IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
==================================================================
BUG: KASAN: use-after-free in tcp_skb_pcount include/net/tcp.h:796 [inline]
BUG: KASAN: use-after-free in tcp_init_tso_segs net/ipv4/tcp_output.c:1619 [inline]
BUG: KASAN: use-after-free in tcp_write_xmit+0x3fc2/0x4cb0 net/ipv4/tcp_output.c:2056
Read of size 2 at addr ffff8800ba98f1b0 by task syz-executor0/4209
CPU: 0 PID: 4209 Comm: syz-executor0 Not tainted 4.4.136-gfb7e319 #57
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 bead00a411c184e7 ffff8801d6fe76c8 ffffffff81e0edad
ffffea0002ea6380 ffff8800ba98f1b0 0000000000000000 ffff8800ba98f1b0
dffffc0000000000 ffff8801d6fe7700 ffffffff815159b6 ffff8800ba98f1b0
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] print_address_description+0x6c/0x216 mm/kasan/report.c:252
[] kasan_report_error mm/kasan/report.c:351 [inline]
[] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408
[] __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:427
[] tcp_skb_pcount include/net/tcp.h:796 [inline]
[] tcp_init_tso_segs net/ipv4/tcp_output.c:1619 [inline]
[] tcp_write_xmit+0x3fc2/0x4cb0 net/ipv4/tcp_output.c:2056
[] __tcp_push_pending_frames+0xa0/0x290 net/ipv4/tcp_output.c:2307
[] tcp_send_fin+0x176/0xab0 net/ipv4/tcp_output.c:2883
[] tcp_close+0xca0/0xf70 net/ipv4/tcp.c:2112
[] inet_release+0xff/0x1d0 net/ipv4/af_inet.c:435
[] sock_release+0x96/0x1c0 net/socket.c:586
[] sock_close+0x16/0x20 net/socket.c:1037
[] __fput+0x235/0x6f0 fs/file_table.c:208
[] ____fput+0x15/0x20 fs/file_table.c:244
[] task_work_run+0x10f/0x190 kernel/task_work.c:115
[] exit_task_work include/linux/task_work.h:21 [inline]
[] do_exit+0x9e5/0x26b0 kernel/exit.c:759
[] do_group_exit+0x111/0x330 kernel/exit.c:889
[] get_signal+0x4ec/0x14b0 kernel/signal.c:2321