================================================================================
UBSAN: array-index-out-of-bounds in net/netfilter/nfnetlink.c:697:28
index 21 is out of range for type 'int [10]'
CPU: 1 PID: 5262 Comm: syz-executor.0 Not tainted 5.18.0-syzkaller-11972-gd1dc87763f40 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x1e0/0x270 arch/arm64/kernel/stacktrace.c:198
 show_stack+0x18/0x70 arch/arm64/kernel/stacktrace.c:205
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x9c/0xd8 lib/dump_stack.c:106
 dump_stack+0x1c/0x38 lib/dump_stack.c:113
 ubsan_epilogue+0x10/0x50 lib/ubsan.c:151
 __ubsan_handle_out_of_bounds+0x80/0x90 lib/ubsan.c:283
 nfnetlink_unbind+0x2bc/0x300 net/netfilter/nfnetlink.c:697
 netlink_setsockopt+0x648/0xc10 net/netlink/af_netlink.c:1661
 __sys_setsockopt+0x150/0x3f0 net/socket.c:2259
 __do_sys_setsockopt net/socket.c:2270 [inline]
 __se_sys_setsockopt net/socket.c:2267 [inline]
 __arm64_sys_setsockopt+0xa4/0x100 net/socket.c:2267
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x6c/0x260 arch/arm64/kernel/syscall.c:52
 el0_svc_common.constprop.0+0xc4/0x254 arch/arm64/kernel/syscall.c:142
 do_el0_svc_compat+0x40/0x80 arch/arm64/kernel/syscall.c:212
 el0_svc_compat+0x70/0x210 arch/arm64/kernel/entry-common.c:760
 el0t_32_sync_handler+0x90/0x140 arch/arm64/kernel/entry-common.c:770
 el0t_32_sync+0x190/0x194 arch/arm64/kernel/entry.S:586
================================================================================
==================================================================
BUG: KASAN: global-out-of-bounds in nfnetlink_unbind+0x2a0/0x300 net/netfilter/nfnetlink.c:697
Read of size 4 at addr ffff80000d493774 by task syz-executor.0/5262

CPU: 1 PID: 5262 Comm: syz-executor.0 Not tainted 5.18.0-syzkaller-11972-gd1dc87763f40 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x1e0/0x270 arch/arm64/kernel/stacktrace.c:198
 show_stack+0x18/0x70 arch/arm64/kernel/stacktrace.c:205
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x9c/0xd8 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:313 [inline]
 print_report+0x148/0x6e0 mm/kasan/report.c:429
 kasan_report+0xb4/0xf0 mm/kasan/report.c:491
 __asan_report_load4_noabort+0x34/0x60 mm/kasan/report_generic.c:306
 nfnetlink_unbind+0x2a0/0x300 net/netfilter/nfnetlink.c:697
 netlink_setsockopt+0x648/0xc10 net/netlink/af_netlink.c:1661
 __sys_setsockopt+0x150/0x3f0 net/socket.c:2259
 __do_sys_setsockopt net/socket.c:2270 [inline]
 __se_sys_setsockopt net/socket.c:2267 [inline]
 __arm64_sys_setsockopt+0xa4/0x100 net/socket.c:2267
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x6c/0x260 arch/arm64/kernel/syscall.c:52
 el0_svc_common.constprop.0+0xc4/0x254 arch/arm64/kernel/syscall.c:142
 do_el0_svc_compat+0x40/0x80 arch/arm64/kernel/syscall.c:212
 el0_svc_compat+0x70/0x210 arch/arm64/kernel/entry-common.c:760
 el0t_32_sync_handler+0x90/0x140 arch/arm64/kernel/entry-common.c:770
 el0t_32_sync+0x190/0x194 arch/arm64/kernel/entry.S:586

The buggy address belongs to the variable:
 nfnl_group2type+0x54/0x60

The buggy address belongs to the virtual mapping at
 [ffff80000c8a0000, ffff80000dc10000) created by:
 map_kernel arch/arm64/mm/mmu.c:726 [inline]
 paging_init+0x284/0x870 arch/arm64/mm/mmu.c:769

The buggy address belongs to the physical page:
page:00000000bb8e759c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x45693
flags: 0x1ffc00000001000(reserved|node=0|zone=0|lastcpupid=0x7ff)
raw: 01ffc00000001000 fffffc000015a4c8 fffffc000015a4c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff80000d493600: 00 00 00 03 f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9
 ffff80000d493680: 00 00 00 00 00 01 f9 f9 f9 f9 f9 f9 00 00 06 f9
>ffff80000d493700: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
                                                             ^
 ffff80000d493780: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
 ffff80000d493800: f9 f9 f9 f9 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9
==================================================================
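What the two reports above establish, read together: nfnetlink_unbind() at net/netfilter/nfnetlink.c:697 indexes the 10-entry global int array nfnl_group2type[] with a multicast group id of 21, the id arrives from user space through netlink_setsockopt(), and KASAN places the 4-byte read at nfnl_group2type+0x54, which is exactly 21 * sizeof(int) past the start of the table (the five 00 shadow bytes in the guilty row are the 40-byte table; the f9 bytes around it are global redzone). The C below is an added user-space illustration written for this page; it is not code from the syzkaller report, not the kernel's nfnetlink.c, and not the upstream fix. It models the table and the two callbacks behind the trace, shows the unchecked lookup beside a range-checked one, and carries a minimal setsockopt() call for the path the trace names. Assumptions: the NFNLGRP_* and NFNL_SUBSYS_* values are taken from the uapi headers of the 5.18 era (NFNLGRP_MAX == 9 gives the 'int [10]' in the UBSAN line); the function names, the -1 "no subsystem" return and the `trigger` argument are this example's own conventions.

```c
/* Added illustration of the nfnetlink_unbind OOB report; constructed for this
 * page, not kernel code and not the upstream fix. Group/subsystem values are
 * assumed from the uapi headers; everything else is this example's own. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#if defined(__linux__) && __has_include(<linux/netlink.h>)
#include <linux/netlink.h>      /* NETLINK_NETFILTER, NETLINK_DROP_MEMBERSHIP, SOL_NETLINK */
#define HAVE_NETLINK_H 1
#endif

/* Multicast group ids (assumed from uapi). NFNLGRP_MAX is 9, so the table
 * below has 10 slots, matching "int [10]" in the UBSAN line. */
enum nfnetlink_groups {
	NFNLGRP_NONE, NFNLGRP_CONNTRACK_NEW, NFNLGRP_CONNTRACK_UPDATE,
	NFNLGRP_CONNTRACK_DESTROY, NFNLGRP_CONNTRACK_EXP_NEW,
	NFNLGRP_CONNTRACK_EXP_UPDATE, NFNLGRP_CONNTRACK_EXP_DESTROY,
	NFNLGRP_NFTABLES, NFNLGRP_ACCT_QUOTA, NFNLGRP_NFTRACE, __NFNLGRP_MAX,
};
#define NFNLGRP_MAX (__NFNLGRP_MAX - 1)

/* Subsystem ids the groups map to (assumed from uapi). */
#define NFNL_SUBSYS_CTNETLINK     1
#define NFNL_SUBSYS_CTNETLINK_EXP 2
#define NFNL_SUBSYS_ACCT          7
#define NFNL_SUBSYS_NFTABLES      10

/* Model of the 40-byte global table KASAN names in the report. */
static const int nfnl_group2type[NFNLGRP_MAX + 1] = {
	[NFNLGRP_CONNTRACK_NEW]         = NFNL_SUBSYS_CTNETLINK,
	[NFNLGRP_CONNTRACK_UPDATE]      = NFNL_SUBSYS_CTNETLINK,
	[NFNLGRP_CONNTRACK_DESTROY]     = NFNL_SUBSYS_CTNETLINK,
	[NFNLGRP_CONNTRACK_EXP_NEW]     = NFNL_SUBSYS_CTNETLINK_EXP,
	[NFNLGRP_CONNTRACK_EXP_UPDATE]  = NFNL_SUBSYS_CTNETLINK_EXP,
	[NFNLGRP_CONNTRACK_EXP_DESTROY] = NFNL_SUBSYS_CTNETLINK_EXP,
	[NFNLGRP_NFTABLES]              = NFNL_SUBSYS_NFTABLES,
	[NFNLGRP_ACCT_QUOTA]            = NFNL_SUBSYS_ACCT,
	[NFNLGRP_NFTRACE]               = NFNL_SUBSYS_NFTABLES,
};

/* Byte offset into the table for a group id: group * sizeof(int).
 * For 21 this is 0x54, the "+0x54" in "nfnl_group2type+0x54/0x60". */
size_t group_table_offset(int group)
{
	return (size_t)group * sizeof(nfnl_group2type[0]);
}

/* True iff group is a valid index into nfnl_group2type[]. */
int nfnl_group_in_range(int group)
{
	return group > NFNLGRP_NONE && group <= NFNLGRP_MAX;
}

/* The pattern the trace shows: table indexed straight from the user-supplied
 * id. With group == 21 this is the report's out-of-bounds read (undefined
 * behaviour here as in the kernel); shown only for contrast, never call it
 * with an unchecked id. */
int model_unbind_unchecked(int group)
{
	return nfnl_group2type[group];
}

/* Hardened form: refuse ids outside 1..NFNLGRP_MAX before touching the
 * table. Returns the subsystem id, or -1 for "no subsystem" (own convention;
 * whether this matches the upstream fix is not something the report shows). */
int model_unbind_checked(int group)
{
	if (!nfnl_group_in_range(group))
		return -1;
	return nfnl_group2type[group];
}

#ifdef HAVE_NETLINK_H
/* The syscall path in both call traces: NETLINK_DROP_MEMBERSHIP on a
 * NETLINK_NETFILTER socket. Returns 0 or -errno. Only run it against a
 * KASAN/UBSAN test kernel you expect to be affected; elsewhere it is a no-op
 * (or fails with EPERM/EPROTONOSUPPORT in a sandbox). */
int drop_membership(int group)
{
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);
	int err = 0;

	if (fd < 0)
		return -errno;
	if (setsockopt(fd, SOL_NETLINK, NETLINK_DROP_MEMBERSHIP,
		       &group, sizeof(group)) < 0)
		err = -errno;
	close(fd);
	return err;
}
#endif

int main(int argc, char **argv)
{
	int group = 21;

	printf("table slots: %zu, offset for group %d: 0x%zx, in range: %d\n",
	       sizeof(nfnl_group2type) / sizeof(nfnl_group2type[0]), group,
	       group_table_offset(group), nfnl_group_in_range(group));
	printf("checked unbind(%d) -> %d\n", group, model_unbind_checked(group));
#ifdef HAVE_NETLINK_H
	if (argc > 1 && strcmp(argv[1], "trigger") == 0) {
		int err = drop_membership(group);
		printf("setsockopt(NETLINK_DROP_MEMBERSHIP, %d): %s\n", group,
		       err ? strerror(-err) : "ok");
	}
#endif
	return 0;
}
```

Build with `cc -Wall -fsanitize=undefined` and run without arguments to see the offset arithmetic and the checked lookup reject 21; pass `trigger` only inside a disposable VM running a sanitizer kernel at the reported revision, where a successful setsockopt() is what produces the two splats above.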