[  399.508144] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.3'.
[  399.550236] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.2'.
[  399.613296] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.5'.
[  399.622498] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.1'.
[  399.645105] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.0'.
[  399.654552] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.3'.
[  399.682160] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.4'.
[  399.728733] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.2'.
[  399.790605] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.5'.
[  399.799761] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.3'.
[  404.581145] nla_parse: 96 callbacks suppressed
[  404.581149] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.0'.
[  405.065665] syz-executor.3 (5959) used greatest stack depth: 23352 bytes left
[  405.154415] syz-executor.2 (5960) used greatest stack depth: 23144 bytes left
[  406.190852] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[  406.198225] batman_adv: batadv0: Removing interface: batadv_slave_0
[  406.206996] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[  406.214341] batman_adv: batadv0: Removing interface: batadv_slave_1
[  406.222810] device bridge_slave_1 left promiscuous mode
[  406.229316] bridge0: port 2(bridge_slave_1) entered disabled state
[  406.276300] device bridge_slave_0 left promiscuous mode
[  406.282713] bridge0: port 1(bridge_slave_0) entered disabled state
[  406.330372] device veth1_macvtap left promiscuous mode
[  406.336733] device veth0_macvtap left promiscuous mode
[  406.343914] device veth1_vlan left promiscuous mode
[  406.349796] device veth0_vlan left promiscuous mode
[  406.475027] device hsr_slave_1 left promiscuous mode
[  406.527198] device hsr_slave_0 left promiscuous mode
[  406.570330] team0 (unregistering): Port device team_slave_1 removed
[  406.579539] team0 (unregistering): Port device team_slave_0 removed
[  406.590794] bond0 (unregistering): Releasing backup interface bond_slave_1
Warning: Permanently added '10.128.0.208' (ECDSA) to the list of known hosts.
[  406.637463] bond0 (unregistering): Releasing backup interface bond_slave_0
[  406.713121] bond0 (unregistering): Released all slaves
[  406.944231] netlink: 32 bytes leftover after parsing attributes in process `syz-executor044'.
[  406.953110] netlink: 32 bytes leftover after parsing attributes in process `syz-executor044'.
[  406.963526] netlink: 32 bytes leftover after parsing attributes in process `syz-executor044'.
[  406.972968] netlink: 32 bytes leftover after parsing attributes in process `syz-executor044'.
[  406.983141] netlink: 32 bytes leftover after parsing attributes in process `syz-executor044'.
[  406.997995] netlink: 32 bytes leftover after parsing attributes in process `syz-executor044'.
[  407.008527] ==================================================================
[  407.016489] BUG: KASAN: use-after-free in tcf_action_destroy+0xda/0xf0
[  407.023348] Read of size 8 at addr ffff8881dc6e7280 by task syz-executor044/2257
[  407.032074] 
[  407.033703] CPU: 0 PID: 2257 Comm: syz-executor044 Not tainted 4.19.176-syzkaller #0
[  407.041666] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  407.051224] Call Trace:
[  407.053987]  dump_stack+0x17c/0x226
[  407.057618]  print_address_description.cold.6+0x9/0x211
[  407.063165]  kasan_report.cold.7+0x242/0x2fe
[  407.067658]  ? tcf_action_destroy+0xda/0xf0
[  407.072154]  __asan_report_load8_noabort+0x14/0x20
[  407.077256]  tcf_action_destroy+0xda/0xf0
[  407.081496]  tcf_action_init+0x292/0x300
[  407.085658]  ? tcf_action_init_1+0xaf0/0xaf0
[  407.090093]  tcf_action_add+0xf2/0x320
[  407.094109]  ? tca_action_gd+0x1440/0x1440
[  407.098483]  ? __mutex_lock+0xd81/0x1200
[  407.103757]  ? lock_downgrade+0x860/0x860
[  407.108094]  ? memset+0x31/0x40
[  407.111370]  ? nla_parse+0x34/0x280
[  407.115083]  tc_ctl_action+0x28d/0x3d0
[  407.119061]  ? tcf_action_add+0x320/0x320
[  407.123213]  rtnetlink_rcv_msg+0x34f/0x950
[  407.127530]  ? rtnl_calcit.isra.10+0x360/0x360
[  407.132101]  ? __netlink_lookup+0x2fd/0x630
[  407.136414]  ? lock_downgrade+0x860/0x860
[  407.140572]  netlink_rcv_skb+0x13e/0x3d0
[  407.144719]  ? lock_downgrade+0x860/0x860
[  407.148949]  ? rtnl_calcit.isra.10+0x360/0x360
[  407.153614]  ? netlink_ack+0x990/0x990
[  407.157926]  ? netlink_deliver_tap+0x182/0xb00
[  407.162838]  ? kasan_check_read+0x11/0x20
[  407.167089]  rtnetlink_rcv+0x10/0x20
[  407.171032]  netlink_unicast+0x443/0x660
[  407.175101]  ? netlink_sendskb+0x40/0x40
[  407.179281]  ? _copy_from_iter_full+0x189/0x770
[  407.184212]  ? __check_object_size+0x1e0/0x300
[  407.188987]  netlink_sendmsg+0x667/0xc60
[  407.193175]  ? nlmsg_notify+0x140/0x140
[  407.197196]  ? apparmor_socket_sendmsg+0x1b/0x20
[  407.202119]  ? nlmsg_notify+0x140/0x140
[  407.206173]  sock_sendmsg+0xac/0xf0
[  407.209878]  ___sys_sendmsg+0x647/0x950
[  407.213846]  ? do_huge_pmd_anonymous_page+0xdb8/0x1dd0
[  407.219108]  ? copy_msghdr_from_user+0x430/0x430
[  407.224110]  ? __fget+0x285/0x400
[  407.227634]  ? kasan_check_read+0x11/0x20
[  407.231848]  ? __fget+0x2a2/0x400
[  407.235616]  ? do_dup2+0x3f0/0x3f0
[  407.239222]  ? __handle_mm_fault+0x21a4/0x4100
[  407.243877]  ? __fget_light+0x174/0x1e0
[  407.248077]  ? __fdget+0xe/0x10
[  407.251802]  __sys_sendmsg+0xd9/0x180
[  407.255756]  ? __ia32_sys_shutdown+0x70/0x70
[  407.260159]  ? up_read+0x1a/0x110
[  407.263594]  ? __do_page_fault+0x53a/0xb30
[  407.267899]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  407.273530]  __x64_sys_sendmsg+0x73/0xb0
[  407.277661]  do_syscall_64+0xd0/0x4e0
[  407.281442]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  407.286615] RIP: 0033:0x445c79
[  407.290248] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[  407.309839] RSP: 002b:00007fe8534c5318 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  407.317792] RAX: ffffffffffffffda RBX: 00000000004cb428 RCX: 0000000000445c79
[  407.325304] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[  407.332566] RBP: 00000000004cb420 R08: 0000000000000000 R09: 0000000000000000
[  407.340109] R10: 0000000000000000 R11: 0000000000000246 R12: 6b72616d6e6e6f63
[  407.347368] R13: 00007fff77e6f01f R14: 00007fe8534c5400 R15: 0000000000022000
[  407.354751] 
[  407.356400] Allocated by task 2248:
[  407.360096]  kasan_kmalloc.part.1+0x62/0xf0
[  407.364414]  kasan_kmalloc+0xaf/0xc0
[  407.368112]  __kmalloc+0x15d/0x3d0
[  407.372243]  tcf_idr_create+0x55/0x560
[  407.376313]  tcf_connmark_init+0x3d8/0x6a0
[  407.380623]  tcf_action_init_1+0x837/0xaf0
[  407.385297]  tcf_action_init+0x178/0x300
[  407.389518]  tcf_action_add+0xf2/0x320
[  407.393486]  tc_ctl_action+0x28d/0x3d0
[  407.397367]  rtnetlink_rcv_msg+0x34f/0x950
[  407.401690]  netlink_rcv_skb+0x13e/0x3d0
[  407.406091]  rtnetlink_rcv+0x10/0x20
[  407.409887]  netlink_unicast+0x443/0x660
[  407.414146]  netlink_sendmsg+0x667/0xc60
[  407.418547]  sock_sendmsg+0xac/0xf0
[  407.422330]  ___sys_sendmsg+0x647/0x950
[  407.426458]  __sys_sendmsg+0xd9/0x180
[  407.430250]  __x64_sys_sendmsg+0x73/0xb0
[  407.434378]  do_syscall_64+0xd0/0x4e0
[  407.438338]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  407.443777] 
[  407.445477] Freed by task 2248:
[  407.448736]  __kasan_slab_free+0x13c/0x220
[  407.452950]  kasan_slab_free+0xe/0x10
[  407.456728]  kfree+0xcf/0x220
[  407.459860]  tcf_action_cleanup+0xfd/0x130
[  407.464072]  __tcf_action_put+0xbe/0x100
[  407.468115]  __tcf_idr_release+0x6a/0x90
[  407.472153]  tcf_action_destroy+0x7d/0xf0
[  407.476302]  tcf_action_init+0x292/0x300
[  407.480470]  tcf_action_add+0xf2/0x320
[  407.484425]  tc_ctl_action+0x28d/0x3d0
[  407.488299]  rtnetlink_rcv_msg+0x34f/0x950
[  407.492609]  netlink_rcv_skb+0x13e/0x3d0
[  407.497075]  rtnetlink_rcv+0x10/0x20
[  407.500765]  netlink_unicast+0x443/0x660
[  407.504933]  netlink_sendmsg+0x667/0xc60
[  407.509094]  sock_sendmsg+0xac/0xf0
[  407.512802]  ___sys_sendmsg+0x647/0x950
[  407.516863]  __sys_sendmsg+0xd9/0x180
[  407.520653]  __x64_sys_sendmsg+0x73/0xb0
[  407.524780]  do_syscall_64+0xd0/0x4e0
[  407.528558]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  407.533811] 
[  407.535604] The buggy address belongs to the object at ffff8881dc6e7280
[  407.535604]  which belongs to the cache kmalloc-256 of size 256
[  407.548799] The buggy address is located 0 bytes inside of
[  407.548799]  256-byte region [ffff8881dc6e7280, ffff8881dc6e7380)
[  407.560568] The buggy address belongs to the page:
[  407.565620] page:ffffea000771b9c0 count:1 mapcount:0 mapping:ffff8881f60007c0 index:0x0
[  407.574178] flags: 0x17ffe0000000100(slab)
[  407.578740] raw: 017ffe0000000100 ffffea00077b8708 ffffea000771d288 ffff8881f60007c0
[  407.586695] raw: 0000000000000000 ffff8881dc6e7000 000000010000000c 0000000000000000
[  407.594736] page dumped because: kasan: bad access detected
[  407.600512] 
[  407.602125] Memory state around the buggy address:
[  407.607238]  ffff8881dc6e7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  407.614661]  ffff8881dc6e7200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  407.622100] >ffff8881dc6e7280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  407.629435]                    ^
[  407.632779]  ffff8881dc6e7300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  407.640486]  ffff8881dc6e7380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  407.648008] ==================================================================
[  407.655433] Disabling lock debugging due to kernel taint
[  407.688830] Kernel panic - not syncing: panic_on_warn set ...
[  407.688830] 
[  407.696521] CPU: 1 PID: 2257 Comm: syz-executor044 Tainted: G    B             4.19.176-syzkaller #0
[  407.706352] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  407.715939] Call Trace:
[  407.718616]  dump_stack+0x17c/0x226
[  407.722344]  panic+0x1cd/0x375
[  407.725532]  ? __warn_printk+0xd6/0xd6
[  407.729498]  ? ___preempt_schedule+0x16/0x18
[  407.733922]  kasan_end_report+0x47/0x4f
[  407.738060]  kasan_report.cold.7+0x76/0x2fe
[  407.742370]  ? tcf_action_destroy+0xda/0xf0
[  407.746682]  __asan_report_load8_noabort+0x14/0x20
[  407.751599]  tcf_action_destroy+0xda/0xf0
[  407.755830]  tcf_action_init+0x292/0x300
[  407.759995]  ? tcf_action_init_1+0xaf0/0xaf0
[  407.764501]  tcf_action_add+0xf2/0x320
[  407.768761]  ? tca_action_gd+0x1440/0x1440
[  407.773076]  ? __mutex_lock+0xd81/0x1200
[  407.777306]  ? lock_downgrade+0x860/0x860
[  407.781541]  ? memset+0x31/0x40
[  407.784812]  ? nla_parse+0x34/0x280
[  407.788427]  tc_ctl_action+0x28d/0x3d0
[  407.792425]  ? tcf_action_add+0x320/0x320
[  407.796849]  rtnetlink_rcv_msg+0x34f/0x950
[  407.801227]  ? rtnl_calcit.isra.10+0x360/0x360
[  407.805804]  ? __netlink_lookup+0x2fd/0x630
[  407.810568]  ? lock_downgrade+0x860/0x860
[  407.815021]  netlink_rcv_skb+0x13e/0x3d0
[  407.819338]  ? lock_downgrade+0x860/0x860
[  407.823583]  ? rtnl_calcit.isra.10+0x360/0x360
[  407.828241]  ? netlink_ack+0x990/0x990
[  407.832208]  ? netlink_deliver_tap+0x182/0xb00
[  407.837011]  ? kasan_check_read+0x11/0x20
[  407.841254]  rtnetlink_rcv+0x10/0x20
[  407.845413]  netlink_unicast+0x443/0x660
[  407.849809]  ? netlink_sendskb+0x40/0x40
[  407.853858]  ? _copy_from_iter_full+0x189/0x770
[  407.858534]  ? __check_object_size+0x1e0/0x300
[  407.863128]  netlink_sendmsg+0x667/0xc60
[  407.867198]  ? nlmsg_notify+0x140/0x140
[  407.871345]  ? apparmor_socket_sendmsg+0x1b/0x20
[  407.876365]  ? nlmsg_notify+0x140/0x140
[  407.880771]  sock_sendmsg+0xac/0xf0
[  407.884548]  ___sys_sendmsg+0x647/0x950
[  407.889088]  ? do_huge_pmd_anonymous_page+0xdb8/0x1dd0
[  407.894775]  ? copy_msghdr_from_user+0x430/0x430
[  407.899876]  ? __fget+0x285/0x400
[  407.903500]  ? kasan_check_read+0x11/0x20
[  407.907652]  ? __fget+0x2a2/0x400
[  407.911091]  ? do_dup2+0x3f0/0x3f0
[  407.914701]  ? __handle_mm_fault+0x21a4/0x4100
[  407.919353]  ? __fget_light+0x174/0x1e0
[  407.923335]  ? __fdget+0xe/0x10
[  407.926692]  __sys_sendmsg+0xd9/0x180
[  407.930808]  ? __ia32_sys_shutdown+0x70/0x70
[  407.935564]  ? up_read+0x1a/0x110
[  407.940655]  ? __do_page_fault+0x53a/0xb30
[  407.944883]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  407.950234]  __x64_sys_sendmsg+0x73/0xb0
[  407.954299]  do_syscall_64+0xd0/0x4e0
[  407.958167]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  407.963562] RIP: 0033:0x445c79
[  407.966948] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[  407.987190] RSP: 002b:00007fe8534c5318 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  407.995645] RAX: ffffffffffffffda RBX: 00000000004cb428 RCX: 0000000000445c79
[  408.003192] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[  408.010544] RBP: 00000000004cb420 R08: 0000000000000000 R09: 0000000000000000
[  408.017988] R10: 0000000000000000 R11: 0000000000000246 R12: 6b72616d6e6e6f63
[  408.025382] R13: 00007fff77e6f01f R14: 00007fe8534c5400 R15: 0000000000022000
[  408.033814] Kernel Offset: disabled
[  408.037536] Rebooting in 86400 seconds..