======================================
| xx__-> [ 2040.718733][T28774] ==================================================================
| [ 2040.718874][T28774] BUG: KASAN: slab-use-after-free in neigh_dump_info (net/core/neighbour.c:2950 (discriminator 1))
| [ 2040.718990][T28774] Read of size 1 at addr ff11000014df4ad0 by task netlink-dumps/28774
| [ 2040.719101][T28774]
[ 2040.719144][T28774] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 2040.719146][T28774] Call Trace:
[ 2040.719147][T28774]  <TASK>
[ 2040.719149][T28774]  dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[ 2040.719154][T28774]  print_address_description.constprop.0 (mm/kasan/report.c:378)
[ 2040.719159][T28774]  print_report (mm/kasan/report.c:482)
[ 2040.719161][T28774]  ? __virt_addr_valid (./include/linux/rcupdate.h:937 ./include/linux/mmzone.h:2281 arch/x86/mm/physaddr.c:54)
[ 2040.719165][T28774]  ? __virt_addr_valid (./include/linux/rcupdate.h:963 (discriminator 1) ./include/linux/mmzone.h:2291 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))
[ 2040.719168][T28774]  kasan_report (mm/kasan/report.c:595)
[ 2040.719171][T28774]  ? neigh_dump_info (net/core/neighbour.c:2950 (discriminator 1))
[ 2040.719173][T28774]  ? neigh_dump_info (net/core/neighbour.c:2950 (discriminator 1))
[ 2040.719175][T28774]  neigh_dump_info (net/core/neighbour.c:2950 (discriminator 1))
[ 2040.719177][T28774]  ? __alloc_skb (./include/linux/instrumented.h:97 ./include/linux/atomic/atomic-instrumented.h:67 net/core/skbuff.c:408 net/core/skbuff.c:720)
[ 2040.719179][T28774]  ? __alloc_skb (./include/linux/bottom_half.h:20 (discriminator 2) net/core/skbuff.c:695 (discriminator 2))
[ 2040.719181][T28774]  ? neigh_proc_base_reachable_time (net/core/neighbour.c:3745)
[ 2040.719184][T28774]  netlink_dump (net/netlink/af_netlink.c:2326)
[ 2040.719188][T28774]  ? netlink_lookup (./include/linux/refcount.h:291)
[ 2040.719190][T28774]  ? kmem_cache_free (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6250 mm/slub.c:6377)
[ 2040.719193][T28774]  netlink_recvmsg (net/netlink/af_netlink.c:1977)
[ 2040.719195][T28774]  ? netlink_dump (net/netlink/af_netlink.c:2239 (discriminator 1))
[ 2040.719198][T28774]  __sys_recvfrom (net/socket.c:1137 (discriminator 4) net/socket.c:1159 (discriminator 4) net/socket.c:2315 (discriminator 4))
[ 2040.719201][T28774]  ? __ia32_sys_send (net/socket.c:2279)
[ 2040.719205][T28774]  ? exc_page_fault (arch/x86/mm/fault.c:1474 arch/x86/mm/fault.c:1527)
[ 2040.719209][T28774]  __x64_sys_recvfrom (net/socket.c:2330 net/socket.c:2326 net/socket.c:2326)
[ 2040.719211][T28774]  ? trace_irq_enable.constprop.0 (./include/trace/events/preemptirq.h:40 (discriminator 22))
[ 2040.719215][T28774]  ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4472)
[ 2040.719216][T28774]  ? do_syscall_64 (./include/linux/entry-common.h:177 arch/x86/entry/syscall_64.c:89)
[ 2040.719218][T28774]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[ 2040.719220][T28774]  ? trace_hardirqs_off (kernel/trace/trace_preemptirq.c:104 (discriminator 1))
[ 2040.719221][T28774]  ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
[ 2040.719223][T28774]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[ 2040.719225][T28774] RIP: 0033:0x7fa21d9b608e
[ 2040.719228][T28774] Code: 4d 89 d8 e8 94 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 03 ff ff ff 0f 1f 00 f3 0f 1e fa
All code
========
   0:	4d 89 d8             	mov    %r11,%r8
   3:	e8 94 bd 00 00       	call   0xbd9c
   8:	4c 8b 5d f8          	mov    -0x8(%rbp),%r11
   c:	41 8b 93 08 03 00 00 	mov    0x308(%r11),%edx
  13:	59                   	pop    %rcx
  14:	5e                   	pop    %rsi
  15:	48 83 f8 fc          	cmp    $0xfffffffffffffffc,%rax
  19:	74 11                	je     0x2c
  1b:	c9                   	leave
  1c:	c3                   	ret
  1d:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  24:	48 8b 45 10          	mov    0x10(%rbp),%rax
  28:	0f 05                	syscall
  2a:*	c9                   	leave		<-- trapping instruction
  2b:	c3                   	ret
  2c:	83 e2 39             	and    $0x39,%edx
  2f:	83 fa 08             	cmp    $0x8,%edx
  32:	75 e7                	jne    0x1b
  34:	e8 03 ff ff ff       	call   0xffffffffffffff3c
  39:	0f 1f 00             	nopl   (%rax)
  3c:	f3 0f 1e fa          	endbr64

Code starting with the faulting instruction
===========================================
   0:	c9                   	leave
   1:	c3                   	ret
   2:	83 e2 39             	and    $0x39,%edx
   5:	83 fa 08             	cmp    $0x8,%edx
   8:	75 e7                	jne    0xfffffffffffffff1
   a:	e8 03 ff ff ff       	call   0xffffffffffffff12
   f:	0f 1f 00             	nopl   (%rax)
  12:	f3 0f 1e fa          	endbr64
[ 2040.719229][T28774] RSP: 002b:00007fff29c58090 EFLAGS: 00000202 ORIG_RAX: 000000000000002d
[ 2040.719233][T28774] RAX: ffffffffffffffda RBX: 00000000004062c0 RCX: 00007fa21d9b608e
[ 2040.719234][T28774] RDX: 0000000000002000 RSI: 00007fff29c58100 RDI: 0000000000000005
[ 2040.719235][T28774] RBP: 00007fff29c580a0 R08: 0000000000000000 R09: 0000000000000000
[ 2040.719236][T28774] R10: 0000000000000040 R11: 0000000000000202 R12: 0000000000000005
[ 2040.719237][T28774] R13: 0000000000000018 R14: 000000000000001c R15: 0000000000000003
| [ 2040.727384][T28774] refcount_t: underflow; use-after-free.
| [ 2040.727460][T28774] WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x99/0xc0, CPU#3: netlink-dumps/28774
| [ 2040.727612][T28774] Modules linked in: cls_bpf nft_chain_nat xt_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipvtap ipvlan geneve ip6_gre ip_gre gre act_gact vxlan cls_flower sch_prio xt_mark sch_ingress act_mirred cls_basic sch_fq_codel ip6t_REJECT nf_reject_ipv6 nft_compat nf_tables [last unloaded: ila]
| [ 2040.728165][T28774] Tainted: [B]=BAD_PAGE
[ 2040.728220][T28774] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 2040.728311][T28774] RIP: 0010:refcount_warn_saturate (lib/refcount.c:28 (discriminator 6))
[ 2040.728404][T28774] Code: b9 3a 5b 5d c3 48 8d 3d 35 ba 50 03 67 48 0f b9 3a 5b 5d c3 48 8d 3d 36 ba 50 03 67 48 0f b9 3a 5b 5d c3 48 8d 3d 37 ba 50 03 <67> 48 0f b9 3a 5b 5d c3 48 8d 3d 38 ba 50 03 67 48 0f b9 3a 5b 5d
All code
========
   0:	b9 3a 5b 5d c3       	mov    $0xc35d5b3a,%ecx
   5:	48 8d 3d 35 ba 50 03 	lea    0x350ba35(%rip),%rdi        # 0x350ba41
   c:	67 48 0f b9 3a       	ud1    (%edx),%rdi
  11:	5b                   	pop    %rbx
  12:	5d                   	pop    %rbp
  13:	c3                   	ret
  14:	48 8d 3d 36 ba 50 03 	lea    0x350ba36(%rip),%rdi        # 0x350ba51
  1b:	67 48 0f b9 3a       	ud1    (%edx),%rdi
  20:	5b                   	pop    %rbx
  21:	5d                   	pop    %rbp
  22:	c3                   	ret
  23:	48 8d 3d 37 ba 50 03 	lea    0x350ba37(%rip),%rdi        # 0x350ba61
  2a:*	67 48 0f b9 3a       	ud1    (%edx),%rdi		<-- trapping instruction
  2f:	5b                   	pop    %rbx
  30:	5d                   	pop    %rbp
  31:	c3                   	ret
  32:	48 8d 3d 38 ba 50 03 	lea    0x350ba38(%rip),%rdi        # 0x350ba71
  39:	67 48 0f b9 3a       	ud1    (%edx),%rdi
  3e:	5b                   	pop    %rbx
  3f:	5d                   	pop    %rbp

Code starting with the faulting instruction
===========================================
   0:	67 48 0f b9 3a       	ud1    (%edx),%rdi
   5:	5b                   	pop    %rbx
   6:	5d                   	pop    %rbp
   7:	c3                   	ret
   8:	48 8d 3d 38 ba 50 03 	lea    0x350ba38(%rip),%rdi        # 0x350ba47
   f:	67 48 0f b9 3a       	ud1    (%edx),%rdi
  14:	5b                   	pop    %rbx
  15:	5d                   	pop    %rbp
[ 2040.728664][T28774] RSP: 0018:ffa0000001007a80 EFLAGS: 00010246
[ 2040.728755][T28774] RAX: 0000000000000000 RBX: ff1100000c5642dc RCX: ffffffff905fec28
[ 2040.728862][T28774] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffff93b0a640
[ 2040.728968][T28774] RBP: 0000000000000003 R08: ffffffff905feb85 R09: 1fe22000018ac85b
[ 2040.729078][T28774] R10: 0000000000000007 R11: ffe21c00018ac85c R12: 0000000000000000
[ 2040.729185][T28774] R13: ff11000013ea2000 R14: ff110000265475b4 R15: ff11000026547540
[ 2040.729293][T28774] FS:  00007fa21d943740(0000) GS:ff110000d0c45000(0000) knlGS:0000000000000000
[ 2040.729420][T28774] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2040.729515][T28774] CR2: 00007fa21d949a00 CR3: 000000000d59d003 CR4: 0000000000771ef0
[ 2040.729629][T28774] PKRU: 55555554
[ 2040.729689][T28774] Call Trace:
[ 2040.729745][T28774]  <TASK>
[ 2040.729784][T28774]  netlink_dump (net/netlink/af_netlink.c:2378)
[ 2040.729859][T28774]  ? netlink_lookup (./include/linux/refcount.h:291)
[ 2040.729931][T28774]  ? kmem_cache_free (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6250 mm/slub.c:6377)
[ 2040.730002][T28774]  netlink_recvmsg (net/netlink/af_netlink.c:1977)
[ 2040.730076][T28774]  ? netlink_dump (net/netlink/af_netlink.c:2239 (discriminator 1))
[ 2040.730150][T28774]  __sys_recvfrom (net/socket.c:1137 (discriminator 4) net/socket.c:1159 (discriminator 4) net/socket.c:2315 (discriminator 4))
[ 2040.730223][T28774]  ? __ia32_sys_send (net/socket.c:2279)
[ 2040.730302][T28774]  ? exc_page_fault (arch/x86/mm/fault.c:1474 arch/x86/mm/fault.c:1527)
[ 2040.730377][T28774]  __x64_sys_recvfrom (net/socket.c:2330 net/socket.c:2326 net/socket.c:2326)
[ 2040.730453][T28774]  ? trace_irq_enable.constprop.0 (./include/trace/events/preemptirq.h:40 (discriminator 22))
[ 2040.730546][T28774]  ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4472)
[ 2040.730621][T28774]  ? do_syscall_64 (./include/linux/entry-common.h:177 arch/x86/entry/syscall_64.c:89)
[ 2040.730695][T28774]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[ 2040.730770][T28774]  ? trace_hardirqs_off (kernel/trace/trace_preemptirq.c:104 (discriminator 1))
[ 2040.730844][T28774]  ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
[ 2040.730923][T28774]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[ 2040.731012][T28774] RIP: 0033:0x7fa21d9b608e
[ 2040.731089][T28774] Code: 4d 89 d8 e8 94 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 03 ff ff ff 0f 1f 00 f3 0f 1e fa
All code
========
   0:	4d 89 d8             	mov    %r11,%r8
   3:	e8 94 bd 00 00       	call   0xbd9c
   8:	4c 8b 5d f8          	mov    -0x8(%rbp),%r11
   c:	41 8b 93 08 03 00 00 	mov    0x308(%r11),%edx
  13:	59                   	pop    %rcx
  14:	5e                   	pop    %rsi
  15:	48 83 f8 fc          	cmp    $0xfffffffffffffffc,%rax
  19:	74 11                	je     0x2c
  1b:	c9                   	leave
  1c:	c3                   	ret
  1d:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  24:	48 8b 45 10          	mov    0x10(%rbp),%rax
  28:	0f 05                	syscall
  2a:*	c9                   	leave		<-- trapping instruction
  2b:	c3                   	ret
  2c:	83 e2 39             	and    $0x39,%edx
  2f:	83 fa 08             	cmp    $0x8,%edx
  32:	75 e7                	jne    0x1b
  34:	e8 03 ff ff ff       	call   0xffffffffffffff3c
  39:	0f 1f 00             	nopl   (%rax)
  3c:	f3 0f 1e fa          	endbr64

Code starting with the faulting instruction
===========================================
   0:	c9                   	leave
   1:	c3                   	ret
   2:	83 e2 39             	and    $0x39,%edx
   5:	83 fa 08             	cmp    $0x8,%edx
   8:	75 e7                	jne    0xfffffffffffffff1
   a:	e8 03 ff ff ff       	call   0xffffffffffffff12
   f:	0f 1f 00             	nopl   (%rax)
  12:	f3 0f 1e fa          	endbr64
[ 2040.731389][T28774] RSP: 002b:00007fff29c58090 EFLAGS: 00000202 ORIG_RAX: 000000000000002d
[ 2040.731502][T28774] RAX: ffffffffffffffda RBX: 00000000004062c0 RCX: 00007fa21d9b608e
[ 2040.731649][T28774] RDX: 0000000000002000 RSI: 00007fff29c58100 RDI: 0000000000000005
[ 2040.731756][T28774] RBP: 00007fff29c580a0 R08: 0000000000000000 R09: 0000000000000000
[ 2040.731864][T28774] R10: 0000000000000040 R11: 0000000000000202 R12: 0000000000000005


Finger prints:
refcount_warn_saturate:netlink_dump:netlink_recvmsg:__sys_recvfrom:__x64_sys_recvfrom
print_report:kasan_report:neigh_dump_info:netlink_dump:netlink_recvmsg