==================================================================
BUG: KASAN: use-after-free in xfrm6_tunnel_free_spi net/ipv6/xfrm6_tunnel.c:205 [inline]
BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x57b/0x630 net/ipv6/xfrm6_tunnel.c:300
Read of size 8 at addr ffff8801d12907f8 by task kworker/1:5/10374

CPU: 1 PID: 10374 Comm: kworker/1:5 Not tainted 4.4.155+ #34
Workqueue: events xfrm_state_gc_task
 0000000000000000 df46dbc99539d653 ffff8801d0defaa8 ffffffff81a556dd
 ffffea000744a400 ffff8801d12907f8 0000000000000000 ffff8801d12907f8
 ffff8800b60cc584 ffff8801d0defae0 ffffffff8146c8f9 ffff8801d12907f8
Call Trace:
 [<ffffffff81a556dd>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81a556dd>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff8146c8f9>] print_address_description+0x6c/0x217 mm/kasan/report.c:252
 [<ffffffff8146cc19>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff8146cc19>] kasan_report.cold.6+0x175/0x2f7 mm/kasan/report.c:408
 [<ffffffff81461b24>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [<ffffffff825f928b>] xfrm6_tunnel_free_spi net/ipv6/xfrm6_tunnel.c:205 [inline]
 [<ffffffff825f928b>] xfrm6_tunnel_destroy+0x57b/0x630 net/ipv6/xfrm6_tunnel.c:300
 [<ffffffff824d94bf>] xfrm_state_gc_destroy net/xfrm/xfrm_state.c:349 [inline]
 [<ffffffff824d94bf>] xfrm_state_gc_task+0x39f/0x500 net/xfrm/xfrm_state.c:368
 [<ffffffff8111e67f>] process_one_work+0x78f/0x1560 kernel/workqueue.c:2064
 [<ffffffff8111f529>] worker_thread+0xd9/0xfc0 kernel/workqueue.c:2196
 [<ffffffff8112f2e8>] kthread+0x268/0x300 kernel/kthread.c:211
 [<ffffffff82690fc5>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:510

Allocated by task 2123:
 [<ffffffff8102dd46>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff81460b62>] save_stack mm/kasan/kasan.c:512 [inline]
 [<ffffffff81460b62>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff81460b62>] kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:616
 [<ffffffff81460ddf>] kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:601
 [<ffffffff8145d28d>] __kmalloc+0x13d/0x330 mm/slub.c:3613
 [<ffffffff82199b1f>] kmalloc include/linux/slab.h:481 [inline]
 [<ffffffff82199b1f>] kzalloc include/linux/slab.h:620 [inline]
 [<ffffffff82199b1f>] ops_init+0xef/0x3a0 net/core/net_namespace.c:99
 [<ffffffff8219b629>] setup_net+0x1b9/0x3f0 net/core/net_namespace.c:289
 [<ffffffff8219d032>] copy_net_ns+0xd2/0x1b0 net/core/net_namespace.c:388
 [<ffffffff811317e6>] create_new_namespaces+0x416/0x640 kernel/nsproxy.c:95
 [<ffffffff81131f65>] unshare_nsproxy_namespaces+0xa5/0x1d0 kernel/nsproxy.c:190
 [<ffffffff810d0696>] SYSC_unshare kernel/fork.c:2074 [inline]
 [<ffffffff810d0696>] SyS_unshare+0x316/0x710 kernel/fork.c:2024
 [<ffffffff81005ffe>] do_syscall_32_irqs_on arch/x86/entry/common.c:393 [inline]
 [<ffffffff81005ffe>] do_fast_syscall_32+0x31e/0x8b0 arch/x86/entry/common.c:460
 [<ffffffff82692350>] sysenter_flags_fixed+0xd/0x1a

Freed by task 7823:
 [<ffffffff8102dd46>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff8146145c>] save_stack mm/kasan/kasan.c:512 [inline]
 [<ffffffff8146145c>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff8146145c>] kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:589
 [<ffffffff8145e944>] slab_free_hook mm/slub.c:1383 [inline]
 [<ffffffff8145e944>] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [<ffffffff8145e944>] slab_free mm/slub.c:2859 [inline]
 [<ffffffff8145e944>] kfree+0xf4/0x310 mm/slub.c:3749
 [<ffffffff8219b33f>] ops_free net/core/net_namespace.c:124 [inline]
 [<ffffffff8219b33f>] ops_free_list.part.3+0x1ff/0x330 net/core/net_namespace.c:146
 [<ffffffff8219cd1f>] ops_free_list net/core/net_namespace.c:144 [inline]
 [<ffffffff8219cd1f>] cleanup_net+0x3bf/0x600 net/core/net_namespace.c:456
 [<ffffffff8111e67f>] process_one_work+0x78f/0x1560 kernel/workqueue.c:2064
 [<ffffffff8111f529>] worker_thread+0xd9/0xfc0 kernel/workqueue.c:2196
 [<ffffffff8112f2e8>] kthread+0x268/0x300 kernel/kthread.c:211
 [<ffffffff82690fc5>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:510

The buggy address belongs to the object at ffff8801d1290000
 which belongs to the cache kmalloc-8192 of size 8192
The buggy address is located 2040 bytes inside of
 8192-byte region [ffff8801d1290000, ffff8801d1292000)
The buggy address belongs to the page:
double fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 10374 Comm: kworker/1:5 Not tainted 4.4.155+ #34
Workqueue:  xfrm_state_gc_task (5�@�����)
task: ffff8800a76a5f00 task.stack: ffff8801d0de8000
RIP: 0010:[<ffffffff8140aa59>]  [<ffffffff8140aa59>] dump_page+0x9/0x30 mm/debug.c:104
RSP: 0018:ffff880100000000  EFLAGS: 00010093
RAX: ffff8800a76a5f00 RBX: ffffea000744a400 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff82891320 RDI: ffffea000744a400
RBP: ffff880100000008 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffffffff83fd5174 R12: ffffffff82891320
R13: ffffffff82891320 R14: ffff8801d1290000 R15: ffff8801d1292000
FS:  0000000000000000(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000130 CR3: 00000000afc1a000 CR4: 00000000001606b0
Stack:

Call Trace:
 <UNK> 
Code: 89 df e8 1b 00 00 00 0f 0b 48 89 df e8 d1 70 05 00 eb d5 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 54 49 89 f4 <53> 48 89 fb e8 5e a2 ee ff 4c 89 e6 48 89 df 31 d2 e8 71 ff ff 
RIP  [<ffffffff8140aa59>] dump_page+0x9/0x30 mm/debug.c:104
 RSP <ffff880100000000>
---[ end trace bc05feef96a9b85a ]---