[ 749.062640][ C5] ==================================================================
[ 749.062847][ C5] BUG: KASAN: slab-use-after-free in fbnic_tx_lso.isra.0+0x668/0x8e0
[ 749.063002][ C5] Read of size 4 at addr ff110000262edd98 by task swapper/5/0
[ 749.063163][ C5]
[ 749.063217][ C5] CPU: 5 UID: 0 PID: 0 Comm: swapper/5 Not tainted 7.1.0-virtme #1 PREEMPT(full)
[ 749.063221][ C5] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 749.063223][ C5] Call Trace:
[ 749.063225][ C5]
[ 749.063227][ C5] dump_stack_lvl+0x6f/0xa0
[ 749.063233][ C5] print_address_description.constprop.0+0x56/0x2d0
[ 749.063238][ C5] print_report+0xfc/0x1fa
[ 749.063240][ C5] ? __virt_addr_valid+0x102/0x440
[ 749.063245][ C5] ? __virt_addr_valid+0x1da/0x440
[ 749.063247][ C5] kasan_report+0x108/0x130
[ 749.063250][ C5] ? fbnic_tx_lso.isra.0+0x668/0x8e0
[ 749.063252][ C5] ? fbnic_tx_lso.isra.0+0x668/0x8e0
[ 749.063255][ C5] fbnic_tx_lso.isra.0+0x668/0x8e0
[ 749.063257][ C5] fbnic_xmit_frame+0x622/0xba0
[ 749.063259][ C5] ? fbnic_ring_csr_base+0x50/0x50
[ 749.063262][ C5] dev_hard_start_xmit+0xf4/0x620
[ 749.063265][ C5] sch_direct_xmit+0x25b/0x1100
[ 749.063270][ C5] ? lock_acquire.part.0+0xbc/0x260
[ 749.063274][ C5] ? dequeue_skb+0x1db0/0x1db0
[ 749.063276][ C5] ? __rcu_read_lock+0x40/0x70
[ 749.063285][ C5] ? lock_acquire+0x13c/0x160
[ 749.063289][ C5] __dev_xmit_skb+0xede/0x1c00
[ 749.063299][ C5] ? netdev_pick_tx+0x60a/0x7b0
[ 749.063302][ C5] ? alloc_netdev_dummy+0x30/0x30
[ 749.063308][ C5] __dev_queue_xmit+0x90d/0x1a00
[ 749.063310][ C5] ? __lock_acquire+0x518/0xc20
[ 749.063314][ C5] ? netdev_core_pick_tx+0x2d0/0x2d0
[ 749.063317][ C5] ? __asan_memcpy+0x3c/0x60
[ 749.063325][ C5] ? eth_header+0x14c/0x180
[ 749.063329][ C5] ? neigh_resolve_output.part.0+0x344/0x740
[ 749.063335][ C5] neigh_update_process_arp_queue+0x698/0x840
[ 749.063338][ C5] ? __neigh_notify+0x123/0x280
[ 749.063341][ C5] ? neigh_managed_work+0x1f1/0x220
[ 749.063344][ C5] __neigh_update+0x595/0x2170
[ 749.063346][ C5] ? rcu_read_lock_any_held+0x30/0x90
[ 749.063351][ C5] arp_process.constprop.0+0x8a8/0x2490
[ 749.063356][ C5] ? do_xdp_generic+0x4a0/0x4a0
[ 749.063358][ C5] ? fbnic_run_xdp+0x2ee/0x5e0
[ 749.063360][ C5] ? arp_send+0x140/0x140
[ 749.063362][ C5] ? net_rx_action+0x513/0xf50
[ 749.063364][ C5] ? __irq_exit_rcu+0x103/0x1c0
[ 749.063368][ C5] ? common_interrupt+0xb5/0xf0
[ 749.063371][ C5] ? pv_native_safe_halt+0xf/0x10
[ 749.063374][ C5] ? default_idle+0x9/0x10
[ 749.063377][ C5] ? default_idle_call+0x6e/0xb0
[ 749.063379][ C5] ? cpuidle_idle_call.constprop.0+0x237/0x410
[ 749.063381][ C5] ? do_idle+0xd8/0x180
[ 749.063383][ C5] ? cpu_startup_entry+0x53/0x70
[ 749.063384][ C5] ? start_secondary+0x204/0x2b0
[ 749.063386][ C5] ? common_startup_64+0x13e/0x148
[ 749.063389][ C5] ? __asan_memset+0x27/0x50
[ 749.063392][ C5] __netif_receive_skb_list_core+0x628/0x9e0
[ 749.063394][ C5] ? __lock_acquire+0x518/0xc20
[ 749.063396][ C5] ? __netif_receive_skb_core.constprop.0+0x2960/0x2960
[ 749.063398][ C5] ? lock_acquire.part.0+0xbc/0x260
[ 749.063400][ C5] ? lock_acquire+0x13c/0x160
[ 749.063402][ C5] netif_receive_skb_list_internal+0x5f8/0xe20
[ 749.063404][ C5] ? process_backlog+0x1490/0x1490
[ 749.063405][ C5] ? dev_gro_receive+0x201/0x1740
[ 749.063407][ C5] ? xdp_build_skb_from_buff+0x39f/0x8b0
[ 749.063409][ C5] ? sched_clock_cpu+0x69/0x6b0
[ 749.063412][ C5] ? rcu_is_watching+0x15/0xd0
[ 749.063414][ C5] ? gro_receive_skb+0x871/0xbb0
[ 749.063416][ C5] napi_complete_done+0x1aa/0x8c0
[ 749.063418][ C5] ? netif_receive_skb_list+0x50/0x50
[ 749.063419][ C5] ? validate_chain+0x38b/0xc20
[ 749.063421][ C5] fbnic_poll+0x839/0xe80
[ 749.063424][ C5] ? ww_mutex_trylock+0x990/0xdd0
[ 749.063428][ C5] ? fbnic_clean_twq0+0xc60/0xc60
[ 749.063431][ C5] ? __lock_release.isra.0+0x6b/0x1a0
[ 749.063434][ C5] __napi_poll+0xd4/0x3b0
[ 749.063437][ C5] net_rx_action+0x513/0xf50
[ 749.063441][ C5] ? __napi_poll+0x3b0/0x3b0
[ 749.063443][ C5] ? validate_chain+0x38b/0xc20
[ 749.063445][ C5] ? rcu_read_lock_any_held+0x3c/0x90
[ 749.063447][ C5] ? validate_chain+0x38b/0xc20
[ 749.063453][ C5] ? __rwlock_init+0x150/0x150
[ 749.063456][ C5] ? rcu_is_watching+0x15/0xd0
[ 749.063459][ C5] handle_softirqs+0x1d8/0x8f0
[ 749.063463][ C5] ? _local_bh_enable+0xd0/0xd0
[ 749.063466][ C5] ? do_raw_spin_unlock+0x59/0x250
[ 749.063469][ C5] __irq_exit_rcu+0x103/0x1c0
[ 749.063472][ C5] irq_exit_rcu+0xe/0x30
[ 749.063474][ C5] common_interrupt+0xb5/0xf0
[ 749.063477][ C5]
[ 749.063478][ C5]
[ 749.063479][ C5] ? sysvec_apic_timer_interrupt+0xaa/0xe0
[ 749.063482][ C5] asm_common_interrupt+0x26/0x40
[ 749.063486][ C5] RIP: 0010:pv_native_safe_halt+0xf/0x10
[ 749.063490][ C5] Code: 48 8b 3d 84 21 5d 02 e8 1f 00 00 00 48 2b 05 48 d2 99 00 c3 0f 1f 80 00 00 00 00 f3 0f 1e fa eb 07 0f 00 2d 03 69 0d 00 fb f4 0f 1f 40 d6 48 83 ec 20 8b 17 49 89 f8 83 e2 fe 41 89 d2 0f 01
[ 749.063492][ C5] RSP: 0018:ffa000000018fe00 EFLAGS: 00000282
[ 749.063497][ C5] RAX: 00000000011327ab RBX: ff11000001cac6c0 RCX: ffffffffa5100767
[ 749.063499][ C5] RDX: ff11000001cac6c0 RSI: ffffffffa80b99e0 RDI: ffffffffa7a79140
[ 749.063501][ C5] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 749.063503][ C5] R10: 0000000000000005 R11: 0000000000000001 R12: 1ff4000000031fc3
[ 749.063504][ C5] R13: 0000000000000000 R14: dffffc0000000000 R15: 0000000000000000
[ 749.063507][ C5] ? cpuidle_idle_call.constprop.0+0x237/0x410
[ 749.063511][ C5] default_idle+0x9/0x10
[ 749.063514][ C5] default_idle_call+0x6e/0xb0
[ 749.063517][ C5] cpuidle_idle_call.constprop.0+0x237/0x410
[ 749.063519][ C5] ? arch_cpu_idle_exit+0x40/0x40
[ 749.063522][ C5] ? mark_tsc_async_resets+0x30/0x30
[ 749.063525][ C5] ? default_idle_call+0x98/0xb0
[ 749.063527][ C5] ? rcu_is_watching+0x15/0xd0
[ 749.063531][ C5] do_idle+0xd8/0x180
[ 749.063533][ C5] cpu_startup_entry+0x53/0x70
[ 749.063536][ C5] start_secondary+0x204/0x2b0
[ 749.063539][ C5] ? set_cpu_sibling_map+0x2130/0x2130
[ 749.063542][ C5] common_startup_64+0x13e/0x148
[ 749.063548][ C5]
[ 749.063549][ C5]
[ 749.075439][ C5] Allocated by task 8653:
[ 749.075521][ C5] kasan_save_stack+0x2f/0x50
[ 749.075628][ C5] kasan_save_track+0x14/0x30
[ 749.075727][ C5] __kasan_slab_alloc+0x60/0x70
[ 749.075824][ C5] kmem_cache_alloc_node_noprof+0x224/0x640
[ 749.075947][ C5] kmalloc_reserve+0x103/0x2d0
[ 749.076053][ C5] __alloc_skb+0x11e/0x5f0
[ 749.076154][ C5] alloc_skb_with_frags+0xcc/0x6c0
[ 749.076248][ C5] sock_alloc_send_pskb+0x327/0x3f0
[ 749.076345][ C5] __ip_append_data+0x188b/0x47a0
[ 749.076448][ C5] ip_make_skb+0x24a/0x300
[ 749.076547][ C5] udp_sendmsg+0x14d2/0x21e0
[ 749.076652][ C5] __sys_sendto+0x2aa/0x3e0
[ 749.076749][ C5] __x64_sys_sendto+0xe4/0x1f0
[ 749.076870][ C5] do_syscall_64+0x117/0x590
[ 749.077004][ C5] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 749.077132][ C5]
[ 749.077186][ C5] Freed by task 0:
[ 749.077268][ C5] kasan_save_stack+0x2f/0x50
[ 749.077370][ C5] kasan_save_track+0x14/0x30
[ 749.077481][ C5] kasan_save_free_info+0x3b/0x60
[ 749.077583][ C5] __kasan_slab_free+0x43/0x70
[ 749.077684][ C5] kfree+0x123/0x5a0
[ 749.077758][ C5] pskb_expand_head+0x36c/0xfa0
[ 749.077855][ C5] fbnic_tx_lso.isra.0+0x500/0x8e0
[ 749.077955][ C5] fbnic_xmit_frame+0x622/0xba0
[ 749.078054][ C5] dev_hard_start_xmit+0xf4/0x620
[ 749.078157][ C5] sch_direct_xmit+0x25b/0x1100
[ 749.078254][ C5] __dev_xmit_skb+0xede/0x1c00
[ 749.078352][ C5] __dev_queue_xmit+0x90d/0x1a00
[ 749.078457][ C5] neigh_update_process_arp_queue+0x698/0x840
[ 749.078580][ C5] __neigh_update+0x595/0x2170
[ 749.078680][ C5] arp_process.constprop.0+0x8a8/0x2490
[ 749.078778][ C5] __netif_receive_skb_list_core+0x628/0x9e0
[ 749.078901][ C5] netif_receive_skb_list_internal+0x5f8/0xe20
[ 749.079023][ C5] napi_complete_done+0x1aa/0x8c0
[ 749.079122][ C5] fbnic_poll+0x839/0xe80
[ 749.079200][ C5] __napi_poll+0xd4/0x3b0
[ 749.079272][ C5] net_rx_action+0x513/0xf50
[ 749.079369][ C5] handle_softirqs+0x1d8/0x8f0
[ 749.079471][ C5] __irq_exit_rcu+0x103/0x1c0
[ 749.079576][ C5] irq_exit_rcu+0xe/0x30
[ 749.079649][ C5] common_interrupt+0xb5/0xf0
[ 749.079749][ C5] asm_common_interrupt+0x26/0x40
[ 749.079846][ C5]
[ 749.079897][ C5] The buggy address belongs to the object at ff110000262edc40
[ 749.079897][ C5] which belongs to the cache skbuff_small_head of size 640
[ 749.080165][ C5] The buggy address is located 344 bytes inside of
[ 749.080165][ C5] freed 640-byte region [ff110000262edc40, ff110000262edec0)
[ 749.080403][ C5]
[ 749.080459][ C5] The buggy address belongs to the physical page:
[ 749.080639][ C5] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff110000262eedc0 pfn:0x262ec
[ 749.080842][ C5] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 749.081045][ C5] flags: 0x80000000000240(workingset|head|node=0|zone=1)
[ 749.081175][ C5] page_type: f5(slab)
[ 749.081253][ C5] raw: 0080000000000240 ff110000021581c0 ffd40000009a3c10 ff1100000214e808
[ 749.081437][ C5] raw: ff110000262eedc0 000000000012000c 00000000f5000000 0000000000000000
[ 749.081667][ C5] head: 0080000000000240 ff110000021581c0 ffd40000009a3c10 ff1100000214e808
[ 749.081841][ C5] head: ff110000262eedc0 000000000012000c 00000000f5000000 0000000000000000
[ 749.082067][ C5] head: 0080000000000002 ffffffffffffff01 00000000ffffffff 00000000ffffffff
[ 749.082245][ C5] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 749.082478][ C5] page dumped because: kasan: bad access detected
[ 749.082606][ C5]
[ 749.082658][ C5] Memory state around the buggy address:
[ 749.082756][ C5] ff110000262edc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 749.082949][ C5] ff110000262edd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 749.083093][ C5] >ff110000262edd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 749.083235][ C5] ^
[ 749.083384][ C5] ff110000262ede00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 749.083541][ C5] ff110000262ede80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 749.083697][ C5] ==================================================================
[ 749.083914][ C5] Disabling lock debugging due to kernel taint