bond0 (unregistering): (slave wlan1): Releasing backup interface ================================================================== BUG: KASAN: slab-out-of-bounds in ieee80211_add_virtual_monitor+0xa24/0xe1c net/mac80211/iface.c:1255 Read of size 1 at addr ffff0000f7cbfd90 by task kworker/u8:18/4889 CPU: 1 UID: 0 PID: 4889 Comm: kworker/u8:18 Not tainted syzkaller #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025 Workqueue: netns cleanup_net Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C) __dump_stack+0x30/0x40 lib/dump_stack.c:94 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 print_address_description+0xa8/0x238 mm/kasan/report.c:378 print_report+0x68/0x84 mm/kasan/report.c:482 kasan_report+0xb0/0x110 mm/kasan/report.c:595 __asan_report_load1_noabort+0x20/0x2c mm/kasan/report_generic.c:378 ieee80211_add_virtual_monitor+0xa24/0xe1c net/mac80211/iface.c:1255 ieee80211_do_stop+0x13a4/0x1a84 net/mac80211/iface.c:746 ieee80211_stop+0x1ac/0x220 net/mac80211/iface.c:828 __dev_close_many+0x3a8/0x704 net/core/dev.c:1756 netif_close_many+0x1e8/0x448 net/core/dev.c:1781 netif_close+0x148/0x1f8 net/core/dev.c:1798 dev_close+0xf8/0x1e4 net/core/dev_api.c:220 __bond_release_one+0x98c/0xe00 drivers/net/bonding/bond_main.c:2472 bond_uninit+0x264/0x3c4 drivers/net/bonding/bond_main.c:5954 unregister_netdevice_many_notify+0x1914/0x2110 net/core/dev.c:12402 unregister_netdevice_many+0x28/0x38 net/core/dev.c:12444 ops_exit_rtnl_list net/core/net_namespace.c:187 [inline] ops_undo_list+0x32c/0x7ec net/core/net_namespace.c:248 cleanup_net+0x3fc/0x638 net/core/net_namespace.c:696 process_one_work+0x7c0/0x1558 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x958/0xed8 kernel/workqueue.c:3421 kthread+0x5fc/0x75c kernel/kthread.c:463 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff0000f7cbfc00 pfn:0x137cbc head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff0000d4cbd082 flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff) page_type: f8(unknown) raw: 05ffc00000000040 0000000000000000 dead000000000122 0000000000000000 raw: ffff0000f7cbfc00 0000000000000000 00000000f8000000 ffff0000d4cbd082 head: 05ffc00000000040 0000000000000000 dead000000000122 0000000000000000 head: ffff0000f7cbfc00 0000000000000000 00000000f8000000 ffff0000d4cbd082 head: 05ffc00000000002 fffffdffc3df2f01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000f7cbfc80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe ffff0000f7cbfd00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe >ffff0000f7cbfd80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe ^ ffff0000f7cbfe00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe ffff0000f7cbfe80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe ================================================================== bond0 (unregistering): Released all slaves bond1 (unregistering): Released all slaves tipc: Disabling bearer tipc: Left network mode hsr_slave_0: left promiscuous mode hsr_slave_1: left promiscuous mode veth1_macvtap: left promiscuous mode veth0_macvtap: left promiscuous mode veth1_vlan: left promiscuous mode veth0_vlan: left promiscuous mode IPVS: stop unused estimator thread 0...