geneve0 speed is unknown, defaulting to 1000 ================================================================== BUG: KASAN: slab-use-after-free in siw_query_port+0x37b/0x3e0 drivers/infiniband/sw/siw/siw_verbs.c:177 Read of size 4 at addr ffff8880365440e8 by task kworker/0:2/15614 CPU: 0 PID: 15614 Comm: kworker/0:2 Not tainted 6.4.0-syzkaller-12491-gc192ac735768 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023 Workqueue: infiniband ib_cache_event_task Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:364 print_report mm/kasan/report.c:475 [inline] kasan_report+0x11d/0x130 mm/kasan/report.c:588 siw_query_port+0x37b/0x3e0 drivers/infiniband/sw/siw/siw_verbs.c:177 iw_query_port drivers/infiniband/core/device.c:2049 [inline] ib_query_port drivers/infiniband/core/device.c:2090 [inline] ib_query_port+0x3c4/0x8f0 drivers/infiniband/core/device.c:2082 ib_cache_update.part.0+0xcf/0x920 drivers/infiniband/core/cache.c:1487 ib_cache_update drivers/infiniband/core/cache.c:1561 [inline] ib_cache_event_task+0x1b1/0x270 drivers/infiniband/core/cache.c:1561 process_one_work+0xa34/0x16f0 kernel/workqueue.c:2597 worker_thread+0x67d/0x10c0 kernel/workqueue.c:2748 kthread+0x344/0x440 kernel/kthread.c:389 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 Allocated by task 5068: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] ____kasan_kmalloc mm/kasan/common.c:333 [inline] __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:383 kasan_kmalloc include/linux/kasan.h:196 [inline] __do_kmalloc_node mm/slab_common.c:985 [inline] __kmalloc_node+0x61/0x1a0 mm/slab_common.c:992 kmalloc_node include/linux/slab.h:602 [inline] kvmalloc_node+0xa2/0x1a0 mm/util.c:604 kvmalloc include/linux/slab.h:720 [inline] kvzalloc include/linux/slab.h:728 [inline] alloc_netdev_mqs+0x9b/0x1270 net/core/dev.c:10594 rtnl_create_link+0xc17/0xf20 net/core/rtnetlink.c:3336 rtnl_newlink_create net/core/rtnetlink.c:3462 [inline] __rtnl_newlink+0x1001/0x1860 net/core/rtnetlink.c:3689 rtnl_newlink+0x68/0xa0 net/core/rtnetlink.c:3702 rtnetlink_rcv_msg+0x43d/0xd50 net/core/rtnetlink.c:6424 netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2549 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x925/0xe30 net/netlink/af_netlink.c:1914 sock_sendmsg_nosec net/socket.c:725 [inline] sock_sendmsg+0xde/0x190 net/socket.c:748 __sys_sendto+0x254/0x350 net/socket.c:2134 __do_sys_sendto net/socket.c:2146 [inline] __se_sys_sendto net/socket.c:2142 [inline] __x64_sys_sendto+0xe1/0x1b0 net/socket.c:2142 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 17500: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522 ____kasan_slab_free mm/kasan/common.c:236 [inline] ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200 kasan_slab_free include/linux/kasan.h:162 [inline] __cache_free mm/slab.c:3370 [inline] __do_kmem_cache_free mm/slab.c:3557 [inline] __kmem_cache_free+0xcd/0x2c0 mm/slab.c:3564 kvfree+0x46/0x50 mm/util.c:650 device_release+0xa3/0x240 drivers/base/core.c:2484 kobject_cleanup lib/kobject.c:682 [inline] kobject_release lib/kobject.c:713 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1c2/0x4d0 lib/kobject.c:730 netdev_run_todo+0x762/0x1100 net/core/dev.c:10366 default_device_exit_batch+0x456/0x5b0 net/core/dev.c:11360 ops_exit_list+0x125/0x170 net/core/net_namespace.c:175 cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:614 process_one_work+0xa34/0x16f0 kernel/workqueue.c:2597 worker_thread+0x67d/0x10c0 kernel/workqueue.c:2748 kthread+0x344/0x440 kernel/kthread.c:389 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 The buggy address belongs to the object at ffff888036544000 which belongs to the cache kmalloc-cg-4k of size 4096 The buggy address is located 232 bytes inside of freed 4096-byte region [ffff888036544000, ffff888036545000) The buggy address belongs to the physical page: page:ffffea0000d95100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36544 head:ffffea0000d95100 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) page_type: 0x1() raw: 00fff00000010200 ffff88801284da00 ffffea0000d93910 ffffea0000d95310 raw: 0000000000000000 ffff888036544000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 1, migratetype Unmovable, gfp_mask 0x2460c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_THISNODE), pid 5068, tgid 5068 (syz-executor.3), ts 270078571196, free_ts 0 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x2db/0x350 mm/page_alloc.c:1570 prep_new_page mm/page_alloc.c:1577 [inline] get_page_from_freelist+0xfed/0x2d30 mm/page_alloc.c:3221 __alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:4477 __alloc_pages_node include/linux/gfp.h:237 [inline] kmem_getpages mm/slab.c:1356 [inline] cache_grow_begin+0x9b/0x3b0 mm/slab.c:2550 cache_alloc_refill+0x289/0x3a0 mm/slab.c:2923 ____cache_alloc mm/slab.c:2999 [inline] ____cache_alloc mm/slab.c:2982 [inline] __do_cache_alloc mm/slab.c:3182 [inline] slab_alloc_node mm/slab.c:3230 [inline] __kmem_cache_alloc_node+0x392/0x410 mm/slab.c:3521 __do_kmalloc_node mm/slab_common.c:984 [inline] __kmalloc_node+0x51/0x1a0 mm/slab_common.c:992 kmalloc_node include/linux/slab.h:602 [inline] kvmalloc_node+0xa2/0x1a0 mm/util.c:604 kvmalloc include/linux/slab.h:720 [inline] kvzalloc include/linux/slab.h:728 [inline] alloc_netdev_mqs+0x9b/0x1270 net/core/dev.c:10594 rtnl_create_link+0xc17/0xf20 net/core/rtnetlink.c:3336 rtnl_newlink_create net/core/rtnetlink.c:3462 [inline] __rtnl_newlink+0x1001/0x1860 net/core/rtnetlink.c:3689 rtnl_newlink+0x68/0xa0 net/core/rtnetlink.c:3702 rtnetlink_rcv_msg+0x43d/0xd50 net/core/rtnetlink.c:6424 netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2549 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x925/0xe30 net/netlink/af_netlink.c:1914 page_owner free stack trace missing Memory state around the buggy address: ffff888036543f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888036544000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888036544080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888036544100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888036544180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================