[ 4051.903691][T19843] ==================================================================
[ 4051.903989][T19843] BUG: KASAN: slab-use-after-free in page_pool_release_retry+0x21a/0x260
[ 4051.904182][T19843] Read of size 8 at addr ffff888014f5eee0 by task kworker/3:2/19843
[ 4051.904361][T19843] 
[ 4051.904431][T19843] CPU: 3 UID: 0 PID: 19843 Comm: kworker/3:2 Not tainted 6.14.0-rc1-virtme #1
[ 4051.904437][T19843] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 4051.904439][T19843] Workqueue: events page_pool_release_retry
[ 4051.904446][T19843] Call Trace:
[ 4051.904448][T19843]  <TASK>
[ 4051.904450][T19843]  dump_stack_lvl+0x82/0xd0
[ 4051.904461][T19843]  print_address_description.constprop.0+0x2c/0x3b0
[ 4051.904470][T19843]  ? page_pool_release_retry+0x21a/0x260
[ 4051.904474][T19843]  print_report+0xb4/0x270
[ 4051.904477][T19843]  ? kasan_addr_to_slab+0x25/0x80
[ 4051.904481][T19843]  kasan_report+0xbd/0xf0
[ 4051.904484][T19843]  ? page_pool_release_retry+0x21a/0x260
[ 4051.904491][T19843]  page_pool_release_retry+0x21a/0x260
[ 4051.904495][T19843]  process_one_work+0xe55/0x16d0
[ 4051.904504][T19843]  ? __pfx___lock_release+0x10/0x10
[ 4051.904511][T19843]  ? __pfx_process_one_work+0x10/0x10
[ 4051.904517][T19843]  ? assign_work+0x16c/0x240
[ 4051.904524][T19843]  worker_thread+0x58c/0xce0
[ 4051.904526][T19843]  ? lockdep_hardirqs_on_prepare+0x275/0x410
[ 4051.904532][T19843]  ? __pfx_worker_thread+0x10/0x10
[ 4051.904535][T19843]  kthread+0x359/0x5d0
[ 4051.904541][T19843]  ? __pfx_kthread+0x10/0x10
[ 4051.904546][T19843]  ? __pfx_kthread+0x10/0x10
[ 4051.904550][T19843]  ret_from_fork+0x31/0x70
[ 4051.904556][T19843]  ? __pfx_kthread+0x10/0x10
[ 4051.904559][T19843]  ret_from_fork_asm+0x1a/0x30
[ 4051.904569][T19843]  </TASK>
[ 4051.904570][T19843] 
[ 4051.907927][T19843] Allocated by task 5352:
[ 4051.908021][T19843]  kasan_save_stack+0x24/0x50
[ 4051.908149][T19843]  kasan_save_track+0x14/0x30
[ 4051.908272][T19843]  __kasan_kmalloc+0x7f/0x90
[ 4051.908394][T19843]  page_pool_create_percpu+0x76/0x1c0
[ 4051.908520][T19843]  __veth_napi_enable_range+0x166/0x9a0
[ 4051.908648][T19843]  veth_enable_xdp+0x272/0x5a0
[ 4051.908773][T19843]  veth_xdp_set+0x3ab/0x6d0
[ 4051.908896][T19843]  dev_xdp_install+0x19f/0x480
[ 4051.909021][T19843]  dev_xdp_attach+0x53f/0x1130
[ 4051.909151][T19843]  dev_change_xdp_fd+0x244/0x290
[ 4051.909279][T19843]  do_setlink.constprop.0+0x1ce2/0x2300
[ 4051.909403][T19843]  rtnl_newlink+0x69c/0xa70
[ 4051.909531][T19843]  rtnetlink_rcv_msg+0x712/0xc10
[ 4051.909658][T19843]  netlink_rcv_skb+0x130/0x360
[ 4051.909786][T19843]  netlink_unicast+0x44b/0x710
[ 4051.909916][T19843]  netlink_sendmsg+0x723/0xbe0
[ 4051.910044][T19843]  ____sys_sendmsg+0x7ac/0xa10
[ 4051.910175][T19843]  ___sys_sendmsg+0xee/0x170
[ 4051.910308][T19843]  __sys_sendmsg+0x109/0x1a0
[ 4051.910442][T19843]  do_syscall_64+0xc1/0x1d0
[ 4051.910571][T19843]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 4051.910736][T19843] 
[ 4051.910810][T19843] Freed by task 19843:
[ 4051.910906][T19843]  kasan_save_stack+0x24/0x50
[ 4051.911032][T19843]  kasan_save_track+0x14/0x30
[ 4051.911155][T19843]  kasan_save_free_info+0x3b/0x60
[ 4051.911281][T19843]  __kasan_slab_free+0x38/0x50
[ 4051.911404][T19843]  kfree+0x144/0x320
[ 4051.911505][T19843]  page_pool_release+0x49e/0x650
[ 4051.911631][T19843]  page_pool_release_retry+0x23/0x260
[ 4051.911772][T19843]  process_one_work+0xe55/0x16d0
[ 4051.911894][T19843]  worker_thread+0x58c/0xce0
[ 4051.912017][T19843]  kthread+0x359/0x5d0
[ 4051.912113][T19843]  ret_from_fork+0x31/0x70
[ 4051.912241][T19843]  ret_from_fork_asm+0x1a/0x30
[ 4051.912365][T19843] 
[ 4051.912429][T19843] Last potentially related work creation:
[ 4051.912554][T19843]  kasan_save_stack+0x24/0x50
[ 4051.912685][T19843]  kasan_record_aux_stack+0x8c/0xa0
[ 4051.912811][T19843]  insert_work+0x34/0x230
[ 4051.912907][T19843]  __queue_work+0x5fd/0xa40
[ 4051.913033][T19843]  call_timer_fn+0x13b/0x230
[ 4051.913165][T19843]  __run_timers+0x3ff/0x810
[ 4051.913291][T19843]  timer_expire_remote+0x9e/0xf0
[ 4051.913418][T19843]  tmigr_handle_remote_cpu+0x278/0x440
[ 4051.913558][T19843]  tmigr_handle_remote_up+0x1a6/0x270
[ 4051.913690][T19843]  __walk_groups.isra.0+0x44/0x160
[ 4051.913818][T19843]  tmigr_handle_remote+0x20b/0x300
[ 4051.913950][T19843]  handle_softirqs+0x1f6/0x5c0
[ 4051.914078][T19843]  do_softirq+0x4d/0xa0
[ 4051.914174][T19843]  __local_bh_enable_ip+0xf6/0x120
[ 4051.914302][T19843]  __dev_queue_xmit+0x7bf/0x18d0
[ 4051.914430][T19843]  ip_finish_output2+0x768/0x1860
[ 4051.914563][T19843]  ip_output+0x174/0x4f0
[ 4051.914658][T19843]  ip_send_skb+0x2e0/0x440
[ 4051.914784][T19843]  udp_send_skb+0x5f6/0x1990
[ 4051.914914][T19843]  udp_sendmsg+0x14c9/0x22d0
[ 4051.915038][T19843]  ____sys_sendmsg+0x76c/0xa10
[ 4051.915163][T19843]  ___sys_sendmsg+0xee/0x170
[ 4051.915293][T19843]  __sys_sendmsg+0x109/0x1a0
[ 4051.915421][T19843]  do_syscall_64+0xc1/0x1d0
[ 4051.915547][T19843]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 4051.915700][T19843] 
[ 4051.915767][T19843] Second to last potentially related work creation:
[ 4051.915921][T19843]  kasan_save_stack+0x24/0x50
[ 4051.916051][T19843]  kasan_record_aux_stack+0x8c/0xa0
[ 4051.916178][T19843]  insert_work+0x34/0x230
[ 4051.916273][T19843]  __queue_work+0x5fd/0xa40
[ 4051.916397][T19843]  call_timer_fn+0x13b/0x230
[ 4051.916530][T19843]  __run_timers+0x3ff/0x810
[ 4051.916657][T19843]  run_timer_softirq+0xee/0x1c0
[ 4051.916784][T19843]  handle_softirqs+0x1f6/0x5c0
[ 4051.916918][T19843]  __irq_exit_rcu+0xc4/0x100
[ 4051.917044][T19843]  irq_exit_rcu+0xe/0x20
[ 4051.917139][T19843]  sysvec_apic_timer_interrupt+0x78/0x90
[ 4051.917269][T19843]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 4051.917432][T19843] 
[ 4051.917501][T19843] The buggy address belongs to the object at ffff888014f5e800
[ 4051.917501][T19843]  which belongs to the cache kmalloc-2k of size 2048
[ 4051.917805][T19843] The buggy address is located 1760 bytes inside of
[ 4051.917805][T19843]  freed 2048-byte region [ffff888014f5e800, ffff888014f5f000)
[ 4051.918101][T19843] 
[ 4051.918165][T19843] The buggy address belongs to the physical page:
[ 4051.918327][T19843] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14f58
[ 4051.918546][T19843] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 4051.918730][T19843] flags: 0x80000000000040(head|node=0|zone=1)
[ 4051.918889][T19843] page_type: f5(slab)
[ 4051.918991][T19843] raw: 0080000000000040 ffff888001043240 ffffea00000ace10 ffffea0000156610
[ 4051.919217][T19843] raw: 0000000000000000 0000000000050005 00000000f5000000 0000000000000000
[ 4051.919439][T19843] head: 0080000000000040 ffff888001043240 ffffea00000ace10 ffffea0000156610
[ 4051.919661][T19843] head: 0000000000000000 0000000000050005 00000000f5000000 0000000000000000
[ 4051.919883][T19843] head: 0080000000000003 ffffea000053d601 ffffffffffffffff 0000000000000000
[ 4051.920106][T19843] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 4051.920329][T19843] page dumped because: kasan: bad access detected
[ 4051.920485][T19843] 
[ 4051.920551][T19843] Memory state around the buggy address:
[ 4051.920678][T19843]  ffff888014f5ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4051.920867][T19843]  ffff888014f5ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4051.921052][T19843] >ffff888014f5ee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4051.921234][T19843]                                                        ^
[ 4051.921422][T19843]  ffff888014f5ef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4051.921597][T19843]  ffff888014f5ef80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4051.921780][T19843] ==================================================================
[ 4051.921991][T19843] Disabling lock debugging due to kernel taint