================================================================================
UBSAN: array-index-out-of-bounds in net/netfilter/nfnetlink.c:697:28
index 19 is out of range for type 'int [10]'
CPU: 1 PID: 12595 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-11972-gd1dc87763f40 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x1e0/0x270 arch/arm64/kernel/stacktrace.c:198
 show_stack+0x18/0x70 arch/arm64/kernel/stacktrace.c:205
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x9c/0xd8 lib/dump_stack.c:106
 dump_stack+0x1c/0x38 lib/dump_stack.c:113
 ubsan_epilogue+0x10/0x50 lib/ubsan.c:151
 __ubsan_handle_out_of_bounds+0x80/0x90 lib/ubsan.c:283
 nfnetlink_unbind+0x2bc/0x300 net/netfilter/nfnetlink.c:697
 netlink_release+0x5b0/0x1430 net/netlink/af_netlink.c:773
 __sock_release+0xa0/0x214 net/socket.c:650
 sock_close+0x18/0x2c net/socket.c:1365
 __fput+0x19c/0x730 fs/file_table.c:317
 ____fput+0x10/0x20 fs/file_table.c:350
 task_work_run+0xd0/0x240 kernel/task_work.c:177
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 do_notify_resume+0x1308/0x2a80 arch/arm64/kernel/signal.c:1113
 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
 el0_svc_compat+0x190/0x210 arch/arm64/kernel/entry-common.c:761
 el0t_32_sync_handler+0x90/0x140 arch/arm64/kernel/entry-common.c:770
 el0t_32_sync+0x190/0x194 arch/arm64/kernel/entry.S:586
================================================================================
==================================================================
BUG: KASAN: global-out-of-bounds in nfnetlink_unbind+0x2a0/0x300 net/netfilter/nfnetlink.c:697
Read of size 4 at addr ffff80000d49376c by task syz-executor.1/12595

CPU: 1 PID: 12595 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-11972-gd1dc87763f40 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x1e0/0x270 arch/arm64/kernel/stacktrace.c:198
 show_stack+0x18/0x70 arch/arm64/kernel/stacktrace.c:205
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x9c/0xd8 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:313 [inline]
 print_report+0x148/0x6e0 mm/kasan/report.c:429
 kasan_report+0xb4/0xf0 mm/kasan/report.c:491
 __asan_report_load4_noabort+0x34/0x60 mm/kasan/report_generic.c:306
 nfnetlink_unbind+0x2a0/0x300 net/netfilter/nfnetlink.c:697
 netlink_release+0x5b0/0x1430 net/netlink/af_netlink.c:773
 __sock_release+0xa0/0x214 net/socket.c:650
 sock_close+0x18/0x2c net/socket.c:1365
 __fput+0x19c/0x730 fs/file_table.c:317
 ____fput+0x10/0x20 fs/file_table.c:350
 task_work_run+0xd0/0x240 kernel/task_work.c:177
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 do_notify_resume+0x1308/0x2a80 arch/arm64/kernel/signal.c:1113
 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
 el0_svc_compat+0x190/0x210 arch/arm64/kernel/entry-common.c:761
 el0t_32_sync_handler+0x90/0x140 arch/arm64/kernel/entry-common.c:770
 el0t_32_sync+0x190/0x194 arch/arm64/kernel/entry.S:586

The buggy address belongs to the variable:
 nfnl_group2type+0x4c/0x60

The buggy address belongs to the virtual mapping at
 [ffff80000c8a0000, ffff80000dc10000) created by:
 map_kernel arch/arm64/mm/mmu.c:726 [inline]
 paging_init+0x284/0x870 arch/arm64/mm/mmu.c:769

The buggy address belongs to the physical page:
page:00000000154e3dda refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x45693
flags: 0x1ffc00000001000(reserved|node=0|zone=0|lastcpupid=0x7ff)
raw: 01ffc00000001000 fffffc000015a4c8 fffffc000015a4c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff80000d493600: 00 00 00 03 f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9
 ffff80000d493680: 00 00 00 00 00 01 f9 f9 f9 f9 f9 f9 00 00 06 f9
>ffff80000d493700: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
                                                          ^
 ffff80000d493780: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
 ffff80000d493800: f9 f9 f9 f9 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9
==================================================================