syzkaller login: [ 91.839916][ T54] cfg80211: failed to load regulatory.db
Warning: Permanently added '[localhost]:19190' (ED25519) to the list of known hosts.
2025/09/10 19:05:13 parsed 1 programs
[ 140.871949][ T5373] cgroup: Unknown subsys name 'net'
[ 140.940664][ T5373] cgroup: Unknown subsys name 'cpuset'
[ 140.946282][ T5373] cgroup: Unknown subsys name 'rlimit'
[ 142.519990][ T5373] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 146.433600][ T5381] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[ 146.790345][ T5393] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 146.794221][ T5393] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 146.799435][ T5393] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 146.803694][ T5393] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 146.809821][ T5393] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 147.770692][ T1040] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 147.774032][ T1040] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 147.805352][ T1040] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 147.810358][ T1040] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 150.321840][ T5449] chnl_net:caif_netlink_parms(): no params data found
[ 150.385582][ T5449] bridge0: port 1(bridge_slave_0) entered blocking state
[ 150.390069][ T5449] bridge0: port 1(bridge_slave_0) entered disabled state
[ 150.393251][ T5449] bridge_slave_0: entered allmulticast mode
[ 150.397503][ T5449] bridge_slave_0: entered promiscuous mode
[ 150.402907][ T5449] bridge0: port 2(bridge_slave_1) entered blocking state
[ 150.406046][ T5449] bridge0: port 2(bridge_slave_1) entered disabled state
[ 150.410229][ T5449] bridge_slave_1: entered allmulticast mode
[ 150.413697][ T5449] bridge_slave_1: entered promiscuous mode
[ 150.436452][ T5449] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 150.442797][ T5449] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 150.467108][ T5449] team0: Port device team_slave_0 added
[ 150.471115][ T5449] team0: Port device team_slave_1 added
[ 150.493070][ T5449] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 150.495988][ T5449] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 150.507034][ T5449] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 150.514075][ T5449] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 150.518982][ T5449] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 150.530916][ T5449] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 150.563607][ T5449] hsr_slave_0: entered promiscuous mode
[ 150.567667][ T5449] hsr_slave_1: entered promiscuous mode
[ 150.710744][ T5449] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 150.721049][ T5449] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 150.729696][ T5449] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 150.735536][ T5449] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 150.764620][ T5449] bridge0: port 2(bridge_slave_1) entered blocking state
[ 150.767891][ T5449] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 150.771870][ T5449] bridge0: port 1(bridge_slave_0) entered blocking state
[ 150.774875][ T5449] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 150.834626][ T5449] 8021q: adding VLAN 0 to HW filter on device bond0
[ 150.850773][ T1040] bridge0: port 1(bridge_slave_0) entered disabled state
[ 150.854732][ T1040] bridge0: port 2(bridge_slave_1) entered disabled state
[ 150.866328][ T5449] 8021q: adding VLAN 0 to HW filter on device team0
[ 150.876482][ T1040] bridge0: port 1(bridge_slave_0) entered blocking state
[ 150.879783][ T1040] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 150.899166][ T1040] bridge0: port 2(bridge_slave_1) entered blocking state
[ 150.902287][ T1040] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 151.063195][ T5449] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 151.093142][ T5449] veth0_vlan: entered promiscuous mode
[ 151.103515][ T5449] veth1_vlan: entered promiscuous mode
[ 151.136143][ T5449] veth0_macvtap: entered promiscuous mode
[ 151.143792][ T5449] veth1_macvtap: entered promiscuous mode
[ 151.162773][ T5449] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 151.173956][ T5449] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 151.186018][ T1040] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 151.193520][ T1040] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 151.206282][ T1040] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 151.220909][ T43] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 151.335958][ T43] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 151.379115][ T43] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 151.420864][ T43] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 151.469495][ T43] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
2025/09/10 19:05:26 executed programs: 0
[ 151.814309][ T4705] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 151.821161][ T4705] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 151.824592][ T4705] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 151.828810][ T4705] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 151.832211][ T4705] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 152.029583][ T5475] chnl_net:caif_netlink_parms(): no params data found
[ 152.098045][ T5475] bridge0: port 1(bridge_slave_0) entered blocking state
[ 152.101203][ T5475] bridge0: port 1(bridge_slave_0) entered disabled state
[ 152.104257][ T5475] bridge_slave_0: entered allmulticast mode
[ 152.108795][ T5475] bridge_slave_0: entered promiscuous mode
[ 152.113533][ T5475] bridge0: port 2(bridge_slave_1) entered blocking state
[ 152.118023][ T5475] bridge0: port 2(bridge_slave_1) entered disabled state
[ 152.121214][ T5475] bridge_slave_1: entered allmulticast mode
[ 152.125053][ T5475] bridge_slave_1: entered promiscuous mode
[ 152.150311][ T5475] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 152.156542][ T5475] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 152.186520][ T5475] team0: Port device team_slave_0 added
[ 152.191910][ T5475] team0: Port device team_slave_1 added
[ 152.214642][ T5475] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 152.218620][ T5475] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 152.229930][ T5475] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 152.235990][ T5475] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 152.241537][ T5475] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 152.252717][ T5475] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 152.291757][ T5475] hsr_slave_0: entered promiscuous mode
[ 152.294894][ T5475] hsr_slave_1: entered promiscuous mode
[ 152.299104][ T5475] debugfs: 'hsr0' already exists in 'hsr'
[ 152.301660][ T5475] Cannot create hsr debugfs directory
[ 153.918259][ T4705] Bluetooth: hci0: command tx timeout
[ 154.099372][ T43] bridge_slave_1: left allmulticast mode
[ 154.102004][ T43] bridge_slave_1: left promiscuous mode
[ 154.105177][ T43] bridge0: port 2(bridge_slave_1) entered disabled state
[ 154.140694][ T43] bridge_slave_0: left allmulticast mode
[ 154.143236][ T43] bridge_slave_0: left promiscuous mode
[ 154.145742][ T43] bridge0: port 1(bridge_slave_0) entered disabled state
[ 154.558189][ T43] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 154.563423][ T43] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 154.568423][ T43] bond0 (unregistering): Released all slaves
[ 154.643926][ T43] hsr_slave_0: left promiscuous mode
[ 154.660269][ T43] hsr_slave_1: left promiscuous mode
[ 154.663497][ T43] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 154.667220][ T43] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 154.671158][ T43] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 154.674424][ T43] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 154.687510][ T43] veth1_macvtap: left promiscuous mode
[ 154.690014][ T43] veth0_macvtap: left promiscuous mode
[ 154.692886][ T43] veth1_vlan: left promiscuous mode
[ 154.695137][ T43] veth0_vlan: left promiscuous mode
[ 154.963952][ T43] team0 (unregistering): Port device team_slave_1 removed
[ 154.986270][ T43] team0 (unregistering): Port device team_slave_0 removed
[ 155.478964][ T5475] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 155.499367][ T5475] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 155.512854][ T5475] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 155.529160][ T5475] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 155.779492][ T5475] 8021q: adding VLAN 0 to HW filter on device bond0
[ 155.808882][ T5475] 8021q: adding VLAN 0 to HW filter on device team0
[ 155.832541][ T3095] bridge0: port 1(bridge_slave_0) entered blocking state
[ 155.836100][ T3095] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 155.857896][ T3095] bridge0: port 2(bridge_slave_1) entered blocking state
[ 155.860686][ T3095] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 156.001890][ T4705] Bluetooth: hci0: command tx timeout
[ 156.161811][ T5475] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 156.226246][ T5475] veth0_vlan: entered promiscuous mode
[ 156.238978][ T5475] veth1_vlan: entered promiscuous mode
[ 156.286839][ T5475] veth0_macvtap: entered promiscuous mode
[ 156.299558][ T5475] veth1_macvtap: entered promiscuous mode
[ 156.330955][ T5475] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 156.350334][ T5475] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 156.389851][ T3095] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 156.393924][ T3095] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 156.417302][ T3095] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 156.420860][ T3095] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 156.488933][ T12] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 156.492217][ T12] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 156.537240][ T12] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 156.540860][ T12] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
2025/09/10 19:05:31 executed programs: 7
[ 158.077038][ T4705] Bluetooth: hci0: command tx timeout
[ 160.156748][ T4705] Bluetooth: hci0: command tx timeout
2025/09/10 19:05:36 executed programs: 244
2025/09/10 19:05:42 executed programs: 496
[ 169.057652][ T5393] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 169.061926][ T5393] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 169.065331][ T5393] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 169.069358][ T5393] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 169.081944][ T5393] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 169.215656][ T3095] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 169.265136][ T3095] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 169.305625][ T3095] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 169.333971][ T6117] chnl_net:caif_netlink_parms(): no params data found
[ 169.363567][ T3095] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 169.470674][ T6117] bridge0: port 1(bridge_slave_0) entered blocking state
[ 169.473631][ T6117] bridge0: port 1(bridge_slave_0) entered disabled state
[ 169.476510][ T6117] bridge_slave_0: entered allmulticast mode
[ 169.484615][ T6117] bridge_slave_0: entered promiscuous mode
[ 169.521251][ T3095] bridge_slave_1: left allmulticast mode
[ 169.523661][ T3095] bridge_slave_1: left promiscuous mode
[ 169.526236][ T3095] bridge0: port 2(bridge_slave_1) entered disabled state
[ 169.548649][ T3095] bridge_slave_0: left allmulticast mode
[ 169.551034][ T3095] bridge_slave_0: left promiscuous mode
[ 169.553569][ T3095] bridge0: port 1(bridge_slave_0) entered disabled state
[ 169.944686][ T3095] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 169.950933][ T3095] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 169.958052][ T3095] bond0 (unregistering): Released all slaves
[ 169.968501][ T6117] bridge0: port 2(bridge_slave_1) entered blocking state
[ 169.971503][ T6117] bridge0: port 2(bridge_slave_1) entered disabled state
[ 169.974607][ T6117] bridge_slave_1: entered allmulticast mode
[ 169.982268][ T6117] bridge_slave_1: entered promiscuous mode
[ 170.064999][ T6117] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 170.090156][ T6117] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 170.201099][ T6117] team0: Port device team_slave_0 added
[ 170.205689][ T6117] team0: Port device team_slave_1 added
[ 170.260836][ T3095] hsr_slave_0: left promiscuous mode
[ 170.263727][ T3095] hsr_slave_1: left promiscuous mode
[ 170.277288][ T3095] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 170.280379][ T3095] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 170.285336][ T3095] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 170.298963][ T3095] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 170.324808][ T3095] veth1_macvtap: left promiscuous mode
[ 170.328880][ T3095] veth0_macvtap: left promiscuous mode
[ 170.332591][ T3095] veth1_vlan: left promiscuous mode
[ 170.335511][ T3095] veth0_vlan: left promiscuous mode
[ 170.672048][ T3095] team0 (unregistering): Port device team_slave_1 removed
[ 170.695875][ T3095] team0 (unregistering): Port device team_slave_0 removed
[ 170.940799][ T6117] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 170.943806][ T6117] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 170.965757][ T6117] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 170.993447][ T6117] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 170.996343][ T6117] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 171.027788][ T6117] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 171.121528][ T5393] Bluetooth: hci0: command tx timeout
[ 171.142826][ T6117] hsr_slave_0: entered promiscuous mode
[ 171.151317][ T6117] hsr_slave_1: entered promiscuous mode
[ 171.680932][ T6117] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 171.702317][ T6117] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 171.719872][ T6117] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 171.727483][ T6117] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 171.876157][ T6117] 8021q: adding VLAN 0 to HW filter on device bond0
[ 171.918932][ T6117] 8021q: adding VLAN 0 to HW filter on device team0
[ 171.930049][ T13] bridge0: port 1(bridge_slave_0) entered blocking state
[ 171.933193][ T13] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 171.948468][ T12] bridge0: port 2(bridge_slave_1) entered blocking state
[ 171.951641][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 172.023059][ T6117] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 172.038589][ T6117] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 172.328532][ T6117] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 172.392869][ T6117] veth0_vlan: entered promiscuous mode
[ 172.417659][ T6117] veth1_vlan: entered promiscuous mode
[ 172.476122][ T6117] veth0_macvtap: entered promiscuous mode
[ 172.483702][ T6117] veth1_macvtap: entered promiscuous mode
[ 172.521164][ T6117] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 172.533485][ T6117] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 172.542593][ T3095] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 172.552805][ T3095] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 172.556517][ T3095] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 172.579775][ T3095] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 172.622873][ T3095] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 172.626161][ T3095] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 172.661328][ T12] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 172.664595][ T12] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
2025/09/10 19:05:47 executed programs: 602
[ 173.197245][ T5393] Bluetooth: hci0: command tx timeout
[ 175.276722][ T5393] Bluetooth: hci0: command tx timeout
[ 177.362720][ T5393] Bluetooth: hci0: command tx timeout
2025/09/10 19:05:52 executed programs: 851
[ 180.161410][ T3095] ==================================================================
[ 180.164848][ T3095] BUG: KASAN: slab-use-after-free in drm_atomic_helper_wait_for_vblanks+0x367/0x980
[ 180.168992][ T3095] Read of size 1 at addr ffff88805660d409 by task kworker/u4:9/3095
[ 180.172990][ T3095]
[ 180.174045][ T3095] CPU: 0 UID: 0 PID: 3095 Comm: kworker/u4:9 Not tainted syzkaller #0 PREEMPT(full)
[ 180.174059][ T3095] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 180.174067][ T3095] Workqueue: events_unbound commit_work
[ 180.174086][ T3095] Call Trace:
[ 180.174093][ T3095]
[ 180.174098][ T3095] dump_stack_lvl+0x189/0x250
[ 180.174112][ T3095] ? __kasan_check_byte+0x12/0x40
[ 180.174125][ T3095] ? __pfx_dump_stack_lvl+0x10/0x10
[ 180.174136][ T3095] ? lock_release+0x4b/0x3e0
[ 180.174152][ T3095] ? __virt_addr_valid+0x4a5/0x5c0
[ 180.174165][ T3095] print_report+0xca/0x240
[ 180.174180][ T3095] ? drm_atomic_helper_wait_for_vblanks+0x367/0x980
[ 180.174192][ T3095] kasan_report+0x118/0x150
[ 180.174203][ T3095] ? preempt_schedule+0xae/0xc0
[ 180.174260][ T3095] ? drm_atomic_helper_wait_for_vblanks+0x367/0x980
[ 180.174274][ T3095] drm_atomic_helper_wait_for_vblanks+0x367/0x980
[ 180.174288][ T3095] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 180.174302][ T3095] ? __pfx_drm_atomic_helper_wait_for_vblanks+0x10/0x10
[ 180.174314][ T3095] ? complete_all+0x11c/0x330
[ 180.174326][ T3095] ? drm_atomic_helper_commit_hw_done+0x3da/0x410
[ 180.174339][ T3095] drm_atomic_helper_commit_tail+0x302/0x520
[ 180.174353][ T3095] commit_tail+0x29a/0x3a0
[ 180.174366][ T3095] ? process_scheduled_works+0x9ef/0x17b0
[ 180.174376][ T3095] process_scheduled_works+0xae1/0x17b0
[ 180.174391][ T3095] ? __pfx_process_scheduled_works+0x10/0x10
[ 180.174403][ T3095] worker_thread+0x8a0/0xda0
[ 180.174414][ T3095] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 180.174429][ T3095] ? __kthread_parkme+0x7b/0x200
[ 180.174441][ T3095] kthread+0x70e/0x8a0
[ 180.174454][ T3095] ? __pfx_worker_thread+0x10/0x10
[ 180.174464][ T3095] ? __pfx_kthread+0x10/0x10
[ 180.174476][ T3095] ? _raw_spin_unlock_irq+0x23/0x50
[ 180.174488][ T3095] ? lockdep_hardirqs_on+0x9c/0x150
[ 180.174502][ T3095] ? __pfx_kthread+0x10/0x10
[ 180.174513][ T3095] ret_from_fork+0x3fc/0x770
[ 180.174524][ T3095] ? __pfx_ret_from_fork+0x10/0x10
[ 180.174536][ T3095] ? __pfx_kthread+0x10/0x10
[ 180.174547][ T3095] ret_from_fork_asm+0x1a/0x30
[ 180.174564][ T3095]
[ 180.174568][ T3095]
[ 180.264517][ T3095] Allocated by task 6545:
[ 180.266364][ T3095] kasan_save_track+0x3e/0x80
[ 180.268244][ T3095] __kasan_kmalloc+0x93/0xb0
[ 180.270064][ T3095] __kmalloc_cache_noprof+0x230/0x3d0
[ 180.272433][ T3095] drm_atomic_helper_crtc_duplicate_state+0x72/0xb0
[ 180.275111][ T3095] drm_atomic_get_crtc_state+0x19a/0x460
[ 180.277561][ T3095] page_flip_common+0x56/0x2a0
[ 180.279656][ T3095] drm_atomic_helper_page_flip+0xa5/0x160
[ 180.282100][ T3095] drm_mode_page_flip_ioctl+0xc6d/0x11d0
[ 180.284550][ T3095] drm_ioctl_kernel+0x2cf/0x390
[ 180.286675][ T3095] drm_ioctl+0x67f/0xb10
[ 180.288497][ T3095] __se_sys_ioctl+0xfc/0x170
[ 180.290428][ T3095] do_syscall_64+0xfa/0x3b0
[ 180.292281][ T3095] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 180.294799][ T3095]
[ 180.295833][ T3095] Freed by task 10:
[ 180.297471][ T3095] kasan_save_track+0x3e/0x80
[ 180.299557][ T3095] kasan_save_free_info+0x46/0x50
[ 180.301782][ T3095] __kasan_slab_free+0x5b/0x80
[ 180.303907][ T3095] kfree+0x18e/0x440
[ 180.305480][ T3095] drm_atomic_state_default_clear+0x41f/0xbe0
[ 180.307793][ T3095] __drm_atomic_state_free+0xaf/0x210
[ 180.309815][ T3095] drm_atomic_helper_dirtyfb+0xe2d/0xee0
[ 180.312012][ T3095] drm_fbdev_shmem_helper_fb_dirty+0x160/0x2f0
[ 180.314538][ T3095] drm_fb_helper_damage_work+0x224/0x710
[ 180.316723][ T3095] process_scheduled_works+0xae1/0x17b0
[ 180.319043][ T3095] worker_thread+0x8a0/0xda0
[ 180.320912][ T3095] kthread+0x70e/0x8a0
[ 180.322484][ T3095] ret_from_fork+0x3fc/0x770
[ 180.324412][ T3095] ret_from_fork_asm+0x1a/0x30
[ 180.326467][ T3095]
[ 180.327532][ T3095] The buggy address belongs to the object at ffff88805660d400
[ 180.327532][ T3095] which belongs to the cache kmalloc-512 of size 512
[ 180.333505][ T3095] The buggy address is located 9 bytes inside of
[ 180.333505][ T3095] freed 512-byte region [ffff88805660d400, ffff88805660d600)
[ 180.339219][ T3095]
[ 180.340263][ T3095] The buggy address belongs to the physical page:
[ 180.343109][ T3095] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5660c
[ 180.346972][ T3095] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 180.350477][ T3095] anon flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
[ 180.354009][ T3095] page_type: f5(slab)
[ 180.355727][ T3095] raw: 04fff00000000040 ffff88801a441c80 0000000000000000 dead000000000001
[ 180.359416][ T3095] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 180.362985][ T3095] head: 04fff00000000040 ffff88801a441c80 0000000000000000 dead000000000001
[ 180.366581][ T3095] head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 180.370115][ T3095] head: 04fff00000000001 ffffea0001598301 00000000ffffffff 00000000ffffffff
[ 180.373760][ T3095] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 180.377252][ T3095] page dumped because: kasan: bad access detected
[ 180.379939][ T3095] page_owner tracks the page as allocated
[ 180.382728][ T3095] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5449, tgid 5449 (syz-executor), ts 151190717606, free_ts 0
[ 180.390800][ T3095] post_alloc_hook+0x240/0x2a0
[ 180.392868][ T3095] get_page_from_freelist+0x21e4/0x22c0
[ 180.395142][ T3095] __alloc_frozen_pages_noprof+0x181/0x370
[ 180.397591][ T3095] alloc_pages_mpol+0x232/0x4a0
[ 180.399697][ T3095] allocate_slab+0x8a/0x370
[ 180.401875][ T3095] ___slab_alloc+0xbeb/0x1420
[ 180.403854][ T3095] __kmalloc_noprof+0x305/0x4f0
[ 180.405968][ T3095] fib6_info_alloc+0x30/0xf0
[ 180.407981][ T3095] ip6_route_info_create+0x142/0x860
[ 180.410284][ T3095] ip6_route_add+0x49/0x1b0
[ 180.412224][ T3095] addrconf_add_dev+0x24f/0x340
[ 180.414339][ T3095] inet6_addr_add+0x1a1/0xc00
[ 180.416309][ T3095] inet6_rtm_newaddr+0x93d/0xd20
[ 180.418718][ T3095] rtnetlink_rcv_msg+0x7cf/0xb70
[ 180.421243][ T3095] netlink_rcv_skb+0x205/0x470
[ 180.423650][ T3095] netlink_unicast+0x82f/0x9e0
[ 180.425770][ T3095] page_owner free stack trace missing
[ 180.428052][ T3095]
[ 180.429010][ T3095] Memory state around the buggy address:
[ 180.431528][ T3095] ffff88805660d300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 180.435080][ T3095] ffff88805660d380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 180.438525][ T3095] >ffff88805660d400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 180.441877][ T3095] ^
[ 180.443791][ T3095] ffff88805660d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 180.447178][ T3095] ffff88805660d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 180.450559][ T3095] ==================================================================
[ 180.485147][ T3095] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 180.488296][ T3095] CPU: 0 UID: 0 PID: 3095 Comm: kworker/u4:9 Not tainted syzkaller #0 PREEMPT(full)
[ 180.492241][ T3095] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 180.496621][ T3095] Workqueue: events_unbound commit_work
[ 180.498821][ T3095] Call Trace:
[ 180.500212][ T3095]
[ 180.501421][ T3095] dump_stack_lvl+0x99/0x250
[ 180.503298][ T3095] ? __asan_memcpy+0x40/0x70
[ 180.505139][ T3095] ? __pfx_dump_stack_lvl+0x10/0x10
[ 180.507377][ T3095] ? __pfx__printk+0x10/0x10
[ 180.509326][ T3095] vpanic+0x281/0x750
[ 180.511088][ T3095] ? preempt_schedule+0xae/0xc0
[ 180.513053][ T3095] ? __pfx_vpanic+0x10/0x10
[ 180.514982][ T3095] ? preempt_schedule_common+0x83/0xd0
[ 180.517319][ T3095] ? preempt_schedule+0xae/0xc0
[ 180.519514][ T3095] ? __pfx_preempt_schedule+0x10/0x10
[ 180.521798][ T3095] panic+0xb9/0xc0
[ 180.523505][ T3095] ? __pfx_panic+0x10/0x10
[ 180.525513][ T3095] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 180.528075][ T3095] ? drm_atomic_helper_wait_for_vblanks+0x367/0x980
[ 180.530862][ T3095] check_panic_on_warn+0x89/0xb0
[ 180.532987][ T3095] ? drm_atomic_helper_wait_for_vblanks+0x367/0x980
[ 180.535780][ T3095] end_report+0x78/0x160
[ 180.537709][ T3095] kasan_report+0x129/0x150
[ 180.539631][ T3095] ? preempt_schedule+0xae/0xc0
[ 180.541732][ T3095] ? drm_atomic_helper_wait_for_vblanks+0x367/0x980
[ 180.544526][ T3095] drm_atomic_helper_wait_for_vblanks+0x367/0x980
[ 180.547208][ T3095] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 180.549934][ T3095] ? __pfx_drm_atomic_helper_wait_for_vblanks+0x10/0x10
[ 180.552923][ T3095] ? complete_all+0x11c/0x330
[ 180.555032][ T3095] ? drm_atomic_helper_commit_hw_done+0x3da/0x410
[ 180.557869][ T3095] drm_atomic_helper_commit_tail+0x302/0x520
[ 180.560508][ T3095] commit_tail+0x29a/0x3a0
[ 180.562470][ T3095] ? process_scheduled_works+0x9ef/0x17b0
[ 180.564974][ T3095] process_scheduled_works+0xae1/0x17b0
[ 180.567411][ T3095] ? __pfx_process_scheduled_works+0x10/0x10
[ 180.570047][ T3095] worker_thread+0x8a0/0xda0
[ 180.572031][ T3095] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 180.574845][ T3095] ? __kthread_parkme+0x7b/0x200
[ 180.576988][ T3095] kthread+0x70e/0x8a0
[ 180.578795][ T3095] ? __pfx_worker_thread+0x10/0x10
[ 180.581082][ T3095] ? __pfx_kthread+0x10/0x10
[ 180.583130][ T3095] ? _raw_spin_unlock_irq+0x23/0x50
[ 180.585436][ T3095] ? lockdep_hardirqs_on+0x9c/0x150
[ 180.587755][ T3095] ? __pfx_kthread+0x10/0x10
[ 180.589805][ T3095] ret_from_fork+0x3fc/0x770
[ 180.591874][ T3095] ? __pfx_ret_from_fork+0x10/0x10
[ 180.594118][ T3095] ? __pfx_kthread+0x10/0x10
[ 180.596149][ T3095] ret_from_fork_asm+0x1a/0x30
[ 180.598280][ T3095]
[ 180.599973][ T3095] Kernel Offset: disabled
[ 180.601901][ T3095] Rebooting in 86400 seconds..
VM DIAGNOSIS:
19:05:55 Registers:
info registers vcpu 0
CPU#0
RAX=1ffffffff33bfd60 RBX=00000000000003fd RCX=0000000000000000 RDX=00000000000003fd
RSI=0000000000000000 RDI=0000000000000020 RBP=ffffffff99dfeab0 RSP=ffffc9000d8d7110
R8 =ffff888033be0237 R9 =1ffff1100677c046 R10=dffffc0000000000 R11=ffffffff8550fcb0
R12=dffffc0000000000 R13=0000000000000000 R14=ffffffff99dfe820 R15=0000000000000000
RIP=ffffffff8550fd27 RFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 ffffffff 00c00000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
DS =0000 0000000000000000 ffffffff 00c00000
FS =0000 0000000000000000 ffffffff 00c00000
GS =0000 ffff88808d20c000 ffffffff 00c00000
LDT=0000 0000000000000000 ffffffff 00c00000
TR =0040 fffffe0000003000 00004087 00008b00 DPL=0 TSS64-busy
GDT= fffffe0000001000 0000007f
IDT= fffffe0000000000 00000fff
CR0=80050033 CR2=0000555592e5c808 CR3=000000000df36000 CR4=00352ef0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80