==================================================================
BUG: KASAN: use-after-free in dev_put include/linux/netdevice.h:3943 [inline]
BUG: KASAN: use-after-free in netdevice_event_work_handler+0x110/0x3f0 drivers/infiniband/core/roce_gid_mgmt.c:630
Read of size 8 at addr ffff888072038568 by task kworker/u4:0/8

CPU: 1 PID: 8 Comm: kworker/u4:0 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: gid-cache-wq netdevice_event_work_handler
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x137/0x1be lib/dump_stack.c:120
 print_address_description+0x6c/0x660 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report+0x136/0x1e0 mm/kasan/report.c:562
 dev_put include/linux/netdevice.h:3943 [inline]
 netdevice_event_work_handler+0x110/0x3f0 drivers/infiniband/core/roce_gid_mgmt.c:630
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2272
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2418
 kthread+0x39a/0x3c0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Allocated by task 21365:
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc+0x111/0x140 mm/kasan/common.c:461
 __kmalloc_node+0xb5/0x3b0 mm/slub.c:4018
 kmalloc_node include/linux/slab.h:575 [inline]
 kvmalloc_node+0x81/0xf0 mm/util.c:575
 kvmalloc include/linux/mm.h:772 [inline]
 kvzalloc include/linux/mm.h:780 [inline]
 alloc_netdev_mqs+0x86/0xc50 net/core/dev.c:10461
 rtnl_create_link+0x242/0x9c0 net/core/rtnetlink.c:3169
 __rtnl_newlink net/core/rtnetlink.c:3431 [inline]
 rtnl_newlink+0x1210/0x1ba0 net/core/rtnetlink.c:3500
 rtnetlink_rcv_msg+0x889/0xd40 net/core/rtnetlink.c:5562
 netlink_rcv_skb+0x190/0x3a0 net/netlink/af_netlink.c:2494
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x780/0x930 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x9a8/0xd40 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg net/socket.c:671 [inline]
 ____sys_sendmsg+0x519/0x800 net/socket.c:2353
 ___sys_sendmsg net/socket.c:2407 [inline]
 __sys_sendmsg+0x2b1/0x360 net/socket.c:2440
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 21365:
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
 kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0x108/0x140 mm/kasan/common.c:422
 slab_free_hook mm/slub.c:1544 [inline]
 slab_free_freelist_hook+0xd6/0x1a0 mm/slub.c:1577
 slab_free mm/slub.c:3142 [inline]
 kfree+0xd1/0x280 mm/slub.c:4124
 device_release+0x98/0x1c0 drivers/base/core.c:1802
 kobject_cleanup+0x20e/0x280 lib/kobject.c:705
 __rtnl_newlink net/core/rtnetlink.c:3450 [inline]
 rtnl_newlink+0x16eb/0x1ba0 net/core/rtnetlink.c:3500
 rtnetlink_rcv_msg+0x889/0xd40 net/core/rtnetlink.c:5562
 netlink_rcv_skb+0x190/0x3a0 net/netlink/af_netlink.c:2494
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x780/0x930 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x9a8/0xd40 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg net/socket.c:671 [inline]
 ____sys_sendmsg+0x519/0x800 net/socket.c:2353
 ___sys_sendmsg net/socket.c:2407 [inline]
 __sys_sendmsg+0x2b1/0x360 net/socket.c:2440
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff888072038000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 1384 bytes inside of
 4096-byte region [ffff888072038000, ffff888072039000)
The buggy address belongs to the page:
page:0000000086dcced3 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x72038
head:0000000086dcced3 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010442140
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888072038400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888072038480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888072038500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff888072038580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888072038600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================