==================================================================
BUG: KASAN: use-after-free in virtqueue_add+0x2f3c/0x37a0 drivers/virtio/virtio_ring.c:1704
Read of size 1 at addr ffff8881dabfe038 by task jbd2/sda1-8/127

CPU: 1 PID: 127 Comm: jbd2/sda1-8 Tainted: G W 5.4.249-syzkaller-04712-g50533a8b511b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 virtqueue_add+0x2f3c/0x37a0 drivers/virtio/virtio_ring.c:1704
 virtqueue_add_sgs+0xf8/0x110 drivers/virtio/virtio_ring.c:1740
 __virtscsi_add_cmd drivers/scsi/virtio_scsi.c:447 [inline]
 virtscsi_add_cmd+0x589/0x6d0 drivers/scsi/virtio_scsi.c:481
 virtscsi_queuecommand+0x35f/0x5a0 drivers/scsi/virtio_scsi.c:578
 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1568 [inline]
 scsi_queue_rq+0x1b41/0x2860 drivers/scsi/scsi_lib.c:1699
 blk_mq_dispatch_rq_list+0x8ee/0x16f0 block/blk-mq.c:1304
 blk_mq_do_dispatch_sched+0x389/0x480 block/blk-mq-sched.c:132
 __blk_mq_sched_dispatch_requests+0x3d8/0x4d0 block/blk-mq-sched.c:235
 blk_mq_sched_dispatch_requests+0xec/0x160 block/blk-mq-sched.c:266
 __blk_mq_run_hw_queue+0x15f/0x270 block/blk-mq.c:1435
 __blk_mq_delay_run_hw_queue+0x12b/0x5b0 block/blk-mq.c:1503
 blk_mq_run_hw_queue+0x1d1/0x320 block/blk-mq.c:1540
 blk_mq_sched_insert_requests+0x22b/0x380 block/blk-mq-sched.c:522
 blk_mq_flush_plug_list+0x8b4/0xb00 block/blk-mq.c:1808
 blk_flush_plug_list+0x47e/0x4d0 block/blk-core.c:1791
 blk_finish_plug+0x59/0x80 block/blk-core.c:1808
 jbd2_journal_commit_transaction+0x367b/0x6720 fs/jbd2/commit.c:792
 kjournald2+0x486/0x880 fs/jbd2/journal.c:209
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354

Allocated by task 511:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
 kmalloc include/linux/slab.h:556 [inline]
 __vring_new_virtqueue+0x13c/0xd50 drivers/virtio/virtio_ring.c:2071
 vring_create_virtqueue_split drivers/virtio/virtio_ring.c:894 [inline]
 vring_create_virtqueue+0x11a3/0x1d20 drivers/virtio/virtio_ring.c:2152
 setup_vq+0x153/0x350 drivers/virtio/virtio_pci_legacy.c:137
 vp_setup_vq+0xbc/0x330 drivers/virtio/virtio_pci_common.c:189
 vp_find_vqs_msix+0x8a3/0xc70 drivers/virtio/virtio_pci_common.c:322
 vp_find_vqs+0x4f/0x470 drivers/virtio/virtio_pci_common.c:399
 virtio_find_vqs include/linux/virtio_config.h:198 [inline]
 virtscsi_init+0x490/0xb70 drivers/scsi/virtio_scsi.c:807
 virtscsi_restore+0x4f/0x190 drivers/scsi/virtio_scsi.c:941
 virtio_device_restore+0x39d/0x5a0 drivers/virtio/virtio.c:427
 dpm_run_callback+0x30/0x390 drivers/base/power/main.c:487
 device_resume+0x551/0x620 drivers/base/power/main.c:1029
 async_resume+0x23/0x170 drivers/base/power/main.c:1049
 async_run_entry_fn+0xed/0x3f0 kernel/async.c:123
 process_one_work+0x765/0xd20 kernel/workqueue.c:2287
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2433
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354

Freed by task 7:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1494 [inline]
 slab_free mm/slub.c:3080 [inline]
 kfree+0x123/0x370 mm/slub.c:4071
 vp_del_vq drivers/virtio/virtio_pci_common.c:221 [inline]
 vp_del_vqs+0x35a/0x890 drivers/virtio/virtio_pci_common.c:243
 virtscsi_remove_vqs drivers/scsi/virtio_scsi.c:772 [inline]
 virtscsi_freeze+0x8d/0xa0 drivers/scsi/virtio_scsi.c:931
 virtio_pci_freeze+0x39/0x70 drivers/virtio/virtio_pci_common.c:465
 pci_pm_suspend+0x2a5/0x930 drivers/pci/pci-driver.c:789
 dpm_run_callback+0x30/0x390 drivers/base/power/main.c:487
 __device_suspend+0xa18/0xff0 drivers/base/power/main.c:1816
 async_suspend+0x25/0x230 drivers/base/power/main.c:1848
 async_run_entry_fn+0xed/0x3f0 kernel/async.c:123
 process_one_work+0x765/0xd20 kernel/workqueue.c:2287
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2433
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354

The buggy address belongs to the object at ffff8881dabfe000
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 56 bytes inside of
 192-byte region [ffff8881dabfe000, ffff8881dabfe0c0)
The buggy address belongs to the page:
page:ffffea00076aff80 refcount:1 mapcount:0 mapping:ffff8881f5c02a00 index:0x0
flags: 0x8000000000000200(slab)
raw: 8000000000000200 ffffea000778a4c0 0000000200000002 ffff8881f5c02a00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4891
 alloc_slab_page+0x39/0x3c0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x440 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x2fe/0x490 mm/slub.c:2667
 __slab_alloc+0x62/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc_trace+0x12d/0x260 mm/slub.c:2854
 kmalloc include/linux/slab.h:556 [inline]
 kzalloc include/linux/slab.h:690 [inline]
 ____ip_mc_inc_group+0x205/0x8d0 net/ipv4/igmp.c:1444
 __ip_mc_inc_group net/ipv4/igmp.c:1479 [inline]
 ip_mc_inc_group net/ipv4/igmp.c:1485 [inline]
 ip_mc_up+0x10b/0x1e0 net/ipv4/igmp.c:1784
 inetdev_event+0xbed/0x1040 net/ipv4/devinet.c:1574
 notifier_call_chain kernel/notifier.c:98 [inline]
 __raw_notifier_call_chain kernel/notifier.c:399 [inline]
 raw_notifier_call_chain+0x95/0x110 kernel/notifier.c:406
 __dev_notify_flags+0x26e/0x510 net/core/dev.c:1670
 dev_change_flags+0xe7/0x190 net/core/dev.c:8007
 do_setlink+0xc4c/0x3b70 net/core/rtnetlink.c:2522
 __rtnl_newlink net/core/rtnetlink.c:3165 [inline]
 rtnl_newlink+0x1666/0x2010 net/core/rtnetlink.c:3291
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8881dabfdf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881dabfdf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881dabfe000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8881dabfe080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8881dabfe100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================