[ 208.212977][ T58] ==================================================================
[ 208.213346][ T58] BUG: KASAN: slab-use-after-free in page_pool_release_retry+0x21a/0x260
[ 208.213624][ T58] Read of size 8 at addr ffff88801050d6e0 by task kworker/1:1/58
[ 208.213888][ T58]
[ 208.213985][ T58] CPU: 1 UID: 0 PID: 58 Comm: kworker/1:1 Not tainted 6.14.0-rc1-virtme #1
[ 208.213991][ T58] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 208.213996][ T58] Workqueue: events page_pool_release_retry
[ 208.214004][ T58] Call Trace:
[ 208.214006][ T58]
[ 208.214009][ T58]  dump_stack_lvl+0x82/0xd0
[ 208.214020][ T58]  print_address_description.constprop.0+0x2c/0x3b0
[ 208.214030][ T58]  ? page_pool_release_retry+0x21a/0x260
[ 208.214036][ T58]  print_report+0xb4/0x270
[ 208.214042][ T58]  ? kasan_addr_to_slab+0x25/0x80
[ 208.214048][ T58]  kasan_report+0xbd/0xf0
[ 208.214055][ T58]  ? page_pool_release_retry+0x21a/0x260
[ 208.214065][ T58]  page_pool_release_retry+0x21a/0x260
[ 208.214073][ T58]  process_one_work+0xe55/0x16d0
[ 208.214083][ T58]  ? __pfx___lock_release+0x10/0x10
[ 208.214090][ T58]  ? __pfx_process_one_work+0x10/0x10
[ 208.214100][ T58]  ? assign_work+0x16c/0x240
[ 208.214107][ T58]  worker_thread+0x58c/0xce0
[ 208.214110][ T58]  ? lockdep_hardirqs_on_prepare+0x275/0x410
[ 208.214116][ T58]  ? __pfx_worker_thread+0x10/0x10
[ 208.214119][ T58]  kthread+0x359/0x5d0
[ 208.214124][ T58]  ? __pfx_kthread+0x10/0x10
[ 208.214130][ T58]  ? __pfx_kthread+0x10/0x10
[ 208.214134][ T58]  ret_from_fork+0x31/0x70
[ 208.214139][ T58]  ? __pfx_kthread+0x10/0x10
[ 208.214142][ T58]  ret_from_fork_asm+0x1a/0x30
[ 208.214150][ T58]
[ 208.214152][ T58]
[ 208.219000][ T58] Allocated by task 3155:
[ 208.219145][ T58]  kasan_save_stack+0x24/0x50
[ 208.219340][ T58]  kasan_save_track+0x14/0x30
[ 208.219516][ T58]  __kasan_kmalloc+0x7f/0x90
[ 208.219694][ T58]  page_pool_create_percpu+0x76/0x1c0
[ 208.219877][ T58]  __veth_napi_enable_range+0x166/0x9a0
[ 208.220059][ T58]  veth_enable_xdp+0x272/0x5a0
[ 208.220237][ T58]  veth_xdp_set+0x3ab/0x6d0
[ 208.220418][ T58]  dev_xdp_install+0x19f/0x480
[ 208.220626][ T58]  dev_xdp_attach+0x53f/0x1130
[ 208.220811][ T58]  dev_change_xdp_fd+0x244/0x290
[ 208.220999][ T58]  do_setlink.constprop.0+0x1ce2/0x2300
[ 208.221187][ T58]  rtnl_newlink+0x69c/0xa70
[ 208.221372][ T58]  rtnetlink_rcv_msg+0x712/0xc10
[ 208.221562][ T58]  netlink_rcv_skb+0x130/0x360
[ 208.221761][ T58]  netlink_unicast+0x44b/0x710
[ 208.221942][ T58]  netlink_sendmsg+0x723/0xbe0
[ 208.222130][ T58]  ____sys_sendmsg+0x7ac/0xa10
[ 208.222317][ T58]  ___sys_sendmsg+0xee/0x170
[ 208.222498][ T58]  __sys_sendmsg+0x109/0x1a0
[ 208.222676][ T58]  do_syscall_64+0xc1/0x1d0
[ 208.222855][ T58]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 208.223082][ T58]
[ 208.223175][ T58] Freed by task 58:
[ 208.223309][ T58]  kasan_save_stack+0x24/0x50
[ 208.223497][ T58]  kasan_save_track+0x14/0x30
[ 208.223681][ T58]  kasan_save_free_info+0x3b/0x60
[ 208.223862][ T58]  __kasan_slab_free+0x38/0x50
[ 208.224038][ T58]  kfree+0x144/0x320
[ 208.224175][ T58]  page_pool_release+0x49e/0x650
[ 208.224371][ T58]  page_pool_release_retry+0x23/0x260
[ 208.224561][ T58]  process_one_work+0xe55/0x16d0
[ 208.224748][ T58]  worker_thread+0x58c/0xce0
[ 208.224942][ T58]  kthread+0x359/0x5d0
[ 208.225087][ T58]  ret_from_fork+0x31/0x70
[ 208.225279][ T58]  ret_from_fork_asm+0x1a/0x30
[ 208.225469][ T58]
[ 208.225575][ T58] Last potentially related work creation:
[ 208.225791][ T58]  kasan_save_stack+0x24/0x50
[ 208.225984][ T58]  kasan_record_aux_stack+0x8c/0xa0
[ 208.226174][ T58]  insert_work+0x34/0x230
[ 208.226329][ T58]  __queue_work+0x5fd/0xa40
[ 208.226518][ T58]  call_timer_fn+0x13b/0x230
[ 208.226709][ T58]  __run_timers+0x3ff/0x810
[ 208.226912][ T58]  run_timer_softirq+0xee/0x1c0
[ 208.227093][ T58]  handle_softirqs+0x1f6/0x5c0
[ 208.227276][ T58]  __irq_exit_rcu+0xc4/0x100
[ 208.227457][ T58]  irq_exit_rcu+0xe/0x20
[ 208.227598][ T58]  sysvec_apic_timer_interrupt+0x78/0x90
[ 208.227786][ T58]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 208.228011][ T58]
[ 208.228106][ T58] Second to last potentially related work creation:
[ 208.228326][ T58]  kasan_save_stack+0x24/0x50
[ 208.228518][ T58]  kasan_record_aux_stack+0x8c/0xa0
[ 208.228706][ T58]  insert_work+0x34/0x230
[ 208.228849][ T58]  __queue_work+0x5fd/0xa40
[ 208.229033][ T58]  call_timer_fn+0x13b/0x230
[ 208.229228][ T58]  __run_timers+0x3ff/0x810
[ 208.229412][ T58]  timer_expire_remote+0x9e/0xf0
[ 208.229597][ T58]  tmigr_handle_remote_cpu+0x278/0x440
[ 208.229782][ T58]  tmigr_handle_remote_up+0x1a6/0x270
[ 208.229967][ T58]  __walk_groups.isra.0+0x44/0x160
[ 208.230148][ T58]  tmigr_handle_remote+0x20b/0x300
[ 208.230330][ T58]  handle_softirqs+0x1f6/0x5c0
[ 208.230523][ T58]  __irq_exit_rcu+0xc4/0x100
[ 208.230703][ T58]  irq_exit_rcu+0xe/0x20
[ 208.230842][ T58]  sysvec_apic_timer_interrupt+0x78/0x90
[ 208.231026][ T58]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 208.231263][ T58]
[ 208.231355][ T58] The buggy address belongs to the object at ffff88801050d000
[ 208.231355][ T58]  which belongs to the cache kmalloc-2k of size 2048
[ 208.231788][ T58] The buggy address is located 1760 bytes inside of
[ 208.231788][ T58]  freed 2048-byte region [ffff88801050d000, ffff88801050d800)
[ 208.232211][ T58]
[ 208.232304][ T58] The buggy address belongs to the physical page:
[ 208.232526][ T58] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88801050b800 pfn:0x10508
[ 208.232901][ T58] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 208.233179][ T58] flags: 0x80000000000240(workingset|head|node=0|zone=1)
[ 208.233511][ T58] page_type: f5(slab)
[ 208.233653][ T58] raw: 0080000000000240 ffff888001043240 ffffea00003d0e10 ffffea000043ae10
[ 208.234085][ T58] raw: ffff88801050b800 0000000000050003 00000000f5000000 0000000000000000
[ 208.234410][ T58] head: 0080000000000240 ffff888001043240 ffffea00003d0e10 ffffea000043ae10
[ 208.234726][ T58] head: ffff88801050b800 0000000000050003 00000000f5000000 0000000000000000
[ 208.235158][ T58] head: 0080000000000003 ffffea0000414201 ffffffffffffffff 0000000000000000
[ 208.235475][ T58] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 208.236057][ T58] page dumped because: kasan: bad access detected
[ 208.236288][ T58]
[ 208.236383][ T58] Memory state around the buggy address:
[ 208.236565][ T58]  ffff88801050d580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 208.236838][ T58]  ffff88801050d600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 208.237127][ T58] >ffff88801050d680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 208.237413][ T58]                                                        ^
[ 208.237881][ T58]  ffff88801050d700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 208.238141][ T58]  ffff88801050d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 208.238404][ T58] ==================================================================
[ 208.238789][ T58] Disabling lock debugging due to kernel taint