======================================
| [   16.798874][  T327] ==================================================================
| [ 16.799120][ T327] BUG: KASAN: use-after-free in page_pool_item_uninit (net/core/page_pool.c:523)
| [   16.799339][  T327] Read of size 8 at addr ffff88800c300008 by task ethtool/327
| [   16.799549][  T327]
[   16.799839][  T327] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   16.800016][  T327] Call Trace:
[   16.800124][  T327]  <TASK>
[ 16.800199][ T327] dump_stack_lvl (lib/dump_stack.c:123)
[ 16.800354][ T327] print_address_description.constprop.0 (mm/kasan/report.c:379)
[ 16.800535][ T327] ? page_pool_item_uninit (net/core/page_pool.c:523)
[ 16.800681][ T327] print_report (mm/kasan/report.c:490)
[ 16.800825][ T327] ? kasan_addr_to_slab (./include/linux/mm.h:1295 mm/kasan/../slab.h:211 mm/kasan/common.c:38)
[ 16.800974][ T327] kasan_report (mm/kasan/report.c:604)
[ 16.801083][ T327] ? page_pool_item_uninit (net/core/page_pool.c:523)
[ 16.801230][ T327] page_pool_item_uninit (net/core/page_pool.c:523)
[ 16.801375][ T327] page_pool_release (net/core/page_pool.c:1431 net/core/page_pool.c:1484)
[ 16.801520][ T327] ? __pfx_page_pool_release (net/core/page_pool.c:1478)
[ 16.801665][ T327] page_pool_destroy (net/core/page_pool.c:1555)
[ 16.801808][ T327] veth_napi_del_range (drivers/net/veth.c:1054 (discriminator 3))
[ 16.801957][ T327] ? __pfx_call_netdevice_notifiers (net/core/dev.c:2095)
[ 16.802140][ T327] veth_set_features (drivers/net/veth.c:1060 drivers/net/veth.c:1494 drivers/net/veth.c:1472)
[ 16.802284][ T327] ? netdev_upper_get_next_dev_rcu (net/core/dev.c:7309 (discriminator 1))
[ 16.802463][ T327] __netdev_update_features (net/core/dev.c:10251)
[ 16.802610][ T327] ? __pfx___netdev_update_features (net/core/dev.c:10224)
[ 16.802787][ T327] ? __pfx_ethnl_parse_header_dev_get.part.0 (net/ethtool/netlink.c:137)
[ 16.802972][ T327] ethnl_set_features (net/ethtool/features.c:262)
[ 16.803116][ T327] ? __pfx_ethnl_set_features (net/ethtool/features.c:211)
[ 16.803261][ T327] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 16.803441][ T327] ? __nla_validate_parse (lib/nlattr.c:638)
[ 16.803588][ T327] ? __nla_parse (lib/nlattr.c:732)
[ 16.803731][ T327] ? genl_family_rcv_msg_attrs_parse.constprop.0 (net/netlink/genetlink.c:947)
[ 16.803946][ T327] genl_family_rcv_msg_doit (net/netlink/genetlink.c:1115)
[ 16.804089][ T327] ? __pfx_genl_family_rcv_msg_doit (net/netlink/genetlink.c:1088)
[ 16.804269][ T327] ? rcu_read_lock_any_held (kernel/rcu/update.c:386 kernel/rcu/update.c:380)
[ 16.804415][ T327] ? validate_chain (kernel/locking/lockdep.c:3797 kernel/locking/lockdep.c:3817 kernel/locking/lockdep.c:3872)
[ 16.804561][ T327] genl_family_rcv_msg (net/netlink/genetlink.c:1195)
[ 16.804706][ T327] ? __pfx_genl_family_rcv_msg (net/netlink/genetlink.c:1160)
[ 16.804850][ T327] ? __pfx_ethnl_set_features (net/ethtool/features.c:211)
[ 16.804999][ T327] genl_rcv_msg (net/netlink/genetlink.c:65 net/netlink/genetlink.c:1211)
[ 16.805143][ T327] netlink_rcv_skb (net/netlink/af_netlink.c:2543)
[ 16.805287][ T327] ? __pfx_genl_rcv_msg (net/netlink/genetlink.c:1201)
[ 16.805435][ T327] ? __pfx_netlink_rcv_skb (net/netlink/af_netlink.c:2520)
[ 16.805583][ T327] ? genl_rcv (net/netlink/genetlink.c:1219)
[ 16.805694][ T327] ? __pfx_down_read (kernel/locking/rwsem.c:1522)
[ 16.805839][ T327] ? netlink_deliver_tap (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:880 net/netlink/af_netlink.c:340)
[ 16.805986][ T327] genl_rcv (net/netlink/genetlink.c:1220)
[ 16.806096][ T327] netlink_unicast (net/netlink/af_netlink.c:1322 net/netlink/af_netlink.c:1348)
[ 16.806240][ T327] ? __pfx_netlink_unicast (net/netlink/af_netlink.c:1333)
[ 16.806385][ T327] ? find_held_lock (kernel/locking/lockdep.c:5339)
[ 16.806534][ T327] netlink_sendmsg (net/netlink/af_netlink.c:1892)
[ 16.806685][ T327] ? __pfx_netlink_sendmsg (net/netlink/af_netlink.c:1811)
[ 16.806834][ T327] ? lock_acquire (kernel/locking/lockdep.c:5822)
[ 16.806979][ T327] ? __might_fault (mm/memory.c:6751 mm/memory.c:6744)
[ 16.807127][ T327] __sys_sendto (net/socket.c:711 net/socket.c:726 net/socket.c:2208)
[ 16.807274][ T327] ? __pfx___sys_sendto (net/socket.c:2175)
[ 16.807420][ T327] ? __lock_release (kernel/locking/lockdep.c:5525)
[ 16.807564][ T327] ? __sys_recvmsg (net/socket.c:2889)
[ 16.807707][ T327] ? __pfx___sys_recvmsg (net/socket.c:2874)
[ 16.807858][ T327] ? do_user_addr_fault (./include/linux/rcupdate.h:882 ./include/linux/mm.h:742 arch/x86/mm/fault.c:1340)
[ 16.808004][ T327] __x64_sys_sendto (net/socket.c:2211)
[ 16.808148][ T327] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 16.808324][ T327] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 16.808466][ T327] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[   16.808645][  T327] RIP: 0033:0x7ff3c8891a4a
[ 16.808795][ T327] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
All code
========
   0:	d8 64 89 02          	fsubs  0x2(%rcx,%rcx,4)
   4:	48 c7 c0 ff ff ff ff 	mov    $0xffffffffffffffff,%rax
   b:	eb b8                	jmp    0xffffffffffffffc5
   d:	0f 1f 00             	nopl   (%rax)
  10:	f3 0f 1e fa          	endbr64
  14:	41 89 ca             	mov    %ecx,%r10d
  17:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  1e:	00 
  1f:	85 c0                	test   %eax,%eax
  21:	75 15                	jne    0x38
  23:	b8 2c 00 00 00       	mov    $0x2c,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 7e                	ja     0xb0
  32:	c3                   	ret
  33:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  38:	41 54                	push   %r12
  3a:	48 83 ec 30          	sub    $0x30,%rsp
  3e:	44                   	rex.R
  3f:	89                   	.byte 0x89

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 7e                	ja     0x86
   8:	c3                   	ret
   9:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
   e:	41 54                	push   %r12
  10:	48 83 ec 30          	sub    $0x30,%rsp
  14:	44                   	rex.R
  15:	89                   	.byte 0x89
[   16.809301][  T327] RSP: 002b:00007ffd8babfd48 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   16.809521][  T327] RAX: ffffffffffffffda RBX: 00000000280ab2a0 RCX: 00007ff3c8891a4a
[   16.809733][  T327] RDX: 0000000000000044 RSI: 00000000280ab3b0 RDI: 0000000000000005
[   16.809949][  T327] RBP: 0000000000486020 R08: 00007ff3c894e200 R09: 000000000000000c
[   16.810164][  T327] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000280ab340
[   16.810376][  T327] R13: 0000000000000000 R14: 00000000280ab350 R15: 00000000280ab2a0
| [   16.813761][  T327] Disabling lock debugging due to kernel taint
| [   16.813946][  T327] Oops: general protection fault, probably for non-canonical address 0xf99995999999999c: 0000 [#1] PREEMPT SMP KASAN NOPTI
| [   16.814287][  T327] KASAN: maybe wild-memory-access in range [0xcccccccccccccce0-0xcccccccccccccce7]
| [   16.814775][  T327] Tainted: [B]=BAD_PAGE
[   16.814884][  T327] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 16.815058][ T327] RIP: 0010:page_pool_item_uninit (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/linux/refcount.h:136 net/core/page_pool.c:524)
[ 16.815240][ T327] Code: a8 48 bb 00 00 00 00 00 fc ff df 48 c1 ed 03 48 01 dd 4d 8d 75 1c be 04 00 00 00 4c 89 f7 e8 ad 6d 63 fe 4c 89 f0 48 c1 e8 03 <0f> b6 14 18 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 62 41
All code
========
   0:	a8 48                	test   $0x48,%al
   2:	bb 00 00 00 00       	mov    $0x0,%ebx
   7:	00 fc                	add    %bh,%ah
   9:	ff                   	(bad)
   a:	df 48 c1             	fisttps -0x3f(%rax)
   d:	ed                   	in     (%dx),%eax
   e:	03 48 01             	add    0x1(%rax),%ecx
  11:	dd 4d 8d             	fisttpll -0x73(%rbp)
  14:	75 1c                	jne    0x32
  16:	be 04 00 00 00       	mov    $0x4,%esi
  1b:	4c 89 f7             	mov    %r14,%rdi
  1e:	e8 ad 6d 63 fe       	call   0xfffffffffe636dd0
  23:	4c 89 f0             	mov    %r14,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
  2a:*	0f b6 14 18          	movzbl (%rax,%rbx,1),%edx		<-- trapping instruction
  2e:	4c 89 f0             	mov    %r14,%rax
  31:	83 e0 07             	and    $0x7,%eax
  34:	83 c0 03             	add    $0x3,%eax
  37:	38 d0                	cmp    %dl,%al
  39:	7c 04                	jl     0x3f
  3b:	84 d2                	test   %dl,%dl
  3d:	75 62                	jne    0xa1
  3f:	41                   	rex.B

Code starting with the faulting instruction
===========================================
   0:	0f b6 14 18          	movzbl (%rax,%rbx,1),%edx
   4:	4c 89 f0             	mov    %r14,%rax
   7:	83 e0 07             	and    $0x7,%eax
   a:	83 c0 03             	add    $0x3,%eax
   d:	38 d0                	cmp    %dl,%al
   f:	7c 04                	jl     0x15
  11:	84 d2                	test   %dl,%dl
  13:	75 62                	jne    0x77
  15:	41                   	rex.B
[   16.815734][  T327] RSP: 0018:ffffc900005a72e0 EFLAGS: 00010a06
[   16.815911][  T327] RAX: 199999999999999c RBX: dffffc0000000000 RCX: ffffffffa6c9f6e3
[   16.816118][  T327] RDX: 0000000000000000 RSI: 0000000000000004 RDI: cccccccccccccce0
[   16.816325][  T327] RBP: fffffbfff5064c78 R08: 0000000000000000 R09: fffffbfff543f688
[   16.816536][  T327] R10: ffffffffaa1fb447 R11: 205d373233542020 R12: ffff88800b6c7220
[   16.816740][  T327] R13: ccccccccccccccc4 R14: cccccccccccccce0 R15: 0000000000000000
[   16.816960][  T327] FS:  00007ff3c8741000(0000) GS:ffff88806d000000(0000) knlGS:0000000000000000
[   16.817200][  T327] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   16.817379][  T327] CR2: 00000000280bc088 CR3: 0000000009a0e002 CR4: 0000000000772ef0
[   16.817588][  T327] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   16.817796][  T327] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   16.818005][  T327] PKRU: 55555554
[   16.818110][  T327] Call Trace:
[   16.818214][  T327]  <TASK>
[ 16.818287][ T327] ? die_addr (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:460)
[ 16.818398][ T327] ? exc_general_protection (arch/x86/kernel/traps.c:751 arch/x86/kernel/traps.c:693)
[ 16.818540][ T327] ? asm_exc_general_protection (./arch/x86/include/asm/idtentry.h:617)
[ 16.818681][ T327] ? page_pool_item_uninit (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/linux/refcount.h:136 net/core/page_pool.c:524)
[ 16.818821][ T327] ? page_pool_item_uninit (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/linux/refcount.h:136 net/core/page_pool.c:524)
[ 16.818961][ T327] page_pool_release (net/core/page_pool.c:1431 net/core/page_pool.c:1484)
[ 16.819103][ T327] ? __pfx_page_pool_release (net/core/page_pool.c:1478)
[ 16.819244][ T327] page_pool_destroy (net/core/page_pool.c:1555)
[ 16.819384][ T327] veth_napi_del_range (drivers/net/veth.c:1054 (discriminator 3))
[ 16.819526][ T327] ? __pfx_call_netdevice_notifiers (net/core/dev.c:2095)
[ 16.819700][ T327] veth_set_features (drivers/net/veth.c:1060 drivers/net/veth.c:1494 drivers/net/veth.c:1472)
[ 16.819837][ T327] ? netdev_upper_get_next_dev_rcu (net/core/dev.c:7309 (discriminator 1))
[ 16.820008][ T327] __netdev_update_features (net/core/dev.c:10251)
[ 16.820151][ T327] ? __pfx___netdev_update_features (net/core/dev.c:10224)
[ 16.820326][ T327] ? __pfx_ethnl_parse_header_dev_get.part.0 (net/ethtool/netlink.c:137)
[ 16.820503][ T327] ethnl_set_features (net/ethtool/features.c:262)
[ 16.820644][ T327] ? __pfx_ethnl_set_features (net/ethtool/features.c:211)
[ 16.820784][ T327] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 16.820957][ T327] ? __nla_validate_parse (lib/nlattr.c:638)
[ 16.821098][ T327] ? __nla_parse (lib/nlattr.c:732)
[ 16.821240][ T327] ? genl_family_rcv_msg_attrs_parse.constprop.0 (net/netlink/genetlink.c:947)
[ 16.821446][ T327] genl_family_rcv_msg_doit (net/netlink/genetlink.c:1115)
[ 16.821586][ T327] ? __pfx_genl_family_rcv_msg_doit (net/netlink/genetlink.c:1088)
[ 16.821762][ T327] ? rcu_read_lock_any_held (kernel/rcu/update.c:386 kernel/rcu/update.c:380)
[ 16.821901][ T327] ? validate_chain (kernel/locking/lockdep.c:3797 kernel/locking/lockdep.c:3817 kernel/locking/lockdep.c:3872)
[ 16.822040][ T327] genl_family_rcv_msg (net/netlink/genetlink.c:1195)
[ 16.822183][ T327] ? __pfx_genl_family_rcv_msg (net/netlink/genetlink.c:1160)
[ 16.822322][ T327] ? __pfx_ethnl_set_features (net/ethtool/features.c:211)
[ 16.822463][ T327] genl_rcv_msg (net/netlink/genetlink.c:65 net/netlink/genetlink.c:1211)
[ 16.822601][ T327] netlink_rcv_skb (net/netlink/af_netlink.c:2543)
[ 16.822738][ T327] ? __pfx_genl_rcv_msg (net/netlink/genetlink.c:1201)
[ 16.822878][ T327] ? __pfx_netlink_rcv_skb (net/netlink/af_netlink.c:2520)
[ 16.823020][ T327] ? genl_rcv (net/netlink/genetlink.c:1219)
[ 16.823125][ T327] ? __pfx_down_read (kernel/locking/rwsem.c:1522)
[ 16.823266][ T327] ? netlink_deliver_tap (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:880 net/netlink/af_netlink.c:340)
[ 16.823408][ T327] genl_rcv (net/netlink/genetlink.c:1220)
[ 16.823515][ T327] netlink_unicast (net/netlink/af_netlink.c:1322 net/netlink/af_netlink.c:1348)
[ 16.823656][ T327] ? __pfx_netlink_unicast (net/netlink/af_netlink.c:1333)
[ 16.823795][ T327] ? find_held_lock (kernel/locking/lockdep.c:5339)
[ 16.824017][ T327] netlink_sendmsg (net/netlink/af_netlink.c:1892)
[ 16.824160][ T327] ? __pfx_netlink_sendmsg (net/netlink/af_netlink.c:1811)
[ 16.824301][ T327] ? lock_acquire (kernel/locking/lockdep.c:5822)
[ 16.824441][ T327] ? __might_fault (mm/memory.c:6751 mm/memory.c:6744)
[ 16.824661][ T327] __sys_sendto (net/socket.c:711 net/socket.c:726 net/socket.c:2208)
[ 16.824804][ T327] ? __pfx___sys_sendto (net/socket.c:2175)
[ 16.824946][ T327] ? __lock_release (kernel/locking/lockdep.c:5525)
[ 16.825086][ T327] ? __sys_recvmsg (net/socket.c:2889)
[ 16.825303][ T327] ? __pfx___sys_recvmsg (net/socket.c:2874)
[ 16.825445][ T327] ? do_user_addr_fault (./include/linux/rcupdate.h:882 ./include/linux/mm.h:742 arch/x86/mm/fault.c:1340)
[ 16.825589][ T327] __x64_sys_sendto (net/socket.c:2211)
[ 16.825728][ T327] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 16.825981][ T327] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 16.826123][ T327] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[   16.826295][  T327] RIP: 0033:0x7ff3c8891a4a
[ 16.826437][ T327] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
All code
========
   0:	d8 64 89 02          	fsubs  0x2(%rcx,%rcx,4)
   4:	48 c7 c0 ff ff ff ff 	mov    $0xffffffffffffffff,%rax
   b:	eb b8                	jmp    0xffffffffffffffc5
   d:	0f 1f 00             	nopl   (%rax)
  10:	f3 0f 1e fa          	endbr64
  14:	41 89 ca             	mov    %ecx,%r10d
  17:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  1e:	00 
  1f:	85 c0                	test   %eax,%eax
  21:	75 15                	jne    0x38
  23:	b8 2c 00 00 00       	mov    $0x2c,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 7e                	ja     0xb0
  32:	c3                   	ret
  33:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  38:	41 54                	push   %r12
  3a:	48 83 ec 30          	sub    $0x30,%rsp
  3e:	44                   	rex.R
  3f:	89                   	.byte 0x89

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 7e                	ja     0x86
   8:	c3                   	ret
   9:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
   e:	41 54                	push   %r12
  10:	48 83 ec 30          	sub    $0x30,%rsp
  14:	44                   	rex.R
  15:	89                   	.byte 0x89
[   16.827010][  T327] RSP: 002b:00007ffd8babfd48 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   16.827304][  T327] RAX: ffffffffffffffda RBX: 00000000280ab2a0 RCX: 00007ff3c8891a4a
[   16.827512][  T327] RDX: 0000000000000044 RSI: 00000000280ab3b0 RDI: 0000000000000005
[   16.827720][  T327] RBP: 0000000000486020 R08: 00007ff3c894e200 R09: 000000000000000c
[   16.828006][  T327] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000280ab340


Finger prints:
page_pool_item_uninit:page_pool_release:page_pool_destroy:veth_napi_del_range:veth_set_features
print_report:kasan_report:page_pool_item_uninit:page_pool_release:page_pool_destroy