syzkaller login: [ 80.805329][ T3143] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 80.817627][ T3143] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 80.828651][ T3143] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:62919' (ECDSA) to the list of known hosts.
1970/01/01 00:01:32 fuzzer started
1970/01/01 00:01:34 connecting to host at localhost:43879
1970/01/01 00:01:34 checking machine...
1970/01/01 00:01:34 checking revisions...
1970/01/01 00:01:35 testing simple program...
executing program
[ 99.550724][ T3305] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 99.568743][ T3305] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 100.930399][ T3305] device hsr_slave_0 entered promiscuous mode
[ 101.004026][ T3305] device hsr_slave_1 entered promiscuous mode
executing program
[ 102.004111][ T3305] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 102.103655][ T3305] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 102.191115][ T3305] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 102.262606][ T3305] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 103.625210][ T3305] 8021q: adding VLAN 0 to HW filter on device bond0
[ 103.706262][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 103.726770][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 104.494867][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 104.498936][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
executing program
[ 104.558691][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 104.564059][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 104.598575][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 104.645958][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 104.767358][ T2914] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 104.772718][ T2914] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 104.814959][ T2114] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 104.824713][ T2114] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 104.882425][ T3305] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 105.036129][ T3510] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 105.037595][ T3510] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 106.732288][ T2114] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 106.736721][ T2114] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
executing program
[ 107.604680][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 107.617559][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 107.636034][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 107.643423][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 107.666383][ T3305] device veth0_vlan entered promiscuous mode
[ 107.747408][ T3305] device veth1_vlan entered promiscuous mode
[ 107.954999][ T2914] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 107.962319][ T2914] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 108.007497][ T3305] device veth0_macvtap entered promiscuous mode
[ 108.052890][ T3305] device veth1_macvtap entered promiscuous mode
[ 108.166867][ T2114] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 108.175962][ T2114] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 108.184448][ T2114] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 108.188322][ T2114] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 108.236621][ T3503] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 108.243653][ T3503] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 108.291301][ T3305] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 108.292237][ T3305] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 108.292586][ T3305] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 108.292913][ T3305] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 109.017487][ T3305] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
1970/01/01 00:01:49 building call list...
[ 110.367471][ T2349] ------------[ cut here ]------------
[ 110.368244][ T2349] hook not found, pf 3 num 0
[ 110.369371][ T2349] WARNING: CPU: 0 PID: 2349 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x17c/0x4f0
[ 110.370543][ T2349] Modules linked in:
[ 110.371123][ T2349] CPU: 0 PID: 2349 Comm: kworker/u4:8 Not tainted 5.12.0-syzkaller-13670-g5e321ded302d #0
[ 110.371476][ T2349] Hardware name: linux,dummy-virt (DT)
[ 110.372077][ T2349] Workqueue: netns cleanup_net
[ 110.372821][ T2349] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
[ 110.373563][ T2349] pc : __nf_unregister_net_hook+0x17c/0x4f0
[ 110.374233][ T2349] lr : __nf_unregister_net_hook+0x17c/0x4f0
[ 110.374491][ T2349] sp : ffff80001db679e0
[ 110.374691][ T2349] x29: ffff80001db679e0 x28: 0000000000000003
[ 110.375067][ T2349] x27: 0000000000000001 x26: ffff00000a740f10
[ 110.375441][ T2349] x25: 0000000000000007 x24: ffff0000141a801c
[ 110.375743][ T2349] x23: ffff80001711f9a0 x22: ffff00000a740000
[ 110.376031][ T2349] x21: 0000000000000001 x20: ffff00000ac9b820
[ 110.376327][ T2349] x19: ffff0000141a8000 x18: ffff00006ab03b48
[ 110.376777][ T2349] x17: 0000000000000000 x16: 0000000000000000
[ 110.377454][ T2349] x15: ffff00006ab03b7c x14: 1ffff00003b6ce6a
[ 110.378039][ T2349] x13: 0000000000000001 x12: ffff60000d560784
[ 110.378520][ T2349] x11: 1fffe0000d560783 x10: ffff60000d560783
[ 110.378920][ T2349] x9 : dfff800000000000 x8 : ffff00006ab03c1b
[ 110.379411][ T2349] x7 : 0000000000000001 x6 : 00009ffff2a9f87d
[ 110.379805][ T2349] x5 : ffff00006ab03c18 x4 : 1fffe0000155e691
[ 110.380167][ T2349] x3 : dfff800000000000 x2 : 0000000000000000
[ 110.380644][ T2349] x1 : 0000000000000000 x0 : ffff00000aaf3480
[ 110.381448][ T2349] Call trace:
[ 110.381852][ T2349]  __nf_unregister_net_hook+0x17c/0x4f0
[ 110.382195][ T2349]  nf_unregister_net_hooks+0xd4/0x120
[ 110.382554][ T2349]  arpt_unregister_table_pre_exit+0x6c/0x8c
[ 110.382848][ T2349]  arptable_filter_net_pre_exit+0x20/0x2c
[ 110.383204][ T2349]  cleanup_net+0x328/0x820
[ 110.383436][ T2349]  process_one_work+0x798/0x1764
[ 110.383694][ T2349]  worker_thread+0x3d4/0xcd0
[ 110.383911][ T2349]  kthread+0x320/0x3bc
[ 110.384091][ T2349]  ret_from_fork+0x10/0x3c
[ 110.384524][ T2349] irq event stamp: 42600
[ 110.384742][ T2349] hardirqs last enabled at (42599): [] console_unlock+0x7f8/0xbf4
[ 110.385084][ T2349] hardirqs last disabled at (42600): [] el1_dbg+0x24/0x80
[ 110.385400][ T2349] softirqs last enabled at (42338): [] _stext+0x9e0/0x1084
[ 110.385710][ T2349] softirqs last disabled at (42269): [] __irq_exit_rcu+0x494/0x550
[ 110.386020][ T2349] ---[ end trace 40e17dd1c3929428 ]---
executing program
[ 110.623789][ T2349] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 110.885835][ T2349] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 111.065821][ T2349] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 111.226671][ T2349] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 114.138282][ T2349] device hsr_slave_0 left promiscuous mode
[ 114.215420][ T2349] device hsr_slave_1 left promiscuous mode
[ 114.406040][ T2349] device veth1_macvtap left promiscuous mode
[ 114.407519][ T2349] device veth0_macvtap left promiscuous mode
[ 114.417690][ T2349] device veth1_vlan left promiscuous mode
[ 114.426303][ T2349] device veth0_vlan left promiscuous mode
executing program
[ 117.014160][ T2349] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 117.141406][ T2349] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 117.731719][ T2349] bond0 (unregistering): Released all slaves
executing program
[ 119.533127][ T2349] ==================================================================
[ 119.533866][ T2349] BUG: KASAN: use-after-free in hooks_validate+0x164/0x1ac
[ 119.534240][ T2349] Read of size 4 at addr ffff00000ac9b748 by task kworker/u4:8/2349
[ 119.534510][ T2349]
[ 119.534901][ T2349] CPU: 0 PID: 2349 Comm: kworker/u4:8 Tainted: G W 5.12.0-syzkaller-13670-g5e321ded302d #0
[ 119.535212][ T2349] Hardware name: linux,dummy-virt (DT)
[ 119.535483][ T2349] Workqueue: netns cleanup_net
[ 119.535788][ T2349] Call trace:
[ 119.535951][ T2349]  dump_backtrace+0x0/0x3e0
[ 119.536142][ T2349]  show_stack+0x18/0x24
[ 119.536339][ T2349]  dump_stack+0x120/0x1a8
[ 119.536525][ T2349]  print_address_description.constprop.0+0x2c/0x300
[ 119.536762][ T2349]  kasan_report+0x1ec/0x200
[ 119.536965][ T2349]  __asan_report_load4_noabort+0x34/0x60
[ 119.537183][ T2349]  hooks_validate+0x164/0x1ac
[ 119.537391][ T2349]  __nf_hook_entries_try_shrink+0x1d4/0x2c4
[ 119.537617][ T2349]  __nf_unregister_net_hook+0x240/0x4f0
[ 119.537835][ T2349]  nf_unregister_net_hook+0xb8/0x100
[ 119.538046][ T2349]  clusterip_net_exit+0x13c/0x204
[ 119.538259][ T2349]  ops_exit_list+0x78/0x124
[ 119.538492][ T2349]  cleanup_net+0x3a4/0x820
[ 119.538685][ T2349]  process_one_work+0x798/0x1764
[ 119.538890][ T2349]  worker_thread+0x3d4/0xcd0
[ 119.539086][ T2349]  kthread+0x320/0x3bc
[ 119.539510][ T2349]  ret_from_fork+0x10/0x3c
[ 119.539841][ T2349]
[ 119.540183][ T2349] Allocated by task 0:
[ 119.540381][ T2349] (stack is not available)
[ 119.540572][ T2349]
[ 119.540758][ T2349] Freed by task 2349:
[ 119.541042][ T2349]  kasan_save_stack+0x28/0x60
[ 119.541283][ T2349]  kasan_set_track+0x28/0x40
[ 119.541485][ T2349]  kasan_set_free_info+0x28/0x50
[ 119.541670][ T2349]  __kasan_slab_free+0xfc/0x150
[ 119.541841][ T2349]  slab_free_freelist_hook+0x140/0x264
[ 119.542042][ T2349]  kfree+0x154/0x7d0
[ 119.542224][ T2349]  xt_unregister_table+0x1cc/0x2ec
[ 119.542493][ T2349]  __arpt_unregister_table+0x44/0x1b4
[ 119.542710][ T2349]  arpt_unregister_table+0x30/0x40
[ 119.542916][ T2349]  arptable_filter_net_exit+0x18/0x24
[ 119.543127][ T2349]  ops_exit_list+0x78/0x124
[ 119.543334][ T2349]  cleanup_net+0x3a4/0x820
[ 119.543527][ T2349]  process_one_work+0x798/0x1764
[ 119.543739][ T2349]  worker_thread+0x3d4/0xcd0
[ 119.544084][ T2349]  kthread+0x320/0x3bc
[ 119.544285][ T2349]  ret_from_fork+0x10/0x3c
[ 119.544538][ T2349]
[ 119.544705][ T2349] The buggy address belongs to the object at ffff00000ac9b700
[ 119.544705][ T2349]  which belongs to the cache kmalloc-128 of size 128
[ 119.545077][ T2349] The buggy address is located 72 bytes inside of
[ 119.545077][ T2349]  128-byte region [ffff00000ac9b700, ffff00000ac9b780)
[ 119.545460][ T2349] The buggy address belongs to the page:
[ 119.546003][ T2349] page:000000001be8bdf3 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ac9b
[ 119.546617][ T2349] flags: 0x1ffc00000000200(slab|node=0|zone=0|lastcpupid=0x7ff)
[ 119.547464][ T2349] raw: 01ffc00000000200 dead000000000100 dead000000000122 ffff000008802300
[ 119.547763][ T2349] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 119.548062][ T2349] page dumped because: kasan: bad access detected
[ 119.548361][ T2349]
[ 119.548540][ T2349] Memory state around the buggy address:
[ 119.548978][ T2349]  ffff00000ac9b600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 119.549372][ T2349]  ffff00000ac9b680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 119.549632][ T2349] >ffff00000ac9b700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 119.549929][ T2349]                                               ^
[ 119.550308][ T2349]  ffff00000ac9b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 119.550652][ T2349]  ffff00000ac9b800: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 119.551048][ T2349] ==================================================================
[ 119.551466][ T2349] Disabling lock debugging due to kernel taint
[ 120.786268][ T3294] can: request_module (can-proto-0) failed.
[ 120.868151][ T3294] can: request_module (can-proto-0) failed.
[ 120.953253][ T3294] can: request_module (can-proto-0) failed.
executing program
executing program
[ 131.957806][ T3143] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 133.951163][ T3143] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 133.953940][ T3143] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 134.594955][ T3143] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
VM DIAGNOSIS: 01:22:43 Registers: