==================================================================
BUG: KASAN: use-after-free in netdev_need_ops_lock include/net/netdev_lock.h:30 [inline]
BUG: KASAN: use-after-free in netdev_unlock_ops include/net/netdev_lock.h:47 [inline]
BUG: KASAN: use-after-free in __linkwatch_run_queue+0x732/0x7dc net/core/link_watch.c:245
Read of size 8 at addr ffffaf8030d08b68 by task kworker/u10:4/7283

CPU: 0 UID: 0 PID: 7283 Comm: kworker/u10:4 Not tainted 6.16.0-rc1-syzkaller-gfda589c28604 #0 PREEMPT 
Hardware name: riscv-virtio,qemu (DT)
Workqueue: events_unbound linkwatch_event
Call Trace:
[<ffffffff80078bbe>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff8000327a>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8006103e>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8006103e>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8000ef70>] print_address_description mm/kasan/report.c:408 [inline]
[<ffffffff8000ef70>] print_report+0x28e/0x5fe mm/kasan/report.c:521
[<ffffffff80af393a>] kasan_report+0xf0/0x214 mm/kasan/report.c:634
[<ffffffff80af59d2>] __asan_report_load8_noabort+0x12/0x1a mm/kasan/report_generic.c:381
[<ffffffff85189484>] netdev_need_ops_lock include/net/netdev_lock.h:30 [inline]
[<ffffffff85189484>] netdev_unlock_ops include/net/netdev_lock.h:47 [inline]
[<ffffffff85189484>] __linkwatch_run_queue+0x732/0x7dc net/core/link_watch.c:245
[<ffffffff851895d8>] linkwatch_event+0xaa/0xdc net/core/link_watch.c:304
[<ffffffff801bd390>] process_one_work+0x96a/0x1f32 kernel/workqueue.c:3238
[<ffffffff801c04a0>] process_scheduled_works kernel/workqueue.c:3321 [inline]
[<ffffffff801c04a0>] worker_thread+0x5ce/0xde8 kernel/workqueue.c:3402
[<ffffffff801ddcbc>] kthread+0x39c/0x7d4 kernel/kthread.c:464
[<ffffffff8006977a>] ret_from_fork_kernel+0x2a/0xbb2 arch/riscv/kernel/process.c:214
[<ffffffff8634b8fa>] ret_from_fork_kernel_asm+0x16/0x18 arch/riscv/kernel/entry.S:327

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf8030d0b900 pfn:0xb0d08
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 ffff8d8000636a08 ffffaf806ed62340 0000000000000000
raw: ffffaf8030d0b900 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 7834, tgid 7833 (syz.2.1432), ts 4449218721200, free_ts 4450542122300
 __set_page_owner+0x94/0x4a8 mm/page_owner.c:329
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xdc/0x1ba mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x880/0x3660 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x22e/0x2124 mm/page_alloc.c:4959
 __alloc_pages_noprof+0xe/0x22 mm/page_alloc.c:4993
 __alloc_pages_node_noprof include/linux/gfp.h:284 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:311 [inline]
 ___kmalloc_large_node+0x7a/0x2b2 mm/slub.c:4272
 __kmalloc_large_node_noprof+0x1e/0xf4 mm/slub.c:4300
 __do_kmalloc_node mm/slub.c:4316 [inline]
 __kvmalloc_node_noprof+0x2f4/0x6ac mm/slub.c:5015
 alloc_netdev_mqs+0xcc/0x11da net/core/dev.c:11711
 tun_set_iff drivers/net/tun.c:2752 [inline]
 __tun_chr_ioctl+0x2678/0x528a drivers/net/tun.c:3048
 tun_chr_ioctl+0x2a/0x38 drivers/net/tun.c:3297
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl fs/ioctl.c:893 [inline]
 __riscv_sys_ioctl+0x180/0x1e4 fs/ioctl.c:893
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:112
 do_trap_ecall_u+0x396/0x530 arch/riscv/kernel/traps.c:341
 handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
page last free pid 7833 tgid 7833 stack trace:
 __reset_page_owner+0x78/0x1ba mm/page_owner.c:308
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0x998/0x1580 mm/page_alloc.c:2706
 free_frozen_pages+0xe/0x16 mm/page_alloc.c:2744
 __folio_put+0x296/0x378 mm/swap.c:112
 folio_put include/linux/mm.h:1356 [inline]
 free_large_kmalloc+0xc4/0x190 mm/slub.c:4768
 kfree+0x348/0x4da mm/slub.c:4836
 kvfree+0x28/0x32 mm/slub.c:5058
 netdev_release+0x84/0xb0 net/core/net-sysfs.c:2231
 device_release+0x90/0x21c drivers/base/core.c:2568
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x238/0x4f0 lib/kobject.c:737
 netdev_run_todo+0x6a6/0x10b4 net/core/dev.c:11412
 rtnl_unlock+0x14/0x1c net/core/rtnetlink.c:157
 tun_detach drivers/net/tun.c:639 [inline]
 tun_chr_close+0xde/0x230 drivers/net/tun.c:3396
 __fput+0x382/0xa8c fs/file_table.c:465
 ____fput+0x1c/0x26 fs/file_table.c:493
 task_work_run+0x16a/0x25e kernel/task_work.c:227

Memory state around the buggy address:
 ffffaf8030d08a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffffaf8030d08a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffffaf8030d08b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                          ^
 ffffaf8030d08b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffffaf8030d08c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================