[ 4368.345105][ T2602] netdevsim netdevsim3416 eni3416np1: renamed from eth0
[ 4370.755182][T28208] ==================================================================
[ 4370.755478][T28208] BUG: KASAN: slab-use-after-free in page_pool_release_retry+0x21a/0x260
[ 4370.755664][T28208] Read of size 8 at addr ffff8880175d26e0 by task kworker/1:2/28208
[ 4370.755841][T28208]
[ 4370.755903][T28208] CPU: 1 UID: 0 PID: 28208 Comm: kworker/1:2 Not tainted 6.14.0-rc1-virtme #1
[ 4370.755908][T28208] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 4370.755910][T28208] Workqueue: events page_pool_release_retry
[ 4370.755915][T28208] Call Trace:
[ 4370.755917][T28208]
[ 4370.755919][T28208]  dump_stack_lvl+0x82/0xd0
[ 4370.755927][T28208]  print_address_description.constprop.0+0x2c/0x3b0
[ 4370.755934][T28208]  ? page_pool_release_retry+0x21a/0x260
[ 4370.755938][T28208]  print_report+0xb4/0x270
[ 4370.755941][T28208]  ? kasan_addr_to_slab+0x25/0x80
[ 4370.755944][T28208]  kasan_report+0xbd/0xf0
[ 4370.755948][T28208]  ? page_pool_release_retry+0x21a/0x260
[ 4370.755953][T28208]  page_pool_release_retry+0x21a/0x260
[ 4370.755958][T28208]  process_one_work+0xe55/0x16d0
[ 4370.755965][T28208]  ? __pfx___lock_release+0x10/0x10
[ 4370.755971][T28208]  ? __pfx_process_one_work+0x10/0x10
[ 4370.755976][T28208]  ? assign_work+0x16c/0x240
[ 4370.755981][T28208]  worker_thread+0x58c/0xce0
[ 4370.755984][T28208]  ? lockdep_hardirqs_on_prepare+0x275/0x410
[ 4370.755989][T28208]  ? __pfx_worker_thread+0x10/0x10
[ 4370.755993][T28208]  kthread+0x359/0x5d0
[ 4370.755997][T28208]  ? __pfx_kthread+0x10/0x10
[ 4370.756002][T28208]  ? __pfx_kthread+0x10/0x10
[ 4370.756006][T28208]  ret_from_fork+0x31/0x70
[ 4370.756010][T28208]  ? __pfx_kthread+0x10/0x10
[ 4370.756013][T28208]  ret_from_fork_asm+0x1a/0x30
[ 4370.756021][T28208]
[ 4370.756022][T28208]
[ 4370.759296][T28208] Allocated by task 2613:
[ 4370.759389][T28208]  kasan_save_stack+0x24/0x50
[ 4370.759514][T28208]  kasan_save_track+0x14/0x30
[ 4370.759636][T28208]  __kasan_kmalloc+0x7f/0x90
[ 4370.759755][T28208]  page_pool_create_percpu+0x76/0x1c0
[ 4370.759874][T28208]  nsim_open+0x33c/0x8c0 [netdevsim]
[ 4370.760013][T28208]  __dev_open+0x221/0x490
[ 4370.760106][T28208]  __dev_change_flags+0x469/0x6c0
[ 4370.760225][T28208]  dev_change_flags+0x80/0x160
[ 4370.760348][T28208]  do_setlink.constprop.0+0x79d/0x2300
[ 4370.760470][T28208]  rtnl_newlink+0x69c/0xa70
[ 4370.760588][T28208]  rtnetlink_rcv_msg+0x712/0xc10
[ 4370.760706][T28208]  netlink_rcv_skb+0x130/0x360
[ 4370.760825][T28208]  netlink_unicast+0x44b/0x710
[ 4370.760942][T28208]  netlink_sendmsg+0x723/0xbe0
[ 4370.761062][T28208]  ____sys_sendmsg+0x7ac/0xa10
[ 4370.761199][T28208]  ___sys_sendmsg+0xee/0x170
[ 4370.761326][T28208]  __sys_sendmsg+0x109/0x1a0
[ 4370.761449][T28208]  do_syscall_64+0xc1/0x1d0
[ 4370.761580][T28208]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 4370.761736][T28208]
[ 4370.761802][T28208] Freed by task 28208:
[ 4370.761897][T28208]  kasan_save_stack+0x24/0x50
[ 4370.762021][T28208]  kasan_save_track+0x14/0x30
[ 4370.762143][T28208]  kasan_save_free_info+0x3b/0x60
[ 4370.762266][T28208]  __kasan_slab_free+0x38/0x50
[ 4370.762387][T28208]  kfree+0x144/0x320
[ 4370.762480][T28208]  page_pool_release+0x49e/0x650
[ 4370.762603][T28208]  page_pool_release_retry+0x23/0x260
[ 4370.762728][T28208]  process_one_work+0xe55/0x16d0
[ 4370.762849][T28208]  worker_thread+0x58c/0xce0
[ 4370.762970][T28208]  kthread+0x359/0x5d0
[ 4370.763073][T28208]  ret_from_fork+0x31/0x70
[ 4370.763197][T28208]  ret_from_fork_asm+0x1a/0x30
[ 4370.763319][T28208]
[ 4370.763382][T28208] Last potentially related work creation:
[ 4370.763506][T28208]  kasan_save_stack+0x24/0x50
[ 4370.763631][T28208]  kasan_record_aux_stack+0x8c/0xa0
[ 4370.763755][T28208]  insert_work+0x34/0x230
[ 4370.763849][T28208]  __queue_work+0x5fd/0xa40
[ 4370.763971][T28208]  call_timer_fn+0x13b/0x230
[ 4370.764098][T28208]  __run_timers+0x3ff/0x810
[ 4370.764219][T28208]  timer_expire_remote+0x9e/0xf0
[ 4370.764342][T28208]  tmigr_handle_remote_cpu+0x278/0x440
[ 4370.764468][T28208]  tmigr_handle_remote_up+0x1a6/0x270
[ 4370.764592][T28208]  __walk_groups.isra.0+0x44/0x160
[ 4370.764721][T28208]  tmigr_handle_remote+0x20b/0x300
[ 4370.764845][T28208]  handle_softirqs+0x1f6/0x5c0
[ 4370.764971][T28208]  __irq_exit_rcu+0xc4/0x100
[ 4370.765094][T28208]  irq_exit_rcu+0xe/0x20
[ 4370.765187][T28208]  sysvec_apic_timer_interrupt+0x78/0x90
[ 4370.765310][T28208]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 4370.765462][T28208]
[ 4370.765538][T28208] The buggy address belongs to the object at ffff8880175d2000
[ 4370.765538][T28208]  which belongs to the cache kmalloc-2k of size 2048
[ 4370.765827][T28208] The buggy address is located 1760 bytes inside of
[ 4370.765827][T28208]  freed 2048-byte region [ffff8880175d2000, ffff8880175d2800)
[ 4370.766119][T28208]
[ 4370.766183][T28208] The buggy address belongs to the physical page:
[ 4370.766336][T28208] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x175d0
[ 4370.766551][T28208] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 4370.766732][T28208] flags: 0x80000000000040(head|node=0|zone=1)
[ 4370.766887][T28208] page_type: f5(slab)
[ 4370.766987][T28208] raw: 0080000000000040 ffff888001043240 ffffea00005f0a10 ffffea0000623410
[ 4370.767204][T28208] raw: 0000000000000000 0000000000050005 00000000f5000000 0000000000000000
[ 4370.767417][T28208] head: 0080000000000040 ffff888001043240 ffffea00005f0a10 ffffea0000623410
[ 4370.767633][T28208] head: 0000000000000000 0000000000050005 00000000f5000000 0000000000000000
[ 4370.767845][T28208] head: 0080000000000003 ffffea00005d7401 ffffffffffffffff 0000000000000000
[ 4370.768059][T28208] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 4370.768269][T28208] page dumped because: kasan: bad access detected
[ 4370.768418][T28208]
[ 4370.768481][T28208] Memory state around the buggy address:
[ 4370.768600][T28208]  ffff8880175d2580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4370.768776][T28208]  ffff8880175d2600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4370.768954][T28208] >ffff8880175d2680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4370.769129][T28208]                                                        ^
[ 4370.769301][T28208]  ffff8880175d2700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4370.769476][T28208]  ffff8880175d2780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4370.769652][T28208] ==================================================================
[ 4370.769856][T28208] Disabling lock debugging due to kernel taint
[ 4371.218697][ T2602] netdevsim netdevsim18216 eni18216np1: renamed from eth0
[ 4373.367900][ T2630] netdevsim netdevsim2183 eni2183np1: renamed from eth0