[ 534.861488][ T4460] br1: port 1(vx10) entered blocking state [ 534.861789][ T4460] br1: port 1(vx10) entered disabled state [ 534.862110][ T4460] vx10: entered allmulticast mode [ 534.864068][ T4460] vx10: entered promiscuous mode [ 534.864907][ T4460] br1: port 1(vx10) entered blocking state [ 534.865175][ T4460] br1: port 1(vx10) entered forwarding state [ 535.214118][ T4465] br1: port 2(vx20) entered blocking state [ 535.214437][ T4465] br1: port 2(vx20) entered disabled state [ 535.214719][ T4465] vx20: entered allmulticast mode [ 535.216681][ T4465] vx20: entered promiscuous mode [ 535.217215][ T4465] br1: port 2(vx20) entered blocking state [ 535.217489][ T4465] br1: port 2(vx20) entered forwarding state [ 535.378217][ T4467] br1: port 3(veth1) entered blocking state [ 535.378530][ T4467] br1: port 3(veth1) entered disabled state [ 535.378810][ T4467] veth1: entered allmulticast mode [ 535.381317][ T4467] veth1: entered promiscuous mode [ 535.468328][ T37] br1: port 3(veth1) entered blocking state [ 535.468780][ T37] br1: port 3(veth1) entered forwarding state [ 535.768589][ T4471] br1: port 4(veth2) entered blocking state [ 535.768874][ T4471] br1: port 4(veth2) entered disabled state [ 535.769139][ T4471] veth2: entered allmulticast mode [ 535.771268][ T4471] veth2: entered promiscuous mode [ 535.855315][ T122] br1: port 4(veth2) entered blocking state [ 535.855741][ T122] br1: port 4(veth2) entered forwarding state [ 539.498597][ T4528] br2: port 1(w1) entered blocking state [ 539.498834][ T4528] br2: port 1(w1) entered disabled state [ 539.499060][ T4528] w1: entered allmulticast mode [ 539.501083][ T4528] w1: entered promiscuous mode [ 540.153746][ T4536] br2: port 2(vx10) entered blocking state [ 540.154052][ T4536] br2: port 2(vx10) entered disabled state [ 540.154383][ T4536] vx10: entered allmulticast mode [ 540.156299][ T4536] vx10: entered promiscuous mode [ 540.156855][ T4536] br2: port 2(vx10) entered blocking state [ 540.157121][ T4536] br2: port 2(vx10) entered forwarding state [ 540.730301][ T4543] br2: port 3(vx20) entered blocking state [ 540.730742][ T4543] br2: port 3(vx20) entered disabled state [ 540.731163][ T4543] vx20: entered allmulticast mode [ 540.736780][ T4543] vx20: entered promiscuous mode [ 540.737498][ T4543] br2: port 3(vx20) entered blocking state [ 540.737763][ T4543] br2: port 3(vx20) entered forwarding state [ 541.538182][ T37] br2: port 1(w1) entered blocking state [ 541.538445][ T37] br2: port 1(w1) entered forwarding state [ 544.014339][ T4584] br2: port 1(w1) entered blocking state [ 544.014752][ T4584] br2: port 1(w1) entered disabled state [ 544.015134][ T4584] w1: entered allmulticast mode [ 544.018419][ T4584] w1: entered promiscuous mode [ 544.773447][ T4592] br2: port 2(vx10) entered blocking state [ 544.773759][ T4592] br2: port 2(vx10) entered disabled state [ 544.774047][ T4592] vx10: entered allmulticast mode [ 544.776124][ T4592] vx10: entered promiscuous mode [ 544.776727][ T4592] br2: port 2(vx10) entered blocking state [ 544.776974][ T4592] br2: port 2(vx10) entered forwarding state [ 545.452782][ T4599] br2: port 3(vx20) entered blocking state [ 545.453111][ T4599] br2: port 3(vx20) entered disabled state [ 545.453449][ T4599] vx20: entered allmulticast mode [ 545.455496][ T4599] vx20: entered promiscuous mode [ 545.456014][ T4599] br2: port 3(vx20) entered blocking state [ 545.456308][ T4599] br2: port 3(vx20) entered forwarding state [ 546.214604][ T150] br2: port 1(w1) entered blocking state [ 546.214908][ T150] br2: port 1(w1) entered forwarding state [ 562.374179][ T64] vx20: left allmulticast mode [ 562.374501][ T64] vx20: left promiscuous mode [ 562.375018][ T64] br2: port 3(vx20) entered disabled state [ 562.378238][ T64] vx10: left allmulticast mode [ 562.378443][ T64] vx10: left promiscuous mode [ 562.378759][ T64] br2: port 2(vx10) entered disabled state [ 562.380489][ T64] w1: left allmulticast mode [ 562.380691][ T64] w1: left promiscuous mode [ 562.380998][ T64] br2: port 1(w1) entered disabled state [ 562.841986][ T64] vx20: left allmulticast mode [ 562.842296][ T64] vx20: left promiscuous mode [ 562.842760][ T64] br2: port 3(vx20) entered disabled state [ 562.845768][ T64] vx10: left allmulticast mode [ 562.846066][ T64] vx10: left promiscuous mode [ 562.847011][ T64] br2: port 2(vx10) entered disabled state [ 562.849188][ T64] w1: left allmulticast mode [ 562.849814][ T64] w1: left promiscuous mode [ 562.850124][ T64] br2: port 1(w1) entered disabled state [ 563.278128][ T64] ================================================================== [ 563.278399][ T64] BUG: KASAN: slab-use-after-free in cleanup_net+0x932/0xa40 [ 563.278601][ T64] Read of size 8 at addr ffff88800bad9a38 by task kworker/u16:1/64 [ 563.278801][ T64] [ 563.278878][ T64] CPU: 2 UID: 0 PID: 64 Comm: kworker/u16:1 Not tainted 6.12.0-virtme #1 [ 563.279087][ T64] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 563.279277][ T64] Workqueue: netns cleanup_net [ 563.279420][ T64] Call Trace: [ 563.279526][ T64] [ 563.279599][ T64] dump_stack_lvl+0x82/0xd0 [ 563.279741][ T64] print_address_description.constprop.0+0x2c/0x3b0 [ 563.279911][ T64] ? cleanup_net+0x932/0xa40 [ 563.280053][ T64] print_report+0xb4/0x270 [ 563.280256][ T64] ? kasan_addr_to_slab+0x25/0x80 [ 563.280403][ T64] kasan_report+0xbd/0xf0 [ 563.280513][ T64] ? cleanup_net+0x932/0xa40 [ 563.280654][ T64] cleanup_net+0x932/0xa40 [ 563.280797][ T64] ? __pfx_lock_acquire.part.0+0x10/0x10 [ 563.280958][ T64] ? __pfx_cleanup_net+0x10/0x10 [ 563.281102][ T64] ? trace_lock_acquire+0x148/0x1f0 [ 563.281239][ T64] ? lock_acquire+0x32/0xc0 [ 563.281378][ T64] ? process_one_work+0xe0b/0x16d0 [ 563.281525][ T64] process_one_work+0xe55/0x16d0 [ 563.281666][ T64] ? __pfx___lock_release+0x10/0x10 [ 563.281810][ T64] ? __pfx_process_one_work+0x10/0x10 [ 563.281962][ T64] ? assign_work+0x16c/0x240 [ 563.282104][ T64] worker_thread+0x58c/0xce0 [ 563.282246][ T64] ? lockdep_hardirqs_on_prepare+0x275/0x410 [ 563.282436][ T64] ? __pfx_worker_thread+0x10/0x10 [ 563.282566][ T64] ? __pfx_worker_thread+0x10/0x10 [ 563.282714][ T64] kthread+0x28a/0x350 [ 563.282819][ T64] ? __pfx_kthread+0x10/0x10 [ 563.282954][ T64] ret_from_fork+0x31/0x70 [ 563.283090][ T64] ? __pfx_kthread+0x10/0x10 [ 563.283243][ T64] ret_from_fork_asm+0x1a/0x30 [ 563.283376][ T64] [ 563.283472][ T64] [ 563.283535][ T64] Allocated by task 4562: [ 563.283628][ T64] kasan_save_stack+0x24/0x50 [ 563.283760][ T64] kasan_save_track+0x14/0x30 [ 563.283887][ T64] __kasan_slab_alloc+0x59/0x70 [ 563.284013][ T64] kmem_cache_alloc_noprof+0x10b/0x350 [ 563.284138][ T64] copy_net_ns+0xc6/0x340 [ 563.284236][ T64] create_new_namespaces+0x35f/0x920 [ 563.284361][ T64] unshare_nsproxy_namespaces+0x8d/0x130 [ 563.284487][ T64] ksys_unshare+0x2a9/0x660 [ 563.284612][ T64] __x64_sys_unshare+0x31/0x40 [ 563.284734][ T64] do_syscall_64+0xc1/0x1d0 [ 563.284858][ T64] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 563.285017][ T64] [ 563.285088][ T64] Freed by task 64: [ 563.285181][ T64] kasan_save_stack+0x24/0x50 [ 563.285305][ T64] kasan_save_track+0x14/0x30 [ 563.285427][ T64] kasan_save_free_info+0x3b/0x60 [ 563.285550][ T64] __kasan_slab_free+0x38/0x50 [ 563.285725][ T64] kmem_cache_free+0xf8/0x330 [ 563.285850][ T64] cleanup_net+0x5a8/0xa40 [ 563.285973][ T64] process_one_work+0xe55/0x16d0 [ 563.286113][ T64] worker_thread+0x58c/0xce0 [ 563.286236][ T64] kthread+0x28a/0x350 [ 563.286330][ T64] ret_from_fork+0x31/0x70 [ 563.286453][ T64] ret_from_fork_asm+0x1a/0x30 [ 563.286581][ T64] [ 563.286645][ T64] Last potentially related work creation: [ 563.286769][ T64] kasan_save_stack+0x24/0x50 [ 563.286898][ T64] __kasan_record_aux_stack+0x8e/0xa0 [ 563.287026][ T64] insert_work+0x34/0x230 [ 563.287120][ T64] __queue_work+0x5fd/0xa40 [ 563.287265][ T64] queue_delayed_work_on+0x8c/0xa0 [ 563.287388][ T64] __inet_insert_ifa+0x751/0xb10 [ 563.287516][ T64] inet_rtm_newaddr+0x833/0xbd0 [ 563.287638][ T64] rtnetlink_rcv_msg+0x712/0xc10 [ 563.287763][ T64] netlink_rcv_skb+0x130/0x360 [ 563.287886][ T64] netlink_unicast+0x44b/0x710 [ 563.288020][ T64] netlink_sendmsg+0x723/0xbe0 [ 563.288142][ T64] ____sys_sendmsg+0x7ac/0xa10 [ 563.288266][ T64] ___sys_sendmsg+0xee/0x170 [ 563.288391][ T64] __sys_sendmsg+0x109/0x1a0 [ 563.288515][ T64] do_syscall_64+0xc1/0x1d0 [ 563.288639][ T64] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 563.288791][ T64] [ 563.288856][ T64] Second to last potentially related work creation: [ 563.289010][ T64] kasan_save_stack+0x24/0x50 [ 563.289136][ T64] __kasan_record_aux_stack+0x8e/0xa0 [ 563.289259][ T64] insert_work+0x34/0x230 [ 563.289353][ T64] __queue_work+0x5fd/0xa40 [ 563.289476][ T64] queue_delayed_work_on+0x8c/0xa0 [ 563.289593][ T64] __inet_insert_ifa+0x751/0xb10 [ 563.289716][ T64] inet_rtm_newaddr+0x833/0xbd0 [ 563.289846][ T64] rtnetlink_rcv_msg+0x712/0xc10 [ 563.289979][ T64] netlink_rcv_skb+0x130/0x360 [ 563.290102][ T64] netlink_unicast+0x44b/0x710 [ 563.290225][ T64] netlink_sendmsg+0x723/0xbe0 [ 563.290349][ T64] ____sys_sendmsg+0x7ac/0xa10 [ 563.290477][ T64] ___sys_sendmsg+0xee/0x170 [ 563.290599][ T64] __sys_sendmsg+0x109/0x1a0 [ 563.290722][ T64] do_syscall_64+0xc1/0x1d0 [ 563.290846][ T64] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 563.291001][ T64] [ 563.291066][ T64] The buggy address belongs to the object at ffff88800bad9980 [ 563.291066][ T64] which belongs to the cache net_namespace of size 6080 [ 563.291412][ T64] The buggy address is located 184 bytes inside of [ 563.291412][ T64] freed 6080-byte region [ffff88800bad9980, ffff88800badb140) [ 563.291706][ T64] [ 563.291777][ T64] The buggy address belongs to the physical page: [ 563.291925][ T64] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800badb2c0 pfn:0xbad8 [ 563.292168][ T64] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 563.292352][ T64] flags: 0x80000000000240(workingset|head|node=0|zone=1) [ 563.292512][ T64] page_type: f5(slab) [ 563.292610][ T64] raw: 0080000000000240 ffff888001963240 ffff888001968088 ffff888001968088 [ 563.292837][ T64] raw: ffff88800badb2c0 0000000000050002 00000001f5000000 0000000000000000 [ 563.293050][ T64] head: 0080000000000240 ffff888001963240 ffff888001968088 ffff888001968088 [ 563.293266][ T64] head: ffff88800badb2c0 0000000000050002 00000001f5000000 0000000000000000 [ 563.293482][ T64] head: 0080000000000003 ffffea00002eb601 ffffffffffffffff 0000000000000000 [ 563.293700][ T64] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 563.293926][ T64] page dumped because: kasan: bad access detected [ 563.294077][ T64] [ 563.294140][ T64] Memory state around the buggy address: [ 563.294282][ T64] ffff88800bad9900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 563.294465][ T64] ffff88800bad9980: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 563.294639][ T64] >ffff88800bad9a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 563.294825][ T64] ^ [ 563.294974][ T64] ffff88800bad9a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 563.295149][ T64] ffff88800bad9b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 563.295327][ T64] ================================================================== [ 563.295577][ T64] Disabling lock debugging due to kernel taint [ 564.837099][ T4739] br1: port 4(veth2) entered disabled state [ 564.913725][ T4740] veth2: left allmulticast mode [ 564.913980][ T4740] veth2: left promiscuous mode [ 564.914358][ T4740] br1: port 4(veth2) entered disabled state [ 565.135842][ T4743] br1: port 3(veth1) entered disabled state [ 565.203478][ T4744] veth1: left allmulticast mode [ 565.203664][ T4744] veth1: left promiscuous mode [ 565.203916][ T4744] br1: port 3(veth1) entered disabled state [ 565.329700][ T4746] vx20: left allmulticast mode [ 565.329890][ T4746] vx20: left promiscuous mode [ 565.330147][ T4746] br1: port 2(vx20) entered disabled state [ 565.623876][ T4750] vx10: left allmulticast mode [ 565.624112][ T4750] vx10: left promiscuous mode [ 565.624420][ T4750] br1: port 1(vx10) entered disabled state