[ 259.457451][ T70] ==================================================================
[ 259.457635][ T70] BUG: KASAN: slab-use-after-free in idr_for_each+0x1c1/0x1f0
[ 259.457772][ T70] Read of size 8 at addr ff1100000d249f28 by task kworker/u16:1/70
[ 259.457906][ T70]
[ 259.457959][ T70] CPU: 3 UID: 0 PID: 70 Comm: kworker/u16:1 Not tainted 6.19.0-rc7-virtme #1 PREEMPT(full)
[ 259.457963][ T70] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 259.457965][ T70] Workqueue: netns cleanup_net
[ 259.457971][ T70] Call Trace:
[ 259.457972][ T70]
[ 259.457975][ T70] dump_stack_lvl+0x6f/0xa0
[ 259.457981][ T70] print_address_description.constprop.0+0x6e/0x300
[ 259.457986][ T70] print_report+0xfc/0x1fb
[ 259.457987][ T70] ? idr_for_each+0x1c1/0x1f0
[ 259.457990][ T70] ? __virt_addr_valid+0x1da/0x430
[ 259.457993][ T70] ? idr_for_each+0x1c1/0x1f0
[ 259.457995][ T70] kasan_report+0xe8/0x120
[ 259.458005][ T70] ? idr_for_each+0x1c1/0x1f0
[ 259.458008][ T70] ? rtnl_net_notifyid+0x1a0/0x1a0
[ 259.458010][ T70] idr_for_each+0x1c1/0x1f0
[ 259.458012][ T70] ? idr_find+0x70/0x70
[ 259.458015][ T70] ? __lock_release.isra.0+0x59/0x170
[ 259.458018][ T70] ? __up_write+0x283/0x4f0
[ 259.458021][ T70] ? cleanup_net+0x1f2/0x810
[ 259.458022][ T70] cleanup_net+0x260/0x810
[ 259.458024][ T70] ? lock_acquire.part.0+0xbc/0x260
[ 259.458025][ T70] ? process_one_work+0xd16/0x1390
[ 259.458029][ T70] ? net_passive_dec+0x190/0x190
[ 259.458030][ T70] ? rcu_is_watching+0x15/0xd0
[ 259.458033][ T70] ? process_one_work+0xd16/0x1390
[ 259.458035][ T70] ? lock_acquire+0x10a/0x150
[ 259.458036][ T70] ? rcu_is_watching+0x15/0xd0
[ 259.458039][ T70] process_one_work+0xd57/0x1390
[ 259.458042][ T70] ? pwq_dec_nr_in_flight+0x700/0x700
[ 259.458044][ T70] ? lock_acquire.part.0+0xbc/0x260
[ 259.458046][ T70] ? assign_work+0x152/0x380
[ 259.458049][ T70] worker_thread+0x4d6/0xd40
[ 259.458051][ T70] ? process_one_work+0x1390/0x1390
[ 259.458053][ T70] ? __kthread_parkme+0xb3/0x200
[ 259.458056][ T70] ? process_one_work+0x1390/0x1390
[ 259.458058][ T70] kthread+0x355/0x5b0
[ 259.458060][ T70] ? kthread_is_per_cpu+0xe0/0xe0
[ 259.458062][ T70] ? __lock_release.isra.0+0x59/0x170
[ 259.458064][ T70] ? rcu_is_watching+0x15/0xd0
[ 259.458066][ T70] ? kthread_is_per_cpu+0xe0/0xe0
[ 259.458068][ T70] ret_from_fork+0x3fb/0x510
[ 259.458071][ T70] ? arch_exit_to_user_mode_prepare.isra.0+0x140/0x140
[ 259.458074][ T70] ? __switch_to+0x53c/0xd00
[ 259.458077][ T70] ? kthread_is_per_cpu+0xe0/0xe0
[ 259.458079][ T70] ret_from_fork_asm+0x11/0x20
[ 259.458083][ T70]
[ 259.458083][ T70]
[ 259.462072][ T70] Allocated by task 602:
[ 259.462142][ T70] kasan_save_stack+0x30/0x50
[ 259.462232][ T70] kasan_save_track+0x14/0x30
[ 259.462322][ T70] __kasan_slab_alloc+0x5f/0x70
[ 259.462408][ T70] kmem_cache_alloc_noprof+0x226/0x6e0
[ 259.462499][ T70] radix_tree_node_alloc.constprop.0+0x176/0x340
[ 259.462611][ T70] idr_get_free+0x326/0x840
[ 259.462698][ T70] idr_alloc_u32+0x14a/0x2e0
[ 259.462786][ T70] idr_alloc+0x7d/0xc0
[ 259.462850][ T70] peernet2id_alloc+0x22c/0x340
[ 259.462937][ T70] rtnl_fill_ifinfo.isra.0+0x1630/0x2d80
[ 259.463036][ T70] rtmsg_ifinfo_build_skb+0x135/0x230
[ 259.463129][ T70] rtmsg_ifinfo_event.part.0+0x2c/0x130
[ 259.463219][ T70] rtmsg_ifinfo+0x5c/0xb0
[ 259.463284][ T70] __dev_notify_flags+0x1b8/0x280
[ 259.463369][ T70] netif_change_flags+0xee/0x170
[ 259.463453][ T70] do_setlink.isra.0+0x180a/0x25d0
[ 259.463540][ T70] rtnl_newlink+0x75c/0xe90
[ 259.463627][ T70] rtnetlink_rcv_msg+0x6fe/0xb90
[ 259.463712][ T70] netlink_rcv_skb+0x123/0x380
[ 259.463800][ T70] netlink_unicast+0x4a3/0x770
[ 259.463895][ T70] netlink_sendmsg+0x735/0xc60
[ 259.463986][ T70] __sys_sendto+0x265/0x390
[ 259.464075][ T70] __x64_sys_sendto+0xe4/0x1f0
[ 259.464162][ T70] do_syscall_64+0xbd/0xfc0
[ 259.464248][ T70] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 259.464360][ T70]
[ 259.464405][ T70] Freed by task 70:
[ 259.464471][ T70] kasan_save_stack+0x30/0x50
[ 259.464557][ T70] kasan_save_track+0x14/0x30
[ 259.464642][ T70] kasan_save_free_info+0x3b/0x60
[ 259.464727][ T70] __kasan_slab_free+0x43/0x70
[ 259.464811][ T70] kmem_cache_free+0xfe/0x5e0
[ 259.464895][ T70] rcu_do_batch+0x28b/0xfe0
[ 259.464986][ T70] rcu_core+0x2b4/0x5f0
[ 259.465055][ T70] handle_softirqs+0x1d7/0x840
[ 259.465146][ T70] irq_exit_rcu+0xa2/0xf0
[ 259.465209][ T70] sysvec_apic_timer_interrupt+0x9d/0xe0
[ 259.465296][ T70] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 259.465403][ T70]
[ 259.465448][ T70] Last potentially related work creation:
[ 259.465536][ T70] kasan_save_stack+0x30/0x50
[ 259.465625][ T70] kasan_record_aux_stack+0x8c/0xa0
[ 259.465714][ T70] __call_rcu_common.constprop.0+0xa6/0xa00
[ 259.465828][ T70] delete_node+0x198/0x810
[ 259.465919][ T70] radix_tree_delete_item+0xc5/0x1b0
[ 259.466011][ T70] unhash_nsid_callback+0xb4/0x100
[ 259.466102][ T70] idr_for_each+0x108/0x1f0
[ 259.466192][ T70] cleanup_net+0x260/0x810
[ 259.466280][ T70] process_one_work+0xd57/0x1390
[ 259.466367][ T70] worker_thread+0x4d6/0xd40
[ 259.466454][ T70] kthread+0x355/0x5b0
[ 259.466519][ T70] ret_from_fork+0x3fb/0x510
[ 259.466606][ T70] ret_from_fork_asm+0x11/0x20
[ 259.466699][ T70]
[ 259.466745][ T70] The buggy address belongs to the object at ff1100000d249ef8
[ 259.466745][ T70]  which belongs to the cache radix_tree_node of size 576
[ 259.466986][ T70] The buggy address is located 48 bytes inside of
[ 259.466986][ T70]  freed 576-byte region [ff1100000d249ef8, ff1100000d24a138)
[ 259.467210][ T70]
[ 259.467258][ T70] The buggy address belongs to the physical page:
[ 259.467374][ T70] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff1100000d24a498 pfn:0xd248
[ 259.467561][ T70] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 259.467698][ T70] flags: 0x80000000000240(workingset|head|node=0|zone=1)
[ 259.467809][ T70] page_type: f5(slab)
[ 259.467876][ T70] raw: 0080000000000240 ff11000001043700 ffd4000000348a10 ffd400000034c910
[ 259.468035][ T70] raw: ff1100000d24a498 0000000000160015 00000000f5000000 0000000000000000
[ 259.468183][ T70] head: 0080000000000240 ff11000001043700 ffd4000000348a10 ffd400000034c910
[ 259.468336][ T70] head: ff1100000d24a498 0000000000160015 00000000f5000000 0000000000000000
[ 259.468486][ T70] head: 0080000000000002 ffd4000000349201 00000000ffffffff 00000000ffffffff
[ 259.468634][ T70] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 259.468792][ T70] page dumped because: kasan: bad access detected
[ 259.468898][ T70]
[ 259.468944][ T70] Memory state around the buggy address:
[ 259.469032][ T70]  ff1100000d249e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
[ 259.469167][ T70]  ff1100000d249e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fa
[ 259.469289][ T70] >ff1100000d249f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 259.469413][ T70]                                   ^
[ 259.469498][ T70]  ff1100000d249f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 259.469623][ T70]  ff1100000d24a000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 259.469747][ T70] ==================================================================
[ 259.469876][ T70] Disabling lock debugging due to kernel taint