======================================
| [ 2110.397204][ T12] ==================================================================
| [ 2110.397386][ T12] BUG: KASAN: slab-use-after-free in __fib6_drop_pcpu_from.part.0 (net/ipv6/ip6_fib.c:1004 (discriminator 5))
| [ 2110.397552][ T12] Read of size 8 at addr ff1100001ddb0290 by task kworker/u16:0/12
| [ 2110.397689][ T12]
[ 2110.397740][ T12] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 2110.397743][ T12] Workqueue: netns cleanup_net
[ 2110.397748][ T12] Call Trace:
[ 2110.397750][ T12]
[ 2110.397752][ T12] dump_stack_lvl (lib/dump_stack.c:122)
[ 2110.397758][ T12] print_address_description.constprop.0 (mm/kasan/report.c:379 (discriminator 1))
[ 2110.397763][ T12] print_report (mm/kasan/report.c:483)
[ 2110.397765][ T12] ? __virt_addr_valid (./include/linux/rcupdate.h:937 (discriminator 1) ./include/linux/mmzone.h:2197 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))
[ 2110.397769][ T12] ? __virt_addr_valid (./include/linux/rcupdate.h:963 (discriminator 4) ./include/linux/mmzone.h:2207 (discriminator 4) arch/x86/mm/physaddr.c:54 (discriminator 4))
[ 2110.397771][ T12] kasan_report (mm/kasan/report.c:597)
[ 2110.397774][ T12] ? __fib6_drop_pcpu_from.part.0 (net/ipv6/ip6_fib.c:1004 (discriminator 5))
[ 2110.397777][ T12] ? __fib6_drop_pcpu_from.part.0 (net/ipv6/ip6_fib.c:1004 (discriminator 5))
[ 2110.397779][ T12] __fib6_drop_pcpu_from.part.0 (net/ipv6/ip6_fib.c:1004 (discriminator 5))
[ 2110.397781][ T12] fib6_purge_rt (net/ipv6/ip6_fib.c:1037 net/ipv6/ip6_fib.c:1038 net/ipv6/ip6_fib.c:1049)
[ 2110.397784][ T12] fib6_del_route (net/ipv6/ip6_fib.c:2052)
[ 2110.397787][ T12] ? fib6_purge_rt (net/ipv6/ip6_fib.c:1972)
[ 2110.397789][ T12] ? ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
[ 2110.397792][ T12] fib6_del (net/ipv6/ip6_fib.c:2096)
[ 2110.397793][ T12] ? validate_chain (kernel/locking/lockdep.c:3801 (discriminator 3) kernel/locking/lockdep.c:3821 (discriminator 3) kernel/locking/lockdep.c:3876 (discriminator 3))
[ 2110.397797][ T12] fib6_clean_node (net/ipv6/ip6_fib.c:2258)
[ 2110.397799][ T12] ? fib6_del (net/ipv6/ip6_fib.c:2234)
[ 2110.397801][ T12] ? lock_acquire.part.0 (kernel/locking/lockdep.c:470 (discriminator 2) kernel/locking/lockdep.c:5870 (discriminator 2))
[ 2110.397803][ T12] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[ 2110.397806][ T12] fib6_walk_continue (net/ipv6/ip6_fib.c:2180)
[ 2110.397807][ T12] ? mark_held_locks (kernel/locking/lockdep.c:4325 (discriminator 1))
[ 2110.397809][ T12] ? fib6_ifup (net/ipv6/route.c:4963)
[ 2110.397811][ T12] ? fib6_ifup (net/ipv6/route.c:4963)
[ 2110.397812][ T12] fib6_walk (net/ipv6/ip6_fib.c:2227)
[ 2110.397814][ T12] ? __lock_acquire (kernel/locking/lockdep.c:5237)
[ 2110.397816][ T12] fib6_clean_tree (net/ipv6/ip6_fib.c:2293)
[ 2110.397818][ T12] ? fib6_walk (net/ipv6/ip6_fib.c:2293)
[ 2110.397820][ T12] ? fib6_del (net/ipv6/ip6_fib.c:2234)
[ 2110.397822][ T12] ? fib6_ifup (net/ipv6/route.c:4963)
[ 2110.397824][ T12] ? fib6_ifup (net/ipv6/route.c:4963)
[ 2110.397825][ T12] __fib6_clean_all (./include/linux/spinlock.h:396 net/ipv6/ip6_fib.c:2325)
[ 2110.397828][ T12] rt6_disable_ip (net/ipv6/route.c:5018 net/ipv6/route.c:5023)
[ 2110.397829][ T12] ? rt6_sync_down_dev (net/ipv6/route.c:5022)
[ 2110.397831][ T12] ? lockdep_hardirqs_on_prepare.part.0 (kernel/locking/lockdep.c:470 (discriminator 11) kernel/locking/lockdep.c:4411 (discriminator 11))
[ 2110.397833][ T12] ? _raw_spin_unlock_irqrestore (./include/linux/spinlock_api_smp.h:179 (discriminator 4) kernel/locking/spinlock.c:198 (discriminator 4))
[ 2110.397837][ T12] addrconf_ifdown.isra.0 (./include/net/addrconf.h:348 (discriminator 4) net/ipv6/addrconf.c:3873 (discriminator 4))
[ 2110.397840][ T12] ? __timer_delete_sync (kernel/time/timer.c:1603 (discriminator 2))
[ 2110.397842][ T12] ? __timer_delete_sync (kernel/time/timer.c:1623 (discriminator 1))
[ 2110.397844][ T12] ? __neigh_ifdown.isra.0 (net/core/neighbour.c:479 (discriminator 1))
[ 2110.397847][ T12] ? addrconf_dad_run (net/ipv6/addrconf.c:3858)
[ 2110.397848][ T12] ? netkit_xmit (drivers/net/netkit.c:1186)
[ 2110.397852][ T12] addrconf_notify (net/ipv6/addrconf.c:3828)
[ 2110.397854][ T12] ? team_port_get_rtnl (drivers/net/team/team_core.c:42 (discriminator 4))
[ 2110.397857][ T12] notifier_call_chain (kernel/notifier.c:87)
[ 2110.397861][ T12] netif_close_many (net/core/dev.c:1806)
[ 2110.397863][ T12] ? rcu_is_watching (./include/linux/context_tracking.h:128 (discriminator 3) kernel/rcu/tree.c:752 (discriminator 3))
[ 2110.397866][ T12] ? lock_acquire (./include/trace/events/lock.h:24 (discriminator 24) kernel/locking/lockdep.c:5831 (discriminator 24))
[ 2110.397867][ T12] ? __dev_close_many (net/core/dev.c:1793)
[ 2110.397869][ T12] ? netif_close_many_and_unlock (net/core/dev.c:12322 (discriminator 1))
[ 2110.397870][ T12] ? __mutex_lock (./arch/x86/include/asm/preempt.h:104 kernel/locking/mutex.c:784 kernel/locking/mutex.c:806)
[ 2110.397873][ T12] unregister_netdevice_many_notify (net/core/dev.c:12397 (discriminator 1))
[ 2110.397876][ T12] ? mutex_is_locked (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-long.h:38 ./include/linux/atomic/atomic-instrumented.h:3189 kernel/locking/mutex.h:48 kernel/locking/mutex.c:65)
[ 2110.397877][ T12] ? rtnl_is_locked (net/core/rtnetlink.c:169 (discriminator 1))
[ 2110.397879][ T12] ? default_device_exit_net (net/core/dev.c:13024 (discriminator 3))
[ 2110.397880][ T12] ? unregister_netdevice_queued (net/core/dev.c:12351)
[ 2110.397883][ T12] ? perf_trace_sched_switch (kernel/sched/core.c:9112)
[ 2110.397886][ T12] default_device_exit_batch (net/core/dev.c:13081)
[ 2110.397888][ T12] ? unregister_netdev (net/core/dev.c:13056)
[ 2110.397890][ T12] ? perf_trace_sched_switch (kernel/sched/core.c:9112)
[ 2110.397892][ T12] ? fou_exit_net (net/ipv4/fou_core.c:1232 (discriminator 1))
[ 2110.397895][ T12] ops_undo_list (net/core/net_namespace.c:251 (discriminator 3))
[ 2110.397897][ T12] ? netns_install (net/core/net_namespace.c:223)
[ 2110.397898][ T12] ? __lock_release.isra.0 (kernel/locking/lockdep.c:5536)
[ 2110.397901][ T12] cleanup_net (net/core/net_namespace.c:704)
[ 2110.397903][ T12] ? net_passive_dec (net/core/net_namespace.c:663)
[ 2110.397904][ T12] ? process_one_work (kernel/workqueue.c:3264 (discriminator 2))
[ 2110.397907][ T12] ? lock_acquire (./include/trace/events/lock.h:24 (discriminator 24) kernel/locking/lockdep.c:5831 (discriminator 24))
[ 2110.397908][ T12] ? rcu_is_watching (./include/linux/context_tracking.h:128 (discriminator 3) kernel/rcu/tree.c:752 (discriminator 3))
[ 2110.397910][ T12] process_one_work (kernel/workqueue.c:3293)
[ 2110.397913][ T12] ? pwq_dec_nr_in_flight (kernel/workqueue.c:3189)
[ 2110.397914][ T12] ? lock_acquire.part.0 (kernel/locking/lockdep.c:470 (discriminator 2) kernel/locking/lockdep.c:5870 (discriminator 2))
[ 2110.397917][ T12] worker_thread (kernel/workqueue.c:3365 (discriminator 5) kernel/workqueue.c:3452 (discriminator 5))
[ 2110.397920][ T12] ? rescuer_thread (kernel/workqueue.c:3398)
[ 2110.397922][ T12] kthread (kernel/kthread.c:436)
[ 2110.397923][ T12] ? trace_irq_enable.constprop.0 (./include/trace/events/preemptirq.h:40 (discriminator 24))
[ 2110.397926][ T12] ? kthread_affine_node (kernel/kthread.c:381)
[ 2110.397928][ T12] ret_from_fork (arch/x86/kernel/process.c:164)
[ 2110.397931][ T12] ? arch_exit_to_user_mode_prepare.isra.0 (arch/x86/entry/syscall_64.c:37)
[ 2110.397934][ T12] ? __switch_to (./arch/x86/include/asm/cpufeature.h:101 (discriminator 1) arch/x86/kernel/process_64.c:377 (discriminator 1) arch/x86/kernel/process_64.c:665 (discriminator 1))
[ 2110.397936][ T12] ? kthread_affine_node (kernel/kthread.c:381)
[ 2110.397937][ T12] ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
| [ 2110.413800][ T12] Disabling lock debugging due to kernel taint
| [ 2110.417259][ C0] Oops: general protection fault, probably for non-canonical address 0xe0b3fc3540000007: 0000 [#1] SMP KASAN
| [ 2110.417456][ C0] KASAN: maybe wild-memory-access in range [0x05a001aa00000038-0x05a001aa0000003f]
| [ 2110.417735][ C0] Tainted: [B]=BAD_PAGE
[ 2110.417794][ C0] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 2110.417887][ C0] RIP: 0010:dst_dev_put (net/core/dst.c:150)
[ 2110.417972][ C0] Code: fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 2c 02 00 00 48 ba 00 00 00 00 00 fc ff df 48 8b 43 08 48 8d 78 38 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 d8 01 00 00 48 8b 40 38 48 85 c0 74 08 48 89 ee
All code
========
   0:   fc                      cld
   1:   ff                      lcall (bad)
   2:   df 48 c1                fisttps -0x3f(%rax)
   5:   ea                      (bad)
   6:   03 80 3c 02 00 0f       add 0xf00023c(%rax),%eax
   c:   85 2c 02                test %ebp,(%rdx,%rax,1)
   f:   00 00                   add %al,(%rax)
  11:   48 ba 00 00 00 00 00    movabs $0xdffffc0000000000,%rdx
  18:   fc ff df
  1b:   48 8b 43 08             mov 0x8(%rbx),%rax
  1f:   48 8d 78 38             lea 0x38(%rax),%rdi
  23:   48 89 f9                mov %rdi,%rcx
  26:   48 c1 e9 03             shr $0x3,%rcx
  2a:*  80 3c 11 00             cmpb $0x0,(%rcx,%rdx,1) <-- trapping instruction
  2e:   0f 85 d8 01 00 00       jne 0x20c
  34:   48 8b 40 38             mov 0x38(%rax),%rax
  38:   48 85 c0                test %rax,%rax
  3b:   74 08                   je 0x45
  3d:   48 89 ee                mov %rbp,%rsi

Code starting with the faulting instruction
===========================================
   0:   80 3c 11 00             cmpb $0x0,(%rcx,%rdx,1)
   4:   0f 85 d8 01 00 00       jne 0x1e2
   a:   48 8b 40 38             mov 0x38(%rax),%rax
   e:   48 85 c0                test %rax,%rax
  11:   74 08                   je 0x1b
  13:   48 89 ee                mov %rbp,%rsi
[ 2110.418230][ C0] RSP: 0018:ffa00000000e7b70 EFLAGS: 00010212
[ 2110.418326][ C0] RAX: 05a001aa00000000 RBX: ff1100001ddb0200 RCX: 00b4003540000007
[ 2110.418444][ C0] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: 05a001aa00000038
[ 2110.418558][ C0] RBP: ff1100000c0e9730 R08: ffffffffb0d2c4fc R09: 1ffa3ffffff600a2
[ 2110.418666][ C0] R10: fffa3bfffff600a3 R11: fffa3bfffff600a3 R12: ff1100000fe08200
[ 2110.418778][ C0] R13: fffffbfff636684c R14: ff1100000fe082c8 R15: 0000000000000008
[ 2110.418891][ C0] FS: 0000000000000000(0000) GS:ff110000b88cc000(0000) knlGS:0000000000000000
[ 2110.419024][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2110.419117][ C0] CR2: 000055d25a498060 CR3: 000000005f54e002 CR4: 0000000000771ef0
[ 2110.419229][ C0] PKRU: 55555554
[ 2110.419296][ C0] Call Trace:
[ 2110.419354][ C0]
[ 2110.419395][ C0] fib6_nh_release_dsts.part.0 (net/ipv6/route.c:3748)
[ 2110.419480][ C0] fib6_nh_release (net/ipv6/route.c:3729)
[ 2110.419559][ C0] ? rcu_is_watching (./include/linux/context_tracking.h:128 (discriminator 3) kernel/rcu/tree.c:752 (discriminator 3))
[ 2110.419635][ C0] fib6_info_destroy_rcu (net/ipv6/ip6_fib.c:177)
[ 2110.419710][ C0] ? rcu_do_batch (kernel/rcu/tree.c:2617)
[ 2110.419784][ C0] ? rcu_do_batch (./arch/x86/include/asm/jump_label.h:37 ./include/trace/events/rcu.h:597 kernel/rcu/tree.c:2612)
[ 2110.419859][ C0] rcu_do_batch (./include/linux/rcupdate.h:310 (discriminator 2) kernel/rcu/tree.c:2619 (discriminator 2))
[ 2110.419932][ C0] ? rcu_start_this_gp (kernel/rcu/tree.c:1019)
[ 2110.420016][ C0] ? trace_rcu_batch_end (kernel/rcu/tree.c:2541)
[ 2110.420092][ C0] ? trace_rcu_grace_period (./include/linux/context_tracking.h:128 (discriminator 3) kernel/rcu/tree.c:752 (discriminator 3) ./include/trace/events/rcu.h:69 (discriminator 3))
[ 2110.420166][ C0] ? rcu_is_watching (./include/linux/context_tracking.h:128 (discriminator 3) kernel/rcu/tree.c:752 (discriminator 3))
[ 2110.420245][ C0] ? trace_irq_enable.constprop.0 (./include/trace/events/preemptirq.h:40 (discriminator 24))
[ 2110.420343][ C0] ? trace_irq_disable.constprop.0 (./include/trace/events/preemptirq.h:36 (discriminator 24))
[ 2110.420437][ C0] rcu_core (kernel/rcu/tree.c:2871)
[ 2110.420495][ C0] handle_softirqs (./arch/x86/include/asm/jump_label.h:37 ./include/trace/events/irq.h:142 kernel/softirq.c:623)
[ 2110.420575][ C0] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[ 2110.420650][ C0] ? _local_bh_enable (kernel/softirq.c:580)
[ 2110.420722][ C0] ? perf_trace_sched_switch (kernel/sched/core.c:9112)
[ 2110.420797][ C0] ? rcu_is_watching (./include/linux/context_tracking.h:128 (discriminator 3) kernel/rcu/tree.c:752 (discriminator 3))
[ 2110.420872][ C0] ? rcu_is_watching (./include/linux/context_tracking.h:128 (discriminator 3) kernel/rcu/tree.c:752 (discriminator 3))
[ 2110.420944][ C0] run_ksoftirqd (kernel/softirq.c:479 kernel/softirq.c:1077 kernel/softirq.c:1068)
[ 2110.421022][ C0] smpboot_thread_fn (kernel/smpboot.c:160)
[ 2110.421096][ C0] ? sort_range (kernel/smpboot.c:103)
[ 2110.421151][ C0] kthread (kernel/kthread.c:436)
[ 2110.421214][ C0] ? trace_irq_enable.constprop.0 (./include/trace/events/preemptirq.h:40 (discriminator 24))
[ 2110.421310][ C0] ? kthread_affine_node (kernel/kthread.c:381)
[ 2110.421383][ C0] ret_from_fork (arch/x86/kernel/process.c:164)
[ 2110.421464][ C0] ? arch_exit_to_user_mode_prepare.isra.0 (arch/x86/entry/syscall_64.c:37)
[ 2110.421567][ C0] ? __switch_to (./arch/x86/include/asm/cpufeature.h:101 (discriminator 1) arch/x86/kernel/process_64.c:377 (discriminator 1) arch/x86/kernel/process_64.c:665 (discriminator 1))
[ 2110.421640][ C0] ? kthread_affine_node (kernel/kthread.c:381)
Finger prints: dst_dev_put:fib6_nh_release:fib6_info_destroy_rcu:rcu_do_batch:rcu_core print_report:kasan_report:fib6_purge_rt:fib6_del_route:fib6_del