==================================================================
BUG: KASAN: slab-out-of-bounds in smc_fback_error_report+0x96/0xa0 net/smc/af_smc.c:670
Read of size 8 at addr ffff888022df70a8 by task swapper/3/0

CPU: 3 PID: 0 Comm: swapper/3 Not tainted 5.17.0-rc8-syzkaller-00045-g551acdc3c3d2 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 smc_fback_error_report+0x96/0xa0 net/smc/af_smc.c:670
 sk_error_report+0x35/0x310 net/core/sock.c:340
 tcp_write_err net/ipv4/tcp_timer.c:71 [inline]
 tcp_write_timeout net/ipv4/tcp_timer.c:276 [inline]
 tcp_retransmit_timer+0x20c2/0x3320 net/ipv4/tcp_timer.c:512
 tcp_write_timer_handler+0x5e6/0xbc0 net/ipv4/tcp_timer.c:622
 tcp_write_timer+0xa2/0x2b0 net/ipv4/tcp_timer.c:642
 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
 expire_timers kernel/time/timer.c:1466 [inline]
 __run_timers.part.0+0x67c/0xa30 kernel/time/timer.c:1734
 __run_timers kernel/time/timer.c:1715 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:default_idle+0xb/0x10 arch/x86/kernel/process.c:734
Code: f8 e9 8c fd ff ff 4c 89 f7 e8 11 09 70 f8 e9 3a fd ff ff cc cc cc cc cc cc cc cc cc cc cc cc eb 07 0f 00 2d 07 c1 57 00 fb f4 <c3> 0f 1f 40 00 41 54 be 08 00 00 00 53 65 48 8b 1c 25 00 70 02 00
RSP: 0018:ffffc9000067fdf8 EFLAGS: 00000206
RAX: 000000000025ac2d RBX: ffff88801192a200 RCX: ffffffff894c0751
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000003 R08: 0000000000000001 R09: ffff88802cd3acd3
R10: ffffed10059a759a R11: 0000000000000000 R12: ffffed1002325440
R13: 0000000000000003 R14: ffffffff8d93f310 R15: 0000000000000000
 default_idle_call+0x87/0xd0 kernel/sched/idle.c:112
 cpuidle_idle_call kernel/sched/idle.c:194 [inline]
 do_idle+0x401/0x590 kernel/sched/idle.c:306
 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:403
 start_secondary+0x265/0x340 arch/x86/kernel/smpboot.c:272
 secondary_startup_64_no_verify+0xc3/0xcb
 </TASK>

Allocated by task 13948:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
 kasan_kmalloc include/linux/kasan.h:270 [inline]
 __do_kmalloc mm/slab.c:3694 [inline]
 __kmalloc_track_caller+0x206/0x4d0 mm/slab.c:3709
 kmemdup+0x23/0x50 mm/util.c:128
 kmemdup include/linux/fortify-string.h:304 [inline]
 __devinet_sysctl_register+0x98/0x280 net/ipv4/devinet.c:2569
 devinet_sysctl_register net/ipv4/devinet.c:2621 [inline]
 devinet_sysctl_register+0x160/0x230 net/ipv4/devinet.c:2611
 inetdev_init+0x286/0x580 net/ipv4/devinet.c:278
 inetdev_event+0xa8a/0x15d0 net/ipv4/devinet.c:1532
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:84
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1919
 call_netdevice_notifiers_extack net/core/dev.c:1931 [inline]
 call_netdevice_notifiers net/core/dev.c:1945 [inline]
 register_netdevice+0x10df/0x1580 net/core/dev.c:9698
 veth_newlink+0x405/0xa90 drivers/net/veth.c:1694
 __rtnl_newlink+0x107c/0x1760 net/core/rtnetlink.c:3483
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3531
 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5596
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x539/0x7e0 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:725
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2413
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2467
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2496
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888022df6000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 168 bytes to the right of
 4096-byte region [ffff888022df6000, ffff888022df7000)
The buggy address belongs to the page:
page:ffffea00008b7d80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22df6
head:ffffea00008b7d80 order:1 compound_mapcount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea000098ac88 ffffea000071a708 ffff888010c40900
raw: 0000000000000000 ffff888022df6000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 13948, ts 318338079968, free_ts 317912106886
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
 __alloc_pages_slowpath.constprop.0+0x2eb/0x20d0 mm/page_alloc.c:4934
 __alloc_pages+0x412/0x500 mm/page_alloc.c:5402
 __alloc_pages_node include/linux/gfp.h:572 [inline]
 kmem_getpages mm/slab.c:1378 [inline]
 cache_grow_begin+0x75/0x390 mm/slab.c:2584
 cache_alloc_refill+0x27f/0x380 mm/slab.c:2957
 ____cache_alloc mm/slab.c:3040 [inline]
 ____cache_alloc mm/slab.c:3023 [inline]
 __do_cache_alloc mm/slab.c:3267 [inline]
 slab_alloc mm/slab.c:3308 [inline]
 __do_kmalloc mm/slab.c:3692 [inline]
 __kmalloc_track_caller+0x3b0/0x4d0 mm/slab.c:3709
 kmemdup+0x23/0x50 mm/util.c:128
 kmemdup include/linux/fortify-string.h:304 [inline]
 __devinet_sysctl_register+0x98/0x280 net/ipv4/devinet.c:2569
 devinet_sysctl_register net/ipv4/devinet.c:2621 [inline]
 devinet_sysctl_register+0x160/0x230 net/ipv4/devinet.c:2611
 inetdev_init+0x286/0x580 net/ipv4/devinet.c:278
 inetdev_event+0xa8a/0x15d0 net/ipv4/devinet.c:1532
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:84
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1919
 call_netdevice_notifiers_extack net/core/dev.c:1931 [inline]
 call_netdevice_notifiers net/core/dev.c:1945 [inline]
 register_netdevice+0x10df/0x1580 net/core/dev.c:9698
 veth_newlink+0x405/0xa90 drivers/net/veth.c:1694
 __rtnl_newlink+0x107c/0x1760 net/core/rtnetlink.c:3483
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1352 [inline]
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3404
 slab_destroy mm/slab.c:1630 [inline]
 slabs_destroy+0x89/0xc0 mm/slab.c:1650
 cache_flusharray mm/slab.c:3410 [inline]
 ___cache_free+0x303/0x600 mm/slab.c:3472
 qlink_free mm/kasan/quarantine.c:157 [inline]
 qlist_free_all+0x50/0x1a0 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0x97/0xb0 mm/kasan/common.c:446
 kasan_slab_alloc include/linux/kasan.h:260 [inline]
 slab_post_alloc_hook mm/slab.h:732 [inline]
 slab_alloc_node mm/slab.c:3253 [inline]
 kmem_cache_alloc_node+0x2ea/0x590 mm/slab.c:3591
 __alloc_skb+0x215/0x340 net/core/skbuff.c:414
 alloc_skb include/linux/skbuff.h:1158 [inline]
 nlmsg_new include/net/netlink.h:953 [inline]
 inet_netconf_notify_devconf+0xdd/0x260 net/ipv4/devinet.c:2096
 __devinet_sysctl_unregister net/ipv4/devinet.c:2608 [inline]
 devinet_sysctl_unregister net/ipv4/devinet.c:2632 [inline]
 inetdev_destroy net/ipv4/devinet.c:326 [inline]
 inetdev_event+0xcd9/0x15d0 net/ipv4/devinet.c:1600
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:84
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1919
 call_netdevice_notifiers_extack net/core/dev.c:1931 [inline]
 call_netdevice_notifiers net/core/dev.c:1945 [inline]
 unregister_netdevice_many+0x964/0x18d0 net/core/dev.c:10415
 default_device_exit_batch+0x2fa/0x3c0 net/core/dev.c:10945
 ops_exit_list+0x125/0x170 net/core/net_namespace.c:173

Memory state around the buggy address:
 ffff888022df6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888022df7000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888022df7080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                  ^
 ffff888022df7100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888022df7180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
   0:	f8                   	clc
   1:	e9 8c fd ff ff       	jmpq   0xfffffd92
   6:	4c 89 f7             	mov    %r14,%rdi
   9:	e8 11 09 70 f8       	callq  0xf870091f
   e:	e9 3a fd ff ff       	jmpq   0xfffffd4d
  13:	cc                   	int3
  14:	cc                   	int3
  15:	cc                   	int3
  16:	cc                   	int3
  17:	cc                   	int3
  18:	cc                   	int3
  19:	cc                   	int3
  1a:	cc                   	int3
  1b:	cc                   	int3
  1c:	cc                   	int3
  1d:	cc                   	int3
  1e:	cc                   	int3
  1f:	eb 07                	jmp    0x28
  21:	0f 00 2d 07 c1 57 00 	verw   0x57c107(%rip)        # 0x57c12f
  28:	fb                   	sti
  29:	f4                   	hlt
* 2a:	c3                   	retq <-- trapping instruction
  2b:	0f 1f 40 00          	nopl   0x0(%rax)
  2f:	41 54                	push   %r12
  31:	be 08 00 00 00       	mov    $0x8,%esi
  36:	53                   	push   %rbx
  37:	65 48 8b 1c 25 00 70 	mov    %gs:0x27000,%rbx
  3e:	02 00