syzkaller login: [ 145.722907][ T3142] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 145.755585][ T3142] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 145.776031][ T3142] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:15722' (ECDSA) to the list of known hosts.
1970/01/01 00:02:44 fuzzer started
1970/01/01 00:02:49 connecting to host at localhost:33451
1970/01/01 00:02:49 checking machine...
1970/01/01 00:02:49 checking revisions...
1970/01/01 00:02:50 testing simple program...
executing program
executing program
[ 179.691164][ T3304] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 179.729806][ T3304] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
executing program
[ 183.083577][ T3304] device hsr_slave_0 entered promiscuous mode
[ 183.132247][ T3304] device hsr_slave_1 entered promiscuous mode
executing program
[ 185.062140][ T3304] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 185.169020][ T3304] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 185.293067][ T3304] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 185.444031][ T3304] netdevsim netdevsim0 netdevsim3: renamed from eth3
executing program
[ 188.433905][ T3304] 8021q: adding VLAN 0 to HW filter on device bond0
[ 188.582461][ T3504] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 188.607080][ T3504] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
executing program
[ 190.409828][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 190.430469][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 190.531575][ T2118] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 190.550190][ T2118] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 190.657424][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 190.780860][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 191.126200][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 191.132488][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 191.222852][ T2118] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 191.246991][ T2118] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 191.330889][ T3304] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 191.607584][ T3504] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 191.609938][ T3504] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
executing program
[ 195.159309][ T3504] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 195.198250][ T3504] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
executing program
[ 196.983229][ T2118] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 196.994339][ T2118] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 197.063988][ T2118] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 197.089105][ T2118] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 197.193388][ T3304] device veth0_vlan entered promiscuous mode
[ 197.421666][ T3304] device veth1_vlan entered promiscuous mode
[ 197.837014][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 197.869176][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 197.959284][ T3304] device veth0_macvtap entered promiscuous mode
[ 197.987807][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 198.114306][ T3304] device veth1_macvtap entered promiscuous mode
[ 198.425672][ T3504] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 198.506831][ T3504] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 198.597163][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 198.603806][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 198.737664][ T3304] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 198.739135][ T3304] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 198.739762][ T3304] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 198.740323][ T3304] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 199.952708][ T3304] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
1970/01/01 00:03:19 building call list...
[ 201.551887][ T31] ------------[ cut here ]------------
[ 201.553007][ T31] hook not found, pf 3 num 0
[ 201.554624][ T31] WARNING: CPU: 1 PID: 31 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x17c/0x4f0
[ 201.555736][ T31] Modules linked in:
[ 201.556458][ T31] CPU: 1 PID: 31 Comm: kworker/u4:3 Not tainted 5.12.0-syzkaller-14459-g322a3b843d7f #0
[ 201.556978][ T31] Hardware name: linux,dummy-virt (DT)
[ 201.559091][ T31] Workqueue: netns cleanup_net
[ 201.560963][ T31] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
[ 201.563213][ T31] pc : __nf_unregister_net_hook+0x17c/0x4f0
[ 201.564106][ T31] lr : __nf_unregister_net_hook+0x17c/0x4f0
[ 201.564618][ T31] sp : ffff8000183c79e0
[ 201.565933][ T31] x29: ffff8000183c79e0 x28: 0000000000000003
[ 201.567897][ T31] x27: 0000000000000001 x26: ffff00000acc0f10
[ 201.569759][ T31] x25: 0000000000000007 x24: ffff00000d48ba1c
[ 201.570470][ T31] x23: ffff800017132f20 x22: ffff00000acc0000
[ 201.571019][ T31] x21: 0000000000000001 x20: ffff00000fd76620
[ 201.571495][ T31] x19: ffff00000d48ba00 x18: ffff00006aaf1b48
[ 201.572071][ T31] x17: 0000000000000000 x16: 0000000000000007
[ 201.572559][ T31] x15: ffff00006aaf1b7c x14: 1ffff00003078e6a
[ 201.573034][ T31] x13: 0000000000000001 x12: ffff60000d562784
[ 201.573552][ T31] x11: 1fffe0000d562783 x10: ffff60000d562783
[ 201.574027][ T31] x9 : dfff800000000000 x8 : ffff00006ab13c1b
[ 201.574786][ T31] x7 : 0000000000000001 x6 : 00009ffff2a9d87d
[ 201.576108][ T31] x5 : ffff00006ab13c18 x4 : 1fffe0000120f9d9
[ 201.576722][ T31] x3 : dfff800000000000 x2 : 0000000000000000
[ 201.577325][ T31] x1 : 0000000000000000 x0 : ffff00000907cec0
[ 201.578369][ T31] Call trace:
[ 201.578787][ T31] __nf_unregister_net_hook+0x17c/0x4f0
[ 201.579272][ T31] nf_unregister_net_hooks+0xd4/0x120
[ 201.579722][ T31] arpt_unregister_table_pre_exit+0x6c/0x8c
[ 201.580169][ T31] arptable_filter_net_pre_exit+0x20/0x2c
[ 201.580660][ T31] cleanup_net+0x328/0x820
[ 201.581163][ T31] process_one_work+0x798/0x1764
[ 201.581584][ T31] worker_thread+0x3d4/0xcd0
[ 201.582044][ T31] kthread+0x320/0x3bc
[ 201.582475][ T31] ret_from_fork+0x10/0x3c
[ 201.583112][ T31] irq event stamp: 102018
[ 201.583528][ T31] hardirqs last enabled at (102017): [] console_unlock+0x7f8/0xbf4
[ 201.584264][ T31] hardirqs last disabled at (102018): [] el1_dbg+0x24/0x80
[ 201.584900][ T31] softirqs last enabled at (101848): [] _stext+0x9e0/0x1084
[ 201.586434][ T31] softirqs last disabled at (101839): [] __irq_exit_rcu+0x494/0x550
[ 201.586959][ T31] ---[ end trace b9d7845d21116d32 ]---
executing program
[ 201.987581][ T31] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 202.351559][ T31] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 202.663344][ T31] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 202.963365][ T31] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 207.417815][ T31] device hsr_slave_0 left promiscuous mode
[ 207.521279][ T31] device hsr_slave_1 left promiscuous mode
executing program
[ 207.749599][ T31] device veth1_macvtap left promiscuous mode
[ 207.753857][ T31] device veth0_macvtap left promiscuous mode
[ 207.790941][ T31] device veth1_vlan left promiscuous mode
[ 207.803319][ T31] device veth0_vlan left promiscuous mode
executing program
[ 212.541164][ T31] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 212.759663][ T31] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
executing program
[ 213.797986][ T31] bond0 (unregistering): Released all slaves
executing program
[ 216.721888][ T31] ==================================================================
[ 216.723131][ T31] BUG: KASAN: use-after-free in hooks_validate+0x164/0x1ac
[ 216.724609][ T31] Read of size 4 at addr ffff00000a679048 by task kworker/u4:3/31
[ 216.725948][ T31]
[ 216.727012][ T31] CPU: 1 PID: 31 Comm: kworker/u4:3 Tainted: G W 5.12.0-syzkaller-14459-g322a3b843d7f #0
[ 216.731404][ T31] Hardware name: linux,dummy-virt (DT)
[ 216.733606][ T31] Workqueue: netns cleanup_net
[ 216.735674][ T31] Call trace:
[ 216.737178][ T31] dump_backtrace+0x0/0x3e0
[ 216.738795][ T31] show_stack+0x18/0x24
[ 216.740572][ T31] dump_stack+0x120/0x1a8
[ 216.742520][ T31] print_address_description.constprop.0+0x2c/0x300
[ 216.745485][ T31] kasan_report+0x1ec/0x200
[ 216.746595][ T31] __asan_report_load4_noabort+0x34/0x60
[ 216.746916][ T31] hooks_validate+0x164/0x1ac
[ 216.747296][ T31] __nf_hook_entries_try_shrink+0x1d4/0x2c4
[ 216.747639][ T31] __nf_unregister_net_hook+0x240/0x4f0
[ 216.747957][ T31] nf_unregister_net_hook+0xb8/0x100
[ 216.748272][ T31] clusterip_net_exit+0x13c/0x204
[ 216.748590][ T31] ops_exit_list+0x78/0x124
[ 216.748885][ T31] cleanup_net+0x3a4/0x820
[ 216.749237][ T31] process_one_work+0x798/0x1764
[ 216.749543][ T31] worker_thread+0x3d4/0xcd0
[ 216.749863][ T31] kthread+0x320/0x3bc
[ 216.750157][ T31] ret_from_fork+0x10/0x3c
[ 216.750635][ T31]
[ 216.751086][ T31] Allocated by task 3289:
[ 216.751605][ T31] kasan_save_stack+0x28/0x60
[ 216.752007][ T31] __kasan_kmalloc+0x8c/0xb0
[ 216.752351][ T31] __kmalloc_node+0x234/0x590
[ 216.752675][ T31] __vmalloc_node_range+0x5cc/0x7f0
[ 216.753049][ T31] __vmalloc+0xd4/0x1a0
[ 216.753357][ T31] bpf_prog_alloc_no_stats+0x40/0x2e0
[ 216.753693][ T31] bpf_prog_alloc+0x24/0x170
[ 216.754013][ T31] bpf_prog_create_from_user+0x94/0x650
[ 216.754354][ T31] do_seccomp+0x5c4/0x1f30
[ 216.756365][ T31] prctl_set_seccomp+0x3c/0x70
[ 216.758237][ T31] __arm64_sys_prctl+0x9a4/0xfd0
[ 216.760201][ T31] invoke_syscall+0x6c/0x260
[ 216.761796][ T31] el0_svc_common.constprop.0+0xc4/0x1e4
[ 216.763802][ T31] do_el0_svc+0xa4/0xd0
[ 216.765431][ T31] el0_svc+0x24/0x3c
[ 216.766652][ T31] el0_sync_handler+0x1a4/0x1b0
[ 216.766956][ T31] el0_sync+0x18c/0x1c0
[ 216.767364][ T31]
[ 216.767723][ T31] Freed by task 31:
[ 216.768005][ T31] kasan_save_stack+0x28/0x60
[ 216.768320][ T31] kasan_set_track+0x28/0x40
[ 216.768611][ T31] kasan_set_free_info+0x28/0x50
[ 216.768918][ T31] __kasan_slab_free+0xfc/0x150
[ 216.769294][ T31] slab_free_freelist_hook+0x140/0x264
[ 216.769731][ T31] kfree+0x154/0x7d0
[ 216.770082][ T31] xt_unregister_table+0x1cc/0x2ec
[ 216.770454][ T31] __arpt_unregister_table+0x44/0x1b4
[ 216.770962][ T31] arpt_unregister_table+0x30/0x40
[ 216.771347][ T31] arptable_filter_net_exit+0x18/0x24
[ 216.771757][ T31] ops_exit_list+0x78/0x124
[ 216.772168][ T31] cleanup_net+0x3a4/0x820
[ 216.772609][ T31] process_one_work+0x798/0x1764
[ 216.773031][ T31] worker_thread+0x3d4/0xcd0
[ 216.773333][ T31] kthread+0x320/0x3bc
[ 216.773631][ T31] ret_from_fork+0x10/0x3c
[ 216.773939][ T31]
[ 216.774232][ T31] The buggy address belongs to the object at ffff00000a679000
[ 216.774232][ T31] which belongs to the cache kmalloc-128 of size 128
[ 216.776220][ T31] The buggy address is located 72 bytes inside of
[ 216.776220][ T31] 128-byte region [ffff00000a679000, ffff00000a679080)
[ 216.776791][ T31] The buggy address belongs to the page:
[ 216.777491][ T31] page:00000000695083cf refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4a679
[ 216.778318][ T31] flags: 0x1ffc00000000200(slab|node=0|zone=0|lastcpupid=0x7ff)
[ 216.779456][ T31] raw: 01ffc00000000200 0000000000000000 0000000200000001 ffff000008802300
[ 216.779950][ T31] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 216.780505][ T31] page dumped because: kasan: bad access detected
[ 216.780958][ T31]
[ 216.781244][ T31] Memory state around the buggy address:
[ 216.781893][ T31] ffff00000a678f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 216.782338][ T31] ffff00000a678f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 216.782817][ T31] >ffff00000a679000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 216.783348][ T31] ^
[ 216.783814][ T31] ffff00000a679080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 216.784219][ T31] ffff00000a679100: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 216.784930][ T31] ==================================================================
[ 216.785420][ T31] Disabling lock debugging due to kernel taint
[ 218.947795][ T3299] can: request_module (can-proto-0) failed.
[ 219.052037][ T3299] can: request_module (can-proto-0) failed.
[ 219.227951][ T3299] can: request_module (can-proto-0) failed.
executing program
executing program
executing program
executing program

VM DIAGNOSIS:
16:53:40 Registers: