[   22.700754][  T324] br1: port 1(veth1) entered blocking state
[   22.701585][  T324] br1: port 1(veth1) entered disabled state
[   22.702346][  T324] veth1: entered allmulticast mode
[   22.707881][  T324] veth1: entered promiscuous mode
[   23.054021][   T37] br1: port 1(veth1) entered blocking state
[   23.054659][   T37] br1: port 1(veth1) entered forwarding state
[   23.218392][  T337] br1: port 2(veth2) entered blocking state
[   23.218927][  T337] br1: port 2(veth2) entered disabled state
[   23.219432][  T337] veth2: entered allmulticast mode
[   23.222865][  T337] veth2: entered promiscuous mode
[   23.645351][   T46] br1: port 2(veth2) entered blocking state
[   23.645804][   T46] br1: port 2(veth2) entered forwarding state
[   44.890980][  T541] br1: port 2(veth2) entered disabled state
[   45.043683][  T543] veth2: left allmulticast mode
[   45.044132][  T543] veth2: left promiscuous mode
[   45.044726][  T543] br1: port 2(veth2) entered disabled state
[   45.244335][  T545] br1: port 1(veth1) entered disabled state
[   45.453790][  T547] veth1: left allmulticast mode
[   45.454658][  T547] veth1: left promiscuous mode
[   45.455487][  T547] br1: port 1(veth1) entered disabled state
[   45.849774][  T551] ==================================================================
[   45.850123][  T551] BUG: KASAN: slab-use-after-free in kobject_put+0xbb/0xd0
[   45.850434][  T551] Read of size 1 at addr ffff8880085b26ac by task ip/551
[   45.850660][  T551] 
[   45.850756][  T551] CPU: 2 UID: 0 PID: 551 Comm: ip Not tainted 6.18.0-rc4-virtme #1 PREEMPT(full) 
[   45.850762][  T551] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   45.850764][  T551] Call Trace:
[   45.850766][  T551]  <TASK>
[   45.850768][  T551]  dump_stack_lvl+0x82/0xc0
[   45.850774][  T551]  print_address_description.constprop.0+0x2c/0x3a0
[   45.850785][  T551]  ? kobject_put+0xbb/0xd0
[   45.850789][  T551]  print_report+0xb4/0x270
[   45.850792][  T551]  ? kobject_put+0xbb/0xd0
[   45.850795][  T551]  ? kasan_addr_to_slab+0x21/0x70
[   45.850798][  T551]  ? kobject_put+0xbb/0xd0
[   45.850801][  T551]  kasan_report+0xca/0x100
[   45.850805][  T551]  ? kobject_put+0xbb/0xd0
[   45.850810][  T551]  kobject_put+0xbb/0xd0
[   45.850814][  T551]  netdev_run_todo+0x5f0/0xc60
[   45.850819][  T551]  ? dev_ingress_queue_create+0x190/0x190
[   45.850824][  T551]  ? generic_xdp_install+0x410/0x410
[   45.850828][  T551]  ? kernfs_put.part.0+0x12d/0x480
[   45.850840][  T551]  ? unregister_netdevice_many+0x20/0x20
[   45.850847][  T551]  ? br_dev_delete+0x115/0x1a0 [bridge]
[   45.850892][  T551]  rtnl_dellink+0x350/0xa30
[   45.850898][  T551]  ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[   45.850916][  T551]  ? find_held_lock+0x2b/0x80
[   45.850927][  T551]  ? __lock_acquire+0x449/0x7e0
[   45.850937][  T551]  ? find_held_lock+0x2b/0x80
[   45.850943][  T551]  ? rtnetlink_rcv_msg+0x6e6/0xc00
[   45.850947][  T551]  ? __lock_release+0x5d/0x170
[   45.850951][  T551]  ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[   45.850955][  T551]  rtnetlink_rcv_msg+0x709/0xc00
[   45.850958][  T551]  ? rtnl_port_fill+0x850/0x850
[   45.850961][  T551]  ? __lock_acquire+0x449/0x7e0
[   45.850968][  T551]  netlink_rcv_skb+0x121/0x340
[   45.850973][  T551]  ? rtnl_port_fill+0x850/0x850
[   45.850976][  T551]  ? netlink_ack+0xdd0/0xdd0
[   45.850983][  T551]  ? netlink_deliver_tap+0x13e/0x340
[   45.850986][  T551]  ? netlink_deliver_tap+0xc3/0x340
[   45.850989][  T551]  netlink_unicast+0x4aa/0x780
[   45.850994][  T551]  ? netlink_attachskb+0x810/0x810
[   45.850998][  T551]  ? __lock_acquire+0x449/0x7e0
[   45.851003][  T551]  netlink_sendmsg+0x714/0xbd0
[   45.851008][  T551]  ? netlink_unicast+0x780/0x780
[   45.851011][  T551]  ? __import_iovec+0x230/0x3b0
[   45.851018][  T551]  ? netlink_unicast+0x780/0x780
[   45.851021][  T551]  ____sys_sendmsg+0x3dd/0x890
[   45.851027][  T551]  ? get_timestamp.constprop.0+0x380/0x380
[   45.851030][  T551]  ? __copy_msghdr+0x3c0/0x3c0
[   45.851043][  T551]  ___sys_sendmsg+0xed/0x170
[   45.851052][  T551]  ? kasan_record_aux_stack+0x8c/0xa0
[   45.851060][  T551]  ? __call_rcu_common.constprop.0+0xa8/0x630
[   45.851072][  T551]  ? copy_msghdr_from_user+0x110/0x110
[   45.851082][  T551]  ? find_held_lock+0x2b/0x80
[   45.851087][  T551]  ? __lock_acquire+0x449/0x7e0
[   45.851092][  T551]  ? find_held_lock+0x2b/0x80
[   45.851096][  T551]  ? __virt_addr_valid+0x22a/0x450
[   45.851107][  T551]  ? __lock_release+0x5d/0x170
[   45.851113][  T551]  __sys_sendmsg+0x10b/0x1a0
[   45.851116][  T551]  ? __call_rcu_common.constprop.0+0x318/0x630
[   45.851120][  T551]  ? __sys_sendmsg_sock+0x20/0x20
[   45.851127][  T551]  ? rcu_is_watching+0x12/0xb0
[   45.851131][  T551]  do_syscall_64+0xc1/0xfd0
[   45.851137][  T551]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[   45.851143][  T551] RIP: 0033:0x7fc40eb7a1d7
[   45.851148][  T551] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[   45.851150][  T551] RSP: 002b:00007ffc035325d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   45.851154][  T551] RAX: ffffffffffffffda RBX: 00007ffc03532d00 RCX: 00007fc40eb7a1d7
[   45.851157][  T551] RDX: 0000000000000000 RSI: 00007ffc03532640 RDI: 0000000000000005
[   45.851158][  T551] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[   45.851160][  T551] R10: 00007fc40ea76f60 R11: 0000000000000246 R12: 0000000000000002
[   45.851162][  T551] R13: 00000000690deee5 R14: 0000000000499600 R15: 0000000000000000
[   45.851168][  T551]  </TASK>
[   45.851170][  T551] 
[   45.866127][  T551] Allocated by task 309:
[   45.866269][  T551]  kasan_save_stack+0x24/0x40
[   45.866489][  T551]  kasan_save_track+0x14/0x30
[   45.866670][  T551]  __kasan_kmalloc+0x7b/0x90
[   45.866862][  T551]  __kvmalloc_node_noprof+0x2e5/0x8e0
[   45.867065][  T551]  alloc_netdev_mqs+0x7d/0x1370
[   45.867285][  T551]  rtnl_create_link+0xa9e/0xe20
[   45.867519][  T551]  rtnl_newlink_create+0x203/0x770
[   45.867706][  T551]  __rtnl_newlink+0x231/0xa30
[   45.867914][  T551]  rtnl_newlink+0x693/0xa60
[   45.868123][  T551]  rtnetlink_rcv_msg+0x709/0xc00
[   45.868306][  T551]  netlink_rcv_skb+0x121/0x340
[   45.868508][  T551]  netlink_unicast+0x4aa/0x780
[   45.868689][  T551]  netlink_sendmsg+0x714/0xbd0
[   45.868907][  T551]  ____sys_sendmsg+0x3dd/0x890
[   45.869108][  T551]  ___sys_sendmsg+0xed/0x170
[   45.869304][  T551]  __sys_sendmsg+0x10b/0x1a0
[   45.869501][  T551]  do_syscall_64+0xc1/0xfd0
[   45.869696][  T551]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[   45.869952][  T551] 
[   45.870055][  T551] Freed by task 551:
[   45.870193][  T551]  kasan_save_stack+0x24/0x40
[   45.870410][  T551]  kasan_save_track+0x14/0x30
[   45.870656][  T551]  __kasan_save_free_info+0x3b/0x60
[   45.870880][  T551]  __kasan_slab_free+0x3f/0x60
[   45.871090][  T551]  kfree+0x21d/0x540
[   45.871231][  T551]  device_release+0x9c/0x210
[   45.871453][  T551]  kobject_cleanup+0xfe/0x360
[   45.871652][  T551]  netdev_run_todo+0x81f/0xc60
[   45.871859][  T551]  rtnl_dellink+0x350/0xa30
[   45.872066][  T551]  rtnetlink_rcv_msg+0x709/0xc00
[   45.872252][  T551]  netlink_rcv_skb+0x121/0x340
[   45.872470][  T551]  netlink_unicast+0x4aa/0x780
[   45.872653][  T551]  netlink_sendmsg+0x714/0xbd0
[   45.872858][  T551]  ____sys_sendmsg+0x3dd/0x890
[   45.873072][  T551]  ___sys_sendmsg+0xed/0x170
[   45.873257][  T551]  __sys_sendmsg+0x10b/0x1a0
[   45.873460][  T551]  do_syscall_64+0xc1/0xfd0
[   45.873648][  T551]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[   45.873909][  T551] 
[   45.874033][  T551] Last potentially related work creation:
[   45.874224][  T551]  kasan_save_stack+0x24/0x40
[   45.874436][  T551]  kasan_record_aux_stack+0x8c/0xa0
[   45.874623][  T551]  insert_work+0x34/0x230
[   45.874766][  T551]  __queue_work+0x5fd/0xab0
[   45.874977][  T551]  queue_work_on+0x84/0x90
[   45.875162][  T551]  fdb_delete+0x7bf/0xd50 [bridge]
[   45.875402][  T551]  br_fdb_delete_by_port+0x1ce/0x260 [bridge]
[   45.875664][  T551]  del_nbp+0x374/0xbe0 [bridge]
[   45.875896][  T551]  br_del_if+0xa3/0x1e0 [bridge]
[   45.876126][  T551]  do_set_master+0x144/0x4f0
[   45.876318][  T551]  do_setlink.constprop.0+0x9ee/0x2460
[   45.876527][  T551]  rtnl_newlink+0x693/0xa60
[   45.876715][  T551]  rtnetlink_rcv_msg+0x709/0xc00
[   45.876926][  T551]  netlink_rcv_skb+0x121/0x340
[   45.877138][  T551]  netlink_unicast+0x4aa/0x780
[   45.877342][  T551]  netlink_sendmsg+0x714/0xbd0
[   45.877538][  T551]  ____sys_sendmsg+0x3dd/0x890
[   45.877753][  T551]  ___sys_sendmsg+0xed/0x170
[   45.877998][  T551]  __sys_sendmsg+0x10b/0x1a0
[   45.878179][  T551]  do_syscall_64+0xc1/0xfd0
[   45.878371][  T551]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[   45.878604][  T551] 
[   45.878813][  T551] Second to last potentially related work creation:
[   45.879117][  T551]  kasan_save_stack+0x24/0x40
[   45.879315][  T551]  kasan_record_aux_stack+0x8c/0xa0
[   45.879533][  T551]  insert_work+0x34/0x230
[   45.879785][  T551]  __queue_work+0x5fd/0xab0
[   45.880008][  T551]  call_timer_fn+0x13a/0x220
[   45.880192][  T551]  __run_timers+0x3f9/0x810
[   45.880398][  T551]  run_timer_softirq+0xa3/0xf0
[   45.880703][  T551]  handle_softirqs+0x215/0x610
[   45.880934][  T551]  irq_exit_rcu+0xab/0x100
[   45.881148][  T551]  sysvec_apic_timer_interrupt+0xa8/0xc0
[   45.881453][  T551]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[   45.881803][  T551] 
[   45.881908][  T551] The buggy address belongs to the object at ffff8880085b2000
[   45.881908][  T551]  which belongs to the cache kmalloc-8k of size 8192
[   45.882370][  T551] The buggy address is located 1708 bytes inside of
[   45.882370][  T551]  freed 8192-byte region [ffff8880085b2000, ffff8880085b4000)
[   45.882990][  T551] 
[   45.883083][  T551] The buggy address belongs to the physical page:
[   45.883325][  T551] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x85b0
[   45.883796][  T551] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   45.884118][  T551] flags: 0x80000000000040(head|node=0|zone=1)
[   45.884468][  T551] page_type: f5(slab)
[   45.884621][  T551] raw: 0080000000000040 ffff8880010438c0 ffffea000017a010 ffffea00002e6210
[   45.884978][  T551] raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
[   45.885419][  T551] head: 0080000000000040 ffff8880010438c0 ffffea000017a010 ffffea00002e6210
[   45.885762][  T551] head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
[   45.886107][  T551] head: 0080000000000003 ffffea0000216c01 00000000ffffffff 00000000ffffffff
[   45.886562][  T551] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   45.886894][  T551] page dumped because: kasan: bad access detected
[   45.887225][  T551] 
[   45.887333][  T551] Memory state around the buggy address:
[   45.887531][  T551]  ffff8880085b2580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.887806][  T551]  ffff8880085b2600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.888178][  T551] >ffff8880085b2680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.888455][  T551]                                   ^
[   45.888633][  T551]  ffff8880085b2700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.889026][  T551]  ffff8880085b2780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.889295][  T551] ==================================================================
[   45.889870][  T551] Disabling lock debugging due to kernel taint
[   45.890286][  T551] ------------[ cut here ]------------
[   45.890571][  T551] refcount_t: underflow; use-after-free.
[   45.890989][  T551] WARNING: CPU: 1 PID: 551 at lib/refcount.c:28 refcount_warn_saturate+0x16f/0x1b0
[   45.891509][  T551] Modules linked in: bridge stp llc vrf veth
[   45.891857][  T551] CPU: 1 UID: 0 PID: 551 Comm: ip Tainted: G    B               6.18.0-rc4-virtme #1 PREEMPT(full) 
[   45.892386][  T551] Tainted: [B]=BAD_PAGE
[   45.892606][  T551] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   45.892945][  T551] RIP: 0010:refcount_warn_saturate+0x16f/0x1b0
[   45.893320][  T551] Code: 7d 93 02 80 fb 01 0f 87 bb 99 d9 fe 83 e3 01 0f 85 51 ff ff ff c6 05 a8 7d 93 02 01 90 48 c7 c7 60 8d 85 92 e8 32 bf 18 ff 90 <0f> 0b 90 90 e9 33 ff ff ff 48 89 df e8 b0 63 a1 ff e9 ba fe ff ff
[   45.894386][  T551] RSP: 0018:ffffc90000e471f0 EFLAGS: 00010286
[   45.894742][  T551] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   45.895243][  T551] RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000001
[   45.895603][  T551] RBP: 0000000000000003 R08: 0000000000000000 R09: fffffbfff263e134
[   45.895975][  T551] R10: 0000000000000003 R11: ffffc90000e46d80 R12: 0000000000000001
[   45.896315][  T551] R13: dffffc0000000000 R14: dead000000000122 R15: dead000000000100
[   45.896681][  T551] FS:  00007fc40e9ac800(0000) GS:ffff8880a1c72000(0000) knlGS:0000000000000000
[   45.897213][  T551] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   45.897499][  T551] CR2: 00007fdc53ba1000 CR3: 000000000b9da004 CR4: 0000000000772ef0
[   45.897827][  T551] PKRU: 55555554
[   45.898161][  T551] Call Trace:
[   45.898402][  T551]  <TASK>
[   45.898550][  T551]  netdev_run_todo+0x5f0/0xc60
[   45.898825][  T551]  ? dev_ingress_queue_create+0x190/0x190
[   45.899075][  T551]  ? generic_xdp_install+0x410/0x410
[   45.899485][  T551]  ? kernfs_put.part.0+0x12d/0x480
[   45.899719][  T551]  ? unregister_netdevice_many+0x20/0x20
[   45.899967][  T551]  ? br_dev_delete+0x115/0x1a0 [bridge]
[   45.900263][  T551]  rtnl_dellink+0x350/0xa30
[   45.900684][  T551]  ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[   45.901022][  T551]  ? find_held_lock+0x2b/0x80
[   45.901270][  T551]  ? __lock_acquire+0x449/0x7e0
[   45.901496][  T551]  ? find_held_lock+0x2b/0x80
[   45.901869][  T551]  ? rtnetlink_rcv_msg+0x6e6/0xc00
[   45.902100][  T551]  ? __lock_release+0x5d/0x170
[   45.902318][  T551]  ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[   45.902624][  T551]  rtnetlink_rcv_msg+0x709/0xc00
[   45.903071][  T551]  ? rtnl_port_fill+0x850/0x850
[   45.903320][  T551]  ? __lock_acquire+0x449/0x7e0
[   45.903580][  T551]  netlink_rcv_skb+0x121/0x340
[   45.903867][  T551]  ? rtnl_port_fill+0x850/0x850
[   45.904296][  T551]  ? netlink_ack+0xdd0/0xdd0
[   45.904542][  T551]  ? netlink_deliver_tap+0x13e/0x340
[   45.904792][  T551]  ? netlink_deliver_tap+0xc3/0x340
[   45.905051][  T551]  netlink_unicast+0x4aa/0x780
[   45.905406][  T551]  ? netlink_attachskb+0x810/0x810
[   45.905629][  T551]  ? __lock_acquire+0x449/0x7e0
[   45.905883][  T551]  netlink_sendmsg+0x714/0xbd0
[   45.906115][  T551]  ? netlink_unicast+0x780/0x780
[   45.906460][  T551]  ? __import_iovec+0x230/0x3b0
[   45.906676][  T551]  ? netlink_unicast+0x780/0x780
[   45.907005][  T551]  ____sys_sendmsg+0x3dd/0x890
[   45.907213][  T551]  ? get_timestamp.constprop.0+0x380/0x380
[   45.907585][  T551]  ? __copy_msghdr+0x3c0/0x3c0
[   45.907788][  T551]  ___sys_sendmsg+0xed/0x170
[   45.907996][  T551]  ? kasan_record_aux_stack+0x8c/0xa0
[   45.908197][  T551]  ? __call_rcu_common.constprop.0+0xa8/0x630
[   45.908573][  T551]  ? copy_msghdr_from_user+0x110/0x110
[   45.908785][  T551]  ? find_held_lock+0x2b/0x80
[   45.908996][  T551]  ? __lock_acquire+0x449/0x7e0
[   45.909321][  T551]  ? find_held_lock+0x2b/0x80
[   45.909519][  T551]  ? __virt_addr_valid+0x22a/0x450
[   45.909718][  T551]  ? __lock_release+0x5d/0x170
[   45.909927][  T551]  __sys_sendmsg+0x10b/0x1a0
[   45.910253][  T551]  ? __call_rcu_common.constprop.0+0x318/0x630
[   45.910541][  T551]  ? __sys_sendmsg_sock+0x20/0x20
[   45.910744][  T551]  ? rcu_is_watching+0x12/0xb0
[   45.910967][  T551]  do_syscall_64+0xc1/0xfd0
[   45.911290][  T551]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[   45.911539][  T551] RIP: 0033:0x7fc40eb7a1d7
[   45.911751][  T551] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[   45.912638][  T551] RSP: 002b:00007ffc035325d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   45.912953][  T551] RAX: ffffffffffffffda RBX: 00007ffc03532d00 RCX: 00007fc40eb7a1d7
[   45.913397][  T551] RDX: 0000000000000000 RSI: 00007ffc03532640 RDI: 0000000000000005
[   45.913692][  T551] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[   45.914151][  T551] R10: 00007fc40ea76f60 R11: 0000000000000246 R12: 0000000000000002
[   45.914477][  T551] R13: 00000000690deee5 R14: 0000000000499600 R15: 0000000000000000
[   45.914886][  T551]  </TASK>
[   45.915214][  T551] irq event stamp: 43825
[   45.915375][  T551] hardirqs last  enabled at (43825): [<ffffffff90ccd1a9>] kasan_quarantine_put+0xf9/0x210
[   45.915774][  T551] hardirqs last disabled at (43824): [<ffffffff90ccd15c>] kasan_quarantine_put+0xac/0x210
[   45.916267][  T551] softirqs last  enabled at (43086): [<ffffffff9045b112>] handle_softirqs+0x352/0x610
[   45.916619][  T551] softirqs last disabled at (43069): [<ffffffff9045b97b>] irq_exit_rcu+0xab/0x100
[   45.916994][  T551] ---[ end trace 0000000000000000 ]---