[ 15.134743][ T250] ip (250) used greatest stack depth: 23824 bytes left
[ 15.647477][ T260] ip (260) used greatest stack depth: 23664 bytes left
[ 22.586534][ T336] 8021q: 802.1Q VLAN Support v1.8
[ 23.056076][ T341] gre: GRE over IPv4 demultiplexer driver
[ 23.112864][ T341] ip6_gre: GRE over IPv6 tunneling driver
[ 34.558179][ T417] GACT probability NOT on
[ 58.213942][ T633] ==================================================================
[ 58.214335][ T633] BUG: KASAN: slab-use-after-free in kobject_put+0xbb/0xd0
[ 58.214663][ T633] Read of size 1 at addr ffff88800ec316ac by task ip/633
[ 58.214910][ T633]
[ 58.215018][ T633] CPU: 3 UID: 0 PID: 633 Comm: ip Not tainted 6.18.0-rc4-virtme #1 PREEMPT(full)
[ 58.215023][ T633] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 58.215026][ T633] Call Trace:
[ 58.215028][ T633]
[ 58.215031][ T633] dump_stack_lvl+0x82/0xc0
[ 58.215039][ T633] print_address_description.constprop.0+0x2c/0x3a0
[ 58.215051][ T633] ? kobject_put+0xbb/0xd0
[ 58.215055][ T633] print_report+0xb4/0x270
[ 58.215058][ T633] ? kobject_put+0xbb/0xd0
[ 58.215061][ T633] ? kasan_addr_to_slab+0x21/0x70
[ 58.215065][ T633] ? kobject_put+0xbb/0xd0
[ 58.215068][ T633] kasan_report+0xca/0x100
[ 58.215072][ T633] ? kobject_put+0xbb/0xd0
[ 58.215077][ T633] kobject_put+0xbb/0xd0
[ 58.215081][ T633] netdev_run_todo+0x5f0/0xc60
[ 58.215086][ T633] ? dev_ingress_queue_create+0x190/0x190
[ 58.215091][ T633] ? generic_xdp_install+0x410/0x410
[ 58.215094][ T633] ? unregister_netdevice_many+0x20/0x20
[ 58.215100][ T633] ? net_generic+0xbb/0x1f0 [ip6_gre]
[ 58.215108][ T633] rtnl_dellink+0x350/0xa30
[ 58.215114][ T633] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 58.215133][ T633] ? find_held_lock+0x2b/0x80
[ 58.215142][ T633] ? __lock_acquire+0x449/0x7e0
[ 58.215149][ T633] ? find_held_lock+0x2b/0x80
[ 58.215153][ T633] ? rtnetlink_rcv_msg+0x6e6/0xc00
[ 58.215156][ T633] ? __lock_release+0x5d/0x170
[ 58.215160][ T633] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 58.215164][ T633] rtnetlink_rcv_msg+0x709/0xc00
[ 58.215167][ T633] ? rtnl_port_fill+0x850/0x850
[ 58.215170][ T633] ? __lock_acquire+0x449/0x7e0
[ 58.215177][ T633] netlink_rcv_skb+0x121/0x340
[ 58.215183][ T633] ? rtnl_port_fill+0x850/0x850
[ 58.215186][ T633] ? netlink_ack+0xdd0/0xdd0
[ 58.215193][ T633] ? netlink_deliver_tap+0x13e/0x340
[ 58.215196][ T633] ? netlink_deliver_tap+0xc3/0x340
[ 58.215200][ T633] netlink_unicast+0x4aa/0x780
[ 58.215204][ T633] ? netlink_attachskb+0x810/0x810
[ 58.215208][ T633] ? __lock_acquire+0x449/0x7e0
[ 58.215215][ T633] netlink_sendmsg+0x714/0xbd0
[ 58.215220][ T633] ? netlink_unicast+0x780/0x780
[ 58.215223][ T633] ? __import_iovec+0x230/0x3b0
[ 58.215230][ T633] ? netlink_unicast+0x780/0x780
[ 58.215233][ T633] ____sys_sendmsg+0x3dd/0x890
[ 58.215239][ T633] ? get_timestamp.constprop.0+0x380/0x380
[ 58.215242][ T633] ? __copy_msghdr+0x3c0/0x3c0
[ 58.215249][ T633] ___sys_sendmsg+0xed/0x170
[ 58.215252][ T633] ? kasan_record_aux_stack+0x8c/0xa0
[ 58.215255][ T633] ? __call_rcu_common.constprop.0+0xa8/0x630
[ 58.215261][ T633] ? copy_msghdr_from_user+0x110/0x110
[ 58.215266][ T633] ? find_held_lock+0x2b/0x80
[ 58.215274][ T633] ? __lock_acquire+0x449/0x7e0
[ 58.215282][ T633] ? find_held_lock+0x2b/0x80
[ 58.215287][ T633] ? __virt_addr_valid+0x22a/0x450
[ 58.215296][ T633] ? __lock_release+0x5d/0x170
[ 58.215302][ T633] __sys_sendmsg+0x10b/0x1a0
[ 58.215305][ T633] ? __call_rcu_common.constprop.0+0x318/0x630
[ 58.215309][ T633] ? __sys_sendmsg_sock+0x20/0x20
[ 58.215322][ T633] ? rcu_is_watching+0x12/0xb0
[ 58.215327][ T633] do_syscall_64+0xc1/0xfd0
[ 58.215336][ T633] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 58.215341][ T633] RIP: 0033:0x7fdc24b161d7
[ 58.215347][ T633] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[ 58.215350][ T633] RSP: 002b:00007ffe49d7af68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 58.215355][ T633] RAX: ffffffffffffffda RBX: 00007ffe49d7b690 RCX: 00007fdc24b161d7
[ 58.215357][ T633] RDX: 0000000000000000 RSI: 00007ffe49d7afd0 RDI: 0000000000000005
[ 58.215359][ T633] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[ 58.215361][ T633] R10: 00007fdc24a12f60 R11: 0000000000000246 R12: 0000000000000002
[ 58.215363][ T633] R13: 00000000690df828 R14: 0000000000499600 R15: 0000000000000000
[ 58.215369][ T633]
[ 58.215371][ T633]
[ 58.229761][ T633] Allocated by task 367:
[ 58.229918][ T633] kasan_save_stack+0x24/0x40
[ 58.230116][ T633] kasan_save_track+0x14/0x30
[ 58.230306][ T633] __kasan_kmalloc+0x7b/0x90
[ 58.230492][ T633] __kvmalloc_node_noprof+0x2e5/0x8e0
[ 58.230700][ T633] alloc_netdev_mqs+0x7d/0x1370
[ 58.230911][ T633] rtnl_create_link+0xa9e/0xe20
[ 58.231096][ T633] rtnl_newlink_create+0x203/0x770
[ 58.231286][ T633] __rtnl_newlink+0x231/0xa30
[ 58.231475][ T633] rtnl_newlink+0x693/0xa60
[ 58.231672][ T633] rtnetlink_rcv_msg+0x709/0xc00
[ 58.231862][ T633] netlink_rcv_skb+0x121/0x340
[ 58.232056][ T633] netlink_unicast+0x4aa/0x780
[ 58.232242][ T633] netlink_sendmsg+0x714/0xbd0
[ 58.232449][ T633] ____sys_sendmsg+0x3dd/0x890
[ 58.232657][ T633] ___sys_sendmsg+0xed/0x170
[ 58.232849][ T633] __sys_sendmsg+0x10b/0x1a0
[ 58.233035][ T633] do_syscall_64+0xc1/0xfd0
[ 58.233227][ T633] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 58.233469][ T633]
[ 58.233586][ T633] Freed by task 633:
[ 58.233731][ T633] kasan_save_stack+0x24/0x40
[ 58.233938][ T633] kasan_save_track+0x14/0x30
[ 58.234123][ T633] __kasan_save_free_info+0x3b/0x60
[ 58.234321][ T633] __kasan_slab_free+0x3f/0x60
[ 58.234508][ T633] kfree+0x21d/0x540
[ 58.234670][ T633] device_release+0x9c/0x210
[ 58.234877][ T633] kobject_cleanup+0xfe/0x360
[ 58.235068][ T633] netdev_run_todo+0x81f/0xc60
[ 58.235253][ T633] rtnl_dellink+0x350/0xa30
[ 58.235458][ T633] rtnetlink_rcv_msg+0x709/0xc00
[ 58.235665][ T633] netlink_rcv_skb+0x121/0x340
[ 58.235862][ T633] netlink_unicast+0x4aa/0x780
[ 58.236044][ T633] netlink_sendmsg+0x714/0xbd0
[ 58.236229][ T633] ____sys_sendmsg+0x3dd/0x890
[ 58.236424][ T633] ___sys_sendmsg+0xed/0x170
[ 58.236623][ T633] __sys_sendmsg+0x10b/0x1a0
[ 58.236824][ T633] do_syscall_64+0xc1/0xfd0
[ 58.237017][ T633] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 58.237261][ T633]
[ 58.237370][ T633] The buggy address belongs to the object at ffff88800ec31000
[ 58.237370][ T633] which belongs to the cache kmalloc-4k of size 4096
[ 58.237854][ T633] The buggy address is located 1708 bytes inside of
[ 58.237854][ T633] freed 4096-byte region [ffff88800ec31000, ffff88800ec32000)
[ 58.238302][ T633]
[ 58.238398][ T633] The buggy address belongs to the physical page:
[ 58.238657][ T633] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xec30
[ 58.239002][ T633] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 58.239296][ T633] flags: 0x80000000000040(head|node=0|zone=1)
[ 58.239551][ T633] page_type: f5(slab)
[ 58.239708][ T633] raw: 0080000000000040 ffff888001043700 ffffea00002f9c10 ffffea000030e210
[ 58.240067][ T633] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 58.240403][ T633] head: 0080000000000040 ffff888001043700 ffffea00002f9c10 ffffea000030e210
[ 58.240753][ T633] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 58.241190][ T633] head: 0080000000000003 ffffea00003b0c01 00000000ffffffff 00000000ffffffff
[ 58.241538][ T633] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 58.241992][ T633] page dumped because: kasan: bad access detected
[ 58.242221][ T633]
[ 58.242324][ T633] Memory state around the buggy address:
[ 58.242513][ T633] ffff88800ec31580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.242903][ T633] ffff88800ec31600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.243171][ T633] >ffff88800ec31680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.243583][ T633] ^
[ 58.243784][ T633] ffff88800ec31700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.244144][ T633] ffff88800ec31780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.244419][ T633] ==================================================================
[ 58.245008][ T633] Disabling lock debugging due to kernel taint
[ 58.245553][ T633] ------------[ cut here ]------------
[ 58.245863][ T633] refcount_t: underflow; use-after-free.
[ 58.246230][ T633] WARNING: CPU: 2 PID: 633 at lib/refcount.c:28 refcount_warn_saturate+0x16f/0x1b0
[ 58.246813][ T633] Modules linked in: act_gact cls_flower sch_ingress ip6_gre ip6_tunnel tunnel6 gre 8021q vrf veth
[ 58.247530][ T633] CPU: 2 UID: 0 PID: 633 Comm: ip Tainted: G B 6.18.0-rc4-virtme #1 PREEMPT(full)
[ 58.248216][ T633] Tainted: [B]=BAD_PAGE
[ 58.248477][ T633] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 58.248898][ T633] RIP: 0010:refcount_warn_saturate+0x16f/0x1b0
[ 58.249341][ T633] Code: 7d 93 02 80 fb 01 0f 87 bb 99 d9 fe 83 e3 01 0f 85 51 ff ff ff c6 05 a8 7d 93 02 01 90 48 c7 c7 60 8d 65 ac e8 32 bf 18 ff 90 <0f> 0b 90 90 e9 33 ff ff ff 48 89 df e8 b0 63 a1 ff e9 ba fe ff ff
[ 58.250706][ T633] RSP: 0018:ffffc90000fff1f0 EFLAGS: 00010286
[ 58.251131][ T633] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 58.251620][ T633] RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000001
[ 58.252321][ T633] RBP: 0000000000000003 R08: 0000000000000000 R09: fffffbfff59fe134
[ 58.252814][ T633] R10: 0000000000000003 R11: ffffc90000ffed80 R12: 0000000000000001
[ 58.253321][ T633] R13: dffffc0000000000 R14: dead000000000122 R15: dead000000000100
[ 58.253869][ T633] FS: 00007fdc24948800(0000) GS:ffff888087ef2000(0000) knlGS:0000000000000000
[ 58.254460][ T633] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 58.254892][ T633] CR2: 000055f3647c2dec CR3: 00000000054c1002 CR4: 0000000000772ef0
[ 58.255411][ T633] PKRU: 55555554
[ 58.255668][ T633] Call Trace:
[ 58.255935][ T633]
[ 58.256141][ T633] netdev_run_todo+0x5f0/0xc60
[ 58.256671][ T633] ? dev_ingress_queue_create+0x190/0x190
[ 58.257025][ T633] ? generic_xdp_install+0x410/0x410
[ 58.257382][ T633] ? unregister_netdevice_many+0x20/0x20
[ 58.257722][ T633] ? net_generic+0xbb/0x1f0 [ip6_gre]
[ 58.258251][ T633] rtnl_dellink+0x350/0xa30
[ 58.258587][ T633] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 58.259014][ T633] ? find_held_lock+0x2b/0x80
[ 58.259372][ T633] ? __lock_acquire+0x449/0x7e0
[ 58.259903][ T633] ? find_held_lock+0x2b/0x80
[ 58.260265][ T633] ? rtnetlink_rcv_msg+0x6e6/0xc00
[ 58.260586][ T633] ? __lock_release+0x5d/0x170
[ 58.260904][ T633] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 58.261313][ T633] rtnetlink_rcv_msg+0x709/0xc00
[ 58.261647][ T633] ? rtnl_port_fill+0x850/0x850
[ 58.261969][ T633] ? __lock_acquire+0x449/0x7e0
[ 58.262339][ T633] netlink_rcv_skb+0x121/0x340
[ 58.262676][ T633] ? rtnl_port_fill+0x850/0x850
[ 58.263018][ T633] ? netlink_ack+0xdd0/0xdd0
[ 58.263373][ T633] ? netlink_deliver_tap+0x13e/0x340
[ 58.263728][ T633] ? netlink_deliver_tap+0xc3/0x340
[ 58.264058][ T633] netlink_unicast+0x4aa/0x780
[ 58.264404][ T633] ? netlink_attachskb+0x810/0x810
[ 58.264744][ T633] ? __lock_acquire+0x449/0x7e0
[ 58.265052][ T633] netlink_sendmsg+0x714/0xbd0
[ 58.265583][ T633] ? netlink_unicast+0x780/0x780
[ 58.265891][ T633] ? __import_iovec+0x230/0x3b0
[ 58.266222][ T633] ? netlink_unicast+0x780/0x780
[ 58.266548][ T633] ____sys_sendmsg+0x3dd/0x890
[ 58.267062][ T633] ? get_timestamp.constprop.0+0x380/0x380
[ 58.267473][ T633] ? __copy_msghdr+0x3c0/0x3c0
[ 58.267829][ T633] ___sys_sendmsg+0xed/0x170
[ 58.268357][ T633] ? kasan_record_aux_stack+0x8c/0xa0
[ 58.268693][ T633] ? __call_rcu_common.constprop.0+0xa8/0x630
[ 58.269108][ T633] ? copy_msghdr_from_user+0x110/0x110
[ 58.269440][ T633] ? find_held_lock+0x2b/0x80
[ 58.269911][ T633] ? __lock_acquire+0x449/0x7e0
[ 58.270256][ T633] ? find_held_lock+0x2b/0x80
[ 58.270593][ T633] ? __virt_addr_valid+0x22a/0x450
[ 58.270933][ T633] ? __lock_release+0x5d/0x170
[ 58.271454][ T633] __sys_sendmsg+0x10b/0x1a0
[ 58.271784][ T633] ? __call_rcu_common.constprop.0+0x318/0x630
[ 58.272189][ T633] ? __sys_sendmsg_sock+0x20/0x20
[ 58.272522][ T633] ? rcu_is_watching+0x12/0xb0
[ 58.273029][ T633] do_syscall_64+0xc1/0xfd0
[ 58.273375][ T633] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 58.273802][ T633] RIP: 0033:0x7fdc24b161d7
[ 58.274158][ T633] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[ 58.275462][ T633] RSP: 002b:00007ffe49d7af68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 58.276132][ T633] RAX: ffffffffffffffda RBX: 00007ffe49d7b690 RCX: 00007fdc24b161d7
[ 58.276625][ T633] RDX: 0000000000000000 RSI: 00007ffe49d7afd0 RDI: 0000000000000005
[ 58.277109][ T633] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[ 58.277781][ T633] R10: 00007fdc24a12f60 R11: 0000000000000246 R12: 0000000000000002
[ 58.278270][ T633] R13: 00000000690df828 R14: 0000000000499600 R15: 0000000000000000
[ 58.278929][ T633]
[ 58.279197][ T633] irq event stamp: 38613
[ 58.279465][ T633] hardirqs last enabled at (38613): [] finish_task_switch.isra.0+0x245/0x960
[ 58.280101][ T633] hardirqs last disabled at (38612): [] __schedule+0x94a/0x1b10
[ 58.280841][ T633] softirqs last enabled at (38454): [] handle_softirqs+0x352/0x610
[ 58.281409][ T633] softirqs last disabled at (38447): [] irq_exit_rcu+0xab/0x100
[ 58.282136][ T633] ---[ end trace 0000000000000000 ]---