syzbot

==================================================================
BUG: KASAN: slab-use-after-free in rose_timer_expiry+0x471/0x4b0 net/rose/rose_timer.c:183
Read of size 2 at addr ffff888056ea402a by task syz.0.1993/14360

CPU: 0 UID: 0 PID: 14360 Comm: syz.0.1993 Not tainted 6.16.0-rc5-syzkaller-00224-g379f604cc3dc #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <IRQ>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xd2/0x2b0 mm/kasan/report.c:521
 kasan_report+0x118/0x150 mm/kasan/report.c:634
 rose_timer_expiry+0x471/0x4b0 net/rose/rose_timer.c:183
 call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
 expire_timers kernel/time/timer.c:1798 [inline]
 __run_timers kernel/time/timer.c:2372 [inline]
 __run_timer_base+0x61a/0x860 kernel/time/timer.c:2384
 run_timer_base kernel/time/timer.c:2393 [inline]
 run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xa8/0x110 kernel/locking/spinlock.c:194
Code: 74 05 e8 3b ed 55 f6 48 c7 44 24 20 00 00 00 00 9c 8f 44 24 20 f6 44 24 21 02 75 4f f7 c3 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> 03 0e 1f f6 65 8b 05 ac 7a 2e 07 85 c0 74 40 48 c7 04 24 0e 36
RSP: 0018:ffffc9000462f5e0 EFLAGS: 00000206
RAX: 83e10dbe708eb100 RBX: 0000000000000212 RCX: 83e10dbe708eb100
RDX: 0000000000000006 RSI: ffffffff8d998e51 RDI: 0000000000000001
RBP: ffffc9000462f670 R08: ffffffff8fa1f5f7 R09: 1ffffffff1f43ebe
R10: dffffc0000000000 R11: fffffbfff1f43ebf R12: dffffc0000000000
R13: ffff888024d18740 R14: ffff888024d18700 R15: 1ffff920008c5ebc
 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
 __wake_up_common_lock+0x190/0x1f0 kernel/sched/wait.c:108
 __unix_dgram_recvmsg+0x49f/0xde0 net/unix/af_unix.c:2541
 sock_recvmsg_nosec+0x186/0x1c0 net/socket.c:1017
 ____sys_recvmsg+0x3aa/0x460 net/socket.c:2784
 ___sys_recvmsg+0x1b5/0x510 net/socket.c:2828
 do_recvmmsg+0x307/0x770 net/socket.c:2923
 __sys_recvmmsg net/socket.c:2997 [inline]
 __do_sys_recvmmsg net/socket.c:3020 [inline]
 __se_sys_recvmmsg net/socket.c:3013 [inline]
 __x64_sys_recvmmsg+0x190/0x240 net/socket.c:3013
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa11bb8e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa11ca1f038 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00007fa11bdb6080 RCX: 00007fa11bb8e929
RDX: 0000000000010106 RSI: 00002000000000c0 RDI: 0000000000000005
RBP: 00007fa11bc10b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fa11bdb6080 R15: 00007ffedc0fc8b8
 </TASK>

Allocated by task 14004:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4328 [inline]
 __kmalloc_noprof+0x27a/0x4f0 mm/slub.c:4340
 kmalloc_noprof include/linux/slab.h:909 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 __alloc_workqueue+0x103/0x1b70 kernel/workqueue.c:5685
 alloc_workqueue+0xd4/0x210 kernel/workqueue.c:5788
 bch2_fs_init_rw+0xc6/0x2d0 fs/bcachefs/super.c:803
 bch2_fs_alloc fs/bcachefs/super.c:1022 [inline]
 bch2_fs_open+0x2338/0x2600 fs/bcachefs/super.c:2433
 bch2_fs_get_tree+0x44f/0x1520 fs/bcachefs/fs.c:2472
 vfs_get_tree+0x92/0x2b0 fs/super.c:1804
 do_new_mount+0x24a/0xa40 fs/namespace.c:3902
 do_mount fs/namespace.c:4239 [inline]
 __do_sys_mount fs/namespace.c:4450 [inline]
 __se_sys_mount+0x317/0x410 fs/namespace.c:4427
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 15:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2381 [inline]
 slab_free mm/slub.c:4643 [inline]
 kfree+0x18e/0x440 mm/slub.c:4842
 rcu_do_batch kernel/rcu/tree.c:2576 [inline]
 rcu_core+0xca8/0x1710 kernel/rcu/tree.c:2832
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 run_ksoftirqd+0x9b/0x100 kernel/softirq.c:968
 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:164
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Last potentially related work creation:
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
 __call_rcu_common kernel/rcu/tree.c:3094 [inline]
 call_rcu+0x157/0x9c0 kernel/rcu/tree.c:3214
 kthread_worker_fn+0x507/0xb60 kernel/kthread.c:1010
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff888056ea4000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 42 bytes inside of
 freed 512-byte region [ffff888056ea4000, ffff888056ea4200)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888056ea4000 pfn:0x56ea4
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000240 ffff88801a441c80 ffffea000158f210 ffffea00007ff310
raw: ffff888056ea4000 0000000000100009 00000000f5000000 0000000000000000
head: 00fff00000000240 ffff88801a441c80 ffffea000158f210 ffffea00007ff310
head: ffff888056ea4000 0000000000100009 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea00015ba901 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5841, tgid 5841 (syz-executor), ts 96434247431, free_ts 28522883985
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
 alloc_slab_page mm/slub.c:2451 [inline]
 allocate_slab+0x8a/0x3b0 mm/slub.c:2619
 new_slab mm/slub.c:2673 [inline]
 ___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
 __slab_alloc mm/slub.c:3949 [inline]
 __slab_alloc_node mm/slub.c:4024 [inline]
 slab_alloc_node mm/slub.c:4185 [inline]
 __do_kmalloc_node mm/slub.c:4327 [inline]
 __kmalloc_noprof+0x305/0x4f0 mm/slub.c:4340
 kmalloc_noprof include/linux/slab.h:909 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 fib6_info_alloc+0x30/0xf0 net/ipv6/ip6_fib.c:155
 ip6_route_info_create+0x142/0x860 net/ipv6/route.c:3811
 addrconf_f6i_alloc+0x1d2/0x450 net/ipv6/route.c:4679
 ipv6_add_addr+0x56e/0x1090 net/ipv6/addrconf.c:1121
 add_addr+0x8b/0x2d0 net/ipv6/addrconf.c:3200
 add_v4_addrs+0x70c/0xbd0 net/ipv6/addrconf.c:3262
 addrconf_sit_config net/ipv6/addrconf.c:3514 [inline]
 addrconf_init_auto_addrs+0x393/0xab0 net/ipv6/addrconf.c:3552
 addrconf_notify+0xacc/0x1010 net/ipv6/addrconf.c:3739
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
 __free_pages mm/page_alloc.c:5071 [inline]
 free_contig_range+0x1bd/0x4a0 mm/page_alloc.c:6927
 destroy_args+0x7e/0x5d0 mm/debug_vm_pgtable.c:1009
 debug_vm_pgtable+0x412/0x450 mm/debug_vm_pgtable.c:1389
 do_one_initcall+0x236/0x820 init/main.c:1274
 do_initcall_level+0x137/0x1f0 init/main.c:1336
 do_initcalls+0x69/0xd0 init/main.c:1352
 kernel_init_freeable+0x3d9/0x570 init/main.c:1584
 kernel_init+0x1d/0x1d0 init/main.c:1474
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff888056ea3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888056ea3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888056ea4000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff888056ea4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888056ea4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:	74 05                	je     0x7
   2:	e8 3b ed 55 f6       	call   0xf655ed42
   7:	48 c7 44 24 20 00 00 	movq   $0x0,0x20(%rsp)
   e:	00 00
  10:	9c                   	pushf
  11:	8f 44 24 20          	pop    0x20(%rsp)
  15:	f6 44 24 21 02       	testb  $0x2,0x21(%rsp)
  1a:	75 4f                	jne    0x6b
  1c:	f7 c3 00 02 00 00    	test   $0x200,%ebx
  22:	74 01                	je     0x25
  24:	fb                   	sti
  25:	bf 01 00 00 00       	mov    $0x1,%edi
* 2a:	e8 03 0e 1f f6       	call   0xf61f0e32 <-- trapping instruction
  2f:	65 8b 05 ac 7a 2e 07 	mov    %gs:0x72e7aac(%rip),%eax        # 0x72e7ae2
  36:	85 c0                	test   %eax,%eax
  38:	74 40                	je     0x7a
  3a:	48                   	rex.W
  3b:	c7                   	.byte 0xc7
  3c:	04 24                	add    $0x24,%al
  3e:	0e                   	(bad)
  3f:	36                   	ss