======================================
| [ 4378.383060][    C3] ==================================================================
| [ 4378.383329][ C3] BUG: KASAN: slab-use-after-free in vrf_xmit (drivers/net/vrf.c:567)
| [ 4378.383528][    C3] Read of size 4 at addr ffff888012972b30 by task ping/9654
| [ 4378.383756][    C3]
[ 4378.384073][    C3] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 4378.384270][    C3] Call Trace:
[ 4378.384392][    C3]  <IRQ>
[ 4378.384476][ C3] dump_stack_lvl (lib/dump_stack.c:123)
[ 4378.384670][ C3] print_address_description.constprop.0 (mm/kasan/report.c:379)
[ 4378.384864][ C3] ? vrf_xmit (drivers/net/vrf.c:567)
[ 4378.384986][ C3] print_report (mm/kasan/report.c:490)
[ 4378.385137][ C3] ? kasan_addr_to_slab (./include/linux/mm.h:1294 mm/kasan/../slab.h:211 mm/kasan/common.c:38)
[ 4378.385296][ C3] kasan_report (mm/kasan/report.c:604)
[ 4378.385413][ C3] ? vrf_xmit (drivers/net/vrf.c:567)
[ 4378.385532][ C3] vrf_xmit (drivers/net/vrf.c:567)
[ 4378.385649][ C3] dev_hard_start_xmit (./include/linux/netdevice.h:5042 ./include/linux/netdevice.h:5051 net/core/dev.c:3590 net/core/dev.c:3606)
[ 4378.385811][ C3] __dev_queue_xmit (net/core/dev.h:291 net/core/dev.c:4435)
[ 4378.385964][ C3] ? __lock_release (kernel/locking/lockdep.c:5525)
[ 4378.386121][ C3] ? ip_finish_output2 (./include/net/neighbour.h:537 net/ipv4/ip_output.c:236)
[ 4378.386277][ C3] ? __pfx___lock_release (kernel/locking/lockdep.c:5501)
[ 4378.386433][ C3] ? hlock_class (./arch/x86/include/asm/bitops.h:227 ./arch/x86/include/asm/bitops.h:239 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228)
[ 4378.386585][ C3] ? __pfx___dev_queue_xmit (net/core/dev.c:4343)
[ 4378.386738][ C3] ? mark_held_locks (kernel/locking/lockdep.c:4321)
[ 4378.386901][ C3] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406)
[ 4378.387089][ C3] ? neigh_hh_output (./include/linux/seqlock.h:74 ./include/linux/seqlock.h:813 ./include/net/neighbour.h:493)
[ 4378.387242][ C3] ip_finish_output2 (./include/net/neighbour.h:537 net/ipv4/ip_output.c:236)
[ 4378.387397][ C3] ? __pfx_ip_finish_output2 (net/ipv4/ip_output.c:200)
[ 4378.387551][ C3] ? __ip_finish_output (./include/linux/skbuff.h:1670 ./include/linux/skbuff.h:5049 net/ipv4/ip_output.c:308 net/ipv4/ip_output.c:296)
[ 4378.387699][ C3] ip_output (./include/linux/netfilter.h:303 net/ipv4/ip_output.c:434)
[ 4378.387811][ C3] ? __pfx_ip_output (net/ipv4/ip_output.c:428)
[ 4378.387960][ C3] ? ip_route_input_noref (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:880 net/ipv4/route.c:2520)
[ 4378.388114][ C3] ? ip_forward_finish (./include/linux/skbuff.h:1144 ./include/net/dst.h:450 net/ipv4/ip_forward.c:80)
[ 4378.388262][ C3] NF_HOOK.constprop.0 (./include/linux/netfilter.h:314)
[ 4378.388410][ C3] ? __pfx_NF_HOOK.constprop.0 (./include/linux/netfilter.h:308)
[ 4378.388560][ C3] ? ip_dst_mtu_maybe_forward.constprop.0 (./include/net/net_namespace.h:387 ./include/linux/netdevice.h:2635 ./include/net/ip.h:474)
[ 4378.388742][ C3] ? ip_forward (net/ipv4/ip_forward.c:45 net/ipv4/ip_forward.c:135)
[ 4378.388893][ C3] ip_rcv (./include/net/dst.h:460 ./include/net/dst.h:458 net/ipv4/ip_input.c:447 ./include/linux/netfilter.h:314 ./include/linux/netfilter.h:308 net/ipv4/ip_input.c:567)
[ 4378.389007][ C3] ? __pfx_ip_rcv (net/ipv4/ip_input.c:560)
[ 4378.389159][ C3] ? process_backlog (./include/linux/local_lock_internal.h:38 net/core/dev.c:6115)
[ 4378.389309][ C3] ? lock_acquire.part.0 (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851)
[ 4378.389458][ C3] ? process_backlog (./include/linux/local_lock_internal.h:38 net/core/dev.c:6115)
[ 4378.389610][ C3] ? __pfx_ip_rcv (net/ipv4/ip_input.c:560)
[ 4378.389759][ C3] ? process_backlog (./include/linux/local_lock_internal.h:38 net/core/dev.c:6115)
[ 4378.389909][ C3] __netif_receive_skb_one_core (net/core/dev.c:5672 (discriminator 4))
[ 4378.390093][ C3] ? __pfx___netif_receive_skb_one_core (net/core/dev.c:5665)
[ 4378.390277][ C3] ? lock_acquire (kernel/locking/lockdep.c:5822)
[ 4378.390428][ C3] ? process_backlog (./include/linux/local_lock_internal.h:38 net/core/dev.c:6115)
[ 4378.390576][ C3] process_backlog (./include/linux/rcupdate.h:878 net/core/dev.c:6118)
[ 4378.390725][ C3] __napi_poll.constprop.0 (net/core/dev.c:6883)
[ 4378.390878][ C3] net_rx_action (net/core/dev.c:6952 net/core/dev.c:7074)
[ 4378.391031][ C3] ? __pfx_net_rx_action (net/core/dev.c:7036)
[ 4378.391181][ C3] ? do_raw_spin_unlock (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/asm-generic/qspinlock.h:57 kernel/locking/spinlock_debug.c:101 kernel/locking/spinlock_debug.c:141)
[ 4378.391329][ C3] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:94 ./include/linux/spinlock_api_smp.h:143 kernel/locking/spinlock.c:186)
[ 4378.391479][ C3] ? hlock_class (./arch/x86/include/asm/bitops.h:227 ./arch/x86/include/asm/bitops.h:239 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228)
[ 4378.391627][ C3] ? mark_lock (kernel/locking/lockdep.c:4727 (discriminator 3))
[ 4378.391741][ C3] ? mark_held_locks (kernel/locking/lockdep.c:4321)
[ 4378.391893][ C3] handle_softirqs (kernel/softirq.c:554)
[ 4378.392046][ C3] ? __dev_queue_xmit (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:917 net/core/dev.c:4461)
[ 4378.392195][ C3] do_softirq (kernel/softirq.c:455 kernel/softirq.c:442)
[ 4378.392308][    C3]  </IRQ>
[ 4378.392386][    C3]  <TASK>
[ 4378.392461][ C3] __local_bh_enable_ip (kernel/softirq.c:382)
[ 4378.392608][ C3] ? __dev_queue_xmit (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:917 net/core/dev.c:4461)
[ 4378.392756][ C3] __dev_queue_xmit (net/core/dev.c:4462)
[ 4378.392909][ C3] ? __lock_release (kernel/locking/lockdep.c:5525)
[ 4378.393057][ C3] ? ip_finish_output2 (./include/net/neighbour.h:537 net/ipv4/ip_output.c:236)
[ 4378.393204][ C3] ? __pfx___lock_release (kernel/locking/lockdep.c:5501)
[ 4378.393355][ C3] ? hlock_class (./arch/x86/include/asm/bitops.h:227 ./arch/x86/include/asm/bitops.h:239 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228)
[ 4378.393503][ C3] ? __pfx___dev_queue_xmit (net/core/dev.c:4343)
[ 4378.393651][ C3] ? mark_held_locks (kernel/locking/lockdep.c:4321)
[ 4378.393800][ C3] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 4378.393990][ C3] ? neigh_hh_output (./include/linux/seqlock.h:74 ./include/linux/seqlock.h:813 ./include/net/neighbour.h:493)
[ 4378.394137][ C3] ? do_csum (lib/checksum.c:56)
[ 4378.394254][ C3] ip_finish_output2 (./include/net/neighbour.h:537 net/ipv4/ip_output.c:236)
[ 4378.394402][ C3] ? __lock_acquire (kernel/locking/lockdep.c:5226)
[ 4378.394551][ C3] ? __pfx_raw_getfrag (net/ipv4/raw.c:453)
[ 4378.394701][ C3] ? __pfx_ip_finish_output2 (net/ipv4/ip_output.c:200)
[ 4378.394850][ C3] ? __ip_finish_output (./include/linux/skbuff.h:1670 ./include/linux/skbuff.h:5049 net/ipv4/ip_output.c:308 net/ipv4/ip_output.c:296)
[ 4378.394998][ C3] ip_output (./include/linux/netfilter.h:303 net/ipv4/ip_output.c:434)
[ 4378.395114][ C3] ? __ip_local_out (net/ipv4/ip_output.c:97 net/ipv4/ip_output.c:108)
[ 4378.395282][ C3] ? __pfx_ip_output (net/ipv4/ip_output.c:428)
[ 4378.395434][ C3] ? __ip_make_skb (net/ipv4/ip_output.c:1386 net/ipv4/ip_output.c:1496)
[ 4378.395588][ C3] ? __pfx_raw_getfrag (net/ipv4/raw.c:453)
[ 4378.395746][ C3] ? ip_append_data (net/ipv4/ip_output.c:1375 net/ipv4/ip_output.c:1354)
[ 4378.395901][ C3] ip_push_pending_frames (./include/net/dst.h:450 net/ipv4/ip_output.c:130 net/ipv4/ip_output.c:1505 net/ipv4/ip_output.c:1525)
[ 4378.396056][ C3] raw_sendmsg (net/ipv4/raw.c:658)
[ 4378.396210][ C3] ? __pfx_raw_sendmsg (net/ipv4/raw.c:483)
[ 4378.396374][ C3] ? __lock_release (kernel/locking/lockdep.c:5525)
[ 4378.396528][ C3] ? __pfx___lock_release (kernel/locking/lockdep.c:5501)
[ 4378.396681][ C3] ? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 47))
[ 4378.396836][ C3] ? lock_acquire (kernel/locking/lockdep.c:5822)
[ 4378.396998][ C3] ? __might_fault (mm/memory.c:6751 mm/memory.c:6744)
[ 4378.397170][ C3] ? __might_fault (mm/memory.c:6751 mm/memory.c:6744)
[ 4378.397326][ C3] __sys_sendto (net/socket.c:711 net/socket.c:726 net/socket.c:2197)
[ 4378.397485][ C3] ? __pfx___sys_sendto (net/socket.c:2164)
[ 4378.397652][ C3] ? lock_acquire (kernel/locking/lockdep.c:5822)
[ 4378.397803][ C3] ? rseq_update_cpu_node_id (kernel/rseq.c:109 (discriminator 10))
[ 4378.397956][ C3] ? __rseq_handle_notify_resume (kernel/rseq.c:333)
[ 4378.398140][ C3] ? do_user_addr_fault (./include/linux/mmap_lock.h:172 arch/x86/mm/fault.c:1417)
[ 4378.398292][ C3] ? __pfx___rseq_handle_notify_resume (kernel/rseq.c:316)
[ 4378.398478][ C3] __x64_sys_sendto (net/socket.c:2200)
[ 4378.398631][ C3] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 4378.398818][ C3] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 4378.398972][ C3] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 4378.399161][    C3] RIP: 0033:0x7f3bc073b85a
[ 4378.399318][ C3] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
All code
========
   0:	d8 64 89 02          	fsubs  0x2(%rcx,%rcx,4)
   4:	48 c7 c0 ff ff ff ff 	mov    $0xffffffffffffffff,%rax
   b:	eb b8                	jmp    0xffffffffffffffc5
   d:	0f 1f 00             	nopl   (%rax)
  10:	f3 0f 1e fa          	endbr64
  14:	41 89 ca             	mov    %ecx,%r10d
  17:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  1e:	00 
  1f:	85 c0                	test   %eax,%eax
  21:	75 15                	jne    0x38
  23:	b8 2c 00 00 00       	mov    $0x2c,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 7e                	ja     0xb0
  32:	c3                   	ret
  33:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  38:	41 54                	push   %r12
  3a:	48 83 ec 30          	sub    $0x30,%rsp
  3e:	44                   	rex.R
  3f:	89                   	.byte 0x89

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 7e                	ja     0x86
   8:	c3                   	ret
   9:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
   e:	41 54                	push   %r12
  10:	48 83 ec 30          	sub    $0x30,%rsp
  14:	44                   	rex.R
  15:	89                   	.byte 0x89
[ 4378.399848][    C3] RSP: 002b:00007ffd4f0aaad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 4378.400080][    C3] RAX: ffffffffffffffda RBX: 00000000000005aa RCX: 00007f3bc073b85a
[ 4378.400303][    C3] RDX: 00000000000005b2 RSI: 00000000121b6340 RDI: 0000000000000005
[ 4378.400549][    C3] RBP: 00007ffd4f0aab30 R08: 00000000004185e0 R09: 0000000000000010
[ 4378.400786][    C3] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000005c6


Finger prints:
print_report:kasan_report:vrf_xmit:dev_hard_start_xmit:__dev_queue_xmit