last executing test programs: 7.90738263s ago: executing program 0 (id=456): r0 = syz_open_dev$sndctrl(&(0x7f0000000100), 0x1, 0x2002) ioctl$SNDRV_CTL_IOCTL_ELEM_ADD(r0, 0xc1105517, &(0x7f00000001c0)={{0x4, 0x2, 0x400, 0x5, 'syz0\x00', 0x4}, 0x1, 0x242, 0x200, 0x0, 0x0, 0xffffffff, 'syz1\x00', 0x0}) 7.705680575s ago: executing program 0 (id=457): r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000080), 0x14d802, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x28011, r0, 0x2c93a000) sendmsg$kcm(0xffffffffffffffff, 0x0, 0x0) openat$nullb(0xffffffffffffff9c, 0x0, 0x4000000004002, 0x0) r1 = syz_io_uring_setup(0x1644, &(0x7f0000000580)={0x0, 0x4, 0x10101, 0xffffffff, 0x64}, &(0x7f0000000000)=0x0, &(0x7f0000000100)=0x0) syz_io_uring_submit(r2, r3, &(0x7f00000009c0)=@IORING_OP_WRITE={0x17, 0x0, 0x0, @fd_index=0x3, 0x0, 0x0, 0xffffffffffffff31}) io_uring_enter(r1, 0x207a98, 0x0, 0x0, 0x0, 0x0) 7.705297475s ago: executing program 1 (id=458): bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x7, 0xc, &(0x7f0000000200)=ANY=[@ANYBLOB="180000000000000000000000fdffffff18000000", @ANYRES32, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000003800000095"], &(0x7f0000000040)='syzkaller\x00', 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) 7.58324713s ago: executing program 1 (id=459): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000003c0)={0x11, 0x4, 0x0, &(0x7f0000000100)='syzkaller\x00', 0x4, 0x0, 0x0, 0x41100, 0x43, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x7fff}, 0x94) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) r0 = socket$inet(0x2, 0x4000000000000001, 0x0) bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e23, @local}, 0x23) sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10) setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000040)='highspeed', 0x9) r1 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000180)={0x0, 0x1f00, &(0x7f0000000000)={&(0x7f0000000440)=@newqdisc={0x54, 0x10, 0x1, 0xfffffffc, 0x0, {0x0, 0x0, 0x0, 0x0, {0xffe0, 0xffe0}, {0xf}, {0xe}}, [@TCA_RATE={0x6, 0x5, {0x9, 0x1}}, @TCA_STAB={0x28, 0x8, 0x0, 0x1, [{{0x1c, 0x1a, {0x0, 0x0, 0x491, 0x0, 0x0, 0x4, 0x8, 0x2}}, {0x8, 0x1b, [0x0, 0x0]}}]}]}, 0x54}, 0x1, 0x0, 0x0, 0x80}, 0x4040c00) sendmmsg$inet6(r0, &(0x7f0000003d40)=[{{0x0, 0x0, &(0x7f0000000280)=[{&(0x7f0000000140)="ce", 0x1}], 0x1}}], 0x1, 0x20040001) 7.582897601s ago: executing program 0 (id=460): socket$netlink(0x10, 0x3, 0x0) syz_memcpy_off$IO_URING_METADATA_GENERIC(0x0, 0x4, 0x0, 0x0, 0x4) r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x18, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="18010000000000000000000000000000850000006d00000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x2, '\x00', 0x0, 0x2}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000000)='sched_switch\x00', r0}, 0x10) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x100}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r1 = getpid() sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@file={0x0, './cgroup\x00'}, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) mount(&(0x7f0000000100)=@nullb, &(0x7f0000000040)='.\x00', &(0x7f0000000300)='gfs2\x00', 0x5, 0x0) r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000180)='./binderfs/binder0\x00', 0x0, 0x0) socket$nl_xfrm(0x10, 0x3, 0x6) r5 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r5, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000340)={&(0x7f0000000b80)=@migrate={0xec, 0x21, 0x1, 0x0, 0xfffffffe, {{@in6=@private2, @in6=@private2={0xfc, 0x2, '\x00', 0x1}, 0xfffc, 0x0, 0x0, 0x0, 0xa, 0xe0, 0x80}, 0x2}, [@migrate={0x9c, 0x11, [{@in=@local, @in6=@private0={0xfc, 0x0, '\x00', 0x1}, @in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @in6=@local, 0x32, 0x3, 0x0, 0x2, 0x2, 0x2}, {@in6=@ipv4={'\x00', '\xff\xff', @loopback}, @in6=@ipv4={'\x00', '\xff\xff', @private=0xa010102}, @in6=@empty, @in6=@private2, 0x3c, 0x0, 0x0, 0x0, 0x8, 0x8}]}]}, 0xec}, 0x1, 0x0, 0x0, 0x800}, 0x42000) r6 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000140)='./binderfs/binder0\x00', 0x0, 0x0) write$binfmt_register(0xffffffffffffffff, &(0x7f0000000140)={0x3a, 'syz2', 0x3a, 'M', 0x3a, 0x9, 0x3a, 'M', 0x3a, 'N', 0x3a, './file0', 0x3a, [0x4f, 0x4f, 0x46, 0x46, 0x43]}, 0x2e) ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0}) dup3(r6, r4, 0x0) 4.288307173s ago: executing program 1 (id=461): r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x18, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x4}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000000)='sched_switch\x00', r0}, 0x10) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r1 = getpid() sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) r4 = socket$nl_generic(0x10, 0x3, 0x10) r5 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r4, 0x8933, &(0x7f00000000c0)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_REGISTER_FRAME(r4, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f0000000180)=ANY=[@ANYBLOB='$\x00\x00\x00', @ANYRES16=r5, @ANYBLOB="010025bd7000fbdbdf253a00000008000300", @ANYRES32=r6, @ANYBLOB="08005b002813250d3fbe4b9f75b3153f414f94953db3a71114af0f9a15325ed6efe14b716a9fdbf600ddd13e55b89384a69fef89f2"], 0x24}, 0x1, 0x0, 0x0, 0x24000850}, 0x8040) 4.194266295s ago: executing program 0 (id=462): r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000200)=@delnexthop={0x20, 0x69, 0x503, 0x0, 0x0, {}, [{0x8, 0x1, 0x2}]}, 0x20}}, 0x0) 4.018507086s ago: executing program 0 (id=463): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) setsockopt$SO_ATTACH_FILTER(r1, 0x1, 0x1a, &(0x7f0000000040)={0x3, &(0x7f0000000140)=[{0x20, 0x0, 0x0, 0xfffff00c}, {0x20, 0x0, 0x0, 0xfffff024}, {0x6, 0x0, 0x0, 0xfffffffe}]}, 0x10) sendmmsg(r0, &(0x7f0000020800)=[{{0x0, 0x0, 0x0}}], 0x1, 0x2004c840) 3.868132515s ago: executing program 0 (id=464): socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) lsetxattr$security_capability(&(0x7f0000000080)='./file0\x00', 0x0, &(0x7f00000006c0)=@v3={0x3000000, [{0xffffffff, 0x2}, {0x8009, 0x56}], 0xee01}, 0x18, 0x0) connect$unix(r0, 0x0, 0x0) sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x0, 0xfffffe0000000001, 0xfa11, 0xffffffff}, 0x0) r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000200), 0x48000, 0x0) ioctl$TIOCMGET(r2, 0x5415, &(0x7f0000000280)) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) syz_open_dev$char_usb(0xc, 0xb4, 0x0) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0) 470.051731ms ago: executing program 1 (id=465): r0 = syz_usb_connect$cdc_ecm(0x0, 0x56, &(0x7f0000000300)=ANY=[@ANYBLOB="12010000020000082505a5a4400000000101090244000101000000090400000302060000052406000005240000000d240f010000000000000000000905"], 0x0) syz_usb_control_io(r0, 0x0, 0x0) 296.867623ms ago: executing program 1 (id=466): mmap(&(0x7f0000000000/0x200000)=nil, 0x200000, 0x300000b, 0x204031, 0xffffffffffffffff, 0x5dd93000) r0 = socket(0x2a, 0x2, 0x0) getsockname$packet(r0, &(0x7f0000000200)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000001480)=0x14) 0s ago: executing program 1 (id=467): bpf$MAP_CREATE(0x0, &(0x7f0000003940)=ANY=[@ANYBLOB="210000000000000000000000000010000004"], 0x48) r0 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000040)='/proc/vmallocinfo\x00', 0x0, 0x0) read$char_usb(r0, &(0x7f00000000c0)=""/104, 0x12) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:37243' (ED25519) to the list of known hosts. syzkaller login: [ 71.744236][ T3308] cgroup: Unknown subsys name 'net' [ 71.929180][ T3308] cgroup: Unknown subsys name 'cpuset' [ 71.954183][ T3308] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 72.425636][ T3308] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 81.911472][ T3316] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 81.955375][ T3316] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 82.011263][ T3315] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 82.072362][ T3315] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 82.714948][ T3316] hsr_slave_0: entered promiscuous mode [ 82.720726][ T3316] hsr_slave_1: entered promiscuous mode [ 83.173141][ T3315] hsr_slave_0: entered promiscuous mode [ 83.187244][ T3315] hsr_slave_1: entered promiscuous mode [ 83.192081][ T3315] debugfs: 'hsr0' already exists in 'hsr' [ 83.196853][ T3315] Cannot create hsr debugfs directory [ 83.493523][ T3316] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 83.538744][ T3316] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 83.583469][ T3316] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 83.662584][ T3316] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 84.038479][ T3315] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 84.061513][ T3315] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 84.079171][ T3315] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 84.095404][ T3315] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 84.714272][ T3316] 8021q: adding VLAN 0 to HW filter on device bond0 [ 85.039064][ T3315] 8021q: adding VLAN 0 to HW filter on device bond0 [ 87.703471][ T3316] veth0_vlan: entered promiscuous mode [ 87.723997][ T3315] veth0_vlan: entered promiscuous mode [ 87.751941][ T3316] veth1_vlan: entered promiscuous mode [ 87.774749][ T3315] veth1_vlan: entered promiscuous mode [ 87.903145][ T3315] veth0_macvtap: entered promiscuous mode [ 87.956381][ T3315] veth1_macvtap: entered promiscuous mode [ 87.971677][ T3316] veth0_macvtap: entered promiscuous mode [ 87.997144][ T3316] veth1_macvtap: entered promiscuous mode [ 88.151549][ T815] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 88.171725][ T815] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 88.177595][ T815] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 88.188458][ T815] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 88.211914][ T815] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 88.214384][ T815] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 88.224057][ T815] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 88.225650][ T815] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 88.623094][ T3315] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 88.623108][ T3316] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 89.180474][ T3468] faux_driver vkms: [drm] Unknown color mode 6; guessing buffer size. [ 89.366915][ T10] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 89.564981][ T10] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 89.565468][ T10] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 89.567835][ T10] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 21 [ 89.568744][ T10] usb 1-1: New USB device found, idVendor=047f, idProduct=ffff, bcdDevice= 0.00 [ 89.568873][ T10] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 89.584690][ T10] usb 1-1: config 0 descriptor?? [ 90.080638][ T10] hid-generic 0003:047F:FFFF.0001: hidraw0: USB HID v0.40 Device [HID 047f:ffff] on usb-dummy_hcd.0-1/input0 [ 90.267351][ T35] usb 1-1: USB disconnect, device number 2 [ 90.285410][ T3474] fido_id[3474]: Failed to open report descriptor at '/sys/devices/platform/dummy_hcd.0/usb1/1-1/report_descriptor': No such file or directory [ 90.699584][ C1] vxcan1: j1939_tp_rxtimer: 0x000000005a955038: rx timeout, send abort [ 90.703072][ C1] vxcan1: j1939_xtp_rx_abort_one: 0x000000005a955038: 0x40000: (3) A timeout occurred and this is the connection abort to close the session. [ 91.082737][ T3487] capability: warning: `syz.0.10' uses deprecated v2 capabilities in a way that may be insecure [ 91.423184][ T3495] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 91.424711][ T3495] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 91.600667][ T3499] netlink: 16 bytes leftover after parsing attributes in process `syz.0.17'. [ 91.611872][ T3499] netlink: 12 bytes leftover after parsing attributes in process `syz.0.17'. [ 91.614152][ T3499] netlink: 12 bytes leftover after parsing attributes in process `syz.0.17'. [ 92.948598][ T3520] netlink: 4 bytes leftover after parsing attributes in process `syz.1.26'. [ 93.335741][ T3524] serio: Serial port ptm0 [ 94.577770][ T3535] loop9: detected capacity change from 0 to 7 [ 94.584845][ T3535] Buffer I/O error on dev loop9, logical block 0, async page read [ 94.588770][ T3535] Buffer I/O error on dev loop9, logical block 0, async page read [ 94.591208][ T3535] loop9: unable to read partition table [ 94.593038][ T3535] loop_reread_partitions: partition scan of loop9 (被xڬdGݡ [ 94.593038][ T3535] ) failed (rc=-5) [ 94.842970][ T3524] serio: Serial port ptm0 [ 97.474957][ T3576] netlink: 12 bytes leftover after parsing attributes in process `syz.0.52'. [ 97.475567][ T3576] netlink: 3 bytes leftover after parsing attributes in process `syz.0.52'. [ 97.890372][ T3583] netlink: 16 bytes leftover after parsing attributes in process `syz.0.55'. [ 98.321190][ T3589] syz.1.58 uses obsolete (PF_INET,SOCK_PACKET) [ 98.614967][ T3598] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 100.198691][ T3626] netlink: 'syz.0.72': attribute type 1 has an invalid length. [ 100.334920][ T3626] 8021q: adding VLAN 0 to HW filter on device bond1 [ 100.394193][ T3626] bond1: (slave geneve2): making interface the new active one [ 100.409068][ T3626] bond1: (slave geneve2): Enslaving as an active interface with an up link [ 101.912075][ T3634] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 101.917097][ T3634] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 102.104515][ T3638] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 102.109907][ T3638] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 103.457927][ T3647] netlink: 4 bytes leftover after parsing attributes in process `syz.0.81'. [ 104.292016][ T3662] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 113.434927][ T30] audit: type=1326 audit(113.260:2): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3742 comm="syz.1.116" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff8275c3e8 code=0x7ffc0000 [ 113.437435][ T30] audit: type=1326 audit(113.260:3): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3742 comm="syz.1.116" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff8275c3e8 code=0x7ffc0000 [ 113.445486][ T30] audit: type=1326 audit(113.270:4): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3742 comm="syz.1.116" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff8275c3e8 code=0x7ffc0000 [ 113.450425][ T30] audit: type=1326 audit(113.270:5): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3742 comm="syz.1.116" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff8275c3e8 code=0x7ffc0000 [ 113.452652][ T30] audit: type=1326 audit(113.270:6): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3742 comm="syz.1.116" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff8275c3e8 code=0x7ffc0000 [ 113.454094][ T30] audit: type=1326 audit(113.270:7): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3742 comm="syz.1.116" exe="/syz-executor" sig=0 arch=c00000b7 syscall=198 compat=0 ip=0xffff8275c3e8 code=0x7ffc0000 [ 113.462318][ T30] audit: type=1326 audit(113.290:8): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3742 comm="syz.1.116" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff8275c3e8 code=0x7ffc0000 [ 113.467895][ T30] audit: type=1326 audit(113.290:9): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3742 comm="syz.1.116" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff8275c3e8 code=0x7ffc0000 [ 113.471328][ T30] audit: type=1326 audit(113.300:10): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3742 comm="syz.1.116" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff8275c3e8 code=0x7ffc0000 [ 113.474563][ T30] audit: type=1326 audit(113.300:11): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3742 comm="syz.1.116" exe="/syz-executor" sig=0 arch=c00000b7 syscall=204 compat=0 ip=0xffff8275c3e8 code=0x7ffc0000 [ 113.850116][ T3754] netlink: 'syz.1.121': attribute type 3 has an invalid length. [ 115.406899][ T10] usb 1-1: new high-speed USB device number 3 using dummy_hcd [ 115.562418][ T10] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 115.562745][ T10] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x3 has invalid wMaxPacketSize 0 [ 115.563753][ T10] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 2 [ 115.563910][ T10] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9375, bcdDevice=1a.de [ 115.563955][ T10] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 115.578351][ T10] usb 1-1: config 0 descriptor?? [ 115.797429][ T10] usb 1-1: USB disconnect, device number 3 [ 115.909630][ T3789] Zero length message leads to an empty skb [ 120.950206][ T3835] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 120.951842][ T3835] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 121.891539][ T3849] netlink: 204 bytes leftover after parsing attributes in process `syz.1.158'. [ 122.614160][ T3859] netlink: 596 bytes leftover after parsing attributes in process `syz.0.162'. [ 123.028494][ T10] usb 1-1: new full-speed USB device number 4 using dummy_hcd [ 123.187171][ T10] usb 1-1: unable to get BOS descriptor or descriptor too short [ 123.194842][ T10] usb 1-1: not running at top speed; connect to a high speed hub [ 123.210468][ T10] usb 1-1: config 155 has an invalid interface number: 229 but max is 0 [ 123.213794][ T10] usb 1-1: config 155 has no interface number 0 [ 123.217287][ T10] usb 1-1: config 155 interface 229 has no altsetting 0 [ 123.266289][ T10] usb 1-1: New USB device found, idVendor=1de1, idProduct=f105, bcdDevice=41.1a [ 123.268387][ T10] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 123.270171][ T10] usb 1-1: Product: syz [ 123.271175][ T10] usb 1-1: Manufacturer: syz [ 123.272081][ T10] usb 1-1: SerialNumber: syz [ 123.531682][ T10] usb 1-1: USB disconnect, device number 4 [ 124.476795][ T24] usb 1-1: new full-speed USB device number 5 using dummy_hcd [ 124.712804][ T24] usb 1-1: New USB device found, idVendor=133e, idProduct=0815, bcdDevice=7e.66 [ 124.713050][ T24] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 124.714559][ T24] usb 1-1: Product: syz [ 124.714606][ T24] usb 1-1: Manufacturer: syz [ 124.714637][ T24] usb 1-1: SerialNumber: syz [ 124.728806][ T24] usb 1-1: config 0 descriptor?? [ 124.757688][ T24] snd-usb-audio 1-1:0.0: probe with driver snd-usb-audio failed with error -22 [ 124.944558][ T3725] usb 1-1: USB disconnect, device number 5 [ 125.467184][ T3725] usb 1-1: new high-speed USB device number 6 using dummy_hcd [ 125.617598][ T3725] usb 1-1: Using ep0 maxpacket: 8 [ 125.637106][ T3725] usb 1-1: config 1 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 125.637605][ T3725] usb 1-1: config 1 interface 0 altsetting 0 bulk endpoint 0x82 has invalid maxpacket 8 [ 125.637715][ T3725] usb 1-1: config 1 interface 0 altsetting 0 endpoint 0x3 has invalid wMaxPacketSize 0 [ 125.637778][ T3725] usb 1-1: config 1 interface 0 altsetting 0 bulk endpoint 0x3 has invalid maxpacket 0 [ 125.654690][ T3725] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a5, bcdDevice= 0.40 [ 125.654918][ T3725] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=1 [ 125.656818][ T3725] usb 1-1: SerialNumber: syz [ 125.677695][ T3901] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22 [ 125.695357][ T3725] cdc_ether 1-1:1.0: probe with driver cdc_ether failed with error -22 [ 125.705758][ T3725] usb-storage 1-1:1.0: USB Mass Storage device detected [ 125.730136][ T3725] usb-storage 1-1:1.0: Quirks match for vid 0525 pid a4a5: 10000 [ 125.740682][ T3725] scsi host0: usb-storage 1-1:1.0 [ 126.358643][ T3913] netlink: 272 bytes leftover after parsing attributes in process `syz.1.184'. [ 126.474610][ T3915] netlink: 'syz.1.185': attribute type 2 has an invalid length. [ 126.957037][ T3910] usb 1-1: reset high-speed USB device number 6 using dummy_hcd [ 127.657216][ T3910] usb 1-1: device descriptor read/64, error -71 [ 127.939426][ T3910] usb 1-1: reset high-speed USB device number 6 using dummy_hcd [ 127.959568][ T3910] usb 1-1: device reset changed ep0 maxpacket size! [ 127.973835][ T899] usb 1-1: USB disconnect, device number 6 [ 128.297492][ T899] usb 1-1: new high-speed USB device number 7 using dummy_hcd [ 128.495149][ T899] usb 1-1: config 0 has no interfaces? [ 128.495635][ T899] usb 1-1: New USB device found, idVendor=056a, idProduct=0063, bcdDevice= 0.00 [ 128.497973][ T899] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 128.520258][ T899] usb 1-1: config 0 descriptor?? [ 128.748003][ T788] usb 1-1: USB disconnect, device number 7 [ 129.041528][ T3933] mmap: syz.0.192 (3933) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst. [ 129.440438][ T3939] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 129.447906][ T3939] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 130.069822][ T3947] netlink: 4 bytes leftover after parsing attributes in process `syz.1.198'. [ 130.223181][ T3957] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 130.239074][ T3957] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 130.468829][ T3957] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 130.470074][ T3957] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 130.727864][ T3968] netlink: 100 bytes leftover after parsing attributes in process `syz.1.207'. [ 131.013030][ T3976] lo speed is unknown, defaulting to 1000 [ 131.027914][ T3976] lo speed is unknown, defaulting to 1000 [ 131.031889][ T3976] lo speed is unknown, defaulting to 1000 [ 131.050546][ T3976] iwpm_register_pid: Unable to send a nlmsg (client = 2) [ 131.067033][ T3976] infiniband syz2: RDMA CMA: cma_listen_on_dev, error -98 [ 131.102231][ T3976] lo speed is unknown, defaulting to 1000 [ 131.105839][ T3976] lo speed is unknown, defaulting to 1000 [ 131.978787][ T3996] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 131.981187][ T3996] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 132.271829][ T4002] binder: 4001:4002 tried to acquire reference to desc 0, got 1 instead [ 132.280353][ T4002] binder_alloc: 4001: pid 4001 spamming oneway? 1 buffers allocated for a total size of 4096 [ 132.284778][ T10] binder: undelivered TRANSACTION_COMPLETE [ 132.290546][ T10] binder: undelivered TRANSACTION_COMPLETE [ 132.304887][ T10] binder: undelivered transaction 6, process died. [ 132.305800][ T10] binder: undelivered transaction 5, process died. [ 132.444689][ T4006] netdevsim netdevsim0 netdevsim0: entered allmulticast mode [ 132.895159][ T4015] netlink: 168 bytes leftover after parsing attributes in process `syz.1.229'. [ 133.173460][ T4023] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 133.179166][ T4023] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 133.671126][ T4030] binder: 4028:4030 BC_ACQUIRE_DONE node 7 has no pending acquire request [ 134.389914][ T4045] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 134.394113][ T4045] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 135.318786][ T4061] process 'syz.1.250' launched '/dev/fd/3' with NULL argv: empty string added [ 137.157251][ T30] kauditd_printk_skb: 3 callbacks suppressed [ 137.159312][ T30] audit: type=1326 audit(136.980:15): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4052 comm="syz.0.247" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff8855c3e8 code=0x7fc00000 [ 138.316641][ T899] usb 1-1: new high-speed USB device number 8 using dummy_hcd [ 138.466886][ T899] usb 1-1: Using ep0 maxpacket: 16 [ 138.484975][ T899] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x84 has invalid wMaxPacketSize 0 [ 138.506687][ T899] usb 1-1: New USB device found, idVendor=2040, idProduct=0264, bcdDevice=4e.d1 [ 138.507892][ T899] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 138.507963][ T899] usb 1-1: Product: syz [ 138.508012][ T899] usb 1-1: Manufacturer: syz [ 138.508086][ T899] usb 1-1: SerialNumber: syz [ 138.521300][ T899] usb 1-1: config 0 descriptor?? [ 139.371542][ T4096] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 139.375982][ T4096] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 141.133993][ T4106] can0: slcan on ttyS3. [ 141.209420][ T4106] can0 (unregistered): slcan off ttyS3. [ 144.631893][ T4123] netlink: 'syz.1.274': attribute type 10 has an invalid length. [ 144.884019][ T4127] bond1: option mode: invalid value (7) [ 144.894478][ T4127] bond1 (unregistering): Released all slaves [ 148.780671][ T3725] usb 1-1: USB disconnect, device number 8 [ 150.207582][ T30] audit: type=1326 audit(150.030:16): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4183 comm="syz.0.300" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff8855c3e8 code=0x7ffc0000 [ 150.227969][ T30] audit: type=1326 audit(150.060:17): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4183 comm="syz.0.300" exe="/syz-executor" sig=0 arch=c00000b7 syscall=71 compat=0 ip=0xffff8855c3e8 code=0x7ffc0000 [ 150.230794][ T30] audit: type=1326 audit(150.060:18): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4183 comm="syz.0.300" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff8855c3e8 code=0x7ffc0000 [ 151.095229][ T4202] hsr0: entered promiscuous mode [ 151.101133][ T4202] netlink: 4 bytes leftover after parsing attributes in process `syz.0.308'. [ 151.116646][ T4202] hsr_slave_0: left promiscuous mode [ 151.129192][ T4202] hsr_slave_1: left promiscuous mode [ 151.194984][ T4202] hsr0 (unregistering): left promiscuous mode [ 151.877761][ T899] usb 1-1: new high-speed USB device number 9 using dummy_hcd [ 152.036889][ T899] usb 1-1: Using ep0 maxpacket: 16 [ 152.061821][ T899] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 152.062179][ T899] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9 [ 152.062382][ T899] usb 1-1: New USB device found, idVendor=045e, idProduct=07da, bcdDevice= 0.00 [ 152.062513][ T899] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 152.094381][ T899] usb 1-1: config 0 descriptor?? [ 152.395440][ T899] usbhid 1-1:0.0: can't add hid device: -71 [ 152.396832][ T899] usbhid 1-1:0.0: probe with driver usbhid failed with error -71 [ 152.486974][ T899] usb 1-1: USB disconnect, device number 9 [ 154.736914][ T10] usb 1-1: new high-speed USB device number 10 using dummy_hcd [ 154.830287][ T4278] tap0: tun_chr_ioctl cmd 1074025677 [ 154.831201][ T4278] tap0: linktype set to 780 [ 154.867167][ T10] usb 1-1: device descriptor read/64, error -71 [ 155.124173][ T10] usb 1-1: new high-speed USB device number 11 using dummy_hcd [ 155.268012][ T10] usb 1-1: device descriptor read/64, error -71 [ 155.380039][ T10] usb usb1-port1: attempt power cycle [ 155.726616][ T10] usb 1-1: new high-speed USB device number 12 using dummy_hcd [ 155.762354][ T10] usb 1-1: device descriptor read/8, error -71 [ 156.007555][ T10] usb 1-1: new high-speed USB device number 13 using dummy_hcd [ 156.033120][ T10] usb 1-1: device descriptor read/8, error -71 [ 156.139175][ T10] usb usb1-port1: unable to enumerate USB device [ 156.351524][ T4307] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 156.352488][ T4307] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 156.557730][ T4311] netlink: 'syz.1.359': attribute type 1 has an invalid length. [ 156.860304][ T4317] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 156.865275][ T4317] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 156.963041][ T4319] Illegal XDP return value 3212316672 on prog (id 5) dev N/A, expect packet loss! [ 157.402045][ T4327] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 157.403524][ T4327] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 158.897331][ T4358] netlink: 40 bytes leftover after parsing attributes in process `syz.1.381'. [ 158.900538][ T4358] netlink: 40 bytes leftover after parsing attributes in process `syz.1.381'. [ 158.903202][ T4358] netlink: 40 bytes leftover after parsing attributes in process `syz.1.381'. [ 168.818732][ T10] usb 1-1: new high-speed USB device number 14 using dummy_hcd [ 168.976816][ T10] usb 1-1: device descriptor read/64, error -71 [ 169.226974][ T10] usb 1-1: new high-speed USB device number 15 using dummy_hcd [ 169.367157][ T10] usb 1-1: device descriptor read/64, error -71 [ 169.478909][ T10] usb usb1-port1: attempt power cycle [ 169.826989][ T10] usb 1-1: new high-speed USB device number 16 using dummy_hcd [ 169.850561][ T10] usb 1-1: device descriptor read/8, error -71 [ 170.096779][ T10] usb 1-1: new high-speed USB device number 17 using dummy_hcd [ 170.119368][ T10] usb 1-1: device descriptor read/8, error -71 [ 170.238953][ T10] usb usb1-port1: unable to enumerate USB device [ 176.277897][ T4456] netlink: 'syz.1.412': attribute type 3 has an invalid length. [ 176.278081][ T4456] netlink: 8 bytes leftover after parsing attributes in process `syz.1.412'. [ 177.422586][ T4468] input: syz1 as /devices/virtual/input/input1 [ 183.432519][ T4488] binder: 4487:4488 tried to acquire reference to desc 0, got 1 instead [ 183.435926][ T4488] binder: 4487:4488 got transaction with invalid data ptr [ 183.439762][ T4488] binder: 4487:4488 transaction call to 4487:0 failed 13/29201/-14, code 0 size 252-0 line 3723 [ 183.445720][ T3462] binder: undelivered TRANSACTION_COMPLETE [ 183.450238][ T3462] binder: undelivered TRANSACTION_ERROR: 29201 [ 183.462332][ T3462] binder: undelivered transaction 12, process died. [ 183.635657][ T4490] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 183.659307][ T4490] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 184.057074][ T3725] usb 1-1: new high-speed USB device number 18 using dummy_hcd [ 184.199572][ T3725] usb 1-1: device descriptor read/64, error -71 [ 184.436976][ T3725] usb 1-1: new high-speed USB device number 19 using dummy_hcd [ 184.566838][ T3725] usb 1-1: device descriptor read/64, error -71 [ 184.679218][ T3725] usb usb1-port1: attempt power cycle [ 185.017470][ T3725] usb 1-1: new high-speed USB device number 20 using dummy_hcd [ 185.051636][ T3725] usb 1-1: device descriptor read/8, error -71 [ 185.287152][ T3725] usb 1-1: new high-speed USB device number 21 using dummy_hcd [ 185.315170][ T3725] usb 1-1: device descriptor read/8, error -71 [ 185.420385][ T3725] usb usb1-port1: unable to enumerate USB device [ 188.099121][ T4516] netlink: 8 bytes leftover after parsing attributes in process `syz.1.434'. [ 188.101439][ T4516] netlink: 24 bytes leftover after parsing attributes in process `syz.1.434'. [ 190.994456][ T4525] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 190.995798][ T4525] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 193.962534][ T4542] binder: 4541:4542 tried to acquire reference to desc 0, got 1 instead [ 193.965730][ T4542] binder: 4541:4542 got transaction with invalid offset (48, min 48 max 72) or object. [ 193.970763][ T4542] binder: 4541:4542 transaction async to 4541:0 failed 18/29201/-22, code 0 size 72-24 line 3505 [ 193.975389][ T24] binder: undelivered TRANSACTION_ERROR: 29201 [ 196.164867][ T4552] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 196.175251][ T4552] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 202.287931][ T4583] binder: 4576:4583 IncRefs 0 refcount change on invalid ref 0 ret -22 [ 203.403714][ T165] netdevsim netdevsim1 netdevsim0: unset [1, 0] type 2 family 0 port 6081 - 0 [ 203.405436][ T165] netdevsim netdevsim1 netdevsim1: unset [1, 0] type 2 family 0 port 6081 - 0 [ 203.409390][ T165] netdevsim netdevsim1 netdevsim2: unset [1, 0] type 2 family 0 port 6081 - 0 [ 203.412150][ T165] netdevsim netdevsim1 netdevsim3: unset [1, 0] type 2 family 0 port 6081 - 0 [ 207.388241][ T4602] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 207.392009][ T4602] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 208.125449][ T815] ================================================================== [ 208.129744][ T815] BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc [ 208.131945][ T815] Write at addr fbf000000d934420 by task kworker/u8:10/815 [ 208.132500][ T815] Pointer tag: [fb], memory tag: [fe] [ 208.132575][ T815] [ 208.133555][ T815] CPU: 0 UID: 0 PID: 815 Comm: kworker/u8:10 Not tainted syzkaller #0 PREEMPT [ 208.133993][ T815] Hardware name: linux,dummy-virt (DT) [ 208.134444][ T815] Workqueue: events_unbound bpf_map_free_deferred [ 208.135821][ T815] Call trace: [ 208.136279][ T815] show_stack+0x18/0x24 (C) [ 208.136692][ T815] dump_stack_lvl+0x78/0x90 [ 208.136809][ T815] print_report+0x108/0x61c [ 208.136858][ T815] kasan_report+0x88/0xac [ 208.136902][ T815] __do_kernel_fault+0x170/0x1c8 [ 208.136950][ T815] do_bad_area+0x68/0x78 [ 208.136997][ T815] do_tag_check_fault+0x34/0x44 [ 208.137041][ T815] do_mem_abort+0x44/0x94 [ 208.137088][ T815] el1_abort+0x44/0x68 [ 208.137132][ T815] el1h_64_sync_handler+0x50/0xac [ 208.137177][ T815] el1h_64_sync+0x6c/0x70 [ 208.137333][ T815] defer_free+0x3c/0xbc (P) [ 208.137403][ T815] kfree_nolock+0x1a0/0x1d4 [ 208.137448][ T815] range_tree_destroy+0x74/0x90 [ 208.137494][ T815] arena_map_free+0x64/0x90 [ 208.137538][ T815] bpf_map_free_deferred+0x70/0x180 [ 208.137585][ T815] process_one_work+0x178/0x2cc [ 208.137703][ T815] worker_thread+0x24c/0x354 [ 208.137748][ T815] kthread+0x130/0x1fc [ 208.137795][ T815] ret_from_fork+0x10/0x20 [ 208.138037][ T815] [ 208.138098][ T815] Allocated by task 4609: [ 208.138292][ T815] kasan_save_stack+0x3c/0x64 [ 208.138547][ T815] save_stack_info+0x40/0x158 [ 208.138584][ T815] kasan_save_alloc_info+0x14/0x20 [ 208.138621][ T815] __kasan_kmalloc+0xb4/0xb8 [ 208.138654][ T815] kmalloc_nolock_noprof+0x1dc/0x4fc [ 208.138691][ T815] range_tree_set+0x644/0x778 [ 208.138728][ T815] arena_map_alloc+0x11c/0x17c [ 208.138765][ T815] map_create+0x19c/0xa98 [ 208.138799][ T815] __sys_bpf+0x348/0x1a88 [ 208.138890][ T815] __arm64_sys_bpf+0x24/0x34 [ 208.138933][ T815] invoke_syscall+0x48/0x110 [ 208.138972][ T815] el0_svc_common.constprop.0+0x40/0xe0 [ 208.139007][ T815] do_el0_svc+0x1c/0x28 [ 208.139044][ T815] el0_svc+0x34/0x128 [ 208.139080][ T815] el0t_64_sync_handler+0xa0/0xe4 [ 208.139117][ T815] el0t_64_sync+0x1a4/0x1a8 [ 208.139192][ T815] [ 208.139235][ T815] Freed by task 815: [ 208.139280][ T815] kasan_save_stack+0x3c/0x64 [ 208.139317][ T815] save_stack_info+0x40/0x158 [ 208.139363][ T815] kasan_save_free_info+0x18/0x24 [ 208.139398][ T815] __kasan_slab_free+0x7c/0x8c [ 208.139430][ T815] kfree_nolock+0xcc/0x1d4 [ 208.139466][ T815] range_tree_destroy+0x74/0x90 [ 208.139496][ T815] arena_map_free+0x64/0x90 [ 208.139526][ T815] bpf_map_free_deferred+0x70/0x180 [ 208.139558][ T815] process_one_work+0x178/0x2cc [ 208.139587][ T815] worker_thread+0x24c/0x354 [ 208.139620][ T815] kthread+0x130/0x1fc [ 208.139650][ T815] ret_from_fork+0x10/0x20 [ 208.139691][ T815] [ 208.139739][ T815] The buggy address belongs to the object at fff000000d934400 [ 208.139739][ T815] which belongs to the cache kmalloc-64 of size 64 [ 208.139846][ T815] The buggy address is located 32 bytes inside of [ 208.139846][ T815] 64-byte region [fff000000d934400, fff000000d934440) [ 208.139897][ T815] [ 208.140182][ T815] The buggy address belongs to the physical page: [ 208.140650][ T815] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xf1f000000d934300 pfn:0x4d934 [ 208.141036][ T815] flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0) [ 208.141528][ T815] page_type: f5(slab) [ 208.142084][ T815] raw: 01ffc00000000000 f3f0000003001600 dead000000000122 0000000000000000 [ 208.142140][ T815] raw: f1f000000d934300 000000008040001f 00000000f5000000 0000000000000000 [ 208.142264][ T815] page dumped because: kasan: bad access detected [ 208.142307][ T815] [ 208.142339][ T815] Memory state around the buggy address: [ 208.142670][ T815] fff000000d934200: fe fe fe fe fe fe fe fe fe fe fe fe fb fb fb fb [ 208.142782][ T815] fff000000d934300: fe fe fe fe f8 f8 f8 fe fe fe fe fe fb fb fb fe [ 208.142841][ T815] >fff000000d934400: fe fe fe fe fe fe fe fe f0 f0 f0 f0 fe fe fe fe [ 208.142894][ T815] ^ [ 208.143002][ T815] fff000000d934500: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 208.143030][ T815] fff000000d934600: f0 f0 f0 f0 fe fe fe fe fe fe fe fe fe fe fe fe [ 208.143115][ T815] ================================================================== [ 208.144354][ T815] Disabling lock debugging due to kernel taint SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) VM DIAGNOSIS: 15:32:29 Registers: info registers vcpu 0 CPU#0 PC=ffff800080126818 X00=f4f0000003199080 X01=0000000000000000 X02=0000000000000004 X03=0000000000000010 X04=0000000000000000 X05=f4f0000003199100 X06=0000000000155cc0 X07=f5f00000030e3800 X08=000000171e0dd367 X09=fff000007f8f0c00 X10=fffffffffffb89cd X11=0000000000155cc0 X12=0000000000000000 X13=0000000000000001 X14=00000000000001f4 X15=fff000007f8d7b80 X16=ffff800082de8000 X17=fff07ffffcef4000 X18=0000000000000001 X19=f4f0000003199080 X20=fff000007f8f0b80 X21=0000000000000000 X22=0000000000000004 X23=0000000000000001 X24=f4f0000003199923 X25=ffff800082a045b0 X26=0000000000000001 X27=fff07ffffcf0d000 X28=0000000000000101 X29=ffff800082debce0 X30=ffff800080126818 SP=ffff800082debce0 PSTATE=404020c9 -Z-- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000 P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000 P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000 P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000 FFR=0000000000000000 Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffff82976438:0000ffff82976450 Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffff82976448:0000ffff82976490 Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffff834dca20:0000ffff82976430 Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffff82976468:0000ffff82976440 Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffff82976478:0000ffff82976470 Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffff82976478:0000ffff82976470 Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffff82976488:0000ffff82976480 Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffc4ee0480:0000ffffc4ee0480 Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffc4ee0450 Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff800081b86404 X00=ffff800081b86400 X01=ffff8000814623f8 X02=fff000007f8e9bf0 X03=fff000007f8e9c30 X04=f2f000000300b580 X05=0000000000000001 X06=0000000000000001 X07=0000000000000000 X08=7f7f7f7f7f7f7f7f X09=00000000000000c0 X10=0000000000000000 X11=ffff8000831ebe20 X12=ffff800082adf208 X13=ffff8000831ebb8d X14=ffff8000831ebb98 X15=ffff8000831eba00 X16=ffff800082df0000 X17=fff07ffffcf0d000 X18=00000000ffffffff X19=ffff800082d17cc0 X20=000000306dc42000 X21=fff000007f8e9bb0 X22=fff000007f8e9c30 X23=fff000007f8e9bf0 X24=000000000000a0e6 X25=fff000007f8e9b0c X26=fff000007f8e9c30 X27=fff000007f8e9bf0 X28=fff000007f8e9bb0 X29=ffff800082df3ea0 X30=ffff800081462410 SP=ffff800082df3ea0 PSTATE=004020c9 ---- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000 P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000 P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000 P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000 FFR=0000000000000000 Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:00524f5252450040:0000000000000000 Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:00524f5252450040:0000000000000000 Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:6edc4d3a2914b135:d8e9c869e2695c88 Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:b20fae707afde253:388e9c6c4fa85ca0 Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffc7e17480:0000ffffc7e17480 Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffc7e17450 Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000