bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
==================================================================
BUG: KASAN: slab-use-after-free in ip6_rcv_core+0x1304/0x1590 net/ipv6/ip6_input.c:199
Read of size 1 at addr ffff88804a87b010 by task kworker/R-krdsd/3398
CPU: 0 UID: 0 PID: 3398 Comm: kworker/R-krdsd Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: krdsd rds_connect_worker
Call Trace:
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
ip6_rcv_core+0x1304/0x1590 net/ipv6/ip6_input.c:199
ipv6_rcv+0x72/0xc0 net/ipv6/ip6_input.c:308
__netif_receive_skb_one_core net/core/dev.c:6079 [inline]
__netif_receive_skb+0xd3/0x380 net/core/dev.c:6192
process_backlog+0x60e/0x14f0 net/core/dev.c:6544
__napi_poll+0xc7/0x360 net/core/dev.c:7594
napi_poll net/core/dev.c:7657 [inline]
net_rx_action+0x5f7/0xdf0 net/core/dev.c:7784
handle_softirqs+0x286/0x870 kernel/softirq.c:622
do_softirq+0xec/0x180 kernel/softirq.c:523
__local_bh_enable_ip+0x17d/0x1c0 kernel/softirq.c:450
lock_sock include/net/sock.h:1679 [inline]
rds_tcp_tune+0xd2/0x4f0 net/rds/tcp.c:498
rds_tcp_conn_path_connect+0x2a1/0x680 net/rds/tcp_connect.c:127
rds_connect_worker+0x1d8/0x290 net/rds/threads.c:176
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
rescuer_thread+0x53c/0xdd0 kernel/workqueue.c:3523
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Allocated by task 10090:
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417
kasan_kmalloc include/linux/kasan.h:262 [inline]
__do_kmalloc_node mm/slub.c:5634 [inline]
__kmalloc_node_track_caller_noprof+0x568/0x800 mm/slub.c:5743
kmalloc_reserve+0x136/0x290 net/core/skbuff.c:601
__alloc_skb+0x142/0x2d0 net/core/skbuff.c:670
alloc_skb include/linux/skbuff.h:1383 [inline]
mld_newpack+0x13c/0xc40 net/ipv6/mcast.c:1775
add_grhead+0x5a/0x2a0 net/ipv6/mcast.c:1886
add_grec+0x1452/0x1740 net/ipv6/mcast.c:2025
mld_send_cr net/ipv6/mcast.c:2109 [inline]
mld_ifc_work+0x30b/0xd60 net/ipv6/mcast.c:2693
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 3398:
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
__kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587
kasan_save_free_info mm/kasan/kasan.h:406 [inline]
poison_slab_object mm/kasan/common.c:252 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284
kasan_slab_free include/linux/kasan.h:234 [inline]
slab_free_hook mm/slub.c:2530 [inline]
slab_free mm/slub.c:6619 [inline]
kfree+0x19a/0x6d0 mm/slub.c:6826
pskb_expand_head+0x382/0x1150 net/core/skbuff.c:2273
netif_skb_check_for_xdp net/core/dev.c:5439 [inline]
netif_receive_generic_xdp net/core/dev.c:5470 [inline]
do_xdp_generic+0x8c5/0x11a0 net/core/dev.c:5538
__netif_receive_skb_core+0x18f4/0x4380 net/core/dev.c:5889
__netif_receive_skb_one_core net/core/dev.c:6077 [inline]
__netif_receive_skb+0x72/0x380 net/core/dev.c:6192
netif_receive_skb_internal net/core/dev.c:6278 [inline]
netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337
NF_HOOK+0xa0/0x390 include/linux/netfilter.h:319
br_handle_frame_finish+0x15c6/0x1c50 net/bridge/br_input.c:235
br_nf_hook_thresh+0x3c6/0x4a0 net/bridge/br_netfilter_hooks.c:-1
br_nf_pre_routing_finish_ipv6+0x999/0xd60 net/bridge/br_netfilter_ipv6.c:-1
NF_HOOK include/linux/netfilter.h:318 [inline]
br_nf_pre_routing_ipv6+0x37e/0x6b0 net/bridge/br_netfilter_ipv6.c:184
nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
nf_hook_bridge_pre net/bridge/br_input.c:291 [inline]
br_handle_frame+0x982/0x14c0 net/bridge/br_input.c:442
__netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966
__netif_receive_skb_one_core net/core/dev.c:6077 [inline]
__netif_receive_skb+0x72/0x380 net/core/dev.c:6192
process_backlog+0x60e/0x14f0 net/core/dev.c:6544
__napi_poll+0xc7/0x360 net/core/dev.c:7594
napi_poll net/core/dev.c:7657 [inline]
net_rx_action+0x5f7/0xdf0 net/core/dev.c:7784
handle_softirqs+0x286/0x870 kernel/softirq.c:622
do_softirq+0xec/0x180 kernel/softirq.c:523
__local_bh_enable_ip+0x17d/0x1c0 kernel/softirq.c:450
lock_sock include/net/sock.h:1679 [inline]
rds_tcp_tune+0xd2/0x4f0 net/rds/tcp.c:498
rds_tcp_conn_path_connect+0x2a1/0x680 net/rds/tcp_connect.c:127
rds_connect_worker+0x1d8/0x290 net/rds/threads.c:176
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
rescuer_thread+0x53c/0xdd0 kernel/workqueue.c:3523
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff88804a87b000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 16 bytes inside of
freed 2048-byte region [ffff88804a87b000, ffff88804a87b800)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804a87f000 pfn:0x4a878
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000240 ffff88801a027000 ffffea00015f8210 ffffea0001fdce10
raw: ffff88804a87f000 0000000000080003 00000000f5000000 0000000000000000
head: 00fff00000000240 ffff88801a027000 ffffea00015f8210 ffffea0001fdce10
head: ffff88804a87f000 0000000000080003 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea00012a1e01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 20840, tgid 20839 (syz.4.4439), ts 431180507447, free_ts 36962903598
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1850
prep_new_page mm/page_alloc.c:1858 [inline]
get_page_from_freelist+0x2365/0x2440 mm/page_alloc.c:3884
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5183
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:3046 [inline]
allocate_slab+0x96/0x3a0 mm/slub.c:3219
new_slab mm/slub.c:3273 [inline]
___slab_alloc+0xe94/0x18a0 mm/slub.c:4643
__slab_alloc+0x65/0x100 mm/slub.c:4762
__slab_alloc_node mm/slub.c:4838 [inline]
slab_alloc_node mm/slub.c:5260 [inline]
__do_kmalloc_node mm/slub.c:5633 [inline]
__kmalloc_node_noprof+0x5cc/0x800 mm/slub.c:5640
kmalloc_node_noprof include/linux/slab.h:987 [inline]
qdisc_alloc+0x97/0xaa0 net/sched/sch_generic.c:950
qdisc_create_dflt+0x8e/0x4e0 net/sched/sch_generic.c:1012
mq_init+0x2dc/0x660 net/sched/sch_mq.c:90
qdisc_create_dflt+0x13b/0x4e0 net/sched/sch_generic.c:1019
attach_default_qdiscs net/sched/sch_generic.c:1201 [inline]
dev_activate+0x1ce/0x1150 net/sched/sch_generic.c:1255
__dev_open+0x69c/0x880 net/core/dev.c:1691
__dev_change_flags+0x1ea/0x6d0 net/core/dev.c:9637
netif_change_flags+0x88/0x1a0 net/core/dev.c:9700
page last free pid 1 tgid 1 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1394 [inline]
__free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2906
__free_pages mm/page_alloc.c:5302 [inline]
free_contig_range+0x1bd/0x4a0 mm/page_alloc.c:7146
destroy_args+0x69/0x660 mm/debug_vm_pgtable.c:958
debug_vm_pgtable+0x39f/0x3b0 mm/debug_vm_pgtable.c:1345
do_one_initcall+0x236/0x820 init/main.c:1283
do_initcall_level+0x104/0x190 init/main.c:1345
do_initcalls+0x59/0xa0 init/main.c:1361
kernel_init_freeable+0x334/0x4b0 init/main.c:1593
kernel_init+0x1d/0x1d0 init/main.c:1483
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Memory state around the buggy address:
 ffff88804a87af00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88804a87af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88804a87b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff88804a87b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88804a87b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================