[ 2040.718733][T28774] ==================================================================
[ 2040.718874][T28774] BUG: KASAN: slab-use-after-free in neigh_dump_info+0x4fe/0x570
[ 2040.718990][T28774] Read of size 1 at addr ff11000014df4ad0 by task netlink-dumps/28774
[ 2040.719101][T28774]
[ 2040.719140][T28774] CPU: 3 UID: 0 PID: 28774 Comm: netlink-dumps Not tainted 7.1.0-rc4-virtme #1 PREEMPT(full)
[ 2040.719144][T28774] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 2040.719146][T28774] Call Trace:
[ 2040.719147][T28774]
[ 2040.719149][T28774] dump_stack_lvl+0x6f/0xa0
[ 2040.719154][T28774] print_address_description.constprop.0+0x56/0x2d0
[ 2040.719159][T28774] print_report+0xfc/0x1fa
[ 2040.719161][T28774] ? __virt_addr_valid+0x102/0x440
[ 2040.719165][T28774] ? __virt_addr_valid+0x1da/0x440
[ 2040.719168][T28774] kasan_report+0x108/0x130
[ 2040.719171][T28774] ? neigh_dump_info+0x4fe/0x570
[ 2040.719173][T28774] ? neigh_dump_info+0x4fe/0x570
[ 2040.719175][T28774] neigh_dump_info+0x4fe/0x570
[ 2040.719177][T28774] ? __alloc_skb+0x342/0x5f0
[ 2040.719179][T28774] ? __alloc_skb+0x4c2/0x5f0
[ 2040.719181][T28774] ? neigh_proc_base_reachable_time+0x1b0/0x1b0
[ 2040.719184][T28774] netlink_dump+0x4b8/0x12b0
[ 2040.719188][T28774] ? netlink_lookup+0x1a0/0x1a0
[ 2040.719190][T28774] ? kmem_cache_free+0xf8/0x560
[ 2040.719193][T28774] netlink_recvmsg+0x693/0x960
[ 2040.719195][T28774] ? netlink_dump+0x12b0/0x12b0
[ 2040.719198][T28774] __sys_recvfrom+0x255/0x370
[ 2040.719201][T28774] ? __ia32_sys_send+0x120/0x120
[ 2040.719205][T28774] ? exc_page_fault+0x87/0x100
[ 2040.719209][T28774] __x64_sys_recvfrom+0xe4/0x1f0
[ 2040.719211][T28774] ? trace_irq_enable.constprop.0+0x9b/0x180
[ 2040.719215][T28774] ? lockdep_hardirqs_on+0x8c/0x130
[ 2040.719216][T28774] ? do_syscall_64+0x82/0xfc0
[ 2040.719218][T28774] do_syscall_64+0x117/0xfc0
[ 2040.719220][T28774] ? trace_hardirqs_off+0xd/0x30
[ 2040.719221][T28774] ? exc_page_fault+0xee/0x100
[ 2040.719223][T28774] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 2040.719225][T28774] RIP: 0033:0x7fa21d9b608e
[ 2040.719228][T28774] Code: 4d 89 d8 e8 94 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 c3 83 e2 39 83 fa 08 75 e7 e8 03 ff ff ff 0f 1f 00 f3 0f 1e fa
[ 2040.719229][T28774] RSP: 002b:00007fff29c58090 EFLAGS: 00000202 ORIG_RAX: 000000000000002d
[ 2040.719233][T28774] RAX: ffffffffffffffda RBX: 00000000004062c0 RCX: 00007fa21d9b608e
[ 2040.719234][T28774] RDX: 0000000000002000 RSI: 00007fff29c58100 RDI: 0000000000000005
[ 2040.719235][T28774] RBP: 00007fff29c580a0 R08: 0000000000000000 R09: 0000000000000000
[ 2040.719236][T28774] R10: 0000000000000040 R11: 0000000000000202 R12: 0000000000000005
[ 2040.719237][T28774] R13: 0000000000000018 R14: 000000000000001c R15: 0000000000000003
[ 2040.719240][T28774]
[ 2040.719241][T28774]
[ 2040.722608][T28774] Allocated by task 28774:
[ 2040.722682][T28774] kasan_save_stack+0x2f/0x50
[ 2040.722757][T28774] kasan_save_track+0x14/0x30
[ 2040.722832][T28774] __kasan_slab_alloc+0x60/0x70
[ 2040.722908][T28774] kmem_cache_alloc_node_noprof+0x224/0x640
[ 2040.722997][T28774] kmalloc_reserve+0x103/0x2d0
[ 2040.723071][T28774] __alloc_skb+0x11e/0x5f0
[ 2040.723147][T28774] netlink_sendmsg+0x573/0xc60
[ 2040.723219][T28774] __sys_sendto+0x2c9/0x400
[ 2040.723289][T28774] __x64_sys_sendto+0xe4/0x1f0
[ 2040.723360][T28774] do_syscall_64+0x117/0xfc0
[ 2040.723434][T28774] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 2040.723522][T28774]
[ 2040.723564][T28774] Freed by task 28774:
[ 2040.723619][T28774] kasan_save_stack+0x2f/0x50
[ 2040.723691][T28774] kasan_save_track+0x14/0x30
[ 2040.723762][T28774] kasan_save_free_info+0x3b/0x60
[ 2040.723836][T28774] __kasan_slab_free+0x43/0x70
[ 2040.723908][T28774] kfree+0x123/0x5a0
[ 2040.723964][T28774] skb_release_data+0x56c/0x8f0
[ 2040.724035][T28774] consume_skb+0x8e/0xb0
[ 2040.724089][T28774] netlink_unicast+0x48e/0x750
[ 2040.724160][T28774] netlink_sendmsg+0x735/0xc60
[ 2040.724235][T28774] __sys_sendto+0x2c9/0x400
[ 2040.724310][T28774] __x64_sys_sendto+0xe4/0x1f0
[ 2040.724388][T28774] do_syscall_64+0x117/0xfc0
[ 2040.724463][T28774] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 2040.724555][T28774]
[ 2040.724592][T28774] The buggy address belongs to the object at ff11000014df4ac0
[ 2040.724592][T28774]  which belongs to the cache skbuff_small_head of size 640
[ 2040.724783][T28774] The buggy address is located 16 bytes inside of
[ 2040.724783][T28774]  freed 640-byte region [ff11000014df4ac0, ff11000014df4d40)
[ 2040.724956][T28774]
[ 2040.724993][T28774] The buggy address belongs to the physical page:
[ 2040.725084][T28774] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14df4
[ 2040.725217][T28774] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 2040.725326][T28774] flags: 0x80000000000040(head|node=0|zone=1)
[ 2040.725419][T28774] page_type: f5(slab)
[ 2040.725479][T28774] raw: 0080000000000040 ff11000001943e40 ffd40000005fcb10 ffd40000002ec810
[ 2040.725615][T28774] raw: 0000000000000000 0000000000120012 00000000f5000000 0000000000000000
[ 2040.725741][T28774] head: 0080000000000040 ff11000001943e40 ffd40000005fcb10 ffd40000002ec810
[ 2040.725870][T28774] head: 0000000000000000 0000000000120012 00000000f5000000 0000000000000000
[ 2040.725995][T28774] head: 0080000000000002 ffffffffffffff01 00000000ffffffff 00000000ffffffff
[ 2040.726126][T28774] head: ff110000161a5440 0000000000000000 00000000ffffffff 0000000000000000
[ 2040.726254][T28774] page dumped because: kasan: bad access detected
[ 2040.726348][T28774]
[ 2040.726387][T28774] Memory state around the buggy address:
[ 2040.726460][T28774]  ff11000014df4980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 2040.726569][T28774]  ff11000014df4a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 2040.726680][T28774] >ff11000014df4a80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 2040.726784][T28774]                                                  ^
[ 2040.726877][T28774]  ff11000014df4b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2040.726985][T28774]  ff11000014df4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2040.727094][T28774] ==================================================================
[ 2040.727205][T28774] Disabling lock debugging due to kernel taint
[ 2040.727309][T28774] ------------[ cut here ]------------
[ 2040.727384][T28774] refcount_t: underflow; use-after-free.
[ 2040.727460][T28774] WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x99/0xc0, CPU#3: netlink-dumps/28774
[ 2040.727612][T28774] Modules linked in: cls_bpf nft_chain_nat xt_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipvtap ipvlan geneve ip6_gre ip_gre gre act_gact vxlan cls_flower sch_prio xt_mark sch_ingress act_mirred cls_basic sch_fq_codel ip6t_REJECT nf_reject_ipv6 nft_compat nf_tables [last unloaded: ila]
[ 2040.727994][T28774] CPU: 3 UID: 0 PID: 28774 Comm: netlink-dumps Tainted: G B 7.1.0-rc4-virtme #1 PREEMPT(full)
[ 2040.728165][T28774] Tainted: [B]=BAD_PAGE
[ 2040.728220][T28774] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 2040.728311][T28774] RIP: 0010:refcount_warn_saturate+0x99/0xc0
[ 2040.728404][T28774] Code: b9 3a 5b 5d c3 48 8d 3d 35 ba 50 03 67 48 0f b9 3a 5b 5d c3 48 8d 3d 36 ba 50 03 67 48 0f b9 3a 5b 5d c3 48 8d 3d 37 ba 50 03 <67> 48 0f b9 3a 5b 5d c3 48 8d 3d 38 ba 50 03 67 48 0f b9 3a 5b 5d
[ 2040.728664][T28774] RSP: 0018:ffa0000001007a80 EFLAGS: 00010246
[ 2040.728755][T28774] RAX: 0000000000000000 RBX: ff1100000c5642dc RCX: ffffffff905fec28
[ 2040.728862][T28774] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffff93b0a640
[ 2040.728968][T28774] RBP: 0000000000000003 R08: ffffffff905feb85 R09: 1fe22000018ac85b
[ 2040.729078][T28774] R10: 0000000000000007 R11: ffe21c00018ac85c R12: 0000000000000000
[ 2040.729185][T28774] R13: ff11000013ea2000 R14: ff110000265475b4 R15: ff11000026547540
[ 2040.729293][T28774] FS:  00007fa21d943740(0000) GS:ff110000d0c45000(0000) knlGS:0000000000000000
[ 2040.729420][T28774] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2040.729515][T28774] CR2: 00007fa21d949a00 CR3: 000000000d59d003 CR4: 0000000000771ef0
[ 2040.729629][T28774] PKRU: 55555554
[ 2040.729689][T28774] Call Trace:
[ 2040.729745][T28774]
[ 2040.729784][T28774] netlink_dump+0xe60/0x12b0
[ 2040.729859][T28774] ? netlink_lookup+0x1a0/0x1a0
[ 2040.729931][T28774] ? kmem_cache_free+0xf8/0x560
[ 2040.730002][T28774] netlink_recvmsg+0x693/0x960
[ 2040.730076][T28774] ? netlink_dump+0x12b0/0x12b0
[ 2040.730150][T28774] __sys_recvfrom+0x255/0x370
[ 2040.730223][T28774] ? __ia32_sys_send+0x120/0x120
[ 2040.730302][T28774] ? exc_page_fault+0x87/0x100
[ 2040.730377][T28774] __x64_sys_recvfrom+0xe4/0x1f0
[ 2040.730453][T28774] ? trace_irq_enable.constprop.0+0x9b/0x180
[ 2040.730546][T28774] ? lockdep_hardirqs_on+0x8c/0x130
[ 2040.730621][T28774] ? do_syscall_64+0x82/0xfc0
[ 2040.730695][T28774] do_syscall_64+0x117/0xfc0
[ 2040.730770][T28774] ? trace_hardirqs_off+0xd/0x30
[ 2040.730844][T28774] ? exc_page_fault+0xee/0x100
[ 2040.730923][T28774] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 2040.731012][T28774] RIP: 0033:0x7fa21d9b608e
[ 2040.731089][T28774] Code: 4d 89 d8 e8 94 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 c3 83 e2 39 83 fa 08 75 e7 e8 03 ff ff ff 0f 1f 00 f3 0f 1e fa
[ 2040.731389][T28774] RSP: 002b:00007fff29c58090 EFLAGS: 00000202 ORIG_RAX: 000000000000002d
[ 2040.731502][T28774] RAX: ffffffffffffffda RBX: 00000000004062c0 RCX: 00007fa21d9b608e
[ 2040.731649][T28774] RDX: 0000000000002000 RSI: 00007fff29c58100 RDI: 0000000000000005
[ 2040.731756][T28774] RBP: 00007fff29c580a0 R08: 0000000000000000 R09: 0000000000000000
[ 2040.731864][T28774] R10: 0000000000000040 R11: 0000000000000202 R12: 0000000000000005
[ 2040.732005][T28774] R13: 0000000000000018 R14: 000000000000001c R15: 0000000000000003
[ 2040.732113][T28774]
[ 2040.732168][T28774] irq event stamp: 7279
[ 2040.732223][T28774] hardirqs last enabled at (7279): [] irqentry_exit+0x21c/0x710
[ 2040.732381][T28774] hardirqs last disabled at (7278): [] sysvec_apic_timer_interrupt+0x12/0xe0
[ 2040.732526][T28774] softirqs last enabled at (7262): [] __alloc_skb+0x4c2/0x5f0
[ 2040.732689][T28774] softirqs last disabled at (7260): [] __alloc_skb+0x4c2/0x5f0
[ 2040.732812][T28774] ---[ end trace 0000000000000000 ]---