netlink: 9 bytes leftover after parsing attributes in process `syz-executor.3'.
==================================================================
BUG: KASAN: slab-out-of-bounds in get_unaligned_le64 include/asm-generic/unaligned.h:37 [inline]
BUG: KASAN: slab-out-of-bounds in bch2_varint_decode_fast+0x1b5/0x1e0 fs/bcachefs/varint.c:114
Read of size 8 at addr ffff88805877517b by task syz-executor.3/11373

CPU: 0 PID: 11373 Comm: syz-executor.3 Not tainted 6.9.0-rc7-syzkaller-00023-g6d7ddd805123 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 get_unaligned_le64 include/asm-generic/unaligned.h:37 [inline]
 bch2_varint_decode_fast+0x1b5/0x1e0 fs/bcachefs/varint.c:114
 bch2_inode_unpack_v3+0xf3d/0x2060 fs/bcachefs/inode.c:270
 bch2_inode_unpack fs/bcachefs/inode.c:323 [inline]
 __bch2_inode_invalid+0x1a2/0x4d0 fs/bcachefs/inode.c:449
 bch2_inode_v3_invalid+0x1f1/0x2e0 fs/bcachefs/inode.c:529
 bch2_bkey_val_invalid+0x1cb/0x290 fs/bcachefs/bkey_methods.c:140
 bch2_bkey_invalid+0x86/0x90 fs/bcachefs/bkey_methods.c:231
 __bch2_trans_commit+0xad1/0x7840 fs/bcachefs/btree_trans_commit.c:1008
 bch2_trans_commit fs/bcachefs/btree_update.h:168 [inline]
 bch2_extent_update+0x494/0xa40 fs/bcachefs/io_write.c:318
 bch2_write_index_default+0x8c9/0xb60 fs/bcachefs/io_write.c:366
 __bch2_write_index+0x5ee/0xa60 fs/bcachefs/io_write.c:520
 bch2_write_data_inline fs/bcachefs/io_write.c:1538 [inline]
 bch2_write+0x106e/0x1330 fs/bcachefs/io_write.c:1606
 bch2_writepages+0x136/0x200 fs/bcachefs/fs-io-buffered.c:660
 do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2612
 filemap_fdatawrite_wbc mm/filemap.c:397 [inline]
 filemap_fdatawrite_wbc+0x148/0x1c0 mm/filemap.c:387
 __filemap_fdatawrite_range+0xba/0x100 mm/filemap.c:430
 file_write_and_wait_range+0xd0/0x140 mm/filemap.c:788
 bch2_fsync+0xa1/0x2a0 fs/bcachefs/fs-io.c:197
 vfs_fsync_range+0x141/0x230 fs/sync.c:188
 generic_write_sync include/linux/fs.h:2795 [inline]
 bch2_buffered_write fs/bcachefs/fs-io-buffered.c:1136 [inline]
 bch2_write_iter+0x756/0x3180 fs/bcachefs/fs-io-buffered.c:1144
 call_write_iter include/linux/fs.h:2110 [inline]
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0x6db/0x1100 fs/read_write.c:590
 ksys_write+0x12f/0x260 fs/read_write.c:643
 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
 __do_fast_syscall_32+0x75/0x120 arch/x86/entry/common.c:386
 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf72a7579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f5e575ac EFLAGS: 00000292 ORIG_RAX: 0000000000000004
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020000300
RDX: 0000000000000020 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

Allocated by task 11373:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:3972 [inline]
 __kmalloc_node_track_caller+0x220/0x480 mm/slub.c:3992
 __do_krealloc mm/slab_common.c:1192 [inline]
 krealloc+0x5d/0x100 mm/slab_common.c:1225
 __bch2_trans_kmalloc+0x467/0xb50 fs/bcachefs/btree_iter.c:2831
 bch2_trans_kmalloc_nomemzero fs/bcachefs/btree_iter.h:537 [inline]
 __bch2_bkey_make_mut_noupdate fs/bcachefs/btree_update.h:223 [inline]
 __bch2_bkey_get_mut_noupdate fs/bcachefs/btree_update.h:282 [inline]
 bch2_bkey_get_mut_noupdate fs/bcachefs/btree_update.h:293 [inline]
 bch2_extent_update_i_size_sectors+0x907/0xb20 fs/bcachefs/io_write.c:219
 bch2_extent_update+0x3db/0xa40 fs/bcachefs/io_write.c:314
 bch2_write_index_default+0x8c9/0xb60 fs/bcachefs/io_write.c:366
 __bch2_write_index+0x5ee/0xa60 fs/bcachefs/io_write.c:520
 bch2_write_data_inline fs/bcachefs/io_write.c:1538 [inline]
 bch2_write+0x106e/0x1330 fs/bcachefs/io_write.c:1606
 bch2_writepages+0x136/0x200 fs/bcachefs/fs-io-buffered.c:660
 do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2612
 filemap_fdatawrite_wbc mm/filemap.c:397 [inline]
 filemap_fdatawrite_wbc+0x148/0x1c0 mm/filemap.c:387
 __filemap_fdatawrite_range+0xba/0x100 mm/filemap.c:430
 file_write_and_wait_range+0xd0/0x140 mm/filemap.c:788
 bch2_fsync+0xa1/0x2a0 fs/bcachefs/fs-io.c:197
 vfs_fsync_range+0x141/0x230 fs/sync.c:188
 generic_write_sync include/linux/fs.h:2795 [inline]
 bch2_buffered_write fs/bcachefs/fs-io-buffered.c:1136 [inline]
 bch2_write_iter+0x756/0x3180 fs/bcachefs/fs-io-buffered.c:1144
 call_write_iter include/linux/fs.h:2110 [inline]
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0x6db/0x1100 fs/read_write.c:590
 ksys_write+0x12f/0x260 fs/read_write.c:643
 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
 __do_fast_syscall_32+0x75/0x120 arch/x86/entry/common.c:386
 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e

The buggy address belongs to the object at ffff888058775100
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 123 bytes inside of
 allocated 128-byte region [ffff888058775100, ffff888058775180)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x58775
anon flags: 0x4fff00000000800(slab|node=1|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 04fff00000000800 ffff888014c428c0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5218, tgid -460735162 (syz-executor.0), ts 5218, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
 __alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2180 [inline]
 allocate_slab mm/slub.c:2343 [inline]
 new_slab+0xcc/0x3a0 mm/slub.c:2396
 ___slab_alloc+0x670/0x16d0 mm/slub.c:3530
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3615
 __slab_alloc_node mm/slub.c:3668 [inline]
 slab_alloc_node mm/slub.c:3841 [inline]
 __do_kmalloc_node mm/slub.c:3971 [inline]
 __kmalloc_node_track_caller+0x372/0x480 mm/slub.c:3992
 kmemdup+0x29/0x60 mm/util.c:131
 mpls_dev_sysctl_register+0xd1/0x330 net/mpls/af_mpls.c:1407
 mpls_add_dev net/mpls/af_mpls.c:1478 [inline]
 mpls_dev_notify+0x498/0xa10 net/mpls/af_mpls.c:1618
 notifier_call_chain+0xb9/0x410 kernel/notifier.c:93
 call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1950
 call_netdevice_notifiers_extack net/core/dev.c:1988 [inline]
 call_netdevice_notifiers net/core/dev.c:2002 [inline]
 register_netdevice+0x157d/0x1c40 net/core/dev.c:10316
 veth_newlink+0x363/0xa10 drivers/net/veth.c:1828
 rtnl_newlink_create net/core/rtnetlink.c:3494 [inline]
 __rtnl_newlink+0x119c/0x1960 net/core/rtnetlink.c:3714
 rtnl_newlink+0x67/0xa0 net/core/rtnetlink.c:3727
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888058775080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888058775100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888058775180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff888058775200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888058775280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess), 2 bytes skipped:
   0:	10 06                	adc    %al,(%rsi)
   2:	03 74 b4 01          	add    0x1(%rsp,%rsi,4),%esi
   6:	10 07                	adc    %al,(%rdi)
   8:	03 74 b0 01          	add    0x1(%rax,%rsi,4),%esi
   c:	10 08                	adc    %cl,(%rax)
   e:	03 74 d8 01          	add    0x1(%rax,%rbx,8),%esi
  1e:	00 51 52             	add    %dl,0x52(%rcx)
  21:	55                   	push   %rbp
  22:	89 e5                	mov    %esp,%ebp
  24:	0f 34                	sysenter
  26:	cd 80                	int    $0x80
* 28:	5d                   	pop    %rbp <-- trapping instruction
  29:	5a                   	pop    %rdx
  2a:	59                   	pop    %rcx
  2b:	c3                   	ret
  2c:	90                   	nop
  2d:	90                   	nop
  2e:	90                   	nop
  2f:	90                   	nop
  30:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi
  37:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi