======================================
[ 1906.304099][ C1] ==================================================================
[ 1906.304413][ C1] BUG: KASAN: slab-use-after-free in xfrm_lookup_with_ifid (net/xfrm/xfrm_policy.c:3145)
[ 1906.304695][ C1] Read of size 8 at addr ffff8880147e5810 by task socat/9391
[ 1906.304967][ C1]
[ 1906.305341][ C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 1906.305733][ C1] Call Trace:
[ 1906.305878][ C1]
[ 1906.305970][ C1] dump_stack_lvl (lib/dump_stack.c:123)
[ 1906.306158][ C1] print_address_description.constprop.0 (mm/kasan/report.c:378)
[ 1906.306382][ C1] ? xfrm_lookup_with_ifid (net/xfrm/xfrm_policy.c:3145)
[ 1906.306569][ C1] print_report (mm/kasan/report.c:489)
[ 1906.306750][ C1] ? kasan_addr_to_slab (./include/linux/mm.h:1282 mm/kasan/../slab.h:206 mm/kasan/common.c:38)
[ 1906.306943][ C1] kasan_report (mm/kasan/report.c:603)
[ 1906.307085][ C1] ? xfrm_lookup_with_ifid (net/xfrm/xfrm_policy.c:3145)
[ 1906.307263][ C1] xfrm_lookup_with_ifid (net/xfrm/xfrm_policy.c:3145)
[ 1906.307439][ C1] ? __pfx_xfrm_lookup_with_ifid (net/xfrm/xfrm_policy.c:3132)
[ 1906.307660][ C1] ? l4proto_manip_pkt (./include/net/checksum.h:167 net/netfilter/nf_nat_proto.c:216 net/netfilter/nf_nat_proto.c:342) nf_nat
[ 1906.307896][ C1] nf_xfrm_me_harder (net/netfilter/nf_nat_proto.c:684) nf_nat
[ 1906.308079][ C1] ? __pfx_nf_xfrm_me_harder (net/netfilter/nf_nat_proto.c:664) nf_nat
[ 1906.308301][ C1] ? nft_do_chain_ipv4 (net/netfilter/nft_chain_filter.c:17) nf_tables
[ 1906.308563][ C1] ? __pfx_nft_do_chain_ipv4 (net/netfilter/nft_chain_filter.c:17) nf_tables
[ 1906.308833][ C1] nf_nat_ipv4_out (net/netfilter/nf_nat_proto.c:783 net/netfilter/nf_nat_proto.c:755) nf_nat
[ 1906.309020][ C1] ? __pfx_nf_nat_ipv4_out (net/netfilter/nf_nat_proto.c:757) nf_nat
[ 1906.309252][ C1] nf_hook_slow (./include/linux/netfilter.h:154 net/netfilter/core.c:626)
[ 1906.309437][ C1] nf_hook (./include/linux/netfilter.h:269)
[ 1906.309577][ C1] ? __pfx_ip_finish_output (net/ipv4/ip_output.c:318)
[ 1906.309756][ C1] ? __pfx_nf_hook (./include/linux/netfilter.h:227)
[ 1906.309938][ C1] ? __ip_append_data (net/ipv4/ip_output.c:1029)
[ 1906.310127][ C1] ? __pfx_ip_finish_output (net/ipv4/ip_output.c:318)
[ 1906.310321][ C1] ip_output (./include/linux/netfilter.h:301 net/ipv4/ip_output.c:434)
[ 1906.310473][ C1] ? __pfx_ip_finish_output (net/ipv4/ip_output.c:318)
[ 1906.310650][ C1] ip_push_pending_frames (./include/net/dst.h:450 net/ipv4/ip_output.c:130 net/ipv4/ip_output.c:1505 net/ipv4/ip_output.c:1525)
[ 1906.310843][ C1] ip_send_unicast_reply (./include/net/route.h:269 net/ipv4/ip_output.c:1675)
[ 1906.311032][ C1] ? hlock_class (./arch/x86/include/asm/bitops.h:227 ./arch/x86/include/asm/bitops.h:239 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228)
[ 1906.311221][ C1] ? mark_lock (kernel/locking/lockdep.c:4703 (discriminator 3))
[ 1906.311358][ C1] ? __pfx_ip_send_unicast_reply (net/ipv4/ip_output.c:1605)
[ 1906.311598][ C1] ? __lock_acquire (kernel/locking/lockdep.c:5202)
[ 1906.311789][ C1] ? lock_acquire.part.0 (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5827)
[ 1906.311971][ C1] ? tcp_v4_send_ack.constprop.0 (./include/linux/local_lock_internal.h:29 net/ipv4/tcp_ipv4.c:1016)
[ 1906.312199][ C1] ? mark_lock (kernel/locking/lockdep.c:4703 (discriminator 3))
[ 1906.312338][ C1] ? __pfx_lock_acquire.part.0 (kernel/locking/lockdep.c:5790)
[ 1906.312522][ C1] ? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 52))
[ 1906.312704][ C1] tcp_v4_send_ack.constprop.0 (./include/net/net_namespace.h:380 ./include/net/sock.h:661 net/ipv4/tcp_ipv4.c:1030)
[ 1906.312935][ C1] ? __pfx_tcp_v4_send_ack.constprop.0 (net/ipv4/tcp_ipv4.c:933)
[ 1906.313177][ C1] ? __pfx___lock_release (kernel/locking/lockdep.c:5477)
[ 1906.313359][ C1] ? mark_held_locks (kernel/locking/lockdep.c:4321)
[ 1906.313543][ C1] ? tcp_v4_rcv (net/ipv4/tcp_ipv4.c:1086 net/ipv4/tcp_ipv4.c:2427)
[ 1906.313726][ C1] tcp_v4_rcv (net/ipv4/tcp_ipv4.c:1086 net/ipv4/tcp_ipv4.c:2427)
[ 1906.313913][ C1] ? __pfx_tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2177)
[ 1906.314104][ C1] ? __pfx_lock_acquire.part.0 (kernel/locking/lockdep.c:5790)
[ 1906.314288][ C1] ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207 (discriminator 8))
[ 1906.314473][ C1] ? process_backlog (./include/linux/local_lock_internal.h:38 net/core/dev.c:6113)
[ 1906.314658][ C1] ip_local_deliver_finish (./include/linux/rcupdate.h:878 net/ipv4/ip_input.c:234)
[ 1906.314846][ C1] ? process_backlog (./include/linux/local_lock_internal.h:38 net/core/dev.c:6113)
[ 1906.315028][ C1] ? __pfx_ip_rcv (net/ipv4/ip_input.c:561)
[ 1906.315212][ C1] __netif_receive_skb_one_core (net/core/dev.c:5670 (discriminator 4))
[ 1906.315438][ C1] ? __pfx___netif_receive_skb_one_core (net/core/dev.c:5663)
[ 1906.315671][ C1] ? process_backlog (./include/linux/local_lock_internal.h:38 net/core/dev.c:6113)
[ 1906.315853][ C1] ? lock_acquire (kernel/locking/lockdep.c:5798)
[ 1906.316037][ C1] ? process_backlog (./include/linux/local_lock_internal.h:38 net/core/dev.c:6113)
[ 1906.316221][ C1] process_backlog (./include/linux/rcupdate.h:878 net/core/dev.c:6116)
[ 1906.316409][ C1] __napi_poll.constprop.0 (net/core/dev.c:6779)
[ 1906.316599][ C1] net_rx_action (net/core/dev.c:6848 net/core/dev.c:6970)
[ 1906.316789][ C1] ? __pfx_net_rx_action (net/core/dev.c:6932)
[ 1906.316977][ C1] ? __free_zapped_classes (kernel/locking/lockdep.c:6299)
[ 1906.317158][ C1] ? find_held_lock (kernel/locking/lockdep.c:5315)
[ 1906.317345][ C1] ? hlock_class (./arch/x86/include/asm/bitops.h:227 ./arch/x86/include/asm/bitops.h:239 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228)
[ 1906.317527][ C1] ? mark_lock (kernel/locking/lockdep.c:4703 (discriminator 3))
[ 1906.317671][ C1] ? mark_held_locks (kernel/locking/lockdep.c:4321)
[ 1906.317856][ C1] handle_softirqs (kernel/softirq.c:554)
[ 1906.318041][ C1] ? __dev_queue_xmit (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:917 net/core/dev.c:4459)
[ 1906.318224][ C1] do_softirq (kernel/softirq.c:455 kernel/softirq.c:442)
[ 1906.318363][ C1]
[ 1906.318461][ C1]
[ 1906.318554][ C1] __local_bh_enable_ip (kernel/softirq.c:382)
[ 1906.318738][ C1] ? __dev_queue_xmit (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:917 net/core/dev.c:4459)
[ 1906.318921][ C1] __dev_queue_xmit (net/core/dev.c:4460)
[ 1906.319105][ C1] ? __lock_release (kernel/locking/lockdep.c:5501)
[ 1906.319293][ C1] ? ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:236)
[ 1906.319475][ C1] ? __pfx___lock_release (kernel/locking/lockdep.c:5477)
[ 1906.319657][ C1] ? hlock_class (./arch/x86/include/asm/bitops.h:227 ./arch/x86/include/asm/bitops.h:239 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228)
[ 1906.319842][ C1] ? __pfx___dev_queue_xmit (net/core/dev.c:4341)
[ 1906.320024][ C1] ? mark_held_locks (kernel/locking/lockdep.c:4321)
[ 1906.320207][ C1] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 1906.320445][ C1] ? neigh_hh_output (./include/linux/seqlock.h:74 ./include/linux/seqlock.h:757 ./include/net/neighbour.h:496)
[ 1906.320629][ C1] ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:236)
[ 1906.320813][ C1] ? __pfx_ip_finish_output2 (net/ipv4/ip_output.c:200)
[ 1906.321005][ C1] ? __ip_finish_output (./include/linux/skbuff.h:1669 ./include/linux/skbuff.h:5010 net/ipv4/ip_output.c:308 net/ipv4/ip_output.c:296)
[ 1906.321190][ C1] __ip_queue_xmit (net/ipv4/ip_output.c:536 (discriminator 4))
[ 1906.321372][ C1] ? __skb_clone (./arch/x86/include/asm/atomic.h:53 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:992 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:436 (discriminator 4) net/core/skbuff.c:1605 (discriminator 4))
[ 1906.321557][ C1] __tcp_transmit_skb (net/ipv4/tcp_output.c:1466 (discriminator 4))
[ 1906.321745][ C1] ? __pfx___tcp_transmit_skb (net/ipv4/tcp_output.c:1287)
[ 1906.321932][ C1] ? mark_held_locks (kernel/locking/lockdep.c:4321)
[ 1906.322119][ C1] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 1906.322359][ C1] ? tcp_small_queue_check.isra.0 (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/linux/refcount.h:136 net/ipv4/tcp_output.c:2631)
[ 1906.322583][ C1] tcp_write_xmit (net/ipv4/tcp_output.c:2830)
[ 1906.322770][ C1] ? tcp_current_mss (./include/net/dst.h:216 net/ipv4/tcp_output.c:1872)
[ 1906.322955][ C1] ? __pfx_tcp_current_mss (net/ipv4/tcp_output.c:1861)
[ 1906.323136][ C1] ? __alloc_skb (./arch/x86/include/asm/atomic.h:28 ./include/linux/atomic/atomic-arch-fallback.h:503 ./include/linux/atomic/atomic-instrumented.h:68 ./include/linux/refcount.h:125 net/core/skbuff.c:702)
[ 1906.323318][ C1] ? __pfx_tcp_write_xmit (net/ipv4/tcp_output.c:2739)
[ 1906.323502][ C1] ? tcp_set_state (net/ipv4/tcp.c:2870 (discriminator 53))
[ 1906.323684][ C1] ? __pfx_tcp_set_state (net/ipv4/tcp.c:2870)
[ 1906.323874][ C1] __tcp_push_pending_frames (net/ipv4/tcp_output.c:3015)
[ 1906.324064][ C1] inet_shutdown (net/ipv4/af_inet.c:925)
[ 1906.324254][ C1] ? sockfd_lookup_light (net/socket.c:557)
[ 1906.324434][ C1] __sys_shutdown (net/socket.c:2448 net/socket.c:2460)
[ 1906.324621][ C1] ? __pfx___sys_shutdown (net/socket.c:2454)
[ 1906.324804][ C1] ? audit_reset_context.part.0.constprop.0 (./include/linux/list.h:373 kernel/auditsc.c:1023)
[ 1906.325045][ C1] __x64_sys_shutdown (net/socket.c:2466)
[ 1906.325229][ C1] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 1906.325424][ C1] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 1906.325655][ C1] RIP: 0033:0x7ff46d575beb
[ 1906.325853][ C1] Code: 73 01 c3 48 8b 0d 15 92 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 30 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e5 91 1b 00 f7 d8 64 89 01 48
All code
========
0: 73 01 jae 0x3
2: c3 ret
3: 48 8b 0d 15 92 1b 00 mov 0x1b9215(%rip),%rcx # 0x1b921f
a: f7 d8 neg %eax
c: 64 89 01 mov %eax,%fs:(%rcx)
f: 48 83 c8 ff or $0xffffffffffffffff,%rax
13: c3 ret
14: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
1b: 00 00 00
1e: 90 nop
1f: f3 0f 1e fa endbr64
23: b8 30 00 00 00 mov $0x30,%eax
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 ret
33: 48 8b 0d e5 91 1b 00 mov 0x1b91e5(%rip),%rcx # 0x1b921f
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 ret
9: 48 8b 0d e5 91 1b 00 mov 0x1b91e5(%rip),%rcx # 0x1b91f5
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
[ 1906.326502][ C1] RSP: 002b:00007ffd060ca128 EFLAGS: 00000206 ORIG_RAX: 0000000000000030
[ 1906.326790][ C1] RAX: ffffffffffffffda RBX: 000055dd7772b610 RCX: 00007ff46d575beb
[ 1906.327063][ C1] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000000000008
[ 1906.327344][ C1] RBP: 0000000000000008 R08: 0000000000000001 R09: 0000000000000000
[ 1906.327626][ C1] R10: 0000000000000000 R11: 0000000000000206 R12: ffffffffffffffff
Finger prints:
print_report:kasan_report:xfrm_lookup_with_ifid:nf_xfrm_me_harder:nf_nat_ipv4_out