[ 1952.564661][T17218] ==================================================================
[ 1952.565127][T17218] BUG: KASAN: slab-use-after-free in kobject_put+0xbb/0xd0
[ 1952.565538][T17218] Read of size 1 at addr ffff888007df16ac by task ip/17218
[ 1952.565922][T17218]
[ 1952.566067][T17218] CPU: 2 UID: 0 PID: 17218 Comm: ip Not tainted 6.18.0-rc4-virtme #1 PREEMPT(full)
[ 1952.566075][T17218] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1952.566078][T17218] Call Trace:
[ 1952.566082][T17218] <TASK>
[ 1952.566085][T17218] dump_stack_lvl+0x82/0xc0
[ 1952.566093][T17218] print_address_description.constprop.0+0x2c/0x3a0
[ 1952.566102][T17218] ? kobject_put+0xbb/0xd0
[ 1952.566108][T17218] print_report+0xb4/0x270
[ 1952.566113][T17218] ? kobject_put+0xbb/0xd0
[ 1952.566117][T17218] ? kasan_addr_to_slab+0x21/0x70
[ 1952.566122][T17218] ? kobject_put+0xbb/0xd0
[ 1952.566126][T17218] kasan_report+0xca/0x100
[ 1952.566132][T17218] ? kobject_put+0xbb/0xd0
[ 1952.566141][T17218] kobject_put+0xbb/0xd0
[ 1952.566146][T17218] netdev_run_todo+0x5f0/0xc60
[ 1952.566153][T17218] ? dev_ingress_queue_create+0x190/0x190
[ 1952.566158][T17218] ? generic_xdp_install+0x410/0x410
[ 1952.566163][T17218] ? vrf_dellink+0xff/0x150 [vrf]
[ 1952.566177][T17218] ? vrf_map_unregister_dev+0x480/0x480 [vrf]
[ 1952.566184][T17218] ? __lock_acquire+0x449/0x7e0
[ 1952.566197][T17218] rtnl_dellink+0x350/0xa30
[ 1952.566205][T17218] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 1952.566237][T17218] ? find_held_lock+0x2b/0x80
[ 1952.566245][T17218] ? __lock_acquire+0x449/0x7e0
[ 1952.566253][T17218] ? find_held_lock+0x2b/0x80
[ 1952.566258][T17218] ? rtnetlink_rcv_msg+0x6e6/0xc00
[ 1952.566263][T17218] ? __lock_release+0x5d/0x170
[ 1952.566270][T17218] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 1952.566275][T17218] rtnetlink_rcv_msg+0x709/0xc00
[ 1952.566281][T17218] ? rtnl_port_fill+0x850/0x850
[ 1952.566285][T17218] ? __lock_acquire+0x449/0x7e0
[ 1952.566296][T17218] netlink_rcv_skb+0x121/0x340
[ 1952.566302][T17218] ? rtnl_port_fill+0x850/0x850
[ 1952.566308][T17218] ? netlink_ack+0xdd0/0xdd0
[ 1952.566318][T17218] ? netlink_deliver_tap+0x13e/0x340
[ 1952.566323][T17218] ? netlink_deliver_tap+0xc3/0x340
[ 1952.566329][T17218] netlink_unicast+0x4aa/0x780
[ 1952.566335][T17218] ? netlink_attachskb+0x810/0x810
[ 1952.566340][T17218] ? __lock_acquire+0x449/0x7e0
[ 1952.566347][T17218] netlink_sendmsg+0x714/0xbd0
[ 1952.566353][T17218] ? netlink_unicast+0x780/0x780
[ 1952.566358][T17218] ? __import_iovec+0x230/0x3b0
[ 1952.566367][T17218] ? netlink_unicast+0x780/0x780
[ 1952.566372][T17218] ____sys_sendmsg+0x3dd/0x890
[ 1952.566379][T17218] ? get_timestamp.constprop.0+0x380/0x380
[ 1952.566383][T17218] ? __copy_msghdr+0x3c0/0x3c0
[ 1952.566394][T17218] ___sys_sendmsg+0xed/0x170
[ 1952.566399][T17218] ? kasan_record_aux_stack+0x8c/0xa0
[ 1952.566403][T17218] ? __call_rcu_common.constprop.0+0xa8/0x630
[ 1952.566414][T17218] ? copy_msghdr_from_user+0x110/0x110
[ 1952.566422][T17218] ? find_held_lock+0x2b/0x80
[ 1952.566429][T17218] ? __lock_acquire+0x449/0x7e0
[ 1952.566439][T17218] ? find_held_lock+0x2b/0x80
[ 1952.566444][T17218] ? __virt_addr_valid+0x22a/0x450
[ 1952.566453][T17218] ? __lock_release+0x5d/0x170
[ 1952.566464][T17218] __sys_sendmsg+0x10b/0x1a0
[ 1952.566468][T17218] ? __call_rcu_common.constprop.0+0x318/0x630
[ 1952.566474][T17218] ? __sys_sendmsg_sock+0x20/0x20
[ 1952.566487][T17218] ? rcu_is_watching+0x12/0xb0
[ 1952.566493][T17218] do_syscall_64+0xc1/0xfd0
[ 1952.566502][T17218] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 1952.566508][T17218] RIP: 0033:0x7f8f58e1f1d7
[ 1952.566516][T17218] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[ 1952.566520][T17218] RSP: 002b:00007ffc0df1ae38 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 1952.566526][T17218] RAX: ffffffffffffffda RBX: 00007ffc0df1b560 RCX: 00007f8f58e1f1d7
[ 1952.566530][T17218] RDX: 0000000000000000 RSI: 00007ffc0df1aea0 RDI: 0000000000000005
[ 1952.566533][T17218] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[ 1952.566535][T17218] R10: 00007f8f58d1bf60 R11: 0000000000000246 R12: 0000000000000002
[ 1952.566538][T17218] R13: 00000000690de9fc R14: 0000000000499600 R15: 0000000000000000
[ 1952.566549][T17218] </TASK>
[ 1952.566551][T17218]
[ 1952.585829][T17218] Allocated by task 343:
[ 1952.586040][T17218] kasan_save_stack+0x24/0x40
[ 1952.586318][T17218] kasan_save_track+0x14/0x30
[ 1952.586565][T17218] __kasan_kmalloc+0x7b/0x90
[ 1952.586815][T17218] __kvmalloc_node_noprof+0x2e5/0x8e0
[ 1952.587070][T17218] alloc_netdev_mqs+0x7d/0x1370
[ 1952.587324][T17218] rtnl_create_link+0xa9e/0xe20
[ 1952.587591][T17218] rtnl_newlink_create+0x203/0x770
[ 1952.587859][T17218] __rtnl_newlink+0x231/0xa30
[ 1952.588125][T17218] rtnl_newlink+0x693/0xa60
[ 1952.588385][T17218] rtnetlink_rcv_msg+0x709/0xc00
[ 1952.588657][T17218] netlink_rcv_skb+0x121/0x340
[ 1952.588924][T17218] netlink_unicast+0x4aa/0x780
[ 1952.589184][T17218] netlink_sendmsg+0x714/0xbd0
[ 1952.589449][T17218] ____sys_sendmsg+0x3dd/0x890
[ 1952.589729][T17218] ___sys_sendmsg+0xed/0x170
[ 1952.590023][T17218] __sys_sendmsg+0x10b/0x1a0
[ 1952.590305][T17218] do_syscall_64+0xc1/0xfd0
[ 1952.590570][T17218] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 1952.590901][T17218]
[ 1952.591039][T17218] Freed by task 17218:
[ 1952.591236][T17218] kasan_save_stack+0x24/0x40
[ 1952.591511][T17218] kasan_save_track+0x14/0x30
[ 1952.591779][T17218] __kasan_save_free_info+0x3b/0x60
[ 1952.592059][T17218] __kasan_slab_free+0x3f/0x60
[ 1952.592317][T17218] kfree+0x21d/0x540
[ 1952.592515][T17218] device_release+0x9c/0x210
[ 1952.592790][T17218] kobject_cleanup+0xfe/0x360
[ 1952.593068][T17218] netdev_run_todo+0x81f/0xc60
[ 1952.593335][T17218] rtnl_dellink+0x350/0xa30
[ 1952.593602][T17218] rtnetlink_rcv_msg+0x709/0xc00
[ 1952.593872][T17218] netlink_rcv_skb+0x121/0x340
[ 1952.594145][T17218] netlink_unicast+0x4aa/0x780
[ 1952.594405][T17218] netlink_sendmsg+0x714/0xbd0
[ 1952.594712][T17218] ____sys_sendmsg+0x3dd/0x890
[ 1952.594931][T17218] ___sys_sendmsg+0xed/0x170
[ 1952.595129][T17218] __sys_sendmsg+0x10b/0x1a0
[ 1952.595311][T17218] do_syscall_64+0xc1/0xfd0
[ 1952.595515][T17218] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 1952.595857][T17218]
[ 1952.595968][T17218] The buggy address belongs to the object at ffff888007df1000
[ 1952.595968][T17218] which belongs to the cache kmalloc-4k of size 4096
[ 1952.596526][T17218] The buggy address is located 1708 bytes inside of
[ 1952.596526][T17218] freed 4096-byte region [ffff888007df1000, ffff888007df2000)
[ 1952.597179][T17218]
[ 1952.597279][T17218] The buggy address belongs to the physical page:
[ 1952.597524][T17218] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7df0
[ 1952.597963][T17218] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 1952.598350][T17218] flags: 0x80000000000040(head|node=0|zone=1)
[ 1952.598596][T17218] page_type: f5(slab)
[ 1952.598742][T17218] raw: 0080000000000040 ffff888001043700 ffffea00001f8410 ffffea000021a810
[ 1952.599191][T17218] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 1952.599519][T17218] head: 0080000000000040 ffff888001043700 ffffea00001f8410 ffffea000021a810
[ 1952.599838][T17218] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 1952.600169][T17218] head: 0080000000000003 ffffea00001f7c01 00000000ffffffff 00000000ffffffff
[ 1952.600503][T17218] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 1952.600822][T17218] page dumped because: kasan: bad access detected
[ 1952.601062][T17218]
[ 1952.601156][T17218] Memory state around the buggy address:
[ 1952.601424][T17218] ffff888007df1580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1952.601689][T17218] ffff888007df1600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1952.601964][T17218] >ffff888007df1680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1952.602324][T17218] ^
[ 1952.602511][T17218] ffff888007df1700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1952.602768][T17218] ffff888007df1780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1952.603130][T17218] ==================================================================
[ 1952.603614][T17218] Disabling lock debugging due to kernel taint
[ 1952.603875][T17218] ------------[ cut here ]------------
[ 1952.604061][T17218] refcount_t: underflow; use-after-free.
[ 1952.604266][T17218] WARNING: CPU: 1 PID: 17218 at lib/refcount.c:28 refcount_warn_saturate+0x16f/0x1b0
[ 1952.604706][T17218] Modules linked in: vrf veth
[ 1952.604929][T17218] CPU: 1 UID: 0 PID: 17218 Comm: ip Tainted: G B 6.18.0-rc4-virtme #1 PREEMPT(full)
[ 1952.605302][T17218] Tainted: [B]=BAD_PAGE
[ 1952.605443][T17218] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1952.605684][T17218] RIP: 0010:refcount_warn_saturate+0x16f/0x1b0
[ 1952.605952][T17218] Code: 7d 93 02 80 fb 01 0f 87 bb 99 d9 fe 83 e3 01 0f 85 51 ff ff ff c6 05 a8 7d 93 02 01 90 48 c7 c7 60 8d 65 a8 e8 32 bf 18 ff 90 <0f> 0b 90 90 e9 33 ff ff ff 48 89 df e8 b0 63 a1 ff e9 ba fe ff ff
[ 1952.606727][T17218] RSP: 0018:ffffc90005ea71f0 EFLAGS: 00010286
[ 1952.607069][T17218] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 1952.607347][T17218] RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000001
[ 1952.607639][T17218] RBP: 0000000000000003 R08: 0000000000000000 R09: fffffbfff51fe134
[ 1952.608032][T17218] R10: 0000000000000003 R11: ffffc90005ea6d80 R12: 0000000000000001
[ 1952.608312][T17218] R13: dffffc0000000000 R14: dead000000000122 R15: dead000000000100
[ 1952.608601][T17218] FS: 00007f8f58c51800(0000) GS:ffff88808be72000(0000) knlGS:0000000000000000
[ 1952.608936][T17218] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1952.609175][T17218] CR2: 00007fa7196d4000 CR3: 000000000a505006 CR4: 0000000000772ef0
[ 1952.609583][T17218] PKRU: 55555554
[ 1952.609737][T17218] Call Trace:
[ 1952.609874][T17218] <TASK>
[ 1952.609983][T17218] netdev_run_todo+0x5f0/0xc60
[ 1952.610172][T17218] ? dev_ingress_queue_create+0x190/0x190
[ 1952.610465][T17218] ? generic_xdp_install+0x410/0x410
[ 1952.610683][T17218] ? vrf_dellink+0xff/0x150 [vrf]
[ 1952.610877][T17218] ? vrf_map_unregister_dev+0x480/0x480 [vrf]
[ 1952.611113][T17218] ? __lock_acquire+0x449/0x7e0
[ 1952.611401][T17218] rtnl_dellink+0x350/0xa30
[ 1952.611598][T17218] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 1952.611838][T17218] ? find_held_lock+0x2b/0x80
[ 1952.612035][T17218] ? __lock_acquire+0x449/0x7e0
[ 1952.612215][T17218] ? find_held_lock+0x2b/0x80
[ 1952.612425][T17218] ? rtnetlink_rcv_msg+0x6e6/0xc00
[ 1952.612624][T17218] ? __lock_release+0x5d/0x170
[ 1952.612824][T17218] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 1952.613058][T17218] rtnetlink_rcv_msg+0x709/0xc00
[ 1952.613245][T17218] ? rtnl_port_fill+0x850/0x850
[ 1952.613534][T17218] ? __lock_acquire+0x449/0x7e0
[ 1952.613737][T17218] netlink_rcv_skb+0x121/0x340
[ 1952.613945][T17218] ? rtnl_port_fill+0x850/0x850
[ 1952.614221][T17218] ? netlink_ack+0xdd0/0xdd0
[ 1952.614415][T17218] ? netlink_deliver_tap+0x13e/0x340
[ 1952.614629][T17218] ? netlink_deliver_tap+0xc3/0x340
[ 1952.614925][T17218] netlink_unicast+0x4aa/0x780
[ 1952.615112][T17218] ? netlink_attachskb+0x810/0x810
[ 1952.615298][T17218] ? __lock_acquire+0x449/0x7e0
[ 1952.615482][T17218] netlink_sendmsg+0x714/0xbd0
[ 1952.615689][T17218] ? netlink_unicast+0x780/0x780
[ 1952.615882][T17218] ? __import_iovec+0x230/0x3b0
[ 1952.616080][T17218] ? netlink_unicast+0x780/0x780
[ 1952.616278][T17218] ____sys_sendmsg+0x3dd/0x890
[ 1952.616582][T17218] ? get_timestamp.constprop.0+0x380/0x380
[ 1952.616816][T17218] ? __copy_msghdr+0x3c0/0x3c0
[ 1952.617011][T17218] ___sys_sendmsg+0xed/0x170
[ 1952.617391][T17218] ? kasan_record_aux_stack+0x8c/0xa0
[ 1952.617595][T17218] ? __call_rcu_common.constprop.0+0xa8/0x630
[ 1952.617833][T17218] ? copy_msghdr_from_user+0x110/0x110
[ 1952.618025][T17218] ? find_held_lock+0x2b/0x80
[ 1952.618298][T17218] ? __lock_acquire+0x449/0x7e0
[ 1952.618474][T17218] ? find_held_lock+0x2b/0x80
[ 1952.618665][T17218] ? __virt_addr_valid+0x22a/0x450
[ 1952.618856][T17218] ? __lock_release+0x5d/0x170
[ 1952.619136][T17218] __sys_sendmsg+0x10b/0x1a0
[ 1952.619313][T17218] ? __call_rcu_common.constprop.0+0x318/0x630
[ 1952.619552][T17218] ? __sys_sendmsg_sock+0x20/0x20
[ 1952.619839][T17218] ? rcu_is_watching+0x12/0xb0
[ 1952.620031][T17218] do_syscall_64+0xc1/0xfd0
[ 1952.620210][T17218] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 1952.620428][T17218] RIP: 0033:0x7f8f58e1f1d7
[ 1952.620640][T17218] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[ 1952.621281][T17218] RSP: 002b:00007ffc0df1ae38 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 1952.621665][T17218] RAX: ffffffffffffffda RBX: 00007ffc0df1b560 RCX: 00007f8f58e1f1d7
[ 1952.621952][T17218] RDX: 0000000000000000 RSI: 00007ffc0df1aea0 RDI: 0000000000000005
[ 1952.622310][T17218] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[ 1952.622588][T17218] R10: 00007f8f58d1bf60 R11: 0000000000000246 R12: 0000000000000002
[ 1952.622857][T17218] R13: 00000000690de9fc R14: 0000000000499600 R15: 0000000000000000
[ 1952.623234][T17218] </TASK>
[ 1952.623371][T17218] irq event stamp: 40017
[ 1952.623508][T17218] hardirqs last enabled at (40017): [] kasan_quarantine_put+0xf9/0x210
[ 1952.623948][T17218] hardirqs last disabled at (40016): [] kasan_quarantine_put+0xac/0x210
[ 1952.624263][T17218] softirqs last enabled at (39858): [] handle_softirqs+0x352/0x610
[ 1952.624615][T17218] softirqs last disabled at (39851): [] irq_exit_rcu+0xab/0x100
[ 1952.625032][T17218] ---[ end trace 0000000000000000 ]---