[ 639.138398][T19185] br1: port 1(vx10) entered blocking state [ 639.138625][T19185] br1: port 1(vx10) entered disabled state [ 639.138823][T19185] vx10: entered allmulticast mode [ 639.140331][T19185] vx10: entered promiscuous mode [ 639.140693][T19185] br1: port 1(vx10) entered blocking state [ 639.140880][T19185] br1: port 1(vx10) entered forwarding state [ 639.243052][T19191] br1: port 2(vx20) entered blocking state [ 639.243776][T19191] br1: port 2(vx20) entered disabled state [ 639.244025][T19191] vx20: entered allmulticast mode [ 639.245601][T19191] vx20: entered promiscuous mode [ 639.246072][T19191] br1: port 2(vx20) entered blocking state [ 639.246321][T19191] br1: port 2(vx20) entered forwarding state [ 639.299228][T19193] br1: port 3(veth1) entered blocking state [ 639.300522][T19193] br1: port 3(veth1) entered disabled state [ 639.300729][T19193] veth1: entered allmulticast mode [ 639.302220][T19193] veth1: entered promiscuous mode [ 639.329444][ T229] br1: port 3(veth1) entered blocking state [ 639.329692][ T229] br1: port 3(veth1) entered forwarding state [ 639.385937][T19197] br1: port 4(veth2) entered blocking state [ 639.386161][T19197] br1: port 4(veth2) entered disabled state [ 639.386375][T19197] veth2: entered allmulticast mode [ 639.387882][T19197] veth2: entered promiscuous mode [ 639.409367][ T229] br1: port 4(veth2) entered blocking state [ 639.409590][ T229] br1: port 4(veth2) entered forwarding state [ 640.600274][T19255] br2: port 1(w1) entered blocking state [ 640.600532][T19255] br2: port 1(w1) entered disabled state [ 640.600753][T19255] w1: entered allmulticast mode [ 640.602913][T19255] w1: entered promiscuous mode [ 640.780652][T19263] br2: port 2(vx10) entered blocking state [ 640.780898][T19263] br2: port 2(vx10) entered disabled state [ 640.781157][T19263] vx10: entered allmulticast mode [ 640.782720][T19263] vx10: entered promiscuous mode [ 640.783200][T19263] br2: port 2(vx10) entered blocking state [ 640.783439][T19263] br2: port 2(vx10) entered forwarding state [ 640.931290][T19270] br2: port 3(vx20) entered blocking state [ 640.931500][T19270] br2: port 3(vx20) entered disabled state [ 640.931707][T19270] vx20: entered allmulticast mode [ 640.933310][T19270] vx20: entered promiscuous mode [ 640.933669][T19270] br2: port 3(vx20) entered blocking state [ 640.933851][T19270] br2: port 3(vx20) entered forwarding state [ 641.121113][T15229] br2: port 1(w1) entered blocking state [ 641.121340][T15229] br2: port 1(w1) entered forwarding state [ 641.901859][T19310] br2: port 1(w1) entered blocking state [ 641.902112][T19310] br2: port 1(w1) entered disabled state [ 641.902413][T19310] w1: entered allmulticast mode [ 641.903976][T19310] w1: entered promiscuous mode [ 642.081434][T19318] br2: port 2(vx10) entered blocking state [ 642.081641][T19318] br2: port 2(vx10) entered disabled state [ 642.081837][T19318] vx10: entered allmulticast mode [ 642.083337][T19318] vx10: entered promiscuous mode [ 642.083705][T19318] br2: port 2(vx10) entered blocking state [ 642.083897][T19318] br2: port 2(vx10) entered forwarding state [ 642.236636][T19325] br2: port 3(vx20) entered blocking state [ 642.236880][T19325] br2: port 3(vx20) entered disabled state [ 642.237129][T19325] vx20: entered allmulticast mode [ 642.239142][T19325] vx20: entered promiscuous mode [ 642.239578][T19325] br2: port 3(vx20) entered blocking state [ 642.239805][T19325] br2: port 3(vx20) entered forwarding state [ 642.419181][T15229] br2: port 1(w1) entered blocking state [ 642.419363][T15229] br2: port 1(w1) entered forwarding state [ 654.944610][ T12] vx20: left allmulticast mode [ 654.944898][ T12] vx20: left promiscuous mode [ 654.945221][ T12] br2: port 3(vx20) entered disabled state [ 654.949018][ T12] vx10: left allmulticast mode [ 654.949211][ T12] vx10: left promiscuous mode [ 654.949574][ T12] br2: port 2(vx10) entered disabled state [ 654.952000][ T12] w1: left allmulticast mode [ 654.952194][ T12] w1: left promiscuous mode [ 654.952496][ T12] br2: port 1(w1) entered disabled state [ 655.109802][ T12] ================================================================== [ 655.109962][ T12] BUG: KASAN: slab-use-after-free in idr_for_each+0x1c1/0x1f0 [ 655.110097][ T12] Read of size 8 at addr ff1100000cc8e1f8 by task kworker/u16:0/12 [ 655.110227][ T12] [ 655.110279][ T12] CPU: 2 UID: 0 PID: 12 Comm: kworker/u16:0 Not tainted 6.19.0-rc7-virtme #1 PREEMPT(full) [ 655.110282][ T12] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 655.110284][ T12] Workqueue: netns cleanup_net [ 655.110289][ T12] Call Trace: [ 655.110291][ T12] [ 655.110293][ T12] dump_stack_lvl+0x6f/0xa0 [ 655.110299][ T12] print_address_description.constprop.0+0x6e/0x300 [ 655.110303][ T12] print_report+0xfc/0x1fb [ 655.110305][ T12] ? idr_for_each+0x1c1/0x1f0 [ 655.110307][ T12] ? __virt_addr_valid+0x1da/0x430 [ 655.110311][ T12] ? idr_for_each+0x1c1/0x1f0 [ 655.110312][ T12] kasan_report+0xe8/0x120 [ 655.110317][ T12] ? idr_for_each+0x1c1/0x1f0 [ 655.110319][ T12] ? rtnl_net_notifyid+0x1a0/0x1a0 [ 655.110321][ T12] idr_for_each+0x1c1/0x1f0 [ 655.110323][ T12] ? idr_find+0x70/0x70 [ 655.110325][ T12] ? __lock_release.isra.0+0x59/0x170 [ 655.110328][ T12] ? __up_write+0x283/0x4f0 [ 655.110330][ T12] ? cleanup_net+0x1f2/0x810 [ 655.110333][ T12] cleanup_net+0x260/0x810 [ 655.110334][ T12] ? lock_acquire.part.0+0xbc/0x260 [ 655.110336][ T12] ? process_one_work+0xd16/0x1390 [ 655.110339][ T12] ? net_passive_dec+0x190/0x190 [ 655.110341][ T12] ? rcu_is_watching+0x15/0xd0 [ 655.110344][ T12] ? process_one_work+0xd16/0x1390 [ 655.110345][ T12] ? lock_acquire+0x10a/0x150 [ 655.110347][ T12] ? rcu_is_watching+0x15/0xd0 [ 655.110349][ T12] process_one_work+0xd57/0x1390 [ 655.110352][ T12] ? pwq_dec_nr_in_flight+0x700/0x700 [ 655.110353][ T12] ? lock_acquire.part.0+0xbc/0x260 [ 655.110356][ T12] ? assign_work+0x152/0x380 [ 655.110358][ T12] worker_thread+0x4d6/0xd40 [ 655.110360][ T12] ? process_one_work+0x1390/0x1390 [ 655.110362][ T12] kthread+0x355/0x5b0 [ 655.110364][ T12] ? kthread_is_per_cpu+0xe0/0xe0 [ 655.110365][ T12] ? __lock_release.isra.0+0x59/0x170 [ 655.110367][ T12] ? rcu_is_watching+0x15/0xd0 [ 655.110369][ T12] ? kthread_is_per_cpu+0xe0/0xe0 [ 655.110370][ T12] ret_from_fork+0x3fb/0x510 [ 655.110374][ T12] ? arch_exit_to_user_mode_prepare.isra.0+0x140/0x140 [ 655.110377][ T12] ? __switch_to+0x53c/0xd00 [ 655.110379][ T12] ? kthread_is_per_cpu+0xe0/0xe0 [ 655.110380][ T12] ret_from_fork_asm+0x11/0x20 [ 655.110384][ T12] [ 655.110385][ T12] [ 655.114061][ T12] Allocated by task 19236: [ 655.114148][ T12] kasan_save_stack+0x30/0x50 [ 655.114237][ T12] kasan_save_track+0x14/0x30 [ 655.114323][ T12] __kasan_slab_alloc+0x5f/0x70 [ 655.114409][ T12] kmem_cache_alloc_noprof+0x226/0x6e0 [ 655.114497][ T12] radix_tree_node_alloc.constprop.0+0x176/0x340 [ 655.114602][ T12] idr_get_free+0x326/0x840 [ 655.114687][ T12] idr_alloc_u32+0x14a/0x2e0 [ 655.114773][ T12] idr_alloc+0x7d/0xc0 [ 655.114837][ T12] peernet2id_alloc+0x22c/0x340 [ 655.114922][ T12] __dev_change_net_namespace+0x8e5/0x1980 [ 655.115027][ T12] do_setlink.isra.0+0x211/0x25d0 [ 655.115111][ T12] rtnl_newlink+0x75c/0xe90 [ 655.115199][ T12] rtnetlink_rcv_msg+0x6fe/0xb90 [ 655.115288][ T12] netlink_rcv_skb+0x123/0x380 [ 655.115372][ T12] netlink_unicast+0x4a3/0x770 [ 655.115458][ T12] netlink_sendmsg+0x735/0xc60 [ 655.115540][ T12] ____sys_sendmsg+0x419/0x850 [ 655.115626][ T12] ___sys_sendmsg+0xfd/0x180 [ 655.115707][ T12] __sys_sendmsg+0x124/0x1c0 [ 655.115789][ T12] do_syscall_64+0xbd/0xfc0 [ 655.115874][ T12] entry_SYSCALL_64_after_hwframe+0x4b/0x53 [ 655.115977][ T12] [ 655.116021][ T12] Freed by task 12: [ 655.116085][ T12] kasan_save_stack+0x30/0x50 [ 655.116170][ T12] kasan_save_track+0x14/0x30 [ 655.116253][ T12] kasan_save_free_info+0x3b/0x60 [ 655.116342][ T12] __kasan_slab_free+0x43/0x70 [ 655.116425][ T12] kmem_cache_free+0xfe/0x5e0 [ 655.116509][ T12] rcu_do_batch+0x28b/0xfe0 [ 655.116598][ T12] rcu_core+0x2b4/0x5f0 [ 655.116664][ T12] handle_softirqs+0x1d7/0x840 [ 655.116752][ T12] irq_exit_rcu+0xa2/0xf0 [ 655.116815][ T12] sysvec_apic_timer_interrupt+0x9d/0xe0 [ 655.116902][ T12] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 655.117008][ T12] [ 655.117051][ T12] Last potentially related work creation: [ 655.117138][ T12] kasan_save_stack+0x30/0x50 [ 655.117224][ T12] kasan_record_aux_stack+0x8c/0xa0 [ 655.117312][ T12] __call_rcu_common.constprop.0+0xa6/0xa00 [ 655.117415][ T12] delete_node+0x198/0x810 [ 655.117499][ T12] radix_tree_delete_item+0xc5/0x1b0 [ 655.117586][ T12] unhash_nsid_callback+0xb4/0x100 [ 655.117673][ T12] idr_for_each+0x108/0x1f0 [ 655.117755][ T12] cleanup_net+0x260/0x810 [ 655.117838][ T12] process_one_work+0xd57/0x1390 [ 655.117922][ T12] worker_thread+0x4d6/0xd40 [ 655.118007][ T12] kthread+0x355/0x5b0 [ 655.118070][ T12] ret_from_fork+0x3fb/0x510 [ 655.118155][ T12] ret_from_fork_asm+0x11/0x20 [ 655.118242][ T12] [ 655.118290][ T12] The buggy address belongs to the object at ff1100000cc8e1c8 [ 655.118290][ T12] which belongs to the cache radix_tree_node of size 576 [ 655.118515][ T12] The buggy address is located 48 bytes inside of [ 655.118515][ T12] freed 576-byte region [ff1100000cc8e1c8, ff1100000cc8e408) [ 655.118719][ T12] [ 655.118762][ T12] The buggy address belongs to the physical page: [ 655.118874][ T12] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xcc8c [ 655.119025][ T12] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 655.119153][ T12] flags: 0x80000000000040(head|node=0|zone=1) [ 655.119260][ T12] page_type: f5(slab) [ 655.119336][ T12] raw: 0080000000000040 ff11000001043700 ffd40000003d2710 ffd4000000338510 [ 655.119490][ T12] raw: 0000000000000000 0000000000160016 00000000f5000000 0000000000000000 [ 655.119639][ T12] head: 0080000000000040 ff11000001043700 ffd40000003d2710 ffd4000000338510 [ 655.119786][ T12] head: 0000000000000000 0000000000160016 00000000f5000000 0000000000000000 [ 655.119939][ T12] head: 0080000000000002 ffd4000000332301 00000000ffffffff 00000000ffffffff [ 655.120088][ T12] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 655.120234][ T12] page dumped because: kasan: bad access detected [ 655.120343][ T12] [ 655.120388][ T12] Memory state around the buggy address: [ 655.120472][ T12] ff1100000cc8e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 655.120596][ T12] ff1100000cc8e100: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc [ 655.120720][ T12] >ff1100000cc8e180: fc fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb [ 655.120840][ T12] ^ [ 655.120962][ T12] ff1100000cc8e200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 655.121084][ T12] ff1100000cc8e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 655.121207][ T12] ================================================================== [ 655.121379][ T12] Disabling lock debugging due to kernel taint [ 655.122001][ T12] vx20: left allmulticast mode [ 655.122145][ T12] vx20: left promiscuous mode [ 655.122426][ T12] br2: port 3(vx20) entered disabled state [ 655.127445][ T12] vx10: left allmulticast mode [ 655.127588][ T12] vx10: left promiscuous mode [ 655.127793][ T12] br2: port 2(vx10) entered disabled state [ 655.128832][ T12] w1: left allmulticast mode [ 655.128971][ T12] w1: left promiscuous mode [ 655.129175][ T12] br2: port 1(w1) entered disabled state [ 655.553312][T19465] br1: port 4(veth2) entered disabled state [ 655.564919][T19466] veth2: left allmulticast mode [ 655.565070][T19466] veth2: left promiscuous mode [ 655.565305][T19466] br1: port 4(veth2) entered disabled state [ 655.605996][T19469] br1: port 3(veth1) entered disabled state [ 655.617928][T19470] veth1: left allmulticast mode [ 655.618073][T19470] veth1: left promiscuous mode [ 655.619081][T19470] br1: port 3(veth1) entered disabled state [ 655.645929][T19472] vx20: left allmulticast mode [ 655.646041][T19472] vx20: left promiscuous mode [ 655.646197][T19472] br1: port 2(vx20) entered disabled state [ 655.741066][T19476] vx10: left allmulticast mode [ 655.741231][T19476] vx10: left promiscuous mode [ 655.741465][T19476] br1: port 1(vx10) entered disabled state