last executing test programs: 29.059829005s ago: executing program 4 (id=133): capset(0x0, &(0x7f0000000080)={0x6, 0x6, 0x2, 0x87, 0xffffffff, 0x40}) setsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x27, &(0x7f0000000180)={@multicast2, @loopback}, 0xc) r0 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000040)={'lo\x00'}) capset(&(0x7f00000001c0)={0x20080522}, 0x0) r1 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000003c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0) sendmsg$NFT_BATCH(r1, &(0x7f0000000180)={0x0, 0x3b, &(0x7f0000000080)={&(0x7f0000000100)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a58000000160a03020002000000000000020000000900020073797a30000000000900010073797a30000000002c00038008000140000000000800024000000000180003801400010073797a5f74756e00000000000000000014000000110001"], 0x80}}, 0x0) bind$rxrpc(0xffffffffffffffff, 0x0, 0x0) r2 = socket$kcm(0x10, 0x2, 0x0) sendmsg$kcm(r2, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000980)=[{&(0x7f0000000040)="2e00000011008188040580ec59acbc0413a1f8480b0000005e140602000000000e0027001000000002800000121f", 0x2e}], 0x1}, 0x0) setsockopt$inet_msfilter(0xffffffffffffffff, 0x0, 0x29, &(0x7f0000000080)=ANY=[@ANYBLOB], 0x18) 26.796498023s ago: executing program 4 (id=139): syz_usb_connect$hid(0x5, 0x0, 0x0, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r0, &(0x7f0000000300)=@abs, 0x6e) sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) r2 = socket$inet_udp(0x2, 0x2, 0x0) socket$key(0xf, 0x3, 0x2) bind$inet(r2, &(0x7f00000001c0)={0x2, 0x0, @local}, 0x16) connect$inet(r2, &(0x7f0000000480)={0x2, 0x0, @multicast2}, 0x10) setsockopt$inet_IP_XFRM_POLICY(r2, 0x0, 0x11, &(0x7f00000002c0)={{{@in6=@dev={0xfe, 0x80, '\x00', 0x4}, @in6=@empty, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0xee01}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffa}, {}, 0x0, 0x0, 0x1}, {{@in6=@dev, 0x0, 0x32}, 0x0, @in=@private=0xa010100, 0x0, 0x0, 0x0, 0xb7, 0x2, 0xfffffffe}}, 0xe8) sendmmsg(r2, &(0x7f0000007fc0), 0x800001d, 0x1c) 16.500475985s ago: executing program 0 (id=155): prlimit64(0x0, 0xe, &(0x7f0000000140)={0x7, 0x100}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) socketpair$tipc(0x1e, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) recvmsg(r3, &(0x7f0000000500)={&(0x7f0000000040)=@hci, 0x80, &(0x7f0000000100)=[{&(0x7f0000000400)=""/248, 0x200105d0}], 0x1}, 0x1f00) sendmsg$tipc(r4, &(0x7f0000000240)={0x0, 0xfffffff5, &(0x7f0000000200)=[{&(0x7f0000000140)="a2", 0xfffffdef}], 0x1}, 0x0) 15.181377901s ago: executing program 0 (id=158): bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000000)='sched_switch\x00', 0xffffffffffffffff, 0x0, 0xffffffffffffffff}, 0x18) prlimit64(0x0, 0xe, &(0x7f0000000140)={0xa, 0x88}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f0000000340)=@abs={0x0, 0x0, 0x4e24}, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) r3 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r3, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000000240)={&(0x7f00000007c0)=@newsa={0x140, 0x10, 0x1, 0x8000000, 0x0, {{@in=@initdev={0xac, 0x1e, 0x0, 0x0}, @in6=@empty, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20}, {@in=@broadcast, 0x0, 0x33}, @in=@local, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff}, {0x5680000000}, {0x10, 0x9, 0x2}, 0x0, 0x0, 0x2, 0x1}, [@algo_auth={0x48, 0x1, {{'sha256\x00'}}}, @XFRMA_SET_MARK={0x8, 0x1d, 0xfffffffe}]}, 0x140}}, 0x0) 13.720588628s ago: executing program 0 (id=159): mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2000009, 0x32, 0xffffffffffffffff, 0x6b86c000) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={0x0}, 0x18) r0 = socket$inet_udp(0x2, 0x2, 0x0) recvmmsg(r0, &(0x7f0000000c00)=[{{0x0, 0x0, &(0x7f0000000680)=[{&(0x7f0000001d40)=""/4096, 0x1000}], 0x1}, 0x1}], 0x1, 0x12, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4e20, @empty}, 0x10) pipe(&(0x7f0000000d00)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) r4 = socket$inet_udp(0x2, 0x2, 0x0) bind$inet(r3, &(0x7f0000000140)={0x2, 0x0, @local}, 0x10) sendmmsg$inet(r4, &(0x7f0000000500)=[{{&(0x7f0000000080)={0x2, 0x4e20, @multicast1}, 0x10, 0x0, 0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB='p'], 0x70}}], 0x1, 0x2000c044) write$binfmt_misc(r2, &(0x7f0000000000), 0xfffffecc) splice(r1, 0x0, r3, 0x0, 0x7151, 0x0) 13.675314673s ago: executing program 2 (id=160): bpf$PROG_LOAD(0x5, &(0x7f0000000680)={0x11, 0xc, &(0x7f0000000480)=ANY=[], &(0x7f0000001480)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, @fallback=0x2b, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={0x0}}, 0x0) r0 = socket$kcm(0x21, 0x2, 0x2) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) bind$bt_hci(r1, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6) write(0xffffffffffffffff, 0x0, 0x0) write(r1, &(0x7f0000000000)="0a000000010001", 0x7) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000140)={0x9, 0x0, 0x0, &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0xd}, 0x94) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000040)={'wlan1\x00'}) r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) bpf$PROG_LOAD(0x5, &(0x7f0000001440)={0x1e, 0x3, &(0x7f0000000140)=ANY=[@ANYBLOB="85000000c4000000040000000000000095"], &(0x7f0000000000)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sk_lookup=0x24, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xd1}, 0x94) ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) 13.407568847s ago: executing program 4 (id=161): prlimit64(0x0, 0xe, &(0x7f0000000140)={0xa, 0x8c}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r0 = getpid() sched_setscheduler(r0, 0x1, &(0x7f0000000300)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) r3 = socket$kcm(0x2, 0x1, 0x0) r4 = socket$kcm(0x29, 0x2, 0x0) ioctl$sock_kcm_SIOCKCMUNATTACH(r4, 0x89e1, &(0x7f0000000340)={r3}) 12.871795386s ago: executing program 2 (id=162): preadv(0xffffffffffffffff, &(0x7f00000000c0)=[{&(0x7f0000000200)=""/4111, 0x100f}], 0x1, 0x142, 0x0) rt_sigaction(0x3, 0x0, &(0x7f0000000280)={&(0x7f0000000180)="f3400f1a33c48111565c6d71c401a1fa2c3500000000c4420d918c0500008000460f18def30faed926660ffdb101000000c4627d25920010000265f30f5c9aa400000005682e0000", 0x0, 0x0}, 0x0, 0x0) vmsplice(0xffffffffffffffff, &(0x7f0000000140)=[{&(0x7f0000000100)}], 0x1, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x28100, 0x0) setsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000000)={@multicast1, @local}, 0xc) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000040)={0x0, 0x44}}, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000180)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_NMI(r2, 0xae9a) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000440)={[0x0, 0x100000000, 0x0, 0x4000081, 0x100000, 0x0, 0x2004c8, 0x8000000, 0x0, 0x0, 0x7, 0x0, 0x5, 0x0, 0x2, 0xffffffffffffffff], 0x0, 0x200}) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 11.960294893s ago: executing program 4 (id=163): sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x3) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) r0 = syz_open_dev$MSR(&(0x7f00000001c0), 0x8000002000000, 0x0) read$msr(r0, &(0x7f0000019680)=""/102392, 0x18ff8) close(0xffffffffffffffff) socket(0x10, 0x3, 0x0) pipe(&(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) vmsplice(r2, &(0x7f0000001c00)=[{&(0x7f0000002000)="f8", 0x1}], 0x1, 0x9) close(r2) r3 = socket(0x1d, 0x2, 0x6) ioctl$ifreq_SIOCGIFINDEX_vcan(r3, 0x8933, &(0x7f0000000000)={'vcan0\x00', 0x0}) bind$can_j1939(r3, &(0x7f0000000040)={0x1d, r4, 0x8000000000000003, {}, 0x1}, 0x18) splice(r1, 0x0, r2, 0x0, 0x10500, 0x0) 11.755316994s ago: executing program 0 (id=164): openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x8) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80202, 0x0) r1 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102) writev(r1, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2) syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) openat$procfs(0xffffffffffffff9c, &(0x7f0000001140)='/proc/zoneinfo\x00', 0x0, 0x0) pselect6(0x40, &(0x7f00000001c0)={0x0, 0x0, 0x100000000, 0xfffffffffffffffd, 0x0, 0x0, 0x1000001000, 0x49}, 0x0, &(0x7f00000002c0)={0x3ff, 0x7, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0) close_range(r0, 0xffffffffffffffff, 0x0) 11.560506312s ago: executing program 3 (id=165): prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x4) clock_nanosleep(0xfffffff2, 0x1, 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r2, 0x0, 0x0, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r3 = socket$inet_sctp(0x2, 0x1, 0x84) setsockopt$IP_VS_SO_SET_ADD(r3, 0x0, 0x482, &(0x7f0000000040)={0x84, @initdev={0xac, 0x1e, 0x1, 0x0}, 0x4e23, 0x3, 'dh\x00', 0x1, 0x7, 0x49}, 0x2c) setsockopt$IP_VS_SO_SET_FLUSH(r3, 0x0, 0x485, 0x0, 0x0) 11.207180506s ago: executing program 1 (id=166): prlimit64(0x0, 0xe, &(0x7f0000000040)={0x8, 0x20000008b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r0 = getpid() sched_setscheduler(r0, 0x1, &(0x7f0000000200)=0x7) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000340)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f0000000180)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x4) r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x18, 0xb, &(0x7f0000000380)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020000000000000000000007b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000000600000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, 0x2}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000300)='rcu_utilization\x00', r3}, 0x10) r4 = socket$key(0xf, 0x3, 0x2) sendmsg$key(r4, &(0x7f0000000040)={0x3, 0x0, &(0x7f0000000340)={&(0x7f0000000280)={0x2, 0x3, 0x0, 0x9, 0xa, 0x0, 0x700, 0x0, [@sadb_address={0x3, 0x5, 0x0, 0x0, 0x0, @in={0x2, 0x4e23, @empty}}, @sadb_address={0x3, 0x6, 0xb8, 0x0, 0x0, @in={0x2, 0x3, @private}}, @sadb_sa={0x2, 0x1, 0x0, 0x0, 0x0, 0x3, 0x2, 0x20000001}]}, 0x50}, 0x1, 0x7}, 0x0) 10.062016784s ago: executing program 3 (id=167): r0 = syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r1 = getpid() sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000019240)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) bind$802154_dgram(r0, 0x0, 0x0) connect$802154_dgram(r0, 0x0, 0x0) 9.966507952s ago: executing program 1 (id=168): prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x7) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbee2, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) socket$nl_rdma(0x10, 0x3, 0x14) r3 = fsopen(&(0x7f0000000000)='cifs\x00', 0x0) fsconfig$FSCONFIG_SET_STRING(r3, 0x1, &(0x7f0000000080)='source', &(0x7f00000019c0)='//\xf2/\x06\b///o/\xea\x95\x9a/\x00bb\x8a\x80\x91\xdf\\/\\\xf9\rmD\x94)U\xdb\x15X.I\n}\xf3\x9d\xe4_\x05\x9cqf4I^#b?9\xde\xafu\'\x83L\xe0\x97\xe1n_\xa4%\xb1\x97\x93\xafv\xce/\\\xb4L\xf2_\xa7\xfb\xf4\x84\x1fA\xeas^\xef\xa2\x85\xa3!\xfb\x93\xd7R\xab2\x1eW\xe9h\x9b\xf7ul\xf9D\xd4\x82X5\x13\xaa\x87\xf9\xba\xa9m\x14\x14R_\x9a\\>4\xce\x8e_#\xf8D\xb1\xdep\x01\xcc:\xa6h\xd1\x1d\xac\xaa\xfb\xc7Y\xcd\xc5n\xeb\xab\xf70\x99\xef\x8b0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) kexec_load(0x0, 0x1, &(0x7f00000002c0)=[{0x0, 0x0, 0xff600000, 0x1000000}], 0x0) syz_usb_connect(0x3, 0x36, 0x0, 0x0) 9.902610033s ago: executing program 0 (id=170): prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x100008b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r0 = getpid() sched_setscheduler(r0, 0x1, &(0x7f0000000100)=0x5) setsockopt$inet6_tcp_TCP_MD5SIG(0xffffffffffffffff, 0x6, 0xe, 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sendmsg$alg(0xffffffffffffffff, &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0, &(0x7f0000000340)=[@assoc={0x18, 0x117, 0x4, 0x8}], 0x18}, 0x0) r3 = io_uring_setup(0x20, &(0x7f00000000c0)={0x0, 0x0, 0x3000, 0x80000000, 0xfefffffd}) io_uring_register$IORING_REGISTER_RESIZE_RINGS(r3, 0x21, &(0x7f0000000340)={0x0, 0xebb9, 0x8, 0x3, 0xd5}, 0x1) 8.625585225s ago: executing program 4 (id=171): r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000140)={'pim6reg1\x00', 0x1}) write$uinput_user_dev(0xffffffffffffffff, 0x0, 0x0) socketpair$nbd(0x1, 0x1, 0x0, 0x0) ioctl$TUNSETLINK(r0, 0x400454cd, 0x118) r1 = socket$can_bcm(0x1d, 0x2, 0x2) ioctl$ifreq_SIOCGIFINDEX_vcan(0xffffffffffffffff, 0x8933, 0x0) connect$can_bcm(r1, 0x0, 0x0) r2 = socket$can_bcm(0x1d, 0x2, 0x2) connect$can_bcm(r2, &(0x7f0000000180), 0x10) sendmsg$can_bcm(r2, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000000c0)=ANY=[@ANYBLOB="05000000d8000001118006b05c"], 0x48}, 0x1, 0x0, 0x0, 0x50}, 0x0) sendmsg$can_bcm(r2, &(0x7f0000000400)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000240)=ANY=[@ANYBLOB="050000000208"], 0x80}}, 0x800) close(0x3) 8.625316428s ago: executing program 3 (id=172): r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x4) sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) r1 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8) ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x1) socket$tipc(0x1e, 0x2, 0x0) bpf$ITER_CREATE(0x21, &(0x7f0000000440), 0x8) quotactl$Q_QUOTAON(0xffffffff80000201, 0x0, 0x0, 0x0) ioctl$IOMMU_IOAS_ALLOC(0xffffffffffffffff, 0x3b81, 0x0) syz_init_net_socket$ax25(0x3, 0x2, 0x0) 7.629565772s ago: executing program 1 (id=173): bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000480)={0xffffffffffffffff, 0x0, 0x25, 0x2, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x7fff, 0x0, 0x1}}, 0x40) r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0) ioctl$VHOST_SET_VRING_BASE(r0, 0xaf01, 0x0) r1 = eventfd(0xfffffff9) ioctl$VHOST_SET_LOG_FD(r0, 0x4004af07, &(0x7f0000000240)=r1) ioctl$VHOST_SET_VRING_KICK(r0, 0x4008af20, &(0x7f0000000040)={0x1, r1}) ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000140)={0x0, 0x0, 0x0, &(0x7f0000000500)=""/56, 0x0}) ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x1, 0x1, &(0x7f0000000380)=""/231, &(0x7f00000000c0)=""/87, &(0x7f0000000480)=""/70, 0x100000}) ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000680)={0x1, 0x0, [{0x0, 0x73, &(0x7f00000001c0)=""/115}]}) ioctl$VHOST_SET_VRING_ERR(r0, 0x4008af22, &(0x7f00000002c0)={0x1, r1}) ioctl$VHOST_VSOCK_SET_RUNNING(r0, 0x4004af61, &(0x7f0000000000)=0x1) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x800000f}, 0x94) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000006040)={0x0, 0x0, &(0x7f0000000440)={&(0x7f00000001c0)=@newtfilter={0x24, 0x2c, 0xd27, 0x70bd27, 0x25dfdbfd, {0x0, 0x0, 0x0, 0x0, {0xfff3, 0x7}, {}, {0x2, 0x1}}}, 0x24}, 0x1, 0x0, 0x0, 0x80}, 0x40010) 5.058239033s ago: executing program 0 (id=174): mmap$IORING_OFF_SQ_RING(&(0x7f000040d000/0x4000)=nil, 0x4000, 0xd, 0x11, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0) pivot_root(&(0x7f00000001c0)='./file0\x00', &(0x7f0000000400)='./file0\x00') recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x0, 0xfffffe0000000001, 0xfa11, 0xffffffff}, 0x0) r2 = syz_open_dev$dri(&(0x7f0000000000), 0x1ff, 0x0) socket(0x10, 0x3, 0x0) ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064b2, &(0x7f0000000200)={0x8000, 0x101, 0x4}) r3 = syz_open_dev$dri(&(0x7f00000000c0), 0x1ff, 0x0) ioctl$DRM_IOCTL_MODE_GETRESOURCES(r3, 0xc04064a0, &(0x7f0000000040)={0x0, &(0x7f00000002c0)=[0x0], 0x0, 0x0, 0xfffffd52, 0x1}) ioctl$DRM_IOCTL_MODE_CURSOR(r2, 0xc01c64a3, &(0x7f0000000280)={0x3, r4, 0x1, 0xffff, 0xa, 0x1ff, 0x1}) 5.044339209s ago: executing program 2 (id=175): io_setup(0x6, &(0x7f0000000140)) io_setup(0x4403, &(0x7f0000000000)=0x0) io_destroy(r0) io_destroy(r0) sigaltstack(&(0x7f0000000000)={0xffffffffffffffff, 0x0, 0xfffffffffffffefa}, &(0x7f0000000080)={&(0x7f0000000040)}) sigaltstack(&(0x7f0000000640)={0x0, 0x3}, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r1, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000040)=@ipv6_newrule={0x2c, 0x20, 0x2d2c6d60ea1da725, 0x70bd29, 0x25dfdbfd, {0xa, 0x0, 0x0, 0xcd, 0xff, 0x0, 0x0, 0x1, 0x10002}, [@FIB_RULE_POLICY=@FRA_PRIORITY={0x8}, @FIB_RULE_POLICY=@FRA_FWMASK={0x8, 0x10, 0x6}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4040090}, 0x40000) setsockopt$MRT_ADD_MFC_PROXY(0xffffffffffffffff, 0x0, 0xd2, &(0x7f0000000800)={@remote, @multicast2, 0x0, "a4955cc634e8317ff90a0511da89bcc1886abfec611557c1a546d40d6d037a56", 0x3, 0x1, 0xcd, 0x3}, 0x3c) setsockopt$MRT_ADD_MFC_PROXY(0xffffffffffffffff, 0x0, 0xd2, &(0x7f00000002c0)={@dev={0xac, 0x14, 0x14, 0x31}, @multicast2, 0x1, "802f47dc7807c8c8d7689b2e77610c97d016f9b87f5cb27e59d7e44533243d78", 0x9, 0x0, 0x6, 0x5}, 0x3c) r2 = socket(0x10, 0x3, 0x0) setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f0000000000)={0x4}, 0x10) write(r2, &(0x7f0000000240)="240000001a007f0214f9f4070009040803000000000000050000000008000f40fe00000e", 0x24) 4.6196206s ago: executing program 1 (id=176): r0 = userfaultfd(0x80801) r1 = socket(0x10, 0x80002, 0xfffffffe) prlimit64(0x0, 0xe, 0x0, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000640)=0x2) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) socket$nl_route(0x10, 0x3, 0x0) syz_open_dev$MSR(0x0, 0x0, 0x0) sendmsg$NL80211_CMD_REMAIN_ON_CHANNEL(0xffffffffffffffff, 0x0, 0x40000) syz_emit_vhci(&(0x7f0000000080)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@fixed={'\xaa\xaa\xaa\xaa\xaa', 0x11}, '|P3', 0x1}}}, 0xd) ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f0000000240)={'wlan1\x00'}) socket$nl_netfilter(0x10, 0x3, 0xc) socket$key(0xf, 0x3, 0x2) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000100)={{&(0x7f0000ffe000/0x2000)=nil, 0x2000}, 0x1}) 4.558482764s ago: executing program 3 (id=177): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x18, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="18010000000000000000000000000000850000006d00000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, 0x2}, 0x94) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) r3 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000880)=ANY=[@ANYBLOB="140000001500010300000000fcdbdf250b"], 0x14}}, 0x0) 4.400539746s ago: executing program 4 (id=178): r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000380)={0x18, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="18010000000000000000000000000000850000006d00000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000280)='sched_switch\x00', r0}, 0x18) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x1, 0x0) r1 = getpid() sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x6) syz_open_procfs(0xffffffffffffffff, &(0x7f0000000200)='setgroups\x00') 3.284034488s ago: executing program 3 (id=179): rt_sigaction(0x40, 0x0, 0x0, 0x8, &(0x7f0000000200)) socket$nl_route(0x10, 0x3, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_IPV6_RTHDR(r0, 0x29, 0x39, 0x0, 0x18) mkdir(&(0x7f0000000000)='./cgroup/../file0\x00', 0x0) mkdir(&(0x7f0000000000)='./cgroup/../file0/file0\x00', 0x0) ioctl$RTC_ALM_SET(0xffffffffffffffff, 0x8008700b, &(0x7f0000000080)={0x2e, 0x27, 0x1, 0x1d, 0x1, 0x4, 0x2, 0x16b, 0xffffffffffffffff}) r1 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0) r2 = openat$cgroup_procs(r1, &(0x7f0000000380)='cgroup.procs\x00', 0x2, 0x0) write$cgroup_pid(r2, &(0x7f0000000040), 0x12) r3 = openat$cgroup_subtree(0xffffffffffffffff, 0x0, 0x2, 0x0) write$cgroup_subtree(r3, &(0x7f0000000040), 0x0) syz_clone3(&(0x7f0000001880)={0x100000200, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58) 3.050988282s ago: executing program 1 (id=180): prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) r3 = bpf$PROG_LOAD(0x5, &(0x7f0000000580)={0x11, 0x3, &(0x7f0000000740)=@framed, &(0x7f0000000780)='GPL\x00', 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, @fallback=0x38, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000100)={&(0x7f0000000080)='sched_switch\x00', r3}, 0x18) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r4 = socket(0x10, 0x3, 0x0) write(r4, &(0x7f0000000140)="fc0000001a000708ab092504090007000aab0700a90100001d60369321000100fe800000000000000000000000039815fa2c1ec28656aaa79bb94b46fe000000bc00030026000000140000270400117c22ebc205214000000000008934d07302ade01720d7d5bbc91a3e3280772c05defd5a32e280fc83ab82f605f70c9ddef2fe082038f4f8b29d3ef3d92c83170e5bba4a46d284a710af333ae4f5566f91cf190201ded815b2ccd243f295ed94e0ad91bd0734babc7c3f2eeb57d43dd16b17e583df150c3b880f411f46a6b567b4d5715587e658a1ad0a4f01731d05b0350b0041f0d48a99c03f080548deac270e33429fd3000175e63fb8d38a87", 0x148) 3.008293495s ago: executing program 2 (id=181): r0 = socket$nl_netfilter(0x10, 0x3, 0xc) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) inotify_init1(0x800) r1 = getpid() sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) bpf$PROG_LOAD(0x5, 0x0, 0x0) sendmsg$IPCTNL_MSG_EXP_DELETE(r0, &(0x7f0000000a40)={0x0, 0x0, &(0x7f0000000a00)={&(0x7f0000000100)={0x50, 0x2, 0x2, 0x401, 0x0, 0x0, {0xa, 0x0, 0x4}, [@CTA_EXPECT_TUPLE={0x3c, 0x2, 0x0, 0x1, [@CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5}}, @CTA_TUPLE_IP={0x2c, 0x1, 0x0, 0x1, @ipv6={{0x14, 0x3, @rand_addr=' \x01\x00'}, {0x14, 0x4, @mcast1}}}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x20000000}, 0x40) 272.588492ms ago: executing program 1 (id=182): r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000000), 0xffffffffffffffff) sendmsg$MPTCP_PM_CMD_ADD_ADDR(r0, &(0x7f0000000400)={0x0, 0x0, &(0x7f00000003c0)={&(0x7f0000000300)={0x38, r1, 0x1, 0x0, 0x0, {}, [@MPTCP_PM_ATTR_ADDR={0x24, 0x1, 0x0, 0x1, [@MPTCP_PM_ADDR_ATTR_PORT={0x6, 0x5, 0x4e23}, @MPTCP_PM_ADDR_ATTR_FAMILY={0x6, 0x1, 0x2}, @MPTCP_PM_ADDR_ATTR_ADDR4={0x8, 0x3, @multicast1=0xac1414aa}, @MPTCP_PM_ADDR_ATTR_FLAGS={0x8, 0x6, 0x1}]}]}, 0x38}}, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) close(r2) r3 = socket$inet6_mptcp(0xa, 0x1, 0x106) bind$inet6(r2, &(0x7f0000000080)={0xa, 0x4e22, 0x0, @empty}, 0x1c) listen(r3, 0x0) r4 = socket$inet_mptcp(0x2, 0x1, 0x106) connect$inet(r4, &(0x7f0000000000)={0x2, 0x4e22, @local}, 0x10) r5 = socket$nl_generic(0x10, 0x3, 0x10) r6 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000740), 0xffffffffffffffff) sendmsg$MPTCP_PM_CMD_FLUSH_ADDRS(r5, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000004c0)={0x14, r6, 0x1, 0x70bd2c, 0x25dfdbff}, 0x14}, 0x1, 0x0, 0x0, 0x20000800}, 0x800) 89.190602ms ago: executing program 2 (id=183): syz_emit_vhci(&(0x7f00000000c0)=@HCI_VENDOR_PKT={0xff, 0x40}, 0x2) syz_emit_vhci(&(0x7f0000000100)=@HCI_VENDOR_PKT={0xff, 0x1}, 0x2) r0 = socket$caif_seqpacket(0x25, 0x5, 0x5) setsockopt$CAIFSO_LINK_SELECT(r0, 0x116, 0x7f, &(0x7f0000000140)=0x8, 0x4) syz_open_dev$MSR(&(0x7f0000000180), 0xfffffffffffffff9, 0x0) setsockopt$CAIFSO_LINK_SELECT(r0, 0x116, 0x7f, &(0x7f00000011c0), 0x4) syz_emit_vhci(&(0x7f0000001200)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x10}, @l2cap_cid_le_signaling={{0xc}, @l2cap_ecred_conn_rsp={{0x18, 0x7, 0x8}, {0x1, 0x5, 0x800}}}}, 0x15) ioctl$IOCTL_VMCI_NOTIFICATIONS_RECEIVE(0xffffffffffffffff, 0x7a6, 0x0) ioctl$MEDIA_IOC_DEVICE_INFO(0xffffffffffffffff, 0xc1007c00, 0x0) syz_emit_vhci(&(0x7f0000001540)=@HCI_EVENT_PKT={0x4, @hci_ev_cmd_status={{0xf, 0x4}, {0x81, 0x0, 0x2019}}}, 0x7) r1 = openat$null(0xffffffffffffff9c, 0x0, 0x80001, 0x0) ioctl$COMEDI_CANCEL(r1, 0x6407) ioctl$IOCTL_VMCI_CTX_ADD_NOTIFICATION(0xffffffffffffffff, 0x7af, 0x0) 0s ago: executing program 3 (id=184): r0 = socket$inet_sctp(0x2, 0x1, 0x84) timer_create(0x0, &(0x7f00000000c0)={0x0, 0x21, 0x2, @thr={0x0, 0x0}}, &(0x7f0000000300)) fcntl$lock(0xffffffffffffffff, 0x24, &(0x7f0000000040)={0x0, 0x0, 0x10001, 0x5}) mprotect(&(0x7f0000000000/0xf000)=nil, 0xf000, 0x1) clock_gettime(0x0, &(0x7f0000000240)) timer_settime(0x0, 0x1, &(0x7f0000000040)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0) mmap(&(0x7f0000000000/0x200000)=nil, 0x200000, 0x300000b, 0x204031, 0xffffffffffffffff, 0xec776000) bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e22, @empty}, 0x10) listen(r0, 0x1ff) accept$inet(r0, 0x0, 0x0) r1 = socket$inet_sctp(0x2, 0x5, 0x84) sendto$inet(r1, &(0x7f00000000c0)="ab", 0xffe0, 0xc1, &(0x7f0000000280)={0x2, 0x4e22, @loopback}, 0x10) socket$inet6_tcp(0xa, 0x1, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.0.65' (ED25519) to the list of known hosts. [ 89.502005][ T5787] cgroup: Unknown subsys name 'net' [ 89.763662][ T5787] cgroup: Unknown subsys name 'cpuset' [ 89.837905][ T5787] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 91.813017][ T5787] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 91.982066][ T10] cfg80211: failed to load regulatory.db [ 94.649499][ T5800] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 94.651359][ T5800] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 94.652127][ T5800] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 94.653555][ T5800] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 94.654400][ T5800] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 94.783974][ T5800] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 94.786116][ T5800] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 94.787469][ T5800] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 94.807585][ T5800] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 94.808820][ T5800] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 94.924677][ T5115] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 94.928731][ T5115] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 94.930002][ T5115] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 94.941691][ T5115] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 94.942843][ T5115] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 95.001518][ T5115] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 95.017386][ T5115] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 95.024379][ T5115] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 95.030322][ T5115] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1 [ 95.041371][ T5115] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 95.060081][ T5810] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 95.106039][ T5115] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9 [ 95.117125][ T5115] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9 [ 95.120858][ T5115] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4 [ 95.122005][ T5115] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2 [ 95.891814][ T5798] chnl_net:caif_netlink_parms(): no params data found [ 96.042772][ T5801] chnl_net:caif_netlink_parms(): no params data found [ 96.316514][ T5803] chnl_net:caif_netlink_parms(): no params data found [ 96.598510][ T5804] chnl_net:caif_netlink_parms(): no params data found [ 96.779183][ T5115] Bluetooth: hci0: command tx timeout [ 96.781275][ T5798] bridge0: port 1(bridge_slave_0) entered blocking state [ 96.782459][ T5798] bridge0: port 1(bridge_slave_0) entered disabled state [ 96.783127][ T5798] bridge_slave_0: entered allmulticast mode [ 96.785359][ T5798] bridge_slave_0: entered promiscuous mode [ 96.810977][ T5806] chnl_net:caif_netlink_parms(): no params data found [ 96.857448][ T5115] Bluetooth: hci1: command tx timeout [ 96.934334][ T5798] bridge0: port 2(bridge_slave_1) entered blocking state [ 96.934471][ T5798] bridge0: port 2(bridge_slave_1) entered disabled state [ 96.934688][ T5798] bridge_slave_1: entered allmulticast mode [ 96.936823][ T5798] bridge_slave_1: entered promiscuous mode [ 97.029950][ T5115] Bluetooth: hci2: command tx timeout [ 97.097637][ T5115] Bluetooth: hci3: command tx timeout [ 97.177399][ T5115] Bluetooth: hci4: command tx timeout [ 97.272484][ T5801] bridge0: port 1(bridge_slave_0) entered blocking state [ 97.272630][ T5801] bridge0: port 1(bridge_slave_0) entered disabled state [ 97.272813][ T5801] bridge_slave_0: entered allmulticast mode [ 97.276030][ T5801] bridge_slave_0: entered promiscuous mode [ 97.558342][ T5801] bridge0: port 2(bridge_slave_1) entered blocking state [ 97.558554][ T5801] bridge0: port 2(bridge_slave_1) entered disabled state [ 97.558749][ T5801] bridge_slave_1: entered allmulticast mode [ 97.561181][ T5801] bridge_slave_1: entered promiscuous mode [ 97.580710][ T5798] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 97.759021][ T5798] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 97.759323][ T5803] bridge0: port 1(bridge_slave_0) entered blocking state [ 97.759508][ T5803] bridge0: port 1(bridge_slave_0) entered disabled state [ 97.759732][ T5803] bridge_slave_0: entered allmulticast mode [ 97.761764][ T5803] bridge_slave_0: entered promiscuous mode [ 98.021171][ T5803] bridge0: port 2(bridge_slave_1) entered blocking state [ 98.021349][ T5803] bridge0: port 2(bridge_slave_1) entered disabled state [ 98.021516][ T5803] bridge_slave_1: entered allmulticast mode [ 98.023453][ T5803] bridge_slave_1: entered promiscuous mode [ 98.083111][ T5801] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 98.381559][ T5801] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 98.381819][ T5804] bridge0: port 1(bridge_slave_0) entered blocking state [ 98.381966][ T5804] bridge0: port 1(bridge_slave_0) entered disabled state [ 98.382103][ T5804] bridge_slave_0: entered allmulticast mode [ 98.384205][ T5804] bridge_slave_0: entered promiscuous mode [ 98.391121][ T5798] team0: Port device team_slave_0 added [ 98.618590][ T5804] bridge0: port 2(bridge_slave_1) entered blocking state [ 98.618744][ T5804] bridge0: port 2(bridge_slave_1) entered disabled state [ 98.618930][ T5804] bridge_slave_1: entered allmulticast mode [ 98.620896][ T5804] bridge_slave_1: entered promiscuous mode [ 98.624072][ T5798] team0: Port device team_slave_1 added [ 98.631799][ T5803] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 98.637769][ T5806] bridge0: port 1(bridge_slave_0) entered blocking state [ 98.637934][ T5806] bridge0: port 1(bridge_slave_0) entered disabled state [ 98.638191][ T5806] bridge_slave_0: entered allmulticast mode [ 98.641744][ T5806] bridge_slave_0: entered promiscuous mode [ 98.857455][ T5115] Bluetooth: hci0: command tx timeout [ 98.900786][ T5803] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 98.901169][ T5806] bridge0: port 2(bridge_slave_1) entered blocking state [ 98.901299][ T5806] bridge0: port 2(bridge_slave_1) entered disabled state [ 98.901455][ T5806] bridge_slave_1: entered allmulticast mode [ 98.903523][ T5806] bridge_slave_1: entered promiscuous mode [ 98.909315][ T5801] team0: Port device team_slave_0 added [ 98.937487][ T5115] Bluetooth: hci1: command tx timeout [ 99.097442][ T5115] Bluetooth: hci2: command tx timeout [ 99.177402][ T5115] Bluetooth: hci3: command tx timeout [ 99.180094][ T5801] team0: Port device team_slave_1 added [ 99.183696][ T5804] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 99.185051][ T5798] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 99.185063][ T5798] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 99.185081][ T5798] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 99.267508][ T5115] Bluetooth: hci4: command tx timeout [ 99.591728][ T5804] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 99.592528][ T5798] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 99.592542][ T5798] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 99.592567][ T5798] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 99.595269][ T5803] team0: Port device team_slave_0 added [ 99.603737][ T5806] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 99.782611][ T5803] team0: Port device team_slave_1 added [ 99.785764][ T5806] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 99.786545][ T5801] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 99.786562][ T5801] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 99.786582][ T5801] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 100.019082][ T5801] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 100.019100][ T5801] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 100.019120][ T5801] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 100.021447][ T5804] team0: Port device team_slave_0 added [ 100.260246][ T5804] team0: Port device team_slave_1 added [ 100.261274][ T5803] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 100.261292][ T5803] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 100.261312][ T5803] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 100.265370][ T5806] team0: Port device team_slave_0 added [ 100.579155][ T5803] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 100.579175][ T5803] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 100.579194][ T5803] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 100.581213][ T5806] team0: Port device team_slave_1 added [ 100.593643][ T5798] hsr_slave_0: entered promiscuous mode [ 100.595806][ T5798] hsr_slave_1: entered promiscuous mode [ 100.839722][ T5804] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 100.839741][ T5804] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 100.839764][ T5804] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 100.937401][ T5115] Bluetooth: hci0: command tx timeout [ 101.000372][ T5804] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 101.000386][ T5804] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 101.000406][ T5804] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 101.002470][ T5806] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 101.002485][ T5806] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 101.002504][ T5806] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 101.018083][ T5115] Bluetooth: hci1: command tx timeout [ 101.117021][ T5801] hsr_slave_0: entered promiscuous mode [ 101.119385][ T5801] hsr_slave_1: entered promiscuous mode [ 101.121063][ T5801] debugfs: 'hsr0' already exists in 'hsr' [ 101.121215][ T5801] Cannot create hsr debugfs directory [ 101.177662][ T5115] Bluetooth: hci2: command tx timeout [ 101.249286][ T5806] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 101.249304][ T5806] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 101.249324][ T5806] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 101.258024][ T5115] Bluetooth: hci3: command tx timeout [ 101.337402][ T5115] Bluetooth: hci4: command tx timeout [ 101.564419][ T5803] hsr_slave_0: entered promiscuous mode [ 101.565440][ T5803] hsr_slave_1: entered promiscuous mode [ 101.566166][ T5803] debugfs: 'hsr0' already exists in 'hsr' [ 101.566192][ T5803] Cannot create hsr debugfs directory [ 102.084540][ T5804] hsr_slave_0: entered promiscuous mode [ 102.085587][ T5804] hsr_slave_1: entered promiscuous mode [ 102.086658][ T5804] debugfs: 'hsr0' already exists in 'hsr' [ 102.086684][ T5804] Cannot create hsr debugfs directory [ 102.216277][ T5806] hsr_slave_0: entered promiscuous mode [ 102.218339][ T5806] hsr_slave_1: entered promiscuous mode [ 102.219636][ T5806] debugfs: 'hsr0' already exists in 'hsr' [ 102.219666][ T5806] Cannot create hsr debugfs directory [ 103.017432][ T5115] Bluetooth: hci0: command tx timeout [ 103.097507][ T5115] Bluetooth: hci1: command tx timeout [ 103.257474][ T5115] Bluetooth: hci2: command tx timeout [ 103.337619][ T5115] Bluetooth: hci3: command tx timeout [ 103.417378][ T5115] Bluetooth: hci4: command tx timeout [ 103.591325][ T5798] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 103.636844][ T5798] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 103.652194][ T5798] netdevsim netdevsim2 netdevsim2: renamed from eth2 [ 103.707982][ T5798] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 103.845282][ T5801] netdevsim netdevsim4 netdevsim0: renamed from eth0 [ 103.879031][ T5801] netdevsim netdevsim4 netdevsim1: renamed from eth1 [ 103.914737][ T5801] netdevsim netdevsim4 netdevsim2: renamed from eth2 [ 103.972476][ T5801] netdevsim netdevsim4 netdevsim3: renamed from eth3 [ 104.118640][ T5803] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 104.155601][ T5803] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 104.173893][ T5803] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 104.234537][ T5803] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 104.390208][ T5804] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 104.430556][ T5804] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 104.465913][ T5804] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 104.513908][ T5804] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 104.563743][ T5798] 8021q: adding VLAN 0 to HW filter on device bond0 [ 104.675982][ T5806] netdevsim netdevsim3 netdevsim0: renamed from eth0 [ 104.714652][ T5806] netdevsim netdevsim3 netdevsim1: renamed from eth1 [ 104.746326][ T5798] 8021q: adding VLAN 0 to HW filter on device team0 [ 104.746664][ T5806] netdevsim netdevsim3 netdevsim2: renamed from eth2 [ 104.794676][ T5806] netdevsim netdevsim3 netdevsim3: renamed from eth3 [ 104.860938][ T3574] bridge0: port 1(bridge_slave_0) entered blocking state [ 104.861497][ T3574] bridge0: port 1(bridge_slave_0) entered forwarding state [ 104.913146][ T3574] bridge0: port 2(bridge_slave_1) entered blocking state [ 104.913416][ T3574] bridge0: port 2(bridge_slave_1) entered forwarding state [ 104.931158][ T5801] 8021q: adding VLAN 0 to HW filter on device bond0 [ 105.034995][ T5801] 8021q: adding VLAN 0 to HW filter on device team0 [ 105.066600][ T5803] 8021q: adding VLAN 0 to HW filter on device bond0 [ 105.079042][ T12] bridge0: port 1(bridge_slave_0) entered blocking state [ 105.079770][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state [ 105.136988][ T4572] bridge0: port 2(bridge_slave_1) entered blocking state [ 105.137109][ T4572] bridge0: port 2(bridge_slave_1) entered forwarding state [ 105.197572][ T5803] 8021q: adding VLAN 0 to HW filter on device team0 [ 105.249052][ T989] bridge0: port 1(bridge_slave_0) entered blocking state [ 105.249211][ T989] bridge0: port 1(bridge_slave_0) entered forwarding state [ 105.265502][ T5804] 8021q: adding VLAN 0 to HW filter on device bond0 [ 105.300736][ T989] bridge0: port 2(bridge_slave_1) entered blocking state [ 105.300929][ T989] bridge0: port 2(bridge_slave_1) entered forwarding state [ 105.414142][ T5804] 8021q: adding VLAN 0 to HW filter on device team0 [ 105.480587][ T5806] 8021q: adding VLAN 0 to HW filter on device bond0 [ 105.489983][ T1173] bridge0: port 1(bridge_slave_0) entered blocking state [ 105.490324][ T1173] bridge0: port 1(bridge_slave_0) entered forwarding state [ 105.552020][ T12] bridge0: port 2(bridge_slave_1) entered blocking state [ 105.552212][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state [ 105.615571][ T5806] 8021q: adding VLAN 0 to HW filter on device team0 [ 105.681455][ T4572] bridge0: port 1(bridge_slave_0) entered blocking state [ 105.681677][ T4572] bridge0: port 1(bridge_slave_0) entered forwarding state [ 105.740780][ T13] bridge0: port 2(bridge_slave_1) entered blocking state [ 105.747434][ T13] bridge0: port 2(bridge_slave_1) entered forwarding state [ 105.809347][ T5798] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 106.012707][ T5801] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 106.164576][ T5798] veth0_vlan: entered promiscuous mode [ 106.208485][ T5798] veth1_vlan: entered promiscuous mode [ 106.260398][ T5803] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 106.460204][ T5798] veth0_macvtap: entered promiscuous mode [ 106.504257][ T5798] veth1_macvtap: entered promiscuous mode [ 106.563688][ T5804] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 106.629774][ T5803] veth0_vlan: entered promiscuous mode [ 106.649675][ T5798] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 106.684205][ T5798] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 106.705983][ T5806] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 106.715536][ T5803] veth1_vlan: entered promiscuous mode [ 106.747119][ T989] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 106.755594][ T989] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 106.778622][ T989] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 106.784524][ T989] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 106.964062][ T5804] veth0_vlan: entered promiscuous mode [ 107.088314][ T5803] veth0_macvtap: entered promiscuous mode [ 107.118876][ T5804] veth1_vlan: entered promiscuous mode [ 107.155392][ T5803] veth1_macvtap: entered promiscuous mode [ 107.181900][ T989] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 107.181923][ T989] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 107.201163][ T5801] veth0_vlan: entered promiscuous mode [ 107.206163][ T5806] veth0_vlan: entered promiscuous mode [ 107.275946][ T5801] veth1_vlan: entered promiscuous mode [ 107.282318][ T5806] veth1_vlan: entered promiscuous mode [ 107.303220][ T5803] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 107.320636][ T1146] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 107.320658][ T1146] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 107.353570][ T5803] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 107.384043][ T5804] veth0_macvtap: entered promiscuous mode [ 107.409590][ T13] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 107.413370][ T13] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 107.422551][ T5804] veth1_macvtap: entered promiscuous mode [ 107.424285][ T13] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 107.450976][ T13] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 107.589634][ T5801] veth0_macvtap: entered promiscuous mode [ 107.593728][ T5806] veth0_macvtap: entered promiscuous mode [ 107.637509][ T5804] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 107.711719][ T5801] veth1_macvtap: entered promiscuous mode [ 107.719903][ T5806] veth1_macvtap: entered promiscuous mode [ 107.729723][ T5804] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 107.781018][ T3574] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 107.806466][ T3574] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 107.832549][ T3574] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 107.853915][ T3574] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 107.866259][ T3574] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 107.866284][ T3574] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 107.879738][ T5801] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 107.982818][ T5801] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 107.986779][ T5806] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 108.208905][ T3574] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 108.208928][ T3574] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 108.209503][ T13] netdevsim netdevsim4 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.211993][ T5806] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 108.255992][ T13] netdevsim netdevsim4 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.339420][ T13] netdevsim netdevsim4 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.372927][ T13] netdevsim netdevsim4 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.443406][ T12] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.490292][ T12] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.500410][ T12] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.533472][ T12] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.686058][ T1146] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 108.686080][ T1146] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 108.985129][ T5918] syz_tun: entered allmulticast mode [ 109.004199][ T13] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 109.004220][ T13] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 109.195712][ T1146] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 109.195735][ T1146] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 109.319321][ T1173] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 109.319344][ T1173] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 109.719627][ T12] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 109.719650][ T12] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 109.916560][ T989] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 109.916584][ T989] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 111.197200][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 111.198147][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 111.199286][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 111.200437][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 111.201576][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 111.202212][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 111.202748][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 111.204080][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 111.205328][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 111.206468][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 111.961367][ T5942] vxfs: unable to read disk superblock at 1 [ 111.968782][ T5942] vxfs: unable to read disk superblock at 8 [ 111.968836][ T5942] vxfs: can't find superblock. [ 112.777431][ T38] audit: type=1800 audit(1760647372.967:2): pid=5934 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed comm="syz.1.2" name="bus" dev="ramfs" ino=8572 res=0 errno=0 [ 114.968939][ T44] usb 3-1: new high-speed USB device number 2 using dummy_hcd [ 115.147300][ T44] usb 3-1: Using ep0 maxpacket: 32 [ 115.175095][ T44] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 115.175131][ T44] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 115.175176][ T44] usb 3-1: New USB device found, idVendor=0403, idProduct=6030, bcdDevice= 0.00 [ 115.175199][ T44] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 115.561543][ T44] usb 3-1: config 0 descriptor?? [ 116.186550][ T44] ft260 0003:0403:6030.0001: unknown main item tag 0x7 [ 116.337366][ T44] ft260 0003:0403:6030.0001: chip code: 6424 8183 [ 116.538959][ T44] ft260 0003:0403:6030.0001: USB HID v0.00 Device [HID 0403:6030] on usb-dummy_hcd.2-1/input0 [ 116.747877][ T44] ft260 0003:0403:6030.0001: failed to retrieve status: -32, no wakeup [ 116.749223][ T44] ft260 0003:0403:6030.0001: failed to retrieve status: -32 [ 117.137908][ T5956] ft260 0003:0403:6030.0001: ft260_i2c_read: failed with -38 [ 117.156457][ T44] usb 3-1: USB disconnect, device number 2 [ 118.900843][ T5982] netlink: 4 bytes leftover after parsing attributes in process `syz.4.20'. [ 121.077296][ T5990] kvm_intel: L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. [ 122.273159][ C0] vkms_vblank_simulate: vblank timer overrun [ 122.377537][ T6007] futex_wake_op: syz.2.25 tries to shift op by 36; fix this program [ 130.668987][ T3658] libceph: connect (1)[c::]:6789 error -101 [ 130.669697][ T3658] libceph: mon0 (1)[c::]:6789 connect error [ 130.765813][ T6058] ceph: No mds server is up or the cluster is laggy [ 134.386738][ T6084] netlink: 'syz.1.43': attribute type 10 has an invalid length. [ 134.386761][ T6084] netlink: 2 bytes leftover after parsing attributes in process `syz.1.43'. [ 134.413971][ T6081] bridge_slave_0: left allmulticast mode [ 134.414004][ T6081] bridge_slave_0: left promiscuous mode [ 134.414470][ T6081] bridge0: port 1(bridge_slave_0) entered disabled state [ 134.833394][ T6086] netlink: 4 bytes leftover after parsing attributes in process `syz.1.43'. [ 135.145949][ T6081] bridge_slave_1: left allmulticast mode [ 135.145971][ T6081] bridge_slave_1: left promiscuous mode [ 135.146500][ T6081] bridge0: port 2(bridge_slave_1) entered disabled state [ 135.493406][ T6081] bond0: (slave bond_slave_0): Releasing backup interface [ 135.697789][ T6081] bond0: (slave bond_slave_1): Releasing backup interface [ 135.933819][ T6068] syz.2.40 (6068): drop_caches: 2 [ 136.900224][ T6081] team0: Port device team_slave_0 removed [ 137.094007][ T6081] team0: Port device team_slave_1 removed [ 137.096505][ T6081] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 137.096537][ T6081] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 137.399777][ T6081] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 137.399799][ T6081] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 138.248926][ T1321] ieee802154 phy0 wpan0: encryption failed: -22 [ 138.249001][ T1321] ieee802154 phy1 wpan1: encryption failed: -22 [ 138.340755][ T6081] A link change request failed with some changes committed already. Interface hsr_slave_0 may have been left with an inconsistent configuration, please check. [ 138.382106][ T6084] team0: entered promiscuous mode [ 138.382705][ T6084] bridge0: port 1(team0) entered blocking state [ 138.382866][ T6084] bridge0: port 1(team0) entered disabled state [ 138.383136][ T6084] team0: entered allmulticast mode [ 138.411254][ T6084] bridge0: port 1(team0) entered blocking state [ 138.411422][ T6084] bridge0: port 1(team0) entered forwarding state [ 138.444557][ T6086] team0: left allmulticast mode [ 138.445103][ T6086] bridge0: port 1(team0) entered disabled state [ 144.039158][ T5911] IPVS: starting estimator thread 0... [ 144.517621][ T6138] IPVS: using max 8 ests per chain, 19200 per kthread [ 146.339721][ T10] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 146.487425][ T10] usb 5-1: Using ep0 maxpacket: 16 [ 146.490417][ T10] usb 5-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 146.490444][ T10] usb 5-1: config 0 has no interfaces? [ 146.490476][ T10] usb 5-1: New USB device found, idVendor=045e, idProduct=07da, bcdDevice= 0.00 [ 146.490496][ T10] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 146.626579][ T10] usb 5-1: config 0 descriptor?? [ 147.700696][ T6161] netlink: 24 bytes leftover after parsing attributes in process `syz.3.63'. [ 147.755758][ T6164] sch_tbf: burst 88 is lower than device bridge_slave_1 mtu (1514) ! [ 147.872097][ T44] usb 5-1: USB disconnect, device number 2 [ 157.140895][ T6272] F2FS-fs (nbd1): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 157.140915][ T6272] F2FS-fs (nbd1): Can't find valid F2FS filesystem in 1th superblock [ 157.193466][ T6272] F2FS-fs (nbd1): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 157.193489][ T6272] F2FS-fs (nbd1): Can't find valid F2FS filesystem in 2th superblock [ 164.834370][ C1] vkms_vblank_simulate: vblank timer overrun [ 165.212722][ C1] vkms_vblank_simulate: vblank timer overrun [ 165.574948][ C1] vkms_vblank_simulate: vblank timer overrun [ 165.751894][ C1] vkms_vblank_simulate: vblank timer overrun [ 166.948898][ C1] vkms_vblank_simulate: vblank timer overrun [ 168.031348][ C1] vkms_vblank_simulate: vblank timer overrun [ 168.147088][ C1] vkms_vblank_simulate: vblank timer overrun [ 168.418360][ T5911] IPVS: starting estimator thread 0... [ 168.507322][ T6354] IPVS: using max 11 ests per chain, 26400 per kthread [ 171.051261][ T991] usb 5-1: new full-speed USB device number 3 using dummy_hcd [ 171.563544][ T991] usb 5-1: too many endpoints for config 0 interface 0 altsetting 250: 255, using maximum allowed: 30 [ 171.563597][ T991] usb 5-1: config 0 interface 0 altsetting 250 has 1 endpoint descriptor, different from the interface descriptor's value: 255 [ 171.563625][ T991] usb 5-1: config 0 interface 0 has no altsetting 0 [ 171.563661][ T991] usb 5-1: New USB device found, idVendor=1b1c, idProduct=1d00, bcdDevice= 0.00 [ 171.563684][ T991] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 171.680738][ T991] usb 5-1: config 0 descriptor?? [ 172.212099][ T991] corsair-cpro 0003:1B1C:1D00.0002: item fetching failed at offset 1/5 [ 172.237086][ T991] corsair-cpro 0003:1B1C:1D00.0002: probe with driver corsair-cpro failed with error -22 [ 172.397307][ T5911] usb 5-1: USB disconnect, device number 3 [ 173.925060][ T6385] hub 6-0:1.0: USB hub found [ 173.935332][ T6385] hub 6-0:1.0: 1 port detected [ 182.376778][ T6429] sch_tbf: burst 19872 is lower than device lo mtu (65550) ! [ 182.768840][ T6434] bridge1: entered allmulticast mode [ 183.495213][ T6443] netlink: 'syz.4.133': attribute type 39 has an invalid length. [ 188.055003][ T6474] process 'syz.3.141' launched '/dev/fd/3' with NULL argv: empty string added [ 189.875666][ T6489] bridge0: entered allmulticast mode [ 189.877037][ T6489] netlink: 4 bytes leftover after parsing attributes in process `syz.2.146'. [ 189.877358][ T6489] bridge_slave_1: left allmulticast mode [ 189.877399][ T6489] bridge_slave_1: left promiscuous mode [ 189.877824][ T6489] bridge0: port 2(bridge_slave_1) entered disabled state [ 190.649785][ T6489] bridge_slave_0: left allmulticast mode [ 190.649807][ T6489] bridge_slave_0: left promiscuous mode [ 190.650003][ T6489] bridge0: port 1(bridge_slave_0) entered disabled state [ 192.276072][ T6489] bridge0 (unregistering): left allmulticast mode [ 193.720397][ C0] vkms_vblank_simulate: vblank timer overrun [ 193.824648][ C0] vkms_vblank_simulate: vblank timer overrun [ 194.806859][ C0] vkms_vblank_simulate: vblank timer overrun [ 194.961556][ C0] vkms_vblank_simulate: vblank timer overrun [ 195.478053][ C0] vkms_vblank_simulate: vblank timer overrun [ 196.059719][ C0] vkms_vblank_simulate: vblank timer overrun [ 196.835476][ C0] vkms_vblank_simulate: vblank timer overrun [ 197.500878][ C0] vkms_vblank_simulate: vblank timer overrun [ 198.752669][ T6551] Bluetooth: MGMT ver 1.23 [ 200.171830][ T1321] ieee802154 phy0 wpan0: encryption failed: -22 [ 200.171883][ T1321] ieee802154 phy1 wpan1: encryption failed: -22 [ 202.137692][ T3658] IPVS: starting estimator thread 0... [ 202.237309][ T6575] IPVS: using max 10 ests per chain, 24000 per kthread [ 209.699731][ T6625] netlink: 'syz.1.180': attribute type 3 has an invalid length. [ 209.761935][ C0] vkms_vblank_simulate: vblank timer overrun [ 211.613049][ C0] vkms_vblank_simulate: vblank timer overrun [ 211.890060][ T5115] Bluetooth: hci3: command tx timeout [ 212.267412][ C1] ================================================================== [ 212.267432][ C1] BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 [ 212.267491][ C1] Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44 [ 212.267512][ C1] [ 212.267533][ C1] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} [ 212.267561][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 [ 212.267576][ C1] Workqueue: events mptcp_worker [ 212.267629][ C1] Call Trace: [ 212.267641][ C1] [ 212.267651][ C1] dump_stack_lvl+0x189/0x250 [ 212.267679][ C1] ? __kasan_check_byte+0x12/0x40 [ 212.267705][ C1] ? __pfx_dump_stack_lvl+0x10/0x10 [ 212.267732][ C1] ? lock_release+0x4b/0x3e0 [ 212.267759][ C1] ? __virt_addr_valid+0x4a5/0x5c0 [ 212.267789][ C1] print_report+0xca/0x240 [ 212.267822][ C1] ? __timer_delete_sync+0x372/0x3f0 [ 212.267856][ C1] kasan_report+0x118/0x150 [ 212.267882][ C1] ? __timer_delete_sync+0x372/0x3f0 [ 212.267921][ C1] __timer_delete_sync+0x372/0x3f0 [ 212.267957][ C1] ? __pfx___timer_delete_sync+0x10/0x10 [ 212.267993][ C1] ? __pfx_rt_mutex_slowunlock+0x10/0x10 [ 212.268029][ C1] ? mptcp_pm_del_add_timer+0x2d/0x310 [ 212.268064][ C1] sk_stop_timer_sync+0x1b/0x90 [ 212.268093][ C1] mptcp_pm_del_add_timer+0x283/0x310 [ 212.268129][ C1] ? mptcp_pm_del_add_timer+0x2d/0x310 [ 212.268163][ C1] ? mptcp_pm_add_addr_echoed+0x12b/0x260 [ 212.268188][ C1] mptcp_incoming_options+0x1357/0x1f60 [ 212.268223][ C1] ? tcp_ack+0x3a8c/0x6950 [ 212.268249][ C1] ? __pfx_mptcp_incoming_options+0x10/0x10 [ 212.268295][ C1] tcp_data_queue+0xca/0x6450 [ 212.268321][ C1] ? tcp_parse_options+0x12d3/0x13a0 [ 212.268351][ C1] ? __pfx_tcp_ack+0x10/0x10 [ 212.268378][ C1] ? __pfx_tcp_data_queue+0x10/0x10 [ 212.268409][ C1] ? __pfx_tcp_urg+0x10/0x10 [ 212.268434][ C1] ? tcp_ecn_received_counters+0x2b7/0x7f0 [ 212.268470][ C1] tcp_rcv_established+0x1335/0x2670 [ 212.268501][ C1] ? rt_is_expired+0x1c/0x2d0 [ 212.268541][ C1] ? __pfx_tcp_rcv_established+0x10/0x10 [ 212.268566][ C1] ? rt_is_expired+0x1c/0x2d0 [ 212.268600][ C1] ? rt_is_expired+0x1c/0x2d0 [ 212.268635][ C1] ? rt_is_expired+0x250/0x2d0 [ 212.268670][ C1] ? __pfx_ipv4_dst_check+0x10/0x10 [ 212.268705][ C1] ? __pfx_ipv4_dst_check+0x10/0x10 [ 212.268741][ C1] tcp_v4_do_rcv+0x98b/0xbf0 [ 212.268778][ C1] tcp_v4_rcv+0x252a/0x2dc0 [ 212.268827][ C1] ? __lock_acquire+0xab9/0xd20 [ 212.268852][ C1] ? __pfx_tcp_v4_rcv+0x10/0x10 [ 212.268890][ C1] ? __pfx_tcp_v4_rcv+0x10/0x10 [ 212.268924][ C1] ip_protocol_deliver_rcu+0x221/0x440 [ 212.268956][ C1] ? ip_local_deliver_finish+0x2ae/0x6f0 [ 212.268989][ C1] ip_local_deliver_finish+0x3bb/0x6f0 [ 212.269025][ C1] NF_HOOK+0x30c/0x3a0 [ 212.269055][ C1] ? __pfx_ip_local_deliver_finish+0x10/0x10 [ 212.269087][ C1] ? NF_HOOK+0x9a/0x3a0 [ 212.269116][ C1] ? __pfx_NF_HOOK+0x10/0x10 [ 212.269145][ C1] ? ip_rcv_finish_core+0xda3/0x1c00 [ 212.269178][ C1] ? __pfx_ip_local_deliver_finish+0x10/0x10 [ 212.269209][ C1] ? skb_dst+0x4f/0xd0 [ 212.269240][ C1] ? ip_local_deliver+0x12a/0x1b0 [ 212.269272][ C1] NF_HOOK+0x30c/0x3a0 [ 212.269303][ C1] ? __pfx_ip_rcv_finish+0x10/0x10 [ 212.269333][ C1] ? NF_HOOK+0x9a/0x3a0 [ 212.269362][ C1] ? __pfx_NF_HOOK+0x10/0x10 [ 212.269393][ C1] ? __pfx_ip_rcv_finish+0x10/0x10 [ 212.269430][ C1] ? __pfx_ip_rcv+0x10/0x10 [ 212.269465][ C1] __netif_receive_skb+0x143/0x380 [ 212.269497][ C1] ? process_backlog+0x27b/0x900 [ 212.269527][ C1] process_backlog+0x31e/0x900 [ 212.269564][ C1] __napi_poll+0xb6/0x540 [ 212.269594][ C1] net_rx_action+0x5f7/0xda0 [ 212.269633][ C1] ? __pfx_net_rx_action+0x10/0x10 [ 212.269670][ C1] ? kvm_sched_clock_read+0x11/0x20 [ 212.269728][ C1] ? __pfx_sched_clock_cpu+0x10/0x10 [ 212.269768][ C1] handle_softirqs+0x22f/0x710 [ 212.269811][ C1] ? __pfx_handle_softirqs+0x10/0x10 [ 212.269855][ C1] __local_bh_enable_ip+0x1a0/0x2e0 [ 212.269892][ C1] ? __pfx_rt_mutex_slowunlock+0x10/0x10 [ 212.269924][ C1] ? __pfx___local_bh_enable_ip+0x10/0x10 [ 212.269965][ C1] ? rt_spin_unlock+0x161/0x200 [ 212.269996][ C1] ? __mptcp_pm_send_ack+0x115/0x1e0 [ 212.270034][ C1] ? mptcp_pm_addr_send_ack+0x403/0x500 [ 212.270072][ C1] mptcp_pm_addr_send_ack+0x41f/0x500 [ 212.270113][ C1] ? mptcp_pm_worker+0xe3/0x320 [ 212.270136][ C1] mptcp_pm_worker+0x174/0x320 [ 212.270161][ C1] mptcp_worker+0xd5/0x1170 [ 212.270196][ C1] ? _raw_spin_unlock_irq+0x23/0x50 [ 212.270233][ C1] ? process_scheduled_works+0x9ef/0x17b0 [ 212.270272][ C1] process_scheduled_works+0xae1/0x17b0 [ 212.270326][ C1] ? __pfx_process_scheduled_works+0x10/0x10 [ 212.270374][ C1] worker_thread+0x8a0/0xda0 [ 212.270410][ C1] kthread+0x711/0x8a0 [ 212.270439][ C1] ? __pfx_worker_thread+0x10/0x10 [ 212.270467][ C1] ? __pfx_kthread+0x10/0x10 [ 212.270492][ C1] ? rt_spin_unlock+0x150/0x200 [ 212.270524][ C1] ? rt_spin_unlock+0x161/0x200 [ 212.270553][ C1] ? __pfx_kthread+0x10/0x10 [ 212.270580][ C1] ret_from_fork+0x4bc/0x870 [ 212.270618][ C1] ? __pfx_ret_from_fork+0x10/0x10 [ 212.270658][ C1] ? __switch_to_asm+0x39/0x70 [ 212.270690][ C1] ? __switch_to_asm+0x33/0x70 [ 212.270721][ C1] ? __pfx_kthread+0x10/0x10 [ 212.270749][ C1] ret_from_fork_asm+0x1a/0x30 [ 212.270791][ C1] [ 212.270800][ C1] [ 212.270810][ C1] Allocated by task 44: [ 212.270822][ C1] kasan_save_track+0x3e/0x80 [ 212.270841][ C1] __kasan_kmalloc+0x93/0xb0 [ 212.270861][ C1] __kmalloc_cache_noprof+0x1ef/0x6c0 [ 212.270883][ C1] mptcp_pm_alloc_anno_list+0x104/0x460 [ 212.270919][ C1] mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 [ 212.270966][ C1] __mptcp_pm_kernel_worker+0x417/0x1ef0 [ 212.270999][ C1] mptcp_pm_worker+0x1ee/0x320 [ 212.271019][ C1] mptcp_worker+0xd5/0x1170 [ 212.271049][ C1] process_scheduled_works+0xae1/0x17b0 [ 212.271082][ C1] worker_thread+0x8a0/0xda0 [ 212.271099][ C1] kthread+0x711/0x8a0 [ 212.271122][ C1] ret_from_fork+0x4bc/0x870 [ 212.271153][ C1] ret_from_fork_asm+0x1a/0x30 [ 212.271182][ C1] [ 212.271187][ C1] Freed by task 6630: [ 212.271197][ C1] kasan_save_track+0x3e/0x80 [ 212.271214][ C1] __kasan_save_free_info+0x46/0x50 [ 212.271242][ C1] __kasan_slab_free+0x5c/0x80 [ 212.271261][ C1] kfree+0x197/0x950 [ 212.271292][ C1] mptcp_remove_anno_list_by_saddr+0x2d/0x40 [ 212.271327][ C1] mptcp_pm_nl_flush_addrs_doit+0x593/0xbb0 [ 212.271360][ C1] genl_family_rcv_msg_doit+0x215/0x300 [ 212.271384][ C1] genl_rcv_msg+0x60e/0x790 [ 212.271405][ C1] netlink_rcv_skb+0x208/0x470 [ 212.271434][ C1] genl_rcv+0x28/0x40 [ 212.271458][ C1] netlink_unicast+0x846/0xa10 [ 212.271484][ C1] netlink_sendmsg+0x805/0xb30 [ 212.271515][ C1] __sock_sendmsg+0x21c/0x270 [ 212.271539][ C1] ____sys_sendmsg+0x508/0x820 [ 212.271557][ C1] ___sys_sendmsg+0x21f/0x2a0 [ 212.271575][ C1] __x64_sys_sendmsg+0x1a1/0x260 [ 212.271594][ C1] do_syscall_64+0xfa/0xfa0 [ 212.271627][ C1] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 212.271656][ C1] [ 212.271661][ C1] The buggy address belongs to the object at ffff8880311e4100 [ 212.271661][ C1] which belongs to the cache kmalloc-192 of size 192 [ 212.271681][ C1] The buggy address is located 80 bytes inside of [ 212.271681][ C1] freed 192-byte region [ffff8880311e4100, ffff8880311e41c0) [ 212.271705][ C1] [ 212.271710][ C1] The buggy address belongs to the physical page: [ 212.271728][ C1] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x311e4 [ 212.271749][ C1] flags: 0x80000000000000(node=0|zone=1) [ 212.271770][ C1] page_type: f5(slab) [ 212.271791][ C1] raw: 0080000000000000 ffff88813ff263c0 ffffea0000c42a00 dead000000000004 [ 212.271811][ C1] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 212.271824][ C1] page dumped because: kasan: bad access detected [ 212.271838][ C1] page_owner tracks the page as allocated [ 212.271846][ C1] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5806, tgid 5806 (syz-executor), ts 106874965631, free_ts 106848734160 [ 212.271886][ C1] post_alloc_hook+0x240/0x2a0 [ 212.271906][ C1] get_page_from_freelist+0x28c0/0x2960 [ 212.271932][ C1] __alloc_frozen_pages_noprof+0x181/0x370 [ 212.271958][ C1] alloc_pages_mpol+0xd1/0x380 [ 212.271980][ C1] allocate_slab+0x96/0x3a0 [ 212.272009][ C1] ___slab_alloc+0xb12/0x13f0 [ 212.272034][ C1] __slab_alloc+0xc6/0x1f0 [ 212.272059][ C1] __kmalloc_cache_noprof+0xec/0x6c0 [ 212.272079][ C1] addr_event+0xc3/0x470 [ 212.272107][ C1] inet6addr_event+0x9f/0xd0 [ 212.272134][ C1] notifier_call_chain+0x1b6/0x3e0 [ 212.272154][ C1] atomic_notifier_call_chain+0xda/0x180 [ 212.272174][ C1] ipv6_add_addr+0xdf1/0x10e0 [ 212.272207][ C1] inet6_addr_add+0x393/0xb40 [ 212.272226][ C1] inet6_rtm_newaddr+0x93d/0xd20 [ 212.272256][ C1] rtnetlink_rcv_msg+0x7cf/0xb70 [ 212.272285][ C1] page last free pid 28 tgid 28 stack trace: [ 212.272297][ C1] __free_frozen_pages+0xfb6/0x1140 [ 212.272323][ C1] rcu_cpu_kthread+0xbf6/0x1b50 [ 212.272346][ C1] smpboot_thread_fn+0x542/0xa60 [ 212.272365][ C1] kthread+0x711/0x8a0 [ 212.272391][ C1] ret_from_fork+0x4bc/0x870 [ 212.272422][ C1] ret_from_fork_asm+0x1a/0x30 [ 212.272457][ C1] [ 212.272462][ C1] Memory state around the buggy address: [ 212.272474][ C1] ffff8880311e4000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 212.272490][ C1] ffff8880311e4080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 212.272506][ C1] >ffff8880311e4100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 212.272518][ C1] ^ [ 212.272530][ C1] ffff8880311e4180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 212.272546][ C1] ffff8880311e4200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 212.272558][ C1] ================================================================== [ 212.272685][ C1] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 212.272704][ C1] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} [ 212.272731][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 [ 212.272747][ C1] Workqueue: events mptcp_worker [ 212.272781][ C1] Call Trace: [ 212.272790][ C1] [ 212.272799][ C1] dump_stack_lvl+0x99/0x250 [ 212.272827][ C1] ? __asan_memcpy+0x40/0x70 [ 212.272861][ C1] ? __pfx_dump_stack_lvl+0x10/0x10 [ 212.272890][ C1] ? __pfx__printk+0x10/0x10 [ 212.272925][ C1] vpanic+0x237/0x6d0 [ 212.272946][ C1] ? __pfx_vpanic+0x10/0x10 [ 212.272966][ C1] ? preempt_schedule+0xae/0xc0 [ 212.273000][ C1] ? __pfx_preempt_schedule+0x10/0x10 [ 212.273039][ C1] panic+0xb9/0xc0 [ 212.273059][ C1] ? __pfx_panic+0x10/0x10 [ 212.273082][ C1] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 212.273124][ C1] ? __timer_delete_sync+0x372/0x3f0 [ 212.273158][ C1] check_panic_on_warn+0x89/0xb0 [ 212.273188][ C1] ? __timer_delete_sync+0x372/0x3f0 [ 212.273222][ C1] end_report+0x78/0x160 [ 212.273245][ C1] kasan_report+0x129/0x150 [ 212.273266][ C1] ? __timer_delete_sync+0x372/0x3f0 [ 212.273297][ C1] __timer_delete_sync+0x372/0x3f0 [ 212.273324][ C1] ? __pfx___timer_delete_sync+0x10/0x10 [ 212.273352][ C1] ? __pfx_rt_mutex_slowunlock+0x10/0x10 [ 212.273379][ C1] ? mptcp_pm_del_add_timer+0x2d/0x310 [ 212.273406][ C1] sk_stop_timer_sync+0x1b/0x90 [ 212.273428][ C1] mptcp_pm_del_add_timer+0x283/0x310 [ 212.273462][ C1] ? mptcp_pm_del_add_timer+0x2d/0x310 [ 212.273489][ C1] ? mptcp_pm_add_addr_echoed+0x12b/0x260 [ 212.273507][ C1] mptcp_incoming_options+0x1357/0x1f60 [ 212.273534][ C1] ? tcp_ack+0x3a8c/0x6950 [ 212.273554][ C1] ? __pfx_mptcp_incoming_options+0x10/0x10 [ 212.273590][ C1] tcp_data_queue+0xca/0x6450 [ 212.273610][ C1] ? tcp_parse_options+0x12d3/0x13a0 [ 212.273633][ C1] ? __pfx_tcp_ack+0x10/0x10 [ 212.273654][ C1] ? __pfx_tcp_data_queue+0x10/0x10 [ 212.273674][ C1] ? __pfx_tcp_urg+0x10/0x10 [ 212.273694][ C1] ? tcp_ecn_received_counters+0x2b7/0x7f0 [ 212.273720][ C1] tcp_rcv_established+0x1335/0x2670 [ 212.273744][ C1] ? rt_is_expired+0x1c/0x2d0 [ 212.273776][ C1] ? __pfx_tcp_rcv_established+0x10/0x10 [ 212.273795][ C1] ? rt_is_expired+0x1c/0x2d0 [ 212.273822][ C1] ? rt_is_expired+0x1c/0x2d0 [ 212.273850][ C1] ? rt_is_expired+0x250/0x2d0 [ 212.273876][ C1] ? __pfx_ipv4_dst_check+0x10/0x10 [ 212.273904][ C1] ? __pfx_ipv4_dst_check+0x10/0x10 [ 212.273932][ C1] tcp_v4_do_rcv+0x98b/0xbf0 [ 212.273961][ C1] tcp_v4_rcv+0x252a/0x2dc0 [ 212.273999][ C1] ? __lock_acquire+0xab9/0xd20 [ 212.274019][ C1] ? __pfx_tcp_v4_rcv+0x10/0x10 [ 212.274048][ C1] ? __pfx_tcp_v4_rcv+0x10/0x10 [ 212.274075][ C1] ip_protocol_deliver_rcu+0x221/0x440 [ 212.274100][ C1] ? ip_local_deliver_finish+0x2ae/0x6f0 [ 212.274147][ C1] ip_local_deliver_finish+0x3bb/0x6f0 [ 212.274174][ C1] NF_HOOK+0x30c/0x3a0 [ 212.274198][ C1] ? __pfx_ip_local_deliver_finish+0x10/0x10 [ 212.274223][ C1] ? NF_HOOK+0x9a/0x3a0 [ 212.274245][ C1] ? __pfx_NF_HOOK+0x10/0x10 [ 212.274284][ C1] ? ip_rcv_finish_core+0xda3/0x1c00 [ 212.274311][ C1] ? __pfx_ip_local_deliver_finish+0x10/0x10 [ 212.274337][ C1] ? skb_dst+0x4f/0xd0 [ 212.274361][ C1] ? ip_local_deliver+0x12a/0x1b0 [ 212.274387][ C1] NF_HOOK+0x30c/0x3a0 [ 212.274412][ C1] ? __pfx_ip_rcv_finish+0x10/0x10 [ 212.274436][ C1] ? NF_HOOK+0x9a/0x3a0 [ 212.274464][ C1] ? __pfx_NF_HOOK+0x10/0x10 [ 212.274489][ C1] ? __pfx_ip_rcv_finish+0x10/0x10 [ 212.274518][ C1] ? __pfx_ip_rcv+0x10/0x10 [ 212.274541][ C1] __netif_receive_skb+0x143/0x380 [ 212.274566][ C1] ? process_backlog+0x27b/0x900 [ 212.274590][ C1] process_backlog+0x31e/0x900 [ 212.274620][ C1] __napi_poll+0xb6/0x540 [ 212.274644][ C1] net_rx_action+0x5f7/0xda0 [ 212.274675][ C1] ? __pfx_net_rx_action+0x10/0x10 [ 212.274701][ C1] ? kvm_sched_clock_read+0x11/0x20 [ 212.274732][ C1] ? __pfx_sched_clock_cpu+0x10/0x10 [ 212.274763][ C1] handle_softirqs+0x22f/0x710 [ 212.274796][ C1] ? __pfx_handle_softirqs+0x10/0x10 [ 212.274830][ C1] __local_bh_enable_ip+0x1a0/0x2e0 [ 212.274858][ C1] ? __pfx_rt_mutex_slowunlock+0x10/0x10 [ 212.274882][ C1] ? __pfx___local_bh_enable_ip+0x10/0x10 [ 212.274914][ C1] ? rt_spin_unlock+0x161/0x200 [ 212.274939][ C1] ? __mptcp_pm_send_ack+0x115/0x1e0 [ 212.274967][ C1] ? mptcp_pm_addr_send_ack+0x403/0x500 [ 212.274996][ C1] mptcp_pm_addr_send_ack+0x41f/0x500 [ 212.275028][ C1] ? mptcp_pm_worker+0xe3/0x320 [ 212.275045][ C1] mptcp_pm_worker+0x174/0x320 [ 212.275064][ C1] mptcp_worker+0xd5/0x1170 [ 212.275091][ C1] ? _raw_spin_unlock_irq+0x23/0x50 [ 212.275119][ C1] ? process_scheduled_works+0x9ef/0x17b0 [ 212.275149][ C1] process_scheduled_works+0xae1/0x17b0 [ 212.275191][ C1] ? __pfx_process_scheduled_works+0x10/0x10 [ 212.275230][ C1] worker_thread+0x8a0/0xda0 [ 212.275258][ C1] kthread+0x711/0x8a0 [ 212.275280][ C1] ? __pfx_worker_thread+0x10/0x10 [ 212.275296][ C1] ? __pfx_kthread+0x10/0x10 [ 212.275315][ C1] ? rt_spin_unlock+0x150/0x200 [ 212.275340][ C1] ? rt_spin_unlock+0x161/0x200 [ 212.275362][ C1] ? __pfx_kthread+0x10/0x10 [ 212.275383][ C1] ret_from_fork+0x4bc/0x870 [ 212.275412][ C1] ? __pfx_ret_from_fork+0x10/0x10 [ 212.275443][ C1] ? __switch_to_asm+0x39/0x70 [ 212.275472][ C1] ? __switch_to_asm+0x33/0x70 [ 212.275496][ C1] ? __pfx_kthread+0x10/0x10 [ 212.275528][ C1] ret_from_fork_asm+0x1a/0x30 [ 212.275559][ C1] [ 212.275892][ C1] Kernel Offset: disabled