last executing test programs: 906.050863ms ago: executing program 0 (id=1): setsockopt$inet6_int(0xffffffffffffffff, 0x29, 0x35, &(0x7f0000000000)=0x8000, 0x4) setsockopt$inet6_IPV6_HOPOPTS(0xffffffffffffffff, 0x29, 0x36, &(0x7f0000000140)=ANY=[], 0x8) bind$inet6(0xffffffffffffffff, &(0x7f0000f5dfe4)={0xa, 0x4e20, 0x0, @empty, 0x80}, 0x1c) r0 = socket$nl_route(0x10, 0x3, 0x0) listen(r0, 0x5) socket$netlink(0x10, 0x3, 0x9) syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) r1 = openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x26e1, 0x0) r2 = syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10) sendmsg$netlink(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000440)=ANY=[@ANYBLOB="1c00000014000100000080000000000007000080080002"], 0x1c}], 0x1}, 0x0) bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, 0x0, 0x0) ioctl$SIOCSIFHWADDR(r1, 0x8b19, &(0x7f0000000000)={'pim6reg1\x00', @link_local}) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000)) r5 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0) ioctl$TUNSETIFF(r5, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x2}) socket$unix(0x1, 0x1, 0x0) r6 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000280)={'syz_tun\x00', 0x0}) sendmsg$nl_route_sched(r6, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f00000001c0)=@newtclass={0x38, 0x28, 0x20, 0x70bd2b, 0x25dfdbfb, {0x0, 0x0, 0x0, r7, {0xffe0, 0x2}, {0x3, 0xfff2}, {0xf, 0x4}}, [@tclass_kind_options=@c_taprio={0xb}, @TCA_RATE={0x6, 0x5, {0x3}}]}, 0x38}, 0x1, 0x0, 0x0, 0x20000001}, 0x4c040) r8 = syz_init_net_socket$rose(0xb, 0x5, 0x0) ioctl$sock_rose_SIOCADDRT(r8, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x6, @bcast, @bpq0, 0x0, [@bcast, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]}) r9 = syz_init_net_socket$rose(0xb, 0x5, 0x0) connect$rose(r9, &(0x7f0000000200)=@short={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, 0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}}, 0x1c) connect$rose(r9, &(0x7f0000000100)=@short={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @default, 0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}}, 0x1c) sendmsg$nl_route(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000080)=ANY=[], 0x58}}, 0x0) setsockopt$inet6_IPV6_DSTOPTS(0xffffffffffffffff, 0x29, 0x3b, &(0x7f0000000080)=ANY=[], 0x8) 443.091862ms ago: executing program 3 (id=4): r0 = syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10) sendmsg$netlink(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000001ac0)=[{&(0x7f0000000a00)={0x2d0, 0x1f, 0x1, 0x0, 0x0, "", [@nested={0x2bf, 0x0, 0x0, 0x1, [@typed={0xc, 0x1, 0x0, 0x0, @u64=0x5}, @nested={0x124, 0x2f, 0x0, 0x1, [@nested={0xc, 0xa2, 0x0, 0x1, [@typed={0x8, 0xed, 0x0, 0x0, @str='syz\x00'}]}, @typed={0x14, 0x136, 0x0, 0x0, @ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}}, @nested={0x8, 0x88, 0x0, 0x1, [@typed={0x4, 0xc7}]}, @nested={0xf5, 0x34, 0x0, 0x1, [@nested={0xa1, 0x58, 0x0, 0x1, [@generic="d5814ea826aa7f73f6edca3c5d5131ea47f09be4a580c1621f22b58b98dfde0bc50dc80408c634fb958a3349e70a7cc6d07d3875969a012ca44d37092de8ca6eaa444a5c6aa178a6e4e7b9497e96c5899f744933d157688bfc805a5f5e480946c8f23f08e88018474058b9ad1374ff20cdc3e9da42a4c44ed5a145460aad1349116b75058b1c9dbdadbce9d318aefabc9e3d195f540d8a2110", @nested={0x4}]}, @nested={0x8, 0xb8, 0x0, 0x1, [@nested={0x4, 0x108}]}, @generic="7558a560cc5cb15e4f38d09a7a05c4e9637e7a6cfae3f02923b74b46eeb09f54d7a254d9115d647375b576520350c2781ebe799dc9060dcf8c7b1a4f8b", @typed={0x8, 0xae, 0x0, 0x0, @u32=0x81}]}]}, @generic="50bb2d6f67d29d6fabadb107d0def49c88ea04abde1d5e8d3fb22a1b5046778bdafefc46b0449ade68bf84b36ec72dd71265fc2e882348c26c2126237dd5b37f5ae655b1086cda40e00aec58754734be31d750351dc076eb43d9621dc08c029d1608a487f26fbe8101000000010000008b9482565856555ee923c65973deb0a99b962bc0fe94a3fcae3697bd7b85b3a682167c43dbf137115a40ebddcad74875ec58e9a3ddb9ad02a078cf0d972df9e99f079767734f69ce475f55ac64337803f5eb4e5842f4d98fe3fa370d43eb640dc5061dc35817c8a66c29be82fdbebd9798785e3ed62d512eaab02faf14e764c1b01bf101ee86478dd1981937508b906e98a23c9615867bc5a86bd5e49ce0872231494c29fee4fc315c7340b47bd96f942cc707ae3596528172ed032a24053a1d27449dc197c28f06b02ed97b99ac9b995cb76ef9c78d6e830607914e325fe44684bcae218b28b230c4dd5ede4b048da336b35f7c90f3663e3303ba9f8fe2fcb69223f0d2f72f71980246d5804215601265a8469aeb46a436df7533"]}]}, 0x2d0}], 0x1}, 0x0) 290.779415ms ago: executing program 2 (id=3): r0 = socket$nl_netfilter(0x10, 0x3, 0xc) r1 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r1, 0x0, 0x0) sendmsg$NFT_BATCH(r0, 0x0, 0x0) unshare(0x20000400) r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) r4 = syz_init_net_socket$ax25(0x3, 0x2, 0x0) bind$ax25(r4, &(0x7f0000000100)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @null]}, 0x48) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) r5 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0x10) ioctl$sock_netdev_private(r5, 0x8914, &(0x7f0000000000)) ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x1, 'syz1\x00', @default, 0x1, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @default]}) setsockopt$ax25_SO_BINDTODEVICE(r4, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0x10) ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000)) 271.913975ms ago: executing program 3 (id=5): r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmmsg(r0, &(0x7f0000001f40)=[{{0x0, 0x0, &(0x7f0000001900)=[{&(0x7f0000000600)="bd", 0x1}], 0x1}}, {{&(0x7f0000000200)=@nl=@proc, 0x80, 0x0, 0x0, &(0x7f0000000400)=ANY=[], 0x1}}], 0x2, 0x0) 91.729018ms ago: executing program 2 (id=6): r0 = syz_open_dev$tty20(0xc, 0x4, 0x0) r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xb, &(0x7f0000000180)=ANY=[], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000080)='sched_switch\x00', r1}, 0x10) write$binfmt_misc(r0, &(0x7f0000000240), 0xfffffecc) ioctl$TIOCSSOFTCAR(r0, 0x541a, &(0x7f0000000040)=0x3b3) (fail_nth: 3) 39.374499ms ago: executing program 3 (id=7): r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000280)=@base={0x9, 0x8, 0xdd, 0xff}, 0x50) setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xa, 0x0, 0x0) close(0x3) r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000540)=ANY=[@ANYBLOB="0b00000006000000010000007f00000001"], 0x50) bpf$PROG_LOAD(0x5, &(0x7f0000000680)={0xe, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="18090000000000000000000000000000850000006d0000001801000020696c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000007000000095"], 0x0, 0x0, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, @fallback=0x6, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x14, &(0x7f0000000400)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b7040000000000008500000001"], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000bc0)={&(0x7f0000000940)='percpu_alloc_percpu\x00', r2}, 0x10) bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f00000004c0)={0x0, 0x0, &(0x7f0000000080), &(0x7f00000001c0), 0x1, r1}, 0x38) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000600)={0x6, 0x3, &(0x7f0000000180)=@framed, &(0x7f0000000280)='GPL\x00', 0x5}, 0x94) 0s ago: executing program 1 (id=2): r0 = syz_usb_connect$printer(0x0, 0x2d, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000000000402505a8a4410001020b0109021b00010100c00009040000020701010009050102"], 0x0) syz_usb_control_io$printer(r0, 0x0, &(0x7f00000011c0)={0x34, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000001180)={0x20, 0x0, 0x1}}) syz_usb_disconnect(r0) pwritev2(0xffffffffffffffff, &(0x7f0000000040)=[{&(0x7f0000000080)="ec", 0x1}], 0x1, 0xfffff, 0x0, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.10.3' (ED25519) to the list of known hosts. syzkaller login: [ 63.910835][ T5769] cgroup: Unknown subsys name 'net' [ 64.050661][ T5769] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 65.427635][ T5769] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 66.967920][ T5785] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 66.975975][ T5785] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 66.984489][ T5785] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 66.992012][ T5785] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 67.000015][ T5785] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 67.007181][ T5785] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 67.016116][ T5785] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 67.023589][ T5785] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 67.026543][ T5792] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 67.031590][ T5785] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3 [ 67.045318][ T5785] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3 [ 67.049518][ T5794] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 67.053358][ T5785] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 67.060172][ T5792] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 67.075584][ T5794] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 67.084360][ T5794] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 67.086107][ T5795] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 67.100425][ T5795] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 67.108882][ T5795] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 67.117032][ T5796] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [ 67.117435][ T5795] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 67.131725][ T5796] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 67.132701][ T5795] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3 [ 67.147370][ T5795] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 67.524492][ T5782] chnl_net:caif_netlink_parms(): no params data found [ 67.575528][ T5781] chnl_net:caif_netlink_parms(): no params data found [ 67.673987][ T5779] chnl_net:caif_netlink_parms(): no params data found [ 67.760421][ T5781] bridge0: port 1(bridge_slave_0) entered blocking state [ 67.768356][ T5781] bridge0: port 1(bridge_slave_0) entered disabled state [ 67.775575][ T5781] bridge_slave_0: entered allmulticast mode [ 67.783053][ T5781] bridge_slave_0: entered promiscuous mode [ 67.795092][ T5781] bridge0: port 2(bridge_slave_1) entered blocking state [ 67.802302][ T5781] bridge0: port 2(bridge_slave_1) entered disabled state [ 67.809514][ T5781] bridge_slave_1: entered allmulticast mode [ 67.816501][ T5781] bridge_slave_1: entered promiscuous mode [ 67.836890][ T5780] chnl_net:caif_netlink_parms(): no params data found [ 67.861034][ T5782] bridge0: port 1(bridge_slave_0) entered blocking state [ 67.868364][ T5782] bridge0: port 1(bridge_slave_0) entered disabled state [ 67.875583][ T5782] bridge_slave_0: entered allmulticast mode [ 67.882890][ T5782] bridge_slave_0: entered promiscuous mode [ 67.892029][ T5782] bridge0: port 2(bridge_slave_1) entered blocking state [ 67.899682][ T5782] bridge0: port 2(bridge_slave_1) entered disabled state [ 67.906818][ T5782] bridge_slave_1: entered allmulticast mode [ 67.913901][ T5782] bridge_slave_1: entered promiscuous mode [ 67.976555][ T5781] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 67.989372][ T5781] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 68.009687][ T5782] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 68.022319][ T5782] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 68.065205][ T5779] bridge0: port 1(bridge_slave_0) entered blocking state [ 68.072934][ T5779] bridge0: port 1(bridge_slave_0) entered disabled state [ 68.081127][ T5779] bridge_slave_0: entered allmulticast mode [ 68.088114][ T5779] bridge_slave_0: entered promiscuous mode [ 68.123530][ T5782] team0: Port device team_slave_0 added [ 68.130018][ T5779] bridge0: port 2(bridge_slave_1) entered blocking state [ 68.137176][ T5779] bridge0: port 2(bridge_slave_1) entered disabled state [ 68.145015][ T5779] bridge_slave_1: entered allmulticast mode [ 68.151880][ T5779] bridge_slave_1: entered promiscuous mode [ 68.172718][ T5781] team0: Port device team_slave_0 added [ 68.181658][ T5781] team0: Port device team_slave_1 added [ 68.192930][ T5782] team0: Port device team_slave_1 added [ 68.248710][ T5779] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 68.281697][ T5782] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 68.288932][ T5782] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 68.315658][ T5782] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 68.330394][ T5782] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 68.337361][ T5782] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 68.363307][ T5782] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 68.376695][ T5779] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 68.392080][ T5781] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 68.399119][ T5781] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 68.425428][ T5781] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 68.437215][ T5780] bridge0: port 1(bridge_slave_0) entered blocking state [ 68.444568][ T5780] bridge0: port 1(bridge_slave_0) entered disabled state [ 68.451909][ T5780] bridge_slave_0: entered allmulticast mode [ 68.459223][ T5780] bridge_slave_0: entered promiscuous mode [ 68.490542][ T5781] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 68.497510][ T5781] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 68.523839][ T5781] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 68.540760][ T5780] bridge0: port 2(bridge_slave_1) entered blocking state [ 68.547967][ T5780] bridge0: port 2(bridge_slave_1) entered disabled state [ 68.555089][ T5780] bridge_slave_1: entered allmulticast mode [ 68.561983][ T5780] bridge_slave_1: entered promiscuous mode [ 68.587276][ T5779] team0: Port device team_slave_0 added [ 68.595746][ T5779] team0: Port device team_slave_1 added [ 68.661696][ T5780] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 68.674520][ T5780] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 68.697294][ T5782] hsr_slave_0: entered promiscuous mode [ 68.703953][ T5782] hsr_slave_1: entered promiscuous mode [ 68.734824][ T5779] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 68.741947][ T5779] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 68.768200][ T5779] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 68.781551][ T5779] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 68.788582][ T5779] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 68.828996][ T5779] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 68.843446][ T5781] hsr_slave_0: entered promiscuous mode [ 68.850032][ T5781] hsr_slave_1: entered promiscuous mode [ 68.856081][ T5781] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 68.864467][ T5781] Cannot create hsr debugfs directory [ 68.889942][ T5780] team0: Port device team_slave_0 added [ 68.899185][ T5780] team0: Port device team_slave_1 added [ 69.000400][ T5780] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 69.007374][ T5780] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 69.033540][ T5780] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 69.063562][ T5779] hsr_slave_0: entered promiscuous mode [ 69.070885][ T5779] hsr_slave_1: entered promiscuous mode [ 69.076942][ T5779] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 69.084843][ T5779] Cannot create hsr debugfs directory [ 69.091079][ T5780] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 69.098360][ T5780] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 69.124418][ T5780] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 69.132976][ T5795] Bluetooth: hci3: command tx timeout [ 69.188355][ T5795] Bluetooth: hci1: command tx timeout [ 69.188371][ T50] Bluetooth: hci2: command tx timeout [ 69.188622][ T5790] Bluetooth: hci0: command tx timeout [ 69.208753][ T5780] hsr_slave_0: entered promiscuous mode [ 69.214971][ T5780] hsr_slave_1: entered promiscuous mode [ 69.222089][ T5780] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 69.229720][ T5780] Cannot create hsr debugfs directory [ 69.525450][ T5782] netdevsim netdevsim3 netdevsim0: renamed from eth0 [ 69.536807][ T5782] netdevsim netdevsim3 netdevsim1: renamed from eth1 [ 69.546932][ T5782] netdevsim netdevsim3 netdevsim2: renamed from eth2 [ 69.559475][ T5782] netdevsim netdevsim3 netdevsim3: renamed from eth3 [ 69.639775][ T5781] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 69.650573][ T5781] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 69.673928][ T5781] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 69.682830][ T5781] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 69.750061][ T5779] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 69.765691][ T5779] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 69.775427][ T5779] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 69.792207][ T5779] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 69.858997][ T5780] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 69.868622][ T5780] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 69.906766][ T5780] netdevsim netdevsim2 netdevsim2: renamed from eth2 [ 69.921608][ T5780] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 69.964341][ T5782] 8021q: adding VLAN 0 to HW filter on device bond0 [ 70.036880][ T5782] 8021q: adding VLAN 0 to HW filter on device team0 [ 70.063753][ T5781] 8021q: adding VLAN 0 to HW filter on device bond0 [ 70.074516][ T3910] bridge0: port 1(bridge_slave_0) entered blocking state [ 70.081932][ T3910] bridge0: port 1(bridge_slave_0) entered forwarding state [ 70.109049][ T5781] 8021q: adding VLAN 0 to HW filter on device team0 [ 70.122384][ T3910] bridge0: port 2(bridge_slave_1) entered blocking state [ 70.129547][ T3910] bridge0: port 2(bridge_slave_1) entered forwarding state [ 70.174332][ T12] bridge0: port 1(bridge_slave_0) entered blocking state [ 70.181470][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state [ 70.213361][ T48] bridge0: port 2(bridge_slave_1) entered blocking state [ 70.220474][ T48] bridge0: port 2(bridge_slave_1) entered forwarding state [ 70.250571][ T5779] 8021q: adding VLAN 0 to HW filter on device bond0 [ 70.275074][ T5780] 8021q: adding VLAN 0 to HW filter on device bond0 [ 70.340448][ T5779] 8021q: adding VLAN 0 to HW filter on device team0 [ 70.351190][ T5780] 8021q: adding VLAN 0 to HW filter on device team0 [ 70.376338][ T11] bridge0: port 1(bridge_slave_0) entered blocking state [ 70.383526][ T11] bridge0: port 1(bridge_slave_0) entered forwarding state [ 70.415190][ T11] bridge0: port 1(bridge_slave_0) entered blocking state [ 70.422927][ T11] bridge0: port 1(bridge_slave_0) entered forwarding state [ 70.466017][ T11] bridge0: port 2(bridge_slave_1) entered blocking state [ 70.473241][ T11] bridge0: port 2(bridge_slave_1) entered forwarding state [ 70.498304][ T11] bridge0: port 2(bridge_slave_1) entered blocking state [ 70.505495][ T11] bridge0: port 2(bridge_slave_1) entered forwarding state [ 70.765157][ T5781] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 70.838884][ T5782] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 70.900772][ T5781] veth0_vlan: entered promiscuous mode [ 70.927188][ T5781] veth1_vlan: entered promiscuous mode [ 71.023854][ T5780] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 71.039170][ T5782] veth0_vlan: entered promiscuous mode [ 71.073000][ T5782] veth1_vlan: entered promiscuous mode [ 71.081528][ T5781] veth0_macvtap: entered promiscuous mode [ 71.098571][ T5781] veth1_macvtap: entered promiscuous mode [ 71.120112][ T5781] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 71.140101][ T5781] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 71.153084][ T5779] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 71.171957][ T5781] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 71.180946][ T5781] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 71.189976][ T5790] Bluetooth: hci3: command tx timeout [ 71.196725][ T5781] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 71.206057][ T5781] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 71.268714][ T5790] Bluetooth: hci0: command tx timeout [ 71.268869][ T5795] Bluetooth: hci2: command tx timeout [ 71.274139][ T50] Bluetooth: hci1: command tx timeout [ 71.294496][ T5780] veth0_vlan: entered promiscuous mode [ 71.336241][ T5782] veth0_macvtap: entered promiscuous mode [ 71.352335][ T5780] veth1_vlan: entered promiscuous mode [ 71.364454][ T5779] veth0_vlan: entered promiscuous mode [ 71.390745][ T5782] veth1_macvtap: entered promiscuous mode [ 71.437078][ T48] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 71.447051][ T48] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 71.482677][ T5779] veth1_vlan: entered promiscuous mode [ 71.507019][ T5782] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 [ 71.518896][ T5782] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 71.530727][ T5782] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 71.562816][ T1127] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 71.565225][ T5782] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 [ 71.570764][ T1127] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 71.589907][ T5782] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 71.605544][ T1280] ieee802154 phy0 wpan0: encryption failed: -22 [ 71.608149][ T5782] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 71.618837][ T1280] ieee802154 phy1 wpan1: encryption failed: -22 [ 71.633691][ T5780] veth0_macvtap: entered promiscuous mode [ 71.646978][ T5780] veth1_macvtap: entered promiscuous mode [ 71.660377][ T5782] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 71.673154][ T5782] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 71.682634][ T5782] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 71.691655][ T5782] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 71.727752][ T5780] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 [ 71.739101][ T5780] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 71.750720][ T5780] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 [ 71.761264][ T5780] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 71.773525][ T5780] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 71.802188][ T5780] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 [ 71.813432][ T5780] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 71.824040][ T5780] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 [ 71.834620][ T5780] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 71.851004][ T5780] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 71.867040][ T5779] veth0_macvtap: entered promiscuous mode [ 71.880928][ T5780] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 71.894269][ T5780] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 71.905017][ T5780] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 71.915767][ T5780] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 71.931849][ T5779] veth1_macvtap: entered promiscuous mode [ 72.021788][ T11] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 72.031440][ T11] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 72.050236][ T5779] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 [ 72.061640][ T5779] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 72.071801][ T5779] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 [ 72.082294][ T5779] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 72.092296][ T5779] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 [ 72.102786][ T5779] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 72.114708][ T5779] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 72.136201][ T5779] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 [ 72.147388][ T5779] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 72.158308][ T5779] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 [ 72.169487][ T5779] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 72.181391][ T5779] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 [ 72.192223][ T5779] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 72.203519][ T5779] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 72.236872][ T5779] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 72.247236][ T5779] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 72.256169][ T5779] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 72.265114][ T5779] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 72.286532][ T48] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 72.303578][ T48] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 72.352840][ T12] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 72.374934][ T12] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 72.426813][ T48] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 72.440277][ T48] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 72.520439][ T48] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 72.548571][ T48] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 72.653402][ T60] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 72.673759][ T60] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 72.726054][ T5880] Zero length message leads to an empty skb [ 72.951700][ T5873] ================================================================== [ 72.951714][ T5873] BUG: KASAN: slab-use-after-free in rose_transmit_link+0x5ba/0x740 [ 72.951747][ T5873] Read of size 1 at addr ffff88805bc15032 by task syz.0.1/5873 [ 72.951762][ T5873] [ 72.951774][ T5873] CPU: 1 PID: 5873 Comm: syz.0.1 Not tainted syzkaller #0 [ 72.951790][ T5873] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 72.951804][ T5873] Call Trace: [ 72.951811][ T5873] [ 72.951822][ T5873] dump_stack_lvl+0x16c/0x230 [ 72.951843][ T5873] ? __lock_acquire+0x7c80/0x7c80 [ 72.951861][ T5873] ? show_regs_print_info+0x20/0x20 [ 72.951880][ T5873] ? load_image+0x3b0/0x3b0 [ 72.951895][ T5873] ? _raw_spin_lock_irqsave+0xb4/0xf0 [ 72.951920][ T5873] ? __virt_addr_valid+0x18c/0x540 [ 72.951939][ T5873] ? __virt_addr_valid+0x469/0x540 [ 72.951958][ T5873] print_report+0xac/0x220 [ 72.951975][ T5873] ? rose_transmit_link+0x5ba/0x740 [ 72.951991][ T5873] kasan_report+0x117/0x150 [ 72.952008][ T5873] ? kmem_cache_alloc_node+0x17f/0x330 [ 72.952029][ T5873] ? rose_transmit_link+0x5ba/0x740 [ 72.952047][ T5873] rose_transmit_link+0x5ba/0x740 [ 72.952065][ T5873] ? skb_put+0x11b/0x210 [ 72.952086][ T5873] rose_write_internal+0x11d1/0x1ab0 [ 72.952110][ T5873] ? rose_validate_nr+0x120/0x120 [ 72.952128][ T5873] ? __timer_delete+0x6b/0x290 [ 72.952149][ T5873] ? skb_queue_purge_reason+0x6c/0x1c0 [ 72.952174][ T5873] rose_release+0x24e/0x510 [ 72.952193][ T5873] sock_close+0xbd/0x230 [ 72.952214][ T5873] ? sock_mmap+0xa0/0xa0 [ 72.952233][ T5873] __fput+0x234/0x970 [ 72.952259][ T5873] task_work_run+0x1ce/0x250 [ 72.952280][ T5873] ? task_work_cancel+0x240/0x240 [ 72.952309][ T5873] get_signal+0x1235/0x1400 [ 72.952332][ T5873] ? task_work_add+0x3a3/0x440 [ 72.952352][ T5873] ? __ia32_sys_pidfd_getfd+0x90/0x90 [ 72.952371][ T5873] ? wake_bit_function+0x200/0x200 [ 72.952388][ T5873] ? __might_fault+0xaa/0x120 [ 72.952405][ T5873] arch_do_signal_or_restart+0x96/0x780 [ 72.952423][ T5873] ? __sys_connect+0x240/0x420 [ 72.952440][ T5873] ? get_sigframe_size+0x20/0x20 [ 72.952466][ T5873] ? exit_to_user_mode_loop+0x3b/0x110 [ 72.952487][ T5873] exit_to_user_mode_loop+0x70/0x110 [ 72.952507][ T5873] exit_to_user_mode_prepare+0xb1/0x140 [ 72.952528][ T5873] syscall_exit_to_user_mode+0x1a/0x50 [ 72.952549][ T5873] do_syscall_64+0x61/0xb0 [ 72.952567][ T5873] ? clear_bhb_loop+0x40/0x90 [ 72.952582][ T5873] ? clear_bhb_loop+0x40/0x90 [ 72.952598][ T5873] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 72.952620][ T5873] RIP: 0033:0x7fd6c5f8ebe9 [ 72.952634][ T5873] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 72.952648][ T5873] RSP: 002b:00007fd6c6e02038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 72.952667][ T5873] RAX: fffffffffffffe00 RBX: 00007fd6c61c6090 RCX: 00007fd6c5f8ebe9 [ 72.952679][ T5873] RDX: 000000000000001c RSI: 0000200000000100 RDI: 000000000000000f [ 72.952690][ T5873] RBP: 00007fd6c6011e19 R08: 0000000000000000 R09: 0000000000000000 [ 72.952700][ T5873] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 72.952711][ T5873] R13: 00007fd6c61c6128 R14: 00007fd6c61c6090 R15: 00007fff1a8352a8 [ 72.952729][ T5873] [ 72.952735][ T5873] [ 72.952743][ T5873] Allocated by task 5873: [ 72.952751][ T5873] kasan_set_track+0x4e/0x70 [ 72.952767][ T5873] __kasan_kmalloc+0x8f/0xa0 [ 72.952781][ T5873] rose_add_node+0x23a/0xdd0 [ 72.952797][ T5873] rose_rt_ioctl+0xa42/0xfb0 [ 72.952813][ T5873] rose_ioctl+0x3cf/0x8b0 [ 72.952827][ T5873] sock_do_ioctl+0xd7/0x2f0 [ 72.952845][ T5873] sock_ioctl+0x623/0x7a0 [ 72.952864][ T5873] __se_sys_ioctl+0xfd/0x170 [ 72.952880][ T5873] do_syscall_64+0x55/0xb0 [ 72.952895][ T5873] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 72.952916][ T5873] [ 72.952920][ T5873] Freed by task 5878: [ 72.952926][ T5873] kasan_set_track+0x4e/0x70 [ 72.952940][ T5873] kasan_save_free_info+0x2e/0x50 [ 72.952957][ T5873] ____kasan_slab_free+0x126/0x1e0 [ 72.952972][ T5873] slab_free_freelist_hook+0x130/0x1b0 [ 72.952992][ T5873] __kmem_cache_free+0xba/0x1f0 [ 72.953009][ T5873] rose_rt_device_down+0x43d/0x490 [ 72.953025][ T5873] rose_device_event+0x604/0x690 [ 72.953038][ T5873] notifier_call_chain+0x197/0x390 [ 72.953055][ T5873] __dev_notify_flags+0x18e/0x2e0 [ 72.953071][ T5873] dev_change_flags+0xe8/0x1a0 [ 72.953087][ T5873] dev_ifsioc+0x6a7/0xe20 [ 72.953101][ T5873] dev_ioctl+0x7e2/0x1170 [ 72.953114][ T5873] sock_do_ioctl+0x226/0x2f0 [ 72.953132][ T5873] sock_ioctl+0x623/0x7a0 [ 72.953150][ T5873] __se_sys_ioctl+0xfd/0x170 [ 72.953165][ T5873] do_syscall_64+0x55/0xb0 [ 72.953180][ T5873] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 72.953200][ T5873] [ 72.953203][ T5873] The buggy address belongs to the object at ffff88805bc15000 [ 72.953203][ T5873] which belongs to the cache kmalloc-512 of size 512 [ 72.953216][ T5873] The buggy address is located 50 bytes inside of [ 72.953216][ T5873] freed 512-byte region [ffff88805bc15000, ffff88805bc15200) [ 72.953232][ T5873] [ 72.953236][ T5873] The buggy address belongs to the physical page: [ 72.953250][ T5873] page:ffffea00016f0500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5bc14 [ 72.953272][ T5873] head:ffffea00016f0500 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 72.953286][ T5873] flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 72.953314][ T5873] page_type: 0xffffffff() [ 72.953329][ T5873] raw: 00fff00000000840 ffff888017841c80 dead000000000122 0000000000000000 [ 72.953343][ T5873] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 72.953351][ T5873] page dumped because: kasan: bad access detected [ 72.953362][ T5873] page_owner tracks the page as allocated [ 72.953368][ T5873] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x152820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 5780, tgid 5780 (syz-executor), ts 72046661324, free_ts 72008617092 [ 72.953395][ T5873] post_alloc_hook+0x1cd/0x210 [ 72.953415][ T5873] get_page_from_freelist+0x195c/0x19f0 [ 72.953436][ T5873] __alloc_pages+0x1e3/0x460 [ 72.953455][ T5873] alloc_slab_page+0x5d/0x170 [ 72.953474][ T5873] new_slab+0x87/0x2e0 [ 72.953491][ T5873] ___slab_alloc+0xc6d/0x12f0 [ 72.953509][ T5873] __kmem_cache_alloc_node+0x1a2/0x260 [ 72.953527][ T5873] __kmalloc+0xa4/0x240 [ 72.953543][ T5873] fib6_info_alloc+0x32/0xe0 [ 72.953559][ T5873] ip6_route_info_create+0x44f/0x1200 [ 72.953578][ T5873] addrconf_f6i_alloc+0x1c6/0x400 [ 72.953597][ T5873] addrconf_permanent_addr+0x275/0x980 [ 72.953614][ T5873] addrconf_notify+0x996/0x1010 [ 72.953631][ T5873] notifier_call_chain+0x197/0x390 [ 72.953646][ T5873] __dev_notify_flags+0x18e/0x2e0 [ 72.953663][ T5873] dev_change_flags+0xe8/0x1a0 [ 72.953679][ T5873] page last free stack trace: [ 72.953683][ T5873] free_unref_page_prepare+0x7ce/0x8e0 [ 72.953703][ T5873] free_unref_page+0x32/0x2e0 [ 72.953720][ T5873] __stack_depot_save+0x572/0x630 [ 72.953734][ T5873] kasan_set_track+0x5f/0x70 [ 72.953747][ T5873] __kasan_slab_alloc+0x6c/0x80 [ 72.953759][ T5873] slab_post_alloc_hook+0x6e/0x4d0 [ 72.953778][ T5873] kmem_cache_alloc+0x11e/0x2e0 [ 72.953793][ T5873] create_new_namespaces+0x34/0x6f0 [ 72.953806][ T5873] __se_sys_setns+0x2d0/0x1700 [ 72.953819][ T5873] do_syscall_64+0x55/0xb0 [ 72.953832][ T5873] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 72.953851][ T5873] [ 72.953853][ T5873] Memory state around the buggy address: [ 72.953861][ T5873] ffff88805bc14f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 72.953870][ T5873] ffff88805bc14f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 72.953879][ T5873] >ffff88805bc15000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 72.953887][ T5873] ^ [ 72.953895][ T5873] ffff88805bc15080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 72.953904][ T5873] ffff88805bc15100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 72.953911][ T5873] ================================================================== [ 72.953920][ T5873] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 72.953928][ T5873] CPU: 1 PID: 5873 Comm: syz.0.1 Not tainted syzkaller #0 [ 72.953943][ T5873] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 72.953952][ T5873] Call Trace: [ 72.953958][ T5873] [ 72.953965][ T5873] dump_stack_lvl+0x16c/0x230 [ 72.953983][ T5873] ? show_regs_print_info+0x20/0x20 [ 72.954001][ T5873] ? load_image+0x3b0/0x3b0 [ 72.954020][ T5873] panic+0x2c0/0x710 [ 72.954040][ T5873] ? bpf_jit_dump+0xd0/0xd0 [ 72.954058][ T5873] ? _raw_spin_unlock_irqrestore+0x86/0x110 [ 72.954081][ T5873] ? _raw_spin_unlock_irqrestore+0xae/0x110 [ 72.954101][ T5873] ? _raw_spin_unlock+0x40/0x40 [ 72.954121][ T5873] ? rose_transmit_link+0x5ba/0x740 [ 72.954136][ T5873] check_panic_on_warn+0x84/0xa0 [ 72.954152][ T5873] ? rose_transmit_link+0x5ba/0x740 [ 72.954166][ T5873] end_report+0x6f/0x140 [ 72.954182][ T5873] kasan_report+0x128/0x150 [ 72.954198][ T5873] ? kmem_cache_alloc_node+0x17f/0x330 [ 72.954217][ T5873] ? rose_transmit_link+0x5ba/0x740 [ 72.954237][ T5873] rose_transmit_link+0x5ba/0x740 [ 72.954253][ T5873] ? skb_put+0x11b/0x210 [ 72.954274][ T5873] rose_write_internal+0x11d1/0x1ab0 [ 72.954307][ T5873] ? rose_validate_nr+0x120/0x120 [ 72.954324][ T5873] ? __timer_delete+0x6b/0x290 [ 72.954345][ T5873] ? skb_queue_purge_reason+0x6c/0x1c0 [ 72.954369][ T5873] rose_release+0x24e/0x510 [ 72.954386][ T5873] sock_close+0xbd/0x230 [ 72.954406][ T5873] ? sock_mmap+0xa0/0xa0 [ 72.954424][ T5873] __fput+0x234/0x970 [ 72.954447][ T5873] task_work_run+0x1ce/0x250 [ 72.954467][ T5873] ? task_work_cancel+0x240/0x240 [ 72.954489][ T5873] get_signal+0x1235/0x1400 [ 72.954510][ T5873] ? task_work_add+0x3a3/0x440 [ 72.954528][ T5873] ? __ia32_sys_pidfd_getfd+0x90/0x90 [ 72.954548][ T5873] ? wake_bit_function+0x200/0x200 [ 72.954562][ T5873] ? __might_fault+0xaa/0x120 [ 72.954578][ T5873] arch_do_signal_or_restart+0x96/0x780 [ 72.954599][ T5873] ? __sys_connect+0x240/0x420 [ 72.954617][ T5873] ? get_sigframe_size+0x20/0x20 [ 72.954642][ T5873] ? exit_to_user_mode_loop+0x3b/0x110 [ 72.954663][ T5873] exit_to_user_mode_loop+0x70/0x110 [ 72.954682][ T5873] exit_to_user_mode_prepare+0xb1/0x140 [ 72.954702][ T5873] syscall_exit_to_user_mode+0x1a/0x50 [ 72.954721][ T5873] do_syscall_64+0x61/0xb0 [ 72.954737][ T5873] ? clear_bhb_loop+0x40/0x90 [ 72.954750][ T5873] ? clear_bhb_loop+0x40/0x90 [ 72.954765][ T5873] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 72.954786][ T5873] RIP: 0033:0x7fd6c5f8ebe9 [ 72.954800][ T5873] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 72.954813][ T5873] RSP: 002b:00007fd6c6e02038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 72.954832][ T5873] RAX: fffffffffffffe00 RBX: 00007fd6c61c6090 RCX: 00007fd6c5f8ebe9 [ 72.954844][ T5873] RDX: 000000000000001c RSI: 0000200000000100 RDI: 000000000000000f [ 72.954853][ T5873] RBP: 00007fd6c6011e19 R08: 0000000000000000 R09: 0000000000000000 [ 72.954864][ T5873] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 72.954873][ T5873] R13: 00007fd6c61c6128 R14: 00007fd6c61c6090 R15: 00007fff1a8352a8 [ 72.954890][ T5873] [ 72.955131][ T5873] Kernel Offset: disabled