==================================================================
BUG: KASAN: slab-use-after-free in string+0x231/0x2b0
Read of size 1 at addr ffff888027c881a0 by task udevd/9709

CPU: 0 UID: 0 PID: 9709 Comm: udevd Not tainted 6.16.0-syzkaller-11895-gcca7a0aae895-dirty #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250
 print_report+0xca/0x240
 kasan_report+0x118/0x150
 string+0x231/0x2b0
 vsnprintf+0x739/0xf00
 add_uevent_var+0x1cc/0x450
 ib_device_uevent+0x79/0xa0
 dev_uevent+0x48f/0x7a0
 uevent_show+0x19f/0x310
 dev_attr_show+0x58/0xc0
 sysfs_kf_seq_show+0x310/0x490
 seq_read_iter+0x4ea/0xe10
 vfs_read+0x4d0/0x980
 ksys_read+0x145/0x250
 do_syscall_64+0xfa/0x3b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fef9eb16b6a
Code: 00 3d 00 00 41 00 75 0d 50 48 8d 3d 2d 08 0a 00 e8 ea 7d 01 00 31 c0 e9 07 ff ff ff 64 8b 04 25 18 00 00 00 85 c0 75 1b 0f 05 <48> 3d 00 f0 ff ff 76 6c 48 8b 15 8f a2 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007fffdfb02818 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000556c07092870 RCX: 00007fef9eb16b6a
RDX: 0000000000001000 RSI: 0000556c07055690 RDI: 0000000000000008
RBP: 0000556c07092870 R08: 0000000000000008 R09: 0000000000000010
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007fffdfb02cf8 R15: 000000000000000a
 </TASK>

Allocated by task 10428:
 kasan_save_track+0x3e/0x80
 __kasan_kmalloc+0x93/0xb0
 __kmalloc_node_track_caller_noprof+0x271/0x4e0
 kstrdup+0x42/0x100
 kobject_set_name_vargs+0x61/0x110
 dev_set_name+0xd4/0x120
 ib_register_device+0x12c/0x1380
 rxe_register_device+0x1ef/0x310
 rxe_net_add+0x81/0x110
 rxe_newlink+0xdd/0x190
 nldev_newlink+0x4a5/0x5a0
 rdma_nl_rcv+0x6ae/0x980
 netlink_unicast+0x82f/0x9e0
 netlink_sendmsg+0x805/0xb30
 __sock_sendmsg+0x21c/0x270
 ____sys_sendmsg+0x505/0x830
 ___sys_sendmsg+0x21f/0x2a0
 __x64_sys_sendmsg+0x19b/0x260
 do_syscall_64+0xfa/0x3b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 10496:
 kasan_save_track+0x3e/0x80
 kasan_save_free_info+0x46/0x50
 __kasan_slab_free+0x5b/0x80
 kfree+0x18e/0x440
 kobject_rename+0x38f/0x420
 device_rename+0x15d/0x1f0
 ib_device_rename+0x23d/0x660
 nldev_set_doit+0x29f/0x480
 rdma_nl_rcv+0x6ae/0x980
 netlink_unicast+0x82f/0x9e0
 netlink_sendmsg+0x805/0xb30
 __sock_sendmsg+0x21c/0x270
 ____sys_sendmsg+0x505/0x830
 ___sys_sendmsg+0x21f/0x2a0
 __x64_sys_sendmsg+0x19b/0x260
 do_syscall_64+0xfa/0x3b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888027c881a0
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
 freed 8-byte region [ffff888027c881a0, ffff888027c881a8)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888027c88520 pfn:0x27c88
anon flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88801a441500 0000000000000000 dead000000000001
raw: ffff888027c88520 000000000080007e 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 10021, tgid 10019 (syz.2.990), ts 147063871938, free_ts 110468434184
 post_alloc_hook+0x240/0x2a0
 get_page_from_freelist+0x21e4/0x22c0
 __alloc_frozen_pages_noprof+0x181/0x370
 alloc_pages_mpol+0x232/0x4a0
 allocate_slab+0x8a/0x370
 ___slab_alloc+0xbeb/0x1410
 __kmalloc_node_track_caller_noprof+0x2f8/0x4e0
 kvasprintf+0xdc/0x190
 kobject_set_name_vargs+0x61/0x110
 kobject_init_and_add+0xdd/0x190
 net_rx_queue_update_kobjects+0x221/0x740
 netdev_register_kobject+0x21f/0x310
 register_netdevice+0x126c/0x1ae0
 __ip_tunnel_create+0x3e7/0x560
 ip_tunnel_init_net+0x2ba/0x800
 ops_init+0x35c/0x5c0
page last free pid 9290 tgid 9290 stack trace:
 __free_frozen_pages+0xbc4/0xd30
 __tlb_remove_table+0x2d2/0x3b0
 tlb_remove_table_rcu+0x85/0x100
 rcu_core+0xcab/0x1770
 handle_softirqs+0x286/0x870
 __irq_exit_rcu+0xca/0x1f0
 irq_exit_rcu+0x9/0x30
 sysvec_apic_timer_interrupt+0xa6/0xc0
 asm_sysvec_apic_timer_interrupt+0x1a/0x20

Memory state around the buggy address:
 ffff888027c88080: 05 fc fc fc 02 fc fc fc 06 fc fc fc 03 fc fc fc
 ffff888027c88100: 05 fc fc fc 03 fc fc fc 05 fc fc fc 05 fc fc fc
>ffff888027c88180: 00 fc fc fc fa fc fc fc 03 fc fc fc 04 fc fc fc
                               ^
 ffff888027c88200: 03 fc fc fc 04 fc fc fc 05 fc fc fc 04 fc fc fc
 ffff888027c88280: 03 fc fc fc fa fc fc fc 03 fc fc fc fa fc fc fc
==================================================================
