[ 1476.670278][T23617] gre: GRE over IPv4 demultiplexer driver
[ 1477.142184][T23640] ip_gre: GRE over IPv4 tunneling driver
[ 1482.587360][ C1] ==================================================================
[ 1482.587552][ C1] BUG: KASAN: slab-use-after-free in fib_rules_lookup+0xc66/0xc80
[ 1482.587691][ C1] Read of size 8 at addr ff1100000a1638c0 by task kworker/1:2/22527
[ 1482.587825][ C1]
[ 1482.587873][ C1] CPU: 1 UID: 0 PID: 22527 Comm: kworker/1:2 Not tainted 7.1.0-rc7-virtme #1 PREEMPT(full)
[ 1482.587876][ C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1482.587878][ C1] Workqueue: mld mld_ifc_work
[ 1482.587885][ C1] Call Trace:
[ 1482.587887][ C1] <IRQ>
[ 1482.587888][ C1] dump_stack_lvl+0x6f/0xa0
[ 1482.587894][ C1] print_address_description.constprop.0+0x56/0x2d0
[ 1482.587898][ C1] print_report+0xfc/0x1fa
[ 1482.587900][ C1] ? __virt_addr_valid+0x102/0x440
[ 1482.587904][ C1] ? __virt_addr_valid+0x1da/0x440
[ 1482.587907][ C1] kasan_report+0x108/0x130
[ 1482.587910][ C1] ? fib_rules_lookup+0xc66/0xc80
[ 1482.587912][ C1] ? fib_rules_lookup+0xc66/0xc80
[ 1482.587914][ C1] fib_rules_lookup+0xc66/0xc80
[ 1482.587916][ C1] ? fib_nl_delrule+0x80/0x80
[ 1482.587918][ C1] ? l3mdev_update_flow+0xf8/0x550
[ 1482.587920][ C1] ? dev_get_by_index_rcu+0xe6/0x180
[ 1482.587924][ C1] __fib_lookup+0xdb/0x130
[ 1482.587927][ C1] ? fib4_rule_nlmsg_payload+0x10/0x10
[ 1482.587929][ C1] ? mark_usage+0x61/0x170
[ 1482.587932][ C1] ? __lock_acquire+0x508/0xc10
[ 1482.587934][ C1] ip_route_input_slow+0x5eb/0x2400
[ 1482.587938][ C1] ? fib_multipath_hash+0x11b0/0x11b0
[ 1482.587946][ C1] ? rcu_is_watching+0x15/0xd0
[ 1482.587949][ C1] ? lock_acquire+0x134/0x160
[ 1482.587951][ C1] ip_route_input_noref+0x114/0x250
[ 1482.587953][ C1] ? ip_route_input_slow+0x2400/0x2400
[ 1482.587956][ C1] ? __lock_release.isra.0+0x6b/0x1a0
[ 1482.587958][ C1] ip_rcv_finish_core+0x553/0x14c0
[ 1482.587961][ C1] ip_rcv_finish+0xee/0x250
[ 1482.587963][ C1] ? process_backlog+0x561/0x1490
[ 1482.587966][ C1] ip_rcv+0xdc/0x3d0
[ 1482.587968][ C1] ? ip_local_deliver+0x4c0/0x4c0
[ 1482.587969][ C1] ? validate_chain+0x38b/0xc20
[ 1482.587971][ C1] ? handle_softirqs+0x1d8/0x940
[ 1482.587974][ C1] ? __irq_exit_rcu+0x103/0x1c0
[ 1482.587975][ C1] ? irq_exit_rcu+0xe/0x30
[ 1482.587977][ C1] ? mark_usage+0x61/0x170
[ 1482.587978][ C1] ? __lock_acquire+0x508/0xc10
[ 1482.587979][ C1] ? rcu_do_batch+0xbe7/0x1020
[ 1482.587981][ C1] __netif_receive_skb_one_core+0xfc/0x180
[ 1482.587983][ C1] ? lock_acquire.part.0+0xbc/0x260
[ 1482.587985][ C1] ? __netif_receive_skb_list_core+0x9e0/0x9e0
[ 1482.587987][ C1] ? rcu_is_watching+0x15/0xd0
[ 1482.587989][ C1] process_backlog+0x2bc/0x1490
[ 1482.587992][ C1] __napi_poll+0xa7/0x3b0
[ 1482.587994][ C1] net_rx_action+0x513/0xf50
[ 1482.587997][ C1] ? __napi_poll+0x3b0/0x3b0
[ 1482.588001][ C1] ? mark_held_locks+0x40/0x70
[ 1482.588002][ C1] handle_softirqs+0x1d8/0x940
[ 1482.588004][ C1] ? __lock_release.isra.0+0x6b/0x1a0
[ 1482.588006][ C1] ? _local_bh_enable+0xd0/0xd0
[ 1482.588007][ C1] ? rcu_is_watching+0x15/0xd0
[ 1482.588009][ C1] do_softirq+0xa9/0xe0
[ 1482.588011][ C1] </IRQ>
[ 1482.588012][ C1] <TASK>
[ 1482.588012][ C1] ? __dev_queue_xmit+0x956/0x1b70
[ 1482.588014][ C1] __local_bh_enable_ip+0x113/0x140
[ 1482.588016][ C1] __dev_queue_xmit+0x96b/0x1b70
[ 1482.588018][ C1] ? __lock_acquire+0x508/0xc10
[ 1482.588020][ C1] ? netdev_core_pick_tx+0x2c0/0x2c0
[ 1482.588021][ C1] ? eth_header+0xe0/0x180
[ 1482.588025][ C1] ? vlan_dev_hard_header+0xf8/0x4d0
[ 1482.588027][ C1] ? mark_held_locks+0x40/0x70
[ 1482.588029][ C1] ? neigh_connected_output+0x2cf/0x5a0
[ 1482.588032][ C1] ip6_finish_output2+0x488/0x1310
[ 1482.588036][ C1] ? ip6_xmit+0x2000/0x2000
[ 1482.588037][ C1] ? find_held_lock+0x2b/0x80
[ 1482.588039][ C1] ? __lock_release.isra.0+0x6b/0x1a0
[ 1482.588040][ C1] ? ip6_mtu+0x174/0x410
[ 1482.588043][ C1] ip6_finish_output+0x701/0xe80
[ 1482.588045][ C1] ip6_output+0x23f/0x7f0
[ 1482.588047][ C1] ? ip6_finish_output+0xe80/0xe80
[ 1482.588049][ C1] ? __lock_release.isra.0+0x6b/0x1a0
[ 1482.588050][ C1] ? xfrm_bundle_lookup.constprop.0+0xba0/0xba0
[ 1482.588053][ C1] ? mark_held_locks+0x40/0x70
[ 1482.588054][ C1] ? __local_bh_enable_ip+0xa5/0x140
[ 1482.588056][ C1] ? __local_bh_enable_ip+0xa5/0x140
[ 1482.588057][ C1] ? icmp6_dst_alloc+0x317/0x4d0
[ 1482.588060][ C1] mld_sendpack+0x9d6/0xec0
[ 1482.588062][ C1] ? nf_hook.constprop.0+0x340/0x340
[ 1482.588065][ C1] ? mld_send_cr+0x50f/0x820
[ 1482.588068][ C1] mld_ifc_work+0x36/0x190
[ 1482.588070][ C1] ? process_one_work+0xdb7/0x1410
[ 1482.588072][ C1] process_one_work+0xdf8/0x1410
[ 1482.588075][ C1] ? pwq_dec_nr_in_flight+0x710/0x710
[ 1482.588077][ C1] ? lock_acquire.part.0+0xbc/0x260
[ 1482.588080][ C1] worker_thread+0x4f1/0xd60
[ 1482.588082][ C1] ? rescuer_thread+0x1320/0x1320
[ 1482.588084][ C1] ? __kthread_parkme+0xbd/0x210
[ 1482.588086][ C1] ? rescuer_thread+0x1320/0x1320
[ 1482.588088][ C1] kthread+0x367/0x460
[ 1482.588090][ C1] ? trace_irq_enable.constprop.0+0x9b/0x180
[ 1482.588093][ C1] ? kthread_affine_node+0x330/0x330
[ 1482.588095][ C1] ret_from_fork+0x474/0x6b0
[ 1482.588098][ C1] ? arch_exit_to_user_mode_prepare.isra.0+0x120/0x120
[ 1482.588100][ C1] ? __switch_to+0x5a3/0xe00
[ 1482.588103][ C1] ? kthread_affine_node+0x330/0x330
[ 1482.588104][ C1] ret_from_fork_asm+0x11/0x20
[ 1482.588108][ C1] </TASK>
[ 1482.588109][ C1]
[ 1482.597328][ C1] Allocated by task 23869:
[ 1482.597428][ C1] kasan_save_stack+0x2f/0x50
[ 1482.597521][ C1] kasan_save_track+0x14/0x30
[ 1482.597654][ C1] __kasan_kmalloc+0x7b/0x90
[ 1482.597740][ C1] __kmalloc_node_track_caller_noprof+0x2d6/0x7b0
[ 1482.597846][ C1] kmemdup_noprof+0x25/0x40
[ 1482.597984][ C1] fib_rules_register+0x30/0x590
[ 1482.598073][ C1] fib4_rules_init+0x21/0x140
[ 1482.598159][ C1] fib_net_init+0x165/0x350
[ 1482.598245][ C1] ops_init+0x187/0x560
[ 1482.598312][ C1] setup_net+0x11b/0x3b0
[ 1482.598424][ C1] copy_net_ns+0x383/0x660
[ 1482.598519][ C1] create_new_namespaces+0x371/0xa10
[ 1482.598605][ C1] unshare_nsproxy_namespaces+0xa5/0x1d0
[ 1482.598690][ C1] ksys_unshare+0x353/0x880
[ 1482.598824][ C1] __x64_sys_unshare+0x34/0x50
[ 1482.598910][ C1] do_syscall_64+0x117/0x590
[ 1482.599002][ C1] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 1482.599109][ C1]
[ 1482.599200][ C1] Freed by task 37:
[ 1482.599266][ C1] kasan_save_stack+0x2f/0x50
[ 1482.599353][ C1] kasan_save_track+0x14/0x30
[ 1482.599443][ C1] kasan_save_free_info+0x3b/0x60
[ 1482.599585][ C1] __kasan_slab_free+0x43/0x70
[ 1482.599672][ C1] kmem_cache_free_bulk.part.0+0x1e3/0x480
[ 1482.599782][ C1] kvfree_rcu_bulk+0x1f1/0x240
[ 1482.599868][ C1] kfree_rcu_monitor+0x211/0x3f0
[ 1482.600004][ C1] process_one_work+0xdf8/0x1410
[ 1482.600090][ C1] worker_thread+0x4f1/0xd60
[ 1482.600180][ C1] kthread+0x367/0x460
[ 1482.600246][ C1] ret_from_fork+0x474/0x6b0
[ 1482.600387][ C1] ret_from_fork_asm+0x11/0x20
[ 1482.600473][ C1]
[ 1482.600517][ C1] Last potentially related work creation:
[ 1482.600610][ C1] kasan_save_stack+0x2f/0x50
[ 1482.600698][ C1] kasan_record_aux_stack+0x9b/0xc0
[ 1482.600833][ C1] kvfree_call_rcu+0x7e/0x5b0
[ 1482.600919][ C1] ops_undo_list+0x5be/0x8f0
[ 1482.601008][ C1] cleanup_net+0x431/0x940
[ 1482.601094][ C1] process_one_work+0xdf8/0x1410
[ 1482.601227][ C1] worker_thread+0x4f1/0xd60
[ 1482.601315][ C1] kthread+0x367/0x460
[ 1482.601381][ C1] ret_from_fork+0x474/0x6b0
[ 1482.601475][ C1] ret_from_fork_asm+0x11/0x20
[ 1482.601610][ C1]
[ 1482.601655][ C1] The buggy address belongs to the object at ff1100000a163840
[ 1482.601655][ C1] which belongs to the cache kmalloc-192 of size 192
[ 1482.601864][ C1] The buggy address is located 128 bytes inside of
[ 1482.601864][ C1] freed 192-byte region [ff1100000a163840, ff1100000a163900)
[ 1482.602126][ C1]
[ 1482.602170][ C1] The buggy address belongs to the physical page:
[ 1482.602277][ C1] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff1100000a162f40 pfn:0xa162
[ 1482.602500][ C1] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 1482.602629][ C1] flags: 0x80000000000240(workingset|head|node=0|zone=1)
[ 1482.602743][ C1] page_type: f5(slab)
[ 1482.602812][ C1] raw: 0080000000000240 ff1100000103c4c0 ffd400000034c990 ffd400000007bb10
[ 1482.602970][ C1] raw: ff1100000a162f40 0000000000150006 00000000f5000000 0000000000000000
[ 1482.603170][ C1] head: 0080000000000240 ff1100000103c4c0 ffd400000034c990 ffd400000007bb10
[ 1482.603325][ C1] head: ff1100000a162f40 0000000000150006 00000000f5000000 0000000000000000
[ 1482.603524][ C1] head: 0080000000000001 ffffffffffffff81 00000000ffffffff 00000000ffffffff
[ 1482.603673][ C1] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 1482.603823][ C1] page dumped because: kasan: bad access detected
[ 1482.603981][ C1]
[ 1482.604025][ C1] Memory state around the buggy address:
[ 1482.604110][ C1]  ff1100000a163780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1482.604236][ C1]  ff1100000a163800: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 1482.604411][ C1] >ff1100000a163880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1482.604540][ C1]                                            ^
[ 1482.604693][ C1]  ff1100000a163900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1482.604819][ C1]  ff1100000a163980: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 1482.604947][ C1] ==================================================================
[ 1482.605177][ C1] Disabling lock debugging due to kernel taint
[ 1490.391066][T24211] ip6_gre: GRE over IPv6 tunneling driver
[ 1497.810740][ C2] ip6_tunnel: tep0 xmit: Local address not yet configured!
[ 1499.411744][ C3] ip6_tunnel: tep0 xmit: Local address not yet configured!
[ 1500.947747][ C3] ip6_tunnel: tep0 xmit: Local address not yet configured!
[ 1502.546740][ C0] ip6_tunnel: tep0 xmit: Local address not yet configured!