[ 160.902246][ T955] ==================================================================
[ 160.902549][ T955] BUG: KASAN: slab-use-after-free in page_pool_release_retry+0x21a/0x260
[ 160.902736][ T955] Read of size 8 at addr ffff88800ae8eee0 by task kworker/1:2/955
[ 160.902919][ T955]
[ 160.902984][ T955] CPU: 1 UID: 0 PID: 955 Comm: kworker/1:2 Not tainted 6.14.0-rc1-virtme #1
[ 160.902988][ T955] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 160.902990][ T955] Workqueue: events page_pool_release_retry
[ 160.902996][ T955] Call Trace:
[ 160.902998][ T955]
[ 160.903000][ T955] dump_stack_lvl+0x82/0xd0
[ 160.903009][ T955] print_address_description.constprop.0+0x2c/0x3b0
[ 160.903016][ T955] ? page_pool_release_retry+0x21a/0x260
[ 160.903020][ T955] print_report+0xb4/0x270
[ 160.903023][ T955] ? kasan_addr_to_slab+0x25/0x80
[ 160.903026][ T955] kasan_report+0xbd/0xf0
[ 160.903030][ T955] ? page_pool_release_retry+0x21a/0x260
[ 160.903036][ T955] page_pool_release_retry+0x21a/0x260
[ 160.903041][ T955] process_one_work+0xe55/0x16d0
[ 160.903048][ T955] ? __pfx___lock_release+0x10/0x10
[ 160.903054][ T955] ? __pfx_process_one_work+0x10/0x10
[ 160.903059][ T955] ? assign_work+0x16c/0x240
[ 160.903064][ T955] worker_thread+0x58c/0xce0
[ 160.903068][ T955] ? lockdep_hardirqs_on_prepare+0x275/0x410
[ 160.903073][ T955] ? __pfx_worker_thread+0x10/0x10
[ 160.903076][ T955] kthread+0x359/0x5d0
[ 160.903081][ T955] ? __pfx_kthread+0x10/0x10
[ 160.903086][ T955] ? __pfx_kthread+0x10/0x10
[ 160.903090][ T955] ret_from_fork+0x31/0x70
[ 160.903095][ T955] ? __pfx_kthread+0x10/0x10
[ 160.903098][ T955] ret_from_fork_asm+0x1a/0x30
[ 160.903111][ T955]
[ 160.903112][ T955]
[ 160.906422][ T955] Allocated by task 1891:
[ 160.906515][ T955] kasan_save_stack+0x24/0x50
[ 160.906643][ T955] kasan_save_track+0x14/0x30
[ 160.906771][ T955] __kasan_kmalloc+0x7f/0x90
[ 160.906895][ T955] page_pool_create_percpu+0x76/0x1c0
[ 160.907017][ T955] __veth_napi_enable_range+0x166/0x9a0
[ 160.907140][ T955] veth_enable_xdp+0x272/0x5a0
[ 160.907262][ T955] veth_xdp_set+0x3ab/0x6d0
[ 160.907385][ T955] dev_xdp_install+0x19f/0x480
[ 160.907510][ T955] dev_xdp_attach+0x53f/0x1130
[ 160.907633][ T955] dev_change_xdp_fd+0x244/0x290
[ 160.907758][ T955] do_setlink.constprop.0+0x1ce2/0x2300
[ 160.907886][ T955] rtnl_newlink+0x69c/0xa70
[ 160.908010][ T955] rtnetlink_rcv_msg+0x712/0xc10
[ 160.908133][ T955] netlink_rcv_skb+0x130/0x360
[ 160.908258][ T955] netlink_unicast+0x44b/0x710
[ 160.908383][ T955] netlink_sendmsg+0x723/0xbe0
[ 160.908507][ T955] ____sys_sendmsg+0x7ac/0xa10
[ 160.908631][ T955] ___sys_sendmsg+0xee/0x170
[ 160.908759][ T955] __sys_sendmsg+0x109/0x1a0
[ 160.908883][ T955] do_syscall_64+0xc1/0x1d0
[ 160.909006][ T955] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 160.909167][ T955]
[ 160.909231][ T955] Freed by task 955:
[ 160.909322][ T955] kasan_save_stack+0x24/0x50
[ 160.909446][ T955] kasan_save_track+0x14/0x30
[ 160.909567][ T955] kasan_save_free_info+0x3b/0x60
[ 160.909692][ T955] __kasan_slab_free+0x38/0x50
[ 160.909815][ T955] kfree+0x144/0x320
[ 160.909910][ T955] page_pool_release+0x49e/0x650
[ 160.910031][ T955] page_pool_release_retry+0x23/0x260
[ 160.910153][ T955] process_one_work+0xe55/0x16d0
[ 160.910275][ T955] worker_thread+0x58c/0xce0
[ 160.910397][ T955] kthread+0x359/0x5d0
[ 160.910493][ T955] ret_from_fork+0x31/0x70
[ 160.910620][ T955] ret_from_fork_asm+0x1a/0x30
[ 160.910741][ T955]
[ 160.910804][ T955] Last potentially related work creation:
[ 160.910926][ T955] kasan_save_stack+0x24/0x50
[ 160.911050][ T955] kasan_record_aux_stack+0x8c/0xa0
[ 160.911176][ T955] insert_work+0x34/0x230
[ 160.911272][ T955] __queue_work+0x5fd/0xa40
[ 160.911398][ T955] call_timer_fn+0x13b/0x230
[ 160.911528][ T955] __run_timers+0x3ff/0x810
[ 160.911653][ T955] run_timer_softirq+0xee/0x1c0
[ 160.911779][ T955] handle_softirqs+0x1f6/0x5c0
[ 160.911906][ T955] __irq_exit_rcu+0xc4/0x100
[ 160.912031][ T955] irq_exit_rcu+0xe/0x20
[ 160.912125][ T955] sysvec_apic_timer_interrupt+0x78/0x90
[ 160.912252][ T955] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 160.912414][ T955]
[ 160.912480][ T955] Second to last potentially related work creation:
[ 160.912631][ T955] kasan_save_stack+0x24/0x50
[ 160.912757][ T955] kasan_record_aux_stack+0x8c/0xa0
[ 160.912946][ T955] insert_work+0x34/0x230
[ 160.913043][ T955] __queue_work+0x5fd/0xa40
[ 160.913165][ T955] call_timer_fn+0x13b/0x230
[ 160.913287][ T955] __run_timers+0x3ff/0x810
[ 160.913412][ T955] run_timer_softirq+0xee/0x1c0
[ 160.913535][ T955] handle_softirqs+0x1f6/0x5c0
[ 160.913720][ T955] __irq_exit_rcu+0xc4/0x100
[ 160.913846][ T955] irq_exit_rcu+0xe/0x20
[ 160.913941][ T955] sysvec_apic_timer_interrupt+0x78/0x90
[ 160.914063][ T955] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 160.914218][ T955]
[ 160.914280][ T955] The buggy address belongs to the object at ffff88800ae8e800
[ 160.914280][ T955] which belongs to the cache kmalloc-2k of size 2048
[ 160.914635][ T955] The buggy address is located 1760 bytes inside of
[ 160.914635][ T955] freed 2048-byte region [ffff88800ae8e800, ffff88800ae8f000)
[ 160.914928][ T955]
[ 160.914990][ T955] The buggy address belongs to the physical page:
[ 160.915141][ T955] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xae88
[ 160.915366][ T955] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 160.915618][ T955] flags: 0x80000000000040(head|node=0|zone=1)
[ 160.915776][ T955] page_type: f5(slab)
[ 160.915875][ T955] raw: 0080000000000040 ffff888001043240 ffffea0000220210 ffffea0000362610
[ 160.916159][ T955] raw: 0000000000000000 0000000000050005 00000000f5000000 0000000000000000
[ 160.916381][ T955] head: 0080000000000040 ffff888001043240 ffffea0000220210 ffffea0000362610
[ 160.916666][ T955] head: 0000000000000000 0000000000050005 00000000f5000000 0000000000000000
[ 160.916947][ T955] head: 0080000000000003 ffffea00002ba201 ffffffffffffffff 0000000000000000
[ 160.917222][ T955] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 160.917506][ T955] page dumped because: kasan: bad access detected
[ 160.917713][ T955]
[ 160.917830][ T955] Memory state around the buggy address:
[ 160.918005][ T955] ffff88800ae8ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 160.918185][ T955] ffff88800ae8ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 160.918418][ T955] >ffff88800ae8ee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 160.918595][ T955] ^
[ 160.918768][ T955] ffff88800ae8ef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 160.918942][ T955] ffff88800ae8ef80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 160.919119][ T955] ==================================================================
[ 160.919319][ T955] Disabling lock debugging due to kernel taint