syzkaller login: [ 127.738272][ T3142] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 127.762247][ T3142] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 127.792297][ T3142] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:54748' (ECDSA) to the list of known hosts.
1970/01/01 00:02:32 fuzzer started
1970/01/01 00:02:36 connecting to host at localhost:38917
1970/01/01 00:02:36 checking machine...
1970/01/01 00:02:36 checking revisions...
1970/01/01 00:02:37 testing simple program...
executing program
executing program
[ 166.309864][ T3304] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 166.340480][ T3304] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
executing program
[ 168.681116][ T3304] device hsr_slave_0 entered promiscuous mode
[ 168.751351][ T3304] device hsr_slave_1 entered promiscuous mode
executing program
[ 170.418928][ T3304] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 170.502550][ T3304] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 170.596076][ T3304] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 170.688968][ T3304] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 173.075104][ T3304] 8021q: adding VLAN 0 to HW filter on device bond0
[ 173.214342][ T3496] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 173.256092][ T3496] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
executing program
[ 174.771785][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 174.781222][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 174.863045][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 174.871885][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 174.952427][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 175.004566][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 175.186396][ T3496] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 175.201785][ T3496] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 175.270674][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 175.288610][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 175.360567][ T3304] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 175.686757][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 175.690641][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
executing program
[ 179.016161][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 179.038107][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
executing program
[ 180.918159][ T3496] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 180.949517][ T3496] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 180.971304][ T3496] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 181.011512][ T3496] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 181.103232][ T3304] device veth0_vlan entered promiscuous mode
[ 181.269153][ T3304] device veth1_vlan entered promiscuous mode
[ 181.607364][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 181.625591][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 181.686867][ T3304] device veth0_macvtap entered promiscuous mode
[ 181.805988][ T3304] device veth1_macvtap entered promiscuous mode
[ 181.930601][ T3510] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 181.948751][ T3510] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 182.132943][ T3529] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 182.147731][ T3529] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 182.246228][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 182.271318][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 182.389165][ T3304] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 182.390516][ T3304] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 182.391045][ T3304] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 182.391539][ T3304] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 183.510810][ T3304] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
1970/01/01 00:03:03 building call list...
[ 184.979296][ T7] ------------[ cut here ]------------
[ 184.980526][ T7] hook not found, pf 3 num 0
[ 184.982035][ T7] WARNING: CPU: 0 PID: 7 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x17c/0x4f0
[ 184.982910][ T7] Modules linked in:
[ 184.983680][ T7] CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 5.12.0-syzkaller-14380-g8404c9fbc84b #0
[ 184.984235][ T7] Hardware name: linux,dummy-virt (DT)
[ 184.986278][ T7] Workqueue: netns cleanup_net
[ 184.987511][ T7] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
[ 184.987984][ T7] pc : __nf_unregister_net_hook+0x17c/0x4f0
[ 184.988376][ T7] lr : __nf_unregister_net_hook+0x17c/0x4f0
[ 184.988822][ T7] sp : ffff8000182279e0
[ 184.989148][ T7] x29: ffff8000182279e0 x28: 0000000000000003
[ 184.989782][ T7] x27: 0000000000000001 x26: ffff00000b188f10
[ 184.990234][ T7] x25: 0000000000000007 x24: ffff0000141c641c
[ 184.990723][ T7] x23: ffff800017132f20 x22: ffff00000b188000
[ 184.991178][ T7] x21: 0000000000000001 x20: ffff000009371720
[ 184.991615][ T7] x19: ffff0000141c6400 x18: 0000000000000000
[ 184.992063][ T7] x17: 0000000000000000 x16: 0000000000000000
[ 184.992561][ T7] x15: 0000000000000000 x14: 1ffff00003044e6a
[ 184.992992][ T7] x13: 0000000000000001 x12: ffff60000d55e384
[ 184.993694][ T7] x11: 1fffe0000d55e383 x10: ffff60000d55e383
[ 184.994120][ T7] x9 : dfff800000000000 x8 : ffff00006aaf1c1b
[ 184.994882][ T7] x7 : 0000000000000001 x6 : 00009ffff2aa1c7d
[ 184.997070][ T7] x5 : ffff00006aaf1c18 x4 : 1fffe00001134691
[ 184.997908][ T7] x3 : dfff800000000000 x2 : 0000000000000000
[ 184.998459][ T7] x1 : 0000000000000000 x0 : ffff0000089a3480
[ 184.999309][ T7] Call trace:
[ 184.999652][ T7] __nf_unregister_net_hook+0x17c/0x4f0
[ 185.000004][ T7] nf_unregister_net_hooks+0xd4/0x120
[ 185.000424][ T7] arpt_unregister_table_pre_exit+0x6c/0x8c
[ 185.000747][ T7] arptable_filter_net_pre_exit+0x20/0x2c
[ 185.001063][ T7] cleanup_net+0x328/0x820
[ 185.001345][ T7] process_one_work+0x798/0x1764
[ 185.001682][ T7] worker_thread+0x3d4/0xcd0
[ 185.002074][ T7] kthread+0x320/0x3bc
[ 185.002382][ T7] ret_from_fork+0x10/0x3c
[ 185.002891][ T7] irq event stamp: 236966
[ 185.004502][ T7] hardirqs last enabled at (236965): [] console_unlock+0x7f8/0xbf4
[ 185.005969][ T7] hardirqs last disabled at (236966): [] el1_dbg+0x24/0x80
[ 185.006497][ T7] softirqs last enabled at (236938): [] _stext+0x9e0/0x1084
[ 185.006991][ T7] softirqs last disabled at (236923): [] __irq_exit_rcu+0x494/0x550
[ 185.009465][ T7] ---[ end trace 69e8a8fedffe8ac9 ]---
[ 185.281143][ T7] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 185.562358][ T7] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 185.772038][ T7] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 186.048858][ T7] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 190.517718][ T7] device hsr_slave_0 left promiscuous mode
[ 190.589239][ T7] device hsr_slave_1 left promiscuous mode
[ 190.806088][ T7] device veth1_macvtap left promiscuous mode
[ 190.808544][ T7] device veth0_macvtap left promiscuous mode
[ 190.811837][ T7] device veth1_vlan left promiscuous mode
[ 190.838393][ T7] device veth0_vlan left promiscuous mode
executing program
executing program
[ 196.079484][ T7] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 196.388526][ T7] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
executing program
[ 197.410444][ T7] bond0 (unregistering): Released all slaves
[ 200.002671][ T7] ==================================================================
[ 200.003910][ T7] BUG: KASAN: use-after-free in hooks_validate+0x164/0x1ac
[ 200.004492][ T7] Read of size 4 at addr ffff000009371648 by task kworker/u4:0/7
[ 200.004943][ T7]
[ 200.005505][ T7] CPU: 0 PID: 7 Comm: kworker/u4:0 Tainted: G W 5.12.0-syzkaller-14380-g8404c9fbc84b #0
[ 200.006056][ T7] Hardware name: linux,dummy-virt (DT)
[ 200.006499][ T7] Workqueue: netns cleanup_net
[ 200.006986][ T7] Call trace:
[ 200.007241][ T7] dump_backtrace+0x0/0x3e0
[ 200.007766][ T7] show_stack+0x18/0x24
[ 200.008288][ T7] dump_stack+0x120/0x1a8
[ 200.008668][ T7] print_address_description.constprop.0+0x2c/0x300
[ 200.009041][ T7] kasan_report+0x1ec/0x200
[ 200.009374][ T7] __asan_report_load4_noabort+0x34/0x60
[ 200.009765][ T7] hooks_validate+0x164/0x1ac
[ 200.010109][ T7] __nf_hook_entries_try_shrink+0x1d4/0x2c4
[ 200.010528][ T7] __nf_unregister_net_hook+0x240/0x4f0
[ 200.010874][ T7] nf_unregister_net_hook+0xb8/0x100
[ 200.011218][ T7] clusterip_net_exit+0x13c/0x204
[ 200.011566][ T7] ops_exit_list+0x78/0x124
[ 200.011906][ T7] cleanup_net+0x3a4/0x820
[ 200.012248][ T7] process_one_work+0x798/0x1764
[ 200.012592][ T7] worker_thread+0x3d4/0xcd0
[ 200.012894][ T7] kthread+0x320/0x3bc
[ 200.013284][ T7] ret_from_fork+0x10/0x3c
[ 200.014001][ T7]
[ 200.014380][ T7] Allocated by task 0:
[ 200.014772][ T7] (stack is not available)
[ 200.015075][ T7]
[ 200.015357][ T7] Freed by task 7:
[ 200.015772][ T7] kasan_save_stack+0x28/0x60
[ 200.016124][ T7] kasan_set_track+0x28/0x40
[ 200.016467][ T7] kasan_set_free_info+0x28/0x50
[ 200.016790][ T7] __kasan_slab_free+0xfc/0x150
[ 200.017128][ T7] slab_free_freelist_hook+0x140/0x264
[ 200.017556][ T7] kfree+0x154/0x7d0
[ 200.017974][ T7] xt_unregister_table+0x1cc/0x2ec
[ 200.018324][ T7] __arpt_unregister_table+0x44/0x1b4
[ 200.018696][ T7] arpt_unregister_table+0x30/0x40
[ 200.019093][ T7] arptable_filter_net_exit+0x18/0x24
[ 200.019443][ T7] ops_exit_list+0x78/0x124
[ 200.019752][ T7] cleanup_net+0x3a4/0x820
[ 200.020051][ T7] process_one_work+0x798/0x1764
[ 200.020379][ T7] worker_thread+0x3d4/0xcd0
[ 200.020679][ T7] kthread+0x320/0x3bc
[ 200.020952][ T7] ret_from_fork+0x10/0x3c
[ 200.021302][ T7]
[ 200.021645][ T7] The buggy address belongs to the object at ffff000009371600
[ 200.021645][ T7] which belongs to the cache kmalloc-128 of size 128
[ 200.022318][ T7] The buggy address is located 72 bytes inside of
[ 200.022318][ T7] 128-byte region [ffff000009371600, ffff000009371680)
[ 200.022886][ T7] The buggy address belongs to the page:
[ 200.023623][ T7] page:00000000c3227c8b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x49371
[ 200.024581][ T7] flags: 0x1ffc00000000200(slab|node=0|zone=0|lastcpupid=0x7ff)
[ 200.025699][ T7] raw: 01ffc00000000200 dead000000000100 dead000000000122 ffff000008802300
[ 200.026161][ T7] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 200.026638][ T7] page dumped because: kasan: bad access detected
[ 200.027089][ T7]
[ 200.027357][ T7] Memory state around the buggy address:
[ 200.028069][ T7] ffff000009371500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 200.028527][ T7] ffff000009371580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 200.028910][ T7] >ffff000009371600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 200.029312][ T7] ^
[ 200.029803][ T7] ffff000009371680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 200.030181][ T7] ffff000009371700: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 200.030772][ T7]
==================================================================
[ 200.031204][ T7] Disabling lock debugging due to kernel taint
executing program
[ 202.164894][ T3296] can: request_module (can-proto-0) failed.
[ 202.305034][ T3296] can: request_module (can-proto-0) failed.
[ 202.446512][ T3296] can: request_module (can-proto-0) failed.
executing program
executing program
executing program
VM DIAGNOSIS:
22:18:01 Registers: