==================================================================
BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x1aa1/0x22d0
Read of size 8 at addr ffff888043f8fd40 by task syz-executor.3/8277

CPU: 1 PID: 8277 Comm: syz-executor.3 Not tainted 6.2.0-rc8-next-20230217 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 dump_stack_lvl+0x91/0xf0
 print_report+0xcc/0x620
 kasan_report+0xc0/0xf0
 unwind_next_frame+0x1aa1/0x22d0
 arch_stack_walk+0x87/0xf0
 stack_trace_save+0x90/0xd0
 kasan_save_stack+0x22/0x50
 __kasan_record_aux_stack+0x95/0xb0
 __call_rcu_common.constprop.0+0x6a/0xa70
 kmem_cache_free+0xb9/0x510
 rcu_core+0x822/0x1d40
 __do_softirq+0x258/0x8a2
 __irq_exit_rcu+0xcc/0x110
 irq_exit_rcu+0x9/0x20
 sysvec_apic_timer_interrupt+0x6e/0x90
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:kasan_check_range+0x15e/0x1d0
Code: d0 49 39 c2 0f 85 f3 fe ff ff 4c 89 c8 49 0f be 12 83 e0 07 48 39 d0 0f 8d e0 fe ff ff 41 bb 01 00 00 00 5b 5d 44 89 d8 41 5c <e9> d1 8e c9 02 48 85 d2 74 e9 48 01 ea eb 09 48 83 c0 01 48 39 d0
RSP: 0018:ffff888043f8fca8 EFLAGS: 00000246
RAX: 0000000000000001 RBX: 0000000000000001 RCX: ffffffff812c56d2
RDX: fffffbfff0ba4bcb RSI: 0000000000000008 RDI: ffffffff85d25e50
RBP: ffff88800846b948 R08: 0000000000000000 R09: ffffffff85d25e57
R10: fffffbfff0ba4bca R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffffffff81a7dd99
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 41b58ab3:kernfs_remove_by_name_ns+0x89/0x130
RSP: 0018:ffffffff8448da90 EFLAGS: ffffffff85236845 ORIG_RAX: ffffffff8448db22
RAX: ffff88800846b8d8 RBX: ffffffff81a7dd99 RCX: dffffc0000000000
RDX: ffff888016944640 RSI: 0000000000000000 RDI: ffff888008852040
RBP: 0000000000000000 R08: 1ffff110087f1fa8 R09: 0000000000000000
R10: ffffffff81a7dd99 R11: ffffffff812d60b2 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88800846b948 R15: 0000000000000001

The buggy address belongs to stack of task syz-executor.3/8277
 and is located at offset 0 in frame:
 down_write+0x0/0x1f0

This frame has 1 object:
 [32, 40) 'tmp'

The buggy address belongs to the physical page:
page:000000007f62505d refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43f8f
flags: 0x100000000000000(node=0|zone=1)
raw: 0100000000000000 0000000000000000 ffffea00010fe3c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888043f8fc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888043f8fc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888043f8fd00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f3 f3 f3
                                           ^
 ffff888043f8fd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888043f8fe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
==================================================================
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.6'.
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:   49 39 c2                cmp    %rax,%r10
   3:   0f 85 f3 fe ff ff       jne    0xfffffefc
   9:   4c 89 c8                mov    %r9,%rax
   c:   49 0f be 12             movsbq (%r10),%rdx
  10:   83 e0 07                and    $0x7,%eax
  13:   48 39 d0                cmp    %rdx,%rax
  16:   0f 8d e0 fe ff ff       jge    0xfffffefc
  1c:   41 bb 01 00 00 00       mov    $0x1,%r11d
  22:   5b                      pop    %rbx
  23:   5d                      pop    %rbp
  24:   44 89 d8                mov    %r11d,%eax
  27:   41 5c                   pop    %r12
* 29:   e9 d1 8e c9 02          jmpq   0x2c98eff <-- trapping instruction
  2e:   48 85 d2                test   %rdx,%rdx
  31:   74 e9                   je     0x1c
  33:   48 01 ea                add    %rbp,%rdx
  36:   eb 09                   jmp    0x41
  38:   48 83 c0 01             add    $0x1,%rax
  3c:   48 39 d0                cmp    %rdx,%rax