[  920.003502][T26914] ==================================================================
[  920.003666][T26914] BUG: KASAN: slab-use-after-free in rtnl_fill_prop_list+0x5c0/0x620
[  920.003790][T26914] Read of size 8 at addr ff1100000cebfc50 by task ip/26914
[  920.003905][T26914]
[  920.003949][T26914] CPU: 3 UID: 0 PID: 26914 Comm: ip Not tainted 7.1.0-rc3-virtme #1 PREEMPT(full)
[  920.003952][T26914] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  920.003954][T26914] Call Trace:
[  920.003956][T26914]
[  920.003957][T26914]  dump_stack_lvl+0x6f/0xa0
[  920.003963][T26914]  print_address_description.constprop.0+0x56/0x2d0
[  920.003967][T26914]  print_report+0xfc/0x1fa
[  920.003968][T26914]  ? __virt_addr_valid+0x102/0x440
[  920.003972][T26914]  ? __virt_addr_valid+0x1da/0x440
[  920.003974][T26914]  kasan_report+0x108/0x130
[  920.003977][T26914]  ? rtnl_fill_prop_list+0x5c0/0x620
[  920.003980][T26914]  ? rtnl_fill_prop_list+0x5c0/0x620
[  920.003982][T26914]  rtnl_fill_prop_list+0x5c0/0x620
[  920.003984][T26914]  ? __asan_memcpy+0x3c/0x60
[  920.003990][T26914]  rtnl_fill_ifinfo.isra.0+0x3d6/0x2bf0
[  920.003993][T26914]  ? rcu_read_lock_any_held+0x3c/0x90
[  920.003996][T26914]  ? validate_chain+0x38b/0xc20
[  920.003999][T26914]  ? rtnl_fill_vf+0x460/0x460
[  920.004000][T26914]  ? lockdep_hardirqs_on_prepare.part.0+0x9a/0x160
[  920.004001][T26914]  ? lockdep_hardirqs_on+0x8c/0x130
[  920.004005][T26914]  ? _raw_spin_unlock_irqrestore+0x40/0x80
[  920.004007][T26914]  ? __lock_acquire+0x508/0xc10
[  920.004009][T26914]  ? rtnl_calcit.isra.0+0x148/0x460
[  920.004011][T26914]  ? lock_acquire.part.0+0xbc/0x260
[  920.004012][T26914]  ? find_held_lock+0x2b/0x80
[  920.004014][T26914]  ? __lock_release.isra.0+0x6b/0x1a0
[  920.004016][T26914]  ? mark_held_locks+0x40/0x70
[  920.004017][T26914]  ? lockdep_hardirqs_on_prepare.part.0+0x9a/0x160
[  920.004019][T26914]  ? lockdep_hardirqs_on+0x8c/0x130
[  920.004020][T26914]  ? _raw_spin_unlock_irqrestore+0x53/0x80
[  920.004022][T26914]  rtnl_getlink+0xa48/0xe50
[  920.004024][T26914]  ? find_held_lock+0x2b/0x80
[  920.004026][T26914]  ? rtnl_dump_ifinfo+0xfb0/0xfb0
[  920.004028][T26914]  ? mark_usage+0x61/0x170
[  920.004029][T26914]  ? __lock_release.isra.0+0x6b/0x1a0
[  920.004030][T26914]  ? __lock_acquire+0x508/0xc10
[  920.004037][T26914]  ? lock_acquire.part.0+0xbc/0x260
[  920.004038][T26914]  ? find_held_lock+0x2b/0x80
[  920.004040][T26914]  ? mark_usage+0x61/0x170
[  920.004041][T26914]  ? __lock_release.isra.0+0x6b/0x1a0
[  920.004042][T26914]  ? __lock_acquire+0x508/0xc10
[  920.004044][T26914]  ? __lock_release.isra.0+0x6b/0x1a0
[  920.004046][T26914]  ? rtnl_dump_ifinfo+0xfb0/0xfb0
[  920.004048][T26914]  rtnetlink_rcv_msg+0x6fd/0xbd0
[  920.004050][T26914]  ? validate_chain+0x38b/0xc20
[  920.004051][T26914]  ? rtnl_link_fill+0x920/0x920
[  920.004053][T26914]  ? __lock_acquire+0x508/0xc10
[  920.004055][T26914]  ? lock_acquire.part.0+0xbc/0x260
[  920.004056][T26914]  ? find_held_lock+0x2b/0x80
[  920.004058][T26914]  netlink_rcv_skb+0x14e/0x3a0
[  920.004061][T26914]  ? rtnl_link_fill+0x920/0x920
[  920.004063][T26914]  ? netlink_ack+0xce0/0xce0
[  920.004066][T26914]  ? netlink_deliver_tap+0xc5/0x330
[  920.004068][T26914]  ? netlink_deliver_tap+0x13c/0x330
[  920.004070][T26914]  netlink_unicast+0x47c/0x740
[  920.004072][T26914]  ? netlink_attachskb+0x800/0x800
[  920.004075][T26914]  netlink_sendmsg+0x735/0xc60
[  920.004077][T26914]  ? netlink_unicast+0x740/0x740
[  920.004080][T26914]  ____sys_sendmsg+0x419/0x850
[  920.004083][T26914]  ? copy_msghdr_from_user+0x2a0/0x460
[  920.004085][T26914]  ? get_timestamp.constprop.0+0x390/0x390
[  920.004086][T26914]  ? move_addr_to_kernel+0xf0/0xf0
[  920.004088][T26914]  ? folio_add_lru_vma+0x19e/0x240
[  920.004091][T26914]  ___sys_sendmsg+0x14e/0x1d0
[  920.004092][T26914]  ? copy_msghdr_from_user+0x460/0x460
[  920.004094][T26914]  ? __lock_release.isra.0+0x6b/0x1a0
[  920.004098][T26914]  ? lock_vma_under_rcu+0x159/0x410
[  920.004101][T26914]  __sys_sendmsg+0x145/0x1f0
[  920.004103][T26914]  ? __sys_sendmsg_sock+0x20/0x20
[  920.004106][T26914]  ? rcu_is_watching+0x15/0xd0
[  920.004107][T26914]  ? rcu_is_watching+0x15/0xd0
[  920.004109][T26914]  do_syscall_64+0xf3/0xfc0
[  920.004112][T26914]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[  920.004114][T26914] RIP: 0033:0x7fedc70af08e
[  920.004117][T26914] Code: 4d 89 d8 e8 94 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 c3 83 e2 39 83 fa 08 75 e7 e8 03 ff ff ff 0f 1f 00 f3 0f 1e fa
[  920.004119][T26914] RSP: 002b:00007ffd0c80cba0 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
[  920.004123][T26914] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fedc70af08e
[  920.004124][T26914] RDX: 0000000000000000 RSI: 00007ffd0c80cc50 RDI: 0000000000000006
[  920.004125][T26914] RBP: 00007ffd0c80cbb0 R08: 0000000000000000 R09: 0000000000000000
[  920.004126][T26914] R10: 0000000000000000 R11: 0000000000000202 R12: 000000006a0c8248
[  920.004127][T26914] R13: 00007ffd0c80cd00 R14: 000000000049f620 R15: 0000000000000001
[  920.004129][T26914]
[  920.004130][T26914]
[  920.010827][T26914] Allocated by task 26738:
[  920.010907][T26914]  kasan_save_stack+0x2f/0x50
[  920.010995][T26914]  kasan_save_track+0x14/0x30
[  920.011078][T26914]  __kasan_kmalloc+0x7b/0x90
[  920.011160][T26914]  register_netdevice+0x48b/0x1980
[  920.011238][T26914]  veth_newlink+0x3a9/0x8d0 [veth]
[  920.011320][T26914]  rtnl_newlink_create+0x2da/0x780
[  920.011397][T26914]  __rtnl_newlink+0x22b/0xa50
[  920.011474][T26914]  rtnl_newlink+0x8d1/0xee0
[  920.011552][T26914]  rtnetlink_rcv_msg+0x6fd/0xbd0
[  920.011629][T26914]  netlink_rcv_skb+0x14e/0x3a0
[  920.011712][T26914]  netlink_unicast+0x47c/0x740
[  920.011789][T26914]  netlink_sendmsg+0x735/0xc60
[  920.011870][T26914]  ____sys_sendmsg+0x419/0x850
[  920.011948][T26914]  ___sys_sendmsg+0x14e/0x1d0
[  920.012030][T26914]  __sys_sendmsg+0x145/0x1f0
[  920.012109][T26914]  do_syscall_64+0xf3/0xfc0
[  920.012192][T26914]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[  920.012291][T26914]
[  920.012330][T26914] Freed by task 69:
[  920.012388][T26914]  kasan_save_stack+0x2f/0x50
[  920.012470][T26914]  kasan_save_track+0x14/0x30
[  920.012547][T26914]  kasan_save_free_info+0x3b/0x60
[  920.012625][T26914]  __kasan_slab_free+0x43/0x70
[  920.012702][T26914]  kfree+0x123/0x5a0
[  920.012761][T26914]  unregister_netdevice_many_notify+0xe38/0x1d80
[  920.012862][T26914]  default_device_exit_batch+0x38b/0x600
[  920.012939][T26914]  ops_undo_list+0x2ce/0x8f0
[  920.013022][T26914]  cleanup_net+0x431/0x890
[  920.013098][T26914]  process_one_work+0xdf5/0x1410
[  920.013175][T26914]  worker_thread+0x4f1/0xd60
[  920.013251][T26914]  kthread+0x364/0x460
[  920.013310][T26914]  ret_from_fork+0x4a4/0x720
[  920.013388][T26914]  ret_from_fork_asm+0x11/0x20
[  920.013465][T26914]
[  920.013504][T26914] The buggy address belongs to the object at ff1100000cebfc40
[  920.013504][T26914]  which belongs to the cache kmalloc-64 of size 64
[  920.013691][T26914] The buggy address is located 16 bytes inside of
[  920.013691][T26914]  freed 64-byte region [ff1100000cebfc40, ff1100000cebfc80)
[  920.013885][T26914]
[  920.013927][T26914] The buggy address belongs to the physical page:
[  920.014027][T26914] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff1100000cebf040 pfn:0xcebf
[  920.014182][T26914] flags: 0x80000000000200(workingset|node=0|zone=1)
[  920.014281][T26914] page_type: f5(slab)
[  920.014342][T26914] raw: 0080000000000200 ff1100000103cac0 ffd4000000083250 ffd40000002dedd0
[  920.014495][T26914] raw: ff1100000cebf040 0000000000100008 00000000f5000000 0000000000000000
[  920.014631][T26914] page dumped because: kasan: bad access detected
[  920.014726][T26914]
[  920.014765][T26914] Memory state around the buggy address:
[  920.014848][T26914]  ff1100000cebfb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[  920.014962][T26914]  ff1100000cebfb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  920.015079][T26914] >ff1100000cebfc00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[  920.015189][T26914]                                                   ^
[  920.015281][T26914]  ff1100000cebfc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  920.015393][T26914]  ff1100000cebfd00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[  920.015504][T26914] ==================================================================
[  920.015645][T26914] Disabling lock debugging due to kernel taint
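The splat above is raw printk output. The three facts a triager wants out of it are the real access site (skipping KASAN's own frames and the stale "?" slots), the allocation and free sites with their owning tasks, and whether the shadow byte under the faulting address and the "located N bytes inside of" line agree with the object base. The helper below extracts and cross-checks exactly those from this report; it is an added example, not part of the page or of the kernel's KASAN code. The shadow-byte meanings (0xfa, 0xfb, 0xfc) follow the generic-KASAN encoding from mm/kasan/kasan.h as I know it, the NOISE prefix list is a heuristic of my own, and the embedded input is a trimmed copy of the report's own lines.

```python
import re
from dataclasses import dataclass, field

# Lines copied from the KASAN report on this page, trimmed to what the parser needs.
REPORT = """\
[  920.003666][T26914] BUG: KASAN: slab-use-after-free in rtnl_fill_prop_list+0x5c0/0x620
[  920.003790][T26914] Read of size 8 at addr ff1100000cebfc50 by task ip/26914
[  920.003954][T26914] Call Trace:
[  920.003974][T26914]  kasan_report+0x108/0x130
[  920.003977][T26914]  ? rtnl_fill_prop_list+0x5c0/0x620
[  920.003982][T26914]  rtnl_fill_prop_list+0x5c0/0x620
[  920.010827][T26914] Allocated by task 26738:
[  920.010907][T26914]  kasan_save_stack+0x2f/0x50
[  920.011078][T26914]  __kasan_kmalloc+0x7b/0x90
[  920.011160][T26914]  register_netdevice+0x48b/0x1980
[  920.011238][T26914]  veth_newlink+0x3a9/0x8d0 [veth]
[  920.012330][T26914] Freed by task 69:
[  920.012388][T26914]  kasan_save_stack+0x2f/0x50
[  920.012625][T26914]  __kasan_slab_free+0x43/0x70
[  920.012702][T26914]  kfree+0x123/0x5a0
[  920.012761][T26914]  unregister_netdevice_many_notify+0xe38/0x1d80
[  920.013504][T26914] The buggy address belongs to the object at ff1100000cebfc40
[  920.013504][T26914]  which belongs to the cache kmalloc-64 of size 64
[  920.013691][T26914] The buggy address is located 16 bytes inside of
[  920.015079][T26914] >ff1100000cebfc00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[T\d+\] ?")                 # printk "[ts][Tpid] " prefix
FRAME = re.compile(r"^\s*(\? )?(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+")  # "func+0xoff/0xlen", optional '?'
GRANULE = 8                                                      # bytes per shadow byte (generic KASAN)
# Shadow values as in mm/kasan/kasan.h: fa = first granule of a freed object (free track), fb = rest
SHADOW = {0x00: "addressable", 0xfa: "freed (free-track granule)", 0xfb: "freed", 0xfc: "slab redzone"}
NOISE = ("dump_stack", "print_", "kasan_", "__kasan_", "__asan_", "kfree", "kmalloc")  # not the bug


@dataclass
class KasanReport:
    kind: str = ""                  # e.g. slab-use-after-free
    access: str = ""                # Read or Write
    size: int = 0
    addr: int = 0
    alloc_task: str = ""
    free_task: str = ""
    trace: list = field(default_factory=list)   # frames with '?' entries dropped
    alloc: list = field(default_factory=list)
    free: list = field(default_factory=list)
    obj_base: int = 0
    obj_size: int = 0
    cache: str = ""
    claimed_offset: int = -1        # "located N bytes inside of" as KASAN printed it
    shadow_rows: dict = field(default_factory=dict)  # row address -> 16 shadow bytes


def parse(text):
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).rstrip()
        if section is not None and (m := FRAME.match(line)):
            if not m[1]:                           # '?' frames are stale stack slots
                section.append(m[2])
            continue
        if not line or line in ("<TASK>", "</TASK>"): continue
        section = None                             # any other text ends a stack
        if m := re.match(r"BUG: KASAN: (\S+) in ", line):
            r.kind = m[1]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            r.access, r.size, r.addr = m[1], int(m[2]), int(m[3], 16)
        elif line == "Call Trace:":
            section = r.trace
        elif m := re.match(r"Allocated by task (\d+):", line):
            r.alloc_task, section = m[1], r.alloc
        elif m := re.match(r"Freed by task (\d+):", line):
            r.free_task, section = m[1], r.free
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_base = int(m[1], 16)
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r.claimed_offset = int(m[1])
        elif m := re.match(r"[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", line):
            r.shadow_rows[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
    return r


def culprit(frames):  # first frame that is not instrumentation noise: the real site
    return next((f for f in frames if not f.startswith(NOISE)), None)


def offset_consistent(r):  # addr - base must equal the printed offset and lie inside the object
    off = r.addr - r.obj_base
    return off == r.claimed_offset and 0 <= off < r.obj_size


def shadow_state(r):  # shadow byte covering addr, as KASAN's '^' marker picks it (16 granules per row)
    row = r.addr & ~(16 * GRANULE - 1)
    byte = r.shadow_rows[row][(r.addr - row) // GRANULE]
    return byte, SHADOW.get(byte, "partial/other")


if __name__ == "__main__":
    rep = parse(REPORT)
    print(rep.kind, "in", culprit(rep.trace), "| alloc:", culprit(rep.alloc), "| free:",
          culprit(rep.free), "| shadow:", shadow_state(rep)[1], "| offset ok:", offset_consistent(rep))
```

Run against the excerpt, the parser reduces the report to: a kmalloc-64 object allocated inside register_netdevice (task 26738, via veth_newlink) and freed by the cleanup_net worker (task 69) in unregister_netdevice_many_notify, then read 8 bytes at offset 16 by rtnl_fill_prop_list in task ip/26914. The shadow byte under the caret is 0xfb, which is what marks a freed granule, and the computed offset matches KASAN's own "16 bytes inside" line, so the report is internally consistent and the alloc/free pairing is the place to start reading the source.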