syzkaller login: [ 238.488550][ T2894] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'. [ 238.526704][ T2894] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'. [ 255.826560][ T2894] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'. Warning: Permanently added '[localhost]:24950' (ECDSA) to the list of known hosts. 1970/01/01 00:04:48 fuzzer started 1970/01/01 00:05:00 dialing manager at localhost:43739 1970/01/01 00:05:03 syscalls: 2768 1970/01/01 00:05:03 code coverage: enabled 1970/01/01 00:05:03 comparison tracing: enabled 1970/01/01 00:05:03 extra coverage: enabled 1970/01/01 00:05:03 setuid sandbox: enabled 1970/01/01 00:05:03 namespace sandbox: enabled 1970/01/01 00:05:03 Android sandbox: /sys/fs/selinux/policy does not exist 1970/01/01 00:05:03 fault injection: enabled 1970/01/01 00:05:03 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 1970/01/01 00:05:03 net packet injection: enabled 1970/01/01 00:05:03 net device setup: enabled 1970/01/01 00:05:03 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist 1970/01/01 00:05:03 devlink PCI setup: PCI device 0000:00:10.0 is not available 1970/01/01 00:05:03 USB emulation: enabled 1970/01/01 00:05:03 hci packet injection: /dev/vhci does not exist 1970/01/01 00:05:03 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist 1970/01/01 00:05:03 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist 1970/01/01 00:05:07 fetching corpus: 50, signal 24422/25994 (executing program) 1970/01/01 00:05:10 fetching corpus: 100, signal 33064/35918 (executing program) 1970/01/01 00:05:13 fetching corpus: 150, signal 38631/42597 (executing program) 1970/01/01 00:05:14 fetching corpus: 200, signal 41583/46662 (executing program) 1970/01/01 00:05:16 fetching corpus: 250, signal 44548/50629 (executing program) 1970/01/01 00:05:18 fetching corpus: 300, signal 47294/54283 (executing program) 1970/01/01 00:05:20 fetching corpus: 
350, signal 49662/57532 (executing program) 1970/01/01 00:05:23 fetching corpus: 400, signal 51365/60119 (executing program) 1970/01/01 00:05:25 fetching corpus: 450, signal 55150/64400 (executing program) 1970/01/01 00:05:26 fetching corpus: 500, signal 57197/67153 (executing program) 1970/01/01 00:05:29 fetching corpus: 550, signal 59039/69631 (executing program) 1970/01/01 00:05:32 fetching corpus: 600, signal 60997/72118 (executing program) 1970/01/01 00:05:34 fetching corpus: 650, signal 64776/75935 (executing program) 1970/01/01 00:05:36 fetching corpus: 700, signal 66035/77771 (executing program) 1970/01/01 00:05:39 fetching corpus: 750, signal 67185/79439 (executing program) 1970/01/01 00:05:40 fetching corpus: 800, signal 68609/81278 (executing program) 1970/01/01 00:05:42 fetching corpus: 850, signal 69631/82814 (executing program) 1970/01/01 00:05:45 fetching corpus: 900, signal 70872/84407 (executing program) 1970/01/01 00:05:47 fetching corpus: 950, signal 72013/85870 (executing program) 1970/01/01 00:05:48 fetching corpus: 1000, signal 73215/87346 (executing program) 1970/01/01 00:05:50 fetching corpus: 1050, signal 75034/89161 (executing program) 1970/01/01 00:05:52 fetching corpus: 1100, signal 75745/90279 (executing program) 1970/01/01 00:05:54 fetching corpus: 1150, signal 77933/92215 (executing program) 1970/01/01 00:05:57 fetching corpus: 1200, signal 79269/93650 (executing program) 1970/01/01 00:05:59 fetching corpus: 1250, signal 80239/94807 (executing program) 1970/01/01 00:06:01 fetching corpus: 1300, signal 80871/95754 (executing program) 1970/01/01 00:06:03 fetching corpus: 1350, signal 82018/96921 (executing program) 1970/01/01 00:06:05 fetching corpus: 1400, signal 83189/98045 (executing program) 1970/01/01 00:06:07 fetching corpus: 1450, signal 83815/98820 (executing program) 1970/01/01 00:06:09 fetching corpus: 1500, signal 84614/99737 (executing program) 1970/01/01 00:06:11 fetching corpus: 1550, signal 85503/100685 (executing 
program) 1970/01/01 00:06:12 fetching corpus: 1600, signal 86366/101552 (executing program) 1970/01/01 00:06:15 fetching corpus: 1650, signal 87204/102351 (executing program) 1970/01/01 00:06:16 fetching corpus: 1700, signal 87694/103008 (executing program) 1970/01/01 00:06:18 fetching corpus: 1750, signal 88313/103684 (executing program) 1970/01/01 00:06:20 fetching corpus: 1800, signal 89073/104397 (executing program) 1970/01/01 00:06:21 fetching corpus: 1850, signal 89785/105037 (executing program) 1970/01/01 00:06:23 fetching corpus: 1900, signal 90770/105748 (executing program) 1970/01/01 00:06:25 fetching corpus: 1950, signal 91275/106287 (executing program) 1970/01/01 00:06:28 fetching corpus: 2000, signal 91834/106822 (executing program) 1970/01/01 00:06:30 fetching corpus: 2050, signal 92635/107435 (executing program) 1970/01/01 00:06:33 fetching corpus: 2100, signal 95448/108507 (executing program) 1970/01/01 00:06:36 fetching corpus: 2150, signal 96111/109007 (executing program) 1970/01/01 00:06:39 fetching corpus: 2200, signal 96708/109443 (executing program) 1970/01/01 00:06:43 fetching corpus: 2250, signal 97239/109838 (executing program) 1970/01/01 00:06:48 fetching corpus: 2300, signal 97695/110189 (executing program) 1970/01/01 00:06:54 fetching corpus: 2350, signal 99337/110714 (executing program) 1970/01/01 00:07:00 fetching corpus: 2400, signal 100216/111053 (executing program) 1970/01/01 00:07:04 fetching corpus: 2450, signal 100773/111361 (executing program) [ 427.021756][ C0] hrtimer: interrupt took 24864400 ns 1970/01/01 00:07:08 fetching corpus: 2479, signal 101099/111608 (executing program) 1970/01/01 00:07:08 fetching corpus: 2479, signal 101099/111820 (executing program) 1970/01/01 00:07:09 fetching corpus: 2479, signal 101099/112013 (executing program) 1970/01/01 00:07:09 fetching corpus: 2479, signal 101099/112226 (executing program) 1970/01/01 00:07:09 fetching corpus: 2479, signal 101099/112438 (executing program) 1970/01/01 00:07:09 
fetching corpus: 2479, signal 101099/112629 (executing program) 1970/01/01 00:07:10 fetching corpus: 2479, signal 101099/112828 (executing program) 1970/01/01 00:07:10 fetching corpus: 2479, signal 101099/112828 (executing program) 1970/01/01 00:09:49 starting 2 fuzzer processes 00:10:06 executing program 0: semctl$IPC_RMID(0xffffffffffffffff, 0x0, 0x0) semop(0x0, &(0x7f0000000000)=[{0x4, 0x9, 0x800}, {0x2, 0x9, 0x1800}, {0xf53377090431af6e, 0xc7f5}, {0x0, 0x6, 0x1800}, {0x0, 0x9, 0xc00}, {0x4}, {0x1, 0x8, 0x1c00}, {0x6, 0x800}, {0x3, 0x9, 0x1000}, {0x3, 0x80}], 0xa) semctl$GETZCNT(0x0, 0xcbc12cc58f499c0a, 0xf, &(0x7f0000000040)=""/150) semtimedop(0xffffffffffffffff, &(0x7f0000000100)=[{0x0, 0x7, 0x1000}], 0x1, &(0x7f0000000140)={0x77359400}) r0 = semget$private(0x0, 0x0, 0x6) semctl$SEM_INFO(r0, 0x3, 0x13, &(0x7f0000000180)=""/8) semtimedop(r0, &(0x7f00000001c0)=[{0x1, 0x8000, 0x800}], 0x1, &(0x7f0000000200)={0x0, 0x3938700}) r1 = semget(0x1, 0x4, 0x50) semtimedop(r1, &(0x7f0000000240)=[{0x1, 0xfe00, 0x1000}], 0x1, &(0x7f0000000280)={0x77359400}) clock_gettime(0x0, &(0x7f0000000380)={0x0, 0x0}) rt_sigtimedwait(&(0x7f00000002c0)={[0x85]}, &(0x7f0000000300), &(0x7f00000003c0)={r2, r3+10000000}, 0x8) semop(0xffffffffffffffff, &(0x7f0000000400)=[{0x0, 0xce, 0x1000}, {0x0, 0x1, 0x1000}], 0x2) semctl$IPC_RMID(r1, 0x0, 0x0) nanosleep(&(0x7f0000000440)={0x0, 0x989680}, &(0x7f0000000480)) r4 = semget(0x0, 0x1, 0x40) statx(0xffffffffffffffff, &(0x7f00000004c0)='./file0\x00', 0x100, 0x20, &(0x7f0000000500)={0x0, 0x0, 0x0, 0x0, 0x0}) semctl$IPC_SET(r4, 0x0, 0x1, &(0x7f0000000600)={{0x2, r5, 0xee00, 0xee00, 0xee00, 0x4, 0x9a4f}, 0x8, 0xe0a0, 0x0, 0x0, 0x0, 0x0, 0x7fff}) r6 = openat$char_raw_ctl(0xffffffffffffff9c, &(0x7f0000000680)='/dev/raw/rawctl\x00', 0x400400, 0x0) r7 = openat$drirender128(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/dri/renderD128\x00', 0x2, 0x0) ppoll(&(0x7f00000007c0)=[{r6, 0x80}, {r7}, {}, {0xffffffffffffffff, 0x5089}, {0xffffffffffffffff, 0xd403}, 
{0xffffffffffffffff, 0x4004}, {0xffffffffffffffff, 0x4080}, {0xffffffffffffffff, 0x9202}], 0x8, &(0x7f0000000800)={0x77359400}, &(0x7f0000000840), 0x8) 00:10:27 executing program 1: ioctl$sock_SIOCSIFBR(0xffffffffffffffff, 0x8941, &(0x7f0000000040)=@get={0x1, &(0x7f0000000000)=""/41, 0x10001}) setsockopt$inet6_IPV6_ADDRFORM(0xffffffffffffffff, 0x29, 0x1, &(0x7f0000000080), 0x4) ioctl$sock_SIOCSIFBR(0xffffffffffffffff, 0x8941, &(0x7f0000000100)=@get={0x1, &(0x7f00000000c0)=""/60, 0xffffffffffffffff}) r0 = socket$inet_smc(0x2b, 0x1, 0x0) getsockopt$sock_linger(r0, 0x1, 0xd, &(0x7f0000000140), &(0x7f0000000180)=0x8) r1 = syz_open_dev$tty20(0xc, 0x4, 0x1) ioctl$BTRFS_IOC_GET_FEATURES(r1, 0x80189439, &(0x7f00000001c0)) ioctl$KDADDIO(r1, 0x4b34, 0x49) setsockopt$inet6_MRT6_DEL_MFC(0xffffffffffffffff, 0x29, 0xcd, &(0x7f0000000200)={{0xa, 0x4e24, 0xfffffff8, @initdev={0xfe, 0x88, [], 0x1, 0x0}, 0x401}, {0xa, 0x4e24, 0xffffffff, @rand_addr=' \x01\x00', 0xa0000000}, 0x3f, [0x3, 0x1000, 0x81, 0x40, 0x200, 0x0, 0x8, 0xffffffff]}, 0x5c) setsockopt$inet6_IPV6_ADDRFORM(0xffffffffffffffff, 0x29, 0x1, &(0x7f0000000280), 0x4) r2 = dup3(r0, r1, 0x0) setsockopt$IP6T_SO_SET_ADD_COUNTERS(r2, 0x29, 0x41, &(0x7f00000002c0)={'mangle\x00', 0x4, [{}, {}, {}, {}]}, 0x68) ioctl$BTRFS_IOC_SCRUB_PROGRESS(r1, 0xc400941d, &(0x7f0000000340)={0x0, 0x5, 0x1f, 0x1}) ioctl$FS_IOC_RESVSP(r0, 0x40305828, &(0x7f0000000740)={0x0, 0x0, 0x3ff, 0x8}) r3 = openat$cgroup_netprio_ifpriomap(r2, &(0x7f0000000780)='net_prio.ifpriomap\x00', 0x2, 0x0) ioctl$FS_IOC_GETFLAGS(r3, 0x80086601, &(0x7f00000007c0)) ioctl$sock_FIOGETOWN(r0, 0x8903, &(0x7f0000000800)) setsockopt$inet6_tcp_TCP_ULP(0xffffffffffffffff, 0x6, 0x1f, &(0x7f0000000840)='tls\x00', 0x4) r4 = syz_open_dev$mouse(&(0x7f0000000880)='/dev/input/mouse#\x00', 0x5, 0x10000) setsockopt$inet_tcp_TCP_MD5SIG(r4, 0x6, 0xe, &(0x7f00000008c0)={@in={{0x2, 0x4e24, @broadcast}}, 0x0, 0x0, 0x41, 0x0, 
"749966ac8bfba7a49335f478ec28efcaba97d0968400596c88b4f5f42544f5704ddbe7e4c0b68f128b7ac1f0ba0ddaccaa3ea4fdaf854a2bb5488392c8f7a03cdc32fe6ba276cbfc8eecc247a0ae03f9"}, 0xd8) [ 631.417191][ T3082] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 631.632731][ T3082] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 639.137704][ T3082] device hsr_slave_0 entered promiscuous mode [ 639.205473][ T3082] device hsr_slave_1 entered promiscuous mode [ 643.338436][ T3082] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 643.468444][ T3082] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 643.568043][ T3082] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 644.055464][ T3082] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 652.388366][ T3082] 8021q: adding VLAN 0 to HW filter on device bond0 [ 652.757599][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 652.847042][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 660.465680][ T3242] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 660.536007][ T3218] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 660.546753][ T3218] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 660.756265][ T3242] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 661.426526][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 661.478250][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 661.636596][ T3218] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 661.798230][ T1937] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 662.976423][ T3082] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 662.978196][ T3082] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 663.127982][ T3162] 
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 663.161467][ T3162] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 663.183403][ T3162] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 663.195705][ T3162] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 663.295456][ T3162] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 663.978085][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 663.993817][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 669.996718][ T3242] device hsr_slave_0 entered promiscuous mode [ 670.075289][ T3242] device hsr_slave_1 entered promiscuous mode [ 670.102324][ T3242] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 670.111941][ T3242] Cannot create hsr debugfs directory [ 673.727897][ T3242] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 673.857864][ T3242] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 674.043461][ T3242] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 674.162272][ T3242] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 675.644256][ T1937] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 675.698709][ T1937] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 682.138239][ T3082] device veth0_vlan entered promiscuous mode [ 682.307057][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 682.377391][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 682.575409][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 682.614383][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 682.933666][ T3242] 8021q: adding VLAN 0 to HW filter on device bond0 [ 683.096829][ T3082] device veth1_vlan entered promiscuous mode [ 683.551567][ T1937] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 683.606700][ T1937] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 684.631297][ T3218] IPv6: 
ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 684.666603][ T3218] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 684.870840][ T3082] device veth0_macvtap entered promiscuous mode [ 685.162032][ T3082] device veth1_macvtap entered promiscuous mode [ 685.678066][ T1937] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready [ 686.086217][ T3218] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 686.118660][ T3218] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 686.497180][ T3218] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 686.547725][ T3218] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 686.748123][ T3082] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 686.775425][ T3082] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 686.777352][ T3082] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 686.785851][ T3082] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 689.564887][ T3082] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation [ 690.988234][ T3522] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 691.035484][ T3522] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 691.231000][ T3218] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 691.276204][ T3218] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 691.496929][ T3218] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 691.871175][ T3218] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 692.753619][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 692.818508][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 693.096487][ T3218] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 
693.196490][ T3218] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 693.478040][ T3242] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 694.407383][ T1937] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 694.412683][ T1937] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready 00:11:36 executing program 0: semctl$IPC_RMID(0xffffffffffffffff, 0x0, 0x0) semop(0x0, &(0x7f0000000000)=[{0x4, 0x9, 0x800}, {0x2, 0x9, 0x1800}, {0xf53377090431af6e, 0xc7f5}, {0x0, 0x6, 0x1800}, {0x0, 0x9, 0xc00}, {0x4}, {0x1, 0x8, 0x1c00}, {0x6, 0x800}, {0x3, 0x9, 0x1000}, {0x3, 0x80}], 0xa) semctl$GETZCNT(0x0, 0xcbc12cc58f499c0a, 0xf, &(0x7f0000000040)=""/150) semtimedop(0xffffffffffffffff, &(0x7f0000000100)=[{0x0, 0x7, 0x1000}], 0x1, &(0x7f0000000140)={0x77359400}) r0 = semget$private(0x0, 0x0, 0x6) semctl$SEM_INFO(r0, 0x3, 0x13, &(0x7f0000000180)=""/8) semtimedop(r0, &(0x7f00000001c0)=[{0x1, 0x8000, 0x800}], 0x1, &(0x7f0000000200)={0x0, 0x3938700}) r1 = semget(0x1, 0x4, 0x50) semtimedop(r1, &(0x7f0000000240)=[{0x1, 0xfe00, 0x1000}], 0x1, &(0x7f0000000280)={0x77359400}) clock_gettime(0x0, &(0x7f0000000380)={0x0, 0x0}) rt_sigtimedwait(&(0x7f00000002c0)={[0x85]}, &(0x7f0000000300), &(0x7f00000003c0)={r2, r3+10000000}, 0x8) semop(0xffffffffffffffff, &(0x7f0000000400)=[{0x0, 0xce, 0x1000}, {0x0, 0x1, 0x1000}], 0x2) semctl$IPC_RMID(r1, 0x0, 0x0) nanosleep(&(0x7f0000000440)={0x0, 0x989680}, &(0x7f0000000480)) r4 = semget(0x0, 0x1, 0x40) statx(0xffffffffffffffff, &(0x7f00000004c0)='./file0\x00', 0x100, 0x20, &(0x7f0000000500)={0x0, 0x0, 0x0, 0x0, 0x0}) semctl$IPC_SET(r4, 0x0, 0x1, &(0x7f0000000600)={{0x2, r5, 0xee00, 0xee00, 0xee00, 0x4, 0x9a4f}, 0x8, 0xe0a0, 0x0, 0x0, 0x0, 0x0, 0x7fff}) r6 = openat$char_raw_ctl(0xffffffffffffff9c, &(0x7f0000000680)='/dev/raw/rawctl\x00', 0x400400, 0x0) r7 = openat$drirender128(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/dri/renderD128\x00', 0x2, 0x0) ppoll(&(0x7f00000007c0)=[{r6, 0x80}, {r7}, {}, {0xffffffffffffffff, 
0x5089}, {0xffffffffffffffff, 0xd403}, {0xffffffffffffffff, 0x4004}, {0xffffffffffffffff, 0x4080}, {0xffffffffffffffff, 0x9202}], 0x8, &(0x7f0000000800)={0x77359400}, &(0x7f0000000840), 0x8) 00:11:42 executing program 0: semctl$IPC_RMID(0xffffffffffffffff, 0x0, 0x0) semop(0x0, &(0x7f0000000000)=[{0x4, 0x9, 0x800}, {0x2, 0x9, 0x1800}, {0xf53377090431af6e, 0xc7f5}, {0x0, 0x6, 0x1800}, {0x0, 0x9, 0xc00}, {0x4}, {0x1, 0x8, 0x1c00}, {0x6, 0x800}, {0x3, 0x9, 0x1000}, {0x3, 0x80}], 0xa) semctl$GETZCNT(0x0, 0xcbc12cc58f499c0a, 0xf, &(0x7f0000000040)=""/150) semtimedop(0xffffffffffffffff, &(0x7f0000000100)=[{0x0, 0x7, 0x1000}], 0x1, &(0x7f0000000140)={0x77359400}) r0 = semget$private(0x0, 0x0, 0x6) semctl$SEM_INFO(r0, 0x3, 0x13, &(0x7f0000000180)=""/8) semtimedop(r0, &(0x7f00000001c0)=[{0x1, 0x8000, 0x800}], 0x1, &(0x7f0000000200)={0x0, 0x3938700}) r1 = semget(0x1, 0x4, 0x50) semtimedop(r1, &(0x7f0000000240)=[{0x1, 0xfe00, 0x1000}], 0x1, &(0x7f0000000280)={0x77359400}) clock_gettime(0x0, &(0x7f0000000380)={0x0, 0x0}) rt_sigtimedwait(&(0x7f00000002c0)={[0x85]}, &(0x7f0000000300), &(0x7f00000003c0)={r2, r3+10000000}, 0x8) semop(0xffffffffffffffff, &(0x7f0000000400)=[{0x0, 0xce, 0x1000}, {0x0, 0x1, 0x1000}], 0x2) semctl$IPC_RMID(r1, 0x0, 0x0) nanosleep(&(0x7f0000000440)={0x0, 0x989680}, &(0x7f0000000480)) r4 = semget(0x0, 0x1, 0x40) statx(0xffffffffffffffff, &(0x7f00000004c0)='./file0\x00', 0x100, 0x20, &(0x7f0000000500)={0x0, 0x0, 0x0, 0x0, 0x0}) semctl$IPC_SET(r4, 0x0, 0x1, &(0x7f0000000600)={{0x2, r5, 0xee00, 0xee00, 0xee00, 0x4, 0x9a4f}, 0x8, 0xe0a0, 0x0, 0x0, 0x0, 0x0, 0x7fff}) r6 = openat$char_raw_ctl(0xffffffffffffff9c, &(0x7f0000000680)='/dev/raw/rawctl\x00', 0x400400, 0x0) r7 = openat$drirender128(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/dri/renderD128\x00', 0x2, 0x0) ppoll(&(0x7f00000007c0)=[{r6, 0x80}, {r7}, {}, {0xffffffffffffffff, 0x5089}, {0xffffffffffffffff, 0xd403}, {0xffffffffffffffff, 0x4004}, {0xffffffffffffffff, 0x4080}, {0xffffffffffffffff, 0x9202}], 
0x8, &(0x7f0000000800)={0x77359400}, &(0x7f0000000840), 0x8) [ 707.282106][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 707.346333][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready 00:11:47 executing program 0: semctl$IPC_RMID(0xffffffffffffffff, 0x0, 0x0) semop(0x0, &(0x7f0000000000)=[{0x4, 0x9, 0x800}, {0x2, 0x9, 0x1800}, {0xf53377090431af6e, 0xc7f5}, {0x0, 0x6, 0x1800}, {0x0, 0x9, 0xc00}, {0x4}, {0x1, 0x8, 0x1c00}, {0x6, 0x800}, {0x3, 0x9, 0x1000}, {0x3, 0x80}], 0xa) semctl$GETZCNT(0x0, 0xcbc12cc58f499c0a, 0xf, &(0x7f0000000040)=""/150) semtimedop(0xffffffffffffffff, &(0x7f0000000100)=[{0x0, 0x7, 0x1000}], 0x1, &(0x7f0000000140)={0x77359400}) r0 = semget$private(0x0, 0x0, 0x6) semctl$SEM_INFO(r0, 0x3, 0x13, &(0x7f0000000180)=""/8) semtimedop(r0, &(0x7f00000001c0)=[{0x1, 0x8000, 0x800}], 0x1, &(0x7f0000000200)={0x0, 0x3938700}) r1 = semget(0x1, 0x4, 0x50) semtimedop(r1, &(0x7f0000000240)=[{0x1, 0xfe00, 0x1000}], 0x1, &(0x7f0000000280)={0x77359400}) clock_gettime(0x0, &(0x7f0000000380)={0x0, 0x0}) rt_sigtimedwait(&(0x7f00000002c0)={[0x85]}, &(0x7f0000000300), &(0x7f00000003c0)={r2, r3+10000000}, 0x8) semop(0xffffffffffffffff, &(0x7f0000000400)=[{0x0, 0xce, 0x1000}, {0x0, 0x1, 0x1000}], 0x2) semctl$IPC_RMID(r1, 0x0, 0x0) nanosleep(&(0x7f0000000440)={0x0, 0x989680}, &(0x7f0000000480)) r4 = semget(0x0, 0x1, 0x40) statx(0xffffffffffffffff, &(0x7f00000004c0)='./file0\x00', 0x100, 0x20, &(0x7f0000000500)={0x0, 0x0, 0x0, 0x0, 0x0}) semctl$IPC_SET(r4, 0x0, 0x1, &(0x7f0000000600)={{0x2, r5, 0xee00, 0xee00, 0xee00, 0x4, 0x9a4f}, 0x8, 0xe0a0, 0x0, 0x0, 0x0, 0x0, 0x7fff}) r6 = openat$char_raw_ctl(0xffffffffffffff9c, &(0x7f0000000680)='/dev/raw/rawctl\x00', 0x400400, 0x0) r7 = openat$drirender128(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/dri/renderD128\x00', 0x2, 0x0) ppoll(&(0x7f00000007c0)=[{r6, 0x80}, {r7}, {}, {0xffffffffffffffff, 0x5089}, {0xffffffffffffffff, 0xd403}, {0xffffffffffffffff, 0x4004}, 
{0xffffffffffffffff, 0x4080}, {0xffffffffffffffff, 0x9202}], 0x8, &(0x7f0000000800)={0x77359400}, &(0x7f0000000840), 0x8) [ 715.385316][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 715.438439][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 715.627119][ T3242] device veth0_vlan entered promiscuous mode [ 715.732832][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 715.764944][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 716.413614][ T3242] device veth1_vlan entered promiscuous mode [ 718.035667][ T3162] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 718.058666][ T3162] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 718.328219][ T3242] device veth0_macvtap entered promiscuous mode [ 718.701672][ T3242] device veth1_macvtap entered promiscuous mode [ 719.202692][ T3162] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready [ 719.238015][ T3162] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 719.741821][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 719.812582][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 720.204038][ T1937] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 720.228371][ T1937] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 720.553626][ T3242] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 720.556450][ T3242] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 720.577404][ T3242] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 720.594965][ T3242] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 00:12:06 executing program 0: semctl$IPC_RMID(0xffffffffffffffff, 0x0, 0x0) semop(0x0, &(0x7f0000000000)=[{0x4, 0x9, 0x800}, {0x2, 0x9, 0x1800}, {0xf53377090431af6e, 0xc7f5}, {0x0, 0x6, 0x1800}, {0x0, 0x9, 0xc00}, {0x4}, {0x1, 
0x8, 0x1c00}, {0x6, 0x800}, {0x3, 0x9, 0x1000}, {0x3, 0x80}], 0xa) semctl$GETZCNT(0x0, 0xcbc12cc58f499c0a, 0xf, &(0x7f0000000040)=""/150) semtimedop(0xffffffffffffffff, &(0x7f0000000100)=[{0x0, 0x7, 0x1000}], 0x1, &(0x7f0000000140)={0x77359400}) r0 = semget$private(0x0, 0x0, 0x6) semctl$SEM_INFO(r0, 0x3, 0x13, &(0x7f0000000180)=""/8) semtimedop(r0, &(0x7f00000001c0)=[{0x1, 0x8000, 0x800}], 0x1, &(0x7f0000000200)={0x0, 0x3938700}) r1 = semget(0x1, 0x4, 0x50) semtimedop(r1, &(0x7f0000000240)=[{0x1, 0xfe00, 0x1000}], 0x1, &(0x7f0000000280)={0x77359400}) clock_gettime(0x0, &(0x7f0000000380)={0x0, 0x0}) rt_sigtimedwait(&(0x7f00000002c0)={[0x85]}, &(0x7f0000000300), &(0x7f00000003c0)={r2, r3+10000000}, 0x8) semop(0xffffffffffffffff, &(0x7f0000000400)=[{0x0, 0xce, 0x1000}, {0x0, 0x1, 0x1000}], 0x2) semctl$IPC_RMID(r1, 0x0, 0x0) nanosleep(&(0x7f0000000440)={0x0, 0x989680}, &(0x7f0000000480)) r4 = semget(0x0, 0x1, 0x40) statx(0xffffffffffffffff, &(0x7f00000004c0)='./file0\x00', 0x100, 0x20, &(0x7f0000000500)={0x0, 0x0, 0x0, 0x0, 0x0}) semctl$IPC_SET(r4, 0x0, 0x1, &(0x7f0000000600)={{0x2, r5, 0xee00, 0xee00, 0xee00, 0x4, 0x9a4f}, 0x8, 0xe0a0, 0x0, 0x0, 0x0, 0x0, 0x7fff}) r6 = openat$char_raw_ctl(0xffffffffffffff9c, &(0x7f0000000680)='/dev/raw/rawctl\x00', 0x400400, 0x0) ppoll(&(0x7f00000007c0)=[{r6, 0x80}, {}, {}, {0xffffffffffffffff, 0x5089}, {0xffffffffffffffff, 0xd403}, {0xffffffffffffffff, 0x4004}, {0xffffffffffffffff, 0x4080}, {0xffffffffffffffff, 0x9202}], 0x8, &(0x7f0000000800)={0x77359400}, &(0x7f0000000840), 0x8) 00:12:06 executing program 1: ioctl$sock_SIOCSIFBR(0xffffffffffffffff, 0x8941, &(0x7f0000000040)=@get={0x1, &(0x7f0000000000)=""/41, 0x10001}) setsockopt$inet6_IPV6_ADDRFORM(0xffffffffffffffff, 0x29, 0x1, &(0x7f0000000080), 0x4) ioctl$sock_SIOCSIFBR(0xffffffffffffffff, 0x8941, &(0x7f0000000100)=@get={0x1, &(0x7f00000000c0)=""/60, 0xffffffffffffffff}) r0 = socket$inet_smc(0x2b, 0x1, 0x0) getsockopt$sock_linger(r0, 0x1, 0xd, &(0x7f0000000140), 
&(0x7f0000000180)=0x8)
r1 = syz_open_dev$tty20(0xc, 0x4, 0x1)
ioctl$BTRFS_IOC_GET_FEATURES(r1, 0x80189439, &(0x7f00000001c0))
ioctl$KDADDIO(r1, 0x4b34, 0x49)
setsockopt$inet6_MRT6_DEL_MFC(0xffffffffffffffff, 0x29, 0xcd, &(0x7f0000000200)={{0xa, 0x4e24, 0xfffffff8, @initdev={0xfe, 0x88, [], 0x1, 0x0}, 0x401}, {0xa, 0x4e24, 0xffffffff, @rand_addr=' \x01\x00', 0xa0000000}, 0x3f, [0x3, 0x1000, 0x81, 0x40, 0x200, 0x0, 0x8, 0xffffffff]}, 0x5c)
setsockopt$inet6_IPV6_ADDRFORM(0xffffffffffffffff, 0x29, 0x1, &(0x7f0000000280), 0x4)
r2 = dup3(r0, r1, 0x0)
setsockopt$IP6T_SO_SET_ADD_COUNTERS(r2, 0x29, 0x41, &(0x7f00000002c0)={'mangle\x00', 0x4, [{}, {}, {}, {}]}, 0x68)
ioctl$BTRFS_IOC_SCRUB_PROGRESS(r1, 0xc400941d, &(0x7f0000000340)={0x0, 0x5, 0x1f, 0x1})
ioctl$FS_IOC_RESVSP(r0, 0x40305828, &(0x7f0000000740)={0x0, 0x0, 0x3ff, 0x8})
r3 = openat$cgroup_netprio_ifpriomap(r2, &(0x7f0000000780)='net_prio.ifpriomap\x00', 0x2, 0x0)
ioctl$FS_IOC_GETFLAGS(r3, 0x80086601, &(0x7f00000007c0))
ioctl$sock_FIOGETOWN(r0, 0x8903, &(0x7f0000000800))
setsockopt$inet6_tcp_TCP_ULP(0xffffffffffffffff, 0x6, 0x1f, &(0x7f0000000840)='tls\x00', 0x4)
r4 = syz_open_dev$mouse(&(0x7f0000000880)='/dev/input/mouse#\x00', 0x5, 0x10000)
setsockopt$inet_tcp_TCP_MD5SIG(r4, 0x6, 0xe, &(0x7f00000008c0)={@in={{0x2, 0x4e24, @broadcast}}, 0x0, 0x0, 0x41, 0x0, "749966ac8bfba7a49335f478ec28efcaba97d0968400596c88b4f5f42544f5704ddbe7e4c0b68f128b7ac1f0ba0ddaccaa3ea4fdaf854a2bb5488392c8f7a03cdc32fe6ba276cbfc8eecc247a0ae03f9"}, 0xd8)
[ 731.614707][ T3567] Unable to handle kernel access to user memory without uaccess routines at virtual address 0000000020000800
[ 731.666166][ T3567] Oops [#1]
[ 731.667359][ T3567] Modules linked in:
[ 731.668445][ T3567] CPU: 0 PID: 3567 Comm: syz-executor.1 Not tainted 5.12.0-rc5-syzkaller-00715-ga5e13c6df0e4 #0
[ 731.670846][ T3567] Hardware name: riscv-virtio,qemu (DT)
[ 731.671694][ T3567] epc : sock_ioctl+0x4c4/0x66c
[ 731.672569][ T3567] ra : sock_ioctl+0x4c4/0x66c
[ 731.673250][ T3567] epc : ffffffe0020e60a2 ra : ffffffe0020e60a2 sp : ffffffe009e37da0
[ 731.674128][ T3567] gp : ffffffe004588b08 tp : ffffffe006808000 t0 : 0000000000000000
[ 731.674890][ T3567] t1 : 0000000000000001 t2 : 00000000000f4240 s0 : ffffffe009e37e30
[ 731.676358][ T3567] s1 : 0000000000040000 a0 : 0000000000000000 a1 : 0000000000000007
[ 731.677541][ T3567] a2 : 1ffffffc00d01000 a3 : ffffffe002a94d2e a4 : 0000000000000000
[ 731.678650][ T3567] a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffffe000084f3a
[ 731.680501][ T3567] s2 : 0000000000000000 s3 : 0000000000008902 s4 : 0000000020000800
[ 731.681722][ T3567] s5 : ffffffe00458c0d0 s6 : ffffffe00d2e1a40 s7 : ffffffe008448000
[ 731.683091][ T3567] s8 : 0000000000008903 s9 : ffffffe00d2e1b00 s10: 0000000000000000
[ 731.684527][ T3567] s11: 0000000000020000 t3 : 955b9ce0b471eb00 t4 : ffffffc400e297b2
[ 731.686056][ T3567] t5 : ffffffc400e297ba t6 : 0000000000040000
[ 731.686998][ T3567] status: 0000000000000120 badaddr: 0000000020000800 cause: 000000000000000f
[ 731.688211][ T3567] Call Trace:
[ 731.689013][ T3567] [] sock_ioctl+0x4c4/0x66c
[ 731.690219][ T3567] [] sys_ioctl+0x5c2/0xd56
[ 731.691019][ T3567] [] ret_from_syscall+0x0/0x2
[ 731.694614][ T3567] ---[ end trace 066c9bd803ab3aee ]---
[ 731.697474][ T3567] Kernel panic - not syncing: Fatal exception
[ 731.699337][ T3567] SMP: stopping secondary CPUs
[ 731.701070][ T3567] Rebooting in 86400 seconds..
VM DIAGNOSIS: 17:31:21 Registers: