syzkaller login: [ 170.570950][ T3143] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 170.601631][ T3143] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 170.637845][ T3143] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 170.670087][ T3143] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:45500' (ECDSA) to the list of known hosts.
1970/01/01 00:03:19 fuzzer started
1970/01/01 00:03:26 connecting to host at localhost:39183
1970/01/01 00:03:26 checking machine...
1970/01/01 00:03:26 checking revisions...
1970/01/01 00:03:26 testing simple program...
executing program
executing program
executing program
[ 220.259419][ T3319] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 220.339684][ T3319] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
executing program
executing program
[ 223.943755][ T3319] device hsr_slave_0 entered promiscuous mode
[ 224.014046][ T3319] device hsr_slave_1 entered promiscuous mode
[ 226.512703][ T3319] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 226.737490][ T3319] netdevsim netdevsim0 netdevsim1: renamed from eth1
executing program
[ 226.838886][ T3319] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 226.978468][ T3319] netdevsim netdevsim0 netdevsim3: renamed from eth3
executing program
[ 230.471250][ T3319] 8021q: adding VLAN 0 to HW filter on device bond0
[ 230.650379][ T2121] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 230.671501][ T2121] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 232.728582][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 232.773676][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
executing program
[ 232.930703][ T2121] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 232.943724][ T2121] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 233.068349][ T2118] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 233.197852][ T2118] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 233.551325][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 233.563051][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 233.659626][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 233.683493][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 234.374656][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 234.380116][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
executing program
[ 238.552189][ T2121] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 238.583677][ T2121] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
executing program
[ 240.434876][ T2118] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 240.444535][ T2118] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 240.498863][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 240.512251][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 240.566100][ T3319] device veth0_vlan entered promiscuous mode
[ 240.734909][ T3319] device veth1_vlan entered promiscuous mode
[ 241.175033][ T3542] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 241.201280][ T3542] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 241.274680][ T3319] device veth0_macvtap entered promiscuous mode
[ 241.399287][ T3319] device veth1_macvtap entered promiscuous mode
[ 241.470838][ T3542] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 241.491035][ T3542] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 241.712820][ T2121] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 241.748749][ T2121] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
executing program
[ 241.869459][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 241.899905][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 241.991288][ T3319] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 242.008139][ T3319] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 242.010612][ T3319] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 242.013208][ T3319] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 243.524950][ T3319] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
executing program
1970/01/01 00:04:02 building call list...
[ 245.339298][ T171] ------------[ cut here ]------------
[ 245.342191][ T171] hook not found, pf 3 num 0
[ 245.343888][ T171] WARNING: CPU: 0 PID: 171 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x17c/0x4f0
[ 245.347930][ T171] Modules linked in:
[ 245.349349][ T171] CPU: 0 PID: 171 Comm: kworker/u4:6 Not tainted 5.12.0-syzkaller-13661-gd835ff6c96ae #0
[ 245.350779][ T171] Hardware name: linux,dummy-virt (DT)
[ 245.352239][ T171] Workqueue: netns cleanup_net
[ 245.353247][ T171] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
[ 245.353898][ T171] pc : __nf_unregister_net_hook+0x17c/0x4f0
[ 245.355176][ T171] lr : __nf_unregister_net_hook+0x17c/0x4f0
[ 245.357908][ T171] sp : ffff8000187e79e0
[ 245.359395][ T171] x29: ffff8000187e79e0 x28: 0000000000000003
[ 245.360853][ T171] x27: 0000000000000001 x26: ffff0000137b8f10
[ 245.361414][ T171] x25: 0000000000000007 x24: ffff000013fad41c
[ 245.361964][ T171] x23: ffff80001711f9a0 x22: ffff0000137b8000
[ 245.364029][ T171] x21: 0000000000000001 x20: ffff000009149f20
[ 245.366818][ T171] x19: ffff000013fad400 x18: 0000000000000000
[ 245.374634][ T171] x17: 0000000000000000 x16: 0000000000000000
[ 245.377169][ T171] x15: 0000000000000000 x14: 1ffff000030fce6a
[ 245.377691][ T171] x13: 0000000000000001 x12: ffff60000d560784
[ 245.378167][ T171] x11: 1fffe0000d560783 x10: ffff60000d560783
[ 245.378648][ T171] x9 : dfff800000000000 x8 : ffff00006ab03c1b
[ 245.379248][ T171] x7 : 0000000000000001 x6 : 00009ffff2a9f87d
[ 245.379711][ T171] x5 : ffff00006ab03c18 x4 : 1fffe000012e99d9
[ 245.380208][ T171] x3 : dfff800000000000 x2 : 0000000000000000
[ 245.380735][ T171] x1 : 0000000000000000 x0 : ffff00000974cec0
[ 245.383354][ T171] Call trace:
[ 245.384592][ T171] __nf_unregister_net_hook+0x17c/0x4f0
[ 245.387143][ T171] nf_unregister_net_hooks+0xd4/0x120
[ 245.388529][ T171] arpt_unregister_table_pre_exit+0x6c/0x8c
[ 245.390473][ T171] arptable_filter_net_pre_exit+0x20/0x2c
[ 245.392285][ T171] cleanup_net+0x328/0x820
[ 245.392875][ T171] process_one_work+0x798/0x1764
[ 245.394749][ T171] worker_thread+0x3d4/0xcd0
[ 245.396792][ T171] kthread+0x320/0x3bc
[ 245.398278][ T171] ret_from_fork+0x10/0x3c
[ 245.400574][ T171] irq event stamp: 66718
[ 245.401074][ T171] hardirqs last enabled at (66717): [] console_unlock+0x7f8/0xbf4
[ 245.401541][ T171] hardirqs last disabled at (66718): [] el1_dbg+0x24/0x80
[ 245.401995][ T171] softirqs last enabled at (66698): [] _stext+0x9e0/0x1084
[ 245.402453][ T171] softirqs last disabled at (66687): [] __irq_exit_rcu+0x494/0x550
[ 245.402908][ T171] ---[ end trace 18c0d482abc5157d ]---
[ 245.678034][ T171] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 246.011294][ T171] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 246.282971][ T171] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 246.674752][ T171] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
executing program
executing program
[ 251.192291][ T171] device hsr_slave_0 left promiscuous mode
[ 251.281809][ T171] device hsr_slave_1 left promiscuous mode
[ 251.521424][ T171] device veth1_macvtap left promiscuous mode
[ 251.523987][ T171] device veth0_macvtap left promiscuous mode
[ 251.539223][ T171] device veth1_vlan left promiscuous mode
[ 251.542156][ T171] device veth0_vlan left promiscuous mode
executing program
executing program
[ 257.291263][ T171] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 257.522408][ T171] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 258.604595][ T171] bond0 (unregistering): Released all slaves
executing program
[ 261.342995][ T171] ==================================================================
[ 261.344252][ T171] BUG: KASAN: use-after-free in hooks_validate+0x164/0x1ac
[ 261.344842][ T171] Read of size 4 at addr ffff000009149e48 by task kworker/u4:6/171
[ 261.345590][ T171]
[ 261.346407][ T171] CPU: 0 PID: 171 Comm: kworker/u4:6 Tainted: G W 5.12.0-syzkaller-13661-gd835ff6c96ae #0
[ 261.347212][ T171] Hardware name: linux,dummy-virt (DT)
[ 261.347878][ T171] Workqueue: netns cleanup_net
[ 261.348435][ T171] Call trace:
[ 261.350130][ T171] dump_backtrace+0x0/0x3e0
[ 261.352224][ T171] show_stack+0x18/0x24
[ 261.354238][ T171] dump_stack+0x120/0x1a8
[ 261.356276][ T171] print_address_description.constprop.0+0x2c/0x300
[ 261.357707][ T171] kasan_report+0x1ec/0x200
[ 261.358279][ T171] __asan_report_load4_noabort+0x34/0x60
[ 261.358726][ T171] hooks_validate+0x164/0x1ac
[ 261.359120][ T171] __nf_hook_entries_try_shrink+0x1d4/0x2c4
[ 261.359532][ T171] __nf_unregister_net_hook+0x240/0x4f0
[ 261.359926][ T171] nf_unregister_net_hook+0xb8/0x100
[ 261.360406][ T171] clusterip_net_exit+0x13c/0x204
[ 261.360840][ T171] ops_exit_list+0x78/0x124
[ 261.361263][ T171] cleanup_net+0x3a4/0x820
[ 261.361678][ T171] process_one_work+0x798/0x1764
[ 261.362076][ T171] worker_thread+0x3d4/0xcd0
[ 261.362524][ T171] kthread+0x320/0x3bc
[ 261.362885][ T171] ret_from_fork+0x10/0x3c
[ 261.363440][ T171]
[ 261.364743][ T171] Allocated by task 0:
[ 261.366972][ T171] (stack is not available)
[ 261.369554][ T171]
[ 261.371036][ T171] Freed by task 171:
[ 261.373436][ T171] kasan_save_stack+0x28/0x60
[ 261.376227][ T171] kasan_set_track+0x28/0x40
[ 261.378963][ T171] kasan_set_free_info+0x28/0x50
[ 261.381993][ T171] __kasan_slab_free+0xfc/0x150
[ 261.384344][ T171] slab_free_freelist_hook+0x140/0x264
[ 261.387121][ T171] kfree+0x154/0x7d0
[ 261.389331][ T171] xt_unregister_table+0x1cc/0x2ec
[ 261.391970][ T171] __arpt_unregister_table+0x44/0x1b4
[ 261.394547][ T171] arpt_unregister_table+0x30/0x40
[ 261.397174][ T171] arptable_filter_net_exit+0x18/0x24
[ 261.399924][ T171] ops_exit_list+0x78/0x124
[ 261.402397][ T171] cleanup_net+0x3a4/0x820
[ 261.404128][ T171] process_one_work+0x798/0x1764
[ 261.404630][ T171] worker_thread+0x3d4/0xcd0
[ 261.405114][ T171] kthread+0x320/0x3bc
[ 261.405497][ T171] ret_from_fork+0x10/0x3c
[ 261.407700][ T171]
[ 261.408127][ T171] The buggy address belongs to the object at ffff000009149e00
[ 261.408127][ T171] which belongs to the cache kmalloc-128 of size 128
[ 261.408933][ T171] The buggy address is located 72 bytes inside of
[ 261.408933][ T171] 128-byte region [ffff000009149e00, ffff000009149e80)
[ 261.409700][ T171] The buggy address belongs to the page:
[ 261.410582][ T171] page:00000000b716bef5 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x49149
[ 261.411781][ T171] flags: 0x1ffc00000000200(slab|node=0|zone=0|lastcpupid=0x7ff)
[ 261.413307][ T171] raw: 01ffc00000000200 dead000000000100 dead000000000122 ffff000008802300
[ 261.413875][ T171] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 261.414477][ T171] page dumped because: kasan: bad access detected
[ 261.415063][ T171]
[ 261.415562][ T171] Memory state around the buggy address:
[ 261.416545][ T171] ffff000009149d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 261.417087][ T171] ffff000009149d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 261.417560][ T171] >ffff000009149e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 261.418018][ T171] ^
[ 261.418569][ T171] ffff000009149e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 261.419015][ T171] ffff000009149f00: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 261.419627][ T171] ==================================================================
[ 261.420151][ T171] Disabling lock debugging due to kernel taint
executing program
[ 264.441907][ T3306] can: request_module (can-proto-0) failed.
[ 264.582404][ T3306] can: request_module (can-proto-0) failed.
[ 264.721194][ T3306] can: request_module (can-proto-0) failed.
executing program
executing program
executing program
VM DIAGNOSIS: 21:22:58 Registers: