[Reviewer note: this dmesg capture contains two console streams printed concurrently and interleaved token-by-token — the CPU 0 KASAN report from syz-executor0/6761, and a CPU 1 "vmwrite error" stack from syz-executor4/6783. They are separated below; no tokens were added or dropped, only regrouped. The KASAN read is at offset 24 into a freed kvm_vcpu object during the sched-in preempt-notifier walk, in a task that was preempted inside KVM_CREATE_VM (ioctl 0xae01); the object was freed by a different task via kvm_vcpu_release → kvm_put_kvm → kvm_arch_destroy_vm → kvm_free_vcpus → vmx_free_vcpu. The concurrent CPU 1 stack shows the same notifier path reaching kvm_sched_in → kvm_arch_vcpu_load → vmx_vcpu_load and failing a VMWRITE, i.e. a preempt notifier still registered for a vcpu whose backing memory is gone.]

--- Stream 1: CPU 0, KASAN report ---

8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
==================================================================
BUG: KASAN: use-after-free in __fire_sched_in_preempt_notifiers kernel/sched/core.c:2511 [inline]
BUG: KASAN: use-after-free in fire_sched_in_preempt_notifiers kernel/sched/core.c:2517 [inline]
BUG: KASAN: use-after-free in finish_task_switch+0x56e/0x8c0 kernel/sched/core.c:2709
Read of size 8 at addr ffff8801c46c8058 by task syz-executor0/6761

CPU: 0 PID: 6761 Comm: syz-executor0 Not tainted 4.18.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x16e/0x22a lib/dump_stack.c:113
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 __fire_sched_in_preempt_notifiers kernel/sched/core.c:2511 [inline]
 fire_sched_in_preempt_notifiers kernel/sched/core.c:2517 [inline]
 finish_task_switch+0x56e/0x8c0 kernel/sched/core.c:2709
 context_switch kernel/sched/core.c:2856 [inline]
 __schedule+0x83e/0x1f40 kernel/sched/core.c:3501
 preempt_schedule_irq+0x87/0x110 kernel/sched/core.c:3728
 retint_kernel+0x1b/0x2d
RIP: 0010:jhash2 include/linux/jhash.h:128 [inline]
RIP: 0010:hash_stack lib/stackdepot.c:161 [inline]
RIP: 0010:depot_save_stack+0xbf/0x470 lib/stackdepot.c:230
Code: 01 c8 c1 c3 08 44 31 d3 41 89 da 41 29 d9 01 c3 41 c1 c2 10 45 31 d1 45 89 ca 44 29 c8 41 01 d9 41 c1 ca 0d 44 31 d0 41 89 c2 <29> c3 44 01 c8 41 c1 c2 04 44 31 d3 41 83 f8 03 77 86 41 83 f8 02
RSP: 0018:ffff8801b88df1c8 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
RAX: 00000000f053ad46 RBX: 000000009697aeaf RCX: ffff8801b88df228
RDX: ffff8801b88df24c RSI: 0000000000608040 RDI: 0000000000000014
RBP: ffff8801b88df200 R08: 000000000000001f R09: 000000004b2c9494
R10: 00000000f053ad46 R11: ffff8801dac23953 R12: ffff8801da97c0c0
R13: ffff8801b88df210 R14: 0000000000000000 R15: ffff8801cc817faf
 save_stack+0xa9/0xd0 mm/kasan/kasan.c:454
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x780 mm/slab.c:3554
 kmem_cache_zalloc include/linux/slab.h:697 [inline]
 new_inode_smack+0x1b/0xa0 security/smack/smack_lsm.c:299
 smack_inode_alloc_security+0x85/0xf0 security/smack/smack_lsm.c:974
 security_inode_alloc+0x63/0xa0 security/security.c:443
 inode_init_always+0x685/0xdd0 fs/inode.c:168
 alloc_inode+0x6c/0x150 fs/inode.c:217
 new_inode_pseudo+0x66/0x190 fs/inode.c:895
 new_inode+0x14/0x30 fs/inode.c:924
 debugfs_get_inode+0xe/0x110 fs/debugfs/inode.c:37
 __debugfs_create_file+0x74/0x390 fs/debugfs/inode.c:352
 debugfs_create_file+0x24/0x30 fs/debugfs/inode.c:399
 kvm_create_vm_debugfs arch/x86/kvm/../../../virt/kvm/kvm_main.c:614 [inline]
 kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:3204 [inline]
 kvm_dev_ioctl+0xa24/0x1a30 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3231
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x195/0x1650 fs/ioctl.c:684
 ksys_ioctl+0x62/0x90 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:706
 do_syscall_64+0x183/0x700 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4577c9
Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fdc056e1c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fdc056e26d4 RCX: 00000000004577c9
RDX: 0000000000000000 RSI: 000000000000ae01 RDI: 0000000000000006
RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004cfcc8 R14: 00000000004bfe00 R15: 0000000000000000

Allocated by task 6761:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x780 mm/slab.c:3554
 kmem_cache_zalloc include/linux/slab.h:697 [inline]
 vmx_create_vcpu+0xc6/0x1f50 arch/x86/kvm/vmx.c:10313
 kvm_arch_vcpu_create+0xb0/0x1c0 arch/x86/kvm/x86.c:8387
 kvm_vm_ioctl_create_vcpu arch/x86/kvm/../../../virt/kvm/kvm_main.c:2466 [inline]
 kvm_vm_ioctl+0x5e0/0x1c60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2967
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x195/0x1650 fs/ioctl.c:684
 ksys_ioctl+0x62/0x90 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:706
 do_syscall_64+0x183/0x700 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 6760:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kmem_cache_free+0x83/0x2d0 mm/slab.c:3756
 vmx_free_vcpu+0x200/0x290 arch/x86/kvm/vmx.c:10307
 kvm_arch_vcpu_free arch/x86/kvm/x86.c:8373 [inline]
 kvm_free_vcpus arch/x86/kvm/x86.c:8822 [inline]
 kvm_arch_destroy_vm+0x322/0x7a0 arch/x86/kvm/x86.c:8919
 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:746 [inline]
 kvm_put_kvm+0x59c/0xdd0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:767
 kvm_vcpu_release+0x77/0xa0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2397
 __fput+0x2e6/0x990 fs/file_table.c:209
 ____fput+0x9/0x10 fs/file_table.c:243
 task_work_run+0x19f/0x240 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:192 [inline]
 exit_to_usermode_loop+0x269/0x300 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x587/0x700 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8801c46c8040
 which belongs to the cache kvm_vcpu of size 23616
The buggy address is located 24 bytes inside of
 23616-byte region [ffff8801c46c8040, ffff8801c46cdc80)
The buggy address belongs to the page:
page:ffffea000711b200 count:1 mapcount:0 mapping:ffff8801d57a0a80 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801d579e648 ffffea0007022c08 ffff8801d57a0a80
raw: 0000000000000000 ffff8801c46c8040 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c46c7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801c46c7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801c46c8000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                    ^
 ffff8801c46c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c46c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

--- Stream 2: CPU 1, concurrent vmwrite error (printed while the KASAN report above was being emitted) ---

vmwrite error: reg 6c0a value fffffe0000034000 (err 212992)
CPU: 1 PID: 6783 Comm: syz-executor4 Not tainted 4.18.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x16e/0x22a lib/dump_stack.c:113
 vmwrite_error+0x2a/0x30 arch/x86/kvm/vmx.c:2097
 __vmcs_writel arch/x86/kvm/vmx.c:2107 [inline]
 vmcs_writel arch/x86/kvm/vmx.c:2147 [inline]
 vmx_vcpu_load+0xad9/0xf40 arch/x86/kvm/vmx.c:2774
 kvm_arch_vcpu_load+0x1d8/0x7a0 arch/x86/kvm/x86.c:3075
 kvm_sched_in+0x63/0x80 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3965
 __fire_sched_in_preempt_notifiers kernel/sched/core.c:2511 [inline]
 fire_sched_in_preempt_notifiers kernel/sched/core.c:2517 [inline]
 finish_task_switch+0x537/0x8c0 kernel/sched/core.c:2709
 context_switch kernel/sched/core.c:2856 [inline]
 __schedule+0x83e/0x1f40 kernel/sched/core.c:3501
 preempt_schedule_common+0x1f/0xd0 kernel/sched/core.c:3625
 preempt_schedule+0x4d/0x60 kernel/sched/core.c:3651
 ___preempt_schedule+0x16/0x18
 vprintk_emit+0x3df/0xad0 kernel/printk/printk.c:1908
 vprintk_default+0x1a/0x20 kernel/printk/printk.c:1948
 vprintk_func+0x2c/0xf2 kernel/printk/printk_safe.c:382
 printk+0x9a/0xc0 kernel/printk/printk.c:1981
 __dynamic_pr_debug+0x149/0x1c0 lib/dynamic_debug.c:565