====================================== | [ 6853.739583][ T76] ================================================================== | [ 6853.739855][ T76] BUG: KASAN: slab-use-after-free in neigh_flush_dev.isra.0 (./include/linux/list.h:990 ./include/linux/rculist.h:516 net/core/neighbour.c:385) | [ 6853.740093][ T76] Write of size 8 at addr ffff888006021018 by task kworker/u16:1/76 | [ 6853.740324][ T76] [ 6853.740693][ T76] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 6853.741040][ T76] Workqueue: netns cleanup_net [ 6853.741211][ T76] Call Trace: [ 6853.741335][ T76] [ 6853.741423][ T76] dump_stack_lvl (lib/dump_stack.c:123) [ 6853.741585][ T76] print_address_description.constprop.0 (mm/kasan/report.c:378) [ 6853.741782][ T76] ? neigh_flush_dev.isra.0 (./include/linux/list.h:990 ./include/linux/rculist.h:516 net/core/neighbour.c:385) [ 6853.741943][ T76] print_report (mm/kasan/report.c:489) [ 6853.742102][ T76] ? kasan_addr_to_slab (./include/linux/mm.h:1282 mm/kasan/../slab.h:206 mm/kasan/common.c:38) [ 6853.742261][ T76] kasan_report (mm/kasan/report.c:603) [ 6853.742382][ T76] ? neigh_flush_dev.isra.0 (./include/linux/list.h:990 ./include/linux/rculist.h:516 net/core/neighbour.c:385) [ 6853.742539][ T76] neigh_flush_dev.isra.0 (./include/linux/list.h:990 ./include/linux/rculist.h:516 net/core/neighbour.c:385) [ 6853.742692][ T76] ? lock_acquire (kernel/locking/lockdep.c:5798) [ 6853.742852][ T76] __neigh_ifdown.isra.0 (net/core/neighbour.c:826 net/core/neighbour.c:426) [ 6853.743014][ T76] ? fib_flush (net/ipv4/fib_frontend.c:195 (discriminator 11)) [ 6853.743135][ T76] neigh_ifdown (net/core/neighbour.c:445) [ 6853.743253][ T76] fib_netdev_event (net/ipv4/fib_frontend.c:1521) [ 6853.743410][ T76] notifier_call_chain (kernel/notifier.c:93 (discriminator 2)) [ 6853.743570][ T76] dev_close_many (net/core/dev.c:1590) [ 6853.743728][ T76] ? 
lock_acquire.part.0 (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5827) [ 6853.743904][ T76] ? default_device_exit_batch (net/core/dev.c:12061) [ 6853.744063][ T76] ? __pfx_dev_close_many (net/core/dev.c:1577) [ 6853.744220][ T76] ? fou_exit_net (net/ipv4/fou_core.c:1234) [ 6853.744379][ T76] ? __mutex_trylock_common (./arch/x86/include/asm/atomic64_64.h:101 ./include/linux/atomic/atomic-arch-fallback.h:4296 ./include/linux/atomic/atomic-long.h:1482 ./include/linux/atomic/atomic-instrumented.h:4458 kernel/locking/mutex.c:129) [ 6853.744537][ T76] unregister_netdevice_many_notify (net/core/dev.c:11503) [ 6853.744743][ T76] ? lock_acquire (kernel/locking/lockdep.c:5798) [ 6853.744898][ T76] ? trace_contention_end (./include/trace/events/lock.h:122 (discriminator 52)) [ 6853.745054][ T76] ? __mutex_lock (./arch/x86/include/asm/preempt.h:94 kernel/locking/mutex.c:618 kernel/locking/mutex.c:752) [ 6853.745212][ T76] ? __pfx_unregister_netdevice_many_notify (net/core/dev.c:11470) [ 6853.745405][ T76] ? __mutex_lock (./arch/x86/include/asm/preempt.h:94 kernel/locking/mutex.c:618 kernel/locking/mutex.c:752) [ 6853.745560][ T76] ? find_held_lock (kernel/locking/lockdep.c:5315) [ 6853.745721][ T76] ? mutex_is_locked (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-long.h:38 ./include/linux/atomic/atomic-instrumented.h:3189 kernel/locking/mutex.c:81 kernel/locking/mutex.c:91) [ 6853.745878][ T76] ? rtnl_is_locked (net/core/rtnetlink.c:164) [ 6853.746037][ T76] ? unregister_netdevice_queue (net/core/dev.c:11455) [ 6853.746229][ T76] ? __pfx_unregister_netdevice_queue (net/core/dev.c:11454) [ 6853.746423][ T76] ? __pfx_unregister_netdevice_queue (net/core/dev.c:11454) [ 6853.746619][ T76] default_device_exit_batch (net/core/dev.c:12075) [ 6853.746776][ T76] ? __pfx_default_device_exit_batch (net/core/dev.c:12050) [ 6853.746970][ T76] ? 
ops_exit_list (net/core/net_namespace.c:172 (discriminator 3)) [ 6853.747128][ T76] cleanup_net (net/core/net_namespace.c:632 (discriminator 3)) [ 6853.747288][ T76] ? __pfx_lock_acquire.part.0 (kernel/locking/lockdep.c:5790) [ 6853.747514][ T76] ? __pfx_cleanup_net (net/core/net_namespace.c:577) [ 6853.747670][ T76] ? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 52)) [ 6853.747827][ T76] ? process_one_work (kernel/workqueue.c:3205) [ 6853.747981][ T76] ? lock_acquire (kernel/locking/lockdep.c:5798) [ 6853.748207][ T76] ? process_one_work (kernel/workqueue.c:3205) [ 6853.748363][ T76] process_one_work (kernel/workqueue.c:3229) [ 6853.748522][ T76] ? __pfx___lock_release (kernel/locking/lockdep.c:5477) [ 6853.748681][ T76] ? __pfx_process_one_work (kernel/workqueue.c:3131) [ 6853.748838][ T76] ? assign_work (kernel/workqueue.c:1200) [ 6853.749075][ T76] worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391) [ 6853.749231][ T76] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406) [ 6853.749426][ T76] ? __pfx_worker_thread (kernel/workqueue.c:3337) [ 6853.749581][ T76] ? __pfx_worker_thread (kernel/workqueue.c:3337) [ 6853.749804][ T76] kthread (kernel/kthread.c:389) [ 6853.749922][ T76] ? __pfx_kthread (kernel/kthread.c:342) [ 6853.750080][ T76] ret_from_fork (arch/x86/kernel/process.c:147) [ 6853.750239][ T76] ? 
__pfx_kthread (kernel/kthread.c:342) [ 6853.750464][ T76] ret_from_fork_asm (arch/x86/entry/entry_64.S:257) | [ 6853.764876][ T76] Disabling lock debugging due to kernel taint | [ 6853.765174][ T76] Oops: general protection fault, probably for non-canonical address 0xe079bc3ee0000007: 0000 [#1] PREEMPT SMP KASAN NOPTI | [ 6853.765658][ T76] KASAN: maybe wild-memory-access in range [0x03ce01f700000038-0x03ce01f70000003f] | [ 6853.766293][ T76] Tainted: [B]=BAD_PAGE [ 6853.766408][ T76] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 6853.766748][ T76] Workqueue: netns cleanup_net [ 6853.766981][ T76] RIP: 0010:neigh_flush_dev.isra.0 (./include/linux/list.h:988 ./include/linux/rculist.h:516 net/core/neighbour.c:384) [ 6853.767180][ T76] Code: 0f 85 ef 04 00 00 49 8d 7f 08 49 8b 1f 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 cc 04 00 00 49 8b 6f 08 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 0f 85 19 05 00 00 48 89 5d 00 48 85 db 74 1a 48 8d All code ======== 0: 0f 85 ef 04 00 00 jne 0x4f5 6: 49 8d 7f 08 lea 0x8(%r15),%rdi a: 49 8b 1f mov (%r15),%rbx d: 48 89 f8 mov %rdi,%rax 10: 48 c1 e8 03 shr $0x3,%rax 14: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) 19: 0f 85 cc 04 00 00 jne 0x4eb 1f: 49 8b 6f 08 mov 0x8(%r15),%rbp 23: 48 89 e8 mov %rbp,%rax 26: 48 c1 e8 03 shr $0x3,%rax 2a:* 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction 2f: 0f 85 19 05 00 00 jne 0x54e 35: 48 89 5d 00 mov %rbx,0x0(%rbp) 39: 48 85 db test %rbx,%rbx 3c: 74 1a je 0x58 3e: 48 rex.W 3f: 8d .byte 0x8d Code starting with the faulting instruction =========================================== 0: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) 5: 0f 85 19 05 00 00 jne 0x524 b: 48 89 5d 00 mov %rbx,0x0(%rbp) f: 48 85 db test %rbx,%rbx 12: 74 1a je 0x2e 14: 48 rex.W 15: 8d .byte 0x8d [ 6853.767781][ T76] RSP: 0018:ffffc9000050f7a8 EFLAGS: 00010203 [ 6853.767973][ T76] RAX: 0079c03ee0000007 RBX: ffff88800456a040 RCX: ffffffff9a0c6ef0 [ 
6853.768203][ T76] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff888006021008 [ 6853.768502][ T76] RBP: 03ce01f70000003f R08: 0000000000000000 R09: 0000000000000000 [ 6853.768731][ T76] R10: ffffffff9c7e8a8f R11: ffffc9000050f3b9 R12: ffff88800602113c [ 6853.768962][ T76] R13: dffffc0000000000 R14: ffff888014af1000 R15: ffff888006021000 [ 6853.769265][ T76] FS: 0000000000000000(0000) GS:ffff888036100000(0000) knlGS:0000000000000000 [ 6853.769534][ T76] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 6853.769727][ T76] CR2: 00007fae54b91000 CR3: 000000002b73a004 CR4: 0000000000772ef0 [ 6853.770094][ T76] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 6853.770320][ T76] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 6853.770548][ T76] PKRU: 55555554 [ 6853.770736][ T76] Call Trace: [ 6853.770851][ T76] [ 6853.770932][ T76] ? die_addr (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:460) [ 6853.771055][ T76] ? exc_general_protection (arch/x86/kernel/traps.c:751 arch/x86/kernel/traps.c:693) [ 6853.771211][ T76] ? asm_exc_general_protection (./arch/x86/include/asm/idtentry.h:617) [ 6853.771432][ T76] ? neigh_flush_dev.isra.0 (./include/linux/list.h:986 ./include/linux/rculist.h:516 net/core/neighbour.c:384) [ 6853.771583][ T76] ? neigh_flush_dev.isra.0 (./include/linux/list.h:988 ./include/linux/rculist.h:516 net/core/neighbour.c:384) [ 6853.771735][ T76] ? neigh_flush_dev.isra.0 (./include/linux/list.h:986 ./include/linux/rculist.h:516 net/core/neighbour.c:384) [ 6853.771885][ T76] ? lock_acquire (kernel/locking/lockdep.c:5798) [ 6853.772112][ T76] __neigh_ifdown.isra.0 (net/core/neighbour.c:826 net/core/neighbour.c:426) [ 6853.772271][ T76] ? 
fib_flush (net/ipv4/fib_frontend.c:195 (discriminator 11)) [ 6853.772386][ T76] neigh_ifdown (net/core/neighbour.c:445) [ 6853.772501][ T76] fib_netdev_event (net/ipv4/fib_frontend.c:1521) [ 6853.772652][ T76] notifier_call_chain (kernel/notifier.c:93 (discriminator 2)) [ 6853.772873][ T76] dev_close_many (net/core/dev.c:1590) [ 6853.773025][ T76] ? lock_acquire.part.0 (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5827) [ 6853.773177][ T76] ? default_device_exit_batch (net/core/dev.c:12061) [ 6853.773334][ T76] ? __pfx_dev_close_many (net/core/dev.c:1577) [ 6853.773569][ T76] ? fou_exit_net (net/ipv4/fou_core.c:1234) [ 6853.773722][ T76] ? __mutex_trylock_common (./arch/x86/include/asm/atomic64_64.h:101 ./include/linux/atomic/atomic-arch-fallback.h:4296 ./include/linux/atomic/atomic-long.h:1482 ./include/linux/atomic/atomic-instrumented.h:4458 kernel/locking/mutex.c:129) [ 6853.773874][ T76] unregister_netdevice_many_notify (net/core/dev.c:11503) [ 6853.774063][ T76] ? lock_acquire (kernel/locking/lockdep.c:5798) [ 6853.774215][ T76] ? trace_contention_end (./include/trace/events/lock.h:122 (discriminator 52)) [ 6853.774367][ T76] ? __mutex_lock (./arch/x86/include/asm/preempt.h:94 kernel/locking/mutex.c:618 kernel/locking/mutex.c:752) [ 6853.774522][ T76] ? __pfx_unregister_netdevice_many_notify (net/core/dev.c:11470) [ 6853.774714][ T76] ? __mutex_lock (./arch/x86/include/asm/preempt.h:94 kernel/locking/mutex.c:618 kernel/locking/mutex.c:752) [ 6853.774866][ T76] ? find_held_lock (kernel/locking/lockdep.c:5315) [ 6853.775019][ T76] ? mutex_is_locked (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-long.h:38 ./include/linux/atomic/atomic-instrumented.h:3189 kernel/locking/mutex.c:81 kernel/locking/mutex.c:91) [ 6853.775170][ T76] ? rtnl_is_locked (net/core/rtnetlink.c:164) [ 6853.775320][ T76] ? unregister_netdevice_queue (net/core/dev.c:11455) [ 6853.775586][ T76] ? 
__pfx_unregister_netdevice_queue (net/core/dev.c:11454) [ 6853.775774][ T76] ? __pfx_unregister_netdevice_queue (net/core/dev.c:11454) [ 6853.775965][ T76] default_device_exit_batch (net/core/dev.c:12075) [ 6853.776122][ T76] ? __pfx_default_device_exit_batch (net/core/dev.c:12050) [ 6853.776313][ T76] ? ops_exit_list (net/core/net_namespace.c:172 (discriminator 3)) [ 6853.776467][ T76] cleanup_net (net/core/net_namespace.c:632 (discriminator 3)) [ 6853.776620][ T76] ? __pfx_lock_acquire.part.0 (kernel/locking/lockdep.c:5790) [ 6853.776771][ T76] ? __pfx_cleanup_net (net/core/net_namespace.c:577) [ 6853.776924][ T76] ? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 52)) [ 6853.777077][ T76] ? process_one_work (kernel/workqueue.c:3205) [ 6853.777233][ T76] ? lock_acquire (kernel/locking/lockdep.c:5798) [ 6853.777383][ T76] ? process_one_work (kernel/workqueue.c:3205) [ 6853.777535][ T76] process_one_work (kernel/workqueue.c:3229) [ 6853.777689][ T76] ? __pfx___lock_release (kernel/locking/lockdep.c:5477) [ 6853.777841][ T76] ? __pfx_process_one_work (kernel/workqueue.c:3131) [ 6853.777995][ T76] ? assign_work (kernel/workqueue.c:1200) [ 6853.778148][ T76] worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391) [ 6853.778299][ T76] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406) [ 6853.778493][ T76] ? __pfx_worker_thread (kernel/workqueue.c:3337) [ 6853.778645][ T76] ? __pfx_worker_thread (kernel/workqueue.c:3337) [ 6853.778797][ T76] kthread (kernel/kthread.c:389) [ 6853.778913][ T76] ? __pfx_kthread (kernel/kthread.c:342) [ 6853.779076][ T76] ret_from_fork (arch/x86/kernel/process.c:147) [ 6853.779227][ T76] ? __pfx_kthread (kernel/kthread.c:342) Fingerprints: neigh_ifdown:fib_netdev_event:notifier_call_chain:dev_close_many:unregister_netdevice_many_notify print_report:kasan_report:neigh_ifdown:fib_netdev_event:notifier_call_chain