[   21.910317][  T306] 8021q: 802.1Q VLAN Support v1.8
[   27.445571][  T376] GACT probability NOT on
[   27.486622][  T374] tc (374) used greatest stack depth: 24448 bytes left
[   29.650603][  T411] br10: port 1(veth1.10) entered blocking state
[   29.651216][  T411] br10: port 1(veth1.10) entered disabled state
[   29.651810][  T411] veth1.10: entered allmulticast mode
[   29.652169][  T411] veth1: entered allmulticast mode
[   29.658080][  T411] veth1.10: entered promiscuous mode
[   29.658635][  T411] veth1: entered promiscuous mode
[   30.574556][  T428] br11: port 1(veth1.11) entered blocking state
[   30.577370][  T428] br11: port 1(veth1.11) entered disabled state
[   30.578091][  T428] veth1.11: entered allmulticast mode
[   30.583425][  T428] veth1.11: entered promiscuous mode
[   32.134649][  T458] br10: port 2(veth2.10) entered blocking state
[   32.135497][  T458] br10: port 2(veth2.10) entered disabled state
[   32.136353][  T458] veth2.10: entered allmulticast mode
[   32.136925][  T458] veth2: entered allmulticast mode
[   32.143241][  T458] veth2.10: entered promiscuous mode
[   32.143871][  T458] veth2: entered promiscuous mode
[   33.073369][  T475] br11: port 2(veth2.11) entered blocking state
[   33.074610][  T475] br11: port 2(veth2.11) entered disabled state
[   33.075114][  T475] veth2.11: entered allmulticast mode
[   33.079065][  T475] veth2.11: entered promiscuous mode
[   33.824674][  T487] br10: port 2(veth2.10) entered blocking state
[   33.825416][  T487] br10: port 2(veth2.10) entered forwarding state
[   33.826941][  T487] br10: port 1(veth1.10) entered blocking state
[   33.827501][  T487] br10: port 1(veth1.10) entered forwarding state
[   34.042114][  T492] br11: port 2(veth2.11) entered blocking state
[   34.042608][  T492] br11: port 2(veth2.11) entered forwarding state
[   34.043401][  T492] br11: port 1(veth1.11) entered blocking state
[   34.043845][  T492] br11: port 1(veth1.11) entered forwarding state
[  120.734808][  T838] br11: port 2(veth2.11) entered disabled state
[  120.735947][  T838] br11: port 1(veth1.11) entered disabled state
[  120.907313][  T840] br10: port 2(veth2.10) entered disabled state
[  120.909148][  T840] br10: port 1(veth1.10) entered disabled state
[  121.262031][  T844] veth2.11: left allmulticast mode
[  121.262526][  T844] veth2.11: left promiscuous mode
[  121.263673][  T844] br11: port 2(veth2.11) entered disabled state
[  121.433941][  T846] ==================================================================
[  121.434333][  T846] BUG: KASAN: slab-use-after-free in kobject_put+0xbb/0xd0
[  121.434765][  T846] Read of size 1 at addr ffff88800a1846ac by task ip/846
[  121.435021][  T846] 
[  121.435128][  T846] CPU: 2 UID: 0 PID: 846 Comm: ip Not tainted 6.18.0-rc4-virtme #1 PREEMPT(full) 
[  121.435164][  T846] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  121.435167][  T846] Call Trace:
[  121.435169][  T846]  <TASK>
[  121.435172][  T846]  dump_stack_lvl+0x82/0xc0
[  121.435182][  T846]  print_address_description.constprop.0+0x2c/0x3a0
[  121.435194][  T846]  ? kobject_put+0xbb/0xd0
[  121.435198][  T846]  print_report+0xb4/0x270
[  121.435201][  T846]  ? kobject_put+0xbb/0xd0
[  121.435204][  T846]  ? kasan_addr_to_slab+0x21/0x70
[  121.435208][  T846]  ? kobject_put+0xbb/0xd0
[  121.435211][  T846]  kasan_report+0xca/0x100
[  121.435216][  T846]  ? kobject_put+0xbb/0xd0
[  121.435225][  T846]  kobject_put+0xbb/0xd0
[  121.435230][  T846]  netdev_run_todo+0x5f0/0xc60
[  121.435237][  T846]  ? dev_ingress_queue_create+0x190/0x190
[  121.435242][  T846]  ? vlan_vid_del+0x30c/0x5e0
[  121.435249][  T846]  ? generic_xdp_install+0x410/0x410
[  121.435254][  T846]  ? vlan_vid_del+0x30c/0x5e0
[  121.435258][  T846]  rtnl_dellink+0x350/0xa30
[  121.435263][  T846]  ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[  121.435283][  T846]  ? find_held_lock+0x2b/0x80
[  121.435298][  T846]  ? __lock_acquire+0x449/0x7e0
[  121.435307][  T846]  ? find_held_lock+0x2b/0x80
[  121.435312][  T846]  ? rtnetlink_rcv_msg+0x6e6/0xc00
[  121.435316][  T846]  ? __lock_release+0x5d/0x170
[  121.435323][  T846]  ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[  121.435327][  T846]  rtnetlink_rcv_msg+0x709/0xc00
[  121.435332][  T846]  ? rtnl_port_fill+0x850/0x850
[  121.435336][  T846]  ? __lock_acquire+0x449/0x7e0
[  121.435345][  T846]  netlink_rcv_skb+0x121/0x340
[  121.435352][  T846]  ? rtnl_port_fill+0x850/0x850
[  121.435357][  T846]  ? netlink_ack+0xdd0/0xdd0
[  121.435370][  T846]  ? netlink_deliver_tap+0x13e/0x340
[  121.435374][  T846]  ? netlink_deliver_tap+0xc3/0x340
[  121.435379][  T846]  netlink_unicast+0x4aa/0x780
[  121.435384][  T846]  ? netlink_attachskb+0x810/0x810
[  121.435388][  T846]  ? __lock_acquire+0x449/0x7e0
[  121.435394][  T846]  netlink_sendmsg+0x714/0xbd0
[  121.435398][  T846]  ? netlink_unicast+0x780/0x780
[  121.435402][  T846]  ? __import_iovec+0x230/0x3b0
[  121.435409][  T846]  ? netlink_unicast+0x780/0x780
[  121.435413][  T846]  ____sys_sendmsg+0x3dd/0x890
[  121.435420][  T846]  ? get_timestamp.constprop.0+0x380/0x380
[  121.435423][  T846]  ? __copy_msghdr+0x3c0/0x3c0
[  121.435431][  T846]  ___sys_sendmsg+0xed/0x170
[  121.435434][  T846]  ? kasan_record_aux_stack+0x8c/0xa0
[  121.435437][  T846]  ? __call_rcu_common.constprop.0+0xa8/0x630
[  121.435450][  T846]  ? copy_msghdr_from_user+0x110/0x110
[  121.435455][  T846]  ? find_held_lock+0x2b/0x80
[  121.435459][  T846]  ? __lock_acquire+0x449/0x7e0
[  121.435465][  T846]  ? find_held_lock+0x2b/0x80
[  121.435468][  T846]  ? __virt_addr_valid+0x22a/0x450
[  121.435482][  T846]  ? __lock_release+0x5d/0x170
[  121.435488][  T846]  __sys_sendmsg+0x10b/0x1a0
[  121.435491][  T846]  ? __call_rcu_common.constprop.0+0x318/0x630
[  121.435496][  T846]  ? __sys_sendmsg_sock+0x20/0x20
[  121.435503][  T846]  ? rcu_is_watching+0x12/0xb0
[  121.435508][  T846]  do_syscall_64+0xc1/0xfd0
[  121.435515][  T846]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[  121.435519][  T846] RIP: 0033:0x7f888f1b51d7
[  121.435526][  T846] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[  121.435529][  T846] RSP: 002b:00007fff06d8d468 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  121.435533][  T846] RAX: ffffffffffffffda RBX: 00007fff06d8db90 RCX: 00007f888f1b51d7
[  121.435536][  T846] RDX: 0000000000000000 RSI: 00007fff06d8d4d0 RDI: 0000000000000005
[  121.435539][  T846] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[  121.435541][  T846] R10: 00007f888f0b1f60 R11: 0000000000000246 R12: 0000000000000002
[  121.435545][  T846] R13: 00000000690deb12 R14: 0000000000499600 R15: 0000000000000000
[  121.435555][  T846]  </TASK>
[  121.435557][  T846] 
[  121.453136][  T846] Allocated by task 468:
[  121.453346][  T846]  kasan_save_stack+0x24/0x40
[  121.453644][  T846]  kasan_save_track+0x14/0x30
[  121.453921][  T846]  __kasan_kmalloc+0x7b/0x90
[  121.454194][  T846]  __kvmalloc_node_noprof+0x2e5/0x8e0
[  121.454452][  T846]  alloc_netdev_mqs+0x7d/0x1370
[  121.454737][  T846]  rtnl_create_link+0xa9e/0xe20
[  121.455041][  T846]  rtnl_newlink_create+0x203/0x770
[  121.455341][  T846]  __rtnl_newlink+0x231/0xa30
[  121.455634][  T846]  rtnl_newlink+0x693/0xa60
[  121.455917][  T846]  rtnetlink_rcv_msg+0x709/0xc00
[  121.456217][  T846]  netlink_rcv_skb+0x121/0x340
[  121.456514][  T846]  netlink_unicast+0x4aa/0x780
[  121.456808][  T846]  netlink_sendmsg+0x714/0xbd0
[  121.457100][  T846]  ____sys_sendmsg+0x3dd/0x890
[  121.457394][  T846]  ___sys_sendmsg+0xed/0x170
[  121.457694][  T846]  __sys_sendmsg+0x10b/0x1a0
[  121.457989][  T846]  do_syscall_64+0xc1/0xfd0
[  121.458278][  T846]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[  121.458650][  T846] 
[  121.458810][  T846] Freed by task 846:
[  121.459024][  T846]  kasan_save_stack+0x24/0x40
[  121.459321][  T846]  kasan_save_track+0x14/0x30
[  121.459607][  T846]  __kasan_save_free_info+0x3b/0x60
[  121.459911][  T846]  __kasan_slab_free+0x3f/0x60
[  121.460379][  T846]  kfree+0x21d/0x540
[  121.460596][  T846]  device_release+0x9c/0x210
[  121.460901][  T846]  kobject_cleanup+0xfe/0x360
[  121.461193][  T846]  netdev_run_todo+0x81f/0xc60
[  121.461527][  T846]  rtnl_dellink+0x350/0xa30
[  121.461826][  T846]  rtnetlink_rcv_msg+0x709/0xc00
[  121.462114][  T846]  netlink_rcv_skb+0x121/0x340
[  121.462418][  T846]  netlink_unicast+0x4aa/0x780
[  121.462700][  T846]  netlink_sendmsg+0x714/0xbd0
[  121.462996][  T846]  ____sys_sendmsg+0x3dd/0x890
[  121.463279][  T846]  ___sys_sendmsg+0xed/0x170
[  121.463619][  T846]  __sys_sendmsg+0x10b/0x1a0
[  121.463810][  T846]  do_syscall_64+0xc1/0xfd0
[  121.464000][  T846]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[  121.464343][  T846] 
[  121.464442][  T846] The buggy address belongs to the object at ffff88800a184000
[  121.464442][  T846]  which belongs to the cache kmalloc-4k of size 4096
[  121.465096][  T846] The buggy address is located 1708 bytes inside of
[  121.465096][  T846]  freed 4096-byte region [ffff88800a184000, ffff88800a185000)
[  121.465561][  T846] 
[  121.465659][  T846] The buggy address belongs to the physical page:
[  121.465898][  T846] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa180
[  121.466388][  T846] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  121.466784][  T846] flags: 0x80000000000040(head|node=0|zone=1)
[  121.467167][  T846] page_type: f5(slab)
[  121.467324][  T846] raw: 0080000000000040 ffff888001043700 ffffea00002c5c10 ffffea000029c010
[  121.467683][  T846] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[  121.468002][  T846] head: 0080000000000040 ffff888001043700 ffffea00002c5c10 ffffea000029c010
[  121.468315][  T846] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[  121.468615][  T846] head: 0080000000000003 ffffea0000286001 00000000ffffffff 00000000ffffffff
[  121.468917][  T846] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[  121.469347][  T846] page dumped because: kasan: bad access detected
[  121.469563][  T846] 
[  121.469649][  T846] Memory state around the buggy address:
[  121.469822][  T846]  ffff88800a184580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  121.470114][  T846]  ffff88800a184600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  121.470394][  T846] >ffff88800a184680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  121.470675][  T846]                                   ^
[  121.470939][  T846]  ffff88800a184700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  121.471227][  T846]  ffff88800a184780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  121.471496][  T846] ==================================================================
[  121.471961][  T846] Disabling lock debugging due to kernel taint
[  121.472235][  T846] ------------[ cut here ]------------
[  121.472438][  T846] refcount_t: underflow; use-after-free.
[  121.472782][  T846] WARNING: CPU: 2 PID: 846 at lib/refcount.c:28 refcount_warn_saturate+0x16f/0x1b0
[  121.473143][  T846] Modules linked in: sch_tbf sch_prio bridge stp llc act_gact cls_flower sch_ingress 8021q vrf veth
[  121.473566][  T846] CPU: 2 UID: 0 PID: 846 Comm: ip Tainted: G    B               6.18.0-rc4-virtme #1 PREEMPT(full) 
[  121.473996][  T846] Tainted: [B]=BAD_PAGE
[  121.474156][  T846] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  121.474518][  T846] RIP: 0010:refcount_warn_saturate+0x16f/0x1b0
[  121.474800][  T846] Code: 7d 93 02 80 fb 01 0f 87 bb 99 d9 fe 83 e3 01 0f 85 51 ff ff ff c6 05 a8 7d 93 02 01 90 48 c7 c7 60 8d e5 a4 e8 32 bf 18 ff 90 <0f> 0b 90 90 e9 33 ff ff ff 48 89 df e8 b0 63 a1 ff e9 ba fe ff ff
[  121.475656][  T846] RSP: 0018:ffffc90000fef1f0 EFLAGS: 00010286
[  121.475914][  T846] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  121.476254][  T846] RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000001
[  121.476660][  T846] RBP: 0000000000000003 R08: 0000000000000000 R09: fffffbfff4afe134
[  121.476972][  T846] R10: 0000000000000003 R11: ffffc90000feed80 R12: 0000000000000001
[  121.477398][  T846] R13: dffffc0000000000 R14: dead000000000122 R15: dead000000000100
[  121.477685][  T846] FS:  00007f888efe7800(0000) GS:ffff88808f6f2000(0000) knlGS:0000000000000000
[  121.478044][  T846] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  121.478407][  T846] CR2: 00005649bde71218 CR3: 000000000b068002 CR4: 0000000000772ef0
[  121.478723][  T846] PKRU: 55555554
[  121.478899][  T846] Call Trace:
[  121.479065][  T846]  <TASK>
[  121.479202][  T846]  netdev_run_todo+0x5f0/0xc60
[  121.479433][  T846]  ? dev_ingress_queue_create+0x190/0x190
[  121.479675][  T846]  ? vlan_vid_del+0x30c/0x5e0
[  121.479884][  T846]  ? generic_xdp_install+0x410/0x410
[  121.480219][  T846]  ? vlan_vid_del+0x30c/0x5e0
[  121.480436][  T846]  rtnl_dellink+0x350/0xa30
[  121.480668][  T846]  ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[  121.480947][  T846]  ? find_held_lock+0x2b/0x80
[  121.481284][  T846]  ? __lock_acquire+0x449/0x7e0
[  121.481494][  T846]  ? find_held_lock+0x2b/0x80
[  121.481703][  T846]  ? rtnetlink_rcv_msg+0x6e6/0xc00
[  121.481921][  T846]  ? __lock_release+0x5d/0x170
[  121.482229][  T846]  ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[  121.482519][  T846]  rtnetlink_rcv_msg+0x709/0xc00
[  121.482737][  T846]  ? rtnl_port_fill+0x850/0x850
[  121.482947][  T846]  ? __lock_acquire+0x449/0x7e0
[  121.483301][  T846]  netlink_rcv_skb+0x121/0x340
[  121.483523][  T846]  ? rtnl_port_fill+0x850/0x850
[  121.483759][  T846]  ? netlink_ack+0xdd0/0xdd0
[  121.483956][  T846]  ? netlink_deliver_tap+0x13e/0x340
[  121.484306][  T846]  ? netlink_deliver_tap+0xc3/0x340
[  121.484571][  T846]  netlink_unicast+0x4aa/0x780
[  121.484935][  T846]  ? netlink_attachskb+0x810/0x810
[  121.485259][  T846]  ? __lock_acquire+0x449/0x7e0
[  121.485601][  T846]  netlink_sendmsg+0x714/0xbd0
[  121.485902][  T846]  ? netlink_unicast+0x780/0x780
[  121.486214][  T846]  ? __import_iovec+0x230/0x3b0
[  121.486532][  T846]  ? netlink_unicast+0x780/0x780
[  121.486879][  T846]  ____sys_sendmsg+0x3dd/0x890
[  121.487178][  T846]  ? get_timestamp.constprop.0+0x380/0x380
[  121.487600][  T846]  ? __copy_msghdr+0x3c0/0x3c0
[  121.487942][  T846]  ___sys_sendmsg+0xed/0x170
[  121.488425][  T846]  ? kasan_record_aux_stack+0x8c/0xa0
[  121.488777][  T846]  ? __call_rcu_common.constprop.0+0xa8/0x630
[  121.489338][  T846]  ? copy_msghdr_from_user+0x110/0x110
[  121.489869][  T846]  ? find_held_lock+0x2b/0x80
[  121.490181][  T846]  ? __lock_acquire+0x449/0x7e0
[  121.490536][  T846]  ? find_held_lock+0x2b/0x80
[  121.490882][  T846]  ? __virt_addr_valid+0x22a/0x450
[  121.491351][  T846]  ? __lock_release+0x5d/0x170
[  121.491667][  T846]  __sys_sendmsg+0x10b/0x1a0
[  121.491973][  T846]  ? __call_rcu_common.constprop.0+0x318/0x630
[  121.492325][  T846]  ? __sys_sendmsg_sock+0x20/0x20
[  121.492834][  T846]  ? rcu_is_watching+0x12/0xb0
[  121.493113][  T846]  do_syscall_64+0xc1/0xfd0
[  121.493407][  T846]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[  121.493760][  T846] RIP: 0033:0x7f888f1b51d7
[  121.494107][  T846] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[  121.495276][  T846] RSP: 002b:00007fff06d8d468 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  121.495719][  T846] RAX: ffffffffffffffda RBX: 00007fff06d8db90 RCX: 00007f888f1b51d7
[  121.496135][  T846] RDX: 0000000000000000 RSI: 00007fff06d8d4d0 RDI: 0000000000000005
[  121.496738][  T846] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[  121.497154][  T846] R10: 00007f888f0b1f60 R11: 0000000000000246 R12: 0000000000000002
[  121.497577][  T846] R13: 00000000690deb12 R14: 0000000000499600 R15: 0000000000000000
[  121.498232][  T846]  </TASK>
[  121.498510][  T846] irq event stamp: 42627
[  121.498768][  T846] hardirqs last  enabled at (42627): [<ffffffffa4b93e8b>] irqentry_exit+0x3b/0x80
[  121.499456][  T846] hardirqs last disabled at (42626): [<ffffffffa2a5b23f>] handle_softirqs+0x47f/0x610
[  121.500012][  T846] softirqs last  enabled at (42060): [<ffffffffa2a5b112>] handle_softirqs+0x352/0x610
[  121.500672][  T846] softirqs last disabled at (42053): [<ffffffffa2a5b97b>] irq_exit_rcu+0xab/0x100
[  121.501183][  T846] ---[ end trace 0000000000000000 ]---
[  121.512255][  T846] ip (846) used greatest stack depth: 24232 bytes left
[  121.683081][  T852] veth2.10: left allmulticast mode
[  121.683463][  T852] veth2: left allmulticast mode
[  121.684852][  T852] veth2.10: left promiscuous mode
[  121.685358][  T852] veth2: left promiscuous mode
[  121.686192][  T852] br10: port 2(veth2.10) entered disabled state
[  122.202896][  T863] veth1.11: left allmulticast mode
[  122.203124][  T863] veth1.11: left promiscuous mode
[  122.203673][  T863] br11: port 1(veth1.11) entered disabled state
[  122.489234][  T869] veth1.10: left allmulticast mode
[  122.489526][  T869] veth1: left allmulticast mode
[  122.489756][  T869] veth1.10: left promiscuous mode
[  122.489991][  T869] veth1: left promiscuous mode
[  122.490501][  T869] br10: port 1(veth1.10) entered disabled state