[ 15.301558][ T276] ==================================================================
[ 15.301871][ T276] BUG: KASAN: slab-use-after-free in kobject_put+0xbb/0xd0
[ 15.302177][ T276] Read of size 1 at addr ffff8880052aa6c4 by task ip/276
[ 15.302405][ T276]
[ 15.302500][ T276] CPU: 0 UID: 0 PID: 276 Comm: ip Not tainted 6.18.0-rc4-virtme #1 PREEMPT(full)
[ 15.302505][ T276] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 15.302507][ T276] Call Trace:
[ 15.302509][ T276]
[ 15.302511][ T276] dump_stack_lvl+0x82/0xc0
[ 15.302518][ T276] print_address_description.constprop.0+0x2c/0x3a0
[ 15.302527][ T276] ? kobject_put+0xbb/0xd0
[ 15.302531][ T276] print_report+0xb4/0x270
[ 15.302534][ T276] ? kobject_put+0xbb/0xd0
[ 15.302537][ T276] ? kasan_addr_to_slab+0x21/0x70
[ 15.302541][ T276] ? kobject_put+0xbb/0xd0
[ 15.302544][ T276] kasan_report+0xca/0x100
[ 15.302548][ T276] ? kobject_put+0xbb/0xd0
[ 15.302553][ T276] kobject_put+0xbb/0xd0
[ 15.302556][ T276] netdev_run_todo+0x5f0/0xc60
[ 15.302565][ T276] ? dev_ingress_queue_create+0x190/0x190
[ 15.302568][ T276] ? generic_xdp_install+0x410/0x410
[ 15.302572][ T276] ? __lock_acquire+0x449/0x7e0
[ 15.302579][ T276] rtnl_dellink+0x350/0xa30
[ 15.302585][ T276] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 15.302613][ T276] ? find_held_lock+0x2b/0x80
[ 15.302624][ T276] ? __lock_acquire+0x449/0x7e0
[ 15.302629][ T276] ? find_held_lock+0x2b/0x80
[ 15.302633][ T276] ? rtnetlink_rcv_msg+0x6e6/0xc00
[ 15.302636][ T276] ? __lock_release+0x5d/0x170
[ 15.302639][ T276] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 15.302643][ T276] rtnetlink_rcv_msg+0x709/0xc00
[ 15.302647][ T276] ? rtnl_port_fill+0x890/0x890
[ 15.302651][ T276] ? __lock_acquire+0x449/0x7e0
[ 15.302657][ T276] netlink_rcv_skb+0x121/0x340
[ 15.302661][ T276] ? rtnl_port_fill+0x890/0x890
[ 15.302665][ T276] ? netlink_ack+0xdf0/0xdf0
[ 15.302671][ T276] ? netlink_deliver_tap+0x13e/0x340
[ 15.302674][ T276] ? netlink_deliver_tap+0xc3/0x340
[ 15.302678][ T276] netlink_unicast+0x4aa/0x780
[ 15.302682][ T276] ? netlink_attachskb+0x810/0x810
[ 15.302685][ T276] ? __lock_acquire+0x449/0x7e0
[ 15.302690][ T276] netlink_sendmsg+0x714/0xbd0
[ 15.302694][ T276] ? netlink_unicast+0x780/0x780
[ 15.302697][ T276] ? __import_iovec+0x230/0x3b0
[ 15.302704][ T276] ? netlink_unicast+0x780/0x780
[ 15.302707][ T276] ____sys_sendmsg+0x3dd/0x890
[ 15.302712][ T276] ? get_timestamp.constprop.0+0x370/0x370
[ 15.302714][ T276] ? __copy_msghdr+0x3c0/0x3c0
[ 15.302722][ T276] ___sys_sendmsg+0xed/0x170
[ 15.302725][ T276] ? kasan_record_aux_stack+0x8c/0xa0
[ 15.302729][ T276] ? __call_rcu_common.constprop.0+0xa8/0x630
[ 15.302734][ T276] ? copy_msghdr_from_user+0x110/0x110
[ 15.302739][ T276] ? find_held_lock+0x2b/0x80
[ 15.302743][ T276] ? __lock_acquire+0x449/0x7e0
[ 15.302748][ T276] ? find_held_lock+0x2b/0x80
[ 15.302752][ T276] ? __virt_addr_valid+0x22a/0x450
[ 15.302760][ T276] ? __lock_release+0x5d/0x170
[ 15.302765][ T276] __sys_sendmsg+0x10b/0x1a0
[ 15.302767][ T276] ? __call_rcu_common.constprop.0+0x318/0x630
[ 15.302770][ T276] ? __sys_sendmsg_sock+0x20/0x20
[ 15.302777][ T276] ? rcu_is_watching+0x12/0xb0
[ 15.302784][ T276] do_syscall_64+0xc1/0xfd0
[ 15.302791][ T276] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 15.302795][ T276] RIP: 0033:0x7f75e32131d7
[ 15.302799][ T276] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[ 15.302802][ T276] RSP: 002b:00007fff82c27408 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 15.302806][ T276] RAX: ffffffffffffffda RBX: 00007fff82c27b30 RCX: 00007f75e32131d7
[ 15.302808][ T276] RDX: 0000000000000000 RSI: 00007fff82c27470 RDI: 0000000000000005
[ 15.302810][ T276] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[ 15.302812][ T276] R10: 00007f75e310ff60 R11: 0000000000000246 R12: 0000000000000002
[ 15.302814][ T276] R13: 00000000690e05ad R14: 0000000000499600 R15: 0000000000000000
[ 15.302820][ T276]
[ 15.302821][ T276]
[ 15.316135][ T276] Allocated by task 268:
[ 15.316271][ T276] kasan_save_stack+0x24/0x40
[ 15.316456][ T276] kasan_save_track+0x14/0x30
[ 15.316640][ T276] __kasan_kmalloc+0x7b/0x90
[ 15.316820][ T276] __kvmalloc_node_noprof+0x2e5/0x8e0
[ 15.317002][ T276] alloc_netdev_mqs+0x7d/0x1370
[ 15.317189][ T276] rtnl_create_link+0xa9e/0xe20
[ 15.317366][ T276] rtnl_newlink_create+0x203/0x8f0
[ 15.317544][ T276] __rtnl_newlink+0x231/0xa30
[ 15.317736][ T276] rtnl_newlink+0x693/0xa60
[ 15.317916][ T276] rtnetlink_rcv_msg+0x709/0xc00
[ 15.318105][ T276] netlink_rcv_skb+0x121/0x340
[ 15.318287][ T276] netlink_unicast+0x4aa/0x780
[ 15.318471][ T276] netlink_sendmsg+0x714/0xbd0
[ 15.318658][ T276] ____sys_sendmsg+0x3dd/0x890
[ 15.318840][ T276] ___sys_sendmsg+0xed/0x170
[ 15.319029][ T276] __sys_sendmsg+0x10b/0x1a0
[ 15.319222][ T276] do_syscall_64+0xc1/0xfd0
[ 15.319400][ T276] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 15.319629][ T276]
[ 15.319719][ T276] Freed by task 276:
[ 15.319852][ T276] kasan_save_stack+0x24/0x40
[ 15.320043][ T276] kasan_save_track+0x14/0x30
[ 15.320232][ T276] __kasan_save_free_info+0x3b/0x60
[ 15.320415][ T276] __kasan_slab_free+0x3f/0x60
[ 15.320591][ T276] kfree+0x21d/0x540
[ 15.320735][ T276] device_release+0x9c/0x210
[ 15.320917][ T276] kobject_cleanup+0xfe/0x360
[ 15.321107][ T276] netdev_run_todo+0x81f/0xc60
[ 15.321284][ T276] rtnl_dellink+0x350/0xa30
[ 15.321459][ T276] rtnetlink_rcv_msg+0x709/0xc00
[ 15.321648][ T276] netlink_rcv_skb+0x121/0x340
[ 15.321835][ T276] netlink_unicast+0x4aa/0x780
[ 15.322013][ T276] netlink_sendmsg+0x714/0xbd0
[ 15.322197][ T276] ____sys_sendmsg+0x3dd/0x890
[ 15.322371][ T276] ___sys_sendmsg+0xed/0x170
[ 15.322545][ T276] __sys_sendmsg+0x10b/0x1a0
[ 15.322730][ T276] do_syscall_64+0xc1/0xfd0
[ 15.322909][ T276] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 15.323141][ T276]
[ 15.323237][ T276] The buggy address belongs to the object at ffff8880052aa000
[ 15.323237][ T276] which belongs to the cache kmalloc-8k of size 8192
[ 15.323666][ T276] The buggy address is located 1732 bytes inside of
[ 15.323666][ T276] freed 8192-byte region [ffff8880052aa000, ffff8880052ac000)
[ 15.324100][ T276]
[ 15.324194][ T276] The buggy address belongs to the physical page:
[ 15.324412][ T276] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x52a8
[ 15.324838][ T276] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 15.325118][ T276] flags: 0x80000000000040(head|node=0|zone=1)
[ 15.325349][ T276] page_type: f5(slab)
[ 15.325487][ T276] raw: 0080000000000040 ffff8880010438c0 ffffea0000228810 ffff888001041228
[ 15.325920][ T276] raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
[ 15.326257][ T276] head: 0080000000000040 ffff8880010438c0 ffffea0000228810 ffff888001041228
[ 15.326683][ T276] head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
[ 15.327002][ T276] head: 0080000000000003 ffffea000014aa01 00000000ffffffff 00000000ffffffff
[ 15.327432][ T276] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 15.327756][ T276] page dumped because: kasan: bad access detected
[ 15.327974][ T276]
[ 15.328170][ T276] Memory state around the buggy address:
[ 15.328342][ T276] ffff8880052aa580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.328610][ T276] ffff8880052aa600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.328876][ T276] >ffff8880052aa680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.329148][ T276] ^
[ 15.329361][ T276] ffff8880052aa700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.329716][ T276] ffff8880052aa780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.329975][ T276] ==================================================================
[ 15.330307][ T276] Disabling lock debugging due to kernel taint
[ 15.330530][ T276] ------------[ cut here ]------------
[ 15.330704][ T276] refcount_t: underflow; use-after-free.
[ 15.331245][ T276] WARNING: CPU: 0 PID: 276 at lib/refcount.c:28 refcount_warn_saturate+0x16f/0x1b0
[ 15.331558][ T276] Modules linked in: vxlan
[ 15.331744][ T276] CPU: 0 UID: 0 PID: 276 Comm: ip Tainted: G B 6.18.0-rc4-virtme #1 PREEMPT(full)
[ 15.332120][ T276] Tainted: [B]=BAD_PAGE
[ 15.332264][ T276] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 15.332480][ T276] RIP: 0010:refcount_warn_saturate+0x16f/0x1b0
[ 15.332713][ T276] Code: cc 38 03 80 fb 01 0f 87 29 33 d7 fe 83 e3 01 0f 85 51 ff ff ff c6 05 17 cc 38 03 01 90 48 c7 c7 40 ba e5 aa e8 62 d6 16 ff 90 <0f> 0b 90 90 e9 33 ff ff ff 48 89 df e8 c0 9d a0 ff e9 ba fe ff ff
[ 15.333363][ T276] RSP: 0018:ffffc90000ae71f0 EFLAGS: 00010286
[ 15.333581][ T276] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 15.333867][ T276] RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000001
[ 15.334144][ T276] RBP: 0000000000000003 R08: 0000000000000000 R09: fffffbfff57c0934
[ 15.334500][ T276] R10: 0000000000000003 R11: ffffc90000ae6d80 R12: 0000000000000001
[ 15.334770][ T276] R13: dffffc0000000000 R14: dead000000000122 R15: dead000000000100
[ 15.335045][ T276] FS: 00007f75e3045800(0000) GS:ffff8880bfd08000(0000) knlGS:0000000000000000
[ 15.335459][ T276] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 15.335687][ T276] CR2: 00000000004e5d20 CR3: 000000001186e001 CR4: 0000000000772ef0
[ 15.336061][ T276] PKRU: 55555554
[ 15.336206][ T276] Call Trace:
[ 15.336334][ T276]
[ 15.336422][ T276] netdev_run_todo+0x5f0/0xc60
[ 15.336601][ T276] ? dev_ingress_queue_create+0x190/0x190
[ 15.336789][ T276] ? generic_xdp_install+0x410/0x410
[ 15.337074][ T276] ? __lock_acquire+0x449/0x7e0
[ 15.337263][ T276] rtnl_dellink+0x350/0xa30
[ 15.337434][ T276] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 15.337756][ T276] ? find_held_lock+0x2b/0x80
[ 15.337939][ T276] ? __lock_acquire+0x449/0x7e0
[ 15.338122][ T276] ? find_held_lock+0x2b/0x80
[ 15.338302][ T276] ? rtnetlink_rcv_msg+0x6e6/0xc00
[ 15.338570][ T276] ? __lock_release+0x5d/0x170
[ 15.338753][ T276] ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[ 15.338977][ T276] rtnetlink_rcv_msg+0x709/0xc00
[ 15.339172][ T276] ? rtnl_port_fill+0x890/0x890
[ 15.339524][ T276] ? __lock_acquire+0x449/0x7e0
[ 15.339704][ T276] netlink_rcv_skb+0x121/0x340
[ 15.339892][ T276] ? rtnl_port_fill+0x890/0x890
[ 15.340072][ T276] ? netlink_ack+0xdf0/0xdf0
[ 15.340354][ T276] ? netlink_deliver_tap+0x13e/0x340
[ 15.340522][ T276] ? netlink_deliver_tap+0xc3/0x340
[ 15.340702][ T276] netlink_unicast+0x4aa/0x780
[ 15.340890][ T276] ? netlink_attachskb+0x810/0x810
[ 15.341174][ T276] ? __lock_acquire+0x449/0x7e0
[ 15.341352][ T276] netlink_sendmsg+0x714/0xbd0
[ 15.341525][ T276] ? netlink_unicast+0x780/0x780
[ 15.341703][ T276] ? __import_iovec+0x230/0x3b0
[ 15.341982][ T276] ? netlink_unicast+0x780/0x780
[ 15.342174][ T276] ____sys_sendmsg+0x3dd/0x890
[ 15.342347][ T276] ? get_timestamp.constprop.0+0x370/0x370
[ 15.342557][ T276] ? __copy_msghdr+0x3c0/0x3c0
[ 15.342836][ T276] ___sys_sendmsg+0xed/0x170
[ 15.343091][ T276] ? kasan_record_aux_stack+0x8c/0xa0
[ 15.343279][ T276] ? __call_rcu_common.constprop.0+0xa8/0x630
[ 15.343493][ T276] ? copy_msghdr_from_user+0x110/0x110
[ 15.343674][ T276] ? find_held_lock+0x2b/0x80
[ 15.343966][ T276] ? __lock_acquire+0x449/0x7e0
[ 15.344154][ T276] ? find_held_lock+0x2b/0x80
[ 15.344418][ T276] ? __virt_addr_valid+0x22a/0x450
[ 15.344589][ T276] ? __lock_release+0x5d/0x170
[ 15.344780][ T276] __sys_sendmsg+0x10b/0x1a0
[ 15.345047][ T276] ? __call_rcu_common.constprop.0+0x318/0x630
[ 15.345367][ T276] ? __sys_sendmsg_sock+0x20/0x20
[ 15.345540][ T276] ? rcu_is_watching+0x12/0xb0
[ 15.345724][ T276] do_syscall_64+0xc1/0xfd0
[ 15.345970][ T276] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 15.346203][ T276] RIP: 0033:0x7f75e32131d7
[ 15.346379][ T276] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[ 15.347111][ T276] RSP: 002b:00007fff82c27408 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 15.347382][ T276] RAX: ffffffffffffffda RBX: 00007fff82c27b30 RCX: 00007f75e32131d7
[ 15.347653][ T276] RDX: 0000000000000000 RSI: 00007fff82c27470 RDI: 0000000000000005
[ 15.347984][ T276] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078
[ 15.348267][ T276] R10: 00007f75e310ff60 R11: 0000000000000246 R12: 0000000000000002
[ 15.348530][ T276] R13: 00000000690e05ad R14: 0000000000499600 R15: 0000000000000000
[ 15.348973][ T276]
[ 15.349129][ T276] irq event stamp: 40731
[ 15.349260][ T276] hardirqs last enabled at (40731): [] finish_task_switch.isra.0+0x245/0x960
[ 15.349611][ T276] hardirqs last disabled at (40730): [] __schedule+0x94a/0x1b10
[ 15.350107][ T276] softirqs last enabled at (40506): [] handle_softirqs+0x352/0x610
[ 15.350506][ T276] softirqs last disabled at (40501): [] irq_exit_rcu+0xab/0x100
[ 15.350825][ T276] ---[ end trace 0000000000000000 ]---
[ 70.598321][ T1393] br0: port 1(vx10) entered blocking state
[ 70.598577][ T1393] br0: port 1(vx10) entered disabled state
[ 70.598823][ T1393] vx10: entered allmulticast mode
[ 70.600172][ T1393] vx10: entered promiscuous mode
[ 71.669533][ T1420] vx10: left allmulticast mode
[ 71.669750][ T1420] vx10: left promiscuous mode
[ 71.671418][ T1420] br0: port 1(vx10) entered disabled state