syzkaller login: [ 150.247006][ T3141] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 150.260453][ T3141] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 150.307966][ T3141] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:60311' (ECDSA) to the list of known hosts.
1970/01/01 00:02:53 fuzzer started
1970/01/01 00:02:57 connecting to host at localhost:32885
1970/01/01 00:02:58 checking machine...
1970/01/01 00:02:58 checking revisions...
1970/01/01 00:02:58 testing simple program...
executing program
executing program
[ 188.743450][ T3303] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 188.777208][ T3303] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
executing program
[ 191.707746][ T3303] device hsr_slave_0 entered promiscuous mode
[ 191.768069][ T3303] device hsr_slave_1 entered promiscuous mode
executing program
[ 194.041474][ T3303] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 194.155922][ T3303] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 194.282830][ T3303] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 194.373144][ T3303] netdevsim netdevsim0 netdevsim3: renamed from eth3
executing program
[ 197.306225][ T3303] 8021q: adding VLAN 0 to HW filter on device bond0
[ 197.477132][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 197.508533][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
executing program
[ 199.186908][ T3427] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 199.218804][ T3427] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 199.326072][ T25] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 199.341657][ T25] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 199.446596][ T25] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 199.530802][ T25] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 199.750999][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 199.769792][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 199.878087][ T25] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 199.909074][ T25] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 200.007584][ T3303] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 200.558295][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 200.560240][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
executing program
[ 204.212595][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 204.261351][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
executing program
[ 206.240124][ T3427] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 206.253069][ T3427] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 206.316580][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 206.340705][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 206.391126][ T3303] device veth0_vlan entered promiscuous mode
[ 206.582956][ T3303] device veth1_vlan entered promiscuous mode
[ 207.061561][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 207.070989][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 207.147436][ T3303] device veth0_macvtap entered promiscuous mode
[ 207.247059][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 207.314300][ T3303] device veth1_macvtap entered promiscuous mode
executing program
[ 207.569921][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 207.579117][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 207.701343][ T3427] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 207.710971][ T3427] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 207.793007][ T3303] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 207.816440][ T3303] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 207.817215][ T3303] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 207.817748][ T3303] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 209.180677][ T3303] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
executing program
1970/01/01 00:03:28 building call list...
[ 210.822303][ T28] ------------[ cut here ]------------
[ 210.830228][ T28] hook not found, pf 3 num 0
[ 210.831809][ T28] WARNING: CPU: 0 PID: 28 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x17c/0x4f0
[ 210.832770][ T28] Modules linked in:
[ 210.833681][ T28] CPU: 0 PID: 28 Comm: kworker/u4:2 Not tainted 5.12.0-syzkaller-13670-g5e321ded302d #0
[ 210.834185][ T28] Hardware name: linux,dummy-virt (DT)
[ 210.836245][ T28] Workqueue: netns cleanup_net
[ 210.837565][ T28] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
[ 210.837985][ T28] pc : __nf_unregister_net_hook+0x17c/0x4f0
[ 210.838808][ T28] lr : __nf_unregister_net_hook+0x17c/0x4f0
[ 210.839164][ T28] sp : ffff8000183679e0
[ 210.839534][ T28] x29: ffff8000183679e0 x28: 0000000000000003
[ 210.840118][ T28] x27: 0000000000000001 x26: ffff000014af8f10
[ 210.840570][ T28] x25: 0000000000000007 x24: ffff000013775c1c
[ 210.841054][ T28] x23: ffff80001711f9a0 x22: ffff000014af8000
[ 210.841495][ T28] x21: 0000000000000001 x20: ffff000013f8dc20
[ 210.841937][ T28] x19: ffff000013775c00 x18: ffff00006ab03b48
[ 210.842512][ T28] x17: 0000000000000000 x16: 0000000000000000
[ 210.842981][ T28] x15: ffff00006ab03b7c x14: 1ffff0000306ce6a
[ 210.843640][ T28] x13: 0000000000000001 x12: ffff60000d562697
[ 210.844279][ T28] x11: 1fffe0000d562696 x10: ffff60000d562696
[ 210.844786][ T28] x9 : dfff800000000000 x8 : ffff00006ab134b7
[ 210.845382][ T28] x7 : 0000000000000001 x6 : 00009ffff2a9d96a
[ 210.845854][ T28] x5 : ffff00006ab134b0 x4 : 1fffe00001207691
[ 210.846354][ T28] x3 : dfff800000000000 x2 : 0000000000000000
[ 210.846827][ T28] x1 : 0000000000000000 x0 : ffff00000903b480
[ 210.847632][ T28] Call trace:
[ 210.848003][ T28] __nf_unregister_net_hook+0x17c/0x4f0
[ 210.848408][ T28] nf_unregister_net_hooks+0xd4/0x120
[ 210.849049][ T28] arpt_unregister_table_pre_exit+0x6c/0x8c
[ 210.849605][ T28] arptable_filter_net_pre_exit+0x20/0x2c
[ 210.850039][ T28] cleanup_net+0x328/0x820
[ 210.850367][ T28] process_one_work+0x798/0x1764
[ 210.850970][ T28] worker_thread+0x3d4/0xcd0
[ 210.851362][ T28] kthread+0x320/0x3bc
[ 210.852071][ T28] ret_from_fork+0x10/0x3c
[ 210.852915][ T28] irq event stamp: 70046
[ 210.854775][ T28] hardirqs last enabled at (70045): [] console_unlock+0x7f8/0xbf4
[ 210.858856][ T28] hardirqs last disabled at (70046): [] el1_dbg+0x24/0x80
[ 210.859829][ T28] softirqs last enabled at (70036): [] _stext+0x9e0/0x1084
[ 210.860440][ T28] softirqs last disabled at (69907): [] __irq_exit_rcu+0x494/0x550
[ 210.860978][ T28] ---[ end trace a31cfc186c763318 ]---
[ 211.179074][ T28] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 211.468567][ T28] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 211.862345][ T28] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 212.266951][ T28] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 216.458439][ T28] device hsr_slave_0 left promiscuous mode
[ 216.538615][ T28] device hsr_slave_1 left promiscuous mode
executing program
[ 216.771832][ T28] device veth1_macvtap left promiscuous mode
[ 216.776864][ T28] device veth0_macvtap left promiscuous mode
[ 216.784377][ T28] device veth1_vlan left promiscuous mode
[ 216.798466][ T28] device veth0_vlan left promiscuous mode
executing program
[ 222.202474][ T28] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
executing program
[ 222.402970][ T28] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 223.589739][ T28] bond0 (unregistering): Released all slaves
executing program
[ 226.205340][ T28] ==================================================================
[ 226.209422][ T28] BUG: KASAN: use-after-free in hooks_validate+0x164/0x1ac
[ 226.212169][ T28] Read of size 4 at addr ffff000013f8db48 by task kworker/u4:2/28
[ 226.215042][ T28]
[ 226.216780][ T28] CPU: 1 PID: 28 Comm: kworker/u4:2 Tainted: G W 5.12.0-syzkaller-13670-g5e321ded302d #0
[ 226.221290][ T28] Hardware name: linux,dummy-virt (DT)
[ 226.222990][ T28] Workqueue: netns cleanup_net
[ 226.225520][ T28] Call trace:
[ 226.226921][ T28] dump_backtrace+0x0/0x3e0
[ 226.228872][ T28] show_stack+0x18/0x24
[ 226.229968][ T28] dump_stack+0x120/0x1a8
[ 226.230411][ T28] print_address_description.constprop.0+0x2c/0x300
[ 226.230841][ T28] kasan_report+0x1ec/0x200
[ 226.231210][ T28] __asan_report_load4_noabort+0x34/0x60
[ 226.233825][ T28] hooks_validate+0x164/0x1ac
[ 226.235865][ T28] __nf_hook_entries_try_shrink+0x1d4/0x2c4
[ 226.238489][ T28] __nf_unregister_net_hook+0x240/0x4f0
[ 226.238984][ T28] nf_unregister_net_hook+0xb8/0x100
[ 226.239327][ T28] clusterip_net_exit+0x13c/0x204
[ 226.239857][ T28] ops_exit_list+0x78/0x124
[ 226.240178][ T28] cleanup_net+0x3a4/0x820
[ 226.240531][ T28] process_one_work+0x798/0x1764
[ 226.240929][ T28] worker_thread+0x3d4/0xcd0
[ 226.241265][ T28] kthread+0x320/0x3bc
[ 226.241594][ T28] ret_from_fork+0x10/0x3c
[ 226.242268][ T28]
[ 226.242678][ T28] Allocated by task 0:
[ 226.243013][ T28] (stack is not available)
[ 226.243343][ T28]
[ 226.243792][ T28] Freed by task 28:
[ 226.244336][ T28] kasan_save_stack+0x28/0x60
[ 226.244778][ T28] kasan_set_track+0x28/0x40
[ 226.245189][ T28] kasan_set_free_info+0x28/0x50
[ 226.245536][ T28] __kasan_slab_free+0xfc/0x150
[ 226.245869][ T28] slab_free_freelist_hook+0x140/0x264
[ 226.246223][ T28] kfree+0x154/0x7d0
[ 226.246547][ T28] xt_unregister_table+0x1cc/0x2ec
[ 226.246904][ T28] __arpt_unregister_table+0x44/0x1b4
[ 226.247248][ T28] arpt_unregister_table+0x30/0x40
[ 226.247599][ T28] arptable_filter_net_exit+0x18/0x24
[ 226.247950][ T28] ops_exit_list+0x78/0x124
[ 226.248276][ T28] cleanup_net+0x3a4/0x820
[ 226.248636][ T28] process_one_work+0x798/0x1764
[ 226.249000][ T28] worker_thread+0x3d4/0xcd0
[ 226.249336][ T28] kthread+0x320/0x3bc
[ 226.249659][ T28] ret_from_fork+0x10/0x3c
[ 226.250062][ T28]
[ 226.250354][ T28] The buggy address belongs to the object at ffff000013f8db00
[ 226.250354][ T28] which belongs to the cache kmalloc-128 of size 128
[ 226.250967][ T28] The buggy address is located 72 bytes inside of
[ 226.250967][ T28] 128-byte region [ffff000013f8db00, ffff000013f8db80)
[ 226.251540][ T28] The buggy address belongs to the page:
[ 226.253759][ T28] page:0000000042327ccf refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x53f8d
[ 226.258576][ T28] flags: 0x1ffc00000000200(slab|node=0|zone=0|lastcpupid=0x7ff)
[ 226.260836][ T28] raw: 01ffc00000000200 dead000000000100 dead000000000122 ffff000008802300
[ 226.261283][ T28] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 226.261766][ T28] page dumped because: kasan: bad access detected
[ 226.262257][ T28]
[ 226.262560][ T28] Memory state around the buggy address:
[ 226.263209][ T28] ffff000013f8da00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 226.264087][ T28] ffff000013f8da80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 226.264883][ T28] >ffff000013f8db00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 226.265478][ T28] ^
[ 226.266085][ T28] ffff000013f8db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 226.266590][ T28] ffff000013f8dc00: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 226.267265][ T28] ==================================================================
[ 226.267822][ T28] Disabling lock debugging due to kernel taint
executing program
[ 229.557777][ T3294] can: request_module (can-proto-0) failed.
[ 229.674303][ T3294] can: request_module (can-proto-0) failed.
[ 229.786665][ T3294] can: request_module (can-proto-0) failed.
executing program
executing program
executing program

VM DIAGNOSIS:
23:06:18 Registers: