[   18.661000][  T281] link0: entered promiscuous mode
[   19.675283][  T281] link0: left promiscuous mode
[   20.141633][  T292] ==================================================================
[   20.142105][  T292] BUG: KASAN: slab-use-after-free in kobject_put+0xbb/0xd0
[   20.142519][  T292] Read of size 1 at addr ffff88800b5796c4 by task ip/292
[   20.142825][  T292] 
[   20.142957][  T292] CPU: 0 UID: 0 PID: 292 Comm: ip Not tainted 6.18.0-rc4-virtme #1 PREEMPT(full) 
[   20.142966][  T292] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   20.142969][  T292] Call Trace:
[   20.142974][  T292]  <TASK>
[   20.142977][  T292]  dump_stack_lvl+0x82/0xc0
[   20.142989][  T292]  print_address_description.constprop.0+0x2c/0x3a0
[   20.143006][  T292]  ? kobject_put+0xbb/0xd0
[   20.143012][  T292]  print_report+0xb4/0x270
[   20.143020][  T292]  ? kobject_put+0xbb/0xd0
[   20.143024][  T292]  ? kasan_addr_to_slab+0x21/0x70
[   20.143031][  T292]  ? kobject_put+0xbb/0xd0
[   20.143036][  T292]  kasan_report+0xca/0x100
[   20.143043][  T292]  ? kobject_put+0xbb/0xd0
[   20.143053][  T292]  kobject_put+0xbb/0xd0
[   20.143058][  T292]  netdev_run_todo+0x5f0/0xc60
[   20.143069][  T292]  ? dev_ingress_queue_create+0x190/0x190
[   20.143075][  T292]  ? generic_xdp_install+0x410/0x410
[   20.143081][  T292]  ? unregister_netdevice_many+0x20/0x20
[   20.143092][  T292]  rtnl_dellink+0x350/0xa30
[   20.143101][  T292]  ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[   20.143140][  T292]  ? find_held_lock+0x2b/0x80
[   20.143150][  T292]  ? __lock_acquire+0x449/0x7e0
[   20.143160][  T292]  ? find_held_lock+0x2b/0x80
[   20.143166][  T292]  ? rtnetlink_rcv_msg+0x6e6/0xc00
[   20.143171][  T292]  ? __lock_release+0x5d/0x170
[   20.143178][  T292]  ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[   20.143184][  T292]  rtnetlink_rcv_msg+0x709/0xc00
[   20.143192][  T292]  ? rtnl_port_fill+0x890/0x890
[   20.143197][  T292]  ? __lock_acquire+0x449/0x7e0
[   20.143210][  T292]  netlink_rcv_skb+0x121/0x340
[   20.143221][  T292]  ? rtnl_port_fill+0x890/0x890
[   20.143229][  T292]  ? netlink_ack+0xdf0/0xdf0
[   20.143241][  T292]  ? netlink_deliver_tap+0x13e/0x340
[   20.143245][  T292]  ? netlink_deliver_tap+0xc3/0x340
[   20.143252][  T292]  netlink_unicast+0x4aa/0x780
[   20.143260][  T292]  ? netlink_attachskb+0x810/0x810
[   20.143267][  T292]  ? __lock_acquire+0x449/0x7e0
[   20.143276][  T292]  netlink_sendmsg+0x714/0xbd0
[   20.143284][  T292]  ? netlink_unicast+0x780/0x780
[   20.143290][  T292]  ? __import_iovec+0x230/0x3b0
[   20.143313][  T292]  ? netlink_unicast+0x780/0x780
[   20.143319][  T292]  ____sys_sendmsg+0x3dd/0x890
[   20.143326][  T292]  ? get_timestamp.constprop.0+0x370/0x370
[   20.143331][  T292]  ? __copy_msghdr+0x3c0/0x3c0
[   20.143344][  T292]  ___sys_sendmsg+0xed/0x170
[   20.143349][  T292]  ? kasan_record_aux_stack+0x8c/0xa0
[   20.143357][  T292]  ? __call_rcu_common.constprop.0+0xa8/0x630
[   20.143364][  T292]  ? copy_msghdr_from_user+0x110/0x110
[   20.143372][  T292]  ? find_held_lock+0x2b/0x80
[   20.143380][  T292]  ? __lock_acquire+0x449/0x7e0
[   20.143390][  T292]  ? find_held_lock+0x2b/0x80
[   20.143396][  T292]  ? __virt_addr_valid+0x22a/0x450
[   20.143411][  T292]  ? __lock_release+0x5d/0x170
[   20.143421][  T292]  __sys_sendmsg+0x10b/0x1a0
[   20.143426][  T292]  ? __call_rcu_common.constprop.0+0x318/0x630
[   20.143431][  T292]  ? __sys_sendmsg_sock+0x20/0x20
[   20.143445][  T292]  ? rcu_is_watching+0x12/0xb0
[   20.143454][  T292]  do_syscall_64+0xc1/0xfd0
[   20.143463][  T292]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[   20.143469][  T292] RIP: 0033:0x7fb9100f51d7
[   20.143479][  T292] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[   20.143484][  T292] RSP: 002b:00007ffd45052478 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   20.143490][  T292] RAX: ffffffffffffffda RBX: 00007ffd45052bb0 RCX: 00007fb9100f51d7
[   20.143494][  T292] RDX: 0000000000000000 RSI: 00007ffd450524e0 RDI: 0000000000000005
[   20.143497][  T292] RBP: 0000000000000001 R08: 0000000000000003 R09: 0000000000000078
[   20.143500][  T292] R10: 00007fb90fff1510 R11: 0000000000000246 R12: 0000000000000001
[   20.143503][  T292] R13: 00000000690df891 R14: 0000000000499600 R15: 0000000000000000
[   20.143516][  T292]  </TASK>
[   20.143518][  T292] 
[   20.162024][  T292] Allocated by task 271:
[   20.162226][  T292]  kasan_save_stack+0x24/0x40
[   20.162501][  T292]  kasan_save_track+0x14/0x30
[   20.162769][  T292]  __kasan_kmalloc+0x7b/0x90
[   20.163023][  T292]  __kvmalloc_node_noprof+0x2e5/0x8e0
[   20.163307][  T292]  alloc_netdev_mqs+0x7d/0x1370
[   20.163569][  T292]  rtnl_create_link+0xa9e/0xe20
[   20.163832][  T292]  rtnl_newlink_create+0x203/0x8f0
[   20.164085][  T292]  __rtnl_newlink+0x231/0xa30
[   20.164351][  T292]  rtnl_newlink+0x693/0xa60
[   20.164617][  T292]  rtnetlink_rcv_msg+0x709/0xc00
[   20.164890][  T292]  netlink_rcv_skb+0x121/0x340
[   20.165149][  T292]  netlink_unicast+0x4aa/0x780
[   20.165409][  T292]  netlink_sendmsg+0x714/0xbd0
[   20.165672][  T292]  ____sys_sendmsg+0x3dd/0x890
[   20.165951][  T292]  ___sys_sendmsg+0xed/0x170
[   20.166221][  T292]  __sys_sendmsg+0x10b/0x1a0
[   20.166479][  T292]  do_syscall_64+0xc1/0xfd0
[   20.166743][  T292]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[   20.167079][  T292] 
[   20.167212][  T292] Freed by task 292:
[   20.167410][  T292]  kasan_save_stack+0x24/0x40
[   20.167684][  T292]  kasan_save_track+0x14/0x30
[   20.167949][  T292]  __kasan_save_free_info+0x3b/0x60
[   20.168200][  T292]  __kasan_slab_free+0x3f/0x60
[   20.168440][  T292]  kfree+0x21d/0x540
[   20.168644][  T292]  device_release+0x9c/0x210
[   20.169112][  T292]  kobject_cleanup+0xfe/0x360
[   20.169401][  T292]  netdev_run_todo+0x81f/0xc60
[   20.169614][  T292]  rtnl_dellink+0x350/0xa30
[   20.169892][  T292]  rtnetlink_rcv_msg+0x709/0xc00
[   20.170346][  T292]  netlink_rcv_skb+0x121/0x340
[   20.170610][  T292]  netlink_unicast+0x4aa/0x780
[   20.170905][  T292]  netlink_sendmsg+0x714/0xbd0
[   20.171115][  T292]  ____sys_sendmsg+0x3dd/0x890
[   20.171374][  T292]  ___sys_sendmsg+0xed/0x170
[   20.171658][  T292]  __sys_sendmsg+0x10b/0x1a0
[   20.171945][  T292]  do_syscall_64+0xc1/0xfd0
[   20.172226][  T292]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[   20.172751][  T292] 
[   20.172891][  T292] The buggy address belongs to the object at ffff88800b579000
[   20.172891][  T292]  which belongs to the cache kmalloc-4k of size 4096
[   20.173721][  T292] The buggy address is located 1732 bytes inside of
[   20.173721][  T292]  freed 4096-byte region [ffff88800b579000, ffff88800b57a000)
[   20.174347][  T292] 
[   20.174496][  T292] The buggy address belongs to the physical page:
[   20.174997][  T292] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb578
[   20.175502][  T292] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   20.175940][  T292] flags: 0x80000000000040(head|node=0|zone=1)
[   20.176470][  T292] page_type: f5(slab)
[   20.176691][  T292] raw: 0080000000000040 ffff888001043700 ffffea00002d6010 ffffea000033bc10
[   20.177198][  T292] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[   20.177877][  T292] head: 0080000000000040 ffff888001043700 ffffea00002d6010 ffffea000033bc10
[   20.178381][  T292] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[   20.179071][  T292] head: 0080000000000003 ffffea00002d5e01 00000000ffffffff 00000000ffffffff
[   20.179564][  T292] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   20.180246][  T292] page dumped because: kasan: bad access detected
[   20.180591][  T292] 
[   20.180730][  T292] Memory state around the buggy address:
[   20.181004][  T292]  ffff88800b579580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.181580][  T292]  ffff88800b579600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.181977][  T292] >ffff88800b579680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.182376][  T292]                                            ^
[   20.182878][  T292]  ffff88800b579700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.183278][  T292]  ffff88800b579780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.183688][  T292] ==================================================================
[   20.184284][  T292] Disabling lock debugging due to kernel taint
[   20.184608][  T292] ------------[ cut here ]------------
[   20.184855][  T292] refcount_t: underflow; use-after-free.
[   20.185335][  T292] WARNING: CPU: 0 PID: 292 at lib/refcount.c:28 refcount_warn_saturate+0x16f/0x1b0
[   20.185798][  T292] Modules linked in:
[   20.186008][  T292] CPU: 0 UID: 0 PID: 292 Comm: ip Tainted: G    B               6.18.0-rc4-virtme #1 PREEMPT(full) 
[   20.186731][  T292] Tainted: [B]=BAD_PAGE
[   20.186934][  T292] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   20.187270][  T292] RIP: 0010:refcount_warn_saturate+0x16f/0x1b0
[   20.187620][  T292] Code: cc 38 03 80 fb 01 0f 87 29 33 d7 fe 83 e3 01 0f 85 51 ff ff ff c6 05 17 cc 38 03 01 90 48 c7 c7 40 ba 85 b6 e8 62 d6 16 ff 90 <0f> 0b 90 90 e9 33 ff ff ff 48 89 df e8 c0 9d a0 ff e9 ba fe ff ff
[   20.188592][  T292] RSP: 0018:ffffc90000d071f0 EFLAGS: 00010286
[   20.188954][  T292] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   20.189388][  T292] RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000001
[   20.189785][  T292] RBP: 0000000000000003 R08: 0000000000000000 R09: fffffbfff6f00934
[   20.190190][  T292] R10: 0000000000000003 R11: ffffc90000d06d80 R12: 0000000000000001
[   20.190616][  T292] R13: dffffc0000000000 R14: dead000000000122 R15: dead000000000100
[   20.191041][  T292] FS:  00007fb90ff27800(0000) GS:ffff8880b4308000(0000) knlGS:0000000000000000
[   20.191544][  T292] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   20.191904][  T292] CR2: 000055b2d4514dec CR3: 000000000b99b005 CR4: 0000000000772ef0
[   20.192347][  T292] PKRU: 55555554
[   20.192574][  T292] Call Trace:
[   20.192785][  T292]  <TASK>
[   20.192916][  T292]  netdev_run_todo+0x5f0/0xc60
[   20.193210][  T292]  ? dev_ingress_queue_create+0x190/0x190
[   20.193511][  T292]  ? generic_xdp_install+0x410/0x410
[   20.193791][  T292]  ? unregister_netdevice_many+0x20/0x20
[   20.194078][  T292]  rtnl_dellink+0x350/0xa30
[   20.194381][  T292]  ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[   20.194761][  T292]  ? find_held_lock+0x2b/0x80
[   20.195044][  T292]  ? __lock_acquire+0x449/0x7e0
[   20.195462][  T292]  ? find_held_lock+0x2b/0x80
[   20.195744][  T292]  ? rtnetlink_rcv_msg+0x6e6/0xc00
[   20.196022][  T292]  ? __lock_release+0x5d/0x170
[   20.196428][  T292]  ? valid_bridge_getlink_req.constprop.0+0x640/0x640
[   20.196791][  T292]  rtnetlink_rcv_msg+0x709/0xc00
[   20.197069][  T292]  ? rtnl_port_fill+0x890/0x890
[   20.197473][  T292]  ? __lock_acquire+0x449/0x7e0
[   20.197759][  T292]  netlink_rcv_skb+0x121/0x340
[   20.198037][  T292]  ? rtnl_port_fill+0x890/0x890
[   20.198481][  T292]  ? netlink_ack+0xdf0/0xdf0
[   20.198761][  T292]  ? netlink_deliver_tap+0x13e/0x340
[   20.199026][  T292]  ? netlink_deliver_tap+0xc3/0x340
[   20.199455][  T292]  netlink_unicast+0x4aa/0x780
[   20.199741][  T292]  ? netlink_attachskb+0x810/0x810
[   20.200017][  T292]  ? __lock_acquire+0x449/0x7e0
[   20.200426][  T292]  netlink_sendmsg+0x714/0xbd0
[   20.200704][  T292]  ? netlink_unicast+0x780/0x780
[   20.200986][  T292]  ? __import_iovec+0x230/0x3b0
[   20.201390][  T292]  ? netlink_unicast+0x780/0x780
[   20.201673][  T292]  ____sys_sendmsg+0x3dd/0x890
[   20.201934][  T292]  ? get_timestamp.constprop.0+0x370/0x370
[   20.202372][  T292]  ? __copy_msghdr+0x3c0/0x3c0
[   20.202643][  T292]  ___sys_sendmsg+0xed/0x170
[   20.202914][  T292]  ? kasan_record_aux_stack+0x8c/0xa0
[   20.203333][  T292]  ? __call_rcu_common.constprop.0+0xa8/0x630
[   20.203695][  T292]  ? copy_msghdr_from_user+0x110/0x110
[   20.203982][  T292]  ? find_held_lock+0x2b/0x80
[   20.204394][  T292]  ? __lock_acquire+0x449/0x7e0
[   20.204677][  T292]  ? find_held_lock+0x2b/0x80
[   20.204960][  T292]  ? __virt_addr_valid+0x22a/0x450
[   20.205359][  T292]  ? __lock_release+0x5d/0x170
[   20.205644][  T292]  __sys_sendmsg+0x10b/0x1a0
[   20.205917][  T292]  ? __call_rcu_common.constprop.0+0x318/0x630
[   20.206290][  T292]  ? __sys_sendmsg_sock+0x20/0x20
[   20.206469][  T292]  ? rcu_is_watching+0x12/0xb0
[   20.206643][  T292]  do_syscall_64+0xc1/0xfd0
[   20.206826][  T292]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[   20.207238][  T292] RIP: 0033:0x7fb9100f51d7
[   20.207543][  T292] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[   20.208670][  T292] RSP: 002b:00007ffd45052478 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   20.209094][  T292] RAX: ffffffffffffffda RBX: 00007ffd45052bb0 RCX: 00007fb9100f51d7
[   20.209626][  T292] RDX: 0000000000000000 RSI: 00007ffd450524e0 RDI: 0000000000000005
[   20.210038][  T292] RBP: 0000000000000001 R08: 0000000000000003 R09: 0000000000000078
[   20.210446][  T292] R10: 00007fb90fff1510 R11: 0000000000000246 R12: 0000000000000001
[   20.210704][  T292] R13: 00000000690df891 R14: 0000000000499600 R15: 0000000000000000
[   20.210975][  T292]  </TASK>
[   20.211169][  T292] irq event stamp: 49059
[   20.211298][  T292] hardirqs last  enabled at (49059): [<ffffffffb6400e8b>] irqentry_exit+0x3b/0x80
[   20.211615][  T292] hardirqs last disabled at (49058): [<ffffffffb406395f>] handle_softirqs+0x47f/0x610
[   20.211918][  T292] softirqs last  enabled at (48962): [<ffffffffb4063832>] handle_softirqs+0x352/0x610
[   20.212288][  T292] softirqs last disabled at (48957): [<ffffffffb406409b>] irq_exit_rcu+0xab/0x100
[   20.212583][  T292] ---[ end trace 0000000000000000 ]---