==================================================================
BUG: KASAN: use-after-free in __rb_change_child include/linux/rbtree_augmented.h:173 [inline]
BUG: KASAN: use-after-free in __rb_erase_augmented include/linux/rbtree_augmented.h:227 [inline]
BUG: KASAN: use-after-free in rb_erase_augmented include/linux/rbtree_augmented.h:303 [inline]
BUG: KASAN: use-after-free in rb_erase_augmented_cached include/linux/rbtree_augmented.h:314 [inline]
BUG: KASAN: use-after-free in vma_interval_tree_remove+0x4f3/0xba0 mm/interval_tree.c:23
Read of size 8 at addr ffff8881c0000010 by task syz.6.3640/10997
CPU: 0 PID: 10997 Comm: syz.6.3640 Not tainted 5.15.176-syzkaller-00972-g829d9f138569 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1c0 lib/dump_stack.c:106
 print_address_description+0x87/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:444
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309
 __rb_change_child include/linux/rbtree_augmented.h:173 [inline]
 __rb_erase_augmented include/linux/rbtree_augmented.h:227 [inline]
 rb_erase_augmented include/linux/rbtree_augmented.h:303 [inline]
 rb_erase_augmented_cached include/linux/rbtree_augmented.h:314 [inline]
 vma_interval_tree_remove+0x4f3/0xba0 mm/interval_tree.c:23
 __remove_shared_vm_struct mm/mmap.c:159 [inline]
 unlink_file_vma+0xd9/0xf0 mm/mmap.c:174
 free_pgtables+0x13f/0x280 mm/memory.c:490
 exit_mmap+0x47c/0x990 mm/mmap.c:3235
 __mmput+0x95/0x310 kernel/fork.c:1180
 mmput+0x5b/0x170 kernel/fork.c:1203
 exit_mm kernel/exit.c:554 [inline]
 do_exit+0xb9c/0x2ca0 kernel/exit.c:867
 do_group_exit+0x141/0x310 kernel/exit.c:1002
 get_signal+0x7a3/0x1630 kernel/signal.c:2907
 arch_do_signal_or_restart+0xbd/0x1680 arch/x86/kernel/signal.c:867
 handle_signal_work kernel/entry/common.c:154 [inline]
 exit_to_user_mode_loop+0xa0/0xe0 kernel/entry/common.c:178
 exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:214
 irqentry_exit_to_user_mode+0x9/0x10 kernel/entry/common.c:320
 irqentry_exit+0x12/0x40 kernel/entry/common.c:411
 exc_page_fault+0x47a/0x7f0 arch/x86/mm/fault.c:1568
 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:606
RIP: 0033:0x7f395fc3d717
Code: Unable to access opcode bytes at RIP 0x7f395fc3d6ed.
RSP: 002b:00007f395e3c7120 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 000000000000000b RCX: 00007f395fd7bd29
RDX: 00007f395e3c7140 RSI: 00007f395e3c7270 RDI: 000000000000000b
RBP: 00007f395fdfd2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f395ff94fa0 R15: 00007ffe6a54b688
The buggy address belongs to the page:
page:ffffea0007000000 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1c0000
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea0006ff8008 ffffea0007008008 0000000000000000
raw: 0000000000000000 0000000000000007 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100cc0(GFP_USER), pid 7275, ts 307057038308, free_ts 310413815809
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2605
 prep_new_page+0x1b/0x110 mm/page_alloc.c:2611
 get_page_from_freelist+0x3550/0x35d0 mm/page_alloc.c:4485
 __alloc_pages+0x27e/0x8f0 mm/page_alloc.c:5780
 __alloc_pages_node include/linux/gfp.h:591 [inline]
 alloc_pages_node include/linux/gfp.h:605 [inline]
 alloc_pages include/linux/gfp.h:618 [inline]
 __get_free_pages+0x10/0x30 mm/page_alloc.c:5817
 kasan_populate_vmalloc_pte+0x39/0x130 mm/kasan/shadow.c:266
 apply_to_pte_range mm/memory.c:2642 [inline]
 apply_to_pmd_range mm/memory.c:2686 [inline]
 apply_to_pud_range mm/memory.c:2722 [inline]
 apply_to_p4d_range mm/memory.c:2758 [inline]
 __apply_to_page_range+0x8dd/0xbe0 mm/memory.c:2792
 apply_to_page_range+0x3b/0x50 mm/memory.c:2811
 kasan_populate_vmalloc+0x65/0x70 mm/kasan/shadow.c:297
 alloc_vmap_area+0x192f/0x1a80 mm/vmalloc.c:1576
 __get_vm_area_node+0x158/0x360 mm/vmalloc.c:2439
 get_vm_area_caller mm/vmalloc.c:2492 [inline]
 vmap+0xbb/0x280 mm/vmalloc.c:2782
 bpf_ringbuf_area_alloc kernel/bpf/ringbuf.c:109 [inline]
 bpf_ringbuf_alloc+0x1a9/0x380 kernel/bpf/ringbuf.c:136
 ringbuf_map_alloc+0x202/0x320 kernel/bpf/ringbuf.c:176
 find_and_alloc_map kernel/bpf/syscall.c:129 [inline]
 map_create+0x411/0x2050 kernel/bpf/syscall.c:857
 __sys_bpf+0x296/0x760 kernel/bpf/syscall.c:4620
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1472 [inline]
 free_pcp_prepare mm/page_alloc.c:1544 [inline]
 free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3534
 free_unref_page+0xe8/0x750 mm/page_alloc.c:3616
 free_the_page mm/page_alloc.c:805 [inline]
 __free_pages+0x61/0xf0 mm/page_alloc.c:5856
 free_pages+0x7c/0x90 mm/page_alloc.c:5867
 kasan_depopulate_vmalloc_pte+0x6a/0x90 mm/kasan/shadow.c:354
 apply_to_pte_range mm/memory.c:2642 [inline]
 apply_to_pmd_range mm/memory.c:2686 [inline]
 apply_to_pud_range mm/memory.c:2722 [inline]
 apply_to_p4d_range mm/memory.c:2758 [inline]
 __apply_to_page_range+0x8dd/0xbe0 mm/memory.c:2792
 apply_to_existing_page_range+0x38/0x50 mm/memory.c:2825
 kasan_release_vmalloc+0x9a/0xb0 mm/kasan/shadow.c:464
 __purge_vmap_area_lazy+0x154a/0x1690 mm/vmalloc.c:1715
 try_purge_vmap_area_lazy+0x38/0x50 mm/vmalloc.c:1734
 free_vmap_area_noflush+0x9df/0xa20 mm/vmalloc.c:1776
 free_unmap_vmap_area mm/vmalloc.c:1789 [inline]
 remove_vm_area+0x1d9/0x200 mm/vmalloc.c:2544
 vm_remove_mappings mm/vmalloc.c:2573 [inline]
 __vunmap+0x247/0x940 mm/vmalloc.c:2642
 vunmap+0x46/0x60 mm/vmalloc.c:2750
 bpf_ringbuf_free kernel/bpf/ringbuf.c:193 [inline]
 ringbuf_map_free+0x83/0x120 kernel/bpf/ringbuf.c:204
 bpf_map_free_deferred+0x10d/0x1e0 kernel/bpf/syscall.c:481
Memory state around the buggy address:
 ffff8881bfffff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881bfffff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881c0000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                         ^
 ffff8881c0000080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881c0000100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
general protection fault, probably for non-canonical address 0xff1f1b1f1f1f1f22: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0xf8f8f8f8f8f8f910-0xf8f8f8f8f8f8f917]
CPU: 0 PID: 10997 Comm: syz.6.3640 Tainted: G B 5.15.176-syzkaller-00972-g829d9f138569 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:vma_interval_tree_augment_compute_max mm/interval_tree.c:23 [inline]
RIP: 0010:vma_interval_tree_augment_propagate mm/interval_tree.c:23 [inline]
RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:295 [inline]
RIP: 0010:rb_erase_augmented include/linux/rbtree_augmented.h:303 [inline]
RIP: 0010:rb_erase_augmented_cached include/linux/rbtree_augmented.h:314 [inline]
RIP: 0010:vma_interval_tree_remove+0x6d3/0xba0 mm/interval_tree.c:23
Code: 0d 00 4d 8d 74 1f ff 49 8b 5d 00 48 85 db 74 35 e8 62 fb ca ff 48 83 c3 18 48 89 d8 48 c1 e8 03 49 bd 00 00 00 00 00 fc ff df <42> 80 3c 28 00 74 08 48 89 df e8 4e 60 0d 00 48 8b 03 4c 39 f0 4c
RSP: 0018:ffffc90000b375d0 EFLAGS: 00010a06
RAX: 1f1f1f1f1f1f1f22 RBX: f8f8f8f8f8f8f910 RCX: ffff88810ec2bb40
RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff8881c0000010
RBP: ffffc90000b37638 R08: ffffffff8141a99b R09: 0000000000000003
R10: fffffbfff0e9a84c R11: dffffc0000000001 R12: ffff8881c0000000
R13: dffffc0000000000 R14: f8f8f8f8f8f8f8f7 R15: f8f8f8f8f8f8f8f8
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c2d008d CR3: 000000011d2a0000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 __remove_shared_vm_struct mm/mmap.c:159 [inline]
 unlink_file_vma+0xd9/0xf0 mm/mmap.c:174
 free_pgtables+0x13f/0x280 mm/memory.c:490
 exit_mmap+0x47c/0x990 mm/mmap.c:3235
 __mmput+0x95/0x310 kernel/fork.c:1180
 mmput+0x5b/0x170 kernel/fork.c:1203
 exit_mm kernel/exit.c:554 [inline]
 do_exit+0xb9c/0x2ca0 kernel/exit.c:867
 do_group_exit+0x141/0x310 kernel/exit.c:1002
 get_signal+0x7a3/0x1630 kernel/signal.c:2907
 arch_do_signal_or_restart+0xbd/0x1680 arch/x86/kernel/signal.c:867
 handle_signal_work kernel/entry/common.c:154 [inline]
 exit_to_user_mode_loop+0xa0/0xe0 kernel/entry/common.c:178
 exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:214
 irqentry_exit_to_user_mode+0x9/0x10 kernel/entry/common.c:320
 irqentry_exit+0x12/0x40 kernel/entry/common.c:411
 exc_page_fault+0x47a/0x7f0 arch/x86/mm/fault.c:1568
 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:606
RIP: 0033:0x7f395fc3d717
Code: Unable to access opcode bytes at RIP 0x7f395fc3d6ed.
RSP: 002b:00007f395e3c7120 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 000000000000000b RCX: 00007f395fd7bd29
RDX: 00007f395e3c7140 RSI: 00007f395e3c7270 RDI: 000000000000000b
RBP: 00007f395fdfd2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f395ff94fa0 R15: 00007ffe6a54b688
Modules linked in:
---[ end trace 3c4945a7d044c1d7 ]---
RIP: 0010:vma_interval_tree_augment_compute_max mm/interval_tree.c:23 [inline]
RIP: 0010:vma_interval_tree_augment_propagate mm/interval_tree.c:23 [inline]
RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:295 [inline]
RIP: 0010:rb_erase_augmented include/linux/rbtree_augmented.h:303 [inline]
RIP: 0010:rb_erase_augmented_cached include/linux/rbtree_augmented.h:314 [inline]
RIP: 0010:vma_interval_tree_remove+0x6d3/0xba0 mm/interval_tree.c:23
Code: 0d 00 4d 8d 74 1f ff 49 8b 5d 00 48 85 db 74 35 e8 62 fb ca ff 48 83 c3 18 48 89 d8 48 c1 e8 03 49 bd 00 00 00 00 00 fc ff df <42> 80 3c 28 00 74 08 48 89 df e8 4e 60 0d 00 48 8b 03 4c 39 f0 4c
RSP: 0018:ffffc90000b375d0 EFLAGS: 00010a06
RAX: 1f1f1f1f1f1f1f22 RBX: f8f8f8f8f8f8f910 RCX: ffff88810ec2bb40
RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff8881c0000010
RBP: ffffc90000b37638 R08: ffffffff8141a99b R09: 0000000000000003
R10: fffffbfff0e9a84c R11: dffffc0000000001 R12: ffff8881c0000000
R13: dffffc0000000000 R14: f8f8f8f8f8f8f8f7 R15: f8f8f8f8f8f8f8f8
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f64e9e5b000 CR3: 00000001234d2000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
----------------
Code disassembly (best guess), 2 bytes skipped:
   0: 4d 8d 74 1f ff lea -0x1(%r15,%rbx,1),%r14
   5: 49 8b 5d 00 mov 0x0(%r13),%rbx
   9: 48 85 db test %rbx,%rbx
   c: 74 35 je 0x43
   e: e8 62 fb ca ff call 0xffcafb75
  13: 48 83 c3 18 add $0x18,%rbx
  17: 48 89 d8 mov %rbx,%rax
  1a: 48 c1 e8 03 shr $0x3,%rax
  1e: 49 bd 00 00 00 00 00 movabs $0xdffffc0000000000,%r13
  25: fc ff df
* 28: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
  2d: 74 08 je 0x37
  2f: 48 89 df mov %rbx,%rdi
  32: e8 4e 60 0d 00 call 0xd6085
  37: 48 8b 03 mov (%rbx),%rax
  3a: 4c 39 f0 cmp %r14,%rax
  3d: 4c rex.WR