[ 19.163035][ T299] br1: port 1(veth1) entered blocking state
[ 19.163905][ T299] br1: port 1(veth1) entered disabled state
[ 19.165437][ T299] veth1: entered allmulticast mode
[ 19.170893][ T299] veth1: entered promiscuous mode
[ 19.443008][ T301] br1: port 2(veth2) entered blocking state
[ 19.443479][ T301] br1: port 2(veth2) entered disabled state
[ 19.444260][ T301] veth2: entered allmulticast mode
[ 19.448253][ T301] veth2: entered promiscuous mode
[ 19.693884][ T303] br1: port 2(veth2) entered blocking state
[ 19.694548][ T303] br1: port 2(veth2) entered forwarding state
[ 19.695572][ T303] br1: port 1(veth1) entered blocking state
[ 19.696024][ T303] br1: port 1(veth1) entered forwarding state
[ 26.722255][ T331] GACT probability NOT on
[ 46.233045][ T621] br1: port 2(veth2) entered disabled state
[ 46.234687][ T621] br1: port 1(veth1) entered disabled state
[ 46.515985][ T624] veth2: left allmulticast mode
[ 46.516592][ T624] veth2: left promiscuous mode
[ 46.517476][ T624] br1: port 2(veth2) entered disabled state
[ 46.750336][ T626] veth1: left allmulticast mode
[ 46.750706][ T626] veth1: left promiscuous mode
[ 46.751234][ T626] br1: port 1(veth1) entered disabled state
[ 46.883420][ T627] ==================================================================
[ 46.883770][ T627] BUG: KASAN: slab-use-after-free in kobject_put+0xbb/0xd0
[ 46.884077][ T627] Read of size 1 at addr ffff8880057ca6ac by task ip/627
[ 46.884349][ T627]
[ 46.884463][ T627] CPU: 3 UID: 0 PID: 627 Comm: ip Not tainted 6.18.0-rc4-virtme #1 PREEMPT(full)
[ 46.884468][ T627] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 46.884471][ T627] Call Trace:
[ 46.884473][ T627]
[ 46.884475][ T627] dump_stack_lvl+0x82/0xc0
[ 46.884484][ T627] print_address_description.constprop.0+0x2c/0x3a0
[ 46.884492][ T627] ? kobject_put+0xbb/0xd0
[ 46.884499][ T627] print_report+0xb4/0x270
[ 46.884504][ T627] ? kobject_put+0xbb/0xd0
[ 46.884510][ T627] ? kasan_addr_to_slab+0x21/0x70
[ 46.884515][ T627] ? kobject_put+0xbb/0xd0
[ 46.884520][ T627] kasan_report+0xca/0x100
[ 46.884527][ T627] ? kobject_put+0xbb/0xd0
[ 46.884535][ T627] kobject_put+0xbb/0xd0
[ 46.884541][ T627] netdev_run_todo+0x5f0/0xc60
[ 46.884548][ T627] ? dev_ingress_queue_create+0x190/0x190
[ 46.884554][ T627] ? generic_xdp_install+0x410/0x410
[ 46.884558][ T627] ? kernfs_put.part.0+0x12d/0x480
[ 46.884566][ T627] ? unregister_netdevice_many+0x20/0x20
[ 46.884575][ T627] ? br_dev_delete+0x115/0x1a0 [bridge]
[ 46.884621][ T627] rtnl_dellink+0x350/0xa30
[ 46.884626][ T627] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 46.884644][ T627] ? find_held_lock+0x2b/0x80
[ 46.884651][ T627] ? __lock_acquire+0x449/0x7e0
[ 46.884657][ T627] ? find_held_lock+0x2b/0x80
[ 46.884660][ T627] ? rtnetlink_rcv_msg+0x6e6/0xc00
[ 46.884663][ T627] ? __lock_release+0x5d/0x170
[ 46.884667][ T627] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 46.884670][ T627] rtnetlink_rcv_msg+0x709/0xc00
[ 46.884674][ T627] ? rtnl_port_fill+0x850/0x850
[ 46.884676][ T627] ? __lock_acquire+0x449/0x7e0
[ 46.884683][ T627] netlink_rcv_skb+0x121/0x340
[ 46.884688][ T627] ? rtnl_port_fill+0x850/0x850
[ 46.884691][ T627] ? netlink_ack+0xdd0/0xdd0
[ 46.884697][ T627] ? netlink_deliver_tap+0x13e/0x340
[ 46.884700][ T627] ? netlink_deliver_tap+0xc3/0x340
[ 46.884704][ T627] netlink_unicast+0x4aa/0x780
[ 46.884708][ T627] ? netlink_attachskb+0x810/0x810
[ 46.884714][ T627] ? __lock_acquire+0x449/0x7e0
[ 46.884723][ T627] netlink_sendmsg+0x714/0xbd0
[ 46.884731][ T627] ? netlink_unicast+0x780/0x780
[ 46.884737][ T627] ? __import_iovec+0x230/0x3b0
[ 46.884748][ T627] ? netlink_unicast+0x780/0x780
[ 46.884753][ T627] ____sys_sendmsg+0x3dd/0x890
[ 46.884763][ T627] ? get_timestamp.constprop.0+0x380/0x380
[ 46.884768][ T627] ? __copy_msghdr+0x3c0/0x3c0
[ 46.884782][ T627] ___sys_sendmsg+0xed/0x170
[ 46.884787][ T627] ? kasan_record_aux_stack+0x8c/0xa0
[ 46.884792][ T627] ? __call_rcu_common.constprop.0+0xa8/0x630
[ 46.884803][ T627] ? copy_msghdr_from_user+0x110/0x110
[ 46.884811][ T627] ? find_held_lock+0x2b/0x80
[ 46.884819][ T627] ? __lock_acquire+0x449/0x7e0
[ 46.884830][ T627] ? find_held_lock+0x2b/0x80
[ 46.884835][ T627] ? __virt_addr_valid+0x22a/0x450
[ 46.884843][ T627] ? __lock_release+0x5d/0x170
[ 46.884854][ T627] __sys_sendmsg+0x10b/0x1a0
[ 46.884859][ T627] ? __call_rcu_common.constprop.0+0x318/0x630
[ 46.884865][ T627] ? __sys_sendmsg_sock+0x20/0x20
[ 46.884874][ T627] ? rcu_is_watching+0x12/0xb0
[ 46.884878][ T627] do_syscall_64+0xc1/0xfd0
[ 46.884885][ T627] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 46.884890][ T627] RIP: 0033:0x7f677c6bc1d7
[ 46.884895][ T627] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[ 46.884899][ T627] RSP: 002b:00007fffe9809aa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 46.884903][ T627] RAX: ffffffffffffffda RBX: 00007fffe980a1d0 RCX: 00007f677c6bc1d7
[ 46.884906][ T627] RDX: 0000000000000000 RSI: 00007fffe9809b10 RDI: 0000000000000005
[ 46.884908][ T627] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[ 46.884909][ T627] R10: 00007f677c5b8f60 R11: 0000000000000246 R12: 0000000000000002
[ 46.884911][ T627] R13: 00000000690df9b7 R14: 0000000000499600 R15: 0000000000000000
[ 46.884918][ T627]
[ 46.884919][ T627]
[ 46.899086][ T627] Allocated by task 296:
[ 46.899226][ T627] kasan_save_stack+0x24/0x40
[ 46.899417][ T627] kasan_save_track+0x14/0x30
[ 46.899598][ T627] __kasan_kmalloc+0x7b/0x90
[ 46.899799][ T627] __kvmalloc_node_noprof+0x2e5/0x8e0
[ 46.899986][ T627] alloc_netdev_mqs+0x7d/0x1370
[ 46.900174][ T627] rtnl_create_link+0xa9e/0xe20
[ 46.900357][ T627] rtnl_newlink_create+0x203/0x770
[ 46.900632][ T627] __rtnl_newlink+0x231/0xa30
[ 46.900927][ T627] rtnl_newlink+0x693/0xa60
[ 46.901215][ T627] rtnetlink_rcv_msg+0x709/0xc00
[ 46.901443][ T627] netlink_rcv_skb+0x121/0x340
[ 46.901627][ T627] netlink_unicast+0x4aa/0x780
[ 46.901819][ T627] netlink_sendmsg+0x714/0xbd0
[ 46.902000][ T627] ____sys_sendmsg+0x3dd/0x890
[ 46.902185][ T627] ___sys_sendmsg+0xed/0x170
[ 46.902374][ T627] __sys_sendmsg+0x10b/0x1a0
[ 46.902554][ T627] do_syscall_64+0xc1/0xfd0
[ 46.902742][ T627] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 46.902970][ T627]
[ 46.903063][ T627] Freed by task 627:
[ 46.903200][ T627] kasan_save_stack+0x24/0x40
[ 46.903389][ T627] kasan_save_track+0x14/0x30
[ 46.903567][ T627] __kasan_save_free_info+0x3b/0x60
[ 46.903765][ T627] __kasan_slab_free+0x3f/0x60
[ 46.903945][ T627] kfree+0x21d/0x540
[ 46.904082][ T627] device_release+0x9c/0x210
[ 46.904268][ T627] kobject_cleanup+0xfe/0x360
[ 46.904451][ T627] netdev_run_todo+0x81f/0xc60
[ 46.904632][ T627] rtnl_dellink+0x350/0xa30
[ 46.904849][ T627] rtnetlink_rcv_msg+0x709/0xc00
[ 46.905030][ T627] netlink_rcv_skb+0x121/0x340
[ 46.905215][ T627] netlink_unicast+0x4aa/0x780
[ 46.905398][ T627] netlink_sendmsg+0x714/0xbd0
[ 46.905580][ T627] ____sys_sendmsg+0x3dd/0x890
[ 46.905771][ T627] ___sys_sendmsg+0xed/0x170
[ 46.905951][ T627] __sys_sendmsg+0x10b/0x1a0
[ 46.906131][ T627] do_syscall_64+0xc1/0xfd0
[ 46.906314][ T627] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 46.906538][ T627]
[ 46.906633][ T627] Last potentially related work creation:
[ 46.906822][ T627] kasan_save_stack+0x24/0x40
[ 46.907014][ T627] kasan_record_aux_stack+0x8c/0xa0
[ 46.907208][ T627] insert_work+0x34/0x230
[ 46.907348][ T627] __queue_work+0x5fd/0xab0
[ 46.907532][ T627] queue_work_on+0x84/0x90
[ 46.907707][ T627] br_multicast_dev_del+0xeb/0x240 [bridge]
[ 46.907986][ T627] br_dev_uninit+0x19/0x40 [bridge]
[ 46.908194][ T627] unregister_netdevice_many_notify+0xa80/0x1b30
[ 46.908445][ T627] rtnl_dellink+0x344/0xa30
[ 46.908628][ T627] rtnetlink_rcv_msg+0x709/0xc00
[ 46.908823][ T627] netlink_rcv_skb+0x121/0x340
[ 46.909118][ T627] netlink_unicast+0x4aa/0x780
[ 46.909300][ T627] netlink_sendmsg+0x714/0xbd0
[ 46.909483][ T627] ____sys_sendmsg+0x3dd/0x890
[ 46.909673][ T627] ___sys_sendmsg+0xed/0x170
[ 46.909975][ T627] __sys_sendmsg+0x10b/0x1a0
[ 46.910158][ T627] do_syscall_64+0xc1/0xfd0
[ 46.910554][ T627] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 46.910793][ T627]
[ 46.910889][ T627] Second to last potentially related work creation:
[ 46.911217][ T627] kasan_save_stack+0x24/0x40
[ 46.911403][ T627] kasan_record_aux_stack+0x8c/0xa0
[ 46.911590][ T627] insert_work+0x34/0x230
[ 46.911735][ T627] __queue_work+0x5fd/0xab0
[ 46.911929][ T627] queue_work_on+0x84/0x90
[ 46.912215][ T627] br_multicast_del_mdb_entry+0x95d/0xfe0 [bridge]
[ 46.912475][ T627] br_multicast_dev_del+0xeb/0x240 [bridge]
[ 46.912734][ T627] br_dev_uninit+0x19/0x40 [bridge]
[ 46.912944][ T627] unregister_netdevice_many_notify+0xa80/0x1b30
[ 46.913270][ T627] rtnl_dellink+0x344/0xa30
[ 46.913457][ T627] rtnetlink_rcv_msg+0x709/0xc00
[ 46.913640][ T627] netlink_rcv_skb+0x121/0x340
[ 46.913831][ T627] netlink_unicast+0x4aa/0x780
[ 46.914109][ T627] netlink_sendmsg+0x714/0xbd0
[ 46.914294][ T627] ____sys_sendmsg+0x3dd/0x890
[ 46.914479][ T627] ___sys_sendmsg+0xed/0x170
[ 46.914668][ T627] __sys_sendmsg+0x10b/0x1a0
[ 46.914976][ T627] do_syscall_64+0xc1/0xfd0
[ 46.915199][ T627] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 46.915607][ T627]
[ 46.915745][ T627] The buggy address belongs to the object at ffff8880057ca000
[ 46.915745][ T627] which belongs to the cache kmalloc-8k of size 8192
[ 46.916533][ T627] The buggy address is located 1708 bytes inside of
[ 46.916533][ T627] freed 8192-byte region [ffff8880057ca000, ffff8880057cc000)
[ 46.917200][ T627]
[ 46.917347][ T627] The buggy address belongs to the physical page:
[ 46.917703][ T627] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x57c8
[ 46.918227][ T627] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 46.918686][ T627] flags: 0x80000000000040(head|node=0|zone=1)
[ 46.919259][ T627] page_type: f5(slab)
[ 46.919497][ T627] raw: 0080000000000040 ffff8880010438c0 ffffea0000295210 ffff888001041228
[ 46.920172][ T627] raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
[ 46.920501][ T627] head: 0080000000000040 ffff8880010438c0 ffffea0000295210 ffff888001041228
[ 46.920895][ T627] head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
[ 46.921357][ T627] head: 0080000000000003 ffffea000015f201 00000000ffffffff 00000000ffffffff
[ 46.921678][ T627] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 46.922006][ T627] page dumped because: kasan: bad access detected
[ 46.922256][ T627]
[ 46.922446][ T627] Memory state around the buggy address:
[ 46.922635][ T627] ffff8880057ca580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.922920][ T627] ffff8880057ca600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.923182][ T627] >ffff8880057ca680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.923540][ T627] ^
[ 46.923730][ T627] ffff8880057ca700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.924037][ T627] ffff8880057ca780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.924301][ T627] ==================================================================
[ 46.924613][ T627] Disabling lock debugging due to kernel taint
[ 46.924951][ T627] ------------[ cut here ]------------
[ 46.925133][ T627] refcount_t: underflow; use-after-free.
[ 46.925342][ T627] WARNING: CPU: 3 PID: 627 at lib/refcount.c:28 refcount_warn_saturate+0x16f/0x1b0
[ 46.925671][ T627] Modules linked in: act_gact cls_flower sch_ingress bridge stp llc vrf veth
[ 46.926122][ T627] CPU: 3 UID: 0 PID: 627 Comm: ip Tainted: G B 6.18.0-rc4-virtme #1 PREEMPT(full)
[ 46.926496][ T627] Tainted: [B]=BAD_PAGE
[ 46.926757][ T627] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 46.926993][ T627] RIP: 0010:refcount_warn_saturate+0x16f/0x1b0
[ 46.927233][ T627] Code: 7d 93 02 80 fb 01 0f 87 bb 99 d9 fe 83 e3 01 0f 85 51 ff ff ff c6 05 a8 7d 93 02 01 90 48 c7 c7 60 8d 65 9f e8 32 bf 18 ff 90 <0f> 0b 90 90 e9 33 ff ff ff 48 89 df e8 b0 63 a1 ff e9 ba fe ff ff
[ 46.928008][ T627] RSP: 0000:ffffc90000ff71f0 EFLAGS: 00010286
[ 46.928245][ T627] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 46.928641][ T627] RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000001
[ 46.928937][ T627] RBP: 0000000000000003 R08: 0000000000000000 R09: fffffbfff3ffe134
[ 46.929336][ T627] R10: 0000000000000003 R11: ffffc90000ff6d80 R12: 0000000000000001
[ 46.929646][ T627] R13: dffffc0000000000 R14: dead000000000122 R15: dead000000000100
[ 46.929957][ T627] FS: 00007f677c4ee800(0000) GS:ffff888094f72000(0000) knlGS:0000000000000000
[ 46.930465][ T627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 46.930762][ T627] CR2: 00007fe3a9179aa0 CR3: 000000000fa85005 CR4: 0000000000772ef0
[ 46.931047][ T627] PKRU: 55555554
[ 46.931235][ T627] Call Trace:
[ 46.931475][ T627]
[ 46.931571][ T627] netdev_run_todo+0x5f0/0xc60
[ 46.931785][ T627] ? dev_ingress_queue_create+0x190/0x190
[ 46.931972][ T627] ? generic_xdp_install+0x410/0x410
[ 46.932257][ T627] ? kernfs_put.part.0+0x12d/0x480
[ 46.932445][ T627] ? unregister_netdevice_many+0x20/0x20
[ 46.932634][ T627] ? br_dev_delete+0x115/0x1a0 [bridge]
[ 46.932895][ T627] rtnl_dellink+0x350/0xa30
[ 46.933178][ T627] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 46.933417][ T627] ? find_held_lock+0x2b/0x80
[ 46.933606][ T627] ? __lock_acquire+0x449/0x7e0
[ 46.933939][ T627] ? find_held_lock+0x2b/0x80
[ 46.934128][ T627] ? rtnetlink_rcv_msg+0x6e6/0xc00
[ 46.934313][ T627] ? __lock_release+0x5d/0x170
[ 46.934494][ T627] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 46.934790][ T627] rtnetlink_rcv_msg+0x709/0xc00
[ 46.934976][ T627] ? rtnl_port_fill+0x850/0x850
[ 46.935157][ T627] ? __lock_acquire+0x449/0x7e0
[ 46.935347][ T627] netlink_rcv_skb+0x121/0x340
[ 46.935626][ T627] ? rtnl_port_fill+0x850/0x850
[ 46.935830][ T627] ? netlink_ack+0xdd0/0xdd0
[ 46.936066][ T627] ? netlink_deliver_tap+0x13e/0x340
[ 46.936255][ T627] ? netlink_deliver_tap+0xc3/0x340
[ 46.936529][ T627] netlink_unicast+0x4aa/0x780
[ 46.936715][ T627] ? netlink_attachskb+0x810/0x810
[ 46.936971][ T627] ? __lock_acquire+0x449/0x7e0
[ 46.937162][ T627] netlink_sendmsg+0x714/0xbd0
[ 46.937499][ T627] ? netlink_unicast+0x780/0x780
[ 46.937680][ T627] ? __import_iovec+0x230/0x3b0
[ 46.937877][ T627] ? netlink_unicast+0x780/0x780
[ 46.938062][ T627] ____sys_sendmsg+0x3dd/0x890
[ 46.938377][ T627] ? get_timestamp.constprop.0+0x380/0x380
[ 46.938613][ T627] ? __copy_msghdr+0x3c0/0x3c0
[ 46.938849][ T627] ___sys_sendmsg+0xed/0x170
[ 46.939035][ T627] ? kasan_record_aux_stack+0x8c/0xa0
[ 46.939307][ T627] ? __call_rcu_common.constprop.0+0xa8/0x630
[ 46.939556][ T627] ? copy_msghdr_from_user+0x110/0x110
[ 46.939759][ T627] ? find_held_lock+0x2b/0x80
[ 46.939936][ T627] ? __lock_acquire+0x449/0x7e0
[ 46.940209][ T627] ? find_held_lock+0x2b/0x80
[ 46.940383][ T627] ? __virt_addr_valid+0x22a/0x450
[ 46.940568][ T627] ? __lock_release+0x5d/0x170
[ 46.940760][ T627] __sys_sendmsg+0x10b/0x1a0
[ 46.941028][ T627] ? __call_rcu_common.constprop.0+0x318/0x630
[ 46.941249][ T627] ? __sys_sendmsg_sock+0x20/0x20
[ 46.941424][ T627] ? rcu_is_watching+0x12/0xb0
[ 46.941600][ T627] do_syscall_64+0xc1/0xfd0
[ 46.941797][ T627] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 46.942014][ T627] RIP: 0033:0x7f677c6bc1d7
[ 46.942211][ T627] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[ 46.942887][ T627] RSP: 002b:00007fffe9809aa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 46.943192][ T627] RAX: ffffffffffffffda RBX: 00007fffe980a1d0 RCX: 00007f677c6bc1d7
[ 46.943494][ T627] RDX: 0000000000000000 RSI: 00007fffe9809b10 RDI: 0000000000000005
[ 46.943873][ T627] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[ 46.944226][ T627] R10: 00007f677c5b8f60 R11: 0000000000000246 R12: 0000000000000002
[ 46.944486][ T627] R13: 00000000690df9b7 R14: 0000000000499600 R15: 0000000000000000
[ 46.944815][ T627]
[ 46.945047][ T627] irq event stamp: 33831
[ 46.945181][ T627] hardirqs last enabled at (33831): [] irqentry_exit+0x3b/0x80
[ 46.945488][ T627] hardirqs last disabled at (33830): [] handle_softirqs+0x47f/0x610
[ 46.945904][ T627] softirqs last enabled at (33730): [] handle_softirqs+0x352/0x610
[ 46.946259][ T627] softirqs last disabled at (33725): [] irq_exit_rcu+0xab/0x100
[ 46.946689][ T627] ---[ end trace 0000000000000000 ]---