==================================================================
BUG: KASAN: use-after-free in netdev_need_ops_lock include/net/netdev_lock.h:30 [inline]
BUG: KASAN: use-after-free in netdev_unlock_ops include/net/netdev_lock.h:47 [inline]
BUG: KASAN: use-after-free in __linkwatch_run_queue+0x6fc/0x7dc net/core/link_watch.c:245
Read of size 1 at addr ffffaf8035afcca9 by task kworker/u8:8/7304

CPU: 1 UID: 0 PID: 7304 Comm: kworker/u8:8 Not tainted syzkaller #0 PREEMPT 
Hardware name: riscv-virtio,qemu (DT)
Workqueue: events_unbound linkwatch_event
Call Trace:
[<ffffffff8007941a>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff8000329a>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff80060c50>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff80060c50>] dump_stack_lvl+0x12a/0x1a2 lib/dump_stack.c:120
[<ffffffff8000ee84>] print_address_description mm/kasan/report.c:378 [inline]
[<ffffffff8000ee84>] print_report+0x28c/0x59e mm/kasan/report.c:482
[<ffffffff80b52a7c>] kasan_report+0xf0/0x218 mm/kasan/report.c:595
[<ffffffff80b549d0>] __asan_report_load1_noabort+0x12/0x1a mm/kasan/report_generic.c:378
[<ffffffff85314574>] netdev_need_ops_lock include/net/netdev_lock.h:30 [inline]
[<ffffffff85314574>] netdev_unlock_ops include/net/netdev_lock.h:47 [inline]
[<ffffffff85314574>] __linkwatch_run_queue+0x6fc/0x7dc net/core/link_watch.c:245
[<ffffffff853146fe>] linkwatch_event+0xaa/0xdc net/core/link_watch.c:304
[<ffffffff801c6f18>] process_one_work+0x96a/0x1f3a kernel/workqueue.c:3263
[<ffffffff801ca030>] process_scheduled_works kernel/workqueue.c:3346 [inline]
[<ffffffff801ca030>] worker_thread+0x5ce/0xde8 kernel/workqueue.c:3427
[<ffffffff801e7768>] kthread+0x39c/0x7d6 kernel/kthread.c:463
[<ffffffff800699de>] ret_from_fork_kernel+0x2a/0xbc6 arch/riscv/kernel/process.c:214
[<ffffffff8655c446>] ret_from_fork_kernel_asm+0x16/0x18 arch/riscv/kernel/entry.S:328

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf8035afcc00 pfn:0xb5afc
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 ffff8d8000ac1608 ffffaf806ed15740 0000000000000000
raw: ffffaf8035afcc00 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 9260, tgid 9252 (syz.4.606), ts 5119000865100, free_ts 5133056904100
 __set_page_owner+0x94/0x4a8 mm/page_owner.c:329
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xdc/0x1ba mm/page_alloc.c:1850
 prep_new_page mm/page_alloc.c:1858 [inline]
 get_page_from_freelist+0xdfc/0x3672 mm/page_alloc.c:3884
 __alloc_frozen_pages_noprof+0x22e/0x2124 mm/page_alloc.c:5183
 alloc_pages_mpol+0x1fa/0x5be mm/mempolicy.c:2416
 alloc_frozen_pages_noprof+0x174/0x2f0 mm/mempolicy.c:2487
 ___kmalloc_large_node+0x11e/0x200 mm/slub.c:5568
 __kmalloc_large_node_noprof+0x1e/0xf4 mm/slub.c:5599
 __do_kmalloc_node mm/slub.c:5615 [inline]
 __kvmalloc_node_noprof+0x3be/0xa7c mm/slub.c:7081
 alloc_netdev_mqs+0xce/0x124a net/core/dev.c:11900
 tun_set_iff drivers/net/tun.c:2778 [inline]
 __tun_chr_ioctl+0x27fe/0x5c8c drivers/net/tun.c:3088
 tun_chr_ioctl+0x2a/0x38 drivers/net/tun.c:3337
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __riscv_sys_ioctl+0x180/0x1e4 fs/ioctl.c:583
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:112
 do_trap_ecall_u+0x39e/0x53a arch/riscv/kernel/traps.c:343
 handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:198
page last free pid 9252 tgid 9252 stack trace:
 __reset_page_owner+0x78/0x1ba mm/page_owner.c:308
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1394 [inline]
 __free_frozen_pages+0x846/0x1570 mm/page_alloc.c:2906
 free_frozen_pages+0xe/0x16 mm/page_alloc.c:2944
 free_large_kmalloc+0x9c/0x172 mm/slub.c:6744
 kfree+0x4cc/0x76e mm/slub.c:6812
 kvfree+0x28/0x32 mm/slub.c:7124
 netdev_release+0x84/0xb0 net/core/net-sysfs.c:2252
 device_release+0x90/0x21c drivers/base/core.c:2565
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x238/0x4f0 lib/kobject.c:737
 netdev_run_todo+0x6aa/0x10b8 net/core/dev.c:11601
 rtnl_unlock+0x14/0x1c net/core/rtnetlink.c:157
 tun_detach drivers/net/tun.c:640 [inline]
 tun_chr_close+0xde/0x230 drivers/net/tun.c:3436
 __fput+0x382/0xa8c fs/file_table.c:468
 ____fput+0x1c/0x26 fs/file_table.c:496
 task_work_run+0x16a/0x25e kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0x110/0x142 kernel/entry/common.c:43

Memory state around the buggy address:
 ffffaf8035afcb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffffaf8035afcc00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffffaf8035afcc80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                  ^
 ffffaf8035afcd00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffffaf8035afcd80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================