last executing test programs: 2.221687994s ago: executing program 1 (id=2): r0 = syz_genetlink_get_family_id$nl802154(&(0x7f0000000040), 0xffffffffffffffff) r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_802154(r1, 0x8933, &(0x7f0000000180)={'wpan0\x00', 0x0}) sendmsg$NL802154_CMD_SET_SEC_PARAMS(r2, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000500)={&(0x7f0000000380)=ANY=[@ANYBLOB="7c010000", @ANYRES16=r0, @ANYBLOB="0100269d7000ffdbdf271500000008000300", @ANYRES32=r3, @ANYBLOB="08000300", @ANYRES32=r3, @ANYBLOB="b4002b800800010002000000050002000200000008000400"], 0x17c}, 0x1, 0x0, 0x0, 0x2c008005}, 0x20040400) 1.631106479s ago: executing program 2 (id=3): r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x0) r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x0) bind$bt_l2cap(r1, 0x0, 0x0) bind$bt_l2cap(r0, &(0x7f0000002080)={0x1f, 0x0, @any, 0x0, 0x1}, 0xe) 1.6193706s ago: executing program 1 (id=10): openat$ptp0(0xffffffffffffff9c, &(0x7f0000001040), 0x2401, 0x0) clock_adjtime(0xffffffd3, &(0x7f0000000000)={0x5, 0x6, 0xffffffffffffffff, 0x8000000000000003, 0x7, 0x9, 0x651, 0x12c8000000000000, 0x8000009655, 0x2, 0x62db, 0x9a3f, 0x10, 0xb, 0x80000000000000, 0x5, 0x6, 0x1, 0x94d6, 0x0, 0x3, 0xfffffffffffffff7, 0x0, 0xffffffffffff9d06, 0x3, 0x9}) 737.01494ms ago: executing program 3 (id=4): r0 = syz_genetlink_get_family_id$nl802154(&(0x7f00000001c0), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_802154(0xffffffffffffffff, 0x8933, &(0x7f0000000ec0)={'wpan0\x00', 0x0}) sendmsg$NL802154_CMD_DEL_SEC_KEY(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000240)=ANY=[@ANYBLOB='L\x00\x00\x00', @ANYRES16=r0, @ANYBLOB="010000000000000000001800000008000300", @ANYRES32=r1, @ANYBLOB="300030802c00018008000100000000002000038008000200f0ffffff0b0004"], 0x4c}, 0x1, 0x0, 0x0, 0x4000}, 0x0) 716.758344ms ago: executing program 1 (id=12): r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x0) r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x0) bind$bt_l2cap(r1, 0x0, 0x0) bind$bt_l2cap(r0, &(0x7f0000002080)={0x1f, 0x0, @any, 0x0, 0x1}, 0xe) 707.405676ms ago: executing program 2 (id=13): openat$ptp0(0xffffffffffffff9c, &(0x7f0000001040), 0x2401, 0x0) clock_adjtime(0xffffffd3, &(0x7f0000000000)={0x5, 0x6, 0xffffffffffffffff, 0x8000000000000003, 0x7, 0x9, 0x651, 0x12c8000000000000, 0x8000009655, 0x2, 0x62db, 0x9a3f, 0x10, 0xb, 0x80000000000000, 0x5, 0x6, 0x1, 0x94d6, 0x0, 0x3, 0xfffffffffffffff7, 0x0, 0xffffffffffff9d06, 0x3, 0x9}) 603.901458ms ago: executing program 0 (id=1): r0 = epoll_create1(0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r3 = epoll_create1(0x0) epoll_ctl$EPOLL_CTL_ADD(r0, 0x1, r2, &(0x7f0000000100)={0x20000014}) epoll_ctl$EPOLL_CTL_ADD(r3, 0x1, r0, &(0x7f0000000000)={0xa0000001}) ppoll(&(0x7f0000000200)=[{r3, 0x1}], 0x1, 0x0, 0x0, 0x3) epoll_wait(r0, &(0x7f0000000040)=[{}], 0x1, 0x4d0d) 340.550842ms ago: executing program 3 (id=5): r0 = socket$nl_netfilter(0x10, 0x3, 0xc) write$binfmt_aout(0xffffffffffffffff, &(0x7f0000000000)=ANY=[], 0xff2e) sendmsg$NFT_BATCH(r0, 0x0, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000009b40)={0x0, 0x0, &(0x7f0000009b00)={&(0x7f0000000100)=ANY=[@ANYBLOB="140000001000010000000000000000000500000a5c000000090a010400000000000000000a0000040900010073797a31000000000800054000000002"], 0x84}, 0x1, 0x0, 0x0, 0x40008d0}, 0x40) r1 = socket$netlink(0x10, 0x3, 0xc) bind$netlink(r1, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc) setsockopt$netlink_NETLINK_BROADCAST_ERROR(r1, 0x10e, 0x4, &(0x7f0000000140)=0x6, 0x4) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) r2 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPCTNL_MSG_CT_NEW(r2, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000940)=ANY=[@ANYBLOB="940000000001010400000000000000000a0000003c0001802c000180140003000000000000000000000000000000000014000400ff0100000000000000000000000000010c00028005000100000000003c0002802c00018014000300fe8000000000000000000000000000aa14000400fe80000000000000000000a2ef816aaa0c0002800500010000000000080007"], 0x94}}, 0x0) r3 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPCTNL_MSG_CT_DELETE(r2, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000640)={0x14, 0x2, 0x1, 0x5, 0x0, 0x0, {0x2, 0x0, 0x8}}, 0x14}, 0x1, 0x0, 0x0, 0x20044804}, 0x40040) sendmsg$IPCTNL_MSG_CT_GET_DYING(r3, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000040)={0x14, 0x6, 0x1, 0x101, 0x0, 0x0, {0x2, 0x0, 0x4}}, 0x14}, 0x1, 0x0, 0x0, 0x2404c031}, 0x40) 339.044494ms ago: executing program 1 (id=16): r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x0) r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x0) bind$bt_l2cap(r1, 0x0, 0x0) bind$bt_l2cap(r0, &(0x7f0000002080)={0x1f, 0x0, @any, 0x0, 0x1}, 0xe) 336.308061ms ago: executing program 2 (id=6): r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f00000001c0)='net\x00') fchdir(r0) exit(0x3) creat(&(0x7f00000002c0)='./file0\x00', 0x0) 0s ago: executing program 1 (id=7): r0 = socket(0x2, 0x80805, 0x0) getsockopt$inet_sctp_SCTP_MAX_BURST(r0, 0x84, 0xc, &(0x7f0000000040)=@assoc_value={0x0}, &(0x7f0000000000)=0x8) setsockopt$inet_sctp6_SCTP_ASSOCINFO(0xffffffffffffffff, 0x84, 0x1, &(0x7f0000000380)={r1, 0x415d, 0x2, 0x3, 0x1, 0x80}, 0x14) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.0.178' (ED25519) to the list of known hosts. [ 85.792660][ T5597] cgroup: Unknown subsys name 'net' [ 86.052200][ T5597] cgroup: Unknown subsys name 'cpuset' [ 86.127185][ T5597] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 88.223571][ T5597] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 90.862898][ T5618] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 90.883634][ T5621] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 90.891490][ T5618] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 90.893817][ T5624] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 90.894107][ T5618] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 90.908213][ T5618] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 90.954081][ T5618] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 90.958044][ T5618] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 90.958662][ T5618] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 90.959717][ T5624] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 90.963775][ T5618] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 90.976984][ T5624] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 90.994383][ T5618] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 90.996733][ T5624] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 90.998106][ T5624] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 91.004905][ T5624] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 91.018107][ T60] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 91.038110][ T60] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 91.060818][ T5624] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 91.122545][ T5624] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 91.920731][ T822] cfg80211: failed to load regulatory.db [ 93.127907][ T5614] Bluetooth: hci3: command tx timeout [ 93.128344][ T5617] Bluetooth: hci0: command tx timeout [ 93.206733][ T5614] Bluetooth: hci2: command tx timeout [ 93.207889][ T5614] Bluetooth: hci1: command tx timeout [ 93.410877][ T5611] bridge0: port 1(bridge_slave_0) entered blocking state [ 93.412026][ T5611] bridge0: port 1(bridge_slave_0) entered disabled state [ 93.412258][ T5611] bridge_slave_0: entered allmulticast mode [ 93.415826][ T5611] bridge_slave_0: entered promiscuous mode [ 93.495469][ T5611] bridge0: port 2(bridge_slave_1) entered blocking state [ 93.495773][ T5611] bridge0: port 2(bridge_slave_1) entered disabled state [ 93.495982][ T5611] bridge_slave_1: entered allmulticast mode [ 93.508012][ T5611] bridge_slave_1: entered promiscuous mode [ 93.512766][ T5609] bridge0: port 1(bridge_slave_0) entered blocking state [ 93.513714][ T5609] bridge0: port 1(bridge_slave_0) entered disabled state [ 93.514453][ T5609] bridge_slave_0: entered allmulticast mode [ 93.524458][ T5609] bridge_slave_0: entered promiscuous mode [ 93.612293][ T5609] bridge0: port 2(bridge_slave_1) entered blocking state [ 93.612578][ T5609] bridge0: port 2(bridge_slave_1) entered disabled state [ 93.612788][ T5609] bridge_slave_1: entered allmulticast mode [ 93.615403][ T5609] bridge_slave_1: entered promiscuous mode [ 93.714307][ T5608] bridge0: port 1(bridge_slave_0) entered blocking state [ 93.714582][ T5608] bridge0: port 1(bridge_slave_0) entered disabled state [ 93.715020][ T5608] bridge_slave_0: entered allmulticast mode [ 93.722436][ T5608] bridge_slave_0: entered promiscuous mode [ 93.744537][ T5610] bridge0: port 1(bridge_slave_0) entered blocking state [ 93.744917][ T5610] bridge0: port 1(bridge_slave_0) entered disabled state [ 93.745190][ T5610] bridge_slave_0: entered allmulticast mode [ 93.752694][ T5610] bridge_slave_0: entered promiscuous mode [ 93.779006][ T5611] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 93.807772][ T5608] bridge0: port 2(bridge_slave_1) entered blocking state [ 93.808050][ T5608] bridge0: port 2(bridge_slave_1) entered disabled state [ 93.808258][ T5608] bridge_slave_1: entered allmulticast mode [ 93.810821][ T5608] bridge_slave_1: entered promiscuous mode [ 93.822565][ T5610] bridge0: port 2(bridge_slave_1) entered blocking state [ 93.824313][ T5610] bridge0: port 2(bridge_slave_1) entered disabled state [ 93.825156][ T5610] bridge_slave_1: entered allmulticast mode [ 93.834355][ T5610] bridge_slave_1: entered promiscuous mode [ 93.902097][ T5611] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 93.918836][ T5609] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 93.990428][ T5609] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 94.080912][ T5608] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 94.090336][ T5610] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 94.106817][ T5611] team0: Port device team_slave_0 added [ 94.140939][ T5608] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 94.145495][ T5610] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 94.163231][ T5611] team0: Port device team_slave_1 added [ 94.174407][ T5609] team0: Port device team_slave_0 added [ 94.252982][ T5609] team0: Port device team_slave_1 added [ 94.328852][ T5608] team0: Port device team_slave_0 added [ 94.333278][ T5610] team0: Port device team_slave_0 added [ 94.335648][ T5611] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 94.335661][ T5611] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 94.335681][ T5611] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 94.411104][ T5608] team0: Port device team_slave_1 added [ 94.414562][ T5610] team0: Port device team_slave_1 added [ 94.416324][ T5611] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 94.416334][ T5611] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 94.416355][ T5611] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 94.425659][ T5609] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 94.425699][ T5609] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 94.425773][ T5609] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 94.547863][ T5609] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 94.547876][ T5609] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 94.547896][ T5609] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 94.633411][ T5608] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 94.633424][ T5608] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 94.633444][ T5608] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 94.635807][ T5610] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 94.635818][ T5610] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 94.635839][ T5610] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 94.685232][ T5608] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 94.685281][ T5608] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 94.685390][ T5608] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 94.700967][ T5610] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 94.701017][ T5610] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 94.701080][ T5610] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 94.879923][ T5611] hsr_slave_0: entered promiscuous mode [ 94.882060][ T5611] hsr_slave_1: entered promiscuous mode [ 95.213955][ T5614] Bluetooth: hci3: command tx timeout [ 95.214424][ T5614] Bluetooth: hci0: command tx timeout [ 95.242533][ T5609] hsr_slave_0: entered promiscuous mode [ 95.244271][ T5609] hsr_slave_1: entered promiscuous mode [ 95.245731][ T5609] debugfs: 'hsr0' already exists in 'hsr' [ 95.245822][ T5609] Cannot create hsr debugfs directory [ 95.286667][ T5614] Bluetooth: hci2: command tx timeout [ 95.286685][ T5617] Bluetooth: hci1: command tx timeout [ 95.394498][ T5608] hsr_slave_0: entered promiscuous mode [ 95.402886][ T5608] hsr_slave_1: entered promiscuous mode [ 95.404441][ T5608] debugfs: 'hsr0' already exists in 'hsr' [ 95.404472][ T5608] Cannot create hsr debugfs directory [ 95.425877][ T5610] hsr_slave_0: entered promiscuous mode [ 95.431519][ T5610] hsr_slave_1: entered promiscuous mode [ 95.436424][ T5610] debugfs: 'hsr0' already exists in 'hsr' [ 95.438423][ T5610] Cannot create hsr debugfs directory [ 96.312583][ T5611] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 96.356188][ T5611] 8021q: adding VLAN 0 to HW filter on device netdevsim0 [ 96.375429][ T5611] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 96.415136][ T5611] 8021q: adding VLAN 0 to HW filter on device netdevsim1 [ 96.429964][ T5611] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 96.450997][ T5611] 8021q: adding VLAN 0 to HW filter on device netdevsim2 [ 96.485472][ T5611] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 96.523097][ T5611] 8021q: adding VLAN 0 to HW filter on device netdevsim3 [ 96.664036][ T5609] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 96.704765][ T5609] 8021q: adding VLAN 0 to HW filter on device netdevsim0 [ 96.716547][ T5609] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 96.742061][ T5609] 8021q: adding VLAN 0 to HW filter on device netdevsim1 [ 96.756189][ T5609] netdevsim netdevsim2 netdevsim2: renamed from eth2 [ 96.812204][ T5609] 8021q: adding VLAN 0 to HW filter on device netdevsim2 [ 96.849808][ T5609] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 96.897798][ T5609] 8021q: adding VLAN 0 to HW filter on device netdevsim3 [ 97.021675][ T5608] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 97.071056][ T5608] 8021q: adding VLAN 0 to HW filter on device netdevsim0 [ 97.089435][ T5608] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 97.123048][ T5608] 8021q: adding VLAN 0 to HW filter on device netdevsim1 [ 97.138675][ T5608] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 97.173669][ T5608] 8021q: adding VLAN 0 to HW filter on device netdevsim2 [ 97.207895][ T5608] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 97.241740][ T5608] 8021q: adding VLAN 0 to HW filter on device netdevsim3 [ 97.288881][ T5617] Bluetooth: hci0: command tx timeout [ 97.288917][ T5617] Bluetooth: hci3: command tx timeout [ 97.368002][ T5617] Bluetooth: hci2: command tx timeout [ 97.368091][ T5614] Bluetooth: hci1: command tx timeout [ 97.435502][ T5610] netdevsim netdevsim3 netdevsim0: renamed from eth0 [ 97.466401][ T5610] 8021q: adding VLAN 0 to HW filter on device netdevsim0 [ 97.484762][ T5610] netdevsim netdevsim3 netdevsim1: renamed from eth1 [ 97.524448][ T5610] 8021q: adding VLAN 0 to HW filter on device netdevsim1 [ 97.539721][ T5610] netdevsim netdevsim3 netdevsim2: renamed from eth2 [ 97.572075][ T5610] 8021q: adding VLAN 0 to HW filter on device netdevsim2 [ 97.590821][ T5610] netdevsim netdevsim3 netdevsim3: renamed from eth3 [ 97.627719][ T5610] 8021q: adding VLAN 0 to HW filter on device netdevsim3 [ 97.730538][ T5611] 8021q: adding VLAN 0 to HW filter on device bond0 [ 97.861989][ T5611] 8021q: adding VLAN 0 to HW filter on device team0 [ 97.924954][ T5609] 8021q: adding VLAN 0 to HW filter on device bond0 [ 97.957091][ T12] bridge0: port 1(bridge_slave_0) entered blocking state [ 97.957370][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state [ 98.015908][ T100] bridge0: port 2(bridge_slave_1) entered blocking state [ 98.016267][ T100] bridge0: port 2(bridge_slave_1) entered forwarding state [ 98.143877][ T5609] 8021q: adding VLAN 0 to HW filter on device team0 [ 98.197602][ T5608] 8021q: adding VLAN 0 to HW filter on device bond0 [ 98.223570][ T3357] bridge0: port 1(bridge_slave_0) entered blocking state [ 98.223747][ T3357] bridge0: port 1(bridge_slave_0) entered forwarding state [ 98.299457][ T3327] bridge0: port 2(bridge_slave_1) entered blocking state [ 98.299628][ T3327] bridge0: port 2(bridge_slave_1) entered forwarding state [ 98.388946][ T5608] 8021q: adding VLAN 0 to HW filter on device team0 [ 98.444876][ T5610] 8021q: adding VLAN 0 to HW filter on device bond0 [ 98.457868][ T3390] bridge0: port 1(bridge_slave_0) entered blocking state [ 98.458114][ T3390] bridge0: port 1(bridge_slave_0) entered forwarding state [ 98.554494][ T3357] bridge0: port 2(bridge_slave_1) entered blocking state [ 98.554703][ T3357] bridge0: port 2(bridge_slave_1) entered forwarding state [ 98.674579][ T5610] 8021q: adding VLAN 0 to HW filter on device team0 [ 98.760390][ T12] bridge0: port 1(bridge_slave_0) entered blocking state [ 98.761866][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state [ 98.859687][ T3390] bridge0: port 2(bridge_slave_1) entered blocking state [ 98.859838][ T3390] bridge0: port 2(bridge_slave_1) entered forwarding state [ 99.374794][ T5614] Bluetooth: hci3: command tx timeout [ 99.374832][ T5614] Bluetooth: hci0: command tx timeout [ 99.446860][ T5617] Bluetooth: hci1: command tx timeout [ 99.446890][ T5617] Bluetooth: hci2: command tx timeout [ 99.804658][ T5611] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 99.952033][ T5609] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 100.347315][ T5611] veth0_vlan: entered promiscuous mode [ 100.413846][ T5609] veth0_vlan: entered promiscuous mode [ 100.433015][ T5608] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 100.482837][ T5611] veth1_vlan: entered promiscuous mode [ 100.544300][ T5609] veth1_vlan: entered promiscuous mode [ 100.612280][ T5610] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 100.751847][ T5611] veth0_macvtap: entered promiscuous mode [ 100.785275][ T5609] veth0_macvtap: entered promiscuous mode [ 100.812242][ T5608] veth0_vlan: entered promiscuous mode [ 100.822032][ T5611] veth1_macvtap: entered promiscuous mode [ 100.849057][ T5609] veth1_macvtap: entered promiscuous mode [ 100.902876][ T5608] veth1_vlan: entered promiscuous mode [ 100.963472][ T5611] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 100.965296][ T5610] veth0_vlan: entered promiscuous mode [ 100.991311][ T5609] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 101.017319][ T5611] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 101.036383][ T5609] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 101.078652][ T5610] veth1_vlan: entered promiscuous mode [ 101.082562][ T100] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 101.106173][ T100] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 101.122948][ T100] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 101.143489][ T100] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 101.160351][ T100] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 101.184203][ T100] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 101.265765][ T100] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 101.283817][ T100] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 101.390966][ T5608] veth0_macvtap: entered promiscuous mode [ 101.507560][ T5608] veth1_macvtap: entered promiscuous mode [ 101.905538][ T5610] veth0_macvtap: entered promiscuous mode [ 101.954337][ T5608] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 101.965784][ T5610] veth1_macvtap: entered promiscuous mode [ 102.026236][ T12] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 102.026264][ T12] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 102.073169][ T5608] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 102.141546][ T1443] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 102.141568][ T1443] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 102.144197][ T12] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 102.168841][ T12] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 102.181784][ T12] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 102.196687][ T12] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 102.205669][ T5610] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 102.287477][ T5610] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 102.295189][ T3327] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 102.295206][ T3327] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 102.497189][ T1007] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 102.509341][ T1007] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 102.544373][ T1035] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 102.544395][ T1035] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 102.544704][ T1007] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 102.593257][ T3327] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 103.234645][ T5766] netlink: 164 bytes leftover after parsing attributes in process `syz.1.2'. [ 103.337662][ T5766] netlink: 152 bytes leftover after parsing attributes in process `syz.1.2'. [ 103.461767][ T3390] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 103.461787][ T3390] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 103.868575][ T3327] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 103.868597][ T3327] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 103.990688][ T3357] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 103.991708][ T3357] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 104.124215][ T3390] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 104.124236][ T3390] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 105.061668][ T5790] netlink: 52 bytes leftover after parsing attributes in process `syz.3.5'. [ 105.733290][ T5792] ================================================================== [ 105.733309][ T5792] BUG: KASAN: slab-use-after-free in reverse_path_check_proc+0x5b/0x240 [ 105.733348][ T5792] Read of size 8 at addr ffff88803af21b60 by task syz.0.1/5792 [ 105.733366][ T5792] [ 105.733390][ T5792] CPU: 1 UID: 0 PID: 5792 Comm: syz.0.1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} [ 105.733416][ T5792] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026 [ 105.733447][ T5792] Call Trace: [ 105.733459][ T5792] [ 105.733468][ T5792] dump_stack_lvl+0xe8/0x150 [ 105.733494][ T5792] print_address_description+0x55/0x1e0 [ 105.733521][ T5792] ? reverse_path_check_proc+0x5b/0x240 [ 105.733551][ T5792] print_report+0x58/0x70 [ 105.733575][ T5792] kasan_report+0x117/0x150 [ 105.733602][ T5792] ? reverse_path_check_proc+0x5b/0x240 [ 105.733634][ T5792] ? ep_insert+0xbbb/0x1820 [ 105.733661][ T5792] reverse_path_check_proc+0x5b/0x240 [ 105.733696][ T5792] ? ep_insert+0xbbb/0x1820 [ 105.733722][ T5792] ep_insert+0xc6c/0x1820 [ 105.733758][ T5792] ? __pfx_ep_insert+0x10/0x10 [ 105.733786][ T5792] ? lockdep_hardirqs_on+0x7a/0x110 [ 105.733825][ T5792] ? _raw_spin_unlock_irqrestore+0x4c/0x80 [ 105.733858][ T5792] ? mutex_lock_nested+0x152/0x1d0 [ 105.733882][ T5792] ? do_epoll_ctl_file+0xc69/0xed0 [ 105.733914][ T5792] do_epoll_ctl_file+0x8bb/0xed0 [ 105.733945][ T5792] ? do_epoll_ctl_file+0xac3/0xed0 [ 105.733976][ T5792] ? __pfx_do_epoll_ctl_file+0x10/0x10 [ 105.734005][ T5792] ? __fget_files+0x3a6/0x420 [ 105.734027][ T5792] ? __fget_files+0x2a/0x420 [ 105.734054][ T5792] __se_sys_epoll_ctl+0x14e/0x210 [ 105.734084][ T5792] ? __pfx___se_sys_epoll_ctl+0x10/0x10 [ 105.734117][ T5792] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.734139][ T5792] do_syscall_64+0x174/0x580 [ 105.734171][ T5792] ? trace_irq_disable+0x3b/0x140 [ 105.734195][ T5792] ? clear_bhb_loop+0x40/0x90 [ 105.734217][ T5792] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.734238][ T5792] RIP: 0033:0x7f81c580ce59 [ 105.734264][ T5792] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 105.734287][ T5792] RSP: 002b:00007f81c35f9028 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9 [ 105.734309][ T5792] RAX: ffffffffffffffda RBX: 00007f81c5a86270 RCX: 00007f81c580ce59 [ 105.734324][ T5792] RDX: 0000000000000003 RSI: 0000000000000001 RDI: 0000000000000006 [ 105.734337][ T5792] RBP: 00007f81c58a2d6f R08: 0000000000000000 R09: 0000000000000000 [ 105.734351][ T5792] R10: 0000200000000000 R11: 0000000000000246 R12: 0000000000000000 [ 105.734366][ T5792] R13: 00007f81c5a86308 R14: 00007f81c5a86270 R15: 00007ffe1f968b18 [ 105.734390][ T5792] [ 105.734397][ T5792] [ 105.734402][ T5792] Allocated by task 5785: [ 105.734411][ T5792] kasan_save_track+0x3e/0x80 [ 105.734443][ T5792] __kasan_slab_alloc+0x6c/0x80 [ 105.734465][ T5792] kmem_cache_alloc_noprof+0x33b/0x680 [ 105.734487][ T5792] ep_insert+0x512/0x1820 [ 105.734512][ T5792] do_epoll_ctl_file+0x8bb/0xed0 [ 105.734537][ T5792] __se_sys_epoll_ctl+0x14e/0x210 [ 105.734565][ T5792] do_syscall_64+0x174/0x580 [ 105.734597][ T5792] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.734617][ T5792] [ 105.734622][ T5792] Freed by task 5781: [ 105.734632][ T5792] kasan_save_track+0x3e/0x80 [ 105.734652][ T5792] kasan_save_free_info+0x46/0x50 [ 105.734683][ T5792] __kasan_slab_free+0x5c/0x80 [ 105.734707][ T5792] kmem_cache_free+0x187/0x6c0 [ 105.734731][ T5792] eventpoll_release_file+0xc2/0x240 [ 105.734756][ T5792] __fput+0x83c/0xa70 [ 105.734778][ T5792] task_work_run+0x1d9/0x270 [ 105.734800][ T5792] get_signal+0x11eb/0x1330 [ 105.734827][ T5792] arch_do_signal_or_restart+0xbc/0x840 [ 105.734848][ T5792] exit_to_user_mode_loop+0xa9/0x680 [ 105.734871][ T5792] do_syscall_64+0x353/0x580 [ 105.734904][ T5792] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.734925][ T5792] [ 105.734930][ T5792] The buggy address belongs to the object at ffff88803af21b60 [ 105.734930][ T5792] which belongs to the cache ep_head of size 16 [ 105.734949][ T5792] The buggy address is located 0 bytes inside of [ 105.734949][ T5792] freed 16-byte region [ffff88803af21b60, ffff88803af21b70) [ 105.734972][ T5792] [ 105.734978][ T5792] The buggy address belongs to the physical page: [ 105.734999][ T5792] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88803af21040 pfn:0x3af21 [ 105.735021][ T5792] memcg:ffff8880322ff001 [ 105.735030][ T5792] flags: 0x80000000000200(workingset|node=0|zone=1) [ 105.735057][ T5792] page_type: f5(slab) [ 105.735077][ T5792] raw: 0080000000000200 ffff88814041cdc0 ffff88801af25088 ffffea0000fcfc10 [ 105.735099][ T5792] raw: ffff88803af21040 000000080080003c 00000000f5000000 ffff8880322ff001 [ 105.735111][ T5792] page dumped because: kasan: bad access detected [ 105.735125][ T5792] page_owner tracks the page as allocated [ 105.735133][ T5792] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4983, tgid 4983 (udevd), ts 40845688121, free_ts 40815425889 [ 105.735169][ T5792] post_alloc_hook+0x1f9/0x250 [ 105.735193][ T5792] get_page_from_freelist+0x265c/0x26e0 [ 105.735223][ T5792] __alloc_frozen_pages_noprof+0x18d/0x380 [ 105.735250][ T5792] allocate_slab+0x74/0x5e0 [ 105.735279][ T5792] refill_objects+0x33c/0x3d0 [ 105.735307][ T5792] __pcs_replace_empty_main+0x373/0x720 [ 105.735339][ T5792] kmem_cache_alloc_noprof+0x433/0x680 [ 105.735360][ T5792] ep_insert+0x512/0x1820 [ 105.735386][ T5792] do_epoll_ctl_file+0x8bb/0xed0 [ 105.735413][ T5792] __se_sys_epoll_ctl+0x14e/0x210 [ 105.735467][ T5792] do_syscall_64+0x174/0x580 [ 105.735500][ T5792] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.735521][ T5792] page last free pid 4983 tgid 4983 stack trace: [ 105.735531][ T5792] __free_frozen_pages+0x10af/0x1190 [ 105.735551][ T5792] __slab_free+0x252/0x2a0 [ 105.735571][ T5792] qlist_free_all+0x99/0x100 [ 105.735587][ T5792] kasan_quarantine_reduce+0x148/0x160 [ 105.735604][ T5792] __kasan_slab_alloc+0x22/0x80 [ 105.735623][ T5792] kmem_cache_alloc_noprof+0x33b/0x680 [ 105.735641][ T5792] anon_vma_fork+0x14d/0x570 [ 105.735660][ T5792] dup_mmap+0x997/0x1d70 [ 105.735680][ T5792] copy_mm+0x11a/0x480 [ 105.735704][ T5792] copy_process+0x1e30/0x43d0 [ 105.735728][ T5792] kernel_clone+0x2d7/0x940 [ 105.735756][ T5792] __x64_sys_clone+0x1b6/0x230 [ 105.735771][ T5792] do_syscall_64+0x174/0x580 [ 105.735796][ T5792] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.735812][ T5792] [ 105.735816][ T5792] Memory state around the buggy address: [ 105.735826][ T5792] ffff88803af21a00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 105.735838][ T5792] ffff88803af21a80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 105.735850][ T5792] >ffff88803af21b00: fa fb fc fc fa fb fc fc 00 00 fc fc fa fb fc fc [ 105.735859][ T5792] ^ [ 105.735869][ T5792] ffff88803af21b80: 00 00 fc fc 00 00 fc fc fa fb fc fc fa fb fc fc [ 105.735880][ T5792] ffff88803af21c00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 105.735889][ T5792] ================================================================== [ 105.798436][ T5792] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 105.798498][ T5792] CPU: 0 UID: 0 PID: 5792 Comm: syz.0.1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} [ 105.798567][ T5792] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026 [ 105.798614][ T5792] Call Trace: [ 105.798635][ T5792] [ 105.798664][ T5792] vpanic+0x56c/0xa60 [ 105.798768][ T5792] ? __pfx_vpanic+0x10/0x10 [ 105.798870][ T5792] panic+0xc5/0xd0 [ 105.798935][ T5792] ? __pfx_panic+0x10/0x10 [ 105.798969][ T5792] ? preempt_schedule_thunk+0x16/0x40 [ 105.799054][ T5792] ? preempt_schedule_thunk+0x16/0x40 [ 105.799153][ T5792] ? reverse_path_check_proc+0x5b/0x240 [ 105.799244][ T5792] check_panic_on_warn+0x89/0xb0 [ 105.799325][ T5792] ? reverse_path_check_proc+0x5b/0x240 [ 105.799367][ T5792] end_report+0x73/0x170 [ 105.799397][ T5792] ? reverse_path_check_proc+0x5b/0x240 [ 105.799472][ T5792] kasan_report+0x128/0x150 [ 105.799552][ T5792] ? reverse_path_check_proc+0x5b/0x240 [ 105.799650][ T5792] ? ep_insert+0xbbb/0x1820 [ 105.799689][ T5792] reverse_path_check_proc+0x5b/0x240 [ 105.799727][ T5792] ? ep_insert+0xbbb/0x1820 [ 105.799754][ T5792] ep_insert+0xc6c/0x1820 [ 105.799794][ T5792] ? __pfx_ep_insert+0x10/0x10 [ 105.799830][ T5792] ? lockdep_hardirqs_on+0x7a/0x110 [ 105.799865][ T5792] ? _raw_spin_unlock_irqrestore+0x4c/0x80 [ 105.799901][ T5792] ? mutex_lock_nested+0x152/0x1d0 [ 105.799935][ T5792] ? do_epoll_ctl_file+0xc69/0xed0 [ 105.799968][ T5792] do_epoll_ctl_file+0x8bb/0xed0 [ 105.800001][ T5792] ? do_epoll_ctl_file+0xac3/0xed0 [ 105.800034][ T5792] ? __pfx_do_epoll_ctl_file+0x10/0x10 [ 105.800067][ T5792] ? __fget_files+0x3a6/0x420 [ 105.800094][ T5792] ? __fget_files+0x2a/0x420 [ 105.800125][ T5792] __se_sys_epoll_ctl+0x14e/0x210 [ 105.800160][ T5792] ? __pfx___se_sys_epoll_ctl+0x10/0x10 [ 105.800195][ T5792] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.800218][ T5792] do_syscall_64+0x174/0x580 [ 105.800250][ T5792] ? trace_irq_disable+0x3b/0x140 [ 105.800273][ T5792] ? clear_bhb_loop+0x40/0x90 [ 105.800294][ T5792] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.800312][ T5792] RIP: 0033:0x7f81c580ce59 [ 105.800329][ T5792] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 105.800345][ T5792] RSP: 002b:00007f81c35f9028 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9 [ 105.800365][ T5792] RAX: ffffffffffffffda RBX: 00007f81c5a86270 RCX: 00007f81c580ce59 [ 105.800379][ T5792] RDX: 0000000000000003 RSI: 0000000000000001 RDI: 0000000000000006 [ 105.800390][ T5792] RBP: 00007f81c58a2d6f R08: 0000000000000000 R09: 0000000000000000 [ 105.800401][ T5792] R10: 0000200000000000 R11: 0000000000000246 R12: 0000000000000000 [ 105.800413][ T5792] R13: 00007f81c5a86308 R14: 00007f81c5a86270 R15: 00007ffe1f968b18 [ 105.800437][ T5792] [ 105.801053][ T5792] Kernel Offset: disabled