[ 197.522201][ C1] ==================================================================
[ 197.522470][ C1] BUG: KASAN: slab-use-after-free in xfrm_lookup_with_ifid+0x9bf/0xa90
[ 197.522717][ C1] Read of size 8 at addr ffff888005df4358 by task socat/1252
[ 197.522966][ C1]
[ 197.523051][ C1] CPU: 1 UID: 0 PID: 1252 Comm: socat Not tainted 6.12.0-rc1-virtme #1
[ 197.523306][ C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 197.523663][ C1] Call Trace:
[ 197.523790][ C1]
[ 197.523874][ C1] dump_stack_lvl+0x82/0xd0
[ 197.524054][ C1] print_address_description.constprop.0+0x2c/0x3b0
[ 197.524256][ C1] ? xfrm_lookup_with_ifid+0x9bf/0xa90
[ 197.524423][ C1] print_report+0xb4/0x270
[ 197.524590][ C1] ? kasan_addr_to_slab+0x25/0x80
[ 197.524752][ C1] kasan_report+0xbd/0xf0
[ 197.524877][ C1] ? xfrm_lookup_with_ifid+0x9bf/0xa90
[ 197.525041][ C1] xfrm_lookup_with_ifid+0x9bf/0xa90
[ 197.525204][ C1] ? __pfx_xfrm_lookup_with_ifid+0x10/0x10
[ 197.525405][ C1] ? l4proto_manip_pkt+0x670/0x10f0 [nf_nat]
[ 197.525611][ C1] nf_xfrm_me_harder+0x1a8/0x5e0 [nf_nat]
[ 197.525781][ C1] ? __pfx_nf_xfrm_me_harder+0x10/0x10 [nf_nat]
[ 197.525991][ C1] ? nft_do_chain_ipv4+0x184/0x210 [nf_tables]
[ 197.526227][ C1] ? __pfx_nft_do_chain_ipv4+0x10/0x10 [nf_tables]
[ 197.526458][ C1] nf_nat_ipv4_out+0x3c7/0x470 [nf_nat]
[ 197.526626][ C1] ? __pfx_nf_nat_ipv4_out+0x10/0x10 [nf_nat]
[ 197.526829][ C1] nf_hook_slow+0xba/0x200
[ 197.526993][ C1] nf_hook+0x374/0x4f0
[ 197.527114][ C1] ? __pfx_ip_finish_output+0x10/0x10
[ 197.527283][ C1] ? __pfx_nf_hook+0x10/0x10
[ 197.527444][ C1] ? __ip_append_data+0x25e4/0x3900
[ 197.527604][ C1] ? __pfx_ip_finish_output+0x10/0x10
[ 197.527766][ C1] ip_output+0x172/0x240
[ 197.527908][ C1] ? __pfx_ip_finish_output+0x10/0x10
[ 197.528071][ C1] ip_push_pending_frames+0x24b/0x480
[ 197.528235][ C1] ip_send_unicast_reply+0xac1/0x14b0
[ 197.528410][ C1] ? mark_lock+0x335/0x3e0
[ 197.528577][ C1] ? __pfx_ip_send_unicast_reply+0x10/0x10
[ 197.528780][ C1] ? __lock_acquire+0xb3f/0x1580
[ 197.528943][ C1] ? lock_acquire.part.0+0xeb/0x330
[ 197.529112][ C1] ? tcp_v4_send_ack.constprop.0+0x4c4/0x1050
[ 197.529322][ C1] ? mark_lock+0x38/0x3e0
[ 197.529451][ C1] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 197.529611][ C1] ? trace_lock_acquire+0x14d/0x1f0
[ 197.529777][ C1] tcp_v4_send_ack.constprop.0+0x7c6/0x1050
[ 197.529983][ C1] ? __pfx_tcp_v4_send_ack.constprop.0+0x10/0x10
[ 197.530184][ C1] ? __pfx___lock_release+0x10/0x10
[ 197.530346][ C1] ? mark_held_locks+0x9e/0xe0
[ 197.530506][ C1] ? tcp_v4_rcv+0x2251/0x3460
[ 197.530664][ C1] tcp_v4_rcv+0x2251/0x3460
[ 197.530828][ C1] ? __pfx_tcp_v4_rcv+0x10/0x10
[ 197.530989][ C1] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 197.531158][ C1] ip_protocol_deliver_rcu+0x93/0x360
[ 197.531324][ C1] ? process_backlog+0x332/0x1180
[ 197.531495][ C1] ip_local_deliver_finish+0x2af/0x490
[ 197.531656][ C1] ? process_backlog+0x332/0x1180
[ 197.531817][ C1] ? __pfx_ip_rcv+0x10/0x10
[ 197.531978][ C1] __netif_receive_skb_one_core+0x166/0x1b0
[ 197.532191][ C1] ? __pfx___netif_receive_skb_one_core+0x10/0x10
[ 197.532392][ C1] ? process_backlog+0x332/0x1180
[ 197.532557][ C1] ? lock_acquire+0x32/0xc0
[ 197.532719][ C1] ? process_backlog+0x332/0x1180
[ 197.532885][ C1] process_backlog+0x372/0x1180
[ 197.533049][ C1] __napi_poll.constprop.0+0xa2/0x460
[ 197.533209][ C1] net_rx_action+0x50e/0xce0
[ 197.533373][ C1] ? __pfx_net_rx_action+0x10/0x10
[ 197.533533][ C1] ? __lock_release+0x90/0x460
[ 197.533692][ C1] ? rcu_core+0x158/0x4f0
[ 197.533816][ C1] ? __pfx___lock_release+0x10/0x10
[ 197.533984][ C1] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 197.534146][ C1] ? lock_acquire+0x32/0xc0
[ 197.534310][ C1] ? swake_up_one+0x1f/0x1f0
[ 197.534472][ C1] ? hlock_class+0x4e/0x130
[ 197.534639][ C1] ? mark_lock+0x38/0x3e0
[ 197.534761][ C1] ? mark_held_locks+0x9e/0xe0
[ 197.534926][ C1] handle_softirqs+0x1f6/0x5c0
[ 197.535089][ C1] ? __dev_queue_xmit+0x78e/0x18b0
[ 197.535248][ C1] do_softirq+0x4d/0xa0
[ 197.535368][ C1]
[ 197.535452][ C1]
[ 197.535533][ C1] __local_bh_enable_ip+0xf6/0x120
[ 197.535823][ C1] ? __dev_queue_xmit+0x78e/0x18b0
[ 197.535987][ C1] __dev_queue_xmit+0x7a3/0x18b0
[ 197.536149][ C1] ? __lock_release+0x103/0x460
[ 197.536313][ C1] ? ip_finish_output2+0xac2/0x18f0
[ 197.536584][ C1] ? __pfx___lock_release+0x10/0x10
[ 197.536745][ C1] ? hlock_class+0x4e/0x130
[ 197.536917][ C1] ? __pfx___dev_queue_xmit+0x10/0x10
[ 197.537082][ C1] ? mark_held_locks+0x9e/0xe0
[ 197.537357][ C1] ? lockdep_hardirqs_on_prepare+0x275/0x410
[ 197.537563][ C1] ? neigh_hh_output+0x36f/0x560
[ 197.537738][ C1] ip_finish_output2+0xac2/0x18f0
[ 197.537899][ C1] ? __pfx_ip_finish_output2+0x10/0x10
[ 197.538069][ C1] ? __ip_finish_output+0x10f/0x760
[ 197.538230][ C1] __ip_queue_xmit+0x64f/0x1790
[ 197.538391][ C1] ? __skb_clone+0x571/0x750
[ 197.538554][ C1] __tcp_transmit_skb+0x2291/0x2d10
[ 197.538718][ C1] ? __pfx___tcp_transmit_skb+0x10/0x10
[ 197.539000][ C1] ? mark_held_locks+0x9e/0xe0
[ 197.539160][ C1] ? lockdep_hardirqs_on_prepare+0x275/0x410
[ 197.539358][ C1] ? tcp_small_queue_check.isra.0+0xe9/0x380
[ 197.539559][ C1] tcp_write_xmit+0x8a3/0x2cf0
[ 197.539722][ C1] ? tcp_current_mss+0x40a/0x510
[ 197.539992][ C1] ? __pfx_tcp_current_mss+0x10/0x10
[ 197.540151][ C1] ? __alloc_skb+0x23d/0x2e0
[ 197.540312][ C1] ? __pfx_tcp_write_xmit+0x10/0x10
[ 197.540477][ C1] ? tcp_set_state+0x10b/0x510
[ 197.540747][ C1] ? __pfx_tcp_set_state+0x10/0x10
[ 197.540914][ C1] __tcp_push_pending_frames+0x96/0x320
[ 197.541075][ C1] inet_shutdown+0x164/0x390
[ 197.541349][ C1] ? sockfd_lookup_light+0x1a/0x140
[ 197.541512][ C1] __sys_shutdown+0xcb/0x160
[ 197.541672][ C1] ? __pfx___sys_shutdown+0x10/0x10
[ 197.541833][ C1] ? ksys_read+0x17a/0x1e0
[ 197.541995][ C1] ? __pfx_ksys_read+0x10/0x10
[ 197.542159][ C1] __x64_sys_shutdown+0x53/0x80
[ 197.542319][ C1] do_syscall_64+0xc1/0x1d0
[ 197.542490][ C1] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 197.542804][ C1] RIP: 0033:0x7f2f86c64beb
[ 197.542971][ C1] Code: 73 01 c3 48 8b 0d 15 92 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 30 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e5 91 1b 00 f7 d8 64 89 01 48
[ 197.543658][ C1] RSP: 002b:00007ffc3c832838 EFLAGS: 00000202 ORIG_RAX: 0000000000000030
[ 197.543911][ C1] RAX: ffffffffffffffda RBX: 00005634629f3610 RCX: 00007f2f86c64beb
[ 197.544283][ C1] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000000000008
[ 197.544632][ C1] RBP: 0000000000000008 R08: 0000000000000001 R09: 0000000000000000
[ 197.544991][ C1] R10: 0000000000000000 R11: 0000000000000202 R12: ffffffffffffffff
[ 197.545340][ C1] R13: 0000000000000000 R14: 00005634309e610e R15: 0000000000000001
[ 197.545586][ C1]
[ 197.545712][ C1]
[ 197.545800][ C1] Allocated by task 599:
[ 197.545922][ C1] kasan_save_stack+0x24/0x50
[ 197.546207][ C1] kasan_save_track+0x14/0x30
[ 197.546368][ C1] __kasan_slab_alloc+0x59/0x70
[ 197.546531][ C1] kmem_cache_alloc_noprof+0xdb/0x250
[ 197.546703][ C1] inet_twsk_alloc+0x115/0x970
[ 197.546972][ C1] tcp_time_wait+0x60/0xe70
[ 197.547137][ C1] tcp_fin+0x2fb/0x470
[ 197.547259][ C1] tcp_data_queue+0xe66/0x22b0
[ 197.547531][ C1] tcp_rcv_state_process+0x6cb/0x2030
[ 197.547696][ C1] tcp_v4_do_rcv+0x14d/0x8c0
[ 197.547861][ C1] tcp_v4_rcv+0x25e8/0x3460
[ 197.548129][ C1] ip_protocol_deliver_rcu+0x93/0x360
[ 197.548307][ C1] ip_local_deliver_finish+0x2af/0x490
[ 197.548468][ C1] __netif_receive_skb_one_core+0x166/0x1b0
[ 197.548672][ C1] process_backlog+0x372/0x1180
[ 197.548942][ C1] __napi_poll.constprop.0+0xa2/0x460
[ 197.549111][ C1] net_rx_action+0x50e/0xce0
[ 197.549270][ C1] handle_softirqs+0x1f6/0x5c0
[ 197.549437][ C1] do_softirq+0x4d/0xa0
[ 197.549661][ C1] __local_bh_enable_ip+0xf6/0x120
[ 197.549820][ C1] __dev_queue_xmit+0x7a3/0x18b0
[ 197.549978][ C1] ip_finish_output2+0x9ca/0x18f0
[ 197.550141][ C1] __ip_queue_xmit+0x64f/0x1790
[ 197.550415][ C1] __tcp_transmit_skb+0x2291/0x2d10
[ 197.550580][ C1] tcp_write_xmit+0x8a3/0x2cf0
[ 197.550847][ C1] __tcp_push_pending_frames+0x96/0x320
[ 197.551006][ C1] inet_shutdown+0x164/0x390
[ 197.551167][ C1] __sys_shutdown+0xcb/0x160
[ 197.551339][ C1] __x64_sys_shutdown+0x53/0x80
[ 197.551499][ C1] do_syscall_64+0xc1/0x1d0
[ 197.551656][ C1] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 197.551858][ C1]
[ 197.552054][ C1] Freed by task 0:
[ 197.552177][ C1] kasan_save_stack+0x24/0x50
[ 197.552338][ C1] kasan_save_track+0x14/0x30
[ 197.552498][ C1] kasan_save_free_info+0x3b/0x60
[ 197.552665][ C1] __kasan_slab_free+0x38/0x50
[ 197.552830][ C1] slab_free_after_rcu_debug+0xd7/0x2b0
[ 197.552993][ C1] rcu_do_batch+0x34f/0xf20
[ 197.553153][ C1] rcu_core+0x2bd/0x4f0
[ 197.553286][ C1] handle_softirqs+0x1f6/0x5c0
[ 197.553655][ C1] irq_exit_rcu+0x99/0xc0
[ 197.553780][ C1] sysvec_apic_timer_interrupt+0x78/0x90
[ 197.553950][ C1] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 197.554149][ C1]
[ 197.554233][ C1] Last potentially related work creation:
[ 197.554392][ C1] kasan_save_stack+0x24/0x50
[ 197.554663][ C1] __kasan_record_aux_stack+0x8e/0xa0
[ 197.554828][ C1] kmem_cache_free+0x207/0x340
[ 197.554995][ C1] inet_twsk_free+0x11d/0x180
[ 197.555160][ C1] call_timer_fn+0x13b/0x230
[ 197.555325][ C1] __run_timers+0x545/0x810
[ 197.555592][ C1] run_timer_softirq+0xe8/0x1b0
[ 197.555755][ C1] handle_softirqs+0x1f6/0x5c0
[ 197.556036][ C1] irq_exit_rcu+0x99/0xc0
[ 197.556159][ C1] sysvec_apic_timer_interrupt+0x78/0x90
[ 197.556321][ C1] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 197.556523][ C1]
[ 197.556605][ C1] The buggy address belongs to the object at ffff888005df4338
[ 197.556605][ C1] which belongs to the cache tw_sock_TCP of size 280
[ 197.557119][ C1] The buggy address is located 32 bytes inside of
[ 197.557119][ C1] freed 280-byte region [ffff888005df4338, ffff888005df4450)
[ 197.557526][ C1]
[ 197.557609][ C1] The buggy address belongs to the physical page:
[ 197.557920][ C1] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888005df4338 pfn:0x5df4
[ 197.558250][ C1] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 197.558503][ C1] flags: 0x80000000000240(workingset|head|node=0|zone=1)
[ 197.558818][ C1] page_type: f5(slab)
[ 197.558944][ C1] raw: 0080000000000240 ffff88800378ec40 ffff88800378abc8 ffff88800378abc8
[ 197.559237][ C1] raw: ffff888005df4338 0000000000140001 00000001f5000000 0000000000000000
[ 197.559627][ C1] head: 0080000000000240 ffff88800378ec40 ffff88800378abc8 ffff88800378abc8
[ 197.559920][ C1] head: ffff888005df4338 0000000000140001 00000001f5000000 0000000000000000
[ 197.560310][ C1] head: 0080000000000001 ffffea0000177d01 ffffffffffffffff 0000000000000000
[ 197.560592][ C1] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
[ 197.560892][ C1] page dumped because: kasan: bad access detected
[ 197.561211][ C1]
[ 197.561294][ C1] Memory state around the buggy address:
[ 197.561459][ C1] ffff888005df4200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 197.561806][ C1] ffff888005df4280: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 197.562049][ C1] >ffff888005df4300: fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb
[ 197.562288][ C1] ^
[ 197.562594][ C1] ffff888005df4380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 197.562829][ C1] ffff888005df4400: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 197.563176][ C1] ==================================================================
[ 197.563427][ C1] Disabling lock debugging due to kernel taint