[ 112.848903][ T68] ==================================================================
[ 112.849109][ T68] BUG: KASAN: slab-use-after-free in idr_for_each+0x1c1/0x1f0
[ 112.849269][ T68] Read of size 8 at addr ff1100000c9f1f28 by task kworker/u16:1/68
[ 112.849418][ T68]
[ 112.849473][ T68] CPU: 1 UID: 0 PID: 68 Comm: kworker/u16:1 Not tainted 6.19.0-rc7-virtme #1 PREEMPT(full)
[ 112.849476][ T68] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 112.849478][ T68] Workqueue: netns cleanup_net
[ 112.849484][ T68] Call Trace:
[ 112.849485][ T68]
[ 112.849487][ T68] dump_stack_lvl+0x6f/0xa0
[ 112.849493][ T68] print_address_description.constprop.0+0x6e/0x300
[ 112.849497][ T68] print_report+0xfc/0x1fb
[ 112.849499][ T68] ? idr_for_each+0x1c1/0x1f0
[ 112.849501][ T68] ? __virt_addr_valid+0x1da/0x430
[ 112.849505][ T68] ? idr_for_each+0x1c1/0x1f0
[ 112.849507][ T68] kasan_report+0xe8/0x120
[ 112.849511][ T68] ? idr_for_each+0x1c1/0x1f0
[ 112.849514][ T68] ? rtnl_net_notifyid+0x1a0/0x1a0
[ 112.849517][ T68] idr_for_each+0x1c1/0x1f0
[ 112.849519][ T68] ? idr_find+0x70/0x70
[ 112.849521][ T68] ? __lock_release.isra.0+0x59/0x170
[ 112.849525][ T68] ? __up_write+0x283/0x4f0
[ 112.849527][ T68] ? cleanup_net+0x1f2/0x810
[ 112.849529][ T68] cleanup_net+0x260/0x810
[ 112.849530][ T68] ? lock_acquire.part.0+0xbc/0x260
[ 112.849532][ T68] ? process_one_work+0xd16/0x1390
[ 112.849535][ T68] ? net_passive_dec+0x190/0x190
[ 112.849536][ T68] ? rcu_is_watching+0x15/0xd0
[ 112.849540][ T68] ? process_one_work+0xd16/0x1390
[ 112.849541][ T68] ? lock_acquire+0x10a/0x150
[ 112.849543][ T68] ? rcu_is_watching+0x15/0xd0
[ 112.849545][ T68] process_one_work+0xd57/0x1390
[ 112.849548][ T68] ? pwq_dec_nr_in_flight+0x700/0x700
[ 112.849550][ T68] ? lock_acquire.part.0+0xbc/0x260
[ 112.849552][ T68] ? assign_work+0x152/0x380
[ 112.849555][ T68] worker_thread+0x4d6/0xd40
[ 112.849557][ T68] ? process_one_work+0x1390/0x1390
[ 112.849559][ T68] ? __kthread_parkme+0xb3/0x200
[ 112.849562][ T68] ? process_one_work+0x1390/0x1390
[ 112.849564][ T68] kthread+0x355/0x5b0
[ 112.849566][ T68] ? kthread_is_per_cpu+0xe0/0xe0
[ 112.849568][ T68] ? __lock_release.isra.0+0x59/0x170
[ 112.849569][ T68] ? rcu_is_watching+0x15/0xd0
[ 112.849571][ T68] ? kthread_is_per_cpu+0xe0/0xe0
[ 112.849573][ T68] ret_from_fork+0x3fb/0x510
[ 112.849577][ T68] ? arch_exit_to_user_mode_prepare.isra.0+0x140/0x140
[ 112.849579][ T68] ? __switch_to+0x53c/0xd00
[ 112.849582][ T68] ? kthread_is_per_cpu+0xe0/0xe0
[ 112.849584][ T68] ret_from_fork_asm+0x11/0x20
[ 112.849588][ T68]
[ 112.849589][ T68]
[ 112.853661][ T68] Allocated by task 401:
[ 112.853726][ T68] kasan_save_stack+0x30/0x50
[ 112.853812][ T68] kasan_save_track+0x14/0x30
[ 112.853894][ T68] __kasan_slab_alloc+0x5f/0x70
[ 112.853975][ T68] kmem_cache_alloc_noprof+0x226/0x6e0
[ 112.854060][ T68] radix_tree_node_alloc.constprop.0+0x176/0x340
[ 112.854163][ T68] idr_get_free+0x326/0x840
[ 112.854245][ T68] idr_alloc_u32+0x14a/0x2e0
[ 112.854327][ T68] idr_alloc+0x7d/0xc0
[ 112.854394][ T68] peernet2id_alloc+0x22c/0x340
[ 112.854475][ T68] rtnl_fill_ifinfo.isra.0+0x1630/0x2d80
[ 112.854562][ T68] rtmsg_ifinfo_build_skb+0x135/0x230
[ 112.854643][ T68] rtmsg_ifinfo_event.part.0+0x2c/0x130
[ 112.854726][ T68] rtmsg_ifinfo+0x5c/0xb0
[ 112.854789][ T68] __dev_notify_flags+0x1b8/0x280
[ 112.854871][ T68] netif_change_flags+0xee/0x170
[ 112.854952][ T68] do_setlink.isra.0+0x180a/0x25d0
[ 112.855039][ T68] rtnl_newlink+0x75c/0xe90
[ 112.855127][ T68] rtnetlink_rcv_msg+0x6fe/0xb90
[ 112.855210][ T68] netlink_rcv_skb+0x123/0x380
[ 112.855294][ T68] netlink_unicast+0x4a3/0x770
[ 112.855378][ T68] netlink_sendmsg+0x735/0xc60
[ 112.855459][ T68] __sys_sendto+0x265/0x390
[ 112.855544][ T68] __x64_sys_sendto+0xe4/0x1f0
[ 112.855625][ T68] do_syscall_64+0xbd/0xfc0
[ 112.855708][ T68] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 112.855813][ T68]
[ 112.855855][ T68] Freed by task 68:
[ 112.855919][ T68] kasan_save_stack+0x30/0x50
[ 112.856008][ T68] kasan_save_track+0x14/0x30
[ 112.856092][ T68] kasan_save_free_info+0x3b/0x60
[ 112.856175][ T68] __kasan_slab_free+0x43/0x70
[ 112.856260][ T68] kmem_cache_free+0xfe/0x5e0
[ 112.856341][ T68] rcu_do_batch+0x28b/0xfe0
[ 112.856422][ T68] rcu_core+0x2b4/0x5f0
[ 112.856485][ T68] handle_softirqs+0x1d7/0x840
[ 112.856570][ T68] irq_exit_rcu+0xa2/0xf0
[ 112.856633][ T68] sysvec_apic_timer_interrupt+0x9d/0xe0
[ 112.856716][ T68] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 112.856822][ T68]
[ 112.856865][ T68] Last potentially related work creation:
[ 112.856948][ T68] kasan_save_stack+0x30/0x50
[ 112.857030][ T68] kasan_record_aux_stack+0x8c/0xa0
[ 112.857121][ T68] __call_rcu_common.constprop.0+0xa6/0xa00
[ 112.857225][ T68] delete_node+0x198/0x810
[ 112.857308][ T68] radix_tree_delete_item+0xc5/0x1b0
[ 112.857392][ T68] unhash_nsid_callback+0xb4/0x100
[ 112.857475][ T68] idr_for_each+0x108/0x1f0
[ 112.857558][ T68] cleanup_net+0x260/0x810
[ 112.857639][ T68] process_one_work+0xd57/0x1390
[ 112.857723][ T68] worker_thread+0x4d6/0xd40
[ 112.857806][ T68] kthread+0x355/0x5b0
[ 112.857869][ T68] ret_from_fork+0x3fb/0x510
[ 112.857952][ T68] ret_from_fork_asm+0x11/0x20
[ 112.858034][ T68]
[ 112.858081][ T68] The buggy address belongs to the object at ff1100000c9f1ef8
[ 112.858081][ T68] which belongs to the cache radix_tree_node of size 576
[ 112.858303][ T68] The buggy address is located 48 bytes inside of
[ 112.858303][ T68] freed 576-byte region [ff1100000c9f1ef8, ff1100000c9f2138)
[ 112.858508][ T68]
[ 112.858551][ T68] The buggy address belongs to the physical page:
[ 112.858655][ T68] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff1100000c9f21c8 pfn:0xc9f0
[ 112.858824][ T68] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 112.858951][ T68] flags: 0x80000000000240(workingset|head|node=0|zone=1)
[ 112.859061][ T68] page_type: f5(slab)
[ 112.859131][ T68] raw: 0080000000000240 ff11000001043700 ffd4000000327410 ff11000001041e88
[ 112.859282][ T68] raw: ff1100000c9f21c8 000000000016000c 00000000f5000000 0000000000000000
[ 112.859429][ T68] head: 0080000000000240 ff11000001043700 ffd4000000327410 ff11000001041e88
[ 112.859575][ T68] head: ff1100000c9f21c8 000000000016000c 00000000f5000000 0000000000000000
[ 112.859718][ T68] head: 0080000000000002 ffd4000000327c01 00000000ffffffff 00000000ffffffff
[ 112.859869][ T68] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 112.860016][ T68] page dumped because: kasan: bad access detected
[ 112.860123][ T68]
[ 112.860166][ T68] Memory state around the buggy address:
[ 112.860248][ T68] ff1100000c9f1e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
[ 112.860373][ T68] ff1100000c9f1e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fa
[ 112.860494][ T68] >ff1100000c9f1f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.860616][ T68] ^
[ 112.860700][ T68] ff1100000c9f1f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.860821][ T68] ff1100000c9f2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.860945][ T68] ==================================================================
[ 112.861525][ T68] Disabling lock debugging due to kernel taint