syzkaller login: [ 132.968148][ T3143] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 132.989874][ T3143] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 133.026960][ T3143] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:52811' (ECDSA) to the list of known hosts.
1970/01/01 00:02:36 fuzzer started
1970/01/01 00:02:42 connecting to host at localhost:39061
1970/01/01 00:02:42 checking machine...
1970/01/01 00:02:42 checking revisions...
1970/01/01 00:02:42 testing simple program...
executing program
executing program
[ 171.538211][ T3305] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 171.575662][ T3305] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
executing program
[ 174.078340][ T3305] device hsr_slave_0 entered promiscuous mode
[ 174.177253][ T3305] device hsr_slave_1 entered promiscuous mode
executing program
[ 176.098480][ T3305] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 176.202447][ T3305] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 176.326245][ T3305] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 176.415474][ T3305] netdevsim netdevsim0 netdevsim3: renamed from eth3
executing program
[ 179.298714][ T3305] 8021q: adding VLAN 0 to HW filter on device bond0
[ 179.529301][ T2119] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 179.549306][ T2119] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 181.117764][ T2119] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 181.138232][ T2119] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 181.214445][ T2119] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 181.220520][ T2119] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 181.372889][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 181.462373][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 181.746843][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 181.766582][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 181.873749][ T2119] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 181.880325][ T2119] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 181.967002][ T3305] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
executing program
[ 182.239541][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 182.245527][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
executing program
[ 185.590093][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 185.618274][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 187.195169][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 187.216995][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 187.244616][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 187.250537][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 187.290286][ T3305] device veth0_vlan entered promiscuous mode
[ 187.459997][ T3305] device veth1_vlan entered promiscuous mode
[ 187.956152][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 187.978083][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
executing program
[ 188.065365][ T3305] device veth0_macvtap entered promiscuous mode
[ 188.134308][ T3305] device veth1_macvtap entered promiscuous mode
[ 188.206429][ T3511] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 188.214963][ T3511] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 188.383962][ T3511] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 188.419074][ T3511] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 188.524395][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 188.548350][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 188.657207][ T3305] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 188.662395][ T3305] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 188.663401][ T3305] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 188.663900][ T3305] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 190.033502][ T3305] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
executing program
1970/01/01 00:03:09 building call list...
[ 191.526992][ T139] ------------[ cut here ]------------
[ 191.545648][ T139] hook not found, pf 3 num 0
[ 191.547335][ T139] WARNING: CPU: 0 PID: 139 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x17c/0x4f0
[ 191.553207][ T139] Modules linked in:
[ 191.554355][ T139] CPU: 0 PID: 139 Comm: kworker/u4:8 Not tainted 5.12.0-syzkaller-14869-gdd860052c99b #0
[ 191.556974][ T139] Hardware name: linux,dummy-virt (DT)
[ 191.558048][ T139] Workqueue: netns cleanup_net
[ 191.558934][ T139] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
[ 191.559470][ T139] pc : __nf_unregister_net_hook+0x17c/0x4f0
[ 191.560038][ T139] lr : __nf_unregister_net_hook+0x17c/0x4f0
[ 191.562161][ T139] sp : ffff8000187979e0
[ 191.563764][ T139] x29: ffff8000187979e0 x28: 0000000000000003 x27: 0000000000000001
[ 191.564933][ T139] x26: ffff00000a148f10 x25: 0000000000000007 x24: ffff00000f78261c
[ 191.565461][ T139] x23: ffff800017133160 x22: ffff00000a148000 x21: 0000000000000001
[ 191.566120][ T139] x20: ffff00000b69b020 x19: ffff00000f782600 x18: ffff00006aaf1b48
[ 191.566692][ T139] x17: 0000000000000000 x16: 0000000000000000 x15: ffff00006aaf1b7c
[ 191.567274][ T139] x14: 1ffff000030f2e6a x13: 0000000000000001 x12: ffff7000030f2e9d
[ 191.567979][ T139] x11: 1ffff000030f2e9c x10: ffff7000030f2e9c x9 : 1fffe000012cf7d2
[ 191.568663][ T139] x8 : ffff00000967be90 x7 : ffff8000173e47a0 x6 : 00000000f3f3f3f3
[ 191.569219][ T139] x5 : 00000000f2f2f200 x4 : 1fffe000012cf691 x3 : dfff800000000000
[ 191.569765][ T139] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00000967b480
[ 191.570783][ T139] Call trace:
[ 191.571119][ T139] __nf_unregister_net_hook+0x17c/0x4f0
[ 191.571485][ T139] nf_unregister_net_hooks+0xd4/0x120
[ 191.571790][ T139] arpt_unregister_table_pre_exit+0x6c/0x8c
[ 191.572208][ T139] arptable_filter_net_pre_exit+0x20/0x2c
[ 191.572514][ T139] cleanup_net+0x328/0x820
[ 191.572805][ T139] process_one_work+0x798/0x1764
[ 191.573130][ T139] worker_thread+0x3d4/0xcd0
[ 191.573420][ T139] kthread+0x320/0x3bc
[ 191.573696][ T139] ret_from_fork+0x10/0x3c
[ 191.574251][ T139] irq event stamp: 260226
[ 191.574605][ T139] hardirqs last enabled at (260225): [] console_unlock+0x7f8/0xbf4
[ 191.575056][ T139] hardirqs last disabled at (260226): [] el1_dbg+0x24/0x80
[ 191.575466][ T139] softirqs last enabled at (260214): [] _stext+0x9e0/0x1084
[ 191.575903][ T139] softirqs last disabled at (260205): [] __irq_exit_rcu+0x494/0x550
[ 191.576315][ T139] ---[ end trace 018f31fc5dcfe81f ]---
[ 191.805165][ T139] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 192.080805][ T139] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 192.324651][ T139] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 192.570501][ T139] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 196.206731][ T139] device hsr_slave_0 left promiscuous mode
[ 196.285036][ T139] device hsr_slave_1 left promiscuous mode
[ 196.479127][ T139] device veth1_macvtap left promiscuous mode
[ 196.505203][ T139] device veth0_macvtap left promiscuous mode
[ 196.522520][ T139] device veth1_vlan left promiscuous mode
[ 196.524959][ T139] device veth0_vlan left promiscuous mode
executing program
executing program
[ 200.510512][ T139] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 200.696664][ T139] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 201.619731][ T139] bond0 (unregistering): Released all slaves
executing program
[ 204.368461][ T139] ==================================================================
[ 204.371440][ T139] BUG: KASAN: use-after-free in hooks_validate+0x164/0x1ac
[ 204.372051][ T139] Read of size 4 at addr ffff00000b69b348 by task kworker/u4:8/139
[ 204.372502][ T139]
[ 204.373201][ T139] CPU: 0 PID: 139 Comm: kworker/u4:8 Tainted: G W 5.12.0-syzkaller-14869-gdd860052c99b #0
[ 204.373712][ T139] Hardware name: linux,dummy-virt (DT)
[ 204.374040][ T139] Workqueue: netns cleanup_net
[ 204.374524][ T139] Call trace:
[ 204.374796][ T139] dump_backtrace+0x0/0x3e0
[ 204.375242][ T139] show_stack+0x18/0x24
[ 204.375625][ T139] dump_stack+0x120/0x1a8
[ 204.375992][ T139] print_address_description.constprop.0+0x2c/0x300
[ 204.376369][ T139] kasan_report+0x1ec/0x200
[ 204.377597][ T139] __asan_report_load4_noabort+0x34/0x60
[ 204.379463][ T139] hooks_validate+0x164/0x1ac
[ 204.380036][ T139] __nf_hook_entries_try_shrink+0x1d4/0x2c4
[ 204.380523][ T139] __nf_unregister_net_hook+0x240/0x4f0
[ 204.381073][ T139] nf_unregister_net_hook+0xb8/0x100
[ 204.381501][ T139] clusterip_net_exit+0x13c/0x204
[ 204.381991][ T139] ops_exit_list+0x78/0x124
[ 204.382371][ T139] cleanup_net+0x3a4/0x820
[ 204.382766][ T139] process_one_work+0x798/0x1764
[ 204.383205][ T139] worker_thread+0x3d4/0xcd0
[ 204.383599][ T139] kthread+0x320/0x3bc
[ 204.383998][ T139] ret_from_fork+0x10/0x3c
[ 204.384524][ T139]
[ 204.384965][ T139] Allocated by task 3289:
[ 204.385485][ T139] kasan_save_stack+0x28/0x60
[ 204.385908][ T139] __kasan_kmalloc+0x8c/0xb0
[ 204.386279][ T139] __kmalloc+0x268/0x4e0
[ 204.386662][ T139] tomoyo_encode2.part.0+0xac/0x2d4
[ 204.387069][ T139] tomoyo_encode+0x2c/0x44
[ 204.388482][ T139] tomoyo_realpath_from_path+0x110/0x51c
[ 204.390749][ T139] tomoyo_path_perm+0x1f8/0x334
[ 204.391357][ T139] tomoyo_inode_getattr+0x1c/0x30
[ 204.391760][ T139] security_inode_getattr+0xb4/0x110
[ 204.393946][ T139] vfs_fstat+0x38/0xb0
[ 204.395688][ T139] __do_sys_newfstat+0x78/0xd0
[ 204.397109][ T139] __arm64_sys_newfstat+0x50/0x70
[ 204.398702][ T139] invoke_syscall+0x6c/0x260
[ 204.399935][ T139] el0_svc_common.constprop.0+0xc4/0x1e4
[ 204.400278][ T139] do_el0_svc+0xa4/0xd0
[ 204.400566][ T139] el0_svc+0x24/0x3c
[ 204.400930][ T139] el0_sync_handler+0x1a4/0x1b0
[ 204.403018][ T139] el0_sync+0x198/0x1c0
[ 204.404869][ T139]
[ 204.406274][ T139] Freed by task 139:
[ 204.407899][ T139] kasan_save_stack+0x28/0x60
[ 204.409198][ T139] kasan_set_track+0x28/0x40
[ 204.409559][ T139] kasan_set_free_info+0x28/0x50
[ 204.409869][ T139] __kasan_slab_free+0xfc/0x150
[ 204.410182][ T139] slab_free_freelist_hook+0x140/0x264
[ 204.410528][ T139] kfree+0x154/0x7d0
[ 204.410796][ T139] xt_unregister_table+0x1cc/0x2ec
[ 204.411244][ T139] __arpt_unregister_table+0x44/0x1b4
[ 204.411623][ T139] arpt_unregister_table+0x30/0x40
[ 204.412138][ T139] arptable_filter_net_exit+0x18/0x24
[ 204.412602][ T139] ops_exit_list+0x78/0x124
[ 204.412940][ T139] cleanup_net+0x3a4/0x820
[ 204.413256][ T139] process_one_work+0x798/0x1764
[ 204.413606][ T139] worker_thread+0x3d4/0xcd0
[ 204.413921][ T139] kthread+0x320/0x3bc
[ 204.414241][ T139] ret_from_fork+0x10/0x3c
[ 204.414609][ T139]
[ 204.414890][ T139] The buggy address belongs to the object at ffff00000b69b300
[ 204.414890][ T139] which belongs to the cache kmalloc-128 of size 128
[ 204.415520][ T139] The buggy address is located 72 bytes inside of
[ 204.415520][ T139] 128-byte region [ffff00000b69b300, ffff00000b69b380)
[ 204.416165][ T139] The buggy address belongs to the page:
[ 204.416893][ T139] page:000000005c7013f3 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4b69b
[ 204.417793][ T139] flags: 0x1ffc00000000200(slab|node=0|zone=0|lastcpupid=0x7ff)
[ 204.419814][ T139] raw: 01ffc00000000200 0000000000000000 0000000200000001 ffff000008802300
[ 204.426489][ T139] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 204.429042][ T139] page dumped because: kasan: bad access detected
[ 204.431535][ T139]
[ 204.432588][ T139] Memory state around the buggy address:
[ 204.434563][ T139] ffff00000b69b200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 204.435032][ T139] ffff00000b69b280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 204.435415][ T139] >ffff00000b69b300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 204.435806][ T139] ^
[ 204.436289][ T139] ffff00000b69b380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 204.438340][ T139] ffff00000b69b400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 204.438985][ T139] ==================================================================
[ 204.439458][ T139] Disabling lock debugging due to kernel taint
executing program
[ 206.069976][ T3298] can: request_module (can-proto-0) failed.
[ 206.184259][ T3298] can: request_module (can-proto-0) failed.
[ 206.296793][ T3298] can: request_module (can-proto-0) failed.
executing program
executing program
executing program

VM DIAGNOSIS:
23:01:29 Registers: