wlan1 speed is unknown, defaulting to 1000 ================================================================== BUG: KASAN: use-after-free in siw_query_port+0x342/0x430 drivers/infiniband/sw/siw/siw_verbs.c:175 Read of size 4 at addr ffff88801e7780d8 by task kworker/1:5/3594 CPU: 1 PID: 3594 Comm: kworker/1:5 Not tainted 5.15.146-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 Workqueue: infiniband ib_cache_event_task Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 print_address_description+0x63/0x3b0 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:434 [inline] kasan_report+0x16b/0x1c0 mm/kasan/report.c:451 siw_query_port+0x342/0x430 drivers/infiniband/sw/siw/siw_verbs.c:175 ib_cache_update+0x1a8/0xaf0 drivers/infiniband/core/cache.c:1481 ib_cache_event_task+0xef/0x1e0 drivers/infiniband/core/cache.c:1555 process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2310 worker_thread+0xaca/0x1280 kernel/workqueue.c:2457 kthread+0x3f6/0x4f0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 The buggy address belongs to the page: page:ffffea000079de00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e778 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 ffffea0000f49f08 ffff8880b9a3fdb0 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 2, migratetype Unmovable, gfp_mask 0x546dc0(GFP_USER|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO|__GFP_ACCOUNT), pid 13410, ts 895007605626, free_ts 1041734073720 prep_new_page mm/page_alloc.c:2426 [inline] get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159 __alloc_pages+0x272/0x700 mm/page_alloc.c:5421 __alloc_pages_node include/linux/gfp.h:570 [inline] alloc_pages_node include/linux/gfp.h:584 [inline] kmalloc_large_node+0x7c/0x180 mm/slub.c:4421 __kmalloc_node+0x22d/0x390 mm/slub.c:4437 kmalloc_node include/linux/slab.h:614 [inline] kvmalloc_node+0x80/0x140 mm/util.c:619 kvmalloc include/linux/mm.h:805 [inline] kvzalloc include/linux/mm.h:813 [inline] alloc_netdev_mqs+0x85/0xc10 net/core/dev.c:10840 ieee80211_if_add+0x11fe/0x1e50 net/mac80211/iface.c:1934 ieee80211_register_hw+0x2aa9/0x39d0 net/mac80211/main.c:1314 mac80211_hwsim_new_radio+0x223d/0x4200 drivers/net/wireless/mac80211_hwsim.c:3374 hwsim_new_radio_nl+0xbae/0x1090 drivers/net/wireless/mac80211_hwsim.c:3950 genl_family_rcv_msg_doit net/netlink/genetlink.c:731 [inline] genl_family_rcv_msg net/netlink/genetlink.c:775 [inline] genl_rcv_msg+0xfbd/0x14a0 net/netlink/genetlink.c:792 netlink_rcv_skb+0x1cf/0x410 net/netlink/af_netlink.c:2505 genl_rcv+0x24/0x40 net/netlink/genetlink.c:803 netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline] netlink_unicast+0x7b6/0x980 net/netlink/af_netlink.c:1356 netlink_sendmsg+0xa30/0xd60 net/netlink/af_netlink.c:1924 sock_sendmsg_nosec net/socket.c:704 [inline] __sock_sendmsg net/socket.c:716 [inline] __sys_sendto+0x564/0x720 net/socket.c:2056 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1340 [inline] free_pcp_prepare mm/page_alloc.c:1391 [inline] free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317 free_unref_page+0x95/0x2d0 mm/page_alloc.c:3396 free_nonslab_page+0xe4/0x150 mm/slub.c:3535 kfree+0x1cf/0x270 mm/slub.c:4556 device_release+0x91/0x1c0 kobject_cleanup lib/kobject.c:713 [inline] kobject_release lib/kobject.c:744 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x224/0x460 lib/kobject.c:761 netdev_run_todo+0xaaf/0xc40 net/core/dev.c:10658 ieee80211_unregister_hw+0x5a/0x220 net/mac80211/main.c:1392 mac80211_hwsim_del_radio+0x2bb/0x4a0 drivers/net/wireless/mac80211_hwsim.c:3473 hwsim_exit_net+0x5b8/0x660 drivers/net/wireless/mac80211_hwsim.c:4243 ops_exit_list net/core/net_namespace.c:169 [inline] cleanup_net+0x6ce/0xb60 net/core/net_namespace.c:596 process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2310 worker_thread+0xaca/0x1280 kernel/workqueue.c:2457 kthread+0x3f6/0x4f0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 Memory state around the buggy address: ffff88801e777f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88801e778000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88801e778080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88801e778100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88801e778180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================