syzbot

==================================================================
BUG: KASAN: use-after-free in rose_timer_expiry+0x470/0x490 net/rose/rose_timer.c:183
Read of size 2 at addr ffff88805ee5e42a by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.15.188-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <IRQ>
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 print_address_description+0x60/0x2d0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xdf/0x130 mm/kasan/report.c:451
 rose_timer_expiry+0x470/0x490 net/rose/rose_timer.c:183
 call_timer_fn+0x16c/0x530 kernel/time/timer.c:1451
 expire_timers kernel/time/timer.c:1496 [inline]
 __run_timers+0x525/0x7c0 kernel/time/timer.c:1767
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1780
 handle_softirqs+0x328/0x820 kernel/softirq.c:576
 __do_softirq kernel/softirq.c:610 [inline]
 invoke_softirq kernel/softirq.c:450 [inline]
 __irq_exit_rcu+0x12f/0x220 kernel/softirq.c:659
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:default_idle+0xb/0x10 arch/x86/kernel/process.c:729
Code: bf 48 89 df e8 f6 5e 0a f8 eb b5 e8 df af f6 ff 00 00 cc cc 00 00 cc cc 00 00 cc cc 00 00 cc 66 90 0f 00 2d 77 d4 52 00 fb f4 <c3> 0f 1f 40 00 41 57 41 56 53 49 be 00 00 00 00 00 fc ff df 65 48
RSP: 0018:ffffc90000d67d48 EFLAGS: 000002c2
RAX: cde9ff53c27ef800 RBX: ffff88813fe40000 RCX: cde9ff53c27ef800
RDX: 0000000000000001 RSI: ffffffff8a0b15c0 RDI: ffffffff8a59b000
RBP: ffffc90000d67e80 R08: dffffc0000000000 R09: ffffed101722765a
R10: ffffed101722765a R11: 1ffff11017227659 R12: ffffffff8d6982a8
R13: 0000000000000001 R14: 0000000000000001 R15: 1ffff11027fc8000
 default_idle_call+0x81/0xc0 kernel/sched/idle.c:112
 cpuidle_idle_call kernel/sched/idle.c:194 [inline]
 do_idle+0x21b/0x5b0 kernel/sched/idle.c:306
 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:403
 start_secondary+0x31f/0x430 arch/x86/kernel/smpboot.c:281
 secondary_startup_64_no_verify+0xb1/0xbb
 </TASK>

Allocated by task 22159:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc+0xb5/0xf0 mm/kasan/common.c:522
 kmalloc_reserve net/core/skbuff.c:356 [inline]
 __alloc_skb+0x22c/0x750 net/core/skbuff.c:427
 skb_copy+0x139/0x790 net/core/skbuff.c:1595
 mac80211_hwsim_tx_frame_no_nl+0xcc7/0x15d0 drivers/net/wireless/mac80211_hwsim.c:1569
 mac80211_hwsim_tx_frame+0x1b5/0x200 drivers/net/wireless/mac80211_hwsim.c:1788
 mac80211_hwsim_beacon_tx+0x4f3/0x920 drivers/net/wireless/mac80211_hwsim.c:1842
 __iterate_interfaces+0x243/0x500 net/mac80211/util.c:793
 ieee80211_iterate_active_interfaces_atomic+0xb3/0x140 net/mac80211/util.c:829
 mac80211_hwsim_beacon+0x9b/0x180 drivers/net/wireless/mac80211_hwsim.c:1865
 __run_hrtimer kernel/time/hrtimer.c:1690 [inline]
 __hrtimer_run_queues+0x53d/0xc40 kernel/time/hrtimer.c:1754
 hrtimer_run_softirq+0x176/0x240 kernel/time/hrtimer.c:1771
 handle_softirqs+0x328/0x820 kernel/softirq.c:576
 __do_softirq kernel/softirq.c:610 [inline]
 invoke_softirq kernel/softirq.c:450 [inline]
 __irq_exit_rcu+0x12f/0x220 kernel/softirq.c:659
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676

Freed by task 4360:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0xd5/0x110 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1705 [inline]
 slab_free_freelist_hook+0xea/0x170 mm/slub.c:1731
 slab_free mm/slub.c:3499 [inline]
 kfree+0xef/0x2a0 mm/slub.c:4559
 skb_free_head net/core/skbuff.c:655 [inline]
 skb_release_data+0x6fe/0x850 net/core/skbuff.c:677
 skb_release_all net/core/skbuff.c:742 [inline]
 __kfree_skb net/core/skbuff.c:756 [inline]
 kfree_skb_reason+0xaf/0x110 net/core/skbuff.c:776
 kfree_skb include/linux/skbuff.h:1118 [inline]
 ieee80211_iface_work+0x798/0xc60 net/mac80211/iface.c:1515
 process_one_work+0x863/0x1000 kernel/workqueue.c:2310
 worker_thread+0xaa8/0x12a0 kernel/workqueue.c:2457
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

Last potentially related work creation:
 kasan_save_stack+0x35/0x60 mm/kasan/common.c:38
 kasan_record_aux_stack+0xb8/0x100 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:3011 [inline]
 call_rcu+0x182/0x930 kernel/rcu/tree.c:3091
 fib6_info_release include/net/ip6_fib.h:339 [inline]
 ip6_route_info_create+0x9c5/0x1210 net/ipv6/route.c:3851
 ip6_route_add+0x24/0x130 net/ipv6/route.c:3865
 addrconf_add_mroute net/ipv6/addrconf.c:2511 [inline]
 addrconf_add_dev+0x250/0x350 net/ipv6/addrconf.c:2529
 inet6_addr_add+0x18d/0x9c0 net/ipv6/addrconf.c:2967
 inet6_rtm_newaddr+0x5d7/0x840 net/ipv6/addrconf.c:4957
 rtnetlink_rcv_msg+0x9b9/0xe60 net/core/rtnetlink.c:5650
 netlink_rcv_skb+0x1e0/0x430 net/netlink/af_netlink.c:2489
 netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
 netlink_unicast+0x77c/0x920 net/netlink/af_netlink.c:1337
 netlink_sendmsg+0x8ab/0xbc0 net/netlink/af_netlink.c:1905
 sock_sendmsg_nosec net/socket.c:704 [inline]
 __sock_sendmsg net/socket.c:716 [inline]
 __sys_sendto+0x423/0x580 net/socket.c:2063
 __do_sys_sendto net/socket.c:2075 [inline]
 __se_sys_sendto net/socket.c:2071 [inline]
 __x64_sys_sendto+0xda/0xf0 net/socket.c:2071
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

The buggy address belongs to the object at ffff88805ee5e400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 42 bytes inside of
 512-byte region [ffff88805ee5e400, ffff88805ee5e600)
The buggy address belongs to the page:
page:ffffea00017b9700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5ee5c
head:ffffea00017b9700 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888016841c80
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x152a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 4185, ts 75329417776, free_ts 75281257798
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x1b77/0x1c60 mm/page_alloc.c:4192
 __alloc_pages+0x1e1/0x470 mm/page_alloc.c:5474
 alloc_slab_page mm/slub.c:1775 [inline]
 allocate_slab mm/slub.c:1912 [inline]
 new_slab+0xc0/0x4b0 mm/slub.c:1975
 ___slab_alloc+0x81e/0xdf0 mm/slub.c:3008
 __slab_alloc mm/slub.c:3095 [inline]
 slab_alloc_node mm/slub.c:3186 [inline]
 slab_alloc mm/slub.c:3228 [inline]
 __kmalloc+0x1cd/0x330 mm/slub.c:4403
 kmalloc include/linux/slab.h:609 [inline]
 kzalloc include/linux/slab.h:735 [inline]
 fib6_info_alloc+0x2e/0xe0 net/ipv6/ip6_fib.c:155
 ip6_route_info_create+0x44f/0x1210 net/ipv6/route.c:3769
 ip6_route_add+0x24/0x130 net/ipv6/route.c:3865
 addrconf_prefix_route net/ipv6/addrconf.c:2447 [inline]
 addrconf_add_linklocal+0x453/0x6b0 net/ipv6/addrconf.c:3241
 addrconf_addr_gen+0x4ee/0x620 net/ipv6/addrconf.c:3370
 addrconf_init_auto_addrs+0x6e0/0xb20 net/ipv6/addrconf.c:-1
 addrconf_notify+0xa6b/0xf00 net/ipv6/addrconf.c:3668
 notifier_call_chain kernel/notifier.c:83 [inline]
 raw_notifier_call_chain+0xcb/0x160 kernel/notifier.c:391
 call_netdevice_notifiers_extack net/core/dev.c:2061 [inline]
 call_netdevice_notifiers net/core/dev.c:2075 [inline]
 __dev_notify_flags+0x178/0x2d0 net/core/dev.c:-1
 dev_change_flags+0xe3/0x1a0 net/core/dev.c:8929
 do_setlink+0xc01/0x3980 net/core/rtnetlink.c:2779
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317
 free_unref_page+0x94/0x280 mm/page_alloc.c:3396
 stack_depot_save+0x418/0x440 lib/stackdepot.c:335
 kasan_save_stack mm/kasan/common.c:40 [inline]
 kasan_set_track+0x62/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0xd5/0x110 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1705 [inline]
 slab_free_freelist_hook+0xea/0x170 mm/slub.c:1731
 slab_free mm/slub.c:3499 [inline]
 kmem_cache_free+0x8f/0x210 mm/slub.c:3515
 merge_or_add_vmap_area mm/vmalloc.c:1142 [inline]
 free_vmap_area_noflush+0x990/0xa90 mm/vmalloc.c:1759
 free_unmap_vmap_area mm/vmalloc.c:1778 [inline]
 remove_vm_area+0x1ac/0x1d0 mm/vmalloc.c:2517
 vm_remove_mappings mm/vmalloc.c:2546 [inline]
 __vunmap+0x322/0xa40 mm/vmalloc.c:2611
 copy_entries_to_user net/ipv4/netfilter/arp_tables.c:712 [inline]
 get_entries net/ipv4/netfilter/arp_tables.c:866 [inline]
 do_arpt_get_ctl+0xce3/0xf40 net/ipv4/netfilter/arp_tables.c:1460
 nf_getsockopt+0x25e/0x280 net/netfilter/nf_sockopt.c:116
 ip_getsockopt+0x115a/0x1590 net/ipv4/ip_sockglue.c:1797
 tcp_getsockopt+0x1f2/0x23f0 net/ipv4/tcp.c:4313
 __sys_getsockopt+0x206/0x430 net/socket.c:2247

Memory state around the buggy address:
 ffff88805ee5e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88805ee5e380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88805ee5e400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff88805ee5e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88805ee5e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:	bf 48 89 df e8       	mov    $0xe8df8948,%edi
   5:	f6 5e 0a             	negb   0xa(%rsi)
   8:	f8                   	clc
   9:	eb b5                	jmp    0xffffffc0
   b:	e8 df af f6 ff       	call   0xfff6afef
  10:	00 00                	add    %al,(%rax)
  12:	cc                   	int3
  13:	cc                   	int3
  14:	00 00                	add    %al,(%rax)
  16:	cc                   	int3
  17:	cc                   	int3
  18:	00 00                	add    %al,(%rax)
  1a:	cc                   	int3
  1b:	cc                   	int3
  1c:	00 00                	add    %al,(%rax)
  1e:	cc                   	int3
  1f:	66 90                	xchg   %ax,%ax
  21:	0f 00 2d 77 d4 52 00 	verw   0x52d477(%rip)        # 0x52d49f
  28:	fb                   	sti
  29:	f4                   	hlt
* 2a:	c3                   	ret <-- trapping instruction
  2b:	0f 1f 40 00          	nopl   0x0(%rax)
  2f:	41 57                	push   %r15
  31:	41 56                	push   %r14
  33:	53                   	push   %rbx
  34:	49 be 00 00 00 00 00 	movabs $0xdffffc0000000000,%r14
  3b:	fc ff df
  3e:	65                   	gs
  3f:	48                   	rex.W