==================================================================
BUG: KASAN: slab-use-after-free in page_pool_put_unrefed_netmem+0x8b8/0x11f4
Read of size 8 at addr ffff0000efe5e708 by task syz.3.51/6689

CPU: 0 UID: 0 PID: 6689 Comm: syz.3.51 Not tainted 6.14.0-rc7-syzkaller-ga2392f333575 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0x198/0x550 mm/kasan/report.c:521
 kasan_report+0xd8/0x138 mm/kasan/report.c:634
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 page_pool_put_unrefed_netmem+0x8b8/0x11f4
 page_pool_put_netmem include/net/page_pool/helpers.h:336 [inline]
 page_pool_put_full_netmem include/net/page_pool/helpers.h:366 [inline]
 napi_pp_put_page+0x124/0x204 net/core/skbuff.c:946
 skb_pp_recycle net/core/skbuff.c:957 [inline]
 skb_free_head+0x150/0x1bc net/core/skbuff.c:1004
 skb_release_data+0x484/0x618 net/core/skbuff.c:1035
 skb_release_all net/core/skbuff.c:1100 [inline]
 __kfree_skb net/core/skbuff.c:1114 [inline]
 sk_skb_reason_drop+0x1d4/0x43c net/core/skbuff.c:1152
 kfree_skb_reason include/linux/skbuff.h:1271 [inline]
 __skb_queue_purge_reason include/linux/skbuff.h:3351 [inline]
 skb_queue_purge_reason+0x33c/0x444 net/core/skbuff.c:3855
 skb_queue_purge include/linux/skbuff.h:3364 [inline]
 packet_set_ring+0x1128/0x1d98 net/packet/af_packet.c:4594
 packet_setsockopt+0xc34/0x1274 net/packet/af_packet.c:3892
 do_sock_setsockopt+0x2a0/0x4e0 net/socket.c:2303
 __sys_setsockopt net/socket.c:2328 [inline]
 __do_sys_setsockopt net/socket.c:2334 [inline]
 __se_sys_setsockopt net/socket.c:2331 [inline]
 __arm64_sys_setsockopt+0x170/0x1e0 net/socket.c:2331
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Allocated by task 6685:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_node_noprof+0x2d8/0x434 mm/slub.c:4337
 kmalloc_node_noprof include/linux/slab.h:924 [inline]
 page_pool_create_percpu+0x94/0xab0 net/core/page_pool.c:339
 page_pool_create+0x24/0x34 net/core/page_pool.c:368
 xdp_test_run_setup net/bpf/test_run.c:182 [inline]
 bpf_test_run_xdp_live+0x27c/0x1b70 net/bpf/test_run.c:383
 bpf_prog_test_run_xdp+0x698/0x102c net/bpf/test_run.c:1316
 bpf_prog_test_run+0x294/0x33c kernel/bpf/syscall.c:4407
 __sys_bpf+0x314/0x5f0 kernel/bpf/syscall.c:5813
 __do_sys_bpf kernel/bpf/syscall.c:5902 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5900 [inline]
 __arm64_sys_bpf+0x80/0x98 kernel/bpf/syscall.c:5900
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Freed by task 6513:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x54/0x6c mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x64/0x8c mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free mm/slub.c:4609 [inline]
 kfree+0x180/0x478 mm/slub.c:4757
 __page_pool_destroy net/core/page_pool.c:1056 [inline]
 page_pool_release+0x780/0x820 net/core/page_pool.c:1094
 page_pool_release_retry+0x30/0x24c net/core/page_pool.c:1106
 process_one_work+0x810/0x1638 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x97c/0xeec kernel/workqueue.c:3400
 kthread+0x65c/0x7b0 kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862

Last potentially related work creation:
 kasan_save_stack+0x40/0x6c mm/kasan/common.c:47
 kasan_record_aux_stack+0xb4/0xcc mm/kasan/generic.c:548
 insert_work+0x54/0x2d4 kernel/workqueue.c:2183
 __queue_work+0xe34/0x1324 kernel/workqueue.c:2341
 delayed_work_timer_fn+0x74/0x90 kernel/workqueue.c:2487
 call_timer_fn+0x1b4/0x8b8 kernel/time/timer.c:1789
 expire_timers kernel/time/timer.c:1835 [inline]
 __run_timers kernel/time/timer.c:2414 [inline]
 __run_timer_base+0x59c/0x7b4 kernel/time/timer.c:2426
 run_timer_base kernel/time/timer.c:2435 [inline]
 run_timer_softirq+0xcc/0x194 kernel/time/timer.c:2445
 handle_softirqs+0x320/0xd34 kernel/softirq.c:561
 __do_softirq+0x14/0x20 kernel/softirq.c:595

The buggy address belongs to the object at ffff0000efe5e000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1800 bytes inside of
 freed 2048-byte region [ffff0000efe5e000, ffff0000efe5e800)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12fe58
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c0002000 fffffdffc327c000 0000000000000002
raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 05ffc00000000040 ffff0000c0002000 fffffdffc327c000 0000000000000002
head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 05ffc00000000003 fffffdffc3bf9601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000efe5e600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000efe5e680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000efe5e700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff0000efe5e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000efe5e800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
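The report above contains everything needed to triage it by hand: the headline names the bug class and faulting function, the "Allocated by" and "Freed by" stacks show the kmalloc-2k object being created by page_pool_create_percpu() from a BPF XDP test run and freed by __page_pool_destroy() from the page_pool_release_retry work, and the access stack shows a packet socket's ring teardown recycling an skb whose page-pool owner is already gone. The shadow byte under the caret (0xfb) confirms the "freed slab object" state and the 1800-byte offset matches 0x708 - 0x000. The following parser, added here as an example and not part of syzkaller or the kernel, automates exactly those reads and cross-checks so that reports can be bucketed by (bug type, function, cache, offset, alloc site, free site) rather than by raw address. The REPORT constant is a trimmed copy of the report above with the stacks shortened; the NOISE list of "plumbing" frames to skip and the STACK_HDRS names are this example's own heuristics, not KASAN definitions.

```python
import re

# Trimmed copy of the report above (header, object and shadow lines kept verbatim,
# stacks cut to a few frames) so the parser has constructed offline input.
REPORT = """\
BUG: KASAN: slab-use-after-free in page_pool_put_unrefed_netmem+0x8b8/0x11f4
Read of size 8 at addr ffff0000efe5e708 by task syz.3.51/6689

CPU: 0 UID: 0 PID: 6689 Comm: syz.3.51 Not tainted 6.14.0-rc7-syzkaller-ga2392f333575 #0
Call trace:
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 kasan_report+0xd8/0x138 mm/kasan/report.c:634
 page_pool_put_unrefed_netmem+0x8b8/0x11f4
 napi_pp_put_page+0x124/0x204 net/core/skbuff.c:946
 packet_set_ring+0x1128/0x1d98 net/packet/af_packet.c:4594

Allocated by task 6685:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394
 page_pool_create_percpu+0x94/0xab0 net/core/page_pool.c:339

Freed by task 6513:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kfree+0x180/0x478 mm/slub.c:4757
 __page_pool_destroy net/core/page_pool.c:1056 [inline]
 page_pool_release_retry+0x30/0x24c net/core/page_pool.c:1106

The buggy address belongs to the object at ffff0000efe5e000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1800 bytes inside of
 freed 2048-byte region [ffff0000efe5e000, ffff0000efe5e800)

Memory state around the buggy address:
 ffff0000efe5e680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000efe5e700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff0000efe5e800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

HEADER_RE = re.compile(r"^BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\S+)", re.M)
ACCESS_RE = re.compile(r"^(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)", re.M)
OBJECT_RE = re.compile(r"object at (?P<base>[0-9a-f]+)\s+which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
REGION_RE = re.compile(r"located (?P<off>\d+) bytes inside of\s+(?P<state>\w+) \d+-byte region \[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)")
SHADOW_RE = re.compile(r"^[ >](?P<row>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$", re.M)
STACK_HDRS = {"Call trace": "access", "Allocated by": "alloc", "Freed by": "free", "Last potentially": "work"}
# Frames of the KASAN/slab/stack-dump plumbing (this example's own list); the first frame after them is the one to look at.
NOISE = ("mm/kasan/", "lib/dump_stack.c", "kernel/stacktrace.c", "mm/slub.c", "include/linux/kasan.h", "include/linux/slab.h")

def parse_stacks(text):
    """Split the report into {name: {"task": pid or None, "frames": [{"name", "loc"}]}}."""
    stacks, cur = {}, None
    for line in text.splitlines():
        hdr = next((v for k, v in STACK_HDRS.items() if line.startswith(k)), None)
        if hdr:
            m = re.search(r"task (\d+)", line)
            cur = stacks[hdr] = {"task": int(m.group(1)) if m else None, "frames": []}
        elif cur is not None and line.startswith(" ") and line.strip():
            parts = line.split()  # "sym+off/len file:line [inline]"; the offset is not useful for bucketing
            loc = parts[1] if len(parts) > 1 and ":" in parts[1] else ""
            cur["frames"].append({"name": parts[0].split("+")[0], "loc": loc})
        elif not line.strip():
            cur = None  # a blank line closes the current stack
    return stacks

def culprit(frames):
    """Name of the first frame outside the reporting machinery."""
    return next((f["name"] for f in frames if not any(n in f["loc"] for n in NOISE)), None)

def shadow_byte(text, addr):
    """Shadow byte covering addr, read back from the 'Memory state' rows (one byte per 8-byte granule)."""
    for m in SHADOW_RE.finditer(text):
        row = int(m.group("row"), 16)
        if row <= addr < row + 128:
            return m.group("bytes").split()[(addr - row) // 8]
    return None

def parse_kasan_report(text):
    """Extract the facts a triager needs from a slab KASAN report and cross-check them."""
    hdr, acc, obj, reg = (r.search(text) for r in (HEADER_RE, ACCESS_RE, OBJECT_RE, REGION_RE))
    if not (hdr and acc and obj and reg):
        raise ValueError("not a complete slab KASAN report")
    addr, base = int(acc["addr"], 16), int(obj["base"], 16)
    stacks, shadow = parse_stacks(text), shadow_byte(text, addr)
    info = {
        "bug": hdr["bug"], "func": hdr["func"].split("+")[0], "kind": acc["kind"],
        "size": int(acc["size"]), "addr": addr, "task": acc["task"], "cache": obj["cache"],
        "object_size": int(obj["size"]), "offset": addr - base, "region_state": reg["state"],
        "shadow": shadow, "tasks": {k: v["task"] for k, v in stacks.items()},
        "culprits": {k: culprit(v["frames"]) for k, v in stacks.items()},
    }
    # Checks normally done by eye: stated offset == addr - object base, region bounds match the
    # cache size, and the shadow byte under the caret (0xfb = freed slab object) agrees with the headline.
    info["consistent"] = (info["offset"] == int(reg["off"]) and int(reg["lo"], 16) == base
                          and int(reg["hi"], 16) == base + info["object_size"]
                          and (shadow == "fb") == (hdr["bug"] == "slab-use-after-free"))
    return info

def summarize(info):
    """One-line crash signature for deduplicating reports across fuzzer runs."""
    c, t = info["culprits"], info["tasks"]
    return (f"{info['bug']}: {info['kind']} {info['size']} at {info['cache']}+{info['offset']} in {info['func']}; "
            f"alloc {c.get('alloc')} (task {t.get('alloc')}), free {c.get('free')} (task {t.get('free')})")
```

Running summarize(parse_kasan_report(REPORT)) yields the signature "slab-use-after-free: Read 8 at kmalloc-2k+1800 in page_pool_put_unrefed_netmem; alloc page_pool_create_percpu (task 6685), free __page_pool_destroy (task 6513)", and consistent is True because the offset, region bounds and shadow byte all agree. A report whose shadow byte under the caret were 0xfc (slab redzone) with a use-after-free headline, or whose stated offset disagreed with addr minus object base, would come back with consistent False and deserves a second look before anyone starts reasoning about the race between the packet-socket teardown and the page_pool_release_retry work.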