======================================
| [   35.900767][   T38] ==================================================================
| [   35.901153][   T38] BUG: KASAN: null-ptr-deref in try_to_grab_pending (./arch/x86/include/asm/bitops.h:136 ./include/asm-generic/bitops/instrumented-atomic.h:72 kernel/workqueue.c:2072)
| [   35.901507][   T38] Write of size 8 at addr 0000000000000000 by task kworker/u20:0/38
| [   35.901791][   T38]
[   35.901926][   T38] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   35.901929][   T38] Workqueue: l2tp l2tp_session_del_work [l2tp_core]
[   35.901955][   T38] Call Trace:
[   35.901961][   T38]  <TASK>
[   35.901963][   T38]  dump_stack_lvl (lib/dump_stack.c:123)
[   35.901983][   T38]  ? try_to_grab_pending (./arch/x86/include/asm/bitops.h:136 ./include/asm-generic/bitops/instrumented-atomic.h:72 kernel/workqueue.c:2072)
[   35.901989][   T38]  kasan_report (mm/kasan/report.c:597)
[   35.902005][   T38]  ? try_to_grab_pending (./arch/x86/include/asm/bitops.h:136 ./include/asm-generic/bitops/instrumented-atomic.h:72 kernel/workqueue.c:2072)
[   35.902011][   T38]  kasan_check_range (mm/kasan/generic.c:194 mm/kasan/generic.c:200)
[   35.902015][   T38]  try_to_grab_pending (./arch/x86/include/asm/bitops.h:136 ./include/asm-generic/bitops/instrumented-atomic.h:72 kernel/workqueue.c:2072)
[   35.902020][   T38]  __cancel_work (kernel/workqueue.c:2161 kernel/workqueue.c:4364)
[   35.902023][   T38]  ? enable_delayed_work (kernel/workqueue.c:4359)
[   35.902028][   T38]  ? qdisc_destroy (net/sched/sch_generic.c:1355)
[   35.902041][   T38]  __cancel_work_sync (kernel/workqueue.c:4383)
[   35.902045][   T38]  __dev_close_many (net/core/dev.c:1879 (discriminator 2) net/core/dev.c:1932 (discriminator 2))
[   35.902057][   T38]  ? netdev_notify_peers (net/core/dev.c:1891)
[   35.902061][   T38]  ? netif_close_many (net/core/dev.c:1959)
[   35.902065][   T38]  netif_close_many (net/core/dev.c:1959)
[   35.902069][   T38]  ? __dev_close_many (net/core/dev.c:1949)
[   35.902073][   T38]  ? netif_close_many_and_unlock (net/core/dev.c:12476)
[   35.902077][   T38]  unregister_netdevice_many_notify (net/core/dev.c:12545)
[   35.902081][   T38]  ? __mutex_handoff (kernel/locking/mutex.c:88)
[   35.902092][   T38]  ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751)
[   35.902102][   T38]  ? dev_ingress_queue_create (net/core/dev.c:12499)
[   35.902105][   T38]  ? __mutex_lock (./arch/x86/include/asm/preempt.h:104 kernel/locking/mutex.c:739 kernel/locking/mutex.c:760)
[   35.902126][   T38]  ? l2tp_eth_delete (net/l2tp/l2tp_eth.c:154 net/l2tp/l2tp_eth.c:145) l2tp_eth
[   35.902133][   T38]  ? ww_mutex_lock (kernel/locking/mutex.c:759)
[   35.902138][   T38]  unregister_netdevice_queue (net/core/dev.c:12452)
[   35.902142][   T38]  ? unregister_netdevice_many (net/core/dev.c:12441)
[   35.902149][   T38] l2tp_eth_delete (net/l2tp/l2tp_eth.c:157 net/l2tp/l2tp_eth.c:145) l2tp_eth
[   35.902152][   T38] l2tp_session_del_work (net/l2tp/l2tp_core.c:1748) l2tp_core
[   35.902161][   T38]  ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751)
[   35.902165][   T38]  process_one_work (kernel/workqueue.c:3268)
[   35.902172][   T38]  ? pwq_dec_nr_in_flight (kernel/workqueue.c:3165)
[   35.902178][   T38]  ? assign_work (kernel/workqueue.c:1206)
[   35.902183][   T38]  worker_thread (kernel/workqueue.c:3340 kernel/workqueue.c:3427)
[   35.902189][   T38]  ? rescuer_thread (kernel/workqueue.c:3373)
[   35.902192][   T38]  kthread (kernel/kthread.c:463)
[   35.902201][   T38]  ? kthread_is_per_cpu (kernel/kthread.c:412)
[   35.902204][   T38]  ? ret_from_fork (arch/x86/kernel/process.c:157)
[   35.902217][   T38]  ? __lock_release (kernel/locking/lockdep.c:5536)
[   35.902221][   T38]  ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751)
[   35.902225][   T38]  ? kthread_is_per_cpu (kernel/kthread.c:412)
[   35.902228][   T38]  ret_from_fork (arch/x86/kernel/process.c:164)
[   35.902231][   T38]  ? kthread_is_per_cpu (kernel/kthread.c:412)
[   35.902234][   T38]  ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
| [   35.911940][   T38] #PF: error_code(0x0002) - not-present page
| [   35.912154][   T38] PGD 0 P4D 0
| [   35.912296][   T38] Oops: Oops: 0002 [#1] SMP KASAN
| [   35.912928][   T38] Tainted: [B]=BAD_PAGE
[   35.913071][   T38] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   35.913291][   T38] Workqueue: l2tp l2tp_session_del_work [l2tp_core]
[   35.913571][   T38] RIP: 0010:try_to_grab_pending (./arch/x86/include/asm/bitops.h:136 ./include/asm-generic/bitops/instrumented-atomic.h:72 kernel/workqueue.c:2072)
[   35.913796][   T38] Code: 00 41 89 c0 b8 01 00 00 00 45 85 c0 74 0f 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 be 08 00 00 00 48 89 df e8 1f 93 82 00 <f0> 48 0f ba 2b 00 72 11 48 83 c4 10 31 c0 5b 5d 41 5c 41 5d 41 5e
All code
========
   0:	00 41 89             	add    %al,-0x77(%rcx)
   3:	c0 b8 01 00 00 00 45 	sarb   $0x45,0x1(%rax)
   a:	85 c0                	test   %eax,%eax
   c:	74 0f                	je     0x1d
   e:	48 83 c4 10          	add    $0x10,%rsp
  12:	5b                   	pop    %rbx
  13:	5d                   	pop    %rbp
  14:	41 5c                	pop    %r12
  16:	41 5d                	pop    %r13
  18:	41 5e                	pop    %r14
  1a:	41 5f                	pop    %r15
  1c:	c3                   	ret
  1d:	be 08 00 00 00       	mov    $0x8,%esi
  22:	48 89 df             	mov    %rbx,%rdi
  25:	e8 1f 93 82 00       	call   0x829349
  2a:*	f0 48 0f ba 2b 00    	lock btsq $0x0,(%rbx)		<-- trapping instruction
  30:	72 11                	jb     0x43
  32:	48 83 c4 10          	add    $0x10,%rsp
  36:	31 c0                	xor    %eax,%eax
  38:	5b                   	pop    %rbx
  39:	5d                   	pop    %rbp
  3a:	41 5c                	pop    %r12
  3c:	41 5d                	pop    %r13
  3e:	41 5e                	pop    %r14

Code starting with the faulting instruction
===========================================
   0:	f0 48 0f ba 2b 00    	lock btsq $0x0,(%rbx)
   6:	72 11                	jb     0x19
   8:	48 83 c4 10          	add    $0x10,%rsp
   c:	31 c0                	xor    %eax,%eax
   e:	5b                   	pop    %rbx
   f:	5d                   	pop    %rbp
  10:	41 5c                	pop    %r12
  12:	41 5d                	pop    %r13
  14:	41 5e                	pop    %r14
[   35.914423][   T38] RSP: 0018:ffffc900002af790 EFLAGS: 00010046
[   35.914655][   T38] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff94649b8a
[   35.914913][   T38] RDX: fffffbfff326cacd RSI: 0000000000000008 RDI: ffffffff99365660
[   35.915177][   T38] RBP: ffffc900002af7f8 R08: 0000000000000001 R09: fffffbfff326cacc
[   35.915441][   T38] R10: ffffffff99365667 R11: ffffc900002af280 R12: 0000000000000000
[   35.915715][   T38] R13: 0000000000000286 R14: ffff888004a24000 R15: dffffc0000000000
[   35.915978][   T38] FS:  0000000000000000(0000) GS:ffff8880d3e87000(0000) knlGS:0000000000000000
[   35.916285][   T38] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   35.916515][   T38] CR2: 0000000000000000 CR3: 000000000e42d004 CR4: 0000000000772ef0
[   35.916789][   T38] PKRU: 55555554
[   35.916921][   T38] Call Trace:
[   35.917057][   T38]  <TASK>
[   35.917158][   T38]  __cancel_work (kernel/workqueue.c:2161 kernel/workqueue.c:4364)
[   35.917337][   T38]  ? enable_delayed_work (kernel/workqueue.c:4359)
[   35.917518][   T38]  ? qdisc_destroy (net/sched/sch_generic.c:1355)
[   35.917700][   T38]  __cancel_work_sync (kernel/workqueue.c:4383)
[   35.917978][   T38]  __dev_close_many (net/core/dev.c:1879 (discriminator 2) net/core/dev.c:1932 (discriminator 2))
[   35.918157][   T38]  ? netdev_notify_peers (net/core/dev.c:1891)
[   35.918326][   T38]  ? netif_close_many (net/core/dev.c:1959)
[   35.918501][   T38]  netif_close_many (net/core/dev.c:1959)
[   35.918776][   T38]  ? __dev_close_many (net/core/dev.c:1949)
[   35.918944][   T38]  ? netif_close_many_and_unlock (net/core/dev.c:12476)
[   35.919157][   T38]  unregister_netdevice_many_notify (net/core/dev.c:12545)
[   35.919468][   T38]  ? __mutex_handoff (kernel/locking/mutex.c:88)
[   35.919657][   T38]  ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751)
[   35.919829][   T38]  ? dev_ingress_queue_create (net/core/dev.c:12499)
[   35.920002][   T38]  ? __mutex_lock (./arch/x86/include/asm/preempt.h:104 kernel/locking/mutex.c:739 kernel/locking/mutex.c:760)
[   35.920283][   T38]  ? l2tp_eth_delete (net/l2tp/l2tp_eth.c:154 net/l2tp/l2tp_eth.c:145) l2tp_eth
[   35.920460][   T38]  ? ww_mutex_lock (kernel/locking/mutex.c:759)
[   35.920639][   T38]  unregister_netdevice_queue (net/core/dev.c:12452)
[   35.920831][   T38]  ? unregister_netdevice_many (net/core/dev.c:12441)
[   35.921116][   T38] l2tp_eth_delete (net/l2tp/l2tp_eth.c:157 net/l2tp/l2tp_eth.c:145) l2tp_eth
[   35.921289][   T38] l2tp_session_del_work (net/l2tp/l2tp_core.c:1748) l2tp_core
[   35.921511][   T38]  ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751)
[   35.921689][   T38]  process_one_work (kernel/workqueue.c:3268)
[   35.921979][   T38]  ? pwq_dec_nr_in_flight (kernel/workqueue.c:3165)
[   35.922155][   T38]  ? assign_work (kernel/workqueue.c:1206)
[   35.922325][   T38]  worker_thread (kernel/workqueue.c:3340 kernel/workqueue.c:3427)
[   35.922500][   T38]  ? rescuer_thread (kernel/workqueue.c:3373)
[   35.922785][   T38]  kthread (kernel/kthread.c:463)
[   35.922918][   T38]  ? kthread_is_per_cpu (kernel/kthread.c:412)
[   35.923093][   T38]  ? ret_from_fork (arch/x86/kernel/process.c:157)
[   35.923267][   T38]  ? __lock_release (kernel/locking/lockdep.c:5536)
[   35.923553][   T38]  ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751)
[   35.923731][   T38]  ? kthread_is_per_cpu (kernel/kthread.c:412)
[   35.923902][   T38]  ret_from_fork (arch/x86/kernel/process.c:164)
[   35.924073][   T38]  ? kthread_is_per_cpu (kernel/kthread.c:412)


Finger prints:
kasan_report:kasan_check_range:try_to_grab_pending:__cancel_work:__cancel_work_sync
try_to_grab_pending:__cancel_work:__cancel_work_sync:__dev_close_many:netif_close_many