======================================
| [  739.043065][ T4337] ==================================================================
| [ 739.043381][ T4337] BUG: KASAN: slab-use-after-free in ___neigh_create (./include/linux/rculist.h:598 net/core/neighbour.c:688) 
| [  739.043675][ T4337] Write of size 8 at addr ffff88800924cc18 by task msend/4337
| [  739.043964][ T4337]
[  739.044348][ T4337] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[  739.044792][ T4337] Call Trace:
[  739.044947][ T4337]  <TASK>
[ 739.045049][ T4337] dump_stack_lvl (lib/dump_stack.c:123) 
[ 739.045251][ T4337] print_address_description.constprop.0 (mm/kasan/report.c:378) 
[ 739.045499][ T4337] ? ___neigh_create (./include/linux/rculist.h:598 net/core/neighbour.c:688) 
[ 739.045693][ T4337] print_report (mm/kasan/report.c:489) 
[ 739.045885][ T4337] ? kasan_addr_to_slab (./include/linux/mm.h:1282 mm/kasan/../slab.h:206 mm/kasan/common.c:38) 
[ 739.046084][ T4337] kasan_report (mm/kasan/report.c:603) 
[ 739.046239][ T4337] ? ___neigh_create (./include/linux/rculist.h:598 net/core/neighbour.c:688) 
[ 739.046442][ T4337] ___neigh_create (./include/linux/rculist.h:598 net/core/neighbour.c:688) 
[ 739.046647][ T4337] ip_finish_output2 (./include/net/route.h:381 ./include/net/route.h:399 net/ipv4/ip_output.c:229) 
[ 739.046839][ T4337] ? kfree (mm/slub.c:4716) 
[ 739.046997][ T4337] ? __ip_select_ident (./arch/x86/include/asm/atomic.h:85 ./include/linux/atomic/atomic-arch-fallback.h:564 ./include/linux/atomic/atomic-instrumented.h:124 net/ipv4/route.c:478 net/ipv4/route.c:494) 
[ 739.047170][ T4337] ? __pfx___lock_release (kernel/locking/lockdep.c:5477) 
[ 739.047364][ T4337] ? __pfx_ip_finish_output2 (net/ipv4/ip_output.c:199) 
[ 739.047559][ T4337] ? __ip_finish_output (./include/linux/skbuff.h:1672 ./include/linux/skbuff.h:5019 net/ipv4/ip_output.c:307 net/ipv4/ip_output.c:295) 
[ 739.047710][ T4337] ip_output (./include/linux/netfilter.h:303 net/ipv4/ip_output.c:433) 
[ 739.047865][ T4337] ? __ip_local_out (./include/net/l3mdev.h:203 ./include/net/l3mdev.h:213 net/ipv4/ip_output.c:112) 
[ 739.048061][ T4337] ? __pfx_ip_output (net/ipv4/ip_output.c:427) 
[ 739.048207][ T4337] ? ip_make_skb (net/ipv4/ip_output.c:1584) 
[ 739.048332][ T4337] ? ip_route_output_key_hash (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:880 net/ipv4/route.c:2623) 
[ 739.048529][ T4337] ? __pfx_ip_make_skb (net/ipv4/ip_output.c:1560) 
[ 739.048721][ T4337] ? ip_route_output_key_hash (net/ipv4/route.c:2609) 
[ 739.048906][ T4337] ip_send_skb (./include/net/dst.h:450 net/ipv4/ip_output.c:129 net/ipv4/ip_output.c:1510) 
[ 739.049104][ T4337] udp_send_skb (net/ipv4/udp.c:984) 
[ 739.049308][ T4337] udp_sendmsg (net/ipv4/udp.c:1272) 
[ 739.049490][ T4337] ? __pfx_ip_generic_getfrag (net/ipv4/ip_output.c:935) 
[ 739.049693][ T4337] ? __pfx_udp_sendmsg (net/ipv4/udp.c:1060) 
[ 739.049891][ T4337] ? __lock_acquire (kernel/locking/lockdep.c:5202) 
[ 739.050087][ T4337] ? find_held_lock (kernel/locking/lockdep.c:5315) 
[ 739.050284][ T4337] ? __might_fault (mm/memory.c:6700 mm/memory.c:6693) 
[ 739.050485][ T4337] ? __pfx___lock_release (kernel/locking/lockdep.c:5477) 
[ 739.050679][ T4337] ? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 52)) 
[ 739.050889][ T4337] ? __might_fault (mm/memory.c:6700 mm/memory.c:6693) 
[ 739.051087][ T4337] ? lock_acquire (kernel/locking/lockdep.c:5798) 
[ 739.051278][ T4337] ? __might_fault (mm/memory.c:6700 mm/memory.c:6693) 
[ 739.051470][ T4337] ? __might_fault (mm/memory.c:6700 mm/memory.c:6693) 
[ 739.051679][ T4337] __sys_sendto (net/socket.c:729 net/socket.c:744 net/socket.c:2214) 
[ 739.051886][ T4337] ? __pfx___sys_sendto (net/socket.c:2184) 
[ 739.052089][ T4337] ? vfs_write (./arch/x86/include/asm/current.h:49 fs/read_write.c:688) 
[ 739.052293][ T4337] ? __pfx_x64_setup_rt_frame (arch/x86/kernel/signal_64.c:165) 
[ 739.052496][ T4337] ? __local_bh_enable_ip (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 kernel/softirq.c:387) 
[ 739.052672][ T4337] ? handle_signal (arch/x86/kernel/signal.c:310) 
[ 739.052866][ T4337] ? arch_do_signal_or_restart (arch/x86/kernel/signal.c:340) 
[ 739.053116][ T4337] ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334) 
[ 739.053353][ T4337] ? ksys_write (fs/read_write.c:736) 
[ 739.053545][ T4337] ? __pfx_ksys_write (fs/read_write.c:726) 
[ 739.053741][ T4337] __x64_sys_sendto (net/socket.c:2222) 
[ 739.053949][ T4337] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406) 
[ 739.054192][ T4337] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 739.054394][ T4337] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[  739.054643][ T4337] RIP: 0033:0x7fb8c5e5e85a
[ 739.054850][ T4337] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
All code
========
   0:	d8 64 89 02          	fsubs  0x2(%rcx,%rcx,4)
   4:	48 c7 c0 ff ff ff ff 	mov    $0xffffffffffffffff,%rax
   b:	eb b8                	jmp    0xffffffffffffffc5
   d:	0f 1f 00             	nopl   (%rax)
  10:	f3 0f 1e fa          	endbr64
  14:	41 89 ca             	mov    %ecx,%r10d
  17:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  1e:	00 
  1f:	85 c0                	test   %eax,%eax
  21:	75 15                	jne    0x38
  23:	b8 2c 00 00 00       	mov    $0x2c,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 7e                	ja     0xb0
  32:	c3                   	ret
  33:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  38:	41 54                	push   %r12
  3a:	48 83 ec 30          	sub    $0x30,%rsp
  3e:	44                   	rex.R
  3f:	89                   	.byte 0x89

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 7e                	ja     0x86
   8:	c3                   	ret
   9:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
   e:	41 54                	push   %r12
  10:	48 83 ec 30          	sub    $0x30,%rsp
  14:	44                   	rex.R
  15:	89                   	.byte 0x89
[  739.055541][ T4337] RSP: 002b:00007ffda62afd58 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[  739.055853][ T4337] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb8c5e5e85a
[  739.056154][ T4337] RDX: 0000000000000001 RSI: 00007ffda62b0c20 RDI: 0000000000000005
[  739.056452][ T4337] RBP: 00007ffda62afd80 R08: 00007ffda62b1024 R09: 0000000000000010
[  739.056762][ T4337] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffda62b11d8
[  739.057061][ T4337] R13: 000000000040140a R14: 0000000000404de8 R15: 00007fb8c5f59000
| [  761.537794][ T4506] veth1: left promiscuous mode
| [  761.945797][   T78] Oops: general protection fault, probably for non-canonical address 0xed6d696d6d6d6d6d: 0000 [#1] PREEMPT SMP KASAN NOPTI
| [  761.946158][   T78] KASAN: maybe wild-memory-access in range [0x6b6b6b6b6b6b6b68-0x6b6b6b6b6b6b6b6f]
| [  761.946651][   T78] Tainted: [B]=BAD_PAGE
[  761.946753][   T78] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[  761.947033][   T78] Workqueue: events_unbound linkwatch_event
[ 761.947198][ T78] RIP: 0010:neigh_flush_dev.isra.0 (./include/linux/list.h:988 ./include/linux/rculist.h:516 net/core/neighbour.c:384) 
[ 761.947362][ T78] Code: 0f 85 ef 04 00 00 49 8d 7f 08 49 8b 1f 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 cc 04 00 00 49 8b 6f 08 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 0f 85 19 05 00 00 48 89 5d 00 48 85 db 74 1a 48 8d
All code
========
   0:	0f 85 ef 04 00 00    	jne    0x4f5
   6:	49 8d 7f 08          	lea    0x8(%r15),%rdi
   a:	49 8b 1f             	mov    (%r15),%rbx
   d:	48 89 f8             	mov    %rdi,%rax
  10:	48 c1 e8 03          	shr    $0x3,%rax
  14:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1)
  19:	0f 85 cc 04 00 00    	jne    0x4eb
  1f:	49 8b 6f 08          	mov    0x8(%r15),%rbp
  23:	48 89 e8             	mov    %rbp,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
  2a:*	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1)		<-- trapping instruction
  2f:	0f 85 19 05 00 00    	jne    0x54e
  35:	48 89 5d 00          	mov    %rbx,0x0(%rbp)
  39:	48 85 db             	test   %rbx,%rbx
  3c:	74 1a                	je     0x58
  3e:	48                   	rex.W
  3f:	8d                   	.byte 0x8d

Code starting with the faulting instruction
===========================================
   0:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1)
   5:	0f 85 19 05 00 00    	jne    0x524
   b:	48 89 5d 00          	mov    %rbx,0x0(%rbp)
   f:	48 85 db             	test   %rbx,%rbx
  12:	74 1a                	je     0x2e
  14:	48                   	rex.W
  15:	8d                   	.byte 0x8d
[  761.947800][   T78] RSP: 0018:ffffc9000053fa08 EFLAGS: 00010202
[  761.947958][   T78] RAX: 0d6d6d6d6d6d6d6d RBX: 6b6b6b6b6b6b6b6b RCX: ffffffff910796f0
[  761.948146][   T78] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88800924cc08
[  761.948330][   T78] RBP: 6b6b6b6b6b6b6b6b R08: 0000000000000000 R09: 0000000000000000
[  761.948516][   T78] R10: ffffffff93571f0f R11: ffffc9000053f619 R12: ffff88800924cd3c
[  761.948697][   T78] R13: dffffc0000000000 R14: ffff888005ae4000 R15: ffff88800924cc00
[  761.948881][   T78] FS:  0000000000000000(0000) GS:ffff888036000000(0000) knlGS:0000000000000000
[  761.949101][   T78] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  761.949257][   T78] CR2: 00007f1580b662a8 CR3: 0000000006328004 CR4: 0000000000772ef0
[  761.949449][   T78] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  761.949633][   T78] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  761.949817][   T78] PKRU: 55555554
[  761.949912][   T78] Call Trace:
[  761.950006][   T78]  <TASK>
[ 761.950071][ T78] ? die_addr (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:460) 
[ 761.950170][ T78] ? exc_general_protection (arch/x86/kernel/traps.c:751 arch/x86/kernel/traps.c:693) 
[ 761.950297][ T78] ? asm_exc_general_protection (./arch/x86/include/asm/idtentry.h:617) 
[ 761.950427][ T78] ? neigh_flush_dev.isra.0 (./include/linux/list.h:986 ./include/linux/rculist.h:516 net/core/neighbour.c:384) 
[ 761.950550][ T78] ? neigh_flush_dev.isra.0 (./include/linux/list.h:988 ./include/linux/rculist.h:516 net/core/neighbour.c:384) 
[ 761.950675][ T78] ? neigh_flush_dev.isra.0 (./include/linux/list.h:986 ./include/linux/rculist.h:516 net/core/neighbour.c:384) 
[ 761.950797][ T78] ? lock_acquire (kernel/locking/lockdep.c:5798) 
[ 761.950923][ T78] __neigh_ifdown.isra.0 (net/core/neighbour.c:826 net/core/neighbour.c:426) 
[ 761.951049][ T78] neigh_carrier_down (net/core/neighbour.c:438) 
[ 761.951171][ T78] arp_netdev_event (net/ipv4/arp.c:1343) 
[ 761.951298][ T78] ? trace_notifier_run (./include/trace/events/notifier.h:59 (discriminator 52)) 
[ 761.951422][ T78] notifier_call_chain (kernel/notifier.c:93 (discriminator 2)) 
[ 761.951547][ T78] netdev_state_change (net/core/dev.c:1380 net/core/dev.c:1371) 
[ 761.951670][ T78] ? __pfx_netdev_state_change (net/core/dev.c:1372) 
[ 761.951791][ T78] ? dev_deactivate (./include/linux/list.h:111 ./include/linux/list.h:215 ./include/linux/list.h:229 net/sched/sch_generic.c:1404) 
[ 761.951916][ T78] ? veth_get_iflink (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:880 drivers/net/veth.c:1450) veth
[ 761.952045][ T78] linkwatch_do_dev (net/core/link_watch.c:177) 
[ 761.952169][ T78] __linkwatch_run_queue (./include/linux/spinlock.h:376 net/core/link_watch.c:236) 
[ 761.952296][ T78] ? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 52)) 
[ 761.952421][ T78] ? __pfx___linkwatch_run_queue (net/core/link_watch.c:186) 
[ 761.952598][ T78] ? process_one_work (kernel/workqueue.c:3205) 
[ 761.952719][ T78] ? lock_acquire (kernel/locking/lockdep.c:5798) 
[ 761.952842][ T78] linkwatch_event (net/core/link_watch.c:278) 
[ 761.952968][ T78] process_one_work (kernel/workqueue.c:3229) 
[ 761.953095][ T78] ? __pfx___lock_release (kernel/locking/lockdep.c:5477) 
[ 761.953216][ T78] ? __pfx_process_one_work (kernel/workqueue.c:3131) 
[ 761.953343][ T78] ? assign_work (kernel/workqueue.c:1200) 
[ 761.953468][ T78] worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391) 
[ 761.953591][ T78] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406) 
[ 761.953758][ T78] ? __pfx_worker_thread (kernel/workqueue.c:3337) 
[ 761.953881][ T78] ? __pfx_worker_thread (kernel/workqueue.c:3337) 
[ 761.954002][ T78] kthread (kernel/kthread.c:389) 
[ 761.954096][ T78] ? __pfx_kthread (kernel/kthread.c:342) 
[ 761.954222][ T78] ret_from_fork (arch/x86/kernel/process.c:147) 
[ 761.954349][ T78] ? __pfx_kthread (kernel/kthread.c:342) 


Finger prints:
neigh_carrier_down:arp_netdev_event:notifier_call_chain:netdev_state_change:linkwatch_do_dev
print_report:kasan_report:___neigh_create:ip_finish_output2:ip_output