audit: type=1326 audit(1674585823.327:14): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=7714 comm="syz-executor.7" exe="/syz-executor.7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f95f4505b19 code=0x0
general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047]
CPU: 1 PID: 7720 Comm: syz-executor.2 Not tainted 6.2.0-rc5-next-20230124 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:pause_prepare_data+0x5e/0x410
Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e 0e 03 00 00 48 8d 7d 40 44 8b 63 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 21 03 00 00 48 8b 45 40 4c 89 ea 48 c1 ea 03 48
RSP: 0018:ffff88803e6ef270 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff888016a86d00 RCX: ffffc90006a08000
RDX: 0000000000000008 RSI: ffffffff83702020 RDI: 0000000000000040
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff85d11e17
R10: fffffbfff0ba23c2 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88801caf3880 R14: ffffffff83702000 R15: ffff88803d470580
FS:  00007f1670ea6700(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2c122000 CR3: 000000003edfe000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 ethnl_default_dumpit+0x43d/0xdf0
 netlink_dump+0x585/0x1070
 __netlink_dump_start+0x652/0x910
 genl_family_rcv_msg_dumpit+0x2bf/0x310
 genl_rcv_msg+0x419/0x7e0
 netlink_rcv_skb+0x15d/0x450
 genl_rcv+0x28/0x40
 netlink_unicast+0x552/0x800
 netlink_sendmsg+0x923/0xe20
 sock_sendmsg+0x1b6/0x200
 ____sys_sendmsg+0x74e/0x980
 ___sys_sendmsg+0x110/0x1b0
 __sys_sendmsg+0xf7/0x1d0
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f1673930b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1670ea6188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f1673a43f60 RCX: 00007f1673930b19
RDX: 0000000000000000 RSI: 0000000020000e80 RDI: 0000000000000003
RBP: 00007f167398af6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe4139b99f R14: 00007f1670ea6300 R15: 0000000000022000
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:pause_prepare_data+0x5e/0x410
Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e 0e 03 00 00 48 8d 7d 40 44 8b 63 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 21 03 00 00 48 8b 45 40 4c 89 ea 48 c1 ea 03 48
RSP: 0018:ffff88803e6ef270 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff888016a86d00 RCX: ffffc90006a08000
RDX: 0000000000000008 RSI: ffffffff83702020 RDI: 0000000000000040
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff85d11e17
R10: fffffbfff0ba23c2 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88801caf3880 R14: ffffffff83702000 R15: ffff88803d470580
FS:  00007f1670ea6700(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2c122000 CR3: 000000003edfe000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
syz-executor.1 uses obsolete (PF_INET,SOCK_PACKET)
audit: type=1326 audit(1674585823.546:15): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=7721 comm="syz-executor.6" exe="/syz-executor.6" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f0b754dbb19 code=0x0
==================================================================
BUG: KASAN: use-after-free in __mutex_lock+0x1462/0x14c0
Read of size 4 at addr ffff88803f4b0034 by task syz-executor.2/7744

CPU: 0 PID: 7744 Comm: syz-executor.2 Tainted: G D 6.2.0-rc5-next-20230124 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 dump_stack_lvl+0x8f/0xb7
 print_report+0x175/0x478
 kasan_report+0xc0/0x100
 __mutex_lock+0x1462/0x14c0
 ethnl_default_dumpit+0xb6/0xdf0
 netlink_dump+0x585/0x1070
 __netlink_dump_start+0x652/0x910
 genl_family_rcv_msg_dumpit+0x2bf/0x310
 genl_rcv_msg+0x419/0x7e0
 netlink_rcv_skb+0x15d/0x450
 genl_rcv+0x28/0x40
 netlink_unicast+0x552/0x800
 netlink_sendmsg+0x923/0xe20
 sock_sendmsg+0x1b6/0x200
 ____sys_sendmsg+0x74e/0x980
 ___sys_sendmsg+0x110/0x1b0
 __sys_sendmsg+0xf7/0x1d0
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f1673930b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1670e64188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f1673a440e0 RCX: 00007f1673930b19
RDX: 0000000000000000 RSI: 0000000020000e80 RDI: 0000000000000003
RBP: 00007f167398af6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe4139b99f R14: 00007f1670e64300 R15: 0000000000022000

Allocated by task 7712:
 kasan_save_stack+0x22/0x50
 kasan_set_track+0x25/0x30
 __kasan_slab_alloc+0x59/0x70
 kmem_cache_alloc_node+0x187/0x310
 copy_process+0x3ac/0x7390
 kernel_clone+0xeb/0x8c0
 __do_sys_clone+0xba/0x100
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

Freed by task 7732:
 kasan_save_stack+0x22/0x50
 kasan_set_track+0x25/0x30
 kasan_save_free_info+0x2e/0x50
 __kasan_slab_free+0x10a/0x190
 kmem_cache_free+0xff/0x510
 delayed_put_task_struct+0x1c9/0x310
 rcu_core+0x802/0x1c00
 __do_softirq+0x274/0x8ff

Last potentially related work creation:
 kasan_save_stack+0x22/0x50
 __kasan_record_aux_stack+0x95/0xb0
 __call_rcu_common.constprop.0+0x6a/0xa00
 put_task_struct_rcu_user+0x83/0xd0
 __schedule+0xbb8/0x2b20
 preempt_schedule_common+0x45/0xb0
 __cond_resched+0x1b/0x30
 unmap_page_range+0x11b3/0x2d90
 unmap_single_vma+0x190/0x2a0
 unmap_vmas+0x225/0x370
 exit_mmap+0x158/0x6a0
 mmput+0xd5/0x390
 do_exit+0x9c8/0x2780
 do_group_exit+0xd4/0x2a0
 get_signal+0x2255/0x2390
 arch_do_signal_or_restart+0x79/0x5a0
 exit_to_user_mode_prepare+0xf5/0x190
 syscall_exit_to_user_mode+0x1d/0x50
 do_syscall_64+0x4c/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

Second to last potentially related work creation:
 kasan_save_stack+0x22/0x50
 __kasan_record_aux_stack+0x95/0xb0
 __call_rcu_common.constprop.0+0x6a/0xa00
 put_task_struct_rcu_user+0x83/0xd0
 __schedule+0xbb8/0x2b20
 schedule+0xde/0x1b0
 futex_wait_queue+0xf9/0x1f0
 futex_wait+0x292/0x690
 do_futex+0x303/0x380
 __x64_sys_futex+0x1ca/0x4d0
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

The buggy address belongs to the object at ffff88803f4b0000
 which belongs to the cache task_struct of size 6592
The buggy address is located 52 bytes inside of
 6592-byte region [ffff88803f4b0000, ffff88803f4b19c0)

The buggy address belongs to the physical page:
page:00000000ca4c1f42 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3f4b0
head:00000000ca4c1f42 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88800dc534c1
flags: 0x100000000010200(slab|head|node=0|zone=1)
raw: 0100000000010200 ffff88800876e640 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000040004 00000001ffffffff ffff88800dc534c1
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88803f4aff00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
 ffff88803f4aff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88803f4b0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88803f4b0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88803f4b0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:   03 0f                   add    (%rdi),%ecx
   2:   b6 04                   mov    $0x4,%dh
   4:   02 84 c0 74 08 3c 03    add    0x33c0874(%rax,%rax,8),%al
   b:   0f 8e 0e 03 00 00       jle    0x31f
  11:   48 8d 7d 40             lea    0x40(%rbp),%rdi
  15:   44 8b 63 10             mov    0x10(%rbx),%r12d
  19:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  20:   fc ff df
  23:   48 89 fa                mov    %rdi,%rdx
  26:   48 c1 ea 03             shr    $0x3,%rdx
* 2a:   80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)    <-- trapping instruction
  2e:   0f 85 21 03 00 00       jne    0x355
  34:   48 8b 45 40             mov    0x40(%rbp),%rax
  38:   4c 89 ea                mov    %r13,%rdx
  3b:   48 c1 ea 03             shr    $0x3,%rdx
  3f:   48                      rex.W