[ 185.212858][ C0] ==================================================================
[ 185.213115][ C0] BUG: KASAN: slab-use-after-free in page_pool_put_unrefed_netmem+0x773/0x890
[ 185.213367][ C0] Read of size 1 at addr ffff88800c221af4 by task kworker/0:2/984
[ 185.213578][ C0]
[ 185.213647][ C0] CPU: 0 UID: 0 PID: 984 Comm: kworker/0:2 Not tainted 6.14.0-virtme #1 PREEMPT(voluntary)
[ 185.213652][ C0] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 185.213654][ C0] Workqueue: mld mld_ifc_work
[ 185.213660][ C0] Call Trace:
[ 185.213662][ C0]
[ 185.213664][ C0] dump_stack_lvl+0x82/0xd0
[ 185.213671][ C0] print_address_description.constprop.0+0x2c/0x400
[ 185.213676][ C0] ? page_pool_put_unrefed_netmem+0x773/0x890
[ 185.213680][ C0] print_report+0xb4/0x270
[ 185.213682][ C0] ? page_pool_put_unrefed_netmem+0x773/0x890
[ 185.213685][ C0] ? kasan_addr_to_slab+0x25/0x80
[ 185.213689][ C0] ? page_pool_put_unrefed_netmem+0x773/0x890
[ 185.213692][ C0] kasan_report+0xca/0x100
[ 185.213695][ C0] ? page_pool_put_unrefed_netmem+0x773/0x890
[ 185.213700][ C0] page_pool_put_unrefed_netmem+0x773/0x890
[ 185.213706][ C0] ? __lock_acquire+0x591/0x9d0
[ 185.213712][ C0] napi_pp_put_page+0xcd/0x270
[ 185.213716][ C0] skb_free_head+0xf8/0x180
[ 185.213718][ C0] skb_release_data+0x420/0x680
[ 185.213722][ C0] ? __lock_release+0x5d/0x170
[ 185.213726][ C0] napi_consume_skb+0xe1/0x180
[ 185.213730][ C0] net_rx_action+0x3ac/0xcd0
[ 185.213736][ C0] ? __pfx_net_rx_action+0x10/0x10
[ 185.213739][ C0] ? lockdep_rcu_suspicious+0x124/0x1c0
[ 185.213742][ C0] ? tmigr_handle_remote+0x154/0x300
[ 185.213748][ C0] ? __pfx_tmigr_handle_remote+0x10/0x10
[ 185.213752][ C0] ? run_timer_softirq+0x21/0x1c0
[ 185.213758][ C0] ? mark_held_locks+0x49/0x80
[ 185.213761][ C0] handle_softirqs+0x1f6/0x5c0
[ 185.213766][ C0] ? __dev_queue_xmit+0x7a8/0x18d0
[ 185.213770][ C0] do_softirq+0x4d/0xa0
[ 185.213773][ C0]
[ 185.213774][ C0]
[ 185.213775][ C0] __local_bh_enable_ip+0xf6/0x120
[ 185.213779][ C0] ? __dev_queue_xmit+0x7a8/0x18d0
[ 185.213781][ C0] __dev_queue_xmit+0x7bd/0x18d0
[ 185.213784][ C0] ? __lock_acquire+0x591/0x9d0
[ 185.213788][ C0] ? __pfx___dev_queue_xmit+0x10/0x10
[ 185.213792][ C0] ? mark_held_locks+0x49/0x80
[ 185.213795][ C0] ? neigh_hh_output+0x33a/0x520
[ 185.213799][ C0] ? ip6_finish_output2+0x2f6/0x1050
[ 185.213803][ C0] ip6_finish_output2+0x630/0x1050
[ 185.213808][ C0] ip6_finish_output+0x56f/0xe40
[ 185.213812][ C0] ip6_output+0x204/0x790
[ 185.213815][ C0] ? __pfx_ip6_output+0x10/0x10
[ 185.213818][ C0] ? __lock_acquire+0x591/0x9d0
[ 185.213823][ C0] NF_HOOK.constprop.0+0xe1/0x680
[ 185.213827][ C0] ? __pfx_NF_HOOK.constprop.0+0x10/0x10
[ 185.213829][ C0] ? __pfx_xfrm_lookup_with_ifid+0x10/0x10
[ 185.213834][ C0] ? mark_held_locks+0x49/0x80
[ 185.213837][ C0] ? icmp6_dst_alloc+0x31b/0x4b0
[ 185.213842][ C0] ? __local_bh_enable_ip+0xa6/0x120
[ 185.213845][ C0] ? icmp6_dst_alloc+0x31b/0x4b0
[ 185.213849][ C0] mld_sendpack+0x61d/0xbb0
[ 185.213853][ C0] ? __pfx_mld_sendpack+0x10/0x10
[ 185.213858][ C0] ? mld_send_cr+0x3a1/0x780
[ 185.213861][ C0] mld_ifc_work+0x32/0x1f0
[ 185.213864][ C0] process_one_work+0xe40/0x1690
[ 185.213870][ C0] ? __pfx_process_one_work+0x10/0x10
[ 185.213875][ C0] ? assign_work+0x16c/0x240
[ 185.213878][ C0] worker_thread+0x58c/0xce0
[ 185.213881][ C0] ? trace_irq_enable.constprop.0+0xd4/0x130
[ 185.213887][ C0] ? __pfx_worker_thread+0x10/0x10
[ 185.213891][ C0] kthread+0x358/0x5d0
[ 185.213894][ C0] ? __pfx_kthread+0x10/0x10
[ 185.213897][ C0] ? ret_from_fork+0x1b/0x70
[ 185.213901][ C0] ? __lock_release+0x5d/0x170
[ 185.213903][ C0] ? calculate_sigpending+0x44/0xa0
[ 185.213907][ C0] ? __pfx_kthread+0x10/0x10
[ 185.213909][ C0] ret_from_fork+0x31/0x70
[ 185.213912][ C0] ? __pfx_kthread+0x10/0x10
[ 185.213915][ C0] ret_from_fork_asm+0x1a/0x30
[ 185.213922][ C0]
[ 185.213923][ C0]
[ 185.223943][ C0] Allocated by task 3966:
[ 185.224050][ C0] kasan_save_stack+0x24/0x50
[ 185.224197][ C0] kasan_save_track+0x14/0x30
[ 185.224341][ C0] __kasan_kmalloc+0x7f/0x90
[ 185.224481][ C0] __kvmalloc_node_noprof+0x221/0x590
[ 185.224626][ C0] alloc_netdev_mqs+0x78/0x1310
[ 185.224767][ C0] rtnl_create_link+0xab3/0xe40
[ 185.224908][ C0] rtnl_newlink_create+0x203/0x8f0
[ 185.225051][ C0] __rtnl_newlink+0x231/0xa40
[ 185.225198][ C0] rtnl_newlink+0x69a/0xa60
[ 185.225338][ C0] rtnetlink_rcv_msg+0x710/0xc00
[ 185.225477][ C0] netlink_rcv_skb+0x12f/0x360
[ 185.225618][ C0] netlink_unicast+0x449/0x710
[ 185.225760][ C0] netlink_sendmsg+0x721/0xbe0
[ 185.225899][ C0] ____sys_sendmsg+0x7aa/0xa10
[ 185.226040][ C0] ___sys_sendmsg+0xed/0x170
[ 185.226185][ C0] __sys_sendmsg+0x108/0x1a0
[ 185.226326][ C0] do_syscall_64+0xc1/0x1d0
[ 185.226466][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 185.226641][ C0]
[ 185.226712][ C0] Freed by task 12:
[ 185.226818][ C0] kasan_save_stack+0x24/0x50
[ 185.226960][ C0] kasan_save_track+0x14/0x30
[ 185.227100][ C0] kasan_save_free_info+0x3b/0x60
[ 185.227244][ C0] __kasan_slab_free+0x38/0x50
[ 185.227386][ C0] kfree+0x144/0x320
[ 185.227494][ C0] device_release+0x9c/0x210
[ 185.227635][ C0] kobject_cleanup+0x101/0x360
[ 185.227776][ C0] netdev_run_todo+0x5f3/0xc60
[ 185.227918][ C0] default_device_exit_batch+0x245/0x2e0
[ 185.228060][ C0] cleanup_net+0x4fd/0xaf0
[ 185.228202][ C0] process_one_work+0xe40/0x1690
[ 185.228346][ C0] worker_thread+0x58c/0xce0
[ 185.228487][ C0] kthread+0x358/0x5d0
[ 185.228595][ C0] ret_from_fork+0x31/0x70
[ 185.228736][ C0] ret_from_fork_asm+0x1a/0x30
[ 185.228877][ C0]
[ 185.229029][ C0] The buggy address belongs to the object at ffff88800c221000
[ 185.229029][ C0] which belongs to the cache kmalloc-4k of size 4096
[ 185.229366][ C0] The buggy address is located 2804 bytes inside of
[ 185.229366][ C0] freed 4096-byte region [ffff88800c221000, ffff88800c222000)
[ 185.229783][ C0]
[ 185.229857][ C0] The buggy address belongs to the physical page:
[ 185.230031][ C0] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc220
[ 185.230361][ C0] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 185.230577][ C0] flags: 0x80000000000040(head|node=0|zone=1)
[ 185.230765][ C0] page_type: f5(slab)
[ 185.230958][ C0] raw: 0080000000000040 ffff8880010433c0 ffffea0000903210 ffffea0000870010
[ 185.231207][ C0] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 185.231451][ C0] head: 0080000000000040 ffff8880010433c0 ffffea0000903210 ffffea0000870010
[ 185.231788][ C0] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 185.232036][ C0] head: 0080000000000003 ffffea0000308801 ffffffffffffffff 0000000000000000
[ 185.232368][ C0] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 185.232613][ C0] page dumped because: kasan: bad access detected
[ 185.232788][ C0]
[ 185.232939][ C0] Memory state around the buggy address:
[ 185.233087][ C0] ffff88800c221980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 185.233295][ C0] ffff88800c221a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 185.233576][ C0] >ffff88800c221a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 185.233782][ C0] ^
[ 185.233984][ C0] ffff88800c221b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 185.234273][ C0] ffff88800c221b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 185.234475][ C0] ==================================================================
[ 185.234776][ C0] Disabling lock debugging due to kernel taint