==================================================================
BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
BUG: KASAN: slab-use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline]
BUG: KASAN: slab-use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline]
BUG: KASAN: slab-use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672
Read of size 4 at addr ffff88805e32e008 by task kworker/1:2/1203
CPU: 1 UID: 0 PID: 1203 Comm: kworker/1:2 Not tainted 6.13.0-rc5-syzkaller-gccb98ccef0e5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events_power_efficient gc_worker
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
rht_key_hashfn include/linux/rhashtable.h:159 [inline]
__rhashtable_lookup include/linux/rhashtable.h:604 [inline]
rhashtable_lookup include/linux/rhashtable.h:646 [inline]
rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672
ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline]
ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]
ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:185
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
nf_hook include/linux/netfilter.h:269 [inline]
NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312
__netif_receive_skb_one_core net/core/dev.c:5672 [inline]
__netif_receive_skb+0x1ea/0x650 net/core/dev.c:5785
process_backlog+0x662/0x15b0 net/core/dev.c:6117
__napi_poll+0xcb/0x490 net/core/dev.c:6883
napi_poll net/core/dev.c:6952 [inline]
net_rx_action+0x89b/0x1240 net/core/dev.c:7074
handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
__do_softirq kernel/softirq.c:595 [inline]
invoke_softirq kernel/softirq.c:435 [inline]
__irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662
irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline]
sysvec_call_function_single+0xa3/0xc0 arch/x86/kernel/smp.c:266
asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709
RIP: 0010:__rcu_read_unlock+0x7/0x110 kernel/rcu/tree_plugin.h:430
Code: 80 c1 03 38 c1 7c aa 4c 89 ff e8 34 eb 7f 00 eb a0 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 41 57 <41> 56 41 55 41 54 53 49 bc 00 00 00 00 00 fc ff df 65 4c 8b 34 25
RSP: 0018:ffffc9000411fa48 EFLAGS: 00000246
RAX: 9d6c84cc36532e00 RBX: ffffffff89e068cb RCX: ffffffff817ad6a0
RDX: 0000000000000000 RSI: ffffffff8c5fb0c0 RDI: ffffffff8c5fb080
RBP: ffffc9000411fbb0 R08: ffffffff90197e77 R09: 1ffffffff2032fce
R10: dffffc0000000000 R11: fffffbfff2032fcf R12: 0000000000040000
R13: dffffc0000000000 R14: ffffffff9a78b1c0 R15: 000000000000040d
rcu_read_unlock include/linux/rcupdate.h:882 [inline]
gc_worker+0xdcd/0x1530 net/netfilter/nf_conntrack_core.c:1609
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Allocated by task 5883:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4298 [inline]
__kmalloc_node_noprof+0x290/0x4d0 mm/slub.c:4304
__kvmalloc_node_noprof+0x72/0x190 mm/util.c:650
bucket_table_alloc lib/rhashtable.c:186 [inline]
rhashtable_rehash_alloc+0x9e/0x290 lib/rhashtable.c:367
rhashtable_shrink lib/rhashtable.c:411 [inline]
rht_deferred_worker+0x2075/0x23f0 lib/rhashtable.c:429
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Freed by task 1336:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2353 [inline]
slab_free mm/slub.c:4613 [inline]
kfree+0x196/0x430 mm/slub.c:4761
rhashtable_free_and_destroy+0x7c6/0x920 lib/rhashtable.c:1169
ila_xlat_exit_net+0x4f/0xa0 net/ipv6/ila/ila_xlat.c:630
ops_exit_list net/core/net_namespace.c:172 [inline]
cleanup_net+0x802/0xd50 net/core/net_namespace.c:648
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
The buggy address belongs to the object at ffff88805e32e000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 8 bytes inside of
freed 4096-byte region [ffff88805e32e000, ffff88805e32f000)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5e328
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801ac42140 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801ac42140 0000000000000000 dead000000000001
head: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea000178ca01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1336, tgid 1336 (kworker/u8:6), ts 62809769592, free_ts 62210091411
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1558
prep_new_page mm/page_alloc.c:1566 [inline]
get_page_from_freelist+0x365c/0x37a0 mm/page_alloc.c:3476
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4753
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2269
alloc_slab_page+0x6a/0x110 mm/slub.c:2423
allocate_slab+0x5a/0x2b0 mm/slub.c:2589
new_slab mm/slub.c:2642 [inline]
___slab_alloc+0xc27/0x14a0 mm/slub.c:3830
__slab_alloc+0x58/0xa0 mm/slub.c:3920
__slab_alloc_node mm/slub.c:3995 [inline]
slab_alloc_node mm/slub.c:4156 [inline]
__do_kmalloc_node mm/slub.c:4297 [inline]
__kmalloc_node_track_caller_noprof+0x2e9/0x4c0 mm/slub.c:4317
kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:609
__alloc_skb+0x1f3/0x440 net/core/skbuff.c:678
alloc_skb include/linux/skbuff.h:1323 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:748 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline]
nsim_dev_trap_report_work+0x261/0xb50 drivers/net/netdevsim/dev.c:851
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
page last free pid 5999 tgid 5998 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
__free_pages_ok+0xbda/0xe60 mm/page_alloc.c:1271
__folio_put+0x2b3/0x360 mm/swap.c:112
folio_put include/linux/mm.h:1489 [inline]
free_large_kmalloc+0xfe/0x180 mm/slub.c:4732
kfree+0x212/0x430 mm/slub.c:4755
skb_kfree_head net/core/skbuff.c:1086 [inline]
skb_free_head net/core/skbuff.c:1098 [inline]
pskb_expand_head+0x4fc/0x1380 net/core/skbuff.c:2307
__skb_cow include/linux/skbuff.h:3740 [inline]
skb_cow include/linux/skbuff.h:3759 [inline]
__bpf_skb_change_head+0x239/0x500 net/core/filter.c:3856
____bpf_skb_change_head net/core/filter.c:3879 [inline]
bpf_skb_change_head+0x33/0x1b0 net/core/filter.c:3876
0xffffffffa000092e
bpf_dispatcher_nop_func include/linux/bpf.h:1290 [inline]
__bpf_prog_run include/linux/filter.h:701 [inline]
bpf_prog_run include/linux/filter.h:708 [inline]
bpf_test_run+0x4f0/0xa90 net/bpf/test_run.c:434
bpf_prog_test_run_skb+0xca2/0x1820 net/bpf/test_run.c:1095
bpf_prog_test_run+0x2e4/0x360 kernel/bpf/syscall.c:4402
__sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5808
__do_sys_bpf kernel/bpf/syscall.c:5897 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5895 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5895
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
 ffff88805e32df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88805e32df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88805e32e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88805e32e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88805e32e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
0: 80 c1 03 add $0x3,%cl
3: 38 c1 cmp %al,%cl
5: 7c aa jl 0xffffffb1
7: 4c 89 ff mov %r15,%rdi
a: e8 34 eb 7f 00 call 0x7feb43
f: eb a0 jmp 0xffffffb1
11: 66 90 xchg %ax,%ax
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: 90 nop
18: 90 nop
19: 90 nop
1a: 90 nop
1b: 90 nop
1c: 90 nop
1d: 90 nop
1e: 90 nop
1f: 90 nop
20: 90 nop
21: 90 nop
22: 90 nop
23: f3 0f 1e fa endbr64
27: 55 push %rbp
28: 41 57 push %r15
* 2a: 41 56 push %r14 <-- trapping instruction
2c: 41 55 push %r13
2e: 41 54 push %r12
30: 53 push %rbx
31: 49 bc 00 00 00 00 00 movabs $0xdffffc0000000000,%r12
38: fc ff df
3b: 65 gs
3c: 4c rex.WR
3d: 8b .byte 0x8b
3e: 34 25 xor $0x25,%al