==================================================================
BUG: KASAN: use-after-free in netdev_need_ops_lock include/net/netdev_lock.h:30 [inline]
BUG: KASAN: use-after-free in netdev_unlock_ops include/net/netdev_lock.h:47 [inline]
BUG: KASAN: use-after-free in __linkwatch_run_queue+0x69b/0x7e0 net/core/link_watch.c:245
Read of size 1 at addr ffff88807c170cc5 by task kworker/u8:17/6707

CPU: 1 UID: 0 PID: 6707 Comm: kworker/u8:17 Not tainted 6.15.0-syzkaller-12433-gfdd9ebccfc32 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: events_unbound linkwatch_event
Call Trace:
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xd2/0x2b0 mm/kasan/report.c:521
 kasan_report+0x118/0x150 mm/kasan/report.c:634
 netdev_need_ops_lock include/net/netdev_lock.h:30 [inline]
 netdev_unlock_ops include/net/netdev_lock.h:47 [inline]
 __linkwatch_run_queue+0x69b/0x7e0 net/core/link_watch.c:245
 linkwatch_event+0x4c/0x60 net/core/link_watch.c:304
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88807c173c00 pfn:0x7c170
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0000c92b08 ffff8880b8741740 0000000000000000
raw: ffff88807c173c00 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x92c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_NOMEMALLOC), pid 154, tgid 154 (kworker/u8:6), ts 115095408051, free_ts 115095500119
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
 alloc_frozen_pages_noprof mm/mempolicy.c:2490 [inline]
 alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2510
 stack_depot_save_flags+0x7a3/0x900 lib/stackdepot.c:628
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_save_track+0x4f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4148 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4204
 skb_clone+0x212/0x3a0 net/core/skbuff.c:2050
 do_one_broadcast net/netlink/af_netlink.c:1444 [inline]
 netlink_broadcast_filtered+0x659/0x1140 net/netlink/af_netlink.c:1522
 netlink_broadcast+0x37/0x50 net/netlink/af_netlink.c:1546
 uevent_net_broadcast_untagged lib/kobject_uevent.c:331 [inline]
 kobject_uevent_net_broadcast+0x378/0x560 lib/kobject_uevent.c:410
 kobject_uevent_env+0x55b/0x8c0 lib/kobject_uevent.c:608
 device_del+0x73a/0x8e0 drivers/base/core.c:3899
 rfkill_unregister+0xba/0x220 net/rfkill/core.c:1143
page last free pid 154 tgid 154 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
 stack_depot_save_flags+0x445/0x900 lib/stackdepot.c:678
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_save_track+0x4f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4148 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4204
 skb_clone+0x212/0x3a0 net/core/skbuff.c:2050
 do_one_broadcast net/netlink/af_netlink.c:1444 [inline]
 netlink_broadcast_filtered+0x659/0x1140 net/netlink/af_netlink.c:1522
 netlink_broadcast+0x37/0x50 net/netlink/af_netlink.c:1546
 uevent_net_broadcast_untagged lib/kobject_uevent.c:331 [inline]
 kobject_uevent_net_broadcast+0x378/0x560 lib/kobject_uevent.c:410
 kobject_uevent_env+0x55b/0x8c0 lib/kobject_uevent.c:608
 device_del+0x73a/0x8e0 drivers/base/core.c:3899
 rfkill_unregister+0xba/0x220 net/rfkill/core.c:1143
 wiphy_unregister+0x238/0xae0 net/wireless/core.c:1136
 ieee80211_unregister_hw+0x1e2/0x2c0 net/mac80211/main.c:1706
 mac80211_hwsim_del_radio+0x275/0x460 drivers/net/wireless/virtual/mac80211_hwsim.c:5671
 hwsim_exit_net+0x584/0x640 drivers/net/wireless/virtual/mac80211_hwsim.c:6551

Memory state around the buggy address:
 ffff88807c170b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88807c170c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88807c170c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff88807c170d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88807c170d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================