv6/netfilter/ip6_tables.c:1157 [inline]
 do_ip6t_set_ctl+0x79d/0xc20 net/ipv6/netfilter/ip6_tables.c:1639
 nf_setsockopt+0x6a/0xc0 net/netfilter/nf_sockopt.c:101
 tcp_setsockopt+0x10d/0x1f80 net/ipv4/tcp.c:3675
 __sys_setsockopt+0x1fd/0x550 net/socket.c:2259
 __do_sys_setsockopt net/socket.c:2270 [inline]
 __se_sys_setsockopt net/socket.c:2267 [inline]
 __x64_sys_setsockopt+0xb5/0x150 net/socket.c:2267
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1367 [inline]
 free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1417
 free_unref_page_prepare mm/page_alloc.c:3339 [inline]
 free_unref_page+0x19/0x6a0 mm/page_alloc.c:3434
 __vunmap+0x66d/0xb40 mm/vmalloc.c:2658
 free_work+0x4b/0x70 mm/vmalloc.c:97
 process_one_work+0x865/0x13d0 kernel/workqueue.c:2289
 worker_thread+0x598/0xec0 kernel/workqueue.c:2436
 kthread+0x299/0x340 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302

Memory state around the buggy address:
 ffff88801c2d8980: fb fb fc fc fb fb fc fc fa fb fc fc fa fb fc fc
 ffff88801c2d8a00: fa fb fc fc fa fb fc fc fb fb fc fc fa fb fc fc
>ffff88801c2d8a80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
                                           ^
 ffff88801c2d8b00: fa fb fc fc fa fb fc fc fb fb fc fc fa fb fc fc
 ffff88801c2d8b80: fb fb fc fc 00 00 fc fc fb fb fc fc fa fb fc fc
==================================================================