netlink: 'syz-executor3': attribute type 3 has an invalid length.
team0: No ports can be present during mode change
netlink: 'syz-executor3': attribute type 3 has an invalid length.
team0: No ports can be present during mode change
==================================================================
BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:704 [inline]
BUG: KASAN: use-after-free in hlist_del_init include/linux/list.h:717 [inline]
BUG: KASAN: use-after-free in __xfrm_policy_unlink+0x9a4/0xa00 net/xfrm/xfrm_policy.c:2213
Write of size 8 at addr ffff888097dedef0 by task kworker/u4:14/9063

CPU: 1 PID: 9063 Comm: kworker/u4:14 Not tainted 5.0.0-rc2+ #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:140
 __hlist_del include/linux/list.h:704 [inline]
 hlist_del_init include/linux/list.h:717 [inline]
 __xfrm_policy_unlink+0x9a4/0xa00 net/xfrm/xfrm_policy.c:2213
 xfrm_policy_flush+0x331/0x460 net/xfrm/xfrm_policy.c:1789
 xfrm_policy_fini+0xbf/0x640 net/xfrm/xfrm_policy.c:3866
 xfrm_net_exit+0x1d/0x70 net/xfrm/xfrm_policy.c:3928
 ops_exit_list.isra.0+0xb0/0x160 net/core/net_namespace.c:153
 cleanup_net+0x51d/0xb10 net/core/net_namespace.c:551
 process_one_work+0xd0c/0x1ce0 kernel/workqueue.c:2153
 worker_thread+0x143/0x14a0 kernel/workqueue.c:2296
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 15360:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc mm/kasan/common.c:496 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469
 kasan_kmalloc mm/kasan/common.c:504 [inline]
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:411
 kmem_cache_alloc+0x12d/0x710 mm/slab.c:3543
 mempool_alloc_slab+0x47/0x60 mm/mempool.c:505
 mempool_alloc+0x19f/0x500 mm/mempool.c:385
 bvec_alloc+0xe0/0x2f0 block/bio.c:218
 bio_alloc_bioset+0x492/0x720 block/bio.c:509
 bio_alloc include/linux/bio.h:393 [inline]
 io_submit_init_bio fs/ext4/page-io.c:374 [inline]
 io_submit_add_bh fs/ext4/page-io.c:399 [inline]
 ext4_bio_write_page+0xf1b/0x1936 fs/ext4/page-io.c:506
 mpage_submit_page+0x15a/0x270 fs/ext4/inode.c:2237
 mpage_process_page_bufs+0x517/0x610 fs/ext4/inode.c:2348
 mpage_prepare_extent_to_map+0xe27/0x1950 fs/ext4/inode.c:2710
 ext4_writepages+0x1381/0x41a0 fs/ext4/inode.c:2838
 do_writepages+0x99/0x1a0 mm/page-writeback.c:2335
 __writeback_single_inode+0x1c5/0x1620 fs/fs-writeback.c:1316
 writeback_sb_inodes+0x762/0x1260 fs/fs-writeback.c:1580
 __writeback_inodes_wb+0x16d/0x3d0 fs/fs-writeback.c:1649
 wb_writeback+0xa2d/0xf70 fs/fs-writeback.c:1758
 wb_check_start_all fs/fs-writeback.c:1882 [inline]
 wb_do_writeback fs/fs-writeback.c:1908 [inline]
 wb_workfn+0xe52/0x16f0 fs/fs-writeback.c:1942
 process_one_work+0xd0c/0x1ce0 kernel/workqueue.c:2153
 worker_thread+0x143/0x14a0 kernel/workqueue.c:2296
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Freed by task 7169:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
 __cache_free mm/slab.c:3487 [inline]
 kmem_cache_free+0x86/0x260 mm/slab.c:3749
 mempool_free_slab+0x1e/0x30 mm/mempool.c:512
 mempool_free+0xed/0x380 mm/mempool.c:494
 bvec_free+0xa6/0xc0 block/bio.c:173
 bio_free+0x2ec/0x570 block/bio.c:259
 bio_put+0x17a/0x1f0 block/bio.c:561
 ext4_end_bio+0x1a6/0x700 fs/ext4/page-io.c:343
 bio_endio+0x840/0xfb0 block/bio.c:1793
 req_bio_endio block/blk-core.c:196 [inline]
 blk_update_request+0x3dd/0xd10 block/blk-core.c:1454
 scsi_end_request+0xf2/0xb70 drivers/scsi/scsi_lib.c:587
 scsi_io_completion+0x263/0x1bb0 drivers/scsi/scsi_lib.c:993
 scsi_finish_command+0x527/0x910 drivers/scsi/scsi.c:248
 scsi_softirq_done+0x45d/0x520 drivers/scsi/scsi_lib.c:1499
 blk_done_softirq+0x4ab/0x750 block/blk-softirq.c:37
 __do_softirq+0x30b/0xb11 kernel/softirq.c:292

The buggy address belongs to the object at ffff888097dedcc0
 which belongs to the cache biovec-max of size 8192
The buggy address is located 560 bytes inside of
 8192-byte region [ffff888097dedcc0, ffff888097defcc0)
The buggy address belongs to the page:
page:ffffea00025f7b00 count:1 mapcount:0 mapping:ffff88821b2eb000 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea000180c208 ffffea0002770608 ffff88821b2eb000
raw: 0000000000000000 ffff888097dedcc0 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888097dedd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888097dede00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888097dede80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff888097dedf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888097dedf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================