==================================================================
BUG: KASAN: slab-use-after-free in sched_mm_cid_remote_clear+0x271/0x470
Write of size 8 at addr ffff888041f0a0b0 by task syz-executor.5/3941

CPU: 1 UID: 0 PID: 3941 Comm: syz-executor.5 Tainted: G        W           6.17.0-rc4-next-20250901 #1 PREEMPT(voluntary) 
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xca/0x120
 print_report+0xcb/0x610
 kasan_report+0xca/0x100
 kasan_check_range+0x39/0x1b0
 sched_mm_cid_remote_clear+0x271/0x470
 task_mm_cid_work+0x39f/0x840
 task_work_run+0x172/0x280
 exit_to_user_mode_loop+0xef/0x110
 do_syscall_64+0x2f7/0x360
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2065110b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2062665108 EFLAGS: 00000202 ORIG_RAX: 00000000000001a9
RAX: 0000000000000004 RBX: 00007f2065224020 RCX: 00007f2065110b19
RDX: 0000000020ffd000 RSI: 0000000020000240 RDI: 0000000000003cfc
RBP: 0000000020000240 R08: 0000000020000300 R09: 0000000020000300
R10: 00000000200002c0 R11: 0000000000000202 R12: 0000000020000300
R13: 0000000020ffd000 R14: 00000000200002c0 R15: 0000000020ffd000
 </TASK>

Allocated by task 114:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 __kasan_slab_alloc+0x59/0x70
 kmem_cache_alloc_noprof+0x205/0x690
 alloc_empty_file+0x58/0x1e0
 path_openat+0xe0/0x2880
 do_filp_open+0x1e8/0x450
 do_sys_openat2+0x104/0x1b0
 __x64_sys_openat+0x142/0x200
 do_syscall_64+0xbf/0x360
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 114:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 __kasan_save_free_info+0x3a/0x60
 __kasan_slab_free+0x3f/0x50
 slab_free_after_rcu_debug+0xd6/0x290
 rcu_core+0x7c8/0x1800
 handle_softirqs+0x1b1/0x770
 __irq_exit_rcu+0xc4/0x100
 irq_exit_rcu+0x9/0x20
 sysvec_apic_timer_interrupt+0x70/0x80
 asm_sysvec_apic_timer_interrupt+0x1a/0x20

Last potentially related work creation:
 kasan_save_stack+0x24/0x50
 kasan_record_aux_stack+0x89/0xa0
 kmem_cache_free+0x148/0x540
 __fput+0x67b/0xb50
 fput_close_sync+0x10f/0x240
 __x64_sys_close+0x8f/0x120
 do_syscall_64+0xbf/0x360
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888041f0a000
 which belongs to the cache filp of size 360
The buggy address is located 176 bytes inside of
 freed 360-byte region [ffff888041f0a000, ffff888041f0a168)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x41f0a
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88800b7c0e01
flags: 0x100000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0100000000000040 ffff888009415500 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000120012 00000000f5000000 ffff88800b7c0e01
head: 0100000000000040 ffff888009415500 dead000000000122 0000000000000000
head: 0000000000000000 0000000000120012 00000000f5000000 ffff88800b7c0e01
head: 0100000000000001 ffffea000107c281 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888041f09f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888041f0a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888041f0a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff888041f0a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
 ffff888041f0a180: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
==================================================================
kmemleak: Found object by alias at 0x607f1a63dae8
CPU: 1 UID: 0 PID: 3937 Comm: syz-executor.3 Tainted: G    B   W           6.17.0-rc4-next-20250901 #1 PREEMPT(voluntary) 
Tainted: [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xca/0x120
 __lookup_object+0x94/0xb0
 delete_object_full+0x27/0x70
 free_percpu+0x30/0x1160
 futex_hash_free+0x38/0xc0
 mmput+0x2d3/0x390
 do_exit+0x79d/0x2970
 do_group_exit+0xd3/0x2a0
 __x64_sys_exit_group+0x3e/0x50
 x64_sys_call+0x18c5/0x18d0
 do_syscall_64+0xbf/0x360
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f91cebfcb19
Code: Unable to access opcode bytes at 0x7f91cebfcaef.
RSP: 002b:00007ffc34da8e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 000000000000001e RCX: 00007f91cebfcb19
RDX: 00007f91cebaf72b RSI: ffffffffffffffbc RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000001b2d1211e8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000001 R15: 00007ffc34da8f50
 </TASK>
kmemleak: Object (percpu) 0x607f1a63dae0 (size 16):
kmemleak:   comm "syz-executor.3", pid 285, jiffies 4294772959
kmemleak:   min_count = 1
kmemleak:   count = 0
kmemleak:   flags = 0x21
kmemleak:   checksum = 0
kmemleak:   backtrace:
 pcpu_alloc_noprof+0x87a/0x1170
 mm_init+0x99b/0x1170
 copy_process+0x3ab7/0x73c0
 kernel_clone+0xea/0x7f0
 __do_sys_clone+0xce/0x120
 do_syscall_64+0xbf/0x360
 entry_SYSCALL_64_after_hwframe+0x77/0x7f