================================================================== BUG: KASAN: slab-use-after-free in rose_timer_expiry+0x46a/0x4b0 net/rose/rose_timer.c:183 Read of size 2 at addr ffff888059aaf82a by task kworker/u4:1/411 CPU: 0 PID: 411 Comm: kworker/u4:1 Not tainted 6.6.99-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: netns cleanup_net Call Trace: dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xac/0x200 mm/kasan/report.c:466 kasan_report+0x117/0x150 mm/kasan/report.c:579 rose_timer_expiry+0x46a/0x4b0 net/rose/rose_timer.c:183 call_timer_fn+0x16e/0x530 kernel/time/timer.c:1700 expire_timers kernel/time/timer.c:1751 [inline] __run_timers+0x52d/0x7d0 kernel/time/timer.c:2022 run_timer_softirq+0x67/0xf0 kernel/time/timer.c:2035 handle_softirqs+0x280/0x820 kernel/softirq.c:578 __do_softirq kernel/softirq.c:612 [inline] invoke_softirq kernel/softirq.c:452 [inline] __irq_exit_rcu+0xc7/0x190 kernel/softirq.c:661 irq_exit_rcu+0x9/0x20 kernel/softirq.c:673 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline] sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687 RIP: 0010:rwsem_optimistic_spin kernel/locking/rwsem.c:839 [inline] RIP: 0010:rwsem_down_write_slowpath+0x43f/0xfa0 kernel/locking/rwsem.c:1113 Code: fc ff df 0f b6 04 08 84 c0 75 34 41 83 fc 02 74 13 48 8b 44 24 30 83 38 64 48 8b 1c 24 7d 09 e9 42 01 00 00 48 8b 1c 24 f3 90 <48> 89 df e8 39 77 f0 f6 a8 07 0f 85 05 fe ff ff e9 27 01 00 00 48 RSP: 0018:ffffc900037d7660 EFLAGS: 00000206 RAX: ffff888050a73c6c RBX: ffff88801967f8d8 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88801967f8d8 RBP: ffffc900037d7850 R08: ffff88801967f8df R09: 1ffff110032cff1b R10: dffffc0000000000 R11: ffffed10032cff1c R12: 0000000000000001 R13: ffffc900037d7760 R14: 1ffff110032cff1c R15: ffff88801967f8e0 __down_write_common kernel/locking/rwsem.c:1306 [inline] __down_write kernel/locking/rwsem.c:1315 [inline] down_write+0x1a7/0x1f0 kernel/locking/rwsem.c:1574 kernfs_remove_by_name_ns+0x7c/0x150 fs/kernfs/dir.c:1690 kernfs_remove_by_name include/linux/kernfs.h:624 [inline] remove_files fs/sysfs/group.c:28 [inline] sysfs_remove_group+0xfc/0x2a0 fs/sysfs/group.c:292 sysfs_remove_groups+0x54/0xa0 fs/sysfs/group.c:316 destroy_gid_attrs drivers/infiniband/core/sysfs.c:1194 [inline] ib_free_port_attrs+0xc5/0x3b0 drivers/infiniband/core/sysfs.c:1419 remove_one_compat_dev drivers/infiniband/core/device.c:1011 [inline] rdma_dev_exit_net+0x1d9/0x330 drivers/infiniband/core/device.c:1149 ops_exit_list net/core/net_namespace.c:173 [inline] cleanup_net+0x6f4/0xb90 net/core/net_namespace.c:652 process_one_work kernel/workqueue.c:2634 [inline] process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792 kthread+0x2fa/0x390 kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293 Allocated by task 850: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4e/0x70 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383 kmalloc include/linux/slab.h:600 [inline] kzalloc include/linux/slab.h:721 [inline] mca_alloc net/ipv6/mcast.c:880 [inline] __ipv6_dev_mc_inc+0x413/0xac0 net/ipv6/mcast.c:936 ipv6_add_dev+0xd75/0x11f0 net/ipv6/addrconf.c:466 addrconf_notify+0x67b/0x1010 net/ipv6/addrconf.c:3623 notifier_call_chain+0x197/0x390 kernel/notifier.c:93 call_netdevice_notifiers_extack net/core/dev.c:2064 [inline] call_netdevice_notifiers net/core/dev.c:2078 [inline] register_netdevice+0x160c/0x1ae0 net/core/dev.c:10301 register_netdev+0x3b/0x50 net/core/dev.c:10400 loopback_net_init+0x75/0x150 drivers/net/loopback.c:220 ops_init+0x397/0x640 net/core/net_namespace.c:139 setup_net+0x3a5/0xa00 net/core/net_namespace.c:343 copy_net_ns+0x36d/0x5e0 net/core/net_namespace.c:520 create_new_namespaces+0x3d3/0x6f0 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x11a/0x160 kernel/nsproxy.c:228 ksys_unshare+0x4c0/0x890 kernel/fork.c:3439 __do_sys_unshare kernel/fork.c:3510 [inline] __se_sys_unshare kernel/fork.c:3508 [inline] __x64_sys_unshare+0x38/0x40 kernel/fork.c:3508 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Last potentially related work creation: kasan_save_stack+0x3e/0x60 mm/kasan/common.c:45 __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492 kvfree_call_rcu+0xee/0x780 kernel/rcu/tree.c:3452 __ipv6_dev_mc_dec+0x2cc/0x330 net/ipv6/mcast.c:982 ipv6_mc_destroy_dev+0x338/0x590 net/ipv6/mcast.c:2805 addrconf_ifdown+0x139f/0x1880 net/ipv6/addrconf.c:3969 addrconf_notify+0x6c6/0x1010 net/ipv6/addrconf.c:-1 notifier_call_chain+0x197/0x390 kernel/notifier.c:93 call_netdevice_notifiers_extack net/core/dev.c:2064 [inline] call_netdevice_notifiers net/core/dev.c:2078 [inline] unregister_netdevice_many_notify+0xf36/0x1810 net/core/dev.c:11074 unregister_netdevice_many net/core/dev.c:11130 [inline] default_device_exit_batch+0x9cb/0xa60 net/core/dev.c:11608 ops_exit_list net/core/net_namespace.c:178 [inline] setup_net+0x83a/0xa00 net/core/net_namespace.c:375 copy_net_ns+0x36d/0x5e0 net/core/net_namespace.c:520 create_new_namespaces+0x3d3/0x6f0 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x11a/0x160 kernel/nsproxy.c:228 ksys_unshare+0x4c0/0x890 kernel/fork.c:3439 __do_sys_unshare kernel/fork.c:3510 [inline] __se_sys_unshare kernel/fork.c:3508 [inline] __x64_sys_unshare+0x38/0x40 kernel/fork.c:3508 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Second to last potentially related work creation: kasan_save_stack+0x3e/0x60 mm/kasan/common.c:45 __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492 kvfree_call_rcu+0xee/0x780 kernel/rcu/tree.c:3452 ipv6_mc_destroy_dev+0x3c1/0x590 net/ipv6/mcast.c:2815 addrconf_ifdown+0x139f/0x1880 net/ipv6/addrconf.c:3969 addrconf_notify+0x6c6/0x1010 net/ipv6/addrconf.c:-1 notifier_call_chain+0x197/0x390 kernel/notifier.c:93 call_netdevice_notifiers_extack net/core/dev.c:2064 [inline] call_netdevice_notifiers net/core/dev.c:2078 [inline] unregister_netdevice_many_notify+0xf36/0x1810 net/core/dev.c:11074 sit_exit_batch_net+0x49c/0x4e0 net/ipv6/sit.c:1888 ops_exit_list net/core/net_namespace.c:178 [inline] cleanup_net+0x77f/0xb90 net/core/net_namespace.c:652 process_one_work kernel/workqueue.c:2634 [inline] process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792 kthread+0x2fa/0x390 kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293 The buggy address belongs to the object at ffff888059aaf800 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 42 bytes inside of freed 512-byte region [ffff888059aaf800, ffff888059aafa00) The buggy address belongs to the physical page: page:ffffea000166ab00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888059aaf800 pfn:0x59aac head:ffffea000166ab00 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000000840 ffff888017841c80 ffffea000165c810 ffffea00007cf510 raw: ffff888059aaf800 000000000010000e 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5786, tgid 5786 (syz-executor), ts 88519667058, free_ts 25891327611 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x1cd/0x210 mm/page_alloc.c:1554 prep_new_page mm/page_alloc.c:1561 [inline] get_page_from_freelist+0x195c/0x19f0 mm/page_alloc.c:3191 __alloc_pages+0x1e3/0x460 mm/page_alloc.c:4457 alloc_slab_page+0x5d/0x170 mm/slub.c:1876 allocate_slab mm/slub.c:2023 [inline] new_slab+0x87/0x2e0 mm/slub.c:2076 ___slab_alloc+0xc6d/0x12f0 mm/slub.c:3230 __slab_alloc mm/slub.c:3329 [inline] __slab_alloc_node mm/slub.c:3382 [inline] slab_alloc_node mm/slub.c:3475 [inline] __kmem_cache_alloc_node+0x1a2/0x260 mm/slub.c:3524 __do_kmalloc_node mm/slab_common.c:1006 [inline] __kmalloc+0xa4/0x240 mm/slab_common.c:1020 kmalloc include/linux/slab.h:604 [inline] kzalloc include/linux/slab.h:721 [inline] fib6_info_alloc+0x32/0xe0 net/ipv6/ip6_fib.c:155 ip6_route_info_create+0x44f/0x1200 net/ipv6/route.c:3793 ip6_route_add+0x28/0x130 net/ipv6/route.c:3889 addrconf_add_mroute net/ipv6/addrconf.c:2515 [inline] addrconf_add_dev+0x257/0x340 net/ipv6/addrconf.c:2533 addrconf_gre_config net/ipv6/addrconf.c:3502 [inline] addrconf_init_auto_addrs+0x19f/0xaa0 net/ipv6/addrconf.c:3532 addrconf_notify+0xb62/0x1010 net/ipv6/addrconf.c:3713 notifier_call_chain+0x197/0x390 kernel/notifier.c:93 call_netdevice_notifiers_extack net/core/dev.c:2064 [inline] call_netdevice_notifiers net/core/dev.c:2078 [inline] __dev_notify_flags+0x18e/0x2e0 net/core/dev.c:-1 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1154 [inline] free_unref_page_prepare+0x7ce/0x8e0 mm/page_alloc.c:2336 free_unref_page+0x32/0x2e0 mm/page_alloc.c:2429 free_contig_range+0xa1/0x160 mm/page_alloc.c:6369 destroy_args+0x87/0x770 mm/debug_vm_pgtable.c:1015 debug_vm_pgtable+0x3cc/0x410 mm/debug_vm_pgtable.c:1395 do_one_initcall+0x1fd/0x750 init/main.c:1238 do_initcall_level+0x137/0x1f0 init/main.c:1300 do_initcalls+0x69/0xd0 init/main.c:1316 kernel_init_freeable+0x3d2/0x570 init/main.c:1553 kernel_init+0x1d/0x1c0 init/main.c:1443 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293 Memory state around the buggy address: ffff888059aaf700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888059aaf780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888059aaf800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888059aaf880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888059aaf900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ---------------- Code disassembly (best guess), 2 bytes skipped: 0: df 0f fisttps (%rdi) 2: b6 04 mov $0x4,%dh 4: 08 84 c0 75 34 41 83 or %al,-0x7cbecb8b(%rax,%rax,8) b: fc cld c: 02 74 13 48 add 0x48(%rbx,%rdx,1),%dh 10: 8b 44 24 30 mov 0x30(%rsp),%eax 14: 83 38 64 cmpl $0x64,(%rax) 17: 48 8b 1c 24 mov (%rsp),%rbx 1b: 7d 09 jge 0x26 1d: e9 42 01 00 00 jmp 0x164 22: 48 8b 1c 24 mov (%rsp),%rbx 26: f3 90 pause * 28: 48 89 df mov %rbx,%rdi <-- trapping instruction 2b: e8 39 77 f0 f6 call 0xf6f07769 30: a8 07 test $0x7,%al 32: 0f 85 05 fe ff ff jne 0xfffffe3d 38: e9 27 01 00 00 jmp 0x164 3d: 48 rex.W