syzbot

==================================================================
BUG: KASAN: use-after-free in rose_get_neigh+0x17e/0x550 net/rose/rose_route.c:692
Read of size 1 at addr ffff8880304d4430 by task syz.5.708/7199

CPU: 0 PID: 7199 Comm: syz.5.708 Not tainted 6.1.143-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:316 [inline]
 print_report+0xa8/0x220 mm/kasan/report.c:427
 kasan_report+0x10b/0x140 mm/kasan/report.c:531
 rose_get_neigh+0x17e/0x550 net/rose/rose_route.c:692
 rose_connect+0x412/0x1380 net/rose/af_rose.c:816
 __sys_connect_file net/socket.c:2011 [inline]
 __sys_connect+0x389/0x410 net/socket.c:2028
 __do_sys_connect net/socket.c:2038 [inline]
 __se_sys_connect net/socket.c:2035 [inline]
 __x64_sys_connect+0x76/0x80 net/socket.c:2035
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7efc5838e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007efc59158038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007efc585b6080 RCX: 00007efc5838e929
RDX: 000000000000001c RSI: 0000200000000040 RDI: 000000000000000f
RBP: 00007efc58410b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007efc585b6080 R15: 00007ffea5a73118
 </TASK>

Allocated by task 6512:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x8e/0xa0 mm/kasan/common.c:383
 kmalloc include/linux/slab.h:563 [inline]
 rose_add_node+0x227/0xdb0 net/rose/rose_route.c:85
 rose_rt_ioctl+0xa4c/0xe90 net/rose/rose_route.c:747
 rose_ioctl+0x27a/0x790 net/rose/af_rose.c:1380
 sock_do_ioctl+0xd3/0x2f0 net/socket.c:1204
 sock_ioctl+0x4ed/0x6e0 net/socket.c:1321
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl+0xfa/0x170 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Freed by task 7199:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x2d/0x50 mm/kasan/generic.c:516
 ____kasan_slab_free+0x126/0x1e0 mm/kasan/common.c:236
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1724 [inline]
 slab_free_freelist_hook+0x131/0x1a0 mm/slub.c:1750
 slab_free mm/slub.c:3661 [inline]
 __kmem_cache_free+0xb6/0x1f0 mm/slub.c:3674
 rose_rt_device_down+0x3e5/0x430 net/rose/rose_route.c:522
 rose_device_event+0x600/0x690 net/rose/af_rose.c:248
 notifier_call_chain kernel/notifier.c:87 [inline]
 raw_notifier_call_chain+0xcb/0x160 kernel/notifier.c:455
 call_netdevice_notifiers_extack net/core/dev.c:2039 [inline]
 call_netdevice_notifiers net/core/dev.c:2053 [inline]
 __dev_notify_flags+0x178/0x2d0 net/core/dev.c:-1
 dev_change_flags+0xe3/0x1a0 net/core/dev.c:8702
 dev_ifsioc+0x159/0xe90 net/core/dev_ioctl.c:327
 dev_ioctl+0x578/0xea0 net/core/dev_ioctl.c:588
 sock_do_ioctl+0x222/0x2f0 net/socket.c:1218
 sock_ioctl+0x4ed/0x6e0 net/socket.c:1321
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl+0xfa/0x170 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Last potentially related work creation:
 kasan_save_stack+0x3a/0x60 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xb2/0xc0 mm/kasan/generic.c:486
 insert_work+0x54/0x3c0 kernel/workqueue.c:1361
 __queue_work+0xba3/0xfb0 kernel/workqueue.c:1520
 call_timer_fn+0x1a0/0x670 kernel/time/timer.c:1504
 expire_timers kernel/time/timer.c:1544 [inline]
 __run_timers+0x550/0x7c0 kernel/time/timer.c:1820
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1833
 handle_softirqs+0x2a1/0x920 kernel/softirq.c:596
 __do_softirq kernel/softirq.c:630 [inline]
 invoke_softirq kernel/softirq.c:470 [inline]
 __irq_exit_rcu+0x12f/0x220 kernel/softirq.c:679
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:691
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1118
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:691

The buggy address belongs to the object at ffff8880304d4400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 48 bytes inside of
 512-byte region [ffff8880304d4400, ffff8880304d4600)

The buggy address belongs to the physical page:
page:ffffea0000c13500 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880304d5400 pfn:0x304d4
head:ffffea0000c13500 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea00009ba408 ffffea00015e2b08 ffff888017441c80
raw: ffff8880304d5400 0000000000100005 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 4266, tgid 4266 (syz-executor), ts 87523936344, free_ts 83673609305
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x173/0x1a0 mm/page_alloc.c:2532
 prep_new_page mm/page_alloc.c:2539 [inline]
 get_page_from_freelist+0x1a26/0x1ac0 mm/page_alloc.c:4328
 __alloc_pages+0x1df/0x4e0 mm/page_alloc.c:5614
 alloc_slab_page+0x5d/0x160 mm/slub.c:1794
 allocate_slab mm/slub.c:1939 [inline]
 new_slab+0x87/0x2c0 mm/slub.c:1992
 ___slab_alloc+0xbc6/0x1220 mm/slub.c:3180
 __slab_alloc mm/slub.c:3279 [inline]
 slab_alloc_node mm/slub.c:3364 [inline]
 __kmem_cache_alloc_node+0x1a0/0x260 mm/slub.c:3437
 __do_kmalloc_node mm/slab_common.c:935 [inline]
 __kmalloc_node_track_caller+0x9e/0x230 mm/slab_common.c:956
 kmalloc_reserve net/core/skbuff.c:446 [inline]
 __alloc_skb+0x22a/0x7e0 net/core/skbuff.c:515
 alloc_skb include/linux/skbuff.h:1271 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline]
 netlink_sendmsg+0x645/0xbc0 net/netlink/af_netlink.c:1834
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg net/socket.c:730 [inline]
 __sys_sendto+0x44f/0x5c0 net/socket.c:2153
 __do_sys_sendto net/socket.c:2165 [inline]
 __se_sys_sendto net/socket.c:2161 [inline]
 __x64_sys_sendto+0xda/0xf0 net/socket.c:2161
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1459 [inline]
 free_pcp_prepare mm/page_alloc.c:1509 [inline]
 free_unref_page_prepare+0x8b4/0x9a0 mm/page_alloc.c:3384
 free_unref_page+0x2e/0x3f0 mm/page_alloc.c:3479
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0x76/0xe0 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x144/0x160 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x1e/0x80 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook+0x4b/0x480 mm/slab.h:737
 slab_alloc_node mm/slub.c:3398 [inline]
 __kmem_cache_alloc_node+0x140/0x260 mm/slub.c:3437
 kmalloc_trace+0x26/0xe0 mm/slab_common.c:1026
 kmalloc include/linux/slab.h:563 [inline]
 kzalloc include/linux/slab.h:699 [inline]
 nsim_fib6_rt_create drivers/net/netdevsim/fib.c:547 [inline]
 nsim_fib6_rt_insert drivers/net/netdevsim/fib.c:752 [inline]
 nsim_fib6_event drivers/net/netdevsim/fib.c:856 [inline]
 nsim_fib_event drivers/net/netdevsim/fib.c:889 [inline]
 nsim_fib_event_work+0x10f2/0x32b0 drivers/net/netdevsim/fib.c:1494
 process_one_work+0x898/0x1160 kernel/workqueue.c:2292
 process_scheduled_works kernel/workqueue.c:2355 [inline]
 worker_thread+0xd62/0x1250 kernel/workqueue.c:2441
 kthread+0x29d/0x330 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff8880304d4300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880304d4380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880304d4400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8880304d4480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880304d4500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================