[ 17.166812][ T251] ip (251) used greatest stack depth: 24688 bytes left
[ 18.287714][ T272] ip (272) used greatest stack depth: 24464 bytes left
[ 24.184680][ T324] gre: GRE over IPv4 demultiplexer driver
[ 24.293643][ T324] ip6_gre: GRE over IPv6 tunneling driver
[ 24.551276][ T12] ip6_tunnel: g1 xmit: Local address not yet configured!
[ 24.773801][ T12] ip6_tunnel: g1 xmit: Local address not yet configured!
[ 26.720912][ T345] 8021q: 802.1Q VLAN Support v1.8
[ 31.453465][ T383] GACT probability NOT on
[ 33.247904][ T12] ip6_tunnel: g2 xmit: Local address not yet configured!
[ 33.379592][ T12] ip6_tunnel: g2 xmit: Local address not yet configured!
[ 219.860291][ T573] ==================================================================
[ 219.860767][ T573] BUG: KASAN: slab-use-after-free in kobject_put+0xbb/0xd0
[ 219.861240][ T573] Read of size 1 at addr ffff88800b65c6ac by task ip/573
[ 219.861575][ T573]
[ 219.861728][ T573] CPU: 0 UID: 0 PID: 573 Comm: ip Not tainted 6.18.0-rc4-virtme #1 PREEMPT(full)
[ 219.861738][ T573] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 219.861743][ T573] Call Trace:
[ 219.861751][ T573]
[ 219.861755][ T573] dump_stack_lvl+0x82/0xc0
[ 219.861769][ T573] print_address_description.constprop.0+0x2c/0x3a0
[ 219.861794][ T573] ? kobject_put+0xbb/0xd0
[ 219.861801][ T573] print_report+0xb4/0x270
[ 219.861806][ T573] ? kobject_put+0xbb/0xd0
[ 219.861810][ T573] ? kasan_addr_to_slab+0x21/0x70
[ 219.861816][ T573] ? kobject_put+0xbb/0xd0
[ 219.861821][ T573] kasan_report+0xca/0x100
[ 219.861827][ T573] ? kobject_put+0xbb/0xd0
[ 219.861841][ T573] kobject_put+0xbb/0xd0
[ 219.861846][ T573] netdev_run_todo+0x5f0/0xc60
[ 219.861858][ T573] ? dev_ingress_queue_create+0x190/0x190
[ 219.861864][ T573] ? generic_xdp_install+0x410/0x410
[ 219.861871][ T573] ? vrf_dellink+0xff/0x150 [vrf]
[ 219.861885][ T573] ? vrf_map_unregister_dev+0x480/0x480 [vrf]
[ 219.861894][ T573] ? __lock_acquire+0x449/0x7e0
[ 219.861914][ T573] rtnl_dellink+0x350/0xa30
[ 219.861922][ T573] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 219.861959][ T573] ? find_held_lock+0x2b/0x80
[ 219.861968][ T573] ? __lock_acquire+0x449/0x7e0
[ 219.861978][ T573] ? find_held_lock+0x2b/0x80
[ 219.861984][ T573] ? rtnetlink_rcv_msg+0x6e6/0xc00
[ 219.861988][ T573] ? __lock_release+0x5d/0x170
[ 219.861996][ T573] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 219.862002][ T573] rtnetlink_rcv_msg+0x709/0xc00
[ 219.862009][ T573] ? rtnl_port_fill+0x850/0x850
[ 219.862014][ T573] ? __lock_acquire+0x449/0x7e0
[ 219.862026][ T573] netlink_rcv_skb+0x121/0x340
[ 219.862035][ T573] ? rtnl_port_fill+0x850/0x850
[ 219.862041][ T573] ? netlink_ack+0xdd0/0xdd0
[ 219.862053][ T573] ? netlink_deliver_tap+0x13e/0x340
[ 219.862061][ T573] ? netlink_deliver_tap+0xc3/0x340
[ 219.862068][ T573] netlink_unicast+0x4aa/0x780
[ 219.862076][ T573] ? netlink_attachskb+0x810/0x810
[ 219.862083][ T573] ? __lock_acquire+0x449/0x7e0
[ 219.862093][ T573] netlink_sendmsg+0x714/0xbd0
[ 219.862100][ T573] ? netlink_unicast+0x780/0x780
[ 219.862106][ T573] ? __import_iovec+0x230/0x3b0
[ 219.862130][ T573] ? netlink_unicast+0x780/0x780
[ 219.862135][ T573] ____sys_sendmsg+0x3dd/0x890
[ 219.862152][ T573] ? get_timestamp.constprop.0+0x380/0x380
[ 219.862157][ T573] ? __copy_msghdr+0x3c0/0x3c0
[ 219.862173][ T573] ___sys_sendmsg+0xed/0x170
[ 219.862178][ T573] ? kasan_record_aux_stack+0x8c/0xa0
[ 219.862182][ T573] ? __call_rcu_common.constprop.0+0xa8/0x630
[ 219.862203][ T573] ? copy_msghdr_from_user+0x110/0x110
[ 219.862212][ T573] ? find_held_lock+0x2b/0x80
[ 219.862220][ T573] ? __lock_acquire+0x449/0x7e0
[ 219.862230][ T573] ? find_held_lock+0x2b/0x80
[ 219.862236][ T573] ? __virt_addr_valid+0x22a/0x450
[ 219.862256][ T573] ? __lock_release+0x5d/0x170
[ 219.862267][ T573] __sys_sendmsg+0x10b/0x1a0
[ 219.862272][ T573] ? __call_rcu_common.constprop.0+0x318/0x630
[ 219.862278][ T573] ? __sys_sendmsg_sock+0x20/0x20
[ 219.862293][ T573] ? rcu_is_watching+0x12/0xb0
[ 219.862300][ T573] do_syscall_64+0xc1/0xfd0
[ 219.862310][ T573] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 219.862324][ T573] RIP: 0033:0x7ff8693551d7
[ 219.862333][ T573] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[ 219.862338][ T573] RSP: 002b:00007ffed277d0e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 219.862349][ T573] RAX: ffffffffffffffda RBX: 00007ffed277d810 RCX: 00007ff8693551d7
[ 219.862353][ T573] RDX: 0000000000000000 RSI: 00007ffed277d150 RDI: 0000000000000005
[ 219.862356][ T573] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[ 219.862359][ T573] R10: 00007ff869251f60 R11: 0000000000000246 R12: 0000000000000002
[ 219.862362][ T573] R13: 00000000690df334 R14: 0000000000499600 R15: 0000000000000000
[ 219.862374][ T573]
[ 219.862376][ T573]
[ 219.875507][ T573] Allocated by task 404:
[ 219.875639][ T573] kasan_save_stack+0x24/0x40
[ 219.875815][ T573] kasan_save_track+0x14/0x30
[ 219.875988][ T573] __kasan_kmalloc+0x7b/0x90
[ 219.876155][ T573] __kvmalloc_node_noprof+0x2e5/0x8e0
[ 219.876328][ T573] alloc_netdev_mqs+0x7d/0x1370
[ 219.876499][ T573] rtnl_create_link+0xa9e/0xe20
[ 219.876665][ T573] rtnl_newlink_create+0x203/0x770
[ 219.876846][ T573] __rtnl_newlink+0x231/0xa30
[ 219.877013][ T573] rtnl_newlink+0x693/0xa60
[ 219.877182][ T573] rtnetlink_rcv_msg+0x709/0xc00
[ 219.877344][ T573] netlink_rcv_skb+0x121/0x340
[ 219.877518][ T573] netlink_unicast+0x4aa/0x780
[ 219.877681][ T573] netlink_sendmsg+0x714/0xbd0
[ 219.877854][ T573] ____sys_sendmsg+0x3dd/0x890
[ 219.878023][ T573] ___sys_sendmsg+0xed/0x170
[ 219.878198][ T573] __sys_sendmsg+0x10b/0x1a0
[ 219.878367][ T573] do_syscall_64+0xc1/0xfd0
[ 219.878540][ T573] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 219.878739][ T573]
[ 219.878828][ T573] Freed by task 573:
[ 219.878954][ T573] kasan_save_stack+0x24/0x40
[ 219.879123][ T573] kasan_save_track+0x14/0x30
[ 219.879291][ T573] __kasan_save_free_info+0x3b/0x60
[ 219.879457][ T573] __kasan_slab_free+0x3f/0x60
[ 219.879620][ T573] kfree+0x21d/0x540
[ 219.879748][ T573] device_release+0x9c/0x210
[ 219.879939][ T573] kobject_cleanup+0xfe/0x360
[ 219.880108][ T573] netdev_run_todo+0x81f/0xc60
[ 219.880276][ T573] rtnl_dellink+0x350/0xa30
[ 219.880439][ T573] rtnetlink_rcv_msg+0x709/0xc00
[ 219.880604][ T573] netlink_rcv_skb+0x121/0x340
[ 219.880765][ T573] netlink_unicast+0x4aa/0x780
[ 219.880944][ T573] netlink_sendmsg+0x714/0xbd0
[ 219.881117][ T573] ____sys_sendmsg+0x3dd/0x890
[ 219.881285][ T573] ___sys_sendmsg+0xed/0x170
[ 219.881450][ T573] __sys_sendmsg+0x10b/0x1a0
[ 219.881616][ T573] do_syscall_64+0xc1/0xfd0
[ 219.881780][ T573] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 219.881992][ T573]
[ 219.882080][ T573] The buggy address belongs to the object at ffff88800b65c000
[ 219.882080][ T573] which belongs to the cache kmalloc-4k of size 4096
[ 219.882492][ T573] The buggy address is located 1708 bytes inside of
[ 219.882492][ T573] freed 4096-byte region [ffff88800b65c000, ffff88800b65d000)
[ 219.882895][ T573]
[ 219.882983][ T573] The buggy address belongs to the physical page:
[ 219.883197][ T573] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb658
[ 219.883499][ T573] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 219.883755][ T573] flags: 0x80000000000040(head|node=0|zone=1)
[ 219.883988][ T573] page_type: f5(slab)
[ 219.884122][ T573] raw: 0080000000000040 ffff888001043700 ffffea00001fec10 ffffea000012aa10
[ 219.884424][ T573] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 219.884728][ T573] head: 0080000000000040 ffff888001043700 ffffea00001fec10 ffffea000012aa10
[ 219.885032][ T573] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 219.885343][ T573] head: 0080000000000003 ffffea00002d9601 00000000ffffffff 00000000ffffffff
[ 219.885643][ T573] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 219.885947][ T573] page dumped because: kasan: bad access detected
[ 219.886162][ T573]
[ 219.886248][ T573] Memory state around the buggy address:
[ 219.886414][ T573] ffff88800b65c580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 219.886656][ T573] ffff88800b65c600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 219.886898][ T573] >ffff88800b65c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 219.887151][ T573] ^
[ 219.887317][ T573] ffff88800b65c700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 219.887560][ T573] ffff88800b65c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 219.887801][ T573] ==================================================================
[ 219.888116][ T573] Disabling lock debugging due to kernel taint
[ 219.888384][ T573] ------------[ cut here ]------------
[ 219.888574][ T573] refcount_t: underflow; use-after-free.
[ 219.888849][ T573] WARNING: CPU: 2 PID: 573 at lib/refcount.c:28 refcount_warn_saturate+0x16f/0x1b0
[ 219.889344][ T573] Modules linked in: act_gact cls_flower sch_ingress 8021q ip6_gre ip6_tunnel tunnel6 gre vrf veth
[ 219.889807][ T573] CPU: 2 UID: 0 PID: 573 Comm: ip Tainted: G B 6.18.0-rc4-virtme #1 PREEMPT(full)
[ 219.890186][ T573] Tainted: [B]=BAD_PAGE
[ 219.890335][ T573] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 219.890565][ T573] RIP: 0010:refcount_warn_saturate+0x16f/0x1b0
[ 219.890801][ T573] Code: 7d 93 02 80 fb 01 0f 87 bb 99 d9 fe 83 e3 01 0f 85 51 ff ff ff c6 05 a8 7d 93 02 01 90 48 c7 c7 60 8d 25 8f e8 32 bf 18 ff 90 <0f> 0b 90 90 e9 33 ff ff ff 48 89 df e8 b0 63 a1 ff e9 ba fe ff ff
[ 219.891439][ T573] RSP: 0000:ffffc90000eef1f0 EFLAGS: 00010286
[ 219.891679][ T573] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 219.891947][ T573] RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000001
[ 219.892236][ T573] RBP: 0000000000000003 R08: 0000000000000000 R09: fffffbfff1f7e134
[ 219.892507][ T573] R10: 0000000000000003 R11: ffffc90000eeed80 R12: 0000000000000001
[ 219.892768][ T573] R13: dffffc0000000000 R14: dead000000000122 R15: dead000000000100
[ 219.893034][ T573] FS: 00007ff869187800(0000) GS:ffff8880a52f2000(0000) knlGS:0000000000000000
[ 219.893363][ T573] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 219.893595][ T573] CR2: 00007ff869459038 CR3: 0000000012534002 CR4: 0000000000772ef0
[ 219.893869][ T573] PKRU: 55555554
[ 219.894017][ T573] Call Trace:
[ 219.894187][ T573]
[ 219.894337][ T573] netdev_run_todo+0x5f0/0xc60
[ 219.894625][ T573] ? dev_ingress_queue_create+0x190/0x190
[ 219.894827][ T573] ? generic_xdp_install+0x410/0x410
[ 219.895033][ T573] ? vrf_dellink+0xff/0x150 [vrf]
[ 219.895343][ T573] ? vrf_map_unregister_dev+0x480/0x480 [vrf]
[ 219.895576][ T573] ? __lock_acquire+0x449/0x7e0
[ 219.895779][ T573] rtnl_dellink+0x350/0xa30
[ 219.895973][ T573] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 219.896219][ T573] ? find_held_lock+0x2b/0x80
[ 219.896520][ T573] ? __lock_acquire+0x449/0x7e0
[ 219.896831][ T573] ? find_held_lock+0x2b/0x80
[ 219.897043][ T573] ? rtnetlink_rcv_msg+0x6e6/0xc00
[ 219.897259][ T573] ? __lock_release+0x5d/0x170
[ 219.897463][ T573] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 219.897808][ T573] rtnetlink_rcv_msg+0x709/0xc00
[ 219.898010][ T573] ? rtnl_port_fill+0x850/0x850
[ 219.898344][ T573] ? __lock_acquire+0x449/0x7e0
[ 219.898563][ T573] netlink_rcv_skb+0x121/0x340
[ 219.898869][ T573] ? rtnl_port_fill+0x850/0x850
[ 219.899060][ T573] ? netlink_ack+0xdd0/0xdd0
[ 219.899271][ T573] ? netlink_deliver_tap+0x13e/0x340
[ 219.899574][ T573] ? netlink_deliver_tap+0xc3/0x340
[ 219.899766][ T573] netlink_unicast+0x4aa/0x780
[ 219.899971][ T573] ? netlink_attachskb+0x810/0x810
[ 219.900268][ T573] ? __lock_acquire+0x449/0x7e0
[ 219.900460][ T573] netlink_sendmsg+0x714/0xbd0
[ 219.900644][ T573] ? netlink_unicast+0x780/0x780
[ 219.900829][ T573] ? __import_iovec+0x230/0x3b0
[ 219.901028][ T573] ? netlink_unicast+0x780/0x780
[ 219.901226][ T573] ____sys_sendmsg+0x3dd/0x890
[ 219.901410][ T573] ? get_timestamp.constprop.0+0x380/0x380
[ 219.901731][ T573] ? __copy_msghdr+0x3c0/0x3c0
[ 219.901934][ T573] ___sys_sendmsg+0xed/0x170
[ 219.902144][ T573] ? kasan_record_aux_stack+0x8c/0xa0
[ 219.902442][ T573] ? __call_rcu_common.constprop.0+0xa8/0x630
[ 219.902783][ T573] ? copy_msghdr_from_user+0x110/0x110
[ 219.903002][ T573] ? find_held_lock+0x2b/0x80
[ 219.903212][ T573] ? __lock_acquire+0x449/0x7e0
[ 219.903413][ T573] ? find_held_lock+0x2b/0x80
[ 219.903778][ T573] ? __virt_addr_valid+0x22a/0x450
[ 219.903995][ T573] ? __lock_release+0x5d/0x170
[ 219.904206][ T573] __sys_sendmsg+0x10b/0x1a0
[ 219.904407][ T573] ? __call_rcu_common.constprop.0+0x318/0x630
[ 219.904759][ T573] ? __sys_sendmsg_sock+0x20/0x20
[ 219.904959][ T573] ? rcu_is_watching+0x12/0xb0
[ 219.905178][ T573] do_syscall_64+0xc1/0xfd0
[ 219.905468][ T573] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 219.905702][ T573] RIP: 0033:0x7ff8693551d7
[ 219.905894][ T573] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[ 219.906616][ T573] RSP: 002b:00007ffed277d0e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 219.906936][ T573] RAX: ffffffffffffffda RBX: 00007ffed277d810 RCX: 00007ff8693551d7
[ 219.907346][ T573] RDX: 0000000000000000 RSI: 00007ffed277d150 RDI: 0000000000000005
[ 219.907652][ T573] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[ 219.907955][ T573] R10: 00007ff869251f60 R11: 0000000000000246 R12: 0000000000000002
[ 219.908242][ T573] R13: 00000000690df334 R14: 0000000000499600 R15: 0000000000000000
[ 219.908534][ T573]
[ 219.908684][ T573] irq event stamp: 40673
[ 219.908925][ T573] hardirqs last enabled at (40673): [] finish_task_switch.isra.0+0x245/0x960
[ 219.909308][ T573] hardirqs last disabled at (40672): [] __schedule+0x94a/0x1b10
[ 219.909663][ T573] softirqs last enabled at (39838): [] handle_softirqs+0x352/0x610
[ 219.909962][ T573] softirqs last disabled at (39677): [] irq_exit_rcu+0xab/0x100
[ 219.910272][ T573] ---[ end trace 0000000000000000 ]---