==================================================================
BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline]
BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline]
BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672
Read of size 4 at addr ffff888064a18008 by task kworker/u8:0/11

CPU: 1 UID: 0 PID: 11 Comm: kworker/u8:0 Not tainted 6.13.0-rc2-syzkaller-00040-g6e8ba494d87d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: netns cleanup_net
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 rht_key_hashfn include/linux/rhashtable.h:159 [inline]
 __rhashtable_lookup include/linux/rhashtable.h:604 [inline]
 rhashtable_lookup include/linux/rhashtable.h:646 [inline]
 rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672
 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline]
 ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]
 ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:185
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
 nf_hook include/linux/netfilter.h:269 [inline]
 NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312
 __netif_receive_skb_one_core net/core/dev.c:5672 [inline]
 __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5785
 process_backlog+0x662/0x15b0 net/core/dev.c:6117
 __napi_poll+0xcb/0x490 net/core/dev.c:6883
 napi_poll net/core/dev.c:6952 [inline]
 net_rx_action+0x89b/0x1240 net/core/dev.c:7074
 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:655
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:671
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:console_flush_all+0x996/0xeb0
Code: 48 21 c3 0f 85 16 02 00 00 e8 d6 ad 20 00 4c 8b 7c 24 10 4d 85 f6 75 07 e8 c7 ad 20 00 eb 06 e8 c0 ad 20 00 fb 48 8b 5c 24 18 <48> 8b 44 24 30 42 80 3c 28 00 74 08 48 89 df e8 e6 1a 87 00 4c 8b
RSP: 0018:ffffc90000107340 EFLAGS: 00000293
RAX: ffffffff817eb080 RBX: ffffffff8f173d98 RCX: ffff88801cac3c00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900001074f0 R08: ffffffff817eb057 R09: 1ffffffff2854310
R10: dffffc0000000000 R11: fffffbfff2854311 R12: ffffffff8f173d40
R13: dffffc0000000000 R14: 0000000000000200 R15: ffffc90000107540
 __console_flush_and_unlock kernel/printk/printk.c:3269 [inline]
 console_unlock+0x14f/0x3b0 kernel/printk/printk.c:3309
 vprintk_emit+0x730/0xa10 kernel/printk/printk.c:2432
 _printk+0xd5/0x120 kernel/printk/printk.c:2457
 batadv_hardif_deactivate_interface net/batman-adv/hard-interface.c:696 [inline]
 batadv_hardif_disable_interface+0x1ac/0x10e0 net/batman-adv/hard-interface.c:828
 batadv_softif_destroy_netlink+0x9c/0x270 net/batman-adv/soft-interface.c:1107
 default_device_exit_batch+0x966/0xaa0 net/core/dev.c:12068
 ops_exit_list net/core/net_namespace.c:177 [inline]
 cleanup_net+0x89d/0xcc0 net/core/net_namespace.c:632
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64a18
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f0(buddy)
raw: 00fff00000000000 ffffea0000c87408 ffffea000189de08 0000000000000000
raw: 0000000000000000 0000000000000003 00000000f0000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5837, tgid 5837 (syz-executor), ts 59814140395, free_ts 91064223450
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1556
 prep_new_page mm/page_alloc.c:1564 [inline]
 get_page_from_freelist+0x365c/0x37a0 mm/page_alloc.c:3474
 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4751
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4228
 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4255
 __do_kmalloc_node mm/slub.c:4271 [inline]
 __kmalloc_node_noprof+0x33a/0x4d0 mm/slub.c:4289
 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650
 bucket_table_alloc lib/rhashtable.c:186 [inline]
 rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071
 ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:608
 ops_init+0x31e/0x590 net/core/net_namespace.c:138
 setup_net+0x287/0x9e0 net/core/net_namespace.c:362
 copy_net_ns+0x33f/0x570 net/core/net_namespace.c:500
 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228
 ksys_unshare+0x57d/0xa70 kernel/fork.c:3334
 __do_sys_unshare kernel/fork.c:3405 [inline]
 __se_sys_unshare kernel/fork.c:3403 [inline]
 __x64_sys_unshare+0x38/0x40 kernel/fork.c:3403
page last free pid 11 tgid 11 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_page+0xd3f/0x1010 mm/page_alloc.c:2657
 __folio_put+0x2b3/0x360 mm/swap.c:112
 folio_put include/linux/mm.h:1488 [inline]
 free_large_kmalloc+0xfe/0x180 mm/slub.c:4717
 kfree+0x212/0x430 mm/slub.c:4740
 rhashtable_free_and_destroy+0x7c6/0x920 lib/rhashtable.c:1169
 ila_xlat_exit_net+0x4f/0xa0 net/ipv6/ila/ila_xlat.c:630
 ops_exit_list net/core/net_namespace.c:172 [inline]
 cleanup_net+0x802/0xcc0 net/core/net_namespace.c:632
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff888064a17f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888064a17f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888064a18000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff888064a18080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888064a18100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
----------------
Code disassembly (best guess):
   0:	48 21 c3             	and    %rax,%rbx
   3:	0f 85 16 02 00 00    	jne    0x21f
   9:	e8 d6 ad 20 00       	call   0x20ade4
   e:	4c 8b 7c 24 10       	mov    0x10(%rsp),%r15
  13:	4d 85 f6             	test   %r14,%r14
  16:	75 07                	jne    0x1f
  18:	e8 c7 ad 20 00       	call   0x20ade4
  1d:	eb 06                	jmp    0x25
  1f:	e8 c0 ad 20 00       	call   0x20ade4
  24:	fb                   	sti
  25:	48 8b 5c 24 18       	mov    0x18(%rsp),%rbx
* 2a:	48 8b 44 24 30       	mov    0x30(%rsp),%rax <-- trapping instruction
  2f:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1)
  34:	74 08                	je     0x3e
  36:	48 89 df             	mov    %rbx,%rdi
  39:	e8 e6 1a 87 00       	call   0x871b24
  3e:	4c                   	rex.WR
  3f:	8b                   	.byte 0x8b