syzbot

==================================================================
BUG: KASAN: use-after-free in cleancache_fs_enabled_mapping include/linux/cleancache.h:56 [inline]
BUG: KASAN: use-after-free in cleancache_invalidate_page include/linux/cleancache.h:110 [inline]
BUG: KASAN: use-after-free in unaccount_page_cache_page+0x9e0/0xac0 mm/filemap.c:175
Read of size 4 at addr ffff88810f0d7470 by task syz.9.4668/18191

CPU: 0 PID: 18191 Comm: syz.9.4668 Tainted: G        W         syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x169/0x1d8 lib/dump_stack.c:118
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0xe2/0x130 mm/kasan/report.c:452
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 cleancache_fs_enabled_mapping include/linux/cleancache.h:56 [inline]
 cleancache_invalidate_page include/linux/cleancache.h:110 [inline]
 unaccount_page_cache_page+0x9e0/0xac0 mm/filemap.c:175
 __delete_from_page_cache+0xc4/0x460 mm/filemap.c:243
 __remove_mapping+0x562/0x690 mm/vmscan.c:985
 shrink_page_list+0x2109/0x4120 mm/vmscan.c:1498
 shrink_inactive_list+0x4f4/0xe80 mm/vmscan.c:2075
 shrink_list mm/vmscan.c:2294 [inline]
 shrink_lruvec+0x2246/0x2770 mm/vmscan.c:5473
 shrink_node_memcgs mm/vmscan.c:5660 [inline]
 shrink_node+0xf0c/0x2690 mm/vmscan.c:5690
 shrink_zones mm/vmscan.c:5896 [inline]
 do_try_to_free_pages+0x5db/0x1560 mm/vmscan.c:5954
 try_to_free_mem_cgroup_pages+0x233/0x5b0 mm/vmscan.c:6272
 try_charge+0x42b/0x14e0 mm/memcontrol.c:2745
 __mem_cgroup_charge+0x14c/0x6d0 mm/memcontrol.c:6871
 mem_cgroup_charge include/linux/memcontrol.h:458 [inline]
 shmem_add_to_page_cache+0x55e/0xe10 mm/shmem.c:703
 shmem_getpage_gfp+0x8e8/0x2110 mm/shmem.c:1956
 shmem_getpage mm/shmem.c:165 [inline]
 shmem_write_begin+0xce/0x1b0 mm/shmem.c:2501
 generic_perform_write+0x2be/0x510 mm/filemap.c:3509
 __generic_file_write_iter+0x24b/0x480 mm/filemap.c:3638
 generic_file_write_iter+0xa9/0x1d0 mm/filemap.c:3670
 __kernel_write+0x55a/0x910 fs/read_write.c:550
 dump_emit+0x240/0x360 fs/coredump.c:855
 dump_user_range+0x6a/0x1a0 fs/coredump.c:908
 elf_core_dump+0x278a/0x2bc0 fs/binfmt_elf.c:2290
 do_coredump+0x1ac9/0x27f0 fs/coredump.c:817
 get_signal+0xf23/0x12e0 kernel/signal.c:2779
 arch_do_signal_or_restart+0xbf/0x10f0 arch/x86/kernel/signal.c:805
 handle_signal_work kernel/entry/common.c:145 [inline]
 exit_to_user_mode_loop+0xa2/0xe0 kernel/entry/common.c:169
 exit_to_user_mode_prepare+0x76/0xa0 kernel/entry/common.c:199
 irqentry_exit_to_user_mode+0x9/0x10 kernel/entry/common.c:287
 irqentry_exit+0x12/0x60 kernel/entry/common.c:375
 exc_general_protection+0x1ca/0x250 arch/x86/kernel/traps.c:557
 asm_exc_general_protection+0x1e/0x30 arch/x86/include/asm/idtentry.h:565
RIP: 0033:0x7f5dd46426d1
Code: 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 48 3d 01 f0 ff ff 73 01 <c3> 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f
RSP: 002b:00002000000003c0 EFLAGS: 00010217
RAX: 0000000000000000 RBX: 00007f5dd4898fa0 RCX: 00007f5dd46426c9
RDX: 0000200000000140 RSI: 00002000000003c0 RDI: 0000000080202400
RBP: 00007f5dd46c4f91 R08: 0000200000000400 R09: 0000200000000400
R10: 0000200000000180 R11: 0000000000000206 R12: 0000000000000000
R13: 00007f5dd4899038 R14: 00007f5dd4898fa0 R15: 00007ffd915bd108

Allocated by task 15813:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:430 [inline]
 ____kasan_kmalloc mm/kasan/common.c:509 [inline]
 __kasan_kmalloc+0xda/0x110 mm/kasan/common.c:518
 kasan_kmalloc include/linux/kasan.h:254 [inline]
 __kmalloc+0x1a7/0x330 mm/slub.c:4038
 __kmalloc_node include/linux/slab.h:418 [inline]
 kmalloc_node include/linux/slab.h:575 [inline]
 kvmalloc_node+0x88/0x130 mm/util.c:612
 kvmalloc include/linux/mm.h:833 [inline]
 kvmalloc_array include/linux/mm.h:851 [inline]
 alloc_fdtable+0xea/0x2a0 fs/file.c:150
 dup_fd+0x792/0xa90 fs/file.c:360
 copy_files+0xc9/0x160 kernel/fork.c:1541
 copy_process+0x10d7/0x32c0 kernel/fork.c:2256
 kernel_clone+0x23f/0x940 kernel/fork.c:2650
 __do_sys_clone kernel/fork.c:2776 [inline]
 __se_sys_clone kernel/fork.c:2760 [inline]
 __x64_sys_clone+0x176/0x1d0 kernel/fork.c:2760
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Last potentially related work creation:
 kasan_save_stack+0x3a/0x60 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xd2/0x100 mm/kasan/generic.c:348
 kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:358
 __call_rcu kernel/rcu/tree.c:2980 [inline]
 call_rcu+0x10e/0x1050 kernel/rcu/tree.c:3054
 netlink_release+0x1288/0x1690 net/netlink/af_netlink.c:795
 __sock_release net/socket.c:597 [inline]
 sock_close+0xe0/0x270 net/socket.c:1286
 __fput+0x2fb/0x770 fs/file_table.c:281
 ____fput+0x15/0x20 fs/file_table.c:314
 task_work_run+0x127/0x190 kernel/task_work.c:189
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop+0xcb/0xe0 kernel/entry/common.c:172
 exit_to_user_mode_prepare+0x76/0xa0 kernel/entry/common.c:199
 syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:274
 do_syscall_64+0x3d/0x40 arch/x86/entry/common.c:56
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Second to last potentially related work creation:
 kasan_save_stack+0x3a/0x60 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xd2/0x100 mm/kasan/generic.c:348
 kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:358
 insert_work+0x52/0x310 kernel/workqueue.c:1352
 __queue_work+0x923/0xca0 kernel/workqueue.c:1518
 queue_work_on+0xd5/0x130 kernel/workqueue.c:1545
 queue_work include/linux/workqueue.h:515 [inline]
 schedule_work include/linux/workqueue.h:576 [inline]
 destroy_super_rcu+0xd1/0xe0 fs/super.c:172
 rcu_do_batch+0x4df/0xa80 kernel/rcu/tree.c:2494
 rcu_core+0x55f/0xd60 kernel/rcu/tree.c:2735
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2748
 __do_softirq+0x255/0x563 kernel/softirq.c:309

The buggy address belongs to the object at ffff88810f0d7000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1136 bytes inside of
 2048-byte region [ffff88810f0d7000, ffff88810f0d7800)
The buggy address belongs to the page:
page:ffffea00043c3400 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88810f0d1000 pfn:0x10f0d0
head:ffffea00043c3400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 ffffea000472c608 ffffea0004887408 ffff888100042d80
raw: ffff88810f0d1000 0000000000080001 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 815, ts 39260824204, free_ts 39258283509
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page+0x179/0x180 mm/page_alloc.c:2462
 get_page_from_freelist+0x2235/0x23d0 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x268/0x5f0 mm/page_alloc.c:5370
 alloc_slab_page mm/slub.c:-1 [inline]
 allocate_slab mm/slub.c:1813 [inline]
 new_slab+0x84/0x3f0 mm/slub.c:1874
 new_slab_objects mm/slub.c:2632 [inline]
 ___slab_alloc+0x2a6/0x450 mm/slub.c:2796
 __slab_alloc+0x63/0xa0 mm/slub.c:2836
 slab_alloc_node mm/slub.c:2918 [inline]
 slab_alloc mm/slub.c:2960 [inline]
 __kmalloc+0x201/0x330 mm/slub.c:4034
 kmalloc include/linux/slab.h:557 [inline]
 kzalloc include/linux/slab.h:664 [inline]
 __register_sysctl_table+0xeb/0x1250 fs/proc/proc_sysctl.c:1323
 register_net_sysctl+0x2c/0x40 net/sysctl_net.c:121
 __addrconf_sysctl_register+0x26e/0x3d0 net/ipv6/addrconf.c:7062
 addrconf_sysctl_register+0x147/0x1a0 net/ipv6/addrconf.c:7109
 ipv6_add_dev+0xbaf/0x10a0 net/ipv6/addrconf.c:450
 addrconf_notify+0x582/0xe90 net/ipv6/addrconf.c:3571
 notifier_call_chain kernel/notifier.c:83 [inline]
 raw_notifier_call_chain+0x90/0x100 kernel/notifier.c:410
 call_netdevice_notifiers_info net/core/dev.c:2054 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2066 [inline]
 call_netdevice_notifiers+0x111/0x190 net/core/dev.c:2080
 register_netdevice+0x1043/0x13c0 net/core/dev.c:10087
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1349 [inline]
 __free_pages_ok+0x7fc/0x820 mm/page_alloc.c:1629
 free_the_page mm/page_alloc.c:5431 [inline]
 __free_pages+0xdd/0x380 mm/page_alloc.c:5440
 __free_slab+0xcf/0x190 mm/slub.c:1899
 free_slab mm/slub.c:1914 [inline]
 discard_slab mm/slub.c:1920 [inline]
 unfreeze_partials+0x15f/0x190 mm/slub.c:2415
 put_cpu_partial+0xc1/0x180 mm/slub.c:2451
 __slab_free+0x2c9/0x3a0 mm/slub.c:3100
 do_slab_free mm/slub.c:3196 [inline]
 ___cache_free+0x111/0x130 mm/slub.c:3215
 qlink_free+0x50/0x90 mm/kasan/quarantine.c:157
 qlist_free_all+0x5f/0xb0 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x14a/0x160 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0x2f/0xf0 mm/kasan/common.c:440
 kasan_slab_alloc include/linux/kasan.h:244 [inline]
 slab_post_alloc_hook+0x5d/0x2f0 mm/slab.h:580
 slab_alloc_node mm/slub.c:2952 [inline]
 slab_alloc mm/slub.c:2960 [inline]
 kmem_cache_alloc_trace+0x160/0x2e0 mm/slub.c:2977
 kmalloc include/linux/slab.h:552 [inline]
 netdev_name_node_alloc net/core/dev.c:241 [inline]
 netdev_name_node_head_alloc net/core/dev.c:255 [inline]
 register_netdevice+0x22b/0x13c0 net/core/dev.c:9980
 veth_newlink+0x853/0xbb0 drivers/net/veth.c:1387
 __rtnl_newlink net/core/rtnetlink.c:3482 [inline]
 rtnl_newlink+0x11bd/0x1640 net/core/rtnetlink.c:3530

Memory state around the buggy address:
 ffff88810f0d7300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88810f0d7380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88810f0d7400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff88810f0d7480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88810f0d7500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syz.9.4668 invoked oom-killer: gfp_mask=0xcc0(GFP_KERNEL), order=0, oom_score_adj=0
CPU: 1 PID: 18191 Comm: syz.9.4668 Tainted: G    B   W         syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x169/0x1d8 lib/dump_stack.c:118
 dump_stack+0x15/0x1c lib/dump_stack.c:135
 dump_header+0xdd/0x650 mm/oom_kill.c:508
 oom_kill_process+0x1fa/0x2c0 mm/oom_kill.c:1038
 out_of_memory+0x94a/0xd70 mm/oom_kill.c:1181
 mem_cgroup_out_of_memory+0x260/0x310 mm/memcontrol.c:1736
 mem_cgroup_oom mm/memcontrol.c:1971 [inline]
 try_charge+0xf61/0x14e0 mm/memcontrol.c:2796
 __mem_cgroup_charge+0x14c/0x6d0 mm/memcontrol.c:6871
 mem_cgroup_charge include/linux/memcontrol.h:458 [inline]
 shmem_add_to_page_cache+0x55e/0xe10 mm/shmem.c:703
 shmem_getpage_gfp+0x8e8/0x2110 mm/shmem.c:1956
 shmem_getpage mm/shmem.c:165 [inline]
 shmem_write_begin+0xce/0x1b0 mm/shmem.c:2501
 generic_perform_write+0x2be/0x510 mm/filemap.c:3509
 __generic_file_write_iter+0x24b/0x480 mm/filemap.c:3638
 generic_file_write_iter+0xa9/0x1d0 mm/filemap.c:3670
 __kernel_write+0x55a/0x910 fs/read_write.c:550
 dump_emit+0x240/0x360 fs/coredump.c:855
 dump_user_range+0x6a/0x1a0 fs/coredump.c:908
 elf_core_dump+0x278a/0x2bc0 fs/binfmt_elf.c:2290
 do_coredump+0x1ac9/0x27f0 fs/coredump.c:817
 get_signal+0xf23/0x12e0 kernel/signal.c:2779
 arch_do_signal_or_restart+0xbf/0x10f0 arch/x86/kernel/signal.c:805
 handle_signal_work kernel/entry/common.c:145 [inline]
 exit_to_user_mode_loop+0xa2/0xe0 kernel/entry/common.c:169
 exit_to_user_mode_prepare+0x76/0xa0 kernel/entry/common.c:199
 irqentry_exit_to_user_mode+0x9/0x10 kernel/entry/common.c:287
 irqentry_exit+0x12/0x60 kernel/entry/common.c:375
 exc_general_protection+0x1ca/0x250 arch/x86/kernel/traps.c:557
 asm_exc_general_protection+0x1e/0x30 arch/x86/include/asm/idtentry.h:565
RIP: 0033:0x7f5dd46426d1
Code: 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 48 3d 01 f0 ff ff 73 01 <c3> 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f
RSP: 002b:00002000000003c0 EFLAGS: 00010217
RAX: 0000000000000000 RBX: 00007f5dd4898fa0 RCX: 00007f5dd46426c9
RDX: 0000200000000140 RSI: 00002000000003c0 RDI: 0000000080202400
RBP: 00007f5dd46c4f91 R08: 0000200000000400 R09: 0000200000000400
R10: 0000200000000180 R11: 0000000000000206 R12: 0000000000000000
R13: 00007f5dd4899038 R14: 00007f5dd4898fa0 R15: 00007ffd915bd108
memory: usage 307188kB, limit 307200kB, failcnt 12810
memory+swap: usage 422144kB, limit 9007199254740988kB, failcnt 0
kmem: usage 0kB, limit 9007199254740988kB, failcnt 0
Memory cgroup stats for /syz9:
anon 229376
file 309669888
kernel_stack 0
percpu 0
sock 0
shmem 309534720
file_mapped 0
file_dirty 0
file_writeback 0
anon_thp 0
inactive_anon 312729600
active_anon 1622016
inactive_file 0
active_file 57344
unevictable 0
slab_reclaimable 0
slab_unreclaimable 0
slab 0
workingset_refault_anon 0
workingset_refault_file 0
workingset_activate_anon 0
workingset_activate_file 0
workingset_restore_anon 0
workingset_restore_file 0
oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=syz9,mems_allowed=0,oom_memcg=/syz9,task_memcg=/syz9,task=syz.9.4668,pid=18204,uid=0
Memory cgroup out of memory: Killed process 18204 (syz.9.4668) total-vm:90104kB, anon-rss:1196kB, file-rss:45760kB, shmem-rss:0kB, UID:0 pgtables:164kB oom_score_adj:0