bisecting cause commit starting from d887ae3247e022183f244cb325dca1dfbd0a9ed0
building syzkaller on 744a39e220cece33e207035facce6c5ae161b775
testing commit d887ae3247e022183f244cb325dca1dfbd0a9ed0
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4363e15805a00c00bccdf92231fee9c10a02116adafb128565639571de6704e4
all runs: crashed: KASAN: use-after-free Read in nf_confirm
testing release v5.17
testing commit f443e374ae131c168a065ea1748feac6b2e76613
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4f6fe75e1d58d296fb3acceed1bd0275e8a1210415bde93908afb7f6a8eb5216
all runs: OK
# git bisect start d887ae3247e022183f244cb325dca1dfbd0a9ed0 f443e374ae131c168a065ea1748feac6b2e76613
Bisecting: 8195 revisions left to test after this (roughly 13 steps)
[b14ffae378aa1db993e62b01392e70d1e585fb23] Merge tag 'drm-next-2022-03-24' of git://anongit.freedesktop.org/drm/drm

testing commit b14ffae378aa1db993e62b01392e70d1e585fb23
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e210d570ed9b64c84e2fa0d930141586e7a299adbf349a3adcd757c2a9c5474e
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good b14ffae378aa1db993e62b01392e70d1e585fb23
Bisecting: 4058 revisions left to test after this (roughly 12 steps)
[95124339875c8d9c092eb2fa3993e4751e1be48d] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux

testing commit 95124339875c8d9c092eb2fa3993e4751e1be48d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4ad136d88f90c2f173504d29800b60eec0e8ef6f133938d28ff6639c49f25baf
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 95124339875c8d9c092eb2fa3993e4751e1be48d
Bisecting: 2019 revisions left to test after this (roughly 11 steps)
[249aca0d3d631660aa3583c6a3559b75b6e971b4] Merge tag 'net-5.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

testing commit 249aca0d3d631660aa3583c6a3559b75b6e971b4
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a2a9992cf2502e45e1a91cb86128ff09001a53233a8c92d8dff6d4e7dbd7353a
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 249aca0d3d631660aa3583c6a3559b75b6e971b4
Bisecting: 953 revisions left to test after this (roughly 10 steps)
[f43f0cd2d9b07caf38d744701b0b54d4244da8cc] Merge tag 'wireless-next-2022-05-03' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next

testing commit f43f0cd2d9b07caf38d744701b0b54d4244da8cc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 976ea11b00ae89cfe0e18433a60c25453b1d1d0755d6589b438f634a53113150
all runs: OK
# git bisect good f43f0cd2d9b07caf38d744701b0b54d4244da8cc
Bisecting: 476 revisions left to test after this (roughly 9 steps)
[05a8d7d4fadfc0ab65c6e8d81f8a02484d8db116] mlxsw: spectrum: Update a comment

testing commit 05a8d7d4fadfc0ab65c6e8d81f8a02484d8db116
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7383fa71bc933b5baa70bb6f02e83155c2fe9bdeacafa3d7fb8f3cef821bf5a0
all runs: OK
# git bisect good 05a8d7d4fadfc0ab65c6e8d81f8a02484d8db116
Bisecting: 255 revisions left to test after this (roughly 8 steps)
[f3f19f939c11925dadd3f4776f99f8c278a7017b] Merge tag 'net-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

testing commit f3f19f939c11925dadd3f4776f99f8c278a7017b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2820ed7a8fe4544d0919bf9ac4b1f5a5547261d934ea2fc80d08ad8ef473f431
all runs: OK
# git bisect good f3f19f939c11925dadd3f4776f99f8c278a7017b
Bisecting: 127 revisions left to test after this (roughly 7 steps)
[f4826443f4d69d2c97c184952c085caf0936a7b8] mlxbf_gige: remove driver-managed interrupt counts

testing commit f4826443f4d69d2c97c184952c085caf0936a7b8
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 710ae32fcff3575f178efabbc094afae8a5e70e834dc02986d70f3e8ef602f5f
all runs: OK
# git bisect good f4826443f4d69d2c97c184952c085caf0936a7b8
Bisecting: 65 revisions left to test after this (roughly 6 steps)
[d9713088158b23973266e07fdc85ff7d68791a8c] ice: Expose RSS indirection tables for queue groups via ethtool

testing commit d9713088158b23973266e07fdc85ff7d68791a8c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9d70bd8195796e55ff8504103ce545b1cfce5e024190b05ec6260fb538f17771
all runs: OK
# git bisect good d9713088158b23973266e07fdc85ff7d68791a8c
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[80e425b613421911f89664663a7060216abcaed2] ipv6: Add hop-by-hop header to jumbograms in ip6_output

testing commit 80e425b613421911f89664663a7060216abcaed2
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9425cff94b17e3cff0c41aa3c07a8afc3c07c87ad6c343818daee81280c01cef
all runs: crashed: KASAN: use-after-free Read in nf_confirm
# git bisect bad 80e425b613421911f89664663a7060216abcaed2
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[3412e16418286bdc12561827cbd22f94cb8af5e1] netfilter: flowtable: nft_flow_route use more data for reverse route

testing commit 3412e16418286bdc12561827cbd22f94cb8af5e1
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1cff2a275e990c8f3ef19b687429ddafda9c05528bae7071aa2cdead32ebe792
all runs: crashed: KASAN: use-after-free Read in nf_confirm
# git bisect bad 3412e16418286bdc12561827cbd22f94cb8af5e1
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[ace53fdc262fa6751acd3d61f3236f84ae3340f1] netfilter: conntrack: remove __nf_ct_unconfirmed_destroy

testing commit ace53fdc262fa6751acd3d61f3236f84ae3340f1
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ab4e79ac434c9bf3c4f8d4da83da66dac5aff8f564e76b2f9afffd05101bba05
all runs: crashed: KASAN: use-after-free Read in nf_ct_deliver_cached_events
# git bisect bad ace53fdc262fa6751acd3d61f3236f84ae3340f1
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[78222bacfca97cb18505df1ba5f3591864498a7e] netfilter: cttimeout: decouple unlink and free on netns destruction

testing commit 78222bacfca97cb18505df1ba5f3591864498a7e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e3790d4b60016df2867b94770cabb7ece463ee4bfbdd5d76fb81969f5a80c752
all runs: crashed: KASAN: use-after-free Read in nf_ct_deliver_cached_events
# git bisect bad 78222bacfca97cb18505df1ba5f3591864498a7e
Bisecting: 1 revision left to test after this (roughly 1 step)
[0d3cc504ba9cdcff76346306c37eb1ea01e60a86] netfilter: conntrack: include ecache dying list in dumps

testing commit 0d3cc504ba9cdcff76346306c37eb1ea01e60a86
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a6a599c4c5936c0753244bc3ed21be5e60882c6b6ebee5b8c38aed35b8316a94
all runs: OK
# git bisect good 0d3cc504ba9cdcff76346306c37eb1ea01e60a86
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912] netfilter: conntrack: remove the percpu dying list

testing commit 1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 28904e6b28783ba7cc99ab18324eac46cfaca699e9a73d800e624a5dcd15487b
all runs: crashed: KASAN: use-after-free Read in nf_ct_deliver_cached_events
# git bisect bad 1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912
1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912 is the first bad commit
commit 1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912
Author: Florian Westphal <fw@strlen.de>
Date:   Mon Apr 11 13:01:18 2022 +0200

    netfilter: conntrack: remove the percpu dying list
    
    Its no longer needed. Entries that need event redelivery are placed
    on the new pernet dying list.
    
    The advantage is that there is no need to take additional spinlock on
    conntrack removal unless event redelivery failed or the conntrack entry
    was never added to the table in the first place (confirmed bit not set).
    
    The IPS_CONFIRMED bit now needs to be set as soon as the entry has been
    unlinked from the unconfirmed list, else the destroy function may
    attempt to unlink it a second time.
    
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 include/net/netns/conntrack.h        |  1 -
 net/netfilter/nf_conntrack_core.c    | 35 ++++++-----------------------------
 net/netfilter/nf_conntrack_ecache.c  |  1 -
 net/netfilter/nf_conntrack_netlink.c | 23 +++++++----------------
 4 files changed, 13 insertions(+), 47 deletions(-)

culprit signature: 28904e6b28783ba7cc99ab18324eac46cfaca699e9a73d800e624a5dcd15487b
parent  signature: a6a599c4c5936c0753244bc3ed21be5e60882c6b6ebee5b8c38aed35b8316a94
revisions tested: 16, total time: 3h48m23.493134599s (build: 1h37m24.089727651s, test: 2h9m26.825446201s)
first bad commit: 1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912 netfilter: conntrack: remove the percpu dying list
recipients (to): ["coreteam@netfilter.org" "davem@davemloft.net" "fw@strlen.de" "fw@strlen.de" "kadlec@netfilter.org" "kuba@kernel.org" "netdev@vger.kernel.org" "netfilter-devel@vger.kernel.org" "pabeni@redhat.com" "pablo@netfilter.org" "pablo@netfilter.org"]
recipients (cc): ["ali.abdallah@suse.com" "linux-kernel@vger.kernel.org" "ozsh@nvidia.com" "paulb@nvidia.com"]
crash: KASAN: use-after-free Read in nf_ct_deliver_cached_events
==================================================================
BUG: KASAN: use-after-free in __nf_ct_ext_exist include/net/netfilter/nf_conntrack_extend.h:57 [inline]
BUG: KASAN: use-after-free in nf_ct_ext_exist include/net/netfilter/nf_conntrack_extend.h:62 [inline]
BUG: KASAN: use-after-free in __nf_ct_ext_find include/net/netfilter/nf_conntrack_extend.h:67 [inline]
BUG: KASAN: use-after-free in nf_ct_ecache_find include/net/netfilter/nf_conntrack_ecache.h:33 [inline]
BUG: KASAN: use-after-free in nf_ct_deliver_cached_events+0x1e0/0x210 net/netfilter/nf_conntrack_ecache.c:213
Read of size 1 at addr ffff88806db27004 by task syz-executor.0/4322

CPU: 1 PID: 4322 Comm: syz-executor.0 Not tainted 5.18.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 __nf_ct_ext_exist include/net/netfilter/nf_conntrack_extend.h:57 [inline]
 nf_ct_ext_exist include/net/netfilter/nf_conntrack_extend.h:62 [inline]
 __nf_ct_ext_find include/net/netfilter/nf_conntrack_extend.h:67 [inline]
 nf_ct_ecache_find include/net/netfilter/nf_conntrack_ecache.h:33 [inline]
 nf_ct_deliver_cached_events+0x1e0/0x210 net/netfilter/nf_conntrack_ecache.c:213
 nf_conntrack_confirm include/net/netfilter/nf_conntrack_core.h:64 [inline]
 nf_confirm+0x2ad/0x390 net/netfilter/nf_conntrack_proto.c:154
 nf_hook_entry_hookfn include/linux/netfilter.h:142 [inline]
 nf_hook_slow+0xaf/0x160 net/netfilter/core.c:620
 nf_hook+0x186/0x490 include/linux/netfilter.h:262
 NF_HOOK_COND include/linux/netfilter.h:295 [inline]
 ip_output+0x1c0/0x2a0 net/ipv4/ip_output.c:430
 dst_output include/net/dst.h:451 [inline]
 ip_local_out net/ipv4/ip_output.c:126 [inline]
 ip_send_skb+0x9f/0x1c0 net/ipv4/ip_output.c:1571
 udp_send_skb+0x927/0x1460 net/ipv4/udp.c:967
 udp_sendmsg+0x16f7/0x2040 net/ipv4/udp.c:1254
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xab/0xe0 net/socket.c:725
 rxrpc_send_abort_packet+0x419/0x6a0 net/rxrpc/output.c:330
 rxrpc_release_calls_on_socket+0x1d7/0x2f0 net/rxrpc/call_object.c:606
 rxrpc_release_sock net/rxrpc/af_rxrpc.c:886 [inline]
 rxrpc_release+0x23a/0x530 net/rxrpc/af_rxrpc.c:917
 __sock_release+0xbb/0x270 net/socket.c:650
 sock_close+0xf/0x20 net/socket.c:1318
 __fput+0x1f5/0x8c0 fs/file_table.c:317
 task_work_run+0xc0/0x160 kernel/task_work.c:164
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
 exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7efe9de3bd2b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007fffa1639730 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 00007efe9de3bd2b
RDX: 00007efe9dfa0e28 RSI: ffffffffffffffff RDI: 0000000000000005
RBP: 00007efe9df9d960 R08: 0000000000000000 R09: 00007efe9dfa0e30
R10: 00007fffa1639830 R11: 0000000000000293 R12: 0000000000013ece
R13: 00007fffa1639830 R14: 00007efe9df9bf60 R15: 0000000000000032
 </TASK>

Allocated by task 4322:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_krealloc+0x10e/0x190 mm/kasan/common.c:583
 kasan_krealloc include/linux/kasan.h:254 [inline]
 __do_krealloc mm/slab_common.c:1180 [inline]
 krealloc+0x54/0xf0 mm/slab_common.c:1217
 nf_ct_ext_add+0x167/0x3a0 net/netfilter/nf_conntrack_extend.c:115
 nf_ct_ecache_ext_add include/net/netfilter/nf_conntrack_ecache.h:53 [inline]
 init_conntrack.constprop.0+0x4ea/0x1190 net/netfilter/nf_conntrack_core.c:1717
 resolve_normal_ct net/netfilter/nf_conntrack_core.c:1807 [inline]
 nf_conntrack_in+0xc2b/0x1370 net/netfilter/nf_conntrack_core.c:1962
 nf_hook_entry_hookfn include/linux/netfilter.h:142 [inline]
 nf_hook_slow+0xaf/0x160 net/netfilter/core.c:620
 nf_hook+0x186/0x490 include/linux/netfilter.h:262
 __ip_local_out+0x20f/0x450 net/ipv4/ip_output.c:115
 ip_local_out net/ipv4/ip_output.c:124 [inline]
 ip_send_skb+0x42/0x1c0 net/ipv4/ip_output.c:1571
 udp_send_skb+0x927/0x1460 net/ipv4/udp.c:967
 udp_sendmsg+0x16f7/0x2040 net/ipv4/udp.c:1254
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xab/0xe0 net/socket.c:725
 rxrpc_send_abort_packet+0x419/0x6a0 net/rxrpc/output.c:330
 rxrpc_release_calls_on_socket+0x1d7/0x2f0 net/rxrpc/call_object.c:606
 rxrpc_release_sock net/rxrpc/af_rxrpc.c:886 [inline]
 rxrpc_release+0x23a/0x530 net/rxrpc/af_rxrpc.c:917
 __sock_release+0xbb/0x270 net/socket.c:650
 sock_close+0xf/0x20 net/socket.c:1318
 __fput+0x1f5/0x8c0 fs/file_table.c:317
 task_work_run+0xc0/0x160 kernel/task_work.c:164
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
 exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 4322:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0x166/0x1a0 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:200 [inline]
 slab_free_hook mm/slub.c:1728 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754
 slab_free mm/slub.c:3510 [inline]
 kfree+0xd6/0x4d0 mm/slub.c:4552
 nf_conntrack_free+0xcf/0x480 net/netfilter/nf_conntrack_core.c:1662
 nf_ct_put include/net/netfilter/nf_conntrack.h:185 [inline]
 nf_ct_put include/net/netfilter/nf_conntrack.h:182 [inline]
 __nf_ct_resolve_clash+0x424/0x53b net/netfilter/nf_conntrack_core.c:1009
 nf_ct_resolve_clash+0x136/0x8c3 net/netfilter/nf_conntrack_core.c:1132
 __nf_conntrack_confirm.cold+0x11/0x23d net/netfilter/nf_conntrack_core.c:1266
 nf_conntrack_confirm include/net/netfilter/nf_conntrack_core.h:62 [inline]
 nf_confirm+0x301/0x390 net/netfilter/nf_conntrack_proto.c:154
 nf_hook_entry_hookfn include/linux/netfilter.h:142 [inline]
 nf_hook_slow+0xaf/0x160 net/netfilter/core.c:620
 nf_hook+0x186/0x490 include/linux/netfilter.h:262
 NF_HOOK_COND include/linux/netfilter.h:295 [inline]
 ip_output+0x1c0/0x2a0 net/ipv4/ip_output.c:430
 dst_output include/net/dst.h:451 [inline]
 ip_local_out net/ipv4/ip_output.c:126 [inline]
 ip_send_skb+0x9f/0x1c0 net/ipv4/ip_output.c:1571
 udp_send_skb+0x927/0x1460 net/ipv4/udp.c:967
 udp_sendmsg+0x16f7/0x2040 net/ipv4/udp.c:1254
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xab/0xe0 net/socket.c:725
 rxrpc_send_abort_packet+0x419/0x6a0 net/rxrpc/output.c:330
 rxrpc_release_calls_on_socket+0x1d7/0x2f0 net/rxrpc/call_object.c:606
 rxrpc_release_sock net/rxrpc/af_rxrpc.c:886 [inline]
 rxrpc_release+0x23a/0x530 net/rxrpc/af_rxrpc.c:917
 __sock_release+0xbb/0x270 net/socket.c:650
 sock_close+0xf/0x20 net/socket.c:1318
 __fput+0x1f5/0x8c0 fs/file_table.c:317
 task_work_run+0xc0/0x160 kernel/task_work.c:164
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
 exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88806db27000
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 4 bytes inside of
 128-byte region [ffff88806db27000, ffff88806db27080)

The buggy address belongs to the physical page:
page:ffffea0001b6c9c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6db27
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0001c4fb40 dead000000000003 ffff8880100418c0
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 3704, tgid 3704 (dhcpcd-run-hook), ts 47898811933, free_ts 47895117148
 prep_new_page mm/page_alloc.c:2441 [inline]
 get_page_from_freelist+0x178d/0x3dc0 mm/page_alloc.c:4182
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408
 __alloc_pages_node include/linux/gfp.h:587 [inline]
 alloc_slab_page mm/slub.c:1801 [inline]
 allocate_slab+0x80/0x3c0 mm/slub.c:1944
 new_slab mm/slub.c:2004 [inline]
 ___slab_alloc+0x8e1/0xf20 mm/slub.c:3005
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092
 slab_alloc_node mm/slub.c:3183 [inline]
 __kmalloc_node+0x2cb/0x390 mm/slub.c:4458
 kmalloc_array_node include/linux/slab.h:676 [inline]
 kcalloc_node include/linux/slab.h:681 [inline]
 memcg_alloc_slab_cgroups+0x8b/0x140 mm/memcontrol.c:2800
 account_slab mm/slab.h:652 [inline]
 allocate_slab+0x2c9/0x3c0 mm/slub.c:1960
 new_slab mm/slub.c:2004 [inline]
 ___slab_alloc+0x8e1/0xf20 mm/slub.c:3005
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092
 slab_alloc_node mm/slub.c:3183 [inline]
 slab_alloc mm/slub.c:3225 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3232 [inline]
 kmem_cache_alloc+0x360/0x3b0 mm/slub.c:3242
 vm_area_dup+0x83/0x380 kernel/fork.c:467
 dup_mmap kernel/fork.c:643 [inline]
 dup_mm+0x4da/0x10c0 kernel/fork.c:1521
 copy_mm kernel/fork.c:1573 [inline]
 copy_process+0x602d/0x68e0 kernel/fork.c:2234
 kernel_clone+0xb8/0x7f0 kernel/fork.c:2639
 __do_sys_clone+0xaf/0xf0 kernel/fork.c:2756
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1356 [inline]
 free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1406
 free_unref_page_prepare mm/page_alloc.c:3328 [inline]
 free_unref_page_list+0x16f/0xf80 mm/page_alloc.c:3460
 release_pages+0x6f1/0x1780 mm/swap.c:980
 tlb_batch_pages_flush mm/mmu_gather.c:50 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:243 [inline]
 tlb_flush_mmu mm/mmu_gather.c:250 [inline]
 tlb_finish_mmu+0x127/0x790 mm/mmu_gather.c:341
 exit_mmap+0x19d/0x3f0 mm/mmap.c:3150
 __mmput+0xed/0x430 kernel/fork.c:1183
 exit_mm kernel/exit.c:510 [inline]
 do_exit+0x8e9/0x2470 kernel/exit.c:782
 do_group_exit+0xb2/0x2a0 kernel/exit.c:925
 __do_sys_exit_group kernel/exit.c:936 [inline]
 __se_sys_exit_group kernel/exit.c:934 [inline]
 __x64_sys_exit_group+0x35/0x40 kernel/exit.c:934
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff88806db26f00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
 ffff88806db26f80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
>ffff88806db27000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88806db27080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88806db27100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================