[ 11.151653][ T240] openvswitch: Open vSwitch switching datapath [ 11.500147][ T236] python3 (236) used greatest stack depth: 24232 bytes left [ 15.511402][ T271] netlink: 'python3': attribute type 2 has an invalid length. [ 15.517663][ T271] arpping: entered promiscuous mode [ 18.773625][ T322] c0: entered promiscuous mode [ 21.893361][ T360] s0: entered promiscuous mode [ 28.325564][ T425] s0 (unregistering): left promiscuous mode [ 28.759937][ T433] c0 (unregistering): left promiscuous mode [ 28.855524][ T433] ip (433) used greatest stack depth: 23544 bytes left [ 29.074621][ T67] ================================================================== [ 29.074842][ T67] BUG: KASAN: slab-use-after-free in cleanup_net+0xa5d/0xb90 [ 29.075033][ T67] Read of size 8 at addr ffff88800aa79bf8 by task kworker/u16:1/67 [ 29.075211][ T67] [ 29.075275][ T67] CPU: 1 UID: 0 PID: 67 Comm: kworker/u16:1 Not tainted 6.12.0-virtme #1 [ 29.075463][ T67] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 29.075615][ T67] Workqueue: netns cleanup_net [ 29.075743][ T67] Call Trace: [ 29.075835][ T67] [ 29.075903][ T67] dump_stack_lvl+0x82/0xd0 [ 29.076039][ T67] print_address_description.constprop.0+0x2c/0x3b0 [ 29.076216][ T67] ? cleanup_net+0xa5d/0xb90 [ 29.076339][ T67] print_report+0xb4/0x270 [ 29.076462][ T67] ? kasan_addr_to_slab+0x25/0x80 [ 29.076584][ T67] kasan_report+0xbd/0xf0 [ 29.076679][ T67] ? cleanup_net+0xa5d/0xb90 [ 29.076803][ T67] cleanup_net+0xa5d/0xb90 [ 29.076926][ T67] ? __pfx_lock_acquire.part.0+0x10/0x10 [ 29.077051][ T67] ? __pfx_cleanup_net+0x10/0x10 [ 29.077172][ T67] ? trace_lock_acquire+0x148/0x1f0 [ 29.077295][ T67] ? lock_acquire+0x32/0xc0 [ 29.077424][ T67] ? process_one_work+0xe0b/0x16d0 [ 29.077553][ T67] process_one_work+0xe55/0x16d0 [ 29.077680][ T67] ? __pfx___lock_release+0x10/0x10 [ 29.077806][ T67] ? __pfx_process_one_work+0x10/0x10 [ 29.077932][ T67] ? assign_work+0x16c/0x240 [ 29.078055][ T67] worker_thread+0x58c/0xce0 [ 29.078177][ T67] ? lockdep_hardirqs_on_prepare+0x275/0x410 [ 29.078331][ T67] ? __pfx_worker_thread+0x10/0x10 [ 29.078455][ T67] ? __pfx_worker_thread+0x10/0x10 [ 29.078587][ T67] kthread+0x28a/0x350 [ 29.078681][ T67] ? __pfx_kthread+0x10/0x10 [ 29.078799][ T67] ret_from_fork+0x31/0x70 [ 29.078922][ T67] ? __pfx_kthread+0x10/0x10 [ 29.079041][ T67] ret_from_fork_asm+0x1a/0x30 [ 29.079167][ T67] [ 29.079276][ T67] [ 29.079338][ T67] Allocated by task 338: [ 29.079432][ T67] kasan_save_stack+0x24/0x50 [ 29.079560][ T67] kasan_save_track+0x14/0x30 [ 29.079680][ T67] __kasan_slab_alloc+0x59/0x70 [ 29.079800][ T67] kmem_cache_alloc_noprof+0x10b/0x350 [ 29.079923][ T67] copy_net_ns+0xc6/0x540 [ 29.080014][ T67] create_new_namespaces+0x35f/0x920 [ 29.080139][ T67] unshare_nsproxy_namespaces+0x8a/0x1b0 [ 29.080265][ T67] ksys_unshare+0x2c4/0x6e0 [ 29.080388][ T67] __x64_sys_unshare+0x31/0x40 [ 29.080523][ T67] do_syscall_64+0xc1/0x1d0 [ 29.080643][ T67] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 29.080791][ T67] [ 29.080851][ T67] Freed by task 67: [ 29.080940][ T67] kasan_save_stack+0x24/0x50 [ 29.081059][ T67] kasan_save_track+0x14/0x30 [ 29.081176][ T67] kasan_save_free_info+0x3b/0x60 [ 29.081296][ T67] __kasan_slab_free+0x38/0x50 [ 29.081415][ T67] kmem_cache_free+0xf8/0x330 [ 29.081532][ T67] cleanup_net+0x5a8/0xb90 [ 29.081666][ T67] process_one_work+0xe55/0x16d0 [ 29.081788][ T67] worker_thread+0x58c/0xce0 [ 29.081913][ T67] kthread+0x28a/0x350 [ 29.082006][ T67] ret_from_fork+0x31/0x70 [ 29.082126][ T67] ret_from_fork_asm+0x1a/0x30 [ 29.082247][ T67] [ 29.082310][ T67] Last potentially related work creation: [ 29.082434][ T67] kasan_save_stack+0x24/0x50 [ 29.082557][ T67] __kasan_record_aux_stack+0x8e/0xa0 [ 29.082680][ T67] insert_work+0x34/0x230 [ 29.082775][ T67] __queue_work+0x5fd/0xa40 [ 29.082900][ T67] queue_delayed_work_on+0x8c/0xa0 [ 29.083024][ T67] __inet_insert_ifa+0x751/0xb10 [ 29.083164][ T67] inet_rtm_newaddr+0x833/0xbd0 [ 29.083286][ T67] rtnetlink_rcv_msg+0x712/0xc10 [ 29.083413][ T67] netlink_rcv_skb+0x130/0x360 [ 29.083537][ T67] netlink_unicast+0x44b/0x710 [ 29.083660][ T67] netlink_sendmsg+0x723/0xbe0 [ 29.083781][ T67] ____sys_sendmsg+0x7ac/0xa10 [ 29.083906][ T67] ___sys_sendmsg+0xee/0x170 [ 29.084028][ T67] __sys_sendmsg+0x109/0x1a0 [ 29.084149][ T67] do_syscall_64+0xc1/0x1d0 [ 29.084272][ T67] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 29.084430][ T67] [ 29.084492][ T67] The buggy address belongs to the object at ffff88800aa79b40 [ 29.084492][ T67] which belongs to the cache net_namespace of size 6528 [ 29.084827][ T67] The buggy address is located 184 bytes inside of [ 29.084827][ T67] freed 6528-byte region [ffff88800aa79b40, ffff88800aa7b4c0) [ 29.085118][ T67] [ 29.085180][ T67] The buggy address belongs to the physical page: [ 29.085328][ T67] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800aa7b640 pfn:0xaa78 [ 29.085573][ T67] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 29.085758][ T67] flags: 0x80000000000240(workingset|head|node=0|zone=1) [ 29.085915][ T67] page_type: f5(slab) [ 29.086012][ T67] raw: 0080000000000240 ffff888001975240 ffff88800197a088 ffff88800197a088 [ 29.086231][ T67] raw: ffff88800aa7b640 0000000000040002 00000001f5000000 0000000000000000 [ 29.086451][ T67] head: 0080000000000240 ffff888001975240 ffff88800197a088 ffff88800197a088 [ 29.086667][ T67] head: ffff88800aa7b640 0000000000040002 00000001f5000000 0000000000000000 [ 29.086881][ T67] head: 0080000000000003 ffffea00002a9e01 ffffffffffffffff 0000000000000000 [ 29.087107][ T67] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 29.087322][ T67] page dumped because: kasan: bad access detected [ 29.087473][ T67] [ 29.087536][ T67] Memory state around the buggy address: [ 29.087653][ T67] ffff88800aa79a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.087835][ T67] ffff88800aa79b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 29.088008][ T67] >ffff88800aa79b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.088183][ T67] ^ [ 29.088357][ T67] ffff88800aa79c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.088529][ T67] ffff88800aa79c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.088707][ T67] ================================================================== [ 29.088936][ T67] Disabling lock debugging due to kernel taint [ 30.428130][ T439] arpping: left promiscuous mode [ 34.869446][ T485] netlink: 'python3': attribute type 2 has an invalid length. [ 34.876935][ T485] ct4: entered promiscuous mode [ 37.923295][ T536] c0: entered promiscuous mode [ 40.670375][ T574] s0: entered promiscuous mode [ 66.348882][ T729] s0 (unregistering): left promiscuous mode [ 66.697812][ T737] c0 (unregistering): left promiscuous mode [ 68.304772][ T743] ct4: left promiscuous mode [ 73.199856][ T786] netlink: 'python3': attribute type 2 has an invalid length. [ 73.204274][ T786] cv4: entered promiscuous mode [ 75.834465][ T837] c0: entered promiscuous mode [ 78.406560][ T875] s0: entered promiscuous mode [ 88.512910][ T962] s0 (unregistering): left promiscuous mode [ 88.863720][ T970] c0 (unregistering): left promiscuous mode [ 90.480595][ T976] cv4: left promiscuous mode [ 95.429243][ T1020] netlink: 'python3': attribute type 2 has an invalid length. [ 95.434371][ T1020] nat4: entered promiscuous mode [ 98.216189][ T1070] c0: entered promiscuous mode [ 100.926005][ T1108] s0: entered promiscuous mode [ 125.320041][ T1248] s0 (unregistering): left promiscuous mode [ 125.642804][ T1256] c0 (unregistering): left promiscuous mode [ 127.227047][ T1262] nat4: left promiscuous mode [ 132.116575][ T1306] netlink: 'python3': attribute type 2 has an invalid length. [ 132.121257][ T1306] natrelated4: entered promiscuous mode [ 134.724895][ T1357] c0: entered promiscuous mode [ 137.147285][ T1395] s0: entered promiscuous mode [ 151.307822][ T1548] s0 (unregistering): left promiscuous mode [ 151.605836][ T1556] c0 (unregistering): left promiscuous mode [ 153.274370][ T1562] natrelated4: left promiscuous mode [ 158.000615][ T1606] netlink: 'python3': attribute type 2 has an invalid length. [ 158.005096][ T1606] nv0: entered promiscuous mode [ 159.748208][ T1630] netlink: 'python3': attribute type 2 has an invalid length. [ 159.749437][ T1630] openvswitch: nv0: Dropping previously announced user features [ 162.361996][ T1679] left0: entered promiscuous mode [ 165.015086][ T1718] right0: entered promiscuous mode [ 168.248245][ T1750] right0: left promiscuous mode [ 171.583541][ T1786] openvswitch: netlink: Flow actions may not be safe on all matching packets. [ 171.749918][ T1786] python3 (1786) used greatest stack depth: 22472 bytes left [ 173.431941][ T1809] openvswitch: netlink: Flow actions may not be safe on all matching packets. [ 174.086903][ T1836] left0 (unregistering): left promiscuous mode [ 175.794427][ T1842] nv0: left promiscuous mode [ 182.378270][ T1901] ui0: entered promiscuous mode [ 185.136457][ T1951] left0: entered promiscuous mode [ 187.494765][ T1982] left0 (unregistering): left promiscuous mode [ 189.097945][ T1990] ui0: left promiscuous mode [ 193.801888][ T2034] netlink: 'python3': attribute type 2 has an invalid length. [ 193.806331][ T2034] dropreason: entered promiscuous mode [ 196.312223][ T2084] c0: entered promiscuous mode [ 198.746773][ T2122] s0: entered promiscuous mode [ 235.829776][ T2293] s0 (unregistering): left promiscuous mode [ 236.186477][ T2301] c0 (unregistering): left promiscuous mode [ 237.788637][ T2307] dropreason: left promiscuous mode [ 242.317034][ T2350] psample: entered promiscuous mode [ 245.378130][ T2401] c0: entered promiscuous mode [ 246.107759][ T2433] s0: entered promiscuous mode [ 249.599969][ T2496] openvswitch: netlink: Flow actions may not be safe on all matching packets. [ 251.318274][ T2519] openvswitch: netlink: Flow actions may not be safe on all matching packets. [ 253.047088][ T2542] openvswitch: netlink: Flow actions may not be safe on all matching packets. [ 264.227769][ T2685] s0 (unregistering): left promiscuous mode [ 264.600806][ T2695] c0 (unregistering): left promiscuous mode [ 266.195446][ T2701] psample: left promiscuous mode