ci starts bisection 2025-07-14 13:27:38.925793833 +0000 UTC m=+45.266521056 bisecting cause commit starting from 5d5d62298b8b5017d6677af28e021f7ad13f7a62 building syzkaller on 3cda49cfaa8556b73277ccd7e75952f0f2de2d74 ensuring issue is reproducible on original commit 5d5d62298b8b5017d6677af28e021f7ad13f7a62 testing commit 5d5d62298b8b5017d6677af28e021f7ad13f7a62 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 9abe58a606cc61de9b1ff70a99b91ce0c092834662f9bd80e5d088affb5806b6 all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] check whether we can drop unnecessary instrumentation disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed testing commit 5d5d62298b8b5017d6677af28e021f7ad13f7a62 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 489355ed880aa1e66ae944f8d77e27b4f2d9b89d16b5f064fd8ba6b595895754 all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] the bug reproduces without the instrumentation disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed kconfig minimization: base=4095 full=8481 leaves diff=2186 split chunks (needed=false): <2186> split chunk #0 of len 2186 into 5 parts testing without sub-chunk 1/5 disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed testing commit 5d5d62298b8b5017d6677af28e021f7ad13f7a62 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 0f0704b738824cf0a293f729bb84e41c8a16fd245ff5dd9c9d1fb7fb46878547 all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed testing commit 5d5d62298b8b5017d6677af28e021f7ad13f7a62 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: e33f5f80e8e57a97d174995d4e1be87dd7692db973f48a8387df7f57a6641da9 all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed testing commit 5d5d62298b8b5017d6677af28e021f7ad13f7a62 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: b1dc782844a046e6491fc5a2ef888eb793dc8a614b2e8f107a32454ec85cee37 all runs: OK false negative chance: 0.000 testing without sub-chunk 4/5 disabling configs for [ubsan bug_or_warning locking atomic_sleep hang memleak], they are not needed testing commit 5d5d62298b8b5017d6677af28e021f7ad13f7a62 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: a7ed46eaf3601601daf5341f5808d08d60841ce67453b336d69b0508332c559d all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed testing commit 5d5d62298b8b5017d6677af28e021f7ad13f7a62 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 8d80a95c06df3d93df1361310fa2ce8a2bdca28be8687481f4bfe0b0b1deb3c3 all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] the chunk can be dropped minimized to 438 configs; suspects: [AX25 BRIDGE BRIDGE_NETFILTER CAN CFG80211 CHECKPOINT_RESTORE DVB_CORE FB_CORE HAMRADIO HID_LOGITECH HSR INFINIBAND INFINIBAND_ADDR_TRANS INFINIBAND_USER_ACCESS INPUT_JOYSTICK INPUT_MOUSE IP6_NF_RAW IPV6_MULTIPLE_TABLES IPV6_TUNNEL IPV6_VTI IPVLAN IPVLAN_L3S IPVTAP IP_FIB_TRIE_STATS IP_MROUTE_MULTIPLE_TABLES IP_NF_ARPFILTER IP_NF_ARPTABLES IP_NF_ARP_MANGLE IP_NF_MATCH_AH IP_NF_MATCH_ECN IP_NF_MATCH_RPFILTER IP_NF_MATCH_TTL IP_NF_RAW IP_NF_SECURITY IP_NF_TARGET_ECN IP_NF_TARGET_NETMAP IP_NF_TARGET_REDIRECT IP_NF_TARGET_SYNPROXY IP_NF_TARGET_TTL IP_ROUTE_CLASSID IP_SET IP_SET_BITMAP_IP IP_SET_BITMAP_IPMAC IP_SET_BITMAP_PORT IP_SET_HASH_IP IP_SET_HASH_IPMAC IP_SET_HASH_IPMARK IP_SET_HASH_IPPORT IP_SET_HASH_IPPORTIP IP_SET_HASH_IPPORTNET IP_SET_HASH_MAC IP_SET_HASH_NET IP_SET_HASH_NETIFACE IP_SET_HASH_NETNET IP_SET_HASH_NETPORT IP_SET_HASH_NETPORTNET IP_SET_LIST_SET IP_VS IP_VS_DH IP_VS_FO IP_VS_FTP IP_VS_IPV6 IP_VS_LBLC IP_VS_LBLCR IP_VS_LC IP_VS_MH IP_VS_NFCT IP_VS_NQ IP_VS_OVF IP_VS_PE_SIP IP_VS_PROTO_AH IP_VS_PROTO_AH_ESP IP_VS_PROTO_ESP IP_VS_PROTO_SCTP IP_VS_PROTO_TCP IP_VS_PROTO_UDP IP_VS_RR IP_VS_SED IP_VS_SH IP_VS_TWOS IP_VS_WLC IP_VS_WRR IRQ_BYPASS_MANAGER IRQ_POLL IR_IGORPLUGUSB IR_IGUANA IR_IMON IR_IMON_RAW IR_MCEUSB IR_REDRAT3 IR_STREAMZAP IR_TOY IR_TTUSBIR ISDN ISDN_CAPI JFFS2_CMODE_PRIORITY JFFS2_COMPRESSION_OPTIONS JFFS2_FS JFFS2_FS_POSIX_ACL JFFS2_FS_SECURITY JFFS2_FS_WRITEBUFFER JFFS2_FS_XATTR JFFS2_LZO JFFS2_RTIME JFFS2_RUBIN JFFS2_SUMMARY JFFS2_ZLIB JFS_DEBUG JFS_FS JFS_POSIX_ACL JFS_SECURITY JOYSTICK_IFORCE JOYSTICK_IFORCE_USB JOYSTICK_PXRC JOYSTICK_XPAD JOYSTICK_XPAD_FF JOYSTICK_XPAD_LEDS KARMA_PARTITION KCOV KCOV_ENABLE_COMPARISONS KCOV_INSTRUMENT_ALL KEYS_REQUEST_CACHE KEY_DH_OPERATIONS KEY_NOTIFICATIONS KSM KVM KVM_AMD KVM_ASYNC_PF KVM_COMMON KVM_COMPAT KVM_ELIDE_TLB_FLUSH_IF_YOUNG KVM_GENERIC_DIRTYLOG_READ_PROTECT KVM_GENERIC_HARDWARE_ENABLING KVM_GENERIC_MEMORY_ATTRIBUTES KVM_GENERIC_MMU_NOTIFIER KVM_GENERIC_PRE_FAULT_MEMORY KVM_GENERIC_PRIVATE_MEM KVM_HYPERV KVM_MMIO KVM_MMU_LOCKLESS_AGING KVM_PRIVATE_MEM KVM_PROVE_MMU KVM_SW_PROTECTED_VM KVM_VFIO KVM_X86 KVM_XEN KVM_XFER_TO_GUEST_WORK L2TP L2TP_ETH L2TP_IP L2TP_V3 LAPB LAPBETHER LDM_PARTITION LEDS_CLASS_MULTICOLOR LEGACY_PTYS LIBNVDIMM LINEAR_RANGES LLC LLC2 LOGIG940_FF LOGIRUMBLEPAD2_FF LOGITECH_FF LOGIWHEELS_FF LOGO LOGO_LINUX_MONO LOGO_LINUX_VGA16 LPC_ICH LWTUNNEL LWTUNNEL_BPF LZ4HC_COMPRESS LZ4_COMPRESS MAC80211 MAC80211_HAS_RC MAC80211_HWSIM MAC80211_MESH MAC80211_RC_DEFAULT_MINSTREL MAC80211_RC_MINSTREL MACSEC MACVLAN MACVTAP MAC_PARTITION MAPPING_DIRTY_HELPERS MCTP MDIO_MVUSB MD_RAID0 MD_RAID1 MD_RAID10 MD_RAID456 MEDIA_ANALOG_TV_SUPPORT MEDIA_ATTACH MEDIA_CONTROLLER MEDIA_CONTROLLER_DVB MEDIA_DIGITAL_TV_SUPPORT MEDIA_RADIO_SUPPORT MEDIA_SDR_SUPPORT MEDIA_SUPPORT MEDIA_SUPPORT_FILTER MEDIA_TUNER MEDIA_TUNER_MSI001 MEMORY_BALLOON MEMORY_HOTPLUG MEMORY_ISOLATION MEMREGION MEMSTICK MEMSTICK_REALTEK_USB MEM_SOFT_DIRTY MFD_CORE MFD_SYSCON MHI_BUS MHI_WWAN_CTRL MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO MHP_MEMMAP_ON_MEMORY MICROCHIP_PHY MINIX_FS MINIX_SUBPARTITION MIN_HEAP MISC_RTSX MISC_RTSX_USB MISDN MISDN_DSP MISDN_HFCUSB MISDN_L1OIP MITIGATION_TSA MKISS MLX4_CORE MLX4_INFINIBAND MMC MMC_REALTEK_USB MMC_USHC MMC_VUB300 MM_ID MODULE_SRCVERSION_ALL MOST MOST_USB_HDM MOUSE_APPLETOUCH MOUSE_BCM5974 MOUSE_PS2 MOUSE_PS2_ALPS MOUSE_PS2_BYD MOUSE_PS2_CYPRESS MOUSE_PS2_FOCALTECH MOUSE_PS2_LIFEBOOK MOUSE_PS2_LOGIPS2PP MOUSE_PS2_SMBUS MOUSE_PS2_SYNAPTICS MOUSE_PS2_SYNAPTICS_SMBUS MOUSE_PS2_TRACKPOINT MOUSE_SYNAPTICS_USB MPLS MPLS_IPTUNNEL MPLS_ROUTING MPTCP MPTCP_IPV6 MRP MTD MTD_BLKDEVS MTD_BLOCK MTD_BLOCK2MTD MTD_CFI_I1 MTD_CFI_I2 MTD_MAP_BANK_WIDTH_1 MTD_MAP_BANK_WIDTH_2 MTD_MAP_BANK_WIDTH_4 MTD_MTDRAM MTD_PHRAM MTD_SLRAM MUSB_PIO_ONLY ND_BTT ND_CLAIM ND_PFN NETDEVSIM NETFILTER_ADVANCED NETFILTER_BPF_LINK NETFILTER_FAMILY_ARP NETFILTER_FAMILY_BRIDGE NETFILTER_NETLINK_ACCT NETFILTER_NETLINK_OSF NETFILTER_NETLINK_QUEUE NETFILTER_SYNPROXY NETFILTER_XTABLES_COMPAT NETFILTER_XT_CONNMARK NETFILTER_XT_MATCH_BPF NETFILTER_XT_MATCH_CGROUP NETFILTER_XT_MATCH_CLUSTER NETFILTER_XT_MATCH_COMMENT NETFILTER_XT_MATCH_CONNBYTES NETFILTER_XT_MATCH_CONNLABEL NETFILTER_XT_MATCH_CONNLIMIT NETFILTER_XT_MATCH_CONNMARK NETFILTER_XT_MATCH_CPU NETFILTER_XT_MATCH_DCCP NETFILTER_XT_MATCH_DEVGROUP NETFILTER_XT_MATCH_DSCP NETFILTER_XT_MATCH_ECN NETFILTER_XT_MATCH_ESP NETFILTER_XT_MATCH_HASHLIMIT NETFILTER_XT_MATCH_HELPER NETFILTER_XT_MATCH_HL NETFILTER_XT_MATCH_IPCOMP NETFILTER_XT_MATCH_IPRANGE NETFILTER_XT_MATCH_IPVS NETFILTER_XT_MATCH_L2TP NETFILTER_XT_MATCH_LENGTH NETFILTER_XT_MATCH_LIMIT NETFILTER_XT_MATCH_MAC NETFILTER_XT_MATCH_MARK NETFILTER_XT_MATCH_MULTIPORT NETFILTER_XT_MATCH_NFACCT NETFILTER_XT_MATCH_OSF NETFILTER_XT_MATCH_OWNER NETFILTER_XT_MATCH_PHYSDEV NETFILTER_XT_MATCH_PKTTYPE NETFILTER_XT_MATCH_QUOTA NETFILTER_XT_MATCH_RATEEST NETFILTER_XT_MATCH_REALM NETFILTER_XT_MATCH_RECENT NETFILTER_XT_MATCH_SCTP NETFILTER_XT_MATCH_SOCKET NETFILTER_XT_MATCH_STATISTIC NETFILTER_XT_MATCH_STRING NETFILTER_XT_MATCH_TCPMSS NETFILTER_XT_MATCH_TIME NETFILTER_XT_MATCH_U32 NETFILTER_XT_SET NETFILTER_XT_TARGET_AUDIT NETFILTER_XT_TARGET_CHECKSUM NETFILTER_XT_TARGET_CLASSIFY NETFILTER_XT_TARGET_CONNMARK NETFILTER_XT_TARGET_CT NETFILTER_XT_TARGET_DSCP NETFILTER_XT_TARGET_HL NETFILTER_XT_TARGET_HMARK NETFILTER_XT_TARGET_IDLETIMER NETFILTER_XT_TARGET_LED NETFILTER_XT_TARGET_MARK NETFILTER_XT_TARGET_NETMAP NETFILTER_XT_TARGET_NFQUEUE NETFILTER_XT_TARGET_NOTRACK NETFILTER_XT_TARGET_RATEEST NETFILTER_XT_TARGET_REDIRECT NETFILTER_XT_TARGET_TCPOPTSTRIP NETFILTER_XT_TARGET_TEE NETFILTER_XT_TARGET_TPROXY NETFILTER_XT_TARGET_TRACE NETLABEL NETLINK_DIAG NETROM NET_9P_RDMA NET_ACT_BPF NET_ACT_CONNMARK NET_ACT_CSUM NET_ACT_CT NET_ACT_CTINFO NET_ACT_GATE NET_ACT_IFE NET_ACT_MPLS NET_ACT_NAT NET_ACT_PEDIT NET_ACT_POLICE NET_ACT_SAMPLE NET_ACT_SIMP NET_ACT_SKBEDIT NET_ACT_SKBMOD NET_ACT_TUNNEL_KEY NET_ACT_VLAN NET_CLS_BASIC NET_CLS_BPF NET_CLS_FLOW NET_CLS_FLOWER NET_CLS_FW NET_CLS_MATCHALL NET_CLS_ROUTE4 NET_CRC32C NET_DEVLINK NET_DEVMEM NET_DROP_MONITOR NET_DSA NET_DSA_TAG_BRCM NET_DSA_TAG_BRCM_COMMON NET_DSA_TAG_BRCM_PREPEND NET_DSA_TAG_MTK NET_DSA_TAG_QCA NET_DSA_TAG_RTL4_A NET_EMATCH_CANID NET_EMATCH_CMP NET_EMATCH_IPSET NET_EMATCH_IPT NET_EMATCH_META NET_EMATCH_NBYTE NET_EMATCH_TEXT NET_EMATCH_U32 NET_FC NET_FOU NET_FOU_IP_TUNNELS NET_IFE NET_IFE_SKBMARK NET_IFE_SKBPRIO NET_IFE_SKBTCINDEX NET_IPGRE NET_IPGRE_BROADCAST NET_IPGRE_DEMUX NET_IPIP NET_IPVTI NET_KEY NET_KEY_MIGRATE NET_L3_MASTER_DEV NET_MPLS_GSO NET_NCSI NET_NSH NET_REDIRECT NET_SCH_CAKE NET_SCH_CBS NET_SCH_CHOKE NET_SCH_CODEL NET_SCH_DRR NET_SCH_ETF NET_SCH_ETS NET_SCH_FQ NET_SCH_FQ_CODEL NET_SCH_FQ_PIE NET_SCH_GRED NET_SCH_HFSC NET_SCH_HHF NET_SCH_HTB NET_SCH_INGRESS NET_SCH_MQPRIO NET_SCH_MQPRIO_LIB NET_SCH_MULTIQ NET_SCH_NETEM NET_SCH_PIE NET_SCH_PLUG NET_SCH_PRIO NET_SCH_QFQ NET_SCH_RED NET_SCH_SFB NET_SCH_SFQ NET_SCH_SKBPRIO NET_SCH_TAPRIO NET_SCH_TBF NET_SCH_TEQL NET_SHAPER NET_SOCK_MSG NET_SWITCHDEV NET_TC_SKB_EXT NET_TEAM NET_TEAM_MODE_ACTIVEBACKUP NET_TEAM_MODE_BROADCAST NET_TEAM_MODE_LOADBALANCE NET_TEAM_MODE_RANDOM NET_TEAM_MODE_ROUNDROBIN NET_UDP_TUNNEL NET_VRF NFC NFC_DIGITAL NFC_FDP NFC_HCI NFC_MRVL NFC_MRVL_USB NFC_NCI NFC_NCI_UART NFC_PN533 NFC_PN533_USB NFC_PORT100 NFC_SHDLC NFC_SIM NFC_VIRTUAL_NCI NFSD NFSD_BLOCKLAYOUT NFSD_FLEXFILELAYOUT NFSD_PNFS NFSD_SCSILAYOUT NFSD_V3_ACL NFSD_V4 NFSD_V4_2_INTER_SSC NFSD_V4_SECURITY_LABEL NFS_FSCACHE NFS_V4_1 NFS_V4_2 NFS_V4_2_READ_PLUS NFS_V4_2_SSC_HELPER NFS_V4_SECURITY_LABEL NFT_BRIDGE_META NFT_BRIDGE_REJECT NFT_COMPAT NFT_COMPAT_ARP NFT_CONNLIMIT NFT_CT NFT_DUP_IPV4 NFT_DUP_IPV6 NFT_DUP_NETDEV NFT_FIB NFT_FIB_INET NFT_FIB_IPV4 NFT_FIB_IPV6 NFT_FIB_NETDEV NFT_FLOW_OFFLOAD NFT_HASH NFT_LIMIT NFT_LOG NFT_MASQ NFT_NAT NFT_NUMGEN NFT_OSF NFT_QUEUE NFT_QUOTA NFT_REDIR NFT_REJECT NFT_REJECT_INET NFT_REJECT_IPV4 NFT_REJECT_IPV6 NFT_REJECT_NETDEV NFT_SOCKET NFT_SYNPROXY NFT_TPROXY NFT_TUNNEL NFT_XFRM NF_CONNTRACK_AMANDA NF_CONNTRACK_BRIDGE NF_CONNTRACK_BROADCAST NF_CONNTRACK_EVENTS NF_CONNTRACK_H323 NF_CONNTRACK_LABELS NF_CONNTRACK_MARK NF_CONNTRACK_NETBIOS_NS NF_CONNTRACK_OVS NF_CONNTRACK_PPTP NF_CONNTRACK_SANE NF_CONNTRACK_TFTP NF_FLOW_TABLE NF_TABLES NF_TABLES_ARP NF_TABLES_BRIDGE NF_TABLES_INET NF_TABLES_IPV4 NF_TABLES_IPV6 NF_TABLES_NETDEV PAGE_POOL PARTITION_ADVANCED PSAMPLE RC_CORE RC_DEVICES RFKILL SPI USB_GADGET USB_MUSB_HDRC VIDEO_DEV WAN WATCH_QUEUE WIRELESS WLAN WWAN X25] disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed picked [v6.15 v6.14 v6.13 v6.11 v6.9 v6.7 v6.5 v6.3 v6.0 v5.17 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 38 release tags testing release v6.15 testing commit 0ff41df1cb268fc69e703a08a57ee14ae967d0ca gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: e568c71c4e76d3c5f95c1ba2a82d92f933b6a6834a3bd329d3a2f246606f1630 all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] testing release v6.14 testing commit 38fec10eb60d687e30c8c6b5420d86e8149f7557 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: eede885a1c58e4567f0061607faf7e6ce5dc66403d189c49431707d13f49b1ff all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] testing release v6.13 testing commit ffd294d346d185b70e28b1a28abe367bbfe53c04 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: a1c21ac8519bc3b47c347e663758a64fe37d9685377074aa3e780da66c3bf363 all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] testing release v6.11 testing commit 98f7e32f20d28ec452afb208f9cffc08448a2652 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: e74616fe1d922d07e2e316ef88277cc4dc928c424c6a904414be836ac19bd321 all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] testing release v6.9 testing commit a38297e3fb012ddfa7ce0321a7e5a8daeb1872b6 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: a14b24b097f0dfce4869bc9a090c0add82df87010c5ea2e6dcf75080c9e6d341 all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] testing release v6.7 testing commit 0dd3ee31125508cd67f7e7172247f05b7fd1753a gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: c7e2bf2edc8b51c4796e037f7e95e0273e29f2049e4ab83524bb61f5dd6e632a all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] testing release v6.5 testing commit 2dde18cd1d8fac735875f2e4987f11817cc0bc2c gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 88821f76df624eb3dca38ed695d81e9b8d6a9dc3584fb3c45dec8dd1113b285f all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] testing release v6.3 testing commit 457391b0380335d5e9a5babdec90ac53928b23b4 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 28fd34185055cd9d8ce1c8ec52fd683f4f375b1ad99d13fd06285c9df3675b2a all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] testing release v6.0 testing commit 4fe89d07dcc2804c8b562f6c7896a45643d34b2f gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 failed building 4fe89d07dcc2804c8b562f6c7896a45643d34b2f: ld.lld: error: version script assignment of 'LINUX_2.6' to symbol '__vdso_sgx_enter_enclave' failed: symbol not defined llvm-objdump: error: 'arch/x86/entry/vdso/vdso64.so.dbg': No such file or directory llvm-objcopy: error: 'arch/x86/entry/vdso/vdso64.so.dbg': No such file or directory testing release v5.17 testing commit f443e374ae131c168a065ea1748feac6b2e76613 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 failed building f443e374ae131c168a065ea1748feac6b2e76613: scripts/sign-file.c:89:14: warning: 'ERR_get_error_line' is deprecated [-Wdeprecated-declarations] /usr/include/openssl/err.h:422:1: note: 'ERR_get_error_line' has been explicitly marked deprecated here scripts/sign-file.c:102:9: warning: 'ERR_get_error_line' is deprecated [-Wdeprecated-declarations] certs/extract-cert.c:46:14: warning: 'ERR_get_error_line' is deprecated [-Wdeprecated-declarations] certs/extract-cert.c:59:9: warning: 'ERR_get_error_line' is deprecated [-Wdeprecated-declarations] ld.lld: error: version script assignment of 'LINUX_2.6' to symbol '__vdso_sgx_enter_enclave' failed: symbol not defined llvm-objdump: error: 'arch/x86/entry/vdso/vdso64.so.dbg': No such file or directory llvm-objcopy: error: 'arch/x86/entry/vdso/vdso64.so.dbg': No such file or directory testing release v5.14 testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 72f13497f10a093082362ee492e22e845a70cd729190c1af6736ddc5ff453143 all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] testing release v5.11 testing commit f40ddce88593482919761f74910f42f4b84c004b gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 29fa015240f4ba9184db119fc9223bfb431ebff01f39fd9cf8f63a4b9de5c58d all runs: OK false negative chance: 0.000 # git bisect start 7d2a07b769330c34b4deabeed939325c77a7ec2f f40ddce88593482919761f74910f42f4b84c004b Bisecting: 24610 revisions left to test after this (roughly 15 steps) [85f3f17b5db2dd9f8a094a0ddc665555135afd22] Merge branch 'md-fixes' of https://git.kernel.org/pub/scm/linux/kernel/git/song/md into block-5.13 testing commit 85f3f17b5db2dd9f8a094a0ddc665555135afd22 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 29e68b55810ac9a0ce150f1732a3e9686e9ee37d61dd9b667f4c90004d000882 all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] # git bisect bad 85f3f17b5db2dd9f8a094a0ddc665555135afd22 Bisecting: 11313 revisions left to test after this (roughly 14 steps) [e216674a5b5781694223ff3f0c4f2cc721a36ab0] Merge branch '10GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue testing commit e216674a5b5781694223ff3f0c4f2cc721a36ab0 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 0cbc73d6b31964e2d93981ba39a0fe32b0fcb01c02fc93daa5fb5fc1635e5934 all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] # git bisect bad e216674a5b5781694223ff3f0c4f2cc721a36ab0 Bisecting: 5786 revisions left to test after this (roughly 13 steps) [de1617578849acab8e16c9ffdce39b91fb50639d] Merge tag 'media/v5.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit de1617578849acab8e16c9ffdce39b91fb50639d gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: c59b0e8813abfd8e4b80ee3216f7566d98d3a1c778077bfb470414b63538dc07 all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] # git bisect bad de1617578849acab8e16c9ffdce39b91fb50639d Bisecting: 2703 revisions left to test after this (roughly 12 steps) [e767b3530acbf651593e3d357fe1168a024d8061] Merge tag 'arm-drivers-v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit e767b3530acbf651593e3d357fe1168a024d8061 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: c0d16f7fc8d2a3da8cb58d0ed3056851918963f06d59f997f6ec99e434ef7df0 all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] # git bisect bad e767b3530acbf651593e3d357fe1168a024d8061 Bisecting: 1466 revisions left to test after this (roughly 11 steps) [295f830e53f4838344c97e12ce69637e2128ca8d] rxrpc: Fix dependency on IPv6 in udp tunnel config testing commit 295f830e53f4838344c97e12ce69637e2128ca8d gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 5ab408de046543bb049431431bf494098c41c2f1d4e15928c734a8611bf21db4 all runs: OK false negative chance: 0.000 # git bisect good 295f830e53f4838344c97e12ce69637e2128ca8d Bisecting: 736 revisions left to test after this (roughly 10 steps) [56bf6fc266ca14d2b9276c8a62e4ff6783bfe68b] Merge tag 'arm-defconfig-v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 56bf6fc266ca14d2b9276c8a62e4ff6783bfe68b gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: c0d16f7fc8d2a3da8cb58d0ed3056851918963f06d59f997f6ec99e434ef7df0 all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] # git bisect bad 56bf6fc266ca14d2b9276c8a62e4ff6783bfe68b Bisecting: 367 revisions left to test after this (roughly 9 steps) [9ec5eea5b6acfae7279203097eeec5d02d01d9b7] lib/parman: Delete newline testing commit 9ec5eea5b6acfae7279203097eeec5d02d01d9b7 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 67006aaaed081d8488816873f6bfcffd2bdc93771a0f9fd048585dc7017487e2 all runs: OK false negative chance: 0.000 # git bisect good 9ec5eea5b6acfae7279203097eeec5d02d01d9b7 Bisecting: 195 revisions left to test after this (roughly 8 steps) [86dd9868b8788a9063893a97649594af93cd5aa6] net: dsa: tag_rtl4_a: Support also egress tags testing commit 86dd9868b8788a9063893a97649594af93cd5aa6 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: fb0fd7a46be9b086e8157b1088f63a09c443c87e078a1a6a0cff1913595571cd all runs: OK false negative chance: 0.000 # git bisect good 86dd9868b8788a9063893a97649594af93cd5aa6 Bisecting: 95 revisions left to test after this (roughly 7 steps) [584ce3c9b408a89fe5b7ac5b5b246b85c78defed] Merge tag 'arm-platform-removal-v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 584ce3c9b408a89fe5b7ac5b5b246b85c78defed gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: c0d16f7fc8d2a3da8cb58d0ed3056851918963f06d59f997f6ec99e434ef7df0 all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] # git bisect bad 584ce3c9b408a89fe5b7ac5b5b246b85c78defed Bisecting: 49 revisions left to test after this (roughly 6 steps) [7d3a7b9ea59ddb223aec59b45fa1713c633aaed4] ibmvnic: skip send_request_unmap for timeout reset testing commit 7d3a7b9ea59ddb223aec59b45fa1713c633aaed4 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 4ca40eecaf9d06e65170f476bd4b3e88199babf3878a64faf770cff8c223c629 all runs: OK false negative chance: 0.000 # git bisect good 7d3a7b9ea59ddb223aec59b45fa1713c633aaed4 Bisecting: 24 revisions left to test after this (roughly 5 steps) [797d3186544fcd5bfd7a03b9ef3e20c1db3802b8] ptp: ptp_clockmatrix: Add wait_for_sys_apll_dpll_lock. testing commit 797d3186544fcd5bfd7a03b9ef3e20c1db3802b8 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: bb4d3699431a86eab1017a0a0b71b4c99ec909a97b220f0f7e6da447cb26b8bb all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] # git bisect bad 797d3186544fcd5bfd7a03b9ef3e20c1db3802b8 Bisecting: 12 revisions left to test after this (roughly 4 steps) [597565556581d59641c0be50acaae87f7391a91b] net: mscc: ocelot: select PACKING in the Kconfig testing commit 597565556581d59641c0be50acaae87f7391a91b gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: cd0f6b35e8012e46e3fb47c923e40150e5ab7fdf8d037470d3c4ea15891b9c8f all runs: OK false negative chance: 0.000 # git bisect good 597565556581d59641c0be50acaae87f7391a91b Bisecting: 6 revisions left to test after this (roughly 3 steps) [80a2a40bd29646d6d411be9b4f06e10282844a74] r8169: use macro pm_ptr testing commit 80a2a40bd29646d6d411be9b4f06e10282844a74 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: bb4d3699431a86eab1017a0a0b71b4c99ec909a97b220f0f7e6da447cb26b8bb all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] # git bisect bad 80a2a40bd29646d6d411be9b4f06e10282844a74 Bisecting: 2 revisions left to test after this (roughly 2 steps) [6001a930ce0378b62210d4f83583fc88a903d89d] netfilter: nftables: introduce table ownership testing commit 6001a930ce0378b62210d4f83583fc88a903d89d gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 16cd0db3f606fca442b4b9cdc011479508e9f14f2610ff55fcec115d646d9277 all runs: crashed: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry representative crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry, types: [KASAN-READ] # git bisect bad 6001a930ce0378b62210d4f83583fc88a903d89d Bisecting: 0 revisions left to test after this (roughly 1 step) [00dfe9bebdf09c37827fb71db89c66a396f1a38c] netfilter: nftables: add helper function to release hooks of one single table testing commit 00dfe9bebdf09c37827fb71db89c66a396f1a38c gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: b3244bfdecc96bb872e6c8b32eee81336b49fec803e616b90c8d01f82d2da1e0 all runs: OK false negative chance: 0.000 # git bisect good 00dfe9bebdf09c37827fb71db89c66a396f1a38c 6001a930ce0378b62210d4f83583fc88a903d89d is the first bad commit commit 6001a930ce0378b62210d4f83583fc88a903d89d Author: Pablo Neira Ayuso Date: Mon Feb 15 12:28:07 2021 +0100 netfilter: nftables: introduce table ownership A userspace daemon like firewalld might need to monitor for netlink updates to detect its ruleset removal by the (global) flush ruleset command to ensure ruleset persistency. This adds extra complexity from userspace and, for some little time, the firewall policy is not in place. This patch adds the NFT_TABLE_F_OWNER flag which allows a userspace program to own the table that creates in exclusivity. Tables that are owned... - can only be updated and removed by the owner, non-owners hit EPERM if they try to update it or remove it. - are destroyed when the owner closes the netlink socket or the process is gone (implicit netlink socket closure). - are skipped by the global flush ruleset command. - are listed in the global ruleset. The userspace process that sets on the NFT_TABLE_F_OWNER flag need to leave open the netlink socket. A new NFTA_TABLE_OWNER netlink attribute specifies the netlink port ID to identify the owner from userspace. This patch also updates error reporting when an unknown table flag is specified to change it from EINVAL to EOPNOTSUPP given that EINVAL is usually reserved to report for malformed netlink messages to userspace. Signed-off-by: Pablo Neira Ayuso include/net/netfilter/nf_tables.h | 6 ++ include/uapi/linux/netfilter/nf_tables.h | 5 + net/netfilter/nf_tables_api.c | 163 ++++++++++++++++++++++--------- 3 files changed, 128 insertions(+), 46 deletions(-) accumulated error probability: 0.00 culprit signature: 16cd0db3f606fca442b4b9cdc011479508e9f14f2610ff55fcec115d646d9277 parent signature: b3244bfdecc96bb872e6c8b32eee81336b49fec803e616b90c8d01f82d2da1e0 revisions tested: 32, total time: 10h55m7.629943817s (build: 5h5m57.201052009s, test: 5h23m18.287085372s) first bad commit: 6001a930ce0378b62210d4f83583fc88a903d89d netfilter: nftables: introduce table ownership recipients (to): ["coreteam@netfilter.org" "davem@davemloft.net" "fw@strlen.de" "kadlec@netfilter.org" "kuba@kernel.org" "netdev@vger.kernel.org" "netfilter-devel@vger.kernel.org" "pablo@netfilter.org" "pablo@netfilter.org"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: KASAN: slab-out-of-bounds Read in nfacct_mt_checkentry ================================================================== BUG: KASAN: slab-out-of-bounds in string_nocheck lib/vsprintf.c:611 [inline] BUG: KASAN: slab-out-of-bounds in string+0x39c/0x3d0 lib/vsprintf.c:693 Read of size 1 at addr ffff888106b80bc8 by task syz.2.16/5298 CPU: 0 PID: 5298 Comm: syz.2.16 Not tainted 5.11.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0xbe/0xf9 lib/dump_stack.c:120 print_address_description.constprop.0+0x18/0x170 mm/kasan/report.c:230 __kasan_report mm/kasan/report.c:396 [inline] kasan_report.cold+0x7f/0x10e mm/kasan/report.c:413 string_nocheck lib/vsprintf.c:611 [inline] string+0x39c/0x3d0 lib/vsprintf.c:693 vsnprintf+0xa3f/0x16c0 lib/vsprintf.c:2619 vprintk_store+0x15d/0x790 kernel/printk/printk.c:1983 vprintk_emit+0xa2/0x330 kernel/printk/printk.c:2075 vprintk_func+0x8b/0x140 kernel/printk/printk_safe.c:393 printk+0xba/0xed kernel/printk/printk.c:2140 nfacct_mt_checkentry.cold+0x1a/0x1f net/netfilter/xt_nfacct.c:41 xt_check_match+0x278/0x650 net/netfilter/x_tables.c:501 __nft_match_init+0x43d/0x620 net/netfilter/nft_compat.c:474 nf_tables_newexpr net/netfilter/nf_tables_api.c:2669 [inline] nf_tables_newrule+0xd6e/0x2740 net/netfilter/nf_tables_api.c:3321 nfnetlink_rcv_batch+0x7a0/0x1e20 net/netfilter/nfnetlink.c:456 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline] nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x64e/0x8f0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd80 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0x151/0x190 net/socket.c:672 ____sys_sendmsg+0x709/0x870 net/socket.c:2345 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432 do_syscall_64+0x34/0x50 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f0522e1a929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f052288b038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f0523041fa0 RCX: 00007f0522e1a929 RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000003 RBP: 00007f0522e9cb39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f0523041fa0 R15: 00007ffc7aea58a8 Allocated by task 5298: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:401 [inline] ____kasan_kmalloc.constprop.0+0x84/0xa0 mm/kasan/common.c:429 kmalloc include/linux/slab.h:557 [inline] kzalloc include/linux/slab.h:682 [inline] nf_tables_newrule+0xadd/0x2740 net/netfilter/nf_tables_api.c:3303 nfnetlink_rcv_batch+0x7a0/0x1e20 net/netfilter/nfnetlink.c:456 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline] nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x64e/0x8f0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd80 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0x151/0x190 net/socket.c:672 ____sys_sendmsg+0x709/0x870 net/socket.c:2345 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432 do_syscall_64+0x34/0x50 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Last potentially related work creation: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_record_aux_stack+0xbc/0xe0 mm/kasan/generic.c:344 __call_rcu kernel/rcu/tree.c:2965 [inline] call_rcu+0xb6/0x670 kernel/rcu/tree.c:3038 nf_hook_entries_free net/netfilter/core.c:88 [inline] nf_hook_entries_free net/netfilter/core.c:75 [inline] __nf_unregister_net_hook+0x1f8/0x4a0 net/netfilter/core.c:489 nf_unregister_net_hook net/netfilter/core.c:502 [inline] nf_unregister_net_hooks+0x117/0x160 net/netfilter/core.c:576 ip6table_mangle_net_pre_exit+0x4c/0x60 net/ipv6/netfilter/ip6table_mangle.c:99 ops_pre_exit_list net/core/net_namespace.c:165 [inline] cleanup_net+0x452/0xb10 net/core/net_namespace.c:583 process_one_work+0x910/0x1250 kernel/workqueue.c:2275 worker_thread+0x4d4/0xe70 kernel/workqueue.c:2421 kthread+0x347/0x420 kernel/kthread.c:292 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296 The buggy address belongs to the object at ffff888106b80b80 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 72 bytes inside of 96-byte region [ffff888106b80b80, ffff888106b80be0) The buggy address belongs to the page: page:00000000cae82224 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106b80 flags: 0x200000000000200(slab) raw: 0200000000000200 ffffea0004095900 0000000400000004 ffff888100041780 raw: 0000000000000000 0000000080200020 00000001ffffffff ffff88810e6b0601 page dumped because: kasan: bad access detected pages's memcg:ffff88810e6b0601 page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 1977, ts 11687336174 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x136/0x1a0 mm/page_alloc.c:2297 prep_new_page mm/page_alloc.c:2306 [inline] get_page_from_freelist+0x20ee/0x2da0 mm/page_alloc.c:3945 __alloc_pages_nodemask+0x275/0x5b0 mm/page_alloc.c:4995 alloc_pages_current+0x1c9/0x370 mm/mempolicy.c:2267 alloc_pages include/linux/gfp.h:547 [inline] alloc_slab_page mm/slub.c:1618 [inline] allocate_slab+0x27f/0x450 mm/slub.c:1758 new_slab mm/slub.c:1821 [inline] new_slab_objects mm/slub.c:2578 [inline] ___slab_alloc+0x40e/0x6c0 mm/slub.c:2741 __slab_alloc mm/slub.c:2781 [inline] slab_alloc_node mm/slub.c:2857 [inline] slab_alloc mm/slub.c:2900 [inline] __kmalloc+0x299/0x2b0 mm/slub.c:3981 kmalloc include/linux/slab.h:557 [inline] kzalloc include/linux/slab.h:682 [inline] tomoyo_encode2.part.0+0xe9/0x3a0 security/tomoyo/realpath.c:45 tomoyo_encode2 security/tomoyo/realpath.c:31 [inline] tomoyo_encode+0x28/0x50 security/tomoyo/realpath.c:80 tomoyo_realpath_from_path+0x188/0x620 security/tomoyo/realpath.c:288 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_check_open_permission+0x255/0x350 security/tomoyo/file.c:771 tomoyo_file_open security/tomoyo/tomoyo.c:313 [inline] tomoyo_file_open+0xa3/0xd0 security/tomoyo/tomoyo.c:308 security_file_open+0x58/0x500 security/security.c:1576 do_dentry_open+0x4ec/0x1070 fs/open.c:804 do_open fs/namei.c:3254 [inline] path_openat+0x18c5/0x26b0 fs/namei.c:3371 do_filp_open+0x17e/0x3c0 fs/namei.c:3398 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1271 [inline] free_pcp_prepare+0x44a/0x5a0 mm/page_alloc.c:1306 free_unref_page_prepare mm/page_alloc.c:3200 [inline] free_unref_page+0x39/0x1f0 mm/page_alloc.c:3248 kasan_depopulate_vmalloc_pte+0x59/0x70 mm/kasan/shadow.c:346 apply_to_pte_range mm/memory.c:2408 [inline] apply_to_pmd_range mm/memory.c:2444 [inline] apply_to_pud_range mm/memory.c:2472 [inline] apply_to_p4d_range mm/memory.c:2500 [inline] __apply_to_page_range+0x7bc/0x1350 mm/memory.c:2527 kasan_release_vmalloc+0xa7/0xc0 mm/kasan/shadow.c:456 __purge_vmap_area_lazy+0x8cf/0x1c80 mm/vmalloc.c:1381 _vm_unmap_aliases.part.0+0x2d7/0x3c0 mm/vmalloc.c:1784 _vm_unmap_aliases mm/vmalloc.c:1753 [inline] vm_unmap_aliases+0x2f/0x40 mm/vmalloc.c:1807 change_page_attr_set_clr+0x23f/0x4f0 arch/x86/mm/pat/set_memory.c:1732 change_page_attr_set arch/x86/mm/pat/set_memory.c:1782 [inline] set_memory_nx+0xb2/0x110 arch/x86/mm/pat/set_memory.c:1930 free_init_pages+0x52/0x80 arch/x86/mm/init.c:878 free_kernel_image_pages+0x20/0x50 arch/x86/mm/init.c:897 kernel_init+0x17/0x1bc init/main.c:1426 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296 Memory state around the buggy address: ffff888106b80a80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff888106b80b00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff888106b80b80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc ^ ffff888106b80c00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc ffff888106b80c80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc ==================================================================