last executing test programs: 14.029804375s ago: executing program 0 (id=119): move_pages(0x0, 0x20a0, &(0x7f0000000040), &(0x7f0000001180), &(0x7f0000000000), 0x0) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000040), 0x2041, 0x0) ioctl$TCSETAF(r0, 0x5408, 0x0) write$binfmt_aout(r0, &(0x7f00000000c0)=ANY=[], 0xff2e) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000600)={0x11, 0x3, &(0x7f0000000200)=@framed, &(0x7f00000003c0)='GPL\x00'}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000140)='contention_end\x00', r1}, 0x10) ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000dc0)={0x0, 0x0, 0x0, 0x0, 0x10, "0062ba5d8200"}) r2 = syz_open_pts(r0, 0x20800) dup3(r2, r0, 0x0) ioctl$TIOCSTI(r0, 0x5412, &(0x7f0000000000)=0x44) 10.398750639s ago: executing program 0 (id=122): syz_open_procfs(0x0, &(0x7f0000000000)='clear_refs\x00') r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') read$eventfd(r0, 0x0, 0x0) 10.12827075s ago: executing program 0 (id=123): prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) r0 = fcntl$getown(0xffffffffffffffff, 0x9) sched_setscheduler(r0, 0x2, &(0x7f0000000080)=0x8) r1 = getpid() sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeea, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) openat$vnet(0xffffffffffffff9c, &(0x7f0000000100), 0x2, 0x0) r4 = socket$kcm(0x2, 0x1, 0x0) r5 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r5, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x4}, 0x0) sendmsg$inet(r4, &(0x7f0000000fc0)={&(0x7f0000000000)={0x2, 0x4001, @remote}, 0x10, 0x0}, 0x20000811) socket$kcm(0x29, 0x2, 0x0) mount(0x0, &(0x7f0000000180)='./file0\x00', 0x0, 0x1214040, 0x0) 2.159608775s ago: executing program 0 (id=124): r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x2, 0x0) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000200)='./binderfs/binder0\x00', 0x0, 0x0) r2 = dup3(r1, r0, 0x80000) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000640)={0x8, 0x0, &(0x7f0000000000)=[@decrefs={0x400c6314}], 0x0, 0x0, 0x0}) 2.003409201s ago: executing program 0 (id=125): r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x48241, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8914, &(0x7f0000000280)={'syzkaller1\x00', @link_local}) write$tun(r0, 0x0, 0x0) 1.561385759s ago: executing program 0 (id=126): r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000), 0x442, 0x0) getsockopt$inet6_tcp_int(0xffffffffffffffff, 0x6, 0x1e, &(0x7f0000000000), &(0x7f0000000180)=0x4) bpf$PROG_LOAD(0x5, 0x0, 0x0) write$dsp(r0, &(0x7f00000001c0)="5cba91a4", 0xffffffd9) mprotect(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1) ioctl$SNDCTL_DSP_SUBDIVIDE(r0, 0xc0045009, &(0x7f0000000180)=0x6) 819.214298ms ago: executing program 1 (id=130): close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x2) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000180)=@base={0x1b, 0x0, 0x0, 0x8000}, 0x50) r1 = bpf$MAP_CREATE(0x0, &(0x7f00000003c0)=@base={0xb, 0x8, 0xc, 0x80000000, 0x1}, 0x50) r2 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x10, &(0x7f0000000180)=@framed={{0x18, 0x0, 0x0, 0x0, 0x20}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r1}, {}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}, @ringbuf_query={{0x18, 0x1, 0x1, 0x0, r0}}]}, &(0x7f0000000700)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x1a, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = bpf$MAP_CREATE(0x0, &(0x7f00000027c0)=ANY=[@ANYBLOB="04000000040000000400000005"], 0x48) bpf$PROG_BIND_MAP(0x23, &(0x7f00000002c0)={r2, r3}, 0xc) 619.891465ms ago: executing program 1 (id=131): bpf$MAP_CREATE(0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="0a000000010000003f0000004000000042000000", @ANYRES32, @ANYBLOB='\x00'/17, @ANYRES32=0x0, @ANYRES32, @ANYBLOB='\x00\x00\x00\a\x00\x00\x00'], 0x48) 507.61937ms ago: executing program 1 (id=132): r0 = socket(0x10, 0x3, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'lo\x00', 0x0}) sendmsg$nl_route_sched(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000780)={&(0x7f00000001c0)=@newqdisc={0x48, 0x24, 0xd0f, 0x0, 0x0, {0x60, 0x0, 0x0, r2, {0x0, 0x2}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_prio={{0x9}, {0x18, 0x2, {0x8, '\x00\x00\x00\x00\x00\x00\x00\x00\b\b\x00'}}}]}, 0x48}, 0x1, 0x0, 0x0, 0x4000}, 0x0) 389.831895ms ago: executing program 1 (id=133): r0 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) ioctl$IOMMU_IOAS_ALLOC(r0, 0x3b81, &(0x7f00000000c0)={0xc, 0x0, 0x0}) ioctl$IOMMU_IOAS_MAP(r0, 0x3b85, &(0x7f0000000340)={0x28, 0x5, r1, 0x0, &(0x7f0000000300)='V', 0x1, 0x100000001}) ioctl$IOMMU_IOAS_MAP$PAGES(r0, 0x3b85, &(0x7f00000008c0)={0x28, 0x2, r1, 0x0, &(0x7f000039e000/0x1000)=nil, 0x1000, 0x80008}) ioctl$IOMMU_IOAS_MAP(r0, 0x3b85, &(0x7f0000000740)={0x28, 0x4, r1, 0x0, &(0x7f0000000780)='\r', 0x1, 0xd372}) 167.761463ms ago: executing program 1 (id=134): r0 = socket(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000080)={'ip6tnl0\x00', 0x0}) sendmsg$nl_route_sched(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f00000001c0)=@newqdisc={0x38, 0x24, 0x3fe3aa0262d8c583, 0x70bd29, 0x0, {0x0, 0x0, 0x0, r1, {}, {0xffff, 0xffff}, {0x0, 0x10}}, [@qdisc_kind_options=@q_hhf={{0x8}, {0xc, 0x2, [@TCA_HHF_ADMIT_BYTES={0x8, 0x5, 0x22}]}}]}, 0x38}}, 0x0) 0s ago: executing program 1 (id=135): r0 = bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0xe, 0x4, &(0x7f0000000540)=ANY=[@ANYBLOB="b4050000fdff7f006110580000000000c60000000000000095000000000000009f33ef60916e6e713f1eeb0b725ad99b817fd98cd824498949714ffaac8a6f770600dcca55f21f3ca9e822d182054d54d53cd2b6db714e4beb5447000001000000008f2b9000f22425e4097ed62cbc891061017cfa6fa26fa7088c60897d4a6148a1c1e43f00001bde60beac671e8e8fdecb03588aa623fa71f31bf0f871ab5c2ff88afc60027f4e5b5271ed58e835cf0d0000000098b51fe6b1b8d9dbe87dcff414ed000000000000000000000000000000000000000000000000000000b347abe6352a080f8140e5fd10747b6ecdb3540546bf636e3d6e700e5b0500000000000000eb9e1403e6c8f7a187eaf60f3a17f0f046a307a403c19d9829c90bd2114252581567acae715cbe1b57d5cda432c5b910400623d24195405f2e76ccb7b37b41215c184e731fb1"], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xfd90, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @sk_skb, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x366, 0x10, &(0x7f0000000000), 0x1dd}, 0x48) bpf$BPF_LINK_CREATE(0x1c, &(0x7f00000004c0)={r0, 0xffffffffffffffff, 0xb, 0x0, @void}, 0x10) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:51707' (ED25519) to the list of known hosts. syzkaller login: [ 123.576158][ T3312] cgroup: Unknown subsys name 'net' [ 123.753108][ T3312] cgroup: Unknown subsys name 'cpuset' [ 123.792084][ T3312] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 124.466166][ T3312] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 135.902336][ T3317] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 135.934927][ T3317] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 136.344828][ T3319] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 136.383669][ T3319] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 137.905662][ T3317] hsr_slave_0: entered promiscuous mode [ 137.917658][ T3317] hsr_slave_1: entered promiscuous mode [ 138.164257][ T3319] hsr_slave_0: entered promiscuous mode [ 138.175807][ T3319] hsr_slave_1: entered promiscuous mode [ 138.186405][ T3319] debugfs: 'hsr0' already exists in 'hsr' [ 138.187668][ T3319] Cannot create hsr debugfs directory [ 139.522018][ T3317] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 139.592673][ T3317] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 139.636270][ T3317] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 139.719880][ T3317] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 140.017256][ T3319] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 140.047679][ T3319] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 140.087234][ T3319] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 140.134299][ T3319] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 141.585899][ T3317] 8021q: adding VLAN 0 to HW filter on device bond0 [ 141.779615][ T3319] 8021q: adding VLAN 0 to HW filter on device bond0 [ 146.948335][ T3317] veth0_vlan: entered promiscuous mode [ 146.986592][ T3317] veth1_vlan: entered promiscuous mode [ 147.109959][ T3317] veth0_macvtap: entered promiscuous mode [ 147.130735][ T3317] veth1_macvtap: entered promiscuous mode [ 147.385040][ T3319] veth0_vlan: entered promiscuous mode [ 147.479332][ T12] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 147.491540][ T12] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 147.492341][ T12] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 147.493024][ T12] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 147.519280][ T3319] veth1_vlan: entered promiscuous mode [ 147.954932][ T3319] veth0_macvtap: entered promiscuous mode [ 147.979255][ T3319] veth1_macvtap: entered promiscuous mode [ 148.207944][ T1144] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 148.208681][ T1144] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 148.209062][ T1144] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 148.209374][ T1144] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 148.274308][ T3317] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 150.204515][ T3473] iommufd_mock iommufd_mock0: Adding to iommu group 0 [ 151.899338][ T3488] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 153.061536][ T11] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 153.367300][ T11] usb 1-1: New USB device found, idVendor=0bda, idProduct=8153, bcdDevice=e2.3d [ 153.371935][ T11] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 153.376452][ T11] usb 1-1: Product: syz [ 153.378808][ T11] usb 1-1: Manufacturer: syz [ 153.381708][ T11] usb 1-1: SerialNumber: syz [ 153.457734][ T11] r8152-cfgselector 1-1: Unknown version 0x0000 [ 153.462751][ T11] r8152-cfgselector 1-1: config 0 descriptor?? [ 153.707159][ T11] r8152-cfgselector 1-1: Unknown version 0x0000 [ 153.713724][ T11] r8152-cfgselector 1-1: bad CDC descriptors [ 153.741356][ T11] r8152-cfgselector 1-1: USB disconnect, device number 2 [ 154.271400][ T11] usb 1-1: new high-speed USB device number 3 using dummy_hcd [ 154.528166][ T11] usb 1-1: New USB device found, idVendor=0bda, idProduct=8153, bcdDevice=e2.3d [ 154.533285][ T11] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 154.541576][ T11] usb 1-1: Product: syz [ 154.544385][ T11] usb 1-1: Manufacturer: syz [ 154.546944][ T11] usb 1-1: SerialNumber: syz [ 154.607600][ T11] r8152-cfgselector 1-1: Unknown version 0x0000 [ 154.608152][ T11] r8152-cfgselector 1-1: config 0 descriptor?? [ 154.853911][ T11] r8152-cfgselector 1-1: Needed 2 retries to read version [ 154.854309][ T11] r8152-cfgselector 1-1: Unknown version 0x0000 [ 154.855440][ T11] r8152-cfgselector 1-1: bad CDC descriptors [ 155.067742][ T3406] r8152-cfgselector 1-1: USB disconnect, device number 3 [ 156.397150][ T3512] netlink: 'syz.1.14': attribute type 1 has an invalid length. [ 160.471886][ T31] usb 1-1: new full-speed USB device number 4 using dummy_hcd [ 160.724523][ T31] usb 1-1: config 1 has too many interfaces: 66, using maximum allowed: 32 [ 160.725041][ T31] usb 1-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config [ 160.725436][ T31] usb 1-1: config 1 has 1 interface, different from the descriptor's value: 66 [ 160.726507][ T31] usb 1-1: config 1 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 160.758959][ T31] usb 1-1: New USB device found, idVendor=7d25, idProduct=a415, bcdDevice= 0.40 [ 160.759453][ T31] usb 1-1: New USB device strings: Mfr=1, Product=4, SerialNumber=0 [ 160.761632][ T31] usb 1-1: Product: syz [ 160.761755][ T31] usb 1-1: Manufacturer: syz [ 160.801993][ T31] cdc_wdm 1-1:1.0: skipping garbage [ 160.803191][ T31] cdc_wdm 1-1:1.0: skipping garbage [ 160.806934][ T31] cdc_wdm 1-1:1.0: probe with driver cdc_wdm failed with error -22 [ 161.001501][ T11] usb 1-1: USB disconnect, device number 4 [ 165.851241][ T3406] usb 1-1: new high-speed USB device number 5 using dummy_hcd [ 166.185303][ T3406] usb 1-1: New USB device found, idVendor=0424, idProduct=7850, bcdDevice= 0.00 [ 166.185968][ T3406] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 166.186454][ T3406] usb 1-1: Product: syz [ 166.186640][ T3406] usb 1-1: Manufacturer: syz [ 166.186754][ T3406] usb 1-1: SerialNumber: syz [ 167.802513][ T3406] lan78xx 1-1:1.0 (unnamed net_device) (uninitialized): Failed to read register index 0x00000010. ret = -EPIPE [ 168.022138][ T3406] lan78xx 1-1:1.0 (unnamed net_device) (uninitialized): Failed to write register index 0x00001004. ret = -EPROTO [ 168.026587][ T3406] lan78xx 1-1:1.0 (unnamed net_device) (uninitialized): Failed to write register index 0x0000011c. ret = -EPROTO [ 168.027060][ T3406] lan78xx 1-1:1.0 (unnamed net_device) (uninitialized): Registers INIT FAILED.... [ 168.030219][ T3406] lan78xx 1-1:1.0 (unnamed net_device) (uninitialized): Bind routine FAILED [ 168.114453][ T3406] lan78xx 1-1:1.0: probe with driver lan78xx failed with error -71 [ 168.211471][ T3406] usb 1-1: USB disconnect, device number 5 [ 168.776148][ T3544] ªªªªªª: renamed from wg2 (while UP) [ 171.221501][ T3406] usb 1-1: new high-speed USB device number 6 using dummy_hcd [ 171.261641][ T3576] capability: warning: `syz.1.45' uses 32-bit capabilities (legacy support in use) [ 171.484621][ T3406] usb 1-1: New USB device found, idVendor=0af0, idProduct=7a05, bcdDevice=f6.00 [ 171.485200][ T3406] usb 1-1: New USB device strings: Mfr=0, Product=2, SerialNumber=3 [ 171.485411][ T3406] usb 1-1: Product: syz [ 171.485606][ T3406] usb 1-1: SerialNumber: syz [ 171.537551][ T3406] usb 1-1: config 0 descriptor?? [ 171.924467][ T3406] hso 1-1:0.0: Failed to find BULK IN ep [ 172.101150][ T11] usb 1-1: USB disconnect, device number 6 [ 173.583441][ T3600] netlink: 12 bytes leftover after parsing attributes in process `syz.0.57'. [ 174.026235][ T3600] netlink: 8 bytes leftover after parsing attributes in process `syz.0.57'. [ 174.737442][ T3607] syz.0.59 uses obsolete (PF_INET,SOCK_PACKET) [ 176.748754][ T3610] syz.1.56 (3610): drop_caches: 2 [ 176.971215][ T3610] syz.1.56 (3610): drop_caches: 2 [ 179.248281][ T3614] fanotify: failed to encode fid (type=0, len=0, err=-2) [ 180.842356][ T3624] binder: BC_ATTEMPT_ACQUIRE not supported [ 180.845109][ T3624] binder: 3618:3624 ioctl c0306201 20000100 returned -22 [ 192.492961][ T3658] netlink: 'syz.1.71': attribute type 10 has an invalid length. [ 192.494231][ T3658] netlink: 40 bytes leftover after parsing attributes in process `syz.1.71'. [ 192.665855][ T3658] A link change request failed with some changes committed already. Interface netdevsim3 may have been left with an inconsistent configuration, please check. [ 200.353400][ T3680] binder: 3679:3680 tried to acquire reference to desc 0, got 1 instead [ 200.413344][ T3680] binder: 3679:3680 got transaction with invalid parent offset or type [ 200.430114][ T3680] binder: 3680:3679 failed to fixup parent [ 200.437194][ T3680] binder: 3679:3680 transaction async to 3679:0 failed 5/29201/-22, code 0 size 88-24 line 3644 [ 200.464193][ T3406] binder: undelivered TRANSACTION_ERROR: 29201 [ 207.693973][ T3704] syz.1.89 (3704): drop_caches: 1 [ 207.755575][ T3704] syz.1.89 (3704): drop_caches: 1 [ 214.036563][ T3730] mmap: syz.1.100 (3730) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst. [ 219.401347][ T3419] usb 1-1: new high-speed USB device number 7 using dummy_hcd [ 219.505447][ T3772] pimreg: entered allmulticast mode [ 219.514941][ T3772] pimreg: left allmulticast mode [ 219.572512][ T3419] usb 1-1: Using ep0 maxpacket: 32 [ 219.617088][ T3419] usb 1-1: New USB device found, idVendor=0c72, idProduct=000d, bcdDevice=27.9b [ 219.617613][ T3419] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 219.617828][ T3419] usb 1-1: Product: syz [ 219.618011][ T3419] usb 1-1: Manufacturer: syz [ 219.618178][ T3419] usb 1-1: SerialNumber: syz [ 219.682782][ T3419] usb 1-1: config 0 descriptor?? [ 219.888011][ T3774] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 219.899265][ T3774] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 221.025753][ T3419] peak_usb 1-1:0.0 can0: unable to request usb[type=2 value=5] err=-71 [ 221.186756][ T3419] peak_usb 1-1:0.0: probe with driver peak_usb failed with error -71 [ 221.324565][ T3419] usb 1-1: USB disconnect, device number 7 [ 235.403913][ T3803] binder: 3802:3803 BC_CLEAR_FREEZE_NOTIFICATION invalid ref 0 [ 235.409903][ T3803] binder: 3802:3803 ioctl c0306201 20000640 returned -22 [ 236.219676][ T3813] binder: 3811:3813 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 236.578791][ T3815] Zero length message leads to an empty skb [ 237.568919][ T3829] ================================================================== [ 237.572562][ T3829] BUG: KASAN: invalid-access in __memcpy+0xc/0x54 [ 237.574725][ T3829] Write at addr f5ff8000833b51b7 by task syz.1.135/3829 [ 237.575323][ T3829] Pointer tag: [f5], memory tag: [fe] [ 237.575467][ T3829] [ 237.576326][ T3829] CPU: 1 UID: 0 PID: 3829 Comm: syz.1.135 Not tainted syzkaller #0 PREEMPT [ 237.576906][ T3829] Hardware name: linux,dummy-virt (DT) [ 237.577291][ T3829] Call trace: [ 237.577693][ T3829] show_stack+0x18/0x24 (C) [ 237.578190][ T3829] dump_stack_lvl+0x78/0x90 [ 237.578473][ T3829] print_report+0x108/0x61c [ 237.578697][ T3829] kasan_report+0x88/0xac [ 237.578909][ T3829] __do_kernel_fault+0x170/0x1c8 [ 237.579151][ T3829] do_bad_area+0x68/0x78 [ 237.579371][ T3829] do_tag_check_fault+0x34/0x44 [ 237.579631][ T3829] do_mem_abort+0x44/0x94 [ 237.579843][ T3829] el1_abort+0x44/0x68 [ 237.580072][ T3829] el1h_64_sync_handler+0x50/0xac [ 237.580289][ T3829] el1h_64_sync+0x6c/0x70 [ 237.580679][ T3829] __memcpy+0xc/0x54 (P) [ 237.580912][ T3829] convert_ctx_accesses+0x694/0xb28 [ 237.581133][ T3829] bpf_check+0x1338/0x2a24 [ 237.581349][ T3829] bpf_prog_load+0x63c/0xcd4 [ 237.581551][ T3829] __sys_bpf+0x2e0/0x1a88 [ 237.581757][ T3829] __arm64_sys_bpf+0x24/0x34 [ 237.581960][ T3829] invoke_syscall+0x48/0x110 [ 237.582145][ T3829] el0_svc_common.constprop.0+0x40/0xe0 [ 237.582345][ T3829] do_el0_svc+0x1c/0x28 [ 237.582545][ T3829] el0_svc+0x34/0x10c [ 237.582730][ T3829] el0t_64_sync_handler+0xa0/0xe4 [ 237.582922][ T3829] el0t_64_sync+0x1a4/0x1a8 [ 237.583335][ T3829] [ 237.583631][ T3829] The buggy address belongs to a 1-page vmalloc region starting at 0xf5ff8000833b5000 allocated at bpf_check+0x8c/0x2a24 [ 237.585199][ T3829] The buggy address belongs to the physical page: [ 237.585622][ T3829] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xf0f0000000000000 pfn:0x461a9 [ 237.586111][ T3829] flags: 0x1ffe80000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0xa) [ 237.587191][ T3829] raw: 01ffe80000000000 0000000000000000 dead000000000122 0000000000000000 [ 237.587417][ T3829] raw: f0f0000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 237.587627][ T3829] page dumped because: kasan: bad access detected [ 237.587774][ T3829] [ 237.587869][ T3829] Memory state around the buggy address: [ 237.588439][ T3829] Unable to handle kernel paging request at virtual address ffff8000833b4f00 [ 237.588604][ T3829] Mem abort info: [ 237.588691][ T3829] ESR = 0x0000000096000007 [ 237.588827][ T3829] EC = 0x25: DABT (current EL), IL = 32 bits [ 237.588981][ T3829] SET = 0, FnV = 0 [ 237.589106][ T3829] EA = 0, S1PTW = 0 [ 237.589234][ T3829] FSC = 0x07: level 3 translation fault [ 237.589371][ T3829] Data abort info: [ 237.589469][ T3829] ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 [ 237.589585][ T3829] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 237.589742][ T3829] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 237.589974][ T3829] swapper pgtable: 4k pages, 52-bit VAs, pgdp=0000000042981000 SYZFAIL: failed to recv rpc [ 237.590146][ T3829] [ffff8000833b4f00] pgd=1000000042ed3003, p4d=1000000042ed4003, pud=1000000042ed5003, pmd=100000004416b403, pte=0000000000000000 [ 237.592219][ T3829] Internal error: Oops: 0000000096000007 [#1] SMP [ 237.629200][ T3829] Modules linked in: [ 237.630545][ T3829] CPU: 1 UID: 0 PID: 3829 Comm: syz.1.135 Not tainted syzkaller #0 PREEMPT [ 237.631980][ T3829] Hardware name: linux,dummy-virt (DT) [ 237.632920][ T3829] pstate: 624020c9 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--) [ 237.633762][ T3829] pc : kasan_metadata_fetch_row+0xc/0x28 [ 237.635284][ T3829] lr : print_report+0x29c/0x61c [ 237.635930][ T3829] sp : ffff800089e535e0 [ 237.636495][ T3829] x29: ffff800089e535e0 x28: f5f000000a583840 x27: f9ff8000833ad060 [ 237.637868][ T3829] x26: 0000000000000058 x25: ffff800082448a80 x24: ffff800082448a88 [ 237.639136][ T3829] x23: ffff8000833b51b7 x22: ffff800082419508 x21: ffff8000833b5000 [ 237.640591][ T3829] x20: 00000000fffffffe x19: ffff8000833b4f00 x18: 0000000000000010 [ 237.641940][ T3829] x17: 0000000000000000 x16: 0000000000000000 x15: ffff800089e53460 [ 237.643084][ T3829] x14: ffff800089e5365c x13: ffff800089e53649 x12: ffff8000829ff3c0 [ 237.644204][ T3829] x11: 0000000000000001 x10: 0000000000000001 x9 : 000000000002ffe8 [ 237.645493][ T3829] x8 : f5f000000a583840 x7 : 0000000000000010 x6 : ffff800081c70640 [ 237.646718][ T3829] x5 : 0000000000000030 x4 : 0000000000000002 x3 : ffff8000833b5000 [ 237.648169][ T3829] x2 : ffff8000833b4f00 x1 : ffff8000833b4f10 x0 : ffff800089e53638 [ 237.649820][ T3829] Call trace: fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 237.650674][ T3829] kasan_metadata_fetch_row+0xc/0x28 (P) [ 237.652148][ T3829] kasan_report+0x88/0xac [ 237.652856][ T3829] __do_kernel_fault+0x170/0x1c8 [ 237.653585][ T3829] do_bad_area+0x68/0x78 [ 237.654249][ T3829] do_tag_check_fault+0x34/0x44 [ 237.654965][ T3829] do_mem_abort+0x44/0x94 [ 237.655676][ T3829] el1_abort+0x44/0x68 [ 237.656461][ T3829] el1h_64_sync_handler+0x50/0xac [ 237.657269][ T3829] el1h_64_sync+0x6c/0x70 [ 237.658339][ T3829] __memcpy+0xc/0x54 (P) [ 237.659182][ T3829] convert_ctx_accesses+0x694/0xb28 [ 237.659935][ T3829] bpf_check+0x1338/0x2a24 [ 237.660865][ T3829] bpf_prog_load+0x63c/0xcd4 [ 237.661584][ T3829] __sys_bpf+0x2e0/0x1a88 [ 237.662269][ T3829] __arm64_sys_bpf+0x24/0x34 [ 237.662938][ T3829] invoke_syscall+0x48/0x110 [ 237.663679][ T3829] el0_svc_common.constprop.0+0x40/0xe0 [ 237.664443][ T3829] do_el0_svc+0x1c/0x28 [ 237.665119][ T3829] el0_svc+0x34/0x10c [ 237.665819][ T3829] el0t_64_sync_handler+0xa0/0xe4 [ 237.666600][ T3829] el0t_64_sync+0x1a4/0x1a8 [ 237.667819][ T3829] Code: d65f03c0 91040023 aa0103e2 91004021 (d9600042) [ 237.669446][ T3829] ---[ end trace 0000000000000000 ]--- [ 237.670847][ T3829] Kernel panic - not syncing: Oops: Fatal exception [ 237.671988][ T3829] SMP: stopping secondary CPUs [ 237.673370][ T3829] Kernel Offset: disabled [ 237.673981][ T3829] CPU features: 0x000000,0000d198,2fbe33e0,557ffebf [ 237.675065][ T3829] Memory Limit: none [ 237.676308][ T3829] Rebooting in 86400 seconds.. VM DIAGNOSIS: 13:18:18 Registers: info registers vcpu 0 CPU#0 PC=ffff8000808b187c X00=0000000000000001 X01=ffff80008310d004 X02=fbf0000005b97240 X03=0000000000000004 X04=0000000000000001 X05=0000000000000004 X06=fcf0000005b38000 X07=fbf0000005b96000 X08=0000000000000128 X09=0000000000000010 X10=fbf0000005a6f200 X11=f5f000000521f828 X12=0000000000000005 X13=0000000000000001 X14=f1f0000006386a00 X15=ffff800081b63e30 X16=ffff800082ce8000 X17=fff07ffffcfd3000 X18=0000000000000000 X19=f0f0000003bbf100 X20=0000000000000000 X21=f5f000000521f800 X22=f9f000000310ac00 X23=f5f000000521f800 X24=f5f000000521f808 X25=0000000000000000 X26=0000000000000040 X27=000000000000000c X28=f8f0000006168500 X29=ffff800082ceb2c0 X30=ffff8000808a8398 SP=ffff800082ceb2c0 PSTATE=00402009 ---- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000 P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000 P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000 P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000 FFR=0000000000000000 Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:000065676e616863:00746e657665752f Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffff000000000000:ff00000000000000 Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ff000000f0000000 Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:3303330333033303:3303330333033303 Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:bcbcbcc0c00000fc:bcbcbcc0c00000fc Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000073:0000aaab0fc69c90 Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000074:0000aaab0fc66f70 Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffe0b83570:0000ffffe0b83570 Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffe0b83540 Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff8000808ff5f0 X00=0000000000000002 X01=0000000000000018 X02=ffff800082d15018 X03=ffff800082abef10 X04=f3f00000032db880 X05=0000000000000072 X06=0000000000000029 X07=0000000000000000 X08=7f7f7f7f7f7f7f7f X09=ffff800082abef40 X10=0000000000000001 X11=ffff800089e53090 X12=ffff8000829ff3c0 X13=ffff800089e52e5d X14=ffff800089e52e68 X15=ffff800089e52cd0 X16=0000000000000000 X17=0000000000000000 X18=00000000ffffffff X19=f2f0000003043035 X20=ffff8000808ff794 X21=f3f00000032db880 X22=f2f000000304303c X23=0000000000000000 X24=0000000000000000 X25=ffff8000829211f0 X26=00000000000000c0 X27=ffff80008267c000 X28=ffffffffffffffff X29=ffff800089e52f80 X30=ffff8000808ff7bc SP=ffff800089e52f80 PSTATE=804020c9 N--- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000 P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000 P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000 P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000 FFR=0000000000000000 Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:2525252525252525:2525252525252525 Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:000000756c6c2570:6f6f6c2f7665642f Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:000000f0000000f0 Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff000000ff00:0000000000000000 Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:fff000f000000000 Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:bb448243222c92da:e3914ed4e87380b0 Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:6edc4d3a2914b135:d8e9c869e2695c88 Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:b20fae707afde253:388e9c6c4fa85ca0 Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffc7bb5ec0:0000ffffc7bb5ec0 Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffc7bb5e90 Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000