[ 15.744966][ T250] ip (250) used greatest stack depth: 24672 bytes left
[ 18.285286][ T281] br0: port 1(veth1) entered blocking state
[ 18.285854][ T281] br0: port 1(veth1) entered disabled state
[ 18.286434][ T281] veth1: entered allmulticast mode
[ 18.290142][ T281] veth1: entered promiscuous mode
[ 18.612400][ T70] br0: port 1(veth1) entered blocking state
[ 18.613046][ T70] br0: port 1(veth1) entered forwarding state
[ 25.869885][ T324] br0: port 1(veth1) entered disabled state
[ 26.004366][ T325] veth1: left allmulticast mode
[ 26.004718][ T325] veth1: left promiscuous mode
[ 26.005236][ T325] br0: port 1(veth1) entered disabled state
[ 26.051153][ T325] ==================================================================
[ 26.051461][ T325] BUG: KASAN: slab-use-after-free in kobject_put+0xbb/0xd0
[ 26.051786][ T325] Read of size 1 at addr ffff88801220a6ac by task ip/325
[ 26.052013][ T325]
[ 26.052119][ T325] CPU: 1 UID: 0 PID: 325 Comm: ip Not tainted 6.18.0-rc4-virtme #1 PREEMPT(full)
[ 26.052127][ T325] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 26.052132][ T325] Call Trace:
[ 26.052134][ T325]
[ 26.052136][ T325] dump_stack_lvl+0x82/0xc0
[ 26.052143][ T325] print_address_description.constprop.0+0x2c/0x3a0
[ 26.052150][ T325] ? kobject_put+0xbb/0xd0
[ 26.052155][ T325] print_report+0xb4/0x270
[ 26.052158][ T325] ? kobject_put+0xbb/0xd0
[ 26.052161][ T325] ? kasan_addr_to_slab+0x21/0x70
[ 26.052164][ T325] ? kobject_put+0xbb/0xd0
[ 26.052167][ T325] kasan_report+0xca/0x100
[ 26.052171][ T325] ? kobject_put+0xbb/0xd0
[ 26.052177][ T325] kobject_put+0xbb/0xd0
[ 26.052180][ T325] netdev_run_todo+0x5f0/0xc60
[ 26.052186][ T325] ? dev_ingress_queue_create+0x190/0x190
[ 26.052189][ T325] ? generic_xdp_install+0x410/0x410
[ 26.052192][ T325] ? kernfs_put.part.0+0x12d/0x480
[ 26.052198][ T325] ? unregister_netdevice_many+0x20/0x20
[ 26.052204][ T325] ? br_dev_delete+0x115/0x1a0 [bridge]
[ 26.052244][ T325] rtnl_dellink+0x350/0xa30
[ 26.052249][ T325] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 26.052268][ T325] ? find_held_lock+0x2b/0x80
[ 26.052274][ T325] ? __lock_acquire+0x449/0x7e0
[ 26.052280][ T325] ? find_held_lock+0x2b/0x80
[ 26.052284][ T325] ? rtnetlink_rcv_msg+0x6e6/0xc00
[ 26.052287][ T325] ? __lock_release+0x5d/0x170
[ 26.052291][ T325] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 26.052294][ T325] rtnetlink_rcv_msg+0x709/0xc00
[ 26.052298][ T325] ? rtnl_port_fill+0x850/0x850
[ 26.052301][ T325] ? __lock_acquire+0x449/0x7e0
[ 26.052308][ T325] netlink_rcv_skb+0x121/0x340
[ 26.052312][ T325] ? rtnl_port_fill+0x850/0x850
[ 26.052315][ T325] ? netlink_ack+0xdd0/0xdd0
[ 26.052322][ T325] ? netlink_deliver_tap+0x13e/0x340
[ 26.052324][ T325] ? netlink_deliver_tap+0xc3/0x340
[ 26.052328][ T325] netlink_unicast+0x4aa/0x780
[ 26.052332][ T325] ? netlink_attachskb+0x810/0x810
[ 26.052336][ T325] ? __lock_acquire+0x449/0x7e0
[ 26.052341][ T325] netlink_sendmsg+0x714/0xbd0
[ 26.052346][ T325] ? netlink_unicast+0x780/0x780
[ 26.052349][ T325] ? __import_iovec+0x230/0x3b0
[ 26.052355][ T325] ? netlink_unicast+0x780/0x780
[ 26.052358][ T325] ____sys_sendmsg+0x3dd/0x890
[ 26.052363][ T325] ? get_timestamp.constprop.0+0x380/0x380
[ 26.052366][ T325] ? __copy_msghdr+0x3c0/0x3c0
[ 26.052373][ T325] ___sys_sendmsg+0xed/0x170
[ 26.052376][ T325] ? kasan_record_aux_stack+0x8c/0xa0
[ 26.052379][ T325] ? __call_rcu_common.constprop.0+0xa8/0x630
[ 26.052385][ T325] ? copy_msghdr_from_user+0x110/0x110
[ 26.052390][ T325] ? find_held_lock+0x2b/0x80
[ 26.052394][ T325] ? __lock_acquire+0x449/0x7e0
[ 26.052400][ T325] ? find_held_lock+0x2b/0x80
[ 26.052403][ T325] ? __virt_addr_valid+0x22a/0x450
[ 26.052407][ T325] ? __lock_release+0x5d/0x170
[ 26.052414][ T325] __sys_sendmsg+0x10b/0x1a0
[ 26.052417][ T325] ? __call_rcu_common.constprop.0+0x318/0x630
[ 26.052420][ T325] ? __sys_sendmsg_sock+0x20/0x20
[ 26.052428][ T325] ? rcu_is_watching+0x12/0xb0
[ 26.052432][ T325] do_syscall_64+0xc1/0xfd0
[ 26.052437][ T325] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 26.052441][ T325] RIP: 0033:0x7f3939dc31d7
[ 26.052447][ T325] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[ 26.052450][ T325] RSP: 002b:00007ffda6998888 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 26.052456][ T325] RAX: ffffffffffffffda RBX: 00007ffda6998fb0 RCX: 00007f3939dc31d7
[ 26.052458][ T325] RDX: 0000000000000000 RSI: 00007ffda69988f0 RDI: 0000000000000005
[ 26.052460][ T325] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[ 26.052462][ T325] R10: 00007f3939cbff60 R11: 0000000000000246 R12: 0000000000000002
[ 26.052463][ T325] R13: 00000000690defe0 R14: 0000000000499600 R15: 0000000000000000
[ 26.052470][ T325]
[ 26.052471][ T325]
[ 26.066579][ T325] Allocated by task 279:
[ 26.066715][ T325] kasan_save_stack+0x24/0x40
[ 26.066904][ T325] kasan_save_track+0x14/0x30
[ 26.067075][ T325] __kasan_kmalloc+0x7b/0x90
[ 26.067246][ T325] __kvmalloc_node_noprof+0x2e5/0x8e0
[ 26.067429][ T325] alloc_netdev_mqs+0x7d/0x1370
[ 26.067603][ T325] rtnl_create_link+0xa9e/0xe20
[ 26.067774][ T325] rtnl_newlink_create+0x203/0x770
[ 26.067947][ T325] __rtnl_newlink+0x231/0xa30
[ 26.068147][ T325] rtnl_newlink+0x693/0xa60
[ 26.068331][ T325] rtnetlink_rcv_msg+0x709/0xc00
[ 26.068502][ T325] netlink_rcv_skb+0x121/0x340
[ 26.068674][ T325] netlink_unicast+0x4aa/0x780
[ 26.068885][ T325] netlink_sendmsg+0x714/0xbd0
[ 26.069059][ T325] ____sys_sendmsg+0x3dd/0x890
[ 26.069237][ T325] ___sys_sendmsg+0xed/0x170
[ 26.069416][ T325] __sys_sendmsg+0x10b/0x1a0
[ 26.069588][ T325] do_syscall_64+0xc1/0xfd0
[ 26.069764][ T325] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 26.070003][ T325]
[ 26.070094][ T325] Freed by task 325:
[ 26.070234][ T325] kasan_save_stack+0x24/0x40
[ 26.070420][ T325] kasan_save_track+0x14/0x30
[ 26.070590][ T325] __kasan_save_free_info+0x3b/0x60
[ 26.070765][ T325] __kasan_slab_free+0x3f/0x60
[ 26.070942][ T325] kfree+0x21d/0x540
[ 26.071076][ T325] device_release+0x9c/0x210
[ 26.071272][ T325] kobject_cleanup+0xfe/0x360
[ 26.071453][ T325] netdev_run_todo+0x81f/0xc60
[ 26.071630][ T325] rtnl_dellink+0x350/0xa30
[ 26.071811][ T325] rtnetlink_rcv_msg+0x709/0xc00
[ 26.071981][ T325] netlink_rcv_skb+0x121/0x340
[ 26.072152][ T325] netlink_unicast+0x4aa/0x780
[ 26.072324][ T325] netlink_sendmsg+0x714/0xbd0
[ 26.072495][ T325] ____sys_sendmsg+0x3dd/0x890
[ 26.072668][ T325] ___sys_sendmsg+0xed/0x170
[ 26.072854][ T325] __sys_sendmsg+0x10b/0x1a0
[ 26.073035][ T325] do_syscall_64+0xc1/0xfd0
[ 26.073209][ T325] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 26.073430][ T325]
[ 26.073527][ T325] Last potentially related work creation:
[ 26.073714][ T325] kasan_save_stack+0x24/0x40
[ 26.073913][ T325] kasan_record_aux_stack+0x8c/0xa0
[ 26.074090][ T325] insert_work+0x34/0x230
[ 26.074229][ T325] __queue_work+0x5fd/0xab0
[ 26.074423][ T325] queue_work_on+0x84/0x90
[ 26.074601][ T325] br_multicast_dev_del+0xeb/0x240 [bridge]
[ 26.074858][ T325] br_dev_uninit+0x19/0x40 [bridge]
[ 26.075057][ T325] unregister_netdevice_many_notify+0xa80/0x1b30
[ 26.075272][ T325] rtnl_dellink+0x344/0xa30
[ 26.075454][ T325] rtnetlink_rcv_msg+0x709/0xc00
[ 26.075639][ T325] netlink_rcv_skb+0x121/0x340
[ 26.075820][ T325] netlink_unicast+0x4aa/0x780
[ 26.075993][ T325] netlink_sendmsg+0x714/0xbd0
[ 26.076167][ T325] ____sys_sendmsg+0x3dd/0x890
[ 26.076346][ T325] ___sys_sendmsg+0xed/0x170
[ 26.076532][ T325] __sys_sendmsg+0x10b/0x1a0
[ 26.076718][ T325] do_syscall_64+0xc1/0xfd0
[ 26.076898][ T325] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 26.077117][ T325]
[ 26.077211][ T325] Second to last potentially related work creation:
[ 26.077448][ T325] kasan_save_stack+0x24/0x40
[ 26.077634][ T325] kasan_record_aux_stack+0x8c/0xa0
[ 26.077814][ T325] insert_work+0x34/0x230
[ 26.077946][ T325] __queue_work+0x5fd/0xab0
[ 26.078120][ T325] queue_work_on+0x84/0x90
[ 26.078315][ T325] br_multicast_del_mdb_entry+0x95d/0xfe0 [bridge]
[ 26.078588][ T325] br_multicast_dev_del+0xeb/0x240 [bridge]
[ 26.078834][ T325] br_dev_uninit+0x19/0x40 [bridge]
[ 26.079031][ T325] unregister_netdevice_many_notify+0xa80/0x1b30
[ 26.079269][ T325] rtnl_dellink+0x344/0xa30
[ 26.079457][ T325] rtnetlink_rcv_msg+0x709/0xc00
[ 26.079629][ T325] netlink_rcv_skb+0x121/0x340
[ 26.079811][ T325] netlink_unicast+0x4aa/0x780
[ 26.079983][ T325] netlink_sendmsg+0x714/0xbd0
[ 26.080160][ T325] ____sys_sendmsg+0x3dd/0x890
[ 26.080335][ T325] ___sys_sendmsg+0xed/0x170
[ 26.080520][ T325] __sys_sendmsg+0x10b/0x1a0
[ 26.080692][ T325] do_syscall_64+0xc1/0xfd0
[ 26.080868][ T325] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 26.081091][ T325]
[ 26.081217][ T325] The buggy address belongs to the object at ffff88801220a000
[ 26.081217][ T325] which belongs to the cache kmalloc-8k of size 8192
[ 26.081651][ T325] The buggy address is located 1708 bytes inside of
[ 26.081651][ T325] freed 8192-byte region [ffff88801220a000, ffff88801220c000)
[ 26.082131][ T325]
[ 26.082225][ T325] The buggy address belongs to the physical page:
[ 26.082465][ T325] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12208
[ 26.082814][ T325] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 26.083080][ T325] flags: 0x80000000000040(head|node=0|zone=1)
[ 26.083310][ T325] page_type: f5(slab)
[ 26.083457][ T325] raw: 0080000000000040 ffff8880010438c0 ffffea00003db410 ffff888001041228
[ 26.083767][ T325] raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
[ 26.084079][ T325] head: 0080000000000040 ffff8880010438c0 ffffea00003db410 ffff888001041228
[ 26.084402][ T325] head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
[ 26.084709][ T325] head: 0080000000000003 ffffea0000488201 00000000ffffffff 00000000ffffffff
[ 26.085016][ T325] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 26.085335][ T325] page dumped because: kasan: bad access detected
[ 26.085570][ T325]
[ 26.085664][ T325] Memory state around the buggy address:
[ 26.085846][ T325] ffff88801220a580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.086117][ T325] ffff88801220a600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.086383][ T325] >ffff88801220a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.086673][ T325] ^
[ 26.086881][ T325] ffff88801220a700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.087161][ T325] ffff88801220a780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.087439][ T325] ==================================================================
[ 26.087907][ T325] Disabling lock debugging due to kernel taint
[ 26.088209][ T325] ------------[ cut here ]------------
[ 26.088384][ T325] refcount_t: underflow; use-after-free.
[ 26.088673][ T325] WARNING: CPU: 1 PID: 325 at lib/refcount.c:28 refcount_warn_saturate+0x16f/0x1b0
[ 26.089019][ T325] Modules linked in: bridge stp llc vrf veth
[ 26.089265][ T325] CPU: 1 UID: 0 PID: 325 Comm: ip Tainted: G B 6.18.0-rc4-virtme #1 PREEMPT(full)
[ 26.089640][ T325] Tainted: [B]=BAD_PAGE
[ 26.089777][ T325] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 26.090015][ T325] RIP: 0010:refcount_warn_saturate+0x16f/0x1b0
[ 26.090271][ T325] Code: 7d 93 02 80 fb 01 0f 87 bb 99 d9 fe 83 e3 01 0f 85 51 ff ff ff c6 05 a8 7d 93 02 01 90 48 c7 c7 60 8d 45 9a e8 32 bf 18 ff 90 <0f> 0b 90 90 e9 33 ff ff ff 48 89 df e8 b0 63 a1 ff e9 ba fe ff ff
[ 26.090907][ T325] RSP: 0018:ffffc900007771f0 EFLAGS: 00010286
[ 26.091223][ T325] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 26.091488][ T325] RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000001
[ 26.091758][ T325] RBP: 0000000000000003 R08: 0000000000000000 R09: fffffbfff35be134
[ 26.092019][ T325] R10: 0000000000000003 R11: ffffc90000776d80 R12: 0000000000000001
[ 26.092282][ T325] R13: dffffc0000000000 R14: dead000000000122 R15: dead000000000100
[ 26.092572][ T325] FS: 00007f3939bf5800(0000) GS:ffff88809a072000(0000) knlGS:0000000000000000
[ 26.092866][ T325] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 26.093098][ T325] CR2: 00000000004e68c8 CR3: 0000000004f04006 CR4: 0000000000772ef0
[ 26.093364][ T325] PKRU: 55555554
[ 26.093507][ T325] Call Trace:
[ 26.093652][ T325]
[ 26.093738][ T325] netdev_run_todo+0x5f0/0xc60
[ 26.093910][ T325] ? dev_ingress_queue_create+0x190/0x190
[ 26.094092][ T325] ? generic_xdp_install+0x410/0x410
[ 26.094272][ T325] ? kernfs_put.part.0+0x12d/0x480
[ 26.094453][ T325] ? unregister_netdevice_many+0x20/0x20
[ 26.094633][ T325] ? br_dev_delete+0x115/0x1a0 [bridge]
[ 26.094848][ T325] rtnl_dellink+0x350/0xa30
[ 26.095024][ T325] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 26.095272][ T325] ? find_held_lock+0x2b/0x80
[ 26.095464][ T325] ? __lock_acquire+0x449/0x7e0
[ 26.095649][ T325] ? find_held_lock+0x2b/0x80
[ 26.095819][ T325] ? rtnetlink_rcv_msg+0x6e6/0xc00
[ 26.095990][ T325] ? __lock_release+0x5d/0x170
[ 26.096174][ T325] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 26.096386][ T325] rtnetlink_rcv_msg+0x709/0xc00
[ 26.096586][ T325] ? rtnl_port_fill+0x850/0x850
[ 26.096788][ T325] ? __lock_acquire+0x449/0x7e0
[ 26.096969][ T325] netlink_rcv_skb+0x121/0x340
[ 26.097188][ T325] ? rtnl_port_fill+0x850/0x850
[ 26.097360][ T325] ? netlink_ack+0xdd0/0xdd0
[ 26.097553][ T325] ? netlink_deliver_tap+0x13e/0x340
[ 26.097716][ T325] ? netlink_deliver_tap+0xc3/0x340
[ 26.097892][ T325] netlink_unicast+0x4aa/0x780
[ 26.098064][ T325] ? netlink_attachskb+0x810/0x810
[ 26.098246][ T325] ? __lock_acquire+0x449/0x7e0
[ 26.098441][ T325] netlink_sendmsg+0x714/0xbd0
[ 26.098611][ T325] ? netlink_unicast+0x780/0x780
[ 26.098773][ T325] ? __import_iovec+0x230/0x3b0
[ 26.098942][ T325] ? netlink_unicast+0x780/0x780
[ 26.099122][ T325] ____sys_sendmsg+0x3dd/0x890
[ 26.099293][ T325] ? get_timestamp.constprop.0+0x380/0x380
[ 26.099519][ T325] ? __copy_msghdr+0x3c0/0x3c0
[ 26.099706][ T325] ___sys_sendmsg+0xed/0x170
[ 26.099871][ T325] ? kasan_record_aux_stack+0x8c/0xa0
[ 26.100047][ T325] ? __call_rcu_common.constprop.0+0xa8/0x630
[ 26.100267][ T325] ? copy_msghdr_from_user+0x110/0x110
[ 26.100447][ T325] ? find_held_lock+0x2b/0x80
[ 26.100613][ T325] ? __lock_acquire+0x449/0x7e0
[ 26.100775][ T325] ? find_held_lock+0x2b/0x80
[ 26.100938][ T325] ? __virt_addr_valid+0x22a/0x450
[ 26.101150][ T325] ? __lock_release+0x5d/0x170
[ 26.101329][ T325] __sys_sendmsg+0x10b/0x1a0
[ 26.101547][ T325] ? __call_rcu_common.constprop.0+0x318/0x630
[ 26.101749][ T325] ? __sys_sendmsg_sock+0x20/0x20
[ 26.101913][ T325] ? rcu_is_watching+0x12/0xb0
[ 26.102115][ T325] do_syscall_64+0xc1/0xfd0
[ 26.102279][ T325] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 26.102499][ T325] RIP: 0033:0x7f3939dc31d7
[ 26.102679][ T325] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[ 26.103276][ T325] RSP: 002b:00007ffda6998888 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 26.103534][ T325] RAX: ffffffffffffffda RBX: 00007ffda6998fb0 RCX: 00007f3939dc31d7
[ 26.103791][ T325] RDX: 0000000000000000 RSI: 00007ffda69988f0 RDI: 0000000000000005
[ 26.104049][ T325] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[ 26.104297][ T325] R10: 00007f3939cbff60 R11: 0000000000000246 R12: 0000000000000002
[ 26.104552][ T325] R13: 00000000690defe0 R14: 0000000000499600 R15: 0000000000000000
[ 26.104816][ T325]
[ 26.104948][ T325] irq event stamp: 53315
[ 26.105083][ T325] hardirqs last enabled at (53315): [] irqentry_exit+0x3b/0x80
[ 26.105372][ T325] hardirqs last disabled at (53314): [] handle_softirqs+0x47f/0x610
[ 26.105665][ T325] softirqs last enabled at (53092): [] handle_softirqs+0x352/0x610
[ 26.105963][ T325] softirqs last disabled at (53085): [] irq_exit_rcu+0xab/0x100
[ 26.106255][ T325] ---[ end trace 0000000000000000 ]---
[ 26.115475][ T325] ip (325) used greatest stack depth: 24528 bytes left