syzbot

==================================================================
BUG: KASAN: use-after-free in rose_timer_expiry+0x470/0x490 net/rose/rose_timer.c:183
Read of size 2 at addr ffff88802200942a by task aoe_tx0/1422

CPU: 1 PID: 1422 Comm: aoe_tx0 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <IRQ>
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 print_address_description+0x60/0x2d0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xdf/0x130 mm/kasan/report.c:451
 rose_timer_expiry+0x470/0x490 net/rose/rose_timer.c:183
 call_timer_fn+0x16c/0x530 kernel/time/timer.c:1451
 expire_timers kernel/time/timer.c:1496 [inline]
 __run_timers+0x525/0x7c0 kernel/time/timer.c:1767
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1780
 handle_softirqs+0x328/0x820 kernel/softirq.c:576
 do_softirq+0x13b/0x200 kernel/softirq.c:477
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x174/0x1b0 kernel/softirq.c:401
 rcu_read_unlock_bh include/linux/rcupdate.h:810 [inline]
 __dev_queue_xmit+0x1bc5/0x2ed0 net/core/dev.c:4315
 tx+0x65/0x160 drivers/block/aoe/aoenet.c:63
 kthread+0x1bc/0x390 drivers/block/aoe/aoecmd.c:1238
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>

Allocated by task 20:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc+0xb5/0xf0 mm/kasan/common.c:522
 kmalloc_reserve net/core/skbuff.c:356 [inline]
 __alloc_skb+0x22c/0x750 net/core/skbuff.c:427
 __netdev_alloc_skb+0x103/0x4a0 net/core/skbuff.c:494
 netdev_alloc_skb include/linux/skbuff.h:3024 [inline]
 dev_alloc_skb include/linux/skbuff.h:3037 [inline]
 __ieee80211_beacon_get+0xa73/0x1f80 net/mac80211/tx.c:5088
 ieee80211_beacon_get_tim+0x48/0x840 net/mac80211/tx.c:5202
 ieee80211_beacon_get include/net/mac80211.h:4983 [inline]
 mac80211_hwsim_beacon_tx+0xf4/0x920 drivers/net/wireless/mac80211_hwsim.c:1812
 __iterate_interfaces+0x243/0x500 net/mac80211/util.c:793
 ieee80211_iterate_active_interfaces_atomic+0xb3/0x140 net/mac80211/util.c:829
 mac80211_hwsim_beacon+0x9b/0x180 drivers/net/wireless/mac80211_hwsim.c:1865
 __run_hrtimer kernel/time/hrtimer.c:1685 [inline]
 __hrtimer_run_queues+0x53d/0xc40 kernel/time/hrtimer.c:1749
 hrtimer_run_softirq+0x176/0x240 kernel/time/hrtimer.c:1766
 handle_softirqs+0x328/0x820 kernel/softirq.c:576
 run_ksoftirqd+0x98/0xf0 kernel/softirq.c:943
 smpboot_thread_fn+0x4f6/0x970 kernel/smpboot.c:164
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

The buggy address belongs to the object at ffff888022009400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 42 bytes inside of
 512-byte region [ffff888022009400, ffff888022009600)
The buggy address belongs to the page:
page:ffffea0000880200 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802200b800 pfn:0x22008
head:ffffea0000880200 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0001e28308 ffffea00017cb708 ffff888016841c80
raw: ffff88802200b800 0000000000100006 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 9192098339, free_ts 0
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x1b77/0x1c60 mm/page_alloc.c:4192
 __alloc_pages+0x1e1/0x470 mm/page_alloc.c:5487
 alloc_page_interleave+0x24/0x1e0 mm/mempolicy.c:2031
 alloc_slab_page mm/slub.c:1780 [inline]
 allocate_slab mm/slub.c:1917 [inline]
 new_slab+0xc0/0x4b0 mm/slub.c:1980
 ___slab_alloc+0x81e/0xdf0 mm/slub.c:3013
 __slab_alloc mm/slub.c:3100 [inline]
 slab_alloc_node mm/slub.c:3191 [inline]
 slab_alloc mm/slub.c:3233 [inline]
 kmem_cache_alloc_trace+0x1a5/0x2a0 mm/slub.c:3250
 kmalloc include/linux/slab.h:607 [inline]
 kzalloc include/linux/slab.h:738 [inline]
 device_private_init drivers/base/core.c:3256 [inline]
 device_add+0xba/0xfb0 drivers/base/core.c:3306
 device_create_groups_vargs drivers/base/core.c:4096 [inline]
 device_create+0x258/0x2e0 drivers/base/core.c:4138
 bdi_register_va+0x93/0x6c0 mm/backing-dev.c:884
 bdi_register+0xd1/0x120 mm/backing-dev.c:916
 device_add_disk+0x83a/0xd40 block/genhd.c:502
 add_mtd_blktrans_dev+0xe6a/0x1280 drivers/mtd/mtd_blkdevs.c:387
 mtdblock_add_mtd+0x186/0x240 drivers/mtd/mtdblock.c:333
 blktrans_notify_add+0x95/0xe0 drivers/mtd/mtd_blkdevs.c:464
 add_mtd_device+0xcbf/0x11a0 drivers/mtd/mtdcore.c:693
 mtd_device_parse_register+0x8b2/0xa20 drivers/mtd/mtdcore.c:989
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888022009300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888022009380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888022009400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff888022009480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888022009500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================