==================================================================
BUG: KASAN: slab-use-after-free in shrink_folio_list+0x141d/0x37d0
Read of size 8 at addr ffff8880200790d1 by task syz-executor.4/8989

CPU: 1 PID: 8989 Comm: syz-executor.4 Not tainted 6.4.0-next-20230706 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 dump_stack_lvl+0x91/0xf0
 print_report+0xcc/0x620
 kasan_report+0xbe/0xf0
 kasan_check_range+0x39/0x1b0
 shrink_folio_list+0x141d/0x37d0
 reclaim_folio_list+0xc4/0x300
 reclaim_pages+0x377/0x520
 madvise_cold_or_pageout_pte_range+0xc9c/0xf90
 walk_pgd_range+0xcc3/0x1740
 __walk_page_range+0x5f6/0x720
 walk_page_range+0x316/0x4b0
 madvise_pageout+0x30b/0x580
 madvise_vma_behavior+0x413/0x20a0
 do_madvise.part.0+0x39a/0x650
 __x64_sys_madvise+0x10c/0x160
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8
RIP: 0033:0x7fcf54dd1b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcf52347188 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007fcf54ee4f60 RCX: 00007fcf54dd1b19
RDX: 0000000000000015 RSI: 0000000000004000 RDI: 0000000020ffa000
RBP: 00007fcf54e2bf6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd405e68af R14: 00007fcf52347300 R15: 0000000000022000

Allocated by task 103:
 kasan_save_stack+0x22/0x50
 kasan_set_track+0x25/0x30
 __kasan_slab_alloc+0x59/0x70
 kmem_cache_alloc+0x17b/0x390
 vm_area_dup+0x20/0xa0
 dup_mmap+0x78f/0x1250
 copy_process+0x3e68/0x7320
 kernel_clone+0xeb/0x7d0
 __do_sys_clone+0xba/0x100
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

The buggy address belongs to the object at ffff8880200790d0
 which belongs to the cache vm_area_struct of size 144
The buggy address is located 1 bytes inside of
 freed 144-byte region [ffff8880200790d0, ffff888020079160)

The buggy address belongs to the physical page:
page:00000000b8a7f708 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880200795b0 pfn:0x20079
memcg:ffff888019992001
flags: 0x100000000000200(slab|node=0|zone=1)
page_type: 0xffffffff()
raw: 0100000000000200 ffff8880087a2c80 ffff8880084d4e88 ffffea0000801b50
raw: ffff8880200795b0 000000000013000b 00000001ffffffff ffff888019992001
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888020078f80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
 ffff888020079000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888020079080: fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb
                                                 ^
 ffff888020079100: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff888020079180: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
general protection fault, probably for non-canonical address 0xf41ffbfd40009669: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xa0ffffea0004b348-0xa0ffffea0004b34f]
CPU: 1 PID: 8989 Comm: syz-executor.4 Tainted: G    B              6.4.0-next-20230706 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:filemap_release_folio+0x1cd/0x290
Code: 48 c1 ea 03 80 3c 02 00 0f 85 b3 00 00 00 49 8b 9e e8 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 48 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 97 00 00 00 48 8b 5b 48 48 85 db 74 2a e8 ab e9
RSP: 0018:ffff88800f2b71f8 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: a0ffffea0004b301 RCX: ffffffff816255a9
RDX: 141ffffd40009669 RSI: 0000000000000008 RDI: a0ffffea0004b349
RBP: ffffea000118f480 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000cc0 R14: ffff888020078ee1 R15: ffff8880200790d1
FS:  00007fcf52347700(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005569445aadb8 CR3: 0000000041dca000 CR4: 0000000000350ee0
Call Trace:
 shrink_folio_list+0x26af/0x37d0
 reclaim_folio_list+0xc4/0x300
 reclaim_pages+0x377/0x520
 madvise_cold_or_pageout_pte_range+0xc9c/0xf90
 walk_pgd_range+0xcc3/0x1740
 __walk_page_range+0x5f6/0x720
 walk_page_range+0x316/0x4b0
 madvise_pageout+0x30b/0x580
 madvise_vma_behavior+0x413/0x20a0
 do_madvise.part.0+0x39a/0x650
 __x64_sys_madvise+0x10c/0x160
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8
RIP: 0033:0x7fcf54dd1b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcf52347188 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007fcf54ee4f60 RCX: 00007fcf54dd1b19
RDX: 0000000000000015 RSI: 0000000000004000 RDI: 0000000020ffa000
RBP: 00007fcf54e2bf6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd405e68af R14: 00007fcf52347300 R15: 0000000000022000
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:filemap_release_folio+0x1cd/0x290
Code: 48 c1 ea 03 80 3c 02 00 0f 85 b3 00 00 00 49 8b 9e e8 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 48 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 97 00 00 00 48 8b 5b 48 48 85 db 74 2a e8 ab e9
RSP: 0018:ffff88800f2b71f8 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: a0ffffea0004b301 RCX: ffffffff816255a9
RDX: 141ffffd40009669 RSI: 0000000000000008 RDI: a0ffffea0004b349
RBP: ffffea000118f480 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000cc0 R14: ffff888020078ee1 R15: ffff8880200790d1
FS:  00007fcf52347700(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005569445aadb8 CR3: 0000000041dca000 CR4: 0000000000350ee0
------------[ cut here ]------------
WARNING: CPU: 1 PID: 8989 at kernel/exit.c:818 do_exit+0x1ba7/0x2740
Modules linked in:
CPU: 1 PID: 8989 Comm: syz-executor.4 Tainted: G    B D            6.4.0-next-20230706 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:do_exit+0x1ba7/0x2740
Code: 00 00 31 f6 e8 aa 68 ff ff e9 09 f6 ff ff e8 20 b4 33 00 4c 89 ee bf 05 06 00 00 e8 e3 e3 02 00 e9 3a e9 ff ff e8 09 b4 33 00 <0f> 0b e9 20 e6 ff ff e8 fd b3 33 00 0f 0b e9 d8 e4 ff ff e8 f1 b3
RSP: 0018:ffff88800f2b7e40 EFLAGS: 00010246
RAX: 0000000000040000 RBX: ffff888043a221c0 RCX: ffffc900039ec000
RDX: 0000000000040000 RSI: ffffffff81188ac7 RDI: ffff888042624800
RBP: ffff888042623680 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff85d40217 R11: 0000000000000001 R12: ffff888042623ea8
R13: 000000000000000b R14: ffff88804342b780 R15: 0000000000000001
FS:  00007fcf52347700(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005569445aadb8 CR3: 0000000041dca000 CR4: 0000000000350ee0
Call Trace:
 make_task_dead+0x175/0x3b0
 rewind_stack_and_make_dead+0x17/0x20
RIP: 0033:0x7fcf54dd1b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcf52347188 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007fcf54ee4f60 RCX: 00007fcf54dd1b19
RDX: 0000000000000015 RSI: 0000000000004000 RDI: 0000000020ffa000
RBP: 00007fcf54e2bf6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd405e68af R14: 00007fcf52347300 R15: 0000000000022000
irq event stamp: 299
hardirqs last  enabled at (299): [] asm_sysvec_apic_timer_interrupt+0x1a/0x20
hardirqs last disabled at (298): [] __do_softirq+0x665/0x7d4
softirqs last  enabled at (226): [] irq_exit_rcu+0x93/0xc0
softirqs last disabled at (217): [] irq_exit_rcu+0x93/0xc0
---[ end trace 0000000000000000 ]---
general protection fault, probably for non-canonical address 0xdffffc0000000029: 0000 [#2] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000148-0x000000000000014f]
CPU: 0 PID: 8989 Comm: syz-executor.4 Tainted: G    B D W          6.4.0-next-20230706 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:blk_mq_flush_plug_list+0x46e/0x1e00
Code: 7b ff 48 0f a3 1d b2 5a ce 03 0f 92 c3 31 ff 89 de e8 26 93 46 ff 84 db 0f 85 9a 06 00 00 e8 59 97 46 ff 4c 89 f0 48 c1 e8 03 <42> 80 3c 20 00 0f 85 a0 16 00 00 4c 8b ad 48 01 00 00 e8 fb 27 30
RSP: 0018:ffff88800f2b7a68 EFLAGS: 00010212
RAX: 0000000000000029 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff888042623680 RSI: ffffffff8205a777 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff888042623ea0 R14: 0000000000000148 R15: ffff88800f2b7e60
FS:  0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8e7d2fd718 CR3: 0000000041dca000 CR4: 0000000000350ef0
Call Trace:
 __blk_flush_plug+0x28d/0x420
 schedule+0xb0/0x1a0
 schedule_preempt_disabled+0x10/0x20
 rwsem_down_read_slowpath+0x5ae/0xdc0
 down_read+0xed/0x470
 do_exit+0x88d/0x2740
 make_task_dead+0x175/0x3b0
 rewind_stack_and_make_dead+0x17/0x20
RIP: 0033:0x7fcf54dd1b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcf52347188 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007fcf54ee4f60 RCX: 00007fcf54dd1b19
RDX: 0000000000000015 RSI: 0000000000004000 RDI: 0000000020ffa000
RBP: 00007fcf54e2bf6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd405e68af R14: 00007fcf52347300 R15: 0000000000022000
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:filemap_release_folio+0x1cd/0x290
Code: 48 c1 ea 03 80 3c 02 00 0f 85 b3 00 00 00 49 8b 9e e8 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 48 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 97 00 00 00 48 8b 5b 48 48 85 db 74 2a e8 ab e9
RSP: 0018:ffff88800f2b71f8 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: a0ffffea0004b301 RCX: ffffffff816255a9
RDX: 141ffffd40009669 RSI: 0000000000000008 RDI: a0ffffea0004b349
RBP: ffffea000118f480 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000cc0 R14: ffff888020078ee1 R15: ffff8880200790d1
FS:  0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8e7d2fd718 CR3: 0000000041dca000 CR4: 0000000000350ef0
Fixing recursive fault but reboot is needed!
BUG: scheduling while atomic: syz-executor.4/8989/0x00000000
INFO: lockdep is turned off.
Modules linked in:
CPU: 0 PID: 8989 Comm: syz-executor.4 Tainted: G    B D W          6.4.0-next-20230706 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 dump_stack_lvl+0xc1/0xf0
 __schedule_bug+0xb9/0x100
 __schedule+0x1d51/0x2b00
 do_task_dead+0xd5/0x100
 make_task_dead+0x36e/0x3b0
 rewind_stack_and_make_dead+0x17/0x20
RIP: 0033:0x7fcf54dd1b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcf52347188 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007fcf54ee4f60 RCX: 00007fcf54dd1b19
RDX: 0000000000000015 RSI: 0000000000004000 RDI: 0000000020ffa000
RBP: 00007fcf54e2bf6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd405e68af R14: 00007fcf52347300 R15: 0000000000022000
BUG: unable to handle page fault for address: ffffffff811bb4af
#PF: supervisor write access in kernel mode
#PF: error_code(0x0003) - permissions violation
PGD 5485067 P4D 5485067 PUD 5486063 PMD 10001a1
Oops: 0003 [#3] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 8984 Comm: syz-executor.4 Tainted: G    B D W          6.4.0-next-20230706 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:wake_q_add+0x2b/0xe0
Code: 0f 1f 00 41 55 41 54 4c 8d a6 50 09 00 00 55 48 89 fd 4c 89 e7 53 48 89 f3 be 08 00 00 00 e8 3c 03 5d 00 31 c0 ba 01 00 00 00 48 0f b1 93 50 09 00 00 48 85 c0 75 69 48 b8 00 00 00 00 00 fc
RSP: 0018:ffff88801d967b20 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffffffff811bab5f RCX: ffffffff8123ac54
RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff811bb4af
RBP: ffff88801d967cb8 R08: 0000000000000001 R09: fffffbfff0237696
R10: ffffffff811bb4b6 R11: 0000000000000000 R12: ffffffff811bb4af
R13: ffff88801d967cb8 R14: 1ffff11003b2cf70 R15: ffff88804404e448
FS:  0000555557072400(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff811bb4af CR3: 0000000041dca000 CR4: 0000000000350ef0
Call Trace:
 rwsem_mark_wake+0x56c/0xb40
 rwsem_down_write_slowpath+0x11b7/0x14a0
 down_write_killable+0x1e0/0x230
 vm_mmap_pgoff+0x15d/0x270
 ksys_mmap_pgoff+0x7d/0x500
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8
RIP: 0033:0x7fcf54dd1b62
Code: 00 00 00 00 00 0f 1f 00 41 f7 c1 ff 0f 00 00 75 27 55 48 89 fd 53 89 cb 48 85 ff 74 3b 41 89 da 48 89 ef b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 66 5b 5d c3 0f 1f 00 48 c7 c0 bc ff ff ff 64
RSP: 002b:00007ffd405e6838 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 0000000000020022 RCX: 00007fcf54dd1b62
RDX: 0000000000000000 RSI: 0000000000021000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 00000000ffffffff R09: 0000000000000000
R10: 0000000000020022 R11: 0000000000000246 R12: 00007ffd405e6a30
R13: 00007fcf52b48700 R14: 0000000000000000 R15: 0000000000022000
Modules linked in:
CR2: ffffffff811bb4af
---[ end trace 0000000000000000 ]---
RIP: 0010:filemap_release_folio+0x1cd/0x290
Code: 48 c1 ea 03 80 3c 02 00 0f 85 b3 00 00 00 49 8b 9e e8 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 48 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 97 00 00 00 48 8b 5b 48 48 85 db 74 2a e8 ab e9
RSP: 0018:ffff88800f2b71f8 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: a0ffffea0004b301 RCX: ffffffff816255a9
RDX: 141ffffd40009669 RSI: 0000000000000008 RDI: a0ffffea0004b349
RBP: ffffea000118f480 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000cc0 R14: ffff888020078ee1 R15: ffff8880200790d1
FS:  0000555557072400(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff811bb4af CR3: 0000000041dca000 CR4: 0000000000350ef0
note: syz-executor.4[8984] exited with irqs disabled
note: syz-executor.4[8984] exited with preempt_count 2
----------------
Code disassembly (best guess):
   0:	48 c1 ea 03          	shr    $0x3,%rdx
   4:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   8:	0f 85 b3 00 00 00    	jne    0xc1
   e:	49 8b 9e e8 01 00 00 	mov    0x1e8(%r14),%rbx
  15:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  1c:	fc ff df
  1f:	48 8d 7b 48          	lea    0x48(%rbx),%rdi
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)		<-- trapping instruction
  2e:	0f 85 97 00 00 00    	jne    0xcb
  34:	48 8b 5b 48          	mov    0x48(%rbx),%rbx
  38:	48 85 db             	test   %rbx,%rbx
  3b:	74 2a                	je     0x67
  3d:	e8                   	.byte 0xe8
  3e:	ab                   	stos   %eax,%es:(%rdi)
  3f:	e9                   	.byte 0xe9