================================================================== BUG: KASAN: use-after-free in cleancache_fs_enabled_mapping include/linux/cleancache.h:56 [inline] BUG: KASAN: use-after-free in cleancache_invalidate_page include/linux/cleancache.h:110 [inline] BUG: KASAN: use-after-free in unaccount_page_cache_page+0x9dc/0xac0 mm/filemap.c:175 Read of size 4 at addr ffff888118d9a470 by task syz.2.1984/7419 CPU: 1 PID: 7419 Comm: syz.2.1984 Tainted: G W syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: __dump_stack+0x21/0x24 lib/dump_stack.c:77 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:435 [inline] kasan_report+0x100/0x140 mm/kasan/report.c:452 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308 cleancache_fs_enabled_mapping include/linux/cleancache.h:56 [inline] cleancache_invalidate_page include/linux/cleancache.h:110 [inline] unaccount_page_cache_page+0x9dc/0xac0 mm/filemap.c:175 __delete_from_page_cache+0xc3/0x470 mm/filemap.c:243 __remove_mapping+0x581/0x6b0 mm/vmscan.c:985 shrink_page_list+0x21ee/0x4160 mm/vmscan.c:1498 shrink_inactive_list+0x90c/0xef0 mm/vmscan.c:2075 shrink_list mm/vmscan.c:2294 [inline] shrink_lruvec+0x2806/0x2d70 mm/vmscan.c:5473 shrink_node_memcgs mm/vmscan.c:5660 [inline] shrink_node+0xee0/0x2690 mm/vmscan.c:5690 shrink_zones mm/vmscan.c:5896 [inline] do_try_to_free_pages+0x602/0x1590 mm/vmscan.c:5954 try_to_free_mem_cgroup_pages+0x261/0x610 mm/vmscan.c:6272 try_charge+0x426/0x1580 mm/memcontrol.c:2745 __mem_cgroup_charge+0x148/0x6d0 mm/memcontrol.c:6871 mem_cgroup_charge include/linux/memcontrol.h:458 [inline] shmem_add_to_page_cache+0x569/0xe10 mm/shmem.c:699 shmem_getpage_gfp+0x907/0x20f0 mm/shmem.c:1952 shmem_getpage mm/shmem.c:161 [inline] shmem_file_read_iter+0x286/0x870 mm/shmem.c:2574 call_read_iter include/linux/fs.h:2060 [inline] generic_file_splice_read+0x3ea/0x5f0 fs/splice.c:311 do_splice_to fs/splice.c:791 [inline] splice_direct_to_actor+0x40a/0xb20 fs/splice.c:870 do_splice_direct+0x1c2/0x2d0 fs/splice.c:979 do_sendfile+0x8df/0x1040 fs/read_write.c:1257 __do_sys_sendfile64 fs/read_write.c:1318 [inline] __se_sys_sendfile64 fs/read_write.c:1304 [inline] __x64_sys_sendfile64+0x199/0x1f0 fs/read_write.c:1304 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7f54955eae59 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f5494045028 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 00007f5495863fa0 RCX: 00007f54955eae59 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000004 RBP: 00007f5495680d6f R08: 0000000000000000 R09: 0000000000000000 R10: 000000007e78a6f1 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f5495864038 R14: 00007f5495863fa0 R15: 00007fffb7169708 The buggy address belongs to the page: page:ffffea0004636680 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x118d9a flags: 0x4000000000000000() raw: 4000000000000000 ffffea0004823f48 ffffea000467a7c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffff7f 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 7306, ts 267558493401, free_ts 267592715101 set_page_owner include/linux/page_owner.h:35 [inline] post_alloc_hook mm/page_alloc.c:2456 [inline] prep_new_page+0x176/0x190 mm/page_alloc.c:2462 get_page_from_freelist+0x225f/0x23f0 mm/page_alloc.c:4254 __alloc_pages_nodemask+0x29a/0x640 mm/page_alloc.c:5384 __vmalloc_area_node mm/vmalloc.c:-1 [inline] __vmalloc_node_range+0x388/0x7a0 mm/vmalloc.c:2629 vmalloc_user+0x73/0x80 mm/vmalloc.c:2758 kcov_mmap+0x2b/0x130 kernel/kcov.c:465 call_mmap include/linux/fs.h:2071 [inline] mmap_file+0x60/0xb0 mm/util.c:1085 __mmap_region mm/mmap.c:1884 [inline] mmap_region+0x11fd/0x19c0 mm/mmap.c:3075 do_mmap+0x85f/0xf50 mm/mmap.c:1661 vm_mmap_pgoff+0x1f4/0x350 mm/util.c:543 ksys_mmap_pgoff+0x16f/0x1e0 mm/mmap.c:1712 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:95 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline] __x64_sys_mmap+0xfa/0x110 arch/x86/kernel/sys_x86_64.c:86 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x61/0xcb page last free stack trace: reset_page_owner include/linux/page_owner.h:28 [inline] free_pages_prepare mm/page_alloc.c:1349 [inline] free_pcp_prepare mm/page_alloc.c:1421 [inline] free_unref_page_prepare+0x2b7/0x2d0 mm/page_alloc.c:3336 free_unref_page mm/page_alloc.c:3391 [inline] free_the_page mm/page_alloc.c:5443 [inline] __free_pages+0x146/0x390 mm/page_alloc.c:5454 __vunmap+0x801/0x980 mm/vmalloc.c:2307 __vfree mm/vmalloc.c:2356 [inline] vfree+0x61/0x90 mm/vmalloc.c:2387 kcov_mmap+0x8f/0x130 kernel/kcov.c:489 call_mmap include/linux/fs.h:2071 [inline] mmap_file+0x60/0xb0 mm/util.c:1085 __mmap_region mm/mmap.c:1884 [inline] mmap_region+0x11fd/0x19c0 mm/mmap.c:3075 do_mmap+0x85f/0xf50 mm/mmap.c:1661 vm_mmap_pgoff+0x1f4/0x350 mm/util.c:543 ksys_mmap_pgoff+0x16f/0x1e0 mm/mmap.c:1712 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:95 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline] __x64_sys_mmap+0xfa/0x110 arch/x86/kernel/sys_x86_64.c:86 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x61/0xcb Memory state around the buggy address: ffff888118d9a300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888118d9a380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888118d9a400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888118d9a480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888118d9a500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================