[ 1906.304099][ C1] ==================================================================
[ 1906.304413][ C1] BUG: KASAN: slab-use-after-free in xfrm_lookup_with_ifid+0x9bf/0xa90
[ 1906.304695][ C1] Read of size 8 at addr ffff8880147e5810 by task socat/9391
[ 1906.304967][ C1]
[ 1906.305068][ C1] CPU: 1 UID: 0 PID: 9391 Comm: socat Not tainted 6.12.0-rc1-virtme #1
[ 1906.305341][ C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 1906.305733][ C1] Call Trace:
[ 1906.305878][ C1] <IRQ>
[ 1906.305970][ C1] dump_stack_lvl+0x82/0xd0
[ 1906.306158][ C1] print_address_description.constprop.0+0x2c/0x3b0
[ 1906.306382][ C1] ? xfrm_lookup_with_ifid+0x9bf/0xa90
[ 1906.306569][ C1] print_report+0xb4/0x270
[ 1906.306750][ C1] ? kasan_addr_to_slab+0x25/0x80
[ 1906.306943][ C1] kasan_report+0xbd/0xf0
[ 1906.307085][ C1] ? xfrm_lookup_with_ifid+0x9bf/0xa90
[ 1906.307263][ C1] xfrm_lookup_with_ifid+0x9bf/0xa90
[ 1906.307439][ C1] ? __pfx_xfrm_lookup_with_ifid+0x10/0x10
[ 1906.307660][ C1] ? l4proto_manip_pkt+0x670/0x10f0 [nf_nat]
[ 1906.307896][ C1] nf_xfrm_me_harder+0x1a8/0x5e0 [nf_nat]
[ 1906.308079][ C1] ? __pfx_nf_xfrm_me_harder+0x10/0x10 [nf_nat]
[ 1906.308301][ C1] ? nft_do_chain_ipv4+0x184/0x210 [nf_tables]
[ 1906.308563][ C1] ? __pfx_nft_do_chain_ipv4+0x10/0x10 [nf_tables]
[ 1906.308833][ C1] nf_nat_ipv4_out+0x3c7/0x470 [nf_nat]
[ 1906.309020][ C1] ? __pfx_nf_nat_ipv4_out+0x10/0x10 [nf_nat]
[ 1906.309252][ C1] nf_hook_slow+0xba/0x200
[ 1906.309437][ C1] nf_hook+0x374/0x4f0
[ 1906.309577][ C1] ? __pfx_ip_finish_output+0x10/0x10
[ 1906.309756][ C1] ? __pfx_nf_hook+0x10/0x10
[ 1906.309938][ C1] ? __ip_append_data+0x22e4/0x3900
[ 1906.310127][ C1] ? __pfx_ip_finish_output+0x10/0x10
[ 1906.310321][ C1] ip_output+0x172/0x240
[ 1906.310473][ C1] ? __pfx_ip_finish_output+0x10/0x10
[ 1906.310650][ C1] ip_push_pending_frames+0x24b/0x480
[ 1906.310843][ C1] ip_send_unicast_reply+0xac1/0x14b0
[ 1906.311032][ C1] ? hlock_class+0x4e/0x130
[ 1906.311221][ C1] ? mark_lock+0x38/0x3e0
[ 1906.311358][ C1] ? __pfx_ip_send_unicast_reply+0x10/0x10
[ 1906.311598][ C1] ? __lock_acquire+0xb3f/0x1580
[ 1906.311789][ C1] ? lock_acquire.part.0+0xeb/0x330
[ 1906.311971][ C1] ? tcp_v4_send_ack.constprop.0+0x4c4/0x1050
[ 1906.312199][ C1] ? mark_lock+0x38/0x3e0
[ 1906.312338][ C1] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 1906.312522][ C1] ? trace_lock_acquire+0x14d/0x1f0
[ 1906.312704][ C1] tcp_v4_send_ack.constprop.0+0x7c6/0x1050
[ 1906.312935][ C1] ? __pfx_tcp_v4_send_ack.constprop.0+0x10/0x10
[ 1906.313177][ C1] ? __pfx___lock_release+0x10/0x10
[ 1906.313359][ C1] ? mark_held_locks+0x9e/0xe0
[ 1906.313543][ C1] ? tcp_v4_rcv+0x2251/0x3460
[ 1906.313726][ C1] tcp_v4_rcv+0x2251/0x3460
[ 1906.313913][ C1] ? __pfx_tcp_v4_rcv+0x10/0x10
[ 1906.314104][ C1] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 1906.314288][ C1] ip_protocol_deliver_rcu+0x93/0x360
[ 1906.314473][ C1] ? process_backlog+0x332/0x1180
[ 1906.314658][ C1] ip_local_deliver_finish+0x2af/0x490
[ 1906.314846][ C1] ? process_backlog+0x332/0x1180
[ 1906.315028][ C1] ? __pfx_ip_rcv+0x10/0x10
[ 1906.315212][ C1] __netif_receive_skb_one_core+0x166/0x1b0
[ 1906.315438][ C1] ? __pfx___netif_receive_skb_one_core+0x10/0x10
[ 1906.315671][ C1] ? process_backlog+0x332/0x1180
[ 1906.315853][ C1] ? lock_acquire+0x32/0xc0
[ 1906.316037][ C1] ? process_backlog+0x332/0x1180
[ 1906.316221][ C1] process_backlog+0x372/0x1180
[ 1906.316409][ C1] __napi_poll.constprop.0+0xa2/0x460
[ 1906.316599][ C1] net_rx_action+0x50e/0xce0
[ 1906.316789][ C1] ? __pfx_net_rx_action+0x10/0x10
[ 1906.316977][ C1] ? __free_zapped_classes+0x170/0x1e0
[ 1906.317158][ C1] ? find_held_lock+0x2c/0x110
[ 1906.317345][ C1] ? hlock_class+0x4e/0x130
[ 1906.317527][ C1] ? mark_lock+0x38/0x3e0
[ 1906.317671][ C1] ? mark_held_locks+0x9e/0xe0
[ 1906.317856][ C1] handle_softirqs+0x1f6/0x5c0
[ 1906.318041][ C1] ? __dev_queue_xmit+0x78e/0x18b0
[ 1906.318224][ C1] do_softirq+0x4d/0xa0
[ 1906.318363][ C1] </IRQ>
[ 1906.318461][ C1] <TASK>
[ 1906.318554][ C1] __local_bh_enable_ip+0xf6/0x120
[ 1906.318738][ C1] ? __dev_queue_xmit+0x78e/0x18b0
[ 1906.318921][ C1] __dev_queue_xmit+0x7a3/0x18b0
[ 1906.319105][ C1] ? __lock_release+0x103/0x460
[ 1906.319293][ C1] ? ip_finish_output2+0xac2/0x18f0
[ 1906.319475][ C1] ? __pfx___lock_release+0x10/0x10
[ 1906.319657][ C1] ? hlock_class+0x4e/0x130
[ 1906.319842][ C1] ? __pfx___dev_queue_xmit+0x10/0x10
[ 1906.320024][ C1] ? mark_held_locks+0x9e/0xe0
[ 1906.320207][ C1] ? lockdep_hardirqs_on_prepare+0x275/0x410
[ 1906.320445][ C1] ? neigh_hh_output+0x36f/0x560
[ 1906.320629][ C1] ip_finish_output2+0xac2/0x18f0
[ 1906.320813][ C1] ? __pfx_ip_finish_output2+0x10/0x10
[ 1906.321005][ C1] ? __ip_finish_output+0x10f/0x760
[ 1906.321190][ C1] __ip_queue_xmit+0x64f/0x1790
[ 1906.321372][ C1] ? __skb_clone+0x571/0x750
[ 1906.321557][ C1] __tcp_transmit_skb+0x2291/0x2d10
[ 1906.321745][ C1] ? __pfx___tcp_transmit_skb+0x10/0x10
[ 1906.321932][ C1] ? mark_held_locks+0x9e/0xe0
[ 1906.322119][ C1] ? lockdep_hardirqs_on_prepare+0x275/0x410
[ 1906.322359][ C1] ? tcp_small_queue_check.isra.0+0xe9/0x380
[ 1906.322583][ C1] tcp_write_xmit+0x8a3/0x2cf0
[ 1906.322770][ C1] ? tcp_current_mss+0x40a/0x510
[ 1906.322955][ C1] ? __pfx_tcp_current_mss+0x10/0x10
[ 1906.323136][ C1] ? __alloc_skb+0x23d/0x2e0
[ 1906.323318][ C1] ? __pfx_tcp_write_xmit+0x10/0x10
[ 1906.323502][ C1] ? tcp_set_state+0x10b/0x510
[ 1906.323684][ C1] ? __pfx_tcp_set_state+0x10/0x10
[ 1906.323874][ C1] __tcp_push_pending_frames+0x96/0x320
[ 1906.324064][ C1] inet_shutdown+0x164/0x390
[ 1906.324254][ C1] ? sockfd_lookup_light+0x1a/0x140
[ 1906.324434][ C1] __sys_shutdown+0xcb/0x160
[ 1906.324621][ C1] ? __pfx___sys_shutdown+0x10/0x10
[ 1906.324804][ C1] ? audit_reset_context.part.0.constprop.0+0x987/0xe50
[ 1906.325045][ C1] __x64_sys_shutdown+0x53/0x80
[ 1906.325229][ C1] do_syscall_64+0xc1/0x1d0
[ 1906.325424][ C1] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 1906.325655][ C1] RIP: 0033:0x7ff46d575beb
[ 1906.325853][ C1] Code: 73 01 c3 48 8b 0d 15 92 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 30 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e5 91 1b 00 f7 d8 64 89 01 48
[ 1906.326502][ C1] RSP: 002b:00007ffd060ca128 EFLAGS: 00000206 ORIG_RAX: 0000000000000030
[ 1906.326790][ C1] RAX: ffffffffffffffda RBX: 000055dd7772b610 RCX: 00007ff46d575beb
[ 1906.327063][ C1] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000000000008
[ 1906.327344][ C1] RBP: 0000000000000008 R08: 0000000000000001 R09: 0000000000000000
[ 1906.327626][ C1] R10: 0000000000000000 R11: 0000000000000206 R12: ffffffffffffffff
[ 1906.327908][ C1] R13: 0000000000000000 R14: 000055dd7338c10e R15: 0000000000000001
[ 1906.328195][ C1] </TASK>
[ 1906.328339][ C1]
[ 1906.328438][ C1] Allocated by task 6732:
[ 1906.328581][ C1] kasan_save_stack+0x24/0x50
[ 1906.328774][ C1] kasan_save_track+0x14/0x30
[ 1906.328962][ C1] __kasan_slab_alloc+0x59/0x70
[ 1906.329147][ C1] kmem_cache_alloc_noprof+0xdb/0x250
[ 1906.329335][ C1] inet_twsk_alloc+0x115/0x970
[ 1906.329519][ C1] tcp_time_wait+0x60/0xe70
[ 1906.329705][ C1] tcp_fin+0x2fb/0x470
[ 1906.329846][ C1] tcp_data_queue+0xe66/0x22b0
[ 1906.330036][ C1] tcp_rcv_state_process+0x6cb/0x2030
[ 1906.330219][ C1] tcp_v4_do_rcv+0x14d/0x8c0
[ 1906.330416][ C1] tcp_v4_rcv+0x25e8/0x3460
[ 1906.330602][ C1] ip_protocol_deliver_rcu+0x93/0x360
[ 1906.330791][ C1] ip_local_deliver_finish+0x2af/0x490
[ 1906.330978][ C1] __netif_receive_skb_one_core+0x166/0x1b0
[ 1906.331214][ C1] process_backlog+0x372/0x1180
[ 1906.331397][ C1] __napi_poll.constprop.0+0xa2/0x460
[ 1906.331585][ C1] net_rx_action+0x50e/0xce0
[ 1906.331766][ C1] handle_softirqs+0x1f6/0x5c0
[ 1906.331953][ C1] do_softirq+0x4d/0xa0
[ 1906.332093][ C1] __local_bh_enable_ip+0xf6/0x120
[ 1906.332386][ C1] __dev_queue_xmit+0x7a3/0x18b0
[ 1906.332573][ C1] ip_finish_output2+0x9ca/0x18f0
[ 1906.332757][ C1] __ip_queue_xmit+0x64f/0x1790
[ 1906.332940][ C1] __tcp_transmit_skb+0x2291/0x2d10
[ 1906.333229][ C1] tcp_write_xmit+0x8a3/0x2cf0
[ 1906.333413][ C1] __tcp_push_pending_frames+0x96/0x320
[ 1906.333600][ C1] inet_shutdown+0x164/0x390
[ 1906.333785][ C1] __sys_shutdown+0xcb/0x160
[ 1906.333977][ C1] __x64_sys_shutdown+0x53/0x80
[ 1906.334262][ C1] do_syscall_64+0xc1/0x1d0
[ 1906.334450][ C1] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 1906.334687][ C1]
[ 1906.334783][ C1] Freed by task 0:
[ 1906.335034][ C1] kasan_save_stack+0x24/0x50
[ 1906.335224][ C1] kasan_save_track+0x14/0x30
[ 1906.335408][ C1] kasan_save_free_info+0x3b/0x60
[ 1906.335594][ C1] __kasan_slab_free+0x38/0x50
[ 1906.335779][ C1] slab_free_after_rcu_debug+0xd7/0x2b0
[ 1906.335969][ C1] rcu_do_batch+0x34f/0xf20
[ 1906.336152][ C1] rcu_core+0x2bd/0x4f0
[ 1906.336295][ C1] handle_softirqs+0x1f6/0x5c0
[ 1906.336479][ C1] irq_exit_rcu+0x99/0xc0
[ 1906.336619][ C1] sysvec_apic_timer_interrupt+0x78/0x90
[ 1906.336808][ C1] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 1906.337036][ C1]
[ 1906.337131][ C1] Last potentially related work creation:
[ 1906.337314][ C1] kasan_save_stack+0x24/0x50
[ 1906.337606][ C1] __kasan_record_aux_stack+0x8e/0xa0
[ 1906.337790][ C1] kmem_cache_free+0x207/0x340
[ 1906.337981][ C1] inet_twsk_free+0x11d/0x180
[ 1906.338167][ C1] inet_twsk_purge+0x4c8/0x660
[ 1906.338457][ C1] tcp_twsk_purge+0x112/0x160
[ 1906.338646][ C1] tcp_sk_exit_batch+0x28/0x140
[ 1906.338833][ C1] cleanup_net+0x4ef/0x9d0
[ 1906.339023][ C1] process_one_work+0xe55/0x16d0
[ 1906.339311][ C1] worker_thread+0x58c/0xce0
[ 1906.339499][ C1] kthread+0x28a/0x350
[ 1906.339639][ C1] ret_from_fork+0x31/0x70
[ 1906.339833][ C1] ret_from_fork_asm+0x1a/0x30
[ 1906.340022][ C1]
[ 1906.340219][ C1] The buggy address belongs to the object at ffff8880147e57f0
[ 1906.340219][ C1] which belongs to the cache tw_sock_TCP of size 280
[ 1906.340683][ C1] The buggy address is located 32 bytes inside of
[ 1906.340683][ C1] freed 280-byte region [ffff8880147e57f0, ffff8880147e5908)
[ 1906.341260][ C1]
[ 1906.341364][ C1] The buggy address belongs to the physical page:
[ 1906.341598][ C1] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880147e5b20 pfn:0x147e4
[ 1906.341977][ C1] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 1906.342253][ C1] flags: 0x80000000000240(workingset|head|node=0|zone=1)
[ 1906.342491][ C1] page_type: f5(slab)
[ 1906.342637][ C1] raw: 0080000000000240 ffff8880035fcc40 ffffea0000145310 ffff8880035f8bc8
[ 1906.342970][ C1] raw: ffff8880147e5b20 0000000000140001 00000001f5000000 0000000000000000
[ 1906.343288][ C1] head: 0080000000000240 ffff8880035fcc40 ffffea0000145310 ffff8880035f8bc8
[ 1906.343721][ C1] head: ffff8880147e5b20 0000000000140001 00000001f5000000 0000000000000000
[ 1906.344038][ C1] head: 0080000000000001 ffffea000051f901 ffffffffffffffff 0000000000000000
[ 1906.344353][ C1] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
[ 1906.344779][ C1] page dumped because: kasan: bad access detected
[ 1906.345006][ C1]
[ 1906.345100][ C1] Memory state around the buggy address:
[ 1906.345380][ C1] ffff8880147e5700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 1906.345649][ C1] ffff8880147e5780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fa fb
[ 1906.345915][ C1] >ffff8880147e5800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1906.346292][ C1]                          ^
[ 1906.346471][ C1] ffff8880147e5880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1906.346742][ C1] ffff8880147e5900: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1906.347109][ C1] ==================================================================
[ 1906.347404][ C1] Disabling lock debugging due to kernel taint