syzkaller login: [ 110.905959][ T3142] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 110.940335][ T3142] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 110.956116][ T3142] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:6295' (ECDSA) to the list of known hosts.
1970/01/01 00:02:08 fuzzer started
1970/01/01 00:02:12 connecting to host at localhost:46285
1970/01/01 00:02:12 checking machine...
1970/01/01 00:02:12 checking revisions...
1970/01/01 00:02:12 testing simple program...
executing program
executing program
[ 139.799546][ T3304] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 139.857233][ T3304] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 141.836188][ T3304] device hsr_slave_0 entered promiscuous mode
[ 141.918305][ T3304] device hsr_slave_1 entered promiscuous mode
executing program
[ 143.359204][ T3304] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 143.460561][ T3304] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 143.628317][ T3304] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 143.698986][ T3304] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 145.497372][ T3304] 8021q: adding VLAN 0 to HW filter on device bond0
[ 145.635102][ T2116] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 145.647786][ T2116] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
executing program
[ 146.720187][ T3503] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 146.726149][ T3503] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 146.779794][ T2116] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 146.786867][ T2116] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 146.856365][ T2116] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 146.940474][ T2116] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 147.135729][ T3503] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 147.141234][ T3503] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 147.227826][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 147.245520][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 147.316427][ T3304] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 147.559176][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 147.569394][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
executing program
[ 150.213456][ T3503] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 150.219005][ T3503] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 151.526794][ T2116] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 151.550664][ T2116] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 151.574299][ T2116] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 151.580961][ T2116] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 151.617897][ T3304] device veth0_vlan entered promiscuous mode
[ 151.751137][ T3304] device veth1_vlan entered promiscuous mode
executing program
[ 152.085043][ T2116] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 152.103393][ T2116] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 152.157229][ T3304] device veth0_macvtap entered promiscuous mode
[ 152.232756][ T3304] device veth1_macvtap entered promiscuous mode
[ 152.472467][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 152.480496][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 152.500168][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 152.515019][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 152.605905][ T3503] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 152.624642][ T3503] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 152.714724][ T3304] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 152.716158][ T3304] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 152.716675][ T3304] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 152.717147][ T3304] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 153.850321][ T3304] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
executing program
1970/01/01 00:02:34 building call list...
[ 155.400128][ T40] ------------[ cut here ]------------
[ 155.401194][ T40] hook not found, pf 3 num 0
[ 155.416436][ T40] WARNING: CPU: 1 PID: 40 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x17c/0x4f0
[ 155.417414][ T40] Modules linked in:
[ 155.418143][ T40] CPU: 1 PID: 40 Comm: kworker/u4:3 Not tainted 5.12.0-syzkaller-14380-g8404c9fbc84b #0
[ 155.418624][ T40] Hardware name: linux,dummy-virt (DT)
[ 155.419495][ T40] Workqueue: netns cleanup_net
[ 155.420601][ T40] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
[ 155.421322][ T40] pc : __nf_unregister_net_hook+0x17c/0x4f0
[ 155.421781][ T40] lr : __nf_unregister_net_hook+0x17c/0x4f0
[ 155.422285][ T40] sp : ffff8000184c79e0
[ 155.422721][ T40] x29: ffff8000184c79e0 x28: 0000000000000003
[ 155.423265][ T40] x27: 0000000000000001 x26: ffff00000a508f10
[ 155.423719][ T40] x25: 0000000000000007 x24: ffff00000d5f041c
[ 155.424149][ T40] x23: ffff800017132f20 x22: ffff00000a508000
[ 155.424590][ T40] x21: 0000000000000001 x20: ffff0000094a4720
[ 155.425118][ T40] x19: ffff00000d5f0400 x18: ffff00006aaf1b48
[ 155.425551][ T40] x17: 0000000000000000 x16: 0000000000000007
[ 155.426006][ T40] x15: ffff00006aaf1b7c x14: 1ffff00003098e7a
[ 155.426452][ T40] x13: 0000000000000001 x12: ffff60000d564697
[ 155.426931][ T40] x11: 1fffe0000d564696 x10: ffff60000d564696
[ 155.427388][ T40] x9 : dfff800000000000 x8 : ffff00006ab234b7
[ 155.427924][ T40] x7 : 0000000000000001 x6 : 00009ffff2a9b96a
[ 155.428365][ T40] x5 : ffff00006ab234b0 x4 : 1fffe0000115b9d9
[ 155.428818][ T40] x3 : dfff800000000000 x2 : 0000000000000000
[ 155.429291][ T40] x1 : 0000000000000000 x0 : ffff000008adcec0
[ 155.430076][ T40] Call trace:
[ 155.430450][ T40] __nf_unregister_net_hook+0x17c/0x4f0
[ 155.430805][ T40] nf_unregister_net_hooks+0xd4/0x120
[ 155.431115][ T40] arpt_unregister_table_pre_exit+0x6c/0x8c
[ 155.431716][ T40] arptable_filter_net_pre_exit+0x20/0x2c
[ 155.432054][ T40] cleanup_net+0x328/0x820
[ 155.432402][ T40] process_one_work+0x798/0x1764
[ 155.432727][ T40] worker_thread+0x3d4/0xcd0
[ 155.433068][ T40] kthread+0x320/0x3bc
[ 155.433350][ T40] ret_from_fork+0x10/0x3c
[ 155.433885][ T40] irq event stamp: 64710
[ 155.434219][ T40] hardirqs last enabled at (64709): [] _raw_spin_unlock_irq+0x78/0x15c
[ 155.434801][ T40] hardirqs last disabled at (64710): [] el1_dbg+0x24/0x80
[ 155.435259][ T40] softirqs last enabled at (64706): [] _stext+0x9e0/0x1084
[ 155.435757][ T40] softirqs last disabled at (64693): [] __irq_exit_rcu+0x494/0x550
[ 155.436261][ T40] ---[ end trace 1be8a62ab1057976 ]---
[ 155.670558][ T40] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 155.960215][ T40] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 156.217996][ T40] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 156.528330][ T40] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 160.353718][ T40] device hsr_slave_0 left promiscuous mode
[ 160.395455][ T40] device hsr_slave_1 left promiscuous mode
[ 160.569741][ T40] device veth1_macvtap left promiscuous mode
[ 160.584246][ T40] device veth0_macvtap left promiscuous mode
[ 160.588202][ T40] device veth1_vlan left promiscuous mode
[ 160.590823][ T40] device veth0_vlan left promiscuous mode
executing program
executing program
[ 163.889897][ T40] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 164.026856][ T40] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 164.785372][ T40] bond0 (unregistering): Released all slaves
executing program
[ 167.004112][ T40] ==================================================================
[ 167.005147][ T40] BUG: KASAN: use-after-free in hooks_validate+0x164/0x1ac
[ 167.005640][ T40] Read of size 4 at addr ffff0000094a4648 by task kworker/u4:3/40
[ 167.006017][ T40]
[ 167.006570][ T40] CPU: 1 PID: 40 Comm: kworker/u4:3 Tainted: G W 5.12.0-syzkaller-14380-g8404c9fbc84b #0
[ 167.007041][ T40] Hardware name: linux,dummy-virt (DT)
[ 167.007395][ T40] Workqueue: netns cleanup_net
[ 167.007836][ T40] Call trace:
[ 167.008110][ T40] dump_backtrace+0x0/0x3e0
[ 167.008406][ T40] show_stack+0x18/0x24
[ 167.008691][ T40] dump_stack+0x120/0x1a8
[ 167.008988][ T40] print_address_description.constprop.0+0x2c/0x300
[ 167.009432][ T40] kasan_report+0x1ec/0x200
[ 167.009707][ T40] __asan_report_load4_noabort+0x34/0x60
[ 167.010024][ T40] hooks_validate+0x164/0x1ac
[ 167.010336][ T40] __nf_hook_entries_try_shrink+0x1d4/0x2c4
[ 167.010954][ T40] __nf_unregister_net_hook+0x240/0x4f0
[ 167.011304][ T40] nf_unregister_net_hook+0xb8/0x100
[ 167.011666][ T40] clusterip_net_exit+0x13c/0x204
[ 167.012079][ T40] ops_exit_list+0x78/0x124
[ 167.012487][ T40] cleanup_net+0x3a4/0x820
[ 167.012810][ T40] process_one_work+0x798/0x1764
[ 167.013252][ T40] worker_thread+0x3d4/0xcd0
[ 167.013550][ T40] kthread+0x320/0x3bc
[ 167.013837][ T40] ret_from_fork+0x10/0x3c
[ 167.014257][ T40]
[ 167.014623][ T40] Allocated by task 0:
[ 167.014922][ T40] (stack is not available)
[ 167.015236][ T40]
[ 167.015520][ T40] Freed by task 40:
[ 167.015923][ T40] kasan_save_stack+0x28/0x60
[ 167.016287][ T40] kasan_set_track+0x28/0x40
[ 167.016598][ T40] kasan_set_free_info+0x28/0x50
[ 167.016897][ T40] __kasan_slab_free+0xfc/0x150
[ 167.017246][ T40] slab_free_freelist_hook+0x140/0x264
[ 167.017570][ T40] kfree+0x154/0x7d0
[ 167.017853][ T40] xt_unregister_table+0x1cc/0x2ec
[ 167.018222][ T40] __arpt_unregister_table+0x44/0x1b4
[ 167.018527][ T40] arpt_unregister_table+0x30/0x40
[ 167.018846][ T40] arptable_filter_net_exit+0x18/0x24
[ 167.019092][ T40] ops_exit_list+0x78/0x124
[ 167.019276][ T40] cleanup_net+0x3a4/0x820
[ 167.019454][ T40] process_one_work+0x798/0x1764
[ 167.019642][ T40] worker_thread+0x3d4/0xcd0
[ 167.019822][ T40] kthread+0x320/0x3bc
[ 167.019994][ T40] ret_from_fork+0x10/0x3c
[ 167.020216][ T40]
[ 167.020421][ T40] The buggy address belongs to the object at ffff0000094a4600
[ 167.020421][ T40] which belongs to the cache kmalloc-128 of size 128
[ 167.020852][ T40] The buggy address is located 72 bytes inside of
[ 167.020852][ T40] 128-byte region [ffff0000094a4600, ffff0000094a4680)
[ 167.021362][ T40] The buggy address belongs to the page:
[ 167.021807][ T40] page:000000000810f175 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x494a4
[ 167.022544][ T40] flags: 0x1ffc00000000200(slab|node=0|zone=0|lastcpupid=0x7ff)
[ 167.023354][ T40] raw: 01ffc00000000200 dead000000000100 dead000000000122 ffff000008802300
[ 167.023800][ T40] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 167.024252][ T40] page dumped because: kasan: bad access detected
[ 167.024858][ T40]
[ 167.025263][ T40] Memory state around the buggy address:
[ 167.026091][ T40] ffff0000094a4500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 167.026503][ T40] ffff0000094a4580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 167.026829][ T40] >ffff0000094a4600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 167.027171][ T40] ^
[ 167.027469][ T40] ffff0000094a4680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 167.027800][ T40]
ffff0000094a4700: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 167.028188][ T40] ==================================================================
[ 167.028499][ T40] Disabling lock debugging due to kernel taint
executing program
[ 169.920411][ T3296] can: request_module (can-proto-0) failed.
[ 170.011026][ T3296] can: request_module (can-proto-0) failed.
[ 170.102121][ T3296] can: request_module (can-proto-0) failed.
executing program
executing program
[ 183.030166][ T3142] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 183.042717][ T3142] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 183.046013][ T3142] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 184.229336][ T3142] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.

VM DIAGNOSIS:
15:47:40 Registers: