==================================================================
BUG: KASAN: slab-use-after-free in ucma_create_uevent+0x116/0xbe0 drivers/infiniband/core/ucma.c:275
Read of size 8 at addr ffff888034f9f510 by task kworker/u8:3/37

CPU: 1 UID: 0 PID: 37 Comm: kworker/u8:3 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: rdma_cm cma_iboe_join_work_handler
Call Trace:
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 ucma_create_uevent+0x116/0xbe0 drivers/infiniband/core/ucma.c:275
 ucma_event_handler+0x131/0x9a0 drivers/infiniband/core/ucma.c:356
 cma_cm_event_handler+0xac/0x2c0 drivers/infiniband/core/cma.c:2181
 cma_iboe_join_work_handler+0xcb/0x1c0 drivers/infiniband/core/cma.c:3017
 process_one_work+0x9a3/0x1710 kernel/workqueue.c:3288
 process_scheduled_works kernel/workqueue.c:3379 [inline]
 worker_thread+0xba8/0x11e0 kernel/workqueue.c:3465
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Allocated by task 12313:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x31c/0x660 mm/slub.c:5412
 kmalloc_noprof include/linux/slab.h:950 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 ucma_process_join+0x33e/0xb30 drivers/infiniband/core/ucma.c:1532
 ucma_join_multicast+0x138/0x1c0 drivers/infiniband/core/ucma.c:1624
 ucma_write+0x24e/0x2f0 drivers/infiniband/core/ucma.c:1856
 vfs_write+0x29a/0xb90 fs/read_write.c:686
 ksys_write+0x150/0x270 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 12313:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2689 [inline]
 slab_free mm/slub.c:6242 [inline]
 kfree+0x1c5/0x640 mm/slub.c:6557
 ucma_process_join+0x922/0xb30 drivers/infiniband/core/ucma.c:1583
 ucma_join_multicast+0x138/0x1c0 drivers/infiniband/core/ucma.c:1624
 ucma_write+0x24e/0x2f0 drivers/infiniband/core/ucma.c:1856
 vfs_write+0x29a/0xb90 fs/read_write.c:686
 ksys_write+0x150/0x270 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888034f9f500
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 16 bytes inside of
 freed 192-byte region [ffff888034f9f500, ffff888034f9f5c0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x34f9f
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88813ff1c3c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 19357478902, free_ts 19356194011
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1859
 prep_new_page mm/page_alloc.c:1867 [inline]
 get_page_from_freelist+0x2418/0x24b0 mm/page_alloc.c:3926
 __alloc_frozen_pages_noprof+0x233/0x3d0 mm/page_alloc.c:5213
 alloc_slab_page mm/slub.c:3278 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3467
 new_slab mm/slub.c:3525 [inline]
 refill_objects+0x339/0x3d0 mm/slub.c:7247
 refill_sheaf mm/slub.c:2816 [inline]
 __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4651
 alloc_from_pcs mm/slub.c:4749 [inline]
 slab_alloc_node mm/slub.c:4883 [inline]
 __do_kmalloc_node mm/slub.c:5291 [inline]
 __kmalloc_node_track_caller_noprof+0x572/0x7b0 mm/slub.c:5400
 __do_krealloc mm/slub.c:6702 [inline]
 krealloc_node_align_noprof+0x1af/0x390 mm/slub.c:6761
 add_sysfs_param+0xd4/0xb80 kernel/params.c:648
 kernel_add_sysfs_param+0x7f/0xe0 kernel/params.c:797
 param_sysfs_builtin+0x199/0x250 kernel/params.c:836
 param_sysfs_builtin_init+0x23/0x30 kernel/params.c:972
 do_one_initcall+0x250/0x870 init/main.c:1386
 do_initcall_level+0x104/0x190 init/main.c:1448
 do_initcalls+0x59/0xa0 init/main.c:1464
 kernel_init_freeable+0x2a6/0x3e0 init/main.c:1696
page last free pid 994 tgid 994 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1403 [inline]
 __free_frozen_pages+0xbc7/0xd30 mm/page_alloc.c:2944
 vfree+0x1d1/0x2f0 mm/vmalloc.c:3472
 delayed_vfree_work+0x55/0x80 mm/vmalloc.c:3392
 process_one_work+0x9a3/0x1710 kernel/workqueue.c:3288
 process_scheduled_works kernel/workqueue.c:3379 [inline]
 worker_thread+0xba8/0x11e0 kernel/workqueue.c:3465
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff888034f9f400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888034f9f480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888034f9f500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff888034f9f580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888034f9f600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================