last executing test programs: 4.298283918s ago: executing program 0 (id=1): prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r0 = getpid() sched_setscheduler(r0, 0x1, &(0x7f0000000200)=0x7) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f0000000180)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x4) syz_emit_ethernet(0x32, &(0x7f00000009c0)={@link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x1f}, @void, {@ipv4={0x800, @udp={{0x5, 0x4, 0x0, 0x0, 0x24, 0x0, 0x2, 0x0, 0x11, 0x0, @empty, @empty}, {0x0, 0x7, 0x10, 0x0, @gue={{0x2, 0x1, 0x3, 0xfd, 0x100, @val=0x80}}}}}}}, 0x0) r3 = shmget(0x1, 0x4000, 0x200, &(0x7f0000ffb000/0x4000)=nil) read$qrtrtun(0xffffffffffffffff, &(0x7f00000004c0)=""/57, 0x39) fsopen(&(0x7f0000000000)='msdos\x00', 0x1) shmat(r3, &(0x7f0000ff9000/0x1000)=nil, 0x4000) shmctl$IPC_RMID(r3, 0x0) mount(&(0x7f00000000c0)=@nullb, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000000)='iso9660\x00', 0x208000, 0x0) 4.143644351s ago: executing program 3 (id=4): r0 = syz_io_uring_setup(0x34b7, &(0x7f0000000000)={0x0, 0x0, 0x30c0, 0x0, 0x28}, &(0x7f00000001c0), &(0x7f0000000500)) io_uring_register$IORING_REGISTER_ENABLE_RINGS(r0, 0xc, 0xf0, 0x0) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0xf, 0xb, &(0x7f0000000180)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000000000000b703000000040000850000007200000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa00}, 0x94) openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0) r1 = socket$netlink(0x10, 0x3, 0x10) bind$netlink(r1, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc) r2 = socket$inet6_mptcp(0xa, 0x1, 0x106) connect$inet6(r2, &(0x7f0000000040)={0xa, 0x4001, 0x0, @loopback}, 0x1c) connect$unix(r2, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) 3.276978116s ago: executing program 0 (id=5): socket$nl_netfilter(0x10, 0x3, 0xc) r0 = bpf$MAP_CREATE(0x0, 0x0, 0x50) ioctl$sock_SIOCETHTOOL(0xffffffffffffffff, 0x8946, &(0x7f0000000140)={'veth1_to_hsr\x00', &(0x7f00000000c0)=@ethtool_link_settings={0x4d, 0x4, 0xe, 0x4b, 0x6b, 0x5, 0x4d, 0x7, 0x4, 0x2, [0x2, 0x8, 0x7, 0xd45b, 0x5, 0x8001, 0x40], [0x4, 0x87, 0x3, 0x9, 0x7, 0x8, 0x80f]}}) bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000380)={{r0}, &(0x7f0000000080), &(0x7f0000000240)}, 0x20) ioctl$sock_inet6_SIOCSIFADDR(0xffffffffffffffff, 0x8916, &(0x7f0000000040)={@private1, 0x60}) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x7) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0) r1 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102) writev(r1, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2) pipe(&(0x7f0000000340)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f00000002c0)='contention_begin\x00', r3, 0x0, 0xd}, 0x18) r4 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$devlink(&(0x7f0000000600), 0xffffffffffffffff) openat$rtc(0xffffffffffffff9c, &(0x7f0000000000), 0x100, 0x0) sendmsg$DEVLINK_CMD_GET(r4, &(0x7f00000006c0)={0x0, 0x0, 0x0}, 0x0) syz_genetlink_get_family_id$devlink(0x0, 0xffffffffffffffff) sendmsg$DEVLINK_CMD_GET(r2, &(0x7f00000003c0)={0x0, 0x0, 0x0}, 0x0) openat$kvm(0xffffffffffffff9c, 0x0, 0x20042, 0x0) madvise(&(0x7f00000ec000/0x800000)=nil, 0x800000, 0x17) prctl$PR_SET_VMA(0x53564d41, 0x0, &(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x0) syz_genetlink_get_family_id$devlink(&(0x7f0000000080), 0xffffffffffffffff) 3.179279147s ago: executing program 2 (id=3): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f00000007c0)={0x8, 0x88}, 0x0) syz_io_uring_submit(0x0, 0x0, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0) r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102) writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2) socket$nl_generic(0x10, 0x3, 0x10) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000)) r3 = syz_init_net_socket$rose(0xb, 0x5, 0x0) ioctl$sock_rose_SIOCADDRT(r3, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x6, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]}) r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0) connect$rose(r4, &(0x7f0000000040)=@short={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @default}, 0x1c) connect$rose(r4, &(0x7f0000000100)=@full={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, 0x0, [@null, @null, @null, @default, @bcast, @default]}, 0x40) 2.143508175s ago: executing program 3 (id=6): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000300)={0x18, 0x4, 0x0, &(0x7f0000000100)='GPL\x00', 0x1, 0x0, 0x0, 0x40f00, 0x23, '\x00', 0x0, 0x2}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) userfaultfd(0x80001) setrlimit(0xb, &(0x7f0000000280)={0x3, 0x3}) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0) r3 = syz_open_dev$I2C(&(0x7f00000000c0), 0x0, 0x0) ioctl$I2C_SMBUS(r3, 0x720, &(0x7f0000000600)={0x0, 0x0, 0x1, 0x0}) mremap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x2000, 0x3, &(0x7f0000ffb000/0x2000)=nil) socket$kcm(0x10, 0x2, 0x10) r4 = syz_open_dev$vim2m(0x0, 0x0, 0x2) ioctl$vim2m_VIDIOC_S_FMT(r4, 0xc0d05605, &(0x7f0000000000)={0x2, @pix_mp={0x7, 0xf05, 0x3234564e, 0x4, 0xa, [{0x4, 0x52b}, {0x1, 0x7}, {0x4, 0x4}, {0x495b, 0x7ff}, {0x8, 0xcdc}, {0x80000000}, {0xdb, 0x1}, {0x80, 0xa}], 0x7, 0x80, 0x6, 0x0, 0x3}}) r5 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r5, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000005c0)=ANY=[@ANYBLOB="fc0000003e00010000000800000000000100000004000000d8000180d4001080"], 0xfc}, 0x1, 0x0, 0x0, 0x400c841}, 0x4008094) 985.989103ms ago: executing program 3 (id=7): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f00000007c0)={0x8, 0x88}, 0x0) syz_io_uring_submit(0x0, 0x0, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0) r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102) writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2) socket$nl_generic(0x10, 0x3, 0x10) socket$nl_generic(0x10, 0x3, 0x10) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)) r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000)) r2 = syz_init_net_socket$rose(0xb, 0x5, 0x0) ioctl$sock_rose_SIOCADDRT(r2, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x6, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]}) r3 = syz_init_net_socket$rose(0xb, 0x5, 0x0) connect$rose(r3, &(0x7f0000000040)=@short={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @default}, 0x1c) connect$rose(r3, &(0x7f0000000100)=@full={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, 0x0, [@null, @null, @null, @default, @bcast, @default]}, 0x40) 858.572206ms ago: executing program 2 (id=8): r0 = syz_io_uring_setup(0x34b7, &(0x7f0000000000)={0x0, 0x0, 0x30c0, 0x0, 0x28}, &(0x7f00000001c0), &(0x7f0000000500)) io_uring_register$IORING_REGISTER_ENABLE_RINGS(r0, 0xc, 0xf0, 0x0) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0xf, 0xb, &(0x7f0000000180)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000000000000b703000000040000850000007200000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa00}, 0x94) openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0) r1 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102) writev(r1, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2) r2 = socket$inet6_sctp(0xa, 0x1, 0x84) setsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r2, 0x84, 0x72, &(0x7f0000000240)={0x0, 0x20, 0x30}, 0xc) bind$inet6(r2, &(0x7f0000000000)={0xa, 0x4e23, 0x3, @empty}, 0x1c) r3 = socket$netlink(0x10, 0x3, 0x10) bind$netlink(r3, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc) r4 = socket$netlink(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f00000002c0), r4) r5 = socket$inet6_mptcp(0xa, 0x1, 0x106) connect$inet6(r5, &(0x7f0000000040)={0xa, 0x4001, 0x0, @loopback}, 0x1c) connect$unix(r5, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) r6 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0) connect$bt_l2cap(r6, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0xb}, 0xe) sendmmsg$sock(r6, &(0x7f0000004100)=[{{0x0, 0x0, 0x0}}], 0xffffff80, 0x0) syz_io_uring_setup(0x39, &(0x7f0000000580)={0x0, 0xe7b7, 0x13500}, 0x0, &(0x7f0000001880)) 0s ago: executing program 0 (id=9): r0 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x210000000013, 0x0, 0x0) bind$inet(r0, &(0x7f0000000000)={0x2, 0x4e21, @broadcast}, 0x10) connect$inet(r0, &(0x7f0000000180)={0x2, 0x4e21, @local}, 0x10) setsockopt$inet_tcp_TCP_REPAIR_OPTIONS(r0, 0x6, 0x16, &(0x7f0000000240)=[@mss, @window={0x3, 0x0, 0x1}, @mss={0x2, 0x1}, @mss={0x2, 0x1}, @window, @timestamp, @window={0x3, 0xfff5, 0x8}, @timestamp], 0x8) setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000040)='nv\x00', 0x3) setsockopt$inet_tcp_TCP_REPAIR(r0, 0x6, 0x13, &(0x7f00000001c0), 0xc7) sendto$inet(r0, &(0x7f0000000000), 0xffffffffffffff94, 0x0, 0x0, 0x11) recvfrom$inet(r0, &(0x7f0000000080)=""/8, 0xfffffffffffffd0b, 0x700, 0x0, 0xfffffffffffffd25) shutdown(r0, 0x1) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.1.131' (ED25519) to the list of known hosts. [ 81.476997][ T5776] cgroup: Unknown subsys name 'net' [ 81.616693][ T5776] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 83.326027][ T5776] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 85.166934][ T5798] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 85.167668][ T5799] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 85.175906][ T5798] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 85.183404][ T5799] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 85.190974][ T5798] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 85.197096][ T5799] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 85.206077][ T5798] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 85.210639][ T5799] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 85.217488][ T5798] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 85.231821][ T5801] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 85.240922][ T5801] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 85.248121][ T5800] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 85.256242][ T5798] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 85.265103][ T5801] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3 [ 85.274273][ T5798] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [ 85.281919][ T5798] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 85.299731][ T5799] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 85.307969][ T5799] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 85.316806][ T5799] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3 [ 85.324125][ T5101] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 85.331733][ T5799] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 85.341924][ T5799] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 85.350311][ T5799] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3 [ 85.359712][ T5799] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 85.843810][ T5786] chnl_net:caif_netlink_parms(): no params data found [ 85.987937][ T5787] chnl_net:caif_netlink_parms(): no params data found [ 86.000542][ T5788] chnl_net:caif_netlink_parms(): no params data found [ 86.057047][ T5790] chnl_net:caif_netlink_parms(): no params data found [ 86.087316][ T5786] bridge0: port 1(bridge_slave_0) entered blocking state [ 86.095763][ T5786] bridge0: port 1(bridge_slave_0) entered disabled state [ 86.103600][ T5786] bridge_slave_0: entered allmulticast mode [ 86.111971][ T5786] bridge_slave_0: entered promiscuous mode [ 86.126163][ T5786] bridge0: port 2(bridge_slave_1) entered blocking state [ 86.133520][ T5786] bridge0: port 2(bridge_slave_1) entered disabled state [ 86.141066][ T5786] bridge_slave_1: entered allmulticast mode [ 86.148268][ T5786] bridge_slave_1: entered promiscuous mode [ 86.270376][ T5786] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 86.311906][ T5786] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 86.371991][ T5788] bridge0: port 1(bridge_slave_0) entered blocking state [ 86.379922][ T5788] bridge0: port 1(bridge_slave_0) entered disabled state [ 86.387097][ T5788] bridge_slave_0: entered allmulticast mode [ 86.394511][ T5788] bridge_slave_0: entered promiscuous mode [ 86.425773][ T5790] bridge0: port 1(bridge_slave_0) entered blocking state [ 86.433164][ T5790] bridge0: port 1(bridge_slave_0) entered disabled state [ 86.440467][ T5790] bridge_slave_0: entered allmulticast mode [ 86.447452][ T5790] bridge_slave_0: entered promiscuous mode [ 86.455824][ T5788] bridge0: port 2(bridge_slave_1) entered blocking state [ 86.463220][ T5788] bridge0: port 2(bridge_slave_1) entered disabled state [ 86.471378][ T5788] bridge_slave_1: entered allmulticast mode [ 86.478638][ T5788] bridge_slave_1: entered promiscuous mode [ 86.489390][ T5786] team0: Port device team_slave_0 added [ 86.509118][ T5787] bridge0: port 1(bridge_slave_0) entered blocking state [ 86.516275][ T5787] bridge0: port 1(bridge_slave_0) entered disabled state [ 86.523731][ T5787] bridge_slave_0: entered allmulticast mode [ 86.530907][ T5787] bridge_slave_0: entered promiscuous mode [ 86.538326][ T5790] bridge0: port 2(bridge_slave_1) entered blocking state [ 86.545585][ T5790] bridge0: port 2(bridge_slave_1) entered disabled state [ 86.553561][ T5790] bridge_slave_1: entered allmulticast mode [ 86.561204][ T5790] bridge_slave_1: entered promiscuous mode [ 86.570837][ T5786] team0: Port device team_slave_1 added [ 86.593867][ T5788] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 86.603306][ T5787] bridge0: port 2(bridge_slave_1) entered blocking state [ 86.610786][ T5787] bridge0: port 2(bridge_slave_1) entered disabled state [ 86.617976][ T5787] bridge_slave_1: entered allmulticast mode [ 86.625270][ T5787] bridge_slave_1: entered promiscuous mode [ 86.674647][ T5788] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 86.702678][ T5787] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 86.733709][ T5790] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 86.773963][ T5787] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 86.794332][ T5790] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 86.804556][ T5786] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 86.812454][ T5786] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 86.838772][ T5786] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 86.853027][ T5786] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 86.860171][ T5786] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 86.886541][ T5786] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 86.959336][ T5788] team0: Port device team_slave_0 added [ 86.969140][ T5790] team0: Port device team_slave_0 added [ 86.995388][ T5787] team0: Port device team_slave_0 added [ 87.004194][ T5788] team0: Port device team_slave_1 added [ 87.013248][ T5790] team0: Port device team_slave_1 added [ 87.034912][ T5787] team0: Port device team_slave_1 added [ 87.080684][ T5790] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 87.087690][ T5790] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 87.114183][ T5790] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 87.178001][ T5787] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 87.185183][ T5787] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 87.217635][ T5787] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 87.274582][ T5788] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 87.284196][ T5788] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 87.311814][ T5788] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 87.323442][ T5799] Bluetooth: hci0: command tx timeout [ 87.331709][ T5790] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 87.339218][ T5790] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 87.365611][ T5790] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 87.389512][ T5786] hsr_slave_0: entered promiscuous mode [ 87.396279][ T5786] hsr_slave_1: entered promiscuous mode [ 87.404346][ T5787] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 87.412359][ T5787] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 87.438520][ T5787] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 87.458745][ T5799] Bluetooth: hci3: command tx timeout [ 87.458768][ T5796] Bluetooth: hci2: command tx timeout [ 87.459004][ T5796] Bluetooth: hci1: command tx timeout [ 87.466921][ T5788] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 87.482520][ T5788] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 87.508683][ T5788] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 87.652115][ T5790] hsr_slave_0: entered promiscuous mode [ 87.669647][ T5790] hsr_slave_1: entered promiscuous mode [ 87.682225][ T5790] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 87.691326][ T5790] Cannot create hsr debugfs directory [ 87.793344][ T5787] hsr_slave_0: entered promiscuous mode [ 87.800532][ T5787] hsr_slave_1: entered promiscuous mode [ 87.806863][ T5787] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 87.814530][ T5787] Cannot create hsr debugfs directory [ 87.839468][ T5788] hsr_slave_0: entered promiscuous mode [ 87.846022][ T5788] hsr_slave_1: entered promiscuous mode [ 87.852590][ T5788] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 87.860422][ T5788] Cannot create hsr debugfs directory [ 88.278634][ T5786] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 88.292682][ T5786] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 88.304344][ T5786] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 88.331724][ T5786] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 88.388854][ T5787] netdevsim netdevsim3 netdevsim0: renamed from eth0 [ 88.400386][ T5787] netdevsim netdevsim3 netdevsim1: renamed from eth1 [ 88.419356][ T5787] netdevsim netdevsim3 netdevsim2: renamed from eth2 [ 88.430264][ T5787] netdevsim netdevsim3 netdevsim3: renamed from eth3 [ 88.542188][ T5788] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 88.554358][ T5788] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 88.572741][ T5788] netdevsim netdevsim2 netdevsim2: renamed from eth2 [ 88.584454][ T5788] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 88.676299][ T5790] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 88.686698][ T5790] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 88.699599][ T5790] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 88.713134][ T5790] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 88.777140][ T5786] 8021q: adding VLAN 0 to HW filter on device bond0 [ 88.847594][ T5787] 8021q: adding VLAN 0 to HW filter on device bond0 [ 88.872782][ T5786] 8021q: adding VLAN 0 to HW filter on device team0 [ 88.897460][ T5787] 8021q: adding VLAN 0 to HW filter on device team0 [ 88.924716][ T32] bridge0: port 1(bridge_slave_0) entered blocking state [ 88.932193][ T32] bridge0: port 1(bridge_slave_0) entered forwarding state [ 88.966851][ T32] bridge0: port 1(bridge_slave_0) entered blocking state [ 88.974190][ T32] bridge0: port 1(bridge_slave_0) entered forwarding state [ 88.986256][ T32] bridge0: port 2(bridge_slave_1) entered blocking state [ 88.993451][ T32] bridge0: port 2(bridge_slave_1) entered forwarding state [ 89.010044][ T32] bridge0: port 2(bridge_slave_1) entered blocking state [ 89.017174][ T32] bridge0: port 2(bridge_slave_1) entered forwarding state [ 89.103301][ T5788] 8021q: adding VLAN 0 to HW filter on device bond0 [ 89.150163][ T5788] 8021q: adding VLAN 0 to HW filter on device team0 [ 89.202375][ T5790] 8021q: adding VLAN 0 to HW filter on device bond0 [ 89.229529][ T32] bridge0: port 1(bridge_slave_0) entered blocking state [ 89.236733][ T32] bridge0: port 1(bridge_slave_0) entered forwarding state [ 89.247185][ T32] bridge0: port 2(bridge_slave_1) entered blocking state [ 89.254430][ T32] bridge0: port 2(bridge_slave_1) entered forwarding state [ 89.315557][ T5790] 8021q: adding VLAN 0 to HW filter on device team0 [ 89.367893][ T32] bridge0: port 1(bridge_slave_0) entered blocking state [ 89.375203][ T32] bridge0: port 1(bridge_slave_0) entered forwarding state [ 89.378552][ T5796] Bluetooth: hci0: command tx timeout [ 89.404832][ T11] bridge0: port 2(bridge_slave_1) entered blocking state [ 89.412087][ T11] bridge0: port 2(bridge_slave_1) entered forwarding state [ 89.540272][ T5796] Bluetooth: hci3: command tx timeout [ 89.545756][ T5796] Bluetooth: hci2: command tx timeout [ 89.551744][ T5795] Bluetooth: hci1: command tx timeout [ 89.654972][ T5787] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 89.763797][ T5786] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 89.849601][ T5787] veth0_vlan: entered promiscuous mode [ 89.874896][ T5787] veth1_vlan: entered promiscuous mode [ 89.905652][ T5786] veth0_vlan: entered promiscuous mode [ 90.002688][ T5786] veth1_vlan: entered promiscuous mode [ 90.029728][ T5787] veth0_macvtap: entered promiscuous mode [ 90.057984][ T5787] veth1_macvtap: entered promiscuous mode [ 90.109338][ T5788] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 90.123121][ T5786] veth0_macvtap: entered promiscuous mode [ 90.147504][ T5786] veth1_macvtap: entered promiscuous mode [ 90.167053][ T5787] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 90.194019][ T5790] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 90.220575][ T5787] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 90.239855][ T5786] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 [ 90.251141][ T5786] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 90.263588][ T5786] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 90.277638][ T5786] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 [ 90.289184][ T5786] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 90.301328][ T5786] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 90.316390][ T5788] veth0_vlan: entered promiscuous mode [ 90.337211][ T5786] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.347271][ T5786] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.356089][ T5786] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.365532][ T5786] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.378478][ T5787] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.387274][ T5787] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.396203][ T5787] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.404959][ T5787] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.435764][ T5788] veth1_vlan: entered promiscuous mode [ 90.504132][ T5790] veth0_vlan: entered promiscuous mode [ 90.534239][ T5788] veth0_macvtap: entered promiscuous mode [ 90.554190][ T5790] veth1_vlan: entered promiscuous mode [ 90.594137][ T5788] veth1_macvtap: entered promiscuous mode [ 90.655255][ T11] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 90.678579][ T11] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 90.693656][ T5788] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 [ 90.706996][ T5788] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 90.718185][ T5788] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 [ 90.728959][ T5788] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 90.741453][ T5788] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 90.775021][ T5788] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 [ 90.789644][ T5788] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 90.800206][ T5788] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 [ 90.811006][ T5788] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 90.823808][ T5788] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 90.836722][ T11] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 90.838009][ T5788] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.848314][ T11] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 90.862449][ T5788] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.871530][ T5788] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.880415][ T5788] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.948003][ T5790] veth0_macvtap: entered promiscuous mode [ 90.957326][ T58] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 90.962682][ T5790] veth1_macvtap: entered promiscuous mode [ 90.971180][ T58] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 91.006486][ T32] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 91.048666][ T32] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 91.102390][ T5790] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 [ 91.117928][ T5790] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 91.128839][ T5790] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 [ 91.140854][ T5790] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 91.152009][ T5790] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 [ 91.162889][ T5790] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 91.174949][ T5790] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 91.207620][ T1139] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 91.238518][ T1139] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 91.272779][ T5790] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 [ 91.284720][ T5790] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 91.298357][ T5790] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 [ 91.309243][ T5790] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 91.336326][ T5790] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 [ 91.347934][ T5790] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 91.362085][ T5790] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 91.387020][ T5790] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 91.397581][ T5790] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 91.412548][ T5790] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 91.421805][ T5790] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 91.468355][ T5796] Bluetooth: hci0: command tx timeout [ 91.618389][ T5796] Bluetooth: hci2: command tx timeout [ 91.624275][ T5796] Bluetooth: hci1: command tx timeout [ 91.630237][ T5796] Bluetooth: hci3: command tx timeout [ 91.701978][ T11] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 91.853435][ T11] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 92.282793][ T788] cfg80211: failed to load regulatory.db [ 92.398422][ T0] NOHZ tick-stop error: local softirq work is pending, handler #200!!! [ 92.408420][ T0] NOHZ tick-stop error: local softirq work is pending, handler #200!!! [ 92.680039][ T0] NOHZ tick-stop error: local softirq work is pending, handler #40!!! [ 92.782467][ T0] NOHZ tick-stop error: local softirq work is pending, handler #40!!! [ 92.987387][ T0] NOHZ tick-stop error: local softirq work is pending, handler #40!!! [ 93.090541][ T0] NOHZ tick-stop error: local softirq work is pending, handler #40!!! [ 93.387942][ T48] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 93.428476][ T48] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 93.538509][ T5799] Bluetooth: hci0: command tx timeout [ 93.646448][ T1139] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 93.698394][ T5799] Bluetooth: hci3: command tx timeout [ 93.705154][ T5796] Bluetooth: hci1: command tx timeout [ 93.710762][ T5796] Bluetooth: hci2: command tx timeout [ 93.772293][ T5901] netlink: 12 bytes leftover after parsing attributes in process `syz.3.6'. [ 93.782124][ T5901] netlink: zone id is out of range [ 93.791769][ T5901] netlink: set zone limit has 8 unknown bytes [ 94.216044][ T0] NOHZ tick-stop error: local softirq work is pending, handler #40!!! [ 94.464883][ T1139] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 94.593504][ T0] NOHZ tick-stop error: local softirq work is pending, handler #200!!! [ 95.444916][ T0] NOHZ tick-stop error: local softirq work is pending, handler #40!!! [ 95.696755][ T5908] ================================================================== [ 95.704890][ T5908] BUG: KASAN: slab-use-after-free in rose_transmit_link+0x5ba/0x740 [ 95.712942][ T5908] Read of size 1 at addr ffff888020c17432 by task syz.3.7/5908 [ 95.720524][ T5908] [ 95.722898][ T5908] CPU: 0 PID: 5908 Comm: syz.3.7 Not tainted 6.6.100-syzkaller #0 [ 95.730738][ T5908] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 95.740841][ T5908] Call Trace: [ 95.744156][ T5908] [ 95.747135][ T5908] dump_stack_lvl+0x16c/0x230 [ 95.751861][ T5908] ? __lock_acquire+0x7c80/0x7c80 [ 95.756924][ T5908] ? show_regs_print_info+0x20/0x20 [ 95.762167][ T5908] ? load_image+0x3b0/0x3b0 [ 95.766762][ T5908] ? _raw_spin_lock_irqsave+0xb4/0xf0 [ 95.772189][ T5908] ? __virt_addr_valid+0x18c/0x540 [ 95.777355][ T5908] ? __virt_addr_valid+0x469/0x540 [ 95.782520][ T5908] print_report+0xac/0x200 [ 95.786979][ T5908] ? rose_transmit_link+0x5ba/0x740 [ 95.792307][ T5908] kasan_report+0x117/0x150 [ 95.796859][ T5908] ? kmem_cache_alloc_node+0x17f/0x330 [ 95.802369][ T5908] ? rose_transmit_link+0x5ba/0x740 [ 95.807616][ T5908] rose_transmit_link+0x5ba/0x740 [ 95.812686][ T5908] ? skb_put+0x11b/0x210 [ 95.816985][ T5908] rose_write_internal+0x11d1/0x1ab0 [ 95.822329][ T5908] ? rose_validate_nr+0x120/0x120 [ 95.827401][ T5908] ? __timer_delete+0x6b/0x290 [ 95.832224][ T5908] ? skb_queue_purge_reason+0x6c/0x1c0 [ 95.837741][ T5908] rose_release+0x24e/0x510 [ 95.842298][ T5908] sock_close+0xbd/0x230 [ 95.846681][ T5908] ? sock_mmap+0xa0/0xa0 [ 95.851000][ T5908] __fput+0x234/0x970 [ 95.855058][ T5908] task_work_run+0x1ce/0x250 [ 95.859712][ T5908] ? task_work_cancel+0x240/0x240 [ 95.864791][ T5908] get_signal+0x1235/0x1400 [ 95.869352][ T5908] ? task_work_add+0x3a3/0x440 [ 95.874172][ T5908] ? __ia32_sys_pidfd_getfd+0x90/0x90 [ 95.879596][ T5908] ? wake_bit_function+0x200/0x200 [ 95.884764][ T5908] ? __might_fault+0xaa/0x120 [ 95.889488][ T5908] arch_do_signal_or_restart+0x96/0x780 [ 95.895109][ T5908] ? __sys_connect+0x240/0x420 [ 95.899936][ T5908] ? get_sigframe_size+0x20/0x20 [ 95.904918][ T5908] ? exit_to_user_mode_loop+0x3b/0x110 [ 95.910394][ T5908] exit_to_user_mode_loop+0x70/0x110 [ 95.915706][ T5908] exit_to_user_mode_prepare+0xb1/0x140 [ 95.921269][ T5908] syscall_exit_to_user_mode+0x1a/0x50 [ 95.926753][ T5908] do_syscall_64+0x61/0xb0 [ 95.931224][ T5908] ? clear_bhb_loop+0x40/0x90 [ 95.935933][ T5908] ? clear_bhb_loop+0x40/0x90 [ 95.940627][ T5908] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 95.946536][ T5908] RIP: 0033:0x7f5c19d8e9a9 [ 95.950988][ T5908] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 95.970632][ T5908] RSP: 002b:00007f5c1ab9a038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 95.979077][ T5908] RAX: fffffffffffffe00 RBX: 00007f5c19fb6160 RCX: 00007f5c19d8e9a9 [ 95.987061][ T5908] RDX: 0000000000000040 RSI: 0000200000000100 RDI: 000000000000000d [ 95.995037][ T5908] RBP: 00007f5c19e10d69 R08: 0000000000000000 R09: 0000000000000000 [ 96.003015][ T5908] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 96.011004][ T5908] R13: 0000000000000000 R14: 00007f5c19fb6160 R15: 00007ffff50b7ca8 [ 96.019113][ T5908] [ 96.022148][ T5908] [ 96.024487][ T5908] Allocated by task 5902: [ 96.028823][ T5908] kasan_set_track+0x4e/0x70 [ 96.033456][ T5908] __kasan_kmalloc+0x8f/0xa0 [ 96.038059][ T5908] rose_add_node+0x23a/0xdd0 [ 96.042667][ T5908] rose_rt_ioctl+0xa42/0xfb0 [ 96.047261][ T5908] rose_ioctl+0x3cf/0x8b0 [ 96.051603][ T5908] sock_do_ioctl+0xd7/0x2f0 [ 96.056122][ T5908] sock_ioctl+0x623/0x7a0 [ 96.060471][ T5908] __se_sys_ioctl+0xfd/0x170 [ 96.065085][ T5908] do_syscall_64+0x55/0xb0 [ 96.069513][ T5908] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 96.075419][ T5908] [ 96.077751][ T5908] Freed by task 5907: [ 96.081742][ T5908] kasan_set_track+0x4e/0x70 [ 96.086340][ T5908] kasan_save_free_info+0x2e/0x50 [ 96.091370][ T5908] ____kasan_slab_free+0x126/0x1e0 [ 96.096488][ T5908] slab_free_freelist_hook+0x130/0x1b0 [ 96.101965][ T5908] __kmem_cache_free+0xba/0x1f0 [ 96.106876][ T5908] rose_rt_device_down+0x43d/0x490 [ 96.111997][ T5908] rose_device_event+0x604/0x690 [ 96.117118][ T5908] notifier_call_chain+0x197/0x390 [ 96.122257][ T5908] __dev_notify_flags+0x18e/0x2e0 [ 96.127287][ T5908] dev_change_flags+0xe8/0x1a0 [ 96.132159][ T5908] dev_ifsioc+0x6a7/0xe20 [ 96.136487][ T5908] dev_ioctl+0x7e2/0x1170 [ 96.140812][ T5908] sock_do_ioctl+0x226/0x2f0 [ 96.145408][ T5908] sock_ioctl+0x623/0x7a0 [ 96.149752][ T5908] __se_sys_ioctl+0xfd/0x170 [ 96.154346][ T5908] do_syscall_64+0x55/0xb0 [ 96.158774][ T5908] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 96.164681][ T5908] [ 96.167011][ T5908] The buggy address belongs to the object at ffff888020c17400 [ 96.167011][ T5908] which belongs to the cache kmalloc-512 of size 512 [ 96.181061][ T5908] The buggy address is located 50 bytes inside of [ 96.181061][ T5908] freed 512-byte region [ffff888020c17400, ffff888020c17600) [ 96.194771][ T5908] [ 96.197125][ T5908] The buggy address belongs to the physical page: [ 96.203541][ T5908] page:ffffea0000830500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20c14 [ 96.213693][ T5908] head:ffffea0000830500 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 96.222626][ T5908] anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 96.231058][ T5908] page_type: 0xffffffff() [ 96.235397][ T5908] raw: 00fff00000000840 ffff888017841c80 0000000000000000 dead000000000001 [ 96.243988][ T5908] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 96.252577][ T5908] page dumped because: kasan: bad access detected [ 96.259017][ T5908] page_owner tracks the page as allocated [ 96.264761][ T5908] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 786, tgid 786 (kworker/u4:1), ts 8208892728, free_ts 0 [ 96.285097][ T5908] post_alloc_hook+0x1cd/0x210 [ 96.289871][ T5908] get_page_from_freelist+0x195c/0x19f0 [ 96.295422][ T5908] __alloc_pages+0x1e3/0x460 [ 96.300022][ T5908] alloc_slab_page+0x5d/0x170 [ 96.304712][ T5908] new_slab+0x87/0x2e0 [ 96.308791][ T5908] ___slab_alloc+0xc6d/0x12f0 [ 96.313488][ T5908] __kmem_cache_alloc_node+0x1a2/0x260 [ 96.318952][ T5908] kmalloc_trace+0x2a/0xe0 [ 96.323374][ T5908] alloc_bprm+0x56/0x9c0 [ 96.327618][ T5908] kernel_execve+0x98/0x9c0 [ 96.332123][ T5908] call_usermodehelper_exec_async+0x20b/0x350 [ 96.338200][ T5908] ret_from_fork+0x48/0x80 [ 96.342620][ T5908] ret_from_fork_asm+0x11/0x20 [ 96.347477][ T5908] page_owner free stack trace missing [ 96.352850][ T5908] [ 96.355173][ T5908] Memory state around the buggy address: [ 96.360799][ T5908] ffff888020c17300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 96.368883][ T5908] ffff888020c17380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 96.376974][ T5908] >ffff888020c17400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 96.385033][ T5908] ^ [ 96.390677][ T5908] ffff888020c17480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 96.398745][ T5908] ffff888020c17500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 96.406820][ T5908] ================================================================== [ 96.506115][ T5908] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 96.513355][ T5908] CPU: 0 PID: 5908 Comm: syz.3.7 Not tainted 6.6.100-syzkaller #0 [ 96.521185][ T5908] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 96.531271][ T5908] Call Trace: [ 96.534582][ T5908] [ 96.537543][ T5908] dump_stack_lvl+0x16c/0x230 [ 96.542265][ T5908] ? show_regs_print_info+0x20/0x20 [ 96.547516][ T5908] ? load_image+0x3b0/0x3b0 [ 96.552083][ T5908] panic+0x2c0/0x710 [ 96.556039][ T5908] ? asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 96.562239][ T5908] ? bpf_jit_dump+0xd0/0xd0 [ 96.566787][ T5908] ? _raw_spin_unlock_irqrestore+0xfa/0x110 [ 96.572723][ T5908] ? _raw_spin_unlock+0x40/0x40 [ 96.577621][ T5908] ? rose_transmit_link+0x5ba/0x740 [ 96.582856][ T5908] check_panic_on_warn+0x84/0xa0 [ 96.587846][ T5908] ? rose_transmit_link+0x5ba/0x740 [ 96.593076][ T5908] end_report+0x6f/0x140 [ 96.597354][ T5908] kasan_report+0x128/0x150 [ 96.601894][ T5908] ? kmem_cache_alloc_node+0x17f/0x330 [ 96.607393][ T5908] ? rose_transmit_link+0x5ba/0x740 [ 96.612637][ T5908] rose_transmit_link+0x5ba/0x740 [ 96.617710][ T5908] ? skb_put+0x11b/0x210 [ 96.621989][ T5908] rose_write_internal+0x11d1/0x1ab0 [ 96.627319][ T5908] ? rose_validate_nr+0x120/0x120 [ 96.632372][ T5908] ? __timer_delete+0x6b/0x290 [ 96.637182][ T5908] ? skb_queue_purge_reason+0x6c/0x1c0 [ 96.642783][ T5908] rose_release+0x24e/0x510 [ 96.647321][ T5908] sock_close+0xbd/0x230 [ 96.651611][ T5908] ? sock_mmap+0xa0/0xa0 [ 96.655892][ T5908] __fput+0x234/0x970 [ 96.659920][ T5908] task_work_run+0x1ce/0x250 [ 96.664555][ T5908] ? task_work_cancel+0x240/0x240 [ 96.669622][ T5908] get_signal+0x1235/0x1400 [ 96.674161][ T5908] ? task_work_add+0x3a3/0x440 [ 96.678963][ T5908] ? __ia32_sys_pidfd_getfd+0x90/0x90 [ 96.684377][ T5908] ? wake_bit_function+0x200/0x200 [ 96.689538][ T5908] ? __might_fault+0xaa/0x120 [ 96.694332][ T5908] arch_do_signal_or_restart+0x96/0x780 [ 96.699929][ T5908] ? __sys_connect+0x240/0x420 [ 96.704737][ T5908] ? get_sigframe_size+0x20/0x20 [ 96.709721][ T5908] ? exit_to_user_mode_loop+0x3b/0x110 [ 96.715216][ T5908] exit_to_user_mode_loop+0x70/0x110 [ 96.720532][ T5908] exit_to_user_mode_prepare+0xb1/0x140 [ 96.726139][ T5908] syscall_exit_to_user_mode+0x1a/0x50 [ 96.731647][ T5908] do_syscall_64+0x61/0xb0 [ 96.736104][ T5908] ? clear_bhb_loop+0x40/0x90 [ 96.740816][ T5908] ? clear_bhb_loop+0x40/0x90 [ 96.745522][ T5908] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 96.751479][ T5908] RIP: 0033:0x7f5c19d8e9a9 [ 96.755927][ T5908] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 96.775567][ T5908] RSP: 002b:00007f5c1ab9a038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 96.784014][ T5908] RAX: fffffffffffffe00 RBX: 00007f5c19fb6160 RCX: 00007f5c19d8e9a9 [ 96.792018][ T5908] RDX: 0000000000000040 RSI: 0000200000000100 RDI: 000000000000000d [ 96.800026][ T5908] RBP: 00007f5c19e10d69 R08: 0000000000000000 R09: 0000000000000000 [ 96.808208][ T5908] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 96.816299][ T5908] R13: 0000000000000000 R14: 00007f5c19fb6160 R15: 00007ffff50b7ca8 [ 96.824400][ T5908] [ 96.827851][ T5908] Kernel Offset: disabled [ 96.832182][ T5908] Rebooting in 86400 seconds..