last executing test programs:

4.664266871s ago: executing program 0 (id=22):
r0 = socket(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000240)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'lo\x00', <r2=>0x0})
sendmsg$nl_route_sched(r0, 0x0, 0x44080)
sendmsg$nl_route_sched(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000100)=@newqdisc={0x78, 0x24, 0xd0f, 0x70bd2c, 0x25dfdbfb, {0x60, 0x0, 0x0, r2, {}, {0xffe0, 0xa}, {0x1, 0x10}}, [@qdisc_kind_options=@q_sfq={{0x8}, {0x4c, 0x2, {{0x52, 0x40, 0x7, 0x200, 0x101}, 0x1ff, 0x0, 0x7, 0x4, 0x7, 0x3, 0x13, 0x14, 0x0, 0x4, {0x4, 0xffff, 0xb9, 0xe0000000, 0x8000, 0x73d34e52}}}}]}, 0x78}, 0x1, 0x0, 0x0, 0x2}, 0x4000)

4.461137297s ago: executing program 0 (id=23):
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x48241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32})
r1 = socket$kcm(0x2, 0xa, 0x2)
ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local})
write$tun(r0, &(0x7f0000000580)={@val, @void, @eth={@broadcast, @remote, @void, {@ipv4={0x800, @udp={{0x5, 0x4, 0x0, 0x0, 0x20, 0x0, 0x0, 0x0, 0x2f, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}, @broadcast}, {0x0, 0x86dd, 0xc, 0x0, @gue={{0x1, 0x1, 0x3, 0x9, 0x0, @void}}}}}}}}, 0x32)

4.257622713s ago: executing program 1 (id=25):
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_int(r0, 0x29, 0x2, &(0x7f0000000000)=0x1, 0x4)
bind$inet6(r0, &(0x7f0000000280)={0xa, 0x4e22, 0x9, @loopback, 0x6}, 0x1c)
setsockopt$sock_int(r0, 0x1, 0x8, &(0x7f0000000080)=0x40, 0x4)
connect$inet6(r0, &(0x7f0000000140)={0xa, 0x4e22, 0x56202329, @empty, 0x4000005}, 0x1c)
sendmmsg$inet6(r0, &(0x7f0000000900)=[{{0x0, 0x0, &(0x7f0000003640)=[{&(0x7f0000000680)="4137a29b582bd471798f15f967e7f8118e1abf61ebd7d146a12a42f6ffd2340daaa8dcf6da818cc0efac75e8c35abbde7a18e0226b424f5557c71db5d327baccef203377178ddb12221cdaf45711a2535ae87e6ab62ecba71b6f2ac0f6c9ead0ec52116d305204537900daaad0d6e4dd9d3ad654711b72964f28b8b5d231d709bf3cd4a0477ef446e7da5eaa15cc39e9c57d89217e33a93e080000000000000086448a8e871cf560229a3cc36317ac47bae1596458badc9ebde2c707dea2e18f859e20f7595cce0a88485e5223b2c8fc383e37cbbfe8353e2a8eb6dc65d76746a31d8f206f3152176a502d3e582a31933e40cff645d93afca045741f99af1cba5b3b6dd6c2edd5e6c4505ae594aa23cbc8a143512180028d9b3984a2517ac9a15154460ff0f654df3f8cf1c13455cb5f440a67de7a6dad269c76e2625c35222985a47aa3b920d97dea05c43bc937361d33781f8057097ca11a9d90eea3d8ae56f0e57f3a6f32f8786e165305301a3d86367337d2651a27b8c222f349491648ba165a6ed9a1e5e5397a1ee963651c2d9c79d6d5b34941375b6b53abcc7882c4e57a63de2e32c30e41030f24ae6efee9e3446eab3b5407cc20f581095dde95241e3853c4864ea7ecd07888956d9375b9ef74be4454d7693b53ed6bd0644cd93945b2eb35a6ac7c34aa11facf27ca4463e2bb1eef7126a982f0de190da6ca5b992c9fecf37053894f4b8001fa9902cb9544f8394c96faa2767c0af169cf7c3e0c49d962d47061f788999120bc2144d3bdd4cd8dc5c6f00b10958416318ef9ea9b4f2e", 0x241}], 0x1}}], 0x1, 0x4000001)
r1 = dup(r0)
syz_genetlink_get_family_id$mptcp(&(0x7f00000000c0), r1)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, 0x0)
syz_genetlink_get_family_id$ethtool(0x0, r1)

3.998481625s ago: executing program 0 (id=26):
madvise(&(0x7f0000a93000/0x4000)=nil, 0x4000, 0x80000000e)
mremap(&(0x7f0000a96000/0x1000)=nil, 0x1000, 0x400000, 0x3, &(0x7f0000000000/0x400000)=nil)
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[], 0x48)
mremap(&(0x7f0000000000/0x9000)=nil, 0x600600, 0x200000, 0x3, &(0x7f0000a00000/0x600000)=nil)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeea, 0x8031, 0xffffffffffffffff, 0x28f43000)

3.070140572s ago: executing program 1 (id=27):
add_key$fscrypt_v1(&(0x7f0000000040), 0x0, &(0x7f00000000c0)={0x0, "f1a1173fb9462d3589e67197f90be6e423ceb0ab4912f9f6a31854ec98e950cfed21fcad7ff0fbcb566a0982f8938caa52dd8d39af14c31ed56ad59300"}, 0x48, 0xffffffffffffffff)
bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000500)={0x3, 0xc, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000001c0)={&(0x7f0000000080)='kfree\x00'}, 0x10)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000140)='cachefiles_ref\x00', 0xffffffffffffffff, 0x0, 0x47bf}, 0x18)
r0 = openat$nci(0xffffffffffffff9c, &(0x7f0000000080), 0x2, 0x0)
ioctl$IOCTL_GET_NCIDEV_IDX(r0, 0x0, &(0x7f00000000c0)=<r1=>0x0)
r2 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$nfc(&(0x7f0000000100), r2)
sendmsg$NFC_CMD_DEV_UP(r2, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000280)=ANY=[@ANYBLOB="1c000000", @ANYRES16=r3, @ANYBLOB="010023010000340200000200000008000100", @ANYRES32=r1], 0x1c}}, 0x0)
write$nci(r0, &(0x7f0000000000)=ANY=[@ANYBLOB="710601010101"], 0x6)

3.001243811s ago: executing program 0 (id=28):
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f00000001c0)={0x26, 'skcipher\x00', 0x0, 0x0, 'xchacha20\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000300)="c99b57381801238c09d0ff0f1d0dbd301e5a47b2f3caa73dcd2a6a370554375a", 0x20)
r1 = accept4(r0, 0x0, 0x0, 0x0)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f00000002c0), r1)
sendmsg$NL80211_CMD_VENDOR(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000040)={0x24, r2, 0x100, 0x70bd28, 0x25dfdbfe, {{}, {@val={0x8, 0x1, 0x2e}, @val={0x8}, @void}}}, 0x24}, 0x1, 0x0, 0x0, 0x20048085}, 0x8000)

489.698628ms ago: executing program 1 (id=29):
r0 = socket$inet6(0xa, 0x800000000000002, 0x0)
connect$inet6(r0, &(0x7f0000000040)={0xa, 0x0, 0x0, @initdev={0xfe, 0x88, '\x00', 0xfc, 0x0}, 0x2}, 0x1c)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e20, 0x0, @ipv4={'\x00', '\xff\xff', @loopback}}, 0x1c)

416.242167ms ago: executing program 0 (id=30):
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
sendmmsg$inet6(r0, &(0x7f00000004c0)=[{{&(0x7f0000000000)={0xa, 0x4e23, 0x0, @ipv4={'\x00', '\xff\xff', @local}}, 0x1c, 0x0, 0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB="2400000000000000290000003200000000000000000000000000ffffac1414aa", @ANYRES32, @ANYBLOB='\x00\x00\x00\x00(\x00'], 0x50}}], 0x1, 0x44000)

349.236066ms ago: executing program 1 (id=31):
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000280)={0x73622a85, 0x100b, 0x1})
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000200)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0xffffffffffffff61, 0x0, 0x0})
dup3(r1, r0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000180)={0x8, 0x0, &(0x7f0000000300)=[@release={0x40046306, 0x2}], 0x0, 0x0, 0x0})

170.539258ms ago: executing program 1 (id=32):
r0 = socket$inet6(0xa, 0x80001, 0x0)
setsockopt$inet6_MCAST_JOIN_GROUP(r0, 0x29, 0x2a, &(0x7f0000fca000)={0x100000001, {{0xa, 0x0, 0x0, @mcast1}}}, 0x88)
setsockopt$inet6_MCAST_MSFILTER(r0, 0x29, 0x30, &(0x7f0000000240)={0x1, {{0xa, 0x4e20, 0x1, @mcast1, 0x5}}, 0x1}, 0x90)

110.669186ms ago: executing program 0 (id=33):
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000003940)=ANY=[@ANYBLOB="210000000000000000000000000010000004"], 0x48)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600003, 0x19)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x40010002, 0x0)
mmap(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x3000001, 0x11, r0, 0x0)
mbind(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x3, &(0x7f0000002100)=0x9, 0x4, 0x1)
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x8, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @cgroup_skb, 0xffffffffffffffff, 0x19}, 0x94)
openat(0xffffffffffffff9c, &(0x7f000000c380)='./file0\x00', 0x20842, 0x0)
r1 = socket$inet6(0x10, 0x3, 0x0)
sendto$inet6(r1, &(0x7f0000000000)='s', 0x10a73, 0x800, 0x0, 0x4b6ae4f95a5de35b)

0s ago: executing program 1 (id=34):
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000140)='rdma.current\x00', 0x26e1, 0x0)
close(r0)
socket$nl_audit(0x10, 0x3, 0x9)
ioctl$SIOCSIFHWADDR(r0, 0x8b19, &(0x7f0000000000)={'wlan0\x00', @random="7cf1e97c9e4f"})

kernel console output (not intermixed with test programs):

Warning: Permanently added '[localhost]:25061' (ED25519) to the list of known hosts.
syzkaller login: [   86.356459][ T3311] cgroup: Unknown subsys name 'net'
[   86.535113][ T3311] cgroup: Unknown subsys name 'cpuset'
[   86.561388][ T3311] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   87.085458][ T3311] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   97.910854][ T3317] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   97.933848][ T3317] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   98.179473][ T3316] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   98.195178][ T3316] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   98.853577][ T3317] hsr_slave_0: entered promiscuous mode
[   98.860364][ T3317] hsr_slave_1: entered promiscuous mode
[   99.325188][ T3316] hsr_slave_0: entered promiscuous mode
[   99.329927][ T3316] hsr_slave_1: entered promiscuous mode
[   99.338164][ T3316] debugfs: 'hsr0' already exists in 'hsr'
[   99.339473][ T3316] Cannot create hsr debugfs directory
[   99.649392][ T3317] netdevsim netdevsim0 netdevsim0: renamed from eth0
[   99.693833][ T3317] netdevsim netdevsim0 netdevsim1: renamed from eth1
[   99.738322][ T3317] netdevsim netdevsim0 netdevsim2: renamed from eth2
[   99.787933][ T3317] netdevsim netdevsim0 netdevsim3: renamed from eth3
[  100.271154][ T3316] netdevsim netdevsim1 netdevsim0: renamed from eth0
[  100.315956][ T3316] netdevsim netdevsim1 netdevsim1: renamed from eth1
[  100.338982][ T3316] netdevsim netdevsim1 netdevsim2: renamed from eth2
[  100.366321][ T3316] netdevsim netdevsim1 netdevsim3: renamed from eth3
[  101.167629][ T3317] 8021q: adding VLAN 0 to HW filter on device bond0
[  101.608447][ T3316] 8021q: adding VLAN 0 to HW filter on device bond0
[  104.581770][ T3317] veth0_vlan: entered promiscuous mode
[  104.704983][ T3317] veth1_vlan: entered promiscuous mode
[  104.874957][ T3317] veth0_macvtap: entered promiscuous mode
[  104.904810][ T3317] veth1_macvtap: entered promiscuous mode
[  105.152874][   T55] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[  105.153716][   T55] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[  105.153915][   T55] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[  105.154076][   T55] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[  105.645748][ T3316] veth0_vlan: entered promiscuous mode
[  105.755811][ T3316] veth1_vlan: entered promiscuous mode
[  105.825534][ T3317] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[  105.941702][ T3316] veth0_macvtap: entered promiscuous mode
[  105.980663][ T3316] veth1_macvtap: entered promiscuous mode
[  106.283549][  T991] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[  106.285394][  T991] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[  106.306680][  T991] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[  106.310263][  T991] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[  107.099700][ T3469] binder: 3468:3469 ioctl 4018620d 0 returned -22
[  107.101866][ T3469] binder: 3468:3469 Acquire 1 refcount change on invalid ref 0 ret -22
[  107.106842][ T3469] binder: 3468:3469 Acquire 1 refcount change on invalid ref 0 ret -22
[  107.108233][ T3469] binder: 3468:3469 got transaction to invalid handle, 1
[  107.108504][ T3469] binder: 3468:3469 cannot find target node
[  107.108784][ T3469] binder: 3468:3469 transaction call to 0:0 failed 1/29201/-22, code 0 size 0-0 line 3232
[  107.128565][   T24] binder: undelivered TRANSACTION_ERROR: 29201
[  107.255558][ T3472] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy
[  107.283839][ T3472] misc raw-gadget: fail, usb_gadget_register_driver returned -16
[  107.399589][ T3474] netlink: 'syz.0.4': attribute type 1 has an invalid length.
[  107.707663][ T3479] netlink: 8 bytes leftover after parsing attributes in process `syz.0.6'.
[  108.279382][ T3489] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[  108.433771][ T3462] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[  108.613735][ T3462] usb 1-1: Using ep0 maxpacket: 16
[  108.644559][ T3462] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7
[  108.646808][ T3462] usb 1-1: New USB device found, idVendor=04d8, idProduct=00dd, bcdDevice= 0.00
[  108.647467][ T3462] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[  108.684880][ T3462] usb 1-1: config 0 descriptor??
[  109.169889][ T3498] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy
[  109.183500][ T3462] hid-generic 0003:04D8:00DD.0001: hidraw0: USB HID v0.05 Device [HID 04d8:00dd] on usb-dummy_hcd.0-1/input0
[  109.187962][ T3498] misc raw-gadget: fail, usb_gadget_register_driver returned -16
[  109.205262][ T3498] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy
[  109.218118][ T3498] misc raw-gadget: fail, usb_gadget_register_driver returned -16
[  109.564870][ T3503] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy
[  109.566421][ T3503] misc raw-gadget: fail, usb_gadget_register_driver returned -16
[  109.584326][   T24] usb 1-1: USB disconnect, device number 2
[  109.917996][ T3500] fido_id[3500]: Failed to open report descriptor at '/sys/devices/platform/dummy_hcd.0/usb1/report_descriptor': No such file or directory
[  110.566466][ T3516] syz.0.23 uses obsolete (PF_INET,SOCK_PACKET)
[  114.589884][ T3538] binder: 3537:3538 ioctl c0306201 20000080 returned -14
[  114.600017][ T3538] binder: 3537:3538 Release 1 refcount change on invalid ref 2 ret -22
[  114.964699][   T13] ==================================================================
[  114.969171][   T13] BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc
[  114.971568][   T13] Write at addr f8f00000033c8de0 by task kworker/u8:1/13
[  114.972133][   T13] Pointer tag: [f8], memory tag: [fe]
[  114.972249][   T13] 
[  114.973183][   T13] CPU: 0 UID: 0 PID: 13 Comm: kworker/u8:1 Not tainted syzkaller #0 PREEMPT 
[  114.973554][   T13] Hardware name: linux,dummy-virt (DT)
[  114.974020][   T13] Workqueue: events_unbound bpf_map_free_deferred
[  114.975261][   T13] Call trace:
[  114.975631][   T13]  show_stack+0x18/0x24 (C)
[  114.975961][   T13]  dump_stack_lvl+0x78/0x90
[  114.976074][   T13]  print_report+0x108/0x61c
[  114.976121][   T13]  kasan_report+0x88/0xac
[  114.976164][   T13]  __do_kernel_fault+0x170/0x1c8
[  114.976209][   T13]  do_bad_area+0x68/0x78
[  114.976252][   T13]  do_tag_check_fault+0x34/0x44
[  114.976294][   T13]  do_mem_abort+0x44/0x94
[  114.976340][   T13]  el1_abort+0x44/0x68
[  114.976383][   T13]  el1h_64_sync_handler+0x50/0xac
[  114.976428][   T13]  el1h_64_sync+0x6c/0x70
[  114.976588][   T13]  defer_free+0x3c/0xbc (P)
[  114.976650][   T13]  kfree_nolock+0x1a0/0x1d4
[  114.976697][   T13]  range_tree_destroy+0x74/0x90
[  114.976745][   T13]  arena_map_free+0x64/0x90
[  114.976789][   T13]  bpf_map_free_deferred+0x70/0x180
[  114.976840][   T13]  process_one_work+0x178/0x2cc
[  114.976902][   T13]  worker_thread+0x24c/0x354
[  114.976947][   T13]  kthread+0x130/0x1fc
[  114.976991][   T13]  ret_from_fork+0x10/0x20
[  114.977274][   T13] 
[  114.977343][   T13] Allocated by task 3543:
[  114.977626][   T13]  kasan_save_stack+0x3c/0x64
[  114.977898][   T13]  save_stack_info+0x40/0x158
[  114.977941][   T13]  kasan_save_alloc_info+0x14/0x20
[  114.977978][   T13]  __kasan_kmalloc+0xb4/0xb8
[  114.978014][   T13]  kmalloc_nolock_noprof+0x1dc/0x4fc
[  114.978054][   T13]  range_tree_clear+0x3a4/0x6a8
[  114.978092][   T13]  arena_vm_fault+0xf0/0x1a8
[  114.978129][   T13]  __do_fault+0x3c/0x234
[  114.978173][   T13]  do_fault+0x314/0x680
[  114.978213][   T13]  __handle_mm_fault+0x440/0xc2c
[  114.978250][   T13]  handle_mm_fault+0x15c/0x30c
[  114.978286][   T13]  do_page_fault+0x194/0x680
[  114.978326][   T13]  do_translation_fault+0x60/0x6c
[  114.978366][   T13]  do_mem_abort+0x44/0x94
[  114.978405][   T13]  el1_abort+0x44/0x68
[  114.978443][   T13]  el1h_64_sync_handler+0x50/0xac
[  114.978481][   T13]  el1h_64_sync+0x6c/0x70
[  114.978515][   T13]  __arch_copy_from_user+0x14/0x23c
[  114.978558][   T13]  __sys_bpf+0xe0/0x1a88
[  114.978594][   T13]  __arm64_sys_bpf+0x24/0x34
[  114.978634][   T13]  invoke_syscall+0x48/0x110
[  114.978675][   T13]  el0_svc_common.constprop.0+0x40/0xe0
[  114.978715][   T13]  do_el0_svc+0x1c/0x28
[  114.978756][   T13]  el0_svc+0x34/0x128
[  114.978796][   T13]  el0t_64_sync_handler+0xa0/0xe4
[  114.978835][   T13]  el0t_64_sync+0x1a4/0x1a8
[  114.978924][   T13] 
[  114.978970][   T13] Freed by task 13:
[  114.979019][   T13]  kasan_save_stack+0x3c/0x64
[  114.979060][   T13]  save_stack_info+0x40/0x158
[  114.979096][   T13]  kasan_save_free_info+0x18/0x24
[  114.979132][   T13]  __kasan_slab_free+0x7c/0x8c
[  114.979168][   T13]  kfree_nolock+0xcc/0x1d4
[  114.979206][   T13]  range_tree_destroy+0x74/0x90
[  114.979244][   T13]  arena_map_free+0x64/0x90
[  114.979283][   T13]  bpf_map_free_deferred+0x70/0x180
[  114.979325][   T13]  process_one_work+0x178/0x2cc
[  114.979365][   T13]  worker_thread+0x24c/0x354
[  114.979403][   T13]  kthread+0x130/0x1fc
[  114.979484][   T13]  ret_from_fork+0x10/0x20
[  114.979535][   T13] 
[  114.979577][   T13] The buggy address belongs to the object at fff00000033c8dc0
[  114.979577][   T13]  which belongs to the cache kmalloc-64 of size 64
[  114.979665][   T13] The buggy address is located 32 bytes inside of
[  114.979665][   T13]  64-byte region [fff00000033c8dc0, fff00000033c8e00)
[  114.979717][   T13] 
[  114.979952][   T13] The buggy address belongs to the physical page:
[  114.980437][   T13] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xf6f00000033c8ac0 pfn:0x433c8
[  114.980867][   T13] flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
[  114.981329][   T13] page_type: f5(slab)
[  114.981935][   T13] raw: 01ffc00000000000 f3f0000003001600 dead000000000122 0000000000000000
[  114.982002][   T13] raw: f6f00000033c8ac0 000000008040003f 00000000f5000000 0000000000000000
[  114.982212][   T13] page dumped because: kasan: bad access detected
[  114.982289][   T13] 
[  114.982326][   T13] Memory state around the buggy address:
[  114.982649][   T13]  fff00000033c8b00: f7 f7 f7 fe f4 f4 f4 fe f7 f7 f7 fe f8 f8 f8 fe
[  114.982751][   T13]  fff00000033c8c00: f3 f3 f3 fe f7 f7 f7 fe fe fe fe fe fb fb fb fe
[  114.982815][   T13] >fff00000033c8d00: fa fa fa fe f4 f4 f4 f4 f0 f0 f0 fe fe fe fe fe
[  114.982887][   T13]                                                              ^
[  114.983007][   T13]  fff00000033c8e00: f6 f6 f6 fe f8 f8 f8 fe fc fc fc fe f1 f1 f1 fe
[  114.983040][   T13]  fff00000033c8f00: fa fa fa fe fd fd fd fe f8 f8 f8 fe fd fd fd fe
[  114.983116][   T13] ==================================================================
[  114.985249][   T13] Disabling lock debugging due to kernel taint
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[  116.119706][  T991] netdevsim netdevsim1 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[  116.191001][  T991] netdevsim netdevsim1 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[  116.276241][  T991] netdevsim netdevsim1 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[  116.394076][  T991] netdevsim netdevsim1 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[  117.097215][  T991] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[  117.135904][  T991] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[  117.171061][  T991] bond0 (unregistering): Released all slaves
[  117.305330][  T991] hsr_slave_0: left promiscuous mode
[  117.311052][  T991] hsr_slave_1: left promiscuous mode
[  117.347643][  T991] veth1_macvtap: left promiscuous mode
[  117.348338][  T991] veth0_macvtap: left promiscuous mode
[  117.349060][  T991] veth1_vlan: left promiscuous mode
[  117.350104][  T991] veth0_vlan: left promiscuous mode
[  118.608238][  T991] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[  118.686394][  T991] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[  118.759912][  T991] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[  118.840306][  T991] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[  119.553740][  T991] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[  119.605177][  T991] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[  119.669971][  T991] bond0 (unregistering): Released all slaves
[  119.801936][  T991] hsr_slave_0: left promiscuous mode
[  119.805768][  T991] hsr_slave_1: left promiscuous mode
[  119.820611][  T991] veth1_macvtap: left promiscuous mode
[  119.820882][  T991] veth0_macvtap: left promiscuous mode
[  119.821499][  T991] veth1_vlan: left promiscuous mode
[  119.821763][  T991] veth0_vlan: left promiscuous mode

VM DIAGNOSIS:
16:11:13  Registers:
info registers vcpu 0

CPU#0
 PC=ffff80008075b680 X00=0000000000000005 X01=ffff80008075b630
X02=fff000007f8d3c40 X03=000000008040003e X04=ffffc1ffc00cf220
X05=f6f00000033c8ac0 X06=000000008040003f X07=0000000000000000
X08=0000000000000000 X09=00000000000000c0 X10=209f7c220014615a
X11=00000000000000c0 X12=ffff800082a01290 X13=0000000000000000
X14=000000000000020f X15=ffff800081bd4430 X16=ffff800082de8000
X17=fff07ffffcef4000 X18=0000000000000000 X19=f6f0000003048c30
X20=0000000000000005 X21=0000000000000000 X22=0000000000000006
X23=ffff800082e20000 X24=ffff8000829e0f00 X25=0000000000000000
X26=f6f0000003024028 X27=0000000000000000 X28=faf000000318d280
X29=ffff800082debf50 X30=34cf80008014a718  SP=ffff800082debf50
PSTATE=804020c9 N--- EL2h  SVCR=00000000 --  BTYPE=0     FPCR=00000000 FPSR=00000000
P00=0000000000000000 P01=0000000000000000 P02=0000000000000000
P03=0000000000000000 P04=0000000000000000 P05=0000000000000000
P06=0000000000000000 P07=0000000000000000 P08=0000000000000000
P09=0000000000000000 P10=0000000000000000 P11=0000000000000000
P12=0000000000000000 P13=0000000000000000 P14=0000000000000000
P15=0000000000000000 FFR=0000000000000000
Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000001
Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:01048082a0881000:0004010000000806
Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:040030dc03200400:30d8030066706201
Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:30e80308040030e4:030c040030e00304
Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0a040030f4030804:0030f00300040030
Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0010004003021000:3003781000059003
Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffffffffdf0800:0312080006100020
Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000030:6e616c7701ffffff
Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:000001f40000000a
Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffee4acce0:0000ffffee4acce0
Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffee4accb0
Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
info registers vcpu 1

CPU#1
 PC=ffff80008092c008 X00=0000000000000002 X01=0000000000000030
X02=ffff800082e15030 X03=ffff800082badea8 X04=0000000000000001
X05=0a0a0a0a0a0a0a0a X06=0000000000000029 X07=0000000000000000
X08=7f7f7f7f7f7f7f7f X09=ffff800082baded8 X10=0000000000000001
X11=ffff8000831ebe20 X12=ffff800082adf208 X13=ffff8000831ebb8d
X14=ffff8000831ebb98 X15=ffff8000831eba00 X16=ffff800082df0000
X17=fff07ffffcf0d000 X18=00000000ffffffff X19=ffff8000831ebe20
X20=fbf0000003354080 X21=0000000000000000 X22=0000000000000000
X23=0000000000000000 X24=0000000000000000 X25=f6f00000031ae300
X26=0000000000000001 X27=0000000000000000 X28=0000000000000000
X29=ffff8000831ebce0 X30=ffff80008092c478  SP=ffff8000831ebce0
PSTATE=804020c9 N--- EL2h  SVCR=00000000 --  BTYPE=0     FPCR=00000000 FPSR=00000000
P00=0000000000000000 P01=0000000000000000 P02=0000000000000000
P03=0000000000000000 P04=0000000000000000 P05=0000000000000000
P06=0000000000000000 P07=0000000000000000 P08=0000000000000000
P09=0000000000000000 P10=0000000000000000 P11=0000000000000000
P12=0000000000000000 P13=0000000000000000 P14=0000000000000000
P15=0000000000000000 FFR=0000000000000000
Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffffffffffffff:ffff00ff00000000
Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffffffff0f0000
Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ff0000ff0000:ffff000000ff0000
Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:00f00f00ff000f00
Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:00000000cccccc00
Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000073:0000aaaad850bc90
Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000074:0000aaaad8508f70
Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffe6b5bd00:0000ffffe6b5bd00
Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffe6b5bcd0
Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000