==================================================================
BUG: KASAN: use-after-free in nf_hook_entries_grow+0x5ef/0x760
Read of size 4 at addr ffff888070133338 by task syz-executor.2/3684

CPU: 0 PID: 3684 Comm: syz-executor.2 Not tainted 5.17.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 dump_stack_lvl+0x1e3/0x2cb
 print_address_description+0x62/0x360
 kasan_report+0x16b/0x1c0
 nf_hook_entries_grow+0x5ef/0x760
 __nf_register_net_hook+0x237/0x890
 nf_register_net_hook+0xac/0x180
 nft_register_flowtable_net_hooks+0x3a3/0x700
 nf_tables_newflowtable+0x18ee/0x2530
 nfnetlink_rcv+0x11b8/0x25f0
 netlink_unicast+0x7b6/0x980
 netlink_sendmsg+0x9fb/0xd00
 ____sys_sendmsg+0x59e/0x8f0
 __sys_sendmsg+0x25a/0x340
 do_syscall_64+0x44/0xd0
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x56482fe0df69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3f46c130c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000056482ff3bf80 RCX: 000056482fe0df69
RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
RBP: 000056482fe5a4a4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 000056482ff3bf80 R15: 00007ffd57ab7d78
 </TASK>

Allocated by task 3682:
 ____kasan_kmalloc+0xdb/0x110
 kmem_cache_alloc_trace+0x148/0x270
 nf_tables_parse_netdev_hooks+0x194/0x6d0
 nft_flowtable_parse_hook+0x466/0x880
 nf_tables_newflowtable+0x12f6/0x2530
 nfnetlink_rcv+0x11b8/0x25f0
 netlink_unicast+0x7b6/0x980
 netlink_sendmsg+0x9fb/0xd00
 ____sys_sendmsg+0x59e/0x8f0
 __sys_sendmsg+0x25a/0x340
 do_syscall_64+0x44/0xd0
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 3679:
 kasan_set_track+0x4b/0x70
 kasan_set_free_info+0x1f/0x40
 ____kasan_slab_free+0x11f/0x170
 slab_free_freelist_hook+0x12c/0x1a0
 kfree+0xf2/0x2a0
 nf_tables_flowtable_destroy+0x1e7/0x280
 __nft_release_table+0x4f2/0xe10
 nft_rcv_nl_event+0x447/0x520
 blocking_notifier_call_chain+0x104/0x1b0
 netlink_release+0xee5/0x1720
 sock_close+0xcd/0x230
 __fput+0x3c5/0x830
 task_work_run+0x129/0x1a0
 exit_to_user_mode_loop+0x106/0x130
 exit_to_user_mode_prepare+0xb1/0x140
 syscall_exit_to_user_mode+0x5d/0x2b0
 do_syscall_64+0x50/0xd0
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888070133300
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 56 bytes inside of
 96-byte region [ffff888070133300, ffff888070133360)
The buggy address belongs to the page:
page:ffffea0001c04cc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x70133
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 0000000000000000 dead000000000122 ffff888010c41780
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 3679, ts 58902601563, free_ts 56575879303
 get_page_from_freelist+0x322e/0x33d0
 __alloc_pages+0x272/0x780
 alloc_slab_page+0x3b/0x90
 new_slab+0x84/0x320
 ___slab_alloc+0x6d4/0xe00
 __kmalloc+0x1ce/0x2e0
 tomoyo_encode+0x26b/0x530
 tomoyo_realpath_from_path+0x5a2/0x5e0
 tomoyo_path_perm+0x273/0x6b0
 tomoyo_path_symlink+0xda/0x110
 security_path_symlink+0xd9/0x130
 do_symlinkat+0x129/0x600
 __x64_sys_symlinkat+0x95/0xa0
 do_syscall_64+0x44/0xd0
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 free_unref_page_prepare+0xcc1/0xd90
 free_unref_page+0x95/0x2d0
 __unfreeze_partials+0x1b7/0x210
 put_cpu_partial+0x116/0x180
 ___cache_free+0xff/0x130
 qlist_free_all+0x33/0xc0
 kasan_quarantine_reduce+0x162/0x180
 __kasan_slab_alloc+0x2f/0xe0
 slab_post_alloc_hook+0x50/0x3d0
 kmem_cache_alloc_trace+0x11d/0x270
 nsim_fib_event_work+0x19b5/0x4120
 process_one_work+0x8e3/0x1230
 worker_thread+0xdc3/0x1270
 kthread+0x268/0x300
 ret_from_fork+0x1f/0x30

Memory state around the buggy address:
 ffff888070133200: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff888070133280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff888070133300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                        ^
 ffff888070133380: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
 ffff888070133400: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
==================================================================
