================================================================== BUG: KASAN: use-after-free in shutdown_one_device drivers/base/core.c:4817 [inline] BUG: KASAN: use-after-free in shutdown_one_device_async+0x4ac/0x5f0 drivers/base/core.c:4837 Read of size 8 at addr ffff88806d6e0738 by task kworker/u8:17/15032 CPU: 1 UID: 0 PID: 15032 Comm: kworker/u8:17 Not tainted 6.11.0-next-20240925-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Workqueue: async async_run_entry_fn Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 shutdown_one_device drivers/base/core.c:4817 [inline] shutdown_one_device_async+0x4ac/0x5f0 drivers/base/core.c:4837 async_run_entry_fn+0xa8/0x420 kernel/async.c:129 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7f7228b8b pfn:0x6d6e0 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 ffffea0001e54f08 ffff8880b8744b80 0000000000000000 raw: 00000007f7228b8b 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO), pid 14611, tgid 14611 (syz-executor), ts 776495307320, free_ts 814610926588 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4210 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4237 __do_kmalloc_node mm/slub.c:4253 [inline] __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4271 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:658 alloc_netdev_mqs+0x9b/0x1000 net/core/dev.c:11093 tun_set_iff+0x542/0xe80 drivers/net/tun.c:2833 __tun_chr_ioctl+0x863/0x2400 drivers/net/tun.c:3131 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 15032 tgid 15032 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638 __folio_put+0x2c7/0x440 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_large_kmalloc+0x105/0x1c0 mm/slub.c:4699 kfree+0x21c/0x440 mm/slub.c:4722 device_release+0x99/0x1c0 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x22f/0x480 lib/kobject.c:737 put_device drivers/base/core.c:3785 [inline] shutdown_one_device drivers/base/core.c:4816 [inline] shutdown_one_device_async+0x492/0x5f0 drivers/base/core.c:4837 async_run_entry_fn+0xa8/0x420 kernel/async.c:129 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Memory state around the buggy address: ffff88806d6e0600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88806d6e0680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88806d6e0700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88806d6e0780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88806d6e0800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================