bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:66:f8:8a:4b:83:54, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
==================================================================
BUG: KASAN: use-after-free in dst_dev_put+0x219/0x290 net/core/dst.c:172
Read of size 8 at addr ffff8880896f90ee by task ksoftirqd/0/9

CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 5.0.0+ #97
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
 dst_dev_put+0x219/0x290 net/core/dst.c:172
 rt_fibinfo_free_cpus net/ipv4/fib_semantics.c:200 [inline]
 free_fib_info_rcu+0x2f4/0x4a0 net/ipv4/fib_semantics.c:217
 __rcu_reclaim kernel/rcu/rcu.h:240 [inline]
 rcu_do_batch kernel/rcu/tree.c:2452 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2773 [inline]
 rcu_process_callbacks+0x928/0x1390 kernel/rcu/tree.c:2754
 __do_softirq+0x266/0x95a kernel/softirq.c:292
 run_ksoftirqd kernel/softirq.c:654 [inline]
 run_ksoftirqd+0x8e/0x110 kernel/softirq.c:646
 smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 9:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc mm/kasan/common.c:495 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:468
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:503
 slab_post_alloc_hook mm/slab.h:440 [inline]
 slab_alloc mm/slab.c:3388 [inline]
 kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3548
 skb_clone+0x150/0x3b0 net/core/skbuff.c:1289
 deliver_clone+0x46/0xc0 net/bridge/br_forward.c:123
 maybe_deliver net/bridge/br_forward.c:184 [inline]
 maybe_deliver net/bridge/br_forward.c:172 [inline]
 br_flood+0x4da/0x710 net/bridge/br_forward.c:226
 br_handle_frame_finish+0x6b6/0x14c0 net/bridge/br_input.c:169
 NF_HOOK include/linux/netfilter.h:289 [inline]
 NF_HOOK include/linux/netfilter.h:283 [inline]
 br_handle_frame+0x82d/0x1450 net/bridge/br_input.c:305
 __netif_receive_skb_core+0xa96/0x3010 net/core/dev.c:4902
 __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:4971
 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
 process_backlog+0x206/0x750 net/core/dev.c:5923
 napi_poll net/core/dev.c:6346 [inline]
 net_rx_action+0x4fa/0x1070 net/core/dev.c:6412
 __do_softirq+0x266/0x95a kernel/softirq.c:292

Freed by task 9:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:457
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:465
 __cache_free mm/slab.c:3494 [inline]
 kmem_cache_free+0x86/0x260 mm/slab.c:3754
 kfree_skbmem net/core/skbuff.c:589 [inline]
 kfree_skbmem+0xc5/0x150 net/core/skbuff.c:583
 __kfree_skb net/core/skbuff.c:646 [inline]
 kfree_skb net/core/skbuff.c:663 [inline]
 kfree_skb+0xf0/0x390 net/core/skbuff.c:657
 tipc_disc_rcv+0x56c/0x1ac0 net/tipc/discover.c:220
 tipc_rcv+0xdd4/0xe90 net/tipc/node.c:1755
 tipc_l2_rcv_msg+0x20e/0x550 net/tipc/bearer.c:582
 __netif_receive_skb_one_core+0x115/0x1a0 net/core/dev.c:4973
 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
 netif_receive_skb_internal+0x117/0x660 net/core/dev.c:5186
 netif_receive_skb+0x6e/0x5a0 net/core/dev.c:5261
 br_netif_receive_skb+0x107/0x200 net/bridge/br_input.c:34
 NF_HOOK include/linux/netfilter.h:289 [inline]
 NF_HOOK include/linux/netfilter.h:283 [inline]
 br_pass_frame_up+0x354/0x730 net/bridge/br_input.c:69
 br_handle_frame_finish+0x6e0/0x14c0 net/bridge/br_input.c:175
 NF_HOOK include/linux/netfilter.h:289 [inline]
 NF_HOOK include/linux/netfilter.h:283 [inline]
 br_handle_frame+0x82d/0x1450 net/bridge/br_input.c:305
 __netif_receive_skb_core+0xa96/0x3010 net/core/dev.c:4902
 __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:4971
 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
 process_backlog+0x206/0x750 net/core/dev.c:5923
 napi_poll net/core/dev.c:6346 [inline]
 net_rx_action+0x4fa/0x1070 net/core/dev.c:6412
 __do_softirq+0x266/0x95a kernel/softirq.c:292

The buggy address belongs to the object at ffff8880896f9080
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 110 bytes inside of
 224-byte region [ffff8880896f9080, ffff8880896f9160)
The buggy address belongs to the page:
page:ffffea000225be40 count:1 mapcount:0 mapping:ffff88821b6ad3c0 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea0002508488 ffffea0002928148 ffff88821b6ad3c0
raw: 0000000000000000 ffff8880896f9080 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880896f8f80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880896f9000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880896f9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff8880896f9100: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8880896f9180: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================