syzkaller login: [ 131.445558][ T3144] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 131.472450][ T3144] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 131.489611][ T3144] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:16679' (ECDSA) to the list of known hosts.
1970/01/01 00:02:30 fuzzer started
1970/01/01 00:02:34 connecting to host at localhost:41061
1970/01/01 00:02:34 checking machine...
1970/01/01 00:02:34 checking revisions...
1970/01/01 00:02:35 testing simple program...
executing program
executing program
[ 164.480224][ T3306] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 164.540975][ T3306] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
executing program
[ 166.994473][ T3306] device hsr_slave_0 entered promiscuous mode
[ 167.078743][ T3306] device hsr_slave_1 entered promiscuous mode
executing program
[ 168.960895][ T3306] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 169.065110][ T3306] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 169.234926][ T3306] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 169.355926][ T3306] netdevsim netdevsim0 netdevsim3: renamed from eth3
executing program
[ 172.042613][ T3306] 8021q: adding VLAN 0 to HW filter on device bond0
[ 172.164256][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 172.198426][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 173.511042][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 173.515572][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 173.584550][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 173.590592][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 173.655565][ T2120] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 173.727172][ T3511] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 173.982861][ T3498] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 174.019125][ T3498] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 174.110590][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 174.131048][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 174.212812][ T3306] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
executing program
[ 174.590674][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 174.592699][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
executing program
[ 178.241090][ T3511] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 178.320431][ T3511] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 179.845503][ T3498] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 179.865548][ T3498] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 179.893569][ T3498] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 179.905708][ T3498] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 179.938236][ T3306] device veth0_vlan entered promiscuous mode
[ 180.133163][ T3306] device veth1_vlan entered promiscuous mode
executing program
[ 180.554823][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 180.570331][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 180.672741][ T3306] device veth0_macvtap entered promiscuous mode
[ 180.734666][ T3306] device veth1_macvtap entered promiscuous mode
[ 180.854856][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 180.874365][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 180.952395][ T3511] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 180.969452][ T3511] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 181.243699][ T3511] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 181.253664][ T3511] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 181.338760][ T3306] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 181.340723][ T3306] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 181.343625][ T3306] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 181.358869][ T3306] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 182.601982][ T3306] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
executing program
1970/01/01 00:03:02 building call list...
[ 184.035061][ T24] ------------[ cut here ]------------
[ 184.059454][ T24] hook not found, pf 3 num 0
[ 184.061249][ T24] WARNING: CPU: 1 PID: 24 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x17c/0x4f0
[ 184.062453][ T24] Modules linked in:
[ 184.063193][ T24] CPU: 1 PID: 24 Comm: kworker/u4:1 Not tainted 5.12.0-syzkaller-14855-g51595e3b4943 #0
[ 184.065680][ T24] Hardware name: linux,dummy-virt (DT)
[ 184.067458][ T24] Workqueue: netns cleanup_net
[ 184.068158][ T24] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
[ 184.068598][ T24] pc : __nf_unregister_net_hook+0x17c/0x4f0
[ 184.068973][ T24] lr : __nf_unregister_net_hook+0x17c/0x4f0
[ 184.071163][ T24] sp : ffff8000183479e0
[ 184.072468][ T24] x29: ffff8000183479e0 x28: 0000000000000003 x27: 0000000000000001
[ 184.074920][ T24] x26: ffff000009fe0f10 x25: 0000000000000007 x24: ffff000013b0441c
[ 184.077594][ T24] x23: ffff800017133160 x22: ffff000009fe0000 x21: 0000000000000001
[ 184.078287][ T24] x20: ffff00001028d620 x19: ffff000013b04400 x18: ffff00006ab13b48
[ 184.080620][ T24] x17: 0000000000000000 x16: 0000000000000000 x15: ffff00006ab13b7c
[ 184.082817][ T24] x14: 1ffff00003068e6a x13: 0000000000000001 x12: ffff60000d562784
[ 184.085892][ T24] x11: 1fffe0000d562783 x10: ffff60000d562783 x9 : dfff800000000000
[ 184.089004][ T24] x8 : ffff00006ab13c1b x7 : 0000000000000001 x6 : 00009ffff2a9d87d
[ 184.091610][ T24] x5 : ffff00006ab13c18 x4 : 1fffe0000115e691 x3 : dfff800000000000
[ 184.094251][ T24] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000008af3480
[ 184.097347][ T24] Call trace:
[ 184.106960][ T24] __nf_unregister_net_hook+0x17c/0x4f0
[ 184.108530][ T24] nf_unregister_net_hooks+0xd4/0x120
[ 184.110092][ T24] arpt_unregister_table_pre_exit+0x6c/0x8c
[ 184.111785][ T24] arptable_filter_net_pre_exit+0x20/0x2c
[ 184.113421][ T24] cleanup_net+0x328/0x820
[ 184.114700][ T24] process_one_work+0x798/0x1764
[ 184.116215][ T24] worker_thread+0x3d4/0xcd0
[ 184.117532][ T24] kthread+0x320/0x3bc
[ 184.118772][ T24] ret_from_fork+0x10/0x3c
[ 184.120505][ T24] irq event stamp: 207446
[ 184.121830][ T24] hardirqs last enabled at (207445): [] console_unlock+0x7f8/0xbf4
[ 184.124454][ T24] hardirqs last disabled at (207446): [] el1_dbg+0x24/0x80
[ 184.126893][ T24] softirqs last enabled at (207434): [] _stext+0x9e0/0x1084
[ 184.128971][ T24] softirqs last disabled at (207303): [] __irq_exit_rcu+0x494/0x550
[ 184.131296][ T24] ---[ end trace c6fa1a438bad1c6b ]---
[ 184.423669][ T24] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 184.734225][ T24] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 184.974753][ T24] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 185.214709][ T24] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 189.487237][ T24] device hsr_slave_0 left promiscuous mode
executing program
[ 189.541646][ T24] device hsr_slave_1 left promiscuous mode
[ 189.717583][ T24] device veth1_macvtap left promiscuous mode
[ 189.721224][ T24] device veth0_macvtap left promiscuous mode
[ 189.731141][ T24] device veth1_vlan left promiscuous mode
[ 189.733466][ T24] device veth0_vlan left promiscuous mode
executing program
[ 193.661492][ T24] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 193.895053][ T24] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 194.888503][ T24] bond0 (unregistering): Released all slaves
executing program
[ 197.429010][ T24] ==================================================================
[ 197.431122][ T24] BUG: KASAN: use-after-free in hooks_validate+0x164/0x1ac
[ 197.433119][ T24] Read of size 4 at addr ffff00001028dd48 by task kworker/u4:1/24
[ 197.435161][ T24]
[ 197.436363][ T24] CPU: 0 PID: 24 Comm: kworker/u4:1 Tainted: G W 5.12.0-syzkaller-14855-g51595e3b4943 #0
[ 197.441005][ T24] Hardware name: linux,dummy-virt (DT)
[ 197.442571][ T24] Workqueue: netns cleanup_net
[ 197.443027][ T24] Call trace:
[ 197.444091][ T24] dump_backtrace+0x0/0x3e0
[ 197.444884][ T24] show_stack+0x18/0x24
[ 197.446325][ T24] dump_stack+0x120/0x1a8
[ 197.448222][ T24] print_address_description.constprop.0+0x2c/0x300
[ 197.450036][ T24] kasan_report+0x1ec/0x200
[ 197.451305][ T24] __asan_report_load4_noabort+0x34/0x60
[ 197.453008][ T24] hooks_validate+0x164/0x1ac
[ 197.454542][ T24] __nf_hook_entries_try_shrink+0x1d4/0x2c4
[ 197.456605][ T24] __nf_unregister_net_hook+0x240/0x4f0
[ 197.458576][ T24] nf_unregister_net_hook+0xb8/0x100
[ 197.458947][ T24] clusterip_net_exit+0x13c/0x204
[ 197.460436][ T24] ops_exit_list+0x78/0x124
[ 197.461720][ T24] cleanup_net+0x3a4/0x820
[ 197.463598][ T24] process_one_work+0x798/0x1764
[ 197.464250][ T24] worker_thread+0x3d4/0xcd0
[ 197.466041][ T24] kthread+0x320/0x3bc
[ 197.467836][ T24] ret_from_fork+0x10/0x3c
[ 197.469966][ T24]
[ 197.471261][ T24] Allocated by task 3292:
[ 197.472527][ T24] kasan_save_stack+0x28/0x60
[ 197.473017][ T24] __kasan_kmalloc+0x8c/0xb0
[ 197.473380][ T24] __kmalloc+0x268/0x4e0
[ 197.473797][ T24] tomoyo_encode2.part.0+0xac/0x2d4
[ 197.474211][ T24] tomoyo_encode+0x2c/0x44
[ 197.474576][ T24] tomoyo_realpath_from_path+0x110/0x51c
[ 197.474971][ T24] tomoyo_path_perm+0x1f8/0x334
[ 197.475368][ T24] tomoyo_inode_getattr+0x1c/0x30
[ 197.475719][ T24] security_inode_getattr+0xb4/0x110
[ 197.476127][ T24] vfs_fstat+0x38/0xb0
[ 197.476440][ T24] __do_sys_newfstat+0x78/0xd0
[ 197.476752][ T24] __arm64_sys_newfstat+0x50/0x70
[ 197.477048][ T24] invoke_syscall+0x6c/0x260
[ 197.477378][ T24] el0_svc_common.constprop.0+0xc4/0x1e4
[ 197.477709][ T24] do_el0_svc+0xa4/0xd0
[ 197.478005][ T24] el0_svc+0x24/0x3c
[ 197.478313][ T24] el0_sync_handler+0x1a4/0x1b0
[ 197.478619][ T24] el0_sync+0x198/0x1c0
[ 197.478980][ T24]
[ 197.479285][ T24] Freed by task 24:
[ 197.479593][ T24] kasan_save_stack+0x28/0x60
[ 197.479917][ T24] kasan_set_track+0x28/0x40
[ 197.480223][ T24] kasan_set_free_info+0x28/0x50
[ 197.480562][ T24] __kasan_slab_free+0xfc/0x150
[ 197.480869][ T24] slab_free_freelist_hook+0x140/0x264
[ 197.481184][ T24] kfree+0x154/0x7d0
[ 197.481482][ T24] xt_unregister_table+0x1cc/0x2ec
[ 197.482070][ T24] __arpt_unregister_table+0x44/0x1b4
[ 197.482529][ T24] arpt_unregister_table+0x30/0x40
[ 197.482970][ T24] arptable_filter_net_exit+0x18/0x24
[ 197.483326][ T24] ops_exit_list+0x78/0x124
[ 197.483656][ T24] cleanup_net+0x3a4/0x820
[ 197.483952][ T24] process_one_work+0x798/0x1764
[ 197.484280][ T24] worker_thread+0x3d4/0xcd0
[ 197.484577][ T24] kthread+0x320/0x3bc
[ 197.484903][ T24] ret_from_fork+0x10/0x3c
[ 197.485224][ T24]
[ 197.485525][ T24] The buggy address belongs to the object at ffff00001028dd00
[ 197.485525][ T24] which belongs to the cache kmalloc-128 of size 128
[ 197.486277][ T24] The buggy address is located 72 bytes inside of
[ 197.486277][ T24] 128-byte region [ffff00001028dd00, ffff00001028dd80)
[ 197.487058][ T24] The buggy address belongs to the page:
[ 197.487774][ T24] page:00000000c484a7ed refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5028d
[ 197.488757][ T24] flags: 0x1ffc00000000200(slab|node=0|zone=0|lastcpupid=0x7ff)
[ 197.489951][ T24] raw: 01ffc00000000200 0000000000000000 0000000100000001 ffff000008802300
[ 197.490427][ T24] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 197.490870][ T24] page dumped because: kasan: bad access detected
[ 197.491335][ T24]
[ 197.491712][ T24] Memory state around the buggy address:
[ 197.492413][ T24] ffff00001028dc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 197.492888][ T24] ffff00001028dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 197.493281][ T24] >ffff00001028dd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 197.493653][ T24] ^
[ 197.494180][ T24] ffff00001028dd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 197.494571][ T24] ffff00001028de00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 197.495088][ T24] ==================================================================
[ 197.495558][ T24] Disabling lock debugging due to kernel taint
executing program
[ 199.277200][ T3297] can: request_module (can-proto-0) failed.
[ 199.422910][ T3297] can: request_module (can-proto-0) failed.
[ 199.562212][ T3297] can: request_module (can-proto-0) failed.
executing program
executing program
executing program
VM DIAGNOSIS:
20:10:45 Registers: