[ 4473.065804][T19695] ==================================================================
[ 4473.066100][T19695] BUG: KASAN: slab-use-after-free in page_pool_release_retry+0x21a/0x260
[ 4473.066303][T19695] Read of size 8 at addr ffff888011710ee0 by task kworker/1:0/19695
[ 4473.066483][T19695]
[ 4473.066550][T19695] CPU: 1 UID: 0 PID: 19695 Comm: kworker/1:0 Not tainted 6.14.0-rc1-virtme #1
[ 4473.066555][T19695] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 4473.066558][T19695] Workqueue: events page_pool_release_retry
[ 4473.066565][T19695] Call Trace:
[ 4473.066567][T19695]
[ 4473.066569][T19695]  dump_stack_lvl+0x82/0xd0
[ 4473.066580][T19695]  print_address_description.constprop.0+0x2c/0x3b0
[ 4473.066589][T19695]  ? page_pool_release_retry+0x21a/0x260
[ 4473.066593][T19695]  print_report+0xb4/0x270
[ 4473.066596][T19695]  ? kasan_addr_to_slab+0x25/0x80
[ 4473.066599][T19695]  kasan_report+0xbd/0xf0
[ 4473.066603][T19695]  ? page_pool_release_retry+0x21a/0x260
[ 4473.066610][T19695]  page_pool_release_retry+0x21a/0x260
[ 4473.066615][T19695]  process_one_work+0xe55/0x16d0
[ 4473.066623][T19695]  ? __pfx___lock_release+0x10/0x10
[ 4473.066630][T19695]  ? __pfx_process_one_work+0x10/0x10
[ 4473.066636][T19695]  ? assign_work+0x16c/0x240
[ 4473.066642][T19695]  worker_thread+0x58c/0xce0
[ 4473.066645][T19695]  ? lockdep_hardirqs_on_prepare+0x275/0x410
[ 4473.066651][T19695]  ? __pfx_worker_thread+0x10/0x10
[ 4473.066654][T19695]  kthread+0x359/0x5d0
[ 4473.066660][T19695]  ? __pfx_kthread+0x10/0x10
[ 4473.066665][T19695]  ? __pfx_kthread+0x10/0x10
[ 4473.066669][T19695]  ret_from_fork+0x31/0x70
[ 4473.066675][T19695]  ? __pfx_kthread+0x10/0x10
[ 4473.066678][T19695]  ret_from_fork_asm+0x1a/0x30
[ 4473.066687][T19695]
[ 4473.066689][T19695]
[ 4473.069978][T19695] Allocated by task 20910:
[ 4473.070101][T19695]  kasan_save_stack+0x24/0x50
[ 4473.070229][T19695]  kasan_save_track+0x14/0x30
[ 4473.070350][T19695]  __kasan_kmalloc+0x7f/0x90
[ 4473.070471][T19695]  page_pool_create_percpu+0x76/0x1c0
[ 4473.070595][T19695]  __veth_napi_enable_range+0x166/0x9a0
[ 4473.070724][T19695]  veth_enable_xdp+0x272/0x5a0
[ 4473.070850][T19695]  veth_xdp_set+0x3ab/0x6d0
[ 4473.070972][T19695]  dev_xdp_install+0x19f/0x480
[ 4473.071103][T19695]  dev_xdp_attach+0x53f/0x1130
[ 4473.071231][T19695]  dev_change_xdp_fd+0x244/0x290
[ 4473.071354][T19695]  do_setlink.constprop.0+0x1ce2/0x2300
[ 4473.071479][T19695]  rtnl_newlink+0x69c/0xa70
[ 4473.071603][T19695]  rtnetlink_rcv_msg+0x712/0xc10
[ 4473.071726][T19695]  netlink_rcv_skb+0x130/0x360
[ 4473.071855][T19695]  netlink_unicast+0x44b/0x710
[ 4473.071978][T19695]  netlink_sendmsg+0x723/0xbe0
[ 4473.072101][T19695]  ____sys_sendmsg+0x7ac/0xa10
[ 4473.072225][T19695]  ___sys_sendmsg+0xee/0x170
[ 4473.072349][T19695]  __sys_sendmsg+0x109/0x1a0
[ 4473.072472][T19695]  do_syscall_64+0xc1/0x1d0
[ 4473.072596][T19695]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 4473.072751][T19695]
[ 4473.072884][T19695] Freed by task 19695:
[ 4473.072977][T19695]  kasan_save_stack+0x24/0x50
[ 4473.073100][T19695]  kasan_save_track+0x14/0x30
[ 4473.073224][T19695]  kasan_save_free_info+0x3b/0x60
[ 4473.073345][T19695]  __kasan_slab_free+0x38/0x50
[ 4473.073528][T19695]  kfree+0x144/0x320
[ 4473.073621][T19695]  page_pool_release+0x49e/0x650
[ 4473.073745][T19695]  page_pool_release_retry+0x23/0x260
[ 4473.073872][T19695]  process_one_work+0xe55/0x16d0
[ 4473.074053][T19695]  worker_thread+0x58c/0xce0
[ 4473.074173][T19695]  kthread+0x359/0x5d0
[ 4473.074268][T19695]  ret_from_fork+0x31/0x70
[ 4473.074390][T19695]  ret_from_fork_asm+0x1a/0x30
[ 4473.074575][T19695]
[ 4473.074638][T19695] Last potentially related work creation:
[ 4473.074761][T19695]  kasan_save_stack+0x24/0x50
[ 4473.074891][T19695]  kasan_record_aux_stack+0x8c/0xa0
[ 4473.075019][T19695]  insert_work+0x34/0x230
[ 4473.075177][T19695]  __queue_work+0x5fd/0xa40
[ 4473.075303][T19695]  call_timer_fn+0x13b/0x230
[ 4473.075431][T19695]  __run_timers+0x3ff/0x810
[ 4473.075555][T19695]  run_timer_softirq+0xee/0x1c0
[ 4473.075738][T19695]  handle_softirqs+0x1f6/0x5c0
[ 4473.075859][T19695]  run_ksoftirqd+0x33/0x60
[ 4473.075984][T19695]  smpboot_thread_fn+0x306/0x850
[ 4473.076114][T19695]  kthread+0x359/0x5d0
[ 4473.076208][T19695]  ret_from_fork+0x31/0x70
[ 4473.076332][T19695]  ret_from_fork_asm+0x1a/0x30
[ 4473.076456][T19695]
[ 4473.076520][T19695] Second to last potentially related work creation:
[ 4473.076729][T19695]  kasan_save_stack+0x24/0x50
[ 4473.076858][T19695]  kasan_record_aux_stack+0x8c/0xa0
[ 4473.076983][T19695]  insert_work+0x34/0x230
[ 4473.077084][T19695]  __queue_work+0x5fd/0xa40
[ 4473.077207][T19695]  call_timer_fn+0x13b/0x230
[ 4473.077395][T19695]  __run_timers+0x3ff/0x810
[ 4473.077517][T19695]  run_timer_softirq+0xee/0x1c0
[ 4473.077640][T19695]  handle_softirqs+0x1f6/0x5c0
[ 4473.077763][T19695]  __irq_exit_rcu+0xc4/0x100
[ 4473.077949][T19695]  irq_exit_rcu+0xe/0x20
[ 4473.078042][T19695]  sysvec_apic_timer_interrupt+0x78/0x90
[ 4473.078170][T19695]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 4473.078323][T19695]
[ 4473.078446][T19695] The buggy address belongs to the object at ffff888011710800
[ 4473.078446][T19695]  which belongs to the cache kmalloc-2k of size 2048
[ 4473.078749][T19695] The buggy address is located 1760 bytes inside of
[ 4473.078749][T19695]  freed 2048-byte region [ffff888011710800, ffff888011711000)
[ 4473.079108][T19695]
[ 4473.079171][T19695] The buggy address belongs to the physical page:
[ 4473.079322][T19695] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888011713800 pfn:0x11710
[ 4473.079631][T19695] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 4473.079819][T19695] flags: 0x80000000000240(workingset|head|node=0|zone=1)
[ 4473.079982][T19695] page_type: f5(slab)
[ 4473.080147][T19695] raw: 0080000000000240 ffff888001043240 ffffea00003ee610 ffffea0000186610
[ 4473.080370][T19695] raw: ffff888011713800 0000000000050004 00000000f5000000 0000000000000000
[ 4473.080654][T19695] head: 0080000000000240 ffff888001043240 ffffea00003ee610 ffffea0000186610
[ 4473.080874][T19695] head: ffff888011713800 0000000000050004 00000000f5000000 0000000000000000
[ 4473.081096][T19695] head: 0080000000000003 ffffea000045c401 ffffffffffffffff 0000000000000000
[ 4473.081318][T19695] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 4473.081537][T19695] page dumped because: kasan: bad access detected
[ 4473.081757][T19695]
[ 4473.081823][T19695] Memory state around the buggy address:
[ 4473.081944][T19695]  ffff888011710d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4473.082131][T19695]  ffff888011710e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4473.082367][T19695] >ffff888011710e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4473.082545][T19695]                                                        ^
[ 4473.082723][T19695]  ffff888011710f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4473.082960][T19695]  ffff888011710f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4473.083139][T19695] ==================================================================
[ 4473.083735][T19695] Disabling lock debugging due to kernel taint