==================================================================
BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3143 [inline]
BUG: KASAN: double-free or invalid-free in kfree+0xdb/0x360 mm/slub.c:4125

CPU: 0 PID: 10 Comm: ksoftirqd/0 Not tainted 5.11.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230
 kasan_report_invalid_free+0x51/0x80 mm/kasan/report.c:355
 ____kasan_slab_free+0xfd/0x110 mm/kasan/common.c:341
 kasan_slab_free include/linux/kasan.h:188 [inline]
 slab_free_hook mm/slub.c:1547 [inline]
 slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1580
 slab_free mm/slub.c:3143 [inline]
 kfree+0xdb/0x360 mm/slub.c:4125
 bdev_free_inode+0x57/0x80 fs/block_dev.c:787
 i_callback+0x3f/0x70 fs/inode.c:222
 rcu_do_batch kernel/rcu/tree.c:2489 [inline]
 rcu_core+0x5eb/0xf00 kernel/rcu/tree.c:2723
 __do_softirq+0x2a5/0x9f7 kernel/softirq.c:343
 run_ksoftirqd kernel/softirq.c:650 [inline]
 run_ksoftirqd+0x2d/0x50 kernel/softirq.c:642
 smpboot_thread_fn+0x655/0x9e0 kernel/smpboot.c:165
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Allocated by task 4897:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:401 [inline]
 ____kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:429
 kasan_slab_alloc include/linux/kasan.h:205 [inline]
 slab_post_alloc_hook mm/slab.h:512 [inline]
 slab_alloc_node mm/slub.c:2892 [inline]
 slab_alloc mm/slub.c:2900 [inline]
 __kmalloc_track_caller+0x1d7/0x3b0 mm/slub.c:4465
 kmemdup+0x23/0x50 mm/util.c:128
 kmemdup include/linux/string.h:520 [inline]
 add_partition+0x348/0x910 block/partitions/core.c:368
 blk_add_partition block/partitions/core.c:598 [inline]
 blk_add_partitions+0xa83/0xf10 block/partitions/core.c:674
 bdev_disk_changed+0x1fd/0x410 fs/block_dev.c:1249
 blkdev_reread_part block/ioctl.c:94 [inline]
 blkdev_common_ioctl+0x129c/0x16a0 block/ioctl.c:501
 blkdev_ioctl+0x1d4/0x6b0 block/ioctl.c:570
 block_ioctl+0xf9/0x140 fs/block_dev.c:1648
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xc0/0xf0 mm/kasan/generic.c:342
 __call_rcu kernel/rcu/tree.c:2965 [inline]
 call_rcu+0xbb/0x700 kernel/rcu/tree.c:3038
 nf_hook_entries_free net/netfilter/core.c:88 [inline]
 nf_hook_entries_free net/netfilter/core.c:75 [inline]
 __nf_register_net_hook+0x2aa/0x610 net/netfilter/core.c:424
 nf_register_net_hook+0x114/0x170 net/netfilter/core.c:541
 nf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:557
 nf_nat_register_fn+0x4cf/0x7d0 net/netfilter/nf_nat_core.c:1063
 ip6t_nat_register_lookups net/ipv6/netfilter/ip6table_nat.c:70 [inline]
 ip6table_nat_table_init.part.0+0x84/0x1e0 net/ipv6/netfilter/ip6table_nat.c:108
 ip6table_nat_table_init+0x4f/0x70 net/ipv6/netfilter/ip6table_nat.c:115
 xt_find_table_lock+0x2d9/0x540 net/netfilter/x_tables.c:1223
 xt_request_find_table_lock+0x27/0xf0 net/netfilter/x_tables.c:1253
 get_info+0x16a/0x710 net/ipv6/netfilter/ip6_tables.c:980
 do_ip6t_get_ctl+0x152/0xa00 net/ipv6/netfilter/ip6_tables.c:1660
 nf_getsockopt+0x72/0xd0 net/netfilter/nf_sockopt.c:116
 ipv6_getsockopt+0x1be/0x270 net/ipv6/ipv6_sockglue.c:1486
 tcp_getsockopt+0x86/0xd0 net/ipv4/tcp.c:4141
 __sys_getsockopt+0x219/0x4c0 net/socket.c:2156
 __do_sys_getsockopt net/socket.c:2171 [inline]
 __se_sys_getsockopt net/socket.c:2168 [inline]
 __x64_sys_getsockopt+0xba/0x150 net/socket.c:2168
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff888024ab2900
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 0 bytes inside of
 128-byte region [ffff888024ab2900, ffff888024ab2980)
The buggy address belongs to the page:
page:00000000ad61fdb0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888024ab2900 pfn:0x24ab2
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 ffffea0000ae39c8 ffffea0000815608 ffff888010041640
raw: ffff888024ab2900 000000000010000d 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888024ab2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888024ab2880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888024ab2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888024ab2980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888024ab2a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================