bisecting cause commit starting from 5e60366d56c630e32befce7ef05c569e04391ca3
building syzkaller on 04201c0669446145fd9c347c5538da0ca13ff29b
testing commit 5e60366d56c630e32befce7ef05c569e04391ca3 with gcc (GCC) 8.1.0
kernel signature: 01825cbba90804af60ff77ae0ded5055a816f397fe535df94df4bfbd1e90d5f6
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
testing release v5.10
testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 8.1.0
kernel signature: f5760b2c445d15f5ece92b856df5a49be8c93d3d22f6cda3cb5ed85afe8f4ee1
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #9: OK
testing release v5.9
testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0
kernel signature: 48a44b356059ba46606be11d05f4af2fd4977ae6064a111f191a24ab366037c1
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: 22aa95b7e7e6aea83bcbde6ee96bb510036c390ecb1edc1d673d8134021fdfef
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #8: crashed: INFO: task hung in hub_port_init
run #9: crashed: INFO: task hung in hub_port_init
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0
kernel signature: f5d9faac2087b090050e744a65f37f315c08f987da9cd1b89f915d62396835a7
run #0: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #1: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #2: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #3: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #4: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #5: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #6: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #7: crashed: INFO: task hung in hub_port_init
run #8: crashed: INFO: task hung in hub_port_init
run #9: crashed: INFO: task hung in hub_port_init
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: c44a15efe9f4dddfd3265e3ee72039e8fedc8e1a971752bf1b7899bdd24b69bf
run #0: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #1: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #2: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #3: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #4: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #5: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #6: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #7: crashed: INFO: task hung in hub_port_init
run #8: crashed: INFO: task hung in hub_port_init
run #9: crashed: INFO: task hung in hub_port_init
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: 0965e741efe2c9a43f96ed4ce7756181094148b594e50125c1ef55585450eb5a
all runs: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: dc0e86cd1e84b0f0c4d2d664ac1a48c712bc8a201fcae8c2993a60e9b2ae998d
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #9: crashed: INFO: task hung in hub_port_init
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: b037b1dd21cfbbefec3369d9afc20b2628ba8eb7e83fdf09374888aacb7ba29f
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #9: crashed: INFO: task hung in hub_port_init
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: 93349bcc046589cc66751b3d8ad6ba9fb4ca2c06a1b85b534c498825df415deb
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #8: crashed: INFO: task hung in hub_port_init
run #9: crashed: INFO: task hung in hub_port_init
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
kernel signature: baae87b14f521b4d0298531dee49e0a8e580ad4914eded127bc80495085be314
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #9: crashed: INFO: task hung in hub_port_init
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
kernel signature: 56e224fa321819c58e1b7f8aa075ac994eb8feafc73959952675898bf266d174
run #0: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #1: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #2: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #3: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #4: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #5: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #6: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #7: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #8: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
run #9: crashed: INFO: task hung in hub_port_init
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
kernel signature: cf4dea3a78ea029193338a24833b744fd9a282b1231b839f6a7406a8640087b2
all runs: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
kernel signature: 136acb850f3749fe7dee3c65b4aa085821c663b1c75779c3c25438218c75d87d
all runs: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
kernel signature: 9ca5f6094a3e2efb58f5bc0a0d418336cf561a0f05188535b4229b39bc20c076
all runs: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
kernel signature: d35260378b3ff92d2d9a117ca17aee218099f2e87b7dc19347dc26a6ad318958
all runs: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
kernel signature: 1566de2652e4545112bfa02d9ec4ef9f38bad54a271e4c80951296a66968c1c9
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #2: crashed: BUG: unable to handle kernel
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #8: crashed: BUG: unable to handle kernel
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
kernel signature: 27a02e61eb7955ed91b1b48cf7e73fecdbedee3ce6e65f84267e25a1a6f05780
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #8: crashed: INFO: task hung in hub_port_init
run #9: crashed: INFO: task hung in hub_port_init
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0
kernel signature: b2a394deb33079b21c7e340390013ede94b8643c7f2455f059dcfd1dff3cbc20
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #4: crashed: INFO: task hung in hub_port_init
run #5: crashed: INFO: task hung in hub_port_init
run #6: crashed: INFO: task hung in hub_port_init
run #7: crashed: INFO: task hung in hub_port_init
run #8: crashed: INFO: task hung in hub_port_init
run #9: crashed: INFO: task hung in hub_port_init
testing release v4.13
testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0
kernel signature: a9502f80632488ad819db2e32cde7bd0e2c624ea8780832e500f4a1b48b69652
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection
run #4: crashed: INFO: task hung in hub_port_init
run #5: crashed: INFO: task hung in hub_port_init
run #6: crashed: INFO: task hung in hub_port_init
run #7: crashed: INFO: task hung in hub_port_init
run #8: crashed: INFO: task hung in hub_port_init
run #9: crashed: INFO: task hung in hub_port_init
testing release v4.12
testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0
kernel signature: 79c406c428b9e578774d6c6087c38754e27e4469d5e4b92748ea5052a7bb7649
all runs: basic kernel testing failed: BUG: sleeping function called from invalid context in tap_get_minor
testing release v4.11
testing commit a351e9b9fc24e982ec2f0e76379a49826036da12 with gcc (GCC) 7.3.0
kernel signature: 49b4fe4fa9b4ebaa65d4b7efbba36e7a93ec1b7fa6cc3cf5796a81ff7dbf24a3
all runs: basic kernel testing failed: BUG: sleeping function called from invalid context in tap_get_minor
testing release v4.10
testing commit c470abd4fde40ea6a0846a2beab642a578c0b8cd with gcc (GCC) 5.5.0
kernel signature: 781885a9b34d656aaa1b677f5ba7a6bd603b43d26642b4f4abd92237ce32f6c9
run #0: crashed: WARNING in nf_unregister_net_hook
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
reproducer seems to be flaky
testing release v4.9
testing commit 69973b830859bc6529a7a0468ba0d80ee5117826 with gcc (GCC) 5.5.0
kernel signature: 09719a6d36a7b04feef1e80f3394582288a63b955c17842648ebd59d9cd895c1
run #0: crashed: WARNING in nf_unregister_net_hook
run #1: crashed: WARNING in nf_unregister_net_hook
run #2: crashed: WARNING in nf_unregister_net_hook
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.8
testing commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 with gcc (GCC) 5.5.0
kernel signature: cde89f4e0f96b4914ffae2b57945ed2a7cf064974b78c513ef6f2f98bfb6bdc7
run #0: crashed: KASAN: use-after-free Read in br_multicast_group_expired
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.7
testing commit 523d939ef98fd712632d93a5a2b588e477a7565e with gcc (GCC) 5.5.0
kernel signature: de86cca3bdecf200f64fb8f19fa9dcf1aa47d2b406e27c8b6fbcd21acec09f30
all runs: OK
# git bisect start c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 523d939ef98fd712632d93a5a2b588e477a7565e
Bisecting: 7344 revisions left to test after this (roughly 13 steps)
[e61c10e468a42512f5fad74c00b62af5cc19f65f] sh: add device tree source for J2 FPGA on Mimas v2 board

testing commit e61c10e468a42512f5fad74c00b62af5cc19f65f with gcc (GCC) 5.5.0
kernel signature: 47d054b25af4b27b7ff5cf41dbf0fc226de913f2295880f1e2af3a51b8cde409
all runs: OK
# git bisect good e61c10e468a42512f5fad74c00b62af5cc19f65f
Bisecting: 3672 revisions left to test after this (roughly 12 steps)
[b6e8d4aa1110306378af0f3472a6b85a1f039a16] rapidio: add RapidIO channelized messaging driver

testing commit b6e8d4aa1110306378af0f3472a6b85a1f039a16 with gcc (GCC) 5.5.0
kernel signature: a482785d4eb762175ee69b5c81a35b793bdb636912d415ce65c60d80882f6b54
all runs: OK
# git bisect good b6e8d4aa1110306378af0f3472a6b85a1f039a16
Bisecting: 1836 revisions left to test after this (roughly 11 steps)
[694d0d0bb2030d2e36df73e2d23d5770511dbc8d] Linux 4.8-rc2

testing commit 694d0d0bb2030d2e36df73e2d23d5770511dbc8d with gcc (GCC) 5.5.0
kernel signature: a7d56e9c9898f74e27e7340f7b68d02fec1975407d7afa6ee3d75075c1b063bd
all runs: OK
# git bisect good 694d0d0bb2030d2e36df73e2d23d5770511dbc8d
Bisecting: 931 revisions left to test after this (roughly 10 steps)
[39da979c98cf7516bc7b2c648ee4aed528eb1f36] Merge tag 'tty-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty

testing commit 39da979c98cf7516bc7b2c648ee4aed528eb1f36 with gcc (GCC) 5.5.0
kernel signature: 08691eb035842a991f5e63ff8d4fa13c72b32a71f98e318f89fda3ed652b6d0e
all runs: OK
# git bisect good 39da979c98cf7516bc7b2c648ee4aed528eb1f36
Bisecting: 465 revisions left to test after this (roughly 9 steps)
[fda67514e444533b44106362baddca1cdbbba836] Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

testing commit fda67514e444533b44106362baddca1cdbbba836 with gcc (GCC) 5.5.0
kernel signature: 23bbd45ca191da2491b50682c41766181e23ab804d92989473a293b4d82eb046
all runs: OK
# git bisect good fda67514e444533b44106362baddca1cdbbba836
Bisecting: 265 revisions left to test after this (roughly 8 steps)
[96b03ab86d843524ec4aed7fe0ceef412c684c68] locking/hung_task: Fix typo in CONFIG_DETECT_HUNG_TASK help text

testing commit 96b03ab86d843524ec4aed7fe0ceef412c684c68 with gcc (GCC) 5.5.0
kernel signature: 3074e73901d42cd1b79c9d14dbc4e2ae7defd84906151f07c7f93de6c0dc2608
all runs: OK
# git bisect good 96b03ab86d843524ec4aed7fe0ceef412c684c68
Bisecting: 131 revisions left to test after this (roughly 7 steps)
[0f26574178f6c698e5d76e66ca68a95cc35eef9f] Merge branch 'hughd-fixes' (patches from Hugh Dickins)

testing commit 0f26574178f6c698e5d76e66ca68a95cc35eef9f with gcc (GCC) 5.5.0
kernel signature: 78f99d40d4580b82509610076f54b2385b08616bce9c9871b9f7b858769dc8ca
all runs: OK
# git bisect good 0f26574178f6c698e5d76e66ca68a95cc35eef9f
Bisecting: 64 revisions left to test after this (roughly 6 steps)
[e3b3656ca63e23b5755183718df36fb9ff518b02] Merge tag 'drm-fixes-for-v4.8-final' of git://people.freedesktop.org/~airlied/linux

testing commit e3b3656ca63e23b5755183718df36fb9ff518b02 with gcc (GCC) 5.5.0
kernel signature: d5b7ed7ad76d25fa7c7d608876a059b796f99cf59d5566bd952b514d7040009e
all runs: OK
# git bisect good e3b3656ca63e23b5755183718df36fb9ff518b02
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[bb6bbc7ca2254fd885f5b85f4cc0cda7cf04f8c1] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

testing commit bb6bbc7ca2254fd885f5b85f4cc0cda7cf04f8c1 with gcc (GCC) 5.5.0
kernel signature: d72d1d3ef3e82bda64e1f910dded74a96a02eb0869fca70529646162ef880403
all runs: OK
# git bisect good bb6bbc7ca2254fd885f5b85f4cc0cda7cf04f8c1
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[6605d156bdfbb2502ba301bc4fbd8db696ae4b6d] MIPS: CM: Fix mips_cm_max_vp_width for non-MT kernels on MT systems

testing commit 6605d156bdfbb2502ba301bc4fbd8db696ae4b6d with gcc (GCC) 5.5.0
kernel signature: a33cb7913128e73012726beeac5c671a2b3c05b88b0b40055bb40a8db46aac6c
all runs: OK
# git bisect good 6605d156bdfbb2502ba301bc4fbd8db696ae4b6d
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[66188fb11a82692629e85b6cbc3ecc08c752d2dc] Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus

testing commit 66188fb11a82692629e85b6cbc3ecc08c752d2dc with gcc (GCC) 5.5.0
kernel signature: d72d1d3ef3e82bda64e1f910dded74a96a02eb0869fca70529646162ef880403
all runs: OK
# git bisect good 66188fb11a82692629e85b6cbc3ecc08c752d2dc
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[2fa5f04f85730d0c4f49f984b7efeb4f8d5bd1fc] x86/entry/64: Fix context tracking state warning when load_gs_index fails

testing commit 2fa5f04f85730d0c4f49f984b7efeb4f8d5bd1fc with gcc (GCC) 5.5.0
kernel signature: 5286545a77ff7b9a7d98e92981e65f9295d46d50c2f3fcdf1053f7f0399de48f
all runs: OK
# git bisect good 2fa5f04f85730d0c4f49f984b7efeb4f8d5bd1fc
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[117e5e9c4cfcb7628f08de074fbfefec1bb678b7] ARM: 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7

testing commit 117e5e9c4cfcb7628f08de074fbfefec1bb678b7 with gcc (GCC) 5.5.0
kernel signature: e62bcfe7490cc60f94bc2e1bcbc5ea23e0065802724591d3e447f2aadbac9741
all runs: OK
# git bisect good 117e5e9c4cfcb7628f08de074fbfefec1bb678b7
Bisecting: 0 revisions left to test after this (roughly 1 step)
[f76d9c61d91343806e59335493806e87daf78947] Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm

testing commit f76d9c61d91343806e59335493806e87daf78947 with gcc (GCC) 5.5.0
kernel signature: b1f8954b8159ad5acb287295430a9005725a420abed5d789b1854b3aa110f1f7
all runs: OK
# git bisect good f76d9c61d91343806e59335493806e87daf78947
c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 is the first bad commit
commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sun Oct 2 16:24:33 2016 -0700

    Linux 4.8

 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

culprit signature: cde89f4e0f96b4914ffae2b57945ed2a7cf064974b78c513ef6f2f98bfb6bdc7
parent  signature: b1f8954b8159ad5acb287295430a9005725a420abed5d789b1854b3aa110f1f7
Reproducer flagged being flaky
revisions tested: 40, total time: 8h4m33.960074873s (build: 2h50m37.673749853s, test: 5h9m3.778854307s)
first bad commit: c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 Linux 4.8
recipients (to): ["linux-kbuild@vger.kernel.org" "mmarek@suse.com" "torvalds@linux-foundation.org"]
recipients (cc): ["linux-kernel@vger.kernel.org"]
crash: KASAN: use-after-free Read in br_multicast_group_expired
NOHZ: local_softirq_pending 08
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x5047/0x5290 kernel/locking/lockdep.c:3221 at addr ffff8801362e3648
Read of size 8 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88013bc07980 ffffffff82e4dd32 ffff88013b802a80
 ffff8801362e2100 ffff8801362e4100 ffffffff88076580 1ffff10027780f64
 ffff88013bc079a8 ffffffff8171d43c ffff88013bc07a38 ffff88013b802a80
Call Trace:
 <IRQ>  [<ffffffff82e4dd32>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff82e4dd32>] dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 [<ffffffff8171d43c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<ffffffff8171d6c2>] print_address_description mm/kasan/report.c:194 [inline]
 [<ffffffff8171d6c2>] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283
 [<ffffffff8171da9e>] kasan_report mm/kasan/report.c:303 [inline]
 [<ffffffff8171da9e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:324
 [<ffffffff8140ab87>] __lock_acquire+0x5047/0x5290 kernel/locking/lockdep.c:3221
 [<ffffffff8140b9e7>] lock_acquire+0x197/0x4b0 kernel/locking/lockdep.c:3746
 [<ffffffff86758216>] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline]
 [<ffffffff86758216>] _raw_spin_lock+0x36/0x50 kernel/locking/spinlock.c:151
 [<ffffffff85d3b647>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff85d3b647>] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243
 [<ffffffff8146f5ef>] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298
 [<ffffffff8146fd5f>] expire_timers+0x28f/0x460 kernel/time/timer.c:1338
 [<ffffffff814700d6>] __run_timers kernel/time/timer.c:1627 [inline]
 [<ffffffff814700d6>] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640
 [<ffffffff8675c1bb>] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273
 [<ffffffff8131196f>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8131196f>] irq_exit+0x14f/0x190 kernel/softirq.c:391
 [<ffffffff8675b94b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff8675b94b>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
 [<ffffffff8675a9dc>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633
 <EOI>  [<ffffffff8122bdf6>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff811c316f>] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 [<ffffffff811c316f>] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
 [<ffffffff811c481a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
 [<ffffffff813f12c8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<ffffffff813f190c>] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
 [<ffffffff813f190c>] cpu_idle_loop kernel/sched/idle.c:244 [inline]
 [<ffffffff813f190c>] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293
 [<ffffffff867450a2>] rest_init+0x152/0x160 init/main.c:408
 [<ffffffff88adf557>] start_kernel+0x4fd/0x523 init/main.c:662
 [<ffffffff88ade2b0>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
 [<ffffffff88ade42e>] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176
Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192
Allocated:
PID = 7529
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171c97e>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171c97e>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171c97e>] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582
 [<ffffffff8171723f>] __kmalloc+0x15f/0x3c0 mm/slub.c:3719
 [<ffffffff8549cc00>] kmalloc include/linux/slab.h:495 [inline]
 [<ffffffff8549cc00>] kzalloc include/linux/slab.h:636 [inline]
 [<ffffffff8549cc00>] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610
 [<ffffffff854cc812>] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302
 [<ffffffff854dc645>] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547
 [<ffffffff854dce32>] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846
 [<ffffffff856689e2>] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280
 [<ffffffff854d28a5>] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852
 [<ffffffff8566756f>] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [<ffffffff8566756f>] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240
 [<ffffffff856681ab>] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786
 [<ffffffff8542d015>] sock_sendmsg_nosec net/socket.c:609 [inline]
 [<ffffffff8542d015>] sock_sendmsg+0xb5/0xf0 net/socket.c:619
 [<ffffffff85430eea>] SYSC_sendto net/socket.c:1644 [inline]
 [<ffffffff85430eea>] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612
 [<ffffffff86759240>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 2978
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171cfce>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171cfce>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171cfce>] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555
 [<ffffffff817198bb>] slab_free_hook mm/slub.c:1356 [inline]
 [<ffffffff817198bb>] slab_free_freelist_hook mm/slub.c:1378 [inline]
 [<ffffffff817198bb>] slab_free mm/slub.c:2936 [inline]
 [<ffffffff817198bb>] kfree+0x11b/0x3a0 mm/slub.c:3856
 [<ffffffff8165a765>] kvfree+0x25/0x30 mm/util.c:329
 [<ffffffff854a7377>] netdev_freemem+0x47/0x60 net/core/dev.c:7562
 [<ffffffff854f8a2c>] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469
 [<ffffffff83453b51>] device_release+0x71/0x1e0 drivers/base/core.c:247
 [<ffffffff82e53e36>] kobject_cleanup lib/kobject.c:645 [inline]
 [<ffffffff82e53e36>] kobject_release lib/kobject.c:674 [inline]
 [<ffffffff82e53e36>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff82e53e36>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff82e53e36>] kobject_put+0x146/0x400 lib/kobject.c:691
 [<ffffffff854a6fe3>] netdev_run_todo+0x483/0x650 net/core/dev.c:7467
 [<ffffffff854cb279>] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104
 [<ffffffff8549995e>] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244
 [<ffffffff85471fc6>] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137
 [<ffffffff85474380>] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
 [<ffffffff8134eedd>] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096
 [<ffffffff8134fe2a>] worker_thread+0xda/0xf10 kernel/workqueue.c:2230
 [<ffffffff81360879>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff8675948f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393
Memory state around the buggy address:
 ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x4ea4/0x5290 kernel/locking/lockdep.c:3225 at addr ffff8801362e3650
Read of size 8 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88013bc07980 ffffffff82e4dd32 ffff88013b802a80
 ffff8801362e2100 ffff8801362e4100 ffffffff88076580 1ffff10027780f64
 ffff88013bc079a8 ffffffff8171d43c ffff88013bc07a38 ffff88013b802a80
Call Trace:
 <IRQ>  [<ffffffff82e4dd32>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff82e4dd32>] dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 [<ffffffff8171d43c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<ffffffff8171d6c2>] print_address_description mm/kasan/report.c:194 [inline]
 [<ffffffff8171d6c2>] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283
 [<ffffffff8171da9e>] kasan_report mm/kasan/report.c:303 [inline]
 [<ffffffff8171da9e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:324
 [<ffffffff8140a9e4>] __lock_acquire+0x4ea4/0x5290 kernel/locking/lockdep.c:3225
 [<ffffffff8140b9e7>] lock_acquire+0x197/0x4b0 kernel/locking/lockdep.c:3746
 [<ffffffff86758216>] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline]
 [<ffffffff86758216>] _raw_spin_lock+0x36/0x50 kernel/locking/spinlock.c:151
 [<ffffffff85d3b647>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff85d3b647>] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243
 [<ffffffff8146f5ef>] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298
 [<ffffffff8146fd5f>] expire_timers+0x28f/0x460 kernel/time/timer.c:1338
 [<ffffffff814700d6>] __run_timers kernel/time/timer.c:1627 [inline]
 [<ffffffff814700d6>] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640
 [<ffffffff8675c1bb>] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273
 [<ffffffff8131196f>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8131196f>] irq_exit+0x14f/0x190 kernel/softirq.c:391
 [<ffffffff8675b94b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff8675b94b>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
 [<ffffffff8675a9dc>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633
 <EOI>  [<ffffffff8122bdf6>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff811c316f>] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 [<ffffffff811c316f>] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
 [<ffffffff811c481a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
 [<ffffffff813f12c8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<ffffffff813f190c>] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
 [<ffffffff813f190c>] cpu_idle_loop kernel/sched/idle.c:244 [inline]
 [<ffffffff813f190c>] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293
 [<ffffffff867450a2>] rest_init+0x152/0x160 init/main.c:408
 [<ffffffff88adf557>] start_kernel+0x4fd/0x523 init/main.c:662
 [<ffffffff88ade2b0>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
 [<ffffffff88ade42e>] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176
Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192
Allocated:
PID = 7529
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171c97e>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171c97e>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171c97e>] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582
 [<ffffffff8171723f>] __kmalloc+0x15f/0x3c0 mm/slub.c:3719
 [<ffffffff8549cc00>] kmalloc include/linux/slab.h:495 [inline]
 [<ffffffff8549cc00>] kzalloc include/linux/slab.h:636 [inline]
 [<ffffffff8549cc00>] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610
 [<ffffffff854cc812>] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302
 [<ffffffff854dc645>] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547
 [<ffffffff854dce32>] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846
 [<ffffffff856689e2>] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280
 [<ffffffff854d28a5>] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852
 [<ffffffff8566756f>] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [<ffffffff8566756f>] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240
 [<ffffffff856681ab>] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786
 [<ffffffff8542d015>] sock_sendmsg_nosec net/socket.c:609 [inline]
 [<ffffffff8542d015>] sock_sendmsg+0xb5/0xf0 net/socket.c:619
 [<ffffffff85430eea>] SYSC_sendto net/socket.c:1644 [inline]
 [<ffffffff85430eea>] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612
 [<ffffffff86759240>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 2978
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171cfce>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171cfce>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171cfce>] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555
 [<ffffffff817198bb>] slab_free_hook mm/slub.c:1356 [inline]
 [<ffffffff817198bb>] slab_free_freelist_hook mm/slub.c:1378 [inline]
 [<ffffffff817198bb>] slab_free mm/slub.c:2936 [inline]
 [<ffffffff817198bb>] kfree+0x11b/0x3a0 mm/slub.c:3856
 [<ffffffff8165a765>] kvfree+0x25/0x30 mm/util.c:329
 [<ffffffff854a7377>] netdev_freemem+0x47/0x60 net/core/dev.c:7562
 [<ffffffff854f8a2c>] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469
 [<ffffffff83453b51>] device_release+0x71/0x1e0 drivers/base/core.c:247
 [<ffffffff82e53e36>] kobject_cleanup lib/kobject.c:645 [inline]
 [<ffffffff82e53e36>] kobject_release lib/kobject.c:674 [inline]
 [<ffffffff82e53e36>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff82e53e36>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff82e53e36>] kobject_put+0x146/0x400 lib/kobject.c:691
 [<ffffffff854a6fe3>] netdev_run_todo+0x483/0x650 net/core/dev.c:7467
 [<ffffffff854cb279>] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104
 [<ffffffff8549995e>] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244
 [<ffffffff85471fc6>] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137
 [<ffffffff85474380>] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
 [<ffffffff8134eedd>] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096
 [<ffffffff8134fe2a>] worker_thread+0xda/0xf10 kernel/workqueue.c:2230
 [<ffffffff81360879>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff8675948f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393
Memory state around the buggy address:
 ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] at addr ffff8801362e3634
BUG: KASAN: use-after-free in do_raw_spin_lock+0x28b/0x2f0 kernel/locking/spinlock_debug.c:135 at addr ffff8801362e3634
Read of size 4 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88013bc07b70 ffffffff82e4dd32 ffff88013b802a80
 ffff8801362e2100 ffff8801362e4100 0000000000000101 dffffc0000000000
 ffff88013bc07b98 ffffffff8171d43c ffff88013bc07c28 ffff88013b802a80
Call Trace:
 <IRQ>  [<ffffffff82e4dd32>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff82e4dd32>] dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 [<ffffffff8171d43c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<ffffffff8171d6c2>] print_address_description mm/kasan/report.c:194 [inline]
 [<ffffffff8171d6c2>] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283
 [<ffffffff8171da5e>] kasan_report mm/kasan/report.c:303 [inline]
 [<ffffffff8171da5e>] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:323
 [<ffffffff814159cb>] debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
 [<ffffffff814159cb>] do_raw_spin_lock+0x28b/0x2f0 kernel/locking/spinlock_debug.c:135
 [<ffffffff8675821e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff8675821e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff85d3b647>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff85d3b647>] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243
 [<ffffffff8146f5ef>] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298
 [<ffffffff8146fd5f>] expire_timers+0x28f/0x460 kernel/time/timer.c:1338
 [<ffffffff814700d6>] __run_timers kernel/time/timer.c:1627 [inline]
 [<ffffffff814700d6>] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640
 [<ffffffff8675c1bb>] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273
 [<ffffffff8131196f>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8131196f>] irq_exit+0x14f/0x190 kernel/softirq.c:391
 [<ffffffff8675b94b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff8675b94b>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
 [<ffffffff8675a9dc>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633
 <EOI>  [<ffffffff8122bdf6>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff811c316f>] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 [<ffffffff811c316f>] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
 [<ffffffff811c481a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
 [<ffffffff813f12c8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<ffffffff813f190c>] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
 [<ffffffff813f190c>] cpu_idle_loop kernel/sched/idle.c:244 [inline]
 [<ffffffff813f190c>] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293
 [<ffffffff867450a2>] rest_init+0x152/0x160 init/main.c:408
 [<ffffffff88adf557>] start_kernel+0x4fd/0x523 init/main.c:662
 [<ffffffff88ade2b0>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
 [<ffffffff88ade42e>] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176
Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192
Allocated:
PID = 7529
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171c97e>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171c97e>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171c97e>] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582
 [<ffffffff8171723f>] __kmalloc+0x15f/0x3c0 mm/slub.c:3719
 [<ffffffff8549cc00>] kmalloc include/linux/slab.h:495 [inline]
 [<ffffffff8549cc00>] kzalloc include/linux/slab.h:636 [inline]
 [<ffffffff8549cc00>] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610
 [<ffffffff854cc812>] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302
 [<ffffffff854dc645>] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547
 [<ffffffff854dce32>] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846
 [<ffffffff856689e2>] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280
 [<ffffffff854d28a5>] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852
 [<ffffffff8566756f>] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [<ffffffff8566756f>] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240
 [<ffffffff856681ab>] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786
 [<ffffffff8542d015>] sock_sendmsg_nosec net/socket.c:609 [inline]
 [<ffffffff8542d015>] sock_sendmsg+0xb5/0xf0 net/socket.c:619
 [<ffffffff85430eea>] SYSC_sendto net/socket.c:1644 [inline]
 [<ffffffff85430eea>] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612
 [<ffffffff86759240>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 2978
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171cfce>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171cfce>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171cfce>] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555
 [<ffffffff817198bb>] slab_free_hook mm/slub.c:1356 [inline]
 [<ffffffff817198bb>] slab_free_freelist_hook mm/slub.c:1378 [inline]
 [<ffffffff817198bb>] slab_free mm/slub.c:2936 [inline]
 [<ffffffff817198bb>] kfree+0x11b/0x3a0 mm/slub.c:3856
 [<ffffffff8165a765>] kvfree+0x25/0x30 mm/util.c:329
 [<ffffffff854a7377>] netdev_freemem+0x47/0x60 net/core/dev.c:7562
 [<ffffffff854f8a2c>] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469
 [<ffffffff83453b51>] device_release+0x71/0x1e0 drivers/base/core.c:247
 [<ffffffff82e53e36>] kobject_cleanup lib/kobject.c:645 [inline]
 [<ffffffff82e53e36>] kobject_release lib/kobject.c:674 [inline]
 [<ffffffff82e53e36>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff82e53e36>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff82e53e36>] kobject_put+0x146/0x400 lib/kobject.c:691
 [<ffffffff854a6fe3>] netdev_run_todo+0x483/0x650 net/core/dev.c:7467
 [<ffffffff854cb279>] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104
 [<ffffffff8549995e>] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244
 [<ffffffff85471fc6>] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137
 [<ffffffff85474380>] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
 [<ffffffff8134eedd>] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096
 [<ffffffff8134fe2a>] worker_thread+0xda/0xf10 kernel/workqueue.c:2230
 [<ffffffff81360879>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff8675948f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393
Memory state around the buggy address:
 ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:84 [inline] at addr ffff8801362e3640
BUG: KASAN: use-after-free in do_raw_spin_lock+0x2c1/0x2f0 kernel/locking/spinlock_debug.c:135 at addr ffff8801362e3640
Read of size 8 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88013bc07b70 ffffffff82e4dd32 ffff88013b802a80
 ffff8801362e2100 ffff8801362e4100 0000000000000101 dffffc0000000000
 ffff88013bc07b98 ffffffff8171d43c ffff88013bc07c28 ffff88013b802a80
Call Trace:
 <IRQ>  [<ffffffff82e4dd32>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff82e4dd32>] dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 [<ffffffff8171d43c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<ffffffff8171d6c2>] print_address_description mm/kasan/report.c:194 [inline]
 [<ffffffff8171d6c2>] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283
 [<ffffffff8171da9e>] kasan_report mm/kasan/report.c:303 [inline]
 [<ffffffff8171da9e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:324
 [<ffffffff81415a01>] debug_spin_lock_before kernel/locking/spinlock_debug.c:84 [inline]
 [<ffffffff81415a01>] do_raw_spin_lock+0x2c1/0x2f0 kernel/locking/spinlock_debug.c:135
 [<ffffffff8675821e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff8675821e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff85d3b647>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff85d3b647>] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243
 [<ffffffff8146f5ef>] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298
 [<ffffffff8146fd5f>] expire_timers+0x28f/0x460 kernel/time/timer.c:1338
 [<ffffffff814700d6>] __run_timers kernel/time/timer.c:1627 [inline]
 [<ffffffff814700d6>] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640
 [<ffffffff8675c1bb>] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273
 [<ffffffff8131196f>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8131196f>] irq_exit+0x14f/0x190 kernel/softirq.c:391
 [<ffffffff8675b94b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff8675b94b>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
 [<ffffffff8675a9dc>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633
 <EOI>  [<ffffffff8122bdf6>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff811c316f>] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 [<ffffffff811c316f>] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
 [<ffffffff811c481a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
 [<ffffffff813f12c8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<ffffffff813f190c>] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
 [<ffffffff813f190c>] cpu_idle_loop kernel/sched/idle.c:244 [inline]
 [<ffffffff813f190c>] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293
 [<ffffffff867450a2>] rest_init+0x152/0x160 init/main.c:408
 [<ffffffff88adf557>] start_kernel+0x4fd/0x523 init/main.c:662
 [<ffffffff88ade2b0>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
 [<ffffffff88ade42e>] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176
Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192
Allocated:
PID = 7529
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171c97e>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171c97e>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171c97e>] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582
 [<ffffffff8171723f>] __kmalloc+0x15f/0x3c0 mm/slub.c:3719
 [<ffffffff8549cc00>] kmalloc include/linux/slab.h:495 [inline]
 [<ffffffff8549cc00>] kzalloc include/linux/slab.h:636 [inline]
 [<ffffffff8549cc00>] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610
 [<ffffffff854cc812>] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302
 [<ffffffff854dc645>] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547
 [<ffffffff854dce32>] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846
 [<ffffffff856689e2>] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280
 [<ffffffff854d28a5>] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852
 [<ffffffff8566756f>] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [<ffffffff8566756f>] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240
 [<ffffffff856681ab>] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786
 [<ffffffff8542d015>] sock_sendmsg_nosec net/socket.c:609 [inline]
 [<ffffffff8542d015>] sock_sendmsg+0xb5/0xf0 net/socket.c:619
 [<ffffffff85430eea>] SYSC_sendto net/socket.c:1644 [inline]
 [<ffffffff85430eea>] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612
 [<ffffffff86759240>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 2978
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171cfce>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171cfce>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171cfce>] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555
 [<ffffffff817198bb>] slab_free_hook mm/slub.c:1356 [inline]
 [<ffffffff817198bb>] slab_free_freelist_hook mm/slub.c:1378 [inline]
 [<ffffffff817198bb>] slab_free mm/slub.c:2936 [inline]
 [<ffffffff817198bb>] kfree+0x11b/0x3a0 mm/slub.c:3856
 [<ffffffff8165a765>] kvfree+0x25/0x30 mm/util.c:329
 [<ffffffff854a7377>] netdev_freemem+0x47/0x60 net/core/dev.c:7562
 [<ffffffff854f8a2c>] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469
 [<ffffffff83453b51>] device_release+0x71/0x1e0 drivers/base/core.c:247
 [<ffffffff82e53e36>] kobject_cleanup lib/kobject.c:645 [inline]
 [<ffffffff82e53e36>] kobject_release lib/kobject.c:674 [inline]
 [<ffffffff82e53e36>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff82e53e36>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff82e53e36>] kobject_put+0x146/0x400 lib/kobject.c:691
 [<ffffffff854a6fe3>] netdev_run_todo+0x483/0x650 net/core/dev.c:7467
 [<ffffffff854cb279>] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104
 [<ffffffff8549995e>] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244
 [<ffffffff85471fc6>] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137
 [<ffffffff85474380>] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
 [<ffffffff8134eedd>] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096
 [<ffffffff8134fe2a>] worker_thread+0xda/0xf10 kernel/workqueue.c:2230
 [<ffffffff81360879>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff8675948f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393
Memory state around the buggy address:
 ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline] at addr ffff8801362e3638
BUG: KASAN: use-after-free in do_raw_spin_lock+0x2a5/0x2f0 kernel/locking/spinlock_debug.c:135 at addr ffff8801362e3638
Read of size 4 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88013bc07b70 ffffffff82e4dd32 ffff88013b802a80
 ffff8801362e2100 ffff8801362e4100 0000000000000101 dffffc0000000000
 ffff88013bc07b98 ffffffff8171d43c ffff88013bc07c28 ffff88013b802a80
Call Trace:
 <IRQ>  [<ffffffff82e4dd32>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff82e4dd32>] dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 [<ffffffff8171d43c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<ffffffff8171d6c2>] print_address_description mm/kasan/report.c:194 [inline]
 [<ffffffff8171d6c2>] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283
 [<ffffffff8171da5e>] kasan_report mm/kasan/report.c:303 [inline]
 [<ffffffff8171da5e>] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:323
 [<ffffffff814159e5>] debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
 [<ffffffff814159e5>] do_raw_spin_lock+0x2a5/0x2f0 kernel/locking/spinlock_debug.c:135
 [<ffffffff8675821e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff8675821e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff85d3b647>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff85d3b647>] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243
 [<ffffffff8146f5ef>] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298
 [<ffffffff8146fd5f>] expire_timers+0x28f/0x460 kernel/time/timer.c:1338
 [<ffffffff814700d6>] __run_timers kernel/time/timer.c:1627 [inline]
 [<ffffffff814700d6>] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640
 [<ffffffff8675c1bb>] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273
 [<ffffffff8131196f>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8131196f>] irq_exit+0x14f/0x190 kernel/softirq.c:391
 [<ffffffff8675b94b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff8675b94b>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
 [<ffffffff8675a9dc>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633
 <EOI>  [<ffffffff8122bdf6>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff811c316f>] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 [<ffffffff811c316f>] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
 [<ffffffff811c481a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
 [<ffffffff813f12c8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<ffffffff813f190c>] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
 [<ffffffff813f190c>] cpu_idle_loop kernel/sched/idle.c:244 [inline]
 [<ffffffff813f190c>] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293
 [<ffffffff867450a2>] rest_init+0x152/0x160 init/main.c:408
 [<ffffffff88adf557>] start_kernel+0x4fd/0x523 init/main.c:662
 [<ffffffff88ade2b0>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
 [<ffffffff88ade42e>] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176
Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192
Allocated:
PID = 7529
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171c97e>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171c97e>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171c97e>] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582
 [<ffffffff8171723f>] __kmalloc+0x15f/0x3c0 mm/slub.c:3719
 [<ffffffff8549cc00>] kmalloc include/linux/slab.h:495 [inline]
 [<ffffffff8549cc00>] kzalloc include/linux/slab.h:636 [inline]
 [<ffffffff8549cc00>] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610
 [<ffffffff854cc812>] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302
 [<ffffffff854dc645>] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547
 [<ffffffff854dce32>] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846
 [<ffffffff856689e2>] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280
 [<ffffffff854d28a5>] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852
 [<ffffffff8566756f>] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [<ffffffff8566756f>] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240
 [<ffffffff856681ab>] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786
 [<ffffffff8542d015>] sock_sendmsg_nosec net/socket.c:609 [inline]
 [<ffffffff8542d015>] sock_sendmsg+0xb5/0xf0 net/socket.c:619
 [<ffffffff85430eea>] SYSC_sendto net/socket.c:1644 [inline]
 [<ffffffff85430eea>] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612
 [<ffffffff86759240>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 2978
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171cfce>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171cfce>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171cfce>] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555
 [<ffffffff817198bb>] slab_free_hook mm/slub.c:1356 [inline]
 [<ffffffff817198bb>] slab_free_freelist_hook mm/slub.c:1378 [inline]
 [<ffffffff817198bb>] slab_free mm/slub.c:2936 [inline]
 [<ffffffff817198bb>] kfree+0x11b/0x3a0 mm/slub.c:3856
 [<ffffffff8165a765>] kvfree+0x25/0x30 mm/util.c:329
 [<ffffffff854a7377>] netdev_freemem+0x47/0x60 net/core/dev.c:7562
 [<ffffffff854f8a2c>] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469
 [<ffffffff83453b51>] device_release+0x71/0x1e0 drivers/base/core.c:247
 [<ffffffff82e53e36>] kobject_cleanup lib/kobject.c:645 [inline]
 [<ffffffff82e53e36>] kobject_release lib/kobject.c:674 [inline]
 [<ffffffff82e53e36>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff82e53e36>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff82e53e36>] kobject_put+0x146/0x400 lib/kobject.c:691
 [<ffffffff854a6fe3>] netdev_run_todo+0x483/0x650 net/core/dev.c:7467
 [<ffffffff854cb279>] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104
 [<ffffffff8549995e>] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244
 [<ffffffff85471fc6>] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137
 [<ffffffff85474380>] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
 [<ffffffff8134eedd>] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096
 [<ffffffff8134fe2a>] worker_thread+0xda/0xf10 kernel/workqueue.c:2230
 [<ffffffff81360879>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff8675948f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393
Memory state around the buggy address:
 ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:220 [inline] at addr ffff8801362e3630
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801362e3630
BUG: KASAN: use-after-free in queued_spin_trylock include/asm-generic/qspinlock.h:84 [inline] at addr ffff8801362e3630
BUG: KASAN: use-after-free in do_raw_spin_lock+0x298/0x2f0 kernel/locking/spinlock_debug.c:136 at addr ffff8801362e3630
Read of size 4 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88013bc07b70 ffffffff82e4dd32 ffff88013b802a80
 ffff8801362e2100 ffff8801362e4100 0000000000000101 dffffc0000000000
 ffff88013bc07b98 ffffffff8171d43c ffff88013bc07c28 ffff88013b802a80
Call Trace:
 <IRQ>  [<ffffffff82e4dd32>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff82e4dd32>] dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 [<ffffffff8171d43c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<ffffffff8171d6c2>] print_address_description mm/kasan/report.c:194 [inline]
 [<ffffffff8171d6c2>] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283
 [<ffffffff8171da5e>] kasan_report mm/kasan/report.c:303 [inline]
 [<ffffffff8171da5e>] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:323
 [<ffffffff814159d8>] __read_once_size include/linux/compiler.h:220 [inline]
 [<ffffffff814159d8>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 [<ffffffff814159d8>] queued_spin_trylock include/asm-generic/qspinlock.h:84 [inline]
 [<ffffffff814159d8>] do_raw_spin_lock+0x298/0x2f0 kernel/locking/spinlock_debug.c:136
 [<ffffffff8675821e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff8675821e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff85d3b647>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff85d3b647>] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243
 [<ffffffff8146f5ef>] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298
 [<ffffffff8146fd5f>] expire_timers+0x28f/0x460 kernel/time/timer.c:1338
 [<ffffffff814700d6>] __run_timers kernel/time/timer.c:1627 [inline]
 [<ffffffff814700d6>] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640
 [<ffffffff8675c1bb>] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273
 [<ffffffff8131196f>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8131196f>] irq_exit+0x14f/0x190 kernel/softirq.c:391
 [<ffffffff8675b94b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff8675b94b>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
 [<ffffffff8675a9dc>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633
 <EOI>  [<ffffffff8122bdf6>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff811c316f>] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 [<ffffffff811c316f>] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
 [<ffffffff811c481a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
 [<ffffffff813f12c8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<ffffffff813f190c>] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
 [<ffffffff813f190c>] cpu_idle_loop kernel/sched/idle.c:244 [inline]
 [<ffffffff813f190c>] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293
 [<ffffffff867450a2>] rest_init+0x152/0x160 init/main.c:408
 [<ffffffff88adf557>] start_kernel+0x4fd/0x523 init/main.c:662
 [<ffffffff88ade2b0>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
 [<ffffffff88ade42e>] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176
Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192
Allocated:
PID = 7529
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171c97e>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171c97e>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171c97e>] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582
 [<ffffffff8171723f>] __kmalloc+0x15f/0x3c0 mm/slub.c:3719
 [<ffffffff8549cc00>] kmalloc include/linux/slab.h:495 [inline]
 [<ffffffff8549cc00>] kzalloc include/linux/slab.h:636 [inline]
 [<ffffffff8549cc00>] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610
 [<ffffffff854cc812>] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302
 [<ffffffff854dc645>] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547
 [<ffffffff854dce32>] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846
 [<ffffffff856689e2>] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280
 [<ffffffff854d28a5>] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852
 [<ffffffff8566756f>] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [<ffffffff8566756f>] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240
 [<ffffffff856681ab>] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786
 [<ffffffff8542d015>] sock_sendmsg_nosec net/socket.c:609 [inline]
 [<ffffffff8542d015>] sock_sendmsg+0xb5/0xf0 net/socket.c:619
 [<ffffffff85430eea>] SYSC_sendto net/socket.c:1644 [inline]
 [<ffffffff85430eea>] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612
 [<ffffffff86759240>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 2978
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171cfce>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171cfce>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171cfce>] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555
 [<ffffffff817198bb>] slab_free_hook mm/slub.c:1356 [inline]
 [<ffffffff817198bb>] slab_free_freelist_hook mm/slub.c:1378 [inline]
 [<ffffffff817198bb>] slab_free mm/slub.c:2936 [inline]
 [<ffffffff817198bb>] kfree+0x11b/0x3a0 mm/slub.c:3856
 [<ffffffff8165a765>] kvfree+0x25/0x30 mm/util.c:329
 [<ffffffff854a7377>] netdev_freemem+0x47/0x60 net/core/dev.c:7562
 [<ffffffff854f8a2c>] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469
 [<ffffffff83453b51>] device_release+0x71/0x1e0 drivers/base/core.c:247
 [<ffffffff82e53e36>] kobject_cleanup lib/kobject.c:645 [inline]
 [<ffffffff82e53e36>] kobject_release lib/kobject.c:674 [inline]
 [<ffffffff82e53e36>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff82e53e36>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff82e53e36>] kobject_put+0x146/0x400 lib/kobject.c:691
 [<ffffffff854a6fe3>] netdev_run_todo+0x483/0x650 net/core/dev.c:7467
 [<ffffffff854cb279>] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104
 [<ffffffff8549995e>] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244
 [<ffffffff85471fc6>] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137
 [<ffffffff85474380>] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
 [<ffffffff8134eedd>] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096
 [<ffffffff8134fe2a>] worker_thread+0xda/0xf10 kernel/workqueue.c:2230
 [<ffffffff81360879>] kthread+0x209/0x2d0 kernel/kthread.c:209
NOHZ: local_softirq_pending 08
 [<ffffffff8675948f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393
Memory state around the buggy address:
 ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_after kernel/locking/spinlock_debug.c:91 [inline] at addr ffff8801362e3638
BUG: KASAN: use-after-free in do_raw_spin_lock+0x2b2/0x2f0 kernel/locking/spinlock_debug.c:138 at addr ffff8801362e3638
Write of size 4 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88013bc07b70 ffffffff82e4dd32 ffff88013b802a80
 ffff8801362e2100 ffff8801362e4100 0000000000000000 dffffc0000000000
 ffff88013bc07b98 ffffffff8171d43c ffff88013bc07c28 ffff88013b802a80
Call Trace:
 <IRQ>  [<ffffffff82e4dd32>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff82e4dd32>] dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 [<ffffffff8171d43c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<ffffffff8171d6c2>] print_address_description mm/kasan/report.c:194 [inline]
 [<ffffffff8171d6c2>] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283
 [<ffffffff8171db9e>] kasan_report mm/kasan/report.c:303 [inline]
 [<ffffffff8171db9e>] __asan_report_store4_noabort+0x3e/0x40 mm/kasan/report.c:328
 [<ffffffff814159f2>] debug_spin_lock_after kernel/locking/spinlock_debug.c:91 [inline]
 [<ffffffff814159f2>] do_raw_spin_lock+0x2b2/0x2f0 kernel/locking/spinlock_debug.c:138
 [<ffffffff8675821e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff8675821e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff85d3b647>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff85d3b647>] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243
 [<ffffffff8146f5ef>] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298
 [<ffffffff8146fd5f>] expire_timers+0x28f/0x460 kernel/time/timer.c:1338
 [<ffffffff814700d6>] __run_timers kernel/time/timer.c:1627 [inline]
 [<ffffffff814700d6>] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640
 [<ffffffff8675c1bb>] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273
 [<ffffffff8131196f>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8131196f>] irq_exit+0x14f/0x190 kernel/softirq.c:391
 [<ffffffff8675b94b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff8675b94b>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
 [<ffffffff8675a9dc>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633
 <EOI>  [<ffffffff8122bdf6>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff811c316f>] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 [<ffffffff811c316f>] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
 [<ffffffff811c481a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
 [<ffffffff813f12c8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<ffffffff813f190c>] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
 [<ffffffff813f190c>] cpu_idle_loop kernel/sched/idle.c:244 [inline]
 [<ffffffff813f190c>] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293
 [<ffffffff867450a2>] rest_init+0x152/0x160 init/main.c:408
 [<ffffffff88adf557>] start_kernel+0x4fd/0x523 init/main.c:662
 [<ffffffff88ade2b0>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
 [<ffffffff88ade42e>] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176
Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192
Allocated:
PID = 7529
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171c97e>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171c97e>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171c97e>] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582
 [<ffffffff8171723f>] __kmalloc+0x15f/0x3c0 mm/slub.c:3719
 [<ffffffff8549cc00>] kmalloc include/linux/slab.h:495 [inline]
 [<ffffffff8549cc00>] kzalloc include/linux/slab.h:636 [inline]
 [<ffffffff8549cc00>] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610
 [<ffffffff854cc812>] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302
 [<ffffffff854dc645>] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547
 [<ffffffff854dce32>] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846
 [<ffffffff856689e2>] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280
 [<ffffffff854d28a5>] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852
 [<ffffffff8566756f>] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [<ffffffff8566756f>] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240
 [<ffffffff856681ab>] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786
 [<ffffffff8542d015>] sock_sendmsg_nosec net/socket.c:609 [inline]
 [<ffffffff8542d015>] sock_sendmsg+0xb5/0xf0 net/socket.c:619
 [<ffffffff85430eea>] SYSC_sendto net/socket.c:1644 [inline]
 [<ffffffff85430eea>] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612
 [<ffffffff86759240>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 2978
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171cfce>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171cfce>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171cfce>] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555
 [<ffffffff817198bb>] slab_free_hook mm/slub.c:1356 [inline]
 [<ffffffff817198bb>] slab_free_freelist_hook mm/slub.c:1378 [inline]
 [<ffffffff817198bb>] slab_free mm/slub.c:2936 [inline]
 [<ffffffff817198bb>] kfree+0x11b/0x3a0 mm/slub.c:3856
 [<ffffffff8165a765>] kvfree+0x25/0x30 mm/util.c:329
 [<ffffffff854a7377>] netdev_freemem+0x47/0x60 net/core/dev.c:7562
 [<ffffffff854f8a2c>] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469
 [<ffffffff83453b51>] device_release+0x71/0x1e0 drivers/base/core.c:247
 [<ffffffff82e53e36>] kobject_cleanup lib/kobject.c:645 [inline]
 [<ffffffff82e53e36>] kobject_release lib/kobject.c:674 [inline]
 [<ffffffff82e53e36>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff82e53e36>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff82e53e36>] kobject_put+0x146/0x400 lib/kobject.c:691
 [<ffffffff854a6fe3>] netdev_run_todo+0x483/0x650 net/core/dev.c:7467
 [<ffffffff854cb279>] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104
 [<ffffffff8549995e>] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244
 [<ffffffff85471fc6>] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137
 [<ffffffff85474380>] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
 [<ffffffff8134eedd>] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096
 [<ffffffff8134fe2a>] worker_thread+0xda/0xf10 kernel/workqueue.c:2230
 [<ffffffff81360879>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff8675948f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393
Memory state around the buggy address:
 ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_after kernel/locking/spinlock_debug.c:92 [inline] at addr ffff8801362e3640
BUG: KASAN: use-after-free in do_raw_spin_lock+0x2e5/0x2f0 kernel/locking/spinlock_debug.c:138 at addr ffff8801362e3640
Write of size 8 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88013bc07b70 ffffffff82e4dd32 ffff88013b802a80
 ffff8801362e2100 ffff8801362e4100 0000000000000000 dffffc0000000000
 ffff88013bc07b98 ffffffff8171d43c ffff88013bc07c28 ffff88013b802a80
Call Trace:
 <IRQ>  [<ffffffff82e4dd32>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff82e4dd32>] dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 [<ffffffff8171d43c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<ffffffff8171d6c2>] print_address_description mm/kasan/report.c:194 [inline]
 [<ffffffff8171d6c2>] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283
 [<ffffffff8171dbde>] kasan_report mm/kasan/report.c:303 [inline]
 [<ffffffff8171dbde>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
 [<ffffffff81415a25>] debug_spin_lock_after kernel/locking/spinlock_debug.c:92 [inline]
 [<ffffffff81415a25>] do_raw_spin_lock+0x2e5/0x2f0 kernel/locking/spinlock_debug.c:138
 [<ffffffff8675821e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff8675821e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff85d3b647>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff85d3b647>] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243
 [<ffffffff8146f5ef>] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298
 [<ffffffff8146fd5f>] expire_timers+0x28f/0x460 kernel/time/timer.c:1338
 [<ffffffff814700d6>] __run_timers kernel/time/timer.c:1627 [inline]
 [<ffffffff814700d6>] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640
 [<ffffffff8675c1bb>] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273
 [<ffffffff8131196f>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8131196f>] irq_exit+0x14f/0x190 kernel/softirq.c:391
 [<ffffffff8675b94b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff8675b94b>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
 [<ffffffff8675a9dc>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633
 <EOI>  [<ffffffff8122bdf6>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff811c316f>] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 [<ffffffff811c316f>] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
 [<ffffffff811c481a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
 [<ffffffff813f12c8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<ffffffff813f190c>] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
 [<ffffffff813f190c>] cpu_idle_loop kernel/sched/idle.c:244 [inline]
 [<ffffffff813f190c>] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293
 [<ffffffff867450a2>] rest_init+0x152/0x160 init/main.c:408
 [<ffffffff88adf557>] start_kernel+0x4fd/0x523 init/main.c:662
 [<ffffffff88ade2b0>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
 [<ffffffff88ade42e>] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176
Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192
Allocated:
PID = 7529
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171c97e>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171c97e>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171c97e>] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582
 [<ffffffff8171723f>] __kmalloc+0x15f/0x3c0 mm/slub.c:3719
 [<ffffffff8549cc00>] kmalloc include/linux/slab.h:495 [inline]
 [<ffffffff8549cc00>] kzalloc include/linux/slab.h:636 [inline]
 [<ffffffff8549cc00>] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610
 [<ffffffff854cc812>] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302
 [<ffffffff854dc645>] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547
 [<ffffffff854dce32>] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846
 [<ffffffff856689e2>] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280
 [<ffffffff854d28a5>] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852
 [<ffffffff8566756f>] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [<ffffffff8566756f>] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240
 [<ffffffff856681ab>] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786
 [<ffffffff8542d015>] sock_sendmsg_nosec net/socket.c:609 [inline]
 [<ffffffff8542d015>] sock_sendmsg+0xb5/0xf0 net/socket.c:619
 [<ffffffff85430eea>] SYSC_sendto net/socket.c:1644 [inline]
 [<ffffffff85430eea>] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612
 [<ffffffff86759240>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 2978
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171cfce>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171cfce>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171cfce>] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555
 [<ffffffff817198bb>] slab_free_hook mm/slub.c:1356 [inline]
 [<ffffffff817198bb>] slab_free_freelist_hook mm/slub.c:1378 [inline]
 [<ffffffff817198bb>] slab_free mm/slub.c:2936 [inline]
 [<ffffffff817198bb>] kfree+0x11b/0x3a0 mm/slub.c:3856
 [<ffffffff8165a765>] kvfree+0x25/0x30 mm/util.c:329
 [<ffffffff854a7377>] netdev_freemem+0x47/0x60 net/core/dev.c:7562
 [<ffffffff854f8a2c>] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469
 [<ffffffff83453b51>] device_release+0x71/0x1e0 drivers/base/core.c:247
 [<ffffffff82e53e36>] kobject_cleanup lib/kobject.c:645 [inline]
 [<ffffffff82e53e36>] kobject_release lib/kobject.c:674 [inline]
 [<ffffffff82e53e36>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff82e53e36>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff82e53e36>] kobject_put+0x146/0x400 lib/kobject.c:691
 [<ffffffff854a6fe3>] netdev_run_todo+0x483/0x650 net/core/dev.c:7467
 [<ffffffff854cb279>] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104
 [<ffffffff8549995e>] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244
 [<ffffffff85471fc6>] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137
 [<ffffffff85474380>] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
 [<ffffffff8134eedd>] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096
 [<ffffffff8134fe2a>] worker_thread+0xda/0xf10 kernel/workqueue.c:2230
 [<ffffffff81360879>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff8675948f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393
Memory state around the buggy address:
 ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in br_multicast_group_expired+0x346/0x360 net/bridge/br_multicast.c:244 at addr ffff8801362e2b88
Read of size 8 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88013bc07bd0 ffffffff82e4dd32 ffff88013b802a80
 ffff8801362e2100 ffff8801362e4100 0000000000000101 dffffc0000000000
 ffff88013bc07bf8 ffffffff8171d43c ffff88013bc07c88 ffff88013b802a80
Call Trace:
 <IRQ>  [<ffffffff82e4dd32>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff82e4dd32>] dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 [<ffffffff8171d43c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<ffffffff8171d6c2>] print_address_description mm/kasan/report.c:194 [inline]
 [<ffffffff8171d6c2>] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283
 [<ffffffff8171da9e>] kasan_report mm/kasan/report.c:303 [inline]
 [<ffffffff8171da9e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:324
 [<ffffffff85d3b946>] br_multicast_group_expired+0x346/0x360 net/bridge/br_multicast.c:244
 [<ffffffff8146f5ef>] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298
 [<ffffffff8146fd5f>] expire_timers+0x28f/0x460 kernel/time/timer.c:1338
 [<ffffffff814700d6>] __run_timers kernel/time/timer.c:1627 [inline]
 [<ffffffff814700d6>] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640
 [<ffffffff8675c1bb>] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273
 [<ffffffff8131196f>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8131196f>] irq_exit+0x14f/0x190 kernel/softirq.c:391
 [<ffffffff8675b94b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff8675b94b>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
 [<ffffffff8675a9dc>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633
 <EOI>  [<ffffffff8122bdf6>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff811c316f>] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 [<ffffffff811c316f>] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
 [<ffffffff811c481a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
 [<ffffffff813f12c8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<ffffffff813f190c>] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
 [<ffffffff813f190c>] cpu_idle_loop kernel/sched/idle.c:244 [inline]
 [<ffffffff813f190c>] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293
 [<ffffffff867450a2>] rest_init+0x152/0x160 init/main.c:408
 [<ffffffff88adf557>] start_kernel+0x4fd/0x523 init/main.c:662
 [<ffffffff88ade2b0>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
 [<ffffffff88ade42e>] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176
Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192
Allocated:
PID = 7529
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171c97e>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171c97e>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171c97e>] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582
 [<ffffffff8171723f>] __kmalloc+0x15f/0x3c0 mm/slub.c:3719
 [<ffffffff8549cc00>] kmalloc include/linux/slab.h:495 [inline]
 [<ffffffff8549cc00>] kzalloc include/linux/slab.h:636 [inline]
 [<ffffffff8549cc00>] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610
 [<ffffffff854cc812>] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302
 [<ffffffff854dc645>] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547
 [<ffffffff854dce32>] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846
 [<ffffffff856689e2>] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280
 [<ffffffff854d28a5>] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852
 [<ffffffff8566756f>] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [<ffffffff8566756f>] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240
 [<ffffffff856681ab>] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786
 [<ffffffff8542d015>] sock_sendmsg_nosec net/socket.c:609 [inline]
 [<ffffffff8542d015>] sock_sendmsg+0xb5/0xf0 net/socket.c:619
 [<ffffffff85430eea>] SYSC_sendto net/socket.c:1644 [inline]
 [<ffffffff85430eea>] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612
 [<ffffffff86759240>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 2978
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171cfce>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171cfce>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171cfce>] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555
 [<ffffffff817198bb>] slab_free_hook mm/slub.c:1356 [inline]
 [<ffffffff817198bb>] slab_free_freelist_hook mm/slub.c:1378 [inline]
 [<ffffffff817198bb>] slab_free mm/slub.c:2936 [inline]
 [<ffffffff817198bb>] kfree+0x11b/0x3a0 mm/slub.c:3856
 [<ffffffff8165a765>] kvfree+0x25/0x30 mm/util.c:329
 [<ffffffff854a7377>] netdev_freemem+0x47/0x60 net/core/dev.c:7562
 [<ffffffff854f8a2c>] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469
 [<ffffffff83453b51>] device_release+0x71/0x1e0 drivers/base/core.c:247
 [<ffffffff82e53e36>] kobject_cleanup lib/kobject.c:645 [inline]
 [<ffffffff82e53e36>] kobject_release lib/kobject.c:674 [inline]
 [<ffffffff82e53e36>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff82e53e36>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff82e53e36>] kobject_put+0x146/0x400 lib/kobject.c:691
 [<ffffffff854a6fe3>] netdev_run_todo+0x483/0x650 net/core/dev.c:7467
 [<ffffffff854cb279>] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104
 [<ffffffff8549995e>] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244
 [<ffffffff85471fc6>] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137
 [<ffffffff85474380>] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
 [<ffffffff8134eedd>] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096
 [<ffffffff8134fe2a>] worker_thread+0xda/0xf10 kernel/workqueue.c:2230
 [<ffffffff81360879>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff8675948f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393
Memory state around the buggy address:
 ffff8801362e2a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e2b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801362e2b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff8801362e2c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e2c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in constant_test_bit arch/x86/include/asm/bitops.h:311 [inline] at addr ffff8801362e2148
BUG: KASAN: use-after-free in netif_running include/linux/netdevice.h:3084 [inline] at addr ffff8801362e2148
BUG: KASAN: use-after-free in br_multicast_group_expired+0x33c/0x360 net/bridge/br_multicast.c:244 at addr ffff8801362e2148
Read of size 8 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88013bc07bd0 ffffffff82e4dd32 ffff88013b802a80
 ffff8801362e2100 ffff8801362e4100 ffff8801362e2100 dffffc0000000000
 ffff88013bc07bf8 ffffffff8171d43c ffff88013bc07c88 ffff88013b802a80
Call Trace:
 <IRQ>  [<ffffffff82e4dd32>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff82e4dd32>] dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 [<ffffffff8171d43c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<ffffffff8171d6c2>] print_address_description mm/kasan/report.c:194 [inline]
 [<ffffffff8171d6c2>] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283
 [<ffffffff8171da9e>] kasan_report mm/kasan/report.c:303 [inline]
 [<ffffffff8171da9e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:324
 [<ffffffff85d3b93c>] constant_test_bit arch/x86/include/asm/bitops.h:311 [inline]
 [<ffffffff85d3b93c>] netif_running include/linux/netdevice.h:3084 [inline]
 [<ffffffff85d3b93c>] br_multicast_group_expired+0x33c/0x360 net/bridge/br_multicast.c:244
 [<ffffffff8146f5ef>] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298
 [<ffffffff8146fd5f>] expire_timers+0x28f/0x460 kernel/time/timer.c:1338
 [<ffffffff814700d6>] __run_timers kernel/time/timer.c:1627 [inline]
 [<ffffffff814700d6>] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640
 [<ffffffff8675c1bb>] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273
 [<ffffffff8131196f>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8131196f>] irq_exit+0x14f/0x190 kernel/softirq.c:391
 [<ffffffff8675b94b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff8675b94b>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
 [<ffffffff8675a9dc>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633
 <EOI>  [<ffffffff8122bdf6>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff811c316f>] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 [<ffffffff811c316f>] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
 [<ffffffff811c481a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
 [<ffffffff813f12c8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<ffffffff813f190c>] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
 [<ffffffff813f190c>] cpu_idle_loop kernel/sched/idle.c:244 [inline]
 [<ffffffff813f190c>] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293
 [<ffffffff867450a2>] rest_init+0x152/0x160 init/main.c:408
 [<ffffffff88adf557>] start_kernel+0x4fd/0x523 init/main.c:662
 [<ffffffff88ade2b0>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
 [<ffffffff88ade42e>] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176
Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192
Allocated:
PID = 7529
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171c97e>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171c97e>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171c97e>] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582
 [<ffffffff8171723f>] __kmalloc+0x15f/0x3c0 mm/slub.c:3719
 [<ffffffff8549cc00>] kmalloc include/linux/slab.h:495 [inline]
 [<ffffffff8549cc00>] kzalloc include/linux/slab.h:636 [inline]
 [<ffffffff8549cc00>] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610
 [<ffffffff854cc812>] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302
 [<ffffffff854dc645>] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547
 [<ffffffff854dce32>] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846
 [<ffffffff856689e2>] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280
 [<ffffffff854d28a5>] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852
 [<ffffffff8566756f>] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [<ffffffff8566756f>] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240
 [<ffffffff856681ab>] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786
 [<ffffffff8542d015>] sock_sendmsg_nosec net/socket.c:609 [inline]
 [<ffffffff8542d015>] sock_sendmsg+0xb5/0xf0 net/socket.c:619
 [<ffffffff85430eea>] SYSC_sendto net/socket.c:1644 [inline]
 [<ffffffff85430eea>] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612
 [<ffffffff86759240>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 2978
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171cfce>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171cfce>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171cfce>] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555
 [<ffffffff817198bb>] slab_free_hook mm/slub.c:1356 [inline]
 [<ffffffff817198bb>] slab_free_freelist_hook mm/slub.c:1378 [inline]
 [<ffffffff817198bb>] slab_free mm/slub.c:2936 [inline]
 [<ffffffff817198bb>] kfree+0x11b/0x3a0 mm/slub.c:3856
 [<ffffffff8165a765>] kvfree+0x25/0x30 mm/util.c:329
 [<ffffffff854a7377>] netdev_freemem+0x47/0x60 net/core/dev.c:7562
 [<ffffffff854f8a2c>] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469
 [<ffffffff83453b51>] device_release+0x71/0x1e0 drivers/base/core.c:247
 [<ffffffff82e53e36>] kobject_cleanup lib/kobject.c:645 [inline]
 [<ffffffff82e53e36>] kobject_release lib/kobject.c:674 [inline]
 [<ffffffff82e53e36>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff82e53e36>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff82e53e36>] kobject_put+0x146/0x400 lib/kobject.c:691
 [<ffffffff854a6fe3>] netdev_run_todo+0x483/0x650 net/core/dev.c:7467
 [<ffffffff854cb279>] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104
 [<ffffffff8549995e>] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244
 [<ffffffff85471fc6>] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137
 [<ffffffff85474380>] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
 [<ffffffff8134eedd>] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096
 [<ffffffff8134fe2a>] worker_thread+0xda/0xf10 kernel/workqueue.c:2230
 [<ffffffff81360879>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff8675948f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393
Memory state around the buggy address:
 ffff8801362e2000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801362e2080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801362e2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff8801362e2180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:97 [inline] at addr ffff8801362e3634
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x20f/0x250 kernel/locking/spinlock_debug.c:158 at addr ffff8801362e3634
Read of size 4 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88013bc07b90 ffffffff82e4dd32 ffff88013b802a80
 ffff8801362e2100 ffff8801362e4100 ffff8801362e2100 dffffc0000000000
 ffff88013bc07bb8 ffffffff8171d43c ffff88013bc07c48 ffff88013b802a80
Call Trace:
 <IRQ>  [<ffffffff82e4dd32>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff82e4dd32>] dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 [<ffffffff8171d43c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<ffffffff8171d6c2>] print_address_description mm/kasan/report.c:194 [inline]
 [<ffffffff8171d6c2>] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283
 [<ffffffff8171da5e>] kasan_report mm/kasan/report.c:303 [inline]
 [<ffffffff8171da5e>] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:323
 [<ffffffff81415cff>] debug_spin_unlock kernel/locking/spinlock_debug.c:97 [inline]
 [<ffffffff81415cff>] do_raw_spin_unlock+0x20f/0x250 kernel/locking/spinlock_debug.c:158
 [<ffffffff86758552>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff86758552>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff85d3b6c1>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff85d3b6c1>] br_multicast_group_expired+0xc1/0x360 net/bridge/br_multicast.c:260
 [<ffffffff8146f5ef>] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298
 [<ffffffff8146fd5f>] expire_timers+0x28f/0x460 kernel/time/timer.c:1338
 [<ffffffff814700d6>] __run_timers kernel/time/timer.c:1627 [inline]
 [<ffffffff814700d6>] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640
 [<ffffffff8675c1bb>] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273
 [<ffffffff8131196f>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8131196f>] irq_exit+0x14f/0x190 kernel/softirq.c:391
 [<ffffffff8675b94b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff8675b94b>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
 [<ffffffff8675a9dc>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633
 <EOI>  [<ffffffff8122bdf6>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff811c316f>] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 [<ffffffff811c316f>] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
 [<ffffffff811c481a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
 [<ffffffff813f12c8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<ffffffff813f190c>] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
 [<ffffffff813f190c>] cpu_idle_loop kernel/sched/idle.c:244 [inline]
 [<ffffffff813f190c>] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293
 [<ffffffff867450a2>] rest_init+0x152/0x160 init/main.c:408
 [<ffffffff88adf557>] start_kernel+0x4fd/0x523 init/main.c:662
 [<ffffffff88ade2b0>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
 [<ffffffff88ade42e>] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176
Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192
Allocated:
PID = 7529
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171c97e>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171c97e>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171c97e>] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582
 [<ffffffff8171723f>] __kmalloc+0x15f/0x3c0 mm/slub.c:3719
 [<ffffffff8549cc00>] kmalloc include/linux/slab.h:495 [inline]
 [<ffffffff8549cc00>] kzalloc include/linux/slab.h:636 [inline]
 [<ffffffff8549cc00>] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610
 [<ffffffff854cc812>] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302
 [<ffffffff854dc645>] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547
 [<ffffffff854dce32>] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846
 [<ffffffff856689e2>] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280
 [<ffffffff854d28a5>] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852
 [<ffffffff8566756f>] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [<ffffffff8566756f>] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240
 [<ffffffff856681ab>] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786
 [<ffffffff8542d015>] sock_sendmsg_nosec net/socket.c:609 [inline]
 [<ffffffff8542d015>] sock_sendmsg+0xb5/0xf0 net/socket.c:619
 [<ffffffff85430eea>] SYSC_sendto net/socket.c:1644 [inline]
 [<ffffffff85430eea>] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612
 [<ffffffff86759240>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 2978
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171cfce>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171cfce>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171cfce>] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555
 [<ffffffff817198bb>] slab_free_hook mm/slub.c:1356 [inline]
 [<ffffffff817198bb>] slab_free_freelist_hook mm/slub.c:1378 [inline]
 [<ffffffff817198bb>] slab_free mm/slub.c:2936 [inline]
 [<ffffffff817198bb>] kfree+0x11b/0x3a0 mm/slub.c:3856
 [<ffffffff8165a765>] kvfree+0x25/0x30 mm/util.c:329
 [<ffffffff854a7377>] netdev_freemem+0x47/0x60 net/core/dev.c:7562
 [<ffffffff854f8a2c>] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469
 [<ffffffff83453b51>] device_release+0x71/0x1e0 drivers/base/core.c:247
 [<ffffffff82e53e36>] kobject_cleanup lib/kobject.c:645 [inline]
 [<ffffffff82e53e36>] kobject_release lib/kobject.c:674 [inline]
 [<ffffffff82e53e36>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff82e53e36>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff82e53e36>] kobject_put+0x146/0x400 lib/kobject.c:691
 [<ffffffff854a6fe3>] netdev_run_todo+0x483/0x650 net/core/dev.c:7467
 [<ffffffff854cb279>] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104
 [<ffffffff8549995e>] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244
 [<ffffffff85471fc6>] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137
 [<ffffffff85474380>] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
 [<ffffffff8134eedd>] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096
 [<ffffffff8134fe2a>] worker_thread+0xda/0xf10 kernel/workqueue.c:2230
 [<ffffffff81360879>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff8675948f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393
Memory state around the buggy address:
 ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:220 [inline] at addr ffff8801362e3630
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801362e3630
BUG: KASAN: use-after-free in queued_spin_is_locked include/asm-generic/qspinlock.h:49 [inline] at addr ffff8801362e3630
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:98 [inline] at addr ffff8801362e3630
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x205/0x250 kernel/locking/spinlock_debug.c:158 at addr ffff8801362e3630
Read of size 4 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88013bc07b90 ffffffff82e4dd32 ffff88013b802a80
 ffff8801362e2100 ffff8801362e4100 ffff8801362e2100 dffffc0000000000
 ffff88013bc07bb8 ffffffff8171d43c ffff88013bc07c48 ffff88013b802a80
Call Trace:
 <IRQ>  [<ffffffff82e4dd32>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff82e4dd32>] dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 [<ffffffff8171d43c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<ffffffff8171d6c2>] print_address_description mm/kasan/report.c:194 [inline]
 [<ffffffff8171d6c2>] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283
 [<ffffffff8171da5e>] kasan_report mm/kasan/report.c:303 [inline]
 [<ffffffff8171da5e>] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:323
 [<ffffffff81415cf5>] __read_once_size include/linux/compiler.h:220 [inline]
 [<ffffffff81415cf5>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 [<ffffffff81415cf5>] queued_spin_is_locked include/asm-generic/qspinlock.h:49 [inline]
 [<ffffffff81415cf5>] debug_spin_unlock kernel/locking/spinlock_debug.c:98 [inline]
 [<ffffffff81415cf5>] do_raw_spin_unlock+0x205/0x250 kernel/locking/spinlock_debug.c:158
 [<ffffffff86758552>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff86758552>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff85d3b6c1>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff85d3b6c1>] br_multicast_group_expired+0xc1/0x360 net/bridge/br_multicast.c:260
 [<ffffffff8146f5ef>] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298
 [<ffffffff8146fd5f>] expire_timers+0x28f/0x460 kernel/time/timer.c:1338
 [<ffffffff814700d6>] __run_timers kernel/time/timer.c:1627 [inline]
 [<ffffffff814700d6>] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640
 [<ffffffff8675c1bb>] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273
 [<ffffffff8131196f>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8131196f>] irq_exit+0x14f/0x190 kernel/softirq.c:391
 [<ffffffff8675b94b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff8675b94b>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
 [<ffffffff8675a9dc>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633
 <EOI>  [<ffffffff8122bdf6>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff811c316f>] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 [<ffffffff811c316f>] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
 [<ffffffff811c481a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
 [<ffffffff813f12c8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<ffffffff813f190c>] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
 [<ffffffff813f190c>] cpu_idle_loop kernel/sched/idle.c:244 [inline]
 [<ffffffff813f190c>] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293
 [<ffffffff867450a2>] rest_init+0x152/0x160 init/main.c:408
 [<ffffffff88adf557>] start_kernel+0x4fd/0x523 init/main.c:662
 [<ffffffff88ade2b0>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
 [<ffffffff88ade42e>] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176
Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192
Allocated:
PID = 7529
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171c97e>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171c97e>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171c97e>] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582
 [<ffffffff8171723f>] __kmalloc+0x15f/0x3c0 mm/slub.c:3719
 [<ffffffff8549cc00>] kmalloc include/linux/slab.h:495 [inline]
 [<ffffffff8549cc00>] kzalloc include/linux/slab.h:636 [inline]
 [<ffffffff8549cc00>] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610
 [<ffffffff854cc812>] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302
 [<ffffffff854dc645>] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547
 [<ffffffff854dce32>] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846
 [<ffffffff856689e2>] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280
 [<ffffffff854d28a5>] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852
 [<ffffffff8566756f>] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [<ffffffff8566756f>] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240
 [<ffffffff856681ab>] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786
 [<ffffffff8542d015>] sock_sendmsg_nosec net/socket.c:609 [inline]
 [<ffffffff8542d015>] sock_sendmsg+0xb5/0xf0 net/socket.c:619
 [<ffffffff85430eea>] SYSC_sendto net/socket.c:1644 [inline]
 [<ffffffff85430eea>] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612
 [<ffffffff86759240>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 2978
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171cfce>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171cfce>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171cfce>] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555
 [<ffffffff817198bb>] slab_free_hook mm/slub.c:1356 [inline]
 [<ffffffff817198bb>] slab_free_freelist_hook mm/slub.c:1378 [inline]
 [<ffffffff817198bb>] slab_free mm/slub.c:2936 [inline]
 [<ffffffff817198bb>] kfree+0x11b/0x3a0 mm/slub.c:3856
 [<ffffffff8165a765>] kvfree+0x25/0x30 mm/util.c:329
 [<ffffffff854a7377>] netdev_freemem+0x47/0x60 net/core/dev.c:7562
 [<ffffffff854f8a2c>] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469
 [<ffffffff83453b51>] device_release+0x71/0x1e0 drivers/base/core.c:247
 [<ffffffff82e53e36>] kobject_cleanup lib/kobject.c:645 [inline]
 [<ffffffff82e53e36>] kobject_release lib/kobject.c:674 [inline]
 [<ffffffff82e53e36>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff82e53e36>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff82e53e36>] kobject_put+0x146/0x400 lib/kobject.c:691
 [<ffffffff854a6fe3>] netdev_run_todo+0x483/0x650 net/core/dev.c:7467
 [<ffffffff854cb279>] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104
 [<ffffffff8549995e>] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244
 [<ffffffff85471fc6>] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137
 [<ffffffff85474380>] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
 [<ffffffff8134eedd>] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096
 [<ffffffff8134fe2a>] worker_thread+0xda/0xf10 kernel/workqueue.c:2230
 [<ffffffff81360879>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff8675948f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393
Memory state around the buggy address:
 ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:99 [inline] at addr ffff8801362e3640
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x229/0x250 kernel/locking/spinlock_debug.c:158 at addr ffff8801362e3640
Read of size 8 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88013bc07b90 ffffffff82e4dd32 ffff88013b802a80
 ffff8801362e2100 ffff8801362e4100 ffff8801362e2100 dffffc0000000000
 ffff88013bc07bb8 ffffffff8171d43c ffff88013bc07c48 ffff88013b802a80
Call Trace:
 <IRQ>  [<ffffffff82e4dd32>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff82e4dd32>] dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 [<ffffffff8171d43c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<ffffffff8171d6c2>] print_address_description mm/kasan/report.c:194 [inline]
 [<ffffffff8171d6c2>] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283
 [<ffffffff8171da9e>] kasan_report mm/kasan/report.c:303 [inline]
 [<ffffffff8171da9e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:324
 [<ffffffff81415d19>] debug_spin_unlock kernel/locking/spinlock_debug.c:99 [inline]
 [<ffffffff81415d19>] do_raw_spin_unlock+0x229/0x250 kernel/locking/spinlock_debug.c:158
 [<ffffffff86758552>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff86758552>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff85d3b6c1>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff85d3b6c1>] br_multicast_group_expired+0xc1/0x360 net/bridge/br_multicast.c:260
 [<ffffffff8146f5ef>] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298
 [<ffffffff8146fd5f>] expire_timers+0x28f/0x460 kernel/time/timer.c:1338
 [<ffffffff814700d6>] __run_timers kernel/time/timer.c:1627 [inline]
 [<ffffffff814700d6>] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640
 [<ffffffff8675c1bb>] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273
 [<ffffffff8131196f>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8131196f>] irq_exit+0x14f/0x190 kernel/softirq.c:391
 [<ffffffff8675b94b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff8675b94b>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
 [<ffffffff8675a9dc>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633
 <EOI>  [<ffffffff8122bdf6>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff811c316f>] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 [<ffffffff811c316f>] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
 [<ffffffff811c481a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
 [<ffffffff813f12c8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<ffffffff813f190c>] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
 [<ffffffff813f190c>] cpu_idle_loop kernel/sched/idle.c:244 [inline]
 [<ffffffff813f190c>] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293
 [<ffffffff867450a2>] rest_init+0x152/0x160 init/main.c:408
 [<ffffffff88adf557>] start_kernel+0x4fd/0x523 init/main.c:662
 [<ffffffff88ade2b0>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
 [<ffffffff88ade42e>] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176
Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192
Allocated:
PID = 7529
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171c97e>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171c97e>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171c97e>] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582
 [<ffffffff8171723f>] __kmalloc+0x15f/0x3c0 mm/slub.c:3719
 [<ffffffff8549cc00>] kmalloc include/linux/slab.h:495 [inline]
 [<ffffffff8549cc00>] kzalloc include/linux/slab.h:636 [inline]
 [<ffffffff8549cc00>] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610
 [<ffffffff854cc812>] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302
 [<ffffffff854dc645>] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547
 [<ffffffff854dce32>] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846
 [<ffffffff856689e2>] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280
 [<ffffffff854d28a5>] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852
 [<ffffffff8566756f>] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [<ffffffff8566756f>] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240
 [<ffffffff856681ab>] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786
 [<ffffffff8542d015>] sock_sendmsg_nosec net/socket.c:609 [inline]
 [<ffffffff8542d015>] sock_sendmsg+0xb5/0xf0 net/socket.c:619
 [<ffffffff85430eea>] SYSC_sendto net/socket.c:1644 [inline]
 [<ffffffff85430eea>] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612
 [<ffffffff86759240>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 2978
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171cfce>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171cfce>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171cfce>] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555
 [<ffffffff817198bb>] slab_free_hook mm/slub.c:1356 [inline]
 [<ffffffff817198bb>] slab_free_freelist_hook mm/slub.c:1378 [inline]
 [<ffffffff817198bb>] slab_free mm/slub.c:2936 [inline]
 [<ffffffff817198bb>] kfree+0x11b/0x3a0 mm/slub.c:3856
 [<ffffffff8165a765>] kvfree+0x25/0x30 mm/util.c:329
 [<ffffffff854a7377>] netdev_freemem+0x47/0x60 net/core/dev.c:7562
 [<ffffffff854f8a2c>] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469
 [<ffffffff83453b51>] device_release+0x71/0x1e0 drivers/base/core.c:247
 [<ffffffff82e53e36>] kobject_cleanup lib/kobject.c:645 [inline]
 [<ffffffff82e53e36>] kobject_release lib/kobject.c:674 [inline]
 [<ffffffff82e53e36>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff82e53e36>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff82e53e36>] kobject_put+0x146/0x400 lib/kobject.c:691
 [<ffffffff854a6fe3>] netdev_run_todo+0x483/0x650 net/core/dev.c:7467
 [<ffffffff854cb279>] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104
 [<ffffffff8549995e>] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244
 [<ffffffff85471fc6>] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137
 [<ffffffff85474380>] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
 [<ffffffff8134eedd>] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096
 [<ffffffff8134fe2a>] worker_thread+0xda/0xf10 kernel/workqueue.c:2230
 [<ffffffff81360879>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff8675948f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393
Memory state around the buggy address:
 ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:100 [inline] at addr ffff8801362e3638
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1f8/0x250 kernel/locking/spinlock_debug.c:158 at addr ffff8801362e3638
Read of size 4 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88013bc07b90 ffffffff82e4dd32 ffff88013b802a80
 ffff8801362e2100 ffff8801362e4100 ffff8801362e2100 dffffc0000000000
 ffff88013bc07bb8 ffffffff8171d43c ffff88013bc07c48 ffff88013b802a80
Call Trace:
 <IRQ>  [<ffffffff82e4dd32>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff82e4dd32>] dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 [<ffffffff8171d43c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<ffffffff8171d6c2>] print_address_description mm/kasan/report.c:194 [inline]
 [<ffffffff8171d6c2>] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283
 [<ffffffff8171da5e>] kasan_report mm/kasan/report.c:303 [inline]
 [<ffffffff8171da5e>] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:323
 [<ffffffff81415ce8>] debug_spin_unlock kernel/locking/spinlock_debug.c:100 [inline]
 [<ffffffff81415ce8>] do_raw_spin_unlock+0x1f8/0x250 kernel/locking/spinlock_debug.c:158
 [<ffffffff86758552>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff86758552>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff85d3b6c1>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff85d3b6c1>] br_multicast_group_expired+0xc1/0x360 net/bridge/br_multicast.c:260
 [<ffffffff8146f5ef>] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298
 [<ffffffff8146fd5f>] expire_timers+0x28f/0x460 kernel/time/timer.c:1338
 [<ffffffff814700d6>] __run_timers kernel/time/timer.c:1627 [inline]
 [<ffffffff814700d6>] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640
 [<ffffffff8675c1bb>] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273
 [<ffffffff8131196f>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8131196f>] irq_exit+0x14f/0x190 kernel/softirq.c:391
 [<ffffffff8675b94b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff8675b94b>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
 [<ffffffff8675a9dc>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633
 <EOI>  [<ffffffff8122bdf6>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff811c316f>] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 [<ffffffff811c316f>] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
 [<ffffffff811c481a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
 [<ffffffff813f12c8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<ffffffff813f190c>] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
 [<ffffffff813f190c>] cpu_idle_loop kernel/sched/idle.c:244 [inline]
 [<ffffffff813f190c>] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293
 [<ffffffff867450a2>] rest_init+0x152/0x160 init/main.c:408
 [<ffffffff88adf557>] start_kernel+0x4fd/0x523 init/main.c:662
 [<ffffffff88ade2b0>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
 [<ffffffff88ade42e>] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176
Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192
Allocated:
PID = 7529
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171c97e>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171c97e>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171c97e>] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582
 [<ffffffff8171723f>] __kmalloc+0x15f/0x3c0 mm/slub.c:3719
 [<ffffffff8549cc00>] kmalloc include/linux/slab.h:495 [inline]
 [<ffffffff8549cc00>] kzalloc include/linux/slab.h:636 [inline]
 [<ffffffff8549cc00>] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610
 [<ffffffff854cc812>] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302
 [<ffffffff854dc645>] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547
 [<ffffffff854dce32>] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846
 [<ffffffff856689e2>] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280
 [<ffffffff854d28a5>] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852
 [<ffffffff8566756f>] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [<ffffffff8566756f>] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240
 [<ffffffff856681ab>] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786
 [<ffffffff8542d015>] sock_sendmsg_nosec net/socket.c:609 [inline]
 [<ffffffff8542d015>] sock_sendmsg+0xb5/0xf0 net/socket.c:619
 [<ffffffff85430eea>] SYSC_sendto net/socket.c:1644 [inline]
 [<ffffffff85430eea>] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612
 [<ffffffff86759240>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 2978
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171cfce>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171cfce>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171cfce>] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555
 [<ffffffff817198bb>] slab_free_hook mm/slub.c:1356 [inline]
 [<ffffffff817198bb>] slab_free_freelist_hook mm/slub.c:1378 [inline]
 [<ffffffff817198bb>] slab_free mm/slub.c:2936 [inline]
 [<ffffffff817198bb>] kfree+0x11b/0x3a0 mm/slub.c:3856
 [<ffffffff8165a765>] kvfree+0x25/0x30 mm/util.c:329
 [<ffffffff854a7377>] netdev_freemem+0x47/0x60 net/core/dev.c:7562
 [<ffffffff854f8a2c>] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469
 [<ffffffff83453b51>] device_release+0x71/0x1e0 drivers/base/core.c:247
 [<ffffffff82e53e36>] kobject_cleanup lib/kobject.c:645 [inline]
 [<ffffffff82e53e36>] kobject_release lib/kobject.c:674 [inline]
 [<ffffffff82e53e36>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff82e53e36>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff82e53e36>] kobject_put+0x146/0x400 lib/kobject.c:691
 [<ffffffff854a6fe3>] netdev_run_todo+0x483/0x650 net/core/dev.c:7467
 [<ffffffff854cb279>] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104
 [<ffffffff8549995e>] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244
 [<ffffffff85471fc6>] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137
 [<ffffffff85474380>] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
 [<ffffffff8134eedd>] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096
 [<ffffffff8134fe2a>] worker_thread+0xda/0xf10 kernel/workqueue.c:2230
 [<ffffffff81360879>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff8675948f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393
Memory state around the buggy address:
 ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:102 [inline] at addr ffff8801362e3640
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x240/0x250 kernel/locking/spinlock_debug.c:158 at addr ffff8801362e3640
Write of size 8 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88013bc07b90 ffffffff82e4dd32 ffff88013b802a80
 ffff8801362e2100 ffff8801362e4100 ffff8801362e2100 dffffc0000000000
 ffff88013bc07bb8 ffffffff8171d43c ffff88013bc07c48 ffff88013b802a80
Call Trace:
 <IRQ>  [<ffffffff82e4dd32>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff82e4dd32>] dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 [<ffffffff8171d43c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<ffffffff8171d6c2>] print_address_description mm/kasan/report.c:194 [inline]
 [<ffffffff8171d6c2>] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283
 [<ffffffff8171dbde>] kasan_report mm/kasan/report.c:303 [inline]
 [<ffffffff8171dbde>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
 [<ffffffff81415d30>] debug_spin_unlock kernel/locking/spinlock_debug.c:102 [inline]
 [<ffffffff81415d30>] do_raw_spin_unlock+0x240/0x250 kernel/locking/spinlock_debug.c:158
 [<ffffffff86758552>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff86758552>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff85d3b6c1>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff85d3b6c1>] br_multicast_group_expired+0xc1/0x360 net/bridge/br_multicast.c:260
 [<ffffffff8146f5ef>] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298
 [<ffffffff8146fd5f>] expire_timers+0x28f/0x460 kernel/time/timer.c:1338
 [<ffffffff814700d6>] __run_timers kernel/time/timer.c:1627 [inline]
 [<ffffffff814700d6>] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640
 [<ffffffff8675c1bb>] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273
 [<ffffffff8131196f>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8131196f>] irq_exit+0x14f/0x190 kernel/softirq.c:391
 [<ffffffff8675b94b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff8675b94b>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
 [<ffffffff8675a9dc>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633
 <EOI>  [<ffffffff8122bdf6>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff811c316f>] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 [<ffffffff811c316f>] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
 [<ffffffff811c481a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
 [<ffffffff813f12c8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<ffffffff813f190c>] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
 [<ffffffff813f190c>] cpu_idle_loop kernel/sched/idle.c:244 [inline]
 [<ffffffff813f190c>] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293
 [<ffffffff867450a2>] rest_init+0x152/0x160 init/main.c:408
 [<ffffffff88adf557>] start_kernel+0x4fd/0x523 init/main.c:662
 [<ffffffff88ade2b0>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
 [<ffffffff88ade42e>] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176
Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192
Allocated:
PID = 7529
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171c97e>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171c97e>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171c97e>] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582
 [<ffffffff8171723f>] __kmalloc+0x15f/0x3c0 mm/slub.c:3719
 [<ffffffff8549cc00>] kmalloc include/linux/slab.h:495 [inline]
 [<ffffffff8549cc00>] kzalloc include/linux/slab.h:636 [inline]
 [<ffffffff8549cc00>] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610
 [<ffffffff854cc812>] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302
 [<ffffffff854dc645>] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547
 [<ffffffff854dce32>] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846
 [<ffffffff856689e2>] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280
 [<ffffffff854d28a5>] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852
 [<ffffffff8566756f>] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [<ffffffff8566756f>] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240
 [<ffffffff856681ab>] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786
 [<ffffffff8542d015>] sock_sendmsg_nosec net/socket.c:609 [inline]
 [<ffffffff8542d015>] sock_sendmsg+0xb5/0xf0 net/socket.c:619
 [<ffffffff85430eea>] SYSC_sendto net/socket.c:1644 [inline]
 [<ffffffff85430eea>] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612
 [<ffffffff86759240>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 2978
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171cfce>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171cfce>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171cfce>] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555
 [<ffffffff817198bb>] slab_free_hook mm/slub.c:1356 [inline]
 [<ffffffff817198bb>] slab_free_freelist_hook mm/slub.c:1378 [inline]
 [<ffffffff817198bb>] slab_free mm/slub.c:2936 [inline]
 [<ffffffff817198bb>] kfree+0x11b/0x3a0 mm/slub.c:3856
 [<ffffffff8165a765>] kvfree+0x25/0x30 mm/util.c:329
 [<ffffffff854a7377>] netdev_freemem+0x47/0x60 net/core/dev.c:7562
 [<ffffffff854f8a2c>] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469
 [<ffffffff83453b51>] device_release+0x71/0x1e0 drivers/base/core.c:247
 [<ffffffff82e53e36>] kobject_cleanup lib/kobject.c:645 [inline]
 [<ffffffff82e53e36>] kobject_release lib/kobject.c:674 [inline]
 [<ffffffff82e53e36>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff82e53e36>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff82e53e36>] kobject_put+0x146/0x400 lib/kobject.c:691
 [<ffffffff854a6fe3>] netdev_run_todo+0x483/0x650 net/core/dev.c:7467
 [<ffffffff854cb279>] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104
 [<ffffffff8549995e>] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244
 [<ffffffff85471fc6>] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137
 [<ffffffff85474380>] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
 [<ffffffff8134eedd>] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096
 [<ffffffff8134fe2a>] worker_thread+0xda/0xf10 kernel/workqueue.c:2230
 [<ffffffff81360879>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff8675948f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393
Memory state around the buggy address:
 ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:103 [inline] at addr ffff8801362e3638
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x21c/0x250 kernel/locking/spinlock_debug.c:158 at addr ffff8801362e3638
Write of size 4 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88013bc07b90 ffffffff82e4dd32 ffff88013b802a80
 ffff8801362e2100 ffff8801362e4100 ffff8801362e2100 dffffc0000000000
 ffff88013bc07bb8 ffffffff8171d43c ffff88013bc07c48 ffff88013b802a80
Call Trace:
 <IRQ>  [<ffffffff82e4dd32>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff82e4dd32>] dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 [<ffffffff8171d43c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<ffffffff8171d6c2>] print_address_description mm/kasan/report.c:194 [inline]
 [<ffffffff8171d6c2>] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283
 [<ffffffff8171db9e>] kasan_report mm/kasan/report.c:303 [inline]
 [<ffffffff8171db9e>] __asan_report_store4_noabort+0x3e/0x40 mm/kasan/report.c:328
 [<ffffffff81415d0c>] debug_spin_unlock kernel/locking/spinlock_debug.c:103 [inline]
 [<ffffffff81415d0c>] do_raw_spin_unlock+0x21c/0x250 kernel/locking/spinlock_debug.c:158
 [<ffffffff86758552>] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline]
 [<ffffffff86758552>] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
 [<ffffffff85d3b6c1>] spin_unlock include/linux/spinlock.h:347 [inline]
 [<ffffffff85d3b6c1>] br_multicast_group_expired+0xc1/0x360 net/bridge/br_multicast.c:260
 [<ffffffff8146f5ef>] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298
 [<ffffffff8146fd5f>] expire_timers+0x28f/0x460 kernel/time/timer.c:1338
 [<ffffffff814700d6>] __run_timers kernel/time/timer.c:1627 [inline]
 [<ffffffff814700d6>] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640
 [<ffffffff8675c1bb>] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273
 [<ffffffff8131196f>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8131196f>] irq_exit+0x14f/0x190 kernel/softirq.c:391
 [<ffffffff8675b94b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff8675b94b>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
 [<ffffffff8675a9dc>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633
 <EOI>  [<ffffffff8122bdf6>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff811c316f>] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 [<ffffffff811c316f>] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
 [<ffffffff811c481a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
 [<ffffffff813f12c8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<ffffffff813f190c>] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
 [<ffffffff813f190c>] cpu_idle_loop kernel/sched/idle.c:244 [inline]
 [<ffffffff813f190c>] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293
 [<ffffffff867450a2>] rest_init+0x152/0x160 init/main.c:408
 [<ffffffff88adf557>] start_kernel+0x4fd/0x523 init/main.c:662
 [<ffffffff88ade2b0>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
 [<ffffffff88ade42e>] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176
Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192
Allocated:
PID = 7529
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171c97e>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171c97e>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171c97e>] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582
 [<ffffffff8171723f>] __kmalloc+0x15f/0x3c0 mm/slub.c:3719
 [<ffffffff8549cc00>] kmalloc include/linux/slab.h:495 [inline]
 [<ffffffff8549cc00>] kzalloc include/linux/slab.h:636 [inline]
 [<ffffffff8549cc00>] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610
 [<ffffffff854cc812>] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302
 [<ffffffff854dc645>] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547
 [<ffffffff854dce32>] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846
 [<ffffffff856689e2>] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280
 [<ffffffff854d28a5>] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852
 [<ffffffff8566756f>] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [<ffffffff8566756f>] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240
 [<ffffffff856681ab>] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786
 [<ffffffff8542d015>] sock_sendmsg_nosec net/socket.c:609 [inline]
 [<ffffffff8542d015>] sock_sendmsg+0xb5/0xf0 net/socket.c:619
 [<ffffffff85430eea>] SYSC_sendto net/socket.c:1644 [inline]
 [<ffffffff85430eea>] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612
 [<ffffffff86759240>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 2978
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171cfce>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171cfce>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171cfce>] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555
 [<ffffffff817198bb>] slab_free_hook mm/slub.c:1356 [inline]
 [<ffffffff817198bb>] slab_free_freelist_hook mm/slub.c:1378 [inline]
 [<ffffffff817198bb>] slab_free mm/slub.c:2936 [inline]
 [<ffffffff817198bb>] kfree+0x11b/0x3a0 mm/slub.c:3856
 [<ffffffff8165a765>] kvfree+0x25/0x30 mm/util.c:329
 [<ffffffff854a7377>] netdev_freemem+0x47/0x60 net/core/dev.c:7562
 [<ffffffff854f8a2c>] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469
 [<ffffffff83453b51>] device_release+0x71/0x1e0 drivers/base/core.c:247
 [<ffffffff82e53e36>] kobject_cleanup lib/kobject.c:645 [inline]
 [<ffffffff82e53e36>] kobject_release lib/kobject.c:674 [inline]
 [<ffffffff82e53e36>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff82e53e36>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff82e53e36>] kobject_put+0x146/0x400 lib/kobject.c:691
 [<ffffffff854a6fe3>] netdev_run_todo+0x483/0x650 net/core/dev.c:7467
 [<ffffffff854cb279>] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104
 [<ffffffff8549995e>] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244
 [<ffffffff85471fc6>] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137
 [<ffffffff85474380>] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
 [<ffffffff8134eedd>] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096
 [<ffffffff8134fe2a>] worker_thread+0xda/0xf10 kernel/workqueue.c:2230
 [<ffffffff81360879>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff8675948f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393
Memory state around the buggy address:
 ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] at addr ffff8801362e3634
BUG: KASAN: use-after-free in do_raw_spin_lock+0x28b/0x2f0 kernel/locking/spinlock_debug.c:135 at addr ffff8801362e3634
Read of size 4 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88013bc07b70 ffffffff82e4dd32 ffff88013b802a80
 ffff8801362e2100 ffff8801362e4100 0000000000000101 dffffc0000000000
 ffff88013bc07b98 ffffffff8171d43c ffff88013bc07c28 ffff88013b802a80
Call Trace:
 <IRQ>  [<ffffffff82e4dd32>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff82e4dd32>] dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 [<ffffffff8171d43c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<ffffffff8171d6c2>] print_address_description mm/kasan/report.c:194 [inline]
 [<ffffffff8171d6c2>] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283
 [<ffffffff8171da5e>] kasan_report mm/kasan/report.c:303 [inline]
 [<ffffffff8171da5e>] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:323
 [<ffffffff814159cb>] debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
 [<ffffffff814159cb>] do_raw_spin_lock+0x28b/0x2f0 kernel/locking/spinlock_debug.c:135
 [<ffffffff8675821e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff8675821e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff85d3b647>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff85d3b647>] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243
 [<ffffffff8146f5ef>] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298
 [<ffffffff8146fd5f>] expire_timers+0x28f/0x460 kernel/time/timer.c:1338
 [<ffffffff814700d6>] __run_timers kernel/time/timer.c:1627 [inline]
 [<ffffffff814700d6>] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640
 [<ffffffff8675c1bb>] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273
 [<ffffffff8131196f>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8131196f>] irq_exit+0x14f/0x190 kernel/softirq.c:391
 [<ffffffff8675b94b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff8675b94b>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
 [<ffffffff8675a9dc>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633
 <EOI>  [<ffffffff8122bdf6>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff811c316f>] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 [<ffffffff811c316f>] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
 [<ffffffff811c481a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
 [<ffffffff813f12c8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<ffffffff813f190c>] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
 [<ffffffff813f190c>] cpu_idle_loop kernel/sched/idle.c:244 [inline]
 [<ffffffff813f190c>] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293
 [<ffffffff867450a2>] rest_init+0x152/0x160 init/main.c:408
 [<ffffffff88adf557>] start_kernel+0x4fd/0x523 init/main.c:662
 [<ffffffff88ade2b0>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
 [<ffffffff88ade42e>] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176
Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192
Allocated:
PID = 7529
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171c97e>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171c97e>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171c97e>] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582
 [<ffffffff8171723f>] __kmalloc+0x15f/0x3c0 mm/slub.c:3719
 [<ffffffff8549cc00>] kmalloc include/linux/slab.h:495 [inline]
 [<ffffffff8549cc00>] kzalloc include/linux/slab.h:636 [inline]
 [<ffffffff8549cc00>] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610
 [<ffffffff854cc812>] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302
 [<ffffffff854dc645>] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547
 [<ffffffff854dce32>] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846
 [<ffffffff856689e2>] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280
 [<ffffffff854d28a5>] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852
 [<ffffffff8566756f>] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [<ffffffff8566756f>] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240
 [<ffffffff856681ab>] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786
 [<ffffffff8542d015>] sock_sendmsg_nosec net/socket.c:609 [inline]
 [<ffffffff8542d015>] sock_sendmsg+0xb5/0xf0 net/socket.c:619
 [<ffffffff85430eea>] SYSC_sendto net/socket.c:1644 [inline]
 [<ffffffff85430eea>] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612
 [<ffffffff86759240>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 2978
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171cfce>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171cfce>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171cfce>] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555
 [<ffffffff817198bb>] slab_free_hook mm/slub.c:1356 [inline]
 [<ffffffff817198bb>] slab_free_freelist_hook mm/slub.c:1378 [inline]
 [<ffffffff817198bb>] slab_free mm/slub.c:2936 [inline]
 [<ffffffff817198bb>] kfree+0x11b/0x3a0 mm/slub.c:3856
 [<ffffffff8165a765>] kvfree+0x25/0x30 mm/util.c:329
 [<ffffffff854a7377>] netdev_freemem+0x47/0x60 net/core/dev.c:7562
 [<ffffffff854f8a2c>] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469
 [<ffffffff83453b51>] device_release+0x71/0x1e0 drivers/base/core.c:247
 [<ffffffff82e53e36>] kobject_cleanup lib/kobject.c:645 [inline]
 [<ffffffff82e53e36>] kobject_release lib/kobject.c:674 [inline]
 [<ffffffff82e53e36>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff82e53e36>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff82e53e36>] kobject_put+0x146/0x400 lib/kobject.c:691
 [<ffffffff854a6fe3>] netdev_run_todo+0x483/0x650 net/core/dev.c:7467
 [<ffffffff854cb279>] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104
 [<ffffffff8549995e>] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244
 [<ffffffff85471fc6>] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137
 [<ffffffff85474380>] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
 [<ffffffff8134eedd>] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096
 [<ffffffff8134fe2a>] worker_thread+0xda/0xf10 kernel/workqueue.c:2230
 [<ffffffff81360879>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff8675948f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393
Memory state around the buggy address:
 ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:84 [inline] at addr ffff8801362e3640
BUG: KASAN: use-after-free in do_raw_spin_lock+0x2c1/0x2f0 kernel/locking/spinlock_debug.c:135 at addr ffff8801362e3640
Read of size 8 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88013bc07b70 ffffffff82e4dd32 ffff88013b802a80
 ffff8801362e2100 ffff8801362e4100 0000000000000101 dffffc0000000000
 ffff88013bc07b98 ffffffff8171d43c ffff88013bc07c28 ffff88013b802a80
Call Trace:
 <IRQ>  [<ffffffff82e4dd32>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff82e4dd32>] dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 [<ffffffff8171d43c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<ffffffff8171d6c2>] print_address_description mm/kasan/report.c:194 [inline]
 [<ffffffff8171d6c2>] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283
 [<ffffffff8171da9e>] kasan_report mm/kasan/report.c:303 [inline]
 [<ffffffff8171da9e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:324
 [<ffffffff81415a01>] debug_spin_lock_before kernel/locking/spinlock_debug.c:84 [inline]
 [<ffffffff81415a01>] do_raw_spin_lock+0x2c1/0x2f0 kernel/locking/spinlock_debug.c:135
 [<ffffffff8675821e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff8675821e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff85d3b647>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff85d3b647>] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243
 [<ffffffff8146f5ef>] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298
 [<ffffffff8146fd5f>] expire_timers+0x28f/0x460 kernel/time/timer.c:1338
 [<ffffffff814700d6>] __run_timers kernel/time/timer.c:1627 [inline]
 [<ffffffff814700d6>] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640
 [<ffffffff8675c1bb>] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273
 [<ffffffff8131196f>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8131196f>] irq_exit+0x14f/0x190 kernel/softirq.c:391
 [<ffffffff8675b94b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff8675b94b>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
 [<ffffffff8675a9dc>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633
 <EOI>  [<ffffffff8122bdf6>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff811c316f>] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 [<ffffffff811c316f>] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
 [<ffffffff811c481a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
 [<ffffffff813f12c8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<ffffffff813f190c>] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
 [<ffffffff813f190c>] cpu_idle_loop kernel/sched/idle.c:244 [inline]
 [<ffffffff813f190c>] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293
 [<ffffffff867450a2>] rest_init+0x152/0x160 init/main.c:408
 [<ffffffff88adf557>] start_kernel+0x4fd/0x523 init/main.c:662
 [<ffffffff88ade2b0>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
 [<ffffffff88ade42e>] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176
Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192
Allocated:
PID = 7529
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171c97e>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171c97e>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171c97e>] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582
 [<ffffffff8171723f>] __kmalloc+0x15f/0x3c0 mm/slub.c:3719
 [<ffffffff8549cc00>] kmalloc include/linux/slab.h:495 [inline]
 [<ffffffff8549cc00>] kzalloc include/linux/slab.h:636 [inline]
 [<ffffffff8549cc00>] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610
 [<ffffffff854cc812>] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302
 [<ffffffff854dc645>] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547
 [<ffffffff854dce32>] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846
 [<ffffffff856689e2>] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280
 [<ffffffff854d28a5>] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852
 [<ffffffff8566756f>] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [<ffffffff8566756f>] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240
 [<ffffffff856681ab>] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786
 [<ffffffff8542d015>] sock_sendmsg_nosec net/socket.c:609 [inline]
 [<ffffffff8542d015>] sock_sendmsg+0xb5/0xf0 net/socket.c:619
 [<ffffffff85430eea>] SYSC_sendto net/socket.c:1644 [inline]
 [<ffffffff85430eea>] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612
 [<ffffffff86759240>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 2978
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171cfce>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171cfce>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171cfce>] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555
 [<ffffffff817198bb>] slab_free_hook mm/slub.c:1356 [inline]
 [<ffffffff817198bb>] slab_free_freelist_hook mm/slub.c:1378 [inline]
 [<ffffffff817198bb>] slab_free mm/slub.c:2936 [inline]
 [<ffffffff817198bb>] kfree+0x11b/0x3a0 mm/slub.c:3856
 [<ffffffff8165a765>] kvfree+0x25/0x30 mm/util.c:329
 [<ffffffff854a7377>] netdev_freemem+0x47/0x60 net/core/dev.c:7562
 [<ffffffff854f8a2c>] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469
 [<ffffffff83453b51>] device_release+0x71/0x1e0 drivers/base/core.c:247
 [<ffffffff82e53e36>] kobject_cleanup lib/kobject.c:645 [inline]
 [<ffffffff82e53e36>] kobject_release lib/kobject.c:674 [inline]
 [<ffffffff82e53e36>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff82e53e36>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff82e53e36>] kobject_put+0x146/0x400 lib/kobject.c:691
 [<ffffffff854a6fe3>] netdev_run_todo+0x483/0x650 net/core/dev.c:7467
 [<ffffffff854cb279>] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104
 [<ffffffff8549995e>] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244
 [<ffffffff85471fc6>] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137
 [<ffffffff85474380>] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
 [<ffffffff8134eedd>] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096
 [<ffffffff8134fe2a>] worker_thread+0xda/0xf10 kernel/workqueue.c:2230
 [<ffffffff81360879>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff8675948f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393
Memory state around the buggy address:
 ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline] at addr ffff8801362e3638
BUG: KASAN: use-after-free in do_raw_spin_lock+0x2a5/0x2f0 kernel/locking/spinlock_debug.c:135 at addr ffff8801362e3638
Read of size 4 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88013bc07b70 ffffffff82e4dd32 ffff88013b802a80
 ffff8801362e2100 ffff8801362e4100 0000000000000101 dffffc0000000000
 ffff88013bc07b98 ffffffff8171d43c ffff88013bc07c28 ffff88013b802a80
Call Trace:
 <IRQ>  [<ffffffff82e4dd32>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff82e4dd32>] dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 [<ffffffff8171d43c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<ffffffff8171d6c2>] print_address_description mm/kasan/report.c:194 [inline]
 [<ffffffff8171d6c2>] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283
 [<ffffffff8171da5e>] kasan_report mm/kasan/report.c:303 [inline]
 [<ffffffff8171da5e>] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:323
 [<ffffffff814159e5>] debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
 [<ffffffff814159e5>] do_raw_spin_lock+0x2a5/0x2f0 kernel/locking/spinlock_debug.c:135
 [<ffffffff8675821e>] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [<ffffffff8675821e>] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [<ffffffff85d3b647>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff85d3b647>] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243
 [<ffffffff8146f5ef>] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298
 [<ffffffff8146fd5f>] expire_timers+0x28f/0x460 kernel/time/timer.c:1338
 [<ffffffff814700d6>] __run_timers kernel/time/timer.c:1627 [inline]
 [<ffffffff814700d6>] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640
 [<ffffffff8675c1bb>] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273
 [<ffffffff8131196f>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8131196f>] irq_exit+0x14f/0x190 kernel/softirq.c:391
 [<ffffffff8675b94b>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff8675b94b>] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
 [<ffffffff8675a9dc>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633
 <EOI>  [<ffffffff8122bdf6>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff811c316f>] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 [<ffffffff811c316f>] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
 [<ffffffff811c481a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
 [<ffffffff813f12c8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<ffffffff813f190c>] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
 [<ffffffff813f190c>] cpu_idle_loop kernel/sched/idle.c:244 [inline]
 [<ffffffff813f190c>] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293
 [<ffffffff867450a2>] rest_init+0x152/0x160 init/main.c:408
 [<ffffffff88adf557>] start_kernel+0x4fd/0x523 init/main.c:662
 [<ffffffff88ade2b0>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
 [<ffffffff88ade42e>] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176
Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192
Allocated:
PID = 7529
 [<ffffffff811d45c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8171c97e>] save_stack mm/kasan/kasan.c:479 [inline]
 [<ffffffff8171c97e>] set_track mm/kasan/kasan.c:491 [inline]
 [<ffffffff8171c97e>] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582
 [<ffffffff8171723f>] __kmalloc+0x15f/0x3c0 mm/slub.c:3719
 [<ffffffff8549cc00>] kmalloc include/linux/slab.h:495 [inline]
 [<ffffffff8549cc00>] kzalloc include/linux/slab.h:636 [inline]
 [<ffffffff8549cc00>] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610