------------[ cut here ]------------ hook not found, pf 3 num 0 WARNING: CPU: 1 PID: 29 at net/netfilter/core.c:480 __nf_unregister_net_hook+0xac/0x1d0 net/netfilter/core.c:480 Modules linked in: CPU: 1 PID: 29 Comm: kworker/u4:2 Not tainted 5.12.0-syzkaller-14380-g8404c9fbc84b #0 Hardware name: linux,dummy-virt (DT) Workqueue: netns cleanup_net pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--) pc : __nf_unregister_net_hook+0xac/0x1d0 net/netfilter/core.c:480 lr : __nf_unregister_net_hook+0xac/0x1d0 net/netfilter/core.c:480 sp : ffff800012bcbc80 x29: ffff800012bcbc80 x28: ffff80001294d508 x27: ffff800012749838 x26: ffff800012904240 x25: ffff8000129043c0 x24: f6ff000009693900 x23: f6ff0000063d09f0 x22: f6ff0000063d0000 x21: ffff80001290c390 x20: 0000000000000003 x19: f6ff0000055ca000 x18: 00000000fffffffe x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000020 x14: ffffffffffffffff x13: 00000000000002f9 x12: ffff800012bcb950 x11: ffff800012800da0 x10: ffff80001275cbe0 x9 : ffff8000127fc648 x8 : ffff80001274c648 x7 : ffff8000127fc648 x6 : fffffffffffcbd98 x5 : ffff00007fbd0948 x4 : 0000000000015ff5 x3 : 0000000000000001 x2 : 0000000000000000 x1 : 0000000000000000 x0 : f9ff00000312bd00 Call trace: __nf_unregister_net_hook+0xac/0x1d0 net/netfilter/core.c:480 nf_unregister_net_hook net/netfilter/core.c:502 [inline] nf_unregister_net_hooks+0x88/0xac net/netfilter/core.c:576 arpt_unregister_table_pre_exit+0x40/0x50 net/ipv4/netfilter/arp_tables.c:1565 arptable_filter_net_pre_exit+0x20/0x2c net/ipv4/netfilter/arptable_filter.c:57 ops_pre_exit_list net/core/net_namespace.c:165 [inline] cleanup_net+0x200/0x410 net/core/net_namespace.c:583 process_one_work+0x1d8/0x364 kernel/workqueue.c:2275 worker_thread+0x70/0x434 kernel/workqueue.c:2421 kthread+0x174/0x180 kernel/kthread.c:313 ret_from_fork+0x10/0x34 arch/arm64/kernel/entry.S:1006 ---[ end trace 2dc55d5eadab5e82 ]--- netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 device hsr_slave_0 left promiscuous mode device hsr_slave_1 left promiscuous mode device veth1_macvtap left promiscuous mode device veth0_macvtap left promiscuous mode device veth1_vlan left promiscuous mode device veth0_vlan left promiscuous mode bond0 (unregistering): (slave bond_slave_1): Releasing backup interface bond0 (unregistering): (slave bond_slave_0): Releasing backup interface bond0 (unregistering): Released all slaves ================================================================== BUG: KASAN: invalid-access in hooks_validate+0x38/0x7c net/netfilter/core.c:174 Read at addr f6ff000009693848 by task kworker/u4:2/29 Pointer tag: [f6], memory tag: [fe] CPU: 0 PID: 29 Comm: kworker/u4:2 Tainted: G W 5.12.0-syzkaller-14380-g8404c9fbc84b #0 Hardware name: linux,dummy-virt (DT) Workqueue: netns cleanup_net Call trace: dump_backtrace+0x0/0x1b0 arch/arm64/kernel/stacktrace.c:136 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:215 __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0xd0/0x12c lib/dump_stack.c:120 print_address_description+0x70/0x2ac mm/kasan/report.c:233 __kasan_report mm/kasan/report.c:419 [inline] kasan_report+0x134/0x380 mm/kasan/report.c:436 report_tag_fault arch/arm64/mm/fault.c:324 [inline] do_tag_recovery arch/arm64/mm/fault.c:336 [inline] __do_kernel_fault+0x1a8/0x1dc arch/arm64/mm/fault.c:378 do_bad_area arch/arm64/mm/fault.c:474 [inline] do_tag_check_fault+0x74/0x90 arch/arm64/mm/fault.c:745 do_mem_abort+0x44/0xbc arch/arm64/mm/fault.c:821 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:171 el1_sync_handler+0xac/0xd0 arch/arm64/kernel/entry-common.c:263 el1_sync+0x70/0x100 arch/arm64/kernel/entry.S:719 hooks_validate+0x38/0x7c net/netfilter/core.c:174 __nf_unregister_net_hook+0x114/0x1d0 net/netfilter/core.c:483 nf_unregister_net_hook+0x64/0x74 net/netfilter/core.c:502 clusterip_net_exit+0x60/0x7c net/ipv4/netfilter/ipt_CLUSTERIP.c:853 ops_exit_list+0x44/0x80 net/core/net_namespace.c:175 cleanup_net+0x23c/0x410 net/core/net_namespace.c:595 process_one_work+0x1d8/0x364 kernel/workqueue.c:2275 worker_thread+0x70/0x434 kernel/workqueue.c:2421 kthread+0x174/0x180 kernel/kthread.c:313 ret_from_fork+0x10/0x34 arch/arm64/kernel/entry.S:1006 Allocated by task 0: (stack is not available) Freed by task 29: kasan_save_stack+0x28/0x5c mm/kasan/common.c:38 kasan_set_track+0x28/0x40 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/hw_tags.c:226 ____kasan_slab_free.constprop.0+0x1dc/0x254 mm/kasan/common.c:360 __kasan_slab_free+0x10/0x1c mm/kasan/common.c:368 kasan_slab_free include/linux/kasan.h:212 [inline] slab_free_hook mm/slub.c:1581 [inline] slab_free_freelist_hook+0xc0/0x220 mm/slub.c:1606 slab_free mm/slub.c:3166 [inline] kfree+0x350/0x4c4 mm/slub.c:4225 xt_unregister_table+0x8c/0xcc net/netfilter/x_tables.c:1501 __arpt_unregister_table+0x2c/0xcc net/ipv4/netfilter/arp_tables.c:1488 arpt_unregister_table+0x30/0x40 net/ipv4/netfilter/arp_tables.c:1574 arptable_filter_net_exit+0x18/0x24 net/ipv4/netfilter/arptable_filter.c:62 ops_exit_list+0x44/0x80 net/core/net_namespace.c:175 cleanup_net+0x23c/0x410 net/core/net_namespace.c:595 process_one_work+0x1d8/0x364 kernel/workqueue.c:2275 worker_thread+0x70/0x434 kernel/workqueue.c:2421 kthread+0x174/0x180 kernel/kthread.c:313 ret_from_fork+0x10/0x34 arch/arm64/kernel/entry.S:1006 The buggy address belongs to the object at ffff000009693800 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 72 bytes inside of 128-byte region [ffff000009693800, ffff000009693880) The buggy address belongs to the page: page:00000000e0878cd4 refcount:1 mapcount:0 mapping:0000000000000000 index:0xfdff000009693500 pfn:0x49693 flags: 0x1ffc00000000200(slab|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0) raw: 01ffc00000000200 fffffc000018dbc0 0000000700000007 f3ff000003001200 raw: fdff000009693500 000000008010000b 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff000009693600: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe ffff000009693700: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe >ffff000009693800: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe ^ ffff000009693900: f6 f6 f6 f6 fe fe fe fe fe fe fe fe fe fe fe fe ffff000009693a00: f1 f1 f1 f1 f1 fe fe fe fe fe fe fe fe fe fe fe ==================================================================