syzkaller login: [ 114.408826][ T3141] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 114.427174][ T3141] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 114.435565][ T3141] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:41749' (ECDSA) to the list of known hosts.
1970/01/01 00:02:13 fuzzer started
1970/01/01 00:02:18 connecting to host at localhost:41807
1970/01/01 00:02:19 checking machine...
1970/01/01 00:02:19 checking revisions...
1970/01/01 00:02:19 testing simple program...
executing program
executing program
[ 147.216939][ T3303] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 147.280610][ T3303] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 149.126075][ T3303] device hsr_slave_0 entered promiscuous mode
[ 149.176569][ T3303] device hsr_slave_1 entered promiscuous mode
executing program
[ 150.776334][ T3303] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 150.914385][ T3303] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 150.980796][ T3303] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 151.059849][ T3303] netdevsim netdevsim0 netdevsim3: renamed from eth3
executing program
[ 153.303965][ T3303] 8021q: adding VLAN 0 to HW filter on device bond0
[ 153.514312][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 153.540081][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 154.868676][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 154.877580][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 154.977551][ T3507] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 154.989073][ T3507] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 155.065393][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 155.132917][ T3507] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 155.343703][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 155.365037][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
executing program
[ 155.438039][ T3507] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 155.453458][ T3507] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 155.535806][ T3303] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 155.758803][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 155.760126][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 158.108161][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 158.126556][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
executing program
[ 159.387961][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 159.410328][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 159.464262][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 159.470721][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 159.502463][ T3303] device veth0_vlan entered promiscuous mode
[ 159.629408][ T3303] device veth1_vlan entered promiscuous mode
[ 159.916668][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 159.930216][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 159.987301][ T3303] device veth0_macvtap entered promiscuous mode
[ 160.038894][ T3303] device veth1_macvtap entered promiscuous mode
[ 160.207124][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 160.215633][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 160.235295][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 160.247190][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 160.324545][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 160.339092][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 160.408151][ T3303] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 160.409467][ T3303] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 160.409971][ T3303] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 160.410454][ T3303] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 161.439179][ T3303] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
1970/01/01 00:02:41 building call list...
[ 162.866750][ T7] ------------[ cut here ]------------
[ 162.867569][ T7] hook not found, pf 3 num 0
[ 162.869036][ T7] WARNING: CPU: 1 PID: 7 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x17c/0x4f0
[ 162.869845][ T7] Modules linked in:
[ 162.870553][ T7] CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 5.12.0-syzkaller-13670-g5e321ded302d #0
[ 162.871221][ T7] Hardware name: linux,dummy-virt (DT)
[ 162.872308][ T7] Workqueue: netns cleanup_net
[ 162.873957][ T7] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
[ 162.874408][ T7] pc : __nf_unregister_net_hook+0x17c/0x4f0
[ 162.874829][ T7] lr : __nf_unregister_net_hook+0x17c/0x4f0
[ 162.875225][ T7] sp : ffff8000182179e0
[ 162.875516][ T7] x29: ffff8000182179e0 x28: 0000000000000003
[ 162.876084][ T7] x27: 0000000000000001 x26: ffff00000aec0f10
[ 162.876423][ T7] x25: 0000000000000007 x24: ffff00001427ed1c
[ 162.876732][ T7] x23: ffff80001711f9a0 x22: ffff00000aec0000
[ 162.877015][ T7] x21: 0000000000000001 x20: ffff00000922f720
[ 162.877331][ T7] x19: ffff00001427ed00 x18: ffff00006ab25b48
[ 162.877686][ T7] x17: 0000000000000000 x16: 0000000000000000
[ 162.878006][ T7] x15: ffff00006ab25b7c x14: 1ffff00003042e6a
[ 162.878341][ T7] x13: 0000000000000001 x12: ffff60000d564b84
[ 162.878644][ T7] x11: 1fffe0000d564b83 x10: ffff60000d564b83
[ 162.878981][ T7] x9 : dfff800000000000 x8 : ffff00006ab25c1b
[ 162.879359][ T7] x7 : 0000000000000001 x6 : 00009ffff2a9b47d
[ 162.879639][ T7] x5 : ffff00006ab25c18 x4 : 1fffe00001134691
[ 162.879947][ T7] x3 : dfff800000000000 x2 : 0000000000000000
[ 162.880263][ T7] x1 : 0000000000000000 x0 : ffff0000089a3480
[ 162.880809][ T7] Call trace:
[ 162.881092][ T7] __nf_unregister_net_hook+0x17c/0x4f0
[ 162.881473][ T7] nf_unregister_net_hooks+0xd4/0x120
[ 162.881758][ T7] arpt_unregister_table_pre_exit+0x6c/0x8c
[ 162.882288][ T7] arptable_filter_net_pre_exit+0x20/0x2c
[ 162.882504][ T7] cleanup_net+0x328/0x820
[ 162.882713][ T7] process_one_work+0x798/0x1764
[ 162.882965][ T7] worker_thread+0x3d4/0xcd0
[ 162.883183][ T7] kthread+0x320/0x3bc
[ 162.883394][ T7] ret_from_fork+0x10/0x3c
[ 162.883791][ T7] irq event stamp: 86754
[ 162.884029][ T7] hardirqs last enabled at (86753): [] console_unlock+0x7f8/0xbf4
[ 162.884376][ T7] hardirqs last disabled at (86754): [] el1_dbg+0x24/0x80
[ 162.884683][ T7] softirqs last enabled at (86670): [] _stext+0x9e0/0x1084
[ 162.885004][ T7] softirqs last disabled at (86663): [] __irq_exit_rcu+0x494/0x550
[ 162.885366][ T7] ---[ end trace 751e85464532e34f ]---
[ 163.194399][ T7] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 163.518188][ T7] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 163.756301][ T7] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 164.025272][ T7] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
executing program
executing program
[ 167.897406][ T7] device hsr_slave_0 left promiscuous mode
[ 167.956804][ T7] device hsr_slave_1 left promiscuous mode
[ 168.158146][ T7] device veth1_macvtap left promiscuous mode
[ 168.160502][ T7] device veth0_macvtap left promiscuous mode
[ 168.169909][ T7] device veth1_vlan left promiscuous mode
[ 168.182132][ T7] device veth0_vlan left promiscuous mode
executing program
[ 172.815504][ T7] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 173.049023][ T7] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
executing program
[ 174.034186][ T7] bond0 (unregistering): Released all slaves
executing program
[ 176.405658][ T7] ==================================================================
[ 176.406925][ T7] BUG: KASAN: use-after-free in hooks_validate+0x164/0x1ac
[ 176.407422][ T7] Read of size 4 at addr ffff00000922f648 by task kworker/u4:0/7
[ 176.407846][ T7]
[ 176.408467][ T7] CPU: 0 PID: 7 Comm: kworker/u4:0 Tainted: G W 5.12.0-syzkaller-13670-g5e321ded302d #0
[ 176.408970][ T7] Hardware name: linux,dummy-virt (DT)
[ 176.409320][ T7] Workqueue: netns cleanup_net
[ 176.409829][ T7] Call trace:
[ 176.410119][ T7] dump_backtrace+0x0/0x3e0
[ 176.410464][ T7] show_stack+0x18/0x24
[ 176.410788][ T7] dump_stack+0x120/0x1a8
[ 176.411227][ T7] print_address_description.constprop.0+0x2c/0x300
[ 176.411627][ T7] kasan_report+0x1ec/0x200
[ 176.412098][ T7] __asan_report_load4_noabort+0x34/0x60
[ 176.412514][ T7] hooks_validate+0x164/0x1ac
[ 176.412873][ T7] __nf_hook_entries_try_shrink+0x1d4/0x2c4
[ 176.413241][ T7] __nf_unregister_net_hook+0x240/0x4f0
[ 176.413627][ T7] nf_unregister_net_hook+0xb8/0x100
[ 176.413989][ T7] clusterip_net_exit+0x13c/0x204
[ 176.414351][ T7] ops_exit_list+0x78/0x124
[ 176.414663][ T7] cleanup_net+0x3a4/0x820
[ 176.414978][ T7] process_one_work+0x798/0x1764
[ 176.415309][ T7] worker_thread+0x3d4/0xcd0
[ 176.415628][ T7] kthread+0x320/0x3bc
[ 176.415944][ T7] ret_from_fork+0x10/0x3c
[ 176.416408][ T7]
[ 176.416862][ T7] Allocated by task 0:
[ 176.417202][ T7] (stack is not available)
[ 176.417540][ T7]
[ 176.418161][ T7] Freed by task 7:
[ 176.418653][ T7] kasan_save_stack+0x28/0x60
[ 176.419065][ T7] kasan_set_track+0x28/0x40
[ 176.419394][ T7] kasan_set_free_info+0x28/0x50
[ 176.419698][ T7] __kasan_slab_free+0xfc/0x150
[ 176.420012][ T7] slab_free_freelist_hook+0x140/0x264
[ 176.420331][ T7] kfree+0x154/0x7d0
[ 176.420627][ T7] xt_unregister_table+0x1cc/0x2ec
[ 176.420992][ T7] __arpt_unregister_table+0x44/0x1b4
[ 176.421518][ T7] arpt_unregister_table+0x30/0x40
[ 176.421893][ T7] arptable_filter_net_exit+0x18/0x24
[ 176.422272][ T7] ops_exit_list+0x78/0x124
[ 176.422609][ T7] cleanup_net+0x3a4/0x820
[ 176.422922][ T7] process_one_work+0x798/0x1764
[ 176.423273][ T7] worker_thread+0x3d4/0xcd0
[ 176.423589][ T7] kthread+0x320/0x3bc
[ 176.423917][ T7] ret_from_fork+0x10/0x3c
[ 176.424372][ T7]
[ 176.424849][ T7] The buggy address belongs to the object at ffff00000922f600
[ 176.424849][ T7] which belongs to the cache kmalloc-128 of size 128
[ 176.425623][ T7] The buggy address is located 72 bytes inside of
[ 176.425623][ T7] 128-byte region [ffff00000922f600, ffff00000922f680)
[ 176.426375][ T7] The buggy address belongs to the page:
[ 176.427531][ T7] page:000000001d5fde14 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4922f
[ 176.428760][ T7] flags: 0x1ffc00000000200(slab|node=0|zone=0|lastcpupid=0x7ff)
[ 176.430429][ T7] raw: 01ffc00000000200 dead000000000100 dead000000000122 ffff000008802300
[ 176.431173][ T7] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 176.431930][ T7] page dumped because: kasan: bad access detected
[ 176.432412][ T7]
[ 176.432847][ T7] Memory state around the buggy address:
[ 176.433554][ T7]  ffff00000922f500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 176.434090][ T7]  ffff00000922f580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 176.434485][ T7] >ffff00000922f600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 176.434958][ T7]                                               ^
[ 176.435409][ T7]  ffff00000922f680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 176.435832][ T7]  ffff00000922f700: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 176.436441][ T7] ==================================================================
[ 176.436882][ T7] Disabling lock debugging due to kernel taint
executing program
[ 179.580121][ T3295] can: request_module (can-proto-0) failed.
[ 179.686480][ T3295] can: request_module (can-proto-0) failed.
[ 179.798197][ T3295] can: request_module (can-proto-0) failed.
executing program
executing program

VM DIAGNOSIS:
02:12:02 Registers: