[ 1894.832771][T17822] br0: port 1(veth1) entered blocking state
[ 1894.832980][T17822] br0: port 1(veth1) entered disabled state
[ 1894.833155][T17822] veth1: entered allmulticast mode
[ 1894.834489][T17822] veth1: entered promiscuous mode
[ 1894.993471][T17827] br0: port 2(veth_segment) entered blocking state
[ 1894.993657][T17827] br0: port 2(veth_segment) entered disabled state
[ 1894.993832][T17827] veth_segment: entered allmulticast mode
[ 1894.994701][T17827] veth_segment: entered promiscuous mode
[ 1895.023826][T17828] br0: port 1(veth1) entered blocking state
[ 1895.024235][T17828] br0: port 1(veth1) entered forwarding state
[ 1895.045943][ T46] br0: port 2(veth_segment) entered blocking state
[ 1895.046195][ T46] br0: port 2(veth_segment) entered forwarding state
[ 1897.410065][ T12] br0: port 1(veth1) entered disabled state
[ 1897.418532][ T12] veth1 (unregistering): left allmulticast mode
[ 1897.418718][ T12] veth1 (unregistering): left promiscuous mode
[ 1897.418882][ T12] br0: port 1(veth1) entered disabled state
[ 1897.450404][ T12] veth_segment: left allmulticast mode
[ 1897.450594][ T12] veth_segment: left promiscuous mode
[ 1897.450849][ T12] br0: port 2(veth_segment) entered disabled state
[ 1913.900467][T18307] br0: port 1(veth1) entered blocking state
[ 1913.900677][T18307] br0: port 1(veth1) entered disabled state
[ 1913.900853][T18307] veth1: entered allmulticast mode
[ 1913.902074][T18307] veth1: entered promiscuous mode
[ 1914.067751][T18312] br0: port 2(veth_segment) entered blocking state
[ 1914.067986][T18312] br0: port 2(veth_segment) entered disabled state
[ 1914.068225][T18312] veth_segment: entered allmulticast mode
[ 1914.069163][T18312] veth_segment: entered promiscuous mode
[ 1914.097184][T18313] br0: port 1(veth1) entered blocking state
[ 1914.097410][T18313] br0: port 1(veth1) entered forwarding state
[ 1914.120832][T11796] br0: port 2(veth_segment) entered blocking state
[ 1914.121026][T11796] br0: port 2(veth_segment) entered forwarding state
[ 1916.353879][T18326] iperf3 (18326) used greatest stack depth: 21360 bytes left
[ 1916.483318][ T12] br0: port 1(veth1) entered disabled state
[ 1916.492516][ T12] veth1 (unregistering): left allmulticast mode
[ 1916.492693][ T12] veth1 (unregistering): left promiscuous mode
[ 1916.492851][ T12] br0: port 1(veth1) entered disabled state
[ 1916.529780][ T12] ==================================================================
[ 1916.529928][ T12] BUG: KASAN: slab-use-after-free in idr_for_each+0x1c1/0x1f0
[ 1916.530061][ T12] Read of size 8 at addr ff11000025af4310 by task kworker/u16:0/12
[ 1916.530186][ T12]
[ 1916.530232][ T12] CPU: 0 UID: 0 PID: 12 Comm: kworker/u16:0 Not tainted 6.19.0-rc7-virtme #1 PREEMPT(full)
[ 1916.530236][ T12] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1916.530237][ T12] Workqueue: netns cleanup_net
[ 1916.530243][ T12] Call Trace:
[ 1916.530245][ T12]
[ 1916.530246][ T12] dump_stack_lvl+0x6f/0xa0
[ 1916.530252][ T12] print_address_description.constprop.0+0x6e/0x300
[ 1916.530256][ T12] print_report+0xfc/0x1fb
[ 1916.530257][ T12] ? idr_for_each+0x1c1/0x1f0
[ 1916.530259][ T12] ? __virt_addr_valid+0x1da/0x430
[ 1916.530262][ T12] ? idr_for_each+0x1c1/0x1f0
[ 1916.530264][ T12] kasan_report+0xe8/0x120
[ 1916.530268][ T12] ? idr_for_each+0x1c1/0x1f0
[ 1916.530270][ T12] ? rtnl_net_notifyid+0x1a0/0x1a0
[ 1916.530272][ T12] idr_for_each+0x1c1/0x1f0
[ 1916.530274][ T12] ? idr_find+0x70/0x70
[ 1916.530276][ T12] ? __lock_release.isra.0+0x59/0x170
[ 1916.530279][ T12] ? __up_write+0x283/0x4f0
[ 1916.530282][ T12] ? cleanup_net+0x1f6/0x880
[ 1916.530284][ T12] cleanup_net+0x264/0x880
[ 1916.530285][ T12] ? lock_acquire.part.0+0xbc/0x260
[ 1916.530287][ T12] ? process_one_work+0xd16/0x1390
[ 1916.530290][ T12] ? net_passive_dec+0x190/0x190
[ 1916.530292][ T12] ? rcu_is_watching+0x15/0xd0
[ 1916.530295][ T12] ? process_one_work+0xd16/0x1390
[ 1916.530296][ T12] ? lock_acquire+0x10a/0x150
[ 1916.530298][ T12] ? rcu_is_watching+0x15/0xd0
[ 1916.530300][ T12] process_one_work+0xd57/0x1390
[ 1916.530303][ T12] ? pwq_dec_nr_in_flight+0x700/0x700
[ 1916.530305][ T12] ? lock_acquire.part.0+0xbc/0x260
[ 1916.530307][ T12] ? assign_work+0x152/0x380
[ 1916.530309][ T12] worker_thread+0x4d6/0xd40
[ 1916.530312][ T12] ? process_one_work+0x1390/0x1390
[ 1916.530314][ T12] kthread+0x355/0x5b0
[ 1916.530317][ T12] ? kthread_is_per_cpu+0xe0/0xe0
[ 1916.530318][ T12] ? __lock_release.isra.0+0x59/0x170
[ 1916.530320][ T12] ? rcu_is_watching+0x15/0xd0
[ 1916.530322][ T12] ? kthread_is_per_cpu+0xe0/0xe0
[ 1916.530324][ T12] ret_from_fork+0x3fb/0x510
[ 1916.530327][ T12] ? arch_exit_to_user_mode_prepare.isra.0+0x140/0x140
[ 1916.530329][ T12] ? __switch_to+0x53c/0xd00
[ 1916.530332][ T12] ? kthread_is_per_cpu+0xe0/0xe0
[ 1916.530334][ T12] ret_from_fork_asm+0x11/0x20
[ 1916.530337][ T12]
[ 1916.530338][ T12]
[ 1916.533930][ T12] Allocated by task 18242:
[ 1916.534022][ T12] kasan_save_stack+0x30/0x50
[ 1916.534107][ T12] kasan_save_track+0x14/0x30
[ 1916.534189][ T12] __kasan_slab_alloc+0x5f/0x70
[ 1916.534271][ T12] kmem_cache_alloc_noprof+0x226/0x6e0
[ 1916.534354][ T12] radix_tree_node_alloc.constprop.0+0x176/0x340
[ 1916.534462][ T12] idr_get_free+0x326/0x840
[ 1916.534543][ T12] idr_alloc_u32+0x14a/0x2e0
[ 1916.534623][ T12] idr_alloc+0x7d/0xc0
[ 1916.534685][ T12] peernet2id_alloc+0x22c/0x340
[ 1916.534769][ T12] __dev_change_net_namespace+0x8e7/0x1f00
[ 1916.534870][ T12] do_setlink.isra.0+0x211/0x2880
[ 1916.534954][ T12] rtnl_newlink+0x75c/0xe90
[ 1916.535038][ T12] rtnetlink_rcv_msg+0x6fe/0xb90
[ 1916.535118][ T12] netlink_rcv_skb+0x123/0x380
[ 1916.535200][ T12] netlink_unicast+0x4a3/0x770
[ 1916.535280][ T12] netlink_sendmsg+0x735/0xc60
[ 1916.535361][ T12] ____sys_sendmsg+0x419/0x850
[ 1916.535445][ T12] ___sys_sendmsg+0xfd/0x180
[ 1916.535527][ T12] __sys_sendmsg+0x124/0x1c0
[ 1916.535609][ T12] do_syscall_64+0xbd/0xfc0
[ 1916.535691][ T12] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 1916.535795][ T12]
[ 1916.535840][ T12] Freed by task 27:
[ 1916.535904][ T12] kasan_save_stack+0x30/0x50
[ 1916.535991][ T12] kasan_save_track+0x14/0x30
[ 1916.536071][ T12] kasan_save_free_info+0x3b/0x60
[ 1916.536153][ T12] __kasan_slab_free+0x43/0x70
[ 1916.536238][ T12] kmem_cache_free+0xfe/0x5e0
[ 1916.536319][ T12] rcu_do_batch+0x28b/0xfe0
[ 1916.536404][ T12] rcu_core+0x2b4/0x5f0
[ 1916.536465][ T12] handle_softirqs+0x1d7/0x840
[ 1916.536548][ T12] run_ksoftirqd+0x39/0x60
[ 1916.536631][ T12] smpboot_thread_fn+0x2fb/0x9b0
[ 1916.536713][ T12] kthread+0x355/0x5b0
[ 1916.536774][ T12] ret_from_fork+0x3fb/0x510
[ 1916.536858][ T12] ret_from_fork_asm+0x11/0x20
[ 1916.536941][ T12]
[ 1916.536986][ T12] Last potentially related work creation:
[ 1916.537065][ T12] kasan_save_stack+0x30/0x50
[ 1916.537149][ T12] kasan_record_aux_stack+0x8c/0xa0
[ 1916.537233][ T12] __call_rcu_common.constprop.0+0xa6/0xa00
[ 1916.537342][ T12] delete_node+0x198/0x810
[ 1916.537424][ T12] radix_tree_delete_item+0xc5/0x1b0
[ 1916.537512][ T12] unhash_nsid_callback+0xb4/0x100
[ 1916.537598][ T12] idr_for_each+0x108/0x1f0
[ 1916.537683][ T12] cleanup_net+0x264/0x880
[ 1916.537764][ T12] process_one_work+0xd57/0x1390
[ 1916.537846][ T12] worker_thread+0x4d6/0xd40
[ 1916.537933][ T12] kthread+0x355/0x5b0
[ 1916.537999][ T12] ret_from_fork+0x3fb/0x510
[ 1916.538078][ T12] ret_from_fork_asm+0x11/0x20
[ 1916.538159][ T12]
[ 1916.538202][ T12] The buggy address belongs to the object at ff11000025af42d8
[ 1916.538202][ T12] which belongs to the cache radix_tree_node of size 576
[ 1916.538420][ T12] The buggy address is located 56 bytes inside of
[ 1916.538420][ T12] freed 576-byte region [ff11000025af42d8, ff11000025af4518)
[ 1916.538617][ T12]
[ 1916.538659][ T12] The buggy address belongs to the physical page:
[ 1916.538759][ T12] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff11000025af5ef8 pfn:0x25af4
[ 1916.538929][ T12] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 1916.539057][ T12] flags: 0x80000000000240(workingset|head|node=0|zone=1)
[ 1916.539168][ T12] page_type: f5(slab)
[ 1916.539233][ T12] raw: 0080000000000240 ff11000001043700 ffd4000000850c10 ffd4000000858310
[ 1916.539380][ T12] raw: ff11000025af5ef8 0000000000160014 00000000f5000000 0000000000000000
[ 1916.539523][ T12] head: 0080000000000240 ff11000001043700 ffd4000000850c10 ffd4000000858310
[ 1916.539670][ T12] head: ff11000025af5ef8 0000000000160014 00000000f5000000 0000000000000000
[ 1916.539820][ T12] head: 0080000000000002 ffd400000096bd01 00000000ffffffff 00000000ffffffff
[ 1916.539978][ T12] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 1916.540121][ T12] page dumped because: kasan: bad access detected
[ 1916.540223][ T12]
[ 1916.540266][ T12] Memory state around the buggy address:
[ 1916.540347][ T12]  ff11000025af4200: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[ 1916.540472][ T12]  ff11000025af4280: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb
[ 1916.540594][ T12] >ff11000025af4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1916.540710][ T12]                          ^
[ 1916.540791][ T12]  ff11000025af4380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1916.540908][ T12]  ff11000025af4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1916.541035][ T12] ==================================================================
[ 1916.541503][ T12] Disabling lock debugging due to kernel taint
[ 1916.542467][ T12] veth_segment: left allmulticast mode
[ 1916.542560][ T12] veth_segment: left promiscuous mode
[ 1916.542705][ T12] br0: port 2(veth_segment) entered disabled state