last executing test programs: 24.311984038s ago: executing program 0 (id=1387): r0 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$inet_int(r0, 0x0, 0x18, &(0x7f0000000040)=0x4, 0x4) bind$inet(r0, &(0x7f0000000380)={0x2, 0x0, @multicast2}, 0x10) 23.063839728s ago: executing program 1 (id=1388): r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0x2, 0x4, 0x1, 0xbf22, 0x0, 0xffffffffffffffff, 0xe0d}, 0x50) r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000100)=@base={0xd, 0xa, 0x4, 0x5, 0x0, r0}, 0x48) bpf$MAP_CREATE(0x0, &(0x7f0000000100)=ANY=[@ANYBLOB="0d0000000a000000040000000500000000000000", @ANYRES32=r1], 0x48) 20.694941981s ago: executing program 0 (id=1389): r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000240)=ANY=[@ANYBLOB="1b00000000000000000000000080"], 0x48) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000180)={0x4, 0x8, &(0x7f0000000040)=@framed={{0x18, 0x2, 0x0, 0x0, 0xfffffffc, 0x0, 0x0, 0x0, 0x2}, [@call={0x85, 0x0, 0x0, 0x2f}, @ringbuf_query={{0x18, 0x1, 0x1, 0x0, r0}}]}, &(0x7f00000000c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x0, 0xe40, 0x0, &(0x7f0000000900)="e02742e8680d85ff9782762f0800", 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x48) 19.254029242s ago: executing program 1 (id=1390): r0 = socket$netlink(0x10, 0x3, 0xc) bind$netlink(r0, &(0x7f0000000000)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc) close(r0) 15.739337628s ago: executing program 0 (id=1391): r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000040), 0xffffffffffffffff) sendmsg$ETHTOOL_MSG_PAUSE_SET(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000080)={0x3c, r1, 0x431, 0x70bd2c, 0x25dfdbfc, {}, [@ETHTOOL_A_PAUSE_HEADER={0x18, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'netdevsim0\x00'}]}, @ETHTOOL_A_PAUSE_AUTONEG={0x5}, @ETHTOOL_A_PAUSE_TX={0x5, 0x4, 0xfc}]}, 0x3c}, 0x1, 0x0, 0x0, 0x4c810}, 0x20000000) 14.924335634s ago: executing program 1 (id=1392): r0 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x1b, 0x0, 0x0, 0x8000}, 0x48) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x6, 0x17, &(0x7f00000006c0)=ANY=[@ANYBLOB="1800000000000000000000000000000218110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000083000000bf090000000000005509010000000000950000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b702000000000080850000001700000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7020000000000008500000086000000bf91000000000000b7020000010000008500000084000000b70000000000000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback=0x35, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000240)={r1, 0xfca804a0, 0x10, 0x38, &(0x7f00000002c0)="b800000500000000", &(0x7f0000000300)=""/8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x4c) 11.746668862s ago: executing program 0 (id=1393): syz_io_uring_setup(0x6908, &(0x7f0000000280)={0x0, 0x0, 0x10100}, &(0x7f0000000140), &(0x7f0000000100)) r0 = syz_open_procfs(0x0, &(0x7f0000000340)='fdinfo/3\x00') read$FUSE(r0, &(0x7f0000001640)={0x2020}, 0x2020) 9.983157631s ago: executing program 1 (id=1394): r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$ethtool(&(0x7f00000004c0), 0xffffffffffffffff) sendmsg$ETHTOOL_MSG_LINKINFO_GET(r0, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000100)={&(0x7f00000005c0)={0x2c, r1, 0x1, 0x0, 0x0, {0x1a}, [@HEADER={0x18, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'dummy0\x00'}]}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000800}, 0x0) 5.108556784s ago: executing program 0 (id=1395): r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f0000000400), 0x2, 0x0) ioctl$VHOST_SET_VRING_BASE(r0, 0xaf01, 0x0) ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x1, 0x0, 0x0, &(0x7f0000000500)=""/69, 0x0}) 4.433566992s ago: executing program 1 (id=1396): r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000180)=@base={0x1, 0x7, 0x8, 0x9, 0x1}, 0x50) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000300)={0x11, 0xd, &(0x7f0000000280)=ANY=[@ANYBLOB="18000000000000000000000000000000850000000700000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000300000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000640)={r1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x50) 1.020384723s ago: executing program 1 (id=1397): r0 = socket$key(0xf, 0x3, 0x2) sendmsg$key(r0, &(0x7f00000001c0)={0x40000000, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=ANY=[@ANYBLOB="02030609100000000000004c9e000000020013000200000000000000ff0800ed05000600200000000a0006000000000026b900000000000000001ffeff0001000003f1dc7f7c6e7c0200010000000000004000020000000005000500000000000a"], 0x80}}, 0x0) sendmsg$key(r0, &(0x7f00000001c0)={0x40000000, 0x0, &(0x7f0000000040)={&(0x7f0000000100)=ANY=[@ANYBLOB="02030609100000000000004c9e0000000200130002eb0e00000000000000000105000600200000000a00000040010000000500e50000070000001f00001a000000030000a95a6e870200010000e9ff070040000200000000050005000000cc580a"], 0x80}}, 0x4000000) 0s ago: executing program 0 (id=1398): r0 = openat$comedi(0xffffffffffffff9c, &(0x7f0000000080)='/dev/comedi3\x00', 0x400, 0x0) ioctl$COMEDI_DEVCONFIG(r0, 0x40946400, &(0x7f00000000c0)={'comedi_parport\x00', [0x4f27, 0x0, 0x8, 0x6, 0x5, 0x5, 0x9, 0x7, 0x54c6cff3, 0xfd, 0x2, 0x8401, 0x6, 0x5da31c5d, 0x6, 0x101, 0x0, 0x892, 0xa418, 0x40000001, 0x5, 0xcaa3, 0x8, 0x20001e5b, 0x0, 0xe66, 0x4, 0x8, 0x5, 0x0, 0xfffffff8]}) ioctl$COMEDI_DEVINFO(r0, 0x80b06401, &(0x7f0000000180)) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:56261' (ED25519) to the list of known hosts. syzkaller login: [ 406.492706][ T41] sched: DL replenish lagged too much [ 410.505826][ T3199] cgroup: Unknown subsys name 'net' [ 411.234488][ T3199] cgroup: Unknown subsys name 'cpuset' [ 411.371182][ T3199] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 478.143532][ T3199] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 597.662399][ T3211] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 597.782121][ T3211] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 601.564225][ T3212] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 601.684167][ T3212] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 609.586219][ T3211] hsr_slave_0: entered promiscuous mode [ 609.656633][ T3211] hsr_slave_1: entered promiscuous mode [ 613.052561][ T3212] hsr_slave_0: entered promiscuous mode [ 613.083206][ T3212] hsr_slave_1: entered promiscuous mode [ 613.096953][ T3212] debugfs: 'hsr0' already exists in 'hsr' [ 613.101821][ T3212] Cannot create hsr debugfs directory [ 619.185538][ T3211] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 619.364562][ T3211] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 619.475497][ T3211] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 619.831336][ T3211] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 621.245328][ T3212] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 621.437468][ T3212] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 621.674303][ T3212] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 621.872654][ T3212] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 630.393419][ T3211] 8021q: adding VLAN 0 to HW filter on device bond0 [ 634.379697][ T3212] 8021q: adding VLAN 0 to HW filter on device bond0 [ 669.424976][ T3211] veth0_vlan: entered promiscuous mode [ 670.086040][ T3211] veth1_vlan: entered promiscuous mode [ 671.705233][ T3211] veth0_macvtap: entered promiscuous mode [ 672.044008][ T3211] veth1_macvtap: entered promiscuous mode [ 673.683679][ T3819] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 673.690055][ T3819] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 673.692397][ T3819] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 673.694481][ T3819] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 674.401483][ T3212] veth0_vlan: entered promiscuous mode [ 675.844946][ T3212] veth1_vlan: entered promiscuous mode [ 677.574514][ T3212] veth0_macvtap: entered promiscuous mode [ 677.961856][ T3212] veth1_macvtap: entered promiscuous mode [ 678.007764][ T3211] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 680.390848][ T14] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 680.436712][ T14] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 680.456845][ T14] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 680.472937][ T14] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 687.383618][ T3915] netlink: 12 bytes leftover after parsing attributes in process `syz.1.2'. [ 690.678198][ T35] audit: type=1400 audit(689.750:2): apparmor="DENIED" operation="change_hat" class="file" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=3918 comm="syz.1.4" [ 691.529174][ T35] audit: type=1800 audit(690.630:3): pid=3921 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed comm="syz.0.5" name="SYSV00000000" dev="hugetlbfs" ino=0 res=0 errno=0 [ 703.357904][ T3931] [U] Ϧ:Kț.G8X4QTZ.|| [ 711.475451][ T3937] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 730.745087][ T3958] netlink: 12 bytes leftover after parsing attributes in process `syz.1.21'. [ 739.095930][ T3967] netlink: 8 bytes leftover after parsing attributes in process `syz.0.25'. [ 740.186568][ T3967] gretap0: entered promiscuous mode [ 759.504352][ T3908] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 759.675272][ T3908] hid-generic 0000:0000:0000.0001: hidraw0: HID v0.00 Device [syz1] on syz0 [ 783.867004][ T4016] random: crng reseeded on system resumption [ 785.233254][ T4016] Restarting kernel threads ... [ 785.284533][ T4016] Done restarting kernel threads. [ 791.525692][ T4024] (unnamed net_device) (uninitialized): Removing last arp target with arp_interval on [ 793.916463][ T4024] bond1: entered promiscuous mode [ 793.961139][ T4024] bond1: entered allmulticast mode [ 793.988277][ T4024] 8021q: adding VLAN 0 to HW filter on device bond1 [ 796.205198][ T4059] netlink: 12 bytes leftover after parsing attributes in process `syz.0.48'. [ 905.143339][ T4151] netlink: 140 bytes leftover after parsing attributes in process `syz.1.89'. [ 919.437783][ T4169] devpts: Bad value for 'max' [ 993.791609][ T4246] capability: warning: `syz.1.130' uses deprecated v2 capabilities in a way that may be insecure [ 996.953906][ T36] usb 2-1: new high-speed USB device number 2 using dummy_hcd [ 997.303323][ T36] usb 2-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 997.307426][ T36] usb 2-1: config 0 interface 0 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 21 [ 997.327848][ T36] usb 2-1: New USB device found, idVendor=047f, idProduct=ffff, bcdDevice= 0.00 [ 997.336867][ T36] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 997.603529][ T36] usb 2-1: config 0 descriptor?? [ 997.912263][ T36] usbhid 2-1:0.0: couldn't find an input interrupt endpoint [ 999.664513][ T3909] usb 2-1: USB disconnect, device number 2 [ 1017.197801][ T4274] kernel profiling enabled (shift: 3) [ 1036.654833][ T4291] binder: 4290:4291 ioctl c0306201 200000000340 returned -22 [ 1040.036510][ T4293] A link change request failed with some changes committed already. Interface bond_slave_0 may have been left with an inconsistent configuration, please check. [ 1053.142468][ T4308] netlink: 24 bytes leftover after parsing attributes in process `syz.0.152'. [ 1087.687110][ T4343] netlink: 72 bytes leftover after parsing attributes in process `syz.0.166'. [ 1087.702430][ T4343] netlink: 72 bytes leftover after parsing attributes in process `syz.0.166'. [ 1089.064341][ T4345] binder_alloc: binder_alloc_mmap_handler: 4344 200000ffc000-200001000000 already mapped failed -16 [ 1100.715332][ T4355] netlink: 'syz.0.172': attribute type 7 has an invalid length. [ 1100.717556][ T4355] netlink: 'syz.0.172': attribute type 8 has an invalid length. [ 1115.032894][ T4373] netlink: 16 bytes leftover after parsing attributes in process `syz.1.181'. [ 1121.369935][ T4379] binder: 4378:4379 ioctl 400c620e 200000000000 returned -22 [ 1127.450874][ T4385] Illegal XDP return value 65535 on prog (id 20) dev N/A, expect packet loss! [ 1130.644183][ T4387] netlink: 8 bytes leftover after parsing attributes in process `syz.1.188'. [ 1140.239144][ C0] hrtimer: interrupt took 759400 ns [ 1143.090989][ T4398] netlink: 256 bytes leftover after parsing attributes in process `syz.1.194'. [ 1143.093387][ T4398] netlink: 64 bytes leftover after parsing attributes in process `syz.1.194'. [ 1148.511248][ T3908] usb 2-1: new high-speed USB device number 3 using dummy_hcd [ 1148.763335][ T3908] usb 2-1: Using ep0 maxpacket: 16 [ 1148.832479][ T3908] usb 2-1: New USB device found, idVendor=09da, idProduct=0006, bcdDevice= 0.00 [ 1148.834676][ T3908] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 1149.005199][ T3908] usb 2-1: config 0 descriptor?? [ 1150.637379][ T3908] a4tech 0003:09DA:0006.0002: unknown main item tag 0x0 [ 1150.664695][ T3908] a4tech 0003:09DA:0006.0002: unknown main item tag 0x0 [ 1150.698110][ T3908] a4tech 0003:09DA:0006.0002: unknown main item tag 0x0 [ 1150.704371][ T3908] a4tech 0003:09DA:0006.0002: unknown main item tag 0x0 [ 1150.706609][ T3908] a4tech 0003:09DA:0006.0002: unknown main item tag 0x0 [ 1150.729578][ T3908] a4tech 0003:09DA:0006.0002: unknown main item tag 0x0 [ 1151.014943][ T3908] a4tech 0003:09DA:0006.0002: hidraw0: USB HID v0.05 Device [HID 09da:0006] on usb-dummy_hcd.1-1/input0 [ 1151.662015][ T3908] usb 2-1: USB disconnect, device number 3 [ 1164.912944][ T4439] netlink: 20 bytes leftover after parsing attributes in process `syz.1.203'. [ 1164.937625][ T4439] (unnamed net_device) (uninitialized): option ad_user_port_key: mode dependency failed, not supported in mode balance-rr(0) [ 1165.001843][ T4439] Zero length message leads to an empty skb [ 1166.930322][ T35] audit: type=1400 audit(1166.030:4): apparmor="DENIED" operation="change_hat" class="file" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=4440 comm="syz.0.204" [ 1207.997406][ T4488] mmap: syz.0.224 (4488) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst. [ 1222.311900][ T4509] netlink: 8 bytes leftover after parsing attributes in process `syz.0.235'. [ 1249.456613][ T35] audit: type=1326 audit(1248.530:5): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=4537 comm="syz.1.248" exe="/syz-executor" sig=31 arch=c00000f3 syscall=98 compat=0 ip=0xdbd46 code=0x0 [ 1284.784574][ T4569] futex_wake_op: syz.1.261 tries to shift op by -1; fix this program [ 1291.284209][ T4576] Invalid logical block size (4093) [ 1296.034996][ T4583] usb usb2: Requested nonsensical USBDEVFS_URB_ZERO_PACKET. [ 1303.604022][ T4589] CUSE: unknown device info "" [ 1303.605677][ T4589] CUSE: zero length info key specified [ 1312.413814][ T4596] pim6reg: entered allmulticast mode [ 1336.933851][ T4623] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 1352.604366][ T4636] netlink: 16 bytes leftover after parsing attributes in process `syz.0.288'. [ 1415.783021][ T4674] x_tables: ip_tables: udp match: only valid for protocol 17 [ 1423.068187][ T4677] xt_AUDIT: Audit type out of range (valid range: 0..2) [ 1428.115710][ T4680] comedi comedi4: bad chanlist[0]=0x0400000b chan=11 range length=2 [ 1605.902535][ T4828] binder: 4827:4828 ioctl c0306201 200000000100 returned -22 [ 1610.723080][ T4832] netlink: 'syz.0.375': attribute type 2 has an invalid length. [ 1610.730902][ T4832] netlink: 784 bytes leftover after parsing attributes in process `syz.0.375'. [ 1615.577968][ C1] vkms_vblank_simulate: vblank timer overrun [ 1655.896414][ C0] vkms_vblank_simulate: vblank timer overrun [ 1680.474316][ T4710] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1680.604002][ T4710] hid-generic 0000:0000:0000.0003: hidraw0: HID v0.00 Device [syz1] on syz0 [ 1699.146903][ T4898] netlink: 8 bytes leftover after parsing attributes in process `syz.0.404'. [ 1699.160928][ T4898] netlink: 4 bytes leftover after parsing attributes in process `syz.0.404'. [ 1699.164351][ T4898] netlink: 'syz.0.404': attribute type 14 has an invalid length. [ 1699.197523][ T4898] netlink: 'syz.0.404': attribute type 13 has an invalid length. [ 1721.535935][ T4917] netlink: 132 bytes leftover after parsing attributes in process `syz.1.412'. [ 1766.110878][ T4952] netdevsim netdevsim1 netdevsim0: entered promiscuous mode [ 1766.527696][ T4952] netlink: 40 bytes leftover after parsing attributes in process `syz.1.429'. [ 1766.534254][ T4952] A link change request failed with some changes committed already. Interface netdevsim0 may have been left with an inconsistent configuration, please check. [ 1769.914004][ T4955] random: crng reseeded on system resumption [ 1770.753671][ T4955] Restarting kernel threads ... [ 1770.766075][ T4955] Done restarting kernel threads. [ 1796.727886][ T4984] process 'syz.0.440' launched './file2' with NULL argv: empty string added [ 1802.756045][ T3852] hid-generic 0000:0000:0000.0004: unknown main item tag 0x0 [ 1802.757439][ T3852] hid-generic 0000:0000:0000.0004: unknown main item tag 0x0 [ 1802.769569][ T3852] hid-generic 0000:0000:0000.0004: unknown main item tag 0x0 [ 1802.771127][ T3852] hid-generic 0000:0000:0000.0004: unknown main item tag 0x0 [ 1802.772880][ T3852] hid-generic 0000:0000:0000.0004: unknown main item tag 0x0 [ 1802.774178][ T3852] hid-generic 0000:0000:0000.0004: unknown main item tag 0x0 [ 1802.775390][ T3852] hid-generic 0000:0000:0000.0004: unknown main item tag 0x0 [ 1802.776673][ T3852] hid-generic 0000:0000:0000.0004: unknown main item tag 0x0 [ 1802.778014][ T3852] hid-generic 0000:0000:0000.0004: unknown main item tag 0x0 [ 1802.794298][ T3852] hid-generic 0000:0000:0000.0004: unknown main item tag 0x0 [ 1803.075281][ T3852] hid-generic 0000:0000:0000.0004: hidraw0: HID v0.00 Device [syz0] on syz0 [ 1820.354142][ T5012] netlink: 192 bytes leftover after parsing attributes in process `syz.0.450'. [ 1823.988095][ T5016] xt_l2tp: invalid flags combination: 0 [ 1845.393902][ T5038] random: crng reseeded on system resumption [ 1857.252547][ T5047] 8021q: adding VLAN 0 to HW filter on device ipvlan2 [ 1869.752736][ T5058] netlink: 'syz.1.471': attribute type 27 has an invalid length. [ 1875.516916][ T5067] capability: warning: `syz.0.474' uses 32-bit capabilities (legacy support in use) [ 1883.518165][ T5077] rdma_op ffffaf80197c09f0 conn xmit_rdma 0000000000000000 [ 1932.580083][ T5130] netlink: 12 bytes leftover after parsing attributes in process `syz.1.502'. [ 1945.129793][ T4989] hid_parser_main: 7 callbacks suppressed [ 1945.130149][ T4989] hid-generic 0000:0000:0000.0005: unknown main item tag 0x0 [ 1945.171036][ T4989] hid-generic 0000:0000:0000.0005: hidraw0: HID v0.00 Device [syz0] on syz0 [ 1954.901734][ T5176] netlink: 1 bytes leftover after parsing attributes in process `syz.1.521'. [ 1959.195987][ T5182] vlan2: entered allmulticast mode [ 1959.210619][ T5182] gretap0: entered allmulticast mode [ 1959.267226][ T5185] netdevsim netdevsim1: Firmware load for '../file0' refused, path contains '..' component [ 1970.837270][ T5200] netlink: 8 bytes leftover after parsing attributes in process `syz.1.532'. [ 1970.847698][ T5200] netlink: 8 bytes leftover after parsing attributes in process `syz.1.532'. [ 1970.862476][ T5200] netlink: 'syz.1.532': attribute type 30 has an invalid length. [ 1989.542241][ T5221] netlink: 148 bytes leftover after parsing attributes in process `syz.0.542'. [ 1989.567510][ T5221] netlink: 8 bytes leftover after parsing attributes in process `syz.0.542'. [ 1994.362186][ T5229] A link change request failed with some changes committed already. Interface ip6gretap0 may have been left with an inconsistent configuration, please check. [ 1994.394197][ T24] ip6_tunnel: ip6gretap0 xmit: Local address not yet configured! [ 1995.211828][ T24] ip6_tunnel: ip6gretap0 xmit: Local address not yet configured! [ 2011.014209][ T5262] netlink: 'syz.1.559': attribute type 2 has an invalid length. [ 2041.467987][ T5303] pimreg4: entered allmulticast mode [ 2061.536101][ T5339] netlink: 12 bytes leftover after parsing attributes in process `syz.0.593'. [ 2061.537417][ T5339] nbd: must specify a size in bytes for the device [ 2064.001610][ T5342] binder: 5341:5342 ioctl c0306201 200000000100 returned -14 [ 2082.992474][ T5382] netlink: 12 bytes leftover after parsing attributes in process `syz.1.614'. [ 2085.276626][ T5385] can0: slcan on ttynull. [ 2085.710946][ T5386] can0 (unregistered): slcan off ttynull. [ 2107.311392][ T5414] xt_policy: too many policy elements [ 2118.827363][ T5433] netlink: 8 bytes leftover after parsing attributes in process `syz.1.635'. [ 2118.861811][ T5433] netlink: 8 bytes leftover after parsing attributes in process `syz.1.635'. [ 2123.087761][ T5441] netlink: 'syz.0.638': attribute type 18 has an invalid length. [ 2144.915065][ T5480] ======================================================= [ 2144.915065][ T5480] WARNING: The mand mount option has been deprecated and [ 2144.915065][ T5480] and is ignored by this kernel. Remove the mand [ 2144.915065][ T5480] option from the mount to silence this warning. [ 2144.915065][ T5480] ======================================================= [ 2163.722719][ T5507] netlink: 8 bytes leftover after parsing attributes in process `syz.1.669'. [ 2163.724897][ T5507] netlink: 12 bytes leftover after parsing attributes in process `syz.1.669'. [ 2173.762354][ T5522] netlink: 12 bytes leftover after parsing attributes in process `syz.0.677'. [ 2196.221947][ T5555] xt_policy: neither incoming nor outgoing policy selected [ 2221.944718][ T5596] tmpfs: Bad value for 'mpol' [ 2244.005826][ T35] audit: type=1800 audit(2243.103:6): pid=5627 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed(directio) comm="syz.0.728" name="memory.events" dev="tmpfs" ino=1756 res=0 errno=0 [ 2244.038220][ T35] audit: type=1800 audit(2243.133:7): pid=5627 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed(directio) comm="syz.0.728" name="memory.events" dev="tmpfs" ino=1756 res=0 errno=0 [ 2280.837301][ T5692] netlink: 40 bytes leftover after parsing attributes in process `syz.0.758'. [ 2301.937761][ T5723] [U]  [ 2319.225328][ T5752] tmpfs: Bad value for 'size' [ 2356.166120][ T5798] comedi comedi3: comedi_test: 20263 microvolt, 5 microsecond waveform attached [ 2369.195013][ T5817] netlink: 60 bytes leftover after parsing attributes in process `syz.0.807'. [ 2396.074190][ T5858] [U] ^C [ 2447.296531][ T5925] netlink: 20 bytes leftover after parsing attributes in process `syz.1.854'. [ 2455.061349][ T5933] netlink: 40 bytes leftover after parsing attributes in process `syz.1.858'. [ 2512.737731][ C1] ip6_tunnel: ip6gretap0 xmit: Local address not yet configured! [ 2521.012804][ T6011] netlink: 12 bytes leftover after parsing attributes in process `syz.0.894'. [ 2521.014705][ T6011] netlink: 12 bytes leftover after parsing attributes in process `syz.0.894'. [ 2583.725807][ T6077] netlink: 209852 bytes leftover after parsing attributes in process `syz.1.920'. [ 2677.156427][ T6150] can0: slcan on ttyprintk. [ 2679.011177][ T6148] can0 (unregistered): slcan off ttyprintk. [ 2699.630675][ T35] audit: type=1326 audit(2698.683:8): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6179 comm="syz.0.959" exe="/syz-executor" sig=0 arch=c00000f3 syscall=98 compat=0 ip=0xdbd46 code=0x7ffc0000 [ 2699.707449][ T35] audit: type=1326 audit(2698.803:9): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6179 comm="syz.0.959" exe="/syz-executor" sig=0 arch=c00000f3 syscall=98 compat=0 ip=0xdbd46 code=0x7ffc0000 [ 2699.834709][ T35] audit: type=1326 audit(2698.883:10): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6179 comm="syz.0.959" exe="/syz-executor" sig=0 arch=c00000f3 syscall=277 compat=0 ip=0xdbd46 code=0x7ffc0000 [ 2699.912116][ T35] audit: type=1326 audit(2698.973:11): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6179 comm="syz.0.959" exe="/syz-executor" sig=0 arch=c00000f3 syscall=98 compat=0 ip=0xdbd46 code=0x7ffc0000 [ 2699.995104][ T35] audit: type=1326 audit(2699.033:12): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6179 comm="syz.0.959" exe="/syz-executor" sig=0 arch=c00000f3 syscall=98 compat=0 ip=0xdbd46 code=0x7ffc0000 [ 2700.062016][ T35] audit: type=1326 audit(2699.153:13): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6179 comm="syz.0.959" exe="/syz-executor" sig=0 arch=c00000f3 syscall=436 compat=0 ip=0xdbd46 code=0x7ffc0000 [ 2700.065253][ T35] audit: type=1326 audit(2699.153:14): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6179 comm="syz.0.959" exe="/syz-executor" sig=0 arch=c00000f3 syscall=94 compat=0 ip=0xdbd46 code=0x7ffc0000 [ 2718.132054][ T6195] autofs: Bad value for 'fd' [ 2756.731969][ T6226] netlink: 24 bytes leftover after parsing attributes in process `syz.0.977'. [ 2757.033527][ T6226] netlink: 8 bytes leftover after parsing attributes in process `syz.0.977'. [ 2757.068049][ T6226] netlink: 12 bytes leftover after parsing attributes in process `syz.0.977'. [ 2780.968193][ T6248] netlink: 104 bytes leftover after parsing attributes in process `syz.1.986'. [ 2807.410523][ T6273] gtp0: entered promiscuous mode [ 2807.412398][ T6273] gtp0: entered allmulticast mode [ 2883.807123][ T6341] PKCS7: Unknown OID: [5] (bad) [ 2883.824392][ T6341] PKCS7: Only support pkcs7_signedData type [ 2889.107734][ T6348] netlink: 12 bytes leftover after parsing attributes in process `syz.1.1027'. [ 2889.134325][ T6348] netlink: 'syz.1.1027': attribute type 1 has an invalid length. [ 2889.136823][ T6348] netlink: 'syz.1.1027': attribute type 2 has an invalid length. [ 2889.194811][ T6348] netlink: 24 bytes leftover after parsing attributes in process `syz.1.1027'. [ 2939.088090][ T6388] netlink: 12 bytes leftover after parsing attributes in process `syz.1.1045'. [ 2950.832408][ T6406] usb usb2: Requested nonsensical USBDEVFS_URB_ZERO_PACKET. [ 2969.515542][ C1] vkms_vblank_simulate: vblank timer overrun [ 3024.357583][ T6465] netlink: 'syz.0.1076': attribute type 4 has an invalid length. [ 3024.362575][ T6465] netlink: 17 bytes leftover after parsing attributes in process `syz.0.1076'. [ 3037.036972][ T6472] netlink: 40 bytes leftover after parsing attributes in process `syz.0.1079'. [ 3065.410196][ T6502] netlink: 20 bytes leftover after parsing attributes in process `syz.1.1093'. [ 3065.494853][ T6502] netlink: 20 bytes leftover after parsing attributes in process `syz.1.1093'. [ 3088.287255][ C1] vkms_vblank_simulate: vblank timer overrun [ 3090.572147][ C1] vkms_vblank_simulate: vblank timer overrun [ 3091.437902][ C1] vkms_vblank_simulate: vblank timer overrun [ 3112.464452][ T6541] nbd: socks must be embedded in a SOCK_ITEM attr [ 3141.122444][ T6571] netlink: 8 bytes leftover after parsing attributes in process `syz.0.1123'. [ 3177.597830][ T6605] netlink: 24 bytes leftover after parsing attributes in process `syz.0.1137'. [ 3181.443255][ T6608] netlink: 304 bytes leftover after parsing attributes in process `syz.1.1138'. [ 3200.252189][ T4649] hid-generic 0000:3000000:0000.0006: unknown main item tag 0x4 [ 3200.255527][ T4649] hid-generic 0000:3000000:0000.0006: unknown main item tag 0x2 [ 3200.285681][ T4649] hid-generic 0000:3000000:0000.0006: unknown main item tag 0x0 [ 3200.294807][ T4649] hid-generic 0000:3000000:0000.0006: unknown main item tag 0x0 [ 3200.323488][ T4649] hid-generic 0000:3000000:0000.0006: unknown main item tag 0x0 [ 3200.326976][ T4649] hid-generic 0000:3000000:0000.0006: unknown main item tag 0x0 [ 3200.344490][ T4649] hid-generic 0000:3000000:0000.0006: unknown main item tag 0x0 [ 3200.360435][ T4649] hid-generic 0000:3000000:0000.0006: unknown main item tag 0x0 [ 3200.364071][ T4649] hid-generic 0000:3000000:0000.0006: unknown main item tag 0x0 [ 3200.367077][ T4649] hid-generic 0000:3000000:0000.0006: unknown main item tag 0x0 [ 3200.512484][ T4649] hid-generic 0000:3000000:0000.0006: hidraw0: HID v0.00 Device [sy] on syz0 [ 3247.373879][ T6666] sch_tbf: burst 0 is lower than device ip6gre0 mtu (1448) ! [ 3265.263989][ T6679] netlink: 4 bytes leftover after parsing attributes in process `syz.0.1169'. [ 3333.582729][ T6749] (unnamed net_device) (uninitialized): option lacp_active: mode dependency failed, not supported in mode balance-rr(0) [ 3334.317116][ T6749] netlink: 8 bytes leftover after parsing attributes in process `syz.1.1193'. [ 3334.342426][ T6749] netlink: 12 bytes leftover after parsing attributes in process `syz.1.1193'. [ 3345.158149][ T35] audit: type=1326 audit(3344.223:15): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6760 comm="syz.1.1197" exe="/syz-executor" sig=0 arch=c00000f3 syscall=98 compat=0 ip=0xdbd46 code=0x7fc00000 [ 3378.525323][ T6807] netlink: 8 bytes leftover after parsing attributes in process `syz.0.1218'. [ 3408.757636][ T6841] netlink: 4 bytes leftover after parsing attributes in process `syz.1.1236'. [ 3440.163480][ T6876] netlink: 36 bytes leftover after parsing attributes in process `syz.1.1253'. [ 3445.703098][ T6882] netlink: 8 bytes leftover after parsing attributes in process `syz.0.1256'. [ 3445.706313][ T6882] netlink: 4 bytes leftover after parsing attributes in process `syz.0.1256'. [ 3445.747825][ T6882] netlink: 'syz.0.1256': attribute type 13 has an invalid length. [ 3445.756292][ T6882] netlink: 'syz.0.1256': attribute type 11 has an invalid length. [ 3460.935049][ T6890] syz.1.1260 (6890): drop_caches: 2 [ 3475.440595][ T6907] netlink: 24 bytes leftover after parsing attributes in process `syz.1.1268'. [ 3500.934986][ T6936] netlink: 'syz.1.1281': attribute type 7 has an invalid length. [ 3500.939924][ T6936] netlink: 137592 bytes leftover after parsing attributes in process `syz.1.1281'. [ 3537.764521][ T6970] loop1: detected capacity change from 0 to 7 [ 3547.856250][ T6982] pimreg: entered allmulticast mode [ 3600.787424][ T7027] netlink: 8 bytes leftover after parsing attributes in process `syz.0.1320'. [ 3610.024339][ T7037] syz.0.1324 (7037): drop_caches: 2 [ 3615.062113][ T7041] vlan3: entered allmulticast mode [ 3615.063850][ T7041] vlan1: entered allmulticast mode [ 3615.065388][ T7041] veth0_vlan: entered allmulticast mode [ 3632.013406][ T7055] tmpfs: Bad value for 'mpol' [ 3718.216311][ T7136] netlink: 116 bytes leftover after parsing attributes in process `syz.0.1365'. [ 3726.315390][ T7144] netlink: 27 bytes leftover after parsing attributes in process `syz.0.1368'. [ 3796.221547][ T7210] ================================================================== [ 3796.223838][ T7210] BUG: KASAN: slab-use-after-free in __xfrm_state_insert+0x23c6/0x2522 [ 3796.225527][ T7210] Read of size 1 at addr ffffaf801f3d8770 by task syz.1.1397/7210 [ 3796.226619][ T7210] [ 3796.228828][ T7210] CPU: 0 UID: 0 PID: 7210 Comm: syz.1.1397 Not tainted syzkaller #0 PREEMPT [ 3796.229488][ T7210] Hardware name: riscv-virtio,qemu (DT) [ 3796.230090][ T7210] Call Trace: [ 3796.230789][ T7210] [] dump_backtrace+0x2e/0x3c [ 3796.231772][ T7210] [] show_stack+0x30/0x3c [ 3796.232316][ T7210] [] dump_stack_lvl+0x12e/0x1a6 [ 3796.233104][ T7210] [] print_report+0x28e/0x5a2 [ 3796.233773][ T7210] [] kasan_report+0xf0/0x214 [ 3796.234389][ T7210] [] __asan_report_load1_noabort+0x12/0x1a [ 3796.235103][ T7210] [] __xfrm_state_insert+0x23c6/0x2522 [ 3796.235616][ T7210] [] xfrm_state_insert+0x54/0x76 [ 3796.236211][ T7210] [] ipcomp6_init_state+0x580/0x812 [ 3796.236996][ T7210] [] __xfrm_init_state+0x838/0x1a28 [ 3796.237607][ T7210] [] xfrm_init_state+0x1e/0x9e [ 3796.238279][ T7210] [] pfkey_add+0x284c/0x35be [ 3796.238887][ T7210] [] pfkey_process+0x674/0x802 [ 3796.239461][ T7210] [] pfkey_sendmsg+0x3ee/0x726 [ 3796.240067][ T7210] [] __sock_sendmsg+0xcc/0x160 [ 3796.240569][ T7210] [] ____sys_sendmsg+0x63e/0x79c [ 3796.241090][ T7210] [] ___sys_sendmsg+0x144/0x1e6 [ 3796.241629][ T7210] [] __sys_sendmsg+0x188/0x246 [ 3796.242200][ T7210] [] __riscv_sys_sendmsg+0x70/0xa2 [ 3796.242842][ T7210] [] syscall_handler+0x94/0x118 [ 3796.243522][ T7210] [] do_trap_ecall_u+0x396/0x530 [ 3796.244354][ T7210] [] handle_exception+0x146/0x152 [ 3796.245439][ T7210] [ 3796.262035][ T7210] Allocated by task 6802: [ 3796.263040][ T7210] stack_trace_save+0xa0/0xd2 [ 3796.264354][ T7210] kasan_save_stack+0x3e/0x6a [ 3796.265478][ T7210] kasan_save_track+0x16/0x28 [ 3796.266607][ T7210] kasan_save_alloc_info+0x30/0x3e [ 3796.267896][ T7210] __kasan_slab_alloc+0x7c/0x82 [ 3796.268959][ T7210] kmem_cache_alloc_noprof+0x104/0x3bc [ 3796.270167][ T7210] xfrm_state_alloc+0x2e/0x4ca [ 3796.271138][ T7210] __find_acq_core+0xdd2/0x29d2 [ 3796.272213][ T7210] xfrm_find_acq+0x64/0x8c [ 3796.273239][ T7210] xfrm_alloc_userspi+0x5b0/0xc10 [ 3796.274553][ T7210] xfrm_user_rcv_msg+0x40c/0x9be [ 3796.275857][ T7210] netlink_rcv_skb+0x206/0x3be [ 3796.276877][ T7210] xfrm_netlink_rcv+0x7c/0xa6 [ 3796.278089][ T7210] netlink_unicast+0x544/0x88a [ 3796.279032][ T7210] netlink_sendmsg+0x860/0xdd8 [ 3796.280081][ T7210] __sock_sendmsg+0xcc/0x160 [ 3796.281074][ T7210] ____sys_sendmsg+0x63e/0x79c [ 3796.282078][ T7210] ___sys_sendmsg+0x144/0x1e6 [ 3796.283213][ T7210] __sys_sendmsg+0x188/0x246 [ 3796.284349][ T7210] __riscv_sys_sendmsg+0x70/0xa2 [ 3796.285523][ T7210] syscall_handler+0x94/0x118 [ 3796.286713][ T7210] do_trap_ecall_u+0x396/0x530 [ 3796.288009][ T7210] handle_exception+0x146/0x152 [ 3796.289191][ T7210] [ 3796.289790][ T7210] Freed by task 24: [ 3796.290538][ T7210] stack_trace_save+0xa0/0xd2 [ 3796.291787][ T7210] kasan_save_stack+0x3e/0x6a [ 3796.292846][ T7210] kasan_save_track+0x16/0x28 [ 3796.293943][ T7210] kasan_save_free_info+0x40/0x5a [ 3796.295077][ T7210] __kasan_slab_free+0x4a/0x62 [ 3796.296241][ T7210] kmem_cache_free+0x230/0x4d4 [ 3796.297478][ T7210] xfrm_state_gc_task+0x4b2/0x6ec [ 3796.298721][ T7210] process_one_work+0x96a/0x1f32 [ 3796.299829][ T7210] worker_thread+0x5ce/0xde8 [ 3796.300934][ T7210] kthread+0x39c/0x7d4 [ 3796.301908][ T7210] ret_from_fork_kernel+0x2a/0xbb4 [ 3796.303043][ T7210] ret_from_fork_kernel_asm+0x16/0x18 [ 3796.304604][ T7210] [ 3796.305364][ T7210] The buggy address belongs to the object at ffffaf801f3d8440 [ 3796.305364][ T7210] which belongs to the cache xfrm_state of size 928 [ 3796.306994][ T7210] The buggy address is located 816 bytes inside of [ 3796.306994][ T7210] freed 928-byte region [ffffaf801f3d8440, ffffaf801f3d87e0) [ 3796.308840][ T7210] [ 3796.309523][ T7210] The buggy address belongs to the physical page: [ 3796.311858][ T7210] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9f3d8 [ 3796.313502][ T7210] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 3796.314836][ T7210] flags: 0xffe000000000040(head|node=0|zone=0|lastcpupid=0x7ff) [ 3796.316927][ T7210] page_type: f5(slab) [ 3796.318836][ T7210] raw: 0ffe000000000040 ffffaf8012f7b640 dead000000000122 0000000000000000 [ 3796.320129][ T7210] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000 [ 3796.321467][ T7210] head: 0ffe000000000040 ffffaf8012f7b640 dead000000000122 0000000000000000 [ 3796.322711][ T7210] head: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000 [ 3796.324011][ T7210] head: 0ffe000000000002 ffff8d80007cf601 00000000ffffffff 00000000ffffffff [ 3796.325214][ T7210] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 3796.326461][ T7210] page dumped because: kasan: bad access detected [ 3796.327823][ T7210] page_owner tracks the page as allocated [ 3796.329076][ T7210] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4530, tgid 4529 (syz.0.244), ts 1238504562000, free_ts 1227992598300 [ 3796.331273][ T7210] __set_page_owner+0x94/0x4a8 [ 3796.332391][ T7210] post_alloc_hook+0xdc/0x1ba [ 3796.333576][ T7210] get_page_from_freelist+0x7fa/0x359a [ 3796.334902][ T7210] __alloc_frozen_pages_noprof+0x22e/0x2120 [ 3796.336446][ T7210] alloc_pages_mpol+0x1fa/0x5bc [ 3796.337523][ T7210] alloc_frozen_pages_noprof+0x174/0x2f0 [ 3796.338799][ T7210] new_slab+0x27c/0x37e [ 3796.339886][ T7210] ___slab_alloc+0xb54/0x112a [ 3796.341135][ T7210] __slab_alloc.constprop.0+0x60/0xb0 [ 3796.342375][ T7210] kmem_cache_alloc_noprof+0xd0/0x3bc [ 3796.343629][ T7210] xfrm_state_alloc+0x2e/0x4ca [ 3796.344620][ T7210] __find_acq_core+0xdd2/0x29d2 [ 3796.345701][ T7210] xfrm_find_acq+0x64/0x8c [ 3796.346763][ T7210] xfrm_alloc_userspi+0x5b0/0xc10 [ 3796.348167][ T7210] xfrm_user_rcv_msg+0x40c/0x9be [ 3796.349281][ T7210] netlink_rcv_skb+0x206/0x3be [ 3796.350391][ T7210] page last free pid 4517 tgid 4516 stack trace: [ 3796.351321][ T7210] __reset_page_owner+0x78/0x1ba [ 3796.352386][ T7210] __free_frozen_pages+0x836/0x145e [ 3796.353675][ T7210] ___free_pages+0x146/0x1c8 [ 3796.354821][ T7210] free_pages.part.0+0x274/0x4d4 [ 3796.356025][ T7210] free_pages+0xe/0x18 [ 3796.357123][ T7210] stack_depot_save_flags+0x462/0x992 [ 3796.358420][ T7210] kasan_save_stack+0x52/0x6a [ 3796.359387][ T7210] kasan_save_track+0x16/0x28 [ 3796.360419][ T7210] kasan_save_alloc_info+0x30/0x3e [ 3796.362132][ T7210] __kasan_kmalloc+0xa0/0xa6 [ 3796.363170][ T7210] __kmalloc_cache_noprof+0x15a/0x3d4 [ 3796.364373][ T7210] __rdma_create_id+0x62/0x62e [ 3796.365483][ T7210] rdma_create_user_id+0x72/0xc8 [ 3796.366723][ T7210] ucma_create_id+0x16e/0x316 [ 3796.367914][ T7210] ucma_write+0x1f8/0x326 [ 3796.368852][ T7210] vfs_writev+0x49c/0x8f2 [ 3796.370146][ T7210] [ 3796.370736][ T7210] Memory state around the buggy address: [ 3796.372340][ T7210] ffffaf801f3d8600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 3796.373525][ T7210] ffffaf801f3d8680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 3796.374666][ T7210] >ffffaf801f3d8700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 3796.375797][ T7210] ^ [ 3796.376998][ T7210] ffffaf801f3d8780: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 3796.378162][ T7210] ffffaf801f3d8800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 3796.379272][ T7210] ================================================================== [ 3796.383004][ T7210] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 3796.385094][ T7210] CPU: 0 UID: 0 PID: 7210 Comm: syz.1.1397 Not tainted syzkaller #0 PREEMPT [ 3796.386466][ T7210] Hardware name: riscv-virtio,qemu (DT) [ 3796.387338][ T7210] Call Trace: [ 3796.388356][ T7210] [] dump_backtrace+0x2e/0x3c [ 3796.389705][ T7210] [] show_stack+0x30/0x3c [ 3796.390848][ T7210] [] dump_stack_lvl+0x110/0x1a6 [ 3796.392263][ T7210] [] dump_stack+0x1c/0x24 [ 3796.393630][ T7210] [] vpanic+0x368/0x74e [ 3796.394685][ T7210] [] trace_suspend_resume+0x0/0x2de [ 3796.396032][ T7210] [] check_panic_on_warn+0xc0/0xe4 [ 3796.397326][ T7210] [] end_report.part.0+0x4e/0xae [ 3796.399089][ T7210] [] kasan_report+0x13a/0x214 [ 3796.400335][ T7210] [] __asan_report_load1_noabort+0x12/0x1a [ 3796.401705][ T7210] [] __xfrm_state_insert+0x23c6/0x2522 [ 3796.403469][ T7210] [] xfrm_state_insert+0x54/0x76 [ 3796.404962][ T7210] [] ipcomp6_init_state+0x580/0x812 [ 3796.406359][ T7210] [] __xfrm_init_state+0x838/0x1a28 [ 3796.407695][ T7210] [] xfrm_init_state+0x1e/0x9e [ 3796.408885][ T7210] [] pfkey_add+0x284c/0x35be [ 3796.410117][ T7210] [] pfkey_process+0x674/0x802 [ 3796.411434][ T7210] [] pfkey_sendmsg+0x3ee/0x726 [ 3796.412828][ T7210] [] __sock_sendmsg+0xcc/0x160 [ 3796.414057][ T7210] [] ____sys_sendmsg+0x63e/0x79c [ 3796.415234][ T7210] [] ___sys_sendmsg+0x144/0x1e6 [ 3796.416515][ T7210] [] __sys_sendmsg+0x188/0x246 [ 3796.417730][ T7210] [] __riscv_sys_sendmsg+0x70/0xa2 [ 3796.418953][ T7210] [] syscall_handler+0x94/0x118 [ 3796.420222][ T7210] [] do_trap_ecall_u+0x396/0x530 [ 3796.421587][ T7210] [] handle_exception+0x146/0x152 [ 3796.423419][ T7210] SMP: stopping secondary CPUs [ 3796.426474][ T7210] Rebooting in 86400 seconds.. VM DIAGNOSIS: 23:29:33 Registers: info registers vcpu 0 CPU#0 V = 0 pc ffffffff8031cce2 mhartid 0000000000000000 mstatus 0000000a000000a0 hstatus 0000000200000000 vsstatus 0000000a00000000 mip 0000000000000220 mie 000000000000022a mideleg 0000000000001666 hideleg 0000000000000444 medeleg 0000000000f0b509 hedeleg 000000000000b10d mtvec 00000000800004f0 stvec ffffffff864444bc vstvec 0000000000000000 mepc ffffffff80090a1a sepc ffffffff8643fe36 vsepc 0000000000000000 mcause 0000000000000009 scause 8000000000000005 vscause 0000000000000000 mtval 0000000000000000 stval 0000000000000000 htval 0000000000000000 mtval2 0000000000000000 mscratch 000000008004a000 sscratch 0000000000000000 satp 90785000000b303a x0/zero 0000000000000000 x1/ra ffffffff8031ccde x2/sp ffff8f8001e76af0 x3/gp ffffffff89e9c4c0 x4/tp ffffaf801c4c0000 x5/t0 ffff8f8001e7693a x6/t1 fffffffef13f523c x7/t2 756d65712c6f6974 x8/s0 ffff8f8001e76cb0 x9/s1 ffffffff884e9b20 x10/a0 0000000000000006 x11/a1 0000000000000040 x12/a2 0000000000080000 x13/a3 ffffffff8031ccde x14/a4 ffff8f800797e360 x15/a5 0000000000035360 x16/a6 0000000000000003 x17/a7 0000000000000003 x18/s2 ffff8f8001e76c40 x19/s3 0000000000000040 x20/s4 0000000200000020 x21/s5 0000000000000012 x22/s6 ffff8f8001e76d80 x23/s7 0000000000000031 x24/s8 0000000000000000 x25/s9 ffff8f8001e76d80 x26/s10 ffff8f8001e76d40 x27/s11 1ffff1f0003ceda0 x28/t3 1ffff1f0003cec80 x29/t4 fffffffef13f523c x30/t5 fffffffef13f523d x31/t6 ffff8f8001e766b4 fcsr 0000000000000000 f0/ft0 0000000000000000 f1/ft1 0000000000000000 f2/ft2 0000000000000000 f3/ft3 0000000000000000 f4/ft4 0000000000000000 f5/ft5 0000000000000000 f6/ft6 0000000000000000 f7/ft7 0000000000000000 f8/fs0 0000000000000000 f9/fs1 0000000000000000 f10/fa0 0000000000000000 f11/fa1 0000000000000000 f12/fa2 0000000000000000 f13/fa3 0000000000000000 f14/fa4 0000000000000000 f15/fa5 0000000000000000 f16/fa6 0000000000000000 f17/fa7 0000000000000000 f18/fs2 0000000000000000 f19/fs3 0000000000000000 f20/fs4 0000000000000000 f21/fs5 0000000000000000 f22/fs6 0000000000000000 f23/fs7 0000000000000000 f24/fs8 0000000000000000 f25/fs9 0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000 f28/ft8 0000000000000000 f29/ft9 0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000 info registers vcpu 1 CPU#1 V = 0 pc ffffffff809ec358 mhartid 0000000000000001 mstatus 0000000a000000a2 hstatus 0000000200000000 vsstatus 0000000a00000000 mip 0000000000000000 mie 000000000000022a mideleg 0000000000001666 hideleg 0000000000000444 medeleg 0000000000f0b509 hedeleg 000000000000b10d mtvec 00000000800004f0 stvec ffffffff864444bc vstvec 0000000000000000 mepc ffffffff804fea2c sepc 00000000000fb7e6 vsepc 0000000000000000 mcause 8000000000000003 scause 0000000000000008 vscause 0000000000000000 mtval 0000000000000000 stval 0000000000000000 htval 0000000000000000 mtval2 0000000000000000 mscratch 0000000080048000 sscratch 0000000000000000 satp 90131000000afed1 x0/zero 0000000000000000 x1/ra ffffffff804fe56c x2/sp ffff8f80001f7200 x3/gp ffffffff89e9c4c0 x4/tp ffffaf8018a68000 x5/t0 ffff8f80001f7630 x6/t1 fffff1ef0003ee3c x7/t2 0000000000000008 x8/s0 ffff8f80001f76d0 x9/s1 1ffff5f005f1b794 x10/a0 ffff8d8000ac7100 x11/a1 0000000000000000 x12/a2 0000000000000002 x13/a3 ffffffff809a11fc x14/a4 0000000000000000 x15/a5 ffffaf8018a69000 x16/a6 0000000000000003 x17/a7 0000000000000003 x18/s2 0000000000000000 x19/s3 dfffffff00000000 x20/s4 0000000000000000 x21/s5 ffff8d8000ac7100 x22/s6 ffffaf80305a6ca0 x23/s7 ffff8d8000ac7100 x24/s8 0000000000000004 x25/s9 0000000000000000 x26/s10 ffffaf802f8dbca0 x27/s11 1ffff1b000158e26 x28/t3 e67dd77c00000000 x29/t4 fffff1af00158e26 x30/t5 fffff1af00158e27 x31/t6 0000000000000002 fcsr 0000000000000000 f0/ft0 0000000000000000 f1/ft1 0000000000000000 f2/ft2 0000000000000000 f3/ft3 0000000000000000 f4/ft4 0000000000000000 f5/ft5 0000000000000000 f6/ft6 0000000000000000 f7/ft7 0000000000000000 f8/fs0 0000000000000000 f9/fs1 0000000000000000 f10/fa0 0000000000000000 f11/fa1 0000000000000000 f12/fa2 0000000000000000 f13/fa3 0000000000000000 f14/fa4 0000000000000000 f15/fa5 0000000000000000 f16/fa6 0000000000000000 f17/fa7 0000000000000000 f18/fs2 0000000000000000 f19/fs3 0000000000000000 f20/fs4 0000000000000000 f21/fs5 0000000000000000 f22/fs6 0000000000000000 f23/fs7 0000000000000000 f24/fs8 0000000000000000 f25/fs9 0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000 f28/ft8 0000000000000000 f29/ft9 0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000