last executing test programs: 2.560530934s ago: executing program 1 (id=2): r0 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000000c80)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000a80)={{0x2, 0xffff, @private=0xa010100}, {0x0, @multicast}, 0x0, {0x2, 0x4e23, @multicast1}, 'wg1\x00'}) syz_usb_ep_write$ath9k_ep1(r0, 0x82, 0x10, &(0x7f0000001cc0)=ANY=[@ANYBLOB='\f@\x00N']) syz_usb_ep_write$ath9k_ep2(r0, 0x83, 0x12, &(0x7f0000000340)=@conn_svc_rsp={0x0, 0x0, 0xa, "68eab02f", {0x3, 0x107, 0x0, 0xe, 0x7, 0x5, 0x9}}) capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2}) r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x8002, 0x0) ioctl$TIOCSLCKTRMIOS(r2, 0x5457, 0x0) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000380), 0x80a000, 0x0) sysinfo(&(0x7f0000000000)=""/196) r3 = openat$full(0xffffffffffffff9c, &(0x7f0000000000), 0x6c080, 0x0) ioctl$KVM_SET_IRQCHIP(r3, 0x8208ae63, &(0x7f0000000100)={0x0, 0x0, @pic={0x1, 0xa8, 0x0, 0x4, 0xfe, 0x6, 0x5, 0x8, 0x40, 0xa0, 0x1, 0x3, 0x7, 0xe, 0x7f, 0x8}}) r4 = socket(0x10, 0x3, 0x0) sendmsg$kcm(r4, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)="2e00000010008188040f80ec59acbc0413a1f8480d0000005e140602000000000e000a000f00000002800000121f", 0x2e}], 0x1}, 0x404c080) syz_usb_ep_write$ath9k_ep1(r0, 0x82, 0x4, &(0x7f0000000040)=ANY=[@ANYBLOB="0000004e13b0a252320c9adc29075cf6e4fccac849fe7745ff149d68486993116ebbc12e1d6e99eb1e40ae9b156cf82c581eb7c216a8977855c26a91796082b4cd63be9fa53acce0cc1cc7dbdf9a0906a3d834ba3660384a4de4fc5ddb439b4d92979ac51f21a9ed976d15272357079257a5d4d91b7c796b2db93a09de6ee207aaa16d1748b8138998fffd16476b92fc25e6cde289fe282ff49bdee55d2c2a76abb8560f7726fda70540b5abd461c3606c5971d378fb6d7600"]) 2.182178137s ago: executing program 0 (id=1): r0 = syz_open_dev$mouse(&(0x7f00000000c0), 0x0, 0x2042) r1 = syz_open_procfs(0x0, 
&(0x7f00000000c0)='fd/3\x00') (async, rerun: 64) syz_usb_connect$cdc_ncm(0x0, 0x72, &(0x7f0000000140)=ANY=[@ANYBLOB="1201000002000040257d15a4400001040001090260004201000000090400000102090000052406000105240000000d240f01000004eaffffff1e0006031a000008048002000905", @ANYRES64], 0x0) (async, rerun: 64) close(0x3) (async) r2 = socket$nl_audit(0x10, 0x3, 0x9) (async) r3 = getpgid(0x0) r4 = socket$nl_generic(0x10, 0x3, 0x10) fstat(r4, &(0x7f0000000180)={0x0, 0x0, 0x0, 0x0, 0x0}) setuid(r5) (async) sendmsg$netlink(r2, &(0x7f0000000bc0)={0x0, 0x0, &(0x7f0000000880)=[{0x0, 0x790}], 0x1, &(0x7f0000000b00)=[@cred={{0x1c, 0x1, 0x2, {r3, r5, 0xee01}}}], 0x20, 0x40000}, 0x400c810) (async) syz_open_dev$char_usb(0xc, 0xb4, 0x0) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f00000017c0)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB=',wfdno=', @ANYRESHEX=r0]) 1.941932289s ago: executing program 0 (id=5): r0 = syz_open_dev$dri(&(0x7f0000000140), 0x1, 0x0) r1 = syz_open_dev$dri(&(0x7f00000005c0), 0x4a7, 0x0) ioctl$DRM_IOCTL_MODE_GET_LEASE(r1, 0xc01064c8, &(0x7f00000002c0)={0x2, 0x0, &(0x7f0000000080)=[0x0, 0x0]}) ioctl$DRM_IOCTL_MODE_GETPROPERTY(r1, 0xc04064aa, &(0x7f000001f880)={0x0, &(0x7f0000000280)=[{}], r3, 0x0, '\x00', 0x0, 0x1}) ioctl$DRM_IOCTL_MODE_GETCRTC(r0, 0xc06864a1, &(0x7f00000000c0)={&(0x7f0000000080)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x400000000000027b, r3, 0x0}) ioctl$DRM_IOCTL_MODE_ADDFB2(r0, 0xc06864b8, &(0x7f0000000180)={r4, 0xbd, 0x80, 0x20203843, 0x2, [0x2], [0x800], [0xb9d], [0x4]}) r5 = memfd_secret(0x80000) ioctl$DRM_IOCTL_MODE_GETPROPERTY(r0, 0xc04064aa, &(0x7f00000004c0)={&(0x7f0000000480)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f0000000600)=[{}, {}, {}, {}, {}, {}, {}, {}], r2, 0x0, '\x00', 0x8, 0x8}) mmap(&(0x7f0000000000/0xfbe000)=nil, 0xfbe000, 0x2, 0x13, r5, 0x0) ftruncate(r5, 0x3) prctl$PR_SET_THP_DISABLE(0x29, 0x1) openat$vsock(0xffffffffffffff9c, &(0x7f0000000000), 0x44a101, 0x0) 
ioctl$DRM_IOCTL_MODE_GETCRTC(r1, 0xc06864a1, &(0x7f0000000300)={&(0x7f0000000200)=[0x0], 0x1, r3, 0x0}) ioctl$DRM_IOCTL_MODE_ATOMIC(r0, 0xc03864bc, &(0x7f0000000440)={0x0, 0x3, &(0x7f0000000240)=[r3, r6, r3], &(0x7f0000000380)=[0x0], &(0x7f00000003c0)=[r3, r3, r3, r3, r3, r2, r2, r2, r3, r2], &(0x7f0000000400)=[0x3, 0x9, 0xff, 0x3, 0x6, 0xbc, 0x2, 0xffffffffffff8000], 0x0, 0x7ff}) ioctl$DRM_IOCTL_MODE_GETGAMMA(r5, 0xc02064a4, &(0x7f0000000740)={r6, 0x4, &(0x7f0000000500)=[0x3, 0x9, 0x0, 0xc62e], &(0x7f0000000540)=[0x7ff], &(0x7f0000000580)=[0x8, 0x0, 0x8, 0x1f]}) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) syz_usb_connect(0x5, 0x36, &(0x7f0000000000)=ANY=[@ANYRES16=r0, @ANYBLOB="e684ede3444c342b3a683d5b6059a5e9cf97c7758d2d1fe94983f52a4a09e136087347c2b8b84446023a01534e194011a1a99ad5dafc4d623bae8d545c57aa38334ce494344f34b1ccddc18b28c81ec5136d64e53a", @ANYRESHEX=r0], 0x0) 1.648305687s ago: executing program 3 (id=4): r0 = socket$inet_sctp(0x2, 0x1, 0x84) (async) ioctl$X86_IOC_RDMSR_REGS(0xffffffffffffffff, 0xc02063a0, &(0x7f0000001140)=[0xfffffffd, 0xffffffff, 0x8004, 0x0, 0x7f, 0x8000, 0x0, 0x5]) setsockopt$inet_sctp_SCTP_SOCKOPT_BINDX_ADD(r0, 0x84, 0x64, &(0x7f0000000580)=[@in={0x2, 0x4e21, @local}], 0x10) r1 = syz_open_dev$vim2m(&(0x7f0000000200), 0x401, 0x2) (async) r2 = landlock_create_ruleset(0x0, 0x0, 0x2) (async, rerun: 32) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f00000ab000/0x18000)=nil, &(0x7f00000001c0)=[@text64={0x40, &(0x7f0000000080)="470f23fc48b8e7320000000000000f21f80f23e1f8440f014a000f2221c7c4c3fd01ce002063800000002c24f30f556797c483fd005b02ea64267b470f1fcfcf666466430f3833af00580000", 0x4c}], 0x1, 0x3c, 0x0, 0x0) (async, rerun: 32) r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000000c0)={{0x14, 0x10, 0x1, 0x2}, [@NFT_MSG_NEWSET={0x14, 0x9, 0xa, 0x401, 0x0, 0x0, {0x1}}], {0x14, 0x10}}, 0x3c}}, 0x0) 
(async, rerun: 32) r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) (rerun: 32) r5 = dup(r4) (async, rerun: 64) ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000000840)={0x1fe, 0x2, 0x2000, 0x1000, &(0x7f0000003000/0x1000)=nil}) (rerun: 64) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r5, r5, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000100)=[@text32={0x20, 0x0}], 0x1, 0x4b, 0x0, 0x0) (async) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r6, &(0x7f0000000000/0x18000)=nil, &(0x7f00000002c0)=[@text64={0x40, 0x0}], 0x1, 0x11, 0x0, 0x0) ioctl$KVM_RUN(r6, 0xae80, 0x0) (async) ioctl$vim2m_VIDIOC_S_FMT(r1, 0xc0d05605, &(0x7f0000000240)={0x1, @raw_data="a425e2f1a54d24f16242413860608d70566e425a6c36af37b33fac9d31c8a9c7044410d324b03e044e454d2092a62fea8f13441431ce248bfc73a6726ee61ba491d15d8f392ff66fe0b17f0e11f5d2367d5593205ab1efa97d40619a553e7da2518125b850a186ef691daa55c9e50ffaf6ddc25220ded32aeba4524cec1afbd17abba1d15ea05e97ed3dcad452db6e08a991e2c78b057f55de7fdeba7411ce65700c0a1ad7946ff7c355db87566e3e5abb7a37a06731ed19ddfa970bb58a27fd9fa194c092730319"}) (async, rerun: 64) sendmsg$inet_sctp(r0, &(0x7f0000000700)={&(0x7f0000000340)=@in={0x2, 0x4e21, @local}, 0x10, &(0x7f00000006c0)=[{&(0x7f0000000380)='N', 0x1}], 0x1, 0x0, 0x0, 0x804c040}, 0x1) (rerun: 64) r7 = dup(r0) keyctl$instantiate(0xc, 0x0, &(0x7f0000000100)=ANY=[@ANYBLOB='new default'], 0x2a, 0xfffffffffffffff9) (async) add_key(&(0x7f0000000140)='encrypted\x00', &(0x7f0000000180), &(0x7f0000000100), 0xca, 0xfffffffffffffffe) (async) ioctl$AUTOFS_DEV_IOCTL_EXPIRE(r7, 0xc018937c, &(0x7f0000000000)={{0x1, 0x1, 0x18, r2, {0x4}}, './file0\x00'}) ioctl$EXT4_IOC_MIGRATE(r8, 0x6609) (async) r9 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r9, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000340)=@updsa={0x13c, 0x10, 0x1, 0x0, 0x0, {{@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @in6=@dev, 0x0, 0x0, 0x0, 0xfffd, 0xa, 0x20, 0x0, 0x5c}, {@in6=@loopback, 0x0, 0x46}, @in=@dev={0xac, 0x14, 0x14, 
0x13}, {0x0, 0xffffffffffffffff}, {0x0, 0x2ab9}, {0x0, 0x11, 0xff}, 0x0, 0x0, 0xa, 0x2, 0x80}, [@algo_auth_trunc={0x4c, 0x14, {{'sm3\x00'}}}]}, 0x13c}, 0x1, 0x0, 0x0, 0x20004005}, 0x0) (async) seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x8, &(0x7f00000001c0)={0x1, &(0x7f0000000000)=[{0x6, 0x3, 0x1, 0x7fff0001}]}) dup(r8) (async) r10 = syz_open_dev$dri(&(0x7f0000000440), 0x1, 0x0) ioctl$DRM_IOCTL_SET_CLIENT_CAP(r10, 0x4010640d, &(0x7f0000000000)={0x3, 0x2}) (async) sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000200)={0x24, 0x2b, 0x107, 0xfffffffe, 0x0, {0x3, 0x7c}, [@nested={0xc, 0x1, 0x0, 0x1, [@typed={0x8, 0x6, 0x0, 0x0, @ipv4=@broadcast}]}, @nested={0x4, 0x2}]}, 0x24}, 0x1, 0x0, 0x0, 0x4048011}, 0x8010) (async) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r10, 0xc01064b5, &(0x7f0000000040)={&(0x7f0000000100)=[0x0], 0x1}) 1.378846072s ago: executing program 2 (id=3): r0 = socket$inet_sctp(0x2, 0x1, 0x84) r1 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000001180)=ANY=[@ANYBLOB="12010000090003206d0414c34000ffff000109022400010400a000090400000103010100093700086ce82201000905815f"], 0x0) syz_usb_control_io$hid(r1, &(0x7f00000001c0)={0x24, &(0x7f0000000780)=ANY=[@ANYBLOB="00020c0000000c0002"], 0x0, 0x0, 0x0}, 0x0) r2 = openat$vmci(0xffffffffffffff9c, &(0x7f0000000140), 0x2, 0x0) ioctl$IOCTL_VMCI_VERSION2(r2, 0x7a7, &(0x7f0000000040)=0x90000) (async) r3 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$inet_tcp_int(r3, 0x6, 0x1b, &(0x7f0000000000)=0x1, 0x4) ioctl$IOCTL_VMCI_INIT_CONTEXT(r2, 0x7a0, &(0x7f0000000240)={@hyper}) (async) ioctl$IOCTL_VMCI_QUEUEPAIR_ALLOC(r2, 0x7a8, &(0x7f0000000540)={{@hyper, 0xffffffff}, @hyper, 0x0, 0x0, 0x5e, 0xfffffffffffffff9}) (async) syz_usb_control_io(r1, 0x0, &(0x7f00000007c0)={0x84, 0x0, 0x0, 0x0, 0x0, 
&(0x7f0000000500)=ANY=[@ANYBLOB="200000000700000000006c5060f44d3e4aa342c19cdefa89670b84251f3d35da89fe2935aa651a88daec6c893cfb7e0065034d3abaeef9a6d07b53455ad312222c553224a7c9ff24c93513ea5992b2e9500b0a4f8e66b6d217f65e60b18736c1be33d60364064148fc602d14fc16037280f990efa10708acd14dd00a03a5f02eb76f86a91663b5edaf366c6f8aab6ba1226a645ff02ba4c47fa6812d47e37c1428a2e5624e8236f52f9a892e7b3672e2d4113f5f472b3e7f64151e496cfea85155b66311e556a239b4f9dde9bf7138f779954860ea8a6c0a33b228d781905c65e83a7c92"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$hid(r1, 0x0, 0x0) (async) setsockopt$inet_sctp_SCTP_SOCKOPT_BINDX_ADD(r0, 0x84, 0x64, &(0x7f00000003c0)=[@in={0x2, 0x4e21, @local}], 0x10) sendmsg$inet_sctp(r0, &(0x7f0000000700)={&(0x7f0000000340)=@in={0x2, 0x4e21, @local}, 0x10, &(0x7f00000006c0)=[{&(0x7f0000000380)='N', 0x1}], 0x1, 0x0, 0x0, 0x804c040}, 0x1) (async, rerun: 64) setsockopt$inet_sctp_SCTP_DEFAULT_PRINFO(r0, 0x84, 0x72, &(0x7f0000000240)={0x0, 0x1, 0x30}, 0xc) (rerun: 64) r4 = dup(r0) write$RDMA_USER_CM_CMD_CREATE_ID(r4, &(0x7f0000000100)={0x0, 0x18, 0xfa00, {0x2, 0x0, 0x13f, 0x1}}, 0xfed7) r5 = socket$can_raw(0x1d, 0x3, 0x1) ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f0000000040)={'veth0_to_batadv\x00', 0x0}) (async) mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0) (async) r7 = openat$fuse(0xffffffffffffff9c, &(0x7f00000005c0), 0x42, 0x0) mount$fuse(0x0, &(0x7f0000000180)='./file0\x00', &(0x7f0000002100), 0x0, &(0x7f0000000080)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=r7, @ANYBLOB=',rootmode=0000000000000000040000,user_id=', @ANYRESDEC=0x0, @ANYBLOB=',group_id=', @ANYRESDEC=0x0]) (async) write$FUSE_NOTIFY_STORE(r7, &(0x7f0000000100)=ANY=[@ANYBLOB="310000000400000000000000000000000100000000000000000000000000e4ff0900"/49], 0x31) (async, rerun: 32) sendmsg$can_raw(r5, &(0x7f0000000440)={&(0x7f0000000000)={0x1d, r6}, 0x10, &(0x7f00000005c0)={&(0x7f00000004c0)=@can={{}, 0x80, 0x3, 0x4, 0x2, "07000000008000"}, 0x10}, 0x1, 0x0, 0x0, 0x48004}, 
0x40) (async, rerun: 32) setsockopt$inet_sctp_SCTP_DEFAULT_PRINFO(r4, 0x84, 0x72, &(0x7f0000000040)={0x0, 0x8d5, 0x10}, 0xc) r8 = dup(r4) write$P9_RATTACH(r8, &(0x7f0000000000)={0x14, 0x69, 0x1, {0x0, 0xbc83, 0x4}}, 0x14) (async, rerun: 64) setsockopt$inet_sctp_SCTP_DELAYED_SACK(r8, 0x84, 0x10, &(0x7f0000000080)=@sack_info={0x0, 0x40, 0xa}, 0xc) (rerun: 64) 743.435931ms ago: executing program 3 (id=6): openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0xcccc0000, 0x1000, &(0x7f0000f15000/0x1000)=nil}) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440), 0x0, 0x0) pipe(&(0x7f00000000c0)={0xffffffffffffffff}) r2 = openat$cuse(0xffffff9c, &(0x7f0000000180), 0x2, 0x0) splice(r1, 0x0, r2, 0x0, 0x2000, 0x6) r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000340), 0x0, 0x0) ioctl$KVM_GET_REG_LIST(0xffffffffffffffff, 0xc008aeb0, &(0x7f0000000040)={0x7, [0x8, 0x4, 0x4, 0xce, 0x5, 0x57a, 0xd747]}) r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2) ioctl$KVM_RUN(r5, 0xae80, 0x0) r6 = ioctl$KVM_GET_VCPU_MMAP_SIZE(r0, 0xae04) mmap$KVM_VCPU(&(0x7f0000001000/0x3000)=nil, r6, 0x2, 0x13, r5, 0x0) ioctl$KVM_REGISTER_COALESCED_MMIO(r4, 0x4010ae67, &(0x7f0000000040)={0x0, 0x12000, 0x1}) ioctl$KVM_RUN(r5, 0xae80, 0x0) syz_usb_connect(0x1, 0x24, &(0x7f00000002c0)={{0x12, 0x1, 0x300, 0xb1, 0xfe, 0x92, 0x8, 0x1415, 0x3, 0x655d, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x0, 0xd3, 0xa5, 0x3e}}]}}]}}, &(0x7f0000000e80)={0x0, 0x0, 0xf, &(0x7f0000000b80)=ANY=[@ANYBLOB="050f0f00010c"], 0x1, [{0x0, 0x0}]}) 259.138166ms ago: executing program 1 (id=7): r0 = syz_usb_connect(0x0, 0x36, 
&(0x7f0000000200)=ANY=[@ANYBLOB="1201000014da2108ab12a390eb1e000000010902240001b30000040904410017ff5d810009050f1f01040000000905830300b3"], 0x0) syz_usb_connect$printer(0x5, 0x2d, &(0x7f0000000000)=ANY=[@ANYBLOB="867b"], 0x0) r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$nbd(&(0x7f0000000000), 0xffffffffffffffff) sendmsg$NBD_CMD_DISCONNECT(r1, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000080)={0x1c, r2, 0x1, 0x70bd2a, 0x2, {}, [@NBD_ATTR_INDEX={0x8, 0x1, 0x0}]}, 0x1c}, 0x1, 0x0, 0x0, 0x8004}, 0x0) r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r4 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r5 = syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f00000002c0), r4) sendmsg$NLBL_UNLABEL_C_STATICADD(r4, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000040)=ANY=[@ANYBLOB='L\x00\x00\x00', @ANYRES16=r5, @ANYBLOB="010226bd7000feffffff030026f807000400ac14143114000600736974300000000000000000000000001400070000000000000000000000ffff7f000001080005"], 0x4c}, 0x8, 0x3000000000002}, 0x844) sendmsg$NLBL_UNLABEL_C_LIST(r1, &(0x7f00000014c0)={&(0x7f0000000340)={0x10, 0x0, 0x0, 0x10000}, 0xc, &(0x7f0000000480)={&(0x7f0000000380)={0x58, r5, 0x100, 0x70bd28, 0x25dfdbfb, {}, [@NLBL_UNLABEL_A_IPV4MASK={0x8, 0x5, @local}, @NLBL_UNLABEL_A_IPV4MASK={0x8, 0x5, @initdev={0xac, 0x1e, 0x1, 0x0}}, @NLBL_UNLABEL_A_IPV4MASK={0x8, 0x5, @private=0xa010100}, @NLBL_UNLABEL_A_SECCTX={0xf, 0x7, 'unconfined\x00'}, @NLBL_UNLABEL_A_IPV4MASK={0x8, 0x5, @remote}, @NLBL_UNLABEL_A_IPV6ADDR={0x14, 0x2, @local}]}, 0x58}, 0x1, 0x0, 0x0, 0x48845}, 0x24044004) r6 = syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000440), r3) sendmsg$NLBL_UNLABEL_C_STATICLISTDEF(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f00000004c0)={&(0x7f0000000080)={0x14, r6, 0xc8036ab6d6cbef07, 0x70bd28, 0x25dfdbfb}, 0x14}, 0x1, 0x0, 0x0, 0x1}, 0x45080) r7 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0) ioctl$TUNSETIFF(r7, 0x400454ca, 
&(0x7f0000000200)={'syzkaller1\x00', 0xc201}) sendmsg$NBD_CMD_DISCONNECT(r1, &(0x7f0000000300)={&(0x7f0000000240)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f00000002c0)={&(0x7f0000000280)={0x20, r2, 0x100, 0x70bd27, 0x25dfdbfc, {}, [@NBD_ATTR_CLIENT_FLAGS={0xc, 0x6, 0x5}]}, 0x20}, 0x1, 0x0, 0x0, 0x801}, 0x20000040) r8 = socket$alg(0x26, 0x5, 0x0) bind$alg(r8, &(0x7f0000000000)={0x26, 'skcipher\x00', 0x0, 0x0, 'ecb-camellia-asm\x00'}, 0x58) setsockopt$ALG_SET_KEY(r8, 0x117, 0x1, &(0x7f0000c18000)="ad56b6c5820fae9d6dcd3292ea54c7beef915d564c90c200", 0x18) r9 = accept4(r8, 0x0, 0x0, 0x800) sendmmsg$alg(r9, &(0x7f0000000400)=[{0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000140)="f78d9ca38fff48f3be52163448412ba8", 0xfffffe1a}], 0x1, &(0x7f0000000a40)=ANY=[@ANYBLOB="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"], 0x18}], 0x4924924924924fd, 0x0) r10 = socket$inet_smc(0x2b, 0x1, 0x0) listen(r10, 0xfffffffb) r11 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000040)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x0, 0x7fff7ffc}]}) close_range(r11, 0xffffffffffffffff, 0x0) recvmsg(r9, &(0x7f00000005c0)={0x0, 0x10, &(0x7f00000001c0)=[{&(0x7f00000000c0)=""/81, 0x51}, {&(0x7f0000000200)=""/83, 0x20000253}], 0x2}, 0x0) r12 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r12, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r7, &(0x7f0000000600)=ANY=[@ANYBLOB="000086dd0000120000080000000000000002e700000000000000000000000000000000680000000000000000000058a3a63ecb9d27560610f99c9dd10ab79da0a06d27dff4d9cf5b3a5406a93c0b97f370df32102aeac2d523cbbd0f8c0bb429ef29887cf5b81b4c6a1f8172e2e1f8d6ccd6cb43f087c9d68617ed58accda97977bed07b062c812fcdd57e645a117dba3b5bd3e4b2e103bda0b031b0e9c16cfa28d087e02c562a5c58ef8cd33cf1987d12d0f0f2ad3fce128af1b0f99467e86372db1a5da058cc2ac80a5215fc732702f45702c778d73cf240158220a3b81967908b88718c463709d2cde4fc389e71d77d391be3"], 0x2e) sendmsg$NLBL_UNLABEL_C_ACCEPT(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x2}, 0xc, 
&(0x7f0000000140)={&(0x7f0000000080)={0x84, r6, 0x400, 0x70bd28, 0x25dfdbfb, {}, [@NLBL_UNLABEL_A_IPV4MASK={0x8, 0x5, @rand_addr=0x64010102}, @NLBL_UNLABEL_A_ACPTFLG={0x5}, @NLBL_UNLABEL_A_IPV6ADDR={0x14, 0x2, @remote}, @NLBL_UNLABEL_A_IPV4MASK={0x8, 0x5, @multicast2}, @NLBL_UNLABEL_A_IPV6ADDR={0x14, 0x2, @private1={0xfc, 0x1, '\x00', 0x1}}, @NLBL_UNLABEL_A_IPV4ADDR={0x8, 0x4, @remote}, @NLBL_UNLABEL_A_IFACE={0x14, 0x6, 'macvtap0\x00'}, @NLBL_UNLABEL_A_IPV6MASK={0x14, 0x3, @private1}]}, 0x84}, 0x1, 0x0, 0x0, 0x874}, 0x80) syz_usb_ep_write$ath9k_ep2(r0, 0x83, 0x8, &(0x7f00000000c0)=ANY=[]) 0s ago: executing program 2 (id=8): r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000040)=ANY=[@ANYBLOB="1c0000001000010700000000000000000a000000060001"], 0x1c}}, 0x0) (async) syz_usb_connect(0x0, 0x36, &(0x7f0000000580)={{0x12, 0x1, 0x0, 0x3f, 0x74, 0x34, 0x20, 0x711, 0x200, 0x1bb7, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0xe0, 0x0, [{{0x9, 0x4, 0x9d, 0x0, 0x2, 0x50, 0x84, 0x31, 0x0, [], [{{0x9, 0x5, 0xa, 0x3, 0x20, 0x86, 0x2, 0xf}}, {{0x9, 0x5, 0x1, 0x3, 0x20, 0x4, 0x13, 0x8}}]}}]}}]}}, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.10.8' (ED25519) to the list of known hosts. [ 84.949424][ T5817] cgroup: Unknown subsys name 'net' [ 85.062940][ T5817] cgroup: Unknown subsys name 'cpuset' [ 85.072364][ T5817] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 86.772303][ T5817] Adding 124996k swap on ./swap-file. 
Priority:0 extents:1 across:124996k [ 91.157581][ T5834] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 91.188116][ T5833] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 91.197588][ T5833] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 91.205511][ T5833] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 91.212088][ T5842] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 91.213715][ T5833] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 91.228384][ T5833] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 91.232091][ T5841] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 91.237207][ T5833] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 91.250211][ T5842] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 91.251335][ T5833] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 91.258120][ T5841] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 91.265919][ T5833] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 91.280170][ T5841] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 91.288365][ T5842] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 91.295792][ T5841] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 91.299186][ T5842] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 91.303713][ T5841] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 91.322305][ T5844] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 91.330769][ T5839] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 91.885258][ T5827] chnl_net:caif_netlink_parms(): no params data found [ 92.064063][ T5826] chnl_net:caif_netlink_parms(): no params data found [ 92.104505][ T5828] chnl_net:caif_netlink_parms(): no params data found [ 92.215394][ T5829] chnl_net:caif_netlink_parms(): no params data found [ 92.246457][ T5827] bridge0: port 1(bridge_slave_0) entered blocking state [ 92.254564][ T5827] bridge0: port 1(bridge_slave_0) entered disabled state [ 92.262274][ 
T5827] bridge_slave_0: entered allmulticast mode [ 92.270017][ T5827] bridge_slave_0: entered promiscuous mode [ 92.298183][ T5827] bridge0: port 2(bridge_slave_1) entered blocking state [ 92.305498][ T5827] bridge0: port 2(bridge_slave_1) entered disabled state [ 92.313057][ T5827] bridge_slave_1: entered allmulticast mode [ 92.320521][ T5827] bridge_slave_1: entered promiscuous mode [ 92.451698][ T5826] bridge0: port 1(bridge_slave_0) entered blocking state [ 92.459457][ T5826] bridge0: port 1(bridge_slave_0) entered disabled state [ 92.466656][ T5826] bridge_slave_0: entered allmulticast mode [ 92.474517][ T5826] bridge_slave_0: entered promiscuous mode [ 92.499554][ T5827] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 92.518706][ T5827] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 92.529477][ T5826] bridge0: port 2(bridge_slave_1) entered blocking state [ 92.536761][ T5826] bridge0: port 2(bridge_slave_1) entered disabled state [ 92.544385][ T5826] bridge_slave_1: entered allmulticast mode [ 92.551828][ T5826] bridge_slave_1: entered promiscuous mode [ 92.559672][ T5828] bridge0: port 1(bridge_slave_0) entered blocking state [ 92.566888][ T5828] bridge0: port 1(bridge_slave_0) entered disabled state [ 92.574337][ T5828] bridge_slave_0: entered allmulticast mode [ 92.581944][ T5828] bridge_slave_0: entered promiscuous mode [ 92.637234][ T5828] bridge0: port 2(bridge_slave_1) entered blocking state [ 92.644470][ T5828] bridge0: port 2(bridge_slave_1) entered disabled state [ 92.651856][ T5828] bridge_slave_1: entered allmulticast mode [ 92.659554][ T5828] bridge_slave_1: entered promiscuous mode [ 92.721398][ T5827] team0: Port device team_slave_0 added [ 92.727659][ T5829] bridge0: port 1(bridge_slave_0) entered blocking state [ 92.735040][ T5829] bridge0: port 1(bridge_slave_0) entered disabled state [ 92.742344][ T5829] bridge_slave_0: entered allmulticast mode [ 92.749876][ T5829] 
bridge_slave_0: entered promiscuous mode [ 92.761276][ T5826] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 92.785482][ T5827] team0: Port device team_slave_1 added [ 92.792046][ T5829] bridge0: port 2(bridge_slave_1) entered blocking state [ 92.799925][ T5829] bridge0: port 2(bridge_slave_1) entered disabled state [ 92.807170][ T5829] bridge_slave_1: entered allmulticast mode [ 92.815053][ T5829] bridge_slave_1: entered promiscuous mode [ 92.824725][ T5826] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 92.837485][ T5828] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 92.893291][ T5828] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 92.957966][ T5827] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 92.964992][ T5827] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 92.991028][ T5827] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 93.005744][ T5829] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 93.017539][ T5826] team0: Port device team_slave_0 added [ 93.037839][ T5827] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 93.045217][ T5827] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. 
[ 93.072090][ T5827] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 93.087772][ T5829] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 93.121380][ T5826] team0: Port device team_slave_1 added [ 93.129372][ T5828] team0: Port device team_slave_0 added [ 93.169775][ T5828] team0: Port device team_slave_1 added [ 93.178622][ T5829] team0: Port device team_slave_0 added [ 93.214903][ T5829] team0: Port device team_slave_1 added [ 93.221714][ T5826] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 93.228678][ T5826] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 93.255099][ T5826] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 93.306592][ T5826] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 93.314062][ T5826] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 93.340524][ T5826] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 93.351668][ T5841] Bluetooth: hci1: command tx timeout [ 93.359310][ T5839] Bluetooth: hci0: command tx timeout [ 93.365002][ T5834] Bluetooth: hci3: command tx timeout [ 93.371925][ T5828] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 93.380291][ T5828] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. 
Setting the MTU to 1532 would solve the problem. [ 93.406715][ T5828] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 93.439016][ T5834] Bluetooth: hci2: command tx timeout [ 93.449736][ T5829] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 93.456763][ T5829] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 93.483095][ T5829] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 93.496139][ T5829] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 93.503664][ T5829] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 93.530082][ T5829] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 93.542154][ T5828] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 93.549459][ T5828] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. 
[ 93.575587][ T5828] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 93.592411][ T5827] hsr_slave_0: entered promiscuous mode [ 93.599251][ T5827] hsr_slave_1: entered promiscuous mode [ 93.683012][ T5826] hsr_slave_0: entered promiscuous mode [ 93.689823][ T5826] hsr_slave_1: entered promiscuous mode [ 93.696134][ T5826] debugfs: 'hsr0' already exists in 'hsr' [ 93.703060][ T5826] Cannot create hsr debugfs directory [ 93.776057][ T5829] hsr_slave_0: entered promiscuous mode [ 93.782808][ T5829] hsr_slave_1: entered promiscuous mode [ 93.790378][ T5829] debugfs: 'hsr0' already exists in 'hsr' [ 93.796157][ T5829] Cannot create hsr debugfs directory [ 93.814089][ T5828] hsr_slave_0: entered promiscuous mode [ 93.821487][ T5828] hsr_slave_1: entered promiscuous mode [ 93.827824][ T5828] debugfs: 'hsr0' already exists in 'hsr' [ 93.833659][ T5828] Cannot create hsr debugfs directory [ 94.357811][ T5827] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 94.372228][ T5827] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 94.403142][ T5827] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 94.414567][ T5827] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 94.502316][ T5826] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 94.518734][ T5826] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 94.531549][ T5826] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 94.564118][ T5826] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 94.661869][ T5829] netdevsim netdevsim3 netdevsim0: renamed from eth0 [ 94.683743][ T5829] netdevsim netdevsim3 netdevsim1: renamed from eth1 [ 94.695040][ T5829] netdevsim netdevsim3 netdevsim2: renamed from eth2 [ 94.728626][ T5829] netdevsim netdevsim3 netdevsim3: renamed from eth3 [ 94.828695][ T5828] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 94.840967][ T5828] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 94.852986][ T5828] netdevsim netdevsim2 
netdevsim2: renamed from eth2 [ 94.865333][ T5828] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 95.025534][ T5827] 8021q: adding VLAN 0 to HW filter on device bond0 [ 95.074666][ T5827] 8021q: adding VLAN 0 to HW filter on device team0 [ 95.097510][ T5826] 8021q: adding VLAN 0 to HW filter on device bond0 [ 95.116894][ T3515] bridge0: port 1(bridge_slave_0) entered blocking state [ 95.124245][ T3515] bridge0: port 1(bridge_slave_0) entered forwarding state [ 95.145183][ T3515] bridge0: port 2(bridge_slave_1) entered blocking state [ 95.152382][ T3515] bridge0: port 2(bridge_slave_1) entered forwarding state [ 95.185978][ T5829] 8021q: adding VLAN 0 to HW filter on device bond0 [ 95.212856][ T5826] 8021q: adding VLAN 0 to HW filter on device team0 [ 95.237240][ T3015] bridge0: port 1(bridge_slave_0) entered blocking state [ 95.244473][ T3015] bridge0: port 1(bridge_slave_0) entered forwarding state [ 95.276932][ T3015] bridge0: port 2(bridge_slave_1) entered blocking state [ 95.284134][ T3015] bridge0: port 2(bridge_slave_1) entered forwarding state [ 95.309879][ T5828] 8021q: adding VLAN 0 to HW filter on device bond0 [ 95.326032][ T5829] 8021q: adding VLAN 0 to HW filter on device team0 [ 95.347517][ T3015] bridge0: port 1(bridge_slave_0) entered blocking state [ 95.354755][ T3015] bridge0: port 1(bridge_slave_0) entered forwarding state [ 95.391696][ T3015] bridge0: port 2(bridge_slave_1) entered blocking state [ 95.398990][ T3015] bridge0: port 2(bridge_slave_1) entered forwarding state [ 95.430365][ T5834] Bluetooth: hci1: command tx timeout [ 95.436498][ T5828] 8021q: adding VLAN 0 to HW filter on device team0 [ 95.443920][ T5834] Bluetooth: hci3: command tx timeout [ 95.443964][ T5839] Bluetooth: hci0: command tx timeout [ 95.463939][ T3015] bridge0: port 1(bridge_slave_0) entered blocking state [ 95.471128][ T3015] bridge0: port 1(bridge_slave_0) entered forwarding state [ 95.504670][ T60] bridge0: port 2(bridge_slave_1) entered blocking state [ 
95.511962][ T60] bridge0: port 2(bridge_slave_1) entered forwarding state [ 95.519614][ T5839] Bluetooth: hci2: command tx timeout [ 95.851340][ T5827] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 96.041182][ T5827] veth0_vlan: entered promiscuous mode [ 96.068550][ T5827] veth1_vlan: entered promiscuous mode [ 96.082480][ T5826] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 96.142929][ T5827] veth0_macvtap: entered promiscuous mode [ 96.169156][ T5827] veth1_macvtap: entered promiscuous mode [ 96.242920][ T5827] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 96.267515][ T5826] veth0_vlan: entered promiscuous mode [ 96.280984][ T5827] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 96.294735][ T5829] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 96.321014][ T5826] veth1_vlan: entered promiscuous mode [ 96.338114][ T5828] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 96.346946][ T3515] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 96.361638][ T3515] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 96.372205][ T3515] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 96.390843][ T3515] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 96.505458][ T5829] veth0_vlan: entered promiscuous mode [ 96.532902][ T5826] veth0_macvtap: entered promiscuous mode [ 96.565592][ T5826] veth1_macvtap: entered promiscuous mode [ 96.576637][ T3515] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 96.601349][ T3515] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 96.614018][ T5829] veth1_vlan: entered promiscuous mode [ 96.645094][ T5828] veth0_vlan: entered promiscuous mode [ 96.674528][ T1573] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 96.683607][ T5826] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 96.690287][ T1573] wlan1: Creating new IBSS network, BSSID 
50:50:50:50:50:50 [ 96.714186][ T5826] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 96.733403][ T5828] veth1_vlan: entered promiscuous mode [ 96.751282][ T60] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 96.773287][ T60] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 96.793940][ T60] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 96.797119][ T5827] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 96.807423][ T60] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 96.847486][ T5829] veth0_macvtap: entered promiscuous mode [ 96.903736][ T5829] veth1_macvtap: entered promiscuous mode [ 97.014179][ T3515] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 97.024217][ T5828] veth0_macvtap: entered promiscuous mode [ 97.028902][ T3515] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 97.043403][ T5829] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 97.078102][ T5829] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 97.086171][ T5828] veth1_macvtap: entered promiscuous mode [ 97.118942][ T1340] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 97.126883][ T1340] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 97.136118][ T3015] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 97.145663][ T3015] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 97.170561][ T3015] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 97.186621][ T5828] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 97.200110][ T3015] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 97.228130][ T5828] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 97.239190][ T5916] usb 2-1: new high-speed 
USB device number 2 using dummy_hcd [ 97.296254][ T3515] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 97.325601][ T3515] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 97.354006][ T795] cfg80211: failed to load regulatory.db [ 97.365214][ T3515] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 97.379398][ T3515] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 97.412948][ T5916] usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08 [ 97.425778][ T5916] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 97.440209][ T5916] usb 2-1: Product: syz [ 97.445531][ T5916] usb 2-1: Manufacturer: syz [ 97.462396][ T5916] usb 2-1: SerialNumber: syz [ 97.471824][ T148] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 97.490439][ T148] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 97.509947][ T5839] Bluetooth: hci3: command tx timeout [ 97.510389][ T5834] Bluetooth: hci1: command tx timeout [ 97.515432][ T5841] Bluetooth: hci0: command tx timeout [ 97.549782][ T5916] usb 2-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested [ 97.589495][ T5841] Bluetooth: hci2: command tx timeout [ 97.634687][ T148] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 97.659095][ T148] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 97.666130][ T5919] usb 2-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008 [ 97.755488][ T3015] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 97.772259][ T3015] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 97.867076][ T5934] kvm_intel: L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. 
[ 97.884750][ T1573] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 97.896460][ T1573] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 97.927284][ T5923] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 97.949027][ T795] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 98.048169][ T5935] trusted_key: encrypted_key: master key parameter is missing [ 98.101191][ T795] usb 1-1: device descriptor read/64, error -71 [ 98.361837][ T795] usb 1-1: new high-speed USB device number 3 using dummy_hcd [ 98.392116][ T5923] capability: warning: `syz.1.2' uses deprecated v2 capabilities in a way that may be insecure [ 98.419790][ T5888] usb 3-1: new high-speed USB device number 2 using dummy_hcd [ 98.498967][ T795] usb 1-1: device descriptor read/64, error -71 [ 98.579284][ T5888] usb 3-1: Using ep0 maxpacket: 32 [ 98.586850][ T5888] usb 3-1: config 4 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 98.606116][ T5888] usb 3-1: config 4 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 98.619673][ T795] usb usb1-port1: attempt power cycle [ 98.626456][ T5937] usb 2-1: USB disconnect, device number 2 [ 98.645842][ T5888] usb 3-1: New USB device found, idVendor=046d, idProduct=c314, bcdDevice= 0.40 [ 98.659012][ T5888] usb 3-1: New USB device strings: Mfr=255, Product=255, SerialNumber=0 [ 98.667663][ T5888] usb 3-1: Product: syz [ 98.674511][ T5888] usb 3-1: Manufacturer: syz [ 98.708177][ T5888] hub 3-1:4.0: USB hub found [ 98.800563][ T5919] ath9k_htc 2-1:1.0: ath9k_htc: Target is unresponsive [ 98.807906][ T5919] ath9k_htc: Failed to initialize the device [ 98.815076][ T5937] usb 2-1: ath9k_htc: USB layer deinitialized [ 98.907480][ T5888] hub 3-1:4.0: 2 ports detected [ 98.999014][ T795] usb 1-1: new high-speed USB device number 4 using dummy_hcd [ 99.021632][ T795] usb 1-1: device descriptor read/8, error -71 [ 
99.099001][ T5889] usb 4-1: new low-speed USB device number 2 using dummy_hcd [ 99.269118][ T795] usb 1-1: new high-speed USB device number 5 using dummy_hcd [ 99.281279][ T5889] usb 4-1: No LPM exit latency info found, disabling LPM. [ 99.315342][ T5889] usb 4-1: string descriptor 0 read error: -22 [ 99.332893][ T795] usb 1-1: device descriptor read/8, error -71 [ 99.339572][ T5889] usb 4-1: New USB device found, idVendor=1415, idProduct=0003, bcdDevice=65.5d [ 99.339607][ T5889] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 99.351359][ T5889] usb 4-1: config 0 descriptor?? [ 99.436456][ T5888] usb 3-1: USB disconnect, device number 2 [ 99.489295][ T795] usb usb1-port1: unable to enumerate USB device [ 99.548889][ T5937] usb 2-1: new high-speed USB device number 3 using dummy_hcd [ 99.589618][ T5839] Bluetooth: hci3: command tx timeout [ 99.592331][ T5834] Bluetooth: hci1: command tx timeout [ 99.595859][ T5841] Bluetooth: hci0: command tx timeout [ 99.670876][ T5834] Bluetooth: hci2: command tx timeout [ 99.718925][ T5937] usb 2-1: Using ep0 maxpacket: 8 [ 99.726969][ T5937] usb 2-1: config 179 has an invalid interface number: 65 but max is 0 [ 99.736551][ T5937] usb 2-1: config 179 has no interface number 0 [ 99.743312][ T5937] usb 2-1: config 179 interface 65 altsetting 0 endpoint 0xF has an invalid bInterval 0, changing to 7 [ 99.760871][ T5937] usb 2-1: config 179 interface 65 altsetting 0 endpoint 0xF has invalid maxpacket 1025, setting to 1024 [ 99.773547][ T5937] usb 2-1: config 179 interface 65 altsetting 0 endpoint 0x83 has an invalid bInterval 0, changing to 7 [ 99.786845][ T5937] usb 2-1: config 179 interface 65 altsetting 0 endpoint 0x83 has invalid maxpacket 41728, setting to 1024 [ 99.803267][ T5937] usb 2-1: config 179 interface 65 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 23 [ 99.817513][ T5937] usb 2-1: New USB device found, idVendor=12ab, idProduct=90a3, bcdDevice=1e.eb [ 
99.828362][ T5937] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 99.847788][ T5947] raw-gadget.3 gadget.1: fail, usb_ep_enable returned -22 [ 99.899009][ T5888] usb 3-1: new high-speed USB device number 3 using dummy_hcd [ 100.058950][ T5888] usb 3-1: Using ep0 maxpacket: 32 [ 100.076597][ T5888] usb 3-1: config 0 has an invalid interface number: 157 but max is 0 [ 100.078870][ T5947] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 100.094931][ T5888] usb 3-1: config 0 has no interface number 0 [ 100.097078][ T5947] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 100.119079][ T5888] usb 3-1: config 0 interface 157 altsetting 0 endpoint 0xA has an invalid bInterval 134, changing to 11 [ 100.142886][ T5888] usb 3-1: New USB device found, idVendor=0711, idProduct=0200, bcdDevice=1b.b7 [ 100.158949][ T5888] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 100.167157][ T5888] usb 3-1: Product: syz [ 100.183824][ T5888] usb 3-1: Manufacturer: syz [ 100.188711][ T5888] usb 3-1: SerialNumber: syz [ 100.218500][ T5888] usb 3-1: config 0 descriptor?? 
[ 100.230279][ T5930] usb 2-1: USB disconnect, device number 3 [ 100.230364][ C0] xpad 2-1:179.65: xpad_irq_in - usb_submit_urb failed with result -19 [ 100.244617][ C0] xpad 2-1:179.65: xpad_irq_out - usb_submit_urb failed with result -19 [ 100.253456][ C0] ================================================================== [ 100.261551][ C0] BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x23d/0x290 [ 100.269394][ C0] Read of size 4 at addr ffff888059b9185c by task kworker/u8:0/12 [ 100.277242][ C0] [ 100.279614][ C0] CPU: 0 UID: 0 PID: 12 Comm: kworker/u8:0 Not tainted syzkaller #0 PREEMPT(full) [ 100.279640][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 100.279654][ C0] Workqueue: events_unbound nsim_dev_trap_report_work [ 100.279688][ C0] Call Trace: [ 100.279697][ C0] <IRQ> [ 100.279705][ C0] dump_stack_lvl+0x189/0x250 [ 100.279725][ C0] ? __kasan_check_byte+0x12/0x40 [ 100.279747][ C0] ? __pfx_dump_stack_lvl+0x10/0x10 [ 100.279772][ C0] ? lock_release+0x4b/0x3b0 [ 100.279808][ C0] ? __virt_addr_valid+0x4a5/0x5c0 [ 100.279836][ C0] print_report+0xca/0x240 [ 100.279858][ C0] ? do_raw_spin_lock+0x23d/0x290 [ 100.279879][ C0] kasan_report+0x118/0x150 [ 100.279909][ C0] ? do_raw_spin_lock+0x23d/0x290 [ 100.279935][ C0] do_raw_spin_lock+0x23d/0x290 [ 100.279957][ C0] ? __wake_up_common_lock+0x2f/0x1f0 [ 100.279982][ C0] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 100.280009][ C0] _raw_spin_lock_irqsave+0xb3/0xf0 [ 100.280037][ C0] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 100.280063][ C0] ? kcov_remote_stop+0x78/0x6f0 [ 100.280088][ C0] __wake_up_common_lock+0x2f/0x1f0 [ 100.280114][ C0] __usb_hcd_giveback_urb+0x3b0/0x540 [ 100.280139][ C0] dummy_timer+0x85f/0x45b0 [ 100.280168][ C0] ? dummy_timer+0x447c/0x45b0 [ 100.280196][ C0] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 100.280230][ C0] ? __pfx_dummy_timer+0x10/0x10 [ 100.280251][ C0] ? debug_object_deactivate+0x6d/0x360 [ 100.280283][ C0] ? 
__pfx_dummy_timer+0x10/0x10 [ 100.280305][ C0] ? __pfx_dummy_timer+0x10/0x10 [ 100.280326][ C0] __hrtimer_run_queues+0x51c/0xc30 [ 100.280347][ C0] ? ktime_get_update_offsets_now+0x67/0x3d0 [ 100.280386][ C0] ? __pfx___hrtimer_run_queues+0x10/0x10 [ 100.280406][ C0] ? read_tsc+0x9/0x20 [ 100.280433][ C0] ? __pfx___local_bh_disable_ip+0x10/0x10 [ 100.280465][ C0] hrtimer_run_softirq+0x187/0x2b0 [ 100.280490][ C0] handle_softirqs+0x27d/0x850 [ 100.280520][ C0] ? __irq_exit_rcu+0xca/0x1f0 [ 100.280550][ C0] ? __pfx_handle_softirqs+0x10/0x10 [ 100.280580][ C0] ? irqtime_account_irq+0xb6/0x1c0 [ 100.280604][ C0] __irq_exit_rcu+0xca/0x1f0 [ 100.280632][ C0] ? __pfx___irq_exit_rcu+0x10/0x10 [ 100.280664][ C0] irq_exit_rcu+0x9/0x30 [ 100.280690][ C0] sysvec_apic_timer_interrupt+0xa6/0xc0 [ 100.280718][ C0] </IRQ> [ 100.280725][ C0] <TASK> [ 100.280732][ C0] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 100.280753][ C0] RIP: 0010:filter_irq_stacks+0x6c/0xa0 [ 100.280780][ C0] Code: 30 02 00 81 0f 93 c1 48 3d 70 16 00 81 0f 92 c2 84 d1 75 27 48 3d c0 4f 68 8b 0f 92 c1 48 3d db 4f 68 8b 0f 93 c0 08 c8 74 11 <48> ff c3 49 83 c7 08 49 39 dc 75 ae 44 89 e3 eb 06 ff c3 eb 02 31 [ 100.280796][ C0] RSP: 0018:ffffc90000117028 EFLAGS: 00000202 [ 100.280813][ C0] RAX: ffffffff8219f401 RBX: 0000000000000000 RCX: 0000000000000001 [ 100.280827][ C0] RDX: 00000000000d2800 RSI: 0000000000000010 RDI: ffffc90000117100 [ 100.280840][ C0] RBP: ffffc900001171f0 R08: ffffc90000117050 R09: 000000000000000f [ 100.280856][ C0] R10: ffffc90000116fd8 R11: ffffffff81ade390 R12: 0000000000000010 [ 100.280874][ C0] R13: dffffc0000000000 R14: ffffc90000117100 R15: ffffc90000117100 [ 100.280893][ C0] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 100.280924][ C0] ? post_alloc_hook+0x1a1/0x290 [ 100.280960][ C0] stack_depot_save_flags+0x40/0x850 [ 100.280983][ C0] save_stack+0x103/0x1f0 [ 100.281012][ C0] ? __pfx_save_stack+0x10/0x10 [ 100.281038][ C0] ? post_alloc_hook+0x234/0x290 [ 100.281062][ C0] ? 
get_page_from_freelist+0x2365/0x2440 [ 100.281081][ C0] ? __alloc_frozen_pages_noprof+0x181/0x370 [ 100.281099][ C0] ? alloc_pages_mpol+0x232/0x4a0 [ 100.281116][ C0] ? allocate_slab+0x86/0x3b0 [ 100.281136][ C0] ? ___slab_alloc+0xf2b/0x1960 [ 100.281154][ C0] ? __slab_alloc+0x65/0x100 [ 100.281171][ C0] ? __kmalloc_node_track_caller_noprof+0x5d4/0x820 [ 100.281200][ C0] ? kmalloc_reserve+0x136/0x290 [ 100.281227][ C0] ? __alloc_skb+0x27e/0x430 [ 100.281252][ C0] ? nsim_dev_trap_report_work+0x29a/0xb80 [ 100.281271][ C0] ? process_one_work+0x93a/0x15a0 [ 100.281297][ C0] ? worker_thread+0x9b0/0xee0 [ 100.281324][ C0] ? kthread+0x711/0x8a0 [ 100.281342][ C0] ? ret_from_fork+0x599/0xb30 [ 100.281366][ C0] ? ret_from_fork_asm+0x1a/0x30 [ 100.281388][ C0] ? seqcount_lockdep_reader_access+0x102/0x180 [ 100.281416][ C0] __set_page_owner+0x8d/0x4c0 [ 100.281495][ C0] ? __pfx___set_page_owner+0x10/0x10 [ 100.281540][ C0] post_alloc_hook+0x234/0x290 [ 100.281569][ C0] get_page_from_freelist+0x2365/0x2440 [ 100.281587][ C0] ? unwind_next_frame+0xa5/0x23d0 [ 100.281614][ C0] ? unwind_next_frame+0xa5/0x23d0 [ 100.281639][ C0] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 100.281668][ C0] ? __pfx_get_page_from_freelist+0x10/0x10 [ 100.281688][ C0] ? prepare_alloc_pages+0x22b/0x650 [ 100.281709][ C0] __alloc_frozen_pages_noprof+0x181/0x370 [ 100.281727][ C0] ? stack_depot_save_flags+0x40/0x850 [ 100.281760][ C0] ? __pfx___alloc_frozen_pages_noprof+0x10/0x10 [ 100.281780][ C0] ? kasan_save_track+0x4f/0x80 [ 100.281807][ C0] ? kasan_save_track+0x3e/0x80 [ 100.281834][ C0] ? policy_nodemask+0x27c/0x720 [ 100.281855][ C0] alloc_pages_mpol+0x232/0x4a0 [ 100.281877][ C0] allocate_slab+0x86/0x3b0 [ 100.281900][ C0] ___slab_alloc+0xf2b/0x1960 [ 100.281922][ C0] ? __alloc_skb+0x27e/0x430 [ 100.281950][ C0] ? __alloc_skb+0x27e/0x430 [ 100.281984][ C0] __slab_alloc+0x65/0x100 [ 100.282009][ C0] __kmalloc_node_track_caller_noprof+0x5d4/0x820 [ 100.282041][ C0] ? 
__alloc_skb+0x27e/0x430 [ 100.282071][ C0] ? __alloc_skb+0x27e/0x430 [ 100.282098][ C0] kmalloc_reserve+0x136/0x290 [ 100.282142][ C0] __alloc_skb+0x27e/0x430 [ 100.282174][ C0] ? __pfx___alloc_skb+0x10/0x10 [ 100.282206][ C0] ? kmem_cache_free+0x197/0x620 [ 100.282237][ C0] ? nsim_dev_trap_report_work+0x7cf/0xb80 [ 100.282263][ C0] nsim_dev_trap_report_work+0x29a/0xb80 [ 100.282297][ C0] ? process_one_work+0x868/0x15a0 [ 100.282327][ C0] process_one_work+0x93a/0x15a0 [ 100.282369][ C0] ? __pfx_process_one_work+0x10/0x10 [ 100.282403][ C0] ? assign_work+0x3c7/0x5b0 [ 100.282443][ C0] worker_thread+0x9b0/0xee0 [ 100.282488][ C0] kthread+0x711/0x8a0 [ 100.282513][ C0] ? __pfx_worker_thread+0x10/0x10 [ 100.282543][ C0] ? __pfx_kthread+0x10/0x10 [ 100.282565][ C0] ? _raw_spin_unlock_irq+0x23/0x50 [ 100.282594][ C0] ? lockdep_hardirqs_on+0x98/0x140 [ 100.282624][ C0] ? __pfx_kthread+0x10/0x10 [ 100.282647][ C0] ret_from_fork+0x599/0xb30 [ 100.282678][ C0] ? __pfx_ret_from_fork+0x10/0x10 [ 100.282712][ C0] ? __switch_to_asm+0x39/0x70 [ 100.282735][ C0] ? __switch_to_asm+0x33/0x70 [ 100.282757][ C0] ? 
__pfx_kthread+0x10/0x10 [ 100.282780][ C0] ret_from_fork_asm+0x1a/0x30 [ 100.282813][ C0] </TASK> [ 100.282821][ C0] [ 100.944958][ C0] Allocated by task 5937: [ 100.949297][ C0] kasan_save_track+0x3e/0x80 [ 100.953998][ C0] __kasan_kmalloc+0x93/0xb0 [ 100.958595][ C0] __kmalloc_cache_noprof+0x3e2/0x700 [ 100.963985][ C0] xpad_probe+0x428/0x1fc0 [ 100.968414][ C0] usb_probe_interface+0x668/0xc90 [ 100.973541][ C0] really_probe+0x26d/0xad0 [ 100.978057][ C0] __driver_probe_device+0x18c/0x320 [ 100.983353][ C0] driver_probe_device+0x4f/0x240 [ 100.988482][ C0] __device_attach_driver+0x279/0x430 [ 100.993867][ C0] bus_for_each_drv+0x251/0x2e0 [ 100.998736][ C0] __device_attach+0x2b8/0x430 [ 101.003532][ C0] device_initial_probe+0xa1/0xd0 [ 101.008581][ C0] bus_probe_device+0x12a/0x220 [ 101.013476][ C0] device_add+0x7b6/0xb80 [ 101.017814][ C0] usb_set_configuration+0x1a87/0x2110 [ 101.023282][ C0] usb_generic_driver_probe+0x8d/0x150 [ 101.028766][ C0] usb_probe_device+0x1c4/0x3c0 [ 101.033646][ C0] really_probe+0x26d/0xad0 [ 101.038207][ C0] __driver_probe_device+0x18c/0x320 [ 101.043523][ C0] driver_probe_device+0x4f/0x240 [ 101.048653][ C0] __device_attach_driver+0x279/0x430 [ 101.054040][ C0] bus_for_each_drv+0x251/0x2e0 [ 101.058996][ C0] __device_attach+0x2b8/0x430 [ 101.063765][ C0] device_initial_probe+0xa1/0xd0 [ 101.068800][ C0] bus_probe_device+0x12a/0x220 [ 101.073665][ C0] device_add+0x7b6/0xb80 [ 101.077998][ C0] usb_new_device+0xa39/0x1720 [ 101.082777][ C0] hub_event+0x29b1/0x4ef0 [ 101.087227][ C0] process_one_work+0x93a/0x15a0 [ 101.092185][ C0] worker_thread+0x9b0/0xee0 [ 101.096789][ C0] kthread+0x711/0x8a0 [ 101.100865][ C0] ret_from_fork+0x599/0xb30 [ 101.105467][ C0] ret_from_fork_asm+0x1a/0x30 [ 101.110243][ C0] [ 101.112576][ C0] Freed by task 5930: [ 101.116561][ C0] kasan_save_track+0x3e/0x80 [ 101.121283][ C0] kasan_save_free_info+0x46/0x50 [ 101.126319][ C0] __kasan_slab_free+0x5c/0x80 [ 101.131087][ C0] kfree+0x1c0/0x660 [ 101.135004][ C0] 
xpad_disconnect+0x350/0x480 [ 101.139782][ C0] usb_unbind_interface+0x26e/0x910 [ 101.145006][ C0] device_release_driver_internal+0x4d9/0x800 [ 101.151181][ C0] bus_remove_device+0x34d/0x440 [ 101.156168][ C0] device_del+0x511/0x8e0 [ 101.160507][ C0] usb_disable_device+0x3d4/0x8e0 [ 101.165547][ C0] usb_disconnect+0x32f/0x990 [ 101.170242][ C0] hub_event+0x1ca9/0x4ef0 [ 101.174674][ C0] process_one_work+0x93a/0x15a0 [ 101.179624][ C0] worker_thread+0x9b0/0xee0 [ 101.184260][ C0] kthread+0x711/0x8a0 [ 101.188338][ C0] ret_from_fork+0x599/0xb30 [ 101.192939][ C0] ret_from_fork_asm+0x1a/0x30 [ 101.197712][ C0] [ 101.200041][ C0] The buggy address belongs to the object at ffff888059b91800 [ 101.200041][ C0] which belongs to the cache kmalloc-1k of size 1024 [ 101.214113][ C0] The buggy address is located 92 bytes inside of [ 101.214113][ C0] freed 1024-byte region [ffff888059b91800, ffff888059b91c00) [ 101.227921][ C0] [ 101.230251][ C0] The buggy address belongs to the physical page: [ 101.236685][ C0] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x59b90 [ 101.245483][ C0] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 101.254003][ C0] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 101.261574][ C0] page_type: f5(slab) [ 101.265568][ C0] raw: 00fff00000000040 ffff88813fe26dc0 dead000000000122 0000000000000000 [ 101.274165][ C0] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 101.282954][ C0] head: 00fff00000000040 ffff88813fe26dc0 dead000000000122 0000000000000000 [ 101.291654][ C0] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 101.300345][ C0] head: 00fff00000000003 ffffea000166e401 00000000ffffffff 00000000ffffffff [ 101.309033][ C0] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 101.317709][ C0] page dumped because: kasan: bad access detected [ 101.324150][ C0] page_owner tracks the page as allocated [ 101.329873][ 
C0] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 3015, tgid 3015 (kworker/u8:12), ts 99801431795, free_ts 30690854296 [ 101.349260][ C0] post_alloc_hook+0x234/0x290 [ 101.354059][ C0] get_page_from_freelist+0x2365/0x2440 [ 101.359618][ C0] __alloc_frozen_pages_noprof+0x181/0x370 [ 101.365438][ C0] alloc_pages_mpol+0x232/0x4a0 [ 101.370318][ C0] allocate_slab+0x86/0x3b0 [ 101.374832][ C0] ___slab_alloc+0xf2b/0x1960 [ 101.379522][ C0] __slab_alloc+0x65/0x100 [ 101.383945][ C0] __kmalloc_noprof+0x47d/0x800 [ 101.388813][ C0] ieee802_11_parse_elems_full+0x152/0x2ab0 [ 101.394734][ C0] ieee80211_ibss_rx_queued_mgmt+0x48e/0x2af0 [ 101.400817][ C0] ieee80211_iface_work+0x85f/0x12d0 [ 101.406114][ C0] cfg80211_wiphy_work+0x2ab/0x450 [ 101.411258][ C0] process_one_work+0x93a/0x15a0 [ 101.416247][ C0] worker_thread+0x9b0/0xee0 [ 101.420856][ C0] kthread+0x711/0x8a0 [ 101.424940][ C0] ret_from_fork+0x599/0xb30 [ 101.429549][ C0] page last free pid 1 tgid 1 stack trace: [ 101.435359][ C0] __free_frozen_pages+0xbc8/0xd30 [ 101.440500][ C0] free_contig_range+0x1bd/0x490 [ 101.445482][ C0] destroy_args+0x69/0x660 [ 101.449919][ C0] debug_vm_pgtable+0x38f/0x3a0 [ 101.454787][ C0] do_one_initcall+0x1fb/0x820 [ 101.459562][ C0] do_initcall_level+0x104/0x190 [ 101.464511][ C0] do_initcalls+0x59/0xa0 [ 101.468855][ C0] kernel_init_freeable+0x334/0x4b0 [ 101.474066][ C0] kernel_init+0x1d/0x1d0 [ 101.478410][ C0] ret_from_fork+0x599/0xb30 [ 101.483017][ C0] ret_from_fork_asm+0x1a/0x30 [ 101.487800][ C0] [ 101.490137][ C0] Memory state around the buggy address: [ 101.495780][ C0] ffff888059b91700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 101.503853][ C0] ffff888059b91780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 101.511925][ C0] >ffff888059b91800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 101.519993][ C0] ^ [ 101.526933][ C0] ffff888059b91880: fb fb fb fb fb fb fb fb fb fb fb fb 
fb fb fb fb [ 101.535027][ C0] ffff888059b91900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 101.543108][ C0] ================================================================== [ 101.551195][ C0] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 101.558429][ C0] CPU: 0 UID: 0 PID: 12 Comm: kworker/u8:0 Not tainted syzkaller #0 PREEMPT(full) [ 101.567740][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 101.577822][ C0] Workqueue: events_unbound nsim_dev_trap_report_work [ 101.584607][ C0] Call Trace: [ 101.587903][ C0] <IRQ> [ 101.590758][ C0] dump_stack_lvl+0x99/0x250 [ 101.595368][ C0] ? __asan_memcpy+0x40/0x70 [ 101.599979][ C0] ? __pfx_dump_stack_lvl+0x10/0x10 [ 101.605192][ C0] ? __pfx__printk+0x10/0x10 [ 101.609820][ C0] vpanic+0x237/0x6d0 [ 101.613818][ C0] ? __pfx_vpanic+0x10/0x10 [ 101.618345][ C0] panic+0xb9/0xc0 [ 101.622081][ C0] ? __pfx_panic+0x10/0x10 [ 101.626514][ C0] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 101.632547][ C0] ? do_raw_spin_lock+0x23d/0x290 [ 101.637600][ C0] check_panic_on_warn+0x89/0xb0 [ 101.642560][ C0] ? do_raw_spin_lock+0x23d/0x290 [ 101.647608][ C0] end_report+0x6f/0x140 [ 101.651866][ C0] kasan_report+0x129/0x150 [ 101.656393][ C0] ? do_raw_spin_lock+0x23d/0x290 [ 101.661455][ C0] do_raw_spin_lock+0x23d/0x290 [ 101.666329][ C0] ? __wake_up_common_lock+0x2f/0x1f0 [ 101.671721][ C0] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 101.677133][ C0] _raw_spin_lock_irqsave+0xb3/0xf0 [ 101.682378][ C0] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 101.688322][ C0] ? kcov_remote_stop+0x78/0x6f0 [ 101.693289][ C0] __wake_up_common_lock+0x2f/0x1f0 [ 101.698518][ C0] __usb_hcd_giveback_urb+0x3b0/0x540 [ 101.703918][ C0] dummy_timer+0x85f/0x45b0 [ 101.708447][ C0] ? dummy_timer+0x447c/0x45b0 [ 101.713231][ C0] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 101.718641][ C0] ? __pfx_dummy_timer+0x10/0x10 [ 101.723594][ C0] ? debug_object_deactivate+0x6d/0x360 [ 101.729171][ C0] ? 
__pfx_dummy_timer+0x10/0x10 [ 101.734129][ C0] ? __pfx_dummy_timer+0x10/0x10 [ 101.739093][ C0] __hrtimer_run_queues+0x51c/0xc30 [ 101.744312][ C0] ? ktime_get_update_offsets_now+0x67/0x3d0 [ 101.750331][ C0] ? __pfx___hrtimer_run_queues+0x10/0x10 [ 101.756123][ C0] ? read_tsc+0x9/0x20 [ 101.760216][ C0] ? __pfx___local_bh_disable_ip+0x10/0x10 [ 101.766068][ C0] hrtimer_run_softirq+0x187/0x2b0 [ 101.771218][ C0] handle_softirqs+0x27d/0x850 [ 101.776044][ C0] ? __irq_exit_rcu+0xca/0x1f0 [ 101.780833][ C0] ? __pfx_handle_softirqs+0x10/0x10 [ 101.786142][ C0] ? irqtime_account_irq+0xb6/0x1c0 [ 101.791368][ C0] __irq_exit_rcu+0xca/0x1f0 [ 101.796042][ C0] ? __pfx___irq_exit_rcu+0x10/0x10 [ 101.801267][ C0] irq_exit_rcu+0x9/0x30 [ 101.805585][ C0] sysvec_apic_timer_interrupt+0xa6/0xc0 [ 101.811247][ C0] </IRQ> [ 101.814189][ C0] <TASK> [ 101.817134][ C0] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 101.823139][ C0] RIP: 0010:filter_irq_stacks+0x6c/0xa0 [ 101.828707][ C0] Code: 30 02 00 81 0f 93 c1 48 3d 70 16 00 81 0f 92 c2 84 d1 75 27 48 3d c0 4f 68 8b 0f 92 c1 48 3d db 4f 68 8b 0f 93 c0 08 c8 74 11 <48> ff c3 49 83 c7 08 49 39 dc 75 ae 44 89 e3 eb 06 ff c3 eb 02 31 [ 101.848336][ C0] RSP: 0018:ffffc90000117028 EFLAGS: 00000202 [ 101.854435][ C0] RAX: ffffffff8219f401 RBX: 0000000000000000 RCX: 0000000000000001 [ 101.862434][ C0] RDX: 00000000000d2800 RSI: 0000000000000010 RDI: ffffc90000117100 [ 101.870426][ C0] RBP: ffffc900001171f0 R08: ffffc90000117050 R09: 000000000000000f [ 101.878409][ C0] R10: ffffc90000116fd8 R11: ffffffff81ade390 R12: 0000000000000010 [ 101.886399][ C0] R13: dffffc0000000000 R14: ffffc90000117100 R15: ffffc90000117100 [ 101.894396][ C0] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 101.900577][ C0] ? post_alloc_hook+0x1a1/0x290 [ 101.905544][ C0] stack_depot_save_flags+0x40/0x850 [ 101.910847][ C0] save_stack+0x103/0x1f0 [ 101.915201][ C0] ? __pfx_save_stack+0x10/0x10 [ 101.920071][ C0] ? post_alloc_hook+0x234/0x290 [ 101.925034][ C0] ? 
get_page_from_freelist+0x2365/0x2440 [ 101.930765][ C0] ? __alloc_frozen_pages_noprof+0x181/0x370 [ 101.936760][ C0] ? alloc_pages_mpol+0x232/0x4a0 [ 101.941800][ C0] ? allocate_slab+0x86/0x3b0 [ 101.946499][ C0] ? ___slab_alloc+0xf2b/0x1960 [ 101.951363][ C0] ? __slab_alloc+0x65/0x100 [ 101.955981][ C0] ? __kmalloc_node_track_caller_noprof+0x5d4/0x820 [ 101.962589][ C0] ? kmalloc_reserve+0x136/0x290 [ 101.967549][ C0] ? __alloc_skb+0x27e/0x430 [ 101.972157][ C0] ? nsim_dev_trap_report_work+0x29a/0xb80 [ 101.977979][ C0] ? process_one_work+0x93a/0x15a0 [ 101.983112][ C0] ? worker_thread+0x9b0/0xee0 [ 101.987912][ C0] ? kthread+0x711/0x8a0 [ 101.992174][ C0] ? ret_from_fork+0x599/0xb30 [ 101.996961][ C0] ? ret_from_fork_asm+0x1a/0x30 [ 102.001923][ C0] ? seqcount_lockdep_reader_access+0x102/0x180 [ 102.008209][ C0] __set_page_owner+0x8d/0x4c0 [ 102.013030][ C0] ? __pfx___set_page_owner+0x10/0x10 [ 102.018443][ C0] post_alloc_hook+0x234/0x290 [ 102.023233][ C0] get_page_from_freelist+0x2365/0x2440 [ 102.028810][ C0] ? unwind_next_frame+0xa5/0x23d0 [ 102.033945][ C0] ? unwind_next_frame+0xa5/0x23d0 [ 102.039080][ C0] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 102.045259][ C0] ? __pfx_get_page_from_freelist+0x10/0x10 [ 102.051172][ C0] ? prepare_alloc_pages+0x22b/0x650 [ 102.056479][ C0] __alloc_frozen_pages_noprof+0x181/0x370 [ 102.062302][ C0] ? stack_depot_save_flags+0x40/0x850 [ 102.067782][ C0] ? __pfx___alloc_frozen_pages_noprof+0x10/0x10 [ 102.074130][ C0] ? kasan_save_track+0x4f/0x80 [ 102.079009][ C0] ? kasan_save_track+0x3e/0x80 [ 102.083878][ C0] ? policy_nodemask+0x27c/0x720 [ 102.088833][ C0] alloc_pages_mpol+0x232/0x4a0 [ 102.093710][ C0] allocate_slab+0x86/0x3b0 [ 102.098236][ C0] ___slab_alloc+0xf2b/0x1960 [ 102.102957][ C0] ? __alloc_skb+0x27e/0x430 [ 102.107570][ C0] ? __alloc_skb+0x27e/0x430 [ 102.112180][ C0] __slab_alloc+0x65/0x100 [ 102.116610][ C0] __kmalloc_node_track_caller_noprof+0x5d4/0x820 [ 102.123058][ C0] ? 
__alloc_skb+0x27e/0x430 [ 102.127675][ C0] ? __alloc_skb+0x27e/0x430 [ 102.132284][ C0] kmalloc_reserve+0x136/0x290 [ 102.137097][ C0] __alloc_skb+0x27e/0x430 [ 102.141560][ C0] ? __pfx___alloc_skb+0x10/0x10 [ 102.146532][ C0] ? kmem_cache_free+0x197/0x620 [ 102.151494][ C0] ? nsim_dev_trap_report_work+0x7cf/0xb80 [ 102.157338][ C0] nsim_dev_trap_report_work+0x29a/0xb80 [ 102.163008][ C0] ? process_one_work+0x868/0x15a0 [ 102.168154][ C0] process_one_work+0x93a/0x15a0 [ 102.173131][ C0] ? __pfx_process_one_work+0x10/0x10 [ 102.178545][ C0] ? assign_work+0x3c7/0x5b0 [ 102.183192][ C0] worker_thread+0x9b0/0xee0 [ 102.187822][ C0] kthread+0x711/0x8a0 [ 102.191915][ C0] ? __pfx_worker_thread+0x10/0x10 [ 102.197069][ C0] ? __pfx_kthread+0x10/0x10 [ 102.201685][ C0] ? _raw_spin_unlock_irq+0x23/0x50 [ 102.206914][ C0] ? lockdep_hardirqs_on+0x98/0x140 [ 102.212161][ C0] ? __pfx_kthread+0x10/0x10 [ 102.216777][ C0] ret_from_fork+0x599/0xb30 [ 102.221392][ C0] ? __pfx_ret_from_fork+0x10/0x10 [ 102.226528][ C0] ? __switch_to_asm+0x39/0x70 [ 102.231315][ C0] ? __switch_to_asm+0x33/0x70 [ 102.236096][ C0] ? __pfx_kthread+0x10/0x10 [ 102.240711][ C0] ret_from_fork_asm+0x1a/0x30 [ 102.245513][ C0] </TASK> [ 102.248922][ C0] Kernel Offset: disabled [ 102.253254][ C0] Rebooting in 86400 seconds..