last executing test programs: 1.889328049s ago: executing program 0 (id=12): mknod$loop(&(0x7f0000000140)='./file0\x00', 0xfff, 0x0) r0 = open$dir(&(0x7f0000000000)='./file1\x00', 0x48c40, 0x10) fchmodat(r0, &(0x7f0000000100)='./file0\x00', 0x1) r1 = socket(0x1e, 0x1, 0x0) recvmsg$unix(r1, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000180)=""/202, 0xca}], 0x1}, 0x2) mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x1c0) mknodat(0xffffffffffffff9c, &(0x7f00000000c0)='./file1/file2\x00', 0x8000, 0x0) r2 = landlock_create_ruleset(&(0x7f00000002c0)={0x2001}, 0x18, 0x0) landlock_restrict_self(r2, 0x0) renameat2(0xffffffffffffff9c, &(0x7f0000000480)='./file1/file2\x00', 0xffffffffffffff9c, &(0x7f00000004c0)='./file0\x00', 0x2) mprotect(&(0x7f00005ad000/0x4000)=nil, 0x4000, 0x5) r3 = syz_open_dev$tty1(0xc, 0x4, 0x1) ioctl$TIOCL_PASTESEL(r3, 0x4bfb, &(0x7f00000010c0)) 1.826239601s ago: executing program 0 (id=13): mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c0) (async) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCETHTOOL(r0, 0x8946, &(0x7f0000000000)={'netdevsim0\x00', &(0x7f00000002c0)=@ethtool_sfeatures={0x13}}) (async) mount$bind(&(0x7f0000000000)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0) (async) ioctl$X86_IOC_RDMSR_REGS(0xffffffffffffffff, 0xc02063a0, &(0x7f0000000100)=[0x1, 0x80000000, 0x401, 0xfffffffe, 0x8, 0x40, 0x3, 0x6]) mount$bind(0x0, &(0x7f00000005c0)='./file0\x00', 0x0, 0x100000, 0x0) mount$bind(&(0x7f0000000080)='./file0\x00', &(0x7f0000000100)='./file0/../file0\x00', 0x0, 0x8b101a, 0x0) (async) bpf$BPF_BTF_LOAD(0x12, &(0x7f0000001140)={&(0x7f0000001080)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0xc, 0xc, 0x2, [@restrict]}}, &(0x7f0000001100)=""/43, 0x26, 0x2b, 0x1, 0x5}, 0x20) (async) r1 = fsopen(&(0x7f0000000200)='ramfs\x00', 0x0) fsconfig$FSCONFIG_CMD_CREATE(r1, 0x6, 0x0, 0x0, 0x0) (async) r2 = fsmount(r1, 0x0, 0x3) (async, rerun: 32) mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c0) (rerun: 32) mount$tmpfs(0x0, &(0x7f0000000800)='./file0\x00', &(0x7f0000000180), 0x10410, &(0x7f0000000540)={[{@mpol={'mpol', 0x3d, {'bind', '', @void}}}]}) (async, rerun: 64) mount$tmpfs(0x0, &(0x7f0000000000)='./file0\x00', 0x0, 0x420, &(0x7f00000000c0)=ANY=[@ANYBLOB="6d706f6c3d696e74650100974b6f4140a2c5d9aadb0000000000"]) (rerun: 64) quotactl_fd$Q_SETQUOTA(r2, 0xffffffff80000802, 0xee01, 0x0) (async) ioctl$CDROM_SEND_PACKET(r2, 0x5393, &(0x7f0000000740)={"2c8eaa0ed1e624a8e21a7262", &(0x7f0000000680)="1d549230a7e42d", 0x7, 0x6, &(0x7f00000006c0)={0x6f, 0x1, 0x1, 0x2, 0x0, 0x1, 0x0, "504c93c4", 0x7, "ac7ce534", 0x6, 0x3, 0x0, "89fd91", "d5c4afab0c57eef8104328c6a1d86784ddf29a54bc6ccdff3cbb36ebad72912306080bfda88604187c7b224070f1"}, 0x2, 0x250729bc, 0x7, &(0x7f0000000700)}) (async) lstat(&(0x7f0000000300)='./file0/../file0\x00', &(0x7f00000003c0)={0x0, 0x0, 0x0, 0x0, 0x0}) fstat(0xffffffffffffffff, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) (async) getresgid(&(0x7f0000000340)=0x0, &(0x7f00000004c0), &(0x7f0000000500)) mount$bind(&(0x7f0000000580)='./file0/../file0\x00', &(0x7f0000000600)='./file0\x00', &(0x7f0000000640), 0x24c91, 0x0) (async) lsetxattr$system_posix_acl(&(0x7f0000000280)='./file0/file0\x00', &(0x7f00000002c0)='system.posix_acl_default\x00', &(0x7f0000000780)=ANY=[@ANYBLOB="02000004000ac2d7b098ca4fe15c7f48d407d96cd50dc331d60b80400b63b1206c63c1c45c84350f9b38e42ea634f494a6bdd04db1191ef306b8ada97dd1abc1232dbfb430", @ANYRES32=r3, @ANYBLOB="040000000000000008000100", @ANYRES32=r4, @ANYBLOB="08000600", @ANYRES32=r5, @ANYBLOB="10000400000000002000010000000000"], 0x3c, 0x0) (async, rerun: 64) fsconfig$FSCONFIG_SET_PATH(0xffffffffffffffff, 0x3, &(0x7f00000001c0)='/dev/cpu/#/msr\x00', &(0x7f0000000240)='./file0\x00', 0xffffffffffffff9c) (async, rerun: 64) mount$bind(&(0x7f0000000180)='./file0/file0\x00', &(0x7f0000000140)='./file0\x00', 0x0, 0x2181099, 0x0) (async) umount2(&(0x7f0000000380)='./file0\x00', 0x0) 1.825938892s ago: executing program 0 (id=14): r0 = socket$nl_route(0x10, 0x3, 0x0) (async, rerun: 64) r1 = socket(0x10, 0x803, 0x2) (rerun: 64) syz_genetlink_get_family_id$mptcp(&(0x7f00000000c0), r1) (async, rerun: 32) getsockname$packet(r1, &(0x7f0000000680)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000003c0)=0x14) (async, rerun: 32) r3 = socket$netlink(0x10, 0x3, 0x0) (async) r4 = socket(0x10, 0x803, 0x0) sendmsg$nl_route_sched(r4, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000380)={0x0, 0x24}}, 0x0) (async) getsockname$packet(r4, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x2ba) sendmsg$nl_route(r3, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000140)=ANY=[@ANYBLOB="3c0000001000850619fbb7c75150926b00000000", @ANYRES32=r5, @ANYBLOB="fe000000000000001c0012000c000100626f6e64000000000c0002000800010004"], 0x3c}}, 0x0) (async, rerun: 64) r6 = socket(0x1, 0x803, 0x0) (rerun: 64) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000002c0)=0x14) sendmsg$nl_route(r4, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000940)=@newlink={0x3c, 0x10, 0x401, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x0, 0x12}, [@IFLA_LINKINFO={0x14, 0x12, 0x0, 0x1, @bridge={{0xb}, {0x4}}}, @IFLA_MASTER={0x8, 0xa, r7}]}, 0x3c}}, 0x0) (async) sendmsg$nl_route(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000040)=ANY=[@ANYBLOB="3c0000001000010400eeffff11ffffffff000000", @ANYRES32=r2], 0x3c}}, 0x0) (async) syz_open_dev$tty1(0xc, 0x4, 0x1) 1.094269958s ago: executing program 2 (id=15): r0 = socket$inet_mptcp(0x2, 0x1, 0x106) setsockopt$sock_int(r0, 0x1, 0x20, &(0x7f0000000000)=0xfff, 0x4) r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$netlbl_mgmt(&(0x7f0000000040), r1) sendmsg$NLBL_MGMT_C_ADDDEF(r1, &(0x7f00000002c0)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000280)=ANY=[@ANYBLOB="14000000", @ANYRES16=r2, @ANYBLOB="310500000000feffffff05000000"], 0x21}}, 0xa000000) r3 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_CREATE(r3, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000500)=ANY=[@ANYBLOB="5800000002060300000034e40000000000000008050005000a000000050001000600000005000400000000000900020073797a310000000011000300686173683a69702c706f7274000000000c0007800800064051"], 0x58}, 0x1, 0x0, 0x0, 0x24000801}, 0x0) r4 = socket$nl_generic(0x10, 0x3, 0x10) r5 = syz_genetlink_get_family_id$ethtool(&(0x7f00000001c0), 0xffffffffffffffff) mbind(&(0x7f00005b4000/0x4000)=nil, 0x100000000004000, 0x0, 0x0, 0x0, 0x2) socket$inet(0x2, 0x0, 0x5) sendmsg$ETHTOOL_MSG_RINGS_SET(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000200)={0x3c, r5, 0x1, 0x0, 0xfffffffc, {}, [@ETHTOOL_A_RINGS_RX={0x8, 0x6, 0x2}, @ETHTOOL_A_RINGS_HEADER={0x18, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'wlan0\x00'}]}, @ETHTOOL_A_RINGS_RX_MINI={0x8, 0x7, 0x2}]}, 0x3c}, 0x1, 0x0, 0x0, 0x2}, 0x4040880) r6 = socket$nl_netfilter(0x10, 0x3, 0xc) ioctl$OCFS2_IOC_MOVE_EXT(r6, 0x40406f06, &(0x7f0000000200)={0x8, 0x3, 0x2c9, 0x3, 0x7}) sendmsg$IPSET_CMD_ADD(r6, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)=ANY=[@ANYBLOB="54000000090601020000000000000000020000000900020073797a310000000005000100070000002c0007801800018014000240fe80000000000000000000007649ec6106000440000400000500070006"], 0x54}, 0x1, 0x0, 0x0, 0x10000082}, 0x80) sendmsg$NLBL_MGMT_C_ADDDEF(0xffffffffffffffff, &(0x7f00000000c0)={&(0x7f0000000040), 0xc, &(0x7f0000000080)={&(0x7f0000000140)={0x90, r2, 0x200, 0x70bd24, 0x25dfdbfe, {}, [@NLBL_MGMT_A_CV4DOI={0x0, 0x4, 0xffffffffffffffff}, @NLBL_MGMT_A_PROTOCOL={0x8, 0x2, 0x5}, @NLBL_MGMT_A_IPV4MASK={0x8, 0x8, @local}, @NLBL_MGMT_A_CLPDOI={0x8, 0xc, 0x2}, @NLBL_MGMT_A_IPV6ADDR={0xc, 0x5, @mcast1}, @NLBL_MGMT_A_IPV6MASK={0x14, 0x6, @remote}, @NLBL_MGMT_A_IPV6MASK={0x14, 0x6, @mcast2}, @NLBL_MGMT_A_IPV6ADDR={0x14, 0x5, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}}, @NLBL_MGMT_A_DOMAIN={0xb, 0x1, '\a-@}]/\x00'}]}, 0x90}, 0x1, 0x0, 0x0, 0x8000}, 0x0) connect$inet(r0, &(0x7f0000000100)={0x2, 0x0, @remote}, 0x10) 1.091186085s ago: executing program 0 (id=21): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x2400, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = syz_kvm_setup_syzos_vm$x86(r1, &(0x7f0000bff000/0x400000)=nil) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) r3 = syz_kvm_add_vcpu$x86(r2, &(0x7f0000000080)={0x0, 0x0}) ioctl$KVM_SET_SREGS(r3, 0x4138ae84, &(0x7f0000000200)={{0x50000, 0x1, 0x9, 0x1, 0xcd, 0x9, 0x6, 0x1, 0x0, 0x3, 0x5, 0xeb}, {0x3000, 0x80a0000, 0xd, 0xe, 0x5, 0x7, 0x4, 0x14, 0x4, 0x5, 0x0, 0x1}, {0xeeee0000, 0x102f8000, 0x19, 0x7f, 0x6, 0x7, 0x81, 0x3, 0x80, 0x1, 0xe, 0x78}, {0xeeef0000, 0x200000, 0x0, 0x3, 0x6, 0x9, 0xc3, 0x0, 0x0, 0x0, 0x80, 0x2e}, {0xc000, 0x2000, 0xa, 0xff, 0x8, 0x8, 0x6, 0x7, 0x6, 0x6, 0x4, 0xfc}, {0x10d000, 0x0, 0x9, 0xb9, 0x6, 0x5, 0x42, 0x6, 0x5, 0x1, 0xd, 0x9}, {0xdddd1000, 0x0, 0x0, 0x1, 0xa, 0x8, 0x4, 0x63, 0x1c, 0x5, 0x1, 0xd}, {0xdddd1000, 0x4000, 0xa, 0x23, 0xc, 0x3, 0xb, 0x4a, 0x7, 0x8, 0x43, 0xb}, {0x60000, 0x5}, {0xffff1000}, 0x0, 0x0, 0xdddd0000, 0x150690, 0x3, 0x4000, 0xeeee0c00, [0x1, 0x1004, 0x4, 0x1000]}) ioctl$KVM_GET_LAPIC(r3, 0x8400ae8e, &(0x7f0000000b40)) syz_open_procfs(0x0, &(0x7f0000000240)='clear_refs\x00') r4 = socket$nl_xfrm(0x10, 0x3, 0x6) lseek(r4, 0xc738, 0x4) r5 = syz_clone(0x2280, 0x0, 0x0, 0x0, 0x0, 0x0) pread64(0xffffffffffffffff, 0x0, 0x0, 0x0) r6 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r6, 0x6, 0x13, &(0x7f0000000040)=0x100000001, 0x76dc) connect$inet6(r6, &(0x7f0000000100)={0xa, 0x0, 0x7, @ipv4={'\x00', '\xff\xff', @local}, 0x1}, 0x1c) setsockopt$inet6_tcp_TCP_ULP(r6, 0x6, 0x1f, &(0x7f00000002c0), 0x4) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r6, 0x6, 0x14, &(0x7f0000000400)=0x1, 0x4) setsockopt$inet6_tcp_TLS_TX(r6, 0x11a, 0x2, &(0x7f00000001c0)=@ccm_128={{0x304}, "b39625e03be22ead", "8da0640c9e8f6b81143f1a1a6d81ee2b", "3b0e7088", "19a4216dfdbf6602"}, 0x28) syz_genetlink_get_family_id$ethtool(&(0x7f0000000200), r6) rt_sigqueueinfo(r5, 0x13, &(0x7f0000000000)={0x24, 0xfe81, 0xffffffff}) tkill(0x0, 0x13) openat$procfs(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$SG_BLKTRACESETUP(0xffffffffffffffff, 0xc0481273, 0x0) bind$inet(0xffffffffffffffff, 0x0, 0x0) sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0xc806, 0x0, 0x0) sendmsg$nl_xfrm(r4, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000340)=ANY=[@ANYBLOB="94010000100001002bbd700000000000fe8800000000000000000000000000017f0000010007000000000000000000000000ecdf000002000000000000000000e646", @ANYRES32=0x0, @ANYRES32=0x0, @ANYRESHEX=r5], 0x194}}, 0x4050) r7 = socket$inet6_sctp(0xa, 0x1, 0x84) setsockopt$inet_sctp6_SCTP_PARTIAL_DELIVERY_POINT(r7, 0x84, 0x13, &(0x7f0000000140)=0xe, 0x4) bind$inet6(r7, &(0x7f00004b8fe4)={0xa, 0x4e23, 0xfffffffd, @loopback, 0x3}, 0x1c) sendto$inet6(r7, &(0x7f0000847fff)='X', 0x34000, 0x0, &(0x7f000005ffe4)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) 992.252666ms ago: executing program 2 (id=16): r0 = syz_open_dev$vim2m(&(0x7f0000000440), 0x8, 0x2) r1 = openat$autofs(0xffffffffffffff9c, &(0x7f00000002c0), 0x0, 0x0) bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x11, 0xb, 0x0, &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) ioctl$AUTOFS_DEV_IOCTL_CATATONIC(r1, 0xc018937e, &(0x7f0000000200)={{0x1, 0x1, 0x29}, './file0\x00'}) ioctl$vim2m_VIDIOC_REQBUFS(r0, 0xc0145608, &(0x7f00000000c0)={0xffff, 0x2, 0x4}) ioctl$vim2m_VIDIOC_EXPBUF(r0, 0xc0405668, &(0x7f0000000100)={0x3, 0x3, 0x2}) r2 = openat$comedi(0xffffffffffffff9c, &(0x7f0000000080)='/dev/comedi0\x00', 0x400, 0x0) ioctl$COMEDI_DEVCONFIG(r2, 0x40946400, 0x0) (async) ioctl$COMEDI_DEVCONFIG(r2, 0x40946400, 0x0) ioctl$vim2m_VIDIOC_QUERYCAP(r0, 0x80685600, &(0x7f0000000000)) (async) ioctl$vim2m_VIDIOC_QUERYCAP(r0, 0x80685600, &(0x7f0000000000)) ioctl$COMEDI_DEVCONFIG(r2, 0x40946400, &(0x7f00000000c0)={'aio_iiro_16\x00', [0x8001, 0xa, 0x1, 0xffffffff, 0x0, 0xccb, 0x8, 0x7, 0xe, 0x2, 0x8, 0xe, 0x8, 0x4, 0x6, 0xffffffff, 0x1, 0x1a449, 0x3, 0x40000003, 0x89, 0x2, 0xf27, 0x6, 0xb, 0x8, 0x5, 0x8, 0x4, 0x1ae, 0xfffffff5]}) (async) ioctl$COMEDI_DEVCONFIG(r2, 0x40946400, &(0x7f00000000c0)={'aio_iiro_16\x00', [0x8001, 0xa, 0x1, 0xffffffff, 0x0, 0xccb, 0x8, 0x7, 0xe, 0x2, 0x8, 0xe, 0x8, 0x4, 0x6, 0xffffffff, 0x1, 0x1a449, 0x3, 0x40000003, 0x89, 0x2, 0xf27, 0x6, 0xb, 0x8, 0x5, 0x8, 0x4, 0x1ae, 0xfffffff5]}) 917.402225ms ago: executing program 2 (id=17): r0 = openat$tun(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101}) socket$netlink(0x10, 0x3, 0x0) (async) r1 = socket$netlink(0x10, 0x3, 0x0) r2 = socket$nl_route(0x10, 0x3, 0x0) socket$unix(0x1, 0x1, 0x0) (async) r3 = socket$unix(0x1, 0x1, 0x0) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000100)={'syzkaller0\x00'}) (async) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0}) sendmsg$nl_route_sched(r2, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)=@newqdisc={0x2c, 0x24, 0x4ee4e6a52ff56541, 0x70bd26, 0xffffffff, {0x0, 0x0, 0x0, r4, {0x0, 0x6}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_qfg={0x8}]}, 0x2c}}, 0x24040084) sendmsg$nl_route_sched(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000540)={&(0x7f0000000400)=@newqdisc={0x34, 0x28, 0x4ee4e6a52ff56541, 0x4001, 0xfffffdfc, {0x0, 0x0, 0x0, r4, {0xffff}, {0xffff, 0xffff}, {0x2, 0xa}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x4}}]}, 0x34}, 0x1, 0x0, 0x0, 0x400dc}, 0x20004000) r5 = socket$netlink(0x10, 0x3, 0x0) r6 = socket$unix(0x1, 0x1, 0x0) ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0}) userfaultfd(0x801) (async) r8 = userfaultfd(0x801) ioctl$UFFDIO_API(r8, 0xc018aa3f, &(0x7f00000000c0)) mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x4000002, 0x5d031, 0xffffffffffffffff, 0x0) r9 = userfaultfd(0x80001) ioctl$UFFDIO_API(r9, 0xc018aa3f, &(0x7f0000000100)) ioctl$UFFDIO_REGISTER(r9, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x5}) ioctl$UFFDIO_CONTINUE(r9, 0xc020aa08, &(0x7f00000000c0)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}}) ioctl$UFFDIO_CONTINUE(r8, 0xc020aa08, &(0x7f0000000040)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}}) (async) ioctl$UFFDIO_CONTINUE(r8, 0xc020aa08, &(0x7f0000000040)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}}) sendmsg$nl_route_sched(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000000c0)=@newqdisc={0x30, 0x28, 0x4ee4e6a52ff56541, 0x3fff, 0x25dfdbfb, {0x0, 0x0, 0x0, r7, {0x4}, {0xffff, 0xffff}, {0xfff1, 0x1}}, [@qdisc_kind_options=@q_hhf={{0x8}, {0x4}}]}, 0x30}, 0x1, 0x0, 0x0, 0xdc}, 0x0) (async) sendmsg$nl_route_sched(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000000c0)=@newqdisc={0x30, 0x28, 0x4ee4e6a52ff56541, 0x3fff, 0x25dfdbfb, {0x0, 0x0, 0x0, r7, {0x4}, {0xffff, 0xffff}, {0xfff1, 0x1}}, [@qdisc_kind_options=@q_hhf={{0x8}, {0x4}}]}, 0x30}, 0x1, 0x0, 0x0, 0xdc}, 0x0) socket$nl_route(0x10, 0x3, 0x0) (async) r10 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r10, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000340)=@newtaction={0x6c, 0x30, 0xffff, 0x0, 0x0, {}, [{0x58, 0x1, [@m_ife={0x54, 0x1, 0x0, 0x0, {{0x8}, {0x2c, 0x2, 0x0, 0x1, [@TCA_IFE_PARMS={0x1c, 0x1, {{}, 0x1}}, @TCA_IFE_SMAC={0xa, 0x4, @remote}]}, {0x4}, {0xc}, {0xc}}}]}]}, 0x6c}}, 0x0) 917.168871ms ago: executing program 0 (id=18): r0 = socket$nl_rdma(0x10, 0x3, 0x14) sendmsg$RDMA_NLDEV_CMD_RES_MR_GET(r0, &(0x7f00000004c0)={0x0, 0x0, &(0x7f0000000480)={&(0x7f0000000440)={0x10, 0x140d, 0x1, 0x70bd2c, 0x25dfdbfc}, 0x10}}, 0x4000000) syz_emit_ethernet(0x36, &(0x7f0000000080)={@local, @random="429e82211cf8", @void, {@ipv6={0x86dd, @generic={0xa, 0x6, "7abd6a", 0x0, 0x67, 0x1, @private0, @mcast2}}}}, 0x0) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000640), 0x400000, 0x0) r2 = openat$nvme_fabrics(0xffffffffffffff9c, &(0x7f00000000c0), 0x204000, 0x0) write$P9_ROPEN(r2, &(0x7f0000000100)={0x18, 0x71, 0x1, {{0x0, 0x1}, 0x5}}, 0x18) copy_file_range(r1, &(0x7f0000000000)=0x8, r0, 0x0, 0x3, 0x0) ioctl$SNDCTL_DSP_SETFMT(r1, 0xc0045005, &(0x7f0000000040)=0xfffffffd) mmap$dsp(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x100000b, 0x8012, r1, 0x0) 898.557091ms ago: executing program 1 (id=2): r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket(0x10, 0x803, 0x0) sendmsg$nl_route_sched(r1, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000003c0)={0x0, 0x24}}, 0x0) getsockname$packet(r1, &(0x7f00000000c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000180)=0x14) sendmsg$nl_route(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000040)=ANY=[@ANYBLOB="3c0000001000010400eeffffffff00f687000000", @ANYRES32=r2, @ANYBLOB="01000000010000001c0012000c00010062"], 0x3c}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000940)=@newqdisc={0x470, 0x24, 0xe0b, 0x0, 0x0, {0x0, 0x0, 0x0, r2, {}, {0xffff, 0xffff}, {0xffe0}}, [@qdisc_kind_options=@q_tbf={{0x8}, {0x444, 0x2, [@TCA_TBF_PARMS={0x28, 0x1, {{0x7, 0x1, 0x4, 0x0, 0xc, 0x1ff}, {0xa, 0xc4caa398de48f0ed, 0x8, 0x0, 0x1000, 0x10001}, 0x40004, 0x2, 0xcb8}}, @TCA_TBF_PBURST={0x8, 0x7, 0x1fc0}, @TCA_TBF_RATE64={0xc, 0x4, 0x539f006f006f6a1d}, @TCA_TBF_PTAB={0x404, 0x3, [0x0, 0x5, 0x2, 0xde2d, 0x1b5, 0xc0000000, 0x0, 0x0, 0x2, 0x9, 0x1, 0x9, 0xf, 0x3, 0x8, 0x5, 0x1, 0xc, 0x5, 0x1, 0x1, 0x3, 0x8, 0x73, 0x2, 0x5, 0x6f3, 0x1, 0x8, 0x4, 0x8, 0x0, 0x2, 0xffff, 0x7, 0x5, 0x4, 0xe, 0x4, 0x7fffffff, 0x200, 0x8, 0x0, 0x8c, 0x1000, 0xfffffff9, 0x2, 0x0, 0x5, 0x1, 0x8, 0x1, 0x1, 0x4, 0x4, 0x7fffffff, 0x2, 0x400, 0x3, 0x9, 0x5, 0x401, 0x200, 0x2009, 0x7fffffff, 0x8, 0x8, 0x99ab, 0xffffffff, 0x9, 0x9, 0x6, 0xb95e, 0x10000, 0x5, 0x2, 0x1, 0x7ff, 0x1, 0x0, 0x0, 0x4, 0x38a1df6b, 0x6, 0xfff, 0x8, 0x0, 0xf05, 0xffffffb2, 0x400004, 0x6, 0x2ea, 0x2, 0x1, 0x8, 0x80000000, 0x3c38, 0xfffffffe, 0xd, 0xfffffffb, 0xfffffffa, 0x3, 0x9, 0x1, 0x7, 0x6, 0x7fff, 0x8, 0x61f8, 0x0, 0xfffff20d, 0x26, 0x5, 0x1, 0x7, 0x101, 0xffffffff, 0x4, 0x1, 0x40, 0x6, 0x380, 0x510b, 0x9, 0xcca9, 0x4, 0x80000, 0x1ff, 0x7, 0x0, 0x4, 0x7, 0x5, 0x0, 0x9, 0x8, 0x4, 0x1, 0x33, 0x8, 0x0, 0xd9c, 0xfffffff8, 0xffff00, 0xfffffff5, 0x5162, 0xe5b, 0x1, 0xe, 0x3, 0x2, 0x4, 0x2, 0x32b6, 0x40, 0x2, 0xb2, 0x400, 0x80, 0x6, 0x3, 0xfffffffa, 0x2, 0x18f, 0x10000, 0x2, 0x4, 0xfffff48f, 0x0, 0x2800000, 0x100, 0x3d, 0x2, 0x1, 0x0, 0xd, 0x6, 0x3, 0x4a, 0x4, 0xffffffff, 0x5, 0x1, 0x1, 0x2, 0x2, 0x2, 0x6, 0x7a2, 0x40, 0x4, 0xe, 0x7, 0x2340214f, 0x6, 0x5, 0x9, 0x6, 0x3, 0x7, 0x4aff, 0x5, 0xffffffff, 0x4, 0xfff, 0x0, 0x5, 0x7, 0x8, 0x7, 0xfffffff9, 0x80000001, 0x1, 0xe, 0x0, 0xfff, 0x3ff, 0x8, 0x7fff, 0x7ff, 0x5, 0x3, 0x6, 0x1, 0x1ff, 0xd4, 0xfffffff7, 0x7, 0x518, 0xffffffff, 0x7ef, 0x2, 0x2, 0x8, 0x80, 0xffff, 0x0, 0x1, 0x2, 0xe, 0x401, 0x3, 0x800, 0x6, 0x9, 0xfffffffb, 0x2, 0x8, 0x80, 0x6, 0x2, 0x7, 0xd9f, 0x7f, 0x2, 0x3]}]}}]}, 0x470}}, 0x4000080) 767.754667ms ago: executing program 2 (id=19): r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000003c0)=ANY=[@ANYRES8=r0], 0x7c}, 0x1, 0x0, 0x0, 0x24040881}, 0x11) r2 = socket$nl_xfrm(0x10, 0x3, 0x6) r3 = socket$netlink(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000000c0)={'ip6tnl0\x00', 0x0}) sendmsg$nl_route(r3, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000300)=ANY=[@ANYRESHEX=r2, @ANYRES32=r4, @ANYBLOB="4000100a14000100000000000000000000000000000000010a000200", @ANYRES32=0x0, @ANYRES16=r3, @ANYRESOCT=r1, @ANYRES8=r0, @ANYRES32], 0x3c}, 0x1, 0x0, 0x0, 0x40000}, 0x0) r5 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000080), 0x400000000a882, 0x0) r6 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r6, &(0x7f0000000100)={0xa, 0x4e22}, 0x1c) listen(r6, 0x10040) setsockopt$SO_BINDTODEVICE(r6, 0x1, 0x19, &(0x7f0000000040)='wg0\x00', 0x10) syz_emit_ethernet(0x36, &(0x7f0000000280)=ANY=[@ANYBLOB="aaaaaaaaaaaaaaaaaaaaaa32080045000028006700000206907864010001ac1414aa00004e22", @ANYRES32=0x41424344, @ANYRES32=0x41424344, @ANYBLOB="5cc200009078000094c8c1c20f10907750d8528434a1d50298af3d3a8c0e958115c7ce929355b6fc"], 0x0) syz_emit_ethernet(0x36, &(0x7f0000000200)={@local, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x32}, @void, {@ipv4={0x800, @tcp={{0x5, 0x4, 0x0, 0x0, 0x28, 0x65, 0x0, 0x2, 0x6, 0x0, @rand_addr=0x64010001, @local}, {{0x0, 0x4e22, 0x41424344, 0x41424344, 0x0, 0x6, 0x5, 0x40}}}}}}, 0x0) r7 = dup(r5) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000002, 0x28011, r7, 0x0) r8 = socket$nl_netfilter(0x10, 0x3, 0xc) recvmsg(r8, &(0x7f0000001700)={0x0, 0x0, 0x0}, 0x0) sendmsg$IPSET_CMD_LIST(r8, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)={0x1c, 0x7, 0x6, 0x801, 0x0, 0x0, {0xa, 0x0, 0x4}, [@IPSET_ATTR_PROTOCOL={0x5}]}, 0x1c}, 0x1, 0x0, 0x0, 0x20000005}, 0x80) ioctl$KDSKBENT(0xffffffffffffffff, 0x4b47, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x15) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x17) sendmsg$NFT_BATCH(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000b00)={&(0x7f0000000040)={{0x14, 0x10, 0x1, 0x0, 0x0, {0xa}}, [@NFT_MSG_NEWRULE={0x74, 0x6, 0xa, 0x401, 0x0, 0x0, {0x2}, [@NFTA_RULE_EXPRESSIONS={0x48, 0x4, 0x0, 0x1, [{0x44, 0x1, 0x0, 0x1, @match={{0xa}, @val={0x34, 0x2, 0x0, 0x1, [@NFTA_MATCH_NAME={0x9, 0x1, 'time\x00'}, @NFTA_MATCH_INFO={0x1c, 0x3, "07682c020b7b37f27f5101007f51010049f4e34e86f469eb"}, @NFTA_MATCH_REV={0x8}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz2\x00'}]}], {0x14}}, 0x9c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0) r9 = socket$l2tp6(0xa, 0x2, 0x73) r10 = syz_genetlink_get_family_id$nl80211(&(0x7f0000003840), 0xffffffffffffffff) r11 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r11, 0x8933, &(0x7f0000000040)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_REGISTER_BEACONS(r11, &(0x7f0000003900)={0x0, 0x0, &(0x7f00000038c0)={&(0x7f0000001500)=ANY=[@ANYBLOB='0\x00\x00\x00', @ANYRES16=r10, @ANYBLOB="010007bd7000fddbdf2555000000080001006400000008000300", @ANYRES32=r12], 0x30}, 0x1, 0x0, 0x0, 0x40000a0}, 0x810) bind$l2tp6(r9, &(0x7f0000000080)={0xa, 0x0, 0x7, @remote, 0x0, 0x4}, 0x20) openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000140), 0x2, 0x0) openat$cgroup_ro(r7, &(0x7f0000000180)='cgroup.controllers\x00', 0x0, 0x0) 767.286764ms ago: executing program 0 (id=26): r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x0) bind$bt_l2cap(r0, &(0x7f00000002c0)={0x1f, 0x0, @any, 0xfffa}, 0xe) r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000000)={0x1b, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x5, '\x00', 0x0, 0xffffffffffffffff, 0x5, 0x1, 0x1}, 0x50) r2 = socket$nl_route(0x10, 0x3, 0x0) r3 = socket$can_j1939(0x1d, 0x2, 0x7) ioctl$ifreq_SIOCGIFINDEX_vcan(r3, 0x8933, &(0x7f00000000c0)={'vcan0\x00', 0x0}) bind$can_j1939(r3, &(0x7f0000000340)={0x1d, r4, 0x0, {0x2, 0x0, 0x6}, 0xfe}, 0x18) sendmsg$nl_route_sched(r2, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000080)=@newtfilter={0x24, 0x11, 0x1, 0x70bd26, 0x25dfdbfc, {0x0, 0x0, 0x74, r4, {0xb, 0xfff2}, {0xfff1, 0x9}, {0x2, 0xd}}}, 0x24}, 0x1, 0xf0ffffffffffff, 0x0, 0x4012}, 0x20000050) r5 = openat$selinux_policy(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0) pipe(&(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}) bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000340)={{0xffffffffffffffff, 0xffffffffffffffff}, &(0x7f0000000280), &(0x7f0000000300)='%-5lx \x00'}, 0x20) r8 = bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0xe, 0x4, &(0x7f0000000540)=ANY=[@ANYBLOB="b4050000fdff7f006110580000000000c60000000000000095000000000000009f33ef60916e6e713f1eeb0b725ad99b817fd98cd824498949714ffaac8a6f770600dcca55f21f3ca9e822d182054d54d53cd2b6db714e4beb5447000001000000008f2b9000f22425e4097ed62cbc891061017cfa6fa26fa7088c60897d4a6148a1c1e43f00001bde60beac671e8e8fdecb03588aa623fa71f31bf0f871ab5c2ff88afc60027f4e5b5271ed58e835cf0d0000000098b51fe6b1b8d9dbe87dcff414ed000000000000000000000000000000000000000000000000000000b347abe6352a080f8140e5fd10747b6ecdb3540546bf636e3d6e700e5b0500000000000000eb9e1403e6c8f7a187eaf60f3a17f0f046a307a403c19d9829c90bd2114252581567acae715cbe1b57d5cda432c5b910400623d24195405f2e76ccb7b37b41215c184e731fb1"], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xfd90, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @sk_skb, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x366, 0x10, &(0x7f0000000000), 0x1dd}, 0x48) r9 = bpf$MAP_CREATE(0x0, &(0x7f0000000200)=ANY=[@ANYBLOB="0f000000040000000400000012"], 0x48) bpf$BPF_LINK_CREATE(0x1c, &(0x7f00000001c0)={r8, r9, 0x26, 0x0, @void}, 0x10) r10 = openat$binder_debug(0xffffffffffffff9c, &(0x7f0000000000)='/sys/kernel/debug/binder/transaction_log\x00', 0x0, 0x0) lseek(r10, 0x851, 0x1) r11 = bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000380)={0x3, 0x4, 0x4, 0xa, 0x0, 0x1, 0x47, '\x00', 0x0, 0xffffffffffffffff, 0x2, 0x0, 0x2}, 0x50) r12 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000400)={0x2, 0x4, 0x8, 0x1, 0x80, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x5, 0x3}, 0x50) bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x1b, 0x14, &(0x7f0000000080)=@ringbuf={{0x18, 0x0, 0x0, 0x0, 0xffffffff, 0x0, 0x0, 0x0, 0x2}, {{0x18, 0x1, 0x1, 0x0, r1}}, {}, [@cb_func={0x18, 0x9, 0x4, 0x0, 0x6}, @generic={0xd, 0x1, 0x0, 0x80, 0x7}, @btf_id={0x18, 0xb, 0x3, 0x0, 0x2}], {{}, {}, {0x85, 0x0, 0x0, 0x1}}}, &(0x7f0000000140)='GPL\x00', 0x360d, 0x5a, &(0x7f0000000180)=""/90, 0x41000, 0x25, '\x00', r4, @fallback=0x2e, r5, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8, &(0x7f0000000480)=[r6, r7, r9, r10, r11, r12], &(0x7f00000004c0)=[{0x0, 0x4, 0xe, 0xb}, {0x2, 0x2, 0xf}, {0x2, 0x3, 0xc, 0x3}, {0x3, 0x4, 0x6, 0x1}, {0x3, 0x2, 0x7}, {0x1, 0x4, 0xc, 0x3}, {0x0, 0x5, 0x1, 0x7}, {0x3, 0x4, 0x5, 0xa}], 0x10, 0x800}, 0x94) listen(r0, 0x0) 477.676449ms ago: executing program 3 (id=4): r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$batadv(&(0x7f0000000400), 0xffffffffffffffff) (async) ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r0, 0x8933, &(0x7f0000000440)={'batadv0\x00', 0x0}) capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040)={0x200000, 0x200003, 0x0, 0x0, 0x3}) r3 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6) open_by_handle_at(r3, &(0x7f00000000c0)=@ceph_nfs_snapfh={0x1c, 0x4e, {0x9, 0x9, 0x7, 0x5a12}}, 0x1110a0) (async) sendmsg$BATADV_CMD_SET_MESH(r0, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000000c0)={0x24, r1, 0x1, 0x4070bd28, 0x5, {}, [@BATADV_ATTR_MESH_IFINDEX={0x8, 0x3, r2}, @BATADV_ATTR_DISTRIBUTED_ARP_TABLE_ENABLED={0x5, 0x2f, 0x1}]}, 0x24}}, 0x18) 361.815798ms ago: executing program 2 (id=20): r0 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000100)=[{0x6, 0x2, 0x0, 0x7fff0000}]}) r1 = socket$inet6_sctp(0xa, 0x1, 0x84) bind$inet6(r1, &(0x7f0000000000)={0xa, 0x4e23, 0x0, @empty}, 0x1c) sendto$inet6(r1, &(0x7f0000000180)=':', 0x1, 0x24044013, &(0x7f0000000200)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) sendto$inet6(r1, &(0x7f0000000c80)="7cffa9061b2f8b082b6f69ae50430c8a8b6aa3162ba083c4a52e1ab0ac50ed4a19b1a69988000d5bed4433daaa4932dbb1cb3550dee8b23579d76ce37d574b43fca1eed8ebd38d1303240ed0d84517692128dd5aef5c4d60a6659952a1437c6f0ac3ed75806011ccbaa504f41a7e0abcf8823bc4a71ef8c52c2b297b539eaf752c56ebfe9b0542543069257dafcbf76c958d4cbf4eaaa67c5c2bd9e6518be34b56add7613ab83d389724b664e62c154e1a5aac073a53a0e8cadcf51ef495ebbcc77d5e36ff24c3f282289cc077374b714e08fbfecbdc8f14ef3fd409af4caf6fcb7d663beab335f239a1e93b399c93d7c036e1b39a7c477945f82b6dde53b1c21b590a58ba688ac4fb530d2c5b1195a127d2eaec840ab59f090d7047c278611e080cebe7b28588c11a44be99fe6f88c73441bf625b70565669997f4c3cda5afe1d6429908a69a459d35ba8c2f28076d8711f2667de749a783fac94ebd02680f20fb723c35c287a1f45064846385750665ffa74579083fbb1b1d6b7c90168252b1c5313544569203e7adb8e271a94f7413e5cfd6aa3157c4fc29bddba3683fcd032aecb513b2f27530fbefa0000000000000003c058e812d8db87de5e3eceae268b91f7d59daf77646fa4df99877dd5a9540934c7af91b96486eea62897be6acbe1bae8e46b112f1385e7cea9e4daccc6f1b98ce3b4322af8299a45ddcb5be8d3e469fdde9896ca324a2f3c88c616a7dccde331698ce2d39f96220251011b4dfbec953b5c30e94adb5586cec0af234859805bb7df1101ae80318ff127e913178d79cfa918d54585b6184255e872e2dc33a5c7c30a756bbd63c32a3e6a22863781747d185acb64583976c4289394d642b07d18e2932d0a78bd2ccf92b3e94e82f1e9239fa272402f4c9efcf068709a44d6f652a4f23df89f9a15e6bf0c7e65d8f3e32c35e83d30298074d16cb5ff4ded1df81009bbae888fceb9a8109ba319605e1776e52d2069b5cd7de07cf8dc488ba6a9c7559ff49674a490991f323736f302004007d0ccf2e5eaceac6b56f48f2b00592d7a378f118d8b3e5ecd2035c8252374c91bc79cf26ac11ddffe2c09e1aa032da0713732387f950e3f4e301eb1d26e5a2b19318e50d555c832e279894d8c9b03e8940738c0fe391b29907d0d5f9214d6e697a19247f4e8221aca2ac47debd7c45b8344941cbecbaf44af343b24a4f88caf207d72002fb8b7d156997cb7275f535e6a9d6480046246e60bea0cf6f54abc69ff9418b6cb9301eb6890227215b633a886fb13c89698e51e482c42ca99613b20e22e5ce15272f5bda8b18cf53d49130a94135dd8a9692c", 0x34000, 0xbcff, 0x0, 0x0) shutdown(r1, 0x1) r2 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x2}) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$unix(0x1, 0x5, 0x0) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0}) sendmsg$nl_route_sched(r3, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000140)=@newqdisc={0x44, 0x24, 0x4ee4e6a52ff56541, 0x70bd28, 0xffffffff, {0x0, 0x0, 0x0, r5, {0x0, 0xfff1}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_hfsc={{0x9}, {0x14, 0x2, @TCA_HFSC_FSC={0x10, 0x2, {0x5, 0x7, 0x8000b3}}}}]}, 0x44}, 0x1, 0x0, 0x0, 0x4000000}, 0x20000884) r6 = socket$nl_route(0x10, 0x3, 0x0) r7 = socket$unix(0x1, 0x5, 0x0) ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0}) sendmsg$nl_route_sched(r6, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000400)=@newqdisc={0x48, 0x28, 0x4ee4e6a52ff56541, 0x4001, 0xffffbddc, {0x0, 0x0, 0x0, r8, {0x6}, {}, {0xfff2, 0x1}}, [@qdisc_kind_options=@q_cbs={{0x8}, {0x1c, 0x2, @TCA_CBS_PARMS={0x18, 0x1, {0x2, '\x00', 0x9, 0x0, 0x3, 0xfffffffd}}}}]}, 0x48}, 0x1, 0x0, 0x0, 0x4040098}, 0x0) r9 = socket$nl_route(0x10, 0x3, 0x0) r10 = socket$unix(0x1, 0x5, 0x0) ioctl$sock_SIOCGIFINDEX(r10, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0}) sendmsg$nl_route_sched(r9, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000c00)=@newtfilter={0x24, 0x2c, 0xd3f, 0x70bd24, 0x25dfdbfc, {0x0, 0x0, 0x0, r11, {0xfff1, 0xffe0}, {}, {0x7, 0x2}}}, 0x24}, 0x1, 0x0, 0x0, 0x8848}, 0x20004804) sendmsg$nl_route_sched(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000400)=@newqdisc={0x48, 0x28, 0x4ee4e6a52ff56541, 0x4001, 0xffffbddc, {0x0, 0x0, 0x0, r5, {0x10}, {0x6}, {0xfff2, 0x1}}, [@qdisc_kind_options=@q_cbs={{0x8}, {0x1c, 0x2, @TCA_CBS_PARMS={0x18, 0x1, {0x2, '\x00', 0x9, 0x0, 0x3, 0xfffffffd}}}}]}, 0x48}, 0x1, 0x0, 0x0, 0x4040098}, 0x880) close_range(r0, 0xffffffffffffffff, 0x0) 86.362457ms ago: executing program 2 (id=22): mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000000340)='./file1\x00', 0x0) r0 = socket$netlink(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r1, &(0x7f0000000480)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000300)=ANY=[@ANYBLOB="380000002000010027bd7200fddbdf250a0020400000000017004e244e241400020067cf0000000000000000000000000017000000000000"], 0x38}, 0x1, 0x0, 0x0, 0x24040804}, 0x0) timer_create(0x0, &(0x7f0000000080)={0x0, 0x11, 0x2}, &(0x7f0000000000)) r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$sock_linger(r2, 0x1, 0xd, &(0x7f0000000000)={0x1, 0x3ff}, 0x8) close(r2) timer_settime(0x0, 0x0, &(0x7f0000000240)={{0x0, 0x8}, {0x0, 0x9}}, 0x0) sendmsg$nl_route(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000300)=ANY=[@ANYBLOB='\\\x00\x00\x00!'], 0x5c}}, 0x0) mkdir(&(0x7f0000000300)='./bus\x00', 0x80) r3 = userfaultfd(0x801) ioctl$UFFDIO_API(r3, 0xc018aa3f, &(0x7f0000000140)={0xaa, 0x298}) ioctl$UFFDIO_REGISTER(r3, 0xc020aa00, &(0x7f0000000080)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x2}) ioctl$UFFDIO_COPY(r3, 0xc028aa03, &(0x7f0000000040)={&(0x7f00002b9000/0x400000)=nil, &(0x7f00001b1000/0x4000)=nil, 0x400000, 0x2, 0x2}) mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2) r4 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x80800, 0x0) ioctl$KVM_GET_MSRS_sys(r4, 0x4018aee2, &(0x7f0000000500)={0x59}) mount(0x0, &(0x7f0000000180)='./file0\x00', &(0x7f0000000380)='binder\x00', 0x1214040, 0x0) mount$overlay(0x0, &(0x7f0000000000)='./bus\x00', &(0x7f00000005c0), 0x8040, &(0x7f0000000600)={[{@lowerdir={'lowerdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}, {@userxattr}, {@workdir={'workdir', 0x3d, './bus'}}]}) landlock_create_ruleset(&(0x7f0000000040)={0x24, 0x5, 0x1}, 0x18, 0x1) 0s ago: executing program 3 (id=4): r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$batadv(&(0x7f0000000400), 0xffffffffffffffff) (async) ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r0, 0x8933, &(0x7f0000000440)={'batadv0\x00', 0x0}) capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040)={0x200000, 0x200003, 0x0, 0x0, 0x3}) r3 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6) open_by_handle_at(r3, &(0x7f00000000c0)=@ceph_nfs_snapfh={0x1c, 0x4e, {0x9, 0x9, 0x7, 0x5a12}}, 0x1110a0) (async) sendmsg$BATADV_CMD_SET_MESH(r0, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000000c0)={0x24, r1, 0x1, 0x4070bd28, 0x5, {}, [@BATADV_ATTR_MESH_IFINDEX={0x8, 0x3, r2}, @BATADV_ATTR_DISTRIBUTED_ARP_TABLE_ENABLED={0x5, 0x2f, 0x1}]}, 0x24}}, 0x18) kernel console output (not intermixed with test programs): [ 52.876474][ T40] audit: type=1400 audit(1773976925.941:60): avc: denied { rlimitinh } for pid=5871 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 52.882707][ T40] audit: type=1400 audit(1773976925.941:61): avc: denied { siginh } for pid=5871 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 Warning: Permanently added '[localhost]:44253' (ED25519) to the list of known hosts. [ 54.938148][ T40] audit: type=1400 audit(1773976928.021:62): avc: denied { name_bind } for pid=5918 comm="sshd-session" src=30000 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=1 [ 54.967631][ T40] audit: type=1400 audit(1773976928.051:63): avc: denied { execute } for pid=5919 comm="sh" name="syz-executor" dev="sda1" ino=2020 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 54.976594][ T40] audit: type=1400 audit(1773976928.051:64): avc: denied { execute_no_trans } for pid=5919 comm="sh" path="/syz-executor" dev="sda1" ino=2020 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 57.215794][ T40] audit: type=1400 audit(1773976930.301:65): avc: denied { mounton } for pid=5919 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2022 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 57.226595][ T40] audit: type=1400 audit(1773976930.311:66): avc: denied { mount } for pid=5919 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 57.229484][ T5919] cgroup: Unknown subsys name 'net' [ 57.403085][ T5919] cgroup: Unknown subsys name 'cpuset' [ 57.407411][ T5919] cgroup: Unknown subsys name 'rlimit' [ 57.655154][ T5926] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 58.385446][ T5919] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 61.713222][ T40] kauditd_printk_skb: 15 callbacks suppressed [ 61.713234][ T40] audit: type=1400 audit(1773976934.801:82): avc: denied { execmem } for pid=5932 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 61.863641][ T40] audit: type=1400 audit(1773976934.951:83): avc: denied { create } for pid=5935 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 61.873879][ T40] audit: type=1400 audit(1773976934.951:84): avc: denied { create } for pid=5936 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 61.880973][ T40] audit: type=1400 audit(1773976934.951:85): avc: denied { read write } for pid=5936 comm="syz-executor" name="vhci" dev="devtmpfs" ino=1291 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1 [ 61.889806][ T40] audit: type=1400 audit(1773976934.951:86): avc: denied { open } for pid=5936 comm="syz-executor" path="/dev/vhci" dev="devtmpfs" ino=1291 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1 [ 61.898477][ T40] audit: type=1400 audit(1773976934.961:87): avc: denied { ioctl } for pid=5935 comm="syz-executor" path="socket:[6679]" dev="sockfs" ino=6679 ioctlcmd=0x48c9 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 61.905804][ T5945] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 61.912699][ T5945] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 61.920477][ T5945] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 61.922930][ T5949] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 61.923152][ T5950] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 61.923794][ T5945] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 61.924268][ T5945] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 61.925058][ T5945] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 61.925524][ T5945] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 61.927537][ T5949] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 61.928285][ T5945] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 61.933307][ T40] audit: type=1400 audit(1773976935.021:88): avc: denied { read } for pid=5936 comm="syz-executor" dev="nsfs" ino=4026531833 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 61.940088][ T5945] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 61.946495][ T5293] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 61.956710][ T5945] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 61.959283][ T5293] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 61.960300][ T40] audit: type=1400 audit(1773976935.021:89): avc: denied { open } for pid=5936 comm="syz-executor" path="net:[4026531833]" dev="nsfs" ino=4026531833 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 61.960329][ T40] audit: type=1400 audit(1773976935.021:90): avc: denied { mounton } for pid=5936 comm="syz-executor" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 61.961293][ T5945] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 61.964754][ T5293] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 61.966437][ T5945] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 61.975053][ T5293] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 61.982721][ T5945] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 62.123363][ T40] audit: type=1400 audit(1773976935.211:91): avc: denied { module_request } for pid=5936 comm="syz-executor" kmod="rtnl-link-nicvf" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 62.161662][ T5936] chnl_net:caif_netlink_parms(): no params data found [ 62.265572][ T5938] chnl_net:caif_netlink_parms(): no params data found [ 62.339786][ T5936] bridge0: port 1(bridge_slave_0) entered blocking state [ 62.343143][ T5936] bridge0: port 1(bridge_slave_0) entered disabled state [ 62.346053][ T5936] bridge_slave_0: entered allmulticast mode [ 62.348847][ T5936] bridge_slave_0: entered promiscuous mode [ 62.353165][ T5935] chnl_net:caif_netlink_parms(): no params data found [ 62.367917][ T5936] bridge0: port 2(bridge_slave_1) entered blocking state [ 62.370882][ T5936] bridge0: port 2(bridge_slave_1) entered disabled state [ 62.373708][ T5936] bridge_slave_1: entered allmulticast mode [ 62.376941][ T5936] bridge_slave_1: entered promiscuous mode [ 62.441133][ T5938] bridge0: port 1(bridge_slave_0) entered blocking state [ 62.443687][ T5938] bridge0: port 1(bridge_slave_0) entered disabled state [ 62.446231][ T5938] bridge_slave_0: entered allmulticast mode [ 62.449328][ T5938] bridge_slave_0: entered promiscuous mode [ 62.454093][ T5938] bridge0: port 2(bridge_slave_1) entered blocking state [ 62.456515][ T5938] bridge0: port 2(bridge_slave_1) entered disabled state [ 62.459041][ T5938] bridge_slave_1: entered allmulticast mode [ 62.462541][ T5938] bridge_slave_1: entered promiscuous mode [ 62.472743][ T5942] chnl_net:caif_netlink_parms(): no params data found [ 62.481095][ T5936] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 62.513059][ T5936] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 62.523539][ T5938] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 62.546838][ T5938] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 62.559357][ T5935] bridge0: port 1(bridge_slave_0) entered blocking state [ 62.562185][ T5935] bridge0: port 1(bridge_slave_0) entered disabled state [ 62.564702][ T5935] bridge_slave_0: entered allmulticast mode [ 62.567808][ T5935] bridge_slave_0: entered promiscuous mode [ 62.571546][ T5935] bridge0: port 2(bridge_slave_1) entered blocking state [ 62.573967][ T5935] bridge0: port 2(bridge_slave_1) entered disabled state [ 62.576340][ T5935] bridge_slave_1: entered allmulticast mode [ 62.579494][ T5935] bridge_slave_1: entered promiscuous mode [ 62.590350][ T5936] team0: Port device team_slave_0 added [ 62.603603][ T5936] team0: Port device team_slave_1 added [ 62.644103][ T5942] bridge0: port 1(bridge_slave_0) entered blocking state [ 62.646531][ T5942] bridge0: port 1(bridge_slave_0) entered disabled state [ 62.648885][ T5942] bridge_slave_0: entered allmulticast mode [ 62.651810][ T5942] bridge_slave_0: entered promiscuous mode [ 62.656222][ T5938] team0: Port device team_slave_0 added [ 62.660053][ T5935] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 62.665101][ T5935] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 62.668575][ T5936] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 62.671158][ T5936] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 62.679412][ T5936] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 62.684530][ T5942] bridge0: port 2(bridge_slave_1) entered blocking state [ 62.687606][ T5942] bridge0: port 2(bridge_slave_1) entered disabled state [ 62.690034][ T5942] bridge_slave_1: entered allmulticast mode [ 62.692848][ T5942] bridge_slave_1: entered promiscuous mode [ 62.696933][ T5938] team0: Port device team_slave_1 added [ 62.710817][ T5936] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 62.713118][ T5936] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 62.722099][ T5936] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 62.757984][ T5942] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 62.763984][ T5942] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 62.768062][ T5935] team0: Port device team_slave_0 added [ 62.773212][ T5935] team0: Port device team_slave_1 added [ 62.781931][ T5938] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 62.784309][ T5938] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 62.793333][ T5938] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 62.830034][ T5935] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 62.832564][ T5935] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 62.841541][ T5935] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 62.847092][ T5938] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 62.849667][ T5938] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 62.860386][ T5938] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 62.865749][ T5942] team0: Port device team_slave_0 added [ 62.871756][ T5936] hsr_slave_0: entered promiscuous mode [ 62.874347][ T5936] hsr_slave_1: entered promiscuous mode [ 62.877156][ T5935] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 62.880084][ T5935] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 62.889520][ T5935] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 62.902023][ T5942] team0: Port device team_slave_1 added [ 62.936183][ T5942] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 62.939155][ T5942] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 62.948843][ T5942] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 62.981144][ T5935] hsr_slave_0: entered promiscuous mode [ 62.984070][ T5935] hsr_slave_1: entered promiscuous mode [ 62.986531][ T5935] debugfs: 'hsr0' already exists in 'hsr' [ 62.988459][ T5935] Cannot create hsr debugfs directory [ 62.990854][ T5942] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 62.993136][ T5942] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 63.002163][ T5942] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 63.021425][ T5938] hsr_slave_0: entered promiscuous mode [ 63.024372][ T5938] hsr_slave_1: entered promiscuous mode [ 63.026909][ T5938] debugfs: 'hsr0' already exists in 'hsr' [ 63.028871][ T5938] Cannot create hsr debugfs directory [ 63.133826][ T5942] hsr_slave_0: entered promiscuous mode [ 63.136683][ T5942] hsr_slave_1: entered promiscuous mode [ 63.139577][ T5942] debugfs: 'hsr0' already exists in 'hsr' [ 63.143315][ T5942] Cannot create hsr debugfs directory [ 63.327392][ T5936] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 63.334600][ T5936] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 63.339588][ T5936] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 63.348921][ T5936] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 63.387273][ T5938] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 63.393505][ T5938] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 63.398127][ T5938] netdevsim netdevsim2 netdevsim2: renamed from eth2 [ 63.404356][ T5938] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 63.454020][ T5935] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 63.461899][ T5935] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 63.466227][ T5935] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 63.476626][ T5935] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 63.519781][ T5942] netdevsim netdevsim3 netdevsim0: renamed from eth0 [ 63.526131][ T5942] netdevsim netdevsim3 netdevsim1: renamed from eth1 [ 63.530237][ T5942] netdevsim netdevsim3 netdevsim2: renamed from eth2 [ 63.534971][ T5942] netdevsim netdevsim3 netdevsim3: renamed from eth3 [ 63.554886][ T5936] 8021q: adding VLAN 0 to HW filter on device bond0 [ 63.579074][ T5936] 8021q: adding VLAN 0 to HW filter on device team0 [ 63.596635][ T5938] 8021q: adding VLAN 0 to HW filter on device bond0 [ 63.600727][ T108] bridge0: port 1(bridge_slave_0) entered blocking state [ 63.603180][ T108] bridge0: port 1(bridge_slave_0) entered forwarding state [ 63.614917][ T108] bridge0: port 2(bridge_slave_1) entered blocking state [ 63.617421][ T108] bridge0: port 2(bridge_slave_1) entered forwarding state [ 63.628543][ T5938] 8021q: adding VLAN 0 to HW filter on device team0 [ 63.645963][ T46] bridge0: port 1(bridge_slave_0) entered blocking state [ 63.648466][ T46] bridge0: port 1(bridge_slave_0) entered forwarding state [ 63.677265][ T13] bridge0: port 2(bridge_slave_1) entered blocking state [ 63.680426][ T13] bridge0: port 2(bridge_slave_1) entered forwarding state [ 63.692031][ T5935] 8021q: adding VLAN 0 to HW filter on device bond0 [ 63.727824][ T5935] 8021q: adding VLAN 0 to HW filter on device team0 [ 63.743746][ T5942] 8021q: adding VLAN 0 to HW filter on device bond0 [ 63.752205][ T46] bridge0: port 1(bridge_slave_0) entered blocking state [ 63.754925][ T46] bridge0: port 1(bridge_slave_0) entered forwarding state [ 63.758287][ T46] bridge0: port 2(bridge_slave_1) entered blocking state [ 63.760668][ T46] bridge0: port 2(bridge_slave_1) entered forwarding state [ 63.776406][ T5942] 8021q: adding VLAN 0 to HW filter on device team0 [ 63.788541][ T61] bridge0: port 1(bridge_slave_0) entered blocking state [ 63.790962][ T61] bridge0: port 1(bridge_slave_0) entered forwarding state [ 63.805661][ T212] bridge0: port 2(bridge_slave_1) entered blocking state [ 63.808028][ T212] bridge0: port 2(bridge_slave_1) entered forwarding state [ 63.853542][ T5936] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 63.860524][ T5938] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 63.883659][ T5936] veth0_vlan: entered promiscuous mode [ 63.894368][ T5936] veth1_vlan: entered promiscuous mode [ 63.909795][ T5938] veth0_vlan: entered promiscuous mode [ 63.917553][ T5938] veth1_vlan: entered promiscuous mode [ 63.923913][ T5935] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 63.936703][ T5936] veth0_macvtap: entered promiscuous mode [ 63.944311][ T5936] veth1_macvtap: entered promiscuous mode [ 63.958189][ T5938] veth0_macvtap: entered promiscuous mode [ 63.960981][ T5941] Bluetooth: hci0: command tx timeout [ 63.966687][ T5936] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 63.973373][ T5938] veth1_macvtap: entered promiscuous mode [ 63.979154][ T5936] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 63.984077][ T5942] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 63.995151][ T212] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 64.002615][ T212] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 64.005521][ T212] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 64.009276][ T5938] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 64.015757][ T212] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 64.029034][ T5938] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 64.045059][ T5935] veth0_vlan: entered promiscuous mode [ 64.049013][ T108] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 64.050393][ T5941] Bluetooth: hci1: command tx timeout [ 64.050453][ T63] Bluetooth: hci2: command tx timeout [ 64.051019][ T63] Bluetooth: hci3: command tx timeout [ 64.073103][ T5935] veth1_vlan: entered promiscuous mode [ 64.075850][ T108] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 64.088899][ T108] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 64.093951][ T108] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 64.131362][ T5942] veth0_vlan: entered promiscuous mode [ 64.138214][ T5935] veth0_macvtap: entered promiscuous mode [ 64.143628][ T212] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 64.146340][ T212] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 64.159761][ T5935] veth1_macvtap: entered promiscuous mode [ 64.170557][ T5942] veth1_vlan: entered promiscuous mode [ 64.179493][ T99] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 64.181177][ T46] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 64.183386][ T99] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 64.188334][ T46] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 64.217075][ T5935] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 64.217142][ T61] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 64.223263][ T61] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 64.229276][ T5936] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 64.233106][ T5942] veth0_macvtap: entered promiscuous mode [ 64.238358][ T5942] veth1_macvtap: entered promiscuous mode [ 64.251198][ T5935] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 64.255546][ T5942] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 64.285196][ T61] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 64.290284][ T5942] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 64.295352][ T61] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 64.300229][ T61] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 64.303339][ T61] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 64.332867][ T108] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 64.335839][ T108] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 64.345611][ T108] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 64.348482][ T108] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 64.353768][ T61] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 64.357050][ T61] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 64.736475][ T6046] netlink: 12 bytes leftover after parsing attributes in process `syz.0.10'. [ 64.940129][ T6065] netlink: 'syz.0.14': attribute type 1 has an invalid length. [ 64.943360][ T6065] netlink: 'syz.0.14': attribute type 1 has an invalid length. [ 64.943968][ T6066] netlink: 28 bytes leftover after parsing attributes in process `syz.0.14'. [ 65.790965][ T6071] netlink: 164 bytes leftover after parsing attributes in process `syz.0.21'. [ 65.920032][ T212] netdevsim netdevsim1 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 65.964296][ T6094] netlink: 4 bytes leftover after parsing attributes in process `syz.0.26'. [ 66.003426][ T5945] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 66.007240][ T5945] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 66.010479][ T5945] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 66.014615][ T5945] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 66.017745][ T5945] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 66.028440][ T6095] Failed to initialize the IGMP autojoin socket (err -2) [ 66.040943][ T5941] Bluetooth: hci0: command tx timeout [ 66.130364][ T5941] Bluetooth: hci2: command tx timeout [ 66.141623][ T6093] netlink: 12 bytes leftover after parsing attributes in process `syz.2.19'. [ 66.210415][ T6095] chnl_net:caif_netlink_parms(): no params data found [ 66.383842][ T6095] bridge0: port 1(bridge_slave_0) entered blocking state [ 66.392062][ T6095] bridge0: port 1(bridge_slave_0) entered disabled state [ 66.394850][ T6095] bridge_slave_0: entered allmulticast mode [ 66.397924][ T6095] bridge_slave_0: entered promiscuous mode [ 66.409866][ T6095] bridge0: port 2(bridge_slave_1) entered blocking state [ 66.412719][ T6095] bridge0: port 2(bridge_slave_1) entered disabled state [ 66.415357][ T6095] bridge_slave_1: entered allmulticast mode [ 66.418378][ T6095] bridge_slave_1: entered promiscuous mode [ 66.442453][ T5945] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 66.445600][ T5945] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 66.449461][ T5945] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 66.453538][ T5945] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 66.456590][ T5945] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 66.477201][ T6095] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 66.492581][ T6095] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 66.525438][ T6116] Failed to initialize the IGMP autojoin socket (err -2) [ 66.539664][ T6095] team0: Port device team_slave_0 added [ 66.553684][ T6095] team0: Port device team_slave_1 added [ 66.582458][ T6095] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 66.585526][ T6095] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 66.595526][ T6095] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 66.600538][ T6095] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 66.602916][ T6095] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 66.613290][ T6095] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 66.639297][ T6119] netlink: 28 bytes leftover after parsing attributes in process `syz.2.22'. [ 66.679153][ T6095] hsr_slave_0: entered promiscuous mode [ 66.683130][ T6095] hsr_slave_1: entered promiscuous mode [ 66.685546][ T6095] debugfs: 'hsr0' already exists in 'hsr' [ 66.687878][ T6095] Cannot create hsr debugfs directory [ 66.702738][ T6120] netlink: 64 bytes leftover after parsing attributes in process `syz.2.22'. [ 66.789878][ T6092] [ 66.790778][ T6092] ========================= [ 66.792222][ T6092] WARNING: held lock freed! [ 66.793653][ T6092] syzkaller #0 Not tainted [ 66.795196][ T6092] ------------------------- [ 66.796707][ T6092] syz.0.26/6092 is freeing memory ffff888057299000-ffff8880572997ff, with a lock still held there! [ 66.800213][ T6092] ffff888057299260 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: bt_accept_dequeue+0x244/0x690 [ 66.804062][ T6092] 3 locks held by syz.0.26/6092: [ 66.805763][ T6092] #0: ffff88803f81aa48 (&sb->s_type->i_mutex_key#13){+.+.}-{4:4}, at: __sock_release+0x86/0x260 [ 66.809289][ T6092] #1: ffff888024f65260 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP/2){+.+.}-{0:0}, at: l2cap_sock_release+0x61/0x280 [ 66.812931][ T6092] #2: ffff888057299260 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: bt_accept_dequeue+0x244/0x690 [ 66.816668][ T6092] [ 66.816668][ T6092] stack backtrace: [ 66.818606][ T6092] CPU: 0 UID: 0 PID: 6092 Comm: syz.0.26 Not tainted syzkaller #0 PREEMPT(full) [ 66.818619][ T6092] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 66.818625][ T6092] Call Trace: [ 66.818630][ T6092] [ 66.818655][ T6092] dump_stack_lvl+0x100/0x190 [ 66.818683][ T6092] debug_check_no_locks_freed+0x115/0x120 [ 66.818706][ T6092] ? __sk_destruct+0x8ab/0xbb0 [ 66.818718][ T6092] kfree+0x18b/0x6b0 [ 66.818731][ T6092] __sk_destruct+0x8ab/0xbb0 [ 66.818742][ T6092] ? do_raw_spin_lock+0x128/0x260 [ 66.818754][ T6092] sk_destruct+0xc8/0xf0 [ 66.818765][ T6092] __sk_free+0xf4/0x3e0 [ 66.818776][ T6092] sk_free+0x61/0x90 [ 66.818787][ T6092] bt_accept_unlink+0x1e4/0x2f0 [ 66.818799][ T6092] bt_accept_dequeue+0x576/0x690 [ 66.818810][ T6092] l2cap_sock_cleanup_listen+0x5c/0x2d0 [ 66.818825][ T6092] l2cap_sock_release+0x69/0x280 [ 66.818840][ T6092] __sock_release+0xb3/0x260 [ 66.818853][ T6092] ? __pfx_sock_close+0x10/0x10 [ 66.818867][ T6092] sock_close+0x1c/0x30 [ 66.818880][ T6092] __fput+0x3ff/0xb40 [ 66.818892][ T6092] ? _raw_spin_unlock_irq+0x23/0x50 [ 66.818905][ T6092] task_work_run+0x150/0x240 [ 66.818917][ T6092] ? __pfx_task_work_run+0x10/0x10 [ 66.818929][ T6092] exit_to_user_mode_loop+0x100/0x4a0 [ 66.818940][ T6092] do_syscall_64+0x67c/0xf80 [ 66.818954][ T6092] ? clear_bhb_loop+0x40/0x90 [ 66.818966][ T6092] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 66.818977][ T6092] RIP: 0033:0x7fc9ea79c799 [ 66.818986][ T6092] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 66.818996][ T6092] RSP: 002b:00007ffd39740f28 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 66.819006][ T6092] RAX: 0000000000000000 RBX: 00007fc9eaa17da0 RCX: 00007fc9ea79c799 [ 66.819012][ T6092] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 66.819018][ T6092] RBP: 00007fc9eaa17da0 R08: 0000000000000006 R09: 0000000000000000 [ 66.819024][ T6092] R10: 00007fc9eaa17cb0 R11: 0000000000000246 R12: 000000000001046a [ 66.819030][ T6092] R13: 00007fc9eaa1609c R14: 00000000000101a3 R15: 00007fc9eaa16090 [ 66.819039][ T6092] [ 66.904263][ T6092] ================================================================== [ 66.906883][ T6092] BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x23b/0x260 [ 66.909320][ T6092] Read of size 4 at addr ffff8880572991cc by task syz.0.26/6092 [ 66.911826][ T6092] [ 66.912625][ T6092] CPU: 0 UID: 0 PID: 6092 Comm: syz.0.26 Not tainted syzkaller #0 PREEMPT(full) [ 66.912639][ T6092] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 66.912645][ T6092] Call Trace: [ 66.912649][ T6092] SYZFAIL: failed to recv rpc [ 66.912654][ T6092] dump_stack_lvl+0x100/0x190 fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 66.912673][ T6092] print_report+0x156/0x4c9 [ 66.912689][ T6092] ? __virt_addr_valid+0x81/0x620 [ 66.912705][ T6092] ? __phys_addr+0xe8/0x180 [ 66.912720][ T6092] ? do_raw_spin_lock+0x23b/0x260 [ 66.912731][ T6092] kasan_report+0xdf/0x1e0 [ 66.912741][ T6092] ? do_raw_spin_lock+0x23b/0x260 [ 66.912754][ T6092] do_raw_spin_lock+0x23b/0x260 [ 66.912766][ T6092] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 66.912778][ T6092] ? sk_destruct+0xcd/0xf0 [ 66.912791][ T6092] release_sock+0x21/0x220 [ 66.912804][ T6092] bt_accept_dequeue+0x564/0x690 [ 66.912816][ T6092] l2cap_sock_cleanup_listen+0x5c/0x2d0 [ 66.912831][ T6092] l2cap_sock_release+0x69/0x280 [ 66.912846][ T6092] __sock_release+0xb3/0x260 [ 66.912860][ T6092] ? __pfx_sock_close+0x10/0x10 [ 66.912874][ T6092] sock_close+0x1c/0x30 [ 66.912887][ T6092] __fput+0x3ff/0xb40 [ 66.912900][ T6092] ? _raw_spin_unlock_irq+0x23/0x50 [ 66.912934][ T6092] task_work_run+0x150/0x240 [ 66.912946][ T6092] ? __pfx_task_work_run+0x10/0x10 [ 66.912958][ T6092] exit_to_user_mode_loop+0x100/0x4a0 [ 66.912970][ T6092] do_syscall_64+0x67c/0xf80 [ 66.912984][ T6092] ? clear_bhb_loop+0x40/0x90 [ 66.912999][ T6092] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 66.913011][ T6092] RIP: 0033:0x7fc9ea79c799 [ 66.913020][ T6092] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 66.913030][ T6092] RSP: 002b:00007ffd39740f28 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 66.913040][ T6092] RAX: 0000000000000000 RBX: 00007fc9eaa17da0 RCX: 00007fc9ea79c799 [ 66.913047][ T6092] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 66.913053][ T6092] RBP: 00007fc9eaa17da0 R08: 0000000000000006 R09: 0000000000000000 [ 66.913059][ T6092] R10: 00007fc9eaa17cb0 R11: 0000000000000246 R12: 000000000001046a [ 66.913066][ T6092] R13: 00007fc9eaa1609c R14: 00000000000101a3 R15: 00007fc9eaa16090 [ 66.913076][ T6092] [ 66.913079][ T6092] [ 66.988008][ T6092] Allocated by task 5941: [ 66.989436][ T6092] kasan_save_stack+0x30/0x50 [ 66.990997][ T6092] kasan_save_track+0x14/0x30 [ 66.992598][ T6092] __kasan_kmalloc+0xaa/0xb0 [ 66.994146][ T6092] __kmalloc_noprof+0x301/0x850 [ 66.995888][ T6092] sk_prot_alloc+0x10b/0x2a0 [ 66.997421][ T6092] sk_alloc+0x36/0xe80 [ 66.998886][ T6092] bt_sock_alloc+0x3b/0x3a0 [ 67.000386][ T6092] l2cap_sock_alloc.constprop.0+0x33/0x1e0 [ 67.002305][ T6092] l2cap_sock_new_connection_cb+0x101/0x260 [ 67.004282][ T6092] l2cap_connect_cfm+0x4e2/0x1050 [ 67.006155][ T6092] hci_remote_features_evt+0x4f4/0x9b0 [ 67.008016][ T6092] hci_event_packet+0xa86/0x11c0 [ 67.009627][ T6092] hci_rx_work+0x451/0xfc0 [ 67.011118][ T6092] process_one_work+0xa23/0x19a0 [ 67.012740][ T6092] worker_thread+0x5ef/0xe50 [ 67.014260][ T6092] kthread+0x370/0x450 [ 67.015633][ T6092] ret_from_fork+0x754/0xd80 [ 67.017161][ T6092] ret_from_fork_asm+0x1a/0x30 [ 67.018934][ T6092] [ 67.019802][ T6092] Freed by task 6092: [ 67.021196][ T6092] kasan_save_stack+0x30/0x50 [ 67.022850][ T6092] kasan_save_track+0x14/0x30 [ 67.024503][ T6092] kasan_save_free_info+0x3b/0x70 [ 67.026265][ T6092] __kasan_slab_free+0x5f/0x80 [ 67.027899][ T6092] kfree+0x1f6/0x6b0 [ 67.029234][ T6092] __sk_destruct+0x8ab/0xbb0 [ 67.030792][ T6092] sk_destruct+0xc8/0xf0 [ 67.032344][ T6092] __sk_free+0xf4/0x3e0 [ 67.033755][ T6092] sk_free+0x61/0x90 [ 67.035115][ T6092] bt_accept_unlink+0x1e4/0x2f0 [ 67.036856][ T6092] bt_accept_dequeue+0x576/0x690 [ 67.038537][ T6092] l2cap_sock_cleanup_listen+0x5c/0x2d0 [ 67.040633][ T6092] l2cap_sock_release+0x69/0x280 [ 67.042253][ T6092] __sock_release+0xb3/0x260 [ 67.043838][ T6092] sock_close+0x1c/0x30 [ 67.045247][ T6092] __fput+0x3ff/0xb40 [ 67.046563][ T6092] task_work_run+0x150/0x240 [ 67.048073][ T6092] exit_to_user_mode_loop+0x100/0x4a0 [ 67.049837][ T6092] do_syscall_64+0x67c/0xf80 [ 67.051369][ T6092] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 67.053377][ T6092] [ 67.054213][ T6092] The buggy address belongs to the object at ffff888057299000 [ 67.054213][ T6092] which belongs to the cache kmalloc-2k of size 2048 [ 67.058933][ T6092] The buggy address is located 460 bytes inside of [ 67.058933][ T6092] freed 2048-byte region [ffff888057299000, ffff888057299800) [ 67.063654][ T6092] [ 67.064506][ T6092] The buggy address belongs to the physical page: [ 67.066816][ T6092] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x57298 [ 67.069781][ T6092] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 67.072502][ T6092] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 67.075004][ T6092] page_type: f5(slab) [ 67.076391][ T6092] raw: 00fff00000000040 ffff88801b842f00 dead000000000100 dead000000000122 [ 67.079499][ T6092] raw: 0000000000000000 0000000800080008 00000000f5000000 0000000000000000 [ 67.082454][ T6092] head: 00fff00000000040 ffff88801b842f00 dead000000000100 dead000000000122 [ 67.085304][ T6092] head: 0000000000000000 0000000800080008 00000000f5000000 0000000000000000 [ 67.088149][ T6092] head: 00fff00000000003 ffffea00015ca601 00000000ffffffff 00000000ffffffff [ 67.091147][ T6092] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 67.094422][ T6092] page dumped because: kasan: bad access detected [ 67.096660][ T6092] page_owner tracks the page as allocated [ 67.098560][ T6092] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5938, tgid 5938 (syz-executor), ts 63445995742, free_ts 0 [ 67.105217][ T6092] post_alloc_hook+0x153/0x170 [ 67.106886][ T6092] get_page_from_freelist+0x111d/0x3140 [ 67.109032][ T6092] __alloc_frozen_pages_noprof+0x27c/0x2ba0 [ 67.111131][ T6092] new_slab+0xa6/0x6b0 [ 67.112611][ T6092] refill_objects+0x26b/0x400 [ 67.114328][ T6092] __pcs_replace_empty_main+0x1ab/0x660 [ 67.116278][ T6092] __kmalloc_cache_noprof+0x493/0x6f0 [ 67.118133][ T6092] rtnl_newlink+0x126/0x2380 [ 67.120155][ T6092] rtnetlink_rcv_msg+0x95e/0xe90 [ 67.121823][ T6092] netlink_rcv_skb+0x159/0x420 [ 67.123502][ T6092] netlink_unicast+0x5aa/0x870 [ 67.125194][ T6092] netlink_sendmsg+0x8b0/0xda0 [ 67.126907][ T6092] __sys_sendto+0x468/0x4b0 [ 67.128507][ T6092] __x64_sys_sendto+0xe0/0x1c0 [ 67.130129][ T6092] do_syscall_64+0x106/0xf80 [ 67.131669][ T6092] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 67.133591][ T6092] page_owner free stack trace missing [ 67.135501][ T6092] [ 67.136325][ T6092] Memory state around the buggy address: [ 67.138230][ T6092] ffff888057299080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 67.141298][ T6092] ffff888057299100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 67.143960][ T6092] >ffff888057299180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 67.146739][ T6092] ^ [ 67.148853][ T6092] ffff888057299200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 67.151458][ T6092] ffff888057299280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 67.154177][ T6092] ================================================================== [ 67.157172][ T6092] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 67.160067][ T6092] CPU: 0 UID: 0 PID: 6092 Comm: syz.0.26 Not tainted syzkaller #0 PREEMPT(full) [ 67.163443][ T6092] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 67.166713][ T6092] Call Trace: [ 67.167815][ T6092] [ 67.168862][ T6092] dump_stack_lvl+0x100/0x190 [ 67.170681][ T6092] vpanic+0x552/0x970 [ 67.172029][ T6092] ? __pfx_vpanic+0x10/0x10 [ 67.173541][ T6092] ? __pfx_vprintk_emit+0x10/0x10 [ 67.175308][ T6092] ? rcu_is_watching+0x12/0xc0 [ 67.177049][ T6092] ? do_raw_spin_lock+0x23b/0x260 [ 67.179012][ T6092] panic+0xd1/0xe0 [ 67.180271][ T6092] ? __pfx_panic+0x10/0x10 [ 67.181731][ T6092] ? check_panic_on_warn+0x1f/0x90 [ 67.183585][ T6092] check_panic_on_warn.cold+0x19/0x34 [ 67.185464][ T6092] end_report.part.0+0x3a/0x90 [ 67.187246][ T6092] kasan_report.cold+0xe/0x18 [ 67.188814][ T6092] ? do_raw_spin_lock+0x23b/0x260 [ 67.190556][ T6092] do_raw_spin_lock+0x23b/0x260 [ 67.192338][ T6092] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 67.194368][ T6092] ? sk_destruct+0xcd/0xf0 [ 67.196001][ T6092] release_sock+0x21/0x220 [ 67.197543][ T6092] bt_accept_dequeue+0x564/0x690 [ 67.199647][ T6092] l2cap_sock_cleanup_listen+0x5c/0x2d0 [ 67.201484][ T6092] l2cap_sock_release+0x69/0x280 [ 67.203159][ T6092] __sock_release+0xb3/0x260 [ 67.204793][ T6092] ? __pfx_sock_close+0x10/0x10 [ 67.206448][ T6092] sock_close+0x1c/0x30 [ 67.208014][ T6092] __fput+0x3ff/0xb40 [ 67.209543][ T6092] ? _raw_spin_unlock_irq+0x23/0x50 [ 67.211421][ T6092] task_work_run+0x150/0x240 [ 67.213036][ T6092] ? __pfx_task_work_run+0x10/0x10 [ 67.214830][ T6092] exit_to_user_mode_loop+0x100/0x4a0 [ 67.216592][ T6092] do_syscall_64+0x67c/0xf80 [ 67.218400][ T6092] ? clear_bhb_loop+0x40/0x90 [ 67.220136][ T6092] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 67.222328][ T6092] RIP: 0033:0x7fc9ea79c799 [ 67.223921][ T6092] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 67.230095][ T6092] RSP: 002b:00007ffd39740f28 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 67.232878][ T6092] RAX: 0000000000000000 RBX: 00007fc9eaa17da0 RCX: 00007fc9ea79c799 [ 67.235799][ T6092] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 67.238524][ T6092] RBP: 00007fc9eaa17da0 R08: 0000000000000006 R09: 0000000000000000 [ 67.241185][ T6092] R10: 00007fc9eaa17cb0 R11: 0000000000000246 R12: 000000000001046a [ 67.243791][ T6092] R13: 00007fc9eaa1609c R14: 00000000000101a3 R15: 00007fc9eaa16090 [ 67.246429][ T6092] [ 67.248413][ T6092] Kernel Offset: disabled [ 67.249834][ T6092] Rebooting in 86400 seconds..