syzkaller login: [ 119.938836][ T3141] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 119.983653][ T3141] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 119.995781][ T3141] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:12671' (ECDSA) to the list of known hosts.
1970/01/01 00:02:18 fuzzer started
1970/01/01 00:02:21 connecting to host at localhost:42445
1970/01/01 00:02:22 checking machine...
1970/01/01 00:02:22 checking revisions...
1970/01/01 00:02:22 testing simple program...
executing program
executing program
[ 149.692829][ T3303] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 149.729270][ T3303] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 152.202558][ T3303] device hsr_slave_0 entered promiscuous mode
[ 152.295695][ T3303] device hsr_slave_1 entered promiscuous mode
executing program
[ 153.943259][ T3303] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 154.033755][ T3303] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 154.119441][ T3303] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 154.186788][ T3303] netdevsim netdevsim0 netdevsim3: renamed from eth3
executing program
[ 156.375334][ T3303] 8021q: adding VLAN 0 to HW filter on device bond0
[ 156.496460][ T3465] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 156.521012][ T3465] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 157.751307][ T3465] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 157.757293][ T3465] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 157.845908][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 157.853668][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 157.947090][ T3465] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 158.007552][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 158.191514][ T2118] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 158.198618][ T2118] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 158.304453][ T2118] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 158.328072][ T2118] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 158.399202][ T3303] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
executing program
[ 158.688934][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 158.692495][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 161.293185][ T3509] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 161.298247][ T3509] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
executing program
[ 162.515928][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 162.535846][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 162.567291][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 162.582406][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 162.618761][ T3303] device veth0_vlan entered promiscuous mode
[ 162.767908][ T3303] device veth1_vlan entered promiscuous mode
[ 163.066874][ T3465] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 163.075237][ T3465] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 163.137019][ T3303] device veth0_macvtap entered promiscuous mode
[ 163.224131][ T3303] device veth1_macvtap entered promiscuous mode
[ 163.437220][ T3509] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 163.484670][ T3509] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 163.499266][ T3509] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 163.508030][ T3509] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 163.626855][ T3509] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 163.644786][ T3509] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 163.706816][ T3303] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 163.707814][ T3303] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 163.708224][ T3303] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 163.708632][ T3303] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 164.657498][ T3303] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
1970/01/01 00:02:44 building call list...
[ 166.018096][ T129] ------------[ cut here ]------------
[ 166.019299][ T129] hook not found, pf 3 num 0
[ 166.062929][ T129] WARNING: CPU: 1 PID: 129 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x17c/0x4f0
[ 166.064380][ T129] Modules linked in:
[ 166.065235][ T129] CPU: 1 PID: 129 Comm: kworker/u4:6 Not tainted 5.12.0-syzkaller-13670-g5e321ded302d #0
[ 166.065850][ T129] Hardware name: linux,dummy-virt (DT)
[ 166.067112][ T129] Workqueue: netns cleanup_net
[ 166.068451][ T129] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
[ 166.069004][ T129] pc : __nf_unregister_net_hook+0x17c/0x4f0
[ 166.069650][ T129] lr : __nf_unregister_net_hook+0x17c/0x4f0
[ 166.070074][ T129] sp : ffff8000187279e0
[ 166.070579][ T129] x29: ffff8000187279e0 x28: 0000000000000003
[ 166.071166][ T129] x27: 0000000000000001 x26: ffff0000124f8f10
[ 166.071651][ T129] x25: 0000000000000007 x24: ffff00000c3cdc1c
[ 166.072514][ T129] x23: ffff800017120fa0 x22: ffff0000124f8000
[ 166.073103][ T129] x21: 0000000000000001 x20: ffff00000966bf20
[ 166.073694][ T129] x19: ffff00000c3cdc00 x18: 0000000000000000
[ 166.074154][ T129] x17: 0000000000000000 x16: 0000000000000000
[ 166.074857][ T129] x15: 0000000000000000 x14: 1ffff000030e4e6a
[ 166.075786][ T129] x13: 0000000000000001 x12: ffff60000d564a97
[ 166.076429][ T129] x11: 1fffe0000d564a96 x10: ffff60000d564a96
[ 166.077039][ T129] x9 : dfff800000000000 x8 : ffff00006ab254b7
[ 166.077859][ T129] x7 : 0000000000000001 x6 : 00009ffff2a9b56a
[ 166.078610][ T129] x5 : ffff00006ab254b0 x4 : 1fffe000012ba001
[ 166.079222][ T129] x3 : dfff800000000000 x2 : 0000000000000000
[ 166.079780][ T129] x1 : 0000000000000000 x0 : ffff0000095d0000
[ 166.080767][ T129] Call trace:
[ 166.081140][ T129] __nf_unregister_net_hook+0x17c/0x4f0
[ 166.081542][ T129] nf_unregister_net_hooks+0xd4/0x120
[ 166.081939][ T129] arpt_unregister_table_pre_exit+0x6c/0x8c
[ 166.082304][ T129] arptable_filter_net_pre_exit+0x20/0x2c
[ 166.082713][ T129] cleanup_net+0x328/0x820
[ 166.083026][ T129] process_one_work+0x798/0x1764
[ 166.083367][ T129] worker_thread+0x3d4/0xcd0
[ 166.083704][ T129] kthread+0x320/0x3bc
[ 166.083993][ T129] ret_from_fork+0x10/0x3c
[ 166.084585][ T129] irq event stamp: 188248
[ 166.084935][ T129] hardirqs last enabled at (188247): [] console_unlock+0x7f8/0xbf4
[ 166.085445][ T129] hardirqs last disabled at (188248): [] el1_dbg+0x24/0x80
[ 166.085944][ T129] softirqs last enabled at (188238): [] _stext+0x9e0/0x1084
[ 166.086501][ T129] softirqs last disabled at (188223): [] __irq_exit_rcu+0x494/0x550
[ 166.087010][ T129] ---[ end trace b2ee093a8001beda ]---
[ 166.408959][ T129] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 166.681778][ T129] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 166.949990][ T129] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 167.185795][ T129] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
executing program
executing program
[ 170.986565][ T129] device hsr_slave_0 left promiscuous mode
[ 171.083711][ T129] device hsr_slave_1 left promiscuous mode
[ 171.287241][ T129] device veth1_macvtap left promiscuous mode
[ 171.290805][ T129] device veth0_macvtap left promiscuous mode
[ 171.325313][ T129] device veth1_vlan left promiscuous mode
[ 171.327865][ T129] device veth0_vlan left promiscuous mode
executing program
[ 175.926184][ T129] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 176.051708][ T129] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
executing program
[ 177.065088][ T129] bond0 (unregistering): Released all slaves
executing program
[ 179.497775][ T129] ==================================================================
[ 179.498928][ T129] BUG: KASAN: use-after-free in hooks_validate+0x164/0x1ac
[ 179.499391][ T129] Read of size 4 at addr ffff00000966be48 by task kworker/u4:6/129
[ 179.499769][ T129]
[ 179.500407][ T129] CPU: 0 PID: 129 Comm: kworker/u4:6 Tainted: G W 5.12.0-syzkaller-13670-g5e321ded302d #0
[ 179.500859][ T129] Hardware name: linux,dummy-virt (DT)
[ 179.501197][ T129] Workqueue: netns cleanup_net
[ 179.501618][ T129] Call trace:
[ 179.501908][ T129] dump_backtrace+0x0/0x3e0
[ 179.502192][ T129] show_stack+0x18/0x24
[ 179.502490][ T129] dump_stack+0x120/0x1a8
[ 179.502775][ T129] print_address_description.constprop.0+0x2c/0x300
[ 179.503092][ T129] kasan_report+0x1ec/0x200
[ 179.503366][ T129] __asan_report_load4_noabort+0x34/0x60
[ 179.503658][ T129] hooks_validate+0x164/0x1ac
[ 179.503922][ T129] __nf_hook_entries_try_shrink+0x1d4/0x2c4
[ 179.504220][ T129] __nf_unregister_net_hook+0x240/0x4f0
[ 179.504518][ T129] nf_unregister_net_hook+0xb8/0x100
[ 179.504837][ T129] clusterip_net_exit+0x13c/0x204
[ 179.505160][ T129] ops_exit_list+0x78/0x124
[ 179.505423][ T129] cleanup_net+0x3a4/0x820
[ 179.505691][ T129] process_one_work+0x798/0x1764
[ 179.505979][ T129] worker_thread+0x3d4/0xcd0
[ 179.506261][ T129] kthread+0x320/0x3bc
[ 179.506573][ T129] ret_from_fork+0x10/0x3c
[ 179.506957][ T129]
[ 179.507316][ T129] Allocated by task 0:
[ 179.507688][ T129] (stack is not available)
[ 179.507958][ T129]
[ 179.508207][ T129] Freed by task 129:
[ 179.508613][ T129] kasan_save_stack+0x28/0x60
[ 179.508913][ T129] kasan_set_track+0x28/0x40
[ 179.509190][ T129] kasan_set_free_info+0x28/0x50
[ 179.509655][ T129] __kasan_slab_free+0xfc/0x150
[ 179.509936][ T129] slab_free_freelist_hook+0x140/0x264
[ 179.510224][ T129] kfree+0x154/0x7d0
[ 179.510668][ T129] xt_unregister_table+0x1cc/0x2ec
[ 179.510955][ T129] __arpt_unregister_table+0x44/0x1b4
[ 179.511260][ T129] arpt_unregister_table+0x30/0x40
[ 179.511537][ T129] arptable_filter_net_exit+0x18/0x24
[ 179.511995][ T129] ops_exit_list+0x78/0x124
[ 179.512333][ T129] cleanup_net+0x3a4/0x820
[ 179.512643][ T129] process_one_work+0x798/0x1764
[ 179.512928][ T129] worker_thread+0x3d4/0xcd0
[ 179.513307][ T129] kthread+0x320/0x3bc
[ 179.513798][ T129] ret_from_fork+0x10/0x3c
[ 179.514169][ T129]
[ 179.514491][ T129] The buggy address belongs to the object at ffff00000966be00
[ 179.514491][ T129] which belongs to the cache kmalloc-128 of size 128
[ 179.515046][ T129] The buggy address is located 72 bytes inside of
[ 179.515046][ T129] 128-byte region [ffff00000966be00, ffff00000966be80)
[ 179.516872][ T129] The buggy address belongs to the page:
[ 179.517711][ T129] page:000000001657f276 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4966b
[ 179.518547][ T129] flags: 0x1ffc00000000200(slab|node=0|zone=0|lastcpupid=0x7ff)
[ 179.519743][ T129] raw: 01ffc00000000200 dead000000000100 dead000000000122 ffff000008802300
[ 179.520228][ T129] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 179.520735][ T129] page dumped because: kasan: bad access detected
[ 179.521189][ T129]
[ 179.521450][ T129] Memory state around the buggy address:
[ 179.522188][ T129] ffff00000966bd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 179.522690][ T129] ffff00000966bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 179.523317][ T129] >ffff00000966be00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 179.523685][ T129] ^
[ 179.524090][ T129] ffff00000966be80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 179.524400][ T129] ffff00000966bf00: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 179.524866][ T129] ==================================================================
[ 179.525228][ T129] Disabling lock debugging due to kernel taint
[ 182.411921][ T3296] can: request_module (can-proto-0) failed.
executing program
[ 182.534255][ T3296] can: request_module (can-proto-0) failed.
[ 182.650126][ T3296] can: request_module (can-proto-0) failed.
executing program
executing program

VM DIAGNOSIS:
14:24:27 Registers: