syzbot

bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
==================================================================
BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:143 [inline]
BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:492 [inline]
BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:534 [inline]
BUG: KASAN: use-after-free in rhashtable_lookup_fast include/linux/rhashtable.h:560 [inline]
BUG: KASAN: use-after-free in ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:133 [inline]
BUG: KASAN: use-after-free in ila_xlat_addr net/ipv6/ila/ila_xlat.c:658 [inline]
BUG: KASAN: use-after-free in ila_nf_input+0xcd7/0xe00 net/ipv6/ila/ila_xlat.c:191
Read of size 4 at addr ffff88805d2d12cc by task ksoftirqd/0/9

CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 5.0.0+ #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:134
 rht_key_hashfn include/linux/rhashtable.h:143 [inline]
 __rhashtable_lookup include/linux/rhashtable.h:492 [inline]
 rhashtable_lookup include/linux/rhashtable.h:534 [inline]
 rhashtable_lookup_fast include/linux/rhashtable.h:560 [inline]
 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:133 [inline]
 ila_xlat_addr net/ipv6/ila/ila_xlat.c:658 [inline]
 ila_nf_input+0xcd7/0xe00 net/ipv6/ila/ila_xlat.c:191
 nf_hook_entry_hookfn include/linux/netfilter.h:119 [inline]
 nf_hook_slow+0xbf/0x1f0 net/netfilter/core.c:511
 nf_hook include/linux/netfilter.h:244 [inline]
 NF_HOOK include/linux/netfilter.h:287 [inline]
 ipv6_rcv+0x25d/0x420 net/ipv6/ip6_input.c:272
 __netif_receive_skb_one_core+0x115/0x1a0 net/core/dev.c:4973
 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
 process_backlog+0x206/0x750 net/core/dev.c:5923
 napi_poll net/core/dev.c:6346 [inline]
 net_rx_action+0x4fa/0x1070 net/core/dev.c:6412
 __do_softirq+0x266/0x95a kernel/softirq.c:292
 run_ksoftirqd kernel/softirq.c:654 [inline]
 run_ksoftirqd+0x8e/0x110 kernel/softirq.c:646
 smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 7632:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc mm/kasan/common.c:495 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:468
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:509
 __do_kmalloc_node mm/slab.c:3678 [inline]
 __kmalloc_node+0x4e/0x70 mm/slab.c:3685
 kmalloc_node include/linux/slab.h:588 [inline]
 kvmalloc_node+0xbd/0x100 mm/util.c:416
 kvmalloc include/linux/mm.h:604 [inline]
 kvzalloc include/linux/mm.h:612 [inline]
 bucket_table_alloc+0x3f/0x450 lib/rhashtable.c:176
 rhashtable_init+0x489/0x8a0 lib/rhashtable.c:1065
 ila_xlat_init_net+0x1df/0x2f0 net/ipv6/ila/ila_xlat.c:623
 ila_init_net+0x16/0x20 net/ipv6/ila/ila_main.c:63
 ops_init+0xb6/0x410 net/core/net_namespace.c:129
 setup_net+0x2c5/0x730 net/core/net_namespace.c:314
 copy_net_ns+0x1d9/0x340 net/core/net_namespace.c:437
 create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206
 ksys_unshare+0x440/0x980 kernel/fork.c:2550
 __do_sys_unshare kernel/fork.c:2618 [inline]
 __se_sys_unshare kernel/fork.c:2616 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:2616
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8191:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:457
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:465
 __cache_free mm/slab.c:3494 [inline]
 kfree+0xcf/0x230 mm/slab.c:3811
 kvfree+0x61/0x70 mm/util.c:445
 bucket_table_free+0x93/0x180 lib/rhashtable.c:108
 rhashtable_free_and_destroy+0x155/0x8f0 lib/rhashtable.c:1163
 ila_xlat_exit_net+0x1a4/0x360 net/ipv6/ila/ila_xlat.c:632
 ila_exit_net+0x16/0x20 net/ipv6/ila/ila_main.c:75
 ops_exit_list.isra.0+0xb0/0x160 net/core/net_namespace.c:153
 cleanup_net+0x3fb/0x960 net/core/net_namespace.c:551
 process_one_work+0x98e/0x1790 kernel/workqueue.c:2173
 worker_thread+0x98/0xe40 kernel/workqueue.c:2319
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff88805d2d12c0
 which belongs to the cache kmalloc-32k of size 32768
The buggy address is located 12 bytes inside of
 32768-byte region [ffff88805d2d12c0, ffff88805d2d92c0)
The buggy address belongs to the page:
page:ffffea000174b400 count:1 mapcount:0 mapping:ffff88812c3f2380 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea0001746408 ffffea000173d408 ffff88812c3f2380
raw: 0000000000000000 ffff88805d2d12c0 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88805d2d1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88805d2d1200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88805d2d1280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                              ^
 ffff88805d2d1300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88805d2d1380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================