==================================================================
BUG: KASAN: slab-use-after-free in rose_timer_expiry+0x46a/0x4b0 net/rose/rose_timer.c:183
Read of size 2 at addr ffff888059aaf82a by task kworker/u4:1/411

CPU: 0 PID: 411 Comm: kworker/u4:1 Not tainted 6.6.99-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: netns cleanup_net
Call Trace:
 <IRQ>
 dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xac/0x200 mm/kasan/report.c:466
 kasan_report+0x117/0x150 mm/kasan/report.c:579
 rose_timer_expiry+0x46a/0x4b0 net/rose/rose_timer.c:183
 call_timer_fn+0x16e/0x530 kernel/time/timer.c:1700
 expire_timers kernel/time/timer.c:1751 [inline]
 __run_timers+0x52d/0x7d0 kernel/time/timer.c:2022
 run_timer_softirq+0x67/0xf0 kernel/time/timer.c:2035
 handle_softirqs+0x280/0x820 kernel/softirq.c:578
 __do_softirq kernel/softirq.c:612 [inline]
 invoke_softirq kernel/softirq.c:452 [inline]
 __irq_exit_rcu+0xc7/0x190 kernel/softirq.c:661
 irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:rwsem_optimistic_spin kernel/locking/rwsem.c:839 [inline]
RIP: 0010:rwsem_down_write_slowpath+0x43f/0xfa0 kernel/locking/rwsem.c:1113
Code: fc ff df 0f b6 04 08 84 c0 75 34 41 83 fc 02 74 13 48 8b 44 24 30 83 38 64 48 8b 1c 24 7d 09 e9 42 01 00 00 48 8b 1c 24 f3 90 <48> 89 df e8 39 77 f0 f6 a8 07 0f 85 05 fe ff ff e9 27 01 00 00 48
RSP: 0018:ffffc900037d7660 EFLAGS: 00000206
RAX: ffff888050a73c6c RBX: ffff88801967f8d8 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88801967f8d8
RBP: ffffc900037d7850 R08: ffff88801967f8df R09: 1ffff110032cff1b
R10: dffffc0000000000 R11: ffffed10032cff1c R12: 0000000000000001
R13: ffffc900037d7760 R14: 1ffff110032cff1c R15: ffff88801967f8e0
 __down_write_common kernel/locking/rwsem.c:1306 [inline]
 __down_write kernel/locking/rwsem.c:1315 [inline]
 down_write+0x1a7/0x1f0 kernel/locking/rwsem.c:1574
 kernfs_remove_by_name_ns+0x7c/0x150 fs/kernfs/dir.c:1690
 kernfs_remove_by_name include/linux/kernfs.h:624 [inline]
 remove_files fs/sysfs/group.c:28 [inline]
 sysfs_remove_group+0xfc/0x2a0 fs/sysfs/group.c:292
 sysfs_remove_groups+0x54/0xa0 fs/sysfs/group.c:316
 destroy_gid_attrs drivers/infiniband/core/sysfs.c:1194 [inline]
 ib_free_port_attrs+0xc5/0x3b0 drivers/infiniband/core/sysfs.c:1419
 remove_one_compat_dev drivers/infiniband/core/device.c:1011 [inline]
 rdma_dev_exit_net+0x1d9/0x330 drivers/infiniband/core/device.c:1149
 ops_exit_list net/core/net_namespace.c:173 [inline]
 cleanup_net+0x6f4/0xb90 net/core/net_namespace.c:652
 process_one_work kernel/workqueue.c:2634 [inline]
 process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711
 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
 </TASK>

Allocated by task 850:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4e/0x70 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383
 kmalloc include/linux/slab.h:600 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 mca_alloc net/ipv6/mcast.c:880 [inline]
 __ipv6_dev_mc_inc+0x413/0xac0 net/ipv6/mcast.c:936
 ipv6_add_dev+0xd75/0x11f0 net/ipv6/addrconf.c:466
 addrconf_notify+0x67b/0x1010 net/ipv6/addrconf.c:3623
 notifier_call_chain+0x197/0x390 kernel/notifier.c:93
 call_netdevice_notifiers_extack net/core/dev.c:2064 [inline]
 call_netdevice_notifiers net/core/dev.c:2078 [inline]
 register_netdevice+0x160c/0x1ae0 net/core/dev.c:10301
 register_netdev+0x3b/0x50 net/core/dev.c:10400
 loopback_net_init+0x75/0x150 drivers/net/loopback.c:220
 ops_init+0x397/0x640 net/core/net_namespace.c:139
 setup_net+0x3a5/0xa00 net/core/net_namespace.c:343
 copy_net_ns+0x36d/0x5e0 net/core/net_namespace.c:520
 create_new_namespaces+0x3d3/0x6f0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x11a/0x160 kernel/nsproxy.c:228
 ksys_unshare+0x4c0/0x890 kernel/fork.c:3439
 __do_sys_unshare kernel/fork.c:3510 [inline]
 __se_sys_unshare kernel/fork.c:3508 [inline]
 __x64_sys_unshare+0x38/0x40 kernel/fork.c:3508
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Last potentially related work creation:
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492
 kvfree_call_rcu+0xee/0x780 kernel/rcu/tree.c:3452
 __ipv6_dev_mc_dec+0x2cc/0x330 net/ipv6/mcast.c:982
 ipv6_mc_destroy_dev+0x338/0x590 net/ipv6/mcast.c:2805
 addrconf_ifdown+0x139f/0x1880 net/ipv6/addrconf.c:3969
 addrconf_notify+0x6c6/0x1010 net/ipv6/addrconf.c:-1
 notifier_call_chain+0x197/0x390 kernel/notifier.c:93
 call_netdevice_notifiers_extack net/core/dev.c:2064 [inline]
 call_netdevice_notifiers net/core/dev.c:2078 [inline]
 unregister_netdevice_many_notify+0xf36/0x1810 net/core/dev.c:11074
 unregister_netdevice_many net/core/dev.c:11130 [inline]
 default_device_exit_batch+0x9cb/0xa60 net/core/dev.c:11608
 ops_exit_list net/core/net_namespace.c:178 [inline]
 setup_net+0x83a/0xa00 net/core/net_namespace.c:375
 copy_net_ns+0x36d/0x5e0 net/core/net_namespace.c:520
 create_new_namespaces+0x3d3/0x6f0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x11a/0x160 kernel/nsproxy.c:228
 ksys_unshare+0x4c0/0x890 kernel/fork.c:3439
 __do_sys_unshare kernel/fork.c:3510 [inline]
 __se_sys_unshare kernel/fork.c:3508 [inline]
 __x64_sys_unshare+0x38/0x40 kernel/fork.c:3508
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Second to last potentially related work creation:
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492
 kvfree_call_rcu+0xee/0x780 kernel/rcu/tree.c:3452
 ipv6_mc_destroy_dev+0x3c1/0x590 net/ipv6/mcast.c:2815
 addrconf_ifdown+0x139f/0x1880 net/ipv6/addrconf.c:3969
 addrconf_notify+0x6c6/0x1010 net/ipv6/addrconf.c:-1
 notifier_call_chain+0x197/0x390 kernel/notifier.c:93
 call_netdevice_notifiers_extack net/core/dev.c:2064 [inline]
 call_netdevice_notifiers net/core/dev.c:2078 [inline]
 unregister_netdevice_many_notify+0xf36/0x1810 net/core/dev.c:11074
 sit_exit_batch_net+0x49c/0x4e0 net/ipv6/sit.c:1888
 ops_exit_list net/core/net_namespace.c:178 [inline]
 cleanup_net+0x77f/0xb90 net/core/net_namespace.c:652
 process_one_work kernel/workqueue.c:2634 [inline]
 process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711
 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293

The buggy address belongs to the object at ffff888059aaf800
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 42 bytes inside of
 freed 512-byte region [ffff888059aaf800, ffff888059aafa00)

The buggy address belongs to the physical page:
page:ffffea000166ab00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888059aaf800 pfn:0x59aac
head:ffffea000166ab00 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888017841c80 ffffea000165c810 ffffea00007cf510
raw: ffff888059aaf800 000000000010000e 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5786, tgid 5786 (syz-executor), ts 88519667058, free_ts 25891327611
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1cd/0x210 mm/page_alloc.c:1554
 prep_new_page mm/page_alloc.c:1561 [inline]
 get_page_from_freelist+0x195c/0x19f0 mm/page_alloc.c:3191
 __alloc_pages+0x1e3/0x460 mm/page_alloc.c:4457
 alloc_slab_page+0x5d/0x170 mm/slub.c:1876
 allocate_slab mm/slub.c:2023 [inline]
 new_slab+0x87/0x2e0 mm/slub.c:2076
 ___slab_alloc+0xc6d/0x12f0 mm/slub.c:3230
 __slab_alloc mm/slub.c:3329 [inline]
 __slab_alloc_node mm/slub.c:3382 [inline]
 slab_alloc_node mm/slub.c:3475 [inline]
 __kmem_cache_alloc_node+0x1a2/0x260 mm/slub.c:3524
 __do_kmalloc_node mm/slab_common.c:1006 [inline]
 __kmalloc+0xa4/0x240 mm/slab_common.c:1020
 kmalloc include/linux/slab.h:604 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 fib6_info_alloc+0x32/0xe0 net/ipv6/ip6_fib.c:155
 ip6_route_info_create+0x44f/0x1200 net/ipv6/route.c:3793
 ip6_route_add+0x28/0x130 net/ipv6/route.c:3889
 addrconf_add_mroute net/ipv6/addrconf.c:2515 [inline]
 addrconf_add_dev+0x257/0x340 net/ipv6/addrconf.c:2533
 addrconf_gre_config net/ipv6/addrconf.c:3502 [inline]
 addrconf_init_auto_addrs+0x19f/0xaa0 net/ipv6/addrconf.c:3532
 addrconf_notify+0xb62/0x1010 net/ipv6/addrconf.c:3713
 notifier_call_chain+0x197/0x390 kernel/notifier.c:93
 call_netdevice_notifiers_extack net/core/dev.c:2064 [inline]
 call_netdevice_notifiers net/core/dev.c:2078 [inline]
 __dev_notify_flags+0x18e/0x2e0 net/core/dev.c:-1
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1154 [inline]
 free_unref_page_prepare+0x7ce/0x8e0 mm/page_alloc.c:2336
 free_unref_page+0x32/0x2e0 mm/page_alloc.c:2429
 free_contig_range+0xa1/0x160 mm/page_alloc.c:6369
 destroy_args+0x87/0x770 mm/debug_vm_pgtable.c:1015
 debug_vm_pgtable+0x3cc/0x410 mm/debug_vm_pgtable.c:1395
 do_one_initcall+0x1fd/0x750 init/main.c:1238
 do_initcall_level+0x137/0x1f0 init/main.c:1300
 do_initcalls+0x69/0xd0 init/main.c:1316
 kernel_init_freeable+0x3d2/0x570 init/main.c:1553
 kernel_init+0x1d/0x1c0 init/main.c:1443
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293

Memory state around the buggy address:
 ffff888059aaf700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888059aaf780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888059aaf800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff888059aaf880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888059aaf900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess), 2 bytes skipped:
   0:	df 0f                	fisttps (%rdi)
   2:	b6 04                	mov    $0x4,%dh
   4:	08 84 c0 75 34 41 83 	or     %al,-0x7cbecb8b(%rax,%rax,8)
   b:	fc                   	cld
   c:	02 74 13 48          	add    0x48(%rbx,%rdx,1),%dh
  10:	8b 44 24 30          	mov    0x30(%rsp),%eax
  14:	83 38 64             	cmpl   $0x64,(%rax)
  17:	48 8b 1c 24          	mov    (%rsp),%rbx
  1b:	7d 09                	jge    0x26
  1d:	e9 42 01 00 00       	jmp    0x164
  22:	48 8b 1c 24          	mov    (%rsp),%rbx
  26:	f3 90                	pause
* 28:	48 89 df             	mov    %rbx,%rdi <-- trapping instruction
  2b:	e8 39 77 f0 f6       	call   0xf6f07769
  30:	a8 07                	test   $0x7,%al
  32:	0f 85 05 fe ff ff    	jne    0xfffffe3d
  38:	e9 27 01 00 00       	jmp    0x164
  3d:	48                   	rex.W