[ 16.417801][ T292] eth1: renamed from tmp
[ 80.403535][ T68] ==================================================================
[ 80.403841][ T68] BUG: KASAN: slab-use-after-free in cleanup_net+0xa5d/0xb90
[ 80.404079][ T68] Read of size 8 at addr ffff888008e500f8 by task kworker/u16:1/68
[ 80.404327][ T68]
[ 80.404395][ T68] CPU: 3 UID: 0 PID: 68 Comm: kworker/u16:1 Not tainted 6.12.0-virtme #1
[ 80.404620][ T68] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 80.404777][ T68] Workqueue: netns cleanup_net
[ 80.404959][ T68] Call Trace:
[ 80.405057][ T68]
[ 80.405148][ T68] dump_stack_lvl+0x82/0xd0
[ 80.405287][ T68] print_address_description.constprop.0+0x2c/0x3b0
[ 80.405455][ T68] ? cleanup_net+0xa5d/0xb90
[ 80.405600][ T68] print_report+0xb4/0x270
[ 80.405737][ T68] ? kasan_addr_to_slab+0x25/0x80
[ 80.405890][ T68] kasan_report+0xbd/0xf0
[ 80.406008][ T68] ? cleanup_net+0xa5d/0xb90
[ 80.406174][ T68] cleanup_net+0xa5d/0xb90
[ 80.406313][ T68] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 80.406464][ T68] ? __pfx_cleanup_net+0x10/0x10
[ 80.406605][ T68] ? trace_lock_acquire+0x148/0x1f0
[ 80.406833][ T68] ? lock_acquire+0x32/0xc0
[ 80.407014][ T68] ? process_one_work+0xe0b/0x16d0
[ 80.407172][ T68] process_one_work+0xe55/0x16d0
[ 80.407323][ T68] ? __pfx___lock_release+0x10/0x10
[ 80.407515][ T68] ? __pfx_process_one_work+0x10/0x10
[ 80.407661][ T68] ? assign_work+0x16c/0x240
[ 80.407806][ T68] worker_thread+0x58c/0xce0
[ 80.407954][ T68] ? lockdep_hardirqs_on_prepare+0x275/0x410
[ 80.408182][ T68] ? __pfx_worker_thread+0x10/0x10
[ 80.408329][ T68] ? __pfx_worker_thread+0x10/0x10
[ 80.408531][ T68] kthread+0x28a/0x350
[ 80.408641][ T68] ? __pfx_kthread+0x10/0x10
[ 80.408832][ T68] ret_from_fork+0x31/0x70
[ 80.409018][ T68] ? __pfx_kthread+0x10/0x10
[ 80.409156][ T68] ret_from_fork_asm+0x1a/0x30
[ 80.409301][ T68]
[ 80.409412][ T68]
[ 80.409484][ T68] Allocated by task 268:
[ 80.409597][ T68] kasan_save_stack+0x24/0x50
[ 80.409747][ T68] kasan_save_track+0x14/0x30
[ 80.409915][ T68] __kasan_slab_alloc+0x59/0x70
[ 80.410084][ T68] kmem_cache_alloc_noprof+0x10b/0x350
[ 80.410286][ T68] copy_net_ns+0xc6/0x540
[ 80.410419][ T68] create_new_namespaces+0x35f/0x920
[ 80.410562][ T68] unshare_nsproxy_namespaces+0x8a/0x1b0
[ 80.410700][ T68] ksys_unshare+0x2c4/0x6e0
[ 80.410864][ T68] __x64_sys_unshare+0x31/0x40
[ 80.410999][ T68] do_syscall_64+0xc1/0x1d0
[ 80.411153][ T68] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 80.411364][ T68]
[ 80.411438][ T68] Freed by task 68:
[ 80.411548][ T68] kasan_save_stack+0x24/0x50
[ 80.411693][ T68] kasan_save_track+0x14/0x30
[ 80.411823][ T68] kasan_save_free_info+0x3b/0x60
[ 80.411963][ T68] __kasan_slab_free+0x38/0x50
[ 80.412110][ T68] kmem_cache_free+0xf8/0x330
[ 80.412303][ T68] cleanup_net+0x5a8/0xb90
[ 80.412462][ T68] process_one_work+0xe55/0x16d0
[ 80.412626][ T68] worker_thread+0x58c/0xce0
[ 80.412794][ T68] kthread+0x28a/0x350
[ 80.412923][ T68] ret_from_fork+0x31/0x70
[ 80.413114][ T68] ret_from_fork_asm+0x1a/0x30
[ 80.413261][ T68]
[ 80.413334][ T68] Last potentially related work creation:
[ 80.413524][ T68] kasan_save_stack+0x24/0x50
[ 80.413669][ T68] __kasan_record_aux_stack+0x8e/0xa0
[ 80.413826][ T68] insert_work+0x34/0x230
[ 80.413936][ T68] __queue_work+0x5fd/0xa40
[ 80.414076][ T68] queue_delayed_work_on+0x8c/0xa0
[ 80.414228][ T68] __inet_insert_ifa+0x751/0xb10
[ 80.414424][ T68] inet_rtm_newaddr+0x833/0xbd0
[ 80.414568][ T68] rtnetlink_rcv_msg+0x712/0xc10
[ 80.414698][ T68] netlink_rcv_skb+0x130/0x360
[ 80.414827][ T68] netlink_unicast+0x44b/0x710
[ 80.414955][ T68] netlink_sendmsg+0x723/0xbe0
[ 80.415080][ T68] ____sys_sendmsg+0x7ac/0xa10
[ 80.415227][ T68] ___sys_sendmsg+0xee/0x170
[ 80.415411][ T68] __sys_sendmsg+0x109/0x1a0
[ 80.415544][ T68] do_syscall_64+0xc1/0x1d0
[ 80.415672][ T68] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 80.415832][ T68]
[ 80.415899][ T68] Second to last potentially related work creation:
[ 80.416056][ T68] kasan_save_stack+0x24/0x50
[ 80.416216][ T68] __kasan_record_aux_stack+0x8e/0xa0
[ 80.416382][ T68] insert_work+0x34/0x230
[ 80.416537][ T68] __queue_work+0x5fd/0xa40
[ 80.416667][ T68] queue_delayed_work_on+0x8c/0xa0
[ 80.416836][ T68] __inet_insert_ifa+0x751/0xb10
[ 80.417012][ T68] inet_rtm_newaddr+0x833/0xbd0
[ 80.417189][ T68] rtnetlink_rcv_msg+0x712/0xc10
[ 80.417345][ T68] netlink_rcv_skb+0x130/0x360
[ 80.417486][ T68] netlink_unicast+0x44b/0x710
[ 80.417619][ T68] netlink_sendmsg+0x723/0xbe0
[ 80.417761][ T68] ____sys_sendmsg+0x7ac/0xa10
[ 80.417947][ T68] ___sys_sendmsg+0xee/0x170
[ 80.418075][ T68] __sys_sendmsg+0x109/0x1a0
[ 80.418223][ T68] do_syscall_64+0xc1/0x1d0
[ 80.418410][ T68] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 80.418587][ T68]
[ 80.418662][ T68] The buggy address belongs to the object at ffff888008e50040
[ 80.418662][ T68] which belongs to the cache net_namespace of size 6528
[ 80.419078][ T68] The buggy address is located 184 bytes inside of
[ 80.419078][ T68] freed 6528-byte region [ffff888008e50040, ffff888008e519c0)
[ 80.419442][ T68]
[ 80.419541][ T68] The buggy address belongs to the physical page:
[ 80.419699][ T68] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888008e53640 pfn:0x8e50
[ 80.420043][ T68] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 80.420249][ T68] flags: 0x80000000000240(workingset|head|node=0|zone=1)
[ 80.420415][ T68] page_type: f5(slab)
[ 80.420575][ T68] raw: 0080000000000240 ffff888001975240 ffff88800197a088 ffff88800197a088
[ 80.420945][ T68] raw: ffff888008e53640 0000000000040002 00000001f5000000 0000000000000000
[ 80.421261][ T68] head: 0080000000000240 ffff888001975240 ffff88800197a088 ffff88800197a088
[ 80.421494][ T68] head: ffff888008e53640 0000000000040002 00000001f5000000 0000000000000000
[ 80.421723][ T68] head: 0080000000000003 ffffea0000239401 ffffffffffffffff 0000000000000000
[ 80.421968][ T68] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 80.422244][ T68] page dumped because: kasan: bad access detected
[ 80.422424][ T68]
[ 80.422509][ T68] Memory state around the buggy address:
[ 80.422655][ T68] ffff888008e4ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 80.422913][ T68] ffff888008e50000: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 80.423136][ T68] >ffff888008e50080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.423376][ T68] ^
[ 80.423614][ T68] ffff888008e50100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.423897][ T68] ffff888008e50180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.424167][ T68] ==================================================================
[ 80.424469][ T68] Disabling lock debugging due to kernel taint
[ 83.075516][ T546] eth1: renamed from tmp
[ 145.326897][ T800] eth1: renamed from tmp
[ 207.576733][ T1052] eth1: renamed from tmp
[ 269.663389][ T1313] eth1: renamed from tmp
[ 331.512204][ T1575] eth1: renamed from tmp
[ 658.893808][ T2426] eth1: renamed from tmp
[ 691.379624][ T2565] eth2: renamed from tmp
[ 899.103358][ T3139] eth1: renamed from tmp
[ 1231.966517][ T4066] eth1: renamed from tmp
[ 1359.374859][ T4549] eth1: renamed from tmp
[ 1392.257385][ T4716] eth1: renamed from tmp
[ 1441.872283][ T4943] eth1: renamed from tmp
[ 1456.064137][ T5057] eth1: renamed from tmp
[ 1470.359613][ T5171] eth1: renamed from tmp
[ 1484.412129][ T5286] eth1: renamed from tmp
[ 1499.612048][ T5404] eth1: renamed from tmp
[ 1514.725150][ T5522] eth1: renamed from tmp
[ 1529.719883][ T5640] eth1: renamed from tmp
[ 1544.563015][ T5758] eth1: renamed from tmp
[ 1559.710988][ T5876] eth1: renamed from tmp
[ 1574.460228][ T5995] eth1: renamed from tmp
[ 1589.255130][ T6113] eth1: renamed from tmp
[ 1604.234989][ T6231] eth1: renamed from tmp
[ 1619.101258][ T6349] eth1: renamed from tmp
[ 1633.931410][ T6467] eth1: renamed from tmp
[ 1648.822901][ T6585] eth1: renamed from tmp
[ 1663.567976][ T6703] eth1: renamed from tmp
[ 1678.445959][ T6821] eth1: renamed from tmp
[ 1693.328747][ T6939] eth1: renamed from tmp
[ 1708.078034][ T7057] eth1: renamed from tmp
[ 1722.863936][ T7175] eth1: renamed from tmp
[ 1737.617007][ T7293] eth1: renamed from tmp
[ 1752.501878][ T7412] eth1: renamed from tmp
[ 1767.381989][ T7530] eth1: renamed from tmp
[ 1781.943041][ T7649] eth1: renamed from tmp
[ 1796.505078][ T7767] eth1: renamed from tmp
[ 1811.212276][ T7885] eth1: renamed from tmp
[ 1825.824131][ T8003] eth1: renamed from tmp
[ 1840.548247][ T8121] eth1: renamed from tmp
[ 1855.229180][ T8239] eth1: renamed from tmp
[ 1870.283482][ T8357] eth1: renamed from tmp
[ 1885.124154][ T8475] eth1: renamed from tmp
[ 1899.883983][ T8593] eth1: renamed from tmp
[ 1931.367522][ T8777] eth1: renamed from tmp
[ 2009.686114][ T9104] eth1: renamed from tmp
[ 2088.241315][ T9431] eth1: renamed from tmp
[ 2169.680133][ T9768] eth1: renamed from tmp
[ 2250.691560][T10106] eth1: renamed from tmp
[ 2525.912212][T10891] eth1: renamed from tmp
[ 2570.156019][T11073] eth2: renamed from tmp
[ 2774.594494][T11663] eth1: renamed from tmp
[ 3068.965387][T12701] eth1: renamed from tmp
[ 3217.584091][T13259] eth1: renamed from tmp
[ 3242.053075][T13403] eth1: renamed from tmp
[ 3276.713119][T13587] eth1: renamed from tmp
[ 3290.373072][T13701] eth1: renamed from tmp
[ 3301.956964][T13815] eth1: renamed from tmp
[ 3316.472988][T13933] eth1: renamed from tmp
[ 3331.246183][T14051] eth1: renamed from tmp
[ 3346.003003][T14169] eth1: renamed from tmp
[ 3360.654466][T14287] eth1: renamed from tmp
[ 3375.301140][T14405] eth1: renamed from tmp
[ 3389.909488][T14523] eth1: renamed from tmp
[ 3404.505070][T14641] eth1: renamed from tmp
[ 3419.284630][T14758] eth1: renamed from tmp
[ 3434.258044][T14876] eth1: renamed from tmp
[ 3449.192036][T14994] eth1: renamed from tmp
[ 3464.223626][T15112] eth1: renamed from tmp
[ 3479.210134][T15230] eth1: renamed from tmp
[ 3494.159154][T15348] eth1: renamed from tmp
[ 3508.932105][T15466] eth1: renamed from tmp
[ 3523.666064][T15584] eth1: renamed from tmp
[ 3538.449362][T15702] eth1: renamed from tmp
[ 3553.194100][T15821] eth1: renamed from tmp
[ 3567.981945][T15942] eth1: renamed from tmp
[ 3582.708141][T16060] eth1: renamed from tmp
[ 3597.341183][T16178] eth1: renamed from tmp
[ 3612.062124][T16297] eth1: renamed from tmp
[ 3626.902981][T16414] eth1: renamed from tmp
[ 3641.768242][T16532] eth1: renamed from tmp
[ 3656.761813][T16650] eth1: renamed from tmp
[ 3671.613026][T16768] eth1: renamed from tmp
[ 3686.525254][T16886] eth1: renamed from tmp
[ 3701.476338][T17004] eth1: renamed from tmp
[ 3716.404114][T17122] eth1: renamed from tmp
[ 3731.287130][T17240] eth1: renamed from tmp
[ 3746.412025][T17359] eth1: renamed from tmp
[ 3760.953990][T17477] eth1: renamed from tmp
[ 3775.493300][T17595] eth1: renamed from tmp
[ 3790.025084][T17713] eth1: renamed from tmp
[ 3804.589004][T17831] eth1: renamed from tmp
[ 3819.194855][T17949] eth1: renamed from tmp
[ 3833.846984][T18067] eth1: renamed from tmp
[ 3848.522125][T18184] eth1: renamed from tmp
[ 3863.136125][T18301] eth1: renamed from tmp
[ 3877.603094][T18419] eth1: renamed from tmp
[ 3892.203226][T18538] eth1: renamed from tmp
[ 3906.863103][T18656] eth1: renamed from tmp
[ 3921.484720][T18774] eth1: renamed from tmp
[ 3935.994493][T18892] eth1: renamed from tmp
[ 3950.509315][T19010] eth1: renamed from tmp
[ 3965.036419][T19128] eth1: renamed from tmp
[ 3996.986937][T19310] eth1: renamed from tmp
[ 4000.352702][T19357] br0: port 1(eth1) entered blocking state
[ 4000.352998][T19357] br0: port 1(eth1) entered disabled state
[ 4000.353229][T19357] eth1: entered allmulticast mode
[ 4000.354162][T19357] eth1: entered promiscuous mode
[ 4000.587830][T19361] br0: port 1(eth1) entered blocking state
[ 4000.588150][T19361] br0: port 1(eth1) entered forwarding state
[ 4000.711405][T19363] br0: port 1(eth1) entered disabled state
[ 4000.712063][T19363] br0: port 1(eth1) entered blocking state
[ 4000.712284][T19363] br0: port 1(eth1) entered forwarding state
[ 4011.270072][T19392] br0: port 1(eth1) entered disabled state
[ 4011.270987][T19392] br0: port 1(eth1) entered blocking state
[ 4011.271210][T19392] br0: port 1(eth1) entered forwarding state
[ 4018.637070][T19437] eth1: left allmulticast mode
[ 4018.637295][T19437] eth1: left promiscuous mode
[ 4018.637575][T19437] br0: port 1(eth1) entered disabled state
[ 4023.863954][T19515] eth1: renamed from tmp
[ 4024.113108][T19519] eth2: renamed from tmp
[ 4043.804276][T19663] eth1: renamed from tmp