syzbot

==================================================================
BUG: KASAN: use-after-free in ax25_release+0x5ca/0x870 net/ax25/af_ax25.c:1061
Read of size 8 at addr ffff888148393908 by task syz.4.1367/10675

CPU: 1 PID: 10675 Comm: syz.4.1367 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x188/0x250 lib/dump_stack.c:106
 print_address_description+0x60/0x2d0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xdf/0x130 mm/kasan/report.c:451
 ax25_release+0x5ca/0x870 net/ax25/af_ax25.c:1061
 __sock_release net/socket.c:651 [inline]
 sock_close+0xd5/0x240 net/socket.c:1345
 __fput+0x234/0x930 fs/file_table.c:311
 task_work_run+0x125/0x1a0 kernel/task_work.c:188
 exit_task_work include/linux/task_work.h:33 [inline]
 do_exit+0x626/0x20c0 kernel/exit.c:883
 do_group_exit+0x12e/0x300 kernel/exit.c:997
 get_signal+0x6ca/0x12c0 kernel/signal.c:2900
 arch_do_signal_or_restart+0xe7/0x12c0 arch/x86/kernel/signal.c:867
 handle_signal_work kernel/entry/common.c:154 [inline]
 exit_to_user_mode_loop+0x9e/0x130 kernel/entry/common.c:178
 exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:214
 __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
 syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:307
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fce3ac1aeb9
Code: Unable to access opcode bytes at RIP 0x7fce3ac1ae8f.
RSP: 002b:00007fce38e55028 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: 0000000000000000 RBX: 00007fce3ae96090 RCX: 00007fce3ac1aeb9
RDX: 0000000000000019 RSI: 0000000000000101 RDI: 0000000000000008
RBP: 00007fce3ac88c1f R08: 0000000000000010 R09: 0000000000000000
R10: 00002000000001c0 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fce3ae96128 R14: 00007fce3ae96090 R15: 00007ffe3c36c6e8
 </TASK>

Allocated by task 6448:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc+0xb5/0xf0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:607 [inline]
 kzalloc include/linux/slab.h:738 [inline]
 ax25_dev_device_up+0x50/0x580 net/ax25/ax25_dev.c:55
 ax25_device_event+0x483/0x4f0 net/ax25/af_ax25.c:139
 notifier_call_chain kernel/notifier.c:83 [inline]
 raw_notifier_call_chain+0xcb/0x160 kernel/notifier.c:391
 call_netdevice_notifiers_extack net/core/dev.c:2061 [inline]
 call_netdevice_notifiers net/core/dev.c:2075 [inline]
 __dev_notify_flags+0x194/0x300 net/core/dev.c:8891
 dev_change_flags+0xe3/0x1a0 net/core/dev.c:8929
 dev_ifsioc+0x130/0xd50 net/core/dev_ioctl.c:324
 dev_ioctl+0x545/0xe30 net/core/dev_ioctl.c:572
 sock_do_ioctl+0x245/0x320 net/socket.c:1161
 sock_ioctl+0x4d2/0x710 net/socket.c:1266
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xfa/0x170 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Freed by task 10676:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0xd5/0x110 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1710 [inline]
 slab_free_freelist_hook+0xea/0x170 mm/slub.c:1736
 slab_free mm/slub.c:3504 [inline]
 kfree+0xef/0x2a0 mm/slub.c:4564
 ax25_device_event+0x4b4/0x4f0 net/ax25/af_ax25.c:144
 notifier_call_chain kernel/notifier.c:83 [inline]
 raw_notifier_call_chain+0xcb/0x160 kernel/notifier.c:391
 call_netdevice_notifiers_extack net/core/dev.c:2061 [inline]
 call_netdevice_notifiers net/core/dev.c:2075 [inline]
 __dev_notify_flags+0x158/0x300 net/core/dev.c:8893
 dev_change_flags+0xe3/0x1a0 net/core/dev.c:8929
 dev_ifsioc+0x130/0xd50 net/core/dev_ioctl.c:324
 dev_ioctl+0x545/0xe30 net/core/dev_ioctl.c:572
 sock_do_ioctl+0x245/0x320 net/socket.c:1161
 sock_ioctl+0x4d2/0x710 net/socket.c:1266
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xfa/0x170 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Last potentially related work creation:
 kasan_save_stack+0x35/0x60 mm/kasan/common.c:38
 kasan_record_aux_stack+0xb8/0x100 mm/kasan/generic.c:348
 insert_work+0x54/0x3d0 kernel/workqueue.c:1366
 __queue_work+0x9c5/0xd50 kernel/workqueue.c:1532
 queue_work_on+0x124/0x1f0 kernel/workqueue.c:1559
 queue_work include/linux/workqueue.h:512 [inline]
 call_usermodehelper_exec+0x2e3/0x520 kernel/umh.c:435
 kobject_uevent_env+0x681/0x890 lib/kobject_uevent.c:633
 really_probe+0x77d/0xc80 drivers/base/dd.c:649
 __driver_probe_device+0x18c/0x330 drivers/base/dd.c:755
 driver_probe_device+0x4f/0x420 drivers/base/dd.c:785
 __device_attach_driver+0x2b0/0x500 drivers/base/dd.c:907
 bus_for_each_drv+0x184/0x210 drivers/base/bus.c:429
 __device_attach+0x2a8/0x480 drivers/base/dd.c:979
 bus_probe_device+0xbc/0x1e0 drivers/base/bus.c:489
 device_add+0xa00/0xfb0 drivers/base/core.c:3412
 usb_set_configuration+0x1991/0x1fd0 drivers/usb/core/message.c:2165
 usb_generic_driver_probe+0x89/0x150 drivers/usb/core/generic.c:238
 usb_probe_device+0x139/0x270 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x284/0xc80 drivers/base/dd.c:595
 __driver_probe_device+0x18c/0x330 drivers/base/dd.c:755
 driver_probe_device+0x4f/0x420 drivers/base/dd.c:785
 __device_attach_driver+0x2b0/0x500 drivers/base/dd.c:907
 bus_for_each_drv+0x184/0x210 drivers/base/bus.c:429
 __device_attach+0x2a8/0x480 drivers/base/dd.c:979
 bus_probe_device+0xbc/0x1e0 drivers/base/bus.c:489
 device_add+0xa00/0xfb0 drivers/base/core.c:3412
 usb_new_device+0xd65/0x1660 drivers/usb/core/hub.c:2632
 register_root_hub+0x278/0x580 drivers/usb/core/hcd.c:1021
 usb_add_hcd+0xa88/0xef0 drivers/usb/core/hcd.c:3007
 dummy_hcd_probe+0x130/0x260 drivers/usb/gadget/udc/dummy_hcd.c:2676
 platform_probe+0x137/0x1c0 drivers/base/platform.c:1391
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x284/0xc80 drivers/base/dd.c:595
 __driver_probe_device+0x18c/0x330 drivers/base/dd.c:755
 driver_probe_device+0x4f/0x420 drivers/base/dd.c:785
 __device_attach_driver+0x2b0/0x500 drivers/base/dd.c:907
 bus_for_each_drv+0x184/0x210 drivers/base/bus.c:429
 __device_attach+0x2a8/0x480 drivers/base/dd.c:979
 bus_probe_device+0xbc/0x1e0 drivers/base/bus.c:489
 device_add+0xa00/0xfb0 drivers/base/core.c:3412
 platform_device_add+0x4b9/0x820 drivers/base/platform.c:712
 init+0x2cb/0x10d0 drivers/usb/gadget/udc/dummy_hcd.c:2829
 do_one_initcall+0x272/0x730 init/main.c:1316
 do_initcall_level+0x137/0x1f0 init/main.c:1389
 do_initcalls+0x4b/0x90 init/main.c:1405
 kernel_init_freeable+0x3e9/0x570 init/main.c:1629
 kernel_init+0x19/0x1b0 init/main.c:1520
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

The buggy address belongs to the object at ffff888148393900
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 8 bytes inside of
 192-byte region [ffff888148393900, ffff8881483939c0)
The buggy address belongs to the page:
page:ffffea000520e4c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888148393000 pfn:0x148393
flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000000200 ffffea000526ddc8 ffffea00051dab88 ffff888016c41a00
raw: ffff888148393000 0000000000100007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 8950711939, free_ts 0
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x1bbd/0x1ca0 mm/page_alloc.c:4192
 __alloc_pages+0x1ee/0x480 mm/page_alloc.c:5487
 alloc_page_interleave+0x24/0x1e0 mm/mempolicy.c:2031
 alloc_slab_page mm/slub.c:1780 [inline]
 allocate_slab mm/slub.c:1917 [inline]
 new_slab+0xc0/0x4b0 mm/slub.c:1980
 ___slab_alloc+0x80a/0xdd0 mm/slub.c:3013
 __slab_alloc mm/slub.c:3100 [inline]
 slab_alloc_node mm/slub.c:3191 [inline]
 slab_alloc mm/slub.c:3233 [inline]
 __kmalloc+0x1cd/0x330 mm/slub.c:4408
 kmalloc include/linux/slab.h:612 [inline]
 usb_alloc_urb+0x3f/0x140 drivers/usb/core/urb.c:74
 usb_internal_control_msg drivers/usb/core/message.c:95 [inline]
 usb_control_msg+0x115/0x3e0 drivers/usb/core/message.c:153
 usb_get_string+0xa1/0x3c0 drivers/usb/core/message.c:843
 usb_string_sub+0x76/0x420 drivers/usb/core/message.c:882
 usb_string+0x38b/0x760 drivers/usb/core/message.c:987
 usb_cache_string+0x7b/0xf0 drivers/usb/core/message.c:1029
 usb_enumerate_device drivers/usb/core/hub.c:2477 [inline]
 usb_new_device+0x352/0x1660 drivers/usb/core/hub.c:2602
 register_root_hub+0x278/0x580 drivers/usb/core/hcd.c:1021
 usb_add_hcd+0xa88/0xef0 drivers/usb/core/hcd.c:3007
 dummy_hcd_probe+0x130/0x260 drivers/usb/gadget/udc/dummy_hcd.c:2676
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888148393800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888148393880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888148393900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff888148393980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888148393a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================