[ 42.669692][ T258] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 42.683338][ T49] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 42.684444][ T917] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 42.693354][ T49] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 42.708985][ T3614] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 42.855865][ T8] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 43.458563][ T3595] can: request_module (can-proto-0) failed.
[ 43.477579][ T3595] can: request_module (can-proto-0) failed.
[ 43.495696][ T3595] can: request_module (can-proto-0) failed.
[ 45.945433][ T8] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 48.482538][ T8] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 48.553271][ T8] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 49.316842][ T8] device hsr_slave_0 left promiscuous mode
[ 49.325046][ T8] device hsr_slave_1 left promiscuous mode
[ 49.331932][ T8] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 49.339913][ T8] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 49.350321][ T8] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 49.357904][ T8] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 49.366992][ T8] device bridge_slave_1 left promiscuous mode
[ 49.374326][ T8] bridge0: port 2(bridge_slave_1) entered disabled state
[ 49.390425][ T8] device bridge_slave_0 left promiscuous mode
[ 49.396638][ T8] bridge0: port 1(bridge_slave_0) entered disabled state
[ 49.417153][ T8] device veth1_macvtap left promiscuous mode
[ 49.423930][ T8] device veth0_macvtap left promiscuous mode
[ 49.430800][ T8] device veth1_vlan left promiscuous mode
[ 49.436753][ T8] device veth0_vlan left promiscuous mode
[ 49.640860][ T8] team0 (unregistering): Port device team_slave_1 removed
[ 49.661862][ T8] team0 (unregistering): Port device team_slave_0 removed
[ 49.673220][ T8] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 49.685987][ T8] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 49.732780][ T8] bond0 (unregistering): Released all slaves
[ 50.131061][ T8] ==================================================================
[ 50.139471][ T8] BUG: KASAN: use-after-free in ip6mr_sk_done+0xea/0x360
[ 50.146754][ T8] Read of size 4 at addr ffff888013da0a88 by task kworker/u4:0/8
[ 50.154464][ T8]
[ 50.156788][ T8] CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.17.0-rc2-syzkaller #0
[ 50.165024][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.175252][ T8] Workqueue: netns cleanup_net
[ 50.180107][ T8] Call Trace:
[ 50.183382][ T8]
[ 50.186306][ T8] dump_stack_lvl+0x57/0x7d
[ 50.190807][ T8] print_address_description.constprop.0.cold+0x8d/0x336
[ 50.197832][ T8] ? ip6mr_sk_done+0xea/0x360
[ 50.202506][ T8] ? ip6mr_sk_done+0xea/0x360
[ 50.207177][ T8] kasan_report.cold+0x83/0xdf
[ 50.211945][ T8] ? ip6mr_sk_done+0xea/0x360
[ 50.216621][ T8] kasan_check_range+0x13d/0x180
[ 50.221551][ T8] ip6mr_sk_done+0xea/0x360
[ 50.226058][ T8] ? remove_proc_entry+0x188/0x3e0
[ 50.231256][ T8] rawv6_close+0x3e/0x60
[ 50.235491][ T8] inet_release+0xef/0x210
[ 50.240017][ T8] sock_release+0x7d/0x190
[ 50.244551][ T8] igmp6_net_exit+0x61/0x160
[ 50.249230][ T8] ops_exit_list+0x94/0x160
[ 50.253741][ T8] cleanup_net+0x423/0x980
[ 50.258155][ T8] ? lockdep_hardirqs_on+0x79/0x100
[ 50.263346][ T8] ? unregister_pernet_device+0x60/0x60
[ 50.268905][ T8] process_one_work+0x879/0x1410
[ 50.273944][ T8] ? lock_release+0x720/0x720
[ 50.278721][ T8] ? pwq_dec_nr_in_flight+0x230/0x230
[ 50.284186][ T8] ? rwlock_bug.part.0+0x90/0x90
[ 50.289127][ T8] ? _raw_spin_lock_irq+0x41/0x50
[ 50.294154][ T8] worker_thread+0x5a0/0xf60
[ 50.298761][ T8] ? process_one_work+0x1410/0x1410
[ 50.303958][ T8] kthread+0x299/0x340
[ 50.308021][ T8] ? kthread_complete_and_exit+0x20/0x20
[ 50.313657][ T8] ret_from_fork+0x1f/0x30
[ 50.318126][ T8]
[ 50.321145][ T8]
[ 50.323832][ T8] Allocated by task 0:
[ 50.327892][ T8] (stack is not available)
[ 50.332399][ T8]
[ 50.334721][ T8] Freed by task 8:
[ 50.338428][ T8] kasan_save_stack+0x1e/0x40
[ 50.343094][ T8] kasan_set_track+0x21/0x30
[ 50.347675][ T8] kasan_set_free_info+0x20/0x30
[ 50.352623][ T8] ____kasan_slab_free+0x130/0x160
[ 50.357725][ T8] slab_free_freelist_hook+0x8b/0x1c0
[ 50.363087][ T8] kfree+0xcb/0x280
[ 50.366888][ T8] ops_exit_list+0x94/0x160
[ 50.371381][ T8] cleanup_net+0x423/0x980
[ 50.375784][ T8] process_one_work+0x879/0x1410
[ 50.380717][ T8] worker_thread+0x5a0/0xf60
[ 50.385381][ T8] kthread+0x299/0x340
[ 50.390307][ T8] ret_from_fork+0x1f/0x30
[ 50.394718][ T8]
[ 50.397033][ T8] The buggy address belongs to the object at ffff888013da0a00
[ 50.397033][ T8] which belongs to the cache kmalloc-256 of size 256
[ 50.411351][ T8] The buggy address is located 136 bytes inside of
[ 50.411351][ T8] 256-byte region [ffff888013da0a00, ffff888013da0b00)
[ 50.424702][ T8] The buggy address belongs to the page:
[ 50.430311][ T8] page:ffffea00004f6800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13da0
[ 50.440429][ T8] head:ffffea00004f6800 order:1 compound_mapcount:0
[ 50.446995][ T8] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 50.455035][ T8] raw: 00fff00000010200 0000000000000000 dead000000000001 ffff88800fc41b40
[ 50.463591][ T8] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 50.472142][ T8] page dumped because: kasan: bad access detected
[ 50.478615][ T8] page_owner tracks the page as allocated
[ 50.484390][ T8] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 2085771656, free_ts 0
[ 50.502239][ T8] get_page_from_freelist+0xa6f/0x2f10
[ 50.507679][ T8] __alloc_pages+0x1b2/0x500
[ 50.512262][ T8] alloc_page_interleave+0xf/0x1c0
[ 50.517543][ T8] new_slab+0x28a/0x3b0
[ 50.521787][ T8] ___slab_alloc+0x87e/0xe80
[ 50.526365][ T8] __slab_alloc.constprop.0+0x4d/0xa0
[ 50.531724][ T8] __kmalloc_track_caller+0x2e7/0x320
[ 50.537083][ T8] krealloc+0x87/0xf0
[ 50.541042][ T8] add_sysfs_param+0xaf/0x900
[ 50.545780][ T8] param_sysfs_init+0x279/0x351
[ 50.550605][ T8] do_one_initcall+0xbe/0x440
[ 50.555255][ T8] kernel_init_freeable+0x5ab/0x605
[ 50.560426][ T8] kernel_init+0x14/0x130
[ 50.564900][ T8] ret_from_fork+0x1f/0x30
[ 50.569296][ T8] page_owner free stack trace missing
[ 50.574644][ T8]
[ 50.576945][ T8] Memory state around the buggy address:
[ 50.582545][ T8] ffff888013da0980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.590580][ T8] ffff888013da0a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.598680][ T8] >ffff888013da0a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.606906][ T8] ^
[ 50.611232][ T8] ffff888013da0b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.619263][ T8] ffff888013da0b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.627311][ T8] ==================================================================
[ 50.635352][ T8] Disabling lock debugging due to kernel taint
[ 50.646090][ T8] Kernel panic - not syncing: panic_on_warn set ...
[ 50.652691][ T8] CPU: 1 PID: 8 Comm: kworker/u4:0 Tainted: G B 5.17.0-rc2-syzkaller #0
[ 50.662389][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.672429][ T8] Workqueue: netns cleanup_net
[ 50.677193][ T8] Call Trace:
[ 50.680464][ T8]
[ 50.683382][ T8] dump_stack_lvl+0x57/0x7d
[ 50.687874][ T8] panic+0x214/0x49f
[ 50.691762][ T8] ? __warn_printk+0xee/0xee
[ 50.696339][ T8] ? preempt_schedule_common+0x59/0xc0
[ 50.701785][ T8] ? ip6mr_sk_done+0xea/0x360
[ 50.706444][ T8] ? preempt_schedule_thunk+0x16/0x18
[ 50.711813][ T8] ? ip6mr_sk_done+0xea/0x360
[ 50.716568][ T8] ? ip6mr_sk_done+0xea/0x360
[ 50.721245][ T8] end_report.cold+0x63/0x6f
[ 50.725826][ T8] kasan_report.cold+0x71/0xdf
[ 50.730596][ T8] ? ip6mr_sk_done+0xea/0x360
[ 50.735269][ T8] kasan_check_range+0x13d/0x180
[ 50.740198][ T8] ip6mr_sk_done+0xea/0x360
[ 50.744696][ T8] ? remove_proc_entry+0x188/0x3e0
[ 50.749807][ T8] rawv6_close+0x3e/0x60
[ 50.754039][ T8] inet_release+0xef/0x210
[ 50.758444][ T8] sock_release+0x7d/0x190
[ 50.762850][ T8] igmp6_net_exit+0x61/0x160
[ 50.767434][ T8] ops_exit_list+0x94/0x160
[ 50.771925][ T8] cleanup_net+0x423/0x980
[ 50.776345][ T8] ? lockdep_hardirqs_on+0x79/0x100
[ 50.781611][ T8] ? unregister_pernet_device+0x60/0x60
[ 50.787248][ T8] process_one_work+0x879/0x1410
[ 50.792354][ T8] ? lock_release+0x720/0x720
[ 50.797022][ T8] ? pwq_dec_nr_in_flight+0x230/0x230
[ 50.802391][ T8] ? rwlock_bug.part.0+0x90/0x90
[ 50.807495][ T8] ? _raw_spin_lock_irq+0x41/0x50
[ 50.812610][ T8] worker_thread+0x5a0/0xf60
[ 50.817628][ T8] ? process_one_work+0x1410/0x1410
[ 50.822814][ T8] kthread+0x299/0x340
[ 50.827134][ T8] ? kthread_complete_and_exit+0x20/0x20
[ 50.832845][ T8] ret_from_fork+0x1f/0x30
[ 50.837260][ T8]
[ 50.840446][ T8] Kernel Offset: disabled
[ 50.844877][ T8] Rebooting in 86400 seconds..