last executing test programs: 1.335282861s ago: executing program 1 (id=2): syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000a00)) 1.09813574s ago: executing program 0 (id=1): r0 = syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10) sendmsg$netlink(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000280)=ANY=[@ANYBLOB="180100002e00010000000000ffdbdf250601f2090c00180008ac0f000000000014000a"], 0x118}], 0x1, 0x0, 0x0, 0x400c445}, 0x0) 909.260975ms ago: executing program 0 (id=5): r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000040), 0xa0b41, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller0\x00', 0x84aebfbd6349b7f2}) r1 = openat$tun(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) ioctl$TUNSETQUEUE(r0, 0x400454d9, &(0x7f0000000000)={'bridge_slave_0\x00', 0x400}) close(r1) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000029c0)) ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @link_local}) 650.932477ms ago: executing program 1 (id=6): syz_genetlink_get_family_id$nl80211(0x0, 0xffffffffffffffff) sendmsg$TIPC_NL_NET_SET(0xffffffffffffffff, 0x0, 0x20000000) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r0 = getpid() fcntl$lock(0xffffffffffffffff, 0x26, &(0x7f00000031c0)={0x1, 0x0, 0x0, 0x5}) fcntl$lock(0xffffffffffffffff, 0x26, &(0x7f0000000080)) fcntl$lock(0xffffffffffffffff, 0x7, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x3}) sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) sendmmsg$unix(r1, 0x0, 0x0, 0x0) syz_fuse_handle_req(0xffffffffffffffff, 0x0, 0x0, 0x0) r2 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000080)=ANY=[@ANYBLOB="12010000000000105509147200ed0000000109022400010000000009040000030300000009210000000122050009058103"], 0x0) syz_usb_control_io(r2, 0x0, 0x0) openat$snapshot(0xffffffffffffff9c, 0x0, 0x3f, 0x0) sched_setscheduler(r0, 0x1, &(0x7f00000000c0)=0x1) syz_usb_control_io$hid(r2, &(0x7f00000005c0)={0x24, 0x0, 0x0, &(0x7f0000000380)=ANY=[@ANYBLOB="002205000000a8874d"], 0x0}, 0x0) r3 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000040)={0x0, 0x0}) close_range(r3, 0xffffffffffffffff, 0x0) sched_setscheduler(0x0, 0x2, 0x0) ioctl$IOMMU_TEST_OP_MOCK_DOMAIN(0xffffffffffffffff, 0x3ba0, &(0x7f00000001c0)={0x48, 0x4}) 326.778395ms ago: executing program 3 (id=4): close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x2) r0 = socket(0x2b, 0x1, 0x0) bind$unix(r0, 0x0, 0x0) 167.04914ms ago: executing program 3 (id=7): r0 = openat$audio(0xffffffffffffff9c, &(0x7f0000000640), 0x80000, 0x0) ioctl$SOUND_MIXER_READ_RECSRC(r0, 0x80044dff, &(0x7f0000000480)) 92.577532ms ago: executing program 3 (id=8): r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0xf, 0x0, 0x0) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000180)=0x800001, 0x4) bind$inet6(r1, &(0x7f0000000140)={0xa, 0x4e22, 0x0, @empty}, 0x1c) setsockopt$inet6_int(r0, 0x29, 0x4b, &(0x7f0000000100)=0x401, 0x4) setsockopt$sock_int(r0, 0x1, 0xf, &(0x7f0000000180)=0x800001, 0x4) bind$inet6(r0, &(0x7f0000000140)={0xa, 0x4e22, 0x0, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02'}, 0x1c) 0s ago: executing program 3 (id=9): unshare(0xc040680) socket$inet6_mptcp(0xa, 0x1, 0x106) openat$vmci(0xffffffffffffff9c, 0x0, 0x2, 0x0) socket$nl_generic(0x10, 0x3, 0x10) socket$inet6(0xa, 0x3, 0x4) prlimit64(0x0, 0xe, &(0x7f0000000000)={0xa, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000640)=0x2) sched_setaffinity(0x0, 0x8, &(0x7f0000000280)=0x2) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) r0 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r0, &(0x7f0000019680)=""/102392, 0x18ff8) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$NL80211_CMD_REMAIN_ON_CHANNEL(r1, &(0x7f0000000480)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000002c0)={0x14, r2, 0x9c3fa077fa966179, 0x0, 0x0, {{0x7e}, {@void, @void}}}, 0x14}, 0x1, 0x0, 0x0, 0x8}, 0x4040800) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.1.164' (ED25519) to the list of known hosts. [ 91.839854][ T5812] cgroup: Unknown subsys name 'net' [ 92.037746][ T5812] cgroup: Unknown subsys name 'cpuset' [ 92.047535][ T5812] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 93.875058][ T5812] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 97.524477][ T5827] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 97.535882][ T5827] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 97.548494][ T5834] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 97.558191][ T5834] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 97.565928][ T5834] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 97.574868][ T5834] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 97.582376][ T5837] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 97.583723][ T5834] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 97.597670][ T5837] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 97.598208][ T5834] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 97.613616][ T5837] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 97.614751][ T5834] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 97.625354][ T5837] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 97.631234][ T5834] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 97.636584][ T5837] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 97.650602][ T5837] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 97.683666][ T5836] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 97.692693][ T5836] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 97.701584][ T5836] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 97.710999][ T5836] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 98.297214][ T5823] chnl_net:caif_netlink_parms(): no params data found [ 98.357658][ T5822] chnl_net:caif_netlink_parms(): no params data found [ 98.436319][ T5821] chnl_net:caif_netlink_parms(): no params data found [ 98.534990][ T5824] chnl_net:caif_netlink_parms(): no params data found [ 98.681732][ T5823] bridge0: port 1(bridge_slave_0) entered blocking state [ 98.689639][ T5823] bridge0: port 1(bridge_slave_0) entered disabled state [ 98.697225][ T5823] bridge_slave_0: entered allmulticast mode [ 98.705385][ T5823] bridge_slave_0: entered promiscuous mode [ 98.725644][ T5822] bridge0: port 1(bridge_slave_0) entered blocking state [ 98.732890][ T5822] bridge0: port 1(bridge_slave_0) entered disabled state [ 98.740230][ T5822] bridge_slave_0: entered allmulticast mode [ 98.747579][ T5822] bridge_slave_0: entered promiscuous mode [ 98.756131][ T5822] bridge0: port 2(bridge_slave_1) entered blocking state [ 98.763615][ T5822] bridge0: port 2(bridge_slave_1) entered disabled state [ 98.770961][ T5822] bridge_slave_1: entered allmulticast mode [ 98.778745][ T5822] bridge_slave_1: entered promiscuous mode [ 98.786723][ T5823] bridge0: port 2(bridge_slave_1) entered blocking state [ 98.794356][ T5823] bridge0: port 2(bridge_slave_1) entered disabled state [ 98.801599][ T5823] bridge_slave_1: entered allmulticast mode [ 98.809455][ T5823] bridge_slave_1: entered promiscuous mode [ 98.918731][ T5821] bridge0: port 1(bridge_slave_0) entered blocking state [ 98.926157][ T5821] bridge0: port 1(bridge_slave_0) entered disabled state [ 98.933674][ T5821] bridge_slave_0: entered allmulticast mode [ 98.941068][ T5821] bridge_slave_0: entered promiscuous mode [ 98.966380][ T5822] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 98.978449][ T5823] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 98.989029][ T5821] bridge0: port 2(bridge_slave_1) entered blocking state [ 98.996484][ T5821] bridge0: port 2(bridge_slave_1) entered disabled state [ 99.004356][ T5821] bridge_slave_1: entered allmulticast mode [ 99.011738][ T5821] bridge_slave_1: entered promiscuous mode [ 99.035071][ T5822] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 99.046839][ T5823] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 99.085452][ T5824] bridge0: port 1(bridge_slave_0) entered blocking state [ 99.092693][ T5824] bridge0: port 1(bridge_slave_0) entered disabled state [ 99.100440][ T5824] bridge_slave_0: entered allmulticast mode [ 99.108345][ T5824] bridge_slave_0: entered promiscuous mode [ 99.155265][ T5824] bridge0: port 2(bridge_slave_1) entered blocking state [ 99.162685][ T5824] bridge0: port 2(bridge_slave_1) entered disabled state [ 99.170832][ T5824] bridge_slave_1: entered allmulticast mode [ 99.178737][ T5824] bridge_slave_1: entered promiscuous mode [ 99.203718][ T5823] team0: Port device team_slave_0 added [ 99.214226][ T5821] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 99.238244][ T5822] team0: Port device team_slave_0 added [ 99.246676][ T5823] team0: Port device team_slave_1 added [ 99.256018][ T5822] team0: Port device team_slave_1 added [ 99.264949][ T5821] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 99.328737][ T5824] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 99.381072][ T5824] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 99.391905][ T5823] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 99.399496][ T5823] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 99.426183][ T5823] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 99.440434][ T5822] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 99.448193][ T5822] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 99.474421][ T5822] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 99.488068][ T5821] team0: Port device team_slave_0 added [ 99.507697][ T5823] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 99.514716][ T5823] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 99.544179][ T5823] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 99.557102][ T5822] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 99.564650][ T5822] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 99.591613][ T5822] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 99.605270][ T5821] team0: Port device team_slave_1 added [ 99.651632][ T5824] team0: Port device team_slave_0 added [ 99.660430][ T5824] team0: Port device team_slave_1 added [ 99.682175][ T5821] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 99.690619][ T5821] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 99.691098][ T5836] Bluetooth: hci0: command tx timeout [ 99.717350][ T5821] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 99.734016][ T5827] Bluetooth: hci2: command tx timeout [ 99.740066][ T5146] Bluetooth: hci3: command tx timeout [ 99.763862][ T5836] Bluetooth: hci1: command tx timeout [ 99.776699][ T5821] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 99.785262][ T5821] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 99.813083][ T5821] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 99.871587][ T5824] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 99.879708][ T5824] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 99.907194][ T5824] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 99.943744][ T5823] hsr_slave_0: entered promiscuous mode [ 99.950613][ T5823] hsr_slave_1: entered promiscuous mode [ 99.959632][ T5824] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 99.966687][ T5824] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 99.992967][ T5824] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 100.013356][ T5822] hsr_slave_0: entered promiscuous mode [ 100.020772][ T5822] hsr_slave_1: entered promiscuous mode [ 100.027575][ T5822] debugfs: 'hsr0' already exists in 'hsr' [ 100.033418][ T5822] Cannot create hsr debugfs directory [ 100.123391][ T5821] hsr_slave_0: entered promiscuous mode [ 100.130330][ T5821] hsr_slave_1: entered promiscuous mode [ 100.137326][ T5821] debugfs: 'hsr0' already exists in 'hsr' [ 100.143192][ T5821] Cannot create hsr debugfs directory [ 100.230817][ T5824] hsr_slave_0: entered promiscuous mode [ 100.237632][ T5824] hsr_slave_1: entered promiscuous mode [ 100.245272][ T5824] debugfs: 'hsr0' already exists in 'hsr' [ 100.251152][ T5824] Cannot create hsr debugfs directory [ 100.733642][ T5823] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 100.749524][ T5823] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 100.761628][ T5823] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 100.794642][ T5823] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 100.900806][ T5822] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 100.916079][ T5822] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 100.929305][ T5822] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 100.941570][ T5822] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 101.105825][ T5821] netdevsim netdevsim3 netdevsim0: renamed from eth0 [ 101.128203][ T5821] netdevsim netdevsim3 netdevsim1: renamed from eth1 [ 101.147807][ T5821] netdevsim netdevsim3 netdevsim2: renamed from eth2 [ 101.160488][ T5821] netdevsim netdevsim3 netdevsim3: renamed from eth3 [ 101.312480][ T5824] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 101.337240][ T5824] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 101.349097][ T5824] netdevsim netdevsim2 netdevsim2: renamed from eth2 [ 101.363641][ T5824] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 101.378864][ T5823] 8021q: adding VLAN 0 to HW filter on device bond0 [ 101.415785][ T5822] 8021q: adding VLAN 0 to HW filter on device bond0 [ 101.459352][ T5823] 8021q: adding VLAN 0 to HW filter on device team0 [ 101.489377][ T163] bridge0: port 1(bridge_slave_0) entered blocking state [ 101.496801][ T163] bridge0: port 1(bridge_slave_0) entered forwarding state [ 101.526886][ T5822] 8021q: adding VLAN 0 to HW filter on device team0 [ 101.553076][ T50] bridge0: port 2(bridge_slave_1) entered blocking state [ 101.560315][ T50] bridge0: port 2(bridge_slave_1) entered forwarding state [ 101.582434][ T50] bridge0: port 1(bridge_slave_0) entered blocking state [ 101.589647][ T50] bridge0: port 1(bridge_slave_0) entered forwarding state [ 101.617105][ T50] bridge0: port 2(bridge_slave_1) entered blocking state [ 101.624343][ T50] bridge0: port 2(bridge_slave_1) entered forwarding state [ 101.686852][ T5821] 8021q: adding VLAN 0 to HW filter on device bond0 [ 101.757250][ T5821] 8021q: adding VLAN 0 to HW filter on device team0 [ 101.764199][ T5836] Bluetooth: hci0: command tx timeout [ 101.764238][ T5836] Bluetooth: hci2: command tx timeout [ 101.773079][ T5827] Bluetooth: hci3: command tx timeout [ 101.816872][ T50] bridge0: port 1(bridge_slave_0) entered blocking state [ 101.824168][ T50] bridge0: port 1(bridge_slave_0) entered forwarding state [ 101.851006][ T1034] bridge0: port 2(bridge_slave_1) entered blocking state [ 101.854998][ T5827] Bluetooth: hci1: command tx timeout [ 101.858306][ T1034] bridge0: port 2(bridge_slave_1) entered forwarding state [ 101.981009][ T5824] 8021q: adding VLAN 0 to HW filter on device bond0 [ 102.062689][ T5824] 8021q: adding VLAN 0 to HW filter on device team0 [ 102.140706][ T1034] bridge0: port 1(bridge_slave_0) entered blocking state [ 102.148113][ T1034] bridge0: port 1(bridge_slave_0) entered forwarding state [ 102.201457][ T1034] bridge0: port 2(bridge_slave_1) entered blocking state [ 102.208873][ T1034] bridge0: port 2(bridge_slave_1) entered forwarding state [ 102.270042][ T5823] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 102.331859][ T5822] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 102.442975][ T5823] veth0_vlan: entered promiscuous mode [ 102.493322][ T5823] veth1_vlan: entered promiscuous mode [ 102.550758][ T5822] veth0_vlan: entered promiscuous mode [ 102.571446][ T5821] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 102.619746][ T5822] veth1_vlan: entered promiscuous mode [ 102.656347][ T5823] veth0_macvtap: entered promiscuous mode [ 102.695838][ T5823] veth1_macvtap: entered promiscuous mode [ 102.773268][ T5823] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 102.802562][ T5821] veth0_vlan: entered promiscuous mode [ 102.819848][ T5823] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 102.828090][ T5822] veth0_macvtap: entered promiscuous mode [ 102.842274][ T5824] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 102.857868][ T5821] veth1_vlan: entered promiscuous mode [ 102.879991][ T5822] veth1_macvtap: entered promiscuous mode [ 102.888635][ T163] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 102.896521][ T39] cfg80211: failed to load regulatory.db [ 102.914762][ T163] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 102.924667][ T163] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 102.933444][ T163] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 102.989027][ T5822] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 103.022785][ T5822] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 103.055689][ T3555] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 103.083234][ T3555] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 103.092536][ T3555] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 103.119233][ T3555] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 103.154965][ T3555] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 103.163054][ T3555] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 103.184821][ T5821] veth0_macvtap: entered promiscuous mode [ 103.231016][ T3555] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 103.241050][ T3555] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 103.246071][ T5821] veth1_macvtap: entered promiscuous mode [ 103.263371][ T5824] veth0_vlan: entered promiscuous mode [ 103.352538][ T5824] veth1_vlan: entered promiscuous mode [ 103.356459][ T5823] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 103.358543][ T1034] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 103.397995][ T5821] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 103.406200][ T1034] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 103.433366][ T5821] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 103.493378][ T3493] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 103.502056][ T163] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 103.525245][ T3493] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 103.544181][ T163] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 103.553069][ T163] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 103.586408][ T163] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 103.648835][ T5824] veth0_macvtap: entered promiscuous mode [ 103.686630][ T5824] veth1_macvtap: entered promiscuous mode [ 103.769238][ T5920] netlink: 'syz.0.1': attribute type 10 has an invalid length. [ 103.781309][ T5920] netlink: 228 bytes leftover after parsing attributes in process `syz.0.1'. [ 103.781990][ T5824] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 103.812994][ T3493] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 103.821751][ T5824] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 103.842521][ T3493] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 103.851275][ T5834] Bluetooth: hci0: command tx timeout [ 103.853734][ T5146] Bluetooth: hci3: command tx timeout [ 103.856939][ T5827] Bluetooth: hci2: command tx timeout [ 103.925125][ T5827] Bluetooth: hci1: command tx timeout [ 103.933303][ T3555] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 103.955285][ T3555] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 103.969635][ T3555] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 103.987516][ T3555] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 103.993706][ T50] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 104.025041][ T50] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 104.673952][ T39] usb 2-1: new high-speed USB device number 2 using dummy_hcd [ 104.845600][ T39] usb 2-1: Using ep0 maxpacket: 16 [ 104.867432][ T39] usb 2-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 104.879542][ T39] usb 2-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 104.901703][ T39] usb 2-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 3 [ 104.918382][ T39] usb 2-1: New USB device found, idVendor=0955, idProduct=7214, bcdDevice=ed.00 [ 104.927916][ T39] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 105.033000][ T39] usb 2-1: config 0 descriptor?? [ 105.073751][ T0] NOHZ tick-stop error: local softirq work is pending, handler #100!!! [ 105.502105][ T39] hid (null): bogus close delimiter [ 105.611701][ T5836] ================================================================== [ 105.620017][ T5836] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2b0 [ 105.622879][ T39] shield 0003:0955:7214.0001: bogus close delimiter [ 105.627717][ T5836] Write of size 4 at addr ffff888021718010 by task kworker/u9:5/5836 [ 105.627742][ T5836] [ 105.627771][ T5836] CPU: 0 UID: 0 PID: 5836 Comm: kworker/u9:5 Not tainted syzkaller #0 PREEMPT(full) [ 105.627795][ T5836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 105.627807][ T5836] Workqueue: hci3 hci_cmd_sync_work [ 105.627846][ T5836] Call Trace: [ 105.627855][ T5836] [ 105.627862][ T5836] dump_stack_lvl+0x189/0x250 [ 105.627881][ T5836] ? __virt_addr_valid+0x1c8/0x5c0 [ 105.627906][ T5836] ? rcu_is_watching+0x15/0xb0 [ 105.627932][ T5836] ? __pfx_dump_stack_lvl+0x10/0x10 [ 105.627954][ T5836] ? rcu_is_watching+0x15/0xb0 [ 105.627978][ T5836] ? lock_release+0x4b/0x3b0 [ 105.628011][ T5836] ? _raw_spin_lock_irqsave+0xb3/0xf0 [ 105.628044][ T5836] ? __virt_addr_valid+0x1c8/0x5c0 [ 105.628069][ T5836] ? __virt_addr_valid+0x4a5/0x5c0 [ 105.628097][ T5836] print_report+0xca/0x240 [ 105.628122][ T5836] ? hci_conn_drop+0x34/0x2b0 [ 105.628141][ T5836] kasan_report+0x118/0x150 [ 105.628163][ T5836] ? hci_conn_valid+0x21/0x230 [ 105.628186][ T5836] ? hci_conn_drop+0x34/0x2b0 [ 105.628212][ T5836] kasan_check_range+0x2b0/0x2c0 [ 105.628238][ T5836] hci_conn_drop+0x34/0x2b0 [ 105.628258][ T5836] ? __pfx_le_read_features_complete+0x10/0x10 [ 105.628293][ T5836] hci_cmd_sync_work+0x262/0x400 [ 105.628331][ T5836] ? process_one_work+0x868/0x15a0 [ 105.628362][ T5836] process_one_work+0x93a/0x15a0 [ 105.628414][ T5836] ? __pfx_process_one_work+0x10/0x10 [ 105.628452][ T5836] ? assign_work+0x3a1/0x410 [ 105.628484][ T5836] worker_thread+0x9b0/0xee0 [ 105.628534][ T5836] kthread+0x711/0x8a0 [ 105.628560][ T5836] ? __pfx_worker_thread+0x10/0x10 [ 105.628592][ T5836] ? __pfx_kthread+0x10/0x10 [ 105.628618][ T5836] ? _raw_spin_unlock_irq+0x23/0x50 [ 105.628647][ T5836] ? lockdep_hardirqs_on+0x98/0x140 [ 105.628681][ T5836] ? __pfx_kthread+0x10/0x10 [ 105.628706][ T5836] ret_from_fork+0x599/0xb30 [ 105.628739][ T5836] ? __pfx_ret_from_fork+0x10/0x10 [ 105.628776][ T5836] ? __switch_to_asm+0x39/0x70 [ 105.628799][ T5836] ? __switch_to_asm+0x33/0x70 [ 105.628823][ T5836] ? __pfx_kthread+0x10/0x10 [ 105.628847][ T5836] ret_from_fork_asm+0x1a/0x30 [ 105.628882][ T5836] [ 105.628891][ T5836] [ 105.636454][ T39] shield 0003:0955:7214.0001: item 0 0 2 10 parsing failed [ 105.643810][ T5836] Allocated by task 5827: [ 105.643830][ T5836] kasan_save_track+0x3e/0x80 [ 105.643861][ T5836] __kasan_kmalloc+0x93/0xb0 [ 105.643890][ T5836] __kmalloc_cache_noprof+0x3e2/0x700 [ 105.651516][ T39] shield 0003:0955:7214.0001: Parse failed [ 105.655920][ T5836] __hci_conn_add+0x3c5/0x1b30 [ 105.655950][ T5836] le_conn_complete_evt+0x6f6/0x1420 [ 105.655971][ T5836] hci_le_enh_conn_complete_evt+0x189/0x4a0 [ 105.655991][ T5836] hci_event_packet+0x78f/0x1260 [ 105.656017][ T5836] hci_rx_work+0x3ee/0x1060 [ 105.656045][ T5836] process_one_work+0x93a/0x15a0 [ 105.656072][ T5836] worker_thread+0x9b0/0xee0 [ 105.690166][ T39] shield 0003:0955:7214.0001: probe with driver shield failed with error -22 [ 105.693413][ T5836] kthread+0x711/0x8a0 [ 105.693442][ T5836] ret_from_fork+0x599/0xb30 [ 105.693468][ T5836] ret_from_fork_asm+0x1a/0x30 [ 105.693489][ T5836] [ 105.693495][ T5836] Freed by task 5827: [ 105.693506][ T5836] kasan_save_track+0x3e/0x80 [ 105.968195][ T5836] kasan_save_free_info+0x46/0x50 [ 105.974123][ T5836] __kasan_slab_free+0x5c/0x80 [ 105.979377][ T5836] kfree+0x1c0/0x660 [ 105.983687][ T5836] device_release+0x9e/0x1d0 [ 105.988685][ T5836] kobject_put+0x228/0x570 [ 105.993117][ T5836] hci_conn_del+0xc36/0x1240 [ 105.997840][ T5836] hci_disconn_complete_evt+0x64e/0x950 [ 106.003437][ T5836] hci_event_packet+0x7e3/0x1260 [ 106.008594][ T5836] hci_rx_work+0x3ee/0x1060 [ 106.013127][ T5836] process_one_work+0x93a/0x15a0 [ 106.018263][ T5836] worker_thread+0x9b0/0xee0 [ 106.022874][ T5836] kthread+0x711/0x8a0 [ 106.027006][ T5836] ret_from_fork+0x599/0xb30 [ 106.031784][ T5836] ret_from_fork_asm+0x1a/0x30 [ 106.036667][ T5836] [ 106.039006][ T5836] The buggy address belongs to the object at ffff888021718000 [ 106.039006][ T5836] which belongs to the cache kmalloc-8k of size 8192 [ 106.053262][ T5836] The buggy address is located 16 bytes inside of [ 106.053262][ T5836] freed 8192-byte region [ffff888021718000, ffff88802171a000) [ 106.067270][ T5836] [ 106.069725][ T5836] The buggy address belongs to the physical page: [ 106.076572][ T5836] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21718 [ 106.085886][ T5836] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 106.095094][ T5836] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 106.103169][ T5836] page_type: f5(slab) [ 106.107185][ T5836] raw: 00fff00000000040 ffff88813fe27280 ffffea000083de00 0000000000000006 [ 106.117226][ T5836] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 [ 106.127629][ T5836] head: 00fff00000000040 ffff88813fe27280 ffffea000083de00 0000000000000006 [ 106.136944][ T5836] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 [ 106.145926][ T5836] head: 00fff00000000003 ffffea000085c601 00000000ffffffff 00000000ffffffff [ 106.155248][ T5836] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 106.164818][ T5836] page dumped because: kasan: bad access detected [ 106.171254][ T5836] page_owner tracks the page as allocated [ 106.176979][ T5836] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5569, tgid 5569 (rcS), ts 68338574688, free_ts 68334936586 [ 106.196971][ T5836] post_alloc_hook+0x234/0x290 [ 106.201930][ T5836] get_page_from_freelist+0x2365/0x2440 [ 106.207496][ T5836] __alloc_frozen_pages_noprof+0x181/0x370 [ 106.213326][ T5836] alloc_pages_mpol+0x232/0x4a0 [ 106.218188][ T5836] allocate_slab+0x86/0x3b0 [ 106.222804][ T5836] ___slab_alloc+0xf2b/0x1960 [ 106.227584][ T5836] __slab_alloc+0x65/0x100 [ 106.232055][ T5836] __kmalloc_cache_noprof+0x41e/0x700 [ 106.237628][ T5836] tomoyo_init_log+0x111f/0x1f70 [ 106.242775][ T5836] tomoyo_supervisor+0x340/0x1480 [ 106.247833][ T5836] tomoyo_env_perm+0x149/0x1e0 [ 106.252868][ T5836] tomoyo_find_next_domain+0x15ce/0x1aa0 [ 106.258542][ T5836] tomoyo_bprm_check_security+0x11c/0x180 [ 106.264475][ T5836] security_bprm_check+0x89/0x270 [ 106.269515][ T5836] bprm_execve+0x887/0x1400 [ 106.274059][ T5836] do_execveat_common+0x510/0x6a0 [ 106.279116][ T5836] page last free pid 5490 tgid 5490 stack trace: [ 106.285453][ T5836] __free_frozen_pages+0xbc8/0xd30 [ 106.290674][ T5836] __put_partials+0x146/0x170 [ 106.295368][ T5836] put_cpu_partial+0x1f2/0x2d0 [ 106.300156][ T5836] __slab_free+0x288/0x2a0 [ 106.304604][ T5836] qlist_free_all+0x97/0x100 [ 106.309383][ T5836] kasan_quarantine_reduce+0x148/0x160 [ 106.314867][ T5836] __kasan_slab_alloc+0x22/0x80 [ 106.319779][ T5836] __kmalloc_noprof+0x3cf/0x800 [ 106.324651][ T5836] tomoyo_encode+0x28b/0x550 [ 106.329724][ T5836] tomoyo_realpath_from_path+0x58d/0x5d0 [ 106.335404][ T5836] tomoyo_path_number_perm+0x1e8/0x5a0 [ 106.341146][ T5836] security_file_ioctl+0xcb/0x2d0 [ 106.346233][ T5836] __se_sys_ioctl+0x47/0x170 [ 106.350931][ T5836] do_syscall_64+0xfa/0xf80 [ 106.355462][ T5836] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 106.361376][ T5836] [ 106.363708][ T5836] Memory state around the buggy address: [ 106.369345][ T5836] ffff888021717f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 106.377718][ T5836] ffff888021717f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 106.385793][ T5836] >ffff888021718000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 106.393950][ T5836] ^ [ 106.398740][ T5836] ffff888021718080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 106.406903][ T5836] ffff888021718100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 106.415061][ T5836] ================================================================== [ 106.425690][ T0] NOHZ tick-stop error: local softirq work is pending, handler #40!!! [ 106.457373][ T5836] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 106.464615][ T5836] CPU: 0 UID: 0 PID: 5836 Comm: kworker/u9:5 Not tainted syzkaller #0 PREEMPT(full) [ 106.474459][ T5836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 106.484781][ T5836] Workqueue: hci3 hci_cmd_sync_work [ 106.490134][ T5836] Call Trace: [ 106.493445][ T5836] [ 106.496406][ T5836] dump_stack_lvl+0x99/0x250 [ 106.501045][ T5836] ? __asan_memcpy+0x40/0x70 [ 106.505768][ T5836] ? __pfx_dump_stack_lvl+0x10/0x10 [ 106.510996][ T5836] ? __pfx__printk+0x10/0x10 [ 106.515618][ T5836] vpanic+0x237/0x6d0 [ 106.519619][ T5836] ? __pfx_vpanic+0x10/0x10 [ 106.524165][ T5836] ? preempt_schedule+0xae/0xc0 [ 106.529050][ T5836] ? __pfx_preempt_schedule+0x10/0x10 [ 106.534459][ T5836] panic+0xb9/0xc0 [ 106.538199][ T5836] ? __pfx_panic+0x10/0x10 [ 106.542635][ T5836] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 106.548639][ T5836] ? is_module_address+0x17/0xf0 [ 106.553690][ T5836] ? hci_conn_drop+0x34/0x2b0 [ 106.558387][ T5836] check_panic_on_warn+0x89/0xb0 [ 106.563340][ T5836] ? hci_conn_drop+0x34/0x2b0 [ 106.568034][ T5836] end_report+0x6f/0x140 [ 106.572288][ T5836] kasan_report+0x129/0x150 [ 106.576887][ T5836] ? hci_conn_valid+0x21/0x230 [ 106.581995][ T5836] ? hci_conn_drop+0x34/0x2b0 [ 106.586691][ T5836] kasan_check_range+0x2b0/0x2c0 [ 106.591646][ T5836] hci_conn_drop+0x34/0x2b0 [ 106.596249][ T5836] ? __pfx_le_read_features_complete+0x10/0x10 [ 106.602434][ T5836] hci_cmd_sync_work+0x262/0x400 [ 106.607392][ T5836] ? process_one_work+0x868/0x15a0 [ 106.612609][ T5836] process_one_work+0x93a/0x15a0 [ 106.617575][ T5836] ? __pfx_process_one_work+0x10/0x10 [ 106.623158][ T5836] ? assign_work+0x3a1/0x410 [ 106.627797][ T5836] worker_thread+0x9b0/0xee0 [ 106.632704][ T5836] kthread+0x711/0x8a0 [ 106.636884][ T5836] ? __pfx_worker_thread+0x10/0x10 [ 106.642150][ T5836] ? __pfx_kthread+0x10/0x10 [ 106.646840][ T5836] ? _raw_spin_unlock_irq+0x23/0x50 [ 106.652088][ T5836] ? lockdep_hardirqs_on+0x98/0x140 [ 106.657443][ T5836] ? __pfx_kthread+0x10/0x10 [ 106.662053][ T5836] ret_from_fork+0x599/0xb30 [ 106.666664][ T5836] ? __pfx_ret_from_fork+0x10/0x10 [ 106.671904][ T5836] ? __switch_to_asm+0x39/0x70 [ 106.676697][ T5836] ? __switch_to_asm+0x33/0x70 [ 106.681498][ T5836] ? __pfx_kthread+0x10/0x10 [ 106.686204][ T5836] ret_from_fork_asm+0x1a/0x30 [ 106.691012][ T5836] [ 106.694367][ T5836] Kernel Offset: disabled [ 106.698823][ T5836] Rebooting in 86400 seconds..