last executing test programs: 868.527143ms ago: executing program 0 (id=95): pipe2(&(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}, 0x80) ioctl$KVM_ARM_VCPU_INIT(r0, 0x4020aeae, 0x0) (async) 718.807333ms ago: executing program 0 (id=96): r0 = syz_open_dev$tty20(0xc, 0x4, 0x1) ioctl$TIOCGPKT(r0, 0x5421, &(0x7f0000000040)) 718.660303ms ago: executing program 1 (id=97): r0 = openat$incfs(0xffffffffffffff9c, &(0x7f0000000080)='.pending_reads\x00', 0xc2242, 0x0) read$smackfs_access(r0, 0x0, 0x0) 575.436912ms ago: executing program 1 (id=98): r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000ac0), 0x400, 0x0) fsetxattr$trusted_overlay_nlink(r0, &(0x7f0000000b00), 0x0, 0x0, 0x0) 565.128023ms ago: executing program 0 (id=99): r0 = syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10) sendto$inet_nvme_pdu(r0, &(0x7f0000000580)=@icreq={{0x0, 0x4, 0x80, 0x9}, 0x0, 0x0, 0x1, 0xfffff000}, 0x80, 0x0, 0x0, 0x0) 409.396373ms ago: executing program 1 (id=100): r0 = socket$kcm(0x29, 0x5, 0x0) sendmsg$BATADV_CMD_GET_TRANSTABLE_GLOBAL(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={0x0}}, 0x0) 409.220073ms ago: executing program 0 (id=101): r0 = openat$smackfs_relabel_self(0xffffff9c, &(0x7f0000000000), 0x2, 0x0) ioctl$AUTOFS_IOC_EXPIRE_MULTI(r0, 0x5451, 0x0) 239.018835ms ago: executing program 1 (id=102): r0 = syz_open_dev$ttys(0xc, 0x2, 0x0) ioctl$sock_TIOCINQ(r0, 0x541b, &(0x7f00000013c0)) 238.892225ms ago: executing program 0 (id=103): r0 = socket$nl_sock_diag(0x10, 0x3, 0x4) write$midi(r0, &(0x7f0000000000)='R', 0x1) 118.571513ms ago: executing program 1 (id=104): r0 = socket$nl_rdma(0x10, 0x3, 0x14) sendmsg$TIPC_NL_NET_SET(r0, &(0x7f0000000ec0)={0x0, 0x0, &(0x7f0000000e80)={&(0x7f0000000cc0)={0x14, 0x0, 0x400, 0x70bd2d, 0x25dfdbfd}, 0x14}, 0x1, 0x0, 0x0, 0x40811}, 0x80) 14.24316ms ago: executing program 0 (id=105): r0 = openat$urandom(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) ioctl$TIOCGPKT(r0, 0x5451, 0x0) 0s ago: executing program 1 (id=106): pipe2$watch_queue(&(0x7f00000024c0)={0xffffffffffffffff, 0xffffffffffffffff}, 0x80) ioctl$SNDRV_CTL_IOCTL_ELEM_UNLOCK(r0, 0x5450, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:7731' (ED25519) to the list of known hosts. syzkaller login: [ 83.921717][ T3316] cgroup: Unknown subsys name 'net' [ 84.099993][ T3316] cgroup: Unknown subsys name 'cpuset' [ 84.127473][ T3316] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 84.555746][ T3316] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 92.623798][ T3321] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 92.667240][ T3321] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 92.684419][ T3322] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 92.737151][ T3322] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 93.755329][ T3321] hsr_slave_0: entered promiscuous mode [ 93.765188][ T3321] hsr_slave_1: entered promiscuous mode [ 93.937219][ T3322] hsr_slave_0: entered promiscuous mode [ 93.946316][ T3322] hsr_slave_1: entered promiscuous mode [ 93.952070][ T3322] debugfs: 'hsr0' already exists in 'hsr' [ 93.952792][ T3322] Cannot create hsr debugfs directory [ 94.807534][ T3321] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 94.855475][ T3321] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 94.884405][ T3321] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 94.905310][ T3321] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 95.126465][ T3322] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 95.159881][ T3322] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 95.177225][ T3322] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 95.198419][ T3322] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 96.188722][ T3321] 8021q: adding VLAN 0 to HW filter on device bond0 [ 96.248180][ T3322] 8021q: adding VLAN 0 to HW filter on device bond0 [ 99.892792][ T3322] veth0_vlan: entered promiscuous mode [ 99.922988][ T3321] veth0_vlan: entered promiscuous mode [ 99.941189][ T3322] veth1_vlan: entered promiscuous mode [ 100.015826][ T3321] veth1_vlan: entered promiscuous mode [ 100.151889][ T3322] veth0_macvtap: entered promiscuous mode [ 100.176816][ T3322] veth1_macvtap: entered promiscuous mode [ 100.297837][ T3321] veth0_macvtap: entered promiscuous mode [ 100.380631][ T3321] veth1_macvtap: entered promiscuous mode [ 100.435437][ T739] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 100.456554][ T739] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 100.457041][ T739] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 100.457443][ T739] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 100.724315][ T715] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 100.726277][ T715] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 100.727875][ T715] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 100.730610][ T715] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 100.978302][ T3322] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 110.215825][ T3322] ------------[ cut here ]------------ [ 110.219554][ T3322] WARNING: mm/kfence/core.c:1224 at __kfence_free+0x60/0x100, CPU#1: syz-executor/3322 [ 110.227424][ T3322] Modules linked in: [ 110.229474][ T3322] CPU: 1 UID: 0 PID: 3322 Comm: syz-executor Not tainted syzkaller #0 PREEMPT [ 110.230246][ T3322] Hardware name: linux,dummy-virt (DT) [ 110.230923][ T3322] pstate: 81402009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 110.231382][ T3322] pc : __kfence_free+0x60/0x100 [ 110.231659][ T3322] lr : kfree+0x3bc/0x3f4 [ 110.231909][ T3322] sp : ffff800089acbab0 [ 110.232175][ T3322] x29: ffff800089acbab0 x28: fbf0000005fa0000 x27: 0000000000000000 [ 110.232980][ T3322] x26: 0000000000084008 x25: ffff800082a81000 x24: 0000000000000000 [ 110.233408][ T3322] x23: f6f0000003412e00 x22: ffff80008033b784 x21: ffffc1ffc1ffc000 [ 110.233855][ T3322] x20: 5eaf80008033b784 x19: fff000007d89df78 x18: 0000000000000002 [ 110.234372][ T3322] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 110.234784][ T3322] x14: 0000000000000000 x13: 000000000006f7ec x12: 0000000000000001 [ 110.235362][ T3322] x11: 0000000000000400 x10: 0000000000006400 x9 : 00000000000000b0 [ 110.235861][ T3322] x8 : f3f000000622c45c x7 : 0000000000000024 x6 : 0000000000000024 [ 110.236288][ T3322] x5 : 000000000000003c x4 : fff000007d87a000 x3 : ffff800082a81000 [ 110.236803][ T3322] x2 : ffff800082a815e0 x1 : f4f0000005ff0c80 x0 : fff000007ff00000 [ 110.237414][ T3322] Call trace: [ 110.237894][ T3322] __kfence_free+0x60/0x100 (P) [ 110.238510][ T3322] kfree+0x3bc/0x3f4 [ 110.238802][ T3322] kvfree+0x3c/0x58 [ 110.239324][ T3322] xt_free_table_info+0x80/0x90 [ 110.239908][ T3322] __do_replace+0x250/0x310 [ 110.240158][ T3322] do_ip6t_set_ctl+0x374/0x418 [ 110.240537][ T3322] nf_setsockopt+0x68/0xb0 [ 110.240838][ T3322] ipv6_setsockopt+0x90/0xe4 [ 110.241091][ T3322] tcp_setsockopt+0x20/0x3c [ 110.241421][ T3322] sock_common_setsockopt+0x1c/0x28 [ 110.241882][ T3322] do_sock_setsockopt+0xa4/0x198 [ 110.242136][ T3322] __sys_setsockopt+0x7c/0x100 [ 110.242434][ T3322] __arm64_sys_setsockopt+0x28/0x40 [ 110.242696][ T3322] invoke_syscall+0x48/0x104 [ 110.242985][ T3322] el0_svc_common.constprop.0+0x40/0xe0 [ 110.243284][ T3322] do_el0_svc+0x1c/0x28 [ 110.243535][ T3322] el0_svc+0x34/0x124 [ 110.243767][ T3322] el0t_64_sync_handler+0xa0/0xf0 [ 110.244010][ T3322] el0t_64_sync+0x1a4/0x1a8 [ 110.244572][ T3322] ---[ end trace 0000000000000000 ]--- SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 110.928164][ T39] netdevsim netdevsim1 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 111.002703][ T39] netdevsim netdevsim1 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 111.080190][ T39] netdevsim netdevsim1 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 111.125560][ T39] netdevsim netdevsim1 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 111.731327][ T39] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 111.785882][ T39] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 111.825537][ T39] bond0 (unregistering): Released all slaves [ 111.922362][ T39] hsr_slave_0: left promiscuous mode [ 111.926431][ T39] hsr_slave_1: left promiscuous mode [ 111.947194][ T39] veth1_macvtap: left promiscuous mode [ 111.948703][ T39] veth0_macvtap: left promiscuous mode [ 111.958172][ T39] veth1_vlan: left promiscuous mode [ 111.958771][ T39] veth0_vlan: left promiscuous mode [ 113.290916][ T39] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 113.341661][ T39] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 113.414658][ T39] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 113.483992][ T39] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 114.215858][ T39] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 114.260753][ T39] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 114.296576][ T39] bond0 (unregistering): Released all slaves [ 114.394885][ T39] hsr_slave_0: left promiscuous mode [ 114.397737][ T39] hsr_slave_1: left promiscuous mode [ 114.415484][ T39] veth1_macvtap: left promiscuous mode [ 114.415805][ T39] veth0_macvtap: left promiscuous mode [ 114.416332][ T39] veth1_vlan: left promiscuous mode [ 114.416602][ T39] veth0_vlan: left promiscuous mode