last executing test programs: 677.116115ms ago: executing program 0 (id=10135): r0 = openat$autofs(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0) ioctl$AUTOFS_DEV_IOCTL_VERSION(r0, 0xc0189371, &(0x7f0000000140)={{0x1, 0x1, 0x18, 0xffffffffffffffff}, './file0\x00'}) tee(r1, 0xffffffffffffffff, 0x0, 0x0) 555.62085ms ago: executing program 1 (id=10136): fcntl$setsig(0xffffffffffffffff, 0xa, 0x0) r0 = semget(0xffffffffffffffff, 0x8, 0x0) semctl$SETVAL(r0, 0x4, 0x10, 0x0) 555.279241ms ago: executing program 0 (id=10137): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = dup3(r1, r0, 0x0) ioctl$TUNSETPERSIST(r2, 0x5450, 0x0) 467.845141ms ago: executing program 1 (id=10138): socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000002b00)={0xffffffffffffffff, 0xffffffffffffffff}) prlimit64(0x0, 0x7, &(0x7f0000000000), 0x0) getsockopt$sock_cred(r0, 0x1, 0x4d, 0x0, &(0x7f0000cab000)=0x2) 467.649561ms ago: executing program 0 (id=10139): r0 = socket$nl_netfilter(0x10, 0x3, 0xc) prlimit64(0x0, 0x7, &(0x7f00000003c0), 0x0) ioctl$AUTOFS_IOC_ASKUMOUNT(r0, 0x894c, 0xfffffffffffffffe) 467.512141ms ago: executing program 1 (id=10140): r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0) write$UHID_CREATE(r0, &(0x7f00000012c0)={0x0, {'syz1\x00', 'syz1\x00', 'syz0\x00', &(0x7f0000001280)=""/27, 0x1b}}, 0x120) write$UHID_CREATE(r0, &(0x7f0000001480)={0x0, {'syz0\x00', 'syz0\x00', 'syz0\x00', &(0x7f0000001400)=""/87, 0x57}}, 0x120) 327.856729ms ago: executing program 0 (id=10141): r0 = socket$inet_tcp(0x2, 0x1, 0x0) getsockname(r0, &(0x7f0000001d40)=@pppol2tpv3={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}}}, &(0x7f0000001dc0)=0x80) ioctl$VT_RESIZE(r1, 0x5451, 0x0) 266.866117ms ago: executing program 1 (id=10142): r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = dup(r0) ioctl$EVIOCGPHYS(r1, 0x80404507, 0x0) 131.028944ms ago: executing program 0 (id=10143): r0 = socket$nl_rdma(0x10, 0x3, 0x14) getpeername(r0, &(0x7f0000000300)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @dev}}}, &(0x7f0000000100)=0x49) ioctl$FIOCLEX(r1, 0x5451) 130.809774ms ago: executing program 1 (id=10144): r0 = syz_open_dev$dri(&(0x7f0000000080), 0x1, 0x0) ioctl$DRM_IOCTL_MODE_GETPLANE(0xffffffffffffffff, 0xc02064b6, 0x0) ioctl$DRM_IOCTL_MODE_SETPLANE(r0, 0xc03064b7, &(0x7f0000000500)) 262.46µs ago: executing program 0 (id=10145): r0 = bpf$MAP_CREATE(0x0, &(0x7f0000003940)=ANY=[@ANYBLOB="210000000000000000000000000010000004"], 0x48) mmap(&(0x7f0000001000/0x2000)=nil, 0x2000, 0x2, 0x13, r0, 0x0) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000001780)={0x3, 0x5, &(0x7f00000001c0)=@framed={{0x18, 0x2}, [@map_val={0x18, 0x2, 0x2, 0x0, r0, 0x0, 0x0, 0x0, 0xb98e}]}, &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x41100}, 0x94) 0s ago: executing program 1 (id=10146): r0 = openat$tun(0xffffff9c, &(0x7f0000000000), 0x0, 0x0) r1 = fcntl$dupfd(r0, 0x0, r0) ioctl$NS_GET_OWNER_UID(r1, 0xb704, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:30917' (ED25519) to the list of known hosts. syzkaller login: [ 70.224296][ T3304] cgroup: Unknown subsys name 'net' [ 70.445082][ T3304] cgroup: Unknown subsys name 'cpuset' [ 70.475012][ T3304] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 70.938914][ T3304] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 80.403850][ T3318] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 80.417993][ T3318] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 80.539769][ T3319] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 80.556892][ T3319] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 81.322239][ T3319] hsr_slave_0: entered promiscuous mode [ 81.329743][ T3319] hsr_slave_1: entered promiscuous mode [ 81.470261][ T3318] hsr_slave_0: entered promiscuous mode [ 81.475694][ T3318] hsr_slave_1: entered promiscuous mode [ 81.479890][ T3318] debugfs: 'hsr0' already exists in 'hsr' [ 81.481545][ T3318] Cannot create hsr debugfs directory [ 82.245025][ T3319] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 82.314391][ T3319] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 82.332659][ T3319] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 82.377922][ T3319] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 82.540167][ T3318] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 82.561740][ T3318] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 82.588511][ T3318] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 82.613365][ T3318] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 83.163302][ T3319] 8021q: adding VLAN 0 to HW filter on device bond0 [ 83.573868][ T3318] 8021q: adding VLAN 0 to HW filter on device bond0 [ 86.177735][ T3319] veth0_vlan: entered promiscuous mode [ 86.233205][ T3319] veth1_vlan: entered promiscuous mode [ 86.355479][ T3319] veth0_macvtap: entered promiscuous mode [ 86.378740][ T3319] veth1_macvtap: entered promiscuous mode [ 86.488429][ T1281] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 86.492812][ T1281] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 86.498164][ T41] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 86.499650][ T41] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 86.764717][ T3319] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 86.934971][ T3318] veth0_vlan: entered promiscuous mode [ 86.993232][ T3318] veth1_vlan: entered promiscuous mode [ 87.195455][ T3318] veth0_macvtap: entered promiscuous mode [ 87.238842][ T3318] veth1_macvtap: entered promiscuous mode [ 87.450946][ T1289] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 87.451313][ T1289] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 87.452630][ T1289] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 87.452800][ T1289] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.445649][ T3530] syz.1.31 uses obsolete (PF_INET,SOCK_PACKET) [ 90.873024][ T3541] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 100.929110][ T3828] Zero length message leads to an empty skb [ 109.260817][ T4082] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 140.903294][ T4929] misc userio: Invalid payload size [ 184.611418][ T6118] dlm: no local IP address has been set [ 184.611870][ T6118] dlm: cannot start dlm midcomms -107 [ 216.200594][ T7056] syz.0.1776 (7056): drop_caches: 0 [ 263.920530][ T8565] random: crng reseeded on system resumption [ 309.458665][T10186] random: crng reseeded on system resumption [ 330.706654][ T10] usb 1-1: new full-speed USB device number 2 using dummy_hcd [ 330.909489][ T10] usb 1-1: config 1 interface 1 altsetting 1 endpoint 0x3 has invalid maxpacket 1023, setting to 64 [ 330.949930][ T10] usb 1-1: string descriptor 0 read error: -22 [ 330.951123][ T10] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a1, bcdDevice= 0.40 [ 330.951281][ T10] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 331.207579][ T10] cdc_ncm 1-1:1.0: bind() failure [ 331.260942][ T10] cdc_ncm 1-1:1.1: CDC Union missing and no IAD found [ 331.261327][ T10] cdc_ncm 1-1:1.1: bind() failure [ 331.311490][ T10] usb 1-1: USB disconnect, device number 2 [ 340.640435][T11469] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 340.654913][T11469] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 344.597243][T11617] capability: warning: `syz.0.3837' uses 32-bit capabilities (legacy support in use) [ 345.638682][T11657] syz.1.3856 (11657): drop_caches: 0 [ 352.230917][T11936] kernel profiling enabled (shift: 0) [ 354.552244][T12014] TCP: TCP_TX_DELAY enabled [ 362.894956][T12346] capability: warning: `syz.0.4145' uses deprecated v2 capabilities in a way that may be insecure [ 390.210957][T13355] nvme_fabrics: missing parameter 'transport=%s' [ 390.211241][T13355] nvme_fabrics: missing parameter 'nqn=%s' [ 408.989638][T14043] nvme_fabrics: missing parameter 'transport=%s' [ 408.990077][T14043] nvme_fabrics: missing parameter 'nqn=%s' [ 416.519750][T14318] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 416.539686][T14318] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 460.817071][ T3473] usb 1-1: new high-speed USB device number 3 using dummy_hcd [ 460.976911][ T3473] usb 1-1: Using ep0 maxpacket: 16 [ 461.010272][ T3473] usb 1-1: config 1 interface 1 altsetting 1 bulk endpoint 0x82 has invalid maxpacket 16 [ 461.010698][ T3473] usb 1-1: config 1 interface 1 altsetting 1 bulk endpoint 0x3 has invalid maxpacket 1024 [ 461.047596][ T3473] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a1, bcdDevice= 0.40 [ 461.047968][ T3473] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 461.050355][ T3473] usb 1-1: Product: syz [ 461.050512][ T3473] usb 1-1: Manufacturer: syz [ 461.050588][ T3473] usb 1-1: SerialNumber: syz [ 461.557881][ T3473] cdc_ncm 1-1:1.0: bind() failure [ 461.597642][ T3473] cdc_ncm 1-1:1.1: CDC Union missing and no IAD found [ 461.597927][ T3473] cdc_ncm 1-1:1.1: bind() failure [ 461.631995][ T3473] usb 1-1: USB disconnect, device number 3 [ 478.006894][T16973] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 478.014144][T16973] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 524.207987][T19195] EXT4-fs (loop3): unable to read superblock [ 524.707195][T19218] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 524.708664][T19218] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 537.812502][T19664] netlink: 248 bytes leftover after parsing attributes in process `syz.0.7488'. [ 538.269278][T19684] ======================================================= [ 538.269278][T19684] WARNING: The mand mount option has been deprecated and [ 538.269278][T19684] and is ignored by this kernel. Remove the mand [ 538.269278][T19684] option from the mount to silence this warning. [ 538.269278][T19684] ======================================================= [ 540.065680][T19767] netlink: 'syz.0.7533': attribute type 4 has an invalid length. [ 540.069803][T19767] netlink: 17 bytes leftover after parsing attributes in process `syz.0.7533'. [ 540.693126][ T30] audit: type=1326 audit(540.540:2): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=19788 comm="syz.0.7545" exe="/syz-executor" sig=31 arch=c00000b7 syscall=172 compat=0 ip=0xffff7f553d8c code=0x0 [ 547.407260][ T3404] usb 1-1: new high-speed USB device number 4 using dummy_hcd [ 547.600035][ T3404] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08 [ 547.601297][ T3404] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 547.602521][ T3404] usb 1-1: Product: syz [ 547.602610][ T3404] usb 1-1: Manufacturer: syz [ 547.602702][ T3404] usb 1-1: SerialNumber: syz [ 557.155728][ T3404] usb 1-1: USB disconnect, device number 4 [ 557.623754][T20048] netlink: 164 bytes leftover after parsing attributes in process `syz.1.7663'. [ 562.762676][T20264] input: syz1 as /devices/virtual/input/input14 [ 563.480423][T12558] netdevsim netdevsim0 netdevsim0: unset [1, 0] type 2 family 0 port 6081 - 0 [ 563.481024][T12558] netdevsim netdevsim0 netdevsim1: unset [1, 0] type 2 family 0 port 6081 - 0 [ 563.481166][T12558] netdevsim netdevsim0 netdevsim2: unset [1, 0] type 2 family 0 port 6081 - 0 [ 563.481289][T12558] netdevsim netdevsim0 netdevsim3: unset [1, 0] type 2 family 0 port 6081 - 0 [ 563.854415][ T3404] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 563.854834][ T3404] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 563.868708][ T3404] hid-generic 0000:0000:0000.0001: hidraw0: HID v0.00 Device [syz0] on syz1 [ 564.219732][T20306] fido_id[20306]: Failed to open report descriptor at '/sys/devices/virtual/misc/uhid/report_descriptor': No such file or directory [ 569.142042][T20548] lo speed is unknown, defaulting to 1000 [ 569.145154][T20548] lo speed is unknown, defaulting to 1000 [ 569.152150][T20548] lo speed is unknown, defaulting to 1000 [ 569.178659][T20548] iwpm_register_pid: Unable to send a nlmsg (client = 2) [ 569.202646][T20548] infiniband syz2: RDMA CMA: cma_listen_on_dev, error -98 [ 569.288565][T20548] lo speed is unknown, defaulting to 1000 [ 569.294921][T20548] lo speed is unknown, defaulting to 1000 [ 580.871007][T20945] rdma_op 00000000064c2732 conn xmit_rdma 0000000000000000 [ 581.216910][T19463] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 581.217222][T19463] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 581.243206][T19463] hid-generic 0000:0000:0000.0002: hidraw0: HID v0.00 Device [syz0] on syz1 [ 581.462548][T20968] fido_id[20968]: Failed to open report descriptor at '/sys/devices/virtual/misc/uhid/report_descriptor': No such file or directory [ 585.441955][T21185] ucma_write: process 8203 (syz.0.8194) changed security contexts after opening file descriptor, this is not allowed. [ 597.734953][T21538] binder: 21537:21538 ioctl c018620b 20000080 returned -14 [ 640.929963][T23044] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 640.932840][T23044] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 645.288493][T23211] netlink: 36 bytes leftover after parsing attributes in process `syz.0.9162'. [ 666.758768][T23720] netlink: 12 bytes leftover after parsing attributes in process `syz.0.9403'. [ 693.358816][ T783] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 693.388718][ T783] hid-generic 0000:0000:0000.0003: hidraw0: HID v0.00 Device [syz1] on syz0 [ 693.589071][T24377] fido_id[24377]: Failed to open report descriptor at '/sys/devices/virtual/misc/uhid/report_descriptor': No such file or directory [ 693.720447][T24387] binder: 24385:24387 ioctl c018620c 0 returned -14 [ 695.429457][ T9] hid-generic 0001:0008:0003.0004: unknown main item tag 0x0 [ 695.431015][ T9] hid-generic 0001:0008:0003.0004: unknown main item tag 0x0 [ 695.432583][ T9] hid-generic 0001:0008:0003.0004: unknown main item tag 0x0 [ 695.434067][ T9] hid-generic 0001:0008:0003.0004: unknown main item tag 0x0 [ 695.437289][ T9] hid-generic 0001:0008:0003.0004: unknown main item tag 0x0 [ 695.439563][ T9] hid-generic 0001:0008:0003.0004: unknown main item tag 0x0 [ 695.447999][ T9] hid-generic 0001:0008:0003.0004: unknown main item tag 0x0 [ 695.449737][ T9] hid-generic 0001:0008:0003.0004: unknown main item tag 0x0 [ 695.451247][ T9] hid-generic 0001:0008:0003.0004: unknown main item tag 0x0 [ 695.468762][ T9] hid-generic 0001:0008:0003.0004: hidraw0: HID vec.36 Device [syz1] on syz1 [ 695.680642][T24460] fido_id[24460]: Failed to open report descriptor at '/sys/devices/virtual/misc/uhid/report_descriptor': No such file or directory [ 707.484775][T24896] lo speed is unknown, defaulting to 1000 [ 714.238758][T19728] hid-generic 0000:0000:0000.0005: item fetching failed at offset 0/1 [ 714.240013][T19728] hid-generic 0000:0000:0000.0005: probe with driver hid-generic failed with error -22 [ 720.393081][T19728] hid_parser_main: 85 callbacks suppressed [ 720.393441][T19728] hid-generic 0000:0000:0000.0006: unknown main item tag 0x0 [ 720.393531][T19728] hid-generic 0000:0000:0000.0006: unknown main item tag 0x0 [ 720.393590][T19728] hid-generic 0000:0000:0000.0006: unknown main item tag 0x0 [ 720.393631][T19728] hid-generic 0000:0000:0000.0006: unknown main item tag 0x0 [ 720.393665][T19728] hid-generic 0000:0000:0000.0006: unknown main item tag 0x0 [ 720.393753][T19728] hid-generic 0000:0000:0000.0006: unknown main item tag 0x0 [ 720.393808][T19728] hid-generic 0000:0000:0000.0006: unknown main item tag 0x0 [ 720.393869][T19728] hid-generic 0000:0000:0000.0006: unknown main item tag 0x0 [ 720.393910][T19728] hid-generic 0000:0000:0000.0006: unknown main item tag 0x0 [ 720.393969][T19728] hid-generic 0000:0000:0000.0006: unknown main item tag 0x0 [ 720.423151][T19728] hid-generic 0000:0000:0000.0006: hidraw0: HID v0.00 Device [syz1] on syz1 [ 720.683074][T25312] fido_id[25312]: Failed to open report descriptor at '/sys/devices/virtual/misc/uhid/report_descriptor': No such file or directory [ 720.879027][T12546] ================================================================== [ 720.883353][T12546] BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc [ 720.885607][T12546] Write at addr f6f0000029d2e720 by task kworker/u8:11/12546 [ 720.886301][T12546] Pointer tag: [f6], memory tag: [fe] [ 720.886394][T12546] [ 720.887441][T12546] CPU: 1 UID: 0 PID: 12546 Comm: kworker/u8:11 Tainted: G L syzkaller #0 PREEMPT [ 720.887917][T12546] Tainted: [L]=SOFTLOCKUP [ 720.887964][T12546] Hardware name: linux,dummy-virt (DT) [ 720.888423][T12546] Workqueue: events_unbound bpf_map_free_deferred [ 720.889640][T12546] Call trace: [ 720.889951][T12546] show_stack+0x18/0x24 (C) [ 720.890263][T12546] dump_stack_lvl+0x78/0x90 [ 720.890382][T12546] print_report+0x108/0x61c [ 720.890435][T12546] kasan_report+0x88/0xac [ 720.890476][T12546] __do_kernel_fault+0x170/0x1c8 [ 720.890520][T12546] do_bad_area+0x68/0x78 [ 720.890560][T12546] do_tag_check_fault+0x34/0x44 [ 720.890605][T12546] do_mem_abort+0x44/0x94 [ 720.890651][T12546] el1_abort+0x44/0x68 [ 720.890692][T12546] el1h_64_sync_handler+0x50/0xac [ 720.890731][T12546] el1h_64_sync+0x6c/0x70 [ 720.890909][T12546] defer_free+0x3c/0xbc (P) [ 720.890966][T12546] kfree_nolock+0x1a0/0x1d4 [ 720.891011][T12546] range_tree_destroy+0x74/0x90 [ 720.891056][T12546] arena_map_free+0x64/0x90 [ 720.891099][T12546] bpf_map_free_deferred+0x70/0x180 [ 720.891145][T12546] process_one_work+0x178/0x2cc [ 720.891192][T12546] worker_thread+0x24c/0x354 [ 720.891235][T12546] kthread+0x130/0x1fc [ 720.891278][T12546] ret_from_fork+0x10/0x20 [ 720.891521][T12546] [ 720.891590][T12546] Allocated by task 25322: [ 720.891789][T12546] kasan_save_stack+0x3c/0x64 [ 720.891935][T12546] save_stack_info+0x40/0x158 [ 720.891974][T12546] kasan_save_alloc_info+0x14/0x20 [ 720.892008][T12546] __kasan_kmalloc+0xb4/0xb8 [ 720.892040][T12546] kmalloc_nolock_noprof+0x1dc/0x4fc [ 720.892079][T12546] range_tree_set+0x644/0x778 [ 720.892116][T12546] arena_map_alloc+0x11c/0x17c [ 720.892152][T12546] map_create+0x19c/0xa98 [ 720.892224][T12546] __sys_bpf+0x348/0x1a88 [ 720.892257][T12546] __arm64_sys_bpf+0x24/0x34 [ 720.892288][T12546] invoke_syscall+0x48/0x110 [ 720.892323][T12546] el0_svc_common.constprop.0+0x40/0xe0 [ 720.892367][T12546] do_el0_svc+0x1c/0x28 [ 720.892404][T12546] el0_svc+0x34/0x128 [ 720.892438][T12546] el0t_64_sync_handler+0xa0/0xe4 [ 720.892471][T12546] el0t_64_sync+0x1a4/0x1a8 [ 720.892546][T12546] [ 720.892594][T12546] Freed by task 12546: [ 720.892674][T12546] kasan_save_stack+0x3c/0x64 [ 720.892716][T12546] save_stack_info+0x40/0x158 [ 720.892749][T12546] kasan_save_free_info+0x18/0x24 [ 720.892783][T12546] __kasan_slab_free+0x7c/0x8c [ 720.892815][T12546] kfree_nolock+0xcc/0x1d4 [ 720.892878][T12546] range_tree_destroy+0x74/0x90 [ 720.892917][T12546] arena_map_free+0x64/0x90 [ 720.892952][T12546] bpf_map_free_deferred+0x70/0x180 [ 720.892989][T12546] process_one_work+0x178/0x2cc [ 720.893022][T12546] worker_thread+0x24c/0x354 [ 720.893056][T12546] kthread+0x130/0x1fc [ 720.893086][T12546] ret_from_fork+0x10/0x20 [ 720.893132][T12546] [ 720.893207][T12546] The buggy address belongs to the object at fff0000029d2e700 [ 720.893207][T12546] which belongs to the cache kmalloc-64 of size 64 [ 720.893308][T12546] The buggy address is located 32 bytes inside of [ 720.893308][T12546] 64-byte region [fff0000029d2e700, fff0000029d2e740) [ 720.893352][T12546] [ 720.893635][T12546] The buggy address belongs to the physical page: [ 720.894069][T12546] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xf1f0000029d2e940 pfn:0x69d2e [ 720.894449][T12546] flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0) [ 720.894911][T12546] page_type: f5(slab) [ 720.895467][T12546] raw: 01ffc00000000000 f3f0000003001600 dead000000000122 0000000000000000 [ 720.895533][T12546] raw: f1f0000029d2e940 000000008040003c 00000000f5000000 0000000000000000 [ 720.895656][T12546] page dumped because: kasan: bad access detected [ 720.895700][T12546] [ 720.895731][T12546] Memory state around the buggy address: [ 720.896129][T12546] fff0000029d2e500: fe fe fe fe fb fb fb fe f6 f6 f6 fe f0 f0 f0 fe [ 720.896277][T12546] fff0000029d2e600: f6 f6 f6 fe fe fe fe fe fe fe fe fe f7 f7 f7 fe [ 720.896344][T12546] >fff0000029d2e700: fe fe fe fe f4 f4 f4 fe fe fe fe fe fe fe fe fe [ 720.896426][T12546] ^ [ 720.896538][T12546] fff0000029d2e800: f9 f9 f9 fe fe fe fe fe f1 f1 f1 fe fe fe fe fe [ 720.896568][T12546] fff0000029d2e900: f2 f2 f2 fe fe fe fe fe fe fe fe fe fe fe fe fe [ 720.896644][T12546] ================================================================== [ 720.897753][T12546] Disabling lock debugging due to kernel taint SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 722.223855][T12556] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 722.277576][T12556] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 722.319815][T12556] bond0 (unregistering): Released all slaves [ 722.440455][T12556] hsr_slave_0: left promiscuous mode [ 722.443748][T12556] hsr_slave_1: left promiscuous mode [ 723.330979][T12556] netdevsim netdevsim1 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 723.399625][T12556] netdevsim netdevsim1 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 723.484564][T12556] netdevsim netdevsim1 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 723.566755][T12556] netdevsim netdevsim1 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 724.125011][T12556] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 724.164017][T12556] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 724.205349][T12556] bond0 (unregistering): Released all slaves [ 724.341223][T12556] hsr_slave_0: left promiscuous mode [ 724.343268][T12556] hsr_slave_1: left promiscuous mode [ 724.354101][T12556] veth1_macvtap: left promiscuous mode [ 724.354552][T12556] veth0_macvtap: left promiscuous mode [ 724.357241][T12556] veth1_vlan: left promiscuous mode [ 724.357531][T12556] veth0_vlan: left promiscuous mode [ 724.843690][ T783] lo speed is unknown, defaulting to 1000 [ 724.845362][ T783] syz2: Port: 1 Link DOWN VM DIAGNOSIS: 06:57:39 Registers: info registers vcpu 0 CPU#0 PC=ffff80008092c760 X00=0000000000000002 X01=0000000000000018 X02=ffff800082e05018 X03=ffff800082b9ddf0 X04=f9f00000030e5880 X05=0000000000000072 X06=000000000000005d X07=0000000000000000 X08=7f7f7f7f7f7f7f7f X09=ffff800082b9de20 X10=0000000000000001 X11=ffff8000831dbe20 X12=ffff800082acf280 X13=ffff8000831dbb8d X14=ffff8000831dbb98 X15=ffff8000831dba00 X16=0000000000000000 X17=0000000000000000 X18=00000000ffffffff X19=fbf000000304302f X20=ffff80008092c904 X21=f9f00000030e5880 X22=fbf000000304302f X23=ffff80008092c904 X24=000000000000003b X25=f2f000000323b180 X26=0000000000000001 X27=0000000000000000 X28=0000000000000000 X29=ffff8000831dbca0 X30=ffff80008092c92c SP=ffff8000831dbca0 PSTATE=814020c9 N--- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000 P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000 P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000 P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000 FFR=0000000000000000 Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:00524f5252450040:0000000000000000 Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:00524f5252450040:0000000000000000 Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:6edc4d3a2914b135:d8e9c869e2695c88 Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:b20fae707afde253:388e9c6c4fa85ca0 Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000fffff624b660:0000fffff624b660 Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000fffff624b630 Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff800080110f74 X00=0000000000008851 X01=00000000000000cb X02=00000000000038f8 X03=000000000000891c X04=ffff800081bd4318 X05=0000000000000001 X06=0000000000c59875 X07=f8f0000003eae380 X08=f8f0000003eae440 X09=0000000000000001 X10=00000000f5257d14 X11=0000000000000001 X12=0000000000000022 X13=0000000000000000 X14=000038f84c472bd8 X15=ffff800081bd4430 X16=ffff800082de0000 X17=fff07ffffcf1d000 X18=0000000000000001 X19=f3f0000008441c00 X20=f8f0000003eae380 X21=00000097dbf47143 X22=0000000000000001 X23=0000000000000001 X24=f7f0000004d85280 X25=ffff800086303c88 X26=f0f0000003024028 X27=f7f0000004d85970 X28=fff000007f8f0b80 X29=ffff800086303ad0 X30=a99f8000800fd6cc SP=ffff800086303ad0 PSTATE=204020c9 --C- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000 P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000 P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000 P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000 FFR=0000000000000000 Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000001 Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:01c71000080147a4:00786d74702f7665 Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0146a20c80080004:100022100006006d Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0100040004080000:0401000000080608 Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0022100006006df2:0004000008000004 Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0100000008060801:46a20c8008000410 Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:2f2e01ffffffffff:ffffffd708028003 Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:6d6f747375632f32:73667265646e6962 Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:000001f40000000a Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000fffff77e3190:0000fffff77e3190 Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000fffff77e3160 Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000