[ 3628.352821][ C0] ==================================================================
[ 3628.353075][ C0] BUG: KASAN: slab-use-after-free in page_pool_put_unrefed_netmem+0x773/0x890
[ 3628.353324][ C0] Read of size 1 at addr ffff88801a6a4af4 by task kworker/0:0/32300
[ 3628.353545][ C0]
[ 3628.353625][ C0] CPU: 0 UID: 0 PID: 32300 Comm: kworker/0:0 Not tainted 6.14.0-virtme #1 PREEMPT(voluntary)
[ 3628.353629][ C0] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 3628.353631][ C0] Workqueue: mld mld_ifc_work
[ 3628.353637][ C0] Call Trace:
[ 3628.353639][ C0]
[ 3628.353641][ C0] dump_stack_lvl+0x82/0xd0
[ 3628.353648][ C0] print_address_description.constprop.0+0x2c/0x400
[ 3628.353653][ C0] ? page_pool_put_unrefed_netmem+0x773/0x890
[ 3628.353657][ C0] print_report+0xb4/0x270
[ 3628.353659][ C0] ? page_pool_put_unrefed_netmem+0x773/0x890
[ 3628.353662][ C0] ? kasan_addr_to_slab+0x25/0x80
[ 3628.353666][ C0] ? page_pool_put_unrefed_netmem+0x773/0x890
[ 3628.353669][ C0] kasan_report+0xca/0x100
[ 3628.353672][ C0] ? page_pool_put_unrefed_netmem+0x773/0x890
[ 3628.353677][ C0] page_pool_put_unrefed_netmem+0x773/0x890
[ 3628.353681][ C0] napi_pp_put_page+0xcd/0x270
[ 3628.353685][ C0] skb_release_data+0x39d/0x680
[ 3628.353690][ C0] napi_consume_skb+0xe1/0x180
[ 3628.353694][ C0] net_rx_action+0x3ac/0xcd0
[ 3628.353700][ C0] ? __pfx_net_rx_action+0x10/0x10
[ 3628.353705][ C0] ? __pfx_rcu_do_batch+0x10/0x10
[ 3628.353713][ C0] ? mark_held_locks+0x49/0x80
[ 3628.353719][ C0] handle_softirqs+0x1f6/0x5c0
[ 3628.353724][ C0] ? __dev_queue_xmit+0x7a8/0x18d0
[ 3628.353728][ C0] do_softirq+0x4d/0xa0
[ 3628.353731][ C0]
[ 3628.353732][ C0]
[ 3628.353733][ C0] __local_bh_enable_ip+0xf6/0x120
[ 3628.353737][ C0] ? __dev_queue_xmit+0x7a8/0x18d0
[ 3628.353739][ C0] __dev_queue_xmit+0x7bd/0x18d0
[ 3628.353742][ C0] ? __lock_acquire+0x591/0x9d0
[ 3628.353747][ C0] ? __pfx___dev_queue_xmit+0x10/0x10
[ 3628.353750][ C0] ? mark_held_locks+0x49/0x80
[ 3628.353754][ C0] ? neigh_hh_output+0x33a/0x520
[ 3628.353759][ C0] ? ip6_finish_output2+0x2f6/0x1050
[ 3628.353763][ C0] ip6_finish_output2+0x630/0x1050
[ 3628.353767][ C0] ip6_finish_output+0x56f/0xe40
[ 3628.353771][ C0] ip6_output+0x204/0x790
[ 3628.353775][ C0] ? __pfx_ip6_output+0x10/0x10
[ 3628.353778][ C0] ? __lock_acquire+0x591/0x9d0
[ 3628.353783][ C0] NF_HOOK.constprop.0+0xe1/0x680
[ 3628.353787][ C0] ? __pfx_NF_HOOK.constprop.0+0x10/0x10
[ 3628.353789][ C0] ? __pfx_xfrm_lookup_with_ifid+0x10/0x10
[ 3628.353794][ C0] ? mark_held_locks+0x49/0x80
[ 3628.353797][ C0] ? icmp6_dst_alloc+0x31b/0x4b0
[ 3628.353801][ C0] ? __local_bh_enable_ip+0xa6/0x120
[ 3628.353804][ C0] ? icmp6_dst_alloc+0x31b/0x4b0
[ 3628.353809][ C0] mld_sendpack+0x61d/0xbb0
[ 3628.353812][ C0] ? __pfx_mld_sendpack+0x10/0x10
[ 3628.353817][ C0] ? mld_send_cr+0x3a1/0x780
[ 3628.353821][ C0] mld_ifc_work+0x32/0x1f0
[ 3628.353824][ C0] process_one_work+0xe40/0x1690
[ 3628.353830][ C0] ? __pfx_process_one_work+0x10/0x10
[ 3628.353834][ C0] ? assign_work+0x16c/0x240
[ 3628.353838][ C0] worker_thread+0x58c/0xce0
[ 3628.353841][ C0] ? trace_irq_enable.constprop.0+0xd4/0x130
[ 3628.353848][ C0] ? __pfx_worker_thread+0x10/0x10
[ 3628.353851][ C0] kthread+0x358/0x5d0
[ 3628.353854][ C0] ? __pfx_kthread+0x10/0x10
[ 3628.353856][ C0] ? ret_from_fork+0x1b/0x70
[ 3628.353860][ C0] ? __lock_release+0x5d/0x170
[ 3628.353863][ C0] ? calculate_sigpending+0x44/0xa0
[ 3628.353867][ C0] ? __pfx_kthread+0x10/0x10
[ 3628.353870][ C0] ret_from_fork+0x31/0x70
[ 3628.353873][ C0] ? __pfx_kthread+0x10/0x10
[ 3628.353875][ C0] ret_from_fork_asm+0x1a/0x30
[ 3628.353882][ C0]
[ 3628.353883][ C0]
[ 3628.363143][ C0] Allocated by task 11135:
[ 3628.363290][ C0] kasan_save_stack+0x24/0x50
[ 3628.363439][ C0] kasan_save_track+0x14/0x30
[ 3628.363585][ C0] __kasan_kmalloc+0x7f/0x90
[ 3628.363729][ C0] __kvmalloc_node_noprof+0x221/0x590
[ 3628.363871][ C0] alloc_netdev_mqs+0x78/0x1310
[ 3628.364014][ C0] rtnl_create_link+0xab3/0xe40
[ 3628.364157][ C0] rtnl_newlink_create+0x203/0x8f0
[ 3628.364297][ C0] __rtnl_newlink+0x231/0xa40
[ 3628.364436][ C0] rtnl_newlink+0x69a/0xa60
[ 3628.364582][ C0] rtnetlink_rcv_msg+0x710/0xc00
[ 3628.364723][ C0] netlink_rcv_skb+0x12f/0x360
[ 3628.364870][ C0] netlink_unicast+0x449/0x710
[ 3628.365010][ C0] netlink_sendmsg+0x721/0xbe0
[ 3628.365152][ C0] ____sys_sendmsg+0x7aa/0xa10
[ 3628.365297][ C0] ___sys_sendmsg+0xed/0x170
[ 3628.365437][ C0] __sys_sendmsg+0x108/0x1a0
[ 3628.365576][ C0] do_syscall_64+0xc1/0x1d0
[ 3628.365717][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 3628.365892][ C0]
[ 3628.365969][ C0] Freed by task 68:
[ 3628.366076][ C0] kasan_save_stack+0x24/0x50
[ 3628.366222][ C0] kasan_save_track+0x14/0x30
[ 3628.366364][ C0] kasan_save_free_info+0x3b/0x60
[ 3628.366505][ C0] __kasan_slab_free+0x38/0x50
[ 3628.366644][ C0] kfree+0x144/0x320
[ 3628.366751][ C0] device_release+0x9c/0x210
[ 3628.366895][ C0] kobject_cleanup+0x101/0x360
[ 3628.367035][ C0] netdev_run_todo+0x5f3/0xc60
[ 3628.367180][ C0] default_device_exit_batch+0x245/0x2e0
[ 3628.367321][ C0] cleanup_net+0x4fd/0xaf0
[ 3628.367463][ C0] process_one_work+0xe40/0x1690
[ 3628.367603][ C0] worker_thread+0x58c/0xce0
[ 3628.367743][ C0] kthread+0x358/0x5d0
[ 3628.367850][ C0] ret_from_fork+0x31/0x70
[ 3628.367993][ C0] ret_from_fork_asm+0x1a/0x30
[ 3628.368134][ C0]
[ 3628.368210][ C0] The buggy address belongs to the object at ffff88801a6a4000
[ 3628.368210][ C0] which belongs to the cache kmalloc-4k of size 4096
[ 3628.368570][ C0] The buggy address is located 2804 bytes inside of
[ 3628.368570][ C0] freed 4096-byte region [ffff88801a6a4000, ffff88801a6a5000)
[ 3628.368919][ C0]
[ 3628.368989][ C0] The buggy address belongs to the physical page:
[ 3628.369168][ C0] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1a6a0
[ 3628.369419][ C0] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 3628.369630][ C0] flags: 0x80000000000040(head|node=0|zone=1)
[ 3628.369810][ C0] page_type: f5(slab)
[ 3628.369921][ C0] raw: 0080000000000040 ffff8880010433c0 ffffea00007a6210 ffffea00007a6e10
[ 3628.370175][ C0] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 3628.370423][ C0] head: 0080000000000040 ffff8880010433c0 ffffea00007a6210 ffffea00007a6e10
[ 3628.370677][ C0] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 3628.370929][ C0] head: 0080000000000003 ffffea000069a801 ffffffffffffffff 0000000000000000
[ 3628.371268][ C0] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 3628.371520][ C0] page dumped because: kasan: bad access detected
[ 3628.371692][ C0]
[ 3628.371840][ C0] Memory state around the buggy address:
[ 3628.371977][ C0] ffff88801a6a4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3628.372183][ C0] ffff88801a6a4a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3628.372467][ C0] >ffff88801a6a4a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3628.372671][ C0]                                                              ^
[ 3628.372873][ C0] ffff88801a6a4b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3628.373151][ C0] ffff88801a6a4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3628.373356][ C0] ==================================================================
[ 3628.373576][ C0] Disabling lock debugging due to kernel taint