last executing test programs: 9.651565127s ago: executing program 1 (id=80): prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x0, 0x0, &(0x7f0000006680)) openat$kvm(0xffffffffffffff9c, 0x0, 0x1, 0x0) semget(0x3, 0x1, 0x3c4) semctl$SETALL(0x0, 0x0, 0x11, &(0x7f0000000300)) 9.588982705s ago: executing program 1 (id=81): r0 = openat$dsp1(0xffffffffffffff9c, &(0x7f00000000c0), 0x801, 0x0) read$FUSE(0xffffffffffffffff, 0x0, 0x0) socket$inet6(0xa, 0x1, 0x84) openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x7) r1 = syz_open_dev$sndmidi(&(0x7f0000000240), 0x2, 0x40102) writev(r1, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2f) mount(0x0, 0x0, &(0x7f0000000000)='iso9660\x00', 0x208000, 0x0) r2 = syz_io_uring_setup(0x496, &(0x7f0000000f80)={0x0, 0x79af, 0x3180, 0x7ffc, 0x40024e}, &(0x7f0000000340), &(0x7f0000000080)) syz_io_uring_setup(0x641a, &(0x7f0000000300)={0x0, 0x235d, 0x10100, 0x0, 0x400002d8, 0x0, r2}, &(0x7f0000000200), &(0x7f00000001c0)) io_uring_enter(r2, 0x627, 0x4c1, 0x43, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x2) ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000000080)=0x74000000) write$dsp(r0, &(0x7f0000002000)='`', 0x88020) 5.597423701s ago: executing program 0 (id=93): r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$l2tp(&(0x7f0000000140), 0xffffffffffffffff) sendmsg$L2TP_CMD_TUNNEL_CREATE(r0, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000580)={0x24, r1, 0x917, 0x1000, 0x0, {}, [@L2TP_ATTR_CONN_ID={0x8}, @L2TP_ATTR_PEER_CONN_ID={0x8}]}, 0x24}, 0x1, 0x0, 0x0, 0x44}, 0x0) 5.518305811s ago: executing program 0 (id=94): get_mempolicy(0x0, &(0x7f0000000300), 0x1, &(0x7f000000d000/0x4000)=nil, 0x8) 5.44815385s ago: executing program 0 (id=95): capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040)={0x200000, 0x200000}) mq_open(&(0x7f00000000c0)='${$\x00', 0x40, 0x0, 0x0) 5.358438021s ago: executing program 0 (id=96): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000040)={0x11, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="18010000820004000000000000000c00850000000f00000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000140)={'pim6reg1\x00', 0x1}) ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8914, &(0x7f0000000140)={'pim6reg1\x00', @broadcast}) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000280)=0x8) r0 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r0, 0x2, &(0x7f0000000180)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r3 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$IPT_SO_SET_REPLACE(r3, 0x4000000000000, 0x40, &(0x7f0000000780)=@raw={'raw\x00', 0x701, 0x3, 0x258, 0x1c0, 0xb, 0x108, 0x108, 0x0, 0x1c0, 0x1c8, 0x1c8, 0x1c0, 0x1c8, 0x3, 0x0, {[{{@ip={@rand_addr, @remote, 0x0, 0x0, 'ip6erspan0\x00', '\x00', {}, {0xff}, 0x32}, 0x0, 0xa0, 0x108, 0x0, {}, [@common=@inet=@esp={{0x30}}]}, @unspec=@CT1={0x20, 'CT\x00', 0x1, {0x0, 0x0, 0x0, 0x0, 'netbios-ns\x00', 'syz0\x00'}}}, {{@ip={@loopback, @empty, 0xffffff00, 0x0, 'veth1_to_batadv\x00', 'ip6erspan0\x00'}, 0x0, 0x70, 0xb8}, @unspec=@CT0={0x48, 'CT\x00', 0x0, {0x0, 0x0, 0x0, 0x0, 'snmp_trap\x00'}}}], {{'\x00', 0x0, 0x70, 0x98}, {0x28, '\x00', 0x4}}}}, 0x2b8) socket$unix(0x1, 0x5, 0x0) 3.056439813s ago: executing program 1 (id=97): r0 = syz_io_uring_setup(0x370a, &(0x7f00000001c0)={0x0, 0xfffffffc, 0x2, 0x3, 0x2cf}, &(0x7f0000000500)=0x0, &(0x7f0000000380)) syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, 0x0, 0x0, 0x4) io_uring_enter(r0, 0xe7f, 0xe876, 0x3, 0x0, 0x0) io_uring_register$IORING_UNREGISTER_IOWQ_AFF(r0, 0x12, 0x0, 0x0) 2.469624377s ago: executing program 0 (id=98): bpf$MAP_CREATE(0x0, &(0x7f0000001d40)=ANY=[@ANYBLOB="12000000060000020400000002"], 0x50) 2.380393138s ago: executing program 0 (id=99): r0 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r0, &(0x7f0000000140)={0xa, 0x4e22, 0xab, @loopback, 0x10001}, 0x1c) connect$inet6(r0, &(0x7f0000000100)={0xa, 0x4e22, 0x7, @loopback, 0x23}, 0x1c) connect$inet6(0xffffffffffffffff, 0x0, 0x0) fcntl$setstatus(r0, 0x4, 0x42800) r1 = dup(r0) write$FUSE_NOTIFY_STORE(r1, 0x0, 0x28) r2 = socket(0xa, 0x3, 0xff) connect$inet6(r2, &(0x7f0000000040)={0xa, 0x4e20, 0x0, @empty, 0x4000002}, 0x1c) syz_emit_ethernet(0x6e, &(0x7f00000001c0)={@random="cfb14e407d33", @dev={'\xaa\xaa\xaa\xaa\xaa', 0x2e}, @void, {@ipv6={0x86dd, @icmpv6={0x9, 0x6, 'z&-', 0x38, 0x3a, 0x1, @local, @mcast2, {[], @pkt_toobig={0x2, 0x0, 0x0, 0x8001, {0x2, 0x6, "081331", 0x9, 0xff, 0x0, @loopback, @loopback, [@fragment={0x3b, 0x0, 0xe, 0x0, 0x0, 0x3, 0x65}]}}}}}}}, 0x0) bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, 0x0, 0x0) openat$zero(0xffffffffffffff9c, 0x0, 0x400980, 0x0) bpf$BPF_BTF_GET_FD_BY_ID(0x13, 0x0, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) sendmsg$TIPC_NL_NODE_GET(r1, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000240)={0xb0, 0x0, 0x4, 0x70bd26, 0x25dfdbfc, {}, [@TIPC_NLA_MEDIA={0x40, 0x5, 0x0, 0x1, [@TIPC_NLA_MEDIA_PROP={0x3c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xff}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x1}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x1}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x10001}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x12}]}]}, @TIPC_NLA_SOCK={0x18, 0x2, 0x0, 0x1, [@TIPC_NLA_SOCK_CON={0x14, 0x3, 0x0, 0x1, [@TIPC_NLA_CON_FLAG={0x8, 0x1, 0x5}, @TIPC_NLA_CON_FLAG={0x8, 0x1, 0x5}]}]}, @TIPC_NLA_NET={0x3c, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_NODEID_W1={0xc}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x6}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x6}, @TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0x9}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x7}]}, @TIPC_NLA_NODE={0x8, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_UP={0x4}]}]}, 0xb0}, 0x1, 0x0, 0x0, 0x88d0}, 0x40480d4) write$RDMA_USER_CM_CMD_LISTEN(r1, &(0x7f00000000c0)={0x7, 0xffffffffffffffa0, 0xfa00, {0xffffffffffffffff, 0x10c}}, 0xfffffd88) 422.486776ms ago: executing program 1 (id=100): r0 = socket$inet6(0xa, 0x80003, 0x6) setsockopt$MRT6_DEL_MIF(r0, 0x29, 0x31, 0x0, 0x0) 347.471036ms ago: executing program 1 (id=101): r0 = socket$can_raw(0x1d, 0x3, 0x1) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000780), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000002d00)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_SET_BSS(r1, &(0x7f0000002e00)={0x0, 0x0, &(0x7f0000002dc0)={&(0x7f00000000c0)={0x24, r2, 0x1, 0x70bd29, 0x25dfdbfd, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_BSS_HT_OPMODE={0x6, 0x6d, 0x5}]}, 0x24}}, 0x10) 0s ago: executing program 1 (id=102): r0 = bpf$MAP_CREATE(0x0, &(0x7f0000003940)=ANY=[@ANYBLOB="210000000000000000000000000100000004"], 0x48) mmap(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x200000a, 0x13, r0, 0x0) munmap(&(0x7f0000002000/0x1000)=nil, 0x1000) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:54378' (ED25519) to the list of known hosts. syzkaller login: [ 75.990532][ T3308] cgroup: Unknown subsys name 'net' [ 76.164237][ T3308] cgroup: Unknown subsys name 'cpuset' [ 76.188404][ T3308] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 76.679477][ T3308] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 84.726888][ T3314] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 84.774344][ T3314] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 84.813657][ T3313] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 84.868970][ T3313] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 85.665630][ T3314] hsr_slave_0: entered promiscuous mode [ 85.671163][ T3314] hsr_slave_1: entered promiscuous mode [ 85.935989][ T3313] hsr_slave_0: entered promiscuous mode [ 85.943661][ T3313] hsr_slave_1: entered promiscuous mode [ 85.946164][ T3313] debugfs: 'hsr0' already exists in 'hsr' [ 85.947438][ T3313] Cannot create hsr debugfs directory [ 86.785425][ T3314] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 86.823193][ T3314] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 86.837183][ T3314] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 86.874028][ T3314] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 87.091873][ T3313] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 87.119684][ T3313] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 87.133620][ T3313] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 87.146264][ T3313] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 87.957300][ T3314] 8021q: adding VLAN 0 to HW filter on device bond0 [ 87.971817][ T3313] 8021q: adding VLAN 0 to HW filter on device bond0 [ 91.212669][ T3313] veth0_vlan: entered promiscuous mode [ 91.274988][ T3314] veth0_vlan: entered promiscuous mode [ 91.293399][ T3313] veth1_vlan: entered promiscuous mode [ 91.319601][ T3314] veth1_vlan: entered promiscuous mode [ 91.447873][ T3313] veth0_macvtap: entered promiscuous mode [ 91.464992][ T3314] veth0_macvtap: entered promiscuous mode [ 91.474422][ T3313] veth1_macvtap: entered promiscuous mode [ 91.489271][ T3314] veth1_macvtap: entered promiscuous mode [ 91.685995][ T100] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 91.689504][ T100] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 91.690908][ T100] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 91.692219][ T100] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 91.758714][ T2472] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 91.759085][ T2472] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 91.761077][ T2472] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 91.761372][ T2472] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 92.238333][ T3313] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 92.241448][ T3314] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 92.942227][ T3465] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 92.978773][ T3465] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 93.313423][ T3468] fuse: Unknown parameter 'use00000000000000000000' [ 93.784667][ T3472] netlink: 24 bytes leftover after parsing attributes in process `syz.1.5'. [ 93.944692][ T3474] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 93.946022][ T3474] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 94.542783][ T3474] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 95.018582][ T3474] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 96.495694][ T3490] netlink: 112 bytes leftover after parsing attributes in process `syz.0.12'. [ 96.696116][ T3495] netlink: 12 bytes leftover after parsing attributes in process `syz.0.14'. [ 100.903981][ T3510] fuse: Unknown parameter 'user_i00000000000000000000' [ 101.124103][ T3514] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 101.137784][ T3514] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 101.564600][ T3520] fuse: Unknown parameter 'user_i00000000000000000000' [ 102.050345][ T3526] vxcan1: entered promiscuous mode [ 102.439216][ T3532] fuse: Unknown parameter 'user_i00000000000000000000' [ 102.549521][ T3534] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 102.551097][ T3534] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 107.985800][ T3543] fuse: Unknown parameter 'user_id00000000000000000000' [ 108.939792][ T3549] syzkaller0: entered promiscuous mode [ 108.940105][ T3549] syzkaller0: entered allmulticast mode [ 109.438440][ T3551] could not allocate digest TFM handle cryptd(blake2b-160) [ 110.605992][ T3558] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 111.809125][ T3561] syzkaller0: entered promiscuous mode [ 111.809279][ T3561] syzkaller0: entered allmulticast mode [ 112.005040][ T3563] fuse: Unknown parameter 'user_id00000000000000000000' [ 112.152504][ C1] vxcan1: j1939_tp_rxtimer: 0x0000000099af33d0: Timeout. Failed to send simple message. [ 112.656697][ T3569] Illegal XDP return value 3212296192 on prog (id 4) dev syz_tun, expect packet loss! [ 113.057953][ T3575] fuse: Unknown parameter 'user_id00000000000000000000' [ 117.415662][ T3592] fuse: Bad value for 'fd' [ 118.612276][ T3599] netlink: 28 bytes leftover after parsing attributes in process `syz.1.51'. [ 118.612486][ T3599] netlink: 72 bytes leftover after parsing attributes in process `syz.1.51'. [ 118.787829][ T3603] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 118.796029][ T3603] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 123.518318][ T3625] semctl(GETNCNT/GETZCNT) is since 3.16 Single Unix Specification compliant. [ 123.518318][ T3625] The task syz.1.62 (3625) triggered the difference, watch for misbehavior. [ 126.127774][ T3477] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 126.307374][ T3477] usb 1-1: Using ep0 maxpacket: 32 [ 126.333805][ T3477] usb 1-1: config 0 has an invalid interface number: 188 but max is 0 [ 126.334421][ T3477] usb 1-1: config 0 has no interface number 0 [ 126.338164][ T3477] usb 1-1: config 0 interface 188 altsetting 0 bulk endpoint 0x82 has invalid maxpacket 32 [ 126.388699][ T3477] usb 1-1: New USB device found, idVendor=17ef, idProduct=7203, bcdDevice=2e.36 [ 126.389062][ T3477] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 126.391478][ T3477] usb 1-1: Product: syz [ 126.391636][ T3477] usb 1-1: Manufacturer: syz [ 126.391720][ T3477] usb 1-1: SerialNumber: syz [ 126.406376][ T3477] usb 1-1: config 0 descriptor?? [ 126.439950][ T3637] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22 [ 126.663538][ T3637] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22 [ 126.855010][ T3641] sch_tbf: burst 19872 is lower than device lo mtu (65550) ! [ 127.496154][ T3477] asix 1-1:0.188 (unnamed net_device) (uninitialized): Failed to read reg index 0x0000: -71 [ 127.501049][ T3477] asix 1-1:0.188 (unnamed net_device) (uninitialized): Error reading PHY_ID register: ffffffb9 [ 127.503009][ T3477] asix 1-1:0.188: probe with driver asix failed with error -71 [ 127.539313][ T3477] usb 1-1: USB disconnect, device number 2 [ 127.951778][ T3649] Zero length message leads to an empty skb [ 128.462520][ T3661] netlink: 'syz.1.75': attribute type 1 has an invalid length. [ 128.550167][ T3661] 8021q: adding VLAN 0 to HW filter on device bond1 [ 128.573055][ T3661] bond1: (slave vcan0): Device is not bonding slave [ 128.573581][ T3661] bond1: option active_slave: invalid value (vcan0) [ 132.427449][ T3477] usb 1-1: new full-speed USB device number 3 using dummy_hcd [ 132.586052][ T3477] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 132.587090][ T3477] usb 1-1: config 0 has 1 interface, different from the descriptor's value: 2 [ 132.590349][ T3477] usb 1-1: New USB device found, idVendor=05d8, idProduct=810a, bcdDevice=92.b8 [ 132.590725][ T3477] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 132.602554][ T3477] usb 1-1: config 0 descriptor?? [ 132.844311][ T3477] usb 1-1: USB disconnect, device number 3 [ 134.053360][ T3712] capability: warning: `syz.0.95' uses deprecated v2 capabilities in a way that may be insecure [ 135.731327][ T3716] x_tables: ip_tables: CT.1 target: invalid size 72 (kernel) != (user) 0 [ 139.559036][ T40] ================================================================== [ 139.563118][ T40] BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc [ 139.565225][ T40] Write at addr f4f000000572bb60 by task kworker/u8:2/40 [ 139.565642][ T40] Pointer tag: [f4], memory tag: [fe] [ 139.565717][ T40] [ 139.566584][ T40] CPU: 1 UID: 0 PID: 40 Comm: kworker/u8:2 Not tainted syzkaller #0 PREEMPT [ 139.567057][ T40] Hardware name: linux,dummy-virt (DT) [ 139.567482][ T40] Workqueue: events_unbound bpf_map_free_deferred [ 139.568677][ T40] Call trace: [ 139.568984][ T40] show_stack+0x18/0x24 (C) [ 139.569293][ T40] dump_stack_lvl+0x78/0x90 [ 139.569402][ T40] print_report+0x108/0x61c [ 139.569451][ T40] kasan_report+0x88/0xac [ 139.569491][ T40] __do_kernel_fault+0x170/0x1c8 [ 139.569536][ T40] do_bad_area+0x68/0x78 [ 139.569578][ T40] do_tag_check_fault+0x34/0x44 [ 139.569621][ T40] do_mem_abort+0x44/0x94 [ 139.569661][ T40] el1_abort+0x44/0x68 [ 139.569705][ T40] el1h_64_sync_handler+0x50/0xac [ 139.569751][ T40] el1h_64_sync+0x6c/0x70 [ 139.569907][ T40] defer_free+0x3c/0xbc (P) [ 139.569962][ T40] kfree_nolock+0x1a0/0x1d4 [ 139.570009][ T40] range_tree_destroy+0x74/0x90 [ 139.570058][ T40] arena_map_free+0x64/0x90 [ 139.570103][ T40] bpf_map_free_deferred+0x70/0x180 [ 139.570151][ T40] process_one_work+0x178/0x2cc [ 139.570201][ T40] worker_thread+0x24c/0x354 [ 139.570246][ T40] kthread+0x130/0x1fc [ 139.570290][ T40] ret_from_fork+0x10/0x20 [ 139.570547][ T40] [ 139.570614][ T40] Allocated by task 3734: [ 139.570908][ T40] kasan_save_stack+0x3c/0x64 [ 139.571147][ T40] save_stack_info+0x40/0x158 [ 139.571186][ T40] kasan_save_alloc_info+0x14/0x20 [ 139.571221][ T40] __kasan_kmalloc+0xb4/0xb8 [ 139.571252][ T40] kmalloc_nolock_noprof+0x1dc/0x4fc [ 139.571288][ T40] range_tree_set+0x644/0x778 [ 139.571323][ T40] arena_map_alloc+0x11c/0x17c [ 139.571357][ T40] map_create+0x19c/0xa98 [ 139.571393][ T40] __sys_bpf+0x348/0x1a88 [ 139.571425][ T40] __arm64_sys_bpf+0x24/0x34 [ 139.571460][ T40] invoke_syscall+0x48/0x110 [ 139.571497][ T40] el0_svc_common.constprop.0+0x40/0xe0 [ 139.571535][ T40] do_el0_svc+0x1c/0x28 [ 139.571571][ T40] el0_svc+0x34/0x128 [ 139.571607][ T40] el0t_64_sync_handler+0xa0/0xe4 [ 139.571643][ T40] el0t_64_sync+0x1a4/0x1a8 [ 139.571734][ T40] [ 139.571780][ T40] Freed by task 40: [ 139.571825][ T40] kasan_save_stack+0x3c/0x64 [ 139.571882][ T40] save_stack_info+0x40/0x158 [ 139.571926][ T40] kasan_save_free_info+0x18/0x24 [ 139.571960][ T40] __kasan_slab_free+0x7c/0x8c [ 139.571992][ T40] kfree_nolock+0xcc/0x1d4 [ 139.572027][ T40] range_tree_destroy+0x74/0x90 [ 139.572062][ T40] arena_map_free+0x64/0x90 [ 139.572097][ T40] bpf_map_free_deferred+0x70/0x180 [ 139.572134][ T40] process_one_work+0x178/0x2cc [ 139.572170][ T40] worker_thread+0x24c/0x354 [ 139.572205][ T40] kthread+0x130/0x1fc [ 139.572237][ T40] ret_from_fork+0x10/0x20 [ 139.572282][ T40] [ 139.572321][ T40] The buggy address belongs to the object at fff000000572bb40 [ 139.572321][ T40] which belongs to the cache kmalloc-64 of size 64 [ 139.572403][ T40] The buggy address is located 32 bytes inside of [ 139.572403][ T40] 64-byte region [fff000000572bb40, fff000000572bb80) [ 139.572450][ T40] [ 139.572662][ T40] The buggy address belongs to the physical page: [ 139.573078][ T40] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xf8f000000572bac0 pfn:0x4572b [ 139.573426][ T40] flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0) [ 139.573831][ T40] page_type: f5(slab) [ 139.574351][ T40] raw: 01ffc00000000000 f3f0000003001600 dead000000000122 0000000000000000 [ 139.574409][ T40] raw: f8f000000572bac0 0000000080400036 00000000f5000000 0000000000000000 [ 139.574523][ T40] page dumped because: kasan: bad access detected [ 139.574566][ T40] [ 139.574596][ T40] Memory state around the buggy address: [ 139.574903][ T40] fff000000572b900: f2 f2 f2 fe fe fe fe fe f1 f1 f1 f1 f4 f4 f4 fe [ 139.575002][ T40] fff000000572ba00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 139.575065][ T40] >fff000000572bb00: f4 f4 f4 fe fe fe fe fe fe fe fe fe fe fe fe fe [ 139.575129][ T40] ^ [ 139.575240][ T40] fff000000572bc00: f5 f5 f5 f5 fe fe fe fe fe fe fe fe f0 f0 f0 fe [ 139.575269][ T40] fff000000572bd00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 139.575339][ T40] ================================================================== [ 139.576314][ T40] Disabling lock debugging due to kernel taint SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 140.135515][ T2472] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 140.239339][ T2472] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 140.331876][ T2472] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 140.406089][ T2472] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 140.965845][ T2472] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 141.008404][ T2472] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 141.043532][ T2472] bond0 (unregistering): Released all slaves [ 141.124323][ T2472] hsr_slave_0: left promiscuous mode [ 141.131116][ T2472] hsr_slave_1: left promiscuous mode [ 141.148827][ T2472] veth1_macvtap: left promiscuous mode [ 141.149342][ T2472] veth0_macvtap: left promiscuous mode [ 141.149777][ T2472] veth1_vlan: left promiscuous mode [ 141.150147][ T2472] veth0_vlan: left promiscuous mode VM DIAGNOSIS: 20:02:08 Registers: info registers vcpu 0 CPU#0 PC=ffff80008075e9f4 X00=ffff800082e00000 X01=0000000000010005 X02=0000000000000005 X03=0000000000000001 X04=0000000000000001 X05=ffff800082a03000 X06=0000000000000001 X07=ffff800082a03ad8 X08=ffffffffffffffff X09=000000000000002e X10=ffff800082debd78 X11=000000000000005a X12=ffff800082adf208 X13=ffff8000831ebb8d X14=ffff8000831ebb98 X15=ffff8000831eba00 X16=ffff800082de8000 X17=fff07ffffcef4000 X18=00000000ffffffff X19=fbf0000003048c30 X20=fcf000000323b180 X21=ffff800081cfff18 X22=ffff800082b1aac0 X23=00000000ffffffff X24=ffff8000816c0800 X25=0000000000000280 X26=f9f0000005608a80 X27=ffff800082a01000 X28=f9f000000b4a9810 X29=ffff800082deb6c0 X30=ffff8000801526b4 SP=ffff800082deb6c0 PSTATE=40402009 -Z-- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000 P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000 P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000 P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000 FFR=0000000000000000 Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:000000000074616e:00007265746c6966 Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffffffff000000:ffff000000000000 Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:fffff000ff000000 Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:000000524f525245:0000000000000000 Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:000000524f525245:0000000000000000 Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:6edc4d3a2914b135:d8e9c869e2695c88 Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:b20fae707afde253:388e9c6c4fa85ca0 Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffe06a9d30:0000ffffe06a9d30 Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffe06a9d00 Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff800080112848 X00=f5f0000008e6a000 X01=0000000000000002 X02=0000000000794e41 X03=ffff800082a2d8f0 X04=fff07ffffcf0d000 X05=ffff800082a2d8f0 X06=0000000000000010 X07=ffff8000829f60e0 X08=0000000000000017 X09=0000000000000017 X10=d1f35ca99b590208 X11=ffff800082cd3000 X12=0000000000000000 X13=0000000000000000 X14=00000000000003e3 X15=000000002c93eb5b X16=ffff800082df0000 X17=fff07ffffcf0d000 X18=0000000000000014 X19=f2f00000064f0000 X20=0000000000794e41 X21=0000000000000002 X22=f9f00000031aa100 X23=ffff80008a143ad0 X24=00000020777056bd X25=00000000000000c0 X26=0000000000000001 X27=ffff8000801893d0 X28=0000000000000000 X29=ffff800082df3da0 X30=ffff800080112854 SP=ffff800082df3da0 PSTATE=604020c9 -ZC- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000 P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000 P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000 P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000 FFR=0000000000000000 Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:00524f5252450040:0000000000000000 Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:00524f5252450040:0000000000000000 Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:6edc4d3a2914b135:d8e9c869e2695c88 Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:b20fae707afde253:388e9c6c4fa85ca0 Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffde4ecfc0:0000ffffde4ecfc0 Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffde4ecf90 Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000