[ 13.261070][ T241] openvswitch: Open vSwitch switching datapath [ 18.332607][ T272] netlink: 'python3': attribute type 2 has an invalid length. [ 18.341750][ T272] arpping: entered promiscuous mode [ 22.571825][ T322] c0: entered promiscuous mode [ 25.805409][ T369] s0: entered promiscuous mode [ 32.477426][ T433] s0 (unregistering): left promiscuous mode [ 32.562233][ T433] ip (433) used greatest stack depth: 23696 bytes left [ 32.870007][ T441] c0 (unregistering): left promiscuous mode [ 33.123459][ T66] ================================================================== [ 33.123682][ T66] BUG: KASAN: slab-use-after-free in cleanup_net+0xa5d/0xb90 [ 33.123893][ T66] Read of size 8 at addr ffff88800cc69bf8 by task kworker/u16:1/66 [ 33.124075][ T66] [ 33.124139][ T66] CPU: 0 UID: 0 PID: 66 Comm: kworker/u16:1 Not tainted 6.12.0-virtme #1 [ 33.124327][ T66] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 33.124481][ T66] Workqueue: netns cleanup_net [ 33.124617][ T66] Call Trace: [ 33.124732][ T66] [ 33.124800][ T66] dump_stack_lvl+0x82/0xd0 [ 33.124932][ T66] print_address_description.constprop.0+0x2c/0x3b0 [ 33.125094][ T66] ? cleanup_net+0xa5d/0xb90 [ 33.125224][ T66] print_report+0xb4/0x270 [ 33.125360][ T66] ? kasan_addr_to_slab+0x25/0x80 [ 33.125488][ T66] kasan_report+0xbd/0xf0 [ 33.125602][ T66] ? cleanup_net+0xa5d/0xb90 [ 33.125728][ T66] cleanup_net+0xa5d/0xb90 [ 33.125852][ T66] ? __pfx_lock_acquire.part.0+0x10/0x10 [ 33.125990][ T66] ? __pfx_cleanup_net+0x10/0x10 [ 33.126120][ T66] ? trace_lock_acquire+0x148/0x1f0 [ 33.126256][ T66] ? lock_acquire+0x32/0xc0 [ 33.126394][ T66] ? process_one_work+0xe0b/0x16d0 [ 33.126521][ T66] process_one_work+0xe55/0x16d0 [ 33.126652][ T66] ? __pfx___lock_release+0x10/0x10 [ 33.126793][ T66] ? __pfx_process_one_work+0x10/0x10 [ 33.126923][ T66] ? assign_work+0x16c/0x240 [ 33.127047][ T66] worker_thread+0x58c/0xce0 [ 33.127183][ T66] ? lockdep_hardirqs_on_prepare+0x275/0x410 [ 33.127337][ T66] ? __pfx_worker_thread+0x10/0x10 [ 33.127461][ T66] ? __pfx_worker_thread+0x10/0x10 [ 33.127582][ T66] kthread+0x28a/0x350 [ 33.127693][ T66] ? __pfx_kthread+0x10/0x10 [ 33.127818][ T66] ret_from_fork+0x31/0x70 [ 33.127943][ T66] ? __pfx_kthread+0x10/0x10 [ 33.128084][ T66] ret_from_fork_asm+0x1a/0x30 [ 33.128214][ T66] [ 33.128307][ T66] [ 33.128371][ T66] Allocated by task 339: [ 33.128471][ T66] kasan_save_stack+0x24/0x50 [ 33.128601][ T66] kasan_save_track+0x14/0x30 [ 33.128738][ T66] __kasan_slab_alloc+0x59/0x70 [ 33.128863][ T66] kmem_cache_alloc_noprof+0x10b/0x350 [ 33.128990][ T66] copy_net_ns+0xc6/0x540 [ 33.129088][ T66] create_new_namespaces+0x35f/0x920 [ 33.129215][ T66] unshare_nsproxy_namespaces+0x8a/0x1b0 [ 33.129340][ T66] ksys_unshare+0x2c4/0x6e0 [ 33.129466][ T66] __x64_sys_unshare+0x31/0x40 [ 33.129593][ T66] do_syscall_64+0xc1/0x1d0 [ 33.129717][ T66] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 33.129888][ T66] [ 33.129952][ T66] Freed by task 66: [ 33.130045][ T66] kasan_save_stack+0x24/0x50 [ 33.130184][ T66] kasan_save_track+0x14/0x30 [ 33.130311][ T66] kasan_save_free_info+0x3b/0x60 [ 33.130440][ T66] __kasan_slab_free+0x38/0x50 [ 33.130598][ T66] kmem_cache_free+0xf8/0x330 [ 33.130731][ T66] cleanup_net+0x5a8/0xb90 [ 33.130856][ T66] process_one_work+0xe55/0x16d0 [ 33.130981][ T66] worker_thread+0x58c/0xce0 [ 33.131116][ T66] kthread+0x28a/0x350 [ 33.131211][ T66] ret_from_fork+0x31/0x70 [ 33.131332][ T66] ret_from_fork_asm+0x1a/0x30 [ 33.131466][ T66] [ 33.131530][ T66] Last potentially related work creation: [ 33.131656][ T66] kasan_save_stack+0x24/0x50 [ 33.131801][ T66] __kasan_record_aux_stack+0x8e/0xa0 [ 33.131928][ T66] insert_work+0x34/0x230 [ 33.132023][ T66] __queue_work+0x5fd/0xa40 [ 33.132151][ T66] queue_delayed_work_on+0x8c/0xa0 [ 33.132294][ T66] __inet_insert_ifa+0x751/0xb10 [ 33.132421][ T66] inet_rtm_newaddr+0x833/0xbd0 [ 33.132543][ T66] rtnetlink_rcv_msg+0x712/0xc10 [ 33.132673][ T66] netlink_rcv_skb+0x130/0x360 [ 33.132801][ T66] netlink_unicast+0x44b/0x710 [ 33.132927][ T66] netlink_sendmsg+0x723/0xbe0 [ 33.133053][ T66] ____sys_sendmsg+0x7ac/0xa10 [ 33.133188][ T66] ___sys_sendmsg+0xee/0x170 [ 33.133317][ T66] __sys_sendmsg+0x109/0x1a0 [ 33.133452][ T66] do_syscall_64+0xc1/0x1d0 [ 33.133578][ T66] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 33.133738][ T66] [ 33.133806][ T66] The buggy address belongs to the object at ffff88800cc69b40 [ 33.133806][ T66] which belongs to the cache net_namespace of size 6528 [ 33.134132][ T66] The buggy address is located 184 bytes inside of [ 33.134132][ T66] freed 6528-byte region [ffff88800cc69b40, ffff88800cc6b4c0) [ 33.134425][ T66] [ 33.134487][ T66] The buggy address belongs to the physical page: [ 33.134639][ T66] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800cc6b640 pfn:0xcc68 [ 33.134883][ T66] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 33.135071][ T66] flags: 0x80000000000240(workingset|head|node=0|zone=1) [ 33.135230][ T66] page_type: f5(slab) [ 33.135326][ T66] raw: 0080000000000240 ffff888001975240 ffff88800197a088 ffff88800197a088 [ 33.135546][ T66] raw: ffff88800cc6b640 0000000000040002 00000001f5000000 0000000000000000 [ 33.135766][ T66] head: 0080000000000240 ffff888001975240 ffff88800197a088 ffff88800197a088 [ 33.135988][ T66] head: ffff88800cc6b640 0000000000040002 00000001f5000000 0000000000000000 [ 33.136215][ T66] head: 0080000000000003 ffffea0000331a01 ffffffffffffffff 0000000000000000 [ 33.136435][ T66] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 33.136652][ T66] page dumped because: kasan: bad access detected [ 33.136808][ T66] [ 33.136870][ T66] Memory state around the buggy address: [ 33.136998][ T66] ffff88800cc69a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.137182][ T66] ffff88800cc69b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 33.137356][ T66] >ffff88800cc69b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.137532][ T66] ^ [ 33.137720][ T66] ffff88800cc69c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.137897][ T66] ffff88800cc69c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.138076][ T66] ================================================================== [ 33.138269][ T66] Disabling lock debugging due to kernel taint [ 34.665035][ T447] arpping: left promiscuous mode [ 39.810703][ T492] netlink: 'python3': attribute type 2 has an invalid length. [ 39.815212][ T492] ct4: entered promiscuous mode [ 42.518438][ T542] c0: entered promiscuous mode [ 45.188399][ T580] s0: entered promiscuous mode [ 70.997793][ T735] s0 (unregistering): left promiscuous mode [ 71.376106][ T743] c0 (unregistering): left promiscuous mode [ 73.031885][ T749] ct4: left promiscuous mode [ 77.733711][ T792] netlink: 'python3': attribute type 2 has an invalid length. [ 77.744904][ T792] cv4: entered promiscuous mode [ 80.406893][ T842] c0: entered promiscuous mode [ 82.976656][ T880] s0: entered promiscuous mode [ 93.032892][ T967] s0 (unregistering): left promiscuous mode [ 93.373438][ T975] c0 (unregistering): left promiscuous mode [ 95.103664][ T981] cv4: left promiscuous mode [ 100.016628][ T1025] netlink: 'python3': attribute type 2 has an invalid length. [ 100.022366][ T1025] nat4: entered promiscuous mode [ 102.547253][ T1076] c0: entered promiscuous mode [ 104.973129][ T1114] s0: entered promiscuous mode [ 128.860633][ T1254] s0 (unregistering): left promiscuous mode [ 129.189590][ T1262] c0 (unregistering): left promiscuous mode [ 130.777245][ T1268] nat4: left promiscuous mode [ 135.411474][ T1312] netlink: 'python3': attribute type 2 has an invalid length. [ 135.416206][ T1312] natrelated4: entered promiscuous mode [ 138.019849][ T1362] c0: entered promiscuous mode [ 140.415520][ T1400] s0: entered promiscuous mode [ 153.493738][ T1553] s0 (unregistering): left promiscuous mode [ 153.810673][ T1561] c0 (unregistering): left promiscuous mode [ 155.387972][ T1567] natrelated4: left promiscuous mode [ 159.931197][ T1611] netlink: 'python3': attribute type 2 has an invalid length. [ 159.935553][ T1611] nv0: entered promiscuous mode [ 161.580512][ T1635] netlink: 'python3': attribute type 2 has an invalid length. [ 161.581519][ T1635] openvswitch: nv0: Dropping previously announced user features [ 164.033092][ T1684] left0: entered promiscuous mode [ 166.469656][ T1722] right0: entered promiscuous mode [ 169.552975][ T1754] right0: left promiscuous mode [ 172.667960][ T1790] openvswitch: netlink: Flow actions may not be safe on all matching packets. [ 172.771655][ T1790] python3 (1790) used greatest stack depth: 22472 bytes left [ 174.395680][ T1813] openvswitch: netlink: Flow actions may not be safe on all matching packets. [ 175.044577][ T1840] left0 (unregistering): left promiscuous mode [ 176.604403][ T1846] nv0: left promiscuous mode [ 182.679693][ T1905] ui0: entered promiscuous mode [ 185.301695][ T1956] left0: entered promiscuous mode [ 187.789738][ T1987] left0 (unregistering): left promiscuous mode [ 189.368044][ T1995] ui0: left promiscuous mode [ 193.910043][ T2039] netlink: 'python3': attribute type 2 has an invalid length. [ 193.914285][ T2039] dropreason: entered promiscuous mode [ 196.436746][ T2089] c0: entered promiscuous mode [ 198.891042][ T2127] s0: entered promiscuous mode [ 235.031607][ T2298] s0 (unregistering): left promiscuous mode [ 235.314684][ T2306] c0 (unregistering): left promiscuous mode [ 236.936974][ T2312] dropreason: left promiscuous mode [ 241.631943][ T2355] psample: entered promiscuous mode [ 244.807265][ T2407] c0: entered promiscuous mode [ 245.653220][ T2438] s0: entered promiscuous mode [ 248.955203][ T2501] openvswitch: netlink: Flow actions may not be safe on all matching packets. [ 250.730802][ T2524] openvswitch: netlink: Flow actions may not be safe on all matching packets. [ 252.531449][ T2547] openvswitch: netlink: Flow actions may not be safe on all matching packets. [ 264.023570][ T2690] s0 (unregistering): left promiscuous mode [ 264.399646][ T2700] c0 (unregistering): left promiscuous mode [ 266.079545][ T2706] psample: left promiscuous mode