last executing test programs: 17.139627033s ago: executing program 1 (id=409): r0 = socket$kcm(0x29, 0x2, 0x0) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x1, 0x5, &(0x7f0000001000)=ANY=[@ANYBLOB="bf16000000000000b70700000100f0ff5070000000000000300000000000c00095000000000000002ba728041598d6fbd30cb599e83d24bd8137a3aa81e0ed139a85d36bb3019d13bd2321af3c2bd67ce68f15c0ec71d0e6adfefcf1d8f7faf75e0f226bd917060000007142fa9ea4318123751c0a0e168c1886d0d4d35379bd223ec839bc16ee988e6e0dc8cedf3ceb9fbfbf9b0a49ef42d430f6296b72a83438810720a159cda90363db3d221e152dfca64057ff3c4744aeaccd3641110bec4e9027a0c8055bbfc3a96d2e8910c2c39e4babe802f5ab3e89cf6c662ed40000000022278d00031e5388ee5c867ddd58211d6ece3ccb0cd2b6d3cffd962867a3a2f624f992daa94a6a556f3218ce740068725c37074e468ee207d2f73902ebcfcf49822775985bf31b715f5888b24efa190000000000000000000000000000ddffffff020000000000000000ddffffff0000b27cf3d1848a54d7132be1bfb0adf9deab3323aa9fdfb52faf9cb09c3bfd09000000b91ab219ef00bb7b3de8f67ffcad3f6c3c2b1f03550000000000001cf41ab11f12fb1e0a494034007de7c6592df1a6c64d8f20a67745409e011f1264d43f153b3d34889f40159e800ea2474b540500a30b23bcee46762e2093bcc9eae5ee3e980026c96f80ee1a00000000740750fa4d9aaa705989b8e673e3296e52d337c56abf112874ec51d6fe048ba6866adebab53168770a71ad901ace383e41d277b103923a9d961f7a2591dbe4a912ffaf6f658f3f9cd16286744f83a83f138f8f92efd92239eafcc5c1b3f97a297c9e49a0c3300ef7b7fb5f09e0c8a868a353409e34d3e82279637599f35ad3f7ffffff3cac394c7bbdcd0e0eb52162e0c410ade7000026a4e739c60f03cc4146a77af02c1d4cefd4a2b94c0aed8477dfa8ceefb467f05c6977c78cdbf3f704ec73754910fe050038ec9e47de89298b7bf4d769ccc18eedd9068ca1457870eb30d219e23ccc8e06dddeb61799257ab5000013c86ba99523d61a00000000c270246c878d01160e6c07bf6cf8809c3a0d062357ba2515567230a6f8b2ad1e1f4933545fc3c741374211663f6b63b1dd044dd0a2768e825972fc4300001467c89fa0f82e8440105051e5510a33dcda5e4e202bd622549c4cffffff501d3a5dd7143fbf221fff161c12ca389cbe0000000000000fff2ecf631c6c5fd9c26a54d43fa050b88d1d43a8645bd9109b7e07869bba7131421c0f397073943330baafd243c0c6ffe673bab4113be7664e08bdd7115c61afcb718cf3c4680b2f6c7a8400e378a9b15bc20f49e298727340e87cdefb40e56e9cfad9931b8c552b2c7c503f3d0e7ab0e958adb8629aeec90e6d1857da822e40009995ae166deb9856291a43a6f7eb2e32cefbf463789eaf79b8d4c22be89f44b032dad13007b82e6044f643fc8cd07ae636a5dbe9864a117d27326850a7c3b570863f532c218b10af13d7be94987005088a83880ccab9c9920c2d2af8c5e13d52c83ac3fa7c3ae6c08384865b66d2204c2e4f3ae200f279b512b4dcb5dd9cba16b62040bf8702ae12c77e6e34991af603e3856a346cf708feeb708ab22b560cf8a4a6f31ba6d9b8cb0908000000000000001a342c010000000000e667a7592b33406f1f71c739b55db91d2309dc7ae401005f52053a39e7307c09ff3ac3e820b01c57dd74d4aafc4c383a17bc1de5347bb71ca16dcbbbaa2935ae662082b56cf666e63a759e0ef3ea7af6881513be94b362e15ffca8ec453b3a2a67be70c17b0f9c2eac765816c30c2e7133dca1c7669522e8dff8bc570a93fbdb688c3aef810000007a6ea6b11163392a19d87995b51cb6febd5f34a34998d2010fd5facf68c4f84e2f66e27c81a149d7b331983d3b74444953fc1216dfec10b724be3733c26f12538376e177ffef6fd2020000000000000008e4919a463d5332a2546032a3c06b94f168e8fc4bda0c294723fe306f26c477af4b926644672985fab7cc67bc5b5f5d38cdd8df95147ebe1cd88b0a4c6cde9951be10ba7dfddfefb238fac2303cc8982f1e55b005afcfea5eb037248fefad6bb02c162ce92ab17744c8ec3d2e80cf3205d36699fd381bc81231fb5e12e45f3059f361d08d6a6d019ebf105eaf43083c29512bcedd79ca9bf24e063d0c273ed70a2b70be521ea27dc8cf3c9bdf83b93405db07e82e2db484f8673e0e97dd7e8a872148613c3a04f3d67f4375ba5c7f1b00ffffff7f000000000801f71d79d812ced782646b5f79c8fc08bb5c11020108d702edd2ea9c96cf0d2d48aa5fc0a7bf1b51afd85350ad00b78c598fa8701b000884de790b54e5ab2e8ff0c7ae23e0b6eeac95c4c2eef2e5eb1d019d52099fbd404e8ece970f67856ba7e960bd8b1e4105ce7e31f7c9c3e3fa61aaa967b90087e91d703e98535b107b8f4653be4c46a3a1adb07d226952b8573b417018316fa96e2b8e7370baa16d4122c863709b08d4639a19a46ac90ac48a13ee9bcaa875fc700000000000003b40dc5c745fe2491e8425e600000000000000000000000000000000000000000000000000000000000000250318a44ad31baac0520a913301e630ae540f3289aebde8633f6f450c0738e16df6c7f1e0832a2a16fe6e39959735758248032cdf7320c6dc87b01e3f9a7811b200000000ae189de4b9b25f7c7a9c070000002af1c06315270de4a6605e4b4b58bef76fac54f11b84bd7bcd6b6a485edfb7684c770a39b38b08e18a51a4d4e66ca21c06a4b4198e1bc2ef990c9ba911efed626e5ee341a17bf8132b09000000d31df213c802d74797056fd3bca8b2d6cb134437cba0193ba4360bdcc98aad2560aa48291c4eb9d4e08ad7a9c5f04be1ab597124d84dfc7bd8cca8f68154a0ed356e773a797ca6d66748857b4abbf8830abeea2a46342e6a7378173cb29d5cdcd698a0203f78116b710008000000000000007c2d86b94472807c10eb9a8e2fb8bd79fe3a8316deff3ee641c9a080a2173642e673a672279bae4e7e28055da9497d7edb53be6e80482bd4d9a74b8dd4221fff0f0000705d7257ff7f76c78ba0b44ec0bdfa0d32d7042059b13a079639f14f9032b856d892ad6af5124c9c3130485e9682ff1f3c54e475d5bb496aef4bb537d7e191dfdeba109fdcf7864763f87a6d711cf52e520a6ce30e134c55e0caac037209d2f14fcddd00000000000000000000000000000000e609893bdce015e8ccfb36399844db61f6171b0b0e845e48728450c6ba4f7098f8e000676b59ab9f851f3ab77847ce05c89411277ec69c409b7ec50a3337a78675f38a568612c235ab5f2cd6d035d5f5f6a693c381adbbf7b37e37292783b2c7efe7d3a067906552f76d419e0300000000000000000000008f3a20b49fe7636806867283e35cff8d00e7b251bab3cf6377a24f8e8d4bda7503674bc94bf7f4d2fa6f25944bf0a186436d9f6831995976328a1fdc78492c65c1434855dc35c3cf7cf9610c5387794443c99b304799114132362849c3fa85d6379729ff9094933db0cfbe8887c50b87e1469fdf454cef4cbc5f7bf384000000000000a4e8c1a25f47c440144a9776be6cb40aafdb9d3cc8f6a6050974e1c4000000000000008b753f4e1bef9556efcc087a99dbf231167013a4b2eaf6338a0b100c98a331dffc09"], &(0x7f0000000140)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48) r2 = socket$kcm(0x2, 0x1, 0x0) sendmsg$inet(r2, &(0x7f0000000fc0)={&(0x7f0000000000)={0x2, 0x4001, @remote}, 0x10, 0x0}, 0x20000811) ioctl$sock_kcm_SIOCKCMATTACH(r0, 0x89e0, &(0x7f0000000040)={r2, r1}) setsockopt$sock_int(r2, 0x1, 0x7, &(0x7f0000000440)=0x7ff, 0x4) 14.01966802s ago: executing program 0 (id=410): r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$SO_TIMESTAMPING(r0, 0x1, 0x25, &(0x7f0000000100)=0x3915, 0x4) bind$inet(r0, &(0x7f00000001c0)={0x2, 0x0, @local}, 0x10) setsockopt$sock_int(r0, 0x1, 0x1d, 0x0, 0x0) connect$inet(r0, &(0x7f0000000480)={0x2, 0x0, @multicast2}, 0x10) sendmmsg(r0, &(0x7f0000007fc0), 0x2d, 0x0) 12.445394954s ago: executing program 1 (id=411): r0 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x1b, 0x0, 0x0, 0x8000, 0x0, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48) r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x7, &(0x7f0000000400)=ANY=[@ANYBLOB="180000000000000000000000fcffffff18110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b702000000000000850000008600000095"], &(0x7f00000003c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000001580)={&(0x7f0000000180)='kmem_cache_free\x00', r1}, 0x10) r2 = socket(0x10, 0x3, 0x0) connect$netlink(r2, &(0x7f00000014c0)=@proc={0x10, 0x0, 0x1}, 0xc) sendmsg$nl_route(r2, &(0x7f0000000380)={&(0x7f00000001c0), 0xc, &(0x7f0000000340)={&(0x7f00000002c0)=@bridge_getlink={0x34, 0x12, 0x1, 0x0, 0x0, {}, [@IFLA_ALT_IFNAME={0x14, 0x35, 'wg0\x00'}]}, 0x34}}, 0x0) 10.920076847s ago: executing program 0 (id=412): r0 = socket$netlink(0x10, 0x3, 0xf) bind$netlink(r0, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc) sendmsg$netlink(r0, &(0x7f00000010c0)={0x0, 0x0, &(0x7f00000004c0)=[{0x0, 0x2a4}], 0x1}, 0x0) setsockopt$sock_int(r0, 0x1, 0x8, &(0x7f0000000000), 0x4) syz_genetlink_get_family_id$SEG6(&(0x7f0000000280), r0) 8.845546777s ago: executing program 0 (id=413): r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4) connect$inet6(r0, &(0x7f0000000040)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f0000000540), 0x3c) setsockopt$inet6_tcp_TLS_TX(r0, 0x11a, 0x1, &(0x7f0000000000)=@gcm_256={{0x303}, "41328ac34a4ad2ba", "e8582491a0c4050000000000f6542a9b6800000000000000003967d2daa45b4e", "61241765", "89b06aff130000fd"}, 0x38) sendmsg$inet(r0, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="140005"], 0x28}, 0x8040) 8.520334983s ago: executing program 1 (id=414): r0 = bpf$MAP_CREATE(0x100000000000000, &(0x7f0000000440)=@base={0x14, 0x4, 0x8, 0x6, 0x0, 0x1, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48) r1 = socket$inet6(0xa, 0x80002, 0x0) setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000180)=0x80000004, 0x4) bind$inet6(r1, &(0x7f0000000040)={0xa, 0x0, 0x0, @empty}, 0x1c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000340)={r0, &(0x7f0000000280), &(0x7f0000001840)=@udp6=r1}, 0x20) bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f0000000200)={r0, &(0x7f0000000140), &(0x7f0000000000)=""/82}, 0x20) 6.321535715s ago: executing program 1 (id=415): r0 = eventfd2(0x0, 0x0) r1 = syz_io_uring_setup(0x5169, &(0x7f0000000080)={0x0, 0x0, 0x10100}, &(0x7f0000000100), &(0x7f0000000000)=0x0) syz_io_uring_setup(0x2292, &(0x7f0000000640), &(0x7f0000000400)=0x0, &(0x7f0000000180)) syz_io_uring_submit(r3, r2, &(0x7f00000001c0)=@IORING_OP_READ=@pass_buffer={0x16, 0x0, 0x0, @fd_index=0x3, 0x0, 0x0, 0xfffffffffffffe54}) io_uring_enter(r1, 0xb15, 0x0, 0x0, 0x0, 0x0) write$eventfd(r0, &(0x7f0000000000), 0x8) 5.832946972s ago: executing program 0 (id=416): r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$SO_TIMESTAMPING(r0, 0x1, 0x25, &(0x7f0000000100)=0x3915, 0x4) bind$inet(r0, &(0x7f00000001c0)={0x2, 0x0, @local}, 0x10) setsockopt$sock_int(r0, 0x1, 0x1d, 0x0, 0x0) connect$inet(r0, &(0x7f0000000480)={0x2, 0x0, @multicast2}, 0x10) sendmmsg(r0, &(0x7f0000007fc0), 0x2d, 0x0) 3.563792866s ago: executing program 0 (id=417): r0 = syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10) sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0}, 0x0) sendmsg$TIPC_NL_KEY_SET(0xffffffffffffffff, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000000)=ANY=[@ANYBLOB='T\x00\x00\x00', @ANYRES16, @ANYBLOB="0100000000000000000003000000400001"], 0x54}, 0x1, 0x0, 0x0, 0x8008080}, 0x0) sendmsg$WG_CMD_SET_DEVICE(0xffffffffffffffff, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000fc0)={&(0x7f0000000000)=ANY=[@ANYBLOB='$\x00\x00\x00', @ANYRES16, @ANYBLOB="0100000000000000000001"], 0x24}}, 0x0) openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/consoles\x00', 0x0, 0x0) sendmsg$netlink(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000340)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="140100001d00"], 0x114}], 0x1}, 0x0) 2.868923107s ago: executing program 1 (id=418): r0 = socket$netlink(0x10, 0x3, 0xf) bind$netlink(r0, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc) sendmsg$netlink(r0, &(0x7f00000010c0)={0x0, 0x0, &(0x7f00000004c0)=[{0x0, 0x2a4}], 0x1}, 0x0) setsockopt$sock_int(r0, 0x1, 0x8, &(0x7f0000000000), 0x4) syz_genetlink_get_family_id$SEG6(&(0x7f0000000280), r0) 1.06192ms ago: executing program 0 (id=419): r0 = socket$inet6_sctp(0xa, 0x1, 0x84) r1 = socket$inet(0x2, 0x80001, 0x84) getsockopt(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000c35fff)=""/1, &(0x7f0000000000)=0x1) getsockopt$inet_sctp_SCTP_MAX_BURST(r1, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={0x0}, &(0x7f0000000300)=0x8) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(0xffffffffffffffff, 0x84, 0x7b, &(0x7f0000000080)={r2, 0x8001}, 0x8) getsockopt$bt_hci(r0, 0x84, 0x7f, &(0x7f0000000080)=""/4057, &(0x7f0000000000)=0xfd9) 0s ago: executing program 1 (id=420): r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x40046207, 0x0) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000000)={0x8, 0x0, &(0x7f00000003c0)=[@increfs], 0x0, 0x0, 0x0}) dup3(r1, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000080)={0x10, 0x0, &(0x7f0000000400)=[@request_death={0x400c6313}], 0x0, 0x0, 0x0}) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:14330' (ED25519) to the list of known hosts. syzkaller login: [ 325.650111][ T3153] cgroup: Unknown subsys name 'net' [ 326.058046][ T3153] cgroup: Unknown subsys name 'cpuset' [ 326.121181][ T3153] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 379.518403][ T3153] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 436.707139][ T3159] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 437.341876][ T3159] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 437.480760][ T3158] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 438.009515][ T3158] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 448.097346][ T3159] hsr_slave_0: entered promiscuous mode [ 448.145205][ T3159] hsr_slave_1: entered promiscuous mode [ 449.841588][ T3158] hsr_slave_0: entered promiscuous mode [ 449.871318][ T3158] hsr_slave_1: entered promiscuous mode [ 449.911237][ T3158] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 449.916918][ T3158] Cannot create hsr debugfs directory [ 455.170007][ T3159] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 455.329286][ T3159] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 455.396074][ T3159] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 455.469824][ T3159] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 456.432245][ T3158] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 456.542574][ T3158] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 456.639750][ T3158] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 456.742688][ T3158] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 465.011044][ T3159] 8021q: adding VLAN 0 to HW filter on device bond0 [ 468.195240][ T3158] 8021q: adding VLAN 0 to HW filter on device bond0 [ 492.998352][ T3159] veth0_vlan: entered promiscuous mode [ 493.166365][ T3159] veth1_vlan: entered promiscuous mode [ 494.499084][ T3159] veth0_macvtap: entered promiscuous mode [ 495.041182][ T3159] veth1_macvtap: entered promiscuous mode [ 497.106937][ T3159] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 497.109208][ T3159] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 497.110502][ T3159] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 497.111778][ T3159] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 497.876647][ T3158] veth0_vlan: entered promiscuous mode [ 498.661213][ T3158] veth1_vlan: entered promiscuous mode [ 500.121418][ T3158] veth0_macvtap: entered promiscuous mode [ 500.462213][ T3158] veth1_macvtap: entered promiscuous mode [ 500.611046][ T3159] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 501.628160][ T3158] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 501.630773][ T3158] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 501.633096][ T3158] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 501.668687][ T3158] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 506.558091][ T3852] usb 2-1: new high-speed USB device number 2 using dummy_hcd [ 506.837328][ T3852] usb 2-1: Using ep0 maxpacket: 32 [ 506.978931][ T3852] usb 2-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 506.987427][ T3852] usb 2-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 506.990518][ T3852] usb 2-1: New USB device found, idVendor=1e7d, idProduct=2d5a, bcdDevice= 0.00 [ 506.992510][ T3852] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 507.156090][ T3852] usb 2-1: config 0 descriptor?? [ 509.580345][ T3852] savu 0003:1E7D:2D5A.0001: hiddev0,hidraw0: USB HID v0.00 Device [HID 1e7d:2d5a] on usb-dummy_hcd.1-1/input0 [ 509.814981][ T3852] usb 2-1: USB disconnect, device number 2 [ 510.280815][ T3862] input: syz1 as /devices/virtual/input/input0 [ 531.540461][ T3917] capability: warning: `syz.1.8' uses deprecated v2 capabilities in a way that may be insecure [ 565.148616][ T3958] skbuff: bad partial csum: csum=65506/2 headroom=144 headlen=65526 [ 571.947506][ T32] usb 2-1: new high-speed USB device number 3 using dummy_hcd [ 572.437728][ T32] usb 2-1: config 1 has 1 interface, different from the descriptor's value: 2 [ 572.440144][ T32] usb 2-1: config 1 has no interface number 0 [ 572.442196][ T32] usb 2-1: config 1 interface 1 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 572.452296][ T32] usb 2-1: Duplicate descriptor for config 1 interface 1 altsetting 0, skipping [ 572.456673][ T32] usb 2-1: config 1 interface 1 altsetting 1 endpoint 0x3 has an invalid bInterval 255, changing to 11 [ 572.460596][ T32] usb 2-1: config 1 interface 1 altsetting 1 endpoint 0x3 has invalid maxpacket 59391, setting to 1024 [ 573.038147][ T32] usb 2-1: New USB device found, idVendor=0525, idProduct=a4a1, bcdDevice= 0.40 [ 573.041860][ T32] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 573.043636][ T32] usb 2-1: Product: syz [ 573.046305][ T32] usb 2-1: Manufacturer: syz [ 573.047886][ T32] usb 2-1: SerialNumber: syz [ 573.951786][ T3975] raw-gadget.0 gadget.1: fail, usb_ep_enable returned -22 [ 574.991263][ T3975] raw-gadget.0 gadget.1: fail, usb_ep_enable returned -22 [ 575.042325][ T32] cdc_ncm 2-1:1.1: bind() failure [ 575.418684][ T3782] usb 2-1: USB disconnect, device number 3 [ 586.210563][ T34] audit: type=1326 audit(585.400:2): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=4001 comm="syz.1.37" exe="/syz-executor" sig=0 arch=c00000f3 syscall=98 compat=0 ip=0xdbd52 code=0x7ffc0000 [ 586.248297][ T34] audit: type=1326 audit(585.460:3): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=4001 comm="syz.1.37" exe="/syz-executor" sig=0 arch=c00000f3 syscall=98 compat=0 ip=0xdbd52 code=0x7ffc0000 [ 586.323091][ T34] audit: type=1326 audit(585.540:4): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=4001 comm="syz.1.37" exe="/syz-executor" sig=0 arch=c00000f3 syscall=277 compat=0 ip=0xdbd52 code=0x7ffc0000 [ 586.400403][ T34] audit: type=1326 audit(585.590:5): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=4001 comm="syz.1.37" exe="/syz-executor" sig=0 arch=c00000f3 syscall=98 compat=0 ip=0xdbd52 code=0x7ffc0000 [ 586.417438][ T34] audit: type=1326 audit(585.630:6): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=4001 comm="syz.1.37" exe="/syz-executor" sig=0 arch=c00000f3 syscall=98 compat=0 ip=0xdbd52 code=0x7ffc0000 [ 586.671038][ T34] audit: type=1326 audit(585.820:7): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=4001 comm="syz.1.37" exe="/syz-executor" sig=0 arch=c00000f3 syscall=98 compat=0 ip=0xdbd52 code=0x7ffc0000 [ 586.720138][ T34] audit: type=1326 audit(585.840:8): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=4001 comm="syz.1.37" exe="/syz-executor" sig=0 arch=c00000f3 syscall=98 compat=0 ip=0xdbd52 code=0x7ffc0000 [ 586.745180][ T34] audit: type=1326 audit(585.870:9): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=4001 comm="syz.1.37" exe="/syz-executor" sig=0 arch=c00000f3 syscall=277 compat=0 ip=0xdbd52 code=0x7ffc0000 [ 587.257187][ T34] audit: type=1326 audit(586.470:10): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=4001 comm="syz.1.37" exe="/syz-executor" sig=0 arch=c00000f3 syscall=98 compat=0 ip=0xdbd52 code=0x7ffc0000 [ 587.278238][ T34] audit: type=1326 audit(586.490:11): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=4001 comm="syz.1.37" exe="/syz-executor" sig=0 arch=c00000f3 syscall=98 compat=0 ip=0xdbd52 code=0x7ffc0000 [ 594.729073][ T4013] binder: 4012:4013 ioctl c018620b 0 returned -14 [ 600.429117][ T4026] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 608.562976][ T4032] syz.0.48 uses obsolete (PF_INET,SOCK_PACKET) [ 613.522043][ T4040] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 645.228632][ T4093] process 'syz.1.66' launched './file2' with NULL argv: empty string added [ 665.669367][ T4126] binder: 4125:4126 ioctl c0306201 20000380 returned -14 [ 697.618466][ T4169] netlink: 104 bytes leftover after parsing attributes in process `syz.1.94'. [ 697.652005][ T4169] Zero length message leads to an empty skb [ 731.008673][ T25] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 731.432520][ T25] usb 1-1: config 0 has no interfaces? [ 731.441589][ T25] usb 1-1: New USB device found, idVendor=06cb, idProduct=73f5, bcdDevice= 0.00 [ 731.453125][ T25] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 731.509180][ T25] usb 1-1: config 0 descriptor?? [ 734.070441][ T8] usb 1-1: USB disconnect, device number 2 [ 743.754353][ T4240] TCP: request_sock_TCPv6: Possible SYN flooding on port [::]:20002. Sending cookies. [ 768.662005][ C0] IPv4: Oversized IP packet from 172.20.20.24 [ 787.126379][ T4309] tap0: tun_chr_ioctl cmd 1074025678 [ 787.132767][ T4309] tap0: group set to 0 [ 791.496033][ T4318] input: syz0 as /devices/virtual/input/input1 [ 822.107621][ T4367] netlink: 8 bytes leftover after parsing attributes in process `syz.0.164'. [ 832.270705][ T4386] loop0: detected capacity change from 0 to 16384 [ 832.318127][ T4386] I/O error, dev loop0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0 [ 836.985413][ T34] kauditd_printk_skb: 55 callbacks suppressed [ 836.985847][ T34] audit: type=1800 audit(836.180:67): pid=4393 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed comm="syz.1.174" name="SYSV00000000" dev="hugetlbfs" ino=0 res=0 errno=0 [ 854.570311][ T4416] input: syz0 as /devices/virtual/input/input2 [ 863.202990][ T4426] sctp: failed to load transform for md5: -2 [ 876.337610][ T4446] input: syz0 as /devices/virtual/input/input3 [ 887.698602][ T4465] netlink: 8 bytes leftover after parsing attributes in process `syz.1.199'. [ 890.985509][ T4470] input: syz0 as /devices/virtual/input/input4 [ 892.271770][ T4474] netlink: 8 bytes leftover after parsing attributes in process `syz.1.201'. [ 892.555311][ T4474] netlink: 8 bytes leftover after parsing attributes in process `syz.1.201'. [ 898.376326][ T4484] Driver unsupported XDP return value 0 on prog (id 17) dev N/A, expect packet loss! [ 898.560914][ T4486] binder: 4485:4486 ioctl c018620c 0 returned -14 [ 900.668186][ T4488] ALSA: seq fatal error: cannot create timer (-22) [ 905.552769][ T4498] netlink: 92 bytes leftover after parsing attributes in process `syz.1.210'. [ 910.375420][ T34] audit: type=1326 audit(909.590:68): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=4503 comm="syz.0.213" exe="/syz-executor" sig=31 arch=c00000f3 syscall=98 compat=0 ip=0xdbd52 code=0x0 [ 926.003541][ T4525] input: syz0 as /devices/virtual/input/input5 [ 931.155087][ T4533] input: syz0 as /devices/virtual/input/input6 [ 959.213356][ T4570] netlink: 96 bytes leftover after parsing attributes in process `syz.0.235'. [ 962.183207][ T4576] TCP: request_sock_subflow_v6: Possible SYN flooding on port [fe80::aa]:20002. Sending cookies. [ 964.522919][ T4583] nbd: device at index 0 is going down [ 968.612261][ T4588] TCP: request_sock_subflow_v4: Possible SYN flooding on port [::]:20002. Sending cookies. [ 999.672394][ T3000] nci: nci_extract_activation_params_nfc_dep: unsupported activation_rf_tech_and_mode 0x6 [ 1004.881568][ T4642] TCP: tcp_parse_options: Illegal window scaling value 253 > 14 received [ 1033.960521][ T4684] TCP: request_sock_TCP: Possible SYN flooding on port 0.0.0.0:20002. Sending cookies. [ 1098.937839][ T25] usb 1-1: new high-speed USB device number 3 using dummy_hcd [ 1099.185995][ T25] usb 1-1: Using ep0 maxpacket: 32 [ 1099.280565][ T25] usb 1-1: config 0 has no interfaces? [ 1099.451288][ T25] usb 1-1: New USB device found, idVendor=0f11, idProduct=1021, bcdDevice=86.66 [ 1099.452734][ T25] usb 1-1: New USB device strings: Mfr=85, Product=120, SerialNumber=172 [ 1099.455994][ T25] usb 1-1: Product: syz [ 1099.456930][ T25] usb 1-1: Manufacturer: syz [ 1099.457834][ T25] usb 1-1: SerialNumber: syz [ 1099.536623][ T25] usb 1-1: config 0 descriptor?? [ 1100.831880][ T9] usb 1-1: USB disconnect, device number 3 [ 1122.566367][ T4780] input: syz1 as /devices/virtual/input/input7 [ 1131.702280][ T32] usb 1-1: new high-speed USB device number 4 using dummy_hcd [ 1131.992042][ T32] usb 1-1: config 1 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 93, changing to 10 [ 1131.997607][ T32] usb 1-1: config 1 interface 1 altsetting 1 bulk endpoint 0x82 has invalid maxpacket 64 [ 1132.086451][ T32] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a1, bcdDevice= 0.40 [ 1132.087880][ T32] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1132.088980][ T32] usb 1-1: Product: syz [ 1132.089846][ T32] usb 1-1: Manufacturer: syz [ 1132.105472][ T32] usb 1-1: SerialNumber: syz [ 1132.690731][ T4797] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22 [ 1133.626668][ T4797] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22 [ 1133.915256][ T32] cdc_ncm 1-1:1.0: MAC-Address: 42:42:42:42:42:42 [ 1133.917618][ T32] cdc_ncm 1-1:1.0: dwNtbInMaxSize=0 is too small. Using 2048 [ 1133.919098][ T32] cdc_ncm 1-1:1.0: setting rx_max = 2048 [ 1134.141468][ T32] cdc_ncm 1-1:1.0: setting tx_max = 28 [ 1134.329702][ T32] cdc_ncm 1-1:1.0 eth1: register 'cdc_ncm' at usb-dummy_hcd.0-1, CDC NCM (NO ZLP), 42:42:42:42:42:42 [ 1134.657854][ T32] usb 1-1: USB disconnect, device number 4 [ 1134.688954][ T32] cdc_ncm 1-1:1.0 eth1: unregister 'cdc_ncm' usb-dummy_hcd.0-1, CDC NCM (NO ZLP) [ 1166.596587][ T32] usb 2-1: new high-speed USB device number 4 using dummy_hcd [ 1166.825750][ T32] usb 2-1: Using ep0 maxpacket: 8 [ 1166.988096][ T32] usb 2-1: config 1 contains an unexpected descriptor of type 0x2, skipping [ 1166.990991][ T32] usb 2-1: config 1 interface 1 altsetting 1 endpoint 0x1 has invalid wMaxPacketSize 0 [ 1166.993399][ T32] usb 2-1: config 1 interface 2 altsetting 1 endpoint 0x82 has an invalid bInterval 0, changing to 7 [ 1167.168065][ T32] usb 2-1: New USB device found, idVendor=1d6b, idProduct=0101, bcdDevice= 0.40 [ 1167.170508][ T32] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1167.172511][ T32] usb 2-1: Product: syz [ 1167.175525][ T32] usb 2-1: Manufacturer: syz [ 1167.177298][ T32] usb 2-1: SerialNumber: syz [ 1168.839158][ T4863] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 1168.852890][ T4863] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 1169.157569][ T32] usb 2-1: 2:1 : no UAC_FORMAT_TYPE desc [ 1169.759460][ T32] usb 2-1: USB disconnect, device number 4 [ 1191.044862][ T4950] mmap: syz.0.338 (4950) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst. [ 1191.576237][ T34] audit: type=1326 audit(1190.790:69): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=4951 comm="syz.1.339" exe="/syz-executor" sig=31 arch=c00000f3 syscall=98 compat=0 ip=0xdbd52 code=0x0 [ 1205.410971][ T4970] PF_CAN: dropped non conform CAN skbuff: dev type 65534, len 68 [ 1216.099331][ T9] usb 1-1: new high-speed USB device number 5 using dummy_hcd [ 1216.557668][ T9] usb 1-1: Using ep0 maxpacket: 8 [ 1216.661616][ T9] usb 1-1: config 179 has an invalid interface number: 65 but max is 0 [ 1216.676278][ T9] usb 1-1: config 179 has no interface number 0 [ 1216.679004][ T9] usb 1-1: config 179 interface 65 altsetting 0 endpoint 0xF has an invalid bInterval 0, changing to 7 [ 1216.681476][ T9] usb 1-1: config 179 interface 65 altsetting 0 endpoint 0xF has invalid maxpacket 1025, setting to 1024 [ 1216.699646][ T9] usb 1-1: config 179 interface 65 altsetting 0 endpoint 0x83 has an invalid bInterval 0, changing to 7 [ 1216.702259][ T9] usb 1-1: config 179 interface 65 altsetting 0 endpoint 0x83 has invalid maxpacket 41728, setting to 1024 [ 1216.723560][ T9] usb 1-1: config 179 interface 65 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 23 [ 1216.728419][ T9] usb 1-1: New USB device found, idVendor=12ab, idProduct=90a3, bcdDevice=1e.eb [ 1216.730744][ T9] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 1216.889733][ T4990] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22 [ 1218.567920][ T9] input: Generic X-Box pad as /devices/platform/dummy_hcd.0/usb1/1-1/1-1:179.65/input/input8 [ 1218.681672][ T4990] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 1218.850479][ T4990] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 1219.978217][ T3780] usb 1-1: USB disconnect, device number 5 [ 1219.986588][ C0] xpad 1-1:179.65: xpad_irq_in - usb_submit_urb failed with result -19 [ 1219.988993][ C0] xpad 1-1:179.65: xpad_irq_out - usb_submit_urb failed with result -19 [ 1220.088365][ T3780] xpad 1-1:179.65: xpad_try_sending_next_out_packet - usb_submit_urb failed with result -19 [ 1230.235354][ T5024] TCP: request_sock_subflow_v6: Possible SYN flooding on port [fe80::aa]:20002. Sending cookies. [ 1233.111065][ T5028] netlink: 28 bytes leftover after parsing attributes in process `syz.0.362'. [ 1233.112685][ T5028] netlink: 28 bytes leftover after parsing attributes in process `syz.0.362'. [ 1234.572167][ T25] usb 2-1: new high-speed USB device number 5 using dummy_hcd [ 1234.938326][ T25] usb 2-1: config 1 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 255, changing to 11 [ 1235.061708][ T25] usb 2-1: New USB device found, idVendor=0525, idProduct=a4a1, bcdDevice= 0.40 [ 1235.063212][ T25] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1235.069229][ T25] usb 2-1: Product: syz [ 1235.070297][ T25] usb 2-1: Manufacturer: syz [ 1235.071293][ T25] usb 2-1: SerialNumber: syz [ 1238.426141][ T25] cdc_ncm 2-1:1.0: MAC-Address: 42:42:42:42:42:42 [ 1238.428408][ T25] cdc_ncm 2-1:1.0: dwNtbInMaxSize=0 is too small. Using 2048 [ 1238.430247][ T25] cdc_ncm 2-1:1.0: setting rx_max = 2048 [ 1238.812781][ T25] cdc_ncm 2-1:1.0: setting tx_max = 184 [ 1238.897385][ T25] cdc_ncm 2-1:1.0 eth1: register 'cdc_ncm' at usb-dummy_hcd.1-1, CDC NCM (NO ZLP), 42:42:42:42:42:42 [ 1239.107348][ T25] usb 2-1: USB disconnect, device number 5 [ 1239.182693][ T25] cdc_ncm 2-1:1.0 eth1: unregister 'cdc_ncm' usb-dummy_hcd.1-1, CDC NCM (NO ZLP) [ 1277.496330][ T5115] input: syz1 as /devices/virtual/input/input9 [ 1295.082781][ T5152] TCP: request_sock_subflow_v6: Possible SYN flooding on port [fe80::aa]:20002. Sending cookies. [ 1305.327088][ T5169] netlink: 8 bytes leftover after parsing attributes in process `syz.1.402'. [ 1305.329072][ T5169] netlink: 4 bytes leftover after parsing attributes in process `syz.1.402'. [ 1305.331023][ T5169] netlink: 36 bytes leftover after parsing attributes in process `syz.1.402'. [ 1329.751267][ T5205] netlink: 'syz.0.417': attribute type 1 has an invalid length. [ 1329.756588][ T5205] netlink: 192 bytes leftover after parsing attributes in process `syz.0.417'. [ 1331.439401][ T9] ================================================================== [ 1331.440883][ T9] BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0xb4/0x158 [ 1331.443107][ T9] Read of size 8 at addr ff6000002ef9ce88 by task kworker/0:1/9 [ 1331.444140][ T9] [ 1331.446856][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.12.0-rc6-syzkaller-g57f7c7dc78cd #0 [ 1331.448583][ T9] Hardware name: riscv-virtio,qemu (DT) [ 1331.449701][ T9] Workqueue: events binder_deferred_func [ 1331.450949][ T9] Call Trace: [ 1331.451641][ T9] [] dump_backtrace+0x2e/0x3c [ 1331.452563][ T9] [] show_stack+0x34/0x40 [ 1331.453466][ T9] [] dump_stack_lvl+0x122/0x196 [ 1331.454384][ T9] [] print_report+0x290/0x5a0 [ 1331.455269][ T9] [] kasan_report+0xec/0x118 [ 1331.456204][ T9] [] __asan_report_load8_noabort+0x12/0x1a [ 1331.457078][ T9] [] __list_del_entry_valid_or_report+0xb4/0x158 [ 1331.458161][ T9] [] binder_release_work+0xb6/0x47c [ 1331.459103][ T9] [] binder_deferred_func+0xd40/0x123e [ 1331.459985][ T9] [] process_one_work+0x956/0x1dae [ 1331.460894][ T9] [] worker_thread+0x5be/0xdc6 [ 1331.461782][ T9] [] kthread+0x28c/0x3a6 [ 1331.462582][ T9] [] ret_from_fork+0xe/0x18 [ 1331.463640][ T9] [ 1331.464191][ T9] Allocated by task 5209: [ 1331.464915][ T9] stack_trace_save+0xa0/0xd2 [ 1331.465639][ T9] kasan_save_stack+0x3e/0x6a [ 1331.466448][ T9] kasan_save_track+0x16/0x28 [ 1331.467280][ T9] kasan_save_alloc_info+0x30/0x3e [ 1331.468057][ T9] __kasan_kmalloc+0xa0/0xa6 [ 1331.468910][ T9] __kmalloc_cache_noprof+0x1f4/0x318 [ 1331.469712][ T9] binder_thread_write+0x148e/0x4af6 [ 1331.470479][ T9] binder_ioctl+0x200e/0x727a [ 1331.471369][ T9] __riscv_sys_ioctl+0x182/0x1e6 [ 1331.472167][ T9] syscall_handler+0x94/0x118 [ 1331.473022][ T9] do_trap_ecall_u+0x1aa/0x216 [ 1331.474287][ T9] _new_vmalloc_restore_context_a0+0xc2/0xce [ 1331.475292][ T9] [ 1331.475754][ T9] Freed by task 9: [ 1331.476303][ T9] stack_trace_save+0xa0/0xd2 [ 1331.476985][ T9] kasan_save_stack+0x3e/0x6a [ 1331.477895][ T9] kasan_save_track+0x16/0x28 [ 1331.478716][ T9] kasan_save_free_info+0x40/0x5a [ 1331.479599][ T9] __kasan_slab_free+0x4e/0x68 [ 1331.480506][ T9] kfree+0x13c/0x4ce [ 1331.481294][ T9] binder_deferred_func+0xcb8/0x123e [ 1331.482095][ T9] process_one_work+0x956/0x1dae [ 1331.482986][ T9] worker_thread+0x5be/0xdc6 [ 1331.483921][ T9] kthread+0x28c/0x3a6 [ 1331.484666][ T9] ret_from_fork+0xe/0x18 [ 1331.485578][ T9] [ 1331.486101][ T9] The buggy address belongs to the object at ff6000002ef9ce80 [ 1331.486101][ T9] which belongs to the cache kmalloc-64 of size 64 [ 1331.487364][ T9] The buggy address is located 8 bytes inside of [ 1331.487364][ T9] freed 64-byte region [ff6000002ef9ce80, ff6000002ef9cec0) [ 1331.488528][ T9] [ 1331.489107][ T9] The buggy address belongs to the physical page: [ 1331.490348][ T9] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaef9c [ 1331.491584][ T9] ksm flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) [ 1331.493086][ T9] page_type: f5(slab) [ 1331.494539][ T9] raw: 0ffe000000000000 ff600000114018c0 ff1c0000006a1340 dead000000000003 [ 1331.495536][ T9] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000 [ 1331.496492][ T9] page dumped because: kasan: bad access detected [ 1331.497635][ T9] page_owner tracks the page as allocated [ 1331.498440][ T9] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1959, tgid 1959 (kworker/u10:5), ts 442396036100, free_ts 442390411400 [ 1331.500285][ T9] __set_page_owner+0xa2/0x70c [ 1331.501258][ T9] post_alloc_hook+0xec/0x1e4 [ 1331.502225][ T9] get_page_from_freelist+0xdaa/0x295a [ 1331.503334][ T9] __alloc_pages_noprof+0x1e2/0x1e96 [ 1331.504302][ T9] alloc_pages_mpol_noprof+0xf8/0x48a [ 1331.505077][ T9] alloc_pages_noprof+0x174/0x2f0 [ 1331.505825][ T9] new_slab+0x2b6/0x40c [ 1331.506559][ T9] ___slab_alloc+0xaca/0x114c [ 1331.507461][ T9] __slab_alloc.constprop.0+0x60/0xb2 [ 1331.508340][ T9] __kmalloc_node_noprof+0x1f8/0x522 [ 1331.509213][ T9] __vmalloc_node_range_noprof+0x36e/0x1450 [ 1331.510014][ T9] copy_process+0x3658/0x8e52 [ 1331.510790][ T9] kernel_clone+0x11e/0x92c [ 1331.511566][ T9] user_mode_thread+0xea/0x11a [ 1331.512532][ T9] call_usermodehelper_exec_work+0xd4/0x1ac [ 1331.513907][ T9] process_one_work+0x956/0x1dae [ 1331.515491][ T9] page last free pid 9 tgid 9 stack trace: [ 1331.516679][ T9] __reset_page_owner+0x8c/0x400 [ 1331.518123][ T9] free_unref_page+0x592/0xf08 [ 1331.519634][ T9] __free_pages+0x13c/0x1bc [ 1331.521032][ T9] vfree+0x1b6/0xc88 [ 1331.521768][ T9] delayed_vfree_work+0x58/0x7a [ 1331.522857][ T9] process_one_work+0x956/0x1dae [ 1331.524696][ T9] worker_thread+0x5be/0xdc6 [ 1331.526096][ T9] kthread+0x28c/0x3a6 [ 1331.527365][ T9] ret_from_fork+0xe/0x18 [ 1331.529001][ T9] [ 1331.529826][ T9] Memory state around the buggy address: [ 1331.531648][ T9] ff6000002ef9cd80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 1331.533080][ T9] ff6000002ef9ce00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 1331.535484][ T9] >ff6000002ef9ce80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 1331.536853][ T9] ^ [ 1331.537853][ T9] ff6000002ef9cf00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 1331.539207][ T9] ff6000002ef9cf80: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc [ 1331.540774][ T9] ================================================================== [ 1331.549643][ T9] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 1331.552101][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.12.0-rc6-syzkaller-g57f7c7dc78cd #0 [ 1331.553752][ T9] Hardware name: riscv-virtio,qemu (DT) [ 1331.554841][ T9] Workqueue: events binder_deferred_func [ 1331.556407][ T9] Call Trace: [ 1331.557275][ T9] [] dump_backtrace+0x2e/0x3c [ 1331.558717][ T9] [] show_stack+0x34/0x40 [ 1331.560243][ T9] [] dump_stack_lvl+0x108/0x196 [ 1331.561719][ T9] [] dump_stack+0x1c/0x24 [ 1331.563173][ T9] [] panic+0x388/0x86c [ 1331.564511][ T9] [] check_panic_on_warn+0xc0/0xe4 [ 1331.565969][ T9] [] end_report.part.0+0x4a/0xaa [ 1331.567747][ T9] [] kasan_report+0x102/0x118 [ 1331.569374][ T9] [] __asan_report_load8_noabort+0x12/0x1a [ 1331.570884][ T9] [] __list_del_entry_valid_or_report+0xb4/0x158 [ 1331.572583][ T9] [] binder_release_work+0xb6/0x47c [ 1331.574208][ T9] [] binder_deferred_func+0xd40/0x123e [ 1331.575793][ T9] [] process_one_work+0x956/0x1dae [ 1331.577441][ T9] [] worker_thread+0x5be/0xdc6 [ 1331.579009][ T9] [] kthread+0x28c/0x3a6 [ 1331.580402][ T9] [] ret_from_fork+0xe/0x18 [ 1331.582301][ T9] SMP: stopping secondary CPUs [ 1331.586232][ T9] Rebooting in 86400 seconds.. VM DIAGNOSIS: 05:19:44 Registers: info registers vcpu 0 CPU#0 V = 0 pc ffffffff800c4e2e mhartid 0000000000000000 mstatus 0000000a000000a0 hstatus 0000000200000000 vsstatus 0000000a00000000 mip 0000000000000220 mie 000000000000022a mideleg 0000000000001666 hideleg 0000000000000444 medeleg 0000000000f0b509 hedeleg 000000000000b109 mtvec 00000000800003f8 stvec ffffffff860a3964 vstvec 0000000000000000 mepc ffffffff8001fb0e sepc ffffffff802497ac vsepc 0000000000000000 mcause 0000000000000009 scause 8000000000000005 vscause 0000000000000000 mtval 0000000000000000 stval 0000000000000000 htval 0000000000000000 mtval2 0000000000000000 mscratch 0000000080049000 sscratch 0000000000000000 satp a039c0000009b4bb x0/zero 0000000000000000 x1/ra ffffffff800c4e2e x2/sp ff200000000a76d0 x3/gp ffffffff899d48a0 x4/tp ff600000126a8000 x5/t0 ff200000000a7474 x6/t1 fffffffef133b8d8 x7/t2 7320666f20646165 x8/s0 ff200000000a77f0 x9/s1 0000000000000130 x10/a0 0000000000000006 x11/a1 0000000000000130 x12/a2 0000000000000002 x13/a3 ffffffff800c4e2e x14/a4 0000000000000000 x15/a5 ff600000126a9000 x16/a6 0000000000000003 x17/a7 0000000000000003 x18/s2 ffffffff89b370e0 x19/s3 000000000000000b x20/s4 ff60000011e9e800 x21/s5 0000000000000000 x22/s6 dfffffff00000000 x23/s7 ffffffff89ad1500 x24/s8 ff200000000a7780 x25/s9 ffffffff90db1660 x26/s10 0000000000001000 x27/s11 ffffffff90db1660 x28/t3 ff600000126a8008 x29/t4 fffffffef133b8d8 x30/t5 fffffffef133b8d9 x31/t6 ffffffff89b370ec f0/ft0 0000000000000000 f1/ft1 0000000000000000 f2/ft2 0000000000000000 f3/ft3 0000000000000000 f4/ft4 0000000000000000 f5/ft5 0000000000000000 f6/ft6 0000000000000000 f7/ft7 0000000000000000 f8/fs0 0000000000000000 f9/fs1 0000000000000000 f10/fa0 0000000000000000 f11/fa1 0000000000000000 f12/fa2 0000000000000000 f13/fa3 0000000000000000 f14/fa4 0000000000000000 f15/fa5 0000000000000000 f16/fa6 0000000000000000 f17/fa7 0000000000000000 f18/fs2 0000000000000000 f19/fs3 0000000000000000 f20/fs4 0000000000000000 f21/fs5 0000000000000000 f22/fs6 0000000000000000 f23/fs7 0000000000000000 f24/fs8 0000000000000000 f25/fs9 0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000 f28/ft8 0000000000000000 f29/ft9 0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000 info registers vcpu 1 CPU#1 V = 0 pc 00000000000d456e mhartid 0000000000000001 mstatus 0000000a000040a2 hstatus 0000000200000000 vsstatus 0000000a00000000 mip 0000000000000000 mie 000000000000022a mideleg 0000000000001666 hideleg 0000000000000444 medeleg 0000000000f0b509 hedeleg 000000000000b109 mtvec 00000000800003f8 stvec ffffffff860a3964 vstvec 0000000000000000 mepc ffffffff8014f9ba sepc 00000000000d4ddc vsepc 0000000000000000 mcause 8000000000000003 scause 0000000000000008 vscause 0000000000000000 mtval 0000000000000000 stval 0000000000000000 htval 0000000000000000 mtval2 0000000000000000 mscratch 0000000080047000 sscratch ff60000018c2b480 satp a012a000000aeac0 x0/zero 0000000000000000 x1/ra 00000000000d4ed0 x2/sp 00007ffff86d00e0 x3/gp 000000000022c918 x4/tp 0000000006c26760 x5/t0 00000000000001f4 x6/t1 0000000000000018 x7/t2 0000000000003a98 x8/s0 0000000000000000 x9/s1 00007ffff86d017c x10/a0 0000000000000000 x11/a1 0000000000000000 x12/a2 00007ffff86d0128 x13/a3 0000000000000000 x14/a4 0000000000989680 x15/a5 0000000000000000 x16/a6 0000000064000000 x17/a7 0000000000000073 x18/s2 0000000000240000 x19/s3 0000000040000001 x20/s4 0000000000002328 x21/s5 00007ffff86d01d0 x22/s6 0000000000144cc6 x23/s7 0000000000000006 x24/s8 00000000000001f4 x25/s9 0000000000144dd3 x26/s10 00000000000f4240 x27/s11 0000000000000005 x28/t3 002756cd00000000 x29/t4 ffffffffffffffff x30/t5 000000031da2f5b1 x31/t6 0000000000000000 f0/ft0 0000000000000000 f1/ft1 0000000000000000 f2/ft2 0000000000000000 f3/ft3 0000000000000000 f4/ft4 0000000000000000 f5/ft5 0000000000000000 f6/ft6 0000000000000000 f7/ft7 0000000000000000 f8/fs0 0000000000000000 f9/fs1 0000000000000000 f10/fa0 0000000000000000 f11/fa1 0000000000000000 f12/fa2 0000000000000000 f13/fa3 0000000000000000 f14/fa4 0000000000000000 f15/fa5 0000000000000000 f16/fa6 0000000000000000 f17/fa7 0000000000000000 f18/fs2 0000000000000000 f19/fs3 0000000000000000 f20/fs4 0000000000000000 f21/fs5 0000000000000000 f22/fs6 0000000000000000 f23/fs7 0000000000000000 f24/fs8 0000000000000000 f25/fs9 0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000 f28/ft8 0000000000000000 f29/ft9 0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000