syzbot

IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
8021q: adding VLAN 0 to HW filter on device team0
IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
==================================================================
BUG: KASAN: use-after-scope in lookup_object lib/debugobjects.c:157 [inline]
BUG: KASAN: use-after-scope in debug_object_deactivate+0x425/0x450 lib/debugobjects.c:540
Read of size 8 at addr ffff8801b8c1b750 by task syz-executor121/4719

CPU: 0 PID: 4719 Comm: syz-executor121 Not tainted 4.18.0-rc3+ #48
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 lookup_object lib/debugobjects.c:157 [inline]
 debug_object_deactivate+0x425/0x450 lib/debugobjects.c:540
 debug_hrtimer_deactivate kernel/time/hrtimer.c:421 [inline]
 debug_deactivate kernel/time/hrtimer.c:471 [inline]
 __run_hrtimer kernel/time/hrtimer.c:1368 [inline]
 __hrtimer_run_queues+0x2bf/0x10c0 kernel/time/hrtimer.c:1460
 hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x165/0x730 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
 </IRQ>

Allocated by task 917528:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
 kmem_cache_zalloc include/linux/slab.h:697 [inline]
 fill_pool lib/debugobjects.c:134 [inline]
 __debug_object_init+0xbe1/0x12e0 lib/debugobjects.c:377
 debug_object_init lib/debugobjects.c:429 [inline]
 debug_object_activate+0x32e/0x690 lib/debugobjects.c:510
 debug_rcu_head_queue kernel/rcu/rcu.h:135 [inline]
 __call_rcu.constprop.68+0xc8/0xc00 kernel/rcu/tree.c:2906
 call_rcu_sched+0x12/0x20 kernel/rcu/tree.c:2985
 file_free fs/file_table.c:55 [inline]
 put_filp+0xa1/0xb2 fs/file_table.c:307
 path_openat+0x38f2/0x4e10 fs/namei.c:3552
 do_filp_open+0x255/0x380 fs/namei.c:3574
 do_sys_open+0x584/0x760 fs/open.c:1101
 __do_sys_open fs/open.c:1119 [inline]
 __se_sys_open fs/open.c:1114 [inline]
 __x64_sys_open+0x7e/0xc0 fs/open.c:1114
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801b8c1b738
 which belongs to the cache debug_objects_cache of size 40
The buggy address is located 24 bytes inside of
 40-byte region [ffff8801b8c1b738, ffff8801b8c1b760)
The buggy address belongs to the page:
page:ffffea0006e306c0 count:1 mapcount:0 mapping:ffff8801da810dc0 index:0xffff8801b8c1bfb9
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea0006e85b08 ffffea0006df5fc8 ffff8801da810dc0
raw: ffff8801b8c1bfb9 ffff8801b8c1b000 0000000100000047 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801b8c1b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
 ffff8801b8c1b680: f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2
>ffff8801b8c1b700: f2 f2 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2
                                                 ^
 ffff8801b8c1b780: f2 f2 00 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
 ffff8801b8c1b800: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
==================================================================