======================================
| [  950.513253][   T12] ==================================================================
| [  950.513436][   T12] BUG: KASAN: slab-use-after-free in __fib6_drop_pcpu_from.part.0 (net/ipv6/ip6_fib.c:1004 (discriminator 5))
| [  950.513600][   T12] Read of size 8 at addr ff11000004ab8450 by task kworker/u16:0/12
| [  950.513746][   T12]
[  950.513801][   T12] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  950.513803][   T12] Workqueue: netns cleanup_net
[  950.513809][   T12] Call Trace:
[  950.513810][   T12]  <TASK>
[  950.513812][   T12]  dump_stack_lvl (lib/dump_stack.c:122)
[  950.513818][   T12]  print_address_description.constprop.0 (mm/kasan/report.c:379 (discriminator 1))
[  950.513822][   T12]  print_report (mm/kasan/report.c:483)
[  950.513824][   T12]  ? __virt_addr_valid (./include/linux/rcupdate.h:937 (discriminator 1) ./include/linux/mmzone.h:2197 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))
[  950.513828][   T12]  ? __virt_addr_valid (./include/linux/rcupdate.h:963 (discriminator 4) ./include/linux/mmzone.h:2207 (discriminator 4) arch/x86/mm/physaddr.c:54 (discriminator 4))
[  950.513830][   T12]  kasan_report (mm/kasan/report.c:597)
[  950.513834][   T12]  ? __fib6_drop_pcpu_from.part.0 (net/ipv6/ip6_fib.c:1004 (discriminator 5))
[  950.513836][   T12]  ? __fib6_drop_pcpu_from.part.0 (net/ipv6/ip6_fib.c:1004 (discriminator 5))
[  950.513839][   T12]  __fib6_drop_pcpu_from.part.0 (net/ipv6/ip6_fib.c:1004 (discriminator 5))
[  950.513841][   T12]  fib6_purge_rt (net/ipv6/ip6_fib.c:1037 net/ipv6/ip6_fib.c:1038 net/ipv6/ip6_fib.c:1049)
[  950.513843][   T12]  fib6_del_route (net/ipv6/ip6_fib.c:2052)
[  950.513846][   T12]  ? fib6_purge_rt (net/ipv6/ip6_fib.c:1972)
[  950.513848][   T12]  ? ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
[  950.513851][   T12]  fib6_del (net/ipv6/ip6_fib.c:2096)
[  950.513853][   T12]  ? validate_chain (kernel/locking/lockdep.c:3801 (discriminator 3) kernel/locking/lockdep.c:3821 (discriminator 3) kernel/locking/lockdep.c:3876 (discriminator 3))
[  950.513857][   T12]  fib6_clean_node (net/ipv6/ip6_fib.c:2258)
[  950.513859][   T12]  ? fib6_del (net/ipv6/ip6_fib.c:2234)
[  950.513861][   T12]  ? lock_acquire.part.0 (kernel/locking/lockdep.c:470 (discriminator 2) kernel/locking/lockdep.c:5870 (discriminator 2))
[  950.513863][   T12]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[  950.513865][   T12]  fib6_walk_continue (net/ipv6/ip6_fib.c:2180)
[  950.513867][   T12]  ? mark_held_locks (kernel/locking/lockdep.c:4325 (discriminator 1))
[  950.513869][   T12]  ? fib6_ifup (net/ipv6/route.c:4963)
[  950.513870][   T12]  ? fib6_ifup (net/ipv6/route.c:4963)
[  950.513872][   T12]  fib6_walk (net/ipv6/ip6_fib.c:2227)
[  950.513874][   T12]  ? __lock_acquire (kernel/locking/lockdep.c:5237)
[  950.513876][   T12]  fib6_clean_tree (net/ipv6/ip6_fib.c:2293)
[  950.513878][   T12]  ? fib6_walk (net/ipv6/ip6_fib.c:2293)
[  950.513880][   T12]  ? fib6_del (net/ipv6/ip6_fib.c:2234)
[  950.513881][   T12]  ? fib6_ifup (net/ipv6/route.c:4963)
[  950.513883][   T12]  ? fib6_ifup (net/ipv6/route.c:4963)
[  950.513885][   T12]  __fib6_clean_all (./include/linux/spinlock.h:396 net/ipv6/ip6_fib.c:2325)
[  950.513887][   T12]  rt6_disable_ip (net/ipv6/route.c:5018 net/ipv6/route.c:5023)
[  950.513889][   T12]  ? rt6_sync_down_dev (net/ipv6/route.c:5022)
[  950.513891][   T12]  ? lockdep_hardirqs_on_prepare.part.0 (kernel/locking/lockdep.c:470 (discriminator 11) kernel/locking/lockdep.c:4411 (discriminator 11))
[  950.513893][   T12]  ? _raw_spin_unlock_irqrestore (./include/linux/spinlock_api_smp.h:179 (discriminator 4) kernel/locking/spinlock.c:198 (discriminator 4))
[  950.513896][   T12]  addrconf_ifdown.isra.0 (./include/net/addrconf.h:348 (discriminator 4) net/ipv6/addrconf.c:3873 (discriminator 4))
[  950.513899][   T12]  ? __timer_delete_sync (kernel/time/timer.c:1603 (discriminator 2))
[  950.513902][   T12]  ? __timer_delete_sync (kernel/time/timer.c:1623 (discriminator 1))
[  950.513903][   T12]  ? __neigh_ifdown.isra.0 (net/core/neighbour.c:479 (discriminator 1))
[  950.513906][   T12]  ? addrconf_dad_run (net/ipv6/addrconf.c:3858)
[  950.513908][   T12]  ? netkit_xmit (drivers/net/netkit.c:1186)
[  950.513912][   T12]  addrconf_notify (net/ipv6/addrconf.c:3828)
[  950.513914][   T12]  ? team_port_get_rtnl (drivers/net/team/team_core.c:42 (discriminator 4))
[  950.513917][   T12]  notifier_call_chain (kernel/notifier.c:87)
[  950.513921][   T12]  netif_close_many (net/core/dev.c:1806)
[  950.513923][   T12]  ? rcu_is_watching (./include/linux/context_tracking.h:128 (discriminator 3) kernel/rcu/tree.c:752 (discriminator 3))
[  950.513925][   T12]  ? lock_acquire (./include/trace/events/lock.h:24 (discriminator 24) kernel/locking/lockdep.c:5831 (discriminator 24))
[  950.513927][   T12]  ? __dev_close_many (net/core/dev.c:1793)
[  950.513929][   T12]  ? netif_close_many_and_unlock (net/core/dev.c:12322 (discriminator 1))
[  950.513930][   T12]  ? __mutex_lock (./arch/x86/include/asm/preempt.h:104 kernel/locking/mutex.c:784 kernel/locking/mutex.c:806)
[  950.513933][   T12]  unregister_netdevice_many_notify (net/core/dev.c:12397 (discriminator 1))
[  950.513936][   T12]  ? mutex_is_locked (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-long.h:38 ./include/linux/atomic/atomic-instrumented.h:3189 kernel/locking/mutex.h:48 kernel/locking/mutex.c:65)
[  950.513937][   T12]  ? rtnl_is_locked (net/core/rtnetlink.c:169 (discriminator 1))
[  950.513939][   T12]  ? default_device_exit_net (net/core/dev.c:13024 (discriminator 3))
[  950.513941][   T12]  ? unregister_netdevice_queued (net/core/dev.c:12351)
[  950.513943][   T12]  ? perf_trace_sched_switch (kernel/sched/core.c:9112)
[  950.513946][   T12]  default_device_exit_batch (net/core/dev.c:13081)
[  950.513949][   T12]  ? unregister_netdev (net/core/dev.c:13056)
[  950.513950][   T12]  ? perf_trace_sched_switch (kernel/sched/core.c:9112)
[  950.513952][   T12]  ? fou_exit_net (net/ipv4/fou_core.c:1232 (discriminator 1))
[  950.513955][   T12]  ops_undo_list (net/core/net_namespace.c:251 (discriminator 3))
[  950.513957][   T12]  ? netns_install (net/core/net_namespace.c:223)
[  950.513958][   T12]  ? __lock_release.isra.0 (kernel/locking/lockdep.c:5536)
[  950.513961][   T12]  cleanup_net (net/core/net_namespace.c:704)
[  950.513963][   T12]  ? net_passive_dec (net/core/net_namespace.c:663)
[  950.513964][   T12]  ? process_one_work (kernel/workqueue.c:3264 (discriminator 2))
[  950.513967][   T12]  ? lock_acquire (./include/trace/events/lock.h:24 (discriminator 24) kernel/locking/lockdep.c:5831 (discriminator 24))
[  950.513969][   T12]  ? rcu_is_watching (./include/linux/context_tracking.h:128 (discriminator 3) kernel/rcu/tree.c:752 (discriminator 3))
[  950.513970][   T12]  process_one_work (kernel/workqueue.c:3293)
[  950.513973][   T12]  ? pwq_dec_nr_in_flight (kernel/workqueue.c:3189)
[  950.513975][   T12]  ? lock_acquire.part.0 (kernel/locking/lockdep.c:470 (discriminator 2) kernel/locking/lockdep.c:5870 (discriminator 2))
[  950.513978][   T12]  worker_thread (kernel/workqueue.c:3365 (discriminator 5) kernel/workqueue.c:3452 (discriminator 5))
[  950.513980][   T12]  ? rescuer_thread (kernel/workqueue.c:3398)
[  950.513982][   T12]  kthread (kernel/kthread.c:436)
[  950.513983][   T12]  ? trace_irq_enable.constprop.0 (./include/trace/events/preemptirq.h:40 (discriminator 24))
[  950.513987][   T12]  ? kthread_affine_node (kernel/kthread.c:381)
[  950.513988][   T12]  ret_from_fork (arch/x86/kernel/process.c:164)
[  950.513992][   T12]  ? arch_exit_to_user_mode_prepare.isra.0 (arch/x86/entry/syscall_64.c:37)
[  950.513994][   T12]  ? __switch_to (./arch/x86/include/asm/cpufeature.h:101 (discriminator 1) arch/x86/kernel/process_64.c:377 (discriminator 1) arch/x86/kernel/process_64.c:665 (discriminator 1))
[  950.513996][   T12]  ? kthread_affine_node (kernel/kthread.c:381)
[  950.513998][   T12]  ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
| [  950.528197][   T12] Disabling lock debugging due to kernel taint
| [  950.537521][    C0] Oops: general protection fault, probably for non-canonical address 0xe050bc3500000007: 0000 [#1] SMP KASAN
| [  950.537737][    C0] KASAN: maybe wild-memory-access in range [0x028601a800000038-0x028601a80000003f]
| [  950.538056][    C0] Tainted: [B]=BAD_PAGE
[  950.538124][    C0] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  950.538231][    C0] RIP: 0010:dst_dev_put (net/core/dst.c:150)
[  950.538327][    C0] Code: fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 2c 02 00 00 48 ba 00 00 00 00 00 fc ff df 48 8b 43 08 48 8d 78 38 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 d8 01 00 00 48 8b 40 38 48 85 c0 74 08 48 89 ee
All code
========
   0:	fc                   	cld
   1:	ff                   	lcall  (bad)
   2:	df 48 c1             	fisttps -0x3f(%rax)
   5:	ea                   	(bad)
   6:	03 80 3c 02 00 0f    	add    0xf00023c(%rax),%eax
   c:	85 2c 02             	test   %ebp,(%rdx,%rax,1)
   f:	00 00                	add    %al,(%rax)
  11:	48 ba 00 00 00 00 00 	movabs $0xdffffc0000000000,%rdx
  18:	fc ff df 
  1b:	48 8b 43 08          	mov    0x8(%rbx),%rax
  1f:	48 8d 78 38          	lea    0x38(%rax),%rdi
  23:	48 89 f9             	mov    %rdi,%rcx
  26:	48 c1 e9 03          	shr    $0x3,%rcx
  2a:*	80 3c 11 00          	cmpb   $0x0,(%rcx,%rdx,1)		<-- trapping instruction
  2e:	0f 85 d8 01 00 00    	jne    0x20c
  34:	48 8b 40 38          	mov    0x38(%rax),%rax
  38:	48 85 c0             	test   %rax,%rax
  3b:	74 08                	je     0x45
  3d:	48 89 ee             	mov    %rbp,%rsi

Code starting with the faulting instruction
===========================================
   0:	80 3c 11 00          	cmpb   $0x0,(%rcx,%rdx,1)
   4:	0f 85 d8 01 00 00    	jne    0x1e2
   a:	48 8b 40 38          	mov    0x38(%rax),%rax
   e:	48 85 c0             	test   %rax,%rax
  11:	74 08                	je     0x1b
  13:	48 89 ee             	mov    %rbp,%rsi
[  950.538637][    C0] RSP: 0018:ffa0000000007d48 EFLAGS: 00010212
[  950.538747][    C0] RAX: 028601a800000000 RBX: ff11000004ab83c0 RCX: 0050c03500000007
[  950.538871][    C0] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: 028601a800000038
[  950.539003][    C0] RBP: ff11000005717ad8 R08: ffffffffb112c4fc R09: 1ffa3ffffffa0c37
[  950.539128][    C0] R10: fffa3bfffffa0c38 R11: fffa3bfffffa0c38 R12: ff11000015f94400
[  950.539251][    C0] R13: fffffbfff63e684c R14: ff11000015f944c8 R15: 0000000000000036
[  950.539378][    C0] FS:  0000000000000000(0000) GS:ff110000b84cc000(0000) knlGS:0000000000000000
[  950.539530][    C0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  950.539639][    C0] CR2: 00007f4e6771d4a0 CR3: 000000000c74e004 CR4: 0000000000771ef0
[  950.539770][    C0] PKRU: 55555554
[  950.539833][    C0] Call Trace:
[  950.539895][    C0]  <IRQ>
[  950.539938][    C0]  fib6_nh_release_dsts.part.0 (net/ipv6/route.c:3748)
[  950.540023][    C0]  fib6_nh_release (net/ipv6/route.c:3729)
[  950.540106][    C0]  ? rcu_is_watching (./include/linux/context_tracking.h:128 (discriminator 3) kernel/rcu/tree.c:752 (discriminator 3))
[  950.540189][    C0]  fib6_info_destroy_rcu (net/ipv6/ip6_fib.c:177)
[  950.540272][    C0]  ? rcu_do_batch (kernel/rcu/tree.c:2617)
[  950.540354][    C0]  ? rcu_do_batch (./arch/x86/include/asm/jump_label.h:37 ./include/trace/events/rcu.h:597 kernel/rcu/tree.c:2612)
[  950.540435][    C0]  rcu_do_batch (./include/linux/rcupdate.h:310 (discriminator 2) kernel/rcu/tree.c:2619 (discriminator 2))
[  950.540519][    C0]  ? trace_rcu_batch_end (kernel/rcu/tree.c:2541)
[  950.540601][    C0]  ? trace_irq_enable.constprop.0 (./include/trace/events/preemptirq.h:40 (discriminator 24))
[  950.540705][    C0]  ? do_raw_spin_unlock (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/asm-generic/qspinlock.h:57 kernel/locking/spinlock_debug.c:101 kernel/locking/spinlock_debug.c:141)
[  950.540793][    C0]  ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
[  950.540875][    C0]  ? _raw_spin_unlock_irqrestore (./include/linux/spinlock_api_smp.h:179 (discriminator 4) kernel/locking/spinlock.c:198 (discriminator 4))
[  950.540981][    C0]  rcu_core (kernel/rcu/tree.c:2871)
[  950.541045][    C0]  handle_softirqs (./arch/x86/include/asm/jump_label.h:37 ./include/trace/events/irq.h:142 kernel/softirq.c:623)
[  950.541129][    C0]  ? clockevents_tick_resume (kernel/time/clockevents.c:337)
[  950.541214][    C0]  ? _local_bh_enable (kernel/softirq.c:580)
[  950.541297][    C0]  ? rcu_is_watching (./include/linux/context_tracking.h:128 (discriminator 3) kernel/rcu/tree.c:752 (discriminator 3))
[  950.541379][    C0]  ? lock_release (./include/trace/events/lock.h:69 (discriminator 24) kernel/locking/lockdep.c:5879 (discriminator 24))
[  950.541461][    C0]  __irq_exit_rcu (kernel/softirq.c:496 (discriminator 1) kernel/softirq.c:735 (discriminator 1))
[  950.541544][    C0]  irq_exit_rcu (kernel/softirq.c:754)
[  950.541607][    C0]  sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1061 (discriminator 37) arch/x86/kernel/apic/apic.c:1061 (discriminator 37))
[  950.541691][    C0]  </IRQ>
[  950.541741][    C0]  <TASK>
[  950.541783][    C0]  asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:697)
[  950.541889][    C0] RIP: 0010:pv_native_safe_halt (arch/x86/kernel/paravirt.c:63)
[  950.541975][    C0] Code: 48 8b 3d 54 53 60 02 e8 1f 00 00 00 48 2b 05 d8 11 9e 00 c3 0f 1f 80 00 00 00 00 f3 0f 1e fa eb 07 0f 00 2d 13 44 14 00 fb f4 <c3> 0f 1f 40 d6 48 83 ec 20 8b 17 49 89 f8 83 e2 fe 41 89 d2 0f 01
All code
========
   0:	48 8b 3d 54 53 60 02 	mov    0x2605354(%rip),%rdi        # 0x260535b
   7:	e8 1f 00 00 00       	call   0x2b
   c:	48 2b 05 d8 11 9e 00 	sub    0x9e11d8(%rip),%rax        # 0x9e11eb
  13:	c3                   	ret
  14:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  1b:	f3 0f 1e fa          	endbr64
  1f:	eb 07                	jmp    0x28
  21:	0f 00 2d 13 44 14 00 	verw   0x144413(%rip)        # 0x14443b
  28:	fb                   	sti
  29:	f4                   	hlt
  2a:*	c3                   	ret		<-- trapping instruction
  2b:	0f 1f 40 d6          	nopl   -0x2a(%rax)
  2f:	48 83 ec 20          	sub    $0x20,%rsp
  33:	8b 17                	mov    (%rdi),%edx
  35:	49 89 f8             	mov    %rdi,%r8
  38:	83 e2 fe             	and    $0xfffffffe,%edx
  3b:	41 89 d2             	mov    %edx,%r10d
  3e:	0f                   	.byte 0xf
  3f:	01                   	.byte 0x1

Code starting with the faulting instruction
===========================================
   0:	c3                   	ret
   1:	0f 1f 40 d6          	nopl   -0x2a(%rax)
   5:	48 83 ec 20          	sub    $0x20,%rsp
   9:	8b 17                	mov    (%rdi),%edx
   b:	49 89 f8             	mov    %rdi,%r8
   e:	83 e2 fe             	and    $0xfffffffe,%edx
  11:	41 89 d2             	mov    %edx,%r10d
  14:	0f                   	.byte 0xf
  15:	01                   	.byte 0x1
[  950.542265][    C0] RSP: 0018:ffffffffb2607e00 EFLAGS: 00000246
[  950.542370][    C0] RAX: 0000000000000000 RBX: ffffffffb2630740 RCX: 0000000000000001
[  950.542493][    C0] RDX: 0000000000000000 RSI: ffffffffb18719c0 RDI: ffffffffaeedf5db
[  950.542616][    C0] RBP: 0000000000000000 R08: ffffffffb15544f1 R09: 1fe220000d80639a
[  950.542752][    C0] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffffffff64c0fc3
[  950.542876][    C0] R13: 0000000000000000 R14: dffffc0000000000 R15: 0000000000014770
[  950.543000][    C0]  ? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:126)
[  950.543106][    C0]  ? cpuidle_idle_call.constprop.0 (kernel/sched/idle.c:200)
[  950.543214][    C0]  default_idle (./arch/x86/include/asm/paravirt.h:62 arch/x86/kernel/process.c:767)
[  950.543277][    C0]  default_idle_call (./include/linux/cpuidle.h:143 (discriminator 1) kernel/sched/idle.c:123 (discriminator 1))
[  950.543358][    C0]  cpuidle_idle_call.constprop.0 (kernel/sched/idle.c:200)
[  950.543458][    C0]  ? arch_cpu_idle_exit+0x40/0x40
[  950.543540][    C0]  ? mark_tsc_async_resets (arch/x86/kernel/tsc_sync.c:52)
[  950.543623][    C0]  ? rcu_is_watching (./include/linux/context_tracking.h:128 (discriminator 3) kernel/rcu/tree.c:752 (discriminator 3))
[  950.543705][    C0]  do_idle (kernel/sched/idle.c:352)
[  950.543771][    C0]  cpu_startup_entry (kernel/sched/idle.c:450 (discriminator 1))
[  950.543856][    C0]  rest_init (init/main.c:762)
[  950.543922][    C0]  start_kernel (init/main.c:1220)
[  950.544007][    C0]  x86_64_start_reservations (arch/x86/kernel/head64.c:310)
[  950.544089][    C0]  x86_64_start_kernel (??:?)


Finger prints:
dst_dev_put:fib6_nh_release:fib6_info_destroy_rcu:rcu_do_batch:rcu_core
print_report:kasan_report:fib6_purge_rt:fib6_del_route:fib6_del