[ 1737.919434][ C2] ==================================================================
[ 1737.919612][ C2] BUG: KASAN: slab-use-after-free in fib_rules_lookup+0xc66/0xc80
[ 1737.919749][ C2] Read of size 8 at addr ff1100001062efc0 by task kworker/2:2/66
[ 1737.919875][ C2]
[ 1737.919922][ C2] CPU: 2 UID: 0 PID: 66 Comm: kworker/2:2 Not tainted 7.1.0-rc7-virtme #1 PREEMPT(full)
[ 1737.919925][ C2] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1737.919927][ C2] Workqueue: mld mld_ifc_work
[ 1737.919933][ C2] Call Trace:
[ 1737.919935][ C2] <IRQ>
[ 1737.919937][ C2] dump_stack_lvl+0x6f/0xa0
[ 1737.919942][ C2] print_address_description.constprop.0+0x56/0x2d0
[ 1737.919947][ C2] print_report+0xfc/0x1fa
[ 1737.919949][ C2] ? __virt_addr_valid+0x102/0x440
[ 1737.919953][ C2] ? __virt_addr_valid+0x1da/0x440
[ 1737.919955][ C2] kasan_report+0x108/0x130
[ 1737.919958][ C2] ? fib_rules_lookup+0xc66/0xc80
[ 1737.919960][ C2] ? fib_rules_lookup+0xc66/0xc80
[ 1737.919963][ C2] fib_rules_lookup+0xc66/0xc80
[ 1737.919964][ C2] ? fib_nl_delrule+0x80/0x80
[ 1737.919966][ C2] ? l3mdev_update_flow+0xf8/0x550
[ 1737.919969][ C2] ? dev_get_by_index_rcu+0xe6/0x180
[ 1737.919973][ C2] __fib_lookup+0xdb/0x130
[ 1737.919976][ C2] ? fib4_rule_nlmsg_payload+0x10/0x10
[ 1737.919977][ C2] ? mark_usage+0x61/0x170
[ 1737.919981][ C2] ip_route_input_slow+0x5eb/0x2400
[ 1737.919984][ C2] ? update_curr_rt+0x70/0xa0
[ 1737.919987][ C2] ? rcu_is_watching+0x15/0xd0
[ 1737.919990][ C2] ? fib_multipath_hash+0x11b0/0x11b0
[ 1737.919994][ C2] ? rcu_is_watching+0x15/0xd0
[ 1737.919996][ C2] ? lock_acquire+0x134/0x160
[ 1737.919997][ C2] ip_route_input_noref+0x114/0x250
[ 1737.920000][ C2] ? ip_route_input_slow+0x2400/0x2400
[ 1737.920002][ C2] ? __lock_release.isra.0+0x6b/0x1a0
[ 1737.920005][ C2] ip_rcv_finish_core+0x553/0x14c0
[ 1737.920007][ C2] ip_rcv_finish+0xee/0x250
[ 1737.920009][ C2] ? process_backlog+0x561/0x1490
[ 1737.920012][ C2] ip_rcv+0xdc/0x3d0
[ 1737.920014][ C2] ? ip_local_deliver+0x4c0/0x4c0
[ 1737.920016][ C2] ? validate_chain+0x38b/0xc20
[ 1737.920017][ C2] ? __queue_work+0x315/0xc00
[ 1737.920020][ C2] ? mark_usage+0x61/0x170
[ 1737.920022][ C2] ? __lock_acquire+0x508/0xc10
[ 1737.920024][ C2] __netif_receive_skb_one_core+0xfc/0x180
[ 1737.920025][ C2] ? lock_acquire.part.0+0xbc/0x260
[ 1737.920027][ C2] ? __netif_receive_skb_list_core+0x9e0/0x9e0
[ 1737.920029][ C2] ? rcu_is_watching+0x15/0xd0
[ 1737.920031][ C2] process_backlog+0x2bc/0x1490
[ 1737.920034][ C2] __napi_poll+0xa7/0x3b0
[ 1737.920036][ C2] net_rx_action+0x513/0xf50
[ 1737.920039][ C2] ? __napi_poll+0x3b0/0x3b0
[ 1737.920042][ C2] ? __lock_release.isra.0+0x6b/0x1a0
[ 1737.920043][ C2] ? __rwlock_init+0x150/0x150
[ 1737.920046][ C2] ? __run_timers+0xab0/0xab0
[ 1737.920048][ C2] ? rcu_is_watching+0x15/0xd0
[ 1737.920050][ C2] ? mark_held_locks+0x40/0x70
[ 1737.920051][ C2] handle_softirqs+0x1d8/0x940
[ 1737.920054][ C2] ? _local_bh_enable+0xd0/0xd0
[ 1737.920056][ C2] ? _local_bh_enable+0xd0/0xd0
[ 1737.920058][ C2] do_softirq+0xa9/0xe0
[ 1737.920060][ C2] </IRQ>
[ 1737.920060][ C2] <TASK>
[ 1737.920061][ C2] ? __dev_queue_xmit+0x956/0x1b70
[ 1737.920062][ C2] __local_bh_enable_ip+0x113/0x140
[ 1737.920064][ C2] __dev_queue_xmit+0x96b/0x1b70
[ 1737.920066][ C2] ? arch_stack_walk+0xd7/0x130
[ 1737.920068][ C2] ? __lock_acquire+0x508/0xc10
[ 1737.920070][ C2] ? netdev_core_pick_tx+0x2c0/0x2c0
[ 1737.920072][ C2] ? find_held_lock+0x2b/0x80
[ 1737.920074][ C2] ? __lock_release.isra.0+0x6b/0x1a0
[ 1737.920075][ C2] ? rcu_is_watching+0x15/0xd0
[ 1737.920077][ C2] ? mark_held_locks+0x40/0x70
[ 1737.920078][ C2] ? __asan_memcpy+0x3c/0x60
[ 1737.920080][ C2] ? neigh_hh_output+0x152/0x4c0
[ 1737.920084][ C2] ip6_finish_output2+0x986/0x1310
[ 1737.920086][ C2] ? ip6_xmit+0x2130/0x2130
[ 1737.920087][ C2] ? find_held_lock+0x2b/0x80
[ 1737.920089][ C2] ? __lock_release.isra.0+0x6b/0x1a0
[ 1737.920091][ C2] ? ip6_mtu+0x174/0x410
[ 1737.920093][ C2] ip6_finish_output+0x701/0xe80
[ 1737.920096][ C2] ip6_output+0x23f/0x7f0
[ 1737.920098][ C2] ? ip6_finish_output+0xe80/0xe80
[ 1737.920099][ C2] ? __lock_release.isra.0+0x6b/0x1a0
[ 1737.920105][ C2] ? xfrm_bundle_lookup.constprop.0+0xba0/0xba0
[ 1737.920107][ C2] ? mark_held_locks+0x40/0x70
[ 1737.920109][ C2] ? __local_bh_enable_ip+0xa5/0x140
[ 1737.920111][ C2] ? __local_bh_enable_ip+0xa5/0x140
[ 1737.920112][ C2] ? icmp6_dst_alloc+0x317/0x4d0
[ 1737.920114][ C2] mld_sendpack+0x9d6/0xec0
[ 1737.920117][ C2] ? find_held_lock+0x2b/0x80
[ 1737.920118][ C2] ? nf_hook.constprop.0+0x340/0x340
[ 1737.920121][ C2] ? mld_send_cr+0x50f/0x820
[ 1737.920123][ C2] mld_ifc_work+0x36/0x190
[ 1737.920125][ C2] ? process_one_work+0xdb7/0x1410
[ 1737.920127][ C2] process_one_work+0xdf8/0x1410
[ 1737.920130][ C2] ? pwq_dec_nr_in_flight+0x710/0x710
[ 1737.920132][ C2] ? lock_acquire.part.0+0xbc/0x260
[ 1737.920135][ C2] worker_thread+0x4f1/0xd60
[ 1737.920137][ C2] ? rescuer_thread+0x1320/0x1320
[ 1737.920138][ C2] ? __kthread_parkme+0xbd/0x210
[ 1737.920141][ C2] ? rescuer_thread+0x1320/0x1320
[ 1737.920143][ C2] kthread+0x367/0x460
[ 1737.920144][ C2] ? trace_irq_enable.constprop.0+0x9b/0x180
[ 1737.920147][ C2] ? kthread_affine_node+0x330/0x330
[ 1737.920149][ C2] ret_from_fork+0x474/0x6b0
[ 1737.920152][ C2] ? arch_exit_to_user_mode_prepare.isra.0+0x120/0x120
[ 1737.920154][ C2] ? __switch_to+0x5a3/0xe00
[ 1737.920156][ C2] ? kthread_affine_node+0x330/0x330
[ 1737.920158][ C2] ret_from_fork_asm+0x11/0x20
[ 1737.920162][ C2] </TASK>
[ 1737.920163][ C2]
[ 1737.929523][ C2] Allocated by task 12506:
[ 1737.929656][ C2] kasan_save_stack+0x2f/0x50
[ 1737.929744][ C2] kasan_save_track+0x14/0x30
[ 1737.929828][ C2] __kasan_kmalloc+0x7b/0x90
[ 1737.929916][ C2] __kmalloc_node_track_caller_noprof+0x2d6/0x7b0
[ 1737.930024][ C2] kmemdup_noprof+0x25/0x40
[ 1737.930163][ C2] fib_rules_register+0x30/0x590
[ 1737.930251][ C2] fib4_rules_init+0x21/0x140
[ 1737.930336][ C2] fib_net_init+0x165/0x350
[ 1737.930470][ C2] ops_init+0x187/0x560
[ 1737.930534][ C2] setup_net+0x11b/0x3b0
[ 1737.930598][ C2] copy_net_ns+0x383/0x660
[ 1737.930683][ C2] create_new_namespaces+0x371/0xa10
[ 1737.930816][ C2] unshare_nsproxy_namespaces+0xa5/0x1d0
[ 1737.930901][ C2] ksys_unshare+0x353/0x880
[ 1737.930986][ C2] __x64_sys_unshare+0x34/0x50
[ 1737.931070][ C2] do_syscall_64+0x117/0x590
[ 1737.931209][ C2] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 1737.931315][ C2]
[ 1737.931359][ C2] Freed by task 38:
[ 1737.931425][ C2] kasan_save_stack+0x2f/0x50
[ 1737.931512][ C2] kasan_save_track+0x14/0x30
[ 1737.931644][ C2] kasan_save_free_info+0x3b/0x60
[ 1737.931729][ C2] __kasan_slab_free+0x43/0x70
[ 1737.931813][ C2] kmem_cache_free_bulk.part.0+0x1e3/0x480
[ 1737.931964][ C2] kvfree_rcu_bulk+0x1f1/0x240
[ 1737.932049][ C2] kfree_rcu_work+0x130/0x1b0
[ 1737.932138][ C2] process_one_work+0xdf8/0x1410
[ 1737.932222][ C2] worker_thread+0x4f1/0xd60
[ 1737.932353][ C2] kthread+0x367/0x460
[ 1737.932418][ C2] ret_from_fork+0x474/0x6b0
[ 1737.932502][ C2] ret_from_fork_asm+0x11/0x20
[ 1737.932587][ C2]
[ 1737.932630][ C2] Last potentially related work creation:
[ 1737.932764][ C2] kasan_save_stack+0x2f/0x50
[ 1737.932850][ C2] kasan_record_aux_stack+0x9b/0xc0
[ 1737.932937][ C2] kvfree_call_rcu+0x7e/0x5b0
[ 1737.933022][ C2] ops_undo_list+0x5be/0x8f0
[ 1737.933161][ C2] cleanup_net+0x431/0x940
[ 1737.933246][ C2] process_one_work+0xdf8/0x1410
[ 1737.933332][ C2] worker_thread+0x4f1/0xd60
[ 1737.933416][ C2] kthread+0x367/0x460
[ 1737.933530][ C2] ret_from_fork+0x474/0x6b0
[ 1737.933618][ C2] ret_from_fork_asm+0x11/0x20
[ 1737.933704][ C2]
[ 1737.933749][ C2] The buggy address belongs to the object at ff1100001062ef40
[ 1737.933749][ C2] which belongs to the cache kmalloc-192 of size 192
[ 1737.934007][ C2] The buggy address is located 128 bytes inside of
[ 1737.934007][ C2] freed 192-byte region [ff1100001062ef40, ff1100001062f000)
[ 1737.934221][ C2]
[ 1737.934313][ C2] The buggy address belongs to the physical page:
[ 1737.934419][ C2] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1062e
[ 1737.934571][ C2] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 1737.934750][ C2] flags: 0x80000000000040(head|node=0|zone=1)
[ 1737.934862][ C2] page_type: f5(slab)
[ 1737.934930][ C2] raw: 0080000000000040 ff1100000103c4c0 ffd4000000418510 ffd400000028f210
[ 1737.935137][ C2] raw: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000
[ 1737.935289][ C2] head: 0080000000000040 ff1100000103c4c0 ffd4000000418510 ffd400000028f210
[ 1737.935442][ C2] head: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000
[ 1737.935644][ C2] head: 0080000000000001 ffffffffffffff81 00000000ffffffff 00000000ffffffff
[ 1737.935795][ C2] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 1737.935994][ C2] page dumped because: kasan: bad access detected
[ 1737.936100][ C2]
[ 1737.936147][ C2] Memory state around the buggy address:
[ 1737.936231][ C2] ff1100001062ee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1737.936406][ C2] ff1100001062ef00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 1737.936530][ C2] >ff1100001062ef80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1737.936700][ C2]                                            ^
[ 1737.936805][ C2] ff1100001062f000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1737.936930][ C2] ff1100001062f080: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 1737.937099][ C2] ==================================================================
[ 1737.937272][ C2] Disabling lock debugging due to kernel taint
[ 1745.879722][T12855] ip6_gre: GRE over IPv6 tunneling driver
[ 1748.304933][ T353] ip6_tunnel: tep1 xmit: Local address not yet configured!
[ 1750.279434][ T7597] ip6_tunnel: tep1 xmit: Local address not yet configured!
[ 1751.035392][T12526] ip6_tunnel: tep1 xmit: Local address not yet configured!
[ 1753.528350][ C1] ip6_tunnel: tep0 xmit: Local address not yet configured!
[ 1755.191356][ C0] ip6_tunnel: tep0 xmit: Local address not yet configured!
[ 1756.727350][ C3] ip6_tunnel: tep0 xmit: Local address not yet configured!
[ 1758.327349][ C0] ip6_tunnel: tep0 xmit: Local address not yet configured!