[ 541.735499][ T192] ==================================================================
[ 541.736025][ T192] BUG: KASAN: slab-use-after-free in remove_vm_area+0x2ab/0x360
[ 541.736416][ T192] Read of size 8 at addr ffff888001926738 by task bash/192
[ 541.736704][ T192]
[ 541.736807][ T192] CPU: 3 UID: 0 PID: 192 Comm: bash Not tainted 6.16.0-rc2-virtme #1 PREEMPT(full)
[ 541.736812][ T192] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 541.736815][ T192] Call Trace:
[ 541.736817][ T192]  <TASK>
[ 541.736820][ T192] dump_stack_lvl+0x82/0xd0
[ 541.736830][ T192] print_address_description.constprop.0+0x2c/0x400
[ 541.736836][ T192] ? remove_vm_area+0x2ab/0x360
[ 541.736839][ T192] print_report+0xb4/0x270
[ 541.736842][ T192] ? remove_vm_area+0x2ab/0x360
[ 541.736844][ T192] ? kasan_addr_to_slab+0x25/0x80
[ 541.736851][ T192] ? remove_vm_area+0x2ab/0x360
[ 541.736853][ T192] kasan_report+0xca/0x100
[ 541.736856][ T192] ? remove_vm_area+0x2ab/0x360
[ 541.736861][ T192] remove_vm_area+0x2ab/0x360
[ 541.736865][ T192] vfree+0x6b/0x8f0
[ 541.736867][ T192] ? down_write+0x152/0x210
[ 541.736873][ T192] ? __pfx_down_write+0x10/0x10
[ 541.736876][ T192] ? rcu_is_watching+0x12/0xc0
[ 541.736885][ T192] n_tty_close+0x7e/0xd0
[ 541.736891][ T192] tty_ldisc_kill+0x72/0x110
[ 541.736895][ T192] tty_ldisc_hangup+0x2fc/0x630
[ 541.736900][ T192] __tty_hangup.part.0+0x308/0x7a0
[ 541.736905][ T192] ? _raw_spin_unlock_irqrestore+0x46/0x80
[ 541.736911][ T192] disassociate_ctty.part.0+0x88/0x5e0
[ 541.736915][ T192] do_exit+0x50b/0xe90
[ 541.736924][ T192] ? __pfx_do_exit+0x10/0x10
[ 541.736927][ T192] ? do_group_exit+0x183/0x260
[ 541.736930][ T192] ? __lock_release+0x5d/0x170
[ 541.736936][ T192] ? rcu_is_watching+0x12/0xc0
[ 541.736941][ T192] do_group_exit+0xb8/0x260
[ 541.736945][ T192] __x64_sys_exit_group+0x3e/0x50
[ 541.736948][ T192] x64_sys_call+0xf76/0x18a0
[ 541.736954][ T192] do_syscall_64+0xc1/0x380
[ 541.736960][ T192] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 541.736964][ T192] RIP: 0033:0x7f0e66091abd
[ 541.736968][ T192] Code: Unable to access opcode bytes at 0x7f0e66091a93.
[ 541.736970][ T192] RSP: 002b:00007fff55be9d98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 541.736974][ T192] RAX: ffffffffffffffda RBX: 00007f0e6616e9c0 RCX: 00007f0e66091abd
[ 541.736977][ T192] RDX: 00000000000000e7 RSI: ffffffffffffff80 RDI: 0000000000000000
[ 541.736979][ T192] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000030
[ 541.736980][ T192] R10: 00007fff55be9c20 R11: 0000000000000246 R12: 00007f0e6616e9c0
[ 541.736982][ T192] R13: 00007f0e66173ee0 R14: 0000000000000001 R15: 00007f0e66173ec8
[ 541.736989][ T192]  </TASK>
[ 541.736990][ T192]
[ 541.745846][ T192] Allocated by task 3745:
[ 541.745996][ T192] kasan_save_stack+0x24/0x50
[ 541.746198][ T192] kasan_save_track+0x14/0x30
[ 541.746397][ T192] __kasan_kmalloc+0x7f/0x90
[ 541.746594][ T192] __kmalloc_noprof+0x1d4/0x470
[ 541.746792][ T192] virtqueue_add_split+0x6a3/0x1920
[ 541.746992][ T192] virtqueue_add_sgs+0x143/0x270
[ 541.747191][ T192] virtio_fs_enqueue_req+0x58c/0xfe0
[ 541.747392][ T192] virtio_fs_send_req+0x13a/0x710
[ 541.747588][ T192] __fuse_simple_request+0x22a/0xb50
[ 541.747788][ T192] fuse_readlink_folio+0x20b/0x400
[ 541.747987][ T192] fuse_get_link+0x12d/0x350
[ 541.748183][ T192] pick_link+0x7a2/0x1160
[ 541.748334][ T192] step_into+0x85a/0xfc0
[ 541.748482][ T192] link_path_walk+0x3c2/0xa10
[ 541.748687][ T192] path_openat+0x14d/0x380
[ 541.748882][ T192] do_filp_open+0x1d7/0x420
[ 541.749077][ T192] do_sys_openat2+0xd4/0x160
[ 541.749275][ T192] __x64_sys_openat+0x122/0x1e0
[ 541.749469][ T192] do_syscall_64+0xc1/0x380
[ 541.749665][ T192] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 541.749906][ T192]
[ 541.750006][ T192] Freed by task 280:
[ 541.750152][ T192] kasan_save_stack+0x24/0x50
[ 541.750349][ T192] kasan_save_track+0x14/0x30
[ 541.750545][ T192] kasan_save_free_info+0x3b/0x60
[ 541.750740][ T192] __kasan_slab_free+0x38/0x50
[ 541.750936][ T192] kfree+0x144/0x320
[ 541.751086][ T192] detach_buf_split+0x48d/0x6f0
[ 541.751285][ T192] virtqueue_get_buf_ctx_split+0x294/0x7f0
[ 541.751529][ T192] virtio_fs_requests_done_work+0x231/0x890
[ 541.751774][ T192] process_one_work+0xe43/0x1660
[ 541.751973][ T192] worker_thread+0x591/0xcf0
[ 541.752175][ T192] kthread+0x37b/0x600
[ 541.752372][ T192] ret_from_fork+0x243/0x320
[ 541.752572][ T192] ret_from_fork_asm+0x1a/0x30
[ 541.752773][ T192]
[ 541.752875][ T192] The buggy address belongs to the object at ffff888001926720
[ 541.752875][ T192] which belongs to the cache kmalloc-96 of size 96
[ 541.753362][ T192] The buggy address is located 24 bytes inside of
[ 541.753362][ T192] freed 96-byte region [ffff888001926720, ffff888001926780)
[ 541.753850][ T192]
[ 541.753950][ T192] The buggy address belongs to the physical page:
[ 541.754187][ T192] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1926
[ 541.754536][ T192] flags: 0x80000000000000(node=0|zone=1)
[ 541.754737][ T192] page_type: f5(slab)
[ 541.754891][ T192] raw: 0080000000000000 ffff888001042340 ffffea000009ff10 ffffea0000278690
[ 541.755244][ T192] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 541.755591][ T192] page dumped because: kasan: bad access detected
[ 541.755831][ T192]
[ 541.755929][ T192] Memory state around the buggy address:
[ 541.756119][ T192]  ffff888001926600: fc fc fc fc 00 00 00 00 00 00 00 00 00 fc fc fc
[ 541.756409][ T192]  ffff888001926680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 541.756694][ T192] >ffff888001926700: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb
[ 541.756979][ T192]                                         ^
[ 541.757218][ T192]  ffff888001926780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 541.757498][ T192]  ffff888001926800: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 fc
[ 541.757782][ T192] ==================================================================
[ 541.758124][ T192] Disabling lock debugging due to kernel taint
[ 541.762800][ T192] Oops: general protection fault, probably for non-canonical address 0xdffffc0001a9b400: 0000 [#1] SMP KASAN NOPTI
[ 541.763236][ T192] KASAN: probably user-memory-access in range [0x000000000d4da000-0x000000000d4da007]
[ 541.763579][ T192] CPU: 3 UID: 0 PID: 192 Comm: bash Tainted: G B 6.16.0-rc2-virtme #1 PREEMPT(full)
[ 541.763950][ T192] Tainted: [B]=BAD_PAGE
[ 541.764090][ T192] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 541.764320][ T192] RIP: 0010:vfree+0x17b/0x8f0
[ 541.764519][ T192] Code: 41 8b 57 2c 44 39 f2 0f 86 fa 03 00 00 41 80 3c 24 00 0f 85 b9 04 00 00 49 8b 57 20 49 63 c6 48 8d 04 c2 48 89 c2 48 c1 ea 03 <80> 3c 2a 00 0f 85 ac 04 00 00 48 8b 38 48 85 ff 75 87 90 0f 0b 90
[ 541.765183][ T192] RSP: 0018:ffffc90000997c88 EFLAGS: 00010206
[ 541.765416][ T192] RAX: 000000000d4da000 RBX: ffff88800192674c RCX: ffffffff8646537c
[ 541.765690][ T192] RDX: 0000000001a9b400 RSI: 0000000000000008 RDI: ffff888001926740
[ 541.765968][ T192] RBP: dffffc0000000000 R08: 0000000000000000 R09: fffffbfff1440c5a
[ 541.766244][ T192] R10: ffffffff8a2062d7 R11: ffffc900009976d8 R12: ffffed1000324ce8
[ 541.766517][ T192] R13: ffffed1000324ce9 R14: 0000000000000000 R15: ffff888001926720
[ 541.766794][ T192] FS: 0000000000000000(0000) GS:ffff8880ab01c000(0000) knlGS:0000000000000000
[ 541.767122][ T192] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 541.767356][ T192] CR2: 00007f0e65f75258 CR3: 0000000025736003 CR4: 0000000000772ef0
[ 541.767636][ T192] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 541.767914][ T192] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 541.768191][ T192] PKRU: 55555554
[ 541.768330][ T192] Call Trace:
[ 541.768468][ T192]  <TASK>
[ 541.768564][ T192] ? __pfx_down_write+0x10/0x10
[ 541.768752][ T192] ? rcu_is_watching+0x12/0xc0
[ 541.768940][ T192] n_tty_close+0x7e/0xd0
[ 541.769082][ T192] tty_ldisc_kill+0x72/0x110
[ 541.769264][ T192] tty_ldisc_hangup+0x2fc/0x630
[ 541.769445][ T192] __tty_hangup.part.0+0x308/0x7a0
[ 541.769633][ T192] ? _raw_spin_unlock_irqrestore+0x46/0x80
[ 541.769860][ T192] disassociate_ctty.part.0+0x88/0x5e0
[ 541.770044][ T192] do_exit+0x50b/0xe90
[ 541.770185][ T192] ? __pfx_do_exit+0x10/0x10
[ 541.770369][ T192] ? do_group_exit+0x183/0x260
[ 541.770551][ T192] ? __lock_release+0x5d/0x170
[ 541.770735][ T192] ? rcu_is_watching+0x12/0xc0
[ 541.770917][ T192] do_group_exit+0xb8/0x260
[ 541.771106][ T192] __x64_sys_exit_group+0x3e/0x50
[ 541.771286][ T192] x64_sys_call+0xf76/0x18a0
[ 541.771469][ T192] do_syscall_64+0xc1/0x380
[ 541.771651][ T192] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 541.771876][ T192] RIP: 0033:0x7f0e66091abd
[ 541.772065][ T192] Code: Unable to access opcode bytes at 0x7f0e66091a93.
[ 541.772321][ T192] RSP: 002b:00007fff55be9d98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 541.772613][ T192] RAX: ffffffffffffffda RBX: 00007f0e6616e9c0 RCX: 00007f0e66091abd
[ 541.772909][ T192] RDX: 00000000000000e7 RSI: ffffffffffffff80 RDI: 0000000000000000
[ 541.773191][ T192] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000030
[ 541.773479][ T192] R10: 00007fff55be9c20 R11: 0000000000000246 R12: 00007f0e6616e9c0
[ 541.773762][ T192] R13: 00007f0e66173ee0 R14: 0000000000000001 R15: 00007f0e66173ec8
[ 541.774050][ T192]  </TASK>
[ 541.774291][ T192] Modules linked in: netconsole netdevsim
[ 541.774490][ T192] ---[ end trace 0000000000000000 ]---
[ 541.774674][ T192] RIP: 0010:vfree+0x17b/0x8f0
[ 541.774866][ T192] Code: 41 8b 57 2c 44 39 f2 0f 86 fa 03 00 00 41 80 3c 24 00 0f 85 b9 04 00 00 49 8b 57 20 49 63 c6 48 8d 04 c2 48 89 c2 48 c1 ea 03 <80> 3c 2a 00 0f 85 ac 04 00 00 48 8b 38 48 85 ff 75 87 90 0f 0b 90
[ 541.775614][ T192] RSP: 0018:ffffc90000997c88 EFLAGS: 00010206
[ 541.775953][ T192] RAX: 000000000d4da000 RBX: ffff88800192674c RCX: ffffffff8646537c
[ 541.776226][ T192] RDX: 0000000001a9b400 RSI: 0000000000000008 RDI: ffff888001926740
[ 541.776501][ T192] RBP: dffffc0000000000 R08: 0000000000000000 R09: fffffbfff1440c5a
[ 541.776872][ T192] R10: ffffffff8a2062d7 R11: ffffc900009976d8 R12: ffffed1000324ce8
[ 541.777144][ T192] R13: ffffed1000324ce9 R14: 0000000000000000 R15: ffff888001926720
[ 541.777414][ T192] FS: 0000000000000000(0000) GS:ffff8880ab01c000(0000) knlGS:0000000000000000
[ 541.777834][ T192] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 541.778070][ T192] CR2: 00007f0e65f75258 CR3: 0000000025736003 CR4: 0000000000772ef0
[ 541.778442][ T192] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 541.778714][ T192] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 541.778993][ T192] PKRU: 55555554
[ 541.779135][ T192] Kernel panic - not syncing: Fatal exception
[ 541.779666][ T192] Kernel Offset: 0x4600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 541.780092][ T192] ---[ end Kernel panic - not syncing: Fatal exception ]---
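Added example, not part of the captured log and not kernel code: a small C program that does the address arithmetic a reader of this report needs, using the values printed above. It maps the non-canonical address in the second oops (0xdffffc0001a9b400) back to the 8-byte range the KASAN check was inspecting, which is exactly the "[0x000000000d4da000-0x000000000d4da007]" range the oops prints; it maps the reported address ffff888001926738 to its shadow byte and confirms it is 24 bytes into the 96-byte object at ffff888001926720; and it parses the marked "Memory state" row to read that granule's shadow byte (fb, freed slab object; the fa in the first granule is the freed object's free-track granule, fc is redzone). The shadow layout assumed is the standard x86-64 generic-KASAN one, shadow = (addr >> 3) + 0xdffffc0000000000, one shadow byte per 8-byte granule; that offset is the value RBP holds in the oops. The fc/fb/fa encodings follow mm/kasan/kasan.h; all function names are the example's own.

```c
/*
 * Added example, not part of the captured log: the address arithmetic behind an
 * x86-64 generic-KASAN report, applied to the values from the report above.
 * Assumes the standard x86-64 layout (shadow = (addr >> 3) + 0xdffffc0000000000,
 * one shadow byte per 8-byte granule; that offset is RBP in the oops) and the
 * shadow encodings of mm/kasan/kasan.h. Function names are the example's own.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1U << KASAN_SHADOW_SCALE_SHIFT)
#define META_BYTES_PER_ROW       16  /* one "Memory state" row = 16 granules = 128 bytes */

enum {                                /* shadow byte values seen in slab reports */
	KASAN_SLAB_REDZONE   = 0xfc,  /* redzone around a slab object */
	KASAN_SLAB_FREE      = 0xfb,  /* freed slab object */
	KASAN_SLAB_FREETRACK = 0xfa,  /* freed slab object, granule holding the free track */
};

/* Address an 8-byte shadow check was inspecting, from the shadow address it faulted on. */
uint64_t kasan_shadow_to_addr(uint64_t shadow)
{
	return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

uint64_t kasan_addr_to_shadow(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Byte offset of addr inside [obj, obj + size), or -1 if it lies outside. */
long kasan_offset_in_object(uint64_t addr, uint64_t obj, uint64_t size)
{
	if (addr < obj || addr >= obj + size)
		return -1;
	return (long)(addr - obj);
}

const char *kasan_shadow_desc(uint8_t b)
{
	if (b == 0) return "accessible";
	if (b < KASAN_GRANULE_SIZE) return "partially accessible (first b bytes valid)";
	switch (b) {
	case KASAN_SLAB_REDZONE:   return "slab redzone";
	case KASAN_SLAB_FREE:      return "freed slab object";
	case KASAN_SLAB_FREETRACK: return "freed slab object (free-track granule)";
	default:                   return "other poison";
	}
}

/* Parse one "Memory state" row, "[>]<addr>: b0 b1 ... b15"; '>' marks the row holding the bad address. */
int kasan_parse_shadow_row(const char *row, uint64_t *base, uint8_t out[META_BYTES_PER_ROW])
{
	char *end;
	while (*row == ' ' || *row == '>')
		row++;
	*base = strtoull(row, &end, 16);
	if (end == row || *end != ':')
		return -1;
	row = end + 1;
	for (int i = 0; i < META_BYTES_PER_ROW; i++) {
		unsigned long v = strtoul(row, &end, 16);
		if (end == row || v > 0xff)
			return -1;
		out[i] = (uint8_t)v;
		row = end;
	}
	return 0;
}

/* Shadow byte covering addr, read from a raw "Memory state" row; -1 if the row does not cover it. */
int kasan_shadow_byte_from_row(const char *row_text, uint64_t addr)
{
	uint64_t base;
	uint8_t row[META_BYTES_PER_ROW];
	if (kasan_parse_shadow_row(row_text, &base, row) < 0 ||
	    addr < base || addr >= base + META_BYTES_PER_ROW * KASAN_GRANULE_SIZE)
		return -1;
	return row[(addr - base) >> KASAN_SHADOW_SCALE_SHIFT];
}

int main(void)
{
	/* Values copied from the report above. */
	const uint64_t bad = 0xffff888001926738ULL, obj = 0xffff888001926720ULL, size = 96;
	const uint64_t gpf_shadow = 0xdffffc0001a9b400ULL;
	const char *row = ">ffff888001926700: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb";
	int b = kasan_shadow_byte_from_row(row, bad);

	printf("%#llx: %ld bytes into %llu-byte object at %#llx, shadow %#llx = %#x (%s)\n",
	       (unsigned long long)bad, kasan_offset_in_object(bad, obj, size), (unsigned long long)size,
	       (unsigned long long)obj, (unsigned long long)kasan_addr_to_shadow(bad), b,
	       kasan_shadow_desc((uint8_t)b));
	printf("oops shadow %#llx -> checked range [%#llx-%#llx]\n", (unsigned long long)gpf_shadow,
	       (unsigned long long)kasan_shadow_to_addr(gpf_shadow),
	       (unsigned long long)(kasan_shadow_to_addr(gpf_shadow) + KASAN_GRANULE_SIZE - 1));
	return 0;
}
```

Build with `cc -std=c11 -Wall kasan_decode.c` and run; the same arithmetic applies to any x86-64 generic-KASAN report. The shadow for ffff888001926740 comes out as ffffed1000324ce8, which is the R12 value in the oops, so the faulting vfree() check sits on the granule right after the reported read. The fc/fb/fa table is specific to generic mode; the software and hardware tag-based modes on arm64 encode memory state differently, so do not apply it to those reports.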