[ 4465.739695][T18454] netdevsim netdevsim21590 eni21590np1: renamed from eth0
[ 4468.243197][ T1847] ==================================================================
[ 4468.243528][ T1847] BUG: KASAN: slab-use-after-free in page_pool_release_retry+0x21a/0x260
[ 4468.243733][ T1847] Read of size 8 at addr ffff888060d68ee0 by task kworker/1:1/1847
[ 4468.243931][ T1847]
[ 4468.244004][ T1847] CPU: 1 UID: 0 PID: 1847 Comm: kworker/1:1 Not tainted 6.14.0-rc1-virtme #1
[ 4468.244010][ T1847] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 4468.244013][ T1847] Workqueue: events page_pool_release_retry
[ 4468.244019][ T1847] Call Trace:
[ 4468.244021][ T1847]  <TASK>
[ 4468.244024][ T1847]  dump_stack_lvl+0x82/0xd0
[ 4468.244035][ T1847]  print_address_description.constprop.0+0x2c/0x3b0
[ 4468.244044][ T1847]  ? page_pool_release_retry+0x21a/0x260
[ 4468.244048][ T1847]  print_report+0xb4/0x270
[ 4468.244051][ T1847]  ? kasan_addr_to_slab+0x25/0x80
[ 4468.244055][ T1847]  kasan_report+0xbd/0xf0
[ 4468.244059][ T1847]  ? page_pool_release_retry+0x21a/0x260
[ 4468.244065][ T1847]  page_pool_release_retry+0x21a/0x260
[ 4468.244070][ T1847]  process_one_work+0xe55/0x16d0
[ 4468.244078][ T1847]  ? __pfx___lock_release+0x10/0x10
[ 4468.244085][ T1847]  ? __pfx_process_one_work+0x10/0x10
[ 4468.244091][ T1847]  ? assign_work+0x16c/0x240
[ 4468.244097][ T1847]  worker_thread+0x58c/0xce0
[ 4468.244100][ T1847]  ? lockdep_hardirqs_on_prepare+0x275/0x410
[ 4468.244106][ T1847]  ? __pfx_worker_thread+0x10/0x10
[ 4468.244109][ T1847]  kthread+0x359/0x5d0
[ 4468.244115][ T1847]  ? __pfx_kthread+0x10/0x10
[ 4468.244120][ T1847]  ? __pfx_kthread+0x10/0x10
[ 4468.244124][ T1847]  ret_from_fork+0x31/0x70
[ 4468.244129][ T1847]  ? __pfx_kthread+0x10/0x10
[ 4468.244132][ T1847]  ret_from_fork_asm+0x1a/0x30
[ 4468.244153][ T1847]  </TASK>
[ 4468.244154][ T1847]
[ 4468.247584][ T1847] Allocated by task 18465:
[ 4468.247723][ T1847]  kasan_save_stack+0x24/0x50
[ 4468.247860][ T1847]  kasan_save_track+0x14/0x30
[ 4468.247985][ T1847]  __kasan_kmalloc+0x7f/0x90
[ 4468.248111][ T1847]  page_pool_create_percpu+0x76/0x1c0
[ 4468.248238][ T1847]  nsim_open+0x33c/0x8c0 [netdevsim]
[ 4468.248386][ T1847]  __dev_open+0x221/0x490
[ 4468.248480][ T1847]  __dev_change_flags+0x469/0x6c0
[ 4468.248601][ T1847]  dev_change_flags+0x80/0x160
[ 4468.248727][ T1847]  do_setlink.constprop.0+0x79d/0x2300
[ 4468.248850][ T1847]  rtnl_newlink+0x69c/0xa70
[ 4468.248973][ T1847]  rtnetlink_rcv_msg+0x712/0xc10
[ 4468.249115][ T1847]  netlink_rcv_skb+0x130/0x360
[ 4468.249240][ T1847]  netlink_unicast+0x44b/0x710
[ 4468.249365][ T1847]  netlink_sendmsg+0x723/0xbe0
[ 4468.249489][ T1847]  ____sys_sendmsg+0x7ac/0xa10
[ 4468.249625][ T1847]  ___sys_sendmsg+0xee/0x170
[ 4468.249758][ T1847]  __sys_sendmsg+0x109/0x1a0
[ 4468.249882][ T1847]  do_syscall_64+0xc1/0x1d0
[ 4468.250008][ T1847]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 4468.250164][ T1847]
[ 4468.250230][ T1847] Freed by task 1847:
[ 4468.250325][ T1847]  kasan_save_stack+0x24/0x50
[ 4468.250454][ T1847]  kasan_save_track+0x14/0x30
[ 4468.250582][ T1847]  kasan_save_free_info+0x3b/0x60
[ 4468.250728][ T1847]  __kasan_slab_free+0x38/0x50
[ 4468.250864][ T1847]  kfree+0x144/0x320
[ 4468.250963][ T1847]  page_pool_release+0x49e/0x650
[ 4468.251089][ T1847]  page_pool_release_retry+0x23/0x260
[ 4468.251217][ T1847]  process_one_work+0xe55/0x16d0
[ 4468.251347][ T1847]  worker_thread+0x58c/0xce0
[ 4468.251476][ T1847]  kthread+0x359/0x5d0
[ 4468.251574][ T1847]  ret_from_fork+0x31/0x70
[ 4468.251701][ T1847]  ret_from_fork_asm+0x1a/0x30
[ 4468.251832][ T1847]
[ 4468.251897][ T1847] Last potentially related work creation:
[ 4468.252032][ T1847]  kasan_save_stack+0x24/0x50
[ 4468.252159][ T1847]  kasan_record_aux_stack+0x8c/0xa0
[ 4468.252284][ T1847]  insert_work+0x34/0x230
[ 4468.252380][ T1847]  __queue_work+0x5fd/0xa40
[ 4468.252504][ T1847]  call_timer_fn+0x13b/0x230
[ 4468.252632][ T1847]  __run_timers+0x3ff/0x810
[ 4468.252762][ T1847]  timer_expire_remote+0x9e/0xf0
[ 4468.252885][ T1847]  tmigr_handle_remote_cpu+0x278/0x440
[ 4468.253012][ T1847]  tmigr_handle_remote_up+0x1a6/0x270
[ 4468.253134][ T1847]  __walk_groups.isra.0+0x44/0x160
[ 4468.253257][ T1847]  tmigr_handle_remote+0x20b/0x300
[ 4468.253384][ T1847]  handle_softirqs+0x1f6/0x5c0
[ 4468.253514][ T1847]  __irq_exit_rcu+0xc4/0x100
[ 4468.253643][ T1847]  irq_exit_rcu+0xe/0x20
[ 4468.253738][ T1847]  sysvec_apic_timer_interrupt+0x78/0x90
[ 4468.253862][ T1847]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 4468.254015][ T1847]
[ 4468.254080][ T1847] The buggy address belongs to the object at ffff888060d68800
[ 4468.254080][ T1847]  which belongs to the cache kmalloc-2k of size 2048
[ 4468.254400][ T1847] The buggy address is located 1760 bytes inside of
[ 4468.254400][ T1847]  freed 2048-byte region [ffff888060d68800, ffff888060d69000)
[ 4468.254701][ T1847]
[ 4468.254765][ T1847] The buggy address belongs to the physical page:
[ 4468.254921][ T1847] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x60d68
[ 4468.255144][ T1847] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 4468.255337][ T1847] flags: 0x80000000000040(head|node=0|zone=1)
[ 4468.255508][ T1847] page_type: f5(slab)
[ 4468.255605][ T1847] raw: 0080000000000040 ffff888001043240 ffffea000180a610 ffffea00004a3c10
[ 4468.255819][ T1847] raw: 0000000000000000 0000000000050005 00000000f5000000 0000000000000000
[ 4468.256033][ T1847] head: 0080000000000040 ffff888001043240 ffffea000180a610 ffffea00004a3c10
[ 4468.256257][ T1847] head: 0000000000000000 0000000000050005 00000000f5000000 0000000000000000
[ 4468.256470][ T1847] head: 0080000000000003 ffffea0001835a01 ffffffffffffffff 0000000000000000
[ 4468.256704][ T1847] head: ffff888000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 4468.256921][ T1847] page dumped because: kasan: bad access detected
[ 4468.257081][ T1847]
[ 4468.257148][ T1847] Memory state around the buggy address:
[ 4468.257271][ T1847]  ffff888060d68d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4468.257454][ T1847]  ffff888060d68e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4468.257634][ T1847] >ffff888060d68e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4468.257814][ T1847]                                                        ^
[ 4468.257997][ T1847]  ffff888060d68f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4468.258176][ T1847]  ffff888060d68f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4468.258351][ T1847] ==================================================================
[ 4468.258618][ T1847] Disabling lock debugging due to kernel taint
[ 4468.718972][T18454] netdevsim netdevsim3525 eni3525np1: renamed from eth0
[ 4470.902882][T18478] netdevsim netdevsim1610 eni1610np1: renamed from eth0