[   17.640095][  T269] ip (269) used greatest stack depth: 24688 bytes left
[   18.014097][  T272] ip (272) used greatest stack depth: 23760 bytes left
[   22.247637][  T310] br0: port 1(gw_l) entered blocking state
[   22.248169][  T310] br0: port 1(gw_l) entered disabled state
[   22.248571][  T310] gw_l: entered allmulticast mode
[   22.250780][  T310] gw_l: entered promiscuous mode
[   22.253082][  T310] br0: port 1(gw_l) entered blocking state
[   22.253544][  T310] br0: port 1(gw_l) entered forwarding state
[   22.965411][  T312] br0: port 2(amtg) entered blocking state
[   22.965963][  T312] br0: port 2(amtg) entered disabled state
[   22.966407][  T312] amtg: entered allmulticast mode
[   22.971835][  T312] amtg: entered promiscuous mode
[   25.509696][  T324] br0: port 2(amtg) entered blocking state
[   25.510228][  T324] br0: port 2(amtg) entered forwarding state
[   27.036830][  T333] amtr: entered allmulticast mode
[   27.037967][  T333] relay_gw: entered allmulticast mode
[   27.038746][  T333] relay_src: entered allmulticast mode
[ 2097.740638][   T67] ==================================================================
[ 2097.741253][   T67] BUG: KASAN: slab-use-after-free in kobject_put+0xbb/0xd0
[ 2097.741751][   T67] Read of size 1 at addr ffff888008e8c6c4 by task kworker/u16:1/67
[ 2097.742175][   T67] 
[ 2097.742339][   T67] CPU: 2 UID: 0 PID: 67 Comm: kworker/u16:1 Not tainted 6.18.0-rc4-virtme #1 PREEMPT(full) 
[ 2097.742348][   T67] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 2097.742355][   T67] Workqueue: netns cleanup_net
[ 2097.742379][   T67] Call Trace:
[ 2097.742385][   T67]  <TASK>
[ 2097.742389][   T67]  dump_stack_lvl+0x82/0xc0
[ 2097.742402][   T67]  print_address_description.constprop.0+0x2c/0x3a0
[ 2097.742423][   T67]  ? kobject_put+0xbb/0xd0
[ 2097.742429][   T67]  print_report+0xb4/0x270
[ 2097.742435][   T67]  ? kobject_put+0xbb/0xd0
[ 2097.742439][   T67]  ? kasan_addr_to_slab+0x21/0x70
[ 2097.742446][   T67]  ? kobject_put+0xbb/0xd0
[ 2097.742451][   T67]  kasan_report+0xca/0x100
[ 2097.742458][   T67]  ? kobject_put+0xbb/0xd0
[ 2097.742468][   T67]  kobject_put+0xbb/0xd0
[ 2097.742474][   T67]  netdev_run_todo+0x5f0/0xc60
[ 2097.742482][   T67]  ? dev_ingress_queue_create+0x190/0x190
[ 2097.742488][   T67]  ? generic_xdp_install+0x410/0x410
[ 2097.742496][   T67]  ? net_generic+0xb1/0x1f0
[ 2097.742514][   T67]  ops_undo_list+0x714/0x890
[ 2097.742524][   T67]  ? rtnl_net_dumpid_one+0x270/0x270
[ 2097.742530][   T67]  ? cleanup_net+0x2d6/0x8b0
[ 2097.742540][   T67]  cleanup_net+0x3b2/0x8b0
[ 2097.742547][   T67]  ? net_passive_dec+0x190/0x190
[ 2097.742556][   T67]  ? rcu_is_watching+0x12/0xb0
[ 2097.742579][   T67]  process_one_work+0xe35/0x1650
[ 2097.742602][   T67]  ? pwq_dec_nr_in_flight+0x550/0x550
[ 2097.742611][   T67]  ? assign_work+0x168/0x240
[ 2097.742619][   T67]  worker_thread+0x591/0xcf0
[ 2097.742630][   T67]  ? rescuer_thread+0xd10/0xd10
[ 2097.742637][   T67]  kthread+0x37b/0x5f0
[ 2097.742645][   T67]  ? kthread_is_per_cpu+0xc0/0xc0
[ 2097.742651][   T67]  ? ret_from_fork+0x1b/0x270
[ 2097.742663][   T67]  ? __lock_release+0x5d/0x170
[ 2097.742673][   T67]  ? rcu_is_watching+0x12/0xb0
[ 2097.742679][   T67]  ? kthread_is_per_cpu+0xc0/0xc0
[ 2097.742686][   T67]  ret_from_fork+0x1db/0x270
[ 2097.742691][   T67]  ? kthread_is_per_cpu+0xc0/0xc0
[ 2097.742696][   T67]  ret_from_fork_asm+0x11/0x20
[ 2097.742725][   T67]  </TASK>
[ 2097.742727][   T67] 
[ 2097.754099][   T67] Allocated by task 264:
[ 2097.754317][   T67]  kasan_save_stack+0x24/0x40
[ 2097.754624][   T67]  kasan_save_track+0x14/0x30
[ 2097.754920][   T67]  __kasan_kmalloc+0x7b/0x90
[ 2097.755216][   T67]  __kvmalloc_node_noprof+0x2e5/0x8e0
[ 2097.755493][   T67]  alloc_netdev_mqs+0x7d/0x1370
[ 2097.755779][   T67]  ip6_tnl_init_net+0x102/0x3f0
[ 2097.756056][   T67]  ops_init+0x189/0x550
[ 2097.756271][   T67]  setup_net+0xf1/0x380
[ 2097.756472][   T67]  copy_net_ns+0x253/0x510
[ 2097.756757][   T67]  create_new_namespaces+0x35f/0x900
[ 2097.757027][   T67]  unshare_nsproxy_namespaces+0x8a/0x1a0
[ 2097.757301][   T67]  ksys_unshare+0x2be/0x6e0
[ 2097.757677][   T67]  __x64_sys_unshare+0x31/0x40
[ 2097.757962][   T67]  do_syscall_64+0xc1/0xfd0
[ 2097.758250][   T67]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 2097.758618][   T67] 
[ 2097.758764][   T67] Freed by task 67:
[ 2097.758957][   T67]  kasan_save_stack+0x24/0x40
[ 2097.759266][   T67]  kasan_save_track+0x14/0x30
[ 2097.759546][   T67]  __kasan_save_free_info+0x3b/0x60
[ 2097.759833][   T67]  __kasan_slab_free+0x3f/0x60
[ 2097.760122][   T67]  kfree+0x21d/0x540
[ 2097.760331][   T67]  device_release+0x9c/0x210
[ 2097.760609][   T67]  kobject_cleanup+0xfe/0x360
[ 2097.760872][   T67]  netdev_run_todo+0x81f/0xc60
[ 2097.761132][   T67]  ops_undo_list+0x714/0x890
[ 2097.761394][   T67]  cleanup_net+0x3b2/0x8b0
[ 2097.761688][   T67]  process_one_work+0xe35/0x1650
[ 2097.762003][   T67]  worker_thread+0x591/0xcf0
[ 2097.762283][   T67]  kthread+0x37b/0x5f0
[ 2097.762482][   T67]  ret_from_fork+0x1db/0x270
[ 2097.762744][   T67]  ret_from_fork_asm+0x11/0x20
[ 2097.763010][   T67] 
[ 2097.763143][   T67] The buggy address belongs to the object at ffff888008e8c000
[ 2097.763143][   T67]  which belongs to the cache kmalloc-4k of size 4096
[ 2097.763809][   T67] The buggy address is located 1732 bytes inside of
[ 2097.763809][   T67]  freed 4096-byte region [ffff888008e8c000, ffff888008e8d000)
[ 2097.764421][   T67] 
[ 2097.764600][   T67] The buggy address belongs to the physical page:
[ 2097.764929][   T67] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8e88
[ 2097.765435][   T67] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 2097.765880][   T67] flags: 0x80000000000040(head|node=0|zone=1)
[ 2097.766262][   T67] page_type: f5(slab)
[ 2097.766481][   T67] raw: 0080000000000040 ffff888001043700 ffffea000021a010 ffffea000029ec10
[ 2097.766999][   T67] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 2097.767490][   T67] head: 0080000000000040 ffff888001043700 ffffea000021a010 ffffea000029ec10
[ 2097.768002][   T67] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 2097.768490][   T67] head: 0080000000000003 ffffea000023a201 00000000ffffffff 00000000ffffffff
[ 2097.768987][   T67] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 2097.769464][   T67] page dumped because: kasan: bad access detected
[ 2097.769853][   T67] 
[ 2097.769986][   T67] Memory state around the buggy address:
[ 2097.770274][   T67]  ffff888008e8c580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2097.770660][   T67]  ffff888008e8c600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2097.771051][   T67] >ffff888008e8c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2097.771518][   T67]                                            ^
[ 2097.771922][   T67]  ffff888008e8c700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2097.772672][   T67]  ffff888008e8c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2097.773111][   T67] ==================================================================
[ 2097.774129][   T67] Disabling lock debugging due to kernel taint
[ 2097.774462][   T67] ------------[ cut here ]------------
[ 2097.774746][   T67] refcount_t: underflow; use-after-free.
[ 2097.775009][   T67] WARNING: CPU: 3 PID: 67 at lib/refcount.c:28 refcount_warn_saturate+0x16f/0x1b0
[ 2097.775369][   T67] Modules linked in: xt_HL nft_compat nf_tables amt
[ 2097.775686][   T67] CPU: 3 UID: 0 PID: 67 Comm: kworker/u16:1 Tainted: G    B               6.18.0-rc4-virtme #1 PREEMPT(full) 
[ 2097.776102][   T67] Tainted: [B]=BAD_PAGE
[ 2097.776247][   T67] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 2097.776494][   T67] Workqueue: netns cleanup_net
[ 2097.776710][   T67] RIP: 0010:refcount_warn_saturate+0x16f/0x1b0
[ 2097.776934][   T67] Code: cc 38 03 80 fb 01 0f 87 29 33 d7 fe 83 e3 01 0f 85 51 ff ff ff c6 05 17 cc 38 03 01 90 48 c7 c7 40 ba a5 8d e8 62 d6 16 ff 90 <0f> 0b 90 90 e9 33 ff ff ff 48 89 df e8 c0 9d a0 ff e9 ba fe ff ff
[ 2097.777578][   T67] RSP: 0018:ffffc90000487a08 EFLAGS: 00010282
[ 2097.777809][   T67] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 2097.778059][   T67] RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000001
[ 2097.778345][   T67] RBP: 0000000000000003 R08: 0000000000000000 R09: fffffbfff1d40934
[ 2097.778634][   T67] R10: 0000000000000003 R11: ffffc90000487580 R12: 0000000000000001
[ 2097.778895][   T67] R13: dffffc0000000000 R14: dead000000000122 R15: dead000000000100
[ 2097.779153][   T67] FS:  0000000000000000(0000) GS:ffff8880dd288000(0000) knlGS:0000000000000000
[ 2097.779468][   T67] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2097.779675][   T67] CR2: 00007f3504073000 CR3: 0000000011549001 CR4: 0000000000772ef0
[ 2097.779949][   T67] PKRU: 55555554
[ 2097.780088][   T67] Call Trace:
[ 2097.780219][   T67]  <TASK>
[ 2097.780310][   T67]  netdev_run_todo+0x5f0/0xc60
[ 2097.780528][   T67]  ? dev_ingress_queue_create+0x190/0x190
[ 2097.780703][   T67]  ? generic_xdp_install+0x410/0x410
[ 2097.780873][   T67]  ? net_generic+0xb1/0x1f0
[ 2097.781103][   T67]  ops_undo_list+0x714/0x890
[ 2097.781268][   T67]  ? rtnl_net_dumpid_one+0x270/0x270
[ 2097.781637][   T67]  ? cleanup_net+0x2d6/0x8b0
[ 2097.781795][   T67]  cleanup_net+0x3b2/0x8b0
[ 2097.781969][   T67]  ? net_passive_dec+0x190/0x190
[ 2097.782224][   T67]  ? rcu_is_watching+0x12/0xb0
[ 2097.782515][   T67]  process_one_work+0xe35/0x1650
[ 2097.782695][   T67]  ? pwq_dec_nr_in_flight+0x550/0x550
[ 2097.782856][   T67]  ? assign_work+0x168/0x240
[ 2097.783019][   T67]  worker_thread+0x591/0xcf0
[ 2097.783214][   T67]  ? rescuer_thread+0xd10/0xd10
[ 2097.783388][   T67]  kthread+0x37b/0x5f0
[ 2097.783537][   T67]  ? kthread_is_per_cpu+0xc0/0xc0
[ 2097.783700][   T67]  ? ret_from_fork+0x1b/0x270
[ 2097.783900][   T67]  ? __lock_release+0x5d/0x170
[ 2097.784067][   T67]  ? rcu_is_watching+0x12/0xb0
[ 2097.784266][   T67]  ? kthread_is_per_cpu+0xc0/0xc0
[ 2097.784472][   T67]  ret_from_fork+0x1db/0x270
[ 2097.784748][   T67]  ? kthread_is_per_cpu+0xc0/0xc0
[ 2097.784920][   T67]  ret_from_fork_asm+0x11/0x20
[ 2097.785098][   T67]  </TASK>
[ 2097.785235][   T67] irq event stamp: 18661
[ 2097.785406][   T67] hardirqs last  enabled at (18661): [<ffffffff8b3072e5>] finish_task_switch.isra.0+0x245/0x960
[ 2097.785916][   T67] hardirqs last disabled at (18660): [<ffffffff8d60a2ca>] __schedule+0x94a/0x1b10
[ 2097.786212][   T67] softirqs last  enabled at (18544): [<ffffffff8b263832>] handle_softirqs+0x352/0x610
[ 2097.786696][   T67] softirqs last disabled at (18495): [<ffffffff8b26409b>] irq_exit_rcu+0xab/0x100
[ 2097.787010][   T67] ---[ end trace 0000000000000000 ]---
[ 2097.800593][   T67] br0: port 1(gw_l) entered disabled state
[ 2097.807233][   T67] gw_l (unregistering): left allmulticast mode
[ 2097.807536][   T67] gw_l (unregistering): left promiscuous mode
[ 2097.807791][   T67] br0: port 1(gw_l) entered disabled state
[ 2097.837903][   T67] amtg: left allmulticast mode
[ 2097.838159][   T67] amtg: left promiscuous mode
[ 2097.838521][   T67] br0: port 2(amtg) entered disabled state
[ 2097.908195][   T67] relay_gw (unregistering): left allmulticast mode
[ 2097.918894][   T67] amtr (unregistering): left allmulticast mode
[ 2097.980749][  T333] relay_src: left allmulticast mode