==================================================================
BUG: KASAN: use-after-free in cleancache_fs_enabled_mapping include/linux/cleancache.h:54 [inline]
BUG: KASAN: use-after-free in cleancache_invalidate_page include/linux/cleancache.h:108 [inline]
BUG: KASAN: use-after-free in unaccount_page_cache_page+0x639/0x6b0 mm/filemap.c:169
Read of size 4 at addr ffff8881deb17488 by task syz-executor.3/20812

CPU: 1 PID: 20812 Comm: syz-executor.3 Not tainted 5.4.233-syzkaller-00030-ga6b5274af71b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 cleancache_fs_enabled_mapping include/linux/cleancache.h:54 [inline]
 cleancache_invalidate_page include/linux/cleancache.h:108 [inline]
 unaccount_page_cache_page+0x639/0x6b0 mm/filemap.c:169
 __delete_from_page_cache+0xc3/0x510 mm/filemap.c:237
 __remove_mapping+0x46e/0x550 mm/vmscan.c:978
 shrink_page_list+0x2467/0x3e70 mm/vmscan.c:1482
 shrink_inactive_list+0x4f6/0xfd0 mm/vmscan.c:2001
 shrink_list mm/vmscan.c:2293 [inline]
 shrink_node_memcg+0xc42/0x2430 mm/vmscan.c:2623
 shrink_node+0x396/0x12b0 mm/vmscan.c:2836
 shrink_zones mm/vmscan.c:3053 [inline]
 do_try_to_free_pages+0x625/0x1280 mm/vmscan.c:3111
 try_to_free_mem_cgroup_pages+0x3f6/0x9b0 mm/vmscan.c:3412
 memory_high_write+0x16a/0x1b0 mm/memcontrol.c:6173
 cgroup_file_write+0x275/0x5c0 kernel/cgroup/cgroup.c:3898
 kernfs_fop_write+0x2e2/0x3e0 fs/kernfs/file.c:315
 __vfs_write+0x103/0x750 fs/read_write.c:494
 __kernel_write+0x10f/0x350 fs/read_write.c:515
 write_pipe_buf+0x14a/0x1d0 fs/splice.c:794
 splice_from_pipe_feed fs/splice.c:500 [inline]
 __splice_from_pipe+0x2a0/0x830 fs/splice.c:624
 splice_from_pipe fs/splice.c:659 [inline]
 default_file_splice_write+0x19c/0x260 fs/splice.c:806
 splice_direct_to_actor+0x497/0xae0 fs/splice.c:976
 do_splice_direct+0x27f/0x3c0 fs/splice.c:1064
 do_sendfile+0x854/0xee0 fs/read_write.c:1464
 __do_sys_sendfile64 fs/read_write.c:1525 [inline]
 __se_sys_sendfile64 fs/read_write.c:1511 [inline]
 __x64_sys_sendfile64+0x1ce/0x230 fs/read_write.c:1511
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Allocated by task 17036:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x130/0x1d0 mm/kasan/common.c:529
 __kmalloc_node include/linux/slab.h:422 [inline]
 kmalloc_node include/linux/slab.h:599 [inline]
 kvmalloc_node+0x7e/0xf0 mm/util.c:596
 kvmalloc include/linux/mm.h:759 [inline]
 kvmalloc_array include/linux/mm.h:777 [inline]
 alloc_fdtable+0xcb/0x240 fs/file.c:115
 dup_fd+0x718/0xaa0 fs/file.c:310
 copy_files+0xe1/0x1f0 kernel/fork.c:1474
 copy_process+0x11e3/0x3230 kernel/fork.c:2029
 _do_fork+0x197/0x900 kernel/fork.c:2391
 __do_sys_clone kernel/fork.c:2549 [inline]
 __se_sys_clone kernel/fork.c:2530 [inline]
 __x64_sys_clone+0x26b/0x2c0 kernel/fork.c:2530
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 20180:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x178/0x230 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1494 [inline]
 slab_free mm/slub.c:3080 [inline]
 kfree+0xeb/0x320 mm/slub.c:4071
 __free_fdtable fs/file.c:31 [inline]
 put_files_struct+0x291/0x330 fs/file.c:420
 do_exit+0xc78/0x2bc0 kernel/exit.c:854
 do_group_exit+0x138/0x300 kernel/exit.c:982
 get_signal+0xd94/0x13f0 kernel/signal.c:2735
 do_signal+0xb0/0x11f0 arch/x86/kernel/signal.c:809
 exit_to_usermode_loop+0xc0/0x1a0 arch/x86/entry/common.c:159
 prepare_exit_to_usermode+0x199/0x200 arch/x86/entry/common.c:194
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

The buggy address belongs to the object at ffff8881deb17000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1160 bytes inside of
 2048-byte region [ffff8881deb17000, ffff8881deb17800)
The buggy address belongs to the page:
page:ffffea00077ac400 refcount:1 mapcount:0 mapping:ffff8881f5c0c000 index:0xffff8881deb17000 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 ffffea0006e2b408 ffffea0007aeca08 ffff8881f5c0c000
raw: ffff8881deb17000 0000000000080006 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2ce8/0x2d70 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4891
 alloc_slab_page+0x39/0x3c0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x440 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x2fe/0x490 mm/slub.c:2667
 __slab_alloc+0x5a/0x90 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 __kmalloc_track_caller+0x168/0x290 mm/slub.c:4449
 __kmalloc_reserve net/core/skbuff.c:142 [inline]
 __alloc_skb+0xb4/0x4d0 net/core/skbuff.c:210
 alloc_skb include/linux/skbuff.h:1079 [inline]
 nlmsg_new include/net/netlink.h:888 [inline]
 inet6_ifinfo_notify+0x69/0x110 net/ipv6/addrconf.c:5952
 addrconf_notify+0xb3b/0xe50 net/ipv6/addrconf.c:3660
 notifier_call_chain kernel/notifier.c:98 [inline]
 __raw_notifier_call_chain kernel/notifier.c:399 [inline]
 raw_notifier_call_chain+0x95/0x110 kernel/notifier.c:406
 __dev_notify_flags+0x26e/0x510 net/core/dev.c:1670
 dev_change_flags+0xe7/0x190 net/core/dev.c:8001
 do_setlink+0xc4c/0x3b70 net/core/rtnetlink.c:2520
 __rtnl_newlink net/core/rtnetlink.c:3163 [inline]
 rtnl_newlink+0x1666/0x2010 net/core/rtnetlink.c:3289
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x83d/0x940 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4953 [inline]
 __free_pages+0x91/0x140 mm/page_alloc.c:4959
 __free_slab+0x221/0x2e0 mm/slub.c:1774
 free_slab mm/slub.c:1789 [inline]
 discard_slab mm/slub.c:1795 [inline]
 unfreeze_partials+0x14e/0x180 mm/slub.c:2288
 put_cpu_partial+0xb4/0x150 mm/slub.c:2324
 __slab_free+0x288/0x350 mm/slub.c:2971
 qlist_free_all+0x43/0xb0 mm/kasan/quarantine.c:167
 quarantine_reduce+0x174/0x190 mm/kasan/quarantine.c:260
 __kasan_kmalloc+0x43/0x1d0 mm/kasan/common.c:507
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 __kmalloc+0x100/0x2b0 mm/slub.c:3909
 kmalloc include/linux/slab.h:561 [inline]
 kzalloc include/linux/slab.h:690 [inline]
 fib6_info_alloc+0x2c/0xd0 net/ipv6/ip6_fib.c:154
 ip6_route_info_create+0x458/0x1500 net/ipv6/route.c:3659
 ip6_route_add+0x22/0x120 net/ipv6/route.c:3755
 addrconf_add_mroute net/ipv6/addrconf.c:2491 [inline]
 addrconf_add_dev+0x41f/0x610 net/ipv6/addrconf.c:2509
 addrconf_dev_config+0x1a7/0x320 net/ipv6/addrconf.c:3394
 addrconf_notify+0x9d2/0xe50 net/ipv6/addrconf.c:3638

Memory state around the buggy address:
 ffff8881deb17380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881deb17400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881deb17480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff8881deb17500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881deb17580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================