================================================================== BUG: KASAN: slab-use-after-free in read_pnet include/net/net_namespace.h:419 [inline] BUG: KASAN: slab-use-after-free in dev_net include/linux/netdevice.h:2741 [inline] BUG: KASAN: slab-use-after-free in nf_hook_entry_head+0x302/0x320 net/netfilter/core.c:319 Read of size 8 at addr ffff88802e764108 by task kworker/u8:2/36 CPU: 1 UID: 0 PID: 36 Comm: kworker/u8:2 Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x156/0x4c9 mm/kasan/report.c:482 kasan_report+0xdf/0x1e0 mm/kasan/report.c:595 read_pnet include/net/net_namespace.h:419 [inline] dev_net include/linux/netdevice.h:2741 [inline] nf_hook_entry_head+0x302/0x320 net/netfilter/core.c:319 __nf_unregister_net_hook+0x7e/0x6a0 net/netfilter/core.c:491 nf_unregister_net_hook+0xda/0x120 net/netfilter/core.c:536 nft_unregister_flowtable_ops net/netfilter/nf_tables_api.c:8895 [inline] __nft_unregister_flowtable_net_hooks+0xf7/0x3f0 net/netfilter/nf_tables_api.c:8910 __nft_release_hook+0x243/0x360 net/netfilter/nf_tables_api.c:11899 __nft_release_hooks net/netfilter/nf_tables_api.c:11913 [inline] nf_tables_pre_exit_net+0xc5/0x120 net/netfilter/nf_tables_api.c:12064 ops_pre_exit_list net/core/net_namespace.c:161 [inline] ops_undo_list+0x187/0xab0 net/core/net_namespace.c:234 cleanup_net+0x499/0x920 net/core/net_namespace.c:704 process_one_work+0x9d7/0x1920 kernel/workqueue.c:3275 process_scheduled_works kernel/workqueue.c:3358 [inline] worker_thread+0x5da/0xe40 kernel/workqueue.c:3439 kthread+0x370/0x450 kernel/kthread.c:467 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Allocated by task 9312: kasan_save_stack+0x30/0x50 mm/kasan/common.c:57 kasan_save_track+0x14/0x30 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __do_kmalloc_node mm/slub.c:5219 [inline] __kmalloc_node_track_caller_noprof+0x304/0x850 mm/slub.c:5327 __do_krealloc mm/slub.c:6589 [inline] krealloc_node_align_noprof+0x30a/0x3e0 mm/slub.c:6648 copy_array.constprop.0+0x93/0x110 kernel/bpf/verifier.c:1400 copy_stack_state kernel/bpf/verifier.c:1460 [inline] copy_func_state kernel/bpf/verifier.c:1741 [inline] copy_verifier_state+0xad8/0x1010 kernel/bpf/verifier.c:1787 is_state_visited kernel/bpf/verifier.c:20707 [inline] do_check kernel/bpf/verifier.c:21177 [inline] do_check_common+0x632d/0xcb00 kernel/bpf/verifier.c:24589 do_check_main kernel/bpf/verifier.c:24672 [inline] bpf_check+0xbd53/0xcd50 kernel/bpf/verifier.c:25996 bpf_prog_load+0x1c86/0x2c20 kernel/bpf/syscall.c:3089 __sys_bpf+0x223a/0x4b90 kernel/bpf/syscall.c:6228 __do_sys_bpf kernel/bpf/syscall.c:6341 [inline] __se_sys_bpf kernel/bpf/syscall.c:6339 [inline] __x64_sys_bpf+0x7b/0xc0 kernel/bpf/syscall.c:6339 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 9312: kasan_save_stack+0x30/0x50 mm/kasan/common.c:57 kasan_save_track+0x14/0x30 mm/kasan/common.c:78 kasan_save_free_info+0x3b/0x70 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2687 [inline] slab_free mm/slub.c:6124 [inline] kfree+0x1f6/0x6b0 mm/slub.c:6442 free_func_state kernel/bpf/verifier.c:1677 [inline] free_func_state kernel/bpf/verifier.c:1673 [inline] free_verifier_state+0x99/0x270 kernel/bpf/verifier.c:1694 free_states kernel/bpf/verifier.c:24460 [inline] do_check_common+0x2917/0xcb00 kernel/bpf/verifier.c:24593 do_check_main kernel/bpf/verifier.c:24672 [inline] bpf_check+0xbd53/0xcd50 kernel/bpf/verifier.c:25996 bpf_prog_load+0x1c86/0x2c20 kernel/bpf/syscall.c:3089 __sys_bpf+0x223a/0x4b90 kernel/bpf/syscall.c:6228 __do_sys_bpf kernel/bpf/syscall.c:6341 [inline] __se_sys_bpf kernel/bpf/syscall.c:6339 [inline] __x64_sys_bpf+0x7b/0xc0 kernel/bpf/syscall.c:6339 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88802e764000 which belongs to the cache kmalloc-cg-8k of size 8192 The buggy address is located 264 bytes inside of freed 8192-byte region [ffff88802e764000, ffff88802e766000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2e760 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff88802d708b01 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88813fe56640 dead000000000100 dead000000000122 raw: 0000000000000000 0000000800020002 00000000f5000000 ffff88802d708b01 head: 00fff00000000040 ffff88813fe56640 dead000000000100 dead000000000122 head: 0000000000000000 0000000800020002 00000000f5000000 ffff88802d708b01 head: 00fff00000000003 ffffea0000b9d801 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd60c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5811, tgid 5811 (syz-executor), ts 60833043834, free_ts 47273777943 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889 prep_new_page mm/page_alloc.c:1897 [inline] get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3962 __alloc_frozen_pages_noprof+0x27c/0x2ba0 mm/page_alloc.c:5250 alloc_slab_page mm/slub.c:3255 [inline] allocate_slab mm/slub.c:3444 [inline] new_slab+0xa6/0x6d0 mm/slub.c:3502 refill_objects+0x26b/0x400 mm/slub.c:7134 refill_sheaf mm/slub.c:2804 [inline] alloc_full_sheaf mm/slub.c:2825 [inline] __pcs_replace_empty_main+0x19f/0x600 mm/slub.c:4588 alloc_from_pcs mm/slub.c:4681 [inline] slab_alloc_node mm/slub.c:4815 [inline] __do_kmalloc_node mm/slub.c:5218 [inline] __kvmalloc_node_noprof+0x7da/0xa00 mm/slub.c:6711 alloc_netdev_mqs+0xd7/0x14f0 net/core/dev.c:12017 rtnl_create_link+0xc13/0xf80 net/core/rtnetlink.c:3648 rtnl_newlink_create net/core/rtnetlink.c:3830 [inline] __rtnl_newlink net/core/rtnetlink.c:3957 [inline] rtnl_newlink+0x13b8/0x2380 net/core/rtnetlink.c:4072 rtnetlink_rcv_msg+0x95e/0xe90 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x159/0x420 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x8b0/0xda0 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] __sys_sendto+0x4aa/0x520 net/socket.c:2206 __do_sys_sendto net/socket.c:2213 [inline] __se_sys_sendto net/socket.c:2209 [inline] __x64_sys_sendto+0xe0/0x1c0 net/socket.c:2209 page last free pid 5768 tgid 5768 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1433 [inline] __free_frozen_pages+0x7e1/0x10d0 mm/page_alloc.c:2978 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xe0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4501 [inline] slab_alloc_node mm/slub.c:4830 [inline] kmem_cache_alloc_noprof+0x241/0x6e0 mm/slub.c:4837 anon_vma_chain_alloc mm/rmap.c:142 [inline] __anon_vma_prepare+0xae/0x5e0 mm/rmap.c:194 __vmf_anon_prepare+0x11f/0x250 mm/memory.c:3734 vmf_anon_prepare mm/internal.h:502 [inline] do_anonymous_page+0x552/0x1fb0 mm/memory.c:5261 do_pte_missing mm/memory.c:4475 [inline] handle_pte_fault mm/memory.c:6316 [inline] __handle_mm_fault+0x1d42/0x2b60 mm/memory.c:6454 handle_mm_fault+0x36d/0xa20 mm/memory.c:6623 do_user_addr_fault+0x5a3/0x12f0 arch/x86/mm/fault.c:1334 handle_page_fault arch/x86/mm/fault.c:1474 [inline] exc_page_fault+0x6f/0xd0 arch/x86/mm/fault.c:1527 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618 Memory state around the buggy address: ffff88802e764000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802e764080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88802e764100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88802e764180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802e764200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================