wlan0 speed is unknown, defaulting to 1000 ================================================================== BUG: KASAN: use-after-free in siw_query_port+0x358/0x450 drivers/infiniband/sw/siw/siw_verbs.c:175 Read of size 4 at addr ffff88805ea740d8 by task kworker/1:22/6469 CPU: 1 PID: 6469 Comm: kworker/1:22 Not tainted 5.15.185-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: infiniband ib_cache_event_task Call Trace: dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106 print_address_description+0x60/0x2d0 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:434 [inline] kasan_report+0xdf/0x130 mm/kasan/report.c:451 siw_query_port+0x358/0x450 drivers/infiniband/sw/siw/siw_verbs.c:175 ib_cache_update+0x1bb/0x980 drivers/infiniband/core/cache.c:1477 ib_cache_event_task+0xd4/0x1c0 drivers/infiniband/core/cache.c:1551 process_one_work+0x863/0x1000 kernel/workqueue.c:2310 worker_thread+0xaa8/0x12a0 kernel/workqueue.c:2457 kthread+0x436/0x520 kernel/kthread.c:334 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287 The buggy address belongs to the page: page:ffffea00017a9d00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5ea74 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 ffffea0001790c08 ffff8880b91409b0 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 2, migratetype Unmovable, gfp_mask 0x546dc0(GFP_USER|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO|__GFP_ACCOUNT), pid 4169, ts 61595333740, free_ts 239783251408 prep_new_page mm/page_alloc.c:2426 [inline] get_page_from_freelist+0x1b77/0x1c60 mm/page_alloc.c:4192 __alloc_pages+0x1e1/0x470 mm/page_alloc.c:5474 __alloc_pages_node include/linux/gfp.h:570 [inline] alloc_pages_node include/linux/gfp.h:584 [inline] kmalloc_large_node+0x7d/0x190 mm/slub.c:4421 __kmalloc_node+0x232/0x3b0 mm/slub.c:4437 kmalloc_node include/linux/slab.h:627 [inline] kvmalloc_node+0x84/0x130 mm/util.c:619 kvmalloc include/linux/mm.h:805 [inline] kvzalloc include/linux/mm.h:813 [inline] alloc_netdev_mqs+0x84/0xc40 net/core/dev.c:10884 ieee80211_if_add+0x11f8/0x1dc0 net/mac80211/iface.c:1952 ieee80211_register_hw+0x2ad6/0x39d0 net/mac80211/main.c:1323 mac80211_hwsim_new_radio+0x20d3/0x4080 drivers/net/wireless/mac80211_hwsim.c:3374 hwsim_new_radio_nl+0xa6f/0xc40 drivers/net/wireless/mac80211_hwsim.c:3950 genl_family_rcv_msg_doit net/netlink/genetlink.c:731 [inline] genl_family_rcv_msg net/netlink/genetlink.c:775 [inline] genl_rcv_msg+0xbc6/0xf40 net/netlink/genetlink.c:792 netlink_rcv_skb+0x1e0/0x430 net/netlink/af_netlink.c:2489 genl_rcv+0x24/0x40 net/netlink/genetlink.c:803 netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline] netlink_unicast+0x77c/0x920 net/netlink/af_netlink.c:1337 netlink_sendmsg+0x8ab/0xbc0 net/netlink/af_netlink.c:1905 sock_sendmsg_nosec net/socket.c:704 [inline] __sock_sendmsg net/socket.c:716 [inline] __sys_sendto+0x423/0x580 net/socket.c:2063 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1340 [inline] free_pcp_prepare mm/page_alloc.c:1391 [inline] free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317 free_unref_page+0x94/0x280 mm/page_alloc.c:3396 free_nonslab_page+0xe2/0x150 mm/slub.c:3535 device_release+0x92/0x1c0 drivers/base/core.c:-1 kobject_cleanup lib/kobject.c:713 [inline] kobject_release lib/kobject.c:744 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x21d/0x460 lib/kobject.c:761 netdev_run_todo+0x8d0/0xa40 net/core/dev.c:10702 ieee80211_unregister_hw+0x5a/0x220 net/mac80211/main.c:1401 mac80211_hwsim_del_radio+0x26d/0x450 drivers/net/wireless/mac80211_hwsim.c:3473 hwsim_exit_net+0x581/0x640 drivers/net/wireless/mac80211_hwsim.c:4243 ops_exit_list net/core/net_namespace.c:172 [inline] cleanup_net+0x6f0/0xb80 net/core/net_namespace.c:635 process_one_work+0x863/0x1000 kernel/workqueue.c:2310 worker_thread+0xaa8/0x12a0 kernel/workqueue.c:2457 kthread+0x436/0x520 kernel/kthread.c:334 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287 Memory state around the buggy address: ffff88805ea73f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88805ea74000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88805ea74080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88805ea74100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88805ea74180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================