==================================================================
BUG: KASAN: slab-use-after-free in __ethtool_get_link_ksettings+0x230/0x250
Read of size 1 at addr ffff888176378e09 by task kworker/0:7/15845

CPU: 0 UID: 0 PID: 15845 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: events smc_ib_port_event_work
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150
 print_address_description+0x55/0x1e0
 print_report+0x58/0x70
 kasan_report+0x117/0x150
 __ethtool_get_link_ksettings+0x230/0x250
 __ethtool_get_link_ksettings+0x11f/0x250
 ib_get_eth_speed+0x180/0x7f0
 rxe_query_port+0x93/0x3d0
 ib_query_port+0x16e/0x830
 smc_ib_port_event_work+0x147/0x920
 process_scheduled_works+0xa8e/0x14e0
 worker_thread+0xa47/0xfb0
 kthread+0x388/0x470
 ret_from_fork+0x514/0xb70
 ret_from_fork_asm+0x1a/0x30
 </TASK>

Allocated by task 6473:
 kasan_save_track+0x3e/0x80
 __kasan_kmalloc+0x93/0xb0
 __kvmalloc_node_noprof+0x53f/0x860
 alloc_netdev_mqs+0xa9/0x12b0
 rtnl_create_link+0x321/0xd70
 rtnl_newlink_create+0x25f/0xb00
 rtnl_newlink+0x167f/0x1bd0
 rtnetlink_rcv_msg+0x802/0xc00
 netlink_rcv_skb+0x226/0x4a0
 netlink_unicast+0x7bb/0x940
 netlink_sendmsg+0x813/0xb40
 sock_sendmsg_nosec+0x13a/0x180
 __sys_sendto+0x408/0x5a0
 __x64_sys_sendto+0xde/0x100
 do_syscall_64+0x174/0x580
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 14665:
 kasan_save_track+0x3e/0x80
 kasan_save_free_info+0x40/0x50
 __kasan_slab_free+0x5c/0x80
 kfree+0x1c5/0x640
 device_release+0xc4/0x1f0
 kobject_put+0x222/0x550
 netdev_run_todo+0xf56/0x10d0
 default_device_exit_batch+0x966/0x9e0
 ops_undo_list+0x4b4/0x8d0
 cleanup_net+0x572/0x810
 process_scheduled_works+0xa8e/0x14e0
 worker_thread+0xa47/0xfb0
 kthread+0x388/0x470
 ret_from_fork+0x514/0xb70
 ret_from_fork_asm+0x1a/0x30

The buggy address belongs to the object at ffff888176378000
 which belongs to the cache kmalloc-cg-4k of size 4096
The buggy address is located 3593 bytes inside of
 freed 4096-byte region [ffff888176378000, ffff888176379000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88817637a000 pfn:0x176378
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888176379011
flags: 0x57ff00000000240(workingset|head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000240 ffff88810005d500 ffffea0006690810 ffffea0006409410
raw: ffff88817637a000 0000200000040003 00000000f5000000 ffff888176379011
head: 057ff00000000240 ffff88810005d500 ffffea0006690810 ffffea0006409410
head: ffff88817637a000 0000200000040003 00000000f5000000 ffff888176379011
head: 057ff00000000003 fffffffffffffe01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 29406, tgid 29406 (syz-executor), ts 879670445689, free_ts 877906531609
 post_alloc_hook+0x1f9/0x250
 get_page_from_freelist+0x21fa/0x2270
 __alloc_frozen_pages_noprof+0x18d/0x380
 allocate_slab+0x79/0x5e0
 refill_objects+0x2d5/0x350
 __pcs_replace_empty_main+0x2bf/0x6b0
 __kmalloc_cache_noprof+0x3a7/0x660
 ipv6_add_dev+0x6aa/0x13a0
 addrconf_notify+0x771/0x1050
 notifier_call_chain+0x1a5/0x3d0
 register_netdevice+0x18a4/0x1eb0
 rtnl_newlink_create+0x31f/0xb00
 rtnl_newlink+0x167f/0x1bd0
 rtnetlink_rcv_msg+0x802/0xc00
 netlink_rcv_skb+0x226/0x4a0
 netlink_unicast+0x7bb/0x940
page last free pid 29392 tgid 29391 stack trace:
 __free_frozen_pages+0xc1e/0xd10
 __slab_free+0x274/0x2c0
 qlist_free_all+0x99/0x100
 kasan_quarantine_reduce+0x148/0x160
 __kasan_slab_alloc+0x22/0x80
 __kmalloc_cache_node_noprof+0x354/0x630
 __get_vm_area_node+0x136/0x300
 __vmalloc_node_range_noprof+0x358/0x1730
 __vmalloc_noprof+0xd2/0x120
 bpf_prog_alloc_no_stats+0x47/0x4f0
 bpf_prog_alloc+0x3c/0x1a0
 bpf_prog_load+0x7f8/0x1c00
 __sys_bpf+0xd0d/0xd90
 __x64_sys_bpf+0xba/0xd0
 do_syscall_64+0x174/0x580
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888176378d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888176378d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888176378e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff888176378e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888176378f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
