======================================
| [ 3003.477561][    C3] ==================================================================
| [ 3003.477893][ C3] BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:115) 
| [ 3003.478135][    C3] Read of size 8 at addr ffff88800907d730 by task kworker/u16:0/10
| [ 3003.478373][    C3]
[ 3003.478697][    C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 3003.479045][    C3] Workqueue: netns cleanup_net
[ 3003.479218][    C3] Call Trace:
[ 3003.479344][    C3]  <IRQ>
[ 3003.479428][ C3] dump_stack_lvl (lib/dump_stack.c:117) 
[ 3003.479606][ C3] print_address_description.constprop.0 (mm/kasan/report.c:378) 
[ 3003.479814][ C3] ? dst_destroy (net/core/dst.c:115) 
[ 3003.480062][ C3] print_report (mm/kasan/report.c:489) 
[ 3003.480221][ C3] ? kasan_addr_to_slab (./arch/x86/include/asm/bitops.h:206 ./arch/x86/include/asm/bitops.h:238 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 ./include/linux/page-flags.h:527 mm/kasan/../slab.h:206 mm/kasan/common.c:38) 
[ 3003.480382][ C3] kasan_report (mm/kasan/report.c:603) 
[ 3003.480503][ C3] ? dst_destroy (net/core/dst.c:115) 
[ 3003.480662][ C3] dst_destroy (net/core/dst.c:115) 
[ 3003.480914][ C3] ? rcu_do_batch (kernel/rcu/tree.c:2196) 
[ 3003.481072][ C3] rcu_do_batch (kernel/rcu/tree.c:2196) 
[ 3003.481238][ C3] ? hlock_class (./arch/x86/include/asm/bitops.h:227 ./arch/x86/include/asm/bitops.h:239 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228) 
[ 3003.481399][ C3] ? __pfx_rcu_do_batch (kernel/rcu/tree.c:2120) 
[ 3003.481644][ C3] ? lockdep_hardirqs_on_prepare.part.0 (kernel/locking/lockdep.c:4292 kernel/locking/lockdep.c:4359) 
[ 3003.481841][ C3] rcu_core (kernel/rcu/tree.c:2473) 
[ 3003.481962][ C3] __do_softirq (kernel/softirq.c:554) 
[ 3003.482120][ C3] irq_exit_rcu (kernel/softirq.c:428 kernel/softirq.c:633 kernel/softirq.c:645) 
[ 3003.482409][ C3] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1043 arch/x86/kernel/apic/apic.c:1043) 
[ 3003.482582][    C3]  </IRQ>
[ 3003.482668][    C3]  <TASK>
[ 3003.482750][ C3] asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) 
[ 3003.482950][ C3] RIP: 0010:__orc_find (arch/x86/kernel/unwind_orc.c:100) 
[ 3003.483124][ C3] Code: f0 4c 39 e7 77 7b 48 b9 00 00 00 00 00 fc ff df 49 89 ff 48 89 fd eb 0c 48 8d 6b 04 49 89 df 4c 39 e5 77 4e 4c 89 e2 48 29 ea <48> 89 d6 48 c1 ea 3f 48 c1 fe 02 48 01 f2 48 d1 fa 48 8d 5c 95 00
All code
========
   0:	f0 4c 39 e7          	lock cmp %r12,%rdi
   4:	77 7b                	ja     0x81
   6:	48 b9 00 00 00 00 00 	movabs $0xdffffc0000000000,%rcx
   d:	fc ff df 
  10:	49 89 ff             	mov    %rdi,%r15
  13:	48 89 fd             	mov    %rdi,%rbp
  16:	eb 0c                	jmp    0x24
  18:	48 8d 6b 04          	lea    0x4(%rbx),%rbp
  1c:	49 89 df             	mov    %rbx,%r15
  1f:	4c 39 e5             	cmp    %r12,%rbp
  22:	77 4e                	ja     0x72
  24:	4c 89 e2             	mov    %r12,%rdx
  27:	48 29 ea             	sub    %rbp,%rdx
  2a:*	48 89 d6             	mov    %rdx,%rsi		<-- trapping instruction
  2d:	48 c1 ea 3f          	shr    $0x3f,%rdx
  31:	48 c1 fe 02          	sar    $0x2,%rsi
  35:	48 01 f2             	add    %rsi,%rdx
  38:	48 d1 fa             	sar    %rdx
  3b:	48 8d 5c 95 00       	lea    0x0(%rbp,%rdx,4),%rbx

Code starting with the faulting instruction
===========================================
   0:	48 89 d6             	mov    %rdx,%rsi
   3:	48 c1 ea 3f          	shr    $0x3f,%rdx
   7:	48 c1 fe 02          	sar    $0x2,%rsi
   b:	48 01 f2             	add    %rsi,%rdx
   e:	48 d1 fa             	sar    %rdx
  11:	48 8d 5c 95 00       	lea    0x0(%rbp,%rdx,4),%rbx
[ 3003.483775][    C3] RSP: 0018:ffffc900000af598 EFLAGS: 00000206
[ 3003.483981][    C3] RAX: ffffffff90f37d0e RBX: ffffffff90c0cb10 RCX: dffffc0000000000
[ 3003.484306][    C3] RDX: 0000000000000014 RSI: 0000000000000000 RDI: ffffffff90c0cacc
[ 3003.484544][    C3] RBP: ffffffff90c0cb14 R08: ffffc900000af718 R09: 1ffff92000015ec4
[ 3003.484876][    C3] R10: ffffc900000af6d8 R11: ffffc900000af719 R12: ffffffff90c0cb28
[ 3003.485115][    C3] R13: ffffffff8c4c27a0 R14: ffffffff90c0cacc R15: ffffffff90c0cb10
[ 3003.485355][ C3] ? ret_from_fork (arch/x86/kernel/process.c:147) 
[ 3003.485612][ C3] ? arch_stack_walk (arch/x86/kernel/stacktrace.c:24) 
[ 3003.485775][ C3] unwind_next_frame (arch/x86/kernel/unwind_orc.c:495) 
[ 3003.485934][ C3] ? ret_from_fork (arch/x86/kernel/process.c:147) 
[ 3003.486095][ C3] ? hlock_class (./arch/x86/include/asm/bitops.h:227 ./arch/x86/include/asm/bitops.h:239 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228) 
[ 3003.486337][ C3] ? __pfx_unwind_next_frame (arch/x86/kernel/unwind_orc.c:469) 
[ 3003.486498][ C3] ? ret_from_fork (arch/x86/kernel/process.c:147) 
[ 3003.486653][ C3] ? kernel_text_address (kernel/extable.c:99) 
[ 3003.486813][ C3] ? __pfx_stack_trace_consume_entry (kernel/stacktrace.c:83) 
[ 3003.487012][ C3] arch_stack_walk (arch/x86/kernel/stacktrace.c:24) 
[ 3003.487261][ C3] ? ret_from_fork (arch/x86/kernel/process.c:147) 
[ 3003.487422][ C3] stack_trace_save (kernel/stacktrace.c:123) 
[ 3003.487582][ C3] ? __pfx_stack_trace_save (kernel/stacktrace.c:114) 
[ 3003.487740][ C3] ? __lock_release (kernel/locking/lockdep.c:5430) 
[ 3003.487898][ C3] ? __pfx___lock_release (kernel/locking/lockdep.c:5406) 
[ 3003.488217][ C3] ? hlock_class (./arch/x86/include/asm/bitops.h:227 ./arch/x86/include/asm/bitops.h:239 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228) 
[ 3003.488375][ C3] ? mark_lock (kernel/locking/lockdep.c:4656 (discriminator 3)) 
[ 3003.488496][ C3] ref_tracker_free (lib/ref_tracker.c:240) 
[ 3003.488656][ C3] ? mark_held_locks (kernel/locking/lockdep.c:4274) 
[ 3003.488816][ C3] ? __pfx_ref_tracker_free (lib/ref_tracker.c:221) 
[ 3003.488975][ C3] ? in6_dev_finish_destroy (./include/linux/netdevice.h:4017 ./include/linux/netdevice.h:4078 net/ipv6/addrconf_core.c:273) 
[ 3003.489226][ C3] ? addrconf_ifdown.isra.0 (./include/net/addrconf.h:389 net/ipv6/addrconf.c:4011) 
[ 3003.489380][ C3] ? addrconf_notify (net/ipv6/addrconf.c:3812) 
[ 3003.489539][ C3] ? notifier_call_chain (kernel/notifier.c:93 (discriminator 2)) 
[ 3003.489710][ C3] ? unregister_netdevice_many_notify (net/core/dev.c:11255) 
[ 3003.489908][ C3] ? cleanup_net (net/core/net_namespace.c:636) 
[ 3003.490159][ C3] ? process_one_work (kernel/workqueue.c:3267) 
[ 3003.490318][ C3] ? worker_thread (kernel/workqueue.c:3342 kernel/workqueue.c:3429) 
[ 3003.490477][ C3] ? kthread (kernel/kthread.c:388) 
[ 3003.490597][ C3] ? ret_from_fork (arch/x86/kernel/process.c:147) 
[ 3003.490747][ C3] ? __pfx___try_to_del_timer_sync (kernel/time/timer.c:1500) 
[ 3003.491028][ C3] ? mark_held_locks (kernel/locking/lockdep.c:4274) 
[ 3003.491192][ C3] in6_dev_finish_destroy (./include/linux/netdevice.h:4017 ./include/linux/netdevice.h:4078 net/ipv6/addrconf_core.c:273) 
[ 3003.491352][ C3] addrconf_ifdown.isra.0 (./include/net/addrconf.h:389 net/ipv6/addrconf.c:4011) 
[ 3003.491521][ C3] ? __pfx_addrconf_ifdown.isra.0 (net/ipv6/addrconf.c:3842) 
[ 3003.491885][ C3] ? rt_flush_dev (./include/linux/spinlock.h:397 net/ipv4/route.c:1544) 
[ 3003.492043][ C3] addrconf_notify (net/ipv6/addrconf.c:3812) 
[ 3003.492199][ C3] notifier_call_chain (kernel/notifier.c:93 (discriminator 2)) 
[ 3003.492357][ C3] unregister_netdevice_many_notify (net/core/dev.c:11255) 
[ 3003.492660][ C3] ? __pfx_unregister_netdevice_many_notify (net/core/dev.c:11197) 
[ 3003.492859][ C3] ? mutex_is_locked (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-long.h:38 ./include/linux/atomic/atomic-instrumented.h:3189 kernel/locking/mutex.c:81 kernel/locking/mutex.c:91) 
[ 3003.493020][ C3] ? nexthop_net_exit_batch_rtnl (net/ipv4/nexthop.c:585 net/ipv4/nexthop.c:2145 net/ipv4/nexthop.c:2653 net/ipv4/nexthop.c:4003) 
[ 3003.493223][ C3] cleanup_net (net/core/net_namespace.c:636) 
[ 3003.493384][ C3] ? __pfx_lock_acquire.part.0 (kernel/locking/lockdep.c:5719) 
[ 3003.493536][ C3] ? __pfx_cleanup_net (net/core/net_namespace.c:584) 
[ 3003.493694][ C3] ? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 52)) 
[ 3003.493938][ C3] ? process_one_work (kernel/workqueue.c:3243) 
[ 3003.494092][ C3] ? lock_acquire (kernel/locking/lockdep.c:5727) 
[ 3003.494250][ C3] ? process_one_work (kernel/workqueue.c:3243) 
[ 3003.494410][ C3] process_one_work (kernel/workqueue.c:3267) 
[ 3003.494570][ C3] ? __pfx___lock_release (kernel/locking/lockdep.c:5406) 
[ 3003.494809][ C3] ? __pfx_process_one_work (kernel/workqueue.c:3169) 
[ 3003.494967][ C3] ? assign_work (kernel/workqueue.c:1209) 
[ 3003.495130][ C3] worker_thread (kernel/workqueue.c:3342 kernel/workqueue.c:3429) 
[ 3003.495289][ C3] ? __pfx_worker_thread (kernel/workqueue.c:3375) 
[ 3003.495530][ C3] kthread (kernel/kthread.c:388) 
[ 3003.495654][ C3] ? __pfx_kthread (kernel/kthread.c:341) 
[ 3003.495808][ C3] ret_from_fork (arch/x86/kernel/process.c:147) 
[ 3003.495968][ C3] ? __pfx_kthread (kernel/kthread.c:341) 


Finger prints:
print_report:kasan_report:dst_destroy:rcu_do_batch:rcu_core