last executing test programs: 14.77964725s ago: executing program 0 (id=268): r0 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xb, &(0x7f0000000180)=ANY=[@ANYBLOB="180000000000000000000000000000001801000020207025000000002dba513d7b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000008fd8850000000400000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x7, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000180)='kfree\x00', r0, 0x0, 0x3}, 0x18) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000980)={0x20, 0x3, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000000000000000000000000095"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, @netfilter=0x2d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000580)={r1, 0x0, 0x44, 0x0, &(0x7f0000000080)="f6f4e9a10000502468da5eb1c6b2feff8833c0000000000000c548dc7914cb11ad63bf3707164aac031971c4be105eb953f86fbc6b204e076aa7a493e796123bbbd8e3b7e62d8fd097cf21d6d431a069ebc0aefd5fce80cc99fb38c771fa46e2c32a95fe99", 0x0, 0x86, 0x0, 0xffffffffffffff80, 0x0, &(0x7f0000000000)="daf9e846ab156efc71b59652333536dbfd26a6d0546366e36eb77dd0aaa2dbe567d168904cf0d5bce1771889c98ffc0abf", 0x0}, 0x15) 14.669705204s ago: executing program 0 (id=269): r0 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="1b00000000000000000000000080"], 0x50) r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000600)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000900850000008200000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000bc0)={&(0x7f0000000040)='kfree\x00', r1}, 0x10) r2 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r2, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)=ANY=[@ANYBLOB="140000001000010600000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff1b000000020000000900010073797a30000001000900030073797a320000000014000000110001"], 0x7c}}, 0x0) sendmsg$NFT_BATCH(r2, &(0x7f0000000580)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000680)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a3c000000120a01020000000000000000020000000900020073797a310000000008000440000000000900010073797a3000000000080003400000000a14000000110001"], 0x64}, 0x1, 0x0, 0x0, 0x24048011}, 0x0) sendmsg$NFT_BATCH(r2, &(0x7f0000000d80)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000d00)=ANY=[@ANYBLOB="140000001000010000000000000000020220000a3c000000120a09080000000000000000020000000900020073797a310000000008000440000000000900010073797a3000000000080003400000000a"], 0x64}, 0x1, 0x0, 0x0, 0x5}, 0x0) 14.297847282s ago: executing program 0 (id=270): bpf$PROG_LOAD(0x5, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="04000000040000000400000005"], 0x48) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0xa, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b70800000000e7057b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b7040000000000008500000016000000"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x9, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe8c}, 0x94) r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x4, '\x00', 0x0, @fallback=0x2f, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000f40)={&(0x7f0000000f00)='kfree\x00', r1}, 0x10) r2 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0) write$UHID_CREATE(r2, &(0x7f0000000a00)={0x0, {'syz0\x00', 'syz1\x00', 'syz0\x00', &(0x7f0000000500)=""/18, 0x12, 0x3, 0x4, 0x0, 0x0, 0xc04}}, 0x120) readv(r2, &(0x7f0000000140)=[{&(0x7f0000000080)=""/155, 0x9b}, {0x0, 0x4}], 0x2) write$UHID_DESTROY(r2, &(0x7f0000000740), 0x4) 13.678896171s ago: executing program 0 (id=274): bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0x14, &(0x7f0000000400)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b70400000000000085000000010000001801000020756c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000020850000000400000095"], 0x0, 0x0, 0x0, 0x0, 0x40f00, 0x40, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="180000000000000000000000000000008500000007"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x2f, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r0 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000f40)={&(0x7f0000000300)='fib_table_lookup\x00', r0}, 0x10) r1 = socket$netlink(0x10, 0x3, 0x0) sendmsg(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000300)=[{&(0x7f0000000140)="5500000018007f5f00fe01b2a4a2809302060000ff41fd01020400000a00120002002800000019002d007fffffff0022de1330d54400009b84136ef75afb83de066a5900e1baac968300000000f2ff000001000000", 0x55}], 0x1, 0x0, 0x0, 0x7a000000}, 0x0) 13.518789361s ago: executing program 0 (id=275): r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)=ANY=[@ANYBLOB="140000001000010600000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff1b000000020000000900010073797a30000001000900030073797a320000000014000000110001"], 0x7c}}, 0x0) socket(0x1, 0x803, 0x0) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000780)={0x11, 0xb, &(0x7f0000000180)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000000000000b7030000ddffffff850000002d00000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) bpf$MAP_CREATE(0x0, &(0x7f0000000280)=ANY=[], 0x50) getpeername(0xffffffffffffffff, &(0x7f0000000100)=@xdp, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000240)={0x8, 0x248}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) sched_setscheduler(0x0, 0x2, &(0x7f0000000040)=0x6) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0xffffe000) socketpair$unix(0x1, 0x2, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f00000004c0)=@abs={0x0, 0x0, 0x4e21}, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r2, &(0x7f00000000c0), 0x3fffffffffffeda, 0x2, 0x0) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000002c0)={&(0x7f0000000300)='sched_switch\x00', r1}, 0x10) sendmsg$NFT_BATCH(r0, &(0x7f0000000d80)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000d00)=ANY=[@ANYBLOB="140000001000010000000000000000000220000a3c000000120a09080000000000000000020000000900020073797a310000000008000440000000000900010073797a3000000000080003400000000a"], 0x64}, 0x1, 0x0, 0x0, 0x5}, 0x0) 1.390526672s ago: executing program 1 (id=285): r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$smc(&(0x7f0000000000), 0xffffffffffffffff) sendmsg$SMC_PNETID_GET(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000040)=ANY=[@ANYBLOB=' \x00\x00\x00', @ANYRES16=r1, @ANYBLOB="03002cbd7600fedbdf2501"], 0x20}, 0x1, 0x0, 0x0, 0x20000815}, 0x200408c0) 1.16821071s ago: executing program 1 (id=286): bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="020000000400000005000000020000000010"], 0x48) r0 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x35, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000040)='kmem_cache_free\x00', r0}, 0x10) r1 = memfd_create(&(0x7f0000000180)='[\v\xdbX\xae[\x1a\xa9\xfd\xfa\xad\xd1md\xc8\x85HX\xa9%\f\x1ae\xe0\x00\x00\x00\x00\xfb\xff\x00\x00\x81\x9eG\xd9,\xe2\xc6a\x9f\xe8\xf1\xb3\x86\xe2+Op\xd0\xa2\x82\x1eb;(\xb5\xe1jS\xd6\x91%||\xa0\x8ez\xadT\xc8\f\xe5\x89\xbf3:\x99\x1e\xac`\xc3\xcf\xd3\xae\xd2\a\x11\xa9\xa5^\xff\xf5\x95\xd2q#\xc6\xca\x97\x9d\xcb\x1e\x80\xd6\xd5%N&\xf8#\x80z8Z\xd2}\xf5\xe4\x9f5\x9b\x01\xf9t\xbb\x1er\x14\xdb\xd3\xcd\xfd\xbdnC\xecz\xabq\x95t*T9\xa9\b X \x04\"\x17\xbf\xcb\xccF\xda\xcf\xdd^\xa0\x15\xc0\xcb^h>\x1b\xb5d\xc7\x7f0\x9a&\xb0\x12#\x9c`\xa6\xed\x05\x95g\a\xccYb\xaf\xe9\xb6G?\x9f\xf5\xfe\xc1\xc0JJ\xc8\xd9d\x80\x13\x8fX\xb4\x19\xc4\\\xcb\x89-)\x90\x01\v\xac^\xdbBQ|\xaej;\x92\\\xf8u\x19Y\xee\x99EI\xf1t\xadn<\x9b\xc9\x87\xd0\xa7\x1a\x81\xb9\xc87sq\xd7\x15\xd6\x91O\x9c\x99!9>\xff\xa8\xfa\xe6=d\xcf\xca\xa9\xc61!\xc6P\x13\xd0\x88gZ\xbe\xdfl\xfa\xff\xb0m;d07tx\xbb\xabd\xe5\x16\xc4\xae\xf0', 0x0) write$binfmt_script(r1, &(0x7f0000000340)={'#! ', './file0'}, 0xb) execveat(r1, &(0x7f0000000000)='\x00', 0x0, 0x0, 0x1000) 1.16770572s ago: executing program 0 (id=287): bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000a40)={0x3, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000002000000b704000000000000850000005700000095"], 0x0}, 0x90) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000640)=ANY=[@ANYBLOB="17000000000000000400000003"], 0x48) bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="19000000040000000800"], 0x48) bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, 0x0, 0x0) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000a40)={0x3, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000008000000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008"], 0x0}, 0x94) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000740)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x1, '\x00', 0x0, @fallback=0x38, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000100)='kmem_cache_free\x00', r1}, 0x18) prctl$PR_SET_SECCOMP(0x16, 0x2, &(0x7f0000000000)={0x1, &(0x7f00000000c0)=[{0x200000000006, 0x0, 0x0, 0x7ffc1ffb}]}) mlock(&(0x7f0000c00000/0x400000)=nil, 0x400000) r2 = mq_open(&(0x7f0000000080)='eth0\x00#~\x02\x00\x00\xfbu0*\xf3\x11i\xdd\xd9\xc6\x87\xde\xbf_\xa0\xf6\xdfk\xbf.\"\xa6\xc0#p\xcd\x1c/\xa6\xf2\xbcyL\x85a\xb5\xbb~+>\xbc\x93\xf8\xab\x9a3\x85l\x1d\x15\x11\x1a{@!2\xb6!\xae\xf79k\x90\x88\v8I$\xfd\x05\x00\x00\x00\x00\x00\x80\x00\t/\x8dv\xb8\x93\xc3C\xae\x9dc\xd1T\xdd\x14\xd3\xe1\xbe_$A=z\xee\xbd/X\xbemOX)s\x94uu_\v\x01\xbe\xeb\xbb\x91\x11z\xc2|d\x1b\x04\xd2\xf9yx\xb2\x1b\bLTrw\x88\x9e0\t\xc6\xe2\x9c\xed\\\xd8[\xc8\x04 \xf3\xac]V\x1d:\xfc\xc3\x9e\x02\ax\xef\xfe\x1c.TT\xcf\xbf\xf5\x80a%\xdcQ\xb3CuT\xcc7\x8avs\xb2\a\xfe\xb3j*\xad\x18A\xcc\xe9\xaa{]\xef\xb7\xf2\xee*\xf95\bJt\xd0s\xc4\xaa\xc8\x05\x00\x00\x000\xbdf\xdb\xaeG\xe3\xfb\xef\x94\xef:Q\x1b\xe3\xa3\xa4}\xef`e\xcdL\xab\xdb\r\xf2y\x9fg1\xf4\t\x18i/!\x13\xf1,\x8cu\xaa\xbf~)\x94\x1b2\x93\x86\xe7\x9a\xf2j\xa8\x96\xa6\xa2\xfcN\x81\xafTh\xce\x00\x00\x00\xe8\vq+\xbb\xc7\xaf\xf3L\xa0\x9c\x97B\x12\x10\x9d\xaa\x7fq\x06\xb9(\xf6\x1c\x83\xb1J\xec\x926\xb5a0\xa0B\xae|', 0x42, 0x0, 0x0) mq_timedreceive(r2, &(0x7f000001a600)=""/102385, 0x18ff1, 0x0, 0x0) 990.138803ms ago: executing program 1 (id=288): r0 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xb, &(0x7f0000000180)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000000000000b7030000000000f7850000002d00000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x2f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000180)={&(0x7f0000000140)='kmem_cache_free\x00', r0}, 0x10) r1 = socket$key(0xf, 0x3, 0x2) sendmsg$key(r1, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000080)={0x2, 0x13, 0x0, 0x0, 0x2}, 0x10}}, 0x0) 819.907415ms ago: executing program 1 (id=289): r0 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000540)={&(0x7f0000000640)=ANY=[@ANYBLOB="3c000000100005ff00000000000000000000004a", @ANYRES32=0x0, @ANYBLOB="0000000000000000140012800b00010062617461647600000400028008000a00", @ANYRES32], 0x3c}}, 0x0) 538.9713ms ago: executing program 1 (id=290): r0 = bpf$MAP_CREATE(0x0, &(0x7f0000003940)=ANY=[@ANYBLOB="210000000000000000000000000010000004"], 0x48) mmap(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x200000a, 0x13, r0, 0x0) r1 = gettid() process_vm_writev(r1, &(0x7f0000000000)=[{&(0x7f00008f9f09)=""/247, 0x7ffff000}], 0x1, &(0x7f0000121000)=[{&(0x7f0000217f28)=""/231, 0xffffff4e}], 0x23a, 0x0) io_uring_register$IORING_REGISTER_BUFFERS(0xffffffffffffffff, 0x0, 0x0, 0x0) bpf$PROG_LOAD(0x5, 0x0, 0x0) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) read(0xffffffffffffffff, 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(0xffffffffffffffff, 0x4040534e, 0x0) ioctl$SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION(0xffffffffffffffff, 0xc0505350, 0x0) futex(&(0x7f000000cffc), 0x80000000000b, 0x0, 0x0, &(0x7f0000048000), 0x20000000) 0s ago: executing program 1 (id=291): r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000740)={0x11, 0xc, &(0x7f0000000180)=ANY=[@ANYBLOB="18000000ed07449e000000000000000018010000", @ANYRES32, @ANYBLOB="0000000000000000b70800000000396f7b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000002400000095"], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x45, '\x00', 0x0, @fallback=0x2b, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000080)='kfree\x00', r0}, 0x10) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f00000012c0), 0xffffffffffffffff) sendmsg$NL80211_CMD_DEAUTHENTICATE(r1, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000003c0)={0x24, r2, 0xfc5, 0x0, 0x0, {{0x11}, {@val={0x8}, @void}}, [@NL80211_ATTR_IE={0x8, 0x2a, [@perr={0x84, 0xffffffffffffff21}]}]}, 0x24}}, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:3785' (ED25519) to the list of known hosts. syzkaller login: [ 78.060287][ T3313] cgroup: Unknown subsys name 'net' [ 78.318809][ T3313] cgroup: Unknown subsys name 'cpuset' [ 78.341460][ T3313] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 78.836873][ T3313] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 86.336374][ T3319] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 86.390732][ T3319] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 86.397852][ T3318] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 86.434960][ T3318] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 87.384465][ T3319] hsr_slave_0: entered promiscuous mode [ 87.391329][ T3319] hsr_slave_1: entered promiscuous mode [ 87.530142][ T3318] hsr_slave_0: entered promiscuous mode [ 87.533344][ T3318] hsr_slave_1: entered promiscuous mode [ 87.537709][ T3318] debugfs: 'hsr0' already exists in 'hsr' [ 87.540504][ T3318] Cannot create hsr debugfs directory [ 88.283036][ T3319] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 88.334680][ T3319] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 88.352309][ T3319] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 88.383041][ T3319] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 88.518278][ T3318] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 88.557359][ T3318] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 88.575340][ T3318] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 88.587982][ T3318] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 89.437398][ T3319] 8021q: adding VLAN 0 to HW filter on device bond0 [ 89.456414][ T3318] 8021q: adding VLAN 0 to HW filter on device bond0 [ 92.450550][ T3318] veth0_vlan: entered promiscuous mode [ 92.488841][ T3318] veth1_vlan: entered promiscuous mode [ 92.648455][ T3318] veth0_macvtap: entered promiscuous mode [ 92.677929][ T3318] veth1_macvtap: entered promiscuous mode [ 92.823974][ T12] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 92.824811][ T12] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 92.824955][ T12] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 92.825091][ T12] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 93.027755][ T3319] veth0_vlan: entered promiscuous mode [ 93.108773][ T3319] veth1_vlan: entered promiscuous mode [ 93.286983][ T3319] veth0_macvtap: entered promiscuous mode [ 93.287064][ T3318] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 93.319977][ T3319] veth1_macvtap: entered promiscuous mode [ 93.712335][ T12] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 93.714248][ T12] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 93.717959][ T12] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 93.718385][ T12] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 103.276235][ T3603] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 104.250796][ T3406] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 104.450811][ T3406] usb 1-1: Using ep0 maxpacket: 32 [ 104.496930][ T3406] usb 1-1: config 0 has an invalid interface number: 247 but max is 0 [ 104.497599][ T3406] usb 1-1: config 0 has no interface number 0 [ 104.545786][ T3406] usb 1-1: New USB device found, idVendor=1d50, idProduct=60c6, bcdDevice=62.9b [ 104.546185][ T3406] usb 1-1: New USB device strings: Mfr=1, Product=3, SerialNumber=0 [ 104.547780][ T3406] usb 1-1: Product: syz [ 104.547887][ T3406] usb 1-1: Manufacturer: syz [ 104.575336][ T3406] usb 1-1: config 0 descriptor?? [ 105.923515][ T9] usb 1-1: USB disconnect, device number 2 [ 105.987954][ T3631] binder: 3630:3631 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 30) [ 105.988483][ T3631] binder: 3631 RLIMIT_NICE not set [ 106.106055][ T3633] binder: 3632:3633 BC_DEAD_BINDER_DONE 0000000000000000 not found [ 106.600591][ T24] usb 1-1: new high-speed USB device number 3 using dummy_hcd [ 106.770053][ T24] usb 1-1: Using ep0 maxpacket: 8 [ 106.792796][ T24] usb 1-1: config 16 interface 0 altsetting 0 endpoint 0x5 has invalid wMaxPacketSize 0 [ 106.794434][ T24] usb 1-1: config 16 interface 0 altsetting 0 bulk endpoint 0x5 has invalid maxpacket 0 [ 106.796428][ T24] usb 1-1: config 16 interface 0 altsetting 0 bulk endpoint 0x8B has invalid maxpacket 32 [ 106.797879][ T24] usb 1-1: config 16 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 3 [ 106.801916][ T24] usb 1-1: New USB device found, idVendor=ee8d, idProduct=db1a, bcdDevice=61.23 [ 106.803361][ T24] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 107.036818][ T24] usb 1-1: GET_CAPABILITIES returned 0 [ 107.037833][ T24] usbtmc 1-1:16.0: can't read capabilities [ 107.254002][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 107.260638][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 107.262765][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 107.263573][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 107.263707][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 107.264461][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 107.265079][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 107.265918][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 107.266064][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 107.266832][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 107.268068][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 107.269011][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 107.274895][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 107.275554][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 107.275632][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 107.276213][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 107.288724][ T9] usb 1-1: USB disconnect, device number 3 [ 114.166602][ T3709] faux_driver vgem: [drm] Unknown color mode 181; guessing buffer size. [ 114.443258][ T3713] loop2: detected capacity change from 0 to 7 [ 114.711446][ T3406] usb 1-1: new high-speed USB device number 4 using dummy_hcd [ 114.905350][ T3406] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 114.908034][ T3406] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 114.912577][ T3406] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 21 [ 114.919379][ T3406] usb 1-1: New USB device found, idVendor=047f, idProduct=ffff, bcdDevice= 0.00 [ 114.923661][ T3406] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 114.937448][ T3406] usb 1-1: config 0 descriptor?? [ 115.417665][ T3406] hid-generic 0003:047F:FFFF.0001: unknown main item tag 0x0 [ 115.423175][ T3406] hid-generic 0003:047F:FFFF.0001: unknown main item tag 0x0 [ 115.428655][ T3406] hid-generic 0003:047F:FFFF.0001: unknown main item tag 0x0 [ 115.431204][ T3406] hid-generic 0003:047F:FFFF.0001: unknown main item tag 0x0 [ 115.431295][ T3406] hid-generic 0003:047F:FFFF.0001: unknown main item tag 0x0 [ 115.431370][ T3406] hid-generic 0003:047F:FFFF.0001: unknown main item tag 0x0 [ 115.431444][ T3406] hid-generic 0003:047F:FFFF.0001: unknown main item tag 0x0 [ 115.431516][ T3406] hid-generic 0003:047F:FFFF.0001: unknown main item tag 0x0 [ 115.431592][ T3406] hid-generic 0003:047F:FFFF.0001: unknown main item tag 0x0 [ 115.431675][ T3406] hid-generic 0003:047F:FFFF.0001: unknown main item tag 0x0 [ 115.458439][ T3406] hid-generic 0003:047F:FFFF.0001: hidraw0: USB HID v0.40 Device [HID 047f:ffff] on usb-dummy_hcd.0-1/input0 [ 115.597744][ T3406] usb 1-1: USB disconnect, device number 4 [ 116.203720][ T3725] fido_id[3725]: Failed to open report descriptor at '/sys/devices/platform/dummy_hcd.0/usb1/report_descriptor': No such file or directory [ 116.403865][ T3739] syz.1.108 uses obsolete (PF_INET,SOCK_PACKET) [ 117.296148][ T3750] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 117.298649][ T3750] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 118.846320][ T3746] md: async del_gendisk mode will be removed in future, please upgrade to mdadm-4.5+ [ 118.854001][ T3746] block device autoloading is deprecated and will be removed. [ 119.036275][ T3768] netlink: 12 bytes leftover after parsing attributes in process `syz.0.119'. [ 119.169164][ T3768] Zero length message leads to an empty skb [ 122.993769][ T3800] TCP: request_sock_TCPv6: Possible SYN flooding on port [::]:20002. Sending cookies. [ 123.185751][ T3465] hid_parser_main: 5 callbacks suppressed [ 123.197131][ T3465] hid-generic 00A0:0006:0003.0002: unknown main item tag 0x0 [ 123.197494][ T3465] hid-generic 00A0:0006:0003.0002: unknown main item tag 0x0 [ 123.199039][ T3465] hid-generic 00A0:0006:0003.0002: unknown main item tag 0x0 [ 123.199144][ T3465] hid-generic 00A0:0006:0003.0002: unknown main item tag 0x0 [ 123.199216][ T3465] hid-generic 00A0:0006:0003.0002: unknown main item tag 0x0 [ 123.199283][ T3465] hid-generic 00A0:0006:0003.0002: unknown main item tag 0x0 [ 123.199350][ T3465] hid-generic 00A0:0006:0003.0002: unknown main item tag 0x0 [ 123.215418][ T3465] hid-generic 00A0:0006:0003.0002: unknown main item tag 0x0 [ 123.217421][ T3465] hid-generic 00A0:0006:0003.0002: unknown main item tag 0x0 [ 123.217862][ T3465] hid-generic 00A0:0006:0003.0002: unknown main item tag 0x0 [ 123.241340][ T3465] hid-generic 00A0:0006:0003.0002: hidraw0: HID v0.05 Device [syz1] on syz0 [ 123.470271][ T784] usb 1-1: new full-speed USB device number 5 using dummy_hcd [ 123.637470][ T784] usb 1-1: config 0 has an invalid interface number: 212 but max is 0 [ 123.639247][ T784] usb 1-1: config 0 has no interface number 0 [ 123.642138][ T784] usb 1-1: config 0 interface 212 has no altsetting 0 [ 123.668862][ T784] usb 1-1: New USB device found, idVendor=1ae7, idProduct=0525, bcdDevice=ca.e6 [ 123.671194][ T784] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 123.672618][ T784] usb 1-1: Product: syz [ 123.673567][ T784] usb 1-1: Manufacturer: syz [ 123.674615][ T784] usb 1-1: SerialNumber: syz [ 123.684892][ T784] usb 1-1: config 0 descriptor?? [ 123.905037][ T3469] usb 1-1: USB disconnect, device number 5 [ 124.137607][ T3812] binder: 3810:3812 tried to acquire reference to desc 0, got 1 instead [ 124.147700][ T3812] binder: 3810:3812 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 124.148082][ T3812] binder: 3812 RLIMIT_NICE not set [ 124.168640][ T3812] binder: undelivered transaction 7, put_user failed [ 124.169515][ T3812] binder: 3810:3812 ioctl c0306201 20000680 returned -14 [ 124.185260][ T3469] binder: undelivered TRANSACTION_COMPLETE [ 126.089953][ T3832] netlink: 4 bytes leftover after parsing attributes in process `syz.0.142'. [ 126.211919][ T3832] hsr_slave_1 (unregistering): left promiscuous mode [ 127.134499][ T3843] binder: 3842:3843 tried to acquire reference to desc 0, got 1 instead [ 127.146129][ T3843] binder: 3842:3843 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 127.148164][ T3843] binder: 3843 RLIMIT_NICE not set [ 127.158150][ T3843] binder: 3843 RLIMIT_NICE not set [ 127.166962][ T3843] binder: 3843 RLIMIT_NICE not set [ 127.195096][ T3465] binder: undelivered TRANSACTION_COMPLETE [ 127.772072][ T3803] udevd[3803]: setting mode of /dev/gsmtty13 to 020600 failed: No such file or directory [ 127.773064][ T3803] udevd[3803]: setting owner of /dev/gsmtty13 to uid=0, gid=0 failed: No such file or directory [ 129.490732][ T3865] binder: 3864:3865 got transaction to invalid handle, 1 [ 129.491147][ T3865] binder: 3864:3865 cannot find target node [ 129.494617][ T3865] binder: 3864:3865 transaction call to 0:0 failed 14/29201/-22, code 0 size 0-0 line 3232 [ 129.501897][ T3469] binder: undelivered TRANSACTION_ERROR: 29201 [ 139.500759][ T4020] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 139.502134][ T4020] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 140.348515][ T4044] xt_SECMARK: only valid in 'mangle' or 'security' table, not 'raw' [ 140.921576][ T30] audit: type=1326 audit(140.760:2): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4051 comm="syz.1.234" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffaa95c3e8 code=0x7ffc0000 [ 140.922017][ T30] audit: type=1326 audit(140.760:3): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4051 comm="syz.1.234" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffaa95c3e8 code=0x7ffc0000 [ 140.922884][ T30] audit: type=1326 audit(140.760:4): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4051 comm="syz.1.234" exe="/syz-executor" sig=0 arch=c00000b7 syscall=280 compat=0 ip=0xffffaa95c3e8 code=0x7ffc0000 [ 140.922979][ T30] audit: type=1326 audit(140.760:5): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4051 comm="syz.1.234" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffaa95c3e8 code=0x7ffc0000 [ 140.942809][ T30] audit: type=1326 audit(140.790:6): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4051 comm="syz.1.234" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffaa95c3e8 code=0x7ffc0000 [ 140.952968][ T30] audit: type=1326 audit(140.790:7): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4051 comm="syz.1.234" exe="/syz-executor" sig=0 arch=c00000b7 syscall=280 compat=0 ip=0xffffaa95c3e8 code=0x7ffc0000 [ 140.953393][ T30] audit: type=1326 audit(140.790:8): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4051 comm="syz.1.234" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffaa95c3e8 code=0x7ffc0000 [ 140.953802][ T30] audit: type=1326 audit(140.790:9): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4051 comm="syz.1.234" exe="/syz-executor" sig=0 arch=c00000b7 syscall=280 compat=0 ip=0xffffaa95c3e8 code=0x7ffc0000 [ 140.962510][ T30] audit: type=1326 audit(140.800:10): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4051 comm="syz.1.234" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffaa95c3e8 code=0x7ffc0000 [ 140.963407][ T30] audit: type=1326 audit(140.810:11): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4051 comm="syz.1.234" exe="/syz-executor" sig=0 arch=c00000b7 syscall=280 compat=0 ip=0xffffaa95c3e8 code=0x7ffc0000 [ 141.048740][ T4055] netlink: 'syz.0.235': attribute type 12 has an invalid length. [ 141.381872][ T4064] netlink: 'syz.1.239': attribute type 4 has an invalid length. [ 141.385070][ T4064] netlink: 152 bytes leftover after parsing attributes in process `syz.1.239'. [ 141.395724][ T4064] .`: renamed from dummy0 (while UP) [ 141.424881][ T4065] netlink: 52 bytes leftover after parsing attributes in process `syz.0.240'. [ 141.513806][ T4065] netlink: 4 bytes leftover after parsing attributes in process `syz.0.240'. [ 142.018331][ T4081] syz.1.248 calls setitimer() with new_value NULL pointer. Misfeature support will be removed [ 143.028712][ T4095] netlink: 12 bytes leftover after parsing attributes in process `syz.0.255'. [ 143.353836][ T4101] md: async del_gendisk mode will be removed in future, please upgrade to mdadm-4.5+ [ 144.843230][ T4134] netlink: 4 bytes leftover after parsing attributes in process `syz.0.269'. [ 144.894414][ T4134] netlink: 4 bytes leftover after parsing attributes in process `syz.0.269'. [ 145.098954][ T3464] hid_parser_main: 5 callbacks suppressed [ 145.103666][ T3464] hid-generic 0003:0004:0000.0003: unknown main item tag 0x0 [ 145.105827][ T3464] hid-generic 0003:0004:0000.0003: unknown main item tag 0x0 [ 145.111655][ T3464] hid-generic 0003:0004:0000.0003: unknown main item tag 0x0 [ 145.116783][ T3464] hid-generic 0003:0004:0000.0003: unknown main item tag 0x0 [ 145.121180][ T3464] hid-generic 0003:0004:0000.0003: unknown main item tag 0x0 [ 145.126035][ T4115] netlink: 4 bytes leftover after parsing attributes in process `gtp'. [ 145.128339][ T3464] hid-generic 0003:0004:0000.0003: unknown main item tag 0x0 [ 145.131399][ T3464] hid-generic 0003:0004:0000.0003: unknown main item tag 0x0 [ 145.133094][ T3464] hid-generic 0003:0004:0000.0003: unknown main item tag 0x0 [ 145.134549][ T3464] hid-generic 0003:0004:0000.0003: unknown main item tag 0x0 [ 145.141564][ T3464] hid-generic 0003:0004:0000.0003: unknown main item tag 0x0 [ 145.150685][ T3464] hid-generic 0003:0004:0000.0003: hidraw0: USB HID v0.00 Device [syz0] on syz1 [ 147.301458][ T4155] netlink: 4 bytes leftover after parsing attributes in process `syz.0.275'. [ 150.425892][ T4160] mmap: syz.1.277 (4160) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst. [ 155.408033][ T4169] netlink: 4 bytes leftover after parsing attributes in process `syz.1.280'. [ 158.106980][ T4184] netlink: 12 bytes leftover after parsing attributes in process `syz.1.285'. [ 158.254802][ T4186] process 'syz.1.286' launched '/dev/fd/4' with NULL argv: empty string added [ 158.400133][ T30] kauditd_printk_skb: 14 callbacks suppressed [ 158.403018][ T30] audit: type=1326 audit(158.240:26): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4187 comm="syz.0.287" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff9435c3e8 code=0x7ffc0000 [ 158.408794][ T30] audit: type=1326 audit(158.240:27): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4187 comm="syz.0.287" exe="/syz-executor" sig=0 arch=c00000b7 syscall=228 compat=0 ip=0xffff9435c3e8 code=0x7ffc0000 [ 158.594691][ T30] audit: type=1326 audit(158.440:28): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4187 comm="syz.0.287" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff9435c3e8 code=0x7ffc0000 [ 158.600151][ T30] audit: type=1326 audit(158.440:29): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4187 comm="syz.0.287" exe="/syz-executor" sig=0 arch=c00000b7 syscall=180 compat=0 ip=0xffff9435c3e8 code=0x7ffc0000 [ 158.606212][ T30] audit: type=1326 audit(158.450:30): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4187 comm="syz.0.287" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff9435c3e8 code=0x7ffc0000 [ 158.611126][ T30] audit: type=1326 audit(158.460:31): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4187 comm="syz.0.287" exe="/syz-executor" sig=0 arch=c00000b7 syscall=183 compat=0 ip=0xffff9435c3e8 code=0x7ffc0000 [ 159.423212][ T1173] ================================================================== [ 159.427192][ T1173] BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc [ 159.429347][ T1173] Write at addr fbf00000090d7ea0 by task kworker/u8:7/1173 [ 159.430005][ T1173] Pointer tag: [fb], memory tag: [fe] [ 159.430084][ T1173] [ 159.431027][ T1173] CPU: 1 UID: 0 PID: 1173 Comm: kworker/u8:7 Not tainted syzkaller #0 PREEMPT [ 159.431367][ T1173] Hardware name: linux,dummy-virt (DT) [ 159.431793][ T1173] Workqueue: events_unbound bpf_map_free_deferred [ 159.433288][ T1173] Call trace: [ 159.433627][ T1173] show_stack+0x18/0x24 (C) [ 159.433953][ T1173] dump_stack_lvl+0x78/0x90 [ 159.434065][ T1173] print_report+0x108/0x61c [ 159.434117][ T1173] kasan_report+0x88/0xac [ 159.434161][ T1173] __do_kernel_fault+0x170/0x1c8 [ 159.434212][ T1173] do_bad_area+0x68/0x78 [ 159.434258][ T1173] do_tag_check_fault+0x34/0x44 [ 159.434305][ T1173] do_mem_abort+0x44/0x94 [ 159.434351][ T1173] el1_abort+0x44/0x68 [ 159.434400][ T1173] el1h_64_sync_handler+0x50/0xac [ 159.434448][ T1173] el1h_64_sync+0x6c/0x70 [ 159.434595][ T1173] defer_free+0x3c/0xbc (P) [ 159.434660][ T1173] kfree_nolock+0x1a0/0x1d4 [ 159.434709][ T1173] range_tree_destroy+0x74/0x90 [ 159.434762][ T1173] arena_map_free+0x64/0x90 [ 159.434857][ T1173] bpf_map_free_deferred+0x70/0x180 [ 159.434909][ T1173] process_one_work+0x178/0x2cc [ 159.434957][ T1173] worker_thread+0x24c/0x354 [ 159.434999][ T1173] kthread+0x130/0x1fc [ 159.435078][ T1173] ret_from_fork+0x10/0x20 [ 159.435389][ T1173] [ 159.435458][ T1173] Allocated by task 4196: [ 159.435740][ T1173] kasan_save_stack+0x3c/0x64 [ 159.436000][ T1173] save_stack_info+0x40/0x158 [ 159.436040][ T1173] kasan_save_alloc_info+0x14/0x20 [ 159.436073][ T1173] __kasan_kmalloc+0xb4/0xb8 [ 159.436104][ T1173] kmalloc_nolock_noprof+0x1dc/0x4fc [ 159.436141][ T1173] range_tree_set+0x644/0x778 [ 159.436178][ T1173] arena_map_alloc+0x11c/0x17c [ 159.436213][ T1173] map_create+0x19c/0xa98 [ 159.436248][ T1173] __sys_bpf+0x348/0x1a88 [ 159.436282][ T1173] __arm64_sys_bpf+0x24/0x34 [ 159.436318][ T1173] invoke_syscall+0x48/0x110 [ 159.436356][ T1173] el0_svc_common.constprop.0+0x40/0xe0 [ 159.436394][ T1173] do_el0_svc+0x1c/0x28 [ 159.436432][ T1173] el0_svc+0x34/0x128 [ 159.436469][ T1173] el0t_64_sync_handler+0xa0/0xe4 [ 159.436505][ T1173] el0t_64_sync+0x1a4/0x1a8 [ 159.436577][ T1173] [ 159.436620][ T1173] Freed by task 1173: [ 159.436675][ T1173] kasan_save_stack+0x3c/0x64 [ 159.436711][ T1173] save_stack_info+0x40/0x158 [ 159.436743][ T1173] kasan_save_free_info+0x18/0x24 [ 159.436774][ T1173] __kasan_slab_free+0x7c/0x8c [ 159.436807][ T1173] kfree_nolock+0xcc/0x1d4 [ 159.436842][ T1173] range_tree_destroy+0x74/0x90 [ 159.436877][ T1173] arena_map_free+0x64/0x90 [ 159.436911][ T1173] bpf_map_free_deferred+0x70/0x180 [ 159.436948][ T1173] process_one_work+0x178/0x2cc [ 159.436983][ T1173] worker_thread+0x24c/0x354 [ 159.437018][ T1173] kthread+0x130/0x1fc [ 159.437050][ T1173] ret_from_fork+0x10/0x20 [ 159.437096][ T1173] [ 159.437135][ T1173] The buggy address belongs to the object at fff00000090d7e80 [ 159.437135][ T1173] which belongs to the cache kmalloc-64 of size 64 [ 159.437274][ T1173] The buggy address is located 32 bytes inside of [ 159.437274][ T1173] 64-byte region [fff00000090d7e80, fff00000090d7ec0) SYZFAIL: failed to recv rpc [ 159.437325][ T1173] [ 159.437534][ T1173] The buggy address belongs to the physical page: [ 159.438004][ T1173] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x490d7 [ 159.438371][ T1173] anon flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0) [ 159.438813][ T1173] page_type: f5(slab) [ 159.439393][ T1173] raw: 01ffc00000000000 f5f0000003001600 0000000000000000 dead000000000001 [ 159.439630][ T1173] raw: 0000000000000000 0000000000400040 00000000f5000000 0000000000000000 [ 159.439774][ T1173] page dumped because: kasan: bad access detected [ 159.439881][ T1173] [ 159.439920][ T1173] Memory state around the buggy address: [ 159.440201][ T1173] fff00000090d7c00: fb fb fb fb f4 f4 f4 f4 f3 f3 f3 fe fd fd fd fd [ 159.440298][ T1173] fff00000090d7d00: f7 f7 f7 f7 f4 f4 f4 fe f2 f2 f2 f2 f2 f2 f2 fe [ 159.440357][ T1173] >fff00000090d7e00: fc fc fc fc f7 f7 f7 f7 fe fe fe fe f3 f3 f3 f3 [ 159.440456][ T1173] ^ [ 159.440576][ T1173] fff00000090d7f00: f5 f5 f5 f5 f3 f3 f3 f3 fa fa fa fa f5 f5 f5 f5 [ 159.440611][ T1173] fff00000090d8000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 159.440696][ T1173] ================================================================== [ 159.442377][ T1173] Disabling lock debugging due to kernel taint fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 160.221613][ T1173] netdevsim netdevsim1 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 160.307068][ T1173] netdevsim netdevsim1 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 160.363647][ T1173] netdevsim netdevsim1 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 160.444279][ T1173] netdevsim netdevsim1 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 161.048902][ T1173] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 161.100745][ T1173] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 161.146136][ T1173] bond0 (unregistering): Released all slaves [ 161.239126][ T1173] hsr_slave_0: left promiscuous mode [ 161.244050][ T1173] hsr_slave_1: left promiscuous mode [ 161.258090][ T1173] veth1_macvtap: left promiscuous mode [ 161.258556][ T1173] veth0_macvtap: left promiscuous mode [ 161.259079][ T1173] veth1_vlan: left promiscuous mode [ 161.261875][ T1173] veth0_vlan: left promiscuous mode VM DIAGNOSIS: 02:54:55 Registers: info registers vcpu 0 CPU#0 PC=ffff800080756158 X00=faf0000006a0d320 X01=0000000000000000 X02=f7f0000004c3bb9c X03=ffff800082d7c948 X04=f8f0000010936a00 X05=f4f0000010936a3f X06=f4f0000010936ac0 X07=0000000000000000 X08=ffff800082deb790 X09=0000000000002820 X10=ffff800082debd78 X11=000000000000005a X12=ffff800082a01290 X13=0000000000000000 X14=0000000000000276 X15=0000000000000000 X16=ffff800082de8000 X17=fff07ffffcef4000 X18=0000000000000000 X19=ffff800080171f78 X20=ffff800082deb750 X21=f5f0000004d09080 X22=0000000000000000 X23=aa8f800080172170 X24=0000000000000000 X25=0000000000000001 X26=00000000000000e8 X27=f6f000000329d500 X28=f1f000000b84e010 X29=ffff800082deb640 X30=ffff800081b83878 SP=ffff800082deb640 PSTATE=60402009 -ZC- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000 P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000 P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000 P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000 FFR=0000000000000000 Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:2525252525252525:2525252525252525 Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:65642f000a732520:7325207334362e25 Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:6665645f65657266:5f70616d5f667062 Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:000000ff0000ff00:00ff0000000000ff Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:000f00f00f00000f Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:70616d5f66706220:646e756f626e755f Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:6d6d6f4320333731:31203a4449502030 Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:4e20373a38752f72:656b726f776b203a Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffd1ec2b20:0000ffffd1ec2b20 Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffd1ec2af0 Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff8000801416c8 X00=ffff800082a2f208 X01=00000000ffffe3c7 X02=ffff8000831ebc00 X03=ffff8000831ebb60 X04=0000000000000000 X05=ffff800082a43e70 X06=0000000000014c68 X07=ffff800082a2f188 X08=80000000ffffe3c7 X09=0000000000005aa8 X10=fffffffffffd0498 X11=fffffffffffd04c0 X12=ffff800082adf208 X13=ffff8000831ebc00 X14=00000000000003c7 X15=ffff8000831eba00 X16=ffff800082df0000 X17=fff07ffffcf0d000 X18=00000000ffffffff X19=00000000000003c7 X20=00000000ffffe3c7 X21=ffff8000831ebc38 X22=ffff8000831ebc90 X23=00000000000003c7 X24=ffff800082a2f188 X25=ffff800082a2f208 X26=0000000000000001 X27=0000000000000000 X28=0000000000000b55 X29=ffff8000831ebb50 X30=ffff80008014173c SP=ffff8000831ebb50 PSTATE=814020c9 N--- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000 P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000 P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000 P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000 FFR=0000000000000000 Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:00d000a800000000:0000000030303031 Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ff00ff00ffffffff:ffffffff00000000 Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:f0f0ffffffff0000 Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffffff00000000:ff00000000000000 Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffff0000f0000000 Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000001:0000000000000002 Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:6edc4d3a2914b135:d8e9c869e2695c88 Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:b20fae707afde253:388e9c6c4fa85ca0 Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffc796a470:0000ffffc796a470 Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffc796a440 Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000