[ 126.745448][ T66] ==================================================================
[ 126.745758][ T66] BUG: KASAN: slab-use-after-free in cleanup_net+0x932/0xa40
[ 126.745958][ T66] Read of size 8 at addr ffff888004f89c38 by task kworker/u16:1/66
[ 126.746144][ T66]
[ 126.746214][ T66] CPU: 2 UID: 0 PID: 66 Comm: kworker/u16:1 Not tainted 6.12.0-virtme #1
[ 126.746403][ T66] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 126.746571][ T66] Workqueue: netns cleanup_net
[ 126.746701][ T66] Call Trace:
[ 126.746807][ T66]
[ 126.746874][ T66]  dump_stack_lvl+0x82/0xd0
[ 126.747004][ T66]  print_address_description.constprop.0+0x2c/0x3b0
[ 126.747164][ T66]  ? cleanup_net+0x932/0xa40
[ 126.747291][ T66]  print_report+0xb4/0x270
[ 126.747412][ T66]  ? kasan_addr_to_slab+0x25/0x80
[ 126.747535][ T66]  kasan_report+0xbd/0xf0
[ 126.747628][ T66]  ? cleanup_net+0x932/0xa40
[ 126.747757][ T66]  cleanup_net+0x932/0xa40
[ 126.747885][ T66]  ? __pfx_lock_acquire.part.0+0x10/0x10
[ 126.748013][ T66]  ? __pfx_cleanup_net+0x10/0x10
[ 126.748139][ T66]  ? trace_lock_acquire+0x148/0x1f0
[ 126.748263][ T66]  ? lock_acquire+0x32/0xc0
[ 126.748384][ T66]  ? process_one_work+0xe0b/0x16d0
[ 126.748510][ T66]  process_one_work+0xe55/0x16d0
[ 126.748640][ T66]  ? __pfx___lock_release+0x10/0x10
[ 126.748764][ T66]  ? __pfx_process_one_work+0x10/0x10
[ 126.748890][ T66]  ? assign_work+0x16c/0x240
[ 126.749014][ T66]  worker_thread+0x58c/0xce0
[ 126.749139][ T66]  ? lockdep_hardirqs_on_prepare+0x275/0x410
[ 126.749291][ T66]  ? __pfx_worker_thread+0x10/0x10
[ 126.749414][ T66]  ? __pfx_worker_thread+0x10/0x10
[ 126.749536][ T66]  kthread+0x28a/0x350
[ 126.749629][ T66]  ? __pfx_kthread+0x10/0x10
[ 126.749753][ T66]  ret_from_fork+0x31/0x70
[ 126.749880][ T66]  ? __pfx_kthread+0x10/0x10
[ 126.750006][ T66]  ret_from_fork_asm+0x1a/0x30
[ 126.750137][ T66]
[ 126.750230][ T66]
[ 126.750294][ T66] Allocated by task 325:
[ 126.750389][ T66]  kasan_save_stack+0x24/0x50
[ 126.750516][ T66]  kasan_save_track+0x14/0x30
[ 126.750641][ T66]  __kasan_slab_alloc+0x59/0x70
[ 126.750767][ T66]  kmem_cache_alloc_noprof+0x10b/0x350
[ 126.750897][ T66]  copy_net_ns+0xc6/0x340
[ 126.750992][ T66]  create_new_namespaces+0x35f/0x920
[ 126.751120][ T66]  unshare_nsproxy_namespaces+0x8d/0x130
[ 126.751244][ T66]  ksys_unshare+0x2a9/0x660
[ 126.751369][ T66]  __x64_sys_unshare+0x31/0x40
[ 126.751492][ T66]  do_syscall_64+0xc1/0x1d0
[ 126.751626][ T66]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 126.751780][ T66]
[ 126.751842][ T66] Freed by task 66:
[ 126.751934][ T66]  kasan_save_stack+0x24/0x50
[ 126.752064][ T66]  kasan_save_track+0x14/0x30
[ 126.752188][ T66]  kasan_save_free_info+0x3b/0x60
[ 126.752312][ T66]  __kasan_slab_free+0x38/0x50
[ 126.752434][ T66]  kmem_cache_free+0xf8/0x330
[ 126.752559][ T66]  cleanup_net+0x5a8/0xa40
[ 126.752687][ T66]  process_one_work+0xe55/0x16d0
[ 126.752814][ T66]  worker_thread+0x58c/0xce0
[ 126.752935][ T66]  kthread+0x28a/0x350
[ 126.753031][ T66]  ret_from_fork+0x31/0x70
[ 126.753152][ T66]  ret_from_fork_asm+0x1a/0x30
[ 126.753282][ T66]
[ 126.753350][ T66] The buggy address belongs to the object at ffff888004f89b80
[ 126.753350][ T66]  which belongs to the cache net_namespace of size 6592
[ 126.753673][ T66] The buggy address is located 184 bytes inside of
[ 126.753673][ T66]  freed 6592-byte region [ffff888004f89b80, ffff888004f8b540)
[ 126.753976][ T66]
[ 126.754039][ T66] The buggy address belongs to the physical page:
[ 126.754191][ T66] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888004f8d200 pfn:0x4f88
[ 126.754449][ T66] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 126.754645][ T66] flags: 0x80000000000240(workingset|head|node=0|zone=1)
[ 126.754809][ T66] page_type: f5(slab)
[ 126.754909][ T66] raw: 0080000000000240 ffff888001963240 ffff888001968088 ffff888001968088
[ 126.755128][ T66] raw: ffff888004f8d200 0000000000040003 00000001f5000000 0000000000000000
[ 126.755345][ T66] head: 0080000000000240 ffff888001963240 ffff888001968088 ffff888001968088
[ 126.755567][ T66] head: ffff888004f8d200 0000000000040003 00000001f5000000 0000000000000000
[ 126.755790][ T66] head: 0080000000000003 ffffea000013e201 ffffffffffffffff 0000000000000000
[ 126.756006][ T66] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 126.756221][ T66] page dumped because: kasan: bad access detected
[ 126.756372][ T66]
[ 126.756436][ T66] Memory state around the buggy address:
[ 126.756557][ T66]  ffff888004f89b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 126.756737][ T66]  ffff888004f89b80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 126.756913][ T66] >ffff888004f89c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 126.757090][ T66]                                         ^
[ 126.757238][ T66]  ffff888004f89c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 126.757417][ T66]  ffff888004f89d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 126.757590][ T66] ==================================================================
[ 126.757837][ T66] Disabling lock debugging due to kernel taint
[ 294.317950][ T7300] iperf3[7300]: segfault at 0 ip 00007f51b13d32bc sp 00007ffebb7d0448 error 4 likely on CPU 2 (core 2, socket 0)
[ 294.318476][ T7300] Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 89 f8 62 a1 fd 00 ef c0 25 ff 0f 00 00 3d e0 0f 00 00 0f 87 34 01 00 00 <62> f3 7d 20 3f 07 00 c5 fb 93 c0 85 c0 74 55 f3 0f bc c0 c3 f3 0f
[ 294.319753][ T7302] traps: iperf3[7302] general protection fault ip:7f225197fca9 sp:7fffa2bea1d8 error:0 in libc.so.6[107ca9,7f22518a0000+175000]