Extracting prog: 2m41.337130907s Minimizing prog: 23m58.364829921s Simplifying prog options: 0s Extracting C: 49.35094157s Simplifying C: 19m20.862967356s extracting reproducer from 1 programs testing a last program of every proc single: executing 1 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH detailed listing: executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f000000c280)={&(0x7f0000000600)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000050000000900010073797a300000000064000000030a01030000000000000000050000000900010073797a30000000000900030073797a300000000008000a40000000032800048008000240000000120800014000000000140003006e657464657673696d30000000000000080000000000000014000000110001"], 0xac}, 0x1, 0x0, 0x0, 0x4008855}, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000000cc0)={0x0, 0x0, &(0x7f0000000ac0)={&(0x7f0000000bc0)=ANY=[@ANYBLOB="14000000100001f500000000000000000100000a14000000020a497f75241d4e1deb00000500000614000000110001"], 0x3c}, 0x1, 0x0, 0x0, 0x2004c040}, 0xc050) program did not crash single: failed to extract reproducer single: executing 1 programs separately with timeout 1m40s testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH detailed listing: executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f000000c280)={&(0x7f0000000600)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000050000000900010073797a300000000064000000030a01030000000000000000050000000900010073797a30000000000900030073797a300000000008000a40000000032800048008000240000000120800014000000000140003006e657464657673696d30000000000000080000000000000014000000110001"], 0xac}, 0x1, 0x0, 0x0, 0x4008855}, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000000cc0)={0x0, 0x0, &(0x7f0000000ac0)={&(0x7f0000000bc0)=ANY=[@ANYBLOB="14000000100001f500000000000000000100000a14000000020a497f75241d4e1deb00000500000614000000110001"], 0x3c}, 0x1, 0x0, 0x0, 0x2004c040}, 0xc050) program crashed: BUG: corrupted list in flow_block_cb_setup_simple single: successfully extracted reproducer found reproducer with 3 syscalls minimizing guilty program testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH detailed listing: executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f000000c280)={&(0x7f0000000600)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000050000000900010073797a300000000064000000030a01030000000000000000050000000900010073797a30000000000900030073797a300000000008000a40000000032800048008000240000000120800014000000000140003006e657464657673696d30000000000000080000000000000014000000110001"], 0xac}, 0x1, 0x0, 0x0, 0x4008855}, 0x0) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH detailed listing: executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f0000000cc0)={0x0, 0x0, &(0x7f0000000ac0)={&(0x7f0000000bc0)=ANY=[@ANYBLOB="14000000100001f500000000000000000100000a14000000020a497f75241d4e1deb00000500000614000000110001"], 0x3c}, 0x1, 0x0, 0x0, 0x2004c040}, 0xc050) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-sendmsg$NFT_BATCH detailed listing: executing program 0: sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f000000c280)={&(0x7f0000000600)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000050000000900010073797a300000000064000000030a01030000000000000000050000000900010073797a30000000000900030073797a300000000008000a40000000032800048008000240000000120800014000000000140003006e657464657673696d30000000000000080000000000000014000000110001"], 0xac}, 0x1, 0x0, 0x0, 0x4008855}, 0x0) sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000cc0)={0x0, 0x0, &(0x7f0000000ac0)={&(0x7f0000000bc0)=ANY=[@ANYBLOB="14000000100001f500000000000000000100000a14000000020a497f75241d4e1deb00000500000614000000110001"], 0x3c}, 0x1, 0x0, 0x0, 0x2004c040}, 0xc050) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH detailed listing: executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, 0x0, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000000cc0)={0x0, 0x0, &(0x7f0000000ac0)={&(0x7f0000000bc0)=ANY=[@ANYBLOB="14000000100001f500000000000000000100000a14000000020a497f75241d4e1deb00000500000614000000110001"], 0x3c}, 0x1, 0x0, 0x0, 0x2004c040}, 0xc050) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH detailed listing: executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x4008855}, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000000cc0)={0x0, 0x0, &(0x7f0000000ac0)={&(0x7f0000000bc0)=ANY=[@ANYBLOB="14000000100001f500000000000000000100000a14000000020a497f75241d4e1deb00000500000614000000110001"], 0x3c}, 0x1, 0x0, 0x0, 0x2004c040}, 0xc050) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH detailed listing: executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f000000c280)={0x0, 0xac}, 0x1, 0x0, 0x0, 0x4008855}, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000000cc0)={0x0, 0x0, &(0x7f0000000ac0)={&(0x7f0000000bc0)=ANY=[@ANYBLOB="14000000100001f500000000000000000100000a14000000020a497f75241d4e1deb00000500000614000000110001"], 0x3c}, 0x1, 0x0, 0x0, 0x2004c040}, 0xc050) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH detailed listing: executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f000000c280)={&(0x7f0000000600)=ANY=[@ANYBLOB], 0xac}, 0x1, 0x0, 0x0, 0x4008855}, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000000cc0)={0x0, 0x0, &(0x7f0000000ac0)={&(0x7f0000000bc0)=ANY=[@ANYBLOB="14000000100001f500000000000000000100000a14000000020a497f75241d4e1deb00000500000614000000110001"], 0x3c}, 0x1, 0x0, 0x0, 0x2004c040}, 0xc050) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH detailed listing: executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f000000c280)={&(0x7f0000000600)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000050000000900010073797a300000000064000000030a01030000000000000000050000000900010073797a30000000000900030073797a300000000008000a40000000032800048008000240000000120800014000000000140003006e657464657673696d30000000000000080000000000000014000000110001"], 0xac}, 0x1, 0x0, 0x0, 0x4008855}, 0x0) sendmsg$NFT_BATCH(r0, 0x0, 0xc050) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH detailed listing: executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f000000c280)={&(0x7f0000000600)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000050000000900010073797a300000000064000000030a01030000000000000000050000000900010073797a30000000000900030073797a300000000008000a40000000032800048008000240000000120800014000000000140003006e657464657673696d30000000000000080000000000000014000000110001"], 0xac}, 0x1, 0x0, 0x0, 0x4008855}, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000000cc0)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2004c040}, 0xc050) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH detailed listing: executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f000000c280)={&(0x7f0000000600)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000050000000900010073797a300000000064000000030a01030000000000000000050000000900010073797a30000000000900030073797a300000000008000a40000000032800048008000240000000120800014000000000140003006e657464657673696d30000000000000080000000000000014000000110001"], 0xac}, 0x1, 0x0, 0x0, 0x4008855}, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000000cc0)={0x0, 0x0, &(0x7f0000000ac0)={0x0, 0x3c}, 0x1, 0x0, 0x0, 0x2004c040}, 0xc050) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH detailed listing: executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f000000c280)={&(0x7f0000000600)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000050000000900010073797a300000000064000000030a01030000000000000000050000000900010073797a30000000000900030073797a300000000008000a40000000032800048008000240000000120800014000000000140003006e657464657673696d30000000000000080000000000000014000000110001"], 0xac}, 0x1, 0x0, 0x0, 0x4008855}, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000000cc0)={0x0, 0x0, &(0x7f0000000ac0)={&(0x7f0000000bc0)=ANY=[@ANYBLOB], 0x3c}, 0x1, 0x0, 0x0, 0x2004c040}, 0xc050) program did not crash extracting C reproducer testing compiled C program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH program crashed: BUG: corrupted list in flow_block_cb_setup_simple simplifying C reproducer testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH program crashed: BUG: corrupted list in flow_block_cb_setup_simple testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH program did not crash testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH program did not crash testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH program crashed: BUG: corrupted list in flow_block_cb_setup_simple testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH program did not crash testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH program crashed: BUG: corrupted list in flow_block_cb_setup_simple testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH program crashed: BUG: corrupted list in flow_block_cb_setup_simple testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH program crashed: KASAN: slab-use-after-free Read in flow_block_cb_setup_simple a never seen crash title: KASAN: slab-use-after-free Read in flow_block_cb_setup_simple, ignore testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH program crashed: BUG: corrupted list in flow_block_cb_setup_simple testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH program crashed: BUG: corrupted list in flow_block_cb_setup_simple testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH program crashed: BUG: corrupted list in flow_block_cb_setup_simple testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH program crashed: BUG: corrupted list in flow_block_cb_setup_simple testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH program did not crash testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH program crashed: BUG: corrupted list in flow_block_cb_setup_simple testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH program crashed: BUG: unable to handle kernel paging request in flow_block_cb_setup_simple a never seen crash title: BUG: unable to handle kernel paging request in flow_block_cb_setup_simple, ignore testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH program crashed: KASAN: slab-use-after-free Read in flow_block_cb_setup_simple a never seen crash title: KASAN: slab-use-after-free Read in flow_block_cb_setup_simple, ignore testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH detailed listing: executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f000000c280)={&(0x7f0000000600)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000050000000900010073797a300000000064000000030a01030000000000000000050000000900010073797a30000000000900030073797a300000000008000a40000000032800048008000240000000120800014000000000140003006e657464657673696d30000000000000080000000000000014000000110001"], 0xac}, 0x1, 0x0, 0x0, 0x4008855}, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000000cc0)={0x0, 0x0, &(0x7f0000000ac0)={&(0x7f0000000bc0)=ANY=[@ANYBLOB="14000000100001f500000000000000000100000a14000000020a497f75241d4e1deb00000500000614000000110001"], 0x3c}, 0x1, 0x0, 0x0, 0x2004c040}, 0xc050) program crashed: BUG: corrupted list in flow_block_cb_setup_simple validation run: crashed=true testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH detailed listing: executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f000000c280)={&(0x7f0000000600)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000050000000900010073797a300000000064000000030a01030000000000000000050000000900010073797a30000000000900030073797a300000000008000a40000000032800048008000240000000120800014000000000140003006e657464657673696d30000000000000080000000000000014000000110001"], 0xac}, 0x1, 0x0, 0x0, 0x4008855}, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000000cc0)={0x0, 0x0, &(0x7f0000000ac0)={&(0x7f0000000bc0)=ANY=[@ANYBLOB="14000000100001f500000000000000000100000a14000000020a497f75241d4e1deb00000500000614000000110001"], 0x3c}, 0x1, 0x0, 0x0, 0x2004c040}, 0xc050) program crashed: BUG: corrupted list in flow_block_cb_setup_simple validation run: crashed=true testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH detailed listing: executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f000000c280)={&(0x7f0000000600)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000050000000900010073797a300000000064000000030a01030000000000000000050000000900010073797a30000000000900030073797a300000000008000a40000000032800048008000240000000120800014000000000140003006e657464657673696d30000000000000080000000000000014000000110001"], 0xac}, 0x1, 0x0, 0x0, 0x4008855}, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000000cc0)={0x0, 0x0, &(0x7f0000000ac0)={&(0x7f0000000bc0)=ANY=[@ANYBLOB="14000000100001f500000000000000000100000a14000000020a497f75241d4e1deb00000500000614000000110001"], 0x3c}, 0x1, 0x0, 0x0, 0x2004c040}, 0xc050) program crashed: KASAN: slab-use-after-free Read in flow_block_cb_setup_simple validation run: crashed=true reproducing took 50m24.276314001s repro crashed as (corrupted=false): slab kmalloc-192 start ffff0000c6514400 pointer offset 0 size 192 ================================================================== BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_repor BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x164/0x1b4 lib/list_debug.c:62 Read of size 8 at addr ffff0000c6514400 by task syz.0.903/5920 CPU: 1 UID: 0 PID: 5920 Comm: syz.0.903 Not tainted syzkaller #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C) __dump_stack+0x30/0x40 lib/dump_stack.c:94 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 print_address_description+0xb0/0x238 mm/kasan/report.c:378 print_report+0x68/0x84 mm/kasan/report.c:482 kasan_report+0x8c/0xc4 mm/kasan/report.c:595 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 __list_del_entry_valid_or_report+0x164/0x1b4 lib/list_debug.c:62 __list_del_entry_valid include/linux/list.h:132 [inline] __list_del_entry include/linux/list.h:223 [inline] list_del include/linux/list.h:237 [inline] flow_block_cb_setup_simple+0x584/0x694 net/core/flow_offload.c:367 nsim_setup_tc+0xfc/0x220 drivers/net/netdevsim/tc.c:72 nft_block_offload_cmd net/netfilter/nf_tables_offload.c:397 [inline] nft_chain_offload_cmd+0x1c0/0x48c net/netfilter/nf_tables_offload.c:451 nft_flow_block_chain+0xfc/0x2c4 net/netfilter/nf_tables_offload.c:471 nft_flow_offload_chain net/netfilter/nf_tables_offload.c:513 [inline] nft_flow_rule_offload_commit+0x44c/0xaa0 net/netfilter/nf_tables_offload.c:-1 nf_tables_commit+0x558/0x6b70 net/netfilter/nf_tables_api.c:10912 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:574 [inline] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:647 [inline] nfnetlink_rcv+0x1108/0x16f8 net/netfilter/nfnetlink.c:665 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x610/0x800 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x63c/0x920 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:787 [inline] __sock_sendmsg+0xc8/0x138 net/socket.c:802 ____sys_sendmsg+0x418/0x70c net/socket.c:2698 ___sys_sendmsg+0x198/0x224 net/socket.c:2752 __sys_sendmsg+0x160/0x214 net/socket.c:2784 __do_sys_sendmsg net/socket.c:2789 [inline] __se_sys_sendmsg net/socket.c:2787 [inline] __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2787 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49 el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:740 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:759 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594 Allocated by task 5919: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:78 kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:570 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __kmalloc_cache_noprof+0x2d4/0x624 mm/slub.c:5419 kmalloc_noprof include/linux/slab.h:950 [inline] kzalloc_noprof include/linux/slab.h:1188 [inline] flow_block_cb_alloc net/core/flow_offload.c:265 [inline] flow_block_cb_setup_simple+0x278/0x694 net/core/flow_offload.c:354 nsim_setup_tc+0xfc/0x220 drivers/net/netdevsim/tc.c:72 nft_block_offload_cmd net/netfilter/nf_tables_offload.c:397 [inline] nft_chain_offload_cmd+0x1c0/0x48c net/netfilter/nf_tables_offload.c:451 nft_flow_block_chain+0xfc/0x2c4 net/netfilter/nf_tables_offload.c:471 nft_flow_offload_chain net/netfilter/nf_tables_offload.c:513 [inline] nft_flow_rule_offload_commit+0x44c/0xaa0 net/netfilter/nf_tables_offload.c:-1 nf_tables_commit+0x558/0x6b70 net/netfilter/nf_tables_api.c:10912 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:574 [inline] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:647 [inline] nfnetlink_rcv+0x1108/0x16f8 net/netfilter/nfnetlink.c:665 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x610/0x800 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x63c/0x920 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:787 [inline] __sock_sendmsg+0xc8/0x138 net/socket.c:802 ____sys_sendmsg+0x418/0x70c net/socket.c:2698 ___sys_sendmsg+0x198/0x224 net/socket.c:2752 __sys_sendmsg+0x160/0x214 net/socket.c:2784 __do_sys_sendmsg net/socket.c:2789 [inline] __se_sys_sendmsg net/socket.c:2787 [inline] __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2787 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49 el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:740 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:759 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594 Freed by task 5919: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:78 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x74/0xa4 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2689 [inline] slab_free mm/slub.c:6250 [inline] kfree+0x188/0x690 mm/slub.c:6565 flow_block_cb_free+0x78/0x8c net/core/flow_offload.c:283 nft_flow_offload_unbind+0x2d4/0x364 net/netfilter/nf_tables_offload.c:344 nft_block_setup net/netfilter/nf_tables_offload.c:361 [inline] nft_block_offload_cmd net/netfilter/nf_tables_offload.c:401 [inline] nft_chain_offload_cmd+0x1e8/0x48c net/netfilter/nf_tables_offload.c:451 nft_flow_block_chain+0xfc/0x2c4 net/netfilter/nf_tables_offload.c:471 nft_flow_offload_chain net/netfilter/nf_tables_offload.c:513 [inline] nft_flow_rule_offload_commit+0x44c/0xaa0 net/netfilter/nf_tables_offload.c:-1 nf_tables_commit+0x558/0x6b70 net/netfilter/nf_tables_api.c:10912 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:574 [inline] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:647 [inline] nfnetlink_rcv+0x1108/0x16f8 net/netfilter/nfnetlink.c:665 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x610/0x800 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x63c/0x920 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:787 [inline] __sock_sendmsg+0xc8/0x138 net/socket.c:802 ____sys_sendmsg+0x418/0x70c net/socket.c:2698 ___sys_sendmsg+0x198/0x224 net/socket.c:2752 __sys_sendmsg+0x160/0x214 net/socket.c:2784 __do_sys_sendmsg net/socket.c:2789 [inline] __se_sys_sendmsg net/socket.c:2787 [inline] __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2787 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49 el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:740 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:759 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594 The buggy address belongs to the object at ffff0000c6514400 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 0 bytes inside of freed 192-byte region [ffff0000c6514400, ffff0000c65144c0) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106514 flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff) page_type: f5(slab) raw: 05ffc00000000000 ffff0000c00013c0 dead000000000100 dead000000000122 raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000c6514300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0000c6514380: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc >ffff0000c6514400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff0000c6514480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff0000c6514500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== list_del corruption. prev->next should be ffff0000d29de900, but was ffff0000d552c000. (prev=ffff0000c6514400) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:64! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP Modules linked in: CPU: 0 UID: 0 PID: 5920 Comm: syz.0.903 Tainted: G B syzkaller #0 PREEMPT Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 pstate: 63400005 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : __list_del_entry_valid_or_report+0x17c/0x1b4 lib/list_debug.c:62 lr : __list_del_entry_valid_or_report+0x17c/0x1b4 lib/list_debug.c:62 sp : ffff800095cd6780 x29: ffff800095cd6780 x28: 1fffe0001a0aa801 x27: ffff800095cd6860 x26: dfff800000000000 x25: ffff0000d0554108 x24: 1ffff00012b9ad4a x23: 1fffe00018ca2880 x22: dfff800000000000 x21: ffff0000c6514400 x20: ffff800089396320 x19: ffff0000d29de900 x18: 1fffe00035c1ea20 x17: 20747562202c3030 x16: 3965643932643030 x15: 3030666666662065 x14: 6220646c756f6873 x13: 0000000000000001 x12: 0000000000000000 x11: 0000000000000648 x10: 0000000000ff0100 x9 : dc34dd657c44ad00 x8 : dc34dd657c44ad00 x7 : 0000000000000000 x6 : ffff80008047caa0 x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000804876e0 x2 : 0000000100000000 x1 : ffff0000ddb79d00 x0 : 000000000000006d Call trace: __list_del_entry_valid_or_report+0x17c/0x1b4 lib/list_debug.c:62 (P) __list_del_entry_valid include/linux/list.h:132 [inline] __list_del_entry include/linux/list.h:223 [inline] list_del include/linux/list.h:237 [inline] flow_block_cb_setup_simple+0x584/0x694 net/core/flow_offload.c:367 nsim_setup_tc+0xfc/0x220 drivers/net/netdevsim/tc.c:72 nft_block_offload_cmd net/netfilter/nf_tables_offload.c:397 [inline] nft_chain_offload_cmd+0x1c0/0x48c net/netfilter/nf_tables_offload.c:451 nft_flow_block_chain+0xfc/0x2c4 net/netfilter/nf_tables_offload.c:471 nft_flow_offload_chain net/netfilter/nf_tables_offload.c:513 [inline] nft_flow_rule_offload_commit+0x44c/0xaa0 net/netfilter/nf_tables_offload.c:-1 nf_tables_commit+0x558/0x6b70 net/netfilter/nf_tables_api.c:10912 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:574 [inline] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:647 [inline] nfnetlink_rcv+0x1108/0x16f8 net/netfilter/nfnetlink.c:665 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x610/0x800 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x63c/0x920 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:787 [inline] __sock_sendmsg+0xc8/0x138 net/socket.c:802 ____sys_sendmsg+0x418/0x70c net/socket.c:2698 ___sys_sendmsg+0x198/0x224 net/socket.c:2752 __sys_sendmsg+0x160/0x214 net/socket.c:2784 __do_sys_sendmsg net/socket.c:2789 [inline] __se_sys_sendmsg net/socket.c:2787 [inline] __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2787 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49 el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:740 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:759 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594 Code: 913a0000 aa1303e1 aa1503e3 979d9425 (d4210000) ---[ end trace 0000000000000000 ]--- final repro crashed as (corrupted=false): slab kmalloc-192 start ffff0000c6514400 pointer offset 0 size 192 ================================================================== BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_repor BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x164/0x1b4 lib/list_debug.c:62 Read of size 8 at addr ffff0000c6514400 by task syz.0.903/5920 CPU: 1 UID: 0 PID: 5920 Comm: syz.0.903 Not tainted syzkaller #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C) __dump_stack+0x30/0x40 lib/dump_stack.c:94 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 print_address_description+0xb0/0x238 mm/kasan/report.c:378 print_report+0x68/0x84 mm/kasan/report.c:482 kasan_report+0x8c/0xc4 mm/kasan/report.c:595 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 __list_del_entry_valid_or_report+0x164/0x1b4 lib/list_debug.c:62 __list_del_entry_valid include/linux/list.h:132 [inline] __list_del_entry include/linux/list.h:223 [inline] list_del include/linux/list.h:237 [inline] flow_block_cb_setup_simple+0x584/0x694 net/core/flow_offload.c:367 nsim_setup_tc+0xfc/0x220 drivers/net/netdevsim/tc.c:72 nft_block_offload_cmd net/netfilter/nf_tables_offload.c:397 [inline] nft_chain_offload_cmd+0x1c0/0x48c net/netfilter/nf_tables_offload.c:451 nft_flow_block_chain+0xfc/0x2c4 net/netfilter/nf_tables_offload.c:471 nft_flow_offload_chain net/netfilter/nf_tables_offload.c:513 [inline] nft_flow_rule_offload_commit+0x44c/0xaa0 net/netfilter/nf_tables_offload.c:-1 nf_tables_commit+0x558/0x6b70 net/netfilter/nf_tables_api.c:10912 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:574 [inline] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:647 [inline] nfnetlink_rcv+0x1108/0x16f8 net/netfilter/nfnetlink.c:665 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x610/0x800 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x63c/0x920 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:787 [inline] __sock_sendmsg+0xc8/0x138 net/socket.c:802 ____sys_sendmsg+0x418/0x70c net/socket.c:2698 ___sys_sendmsg+0x198/0x224 net/socket.c:2752 __sys_sendmsg+0x160/0x214 net/socket.c:2784 __do_sys_sendmsg net/socket.c:2789 [inline] __se_sys_sendmsg net/socket.c:2787 [inline] __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2787 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49 el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:740 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:759 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594 Allocated by task 5919: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:78 kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:570 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __kmalloc_cache_noprof+0x2d4/0x624 mm/slub.c:5419 kmalloc_noprof include/linux/slab.h:950 [inline] kzalloc_noprof include/linux/slab.h:1188 [inline] flow_block_cb_alloc net/core/flow_offload.c:265 [inline] flow_block_cb_setup_simple+0x278/0x694 net/core/flow_offload.c:354 nsim_setup_tc+0xfc/0x220 drivers/net/netdevsim/tc.c:72 nft_block_offload_cmd net/netfilter/nf_tables_offload.c:397 [inline] nft_chain_offload_cmd+0x1c0/0x48c net/netfilter/nf_tables_offload.c:451 nft_flow_block_chain+0xfc/0x2c4 net/netfilter/nf_tables_offload.c:471 nft_flow_offload_chain net/netfilter/nf_tables_offload.c:513 [inline] nft_flow_rule_offload_commit+0x44c/0xaa0 net/netfilter/nf_tables_offload.c:-1 nf_tables_commit+0x558/0x6b70 net/netfilter/nf_tables_api.c:10912 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:574 [inline] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:647 [inline] nfnetlink_rcv+0x1108/0x16f8 net/netfilter/nfnetlink.c:665 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x610/0x800 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x63c/0x920 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:787 [inline] __sock_sendmsg+0xc8/0x138 net/socket.c:802 ____sys_sendmsg+0x418/0x70c net/socket.c:2698 ___sys_sendmsg+0x198/0x224 net/socket.c:2752 __sys_sendmsg+0x160/0x214 net/socket.c:2784 __do_sys_sendmsg net/socket.c:2789 [inline] __se_sys_sendmsg net/socket.c:2787 [inline] __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2787 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49 el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:740 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:759 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594 Freed by task 5919: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:78 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x74/0xa4 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2689 [inline] slab_free mm/slub.c:6250 [inline] kfree+0x188/0x690 mm/slub.c:6565 flow_block_cb_free+0x78/0x8c net/core/flow_offload.c:283 nft_flow_offload_unbind+0x2d4/0x364 net/netfilter/nf_tables_offload.c:344 nft_block_setup net/netfilter/nf_tables_offload.c:361 [inline] nft_block_offload_cmd net/netfilter/nf_tables_offload.c:401 [inline] nft_chain_offload_cmd+0x1e8/0x48c net/netfilter/nf_tables_offload.c:451 nft_flow_block_chain+0xfc/0x2c4 net/netfilter/nf_tables_offload.c:471 nft_flow_offload_chain net/netfilter/nf_tables_offload.c:513 [inline] nft_flow_rule_offload_commit+0x44c/0xaa0 net/netfilter/nf_tables_offload.c:-1 nf_tables_commit+0x558/0x6b70 net/netfilter/nf_tables_api.c:10912 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:574 [inline] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:647 [inline] nfnetlink_rcv+0x1108/0x16f8 net/netfilter/nfnetlink.c:665 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x610/0x800 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x63c/0x920 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:787 [inline] __sock_sendmsg+0xc8/0x138 net/socket.c:802 ____sys_sendmsg+0x418/0x70c net/socket.c:2698 ___sys_sendmsg+0x198/0x224 net/socket.c:2752 __sys_sendmsg+0x160/0x214 net/socket.c:2784 __do_sys_sendmsg net/socket.c:2789 [inline] __se_sys_sendmsg net/socket.c:2787 [inline] __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2787 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49 el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:740 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:759 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594 The buggy address belongs to the object at ffff0000c6514400 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 0 bytes inside of freed 192-byte region [ffff0000c6514400, ffff0000c65144c0) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106514 flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff) page_type: f5(slab) raw: 05ffc00000000000 ffff0000c00013c0 dead000000000100 dead000000000122 raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000c6514300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0000c6514380: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc >ffff0000c6514400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff0000c6514480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff0000c6514500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== list_del corruption. prev->next should be ffff0000d29de900, but was ffff0000d552c000. (prev=ffff0000c6514400) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:64! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP Modules linked in: CPU: 0 UID: 0 PID: 5920 Comm: syz.0.903 Tainted: G B syzkaller #0 PREEMPT Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 pstate: 63400005 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : __list_del_entry_valid_or_report+0x17c/0x1b4 lib/list_debug.c:62 lr : __list_del_entry_valid_or_report+0x17c/0x1b4 lib/list_debug.c:62 sp : ffff800095cd6780 x29: ffff800095cd6780 x28: 1fffe0001a0aa801 x27: ffff800095cd6860 x26: dfff800000000000 x25: ffff0000d0554108 x24: 1ffff00012b9ad4a x23: 1fffe00018ca2880 x22: dfff800000000000 x21: ffff0000c6514400 x20: ffff800089396320 x19: ffff0000d29de900 x18: 1fffe00035c1ea20 x17: 20747562202c3030 x16: 3965643932643030 x15: 3030666666662065 x14: 6220646c756f6873 x13: 0000000000000001 x12: 0000000000000000 x11: 0000000000000648 x10: 0000000000ff0100 x9 : dc34dd657c44ad00 x8 : dc34dd657c44ad00 x7 : 0000000000000000 x6 : ffff80008047caa0 x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000804876e0 x2 : 0000000100000000 x1 : ffff0000ddb79d00 x0 : 000000000000006d Call trace: __list_del_entry_valid_or_report+0x17c/0x1b4 lib/list_debug.c:62 (P) __list_del_entry_valid include/linux/list.h:132 [inline] __list_del_entry include/linux/list.h:223 [inline] list_del include/linux/list.h:237 [inline] flow_block_cb_setup_simple+0x584/0x694 net/core/flow_offload.c:367 nsim_setup_tc+0xfc/0x220 drivers/net/netdevsim/tc.c:72 nft_block_offload_cmd net/netfilter/nf_tables_offload.c:397 [inline] nft_chain_offload_cmd+0x1c0/0x48c net/netfilter/nf_tables_offload.c:451 nft_flow_block_chain+0xfc/0x2c4 net/netfilter/nf_tables_offload.c:471 nft_flow_offload_chain net/netfilter/nf_tables_offload.c:513 [inline] nft_flow_rule_offload_commit+0x44c/0xaa0 net/netfilter/nf_tables_offload.c:-1 nf_tables_commit+0x558/0x6b70 net/netfilter/nf_tables_api.c:10912 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:574 [inline] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:647 [inline] nfnetlink_rcv+0x1108/0x16f8 net/netfilter/nfnetlink.c:665 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x610/0x800 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x63c/0x920 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:787 [inline] __sock_sendmsg+0xc8/0x138 net/socket.c:802 ____sys_sendmsg+0x418/0x70c net/socket.c:2698 ___sys_sendmsg+0x198/0x224 net/socket.c:2752 __sys_sendmsg+0x160/0x214 net/socket.c:2784 __do_sys_sendmsg net/socket.c:2789 [inline] __se_sys_sendmsg net/socket.c:2787 [inline] __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2787 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49 el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:740 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:759 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594 Code: 913a0000 aa1303e1 aa1503e3 979d9425 (d4210000) ---[ end trace 0000000000000000 ]---