==================================================================
BUG: KASAN: slab-use-after-free in __lock_acquire+0x2dd6/0x3b30 kernel/locking/lockdep.c:5005
Read of size 8 at addr ffff8880557a9c18 by task kworker/u32:8/1101

CPU: 0 PID: 1101 Comm: kworker/u32:8 Not tainted 6.10.0-rc7-syzkaller-00231-ge091caf99f3a #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: netns cleanup_net
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 __lock_acquire+0x2dd6/0x3b30 kernel/locking/lockdep.c:5005
 lock_acquire kernel/locking/lockdep.c:5754 [inline]
 lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
 p9_tag_remove net/9p/client.c:397 [inline]
 p9_req_put net/9p/client.c:405 [inline]
 p9_req_put+0xca/0x250 net/9p/client.c:402
 req_done+0x1e7/0x2f0 net/9p/trans_virtio.c:147
 vring_interrupt drivers/virtio/virtio_ring.c:2595 [inline]
 vring_interrupt+0x31b/0x400 drivers/virtio/virtio_ring.c:2570
 __handle_irq_event_percpu+0x229/0x7c0 kernel/irq/handle.c:158
 handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
 handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210
 handle_edge_irq+0x263/0xd10 kernel/irq/chip.c:831
 generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
 handle_irq arch/x86/kernel/irq.c:247 [inline]
 call_irq_handler arch/x86/kernel/irq.c:259 [inline]
 __common_interrupt+0xdf/0x250 arch/x86/kernel/irq.c:285
 common_interrupt+0x52/0xd0 arch/x86/kernel/irq.c:278
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:handle_softirqs+0x1da/0x8f0 kernel/softirq.c:540
Code: 89 44 24 18 48 89 6c 24 10 48 c7 c7 60 5a 2b 8b e8 cb aa 89 09 65 66 c7 05 59 df b0 7e 00 00 e8 6c d8 42 00 fb bb ff ff ff ff <49> c7 c6 c0 a0 80 8d 41 0f bc dc 83 c3 01 0f 85 a7 00 00 00 e9 b4
RSP: 0018:ffffc90000007f30 EFLAGS: 00000216
RAX: 00000000004b4460 RBX: 00000000ffffffff RCX: 1ffffffff283f565
RDX: 0000000000000000 RSI: ffffffff8b2cb9e0 RDI: ffffffff8b8ff860
RBP: ffff8880203fc880 R08: 0000000000000001 R09: fffffbfff283f458
R10: ffffffff941fa2c7 R11: 0000000000000006 R12: 0000000000000202
R13: 000000000000000a R14: 0000000000000001 R15: 0000000000000000
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu kernel/softirq.c:637 [inline]
 irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:console_flush_all+0xa19/0xd70 kernel/printk/printk.c:2985
Code: e8 7c 44 26 00 9c 5b 81 e3 00 02 00 00 31 ff 48 89 de e8 7a fc 1e 00 48 85 db 0f 85 8b 01 00 00 e8 3c 01 1f 00 fb 48 8b 04 24 <4c> 89 fa 83 e2 07 0f b6 00 38 d0 7f 08 84 c0 0f 85 a9 02 00 00 41
RSP: 0018:ffffc90006e97578 EFLAGS: 00000293
RAX: fffff52000dd2ed6 RBX: 0000000000000000 RCX: ffffffff816f8dd6
RDX: ffff8880203fc880 RSI: ffffffff816f8de4 RDI: 0000000000000007
RBP: dffffc0000000000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000007 R12: 0000000000000200
R13: ffffffff8e7c2c98 R14: ffffffff8e7c2c40 R15: ffffc90006e976b0
 console_unlock+0xae/0x290 kernel/printk/printk.c:3048
 vprintk_emit kernel/printk/printk.c:2348 [inline]
 vprintk_emit+0x11a/0x5a0 kernel/printk/printk.c:2303
 vprintk+0x7f/0xa0 kernel/printk/printk_safe.c:45
 _printk+0xc8/0x100 kernel/printk/printk.c:2373
 __netdev_printk+0x376/0x500 net/core/dev.c:11633
 netdev_info+0xe5/0x120 net/core/dev.c:11680
 __dev_set_promiscuity+0x170/0x590 net/core/dev.c:8570
 dev_set_promiscuity+0x52/0x150 net/core/dev.c:8608
 hsr_del_port+0x2aa/0x390 net/hsr/hsr_slave.c:225
 hsr_del_ports+0x30/0xb0 net/hsr/hsr_device.c:413
 hsr_dellink+0x4e/0x80 net/hsr/hsr_netlink.c:136
 default_device_exit_batch+0x648/0x9b0 net/core/dev.c:11755
 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178
 cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640
 process_one_work+0x958/0x1ad0 kernel/workqueue.c:3248
 process_scheduled_works kernel/workqueue.c:3329 [inline]
 worker_thread+0x6c8/0xf30 kernel/workqueue.c:3409
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 6612:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kmalloc_noprof include/linux/slab.h:660 [inline]
 p9_client_create+0xcf/0x11b0 net/9p/client.c:983
 v9fs_session_init+0x1f8/0x1a80 fs/9p/v9fs.c:410
 v9fs_mount+0xc6/0xaa0 fs/9p/vfs_super.c:122
 legacy_get_tree+0x109/0x220 fs/fs_context.c:662
 vfs_get_tree+0x8f/0x380 fs/super.c:1789
 do_new_mount fs/namespace.c:3352 [inline]
 path_mount+0x6e1/0x1f10 fs/namespace.c:3679
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount fs/namespace.c:3875 [inline]
 __ia32_sys_mount+0x295/0x320 fs/namespace.c:3875
 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
 __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386
 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e

Freed by task 6612:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
 poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
 __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2196 [inline]
 slab_free mm/slub.c:4438 [inline]
 kfree+0x12a/0x3b0 mm/slub.c:4559
 p9_client_create+0x9ca/0x11b0 net/9p/client.c:1054
 v9fs_session_init+0x1f8/0x1a80 fs/9p/v9fs.c:410
 v9fs_mount+0xc6/0xaa0 fs/9p/vfs_super.c:122
 legacy_get_tree+0x109/0x220 fs/fs_context.c:662
 vfs_get_tree+0x8f/0x380 fs/super.c:1789
 do_new_mount fs/namespace.c:3352 [inline]
 path_mount+0x6e1/0x1f10 fs/namespace.c:3679
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount fs/namespace.c:3875 [inline]
 __ia32_sys_mount+0x295/0x320 fs/namespace.c:3875
 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
 __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386
 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e

The buggy address belongs to the object at ffff8880557a9c00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 24 bytes inside of
 freed 512-byte region [ffff8880557a9c00, ffff8880557a9e00)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x557a8
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 04fff00000000040 ffff888015442c80 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080100010 00000001ffffefff 0000000000000000
head: 04fff00000000040 ffff888015442c80 0000000000000000 dead000000000001
head: 0000000000000000 0000000080100010 00000001ffffefff 0000000000000000
head: 04fff00000000002 ffffea000155ea01 ffffffffffffffff 0000000000000000
head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 5649, tgid 5649 (syz-executor), ts 168856436021, free_ts 152434272666
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1473
 prep_new_page mm/page_alloc.c:1481 [inline]
 get_page_from_freelist+0x1353/0x2e50 mm/page_alloc.c:3425
 __alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4683
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x56/0x110 mm/slub.c:2265
 allocate_slab mm/slub.c:2428 [inline]
 new_slab+0x84/0x260 mm/slub.c:2481
 ___slab_alloc+0xdac/0x1870 mm/slub.c:3667
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3757
 __slab_alloc_node mm/slub.c:3810 [inline]
 slab_alloc_node mm/slub.c:3990 [inline]
 __do_kmalloc_node mm/slub.c:4122 [inline]
 __kmalloc_noprof+0x37f/0x420 mm/slub.c:4136
 kmalloc_noprof include/linux/slab.h:664 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 fib6_info_alloc+0x40/0x160 net/ipv6/ip6_fib.c:155
 ip6_route_info_create+0x337/0x1ae0 net/ipv6/route.c:3763
 addrconf_f6i_alloc+0x393/0x670 net/ipv6/route.c:4590
 ipv6_add_addr+0x538/0x2090 net/ipv6/addrconf.c:1120
 addrconf_add_linklocal+0x2a6/0x650 net/ipv6/addrconf.c:3314
 addrconf_addr_gen+0x37b/0x3d0 net/ipv6/addrconf.c:3445
 addrconf_dev_config net/ipv6/addrconf.c:3491 [inline]
 addrconf_init_auto_addrs+0x446/0x820 net/ipv6/addrconf.c:3569
 addrconf_notify+0x6ef/0x19e0 net/ipv6/addrconf.c:3742
page last free pid 5634 tgid 5633 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1093 [inline]
 free_unref_page+0x64a/0xe40 mm/page_alloc.c:2588
 stack_depot_save_flags+0x2da/0x900 lib/stackdepot.c:666
 ref_tracker_free+0x11e/0x820 lib/ref_tracker.c:240
 __netns_tracker_free include/net/net_namespace.h:348 [inline]
 put_net_track include/net/net_namespace.h:363 [inline]
 __sk_destruct+0x36a/0x730 net/core/sock.c:2204
 sk_destruct+0xc2/0xf0 net/core/sock.c:2223
 __sk_free+0xf4/0x3e0 net/core/sock.c:2234
 sk_free+0x7c/0xa0 net/core/sock.c:2245
 sock_put include/net/sock.h:1879 [inline]
 smc_release+0x4ef/0x640 net/smc/af_smc.c:351
 __sock_release+0xb0/0x270 net/socket.c:659
 sock_close+0x1c/0x30 net/socket.c:1421
 __fput+0x408/0xbb0 fs/file_table.c:422
 task_work_run+0x14e/0x250 kernel/task_work.c:180
 get_signal+0x1d3/0x2670 kernel/signal.c:2681
 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x14a/0x2a0 kernel/entry/common.c:218
 __do_fast_syscall_32+0x80/0x120 arch/x86/entry/common.c:389

Memory state around the buggy address:
 ffff8880557a9b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880557a9b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880557a9c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff8880557a9c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880557a9d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:	89 44 24 18          	mov    %eax,0x18(%rsp)
   4:	48 89 6c 24 10       	mov    %rbp,0x10(%rsp)
   9:	48 c7 c7 60 5a 2b 8b 	mov    $0xffffffff8b2b5a60,%rdi
  10:	e8 cb aa 89 09       	call   0x989aae0
  15:	65 66 c7 05 59 df b0 	movw   $0x0,%gs:0x7eb0df59(%rip)        # 0x7eb0df78
  1c:	7e 00 00
  1f:	e8 6c d8 42 00       	call   0x42d890
  24:	fb                   	sti
  25:	bb ff ff ff ff       	mov    $0xffffffff,%ebx
* 2a:	49 c7 c6 c0 a0 80 8d 	mov    $0xffffffff8d80a0c0,%r14 <-- trapping instruction
  31:	41 0f bc dc          	bsf    %r12d,%ebx
  35:	83 c3 01             	add    $0x1,%ebx
  38:	0f 85 a7 00 00 00    	jne    0xe5
  3e:	e9                   	.byte 0xe9
  3f:	b4                   	.byte 0xb4