------------[ cut here ]------------
hook not found, pf 3 num 0
WARNING: CPU: 0 PID: 2349 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x17c/0x4f0 net/netfilter/core.c:480
Modules linked in:
CPU: 0 PID: 2349 Comm: kworker/u4:8 Not tainted 5.12.0-syzkaller-13670-g5e321ded302d #0
Hardware name: linux,dummy-virt (DT)
Workqueue: netns cleanup_net
pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
pc : __nf_unregister_net_hook+0x17c/0x4f0 net/netfilter/core.c:480
lr : __nf_unregister_net_hook+0x17c/0x4f0 net/netfilter/core.c:480
sp : ffff80001db679e0
x29: ffff80001db679e0 x28: 0000000000000003 
x27: 0000000000000001 x26: ffff00000a740f10 
x25: 0000000000000007 x24: ffff0000141a801c 
x23: ffff80001711f9a0 x22: ffff00000a740000 
x21: 0000000000000001 x20: ffff00000ac9b820 
x19: ffff0000141a8000 x18: ffff00006ab03b48 
x17: 0000000000000000 x16: 0000000000000000 
x15: ffff00006ab03b7c x14: 1ffff00003b6ce6a 
x13: 0000000000000001 x12: ffff60000d560784 
x11: 1fffe0000d560783 x10: ffff60000d560783 
x9 : dfff800000000000 x8 : ffff00006ab03c1b 
x7 : 0000000000000001 x6 : 00009ffff2a9f87d 
x5 : ffff00006ab03c18 x4 : 1fffe0000155e691 
x3 : dfff800000000000 x2 : 0000000000000000 
x1 : 0000000000000000 x0 : ffff00000aaf3480 
Call trace:
 __nf_unregister_net_hook+0x17c/0x4f0 net/netfilter/core.c:480
 nf_unregister_net_hook net/netfilter/core.c:502 [inline]
 nf_unregister_net_hooks+0xd4/0x120 net/netfilter/core.c:576
 arpt_unregister_table_pre_exit+0x6c/0x8c net/ipv4/netfilter/arp_tables.c:1565
 arptable_filter_net_pre_exit+0x20/0x2c net/ipv4/netfilter/arptable_filter.c:57
 ops_pre_exit_list net/core/net_namespace.c:165 [inline]
 cleanup_net+0x328/0x820 net/core/net_namespace.c:583
 process_one_work+0x798/0x1764 kernel/workqueue.c:2275
 worker_thread+0x3d4/0xcd0 kernel/workqueue.c:2421
 kthread+0x320/0x3bc kernel/kthread.c:313
 ret_from_fork+0x10/0x3c arch/arm64/kernel/entry.S:1006
irq event stamp: 42600
hardirqs last  enabled at (42599): [<ffff8000102aaaa8>] console_unlock+0x7f8/0xbf4 kernel/printk/printk.c:2668
hardirqs last disabled at (42600): [<ffff800014483114>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:241
softirqs last  enabled at (42338): [<ffff8000100109e0>] _stext+0x9e0/0x1084
softirqs last disabled at (42269): [<ffff80001015dfd4>] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
softirqs last disabled at (42269): [<ffff80001015dfd4>] invoke_softirq kernel/softirq.c:440 [inline]
softirqs last disabled at (42269): [<ffff80001015dfd4>] __irq_exit_rcu+0x494/0x550 kernel/softirq.c:637
---[ end trace 40e17dd1c3929428 ]---
netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
device hsr_slave_0 left promiscuous mode
device hsr_slave_1 left promiscuous mode
device veth1_macvtap left promiscuous mode
device veth0_macvtap left promiscuous mode
device veth1_vlan left promiscuous mode
device veth0_vlan left promiscuous mode
bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
bond0 (unregistering): Released all slaves
==================================================================
BUG: KASAN: use-after-free in hooks_validate+0x164/0x1ac net/netfilter/core.c:177
Read of size 4 at addr ffff00000ac9b748 by task kworker/u4:8/2349

CPU: 0 PID: 2349 Comm: kworker/u4:8 Tainted: G        W         5.12.0-syzkaller-13670-g5e321ded302d #0
Hardware name: linux,dummy-virt (DT)
Workqueue: netns cleanup_net
Call trace:
 ptrauth_strip_insn_pac arch/arm64/include/asm/pointer_auth.h:95 [inline]
 dump_backtrace+0x0/0x3e0 arch/arm64/kernel/stacktrace.c:133
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:215
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x120/0x1a8 lib/dump_stack.c:120
 print_address_description.constprop.0+0x2c/0x300 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report+0x1ec/0x200 mm/kasan/report.c:436
 __asan_report_load4_noabort+0x34/0x60 mm/kasan/report_generic.c:308
 hooks_validate+0x164/0x1ac net/netfilter/core.c:177
 __nf_hook_entries_try_shrink+0x1d4/0x2c4 net/netfilter/core.c:260
 __nf_unregister_net_hook+0x240/0x4f0 net/netfilter/core.c:483
 nf_unregister_net_hook+0xb8/0x100 net/netfilter/core.c:502
 clusterip_net_exit+0x13c/0x204 net/ipv4/netfilter/ipt_CLUSTERIP.c:853
 ops_exit_list+0x78/0x124 net/core/net_namespace.c:175
 cleanup_net+0x3a4/0x820 net/core/net_namespace.c:595
 process_one_work+0x798/0x1764 kernel/workqueue.c:2275
 worker_thread+0x3d4/0xcd0 kernel/workqueue.c:2421
 kthread+0x320/0x3bc kernel/kthread.c:313
 ret_from_fork+0x10/0x3c arch/arm64/kernel/entry.S:1006

Allocated by task 0:
(stack is not available)

Freed by task 2349:
 kasan_save_stack+0x28/0x60 mm/kasan/common.c:38
 kasan_set_track+0x28/0x40 mm/kasan/common.c:46
 kasan_set_free_info+0x28/0x50 mm/kasan/generic.c:357
 ____kasan_slab_free mm/kasan/common.c:360 [inline]
 ____kasan_slab_free mm/kasan/common.c:325 [inline]
 __kasan_slab_free+0xfc/0x150 mm/kasan/common.c:368
 kasan_slab_free include/linux/kasan.h:212 [inline]
 slab_free_hook mm/slub.c:1581 [inline]
 slab_free_freelist_hook+0x140/0x264 mm/slub.c:1606
 slab_free mm/slub.c:3166 [inline]
 kfree+0x154/0x7d0 mm/slub.c:4225
 xt_unregister_table+0x1cc/0x2ec net/netfilter/x_tables.c:1501
 __arpt_unregister_table+0x44/0x1b4 net/ipv4/netfilter/arp_tables.c:1488
 arpt_unregister_table+0x30/0x40 net/ipv4/netfilter/arp_tables.c:1574
 arptable_filter_net_exit+0x18/0x24 net/ipv4/netfilter/arptable_filter.c:62
 ops_exit_list+0x78/0x124 net/core/net_namespace.c:175
 cleanup_net+0x3a4/0x820 net/core/net_namespace.c:595
 process_one_work+0x798/0x1764 kernel/workqueue.c:2275
 worker_thread+0x3d4/0xcd0 kernel/workqueue.c:2421
 kthread+0x320/0x3bc kernel/kthread.c:313
 ret_from_fork+0x10/0x3c arch/arm64/kernel/entry.S:1006

The buggy address belongs to the object at ffff00000ac9b700
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 72 bytes inside of
 128-byte region [ffff00000ac9b700, ffff00000ac9b780)
The buggy address belongs to the page:
page:000000001be8bdf3 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ac9b
flags: 0x1ffc00000000200(slab|node=0|zone=0|lastcpupid=0x7ff)
raw: 01ffc00000000200 dead000000000100 dead000000000122 ffff000008802300
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff00000ac9b600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff00000ac9b680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff00000ac9b700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff00000ac9b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff00000ac9b800: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
==================================================================