[ 1713.381516][ C2] ==================================================================
[ 1713.381684][ C2] BUG: KASAN: slab-use-after-free in fib_rules_lookup+0xc66/0xc80
[ 1713.381825][ C2] Read of size 8 at addr ff11000011f032c0 by task kworker/u16:0/12
[ 1713.381955][ C2]
[ 1713.382000][ C2] CPU: 2 UID: 0 PID: 12 Comm: kworker/u16:0 Not tainted 7.1.0-rc7-virtme #1 PREEMPT(full)
[ 1713.382004][ C2] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1713.382006][ C2] Workqueue: ipv6_addrconf addrconf_dad_work
[ 1713.382011][ C2] Call Trace:
[ 1713.382012][ C2] <IRQ>
[ 1713.382014][ C2] dump_stack_lvl+0x6f/0xa0
[ 1713.382020][ C2] print_address_description.constprop.0+0x56/0x2d0
[ 1713.382025][ C2] print_report+0xfc/0x1fa
[ 1713.382026][ C2] ? __virt_addr_valid+0x102/0x440
[ 1713.382030][ C2] ? __virt_addr_valid+0x1da/0x440
[ 1713.382033][ C2] kasan_report+0x108/0x130
[ 1713.382036][ C2] ? fib_rules_lookup+0xc66/0xc80
[ 1713.382038][ C2] ? fib_rules_lookup+0xc66/0xc80
[ 1713.382041][ C2] fib_rules_lookup+0xc66/0xc80
[ 1713.382043][ C2] ? fib_nl_delrule+0x80/0x80
[ 1713.382045][ C2] ? l3mdev_update_flow+0xf8/0x550
[ 1713.382048][ C2] ? dev_get_by_index_rcu+0xe6/0x180
[ 1713.382051][ C2] __fib_lookup+0xdb/0x130
[ 1713.382053][ C2] ? fib4_rule_nlmsg_payload+0x10/0x10
[ 1713.382055][ C2] ? update_sg_lb_stats+0xc69/0x12d0
[ 1713.382059][ C2] ? mark_usage+0x61/0x170
[ 1713.382062][ C2] ip_route_input_slow+0x5eb/0x2400
[ 1713.382065][ C2] ? sync_exp_reset_tree_hotplug+0x3a0/0x3f0
[ 1713.382068][ C2] ? fib_multipath_hash+0x11b0/0x11b0
[ 1713.382073][ C2] ? rcu_is_watching+0x15/0xd0
[ 1713.382074][ C2] ? lock_acquire+0x134/0x160
[ 1713.382076][ C2] ip_route_input_noref+0x114/0x250
[ 1713.382079][ C2] ? ip_route_input_slow+0x2400/0x2400
[ 1713.382081][ C2] ? __lock_acquire+0x508/0xc10
[ 1713.382083][ C2] ip_rcv_finish_core+0x553/0x14c0
[ 1713.382086][ C2] ? __lock_release.isra.0+0x6b/0x1a0
[ 1713.382088][ C2] ip_rcv_finish+0xee/0x250
[ 1713.382090][ C2] ? process_backlog+0x561/0x1490
[ 1713.382093][ C2] ip_rcv+0xdc/0x3d0
[ 1713.382095][ C2] ? ip_local_deliver+0x4c0/0x4c0
[ 1713.382097][ C2] ? validate_chain+0x38b/0xc20
[ 1713.382098][ C2] ? validate_chain+0x38b/0xc20
[ 1713.382100][ C2] ? mark_usage+0x61/0x170
[ 1713.382102][ C2] ? __lock_acquire+0x508/0xc10
[ 1713.382103][ C2] ? debug_mutex_lock_common+0x57/0xa0
[ 1713.382105][ C2] ? process_backlog+0x561/0x1490
[ 1713.382106][ C2] __netif_receive_skb_one_core+0xfc/0x180
[ 1713.382108][ C2] ? lock_acquire.part.0+0xbc/0x260
[ 1713.382110][ C2] ? __netif_receive_skb_list_core+0x9e0/0x9e0
[ 1713.382112][ C2] ? rcu_is_watching+0x15/0xd0
[ 1713.382114][ C2] process_backlog+0x2bc/0x1490
[ 1713.382117][ C2] __napi_poll+0xa7/0x3b0
[ 1713.382119][ C2] net_rx_action+0x513/0xf50
[ 1713.382122][ C2] ? __napi_poll+0x3b0/0x3b0
[ 1713.382124][ C2] ? rcu_start_this_gp+0x270/0x490
[ 1713.382127][ C2] ? __lock_release.isra.0+0x6b/0x1a0
[ 1713.382129][ C2] ? note_gp_changes+0x158/0x1f0
[ 1713.382130][ C2] ? clockevents_program_event+0x307/0x7e0
[ 1713.382133][ C2] ? rcu_is_watching+0x15/0xd0
[ 1713.382135][ C2] ? mark_held_locks+0x40/0x70
[ 1713.382136][ C2] handle_softirqs+0x1d8/0x940
[ 1713.382140][ C2] ? _local_bh_enable+0xd0/0xd0
[ 1713.382141][ C2] ? _local_bh_enable+0xd0/0xd0
[ 1713.382143][ C2] do_softirq+0xa9/0xe0
[ 1713.382145][ C2] </IRQ>
[ 1713.382146][ C2] <TASK>
[ 1713.382146][ C2] ? __dev_queue_xmit+0x956/0x1b70
[ 1713.382148][ C2] __local_bh_enable_ip+0x113/0x140
[ 1713.382150][ C2] __dev_queue_xmit+0x96b/0x1b70
[ 1713.382152][ C2] ? __lock_acquire+0x508/0xc10
[ 1713.382154][ C2] ? find_held_lock+0x2b/0x80
[ 1713.382155][ C2] ? netdev_core_pick_tx+0x2c0/0x2c0
[ 1713.382157][ C2] ? __asan_memcpy+0x3c/0x60
[ 1713.382159][ C2] ? eth_header+0x14c/0x180
[ 1713.382162][ C2] ? neigh_resolve_output.part.0+0x344/0x740
[ 1713.382165][ C2] ip6_finish_output2+0x488/0x1310
[ 1713.382169][ C2] ? ip6_xmit+0x2000/0x2000
[ 1713.382170][ C2] ? find_held_lock+0x2b/0x80
[ 1713.382172][ C2] ? __lock_release.isra.0+0x6b/0x1a0
[ 1713.382173][ C2] ? ip6_mtu+0x174/0x410
[ 1713.382176][ C2] ip6_finish_output+0x701/0xe80
[ 1713.382178][ C2] ip6_output+0x23f/0x7f0
[ 1713.382180][ C2] ? ip6_finish_output+0xe80/0xe80
[ 1713.382182][ C2] ? lock_acquire.part.0+0xbc/0x260
[ 1713.382183][ C2] ? find_held_lock+0x2b/0x80
[ 1713.382185][ C2] ? __lock_release.isra.0+0x6b/0x1a0
[ 1713.382186][ C2] ? __local_bh_enable_ip+0xa5/0x140
[ 1713.382188][ C2] ndisc_send_skb+0xba3/0x1520
[ 1713.382192][ C2] ? ndisc_recv_na+0xf20/0xf20
[ 1713.382195][ C2] ? trace_hardirqs_off+0xd/0x30
[ 1713.382198][ C2] ? try_to_grab_pending+0x77/0x840
[ 1713.382201][ C2] ? mark_held_locks+0x40/0x70
[ 1713.382203][ C2] ndisc_send_ns+0xa9/0x120
[ 1713.382204][ C2] ? find_held_lock+0x2b/0x80
[ 1713.382206][ C2] ? ndisc_parse_options+0x30/0x30
[ 1713.382207][ C2] ? __rwlock_init+0x150/0x150
[ 1713.382209][ C2] ? mark_held_locks+0x40/0x70
[ 1713.382211][ C2] ? lockdep_hardirqs_on+0x8c/0x130
[ 1713.382214][ C2] addrconf_dad_work+0x6c2/0x930
[ 1713.382216][ C2] ? addrconf_dad_begin+0x540/0x540
[ 1713.382217][ C2] ? process_one_work+0xdb7/0x1410
[ 1713.382219][ C2] ? rcu_is_watching+0x15/0xd0
[ 1713.382221][ C2] ? rcu_is_watching+0x15/0xd0
[ 1713.382222][ C2] ? lock_acquire+0x134/0x160
[ 1713.382224][ C2] ? rcu_is_watching+0x15/0xd0
[ 1713.382228][ C2] process_one_work+0xdf8/0x1410
[ 1713.382231][ C2] ? pwq_dec_nr_in_flight+0x710/0x710
[ 1713.382233][ C2] ? lock_acquire.part.0+0xbc/0x260
[ 1713.382236][ C2] worker_thread+0x4f1/0xd60
[ 1713.382240][ C2] ? rescuer_thread+0x1320/0x1320
[ 1713.382241][ C2] kthread+0x367/0x460
[ 1713.382244][ C2] ? trace_irq_enable.constprop.0+0x9b/0x180
[ 1713.382246][ C2] ? kthread_affine_node+0x330/0x330
[ 1713.382248][ C2] ret_from_fork+0x474/0x6b0
[ 1713.382251][ C2] ? arch_exit_to_user_mode_prepare.isra.0+0x120/0x120
[ 1713.382253][ C2] ? __switch_to+0x5a3/0xe00
[ 1713.382256][ C2] ? kthread_affine_node+0x330/0x330
[ 1713.382258][ C2] ret_from_fork_asm+0x11/0x20
[ 1713.382262][ C2] </TASK>
[ 1713.382263][ C2]
[ 1713.391885][ C2] Allocated by task 7139:
[ 1713.391952][ C2] kasan_save_stack+0x2f/0x50
[ 1713.392042][ C2] kasan_save_track+0x14/0x30
[ 1713.392126][ C2] __kasan_kmalloc+0x7b/0x90
[ 1713.392211][ C2] __kmalloc_node_track_caller_noprof+0x2d6/0x7b0
[ 1713.392317][ C2] kmemdup_noprof+0x25/0x40
[ 1713.392407][ C2] fib_rules_register+0x30/0x590
[ 1713.392495][ C2] fib4_rules_init+0x21/0x140
[ 1713.392580][ C2] fib_net_init+0x165/0x350
[ 1713.392666][ C2] ops_init+0x187/0x560
[ 1713.392732][ C2] setup_net+0x11b/0x3b0
[ 1713.392796][ C2] copy_net_ns+0x383/0x660
[ 1713.392882][ C2] create_new_namespaces+0x371/0xa10
[ 1713.392969][ C2] unshare_nsproxy_namespaces+0xa5/0x1d0
[ 1713.393059][ C2] ksys_unshare+0x353/0x880
[ 1713.393148][ C2] __x64_sys_unshare+0x34/0x50
[ 1713.393233][ C2] do_syscall_64+0x117/0x590
[ 1713.393320][ C2] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 1713.393431][ C2]
[ 1713.393476][ C2] Freed by task 27437:
[ 1713.393542][ C2] kasan_save_stack+0x2f/0x50
[ 1713.393628][ C2] kasan_save_track+0x14/0x30
[ 1713.393713][ C2] kasan_save_free_info+0x3b/0x60
[ 1713.393799][ C2] __kasan_slab_free+0x43/0x70
[ 1713.393885][ C2] kmem_cache_free_bulk.part.0+0x1e3/0x480
[ 1713.393991][ C2] kvfree_rcu_bulk+0x1f1/0x240
[ 1713.394077][ C2] kfree_rcu_monitor+0x211/0x3f0
[ 1713.394162][ C2] process_one_work+0xdf8/0x1410
[ 1713.394248][ C2] worker_thread+0x4f1/0xd60
[ 1713.394335][ C2] kthread+0x367/0x460
[ 1713.394399][ C2] ret_from_fork+0x474/0x6b0
[ 1713.394489][ C2] ret_from_fork_asm+0x11/0x20
[ 1713.394575][ C2]
[ 1713.394619][ C2] Last potentially related work creation:
[ 1713.394706][ C2] kasan_save_stack+0x2f/0x50
[ 1713.394793][ C2] kasan_record_aux_stack+0x9b/0xc0
[ 1713.394878][ C2] kvfree_call_rcu+0x7e/0x5b0
[ 1713.394963][ C2] ops_undo_list+0x5be/0x8f0
[ 1713.395049][ C2] cleanup_net+0x431/0x940
[ 1713.395135][ C2] process_one_work+0xdf8/0x1410
[ 1713.395221][ C2] worker_thread+0x4f1/0xd60
[ 1713.395307][ C2] kthread+0x367/0x460
[ 1713.395372][ C2] ret_from_fork+0x474/0x6b0
[ 1713.395461][ C2] ret_from_fork_asm+0x11/0x20
[ 1713.395547][ C2]
[ 1713.395591][ C2] The buggy address belongs to the object at ff11000011f03240
[ 1713.395591][ C2] which belongs to the cache kmalloc-192 of size 192
[ 1713.395802][ C2] The buggy address is located 128 bytes inside of
[ 1713.395802][ C2] freed 192-byte region [ff11000011f03240, ff11000011f03300)
[ 1713.396010][ C2]
[ 1713.396054][ C2] The buggy address belongs to the physical page:
[ 1713.396161][ C2] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f02
[ 1713.396316][ C2] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 1713.396450][ C2] flags: 0x80000000000040(head|node=0|zone=1)
[ 1713.396562][ C2] page_type: f5(slab)
[ 1713.396630][ C2] raw: 0080000000000040 ff1100000103c4c0 ffd40000002eb010 ffd4000000572590
[ 1713.396785][ C2] raw: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000
[ 1713.396936][ C2] head: 0080000000000040 ff1100000103c4c0 ffd40000002eb010 ffd4000000572590
[ 1713.397091][ C2] head: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000
[ 1713.397243][ C2] head: 0080000000000001 ffffffffffffff81 00000000ffffffff 00000000ffffffff
[ 1713.397395][ C2] head: ff1100000fd10c40 0000000000000000 00000000ffffffff 0000000000000000
[ 1713.397550][ C2] page dumped because: kasan: bad access detected
[ 1713.397657][ C2]
[ 1713.397701][ C2] Memory state around the buggy address:
[ 1713.397786][ C2] ff11000011f03180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1713.397959][ C2] ff11000011f03200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 1713.398083][ C2] >ff11000011f03280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1713.398207][ C2]                                            ^
[ 1713.398358][ C2] ff11000011f03300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1713.398484][ C2] ff11000011f03380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 1713.398608][ C2] ==================================================================
[ 1713.398824][ C2] Disabling lock debugging due to kernel taint
[ 1714.276938][ T7264] br0: port 1(veth1) entered blocking state
[ 1714.277071][ T7264] br0: port 1(veth1) entered disabled state
[ 1714.277180][ T7264] veth1: entered allmulticast mode
[ 1714.277685][ T7264] veth1: entered promiscuous mode
[ 1714.385680][ T7269] br0: port 2(veth_segment) entered blocking state
[ 1714.385801][ T7269] br0: port 2(veth_segment) entered disabled state
[ 1714.385906][ T7269] veth_segment: entered allmulticast mode
[ 1714.386407][ T7269] veth_segment: entered promiscuous mode
[ 1714.404104][ T7270] br0: port 2(veth_segment) entered blocking state
[ 1714.404218][ T7270] br0: port 2(veth_segment) entered forwarding state
[ 1714.404390][ T7270] br0: port 1(veth1) entered blocking state
[ 1714.404490][ T7270] br0: port 1(veth1) entered forwarding state
[ 1714.425815][ T46] br0: port 2(veth_segment) entered disabled state
[ 1714.427067][ T46] br0: port 2(veth_segment) entered blocking state
[ 1714.427166][ T46] br0: port 2(veth_segment) entered forwarding state
[ 1716.633982][ T69] br0: port 1(veth1) entered disabled state
[ 1716.639435][ T69] veth1 (unregistering): left allmulticast mode
[ 1716.639539][ T69] veth1 (unregistering): left promiscuous mode
[ 1716.639638][ T69] br0: port 1(veth1) entered disabled state
[ 1716.664502][ T69] veth_segment: left allmulticast mode
[ 1716.664591][ T69] veth_segment: left promiscuous mode
[ 1716.664720][ T69] br0: port 2(veth_segment) entered disabled state
[ 1729.115435][ T7676] br0: port 1(veth1) entered blocking state
[ 1729.115569][ T7676] br0: port 1(veth1) entered disabled state
[ 1729.115677][ T7676] veth1: entered allmulticast mode
[ 1729.116165][ T7676] veth1: entered promiscuous mode
[ 1729.219997][ T7681] br0: port 2(veth_segment) entered blocking state
[ 1729.220113][ T7681] br0: port 2(veth_segment) entered disabled state
[ 1729.220215][ T7681] veth_segment: entered allmulticast mode
[ 1729.220709][ T7681] veth_segment: entered promiscuous mode
[ 1729.242271][ T7682] br0: port 2(veth_segment) entered blocking state
[ 1729.242413][ T7682] br0: port 2(veth_segment) entered forwarding state
[ 1729.242637][ T7682] br0: port 1(veth1) entered blocking state
[ 1729.242774][ T7682] br0: port 1(veth1) entered forwarding state
[ 1731.476146][ T69] br0: port 1(veth1) entered disabled state
[ 1731.483432][ T69] veth1 (unregistering): left allmulticast mode
[ 1731.483543][ T69] veth1 (unregistering): left promiscuous mode
[ 1731.483638][ T69] br0: port 1(veth1) entered disabled state
[ 1731.508820][ T69] veth_segment: left allmulticast mode
[ 1731.508946][ T69] veth_segment: left promiscuous mode
[ 1731.509128][ T69] br0: port 2(veth_segment) entered disabled state