linux-mm.kvack.org archive mirror
From: syzbot <syzbot+ac1ff64591d23db965f7@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, dvyukov@google.com, elver@google.com,
	 glider@google.com, kasan-dev@googlegroups.com, kees@kernel.org,
	 linux-kernel@vger.kernel.org, linux-mm@kvack.org,
	 syzkaller-bugs@googlegroups.com
Subject: [syzbot] [kasan?] [mm?] WARNING in __kfence_free (4)
Date: Mon, 23 Feb 2026 20:48:33 -0800
Message-ID: <699d2da1.a00a0220.121a60.00f4.GAE@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    8bf22c33e7a1 Merge tag 'net-7.0-rc1' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1220195a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1bd834155be39cb
dashboard link: https://syzkaller.appspot.com/bug?extid=ac1ff64591d23db965f7
compiler:       aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/fa3fbcfdac58/non_bootable_disk-8bf22c33.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/80710eccc853/vmlinux-8bf22c33.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9a174aad260d/Image-8bf22c33.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ac1ff64591d23db965f7@syzkaller.appspotmail.com

soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
------------[ cut here ]------------
WARNING: mm/kfence/core.c:1224 at __kfence_free+0x60/0x100 mm/kfence/core.c:1244, CPU#1: syz-executor/3322
Modules linked in:
CPU: 1 UID: 0 PID: 3322 Comm: syz-executor Not tainted syzkaller #0 PREEMPT 
Hardware name: linux,dummy-virt (DT)
pstate: 81402009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : __kfence_free+0x60/0x100 mm/kfence/core.c:1224
lr : kfence_free include/linux/kfence.h:187 [inline]
lr : slab_free_hook mm/slub.c:2625 [inline]
lr : slab_free mm/slub.c:6124 [inline]
lr : kfree+0x3bc/0x3f4 mm/slub.c:6442
sp : ffff800089acbab0
Call trace:
 __kfence_free+0x60/0x100 mm/kfence/core.c:1244 (P)
 kfence_free include/linux/kfence.h:187 [inline]
 slab_free_hook mm/slub.c:2625 [inline]
 slab_free mm/slub.c:6124 [inline]
 kfree+0x3bc/0x3f4 mm/slub.c:6442
 kvfree+0x3c/0x58 mm/slub.c:6760
 xt_free_table_info+0x80/0x90 net/netfilter/x_tables.c:1213
 __do_replace+0x250/0x310 net/ipv4/netfilter/ip_tables.c:1084
 do_replace net/ipv6/netfilter/ip6_tables.c:1158 [inline]
 do_ip6t_set_ctl+0x374/0x418 net/ipv6/netfilter/ip6_tables.c:1644
 nf_setsockopt+0x68/0xb0 net/netfilter/nf_sockopt.c:101
 ipv6_setsockopt+0x90/0xe4 net/ipv6/ipv6_sockglue.c:978
 tcp_setsockopt+0x20/0x3c net/ipv4/tcp.c:4217
 sock_common_setsockopt+0x1c/0x28 net/core/sock.c:3973
 do_sock_setsockopt+0xa4/0x198 net/socket.c:2322
 __sys_setsockopt+0x7c/0x100 net/socket.c:2347
 __do_sys_setsockopt net/socket.c:2353 [inline]
 __se_sys_setsockopt net/socket.c:2350 [inline]
 __arm64_sys_setsockopt+0x28/0x40 net/socket.c:2350
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x48/0x104 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
 el0_svc+0x34/0x124 arch/arm64/kernel/entry-common.c:724
 el0t_64_sync_handler+0xa0/0xf0 arch/arm64/kernel/entry-common.c:743
 el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:596
---[ end trace 0000000000000000 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

