======================================
| [ 5848.107161][    C2] ==================================================================
| [ 5848.107586][ C2] BUG: KASAN: slab-use-after-free in __udp_enqueue_schedule_skb (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 net/ipv4/udp.c:1717) 
| [ 5848.107952][    C2] Read of size 4 at addr ffff88800bd71848 by task nettest/31938
| [ 5848.108254][    C2]
[ 5848.108367][    C2] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 5848.108369][    C2] Call Trace:
[ 5848.108371][    C2]  <IRQ>
[ 5848.108373][ C2] dump_stack_lvl (lib/dump_stack.c:123) 
[ 5848.108380][ C2] print_address_description.constprop.0 (mm/kasan/report.c:379) 
[ 5848.108389][ C2] ? __udp_enqueue_schedule_skb (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 net/ipv4/udp.c:1717) 
[ 5848.108394][ C2] print_report (mm/kasan/report.c:483) 
[ 5848.108397][ C2] ? __udp_enqueue_schedule_skb (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 net/ipv4/udp.c:1717) 
[ 5848.108400][ C2] ? kasan_addr_to_slab (./include/linux/mm.h:1180 mm/kasan/../slab.h:187 mm/kasan/common.c:38) 
[ 5848.108404][ C2] ? __udp_enqueue_schedule_skb (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 net/ipv4/udp.c:1717) 
[ 5848.108407][ C2] kasan_report (mm/kasan/report.c:597) 
[ 5848.108411][ C2] ? __udp_enqueue_schedule_skb (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 net/ipv4/udp.c:1717) 
[ 5848.108416][ C2] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189) 
[ 5848.108420][ C2] __udp_enqueue_schedule_skb (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 net/ipv4/udp.c:1717) 
[ 5848.108424][ C2] ? sk_filter_trim_cap (net/core/filter.c:136) 
[ 5848.108430][ C2] ? reuseport_select_sock (net/core/sock_reuseport.c:608) 
[ 5848.108435][ C2] ? fib_lookup.constprop.0 (net/core/filter.c:136) 
[ 5848.108438][ C2] ? udp_sendmsg (net/ipv4/udp.c:1700) 
[ 5848.108441][ C2] ? udp6_lib_lookup2 (net/ipv6/udp.c:247) 
[ 5848.108447][ C2] ? txopt_get (net/ipv6/udp.c:83) 
[ 5848.108450][ C2] ? __xfrm_policy_check2.constprop.0 (./include/net/net_namespace.h:409 ./include/linux/netdevice.h:2722 ./include/net/xfrm.h:1273) 
[ 5848.108455][ C2] udpv6_queue_rcv_one_skb (net/ipv6/udp.c:795 net/ipv6/udp.c:905) 
[ 5848.108458][ C2] ? __udp6_lib_lookup (net/ipv6/udp.c:392) 
[ 5848.108462][ C2] ? __xfrm_policy_check2.constprop.0 (net/ipv4/ip_input.c:390) 
[ 5848.108468][ C2] udp6_unicast_rcv_skb (net/ipv6/udp.c:1069 (discriminator 3)) 
[ 5848.108472][ C2] __udp6_lib_rcv (net/ipv6/udp.c:1152) 
[ 5848.108478][ C2] ? udpv6_err (net/ipv6/udp.c:1073) 
[ 5848.108483][ C2] ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:440) 
[ 5848.108492][ C2] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751) 
[ 5848.108501][ C2] ip6_input_finish (net/ipv6/ip6_input.c:492) 
[ 5848.108505][ C2] ip6_input (./include/linux/netfilter.h:318 ./include/linux/netfilter.h:312 net/ipv6/ip6_input.c:500) 
[ 5848.108508][ C2] ? ip6_input_finish (net/ipv6/ip6_input.c:496) 
[ 5848.108513][ C2] ? ip6_rcv_core (./include/linux/skbuff.h:3371 net/ipv6/ip6_input.c:292) 
[ 5848.108518][ C2] ipv6_rcv (./include/net/dst.h:474 net/ipv6/ip6_input.c:79 ./include/linux/netfilter.h:318 ./include/linux/netfilter.h:312 net/ipv6/ip6_input.c:311) 
[ 5848.108521][ C2] ? __xfrm_policy_check2.constprop.0 (./include/net/dst_metadata.h:97 net/ipv4/ip_input.c:367) 
[ 5848.108525][ C2] ? rcu_read_lock_any_held (kernel/rcu/update.c:386 kernel/rcu/update.c:380) 
[ 5848.108528][ C2] ? validate_chain (kernel/locking/lockdep.c:3801 kernel/locking/lockdep.c:3821 kernel/locking/lockdep.c:3876) 
[ 5848.108536][ C2] ? __lock_acquire (kernel/locking/lockdep.c:5237) 
[ 5848.108540][ C2] ? __xfrm_policy_check2.constprop.0 (./include/net/dst_metadata.h:97 net/ipv4/ip_input.c:367) 
[ 5848.108543][ C2] ? process_backlog (./include/linux/local_lock_internal.h:54 net/core/dev.c:6535) 
[ 5848.108548][ C2] __netif_receive_skb_one_core (net/core/dev.c:6065) 
[ 5848.108552][ C2] ? __netif_receive_skb_list_core (net/core/dev.c:6065) 
[ 5848.108557][ C2] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751) 
[ 5848.108560][ C2] ? lock_acquire (./include/trace/events/lock.h:24 kernel/locking/lockdep.c:5831) 
[ 5848.108563][ C2] ? process_backlog (./include/linux/local_lock_internal.h:54 net/core/dev.c:6535) 
[ 5848.108567][ C2] process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6538) 
[ 5848.108573][ C2] __napi_poll.constprop.0 (net/core/dev.c:7588) 
[ 5848.108577][ C2] net_rx_action (net/core/dev.c:7650 net/core/dev.c:7777) 
[ 5848.108584][ C2] ? __napi_poll.constprop.0 (net/core/dev.c:7739) 
[ 5848.108587][ C2] ? sched_ttwu_pending (kernel/sched/core.c:3840 (discriminator 2)) 
[ 5848.108593][ C2] ? __lock_release (kernel/locking/lockdep.c:5536) 
[ 5848.108597][ C2] ? do_raw_spin_unlock (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/asm-generic/qspinlock.h:57 kernel/locking/spinlock_debug.c:101 kernel/locking/spinlock_debug.c:141) 
[ 5848.108601][ C2] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:104 ./include/linux/spinlock_api_smp.h:143 kernel/locking/spinlock.c:186) 
[ 5848.108609][ C2] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751) 
[ 5848.108612][ C2] ? ttwu_do_activate (kernel/sched/core.c:3821) 
[ 5848.108615][ C2] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4472) 
[ 5848.108621][ C2] handle_softirqs (kernel/softirq.c:580) 
[ 5848.108627][ C2] ? __dev_queue_xmit (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:908 net/core/dev.c:4784) 
[ 5848.108631][ C2] do_softirq (kernel/softirq.c:480 kernel/softirq.c:467) 
[ 5848.108634][    C2]  </IRQ>
[ 5848.108635][    C2]  <TASK>
[ 5848.108636][ C2] __local_bh_enable_ip (kernel/softirq.c:407) 
[ 5848.108639][ C2] ? __dev_queue_xmit (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:908 net/core/dev.c:4784) 
[ 5848.108642][ C2] __dev_queue_xmit (net/core/dev.c:4785) 
[ 5848.108646][ C2] ? __lock_acquire (kernel/locking/lockdep.c:5237) 
[ 5848.108651][ C2] ? netdev_core_pick_tx (net/core/dev.c:4665) 
[ 5848.108654][ C2] ? ip6_finish_output (net/ipv6/ip6_output.c:209 net/ipv6/ip6_output.c:220) 
[ 5848.108659][ C2] ? neigh_hh_output (./include/linux/seqlock.h:74 ./include/linux/seqlock.h:836 ./include/net/neighbour.h:501) 
[ 5848.108662][ C2] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4472) 
[ 5848.108665][ C2] ? neigh_hh_output (./include/linux/seqlock.h:74 ./include/linux/seqlock.h:836 ./include/net/neighbour.h:501) 
[ 5848.108672][ C2] ip6_finish_output (net/ipv6/ip6_output.c:209 net/ipv6/ip6_output.c:220) 
[ 5848.108676][ C2] ip6_output (./include/linux/netfilter.h:307 net/ipv6/ip6_output.c:247) 
[ 5848.108680][ C2] ? ip6_finish_output (net/ipv6/ip6_output.c:228) 
[ 5848.108687][ C2] ip6_send_skb (net/ipv6/ip6_output.c:1994) 
[ 5848.108691][ C2] udp_v6_send_skb (net/ipv6/udp.c:1440) 
[ 5848.108694][ C2] ? jhash.constprop.0 (./include/linux/bitops.h:126 ./include/linux/jhash.h:101) 
[ 5848.108700][ C2] udpv6_sendmsg (net/ipv6/udp.c:1731) 
[ 5848.108702][ C2] ? find_held_lock (kernel/locking/lockdep.c:5350) 
[ 5848.108705][ C2] ? ip_select_ident_segs (net/ipv4/ip_output.c:934) 
[ 5848.108715][ C2] ? udpv6_splice_eof (net/ipv6/udp.c:1476) 
[ 5848.108720][ C2] ? rcu_read_lock_any_held (kernel/rcu/update.c:386 kernel/rcu/update.c:380) 
[ 5848.108723][ C2] ? validate_chain (kernel/locking/lockdep.c:3801 kernel/locking/lockdep.c:3821 kernel/locking/lockdep.c:3876) 
[ 5848.108732][ C2] ? __might_fault (mm/memory.c:6958 mm/memory.c:6952) 
[ 5848.108737][ C2] ? __lock_release (kernel/locking/lockdep.c:5536) 
[ 5848.108742][ C2] ? __sys_sendto (net/socket.c:714 net/socket.c:729 net/socket.c:2228) 
[ 5848.108747][ C2] __sys_sendto (net/socket.c:714 net/socket.c:729 net/socket.c:2228) 
[ 5848.108750][ C2] ? __ia32_sys_getpeername (net/socket.c:2195) 
[ 5848.108758][ C2] ? __sys_recvmsg_sock (net/socket.c:2894) 
[ 5848.108766][ C2] __x64_sys_sendto (net/socket.c:2231) 
[ 5848.108769][ C2] ? do_syscall_64 (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./include/linux/entry-common.h:124 arch/x86/entry/syscall_64.c:90) 
[ 5848.108772][ C2] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4472) 
[ 5848.108775][ C2] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) 
[ 5848.108778][ C2] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[ 5848.108782][    C2] RIP: 0033:0x7f4b1c57f28a
[ 5848.108786][ C2] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
All code
========
   0:	d8 64 89 02          	fsubs  0x2(%rcx,%rcx,4)
   4:	48 c7 c0 ff ff ff ff 	mov    $0xffffffffffffffff,%rax
   b:	eb b8                	jmp    0xffffffffffffffc5
   d:	0f 1f 00             	nopl   (%rax)
  10:	f3 0f 1e fa          	endbr64
  14:	41 89 ca             	mov    %ecx,%r10d
  17:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  1e:	00 
  1f:	85 c0                	test   %eax,%eax
  21:	75 15                	jne    0x38
  23:	b8 2c 00 00 00       	mov    $0x2c,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 7e                	ja     0xb0
  32:	c3                   	ret
  33:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  38:	41 54                	push   %r12
  3a:	48 83 ec 30          	sub    $0x30,%rsp
  3e:	44                   	rex.R
  3f:	89                   	.byte 0x89

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 7e                	ja     0x86
   8:	c3                   	ret
   9:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
   e:	41 54                	push   %r12
  10:	48 83 ec 30          	sub    $0x30,%rsp
  14:	44                   	rex.R
  15:	89                   	.byte 0x89
[ 5848.108788][    C2] RSP: 002b:00007ffd311bff28 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 5848.108792][    C2] RAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007f4b1c57f28a
[ 5848.108794][    C2] RDX: 000000000000000c RSI: 0000000000406752 RDI: 0000000000000005
[ 5848.108796][    C2] RBP: 0000000000000005 R08: 00007ffd311c04b0 R09: 000000000000001c
[ 5848.108798][    C2] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd311c04b0


Finger prints:
print_report:kasan_report:kasan_check_range:__udp_enqueue_schedule_skb:udpv6_queue_rcv_one_skb