==================================================================
BUG: KASAN: use-after-free in __nft_trace_packet+0x14f/0x180 net/netfilter/nf_tables_core.c:30
Read of size 1 at addr ffff88812fb14800 by task ksoftirqd/1/18

CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 5.15.175-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x8e/0xdd lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:451
 __nft_trace_packet+0x14f/0x180 net/netfilter/nf_tables_core.c:30
 nft_trace_verdict net/netfilter/nf_tables_core.c:110 [inline]
 nft_do_chain+0xc25/0x10d0 net/netfilter/nf_tables_core.c:256
 nft_do_chain_inet+0x149/0x310 net/netfilter/nft_chain_filter.c:161
 nf_hook_entry_hookfn include/linux/netfilter.h:142 [inline]
 nf_hook_slow+0xc5/0x1f0 net/netfilter/core.c:584
 nf_hook include/linux/netfilter.h:257 [inline]
 NF_HOOK include/linux/netfilter.h:300 [inline]
 ip_local_deliver+0x261/0x370 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:453 [inline]
 ip_rcv_finish+0x1da/0x2b0 net/ipv4/ip_input.c:447
 NF_HOOK include/linux/netfilter.h:302 [inline]
 NF_HOOK include/linux/netfilter.h:296 [inline]
 ip_rcv+0x209/0x230 net/ipv4/ip_input.c:566
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5493
 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5607
 process_backlog+0x2ae/0x6b0 net/core/dev.c:6484
 __napi_poll+0xb3/0x570 net/core/dev.c:7043
 napi_poll net/core/dev.c:7110 [inline]
 net_rx_action+0x856/0xb90 net/core/dev.c:7200
 handle_softirqs+0x14f/0x4f0 kernel/softirq.c:558
 run_ksoftirqd kernel/softirq.c:925 [inline]
 run_ksoftirqd+0x1a/0x20 kernel/softirq.c:917
 smpboot_thread_fn+0x35e/0x730 kernel/smpboot.c:164
 kthread+0x327/0x3e0 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

Allocated by task 18:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x61/0x80 mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:3220 [inline]
 kmem_cache_alloc_node+0x22b/0x340 mm/slub.c:3256
 __alloc_skb+0x20b/0x340 net/core/skbuff.c:415
 alloc_skb include/linux/skbuff.h:1162 [inline]
 synproxy_send_client_synack+0x1b7/0xd20 net/netfilter/nf_synproxy_core.c:482
 nft_synproxy_eval_v4 net/netfilter/nft_synproxy.c:59 [inline]
 nft_synproxy_do_eval+0xb2e/0xe90 net/netfilter/nft_synproxy.c:141
 expr_call_ops_eval net/netfilter/nf_tables_core.c:198 [inline]
 nft_do_chain+0x28c/0x10d0 net/netfilter/nf_tables_core.c:238
 nft_do_chain_inet+0x149/0x310 net/netfilter/nft_chain_filter.c:161
 nf_hook_entry_hookfn include/linux/netfilter.h:142 [inline]
 nf_hook_slow+0xc5/0x1f0 net/netfilter/core.c:584
 nf_hook include/linux/netfilter.h:257 [inline]
 NF_HOOK include/linux/netfilter.h:300 [inline]
 ip_local_deliver+0x261/0x370 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:453 [inline]
 ip_rcv_finish+0x1da/0x2b0 net/ipv4/ip_input.c:447
 NF_HOOK include/linux/netfilter.h:302 [inline]
 NF_HOOK include/linux/netfilter.h:296 [inline]
 ip_rcv+0x209/0x230 net/ipv4/ip_input.c:566
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5493
 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5607
 process_backlog+0x2ae/0x6b0 net/core/dev.c:6484
 __napi_poll+0xb3/0x570 net/core/dev.c:7043
 napi_poll net/core/dev.c:7110 [inline]
 net_rx_action+0x856/0xb90 net/core/dev.c:7200
 handle_softirqs+0x14f/0x4f0 kernel/softirq.c:558
 run_ksoftirqd kernel/softirq.c:925 [inline]
 run_ksoftirqd+0x1a/0x20 kernel/softirq.c:917
 smpboot_thread_fn+0x35e/0x730 kernel/smpboot.c:164
 kthread+0x327/0x3e0 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

Freed by task 18:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xe0/0x110 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1705 [inline]
 slab_free_freelist_hook mm/slub.c:1731 [inline]
 slab_free mm/slub.c:3499 [inline]
 kmem_cache_free+0x7e/0x450 mm/slub.c:3515
 kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:700
 __kfree_skb net/core/skbuff.c:757 [inline]
 consume_skb net/core/skbuff.c:914 [inline]
 consume_skb+0x11d/0x290 net/core/skbuff.c:908
 nft_synproxy_eval_v4 net/netfilter/nft_synproxy.c:60 [inline]
 nft_synproxy_do_eval+0xb36/0xe90 net/netfilter/nft_synproxy.c:141
 expr_call_ops_eval net/netfilter/nf_tables_core.c:198 [inline]
 nft_do_chain+0x28c/0x10d0 net/netfilter/nf_tables_core.c:238
 nft_do_chain_inet+0x149/0x310 net/netfilter/nft_chain_filter.c:161
 nf_hook_entry_hookfn include/linux/netfilter.h:142 [inline]
 nf_hook_slow+0xc5/0x1f0 net/netfilter/core.c:584
 nf_hook include/linux/netfilter.h:257 [inline]
 NF_HOOK include/linux/netfilter.h:300 [inline]
 ip_local_deliver+0x261/0x370 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:453 [inline]
 ip_rcv_finish+0x1da/0x2b0 net/ipv4/ip_input.c:447
 NF_HOOK include/linux/netfilter.h:302 [inline]
 NF_HOOK include/linux/netfilter.h:296 [inline]
 ip_rcv+0x209/0x230 net/ipv4/ip_input.c:566
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5493
 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5607
 process_backlog+0x2ae/0x6b0 net/core/dev.c:6484
 __napi_poll+0xb3/0x570 net/core/dev.c:7043
 napi_poll net/core/dev.c:7110 [inline]
 net_rx_action+0x856/0xb90 net/core/dev.c:7200
 handle_softirqs+0x14f/0x4f0 kernel/softirq.c:558
 run_ksoftirqd kernel/softirq.c:925 [inline]
 run_ksoftirqd+0x1a/0x20 kernel/softirq.c:917
 smpboot_thread_fn+0x35e/0x730 kernel/smpboot.c:164
 kthread+0x327/0x3e0 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

The buggy address belongs to the object at ffff88812fb14780
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 128 bytes inside of
 232-byte region [ffff88812fb14780, ffff88812fb14868)
The buggy address belongs to the page:
page:ffffea0004bec500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12fb14
flags: 0x200000000000200(slab|node=0|zone=2)
raw: 0200000000000200 0000000000000000 dead000000000122 ffff8881089e7000
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 18, ts 85669653430, free_ts 85646339738
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x12ff/0x3170 mm/page_alloc.c:4192
 __alloc_pages+0x1b2/0x420 mm/page_alloc.c:5465
 alloc_pages+0x16f/0x3d0 mm/mempolicy.c:2185
 alloc_slab_page mm/slub.c:1775 [inline]
 allocate_slab+0x2eb/0x430 mm/slub.c:1912
 new_slab mm/slub.c:1975 [inline]
 ___slab_alloc+0xb1c/0xf80 mm/slub.c:3008
 __slab_alloc mm/slub.c:3095 [inline]
 slab_alloc_node mm/slub.c:3186 [inline]
 kmem_cache_alloc_node+0x2e3/0x340 mm/slub.c:3256
 __alloc_skb+0x20b/0x340 net/core/skbuff.c:415
 alloc_skb include/linux/skbuff.h:1162 [inline]
 synproxy_send_client_synack+0x1b7/0xd20 net/netfilter/nf_synproxy_core.c:482
 nft_synproxy_eval_v4 net/netfilter/nft_synproxy.c:59 [inline]
 nft_synproxy_do_eval+0xb2e/0xe90 net/netfilter/nft_synproxy.c:141
 expr_call_ops_eval net/netfilter/nf_tables_core.c:198 [inline]
 nft_do_chain+0x28c/0x10d0 net/netfilter/nf_tables_core.c:238
 nft_do_chain_inet+0x149/0x310 net/netfilter/nft_chain_filter.c:161
 nf_hook_entry_hookfn include/linux/netfilter.h:142 [inline]
 nf_hook_slow+0xc5/0x1f0 net/netfilter/core.c:584
 nf_hook include/linux/netfilter.h:257 [inline]
 NF_HOOK include/linux/netfilter.h:300 [inline]
 ip_local_deliver+0x261/0x370 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:453 [inline]
 ip_rcv_finish+0x1da/0x2b0 net/ipv4/ip_input.c:447
 NF_HOOK include/linux/netfilter.h:302 [inline]
 NF_HOOK include/linux/netfilter.h:296 [inline]
 ip_rcv+0x209/0x230 net/ipv4/ip_input.c:566
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5493
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare+0x34e/0x730 mm/page_alloc.c:1391
 free_unref_page_prepare mm/page_alloc.c:3317 [inline]
 free_unref_page_list+0x16f/0xbb0 mm/page_alloc.c:3433
 release_pages+0x4b9/0x19b0 mm/swap.c:963
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
 tlb_flush_mmu mm/mmu_gather.c:247 [inline]
 tlb_finish_mmu+0x165/0x8c0 mm/mmu_gather.c:338
 exit_mmap+0x1ea/0x6d0 mm/mmap.c:3206
 __mmput+0xd6/0x440 kernel/fork.c:1127
 mmput+0x40/0x50 kernel/fork.c:1148
 exit_mm kernel/exit.c:550 [inline]
 do_exit+0x9e1/0x2690 kernel/exit.c:861
 do_group_exit+0x125/0x310 kernel/exit.c:996
 __do_sys_exit_group kernel/exit.c:1007 [inline]
 __se_sys_exit_group kernel/exit.c:1005 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:1005
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x33/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Memory state around the buggy address:
 ffff88812fb14700: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
 ffff88812fb14780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88812fb14800: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
                   ^
 ffff88812fb14880: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff88812fb14900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================