audit: type=1326 audit(1751320482.020:699): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=20106 comm="syz-executor.3" exe="/syz-executor.3" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f746ffb1b19 code=0x0
==================================================================
BUG: KASAN: slab-use-after-free in flush_tlb_func+0x24d/0x560
Write of size 8 at addr ffff888016f05b80 by task kauditd/31

CPU: 1 UID: 0 PID: 31 Comm: kauditd Not tainted 6.16.0-rc4-next-20250630 #1 PREEMPT(voluntary) 
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 <IRQ>
 dump_stack_lvl+0xca/0x120
 print_report+0xcb/0x670
 kasan_report+0xca/0x100
 kasan_check_range+0x39/0x1b0
 flush_tlb_func+0x24d/0x560
 __flush_smp_call_function_queue+0x20d/0x740
 __sysvec_call_function_single+0x6d/0x360
 sysvec_call_function_single+0xa1/0xc0
 </IRQ>
 <TASK>
 asm_sysvec_call_function_single+0x1a/0x20
RIP: 0010:console_flush_all+0x8c1/0xb70
Code: 01 4c 89 e8 48 c1 e8 03 42 80 3c 30 00 0f 85 6c 02 00 00 49 89 6f 58 e9 3a ff ff ff e8 b8 46 1f 00 e8 c3 70 27 00 fb 4c 89 e8 <48> c1 e8 03 42 80 3c 30 00 0f 84 19 ff ff ff 4c 89 ef e8 a8 a7 5a
RSP: 0018:ffff888009a379c0 EFLAGS: 00000202
RAX: ffffffff85f35e38 RBX: 0000000000000001 RCX: 0000000000000040
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff81544fcd
RBP: 0000000000000200 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff86438657 R11: 0000000000000001 R12: 0000000000000000
R13: ffffffff85f35e38 R14: dffffc0000000000 R15: ffffffff85f35de0
 console_unlock+0xc2/0x1f0
 vprintk_emit+0x437/0x680
 _printk+0xbe/0xf0
 kauditd_hold_skb+0x205/0x250
 kauditd_send_queue+0x233/0x290
 kauditd_thread+0x607/0xa80
 kthread+0x3c8/0x740
 ret_from_fork+0x34b/0x430
 ret_from_fork_asm+0x1a/0x30
 </TASK>

Allocated by task 16121:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 __kasan_slab_alloc+0x59/0x70
 kmem_cache_alloc_noprof+0x13c/0x470
 copy_process+0x6f3a/0x73e0
 kernel_clone+0xea/0x820
 __do_sys_clone+0xce/0x120
 do_syscall_64+0xbf/0x360
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 20096:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3a/0x60
 __kasan_slab_free+0x38/0x50
 kmem_cache_free+0x2a1/0x460
 mmput+0x305/0x390
 do_exit+0x79d/0x2970
 do_group_exit+0xd3/0x2a0
 get_signal+0x2315/0x2340
 arch_do_signal_or_restart+0x80/0x790
 exit_to_user_mode_loop+0x8b/0x100
 do_syscall_64+0x2f7/0x360
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888016f05200
 which belongs to the cache mm_struct of size 2456
The buggy address is located 2432 bytes inside of
 freed 2456-byte region [ffff888016f05200, ffff888016f05b98)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16f00
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88800dcedf81
flags: 0x100000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0100000000000040 ffff888008c4bc80 ffffea0000689000 dead000000000002
raw: 0000000000000000 00000000000c000c 00000000f5000000 ffff88800dcedf81
head: 0100000000000040 ffff888008c4bc80 ffffea0000689000 dead000000000002
head: 0000000000000000 00000000000c000c 00000000f5000000 ffff88800dcedf81
head: 0100000000000003 ffffea00005bc001 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888016f05a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888016f05b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888016f05b80: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff888016f05c00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff888016f05c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
audit: type=1326 audit(1751320482.096:700): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=20106 comm="syz-executor.3" exe="/syz-executor.3" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f746ffb1b19 code=0x0
audit: type=1326 audit(1751320482.790:701): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=20093 comm="syz-executor.7" exe="/syz-executor.7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f63859dfb19 code=0x0
----------------
Code disassembly (best guess):
   0:	01 4c 89 e8          	add    %ecx,-0x18(%rcx,%rcx,4)
   4:	48 c1 e8 03          	shr    $0x3,%rax
   8:	42 80 3c 30 00       	cmpb   $0x0,(%rax,%r14,1)
   d:	0f 85 6c 02 00 00    	jne    0x27f
  13:	49 89 6f 58          	mov    %rbp,0x58(%r15)
  17:	e9 3a ff ff ff       	jmpq   0xffffff56
  1c:	e8 b8 46 1f 00       	callq  0x1f46d9
  21:	e8 c3 70 27 00       	callq  0x2770e9
  26:	fb                   	sti
  27:	4c 89 e8             	mov    %r13,%rax
* 2a:	48 c1 e8 03          	shr    $0x3,%rax <-- trapping instruction
  2e:	42 80 3c 30 00       	cmpb   $0x0,(%rax,%r14,1)
  33:	0f 84 19 ff ff ff    	je     0xffffff52
  39:	4c 89 ef             	mov    %r13,%rdi
  3c:	e8                   	.byte 0xe8
  3d:	a8 a7                	test   $0xa7,%al
  3f:	5a                   	pop    %rdx