BUG: MAX_LOCKDEP_CHAINS too low!
turning off the locking correctness validator.
CPU: 1 UID: 0 PID: 811 Comm: kworker/u8:8 Tainted: G L syzkaller #0 PREEMPT
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Workqueue: btrfs-qgroup-rescan btrfs_work_helper
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 dump_stack+0x1c/0x28 lib/dump_stack.c:129
 add_chain_cache kernel/locking/lockdep.c:-1 [inline]
 lookup_chain_cache_add kernel/locking/lockdep.c:3855 [inline]
 validate_chain kernel/locking/lockdep.c:3876 [inline]
 __lock_acquire+0xf9c/0x30a4 kernel/locking/lockdep.c:5237
 reacquire_held_locks+0x13c/0x1f8 kernel/locking/lockdep.c:5385
 __lock_release kernel/locking/lockdep.c:5574 [inline]
 lock_release+0x18c/0x39c kernel/locking/lockdep.c:5889
 up_write+0x3c/0x5e0 kernel/locking/rwsem.c:1642
 btrfs_tree_unlock+0xc4/0x298 fs/btrfs/locking.c:200
 btrfs_force_cow_block+0xcec/0x2058 fs/btrfs/ctree.c:604
 btrfs_cow_block+0x328/0x940 fs/btrfs/ctree.c:708
 btrfs_search_slot+0x96c/0x2228 fs/btrfs/ctree.c:2130
 update_qgroup_info_item fs/btrfs/qgroup.c:866 [inline]
 btrfs_run_qgroups+0x2f8/0x650 fs/btrfs/qgroup.c:3088
 commit_cowonly_roots+0x1b4/0x700 fs/btrfs/transaction.c:1363
 btrfs_commit_transaction+0x10e8/0x2d30 fs/btrfs/transaction.c:2477
 btrfs_qgroup_rescan_worker+0x12b8/0x19e8 fs/btrfs/qgroup.c:3815
 btrfs_work_helper+0x360/0xca8 fs/btrfs/async-thread.c:312
 process_one_work+0x7c0/0x1558 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x958/0xed8 kernel/workqueue.c:3421
 kthread+0x5fc/0x75c kernel/kthread.c:463
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844
BTRFS info (device loop3): qgroup scan completed (inconsistency flag cleared)
netdevsim netdevsim3 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim3 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim3 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim3 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim5 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim5 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim5 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim5 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim1 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim1 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim1 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim1 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
bridge_slave_1: left allmulticast mode
bridge_slave_1: left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
bridge_slave_0: left allmulticast mode
bridge_slave_0: left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
bridge_slave_1: left allmulticast mode
bridge_slave_1: left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
bridge_slave_0: left allmulticast mode
bridge_slave_0: left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
bridge_slave_1: left allmulticast mode
bridge_slave_1: left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
bridge_slave_0: left allmulticast mode
bridge_slave_0: left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
bridge_slave_1: left allmulticast mode
bridge_slave_1: left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
bridge_slave_0: left allmulticast mode
bridge_slave_0: left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
bond0 (unregistering): Released all slaves
bond0 (unregistering): (slave wlan1): Releasing backup interface
==================================================================
BUG: KASAN: slab-out-of-bounds in ieee80211_add_virtual_monitor+0xa24/0xe1c net/mac80211/iface.c:1255
Read of size 1 at addr ffff0000d5c6bd90 by task kworker/u8:8/811

CPU: 0 UID: 0 PID: 811 Comm: kworker/u8:8 Tainted: G L syzkaller #0 PREEMPT
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Workqueue: netns cleanup_net
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x238 mm/kasan/report.c:378
 print_report+0x68/0x84 mm/kasan/report.c:482
 kasan_report+0xb0/0x110 mm/kasan/report.c:595
 __asan_report_load1_noabort+0x20/0x2c mm/kasan/report_generic.c:378
 ieee80211_add_virtual_monitor+0xa24/0xe1c net/mac80211/iface.c:1255
 ieee80211_do_stop+0x13a4/0x1a84 net/mac80211/iface.c:746
 ieee80211_stop+0x1ac/0x220 net/mac80211/iface.c:828
 __dev_close_many+0x3a8/0x704 net/core/dev.c:1756
 netif_close_many+0x1e8/0x448 net/core/dev.c:1781
 netif_close+0x148/0x1f8 net/core/dev.c:1798
 dev_close+0xf8/0x1e4 net/core/dev_api.c:220
 __bond_release_one+0x98c/0xe00 drivers/net/bonding/bond_main.c:2472
 bond_uninit+0x264/0x3c4 drivers/net/bonding/bond_main.c:5954
 unregister_netdevice_many_notify+0x1914/0x2110 net/core/dev.c:12402
 unregister_netdevice_many+0x28/0x38 net/core/dev.c:12444
 ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
 ops_undo_list+0x32c/0x7ec net/core/net_namespace.c:248
 cleanup_net+0x3fc/0x638 net/core/net_namespace.c:696
 process_one_work+0x7c0/0x1558 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x958/0xed8 kernel/workqueue.c:3421
 kthread+0x5fc/0x75c kernel/kthread.c:463
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff0000d5c6ba80 pfn:0x115c68
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff0000cacad802
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f8(unknown)
raw: 05ffc00000000040 0000000000000000 dead000000000122 0000000000000000
raw: ffff0000d5c6ba80 0000000000000000 00000000f8000000 ffff0000cacad802
head: 05ffc00000000040 0000000000000000 dead000000000122 0000000000000000
head: ffff0000d5c6ba80 0000000000000000 00000000f8000000 ffff0000cacad802
head: 05ffc00000000002 fffffdffc3571a01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000d5c6bc80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 ffff0000d5c6bd00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>ffff0000d5c6bd80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                         ^
 ffff0000d5c6be00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 ffff0000d5c6be80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================
bond0 (unregistering): Released all slaves
bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
bond0 (unregistering): Released all slaves
gretap0 (unregistering): left promiscuous mode
team0: Port device geneve0 removed
bond0 (unregistering): left promiscuous mode
bond_slave_0: left promiscuous mode
bond_slave_1: left promiscuous mode
bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
bond0 (unregistering): Released all slaves
bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
bond0 (unregistering): Released all slaves
batman_adv: batadv0: Removing interface: batadv_slave_0
hsr_slave_0: left promiscuous mode
hsr_slave_1: left promiscuous mode
hsr_slave_0: left promiscuous mode
hsr_slave_1: left promiscuous mode
batman_adv: batadv0: Interface deactivated: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Interface deactivated: batadv_slave_1
batman_adv: batadv0: Removing interface: batadv_slave_1
hsr_slave_0: left promiscuous mode
hsr_slave_1: left promiscuous mode
batman_adv: batadv0: Interface deactivated: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Interface deactivated: batadv_slave_1
batman_adv: batadv0: Removing interface: batadv_slave_1
hsr_slave_0: left promiscuous mode
hsr_slave_1: left promiscuous mode
batman_adv: batadv0: Interface deactivated: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Interface deactivated: batadv_slave_1
batman_adv: batadv0: Removing interface: batadv_slave_1
veth1_macvtap: left promiscuous mode
veth0_macvtap: left promiscuous mode
veth1_vlan: left promiscuous mode
veth0_vlan: left promiscuous mode
veth1_macvtap: left promiscuous mode
veth0_macvtap: left promiscuous mode
veth1_vlan: left promiscuous mode
veth0_vlan: left promiscuous mode
veth1_macvtap: left promiscuous mode
veth0_macvtap: left promiscuous mode
veth1_vlan: left promiscuous mode
veth0_vlan: left promiscuous mode
veth1_macvtap: left promiscuous mode
veth0_macvtap: left promiscuous mode
veth1_vlan: left promiscuous mode
veth0_vlan: left promiscuous mode
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed