==================================================================
BUG: KASAN: use-after-free in netif_is_l3_master include/linux/netdevice.h:4693 [inline]
BUG: KASAN: use-after-free in l3mdev_master_ifindex_rcu+0xfa/0x130 net/l3mdev/l3mdev.c:24
Read of size 4 at addr ffff888097c7821c by task kworker/1:4/2690

CPU: 1 PID: 2690 Comm: kworker/1:4 Not tainted 5.6.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events iterate_cleanup_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fb/0x318 lib/dump_stack.c:118
 print_address_description+0x74/0x5c0 mm/kasan/report.c:374
 __kasan_report+0x149/0x1c0 mm/kasan/report.c:506
 kasan_report+0x26/0x50 mm/kasan/common.c:641
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:134
 netif_is_l3_master include/linux/netdevice.h:4693 [inline]
 l3mdev_master_ifindex_rcu+0xfa/0x130 net/l3mdev/l3mdev.c:24
 ipv6_dev_get_saddr+0x229/0x9f0 net/ipv6/addrconf.c:1817
 ip6_route_get_saddr include/net/ip6_route.h:144 [inline]
 ip6_dst_lookup_tail+0xe52/0x12b0 net/ipv6/ip6_output.c:1030
 ip6_dst_lookup_flow+0x6e/0x110 net/ipv6/ip6_output.c:1153
 geneve_get_v6_dst+0x459/0x660 drivers/net/geneve.c:856
 geneve6_xmit_skb drivers/net/geneve.c:950 [inline]
 geneve_xmit+0x71f/0x1f70 drivers/net/geneve.c:1001
 __netdev_start_xmit include/linux/netdevice.h:4510 [inline]
 netdev_start_xmit include/linux/netdevice.h:4524 [inline]
 xmit_one net/core/dev.c:3470 [inline]
 dev_hard_start_xmit+0x1b1/0x3f0 net/core/dev.c:3486
 __dev_queue_xmit+0x1e1f/0x2e70 net/core/dev.c:4063
 dev_queue_xmit+0x17/0x20 net/core/dev.c:4096
 neigh_hh_output include/net/neighbour.h:499 [inline]
 neigh_output include/net/neighbour.h:508 [inline]
 ip6_finish_output2+0x101d/0x13e0 net/ipv6/ip6_output.c:116
 __ip6_finish_output+0x693/0x8c0 net/ipv6/ip6_output.c:142
 ip6_finish_output+0x52/0x1e0 net/ipv6/ip6_output.c:152
 NF_HOOK_COND include/linux/netfilter.h:296 [inline]
 ip6_output+0x2c2/0x3c0 net/ipv6/ip6_output.c:175
 dst_output include/net/dst.h:436 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 mld_sendpack+0x770/0xb80 net/ipv6/mcast.c:1682
 mld_send_cr net/ipv6/mcast.c:1978 [inline]
 mld_ifc_timer_expire+0x85b/0xc60 net/ipv6/mcast.c:2477
 call_timer_fn+0x95/0x170 kernel/time/timer.c:1404
 expire_timers kernel/time/timer.c:1449 [inline]
 __run_timers+0x776/0x970 kernel/time/timer.c:1773
 run_timer_softirq+0x4a/0x90 kernel/time/timer.c:1786
 __do_softirq+0x283/0x7bd kernel/softirq.c:292
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082
 do_softirq+0xfd/0x190 kernel/softirq.c:337
 __local_bh_enable_ip+0x194/0x240 kernel/softirq.c:189
 local_bh_enable+0x1f/0x30 include/linux/bottom_half.h:32
 get_next_corpse net/netfilter/nf_conntrack_core.c:2012 [inline]
 nf_ct_iterate_cleanup+0x2fa/0x3a0 net/netfilter/nf_conntrack_core.c:2035
 nf_ct_iterate_cleanup_net+0xf9/0x150 net/netfilter/nf_conntrack_core.c:2120
 iterate_cleanup_work+0x4f/0x100 net/netfilter/nf_nat_masquerade.c:216
 process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
 worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 9089:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
 __do_kmalloc_node mm/slab.c:3616 [inline]
 __kmalloc_node+0x4d/0x60 mm/slab.c:3623
 kmalloc_node include/linux/slab.h:578 [inline]
 kvmalloc_node+0x85/0x110 mm/util.c:574
 kvmalloc include/linux/mm.h:645 [inline]
 kvzalloc include/linux/mm.h:653 [inline]
 alloc_netdev_mqs+0x8e/0xd40 net/core/dev.c:9797
 rtnl_create_link+0x238/0x940 net/core/rtnetlink.c:3047
 __rtnl_newlink net/core/rtnetlink.c:3309 [inline]
 rtnl_newlink+0x12a2/0x1c00 net/core/rtnetlink.c:3377
 rtnetlink_rcv_msg+0x889/0xd40 net/core/rtnetlink.c:5438
 netlink_rcv_skb+0x19e/0x3e0 net/netlink/af_netlink.c:2477
 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:5456
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0x766/0x920 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0xa2b/0xd40 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg net/socket.c:672 [inline]
 __sys_sendto+0x43c/0x5e0 net/socket.c:1998
 __do_sys_sendto net/socket.c:2010 [inline]
 __se_sys_sendto net/socket.c:2006 [inline]
 __x64_sys_sendto+0xe5/0x100 net/socket.c:2006
 do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9089:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10d/0x220 mm/slab.c:3757
 __netdev_name_node_alt_destroy net/core/dev.c:322 [inline]
 netdev_name_node_alt_destroy+0x35c/0x380 net/core/dev.c:334
 rtnl_alt_ifname net/core/rtnetlink.c:3518 [inline]
 rtnl_linkprop+0x42d/0x680 net/core/rtnetlink.c:3567
 rtnl_dellinkprop+0x2a/0x40 net/core/rtnetlink.c:3588
 rtnetlink_rcv_msg+0x889/0xd40 net/core/rtnetlink.c:5438
 netlink_rcv_skb+0x19e/0x3e0 net/netlink/af_netlink.c:2477
 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:5456
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0x766/0x920 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0xa2b/0xd40 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg net/socket.c:672 [inline]
 ____sys_sendmsg+0x4f7/0x7f0 net/socket.c:2343
 ___sys_sendmsg net/socket.c:2397 [inline]
 __sys_sendmsg+0x1ed/0x290 net/socket.c:2430
 __do_sys_sendmsg net/socket.c:2439 [inline]
 __se_sys_sendmsg net/socket.c:2437 [inline]
 __x64_sys_sendmsg+0x7f/0x90 net/socket.c:2437
 do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888097c78000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 540 bytes inside of
 4096-byte region [ffff888097c78000, ffff888097c79000)
The buggy address belongs to the page:
page:ffffea00025f1e00 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea00023a5e88 ffffea00020f9808 ffff8880aa402000
raw: 0000000000000000 ffff888097c78000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888097c78100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888097c78180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888097c78200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff888097c78280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888097c78300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
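The following triage script is an added example and is not part of the syzkaller report or of the kernel. It parses a generic-KASAN report of the shape shown above and does the cross-checks a triager otherwise performs by hand: it names the first non-allocator frame in the access, allocation and free stacks (here netif_is_l3_master, alloc_netdev_mqs and __netdev_name_node_alt_destroy), verifies that the faulting address really is 540 bytes into the kmalloc-4k object, and decodes the shadow byte under the `^` marker, which for a use-after-free must be the freed-object poison (0xfb in generic KASAN). The embedded REPORT is an abbreviated copy of the report above with most frames trimmed; the addresses and shadow rows are verbatim. The NOISE frame filter and the SHADOW_MEANING table are this script's own assumptions about report layout and generic-KASAN poison values, not something the report states.

```python
import itertools
import re

# Shadow-byte poison values of generic KASAN (mm/kasan/kasan.h); 0..7 means (partially) addressable.
SHADOW_MEANING = {0xfb: "freed slab object", 0xfc: "slab redzone",
                  0xfa: "global redzone", 0xfe: "page redzone", 0xff: "freed page"}
SHADOW_GRANULE = 8  # one shadow byte covers 8 bytes of kernel memory
# Frames from the allocator and sanitizer; skipped when naming the code to blame (assumption).
NOISE = ("mm/kasan/", "mm/slab", "mm/slub", "mm/util.c", "include/linux/slab.h",
         "include/linux/mm.h", "lib/dump_stack.c")

# Abbreviated copy of the report above (frames trimmed; addresses and shadow rows verbatim).
REPORT = """\
BUG: KASAN: use-after-free in netif_is_l3_master include/linux/netdevice.h:4693 [inline]
BUG: KASAN: use-after-free in l3mdev_master_ifindex_rcu+0xfa/0x130 net/l3mdev/l3mdev.c:24
Read of size 4 at addr ffff888097c7821c by task kworker/1:4/2690
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:134
 netif_is_l3_master include/linux/netdevice.h:4693 [inline]
 l3mdev_master_ifindex_rcu+0xfa/0x130 net/l3mdev/l3mdev.c:24
Allocated by task 9089:
 __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
 kvmalloc_node+0x85/0x110 mm/util.c:574
 alloc_netdev_mqs+0x8e/0xd40 net/core/dev.c:9797
 rtnl_newlink+0x12a2/0x1c00 net/core/rtnetlink.c:3377
Freed by task 9089:
 __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
 kfree+0x10d/0x220 mm/slab.c:3757
 __netdev_name_node_alt_destroy net/core/dev.c:322 [inline]
 rtnl_dellinkprop+0x2a/0x40 net/core/rtnetlink.c:3588
The buggy address belongs to the object at ffff888097c78000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 540 bytes inside of
 4096-byte region [ffff888097c78000, ffff888097c79000)
>ffff888097c78200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
"""

def _frames(lines, i):
    """Indented stack frames that follow header line i."""
    return [l.strip() for l in itertools.takewhile(lambda l: l.startswith(" "), lines[i + 1:])]

def blame(frames):
    """First frame outside allocator/sanitizer code: the function to look at first."""
    for f in frames:
        if not any(n in f for n in NOISE):
            return f.split()[0].split("+")[0]
    return None

def parse_kasan_report(text):
    lines = text.splitlines()
    m = re.search(r"BUG: KASAN: (\S+) in (\S+)", text)
    rep = {"bug": m.group(1), "site": m.group(2)}
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", text)
    rep.update(access=m.group(1), size=int(m.group(2)), addr=int(m.group(3), 16), task=m.group(4))
    m = re.search(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)", text)
    rep.update(object=int(m.group(1), 16), cache=m.group(2), object_size=int(m.group(3)))
    rep["stated_offset"] = int(re.search(r"located (\d+) bytes inside of", text).group(1))
    rep["alloc_task"] = re.search(r"Allocated by task (\d+)", text).group(1)
    rep["free_task"] = re.search(r"Freed by task (\d+)", text).group(1)
    for i, line in enumerate(lines):
        if line.startswith("Call Trace:"):
            rep["access_frames"] = _frames(lines, i)
        elif line.startswith("Allocated by task"):
            rep["alloc_frames"] = _frames(lines, i)
        elif line.startswith("Freed by task"):
            rep["free_frames"] = _frames(lines, i)
        elif line.startswith(">"):  # shadow row that contains the faulting address
            rep["shadow_row"], rep["caret"] = line, lines[i + 1]
    return rep

def offset_consistent(rep):
    """The report's 'N bytes inside of' must equal addr - object base."""
    return rep["addr"] - rep["object"] == rep["stated_offset"]

def shadow_under_caret(rep):
    """Shadow byte the '^' points at, cross-checked against the faulting address."""
    row, caret = rep["shadow_row"], rep["caret"]
    row_addr = int(row[1:row.index(":")], 16)
    first_col = row.index(": ") + 2
    idx = (caret.index("^") - first_col) // 3  # each "xx " cell is three columns wide
    if idx != (rep["addr"] - row_addr) // SHADOW_GRANULE:
        raise ValueError("caret does not line up with the faulting address")
    byte = int(row[first_col:].split()[idx], 16)
    return byte, SHADOW_MEANING.get(byte, "addressable" if byte < SHADOW_GRANULE else "unknown")

def triage(text):
    rep = parse_kasan_report(text)
    byte, meaning = shadow_under_caret(rep)
    return {
        "bug": rep["bug"],
        "access": "%s of %d bytes at %s+%d by %s" % (rep["access"], rep["size"], rep["cache"],
                                                      rep["addr"] - rep["object"], rep["task"]),
        "accessed_in": blame(rep["access_frames"]),
        "allocated_in": blame(rep["alloc_frames"]),
        "freed_in": blame(rep["free_frames"]),
        "same_task_alloc_free": rep["alloc_task"] == rep["free_task"],
        "offset_ok": offset_consistent(rep),
        "shadow": "0x%02x %s" % (byte, meaning),
    }

if __name__ == "__main__":
    print(triage(REPORT))
```

For this report `triage(REPORT)` names netif_is_l3_master as the accessing function, alloc_netdev_mqs as the allocator and __netdev_name_node_alt_destroy as the freeing function, confirms the 540-byte offset and reports shadow `0xfb freed slab object`; it also notes that the same task, 9089, both created the net_device (rtnl_newlink) and later freed it through the RTM_DELLINKPROP path, while the faulting read came from an unrelated kworker, which is the hand-off pattern to keep in mind when reading the free stack. A caret that does not line up with the faulting address raises ValueError instead of silently decoding the wrong byte.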