[ 3807.708454][ C2] ==================================================================
[ 3807.709152][ C2] BUG: KASAN: slab-use-after-free in page_pool_put_unrefed_netmem+0x773/0x890
[ 3807.709814][ C2] Read of size 1 at addr ffff888012d8caf4 by task kworker/2:1/26699
[ 3807.710388][ C2]
[ 3807.710579][ C2] CPU: 2 UID: 0 PID: 26699 Comm: kworker/2:1 Not tainted 6.14.0-virtme #1 PREEMPT(voluntary)
[ 3807.710584][ C2] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 3807.710587][ C2] Workqueue: mld mld_ifc_work
[ 3807.710595][ C2] Call Trace:
[ 3807.710597][ C2]
[ 3807.710600][ C2]  dump_stack_lvl+0x82/0xd0
[ 3807.710609][ C2]  print_address_description.constprop.0+0x2c/0x400
[ 3807.710615][ C2]  ? page_pool_put_unrefed_netmem+0x773/0x890
[ 3807.710619][ C2]  print_report+0xb4/0x270
[ 3807.710621][ C2]  ? page_pool_put_unrefed_netmem+0x773/0x890
[ 3807.710624][ C2]  ? kasan_addr_to_slab+0x25/0x80
[ 3807.710629][ C2]  ? page_pool_put_unrefed_netmem+0x773/0x890
[ 3807.710632][ C2]  kasan_report+0xca/0x100
[ 3807.710635][ C2]  ? page_pool_put_unrefed_netmem+0x773/0x890
[ 3807.710640][ C2]  page_pool_put_unrefed_netmem+0x773/0x890
[ 3807.710644][ C2]  napi_pp_put_page+0xcd/0x270
[ 3807.710649][ C2]  skb_release_data+0x39d/0x680
[ 3807.710654][ C2]  napi_consume_skb+0xe1/0x180
[ 3807.710658][ C2]  net_rx_action+0x3ac/0xcd0
[ 3807.710665][ C2]  ? __pfx_net_rx_action+0x10/0x10
[ 3807.710667][ C2]  ? lockdep_rcu_suspicious+0x124/0x1c0
[ 3807.710673][ C2]  ? tmigr_handle_remote+0x154/0x300
[ 3807.710680][ C2]  ? __pfx_tmigr_handle_remote+0x10/0x10
[ 3807.710684][ C2]  ? run_timer_softirq+0x24/0x1c0
[ 3807.710690][ C2]  ? mark_held_locks+0x49/0x80
[ 3807.710694][ C2]  handle_softirqs+0x1f6/0x5c0
[ 3807.710701][ C2]  ? __dev_queue_xmit+0x7a8/0x18d0
[ 3807.710704][ C2]  do_softirq+0x4d/0xa0
[ 3807.710707][ C2]
[ 3807.710708][ C2]
[ 3807.710710][ C2]  __local_bh_enable_ip+0xf6/0x120
[ 3807.710713][ C2]  ? __dev_queue_xmit+0x7a8/0x18d0
[ 3807.710715][ C2]  __dev_queue_xmit+0x7bd/0x18d0
[ 3807.710718][ C2]  ? __lock_acquire+0x591/0x9d0
[ 3807.710722][ C2]  ? __pfx___dev_queue_xmit+0x10/0x10
[ 3807.710726][ C2]  ? eth_header+0x158/0x1a0
[ 3807.710732][ C2]  ? neigh_resolve_output+0x3d3/0x7d0
[ 3807.710738][ C2]  ip6_finish_output2+0x4e1/0x1050
[ 3807.710745][ C2]  ip6_finish_output+0x56f/0xe40
[ 3807.710749][ C2]  ip6_output+0x204/0x790
[ 3807.710752][ C2]  ? __pfx_ip6_output+0x10/0x10
[ 3807.710755][ C2]  ? __lock_acquire+0x591/0x9d0
[ 3807.710760][ C2]  NF_HOOK.constprop.0+0xe1/0x680
[ 3807.710763][ C2]  ? __pfx_NF_HOOK.constprop.0+0x10/0x10
[ 3807.710766][ C2]  ? __pfx_xfrm_lookup_with_ifid+0x10/0x10
[ 3807.710772][ C2]  ? mark_held_locks+0x49/0x80
[ 3807.710775][ C2]  ? icmp6_dst_alloc+0x31b/0x4b0
[ 3807.710781][ C2]  ? __local_bh_enable_ip+0xa6/0x120
[ 3807.710784][ C2]  ? icmp6_dst_alloc+0x31b/0x4b0
[ 3807.710788][ C2]  mld_sendpack+0x61d/0xbb0
[ 3807.710792][ C2]  ? __pfx_mld_sendpack+0x10/0x10
[ 3807.710796][ C2]  ? mld_send_cr+0x3a1/0x780
[ 3807.710800][ C2]  mld_ifc_work+0x32/0x1f0
[ 3807.710803][ C2]  process_one_work+0xe40/0x1690
[ 3807.710810][ C2]  ? __pfx_process_one_work+0x10/0x10
[ 3807.710815][ C2]  ? assign_work+0x16c/0x240
[ 3807.710818][ C2]  worker_thread+0x58c/0xce0
[ 3807.710823][ C2]  ? __pfx_worker_thread+0x10/0x10
[ 3807.710826][ C2]  kthread+0x358/0x5d0
[ 3807.710830][ C2]  ? __pfx_kthread+0x10/0x10
[ 3807.710833][ C2]  ? ret_from_fork+0x1b/0x70
[ 3807.710839][ C2]  ? __lock_release+0x5d/0x170
[ 3807.710842][ C2]  ? calculate_sigpending+0x44/0xa0
[ 3807.710846][ C2]  ? __pfx_kthread+0x10/0x10
[ 3807.710849][ C2]  ret_from_fork+0x31/0x70
[ 3807.710852][ C2]  ? __pfx_kthread+0x10/0x10
[ 3807.710855][ C2]  ret_from_fork_asm+0x1a/0x30
[ 3807.710862][ C2]
[ 3807.710863][ C2]
[ 3807.737243][ C2] Allocated by task 9253:
[ 3807.737519][ C2]  kasan_save_stack+0x24/0x50
[ 3807.737885][ C2]  kasan_save_track+0x14/0x30
[ 3807.738269][ C2]  __kasan_kmalloc+0x7f/0x90
[ 3807.738639][ C2]  __kvmalloc_node_noprof+0x221/0x590
[ 3807.739008][ C2]  alloc_netdev_mqs+0x78/0x1310
[ 3807.739389][ C2]  rtnl_create_link+0xab3/0xe40
[ 3807.739761][ C2]  rtnl_newlink_create+0x203/0x8f0
[ 3807.740145][ C2]  __rtnl_newlink+0x231/0xa40
[ 3807.740512][ C2]  rtnl_newlink+0x69a/0xa60
[ 3807.740893][ C2]  rtnetlink_rcv_msg+0x710/0xc00
[ 3807.741267][ C2]  netlink_rcv_skb+0x12f/0x360
[ 3807.741642][ C2]  netlink_unicast+0x449/0x710
[ 3807.742014][ C2]  netlink_sendmsg+0x721/0xbe0
[ 3807.742401][ C2]  ____sys_sendmsg+0x7aa/0xa10
[ 3807.742776][ C2]  ___sys_sendmsg+0xed/0x170
[ 3807.743162][ C2]  __sys_sendmsg+0x108/0x1a0
[ 3807.743534][ C2]  do_syscall_64+0xc1/0x1d0
[ 3807.743907][ C2]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 3807.744387][ C2]
[ 3807.744574][ C2] Freed by task 67:
[ 3807.744853][ C2]  kasan_save_stack+0x24/0x50
[ 3807.745234][ C2]  kasan_save_track+0x14/0x30
[ 3807.745605][ C2]  kasan_save_free_info+0x3b/0x60
[ 3807.745977][ C2]  __kasan_slab_free+0x38/0x50
[ 3807.746351][ C2]  kfree+0x144/0x320
[ 3807.746628][ C2]  device_release+0x9c/0x210
[ 3807.746995][ C2]  kobject_cleanup+0x101/0x360
[ 3807.747381][ C2]  netdev_run_todo+0x5f3/0xc60
[ 3807.747755][ C2]  default_device_exit_batch+0x245/0x2e0
[ 3807.748130][ C2]  cleanup_net+0x4fd/0xaf0
[ 3807.748509][ C2]  process_one_work+0xe40/0x1690
[ 3807.748884][ C2]  worker_thread+0x58c/0xce0
[ 3807.749264][ C2]  kthread+0x358/0x5d0
[ 3807.749549][ C2]  ret_from_fork+0x31/0x70
[ 3807.749920][ C2]  ret_from_fork_asm+0x1a/0x30
[ 3807.750296][ C2]
[ 3807.750482][ C2] The buggy address belongs to the object at ffff888012d8c000
[ 3807.750482][ C2]  which belongs to the cache kmalloc-4k of size 4096
[ 3807.751417][ C2] The buggy address is located 2804 bytes inside of
[ 3807.751417][ C2]  freed 4096-byte region [ffff888012d8c000, ffff888012d8d000)
[ 3807.752350][ C2]
[ 3807.752538][ C2] The buggy address belongs to the physical page:
[ 3807.753010][ C2] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12d88
[ 3807.753677][ C2] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 3807.754244][ C2] flags: 0x80000000000040(head|node=0|zone=1)
[ 3807.754709][ C2] page_type: f5(slab)
[ 3807.754994][ C2] raw: 0080000000000040 ffff8880010433c0 ffffea00002b5210 ffffea0000388c10
[ 3807.755655][ C2] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 3807.756117][ C2] head: 0080000000000040 ffff8880010433c0 ffffea00002b5210 ffffea0000388c10
[ 3807.756549][ C2] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 3807.756891][ C2] head: 0080000000000003 ffffea00004b6201 ffffffffffffffff 0000000000000000
[ 3807.757229][ C2] head: ffff888000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 3807.757641][ C2] page dumped because: kasan: bad access detected
[ 3807.757950][ C2]
[ 3807.758051][ C2] Memory state around the buggy address:
[ 3807.758275][ C2]  ffff888012d8c980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3807.758609][ C2]  ffff888012d8ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3807.758906][ C2] >ffff888012d8ca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3807.759250][ C2]                                                             ^
[ 3807.759564][ C2]  ffff888012d8cb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3807.759886][ C2]  ffff888012d8cb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3807.760200][ C2] ==================================================================
[ 3807.760525][ C2] Disabling lock debugging due to kernel taint