[ 3003.477561][ C3] ==================================================================
[ 3003.477893][ C3] BUG: KASAN: slab-use-after-free in dst_destroy+0x316/0x370
[ 3003.478135][ C3] Read of size 8 at addr ffff88800907d730 by task kworker/u16:0/10
[ 3003.478373][ C3]
[ 3003.478459][ C3] CPU: 3 PID: 10 Comm: kworker/u16:0 Not tainted 6.9.0-rc6-virtme #1
[ 3003.478697][ C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 3003.479045][ C3] Workqueue: netns cleanup_net
[ 3003.479218][ C3] Call Trace:
[ 3003.479344][ C3] <IRQ>
[ 3003.479428][ C3] dump_stack_lvl+0x82/0xd0
[ 3003.479606][ C3] print_address_description.constprop.0+0x2c/0x3b0
[ 3003.479814][ C3] ? dst_destroy+0x316/0x370
[ 3003.480062][ C3] print_report+0xb4/0x270
[ 3003.480221][ C3] ? kasan_addr_to_slab+0x4e/0x90
[ 3003.480382][ C3] kasan_report+0xbd/0xf0
[ 3003.480503][ C3] ? dst_destroy+0x316/0x370
[ 3003.480662][ C3] dst_destroy+0x316/0x370
[ 3003.480914][ C3] ? rcu_do_batch+0x3be/0xfb0
[ 3003.481072][ C3] rcu_do_batch+0x3c0/0xfb0
[ 3003.481238][ C3] ? hlock_class+0x4e/0x130
[ 3003.481399][ C3] ? __pfx_rcu_do_batch+0x10/0x10
[ 3003.481644][ C3] ? lockdep_hardirqs_on_prepare.part.0+0x14f/0x370
[ 3003.481841][ C3] rcu_core+0x2be/0x500
[ 3003.481962][ C3] __do_softirq+0x1f8/0x5df
[ 3003.482120][ C3] irq_exit_rcu+0x97/0xc0
[ 3003.482409][ C3] sysvec_apic_timer_interrupt+0x75/0x80
[ 3003.482582][ C3] </IRQ>
[ 3003.482668][ C3] <TASK>
[ 3003.482750][ C3] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 3003.482950][ C3] RIP: 0010:__orc_find+0x54/0xf0
[ 3003.483124][ C3] Code: f0 4c 39 e7 77 7b 48 b9 00 00 00 00 00 fc ff df 49 89 ff 48 89 fd eb 0c 48 8d 6b 04 49 89 df 4c 39 e5 77 4e 4c 89 e2 48 29 ea <48> 89 d6 48 c1 ea 3f 48 c1 fe 02 48 01 f2 48 d1 fa 48 8d 5c 95 00
[ 3003.483775][ C3] RSP: 0018:ffffc900000af598 EFLAGS: 00000206
[ 3003.483981][ C3] RAX: ffffffff90f37d0e RBX: ffffffff90c0cb10 RCX: dffffc0000000000
[ 3003.484306][ C3] RDX: 0000000000000014 RSI: 0000000000000000 RDI: ffffffff90c0cacc
[ 3003.484544][ C3] RBP: ffffffff90c0cb14 R08: ffffc900000af718 R09: 1ffff92000015ec4
[ 3003.484876][ C3] R10: ffffc900000af6d8 R11: ffffc900000af719 R12: ffffffff90c0cb28
[ 3003.485115][ C3] R13: ffffffff8c4c27a0 R14: ffffffff90c0cacc R15: ffffffff90c0cb10
[ 3003.485355][ C3] ? ret_from_fork+0x30/0x70
[ 3003.485612][ C3] ? arch_stack_walk+0x68/0xf0
[ 3003.485775][ C3] unwind_next_frame+0x1d2/0x1d00
[ 3003.485934][ C3] ? ret_from_fork+0x31/0x70
[ 3003.486095][ C3] ? hlock_class+0x4e/0x130
[ 3003.486337][ C3] ? __pfx_unwind_next_frame+0x10/0x10
[ 3003.486498][ C3] ? ret_from_fork+0x31/0x70
[ 3003.486653][ C3] ? kernel_text_address+0x17/0xe0
[ 3003.486813][ C3] ? __pfx_stack_trace_consume_entry+0x10/0x10
[ 3003.487012][ C3] arch_stack_walk+0x8c/0xf0
[ 3003.487261][ C3] ? ret_from_fork+0x31/0x70
[ 3003.487422][ C3] stack_trace_save+0x94/0xd0
[ 3003.487582][ C3] ? __pfx_stack_trace_save+0x10/0x10
[ 3003.487740][ C3] ? __lock_release+0x103/0x460
[ 3003.487898][ C3] ? __pfx___lock_release+0x10/0x10
[ 3003.488217][ C3] ? hlock_class+0x4e/0x130
[ 3003.488375][ C3] ? mark_lock+0x38/0x3e0
[ 3003.488496][ C3] ref_tracker_free+0xf0/0x910
[ 3003.488656][ C3] ? mark_held_locks+0x9e/0xe0
[ 3003.488816][ C3] ? __pfx_ref_tracker_free+0x10/0x10
[ 3003.488975][ C3] ? in6_dev_finish_destroy+0xce/0x1b0
[ 3003.489226][ C3] ? addrconf_ifdown.isra.0+0x11a3/0x1560
[ 3003.489380][ C3] ? addrconf_notify+0xd1/0xd60
[ 3003.489539][ C3] ? notifier_call_chain+0xcd/0x150
[ 3003.489710][ C3] ? unregister_netdevice_many_notify+0x548/0x1190
[ 3003.489908][ C3] ? cleanup_net+0x4cf/0xb60
[ 3003.490159][ C3] ? process_one_work+0xe2c/0x1730
[ 3003.490318][ C3] ? worker_thread+0x587/0xd30
[ 3003.490477][ C3] ? kthread+0x28a/0x350
[ 3003.490597][ C3] ? ret_from_fork+0x31/0x70
[ 3003.490747][ C3] ? __pfx___try_to_del_timer_sync+0x10/0x10
[ 3003.491028][ C3] ? mark_held_locks+0x9e/0xe0
[ 3003.491192][ C3] in6_dev_finish_destroy+0xce/0x1b0
[ 3003.491352][ C3] addrconf_ifdown.isra.0+0x11a3/0x1560
[ 3003.491521][ C3] ? __pfx_addrconf_ifdown.isra.0+0x10/0x10
[ 3003.491885][ C3] ? rt_flush_dev+0x38c/0x670
[ 3003.492043][ C3] addrconf_notify+0xd1/0xd60
[ 3003.492199][ C3] notifier_call_chain+0xcd/0x150
[ 3003.492357][ C3] unregister_netdevice_many_notify+0x548/0x1190
[ 3003.492660][ C3] ? __pfx_unregister_netdevice_many_notify+0x10/0x10
[ 3003.492859][ C3] ? mutex_is_locked+0x17/0x50
[ 3003.493020][ C3] ? nexthop_net_exit_batch_rtnl+0x83/0x210
[ 3003.493223][ C3] cleanup_net+0x4cf/0xb60
[ 3003.493384][ C3] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 3003.493536][ C3] ? __pfx_cleanup_net+0x10/0x10
[ 3003.493694][ C3] ? trace_lock_acquire+0x135/0x1c0
[ 3003.493938][ C3] ? process_one_work+0xde2/0x1730
[ 3003.494092][ C3] ? lock_acquire+0x32/0xc0
[ 3003.494250][ C3] ? process_one_work+0xde2/0x1730
[ 3003.494410][ C3] process_one_work+0xe2c/0x1730
[ 3003.494570][ C3] ? __pfx___lock_release+0x10/0x10
[ 3003.494809][ C3] ? __pfx_process_one_work+0x10/0x10
[ 3003.494967][ C3] ? assign_work+0x16c/0x240
[ 3003.495130][ C3] worker_thread+0x587/0xd30
[ 3003.495289][ C3] ? __pfx_worker_thread+0x10/0x10
[ 3003.495530][ C3] kthread+0x28a/0x350
[ 3003.495654][ C3] ? __pfx_kthread+0x10/0x10
[ 3003.495808][ C3] ret_from_fork+0x31/0x70
[ 3003.495968][ C3] ? __pfx_kthread+0x10/0x10
[ 3003.496285][ C3] ret_from_fork_asm+0x1a/0x30
[ 3003.496447][ C3] </TASK>
[ 3003.496566][ C3]
[ 3003.496646][ C3] Allocated by task 19526:
[ 3003.496808][ C3] kasan_save_stack+0x24/0x50
[ 3003.496973][ C3] kasan_save_track+0x14/0x30
[ 3003.497132][ C3] __kasan_slab_alloc+0x59/0x70
[ 3003.497287][ C3] kmem_cache_alloc+0xef/0x270
[ 3003.497442][ C3] copy_net_ns+0xc6/0x730
[ 3003.497564][ C3] create_new_namespaces+0x35f/0x920
[ 3003.497803][ C3] unshare_nsproxy_namespaces+0x8a/0x1b0
[ 3003.497967][ C3] ksys_unshare+0x2cc/0x6e0
[ 3003.498124][ C3] __x64_sys_unshare+0x31/0x40
[ 3003.498281][ C3] do_syscall_64+0xc3/0x1d0
[ 3003.498519][ C3] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 3003.498706][ C3]
[ 3003.498868][ C3] Freed by task 10:
[ 3003.498989][ C3] kasan_save_stack+0x24/0x50
[ 3003.499152][ C3] kasan_save_track+0x14/0x30
[ 3003.499407][ C3] kasan_save_free_info+0x3b/0x60
[ 3003.499564][ C3] __kasan_slab_free+0xf4/0x180
[ 3003.499729][ C3] kmem_cache_free+0xd7/0x220
[ 3003.499887][ C3] cleanup_net+0x7de/0xb60
[ 3003.500043][ C3] process_one_work+0xe2c/0x1730
[ 3003.500199][ C3] worker_thread+0x587/0xd30
[ 3003.500356][ C3] kthread+0x28a/0x350
[ 3003.500475][ C3] ret_from_fork+0x31/0x70
[ 3003.500635][ C3] ret_from_fork_asm+0x1a/0x30
[ 3003.500880][ C3]
[ 3003.500962][ C3] The buggy address belongs to the object at ffff88800907cd80
[ 3003.500962][ C3] which belongs to the cache net_namespace of size 6208
[ 3003.501373][ C3] The buggy address is located 2480 bytes inside of
[ 3003.501373][ C3] freed 6208-byte region [ffff88800907cd80, ffff88800907e5c0)
[ 3003.501755][ C3]
[ 3003.501923][ C3] The buggy address belongs to the physical page:
[ 3003.502135][ C3] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9078
[ 3003.502424][ C3] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 3003.502655][ C3] flags: 0x80000000000840(slab|head|node=0|zone=1)
[ 3003.503034][ C3] page_type: 0xffffffff()
[ 3003.503159][ C3] raw: 0080000000000840 ffff88800192d240 ffffea000019f810 ffff8880019320a8
[ 3003.503446][ C3] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 3003.503809][ C3] head: 0080000000000840 ffff88800192d240 ffffea000019f810 ffff8880019320a8
[ 3003.504177][ C3] head: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 3003.504453][ C3] head: 0080000000000003 ffffea0000241e01 dead000000000122 00000000ffffffff
[ 3003.504738][ C3] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[ 3003.505105][ C3] page dumped because: kasan: bad access detected
[ 3003.505290][ C3]
[ 3003.505368][ C3] Memory state around the buggy address:
[ 3003.505523][ C3] ffff88800907d600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3003.505760][ C3] ffff88800907d680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3003.505994][ C3] >ffff88800907d700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3003.506222][ C3]                                      ^
[ 3003.506376][ C3] ffff88800907d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3003.506610][ C3] ffff88800907d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3003.506844][ C3] ==================================================================
[ 3003.507107][ C3] Disabling lock debugging due to kernel taint