==================================================================
BUG: KASAN: slab-out-of-bounds in tcp_retransmit_timer+0x2d30/0x3220 net/ipv4/tcp_timer.c:499
Read of size 8 at addr ffff888086fa0310 by task syz-executor.2/15630

CPU: 1 PID: 15630 Comm: syz-executor.2 Not tainted 5.9.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fd lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 tcp_retransmit_timer+0x2d30/0x3220 net/ipv4/tcp_timer.c:499
 tcp_write_timer_handler+0x79b/0xa60 net/ipv4/tcp_timer.c:610
 tcp_write_timer+0xa2/0x2b0 net/ipv4/tcp_timer.c:630
 call_timer_fn+0x1ac/0x760 kernel/time/timer.c:1413
 expire_timers kernel/time/timer.c:1458 [inline]
 __run_timers.part.0+0x67c/0xaa0 kernel/time/timer.c:1755
 __run_timers kernel/time/timer.c:1736 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1768
 __do_softirq+0x1f8/0xb23 kernel/softirq.c:298
 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
 do_softirq_own_stack+0x9d/0xd0 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:393 [inline]
 __irq_exit_rcu kernel/softirq.c:423 [inline]
 irq_exit_rcu+0x235/0x280 kernel/softirq.c:435
 sysvec_apic_timer_interrupt+0x51/0xf0 arch/x86/kernel/apic/apic.c:1091
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:581
RIP: 0010:lock_acquire+0x32/0xaf0 kernel/locking/lockdep.c:5000
Code: 55 41 89 f5 41 54 41 89 cc 55 48 89 fd 53 44 89 c3 48 81 ec b8 00 00 00 48 8d 44 24 18 4c 89 0c 24 48 c7 44 24 18 b3 8a b5 41 <48> c1 e8 03 48 89 44 24 08 48 89 c6 48 b8 00 00 00 00 00 fc ff df
RSP: 0018:ffffc90005877610 EFLAGS: 00000282
RAX: ffffc90005877628 RBX: 0000000000000000 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8a068440
RBP: ffffffff8a068440 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 rcu_lock_acquire include/linux/rcupdate.h:241 [inline]
 rcu_read_lock include/linux/rcupdate.h:634 [inline]
 lock_page_memcg+0x63/0x260 mm/memcontrol.c:2094
 page_remove_rmap+0x25/0x1690 mm/rmap.c:1328
 zap_pte_range mm/memory.c:1093 [inline]
 zap_pmd_range mm/memory.c:1197 [inline]
 zap_pud_range mm/memory.c:1226 [inline]
 zap_p4d_range mm/memory.c:1247 [inline]
 unmap_page_range+0xf6b/0x2bf0 mm/memory.c:1268
 unmap_single_vma+0x198/0x300 mm/memory.c:1313
 unmap_vmas+0x168/0x2e0 mm/memory.c:1345
 exit_mmap+0x2b1/0x530 mm/mmap.c:3183
 __mmput+0x122/0x470 kernel/fork.c:1076
 mmput+0x53/0x60 kernel/fork.c:1097
 exit_mm kernel/exit.c:483 [inline]
 do_exit+0xa8b/0x29f0 kernel/exit.c:793
 do_group_exit+0x125/0x310 kernel/exit.c:903
 get_signal+0x428/0x1f00 kernel/signal.c:2757
 arch_do_signal+0x82/0x2520 arch/x86/kernel/signal.c:811
 exit_to_user_mode_loop kernel/entry/common.c:161 [inline]
 exit_to_user_mode_prepare+0x1ae/0x200 kernel/entry/common.c:192
 syscall_exit_to_user_mode+0x7e/0x2e0 kernel/entry/common.c:267
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45de59
Code: Bad RIP value.
RSP: 002b:00007f37097e0c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: 000000000000002e RBX: 000000000002e400 RCX: 000000000045de59
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 000000000118c0b0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118c07c
R13: 00007fffe9d5e9df R14: 00007f37097e19c0 R15: 000000000118c07c

Allocated by task 1:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
 slab_post_alloc_hook mm/slab.h:518 [inline]
 slab_alloc mm/slab.c:3312 [inline]
 kmem_cache_alloc+0x13a/0x3f0 mm/slab.c:3482
 getname_flags.part.0+0x50/0x4f0 fs/namei.c:138
 getname_flags include/linux/audit.h:320 [inline]
 getname+0x8e/0xd0 fs/namei.c:209
 do_sys_openat2+0xf5/0x420 fs/open.c:1162
 do_sys_open fs/open.c:1184 [inline]
 __do_sys_open fs/open.c:1192 [inline]
 __se_sys_open fs/open.c:1188 [inline]
 __x64_sys_open+0x119/0x1c0 fs/open.c:1188
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 1:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
 __cache_free mm/slab.c:3418 [inline]
 kmem_cache_free.part.0+0x74/0x1e0 mm/slab.c:3693
 putname+0xe1/0x120 fs/namei.c:259
 do_sys_openat2+0x153/0x420 fs/open.c:1177
 do_sys_open fs/open.c:1184 [inline]
 __do_sys_open fs/open.c:1192 [inline]
 __se_sys_open fs/open.c:1188 [inline]
 __x64_sys_open+0x119/0x1c0 fs/open.c:1188
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff888086fa0e00
 which belongs to the cache names_cache of size 4096
The buggy address is located 2800 bytes to the left of
 4096-byte region [ffff888086fa0e00, ffff888086fa1e00)
The buggy address belongs to the page:
page:000000000dd90944 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x86fa0
head:000000000dd90944 order:1 compound_mapcount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea000161cb88 ffffea00027d9988 ffff8880aa221c00
raw: 0000000000000000 ffff888086fa0e00 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888086fa0200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888086fa0280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888086fa0300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffff888086fa0380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888086fa0400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================