program:
# Syzkaller reproducer, one call per line. Calls are kept exactly as reported;
# only the comments are new. The console log that follows shows the outcome:
# "refcount_t: decrement hit 0; leaking memory." raised from
# ax25_device_event -> ref_tracker_free, then a panic because panic_on_warn is set.

# TUN setup: 0xffffffffffffff9c is AT_FDCWD. The path buffer contents are not
# shown in this listing (presumably /dev/net/tun, per the call variant; confirm).
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000080)={'pimreg0\x00', 0x7c2})
# Attaches a 5-entry socket filter to the TUN fd.
ioctl$TUNATTACHFILTER(r0, 0x401054d5, &(0x7f0000000040)={0x5, &(0x7f0000000000)=[{0x4d, 0x1, 0x3}, {0x61}, {0x0, 0x0, 0x0, 0x3ff}, {}, {0x6}]})
r1 = openat$tun(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
# fd argument is 0xffffffffffffffff (-1), so this call should fail on the bad
# descriptor and is probably fuzzer noise rather than part of the trigger.
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000000)=@newqdisc={0x24, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {}, {0xffff, 0xffff}}}, 0x24}}, 0x0)
ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f0000000080)={'pimreg0\x00', 0x7c2})
# NOTE(review): r2 is used further down but is never assigned in this text.
# The result annotation on this socketpair output was probably lost in
# extraction; check the original reproducer before replaying.
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff})
# AX.25 socket used by the SIOCADDRT and connect calls below.
r3 = syz_init_net_socket$ax25(0x3, 0x2, 0x7)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_GET(r4, &(0x7f0000000400)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000200)={0x30, 0x1, 0x1, 0x301, 0x0, 0x0, {0xa}, [@CTA_FILTER={0xc, 0x19, 0x0, 0x1, [@CTA_FILTER_REPLY_FLAGS={0x8, 0x2, 0x808}]}, @CTA_TUPLE_REPLY={0x10, 0x2, 0x0, 0x1, [@CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5, 0x1, 0x3a}}]}]}, 0x30}}, 0x0)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r5 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
# fd is -1 again, so the bind to bpq0 should not take effect.
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
# 0x8914 is SIOCSIFFLAGS; the ifreq contents are not shown in this listing.
ioctl$sock_netdev_private(r5, 0x8914, &(0x7f0000000000))
r6 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r6, &(0x7f0000001800)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000000c0)=ANY=[@ANYBLOB="1400000015000174000000000c00000000010000"], 0x14}}, 0x0)
ioctl$sock_ax25_SIOCADDRT(r3, 0x890b, &(0x7f00000000c0)={@default, @default, 0x2, [@default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]})
# Socket that carries the final ioctl.
r7 = syz_init_net_socket$x25(0x9, 0x5, 0x0)
# Connect on the AX.25 socket without a prior bind. The log line
# "ax25_connect(): syz.0.0 uses autobind" confirms this call reached ax25_connect().
connect$ax25(r3, &(0x7f0000000240)={{0x3, @default}, [@bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @bcast, @default]}, 0x48)
ioctl$sock_ax25_SIOCADDRT(r3, 0x890b, &(0x7f00000001c0)={@default, @null, 0x7, [@remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @default, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @null, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]})
# Last call before the WARNING: 0x8990 is SIOCBONDENSLAVE, asking bond0 to
# enslave rose0. It matches the user-mode register dump in the log
# (ORIG_RAX 0x10 = ioctl, RSI 0x8990). The reliable (non-"?") frames read:
# bond_do_ioctl -> bond_enslave -> bond_setup_by_slave -> dev_close ->
# bpq_device_event -> dev_close -> ax25_device_event -> ref_tracker_free.
# Triage hint: check the device reference put on the AX.25 device-down path
# for a put with no matching hold; the log alone does not show which one.
ioctl$sock_ifreq(r7, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'})
[ 68.755097][ T5308] Bluetooth: hci0: command tx timeout [ 68.862719][ T5324] ax25_connect(): syz.0.0 uses autobind, please contact jreuter@yaina.de [ 68.891402][ T5324] ------------[ cut here ]------------ [ 68.894733][ T5324] refcount_t: decrement hit 0; leaking memory. [ 68.899250][ T5324] WARNING: CPU: 0 PID: 5324 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0 [ 68.903572][ T5324] Modules linked in: [ 68.905150][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.14.0-rc4-syzkaller-00278-gece144f151ac #0 [ 68.909445][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 68.914170][ T5324] RIP: 0010:refcount_warn_saturate+0xfa/0x1d0 [ 68.916827][ T5324] Code: b2 00 00 00 e8 07 79 cc fc 5b 5d c3 cc cc cc cc e8 fb 78 cc fc c6 05 bb c5 31 0b 01 90 48 c7 c7 00 a6 80 8c e8 67 35 8c fc 90 <0f> 0b 90 90 eb d9 e8 db 78 cc fc c6 05 98 c5 31 0b 01 90 48 c7 c7 [ 68.925013][ T5324] RSP: 0018:ffffc9000d33f0e8 EFLAGS: 00010246 [ 68.927535][ T5324] RAX: 6b61f6f14c517d00 RBX: ffff88801269264c RCX: 0000000000100000 [ 68.931186][ T5324] RDX: ffffc9000e0ea000 RSI: 0000000000005060 RDI: 0000000000005061 [ 68.935396][ T5324] RBP: 0000000000000004 R08: ffffffff81817e32 R09: 1ffff11003f8519a [ 68.938783][ T5324] R10: dffffc0000000000 R11: ffffed1003f8519b R12: ffff888012692608 [ 68.942028][ 
T5324] R13: 0000000000000000 R14: ffff88801269264c R15: dffffc0000000000 [ 68.945231][ T5324] FS: 00007ff4c282b6c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 68.949170][ T5324] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 68.952636][ T5324] CR2: 00007f6c0b09f270 CR3: 000000003efa6000 CR4: 0000000000352ef0 [ 68.956083][ T5324] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 68.959005][ T5324] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 68.962187][ T5324] Call Trace: [ 68.963667][ T5324] [ 68.965018][ T5324] ? __warn+0x165/0x4d0 [ 68.966949][ T5324] ? refcount_warn_saturate+0xfa/0x1d0 [ 68.969299][ T5324] ? report_bug+0x2b3/0x500 [ 68.971267][ T5324] ? refcount_warn_saturate+0xfa/0x1d0 [ 68.973513][ T5324] ? handle_bug+0x60/0x90 [ 68.975234][ T5324] ? exc_invalid_op+0x1a/0x50 [ 68.977394][ T5324] ? asm_exc_invalid_op+0x1a/0x20 [ 68.979578][ T5324] ? __warn_printk+0x292/0x360 [ 68.981855][ T5324] ? refcount_warn_saturate+0xfa/0x1d0 [ 68.983876][ T5324] ? refcount_warn_saturate+0xf9/0x1d0 [ 68.985891][ T5324] ref_tracker_free+0x6af/0x7e0 [ 68.987733][ T5324] ? __pfx_ref_tracker_free+0x10/0x10 [ 68.990020][ T5324] ? ax25_disconnect+0x1b3/0x3d0 [ 68.992046][ T5324] ? _raw_spin_unlock+0x28/0x50 [ 68.994059][ T5324] ? ax25_disconnect+0x34a/0x3d0 [ 68.996189][ T5324] ax25_device_event+0x334/0x600 [ 68.998451][ T5324] notifier_call_chain+0x1a5/0x3f0 [ 69.000939][ T5324] dev_close_many+0x33c/0x4c0 [ 69.002753][ T5324] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 69.005114][ T5324] ? __pfx_dev_close_many+0x10/0x10 [ 69.007128][ T5324] ? bond_netdev_event+0x161/0xf20 [ 69.009079][ T5324] dev_close+0x1c0/0x2c0 [ 69.011146][ T5324] ? __pfx_dev_close+0x10/0x10 [ 69.013623][ T5324] ? __asan_memset+0x23/0x50 [ 69.016139][ T5324] bpq_device_event+0x372/0x8d0 [ 69.018464][ T5324] ? 
lockdep_rtnl_is_held+0x26/0x40 [ 69.020688][ T5324] notifier_call_chain+0x1a5/0x3f0 [ 69.023108][ T5324] dev_close_many+0x33c/0x4c0 [ 69.025220][ T5324] ? mark_lock+0x9a/0x360 [ 69.027338][ T5324] ? __pfx_dev_close_many+0x10/0x10 [ 69.029442][ T5324] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 69.031844][ T5324] dev_close+0x1c0/0x2c0 [ 69.033761][ T5324] ? __pfx_dev_close+0x10/0x10 [ 69.036292][ T5324] ? __local_bh_enable_ip+0x168/0x200 [ 69.039047][ T5324] ? bond_enslave+0x6b0/0x3910 [ 69.041033][ T5324] bond_setup_by_slave+0x64/0x420 [ 69.042857][ T5324] bond_enslave+0x7b9/0x3910 [ 69.044637][ T5324] ? mark_lock+0x9a/0x360 [ 69.046341][ T5324] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 69.048951][ T5324] ? aa_get_newest_label+0xff/0x6f0 [ 69.051558][ T5324] ? __pfx_bond_enslave+0x10/0x10 [ 69.053509][ T5324] ? apparmor_capable+0x13b/0x1b0 [ 69.055530][ T5324] ? full_name_hash+0x93/0xe0 [ 69.057580][ T5324] bond_do_ioctl+0x7c3/0xc00 [ 69.059734][ T5324] ? __pfx_bond_do_ioctl+0x10/0x10 [ 69.062495][ T5324] ? rcu_is_watching+0x15/0xb0 [ 69.064674][ T5324] ? full_name_hash+0x93/0xe0 [ 69.066631][ T5324] dev_ifsioc+0xb6d/0xe70 [ 69.068250][ T5324] ? __pfx_dev_ifsioc+0x10/0x10 [ 69.070318][ T5324] ? dev_load+0x21/0x1f0 [ 69.071988][ T5324] dev_ioctl+0x719/0x1340 [ 69.073576][ T5324] sock_do_ioctl+0x240/0x460 [ 69.075465][ T5324] ? __pfx_sock_do_ioctl+0x10/0x10 [ 69.077794][ T5324] sock_ioctl+0x626/0x8e0 [ 69.080242][ T5324] ? __pfx_sock_ioctl+0x10/0x10 [ 69.082346][ T5324] ? __fget_files+0x2a/0x410 [ 69.084304][ T5324] ? __fget_files+0x2a/0x410 [ 69.086205][ T5324] ? __pfx_sock_ioctl+0x10/0x10 [ 69.088066][ T5324] __se_sys_ioctl+0xf5/0x170 [ 69.090216][ T5324] do_syscall_64+0xf3/0x230 [ 69.092112][ T5324] ? 
clear_bhb_loop+0x35/0x90 [ 69.094319][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 69.097490][ T5324] RIP: 0033:0x7ff4c198d169 [ 69.099797][ T5324] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 69.107446][ T5324] RSP: 002b:00007ff4c282b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 69.110703][ T5324] RAX: ffffffffffffffda RBX: 00007ff4c1ba5fa0 RCX: 00007ff4c198d169 [ 69.114196][ T5324] RDX: 0000400000000180 RSI: 0000000000008990 RDI: 000000000000000c [ 69.117314][ T5324] RBP: 00007ff4c1a0e2a0 R08: 0000000000000000 R09: 0000000000000000 [ 69.120927][ T5324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 69.124633][ T5324] R13: 0000000000000000 R14: 00007ff4c1ba5fa0 R15: 00007ffff5c5a528 [ 69.128278][ T5324] [ 69.129589][ T5324] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 69.132600][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.14.0-rc4-syzkaller-00278-gece144f151ac #0 [ 69.136785][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 69.140958][ T5324] Call Trace: [ 69.142406][ T5324] [ 69.143792][ T5324] dump_stack_lvl+0x241/0x360 [ 69.146284][ T5324] ? __pfx_dump_stack_lvl+0x10/0x10 [ 69.149004][ T5324] ? __pfx__printk+0x10/0x10 [ 69.151262][ T5324] ? _printk+0xd5/0x120 [ 69.152921][ T5324] ? __init_begin+0x41000/0x41000 [ 69.154896][ T5324] ? vscnprintf+0x5d/0x90 [ 69.156551][ T5324] panic+0x349/0x880 [ 69.158017][ T5324] ? __warn+0x174/0x4d0 [ 69.159780][ T5324] ? __pfx_panic+0x10/0x10 [ 69.161593][ T5324] __warn+0x344/0x4d0 [ 69.163189][ T5324] ? refcount_warn_saturate+0xfa/0x1d0 [ 69.165400][ T5324] report_bug+0x2b3/0x500 [ 69.167369][ T5324] ? 
refcount_warn_saturate+0xfa/0x1d0 [ 69.169760][ T5324] handle_bug+0x60/0x90 [ 69.171732][ T5324] exc_invalid_op+0x1a/0x50 [ 69.173771][ T5324] asm_exc_invalid_op+0x1a/0x20 [ 69.175946][ T5324] RIP: 0010:refcount_warn_saturate+0xfa/0x1d0 [ 69.178611][ T5324] Code: b2 00 00 00 e8 07 79 cc fc 5b 5d c3 cc cc cc cc e8 fb 78 cc fc c6 05 bb c5 31 0b 01 90 48 c7 c7 00 a6 80 8c e8 67 35 8c fc 90 <0f> 0b 90 90 eb d9 e8 db 78 cc fc c6 05 98 c5 31 0b 01 90 48 c7 c7 [ 69.187325][ T5324] RSP: 0018:ffffc9000d33f0e8 EFLAGS: 00010246 [ 69.189710][ T5324] RAX: 6b61f6f14c517d00 RBX: ffff88801269264c RCX: 0000000000100000 [ 69.192799][ T5324] RDX: ffffc9000e0ea000 RSI: 0000000000005060 RDI: 0000000000005061 [ 69.195773][ T5324] RBP: 0000000000000004 R08: ffffffff81817e32 R09: 1ffff11003f8519a [ 69.199997][ T5324] R10: dffffc0000000000 R11: ffffed1003f8519b R12: ffff888012692608 [ 69.203818][ T5324] R13: 0000000000000000 R14: ffff88801269264c R15: dffffc0000000000 [ 69.206814][ T5324] ? __warn_printk+0x292/0x360 [ 69.208688][ T5324] ? refcount_warn_saturate+0xf9/0x1d0 [ 69.211150][ T5324] ref_tracker_free+0x6af/0x7e0 [ 69.213596][ T5324] ? __pfx_ref_tracker_free+0x10/0x10 [ 69.215766][ T5324] ? ax25_disconnect+0x1b3/0x3d0 [ 69.217978][ T5324] ? _raw_spin_unlock+0x28/0x50 [ 69.220179][ T5324] ? ax25_disconnect+0x34a/0x3d0 [ 69.222219][ T5324] ax25_device_event+0x334/0x600 [ 69.223991][ T5324] notifier_call_chain+0x1a5/0x3f0 [ 69.225922][ T5324] dev_close_many+0x33c/0x4c0 [ 69.227805][ T5324] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 69.230540][ T5324] ? __pfx_dev_close_many+0x10/0x10 [ 69.233239][ T5324] ? bond_netdev_event+0x161/0xf20 [ 69.235668][ T5324] dev_close+0x1c0/0x2c0 [ 69.237368][ T5324] ? __pfx_dev_close+0x10/0x10 [ 69.239208][ T5324] ? __asan_memset+0x23/0x50 [ 69.240948][ T5324] bpq_device_event+0x372/0x8d0 [ 69.242816][ T5324] ? 
lockdep_rtnl_is_held+0x26/0x40 [ 69.244873][ T5324] notifier_call_chain+0x1a5/0x3f0 [ 69.246884][ T5324] dev_close_many+0x33c/0x4c0 [ 69.249608][ T5324] ? mark_lock+0x9a/0x360 [ 69.252554][ T5324] ? __pfx_dev_close_many+0x10/0x10 [ 69.254978][ T5324] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 69.257728][ T5324] dev_close+0x1c0/0x2c0 [ 69.259407][ T5324] ? __pfx_dev_close+0x10/0x10 [ 69.261290][ T5324] ? __local_bh_enable_ip+0x168/0x200 [ 69.263411][ T5324] ? bond_enslave+0x6b0/0x3910 [ 69.265323][ T5324] bond_setup_by_slave+0x64/0x420 [ 69.267418][ T5324] bond_enslave+0x7b9/0x3910 [ 69.269291][ T5324] ? mark_lock+0x9a/0x360 [ 69.270959][ T5324] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 69.273684][ T5324] ? aa_get_newest_label+0xff/0x6f0 [ 69.276015][ T5324] ? __pfx_bond_enslave+0x10/0x10 [ 69.278331][ T5324] ? apparmor_capable+0x13b/0x1b0 [ 69.280167][ T5324] ? full_name_hash+0x93/0xe0 [ 69.282057][ T5324] bond_do_ioctl+0x7c3/0xc00 [ 69.283806][ T5324] ? __pfx_bond_do_ioctl+0x10/0x10 [ 69.285787][ T5324] ? rcu_is_watching+0x15/0xb0 [ 69.288158][ T5324] ? full_name_hash+0x93/0xe0 [ 69.290527][ T5324] dev_ifsioc+0xb6d/0xe70 [ 69.292360][ T5324] ? __pfx_dev_ifsioc+0x10/0x10 [ 69.294352][ T5324] ? dev_load+0x21/0x1f0 [ 69.295960][ T5324] dev_ioctl+0x719/0x1340 [ 69.297681][ T5324] sock_do_ioctl+0x240/0x460 [ 69.299575][ T5324] ? __pfx_sock_do_ioctl+0x10/0x10 [ 69.301546][ T5324] sock_ioctl+0x626/0x8e0 [ 69.303396][ T5324] ? __pfx_sock_ioctl+0x10/0x10 [ 69.305806][ T5324] ? __fget_files+0x2a/0x410 [ 69.308105][ T5324] ? __fget_files+0x2a/0x410 [ 69.309883][ T5324] ? __pfx_sock_ioctl+0x10/0x10 [ 69.311711][ T5324] __se_sys_ioctl+0xf5/0x170 [ 69.313554][ T5324] do_syscall_64+0xf3/0x230 [ 69.315446][ T5324] ? 
clear_bhb_loop+0x35/0x90 [ 69.317466][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 69.320040][ T5324] RIP: 0033:0x7ff4c198d169 [ 69.322062][ T5324] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 69.329223][ T5324] RSP: 002b:00007ff4c282b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 69.332626][ T5324] RAX: ffffffffffffffda RBX: 00007ff4c1ba5fa0 RCX: 00007ff4c198d169 [ 69.336193][ T5324] RDX: 0000400000000180 RSI: 0000000000008990 RDI: 000000000000000c [ 69.339564][ T5324] RBP: 00007ff4c1a0e2a0 R08: 0000000000000000 R09: 0000000000000000 [ 69.342918][ T5324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 69.346232][ T5324] R13: 0000000000000000 R14: 00007ff4c1ba5fa0 R15: 00007ffff5c5a528 [ 69.349856][ T5324] [ 69.351498][ T5324] Kernel Offset: disabled [ 69.353184][ T5324] Rebooting in 86400 seconds..