==================================================================
BUG: KASAN: use-after-free in __nf_ct_ext_exist include/net/netfilter/nf_conntrack_extend.h:47 [inline]
BUG: KASAN: use-after-free in nf_ct_ext_exist include/net/netfilter/nf_conntrack_extend.h:52 [inline]
BUG: KASAN: use-after-free in nf_ct_ecache_exist include/net/netfilter/nf_conntrack_ecache.h:42 [inline]
BUG: KASAN: use-after-free in nf_conntrack_confirm include/net/netfilter/nf_conntrack_core.h:63 [inline]
BUG: KASAN: use-after-free in nf_confirm+0x4f2/0x520 net/netfilter/nf_conntrack_proto.c:154
Read of size 1 at addr ffff88801c46f504 by task syz-executor.2/7544

CPU: 0 PID: 7544 Comm: syz-executor.2 Not tainted 5.18.0-syzkaller-11712-g700170bf6b4d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description+0x65/0x4b0 mm/kasan/report.c:313
 print_report+0xf4/0x210 mm/kasan/report.c:429
 kasan_report+0xfb/0x130 mm/kasan/report.c:491
 __nf_ct_ext_exist include/net/netfilter/nf_conntrack_extend.h:47 [inline]
 nf_ct_ext_exist include/net/netfilter/nf_conntrack_extend.h:52 [inline]
 nf_ct_ecache_exist include/net/netfilter/nf_conntrack_ecache.h:42 [inline]
 nf_conntrack_confirm include/net/netfilter/nf_conntrack_core.h:63 [inline]
 nf_confirm+0x4f2/0x520 net/netfilter/nf_conntrack_proto.c:154
 nf_hook_entry_hookfn include/linux/netfilter.h:142 [inline]
 nf_hook_slow+0xae/0x1e0 net/netfilter/core.c:620
 nf_hook+0x26e/0x3d0 include/linux/netfilter.h:262
 NF_HOOK_COND include/linux/netfilter.h:295 [inline]
 ip_output+0x1ed/0x2c0 net/ipv4/ip_output.c:430
 dst_output include/net/dst.h:451 [inline]
 ip_local_out net/ipv4/ip_output.c:126 [inline]
 ip_send_skb+0x113/0x1a0 net/ipv4/ip_output.c:1571
 udp_send_skb+0x8f7/0x11e0 net/ipv4/udp.c:967
 udp_sendmsg+0x1d30/0x2b00 net/ipv4/udp.c:1254
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg net/socket.c:734 [inline]
 kernel_sendmsg+0xf5/0x130 net/socket.c:754
 rxrpc_send_abort_packet+0x5a7/0xa00 net/rxrpc/output.c:334
 rxrpc_release_calls_on_socket+0x2ee/0x390 net/rxrpc/call_object.c:608
 rxrpc_release_sock net/rxrpc/af_rxrpc.c:886 [inline]
 rxrpc_release+0x262/0x430 net/rxrpc/af_rxrpc.c:917
 __sock_release net/socket.c:650 [inline]
 sock_close+0xd7/0x260 net/socket.c:1365
 __fput+0x3b9/0x820 fs/file_table.c:317
 task_work_run+0x146/0x1c0 kernel/task_work.c:177
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0x134/0x160 kernel/entry/common.c:169
 exit_to_user_mode_prepare+0xad/0x110 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x2e/0x60 kernel/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fad7c23bd4b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffce5ef4c70 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007fad7c23bd4b
RDX: 00007fad7c3a0a30 RSI: ffffffffffffffff RDI: 0000000000000004
RBP: 00007fad7c39d960 R08: 0000000000000000 R09: 00007fad7c3a0a38
R10: 00007ffce5ef4d70 R11: 0000000000000293 R12: 000000000003b2c9
R13: 00007ffce5ef4d70 R14: 00007fad7c39bf60 R15: 0000000000000032
 </TASK>

Allocated by task 2971:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:515
 kasan_kmalloc include/linux/kasan.h:234 [inline]
 kmem_cache_alloc_trace+0x94/0x310 mm/slub.c:3255
 kmalloc include/linux/slab.h:600 [inline]
 kernfs_get_open_node fs/kernfs/file.c:547 [inline]
 kernfs_fop_open+0x8f9/0xbc0 fs/kernfs/file.c:693
 do_dentry_open+0x789/0x1040 fs/open.c:848
 do_open fs/namei.c:3527 [inline]
 path_openat+0x26c0/0x2ec0 fs/namei.c:3660
 do_filp_open+0x277/0x4f0 fs/namei.c:3687
 do_sys_openat2+0x13b/0x500 fs/open.c:1278
 do_sys_open fs/open.c:1294 [inline]
 __do_sys_openat fs/open.c:1310 [inline]
 __se_sys_openat fs/open.c:1305 [inline]
 __x64_sys_openat+0x243/0x290 fs/open.c:1305
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 7544:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4c/0x70 mm/kasan/common.c:45
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:370
 ____kasan_slab_free+0xd8/0x110 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:200 [inline]
 slab_free_hook mm/slub.c:1727 [inline]
 slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1753
 slab_free mm/slub.c:3507 [inline]
 kfree+0xc6/0x210 mm/slub.c:4555
 nf_conntrack_free+0x256/0x2f0 net/netfilter/nf_conntrack_core.c:1680
 nf_ct_put include/net/netfilter/nf_conntrack.h:184 [inline]
 __nf_ct_resolve_clash+0xa2f/0x10f0 net/netfilter/nf_conntrack_core.c:1013
 nf_ct_resolve_clash+0xfc/0xbd8 net/netfilter/nf_conntrack_core.c:1136
 __nf_conntrack_confirm+0x1b94/0x1d50 net/netfilter/nf_conntrack_core.c:1284
 nf_conntrack_confirm include/net/netfilter/nf_conntrack_core.h:62 [inline]
 nf_confirm+0x38b/0x520 net/netfilter/nf_conntrack_proto.c:154
 nf_hook_entry_hookfn include/linux/netfilter.h:142 [inline]
 nf_hook_slow+0xae/0x1e0 net/netfilter/core.c:620
 nf_hook+0x26e/0x3d0 include/linux/netfilter.h:262
 NF_HOOK_COND include/linux/netfilter.h:295 [inline]
 ip_output+0x1ed/0x2c0 net/ipv4/ip_output.c:430
 dst_output include/net/dst.h:451 [inline]
 ip_local_out net/ipv4/ip_output.c:126 [inline]
 ip_send_skb+0x113/0x1a0 net/ipv4/ip_output.c:1571
 udp_send_skb+0x8f7/0x11e0 net/ipv4/udp.c:967
 udp_sendmsg+0x1d30/0x2b00 net/ipv4/udp.c:1254
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg net/socket.c:734 [inline]
 kernel_sendmsg+0xf5/0x130 net/socket.c:754
 rxrpc_send_abort_packet+0x5a7/0xa00 net/rxrpc/output.c:334
 rxrpc_release_calls_on_socket+0x2ee/0x390 net/rxrpc/call_object.c:608
 rxrpc_release_sock net/rxrpc/af_rxrpc.c:886 [inline]
 rxrpc_release+0x262/0x430 net/rxrpc/af_rxrpc.c:917
 __sock_release net/socket.c:650 [inline]
 sock_close+0xd7/0x260 net/socket.c:1365
 __fput+0x3b9/0x820 fs/file_table.c:317
 task_work_run+0x146/0x1c0 kernel/task_work.c:177
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0x134/0x160 kernel/entry/common.c:169
 exit_to_user_mode_prepare+0xad/0x110 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x2e/0x60 kernel/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Last potentially related work creation:
 kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:348
 kvfree_call_rcu+0x118/0x840 kernel/rcu/tree.c:3647
 tipc_nametbl_unsubscribe+0x39a/0x3e0 net/tipc/name_table.c:878
 tipc_sub_unsubscribe+0x24/0x1f0 net/tipc/subscr.c:178
 tipc_conn_delete_sub+0x16b/0x1a0 net/tipc/topsrv.c:237
 tipc_conn_send_to_sock net/tipc/topsrv.c:265 [inline]
 tipc_conn_send_work+0x285/0x9e0 net/tipc/topsrv.c:303
 process_one_work+0x81c/0xd10 kernel/workqueue.c:2289
 worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
 kthread+0x266/0x300 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30

Second to last potentially related work creation:
 kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:348
 kvfree_call_rcu+0x118/0x840 kernel/rcu/tree.c:3647
 __hw_addr_del_entry net/core/dev_addr_lists.c:161 [inline]
 __hw_addr_del_ex net/core/dev_addr_lists.c:200 [inline]
 __dev_mc_del+0x376/0x450 net/core/dev_addr_lists.c:908
 igmp6_group_dropped+0x1a9/0xc50 net/ipv6/mcast.c:715
 ipv6_mc_down+0x88/0x450 net/ipv6/mcast.c:2717
 ipv6_mc_destroy_dev+0x28/0x6b0 net/ipv6/mcast.c:2786
 addrconf_ifdown+0x1740/0x1bc0 net/ipv6/addrconf.c:3893
 addrconf_notify+0x403/0xf80
 notifier_call_chain kernel/notifier.c:87 [inline]
 raw_notifier_call_chain+0xe7/0x170 kernel/notifier.c:455
 call_netdevice_notifiers_info net/core/dev.c:1943 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:1981 [inline]
 call_netdevice_notifiers net/core/dev.c:1995 [inline]
 unregister_netdevice_many+0xeee/0x1950 net/core/dev.c:10834
 ip_tunnel_delete_nets+0x325/0x370 net/ipv4/ip_tunnel.c:1124
 ops_exit_list net/core/net_namespace.c:167 [inline]
 cleanup_net+0x80c/0xc50 net/core/net_namespace.c:594
 process_one_work+0x81c/0xd10 kernel/workqueue.c:2289
 worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
 kthread+0x266/0x300 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30

The buggy address belongs to the object at ffff88801c46f500
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 4 bytes inside of
 128-byte region [ffff88801c46f500, ffff88801c46f580)

The buggy address belongs to the physical page:
page:ffffea0000711bc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c46f
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 0000000000000000 dead000000000001 ffff8880114418c0
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 3903, tgid 3901 (syz-executor.0), ts 140571414672, free_ts 140571355336
 prep_new_page mm/page_alloc.c:2456 [inline]
 get_page_from_freelist+0x72b/0x7a0 mm/page_alloc.c:4198
 __alloc_pages+0x259/0x560 mm/page_alloc.c:5426
 alloc_slab_page+0x70/0xf0 mm/slub.c:1797
 allocate_slab+0x5e/0x520 mm/slub.c:1942
 new_slab mm/slub.c:2002 [inline]
 ___slab_alloc+0x41e/0xcd0 mm/slub.c:3002
 __slab_alloc mm/slub.c:3089 [inline]
 slab_alloc_node mm/slub.c:3180 [inline]
 slab_alloc mm/slub.c:3222 [inline]
 kmem_cache_alloc_trace+0x25c/0x310 mm/slub.c:3253
 kmalloc include/linux/slab.h:600 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 do_check_common+0xd6/0x16d0 kernel/bpf/verifier.c:14337
 do_check_main kernel/bpf/verifier.c:14453 [inline]
 bpf_check+0x2c8e/0x13b70 kernel/bpf/verifier.c:15022
 bpf_prog_load+0x1288/0x1b80 kernel/bpf/syscall.c:2575
 __sys_bpf+0x3d3/0x6c0 kernel/bpf/syscall.c:4917
 __do_sys_bpf kernel/bpf/syscall.c:5021 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5019 [inline]
 __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:5019
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1371 [inline]
 free_pcp_prepare+0x812/0x900 mm/page_alloc.c:1421
 free_unref_page_prepare mm/page_alloc.c:3343 [inline]
 free_unref_page+0x7d/0x390 mm/page_alloc.c:3438
 __vunmap+0x867/0x9d0 mm/vmalloc.c:2665
 bpf_prog_calc_tag+0x727/0xa00 kernel/bpf/core.c:337
 resolve_pseudo_ldimm64+0xe1/0x1270 kernel/bpf/verifier.c:12624
 bpf_check+0x2606/0x13b70 kernel/bpf/verifier.c:15007
 bpf_prog_load+0x1288/0x1b80 kernel/bpf/syscall.c:2575
 __sys_bpf+0x3d3/0x6c0 kernel/bpf/syscall.c:4917
 __do_sys_bpf kernel/bpf/syscall.c:5021 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5019 [inline]
 __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:5019
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Memory state around the buggy address:
 ffff88801c46f400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801c46f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88801c46f500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88801c46f580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801c46f600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================