last executing test programs: 6.821769886s ago: executing program 3 (id=4): setsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000000280)={{{@in6=@remote, @in=@loopback, 0xfffd, 0x0, 0x4e20, 0x0, 0x2}, {0x0, 0x4, 0x1, 0x0, 0x0, 0x9}, {0x1ff, 0xffffffffe, 0x4053e5, 0x20}, 0x6, 0x1, 0x1, 0x0, 0x2, 0x2}, {{@in=@empty, 0x1, 0x32}, 0xa, @in6=@private0, 0x3502, 0x1, 0x0, 0x0, 0x400, 0xfffffffd}}, 0xe8) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000240)=0x8) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) socket$tipc(0x1e, 0x5, 0x0) r3 = syz_open_dev$tty1(0xc, 0x4, 0x1) ioctl$GIO_UNIMAP(r3, 0x4b66, &(0x7f0000000000)={0x12f, &(0x7f0000000080)=[{}, {}, {}]}) 6.443670995s ago: executing program 2 (id=5): r0 = socket(0xa, 0x3, 0x3a) setsockopt$MRT6_ADD_MIF(r0, 0x29, 0xca, &(0x7f00000000c0)={0x4, 0x1, 0x78, 0x0, 0xfffffff8}, 0xc) setsockopt$MRT6_FLUSH(r0, 0x29, 0xd4, &(0x7f0000000080)=0x6, 0x4) 5.743241468s ago: executing program 2 (id=6): r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPCTNL_MSG_CT_GET_CTRZERO(r0, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000000500)={&(0x7f0000000480)={0x14, 0x3, 0x1, 0x101, 0x0, 0x0, {0x2}}, 0x14}, 0x1, 0x0, 0x0, 0x8}, 0x10) 5.692736537s ago: executing program 3 (id=7): openat$tun(0xffffffffffffff9c, 0x0, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0xe3}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000640)=0x6) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x4) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x2000000) socketpair$unix(0x1, 0x2, 0x0, &(0x7f00000002c0)={0xffffffffffffffff, 0xffffffffffffffff}) sched_setaffinity(0x0, 0x8, &(0x7f0000000280)=0x2) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) execveat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x1000) msync(&(0x7f0000952000/0x2000)=nil, 0x87abbe8d1cc6ad9, 0x0) mremap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x2000, 0x3, &(0x7f0000ffd000/0x2000)=nil) pipe(&(0x7f0000000500)={0xffffffffffffffff, 0xffffffffffffffff}) r4 = fsopen(&(0x7f0000000080)='autofs\x00', 0x0) fsconfig$FSCONFIG_SET_FD(r4, 0x5, &(0x7f00000005c0)='fd', 0x0, r3) fsconfig$FSCONFIG_CMD_CREATE(r4, 0x6, 0x0, 0x0, 0x0) r5 = fsmount(r4, 0x0, 0x2) symlinkat(&(0x7f0000000080)='./file0\x00', r5, &(0x7f00000000c0)='./file0\x00') bind$alg(0xffffffffffffffff, &(0x7f0000000200)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc-serpent-avx2\x00'}, 0x58) setsockopt$ALG_SET_KEY(0xffffffffffffffff, 0x117, 0x1, 0x0, 0x0) r6 = accept(0xffffffffffffffff, 0x0, 0x0) sendmmsg$alg(r6, &(0x7f0000000740)=[{0x0, 0x0, 0x0}], 0x1, 0x0) socket(0x27, 0x2, 0x0) 4.563605633s ago: executing program 2 (id=8): prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbee6, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs={0x0, 0x0, 0x804e20}, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) r3 = fsopen(&(0x7f0000000100)='ocfs2_dlmfs\x00', 0x0) fsconfig$FSCONFIG_CMD_CREATE(r3, 0x6, 0x0, 0x0, 0x0) r4 = fsmount(r3, 0x1, 0x4) fchdir(r4) mkdir(&(0x7f0000000040)='./file1\x00', 0x2a) 4.532419334s ago: executing program 3 (id=9): r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000600)={{0x12, 0x1, 0x0, 0x35, 0xff, 0xaa, 0x20, 0xccd, 0x10af, 0x384e, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x10, 0x0, [{{0x9, 0x4, 0x59, 0x2, 0x1, 0x9b, 0x1e, 0x2a, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x200}}]}}]}}]}}, 0x0) syz_usb_control_io$uac1(r0, 0x0, 0x0) syz_usb_control_io$printer(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, 0x0, &(0x7f0000000500)={0x2c, &(0x7f00000002c0)={0x20, 0x14, 0x1, 'q'}, 0x0, 0x0, 0x0, 0x0}) 3.508709337s ago: executing program 0 (id=1): r0 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_inet_SIOCADDRT(r0, 0x890b, 0x0) syz_usb_connect$uac1(0x3, 0xa2, 0x0, 0x0) ioctl$sock_SIOCSIFBR(r0, 0x890c, 0x0) openat$sysctl(0xffffffffffffff9c, 0x0, 0x1, 0x0) prlimit64(0x0, 0xe, &(0x7f00000007c0)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0) syz_open_dev$I2C(&(0x7f0000000040), 0x10001, 0x240000) mkdir(&(0x7f0000000000)='./cgroup/../file0\x00', 0x136) r1 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102) writev(r1, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2) r2 = syz_open_dev$dri(&(0x7f0000000000), 0x0, 0x0) ioctl$DRM_IOCTL_MODE_GETRESOURCES(0xffffffffffffffff, 0xc04064a0, &(0x7f00000001c0)={0x0, &(0x7f00000000c0)=[0x0], 0x0, 0x0, 0x0, 0x1}) r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) bind$bt_hci(r4, &(0x7f0000000040)={0x1f, 0xffffffffffffffff, 0x3}, 0x6) write$bt_hci(r4, &(0x7f0000000380)=ANY=[@ANYBLOB="0e000100020075"], 0x8) ioctl$DRM_IOCTL_MODE_GETCRTC(0xffffffffffffffff, 0xc06864a1, &(0x7f0000000d40)={0x0, 0x0, r3, 0x0}) ioctl$DRM_IOCTL_MODE_GETFB2(0xffffffffffffffff, 0xc06864ce, &(0x7f0000000340)={r5, 0x0, 0x0, 0x0, 0x1, [], [0x0, 0x7], [0x0, 0x80000002, 0x2], [0x0, 0x0, 0x1, 0x1]}) bind$inet6(0xffffffffffffffff, &(0x7f0000000240)={0xa, 0x4e23, 0x1, @empty, 0x3}, 0x1c) socket$inet_icmp(0x2, 0x2, 0x1) syz_open_procfs(0x0, 0x0) ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064b2, 0x0) ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(0xffffffffffffffff, 0xc00c642e, &(0x7f0000000300)) close_range(r1, 0xffffffffffffffff, 0x0) 3.494032028s ago: executing program 1 (id=2): sendmsg$key(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)={0x0}}, 0x0) sendmsg$key(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000040)=ANY=[@ANYBLOB="020e000010000000000000000004830008001200000001000000ff000000400000001ea0abff7f00000000000000d41f9ab9000100700000ebdf000008000000c4fc0000100000000000e2ffff1c004f030006000020080002000080f5008e24ce6e4ae300a5000003000500001e001e02"], 0x80}}, 0x4814) r0 = socket$key(0xf, 0x3, 0x2) sendmmsg(r0, &(0x7f0000000180), 0x229ffa1c4ce5369, 0x0) 3.443525335s ago: executing program 2 (id=10): r0 = socket$unix(0x1, 0x1, 0x0) ioctl$int_in(r0, 0x5421, &(0x7f0000000300)=0x101) connect$unix(r0, &(0x7f0000000100)=@file={0x1, './file0\x00'}, 0x6e) 3.333121708s ago: executing program 2 (id=11): r0 = syz_usb_connect$hid(0x3, 0x3f, &(0x7f0000000080)=ANY=[], 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, &(0x7f00000001c0)={0x24, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x22, 0x7, {[@global=@item_012={0x1, 0x1, 0x8, "1f"}, @main=@item_012={0x2, 0x0, 0x8, 'Q;'}, @local=@item_012={0x1, 0x2, 0x5, "94"}]}}, 0x0}, 0x0) syz_usb_connect(0x0, 0x0, 0x0, 0x0) 3.314023736s ago: executing program 1 (id=12): mkdir(&(0x7f0000000000)='./file0\x00', 0x40) mount$overlay(0x0, &(0x7f0000000040)='./file0\x00', &(0x7f0000000000), 0x0, &(0x7f0000000140)={[{@workdir={'workdir', 0x3d, './file0'}}], [], 0x2c}) 1.4556384s ago: executing program 1 (id=13): openat$ttyS3(0xffffffffffffff9c, 0x0, 0x401, 0x0) socketpair$unix(0x1, 0x3, 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0) write$binfmt_aout(r0, &(0x7f0000000340)=ANY=[], 0xff2e) r1 = gettid() timer_create(0x1, &(0x7f0000533fa0)={0x0, 0x21, 0x4, @tid=r1}, &(0x7f0000bbdffc)) timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0) ioctl$TCXONC(r0, 0x540a, 0x3) r2 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_RX_RING(r2, 0x11b, 0x2, 0x0, 0x0) setsockopt$XDP_UMEM_COMPLETION_RING(r2, 0x11b, 0x6, 0x0, 0x0) setsockopt$XDP_UMEM_FILL_RING(r2, 0x11b, 0x5, 0x0, 0x0) 322.841814ms ago: executing program 0 (id=14): r0 = syz_usb_connect(0x0, 0x1cb, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000122f0d4071040403dfe4000000010902b901010000003f0904"], 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io$uac1(r0, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) syz_usb_control_io$cdc_ecm(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$cdc_ecm(r0, 0x0, 0x0) syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000280)={0x1c, &(0x7f0000000140)={0x20, 0x16}, 0x0, 0x0}) 311.469861ms ago: executing program 3 (id=15): r0 = openat$sw_sync(0xffffffffffffff9c, &(0x7f0000000040), 0x141100, 0x0) ioctl$SW_SYNC_IOC_CREATE_FENCE(r0, 0xc0285700, &(0x7f0000000140)={0x1000, "340b7832ceefd131b8e6498c25f58fad9987ffe93bbabd18cf501922de974a27", 0xffffffffffffffff}) io_setup(0x6, &(0x7f0000001380)=0x0) io_submit(r2, 0x1, &(0x7f0000000340)=[&(0x7f0000000100)={0x0, 0x0, 0x0, 0x5, 0x40, r1, 0x0}]) 199.596766ms ago: executing program 2 (id=16): r0 = syz_usb_connect$uac1(0x0, 0xac, &(0x7f0000000240)=ANY=[@ANYBLOB="12010000000000106b1d010140000102030109029a0003010000000904000000010100000a24010000000201020c24020000000000000800000524050000082407000000009e0c240700000000a3e82f07070d240701060000fd80000000e80924030000000001"], 0x0) syz_usb_control_io(r0, &(0x7f0000000140)={0x2c, 0x0, &(0x7f0000000040)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x2801}}, 0x0, 0x0, 0x0}, 0x0) syz_usb_control_io$uac1(r0, &(0x7f0000001840)={0x14, 0x0, &(0x7f0000000340)={0x0, 0x3, 0x2, @string={0x2}}}, 0x0) syz_usb_control_io(r0, 0x0, &(0x7f0000000b80)={0x84, &(0x7f00000006c0)={0x0, 0x3, 0x2, "519c"}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io(r0, 0x0, &(0x7f0000000d80)={0x84, &(0x7f0000000a80)=ANY=[@ANYBLOB="40015c00000084"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io(r0, 0x0, 0x0) 0s ago: executing program 3 (id=17): r0 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r0, &(0x7f0000000280)={0x0, 0x0, 0x0}, 0x0) sendmsg$nl_xfrm(r0, &(0x7f00000000c0)={0x0, 0x0, 0x0}, 0x0) openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x801, 0x0) openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0) r1 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102) writev(r1, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2) syz_open_dev$media(&(0x7f00000006c0), 0x4007, 0x0) openat$qrtrtun(0xffffffffffffff9c, &(0x7f0000000100), 0x8000) pselect6(0x40, &(0x7f0000000080)={0x5, 0x0, 0x120000000000, 0x2, 0x500, 0x0, 0x1000001000, 0x49}, 0x0, &(0x7f0000000180)={0x3fe, 0x7, 0x0, 0x9, 0x86, 0x800, 0x80000002}, 0x0, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.0.80' (ED25519) to the list of known hosts. [ 80.751965][ T5851] cgroup: Unknown subsys name 'net' [ 80.905935][ T5851] cgroup: Unknown subsys name 'cpuset' [ 80.915222][ T5851] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 82.612870][ T5851] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 85.262429][ T5874] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 85.270330][ T5874] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 85.279610][ T5874] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 85.281375][ T5873] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 85.287154][ T5874] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 85.301711][ T5874] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 85.310006][ T5874] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 85.318504][ T5874] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 85.324032][ T5876] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 85.334657][ T5876] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 85.334665][ T5874] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 85.335225][ T5874] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 85.341725][ T5873] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 85.350587][ T5876] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 85.357829][ T5873] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 85.364798][ T5878] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 85.370795][ T5873] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 85.379038][ T5878] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 85.408250][ T5878] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 85.419022][ T5878] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 85.939372][ T5860] chnl_net:caif_netlink_parms(): no params data found [ 85.984594][ T5862] chnl_net:caif_netlink_parms(): no params data found [ 86.213334][ T5863] chnl_net:caif_netlink_parms(): no params data found [ 86.226234][ T5861] chnl_net:caif_netlink_parms(): no params data found [ 86.277546][ T5860] bridge0: port 1(bridge_slave_0) entered blocking state [ 86.285410][ T5860] bridge0: port 1(bridge_slave_0) entered disabled state [ 86.293684][ T5860] bridge_slave_0: entered allmulticast mode [ 86.300929][ T5860] bridge_slave_0: entered promiscuous mode [ 86.360802][ T5860] bridge0: port 2(bridge_slave_1) entered blocking state [ 86.368140][ T5860] bridge0: port 2(bridge_slave_1) entered disabled state [ 86.375495][ T5860] bridge_slave_1: entered allmulticast mode [ 86.383160][ T5860] bridge_slave_1: entered promiscuous mode [ 86.402390][ T5862] bridge0: port 1(bridge_slave_0) entered blocking state [ 86.409535][ T5862] bridge0: port 1(bridge_slave_0) entered disabled state [ 86.416872][ T5862] bridge_slave_0: entered allmulticast mode [ 86.424138][ T5862] bridge_slave_0: entered promiscuous mode [ 86.463731][ T5862] bridge0: port 2(bridge_slave_1) entered blocking state [ 86.470851][ T5862] bridge0: port 2(bridge_slave_1) entered disabled state [ 86.478401][ T5862] bridge_slave_1: entered allmulticast mode [ 86.485992][ T5862] bridge_slave_1: entered promiscuous mode [ 86.553851][ T5862] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 86.580554][ T5860] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 86.597763][ T5862] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 86.641507][ T5860] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 86.677259][ T5861] bridge0: port 1(bridge_slave_0) entered blocking state [ 86.685275][ T5861] bridge0: port 1(bridge_slave_0) entered disabled state [ 86.692702][ T5861] bridge_slave_0: entered allmulticast mode [ 86.699782][ T5861] bridge_slave_0: entered promiscuous mode [ 86.733469][ T5862] team0: Port device team_slave_0 added [ 86.739576][ T5863] bridge0: port 1(bridge_slave_0) entered blocking state [ 86.746924][ T5863] bridge0: port 1(bridge_slave_0) entered disabled state [ 86.754441][ T5863] bridge_slave_0: entered allmulticast mode [ 86.761473][ T5863] bridge_slave_0: entered promiscuous mode [ 86.770548][ T5861] bridge0: port 2(bridge_slave_1) entered blocking state [ 86.777909][ T5861] bridge0: port 2(bridge_slave_1) entered disabled state [ 86.785850][ T5861] bridge_slave_1: entered allmulticast mode [ 86.793771][ T5861] bridge_slave_1: entered promiscuous mode [ 86.814868][ T5862] team0: Port device team_slave_1 added [ 86.820895][ T5863] bridge0: port 2(bridge_slave_1) entered blocking state [ 86.828583][ T5863] bridge0: port 2(bridge_slave_1) entered disabled state [ 86.836445][ T5863] bridge_slave_1: entered allmulticast mode [ 86.845120][ T5863] bridge_slave_1: entered promiscuous mode [ 86.874276][ T5860] team0: Port device team_slave_0 added [ 86.951304][ T5860] team0: Port device team_slave_1 added [ 86.961280][ T5861] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 86.975178][ T5861] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 87.068583][ T5862] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 87.076478][ T5862] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 87.102666][ T5862] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 87.118071][ T5863] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 87.155391][ T5860] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 87.166074][ T5860] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 87.195634][ T5860] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 87.231607][ T5862] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 87.244203][ T5862] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 87.270647][ T5862] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 87.285277][ T5863] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 87.309775][ T5860] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 87.316854][ T5860] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 87.342929][ T5860] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 87.365324][ T5861] team0: Port device team_slave_0 added [ 87.382737][ T5861] team0: Port device team_slave_1 added [ 87.404558][ T5863] team0: Port device team_slave_0 added [ 87.414300][ T5863] team0: Port device team_slave_1 added [ 87.463186][ T5878] Bluetooth: hci1: command tx timeout [ 87.463191][ T5865] Bluetooth: hci2: command tx timeout [ 87.463356][ T5865] Bluetooth: hci3: command tx timeout [ 87.468772][ T5878] Bluetooth: hci0: command tx timeout [ 87.543752][ T5860] hsr_slave_0: entered promiscuous mode [ 87.550064][ T5860] hsr_slave_1: entered promiscuous mode [ 87.559356][ T5863] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 87.566415][ T5863] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 87.592731][ T5863] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 87.606764][ T5863] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 87.614235][ T5863] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 87.640288][ T5863] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 87.651879][ T5861] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 87.659276][ T5861] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 87.685374][ T5861] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 87.717441][ T5862] hsr_slave_0: entered promiscuous mode [ 87.724360][ T5862] hsr_slave_1: entered promiscuous mode [ 87.730758][ T5862] debugfs: 'hsr0' already exists in 'hsr' [ 87.736847][ T5862] Cannot create hsr debugfs directory [ 87.749886][ T5861] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 87.757385][ T5861] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 87.783768][ T5861] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 87.960292][ T5863] hsr_slave_0: entered promiscuous mode [ 87.967285][ T5863] hsr_slave_1: entered promiscuous mode [ 87.973841][ T5863] debugfs: 'hsr0' already exists in 'hsr' [ 87.979581][ T5863] Cannot create hsr debugfs directory [ 88.008567][ T5861] hsr_slave_0: entered promiscuous mode [ 88.015297][ T5861] hsr_slave_1: entered promiscuous mode [ 88.021352][ T5861] debugfs: 'hsr0' already exists in 'hsr' [ 88.027443][ T5861] Cannot create hsr debugfs directory [ 88.458678][ T5860] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 88.472535][ T5860] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 88.485405][ T5860] netdevsim netdevsim2 netdevsim2: renamed from eth2 [ 88.507233][ T5860] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 88.560727][ T5863] netdevsim netdevsim3 netdevsim0: renamed from eth0 [ 88.582701][ T5863] netdevsim netdevsim3 netdevsim1: renamed from eth1 [ 88.612657][ T5863] netdevsim netdevsim3 netdevsim2: renamed from eth2 [ 88.637061][ T5863] netdevsim netdevsim3 netdevsim3: renamed from eth3 [ 88.686441][ T5862] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 88.701068][ T5862] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 88.716238][ T5862] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 88.730139][ T5862] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 88.853405][ T5861] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 88.864812][ T5861] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 88.901018][ T5861] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 88.935805][ T5861] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 88.963358][ T5860] 8021q: adding VLAN 0 to HW filter on device bond0 [ 89.040426][ T5863] 8021q: adding VLAN 0 to HW filter on device bond0 [ 89.050668][ T5860] 8021q: adding VLAN 0 to HW filter on device team0 [ 89.087681][ T12] bridge0: port 1(bridge_slave_0) entered blocking state [ 89.094947][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state [ 89.109285][ T12] bridge0: port 2(bridge_slave_1) entered blocking state [ 89.116427][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state [ 89.135435][ T5863] 8021q: adding VLAN 0 to HW filter on device team0 [ 89.167859][ T12] bridge0: port 1(bridge_slave_0) entered blocking state [ 89.175102][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state [ 89.218916][ T12] bridge0: port 2(bridge_slave_1) entered blocking state [ 89.226233][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state [ 89.307470][ T5862] 8021q: adding VLAN 0 to HW filter on device bond0 [ 89.356877][ T5860] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 89.418221][ T5861] 8021q: adding VLAN 0 to HW filter on device bond0 [ 89.453208][ T5862] 8021q: adding VLAN 0 to HW filter on device team0 [ 89.488902][ T5861] 8021q: adding VLAN 0 to HW filter on device team0 [ 89.513793][ T998] bridge0: port 1(bridge_slave_0) entered blocking state [ 89.521054][ T998] bridge0: port 1(bridge_slave_0) entered forwarding state [ 89.543620][ T52] Bluetooth: hci1: command tx timeout [ 89.543829][ T5865] Bluetooth: hci2: command tx timeout [ 89.549117][ T5878] Bluetooth: hci3: command tx timeout [ 89.554945][ T5865] Bluetooth: hci0: command tx timeout [ 89.569929][ T12] bridge0: port 2(bridge_slave_1) entered blocking state [ 89.577492][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state [ 89.637154][ T998] bridge0: port 1(bridge_slave_0) entered blocking state [ 89.644426][ T998] bridge0: port 1(bridge_slave_0) entered forwarding state [ 89.719882][ T998] bridge0: port 2(bridge_slave_1) entered blocking state [ 89.727157][ T998] bridge0: port 2(bridge_slave_1) entered forwarding state [ 89.941158][ T5860] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 89.956297][ T5863] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 90.154195][ T5860] veth0_vlan: entered promiscuous mode [ 90.170636][ T5863] veth0_vlan: entered promiscuous mode [ 90.218109][ T5860] veth1_vlan: entered promiscuous mode [ 90.246206][ T5863] veth1_vlan: entered promiscuous mode [ 90.334390][ T5863] veth0_macvtap: entered promiscuous mode [ 90.357219][ T5863] veth1_macvtap: entered promiscuous mode [ 90.369933][ T5862] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 90.400808][ T5860] veth0_macvtap: entered promiscuous mode [ 90.420762][ T5860] veth1_macvtap: entered promiscuous mode [ 90.455747][ T5863] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 90.480624][ T5863] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 90.515875][ T5860] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 90.525701][ T5861] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 90.550856][ T1090] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.560536][ T1090] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.580563][ T1090] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.599973][ T5860] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 90.610498][ T69] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.643136][ T69] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.674801][ T69] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.684711][ T69] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.698731][ T69] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.726201][ T5862] veth0_vlan: entered promiscuous mode [ 90.750749][ T5862] veth1_vlan: entered promiscuous mode [ 90.856545][ T5861] veth0_vlan: entered promiscuous mode [ 90.878953][ T1090] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 90.889765][ T1090] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 90.908567][ T5861] veth1_vlan: entered promiscuous mode [ 90.952334][ T69] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 90.965677][ T69] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 90.995158][ T1090] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 91.008299][ T5862] veth0_macvtap: entered promiscuous mode [ 91.013021][ T1090] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 91.051444][ T5862] veth1_macvtap: entered promiscuous mode [ 91.075002][ T36] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 91.097643][ T36] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 91.158054][ T5863] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 91.163916][ T5861] veth0_macvtap: entered promiscuous mode [ 91.187442][ T5862] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 91.203574][ T5862] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 91.214410][ T5861] veth1_macvtap: entered promiscuous mode [ 91.231202][ T50] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 91.428770][ T50] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 91.523802][ T50] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 91.557532][ T50] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 91.622231][ T5865] Bluetooth: hci0: command tx timeout [ 91.623424][ T52] Bluetooth: hci2: command tx timeout [ 91.627943][ T5865] Bluetooth: hci1: command tx timeout [ 91.633944][ T5878] Bluetooth: hci3: command tx timeout [ 91.864264][ T5861] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 92.016610][ T43] cfg80211: failed to load regulatory.db [ 92.197276][ T5960] pim6reg: entered allmulticast mode [ 92.235683][ T5861] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 92.437278][ T36] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 92.451636][ T36] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 92.466685][ T36] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 92.475815][ T36] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 92.695795][ T36] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 92.703738][ T36] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 92.709096][ T1094] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 92.730144][ T1094] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 93.629199][ T50] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 93.650706][ T50] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 93.707582][ T1094] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 93.725829][ T1094] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 93.804991][ T5878] Bluetooth: hci2: command tx timeout [ 93.811170][ T52] Bluetooth: hci0: command tx timeout [ 93.816672][ T5182] Bluetooth: hci1: command tx timeout [ 93.822233][ T5865] Bluetooth: hci3: command tx timeout [ 93.856958][ T10] usb 4-1: new high-speed USB device number 2 using dummy_hcd [ 93.935663][ T5974] o2cb: This node has not been configured. [ 93.941678][ T5974] o2cb: Cluster check failed. Fix errors before retrying. [ 93.949173][ T5974] (syz.2.8,5974,0):user_dlm_register:674 ERROR: status = -22 [ 93.956776][ T5974] (syz.2.8,5974,0):dlmfs_mkdir:438 ERROR: Error -22 could not register domain "file1" [ 94.062515][ T10] usb 4-1: Using ep0 maxpacket: 32 [ 94.166008][ T10] usb 4-1: config 0 has an invalid interface number: 89 but max is 0 [ 94.320267][ T10] usb 4-1: config 0 has no interface number 0 [ 94.438949][ T10] usb 4-1: config 0 interface 89 has no altsetting 0 [ 94.490428][ T10] usb 4-1: New USB device found, idVendor=0ccd, idProduct=10af, bcdDevice=38.4e [ 94.543932][ T10] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 94.622135][ T10] usb 4-1: Product: syz [ 94.626895][ T10] usb 4-1: Manufacturer: syz [ 94.680731][ T10] usb 4-1: SerialNumber: syz [ 94.705162][ T10] usb 4-1: config 0 descriptor?? [ 94.795230][ T10] em28xx 4-1:0.89: New device syz syz @ 480 Mbps (0ccd:10af, interface 89, class 89) [ 94.828046][ T5984] overlayfs: option "workdir=./file0" is useless in a non-upper mount, ignore [ 94.836529][ T10] em28xx 4-1:0.89: Video interface 89 found: bulk [ 94.862185][ T0] NOHZ tick-stop error: local softirq work is pending, handler #100!!! [ 94.871935][ T0] NOHZ tick-stop error: local softirq work is pending, handler #100!!! [ 94.882270][ T0] NOHZ tick-stop error: local softirq work is pending, handler #100!!! [ 94.905741][ T5984] overlayfs: missing 'lowerdir' [ 94.911879][ T0] NOHZ tick-stop error: local softirq work is pending, handler #140!!! [ 94.946811][ T5986] Bluetooth: MGMT ver 1.23 [ 94.983503][ T0] NOHZ tick-stop error: local softirq work is pending, handler #08!!! [ 94.995252][ T0] NOHZ tick-stop error: local softirq work is pending, handler #100!!! [ 95.032470][ T981] usb 3-1: new high-speed USB device number 2 using dummy_hcd [ 95.042646][ T0] NOHZ tick-stop error: local softirq work is pending, handler #100!!! [ 95.052430][ T0] NOHZ tick-stop error: local softirq work is pending, handler #100!!! [ 95.062946][ T0] NOHZ tick-stop error: local softirq work is pending, handler #108!!! [ 95.162100][ T0] NOHZ tick-stop error: local softirq work is pending, handler #82!!! [ 95.387293][ T981] usb 3-1: device descriptor read/64, error -71 [ 95.713293][ T10] em28xx 4-1:0.89: chip ID is em28174 [ 95.772431][ T981] usb 3-1: new high-speed USB device number 3 using dummy_hcd [ 96.098549][ T981] usb 3-1: device descriptor read/64, error -71 [ 96.377139][ T981] usb usb3-port1: attempt power cycle [ 96.506446][ T10] em28xx 4-1:0.89: reading from i2c device at 0xa0 failed (error=-5) [ 96.688312][ T10] em28xx 4-1:0.89: board has no eeprom [ 96.867549][ T10] em28xx 4-1:0.89: Identified as Terratec Grabby (card=67) [ 96.955966][ T981] usb 3-1: new high-speed USB device number 4 using dummy_hcd [ 97.021326][ T10] em28xx 4-1:0.89: analog set to bulk mode. [ 97.161986][ T981] usb 3-1: device descriptor read/8, error -71 [ 97.331968][ T5992] em28xx 4-1:0.89: Registering V4L2 extension [ 97.562317][ T10] usb 4-1: USB disconnect, device number 2 [ 97.599707][ T981] usb 3-1: new high-speed USB device number 5 using dummy_hcd [ 97.743639][ T10] em28xx 4-1:0.89: Disconnecting em28xx [ 97.787495][ T981] usb 3-1: device descriptor read/8, error -71 [ 97.890895][ T5992] usb 4-1: Decoder not found [ 97.918975][ T5992] em28xx 4-1:0.89: failed to create media graph [ 97.939088][ T5992] em28xx 4-1:0.89: V4L2 device video103 deregistered [ 97.962633][ T981] usb usb3-port1: unable to enumerate USB device [ 98.000511][ T5992] em28xx 4-1:0.89: Registering snapshot button... [ 98.050711][ T5992] input: em28xx snapshot button as /devices/platform/dummy_hcd.3/usb4/4-1/4-1:0.89/input/input5 [ 98.095110][ T5992] em28xx 4-1:0.89: Remote control support is not available for this card. [ 98.108433][ T10] em28xx 4-1:0.89: Closing input extension [ 98.119623][ T10] em28xx 4-1:0.89: Deregistering snapshot button [ 98.163152][ T10] ================================================================== [ 98.171361][ T10] BUG: KASAN: slab-use-after-free in media_devnode_unregister+0xe2/0xf0 [ 98.179729][ T10] Read of size 4 at addr ffff8880626364f0 by task kworker/0:1/10 [ 98.187477][ T10] [ 98.189823][ T10] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted syzkaller #0 PREEMPT(full) [ 98.189848][ T10] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 [ 98.189862][ T10] Workqueue: usb_hub_wq hub_event [ 98.189889][ T10] Call Trace: [ 98.189898][ T10] [ 98.189907][ T10] dump_stack_lvl+0x189/0x250 [ 98.189938][ T10] ? rcu_is_watching+0x15/0xb0 [ 98.189964][ T10] ? __kasan_check_byte+0x12/0x40 [ 98.189989][ T10] ? __pfx_dump_stack_lvl+0x10/0x10 [ 98.190007][ T10] ? rcu_is_watching+0x15/0xb0 [ 98.190033][ T10] ? lock_release+0x4b/0x3e0 [ 98.190057][ T10] ? __virt_addr_valid+0x1c8/0x5c0 [ 98.190088][ T10] ? __virt_addr_valid+0x4a5/0x5c0 [ 98.190120][ T10] print_report+0xca/0x240 [ 98.190140][ T10] ? media_devnode_unregister+0xe2/0xf0 [ 98.190166][ T10] kasan_report+0x118/0x150 [ 98.190190][ T10] ? media_devnode_unregister+0xe2/0xf0 [ 98.190221][ T10] media_devnode_unregister+0xe2/0xf0 [ 98.190248][ T10] media_device_unregister+0x37c/0x400 [ 98.190277][ T10] em28xx_release_resources+0xac/0x240 [ 98.190310][ T10] em28xx_usb_disconnect+0x19f/0x2f0 [ 98.190342][ T10] usb_unbind_interface+0x26e/0x910 [ 98.190370][ T10] ? __pfx_usb_unbind_interface+0x10/0x10 [ 98.190395][ T10] device_release_driver_internal+0x4d9/0x800 [ 98.190426][ T10] bus_remove_device+0x34d/0x410 [ 98.190448][ T10] device_del+0x511/0x8e0 [ 98.190475][ T10] ? __pfx_device_del+0x10/0x10 [ 98.190497][ T10] ? kobject_put+0x446/0x480 [ 98.190521][ T10] usb_disable_device+0x3e9/0x8a0 [ 98.190547][ T10] usb_disconnect+0x330/0x950 [ 98.190582][ T10] hub_event+0x1cf5/0x4a20 [ 98.190617][ T10] ? do_raw_spin_lock+0x121/0x290 [ 98.190649][ T10] ? register_lock_class+0x51/0x320 [ 98.190678][ T10] ? __pfx_hub_event+0x10/0x10 [ 98.190700][ T10] ? process_scheduled_works+0x9ef/0x17b0 [ 98.190727][ T10] ? _raw_spin_unlock_irq+0x23/0x50 [ 98.190755][ T10] ? process_scheduled_works+0x9ef/0x17b0 [ 98.190778][ T10] ? process_scheduled_works+0x9ef/0x17b0 [ 98.190803][ T10] process_scheduled_works+0xae1/0x17b0 [ 98.190840][ T10] ? __pfx_process_scheduled_works+0x10/0x10 [ 98.190873][ T10] worker_thread+0x8a0/0xda0 [ 98.190910][ T10] kthread+0x711/0x8a0 [ 98.190948][ T10] ? __pfx_worker_thread+0x10/0x10 [ 98.190973][ T10] ? __pfx_kthread+0x10/0x10 [ 98.191002][ T10] ? _raw_spin_unlock_irq+0x23/0x50 [ 98.191030][ T10] ? lockdep_hardirqs_on+0x9c/0x150 [ 98.191059][ T10] ? __pfx_kthread+0x10/0x10 [ 98.191089][ T10] ret_from_fork+0x47c/0x820 [ 98.191114][ T10] ? __pfx_ret_from_fork+0x10/0x10 [ 98.191140][ T10] ? __switch_to_asm+0x39/0x70 [ 98.191160][ T10] ? __switch_to_asm+0x33/0x70 [ 98.191181][ T10] ? __pfx_kthread+0x10/0x10 [ 98.191210][ T10] ret_from_fork_asm+0x1a/0x30 [ 98.191240][ T10] [ 98.191247][ T10] [ 98.213309][ T43] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 98.216195][ T10] Allocated by task 10: [ 98.216211][ T10] kasan_save_track+0x3e/0x80 [ 98.216234][ T10] __kasan_kmalloc+0x93/0xb0 [ 98.216253][ T10] __kmalloc_cache_noprof+0x3d5/0x6f0 [ 98.216272][ T10] __media_device_register+0x58/0x280 [ 98.216293][ T10] em28xx_usb_probe+0x1764/0x2a20 [ 98.216317][ T10] usb_probe_interface+0x665/0xc30 [ 98.216337][ T10] really_probe+0x26d/0x9e0 [ 98.216357][ T10] __driver_probe_device+0x18c/0x2f0 [ 98.216376][ T10] driver_probe_device+0x4f/0x430 [ 98.216398][ T10] __device_attach_driver+0x2ce/0x530 [ 98.216421][ T10] bus_for_each_drv+0x24e/0x2e0 [ 98.216450][ T10] __device_attach+0x2b8/0x400 [ 98.216469][ T10] bus_probe_device+0x185/0x260 [ 98.216482][ T10] device_add+0x7b6/0xb50 [ 98.216498][ T10] usb_set_configuration+0x1a87/0x20e0 [ 98.216515][ T10] usb_generic_driver_probe+0x8d/0x150 [ 98.216536][ T10] usb_probe_device+0x1c1/0x390 [ 98.216557][ T10] really_probe+0x26d/0x9e0 [ 98.216580][ T10] __driver_probe_device+0x18c/0x2f0 [ 98.216602][ T10] driver_probe_device+0x4f/0x430 [ 98.216625][ T10] __device_attach_driver+0x2ce/0x530 [ 98.216649][ T10] bus_for_each_drv+0x24e/0x2e0 [ 98.216676][ T10] __device_attach+0x2b8/0x400 [ 98.216696][ T10] bus_probe_device+0x185/0x260 [ 98.216712][ T10] device_add+0x7b6/0xb50 [ 98.216729][ T10] usb_new_device+0xa39/0x16f0 [ 98.216754][ T10] hub_event+0x2958/0x4a20 [ 98.216771][ T10] process_scheduled_works+0xae1/0x17b0 [ 98.216790][ T10] worker_thread+0x8a0/0xda0 [ 98.216812][ T10] kthread+0x711/0x8a0 [ 98.216836][ T10] ret_from_fork+0x47c/0x820 [ 98.632508][ T10] ret_from_fork_asm+0x1a/0x30 [ 98.637375][ T10] [ 98.639701][ T10] Freed by task 10: [ 98.643498][ T10] kasan_save_track+0x3e/0x80 [ 98.648180][ T10] __kasan_save_free_info+0x46/0x50 [ 98.653378][ T10] __kasan_slab_free+0x5b/0x80 [ 98.658140][ T10] kfree+0x199/0x6d0 [ 98.662046][ T10] media_devnode_release+0x61/0xa0 [ 98.667181][ T10] device_release+0x99/0x1c0 [ 98.671775][ T10] kobject_put+0x228/0x480 [ 98.676182][ T10] media_devnode_unregister+0x6d/0xf0 [ 98.681630][ T10] media_device_unregister+0x37c/0x400 [ 98.687338][ T10] em28xx_release_resources+0xac/0x240 [ 98.692807][ T10] em28xx_usb_disconnect+0x19f/0x2f0 [ 98.698095][ T10] usb_unbind_interface+0x26e/0x910 [ 98.703304][ T10] device_release_driver_internal+0x4d9/0x800 [ 98.709386][ T10] bus_remove_device+0x34d/0x410 [ 98.714330][ T10] device_del+0x511/0x8e0 [ 98.718660][ T10] usb_disable_device+0x3e9/0x8a0 [ 98.723682][ T10] usb_disconnect+0x330/0x950 [ 98.728377][ T10] hub_event+0x1cf5/0x4a20 [ 98.732802][ T10] process_scheduled_works+0xae1/0x17b0 [ 98.738345][ T10] worker_thread+0x8a0/0xda0 [ 98.742933][ T10] kthread+0x711/0x8a0 [ 98.747000][ T10] ret_from_fork+0x47c/0x820 [ 98.751666][ T10] ret_from_fork_asm+0x1a/0x30 [ 98.756437][ T10] [ 98.758752][ T10] The buggy address belongs to the object at ffff888062636000 [ 98.758752][ T10] which belongs to the cache kmalloc-2k of size 2048 [ 98.772958][ T10] The buggy address is located 1264 bytes inside of [ 98.772958][ T10] freed 2048-byte region [ffff888062636000, ffff888062636800) [ 98.786930][ T10] [ 98.789248][ T10] The buggy address belongs to the physical page: [ 98.795653][ T10] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x62630 [ 98.804404][ T10] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 98.812979][ T10] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 98.820511][ T10] page_type: f5(slab) [ 98.824505][ T10] raw: 00fff00000000040 ffff88801a842000 dead000000000122 0000000000000000 [ 98.833082][ T10] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 98.841655][ T10] head: 00fff00000000040 ffff88801a842000 dead000000000122 0000000000000000 [ 98.850573][ T10] head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 98.859242][ T10] head: 00fff00000000003 ffffea0001898c01 00000000ffffffff 00000000ffffffff [ 98.867932][ T10] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 98.876600][ T10] page dumped because: kasan: bad access detected [ 98.883325][ T10] page_owner tracks the page as allocated [ 98.889053][ T10] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1090, tgid 1090 (kworker/u8:6), ts 96949628739, free_ts 96893959234 [ 98.910404][ T10] post_alloc_hook+0x240/0x2a0 [ 98.915178][ T10] get_page_from_freelist+0x21e4/0x22c0 [ 98.920903][ T10] __alloc_frozen_pages_noprof+0x181/0x370 [ 98.926714][ T10] alloc_pages_mpol+0x232/0x4a0 [ 98.931557][ T10] allocate_slab+0x8a/0x330 [ 98.936075][ T10] ___slab_alloc+0xbd1/0x13f0 [ 98.940747][ T10] __slab_alloc+0x55/0xa0 [ 98.945068][ T10] __kmalloc_node_track_caller_noprof+0x5c7/0x800 [ 98.951486][ T10] kmalloc_reserve+0x136/0x290 [ 98.956263][ T10] __alloc_skb+0x142/0x2d0 [ 98.960693][ T10] mld_newpack+0x13c/0xc40 [ 98.965120][ T10] add_grhead+0x5a/0x2a0 [ 98.969402][ T10] add_grec+0x1452/0x1740 [ 98.973747][ T10] mld_send_initial_cr+0x288/0x550 [ 98.978857][ T10] ipv6_mc_dad_complete+0x88/0x410 [ 98.983975][ T10] addrconf_dad_completed+0x6d5/0xd60 [ 98.989342][ T10] page last free pid 5862 tgid 5862 stack trace: [ 98.995659][ T10] __free_frozen_pages+0xbc4/0xd30 [ 99.000763][ T10] __slab_free+0x2e7/0x390 [ 99.005179][ T10] qlist_free_all+0x97/0x140 [ 99.009770][ T10] kasan_quarantine_reduce+0x148/0x160 [ 99.015223][ T10] __kasan_slab_alloc+0x22/0x80 [ 99.020066][ T10] kmem_cache_alloc_noprof+0x367/0x6e0 [ 99.025517][ T10] security_inode_alloc+0x39/0x330 [ 99.030640][ T10] inode_init_always_gfp+0x9ed/0xdc0 [ 99.035919][ T10] alloc_inode+0x82/0x1b0 [ 99.040238][ T10] __sock_create+0x12d/0x9f0 [ 99.044836][ T10] __sys_socket+0xd7/0x1b0 [ 99.049288][ T10] __x64_sys_socket+0x7a/0x90 [ 99.053959][ T10] do_syscall_64+0xfa/0xfa0 [ 99.058457][ T10] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 99.064342][ T10] [ 99.066657][ T10] Memory state around the buggy address: [ 99.072365][ T10] ffff888062636380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 99.080418][ T10] ffff888062636400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 99.088468][ T10] >ffff888062636480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 99.096514][ T10] ^ [ 99.104214][ T10] ffff888062636500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 99.112265][ T10] ffff888062636580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 99.120316][ T10] ================================================================== [ 99.278349][ T10] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 99.285605][ T10] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted syzkaller #0 PREEMPT(full) [ 99.294811][ T10] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 [ 99.304875][ T10] Workqueue: usb_hub_wq hub_event [ 99.309913][ T10] Call Trace: [ 99.313199][ T10] [ 99.316133][ T10] dump_stack_lvl+0x99/0x250 [ 99.320737][ T10] ? __asan_memcpy+0x40/0x70 [ 99.325339][ T10] ? __pfx_dump_stack_lvl+0x10/0x10 [ 99.330544][ T10] ? __pfx__printk+0x10/0x10 [ 99.335152][ T10] vpanic+0x237/0x6d0 [ 99.339151][ T10] ? __pfx_vpanic+0x10/0x10 [ 99.343665][ T10] ? preempt_schedule+0xae/0xc0 [ 99.348525][ T10] ? __pfx_preempt_schedule+0x10/0x10 [ 99.353909][ T10] panic+0xb9/0xc0 [ 99.357633][ T10] ? __pfx_panic+0x10/0x10 [ 99.362059][ T10] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 99.368839][ T10] ? media_devnode_unregister+0xe2/0xf0 [ 99.374395][ T10] check_panic_on_warn+0x89/0xb0 [ 99.379347][ T10] ? media_devnode_unregister+0xe2/0xf0 [ 99.384906][ T10] end_report+0x78/0x160 [ 99.389155][ T10] kasan_report+0x129/0x150 [ 99.393673][ T10] ? media_devnode_unregister+0xe2/0xf0 [ 99.399356][ T10] media_devnode_unregister+0xe2/0xf0 [ 99.404734][ T10] media_device_unregister+0x37c/0x400 [ 99.410212][ T10] em28xx_release_resources+0xac/0x240 [ 99.415687][ T10] em28xx_usb_disconnect+0x19f/0x2f0 [ 99.420985][ T10] usb_unbind_interface+0x26e/0x910 [ 99.426201][ T10] ? __pfx_usb_unbind_interface+0x10/0x10 [ 99.431964][ T10] device_release_driver_internal+0x4d9/0x800 [ 99.438046][ T10] bus_remove_device+0x34d/0x410 [ 99.442984][ T10] device_del+0x511/0x8e0 [ 99.447323][ T10] ? __pfx_device_del+0x10/0x10 [ 99.452183][ T10] ? kobject_put+0x446/0x480 [ 99.456795][ T10] usb_disable_device+0x3e9/0x8a0 [ 99.461827][ T10] usb_disconnect+0x330/0x950 [ 99.466604][ T10] hub_event+0x1cf5/0x4a20 [ 99.471030][ T10] ? do_raw_spin_lock+0x121/0x290 [ 99.476064][ T10] ? register_lock_class+0x51/0x320 [ 99.481268][ T10] ? __pfx_hub_event+0x10/0x10 [ 99.486032][ T10] ? process_scheduled_works+0x9ef/0x17b0 [ 99.491758][ T10] ? _raw_spin_unlock_irq+0x23/0x50 [ 99.496960][ T10] ? process_scheduled_works+0x9ef/0x17b0 [ 99.502681][ T10] ? process_scheduled_works+0x9ef/0x17b0 [ 99.508404][ T10] process_scheduled_works+0xae1/0x17b0 [ 99.513969][ T10] ? __pfx_process_scheduled_works+0x10/0x10 [ 99.519963][ T10] worker_thread+0x8a0/0xda0 [ 99.524567][ T10] kthread+0x711/0x8a0 [ 99.528650][ T10] ? __pfx_worker_thread+0x10/0x10 [ 99.533762][ T10] ? __pfx_kthread+0x10/0x10 [ 99.538360][ T10] ? _raw_spin_unlock_irq+0x23/0x50 [ 99.543569][ T10] ? lockdep_hardirqs_on+0x9c/0x150 [ 99.548779][ T10] ? __pfx_kthread+0x10/0x10 [ 99.553393][ T10] ret_from_fork+0x47c/0x820 [ 99.557995][ T10] ? __pfx_ret_from_fork+0x10/0x10 [ 99.563118][ T10] ? __switch_to_asm+0x39/0x70 [ 99.567887][ T10] ? __switch_to_asm+0x33/0x70 [ 99.572650][ T10] ? __pfx_kthread+0x10/0x10 [ 99.577247][ T10] ret_from_fork_asm+0x1a/0x30 [ 99.582022][ T10] [ 99.585201][ T10] Kernel Offset: disabled [ 99.589522][ T10] Rebooting in 86400 seconds..