==================================================================
BUG: KASAN: use-after-free in io_rsrc_node_ref_zero+0x5a/0x274 fs/io_uring.c:7821
Read of size 8 at addr ffff888014f94900 by task kworker/0:4/3670

CPU: 0 PID: 3670 Comm: kworker/0:4 Not tainted 5.17.0-rc4-syzkaller-00241-g7f25f0412c9e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events free_work
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 io_rsrc_node_ref_zero+0x5a/0x274 fs/io_uring.c:7821
 percpu_ref_put_many.constprop.0+0x22b/0x260 include/linux/percpu-refcount.h:335
 rcu_do_batch kernel/rcu/tree.c:2527 [inline]
 rcu_core+0x7b1/0x1820 kernel/rcu/tree.c:2778
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:free_unref_page+0x328/0x690 mm/page_alloc.c:3426
Code: a3 46 b5 81 48 89 ef e8 d6 8d a7 ff 48 85 db 0f 85 cd 00 00 00 9c 58 f6 c4 02 0f 85 8a 01 00 00 48 85 db 74 01 fb 48 83 c4 10 <5b> 5d 41 5c 41 5d 41 5e 41 5f c3 48 b8 00 00 00 00 00 fc ff df 4c
RSP: 0018:ffffc90002b57c60 EFLAGS: 00000286
RAX: 0000000000000006 RBX: 0000000000000200 RCX: 1ffffffff1ffc116
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8880b9c35800 R08: 0000000000000001 R09: ffffffff8ffc6987
R10: 0000000000000001 R11: 0000000000000001 R12: ffff8880b9c35828
R13: 0000000000000000 R14: ffffffff90514900 R15: 0000000000000000
 __vunmap+0x798/0xc50 mm/vmalloc.c:2635
 free_work+0x58/0x70 mm/vmalloc.c:97
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 worker_thread+0x657/0x1110 kernel/workqueue.c:2454
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

Allocated by task 5506:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
 kasan_kmalloc include/linux/kasan.h:270 [inline]
 __do_kmalloc mm/slab.c:3694 [inline]
 __kmalloc+0x209/0x4d0 mm/slab.c:3703
 io_rsrc_data_alloc+0x40/0x3b8 fs/io_uring.c:7968
 io_sqe_buffers_register.cold+0x1f/0x443 fs/io_uring.c:9255
 __io_uring_register fs/io_uring.c:11039 [inline]
 __do_sys_io_uring_register+0x109b/0x15a0 fs/io_uring.c:11170
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 5506:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:236 [inline]
 __cache_free mm/slab.c:3437 [inline]
 kfree+0xf8/0x2b0 mm/slab.c:3794
 __io_sqe_buffers_unregister+0xf6/0x18d fs/io_uring.c:8997
 io_sqe_buffers_unregister fs/io_uring.c:9012 [inline]
 __io_uring_register fs/io_uring.c:11045 [inline]
 __do_sys_io_uring_register.cold+0x28f/0x1611 fs/io_uring.c:11170
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 __kasan_record_aux_stack+0x7e/0x90 mm/kasan/generic.c:348
 kvfree_call_rcu+0x74/0x990 kernel/rcu/tree.c:3591
 drop_sysctl_table+0x3c0/0x4e0 fs/proc/proc_sysctl.c:1705
 unregister_sysctl_table fs/proc/proc_sysctl.c:1743 [inline]
 unregister_sysctl_table+0xc0/0x190 fs/proc/proc_sysctl.c:1718
 nf_ct_frags6_sysctl_unregister net/ipv6/netfilter/nf_conntrack_reasm.c:111 [inline]
 nf_ct_net_exit+0x241/0x550 net/ipv6/netfilter/nf_conntrack_reasm.c:523
 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:168
 setup_net+0x77e/0xbb0 net/core/net_namespace.c:353
 copy_net_ns+0x318/0x760 net/core/net_namespace.c:474
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226
 ksys_unshare+0x445/0x920 kernel/fork.c:3047
 __do_sys_unshare kernel/fork.c:3118 [inline]
 __se_sys_unshare kernel/fork.c:3116 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3116
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Second to last potentially related work creation:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 __kasan_record_aux_stack+0x7e/0x90 mm/kasan/generic.c:348
 insert_work+0x48/0x370 kernel/workqueue.c:1368
 __queue_work+0x5ca/0xf30 kernel/workqueue.c:1534
 queue_work_on+0xee/0x110 kernel/workqueue.c:1562
 queue_work include/linux/workqueue.h:502 [inline]
 netdevice_queue_work drivers/infiniband/core/roce_gid_mgmt.c:659 [inline]
 netdevice_event+0x42f/0x8a0 drivers/infiniband/core/roce_gid_mgmt.c:802
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:84
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1919
 call_netdevice_notifiers_extack net/core/dev.c:1931 [inline]
 call_netdevice_notifiers net/core/dev.c:1945 [inline]
 dev_set_mac_address+0x2d5/0x3e0 net/core/dev.c:8400
 dev_set_mac_address_user+0x2d/0x50 net/core/dev.c:8414
 do_setlink+0x1847/0x3a10 net/core/rtnetlink.c:2686
 __rtnl_newlink+0xdf5/0x1760 net/core/rtnetlink.c:3416
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3531
 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5596
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x539/0x7e0 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:725
 __sys_sendto+0x21c/0x320 net/socket.c:2040
 __do_sys_sendto net/socket.c:2052 [inline]
 __se_sys_sendto net/socket.c:2048 [inline]
 __x64_sys_sendto+0xdd/0x1b0 net/socket.c:2048
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888014f94900
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 0 bytes inside of
 192-byte region [ffff888014f94900, ffff888014f949c0)
The buggy address belongs to the page:
page:ffffea000053e500 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888014f94d00 pfn:0x14f94
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea00008f1688 ffffea000074ae88 ffff888010c40000
raw: ffff888014f94d00 ffff888014f94000 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 1, ts 2007146894, free_ts 0
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
 __alloc_pages_node include/linux/gfp.h:572 [inline]
 kmem_getpages mm/slab.c:1378 [inline]
 cache_grow_begin+0x75/0x390 mm/slab.c:2584
 cache_alloc_refill+0x27f/0x380 mm/slab.c:2957
 ____cache_alloc mm/slab.c:3040 [inline]
 ____cache_alloc mm/slab.c:3023 [inline]
 __do_cache_alloc mm/slab.c:3267 [inline]
 slab_alloc mm/slab.c:3308 [inline]
 kmem_cache_alloc_trace+0x380/0x4a0 mm/slab.c:3565
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:715 [inline]
 call_usermodehelper_setup+0x9d/0x340 kernel/umh.c:365
 kobject_uevent_env+0xf28/0x1600 lib/kobject_uevent.c:614
 kernel_add_sysfs_param kernel/params.c:816 [inline]
 param_sysfs_builtin kernel/params.c:851 [inline]
 param_sysfs_init+0x367/0x43b kernel/params.c:970
 do_one_initcall+0x103/0x650 init/main.c:1300
 do_initcall_level init/main.c:1373 [inline]
 do_initcalls init/main.c:1389 [inline]
 do_basic_setup init/main.c:1408 [inline]
 kernel_init_freeable+0x6b1/0x73a init/main.c:1613
 kernel_init+0x1a/0x1d0 init/main.c:1502
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888014f94800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888014f94880: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888014f94900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888014f94980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888014f94a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:	a3 46 b5 81 48 89 ef 	movabs %eax,0xd6e8ef894881b546
   7:	e8 d6
   9:	8d a7 ff 48 85 db    	lea    -0x247ab701(%rdi),%esp
   f:	0f 85 cd 00 00 00    	jne    0xe2
  15:	9c                   	pushfq
  16:	58                   	pop    %rax
  17:	f6 c4 02             	test   $0x2,%ah
  1a:	0f 85 8a 01 00 00    	jne    0x1aa
  20:	48 85 db             	test   %rbx,%rbx
  23:	74 01                	je     0x26
  25:	fb                   	sti
  26:	48 83 c4 10          	add    $0x10,%rsp
* 2a:	5b                   	pop    %rbx <-- trapping instruction
  2b:	5d                   	pop    %rbp
  2c:	41 5c                	pop    %r12
  2e:	41 5d                	pop    %r13
  30:	41 5e                	pop    %r14
  32:	41 5f                	pop    %r15
  34:	c3                   	retq
  35:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  3c:	fc ff df
  3f:	4c                   	rex.WR