[ 19.208958][ T304] br1: port 1(veth1) entered blocking state
[ 19.209568][ T304] br1: port 1(veth1) entered disabled state
[ 19.210182][ T304] veth1: entered allmulticast mode
[ 19.214170][ T304] veth1: entered promiscuous mode
[ 19.345093][ T37] br1: port 1(veth1) entered blocking state
[ 19.345657][ T37] br1: port 1(veth1) entered forwarding state
[ 19.467546][ T308] br1: port 2(veth2) entered blocking state
[ 19.467976][ T308] br1: port 2(veth2) entered disabled state
[ 19.468377][ T308] veth2: entered allmulticast mode
[ 19.472217][ T308] veth2: entered promiscuous mode
[ 19.583639][ T38] br1: port 2(veth2) entered blocking state
[ 19.584108][ T38] br1: port 2(veth2) entered forwarding state
[ 29.272396][ T358] GACT probability NOT on
[ 42.390113][ T509] br1: port 2(veth2) entered disabled state
[ 42.508655][ T510] veth2: left allmulticast mode
[ 42.509326][ T510] veth2: left promiscuous mode
[ 42.510038][ T510] br1: port 2(veth2) entered disabled state
[ 42.628043][ T511] br1: port 1(veth1) entered disabled state
[ 42.751761][ T512] veth1: left allmulticast mode
[ 42.752199][ T512] veth1: left promiscuous mode
[ 42.752715][ T512] br1: port 1(veth1) entered disabled state
[ 42.905743][ T513] ==================================================================
[ 42.906121][ T513] BUG: KASAN: slab-use-after-free in kobject_put+0xbb/0xd0
[ 42.906436][ T513] Read of size 1 at addr ffff88800bdda6ac by task ip/513
[ 42.906659][ T513]
[ 42.906767][ T513] CPU: 0 UID: 0 PID: 513 Comm: ip Not tainted 6.18.0-rc4-virtme #1 PREEMPT(full)
[ 42.906774][ T513] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 42.906779][ T513] Call Trace:
[ 42.906784][ T513] <TASK>
[ 42.906786][ T513] dump_stack_lvl+0x82/0xc0
[ 42.906796][ T513] print_address_description.constprop.0+0x2c/0x3a0
[ 42.906815][ T513] ? kobject_put+0xbb/0xd0
[ 42.906819][ T513] print_report+0xb4/0x270
[ 42.906822][ T513] ? kobject_put+0xbb/0xd0
[ 42.906825][ T513] ? kasan_addr_to_slab+0x21/0x70
[ 42.906828][ T513] ? kobject_put+0xbb/0xd0
[ 42.906832][ T513] kasan_report+0xca/0x100
[ 42.906835][ T513] ? kobject_put+0xbb/0xd0
[ 42.906841][ T513] kobject_put+0xbb/0xd0
[ 42.906844][ T513] netdev_run_todo+0x5f0/0xc60
[ 42.906856][ T513] ? dev_ingress_queue_create+0x190/0x190
[ 42.906859][ T513] ? generic_xdp_install+0x410/0x410
[ 42.906862][ T513] ? kernfs_put.part.0+0x12d/0x480
[ 42.906878][ T513] ? unregister_netdevice_many+0x20/0x20
[ 42.906884][ T513] ? br_dev_delete+0x115/0x1a0 [bridge]
[ 42.906930][ T513] rtnl_dellink+0x350/0xa30
[ 42.906937][ T513] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 42.906956][ T513] ? find_held_lock+0x2b/0x80
[ 42.906973][ T513] ? __lock_acquire+0x449/0x7e0
[ 42.906980][ T513] ? find_held_lock+0x2b/0x80
[ 42.906983][ T513] ? rtnetlink_rcv_msg+0x6e6/0xc00
[ 42.906986][ T513] ? __lock_release+0x5d/0x170
[ 42.906990][ T513] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 42.906993][ T513] rtnetlink_rcv_msg+0x709/0xc00
[ 42.906997][ T513] ? rtnl_port_fill+0x850/0x850
[ 42.907000][ T513] ? __lock_acquire+0x449/0x7e0
[ 42.907007][ T513] netlink_rcv_skb+0x121/0x340
[ 42.907015][ T513] ? rtnl_port_fill+0x850/0x850
[ 42.907019][ T513] ? netlink_ack+0xdd0/0xdd0
[ 42.907026][ T513] ? netlink_deliver_tap+0x13e/0x340
[ 42.907030][ T513] ? netlink_deliver_tap+0xc3/0x340
[ 42.907036][ T513] netlink_unicast+0x4aa/0x780
[ 42.907042][ T513] ? netlink_attachskb+0x810/0x810
[ 42.907048][ T513] ? __lock_acquire+0x449/0x7e0
[ 42.907055][ T513] netlink_sendmsg+0x714/0xbd0
[ 42.907059][ T513] ? netlink_unicast+0x780/0x780
[ 42.907063][ T513] ? __import_iovec+0x230/0x3b0
[ 42.907076][ T513] ? netlink_unicast+0x780/0x780
[ 42.907079][ T513] ____sys_sendmsg+0x3dd/0x890
[ 42.907092][ T513] ? get_timestamp.constprop.0+0x380/0x380
[ 42.907095][ T513] ? __copy_msghdr+0x3c0/0x3c0
[ 42.907105][ T513] ___sys_sendmsg+0xed/0x170
[ 42.907108][ T513] ? kasan_record_aux_stack+0x8c/0xa0
[ 42.907112][ T513] ? __call_rcu_common.constprop.0+0xa8/0x630
[ 42.907124][ T513] ? copy_msghdr_from_user+0x110/0x110
[ 42.907129][ T513] ? find_held_lock+0x2b/0x80
[ 42.907134][ T513] ? __lock_acquire+0x449/0x7e0
[ 42.907139][ T513] ? find_held_lock+0x2b/0x80
[ 42.907143][ T513] ? __virt_addr_valid+0x22a/0x450
[ 42.907159][ T513] ? __lock_release+0x5d/0x170
[ 42.907166][ T513] __sys_sendmsg+0x10b/0x1a0
[ 42.907169][ T513] ? __call_rcu_common.constprop.0+0x318/0x630
[ 42.907173][ T513] ? __sys_sendmsg_sock+0x20/0x20
[ 42.907181][ T513] ? rcu_is_watching+0x12/0xb0
[ 42.907185][ T513] do_syscall_64+0xc1/0xfd0
[ 42.907193][ T513] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 42.907202][ T513] RIP: 0033:0x7f16377af1d7
[ 42.907209][ T513] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[ 42.907214][ T513] RSP: 002b:00007ffff2024c58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 42.907223][ T513] RAX: ffffffffffffffda RBX: 00007ffff2025380 RCX: 00007f16377af1d7
[ 42.907226][ T513] RDX: 0000000000000000 RSI: 00007ffff2024cc0 RDI: 0000000000000005
[ 42.907228][ T513] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[ 42.907229][ T513] R10: 00007f16376abf60 R11: 0000000000000246 R12: 0000000000000002
[ 42.907231][ T513] R13: 00000000690df9e6 R14: 0000000000499600 R15: 0000000000000000
[ 42.907239][ T513] </TASK>
[ 42.907240][ T513]
[ 42.920168][ T513] Allocated by task 302:
[ 42.920312][ T513] kasan_save_stack+0x24/0x40
[ 42.920490][ T513] kasan_save_track+0x14/0x30
[ 42.920653][ T513] __kasan_kmalloc+0x7b/0x90
[ 42.920829][ T513] __kvmalloc_node_noprof+0x2e5/0x8e0
[ 42.921015][ T513] alloc_netdev_mqs+0x7d/0x1370
[ 42.921204][ T513] rtnl_create_link+0xa9e/0xe20
[ 42.921386][ T513] rtnl_newlink_create+0x203/0x770
[ 42.921562][ T513] __rtnl_newlink+0x231/0xa30
[ 42.921750][ T513] rtnl_newlink+0x693/0xa60
[ 42.921959][ T513] rtnetlink_rcv_msg+0x709/0xc00
[ 42.922153][ T513] netlink_rcv_skb+0x121/0x340
[ 42.922343][ T513] netlink_unicast+0x4aa/0x780
[ 42.922522][ T513] netlink_sendmsg+0x714/0xbd0
[ 42.922705][ T513] ____sys_sendmsg+0x3dd/0x890
[ 42.922921][ T513] ___sys_sendmsg+0xed/0x170
[ 42.923111][ T513] __sys_sendmsg+0x10b/0x1a0
[ 42.923290][ T513] do_syscall_64+0xc1/0xfd0
[ 42.923488][ T513] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 42.923739][ T513]
[ 42.923833][ T513] Freed by task 513:
[ 42.923983][ T513] kasan_save_stack+0x24/0x40
[ 42.924183][ T513] kasan_save_track+0x14/0x30
[ 42.924365][ T513] __kasan_save_free_info+0x3b/0x60
[ 42.924544][ T513] __kasan_slab_free+0x3f/0x60
[ 42.924753][ T513] kfree+0x21d/0x540
[ 42.924889][ T513] device_release+0x9c/0x210
[ 42.925095][ T513] kobject_cleanup+0xfe/0x360
[ 42.925309][ T513] netdev_run_todo+0x81f/0xc60
[ 42.925489][ T513] rtnl_dellink+0x350/0xa30
[ 42.925664][ T513] rtnetlink_rcv_msg+0x709/0xc00
[ 42.925843][ T513] netlink_rcv_skb+0x121/0x340
[ 42.926074][ T513] netlink_unicast+0x4aa/0x780
[ 42.926257][ T513] netlink_sendmsg+0x714/0xbd0
[ 42.926434][ T513] ____sys_sendmsg+0x3dd/0x890
[ 42.926648][ T513] ___sys_sendmsg+0xed/0x170
[ 42.926835][ T513] __sys_sendmsg+0x10b/0x1a0
[ 42.927024][ T513] do_syscall_64+0xc1/0xfd0
[ 42.927227][ T513] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 42.927454][ T513]
[ 42.927549][ T513] Last potentially related work creation:
[ 42.927762][ T513] kasan_save_stack+0x24/0x40
[ 42.927954][ T513] kasan_record_aux_stack+0x8c/0xa0
[ 42.928140][ T513] insert_work+0x34/0x230
[ 42.928293][ T513] __queue_work+0x5fd/0xab0
[ 42.928519][ T513] queue_work_on+0x84/0x90
[ 42.928710][ T513] br_multicast_dev_del+0xeb/0x240 [bridge]
[ 42.928976][ T513] br_dev_uninit+0x19/0x40 [bridge]
[ 42.929179][ T513] unregister_netdevice_many_notify+0xa80/0x1b30
[ 42.929415][ T513] rtnl_dellink+0x344/0xa30
[ 42.929617][ T513] rtnetlink_rcv_msg+0x709/0xc00
[ 42.929805][ T513] netlink_rcv_skb+0x121/0x340
[ 42.930014][ T513] netlink_unicast+0x4aa/0x780
[ 42.930194][ T513] netlink_sendmsg+0x714/0xbd0
[ 42.930375][ T513] ____sys_sendmsg+0x3dd/0x890
[ 42.930574][ T513] ___sys_sendmsg+0xed/0x170
[ 42.930761][ T513] __sys_sendmsg+0x10b/0x1a0
[ 42.930959][ T513] do_syscall_64+0xc1/0xfd0
[ 42.931142][ T513] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 42.931385][ T513]
[ 42.931480][ T513] Second to last potentially related work creation:
[ 42.931709][ T513] kasan_save_stack+0x24/0x40
[ 42.931898][ T513] kasan_record_aux_stack+0x8c/0xa0
[ 42.932081][ T513] insert_work+0x34/0x230
[ 42.932222][ T513] __queue_work+0x5fd/0xab0
[ 42.932405][ T513] queue_work_on+0x84/0x90
[ 42.932587][ T513] br_multicast_del_mdb_entry+0x95d/0xfe0 [bridge]
[ 42.932879][ T513] br_multicast_dev_del+0xeb/0x240 [bridge]
[ 42.933131][ T513] br_dev_uninit+0x19/0x40 [bridge]
[ 42.933336][ T513] unregister_netdevice_many_notify+0xa80/0x1b30
[ 42.933586][ T513] rtnl_dellink+0x344/0xa30
[ 42.933771][ T513] rtnetlink_rcv_msg+0x709/0xc00
[ 42.933955][ T513] netlink_rcv_skb+0x121/0x340
[ 42.934156][ T513] netlink_unicast+0x4aa/0x780
[ 42.934471][ T513] netlink_sendmsg+0x714/0xbd0
[ 42.934753][ T513] ____sys_sendmsg+0x3dd/0x890
[ 42.934955][ T513] ___sys_sendmsg+0xed/0x170
[ 42.935238][ T513] __sys_sendmsg+0x10b/0x1a0
[ 42.935419][ T513] do_syscall_64+0xc1/0xfd0
[ 42.935710][ T513] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 42.935969][ T513]
[ 42.936082][ T513] The buggy address belongs to the object at ffff88800bdda000
[ 42.936082][ T513] which belongs to the cache kmalloc-8k of size 8192
[ 42.936747][ T513] The buggy address is located 1708 bytes inside of
[ 42.936747][ T513] freed 8192-byte region [ffff88800bdda000, ffff88800bddc000)
[ 42.937179][ T513]
[ 42.937276][ T513] The buggy address belongs to the physical page:
[ 42.937726][ T513] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xbdd8
[ 42.938071][ T513] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 42.938577][ T513] flags: 0x80000000000040(head|node=0|zone=1)
[ 42.938842][ T513] page_type: f5(slab)
[ 42.939098][ T513] raw: 0080000000000040 ffff8880010438c0 ffffea00002e5e10 ffff888001041228
[ 42.939427][ T513] raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
[ 42.939771][ T513] head: 0080000000000040 ffff8880010438c0 ffffea00002e5e10 ffff888001041228
[ 42.940106][ T513] head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
[ 42.940435][ T513] head: 0080000000000003 ffffea00002f7601 00000000ffffffff 00000000ffffffff
[ 42.940764][ T513] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 42.941087][ T513] page dumped because: kasan: bad access detected
[ 42.941314][ T513]
[ 42.941406][ T513] Memory state around the buggy address:
[ 42.941595][ T513]  ffff88800bdda580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.941867][ T513]  ffff88800bdda600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.942145][ T513] >ffff88800bdda680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.942416][ T513]                                   ^
[ 42.942621][ T513]  ffff88800bdda700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.942878][ T513]  ffff88800bdda780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.943135][ T513] ==================================================================
[ 42.943590][ T513] Disabling lock debugging due to kernel taint
[ 42.943822][ T513] ------------[ cut here ]------------
[ 42.944001][ T513] refcount_t: underflow; use-after-free.
[ 42.944250][ T513] WARNING: CPU: 0 PID: 513 at lib/refcount.c:28 refcount_warn_saturate+0x16f/0x1b0
[ 42.944579][ T513] Modules linked in: act_gact act_pedit cls_flower bridge stp llc sch_ingress vrf veth
[ 42.945037][ T513] CPU: 0 UID: 0 PID: 513 Comm: ip Tainted: G B 6.18.0-rc4-virtme #1 PREEMPT(full)
[ 42.945409][ T513] Tainted: [B]=BAD_PAGE
[ 42.945649][ T513] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 42.945998][ T513] RIP: 0010:refcount_warn_saturate+0x16f/0x1b0
[ 42.946253][ T513] Code: 7d 93 02 80 fb 01 0f 87 bb 99 d9 fe 83 e3 01 0f 85 51 ff ff ff c6 05 a8 7d 93 02 01 90 48 c7 c7 60 8d e5 b9 e8 32 bf 18 ff 90 <0f> 0b 90 90 e9 33 ff ff ff 48 89 df e8 b0 63 a1 ff e9 ba fe ff ff
[ 42.947006][ T513] RSP: 0018:ffffc90000c7f1f0 EFLAGS: 00010286
[ 42.947239][ T513] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 42.947612][ T513] RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000001
[ 42.947897][ T513] RBP: 0000000000000003 R08: 0000000000000000 R09: fffffbfff74fe134
[ 42.948290][ T513] R10: 0000000000000003 R11: ffffc90000c7ed80 R12: 0000000000000001
[ 42.948562][ T513] R13: dffffc0000000000 R14: dead000000000122 R15: dead000000000100
[ 42.948932][ T513] FS: 00007f16375e1800(0000) GS:ffff88807a5f2000(0000) knlGS:0000000000000000
[ 42.949273][ T513] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 42.949512][ T513] CR2: 00000000004e68d0 CR3: 000000000942e004 CR4: 0000000000772ef0
[ 42.949891][ T513] PKRU: 55555554
[ 42.950036][ T513] Call Trace:
[ 42.950172][ T513] <TASK>
[ 42.950271][ T513] netdev_run_todo+0x5f0/0xc60
[ 42.950464][ T513] ? dev_ingress_queue_create+0x190/0x190
[ 42.950742][ T513] ? generic_xdp_install+0x410/0x410
[ 42.950922][ T513] ? kernfs_put.part.0+0x12d/0x480
[ 42.951115][ T513] ? unregister_netdevice_many+0x20/0x20
[ 42.951297][ T513] ? br_dev_delete+0x115/0x1a0 [bridge]
[ 42.951635][ T513] rtnl_dellink+0x350/0xa30
[ 42.951819][ T513] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 42.952080][ T513] ? find_held_lock+0x2b/0x80
[ 42.952380][ T513] ? __lock_acquire+0x449/0x7e0
[ 42.952564][ T513] ? find_held_lock+0x2b/0x80
[ 42.952747][ T513] ? rtnetlink_rcv_msg+0x6e6/0xc00
[ 42.952923][ T513] ? __lock_release+0x5d/0x170
[ 42.953203][ T513] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 42.953442][ T513] rtnetlink_rcv_msg+0x709/0xc00
[ 42.953624][ T513] ? rtnl_port_fill+0x850/0x850
[ 42.953802][ T513] ? __lock_acquire+0x449/0x7e0
[ 42.953997][ T513] netlink_rcv_skb+0x121/0x340
[ 42.954173][ T513] ? rtnl_port_fill+0x850/0x850
[ 42.954359][ T513] ? netlink_ack+0xdd0/0xdd0
[ 42.954535][ T513] ? netlink_deliver_tap+0x13e/0x340
[ 42.954816][ T513] ? netlink_deliver_tap+0xc3/0x340
[ 42.955000][ T513] netlink_unicast+0x4aa/0x780
[ 42.955177][ T513] ? netlink_attachskb+0x810/0x810
[ 42.955352][ T513] ? __lock_acquire+0x449/0x7e0
[ 42.955533][ T513] netlink_sendmsg+0x714/0xbd0
[ 42.955710][ T513] ? netlink_unicast+0x780/0x780
[ 42.955887][ T513] ? __import_iovec+0x230/0x3b0
[ 42.956090][ T513] ? netlink_unicast+0x780/0x780
[ 42.956362][ T513] ____sys_sendmsg+0x3dd/0x890
[ 42.956545][ T513] ? get_timestamp.constprop.0+0x380/0x380
[ 42.956765][ T513] ? __copy_msghdr+0x3c0/0x3c0
[ 42.956954][ T513] ___sys_sendmsg+0xed/0x170
[ 42.957225][ T513] ? kasan_record_aux_stack+0x8c/0xa0
[ 42.957404][ T513] ? __call_rcu_common.constprop.0+0xa8/0x630
[ 42.957626][ T513] ? copy_msghdr_from_user+0x110/0x110
[ 42.957802][ T513] ? find_held_lock+0x2b/0x80
[ 42.958080][ T513] ? __lock_acquire+0x449/0x7e0
[ 42.958261][ T513] ? find_held_lock+0x2b/0x80
[ 42.958438][ T513] ? __virt_addr_valid+0x22a/0x450
[ 42.958616][ T513] ? __lock_release+0x5d/0x170
[ 42.958889][ T513] __sys_sendmsg+0x10b/0x1a0
[ 42.959073][ T513] ? __call_rcu_common.constprop.0+0x318/0x630
[ 42.959291][ T513] ? __sys_sendmsg_sock+0x20/0x20
[ 42.959562][ T513] ? rcu_is_watching+0x12/0xb0
[ 42.959742][ T513] do_syscall_64+0xc1/0xfd0
[ 42.959921][ T513] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 42.960150][ T513] RIP: 0033:0x7f16377af1d7
[ 42.960541][ T513] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[ 42.961285][ T513] RSP: 002b:00007ffff2024c58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 42.961553][ T513] RAX: ffffffffffffffda RBX: 00007ffff2025380 RCX: 00007f16377af1d7
[ 42.961819][ T513] RDX: 0000000000000000 RSI: 00007ffff2024cc0 RDI: 0000000000000005
[ 42.962088][ T513] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[ 42.962362][ T513] R10: 00007f16376abf60 R11: 0000000000000246 R12: 0000000000000002
[ 42.962624][ T513] R13: 00000000690df9e6 R14: 0000000000499600 R15: 0000000000000000
[ 42.962895][ T513] </TASK>
[ 42.963038][ T513] irq event stamp: 43175
[ 42.963174][ T513] hardirqs last enabled at (43175): [] irqentry_exit+0x3b/0x80
[ 42.963492][ T513] hardirqs last disabled at (43174): [] handle_softirqs+0x47f/0x610
[ 42.963804][ T513] softirqs last enabled at (43026): [] handle_softirqs+0x352/0x610
[ 42.964115][ T513] softirqs last disabled at (43019): [] irq_exit_rcu+0xab/0x100
[ 42.964521][ T513] ---[ end trace 0000000000000000 ]---