[ 13.556444][ T302] br0: port 1(gw_l) entered blocking state
[ 13.556808][ T302] br0: port 1(gw_l) entered disabled state
[ 13.557219][ T302] gw_l: entered allmulticast mode
[ 13.559480][ T302] gw_l: entered promiscuous mode
[ 13.561016][ T302] br0: port 1(gw_l) entered blocking state
[ 13.561304][ T302] br0: port 1(gw_l) entered forwarding state
[ 13.961863][ T304] br0: port 2(amtg) entered blocking state
[ 13.962216][ T304] br0: port 2(amtg) entered disabled state
[ 13.962487][ T304] amtg: entered allmulticast mode
[ 13.963829][ T304] amtg: entered promiscuous mode
[ 15.361139][ T315] br0: port 2(amtg) entered blocking state
[ 15.361470][ T315] br0: port 2(amtg) entered forwarding state
[ 16.192344][ T323] amtr: entered allmulticast mode
[ 16.192769][ T323] relay_gw: entered allmulticast mode
[ 16.193046][ T323] relay_src: entered allmulticast mode
[ 1199.351924][ T66] br0: port 1(gw_l) entered disabled state
[ 1199.440109][ T66] gw_l (unregistering): left allmulticast mode
[ 1199.440503][ T66] gw_l (unregistering): left promiscuous mode
[ 1199.440754][ T66] br0: port 1(gw_l) entered disabled state
[ 1199.492211][ T66] amtg: left allmulticast mode
[ 1199.492477][ T66] amtg: left promiscuous mode
[ 1199.492811][ T66] br0: port 2(amtg) entered disabled state
[ 1199.698917][ T66] relay_gw (unregistering): left allmulticast mode
[ 1199.715109][ T66] amtr (unregistering): left allmulticast mode
[ 1199.738211][ T323] relay_src: left allmulticast mode
[ 1199.780325][ T66] ==================================================================
[ 1199.780551][ T66] BUG: KASAN: slab-use-after-free in cleanup_net+0xa5d/0xb90
[ 1199.780743][ T66] Read of size 8 at addr ffff888008a280f8 by task kworker/u16:1/66
[ 1199.780932][ T66]
[ 1199.780999][ T66] CPU: 0 UID: 0 PID: 66 Comm: kworker/u16:1 Not tainted 6.12.0-virtme #1
[ 1199.781190][ T66] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1199.781350][ T66] Workqueue: netns cleanup_net
[ 1199.781480][ T66] Call Trace:
[ 1199.781578][ T66]
[ 1199.781665][ T66] dump_stack_lvl+0x82/0xd0
[ 1199.781798][ T66] print_address_description.constprop.0+0x2c/0x3b0
[ 1199.781960][ T66] ? cleanup_net+0xa5d/0xb90
[ 1199.782090][ T66] print_report+0xb4/0x270
[ 1199.782213][ T66] ? kasan_addr_to_slab+0x25/0x80
[ 1199.782340][ T66] kasan_report+0xbd/0xf0
[ 1199.782436][ T66] ? cleanup_net+0xa5d/0xb90
[ 1199.782561][ T66] cleanup_net+0xa5d/0xb90
[ 1199.782681][ T66] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 1199.782807][ T66] ? __pfx_cleanup_net+0x10/0x10
[ 1199.782933][ T66] ? trace_lock_acquire+0x148/0x1f0
[ 1199.783059][ T66] ? lock_acquire+0x32/0xc0
[ 1199.783181][ T66] ? process_one_work+0xe0b/0x16d0
[ 1199.783306][ T66] process_one_work+0xe55/0x16d0
[ 1199.783431][ T66] ? __pfx___lock_release+0x10/0x10
[ 1199.783555][ T66] ? __pfx_process_one_work+0x10/0x10
[ 1199.783681][ T66] ? assign_work+0x16c/0x240
[ 1199.783804][ T66] worker_thread+0x58c/0xce0
[ 1199.783930][ T66] ? lockdep_hardirqs_on_prepare+0x275/0x410
[ 1199.784086][ T66] ? __pfx_worker_thread+0x10/0x10
[ 1199.784208][ T66] ? __pfx_worker_thread+0x10/0x10
[ 1199.784331][ T66] kthread+0x28a/0x350
[ 1199.784427][ T66] ? __pfx_kthread+0x10/0x10
[ 1199.784552][ T66] ret_from_fork+0x31/0x70
[ 1199.784682][ T66] ? __pfx_kthread+0x10/0x10
[ 1199.784812][ T66] ret_from_fork_asm+0x1a/0x30
[ 1199.784942][ T66]
[ 1199.785035][ T66]
[ 1199.785098][ T66] Allocated by task 257:
[ 1199.785195][ T66] kasan_save_stack+0x24/0x50
[ 1199.785326][ T66] kasan_save_track+0x14/0x30
[ 1199.785449][ T66] __kasan_slab_alloc+0x59/0x70
[ 1199.785571][ T66] kmem_cache_alloc_noprof+0x10b/0x350
[ 1199.785701][ T66] copy_net_ns+0xc6/0x540
[ 1199.785793][ T66] create_new_namespaces+0x35f/0x920
[ 1199.785923][ T66] unshare_nsproxy_namespaces+0x8a/0x1b0
[ 1199.786052][ T66] ksys_unshare+0x2c4/0x6e0
[ 1199.786183][ T66] __x64_sys_unshare+0x31/0x40
[ 1199.786308][ T66] do_syscall_64+0xc1/0x1d0
[ 1199.786436][ T66] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 1199.786594][ T66]
[ 1199.786657][ T66] Freed by task 66:
[ 1199.786754][ T66] kasan_save_stack+0x24/0x50
[ 1199.786879][ T66] kasan_save_track+0x14/0x30
[ 1199.787002][ T66] kasan_save_free_info+0x3b/0x60
[ 1199.787130][ T66] __kasan_slab_free+0x38/0x50
[ 1199.787254][ T66] kmem_cache_free+0xf8/0x330
[ 1199.787380][ T66] cleanup_net+0x5a8/0xb90
[ 1199.787503][ T66] process_one_work+0xe55/0x16d0
[ 1199.787625][ T66] worker_thread+0x58c/0xce0
[ 1199.787751][ T66] kthread+0x28a/0x350
[ 1199.787848][ T66] ret_from_fork+0x31/0x70
[ 1199.787973][ T66] ret_from_fork_asm+0x1a/0x30
[ 1199.788095][ T66]
[ 1199.788159][ T66] Last potentially related work creation:
[ 1199.788283][ T66] kasan_save_stack+0x24/0x50
[ 1199.788411][ T66] __kasan_record_aux_stack+0x8e/0xa0
[ 1199.788535][ T66] insert_work+0x34/0x230
[ 1199.788631][ T66] __queue_work+0x5fd/0xa40
[ 1199.788757][ T66] call_timer_fn+0x13b/0x230
[ 1199.788887][ T66] __run_timers+0x3ff/0x810
[ 1199.789014][ T66] run_timer_softirq+0x154/0x1c0
[ 1199.789140][ T66] handle_softirqs+0x1f6/0x5c0
[ 1199.789263][ T66] do_softirq+0x4d/0xa0
[ 1199.789368][ T66] __local_bh_enable_ip+0xf6/0x120
[ 1199.789501][ T66] __dev_queue_xmit+0x7bf/0x18d0
[ 1199.789629][ T66] ip6_finish_output2+0x659/0x10e0
[ 1199.789754][ T66] ip6_fragment+0x199e/0x26a0
[ 1199.789879][ T66] ip6_finish_output+0x70a/0xe40
[ 1199.790004][ T66] ip6_output+0x205/0x780
[ 1199.790097][ T66] ip6_send_skb+0xef/0x350
[ 1199.790223][ T66] udp_v6_send_skb+0x864/0x1d60
[ 1199.790350][ T66] udpv6_sendmsg+0x1b65/0x2810
[ 1199.790473][ T66] __sys_sendto+0x25c/0x450
[ 1199.790601][ T66] __x64_sys_sendto+0xe0/0x1c0
[ 1199.790725][ T66] do_syscall_64+0xc1/0x1d0
[ 1199.790851][ T66] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 1199.791010][ T66]
[ 1199.791074][ T66] Second to last potentially related work creation:
[ 1199.791225][ T66] kasan_save_stack+0x24/0x50
[ 1199.791351][ T66] __kasan_record_aux_stack+0x8e/0xa0
[ 1199.791481][ T66] insert_work+0x34/0x230
[ 1199.791573][ T66] __queue_work+0x5fd/0xa40
[ 1199.791696][ T66] call_timer_fn+0x13b/0x230
[ 1199.791822][ T66] __run_timers+0x3ff/0x810
[ 1199.791948][ T66] run_timer_softirq+0x154/0x1c0
[ 1199.792072][ T66] handle_softirqs+0x1f6/0x5c0
[ 1199.792195][ T66] __irq_exit_rcu+0xc4/0x100
[ 1199.792319][ T66] irq_exit_rcu+0xe/0x20
[ 1199.792417][ T66] sysvec_apic_timer_interrupt+0x78/0x90
[ 1199.792540][ T66] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 1199.792693][ T66]
[ 1199.792757][ T66] The buggy address belongs to the object at ffff888008a28040
[ 1199.792757][ T66] which belongs to the cache net_namespace of size 6528
[ 1199.793080][ T66] The buggy address is located 184 bytes inside of
[ 1199.793080][ T66] freed 6528-byte region [ffff888008a28040, ffff888008a299c0)
[ 1199.793375][ T66]
[ 1199.793438][ T66] The buggy address belongs to the physical page:
[ 1199.793586][ T66] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8a28
[ 1199.793803][ T66] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 1199.793991][ T66] flags: 0x80000000000040(head|node=0|zone=1)
[ 1199.794153][ T66] page_type: f5(slab)
[ 1199.794250][ T66] raw: 0080000000000040 ffff888001975240 ffff88800197a0a8 ffff88800197a0a8
[ 1199.794474][ T66] raw: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
[ 1199.794691][ T66] head: 0080000000000040 ffff888001975240 ffff88800197a0a8 ffff88800197a0a8
[ 1199.794909][ T66] head: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
[ 1199.795131][ T66] head: 0080000000000003 ffffea0000228a01 ffffffffffffffff 0000000000000000
[ 1199.795346][ T66] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 1199.795563][ T66] page dumped because: kasan: bad access detected
[ 1199.795713][ T66]
[ 1199.795776][ T66] Memory state around the buggy address:
[ 1199.795901][ T66] ffff888008a27f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1199.796081][ T66] ffff888008a28000: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 1199.796258][ T66] >ffff888008a28080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1199.796436][ T66] ^
[ 1199.796615][ T66] ffff888008a28100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1199.796794][ T66] ffff888008a28180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1199.796970][ T66] ==================================================================
[ 1199.797159][ T66] Disabling lock debugging due to kernel taint