last executing test programs: 2.591340867s ago: executing program 2 (id=164): r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$auto_nl802154(&(0x7f0000000180), r0) close_range$auto(0x2, 0x8, 0x0) socket(0x29, 0x2, 0x0) socket(0x10, 0x2, 0x0) sendmsg$auto_NL802154_CMD_SET_WPAN_PHY_NETNS(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000200)={0x24, r1, 0x1, 0x70bd2d, 0x25dfdbff, {}, [@NL802154_ATTR_IFINDEX={0x8}, @NL802154_ATTR_WPAN_PHY={0x8, 0x1, 0x6}]}, 0x24}, 0x1, 0x0, 0x0, 0x4000c00}, 0x4000000) 2.4253347s ago: executing program 3 (id=165): mmap$auto(0x0, 0x400009, 0xdf, 0x9b72, 0x2, 0x8000) r0 = openat$auto_proc_clear_refs_operations_internal(0xffffffffffffff9c, &(0x7f0000000600)='/proc/self/clear_refs\x00', 0x2, 0x0) r1 = socket(0x10, 0x2, 0x0) sendmsg$auto_NL80211_CMD_GET_REG(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000300)=ANY=[@ANYBLOB=' \x00\x00\x00', @ANYBLOB="1200", @ANYBLOB=']'], 0x1ac}}, 0x40000) recvmmsg$auto(r1, &(0x7f0000000140)={{0x0, 0x1, &(0x7f0000000080)={0x0, 0x400}, 0x5, 0x0, 0x200002, 0x8}, 0x803}, 0xfffffff9, 0x10, 0x0) write$auto_proc_clear_refs_operations_internal(r0, 0x0, 0xffffff4b) 2.356150314s ago: executing program 2 (id=166): socket(0x10, 0x2, 0x0) mmap$auto(0x0, 0x2000a, 0x10000000000df, 0xeb2, 0x401, 0x8000) sendmsg$auto_HSR_C_GET_NODE_STATUS(0xffffffffffffffff, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000140)={0x6c, 0x0, 0x200, 0x70bd26, 0x25dfdbfe, {}, [@HSR_A_IF1_AGE={0x8, 0x3, 0x200}, @HSR_A_IF2_SEQ={0x6, 0x7, 0x8000}, @HSR_A_IFINDEX={0x8}, @HSR_A_NODE_ADDR_B={0xa}, @HSR_A_NODE_ADDR={0xa}, @HSR_A_NODE_ADDR={0xa}, @HSR_A_IF2_SEQ={0x6, 0x7, 0x5}, @HSR_A_IF1_AGE={0x8, 0x3, 0x5}, @HSR_A_NODE_ADDR={0xa}]}, 0x6c}, 0x1, 0x0, 0x0, 0x40080}, 0x40090) sendmsg$auto_NL80211_CMD_GET_REG(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000200)={0x0, 0x1ac}, 0x1, 0x0, 0x0, 0x4004810}, 0x800) sendmsg$auto_NL80211_CMD_GET_REG(0xffffffffffffffff, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000180)=ANY=[@ANYBLOB="72010000", @ANYBLOB="13"], 0x1ac}}, 0x4004) sendmmsg$auto(0x3, &(0x7f0000000080)={{0x0, 0x2, &(0x7f00000002c0)={0x0, 0xc4}, 0x1, 0x0, 0x0, 0x9}, 0x7}, 0x3, 0x0) 2.329548496s ago: executing program 1 (id=167): mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xfffffffffffffffa, 0x8000) waitid$auto_P_PIDFD(0x3, 0xffffffffffffffff, 0x0, 0x1, &(0x7f00000001c0)={{0xa748, 0x7}, {0x4, 0xc}, 0x5, 0x100000000, 0x9, 0x8b6e, 0xc, 0xffffffff, 0x932c, 0x8, 0x4, 0x6, 0x7fff, 0x6, 0x6, 0x3}) sendmsg$auto_NL80211_CMD_GET_REG(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000200)={0x0, 0x1ac}, 0x1, 0x0, 0x0, 0x4004810}, 0x800) r0 = socket(0x11, 0x3, 0x9) capset$auto(0x0, &(0x7f0000000000)={0x1, 0x6, 0x48}) sendmmsg$auto(r0, &(0x7f00000006c0)={{&(0x7f0000000000), 0x5ac, &(0x7f0000000100)={&(0x7f0000000200)='L', 0x49}, 0x5, 0x0, 0x5, 0x1}, 0x5}, 0x2, 0x100) 2.113370615s ago: executing program 1 (id=168): mmap$auto(0x0, 0x40009, 0xdf, 0x9b72, 0x7, 0x28000) process_vm_writev$auto(0x0, &(0x7f00000011c0)={&(0x7f00000001c0)="42777dd1330b458d0b5c44ca32e94fc00cfbce962ee7d8f31c0f90c327830f55adfdceafcc0f7b5a21ea23bdf5344d47d49d60218e57bb33118d04fdd37f5fd17f96a318132a5dd282784244bd58b9a0c8adc60d2f8535b3", 0x8}, 0x7, 0x0, 0x7, 0xb5) sendmsg$auto_TIPC_NL_LINK_SET(0xffffffffffffffff, &(0x7f0000002ac0)={0x0, 0x0, &(0x7f0000002a80)={&(0x7f0000000200)=ANY=[@ANYBLOB="18000000", @ANYRES16=0x0, @ANYBLOB="01000200000000006bbc9d65365cbf8013"], 0x18}, 0x1, 0x0, 0x0, 0x4000094}, 0x8080) r0 = socket(0x11, 0x3, 0x9) capset$auto(0x0, &(0x7f0000000000)={0x1, 0x6, 0x48}) sendmmsg$auto(r0, &(0x7f00000006c0)={{&(0x7f0000000000), 0x5ac, &(0x7f0000000100)={&(0x7f0000000200)="4c0300000000000000a3677337f9eca9075f6bba4416", 0x49}, 0x5, 0x0, 0x5, 0x1}, 0x5}, 0x2, 0x100) 2.063397158s ago: executing program 2 (id=169): mmap$auto(0x0, 0x8, 0x1000000004, 0x9b72, 0x2, 0x8000) socket$nl_generic(0x10, 0x3, 0x10) socket$nl_generic(0x10, 0x3, 0x10) socket$nl_generic(0x10, 0x3, 0x10) socket(0x2c, 0x3, 0x0) getsockopt$auto(0x6, 0x11b, 0x8, 0xfffffffffffffffd, 0x0) 1.87154245s ago: executing program 1 (id=170): mmap$auto(0x0, 0xe97f, 0xdf, 0xeb1, 0x401, 0x8000) socketpair$auto(0x1, 0x2, 0x8000000000000000, 0x0) mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000) sendmmsg$auto(0x3, 0x0, 0x3, 0x0) recvmmsg$auto(0x3, 0x0, 0x10000, 0x700, 0x0) connect$auto(0x4, 0x0, 0x10) 1.848547398s ago: executing program 2 (id=172): mmap$auto(0x0, 0x400005, 0x800000000000df, 0x9b72, 0x2, 0x8000) close_range$auto(0x2, 0x8, 0x0) r0 = openat$auto_kvm_chardev_ops_kvm_main(0xffffffffffffff9c, &(0x7f00000011c0), 0xe0180, 0x0) ioctl$auto_KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$auto(0x3, 0xae60, 0x10000000000402) ioctl$auto(0x3, 0x8208ae63, 0x38) 1.475778319s ago: executing program 1 (id=173): mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xfffffffffffffffa, 0x8000) r0 = socket(0x10, 0x2, 0x0) sendmsg$auto_ETHTOOL_MSG_DEBUG_SET(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={0x0}, 0x1, 0x0, 0x0, 0x2000000}, 0x4) sendmsg$auto_NL80211_CMD_GET_REG(r0, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000300)=ANY=[@ANYBLOB=' \x00\x00\x00', @ANYBLOB="1200", @ANYBLOB="5de1"], 0x1ac}}, 0x40000) recvmmsg$auto(r0, &(0x7f0000000140)={{0x0, 0xfffffffe, 0x0, 0x5, 0x0, 0x200002, 0x8}, 0x801}, 0xfffffff9, 0x10, 0x0) ioctl$auto(r0, 0x8946, 0x24) 1.384567734s ago: executing program 0 (id=174): mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xfffffffffffffffa, 0x8000) capget$auto(0x0, 0xfffffffffffffffe) capset$auto(0x0, &(0x7f0000000100)={0x1ff, 0xfff, 0x1000}) r0 = openat$auto_proc_iter_file_ops_compat_inode(0xffffffffffffff9c, &(0x7f0000000400)='/proc/tty/driver/serial\x00', 0x43102, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) sendfile$auto(r1, r0, 0x0, 0x8) 1.267792328s ago: executing program 3 (id=175): mmap$auto(0x0, 0x99c0, 0x4000000000df, 0xeb1, 0x401, 0x8000) close_range$auto(0x2, 0x8, 0x0) socket(0x2, 0x1, 0x84) r0 = socket(0xa, 0x3, 0xff) connect$auto(r0, &(0x7f00000018c0)=@generic={0xa}, 0x55) write$auto(0x3, 0x0, 0xfdef) 1.113675766s ago: executing program 3 (id=176): mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000) r0 = openat$auto_snd_pcm_oss_f_reg_pcm_oss(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x20342, 0x0) ioctl$auto_SNDCTL_DSP_SPEED(r0, 0xc0045002, 0x0) modify_ldt$auto(0x1, 0x0, 0x10) madvise$auto(0x0, 0x7fffffffffffffff, 0xa) clone$auto(0x21002, 0x9, 0xfffffffffffffffe, 0xfffffffffffffffd, 0x9) 1.086886662s ago: executing program 0 (id=177): openat$auto_tty_fops_tty_io(0xffffffffffffff9c, &(0x7f0000000000)='/dev/pts/ptmx\x00', 0x20540, 0x0) mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x40000000000a5, 0x8000) mknod$auto(&(0x7f0000000040)='\xfd\x90\x8f2\x14\x92\x00\xbf\xdf\xcf\x9a\xae}\xd9\xf95\xc5gV\x82\f\xe5h\xfe\x83\xe4\xbe\x8c\x1f\xa5\xf1_T\xde\xf7\xd4\x83D\x9eXS\xd6\x90T\xc1v\xad#\xc4q\x8b\xed2\xadW:0\xef\x9c.=\xba\x0fy\x8f\xcd\xd6\xde\xa9i\xec\xe8\xca\x9f\xf3\x82b\xa2y\xa87J\xfc \xc5\xd8\x80\xba\xaaV\x8f{\x1f\x1b\xb0\n\x97\\\xa7\xe3\xdf\xc29-*;#r\xc8\xd1\x14RcF\x87\xe4\x1c\x1fGL\xa5\x19\x90\xd6\x8d*\xe6\b(\x1a\xea\x95\xdc\xa6)5\xae&yAl\x1e\xe3j Lp\x91\r\xed%\xafZ\xf8w\xf2}\xcdGS\xce\xb9\xdck\x86\x00.6\xe6{\xc1\x00\x1bW5\x81\xda!\xcb.O\xa9\xf3\xa7\x88+\xb9\xf3\x9a7\xa4\xe6)<\xa79\xa4\x87\\\xb4\xbf\v\x03\x87\xac\x87r\x02\x05\xdb\xe4\xde,V\xb6G\xba.WR\xe2<~\xdd\xb2\xe53hj_;\xa5qm\x92\xc7P\xc9.\x82w8\x1f\xfcX\xe4\x14\xc72cC\xd3\x00'/263, 0x2, 0x8b) lstat$auto(&(0x7f0000000200)='\xfd\x90\x8f2\x14\x92\x00\xbf\xdf\xcf\x9a\xae}\xd9\xf95\xc5gV\x82\f\xe5h\xfe\x83\xe4\xbe\x8c\x1f\xa5\xf1_T\xde\xf7\xd4\x83D\x9eXS\xd6\x90T\xc1v\xad#\xc4q\x8b\xed2\xadW:0\xef\x9c.=\xba\x0fy\x8f\xcd\xd6\xde\xa9i\xec\xe8\xca\x9f\xf3\x82b\xa2y\xa87J\xfc \xc5\xd8\x80\xba\xaaV\x8f{\x1f\x1b\xb0\n\x97\\\xa7\xe3\xdf\xc29-*;#r\xc8\xd1\x14RcF\x87\xe4\x1c\x1fGL\xa5\x19\x90\xd6\x8d*\xe6\b(\x1a\xea\x95\xdc\xa6)5\xae&yAl\x1e\xe3j Lp\x91\r\xed%\xafZ\xf8w\xf2}\xcdGS\xce\xb9\xdck\x86\x00.6\xe6{\xc1\x00\x1bW5\x81\xda!\xcb.O\xa9\xf3\xa7\x88+\xb9\xf3\x9a7\xa4\xe6)<\xa79\xa4\x87\\\xb4\xbf\v\x03\x87\xac\x87r\x02\x05\xdb\xe4\xde,V\xb6G\xba.WR\xe2<~\xdd\xb2\xe53hj_;\xa5qm\x92\xc7P\xc9.\x82w8\x1f\xfcX\xe4\x14\xc72cC\xd3\x00', 0x0) ioctl$auto(0x3, 0x5420, 0x38) ioctl$auto(0x3, 0x5420, 0x38) 1.068136036s ago: executing program 2 (id=178): mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000) r0 = openat$auto_proc_fail_nth_operations_base(0xffffffffffffff9c, &(0x7f0000000000)='/proc/thread-self/fail-nth\x00', 0x802, 0x0) close_range$auto(0x2, 0x8, 0x0) r1 = openat$auto_bch_chardev_fops_chardev(0xffffffffffffff9c, &(0x7f0000000580), 0x400, 0x0) ioctl$auto_BCH_IOCTL_FSCK_OFFLINE(r1, 0x4018bc13, 0x0) writev$auto(r0, &(0x7f0000000200)={0x0, 0x3}, 0x3) 891.430028ms ago: executing program 0 (id=179): mmap$auto(0x0, 0xe983, 0xdf, 0xeb1, 0x401, 0x8000) socketpair$auto(0x1, 0x2, 0x8000000000000000, 0x0) sendmmsg$auto(0x3, 0x0, 0x9a6, 0x7000000) mmap$auto(0x0, 0x9, 0x3ff57697, 0x9b72, 0x2, 0x8000000000008000) connect$auto(0x3, 0x0, 0x54) connect$auto(0x4, 0x0, 0x10) 880.192009ms ago: executing program 3 (id=180): unshare$auto(0x40000080) socket(0x2, 0x801, 0x100) mmap$auto(0x0, 0x20009, 0x4000000000df, 0x40000000000eb1, 0x401, 0x8000) bind$auto(0x3, &(0x7f0000000100)=@in={0x2, 0x3, @empty}, 0x6a) connect$auto(0x3, &(0x7f0000000080)=@in={0x2, 0x3, @dev={0xac, 0x14, 0x14, 0x10}}, 0x54) recvmmsg$auto(0x3, 0x0, 0x10000, 0x700, 0x0) 560.264002ms ago: executing program 0 (id=181): r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$auto_ETHTOOL_MSG_CHANNELS_GET(r1, &(0x7f0000000380)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x400000}, 0xc, &(0x7f0000000340)={&(0x7f00000001c0)={0x14, 0x0, 0x4, 0x70bd28, 0x25dfdbfc}, 0x14}, 0x1, 0x0, 0x0, 0x4000000}, 0x80) syz_genetlink_get_family_id$auto_tipcv2(&(0x7f0000001bc0), r1) r2 = syz_genetlink_get_family_id$auto_net_shaper(&(0x7f0000004a80), r1) sendmsg$auto_NET_SHAPER_CMD_DELETE(r0, &(0x7f0000004b80)={0x0, 0x700, &(0x7f0000004b40)={&(0x7f0000004ac0)={0x28, r2, 0x425, 0x70bd29, 0x25dfdbff, {}, [@NET_SHAPER_A_HANDLE={0x14, 0x1, 0x0, 0x1, [@NET_SHAPER_A_HANDLE_ID={0x8, 0x2, 0xdd}, @NET_SHAPER_A_HANDLE_SCOPE={0x8, 0x1, 0x101}]}]}, 0x28}, 0x1, 0x0, 0x0, 0x8000}, 0x10) 410.408058ms ago: executing program 1 (id=182): socket$nl_generic(0x10, 0x3, 0x10) socket$nl_generic(0x10, 0x3, 0x10) socket(0x1e, 0x1, 0x0) socket$nl_generic(0x10, 0x3, 0x10) mmap$auto(0x0, 0x9, 0xdf, 0xeb1, 0x1, 0x8000) getsockopt$auto(0x6, 0x1, 0x38, 0xfffffffffffffffe, 0x0) 394.55947ms ago: executing program 2 (id=183): mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000) socket(0x2, 0x801, 0x106) clone$auto(0x20003b46, 0x2, 0x0, 0x0, 0x2) setsockopt$auto(0x3, 0x1, 0x3e, 0x0, 0x9) connect$auto(0x3, &(0x7f00000000c0)=@in={0x2, 0x0, @rand_addr=0xfffffffe}, 0x55) ioctl$auto(0x3, 0x800005411, 0x38) 343.103602ms ago: executing program 3 (id=184): mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x40000000000a5, 0x8000) statmount$auto(0x0, 0x0, 0xe, 0xfffffff8) r0 = openat$auto_ppp_device_fops_ppp_generic(0xffffffffffffff9c, &(0x7f0000000400), 0x189002, 0x0) ioctl$auto_PPPIOCSMRU(r0, 0xc004743e, 0x0) ioctl$auto_PPPIOCSPASS(r0, 0x40107447, &(0x7f0000000040)={0x6, 0x0}) ioctl$auto_PPPIOCSPASS(r0, 0x40107447, &(0x7f00000000c0)={0x9, &(0x7f0000000000)={0x28, 0xf3, 0xb0, @raw=0xfffff01c}}) 283.062458ms ago: executing program 0 (id=185): close_range$auto(0x2, 0x8, 0x0) socket(0x2, 0x80002, 0x73) r0 = socket(0xa, 0x801, 0x84) connect$auto(r0, &(0x7f0000000000)=@in={0x2, 0x4e21, @rand_addr=0xfffffffe}, 0x56) listen$auto(0x3, 0x83) accept$auto(0x3, 0xffffffffffffffff, 0xfffffffffffffffd) 181.881367ms ago: executing program 1 (id=186): close_range$auto(0x0, 0xfffffffffffff000, 0x2) syz_open_procfs$namespace(0xffffffffffffffff, &(0x7f00000000c0)='ns/ipc\x00') r0 = syz_open_procfs$namespace(0x0, &(0x7f0000000040)='ns/net\x00') ioctl$NS_GET_PARENT(r0, 0xb701, 0x0) socket(0x1d, 0x2, 0x7) setsockopt$auto(0x3, 0x6b, 0x3, 0xffffffffffffffff, 0x4) 83.187271ms ago: executing program 0 (id=187): openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f0000000000)='/sys/devices/virtual/vtconsole/vtcon1/bind\x00', 0x182b02, 0x0) mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xffffffffffffffff, 0x8000) writev$auto(0x3, &(0x7f0000000100)={0x0, 0x7111}, 0x8) r0 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f0000000080)='/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:08/adr\x00', 0x0, 0x0) read$auto(r0, 0x0, 0x20) write$auto(0x3, 0x0, 0xfffffdef) 0s ago: executing program 3 (id=188): mmap$auto(0x0, 0x20009, 0xe2, 0xeb1, 0x405, 0x8000) r0 = socket(0xa, 0x2, 0x88) r1 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000040)={'team0\x00', 0x0}) bpf$auto(0x0, &(0x7f00000000c0)=@bpf_attr_5={@target_ifindex=r2, r1, 0x4, 0x1, r0, @relative_id=0x13, 0xe600}, 0xf) bpf$auto(0x4, &(0x7f00000001c0)=@raw_tracepoint={0x5, r0, 0x0, 0x3}, 0xc) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.0.114' (ED25519) to the list of known hosts. [ 97.886726][ T5834] cgroup: Unknown subsys name 'net' [ 98.004390][ T5834] cgroup: Unknown subsys name 'cpuset' [ 98.013793][ T5834] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 99.844340][ T5834] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 102.181323][ T978] cfg80211: failed to load regulatory.db [ 102.382550][ T5845] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 102.403197][ T5850] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 102.412108][ T5851] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 102.421649][ T5855] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 102.429466][ T5855] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 102.438878][ T5855] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 102.446876][ T5855] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 102.460837][ T5166] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 102.483881][ T5855] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 102.491723][ T5855] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 102.502642][ T5855] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 102.515378][ T5856] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 102.523754][ T5855] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 102.531119][ T5855] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 102.537332][ T5857] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 102.545641][ T5855] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 102.561187][ T5855] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 102.569064][ T5855] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 102.598636][ T5855] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 102.607114][ T5855] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 103.142402][ T5844] chnl_net:caif_netlink_parms(): no params data found [ 103.325957][ T5847] chnl_net:caif_netlink_parms(): no params data found [ 103.366269][ T5854] chnl_net:caif_netlink_parms(): no params data found [ 103.430997][ T5848] chnl_net:caif_netlink_parms(): no params data found [ 103.505330][ T5844] bridge0: port 1(bridge_slave_0) entered blocking state [ 103.512720][ T5844] bridge0: port 1(bridge_slave_0) entered disabled state [ 103.521189][ T5844] bridge_slave_0: entered allmulticast mode [ 103.528639][ T5844] bridge_slave_0: entered promiscuous mode [ 103.547801][ T5844] bridge0: port 2(bridge_slave_1) entered blocking state [ 103.554987][ T5844] bridge0: port 2(bridge_slave_1) entered disabled state [ 103.562263][ T5844] bridge_slave_1: entered allmulticast mode [ 103.570320][ T5844] bridge_slave_1: entered promiscuous mode [ 103.712555][ T5844] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 103.722509][ T5847] bridge0: port 1(bridge_slave_0) entered blocking state [ 103.730519][ T5847] bridge0: port 1(bridge_slave_0) entered disabled state [ 103.737748][ T5847] bridge_slave_0: entered allmulticast mode [ 103.745328][ T5847] bridge_slave_0: entered promiscuous mode [ 103.777489][ T5844] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 103.802946][ T5847] bridge0: port 2(bridge_slave_1) entered blocking state [ 103.810299][ T5847] bridge0: port 2(bridge_slave_1) entered disabled state [ 103.817485][ T5847] bridge_slave_1: entered allmulticast mode [ 103.825096][ T5847] bridge_slave_1: entered promiscuous mode [ 103.847525][ T5854] bridge0: port 1(bridge_slave_0) entered blocking state [ 103.854877][ T5854] bridge0: port 1(bridge_slave_0) entered disabled state [ 103.862210][ T5854] bridge_slave_0: entered allmulticast mode [ 103.869634][ T5854] bridge_slave_0: entered promiscuous mode [ 103.918872][ T5854] bridge0: port 2(bridge_slave_1) entered blocking state [ 103.927983][ T5854] bridge0: port 2(bridge_slave_1) entered disabled state [ 103.936044][ T5854] bridge_slave_1: entered allmulticast mode [ 103.944274][ T5854] bridge_slave_1: entered promiscuous mode [ 103.968819][ T5844] team0: Port device team_slave_0 added [ 103.977710][ T5847] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 104.016881][ T5848] bridge0: port 1(bridge_slave_0) entered blocking state [ 104.024667][ T5848] bridge0: port 1(bridge_slave_0) entered disabled state [ 104.032265][ T5848] bridge_slave_0: entered allmulticast mode [ 104.039662][ T5848] bridge_slave_0: entered promiscuous mode [ 104.048959][ T5844] team0: Port device team_slave_1 added [ 104.058249][ T5847] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 104.076035][ T5854] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 104.085939][ T5848] bridge0: port 2(bridge_slave_1) entered blocking state [ 104.093723][ T5848] bridge0: port 2(bridge_slave_1) entered disabled state [ 104.101007][ T5848] bridge_slave_1: entered allmulticast mode [ 104.109790][ T5848] bridge_slave_1: entered promiscuous mode [ 104.163672][ T5854] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 104.252086][ T5848] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 104.266562][ T5848] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 104.276997][ T5844] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 104.285456][ T5844] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 104.312022][ T5844] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 104.327411][ T5847] team0: Port device team_slave_0 added [ 104.340534][ T5854] team0: Port device team_slave_0 added [ 104.361873][ T5844] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 104.368864][ T5844] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 104.395207][ T5844] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 104.408409][ T5847] team0: Port device team_slave_1 added [ 104.430672][ T5854] team0: Port device team_slave_1 added [ 104.454581][ T5848] team0: Port device team_slave_0 added [ 104.480899][ T5855] Bluetooth: hci0: command tx timeout [ 104.520592][ T5848] team0: Port device team_slave_1 added [ 104.527186][ T5847] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 104.534739][ T5847] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 104.560911][ T5847] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 104.587047][ T5854] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 104.594288][ T5854] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 104.620700][ T5854] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 104.633712][ T5854] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 104.640938][ T5845] Bluetooth: hci1: command tx timeout [ 104.640946][ T51] Bluetooth: hci3: command tx timeout [ 104.641751][ T5854] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 104.646787][ T5855] Bluetooth: hci2: command tx timeout [ 104.655896][ T5854] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 104.709189][ T5847] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 104.716281][ T5847] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 104.742714][ T5847] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 104.800997][ T5844] hsr_slave_0: entered promiscuous mode [ 104.807577][ T5844] hsr_slave_1: entered promiscuous mode [ 104.817893][ T5848] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 104.824914][ T5848] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 104.850887][ T5848] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 104.863855][ T5848] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 104.870890][ T5848] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 104.896948][ T5848] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 105.033023][ T5848] hsr_slave_0: entered promiscuous mode [ 105.041801][ T5848] hsr_slave_1: entered promiscuous mode [ 105.048002][ T5848] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 105.055846][ T5848] Cannot create hsr debugfs directory [ 105.066627][ T5847] hsr_slave_0: entered promiscuous mode [ 105.073771][ T5847] hsr_slave_1: entered promiscuous mode [ 105.080610][ T5847] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 105.088197][ T5847] Cannot create hsr debugfs directory [ 105.099277][ T5854] hsr_slave_0: entered promiscuous mode [ 105.105753][ T5854] hsr_slave_1: entered promiscuous mode [ 105.112099][ T5854] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 105.119734][ T5854] Cannot create hsr debugfs directory [ 105.622272][ T5844] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 105.643628][ T5844] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 105.656639][ T5844] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 105.667777][ T5844] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 105.742994][ T5848] netdevsim netdevsim3 netdevsim0: renamed from eth0 [ 105.754676][ T5848] netdevsim netdevsim3 netdevsim1: renamed from eth1 [ 105.774435][ T5848] netdevsim netdevsim3 netdevsim2: renamed from eth2 [ 105.799852][ T5848] netdevsim netdevsim3 netdevsim3: renamed from eth3 [ 105.887509][ T5854] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 105.916550][ T5854] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 105.928165][ T5854] netdevsim netdevsim2 netdevsim2: renamed from eth2 [ 105.969759][ T5854] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 106.064412][ T5847] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 106.078248][ T5847] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 106.090341][ T5847] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 106.103154][ T5847] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 106.185267][ T5844] 8021q: adding VLAN 0 to HW filter on device bond0 [ 106.238618][ T5844] 8021q: adding VLAN 0 to HW filter on device team0 [ 106.275413][ T5848] 8021q: adding VLAN 0 to HW filter on device bond0 [ 106.287492][ T1114] bridge0: port 1(bridge_slave_0) entered blocking state [ 106.294826][ T1114] bridge0: port 1(bridge_slave_0) entered forwarding state [ 106.328389][ T13] bridge0: port 2(bridge_slave_1) entered blocking state [ 106.335666][ T13] bridge0: port 2(bridge_slave_1) entered forwarding state [ 106.376851][ T5854] 8021q: adding VLAN 0 to HW filter on device bond0 [ 106.439267][ T5848] 8021q: adding VLAN 0 to HW filter on device team0 [ 106.456863][ T5847] 8021q: adding VLAN 0 to HW filter on device bond0 [ 106.494097][ T1082] bridge0: port 1(bridge_slave_0) entered blocking state [ 106.501277][ T1082] bridge0: port 1(bridge_slave_0) entered forwarding state [ 106.523411][ T5854] 8021q: adding VLAN 0 to HW filter on device team0 [ 106.535391][ T57] bridge0: port 2(bridge_slave_1) entered blocking state [ 106.542591][ T57] bridge0: port 2(bridge_slave_1) entered forwarding state [ 106.573687][ T5855] Bluetooth: hci0: command tx timeout [ 106.578853][ T5847] 8021q: adding VLAN 0 to HW filter on device team0 [ 106.596410][ T1114] bridge0: port 1(bridge_slave_0) entered blocking state [ 106.603605][ T1114] bridge0: port 1(bridge_slave_0) entered forwarding state [ 106.626952][ T57] bridge0: port 1(bridge_slave_0) entered blocking state [ 106.634165][ T57] bridge0: port 1(bridge_slave_0) entered forwarding state [ 106.666672][ T57] bridge0: port 2(bridge_slave_1) entered blocking state [ 106.673900][ T57] bridge0: port 2(bridge_slave_1) entered forwarding state [ 106.703082][ T1082] bridge0: port 2(bridge_slave_1) entered blocking state [ 106.710315][ T1082] bridge0: port 2(bridge_slave_1) entered forwarding state [ 106.721050][ T5855] Bluetooth: hci3: command tx timeout [ 106.726654][ T5845] Bluetooth: hci2: command tx timeout [ 106.726664][ T51] Bluetooth: hci1: command tx timeout [ 107.196152][ T5844] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 107.367540][ T5844] veth0_vlan: entered promiscuous mode [ 107.413803][ T5844] veth1_vlan: entered promiscuous mode [ 107.503602][ T5844] veth0_macvtap: entered promiscuous mode [ 107.523253][ T5848] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 107.536833][ T5844] veth1_macvtap: entered promiscuous mode [ 107.570412][ T5854] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 107.594851][ T5844] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 107.617799][ T5844] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 107.629856][ T5844] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 107.638713][ T5844] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 107.648090][ T5844] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 107.657829][ T5844] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 107.685711][ T5847] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 107.809212][ T5848] veth0_vlan: entered promiscuous mode [ 107.816135][ T5854] veth0_vlan: entered promiscuous mode [ 107.867513][ T3467] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 107.872571][ T5854] veth1_vlan: entered promiscuous mode [ 107.879207][ T3467] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 107.942031][ T5847] veth0_vlan: entered promiscuous mode [ 107.948247][ T5848] veth1_vlan: entered promiscuous mode [ 107.957459][ T57] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 107.982931][ T57] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 108.008352][ T5847] veth1_vlan: entered promiscuous mode [ 108.037848][ T5854] veth0_macvtap: entered promiscuous mode [ 108.054795][ T5854] veth1_macvtap: entered promiscuous mode [ 108.086962][ T5844] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 108.112038][ T5848] veth0_macvtap: entered promiscuous mode [ 108.137847][ T5848] veth1_macvtap: entered promiscuous mode [ 108.159220][ T5854] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 108.187652][ T5847] veth0_macvtap: entered promiscuous mode [ 108.220874][ T5854] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 108.244837][ T5847] veth1_macvtap: entered promiscuous mode [ 108.270752][ T5848] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 108.293514][ T5854] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.305386][ T5854] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.316520][ T5854] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.331430][ T5854] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.366518][ T5848] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 108.396332][ T5847] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 108.415934][ T5848] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.425993][ T5848] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.439724][ T5848] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.448476][ T5848] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.508474][ T5847] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 108.551323][ T5847] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.571737][ T5847] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.581885][ T5847] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.592656][ T5847] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.641318][ T51] Bluetooth: hci0: command tx timeout [ 108.710956][ T1082] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 108.718843][ T1082] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 108.801668][ T51] Bluetooth: hci1: command tx timeout [ 108.801974][ T5855] Bluetooth: hci3: command tx timeout [ 108.812829][ T5845] Bluetooth: hci2: command tx timeout [ 108.866481][ T3467] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 108.892802][ T3467] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 108.991716][ T3467] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 108.991744][ T3467] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 109.087227][ T1114] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 109.131190][ T1114] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 109.145073][ T3467] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 109.204072][ T3467] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 109.274247][ T1114] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 109.306861][ T1114] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 109.692211][ T5960] netlink: 342 bytes leftover after parsing attributes in process `syz.0.10'. [ 109.723586][ T5961] blkio.reset_stats is deprecated [ 109.729236][ T5960] Zero length message leads to an empty skb [ 110.306437][ T5976] FAULT_INJECTION: forcing a failure. [ 110.306437][ T5976] name failslab, interval 1, probability 0, space 0, times 1 [ 110.327387][ T5976] CPU: 1 UID: 0 PID: 5976 Comm: syz.0.15 Not tainted 6.16.0-rc4-syzkaller-00123-g4c06e63b9203 #0 PREEMPT(full) [ 110.327435][ T5976] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 110.327459][ T5976] Call Trace: [ 110.327470][ T5976] [ 110.327486][ T5976] dump_stack_lvl+0x16c/0x1f0 [ 110.327550][ T5976] should_fail_ex+0x512/0x640 [ 110.327598][ T5976] ? __kmalloc_noprof+0xbf/0x510 [ 110.327653][ T5976] ? __register_sysctl_table+0xea2/0x1900 [ 110.327684][ T5976] should_failslab+0xc2/0x120 [ 110.327718][ T5976] __kmalloc_noprof+0xd2/0x510 [ 110.327778][ T5976] ? __register_sysctl_table+0xe8e/0x1900 [ 110.327820][ T5976] __register_sysctl_table+0xea2/0x1900 [ 110.327865][ T5976] ? __pfx___register_sysctl_table+0x10/0x10 [ 110.327897][ T5976] ? is_module_address+0x69/0xf0 [ 110.327943][ T5976] ? register_net_sysctl_sz+0x228/0x3e0 [ 110.327980][ T5976] ? __asan_memcpy+0x3c/0x60 [ 110.328028][ T5976] ? __pfx_nf_lwtunnel_net_init+0x10/0x10 [ 110.328066][ T5976] nf_lwtunnel_net_init+0x60/0xf0 [ 110.328104][ T5976] ops_init+0x1df/0x5f0 [ 110.328140][ T5976] setup_net+0x1ff/0x510 [ 110.328168][ T5976] ? lockdep_init_map_type+0x5c/0x280 [ 110.328217][ T5976] ? __pfx_setup_net+0x10/0x10 [ 110.328251][ T5976] ? debug_mutex_init+0x37/0x70 [ 110.328289][ T5976] copy_net_ns+0x2a6/0x5f0 [ 110.328333][ T5976] create_new_namespaces+0x3ea/0xa90 [ 110.328381][ T5976] unshare_nsproxy_namespaces+0xc0/0x1f0 [ 110.328418][ T5976] ksys_unshare+0x45b/0xa40 [ 110.328466][ T5976] ? __pfx_ksys_unshare+0x10/0x10 [ 110.328515][ T5976] ? xfd_validate_state+0x61/0x180 [ 110.328573][ T5976] __x64_sys_unshare+0x31/0x40 [ 110.328620][ T5976] do_syscall_64+0xcd/0x490 [ 110.328676][ T5976] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 110.328711][ T5976] RIP: 0033:0x7f3b6438e929 [ 110.328751][ T5976] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 110.328782][ T5976] RSP: 002b:00007f3b651df038 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 [ 110.328813][ T5976] RAX: ffffffffffffffda RBX: 00007f3b645b5fa0 RCX: 00007f3b6438e929 [ 110.328834][ T5976] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000080 [ 110.328853][ T5976] RBP: 00007f3b64410b39 R08: 0000000000000000 R09: 0000000000000000 [ 110.328872][ T5976] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 110.328890][ T5976] R13: 0000000000000000 R14: 00007f3b645b5fa0 R15: 00007ffd199497d8 [ 110.328930][ T5976] [ 110.329050][ T5976] sysctl could not get directory: /net -12 [ 110.723458][ T5845] Bluetooth: hci0: command tx timeout [ 110.881029][ T5845] Bluetooth: hci2: command tx timeout [ 110.886513][ T5845] Bluetooth: hci3: command tx timeout [ 110.892222][ T5855] Bluetooth: hci1: command tx timeout [ 111.470606][ T5996] netlink: 334 bytes leftover after parsing attributes in process `syz.2.24'. [ 112.183994][ T30] audit: type=1326 audit(1751632417.384:2): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6012 comm="syz.3.34" exe="/root/syz-executor" sig=9 arch=c000003e syscall=231 compat=0 ip=0x7febf5b8e929 code=0x0 [ 113.321353][ T30] audit: type=1806 audit(1751632418.514:3): xattr="0x00060000" res=-22 [ 114.861221][ T6085] FAULT_INJECTION: forcing a failure. [ 114.861221][ T6085] name fail_page_alloc, interval 1, probability 0, space 0, times 1 [ 114.890709][ T6085] CPU: 1 UID: 0 PID: 6085 Comm: syz.0.61 Not tainted 6.16.0-rc4-syzkaller-00123-g4c06e63b9203 #0 PREEMPT(full) [ 114.890752][ T6085] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 114.890770][ T6085] Call Trace: [ 114.890779][ T6085] [ 114.890792][ T6085] dump_stack_lvl+0x16c/0x1f0 [ 114.890848][ T6085] should_fail_ex+0x512/0x640 [ 114.890904][ T6085] should_fail_alloc_page+0xe7/0x130 [ 114.890941][ T6085] prepare_alloc_pages+0x3c2/0x610 [ 114.890982][ T6085] ? rcu_is_watching+0x12/0xc0 [ 114.891021][ T6085] __alloc_frozen_pages_noprof+0x18b/0x23f0 [ 114.891080][ T6085] ? rcu_is_watching+0x12/0xc0 [ 114.891115][ T6085] ? trace_mm_page_alloc+0x11f/0x1a0 [ 114.891155][ T6085] ? __alloc_frozen_pages_noprof+0x294/0x23f0 [ 114.891210][ T6085] ? _raw_spin_unlock_irqrestore+0x3b/0x80 [ 114.891256][ T6085] ? __pfx___alloc_frozen_pages_noprof+0x10/0x10 [ 114.891320][ T6085] ? kmem_cache_alloc_node_noprof+0x1d5/0x3b0 [ 114.891371][ T6085] ? __get_vm_area_node+0x1ca/0x330 [ 114.891409][ T6085] ? __vmalloc_node_noprof+0xad/0xf0 [ 114.891449][ T6085] ? pcpu_mem_zalloc+0x54/0xb0 [ 114.891487][ T6085] ? pcpu_create_chunk+0x432/0x730 [ 114.891537][ T6085] ? pcpu_alloc_noprof+0x11e3/0x1470 [ 114.891583][ T6085] ? bpf_map_alloc_percpu+0x9a/0x4b0 [ 114.891649][ T6085] ? htab_map_alloc+0x10ca/0x1570 [ 114.891676][ T6085] ? map_create+0x58f/0x1db0 [ 114.891740][ T6085] alloc_pages_bulk_noprof+0x71c/0x1410 [ 114.891798][ T6085] ? __sanitizer_cov_trace_switch+0x54/0x90 [ 114.891855][ T6085] ? policy_nodemask+0xea/0x4e0 [ 114.891894][ T6085] ? __pfx_alloc_pages_bulk_noprof+0x10/0x10 [ 114.891951][ T6085] ? __pfx_alloc_pages_mpol+0x10/0x10 [ 114.892006][ T6085] kasan_populate_vmalloc+0xf1/0x1f0 [ 114.892063][ T6085] alloc_vmap_area+0x959/0x29c0 [ 114.892121][ T6085] ? __pfx_alloc_vmap_area+0x10/0x10 [ 114.892172][ T6085] __get_vm_area_node+0x1ca/0x330 [ 114.892223][ T6085] __vmalloc_node_range_noprof+0x271/0x14b0 [ 114.892269][ T6085] ? pcpu_mem_zalloc+0x54/0xb0 [ 114.892324][ T6085] ? pcpu_mem_zalloc+0x54/0xb0 [ 114.892379][ T6085] ? __pfx___vmalloc_node_range_noprof+0x10/0x10 [ 114.892442][ T6085] ? pcpu_mem_zalloc+0x54/0xb0 [ 114.892484][ T6085] __vmalloc_node_noprof+0xad/0xf0 [ 114.892536][ T6085] ? pcpu_mem_zalloc+0x54/0xb0 [ 114.892584][ T6085] pcpu_mem_zalloc+0x54/0xb0 [ 114.892629][ T6085] pcpu_create_chunk+0x432/0x730 [ 114.892681][ T6085] pcpu_alloc_noprof+0x11e3/0x1470 [ 114.892751][ T6085] bpf_map_alloc_percpu+0x9a/0x4b0 [ 114.892802][ T6085] htab_map_alloc+0x10ca/0x1570 [ 114.892842][ T6085] ? ns_capable+0xd7/0x110 [ 114.892894][ T6085] map_create+0x58f/0x1db0 [ 114.892957][ T6085] ? __pfx_map_create+0x10/0x10 [ 114.893003][ T6085] ? __might_fault+0xe3/0x190 [ 114.893051][ T6085] ? __might_fault+0xe3/0x190 [ 114.893116][ T6085] ? __might_fault+0x13b/0x190 [ 114.893182][ T6085] __sys_bpf+0x47cc/0x4d80 [ 114.893211][ T6085] ? __pfx_futex_wake+0x10/0x10 [ 114.893264][ T6085] ? __pfx___sys_bpf+0x10/0x10 [ 114.893297][ T6085] ? do_writev+0x218/0x340 [ 114.893352][ T6085] ? do_futex+0x122/0x350 [ 114.893395][ T6085] ? __pfx_do_futex+0x10/0x10 [ 114.893454][ T6085] ? fput+0x70/0xf0 [ 114.893490][ T6085] ? xfd_validate_state+0x61/0x180 [ 114.893550][ T6085] ? __pfx_do_writev+0x10/0x10 [ 114.893606][ T6085] __x64_sys_bpf+0x78/0xc0 [ 114.893639][ T6085] ? lockdep_hardirqs_on+0x7c/0x110 [ 114.893687][ T6085] do_syscall_64+0xcd/0x490 [ 114.893743][ T6085] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 114.893777][ T6085] RIP: 0033:0x7f3b6438e929 [ 114.893803][ T6085] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 114.893835][ T6085] RSP: 002b:00007f3b651df038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 [ 114.893867][ T6085] RAX: ffffffffffffffda RBX: 00007f3b645b5fa0 RCX: 00007f3b6438e929 [ 114.893888][ T6085] RDX: 00000000000000a3 RSI: 0000200000000780 RDI: 0000000000000000 [ 114.893907][ T6085] RBP: 00007f3b64410b39 R08: 0000000000000000 R09: 0000000000000000 [ 114.893926][ T6085] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 114.893944][ T6085] R13: 0000000000000000 R14: 00007f3b645b5fa0 R15: 00007ffd199497d8 [ 114.893986][ T6085] [ 115.516443][ T5855] Bluetooth: hci3: unexpected event 0x03 length: 725 > 11 [ 115.750433][ T6105] netlink: 'syz.0.67': attribute type 1 has an invalid length. [ 116.007267][ T6113] netlink: 334 bytes leftover after parsing attributes in process `syz.3.71'. [ 116.369314][ T6117] openvswitch: netlink: Unknown nsh attribute 0 [ 116.663810][ T6123] kvm_intel: L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. [ 116.675278][ T6125] netlink: 330 bytes leftover after parsing attributes in process `syz.1.78'. [ 117.064786][ T6136] netlink: 28 bytes leftover after parsing attributes in process `syz.0.81'. [ 117.460272][ T6146] netlink: 'syz.1.85': attribute type 21 has an invalid length. [ 117.468490][ T6146] netlink: 334 bytes leftover after parsing attributes in process `syz.1.85'. [ 117.788495][ T6154] netlink: 74 bytes leftover after parsing attributes in process `syz.0.88'. [ 118.710850][ T6177] netlink: 342 bytes leftover after parsing attributes in process `syz.1.98'. [ 119.292771][ T6189] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 119.744121][ T6201] netlink: 342 bytes leftover after parsing attributes in process `syz.2.107'. [ 120.015171][ T6206] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 121.373690][ T6231] syz.0.118 (6231) used greatest stack depth: 21160 bytes left [ 121.576035][ T6230] zswap: compressor not available [ 122.490810][ T6261] FAULT_INJECTION: forcing a failure. [ 122.490810][ T6261] name failslab, interval 1, probability 0, space 0, times 0 [ 122.521449][ T6261] CPU: 1 UID: 0 PID: 6261 Comm: syz.1.130 Not tainted 6.16.0-rc4-syzkaller-00123-g4c06e63b9203 #0 PREEMPT(full) [ 122.521494][ T6261] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 122.521513][ T6261] Call Trace: [ 122.521524][ T6261] [ 122.521536][ T6261] dump_stack_lvl+0x16c/0x1f0 [ 122.521594][ T6261] should_fail_ex+0x512/0x640 [ 122.521645][ T6261] ? fs_reclaim_acquire+0xae/0x150 [ 122.521690][ T6261] ? security_inode_init_security+0x13f/0x390 [ 122.521758][ T6261] should_failslab+0xc2/0x120 [ 122.521793][ T6261] __kmalloc_noprof+0xd2/0x510 [ 122.521856][ T6261] security_inode_init_security+0x13f/0x390 [ 122.521927][ T6261] ? __pfx_shmem_initxattrs+0x10/0x10 [ 122.521964][ T6261] ? __pfx_security_inode_init_security+0x10/0x10 [ 122.522033][ T6261] shmem_mknod+0x22e/0x450 [ 122.522079][ T6261] shmem_mkdir+0x31/0x80 [ 122.522118][ T6261] vfs_mkdir+0x590/0x8c0 [ 122.522166][ T6261] do_mkdirat+0x304/0x3e0 [ 122.522218][ T6261] ? __pfx_do_mkdirat+0x10/0x10 [ 122.522273][ T6261] ? getname_flags.part.0+0x1c5/0x550 [ 122.522317][ T6261] __x64_sys_mkdir+0xef/0x140 [ 122.522369][ T6261] do_syscall_64+0xcd/0x490 [ 122.522423][ T6261] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 122.522456][ T6261] RIP: 0033:0x7fe91f58e929 [ 122.522482][ T6261] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 122.522519][ T6261] RSP: 002b:00007fe9204b3038 EFLAGS: 00000246 ORIG_RAX: 0000000000000053 [ 122.522548][ T6261] RAX: ffffffffffffffda RBX: 00007fe91f7b5fa0 RCX: 00007fe91f58e929 [ 122.522568][ T6261] RDX: 0000000000000000 RSI: 0000000000008001 RDI: 0000000000000000 [ 122.522586][ T6261] RBP: 00007fe91f610b39 R08: 0000000000000000 R09: 0000000000000000 [ 122.522605][ T6261] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 122.522623][ T6261] R13: 0000000000000000 R14: 00007fe91f7b5fa0 R15: 00007ffe39802eb8 [ 122.522665][ T6261] [ 124.476820][ T6309] input: = as /devices/virtual/input/input5 [ 124.590817][ T6315] netlink: 28 bytes leftover after parsing attributes in process `syz.3.154'. [ 124.817145][ T6320] FAULT_INJECTION: forcing a failure. [ 124.817145][ T6320] name failslab, interval 1, probability 0, space 0, times 0 [ 124.843371][ T6320] CPU: 1 UID: 0 PID: 6320 Comm: syz.0.156 Not tainted 6.16.0-rc4-syzkaller-00123-g4c06e63b9203 #0 PREEMPT(full) [ 124.843414][ T6320] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 124.843433][ T6320] Call Trace: [ 124.843443][ T6320] [ 124.843455][ T6320] dump_stack_lvl+0x16c/0x1f0 [ 124.843509][ T6320] should_fail_ex+0x512/0x640 [ 124.843558][ T6320] ? __kmalloc_cache_noprof+0x57/0x3e0 [ 124.843609][ T6320] should_failslab+0xc2/0x120 [ 124.843644][ T6320] __kmalloc_cache_noprof+0x6a/0x3e0 [ 124.843692][ T6320] ? snd_timer_user_open+0x6b/0x180 [ 124.843728][ T6320] ? __pfx_snd_timer_user_open+0x10/0x10 [ 124.843766][ T6320] snd_timer_user_open+0x6b/0x180 [ 124.843805][ T6320] snd_open+0x201/0x450 [ 124.843835][ T6320] ? __pfx_snd_open+0x10/0x10 [ 124.843862][ T6320] chrdev_open+0x231/0x6a0 [ 124.843890][ T6320] ? __pfx_apparmor_file_open+0x10/0x10 [ 124.843933][ T6320] ? __pfx_chrdev_open+0x10/0x10 [ 124.843966][ T6320] ? file_set_fsnotify_mode_from_watchers+0x163/0x640 [ 124.844021][ T6320] do_dentry_open+0x744/0x1c10 [ 124.844076][ T6320] ? __pfx_chrdev_open+0x10/0x10 [ 124.844116][ T6320] vfs_open+0x82/0x3f0 [ 124.844159][ T6320] path_openat+0x1de4/0x2cb0 [ 124.844224][ T6320] ? __pfx_path_openat+0x10/0x10 [ 124.844290][ T6320] ? __lock_acquire+0xb8a/0x1c90 [ 124.844355][ T6320] do_filp_open+0x20b/0x470 [ 124.844406][ T6320] ? __pfx_do_filp_open+0x10/0x10 [ 124.844484][ T6320] ? alloc_fd+0x471/0x7d0 [ 124.844542][ T6320] do_sys_openat2+0x11b/0x1d0 [ 124.844579][ T6320] ? __pfx_do_sys_openat2+0x10/0x10 [ 124.844633][ T6320] __x64_sys_openat+0x174/0x210 [ 124.844674][ T6320] ? __pfx___x64_sys_openat+0x10/0x10 [ 124.844730][ T6320] do_syscall_64+0xcd/0x490 [ 124.844782][ T6320] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 124.844814][ T6320] RIP: 0033:0x7f3b6438e929 [ 124.844839][ T6320] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 124.844870][ T6320] RSP: 002b:00007f3b651df038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 124.844900][ T6320] RAX: ffffffffffffffda RBX: 00007f3b645b5fa0 RCX: 00007f3b6438e929 [ 124.844921][ T6320] RDX: 0000000000000420 RSI: 0000200000000080 RDI: ffffffffffffff9c [ 124.844940][ T6320] RBP: 00007f3b64410b39 R08: 0000000000000000 R09: 0000000000000000 [ 124.844958][ T6320] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 124.844982][ T6320] R13: 0000000000000000 R14: 00007f3b645b5fa0 R15: 00007ffd199497d8 [ 124.845022][ T6320] [ 125.311961][ T6330] netlink: 4 bytes leftover after parsing attributes in process `syz.2.159'. [ 125.363965][ T6330] netlink: 354 bytes leftover after parsing attributes in process `syz.2.159'. [ 125.565080][ T6337] netlink: 342 bytes leftover after parsing attributes in process `syz.3.161'. [ 125.955037][ T6355] netlink: 326 bytes leftover after parsing attributes in process `syz.2.166'. [ 127.700431][ T6408] netlink: 4 bytes leftover after parsing attributes in process `syz.0.181'. [ 128.126878][ T6421] Console: switching to colour VGA+ 80x25 [ 128.202366][ T6421] ================================================================== [ 128.202389][ T6421] BUG: KASAN: slab-out-of-bounds in fbcon_prepare_logo+0xa03/0xc70 [ 128.202455][ T6421] Read of size 256 at addr ffff888029c5f860 by task syz.0.187/6421 [ 128.202484][ T6421] [ 128.202500][ T6421] CPU: 0 UID: 0 PID: 6421 Comm: syz.0.187 Not tainted 6.16.0-rc4-syzkaller-00123-g4c06e63b9203 #0 PREEMPT(full) [ 128.202540][ T6421] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 128.202560][ T6421] Call Trace: [ 128.202570][ T6421] [ 128.202583][ T6421] dump_stack_lvl+0x116/0x1f0 [ 128.202634][ T6421] print_report+0xcd/0x680 [ 128.202666][ T6421] ? __virt_addr_valid+0x81/0x610 [ 128.202701][ T6421] ? __phys_addr+0xe8/0x180 [ 128.202739][ T6421] ? fbcon_prepare_logo+0xa03/0xc70 [ 128.202790][ T6421] kasan_report+0xe0/0x110 [ 128.202822][ T6421] ? fbcon_prepare_logo+0xa03/0xc70 [ 128.202881][ T6421] kasan_check_range+0x100/0x1b0 [ 128.202921][ T6421] __asan_memcpy+0x23/0x60 [ 128.202976][ T6421] fbcon_prepare_logo+0xa03/0xc70 [ 128.203040][ T6421] fbcon_init+0xd77/0x1900 [ 128.203098][ T6421] ? __pfx_drm_fb_helper_set_par+0x10/0x10 [ 128.203134][ T6421] visual_init+0x320/0x620 [ 128.203178][ T6421] do_bind_con_driver.isra.0+0x57a/0xbf0 [ 128.203237][ T6421] store_bind+0x61d/0x760 [ 128.203289][ T6421] ? sysfs_file_kobj+0xe4/0x290 [ 128.203331][ T6421] ? __pfx_store_bind+0x10/0x10 [ 128.203380][ T6421] dev_attr_store+0x58/0x80 [ 128.203412][ T6421] ? __pfx_dev_attr_store+0x10/0x10 [ 128.203444][ T6421] sysfs_kf_write+0xf2/0x150 [ 128.203486][ T6421] kernfs_fop_write_iter+0x351/0x510 [ 128.203522][ T6421] ? __pfx_sysfs_kf_write+0x10/0x10 [ 128.203566][ T6421] vfs_write+0x6c4/0x1150 [ 128.203615][ T6421] ? __pfx_kernfs_fop_write_iter+0x10/0x10 [ 128.203654][ T6421] ? __pfx___mutex_lock+0x10/0x10 [ 128.203706][ T6421] ? __pfx_vfs_write+0x10/0x10 [ 128.203768][ T6421] ksys_write+0x12a/0x250 [ 128.203816][ T6421] ? __pfx_ksys_write+0x10/0x10 [ 128.203871][ T6421] do_syscall_64+0xcd/0x490 [ 128.203932][ T6421] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 128.203967][ T6421] RIP: 0033:0x7f3b6438e929 [ 128.203992][ T6421] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 128.204026][ T6421] RSP: 002b:00007f3b651df038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 128.204058][ T6421] RAX: ffffffffffffffda RBX: 00007f3b645b5fa0 RCX: 00007f3b6438e929 [ 128.204080][ T6421] RDX: 00000000fffffdef RSI: 0000000000000000 RDI: 0000000000000003 [ 128.204101][ T6421] RBP: 00007f3b64410b39 R08: 0000000000000000 R09: 0000000000000000 [ 128.204121][ T6421] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 128.204141][ T6421] R13: 0000000000000000 R14: 00007f3b645b5fa0 R15: 00007ffd199497d8 [ 128.204174][ T6421] [ 128.204184][ T6421] [ 128.204192][ T6421] Allocated by task 6421: [ 128.204208][ T6421] kasan_save_stack+0x33/0x60 [ 128.204256][ T6421] kasan_save_track+0x14/0x30 [ 128.204305][ T6421] __kasan_kmalloc+0xaa/0xb0 [ 128.204352][ T6421] __kmalloc_noprof+0x223/0x510 [ 128.204400][ T6421] vc_do_resize+0x1de/0x10e0 [ 128.204445][ T6421] fbcon_startup+0x427/0xba0 [ 128.204493][ T6421] do_bind_con_driver.isra.0+0x207/0xbf0 [ 128.204542][ T6421] store_bind+0x61d/0x760 [ 128.204588][ T6421] dev_attr_store+0x58/0x80 [ 128.204617][ T6421] sysfs_kf_write+0xf2/0x150 [ 128.204654][ T6421] kernfs_fop_write_iter+0x351/0x510 [ 128.204688][ T6421] vfs_write+0x6c4/0x1150 [ 128.204732][ T6421] ksys_write+0x12a/0x250 [ 128.204777][ T6421] do_syscall_64+0xcd/0x490 [ 128.204825][ T6421] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 128.204857][ T6421] [ 128.204864][ T6421] Freed by task 6421: [ 128.204878][ T6421] kasan_save_stack+0x33/0x60 [ 128.204933][ T6421] kasan_save_track+0x14/0x30 [ 128.204981][ T6421] kasan_save_free_info+0x3b/0x60 [ 128.205021][ T6421] __kasan_slab_free+0x51/0x70 [ 128.205048][ T6421] kfree+0x2b4/0x4d0 [ 128.205086][ T6421] vc_do_resize+0xe29/0x10e0 [ 128.205132][ T6421] fbcon_startup+0x427/0xba0 [ 128.205179][ T6421] do_bind_con_driver.isra.0+0x207/0xbf0 [ 128.205228][ T6421] store_bind+0x61d/0x760 [ 128.205274][ T6421] dev_attr_store+0x58/0x80 [ 128.205302][ T6421] sysfs_kf_write+0xf2/0x150 [ 128.205339][ T6421] kernfs_fop_write_iter+0x351/0x510 [ 128.205373][ T6421] vfs_write+0x6c4/0x1150 [ 128.205418][ T6421] ksys_write+0x12a/0x250 [ 128.205463][ T6421] do_syscall_64+0xcd/0x490 [ 128.205511][ T6421] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 128.205542][ T6421] [ 128.205549][ T6421] The buggy address belongs to the object at ffff888029c5f000 [ 128.205549][ T6421] which belongs to the cache kmalloc-2k of size 2048 [ 128.205575][ T6421] The buggy address is located 96 bytes to the right of [ 128.205575][ T6421] allocated 2048-byte region [ffff888029c5f000, ffff888029c5f800) [ 128.205610][ T6421] [ 128.205618][ T6421] The buggy address belongs to the physical page: [ 128.205637][ T6421] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x29c58 [ 128.205671][ T6421] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 128.205698][ T6421] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 128.205734][ T6421] page_type: f5(slab) [ 128.205763][ T6421] raw: 00fff00000000040 ffff88801b842000 ffffea0001dca200 dead000000000002 [ 128.205793][ T6421] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 [ 128.205825][ T6421] head: 00fff00000000040 ffff88801b842000 ffffea0001dca200 dead000000000002 [ 128.205855][ T6421] head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 [ 128.205886][ T6421] head: 00fff00000000003 ffffea0000a71601 00000000ffffffff 00000000ffffffff [ 128.205916][ T6421] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 128.205941][ T6421] page dumped because: kasan: bad access detected [ 128.205961][ T6421] page_owner tracks the page as allocated [ 128.205971][ T6421] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5847, tgid 5847 (syz-executor), ts 105876347002, free_ts 71443710020 [ 128.206026][ T6421] post_alloc_hook+0x1c0/0x230 [ 128.206071][ T6421] get_page_from_freelist+0x1321/0x3890 [ 128.206120][ T6421] __alloc_frozen_pages_noprof+0x261/0x23f0 [ 128.206169][ T6421] alloc_pages_mpol+0x1fb/0x550 [ 128.206198][ T6421] new_slab+0x23b/0x330 [ 128.206237][ T6421] ___slab_alloc+0xd9c/0x1940 [ 128.206277][ T6421] __slab_alloc.constprop.0+0x56/0xb0 [ 128.206321][ T6421] __kmalloc_cache_noprof+0xfb/0x3e0 [ 128.206363][ T6421] new_device_store+0x205/0x730 [ 128.206395][ T6421] bus_attr_store+0x74/0xb0 [ 128.206430][ T6421] sysfs_kf_write+0xf2/0x150 [ 128.206468][ T6421] kernfs_fop_write_iter+0x351/0x510 [ 128.206502][ T6421] vfs_write+0x6c4/0x1150 [ 128.206545][ T6421] ksys_write+0x12a/0x250 [ 128.206591][ T6421] do_syscall_64+0xcd/0x490 [ 128.206639][ T6421] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 128.206670][ T6421] page last free pid 5511 tgid 5511 stack trace: [ 128.206688][ T6421] __free_frozen_pages+0x7fe/0x1180 [ 128.206728][ T6421] __put_partials+0x16d/0x1c0 [ 128.206771][ T6421] qlist_free_all+0x4d/0x120 [ 128.206816][ T6421] kasan_quarantine_reduce+0x195/0x1e0 [ 128.206864][ T6421] __kasan_slab_alloc+0x69/0x90 [ 128.206891][ T6421] kmem_cache_alloc_noprof+0x1cb/0x3b0 [ 128.206950][ T6421] alloc_empty_file+0x55/0x1e0 [ 128.206985][ T6421] alloc_file_pseudo+0x13a/0x230 [ 128.207020][ T6421] sock_alloc_file+0x50/0x210 [ 128.207048][ T6421] __sys_socketpair+0x31c/0x5a0 [ 128.207085][ T6421] __x64_sys_socketpair+0x96/0x100 [ 128.207124][ T6421] do_syscall_64+0xcd/0x490 [ 128.207172][ T6421] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 128.207204][ T6421] [ 128.207211][ T6421] Memory state around the buggy address: [ 128.207228][ T6421] ffff888029c5f700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 128.207252][ T6421] ffff888029c5f780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 128.207275][ T6421] >ffff888029c5f800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 128.207293][ T6421] ^ [ 128.207312][ T6421] ffff888029c5f880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 128.207335][ T6421] ffff888029c5f900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 128.207354][ T6421] ================================================================== [ 128.207371][ T6421] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 128.207391][ T6421] CPU: 0 UID: 0 PID: 6421 Comm: syz.0.187 Not tainted 6.16.0-rc4-syzkaller-00123-g4c06e63b9203 #0 PREEMPT(full) [ 128.207433][ T6421] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 128.207453][ T6421] Call Trace: [ 128.207464][ T6421] [ 128.207476][ T6421] dump_stack_lvl+0x3d/0x1f0 [ 128.207527][ T6421] panic+0x71c/0x800 [ 128.207575][ T6421] ? __pfx_panic+0x10/0x10 [ 128.207627][ T6421] ? __pfx__printk+0x10/0x10 [ 128.207681][ T6421] ? fbcon_prepare_logo+0xa03/0xc70 [ 128.207734][ T6421] check_panic_on_warn+0xab/0xb0 [ 128.207785][ T6421] end_report+0x107/0x170 [ 128.207832][ T6421] kasan_report+0xee/0x110 [ 128.207866][ T6421] ? fbcon_prepare_logo+0xa03/0xc70 [ 128.207930][ T6421] kasan_check_range+0x100/0x1b0 [ 128.207972][ T6421] __asan_memcpy+0x23/0x60 [ 128.208018][ T6421] fbcon_prepare_logo+0xa03/0xc70 [ 128.208081][ T6421] fbcon_init+0xd77/0x1900 [ 128.208135][ T6421] ? __pfx_drm_fb_helper_set_par+0x10/0x10 [ 128.208170][ T6421] visual_init+0x320/0x620 [ 128.208216][ T6421] do_bind_con_driver.isra.0+0x57a/0xbf0 [ 128.208276][ T6421] store_bind+0x61d/0x760 [ 128.208329][ T6421] ? sysfs_file_kobj+0xe4/0x290 [ 128.208370][ T6421] ? __pfx_store_bind+0x10/0x10 [ 128.208420][ T6421] dev_attr_store+0x58/0x80 [ 128.208453][ T6421] ? __pfx_dev_attr_store+0x10/0x10 [ 128.208486][ T6421] sysfs_kf_write+0xf2/0x150 [ 128.208529][ T6421] kernfs_fop_write_iter+0x351/0x510 [ 128.208565][ T6421] ? __pfx_sysfs_kf_write+0x10/0x10 [ 128.208610][ T6421] vfs_write+0x6c4/0x1150 [ 128.208660][ T6421] ? __pfx_kernfs_fop_write_iter+0x10/0x10 [ 128.208699][ T6421] ? __pfx___mutex_lock+0x10/0x10 [ 128.208750][ T6421] ? __pfx_vfs_write+0x10/0x10 [ 128.208813][ T6421] ksys_write+0x12a/0x250 [ 128.208862][ T6421] ? __pfx_ksys_write+0x10/0x10 [ 128.208918][ T6421] do_syscall_64+0xcd/0x490 [ 128.208979][ T6421] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 128.209013][ T6421] RIP: 0033:0x7f3b6438e929 [ 128.209037][ T6421] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 128.209070][ T6421] RSP: 002b:00007f3b651df038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 128.209103][ T6421] RAX: ffffffffffffffda RBX: 00007f3b645b5fa0 RCX: 00007f3b6438e929 [ 128.209126][ T6421] RDX: 00000000fffffdef RSI: 0000000000000000 RDI: 0000000000000003 [ 128.209147][ T6421] RBP: 00007f3b64410b39 R08: 0000000000000000 R09: 0000000000000000 [ 128.209168][ T6421] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 128.209188][ T6421] R13: 0000000000000000 R14: 00007f3b645b5fa0 R15: 00007ffd199497d8 [ 128.209221][ T6421] [ 128.209551][ T6421] Kernel Offset: disabled