[ 36.162301][ T385] ==================================================================
[ 36.162633][ T385] BUG: KASAN: out-of-bounds in kobject_put+0xbb/0xd0
[ 36.162883][ T385] Read of size 1 at addr ffff88800cf506c4 by task tun/385
[ 36.163106][ T385]
[ 36.163204][ T385] CPU: 1 UID: 0 PID: 385 Comm: tun Not tainted 6.18.0-rc4-virtme #1 PREEMPT(full)
[ 36.163210][ T385] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 36.163212][ T385] Call Trace:
[ 36.163214][ T385]
[ 36.163216][ T385] dump_stack_lvl+0x82/0xc0
[ 36.163223][ T385] print_address_description.constprop.0+0x2c/0x3a0
[ 36.163231][ T385] ? kobject_put+0xbb/0xd0
[ 36.163235][ T385] print_report+0xb4/0x270
[ 36.163239][ T385] ? kobject_put+0xbb/0xd0
[ 36.163242][ T385] ? kasan_addr_to_slab+0x21/0x70
[ 36.163246][ T385] ? kobject_put+0xbb/0xd0
[ 36.163249][ T385] kasan_report+0xca/0x100
[ 36.163253][ T385] ? kobject_put+0xbb/0xd0
[ 36.163258][ T385] kobject_put+0xbb/0xd0
[ 36.163262][ T385] netdev_run_todo+0x5f0/0xc60
[ 36.163269][ T385] ? dev_ingress_queue_create+0x190/0x190
[ 36.163273][ T385] ? generic_xdp_install+0x410/0x410
[ 36.163277][ T385] ? unregister_netdevice_many+0x20/0x20
[ 36.163283][ T385] rtnl_dellink+0x350/0xa30
[ 36.163289][ T385] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 36.163308][ T385] ? find_held_lock+0x2b/0x80
[ 36.163317][ T385] ? __lock_acquire+0x449/0x7e0
[ 36.163323][ T385] ? find_held_lock+0x2b/0x80
[ 36.163327][ T385] ? rtnetlink_rcv_msg+0x6e6/0xc00
[ 36.163330][ T385] ? __lock_release+0x5d/0x170
[ 36.163333][ T385] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 36.163337][ T385] rtnetlink_rcv_msg+0x709/0xc00
[ 36.163341][ T385] ? rtnl_port_fill+0x890/0x890
[ 36.163345][ T385] ? __lock_acquire+0x449/0x7e0
[ 36.163351][ T385] netlink_rcv_skb+0x121/0x340
[ 36.163356][ T385] ? rtnl_port_fill+0x890/0x890
[ 36.163360][ T385] ? netlink_ack+0xdf0/0xdf0
[ 36.163366][ T385] ? netlink_deliver_tap+0x13e/0x340
[ 36.163369][ T385] ? netlink_deliver_tap+0xc3/0x340
[ 36.163372][ T385] netlink_unicast+0x4aa/0x780
[ 36.163376][ T385] ? netlink_attachskb+0x810/0x810
[ 36.163379][ T385] ? netlink_insert+0xee/0x2a0
[ 36.163382][ T385] ? netlink_autobind.isra.0+0xa5/0x270
[ 36.163385][ T385] ? netlink_autobind.isra.0+0x18a/0x270
[ 36.163389][ T385] netlink_sendmsg+0x714/0xbd0
[ 36.163393][ T385] ? netlink_unicast+0x780/0x780
[ 36.163399][ T385] __sys_sendto+0x24b/0x380
[ 36.163404][ T385] ? __ia32_sys_getpeername+0xb0/0xb0
[ 36.163409][ T385] ? rcu_is_watching+0x12/0xb0
[ 36.163416][ T385] ? trace_rseq_update+0xce/0x130
[ 36.163422][ T385] ? rseq_update_cpu_node_id+0x10c/0x170
[ 36.163426][ T385] ? __rseq_handle_notify_resume+0x2a7/0x400
[ 36.163430][ T385] ? rseq_get_rseq_cs.isra.0+0x650/0x650
[ 36.163432][ T385] ? __sys_socket+0x162/0x1d0
[ 36.163435][ T385] ? update_socket_protocol+0x10/0x10
[ 36.163438][ T385] ? do_user_addr_fault+0x955/0xe00
[ 36.163444][ T385] __x64_sys_sendto+0xe0/0x1b0
[ 36.163447][ T385] ? do_syscall_64+0x85/0xfd0
[ 36.163452][ T385] ? lockdep_hardirqs_on+0x7c/0x110
[ 36.163461][ T385] do_syscall_64+0xc1/0xfd0
[ 36.163465][ T385] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 36.163468][ T385] RIP: 0033:0x7f7210386120
[ 36.163474][ T385] Code: ff ff 64 89 02 eb bd 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 1d 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 68 c3 0f 1f 80 00 00 00 00 41 54 48 83 ec 20
[ 36.163476][ T385] RSP: 002b:00007fff0b9ca208 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 36.163480][ T385] RAX: ffffffffffffffda RBX: 00007fff0b9ca2a0 RCX: 00007f7210386120
[ 36.163483][ T385] RDX: 0000000000000034 RSI: 00007fff0b9ca210 RDI: 0000000000000007
[ 36.163484][ T385] RBP: 0000000000000007 R08: 0000000000000000 R09: 0000000000000000
[ 36.163486][ T385] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 36.163487][ T385] R13: 00007fff0b9ca2a0 R14: 00007f7210272000 R15: 0000000000406140
[ 36.163494][ T385]
[ 36.163495][ T385]
[ 36.175226][ T385] The buggy address belongs to the physical page:
[ 36.175432][ T385] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800cf53a00 pfn:0xcf50
[ 36.175770][ T385] flags: 0x80000000000000(node=0|zone=1)
[ 36.175951][ T385] raw: 0080000000000000 0000000000000000 dead000000000122 0000000000000000
[ 36.176262][ T385] raw: ffff88800cf53a00 0000000000000000 00000001ffffffff 0000000000000000
[ 36.176551][ T385] page dumped because: kasan: bad access detected
[ 36.176761][ T385]
[ 36.176850][ T385] Memory state around the buggy address:
[ 36.177008][ T385]  ffff88800cf50580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.177277][ T385]  ffff88800cf50600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.177517][ T385] >ffff88800cf50680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.177754][ T385]                                            ^
[ 36.177954][ T385]  ffff88800cf50700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.178208][ T385]  ffff88800cf50780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.178451][ T385] ==================================================================
[ 36.179009][ T385] Disabling lock debugging due to kernel taint
[ 36.179251][ T385] ------------[ cut here ]------------
[ 36.179443][ T385] refcount_t: underflow; use-after-free.
[ 36.179675][ T385] WARNING: CPU: 1 PID: 385 at lib/refcount.c:28 refcount_warn_saturate+0x16f/0x1b0
[ 36.180199][ T385] Modules linked in:
[ 36.180333][ T385] CPU: 1 UID: 0 PID: 385 Comm: tun Tainted: G B 6.18.0-rc4-virtme #1 PREEMPT(full)
[ 36.180655][ T385] Tainted: [B]=BAD_PAGE
[ 36.180778][ T385] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 36.180982][ T385] RIP: 0010:refcount_warn_saturate+0x16f/0x1b0
[ 36.181274][ T385] Code: cc 38 03 80 fb 01 0f 87 29 33 d7 fe 83 e3 01 0f 85 51 ff ff ff c6 05 17 cc 38 03 01 90 48 c7 c7 40 ba e5 88 e8 62 d6 16 ff 90 <0f> 0b 90 90 e9 33 ff ff ff 48 89 df e8 c0 9d a0 ff e9 ba fe ff ff
[ 36.181846][ T385] RSP: 0018:ffffc90000f073f0 EFLAGS: 00010286
[ 36.182120][ T385] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 36.182382][ T385] RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000001
[ 36.182616][ T385] RBP: 0000000000000003 R08: 0000000000000000 R09: fffffbfff13c0934
[ 36.182942][ T385] R10: 0000000000000003 R11: ffffc90000f06f80 R12: 0000000000000001
[ 36.183271][ T385] R13: dffffc0000000000 R14: dead000000000122 R15: dead000000000100
[ 36.183525][ T385] FS: 00007f7210273b80(0000) GS:ffff8880e1d88000(0000) knlGS:0000000000000000
[ 36.183808][ T385] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 36.184172][ T385] CR2: 00007f72103863a0 CR3: 00000000097d2003 CR4: 0000000000772ef0
[ 36.184424][ T385] PKRU: 55555554
[ 36.184543][ T385] Call Trace:
[ 36.184663][ T385]
[ 36.184747][ T385] netdev_run_todo+0x5f0/0xc60
[ 36.184911][ T385] ? dev_ingress_queue_create+0x190/0x190
[ 36.185141][ T385] ? generic_xdp_install+0x410/0x410
[ 36.185302][ T385] ? unregister_netdevice_many+0x20/0x20
[ 36.185470][ T385] rtnl_dellink+0x350/0xa30
[ 36.185629][ T385] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 36.185932][ T385] ? find_held_lock+0x2b/0x80
[ 36.186156][ T385] ? __lock_acquire+0x449/0x7e0
[ 36.186313][ T385] ? find_held_lock+0x2b/0x80
[ 36.186481][ T385] ? rtnetlink_rcv_msg+0x6e6/0xc00
[ 36.186635][ T385] ? __lock_release+0x5d/0x170
[ 36.186792][ T385] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 36.187142][ T385] rtnetlink_rcv_msg+0x709/0xc00
[ 36.187298][ T385] ? rtnl_port_fill+0x890/0x890
[ 36.187463][ T385] ? __lock_acquire+0x449/0x7e0
[ 36.187622][ T385] netlink_rcv_skb+0x121/0x340
[ 36.187781][ T385] ? rtnl_port_fill+0x890/0x890
[ 36.187936][ T385] ? netlink_ack+0xdf0/0xdf0
[ 36.188199][ T385] ? netlink_deliver_tap+0x13e/0x340
[ 36.188357][ T385] ? netlink_deliver_tap+0xc3/0x340
[ 36.188529][ T385] netlink_unicast+0x4aa/0x780
[ 36.188683][ T385] ? netlink_attachskb+0x810/0x810
[ 36.188929][ T385] ? netlink_insert+0xee/0x2a0
[ 36.189089][ T385] ? netlink_autobind.isra.0+0xa5/0x270
[ 36.189245][ T385] ? netlink_autobind.isra.0+0x18a/0x270
[ 36.189401][ T385] netlink_sendmsg+0x714/0xbd0
[ 36.189678][ T385] ? netlink_unicast+0x780/0x780
[ 36.189845][ T385] __sys_sendto+0x24b/0x380
[ 36.190002][ T385] ? __ia32_sys_getpeername+0xb0/0xb0
[ 36.190167][ T385] ? rcu_is_watching+0x12/0xb0
[ 36.190416][ T385] ? trace_rseq_update+0xce/0x130
[ 36.190587][ T385] ? rseq_update_cpu_node_id+0x10c/0x170
[ 36.190742][ T385] ? __rseq_handle_notify_resume+0x2a7/0x400
[ 36.190936][ T385] ? rseq_get_rseq_cs.isra.0+0x650/0x650
[ 36.191193][ T385] ? __sys_socket+0x162/0x1d0
[ 36.191356][ T385] ? update_socket_protocol+0x10/0x10
[ 36.191524][ T385] ? do_user_addr_fault+0x955/0xe00
[ 36.191685][ T385] __x64_sys_sendto+0xe0/0x1b0
[ 36.191938][ T385] ? do_syscall_64+0x85/0xfd0
[ 36.192101][ T385] ? lockdep_hardirqs_on+0x7c/0x110
[ 36.192262][ T385] do_syscall_64+0xc1/0xfd0
[ 36.192429][ T385] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 36.192735][ T385] RIP: 0033:0x7f7210386120
[ 36.192905][ T385] Code: ff ff 64 89 02 eb bd 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 1d 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 68 c3 0f 1f 80 00 00 00 00 41 54 48 83 ec 20
[ 36.193591][ T385] RSP: 002b:00007fff0b9ca208 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 36.193840][ T385] RAX: ffffffffffffffda RBX: 00007fff0b9ca2a0 RCX: 00007f7210386120
[ 36.194081][ T385] RDX: 0000000000000034 RSI: 00007fff0b9ca210 RDI: 0000000000000007
[ 36.194315][ T385] RBP: 0000000000000007 R08: 0000000000000000 R09: 0000000000000000
[ 36.194558][ T385] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 36.194896][ T385] R13: 00007fff0b9ca2a0 R14: 00007f7210272000 R15: 0000000000406140
[ 36.195138][ T385]
[ 36.195257][ T385] irq event stamp: 13159
[ 36.195376][ T385] hardirqs last enabled at (13159): [] finish_task_switch.isra.0+0x245/0x960
[ 36.195807][ T385] hardirqs last disabled at (13158): [] __schedule+0x94a/0x1b10
[ 36.196094][ T385] softirqs last enabled at (12784): [] __tun_set_ebpf+0xc6/0x180
[ 36.196463][ T385] softirqs last disabled at (12782): [] __tun_set_ebpf+0x91/0x180
[ 36.196745][ T385] ---[ end trace 0000000000000000 ]---
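The report above is raw dmesg output with no triage applied. What follows is an added helper (example code written for this page; it is not part of the report and not a kernel or syzkaller tool) that turns such a report into the fields a bug tracker or dedup key needs: the KASAN bug class and access, the reliable call chain (the kernel prefixes stale values it found on the stack with "? ", and those frames are dropped), the syscall number from ORIG_RAX, and any refcount_t warning and taint reason that followed. The SAMPLE input is a trimmed excerpt of the report above; the REPORTING prefix list used to skip the report machinery frames is this example's own heuristic, not something the kernel defines.

```python
# Added example: KASAN / refcount_t report triage (not a kernel tool).
import re
from dataclasses import dataclass, field

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?(?P<msg>.*)$")   # "[ 36.16][ T385] msg"
FRAME = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
KASAN_HDR = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<site>\S+)$")
ACCESS = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task (?P<comm>\S+)/(?P<pid>\d+)$")
ORIG_RAX = re.compile(r"ORIG_RAX: (?P<nr>[0-9a-f]{16})")
REFCOUNT = re.compile(r"^refcount_t: (?P<what>.+?)\.?$")
TAINT = re.compile(r"^Tainted: (?P<reason>\[\w\]=\w+)$")
# Assumption of this example: frames with these prefixes are report machinery, not the bug.
REPORTING = ("dump_stack", "print_address_description", "print_report", "kasan_", "__asan_")


@dataclass
class Report:
    kind: str = ""          # "out-of-bounds", "use-after-free", ...
    site: str = ""          # symbol+off/size named on the BUG: line
    access: str = ""        # "Read" / "Write"
    size: int = 0
    addr: int = 0
    comm: str = ""
    pid: int = 0
    syscall_nr: int = -1    # ORIG_RAX of the first user-space register dump
    frames: list = field(default_factory=list)     # reliable frames, innermost first
    followups: list = field(default_factory=list)  # refcount_t warnings that followed
    taint_reasons: list = field(default_factory=list)


def parse(lines):
    """Parse dmesg lines (prefix optional) into a Report; only the first Call Trace is kept."""
    rep, in_trace = Report(), False
    for raw in lines:
        m = PREFIX.match(raw.rstrip("\n"))
        msg = (m.group("msg") if m else raw).strip()
        if in_trace:
            if not msg:                      # blank line where <TASK>/</TASK> was stripped
                continue
            f = FRAME.match(msg)
            if f:
                if not f.group("unreliable"):
                    rep.frames.append(f.group("sym"))
                continue
            in_trace = False                 # e.g. "RIP: 0033:..." ends the trace
        if msg == "Call Trace:" and not rep.frames:
            in_trace = True
        elif (h := KASAN_HDR.match(msg)):
            rep.kind, rep.site = h.group("kind"), h.group("site")
        elif (a := ACCESS.match(msg)):
            rep.access, rep.size = a.group("rw"), int(a.group("size"))
            rep.addr, rep.comm, rep.pid = int(a.group("addr"), 16), a.group("comm"), int(a.group("pid"))
        elif (o := ORIG_RAX.search(msg)) and rep.syscall_nr < 0:
            rep.syscall_nr = int(o.group("nr"), 16)
        elif (r := REFCOUNT.match(msg)):
            rep.followups.append(r.group("what"))
        elif (t := TAINT.match(msg)):
            rep.taint_reasons.append(t.group("reason"))
    return rep


def fault_site(rep):
    """Innermost reliable frame that is not part of the reporting machinery."""
    return next((s for s in rep.frames if not s.startswith(REPORTING)), "")


def entry_path(rep):
    """Reliable frames from the fault site out to the syscall entry."""
    site = fault_site(rep)
    return rep.frames[rep.frames.index(site):] if site else []


def dedup_key(rep):
    """Grouping key for duplicate reports: bug class, access, first three callers."""
    return f"{rep.kind}|{rep.access}:{rep.size}|{'>'.join(entry_path(rep)[:3])}"


# Trimmed excerpt of the report above (real lines, not constructed).
SAMPLE = """\
[ 36.162633][ T385] BUG: KASAN: out-of-bounds in kobject_put+0xbb/0xd0
[ 36.162883][ T385] Read of size 1 at addr ffff88800cf506c4 by task tun/385
[ 36.163212][ T385] Call Trace:
[ 36.163214][ T385]
[ 36.163216][ T385] dump_stack_lvl+0x82/0xc0
[ 36.163239][ T385] ? kobject_put+0xbb/0xd0
[ 36.163249][ T385] kasan_report+0xca/0x100
[ 36.163258][ T385] kobject_put+0xbb/0xd0
[ 36.163262][ T385] netdev_run_todo+0x5f0/0xc60
[ 36.163277][ T385] ? unregister_netdevice_many+0x20/0x20
[ 36.163283][ T385] rtnl_dellink+0x350/0xa30
[ 36.163337][ T385] rtnetlink_rcv_msg+0x709/0xc00
[ 36.163399][ T385] __sys_sendto+0x24b/0x380
[ 36.163465][ T385] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 36.163468][ T385] RIP: 0033:0x7f7210386120
[ 36.163476][ T385] RSP: 002b:00007fff0b9ca208 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 36.179443][ T385] refcount_t: underflow; use-after-free.
[ 36.180655][ T385] Tainted: [B]=BAD_PAGE
"""

if __name__ == "__main__":
    rep = parse(SAMPLE.splitlines())
    print(f"{rep.kind} {rep.access.lower()} of {rep.size} byte(s) at {rep.addr:#x} by {rep.comm}/{rep.pid}")
    print("fault site:", fault_site(rep), "| entry path:", " <- ".join(entry_path(rep)))
    print("syscall nr:", rep.syscall_nr, "(44 is sendto on x86_64) | follow-ups:", rep.followups, rep.taint_reasons)
    print("dedup key :", dedup_key(rep))
```

Run it against the full log (python3 triage.py < dmesg.txt, after swapping SAMPLE for sys.stdin) and the same fields come out; the two call traces in the report share one path, so keeping only the first is what makes the dedup key stable across the KASAN report and the refcount WARNING that follows it. The ORIG_RAX value 0x2c is 44, which is sendto on x86_64, matching the __sys_sendto frame.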