batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
kasan: CONFIG_KASAN_INLINE enabled
==================================================================
BUG: KASAN: use-after-free in __queue_work+0xa2e/0xdf0 kernel/workqueue.c:1383
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Read of size 4 at addr ffff8880a8dd1e40 by task kworker/1:2/3400
CPU: 0 PID: 14 Comm: kworker/0:1 Not tainted 4.19.152-syzkaller #0
CPU: 1 PID: 3400 Comm: kworker/1:2 Not tainted 4.19.152-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Workqueue: events l2cap_chan_timeout
RIP: 0010:__queue_work+0x400/0xdf0 kernel/workqueue.c:1404
Call Trace:
Code: 80 3c 3a 00 0f 85 b7 08 00 00 48 89 df 4c 03 34 c5 00 2f 2b 88 e8 50 da ff ff 48 85 c0 0f 85 63 fd ff ff 4c 89 f0 48 c1 e8 03 <42> 80 3c 38 00 0f 85 81 09 00 00 49 8b 06 e9 64 fd ff ff 65 8b 05
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x17c/0x22a lib/dump_stack.c:118
RSP: 0018:ffff8880a9807b08 EFLAGS: 00010046
 print_address_description.cold.6+0x9/0x211 mm/kasan/report.c:256
RAX: 0000000000000000 RBX: ffff888090630a60 RCX: ffffed10153ff180
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x307 mm/kasan/report.c:412
RDX: 1ffffffff10a3f28 RSI: 0000000000000000 RDI: ffffffff8851f940
RBP: ffff8880a9807b78 R08: 1ffff110153ff180 R09: ffffed1015d4473a
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
R10: ffffed1015d4473a R11: ffff8880aea239d3 R12: ffff88808b4e4040
 __queue_work+0xa2e/0xdf0 kernel/workqueue.c:1383
R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffef4382efc CR3: 000000008f4ba000 CR4: 00000000001406f0
 __queue_delayed_work+0x174/0x290 kernel/workqueue.c:1524
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 queue_delayed_work_on+0x148/0x180 kernel/workqueue.c:1560
Call Trace:
 queue_delayed_work include/linux/workqueue.h:527 [inline]
 hci_conn_drop include/net/bluetooth/hci_core.h:998 [inline]
 l2cap_chan_del+0x45b/0x7b0 net/bluetooth/l2cap_core.c:616
 l2cap_chan_close+0x35b/0x830 net/bluetooth/l2cap_core.c:757
 l2cap_chan_timeout+0x11d/0x1c0 net/bluetooth/l2cap_core.c:430
 __queue_delayed_work+0x174/0x290 kernel/workqueue.c:1524
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2155
 queue_delayed_work_on+0x148/0x180 kernel/workqueue.c:1560
 queue_delayed_work include/linux/workqueue.h:527 [inline]
 hci_conn_drop include/net/bluetooth/hci_core.h:998 [inline]
 l2cap_chan_del+0x45b/0x7b0 net/bluetooth/l2cap_core.c:616
 l2cap_chan_close+0x35b/0x830 net/bluetooth/l2cap_core.c:757
 worker_thread+0x85/0xb60 kernel/workqueue.c:2298
 l2cap_chan_timeout+0x11d/0x1c0 net/bluetooth/l2cap_core.c:430
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2155
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
 worker_thread+0x85/0xb60 kernel/workqueue.c:2298

Allocated by task 2385:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:553
 kthread+0x347/0x410 kernel/kthread.c:259
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:538
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node_track_caller+0x50/0x70 mm/slab.c:3703
 __kmalloc_reserve.isra.9+0x2c/0xc0 net/core/skbuff.c:137
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
 __alloc_skb+0xd7/0x580 net/core/skbuff.c:205
Modules linked in:
 alloc_skb include/linux/skbuff.h:995 [inline]
 nlmsg_new include/net/netlink.h:511 [inline]
 mpls_netconf_notify_devconf+0x3b/0xd0 net/mpls/af_mpls.c:1188
---[ end trace 2ca58b2c02c1a7ff ]---
 mpls_dev_sysctl_unregister+0x99/0xc0 net/mpls/af_mpls.c:1391
RIP: 0010:__queue_work+0x400/0xdf0 kernel/workqueue.c:1404
 mpls_dev_notify+0x459/0x600 net/mpls/af_mpls.c:1578
Code: 80 3c 3a 00 0f 85 b7 08 00 00 48 89 df 4c 03 34 c5 00 2f 2b 88 e8 50 da ff ff 48 85 c0 0f 85 63 fd ff ff 4c 89 f0 48 c1 e8 03 <42> 80 3c 38 00 0f 85 81 09 00 00 49 8b 06 e9 64 fd ff ff 65 8b 05
RSP: 0018:ffff8880a9807b08 EFLAGS: 00010046
 notifier_call_chain+0x8a/0x160 kernel/notifier.c:93
RAX: 0000000000000000 RBX: ffff888090630a60 RCX: ffffed10153ff180
 __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
RDX: 1ffffffff10a3f28 RSI: 0000000000000000 RDI: ffffffff8851f940
 call_netdevice_notifiers_info+0x28/0x60 net/core/dev.c:1744
 call_netdevice_notifiers net/core/dev.c:1762 [inline]
 rollback_registered_many+0x5a9/0xb50 net/core/dev.c:8188
RBP: ffff8880a9807b78 R08: 1ffff110153ff180 R09: ffffed1015d4473a
 unregister_netdevice_many+0x3e/0x1f0 net/core/dev.c:9311
R10: ffffed1015d4473a R11: ffff8880aea239d3 R12: ffff88808b4e4040
 ip6gre_exit_batch_net+0x3ad/0x5b0 net/ipv6/ip6_gre.c:1627
R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
 ops_exit_list.isra.0+0xd3/0x120 net/core/net_namespace.c:156
FS:  0000000000000000(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
 cleanup_net+0x368/0x850 net/core/net_namespace.c:553
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2155
CR2: 00007ffef4382efc CR3: 000000008f4ba000 CR4: 00000000001406f0
 worker_thread+0x85/0xb60 kernel/workqueue.c:2298
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 kthread+0x347/0x410 kernel/kthread.c:259
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415