bisecting cause commit starting from 0be0ee71816b2b6725e2b4f32ad6726c9d729777
building syzkaller on f746151a9375b5b700196314d9e5f308b81e729f
testing commit 0be0ee71816b2b6725e2b4f32ad6726c9d729777 with gcc (GCC) 8.1.0
kernel signature: 9a0fc581972034262c2e20bf18318adb4ba87e8a
all runs: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 4f6ac1ee92b8a19f9106a67dacbc0ce18bf7ec2f
all runs: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: a35c68116e01165ef7229e95f071c951db4f2b3e
all runs: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: 4e58f8a8d5ce93e0da6453ed97201d582f647a56
all runs: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
kernel signature: 0d3271b4959d293e3c6618aaf0a698185c1db001
all runs: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
kernel signature: 46ea16584a779b7c14bc42a0ceb237bd9c8b79c5
all runs: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
kernel signature: 443d62d250653a315bedc7fb4a7a50b06c47b5b4
all runs: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
kernel signature: a7e878308121e0e871343100c7c508d2d62c3ae8
all runs: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
kernel signature: d25387ecfd45d57d13c33a1b1b9cd56ffaa6b0fd
all runs: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
kernel signature: 5b85429b897cd8e768f9546ea219f7c0785c8e6a
all runs: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
kernel signature: f020da70d86da3660275e23dc780fc545f15990f
all runs: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
kernel signature: b5309a7731e2b39137e304d0e6cf0643ef69a5d1
all runs: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0
kernel signature: a61d8d17ebff975f1f84555f780aa29cb525c508
run #0: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #1: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #2: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #3: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #4: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.13
testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0
kernel signature: 458bfff6ad2eea0d07301aa7e70db8fec4e1272e
run #0: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #1: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #2: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #3: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.12
testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0
kernel signature: fc52a7d1b9d106aa158b9ad0e57261c86da9bb77
all runs: OK
# git bisect start 569dbb88e80deb68974ef6fdd6a13edb9d686261 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c
Bisecting: 7028 revisions left to test after this (roughly 13 steps)
[ac7b75966c9c86426b55fe1c50ae148aa4571075] Merge tag 'pinctrl-v4.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit ac7b75966c9c86426b55fe1c50ae148aa4571075 with gcc (GCC) 8.1.0
kernel signature: 9e38235aa99fbc053b7c4271a7cf5723c60d2837
all runs: OK
# git bisect good ac7b75966c9c86426b55fe1c50ae148aa4571075
Bisecting: 3520 revisions left to test after this (roughly 12 steps)
[9c284c41c0886f09e75c323a16278b6d353b0b4a] mmc: tmio-mmc: fix bad pointer math
testing commit 9c284c41c0886f09e75c323a16278b6d353b0b4a with gcc (GCC) 8.1.0
kernel signature: 2728fa2295df6da9d4741974eaaf0e65d4a36ab4
all runs: OK
# git bisect good 9c284c41c0886f09e75c323a16278b6d353b0b4a
Bisecting: 1754 revisions left to test after this (roughly 11 steps)
[505d5c11192960a3f0639d1d9e05dffeddd4e874] Merge tag 'nfs-for-4.13-2' of git://git.linux-nfs.org/projects/anna/linux-nfs
testing commit 505d5c11192960a3f0639d1d9e05dffeddd4e874 with gcc (GCC) 8.1.0
kernel signature: 579dab221e44a47c326aebc93441e890e86d3f55
run #0: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #1: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #2: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #3: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 505d5c11192960a3f0639d1d9e05dffeddd4e874
Bisecting: 909 revisions left to test after this (roughly 10 steps)
[62403005975c678ba7594a36670ae3bf0273d7c4] Merge tag 'nfsd-4.13' of git://linux-nfs.org/~bfields/linux
testing commit 62403005975c678ba7594a36670ae3bf0273d7c4 with gcc (GCC) 8.1.0
kernel signature: 1481ceafca7627290cbb37ddc5e4517b0bd30b75
run #0: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #1: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #2: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #3: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #4: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #5: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #6: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #7: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #8: OK
run #9: OK
# git bisect bad 62403005975c678ba7594a36670ae3bf0273d7c4
Bisecting: 430 revisions left to test after this (roughly 9 steps)
[38f7d2da4e39d454f2cb3e7c1ae35afde3d61123] Merge tag 'pwm/for-4.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm
testing commit 38f7d2da4e39d454f2cb3e7c1ae35afde3d61123 with gcc (GCC) 8.1.0
kernel signature: e3225f81bf0c5eec10642552f494b87a1b367750
all runs: OK
# git bisect good 38f7d2da4e39d454f2cb3e7c1ae35afde3d61123
Bisecting: 212 revisions left to test after this (roughly 8 steps)
[6735a1971a00a29a96aa3ea5dc08912bfee95c51] Merge tag 'platform-drivers-x86-v4.13-2' of git://git.infradead.org/linux-platform-drivers-x86
testing commit 6735a1971a00a29a96aa3ea5dc08912bfee95c51 with gcc (GCC) 8.1.0
kernel signature: 0b1d158135b5cc30246f1d78f370e3f8ff3967f7
all runs: OK
# git bisect good 6735a1971a00a29a96aa3ea5dc08912bfee95c51
Bisecting: 100 revisions left to test after this (roughly 7 steps)
[bc0f51d35994bc14ae9bebadc9523399711fedf8] Merge tag 'trace-v4.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
testing commit bc0f51d35994bc14ae9bebadc9523399711fedf8 with gcc (GCC) 8.1.0
kernel signature: 938aff69b0b7efa3b2ecd5037c076987d8067226
run #0: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #1: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #2: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #3: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad bc0f51d35994bc14ae9bebadc9523399711fedf8
Bisecting: 55 revisions left to test after this (roughly 6 steps)
[a10a842ff81a7e3810817b3b04e4c432b6191e21] kernel/watchdog: provide watchdog_nmi_reconfigure() for arch watchdogs
testing commit a10a842ff81a7e3810817b3b04e4c432b6191e21 with gcc (GCC) 8.1.0
kernel signature: 512bb74a6f8b4b909008d7653d1c979d9bafa1d5
run #0: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #1: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #2: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #3: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #4: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #5: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #6: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #7: OK
run #8: OK
run #9: OK
# git bisect bad a10a842ff81a7e3810817b3b04e4c432b6191e21
Bisecting: 27 revisions left to test after this (roughly 5 steps)
[77493f04b74cdff3a61fb3fb14b1f5a71d88fd5f] procfs: fdinfo: extend information about epoll target files
testing commit 77493f04b74cdff3a61fb3fb14b1f5a71d88fd5f with gcc (GCC) 8.1.0
kernel signature: ae3131113bd8e5eff06c5325df74f2c00cd72db5
all runs: OK
# git bisect good 77493f04b74cdff3a61fb3fb14b1f5a71d88fd5f
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[52f908904e7e05b6300162faa48152df073be645] ipc/msg: avoid ipc_rcu_alloc()
testing commit 52f908904e7e05b6300162faa48152df073be645 with gcc (GCC) 8.1.0
kernel signature: 72a83293e8daa37cb49aca2e5627413c2bb61ced
run #0: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #1: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #2: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #3: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #4: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #5: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 52f908904e7e05b6300162faa48152df073be645
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[f8dbe8d290637ac3f68600e30d092393fe9b40a5] ipc: drop non-RCU allocation
testing commit f8dbe8d290637ac3f68600e30d092393fe9b40a5 with gcc (GCC) 8.1.0
kernel signature: 5d05c6a90af96031b13abfbaa9fa364a5faaff6a
run #0: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #1: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #2: crashed: no output from test machine
run #3: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #4: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #5: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #6: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #7: OK
run #8: OK
run #9: OK
# git bisect bad f8dbe8d290637ac3f68600e30d092393fe9b40a5
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[e41d58185f1444368873d4d7422f7664a68be61d] fault-inject: support systematic fault injection
testing commit e41d58185f1444368873d4d7422f7664a68be61d with gcc (GCC) 8.1.0
kernel signature: dc0df7c2e74038df09ee58f45aa5a5d307fc9790
run #0: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #1: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #2: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #3: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #4: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #5: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #6: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #7: crashed: KASAN: use-after-free Write in qdisc_class_hash_insert
run #8: OK
run #9: OK
# git bisect bad e41d58185f1444368873d4d7422f7664a68be61d
Bisecting: 0 revisions left to test after this (roughly 1 step)
[92ef6da3d06ff551a86de41ae37df9cc4b58d7a0] kcmp: fs/epoll: wrap kcmp code with CONFIG_CHECKPOINT_RESTORE
testing commit 92ef6da3d06ff551a86de41ae37df9cc4b58d7a0 with gcc (GCC) 8.1.0
kernel signature: 546ddbdda5e33ce8ac9e315c8c866d45f48b5ff0
all runs: OK
# git bisect good 92ef6da3d06ff551a86de41ae37df9cc4b58d7a0
e41d58185f1444368873d4d7422f7664a68be61d is the first bad commit
commit e41d58185f1444368873d4d7422f7664a68be61d
Author: Dmitry Vyukov
Date:   Wed Jul 12 14:34:35 2017 -0700

    fault-inject: support systematic fault injection

    Add /proc/self/task//fail-nth file that allows failing 0-th, 1-st, 2-nd
    and so on calls systematically.

    Excerpt from the added documentation:

    "Write to this file of integer N makes N-th call in the current task fail
    (N is 0-based). Read from this file returns a single char 'Y' or 'N' that
    says if the fault setup with a previous write to this file was injected
    or not, and disables the fault if it wasn't yet injected. Note that this
    file enables all types of faults (slab, futex, etc). This setting takes
    precedence over all other generic settings like probability, interval,
    times, etc. But per-capability settings (e.g. fail_futex/ignore-private)
    take precedence over it. This feature is intended for systematic testing
    of faults in a single system call. See an example below"

    Why add a new setting:

    1. Existing settings are global rather than per-task. So parallel
       testing is not possible.

    2. attr->interval is close but it depends on attr->count which is not
       reset to 0, so interval does not work as expected.

    3. Trying to model this with existing settings requires manipulations
       of all of probability, interval, times, space, task-filter and
       unexposed count and per-task make-it-fail files.

    4. Existing settings are per-failure-type, and the set of failure types
       is potentially expanding.

    5. make-it-fail can't be changed by unprivileged user and aggressive
       stress testing better be done from an unprivileged user. Similarly,
       this would require opening the debugfs files to the unprivileged
       user, as he would need to reopen at least times file (not possible
       to pre-open before dropping privs).

    The proposed interface solves all of the above (see the example).

    We want to integrate this into syzkaller fuzzer. A prototype has found
    10 bugs in kernel in first day of usage:

    https://groups.google.com/forum/#!searchin/syzkaller/%22FAULT_INJECTION%22%7Csort:relevance

    I've made the current interface work with all types of our sandboxes.
    For setuid the secret sauce was prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) to
    make /proc entries non-root owned. So I am fine with the current version
    of the code.

    [akpm@linux-foundation.org: fix build]
    Link: http://lkml.kernel.org/r/20170328130128.101773-1-dvyukov@google.com
    Signed-off-by: Dmitry Vyukov
    Cc: Akinobu Mita
    Cc: Michal Hocko
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

:040000 040000 5ff23b4f717faa09a3a303c852d1f879e5c93424 dee40d91ff399cf23471067637b29ba5e1d89733 M	Documentation
:040000 040000 27977119aa5c7d9e92fc80003c42eb2b4f32cd8a 17fc845fd59fd4d9cd4b38fc91096cf8dfa8cbe3 M	fs
:040000 040000 ed948d2418da0ee21a502e292d26d30545d58083 67b2b84dc7ad4f73ffe68c2027ef782fb3f91120 M	include
:040000 040000 5a5aae0ff0d0ab5471e6a7da1dade99054f3438d 5649fd62cab2718586583d958d93c058385fdd52 M	kernel
:040000 040000 1394cb104a7599e44373b833e369563c29cb2560 d6b4eb0e7b6f9335a6e35b9dbe3f136c0c8dc3b7 M	lib
kernel signature: dc0df7c2e74038df09ee58f45aa5a5d307fc9790
previous signature: 546ddbdda5e33ce8ac9e315c8c866d45f48b5ff0
revisions tested: 28, total time: 6h12m36.752117717s (build: 2h26m31.935054593s, test: 3h38m59.55641971s)
first bad commit: e41d58185f1444368873d4d7422f7664a68be61d fault-inject: support systematic fault injection
cc: ["akinobu.mita@gmail.com" "akpm@linux-foundation.org" "dvyukov@google.com" "mhocko@kernel.org" "torvalds@linux-foundation.org"]
crash: KASAN: use-after-free Write in qdisc_class_hash_insert
RBP: 0000000000000082 R08: 0000000000000001 R09: 0000000000400037
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000404810 R14: 0000000000000000 R15: 0000000000000000
8021q: adding VLAN 0 to HW filter on device batadv0
==================================================================
BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:673 [inline]
BUG: KASAN: use-after-free in qdisc_class_hash_insert+0x417/0x430 net/sched/sch_api.c:716
Write of size 8 at addr ffff880118801250 by task syz-executor831/12392

CPU: 1 PID: 12392 Comm: syz-executor831 Not tainted 4.12.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x145/0x1e1 lib/dump_stack.c:52
 print_address_description.cold.7+0x9/0x1c9 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.8+0x121/0x2da mm/kasan/report.c:408
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:434
 hlist_add_head include/linux/list.h:673 [inline]
 qdisc_class_hash_insert+0x417/0x430 net/sched/sch_api.c:716
 qfq_change_class+0x8b4/0x126f net/sched/sch_qfq.c:502
 tc_ctl_tclass+0x3c9/0xc60 net/sched/sch_api.c:1696
 rtnetlink_rcv_msg+0x4c0/0x7e0 net/core/rtnetlink.c:4216
 netlink_rcv_skb+0x211/0x490 net/netlink/af_netlink.c:2397
 rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:4222
 netlink_unicast_kernel net/netlink/af_netlink.c:1265 [inline]
 netlink_unicast+0x426/0x630 net/netlink/af_netlink.c:1291
 netlink_sendmsg+0x8c3/0xe80 net/netlink/af_netlink.c:1854
 sock_sendmsg_nosec net/socket.c:633 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:643
 ___sys_sendmsg+0x2a7/0x9a0 net/socket.c:2037
 __sys_sendmmsg+0x1ae/0x590 net/socket.c:2127
 SYSC_sendmmsg net/socket.c:2158 [inline]
 SyS_sendmmsg+0xd/0x20 net/socket.c:2153
 entry_SYSCALL_64_fastpath+0x23/0xc2
RIP: 0033:0x447569
RSP: 002b:00007ffddf02be88 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000447569
RDX: 0000000004924b68 RSI: 0000000020000140 RDI: 0000000000000006
RBP: 0000000000000082 R08: 0000000000000001 R09: 0000000000400037
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000404810 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 12355:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x14b/0x7a0 mm/slab.c:3627
 kmalloc include/linux/slab.h:492 [inline]
 kzalloc include/linux/slab.h:665 [inline]
 qfq_change_class+0x64a/0x126f net/sched/sch_qfq.c:476
 tc_ctl_tclass+0x3c9/0xc60 net/sched/sch_api.c:1696
 rtnetlink_rcv_msg+0x4c0/0x7e0 net/core/rtnetlink.c:4216
 netlink_rcv_skb+0x211/0x490 net/netlink/af_netlink.c:2397
 rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:4222
 netlink_unicast_kernel net/netlink/af_netlink.c:1265 [inline]
 netlink_unicast+0x426/0x630 net/netlink/af_netlink.c:1291
 netlink_sendmsg+0x8c3/0xe80 net/netlink/af_netlink.c:1854
 sock_sendmsg_nosec net/socket.c:633 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:643
 ___sys_sendmsg+0x2a7/0x9a0 net/socket.c:2037
 __sys_sendmmsg+0x1ae/0x590 net/socket.c:2127
 SYSC_sendmmsg net/socket.c:2158 [inline]
 SyS_sendmmsg+0xd/0x20 net/socket.c:2153
 entry_SYSCALL_64_fastpath+0x23/0xc2

Freed by task 12355:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x270 mm/slab.c:3820
 qfq_change_class+0xdb5/0x126f net/sched/sch_qfq.c:531
 tc_ctl_tclass+0x3c9/0xc60 net/sched/sch_api.c:1696
 rtnetlink_rcv_msg+0x4c0/0x7e0 net/core/rtnetlink.c:4216
 netlink_rcv_skb+0x211/0x490 net/netlink/af_netlink.c:2397
 rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:4222
 netlink_unicast_kernel net/netlink/af_netlink.c:1265 [inline]
 netlink_unicast+0x426/0x630 net/netlink/af_netlink.c:1291
 netlink_sendmsg+0x8c3/0xe80 net/netlink/af_netlink.c:1854
 sock_sendmsg_nosec net/socket.c:633 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:643
 ___sys_sendmsg+0x2a7/0x9a0 net/socket.c:2037
 __sys_sendmmsg+0x1ae/0x590 net/socket.c:2127
 SYSC_sendmmsg net/socket.c:2158 [inline]
 SyS_sendmmsg+0xd/0x20 net/socket.c:2153
 entry_SYSCALL_64_fastpath+0x23/0xc2

The buggy address belongs to the object at ffff880118801240
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 16 bytes inside of
 128-byte region [ffff880118801240, ffff8801188012c0)
The buggy address belongs to the page:
page:ffffea0004620040 count:1 mapcount:0 mapping:ffff880118801000 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff880118801000 0000000000000000 0000000100000015
raw: ffffea000456d320 ffffea0004a8ee20 ffff88012bc00640 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880118801100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff880118801180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880118801200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                 ^
 ffff880118801280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff880118801300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================