[ 355.806742][ T3534] br1: port 1(vx10) entered blocking state
[ 355.807037][ T3534] br1: port 1(vx10) entered disabled state
[ 355.807428][ T3534] vx10: entered allmulticast mode
[ 355.810073][ T3534] vx10: entered promiscuous mode
[ 355.810954][ T3534] br1: port 1(vx10) entered blocking state
[ 355.811387][ T3534] br1: port 1(vx10) entered forwarding state
[ 356.244671][ T3539] br1: port 2(vx20) entered blocking state
[ 356.244982][ T3539] br1: port 2(vx20) entered disabled state
[ 356.245291][ T3539] vx20: entered allmulticast mode
[ 356.247210][ T3539] vx20: entered promiscuous mode
[ 356.247797][ T3539] br1: port 2(vx20) entered blocking state
[ 356.248046][ T3539] br1: port 2(vx20) entered forwarding state
[ 356.416344][ T3541] br1: port 3(veth1) entered blocking state
[ 356.416653][ T3541] br1: port 3(veth1) entered disabled state
[ 356.416935][ T3541] veth1: entered allmulticast mode
[ 356.418931][ T3541] veth1: entered promiscuous mode
[ 356.543209][ T39] br1: port 3(veth1) entered blocking state
[ 356.543643][ T39] br1: port 3(veth1) entered forwarding state
[ 356.636025][ T3543] br1: port 4(veth2) entered blocking state
[ 356.636444][ T3543] br1: port 4(veth2) entered disabled state
[ 356.637139][ T3543] veth2: entered allmulticast mode
[ 356.639086][ T3543] veth2: entered promiscuous mode
[ 356.745814][ T39] br1: port 4(veth2) entered blocking state
[ 356.746082][ T39] br1: port 4(veth2) entered forwarding state
[ 357.037759][ T3548] br1: port 5(vx4001) entered blocking state
[ 357.038123][ T3548] br1: port 5(vx4001) entered disabled state
[ 357.038426][ T3548] vx4001: entered allmulticast mode
[ 357.040334][ T3548] vx4001: entered promiscuous mode
[ 357.040883][ T3548] br1: port 5(vx4001) entered blocking state
[ 357.041150][ T3548] br1: port 5(vx4001) entered forwarding state
[ 357.934618][ T3559] br1: entered promiscuous mode
[ 357.937506][ T3559] br1: left promiscuous mode
[ 357.946716][ T3559] br1: entered promiscuous mode
[ 364.031586][ T3642] br1: port 1(vx10) entered blocking state
[ 364.031936][ T3642] br1: port 1(vx10) entered disabled state
[ 364.032265][ T3642] vx10: entered allmulticast mode
[ 364.034277][ T3642] vx10: entered promiscuous mode
[ 364.035113][ T3642] br1: port 1(vx10) entered blocking state
[ 364.035713][ T3642] br1: port 1(vx10) entered forwarding state
[ 364.417225][ T3646] br1: port 2(vx20) entered blocking state
[ 364.417561][ T3646] br1: port 2(vx20) entered disabled state
[ 364.417850][ T3646] vx20: entered allmulticast mode
[ 364.420169][ T3646] vx20: entered promiscuous mode
[ 364.421044][ T3646] br1: port 2(vx20) entered blocking state
[ 364.421365][ T3646] br1: port 2(vx20) entered forwarding state
[ 364.736573][ T3650] br1: port 3(vx4001) entered blocking state
[ 364.736882][ T3650] br1: port 3(vx4001) entered disabled state
[ 364.737165][ T3650] vx4001: entered allmulticast mode
[ 364.739079][ T3650] vx4001: entered promiscuous mode
[ 364.739635][ T3650] br1: port 3(vx4001) entered blocking state
[ 364.739890][ T3650] br1: port 3(vx4001) entered forwarding state
[ 364.895777][ T3652] br1: port 4(w1) entered blocking state
[ 364.896050][ T3652] br1: port 4(w1) entered disabled state
[ 364.896324][ T3652] w1: entered allmulticast mode
[ 364.898499][ T3652] w1: entered promiscuous mode
[ 364.990616][ T37] br1: port 4(w1) entered blocking state
[ 364.990844][ T37] br1: port 4(w1) entered forwarding state
[ 365.140077][ T3655] br1: port 5(w3) entered blocking state
[ 365.140381][ T3655] br1: port 5(w3) entered disabled state
[ 365.140640][ T3655] w3: entered allmulticast mode
[ 365.142602][ T3655] w3: entered promiscuous mode
[ 365.231757][ T37] br1: port 5(w3) entered blocking state
[ 365.232088][ T37] br1: port 5(w3) entered forwarding state
[ 366.005899][ T3665] br1: entered promiscuous mode
[ 366.008787][ T3665] br1: left promiscuous mode
[ 366.018942][ T3665] br1: entered promiscuous mode
[ 366.937498][ C1] IPv6: vlan10-v: IPv6 duplicate address 2001:db8:1::3 used by 00:00:5e:00:01:01 detected!
[ 367.064606][ C1] br1: received packet on vx20 with own address as source address (addr:00:00:5e:00:01:01, vlan:20)
[ 367.065155][ C1] IPv6: vlan20-v: IPv6 duplicate address 2001:db8:2::3 used by 00:00:5e:00:01:01 detected!
[ 367.382867][ C1] br1: received packet on vx10 with own address as source address (addr:00:00:5e:00:01:01, vlan:10)
[ 367.383850][ C1] br1: received packet on vx10 with own address as source address (addr:00:00:5e:00:01:01, vlan:10)
[ 367.558850][ C1] br1: received packet on vx10 with own address as source address (addr:00:00:5e:00:01:01, vlan:10)
[ 367.702820][ C1] br1: received packet on vx20 with own address as source address (addr:00:00:5e:00:01:01, vlan:20)
[ 367.703691][ C1] br1: received packet on vx20 with own address as source address (addr:00:00:5e:00:01:01, vlan:20)
[ 367.822262][ C3] br1: received packet on vx10 with own address as source address (addr:00:00:5e:00:01:01, vlan:10)
[ 367.823367][ C3] br1: received packet on vx20 with own address as source address (addr:00:00:5e:00:01:01, vlan:20)
[ 385.362450][ T67] w3: left allmulticast mode
[ 385.362791][ T67] w3: left promiscuous mode
[ 385.363571][ T67] br1: port 5(w3) entered disabled state
[ 385.365602][ T67] w1: left allmulticast mode
[ 385.365896][ T67] w1: left promiscuous mode
[ 385.366390][ T67] br1: port 4(w1) entered disabled state
[ 385.368566][ T67] vx4001: left allmulticast mode
[ 385.368860][ T67] vx4001: left promiscuous mode
[ 385.369995][ T67] br1: port 3(vx4001) entered disabled state
[ 385.374143][ T67] vx20: left allmulticast mode
[ 385.374452][ T67] vx20: left promiscuous mode
[ 385.374912][ T67] br1: port 2(vx20) entered disabled state
[ 385.378001][ T67] vx10: left allmulticast mode
[ 385.379424][ T67] vx10: left promiscuous mode
[ 385.380087][ T67] br1: port 1(vx10) entered disabled state
[ 386.271142][ T67] ==================================================================
[ 386.271385][ T67] BUG: KASAN: slab-use-after-free in cleanup_net+0x932/0xa40
[ 386.271653][ T67] Read of size 8 at addr ffff88800e6880f8 by task kworker/u16:1/67
[ 386.271842][ T67]
[ 386.271923][ T67] CPU: 1 UID: 0 PID: 67 Comm: kworker/u16:1 Not tainted 6.12.0-virtme #1
[ 386.272120][ T67] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 386.272291][ T67] Workqueue: netns cleanup_net
[ 386.272428][ T67] Call Trace:
[ 386.272538][ T67]
[ 386.272607][ T67] dump_stack_lvl+0x82/0xd0
[ 386.272748][ T67] print_address_description.constprop.0+0x2c/0x3b0
[ 386.272922][ T67] ? cleanup_net+0x932/0xa40
[ 386.273051][ T67] print_report+0xb4/0x270
[ 386.273177][ T67] ? kasan_addr_to_slab+0x25/0x80
[ 386.273301][ T67] kasan_report+0xbd/0xf0
[ 386.273399][ T67] ? cleanup_net+0x932/0xa40
[ 386.273529][ T67] cleanup_net+0x932/0xa40
[ 386.273654][ T67] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 386.273783][ T67] ? __pfx_cleanup_net+0x10/0x10
[ 386.273911][ T67] ? trace_lock_acquire+0x148/0x1f0
[ 386.274038][ T67] ? lock_acquire+0x32/0xc0
[ 386.274163][ T67] ? process_one_work+0xe0b/0x16d0
[ 386.274290][ T67] process_one_work+0xe55/0x16d0
[ 386.274417][ T67] ? __pfx___lock_release+0x10/0x10
[ 386.274545][ T67] ? __pfx_process_one_work+0x10/0x10
[ 386.274673][ T67] ? assign_work+0x16c/0x240
[ 386.274806][ T67] worker_thread+0x58c/0xce0
[ 386.274932][ T67] ? lockdep_hardirqs_on_prepare+0x275/0x410
[ 386.275097][ T67] ? __pfx_worker_thread+0x10/0x10
[ 386.275223][ T67] ? __pfx_worker_thread+0x10/0x10
[ 386.275348][ T67] kthread+0x28a/0x350
[ 386.275444][ T67] ? __pfx_kthread+0x10/0x10
[ 386.275573][ T67] ret_from_fork+0x31/0x70
[ 386.275706][ T67] ? __pfx_kthread+0x10/0x10
[ 386.275848][ T67] ret_from_fork_asm+0x1a/0x30
[ 386.275990][ T67]
[ 386.276097][ T67]
[ 386.276174][ T67] Allocated by task 2962:
[ 386.276270][ T67] kasan_save_stack+0x24/0x50
[ 386.276398][ T67] kasan_save_track+0x14/0x30
[ 386.276522][ T67] __kasan_slab_alloc+0x59/0x70
[ 386.276652][ T67] kmem_cache_alloc_noprof+0x10b/0x350
[ 386.276789][ T67] copy_net_ns+0xc6/0x340
[ 386.276883][ T67] create_new_namespaces+0x35f/0x920
[ 386.277016][ T67] unshare_nsproxy_namespaces+0x8d/0x130
[ 386.277141][ T67] ksys_unshare+0x2a9/0x660
[ 386.277269][ T67] __x64_sys_unshare+0x31/0x40
[ 386.277392][ T67] do_syscall_64+0xc1/0x1d0
[ 386.277522][ T67] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 386.277689][ T67]
[ 386.277757][ T67] Freed by task 67:
[ 386.277851][ T67] kasan_save_stack+0x24/0x50
[ 386.277982][ T67] kasan_save_track+0x14/0x30
[ 386.278110][ T67] kasan_save_free_info+0x3b/0x60
[ 386.278237][ T67] __kasan_slab_free+0x38/0x50
[ 386.278362][ T67] kmem_cache_free+0xf8/0x330
[ 386.278489][ T67] cleanup_net+0x5a8/0xa40
[ 386.278614][ T67] process_one_work+0xe55/0x16d0
[ 386.278741][ T67] worker_thread+0x58c/0xce0
[ 386.278864][ T67] kthread+0x28a/0x350
[ 386.278969][ T67] ret_from_fork+0x31/0x70
[ 386.279095][ T67] ret_from_fork_asm+0x1a/0x30
[ 386.279238][ T67]
[ 386.279304][ T67] Last potentially related work creation:
[ 386.279430][ T67] kasan_save_stack+0x24/0x50
[ 386.279558][ T67] __kasan_record_aux_stack+0x8e/0xa0
[ 386.279692][ T67] insert_work+0x34/0x230
[ 386.279791][ T67] __queue_work+0x5fd/0xa40
[ 386.279916][ T67] queue_delayed_work_on+0x8c/0xa0
[ 386.280043][ T67] __inet_insert_ifa+0x751/0xb10
[ 386.280203][ T67] inet_rtm_newaddr+0x833/0xbd0
[ 386.280346][ T67] rtnetlink_rcv_msg+0x712/0xc10
[ 386.280475][ T67] netlink_rcv_skb+0x130/0x360
[ 386.280603][ T67] netlink_unicast+0x44b/0x710
[ 386.280748][ T67] netlink_sendmsg+0x723/0xbe0
[ 386.280876][ T67] ____sys_sendmsg+0x7ac/0xa10
[ 386.281002][ T67] ___sys_sendmsg+0xee/0x170
[ 386.281131][ T67] __sys_sendmsg+0x109/0x1a0
[ 386.281258][ T67] do_syscall_64+0xc1/0x1d0
[ 386.281385][ T67] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 386.281553][ T67]
[ 386.281618][ T67] Second to last potentially related work creation:
[ 386.281777][ T67] kasan_save_stack+0x24/0x50
[ 386.281918][ T67] __kasan_record_aux_stack+0x8e/0xa0
[ 386.282060][ T67] insert_work+0x34/0x230
[ 386.282160][ T67] __queue_work+0x5fd/0xa40
[ 386.282292][ T67] queue_delayed_work_on+0x8c/0xa0
[ 386.282431][ T67] __inet_insert_ifa+0x751/0xb10
[ 386.282572][ T67] inet_rtm_newaddr+0x833/0xbd0
[ 386.282710][ T67] rtnetlink_rcv_msg+0x712/0xc10
[ 386.282851][ T67] netlink_rcv_skb+0x130/0x360
[ 386.282988][ T67] netlink_unicast+0x44b/0x710
[ 386.283123][ T67] netlink_sendmsg+0x723/0xbe0
[ 386.283256][ T67] ____sys_sendmsg+0x7ac/0xa10
[ 386.283399][ T67] ___sys_sendmsg+0xee/0x170
[ 386.283534][ T67] __sys_sendmsg+0x109/0x1a0
[ 386.283666][ T67] do_syscall_64+0xc1/0x1d0
[ 386.283799][ T67] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 386.283987][ T67]
[ 386.284054][ T67] The buggy address belongs to the object at ffff88800e688040
[ 386.284054][ T67] which belongs to the cache net_namespace of size 6080
[ 386.284451][ T67] The buggy address is located 184 bytes inside of
[ 386.284451][ T67] freed 6080-byte region [ffff88800e688040, ffff88800e689800)
[ 386.284816][ T67]
[ 386.284899][ T67] The buggy address belongs to the physical page:
[ 386.285069][ T67] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800e68b2c0 pfn:0xe688
[ 386.285384][ T67] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 386.285607][ T67] flags: 0x80000000000240(workingset|head|node=0|zone=1)
[ 386.285773][ T67] page_type: f5(slab)
[ 386.285896][ T67] raw: 0080000000000240 ffff888001963240 ffff888001968088 ffff888001968088
[ 386.286134][ T67] raw: ffff88800e68b2c0 0000000000050002 00000001f5000000 0000000000000000
[ 386.286401][ T67] head: 0080000000000240 ffff888001963240 ffff888001968088 ffff888001968088
[ 386.286634][ T67] head: ffff88800e68b2c0 0000000000050002 00000001f5000000 0000000000000000
[ 386.286863][ T67] head: 0080000000000003 ffffea000039a201 ffffffffffffffff 0000000000000000
[ 386.287091][ T67] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 386.287322][ T67] page dumped because: kasan: bad access detected
[ 386.287487][ T67]
[ 386.287557][ T67] Memory state around the buggy address:
[ 386.287682][ T67] ffff88800e687f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 386.287874][ T67] ffff88800e688000: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 386.288062][ T67] >ffff88800e688080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 386.288311][ T67] ^
[ 386.288519][ T67] ffff88800e688100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 386.288720][ T67] ffff88800e688180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 386.288899][ T67] ==================================================================
[ 386.289223][ T67] Disabling lock debugging due to kernel taint
[ 387.680224][ T3862] br1: left promiscuous mode
[ 388.190469][ T3868] br1: port 4(veth2) entered disabled state
[ 388.261363][ T3869] veth2: left allmulticast mode
[ 388.261714][ T3869] veth2: left promiscuous mode
[ 388.262134][ T3869] br1: port 4(veth2) entered disabled state
[ 388.414412][ T3871] br1: port 3(veth1) entered disabled state
[ 388.478737][ T3872] veth1: left allmulticast mode
[ 388.479008][ T3872] veth1: left promiscuous mode
[ 388.479494][ T3872] br1: port 3(veth1) entered disabled state
[ 388.635458][ T3874] vx4001: left allmulticast mode
[ 388.635699][ T3874] vx4001: left promiscuous mode
[ 388.636001][ T3874] br1: port 5(vx4001) entered disabled state
[ 388.933284][ T3878] vx20: left allmulticast mode
[ 388.933531][ T3878] vx20: left promiscuous mode
[ 388.933833][ T3878] br1: port 2(vx20) entered disabled state
[ 389.211646][ T3882] vx10: left allmulticast mode
[ 389.211911][ T3882] vx10: left promiscuous mode
[ 389.212276][ T3882] br1: port 1(vx10) entered disabled state