[ 1676.694635][ C2] ==================================================================
[ 1676.694814][ C2] BUG: KASAN: slab-use-after-free in fib_rules_lookup+0xc66/0xc80
[ 1676.694952][ C2] Read of size 8 at addr ff1100000a1729c0 by task kworker/u16:1/67
[ 1676.695082][ C2]
[ 1676.695133][ C2] CPU: 2 UID: 0 PID: 67 Comm: kworker/u16:1 Not tainted 7.1.0-rc7-virtme #1 PREEMPT(full)
[ 1676.695137][ C2] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1676.695139][ C2] Workqueue: ipv6_addrconf addrconf_dad_work
[ 1676.695144][ C2] Call Trace:
[ 1676.695146][ C2]  <IRQ>
[ 1676.695148][ C2]  dump_stack_lvl+0x6f/0xa0
[ 1676.695153][ C2]  print_address_description.constprop.0+0x56/0x2d0
[ 1676.695157][ C2]  print_report+0xfc/0x1fa
[ 1676.695159][ C2]  ? __virt_addr_valid+0x102/0x440
[ 1676.695164][ C2]  ? __virt_addr_valid+0x1da/0x440
[ 1676.695166][ C2]  kasan_report+0x108/0x130
[ 1676.695170][ C2]  ? fib_rules_lookup+0xc66/0xc80
[ 1676.695172][ C2]  ? fib_rules_lookup+0xc66/0xc80
[ 1676.695174][ C2]  fib_rules_lookup+0xc66/0xc80
[ 1676.695176][ C2]  ? fib_nl_delrule+0x80/0x80
[ 1676.695178][ C2]  ? l3mdev_update_flow+0xf8/0x550
[ 1676.695181][ C2]  ? dev_get_by_index_rcu+0xe6/0x180
[ 1676.695184][ C2]  __fib_lookup+0xdb/0x130
[ 1676.695186][ C2]  ? fib4_rule_nlmsg_payload+0x10/0x10
[ 1676.695189][ C2]  ip_route_input_slow+0x5eb/0x2400
[ 1676.695193][ C2]  ? fib_multipath_hash+0x11b0/0x11b0
[ 1676.695197][ C2]  ? rcu_is_watching+0x15/0xd0
[ 1676.695201][ C2]  ? lock_acquire+0x134/0x160
[ 1676.695204][ C2]  ip_route_input_noref+0x114/0x250
[ 1676.695206][ C2]  ? ip_route_input_slow+0x2400/0x2400
[ 1676.695209][ C2]  ? __lock_release.isra.0+0x6b/0x1a0
[ 1676.695211][ C2]  ip_rcv_finish_core+0x553/0x14c0
[ 1676.695214][ C2]  ip_rcv_finish+0xee/0x250
[ 1676.695216][ C2]  ? process_backlog+0x561/0x1490
[ 1676.695219][ C2]  ip_rcv+0xdc/0x3d0
[ 1676.695221][ C2]  ? ip_local_deliver+0x4c0/0x4c0
[ 1676.695223][ C2]  ? validate_chain+0x38b/0xc20
[ 1676.695225][ C2]  ? mark_usage+0x61/0x170
[ 1676.695226][ C2]  ? __lock_acquire+0x508/0xc10
[ 1676.695228][ C2]  ? debug_mutex_lock_common+0x57/0xa0
[ 1676.695230][ C2]  __netif_receive_skb_one_core+0xfc/0x180
[ 1676.695232][ C2]  ? lock_acquire.part.0+0xbc/0x260
[ 1676.695233][ C2]  ? __netif_receive_skb_list_core+0x9e0/0x9e0
[ 1676.695235][ C2]  ? rcu_is_watching+0x15/0xd0
[ 1676.695238][ C2]  process_backlog+0x2bc/0x1490
[ 1676.695241][ C2]  __napi_poll+0xa7/0x3b0
[ 1676.695243][ C2]  net_rx_action+0x513/0xf50
[ 1676.695245][ C2]  ? __napi_poll+0x3b0/0x3b0
[ 1676.695248][ C2]  ? find_held_lock+0x2b/0x80
[ 1676.695251][ C2]  ? mark_held_locks+0x40/0x70
[ 1676.695253][ C2]  handle_softirqs+0x1d8/0x940
[ 1676.695256][ C2]  ? rcu_is_watching+0x15/0xd0
[ 1676.695258][ C2]  ? _local_bh_enable+0xd0/0xd0
[ 1676.695259][ C2]  ? trace_csd_function_exit+0xb3/0x1a0
[ 1676.695262][ C2]  ? rcu_is_watching+0x15/0xd0
[ 1676.695264][ C2]  do_softirq+0xa9/0xe0
[ 1676.695266][ C2]  </IRQ>
[ 1676.695266][ C2]  <TASK>
[ 1676.695267][ C2]  ? __dev_queue_xmit+0x956/0x1b70
[ 1676.695268][ C2]  __local_bh_enable_ip+0x113/0x140
[ 1676.695270][ C2]  __dev_queue_xmit+0x96b/0x1b70
[ 1676.695272][ C2]  ? __lock_acquire+0x508/0xc10
[ 1676.695274][ C2]  ? find_held_lock+0x2b/0x80
[ 1676.695276][ C2]  ? netdev_core_pick_tx+0x2c0/0x2c0
[ 1676.695278][ C2]  ? __asan_memcpy+0x3c/0x60
[ 1676.695280][ C2]  ? eth_header+0x14c/0x180
[ 1676.695282][ C2]  ? neigh_resolve_output.part.0+0x344/0x740
[ 1676.695286][ C2]  ip6_finish_output2+0x488/0x1310
[ 1676.695289][ C2]  ? ip6_xmit+0x2130/0x2130
[ 1676.695290][ C2]  ? find_held_lock+0x2b/0x80
[ 1676.695292][ C2]  ? __lock_release.isra.0+0x6b/0x1a0
[ 1676.695294][ C2]  ? ip6_mtu+0x174/0x410
[ 1676.695296][ C2]  ip6_finish_output+0x701/0xe80
[ 1676.695298][ C2]  ip6_output+0x23f/0x7f0
[ 1676.695300][ C2]  ? ip6_finish_output+0xe80/0xe80
[ 1676.695302][ C2]  ? lock_acquire.part.0+0xbc/0x260
[ 1676.695303][ C2]  ? find_held_lock+0x2b/0x80
[ 1676.695305][ C2]  ? __lock_release.isra.0+0x6b/0x1a0
[ 1676.695306][ C2]  ? __local_bh_enable_ip+0xa5/0x140
[ 1676.695308][ C2]  ndisc_send_skb+0xba3/0x1520
[ 1676.695312][ C2]  ? ndisc_recv_na+0xf20/0xf20
[ 1676.695315][ C2]  ? trace_hardirqs_off+0xd/0x30
[ 1676.695318][ C2]  ? try_to_grab_pending+0x77/0x840
[ 1676.695321][ C2]  ? mark_held_locks+0x40/0x70
[ 1676.695323][ C2]  ndisc_send_ns+0xa9/0x120
[ 1676.695324][ C2]  ? find_held_lock+0x2b/0x80
[ 1676.695326][ C2]  ? ndisc_parse_options+0x30/0x30
[ 1676.695327][ C2]  ? __rwlock_init+0x150/0x150
[ 1676.695329][ C2]  ? mark_held_locks+0x40/0x70
[ 1676.695331][ C2]  ? lockdep_hardirqs_on+0x8c/0x130
[ 1676.695333][ C2]  addrconf_dad_work+0x6c2/0x930
[ 1676.695335][ C2]  ? addrconf_dad_begin+0x540/0x540
[ 1676.695336][ C2]  ? process_one_work+0xdb7/0x1410
[ 1676.695339][ C2]  ? rcu_is_watching+0x15/0xd0
[ 1676.695340][ C2]  ? rcu_is_watching+0x15/0xd0
[ 1676.695342][ C2]  ? lock_acquire+0x134/0x160
[ 1676.695343][ C2]  ? rcu_is_watching+0x15/0xd0
[ 1676.695345][ C2]  process_one_work+0xdf8/0x1410
[ 1676.695348][ C2]  ? pwq_dec_nr_in_flight+0x710/0x710
[ 1676.695350][ C2]  ? lock_acquire.part.0+0xbc/0x260
[ 1676.695353][ C2]  worker_thread+0x4f1/0xd60
[ 1676.695356][ C2]  ? rescuer_thread+0x1320/0x1320
[ 1676.695358][ C2]  kthread+0x367/0x460
[ 1676.695360][ C2]  ? trace_irq_enable.constprop.0+0x9b/0x180
[ 1676.695362][ C2]  ? kthread_affine_node+0x330/0x330
[ 1676.695364][ C2]  ret_from_fork+0x474/0x6b0
[ 1676.695367][ C2]  ? arch_exit_to_user_mode_prepare.isra.0+0x120/0x120
[ 1676.695369][ C2]  ? __switch_to+0x5a3/0xe00
[ 1676.695371][ C2]  ? kthread_affine_node+0x330/0x330
[ 1676.695373][ C2]  ret_from_fork_asm+0x11/0x20
[ 1676.695377][ C2]  </TASK>
[ 1676.695378][ C2]
[ 1676.704348][ C2] Allocated by task 2103:
[ 1676.704416][ C2]  kasan_save_stack+0x2f/0x50
[ 1676.704506][ C2]  kasan_save_track+0x14/0x30
[ 1676.704596][ C2]  __kasan_kmalloc+0x7b/0x90
[ 1676.704685][ C2]  __kmalloc_node_track_caller_noprof+0x2d6/0x7b0
[ 1676.704793][ C2]  kmemdup_noprof+0x25/0x40
[ 1676.704881][ C2]  fib_rules_register+0x30/0x590
[ 1676.704968][ C2]  fib4_rules_init+0x21/0x140
[ 1676.705057][ C2]  fib_net_init+0x165/0x350
[ 1676.705143][ C2]  ops_init+0x187/0x560
[ 1676.705209][ C2]  setup_net+0x11b/0x3b0
[ 1676.705273][ C2]  copy_net_ns+0x383/0x660
[ 1676.705360][ C2]  create_new_namespaces+0x371/0xa10
[ 1676.705446][ C2]  unshare_nsproxy_namespaces+0xa5/0x1d0
[ 1676.705533][ C2]  ksys_unshare+0x353/0x880
[ 1676.705626][ C2]  __x64_sys_unshare+0x34/0x50
[ 1676.705713][ C2]  do_syscall_64+0x117/0x590
[ 1676.705801][ C2]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 1676.705910][ C2]
[ 1676.705954][ C2] Freed by task 1725:
[ 1676.706021][ C2]  kasan_save_stack+0x2f/0x50
[ 1676.706107][ C2]  kasan_save_track+0x14/0x30
[ 1676.706192][ C2]  kasan_save_free_info+0x3b/0x60
[ 1676.706280][ C2]  __kasan_slab_free+0x43/0x70
[ 1676.706366][ C2]  kmem_cache_free_bulk.part.0+0x1e3/0x480
[ 1676.706473][ C2]  kvfree_rcu_bulk+0x1f1/0x240
[ 1676.706565][ C2]  kfree_rcu_work+0x130/0x1b0
[ 1676.706651][ C2]  process_one_work+0xdf8/0x1410
[ 1676.706737][ C2]  worker_thread+0x4f1/0xd60
[ 1676.706824][ C2]  kthread+0x367/0x460
[ 1676.706889][ C2]  ret_from_fork+0x474/0x6b0
[ 1676.706977][ C2]  ret_from_fork_asm+0x11/0x20
[ 1676.707065][ C2]
[ 1676.707109][ C2] Last potentially related work creation:
[ 1676.707195][ C2]  kasan_save_stack+0x2f/0x50
[ 1676.707283][ C2]  kasan_record_aux_stack+0x9b/0xc0
[ 1676.707369][ C2]  kvfree_call_rcu+0x7e/0x5b0
[ 1676.707456][ C2]  ops_undo_list+0x5be/0x8f0
[ 1676.707543][ C2]  cleanup_net+0x431/0x940
[ 1676.707635][ C2]  process_one_work+0xdf8/0x1410
[ 1676.707722][ C2]  worker_thread+0x4f1/0xd60
[ 1676.707808][ C2]  kthread+0x367/0x460
[ 1676.707874][ C2]  ret_from_fork+0x474/0x6b0
[ 1676.707963][ C2]  ret_from_fork_asm+0x11/0x20
[ 1676.708050][ C2]
[ 1676.708095][ C2] The buggy address belongs to the object at ff1100000a172940
[ 1676.708095][ C2]  which belongs to the cache kmalloc-192 of size 192
[ 1676.708307][ C2] The buggy address is located 128 bytes inside of
[ 1676.708307][ C2]  freed 192-byte region [ff1100000a172940, ff1100000a172a00)
[ 1676.708519][ C2]
[ 1676.708566][ C2] The buggy address belongs to the physical page:
[ 1676.708674][ C2] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa172
[ 1676.708832][ C2] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 1676.708962][ C2] flags: 0x80000000000040(head|node=0|zone=1)
[ 1676.709075][ C2] page_type: f5(slab)
[ 1676.709146][ C2] raw: 0080000000000040 ff1100000103c4c0 ffd40000006e4e90 ffd40000002a3590
[ 1676.709302][ C2] raw: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000
[ 1676.709456][ C2] head: 0080000000000040 ff1100000103c4c0 ffd40000006e4e90 ffd40000002a3590
[ 1676.709615][ C2] head: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000
[ 1676.709769][ C2] head: 0080000000000001 ffffffffffffff81 00000000ffffffff 00000000ffffffff
[ 1676.709922][ C2] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 1676.710076][ C2] page dumped because: kasan: bad access detected
[ 1676.710186][ C2]
[ 1676.710230][ C2] Memory state around the buggy address:
[ 1676.710316][ C2]  ff1100000a172880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1676.710445][ C2]  ff1100000a172900: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 1676.710575][ C2] >ff1100000a172980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1676.710702][ C2]                                            ^
[ 1676.710813][ C2]  ff1100000a172a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1676.710940][ C2]  ff1100000a172a80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 1676.711068][ C2] ==================================================================
[ 1676.711241][ C2] Disabling lock debugging due to kernel taint
[ 1677.628239][ T2219] udpgso_bench_tx (2219) used greatest stack depth: 22592 bytes left
[ 1702.460046][ T3143] udpgso_bench_tx (3143) used greatest stack depth: 21488 bytes left
[ 1711.086560][ T3426] udpgso_bench_tx (3426) used greatest stack depth: 21440 bytes left
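The report above is raw dmesg. When triaging one of these (or a batch of them from a CI run) it helps to pull the fields out mechanically and re-check the arithmetic the report states: that the faulting address really is 128 bytes into the named object, that the access lies inside the freed region, and what the shadow byte at that address says. The script below is an added example written for this page; it is not part of the report, the kernel's own tooling, or any project's code. The sample input is a trimmed, reflowed copy of the lines above. The section keys, the list of allocator/KASAN "plumbing" frames to skip, and the shadow-byte legend (0xfa, 0xfb, 0xfc as generic KASAN uses them) are this script's own choices.

```python
"""Parse a generic-KASAN slab-use-after-free report and re-check what it states.
Added example for this page, not kernel tooling; the section keys, INTERNAL
prefix list and shadow-byte legend are this script's own choices."""
import re

# Sample input: a trimmed copy of the report above, reflowed one entry per line.
REPORT = """\
[ 1676.694814][ C2] BUG: KASAN: slab-use-after-free in fib_rules_lookup+0xc66/0xc80
[ 1676.694952][ C2] Read of size 8 at addr ff1100000a1729c0 by task kworker/u16:1/67
[ 1676.695144][ C2] Call Trace:
[ 1676.695166][ C2]  kasan_report+0x108/0x130
[ 1676.695170][ C2]  ? fib_rules_lookup+0xc66/0xc80
[ 1676.695174][ C2]  fib_rules_lookup+0xc66/0xc80
[ 1676.695378][ C2]
[ 1676.704348][ C2] Allocated by task 2103:
[ 1676.704416][ C2]  kasan_save_stack+0x2f/0x50
[ 1676.704793][ C2]  kmemdup_noprof+0x25/0x40
[ 1676.704881][ C2]  fib_rules_register+0x30/0x590
[ 1676.705910][ C2]
[ 1676.705954][ C2] Freed by task 1725:
[ 1676.706021][ C2]  kasan_save_stack+0x2f/0x50
[ 1676.706565][ C2]  kfree_rcu_work+0x130/0x1b0
[ 1676.707065][ C2]
[ 1676.707109][ C2] Last potentially related work creation:
[ 1676.707369][ C2]  kvfree_call_rcu+0x7e/0x5b0
[ 1676.707456][ C2]  ops_undo_list+0x5be/0x8f0
[ 1676.708050][ C2]
[ 1676.708095][ C2] The buggy address belongs to the object at ff1100000a172940
[ 1676.708095][ C2]  which belongs to the cache kmalloc-192 of size 192
[ 1676.708307][ C2] The buggy address is located 128 bytes inside of
[ 1676.708307][ C2]  freed 192-byte region [ff1100000a172940, ff1100000a172a00)
[ 1676.710575][ C2] >ff1100000a172980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1676.710813][ C2]  ff1100000a172a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*[CT]\d+\]\s?")            # "[ 1676.694814][ C2] "
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # "? " marks an unreliable frame
# Stack sections, keyed by the first word of their header: call, allocated, freed, last
SECTION = re.compile(r"^(Call Trace|Allocated by task (\d+)|Freed by task (\d+)|"
                     r"Last potentially related work creation):$")
GRANULE = 8   # bytes of memory covered by one generic-KASAN shadow byte
SHADOW = {0x00: "accessible", 0xfa: "freed object (free meta)",
          0xfb: "freed object", 0xfc: "slab redzone"}
# Allocator/KASAN plumbing to skip when asking "who really allocated or freed this?"
INTERNAL = ("kasan_", "__kasan", "__kmalloc", "kmemdup", "kmem_cache", "kvfree", "kfree_rcu")

def parse_kasan_report(text):
    rep, section = {"stacks": {}, "shadow": {}}, None
    for raw in text.splitlines():
        ln = PREFIX.sub("", raw).strip()
        if not ln:                            # a blank line ends the current stack section
            section = None
        elif m := SECTION.match(ln):
            section, pid = m.group(1).split()[0].lower(), m.group(2) or m.group(3)
            rep["stacks"][section] = {"pid": int(pid) if pid else None, "frames": []}
        elif section and (m := FRAME.match(ln)):
            if not m.group(1):                # keep only reliable frames
                rep["stacks"][section]["frames"].append(m.group(2))
        elif m := re.match(r"BUG: KASAN: (\S+) in (\S+)$", ln):
            rep["bug"], rep["site"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)$", ln):
            rep["access"], rep["size"], rep["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
            rep["task"], rep["pid"] = m.group(4), int(m.group(5))
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)$", ln):
            rep["object"] = int(m.group(1), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)$", ln):
            rep["cache"], rep["object_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of$", ln):
            rep["stated_offset"] = int(m.group(1))
        elif m := re.match(r"(freed )?\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)$", ln):
            rep["region_freed"] = bool(m.group(1))
            rep["region"] = (int(m.group(2), 16), int(m.group(3), 16))
        elif m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$", ln):
            rep["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rep

def shadow_byte_at(rep, addr):
    """Shadow byte covering addr, read from the 'Memory state' rows (None if absent)."""
    for base, row in rep["shadow"].items():
        if base <= addr < base + GRANULE * len(row):
            return row[(addr - base) // GRANULE]
    return None

def first_caller(frames):
    """First frame that is not allocator/KASAN plumbing."""
    return next((f for f in frames if not f.startswith(INTERNAL)), None)

def check_report(rep):
    """Recompute the figures the report states and name the real alloc/free sites."""
    s, (start, end) = rep["stacks"], rep["region"]
    offset = rep["addr"] - rep["object"]
    shadow = shadow_byte_at(rep, rep["addr"])
    return {"offset": offset, "offset_matches": offset == rep["stated_offset"],
            "access_in_region": start <= rep["addr"] and rep["addr"] + rep["size"] <= end,
            "region_freed": rep["region_freed"],
            "shadow": shadow, "shadow_meaning": SHADOW.get(shadow, "other"),
            "allocated_by": first_caller(s["allocated"]["frames"]),
            # for kfree_rcu frees the call that queued the free is the informative one
            "freed_via": first_caller((s.get("last") or s["freed"])["frames"])}

if __name__ == "__main__":
    print(check_report(parse_kasan_report(REPORT)))
```

Feed it a full dmesg capture and the same functions apply; the extra `?` frames, `<IRQ>`/`<TASK>` markers and page-dump lines are simply ignored. Two things to read off the result: the shadow byte under the faulting address is 0xfb (freed object, not a redzone), so this is a genuine use-after-free rather than an out-of-bounds access that happened to land in freed memory; and because the free went through kfree_rcu, the "Freed by" stack only shows the RCU callback worker, so the "Last potentially related work creation" stack (here ops_undo_list from cleanup_net) is the one that identifies which teardown path released the object.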