random: crng reseeded on system resumption
==================================================================
BUG: KASAN: use-after-free in anon_vma_interval_tree_remove+0xc71/0xf20
Read of size 8 at addr ffff88801ba8ad68 by task syz-executor.1/14451

CPU: 0 PID: 14451 Comm: syz-executor.1 Not tainted 5.19.0-rc7-next-20220719 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
 dump_stack_lvl+0x8b/0xb3
 print_report.cold+0x5e/0x5e5
 kasan_report+0xb1/0x1c0
 anon_vma_interval_tree_remove+0xc71/0xf20
 unlink_anon_vmas+0x1b7/0x6f0
 free_pgtables+0x24d/0x420
 exit_mmap+0x1b4/0x680
 mmput+0xd1/0x390
 do_exit+0xb44/0x2940
 do_group_exit+0xd0/0x2a0
 get_signal+0x2205/0x24b0
 arch_do_signal_or_restart+0x89/0x1be0
 exit_to_user_mode_prepare+0x131/0x1a0
 syscall_exit_to_user_mode+0x19/0x40
 do_syscall_64+0x48/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fdc28570b19
Code: Unable to access opcode bytes at RIP 0x7fdc28570aef.
RSP: 002b:00007fdc25ae6218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 00007fdc28683f68 RCX: 00007fdc28570b19
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007fdc28683f6c
RBP: 00007fdc28683f60 R08: 0000000000000016 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 00007fdc28683f6c
R13: 00007fffd64767ff R14: 00007fdc25ae6300 R15: 0000000000022000

Allocated by task 14451:
 kasan_save_stack+0x1e/0x40
 __kasan_slab_alloc+0x66/0x80
 kmem_cache_alloc+0x1b1/0x4a0
 vm_area_dup+0x7f/0x230
 copy_vma+0x34b/0x7f0
 move_vma.constprop.0+0x918/0xfa0
 __do_sys_mremap+0xe69/0x1520
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 14451:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_set_free_info+0x20/0x40
 __kasan_slab_free+0x108/0x190
 kmem_cache_free+0xfb/0x610
 copy_vma+0x698/0x7f0
 move_vma.constprop.0+0x918/0xfa0
 __do_sys_mremap+0xe69/0x1520
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88801ba8ad00
 which belongs to the cache vm_area_struct of size 144
The buggy address is located 104 bytes inside of
 144-byte region [ffff88801ba8ad00, ffff88801ba8ad90)

The buggy address belongs to the physical page:
page:000000009b836b1a refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ba8a
memcg:ffff88800d241e01
flags: 0x100000000000200(slab|node=0|zone=1)
raw: 0100000000000200 dead000000000100 dead000000000122 ffff888008473c80
raw: 0000000000000000 0000000080130013 00000001ffffffff ffff88800d241e01
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88801ba8ac00: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb
 ffff88801ba8ac80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff88801ba8ad00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff88801ba8ad80: fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb
 ffff88801ba8ae00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================
random: crng reseeded on system resumption
random: crng reseeded on system resumption
random: crng reseeded on system resumption
random: crng reseeded on system resumption
random: crng reseeded on system resumption
random: crng reseeded on system resumption