==================================================================
BUG: KFENCE: use-after-free read in task_work_run+0x4c/0x80 kernel/task_work.c:178

Use-after-free read at 0xffff888236e9cf00 (in kfence-#77):
 task_work_run+0x4c/0x80 kernel/task_work.c:178
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x365/0xb80 kernel/exit.c:820
 do_group_exit+0x32/0xa0 kernel/exit.c:950
 get_signal+0x8d6/0x910 kernel/signal.c:2858
 arch_do_signal_or_restart+0x43/0x720 arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
 exit_to_user_mode_prepare+0xc3/0x180 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x17/0x40 kernel/entry/common.c:296
 ret_from_fork+0x15/0x30 arch/x86/entry/entry_64.S:299

kfence-#77: 0xffff888236e9caa8-0xffff888236e9cfff, size=1368, cache=perf_event

allocated by task 10801 on cpu 1 at 184.032531s:
 perf_event_alloc+0x5b/0xf40 kernel/events/core.c:11662
 inherit_event.constprop.0+0x46/0x260 kernel/events/core.c:13131
 inherit_group kernel/events/core.c:13236 [inline]
 inherit_task_group.isra.0+0x61/0x140 kernel/events/core.c:13301
 perf_event_init_context kernel/events/core.c:13370 [inline]
 perf_event_init_task+0x1df/0x340 kernel/events/core.c:13423
 copy_process+0x996/0x1b40 kernel/fork.c:2227
 kernel_clone+0xaa/0x460 kernel/fork.c:2671
 __do_sys_clone+0x6c/0x90 kernel/fork.c:2812
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x64/0xce

freed by task 19 on cpu 1 at 184.322723s:
 rcu_do_batch kernel/rcu/tree.c:2250 [inline]
 rcu_core+0x2fa/0x730 kernel/rcu/tree.c:2510
 __do_softirq+0x122/0x3ae kernel/softirq.c:571
 run_ksoftirqd kernel/softirq.c:934 [inline]
 run_ksoftirqd+0x25/0x30 kernel/softirq.c:926
 smpboot_thread_fn+0x175/0x220 kernel/smpboot.c:164
 kthread+0xd2/0xf0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

CPU: 1 PID: 10802 Comm: syz-executor.0 Not tainted 6.1.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:task_work_run+0x4c/0x80 kernel/task_work.c:178
Code: f0 48 0f b1 95 48 08 00 00 75 48 48 85 db 74 3e 4c 8d a5 e0 08 00 00 4c 89 e7 e8 5f 9c a2 00 4c 89 e7 e8 77 9e a2 00 48 89 d8 <48> 8b 1b 48 89 c7 ff 50 08 e8 36 2a a2 00 48 85 db 75 ea eb b0 f6
RSP: 0018:ffffc90005147d50 EFLAGS: 00010286
RAX: ffff888236e9cf00 RBX: ffff888236e9cf00 RCX: 0000000000000094
RDX: 0000000080000000 RSI: ffffffff8228f5bc RDI: ffffffff822a5605
RBP: ffff888104bb8000 R08: 0000000000000000 R09: 0000000000000001
R10: ffff888105ae1910 R11: dead000000000100 R12: ffff888104bb88e0
R13: ffff888100fbab01 R14: ffff88810572e8e8 R15: ffff888104bb88a0
FS: 0000000000000000(0000) GS:ffff888237d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888236e9cf00 CR3: 0000000103394000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x365/0xb80 kernel/exit.c:820
 do_group_exit+0x32/0xa0 kernel/exit.c:950
 get_signal+0x8d6/0x910 kernel/signal.c:2858
 arch_do_signal_or_restart+0x43/0x720 arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
 exit_to_user_mode_prepare+0xc3/0x180 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x17/0x40 kernel/entry/common.c:296
 ret_from_fork+0x15/0x30 arch/x86/entry/entry_64.S:299
RIP: 0033:0x7f02e6039ce9
Code: Unable to access opcode bytes at 0x7f02e6039cbf.
RSP: 002b:00007f02e5bbc078 EFLAGS: 00000206 ORIG_RAX: 0000000000000038
RAX: 0000000000000000 RBX: 00007f02e6158f80 RCX: 00007f02e6039ce9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000200
RBP: 00007f02e608647a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000006 R14: 00007f02e6158f80 R15: 00007ffcf503bf38
==================================================================
----------------
Code disassembly (best guess):
   0: f0 48 0f b1 95 48 08 lock cmpxchg %rdx,0x848(%rbp)
   7: 00 00
   9: 75 48 jne 0x53
   b: 48 85 db test %rbx,%rbx
   e: 74 3e je 0x4e
  10: 4c 8d a5 e0 08 00 00 lea 0x8e0(%rbp),%r12
  17: 4c 89 e7 mov %r12,%rdi
  1a: e8 5f 9c a2 00 call 0xa29c7e
  1f: 4c 89 e7 mov %r12,%rdi
  22: e8 77 9e a2 00 call 0xa29e9e
  27: 48 89 d8 mov %rbx,%rax
* 2a: 48 8b 1b mov (%rbx),%rbx <-- trapping instruction
  2d: 48 89 c7 mov %rax,%rdi
  30: ff 50 08 call *0x8(%rax)
  33: e8 36 2a a2 00 call 0xa22a6e
  38: 48 85 db test %rbx,%rbx
  3b: 75 ea jne 0x27
  3d: eb b0 jmp 0xffffffef
  3f: f6 .byte 0xf6