last executing test programs: 5.027594354s ago: executing program 0 (id=204): r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000140)='blkio.bfq.time\x00', 0x26e1, 0x0) close(r0) bpf$PROG_LOAD(0x5, &(0x7f0000000b00)={0x6, 0xc, &(0x7f0000000bc0)=ANY=[@ANYBLOB="180200000400000000000000000000008500000041000000180100002020732500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000007300000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x20, 0x0, '\x00', 0x0, @xdp, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f00000011c0)={r0, 0x18000000000002a0, 0xe, 0x0, &(0x7f0000001240)="b9ff03076804268c989e14f088a8", 0x0, 0x4068, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x50) 4.46605404s ago: executing program 0 (id=209): prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x0, 0x0, &(0x7f0000006680)) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xf, 0x4008031, 0xffffffffffffffff, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x9) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) 2.813536905s ago: executing program 4 (id=219): r0 = bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0xe, 0x4, &(0x7f0000000540)=ANY=[@ANYBLOB="b4050000fdff7f006110580000000000c60000000000000095000000000000009f33ef60916e6e713f1eeb0b725ad99b817fd98cd824498949714ffaac8a6f770600dcca55f21f3ca9e822d182054d54d53cd2b6db714e4beb5447000001000000008f2b9000f22425e4097ed62cbc891061017cfa6fa26fa7088c60897d4a6148a1c1e43f00001bde60beac671e8e8fdecb03588aa623fa71f31bf0f871ab5c2ff88afc60027f4e5b5271ed58e835cf0d0000000098b51fe6b1b8d9dbe87dcff414ed000000000000000000000000000000000000000000000000000000b347abe6352a080f8140e5fd10747b6ecdb3540546bf636e3d6e700e5b0500000000000000eb9e1403e6c8f7a187eaf60f3a17f0f046a307a403c19d9829c90bd2114252581567acae715cbe1b57d5cda432c5b910400623d24195405f2e76ccb7b37b41215c184e731fb1"], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xfd90, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @sk_skb, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x366, 0x10, &(0x7f0000000000), 0x1dd}, 0x48) r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000200)=ANY=[@ANYBLOB="0f000000040000000400000012"], 0x48) bpf$BPF_LINK_CREATE(0x1c, &(0x7f00000001c0)={r0, r1, 0x5, 0x0, @void}, 0x10) bpf$BPF_LINK_CREATE(0x1c, &(0x7f0000000440)={r0, r1, 0x26, 0x0, @val=@kprobe_multi=@addrs={0x1, 0x0, 0x0, 0x0}}, 0x30) 2.548593645s ago: executing program 1 (id=221): r0 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000040), 0x0) ioctl$SNDRV_TIMER_IOCTL_SELECT(r0, 0x40345410, &(0x7f0000000080)={{0x0, 0x1, 0x0, 0x1, 0x3}}) ioctl$SNDRV_TIMER_IOCTL_START(r0, 0x54a0) ioctl$SNDRV_TIMER_IOCTL_STOP(r0, 0x54a1) 2.498660662s ago: executing program 4 (id=222): r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000640)=ANY=[@ANYBLOB="170000000000000004000000ff"], 0x48) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000080)={0x3, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000005900000095"], 0x0, 0x0, 0x0, 0x0, 0x40f00, 0x4b}, 0x94) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x6, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x1d, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000340)={r1, 0x2000002, 0xe, 0x0, &(0x7f0000000200)="df33c9f7b9a60000000000000000", 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x50) 2.198048934s ago: executing program 1 (id=224): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x2, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0x95c000)=nil, 0x95c000, 0x3000003, 0x8c4b815a5465c2b1, 0xffffffffffffffff, 0x0) mremap(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x400000, 0x3, &(0x7f0000c00000/0x400000)=nil) 2.103130298s ago: executing program 4 (id=225): r0 = socket$inet6(0xa, 0x3, 0xff) connect$inet6(r0, &(0x7f0000000200)={0xa, 0x0, 0x0, @empty}, 0x1c) setsockopt$SO_TIMESTAMPING(r0, 0x1, 0x25, &(0x7f0000000040)=0x26ec, 0x4) sendto(r0, &(0x7f0000000100)="cec17299253d97363be011fae774c95eff3d8fd74ca2974f22ee90adb120661dae2d9d1a15e80b3f", 0x28, 0x800, 0x0, 0x0) 1.823936272s ago: executing program 0 (id=227): r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000440)=@base={0x1, 0x42, 0x6, 0x8, 0x0, 0x1}, 0x48) r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000040)=@base={0xc, 0x4, 0x4, 0x8001, 0x0, r0}, 0x50) bpf$MAP_LOOKUP_BATCH(0x18, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x0, 0x8000, r1}, 0x38) mmap(&(0x7f0000000000/0x95c000)=nil, 0x95c000, 0xb, 0x8c4b815a5465c2b1, 0xffffffffffffffff, 0x0) 1.778988225s ago: executing program 4 (id=228): r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt(r0, 0x1, 0x10000000000009, &(0x7f00000000c0)="f5c89e1e", 0x4) connect$inet6(r0, &(0x7f0000000080)={0xa, 0x4e22, 0x2, @local, 0x9}, 0x1c) setsockopt$inet6_tcp_int(r0, 0x6, 0x4, &(0x7f0000000040)=0x2, 0x4) 1.633987909s ago: executing program 1 (id=230): r0 = socket$can_bcm(0x1d, 0x2, 0x2) connect$can_bcm(r0, &(0x7f00000005c0), 0x10) recvmmsg(r0, &(0x7f0000001d40)=[{{0x0, 0x0, &(0x7f0000000480)=[{0x0}, {&(0x7f0000000340)=""/97, 0x38}], 0x2}, 0x7f}], 0x1, 0x10103, 0x0) sendmsg$can_bcm(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000240)=ANY=[@ANYBLOB="050000007f0000000000010000000000", @ANYRES64=0x0, @ANYRES64=0x2710], 0x48}}, 0x0) 1.553791373s ago: executing program 3 (id=231): r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x0) bpf$PROG_BIND_MAP(0xa, 0x0, 0x0) bind$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x0, @any, 0x4, 0x1}, 0xe) getsockopt$bt_l2cap_L2CAP_OPTIONS(r0, 0x6, 0x1, 0x0, &(0x7f0000000080)) 1.486197412s ago: executing program 2 (id=232): r0 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0) r1 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000540), 0x2, 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(r1, &(0x7f0000000ac0)={0x0, 0x18, 0xfa00, {0x2, &(0x7f0000000340)={0xffffffffffffffff}, 0x13f, 0x8}}, 0x20) write$RDMA_USER_CM_CMD_RESOLVE_ROUTE(r0, &(0x7f0000000040)={0x4, 0x8, 0xfa00, {r2, 0x5}}, 0x10) 1.318964937s ago: executing program 3 (id=233): r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000000)={'wlan1\x00', 0x0}) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000100), 0xffffffffffffffff) sendmsg$NL80211_CMD_FRAME(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000fc0)={&(0x7f0000000480)={0x34, r2, 0x1, 0x0, 0x0, {{0x2}, {@val={0x8, 0x3, r1}, @void}}, [@chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}], @chandef_params=[@NL80211_ATTR_WIPHY_CHANNEL_TYPE={0x8, 0x27, 0x1}, @NL80211_ATTR_CENTER_FREQ1={0x8, 0xa0, 0x96c}]]}, 0x34}}, 0x40) 1.268840932s ago: executing program 1 (id=234): openat$comedi(0xffffffffffffff9c, &(0x7f0000000240)='/dev/comedi0\x00', 0x80882, 0x0) r0 = syz_io_uring_setup(0x234, &(0x7f0000000580)={0x0, 0x0, 0x10100, 0x3}, &(0x7f0000000000)=0x0, &(0x7f0000000100)=0x0) syz_io_uring_submit(r1, r2, &(0x7f00000009c0)=@IORING_OP_WRITE={0x17, 0x0, 0x0, @fd_index=0x3, 0x0, 0x0, 0xffffffffffffff31}) io_uring_enter(r0, 0x207a98, 0x0, 0x0, 0x0, 0x0) 1.231825897s ago: executing program 2 (id=235): r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0) connect$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe) r1 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6) ioctl$sock_bt_hidp_HIDPCONNADD(r1, 0x400448c8, &(0x7f0000000340)={r0, r0, 0x8, 0xfffffe5e, 0x0, 0x82, 0x4a, 0x15c2, 0x5886, 0x801, 0x0, 0xd9, 'syz1\x00'}) 1.10457757s ago: executing program 3 (id=236): r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r1, 0x1, 0x1a, &(0x7f0000000000)={0x2, &(0x7f0000000440)=[{0x20, 0x0, 0x0, 0xfffff00c}, {0x6}]}, 0x10) sendmsg$TIPC_NL_BEARER_ENABLE(r0, &(0x7f00000010c0)={0x0, 0x0, &(0x7f0000001080)={&(0x7f0000000040)=ANY=[@ANYBLOB="2800b5"], 0x28}}, 0x0) 1.088881677s ago: executing program 0 (id=237): sendmsg$NL80211_CMD_FRAME(0xffffffffffffffff, 0x0, 0x0) r0 = syz_open_dev$evdev(&(0x7f0000000100), 0x2, 0x862b01) ioctl$EVIOCSFF(0xffffffffffffffff, 0x40304580, &(0x7f00000003c0)={0x54, 0x0, 0x0, {0xffff, 0x1}, {0x4d, 0x2}, @period={0x59, 0x80, 0x100, 0xc, 0x2, {0x7, 0xdd, 0xff91, 0x5}, 0x0, 0x0}}) write$char_usb(r0, &(0x7f0000000040)="e2", 0x2250) 988.596808ms ago: executing program 1 (id=238): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x2) ioctl$KVM_CAP_DIRTY_LOG_RING(r1, 0x4068aea3, &(0x7f0000000080)={0xc0, 0x0, 0x8000}) 929.913528ms ago: executing program 2 (id=239): socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000540)={0xffffffffffffffff}) r1 = socket(0x400000000010, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000000c0)={'veth1_to_team\x00', 0x0}) sendmsg$nl_route_sched(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000140)=@newqdisc={0x54, 0x24, 0x4ee4e6a52ff56541, 0x70bd2b, 0xffffffff, {0x0, 0x0, 0x0, r2, {0x0, 0xfff1}, {0xffff, 0xffff}, {0xf, 0x8}}, [@qdisc_kind_options=@q_htb={{0x8}, {0x4}}, @TCA_STAB={0x24, 0x8, 0x0, 0x1, [{{0x1c, 0x1, {0x6, 0x3, 0x8bf, 0x9, 0x2, 0x8}}, {0x4}}]}]}, 0x54}}, 0x0) 780.402086ms ago: executing program 3 (id=240): r0 = socket$kcm(0x2, 0x5, 0x84) setsockopt$sock_attach_bpf(r0, 0x84, 0xb, &(0x7f0000000000), 0x4) sendmsg$inet(r0, &(0x7f0000000ac0)={&(0x7f00000001c0)={0x2, 0x4e23, @remote}, 0x10, &(0x7f0000000940)=[{&(0x7f0000001880)="04", 0x1}], 0x1}, 0x8054) close(r0) 746.561958ms ago: executing program 4 (id=241): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x11, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="18010000000800000000000000000000850000006d00000095"], 0x0, 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x2}, 0x94) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x2) r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000040)={&(0x7f0000000000)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0xc, 0xc, 0x9, [@typedef={0x7}]}, {0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x61]}}, 0x0, 0x2d}, 0x12) bpf$BPF_GET_MAP_INFO(0xf, &(0x7f0000000340)={r0, 0x58, &(0x7f00000002c0)}, 0x10) 686.544116ms ago: executing program 2 (id=242): r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x11, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180100001c0000000000000000000000850000006d00000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000100)={&(0x7f00000000c0)='sys_enter\x00', r0}, 0x10) rt_sigprocmask(0x0, &(0x7f0000000000)={[0xfffffffffffffffd]}, 0x0, 0x8) io_destroy(0x0) 630.984319ms ago: executing program 0 (id=243): r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = dup(r0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000000c0)={'bridge0\x00', 0x0}) sendmsg$nl_route(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000140)=@newlink={0x74, 0x10, 0x401, 0xfffffffc, 0x80, {0x0, 0x0, 0x0, 0x0, 0x1503}, [@IFLA_LINKINFO={0x4c, 0x12, 0x0, 0x1, @macvlan={{0xc}, {0x3c, 0x2, 0x0, 0x1, [@IFLA_MACVLAN_MACADDR_DATA={0x28, 0x5, 0x0, 0x1, [{0xa, 0x4, @local}, {0xa, 0x4, @local}, {0xa, 0x4, @local}]}, @IFLA_MACVLAN_MACADDR_MODE={0x8, 0x3, 0x3}, @IFLA_MACVLAN_MODE={0x8, 0x1, 0x10}]}}}, @IFLA_LINK={0x8, 0x5, r2}]}, 0x74}, 0x1, 0x0, 0x0, 0x4001}, 0x0) 523.543748ms ago: executing program 4 (id=244): syz_usb_connect(0x0, 0x24, &(0x7f00000000c0)=ANY=[@ANYBLOB="12010000bcb7f620e90f01d55023010203010902120001000000000904"], 0x0) r0 = syz_open_dev$I2C(&(0x7f0000000000), 0x1, 0x402) ioctl$I2C_RDWR(r0, 0x707, &(0x7f0000000080)={&(0x7f0000001740)=[{0x3, 0x0, 0x0, 0x0}, {0x951a, 0x3a00, 0x0, 0x0}], 0x2}) write$RDMA_USER_CM_CMD_BIND(0xffffffffffffffff, 0x0, 0x0) 503.270919ms ago: executing program 3 (id=245): r0 = socket(0x10, 0x803, 0x0) sendmsg$SMC_PNETID_GET(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000001c0)={0x0, 0x14}}, 0x0) getsockname$packet(r0, &(0x7f0000000180)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000000c0)=0x14) sendmsg$nl_route(r0, &(0x7f0000000380)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000100)=@newlink={0x64, 0x10, 0x437, 0x3, 0xffffffff, {0x0, 0x0, 0x0, r1, 0x51b0b}, [@IFLA_LINKINFO={0x44, 0x12, 0x0, 0x1, @ip6gre={{0xb}, {0x34, 0x2, 0x0, 0x1, [@IFLA_GRE_LINK={0x8, 0x1, r1}, @IFLA_GRE_LOCAL={0x14, 0x6, @local}, @IFLA_GRE_REMOTE={0x14, 0x7, @private0}]}}}]}, 0x64}, 0x1, 0x0, 0x0, 0x48800}, 0x4000010) 463.549688ms ago: executing program 1 (id=246): r0 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x10, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x5}}, {{{0x9, 0x5, 0x81, 0x3, 0x200, 0x0, 0x0, 0x7}}}}}]}}]}}, 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io(r0, &(0x7f00000003c0)={0x2c, &(0x7f0000000080)=ANY=[@ANYBLOB="000008000000080482"], 0x0, 0x0, 0x0, 0x0}, 0x0) syz_usb_ep_write(r0, 0x81, 0x1, &(0x7f00000000c0)='P') 302.188564ms ago: executing program 0 (id=247): creat(&(0x7f00000002c0)='./file0\x00', 0x0) truncate(&(0x7f0000000180)='./file0\x00', 0x8fff5) r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0x2, 0x4, &(0x7f0000000200)=ANY=[@ANYBLOB="180000000300000000000000feffff10850000000700000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40e00, 0x5a, '\x00', 0x0, @fallback=0x30, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000012c0)={r0, 0x0, 0x30, 0x0, @val=@uprobe_multi={&(0x7f0000000140)='./file0\x00', &(0x7f00000002c0)=[0x1], 0x0, 0x0, 0x20000000000000b2, 0x1}}, 0x40) 284.591586ms ago: executing program 2 (id=248): r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000100)=ANY=[@ANYBLOB="180000000000a636000000007fffffff8500000050000000850000000700000095"], &(0x7f00000002c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000380)={&(0x7f0000000040)='virtio_transport_alloc_pkt\x00', r0}, 0x18) r1 = socket$vsock_stream(0x28, 0x1, 0x0) connect$vsock_stream(r1, &(0x7f0000000140)={0x28, 0x0, 0x0, @host}, 0x10) 114.118507ms ago: executing program 3 (id=249): r0 = syz_clone(0x81000000, 0x0, 0x0, 0x0, 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x6a855000) r1 = syz_pidfd_open(r0, 0x0) setns(r1, 0x10000000) 0s ago: executing program 2 (id=250): r0 = syz_usb_connect(0x3, 0x24, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x8d, 0x1e, 0x50, 0x20, 0x1039, 0x2120, 0x2a7, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0xff, 0xc0, 0x0, [{{0x9, 0x4, 0x7d, 0xf6, 0x0, 0xe4, 0x40, 0x98, 0x2}}]}}]}}, 0x0) syz_usb_disconnect(r0) r1 = syz_usb_connect$rtl8150(0x5, 0x3f, &(0x7f0000000fc0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xbda, 0x8150, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d}}]}}, 0x0) syz_usb_control_io$rtl8150(r1, 0x0, &(0x7f0000000300)={0x2c, 0x0, &(0x7f0000000200)={0x0, 0xa, 0x1, 0x2}, 0x0, 0x0, 0x0}) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.0.89' (ED25519) to the list of known hosts. [ 90.568444][ T5789] cgroup: Unknown subsys name 'net' [ 90.821309][ T5789] cgroup: Unknown subsys name 'cpuset' [ 90.874359][ T5789] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 92.152320][ T31] cfg80211: failed to load regulatory.db [ 92.922579][ T5789] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 95.949360][ T5803] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 95.952589][ T5804] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 95.957935][ T5803] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 95.960237][ T5804] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 95.984355][ T5803] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 95.985534][ T5804] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 95.992079][ T5804] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 95.992083][ T5803] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 96.025604][ T5118] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 96.040571][ T5118] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 96.052629][ T5118] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 96.062836][ T5118] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 96.066152][ T61] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 96.086269][ T61] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 96.087396][ T61] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 96.196565][ T61] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 96.211698][ T61] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 96.222668][ T61] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 96.228941][ T61] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 96.231662][ T61] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 96.285327][ T5803] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1 [ 96.291941][ T5803] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9 [ 96.293341][ T5803] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9 [ 96.297274][ T5803] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4 [ 96.298188][ T5803] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2 [ 97.277051][ T5801] chnl_net:caif_netlink_parms(): no params data found [ 97.343197][ T5802] chnl_net:caif_netlink_parms(): no params data found [ 97.372945][ T5815] chnl_net:caif_netlink_parms(): no params data found [ 97.505705][ T5813] chnl_net:caif_netlink_parms(): no params data found [ 97.752961][ T5809] chnl_net:caif_netlink_parms(): no params data found [ 98.065601][ T61] Bluetooth: hci0: command tx timeout [ 98.065606][ T5803] Bluetooth: hci1: command tx timeout [ 98.143851][ T61] Bluetooth: hci2: command tx timeout [ 98.303744][ T5803] Bluetooth: hci3: command tx timeout [ 98.304046][ T61] Bluetooth: hci4: command tx timeout [ 98.315590][ T5801] bridge0: port 1(bridge_slave_0) entered blocking state [ 98.317235][ T5801] bridge0: port 1(bridge_slave_0) entered disabled state [ 98.318500][ T5801] bridge_slave_0: entered allmulticast mode [ 98.322939][ T5801] bridge_slave_0: entered promiscuous mode [ 98.502209][ T5801] bridge0: port 2(bridge_slave_1) entered blocking state [ 98.502310][ T5801] bridge0: port 2(bridge_slave_1) entered disabled state [ 98.502532][ T5801] bridge_slave_1: entered allmulticast mode [ 98.507767][ T5801] bridge_slave_1: entered promiscuous mode [ 98.604646][ T5802] bridge0: port 1(bridge_slave_0) entered blocking state [ 98.604782][ T5802] bridge0: port 1(bridge_slave_0) entered disabled state [ 98.604968][ T5802] bridge_slave_0: entered allmulticast mode [ 98.607199][ T5802] bridge_slave_0: entered promiscuous mode [ 98.796649][ T5815] bridge0: port 1(bridge_slave_0) entered blocking state [ 98.796770][ T5815] bridge0: port 1(bridge_slave_0) entered disabled state [ 98.796916][ T5815] bridge_slave_0: entered allmulticast mode [ 98.798859][ T5815] bridge_slave_0: entered promiscuous mode [ 98.801284][ T5802] bridge0: port 2(bridge_slave_1) entered blocking state [ 98.801422][ T5802] bridge0: port 2(bridge_slave_1) entered disabled state [ 98.801604][ T5802] bridge_slave_1: entered allmulticast mode [ 98.805083][ T5802] bridge_slave_1: entered promiscuous mode [ 98.957387][ T5815] bridge0: port 2(bridge_slave_1) entered blocking state [ 98.957534][ T5815] bridge0: port 2(bridge_slave_1) entered disabled state [ 98.957744][ T5815] bridge_slave_1: entered allmulticast mode [ 98.961134][ T5815] bridge_slave_1: entered promiscuous mode [ 99.094731][ T5813] bridge0: port 1(bridge_slave_0) entered blocking state [ 99.094877][ T5813] bridge0: port 1(bridge_slave_0) entered disabled state [ 99.095019][ T5813] bridge_slave_0: entered allmulticast mode [ 99.097025][ T5813] bridge_slave_0: entered promiscuous mode [ 99.103024][ T5801] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 99.404578][ T5813] bridge0: port 2(bridge_slave_1) entered blocking state [ 99.404733][ T5813] bridge0: port 2(bridge_slave_1) entered disabled state [ 99.405261][ T5813] bridge_slave_1: entered allmulticast mode [ 99.407355][ T5813] bridge_slave_1: entered promiscuous mode [ 99.410753][ T5801] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 99.518851][ T5802] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 99.519195][ T5809] bridge0: port 1(bridge_slave_0) entered blocking state [ 99.519352][ T5809] bridge0: port 1(bridge_slave_0) entered disabled state [ 99.519543][ T5809] bridge_slave_0: entered allmulticast mode [ 99.521664][ T5809] bridge_slave_0: entered promiscuous mode [ 99.709644][ T5815] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 99.712572][ T5802] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 99.712826][ T5809] bridge0: port 2(bridge_slave_1) entered blocking state [ 99.712954][ T5809] bridge0: port 2(bridge_slave_1) entered disabled state [ 99.713082][ T5809] bridge_slave_1: entered allmulticast mode [ 99.717658][ T5809] bridge_slave_1: entered promiscuous mode [ 99.908973][ T5815] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 100.078608][ T5813] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 100.080995][ T5801] team0: Port device team_slave_0 added [ 100.144181][ T5803] Bluetooth: hci1: command tx timeout [ 100.144304][ T61] Bluetooth: hci0: command tx timeout [ 100.223646][ T61] Bluetooth: hci2: command tx timeout [ 100.267723][ T5813] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 100.269594][ T5801] team0: Port device team_slave_1 added [ 100.366721][ T5802] team0: Port device team_slave_0 added [ 100.383718][ T5803] Bluetooth: hci3: command tx timeout [ 100.383835][ T61] Bluetooth: hci4: command tx timeout [ 100.668263][ T5809] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 100.866364][ T5815] team0: Port device team_slave_0 added [ 100.868699][ T5802] team0: Port device team_slave_1 added [ 100.871607][ T5809] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 101.046615][ T5815] team0: Port device team_slave_1 added [ 101.186999][ T5813] team0: Port device team_slave_0 added [ 101.189322][ T5801] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 101.189339][ T5801] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 101.189366][ T5801] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 101.386912][ T5813] team0: Port device team_slave_1 added [ 101.387943][ T5801] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 101.387959][ T5801] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 101.387979][ T5801] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 101.475982][ T5802] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 101.476012][ T5802] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 101.476043][ T5802] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 101.479874][ T5809] team0: Port device team_slave_0 added [ 101.667542][ T5815] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 101.667560][ T5815] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 101.667589][ T5815] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 101.669096][ T5802] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 101.669111][ T5802] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 101.669140][ T5802] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 101.671865][ T5809] team0: Port device team_slave_1 added [ 101.779004][ T5815] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 101.779019][ T5815] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 101.779039][ T5815] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 101.866679][ T5813] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 101.866697][ T5813] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 101.866717][ T5813] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 101.966819][ T5813] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 101.966838][ T5813] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 101.966867][ T5813] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 102.087755][ T5809] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 102.087769][ T5809] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 102.087789][ T5809] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 102.223725][ T5803] Bluetooth: hci1: command tx timeout [ 102.223829][ T61] Bluetooth: hci0: command tx timeout [ 102.265164][ T5809] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 102.265183][ T5809] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 102.265214][ T5809] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 102.303651][ T61] Bluetooth: hci2: command tx timeout [ 102.371058][ T5801] hsr_slave_0: entered promiscuous mode [ 102.372358][ T5801] hsr_slave_1: entered promiscuous mode [ 102.484764][ T61] Bluetooth: hci4: command tx timeout [ 102.484801][ T61] Bluetooth: hci3: command tx timeout [ 102.572162][ T5802] hsr_slave_0: entered promiscuous mode [ 102.573299][ T5802] hsr_slave_1: entered promiscuous mode [ 102.574727][ T5802] debugfs: 'hsr0' already exists in 'hsr' [ 102.574880][ T5802] Cannot create hsr debugfs directory [ 102.670809][ T5815] hsr_slave_0: entered promiscuous mode [ 102.671846][ T5815] hsr_slave_1: entered promiscuous mode [ 102.672611][ T5815] debugfs: 'hsr0' already exists in 'hsr' [ 102.672633][ T5815] Cannot create hsr debugfs directory [ 103.011971][ T5813] hsr_slave_0: entered promiscuous mode [ 103.013006][ T5813] hsr_slave_1: entered promiscuous mode [ 103.015143][ T5813] debugfs: 'hsr0' already exists in 'hsr' [ 103.015176][ T5813] Cannot create hsr debugfs directory [ 103.302362][ T5809] hsr_slave_0: entered promiscuous mode [ 103.304426][ T5809] hsr_slave_1: entered promiscuous mode [ 103.305810][ T5809] debugfs: 'hsr0' already exists in 'hsr' [ 103.305843][ T5809] Cannot create hsr debugfs directory [ 104.303697][ T5803] Bluetooth: hci0: command tx timeout [ 104.303734][ T5803] Bluetooth: hci1: command tx timeout [ 104.384991][ T61] Bluetooth: hci2: command tx timeout [ 104.544917][ T61] Bluetooth: hci3: command tx timeout [ 104.544958][ T61] Bluetooth: hci4: command tx timeout [ 104.811542][ T5801] netdevsim netdevsim4 netdevsim0: renamed from eth0 [ 104.866241][ T5801] netdevsim netdevsim4 netdevsim1: renamed from eth1 [ 104.901689][ T5801] netdevsim netdevsim4 netdevsim2: renamed from eth2 [ 104.955780][ T5801] netdevsim netdevsim4 netdevsim3: renamed from eth3 [ 105.100095][ T5802] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 105.134455][ T5802] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 105.177041][ T5802] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 105.225641][ T5802] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 105.382961][ T5815] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 105.424079][ T5815] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 105.464306][ T5815] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 105.519472][ T5815] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 105.685970][ T5801] 8021q: adding VLAN 0 to HW filter on device bond0 [ 105.690967][ T5813] netdevsim netdevsim3 netdevsim0: renamed from eth0 [ 105.748277][ T5813] netdevsim netdevsim3 netdevsim1: renamed from eth1 [ 105.787149][ T5813] netdevsim netdevsim3 netdevsim2: renamed from eth2 [ 105.839484][ T5813] netdevsim netdevsim3 netdevsim3: renamed from eth3 [ 105.966692][ T5801] 8021q: adding VLAN 0 to HW filter on device team0 [ 106.008421][ T5809] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 106.045822][ T3582] bridge0: port 1(bridge_slave_0) entered blocking state [ 106.046399][ T3582] bridge0: port 1(bridge_slave_0) entered forwarding state [ 106.056899][ T5809] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 106.111959][ T5809] netdevsim netdevsim2 netdevsim2: renamed from eth2 [ 106.150816][ T5809] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 106.189610][ T3582] bridge0: port 2(bridge_slave_1) entered blocking state [ 106.189791][ T3582] bridge0: port 2(bridge_slave_1) entered forwarding state [ 106.263031][ T5802] 8021q: adding VLAN 0 to HW filter on device bond0 [ 106.372560][ T5802] 8021q: adding VLAN 0 to HW filter on device team0 [ 106.433904][ T3582] bridge0: port 1(bridge_slave_0) entered blocking state [ 106.434057][ T3582] bridge0: port 1(bridge_slave_0) entered forwarding state [ 106.480216][ T12] bridge0: port 2(bridge_slave_1) entered blocking state [ 106.480370][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state [ 106.488836][ T5815] 8021q: adding VLAN 0 to HW filter on device bond0 [ 106.628418][ T5815] 8021q: adding VLAN 0 to HW filter on device team0 [ 106.652230][ T5813] 8021q: adding VLAN 0 to HW filter on device bond0 [ 106.674942][ T158] bridge0: port 1(bridge_slave_0) entered blocking state [ 106.675093][ T158] bridge0: port 1(bridge_slave_0) entered forwarding state [ 106.744999][ T1139] bridge0: port 2(bridge_slave_1) entered blocking state [ 106.745178][ T1139] bridge0: port 2(bridge_slave_1) entered forwarding state [ 106.807645][ T5813] 8021q: adding VLAN 0 to HW filter on device team0 [ 106.817596][ T5809] 8021q: adding VLAN 0 to HW filter on device bond0 [ 106.863334][ T1139] bridge0: port 1(bridge_slave_0) entered blocking state [ 106.871330][ T1139] bridge0: port 1(bridge_slave_0) entered forwarding state [ 106.921483][ T1139] bridge0: port 2(bridge_slave_1) entered blocking state [ 106.921719][ T1139] bridge0: port 2(bridge_slave_1) entered forwarding state [ 106.998309][ T5809] 8021q: adding VLAN 0 to HW filter on device team0 [ 107.039903][ T5801] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 107.056944][ T3582] bridge0: port 1(bridge_slave_0) entered blocking state [ 107.061572][ T3582] bridge0: port 1(bridge_slave_0) entered forwarding state [ 107.123823][ T3582] bridge0: port 2(bridge_slave_1) entered blocking state [ 107.123987][ T3582] bridge0: port 2(bridge_slave_1) entered forwarding state [ 107.381864][ T5802] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 107.769244][ T5802] veth0_vlan: entered promiscuous mode [ 107.835793][ T5815] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 107.850553][ T5802] veth1_vlan: entered promiscuous mode [ 108.049699][ T5813] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 108.063181][ T5801] veth0_vlan: entered promiscuous mode [ 108.072190][ T5802] veth0_macvtap: entered promiscuous mode [ 108.101824][ T5802] veth1_macvtap: entered promiscuous mode [ 108.136186][ T5801] veth1_vlan: entered promiscuous mode [ 108.149693][ T5815] veth0_vlan: entered promiscuous mode [ 108.195141][ T5809] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 108.212011][ T5802] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 108.213028][ T5815] veth1_vlan: entered promiscuous mode [ 108.250151][ T5802] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 108.300160][ T3582] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.317086][ T3582] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.335499][ T3582] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.342456][ T3582] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.343124][ T5813] veth0_vlan: entered promiscuous mode [ 108.363736][ T5801] veth0_macvtap: entered promiscuous mode [ 108.440098][ T5801] veth1_macvtap: entered promiscuous mode [ 108.482938][ T5813] veth1_vlan: entered promiscuous mode [ 108.580704][ T5815] veth0_macvtap: entered promiscuous mode [ 108.616911][ T5815] veth1_macvtap: entered promiscuous mode [ 108.640215][ T5801] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 108.642280][ T5809] veth0_vlan: entered promiscuous mode [ 108.703733][ T5801] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 108.727242][ T68] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 108.727274][ T68] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 108.748579][ T5809] veth1_vlan: entered promiscuous mode [ 108.769785][ T1303] netdevsim netdevsim4 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.772968][ T5815] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 108.782991][ T1303] netdevsim netdevsim4 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.812528][ T1303] netdevsim netdevsim4 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.832452][ T1303] netdevsim netdevsim4 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.832987][ T5813] veth0_macvtap: entered promiscuous mode [ 108.866265][ T5815] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 108.931621][ T5813] veth1_macvtap: entered promiscuous mode [ 108.941069][ T13] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 108.941091][ T13] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 108.964942][ T12] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 109.028123][ T12] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 109.039945][ T12] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 109.052705][ T12] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 109.212421][ T5813] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 109.270678][ T5809] veth0_macvtap: entered promiscuous mode [ 109.311073][ T5813] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 109.323936][ T1303] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 109.323957][ T1303] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 109.363260][ T5809] veth1_macvtap: entered promiscuous mode [ 109.433239][ T12] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 109.444045][ T12] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 109.472037][ T12] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 109.502061][ T12] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 109.532007][ T13] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 109.532029][ T13] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 109.601757][ T5920] netlink: 8 bytes leftover after parsing attributes in process `syz.1.6'. [ 109.601797][ T5920] netlink: 8 bytes leftover after parsing attributes in process `syz.1.6'. [ 109.636385][ T5809] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 109.722891][ T5809] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 109.735053][ T13] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 109.735073][ T13] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 109.787678][ T5922] kvm_intel: L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. [ 109.893553][ T12] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 109.894013][ T12] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 109.897356][ T12] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 109.912129][ T12] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 110.066070][ T3582] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 110.066092][ T3582] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 110.168486][ T5930] netlink: 4 bytes leftover after parsing attributes in process `syz.1.9'. [ 110.189814][ T5930] netlink: 4 bytes leftover after parsing attributes in process `syz.1.9'. [ 110.380761][ T13] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 110.380783][ T13] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 110.531238][ T13] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 110.531258][ T13] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 110.777598][ T3582] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 110.777620][ T3582] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 110.878518][ T1551] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 110.878540][ T1551] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 110.923910][ T5940] team0: Device gtp0 is of different type [ 112.174897][ T5959] iommufd_mock iommufd_mock0: Adding to iommu group 0 [ 113.166342][ T5984] mmap: syz.0.28 (5984) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst. [ 113.564114][ T5993] netlink: 4 bytes leftover after parsing attributes in process `syz.0.32'. [ 113.867633][ T5888] usb 2-1: new high-speed USB device number 2 using dummy_hcd [ 114.036027][ T5888] usb 2-1: Using ep0 maxpacket: 32 [ 114.376868][ T5888] usb 2-1: New USB device found, idVendor=0fd9, idProduct=0025, bcdDevice=29.40 [ 114.376899][ T5888] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 114.427652][ T5888] usb 2-1: config 0 descriptor?? [ 114.689010][ T5888] dvb-usb: found a 'Elgato EyeTV Sat' in warm state. [ 114.747197][ T5888] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer. [ 114.784243][ T5888] dvbdev: DVB: registering new adapter (Elgato EyeTV Sat) [ 114.784371][ T5888] usb 2-1: media controller created [ 114.862512][ T5888] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered. [ 115.013125][ T5888] az6027: usb out operation failed. (-71) [ 115.015025][ T5888] az6027: usb out operation failed. (-71) [ 115.015048][ T5888] stb0899_attach: Driver disabled by Kconfig [ 115.015059][ T5888] az6027: no front-end attached [ 115.015059][ T5888] [ 115.015508][ T5888] az6027: usb out operation failed. (-71) [ 115.015536][ T5888] dvb-usb: no frontend was attached by 'Elgato EyeTV Sat' [ 115.020984][ T5888] input: IR-receiver inside an USB DVB receiver as /devices/platform/dummy_hcd.1/usb2/2-1/input/input5 [ 115.138781][ T5888] dvb-usb: schedule remote query interval to 400 msecs. [ 115.138808][ T5888] dvb-usb: Elgato EyeTV Sat successfully initialized and connected. [ 115.174517][ T5888] usb 2-1: USB disconnect, device number 2 [ 115.853096][ T5888] dvb-usb: Elgato EyeTV Sat successfully deinitialized and disconnected. [ 116.019611][ T6012] block device autoloading is deprecated and will be removed. [ 116.295346][ T6025] Zero length message leads to an empty skb [ 116.744341][ T5888] usb 2-1: new high-speed USB device number 3 using dummy_hcd [ 116.903724][ T5888] usb 2-1: Using ep0 maxpacket: 32 [ 116.909297][ T6036] nbd0: detected capacity change from 0 to 127 [ 116.911119][ T5888] usb 2-1: config 0 has an invalid interface number: 12 but max is 0 [ 116.911147][ T5888] usb 2-1: config 0 has no interface number 0 [ 116.911208][ T5888] usb 2-1: config 0 interface 12 has no altsetting 0 [ 116.972703][ T5888] usb 2-1: New USB device found, idVendor=2c42, idProduct=1202, bcdDevice=85.40 [ 116.972735][ T5888] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 116.972758][ T5888] usb 2-1: Product: syz [ 116.972775][ T5888] usb 2-1: Manufacturer: syz [ 116.972791][ T5888] usb 2-1: SerialNumber: syz [ 116.986085][ T5803] block nbd0: Receive control failed (result -32) [ 117.014739][ T5855] block nbd0: Dead connection, failed to find a fallback [ 117.014769][ T5855] block nbd0: shutting down sockets [ 117.014864][ T5855] I/O error, dev nbd0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2 [ 117.014961][ T5855] Buffer I/O error on dev nbd0, logical block 0, async page read [ 117.015339][ T5855] I/O error, dev nbd0, sector 2 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2 [ 117.015367][ T5855] Buffer I/O error on dev nbd0, logical block 1, async page read [ 117.015536][ T5855] I/O error, dev nbd0, sector 4 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2 [ 117.015559][ T5855] Buffer I/O error on dev nbd0, logical block 2, async page read [ 117.015721][ T5855] I/O error, dev nbd0, sector 6 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2 [ 117.015748][ T5855] Buffer I/O error on dev nbd0, logical block 3, async page read [ 117.015928][ T5855] I/O error, dev nbd0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2 [ 117.015955][ T5855] Buffer I/O error on dev nbd0, logical block 0, async page read [ 117.016115][ T5855] I/O error, dev nbd0, sector 2 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2 [ 117.016141][ T5855] Buffer I/O error on dev nbd0, logical block 1, async page read [ 117.016311][ T5855] I/O error, dev nbd0, sector 4 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2 [ 117.016337][ T5855] Buffer I/O error on dev nbd0, logical block 2, async page read [ 117.016517][ T5855] I/O error, dev nbd0, sector 6 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2 [ 117.016544][ T5855] Buffer I/O error on dev nbd0, logical block 3, async page read [ 117.016718][ T5855] I/O error, dev nbd0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2 [ 117.016744][ T5855] Buffer I/O error on dev nbd0, logical block 0, async page read [ 117.016906][ T5855] I/O error, dev nbd0, sector 2 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2 [ 117.016933][ T5855] Buffer I/O error on dev nbd0, logical block 1, async page read [ 117.217476][ T5888] usb 2-1: config 0 descriptor?? [ 117.234352][ T5855] ldm_validate_partition_table(): Disk read failed. [ 117.237000][ T5855] Dev nbd0: unable to read RDB block 0 [ 117.239710][ T5855] nbd0: unable to read partition table [ 117.348730][ T5855] ldm_validate_partition_table(): Disk read failed. [ 117.379743][ T5855] Dev nbd0: unable to read RDB block 0 [ 117.399413][ T5855] nbd0: unable to read partition table [ 117.945059][ T5888] f81534 2-1:0.12: f81534_get_register: reg: 1003 failed: -71 [ 117.945133][ T5888] f81534 2-1:0.12: f81534_find_config_idx: read failed: -71 [ 117.945153][ T5888] f81534 2-1:0.12: f81534_calc_num_ports: find idx failed: -71 [ 117.945263][ T5888] f81534 2-1:0.12: probe with driver f81534 failed with error -71 [ 118.001343][ T5888] usb 2-1: USB disconnect, device number 3 [ 118.172014][ T6052] loop6: detected capacity change from 0 to 7 [ 118.256846][ T5925] ldm_validate_partition_table(): Disk read failed. [ 118.257314][ T5925] Dev loop6: unable to read RDB block 0 [ 118.265679][ T5925] loop6: unable to read partition table [ 118.265996][ T5925] loop6: partition table beyond EOD, truncated [ 118.297984][ T6052] ldm_validate_partition_table(): Disk read failed. [ 118.314052][ T6052] Dev loop6: unable to read RDB block 0 [ 118.314683][ T6052] loop6: unable to read partition table [ 118.314939][ T6052] loop6: partition table beyond EOD, truncated [ 118.314975][ T6052] loop_reread_partitions: partition scan of loop6 (Sj̖P=ý?}X %`ր5) failed (rc=-5) [ 119.134313][ T6071] dummy0: entered promiscuous mode [ 119.134612][ T6071] macvtap1: entered allmulticast mode [ 119.134631][ T6071] dummy0: entered allmulticast mode [ 119.367117][ T6071] dummy0: left allmulticast mode [ 119.367233][ T6071] dummy0: left promiscuous mode [ 120.728601][ T49] kernel write not supported for file /vbi3 (pid: 49 comm: kworker/1:1) [ 121.868269][ T6121] warning: `syz.3.86' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211 [ 123.902605][ T6164] syz.3.113 (6164) used greatest stack depth: 18040 bytes left [ 124.731600][ T5915] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 124.908226][ T5915] usb 1-1: Using ep0 maxpacket: 8 [ 124.936035][ T5915] usb 1-1: config 16 interface 0 altsetting 0 endpoint 0x5 has invalid maxpacket 56832, setting to 1024 [ 124.936445][ T5915] usb 1-1: config 16 interface 0 altsetting 0 bulk endpoint 0x5 has invalid maxpacket 1024 [ 124.936564][ T5915] usb 1-1: config 16 interface 0 altsetting 0 bulk endpoint 0x8B has invalid maxpacket 32 [ 124.936613][ T5915] usb 1-1: config 16 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 3 [ 124.936660][ T5915] usb 1-1: New USB device found, idVendor=ee8d, idProduct=db1a, bcdDevice=61.23 [ 124.936687][ T5915] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 125.248938][ T5915] usb 1-1: GET_CAPABILITIES returned 0 [ 125.248996][ T5915] usbtmc 1-1:16.0: can't read capabilities [ 125.484393][ T10] usb 1-1: USB disconnect, device number 2 [ 126.618785][ T5915] usb 4-1: new high-speed USB device number 2 using dummy_hcd [ 126.752601][ T6219] netlink: 12 bytes leftover after parsing attributes in process `syz.1.125'. [ 126.789334][ T5915] usb 4-1: config 0 interface 0 altsetting 3 endpoint 0x81 has invalid wMaxPacketSize 0 [ 126.789369][ T5915] usb 4-1: config 0 interface 0 altsetting 3 has 1 endpoint descriptor, different from the interface descriptor's value: 5 [ 126.789408][ T5915] usb 4-1: config 0 interface 0 has no altsetting 0 [ 126.789448][ T5915] usb 4-1: New USB device found, idVendor=0fc5, idProduct=b080, bcdDevice= 0.00 [ 126.789473][ T5915] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 126.816072][ T5915] usb 4-1: config 0 descriptor?? [ 127.083626][ T5915] usbhid 4-1:0.0: can't add hid device: -71 [ 127.083768][ T5915] usbhid 4-1:0.0: probe with driver usbhid failed with error -71 [ 127.096931][ T5915] usb 4-1: USB disconnect, device number 2 [ 127.150129][ T6230] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 127.592965][ T6240] ptrace attach of "./syz-executor exec"[5801] was attempted by ""[6240] [ 127.660554][ T6242] netlink: 'syz.2.138': attribute type 19 has an invalid length. [ 128.308320][ T6265] netlink: 8 bytes leftover after parsing attributes in process `syz.1.149'. [ 129.063276][ T6284] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 131.032378][ T6336] semctl(GETNCNT/GETZCNT) is since 3.16 Single Unix Specification compliant. [ 131.032378][ T6336] The task syz.0.177 (6336) triggered the difference, watch for misbehavior. [ 131.751481][ T5915] kernel read not supported for file /cpu/0/msr (pid: 5915 comm: kworker/1:5) [ 132.074448][ T6362] capability: warning: `syz.1.189' uses 32-bit capabilities (legacy support in use) [ 132.200965][ T49] kernel read not supported for file /rfkill (pid: 49 comm: kworker/1:1) [ 132.434951][ T6371] capability: warning: `syz.3.194' uses deprecated v2 capabilities in a way that may be insecure [ 132.858268][ T6382] netlink: 'syz.2.199': attribute type 11 has an invalid length. [ 132.860668][ T6382] netlink: 190972 bytes leftover after parsing attributes in process `syz.2.199'. [ 134.025134][ T6405] program syz.3.208 is using a deprecated SCSI ioctl, please convert it to SG_IO [ 136.084542][ T6434] Illegal XDP return value 4294967294 on prog (id 24) dev N/A, expect packet loss! [ 136.376894][ T6438] bond0: Unable to set down delay as MII monitoring is disabled [ 137.958102][ T6478] bridge0: entered promiscuous mode [ 137.958302][ T6478] macvlan0: entered promiscuous mode [ 138.084823][ T6484] ip6gre1: entered promiscuous mode [ 138.084850][ T6484] ip6gre1: entered allmulticast mode [ 138.141495][ T13] ip6_tunnel: ip6gre1 xmit: Local address not yet configured! [ 138.141803][ T5915] ip6_tunnel: ip6gre1 xmit: Local address not yet configured! [ 138.173369][ T13] ip6_tunnel: ip6gre1 xmit: Local address not yet configured! [ 138.232126][ T1322] ieee802154 phy0 wpan0: encryption failed: -22 [ 138.232227][ T1322] ieee802154 phy1 wpan1: encryption failed: -22 [ 138.253965][ T49] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 138.303738][ T5868] usb 2-1: new high-speed USB device number 4 using dummy_hcd [ 138.423988][ T49] usb 5-1: Using ep0 maxpacket: 32 [ 138.447711][ T49] usb 5-1: New USB device found, idVendor=0fe9, idProduct=d501, bcdDevice=23.50 [ 138.447744][ T49] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 138.447766][ T49] usb 5-1: Product: syz [ 138.447782][ T49] usb 5-1: Manufacturer: syz [ 138.447798][ T49] usb 5-1: SerialNumber: syz [ 138.454320][ T5868] usb 2-1: Using ep0 maxpacket: 16 [ 138.460094][ T5868] usb 2-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 138.460155][ T5868] usb 2-1: New USB device found, idVendor=04d8, idProduct=00dd, bcdDevice= 0.00 [ 138.460184][ T5868] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 138.497586][ T5868] usb 2-1: config 0 descriptor?? [ 138.535227][ T49] usb 5-1: config 0 descriptor?? [ 138.567392][ T49] dvb-usb: found a 'DViCO FusionHDTV5 USB Gold' in warm state. [ 138.568030][ T49] dvb-usb: bulk message failed: -22 (2/0) [ 138.672130][ T49] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer. [ 138.685316][ T49] dvbdev: DVB: registering new adapter (DViCO FusionHDTV5 USB Gold) [ 138.685395][ T49] usb 5-1: media controller created [ 138.845507][ T6482] dvb-usb: bulk message failed: -22 (3/0) [ 138.966636][ T49] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered. [ 139.046409][ T5868] mcp2221 0003:04D8:00DD.0001: USB HID v0.05 Device [HID 04d8:00dd] on usb-dummy_hcd.1-1/input0 [ 139.081939][ T49] usb 5-1: selecting invalid altsetting 7 [ 139.083115][ T49] cxusb: set interface failed [ 139.083142][ T49] dvb-usb: bulk message failed: -22 (1/0) [ 139.107369][ T974] ip6_tunnel: ip6gre1 xmit: Local address not yet configured! [ 139.107750][ T974] ip6_tunnel: ip6gre1 xmit: Local address not yet configured! [ 139.171387][ T49] DVB: Unable to find symbol lgdt330x_attach() [ 139.171400][ T49] dvb-usb: no frontend was attached by 'DViCO FusionHDTV5 USB Gold' [ 139.185941][ C1] =============================[ 139.185941][ C1] ================================================================== [ 139.185965][ C1] BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0x106a/0x1240 [ 139.186020][ C1] Read of size 1 at addr ffff88805af5bfff by task ktimers/1/29 [ 139.186048][ C1] [ 139.186096][ C1] CPU: 1 UID: 0 PID: 29 Comm: ktimers/1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} [ 139.186133][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 139.186163][ C1] Call Trace: [ 139.186181][ C1] [ 139.186195][ C1] dump_stack_lvl+0x189/0x250 [ 139.186251][ C1] ? __kasan_check_byte+0x12/0x40 [ 139.186301][ C1] ? __pfx_dump_stack_lvl+0x10/0x10 [ 139.186349][ C1] ? lock_release+0x4b/0x3e0 [ 139.186398][ C1] ? __virt_addr_valid+0x4a5/0x5c0 [ 139.186451][ C1] print_report+0xca/0x240 [ 139.186499][ C1] ? mcp2221_raw_event+0x106a/0x1240 [ 139.186533][ C1] kasan_report+0x118/0x150 [ 139.186581][ C1] ? mcp2221_raw_event+0x106a/0x1240 [ 139.186623][ C1] mcp2221_raw_event+0x106a/0x1240 [ 139.186659][ C1] ? down_trylock+0x50/0xb0 [ 139.186710][ C1] hid_input_report+0x40f/0x530 [ 139.186759][ C1] ? __pfx_mcp2221_raw_event+0x10/0x10 [ 139.186798][ C1] hid_irq_in+0x47e/0x6d0 [ 139.186840][ C1] __usb_hcd_giveback_urb+0x3b4/0x5e0 [ 139.186890][ C1] dummy_timer+0x8a0/0x4610 [ 139.186970][ C1] ? lockdep_hardirqs_on+0x9c/0x150 [ 139.187020][ C1] ? __pfx_dummy_timer+0x10/0x10 [ 139.187067][ C1] ? __pfx_dummy_timer+0x10/0x10 [ 139.187115][ C1] __hrtimer_run_queues+0x552/0xd40 [ 139.187179][ C1] ? __pfx___hrtimer_run_queues+0x10/0x10 [ 139.187230][ C1] ? ktime_get_update_offsets_now+0x3b2/0x3d0 [ 139.187280][ C1] hrtimer_run_softirq+0x1a3/0x2e0 [ 139.187313][ C1] handle_softirqs+0x22f/0x710 [ 139.187360][ C1] ? __pfx_handle_softirqs+0x10/0x10 [ 139.187408][ C1] run_ktimerd+0xcf/0x190 [ 139.187452][ C1] ? __pfx_run_ktimerd+0x10/0x10 [ 139.187495][ C1] ? schedule+0x91/0x360 [ 139.187542][ C1] ? smpboot_thread_fn+0x4d/0xa60 [ 139.187583][ C1] smpboot_thread_fn+0x542/0xa60 [ 139.187625][ C1] ? smpboot_thread_fn+0x4d/0xa60 [ 139.187671][ C1] kthread+0x711/0x8a0 [ 139.187724][ C1] ? __pfx_smpboot_thread_fn+0x10/0x10 [ 139.187767][ C1] ? __pfx_kthread+0x10/0x10 [ 139.187819][ C1] ? rt_spin_unlock+0x150/0x200 [ 139.187858][ C1] ? rt_spin_unlock+0x161/0x200 [ 139.187895][ C1] ? __pfx_kthread+0x10/0x10 [ 139.187942][ C1] ret_from_fork+0x4bc/0x870 [ 139.187983][ C1] ? __pfx_ret_from_fork+0x10/0x10 [ 139.188028][ C1] ? __switch_to_asm+0x39/0x70 [ 139.188059][ C1] ? __switch_to_asm+0x33/0x70 [ 139.188142][ C1] ? __pfx_kthread+0x10/0x10 [ 139.188191][ C1] ret_from_fork_asm+0x1a/0x30 [ 139.188236][ C1] [ 139.188248][ C1] [ 139.188262][ C1] Allocated by task 16: [ 139.188277][ C1] kasan_save_track+0x3e/0x80 [ 139.188323][ C1] __kasan_slab_alloc+0x6c/0x80 [ 139.188363][ C1] kmem_cache_alloc_node_noprof+0x23b/0x6e0 [ 139.188406][ C1] kmalloc_reserve+0xbd/0x290 [ 139.188437][ C1] __alloc_skb+0x142/0x2d0 [ 139.188465][ C1] skb_copy+0x188/0x800 [ 139.188500][ C1] mac80211_hwsim_tx_frame_no_nl+0xcd3/0x11c0 [ 139.188546][ C1] mac80211_hwsim_tx_frame+0x1b5/0x200 [ 139.188592][ C1] mac80211_hwsim_beacon_tx+0x3f0/0x860 [ 139.188640][ C1] __iterate_interfaces+0x2ab/0x590 [ 139.188668][ C1] ieee80211_iterate_active_interfaces_atomic+0xdb/0x180 [ 139.188700][ C1] mac80211_hwsim_beacon+0xbb/0x180 [ 139.188735][ C1] __hrtimer_run_queues+0x552/0xd40 [ 139.188782][ C1] hrtimer_run_softirq+0x1a3/0x2e0 [ 139.188807][ C1] handle_softirqs+0x22f/0x710 [ 139.188843][ C1] run_ktimerd+0xcf/0x190 [ 139.188883][ C1] smpboot_thread_fn+0x542/0xa60 [ 139.188919][ C1] kthread+0x711/0x8a0 [ 139.188963][ C1] ret_from_fork+0x4bc/0x870 [ 139.188996][ C1] ret_from_fork_asm+0x1a/0x30 [ 139.189026][ C1] [ 139.189032][ C1] Freed by task 158: [ 139.189047][ C1] kasan_save_track+0x3e/0x80 [ 139.189092][ C1] __kasan_save_free_info+0x46/0x50 [ 139.189123][ C1] __kasan_slab_free+0x5c/0x80 [ 139.189163][ C1] kmem_cache_free+0x19a/0x910 [ 139.189203][ C1] skb_release_data+0x62d/0x7c0 [ 139.189234][ C1] sk_skb_reason_drop+0x127/0x170 [ 139.189261][ C1] ieee80211_iface_work+0xb30/0x12d0 [ 139.189299][ C1] cfg80211_wiphy_work+0x2bb/0x470 [ 139.189338][ C1] process_scheduled_works+0xae1/0x17b0 [ 139.189376][ C1] worker_thread+0x8a0/0xda0 [ 139.189413][ C1] kthread+0x711/0x8a0 [ 139.189457][ C1] ret_from_fork+0x4bc/0x870 [ 139.189490][ C1] ret_from_fork_asm+0x1a/0x30 [ 139.189520][ C1] [ 139.189528][ C1] The buggy address belongs to the object at ffff88805af5ba80 [ 139.189528][ C1] which belongs to the cache skbuff_small_head of size 704 [ 139.189555][ C1] The buggy address is located 703 bytes to the right of [ 139.189555][ C1] allocated 704-byte region [ffff88805af5ba80, ffff88805af5bd40) [ 139.189591][ C1] [ 139.189600][ C1] The buggy address belongs to the physical page: [ 139.189624][ C1] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5af58 [ 139.189654][ C1] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 139.189679][ C1] anon flags: 0x80000000000040(head|node=0|zone=1) [ 139.189711][ C1] page_type: f5(slab) [ 139.189746][ C1] raw: 0080000000000040 ffff88801cefe280 0000000000000000 0000000000000001 [ 139.189773][ C1] raw: 0000000000000000 0000000000130013 00000000f5000000 0000000000000000 [ 139.189803][ C1] head: 0080000000000040 ffff88801cefe280 0000000000000000 0000000000000001 [ 139.189831][ C1] head: 0000000000000000 0000000000130013 00000000f5000000 0000000000000000 [ 139.189861][ C1] head: 0080000000000002 ffffea00016bd601 00000000ffffffff 00000000ffffffff [ 139.189887][ C1] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000004 [ 139.189905][ C1] page dumped because: kasan: bad access detected [ 139.189925][ C1] page_owner tracks the page as allocated [ 139.189937][ C1] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6166, tgid 6165 (syz.4.103), ts 124068096059, free_ts 124027807037 [ 139.189999][ C1] post_alloc_hook+0x240/0x2a0 [ 139.190040][ C1] get_page_from_freelist+0x28c0/0x2960 [ 139.190098][ C1] __alloc_frozen_pages_noprof+0x181/0x370 [ 139.190145][ C1] alloc_pages_mpol+0xd1/0x380 [ 139.190188][ C1] allocate_slab+0x96/0x350 [ 139.190218][ C1] ___slab_alloc+0xb10/0x1400 [ 139.190245][ C1] __slab_alloc+0xc6/0x1f0 [ 139.190269][ C1] kmem_cache_alloc_node_noprof+0x1ac/0x6e0 [ 139.190309][ C1] kmalloc_reserve+0xbd/0x290 [ 139.190336][ C1] __alloc_skb+0x142/0x2d0 [ 139.190364][ C1] sock_wmalloc+0xb2/0x130 [ 139.190399][ C1] l2tp_ip_sendmsg+0x1bb/0x15f0 [ 139.190434][ C1] __sock_sendmsg+0x19c/0x270 [ 139.190476][ C1] ____sys_sendmsg+0x534/0x820 [ 139.190509][ C1] ___sys_sendmsg+0x21f/0x2a0 [ 139.190542][ C1] __sys_sendmmsg+0x22d/0x430 [ 139.190577][ C1] page last free pid 6166 tgid 6165 stack trace: [ 139.190593][ C1] __free_frozen_pages+0xfb6/0x1140 [ 139.190635][ C1] __put_partials+0x149/0x170 [ 139.190662][ C1] __slab_free+0x29e/0x370 [ 139.190693][ C1] qlist_free_all+0x97/0x140 [ 139.190727][ C1] kasan_quarantine_reduce+0x148/0x160 [ 139.190765][ C1] __kasan_slab_alloc+0x22/0x80 [ 139.190807][ C1] kmem_cache_alloc_node_noprof+0x23b/0x6e0 [ 139.190846][ C1] __alloc_skb+0x112/0x2d0 [ 139.190876][ C1] sock_wmalloc+0xb2/0x130 [ 139.190911][ C1] l2tp_ip_sendmsg+0x1bb/0x15f0 [ 139.190942][ C1] __sock_sendmsg+0x19c/0x270 [ 139.190984][ C1] ____sys_sendmsg+0x534/0x820 [ 139.191012][ C1] ___sys_sendmsg+0x21f/0x2a0 [ 139.191036][ C1] __sys_sendmmsg+0x22d/0x430 [ 139.191062][ C1] __x64_sys_sendmmsg+0xa0/0xc0 [ 139.191101][ C1] do_syscall_64+0xfa/0xfa0 [ 139.191144][ C1] [ 139.191152][ C1] Memory state around the buggy address: [ 139.191168][ C1] ffff88805af5be80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 139.191190][ C1] ffff88805af5bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 139.191213][ C1] >ffff88805af5bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 139.191229][ C1] ^ [ 139.191247][ C1] ffff88805af5c000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 139.191269][ C1] ffff88805af5c080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 139.191286][ C1] ================================================================== [ 139.191313][ C1] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 139.191336][ C1] CPU: 1 UID: 0 PID: 29 Comm: ktimers/1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} [ 139.191374][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 139.191394][ C1] Call Trace: [ 139.191407][ C1] [ 139.191422][ C1] dump_stack_lvl+0x99/0x250 [ 139.191474][ C1] ? __asan_memcpy+0x40/0x70 [ 139.191511][ C1] ? __pfx_dump_stack_lvl+0x10/0x10 [ 139.191561][ C1] ? __pfx__printk+0x10/0x10 [ 139.191611][ C1] vpanic+0x237/0x6d0 [ 139.191641][ C1] ? __pfx_vpanic+0x10/0x10 [ 139.191679][ C1] panic+0xb9/0xc0 [ 139.191706][ C1] ? __pfx_panic+0x10/0x10 [ 139.191735][ C1] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 139.191787][ C1] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 139.191840][ C1] ? mcp2221_raw_event+0x106a/0x1240 [ 139.191878][ C1] check_panic_on_warn+0x89/0xb0 [ 139.191909][ C1] ? mcp2221_raw_event+0x106a/0x1240 [ 139.191943][ C1] end_report+0x78/0x160 [ 139.191990][ C1] kasan_report+0x129/0x150 [ 139.192037][ C1] ? mcp2221_raw_event+0x106a/0x1240 [ 139.192088][ C1] mcp2221_raw_event+0x106a/0x1240 [ 139.192126][ C1] ? down_trylock+0x50/0xb0 [ 139.192179][ C1] hid_input_report+0x40f/0x530 [ 139.192228][ C1] ? __pfx_mcp2221_raw_event+0x10/0x10 [ 139.192269][ C1] hid_irq_in+0x47e/0x6d0 [ 139.192311][ C1] __usb_hcd_giveback_urb+0x3b4/0x5e0 [ 139.192359][ C1] dummy_timer+0x8a0/0x4610 [ 139.192439][ C1] ? lockdep_hardirqs_on+0x9c/0x150 [ 139.192486][ C1] ? __pfx_dummy_timer+0x10/0x10 [ 139.192534][ C1] ? __pfx_dummy_timer+0x10/0x10 [ 139.192573][ C1] __hrtimer_run_queues+0x552/0xd40 [ 139.192638][ C1] ? __pfx___hrtimer_run_queues+0x10/0x10 [ 139.192689][ C1] ? ktime_get_update_offsets_now+0x3b2/0x3d0 [ 139.192739][ C1] hrtimer_run_softirq+0x1a3/0x2e0 [ 139.192772][ C1] handle_softirqs+0x22f/0x710 [ 139.192820][ C1] ? __pfx_handle_softirqs+0x10/0x10 [ 139.192867][ C1] run_ktimerd+0xcf/0x190 [ 139.192912][ C1] ? __pfx_run_ktimerd+0x10/0x10 [ 139.192955][ C1] ? schedule+0x91/0x360 [ 139.193001][ C1] ? smpboot_thread_fn+0x4d/0xa60 [ 139.193042][ C1] smpboot_thread_fn+0x542/0xa60 [ 139.193093][ C1] ? smpboot_thread_fn+0x4d/0xa60 [ 139.193140][ C1] kthread+0x711/0x8a0 [ 139.193191][ C1] ? __pfx_smpboot_thread_fn+0x10/0x10 [ 139.193232][ C1] ? __pfx_kthread+0x10/0x10 [ 139.193280][ C1] ? rt_spin_unlock+0x150/0x200 [ 139.193320][ C1] ? rt_spin_unlock+0x161/0x200 [ 139.193350][ C1] ? __pfx_kthread+0x10/0x10 [ 139.193398][ C1] ret_from_fork+0x4bc/0x870 [ 139.193440][ C1] ? __pfx_ret_from_fork+0x10/0x10 [ 139.193477][ C1] ? __switch_to_asm+0x39/0x70 [ 139.193503][ C1] ? __switch_to_asm+0x33/0x70 [ 139.193529][ C1] ? __pfx_kthread+0x10/0x10 [ 139.193572][ C1] ret_from_fork_asm+0x1a/0x30 [ 139.193613][ C1] [ 139.193955][ C1] Kernel Offset: disabled