======================================
[ 197.522201][ C1] ==================================================================
[ 197.522470][ C1] BUG: KASAN: slab-use-after-free in xfrm_lookup_with_ifid (net/xfrm/xfrm_policy.c:3145)
[ 197.522717][ C1] Read of size 8 at addr ffff888005df4358 by task socat/1252
[ 197.522966][ C1]
[ 197.523306][ C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 197.523663][ C1] Call Trace:
[ 197.523790][ C1]
[ 197.523874][ C1] dump_stack_lvl (lib/dump_stack.c:123)
[ 197.524054][ C1] print_address_description.constprop.0 (mm/kasan/report.c:378)
[ 197.524256][ C1] ? xfrm_lookup_with_ifid (net/xfrm/xfrm_policy.c:3145)
[ 197.524423][ C1] print_report (mm/kasan/report.c:489)
[ 197.524590][ C1] ? kasan_addr_to_slab (./include/linux/mm.h:1282 mm/kasan/../slab.h:206 mm/kasan/common.c:38)
[ 197.524752][ C1] kasan_report (mm/kasan/report.c:603)
[ 197.524877][ C1] ? xfrm_lookup_with_ifid (net/xfrm/xfrm_policy.c:3145)
[ 197.525041][ C1] xfrm_lookup_with_ifid (net/xfrm/xfrm_policy.c:3145)
[ 197.525204][ C1] ? __pfx_xfrm_lookup_with_ifid (net/xfrm/xfrm_policy.c:3132)
[ 197.525405][ C1] ? l4proto_manip_pkt (./include/net/checksum.h:167 net/netfilter/nf_nat_proto.c:216 net/netfilter/nf_nat_proto.c:342) nf_nat
[ 197.525611][ C1] nf_xfrm_me_harder (net/netfilter/nf_nat_proto.c:684) nf_nat
[ 197.525781][ C1] ? __pfx_nf_xfrm_me_harder (net/netfilter/nf_nat_proto.c:664) nf_nat
[ 197.525991][ C1] ? nft_do_chain_ipv4 (net/netfilter/nft_chain_filter.c:17) nf_tables
[ 197.526227][ C1] ? __pfx_nft_do_chain_ipv4 (net/netfilter/nft_chain_filter.c:17) nf_tables
[ 197.526458][ C1] nf_nat_ipv4_out (net/netfilter/nf_nat_proto.c:783 net/netfilter/nf_nat_proto.c:755) nf_nat
[ 197.526626][ C1] ? __pfx_nf_nat_ipv4_out (net/netfilter/nf_nat_proto.c:757) nf_nat
[ 197.526829][ C1] nf_hook_slow (./include/linux/netfilter.h:154 net/netfilter/core.c:626)
[ 197.526993][ C1] nf_hook (./include/linux/netfilter.h:269)
[ 197.527114][ C1] ? __pfx_ip_finish_output (net/ipv4/ip_output.c:318)
[ 197.527283][ C1] ? __pfx_nf_hook (./include/linux/netfilter.h:227)
[ 197.527444][ C1] ? __ip_append_data (./include/linux/skbuff.h:3205 ./include/linux/skbuff.h:3213 ./include/linux/skbuff.h:3227 net/ipv4/ip_output.c:1165)
[ 197.527604][ C1] ? __pfx_ip_finish_output (net/ipv4/ip_output.c:318)
[ 197.527766][ C1] ip_output (./include/linux/netfilter.h:301 net/ipv4/ip_output.c:434)
[ 197.527908][ C1] ? __pfx_ip_finish_output (net/ipv4/ip_output.c:318)
[ 197.528071][ C1] ip_push_pending_frames (./include/net/dst.h:450 net/ipv4/ip_output.c:130 net/ipv4/ip_output.c:1505 net/ipv4/ip_output.c:1525)
[ 197.528235][ C1] ip_send_unicast_reply (./include/net/route.h:266 net/ipv4/ip_output.c:1675)
[ 197.528410][ C1] ? mark_lock (kernel/locking/lockdep.c:186 kernel/locking/lockdep.c:4731)
[ 197.528577][ C1] ? __pfx_ip_send_unicast_reply (net/ipv4/ip_output.c:1605)
[ 197.528780][ C1] ? __lock_acquire (kernel/locking/lockdep.c:5202)
[ 197.528943][ C1] ? lock_acquire.part.0 (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5827)
[ 197.529112][ C1] ? tcp_v4_send_ack.constprop.0 (./include/linux/local_lock_internal.h:29 net/ipv4/tcp_ipv4.c:1016)
[ 197.529322][ C1] ? mark_lock (kernel/locking/lockdep.c:4703 (discriminator 3))
[ 197.529451][ C1] ? __pfx_lock_acquire.part.0 (kernel/locking/lockdep.c:5790)
[ 197.529611][ C1] ? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 52))
[ 197.529777][ C1] tcp_v4_send_ack.constprop.0 (./include/net/net_namespace.h:380 ./include/net/sock.h:661 net/ipv4/tcp_ipv4.c:1030)
[ 197.529983][ C1] ? __pfx_tcp_v4_send_ack.constprop.0 (net/ipv4/tcp_ipv4.c:933)
[ 197.530184][ C1] ? __pfx___lock_release (kernel/locking/lockdep.c:5477)
[ 197.530346][ C1] ? mark_held_locks (kernel/locking/lockdep.c:4321)
[ 197.530506][ C1] ? tcp_v4_rcv (net/ipv4/tcp_ipv4.c:1086 net/ipv4/tcp_ipv4.c:2427)
[ 197.530664][ C1] tcp_v4_rcv (net/ipv4/tcp_ipv4.c:1086 net/ipv4/tcp_ipv4.c:2427)
[ 197.530828][ C1] ? __pfx_tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2177)
[ 197.530989][ C1] ? __pfx_lock_acquire.part.0 (kernel/locking/lockdep.c:5790)
[ 197.531158][ C1] ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207 (discriminator 8))
[ 197.531324][ C1] ? process_backlog (./include/linux/local_lock_internal.h:38 net/core/dev.c:6113)
[ 197.531495][ C1] ip_local_deliver_finish (./include/linux/rcupdate.h:878 net/ipv4/ip_input.c:234)
[ 197.531656][ C1] ? process_backlog (./include/linux/local_lock_internal.h:38 net/core/dev.c:6113)
[ 197.531817][ C1] ? __pfx_ip_rcv (net/ipv4/ip_input.c:562)
[ 197.531978][ C1] __netif_receive_skb_one_core (net/core/dev.c:5670 (discriminator 4))
[ 197.532191][ C1] ? __pfx___netif_receive_skb_one_core (net/core/dev.c:5663)
[ 197.532392][ C1] ? process_backlog (./include/linux/local_lock_internal.h:38 net/core/dev.c:6113)
[ 197.532557][ C1] ? lock_acquire (kernel/locking/lockdep.c:5798)
[ 197.532719][ C1] ? process_backlog (./include/linux/local_lock_internal.h:38 net/core/dev.c:6113)
[ 197.532885][ C1] process_backlog (./include/linux/rcupdate.h:878 net/core/dev.c:6116)
[ 197.533049][ C1] __napi_poll.constprop.0 (net/core/dev.c:6779)
[ 197.533209][ C1] net_rx_action (net/core/dev.c:6848 net/core/dev.c:6970)
[ 197.533373][ C1] ? __pfx_net_rx_action (net/core/dev.c:6932)
[ 197.533533][ C1] ? __lock_release (kernel/locking/lockdep.c:5483)
[ 197.533692][ C1] ? rcu_core (kernel/rcu/rcu.h:135 kernel/rcu/tree.c:234 kernel/rcu/tree.c:2810)
[ 197.533816][ C1] ? __pfx___lock_release (kernel/locking/lockdep.c:5477)
[ 197.533984][ C1] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
[ 197.534146][ C1] ? lock_acquire (kernel/locking/lockdep.c:5798)
[ 197.534310][ C1] ? swake_up_one (./include/linux/list.h:373 kernel/sched/swait.c:25 kernel/sched/swait.c:52)
[ 197.534472][ C1] ? hlock_class (./arch/x86/include/asm/bitops.h:227 ./arch/x86/include/asm/bitops.h:239 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228)
[ 197.534639][ C1] ? mark_lock (kernel/locking/lockdep.c:4703 (discriminator 3))
[ 197.534761][ C1] ? mark_held_locks (kernel/locking/lockdep.c:4321)
[ 197.534926][ C1] handle_softirqs (kernel/softirq.c:554)
[ 197.535089][ C1] ? __dev_queue_xmit (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:917 net/core/dev.c:4459)
[ 197.535248][ C1] do_softirq (kernel/softirq.c:455 kernel/softirq.c:442)
[ 197.535368][ C1]
[ 197.535452][ C1]
[ 197.535533][ C1] __local_bh_enable_ip (kernel/softirq.c:382)
[ 197.535823][ C1] ? __dev_queue_xmit (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:917 net/core/dev.c:4459)
[ 197.535987][ C1] __dev_queue_xmit (net/core/dev.c:4460)
[ 197.536149][ C1] ? __lock_release (kernel/locking/lockdep.c:5501)
[ 197.536313][ C1] ? ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:236)
[ 197.536584][ C1] ? __pfx___lock_release (kernel/locking/lockdep.c:5477)
[ 197.536745][ C1] ? hlock_class (./arch/x86/include/asm/bitops.h:227 ./arch/x86/include/asm/bitops.h:239 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228)
[ 197.536917][ C1] ? __pfx___dev_queue_xmit (net/core/dev.c:4341)
[ 197.537082][ C1] ? mark_held_locks (kernel/locking/lockdep.c:4321)
[ 197.537357][ C1] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 197.537563][ C1] ? neigh_hh_output (./include/linux/seqlock.h:74 ./include/linux/seqlock.h:757 ./include/net/neighbour.h:496)
[ 197.537738][ C1] ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:236)
[ 197.537899][ C1] ? __pfx_ip_finish_output2 (net/ipv4/ip_output.c:200)
[ 197.538069][ C1] ? __ip_finish_output (./include/linux/skbuff.h:1669 ./include/linux/skbuff.h:5010 net/ipv4/ip_output.c:308 net/ipv4/ip_output.c:296)
[ 197.538230][ C1] __ip_queue_xmit (net/ipv4/ip_output.c:536 (discriminator 4))
[ 197.538391][ C1] ? __skb_clone (./arch/x86/include/asm/atomic.h:53 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:992 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:436 (discriminator 4) net/core/skbuff.c:1605 (discriminator 4))
[ 197.538554][ C1] __tcp_transmit_skb (net/ipv4/tcp_output.c:1466 (discriminator 4))
[ 197.538718][ C1] ? __pfx___tcp_transmit_skb (net/ipv4/tcp_output.c:1287)
[ 197.539000][ C1] ? mark_held_locks (kernel/locking/lockdep.c:4321)
[ 197.539160][ C1] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 197.539358][ C1] ? tcp_small_queue_check.isra.0 (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/linux/refcount.h:136 net/ipv4/tcp_output.c:2631)
[ 197.539559][ C1] tcp_write_xmit (net/ipv4/tcp_output.c:2830)
[ 197.539722][ C1] ? tcp_current_mss (./include/net/dst.h:216 net/ipv4/tcp_output.c:1872)
[ 197.539992][ C1] ? __pfx_tcp_current_mss (net/ipv4/tcp_output.c:1861)
[ 197.540151][ C1] ? __alloc_skb (./arch/x86/include/asm/atomic.h:28 ./include/linux/atomic/atomic-arch-fallback.h:503 ./include/linux/atomic/atomic-instrumented.h:68 ./include/linux/refcount.h:125 net/core/skbuff.c:702)
[ 197.540312][ C1] ? __pfx_tcp_write_xmit (net/ipv4/tcp_output.c:2739)
[ 197.540477][ C1] ? tcp_set_state (net/ipv4/tcp.c:2870 (discriminator 53))
[ 197.540747][ C1] ? __pfx_tcp_set_state (net/ipv4/tcp.c:2870)
[ 197.540914][ C1] __tcp_push_pending_frames (net/ipv4/tcp_output.c:3015)
[ 197.541075][ C1] inet_shutdown (net/ipv4/af_inet.c:925)
[ 197.541349][ C1] ? sockfd_lookup_light (net/socket.c:557)
[ 197.541512][ C1] __sys_shutdown (net/socket.c:2448 net/socket.c:2460)
[ 197.541672][ C1] ? __pfx___sys_shutdown (net/socket.c:2454)
[ 197.541833][ C1] ? ksys_read (fs/read_write.c:712)
[ 197.541995][ C1] ? __pfx_ksys_read (fs/read_write.c:702)
[ 197.542159][ C1] __x64_sys_shutdown (net/socket.c:2466)
[ 197.542319][ C1] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 197.542490][ C1] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 197.542804][ C1] RIP: 0033:0x7f2f86c64beb
[ 197.542971][ C1] Code: 73 01 c3 48 8b 0d 15 92 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 30 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e5 91 1b 00 f7 d8 64 89 01 48
All code
========
0: 73 01 jae 0x3
2: c3 ret
3: 48 8b 0d 15 92 1b 00 mov 0x1b9215(%rip),%rcx # 0x1b921f
a: f7 d8 neg %eax
c: 64 89 01 mov %eax,%fs:(%rcx)
f: 48 83 c8 ff or $0xffffffffffffffff,%rax
13: c3 ret
14: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
1b: 00 00 00
1e: 90 nop
1f: f3 0f 1e fa endbr64
23: b8 30 00 00 00 mov $0x30,%eax
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 ret
33: 48 8b 0d e5 91 1b 00 mov 0x1b91e5(%rip),%rcx # 0x1b921f
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 ret
9: 48 8b 0d e5 91 1b 00 mov 0x1b91e5(%rip),%rcx # 0x1b91f5
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
[ 197.543658][ C1] RSP: 002b:00007ffc3c832838 EFLAGS: 00000202 ORIG_RAX: 0000000000000030
[ 197.543911][ C1] RAX: ffffffffffffffda RBX: 00005634629f3610 RCX: 00007f2f86c64beb
[ 197.544283][ C1] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000000000008
[ 197.544632][ C1] RBP: 0000000000000008 R08: 0000000000000001 R09: 0000000000000000
[ 197.544991][ C1] R10: 0000000000000000 R11: 0000000000000202 R12: ffffffffffffffff
Finger prints: print_report:kasan_report:xfrm_lookup_with_ifid:nf_xfrm_me_harder:nf_nat_ipv4_out