==================================================================
BUG: KASAN: use-after-free in __schedule+0x21e3/0x3590
Write of size 8 at addr ffff8880414e14d8 by task (tmpfiles)/8013

CPU: 1 UID: 0 PID: 8013 Comm: (tmpfiles) Tainted: G W 6.17.0-rc3-next-20250829 #1 PREEMPT(voluntary)
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 dump_stack_lvl+0xca/0x120
 print_report+0xcb/0x610
 kasan_report+0xca/0x100
 kasan_check_range+0x39/0x1b0
 __schedule+0x21e3/0x3590
 schedule+0xdb/0x390
 schedule_timeout+0x244/0x280
 do_wait_for_common+0x1b2/0x440
 wait_for_completion+0x4a/0x60
 synchronize_rcu_normal+0x168/0x200
 rcu_sync_enter+0x14a/0x310
 percpu_down_write+0x59/0x370
 cgroup_procs_write_start+0x154/0x670
 __cgroup_procs_write+0xda/0x770
 cgroup_procs_write+0x26/0x60
 cgroup_file_write+0x1ee/0x790
 kernfs_fop_write_iter+0x347/0x510
 vfs_write+0xbe9/0x1150
 ksys_write+0x121/0x240
 do_syscall_64+0xbf/0x360
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3ec4bf7f6f
Code: Unable to access opcode bytes at 0x7f3ec4bf7f45.
RSP: 002b:00007ffd07f6c660 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f3ec4bf7f6f
RDX: 0000000000000005 RSI: 00007ffd07f6c85a RDI: 0000000000000003
RBP: 00007ffd07f6c85a R08: 0000000000000000 R09: 00007ffd07f6c6e0
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000005
R13: 000055e246d7abf0 R14: 0000000000000005 R15: 00007f3ec4cc88a0

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x414e1
flags: 0x100000000000000(node=0|zone=1)
raw: 0100000000000000 ffffea0001053848 ffffea0001053848 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880414e1380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880414e1400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880414e1480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                    ^
 ffff8880414e1500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880414e1580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
BUG: Bad rss-counter state mm:00000000d8341ceb type:MM_FILEPAGES val:195 Comm:syz-executor.6 Pid:8060
BUG: Bad rss-counter state mm:00000000d8341ceb type:MM_ANONPAGES val:1149841729 Comm:syz-executor.6 Pid:8060
BUG: Bad rss-counter state mm:00000000d8341ceb type:MM_SWAPENTS val:210 Comm:syz-executor.6 Pid:8060
BUG: Bad rss-counter state mm:00000000f3332897 type:MM_FILEPAGES val:1236844564 Comm:syz-fuzzer Pid:253
BUG: Bad rss-counter state mm:00000000f3332897 type:MM_ANONPAGES val:210 Comm:syz-fuzzer Pid:253
BUG: Bad rss-counter state mm:000000007aac311b type:MM_FILEPAGES val:2751554885 Comm:systemd-udevd Pid:8074
BUG: Bad rss-counter state mm:000000007aac311b type:MM_ANONPAGES val:404 Comm:systemd-udevd Pid:8074
BUG: Bad rss-counter state mm:000000007aac311b type:MM_SWAPENTS val:-1 Comm:systemd-udevd Pid:8074