last executing test programs: 2.781901996s ago: executing program 2 (id=3): r0 = syz_open_dev$usbfs(&(0x7f00000000c0), 0x204, 0x2) mmap(&(0x7f0000000000/0x400000)=nil, 0x400000, 0x1000002, 0x13, r0, 0x0) r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="06000000040000000200000004"], 0x50) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000980)={0x11, 0x14, &(0x7f0000000200)=ANY=[@ANYBLOB="1802000005000000000000000000000018010000786c6c2500000000070000007b1af8ff00000000bfa100000000000007010000f8ffffffb700000000000000b703000000000000850000007300000018110000", @ANYRES32=r1, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b70400000000000085000000c300000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000004c0)={&(0x7f0000000300)='tlb_flush\x00', r2}, 0x10) 2.612687045s ago: executing program 2 (id=6): r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0) ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000140)={0x3, 0x9, 0x0, 0x0, 0x0, "810000cc2b000000000000fa25ffff00ffffff"}) r1 = syz_open_pts(r0, 0x4f8001) fcntl$setstatus(r1, 0x4, 0x102800) bpf$PROG_LOAD(0x5, 0x0, 0x0) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) pipe2(&(0x7f0000001cc0)={0xffffffffffffffff, 0xffffffffffffffff}, 0x80000) mount$9p_fd(0x0, &(0x7f0000000000)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000c00)=ANY=[@ANYBLOB='trans', @ANYRESHEX=r2, @ANYBLOB, @ANYRESHEX=r3, @ANYBLOB=',access=', @ANYRESDEC=0x0, @ANYBLOB=',']) socket$key(0xf, 0x3, 0x2) fsync(0xffffffffffffffff) setsockopt$inet_sctp_SCTP_RESET_ASSOC(0xffffffffffffffff, 0x84, 0x78, &(0x7f00000002c0), 0x4) socket$rds(0x15, 0x5, 0x0) r4 = syz_open_dev$sg(&(0x7f00000003c0), 0x0, 0x5) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000980)='kfree\x00', 0xffffffffffffffff, 0x0, 0x2144}, 0x18) writev(r4, &(0x7f0000000080)=[{&(0x7f00000002c0)="01000000c00000005a90f57f07703aefe7364ebbee07022c2277ae2a0000000000000000000000000000b0", 0x2b}], 0x1) socket$nl_route(0x10, 0x3, 0x0) seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x3, &(0x7f0000000080)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x0, 0x50000}]}) 1.916334009s ago: executing program 0 (id=1): unshare(0x22020400) r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000340)={0x11, 0x3, &(0x7f0000000080)=ANY=[@ANYBLOB="1800000000000000000000000000000095"], &(0x7f0000000000)='syzkaller\x00'}, 0x94) ioctl$TIOCSPTLCK(0xffffffffffffffff, 0x40045431, 0x0) bpf$BPF_PROG_ATTACH(0x8, 0x0, 0x0) r1 = bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f00000001c0)='sched_process_wait\x00', r0}, 0x10) r2 = bpf$ITER_CREATE(0xb, &(0x7f0000000100)={r1}, 0x8) r3 = bpf$PROG_LOAD(0x5, &(0x7f00002a0fb8)={0x16, 0x4, &(0x7f0000000080)=ANY=[@ANYBLOB="85000000070000006a0a00ff000000000c00000000000000950000000000000018100000", @ANYRES32, @ANYBLOB="0000000000009500"/24], &(0x7f0000000140)='GPL\x00', 0x2, 0xffa0, &(0x7f0000000180)=""/149, 0x0, 0x0, '\x00', 0x0, @flow_dissector, 0xffffffffffffffff, 0x8, 0x0, 0x1e, 0x10, 0x0, 0x1e}, 0x2d) bpf$BPF_PROG_DETACH(0x8, &(0x7f00000002c0)={@ifindex, r3, 0x11, 0x0, 0x0, @void, @value=r2}, 0x20) mprotect(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1) getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(0xffffffffffffffff, 0x84, 0x7b, 0x0, 0x0) bpf$BPF_PROG_DETACH(0x9, &(0x7f00000002c0)={@map, r3, 0xf3c5227cb953423c, 0x2010}, 0x20) bpf$PROG_LOAD(0x5, 0x0, 0x0) 1.649735353s ago: executing program 0 (id=7): r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48) bpf$PROG_LOAD(0x5, &(0x7f0000000700)={0x12, 0x10, &(0x7f0000000580)=ANY=[@ANYBLOB="18050000000000000000000000000000b7080000000000007b8af8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r0, @ANYBLOB="0000000000000000b704000001000000850000007800000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x48, '\x00', 0x0, @fallback=0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0}, 0x94) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000380)={0x11, 0x10, &(0x7f0000000580)=ANY=[], &(0x7f0000000340)='GPL\x00', 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, @fallback=0x2b, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000006c0)={&(0x7f0000000700)='kfree\x00', r1}, 0x10) pipe2(&(0x7f00000006c0)={0xffffffffffffffff}, 0x0) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000000)=@pppol2tp={0x18, 0x1, {0x0, r4, {0x2, 0x4e24, @broadcast}, 0x2, 0x0, 0x3}}, 0x26) socket$pppl2tp(0x18, 0x1, 0x1) openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000), 0x120002) close_range(r2, 0xffffffffffffffff, 0x0) 1.458098145s ago: executing program 0 (id=8): r0 = creat(&(0x7f0000000000)='./file0\x00', 0xd931d3864d39dcdb) r1 = gettid() timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, &(0x7f0000bbdffc)) timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x3938700}}, 0x0) close(r0) r2 = open(&(0x7f0000000000)='./file0\x00', 0x0, 0x1a1) fcntl$setlease(r2, 0x400, 0x1) creat(&(0x7f0000000000)='./file0\x00', 0xd931d3864d39dcdb) 1.062987991s ago: executing program 3 (id=4): r0 = gettid() r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0x4, &(0x7f0000000640)=@framed={{}, [@call={0x85, 0x0, 0x0, 0x7c}]}, &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x17, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc)) timer_settime(0x0, 0x0, &(0x7f0000000400)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0) r2 = mq_open(&(0x7f0000000380)='eth0\x00#\x13\xaeu\xe0\xfbu0*\xf3\x11i\xdd\xd9\xc6\x87\xde\xbf_\xa0\xf6\xdfk\xbf.\"\xa6\xc0#p\xcd\x1c/\xa6\xf2\xbcyL\x85a\xb5\xbb~+>\xbc\x93\xf8\xab\x9a3\x85l\x1d\x15\x11\x1a{@!2\xb6!\xae\xf79k\x90\x88\v8I$\xfdQ\x1d\x90=r\xd8\xc0\xd8\t/\x8dv\xb8\x93\xc3C\xae\x9dc\xd1T\xdd\x14\xd3A=z\xee\xbd/X\xbemOX)s\x94\xde\xbe_\v\x01\xbe\xeb\bLTrw\x88\x9e0\t\xc6\xe2\x9c\xed\\\xd8[\xc8\x04 \xf3\xac]V\x1d:\xfc\xc3\x9e\x02\ax\xef\xfe\x1c.TT\x01\x00\x00\x00a%\xdcQ\xb3CuT\xcc7\x8avs\xb2\a\xfe\xb3j*\xad\x18I\xcc\xe9\xaa{]\xef\xb7\xf2\xee*\xf95\bJt\xd0s\xc4\xaa\xc8\x13~\xb2\xf20\xbdf\xdb\xaeG\xe3\xfb\xef\x94\xef:Q\x1b\xe3\xa3\xa4}\xef`e\xcdL\xab\xdb\r\xf2y\x9fg1\xf4\t\x18i/!\x13\xf1,\x8cu\xaa\xbf~)\x94\x1b2\x93\x86\xe7\x9a\xf2j\xa8\x96\xa6\xa2\xfcN\x81\xafTh\xb3\x1bo:\xe8\vq7S\xe4H\xf3L\xa0\x9c\x97B\x12\x10\x9d\xaa\x7fq\x06\xb9(\xf6\x1c\x83\xb1J\xec\x926\xb5a0\xa0B\xae|\x00\x17\xc0\xa3\xd5\xf9\xaa\x98/\xa4v\xe4)I\xf3+[e\x95\x89\x99\xca\x8e\xc5\xd3\\T\xf0\x1a|5\xfff\xff\x99\xa4\xbb\x9e#oR\xa4\xf1\xba\x04c\xb3-\xf7R\xb85\xb5\xdb\xe9?\xfa/\xdf\xb4R\xbfx=\v_j\x8e\xb0\'\xf4\xe5\xff!\xe1\xbf\x82e\xb1\x9b\x8d\xf3L\t\xd21\x9cbwV\xc8\xcc\xe4\x96M_w\xbc\xdf9\b\r\xf6\x95\xae\xb5,\x92\x8c\xc0DQm\x80\xd1w\xa2\x1a\x12Z\xe5\xf4H\xf7D\n\x96J\x93\xfb\xf0$\x9f\xf7\xa2\xae$O\xa3\xb6\xf5\x98\xd3\v\x00\x86\xa5\x8b\x81\x04\xaf\x03s\xe5\x86>\x0e\xa6\xe6\x1aV\x17\x8b\xed\xa7\'\xd0\r_\xe8,XVR\x13\xe5%\xb9\x88\xb8W@D\'\x17A\xc8\x80\x02J\xd4V\x00wH(\xc5v\f\xc9\xb6\xdf..$\xe6P(_\xf1\'\xc1:\xa3\xcb\xd9\xd1\xc7\x13\x99Md\x1dc\xf1\'j\x03!\x13\xd1\xb8\xbf\xe6\xb2M\b/\rp\xa5\x00\x00\x00\x00', 0x40, 0x9, 0x0) fcntl$setlease(r2, 0x400, 0x0) r3 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="0a000000010000000800000008"], 0x48) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000180)=ANY=[@ANYBLOB="1800000000000400000000000000000018110000", @ANYRES32=r3, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000100000095"], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f00000005c0)={{r3}, &(0x7f0000000540), &(0x7f0000000580)='%pI4 \x00'}, 0x20) r4 = socket$packet(0x11, 0x3, 0x300) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000080)={'veth1_vlan\x00', 0x0}) r6 = socket(0x400000000010, 0x3, 0x0) sendmsg$nl_route_sched(r6, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000400)={&(0x7f0000000440)=@getchain={0x24, 0x11, 0x1, 0x70bd2a, 0x2000001, {0x0, 0x0, 0x0, r5, {0x7, 0xa}, {0xd, 0xffe0}, {0x8, 0x9}}}, 0x24}, 0x1, 0x0, 0x0, 0x4000000}, 0x20048054) r7 = syz_open_dev$usbfs(&(0x7f0000000000), 0x1ff, 0x2) r8 = io_uring_setup(0xee4, &(0x7f00000002c0)={0x0, 0xe, 0x2, 0xffffffff, 0xfffffffe}) r9 = dup3(r7, r8, 0x0) ioctl$SG_SET_RESERVED_SIZE(r9, 0x4004550c, 0x0) bpf$MAP_CREATE_CONST_STR(0x0, 0x0, 0x0) bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000600)={{r2}, &(0x7f00000001c0), &(0x7f00000005c0)=r1}, 0x20) r10 = syz_open_procfs(0x0, &(0x7f0000000280)='net/vlan/config\x00') lseek(r10, 0x289e0cb5, 0x0) bpf$BPF_MAP_CONST_STR_FREEZE(0x16, &(0x7f0000000680)={0x1}, 0x4) bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f00000006c0)={0x2, 0x4, 0x8, 0x1, 0x80, 0x1, 0x9, '\x00', 0x0, 0xffffffffffffffff, 0x4, 0x3}, 0x50) mq_open(&(0x7f0000000ac0)='eth0\x00\xdd\xad\xff=2k\xf1\x05\x9b\x91y\xe1;F\xa2\x8df\xe9%\x00\x00\x00\x00\x0078z=\x8f\xd5F\xa4AR\xc7\x9f.\xdc\xdb\"A\x16\xd8\x19\xf1lZ\xc8\x93\xda\xf2\xc9\xe8h[u8\xc6\xfa\x9ep\xbe\a\xe2\xf5\xa3Y\x9f\xe1\x04gM\x99K$\r\xf1G\xee\xe1\xbd\x1e\xdf\xe1\x9c\x19\xda\xd3\x94EL\xca\x88\x85Q\x02\xcfL\x90\xeb%/\xb1\xeb\x11uP7\x1f\xd9b\xebF\xf8\x88\xf0\xac.\x94\xfc\v\xb1W\xef~+n\xb1\x9b\x02n]xr\xb3\x80\xbc>\xe9XX\xe6\x12\xf3\xc9\xd5\xf8\xd1\x8d\xcb9\xbf\xb0(<\xeb\x92\x8a\x16\xb7\x11^\xb6\xb7n\xd5\xb5\x00[\xdf\x94\x00\r\x95\x17\xa1h\xf8\x00\x00\x00\"\xa0\x05\xa2@\xeb\x18\xc9}\xb8\ny\xf4\xe1\xb4.\xa4\a\x05\xbb}\x91\xf4\x80\x00\x00\x00a\xdf\xb5\xd9\xe4\x01\xea|.\xc9\x1d\\\xedD\x14\xb1w\x1e\xa0\xc1E\xb5\xf8\xab\xfb\xd9J\x85p\xb5n\x1b\xe4\xd5g\xae\xe4\xeb\xca\xae\x1bs\xd4\xf0\xc0\xdag\x19R4\xd4\xd4\x04\xfc\x04Zb\xf6\xba\xf8B\xf6YU\xcd\xf2\xdb\xb5\xa2\xda\xdf\x8dD\xef`\x13\x15$\xceq\xd7j\xd7\xe3V\xf2\xa2\x95\xcf\x18T\xf1\xb0\xf3\xf8O\x9e\xef\x9b\x97\xcb\xc6\x89\xba\x8e\xf2\xfb\xd5\a\xcb\xf6\xf7{\xec\xf0@\xc2\xb2\xbcAQx\xa4\x12\xf8\x9cji\"\xf7\x1a\xbd\xac\xde\xf4\x9b\xd7#\xab\\q\xd6\xdf#>}\x97\xd0U\xe4\x9e+|\xb1MT\xa0\x1bf\v9\xcdx\xab\x83\x87\xd3q3\xbeL\xd2\x1f6\x1ffL\x9eM\x0f?\'\xc3YB0\x80!\xe9Y\xf1:\xeeX\xf7G\x85K\xbb\xbdijaA\x00&\x0e\xb3\x99\xbc9\xee\x8f\aVy!d^\r\xd1\x9b\xd5\x06\xbc$\xc9[\x8e[', 0x1, 0x50, 0x0) 1.001996952s ago: executing program 1 (id=2): r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000140), 0x2, 0x0) mprotect(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x1) pread64(r0, &(0x7f0000000480), 0x1, 0x2) 710.240285ms ago: executing program 1 (id=9): r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'rose0\x00', 0x112}) close(r0) 507.692047ms ago: executing program 0 (id=10): munmap(&(0x7f0000002000/0x4000)=nil, 0x4000) r0 = socket$inet_udp(0x2, 0x2, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x2d}}, 0x10) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000a00)={0x5, 0xb, &(0x7f0000000180)=ANY=[@ANYBLOB="1804000000000000000000000000000018010000696c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000b100000095"], 0x0, 0x0, 0x0, 0x0, 0x40f00, 0xc94284a3061bb7fe, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x56, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x7}, 0x94) r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xb, &(0x7f0000000180)=ANY=[], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x12, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000ac0)={&(0x7f0000000b00)='kmem_cache_free\x00', r1, 0x0, 0x1034}, 0x18) sendto$inet(r0, 0x0, 0x0, 0xc806, &(0x7f0000000180)={0x2, 0x4e21, @multicast1}, 0x10) sendto$inet(r0, &(0x7f0000000100)='J', 0xfdbe, 0x4004084, 0x0, 0x11000a00) 346.642344ms ago: executing program 0 (id=11): r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b6fffec850000006d000000850000000800000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={0x0, r0}, 0x18) r1 = syz_open_dev$sg(&(0x7f0000000280), 0x0, 0x22c43) capset(&(0x7f0000000380)={0x20080522}, &(0x7f0000000040)={0x200000, 0x40200003, 0x0, 0x6, 0x7}) ioctl$SCSI_IOCTL_SEND_COMMAND(r1, 0x1, &(0x7f00000000c0)=ANY=[]) 326.835112ms ago: executing program 4 (id=5): r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000000c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) listen(r1, 0x0) bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x1f, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1a, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$MAP_CREATE(0x0, &(0x7f0000000100)=ANY=[@ANYBLOB='\r'], 0x50) prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f0000000080)={&(0x7f0000ff0000/0x1000)=nil, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000ff9000/0x3000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000ff8000/0x4000)=nil, &(0x7f0000ff8000/0x3000)=nil, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffc000/0x3000)=nil, &(0x7f0000ffa000/0x1000)=nil, &(0x7f0000fec000/0x14000)=nil, 0x0}, 0x68) sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, 0x0}, 0x880) r2 = io_uring_setup(0x7, &(0x7f0000000040)={0x0, 0xd8a1, 0xc000, 0x8, 0xc1}) bpf$MAP_CREATE(0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="1600000004"], 0x50) prlimit64(0x0, 0x7, &(0x7f0000000140)={0x4, 0xc4}, 0x0) io_uring_enter(r2, 0x2219, 0x7721, 0x16, 0x0, 0x20) connect$unix(r0, &(0x7f0000000200)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) 161.961617ms ago: executing program 0 (id=12): bpf$MAP_CREATE(0x0, 0x0, 0x48) r0 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000040)={'lo\x00', 0x0}) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000380)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x0, 0x3fc, 0x0, 0x32}, 0x9c) setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000000)={0x0, @in6={{0xa, 0x0, 0x0, @empty}}, 0x0, 0x0, 0x0, 0x0, 0x8a}, 0x9c) bind$inet6(r2, &(0x7f0000000300)={0xa, 0x4e23, 0x0, @loopback, 0x3}, 0x7e) sendto$inet6(r2, &(0x7f0000847fff)='X', 0x34000, 0xe0, &(0x7f000005ffe4)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) r3 = bpf$MAP_CREATE(0x0, &(0x7f00000002c0)=ANY=[@ANYBLOB="0b00000007000000010001000900000001"], 0x48) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x5, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="180000000000000000000000000000001811", @ANYRES32=r3, @ANYBLOB="0000000000000000b70800000d0000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000100000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x2b, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000001c0)={0x0, 0xffffffffffffffff, 0x0, 0x8000000000000000}, 0x18) r4 = bpf$PROG_LOAD(0x5, &(0x7f00000003c0)={0x3, 0x3, &(0x7f0000000480)=@framed, &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$PROG_BIND_MAP(0x23, &(0x7f0000000ac0)={r4}, 0xc) r5 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$inet_MCAST_JOIN_GROUP(r5, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88) setsockopt$inet_group_source_req(r5, 0x0, 0x2e, &(0x7f00000004c0)={0x2, {{0x2, 0xfffe, @multicast2}}, {{0x2, 0x0, @remote}}}, 0x108) r6 = bpf$PROG_LOAD(0x5, &(0x7f0000000480)={0x11, 0xb, &(0x7f0000000640)=ANY=[], &(0x7f0000000380)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x1c, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f00000000c0)='cachefiles_trunc\x00', r6}, 0x18) ioctl$AUTOFS_DEV_IOCTL_OPENMOUNT(0xffffffffffffffff, 0xc0189374, &(0x7f0000000100)={{0x1, 0x1, 0x18, r6, {0x1}}, './file0\x00'}) r7 = syz_open_dev$usbfs(&(0x7f0000000480), 0x77, 0x41341) ioctl$USBDEVFS_IOCTL(r7, 0xc0105512, &(0x7f0000000000)=@usbdevfs_connect) r8 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r8, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000009a40)={&(0x7f0000000500)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000010000040900010073797a30000000002c000000030a01080000000000000000010000000900030073797a32000000000900010073797a300000000050000000060a010400000000000000000100000008000b40000000000900010073797a30000000002800048024000180090001006d657461"], 0xc4}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000580)={&(0x7f00000046c0)=@newqdisc={0x45c, 0x24, 0x4ee4e6a52ff56541, 0x8000000, 0x0, {0x0, 0x0, 0x0, r1, {0x0, 0xf}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_tbf={{0x8}, {0x430, 0x2, [@TCA_TBF_PTAB={0x404, 0x3, [0x2, 0x0, 0x0, 0x0, 0x10000000, 0x0, 0x40000000, 0x1000, 0x6, 0x0, 0x0, 0x8000002, 0x0, 0x7e150a0b, 0x0, 0x80005, 0x0, 0x0, 0x4, 0x4, 0x0, 0x100000, 0x0, 0x43, 0x0, 0x974, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000, 0x0, 0x0, 0x0, 0x10000, 0x5d2, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf7fffffe, 0x800000, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffd, 0x0, 0x1007, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1000000, 0x40000000, 0x3, 0x3, 0x6, 0x1, 0x0, 0x0, 0x0, 0xfffffffe, 0x0, 0x0, 0x0, 0x0, 0xd, 0x0, 0x7, 0x2, 0x9, 0x0, 0x3, 0x7, 0xfbfffffd, 0x0, 0x0, 0x0, 0x9, 0x0, 0x0, 0x0, 0x0, 0xffffffff, 0x3, 0x0, 0x0, 0x4fd, 0x2000, 0x0, 0x0, 0x2, 0x0, 0x0, 0x1, 0x0, 0x7e98263b, 0x9, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x6, 0x10000000, 0x0, 0x0, 0x5, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0xd2d3, 0x0, 0x0, 0xb2e, 0x0, 0xfffffffe, 0x0, 0x0, 0x0, 0xff, 0x1000, 0x0, 0x0, 0x0, 0x0, 0xfffffffe, 0x6, 0xc3f3, 0x2, 0x9, 0x800, 0x9, 0x800, 0x0, 0x8, 0xe, 0x0, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80000001, 0x0, 0xfffffffe, 0xc, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffe, 0x8000, 0x0, 0xfffffffd, 0x0, 0x0, 0xd819ac9, 0x1, 0x0, 0x0, 0x0, 0x4, 0x0, 0xffffffff, 0x1, 0x0, 0x80000001, 0x0, 0x10, 0x20, 0x4, 0x400000b2, 0x0, 0x0, 0x6, 0x0, 0x0, 0x8, 0x0, 0x0, 0x1000, 0x100, 0x0, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x3, 0x1, 0x1, 0xfffffffe, 0x800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x1, 0x4, 0x0, 0x0, 0x20000041, 0xffffffff, 0x400, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x80, 0x0, 0x0, 0x8000, 0x1ff, 0x20, 0xaaf0]}, @TCA_TBF_PARMS={0x28, 0x1, {{0x0, 0x0, 0x0, 0x0, 0x0, 0xc0000001}, {0x3, 0x0, 0xf, 0x0, 0x1, 0xffffffff}, 0x7, 0x10, 0x2000000}}]}}]}, 0x45c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0) 54.491661ms ago: executing program 1 (id=13): r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffec850000006d000000850000000700000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000100)='kfree\x00', r0}, 0x10) r1 = socket(0x1e, 0x4, 0x0) setsockopt$packet_tx_ring(r1, 0x10f, 0x87, &(0x7f0000000180)=@req={0x401, 0xfffffffe, 0x0, 0xffffffff}, 0x16) close(r1) 0s ago: executing program 4 (id=14): r0 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0xc, &(0x7f00000000c0)={0x1, &(0x7f00000001c0)=[{0x6, 0x0, 0x0, 0xb}]}) socket$inet_tcp(0x2, 0x1, 0x0) bpf$PROG_LOAD(0x5, 0x0, 0x0) bpf$MAP_UPDATE_CONST_STR(0x2, 0x0, 0x0) socketpair(0x1, 0x1, 0x0, 0x0) r1 = socket(0x1, 0x803, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, './file0\x00'}, 0x6e) close_range(r0, 0xffffffffffffffff, 0x100000000000000) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.1.193' (ED25519) to the list of known hosts. [ 78.659671][ T5810] cgroup: Unknown subsys name 'net' [ 78.794916][ T5810] cgroup: Unknown subsys name 'cpuset' [ 78.803928][ T5810] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 80.428781][ T5810] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 82.856850][ T52] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 82.865299][ T5836] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 82.874250][ T5836] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1 [ 82.882103][ T5836] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 82.889754][ T5836] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 82.894134][ T5838] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 82.897761][ T5836] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 82.911772][ T5836] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 82.920727][ T5836] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 82.922292][ T5837] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 82.929478][ T5836] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 82.936643][ T5837] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 82.943600][ T5836] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 82.949710][ T5837] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 82.961221][ T5836] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9 [ 82.965669][ T5837] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 82.977328][ T5836] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9 [ 82.985688][ T5836] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 82.993488][ T5836] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 83.000988][ T5836] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4 [ 83.009226][ T5839] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 83.009757][ T5837] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 83.017138][ T5836] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 83.031633][ T5836] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 83.033118][ T5837] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2 [ 83.636032][ T5823] chnl_net:caif_netlink_parms(): no params data found [ 83.843047][ T5820] chnl_net:caif_netlink_parms(): no params data found [ 83.928773][ T5826] chnl_net:caif_netlink_parms(): no params data found [ 84.008535][ T5822] chnl_net:caif_netlink_parms(): no params data found [ 84.028868][ T5823] bridge0: port 1(bridge_slave_0) entered blocking state [ 84.036707][ T5823] bridge0: port 1(bridge_slave_0) entered disabled state [ 84.044541][ T5823] bridge_slave_0: entered allmulticast mode [ 84.052325][ T5823] bridge_slave_0: entered promiscuous mode [ 84.061846][ T5827] chnl_net:caif_netlink_parms(): no params data found [ 84.100370][ T5823] bridge0: port 2(bridge_slave_1) entered blocking state [ 84.107621][ T5823] bridge0: port 2(bridge_slave_1) entered disabled state [ 84.115181][ T5823] bridge_slave_1: entered allmulticast mode [ 84.122616][ T5823] bridge_slave_1: entered promiscuous mode [ 84.240445][ T5820] bridge0: port 1(bridge_slave_0) entered blocking state [ 84.248054][ T5820] bridge0: port 1(bridge_slave_0) entered disabled state [ 84.255386][ T5820] bridge_slave_0: entered allmulticast mode [ 84.263049][ T5820] bridge_slave_0: entered promiscuous mode [ 84.285284][ T5823] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 84.308023][ T5820] bridge0: port 2(bridge_slave_1) entered blocking state [ 84.315277][ T5820] bridge0: port 2(bridge_slave_1) entered disabled state [ 84.322686][ T5820] bridge_slave_1: entered allmulticast mode [ 84.329963][ T5820] bridge_slave_1: entered promiscuous mode [ 84.358892][ T5823] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 84.453382][ T5826] bridge0: port 1(bridge_slave_0) entered blocking state [ 84.460658][ T5826] bridge0: port 1(bridge_slave_0) entered disabled state [ 84.468299][ T5826] bridge_slave_0: entered allmulticast mode [ 84.475699][ T5826] bridge_slave_0: entered promiscuous mode [ 84.512215][ T5820] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 84.535439][ T5826] bridge0: port 2(bridge_slave_1) entered blocking state [ 84.542746][ T5826] bridge0: port 2(bridge_slave_1) entered disabled state [ 84.550090][ T5826] bridge_slave_1: entered allmulticast mode [ 84.557697][ T5826] bridge_slave_1: entered promiscuous mode [ 84.567173][ T5823] team0: Port device team_slave_0 added [ 84.573420][ T5827] bridge0: port 1(bridge_slave_0) entered blocking state [ 84.580581][ T5827] bridge0: port 1(bridge_slave_0) entered disabled state [ 84.587999][ T5827] bridge_slave_0: entered allmulticast mode [ 84.595513][ T5827] bridge_slave_0: entered promiscuous mode [ 84.605682][ T5820] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 84.615150][ T5822] bridge0: port 1(bridge_slave_0) entered blocking state [ 84.622627][ T5822] bridge0: port 1(bridge_slave_0) entered disabled state [ 84.629821][ T5822] bridge_slave_0: entered allmulticast mode [ 84.637263][ T5822] bridge_slave_0: entered promiscuous mode [ 84.662516][ T5823] team0: Port device team_slave_1 added [ 84.668330][ T5827] bridge0: port 2(bridge_slave_1) entered blocking state [ 84.675837][ T5827] bridge0: port 2(bridge_slave_1) entered disabled state [ 84.683157][ T5827] bridge_slave_1: entered allmulticast mode [ 84.690408][ T5827] bridge_slave_1: entered promiscuous mode [ 84.709524][ T5822] bridge0: port 2(bridge_slave_1) entered blocking state [ 84.716901][ T5822] bridge0: port 2(bridge_slave_1) entered disabled state [ 84.724200][ T5822] bridge_slave_1: entered allmulticast mode [ 84.731879][ T5822] bridge_slave_1: entered promiscuous mode [ 84.807068][ T5826] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 84.844012][ T5820] team0: Port device team_slave_0 added [ 84.865269][ T5826] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 84.875654][ T5823] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 84.887286][ T5823] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 84.913640][ T5823] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 84.928694][ T5827] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 84.940635][ T5820] team0: Port device team_slave_1 added [ 84.949430][ T5822] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 84.972595][ T5823] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 84.979572][ T5823] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 85.006613][ T5823] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 85.020281][ T5827] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 85.032084][ T5833] Bluetooth: hci1: command tx timeout [ 85.032091][ T5837] Bluetooth: hci0: command tx timeout [ 85.055014][ T5822] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 85.111180][ T5831] Bluetooth: hci4: command tx timeout [ 85.116984][ T5837] Bluetooth: hci3: command tx timeout [ 85.123353][ T5833] Bluetooth: hci2: command tx timeout [ 85.137061][ T5826] team0: Port device team_slave_0 added [ 85.158101][ T5820] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 85.165136][ T5820] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 85.191410][ T5820] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 85.219268][ T5826] team0: Port device team_slave_1 added [ 85.227442][ T5827] team0: Port device team_slave_0 added [ 85.233967][ T5820] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 85.241235][ T5820] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 85.267206][ T5820] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 85.280202][ T5822] team0: Port device team_slave_0 added [ 85.312304][ T5827] team0: Port device team_slave_1 added [ 85.327281][ T5822] team0: Port device team_slave_1 added [ 85.390283][ T5823] hsr_slave_0: entered promiscuous mode [ 85.397306][ T5823] hsr_slave_1: entered promiscuous mode [ 85.404925][ T5826] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 85.412401][ T5826] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 85.439143][ T5826] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 85.465289][ T5827] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 85.472342][ T5827] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 85.498299][ T5827] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 85.525172][ T5826] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 85.532438][ T5826] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 85.559454][ T5826] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 85.584359][ T5827] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 85.591384][ T5827] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 85.617441][ T5827] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 85.630035][ T5822] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 85.637062][ T5822] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 85.663285][ T5822] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 85.723050][ T5822] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 85.730566][ T5822] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 85.756974][ T5822] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 85.774337][ T5820] hsr_slave_0: entered promiscuous mode [ 85.780934][ T5820] hsr_slave_1: entered promiscuous mode [ 85.787186][ T5820] debugfs: 'hsr0' already exists in 'hsr' [ 85.793448][ T5820] Cannot create hsr debugfs directory [ 85.934089][ T5826] hsr_slave_0: entered promiscuous mode [ 85.940596][ T5826] hsr_slave_1: entered promiscuous mode [ 85.947136][ T5826] debugfs: 'hsr0' already exists in 'hsr' [ 85.953115][ T5826] Cannot create hsr debugfs directory [ 85.976511][ T5827] hsr_slave_0: entered promiscuous mode [ 85.983478][ T5827] hsr_slave_1: entered promiscuous mode [ 85.989836][ T5827] debugfs: 'hsr0' already exists in 'hsr' [ 85.996442][ T5827] Cannot create hsr debugfs directory [ 86.041012][ T5822] hsr_slave_0: entered promiscuous mode [ 86.047560][ T5822] hsr_slave_1: entered promiscuous mode [ 86.054139][ T5822] debugfs: 'hsr0' already exists in 'hsr' [ 86.059895][ T5822] Cannot create hsr debugfs directory [ 86.607872][ T5823] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 86.625052][ T5823] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 86.636832][ T5823] netdevsim netdevsim2 netdevsim2: renamed from eth2 [ 86.648041][ T5823] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 86.757788][ T5820] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 86.770343][ T5820] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 86.785818][ T5820] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 86.807077][ T5820] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 86.999489][ T5822] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 87.038475][ T5822] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 87.055804][ T5822] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 87.101671][ T5822] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 87.111349][ T5837] Bluetooth: hci0: command tx timeout [ 87.116903][ T5833] Bluetooth: hci1: command tx timeout [ 87.201725][ T5833] Bluetooth: hci2: command tx timeout [ 87.201753][ T5831] Bluetooth: hci4: command tx timeout [ 87.212617][ T5837] Bluetooth: hci3: command tx timeout [ 87.314549][ T5823] 8021q: adding VLAN 0 to HW filter on device bond0 [ 87.322464][ T5826] netdevsim netdevsim3 netdevsim0: renamed from eth0 [ 87.342017][ T5826] netdevsim netdevsim3 netdevsim1: renamed from eth1 [ 87.353780][ T5826] netdevsim netdevsim3 netdevsim2: renamed from eth2 [ 87.366526][ T5826] netdevsim netdevsim3 netdevsim3: renamed from eth3 [ 87.508791][ T5823] 8021q: adding VLAN 0 to HW filter on device team0 [ 87.527595][ T5827] netdevsim netdevsim4 netdevsim0: renamed from eth0 [ 87.548464][ T5827] netdevsim netdevsim4 netdevsim1: renamed from eth1 [ 87.564186][ T37] bridge0: port 1(bridge_slave_0) entered blocking state [ 87.571457][ T37] bridge0: port 1(bridge_slave_0) entered forwarding state [ 87.588631][ T5827] netdevsim netdevsim4 netdevsim2: renamed from eth2 [ 87.604246][ T5827] netdevsim netdevsim4 netdevsim3: renamed from eth3 [ 87.616546][ T37] bridge0: port 2(bridge_slave_1) entered blocking state [ 87.623725][ T37] bridge0: port 2(bridge_slave_1) entered forwarding state [ 87.639778][ T5820] 8021q: adding VLAN 0 to HW filter on device bond0 [ 87.716134][ T5820] 8021q: adding VLAN 0 to HW filter on device team0 [ 87.764112][ T1318] bridge0: port 1(bridge_slave_0) entered blocking state [ 87.771369][ T1318] bridge0: port 1(bridge_slave_0) entered forwarding state [ 87.802108][ T1318] bridge0: port 2(bridge_slave_1) entered blocking state [ 87.809251][ T1318] bridge0: port 2(bridge_slave_1) entered forwarding state [ 87.838158][ T5822] 8021q: adding VLAN 0 to HW filter on device bond0 [ 87.897103][ T5822] 8021q: adding VLAN 0 to HW filter on device team0 [ 87.939626][ T64] bridge0: port 1(bridge_slave_0) entered blocking state [ 87.946859][ T64] bridge0: port 1(bridge_slave_0) entered forwarding state [ 88.015587][ T5826] 8021q: adding VLAN 0 to HW filter on device bond0 [ 88.029038][ T1318] bridge0: port 2(bridge_slave_1) entered blocking state [ 88.036326][ T1318] bridge0: port 2(bridge_slave_1) entered forwarding state [ 88.116190][ T5826] 8021q: adding VLAN 0 to HW filter on device team0 [ 88.149809][ T1152] bridge0: port 1(bridge_slave_0) entered blocking state [ 88.156985][ T1152] bridge0: port 1(bridge_slave_0) entered forwarding state [ 88.184724][ T1318] bridge0: port 2(bridge_slave_1) entered blocking state [ 88.191916][ T1318] bridge0: port 2(bridge_slave_1) entered forwarding state [ 88.213683][ T5827] 8021q: adding VLAN 0 to HW filter on device bond0 [ 88.256473][ T5823] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 88.313566][ T5827] 8021q: adding VLAN 0 to HW filter on device team0 [ 88.351850][ T37] bridge0: port 1(bridge_slave_0) entered blocking state [ 88.359031][ T37] bridge0: port 1(bridge_slave_0) entered forwarding state [ 88.392589][ T67] bridge0: port 2(bridge_slave_1) entered blocking state [ 88.399801][ T67] bridge0: port 2(bridge_slave_1) entered forwarding state [ 88.579091][ T5823] veth0_vlan: entered promiscuous mode [ 88.650370][ T5823] veth1_vlan: entered promiscuous mode [ 88.735826][ T5820] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 88.845052][ T5823] veth0_macvtap: entered promiscuous mode [ 88.887782][ T5822] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 88.901007][ T5823] veth1_macvtap: entered promiscuous mode [ 88.965048][ T5820] veth0_vlan: entered promiscuous mode [ 88.994579][ T5826] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 89.014069][ T5823] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 89.043810][ T5823] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 89.062725][ T5820] veth1_vlan: entered promiscuous mode [ 89.085836][ T4578] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 89.095752][ T4578] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 89.126709][ T4578] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 89.135855][ T4578] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 89.147589][ T5827] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 89.191915][ T5837] Bluetooth: hci0: command tx timeout [ 89.197464][ T5831] Bluetooth: hci1: command tx timeout [ 89.236426][ T5822] veth0_vlan: entered promiscuous mode [ 89.274894][ T5837] Bluetooth: hci3: command tx timeout [ 89.280342][ T5831] Bluetooth: hci4: command tx timeout [ 89.286226][ T5833] Bluetooth: hci2: command tx timeout [ 89.298321][ T5820] veth0_macvtap: entered promiscuous mode [ 89.329894][ T5822] veth1_vlan: entered promiscuous mode [ 89.349316][ T5820] veth1_macvtap: entered promiscuous mode [ 89.386163][ T5826] veth0_vlan: entered promiscuous mode [ 89.431491][ T1152] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 89.439394][ T5826] veth1_vlan: entered promiscuous mode [ 89.440115][ T1152] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 89.485809][ T5820] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 89.549414][ T5820] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 89.586227][ T1318] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 89.597435][ T1318] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 89.609914][ T64] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 89.627608][ T64] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 89.654890][ T64] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 89.667754][ T64] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 89.679887][ T5822] veth0_macvtap: entered promiscuous mode [ 89.695981][ T5823] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 89.698362][ T5826] veth0_macvtap: entered promiscuous mode [ 89.749463][ T5826] veth1_macvtap: entered promiscuous mode [ 89.782537][ T5822] veth1_macvtap: entered promiscuous mode [ 89.897077][ T5826] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 89.941749][ T5827] veth0_vlan: entered promiscuous mode [ 89.965257][ T5822] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 89.983328][ T5826] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 90.008337][ T37] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 90.020133][ T37] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 90.030237][ T5827] veth1_vlan: entered promiscuous mode [ 90.044430][ T5822] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 90.056369][ T5946] sg_write: data in/out 156/1 bytes for SCSI command 0x0-- guessing data in; [ 90.056369][ T5946] program syz.2.6 not setting count and/or reply_len properly [ 90.079513][ T37] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.097389][ T30] audit: type=1326 audit(1764344391.842:2): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5945 comm="syz.2.6" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f2b4ef8f749 code=0x50000 [ 90.121933][ T30] audit: type=1326 audit(1764344391.842:3): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5945 comm="syz.2.6" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f2b4ef8f749 code=0x50000 [ 90.155475][ T30] audit: type=1326 audit(1764344391.842:4): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5945 comm="syz.2.6" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f2b4ef8f749 code=0x50000 [ 90.178197][ T30] audit: type=1326 audit(1764344391.842:5): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5945 comm="syz.2.6" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f2b4ef8f749 code=0x50000 [ 90.200007][ T37] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.211006][ T37] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.220064][ T30] audit: type=1326 audit(1764344391.842:6): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5945 comm="syz.2.6" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f2b4ef8f749 code=0x50000 [ 90.243869][ T30] audit: type=1326 audit(1764344391.842:7): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5945 comm="syz.2.6" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f2b4ef8f749 code=0x50000 [ 90.265990][ T30] audit: type=1326 audit(1764344391.842:8): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5945 comm="syz.2.6" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f2b4ef8f749 code=0x50000 [ 90.287671][ T37] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.296868][ T37] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.306415][ T30] audit: type=1326 audit(1764344391.842:9): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5945 comm="syz.2.6" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f2b4ef8f749 code=0x50000 [ 90.331728][ T30] audit: type=1326 audit(1764344391.842:10): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5945 comm="syz.2.6" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f2b4ef8f749 code=0x50000 [ 90.354940][ T1152] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 90.362959][ T30] audit: type=1326 audit(1764344391.842:11): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5945 comm="syz.2.6" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f2b4ef8f749 code=0x50000 [ 90.363337][ T1152] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 90.407134][ T37] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.415962][ T37] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.447456][ T37] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.542151][ T5827] veth0_macvtap: entered promiscuous mode [ 90.566465][ T5827] veth1_macvtap: entered promiscuous mode [ 90.684497][ T5827] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 90.771400][ T5827] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 90.783271][ T64] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 90.812048][ T64] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 90.835743][ T1318] netdevsim netdevsim4 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.850947][ T1318] netdevsim netdevsim4 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.902697][ T1318] netdevsim netdevsim4 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.929831][ T1318] netdevsim netdevsim4 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.956404][ T1318] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 90.981090][ T1318] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 91.134551][ T37] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 91.147055][ T1318] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 91.176495][ T37] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 91.184681][ T1318] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 91.274910][ T5837] Bluetooth: hci0: command tx timeout [ 91.280385][ T5831] Bluetooth: hci1: command tx timeout [ 91.351463][ T5837] Bluetooth: hci3: command tx timeout [ 91.358055][ T5831] Bluetooth: hci4: command tx timeout [ 91.364976][ T5837] Bluetooth: hci2: command tx timeout [ 91.448383][ T1005] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 91.466903][ T1005] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 91.654401][ T1152] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 91.678486][ T1152] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 91.709979][ T5957] netlink: 4 bytes leftover after parsing attributes in process `syz.3.4'. [ 91.917574][ T24] cfg80211: failed to load regulatory.db [ 92.295782][ T5968] program syz.0.11 is using a deprecated SCSI ioctl, please convert it to SG_IO [ 92.575180][ T5959] ================================================================== [ 92.583385][ T5959] BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x2e/0x40 [ 92.590871][ T5959] Read of size 1 at addr ffff8880278b0d98 by task syz.3.4/5959 [ 92.598440][ T5959] [ 92.600802][ T5959] CPU: 1 UID: 0 PID: 5959 Comm: syz.3.4 Not tainted syzkaller #0 PREEMPT(full) [ 92.600852][ T5959] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 92.600875][ T5959] Call Trace: [ 92.600885][ T5959] [ 92.600894][ T5959] dump_stack_lvl+0x189/0x250 [ 92.600922][ T5959] ? __virt_addr_valid+0x1c8/0x5c0 [ 92.600950][ T5959] ? rcu_is_watching+0x15/0xb0 [ 92.600980][ T5959] ? __kasan_check_byte+0x12/0x40 [ 92.601006][ T5959] ? __pfx_dump_stack_lvl+0x10/0x10 [ 92.601029][ T5959] ? rcu_is_watching+0x15/0xb0 [ 92.601053][ T5959] ? lock_release+0x4b/0x3b0 [ 92.601075][ T5959] ? __virt_addr_valid+0x1c8/0x5c0 [ 92.601103][ T5959] ? __virt_addr_valid+0x4a5/0x5c0 [ 92.601131][ T5959] print_report+0xca/0x240 [ 92.601152][ T5959] ? _raw_spin_lock+0x2e/0x40 [ 92.601172][ T5959] kasan_report+0x118/0x150 [ 92.601196][ T5959] ? _raw_spin_lock+0x2e/0x40 [ 92.601219][ T5959] ? mqueue_flush_file+0x49/0x270 [ 92.601243][ T5959] __kasan_check_byte+0x2a/0x40 [ 92.601266][ T5959] lock_acquire+0x84/0x340 [ 92.601291][ T5959] ? __pfx_mqueue_flush_file+0x10/0x10 [ 92.601316][ T5959] _raw_spin_lock+0x2e/0x40 [ 92.601334][ T5959] ? mqueue_flush_file+0x49/0x270 [ 92.601358][ T5959] mqueue_flush_file+0x49/0x270 [ 92.601383][ T5959] ? filp_flush+0xae/0x190 [ 92.601412][ T5959] ? __pfx_mqueue_flush_file+0x10/0x10 [ 92.601437][ T5959] filp_flush+0xbd/0x190 [ 92.601466][ T5959] filp_close+0x1d/0x40 [ 92.601494][ T5959] put_files_struct+0x1ba/0x350 [ 92.601523][ T5959] do_exit+0x67f/0x2310 [ 92.601550][ T5959] ? do_raw_spin_lock+0x121/0x290 [ 92.601577][ T5959] ? __pfx_do_exit+0x10/0x10 [ 92.601608][ T5959] do_group_exit+0x21c/0x2d0 [ 92.601647][ T5959] ? lockdep_hardirqs_on+0x98/0x140 [ 92.601670][ T5959] get_signal+0x1285/0x1340 [ 92.601698][ T5959] arch_do_signal_or_restart+0x9a/0x7a0 [ 92.601727][ T5959] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 92.601755][ T5959] ? exit_to_user_mode_loop+0x55/0x4f0 [ 92.601775][ T5959] exit_to_user_mode_loop+0x87/0x4f0 [ 92.601794][ T5959] ? rcu_is_watching+0x15/0xb0 [ 92.601819][ T5959] do_syscall_64+0x2e3/0xf80 [ 92.601842][ T5959] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.601861][ T5959] ? clear_bhb_loop+0x60/0xb0 [ 92.601882][ T5959] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.601901][ T5959] RIP: 0033:0x7f6e4618f749 [ 92.601926][ T5959] Code: Unable to access opcode bytes at 0x7f6e4618f71f. [ 92.601937][ T5959] RSP: 002b:00007f6e4709f038 EFLAGS: 00000246 ORIG_RAX: 00000000000000f0 [ 92.601965][ T5959] RAX: 000000000000000b RBX: 00007f6e463e6090 RCX: 00007f6e4618f749 [ 92.601979][ T5959] RDX: 0000000000000050 RSI: 0000000000000001 RDI: 0000200000000ac0 [ 92.601992][ T5959] RBP: 00007f6e46213f91 R08: 0000000000000000 R09: 0000000000000000 [ 92.602004][ T5959] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 92.602016][ T5959] R13: 00007f6e463e6128 R14: 00007f6e463e6090 R15: 00007fffcfbc8278 [ 92.602039][ T5959] [ 92.602047][ T5959] [ 92.888165][ T5959] Allocated by task 5957: [ 92.892502][ T5959] kasan_save_track+0x3e/0x80 [ 92.897211][ T5959] __kasan_slab_alloc+0x6c/0x80 [ 92.902074][ T5959] kmem_cache_alloc_lru_noprof+0x36c/0x6e0 [ 92.907904][ T5959] mqueue_alloc_inode+0x28/0x40 [ 92.912769][ T5959] alloc_inode+0x6a/0x1b0 [ 92.917121][ T5959] new_inode+0x22/0x170 [ 92.921285][ T5959] mqueue_get_inode+0x27/0xb50 [ 92.926064][ T5959] mqueue_create_attr+0x1ac/0x2e0 [ 92.931115][ T5959] vfs_mkobj+0xcf/0x290 [ 92.935293][ T5959] do_mq_open+0x60d/0x7c0 [ 92.939633][ T5959] __x64_sys_mq_open+0x16a/0x1c0 [ 92.944580][ T5959] do_syscall_64+0xfa/0xf80 [ 92.949090][ T5959] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.955000][ T5959] [ 92.957326][ T5959] Freed by task 5946: [ 92.961306][ T5959] kasan_save_track+0x3e/0x80 [ 92.966076][ T5959] kasan_save_free_info+0x46/0x50 [ 92.971113][ T5959] __kasan_slab_free+0x5c/0x80 [ 92.975884][ T5959] kmem_cache_free+0x197/0x620 [ 92.980651][ T5959] rcu_core+0xd70/0x1870 [ 92.984908][ T5959] handle_softirqs+0x27d/0x850 [ 92.989675][ T5959] __irq_exit_rcu+0xca/0x1f0 [ 92.994268][ T5959] irq_exit_rcu+0x9/0x30 [ 92.998514][ T5959] sysvec_apic_timer_interrupt+0xa6/0xc0 [ 93.004174][ T5959] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 93.010206][ T5959] [ 93.012534][ T5959] Last potentially related work creation: [ 93.018249][ T5959] kasan_save_stack+0x3e/0x60 [ 93.022930][ T5959] kasan_record_aux_stack+0xbd/0xd0 [ 93.028141][ T5959] call_rcu+0x157/0x9c0 [ 93.032318][ T5959] evict+0x931/0xae0 [ 93.036224][ T5959] __dentry_kill+0x209/0x660 [ 93.040824][ T5959] finish_dput+0xc9/0x480 [ 93.045185][ T5959] path_put+0x39/0x60 [ 93.049187][ T5959] do_mq_open+0x468/0x7c0 [ 93.053520][ T5959] __x64_sys_mq_open+0x16a/0x1c0 [ 93.058474][ T5959] do_syscall_64+0xfa/0xf80 [ 93.062990][ T5959] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 93.068899][ T5959] [ 93.071232][ T5959] The buggy address belongs to the object at ffff8880278b0d80 [ 93.071232][ T5959] which belongs to the cache mqueue_inode_cache of size 1576 [ 93.085988][ T5959] The buggy address is located 24 bytes inside of [ 93.085988][ T5959] freed 1576-byte region [ffff8880278b0d80, ffff8880278b13a8) [ 93.099808][ T5959] [ 93.102143][ T5959] The buggy address belongs to the physical page: [ 93.108604][ T5959] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x278b0 [ 93.117367][ T5959] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 93.125869][ T5959] memcg:ffff88801db54801 [ 93.130230][ T5959] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 93.137843][ T5959] page_type: f5(slab) [ 93.141840][ T5959] raw: 00fff00000000040 ffff8881462c0500 dead000000000122 0000000000000000 [ 93.150428][ T5959] raw: 0000000000000000 0000000080120012 00000000f5000000 ffff88801db54801 [ 93.159020][ T5959] head: 00fff00000000040 ffff8881462c0500 dead000000000122 0000000000000000 [ 93.167707][ T5959] head: 0000000000000000 0000000080120012 00000000f5000000 ffff88801db54801 [ 93.176387][ T5959] head: 00fff00000000003 ffffea00009e2c01 00000000ffffffff 00000000ffffffff [ 93.185063][ T5959] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 93.193734][ T5959] page dumped because: kasan: bad access detected [ 93.200163][ T5959] page_owner tracks the page as allocated [ 93.205885][ T5959] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5822, tgid 5822 (syz-executor), ts 82994660742, free_ts 82519924832 [ 93.227261][ T5959] post_alloc_hook+0x234/0x290 [ 93.232041][ T5959] get_page_from_freelist+0x2365/0x2440 [ 93.237592][ T5959] __alloc_frozen_pages_noprof+0x181/0x370 [ 93.243404][ T5959] alloc_pages_mpol+0x232/0x4a0 [ 93.248260][ T5959] allocate_slab+0x86/0x3b0 [ 93.252769][ T5959] ___slab_alloc+0xf2b/0x1960 [ 93.257453][ T5959] __slab_alloc+0x65/0x100 [ 93.261906][ T5959] kmem_cache_alloc_lru_noprof+0x3fe/0x6e0 [ 93.267725][ T5959] mqueue_alloc_inode+0x28/0x40 [ 93.272588][ T5959] alloc_inode+0x6a/0x1b0 [ 93.276977][ T5959] new_inode+0x22/0x170 [ 93.281145][ T5959] mqueue_fill_super+0xdc/0x380 [ 93.286004][ T5959] get_tree_nodev+0xbb/0x150 [ 93.290601][ T5959] vfs_get_tree+0x92/0x2a0 [ 93.295022][ T5959] fc_mount_longterm+0x1c/0x100 [ 93.299878][ T5959] mq_init_ns+0x275/0x360 [ 93.304212][ T5959] page last free pid 0 tgid 0 stack trace: [ 93.310024][ T5959] __free_frozen_pages+0xbc8/0xd30 [ 93.315143][ T5959] __folio_put+0x21b/0x2c0 [ 93.319567][ T5959] skb_release_data+0x49a/0x7c0 [ 93.324443][ T5959] napi_consume_skb+0x206/0x2c0 [ 93.329307][ T5959] skb_defer_free_flush+0x191/0x260 [ 93.334516][ T5959] net_rx_action+0x804/0xe50 [ 93.339122][ T5959] handle_softirqs+0x27d/0x850 [ 93.343887][ T5959] __irq_exit_rcu+0xca/0x1f0 [ 93.348481][ T5959] irq_exit_rcu+0x9/0x30 [ 93.352731][ T5959] common_interrupt+0xbb/0xe0 [ 93.357418][ T5959] asm_common_interrupt+0x26/0x40 [ 93.362451][ T5959] [ 93.364776][ T5959] Memory state around the buggy address: [ 93.370406][ T5959] ffff8880278b0c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc [ 93.378470][ T5959] ffff8880278b0d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 93.386535][ T5959] >ffff8880278b0d80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 93.394593][ T5959] ^ [ 93.399439][ T5959] ffff8880278b0e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 93.407499][ T5959] ffff8880278b0e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 93.415562][ T5959] ================================================================== [ 93.428401][ T5959] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 93.435650][ T5959] CPU: 1 UID: 0 PID: 5959 Comm: syz.3.4 Not tainted syzkaller #0 PREEMPT(full) [ 93.444704][ T5959] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 93.454788][ T5959] Call Trace: [ 93.458090][ T5959] [ 93.461045][ T5959] dump_stack_lvl+0x99/0x250 [ 93.465670][ T5959] ? __asan_memcpy+0x40/0x70 [ 93.470298][ T5959] ? __pfx_dump_stack_lvl+0x10/0x10 [ 93.475533][ T5959] ? __pfx__printk+0x10/0x10 [ 93.480182][ T5959] vpanic+0x237/0x6d0 [ 93.484201][ T5959] ? __pfx_vpanic+0x10/0x10 [ 93.488740][ T5959] ? irqentry_exit+0x5dd/0x660 [ 93.493535][ T5959] ? trace_irq_disable+0x37/0x100 [ 93.498597][ T5959] panic+0xb9/0xc0 [ 93.502352][ T5959] ? __pfx_panic+0x10/0x10 [ 93.506801][ T5959] ? _raw_spin_unlock_irqrestore+0xa8/0x110 [ 93.512728][ T5959] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 93.519089][ T5959] ? _raw_spin_lock+0x2e/0x40 [ 93.523807][ T5959] check_panic_on_warn+0x89/0xb0 [ 93.528781][ T5959] ? _raw_spin_lock+0x2e/0x40 [ 93.533490][ T5959] end_report+0x6f/0x140 [ 93.537780][ T5959] kasan_report+0x129/0x150 [ 93.542319][ T5959] ? _raw_spin_lock+0x2e/0x40 [ 93.547027][ T5959] ? mqueue_flush_file+0x49/0x270 [ 93.552082][ T5959] __kasan_check_byte+0x2a/0x40 [ 93.556965][ T5959] lock_acquire+0x84/0x340 [ 93.561419][ T5959] ? __pfx_mqueue_flush_file+0x10/0x10 [ 93.566931][ T5959] _raw_spin_lock+0x2e/0x40 [ 93.571462][ T5959] ? mqueue_flush_file+0x49/0x270 [ 93.576520][ T5959] mqueue_flush_file+0x49/0x270 [ 93.581404][ T5959] ? filp_flush+0xae/0x190 [ 93.585859][ T5959] ? __pfx_mqueue_flush_file+0x10/0x10 [ 93.591354][ T5959] filp_flush+0xbd/0x190 [ 93.595638][ T5959] filp_close+0x1d/0x40 [ 93.599830][ T5959] put_files_struct+0x1ba/0x350 [ 93.604718][ T5959] do_exit+0x67f/0x2310 [ 93.608915][ T5959] ? do_raw_spin_lock+0x121/0x290 [ 93.613984][ T5959] ? __pfx_do_exit+0x10/0x10 [ 93.618622][ T5959] do_group_exit+0x21c/0x2d0 [ 93.623251][ T5959] ? lockdep_hardirqs_on+0x98/0x140 [ 93.628484][ T5959] get_signal+0x1285/0x1340 [ 93.633032][ T5959] arch_do_signal_or_restart+0x9a/0x7a0 [ 93.638616][ T5959] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 93.644814][ T5959] ? exit_to_user_mode_loop+0x55/0x4f0 [ 93.650285][ T5959] exit_to_user_mode_loop+0x87/0x4f0 [ 93.655581][ T5959] ? rcu_is_watching+0x15/0xb0 [ 93.660361][ T5959] do_syscall_64+0x2e3/0xf80 [ 93.664967][ T5959] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 93.671048][ T5959] ? clear_bhb_loop+0x60/0xb0 [ 93.675750][ T5959] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 93.681656][ T5959] RIP: 0033:0x7f6e4618f749 [ 93.686078][ T5959] Code: Unable to access opcode bytes at 0x7f6e4618f71f. [ 93.693097][ T5959] RSP: 002b:00007f6e4709f038 EFLAGS: 00000246 ORIG_RAX: 00000000000000f0 [ 93.701522][ T5959] RAX: 000000000000000b RBX: 00007f6e463e6090 RCX: 00007f6e4618f749 [ 93.709498][ T5959] RDX: 0000000000000050 RSI: 0000000000000001 RDI: 0000200000000ac0 [ 93.717477][ T5959] RBP: 00007f6e46213f91 R08: 0000000000000000 R09: 0000000000000000 [ 93.725456][ T5959] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 93.733436][ T5959] R13: 00007f6e463e6128 R14: 00007f6e463e6090 R15: 00007fffcfbc8278 [ 93.741426][ T5959] [ 93.744761][ T5959] Kernel Offset: disabled [ 93.749085][ T5959] Rebooting in 86400 seconds..