[ 355.846278][ C2] ==================================================================
[ 355.846614][ C2] BUG: KASAN: slab-use-after-free in page_pool_put_unrefed_netmem+0x773/0x890
[ 355.846896][ C2] Read of size 1 at addr ffff8880097a9af4 by task kworker/2:1/55
[ 355.847137][ C2]
[ 355.847221][ C2] CPU: 2 UID: 0 PID: 55 Comm: kworker/2:1 Not tainted 6.14.0-virtme #1 PREEMPT(voluntary)
[ 355.847227][ C2] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 355.847230][ C2] Workqueue: mld mld_ifc_work
[ 355.847237][ C2] Call Trace:
[ 355.847240][ C2] <IRQ>
[ 355.847242][ C2] dump_stack_lvl+0x82/0xd0
[ 355.847251][ C2] print_address_description.constprop.0+0x2c/0x400
[ 355.847258][ C2] ? page_pool_put_unrefed_netmem+0x773/0x890
[ 355.847261][ C2] print_report+0xb4/0x270
[ 355.847263][ C2] ? page_pool_put_unrefed_netmem+0x773/0x890
[ 355.847267][ C2] ? kasan_addr_to_slab+0x25/0x80
[ 355.847272][ C2] ? page_pool_put_unrefed_netmem+0x773/0x890
[ 355.847275][ C2] kasan_report+0xca/0x100
[ 355.847278][ C2] ? page_pool_put_unrefed_netmem+0x773/0x890
[ 355.847282][ C2] page_pool_put_unrefed_netmem+0x773/0x890
[ 355.847285][ C2] ? __lock_acquire+0x591/0x9d0
[ 355.847292][ C2] napi_pp_put_page+0xcd/0x270
[ 355.847297][ C2] skb_free_head+0xf8/0x180
[ 355.847300][ C2] skb_release_data+0x420/0x680
[ 355.847303][ C2] ? __lock_release+0x5d/0x170
[ 355.847307][ C2] napi_consume_skb+0xe1/0x180
[ 355.847311][ C2] net_rx_action+0x3ac/0xcd0
[ 355.847319][ C2] ? __pfx_net_rx_action+0x10/0x10
[ 355.847322][ C2] ? lockdep_rcu_suspicious+0x124/0x1c0
[ 355.847326][ C2] ? tmigr_handle_remote+0x154/0x300
[ 355.847332][ C2] ? __pfx_tmigr_handle_remote+0x10/0x10
[ 355.847336][ C2] ? run_timer_softirq+0x24/0x1c0
[ 355.847343][ C2] ? mark_held_locks+0x49/0x80
[ 355.847346][ C2] handle_softirqs+0x1f6/0x5c0
[ 355.847354][ C2] ? __dev_queue_xmit+0x7a8/0x18d0
[ 355.847357][ C2] do_softirq+0x4d/0xa0
[ 355.847360][ C2] </IRQ>
[ 355.847361][ C2] <TASK>
[ 355.847363][ C2] __local_bh_enable_ip+0xf6/0x120
[ 355.847367][ C2] ? __dev_queue_xmit+0x7a8/0x18d0
[ 355.847369][ C2] __dev_queue_xmit+0x7bd/0x18d0
[ 355.847372][ C2] ? __lock_acquire+0x591/0x9d0
[ 355.847377][ C2] ? __pfx___dev_queue_xmit+0x10/0x10
[ 355.847380][ C2] ? mark_held_locks+0x49/0x80
[ 355.847384][ C2] ? neigh_hh_output+0x33a/0x520
[ 355.847390][ C2] ? ip6_finish_output2+0x2f6/0x1050
[ 355.847394][ C2] ip6_finish_output2+0x630/0x1050
[ 355.847398][ C2] ip6_finish_output+0x56f/0xe40
[ 355.847402][ C2] ip6_output+0x204/0x790
[ 355.847406][ C2] ? __pfx_ip6_output+0x10/0x10
[ 355.847409][ C2] ? __lock_acquire+0x591/0x9d0
[ 355.847415][ C2] NF_HOOK.constprop.0+0xe1/0x680
[ 355.847418][ C2] ? __pfx_NF_HOOK.constprop.0+0x10/0x10
[ 355.847421][ C2] ? __pfx_xfrm_lookup_with_ifid+0x10/0x10
[ 355.847427][ C2] ? mark_held_locks+0x49/0x80
[ 355.847430][ C2] ? icmp6_dst_alloc+0x31b/0x4b0
[ 355.847436][ C2] ? __local_bh_enable_ip+0xa6/0x120
[ 355.847440][ C2] ? icmp6_dst_alloc+0x31b/0x4b0
[ 355.847444][ C2] mld_sendpack+0x61d/0xbb0
[ 355.847448][ C2] ? __pfx_mld_sendpack+0x10/0x10
[ 355.847452][ C2] ? mld_send_cr+0x3a1/0x780
[ 355.847456][ C2] mld_ifc_work+0x32/0x1f0
[ 355.847459][ C2] process_one_work+0xe40/0x1690
[ 355.847466][ C2] ? __pfx_process_one_work+0x10/0x10
[ 355.847470][ C2] ? assign_work+0x16c/0x240
[ 355.847474][ C2] worker_thread+0x58c/0xce0
[ 355.847476][ C2] ? trace_irq_enable.constprop.0+0xd4/0x130
[ 355.847484][ C2] ? __pfx_worker_thread+0x10/0x10
[ 355.847487][ C2] kthread+0x358/0x5d0
[ 355.847491][ C2] ? __pfx_kthread+0x10/0x10
[ 355.847493][ C2] ? ret_from_fork+0x1b/0x70
[ 355.847498][ C2] ? __lock_release+0x5d/0x170
[ 355.847500][ C2] ? calculate_sigpending+0x44/0xa0
[ 355.847504][ C2] ? __pfx_kthread+0x10/0x10
[ 355.847507][ C2] ret_from_fork+0x31/0x70
[ 355.847510][ C2] ? __pfx_kthread+0x10/0x10
[ 355.847512][ C2] ret_from_fork_asm+0x1a/0x30
[ 355.847520][ C2] </TASK>
[ 355.847521][ C2]
[ 355.858968][ C2] Allocated by task 5693:
[ 355.859090][ C2] kasan_save_stack+0x24/0x50
[ 355.859354][ C2] kasan_save_track+0x14/0x30
[ 355.859591][ C2] __kasan_kmalloc+0x7f/0x90
[ 355.859751][ C2] __kvmalloc_node_noprof+0x221/0x590
[ 355.859912][ C2] alloc_netdev_mqs+0x78/0x1310
[ 355.860070][ C2] rtnl_create_link+0xab3/0xe40
[ 355.860233][ C2] rtnl_newlink_create+0x203/0x8f0
[ 355.860389][ C2] __rtnl_newlink+0x231/0xa40
[ 355.860566][ C2] rtnl_newlink+0x69a/0xa60
[ 355.860727][ C2] rtnetlink_rcv_msg+0x710/0xc00
[ 355.860891][ C2] netlink_rcv_skb+0x12f/0x360
[ 355.861054][ C2] netlink_unicast+0x449/0x710
[ 355.861217][ C2] netlink_sendmsg+0x721/0xbe0
[ 355.861372][ C2] ____sys_sendmsg+0x7aa/0xa10
[ 355.861538][ C2] ___sys_sendmsg+0xed/0x170
[ 355.861695][ C2] __sys_sendmsg+0x108/0x1a0
[ 355.861856][ C2] do_syscall_64+0xc1/0x1d0
[ 355.862014][ C2] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 355.862238][ C2]
[ 355.862320][ C2] Freed by task 12:
[ 355.862441][ C2] kasan_save_stack+0x24/0x50
[ 355.862601][ C2] kasan_save_track+0x14/0x30
[ 355.862764][ C2] kasan_save_free_info+0x3b/0x60
[ 355.862930][ C2] __kasan_slab_free+0x38/0x50
[ 355.863085][ C2] kfree+0x144/0x320
[ 355.863205][ C2] device_release+0x9c/0x210
[ 355.863365][ C2] kobject_cleanup+0x101/0x360
[ 355.863523][ C2] netdev_run_todo+0x5f3/0xc60
[ 355.863765][ C2] default_device_exit_batch+0x245/0x2e0
[ 355.863922][ C2] cleanup_net+0x4fd/0xaf0
[ 355.864086][ C2] process_one_work+0xe40/0x1690
[ 355.864244][ C2] worker_thread+0x58c/0xce0
[ 355.864400][ C2] kthread+0x358/0x5d0
[ 355.864519][ C2] ret_from_fork+0x31/0x70
[ 355.864675][ C2] ret_from_fork_asm+0x1a/0x30
[ 355.864832][ C2]
[ 355.864916][ C2] The buggy address belongs to the object at ffff8880097a9000
[ 355.864916][ C2] which belongs to the cache kmalloc-4k of size 4096
[ 355.865301][ C2] The buggy address is located 2804 bytes inside of
[ 355.865301][ C2] freed 4096-byte region [ffff8880097a9000, ffff8880097aa000)
[ 355.865676][ C2]
[ 355.865759][ C2] The buggy address belongs to the physical page:
[ 355.865951][ C2] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x97a8
[ 355.866321][ C2] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 355.866564][ C2] flags: 0x80000000000040(head|node=0|zone=1)
[ 355.866756][ C2] page_type: f5(slab)
[ 355.866876][ C2] raw: 0080000000000040 ffff8880010433c0 ffffea0000316a10 ffffea00002ad410
[ 355.867162][ C2] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 355.867528][ C2] head: 0080000000000040 ffff8880010433c0 ffffea0000316a10 ffffea00002ad410
[ 355.867807][ C2] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 355.868089][ C2] head: 0080000000000003 ffffea000025ea01 ffffffffffffffff 0000000000000000
[ 355.868456][ C2] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 355.868738][ C2] page dumped because: kasan: bad access detected
[ 355.869032][ C2]
[ 355.869114][ C2] Memory state around the buggy address:
[ 355.869272][ C2] ffff8880097a9980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 355.869504][ C2] ffff8880097a9a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 355.869746][ C2] >ffff8880097a9a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 355.869986][ C2] ^
[ 355.870206][ C2] ffff8880097a9b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 355.870436][ C2] ffff8880097a9b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 355.870752][ C2] ==================================================================
[ 355.871151][ C2] Disabling lock debugging due to kernel taint