FWIW,
Managed to locally reproduce it twice on 58720809f527 (tag: v6.6-rc6)
Linux 6.6-rc6 + TCP-AO patches on top.
(but can't reproduce it reliably at will)
[dima@Mindolluin linux-tcp-ao]$ ./scripts/faddr2line vmlinux reweight_entity+0x3b0/0x490
reweight_entity+0x3b0/0x490:
__update_min_deadline at kernel/sched/fair.c:805
(inlined by) min_deadline_update at kernel/sched/fair.c:819
(inlined by) min_deadline_cb_propagate at kernel/sched/fair.c:825
(inlined by) reweight_entity at kernel/sched/fair.c:3660
[ 258.450573] TCP: AO key not found for (10.0.1.1, 58651)->(10.0.254.1, 7018) S keyid: 100 L3index: 0
[ 259.482680] ==================================================================
[ 259.483732] BUG: KASAN: slab-use-after-free in reweight_entity+0x3b0/0x490
[ 259.484564] Read of size 8 at addr ffff88800859dcf0 by task unsigned-md5_ip/2535
[ 259.485593] CPU: 0 PID: 2535 Comm: unsigned-md5_ip Not tainted 6.6.0-rc6+ #7
[ 259.486393] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Arch Linux 1.16.2-2-2 04/01/2014
[ 259.487445] Call Trace:
[ 259.487783] <TASK>
[ 259.488057] dump_stack_lvl+0x46/0x70
[ 259.488578] print_report+0xc5/0x610
[ 259.489099] ? lock_acquire+0x162/0x3d0
[ 259.489641] ? __virt_addr_valid+0xbe/0x130
[ 259.490211] kasan_report+0xbe/0xf0
[ 259.490902] ? reweight_entity+0x3b0/0x490
[ 259.491683] ? reweight_entity+0x3b0/0x490
[ 259.492475] reweight_entity+0x3b0/0x490
[ 259.493319] enqueue_task_fair+0x944/0xc90
[ 259.494146] activate_task+0x95/0x1b0
[ 259.494932] ttwu_do_activate+0x91/0x3c0
[ 259.495645] try_to_wake_up+0x423/0xd60
[ 259.496425] ? sched_ttwu_pending+0x260/0x260
[ 259.497543] ? _raw_spin_unlock+0x29/0x40
[ 259.498301] wake_up_q+0x6f/0xf0
[ 259.498889] __mutex_unlock_slowpath+0x19b/0x3e0
[ 259.500191] ? bit_wait_io_timeout+0xc0/0xc0
[ 259.501691] ? reacquire_held_locks+0x280/0x280
[ 259.502634] ? rcu_is_watching+0x34/0x50
[ 259.503485] __rtnl_unlock+0x3f/0x80
[ 259.504089] netdev_run_todo+0x1b7/0x840
[ 259.504721] ? generic_xdp_install+0x2a0/0x2a0
[ 259.505394] ? __kmem_cache_free+0x192/0x2b0
[ 259.506021] ? rtnl_newlink+0x59/0x70
[ 259.506562] rtnetlink_rcv_msg+0x200/0x650
[ 259.507088] ? rtnl_getlink+0x590/0x590
[ 259.507600] ? lockdep_hardirqs_on_prepare+0x220/0x220
[ 259.508247] ? find_held_lock+0x8a/0xa0
[ 259.508750] ? local_clock_noinstr+0x9/0xb0
[ 259.509254] netlink_rcv_skb+0xdd/0x210
[ 259.509751] ? rtnl_getlink+0x590/0x590
[ 259.510214] ? netlink_ack+0x840/0x840
[ 259.511082] ? lock_sync+0x100/0x100
[ 259.511775] ? __rcu_read_unlock+0x6b/0x2a0
[ 259.512822] ? netlink_deliver_tap+0xfe/0x620
[ 259.513527] netlink_unicast+0x2f3/0x480
[ 259.514105] ? netlink_attachskb+0x440/0x440
[ 259.514642] netlink_sendmsg+0x3c0/0x6e0
[ 259.515108] ? netlink_unicast+0x480/0x480
[ 259.515572] ? netlink_unicast+0x480/0x480
[ 259.516030] __sock_sendmsg+0x73/0xc0
[ 259.516425] __sys_sendto+0x18b/0x210
[ 259.516878] ? __ia32_sys_getpeername+0x50/0x50
[ 259.517435] ? mark_held_locks+0x1a/0x80
[ 259.517949] __x64_sys_sendto+0x72/0x80
[ 259.518457] do_syscall_64+0x35/0x80
[ 259.518945] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 259.519626] RIP: 0033:0x7f62cf55f9ec
[ 259.520117] Code: 89 4c 24 1c e8 a5 63 f7 ff 44 8b 54 24 1c 8b 3c 24 45 31 c9 89 c5 48 8b 54 24 10 48 8b 74 24 08 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 04 24 e8 f1 63 f7 ff 48 8b 04
[ 259.522762] RSP: 002b:00007ffddd3c4c90 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 259.523854] RAX: ffffffffffffffda RBX: 00007ffddd3c4cd0 RCX: 00007f62cf55f9ec
[ 259.524768] RDX: 0000000000000044 RSI: 00007ffddd3c4cd0 RDI: 0000000000000006
[ 259.525679] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 259.526585] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000038
[ 259.528558] R13: 0000000000000006 R14: 00007ffddd3c4cfc R15: 00007ffddd3c4d08
[ 259.529452] </TASK>
[ 259.529950] Allocated by task 31:
[ 259.530390] kasan_save_stack+0x21/0x40
[ 259.530904] kasan_set_track+0x21/0x30
[ 259.531399] __kasan_slab_alloc+0x62/0x70
[ 259.531946] kmem_cache_alloc_node+0x187/0x370
[ 259.532551] copy_process+0x2c4/0x3460
[ 259.533080] kernel_clone+0xf6/0x570
[ 259.533553] user_mode_thread+0xab/0xe0
[ 259.534067] call_usermodehelper_exec_work+0x78/0xb0
[ 259.534713] process_one_work+0x439/0x8d0
[ 259.535240] worker_thread+0x393/0x680
[ 259.535733] kthread+0x1ad/0x1f0
[ 259.536192] ret_from_fork+0x2d/0x50
[ 259.536682] ret_from_fork_asm+0x11/0x20
[ 259.537439] Freed by task 21:
[ 259.537837] kasan_save_stack+0x21/0x40
[ 259.538350] kasan_set_track+0x21/0x30
[ 259.538864] kasan_save_free_info+0x27/0x40
[ 259.539427] __kasan_slab_free+0x106/0x180
[ 259.539932] kmem_cache_free+0x1d4/0x460
[ 259.540437] delayed_put_task_struct+0x131/0x170
[ 259.541068] rcu_core+0x63d/0x1470
[ 259.541494] __do_softirq+0x10f/0x51b
[ 259.542145] Last potentially related work creation:
[ 259.542746] kasan_save_stack+0x21/0x40
[ 259.544124] __kasan_record_aux_stack+0x94/0xa0
[ 259.545804] __call_rcu_common.constprop.0+0x47/0x620
[ 259.546507] __schedule+0x74c/0x1490
[ 259.547010] schedule+0x81/0xe0
[ 259.547458] schedule_timeout+0x138/0x2a0
[ 259.548006] rcu_gp_fqs_loop+0x1c0/0x990
[ 259.548522] rcu_gp_kthread+0x307/0x3a0
[ 259.549032] kthread+0x1ad/0x1f0
[ 259.549471] ret_from_fork+0x2d/0x50
[ 259.549965] ret_from_fork_asm+0x11/0x20
[ 259.550727] Second to last potentially related work creation:
[ 259.551493] kasan_save_stack+0x21/0x40
[ 259.552017] __kasan_record_aux_stack+0x94/0xa0
[ 259.552609] __call_rcu_common.constprop.0+0x47/0x620
[ 259.553263] wait_consider_task+0xad9/0x1a50
[ 259.553868] do_wait+0x3b7/0x530
[ 259.554351] kernel_wait4+0xf0/0x1c0
[ 259.554841] __do_sys_wait4+0xf5/0x100
[ 259.555417] do_syscall_64+0x35/0x80
[ 259.555978] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 259.556927] The buggy address belongs to the object at ffff88800859dc40
which belongs to the cache task_struct of size 7616
[ 259.558500] The buggy address is located 176 bytes inside of
freed 7616-byte region [ffff88800859dc40, ffff88800859fa00)
[ 259.560279] The buggy address belongs to the physical page:
[ 259.561018] page:ffffea0000216600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8598
[ 259.562223] head:ffffea0000216600 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 259.563253] memcg:ffff8880061adcc1
[ 259.563701] flags: 0x100000000000840(slab|head|node=0|zone=1)
[ 259.564489] page_type: 0xffffffff()
[ 259.564968] raw: 0100000000000840 ffff888001270500 ffffea0000132000 dead000000000002
[ 259.565986] raw: 0000000000000000 0000000080040004 00000001ffffffff ffff8880061adcc1
[ 259.566960] page dumped because: kasan: bad access detected
[ 259.567919] Memory state around the buggy address:
[ 259.568556] ffff88800859db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 259.569494] ffff88800859dc00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 259.570401] >ffff88800859dc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 259.571290] ^
[ 259.572200] ffff88800859dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 259.573044] ffff88800859dd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 259.574019] ==================================================================
[ 259.575110] Disabling lock debugging due to kernel taint
And the second hit:
[ 36.796236] TCP: AO key not found for (10.0.1.1, 35779)->(10.0.254.1, 7018) S keyid: 100 L3index: 0
[ 37.869018] ==================================================================
[ 37.870095] BUG: KASAN: slab-use-after-free in reweight_entity+0x3b0/0x490
[ 37.870728] Read of size 8 at addr ffff88800fd51f70 by task unsigned-md5_ip/1488
[ 37.871569] CPU: 1 PID: 1488 Comm: unsigned-md5_ip Not tainted 6.6.0-rc6+ #10
[ 37.872272] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Arch Linux 1.16.2-2-2 04/01/2014
[ 37.873054] Call Trace:
[ 37.873275] <IRQ>
[ 37.873455] dump_stack_lvl+0x46/0x70
[ 37.873780] print_report+0xc5/0x610
[ 37.874147] ? __virt_addr_valid+0xbe/0x130
[ 37.874544] kasan_report+0xbe/0xf0
[ 37.874870] ? reweight_entity+0x3b0/0x490
[ 37.875240] ? reweight_entity+0x3b0/0x490
[ 37.875588] reweight_entity+0x3b0/0x490
[ 37.875923] task_tick_fair+0x8e/0x3e0
[ 37.876257] ? lock_is_held_type+0xbf/0x110
[ 37.876621] scheduler_tick+0xef/0x210
[ 37.876944] update_process_times+0xb9/0xd0
[ 37.877314] tick_sched_handle+0x37/0x90
[ 37.877660] tick_sched_timer+0x84/0xa0
[ 37.877989] ? tick_sched_do_timer+0x100/0x100
[ 37.878437] __hrtimer_run_queues+0x35e/0x600
[ 37.878828] ? enqueue_hrtimer+0x140/0x140
[ 37.879254] ? kvm_clock_get_cycles+0x14/0x30
[ 37.879652] ? ktime_get_update_offsets_now+0xd9/0x1d0
[ 37.880146] hrtimer_interrupt+0x1b4/0x360
[ 37.880506] __sysvec_apic_timer_interrupt+0xb7/0x280
[ 37.880941] sysvec_apic_timer_interrupt+0x85/0xb0
[ 37.881379] </IRQ>
[ 37.881565] <TASK>
[ 37.881751] asm_sysvec_apic_timer_interrupt+0x16/0x20
[ 37.882204] RIP: 0010:insert_header+0x3cf/0x8a0
[ 37.882600] Code: 8b 7c 24 20 e8 32 17 ec ff 49 c7 47 38 00 00 00 00 48 89 df e8 12 fa ff ff 48 83 c4 60 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 <48> 8d 6b 10 e9 f4 fd ff ff 31 db 4c 89 ef e8 fe 16 ec ff 49 89 5d
[ 37.884196] RSP: 0018:ffffc9000114f240 EFLAGS: 00000286
[ 37.884656] RAX: 00000000ffffffff RBX: ffff88800fd72590 RCX: ffffffff8e5cb5f1
[ 37.885266] RDX: 1ffffffff1db04b4 RSI: 0000000000000008 RDI: ffffffff8ed825a1
[ 37.885857] RBP: 000000000000000d R08: 0000000000000000 R09: fffffbfff1db04b4
[ 37.886475] R10: ffffffff8ed825a7 R11: 0000000000000001 R12: 0000000000000013
[ 37.887087] R13: ffff88800fd72690 R14: ffffffff8ed827a0 R15: ffffffff8ed825a0
[ 37.887681] ? memcmp+0x41/0xa0
[ 37.887972] __register_sysctl_table+0x57d/0xac0
[ 37.888378] ? proc_sys_evict_inode+0xa0/0xa0
[ 37.888751] ? rcu_is_watching+0x34/0x50
[ 37.889134] ? register_net_sysctl_sz+0xef/0x200
[ 37.889531] __addrconf_sysctl_register+0x16f/0x270
[ 37.889954] ? inet6_netconf_notify_devconf+0x100/0x100
[ 37.890408] ? lockdep_init_map_type+0xe8/0x390
[ 37.890798] addrconf_sysctl_register+0xa5/0xd0
[ 37.891213] ipv6_add_dev+0x4d5/0x890
[ 37.891537] addrconf_notify+0x21a/0xad0
[ 37.891876] ? cfg80211_netdev_notifier_call+0x31/0x750
[ 37.892336] ? lockdep_rtnl_is_held+0x16/0x20
[ 37.892732] notifier_call_chain+0x56/0x180
[ 37.893130] register_netdevice+0x83d/0x960
[ 37.893487] ? unregister_netdevice_queue+0x1e0/0x1e0
[ 37.893911] ? alloc_netdev_mqs+0x78a/0x800
[ 37.894318] vrf_newlink+0x8b/0x4f0
[ 37.894654] __rtnl_newlink+0x7ea/0xc90
[ 37.895011] ? rtnl_setlink+0x250/0x250
[ 37.895351] ? reacquire_held_locks+0x280/0x280
[ 37.895753] ? kasan_unpoison+0x40/0x60
[ 37.896112] ? rtnl_newlink+0x36/0x70
[ 37.896439] rtnl_newlink+0x4f/0x70
[ 37.896749] rtnetlink_rcv_msg+0x1f8/0x650
[ 37.897263] ? rtnl_getlink+0x590/0x590
[ 37.897616] ? lockdep_hardirqs_on_prepare+0x220/0x220
[ 37.898089] ? find_held_lock+0x8a/0xa0
[ 37.898462] ? local_clock_noinstr+0x9/0xb0
[ 37.898896] netlink_rcv_skb+0xdd/0x210
[ 37.899709] ? rtnl_getlink+0x590/0x590
[ 37.900112] ? netlink_ack+0x840/0x840
[ 37.900468] ? lock_sync+0x100/0x100
[ 37.900784] ? __rcu_read_unlock+0x6b/0x2a0
[ 37.901198] ? netlink_deliver_tap+0xfe/0x620
[ 37.901583] netlink_unicast+0x2f3/0x480
[ 37.901926] ? netlink_attachskb+0x440/0x440
[ 37.902318] netlink_sendmsg+0x3c0/0x6e0
[ 37.902662] ? netlink_unicast+0x480/0x480
[ 37.903037] ? netlink_unicast+0x480/0x480
[ 37.903396] __sock_sendmsg+0x73/0xc0
[ 37.903725] __sys_sendto+0x18b/0x210
[ 37.904084] ? __ia32_sys_getpeername+0x50/0x50
[ 37.904521] ? mark_held_locks+0x1a/0x80
[ 37.904892] __x64_sys_sendto+0x72/0x80
[ 37.905257] do_syscall_64+0x35/0x80
[ 37.905584] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 37.906053] RIP: 0033:0x7fb3d69e69ec
[ 37.906379] Code: 89 4c 24 1c e8 a5 63 f7 ff 44 8b 54 24 1c 8b 3c
24 45 31 c9 89 c5 48 8b 54 24 10 48 8b 74 24 08 45 31 c0 b8 2c 00 00
00 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 04 24 e8 f1 63 f7 ff 48
8b 04
[ 37.907987] RSP: 002b:00007fff52147f60 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 37.908695] RAX: ffffffffffffffda RBX: 00007fff52147fa0 RCX: 00007fb3d69e69ec
[ 37.909335] RDX: 0000000000000044 RSI: 00007fff52147fa0 RDI: 0000000000000006
[ 37.909978] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 37.910597] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000038
[ 37.911224] R13: 0000000000000006 R14: 00007fff52147fcc R15: 00007fff52147fd8
[ 37.911894] </TASK>
[ 37.912609] Allocated by task 817:
[ 37.913277] kasan_save_stack+0x21/0x40
[ 37.913712] kasan_set_track+0x21/0x30
[ 37.914070] __kasan_slab_alloc+0x62/0x70
[ 37.914436] kmem_cache_alloc_node+0x187/0x370
[ 37.914835] copy_process+0x2c4/0x3460
[ 37.915187] kernel_clone+0xf6/0x570
[ 37.915502] user_mode_thread+0xab/0xe0
[ 37.915837] call_usermodehelper_exec_work+0x78/0xb0
[ 37.916288] process_one_work+0x439/0x8d0
[ 37.916652] worker_thread+0x393/0x680
[ 37.917001] kthread+0x1ad/0x1f0
[ 37.917343] ret_from_fork+0x2d/0x50
[ 37.917673] ret_from_fork_asm+0x11/0x20
[ 37.918208] Freed by task 0:
[ 37.918471] kasan_save_stack+0x21/0x40
[ 37.918833] kasan_set_track+0x21/0x30
[ 37.919192] kasan_save_free_info+0x27/0x40
[ 37.919576] __kasan_slab_free+0x106/0x180
[ 37.919967] kmem_cache_free+0x1d4/0x460
[ 37.920337] delayed_put_task_struct+0x131/0x170
[ 37.920762] rcu_core+0x63d/0x1470
[ 37.921113] __do_softirq+0x10f/0x51b
[ 37.921613] Last potentially related work creation:
[ 37.922097] kasan_save_stack+0x21/0x40
[ 37.922460] __kasan_record_aux_stack+0x94/0xa0
[ 37.922875] __call_rcu_common.constprop.0+0x47/0x620
[ 37.923353] __schedule+0x74c/0x1490
[ 37.923685] schedule+0x81/0xe0
[ 37.923989] schedule_timeout+0x138/0x2a0
[ 37.924365] rcu_gp_fqs_loop+0x1c0/0x990
[ 37.924737] rcu_gp_kthread+0x307/0x3a0
[ 37.925112] kthread+0x1ad/0x1f0
[ 37.925416] ret_from_fork+0x2d/0x50
[ 37.925753] ret_from_fork_asm+0x11/0x20
[ 37.926280] The buggy address belongs to the object at ffff88800fd51ec0
which belongs to the cache task_struct of size 7616
[ 37.927547] The buggy address is located 176 bytes inside of
freed 7616-byte region [ffff88800fd51ec0, ffff88800fd53c80)
[ 37.928923] The buggy address belongs to the physical page:
[ 37.929463] page:ffffea00003f5400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfd50
[ 37.930370] head:ffffea00003f5400 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 37.931313] memcg:ffff888006cc0f41
[ 37.931735] flags: 0x100000000000840(slab|head|node=0|zone=1)
[ 37.932434] page_type: 0xffffffff()
[ 37.932787] raw: 0100000000000840 ffff888001270500 dead000000000122 0000000000000000
[ 37.933502] raw: 0000000000000000 0000000080040004 00000001ffffffff ffff888006cc0f41
[ 37.934220] page dumped because: kasan: bad access detected
[ 37.934911] Memory state around the buggy address:
[ 37.935377] ffff88800fd51e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.936063] ffff88800fd51e80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 37.936729] >ffff88800fd51f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.937445] ^
[ 37.938101] ffff88800fd51f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.938817] ffff88800fd52000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.939655] ==================================================================
[ 37.940196] Disabling lock debugging due to kernel taint
--
Dmitry
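Added example, not part of Dmitry's mail or the kernel tree: a small Python parser for the KASAN report format quoted above that pulls out the fields one reads first when triaging (bug class, faulting function, access kind and size, slab cache, reliable frames of the call/alloc/free stacks) and cross-checks the stated "176 bytes inside" offset against the two addresses. SAMPLE is a constructed excerpt of the first report, with the mail's line wrapping undone.

```python
import re

# Constructed excerpt of the first KASAN report in the mail (one printk per line).
SAMPLE = """\
[  259.483732] BUG: KASAN: slab-use-after-free in reweight_entity+0x3b0/0x490
[  259.484564] Read of size 8 at addr ffff88800859dcf0 by task unsigned-md5_ip/2535
[  259.487445] Call Trace:
[  259.487783]  <TASK>
[  259.488057]  dump_stack_lvl+0x46/0x70
[  259.489099]  ? lock_acquire+0x162/0x3d0
[  259.492475]  reweight_entity+0x3b0/0x490
[  259.493319]  enqueue_task_fair+0x944/0xc90
[  259.529950] Allocated by task 31:
[  259.532551]  copy_process+0x2c4/0x3460
[  259.537439] Freed by task 21:
[  259.540437]  delayed_put_task_struct+0x131/0x170
[  259.541068]  rcu_core+0x63d/0x1470
[  259.556927] The buggy address belongs to the object at ffff88800859dc40
 which belongs to the cache task_struct of size 7616
[  259.558500] The buggy address is located 176 bytes inside of
 freed 7616-byte region [ffff88800859dc40, ffff88800859fa00)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # dmesg timestamp prefix
FRAME = re.compile(r"^(\w[\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # reliable frames; '? ' ones skipped

def parse_kasan_report(text):
    """Pull the triage-relevant fields out of one KASAN report."""
    rep = {"stacks": {}}
    section = None
    for raw in text.splitlines():
        ln = TS.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\w+)\+0x", ln):
            rep["bug"], rep["func"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", ln):
            rep["access"], rep["size"] = m.group(1).lower(), int(m.group(2))
            rep["addr"], rep["task"] = int(m.group(3), 16), m.group(4)
        elif m := re.match(r"(Call Trace|Allocated by task \d+|Freed by task \d+):", ln):
            section = m.group(1).split()[0].lower()  # "call", "allocated" or "freed"
            rep["stacks"][section] = []
        elif section and (m := FRAME.match(ln)):
            rep["stacks"][section].append(m.group(1))
        elif m := re.search(r"object at ([0-9a-f]+)", ln):
            rep["object"] = int(m.group(1), 16)
        elif m := re.search(r"cache (\S+) of size (\d+)", ln):
            rep["cache"], rep["objsize"] = m.group(1), int(m.group(2))
        elif m := re.search(r"located (\d+) bytes inside", ln):
            rep["offset"] = int(m.group(1))
    # Cross-check: the stated offset must equal access address minus object base.
    if all(k in rep for k in ("addr", "object", "offset")):
        rep["offset_ok"] = rep["addr"] - rep["object"] == rep["offset"]
    return rep

if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE)
    print(f'{r["bug"]} in {r["func"]}: {r["access"]} of {r["size"]} bytes, '
          f'{r["offset"]} bytes into a freed {r["cache"]} (offset check: {r["offset_ok"]})')
    print("freed via:", " <- ".join(r["stacks"]["freed"]))
```

Feed it a full dmesg capture and the "allocated"/"freed" stacks show at a glance that the object is a task_struct released through delayed_put_task_struct while the scheduler still reaches it.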