[ 1267.359657][ T7756] br1: port 1(vx100) entered blocking state [ 1267.359981][ T7756] br1: port 1(vx100) entered disabled state [ 1267.360315][ T7756] vx100: entered allmulticast mode [ 1267.362724][ T7756] vx100: entered promiscuous mode [ 1267.363559][ T7756] br1: port 1(vx100) entered blocking state [ 1267.363843][ T7756] br1: port 1(vx100) entered forwarding state [ 1267.558829][ T7758] br1: port 2(veth1) entered blocking state [ 1267.559168][ T7758] br1: port 2(veth1) entered disabled state [ 1267.559484][ T7758] veth1: entered allmulticast mode [ 1267.561427][ T7758] veth1: entered promiscuous mode [ 1267.656393][ T46] br1: port 2(veth1) entered blocking state [ 1267.656853][ T46] br1: port 2(veth1) entered forwarding state [ 1267.827315][ T7761] br1: port 3(veth2) entered blocking state [ 1267.827601][ T7761] br1: port 3(veth2) entered disabled state [ 1267.827883][ T7761] veth2: entered allmulticast mode [ 1267.830391][ T7761] veth2: entered promiscuous mode [ 1267.913059][ T46] br1: port 3(veth2) entered blocking state [ 1267.913388][ T46] br1: port 3(veth2) entered forwarding state [ 1271.684131][ T7815] br2: port 1(w1) entered blocking state [ 1271.685549][ T7815] br2: port 1(w1) entered disabled state [ 1271.685969][ T7815] w1: entered allmulticast mode [ 1271.689325][ T7815] w1: entered promiscuous mode [ 1272.281391][ T7822] br2: port 2(vx100) entered blocking state [ 1272.281715][ T7822] br2: port 2(vx100) entered disabled state [ 1272.282017][ T7822] vx100: entered allmulticast mode [ 1272.283992][ T7822] vx100: entered promiscuous mode [ 1272.284577][ T7822] br2: port 2(vx100) entered blocking state [ 1272.284857][ T7822] br2: port 2(vx100) entered forwarding state [ 1273.107052][ T39] br2: port 1(w1) entered blocking state [ 1273.107344][ T39] br2: port 1(w1) entered forwarding state [ 1275.571819][ T7862] br2: port 1(w1) entered blocking state [ 1275.572170][ T7862] br2: port 1(w1) entered disabled state [ 1275.572468][ T7862] w1: entered allmulticast mode [ 1275.574726][ T7862] w1: entered promiscuous mode [ 1276.193915][ T7869] br2: port 2(vx100) entered blocking state [ 1276.194211][ T7869] br2: port 2(vx100) entered disabled state [ 1276.194822][ T7869] vx100: entered allmulticast mode [ 1276.196854][ T7869] vx100: entered promiscuous mode [ 1276.197416][ T7869] br2: port 2(vx100) entered blocking state [ 1276.197661][ T7869] br2: port 2(vx100) entered forwarding state [ 1276.959926][ T39] br2: port 1(w1) entered blocking state [ 1276.960195][ T39] br2: port 1(w1) entered forwarding state [ 1289.355704][ T67] vx100: left allmulticast mode [ 1289.355985][ T67] vx100: left promiscuous mode [ 1289.356333][ T67] br2: port 2(vx100) entered disabled state [ 1289.358981][ T67] w1: left allmulticast mode [ 1289.359453][ T67] w1: left promiscuous mode [ 1289.359778][ T67] br2: port 1(w1) entered disabled state [ 1289.795717][ T67] ================================================================== [ 1289.796005][ T67] BUG: KASAN: slab-use-after-free in cleanup_net+0x932/0xa40 [ 1289.796302][ T67] Read of size 8 at addr ffff88800fc500f8 by task kworker/u16:1/67 [ 1289.796564][ T67] [ 1289.796665][ T67] CPU: 0 UID: 0 PID: 67 Comm: kworker/u16:1 Not tainted 6.12.0-virtme #1 [ 1289.796910][ T67] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 1289.797077][ T67] Workqueue: netns cleanup_net [ 1289.797218][ T67] Call Trace: [ 1289.797316][ T67] [ 1289.797389][ T67] dump_stack_lvl+0x82/0xd0 [ 1289.797528][ T67] print_address_description.constprop.0+0x2c/0x3b0 [ 1289.797688][ T67] ? cleanup_net+0x932/0xa40 [ 1289.797819][ T67] print_report+0xb4/0x270 [ 1289.797956][ T67] ? kasan_addr_to_slab+0x25/0x80 [ 1289.798085][ T67] kasan_report+0xbd/0xf0 [ 1289.798187][ T67] ? cleanup_net+0x932/0xa40 [ 1289.798317][ T67] cleanup_net+0x932/0xa40 [ 1289.798443][ T67] ? __pfx_lock_acquire.part.0+0x10/0x10 [ 1289.798579][ T67] ? __pfx_cleanup_net+0x10/0x10 [ 1289.798703][ T67] ? trace_lock_acquire+0x148/0x1f0 [ 1289.798838][ T67] ? lock_acquire+0x32/0xc0 [ 1289.798991][ T67] ? process_one_work+0xe0b/0x16d0 [ 1289.799120][ T67] process_one_work+0xe55/0x16d0 [ 1289.799248][ T67] ? __pfx___lock_release+0x10/0x10 [ 1289.799386][ T67] ? __pfx_process_one_work+0x10/0x10 [ 1289.799519][ T67] ? assign_work+0x16c/0x240 [ 1289.799646][ T67] worker_thread+0x58c/0xce0 [ 1289.799771][ T67] ? lockdep_hardirqs_on_prepare+0x275/0x410 [ 1289.799938][ T67] ? __pfx_worker_thread+0x10/0x10 [ 1289.800062][ T67] ? __pfx_worker_thread+0x10/0x10 [ 1289.800187][ T67] kthread+0x28a/0x350 [ 1289.800283][ T67] ? __pfx_kthread+0x10/0x10 [ 1289.800413][ T67] ret_from_fork+0x31/0x70 [ 1289.800537][ T67] ? __pfx_kthread+0x10/0x10 [ 1289.800661][ T67] ret_from_fork_asm+0x1a/0x30 [ 1289.800791][ T67] [ 1289.800891][ T67] [ 1289.800955][ T67] Allocated by task 7030: [ 1289.801050][ T67] kasan_save_stack+0x24/0x50 [ 1289.801179][ T67] kasan_save_track+0x14/0x30 [ 1289.801301][ T67] __kasan_slab_alloc+0x59/0x70 [ 1289.801430][ T67] kmem_cache_alloc_noprof+0x10b/0x350 [ 1289.801555][ T67] copy_net_ns+0xc6/0x340 [ 1289.801650][ T67] create_new_namespaces+0x35f/0x920 [ 1289.801776][ T67] unshare_nsproxy_namespaces+0x8d/0x130 [ 1289.801900][ T67] ksys_unshare+0x2a9/0x660 [ 1289.802031][ T67] __x64_sys_unshare+0x31/0x40 [ 1289.802154][ T67] do_syscall_64+0xc1/0x1d0 [ 1289.802278][ T67] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1289.802429][ T67] [ 1289.802494][ T67] Freed by task 67: [ 1289.802589][ T67] kasan_save_stack+0x24/0x50 [ 1289.802712][ T67] kasan_save_track+0x14/0x30 [ 1289.802833][ T67] kasan_save_free_info+0x3b/0x60 [ 1289.802964][ T67] __kasan_slab_free+0x38/0x50 [ 1289.803089][ T67] kmem_cache_free+0xf8/0x330 [ 1289.803217][ T67] cleanup_net+0x5a8/0xa40 [ 1289.803340][ T67] process_one_work+0xe55/0x16d0 [ 1289.803465][ T67] worker_thread+0x58c/0xce0 [ 1289.803588][ T67] kthread+0x28a/0x350 [ 1289.803681][ T67] ret_from_fork+0x31/0x70 [ 1289.803803][ T67] ret_from_fork_asm+0x1a/0x30 [ 1289.803926][ T67] [ 1289.803991][ T67] Last potentially related work creation: [ 1289.804120][ T67] kasan_save_stack+0x24/0x50 [ 1289.804247][ T67] __kasan_record_aux_stack+0x8e/0xa0 [ 1289.804374][ T67] insert_work+0x34/0x230 [ 1289.804468][ T67] __queue_work+0x5fd/0xa40 [ 1289.804602][ T67] queue_delayed_work_on+0x8c/0xa0 [ 1289.804724][ T67] __inet_insert_ifa+0x751/0xb10 [ 1289.804848][ T67] inet_rtm_newaddr+0x833/0xbd0 [ 1289.804972][ T67] rtnetlink_rcv_msg+0x712/0xc10 [ 1289.805100][ T67] netlink_rcv_skb+0x130/0x360 [ 1289.805224][ T67] netlink_unicast+0x44b/0x710 [ 1289.805350][ T67] netlink_sendmsg+0x723/0xbe0 [ 1289.805476][ T67] ____sys_sendmsg+0x7ac/0xa10 [ 1289.805595][ T67] ___sys_sendmsg+0xee/0x170 [ 1289.805718][ T67] __sys_sendmsg+0x109/0x1a0 [ 1289.805839][ T67] do_syscall_64+0xc1/0x1d0 [ 1289.805964][ T67] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1289.806121][ T67] [ 1289.806186][ T67] Second to last potentially related work creation: [ 1289.806338][ T67] kasan_save_stack+0x24/0x50 [ 1289.806466][ T67] __kasan_record_aux_stack+0x8e/0xa0 [ 1289.806590][ T67] insert_work+0x34/0x230 [ 1289.806684][ T67] __queue_work+0x5fd/0xa40 [ 1289.806823][ T67] queue_delayed_work_on+0x8c/0xa0 [ 1289.806956][ T67] __inet_insert_ifa+0x751/0xb10 [ 1289.807079][ T67] inet_rtm_newaddr+0x833/0xbd0 [ 1289.807203][ T67] rtnetlink_rcv_msg+0x712/0xc10 [ 1289.807325][ T67] netlink_rcv_skb+0x130/0x360 [ 1289.807450][ T67] netlink_unicast+0x44b/0x710 [ 1289.807573][ T67] netlink_sendmsg+0x723/0xbe0 [ 1289.807737][ T67] ____sys_sendmsg+0x7ac/0xa10 [ 1289.807890][ T67] ___sys_sendmsg+0xee/0x170 [ 1289.808105][ T67] __sys_sendmsg+0x109/0x1a0 [ 1289.808242][ T67] do_syscall_64+0xc1/0x1d0 [ 1289.808384][ T67] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1289.808555][ T67] [ 1289.808688][ T67] The buggy address belongs to the object at ffff88800fc50040 [ 1289.808688][ T67] which belongs to the cache net_namespace of size 6080 [ 1289.809111][ T67] The buggy address is located 184 bytes inside of [ 1289.809111][ T67] freed 6080-byte region [ffff88800fc50040, ffff88800fc51800) [ 1289.809450][ T67] [ 1289.809523][ T67] The buggy address belongs to the physical page: [ 1289.809688][ T67] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800fc54c00 pfn:0xfc50 [ 1289.809962][ T67] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 1289.810175][ T67] flags: 0x80000000000240(workingset|head|node=0|zone=1) [ 1289.810351][ T67] page_type: f5(slab) [ 1289.810461][ T67] raw: 0080000000000240 ffff888001963240 ffff888001968088 ffff888001968088 [ 1289.810707][ T67] raw: ffff88800fc54c00 0000000000050003 00000001f5000000 0000000000000000 [ 1289.810948][ T67] head: 0080000000000240 ffff888001963240 ffff888001968088 ffff888001968088 [ 1289.811196][ T67] head: ffff88800fc54c00 0000000000050003 00000001f5000000 0000000000000000 [ 1289.811437][ T67] head: 0080000000000003 ffffea00003f1401 ffffffffffffffff 0000000000000000 [ 1289.811674][ T67] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 1289.811912][ T67] page dumped because: kasan: bad access detected [ 1289.812087][ T67] [ 1289.812156][ T67] Memory state around the buggy address: [ 1289.812290][ T67] ffff88800fc4ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 1289.812492][ T67] ffff88800fc50000: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 1289.812690][ T67] >ffff88800fc50080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1289.812887][ T67] ^ [ 1289.813090][ T67] ffff88800fc50100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1289.813672][ T67] ffff88800fc50180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1289.813867][ T67] ================================================================== [ 1289.814088][ T67] Disabling lock debugging due to kernel taint [ 1289.872317][ T67] vx100: left allmulticast mode [ 1289.872574][ T67] vx100: left promiscuous mode [ 1289.872983][ T67] br2: port 2(vx100) entered disabled state [ 1289.875172][ T67] w1: left allmulticast mode [ 1289.875433][ T67] w1: left promiscuous mode [ 1289.875808][ T67] br2: port 1(w1) entered disabled state [ 1291.569220][ T7990] br1: port 3(veth2) entered disabled state [ 1291.617086][ T7991] veth2: left allmulticast mode [ 1291.617340][ T7991] veth2: left promiscuous mode [ 1291.617729][ T7991] br1: port 3(veth2) entered disabled state [ 1291.750376][ T7993] br1: port 2(veth1) entered disabled state [ 1291.804719][ T7994] veth1: left allmulticast mode [ 1291.804936][ T7994] veth1: left promiscuous mode [ 1291.805205][ T7994] br1: port 2(veth1) entered disabled state [ 1291.875270][ T7995] vx100: left allmulticast mode [ 1291.875502][ T7995] vx100: left promiscuous mode [ 1291.875799][ T7995] br1: port 1(vx100) entered disabled state