================================================================== BUG: KASAN: use-after-free in nft_commit_release net/netfilter/nf_tables_api.c:8332 [inline] BUG: KASAN: use-after-free in nf_tables_trans_destroy_work+0xd32/0xdb0 net/netfilter/nf_tables_api.c:8378 Read of size 1 at addr ffff88806acae054 by task kworker/1:2/1519 CPU: 1 PID: 1519 Comm: kworker/1:2 Not tainted 5.18.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Workqueue: events nf_tables_trans_destroy_work Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x163/0x213 lib/dump_stack.c:106 print_address_description+0x65/0x4b0 mm/kasan/report.c:313 print_report+0xf4/0x210 mm/kasan/report.c:429 kasan_report+0xfb/0x130 mm/kasan/report.c:491 nft_commit_release net/netfilter/nf_tables_api.c:8332 [inline] nf_tables_trans_destroy_work+0xd32/0xdb0 net/netfilter/nf_tables_api.c:8378 process_one_work+0x794/0xc10 kernel/workqueue.c:2289 worker_thread+0x8ff/0xfe0 kernel/workqueue.c:2436 kthread+0x228/0x2a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 Allocated by task 4360: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] ____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:515 kasan_kmalloc include/linux/kasan.h:234 [inline] kmem_cache_alloc_trace+0x94/0x310 mm/slub.c:3255 kmalloc include/linux/slab.h:588 [inline] kzalloc include/linux/slab.h:721 [inline] nf_tables_addchain net/netfilter/nf_tables_api.c:2253 [inline] nf_tables_newchain+0x1098/0x2920 net/netfilter/nf_tables_api.c:2586 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] nfnetlink_rcv+0xc5a/0x1fa0 net/netfilter/nfnetlink.c:652 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x5d8/0x850 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x752/0xb00 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] ____sys_sendmsg+0x487/0x780 net/socket.c:2492 ___sys_sendmsg net/socket.c:2546 [inline] __sys_sendmsg+0x1f5/0x2b0 net/socket.c:2575 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Freed by task 4359: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track+0x4c/0x70 mm/kasan/common.c:45 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:370 ____kasan_slab_free+0xd8/0x110 mm/kasan/common.c:366 kasan_slab_free include/linux/kasan.h:200 [inline] slab_free_hook mm/slub.c:1727 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1753 slab_free mm/slub.c:3507 [inline] kfree+0xc6/0x210 mm/slub.c:4555 __nft_release_table+0xbb4/0xd90 net/netfilter/nf_tables_api.c:9837 nft_rcv_nl_event+0x3cd/0x480 net/netfilter/nf_tables_api.c:9888 notifier_call_chain kernel/notifier.c:84 [inline] blocking_notifier_call_chain+0xff/0x140 kernel/notifier.c:319 netlink_release+0xce2/0x13c0 net/netlink/af_netlink.c:790 __sock_release net/socket.c:650 [inline] sock_close+0xcc/0x230 net/socket.c:1365 __fput+0x2de/0x650 fs/file_table.c:317 task_work_run+0xd6/0x160 kernel/task_work.c:177 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0x134/0x160 kernel/entry/common.c:169 exit_to_user_mode_prepare+0xad/0x110 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x2e/0x60 kernel/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x46/0xb0 The buggy address belongs to the object at ffff88806acae000 which belongs to the cache kmalloc-cg-128 of size 128 The buggy address is located 84 bytes inside of 128-byte region [ffff88806acae000, ffff88806acae080) The buggy address belongs to the physical page: page:ffffea0001ab2b80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6acae memcg:ffff888074a84a01 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 0000000000000000 dead000000000122 ffff888010c42a00 raw: 0000000000000000 0000000080100010 00000001ffffffff ffff888074a84a01 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 4360, tgid 4359 (syz-executor.0), ts 96984445763, free_ts 96958463163 prep_new_page mm/page_alloc.c:2441 [inline] get_page_from_freelist+0x72e/0x7a0 mm/page_alloc.c:4182 __alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5408 alloc_slab_page+0x70/0xf0 mm/slub.c:1797 allocate_slab+0x5e/0x520 mm/slub.c:1942 new_slab mm/slub.c:2002 [inline] ___slab_alloc+0x41e/0xcd0 mm/slub.c:3002 __slab_alloc mm/slub.c:3089 [inline] slab_alloc_node mm/slub.c:3180 [inline] slab_alloc mm/slub.c:3222 [inline] kmem_cache_alloc_trace+0x25c/0x310 mm/slub.c:3253 kmalloc include/linux/slab.h:588 [inline] kzalloc include/linux/slab.h:721 [inline] nf_tables_addchain net/netfilter/nf_tables_api.c:2253 [inline] nf_tables_newchain+0x1098/0x2920 net/netfilter/nf_tables_api.c:2586 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] nfnetlink_rcv+0xc5a/0x1fa0 net/netfilter/nfnetlink.c:652 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x5d8/0x850 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x752/0xb00 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] ____sys_sendmsg+0x487/0x780 net/socket.c:2492 ___sys_sendmsg net/socket.c:2546 [inline] __sys_sendmsg+0x1f5/0x2b0 net/socket.c:2575 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1356 [inline] free_pcp_prepare+0x812/0x900 mm/page_alloc.c:1406 free_unref_page_prepare mm/page_alloc.c:3328 [inline] free_unref_page_list+0x12c/0x890 mm/page_alloc.c:3460 release_pages+0x1cfc/0x1ed0 mm/swap.c:980 tlb_batch_pages_flush mm/mmu_gather.c:50 [inline] tlb_flush_mmu_free mm/mmu_gather.c:243 [inline] tlb_flush_mmu+0x58e/0x700 mm/mmu_gather.c:250 tlb_finish_mmu+0xad/0x1c0 mm/mmu_gather.c:341 exit_mmap+0x1b0/0x480 mm/mmap.c:3142 __mmput+0xc7/0x2f0 kernel/fork.c:1189 exit_mm+0x1e5/0x290 kernel/exit.c:510 do_exit+0x427/0x1ae0 kernel/exit.c:782 do_group_exit+0x104/0x2b0 kernel/exit.c:925 get_signal+0x11f4/0x1240 kernel/signal.c:2875 arch_do_signal_or_restart+0x8d/0x750 arch/x86/kernel/signal.c:869 exit_to_user_mode_loop+0x74/0x160 kernel/entry/common.c:166 exit_to_user_mode_prepare+0xad/0x110 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x2e/0x60 kernel/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Memory state around the buggy address: ffff88806acadf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88806acadf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88806acae000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88806acae080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88806acae100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================