==================================================================
BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3204 [inline]
BUG: KASAN: double-free or invalid-free in kfree+0xd5/0x320 mm/slub.c:4192

CPU: 1 PID: 26629 Comm: syz-executor.0 Not tainted 5.10.77-syzkaller-01258-g76698ea35fd3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
 print_address_description+0x8d/0x3d0 mm/kasan/report.c:233
 kasan_report_invalid_free+0x58/0x130 mm/kasan/report.c:358
 ____kasan_slab_free+0x14b/0x170 mm/kasan/common.c:362
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:368
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:1596 [inline]
 slab_free_freelist_hook+0xcc/0x1a0 mm/slub.c:1622
 slab_free mm/slub.c:3204 [inline]
 kfree+0xd5/0x320 mm/slub.c:4192
 io_put_identity fs/io_uring.c:1262 [inline]
 io_req_clean_work fs/io_uring.c:1300 [inline]
 io_dismantle_req+0x9b0/0xd90 fs/io_uring.c:1896
 __io_free_req+0x9c/0x380 fs/io_uring.c:1904
 io_free_req fs/io_uring.c:2137 [inline]
 io_put_req fs/io_uring.c:2226 [inline]
 io_free_work+0x92/0x5e0 fs/io_uring.c:7848
 io_run_cancel fs/io-wq.c:871 [inline]
 io_wqe_cancel_pending_work fs/io-wq.c:1019 [inline]
 io_wq_cancel_cb+0x5f2/0x9f0 fs/io-wq.c:1056
 __io_uring_cancel_task_requests fs/io_uring.c:8708 [inline]
 io_uring_cancel_task_requests+0x1916/0x1ed0 fs/io_uring.c:8764
 io_uring_flush+0x170/0x6d0 fs/io_uring.c:8925
 filp_close+0xb0/0x150 fs/open.c:1319
 close_files fs/file.c:401 [inline]
 put_files_struct+0x1d4/0x350 fs/file.c:429
 exit_files+0x80/0xa0 fs/file.c:458
 copy_process+0x39e4/0x5330 kernel/fork.c:2397
 kernel_clone+0x21f/0x9a0 kernel/fork.c:2507
 __do_sys_clone3 kernel/fork.c:2784 [inline]
 __se_sys_clone3+0x2e9/0x370 kernel/fork.c:2768
 __x64_sys_clone3+0x5b/0x70 kernel/fork.c:2768
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f01232f1ae9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0121068188 EFLAGS: 00000246 ORIG_RAX: 00000000000001b3
RAX: ffffffffffffffda RBX: 00007f0123404f60 RCX: 00007f01232f1ae9
RDX: 0000000000000000 RSI: 0000000000000058 RDI: 0000000020000340
RBP: 00007f012334bf25 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff3624ad1f R14: 00007f0121068300 R15: 0000000000022000

Allocated by task 26629:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:428 [inline]
 ____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:507
 __kasan_kmalloc+0x9/0x10 mm/kasan/common.c:516
 kasan_kmalloc include/linux/kasan.h:269 [inline]
 kmem_cache_alloc_trace+0x210/0x3a0 mm/slub.c:2975
 kmalloc include/linux/slab.h:552 [inline]
 io_uring_alloc_task_context+0x57/0x550 fs/io_uring.c:7903
 io_uring_add_task_file+0x1f7/0x290 fs/io_uring.c:8781
 io_uring_install_fd fs/io_uring.c:9315 [inline]
 io_uring_create+0x2195/0x3490 fs/io_uring.c:9517
 io_uring_setup fs/io_uring.c:9556 [inline]
 __do_sys_io_uring_setup fs/io_uring.c:9562 [inline]
 __se_sys_io_uring_setup fs/io_uring.c:9559 [inline]
 __x64_sys_io_uring_setup+0x1ce/0x290 fs/io_uring.c:9559
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88811684ec00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 88 bytes inside of
 192-byte region [ffff88811684ec00, ffff88811684ecc0)
The buggy address belongs to the page:
page:ffffea00045a1380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11684e
flags: 0x8000000000000200(slab)
raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100043380
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 476, ts 148052337407, free_ts 147999494444
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2385 [inline]
 prep_new_page mm/page_alloc.c:2391 [inline]
 get_page_from_freelist+0xa74/0xa90 mm/page_alloc.c:4063
 __alloc_pages_nodemask+0x3c8/0x820 mm/page_alloc.c:5106
 alloc_slab_page mm/slub.c:1807 [inline]
 allocate_slab+0x6b/0x350 mm/slub.c:1809
 new_slab mm/slub.c:1870 [inline]
 new_slab_objects mm/slub.c:2629 [inline]
 ___slab_alloc+0x143/0x2f0 mm/slub.c:2792
 __slab_alloc mm/slub.c:2832 [inline]
 slab_alloc_node mm/slub.c:2914 [inline]
 slab_alloc mm/slub.c:2956 [inline]
 __kmalloc_track_caller+0x299/0x3b0 mm/slub.c:4535
 kmemdup+0x24/0x50 mm/util.c:131
 neigh_parms_alloc+0x83/0x460 net/core/neighbour.c:1625
 inetdev_init+0x130/0x590 net/ipv4/devinet.c:266
 inetdev_event+0x205/0x11b0 net/ipv4/devinet.c:1531
 notifier_call_chain kernel/notifier.c:83 [inline]
 raw_notifier_call_chain+0x8e/0xf0 kernel/notifier.c:410
 call_netdevice_notifiers_info net/core/dev.c:2054 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2066 [inline]
 call_netdevice_notifiers net/core/dev.c:2080 [inline]
 register_netdevice+0x1502/0x1ad0 net/core/dev.c:10135
 veth_newlink+0x864/0xba0 drivers/net/veth.c:1385
 __rtnl_newlink net/core/rtnetlink.c:3442 [inline]
 rtnl_newlink+0x1580/0x1db0 net/core/rtnetlink.c:3501
 rtnetlink_rcv_msg+0xbae/0xd70 net/core/rtnetlink.c:5567
 netlink_rcv_skb+0x200/0x470 net/netlink/af_netlink.c:2502
 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:5585
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1331 [inline]
 free_pcp_prepare+0x18f/0x1c0 mm/page_alloc.c:1405
 free_unref_page_prepare mm/page_alloc.c:3291 [inline]
 free_unref_page mm/page_alloc.c:3341 [inline]
 free_the_page mm/page_alloc.c:5165 [inline]
 __free_pages+0x2e3/0x4a0 mm/page_alloc.c:5173
 free_pages+0x7c/0x90 mm/page_alloc.c:5184
 tlb_batch_list_free mm/mmu_gather.c:61 [inline]
 tlb_finish_mmu+0x123/0x1f0 mm/mmu_gather.c:331
 exit_mmap+0x2e8/0x570 mm/mmap.c:3326
 __mmput+0x95/0x2c0 kernel/fork.c:1128
 mmput+0x4b/0x50 kernel/fork.c:1149
 exit_mm+0x615/0x7e0 kernel/exit.c:489
 do_exit+0x6c4/0x23a0 kernel/exit.c:800
 do_group_exit+0x16a/0x2d0 kernel/exit.c:910
 get_signal+0x133e/0x1f80 kernel/signal.c:2790
 arch_do_signal+0x8d/0x620 arch/x86/kernel/signal.c:805
 exit_to_user_mode_loop kernel/entry/common.c:161 [inline]
 exit_to_user_mode_prepare+0xaa/0xe0 kernel/entry/common.c:191
 syscall_exit_to_user_mode+0x24/0x40 kernel/entry/common.c:266
 do_syscall_64+0x3d/0x70 arch/x86/entry/common.c:56
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Memory state around the buggy address:
 ffff88811684eb00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88811684eb80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff88811684ec00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                    ^
 ffff88811684ec80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
 ffff88811684ed00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 26629 at lib/refcount.c:28 refcount_warn_saturate+0x165/0x1b0 lib/refcount.c:28
Modules linked in:
CPU: 0 PID: 26629 Comm: syz-executor.0 Tainted: G    B             5.10.77-syzkaller-01258-g76698ea35fd3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:refcount_warn_saturate+0x165/0x1b0 lib/refcount.c:28
Code: c7 60 b0 49 85 31 c0 e8 59 73 eb fe 0f 0b eb 83 e8 e0 90 18 ff c6 05 de c4 68 04 01 48 c7 c7 c0 b0 49 85 31 c0 e8 3b 73 eb fe <0f> 0b e9 62 ff ff ff e8 bf 90 18 ff c6 05 be c4 68 04 01 48 c7 c7
RSP: 0018:ffffc9000fc7f370 EFLAGS: 00010246
RAX: 7fce3c75e8ba1300 RBX: 0000000000000003 RCX: 1ffff92001f8fe28
RDX: ffffc90000ce9000 RSI: 000000000003ffff RDI: 0000000000040000
RBP: ffffc9000fc7f380 R08: ffffffff81545288 R09: ffffed103ee295d8
R10: ffffed103ee295d8 R11: 0000000000000000 R12: ffff88811684ec58
R13: ffff888163f88488 R14: 0000000000000003 R15: 00000000ffffffff
FS:  00007f0121068700(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001698fe000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __refcount_sub_and_test include/linux/refcount.h:283 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 io_put_identity fs/io_uring.c:1261 [inline]
 io_req_clean_work fs/io_uring.c:1300 [inline]
 io_dismantle_req+0xa72/0xd90 fs/io_uring.c:1896
 io_req_free_batch fs/io_uring.c:2202 [inline]
 io_iopoll_complete fs/io_uring.c:2377 [inline]
 io_do_iopoll+0x13b4/0x23f0 fs/io_uring.c:2433
 io_iopoll_try_reap_events+0x116/0x290 fs/io_uring.c:2472
 __io_uring_cancel_task_requests fs/io_uring.c:8715 [inline]
 io_uring_cancel_task_requests+0x196d/0x1ed0 fs/io_uring.c:8764
 io_uring_flush+0x170/0x6d0 fs/io_uring.c:8925
 filp_close+0xb0/0x150 fs/open.c:1319
 close_files fs/file.c:401 [inline]
 put_files_struct+0x1d4/0x350 fs/file.c:429
 exit_files+0x80/0xa0 fs/file.c:458
 copy_process+0x39e4/0x5330 kernel/fork.c:2397
 kernel_clone+0x21f/0x9a0 kernel/fork.c:2507
 __do_sys_clone3 kernel/fork.c:2784 [inline]
 __se_sys_clone3+0x2e9/0x370 kernel/fork.c:2768
 __x64_sys_clone3+0x5b/0x70 kernel/fork.c:2768
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f01232f1ae9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0121068188 EFLAGS: 00000246 ORIG_RAX: 00000000000001b3
RAX: ffffffffffffffda RBX: 00007f0123404f60 RCX: 00007f01232f1ae9
RDX: 0000000000000000 RSI: 0000000000000058 RDI: 0000000020000340
RBP: 00007f012334bf25 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff3624ad1f R14: 00007f0121068300 R15: 0000000000022000
---[ end trace 588db88316c79a35 ]---