==================================================================
BUG: KASAN: use-after-free in virtqueue_add+0x2ee1/0x3730 drivers/virtio/virtio_ring.c:1704
Read of size 1 at addr ffff8881efaf7638 by task init/1

CPU: 1 PID: 1 Comm: init Tainted: G        W         5.4.268-syzkaller-04870-gd0d34dcb02cc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 virtqueue_add+0x2ee1/0x3730 drivers/virtio/virtio_ring.c:1704
 virtqueue_add_sgs+0xf8/0x110 drivers/virtio/virtio_ring.c:1740
 __virtscsi_add_cmd drivers/scsi/virtio_scsi.c:447 [inline]
 virtscsi_add_cmd+0x589/0x6d0 drivers/scsi/virtio_scsi.c:481
 virtscsi_queuecommand+0x35f/0x5a0 drivers/scsi/virtio_scsi.c:578
 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1568 [inline]
 scsi_queue_rq+0x1b41/0x2860 drivers/scsi/scsi_lib.c:1699
 blk_mq_dispatch_rq_list+0x8ee/0x16f0 block/blk-mq.c:1304
 blk_mq_do_dispatch_sched+0x389/0x480 block/blk-mq-sched.c:132
 __blk_mq_sched_dispatch_requests+0x3d8/0x4d0 block/blk-mq-sched.c:235
 blk_mq_sched_dispatch_requests+0xec/0x160 block/blk-mq-sched.c:266
 __blk_mq_run_hw_queue+0x15f/0x270 block/blk-mq.c:1435
 __blk_mq_delay_run_hw_queue+0x12b/0x5b0 block/blk-mq.c:1503
 blk_mq_run_hw_queue+0x1d1/0x320 block/blk-mq.c:1540
 blk_mq_sched_insert_requests+0x22b/0x380 block/blk-mq-sched.c:522
 blk_mq_flush_plug_list+0x8b4/0xb00 block/blk-mq.c:1808
 blk_flush_plug_list+0x47e/0x4d0 block/blk-core.c:1790
 blk_finish_plug+0x59/0x80 block/blk-core.c:1807
 read_pages+0x39d/0x400 mm/readahead.c:142
 __do_page_cache_readahead+0x448/0x4f0 mm/readahead.c:212
 ra_submit mm/internal.h:62 [inline]
 do_sync_mmap_readahead mm/filemap.c:2580 [inline]
 filemap_fault+0xb5d/0x16b0 mm/filemap.c:2666
 ext4_filemap_fault+0x7b/0x90 fs/ext4/inode.c:6510
 __do_fault mm/memory.c:3258 [inline]
 do_read_fault mm/memory.c:3667 [inline]
 do_fault mm/memory.c:3796 [inline]
 handle_pte_fault mm/memory.c:4027 [inline]
 __handle_mm_fault mm/memory.c:4151 [inline]
 handle_mm_fault+0x330a/0x4840 mm/memory.c:4188
 do_user_addr_fault arch/x86/mm/fault.c:1469 [inline]
 __do_page_fault+0x509/0xbb0 arch/x86/mm/fault.c:1530
 page_fault+0x2f/0x40 arch/x86/entry/entry_64.S:1206

Allocated by task 566:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
 kmalloc include/linux/slab.h:556 [inline]
 __vring_new_virtqueue+0x13c/0xd50 drivers/virtio/virtio_ring.c:2071
 vring_create_virtqueue_split drivers/virtio/virtio_ring.c:894 [inline]
 vring_create_virtqueue+0x11a3/0x1d20 drivers/virtio/virtio_ring.c:2152
 setup_vq+0x153/0x350 drivers/virtio/virtio_pci_legacy.c:137
 vp_setup_vq+0xbc/0x330 drivers/virtio/virtio_pci_common.c:189
 vp_find_vqs_msix+0x8a3/0xc70 drivers/virtio/virtio_pci_common.c:322
 vp_find_vqs+0x4f/0x470 drivers/virtio/virtio_pci_common.c:399
 virtio_find_vqs include/linux/virtio_config.h:198 [inline]
 virtscsi_init+0x490/0xb70 drivers/scsi/virtio_scsi.c:807
 virtscsi_restore+0x4f/0x190 drivers/scsi/virtio_scsi.c:941
 virtio_device_restore+0x39d/0x5a0 drivers/virtio/virtio.c:427
 dpm_run_callback+0x30/0x390 drivers/base/power/main.c:487
 device_resume+0x551/0x620 drivers/base/power/main.c:1029
 async_resume+0x23/0x170 drivers/base/power/main.c:1049
 async_run_entry_fn+0xed/0x3f0 kernel/async.c:123
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354

Freed by task 501:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1494 [inline]
 slab_free mm/slub.c:3080 [inline]
 kfree+0x123/0x370 mm/slub.c:4071
 vp_del_vq drivers/virtio/virtio_pci_common.c:221 [inline]
 vp_del_vqs+0x35a/0x890 drivers/virtio/virtio_pci_common.c:243
 virtscsi_remove_vqs drivers/scsi/virtio_scsi.c:772 [inline]
 virtscsi_freeze+0x8d/0xa0 drivers/scsi/virtio_scsi.c:931
 virtio_pci_freeze+0x39/0x70 drivers/virtio/virtio_pci_common.c:465
 pci_pm_suspend+0x2a5/0x930 drivers/pci/pci-driver.c:789
 dpm_run_callback+0x30/0x390 drivers/base/power/main.c:487
 __device_suspend+0xa18/0xff0 drivers/base/power/main.c:1816
 async_suspend+0x25/0x230 drivers/base/power/main.c:1848
 async_run_entry_fn+0xed/0x3f0 kernel/async.c:123
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354

The buggy address belongs to the object at ffff8881efaf7600
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 56 bytes inside of
 192-byte region [ffff8881efaf7600, ffff8881efaf76c0)
The buggy address belongs to the page:
page:ffffea0007bebdc0 refcount:1 mapcount:0 mapping:ffff8881f5c02a00 index:0x0
flags: 0x8000000000000200(slab)
raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881f5c02a00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4891
 alloc_slab_page+0x39/0x3c0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x440 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x2fe/0x490 mm/slub.c:2667
 __slab_alloc+0x62/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 __kmalloc+0x19b/0x2e0 mm/slub.c:3909
 kmalloc include/linux/slab.h:561 [inline]
 bio_alloc_bioset+0x16a/0x650 block/bio.c:446
 bio_kmalloc include/linux/bio.h:406 [inline]
 bio_map_kern+0xc7/0x460 block/bio.c:1536
 blk_rq_map_kern+0x23e/0x460 block/blk-map.c:240
 __scsi_execute+0xe1/0x5d0 drivers/scsi/scsi_lib.c:265
 scsi_execute_req include/scsi/scsi_device.h:460 [inline]
 scsi_probe_lun drivers/scsi/scsi_scan.c:594 [inline]
 scsi_probe_and_add_lun+0x534/0x4010 drivers/scsi/scsi_scan.c:1088
 __scsi_scan_target+0x1fb/0xe80 drivers/scsi/scsi_scan.c:1562
 scsi_scan_channel drivers/scsi/scsi_scan.c:1650 [inline]
 scsi_scan_host_selected+0x349/0x620 drivers/scsi/scsi_scan.c:1679
 do_scsi_scan_host drivers/scsi/scsi_scan.c:1818 [inline]
 scsi_scan_host+0x38e/0x660 drivers/scsi/scsi_scan.c:1848
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8881efaf7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881efaf7580: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881efaf7600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8881efaf7680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8881efaf7700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================