======================================
| [   24.622346][   T67] ==================================================================
| [ 24.622589][ T67] BUG: KASAN: use-after-free in page_pool_item_uninit (net/core/page_pool.c:523)
| [   24.622808][   T67] Read of size 8 at addr ffff8880024f9008 by task kworker/u16:1/67
| [   24.623018][   T67]
[   24.623351][   T67] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   24.623538][   T67] Workqueue: netns cleanup_net
[   24.623695][   T67] Call Trace:
[   24.623807][   T67]  <TASK>
[ 24.623884][ T67] dump_stack_lvl (lib/dump_stack.c:123)
[ 24.624038][ T67] print_address_description.constprop.0 (mm/kasan/report.c:379)
[ 24.624230][ T67] ? page_pool_item_uninit (net/core/page_pool.c:523)
[ 24.624377][ T67] print_report (mm/kasan/report.c:490)
[ 24.624522][ T67] ? kasan_addr_to_slab (./include/linux/mm.h:1295 mm/kasan/../slab.h:211 mm/kasan/common.c:38)
[ 24.624668][ T67] kasan_report (mm/kasan/report.c:604)
[ 24.624783][ T67] ? page_pool_item_uninit (net/core/page_pool.c:523)
[ 24.624931][ T67] page_pool_item_uninit (net/core/page_pool.c:523)
[ 24.625079][ T67] page_pool_release (net/core/page_pool.c:1431 net/core/page_pool.c:1484)
[ 24.625224][ T67] ? __pfx_page_pool_release (net/core/page_pool.c:1478)
[ 24.625374][ T67] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 24.625564][ T67] page_pool_destroy (net/core/page_pool.c:1555)
[ 24.625711][ T67] veth_napi_del_range (drivers/net/veth.c:1054 (discriminator 3))
[ 24.625862][ T67] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 24.626044][ T67] veth_close (drivers/net/veth.c:1383)
[ 24.626155][ T67] __dev_close_many (net/core/dev.c:1591)
[ 24.626302][ T67] ? __pfx___dev_close_many (net/core/dev.c:1555)
[ 24.626453][ T67] dev_close_many (net/core/dev.c:1618)
[ 24.626600][ T67] ? fou_exit_net (net/ipv4/fou_core.c:1234)
[ 24.626746][ T67] ? __pfx_dev_close_many (net/core/dev.c:1608)
[ 24.626892][ T67] ? __mutex_trylock_common (./arch/x86/include/asm/atomic64_64.h:101 ./include/linux/atomic/atomic-arch-fallback.h:4296 ./include/linux/atomic/atomic-long.h:1482 ./include/linux/atomic/atomic-instrumented.h:4458 kernel/locking/mutex.c:104)
[ 24.627043][ T67] ? __pfx___mutex_trylock_common (kernel/locking/mutex.c:79)
[ 24.627225][ T67] unregister_netdevice_many_notify (net/core/dev.c:11562)
[ 24.627408][ T67] ? __pfx_unregister_netdevice_many_notify (net/core/dev.c:11529)
[ 24.627589][ T67] ? default_device_exit_batch (net/core/dev.c:12122)
[ 24.627734][ T67] ? mutex_is_locked (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-long.h:38 ./include/linux/atomic/atomic-instrumented.h:3189 kernel/locking/mutex.h:47 kernel/locking/mutex.c:66)
[ 24.627881][ T67] ? rtnl_is_locked (net/core/rtnetlink.c:163)
[ 24.628029][ T67] ? unregister_netdevice_queue (net/core/dev.c:11514)
[ 24.628208][ T67] ? __pfx_unregister_netdevice_queue (net/core/dev.c:11513)
[ 24.628387][ T67] ? __pfx_unregister_netdevice_queue (net/core/dev.c:11513)
[ 24.628566][ T67] default_device_exit_batch (net/core/dev.c:12136)
[ 24.628714][ T67] ? __pfx_default_device_exit_batch (net/core/dev.c:12111)
[ 24.628903][ T67] ? ops_exit_list (net/core/net_namespace.c:171 (discriminator 3))
[ 24.629050][ T67] cleanup_net (net/core/net_namespace.c:647 (discriminator 3))
[ 24.629194][ T67] ? __pfx_lock_acquire.part.0 (kernel/locking/lockdep.c:5814)
[ 24.629337][ T67] ? __pfx_cleanup_net (net/core/net_namespace.c:592)
[ 24.629482][ T67] ? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 37))
[ 24.629627][ T67] ? lock_acquire (kernel/locking/lockdep.c:5822)
[ 24.629768][ T67] ? process_one_work (kernel/workqueue.c:3205)
[ 24.629916][ T67] process_one_work (kernel/workqueue.c:3229)
[ 24.630063][ T67] ? __pfx___lock_release (kernel/locking/lockdep.c:5501)
[ 24.630207][ T67] ? __pfx_process_one_work (kernel/workqueue.c:3131)
[ 24.630354][ T67] ? assign_work (kernel/workqueue.c:1200)
[ 24.630498][ T67] worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391)
[ 24.630643][ T67] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 24.630822][ T67] ? __pfx_worker_thread (kernel/workqueue.c:3337)
[ 24.630980][ T67] ? __pfx_worker_thread (kernel/workqueue.c:3337)
[ 24.631124][ T67] kthread (kernel/kthread.c:389)
[ 24.631236][ T67] ? __pfx_kthread (kernel/kthread.c:342)
[ 24.631381][ T67] ret_from_fork (arch/x86/kernel/process.c:147)
[ 24.631526][ T67] ? __pfx_kthread (kernel/kthread.c:342)
[ 24.631670][ T67] ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
| [   24.635077][   T67] Disabling lock debugging due to kernel taint
| [   24.635262][   T67] Oops: general protection fault, probably for non-canonical address 0xf99995999999999c: 0000 [#1] PREEMPT SMP KASAN NOPTI
| [   24.635599][   T67] KASAN: maybe wild-memory-access in range [0xcccccccccccccce0-0xcccccccccccccce7]
| [   24.636126][   T67] Tainted: [B]=BAD_PAGE
[   24.636232][   T67] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   24.636406][   T67] Workqueue: netns cleanup_net
[ 24.636552][ T67] RIP: 0010:page_pool_item_uninit (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/linux/refcount.h:136 net/core/page_pool.c:524)
[ 24.636731][ T67] Code: b1 48 bb 00 00 00 00 00 fc ff df 48 c1 ed 03 48 01 dd 4d 8d 75 1c be 04 00 00 00 4c 89 f7 e8 ad 6d 63 fe 4c 89 f0 48 c1 e8 03 <0f> b6 14 18 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 62 41
All code
========
   0:	b1 48                	mov    $0x48,%cl
   2:	bb 00 00 00 00       	mov    $0x0,%ebx
   7:	00 fc                	add    %bh,%ah
   9:	ff                   	(bad)
   a:	df 48 c1             	fisttps -0x3f(%rax)
   d:	ed                   	in     (%dx),%eax
   e:	03 48 01             	add    0x1(%rax),%ecx
  11:	dd 4d 8d             	fisttpll -0x73(%rbp)
  14:	75 1c                	jne    0x32
  16:	be 04 00 00 00       	mov    $0x4,%esi
  1b:	4c 89 f7             	mov    %r14,%rdi
  1e:	e8 ad 6d 63 fe       	call   0xfffffffffe636dd0
  23:	4c 89 f0             	mov    %r14,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
  2a:*	0f b6 14 18          	movzbl (%rax,%rbx,1),%edx		<-- trapping instruction
  2e:	4c 89 f0             	mov    %r14,%rax
  31:	83 e0 07             	and    $0x7,%eax
  34:	83 c0 03             	add    $0x3,%eax
  37:	38 d0                	cmp    %dl,%al
  39:	7c 04                	jl     0x3f
  3b:	84 d2                	test   %dl,%dl
  3d:	75 62                	jne    0xa1
  3f:	41                   	rex.B

Code starting with the faulting instruction
===========================================
   0:	0f b6 14 18          	movzbl (%rax,%rbx,1),%edx
   4:	4c 89 f0             	mov    %r14,%rax
   7:	83 e0 07             	and    $0x7,%eax
   a:	83 c0 03             	add    $0x3,%eax
   d:	38 d0                	cmp    %dl,%al
   f:	7c 04                	jl     0x15
  11:	84 d2                	test   %dl,%dl
  13:	75 62                	jne    0x77
  15:	41                   	rex.B
[   24.637230][   T67] RSP: 0000:ffffc90000487698 EFLAGS: 00010a06
[   24.637404][   T67] RAX: 199999999999999c RBX: dffffc0000000000 RCX: ffffffffafa9f6e3
[   24.637610][   T67] RDX: 0000000000000000 RSI: 0000000000000004 RDI: cccccccccccccce0
[   24.637822][   T67] RBP: fffffbfff6224c78 R08: 0000000000000000 R09: fffffbfff65ff688
[   24.638036][   T67] R10: ffffffffb2ffb447 R11: 205d373654202020 R12: ffff888009a9e620
[   24.638245][   T67] R13: ccccccccccccccc4 R14: cccccccccccccce0 R15: 0000000000000000
[   24.638449][   T67] FS:  0000000000000000(0000) GS:ffff88806d080000(0000) knlGS:0000000000000000
[   24.638689][   T67] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   24.638876][   T67] CR2: 00007f151f2cb000 CR3: 000000000dbfa005 CR4: 0000000000772ef0
[   24.639085][   T67] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   24.639293][   T67] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   24.639501][   T67] PKRU: 55555554
[   24.639606][   T67] Call Trace:
[   24.639720][   T67]  <TASK>
[ 24.639794][ T67] ? die_addr (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:460)
[ 24.639904][ T67] ? exc_general_protection (arch/x86/kernel/traps.c:751 arch/x86/kernel/traps.c:693)
[ 24.640046][ T67] ? asm_exc_general_protection (./arch/x86/include/asm/idtentry.h:617)
[ 24.640187][ T67] ? page_pool_item_uninit (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/linux/refcount.h:136 net/core/page_pool.c:524)
[ 24.640401][ T67] ? page_pool_item_uninit (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/linux/refcount.h:136 net/core/page_pool.c:524)
[ 24.640540][ T67] ? page_pool_item_uninit (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/linux/refcount.h:136 net/core/page_pool.c:524)
[ 24.640686][ T67] page_pool_release (net/core/page_pool.c:1431 net/core/page_pool.c:1484)
[ 24.640828][ T67] ? __pfx_page_pool_release (net/core/page_pool.c:1478)
[ 24.640967][ T67] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 24.641142][ T67] page_pool_destroy (net/core/page_pool.c:1555)
[ 24.641281][ T67] veth_napi_del_range (drivers/net/veth.c:1054 (discriminator 3))
[ 24.641420][ T67] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 24.641667][ T67] veth_close (drivers/net/veth.c:1383)
[ 24.641778][ T67] __dev_close_many (net/core/dev.c:1591)
[ 24.641917][ T67] ? __pfx___dev_close_many (net/core/dev.c:1555)
[ 24.642059][ T67] dev_close_many (net/core/dev.c:1618)
[ 24.642278][ T67] ? fou_exit_net (net/ipv4/fou_core.c:1234)
[ 24.642421][ T67] ? __pfx_dev_close_many (net/core/dev.c:1608)
[ 24.642558][ T67] ? __mutex_trylock_common (./arch/x86/include/asm/atomic64_64.h:101 ./include/linux/atomic/atomic-arch-fallback.h:4296 ./include/linux/atomic/atomic-long.h:1482 ./include/linux/atomic/atomic-instrumented.h:4458 kernel/locking/mutex.c:104)
[ 24.642698][ T67] ? __pfx___mutex_trylock_common (kernel/locking/mutex.c:79)
[ 24.642952][ T67] unregister_netdevice_many_notify (net/core/dev.c:11562)
[ 24.643128][ T67] ? __pfx_unregister_netdevice_many_notify (net/core/dev.c:11529)
[ 24.643302][ T67] ? default_device_exit_batch (net/core/dev.c:12122)
[ 24.643515][ T67] ? mutex_is_locked (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-long.h:38 ./include/linux/atomic/atomic-instrumented.h:3189 kernel/locking/mutex.h:47 kernel/locking/mutex.c:66)
[ 24.643647][ T67] ? rtnl_is_locked (net/core/rtnetlink.c:163)
[ 24.643779][ T67] ? unregister_netdevice_queue (net/core/dev.c:11514)
[ 24.643946][ T67] ? __pfx_unregister_netdevice_queue (net/core/dev.c:11513)
[ 24.644195][ T67] ? __pfx_unregister_netdevice_queue (net/core/dev.c:11513)
[ 24.644362][ T67] default_device_exit_batch (net/core/dev.c:12136)
[ 24.644495][ T67] ? __pfx_default_device_exit_batch (net/core/dev.c:12111)
[ 24.644738][ T67] ? ops_exit_list (net/core/net_namespace.c:171 (discriminator 3))
[ 24.644872][ T67] cleanup_net (net/core/net_namespace.c:647 (discriminator 3))
[ 24.645005][ T67] ? __pfx_lock_acquire.part.0 (kernel/locking/lockdep.c:5814)
[ 24.645139][ T67] ? __pfx_cleanup_net (net/core/net_namespace.c:592)
[ 24.645358][ T67] ? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 37))
[ 24.645492][ T67] ? lock_acquire (kernel/locking/lockdep.c:5822)
[ 24.645623][ T67] ? process_one_work (kernel/workqueue.c:3205)
[ 24.645765][ T67] process_one_work (kernel/workqueue.c:3229)
[ 24.645973][ T67] ? __pfx___lock_release (kernel/locking/lockdep.c:5501)
[ 24.646105][ T67] ? __pfx_process_one_work (kernel/workqueue.c:3131)
[ 24.646238][ T67] ? assign_work (kernel/workqueue.c:1200)
[ 24.646380][ T67] worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391)
[ 24.646586][ T67] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 24.646750][ T67] ? __pfx_worker_thread (kernel/workqueue.c:3337)
[ 24.646883][ T67] ? __pfx_worker_thread (kernel/workqueue.c:3337)
[ 24.647016][ T67] kthread (kernel/kthread.c:389)
[ 24.647190][ T67] ? __pfx_kthread (kernel/kthread.c:342)
[ 24.647323][ T67] ret_from_fork (arch/x86/kernel/process.c:147)
[ 24.647466][ T67] ? __pfx_kthread (kernel/kthread.c:342)


Finger prints:
page_pool_item_uninit:page_pool_release:page_pool_destroy:veth_napi_del_range:veth_close
print_report:kasan_report:page_pool_item_uninit:page_pool_release:page_pool_destroy