================================================================== BUG: KASAN: use-after-free in netdev_need_ops_lock include/net/netdev_lock.h:30 [inline] BUG: KASAN: use-after-free in netdev_unlock_ops include/net/netdev_lock.h:47 [inline] BUG: KASAN: use-after-free in __linkwatch_run_queue+0x7d8/0x8a0 net/core/link_watch.c:245 Read of size 8 at addr ffff888071be4b88 by task kworker/u32:4/89 CPU: 3 UID: 0 PID: 89 Comm: kworker/u32:4 Not tainted 6.16.0-rc6-syzkaller-00002-g155a3c003e55 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: events_unbound linkwatch_event Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x610 mm/kasan/report.c:480 kasan_report+0xe0/0x110 mm/kasan/report.c:593 netdev_need_ops_lock include/net/netdev_lock.h:30 [inline] netdev_unlock_ops include/net/netdev_lock.h:47 [inline] __linkwatch_run_queue+0x7d8/0x8a0 net/core/link_watch.c:245 linkwatch_event+0x8f/0xc0 net/core/link_watch.c:304 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3321 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402 kthread+0x3c2/0x780 kernel/kthread.c:464 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888071be4340 pfn:0x71be4 flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) raw: 04fff00000000000 ffffea0001b0b508 ffff88802b5403c0 0000000000000000 raw: ffff888071be4340 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 8932, tgid 8928 (syz.3.656), ts 276652384956, free_ts 276950070633 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704 prep_new_page mm/page_alloc.c:1712 [inline] get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959 __alloc_pages_noprof+0xb/0x1b0 mm/page_alloc.c:4993 __alloc_pages_node_noprof include/linux/gfp.h:284 [inline] alloc_pages_node_noprof include/linux/gfp.h:311 [inline] ___kmalloc_large_node+0x84/0x1e0 mm/slub.c:4272 __kmalloc_large_node_noprof+0x1c/0x70 mm/slub.c:4300 __do_kmalloc_node mm/slub.c:4316 [inline] __kvmalloc_node_noprof.cold+0xb/0x65 mm/slub.c:5015 alloc_netdev_mqs+0xd2/0x1570 net/core/dev.c:11711 tun_set_iff drivers/net/tun.c:2752 [inline] __tun_chr_ioctl+0x19d9/0x47a0 drivers/net/tun.c:3048 __do_compat_sys_ioctl fs/ioctl.c:1005 [inline] __se_compat_sys_ioctl fs/ioctl.c:948 [inline] __ia32_compat_sys_ioctl+0x23f/0x370 fs/ioctl.c:948 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0x7c/0x3a0 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331 entry_SYSENTER_compat_after_hwframe+0x84/0x8e page last free pid 8932 tgid 8928 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1248 [inline] __free_frozen_pages+0x7fe/0x1180 mm/page_alloc.c:2706 __folio_put+0x329/0x450 mm/swap.c:112 device_release+0xa4/0x240 drivers/base/core.c:2568 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1e7/0x5a0 lib/kobject.c:737 netdev_run_todo+0x7e9/0x1320 net/core/dev.c:11412 tun_detach drivers/net/tun.c:639 [inline] tun_chr_close+0xea/0x230 drivers/net/tun.c:3396 __fput+0x3ff/0xb70 fs/file_table.c:465 task_work_run+0x150/0x240 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:114 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline] __do_fast_syscall_32+0x2ac/0x3a0 arch/x86/entry/syscall_32.c:309 do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331 entry_SYSENTER_compat_after_hwframe+0x84/0x8e Memory state around the buggy address: ffff888071be4a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888071be4b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888071be4b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888071be4c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888071be4c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================