======================================
| [  377.074157][ T4174] ==================================================================
| [ 377.074430][ T4174] BUG: KASAN: use-after-free in page_pool_item_uninit (net/core/page_pool.c:523)
| [  377.074661][ T4174] Read of size 8 at addr ffff88801cdae008 by task ethtool/4174
| [  377.074874][ T4174]
[  377.075181][ T4174] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  377.075368][ T4174] Call Trace:
[  377.075481][ T4174]  <TASK>
[ 377.075558][ T4174] dump_stack_lvl (lib/dump_stack.c:123)
[ 377.075710][ T4174] print_address_description.constprop.0 (mm/kasan/report.c:379)
[ 377.075892][ T4174] ? page_pool_item_uninit (net/core/page_pool.c:523)
[ 377.076041][ T4174] print_report (mm/kasan/report.c:490)
[ 377.076187][ T4174] ? kasan_addr_to_slab (./include/linux/mm.h:1295 mm/kasan/../slab.h:211 mm/kasan/common.c:38)
[ 377.076341][ T4174] kasan_report (mm/kasan/report.c:604)
[ 377.076453][ T4174] ? page_pool_item_uninit (net/core/page_pool.c:523)
[ 377.076599][ T4174] page_pool_item_uninit (net/core/page_pool.c:523)
[ 377.076745][ T4174] page_pool_release (net/core/page_pool.c:1431 net/core/page_pool.c:1484)
[ 377.076889][ T4174] ? __pfx_page_pool_release (net/core/page_pool.c:1478)
[ 377.077036][ T4174] page_pool_destroy (net/core/page_pool.c:1555)
[ 377.077179][ T4174] veth_napi_del_range (drivers/net/veth.c:1054 (discriminator 3))
[ 377.077324][ T4174] ? __pfx_call_netdevice_notifiers (net/core/dev.c:2095)
[ 377.077508][ T4174] veth_set_features (drivers/net/veth.c:1060 drivers/net/veth.c:1494 drivers/net/veth.c:1472)
[ 377.077653][ T4174] ? netdev_upper_get_next_dev_rcu (net/core/dev.c:7309 (discriminator 1))
[ 377.077837][ T4174] __netdev_update_features (net/core/dev.c:10251)
[ 377.077986][ T4174] ? __pfx___netdev_update_features (net/core/dev.c:10224)
[ 377.078171][ T4174] ? __pfx_ethnl_parse_header_dev_get.part.0 (net/ethtool/netlink.c:137)
[ 377.078364][ T4174] ethnl_set_features (net/ethtool/features.c:262)
[ 377.078512][ T4174] ? __pfx_ethnl_set_features (net/ethtool/features.c:211)
[ 377.078656][ T4174] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 377.078842][ T4174] ? __nla_validate_parse (lib/nlattr.c:638)
[ 377.078993][ T4174] ? __nla_parse (lib/nlattr.c:732)
[ 377.079139][ T4174] ? genl_family_rcv_msg_attrs_parse.constprop.0 (net/netlink/genetlink.c:947)
[ 377.079358][ T4174] genl_family_rcv_msg_doit (net/netlink/genetlink.c:1115)
[ 377.079505][ T4174] ? __pfx_genl_family_rcv_msg_doit (net/netlink/genetlink.c:1088)
[ 377.079691][ T4174] ? rcu_read_lock_any_held (kernel/rcu/update.c:386 kernel/rcu/update.c:380)
[ 377.079841][ T4174] ? validate_chain (kernel/locking/lockdep.c:3797 kernel/locking/lockdep.c:3817 kernel/locking/lockdep.c:3872)
[ 377.079990][ T4174] genl_family_rcv_msg (net/netlink/genetlink.c:1195)
[ 377.080136][ T4174] ? __pfx_genl_family_rcv_msg (net/netlink/genetlink.c:1160)
[ 377.080283][ T4174] ? __pfx_ethnl_set_features (net/ethtool/features.c:211)
[ 377.080435][ T4174] genl_rcv_msg (net/netlink/genetlink.c:65 net/netlink/genetlink.c:1211)
[ 377.080580][ T4174] netlink_rcv_skb (net/netlink/af_netlink.c:2543)
[ 377.080726][ T4174] ? __pfx_genl_rcv_msg (net/netlink/genetlink.c:1201)
[ 377.080869][ T4174] ? __pfx_netlink_rcv_skb (net/netlink/af_netlink.c:2520)
[ 377.081018][ T4174] ? genl_rcv (net/netlink/genetlink.c:1219)
[ 377.081128][ T4174] ? __pfx_down_read (kernel/locking/rwsem.c:1522)
[ 377.081276][ T4174] ? netlink_deliver_tap (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:880 net/netlink/af_netlink.c:340)
[ 377.081425][ T4174] genl_rcv (net/netlink/genetlink.c:1220)
[ 377.081533][ T4174] netlink_unicast (net/netlink/af_netlink.c:1322 net/netlink/af_netlink.c:1348)
[ 377.081678][ T4174] ? __pfx_netlink_unicast (net/netlink/af_netlink.c:1333)
[ 377.081827][ T4174] ? find_held_lock (kernel/locking/lockdep.c:5339)
[ 377.081975][ T4174] netlink_sendmsg (net/netlink/af_netlink.c:1892)
[ 377.082123][ T4174] ? __pfx_netlink_sendmsg (net/netlink/af_netlink.c:1811)
[ 377.082269][ T4174] ? lock_acquire (kernel/locking/lockdep.c:5822)
[ 377.082417][ T4174] ? __might_fault (mm/memory.c:6751 mm/memory.c:6744)
[ 377.082566][ T4174] __sys_sendto (net/socket.c:711 net/socket.c:726 net/socket.c:2208)
[ 377.082713][ T4174] ? __pfx___sys_sendto (net/socket.c:2175)
[ 377.082864][ T4174] ? __lock_release (kernel/locking/lockdep.c:5525)
[ 377.083018][ T4174] ? __sys_recvmsg (net/socket.c:2889)
[ 377.083161][ T4174] ? __pfx___sys_recvmsg (net/socket.c:2874)
[ 377.083313][ T4174] ? do_user_addr_fault (./include/linux/rcupdate.h:882 ./include/linux/mm.h:742 arch/x86/mm/fault.c:1340)
[ 377.083462][ T4174] __x64_sys_sendto (net/socket.c:2211)
[ 377.083606][ T4174] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 377.083784][ T4174] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 377.083929][ T4174] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[  377.084110][ T4174] RIP: 0033:0x7f581bf97a4a
[ 377.084262][ T4174] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
All code
========
   0:	d8 64 89 02          	fsubs  0x2(%rcx,%rcx,4)
   4:	48 c7 c0 ff ff ff ff 	mov    $0xffffffffffffffff,%rax
   b:	eb b8                	jmp    0xffffffffffffffc5
   d:	0f 1f 00             	nopl   (%rax)
  10:	f3 0f 1e fa          	endbr64
  14:	41 89 ca             	mov    %ecx,%r10d
  17:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  1e:	00 
  1f:	85 c0                	test   %eax,%eax
  21:	75 15                	jne    0x38
  23:	b8 2c 00 00 00       	mov    $0x2c,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 7e                	ja     0xb0
  32:	c3                   	ret
  33:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  38:	41 54                	push   %r12
  3a:	48 83 ec 30          	sub    $0x30,%rsp
  3e:	44                   	rex.R
  3f:	89                   	.byte 0x89

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 7e                	ja     0x86
   8:	c3                   	ret
   9:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
   e:	41 54                	push   %r12
  10:	48 83 ec 30          	sub    $0x30,%rsp
  14:	44                   	rex.R
  15:	89                   	.byte 0x89
[  377.084767][ T4174] RSP: 002b:00007ffd9034f208 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[  377.084988][ T4174] RAX: ffffffffffffffda RBX: 00000000141da2a0 RCX: 00007f581bf97a4a
[  377.085203][ T4174] RDX: 0000000000000044 RSI: 00000000141da3b0 RDI: 0000000000000005
[  377.085421][ T4174] RBP: 0000000000486020 R08: 00007f581c054200 R09: 000000000000000c
[  377.085636][ T4174] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000141da340
[  377.085852][ T4174] R13: 0000000000000000 R14: 00000000141da350 R15: 00000000141da2a0
| [  377.089389][ T4174] Disabling lock debugging due to kernel taint
| [  377.089582][ T4174] Oops: general protection fault, probably for non-canonical address 0xf99995999999999c: 0000 [#1] PREEMPT SMP KASAN NOPTI
| [  377.089929][ T4174] KASAN: maybe wild-memory-access in range [0xcccccccccccccce0-0xcccccccccccccce7]
| [  377.090418][ T4174] Tainted: [B]=BAD_PAGE
[  377.090527][ T4174] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 377.090703][ T4174] RIP: 0010:page_pool_item_uninit (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/linux/refcount.h:136 net/core/page_pool.c:524)
[ 377.090889][ T4174] Code: 8f 48 bb 00 00 00 00 00 fc ff df 48 c1 ed 03 48 01 dd 4d 8d 75 1c be 04 00 00 00 4c 89 f7 e8 ad 6d 63 fe 4c 89 f0 48 c1 e8 03 <0f> b6 14 18 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 62 41
All code
========
   0:	8f 48 bb 00          	(bad)
   4:	00 00                	add    %al,(%rax)
   6:	00 00                	add    %al,(%rax)
   8:	fc                   	cld
   9:	ff                   	(bad)
   a:	df 48 c1             	fisttps -0x3f(%rax)
   d:	ed                   	in     (%dx),%eax
   e:	03 48 01             	add    0x1(%rax),%ecx
  11:	dd 4d 8d             	fisttpll -0x73(%rbp)
  14:	75 1c                	jne    0x32
  16:	be 04 00 00 00       	mov    $0x4,%esi
  1b:	4c 89 f7             	mov    %r14,%rdi
  1e:	e8 ad 6d 63 fe       	call   0xfffffffffe636dd0
  23:	4c 89 f0             	mov    %r14,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
  2a:*	0f b6 14 18          	movzbl (%rax,%rbx,1),%edx		<-- trapping instruction
  2e:	4c 89 f0             	mov    %r14,%rax
  31:	83 e0 07             	and    $0x7,%eax
  34:	83 c0 03             	add    $0x3,%eax
  37:	38 d0                	cmp    %dl,%al
  39:	7c 04                	jl     0x3f
  3b:	84 d2                	test   %dl,%dl
  3d:	75 62                	jne    0xa1
  3f:	41                   	rex.B

Code starting with the faulting instruction
===========================================
   0:	0f b6 14 18          	movzbl (%rax,%rbx,1),%edx
   4:	4c 89 f0             	mov    %r14,%rax
   7:	83 e0 07             	and    $0x7,%eax
   a:	83 c0 03             	add    $0x3,%eax
   d:	38 d0                	cmp    %dl,%al
   f:	7c 04                	jl     0x15
  11:	84 d2                	test   %dl,%dl
  13:	75 62                	jne    0x77
  15:	41                   	rex.B
[  377.091385][ T4174] RSP: 0018:ffffc90000e872e0 EFLAGS: 00010a06
[  377.091567][ T4174] RAX: 199999999999999c RBX: dffffc0000000000 RCX: ffffffff8dc9f6e3
[  377.091776][ T4174] RDX: 0000000000000000 RSI: 0000000000000004 RDI: cccccccccccccce0
[  377.091984][ T4174] RBP: fffffbfff1e64c78 R08: 0000000000000000 R09: fffffbfff223f688
[  377.092199][ T4174] R10: ffffffff911fb447 R11: 205d343731345420 R12: ffff888004cf1e20
[  377.092408][ T4174] R13: ccccccccccccccc4 R14: cccccccccccccce0 R15: 0000000000000000
[  377.092616][ T4174] FS:  00007f581be47000(0000) GS:ffff88806d180000(0000) knlGS:0000000000000000
[  377.092862][ T4174] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  377.093049][ T4174] CR2: 00000000141eb088 CR3: 0000000012898006 CR4: 0000000000772ef0
[  377.093260][ T4174] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  377.093468][ T4174] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  377.093676][ T4174] PKRU: 55555554
[  377.093785][ T4174] Call Trace:
[  377.093894][ T4174]  <TASK>
[ 377.093970][ T4174] ? die_addr (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:460)
[ 377.094080][ T4174] ? exc_general_protection (arch/x86/kernel/traps.c:751 arch/x86/kernel/traps.c:693)
[ 377.094226][ T4174] ? asm_exc_general_protection (./arch/x86/include/asm/idtentry.h:617)
[ 377.094370][ T4174] ? page_pool_item_uninit (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/linux/refcount.h:136 net/core/page_pool.c:524)
[ 377.094510][ T4174] ? page_pool_item_uninit (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/linux/refcount.h:136 net/core/page_pool.c:524)
[ 377.094653][ T4174] page_pool_release (net/core/page_pool.c:1431 net/core/page_pool.c:1484)
[ 377.094795][ T4174] ? __pfx_page_pool_release (net/core/page_pool.c:1478)
[ 377.094942][ T4174] page_pool_destroy (net/core/page_pool.c:1555)
[ 377.095082][ T4174] veth_napi_del_range (drivers/net/veth.c:1054 (discriminator 3))
[ 377.095224][ T4174] ? __pfx_call_netdevice_notifiers (net/core/dev.c:2095)
[ 377.095399][ T4174] veth_set_features (drivers/net/veth.c:1060 drivers/net/veth.c:1494 drivers/net/veth.c:1472)
[ 377.095542][ T4174] ? netdev_upper_get_next_dev_rcu (net/core/dev.c:7309 (discriminator 1))
[ 377.095716][ T4174] __netdev_update_features (net/core/dev.c:10251)
[ 377.095857][ T4174] ? __pfx___netdev_update_features (net/core/dev.c:10224)
[ 377.096035][ T4174] ? __pfx_ethnl_parse_header_dev_get.part.0 (net/ethtool/netlink.c:137)
[ 377.096214][ T4174] ethnl_set_features (net/ethtool/features.c:262)
[ 377.096355][ T4174] ? __pfx_ethnl_set_features (net/ethtool/features.c:211)
[ 377.096494][ T4174] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 377.096670][ T4174] ? __nla_validate_parse (lib/nlattr.c:638)
[ 377.096812][ T4174] ? __nla_parse (lib/nlattr.c:732)
[ 377.096953][ T4174] ? genl_family_rcv_msg_attrs_parse.constprop.0 (net/netlink/genetlink.c:947)
[ 377.097162][ T4174] genl_family_rcv_msg_doit (net/netlink/genetlink.c:1115)
[ 377.097302][ T4174] ? __pfx_genl_family_rcv_msg_doit (net/netlink/genetlink.c:1088)
[ 377.097481][ T4174] ? rcu_read_lock_any_held (kernel/rcu/update.c:386 kernel/rcu/update.c:380)
[ 377.097622][ T4174] ? validate_chain (kernel/locking/lockdep.c:3797 kernel/locking/lockdep.c:3817 kernel/locking/lockdep.c:3872)
[ 377.097764][ T4174] genl_family_rcv_msg (net/netlink/genetlink.c:1195)
[ 377.097909][ T4174] ? __pfx_genl_family_rcv_msg (net/netlink/genetlink.c:1160)
[ 377.098047][ T4174] ? __pfx_ethnl_set_features (net/ethtool/features.c:211)
[ 377.098189][ T4174] genl_rcv_msg (net/netlink/genetlink.c:65 net/netlink/genetlink.c:1211)
[ 377.098330][ T4174] netlink_rcv_skb (net/netlink/af_netlink.c:2543)
[ 377.098468][ T4174] ? __pfx_genl_rcv_msg (net/netlink/genetlink.c:1201)
[ 377.098606][ T4174] ? __pfx_netlink_rcv_skb (net/netlink/af_netlink.c:2520)
[ 377.098747][ T4174] ? genl_rcv (net/netlink/genetlink.c:1219)
[ 377.098853][ T4174] ? __pfx_down_read (kernel/locking/rwsem.c:1522)
[ 377.098997][ T4174] ? netlink_deliver_tap (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:880 net/netlink/af_netlink.c:340)
[ 377.099140][ T4174] genl_rcv (net/netlink/genetlink.c:1220)
[ 377.099244][ T4174] netlink_unicast (net/netlink/af_netlink.c:1322 net/netlink/af_netlink.c:1348)
[ 377.099384][ T4174] ? __pfx_netlink_unicast (net/netlink/af_netlink.c:1333)
[ 377.099523][ T4174] ? find_held_lock (kernel/locking/lockdep.c:5339)
[ 377.099663][ T4174] netlink_sendmsg (net/netlink/af_netlink.c:1892)
[ 377.099803][ T4174] ? __pfx_netlink_sendmsg (net/netlink/af_netlink.c:1811)
[ 377.099945][ T4174] ? lock_acquire (kernel/locking/lockdep.c:5822)
[ 377.100085][ T4174] ? __might_fault (mm/memory.c:6751 mm/memory.c:6744)
[ 377.100228][ T4174] __sys_sendto (net/socket.c:711 net/socket.c:726 net/socket.c:2208)
[ 377.100369][ T4174] ? __pfx___sys_sendto (net/socket.c:2175)
[ 377.100512][ T4174] ? __lock_release (kernel/locking/lockdep.c:5525)
[ 377.100654][ T4174] ? __sys_recvmsg (net/socket.c:2889)
[ 377.100793][ T4174] ? __pfx___sys_recvmsg (net/socket.c:2874)
[ 377.100933][ T4174] ? do_user_addr_fault (./include/linux/rcupdate.h:882 ./include/linux/mm.h:742 arch/x86/mm/fault.c:1340)
[ 377.101077][ T4174] __x64_sys_sendto (net/socket.c:2211)
[ 377.101219][ T4174] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 377.101395][ T4174] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 377.101536][ T4174] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[  377.101708][ T4174] RIP: 0033:0x7f581bf97a4a
[ 377.101853][ T4174] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
All code
========
   0:	d8 64 89 02          	fsubs  0x2(%rcx,%rcx,4)
   4:	48 c7 c0 ff ff ff ff 	mov    $0xffffffffffffffff,%rax
   b:	eb b8                	jmp    0xffffffffffffffc5
   d:	0f 1f 00             	nopl   (%rax)
  10:	f3 0f 1e fa          	endbr64
  14:	41 89 ca             	mov    %ecx,%r10d
  17:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  1e:	00 
  1f:	85 c0                	test   %eax,%eax
  21:	75 15                	jne    0x38
  23:	b8 2c 00 00 00       	mov    $0x2c,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 7e                	ja     0xb0
  32:	c3                   	ret
  33:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  38:	41 54                	push   %r12
  3a:	48 83 ec 30          	sub    $0x30,%rsp
  3e:	44                   	rex.R
  3f:	89                   	.byte 0x89

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 7e                	ja     0x86
   8:	c3                   	ret
   9:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
   e:	41 54                	push   %r12
  10:	48 83 ec 30          	sub    $0x30,%rsp
  14:	44                   	rex.R
  15:	89                   	.byte 0x89
[  377.102346][ T4174] RSP: 002b:00007ffd9034f208 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[  377.102556][ T4174] RAX: ffffffffffffffda RBX: 00000000141da2a0 RCX: 00007f581bf97a4a
[  377.102766][ T4174] RDX: 0000000000000044 RSI: 00000000141da3b0 RDI: 0000000000000005
[  377.102985][ T4174] RBP: 0000000000486020 R08: 00007f581c054200 R09: 000000000000000c
[  377.103191][ T4174] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000141da340


Finger prints:
page_pool_item_uninit:page_pool_release:page_pool_destroy:veth_napi_del_range:veth_set_features
print_report:kasan_report:page_pool_item_uninit:page_pool_release:page_pool_destroy