[ 17.145512][ T233] ==================================================================
[ 17.145830][ T233] BUG: KASAN: use-after-free in kobject_put+0xbb/0xd0
[ 17.146055][ T233] Read of size 1 at addr ffff888004e5068c by task packetdrill/233
[ 17.146331][ T233]
[ 17.146430][ T233] CPU: 0 UID: 0 PID: 233 Comm: packetdrill Not tainted 6.18.0-rc4-virtme #1 PREEMPT(full)
[ 17.146436][ T233] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 17.146438][ T233] Call Trace:
[   17.146439][  T233]  <TASK>
[ 17.146442][ T233] dump_stack_lvl+0x82/0xc0
[ 17.146449][ T233] print_address_description.constprop.0+0x2c/0x3a0
[ 17.146458][ T233] ? kobject_put+0xbb/0xd0
[ 17.146462][ T233] print_report+0xb4/0x270
[ 17.146465][ T233] ? kobject_put+0xbb/0xd0
[ 17.146468][ T233] ? kasan_addr_to_slab+0x21/0x70
[ 17.146472][ T233] ? kobject_put+0xbb/0xd0
[ 17.146475][ T233] kasan_report+0xca/0x100
[ 17.146479][ T233] ? kobject_put+0xbb/0xd0
[ 17.146485][ T233] kobject_put+0xbb/0xd0
[ 17.146488][ T233] netdev_run_todo+0x5f0/0xc60
[ 17.146495][ T233] ? rtnl_is_locked+0x15/0x20
[ 17.146502][ T233] ? generic_xdp_install+0x410/0x410
[ 17.146508][ T233] ? kfree+0x21d/0x540
[ 17.146519][ T233] tun_chr_close+0xc0/0x1c0
[ 17.146528][ T233] __fput+0x35c/0xa70
[ 17.146536][ T233] task_work_run+0x12e/0x210
[ 17.146544][ T233] ? task_work_cancel+0x30/0x30
[ 17.146547][ T233] ? kmem_cache_free+0x22b/0x4b0
[ 17.146550][ T233] ? refcount_dec_and_lock+0x17/0x80
[ 17.146557][ T233] ? do_exit+0x5a2/0xeb0
[ 17.146564][ T233] do_exit+0x5a7/0xeb0
[ 17.146567][ T233] ? stack_not_used+0x80/0x80
[ 17.146569][ T233] ? find_held_lock+0x2b/0x80
[ 17.146575][ T233] ? get_signal+0x6c0/0x1b30
[ 17.146580][ T233] ? __lock_release+0x5d/0x170
[ 17.146584][ T233] do_group_exit+0xb8/0x260
[ 17.146588][ T233] get_signal+0x1970/0x1b30
[ 17.146592][ T233] ? hrtimer_cb_get_time+0x70/0x70
[ 17.146600][ T233] ? __might_fault+0x117/0x170
[ 17.146606][ T233] ? ptrace_signal+0x670/0x670
[ 17.146610][ T233] ? do_futex+0x1b0/0x240
[ 17.146617][ T233] arch_do_signal_or_restart+0x7a/0x2f0
[ 17.146625][ T233] ? get_sigframe_size+0x20/0x20
[ 17.146628][ T233] ? __x64_sys_futex+0x177/0x440
[ 17.146632][ T233] ? fput+0x4d/0xa0
[ 17.146636][ T233] ? do_futex+0x240/0x240
[ 17.146640][ T233] ? vfs_write+0x12c0/0x12c0
[ 17.146643][ T233] ? rcu_is_watching+0x12/0xb0
[ 17.146650][ T233] exit_to_user_mode_loop+0x82/0xd0
[ 17.146655][ T233] do_syscall_64+0x2ee/0xfd0
[ 17.146660][ T233] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 17.146664][ T233] RIP: 0033:0x4d7f9a
[ 17.146667][ T233] Code: Unable to access opcode bytes at 0x4d7f70.
[ 17.146668][ T233] RSP: 002b:00007fffce746910 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 17.146672][ T233] RAX: fffffffffffffdfc RBX: 0000000000000000 RCX: 00000000004d7f9a
[ 17.146674][ T233] RDX: 0000000000000000 RSI: 0000000000000189 RDI: 000000000e8c2350
[ 17.146676][ T233] RBP: 0000000000000000 R08: 0000000000000000 R09: 00000000ffffffff
[ 17.146677][ T233] R10: 00007fffce746a20 R11: 0000000000000246 R12: 0000000000000000
[ 17.146679][ T233] R13: 00007fffce746980 R14: 000000000e8c2350 R15: 0000000000000000
[   17.146685][  T233]  </TASK>
[ 17.146686][ T233]
[ 17.157135][ T233] The buggy address belongs to the physical page:
[ 17.157386][ T233] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888004e53400 pfn:0x4e50
[ 17.157772][ T233] flags: 0x80000000000000(node=0|zone=1)
[ 17.157973][ T233] raw: 0080000000000000 ffffea0000138408 ffff88803623bc40 0000000000000000
[ 17.158324][ T233] raw: ffff888004e53400 0000000000000000 00000000ffffffff 0000000000000000
[ 17.158655][ T233] page dumped because: kasan: bad access detected
[ 17.158898][ T233]
[ 17.158991][ T233] Memory state around the buggy address:
[ 17.159175][ T233] ffff888004e50580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 17.159457][ T233] ffff888004e50600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 17.159736][ T233] >ffff888004e50680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 17.160010][ T233] ^
[ 17.160148][ T233] ffff888004e50700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 17.160427][ T233] ffff888004e50780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 17.160699][ T233] ==================================================================
[ 17.160995][ T233] Disabling lock debugging due to kernel taint
[ 17.161337][ T233] ------------[ cut here ]------------
[ 17.161533][ T233] refcount_t: underflow; use-after-free.
[ 17.161734][ T233] WARNING: CPU: 0 PID: 233 at lib/refcount.c:28 refcount_warn_saturate+0x16f/0x1b0
[ 17.162329][ T233] Modules linked in:
[ 17.162520][ T233] CPU: 0 UID: 0 PID: 233 Comm: packetdrill Tainted: G B 6.18.0-rc4-virtme #1 PREEMPT(full)
[ 17.163102][ T233] Tainted: [B]=BAD_PAGE
[ 17.163485][ T233] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 17.163847][ T233] RIP: 0010:refcount_warn_saturate+0x16f/0x1b0
[ 17.164198][ T233] Code: 3f 92 02 80 fb 01 0f 87 bb b9 d9 fe 83 e3 01 0f 85 51 ff ff ff c6 05 5e 3f 92 02 01 90 48 c7 c7 20 8d 25 b1 e8 32 bf 18 ff 90 <0f> 0b 90 90 e9 33 ff ff ff 48 89 df e8 b0 63 a1 ff e9 ba fe ff ff
[ 17.165410][ T233] RSP: 0018:ffffc90000b079f0 EFLAGS: 00010286
[ 17.165777][ T233] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 17.166397][ T233] RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000001
[ 17.166827][ T233] RBP: 0000000000000003 R08: 0000000000000000 R09: fffffbfff637e134
[ 17.167437][ T233] R10: 0000000000000003 R11: ffffc90000b07580 R12: 0000000000000001
[ 17.167874][ T233] R13: dffffc0000000000 R14: dead000000000122 R15: dead000000000100
[ 17.168307][ T233] FS: 0000000000000000(0000) GS:ffff88808321a000(0000) knlGS:0000000000000000
[ 17.168992][ T233] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 17.169309][ T233] CR2: 00007f172d876000 CR3: 0000000030535006 CR4: 0000000000772ef0
[ 17.169717][ T233] PKRU: 55555554
[ 17.170100][ T233] Call Trace:
[   17.170306][  T233]  <TASK>
[ 17.170458][ T233] netdev_run_todo+0x5f0/0xc60
[ 17.170721][ T233] ? rtnl_is_locked+0x15/0x20
[ 17.171010][ T233] ? generic_xdp_install+0x410/0x410
[ 17.171454][ T233] ? kfree+0x21d/0x540
[ 17.171666][ T233] tun_chr_close+0xc0/0x1c0
[ 17.171935][ T233] __fput+0x35c/0xa70
[ 17.172155][ T233] task_work_run+0x12e/0x210
[ 17.172447][ T233] ? task_work_cancel+0x30/0x30
[ 17.172722][ T233] ? kmem_cache_free+0x22b/0x4b0
[ 17.173003][ T233] ? refcount_dec_and_lock+0x17/0x80
[ 17.173293][ T233] ? do_exit+0x5a2/0xeb0
[ 17.173723][ T233] do_exit+0x5a7/0xeb0
[ 17.173945][ T233] ? stack_not_used+0x80/0x80
[ 17.174225][ T233] ? find_held_lock+0x2b/0x80
[ 17.174516][ T233] ? get_signal+0x6c0/0x1b30
[ 17.174797][ T233] ? __lock_release+0x5d/0x170
[ 17.175260][ T233] do_group_exit+0xb8/0x260
[ 17.175595][ T233] get_signal+0x1970/0x1b30
[ 17.175888][ T233] ? hrtimer_cb_get_time+0x70/0x70
[ 17.176161][ T233] ? __might_fault+0x117/0x170
[ 17.176650][ T233] ? ptrace_signal+0x670/0x670
[ 17.176901][ T233] ? do_futex+0x1b0/0x240
[ 17.177102][ T233] arch_do_signal_or_restart+0x7a/0x2f0
[ 17.177380][ T233] ? get_sigframe_size+0x20/0x20
[ 17.177665][ T233] ? __x64_sys_futex+0x177/0x440
[ 17.177845][ T233] ? fput+0x4d/0xa0
[ 17.177996][ T233] ? do_futex+0x240/0x240
[ 17.178127][ T233] ? vfs_write+0x12c0/0x12c0
[ 17.178303][ T233] ? rcu_is_watching+0x12/0xb0
[ 17.178595][ T233] exit_to_user_mode_loop+0x82/0xd0
[ 17.178773][ T233] do_syscall_64+0x2ee/0xfd0
[ 17.179009][ T233] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 17.179320][ T233] RIP: 0033:0x4d7f9a
[ 17.179475][ T233] Code: Unable to access opcode bytes at 0x4d7f70.
[ 17.179707][ T233] RSP: 002b:00007fffce746910 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 17.179980][ T233] RAX: fffffffffffffdfc RBX: 0000000000000000 RCX: 00000000004d7f9a
[ 17.180341][ T233] RDX: 0000000000000000 RSI: 0000000000000189 RDI: 000000000e8c2350
[ 17.180611][ T233] RBP: 0000000000000000 R08: 0000000000000000 R09: 00000000ffffffff
[ 17.180987][ T233] R10: 00007fffce746a20 R11: 0000000000000246 R12: 0000000000000000
[ 17.181252][ T233] R13: 00007fffce746980 R14: 000000000e8c2350 R15: 0000000000000000
[   17.181540][  T233]  </TASK>
[ 17.181661][ T233] irq event stamp: 1991141
[ 17.181920][ T233] hardirqs last enabled at (1991141): [] irqentry_exit+0x3b/0x80
[ 17.182214][ T233] hardirqs last disabled at (1991140): [] handle_softirqs+0x47f/0x610
[ 17.182613][ T233] softirqs last enabled at (1991062): [] handle_softirqs+0x352/0x610
[ 17.182910][ T233] softirqs last disabled at (1991057): [] irq_exit_rcu+0xab/0x100
[ 17.183208][ T233] ---[ end trace 0000000000000000 ]---