==================================================================
BUG: KASAN: use-after-free in xfrm6_tunnel_free_spi net/ipv6/xfrm6_tunnel.c:205 [inline]
BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x57c/0x630 net/ipv6/xfrm6_tunnel.c:300
Read of size 8 at addr ffff8801ba9507f8 by task kworker/0:1/23

CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 4.9.124+ #32
Workqueue: events xfrm_state_gc_task
 ffff8801d9fdfaa8 ffffffff81af4529 ffffea0006ea5400 ffff8801ba9507f8
 0000000000000000 ffff8801ba9507f8 ffff8801da4ddc04 ffff8801d9fdfae0
 ffffffff814f31c5 ffff8801ba9507f8 0000000000000008 0000000000000000
Call Trace:
 [<ffffffff81af4529>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81af4529>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff814f31c5>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
 [<ffffffff814f35cf>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<ffffffff814f35cf>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
 [<ffffffff814e5ca4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 [<ffffffff826ed58c>] xfrm6_tunnel_free_spi net/ipv6/xfrm6_tunnel.c:205 [inline]
 [<ffffffff826ed58c>] xfrm6_tunnel_destroy+0x57c/0x630 net/ipv6/xfrm6_tunnel.c:300
 [<ffffffff825c254d>] xfrm_state_gc_destroy net/xfrm/xfrm_state.c:368 [inline]
 [<ffffffff825c254d>] xfrm_state_gc_task+0x3ad/0x510 net/xfrm/xfrm_state.c:388
 [<ffffffff8112fcf1>] process_one_work+0x791/0x1470 kernel/workqueue.c:2092
 [<ffffffff81130aa6>] worker_thread+0xd6/0x10a0 kernel/workqueue.c:2226
 [<ffffffff811410dd>] kthread+0x26d/0x300 kernel/kthread.c:211
 [<ffffffff8278bc1c>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373

Allocated by task 2302:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:609
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:594
 __kmalloc+0x11d/0x300 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 ops_init+0xef/0x3a0 net/core/net_namespace.c:101
 setup_net+0x1b9/0x3f0 net/core/net_namespace.c:291
 copy_net_ns+0x189/0x290 net/core/net_namespace.c:408
 create_new_namespaces+0x501/0x760 kernel/nsproxy.c:106
 unshare_nsproxy_namespaces+0xa5/0x1d0 kernel/nsproxy.c:205
 SYSC_unshare kernel/fork.c:2254 [inline]
 SyS_unshare+0x319/0x710 kernel/fork.c:2204
 do_syscall_64+0x19f/0x480 arch/x86/entry/common.c:282
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 2983:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xfb/0x310 mm/slub.c:3878
 ops_free net/core/net_namespace.c:126 [inline]
 ops_free_list.part.3+0x1ff/0x330 net/core/net_namespace.c:148
 ops_free_list net/core/net_namespace.c:146 [inline]
 cleanup_net+0x3bf/0x630 net/core/net_namespace.c:477
 process_one_work+0x791/0x1470 kernel/workqueue.c:2092
 worker_thread+0xd6/0x10a0 kernel/workqueue.c:2226
 kthread+0x26d/0x300 kernel/kthread.c:211
 ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373

The buggy address belongs to the object at ffff8801ba950000
 which belongs to the cache kmalloc-8192 of size 8192
The buggy address is located 2040 bytes inside of
 8192-byte region [ffff8801ba950000, ffff8801ba952000)
The buggy address belongs to the page:
page:ffffea0006ea5400 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x4000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801ba950680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801ba950700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801ba950780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8801ba950800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801ba950880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================