netlink: 'syz-executor154': attribute type 4 has an invalid length.
Unable to handle kernel paging request at virtual address dfff800000000003
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000003] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 6238 Comm: syz-executor154 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : nf_tproxy_laddr4+0xc8/0x368 net/ipv4/netfilter/nf_tproxy_ipv4.c:62
lr : __in_dev_get_rcu include/linux/inetdevice.h:235 [inline]
lr : nf_tproxy_laddr4+0xb8/0x368 net/ipv4/netfilter/nf_tproxy_ipv4.c:60
sp : ffff8000a0976870
x29: ffff8000a0976870 x28: ffff70001412ed2c x27: ffff0000ce925000
x26: ffff0000ce925010 x25: 0000000000000000 x24: 1fffe0001a927431
x23: dfff800000000000 x22: dfff800000000000 x21: 0000000000000000
x20: 0000000000000018 x19: 0000000000000000 x18: 000000000000004f
x17: ffff800080607a98 x16: ffff8000805519dc x15: 0000000000000002
x14: 0000000000000000 x13: 0000000000000011 x12: dfff800000000000
x11: 000000000a95da21 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 0000000000000003 x7 : ffff0000c4771ed0 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000004e20 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000001 x0 : 0000000000000000
Call trace:
 nf_tproxy_laddr4+0xc8/0x368 net/ipv4/netfilter/nf_tproxy_ipv4.c:62
 nft_tproxy_eval_v4 net/netfilter/nft_tproxy.c:56 [inline]
 nft_tproxy_eval+0x8e4/0x14b0 net/netfilter/nft_tproxy.c:168
 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
 nft_do_chain+0x408/0x1498 net/netfilter/nf_tables_core.c:288
 nft_do_chain_inet+0x31c/0x528 net/netfilter/nft_chain_filter.c:161
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow net/netfilter/core.c:626 [inline]
 nf_hook_slow_list+0x218/0x564 net/netfilter/core.c:665
 NF_HOOK_LIST include/linux/netfilter.h:350 [inline]
 ip_sublist_rcv+0xb38/0xc3c net/ipv4/ip_input.c:637
 ip_list_rcv+0x3ec/0x440 net/ipv4/ip_input.c:674
 __netif_receive_skb_list_ptype net/core/dev.c:5587 [inline]
 __netif_receive_skb_list_core+0x5cc/0x754 net/core/dev.c:5635
 __netif_receive_skb_list net/core/dev.c:5687 [inline]
 netif_receive_skb_list_internal+0x844/0xb34 net/core/dev.c:5779
 netif_receive_skb_list+0x64/0x660 net/core/dev.c:5831
 xdp_recv_frames net/bpf/test_run.c:278 [inline]
 xdp_test_run_batch net/bpf/test_run.c:356 [inline]
 bpf_test_run_xdp_live+0x14d0/0x1924 net/bpf/test_run.c:384
 bpf_prog_test_run_xdp+0x6a8/0xfc0 net/bpf/test_run.c:1267
 bpf_prog_test_run+0x2dc/0x364 kernel/bpf/syscall.c:4269
 __sys_bpf+0x314/0x5f0 kernel/bpf/syscall.c:5678
 __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]
 __arm64_sys_bpf+0x80/0x98 kernel/bpf/syscall.c:5765
 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
Code: 14000002 979476d5 910062b4 d343fe88 (38776908)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:   14000002        b       0x8
   4:   979476d5        bl      0xfffffffffe51db58
   8:   910062b4        add     x20, x21, #0x18
   c:   d343fe88        lsr     x8, x20, #3
* 10:   38776908        ldrb    w8, [x8, x23] <-- trapping instruction