[ 1564.469023][ C3] ==================================================================
[ 1564.469205][ C3] BUG: KASAN: slab-use-after-free in fib_rules_lookup+0xc66/0xc80
[ 1564.469353][ C3] Read of size 8 at addr ff110000164409c0 by task kworker/u16:1/67
[ 1564.469498][ C3]
[ 1564.469547][ C3] CPU: 3 UID: 0 PID: 67 Comm: kworker/u16:1 Not tainted 7.1.0-rc7-virtme #1 PREEMPT(full)
[ 1564.469551][ C3] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1564.469553][ C3] Workqueue: ipv6_addrconf addrconf_dad_work
[ 1564.469559][ C3] Call Trace:
[ 1564.469560][ C3]
[ 1564.469562][ C3] dump_stack_lvl+0x6f/0xa0
[ 1564.469567][ C3] print_address_description.constprop.0+0x56/0x2d0
[ 1564.469572][ C3] print_report+0xfc/0x1fa
[ 1564.469574][ C3] ? __virt_addr_valid+0x102/0x440
[ 1564.469578][ C3] ? __virt_addr_valid+0x1da/0x440
[ 1564.469581][ C3] kasan_report+0x108/0x130
[ 1564.469584][ C3] ? fib_rules_lookup+0xc66/0xc80
[ 1564.469586][ C3] ? fib_rules_lookup+0xc66/0xc80
[ 1564.469589][ C3] fib_rules_lookup+0xc66/0xc80
[ 1564.469591][ C3] ? fib_nl_delrule+0x80/0x80
[ 1564.469593][ C3] ? l3mdev_update_flow+0xf8/0x550
[ 1564.469596][ C3] ? dev_get_by_index_rcu+0xe6/0x180
[ 1564.469599][ C3] __fib_lookup+0xdb/0x130
[ 1564.469602][ C3] ? fib4_rule_nlmsg_payload+0x10/0x10
[ 1564.469605][ C3] ip_route_input_slow+0x5eb/0x2400
[ 1564.469608][ C3] ? unwind_next_frame+0x69b/0x1ea0
[ 1564.469610][ C3] ? ret_from_fork_asm+0x11/0x20
[ 1564.469613][ C3] ? fib_multipath_hash+0x11b0/0x11b0
[ 1564.469615][ C3] ? stack_access_ok+0x1e0/0x1e0
[ 1564.469618][ C3] ? rcu_is_watching+0x15/0xd0
[ 1564.469622][ C3] ? find_held_lock+0x2b/0x80
[ 1564.469624][ C3] ? lock_acquire+0x134/0x160
[ 1564.469626][ C3] ip_route_input_noref+0x114/0x250
[ 1564.469629][ C3] ? ip_route_input_slow+0x2400/0x2400
[ 1564.469631][ C3] ? __lock_release.isra.0+0x6b/0x1a0
[ 1564.469633][ C3] ip_rcv_finish_core+0x553/0x14c0
[ 1564.469636][ C3] ip_rcv_finish+0xee/0x250
[ 1564.469639][ C3] ? process_backlog+0x561/0x1490
[ 1564.469641][ C3] ip_rcv+0xdc/0x3d0
[ 1564.469643][ C3] ? ip_local_deliver+0x4c0/0x4c0
[ 1564.469645][ C3] ? validate_chain+0x38b/0xc20
[ 1564.469647][ C3] ? mark_usage+0x61/0x170
[ 1564.469649][ C3] ? __lock_acquire+0x508/0xc10
[ 1564.469651][ C3] __netif_receive_skb_one_core+0xfc/0x180
[ 1564.469653][ C3] ? lock_acquire.part.0+0xbc/0x260
[ 1564.469655][ C3] ? __netif_receive_skb_list_core+0x9e0/0x9e0
[ 1564.469657][ C3] ? rcu_is_watching+0x15/0xd0
[ 1564.469659][ C3] process_backlog+0x2bc/0x1490
[ 1564.469662][ C3] __napi_poll+0xa7/0x3b0
[ 1564.469664][ C3] net_rx_action+0x513/0xf50
[ 1564.469667][ C3] ? __napi_poll+0x3b0/0x3b0
[ 1564.469669][ C3] ? do_raw_spin_unlock+0x59/0x250
[ 1564.469672][ C3] ? debug_object_activate+0x329/0x4b0
[ 1564.469676][ C3] ? rcu_barrier_entrain+0x270/0x270
[ 1564.469678][ C3] ? find_held_lock+0x2b/0x80
[ 1564.469679][ C3] ? mark_held_locks+0x40/0x70
[ 1564.469681][ C3] handle_softirqs+0x1d8/0x940
[ 1564.469683][ C3] ? rcu_is_watching+0x15/0xd0
[ 1564.469685][ C3] ? _raw_spin_unlock+0x2d/0x50
[ 1564.469688][ C3] ? _local_bh_enable+0xd0/0xd0
[ 1564.469690][ C3] ? rcu_is_watching+0x15/0xd0
[ 1564.469692][ C3] do_softirq+0xa9/0xe0
[ 1564.469694][ C3]
[ 1564.469694][ C3]
[ 1564.469695][ C3] ? __dev_queue_xmit+0x956/0x1b70
[ 1564.469697][ C3] __local_bh_enable_ip+0x113/0x140
[ 1564.469699][ C3] __dev_queue_xmit+0x96b/0x1b70
[ 1564.469701][ C3] ? __lock_acquire+0x508/0xc10
[ 1564.469703][ C3] ? find_held_lock+0x2b/0x80
[ 1564.469704][ C3] ? netdev_core_pick_tx+0x2c0/0x2c0
[ 1564.469706][ C3] ? __asan_memcpy+0x3c/0x60
[ 1564.469709][ C3] ? eth_header+0x14c/0x180
[ 1564.469711][ C3] ? neigh_resolve_output.part.0+0x344/0x740
[ 1564.469714][ C3] ip6_finish_output2+0x488/0x1310
[ 1564.469718][ C3] ? ip6_xmit+0x2000/0x2000
[ 1564.469720][ C3] ? find_held_lock+0x2b/0x80
[ 1564.469721][ C3] ? __lock_release.isra.0+0x6b/0x1a0
[ 1564.469723][ C3] ? ip6_mtu+0x174/0x410
[ 1564.469725][ C3] ip6_finish_output+0x701/0xe80
[ 1564.469728][ C3] ip6_output+0x23f/0x7f0
[ 1564.469730][ C3] ? ip6_finish_output+0xe80/0xe80
[ 1564.469732][ C3] ? lock_acquire.part.0+0xbc/0x260
[ 1564.469733][ C3] ? find_held_lock+0x2b/0x80
[ 1564.469735][ C3] ? __lock_release.isra.0+0x6b/0x1a0
[ 1564.469736][ C3] ? __local_bh_enable_ip+0xa5/0x140
[ 1564.469738][ C3] ndisc_send_skb+0xba3/0x1520
[ 1564.469741][ C3] ? ndisc_recv_na+0xf20/0xf20
[ 1564.469744][ C3] ? mod_delayed_work_on+0x109/0x120
[ 1564.469748][ C3] ndisc_send_ns+0xa9/0x120
[ 1564.469749][ C3] ? find_held_lock+0x2b/0x80
[ 1564.469751][ C3] ? ndisc_parse_options+0x30/0x30
[ 1564.469752][ C3] ? __rwlock_init+0x150/0x150
[ 1564.469754][ C3] ? mark_held_locks+0x40/0x70
[ 1564.469756][ C3] ? lockdep_hardirqs_on+0x8c/0x130
[ 1564.469758][ C3] addrconf_dad_work+0x6c2/0x930
[ 1564.469760][ C3] ? addrconf_dad_begin+0x540/0x540
[ 1564.469761][ C3] ? process_one_work+0xdb7/0x1410
[ 1564.469763][ C3] ? rcu_is_watching+0x15/0xd0
[ 1564.469765][ C3] ? rcu_is_watching+0x15/0xd0
[ 1564.469767][ C3] ? lock_acquire+0x134/0x160
[ 1564.469768][ C3] ? rcu_is_watching+0x15/0xd0
[ 1564.469770][ C3] process_one_work+0xdf8/0x1410
[ 1564.469773][ C3] ? pwq_dec_nr_in_flight+0x710/0x710
[ 1564.469775][ C3] ? lock_acquire.part.0+0xbc/0x260
[ 1564.469777][ C3] ? find_held_lock+0x2b/0x80
[ 1564.469779][ C3] worker_thread+0x4f1/0xd60
[ 1564.469782][ C3] ? rescuer_thread+0x1320/0x1320
[ 1564.469784][ C3] kthread+0x367/0x460
[ 1564.469787][ C3] ? trace_irq_enable.constprop.0+0x9b/0x180
[ 1564.469790][ C3] ? kthread_affine_node+0x330/0x330
[ 1564.469792][ C3] ret_from_fork+0x474/0x6b0
[ 1564.469795][ C3] ? arch_exit_to_user_mode_prepare.isra.0+0x120/0x120
[ 1564.469797][ C3] ? __switch_to+0x5a3/0xe00
[ 1564.469800][ C3] ? kthread_affine_node+0x330/0x330
[ 1564.469802][ C3] ret_from_fork_asm+0x11/0x20
[ 1564.469805][ C3]
[ 1564.469806][ C3]
[ 1564.480059][ C3] Allocated by task 23084:
[ 1564.480159][ C3] kasan_save_stack+0x2f/0x50
[ 1564.480258][ C3] kasan_save_track+0x14/0x30
[ 1564.480354][ C3] __kasan_kmalloc+0x7b/0x90
[ 1564.480442][ C3] __kmalloc_node_track_caller_noprof+0x2d6/0x7b0
[ 1564.480558][ C3] kmemdup_noprof+0x25/0x40
[ 1564.480650][ C3] fib_rules_register+0x30/0x590
[ 1564.480739][ C3] fib4_rules_init+0x21/0x140
[ 1564.480838][ C3] fib_net_init+0x165/0x350
[ 1564.480929][ C3] ops_init+0x187/0x560
[ 1564.481001][ C3] setup_net+0x11b/0x3b0
[ 1564.481068][ C3] copy_net_ns+0x383/0x660
[ 1564.481157][ C3] create_new_namespaces+0x371/0xa10
[ 1564.481257][ C3] unshare_nsproxy_namespaces+0xa5/0x1d0
[ 1564.481351][ C3] ksys_unshare+0x353/0x880
[ 1564.481440][ C3] __x64_sys_unshare+0x34/0x50
[ 1564.481529][ C3] do_syscall_64+0x117/0x590
[ 1564.481619][ C3] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 1564.481732][ C3]
[ 1564.481778][ C3] Freed by task 37:
[ 1564.481846][ C3] kasan_save_stack+0x2f/0x50
[ 1564.481938][ C3] kasan_save_track+0x14/0x30
[ 1564.482025][ C3] kasan_save_free_info+0x3b/0x60
[ 1564.482114][ C3] __kasan_slab_free+0x43/0x70
[ 1564.482207][ C3] kmem_cache_free_bulk.part.0+0x1e3/0x480
[ 1564.482315][ C3] kvfree_rcu_bulk+0x1f1/0x240
[ 1564.482411][ C3] kfree_rcu_work+0x130/0x1b0
[ 1564.482504][ C3] process_one_work+0xdf8/0x1410
[ 1564.482599][ C3] worker_thread+0x4f1/0xd60
[ 1564.482688][ C3] kthread+0x367/0x460
[ 1564.482756][ C3] ret_from_fork+0x474/0x6b0
[ 1564.482844][ C3] ret_from_fork_asm+0x11/0x20
[ 1564.482937][ C3]
[ 1564.482984][ C3] Last potentially related work creation:
[ 1564.483080][ C3] kasan_save_stack+0x2f/0x50
[ 1564.483170][ C3] kasan_record_aux_stack+0x9b/0xc0
[ 1564.483264][ C3] kvfree_call_rcu+0x7e/0x5b0
[ 1564.483355][ C3] ops_undo_list+0x5be/0x8f0
[ 1564.483458][ C3] cleanup_net+0x431/0x940
[ 1564.483567][ C3] process_one_work+0xdf8/0x1410
[ 1564.483697][ C3] worker_thread+0x4f1/0xd60
[ 1564.483820][ C3] kthread+0x367/0x460
[ 1564.483919][ C3] ret_from_fork+0x474/0x6b0
[ 1564.484045][ C3] ret_from_fork_asm+0x11/0x20
[ 1564.484176][ C3]
[ 1564.484241][ C3] The buggy address belongs to the object at ff11000016440940
[ 1564.484241][ C3]  which belongs to the cache kmalloc-192 of size 192
[ 1564.484558][ C3] The buggy address is located 128 bytes inside of
[ 1564.484558][ C3]  freed 192-byte region [ff11000016440940, ff11000016440a00)
[ 1564.484876][ C3]
[ 1564.484943][ C3] The buggy address belongs to the physical page:
[ 1564.485078][ C3] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16440
[ 1564.485238][ C3] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 1564.485380][ C3] flags: 0x80000000000040(head|node=0|zone=1)
[ 1564.485496][ C3] page_type: f5(slab)
[ 1564.485567][ C3] raw: 0080000000000040 ff1100000103c4c0 ffd400000031a810 ffd4000000345010
[ 1564.485732][ C3] raw: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000
[ 1564.485889][ C3] head: 0080000000000040 ff1100000103c4c0 ffd400000031a810 ffd4000000345010
[ 1564.486067][ C3] head: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000
[ 1564.486224][ C3] head: 0080000000000001 ffffffffffffff81 00000000ffffffff 00000000ffffffff
[ 1564.486394][ C3] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 1564.486550][ C3] page dumped because: kasan: bad access detected
[ 1564.486665][ C3]
[ 1564.486710][ C3] Memory state around the buggy address:
[ 1564.486799][ C3]  ff11000016440880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1564.486938][ C3]  ff11000016440900: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 1564.487071][ C3] >ff11000016440980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1564.487201][ C3]                                            ^
[ 1564.487315][ C3]  ff11000016440a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1564.487455][ C3]  ff11000016440a80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 1564.487636][ C3] ==================================================================
[ 1564.487777][ C3] Disabling lock debugging due to kernel taint
[ 1565.437254][T23200] udpgso_bench_tx (23200) used greatest stack depth: 22728 bytes left
[ 1590.167866][T24057] udpgso_bench_tx (24057) used greatest stack depth: 22256 bytes left
[ 1591.202483][T24127] udpgso_bench_tx (24127) used greatest stack depth: 21608 bytes left
[ 1604.351578][T24554] udpgso_bench_tx (24554) used greatest stack depth: 21568 bytes left