==================================================================
BUG: KASAN: use-after-free in tcp_probe_timer net/ipv4/tcp_timer.c:378 [inline]
BUG: KASAN: use-after-free in tcp_write_timer_handler net/ipv4/tcp_timer.c:624 [inline]
BUG: KASAN: use-after-free in tcp_write_timer_handler+0x998/0x9f0 net/ipv4/tcp_timer.c:594
Read of size 1 at addr ffff88801fb52225 by task syz-executor.4/9484

CPU: 0 PID: 9484 Comm: syz-executor.4 Not tainted 6.0.0-rc3-syzkaller-00545-gc3f760ef1287 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
 tcp_probe_timer net/ipv4/tcp_timer.c:378 [inline]
 tcp_write_timer_handler net/ipv4/tcp_timer.c:624 [inline]
 tcp_write_timer_handler+0x998/0x9f0 net/ipv4/tcp_timer.c:594
 tcp_write_timer+0xa2/0x2b0 net/ipv4/tcp_timer.c:637
 call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474
 expire_timers kernel/time/timer.c:1519 [inline]
 __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790
 __run_timers kernel/time/timer.c:1768 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
 __do_softirq+0x1d3/0x9c6 kernel/softirq.c:571
 invoke_softirq kernel/softirq.c:445 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1106
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:filter_irq_stacks+0x5b/0x90 kernel/stacktrace.c:394
Code: 72 18 48 3d 90 0e a0 89 73 10 44 8d 63 01 48 83 c4 08 44 89 e0 5b 5d 41 5c c3 48 3d 00 00 c0 89 72 08 48 3d c6 09 c0 89 72 e0 <83> c3 01 48 83 c7 08 41 39 dc 75 b4 48 83 c4 08 44 89 e0 5b 5d 41
RSP: 0000:ffffc9000376f830 EFLAGS: 00000287
RAX: ffffffff81b579e4 RBX: 0000000000000004 RCX: 0000000000000001
RDX: 0000000000140dca RSI: 0000000000000009 RDI: ffffc9000376f908
RBP: dffffc0000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 000000000008c07c R12: 0000000000000009
R13: 0000000000140dca R14: ffffc9000376f8e8 R15: ffffea00017cf4c0
 __stack_depot_save+0x35/0x500 lib/stackdepot.c:422
 save_stack+0x15e/0x1e0 mm/page_owner.c:128
 __set_page_owner+0x2e/0x50 mm/page_owner.c:192
 prep_new_page mm/page_alloc.c:2532 [inline]
 get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5515
 __folio_alloc+0x12/0x40 mm/page_alloc.c:5546
 vma_alloc_folio+0xf9/0x790 mm/mempolicy.c:2231
 alloc_page_vma include/linux/gfp.h:290 [inline]
 do_anonymous_page mm/memory.c:4084 [inline]
 handle_pte_fault mm/memory.c:4909 [inline]
 __handle_mm_fault+0x1784/0x39b0 mm/memory.c:5053
 handle_mm_fault+0x1c8/0x780 mm/memory.c:5151
 do_user_addr_fault+0x475/0x1210 arch/x86/mm/fault.c:1397
 handle_page_fault arch/x86/mm/fault.c:1488 [inline]
 exc_page_fault+0x94/0x170 arch/x86/mm/fault.c:1544
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x7f12b0834e7d
Code: e0 04 8b 44 02 08 85 c0 0f 85 d0 0a 00 00 31 c0 b9 40 42 0f 00 ba 81 00 00 00 c7 06 01 00 00 00 bf ca 00 00 00 e8 e3 43 05 00 <83> 05 7c b1 56 00 01 80 bc 24 d8 00 00 00 00 0f b6 05 ff 04 0a 01
RSP: 002b:00007ffe103df010 EFLAGS: 00010217
RAX: 0000000000000000 RBX: 00007f12b099bf8c RCX: 00007f12b0889279
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f12b099bf88
RBP: 00007f12b099bf80 R08: 00007f12b1968700 R09: 0000000000000000
R10: 00007f12b1968700 R11: 0000000000000246 R12: 00007f12b099bf8c
R13: 00007f12b09a0080 R14: 00007f12b099bf80 R15: 0000000000000000

Allocated by task 6412:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:437 [inline]
 __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:470
 kasan_slab_alloc include/linux/kasan.h:224 [inline]
 slab_post_alloc_hook mm/slab.h:727 [inline]
 slab_alloc_node mm/slub.c:3243 [inline]
 slab_alloc mm/slub.c:3251 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3258 [inline]
 kmem_cache_alloc+0x267/0x3b0 mm/slub.c:3268
 kmem_cache_zalloc include/linux/slab.h:723 [inline]
 net_alloc net/core/net_namespace.c:404 [inline]
 copy_net_ns+0x125/0x760 net/core/net_namespace.c:459
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:227
 ksys_unshare+0x445/0x920 kernel/fork.c:3183
 __do_sys_unshare kernel/fork.c:3254 [inline]
 __se_sys_unshare kernel/fork.c:3252 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3252
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88801fb51b80
 which belongs to the cache net_namespace of size 6784
The buggy address is located 1701 bytes inside of
 6784-byte region [ffff88801fb51b80, ffff88801fb53600)

The buggy address belongs to the physical page:
page:ffffea00007ed400 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801fb51b80 pfn:0x1fb50
head:ffffea00007ed400 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff8880788ff2c1
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0001f9e208 ffff8880119db288 ffff8881400073c0
raw: ffff88801fb51b80 0000000000040003 00000001ffffffff ffff8880788ff2c1
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3638, tgid 3638 (syz-executor.2), ts 177820097567, free_ts 177818869806
 prep_new_page mm/page_alloc.c:2532 [inline]
 get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5515
 alloc_pages+0x1a6/0x270 mm/mempolicy.c:2270
 alloc_slab_page mm/slub.c:1824 [inline]
 allocate_slab+0x27e/0x3d0 mm/slub.c:1969
 new_slab mm/slub.c:2029 [inline]
 ___slab_alloc+0x7f1/0xe10 mm/slub.c:3031
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3118
 slab_alloc_node mm/slub.c:3209 [inline]
 slab_alloc mm/slub.c:3251 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3258 [inline]
 kmem_cache_alloc+0x38c/0x3b0 mm/slub.c:3268
 kmem_cache_zalloc include/linux/slab.h:723 [inline]
 net_alloc net/core/net_namespace.c:404 [inline]
 copy_net_ns+0x125/0x760 net/core/net_namespace.c:459
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:227
 ksys_unshare+0x445/0x920 kernel/fork.c:3183
 __do_sys_unshare kernel/fork.c:3254 [inline]
 __se_sys_unshare kernel/fork.c:3252 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3252
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1449 [inline]
 free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499
 free_unref_page_prepare mm/page_alloc.c:3380 [inline]
 free_unref_page+0x19/0x4d0 mm/page_alloc.c:3476
 skb_free_head+0xac/0x110 net/core/skbuff.c:658
 skb_release_data+0x5f1/0x870 net/core/skbuff.c:687
 skb_release_all net/core/skbuff.c:752 [inline]
 __kfree_skb net/core/skbuff.c:766 [inline]
 consume_skb net/core/skbuff.c:931 [inline]
 consume_skb+0xc2/0x160 net/core/skbuff.c:925
 netlink_recvmsg+0x598/0xe50 net/netlink/af_netlink.c:1998
 sock_recvmsg_nosec net/socket.c:995 [inline]
 sock_recvmsg net/socket.c:1013 [inline]
 sock_recvmsg net/socket.c:1009 [inline]
 ____sys_recvmsg+0x2c7/0x600 net/socket.c:2701
 ___sys_recvmsg+0xf2/0x180 net/socket.c:2743
 __sys_recvmsg+0xf0/0x1c0 net/socket.c:2773
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff88801fb52100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801fb52180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801fb52200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff88801fb52280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801fb52300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:   72 18                   jb     0x1a
   2:   48 3d 90 0e a0 89       cmp    $0xffffffff89a00e90,%rax
   8:   73 10                   jae    0x1a
   a:   44 8d 63 01             lea    0x1(%rbx),%r12d
   e:   48 83 c4 08             add    $0x8,%rsp
  12:   44 89 e0                mov    %r12d,%eax
  15:   5b                      pop    %rbx
  16:   5d                      pop    %rbp
  17:   41 5c                   pop    %r12
  19:   c3                      retq
  1a:   48 3d 00 00 c0 89       cmp    $0xffffffff89c00000,%rax
  20:   72 08                   jb     0x2a
  22:   48 3d c6 09 c0 89       cmp    $0xffffffff89c009c6,%rax
  28:   72 e0                   jb     0xa
* 2a:   83 c3 01                add    $0x1,%ebx                <-- trapping instruction
  2d:   48 83 c7 08             add    $0x8,%rdi
  31:   41 39 dc                cmp    %ebx,%r12d
  34:   75 b4                   jne    0xffffffea
  36:   48 83 c4 08             add    $0x8,%rsp
  3a:   44 89 e0                mov    %r12d,%eax
  3d:   5b                      pop    %rbx
  3e:   5d                      pop    %rbp
  3f:   41                      rex.B