[ 421.660406][T11860] netlink: 'syz-executor.1': attribute type 4 has an invalid length.
[ 421.675148][T11863] netlink: 'syz-executor.4': attribute type 4 has an invalid length.
[ 421.690136][T11864] netlink: 'syz-executor.0': attribute type 4 has an invalid length.
[ 426.509365][T12425] validate_nla: 278 callbacks suppressed
[ 426.509385][T12425] netlink: 'syz-executor.2': attribute type 4 has an invalid length.
[ 426.599269][T12423] netlink: 'syz-executor.5': attribute type 4 has an invalid length.
[ 426.616498][T12429] netlink: 'syz-executor.3': attribute type 4 has an invalid length.
[ 426.630040][T12430] netlink: 'syz-executor.0': attribute type 4 has an invalid length.
[ 426.645681][T12433] netlink: 'syz-executor.1': attribute type 4 has an invalid length.
[ 426.688667][T12432] netlink: 'syz-executor.4': attribute type 4 has an invalid length.
[ 427.465103][ T3960] syz-executor.5 (3960) used greatest stack depth: 22576 bytes left
[ 428.638696][ T1247] netdevsim netdevsim4 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 428.711947][ T1247] netdevsim netdevsim4 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 428.780822][ T1247] netdevsim netdevsim4 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 428.850607][ T1247] netdevsim netdevsim4 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 429.755627][ T1247] device hsr_slave_0 left promiscuous mode
[ 429.762275][ T1247] device hsr_slave_1 left promiscuous mode
[ 429.769620][ T1247] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 429.780252][ T1247] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 429.790425][ T1247] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 429.798438][ T1247] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 429.808842][ T1247] device bridge_slave_1 left promiscuous mode
[ 429.818262][ T1247] bridge0: port 2(bridge_slave_1) entered disabled state
[ 429.828828][ T1247] device bridge_slave_0 left promiscuous mode
[ 429.835468][ T1247] bridge0: port 1(bridge_slave_0) entered disabled state
[ 429.858655][ T1247] device veth1_macvtap left promiscuous mode
[ 429.865147][ T1247] device veth0_macvtap left promiscuous mode
[ 429.871285][ T1247] device veth1_vlan left promiscuous mode
[ 429.886064][ T1247] device veth0_vlan left promiscuous mode
[ 430.316896][ T1247] team0 (unregistering): Port device team_slave_1 removed
[ 430.334673][ T1247] team0 (unregistering): Port device team_slave_0 removed
[ 430.350936][ T1247] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 430.371632][ T1247] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 430.521358][ T1247] bond0 (unregistering): Released all slaves
[ 431.433872][ C0] ==================================================================
[ 431.442669][ C0] BUG: KASAN: use-after-free in tcp_retransmit_timer+0x2ef3/0x3360
[ 431.452694][ C0] Read of size 8 at addr ffff88807298e380 by task kworker/u4:5/1247
[ 431.460690][ C0]
[ 431.463015][ C0] CPU: 0 PID: 1247 Comm: kworker/u4:5 Not tainted 5.18.0-rc3-syzkaller-00007-g559089e0a93d-dirty #0
[ 431.473807][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 431.483875][ C0] Workqueue: netns cleanup_net
[ 431.488872][ C0] Call Trace:
[ 431.492170][ C0]
[ 431.495021][ C0] dump_stack_lvl+0xcd/0x134
[ 431.499722][ C0] print_address_description.constprop.0.cold+0xeb/0x467
[ 431.506819][ C0] ? tcp_retransmit_timer+0x2ef3/0x3360
[ 431.512385][ C0] kasan_report.cold+0xf4/0x1c6
[ 431.517258][ C0] ? tcp_retransmit_timer+0x2ef3/0x3360
[ 431.522831][ C0] tcp_retransmit_timer+0x2ef3/0x3360
[ 431.528232][ C0] ? tcp_mstamp_refresh+0x12/0xa0
[ 431.533375][ C0] ? tcp_delack_timer+0x320/0x320
[ 431.538768][ C0] ? ktime_get+0x38a/0x470
[ 431.543466][ C0] ? lockdep_hardirqs_on+0x79/0x100
[ 431.548766][ C0] ? __sanitizer_cov_trace_cmp4+0x1c/0x70
[ 431.554652][ C0] ? ktime_get+0x30b/0x470
[ 431.559094][ C0] tcp_write_timer_handler+0x5e6/0xbc0
[ 431.564668][ C0] tcp_write_timer+0xa2/0x2b0
[ 431.569362][ C0] ? tcp_write_timer_handler+0xbc0/0xbc0
[ 431.575275][ C0] call_timer_fn+0x1a5/0x6b0
[ 431.579896][ C0] ? timer_fixup_activate+0x350/0x350
[ 431.585395][ C0] ? _raw_spin_unlock_irq+0x1f/0x40
[ 431.590679][ C0] ? tcp_write_timer_handler+0xbc0/0xbc0
[ 431.596342][ C0] __run_timers.part.0+0x679/0xa80
[ 431.601475][ C0] ? call_timer_fn+0x6b0/0x6b0
[ 431.606251][ C0] run_timer_softirq+0xb3/0x1d0
[ 431.611209][ C0] __do_softirq+0x29b/0x9c2
[ 431.615739][ C0] do_softirq.part.0+0xde/0x130
[ 431.620699][ C0]
[ 431.623648][ C0]
[ 431.626677][ C0] ? addrconf_ifdown.isra.0+0x544/0x16b0
[ 431.632412][ C0] __local_bh_enable_ip+0x102/0x120
[ 431.637638][ C0] addrconf_ifdown.isra.0+0x544/0x16b0
[ 431.643139][ C0] ? add_v4_addrs+0x890/0x890
[ 431.647844][ C0] addrconf_notify+0xeb/0x1ba0
[ 431.652671][ C0] ? clusterip_netdev_event+0x419/0x650
[ 431.658300][ C0] ? __local_bh_enable_ip+0xa0/0x120
[ 431.663612][ C0] ? clusterip_netdev_event+0x419/0x650
[ 431.669356][ C0] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 431.675624][ C0] ? ip6mr_device_event+0x1ab/0x220
[ 431.680906][ C0] notifier_call_chain+0xb5/0x200
[ 431.686015][ C0] call_netdevice_notifiers_info+0xb5/0x130
[ 431.691928][ C0] unregister_netdevice_many+0x92e/0x1890
[ 431.697672][ C0] ? __mutex_lock+0x21a/0x12f0
[ 431.702458][ C0] ? netdev_pick_tx+0xbe0/0xbe0
[ 431.707325][ C0] ? nsim_destroy+0x35/0x190
[ 431.712058][ C0] ? mutex_lock_io_nested+0x1150/0x1150
[ 431.717629][ C0] unregister_netdevice_queue+0x2dd/0x3c0
[ 431.723370][ C0] ? unregister_netdevice_many+0x1890/0x1890
[ 431.729363][ C0] ? queue_delayed_work_on+0xe6/0x120
[ 431.734971][ C0] ? lockdep_hardirqs_on+0x79/0x100
[ 431.740192][ C0] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 431.746457][ C0] ? queue_delayed_work_on+0xbb/0x120
[ 431.751849][ C0] nsim_destroy+0x3f/0x190
[ 431.756286][ C0] __nsim_dev_port_del+0x191/0x250
[ 431.761417][ C0] nsim_dev_port_del_all+0x85/0xe0
[ 431.766564][ C0] nsim_dev_reload_destroy+0x11f/0x420
[ 431.772050][ C0] nsim_dev_reload_down+0xdf/0x180
[ 431.777189][ C0] devlink_reload+0x1c2/0x6b0
[ 431.782055][ C0] ? devlink_remote_reload_actions_performed+0xa0/0xa0
[ 431.788931][ C0] ? devlink_try_get+0x159/0x1e0
[ 431.793897][ C0] ? __mutex_unlock_slowpath+0x157/0x5e0
[ 431.799549][ C0] devlink_pernet_pre_exit+0x17e/0x220
[ 431.805085][ C0] ? devlink_nl_cmd_get_dumpit+0x3f0/0x3f0
[ 431.810906][ C0] ? devlink_nl_cmd_get_dumpit+0x3f0/0x3f0
[ 431.816726][ C0] cleanup_net+0x451/0xb00
[ 431.821169][ C0] ? unregister_pernet_device+0x70/0x70
[ 431.826735][ C0] process_one_work+0x996/0x1610
[ 431.831686][ C0] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 431.837082][ C0] ? rwlock_bug.part.0+0x90/0x90
[ 431.842090][ C0] ? _raw_spin_lock_irq+0x41/0x50
[ 431.847139][ C0] worker_thread+0x665/0x1080
[ 431.851840][ C0] ? __kthread_parkme+0x15f/0x220
[ 431.856889][ C0] ? process_one_work+0x1610/0x1610
[ 431.862106][ C0] kthread+0x2e9/0x3a0
[ 431.866194][ C0] ? kthread_complete_and_exit+0x40/0x40
[ 431.871860][ C0] ret_from_fork+0x1f/0x30
[ 431.876591][ C0]
[ 431.879702][ C0]
[ 431.882022][ C0] Allocated by task 3888:
[ 431.886348][ C0] kasan_save_stack+0x1e/0x40
[ 431.891140][ C0] __kasan_slab_alloc+0x85/0xb0
[ 431.896133][ C0] kmem_cache_alloc+0x265/0x560
[ 431.901003][ C0] copy_net_ns+0x125/0x760
[ 431.905612][ C0] create_new_namespaces+0x3f6/0xb20
[ 431.910931][ C0] unshare_nsproxy_namespaces+0xc1/0x1f0
[ 431.916686][ C0] ksys_unshare+0x445/0x920
[ 431.921294][ C0] __x64_sys_unshare+0x2d/0x40
[ 431.926294][ C0] do_syscall_64+0x35/0x80
[ 431.930731][ C0] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 431.936655][ C0]
[ 431.938983][ C0] Freed by task 1247:
[ 431.942966][ C0] kasan_save_stack+0x1e/0x40
[ 431.947665][ C0] kasan_set_track+0x21/0x30
[ 431.952270][ C0] kasan_set_free_info+0x20/0x30
[ 431.957229][ C0] ____kasan_slab_free+0x13d/0x180
[ 431.962443][ C0] kmem_cache_free.part.0+0xa9/0x240
[ 431.967751][ C0] cleanup_net+0x8ba/0xb00
[ 431.972233][ C0] process_one_work+0x996/0x1610
[ 431.977185][ C0] worker_thread+0x665/0x1080
[ 431.981958][ C0] kthread+0x2e9/0x3a0
[ 431.986042][ C0] ret_from_fork+0x1f/0x30
[ 431.990611][ C0]
[ 431.992934][ C0] Last potentially related work creation:
[ 432.001545][ C0] kasan_save_stack+0x1e/0x40
[ 432.006242][ C0] __kasan_record_aux_stack+0x7e/0x90
[ 432.011633][ C0] insert_work+0x48/0x350
[ 432.016042][ C0] __queue_work+0x62e/0x1140
[ 432.020651][ C0] call_timer_fn+0x1a5/0x6b0
[ 432.025426][ C0] __run_timers.part.0+0x4a3/0xa80
[ 432.030665][ C0] run_timer_softirq+0x152/0x1d0
[ 432.035618][ C0] __do_softirq+0x29b/0x9c2
[ 432.040142][ C0]
[ 432.042465][ C0] Second to last potentially related work creation:
[ 432.049044][ C0] kasan_save_stack+0x1e/0x40
[ 432.053744][ C0] __kasan_record_aux_stack+0x7e/0x90
[ 432.059156][ C0] insert_work+0x48/0x350
[ 432.063508][ C0] __queue_work+0x62e/0x1140
[ 432.068121][ C0] call_timer_fn+0x1a5/0x6b0
[ 432.072814][ C0] __run_timers.part.0+0x4a3/0xa80
[ 432.077942][ C0] run_timer_softirq+0x152/0x1d0
[ 432.082900][ C0] __do_softirq+0x29b/0x9c2
[ 432.087426][ C0]
[ 432.089752][ C0] The buggy address belongs to the object at ffff88807298e0c0
[ 432.089752][ C0] which belongs to the cache net_namespace of size 6784
[ 432.104281][ C0] The buggy address is located 704 bytes inside of
[ 432.104281][ C0] 6784-byte region [ffff88807298e0c0, ffff88807298fb40)
[ 432.118445][ C0]
[ 432.120778][ C0] The buggy address belongs to the physical page:
[ 432.127200][ C0] page:ffffea0001ca6380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7298e
[ 432.137543][ C0] head:ffffea0001ca6380 order:1 compound_mapcount:0 compound_pincount:0
[ 432.146144][ C0] memcg:ffff888078f24941
[ 432.150394][ C0] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 432.158570][ C0] raw: 00fff00000010200 ffffea0001f67908 ffffea0001f8e288 ffff8880114d3600
[ 432.167179][ C0] raw: 0000000000000000 ffff88807298e0c0 0000000100000001 ffff888078f24941
[ 432.175865][ C0] page dumped because: kasan: bad access detected
[ 432.182319][ C0] page_owner tracks the page as allocated
[ 432.188212][ C0] page last allocated via order 1, migratetype Unmovable, gfp_mask 0x3420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_HARDWALL|__GFP_THISNODE), pid 3888, tgid 3888 (syz-executor.4), ts 67454771819, free_ts 67446428805
[ 432.210040][ C0] get_page_from_freelist+0xba2/0x3e00
[ 432.215837][ C0] __alloc_pages+0x1b2/0x500
[ 432.220450][ C0] cache_grow_begin+0x75/0x350
[ 432.225460][ C0] cache_alloc_refill+0x27f/0x380
[ 432.230516][ C0] kmem_cache_alloc+0x450/0x560
[ 432.235392][ C0] copy_net_ns+0x125/0x760
[ 432.239833][ C0] create_new_namespaces+0x3f6/0xb20
[ 432.245153][ C0] unshare_nsproxy_namespaces+0xc1/0x1f0
[ 432.250809][ C0] ksys_unshare+0x445/0x920
[ 432.255338][ C0] __x64_sys_unshare+0x2d/0x40
[ 432.260121][ C0] do_syscall_64+0x35/0x80
[ 432.264583][ C0] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 432.270492][ C0] page last free stack trace:
[ 432.275169][ C0] free_pcp_prepare+0x549/0xd20
[ 432.280034][ C0] free_unref_page+0x19/0x6a0
[ 432.284825][ C0] slabs_destroy+0x89/0xc0
[ 432.289263][ C0] ___cache_free+0x34e/0x670
[ 432.293873][ C0] qlist_free_all+0x4f/0x1b0
[ 432.298548][ C0] kasan_quarantine_reduce+0x180/0x200
[ 432.304021][ C0] __kasan_slab_alloc+0x97/0xb0
[ 432.308891][ C0] __kmalloc+0x27a/0x4d0
[ 432.313143][ C0] tomoyo_supervisor+0xce6/0xf00
[ 432.318161][ C0] tomoyo_path_number_perm+0x419/0x590
[ 432.323721][ C0] security_file_ioctl+0x50/0xb0
[ 432.328780][ C0] __x64_sys_ioctl+0xb3/0x200
[ 432.334027][ C0] do_syscall_64+0x35/0x80
[ 432.338655][ C0] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 432.345292][ C0]
[ 432.347793][ C0] Memory state around the buggy address:
[ 432.353946][ C0] ffff88807298e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 432.362118][ C0] ffff88807298e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 432.370286][ C0] >ffff88807298e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 432.378358][ C0]                    ^
[ 432.382528][ C0] ffff88807298e400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 432.391040][ C0] ffff88807298e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 432.399146][ C0] ==================================================================
[ 432.407281][ C0] Kernel panic - not syncing: panic_on_warn set ...
[ 432.413876][ C0] CPU: 0 PID: 1247 Comm: kworker/u4:5 Not tainted 5.18.0-rc3-syzkaller-00007-g559089e0a93d-dirty #0
[ 432.424912][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 432.435078][ C0] Workqueue: netns cleanup_net
[ 432.439971][ C0] Call Trace:
[ 432.443430][ C0]
[ 432.446365][ C0] dump_stack_lvl+0xcd/0x134
[ 432.451078][ C0] panic+0x2d7/0x636
[ 432.455238][ C0] ? panic_print_sys_info.part.0+0x10b/0x10b
[ 432.461241][ C0] ? tcp_retransmit_timer+0x2ef3/0x3360
[ 432.467334][ C0] ? tcp_retransmit_timer+0x2ef3/0x3360
[ 432.472904][ C0] end_report.part.0+0x3f/0x7c
[ 432.478170][ C0] kasan_report.cold+0x93/0x1c6
[ 432.483138][ C0] ? tcp_retransmit_timer+0x2ef3/0x3360
[ 432.488739][ C0] tcp_retransmit_timer+0x2ef3/0x3360
[ 432.494144][ C0] ? tcp_mstamp_refresh+0x12/0xa0
[ 432.499194][ C0] ? tcp_delack_timer+0x320/0x320
[ 432.504238][ C0] ? ktime_get+0x38a/0x470
[ 432.508685][ C0] ? lockdep_hardirqs_on+0x79/0x100
[ 432.513921][ C0] ? __sanitizer_cov_trace_cmp4+0x1c/0x70
[ 432.519664][ C0] ? ktime_get+0x30b/0x470
[ 432.524115][ C0] tcp_write_timer_handler+0x5e6/0xbc0
[ 432.530147][ C0] tcp_write_timer+0xa2/0x2b0
[ 432.534849][ C0] ? tcp_write_timer_handler+0xbc0/0xbc0
[ 432.540499][ C0] call_timer_fn+0x1a5/0x6b0
[ 432.545105][ C0] ? timer_fixup_activate+0x350/0x350
[ 432.550501][ C0] ? _raw_spin_unlock_irq+0x1f/0x40
[ 432.555733][ C0] ? tcp_write_timer_handler+0xbc0/0xbc0
[ 432.561668][ C0] __run_timers.part.0+0x679/0xa80
[ 432.566806][ C0] ? call_timer_fn+0x6b0/0x6b0
[ 432.571592][ C0] run_timer_softirq+0xb3/0x1d0
[ 432.576469][ C0] __do_softirq+0x29b/0x9c2
[ 432.580997][ C0] do_softirq.part.0+0xde/0x130
[ 432.585873][ C0]
[ 432.588817][ C0]
[ 432.591842][ C0] ? addrconf_ifdown.isra.0+0x544/0x16b0
[ 432.597591][ C0] __local_bh_enable_ip+0x102/0x120
[ 432.602814][ C0] addrconf_ifdown.isra.0+0x544/0x16b0
[ 432.608301][ C0] ? add_v4_addrs+0x890/0x890
[ 432.613005][ C0] addrconf_notify+0xeb/0x1ba0
[ 432.617794][ C0] ? clusterip_netdev_event+0x419/0x650
[ 432.623363][ C0] ? __local_bh_enable_ip+0xa0/0x120
[ 432.628669][ C0] ? clusterip_netdev_event+0x419/0x650
[ 432.634236][ C0] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 432.640501][ C0] ? ip6mr_device_event+0x1ab/0x220
[ 432.645723][ C0] notifier_call_chain+0xb5/0x200
[ 432.650768][ C0] call_netdevice_notifiers_info+0xb5/0x130
[ 432.656681][ C0] unregister_netdevice_many+0x92e/0x1890
[ 432.662426][ C0] ? __mutex_lock+0x21a/0x12f0
[ 432.667224][ C0] ? netdev_pick_tx+0xbe0/0xbe0
[ 432.672100][ C0] ? nsim_destroy+0x35/0x190
[ 432.676709][ C0] ? mutex_lock_io_nested+0x1150/0x1150
[ 432.682275][ C0] unregister_netdevice_queue+0x2dd/0x3c0
[ 432.688024][ C0] ? unregister_netdevice_many+0x1890/0x1890
[ 432.694021][ C0] ? queue_delayed_work_on+0xe6/0x120
[ 432.699412][ C0] ? lockdep_hardirqs_on+0x79/0x100
[ 432.704715][ C0] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 432.710971][ C0] ? queue_delayed_work_on+0xbb/0x120
[ 432.716442][ C0] nsim_destroy+0x3f/0x190
[ 432.720873][ C0] __nsim_dev_port_del+0x191/0x250
[ 432.726088][ C0] nsim_dev_port_del_all+0x85/0xe0
[ 432.731242][ C0] nsim_dev_reload_destroy+0x11f/0x420
[ 432.736728][ C0] nsim_dev_reload_down+0xdf/0x180
[ 432.741866][ C0] devlink_reload+0x1c2/0x6b0
[ 432.746559][ C0] ? devlink_remote_reload_actions_performed+0xa0/0xa0
[ 432.753430][ C0] ? devlink_try_get+0x159/0x1e0
[ 432.758388][ C0] ? __mutex_unlock_slowpath+0x157/0x5e0
[ 432.764049][ C0] devlink_pernet_pre_exit+0x17e/0x220
[ 432.769641][ C0] ? devlink_nl_cmd_get_dumpit+0x3f0/0x3f0
[ 432.775466][ C0] ? devlink_nl_cmd_get_dumpit+0x3f0/0x3f0
[ 432.781289][ C0] cleanup_net+0x451/0xb00
[ 432.785724][ C0] ? unregister_pernet_device+0x70/0x70
[ 432.791562][ C0] process_one_work+0x996/0x1610
[ 432.796516][ C0] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 432.801910][ C0] ? rwlock_bug.part.0+0x90/0x90
[ 432.806955][ C0] ? _raw_spin_lock_irq+0x41/0x50
[ 432.812015][ C0] worker_thread+0x665/0x1080
[ 432.816795][ C0] ? __kthread_parkme+0x15f/0x220
[ 432.821839][ C0] ? process_one_work+0x1610/0x1610
[ 432.827052][ C0] kthread+0x2e9/0x3a0
[ 432.831137][ C0] ? kthread_complete_and_exit+0x40/0x40
[ 432.836797][ C0] ret_from_fork+0x1f/0x30
[ 432.841235][ C0]
[ 432.844412][ C0] Kernel Offset: disabled
[ 432.848731][ C0] Rebooting in 86400 seconds..