syzbot

bridge0: received packet on veth0_to_bridge with own address as source address (addr:5e:49:01:6d:05:0d, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:5e:49:01:6d:05:0d, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:5e:49:01:6d:05:0d, vlan:0)
==================================================================
BUG: KASAN: use-after-free in tcp_orphan_retries net/ipv4/tcp_timer.c:127 [inline]
BUG: KASAN: use-after-free in tcp_probe_timer net/ipv4/tcp_timer.c:362 [inline]
BUG: KASAN: use-after-free in tcp_write_timer_handler+0x889/0x8a0 net/ipv4/tcp_timer.c:591
Read of size 4 at addr ffff88806aa2c8e8 by task ksoftirqd/1/16

CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.0.0+ #98
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
 tcp_orphan_retries net/ipv4/tcp_timer.c:127 [inline]
 tcp_probe_timer net/ipv4/tcp_timer.c:362 [inline]
 tcp_write_timer_handler+0x889/0x8a0 net/ipv4/tcp_timer.c:591
 tcp_write_timer+0x10e/0x1d0 net/ipv4/tcp_timer.c:607
 call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
 expire_timers kernel/time/timer.c:1362 [inline]
 __run_timers kernel/time/timer.c:1681 [inline]
 __run_timers kernel/time/timer.c:1649 [inline]
 run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
 __do_softirq+0x266/0x95a kernel/softirq.c:293
 run_ksoftirqd kernel/softirq.c:655 [inline]
 run_ksoftirqd+0x8e/0x110 kernel/softirq.c:647
 smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
 kthread+0x357/0x430 kernel/kthread.c:253
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

The buggy address belongs to the page:
page:ffffea0001aa8b00 count:0 mapcount:-128 mapping:0000000000000000 index:0xffff88806aa2c180
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 ffffea0002155b08 ffffea0001ac8408 0000000000000000
raw: ffff88806aa2c180 0000000000000002 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88806aa2c780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88806aa2c800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88806aa2c880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                          ^
 ffff88806aa2c900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88806aa2c980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================