bisecting fixing commit since 18445bf405cb331117bc98427b1ba6f12418ad17
building syzkaller on 94b457068cf474d9fcbfc5ca4cdb71b346166187
testing commit 18445bf405cb331117bc98427b1ba6f12418ad17 with gcc (GCC) 8.4.1 20210217
kernel signature: af8ff090745913032cc0123a8a0705386efd3aff441334f5b38f46a7ed65673e
run #0: crashed: inconsistent lock state in sco_conn_del
run #1: crashed: inconsistent lock state in sco_sock_timeout
run #2: crashed: inconsistent lock state in sco_sock_timeout
run #3: crashed: inconsistent lock state in sco_conn_del
run #4: crashed: inconsistent lock state in sco_conn_del
run #5: crashed: inconsistent lock state in sco_conn_del
run #6: crashed: inconsistent lock state in sco_conn_del
run #7: crashed: inconsistent lock state in sco_sock_timeout
run #8: crashed: inconsistent lock state in sco_conn_del
run #9: crashed: inconsistent lock state in sco_conn_del
run #10: crashed: inconsistent lock state in sco_conn_del
run #11: crashed: inconsistent lock state in sco_conn_del
run #12: crashed: inconsistent lock state in sco_conn_del
run #13: crashed: inconsistent lock state in sco_conn_del
run #14: crashed: inconsistent lock state in sco_conn_del
run #15: crashed: inconsistent lock state in sco_conn_del
run #16: OK
run #17: OK
run #18: OK
run #19: OK
testing current HEAD 17ae69aba89dbfa2139b7f8024b757ab3cc42f59
testing commit 17ae69aba89dbfa2139b7f8024b757ab3cc42f59 with gcc (GCC) 10.2.1 20210217
kernel signature: ef857d65c4d84760bee16e5b4398c2802ea9c6bb50252ebab9622f30683727d7
run #0: crashed: WARNING in __nf_unregister_net_hook
run #1: crashed: WARNING in __nf_unregister_net_hook
run #2: crashed: WARNING in __nf_unregister_net_hook
run #3: crashed: WARNING in __nf_unregister_net_hook
run #4: crashed: WARNING in __nf_unregister_net_hook
run #5: crashed: inconsistent lock state in sco_conn_del
run #6: crashed: WARNING in __nf_unregister_net_hook
run #7: crashed: WARNING in __nf_unregister_net_hook
run #8: crashed: inconsistent lock state in sco_conn_del
run #9: crashed: WARNING in __nf_unregister_net_hook
revisions tested: 2, total time: 32m12.196912582s (build: 14m14.335034012s, test: 16m53.851002477s)
the crash still happens on HEAD
commit msg: Merge tag 'landlock_v34' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
crash: WARNING in __nf_unregister_net_hook
------------[ cut here ]------------
hook not found, pf 3 num 0
WARNING: CPU: 0 PID: 315 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x17a/0x510 net/netfilter/core.c:480
Modules linked in:
CPU: 0 PID: 315 Comm: kworker/u4:5 Not tainted 5.12.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:__nf_unregister_net_hook+0x17a/0x510 net/netfilter/core.c:480
Code: 89 f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 76 03 00 00 8b 53 1c 44 89 e6 48 c7 c7 20 e0 7e 88 4c 89 04 24 e8 13 fe 61 01 <0f> 0b 4c 8b 04 24 e9 9e 00 00 00 48 89 ea 48 c1 e2 04 49 8d 7c 10
RSP: 0018:ffffc900012b7bf0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8881129dcb00 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000004 RDI: fffff52000256f70
RBP: 0000000000000001 R08: 0000000000000001 R09: ffff8881f642095b
R10: ffffed103ec8412b R11: 0000000000000001 R12: 0000000000000003
R13: ffff8881019b0180 R14: ffff8881129dcb1c R15: ffff8881019b10a0
FS:  0000000000000000(0000) GS:ffff8881f6400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe5244b0000 CR3: 000000011ba73000 CR4: 0000000000350ef0
Call Trace:
 nf_unregister_net_hook net/netfilter/core.c:502 [inline]
 nf_unregister_net_hooks+0xb1/0xf0 net/netfilter/core.c:576
 ops_pre_exit_list net/core/net_namespace.c:165 [inline]
 cleanup_net+0x3a4/0x990 net/core/net_namespace.c:583
 process_one_work+0x84c/0x13b0 kernel/workqueue.c:2275
 worker_thread+0x598/0xf80 kernel/workqueue.c:2421
 kthread+0x36f/0x450 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
irq event stamp: 9861647
hardirqs last  enabled at (9861675): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
hardirqs last  enabled at (9861675): [] _raw_spin_unlock_irq+0x1f/0x80 kernel/locking/spinlock.c:199
hardirqs last disabled at (9861756): [] __schedule+0x1411/0x2400 kernel/sched/core.c:5043
softirqs last  enabled at (9861832): [] invoke_softirq kernel/softirq.c:433 [inline]
softirqs last  enabled at (9861832): [] __irq_exit_rcu kernel/softirq.c:637 [inline]
softirqs last  enabled at (9861832): [] irq_exit_rcu+0x250/0x2a0 kernel/softirq.c:649
softirqs last disabled at (9861845): [] invoke_softirq kernel/softirq.c:433 [inline]
softirqs last disabled at (9861845): [] __irq_exit_rcu kernel/softirq.c:637 [inline]
softirqs last disabled at (9861845): [] irq_exit_rcu+0x250/0x2a0 kernel/softirq.c:649
---[ end trace 9521324741c7857b ]---
netdevsim netdevsim5 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim5 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim5 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim5 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
device hsr_slave_0 left promiscuous mode
device hsr_slave_1 left promiscuous mode
batman_adv: batadv0: Interface deactivated: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Interface deactivated: batadv_slave_1
batman_adv: batadv0: Removing interface: batadv_slave_1
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
device veth1_macvtap left promiscuous mode
device veth0_macvtap left promiscuous mode
device veth1_vlan left promiscuous mode
device veth0_vlan left promiscuous mode
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
bond0 (unregistering): Released all slaves
==================================================================
BUG: KASAN: use-after-free in hooks_validate+0xcf/0xe0 net/netfilter/core.c:177
Read of size 4 at addr ffff888117302c48 by task kworker/u4:5/315

CPU: 0 PID: 315 Comm: kworker/u4:5 Tainted: G        W         5.12.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x10c/0x14b lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:436
 hooks_validate+0xcf/0xe0 net/netfilter/core.c:177
 __nf_hook_entries_try_shrink+0x209/0x3e0 net/netfilter/core.c:260
 __nf_unregister_net_hook+0x22e/0x510 net/netfilter/core.c:483
 ops_exit_list+0x8c/0x140 net/core/net_namespace.c:175
 cleanup_net+0x423/0x990 net/core/net_namespace.c:595
 process_one_work+0x84c/0x13b0 kernel/workqueue.c:2275
 worker_thread+0x598/0xf80 kernel/workqueue.c:2421
 kthread+0x36f/0x450 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Allocated by task 6098:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:428 [inline]
 ____kasan_kmalloc mm/kasan/common.c:507 [inline]
 __kasan_kmalloc+0x7a/0x90 mm/kasan/common.c:516
 kasan_kmalloc include/linux/kasan.h:246 [inline]
 __do_kmalloc mm/slab.c:3702 [inline]
 __kmalloc_track_caller+0x236/0x480 mm/slab.c:3717
 kmemdup+0x1a/0x40 mm/util.c:128
 kmemdup include/linux/fortify-string.h:270 [inline]
 arpt_register_table+0x183/0x300 net/ipv4/netfilter/arp_tables.c:1537
 arptable_filter_table_init+0x33/0x50 net/ipv4/netfilter/arptable_filter.c:50
 xt_find_table_lock+0x42b/0x7f0 net/netfilter/x_tables.c:1244
 xt_request_find_table_lock+0x17/0x90 net/netfilter/x_tables.c:1275
 get_info+0x136/0x600 net/ipv4/netfilter/arp_tables.c:807
 do_arpt_get_ctl+0x393/0x700 net/ipv4/netfilter/arp_tables.c:1443
 nf_getsockopt+0x57/0xb0 net/netfilter/nf_sockopt.c:116
 ip_getsockopt net/ipv4/ip_sockglue.c:1777 [inline]
 ip_getsockopt+0xec/0x130 net/ipv4/ip_sockglue.c:1756
 __sys_getsockopt+0x1a8/0x550 net/socket.c:2161
 __do_sys_getsockopt net/socket.c:2176 [inline]
 __se_sys_getsockopt net/socket.c:2173 [inline]
 __x64_sys_getsockopt+0xb5/0x150 net/socket.c:2173
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 315:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357
 ____kasan_slab_free mm/kasan/common.c:360 [inline]
 ____kasan_slab_free mm/kasan/common.c:325 [inline]
 __kasan_slab_free+0xb2/0xe0 mm/kasan/common.c:368
 kasan_slab_free include/linux/kasan.h:212 [inline]
 __cache_free mm/slab.c:3445 [inline]
 kfree+0x111/0x2e0 mm/slab.c:3803
 xt_unregister_table+0x1f5/0x320 net/netfilter/x_tables.c:1501
 __arpt_unregister_table+0x43/0x1a0 net/ipv4/netfilter/arp_tables.c:1488
 ops_exit_list+0x8c/0x140 net/core/net_namespace.c:175
 cleanup_net+0x423/0x990 net/core/net_namespace.c:595
 process_one_work+0x84c/0x13b0 kernel/workqueue.c:2275
 worker_thread+0x598/0xf80 kernel/workqueue.c:2421
 kthread+0x36f/0x450 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

The buggy address belongs to the object at ffff888117302c00
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 72 bytes inside of
 128-byte region [ffff888117302c00, ffff888117302c80)
The buggy address belongs to the page:
page:00000000f705099b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117302
flags: 0x17ffe0000000200(slab|node=0|zone=2|lastcpupid=0x3fff)
raw: 017ffe0000000200 ffffea000492cf88 ffffea00045cf588 ffff888100040400
raw: 0000000000000000 ffff888117302000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888117302b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
 ffff888117302b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888117302c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888117302c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888117302d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================