team0 (unregistering): Port device team_slave_0 removed
bond0 (unregistering): Releasing backup interface bond_slave_0
device bond_slave_0 left promiscuous mode
bond0 (unregistering): Released all slaves
==================================================================
BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:704 [inline]
BUG: KASAN: use-after-free in hlist_del_init include/linux/list.h:717 [inline]
BUG: KASAN: use-after-free in __xfrm_policy_unlink+0x9a4/0xa00 net/xfrm/xfrm_policy.c:2213
Write of size 8 at addr ffff88809035ecb0 by task kworker/u4:5/4863

CPU: 1 PID: 4863 Comm: kworker/u4:5 Not tainted 5.0.0-rc3+ #32
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:140
 __hlist_del include/linux/list.h:704 [inline]
 hlist_del_init include/linux/list.h:717 [inline]
 __xfrm_policy_unlink+0x9a4/0xa00 net/xfrm/xfrm_policy.c:2213
 xfrm_policy_flush+0x331/0x460 net/xfrm/xfrm_policy.c:1789
 xfrm_policy_fini+0xbf/0x640 net/xfrm/xfrm_policy.c:3866
 xfrm_net_exit+0x1d/0x70 net/xfrm/xfrm_policy.c:3928
 ops_exit_list.isra.0+0xb0/0x160 net/core/net_namespace.c:153
 cleanup_net+0x51d/0xb10 net/core/net_namespace.c:551
 process_one_work+0xd0c/0x1ce0 kernel/workqueue.c:2153
 worker_thread+0x143/0x14a0 kernel/workqueue.c:2296
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 17005:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc mm/kasan/common.c:496 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:504
 __do_kmalloc_node mm/slab.c:3673 [inline]
 __kmalloc_node_track_caller+0x4e/0x70 mm/slab.c:3687
 __kmalloc_reserve.isra.0+0x40/0xe0 net/core/skbuff.c:140
 __alloc_skb+0x12d/0x730 net/core/skbuff.c:208
 alloc_skb include/linux/skbuff.h:1011 [inline]
 alloc_skb_with_frags+0xef/0x720 net/core/skbuff.c:5283
 sock_alloc_send_pskb+0x8c9/0xad0 net/core/sock.c:2091
 sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2108
 __ip6_append_data.isra.0+0x2556/0x3f20 net/ipv6/ip6_output.c:1443
 ip6_make_skb+0x391/0x5f0 net/ipv6/ip6_output.c:1806
 udpv6_sendmsg+0x2b56/0x3570 net/ipv6/udp.c:1468
 inet_sendmsg+0x1af/0x740 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xdd/0x130 net/socket.c:631
 ___sys_sendmsg+0x409/0x910 net/socket.c:2116
 __sys_sendmmsg+0x246/0x730 net/socket.c:2211
 __do_sys_sendmmsg net/socket.c:2240 [inline]
 __se_sys_sendmmsg net/socket.c:2237 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2237
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 17005:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
 __cache_free mm/slab.c:3487 [inline]
 kfree+0xcf/0x230 mm/slab.c:3806
 skb_free_head+0x93/0xb0 net/core/skbuff.c:553
 skb_release_data+0x6ea/0x970 net/core/skbuff.c:573
 skb_release_all+0x4d/0x60 net/core/skbuff.c:627
 __kfree_skb net/core/skbuff.c:641 [inline]
 kfree_skb net/core/skbuff.c:659 [inline]
 kfree_skb+0x199/0x580 net/core/skbuff.c:653
 ip_tunnel_xmit+0x800/0x3b3c net/ipv4/ip_tunnel.c:788
 __gre_xmit+0x5e9/0x9a0 net/ipv4/ip_gre.c:444
 erspan_xmit+0xa21/0x2c30 net/ipv4/ip_gre.c:753
 __netdev_start_xmit include/linux/netdevice.h:4382 [inline]
 netdev_start_xmit include/linux/netdevice.h:4391 [inline]
 xmit_one net/core/dev.c:3278 [inline]
 dev_hard_start_xmit+0x261/0xc70 net/core/dev.c:3294
 sch_direct_xmit+0x452/0x1100 net/sched/sch_generic.c:327
 qdisc_restart net/sched/sch_generic.c:390 [inline]
 __qdisc_run+0x606/0x19d0 net/sched/sch_generic.c:398
 qdisc_run include/net/pkt_sched.h:121 [inline]
 qdisc_run include/net/pkt_sched.h:118 [inline]
 __dev_xmit_skb net/core/dev.c:3473 [inline]
 __dev_queue_xmit+0x29d0/0x3a60 net/core/dev.c:3832
 dev_queue_xmit+0x18/0x20 net/core/dev.c:3897
 neigh_hh_output include/net/neighbour.h:498 [inline]
 neigh_output include/net/neighbour.h:506 [inline]
 ip6_finish_output2+0x141a/0x28e0 net/ipv6/ip6_output.c:120
 ip6_finish_output+0x577/0xc30 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip6_output+0x23c/0xa00 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:444 [inline]
 ip6_local_out+0xc4/0x1b0 net/ipv6/output_core.c:176
 ip6_send_skb+0xbb/0x350 net/ipv6/ip6_output.c:1727
 udp_v6_send_skb.isra.0+0x839/0x14f0 net/ipv6/udp.c:1177
 udpv6_sendmsg+0x2ba8/0x3570 net/ipv6/udp.c:1474
 inet_sendmsg+0x1af/0x740 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xdd/0x130 net/socket.c:631
 ___sys_sendmsg+0x409/0x910 net/socket.c:2116
 __sys_sendmmsg+0x246/0x730 net/socket.c:2211
 __do_sys_sendmmsg net/socket.c:2240 [inline]
 __se_sys_sendmmsg net/socket.c:2237 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2237
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809035e900
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 944 bytes inside of
 1024-byte region [ffff88809035e900, ffff88809035ed00)
The buggy address belongs to the page:
page:ffffea000240d780 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0xffff88809035e900 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea0002601288 ffffea000259e988 ffff88812c3f0ac0
raw: ffff88809035e900 ffff88809035e000 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809035eb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809035ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809035ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff88809035ed00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809035ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================