syzbot

==================================================================
BUG: KASAN: use-after-free in ax25_release+0x5ca/0x870 net/ax25/af_ax25.c:1061
Read of size 8 at addr ffff8880199cd808 by task syz.3.639/6703

CPU: 1 PID: 6703 Comm: syz.3.639 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0x188/0x250 lib/dump_stack.c:106
 print_address_description+0x60/0x2d0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xdf/0x130 mm/kasan/report.c:451
 ax25_release+0x5ca/0x870 net/ax25/af_ax25.c:1061
 __sock_release net/socket.c:651 [inline]
 sock_close+0xd5/0x240 net/socket.c:1345
 __fput+0x234/0x930 fs/file_table.c:311
 task_work_run+0x125/0x1a0 kernel/task_work.c:188
 get_signal+0x1222/0x12c0 kernel/signal.c:2672
 arch_do_signal_or_restart+0xe7/0x12c0 arch/x86/kernel/signal.c:867
 handle_signal_work kernel/entry/common.c:154 [inline]
 exit_to_user_mode_loop+0x9e/0x130 kernel/entry/common.c:178
 exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:214
 __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
 syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:307
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fce38ad2819
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fce36d2c028 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: fffffffffffffe00 RBX: 00007fce38d4bfa0 RCX: 00007fce38ad2819
RDX: 0000000000000014 RSI: 00002000000000c0 RDI: 000000000000000c
RBP: 00007fce38b68c91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fce38d4c038 R14: 00007fce38d4bfa0 R15: 00007ffc68783098
 </TASK>

Allocated by task 6706:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc+0xb5/0xf0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:607 [inline]
 kzalloc include/linux/slab.h:738 [inline]
 ax25_dev_device_up+0x50/0x580 net/ax25/ax25_dev.c:55
 ax25_device_event+0x483/0x4f0 net/ax25/af_ax25.c:139
 notifier_call_chain kernel/notifier.c:83 [inline]
 raw_notifier_call_chain+0xcb/0x160 kernel/notifier.c:391
 call_netdevice_notifiers_extack net/core/dev.c:2074 [inline]
 call_netdevice_notifiers net/core/dev.c:2088 [inline]
 __dev_notify_flags+0x194/0x300 net/core/dev.c:8917
 dev_change_flags+0xe3/0x1a0 net/core/dev.c:8955
 dev_ifsioc+0x130/0xd50 net/core/dev_ioctl.c:324
 dev_ioctl+0x545/0xe30 net/core/dev_ioctl.c:572
 sock_do_ioctl+0x245/0x320 net/socket.c:1161
 sock_ioctl+0x4d2/0x710 net/socket.c:1266
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xfa/0x170 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Freed by task 6706:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0xd5/0x110 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1710 [inline]
 slab_free_freelist_hook+0xea/0x170 mm/slub.c:1736
 slab_free mm/slub.c:3504 [inline]
 kfree+0xef/0x2a0 mm/slub.c:4564
 ax25_device_event+0x4b4/0x4f0 net/ax25/af_ax25.c:144
 notifier_call_chain kernel/notifier.c:83 [inline]
 raw_notifier_call_chain+0xcb/0x160 kernel/notifier.c:391
 call_netdevice_notifiers_extack net/core/dev.c:2074 [inline]
 call_netdevice_notifiers net/core/dev.c:2088 [inline]
 __dev_notify_flags+0x158/0x300 net/core/dev.c:8919
 dev_change_flags+0xe3/0x1a0 net/core/dev.c:8955
 dev_ifsioc+0x130/0xd50 net/core/dev_ioctl.c:324
 dev_ioctl+0x545/0xe30 net/core/dev_ioctl.c:572
 sock_do_ioctl+0x245/0x320 net/socket.c:1161
 sock_ioctl+0x4d2/0x710 net/socket.c:1266
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xfa/0x170 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Last potentially related work creation:
 kasan_save_stack+0x35/0x60 mm/kasan/common.c:38
 kasan_record_aux_stack+0xb8/0x100 mm/kasan/generic.c:348
 insert_work+0x54/0x3d0 kernel/workqueue.c:1366
 __queue_work+0x9c5/0xd50 kernel/workqueue.c:1532
 queue_work_on+0x124/0x1f0 kernel/workqueue.c:1559
 queue_work include/linux/workqueue.h:512 [inline]
 netdevice_queue_work drivers/infiniband/core/roce_gid_mgmt.c:659 [inline]
 netdevice_event+0x803/0x900 drivers/infiniband/core/roce_gid_mgmt.c:802
 notifier_call_chain kernel/notifier.c:83 [inline]
 raw_notifier_call_chain+0xcb/0x160 kernel/notifier.c:391
 call_netdevice_notifiers_extack net/core/dev.c:2074 [inline]
 call_netdevice_notifiers net/core/dev.c:2088 [inline]
 register_netdevice+0x12a6/0x1710 net/core/dev.c:10454
 veth_newlink+0x6bc/0xe30 drivers/net/veth.c:1683
 __rtnl_newlink net/core/rtnetlink.c:3526 [inline]
 rtnl_newlink+0x1359/0x1a50 net/core/rtnetlink.c:3574
 rtnetlink_rcv_msg+0x844/0xf30 net/core/rtnetlink.c:5684
 netlink_rcv_skb+0x1f5/0x440 net/netlink/af_netlink.c:2507
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x774/0x920 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x8ba/0xbe0 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:706 [inline]
 __sock_sendmsg net/socket.c:718 [inline]
 __sys_sendto+0x46d/0x620 net/socket.c:2072
 __do_sys_sendto net/socket.c:2084 [inline]
 __se_sys_sendto net/socket.c:2080 [inline]
 __x64_sys_sendto+0xda/0xf0 net/socket.c:2080
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

The buggy address belongs to the object at ffff8880199cd800
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 8 bytes inside of
 192-byte region [ffff8880199cd800, ffff8880199cd8c0)
The buggy address belongs to the page:
page:ffffea0000667340 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x199cd
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea00009281c0 0000000300000003 ffff888016c41a00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 2518059739, free_ts 0
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x1bbd/0x1ca0 mm/page_alloc.c:4192
 __alloc_pages+0x1ee/0x480 mm/page_alloc.c:5501
 alloc_page_interleave+0x24/0x1e0 mm/mempolicy.c:2031
 alloc_slab_page mm/slub.c:1780 [inline]
 allocate_slab mm/slub.c:1917 [inline]
 new_slab+0xc0/0x4b0 mm/slub.c:1980
 ___slab_alloc+0x80a/0xdd0 mm/slub.c:3013
 __slab_alloc mm/slub.c:3100 [inline]
 slab_alloc_node mm/slub.c:3191 [inline]
 slab_alloc mm/slub.c:3233 [inline]
 __kmalloc_track_caller+0x1cb/0x330 mm/slub.c:4930
 __do_krealloc mm/slab_common.c:1244 [inline]
 krealloc+0x5a/0xf0 mm/slab_common.c:1277
 add_sysfs_param+0xe8/0x930 kernel/params.c:651
 kernel_add_sysfs_param+0xaf/0x120 kernel/params.c:812
 param_sysfs_builtin+0x183/0x200 kernel/params.c:851
 param_sysfs_init+0x66/0x70 kernel/params.c:972
 do_one_initcall+0x272/0x730 init/main.c:1316
 do_initcall_level+0x137/0x1f0 init/main.c:1389
 do_initcalls+0x4b/0x90 init/main.c:1405
 kernel_init_freeable+0x3e9/0x570 init/main.c:1629
 kernel_init+0x19/0x1b0 init/main.c:1520
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8880199cd700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880199cd780: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880199cd800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff8880199cd880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880199cd900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================