[ 11.595904][ T68] ==================================================================
[ 11.596254][ T68] BUG: KASAN: slab-use-after-free in cleanup_net+0x932/0xa40
[ 11.596552][ T68] Read of size 8 at addr ffff8880115b80f8 by task kworker/u16:1/68
[ 11.596761][ T68]
[ 11.596844][ T68] CPU: 3 UID: 0 PID: 68 Comm: kworker/u16:1 Not tainted 6.12.0-virtme #1
[ 11.597064][ T68] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 11.597251][ T68] Workqueue: netns cleanup_net
[ 11.597413][ T68] Call Trace:
[ 11.597519][ T68]
[ 11.597596][ T68] dump_stack_lvl+0x82/0xd0
[ 11.597743][ T68] print_address_description.constprop.0+0x2c/0x3b0
[ 11.597940][ T68] ? cleanup_net+0x932/0xa40
[ 11.598093][ T68] print_report+0xb4/0x270
[ 11.598243][ T68] ? kasan_addr_to_slab+0x25/0x80
[ 11.598391][ T68] kasan_report+0xbd/0xf0
[ 11.598528][ T68] ? cleanup_net+0x932/0xa40
[ 11.598674][ T68] cleanup_net+0x932/0xa40
[ 11.598830][ T68] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 11.598979][ T68] ? __pfx_cleanup_net+0x10/0x10
[ 11.599127][ T68] ? trace_lock_acquire+0x148/0x1f0
[ 11.599279][ T68] ? lock_acquire+0x32/0xc0
[ 11.599418][ T68] ? process_one_work+0xe0b/0x16d0
[ 11.599570][ T68] process_one_work+0xe55/0x16d0
[ 11.599713][ T68] ? __pfx___lock_release+0x10/0x10
[ 11.599886][ T68] ? __pfx_process_one_work+0x10/0x10
[ 11.600038][ T68] ? assign_work+0x16c/0x240
[ 11.600181][ T68] worker_thread+0x58c/0xce0
[ 11.600324][ T68] ? lockdep_hardirqs_on_prepare+0x275/0x410
[ 11.600501][ T68] ? __pfx_worker_thread+0x10/0x10
[ 11.600643][ T68] ? __pfx_worker_thread+0x10/0x10
[ 11.600791][ T68] kthread+0x28a/0x350
[ 11.600954][ T68] ? __pfx_kthread+0x10/0x10
[ 11.601169][ T68] ret_from_fork+0x31/0x70
[ 11.601383][ T68] ? __pfx_kthread+0x10/0x10
[ 11.601610][ T68] ret_from_fork_asm+0x1a/0x30
[ 11.601829][ T68]
[ 11.602000][ T68]
[ 11.602106][ T68] Allocated by task 227:
[ 11.602266][ T68] kasan_save_stack+0x24/0x50
[ 11.602488][ T68] kasan_save_track+0x14/0x30
[ 11.602687][ T68] __kasan_slab_alloc+0x59/0x70
[ 11.602901][ T68] kmem_cache_alloc_noprof+0x10b/0x350
[ 11.603072][ T68] copy_net_ns+0xc6/0x340
[ 11.603190][ T68] create_new_namespaces+0x35f/0x920
[ 11.603352][ T68] unshare_nsproxy_namespaces+0x8d/0x130
[ 11.603518][ T68] ksys_unshare+0x2a9/0x660
[ 11.603688][ T68] __x64_sys_unshare+0x31/0x40
[ 11.603861][ T68] do_syscall_64+0xc1/0x1d0
[ 11.604020][ T68] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 11.604218][ T68]
[ 11.604302][ T68] Freed by task 68:
[ 11.604421][ T68] kasan_save_stack+0x24/0x50
[ 11.604580][ T68] kasan_save_track+0x14/0x30
[ 11.604736][ T68] kasan_save_free_info+0x3b/0x60
[ 11.604902][ T68] __kasan_slab_free+0x38/0x50
[ 11.605061][ T68] kmem_cache_free+0xf8/0x330
[ 11.605221][ T68] cleanup_net+0x5a8/0xa40
[ 11.605380][ T68] process_one_work+0xe55/0x16d0
[ 11.605592][ T68] worker_thread+0x58c/0xce0
[ 11.605813][ T68] kthread+0x28a/0x350
[ 11.605975][ T68] ret_from_fork+0x31/0x70
[ 11.606156][ T68] ret_from_fork_asm+0x1a/0x30
[ 11.606379][ T68]
[ 11.606493][ T68] The buggy address belongs to the object at ffff8880115b8040
[ 11.606493][ T68]  which belongs to the cache net_namespace of size 5696
[ 11.607059][ T68] The buggy address is located 184 bytes inside of
[ 11.607059][ T68]  freed 5696-byte region [ffff8880115b8040, ffff8880115b9680)
[ 11.607561][ T68]
[ 11.607663][ T68] The buggy address belongs to the physical page:
[ 11.607923][ T68] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880115bafc0 pfn:0x115b8
[ 11.608341][ T68] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 11.608655][ T68] flags: 0x80000000000240(workingset|head|node=0|zone=1)
[ 11.608918][ T68] page_type: f5(slab)
[ 11.609082][ T68] raw: 0080000000000240 ffff88800195f240 ffff888001962088 ffff888001962088
[ 11.609463][ T68] raw: ffff8880115bafc0 0000000000050002 00000001f5000000 0000000000000000
[ 11.609844][ T68] head: 0080000000000240 ffff88800195f240 ffff888001962088 ffff888001962088
[ 11.610226][ T68] head: ffff8880115bafc0 0000000000050002 00000001f5000000 0000000000000000
[ 11.610567][ T68] head: 0080000000000003 ffffea0000456e01 ffffffffffffffff 0000000000000000
[ 11.610927][ T68] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 11.611314][ T68] page dumped because: kasan: bad access detected
[ 11.611575][ T68]
[ 11.611688][ T68] Memory state around the buggy address:
[ 11.611911][ T68]  ffff8880115b7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.612223][ T68]  ffff8880115b8000: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 11.612538][ T68] >ffff8880115b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.612845][ T68]                                                                 ^
[ 11.613142][ T68]  ffff8880115b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.613423][ T68]  ffff8880115b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.613717][ T68] ==================================================================
[ 11.614055][ T68] Disabling lock debugging due to kernel taint
[ 13.617727][ T227] TCP: AO key ifindex 200 != sk bound ifindex 3
[ 13.618645][ T227] TCP: AO key ifindex 200 != sk bound ifindex 3
[ 13.619463][ T227] TCP: AO key ifindex 200 != sk bound ifindex 3
[ 13.620296][ T227] TCP: AO key ifindex 200 != sk bound ifindex 3
[ 13.620974][ T227] TCP: AO key ifindex 200 != sk bound ifindex 3
[ 13.771737][ T227] key-management_ (227) used greatest stack depth: 24176 bytes left