wlan0 speed is unknown, defaulting to 1000
==================================================================
BUG: KASAN: use-after-free in siw_query_port+0x342/0x430 drivers/infiniband/sw/siw/siw_verbs.c:177
Read of size 4 at addr ffff8880557940e0 by task kworker/1:5/4299

CPU: 1 PID: 4299 Comm: kworker/1:5 Not tainted 6.1.132-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: infiniband ib_cache_event_task
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:316 [inline]
 print_report+0x15f/0x4f0 mm/kasan/report.c:427
 kasan_report+0x136/0x160 mm/kasan/report.c:531
 siw_query_port+0x342/0x430 drivers/infiniband/sw/siw/siw_verbs.c:177
 ib_cache_update+0x1a8/0xaf0 drivers/infiniband/core/cache.c:1483
 ib_cache_event_task+0xef/0x1e0 drivers/infiniband/core/cache.c:1557
 process_one_work+0x917/0x1260 kernel/workqueue.c:2292
 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

The buggy address belongs to the physical page:
page:ffffea000155e500 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x55794
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea000155ef08 ffff8880b8f411f0 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x546dc0(GFP_USER|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO|__GFP_ACCOUNT), pid 4252, tgid 4252 (syz-executor), ts 77985538224, free_ts 210797018103
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2532
 prep_new_page mm/page_alloc.c:2539 [inline]
 get_page_from_freelist+0x3731/0x38d0 mm/page_alloc.c:4328
 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5606
 __alloc_pages_node include/linux/gfp.h:237 [inline]
 alloc_pages_node include/linux/gfp.h:260 [inline]
 __kmalloc_large_node+0x91/0x1d0 mm/slab_common.c:1077
 __do_kmalloc_node mm/slab_common.c:924 [inline]
 __kmalloc_node+0x111/0x230 mm/slab_common.c:943
 kmalloc_node include/linux/slab.h:589 [inline]
 kvmalloc_node+0x6e/0x180 mm/util.c:581
 kvmalloc include/linux/slab.h:716 [inline]
 kvzalloc include/linux/slab.h:724 [inline]
 alloc_netdev_mqs+0x85/0xef0 net/core/dev.c:10719
 ieee80211_if_add+0xee0/0x1940 net/mac80211/iface.c:2175
 ieee80211_register_hw+0x32ff/0x3f10 net/mac80211/main.c:1402
 mac80211_hwsim_new_radio+0x2355/0x41c0 drivers/net/wireless/mac80211_hwsim.c:4582
 hwsim_new_radio_nl+0xc54/0x1190 drivers/net/wireless/mac80211_hwsim.c:5176
 genl_family_rcv_msg_doit net/netlink/genetlink.c:756 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]
 genl_rcv_msg+0xbfa/0xf50 net/netlink/genetlink.c:850
 netlink_rcv_skb+0x1cd/0x410 net/netlink/af_netlink.c:2493
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861
 netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
 netlink_unicast+0x7e2/0x970 net/netlink/af_netlink.c:1337
 netlink_sendmsg+0xa26/0xd60 net/netlink/af_netlink.c:1859
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1459 [inline]
 free_pcp_prepare mm/page_alloc.c:1509 [inline]
 free_unref_page_prepare+0x12a6/0x15b0 mm/page_alloc.c:3384
 free_unref_page+0x33/0x3e0 mm/page_alloc.c:3479
 free_large_kmalloc+0xfb/0x190 mm/slab_common.c:913
 device_release+0x91/0x1c0 drivers/base/core.c:-1
 kobject_cleanup lib/kobject.c:681 [inline]
 kobject_release lib/kobject.c:712 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x224/0x460 lib/kobject.c:729
 netdev_run_todo+0xe19/0xf20 net/core/dev.c:10509
 ieee80211_unregister_hw+0xfc/0x290 net/mac80211/main.c:1485
 mac80211_hwsim_del_radio+0x2be/0x4a0 drivers/net/wireless/mac80211_hwsim.c:4683
 hwsim_exit_net+0x5bd/0x660 drivers/net/wireless/mac80211_hwsim.c:5470
 ops_exit_list net/core/net_namespace.c:172 [inline]
 cleanup_net+0x7f1/0xd20 net/core/net_namespace.c:640
 process_one_work+0x917/0x1260 kernel/workqueue.c:2292
 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff888055793f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888055794000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888055794080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                       ^
 ffff888055794100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888055794180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================