==================================================================
BUG: KASAN: use-after-free in smc_fback_error_report+0x96/0xa0 net/smc/af_smc.c:664
Read of size 8 at addr ffff8880198811e8 by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc4-syzkaller-00052-g359303076163 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 smc_fback_error_report+0x96/0xa0 net/smc/af_smc.c:664
 sk_error_report+0x35/0x310 net/core/sock.c:340
 tcp_write_err net/ipv4/tcp_timer.c:71 [inline]
 tcp_probe_timer net/ipv4/tcp_timer.c:395 [inline]
 tcp_write_timer_handler+0x437/0xbc0 net/ipv4/tcp_timer.c:626
 tcp_write_timer+0xa2/0x2b0 net/ipv4/tcp_timer.c:642
 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
 expire_timers kernel/time/timer.c:1466 [inline]
 __run_timers.part.0+0x67c/0xa30 kernel/time/timer.c:1734
 __run_timers kernel/time/timer.c:1715 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:default_idle+0xb/0x10 arch/x86/kernel/process.c:734
Code: f8 e9 8c fd ff ff 4c 89 f7 e8 11 9d 6e f8 e9 3a fd ff ff cc cc cc cc cc cc cc cc cc cc cc cc eb 07 0f 00 2d b7 1c 56 00 fb f4 <c3> 0f 1f 40 00 41 54 be 08 00 00 00 53 65 48 8b 1c 25 00 70 02 00
RSP: 0018:ffffffff8b807e40 EFLAGS: 00000206
RAX: 000000000032d4a3 RBX: ffffffff8b8bc6c0 RCX: ffffffff894da9e1
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000001 R09: ffff88802ca3acd3
R10: ffffed100594759a R11: 0000000000000000 R12: fffffbfff17178d8
R13: 0000000000000000 R14: ffffffff8d93cf10 R15: 0000000000000000
 default_idle_call+0x87/0xd0 kernel/sched/idle.c:112
 cpuidle_idle_call kernel/sched/idle.c:194 [inline]
 do_idle+0x401/0x590 kernel/sched/idle.c:306
 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:403
 start_kernel+0x47a/0x49b init/main.c:1138
 secondary_startup_64_no_verify+0xc3/0xcb
 </TASK>

The buggy address belongs to the page:
page:ffffea0000662040 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19881
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 ffffffff00000101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 1, migratetype Unmovable, gfp_mask 0x2c2220(__GFP_HIGH|__GFP_ATOMIC|__GFP_NOWARN|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_THISNODE), pid 30138, ts 1368422796665, free_ts 1368919670790
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
 __alloc_pages_slowpath.constprop.0+0x2eb/0x20d0 mm/page_alloc.c:4934
 __alloc_pages+0x412/0x500 mm/page_alloc.c:5402
 __alloc_pages_node include/linux/gfp.h:572 [inline]
 kmem_getpages mm/slab.c:1378 [inline]
 cache_grow_begin+0x75/0x390 mm/slab.c:2584
 cache_alloc_refill+0x27f/0x380 mm/slab.c:2957
 ____cache_alloc mm/slab.c:3040 [inline]
 ____cache_alloc mm/slab.c:3023 [inline]
 slab_alloc_node mm/slab.c:3241 [inline]
 kmem_cache_alloc_node_trace+0x49c/0x5b0 mm/slab.c:3609
 __do_kmalloc_node mm/slab.c:3631 [inline]
 __kmalloc_node_track_caller+0x38/0x60 mm/slab.c:3646
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0xde/0x340 net/core/skbuff.c:426
 alloc_skb include/linux/skbuff.h:1158 [inline]
 nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:745 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:802 [inline]
 nsim_dev_trap_report_work+0x29a/0xbc0 drivers/net/netdevsim/dev.c:843
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 worker_thread+0x657/0x1110 kernel/workqueue.c:2454
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1352 [inline]
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3404
 slab_destroy mm/slab.c:1630 [inline]
 slabs_destroy+0x89/0xc0 mm/slab.c:1650
 cache_flusharray mm/slab.c:3410 [inline]
 ___cache_free+0x303/0x600 mm/slab.c:3472
 qlink_free mm/kasan/quarantine.c:157 [inline]
 qlist_free_all+0x50/0x1a0 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0x97/0xb0 mm/kasan/common.c:446
 kasan_slab_alloc include/linux/kasan.h:260 [inline]
 slab_post_alloc_hook mm/slab.h:732 [inline]
 slab_alloc mm/slab.c:3315 [inline]
 kmem_cache_alloc+0x265/0x560 mm/slab.c:3499
 ptlock_alloc+0x1d/0x70 mm/memory.c:5467
 ptlock_init include/linux/mm.h:2300 [inline]
 pgtable_pte_page_ctor include/linux/mm.h:2327 [inline]
 __pte_alloc_one include/asm-generic/pgalloc.h:66 [inline]
 pte_alloc_one+0x68/0x230 arch/x86/mm/pgtable.c:33
 do_huge_pmd_anonymous_page+0x108c/0x2840 mm/huge_memory.c:743
 create_huge_pmd mm/memory.c:4441 [inline]
 __handle_mm_fault+0x2a1a/0x5110 mm/memory.c:4676
 handle_mm_fault+0x1c8/0x790 mm/memory.c:4803
 do_user_addr_fault+0x489/0x11c0 arch/x86/mm/fault.c:1397
 handle_page_fault arch/x86/mm/fault.c:1484 [inline]
 exc_page_fault+0x9e/0x180 arch/x86/mm/fault.c:1540
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:568

Memory state around the buggy address:
 ffff888019881080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888019881100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888019881180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                          ^
 ffff888019881200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888019881280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
----------------
Code disassembly (best guess):
   0:	f8                   	clc
   1:	e9 8c fd ff ff       	jmpq   0xfffffd92
   6:	4c 89 f7             	mov    %r14,%rdi
   9:	e8 11 9d 6e f8       	callq  0xf86e9d1f
   e:	e9 3a fd ff ff       	jmpq   0xfffffd4d
  13:	cc                   	int3
  14:	cc                   	int3
  15:	cc                   	int3
  16:	cc                   	int3
  17:	cc                   	int3
  18:	cc                   	int3
  19:	cc                   	int3
  1a:	cc                   	int3
  1b:	cc                   	int3
  1c:	cc                   	int3
  1d:	cc                   	int3
  1e:	cc                   	int3
  1f:	eb 07                	jmp    0x28
  21:	0f 00 2d b7 1c 56 00 	verw   0x561cb7(%rip)        # 0x561cdf
  28:	fb                   	sti
  29:	f4                   	hlt
* 2a:	c3                   	retq <-- trapping instruction
  2b:	0f 1f 40 00          	nopl   0x0(%rax)
  2f:	41 54                	push   %r12
  31:	be 08 00 00 00       	mov    $0x8,%esi
  36:	53                   	push   %rbx
  37:	65 48 8b 1c 25 00 70 	mov    %gs:0x27000,%rbx
  3e:	02 00