==================================================================
BUG: KASAN: use-after-free in smc_fback_error_report+0x96/0xa0 net/smc/af_smc.c:664
Read of size 8 at addr ffff888049343028 by task kworker/1:33/31463
CPU: 1 PID: 31463 Comm: kworker/1:33 Not tainted 5.17.0-rc3-syzkaller-00125-g525de9a79349 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events pwq_unbound_release_workfn
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
smc_fback_error_report+0x96/0xa0 net/smc/af_smc.c:664
sk_error_report+0x35/0x310 net/core/sock.c:340
tcp_write_err net/ipv4/tcp_timer.c:71 [inline]
tcp_write_timeout net/ipv4/tcp_timer.c:276 [inline]
tcp_retransmit_timer+0x20c2/0x3320 net/ipv4/tcp_timer.c:512
tcp_write_timer_handler+0x5e6/0xbc0 net/ipv4/tcp_timer.c:622
tcp_write_timer+0xa2/0x2b0 net/ipv4/tcp_timer.c:642
call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
expire_timers kernel/time/timer.c:1466 [inline]
__run_timers.part.0+0x67c/0xa30 kernel/time/timer.c:1734
__run_timers kernel/time/timer.c:1715 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:lockdep_unregister_key+0x1c9/0x250 kernel/locking/lockdep.c:6328
Code: 00 00 00 48 89 ee e8 46 fd ff ff 4c 89 f7 e8 4e c9 ff ff e8 f9 cb ff ff 9c 58 f6 c4 02 75 26 41 f7 c4 00 02 00 00 74 01 fb 5b <5d> 41 5c 41 5d 41 5e 41 5f e9 99 4d 08 00 0f 0b 5b 5d 41 5c 41 5d
RSP: 0000:ffffc9000b45fcb8 EFLAGS: 00000206
RAX: 0000000000000046 RBX: ffff8880291a2c98 RCX: 0000000000000001
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff88805154e928 R08: 0000000000000001 R09: ffffffff8f213696
R10: fffffbfff1ff7b1b R11: 000000000002804b R12: 0000000000000246
R13: 0000000000000000 R14: ffffffff8ffbb908 R15: ffffffff90143428
wq_unregister_lockdep kernel/workqueue.c:3508 [inline]
pwq_unbound_release_workfn+0x254/0x340 kernel/workqueue.c:3746
process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
worker_thread+0x657/0x1110 kernel/workqueue.c:2454
kthread+0x2e9/0x3a0 kernel/kthread.c:377
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
The buggy address belongs to the page:
page:ffffea000124d0c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x49343
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea000124d108 ffffea000124d088 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100cc0(GFP_USER), pid 29704, ts 2674089458734, free_ts 2674305866099
prep_new_page mm/page_alloc.c:2434 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
alloc_pages+0x1aa/0x310 mm/mempolicy.c:2271
__get_free_pages+0x8/0x40 mm/page_alloc.c:5438
kasan_populate_vmalloc_pte mm/kasan/shadow.c:271 [inline]
kasan_populate_vmalloc_pte+0x25/0x160 mm/kasan/shadow.c:262
apply_to_pte_range mm/memory.c:2541 [inline]
apply_to_pmd_range mm/memory.c:2585 [inline]
apply_to_pud_range mm/memory.c:2621 [inline]
apply_to_p4d_range mm/memory.c:2657 [inline]
__apply_to_page_range+0x686/0x1030 mm/memory.c:2691
alloc_vmap_area+0xa7a/0x1dc0 mm/vmalloc.c:1571
__get_vm_area_node.constprop.0+0x128/0x380 mm/vmalloc.c:2436
__vmalloc_node_range+0x150/0x1060 mm/vmalloc.c:3092
__vmalloc_node+0x6f/0x90 mm/vmalloc.c:3157
kvmalloc_node+0xd7/0x100 mm/util.c:593
kvmalloc include/linux/slab.h:732 [inline]
xt_alloc_table_info+0x3c/0xa0 net/netfilter/x_tables.c:1192
do_replace net/ipv4/netfilter/ip_tables.c:1125 [inline]
do_ipt_set_ctl+0x500/0xb80 net/ipv4/netfilter/ip_tables.c:1630
nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
ip_setsockopt+0x3c3/0x3a90 net/ipv4/ip_sockglue.c:1444
tcp_setsockopt+0x136/0x2520 net/ipv4/tcp.c:3694
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1352 [inline]
free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
free_unref_page_prepare mm/page_alloc.c:3325 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3404
kasan_depopulate_vmalloc_pte+0x5c/0x70 mm/kasan/shadow.c:380
apply_to_pte_range mm/memory.c:2541 [inline]
apply_to_pmd_range mm/memory.c:2585 [inline]
apply_to_pud_range mm/memory.c:2621 [inline]
apply_to_p4d_range mm/memory.c:2657 [inline]
__apply_to_page_range+0x686/0x1030 mm/memory.c:2691
kasan_release_vmalloc+0xa7/0xc0 mm/kasan/shadow.c:490
__purge_vmap_area_lazy+0x8f9/0x1c50 mm/vmalloc.c:1710
try_purge_vmap_area_lazy mm/vmalloc.c:1729 [inline]
free_vmap_area_noflush+0xa57/0xd00 mm/vmalloc.c:1771
free_unmap_vmap_area mm/vmalloc.c:1784 [inline]
remove_vm_area+0x1ca/0x230 mm/vmalloc.c:2530
free_vm_area mm/vmalloc.c:3551 [inline]
__vmalloc_area_node mm/vmalloc.c:2955 [inline]
__vmalloc_node_range+0xe98/0x1060 mm/vmalloc.c:3107
__vmalloc_node+0x6f/0x90 mm/vmalloc.c:3157
kvmalloc_node+0xd7/0x100 mm/util.c:593
kvmalloc include/linux/slab.h:732 [inline]
xt_alloc_table_info+0x3c/0xa0 net/netfilter/x_tables.c:1192
do_replace net/ipv4/netfilter/ip_tables.c:1125 [inline]
do_ipt_set_ctl+0x500/0xb80 net/ipv4/netfilter/ip_tables.c:1630
nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
ip_setsockopt+0x3c3/0x3a90 net/ipv4/ip_sockglue.c:1444
tcp_setsockopt+0x136/0x2520 net/ipv4/tcp.c:3694
Memory state around the buggy address:
 ffff888049342f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888049342f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888049343000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                  ^
 ffff888049343080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888049343100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 00 48 89 add %cl,-0x77(%rax)
5: ee out %al,(%dx)
6: e8 46 fd ff ff callq 0xfffffd51
b: 4c 89 f7 mov %r14,%rdi
e: e8 4e c9 ff ff callq 0xffffc961
13: e8 f9 cb ff ff callq 0xffffcc11
18: 9c pushfq
19: 58 pop %rax
1a: f6 c4 02 test $0x2,%ah
1d: 75 26 jne 0x45
1f: 41 f7 c4 00 02 00 00 test $0x200,%r12d
26: 74 01 je 0x29
28: fb sti
29: 5b pop %rbx
* 2a: 5d pop %rbp <-- trapping instruction
2b: 41 5c pop %r12
2d: 41 5d pop %r13
2f: 41 5e pop %r14
31: 41 5f pop %r15
33: e9 99 4d 08 00 jmpq 0x84dd1
38: 0f 0b ud2
3a: 5b pop %rbx
3b: 5d pop %rbp
3c: 41 5c pop %r12
3e: 41 5d pop %r13