==================================================================
BUG: KASAN: double-free or invalid-free in tcf_exts_destroy+0x53/0xb0 net/sched/cls_api.c:3002

CPU: 0 PID: 8436 Comm: syz-executor.4 Not tainted 5.5.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:374
 kasan_report_invalid_free+0x60/0xa0 mm/kasan/report.c:468
 __kasan_slab_free+0x129/0x140 mm/kasan/common.c:453
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x107/0x2b0 mm/slab.c:3757
 tcf_exts_destroy+0x53/0xb0 net/sched/cls_api.c:3002
 tcf_exts_change+0xeb/0x140 net/sched/cls_api.c:3059
 tcindex_set_parms+0xcce/0x1b90 net/sched/cls_tcindex.c:456
 tcindex_change+0x1c2/0x280 net/sched/cls_tcindex.c:519
 tc_new_tfilter+0xffa/0x1da0 net/sched/cls_api.c:2103
 rtnetlink_rcv_msg+0x60c/0x8c0 net/core/rtnetlink.c:5429
 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2477
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xac/0xe0 net/socket.c:672
 ____sys_sendmsg+0x54e/0x750 net/socket.c:2343
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2397
 __sys_sendmsg+0xce/0x170 net/socket.c:2430
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x231/0xb27 arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

Allocated by task 8346:
 save_stack+0x19/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:513
 __do_kmalloc mm/slab.c:3656 [inline]
 __kmalloc_track_caller+0x15c/0x7a0 mm/slab.c:3671
 kmemdup+0x17/0x40 mm/util.c:127
 kmemdup include/linux/string.h:453 [inline]
 neigh_parms_alloc+0x7a/0x420 net/core/neighbour.c:1615
 inetdev_init+0x124/0x3f0 net/ipv4/devinet.c:266
 inetdev_event+0xc90/0x1170 net/ipv4/devinet.c:1525
 notifier_call_chain+0x86/0x150 kernel/notifier.c:83
 call_netdevice_notifiers_extack net/core/dev.c:1955 [inline]
 call_netdevice_notifiers net/core/dev.c:1969 [inline]
 register_netdevice+0x60b/0xe30 net/core/dev.c:9411
 veth_newlink+0x48f/0x890 drivers/net/veth.c:1312
 __rtnl_newlink+0xbe9/0x1250 net/core/rtnetlink.c:3319
 rtnl_newlink+0x5c/0x80 net/core/rtnetlink.c:3377
 rtnetlink_rcv_msg+0x346/0x8c0 net/core/rtnetlink.c:5438
 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2477
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xac/0xe0 net/socket.c:672
 __sys_sendto+0x1d3/0x2b0 net/socket.c:1998
 __do_compat_sys_socketcall net/compat.c:771 [inline]
 __se_compat_sys_socketcall net/compat.c:719 [inline]
 __ia32_compat_sys_socketcall+0x401/0x550 net/compat.c:719
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x231/0xb27 arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff88809e9a6c00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 16 bytes inside of
 192-byte region [ffff88809e9a6c00, ffff88809e9a6cc0)
The buggy address belongs to the page:
page:ffffea00027a6980 refcount:1 mapcount:0 mapping:ffff8880aa400000 index:0x0
raw: 00fffe0000000200 ffffea0002a183c8 ffffea00029e73c8 ffff8880aa400000
raw: 0000000000000000 ffff88809e9a6000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809e9a6b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88809e9a6b80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88809e9a6c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                         ^
 ffff88809e9a6c80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809e9a6d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================