======================================
| [   37.408182][  T540] ==================================================================
| [   37.408499][  T540] BUG: KASAN: slab-use-after-free in kobject_put (lib/kobject.c:733)
| [   37.408767][  T540] Read of size 1 at addr ffff88800926c6ac by task ip/540
| [   37.408983][  T540]
[   37.409088][  T540] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   37.409097][  T540] Call Trace:
[   37.409100][  T540]  <TASK>
[   37.409102][  T540]  dump_stack_lvl (lib/dump_stack.c:123)
[   37.409109][  T540]  print_address_description.constprop.0 (mm/kasan/report.c:379)
[   37.409117][  T540]  ? kobject_put (lib/kobject.c:733)
[   37.409122][  T540]  print_report (mm/kasan/report.c:483)
[   37.409124][  T540]  ? kobject_put (lib/kobject.c:733)
[   37.409130][  T540]  ? kasan_addr_to_slab (./include/linux/mm.h:1245 mm/kasan/../slab.h:191 mm/kasan/common.c:47)
[   37.409133][  T540]  ? kobject_put (lib/kobject.c:733)
[   37.409137][  T540]  kasan_report (mm/kasan/report.c:597)
[   37.409140][  T540]  ? kobject_put (lib/kobject.c:733)
[   37.409146][  T540]  kobject_put (lib/kobject.c:733)
[   37.409149][  T540]  netdev_run_todo (./include/linux/list.h:381 net/core/dev.c:11670)
[   37.409155][  T540]  ? dev_ingress_queue_create (net/core/dev.c:12299)
[   37.409158][  T540]  ? generic_xdp_install (net/core/dev.c:11630)
[   37.409162][  T540]  ? vrf_dellink (drivers/net/vrf.c:1667) vrf
[   37.409169][  T540]  ? vrf_map_unregister_dev (drivers/net/vrf.c:1667) vrf
[   37.409174][  T540]  ? __lock_acquire (kernel/locking/lockdep.c:5237)
[   37.409188][  T540]  rtnl_dellink (net/core/rtnetlink.c:3580)
[   37.409193][  T540]  ? valid_bridge_getlink_req.constprop.0 (net/core/rtnetlink.c:3536)
[   37.409212][  T540]  ? find_held_lock (kernel/locking/lockdep.c:5350)
[   37.409216][  T540]  ? __lock_acquire (kernel/locking/lockdep.c:5237)
[   37.409222][  T540]  ? find_held_lock (kernel/locking/lockdep.c:5350)
[   37.409227][  T540]  ? rtnetlink_rcv_msg (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:897 net/core/rtnetlink.c:6956)
[   37.409232][  T540]  ? __lock_release (kernel/locking/lockdep.c:5536)
[   37.409239][  T540]  ? valid_bridge_getlink_req.constprop.0 (net/core/rtnetlink.c:3536)
[   37.409244][  T540]  rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)
[   37.409250][  T540]  ? rtnl_port_fill (net/core/rtnetlink.c:6861)
[   37.409253][  T540]  ? __lock_acquire (kernel/locking/lockdep.c:5237)
[   37.409260][  T540]  netlink_rcv_skb (net/netlink/af_netlink.c:2550)
[   37.409266][  T540]  ? rtnl_port_fill (net/core/rtnetlink.c:6861)
[   37.409269][  T540]  ? netlink_ack (net/netlink/af_netlink.c:2527)
[   37.409276][  T540]  ? netlink_deliver_tap (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:897 net/netlink/af_netlink.c:340)
[   37.409279][  T540]  ? netlink_deliver_tap (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:897 ./include/net/netns/generic.h:48 net/netlink/af_netlink.c:333)
[   37.409283][  T540]  netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
[   37.409287][  T540]  ? netlink_attachskb (net/netlink/af_netlink.c:1329)
[   37.409291][  T540]  ? __lock_acquire (kernel/locking/lockdep.c:5237)
[   37.409297][  T540]  netlink_sendmsg (net/netlink/af_netlink.c:1894)
[   37.409301][  T540]  ? netlink_unicast (net/netlink/af_netlink.c:1813)
[   37.409305][  T540]  ? __import_iovec (lib/iov_iter.c:1346 lib/iov_iter.c:1361)
[   37.409315][  T540]  ? netlink_unicast (net/netlink/af_netlink.c:1813)
[   37.409319][  T540]  ____sys_sendmsg (net/socket.c:727 net/socket.c:742 net/socket.c:2630)
[   37.409326][  T540]  ? get_timestamp.constprop.0 (net/socket.c:2576)
[   37.409330][  T540]  ? __copy_msghdr (net/socket.c:2556)
[   37.409338][  T540]  ___sys_sendmsg (net/socket.c:2686)
[   37.409341][  T540]  ? kasan_record_aux_stack (mm/kasan/generic.c:559)
[   37.409345][  T540]  ? __call_rcu_common.constprop.0 (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:109 ./arch/x86/include/asm/irqflags.h:127 kernel/rcu/tree.c:3125)
[   37.409353][  T540]  ? copy_msghdr_from_user (net/socket.c:2673)
[   37.409358][  T540]  ? find_held_lock (kernel/locking/lockdep.c:5350)
[   37.409362][  T540]  ? __lock_acquire (kernel/locking/lockdep.c:5237)
[   37.409368][  T540]  ? find_held_lock (kernel/locking/lockdep.c:5350)
[   37.409372][  T540]  ? __virt_addr_valid (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:979 ./include/linux/mmzone.h:2197 arch/x86/mm/physaddr.c:65)
[   37.409379][  T540]  ? __lock_release (kernel/locking/lockdep.c:5536)
[   37.409385][  T540]  __sys_sendmsg (net/socket.c:2716)
[   37.409388][  T540]  ? __call_rcu_common.constprop.0 (kernel/rcu/tree.c:3148)
[   37.409392][  T540]  ? __sys_sendmsg_sock (net/socket.c:2701)
[   37.409400][  T540]  ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751)
[   37.409404][  T540]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[   37.409410][  T540]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[   37.409414][  T540] RIP: 0033:0x7f4fd7ef61d7
[   37.409420][  T540] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
All code
========
   0:	0e                   	(bad)
   1:	00 f7                	add    %dh,%bh
   3:	d8 64 89 02          	fsubs  0x2(%rcx,%rcx,4)
   7:	48 c7 c0 ff ff ff ff 	mov    $0xffffffffffffffff,%rax
   e:	eb b9                	jmp    0xffffffffffffffc9
  10:	0f 1f 00             	nopl   (%rax)
  13:	f3 0f 1e fa          	endbr64
  17:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  1e:	00 
  1f:	85 c0                	test   %eax,%eax
  21:	75 10                	jne    0x33
  23:	b8 2e 00 00 00       	mov    $0x2e,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 51                	ja     0x83
  32:	c3                   	ret
  33:	48 83 ec 28          	sub    $0x28,%rsp
  37:	89 54 24 1c          	mov    %edx,0x1c(%rsp)
  3b:	48 89 74 24 10       	mov    %rsi,0x10(%rsp)

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 51                	ja     0x59
   8:	c3                   	ret
   9:	48 83 ec 28          	sub    $0x28,%rsp
   d:	89 54 24 1c          	mov    %edx,0x1c(%rsp)
  11:	48 89 74 24 10       	mov    %rsi,0x10(%rsp)
[   37.409423][  T540] RSP: 002b:00007ffd486c3178 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   37.409427][  T540] RAX: ffffffffffffffda RBX: 00007ffd486c38a0 RCX: 00007f4fd7ef61d7
[   37.409429][  T540] RDX: 0000000000000000 RSI: 00007ffd486c31e0 RDI: 0000000000000005
[   37.409431][  T540] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[   37.409433][  T540] R10: 00007f4fd7df2f60 R11: 0000000000000246 R12: 0000000000000002
[   37.409435][  T540] R13: 00000000690def7f R14: 0000000000499600 R15: 0000000000000000
| [   37.438348][  T540] refcount_t: underflow; use-after-free.
| [   37.438736][  T540] WARNING: CPU: 3 PID: 540 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28 (discriminator 3))
| [   37.439046][  T540] Modules linked in: act_gact cls_flower sch_ingress vrf veth
| [   37.440399][  T540] Tainted: [B]=BAD_PAGE
[   37.440527][  T540] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   37.440737][  T540] RIP: 0010:refcount_warn_saturate (lib/refcount.c:28 (discriminator 3))
[   37.440960][  T540] Code: 7d 93 02 80 fb 01 0f 87 bb 99 d9 fe 83 e3 01 0f 85 51 ff ff ff c6 05 a8 7d 93 02 01 90 48 c7 c7 60 8d 85 b6 e8 32 bf 18 ff 90 <0f> 0b 90 90 e9 33 ff ff ff 48 89 df e8 b0 63 a1 ff e9 ba fe ff ff
All code
========
   0:	7d 93                	jge    0xffffffffffffff95
   2:	02 80 fb 01 0f 87    	add    -0x78f0fe05(%rax),%al
   8:	bb 99 d9 fe 83       	mov    $0x83fed999,%ebx
   d:	e3 01                	jrcxz  0x10
   f:	0f 85 51 ff ff ff    	jne    0xffffffffffffff66
  15:	c6 05 a8 7d 93 02 01 	movb   $0x1,0x2937da8(%rip)        # 0x2937dc4
  1c:	90                   	nop
  1d:	48 c7 c7 60 8d 85 b6 	mov    $0xffffffffb6858d60,%rdi
  24:	e8 32 bf 18 ff       	call   0xffffffffff18bf5b
  29:	90                   	nop
  2a:*	0f 0b                	ud2		<-- trapping instruction
  2c:	90                   	nop
  2d:	90                   	nop
  2e:	e9 33 ff ff ff       	jmp    0xffffffffffffff66
  33:	48 89 df             	mov    %rbx,%rdi
  36:	e8 b0 63 a1 ff       	call   0xffffffffffa163eb
  3b:	e9 ba fe ff ff       	jmp    0xfffffffffffffefa

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2
   2:	90                   	nop
   3:	90                   	nop
   4:	e9 33 ff ff ff       	jmp    0xffffffffffffff3c
   9:	48 89 df             	mov    %rbx,%rdi
   c:	e8 b0 63 a1 ff       	call   0xffffffffffa163c1
  11:	e9 ba fe ff ff       	jmp    0xfffffffffffffed0
[   37.441601][  T540] RSP: 0018:ffffc90000ee71f0 EFLAGS: 00010286
[   37.441890][  T540] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   37.442219][  T540] RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000001
[   37.442572][  T540] RBP: 0000000000000003 R08: 0000000000000000 R09: fffffbfff6e3e134
[   37.442838][  T540] R10: 0000000000000003 R11: ffffc90000ee6d80 R12: 0000000000000001
[   37.443205][  T540] R13: dffffc0000000000 R14: dead000000000122 R15: dead000000000100
[   37.443467][  T540] FS:  00007f4fd7d28800(0000) GS:ffff888078172000(0000) knlGS:0000000000000000
[   37.443886][  T540] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   37.444100][  T540] CR2: 00000000004e73b0 CR3: 0000000004fd3001 CR4: 0000000000772ef0
[   37.444476][  T540] PKRU: 55555554
[   37.444603][  T540] Call Trace:
[   37.444733][  T540]  <TASK>
[   37.444833][  T540]  netdev_run_todo (./include/linux/list.h:381 net/core/dev.c:11670)
[   37.445017][  T540]  ? dev_ingress_queue_create (net/core/dev.c:12299)
[   37.445298][  T540]  ? generic_xdp_install (net/core/dev.c:11630)
[   37.445464][  T540]  ? vrf_dellink (drivers/net/vrf.c:1667) vrf
[   37.445645][  T540]  ? vrf_map_unregister_dev (drivers/net/vrf.c:1667) vrf
[   37.445986][  T540]  ? __lock_acquire (kernel/locking/lockdep.c:5237)
[   37.446175][  T540]  rtnl_dellink (net/core/rtnetlink.c:3580)
[   37.446362][  T540]  ? valid_bridge_getlink_req.constprop.0 (net/core/rtnetlink.c:3536)
[   37.446585][  T540]  ? find_held_lock (kernel/locking/lockdep.c:5350)
[   37.446873][  T540]  ? __lock_acquire (kernel/locking/lockdep.c:5237)
[   37.447063][  T540]  ? find_held_lock (kernel/locking/lockdep.c:5350)
[   37.447232][  T540]  ? rtnetlink_rcv_msg (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:897 net/core/rtnetlink.c:6956)
[   37.447416][  T540]  ? __lock_release (kernel/locking/lockdep.c:5536)
[   37.447691][  T540]  ? valid_bridge_getlink_req.constprop.0 (net/core/rtnetlink.c:3536)
[   37.447907][  T540]  rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)
[   37.448082][  T540]  ? rtnl_port_fill (net/core/rtnetlink.c:6861)
[   37.448270][  T540]  ? __lock_acquire (kernel/locking/lockdep.c:5237)
[   37.448547][  T540]  netlink_rcv_skb (net/netlink/af_netlink.c:2550)
[   37.448732][  T540]  ? rtnl_port_fill (net/core/rtnetlink.c:6861)
[   37.448928][  T540]  ? netlink_ack (net/netlink/af_netlink.c:2527)
[   37.449120][  T540]  ? netlink_deliver_tap (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:897 net/netlink/af_netlink.c:340)
[   37.449418][  T540]  ? netlink_deliver_tap (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:897 ./include/net/netns/generic.h:48 net/netlink/af_netlink.c:333)
[   37.449610][  T540]  netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
[   37.449794][  T540]  ? netlink_attachskb (net/netlink/af_netlink.c:1329)
[   37.449982][  T540]  ? __lock_acquire (kernel/locking/lockdep.c:5237)
[   37.450275][  T540]  netlink_sendmsg (net/netlink/af_netlink.c:1894)
[   37.450470][  T540]  ? netlink_unicast (net/netlink/af_netlink.c:1813)
[   37.450644][  T540]  ? __import_iovec (lib/iov_iter.c:1346 lib/iov_iter.c:1361)
[   37.450838][  T540]  ? netlink_unicast (net/netlink/af_netlink.c:1813)
[   37.451127][  T540]  ____sys_sendmsg (net/socket.c:727 net/socket.c:742 net/socket.c:2630)
[   37.451322][  T540]  ? get_timestamp.constprop.0 (net/socket.c:2576)
[   37.451543][  T540]  ? __copy_msghdr (net/socket.c:2556)
[   37.451726][  T540]  ___sys_sendmsg (net/socket.c:2686)
[   37.452018][  T540]  ? kasan_record_aux_stack (mm/kasan/generic.c:559)
[   37.452203][  T540]  ? __call_rcu_common.constprop.0 (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:109 ./arch/x86/include/asm/irqflags.h:127 kernel/rcu/tree.c:3125)
[   37.452441][  T540]  ? copy_msghdr_from_user (net/socket.c:2673)
[   37.452715][  T540]  ? find_held_lock (kernel/locking/lockdep.c:5350)
[   37.452902][  T540]  ? __lock_acquire (kernel/locking/lockdep.c:5237)
[   37.453089][  T540]  ? find_held_lock (kernel/locking/lockdep.c:5350)
[   37.453284][  T540]  ? __virt_addr_valid (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:979 ./include/linux/mmzone.h:2197 arch/x86/mm/physaddr.c:65)
[   37.453620][  T540]  ? __lock_release (kernel/locking/lockdep.c:5536)
[   37.453820][  T540]  __sys_sendmsg (net/socket.c:2716)
[   37.454035][  T540]  ? __call_rcu_common.constprop.0 (kernel/rcu/tree.c:3148)
[   37.454293][  T540]  ? __sys_sendmsg_sock (net/socket.c:2701)
[   37.454585][  T540]  ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751)
[   37.454780][  T540]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[   37.454978][  T540]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[   37.455216][  T540] RIP: 0033:0x7f4fd7ef61d7
[   37.455536][  T540] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
All code
========
   0:	0e                   	(bad)
   1:	00 f7                	add    %dh,%bh
   3:	d8 64 89 02          	fsubs  0x2(%rcx,%rcx,4)
   7:	48 c7 c0 ff ff ff ff 	mov    $0xffffffffffffffff,%rax
   e:	eb b9                	jmp    0xffffffffffffffc9
  10:	0f 1f 00             	nopl   (%rax)
  13:	f3 0f 1e fa          	endbr64
  17:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  1e:	00 
  1f:	85 c0                	test   %eax,%eax
  21:	75 10                	jne    0x33
  23:	b8 2e 00 00 00       	mov    $0x2e,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 51                	ja     0x83
  32:	c3                   	ret
  33:	48 83 ec 28          	sub    $0x28,%rsp
  37:	89 54 24 1c          	mov    %edx,0x1c(%rsp)
  3b:	48 89 74 24 10       	mov    %rsi,0x10(%rsp)

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 51                	ja     0x59
   8:	c3                   	ret
   9:	48 83 ec 28          	sub    $0x28,%rsp
   d:	89 54 24 1c          	mov    %edx,0x1c(%rsp)
  11:	48 89 74 24 10       	mov    %rsi,0x10(%rsp)
[   37.456205][  T540] RSP: 002b:00007ffd486c3178 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   37.456469][  T540] RAX: ffffffffffffffda RBX: 00007ffd486c38a0 RCX: 00007f4fd7ef61d7
[   37.456747][  T540] RDX: 0000000000000000 RSI: 00007ffd486c31e0 RDI: 0000000000000005
[   37.457255][  T540] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[   37.457537][  T540] R10: 00007f4fd7df2f60 R11: 0000000000000246 R12: 0000000000000002


Finger prints:
print_report:kasan_report:kobject_put:netdev_run_todo:rtnl_dellink
refcount_warn_saturate:netdev_run_todo:rtnl_dellink:rtnetlink_rcv_msg:netlink_rcv_skb