==================================================================
BUG: KASAN: use-after-free in virtqueue_add+0x2ee1/0x3730 drivers/virtio/virtio_ring.c:1704
Read of size 1 at addr ffff8881dcd6c338 by task kworker/u4:13/503

CPU: 1 PID: 503 Comm: kworker/u4:13 Not tainted 5.4.281-syzkaller-04937-gd883a2284ec1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Workqueue: writeback wb_workfn (flush-8:0)
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 virtqueue_add+0x2ee1/0x3730 drivers/virtio/virtio_ring.c:1704
 virtqueue_add_sgs+0xf8/0x110 drivers/virtio/virtio_ring.c:1740
 __virtscsi_add_cmd drivers/scsi/virtio_scsi.c:447 [inline]
 virtscsi_add_cmd+0x589/0x6d0 drivers/scsi/virtio_scsi.c:481
 virtscsi_queuecommand+0x35f/0x5a0 drivers/scsi/virtio_scsi.c:578
 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1568 [inline]
 scsi_queue_rq+0x1b41/0x2860 drivers/scsi/scsi_lib.c:1699
 blk_mq_dispatch_rq_list+0x8f4/0x16f0 block/blk-mq.c:1320
 blk_mq_do_dispatch_sched+0x389/0x480 block/blk-mq-sched.c:132
 __blk_mq_sched_dispatch_requests+0x3d8/0x4d0 block/blk-mq-sched.c:235
 blk_mq_sched_dispatch_requests+0xec/0x160 block/blk-mq-sched.c:266
 __blk_mq_run_hw_queue+0x15f/0x270 block/blk-mq.c:1451
 __blk_mq_delay_run_hw_queue+0x12b/0x5b0 block/blk-mq.c:1519
 blk_mq_run_hw_queue+0x1d1/0x320 block/blk-mq.c:1556
 blk_mq_sched_insert_requests+0x22b/0x380 block/blk-mq-sched.c:522
 blk_mq_flush_plug_list+0x8b4/0xb00 block/blk-mq.c:1824
 blk_flush_plug_list+0x47e/0x4d0 block/blk-core.c:1790
 blk_finish_plug+0x59/0x80 block/blk-core.c:1807
 wb_writeback+0xcf4/0xd70 fs/fs-writeback.c:1941
 wb_check_start_all fs/fs-writeback.c:2031 [inline]
 wb_do_writeback fs/fs-writeback.c:2057 [inline]
 wb_workfn+0x9b2/0x1230 fs/fs-writeback.c:2091
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354

Allocated by task 509:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
 kmalloc include/linux/slab.h:556 [inline]
 __vring_new_virtqueue+0x13c/0xd50 drivers/virtio/virtio_ring.c:2071
 vring_create_virtqueue_split drivers/virtio/virtio_ring.c:894 [inline]
 vring_create_virtqueue+0x11a3/0x1d20 drivers/virtio/virtio_ring.c:2152
 setup_vq+0x153/0x350 drivers/virtio/virtio_pci_legacy.c:137
 vp_setup_vq+0xbc/0x330 drivers/virtio/virtio_pci_common.c:189
 vp_find_vqs_msix+0x890/0xe90 drivers/virtio/virtio_pci_common.c:322
 vp_find_vqs+0x4f/0x470 drivers/virtio/virtio_pci_common.c:401
 virtio_find_vqs include/linux/virtio_config.h:198 [inline]
 virtscsi_init+0x490/0xb70 drivers/scsi/virtio_scsi.c:807
 virtscsi_restore+0x4f/0x190 drivers/scsi/virtio_scsi.c:941
 virtio_device_restore+0x39d/0x5a0 drivers/virtio/virtio.c:433
 dpm_run_callback+0x30/0x390 drivers/base/power/main.c:487
 device_resume+0x551/0x620 drivers/base/power/main.c:1029
 async_resume+0x23/0x170 drivers/base/power/main.c:1049
 async_run_entry_fn+0xed/0x3f0 kernel/async.c:123
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354

Freed by task 733:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1494 [inline]
 slab_free mm/slub.c:3080 [inline]
 kfree+0x123/0x370 mm/slub.c:4071
 vp_del_vq drivers/virtio/virtio_pci_common.c:221 [inline]
 vp_del_vqs+0x35a/0x890 drivers/virtio/virtio_pci_common.c:243
 virtscsi_remove_vqs drivers/scsi/virtio_scsi.c:772 [inline]
 virtscsi_freeze+0x8d/0xa0 drivers/scsi/virtio_scsi.c:931
 virtio_device_freeze+0x138/0x300 drivers/virtio/virtio.c:390
 virtio_pci_freeze+0x39/0x70 drivers/virtio/virtio_pci_common.c:467
 pci_pm_suspend+0x2a5/0x930 drivers/pci/pci-driver.c:794
 dpm_run_callback+0x30/0x390 drivers/base/power/main.c:487
 __device_suspend+0xa18/0xff0 drivers/base/power/main.c:1816
 async_suspend+0x25/0x230 drivers/base/power/main.c:1848
 async_run_entry_fn+0xed/0x3f0 kernel/async.c:123
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354

The buggy address belongs to the object at ffff8881dcd6c300
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 56 bytes inside of
 192-byte region [ffff8881dcd6c300, ffff8881dcd6c3c0)
The buggy address belongs to the page:
page:ffffea0007735b00 refcount:1 mapcount:0 mapping:ffff8881f5c02a00 index:0x0
flags: 0x8000000000000200(slab)
raw: 8000000000000200 ffffea0007735f40 0000000500000005 ffff8881f5c02a00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4893
 alloc_slab_page+0x39/0x3c0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x440 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x2fe/0x490 mm/slub.c:2667
 __slab_alloc+0x62/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc_trace+0x12d/0x260 mm/slub.c:2854
 kmalloc include/linux/slab.h:556 [inline]
 kzalloc include/linux/slab.h:690 [inline]
 mca_alloc net/ipv6/mcast.c:856 [inline]
 __ipv6_dev_mc_inc+0x39a/0x940 net/ipv6/mcast.c:914
 ipv6_add_dev+0xbee/0x10a0 net/ipv6/addrconf.c:454
 addrconf_notify+0x59b/0xe50 net/ipv6/addrconf.c:3555
 notifier_call_chain kernel/notifier.c:98 [inline]
 __raw_notifier_call_chain kernel/notifier.c:399 [inline]
 raw_notifier_call_chain+0x95/0x110 kernel/notifier.c:406
 call_netdevice_notifiers_info net/core/dev.c:1670 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:1682 [inline]
 call_netdevice_notifiers net/core/dev.c:1696 [inline]
 register_netdevice+0xeef/0x12a0 net/core/dev.c:9221
 wg_newlink+0x4a1/0x710 drivers/net/wireguard/device.c:355
 __rtnl_newlink net/core/rtnetlink.c:3255 [inline]
 rtnl_newlink+0x1567/0x2060 net/core/rtnetlink.c:3314
 rtnetlink_rcv_msg+0x983/0xc70 net/core/rtnetlink.c:5290
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8881dcd6c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881dcd6c280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8881dcd6c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8881dcd6c380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8881dcd6c400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================