==================================================================
BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
BUG: KASAN: use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
Read of size 4 at addr ffff8880344e0008 by task ksoftirqd/0/16

CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc4-syzkaller-00256-gc71f8fb4dc91 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 rht_key_hashfn include/linux/rhashtable.h:159 [inline]
 __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
 rhashtable_lookup include/linux/rhashtable.h:646 [inline]
 rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]
 ila_xlat_addr net/ipv6/ila/ila_xlat.c:657 [inline]
 ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:190
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626
 nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269
 NF_HOOK include/linux/netfilter.h:312 [inline]
 ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309
 __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5666
 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5779
 process_backlog+0x443/0x15f0 net/core/dev.c:6111
 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6775
 napi_poll net/core/dev.c:6844 [inline]
 net_rx_action+0xa92/0x1010 net/core/dev.c:6966
 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554
 run_ksoftirqd kernel/softirq.c:927 [inline]
 run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919
 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880344e0000 pfn:0x344e0
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001a30408 ffffea0000a4c808 0000000000000000
raw: ffff8880344e0000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 6404, tgid 6404 (syz-executor), ts 106253141637, free_ts 175241586929
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457
 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 ___kmalloc_large_node+0x84/0x1b0 mm/slub.c:4209
 __kmalloc_large_node_noprof+0x1c/0x70 mm/slub.c:4236
 __do_kmalloc_node mm/slub.c:4252 [inline]
 __kmalloc_node_noprof.cold+0x5/0x5f mm/slub.c:4270
 __kvmalloc_node_noprof+0x6f/0x1a0 mm/util.c:658
 bucket_table_alloc.isra.0+0x86/0x460 lib/rhashtable.c:186
 rhashtable_init_noprof+0x43b/0x7d0 lib/rhashtable.c:1071
 ila_xlat_init_net+0xb5/0x110 net/ipv6/ila/ila_xlat.c:613
 ops_init+0x1df/0x5f0 net/core/net_namespace.c:139
 setup_net+0x21f/0x860 net/core/net_namespace.c:356
 copy_net_ns+0x2b4/0x6b0 net/core/net_namespace.c:494
 create_new_namespaces+0x3ea/0xad0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
 ksys_unshare+0x45d/0xa40 kernel/fork.c:3311
page last free pid 7035 tgid 7035 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638
 __folio_put+0x30d/0x3d0 mm/swap.c:126
 kvfree+0x47/0x50 mm/util.c:701
 rhashtable_free_and_destroy+0x16c/0x990 lib/rhashtable.c:1169
 ila_xlat_exit_net+0x59/0xa0 net/ipv6/ila/ila_xlat.c:635
 ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173
 cleanup_net+0x5b7/0xb40 net/core/net_namespace.c:626
 process_one_work+0x958/0x1b30 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff8880344dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880344dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880344e0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff8880344e0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880344e0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================