(In reply to 0599jiangyc from comment #0)
> Created attachment 305240 [details]
> poc
> 
> ==================================================================
> BUG: KASAN: slab-use-after-free in __update_min_deadline
> kernel/sched/fair.c:805 [inline]
> BUG: KASAN: slab-use-after-free in min_deadline_update
> kernel/sched/fair.c:819 [inline]
> BUG: KASAN: slab-use-after-free in min_deadline_cb_propagate
> kernel/sched/fair.c:825 [inline]
> BUG: KASAN: slab-use-after-free in reweight_entity+0x9d5/0xcd0
> kernel/sched/fair.c:3660
> Read of size 8 at addr ffff888004b96830 by task systemd-udevd/100
> 
> CPU: 0 PID: 100 Comm: systemd-udevd Not tainted 6.6.0-rc6 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1
> 04/01/2014
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0x50/0x70 lib/dump_stack.c:106
>  print_address_description mm/kasan/report.c:364 [inline]
>  print_report+0xd0/0x620 mm/kasan/report.c:475
>  kasan_report+0xb6/0xf0 mm/kasan/report.c:588
>  __update_min_deadline kernel/sched/fair.c:805 [inline]
>  min_deadline_update kernel/sched/fair.c:819 [inline]
>  min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
>  reweight_entity+0x9d5/0xcd0 kernel/sched/fair.c:3660
>  entity_tick kernel/sched/fair.c:5317 [inline]
>  task_tick_fair+0xb3/0x710 kernel/sched/fair.c:12392
>  scheduler_tick+0x133/0x360 kernel/sched/core.c:5657
>  update_process_times+0xe4/0x120 kernel/time/timer.c:2076
>  tick_sched_handle.isra.0+0xf8/0x140 kernel/time/tick-sched.c:254
>  tick_sched_timer+0xce/0x100 kernel/time/tick-sched.c:1492
>  __run_hrtimer kernel/time/hrtimer.c:1688 [inline]
>  __hrtimer_run_queues+0x2d0/0x6c0 kernel/time/hrtimer.c:1752
>  hrtimer_interrupt+0x2cd/0x6e0 kernel/time/hrtimer.c:1814
>  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1063 [inline]
>  __sysvec_apic_timer_interrupt+0x7d/0x290 arch/x86/kernel/apic/apic.c:1080
>  sysvec_apic_timer_interrupt+0x33/0x90 arch/x86/kernel/apic/apic.c:1074
>  asm_sysvec_apic_timer_interrupt+0x1a/0x20
> arch/x86/include/asm/idtentry.h:645
> RIP: 0033:0x7ff04eb7ed6f
> Code: 85 46 01 00 00 48 85 ff 0f 88 1d 01 00 00 48 8d 47 17 31 db 48 83 f8
> 1f 0f 87 7d 00 00 00 4c 8b 25 0e 80 14 00 64 49 8b 04 24 <48> 85 c0 0f 84 80
> 00 00 00 48 3b 1d 51 85 14 00 0f 82 ab 00 00 00
> RSP: 002b:00007ffe54f63260 EFLAGS: 00000203
> RAX: 000055d9dcece010 RBX: 0000000000000802 RCX: 00007ffe54f632b0
> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000008030
> RBP: 0000000000008030 R08: 0000000000000001 R09: 000055d9dd73d350
> R10: 0000000000000000 R11: 0000000000000246 R12: fffffffffffffe30
> R13: 0000000000000001 R14: 000055d9dd73d350 R15: 000055d9dd710a30
>  </TASK>
> 
> Allocated by task 50:
>  kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
>  kasan_set_track+0x25/0x30 mm/kasan/common.c:52
>  __kasan_slab_alloc+0x59/0x70 mm/kasan/common.c:328
>  kasan_slab_alloc include/linux/kasan.h:188 [inline]
>  slab_post_alloc_hook mm/slab.h:762 [inline]
>  slab_alloc_node mm/slub.c:3478 [inline]
>  kmem_cache_alloc_node+0x106/0x270 mm/slub.c:3523
>  alloc_task_struct_node kernel/fork.c:173 [inline]
>  dup_task_struct kernel/fork.c:1110 [inline]
>  copy_process+0x529/0x6800 kernel/fork.c:2327
>  kernel_clone+0xc6/0x7c0 kernel/fork.c:2909
>  user_mode_thread+0xb1/0xf0 kernel/fork.c:2987
>  call_usermodehelper_exec_sync kernel/umh.c:133 [inline]
>  call_usermodehelper_exec_work+0x5f/0x160 kernel/umh.c:164
>  process_one_work kernel/workqueue.c:2630 [inline]
>  process_scheduled_works+0x252/0xe10 kernel/workqueue.c:2703
>  worker_thread+0x56c/0xc10 kernel/workqueue.c:2784
>  kthread+0x2c8/0x3c0 kernel/kthread.c:388
>  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:304
> 
> Freed by task 4107:
>  kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
>  kasan_set_track+0x25/0x30 mm/kasan/common.c:52
>  kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522
>  ____kasan_slab_free mm/kasan/common.c:236 [inline]
>  ____kasan_slab_free mm/kasan/common.c:200 [inline]
>  __kasan_slab_free+0x10e/0x190 mm/kasan/common.c:244
>  kasan_slab_free include/linux/kasan.h:164 [inline]
>  slab_free_hook mm/slub.c:1800 [inline]
>  slab_free_freelist_hook mm/slub.c:1826 [inline]
>  slab_free mm/slub.c:3809 [inline]
>  kmem_cache_free+0xa5/0x380 mm/slub.c:3831
>  put_task_struct include/linux/sched/task.h:136 [inline]
>  delayed_put_task_struct+0x145/0x190 kernel/exit.c:226
>  rcu_do_batch kernel/rcu/tree.c:2139 [inline]
>  rcu_core+0x629/0x1930 kernel/rcu/tree.c:2403
>  __do_softirq+0x162/0x52a kernel/softirq.c:553
> 
> Last potentially related work creation:
>  kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
>  __kasan_record_aux_stack+0x8e/0xa0 mm/kasan/generic.c:492
>  __call_rcu_common.constprop.0+0x6b/0x8b0 kernel/rcu/tree.c:2653
>  put_task_struct_rcu_user+0x69/0xb0 kernel/exit.c:232
>  wait_task_zombie kernel/exit.c:1210 [inline]
>  wait_consider_task+0x24ca/0x2d80 kernel/exit.c:1437
>  do_wait_pid kernel/exit.c:1568 [inline]
>  do_wait+0x4f2/0xa10 kernel/exit.c:1610
>  kernel_wait+0xa0/0x140 kernel/exit.c:1797
>  call_usermodehelper_exec_sync kernel/umh.c:137 [inline]
>  call_usermodehelper_exec_work+0xd8/0x160 kernel/umh.c:164
>  process_one_work kernel/workqueue.c:2630 [inline]
>  process_scheduled_works+0x252/0xe10 kernel/workqueue.c:2703
>  worker_thread+0x56c/0xc10 kernel/workqueue.c:2784
>  kthread+0x2c8/0x3c0 kernel/kthread.c:388
>  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:304
> 
> Second to last potentially related work creation:
>  kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
>  __kasan_record_aux_stack+0x8e/0xa0 mm/kasan/generic.c:492
>  task_work_add+0x7e/0x270 kernel/task_work.c:48
>  scheduler_tick+0x149/0x360 kernel/sched/core.c:5662
>  update_process_times+0xe4/0x120 kernel/time/timer.c:2076
>  tick_sched_handle.isra.0+0xf8/0x140 kernel/time/tick-sched.c:254
>  tick_sched_timer+0xce/0x100 kernel/time/tick-sched.c:1492
>  __run_hrtimer kernel/time/hrtimer.c:1688 [inline]
>  __hrtimer_run_queues+0x2d0/0x6c0 kernel/time/hrtimer.c:1752
>  hrtimer_interrupt+0x2cd/0x6e0 kernel/time/hrtimer.c:1814
>  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1063 [inline]
>  __sysvec_apic_timer_interrupt+0x7d/0x290 arch/x86/kernel/apic/apic.c:1080
>  sysvec_apic_timer_interrupt+0x69/0x90 arch/x86/kernel/apic/apic.c:1074
>  asm_sysvec_apic_timer_interrupt+0x1a/0x20
> arch/x86/include/asm/idtentry.h:645
> 
> The buggy address belongs to the object at ffff888004b96780
>  which belongs to the cache task_struct of size 4160
> The buggy address is located 176 bytes inside of
>  freed 4160-byte region [ffff888004b96780, ffff888004b977c0)
> 
> The buggy address belongs to the physical page:
> page:00000000117e0ccf refcount:1 mapcount:0 mapping:0000000000000000
> index:0x0 pfn:0x4b90
> head:00000000117e0ccf order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> flags: 0x100000000000840(slab|head|node=0|zone=1)
> page_type: 0xffffffff()
> raw: 0100000000000840 ffff88800117b140 ffffea0000136600 dead000000000002
> raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
> 
> Memory state around the buggy address:
>  ffff888004b96700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff888004b96780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >ffff888004b96800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                                      ^
>  ffff888004b96880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff888004b96900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================

How can above bug be triggered?

Have you checked the patch?

I cannot reproduce it stably. More details at https://syzkaller.appspot.com/bug?extid=3908cdfd655fd839c82f.

Fixed by

  d2929762cc3f ("sched/eevdf: Fix heap corruption more")