[ 5529.122476][ C2] ==================================================================
[ 5529.122710][ C2] BUG: KASAN: slab-use-after-free in dst_destroy+0x316/0x370
[ 5529.122912][ C2] Read of size 8 at addr ffff88800a6923b0 by task swapper/2/0
[ 5529.123093][ C2]
[ 5529.123162][ C2] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 6.9.0-rc6-virtme #1
[ 5529.123358][ C2] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 5529.123645][ C2] Call Trace:
[ 5529.123744][ C2]
[ 5529.123813][ C2] dump_stack_lvl+0x82/0xd0
[ 5529.123948][ C2] print_address_description.constprop.0+0x2c/0x3b0
[ 5529.124113][ C2] ? dst_destroy+0x316/0x370
[ 5529.124242][ C2] print_report+0xb4/0x270
[ 5529.124368][ C2] ? kasan_addr_to_slab+0x4e/0x90
[ 5529.124501][ C2] kasan_report+0xbd/0xf0
[ 5529.124596][ C2] ? dst_destroy+0x316/0x370
[ 5529.124722][ C2] dst_destroy+0x316/0x370
[ 5529.124847][ C2] ? rcu_do_batch+0x3be/0xfb0
[ 5529.124980][ C2] rcu_do_batch+0x3c0/0xfb0
[ 5529.125109][ C2] ? __pfx_rcu_do_batch+0x10/0x10
[ 5529.125233][ C2] ? lockdep_hardirqs_on_prepare.part.0+0x14f/0x370
[ 5529.125393][ C2] rcu_core+0x2be/0x500
[ 5529.125490][ C2] __do_softirq+0x1f8/0x5df
[ 5529.125622][ C2] irq_exit_rcu+0x97/0xc0
[ 5529.125721][ C2] sysvec_apic_timer_interrupt+0x75/0x80
[ 5529.125849][ C2]
[ 5529.125916][ C2]
[ 5529.125980][ C2] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 5529.126139][ C2] RIP: 0010:default_idle+0xf/0x20
[ 5529.126271][ C2] Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d d3 e6 30 00 fb f4 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
[ 5529.126724][ C2] RSP: 0018:ffffc9000015fdf8 EFLAGS: 00000246
[ 5529.126890][ C2] RAX: 00000000061d380f RBX: 1ffff9200002bfc1 RCX: ffffffffad3526a5
[ 5529.127080][ C2] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffaaaaefc4
[ 5529.127267][ C2] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed1006c2709c
[ 5529.127455][ C2] R10: ffff8880361384e3 R11: ffff88803613de40 R12: 0000000000000000
[ 5529.127714][ C2] R13: ffff888001b945c0 R14: dffffc0000000000 R15: 0000000000000000
[ 5529.127977][ C2] ? ct_kernel_exit.constprop.0+0xc5/0xf0
[ 5529.128101][ C2] ? cpuidle_idle_call+0x1f4/0x280
[ 5529.128298][ C2] default_idle_call+0x6d/0xb0
[ 5529.128424][ C2] cpuidle_idle_call+0x1f4/0x280
[ 5529.128547][ C2] ? __pfx_cpuidle_idle_call+0x10/0x10
[ 5529.128673][ C2] ? tsc_verify_tsc_adjust+0x5e/0x2b0
[ 5529.128942][ C2] do_idle+0xf9/0x160
[ 5529.129037][ C2] cpu_startup_entry+0x54/0x60
[ 5529.129162][ C2] start_secondary+0x21c/0x2b0
[ 5529.129288][ C2] ? __pfx_start_secondary+0x10/0x10
[ 5529.129419][ C2] common_startup_64+0x12c/0x138
[ 5529.129624][ C2]
[ 5529.129717][ C2]
[ 5529.129780][ C2] Allocated by task 18953:
[ 5529.129904][ C2] kasan_save_stack+0x24/0x50
[ 5529.130033][ C2] kasan_save_track+0x14/0x30
[ 5529.130158][ C2] __kasan_slab_alloc+0x59/0x70
[ 5529.130282][ C2] kmem_cache_alloc+0xef/0x270
[ 5529.130415][ C2] copy_net_ns+0xc6/0x730
[ 5529.130512][ C2] create_new_namespaces+0x35f/0x920
[ 5529.130638][ C2] unshare_nsproxy_namespaces+0x8a/0x1b0
[ 5529.130767][ C2] ksys_unshare+0x2cc/0x6e0
[ 5529.130894][ C2] __x64_sys_unshare+0x31/0x40
[ 5529.131019][ C2] do_syscall_64+0xc3/0x1d0
[ 5529.131209][ C2] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 5529.131365][ C2]
[ 5529.131432][ C2] Freed by task 73:
[ 5529.131526][ C2] kasan_save_stack+0x24/0x50
[ 5529.131653][ C2] kasan_save_track+0x14/0x30
[ 5529.131845][ C2] kasan_save_free_info+0x3b/0x60
[ 5529.131971][ C2] __kasan_slab_free+0xf4/0x180
[ 5529.132095][ C2] kmem_cache_free+0xd7/0x220
[ 5529.132222][ C2] cleanup_net+0x7de/0xb60
[ 5529.132414][ C2] process_one_work+0xe2c/0x1730
[ 5529.132543][ C2] worker_thread+0x587/0xd30
[ 5529.132668][ C2] kthread+0x28a/0x350
[ 5529.132764][ C2] ret_from_fork+0x31/0x70
[ 5529.132889][ C2] ret_from_fork_asm+0x1a/0x30
[ 5529.133083][ C2]
[ 5529.133149][ C2] The buggy address belongs to the object at ffff88800a691a00
[ 5529.133149][ C2] which belongs to the cache net_namespace of size 6208
[ 5529.133473][ C2] The buggy address is located 2480 bytes inside of
[ 5529.133473][ C2] freed 6208-byte region [ffff88800a691a00, ffff88800a693240)
[ 5529.133838][ C2]
[ 5529.133902][ C2] The buggy address belongs to the physical page:
[ 5529.134129][ C2] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa690
[ 5529.134423][ C2] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 5529.134684][ C2] flags: 0x80000000000840(slab|head|node=0|zone=1)
[ 5529.134925][ C2] page_type: 0xffffffff()
[ 5529.135094][ C2] raw: 0080000000000840 ffff88800192d240 ffffea00001c2a10 ffff8880019320a8
[ 5529.135394][ C2] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 5529.135690][ C2] head: 0080000000000840 ffff88800192d240 ffffea00001c2a10 ffff8880019320a8
[ 5529.135992][ C2] head: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 5529.136218][ C2] head: 0080000000000003 ffffea000029a401 ffffea000029a448 00000000ffffffff
[ 5529.136585][ C2] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[ 5529.136878][ C2] page dumped because: kasan: bad access detected
[ 5529.137033][ C2]
[ 5529.137161][ C2] Memory state around the buggy address:
[ 5529.137284][ C2] ffff88800a692280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5529.137610][ C2] ffff88800a692300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5529.137789][ C2] >ffff88800a692380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5529.138041][ C2] ^
[ 5529.138166][ C2] ffff88800a692400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5529.138413][ C2] ffff88800a692480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5529.138662][ C2] ==================================================================
[ 5529.138965][ C2] Disabling lock debugging due to kernel taint