[ 1099.704602][T10368] br0: port 1(veth0) entered blocking state
[ 1099.705058][T10368] br0: port 1(veth0) entered disabled state
[ 1099.705491][T10368] veth0: entered allmulticast mode
[ 1099.709252][T10368] veth0: entered promiscuous mode
[ 1100.109557][T10371] br0: port 1(veth0) entered blocking state
[ 1100.110076][T10371] br0: port 1(veth0) entered forwarding state
[ 1104.549679][T10416] veth0: left allmulticast mode
[ 1104.550057][T10416] veth0: left promiscuous mode
[ 1104.550562][T10416] br0: port 1(veth0) entered disabled state
[ 1105.240592][T10421] br0: port 1(veth0.10) entered blocking state
[ 1105.241085][T10421] br0: port 1(veth0.10) entered disabled state
[ 1105.241535][T10421] veth0.10: entered allmulticast mode
[ 1105.241845][T10421] veth0: entered allmulticast mode
[ 1105.246255][T10421] veth0.10: entered promiscuous mode
[ 1105.246608][T10421] veth0: entered promiscuous mode
[ 1105.249427][T10421] br0: port 1(veth0.10) entered blocking state
[ 1105.249860][T10421] br0: port 1(veth0.10) entered forwarding state
[ 1110.197398][T10472] br0: port 1(veth0.10) entered disabled state
[ 1110.499738][T10474] veth0.10 (unregistering): left allmulticast mode
[ 1110.500206][T10474] veth0: left allmulticast mode
[ 1110.500550][T10474] veth0.10 (unregistering): left promiscuous mode
[ 1110.500954][T10474] veth0: left promiscuous mode
[ 1110.501566][T10474] br0: port 1(veth0.10) entered disabled state
[ 1113.345570][T10497] Initializing XFRM netlink socket
[ 1175.823608][T10716] ==================================================================
[ 1175.824013][T10716] BUG: KASAN: slab-use-after-free in tcp_prune_ofo_queue+0x55d/0x660
[ 1175.824357][T10716] Read of size 4 at addr ffff88800b5c37d8 by task socat/10716
[ 1175.824686][T10716]
[ 1175.824804][T10716] CPU: 1 UID: 0 PID: 10716 Comm: socat Not tainted 6.16.0-rc5-virtme #1 PREEMPT(full)
[ 1175.824810][T10716] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1175.824812][T10716] Call Trace:
[ 1175.824814][T10716]
[ 1175.824816][T10716] dump_stack_lvl+0x82/0xd0
[ 1175.824824][T10716] print_address_description.constprop.0+0x2c/0x400
[ 1175.824832][T10716] ? tcp_prune_ofo_queue+0x55d/0x660
[ 1175.824837][T10716] print_report+0xb4/0x270
[ 1175.824840][T10716] ? tcp_prune_ofo_queue+0x55d/0x660
[ 1175.824843][T10716] ? kasan_addr_to_slab+0x25/0x80
[ 1175.824849][T10716] ? tcp_prune_ofo_queue+0x55d/0x660
[ 1175.824851][T10716] kasan_report+0xca/0x100
[ 1175.824862][T10716] ? tcp_prune_ofo_queue+0x55d/0x660
[ 1175.824867][T10716] tcp_prune_ofo_queue+0x55d/0x660
[ 1175.824873][T10716] tcp_try_rmem_schedule+0x855/0x12e0
[ 1175.824880][T10716] tcp_data_queue+0x4dd/0x2260
[ 1175.824887][T10716] ? __pfx_tcp_data_queue+0x10/0x10
[ 1175.824892][T10716] ? kvm_clock_get_cycles+0x18/0x30
[ 1175.824898][T10716] ? ktime_get+0xb8/0x200
[ 1175.824905][T10716] tcp_rcv_established+0x5e8/0x2370
[ 1175.824909][T10716] ? find_held_lock+0x2b/0x80
[ 1175.824917][T10716] ? __pfx_tcp_rcv_established+0x10/0x10
[ 1175.824921][T10716] ? ipv4_dst_check+0x167/0x2e0
[ 1175.824928][T10716] tcp_v4_do_rcv+0x4ba/0x8c0
[ 1175.824933][T10716] ? lockdep_hardirqs_on+0x7c/0x110
[ 1175.824939][T10716] __release_sock+0x27a/0x390
[ 1175.824947][T10716] release_sock+0x53/0x1d0
[ 1175.824951][T10716] tcp_recvmsg+0xf7/0x4f0
[ 1175.824956][T10716] ? __unix_dgram_recvmsg+0x166/0xc70
[ 1175.824962][T10716] ? __pfx_tcp_recvmsg+0x10/0x10
[ 1175.824966][T10716] ? __unix_dgram_recvmsg+0x166/0xc70
[ 1175.824969][T10716] ? __mutex_unlock_slowpath+0x144/0x400
[ 1175.824975][T10716] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 1175.824980][T10716] inet_recvmsg+0x109/0x1f0
[ 1175.824985][T10716] ? __pfx_inet_recvmsg+0x10/0x10
[ 1175.824989][T10716] ? __unix_dgram_recvmsg+0x166/0xc70
[ 1175.824993][T10716] sock_read_iter+0x3da/0x530
[ 1175.825000][T10716] ? __pfx___unix_dgram_recvmsg+0x10/0x10
[ 1175.825003][T10716] ? __pfx_sock_read_iter+0x10/0x10
[ 1175.825010][T10716] ? rcu_is_watching+0x12/0xc0
[ 1175.825017][T10716] vfs_read+0x9b4/0xce0
[ 1175.825022][T10716] ? __pfx___sys_recvfrom+0x10/0x10
[ 1175.825025][T10716] ? ksys_read+0x137/0x1d0
[ 1175.825028][T10716] ? __lock_release+0x5d/0x170
[ 1175.825031][T10716] ? __pfx_vfs_read+0x10/0x10
[ 1175.825038][T10716] ? rcu_is_watching+0x12/0xc0
[ 1175.825043][T10716] ksys_read+0x183/0x1d0
[ 1175.825046][T10716] ? __pfx_ksys_read+0x10/0x10
[ 1175.825048][T10716] ? audit_reset_context.part.0.constprop.0+0x954/0xe10
[ 1175.825056][T10716] do_syscall_64+0xc1/0x380
[ 1175.825062][T10716] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 1175.825066][T10716] RIP: 0033:0x7f1da2624292
[ 1175.825072][T10716] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 6a 15 0c 00 e8 65 e1 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
[ 1175.825075][T10716] RSP: 002b:00007ffea5a84ee8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 1175.825079][T10716] RAX: ffffffffffffffda RBX: 0000559241bd5560 RCX: 00007f1da2624292
[ 1175.825081][T10716] RDX: 0000000000002000 RSI: 0000559241bd7000 RDI: 0000000000000007
[ 1175.825083][T10716] RBP: 0000559241bd7000 R08: 0000000000002000 R09: 0000000000000000
[ 1175.825085][T10716] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000007
[ 1175.825087][T10716] R13: 0000000000002000 R14: 000055920ce6110e R15: 0000000000000001
[ 1175.825094][T10716]
[ 1175.825096][T10716]
[ 1175.839462][T10716] Allocated by task 10716:
[ 1175.839691][T10716] kasan_save_stack+0x24/0x50
[ 1175.839926][T10716] kasan_save_track+0x14/0x30
[ 1175.840158][T10716] __kasan_slab_alloc+0x59/0x70
[ 1175.840383][T10716] kmem_cache_alloc_noprof+0x10b/0x330
[ 1175.840619][T10716] skb_clone+0x121/0x350
[ 1175.840794][T10716] inet_frag_reasm_prepare+0xcd/0xed0
[ 1175.841022][T10716] ip_frag_reasm.constprop.0+0x101/0x7d0
[ 1175.841249][T10716] ip_frag_queue+0x8fd/0x19d0
[ 1175.841476][T10716] ip_defrag+0x2cf/0x730
[ 1175.841648][T10716] ipv4_conntrack_defrag+0x348/0x4d0 [nf_defrag_ipv4]
[ 1175.841935][T10716] nf_hook_slow+0xba/0x200
[ 1175.842169][T10716] nf_hook.constprop.0+0x353/0x4d0
[ 1175.842402][T10716] ip_rcv+0x78/0x400
[ 1175.842573][T10716] __netif_receive_skb_one_core+0x164/0x1b0
[ 1175.842854][T10716] process_backlog+0x3c1/0x13e0
[ 1175.843080][T10716] __napi_poll.constprop.0+0xa5/0x460
[ 1175.843305][T10716] net_rx_action+0x54f/0xda0
[ 1175.843529][T10716] handle_softirqs+0x218/0x620
[ 1175.843756][T10716] do_softirq+0xb1/0xe0
[ 1175.843933][T10716] __local_bh_enable_ip+0x105/0x130
[ 1175.844158][T10716] __dev_queue_xmit+0x987/0x18e0
[ 1175.844385][T10716] ip_finish_output2+0x6fd/0x17d0
[ 1175.844609][T10716] __ip_queue_xmit+0xf12/0x1690
[ 1175.844835][T10716] __tcp_transmit_skb+0x1df1/0x2de0
[ 1175.845071][T10716] tcp_recvmsg_locked+0x5e2/0x20e0
[ 1175.845298][T10716] tcp_recvmsg+0xec/0x4f0
[ 1175.845475][T10716] inet_recvmsg+0x109/0x1f0
[ 1175.845702][T10716] sock_read_iter+0x3da/0x530
[ 1175.845932][T10716] vfs_read+0x9b4/0xce0
[ 1175.846102][T10716] ksys_read+0x183/0x1d0
[ 1175.846271][T10716] do_syscall_64+0xc1/0x380
[ 1175.846498][T10716] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 1175.846779][T10716]
[ 1175.846893][T10716] Freed by task 10716:
[ 1175.847067][T10716] kasan_save_stack+0x24/0x50
[ 1175.847301][T10716] kasan_save_track+0x14/0x30
[ 1175.847528][T10716] kasan_save_free_info+0x3b/0x60
[ 1175.847755][T10716] __kasan_slab_free+0x38/0x50
[ 1175.847980][T10716] kmem_cache_free+0x149/0x330
[ 1175.848206][T10716] tcp_prune_ofo_queue+0x211/0x660
[ 1175.848431][T10716] tcp_try_rmem_schedule+0x855/0x12e0
[ 1175.848655][T10716] tcp_data_queue+0x4dd/0x2260
[ 1175.848886][T10716] tcp_rcv_established+0x5e8/0x2370
[ 1175.849110][T10716] tcp_v4_do_rcv+0x4ba/0x8c0
[ 1175.849335][T10716] __release_sock+0x27a/0x390
[ 1175.849561][T10716] release_sock+0x53/0x1d0
[ 1175.849786][T10716] tcp_recvmsg+0xf7/0x4f0
[ 1175.849957][T10716] inet_recvmsg+0x109/0x1f0
[ 1175.850179][T10716] sock_read_iter+0x3da/0x530
[ 1175.850404][T10716] vfs_read+0x9b4/0xce0
[ 1175.850581][T10716] ksys_read+0x183/0x1d0
[ 1175.850873][T10716] do_syscall_64+0xc1/0x380
[ 1175.851101][T10716] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 1175.851380][T10716]
[ 1175.851494][T10716] The buggy address belongs to the object at ffff88800b5c3700
[ 1175.851494][T10716]  which belongs to the cache skbuff_head_cache of size 232
[ 1175.852198][T10716] The buggy address is located 216 bytes inside of
[ 1175.852198][T10716]  freed 232-byte region [ffff88800b5c3700, ffff88800b5c37e8)
[ 1175.852854][T10716]
[ 1175.852967][T10716] The buggy address belongs to the physical page:
[ 1175.853241][T10716] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb5c2
[ 1175.853638][T10716] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 1175.854105][T10716] flags: 0x80000000000040(head|node=0|zone=1)
[ 1175.854391][T10716] page_type: f5(slab)
[ 1175.854568][T10716] raw: 0080000000000040 ffff88800198fb40 ffffea000039e490 ffffea00000abb10
[ 1175.855102][T10716] raw: 0000000000000000 0000000000120012 00000000f5000000 0000000000000000
[ 1175.855496][T10716] head: 0080000000000040 ffff88800198fb40 ffffea000039e490 ffffea00000abb10
[ 1175.856025][T10716] head: 0000000000000000 0000000000120012 00000000f5000000 0000000000000000
[ 1175.856419][T10716] head: 0080000000000001 ffffea00002d7081 00000000ffffffff 00000000ffffffff
[ 1175.856935][T10716] head: ffff888000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 1175.857331][T10716] page dumped because: kasan: bad access detected
[ 1175.857606][T10716]
[ 1175.857723][T10716] Memory state around the buggy address:
[ 1175.858052][T10716]  ffff88800b5c3680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1175.858377][T10716]  ffff88800b5c3700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1175.858701][T10716] >ffff88800b5c3780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[ 1175.859138][T10716] ^
[ 1175.859413][T10716]  ffff88800b5c3800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1175.859736][T10716]  ffff88800b5c3880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 1175.860169][T10716] ==================================================================
[ 1175.860844][T10716] Disabling lock debugging due to kernel taint
[ 1202.442550][T10801] br0: port 1(veth0) entered blocking state
[ 1202.444005][T10801] br0: port 1(veth0) entered disabled state
[ 1202.444768][T10801] veth0: entered allmulticast mode
[ 1202.446729][T10801] veth0: entered promiscuous mode
[ 1202.695314][T10804] br0: port 1(veth0) entered blocking state
[ 1202.695608][T10804] br0: port 1(veth0) entered forwarding state
[ 1209.999368][T10849] veth0: left allmulticast mode
[ 1209.999604][T10849] veth0: left promiscuous mode
[ 1209.999947][T10849] br0: port 1(veth0) entered disabled state
[ 1210.418325][T10854] br0: port 1(veth0.10) entered blocking state
[ 1210.418614][T10854] br0: port 1(veth0.10) entered disabled state
[ 1210.419451][T10854] veth0.10: entered allmulticast mode
[ 1210.419644][T10854] veth0: entered allmulticast mode
[ 1210.421556][T10854] veth0.10: entered promiscuous mode
[ 1210.421752][T10854] veth0: entered promiscuous mode
[ 1210.422925][T10854] br0: port 1(veth0.10) entered blocking state
[ 1210.423187][T10854] br0: port 1(veth0.10) entered forwarding state
[ 1218.211849][T10905] br0: port 1(veth0.10) entered disabled state
[ 1218.393308][T10907] veth0.10 (unregistering): left allmulticast mode
[ 1218.393601][T10907] veth0: left allmulticast mode
[ 1218.393817][T10907] veth0.10 (unregistering): left promiscuous mode
[ 1218.394414][T10907] veth0: left promiscuous mode
[ 1218.394809][T10907] br0: port 1(veth0.10) entered disabled state