KASAN did not properly detect this bug:
and it caused silent memory corruption and an explosion of assorted bugs reported by syzbot.
The crux is that the double-free happens via kzfree. kzfree calls ksize to get the object size for a memset before calling kfree. ksize _unpoisons_ the whole object (which was already free). Finally we call kfree, which checks the first shadow byte and decides that the object is good.
Probably need an additional KASAN check in ksize.
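To make the mechanism concrete, here is a constructed model of the shadow-byte bookkeeping described above (added here, not kernel code): one shadow byte per object, a `ksize` that unpoisons as a side effect, and a `kfree` that only consults that byte; the `ksize_checks_shadow` knob stands in for the suggested extra check and is an assumption, not the actual kernel patch.

```c
/* Toy model of KASAN shadow bookkeeping for the kzfree double-free.
 * Constructed for illustration; model_* names are hypothetical. */
#include <stdbool.h>
#include <string.h>

#define OBJ_SIZE 32
/* One shadow byte per object is enough to model "kfree checks the
 * first shadow byte": 0x00 = accessible, 0xFB = freed. */
enum { SHADOW_OK = 0x00, SHADOW_FREE = 0xFB };

static unsigned char object[OBJ_SIZE];
static unsigned char shadow = SHADOW_FREE;  /* object starts out free */
static int reports;                         /* KASAN reports produced */
/* Assumption: the fix the report suggests, a shadow check in ksize. */
static bool ksize_checks_shadow;

static void *model_kmalloc(void) { shadow = SHADOW_OK; return object; }

/* ksize(): returns usable size but unpoisons the whole object,
 * even if the object was already freed. */
static size_t model_ksize(const void *p) {
    (void)p;
    if (ksize_checks_shadow && shadow == SHADOW_FREE)
        reports++;          /* would be a use-after-free report */
    shadow = SHADOW_OK;     /* unpoison: the freed state is lost here */
    return OBJ_SIZE;
}

/* kfree(): only looks at the first shadow byte for double-free. */
static void model_kfree(void *p) {
    (void)p;
    if (shadow == SHADOW_FREE)
        reports++;          /* double-free report */
    shadow = SHADOW_FREE;
}

/* kzfree(): memset(p, 0, ksize(p)) followed by kfree(p). */
static void model_kzfree(void *p) {
    memset(p, 0, model_ksize(p));
    model_kfree(p);
}

/* Free the same object twice via kzfree; return the report count.
 * Without the ksize check the second free is silently missed. */
int double_kzfree_reports(bool with_ksize_check) {
    ksize_checks_shadow = with_ksize_check;
    reports = 0;
    void *p = model_kmalloc();
    model_kzfree(p);
    model_kzfree(p);        /* second free: should be reported */
    return reports;
}
```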