==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0x6a/0xf0 lib/list_debug.c:30
Read of size 8 at addr ffff888133d44c68 by task swapper/1/0
CPU: 1 PID: 0 Comm: swapper/1 Tainted: G W 5.15.94-syzkaller-03204-g5448b2fda85f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_address_description+0x87/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:427 [inline]
kasan_report+0x179/0x1c0 mm/kasan/report.c:444
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309
__list_add_valid+0x6a/0xf0 lib/list_debug.c:30
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0x104/0x320 kernel/workqueue.c:1373
__queue_work+0x923/0xcd0 kernel/workqueue.c:1535
queue_work_on+0x105/0x170 kernel/workqueue.c:1562
wg_queue_enqueue_per_device_and_peer drivers/net/wireguard/queueing.h:192 [inline]
wg_packet_create_data drivers/net/wireguard/send.c:320 [inline]
wg_packet_send_staged_packets+0xb30/0x1190 drivers/net/wireguard/send.c:387
wg_xmit+0xa8f/0xcf0 drivers/net/wireguard/device.c:201
__netdev_start_xmit include/linux/netdevice.h:5057 [inline]
netdev_start_xmit include/linux/netdevice.h:5071 [inline]
xmit_one net/core/dev.c:3597 [inline]
dev_hard_start_xmit+0x228/0x620 net/core/dev.c:3613
__dev_queue_xmit+0x18b4/0x2e70 net/core/dev.c:4228
dev_queue_xmit+0x17/0x20 net/core/dev.c:4261
neigh_connected_output+0x417/0x450 net/core/neighbour.c:1541
neigh_output include/net/neighbour.h:524 [inline]
ip6_finish_output2+0xf95/0x16e0 net/ipv6/ip6_output.c:126
__ip6_finish_output+0x678/0x850 net/ipv6/ip6_output.c:191
ip6_finish_output+0x31/0x210 net/ipv6/ip6_output.c:201
NF_HOOK_COND include/linux/netfilter.h:299 [inline]
ip6_output+0x1f7/0x4d0 net/ipv6/ip6_output.c:224
dst_output include/net/dst.h:450 [inline]
NF_HOOK include/linux/netfilter.h:310 [inline]
ndisc_send_skb+0x73e/0xc90 net/ipv6/ndisc.c:508
ndisc_send_rs+0x532/0x6a0 net/ipv6/ndisc.c:702
addrconf_rs_timer+0x2d1/0x600 net/ipv6/addrconf.c:3954
call_timer_fn+0x3b/0x2d0 kernel/time/timer.c:1427
expire_timers kernel/time/timer.c:1472 [inline]
__run_timers+0x72a/0xa10 kernel/time/timer.c:1743
run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1756
__do_softirq+0x26d/0x5bf kernel/softirq.c:565
invoke_softirq kernel/softirq.c:425 [inline]
__irq_exit_rcu+0x50/0xf0 kernel/softirq.c:647
irq_exit_rcu+0x9/0x10 kernel/softirq.c:659
sysvec_apic_timer_interrupt+0x9a/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:40 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:75 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:110 [inline]
RIP: 0010:acpi_idle_do_entry drivers/acpi/processor_idle.c:570 [inline]
RIP: 0010:acpi_idle_enter+0x416/0x760 drivers/acpi/processor_idle.c:705
Code: 89 de 48 83 e6 08 31 ff e8 d7 17 b7 fc 48 83 e3 08 0f 85 b0 00 00 00 0f 1f 44 00 00 e8 83 13 b7 fc 0f 00 2d 9c 84 b0 00 fb f4 <fa> e9 e1 00 00 00 49 83 c7 04 4c 89 f8 48 c1 e8 03 42 0f b6 04 30
RSP: 0018:ffffc90000157c30 EFLAGS: 000002d3
RAX: ffffffff84b85e3d RBX: 0000000000000000 RCX: ffff8881003293c0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000157c70 R08: ffffffff84b85e29 R09: ffffed1020065279
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000001
R13: ffff888100074004 R14: dffffc0000000000 R15: ffff888105dcd864
cpuidle_enter_state+0x5e1/0x1550 drivers/cpuidle/cpuidle.c:249
cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:364
call_cpuidle kernel/sched/idle.c:158 [inline]
cpuidle_idle_call kernel/sched/idle.c:239 [inline]
do_idle+0x36b/0x5d0 kernel/sched/idle.c:306
cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:403
start_secondary+0x2e6/0x3a0 arch/x86/kernel/smpboot.c:270
secondary_startup_64_no_verify+0xb1/0xbb
</TASK>
Allocated by task 27287:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:433 [inline]
____kasan_kmalloc+0xdb/0x110 mm/kasan/common.c:512
__kasan_kmalloc+0x9/0x10 mm/kasan/common.c:521
kasan_kmalloc include/linux/kasan.h:227 [inline]
__kmalloc+0x13a/0x270 mm/slub.c:4425
__kmalloc_node include/linux/slab.h:474 [inline]
kmalloc_node include/linux/slab.h:631 [inline]
kvmalloc_node+0x82/0x130 mm/util.c:623
kvmalloc include/linux/mm.h:851 [inline]
kvzalloc include/linux/mm.h:859 [inline]
alloc_netdev_mqs+0x8c/0xc90 net/core/dev.c:10828
alloc_etherdev_mqs+0x33/0x40 net/ethernet/eth.c:393
usbnet_probe+0x19e/0x2670 drivers/net/usb/usbnet.c:1694
usb_probe_interface+0x5b6/0xa90 drivers/usb/core/driver.c:396
really_probe+0x28d/0x970 drivers/base/dd.c:595
__driver_probe_device+0x1bb/0x290 drivers/base/dd.c:750
driver_probe_device+0x54/0x3d0 drivers/base/dd.c:780
__device_attach_driver+0x2c5/0x470 drivers/base/dd.c:902
bus_for_each_drv+0x183/0x200 drivers/base/bus.c:427
__device_attach+0x312/0x510 drivers/base/dd.c:974
device_initial_probe+0x1a/0x20 drivers/base/dd.c:1023
bus_probe_device+0xbe/0x1e0 drivers/base/bus.c:487
device_add+0xb80/0xf30 drivers/base/core.c:3404
usb_set_configuration+0x190f/0x1e80 drivers/usb/core/message.c:2170
usb_generic_driver_probe+0x8b/0x150 drivers/usb/core/generic.c:238
usb_probe_device+0x144/0x260 drivers/usb/core/driver.c:293
really_probe+0x28d/0x970 drivers/base/dd.c:595
__driver_probe_device+0x1bb/0x290 drivers/base/dd.c:750
driver_probe_device+0x54/0x3d0 drivers/base/dd.c:780
__device_attach_driver+0x2c5/0x470 drivers/base/dd.c:902
bus_for_each_drv+0x183/0x200 drivers/base/bus.c:427
__device_attach+0x312/0x510 drivers/base/dd.c:974
device_initial_probe+0x1a/0x20 drivers/base/dd.c:1023
bus_probe_device+0xbe/0x1e0 drivers/base/bus.c:487
device_add+0xb80/0xf30 drivers/base/core.c:3404
usb_new_device+0x1034/0x1bf0 drivers/usb/core/hub.c:2575
hub_port_connect drivers/usb/core/hub.c:5417 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5561 [inline]
port_event drivers/usb/core/hub.c:5711 [inline]
hub_event+0x2da9/0x4a80 drivers/usb/core/hub.c:5793
process_one_work+0x6bb/0xc10 kernel/workqueue.c:2313
process_scheduled_works kernel/workqueue.c:2376 [inline]
worker_thread+0xe02/0x12a0 kernel/workqueue.c:2462
kthread+0x421/0x510 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 <unknown>:298
Last potentially related work creation:
kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
__kasan_record_aux_stack+0xd3/0xf0 mm/kasan/generic.c:348
kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:358
insert_work+0x56/0x320 kernel/workqueue.c:1369
__queue_work+0x923/0xcd0 kernel/workqueue.c:1535
queue_work_on+0x105/0x170 kernel/workqueue.c:1562
usbnet_link_change+0xeb/0x100
usbnet_probe+0x1c5a/0x2670 drivers/net/usb/usbnet.c:1835
usb_probe_interface+0x5b6/0xa90 drivers/usb/core/driver.c:396
really_probe+0x28d/0x970 drivers/base/dd.c:595
__driver_probe_device+0x1bb/0x290 drivers/base/dd.c:750
driver_probe_device+0x54/0x3d0 drivers/base/dd.c:780
__device_attach_driver+0x2c5/0x470 drivers/base/dd.c:902
bus_for_each_drv+0x183/0x200 drivers/base/bus.c:427
__device_attach+0x312/0x510 drivers/base/dd.c:974
device_initial_probe+0x1a/0x20 drivers/base/dd.c:1023
bus_probe_device+0xbe/0x1e0 drivers/base/bus.c:487
device_add+0xb80/0xf30 drivers/base/core.c:3404
usb_set_configuration+0x190f/0x1e80 drivers/usb/core/message.c:2170
usb_generic_driver_probe+0x8b/0x150 drivers/usb/core/generic.c:238
usb_probe_device+0x144/0x260 drivers/usb/core/driver.c:293
really_probe+0x28d/0x970 drivers/base/dd.c:595
__driver_probe_device+0x1bb/0x290 drivers/base/dd.c:750
driver_probe_device+0x54/0x3d0 drivers/base/dd.c:780
__device_attach_driver+0x2c5/0x470 drivers/base/dd.c:902
bus_for_each_drv+0x183/0x200 drivers/base/bus.c:427
__device_attach+0x312/0x510 drivers/base/dd.c:974
device_initial_probe+0x1a/0x20 drivers/base/dd.c:1023
bus_probe_device+0xbe/0x1e0 drivers/base/bus.c:487
device_add+0xb80/0xf30 drivers/base/core.c:3404
usb_new_device+0x1034/0x1bf0 drivers/usb/core/hub.c:2575
hub_port_connect drivers/usb/core/hub.c:5417 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5561 [inline]
port_event drivers/usb/core/hub.c:5711 [inline]
hub_event+0x2da9/0x4a80 drivers/usb/core/hub.c:5793
process_one_work+0x6bb/0xc10 kernel/workqueue.c:2313
process_scheduled_works kernel/workqueue.c:2376 [inline]
worker_thread+0xe02/0x12a0 kernel/workqueue.c:2462
kthread+0x421/0x510 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 <unknown>:298
The buggy address belongs to the object at ffff888133d44000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 3176 bytes inside of
4096-byte region [ffff888133d44000, ffff888133d45000)
The buggy address belongs to the page:
page:ffffea0004cf5000 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888133d44000 pfn:0x133d40
head:ffffea0004cf5000 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 ffffea0004cc8408 ffffea0004438808 ffff888100043380
raw: ffff888133d44000 0000000000040003 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 347, ts 35261109665, free_ts 0
set_page_owner include/linux/page_owner.h:33 [inline]
post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2502
prep_new_page mm/page_alloc.c:2508 [inline]
get_page_from_freelist+0x2c14/0x2cf0 mm/page_alloc.c:4291
__alloc_pages+0x386/0x7b0 mm/page_alloc.c:5569
allocate_slab mm/slub.c:1930 [inline]
new_slab+0x92/0x490 mm/slub.c:1993
___slab_alloc+0x39e/0x830 mm/slub.c:3026
__slab_alloc+0x4a/0x90 mm/slub.c:3113
slab_alloc_node mm/slub.c:3204 [inline]
slab_alloc mm/slub.c:3246 [inline]
kmem_cache_alloc_trace+0x142/0x210 mm/slub.c:3263
kmalloc include/linux/slab.h:608 [inline]
kzalloc include/linux/slab.h:738 [inline]
kobject_uevent_env+0x269/0x700 lib/kobject_uevent.c:524
kobject_uevent+0x1f/0x30 lib/kobject_uevent.c:642
netdev_queue_add_kobject net/core/net-sysfs.c:1677 [inline]
netdev_queue_update_kobjects+0x1c0/0x400 net/core/net-sysfs.c:1711
register_queue_kobjects net/core/net-sysfs.c:1772 [inline]
netdev_register_kobject+0x270/0x320 net/core/net-sysfs.c:2018
register_netdevice+0xda5/0x1350 net/core/dev.c:10332
veth_newlink+0x948/0xe30 drivers/net/veth.c:1733
__rtnl_newlink net/core/rtnetlink.c:3462 [inline]
rtnl_newlink+0x146e/0x2040 net/core/rtnetlink.c:3510
rtnetlink_rcv_msg+0x951/0xc40 net/core/rtnetlink.c:5587
netlink_rcv_skb+0x1cf/0x410 net/netlink/af_netlink.c:2533
page_owner free stack trace missing
Memory state around the buggy address:
ffff888133d44b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888133d44b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888133d44c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888133d44c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888133d44d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: 48 83 e6 08 and $0x8,%rsi
6: 31 ff xor %edi,%edi
8: e8 d7 17 b7 fc callq 0xfcb717e4
d: 48 83 e3 08 and $0x8,%rbx
11: 0f 85 b0 00 00 00 jne 0xc7
17: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
1c: e8 83 13 b7 fc callq 0xfcb713a4
21: 0f 00 2d 9c 84 b0 00 verw 0xb0849c(%rip) # 0xb084c4
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: e9 e1 00 00 00 jmpq 0x111
30: 49 83 c7 04 add $0x4,%r15
34: 4c 89 f8 mov %r15,%rax
37: 48 c1 e8 03 shr $0x3,%rax
3b: 42 0f b6 04 30 movzbl (%rax,%r14,1),%eax