======================================
| [ 1669.282772][   T76] ==================================================================
| [ 1669.283014][ T76] BUG: KASAN: slab-use-after-free in neigh_flush_dev.isra.0 (./include/linux/list.h:990 ./include/linux/rculist.h:516 net/core/neighbour.c:385) 
| [ 1669.283231][   T76] Write of size 8 at addr ffff888039110418 by task kworker/u18:2/76
| [ 1669.283431][   T76]
[ 1669.283766][   T76] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 1669.284075][   T76] Workqueue: events_unbound linkwatch_event
[ 1669.284252][   T76] Call Trace:
[ 1669.284361][   T76]  <TASK>
[ 1669.284435][ T76] dump_stack_lvl (lib/dump_stack.c:123) 
[ 1669.284574][ T76] print_address_description.constprop.0 (mm/kasan/report.c:378) 
[ 1669.284740][ T76] ? neigh_flush_dev.isra.0 (./include/linux/list.h:990 ./include/linux/rculist.h:516 net/core/neighbour.c:385) 
[ 1669.284879][ T76] print_report (mm/kasan/report.c:489) 
[ 1669.285032][ T76] ? kasan_addr_to_slab (./include/linux/mm.h:1282 mm/kasan/../slab.h:206 mm/kasan/common.c:38) 
[ 1669.285175][ T76] kasan_report (mm/kasan/report.c:603) 
[ 1669.285276][ T76] ? neigh_flush_dev.isra.0 (./include/linux/list.h:990 ./include/linux/rculist.h:516 net/core/neighbour.c:385) 
[ 1669.285464][ T76] neigh_flush_dev.isra.0 (./include/linux/list.h:990 ./include/linux/rculist.h:516 net/core/neighbour.c:385) 
[ 1669.285601][ T76] ? lock_acquire (kernel/locking/lockdep.c:5798) 
[ 1669.285737][ T76] __neigh_ifdown.isra.0 (net/core/neighbour.c:826 net/core/neighbour.c:426) 
[ 1669.285906][ T76] neigh_carrier_down (net/core/neighbour.c:438) 
[ 1669.286036][ T76] arp_netdev_event (net/ipv4/arp.c:1343) 
[ 1669.286182][ T76] ? trace_notifier_run (./include/trace/events/notifier.h:59 (discriminator 52)) 
[ 1669.286326][ T76] notifier_call_chain (kernel/notifier.c:93 (discriminator 2)) 
[ 1669.286477][ T76] netdev_state_change (net/core/dev.c:1380 net/core/dev.c:1371) 
[ 1669.286610][ T76] ? __pfx_netdev_state_change (net/core/dev.c:1372) 
[ 1669.286740][ T76] ? dev_deactivate (./include/linux/list.h:111 ./include/linux/list.h:215 ./include/linux/list.h:229 net/sched/sch_generic.c:1404) 
[ 1669.286881][ T76] linkwatch_do_dev (net/core/link_watch.c:177) 
[ 1669.287013][ T76] __linkwatch_run_queue (./include/linux/spinlock.h:376 net/core/link_watch.c:236) 
[ 1669.287143][ T76] ? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 52)) 
[ 1669.287275][ T76] ? __pfx___linkwatch_run_queue (net/core/link_watch.c:186) 
[ 1669.287472][ T76] ? process_one_work (kernel/workqueue.c:3205) 
[ 1669.287684][ T76] ? lock_acquire (kernel/locking/lockdep.c:5798) 
[ 1669.287840][ T76] linkwatch_event (net/core/link_watch.c:278) 
[ 1669.287969][ T76] process_one_work (kernel/workqueue.c:3229) 
[ 1669.288105][ T76] ? __pfx___lock_release (kernel/locking/lockdep.c:5477) 
[ 1669.288235][ T76] ? __pfx_process_one_work (kernel/workqueue.c:3131) 
[ 1669.288367][ T76] ? assign_work (kernel/workqueue.c:1200) 
[ 1669.288499][ T76] worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391) 
[ 1669.288639][ T76] ? __pfx_worker_thread (kernel/workqueue.c:3337) 
[ 1669.288767][ T76] kthread (kernel/kthread.c:389) 
[ 1669.288884][ T76] ? __pfx_kthread (kernel/kthread.c:342) 
[ 1669.289017][ T76] ret_from_fork (arch/x86/kernel/process.c:147) 
[ 1669.289150][ T76] ? __pfx_kthread (kernel/kthread.c:342) 
[ 1669.289281][ T76] ret_from_fork_asm (arch/x86/entry/entry_64.S:257) 
| [ 1669.301256][   T76] Disabling lock debugging due to kernel taint
| [ 1669.301540][   T76] Oops: general protection fault, probably for non-canonical address 0xe07b3c3820000531: 0000 [#1] PREEMPT SMP KASAN NOPTI
| [ 1669.301942][   T76] KASAN: maybe wild-memory-access in range [0x03da01c100002988-0x03da01c10000298f]
| [ 1669.302512][   T76] Tainted: [B]=BAD_PAGE
[ 1669.302616][   T76] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 1669.302904][   T76] Workqueue: events_unbound linkwatch_event
[ 1669.303099][ T76] RIP: 0010:neigh_flush_dev.isra.0 (./include/linux/list.h:988 ./include/linux/rculist.h:516 net/core/neighbour.c:384) 
[ 1669.303262][ T76] Code: 0f 85 ef 04 00 00 49 8d 7f 08 49 8b 1f 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 cc 04 00 00 49 8b 6f 08 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 0f 85 19 05 00 00 48 89 5d 00 48 85 db 74 1a 48 8d
All code
========
   0:	0f 85 ef 04 00 00    	jne    0x4f5
   6:	49 8d 7f 08          	lea    0x8(%r15),%rdi
   a:	49 8b 1f             	mov    (%r15),%rbx
   d:	48 89 f8             	mov    %rdi,%rax
  10:	48 c1 e8 03          	shr    $0x3,%rax
  14:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1)
  19:	0f 85 cc 04 00 00    	jne    0x4eb
  1f:	49 8b 6f 08          	mov    0x8(%r15),%rbp
  23:	48 89 e8             	mov    %rbp,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
  2a:*	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1)		<-- trapping instruction
  2f:	0f 85 19 05 00 00    	jne    0x54e
  35:	48 89 5d 00          	mov    %rbx,0x0(%rbp)
  39:	48 85 db             	test   %rbx,%rbx
  3c:	74 1a                	je     0x58
  3e:	48                   	rex.W
  3f:	8d                   	.byte 0x8d

Code starting with the faulting instruction
===========================================
   0:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1)
   5:	0f 85 19 05 00 00    	jne    0x524
   b:	48 89 5d 00          	mov    %rbx,0x0(%rbp)
   f:	48 85 db             	test   %rbx,%rbx
  12:	74 1a                	je     0x2e
  14:	48                   	rex.W
  15:	8d                   	.byte 0x8d
[ 1669.303796][   T76] RSP: 0018:ffffc9000051fa08 EFLAGS: 00010202
[ 1669.303959][   T76] RAX: 007b403820000531 RBX: ffff88800815e7c0 RCX: ffffffff900796f0
[ 1669.304149][   T76] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff888039110408
[ 1669.304410][   T76] RBP: 03da01c10000298a R08: 0000000000000000 R09: 0000000000000000
[ 1669.304599][   T76] R10: ffffffff92571f0f R11: ffffc9000051f619 R12: ffff88803911053c
[ 1669.304788][   T76] R13: dffffc0000000000 R14: ffff8880391fc000 R15: ffff888039110400
[ 1669.305055][   T76] FS:  0000000000000000(0000) GS:ffff88802f700000(0000) knlGS:0000000000000000
[ 1669.305276][   T76] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1669.305441][   T76] CR2: 00007f49ca3df270 CR3: 0000000037926005 CR4: 0000000000772ef0
[ 1669.305784][   T76] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1669.305991][   T76] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1669.306180][   T76] PKRU: 55555554
[ 1669.306349][   T76] Call Trace:
[ 1669.306449][   T76]  <TASK>
[ 1669.306517][ T76] ? die_addr (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:460) 
[ 1669.306628][ T76] ? exc_general_protection (arch/x86/kernel/traps.c:751 arch/x86/kernel/traps.c:693) 
[ 1669.306759][ T76] ? asm_exc_general_protection (./arch/x86/include/asm/idtentry.h:617) 
[ 1669.306959][ T76] ? neigh_flush_dev.isra.0 (./include/linux/list.h:986 ./include/linux/rculist.h:516 net/core/neighbour.c:384) 
[ 1669.307100][ T76] ? neigh_flush_dev.isra.0 (./include/linux/list.h:988 ./include/linux/rculist.h:516 net/core/neighbour.c:384) 
[ 1669.307226][ T76] ? neigh_flush_dev.isra.0 (./include/linux/list.h:986 ./include/linux/rculist.h:516 net/core/neighbour.c:384) 
[ 1669.307352][ T76] ? lock_acquire (kernel/locking/lockdep.c:5798) 
[ 1669.307550][ T76] __neigh_ifdown.isra.0 (net/core/neighbour.c:826 net/core/neighbour.c:426) 
[ 1669.307686][ T76] neigh_carrier_down (net/core/neighbour.c:438) 
[ 1669.307812][ T76] arp_netdev_event (net/ipv4/arp.c:1343) 
[ 1669.307942][ T76] ? trace_notifier_run (./include/trace/events/notifier.h:59 (discriminator 52)) 
[ 1669.308072][ T76] notifier_call_chain (kernel/notifier.c:93 (discriminator 2)) 
[ 1669.308267][ T76] netdev_state_change (net/core/dev.c:1380 net/core/dev.c:1371) 
[ 1669.308398][ T76] ? __pfx_netdev_state_change (net/core/dev.c:1372) 
[ 1669.308522][ T76] ? dev_deactivate (./include/linux/list.h:111 ./include/linux/list.h:215 ./include/linux/list.h:229 net/sched/sch_generic.c:1404) 
[ 1669.308653][ T76] linkwatch_do_dev (net/core/link_watch.c:177) 
[ 1669.308851][ T76] __linkwatch_run_queue (./include/linux/spinlock.h:376 net/core/link_watch.c:236) 
[ 1669.308984][ T76] ? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 52)) 
[ 1669.309112][ T76] ? __pfx___linkwatch_run_queue (net/core/link_watch.c:186) 
[ 1669.309272][ T76] ? process_one_work (kernel/workqueue.c:3205) 
[ 1669.309468][ T76] ? lock_acquire (kernel/locking/lockdep.c:5798) 
[ 1669.309596][ T76] linkwatch_event (net/core/link_watch.c:278) 
[ 1669.309733][ T76] process_one_work (kernel/workqueue.c:3229) 
[ 1669.309868][ T76] ? __pfx___lock_release (kernel/locking/lockdep.c:5477) 
[ 1669.310067][ T76] ? __pfx_process_one_work (kernel/workqueue.c:3131) 
[ 1669.310207][ T76] ? assign_work (kernel/workqueue.c:1200) 
[ 1669.310337][ T76] worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391) 
[ 1669.310469][ T76] ? __pfx_worker_thread (kernel/workqueue.c:3337) 
[ 1669.310742][ T76] kthread (kernel/kthread.c:389) 
[ 1669.310848][ T76] ? __pfx_kthread (kernel/kthread.c:342) 
[ 1669.310976][ T76] ret_from_fork (arch/x86/kernel/process.c:147) 
[ 1669.311113][ T76] ? __pfx_kthread (kernel/kthread.c:342) 


Finger prints:
print_report:kasan_report:neigh_carrier_down:arp_netdev_event:notifier_call_chain
neigh_carrier_down:arp_netdev_event:notifier_call_chain:netdev_state_change:linkwatch_do_dev