syzkaller login: [ 133.931566][ T3142] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 133.981867][ T3142] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 134.006921][ T3142] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:20362' (ECDSA) to the list of known hosts.
1970/01/01 00:02:35 fuzzer started
1970/01/01 00:02:40 connecting to host at localhost:38989
1970/01/01 00:02:40 checking machine...
1970/01/01 00:02:40 checking revisions...
1970/01/01 00:02:41 testing simple program...
executing program
executing program
[ 170.201340][ T3304] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 170.228954][ T3304] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
executing program
[ 172.849068][ T3304] device hsr_slave_0 entered promiscuous mode
[ 172.915177][ T3304] device hsr_slave_1 entered promiscuous mode
executing program
[ 174.710314][ T3304] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 174.827811][ T3304] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 174.912827][ T3304] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 175.012315][ T3304] netdevsim netdevsim0 netdevsim3: renamed from eth3
executing program
[ 177.801493][ T3304] 8021q: adding VLAN 0 to HW filter on device bond0
[ 177.922789][ T2116] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 177.947076][ T2116] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 179.829905][ T2119] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 179.861620][ T2119] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
executing program
[ 179.972915][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 179.991923][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 180.079437][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 180.227098][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 180.476331][ T3508] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 180.507244][ T3508] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 180.578288][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 180.602321][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 180.689487][ T3304] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 180.912597][ T3508] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 180.915669][ T3508] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
executing program
[ 184.137912][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 184.158119][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
executing program
[ 186.076744][ T3508] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 186.107930][ T3508] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 186.200361][ T3508] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 186.225398][ T3508] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 186.272739][ T3304] device veth0_vlan entered promiscuous mode
[ 186.437427][ T3304] device veth1_vlan entered promiscuous mode
[ 186.821906][ T3508] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 186.866319][ T3508] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 186.937731][ T3304] device veth0_macvtap entered promiscuous mode
[ 187.020169][ T3304] device veth1_macvtap entered promiscuous mode
[ 187.076371][ T3508] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 187.089829][ T3508] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 187.269085][ T2116] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 187.282189][ T2116] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 187.383376][ T2116] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 187.406474][ T2116] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 187.638340][ T3304] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 187.639885][ T3304] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 187.640350][ T3304] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 187.640768][ T3304] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 189.062961][ T3304] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
1970/01/01 00:03:08 building call list...
[ 190.628672][ T7] ------------[ cut here ]------------
[ 190.631005][ T7] hook not found, pf 3 num 0
[ 190.632432][ T7] WARNING: CPU: 1 PID: 7 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x17c/0x4f0
[ 190.638590][ T7] Modules linked in:
[ 190.639440][ T7] CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 5.12.0-syzkaller-13882-gd665ea6ea86c #0
[ 190.640487][ T7] Hardware name: linux,dummy-virt (DT)
[ 190.641894][ T7] Workqueue: netns cleanup_net
[ 190.642585][ T7] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
[ 190.643150][ T7] pc : __nf_unregister_net_hook+0x17c/0x4f0
[ 190.643604][ T7] lr : __nf_unregister_net_hook+0x17c/0x4f0
[ 190.646060][ T7] sp : ffff8000182279e0
[ 190.647894][ T7] x29: ffff8000182279e0 x28: 0000000000000003
[ 190.650475][ T7] x27: 0000000000000001 x26: ffff00000ae50f10
[ 190.653219][ T7] x25: 0000000000000007 x24: ffff0000140b491c
[ 190.655804][ T7] x23: ffff800017131120 x22: ffff00000ae50000
[ 190.658492][ T7] x21: 0000000000000001 x20: ffff00001003df20
[ 190.661026][ T7] x19: ffff0000140b4900 x18: ffff00006ab13b48
[ 190.662751][ T7] x17: 0000000000000000 x16: 0000000000000000
[ 190.665236][ T7] x15: ffff00006ab13b7c x14: 1ffff00003044e6a
[ 190.666260][ T7] x13: 0000000000000001 x12: ffff60000d562784
[ 190.666652][ T7] x11: 1fffe0000d562783 x10: ffff60000d562783
[ 190.667383][ T7] x9 : dfff800000000000 x8 : ffff00006ab13c1b
[ 190.668146][ T7] x7 : 0000000000000001 x6 : 00009ffff2a9d87d
[ 190.668575][ T7] x5 : ffff00006ab13c18 x4 : 1fffe00001134691
[ 190.669115][ T7] x3 : dfff800000000000 x2 : 0000000000000000
[ 190.669567][ T7] x1 : 0000000000000000 x0 : ffff0000089a3480
[ 190.670298][ T7] Call trace:
[ 190.670662][ T7] __nf_unregister_net_hook+0x17c/0x4f0
[ 190.670976][ T7] nf_unregister_net_hooks+0xd4/0x120
[ 190.671300][ T7] arpt_unregister_table_pre_exit+0x6c/0x8c
[ 190.671624][ T7] arptable_filter_net_pre_exit+0x20/0x2c
[ 190.671918][ T7] cleanup_net+0x328/0x820
[ 190.672303][ T7] process_one_work+0x798/0x1764
[ 190.672621][ T7] worker_thread+0x3d4/0xcd0
[ 190.672895][ T7] kthread+0x320/0x3bc
[ 190.673150][ T7] ret_from_fork+0x10/0x3c
[ 190.673683][ T7] irq event stamp: 184800
[ 190.674128][ T7] hardirqs last enabled at (184799): [] console_unlock+0x7f8/0xbf4
[ 190.674556][ T7] hardirqs last disabled at (184800): [] el1_dbg+0x24/0x80
[ 190.675135][ T7] softirqs last enabled at (184694): [] _stext+0x9e0/0x1084
[ 190.675571][ T7] softirqs last disabled at (184679): [] __irq_exit_rcu+0x494/0x550
[ 190.675966][ T7] ---[ end trace 6bed8bf797a1ca5c ]---
[ 190.941709][ T7] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 191.190261][ T7] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 191.398180][ T7] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 191.782577][ T7] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
executing program
executing program
[ 196.208870][ T7] device hsr_slave_0 left promiscuous mode
[ 196.289501][ T7] device hsr_slave_1 left promiscuous mode
[ 196.496445][ T7] device veth1_macvtap left promiscuous mode
[ 196.501801][ T7] device veth0_macvtap left promiscuous mode
[ 196.510290][ T7] device veth1_vlan left promiscuous mode
[ 196.512690][ T7] device veth0_vlan left promiscuous mode
executing program
executing program
[ 201.098077][ T7] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 201.260815][ T7] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 202.228780][ T7] bond0 (unregistering): Released all slaves
executing program
[ 204.788765][ T7] ==================================================================
[ 204.789822][ T7] BUG: KASAN: use-after-free in hooks_validate+0x164/0x1ac
[ 204.790310][ T7] Read of size 4 at addr ffff00001003d148 by task kworker/u4:0/7
[ 204.790650][ T7]
[ 204.791199][ T7] CPU: 1 PID: 7 Comm: kworker/u4:0 Tainted: G W 5.12.0-syzkaller-13882-gd665ea6ea86c #0
[ 204.791649][ T7] Hardware name: linux,dummy-virt (DT)
[ 204.791960][ T7] Workqueue: netns cleanup_net
[ 204.792430][ T7] Call trace:
[ 204.792677][ T7] dump_backtrace+0x0/0x3e0
[ 204.792977][ T7] show_stack+0x18/0x24
[ 204.793259][ T7] dump_stack+0x120/0x1a8
[ 204.793545][ T7] print_address_description.constprop.0+0x2c/0x300
[ 204.793898][ T7] kasan_report+0x1ec/0x200
[ 204.795904][ T7] __asan_report_load4_noabort+0x34/0x60
[ 204.798245][ T7] hooks_validate+0x164/0x1ac
[ 204.800307][ T7] __nf_hook_entries_try_shrink+0x1d4/0x2c4
[ 204.801208][ T7] __nf_unregister_net_hook+0x240/0x4f0
[ 204.803116][ T7] nf_unregister_net_hook+0xb8/0x100
[ 204.805174][ T7] clusterip_net_exit+0x13c/0x204
[ 204.806987][ T7] ops_exit_list+0x78/0x124
[ 204.807317][ T7] cleanup_net+0x3a4/0x820
[ 204.807648][ T7] process_one_work+0x798/0x1764
[ 204.807957][ T7] worker_thread+0x3d4/0xcd0
[ 204.808238][ T7] kthread+0x320/0x3bc
[ 204.808519][ T7] ret_from_fork+0x10/0x3c
[ 204.808959][ T7]
[ 204.809333][ T7] Allocated by task 3290:
[ 204.809767][ T7] kasan_save_stack+0x28/0x60
[ 204.810124][ T7] __kasan_kmalloc+0x8c/0xb0
[ 204.810403][ T7] kmem_cache_alloc_trace+0x254/0x490
[ 204.810705][ T7] selinux_sk_alloc_security+0x84/0x1b0
[ 204.811020][ T7] security_sk_alloc+0x60/0xc0
[ 204.811314][ T7] sk_prot_alloc+0x16c/0x224
[ 204.811635][ T7] sk_alloc+0x38/0x8ec
[ 204.811927][ T7] unix_create1+0xf4/0x4bc
[ 204.812216][ T7] unix_create+0xc4/0x1f0
[ 204.812496][ T7] __sock_create+0x2c8/0x570
[ 204.812790][ T7] __sys_socket+0xcc/0x1b0
[ 204.813094][ T7] __arm64_sys_socket+0x6c/0xa0
[ 204.813398][ T7] invoke_syscall+0x6c/0x260
[ 204.813695][ T7] el0_svc_common.constprop.0+0xc4/0x1e4
[ 204.813999][ T7] do_el0_svc+0xa4/0xd0
[ 204.814296][ T7] el0_svc+0x24/0x3c
[ 204.814586][ T7] el0_sync_handler+0x1a4/0x1b0
[ 204.814867][ T7] el0_sync+0x18c/0x1c0
[ 204.815257][ T7]
[ 204.815585][ T7] Freed by task 7:
[ 204.815870][ T7] kasan_save_stack+0x28/0x60
[ 204.816235][ T7] kasan_set_track+0x28/0x40
[ 204.816528][ T7] kasan_set_free_info+0x28/0x50
[ 204.816833][ T7] __kasan_slab_free+0xfc/0x150
[ 204.817135][ T7] slab_free_freelist_hook+0x140/0x264
[ 204.817431][ T7] kfree+0x154/0x7d0
[ 204.817698][ T7] xt_unregister_table+0x1cc/0x2ec
[ 204.818005][ T7] __arpt_unregister_table+0x44/0x1b4
[ 204.818320][ T7] arpt_unregister_table+0x30/0x40
[ 204.818621][ T7] arptable_filter_net_exit+0x18/0x24
[ 204.818938][ T7] ops_exit_list+0x78/0x124
[ 204.819225][ T7] cleanup_net+0x3a4/0x820
[ 204.823969][ T7] process_one_work+0x798/0x1764
[ 204.826063][ T7] worker_thread+0x3d4/0xcd0
[ 204.827317][ T7] kthread+0x320/0x3bc
[ 204.828885][ T7] ret_from_fork+0x10/0x3c
[ 204.830217][ T7]
[ 204.831059][ T7] The buggy address belongs to the object at ffff00001003d100
[ 204.831059][ T7] which belongs to the cache kmalloc-128 of size 128
[ 204.834325][ T7] The buggy address is located 72 bytes inside of
[ 204.834325][ T7] 128-byte region [ffff00001003d100, ffff00001003d180)
[ 204.836324][ T7] The buggy address belongs to the page:
[ 204.837137][ T7] page:000000009be976b6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5003d
[ 204.838127][ T7] flags: 0x1ffc00000000200(slab|node=0|zone=0|lastcpupid=0x7ff)
[ 204.839240][ T7] raw: 01ffc00000000200 0000000000000000 0000000700000001 ffff000008802300
[ 204.839776][ T7] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 204.840307][ T7] page dumped because: kasan: bad access detected
[ 204.840752][ T7]
[ 204.841017][ T7] Memory state around the buggy address:
[ 204.841653][ T7] ffff00001003d000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 204.842238][ T7] ffff00001003d080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 204.842783][ T7] >ffff00001003d100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 204.843152][ T7] ^
[ 204.843656][ T7] ffff00001003d180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 204.844156][ T7] ffff00001003d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 204.844695][ T7] ==================================================================
[ 204.845141][ T7] Disabling lock debugging due to kernel taint
[ 206.087123][ T3293] can: request_module (can-proto-0) failed.
[ 206.219082][ T3293] can: request_module (can-proto-0) failed.
[ 206.331115][ T3293] can: request_module (can-proto-0) failed.
executing program
executing program
executing program
VM DIAGNOSIS:
01:28:05 Registers: