last executing test programs: 444.269251ms ago: executing program 4 (id=5): sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000001140)={&(0x7f0000000040)=ANY=[], 0x68}}, 0x0) r0 = socket(0x40000000002, 0x3, 0x2) recvmmsg(r0, &(0x7f0000000240)=[{{0x0, 0xfffffffffffffea7, 0x0, 0x0, 0x0, 0xfffffffffffffec8}}], 0x4000000000002c5, 0x2, 0x0) r1 = socket(0x40000000002, 0x3, 0x80000000002) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f0000000140)='veth1_virt_wifi\x00', 0x10) sendto$unix(r1, 0x0, 0x0, 0x0, &(0x7f0000000180)=@abs={0x0, 0x0, 0x10000e0}, 0x6e) 318.980321ms ago: executing program 4 (id=6): r0 = socket$unix(0x1, 0x1, 0x0) bind$unix(r0, &(0x7f0000000180)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) listen(r0, 0x0) connect$unix(r0, &(0x7f0000000100)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) accept4$unix(r0, 0x0, 0x0, 0x80800) 201.74991ms ago: executing program 1 (id=7): r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl802154(&(0x7f0000000080), r0) ioctl(0xffffffffffffffff, 0x8b32, 0x0) sendmsg$NL802154_CMD_DEL_SEC_DEV(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000001c0)=ANY=[@ANYBLOB='t\x00\x00\x00', @ANYRES16=r1, @ANYBLOB="01002cbd7000ffdbdf251b0000000c000600020000000200000010002e800c0004000200aaaaaaaaaaaa10002e800c0004000201aaaaaaaaaaaa10002e800c00040000000000000000000c00060001"], 0x74}, 0x1, 0x0, 0x0, 0x44000180}, 0x40000) 201.46973ms ago: executing program 1 (id=8): r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$tipc2(&(0x7f00000005c0), 0xffffffffffffffff) sendmsg$TIPC_NL_NET_SET(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f0000000440)={&(0x7f0000000000)={0x20, r1, 0x1, 0x0, 0x0, {}, [@TIPC_NLA_NET={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_ADDR={0x8}]}]}, 0x20}, 0x1, 0x0, 0x0, 0x20024}, 0x0) 135.12299ms ago: executing program 1 (id=9): r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$SO_TIMESTAMPING(r0, 0x1, 0x25, &(0x7f0000000080)=0x474c, 0x4) connect$inet(r0, &(0x7f0000000480)={0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x3c}}, 0x10) sendmmsg(r0, &(0x7f0000007fc0), 0x800001d, 0x0) setsockopt$inet_int(r0, 0x0, 0x12, &(0x7f0000000040)=0xfffffffc, 0x4) recvmmsg(r0, &(0x7f0000000040), 0x291962b, 0x45833af92e4b39ff, 0x0) 97.17985ms ago: executing program 1 (id=10): r0 = socket$inet6_udp(0xa, 0x2, 0x0) bind$inet6(r0, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) r1 = socket$pppl2tp(0x18, 0x1, 0x1) connect$pppl2tp(r1, &(0x7f0000000100)=@pppol2tpv3={0x18, 0x1, {0x0, r0, {0x2, 0x0, @loopback}, 0x4}}, 0x2e) syz_emit_ethernet(0x4c, &(0x7f0000001d40)={@link_local, @random="ece66dbc6a55", @void, {@ipv6={0x86dd, @udp={0x0, 0x6, "010100", 0x16, 0x11, 0x0, @remote, @local, {[], {0x4e23, 0xe22, 0x16, 0x0, @gue={{0x2, 0x0, 0x0, 0x2}, "30b00afe4e70"}}}}}}}, 0x0) 25.74318ms ago: executing program 1 (id=11): r0 = socket(0x10, 0x3, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'lo\x00', 0x0}) sendmsg$nl_route_sched(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000400)=@newqdisc={0x6c, 0x24, 0xd0f, 0x200000, 0x0, {0x60, 0x0, 0x0, r2, {}, {0xffff, 0xffff}, {0x0, 0xfff3}}, [@qdisc_kind_options=@q_gred={{0x9}, {0x3c, 0x2, [@TCA_GRED_PARMS={0x38, 0x1, {0xffff, 0xeb, 0xfff, 0x7, 0x4, 0x9, 0x1, 0x1, 0x0, 0x4, 0x14, 0x10, 0xd, 0x27, 0x6, 0x1}}]}}]}, 0x6c}}, 0x0) 25.61674ms ago: executing program 0 (id=1): r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000300)=ANY=[@ANYBLOB="18000000240001030000000000000000010000000400ae"], 0x18}}, 0x4000) recvmmsg(r0, &(0x7f00000086c0)=[{{0x0, 0x0, 0x0}, 0x8101}, {{0x0, 0x0, 0x0}, 0x10000}, {{0x0, 0x0, 0x0}, 0x1}, {{0x0, 0x0, &(0x7f0000001a00)=[{&(0x7f0000000380)=""/188, 0xbc}, {&(0x7f0000000840)=""/245, 0xf5}, {&(0x7f00000000c0)=""/35, 0x23}, {&(0x7f0000000440)=""/84, 0x54}, {&(0x7f0000000940)=""/4096, 0x1000}, {&(0x7f00000006c0)=""/243, 0xf3}, {&(0x7f0000000240)=""/92, 0x5c}, {&(0x7f0000000540)=""/207, 0xcf}], 0x8}, 0x80000000}], 0x4, 0x20, 0x0) 17.4128ms ago: executing program 1 (id=12): r0 = socket(0x2a, 0x2, 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000400)={&(0x7f0000000780)=@newqdisc={0x24}, 0x24}}, 0x0) getsockname$packet(r0, &(0x7f0000000000)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000040)=0x14) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000380)=@newqdisc={0x24, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x0, r1, {}, {0xffff, 0xffff}}}, 0x24}}, 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000500)={&(0x7f0000000f80)=@newtfilter={0x44, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r1, {0x0, 0xfff3}, {}, {0x1c}}, [@filter_kind_options=@f_fw={{0x7}, {0x19, 0x2, [@TCA_FW_INDEV={0x14, 0x3, 'pim6reg1\x00'}]}}]}, 0x44}}, 0x50051) r2 = socket$netlink(0x10, 0x3, 0x0) sendmmsg(r2, &(0x7f00000002c0), 0x40000000000009f, 0x0) 0s ago: executing program 2 (id=3): socketpair(0x23, 0x80009, 0x88, &(0x7f00000000c0)) r0 = socket$inet6(0xa, 0x2, 0x0) openat$tun(0xffffffffffffff9c, &(0x7f0000000080), 0x101000, 0x0) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f00000004c0)={{{@in=@remote, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}}, {{@in6=@mcast2, 0x0, 0x2b}, 0x0, @in=@empty}}, 0xe8) r1 = socket$key(0xf, 0x3, 0x2) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f00000001c0), 0x4) sendmsg$key(r1, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000005c0)=ANY=[@ANYBLOB="020b000102"], 0x10}}, 0x0) sendmsg$key(r1, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000240)=ANY=[@ANYBLOB="0212000002"], 0x10}}, 0x0) r2 = socket$nl_xfrm(0x10, 0x3, 0x6) r3 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r3, &(0x7f0000000580)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000000)=ANY=[@ANYBLOB="b80000001300e9990000000000000000fc000000000000000100000000000000ac1e000100000000000000000000000000000000000000000a0060"], 0xb8}}, 0x0) r4 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r4, &(0x7f0000000580)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000000)=@updpolicy={0xb8, 0x13, 0xcb23c9c9931e99e9, 0x0, 0x0, {{@in6=@private0, @in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0xa, 0x60, 0x0, 0x0, 0x0, 0xee01}}}, 0xb8}, 0x1, 0x0, 0x0, 0x80}, 0x0) sendmsg$nl_xfrm(r2, &(0x7f0000000580)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000000)=@updpolicy={0xb8, 0x13, 0xcb23c9c9931e99e9, 0x0, 0x0, {{@in6=@private0, @in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0xa, 0x40, 0x0, 0x0, 0x0, 0xee01}, {0x0, 0x0, 0x9}}}, 0xb8}}, 0x4000) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.0.143' (ED25519) to the list of known hosts. [ 22.794897][ T23] audit: type=1400 audit(1738290797.640:66): avc: denied { mounton } for pid=341 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1925 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 22.796952][ T341] cgroup1: Unknown subsys name 'net' [ 22.822473][ T23] audit: type=1400 audit(1738290797.640:67): avc: denied { mount } for pid=341 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 22.845795][ T341] cgroup1: Unknown subsys name 'net_prio' [ 22.851584][ T341] cgroup1: Unknown subsys name 'devices' [ 22.857931][ T23] audit: type=1400 audit(1738290797.700:68): avc: denied { unmount } for pid=341 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 22.993985][ T341] cgroup1: Unknown subsys name 'hugetlb' [ 22.999625][ T341] cgroup1: Unknown subsys name 'rlimit' [ 23.147313][ T23] audit: type=1400 audit(1738290797.990:69): avc: denied { setattr } for pid=341 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=10748 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 23.170465][ T23] audit: type=1400 audit(1738290797.990:70): avc: denied { mounton } for pid=341 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 23.192283][ T344] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 23.195654][ T23] audit: type=1400 audit(1738290797.990:71): avc: denied { mount } for pid=341 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 23.226588][ T23] audit: type=1400 audit(1738290798.050:72): avc: denied { read } for pid=146 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1 [ 23.248312][ T23] audit: type=1400 audit(1738290798.050:73): avc: denied { relabelto } for pid=344 comm="mkswap" name="swap-file" dev="sda1" ino=1928 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 23.273550][ T23] audit: type=1400 audit(1738290798.050:74): avc: denied { write } for pid=344 comm="mkswap" path="/root/swap-file" dev="sda1" ino=1928 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 23.298871][ T23] audit: type=1400 audit(1738290798.080:75): avc: denied { read } for pid=341 comm="syz-executor" name="swap-file" dev="sda1" ino=1928 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 23.298921][ T341] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 23.930622][ T352] bridge0: port 1(bridge_slave_0) entered blocking state [ 23.937640][ T352] bridge0: port 1(bridge_slave_0) entered disabled state [ 23.945699][ T352] device bridge_slave_0 entered promiscuous mode [ 23.972006][ T352] bridge0: port 2(bridge_slave_1) entered blocking state [ 23.979032][ T352] bridge0: port 2(bridge_slave_1) entered disabled state [ 23.986743][ T352] device bridge_slave_1 entered promiscuous mode [ 24.003502][ T353] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.010345][ T353] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.018021][ T353] device bridge_slave_0 entered promiscuous mode [ 24.045789][ T353] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.052668][ T353] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.060054][ T353] device bridge_slave_1 entered promiscuous mode [ 24.111931][ T355] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.118771][ T355] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.126397][ T355] device bridge_slave_0 entered promiscuous mode [ 24.162007][ T355] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.168839][ T355] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.176463][ T355] device bridge_slave_1 entered promiscuous mode [ 24.190567][ T354] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.197680][ T354] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.205249][ T354] device bridge_slave_0 entered promiscuous mode [ 24.215934][ T354] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.222812][ T354] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.230182][ T354] device bridge_slave_1 entered promiscuous mode [ 24.303224][ T356] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.310152][ T356] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.317895][ T356] device bridge_slave_0 entered promiscuous mode [ 24.341165][ T356] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.348005][ T356] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.355557][ T356] device bridge_slave_1 entered promiscuous mode [ 24.447527][ T352] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.454478][ T352] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.461638][ T352] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.468465][ T352] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.486255][ T353] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.493113][ T353] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.500520][ T353] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.507308][ T353] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.548094][ T354] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.555051][ T354] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.562199][ T354] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.569027][ T354] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.610110][ T355] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.616987][ T355] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.624144][ T355] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.631068][ T355] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.664810][ T103] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.672015][ T103] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.679209][ T103] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.687039][ T103] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.694482][ T103] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.701681][ T103] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.708671][ T103] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.716052][ T103] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.724185][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 24.731582][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 24.751604][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 24.759071][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 24.767378][ T103] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.774227][ T103] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.781559][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 24.789590][ T103] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.796435][ T103] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.803622][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 24.811890][ T103] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.818708][ T103] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.825981][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 24.834503][ T103] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.841358][ T103] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.872956][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 24.880843][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 24.914126][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 24.922363][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 24.930184][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 24.937999][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 24.960974][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 24.969569][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 24.986524][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 24.993992][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 25.002400][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 25.009623][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 25.026599][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 25.034409][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 25.042764][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 25.051093][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 25.059317][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 25.067862][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 25.076333][ T103] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.083271][ T103] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.090636][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 25.099235][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 25.107390][ T103] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.114219][ T103] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.139850][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 25.148971][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 25.157478][ T103] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.164328][ T103] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.172198][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 25.179905][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 25.187764][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 25.196042][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 25.204440][ T103] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.211293][ T103] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.218690][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 25.226933][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 25.234960][ T103] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.241803][ T103] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.248992][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 25.257556][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 25.266033][ T103] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.272862][ T103] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.280095][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 25.312716][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 25.321124][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 25.329255][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 25.339014][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 25.347354][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 25.355514][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 25.363389][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 25.372015][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 25.380147][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 25.388359][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 25.396544][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 25.404882][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 25.413258][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 25.421307][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 25.429111][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 25.437408][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 25.472146][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 25.480842][ T353] request_module fs-gadgetfs succeeded, but still no fs? [ 25.488705][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 25.499066][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 25.508688][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 25.543424][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 25.551959][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 25.559733][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 25.568758][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 25.576973][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 25.585057][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 25.592984][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 25.601354][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 25.602127][ T378] raw_sendmsg: syz.4.5 forgot to set AF_INET. Fix it! [ 25.644864][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 25.660609][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 25.699228][ T381] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 25.708727][ T381] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 25.717094][ T381] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 25.725839][ T381] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 25.734332][ T381] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 25.743464][ T381] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 25.751678][ T381] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 25.759741][ T381] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 25.768196][ T381] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 25.776885][ T381] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 25.792784][ T381] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 25.801026][ T381] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 25.821567][ T381] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 25.829789][ T381] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 25.838738][ T381] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 25.847001][ T381] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 25.894314][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 25.945125][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 25.962059][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 25.971618][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 25.974510][ T400] ================================================================== [ 25.979882][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 25.987338][ T400] BUG: KASAN: slab-out-of-bounds in xfrm_policy_inexact_list_reinsert+0x599/0x650 [ 25.987349][ T400] Read of size 1 at addr ffff8881eb263bd8 by task syz.2.3/400 [ 25.987351][ T400] [ 25.987367][ T400] CPU: 1 PID: 400 Comm: syz.2.3 Not tainted 5.4.289-syzkaller-00025-g49530c73f82d #0 [ 25.987380][ T400] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 [ 26.032870][ T400] Call Trace: [ 26.036001][ T400] dump_stack+0x1d8/0x241 [ 26.040169][ T400] ? nf_ct_l4proto_log_invalid+0x258/0x258 [ 26.045804][ T400] ? printk+0xd1/0x111 [ 26.049710][ T400] ? xfrm_policy_inexact_list_reinsert+0x599/0x650 [ 26.056047][ T400] ? wake_up_klogd+0xb2/0xf0 [ 26.060476][ T400] ? xfrm_policy_inexact_list_reinsert+0x599/0x650 [ 26.066985][ T400] print_address_description+0x8c/0x600 [ 26.072362][ T400] ? panic+0x89d/0x89d [ 26.076269][ T400] ? xfrm_policy_inexact_list_reinsert+0x599/0x650 [ 26.082606][ T400] __kasan_report+0xf3/0x120 [ 26.087032][ T400] ? xfrm_policy_inexact_list_reinsert+0x599/0x650 [ 26.093368][ T400] kasan_report+0x30/0x60 [ 26.097544][ T400] xfrm_policy_inexact_list_reinsert+0x599/0x650 [ 26.103695][ T400] ? xfrm_policy_addr_delta+0x234/0x340 [ 26.109081][ T400] xfrm_policy_inexact_insert_node+0x8f3/0xb00 [ 26.115068][ T400] ? xfrm_policy_inexact_alloc_bin+0x5b2/0x1440 [ 26.121172][ T400] xfrm_policy_inexact_alloc_chain+0x4f9/0xb10 [ 26.127139][ T400] xfrm_policy_inexact_insert+0x69/0x10e0 [ 26.132694][ T400] ? _raw_spin_lock_bh+0xa4/0x1b0 [ 26.137579][ T400] ? _raw_spin_lock_irq+0x1b0/0x1b0 [ 26.142580][ T400] ? policy_hash_bysel+0x12c/0x6f0 [ 26.147523][ T400] ? memcpy+0x38/0x50 [ 26.151344][ T400] xfrm_policy_insert+0xe1/0x8a0 [ 26.156121][ T400] xfrm_add_policy+0x4f2/0x980 [ 26.160723][ T400] ? __nla_validate+0x50/0x50 [ 26.165230][ T400] ? xfrm_dump_sa_done+0xc0/0xc0 [ 26.170004][ T400] ? __nla_parse+0x3a/0x50 [ 26.174261][ T400] xfrm_user_rcv_msg+0x689/0x9b0 [ 26.179034][ T400] ? xfrm_netlink_rcv+0x80/0x80 [ 26.183725][ T400] ? avc_has_perm+0xd2/0x260 [ 26.188141][ T400] ? avc_has_perm+0x16f/0x260 [ 26.192657][ T400] ? avc_has_perm_noaudit+0x3d0/0x3d0 [ 26.197866][ T400] netlink_rcv_skb+0x1d5/0x420 [ 26.202464][ T400] ? xfrm_netlink_rcv+0x80/0x80 [ 26.207148][ T400] ? nla_put_string+0x30/0x30 [ 26.211667][ T400] ? mutex_trylock+0xa0/0xa0 [ 26.216090][ T400] ? __netlink_lookup+0x369/0x390 [ 26.220958][ T400] xfrm_netlink_rcv+0x6e/0x80 [ 26.225472][ T400] netlink_unicast+0x936/0xb20 [ 26.230090][ T400] ? netlink_detachskb+0x90/0x90 [ 26.234837][ T400] ? __virt_addr_valid+0x20e/0x2a0 [ 26.239785][ T400] netlink_sendmsg+0xa18/0xcf0 [ 26.244387][ T400] ? netlink_getsockopt+0x550/0x550 [ 26.249417][ T400] ? import_iovec+0x1bb/0x380 [ 26.253941][ T400] ? security_socket_sendmsg+0x7d/0xa0 [ 26.259227][ T400] ? netlink_getsockopt+0x550/0x550 [ 26.264262][ T400] ____sys_sendmsg+0x5ac/0x8f0 [ 26.268892][ T400] ? __sys_sendmsg_sock+0x2b0/0x2b0 [ 26.273984][ T400] ? percpu_counter_add_batch+0x14d/0x170 [ 26.279539][ T400] __sys_sendmsg+0x28b/0x380 [ 26.283964][ T400] ? ____sys_sendmsg+0x8f0/0x8f0 [ 26.288748][ T400] ? security_socket_post_create+0x96/0xc0 [ 26.294388][ T400] do_syscall_64+0xca/0x1c0 [ 26.298733][ T400] entry_SYSCALL_64_after_hwframe+0x5c/0xc1 [ 26.304463][ T400] RIP: 0033:0x7fd4c6255da9 [ 26.308698][ T400] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 26.328142][ T400] RSP: 002b:00007fd4c48c0038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 26.336476][ T400] RAX: ffffffffffffffda RBX: 00007fd4c646efa0 RCX: 00007fd4c6255da9 [ 26.344279][ T400] RDX: 0000000000004000 RSI: 0000000020000580 RDI: 0000000000000006 [ 26.352091][ T400] RBP: 00007fd4c62d72a0 R08: 0000000000000000 R09: 0000000000000000 [ 26.359904][ T400] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 26.367734][ T400] R13: 0000000000000000 R14: 00007fd4c646efa0 R15: 00007ffe3e5d40e8 [ 26.375523][ T400] [ 26.377799][ T400] Allocated by task 400: [ 26.381883][ T400] __kasan_kmalloc+0x171/0x210 [ 26.386464][ T400] sk_prot_alloc+0xbd/0x3e0 [ 26.390814][ T400] sk_alloc+0x35/0x2f0 [ 26.394705][ T400] pfkey_create+0x122/0x670 [ 26.399046][ T400] __sock_create+0x3cb/0x7a0 [ 26.403476][ T400] __sys_socket+0x132/0x370 [ 26.407813][ T400] __x64_sys_socket+0x76/0x80 [ 26.412333][ T400] do_syscall_64+0xca/0x1c0 [ 26.416672][ T400] entry_SYSCALL_64_after_hwframe+0x5c/0xc1 [ 26.422387][ T400] [ 26.424559][ T400] Freed by task 173: [ 26.428298][ T400] __kasan_slab_free+0x1b5/0x270 [ 26.433181][ T400] kfree+0x123/0x370 [ 26.436915][ T400] consume_skb+0xa5/0x2a0 [ 26.441059][ T400] netlink_unicast+0x93e/0xb20 [ 26.445655][ T400] netlink_sendmsg+0xa18/0xcf0 [ 26.450257][ T400] ____sys_sendmsg+0x5ac/0x8f0 [ 26.454857][ T400] __sys_sendmsg+0x28b/0x380 [ 26.459285][ T400] do_syscall_64+0xca/0x1c0 [ 26.463621][ T400] entry_SYSCALL_64_after_hwframe+0x5c/0xc1 [ 26.469342][ T400] [ 26.471522][ T400] The buggy address belongs to the object at ffff8881eb263800 [ 26.471522][ T400] which belongs to the cache kmalloc-1k of size 1024 [ 26.485408][ T400] The buggy address is located 984 bytes inside of [ 26.485408][ T400] 1024-byte region [ffff8881eb263800, ffff8881eb263c00) [ 26.498600][ T400] The buggy address belongs to the page: [ 26.504087][ T400] page:ffffea0007ac9800 refcount:1 mapcount:0 mapping:ffff8881f5c02280 index:0x0 compound_mapcount: 0 [ 26.515175][ T400] flags: 0x8000000000010200(slab|head) [ 26.520475][ T400] raw: 8000000000010200 ffffea0007ac7800 0000000400000004 ffff8881f5c02280 [ 26.528892][ T400] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 26.537302][ T400] page dumped because: kasan: bad access detected [ 26.543561][ T400] page_owner tracks the page as allocated [ 26.549116][ T400] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC) [ 26.564046][ T400] prep_new_page+0x18f/0x370 [ 26.568465][ T400] get_page_from_freelist+0x2d13/0x2d90 [ 26.573850][ T400] __alloc_pages_nodemask+0x393/0x840 [ 26.579054][ T400] alloc_slab_page+0x39/0x3c0 [ 26.583566][ T400] new_slab+0x97/0x440 [ 26.587475][ T400] ___slab_alloc+0x2fe/0x490 [ 26.591900][ T400] __slab_alloc+0x62/0xa0 [ 26.596065][ T400] __kmalloc_track_caller+0x16d/0x2b0 [ 26.601273][ T400] __alloc_skb+0xb4/0x4d0 [ 26.605443][ T400] netlink_sendmsg+0x797/0xcf0 [ 26.610060][ T400] ____sys_sendmsg+0x5ac/0x8f0 [ 26.614638][ T400] __sys_sendmsg+0x28b/0x380 [ 26.619065][ T400] do_syscall_64+0xca/0x1c0 [ 26.623405][ T400] entry_SYSCALL_64_after_hwframe+0x5c/0xc1 [ 26.629164][ T400] page_owner free stack trace missing [ 26.634345][ T400] [ 26.636503][ T400] Memory state around the buggy address: [ 26.641979][ T400] ffff8881eb263a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 26.649876][ T400] ffff8881eb263b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 26.657774][ T400] >ffff8881eb263b80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 26.665677][ T400] ^ [ 26.672441][ T400] ffff8881eb263c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.680425][ T400] ffff8881eb263c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.688320][ T400] ================================================================== [ 26.696218][ T400] Disabling lock debugging due to kernel taint [ 26.714064][ T398] netlink: 24 bytes leftover after parsing attributes in process `syz.1.12'.