syzkaller login: [ 139.358069][ T3141] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 139.410421][ T3141] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 139.446548][ T3141] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:23286' (ECDSA) to the list of known hosts.
1970/01/01 00:02:38 fuzzer started
1970/01/01 00:02:42 connecting to host at localhost:38869
1970/01/01 00:02:42 checking machine...
1970/01/01 00:02:42 checking revisions...
1970/01/01 00:02:43 testing simple program...
executing program
executing program
[ 173.454706][ T3303] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 173.493094][ T3303] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
executing program
[ 173.836635][ C1] hrtimer: interrupt took 56858976 ns
[ 176.063517][ T3303] device hsr_slave_0 entered promiscuous mode
[ 176.129740][ T3303] device hsr_slave_1 entered promiscuous mode
executing program
[ 178.154281][ T3303] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 178.274794][ T3303] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 178.383509][ T3303] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 178.467537][ T3303] netdevsim netdevsim0 netdevsim3: renamed from eth3
executing program
[ 180.924003][ T3303] 8021q: adding VLAN 0 to HW filter on device bond0
[ 181.048211][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 181.075883][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 182.453740][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 182.460432][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 182.577762][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 182.587424][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
executing program
[ 182.696338][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 182.805747][ T2115] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 183.046397][ T3427] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 183.067877][ T3427] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 183.185401][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 183.206013][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 183.289798][ T3303] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 183.608683][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 183.617533][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
executing program
[ 187.215250][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 187.238760][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
executing program
[ 188.995887][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 189.008928][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 189.038341][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 189.054877][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 189.088711][ T3303] device veth0_vlan entered promiscuous mode
[ 189.220594][ T3303] device veth1_vlan entered promiscuous mode
[ 189.570268][ T3427] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 189.597648][ T3427] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 189.708301][ T3303] device veth0_macvtap entered promiscuous mode
[ 189.798267][ T3303] device veth1_macvtap entered promiscuous mode
[ 189.994668][ T3427] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 190.001158][ T3427] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 190.031033][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 190.041456][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 190.134829][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 190.155703][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 190.229455][ T3303] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 190.230929][ T3303] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 190.233602][ T3303] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 190.234350][ T3303] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 191.448047][ T3303] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
executing program
1970/01/01 00:03:11 building call list...
[ 192.976499][ T28] ------------[ cut here ]------------
[ 192.979567][ T28] hook not found, pf 3 num 0
[ 192.981006][ T28] WARNING: CPU: 0 PID: 28 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x17c/0x4f0
[ 192.983872][ T28] Modules linked in:
[ 192.986105][ T28] CPU: 0 PID: 28 Comm: kworker/u4:2 Not tainted 5.12.0-syzkaller-13812-ge4adffb8daf4 #0
[ 192.987699][ T28] Hardware name: linux,dummy-virt (DT)
[ 192.989172][ T28] Workqueue: netns cleanup_net
[ 192.990021][ T28] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
[ 192.990433][ T28] pc : __nf_unregister_net_hook+0x17c/0x4f0
[ 192.994211][ T28] lr : __nf_unregister_net_hook+0x17c/0x4f0
[ 192.994640][ T28] sp : ffff8000183979e0
[ 192.994970][ T28] x29: ffff8000183979e0 x28: 0000000000000003
[ 192.995524][ T28] x27: 0000000000000001 x26: ffff000009cf0f10
[ 192.996019][ T28] x25: 0000000000000007 x24: ffff00000ba6061c
[ 192.996492][ T28] x23: ffff800017131120 x22: ffff000009cf0000
[ 192.996957][ T28] x21: 0000000000000001 x20: ffff0000098e4b20
[ 192.997413][ T28] x19: ffff00000ba60600 x18: ffff00006aaf1b48
[ 192.997861][ T28] x17: 0000000000000000 x16: 0000000000000000
[ 192.998321][ T28] x15: ffff00006aaf1b7c x14: 1ffff00003072e6a
[ 192.998784][ T28] x13: 0000000000000001 x12: ffff60000d55e384
[ 192.999260][ T28] x11: 1fffe0000d55e383 x10: ffff60000d55e383
[ 192.999670][ T28] x9 : dfff800000000000 x8 : ffff00006aaf1c1b
[ 193.000494][ T28] x7 : 0000000000000001 x6 : 00009ffff2aa1c7d
[ 193.001076][ T28] x5 : ffff00006aaf1c18 x4 : 1fffe00001215349
[ 193.001591][ T28] x3 : dfff800000000000 x2 : 0000000000000000
[ 193.002297][ T28] x1 : 0000000000000000 x0 : ffff0000090a9a40
[ 193.003415][ T28] Call trace:
[ 193.003851][ T28] __nf_unregister_net_hook+0x17c/0x4f0
[ 193.004355][ T28] nf_unregister_net_hooks+0xd4/0x120
[ 193.004819][ T28] arpt_unregister_table_pre_exit+0x6c/0x8c
[ 193.005349][ T28] arptable_filter_net_pre_exit+0x20/0x2c
[ 193.005796][ T28] cleanup_net+0x328/0x820
[ 193.006185][ T28] process_one_work+0x798/0x1764
[ 193.006614][ T28] worker_thread+0x3d4/0xcd0
[ 193.007023][ T28] kthread+0x320/0x3bc
[ 193.007374][ T28] ret_from_fork+0x10/0x3c
[ 193.008027][ T28] irq event stamp: 61882
[ 193.008438][ T28] hardirqs last enabled at (61881): [] console_unlock+0x7f8/0xbf4
[ 193.009077][ T28] hardirqs last disabled at (61882): [] el1_dbg+0x24/0x80
[ 193.009638][ T28] softirqs last enabled at (61790): [] _stext+0x9e0/0x1084
[ 193.010399][ T28] softirqs last disabled at (61687): [] __irq_exit_rcu+0x494/0x550
[ 193.010998][ T28] ---[ end trace 5bcc87981e81dc50 ]---
[ 193.210563][ T28] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 193.478049][ T28] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 193.750017][ T28] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 194.080187][ T28] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
executing program
executing program
[ 198.362815][ T28] device hsr_slave_0 left promiscuous mode
[ 198.439110][ T28] device hsr_slave_1 left promiscuous mode
[ 198.637859][ T28] device veth1_macvtap left promiscuous mode
[ 198.640894][ T28] device veth0_macvtap left promiscuous mode
[ 198.670451][ T28] device veth1_vlan left promiscuous mode
[ 198.676553][ T28] device veth0_vlan left promiscuous mode
executing program
executing program
[ 204.485026][ T28] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 204.768708][ T28] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 205.967430][ T28] bond0 (unregistering): Released all slaves
executing program
[ 208.727152][ T28] ==================================================================
[ 208.729588][ T28] BUG: KASAN: use-after-free in hooks_validate+0x164/0x1ac
[ 208.730280][ T28] Read of size 4 at addr ffff0000098e4a48 by task kworker/u4:2/28
[ 208.730925][ T28]
[ 208.731663][ T28] CPU: 0 PID: 28 Comm: kworker/u4:2 Tainted: G W 5.12.0-syzkaller-13812-ge4adffb8daf4 #0
[ 208.732367][ T28] Hardware name: linux,dummy-virt (DT)
[ 208.732868][ T28] Workqueue: netns cleanup_net
[ 208.733402][ T28] Call trace:
[ 208.733687][ T28] dump_backtrace+0x0/0x3e0
[ 208.733996][ T28] show_stack+0x18/0x24
[ 208.734303][ T28] dump_stack+0x120/0x1a8
[ 208.734572][ T28] print_address_description.constprop.0+0x2c/0x300
[ 208.734902][ T28] kasan_report+0x1ec/0x200
[ 208.735172][ T28] __asan_report_load4_noabort+0x34/0x60
[ 208.735467][ T28] hooks_validate+0x164/0x1ac
[ 208.735728][ T28] __nf_hook_entries_try_shrink+0x1d4/0x2c4
[ 208.736065][ T28] __nf_unregister_net_hook+0x240/0x4f0
[ 208.736352][ T28] nf_unregister_net_hook+0xb8/0x100
[ 208.736753][ T28] clusterip_net_exit+0x13c/0x204
[ 208.737047][ T28] ops_exit_list+0x78/0x124
[ 208.737315][ T28] cleanup_net+0x3a4/0x820
[ 208.737581][ T28] process_one_work+0x798/0x1764
[ 208.737877][ T28] worker_thread+0x3d4/0xcd0
[ 208.738145][ T28] kthread+0x320/0x3bc
[ 208.738418][ T28] ret_from_fork+0x10/0x3c
[ 208.738806][ T28]
[ 208.739887][ T28] Allocated by task 0:
[ 208.741114][ T28] (stack is not available)
[ 208.742746][ T28]
[ 208.743654][ T28] Freed by task 28:
[ 208.749059][ T28] kasan_save_stack+0x28/0x60
[ 208.750747][ T28] kasan_set_track+0x28/0x40
[ 208.751523][ T28] kasan_set_free_info+0x28/0x50
[ 208.751821][ T28] __kasan_slab_free+0xfc/0x150
[ 208.752289][ T28] slab_free_freelist_hook+0x140/0x264
[ 208.752570][ T28] kfree+0x154/0x7d0
[ 208.753005][ T28] xt_unregister_table+0x1cc/0x2ec
[ 208.753419][ T28] __arpt_unregister_table+0x44/0x1b4
[ 208.753939][ T28] arpt_unregister_table+0x30/0x40
[ 208.754298][ T28] arptable_filter_net_exit+0x18/0x24
[ 208.754577][ T28] ops_exit_list+0x78/0x124
[ 208.754850][ T28] cleanup_net+0x3a4/0x820
[ 208.755114][ T28] process_one_work+0x798/0x1764
[ 208.756020][ T28] worker_thread+0x3d4/0xcd0
[ 208.756296][ T28] kthread+0x320/0x3bc
[ 208.756624][ T28] ret_from_fork+0x10/0x3c
[ 208.757777][ T28]
[ 208.758416][ T28] The buggy address belongs to the object at ffff0000098e4a00
[ 208.758416][ T28] which belongs to the cache kmalloc-128 of size 128
[ 208.762766][ T28] The buggy address is located 72 bytes inside of
[ 208.762766][ T28] 128-byte region [ffff0000098e4a00, ffff0000098e4a80)
[ 208.766418][ T28] The buggy address belongs to the page:
[ 208.769398][ T28] page:00000000c014cb9d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x498e4
[ 208.773522][ T28] flags: 0x1ffc00000000200(slab|node=0|zone=0|lastcpupid=0x7ff)
[ 208.775908][ T28] raw: 01ffc00000000200 dead000000000100 dead000000000122 ffff000008802300
[ 208.776597][ T28] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 208.777271][ T28] page dumped because: kasan: bad access detected
[ 208.777791][ T28]
[ 208.778199][ T28] Memory state around the buggy address:
[ 208.778945][ T28] ffff0000098e4900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 208.779356][ T28] ffff0000098e4980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 208.779865][ T28] >ffff0000098e4a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 208.780443][ T28] ^
[ 208.781025][ T28] ffff0000098e4a80: fc fc
fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 208.781606][ T28] ffff0000098e4b00: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 208.782249][ T28] ==================================================================
[ 208.782748][ T28] Disabling lock debugging due to kernel taint
executing program
[ 210.131180][ T3294] can: request_module (can-proto-0) failed.
[ 210.274432][ T3294] can: request_module (can-proto-0) failed.
[ 210.403634][ T3294] can: request_module (can-proto-0) failed.
executing program
executing program
executing program
VM DIAGNOSIS:
19:22:52 Registers: