==================================================================
BUG: KASAN: slab-use-after-free in af_alg_pull_tsgl+0xc4/0x25c crypto/af_alg.c:712
Read at addr f9f000000776cc00 by task syz.1.11649/2416
Pointer tag: [f9], memory tag: [fb]

CPU: 0 UID: 0 PID: 2416 Comm: syz.1.11649 Not tainted syzkaller #0 PREEMPT
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace arch/arm64/kernel/stacktrace.c:498 [inline] (C)
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x60/0x80 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x1c4/0x4b0 mm/kasan/report.c:482
 kasan_report+0x84/0xac mm/kasan/report.c:595
 report_tag_fault arch/arm64/mm/fault.c:330 [inline]
 do_tag_recovery arch/arm64/mm/fault.c:342 [inline]
 __do_kernel_fault+0x174/0x1c8 arch/arm64/mm/fault.c:384
 do_bad_area+0x68/0x78 arch/arm64/mm/fault.c:484
 do_tag_check_fault+0x34/0x44 arch/arm64/mm/fault.c:857
 do_mem_abort+0x40/0x90 arch/arm64/mm/fault.c:933
 el1_abort+0x44/0x70 arch/arm64/kernel/entry-common.c:303
 el1h_64_sync_handler+0x50/0xac arch/arm64/kernel/entry-common.c:437
 el1h_64_sync+0x6c/0x70 arch/arm64/kernel/entry.S:591
 af_alg_pull_tsgl+0xc4/0x25c crypto/af_alg.c:712 (P)
 _skcipher_recvmsg crypto/algif_skcipher.c:152 [inline]
 skcipher_recvmsg+0x188/0x474 crypto/algif_skcipher.c:221
 sock_recvmsg_nosec net/socket.c:1078 [inline]
 sock_recvmsg net/socket.c:1100 [inline]
 sock_recvmsg net/socket.c:1096 [inline]
 __sys_recvfrom+0x158/0x1a8 net/socket.c:2256
 __do_sys_recvfrom net/socket.c:2271 [inline]
 __se_sys_recvfrom net/socket.c:2267 [inline]
 __arm64_sys_recvfrom+0x24/0x38 net/socket.c:2267
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x48/0x104 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
 el0_svc+0x34/0x124 arch/arm64/kernel/entry-common.c:724
 el0t_64_sync_handler+0xa0/0xf0 arch/arm64/kernel/entry-common.c:743
 el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:596

Allocated by task 2392:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:57
 save_stack_info+0x40/0x160 mm/kasan/tags.c:106
 kasan_save_alloc_info+0x14/0x20 mm/kasan/tags.c:142
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 poison_kmalloc_redzone mm/kasan/common.c:371 [inline]
 __kasan_kmalloc+0xf8/0x120 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5260 [inline]
 __kmalloc_node_track_caller_noprof+0x200/0x570 mm/slub.c:5368
 kmemdup_noprof+0x34/0x60 mm/util.c:138
 kmemdup_noprof include/linux/fortify-string.h:763 [inline]
 shmem_symlink+0x130/0x2d8 mm/shmem.c:4133
 vfs_symlink fs/namei.c:5621 [inline]
 vfs_symlink+0xa0/0x188 fs/namei.c:5600
 filename_symlinkat+0x118/0x200 fs/namei.c:5646
 __do_sys_symlinkat fs/namei.c:5666 [inline]
 __se_sys_symlinkat fs/namei.c:5661 [inline]
 __arm64_sys_symlinkat+0x54/0x84 fs/namei.c:5661
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x48/0x104 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
 el0_svc+0x34/0x124 arch/arm64/kernel/entry-common.c:724
 el0t_64_sync_handler+0xa0/0xf0 arch/arm64/kernel/entry-common.c:743
 el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:596

Freed by task 3316:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:57
 save_stack_info+0x40/0x160 mm/kasan/tags.c:106
 kasan_save_free_info+0x18/0x40 mm/kasan/tags.c:147
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0xe8/0x160 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2685 [inline]
 slab_free mm/slub.c:6165 [inline]
 kfree+0x140/0x3f4 mm/slub.c:6483
 shmem_free_in_core_inode+0x4c/0x6c mm/shmem.c:5176
 i_callback+0x1c/0x44 fs/inode.c:326
 rcu_do_batch kernel/rcu/tree.c:2617 [inline]
 rcu_core+0x214/0x560 kernel/rcu/tree.c:2869
 rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2886
 handle_softirqs+0x100/0x244 kernel/softirq.c:622
 __do_softirq+0x14/0x20 kernel/softirq.c:656

The buggy address belongs to the object at fff000000776cc00
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
 32-byte region [fff000000776cc00, fff000000776cc20)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4776c
flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
page_type: f5(slab)
raw: 01ffc00000000000 f0f0000003401500 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800800080 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 fff000000776ca00: f1 f1 f3 f3 f7 f7 f4 f4 f6 f6 fc fc f0 f0 f0 f0
 fff000000776cb00: f4 f4 f6 f6 f4 f4 fa fa fd fd f0 f0 f0 f0 f9 f9
>fff000000776cc00: fb fb f4 f4 fa fa f9 f9 fa fa fa fa f4 f4 f6 f6
                   ^
 fff000000776cd00: f8 f8 f3 f3 fd fd f4 f4 f6 f6 f1 f1 f1 f1 f9 f9
 fff000000776ce00: fd fd f7 f7 fc fc f5 f5 f8 f8 f6 f6 fb fb f4 f4
==================================================================