[ 13.796321][ T302] br0: port 1(gw_l) entered blocking state
[ 13.796859][ T302] br0: port 1(gw_l) entered disabled state
[ 13.797131][ T302] gw_l: entered allmulticast mode
[ 13.798950][ T302] gw_l: entered promiscuous mode
[ 13.800722][ T302] br0: port 1(gw_l) entered blocking state
[ 13.801041][ T302] br0: port 1(gw_l) entered forwarding state
[ 14.203177][ T304] br0: port 2(amtg) entered blocking state
[ 14.203616][ T304] br0: port 2(amtg) entered disabled state
[ 14.203902][ T304] amtg: entered allmulticast mode
[ 14.205256][ T304] amtg: entered promiscuous mode
[ 15.684826][ T315] br0: port 2(amtg) entered blocking state
[ 15.685372][ T315] br0: port 2(amtg) entered forwarding state
[ 16.538265][ T323] amtr: entered allmulticast mode
[ 16.538946][ T323] relay_gw: entered allmulticast mode
[ 16.539227][ T323] relay_src: entered allmulticast mode
[ 1189.028472][ T11] br0: port 1(gw_l) entered disabled state
[ 1189.157186][ T11] gw_l (unregistering): left allmulticast mode
[ 1189.157518][ T11] gw_l (unregistering): left promiscuous mode
[ 1189.157725][ T11] br0: port 1(gw_l) entered disabled state
[ 1189.208229][ T11] amtg: left allmulticast mode
[ 1189.208477][ T11] amtg: left promiscuous mode
[ 1189.208767][ T11] br0: port 2(amtg) entered disabled state
[ 1189.252879][ T323] amtr: left allmulticast mode
[ 1189.253200][ T323] relay_gw: left allmulticast mode
[ 1189.253471][ T323] relay_src: left allmulticast mode
[ 1189.457177][ T11] ==================================================================
[ 1189.457487][ T11] BUG: KASAN: slab-use-after-free in cleanup_net+0xa5d/0xb90
[ 1189.457706][ T11] Read of size 8 at addr ffff88800a9380f8 by task kworker/u16:0/11
[ 1189.457905][ T11]
[ 1189.457976][ T11] CPU: 2 UID: 0 PID: 11 Comm: kworker/u16:0 Not tainted 6.12.0-virtme #1
[ 1189.458187][ T11] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1189.458355][ T11] Workqueue: netns cleanup_net
[ 1189.458497][ T11] Call Trace:
[ 1189.458601][ T11]
[ 1189.458686][ T11] dump_stack_lvl+0x82/0xd0
[ 1189.458826][ T11] print_address_description.constprop.0+0x2c/0x3b0
[ 1189.459011][ T11] ? cleanup_net+0xa5d/0xb90
[ 1189.459147][ T11] print_report+0xb4/0x270
[ 1189.459282][ T11] ? kasan_addr_to_slab+0x25/0x80
[ 1189.459417][ T11] kasan_report+0xbd/0xf0
[ 1189.459522][ T11] ? cleanup_net+0xa5d/0xb90
[ 1189.459659][ T11] cleanup_net+0xa5d/0xb90
[ 1189.459793][ T11] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 1189.459935][ T11] ? __pfx_cleanup_net+0x10/0x10
[ 1189.460071][ T11] ? trace_lock_acquire+0x148/0x1f0
[ 1189.460241][ T11] ? lock_acquire+0x32/0xc0
[ 1189.460390][ T11] ? process_one_work+0xe0b/0x16d0
[ 1189.460530][ T11] process_one_work+0xe55/0x16d0
[ 1189.460671][ T11] ? __pfx___lock_release+0x10/0x10
[ 1189.460812][ T11] ? __pfx_process_one_work+0x10/0x10
[ 1189.460954][ T11] ? assign_work+0x16c/0x240
[ 1189.461091][ T11] worker_thread+0x58c/0xce0
[ 1189.461231][ T11] ? __pfx_worker_thread+0x10/0x10
[ 1189.461375][ T11] kthread+0x28a/0x350
[ 1189.461493][ T11] ? __pfx_kthread+0x10/0x10
[ 1189.461633][ T11] ret_from_fork+0x31/0x70
[ 1189.461775][ T11] ? __pfx_kthread+0x10/0x10
[ 1189.461912][ T11] ret_from_fork_asm+0x1a/0x30
[ 1189.462055][ T11]
[ 1189.462162][ T11]
[ 1189.462232][ T11] Allocated by task 257:
[ 1189.462336][ T11] kasan_save_stack+0x24/0x50
[ 1189.462476][ T11] kasan_save_track+0x14/0x30
[ 1189.462610][ T11] __kasan_slab_alloc+0x59/0x70
[ 1189.462744][ T11] kmem_cache_alloc_noprof+0x10b/0x350
[ 1189.462882][ T11] copy_net_ns+0xc6/0x540
[ 1189.462988][ T11] create_new_namespaces+0x35f/0x920
[ 1189.463127][ T11] unshare_nsproxy_namespaces+0x8a/0x1b0
[ 1189.463264][ T11] ksys_unshare+0x2c4/0x6e0
[ 1189.463410][ T11] __x64_sys_unshare+0x31/0x40
[ 1189.463541][ T11] do_syscall_64+0xc1/0x1d0
[ 1189.463676][ T11] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 1189.463848][ T11]
[ 1189.463916][ T11] Freed by task 11:
[ 1189.464016][ T11] kasan_save_stack+0x24/0x50
[ 1189.464159][ T11] kasan_save_track+0x14/0x30
[ 1189.464308][ T11] kasan_save_free_info+0x3b/0x60
[ 1189.464444][ T11] __kasan_slab_free+0x38/0x50
[ 1189.464578][ T11] kmem_cache_free+0xf8/0x330
[ 1189.464711][ T11] cleanup_net+0x5a8/0xb90
[ 1189.464846][ T11] process_one_work+0xe55/0x16d0
[ 1189.464979][ T11] worker_thread+0x58c/0xce0
[ 1189.465113][ T11] kthread+0x28a/0x350
[ 1189.465214][ T11] ret_from_fork+0x31/0x70
[ 1189.465350][ T11] ret_from_fork_asm+0x1a/0x30
[ 1189.465490][ T11]
[ 1189.465558][ T11] Last potentially related work creation:
[ 1189.465712][ T11] kasan_save_stack+0x24/0x50
[ 1189.465846][ T11] __kasan_record_aux_stack+0x8e/0xa0
[ 1189.465979][ T11] insert_work+0x34/0x230
[ 1189.466082][ T11] __queue_work+0x5fd/0xa40
[ 1189.466215][ T11] call_timer_fn+0x13b/0x230
[ 1189.466355][ T11] __run_timers+0x3ff/0x810
[ 1189.466514][ T11] run_timer_softirq+0x154/0x1c0
[ 1189.466651][ T11] handle_softirqs+0x1f6/0x5c0
[ 1189.466792][ T11] __irq_exit_rcu+0xc4/0x100
[ 1189.466932][ T11] irq_exit_rcu+0xe/0x20
[ 1189.467041][ T11] sysvec_apic_timer_interrupt+0x78/0x90
[ 1189.467180][ T11] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 1189.467351][ T11]
[ 1189.467420][ T11] Second to last potentially related work creation:
[ 1189.467600][ T11] kasan_save_stack+0x24/0x50
[ 1189.467736][ T11] __kasan_record_aux_stack+0x8e/0xa0
[ 1189.467871][ T11] insert_work+0x34/0x230
[ 1189.467971][ T11] __queue_work+0x2ff/0xa40
[ 1189.468104][ T11] call_timer_fn+0x13b/0x230
[ 1189.468239][ T11] __run_timers+0x3ff/0x810
[ 1189.468372][ T11] run_timer_softirq+0x154/0x1c0
[ 1189.468519][ T11] handle_softirqs+0x1f6/0x5c0
[ 1189.468652][ T11] __irq_exit_rcu+0xc4/0x100
[ 1189.468794][ T11] irq_exit_rcu+0xe/0x20
[ 1189.468893][ T11] sysvec_apic_timer_interrupt+0x78/0x90
[ 1189.469040][ T11] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 1189.469211][ T11]
[ 1189.469286][ T11] The buggy address belongs to the object at ffff88800a938040
[ 1189.469286][ T11] which belongs to the cache net_namespace of size 6528
[ 1189.469640][ T11] The buggy address is located 184 bytes inside of
[ 1189.469640][ T11] freed 6528-byte region [ffff88800a938040, ffff88800a9399c0)
[ 1189.469963][ T11]
[ 1189.470032][ T11] The buggy address belongs to the physical page:
[ 1189.470196][ T11] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa938
[ 1189.470442][ T11] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 1189.470643][ T11] flags: 0x80000000000040(head|node=0|zone=1)
[ 1189.470815][ T11] page_type: f5(slab)
[ 1189.470921][ T11] raw: 0080000000000040 ffff888001975240 ffff88800197a0a8 ffff88800197a0a8
[ 1189.471160][ T11] raw: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
[ 1189.471398][ T11] head: 0080000000000040 ffff888001975240 ffff88800197a0a8 ffff88800197a0a8
[ 1189.471632][ T11] head: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
[ 1189.471867][ T11] head: 0080000000000003 ffffea00002a4e01 ffffffffffffffff 0000000000000000
[ 1189.472103][ T11] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 1189.472337][ T11] page dumped because: kasan: bad access detected
[ 1189.472500][ T11]
[ 1189.472567][ T11] Memory state around the buggy address:
[ 1189.472707][ T11] ffff88800a937f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1189.472902][ T11] ffff88800a938000: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 1189.473093][ T11] >ffff88800a938080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1189.473289][ T11] ^
[ 1189.473477][ T11] ffff88800a938100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1189.473671][ T11] ffff88800a938180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1189.473859][ T11] ==================================================================
[ 1189.474131][ T11] Disabling lock debugging due to kernel taint