last executing test programs: 308.766251ms ago: executing program 4 (id=5): r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x40, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x2}) r1 = socket$netlink(0x10, 0x3, 0x0) r2 = socket$nl_route(0x10, 0x3, 0x0) r3 = socket$unix(0x1, 0x1, 0x0) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0}) sendmsg$nl_route_sched(r2, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000001c0)=@newqdisc={0x34, 0x24, 0x4ee4e6a52ff56541, 0x70bd26, 0xffffffff, {0x0, 0x0, 0x0, r4, {0x0, 0xfff1}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_codel={{0xa}, {0x4}}]}, 0x34}}, 0x20040084) sendmsg$nl_route_sched(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000540)={&(0x7f00000006c0)=@newqdisc={0x24, 0x28, 0x4ee4e6a52ff56541, 0x4001, 0xfffffdfc, {0x0, 0x0, 0x0, r4, {0xffff}, {0xffff, 0xffff}, {0x2, 0x1}}}, 0x24}, 0x1, 0x0, 0x0, 0x400dc}, 0x0) 261.777182ms ago: executing program 1 (id=2): r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$SO_TIMESTAMPING(r0, 0x1, 0x25, &(0x7f0000000200)=0x474c, 0x4) bind$inet(r0, &(0x7f0000000240)={0x2, 0x0, @local}, 0x6f) connect$inet(r0, &(0x7f0000000480)={0x2, 0x0, @multicast1}, 0x10) sendmmsg(r0, &(0x7f0000007fc0), 0x800001d, 0x300) setsockopt$inet_int(r0, 0x0, 0xd, &(0x7f0000000180)=0x80, 0x4) setsockopt$inet_int(r0, 0x0, 0x6, &(0x7f0000000000)=0x8, 0x4) recvmmsg(r0, &(0x7f0000000b80)=[{{0x0, 0x0, 0x0, 0x0, &(0x7f0000000a80)=""/223, 0xdf}}], 0x1, 0x45833af92e4b39ff, 0x0) 91.310997ms ago: executing program 2 (id=3): r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) bind$bt_l2cap(r0, &(0x7f0000000280)={0x1f, 0xfffe, @any, 0x7ff, 0x1}, 0xe) listen(r0, 0x0) socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000180)) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x2, 0xb, &(0x7f00000009c0)=@framed={{0x18, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x3}, [@printk={@li, {0x3, 0x3, 0x3, 0xa, 0x0}, {0x5}, {0x7, 0x0, 0x5}, {}, {}, {0x85, 0x0, 0x0, 0x19}}]}, &(0x7f0000000000)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback=0x22, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) openat$cgroup_int(0xffffffffffffffff, 0x0, 0x2, 0x0) pselect6(0x900, 0x0, 0x0, &(0x7f0000000240)={0x1f}, &(0x7f0000000280)={0x0, 0x3938700}, 0x0) syz_clone3(&(0x7f00000076c0)={0x60208200, 0x0, 0x0, 0x0, {}, &(0x7f00000074c0)=""/138, 0x8a, 0x0, 0x0}, 0x58) 6.73898ms ago: executing program 4 (id=6): r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$netlink(0x10, 0x3, 0x0) r2 = socket(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r2, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000100)={0x0, 0x24}}, 0x0) getsockname$packet(r2, &(0x7f0000000080)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000100)=0x14) sendmsg$nl_route(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000008c0)=ANY=[@ANYBLOB='H\x00\x00', @ANYBLOB], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000780)={&(0x7f00000005c0)=@newqdisc={0x30, 0x24, 0xf1d, 0x0, 0x0, {0x0, 0x0, 0x0, r3, {}, {0xfff1, 0xffff}}, [@qdisc_kind_options=@q_clsact={0xb}]}, 0x30}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000140)=@delchain={0x24, 0x2e, 0x501, 0x70bd25, 0x40000000, {0x0, 0x0, 0x0, r3, {0xd}, {0xfff3, 0x5}, {0x0, 0xd}}}, 0x24}, 0x1, 0x0, 0x0, 0x4000000}, 0x24000004) 6.628ms ago: executing program 0 (id=1): r0 = socket$pppl2tp(0x18, 0x1, 0x1) r1 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x1}}, 0x2}}, 0x2e) close(r0) r2 = socket$pppl2tp(0x18, 0x1, 0x1) connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x2, 0x0, 0x6, 0x1, {0xa, 0x4e23, 0x1, @mcast2, 0x9}}}, 0x3a) ioctl$PPPIOCGFLAGS(r2, 0x8004745a, &(0x7f0000000200)) 6.48084ms ago: executing program 3 (id=4): r0 = bpf$PROG_LOAD(0x5, &(0x7f0000008000)={0x1, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="b70000000000000007000000000000009500000000000000a9171809f8dcf159569d5475991f7de1a0d0c119cfcf6b98741c23fb7f8d3002ec85db75af955427e91496087a51a0a78f269a9e216a0d0177c4fe3552396a180330807a5b6e8c79aa92038c78d1f16c1323f0e0c8d45c641a21757847cb22230e4321cc3581e40c62c4defee8cffe359cfeef7f58fffdb48647d28ae810f6d22d20271e9e88e94aa6982bf48356652b08e2fbd404e41e0058aae0478fbe542b648421d1b4486a542a7d478fbe6b5e000000293853f9c68e235184b7ad5b6c4fe70ec8320500db0db7fda3da6171a05509ffecef2cb9802d4f36c9a1ce46d3b355fec188ccfc2f0fc89e164561fb06ee9a0153981a47b5de9edd3536d5534f9a699f73b2c9341d2d05043748ce1f4577ed76cdf5b3c697089daa4abda69a8c0c992404610a6be9e103c972459065dec0488e85a6a0418fc87dd8019ef7bb4ef4fa6ee08d81797570578f2e8198e687012f25a69a90e7515e35f8abbddfa96c3f0485f01f0e9e144a2bd31c1b594c50de7c9efd826f1e19b7bd89ca4052b1985287bd13957a48467e0eeddf564d175bf4340885b63976df609806c3b2a3667539dfd66a7400000000003be6026e60205f761ce85cdf75cdb95ca5d32b5bf87eed4184d49f8f48181ef2419efe82ebb18ee55772d562b3b49551714e805a5211a3f4e8e703c03e23b2074bc573dbb66d59e269b722637c4a2efb5241cae2f14774609ad91d66724c438455dc4fcf0b4c8fc235f6c190b4c82bb2556d1fbcd4468369e98e900c743162ce2c7e60610acf0c8e4ba94a7e7127c7de0e6c35acecee1b8434fdca4579f9ebc6a515f7d910b466eb583fb0a7e65fbecb2b8ee0e9da33afb88aa5da8da3a5e0e58fcb48de6f165826b046a8951a47e040bd419d0efa0f54e8e3694085a7bde6f6494968d8200000000000"], &(0x7f0000003ff6)='syzkaller\x00', 0x1, 0xc3, &(0x7f00000002c0)=""/195, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0xffffffffffffff37}, 0x48) r1 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$sock_int(r1, 0x1, 0x1000000000000f, &(0x7f0000000080)=0x7fffffff, 0x4) setsockopt$sock_attach_bpf(r1, 0x1, 0x34, &(0x7f0000000040)=r0, 0x4) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000008000)={0x1, 0x3, &(0x7f0000000140)=ANY=[@ANYBLOB="b7000000ecffffff0c0000000000000095000000000000005e0c83dfb64a3eb1cdfa541cd3957aa8a96b9fa4591c1eb556e38defc504b011face5a06294c2115a9ad943bac350e8d7961537181f79ead9176dc7c3ed2d45004deb987fa0d"], &(0x7f0000003ff6)='syzkaller\x00', 0x1, 0xc3, &(0x7f00000002c0)=""/195, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0xffffffffffffff37}, 0x48) syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0) r3 = dup2(r2, r0) setsockopt$sock_attach_bpf(r1, 0x1, 0x34, &(0x7f00000000c0)=r3, 0x4) 0s ago: executing program 0 (id=7): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040), 0x20940, 0x0) keyctl$KEYCTL_RESTRICT_KEYRING(0x1d, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, 0x0}], 0x1, 0x74, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) mprotect(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.1.23' (ED25519) to the list of known hosts. [ 22.676769][ T24] audit: type=1400 audit(1782157280.290:64): avc: denied { mounton } for pid=272 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 22.680402][ T272] cgroup: Unknown subsys name 'net' [ 22.700456][ T24] audit: type=1400 audit(1782157280.290:65): avc: denied { mount } for pid=272 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 22.727803][ T24] audit: type=1400 audit(1782157280.330:66): avc: denied { unmount } for pid=272 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 22.728297][ T272] cgroup: Unknown subsys name 'devices' [ 22.870421][ T272] cgroup: Unknown subsys name 'hugetlb' [ 22.876105][ T272] cgroup: Unknown subsys name 'rlimit' [ 23.017865][ T24] audit: type=1400 audit(1782157280.630:67): avc: denied { setattr } for pid=272 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=253 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 23.041769][ T24] audit: type=1400 audit(1782157280.630:68): avc: denied { mounton } for pid=272 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 23.066710][ T24] audit: type=1400 audit(1782157280.630:69): avc: denied { mount } for pid=272 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 23.094691][ T274] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 23.103784][ T24] audit: type=1400 audit(1782157280.720:70): avc: denied { relabelto } for pid=274 comm="mkswap" name="swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 23.129679][ T24] audit: type=1400 audit(1782157280.720:71): avc: denied { write } for pid=274 comm="mkswap" path="/root/swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 23.159953][ T24] audit: type=1400 audit(1782157280.780:72): avc: denied { read } for pid=272 comm="syz-executor" name="swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 23.185536][ T24] audit: type=1400 audit(1782157280.780:73): avc: denied { open } for pid=272 comm="syz-executor" path="/root/swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 23.185606][ T272] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 23.651274][ T280] bridge0: port 1(bridge_slave_0) entered blocking state [ 23.658524][ T280] bridge0: port 1(bridge_slave_0) entered disabled state [ 23.666035][ T280] device bridge_slave_0 entered promiscuous mode [ 23.674212][ T280] bridge0: port 2(bridge_slave_1) entered blocking state [ 23.681428][ T280] bridge0: port 2(bridge_slave_1) entered disabled state [ 23.688914][ T280] device bridge_slave_1 entered promiscuous mode [ 23.799171][ T286] bridge0: port 1(bridge_slave_0) entered blocking state [ 23.806271][ T286] bridge0: port 1(bridge_slave_0) entered disabled state [ 23.813768][ T286] device bridge_slave_0 entered promiscuous mode [ 23.822016][ T286] bridge0: port 2(bridge_slave_1) entered blocking state [ 23.829137][ T286] bridge0: port 2(bridge_slave_1) entered disabled state [ 23.836875][ T286] device bridge_slave_1 entered promiscuous mode [ 23.879885][ T280] bridge0: port 2(bridge_slave_1) entered blocking state [ 23.886970][ T280] bridge0: port 2(bridge_slave_1) entered forwarding state [ 23.894396][ T280] bridge0: port 1(bridge_slave_0) entered blocking state [ 23.901647][ T280] bridge0: port 1(bridge_slave_0) entered forwarding state [ 23.930227][ T281] bridge0: port 1(bridge_slave_0) entered blocking state [ 23.937659][ T281] bridge0: port 1(bridge_slave_0) entered disabled state [ 23.945648][ T281] device bridge_slave_0 entered promiscuous mode [ 23.952761][ T281] bridge0: port 2(bridge_slave_1) entered blocking state [ 23.960024][ T281] bridge0: port 2(bridge_slave_1) entered disabled state [ 23.967494][ T281] device bridge_slave_1 entered promiscuous mode [ 23.982515][ T282] bridge0: port 1(bridge_slave_0) entered blocking state [ 23.990217][ T282] bridge0: port 1(bridge_slave_0) entered disabled state [ 23.998116][ T282] device bridge_slave_0 entered promiscuous mode [ 24.005368][ T282] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.012721][ T282] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.020185][ T282] device bridge_slave_1 entered promiscuous mode [ 24.085216][ T283] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.092465][ T283] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.100396][ T283] device bridge_slave_0 entered promiscuous mode [ 24.109355][ T283] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.116820][ T283] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.124365][ T283] device bridge_slave_1 entered promiscuous mode [ 24.193401][ T9] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.201311][ T9] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.209796][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 24.217304][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 24.260588][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 24.269251][ T9] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.276693][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.293277][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 24.301646][ T9] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.308980][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.337768][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 24.350783][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 24.360359][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 24.383430][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 24.391835][ T9] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.398938][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.406459][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 24.414950][ T9] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.422024][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.429579][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 24.450768][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 24.458998][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 24.481879][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 24.490607][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 24.498778][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 24.507476][ T9] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.514555][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.522631][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 24.530785][ T9] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.538120][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.545820][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 24.561421][ T286] device veth0_vlan entered promiscuous mode [ 24.572782][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 24.581723][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 24.590322][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 24.597912][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 24.606361][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 24.614577][ T9] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.621658][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.629588][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 24.637804][ T9] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.644914][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.653608][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 24.669546][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 24.677763][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 24.686509][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 24.695716][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 24.707198][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 24.715800][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 24.723980][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 24.732169][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 24.748103][ T280] device veth0_vlan entered promiscuous mode [ 24.760324][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 24.769279][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 24.777605][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 24.785644][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 24.793308][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 24.802830][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 24.811396][ T9] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.818480][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.826063][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 24.834392][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 24.842568][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 24.851038][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 24.859518][ T9] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.866545][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.874137][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 24.881988][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 24.889631][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 24.908560][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 24.916866][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 24.925001][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 24.933240][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 24.941295][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 24.949893][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 24.968845][ T280] device veth1_macvtap entered promiscuous mode [ 24.979318][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 24.988011][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 24.997213][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 25.006136][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 25.015075][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 25.022835][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 25.030926][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 25.039402][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 25.047522][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 25.056096][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 25.063649][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 25.071969][ T282] device veth0_vlan entered promiscuous mode [ 25.080724][ T286] device veth1_macvtap entered promiscuous mode [ 25.092350][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 25.100161][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 25.108287][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 25.116977][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 25.126006][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 25.134664][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 25.142254][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 25.150929][ T281] device veth0_vlan entered promiscuous mode [ 25.164005][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 25.172611][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 25.181640][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 25.190812][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 25.202481][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 25.211084][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 25.219832][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 25.228244][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 25.243581][ T283] device veth0_vlan entered promiscuous mode [ 25.254116][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 25.263105][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 25.271655][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 25.280519][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 25.288804][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 25.296295][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 25.313132][ T286] request_module fs-gadgetfs succeeded, but still no fs? [ 25.328163][ T286] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation [ 25.334802][ T283] device veth1_macvtap entered promiscuous mode [ 25.347823][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 25.360351][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 25.370044][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 25.380191][ T282] device veth1_macvtap entered promiscuous mode [ 25.387573][ T281] device veth1_macvtap entered promiscuous mode [ 25.399514][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 25.407187][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 25.421272][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 25.429950][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 25.444138][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 25.452901][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 25.461728][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 25.470860][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 25.480002][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 25.488718][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 25.497855][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 25.507180][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 25.531566][ T307] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 25.547709][ T307] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 25.565656][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 25.579375][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 25.614020][ T314] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pid=314 comm=syz.4.6 [ 25.668297][ T320] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. [ 25.684981][ C0] ================================================================== [ 25.693663][ C0] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x6c/0xb0 [ 25.701232][ C0] Read of size 8 at addr ffff88810eddb190 by task ksoftirqd/0/12 [ 25.709068][ C0] [ 25.711444][ C0] CPU: 0 PID: 12 Comm: ksoftirqd/0 Not tainted syzkaller #0 [ 25.718948][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 [ 25.729038][ C0] Call Trace: [ 25.732359][ C0] __dump_stack+0x21/0x24 [ 25.736723][ C0] dump_stack_lvl+0x1a7/0x208 [ 25.741435][ C0] ? show_regs_print_info+0x18/0x18 [ 25.746770][ C0] ? thaw_kernel_threads+0x220/0x220 [ 25.752093][ C0] print_address_description+0x7f/0x2c0 [ 25.758326][ C0] ? rcu_cblist_dequeue+0x6c/0xb0 [ 25.763399][ C0] kasan_report+0x100/0x140 [ 25.767946][ C0] ? rcu_cblist_dequeue+0x6c/0xb0 [ 25.773514][ C0] __asan_report_load8_noabort+0x14/0x20 [ 25.779833][ C0] rcu_cblist_dequeue+0x6c/0xb0 [ 25.784829][ C0] rcu_do_batch+0x448/0xaf0 [ 25.789648][ C0] ? try_to_wake_up+0x64e/0xdf0 [ 25.794524][ C0] ? local_bh_enable+0x20/0x20 [ 25.799300][ C0] ? _raw_spin_unlock_irqrestore+0x5b/0x80 [ 25.805113][ C0] ? rcu_report_qs_rnp+0x37e/0x390 [ 25.810339][ C0] rcu_core+0x50a/0xca0 [ 25.815120][ C0] ? __kfree_skb_flush+0xc5/0x120 [ 25.820277][ C0] ? rcu_cpu_kthread_park+0x90/0x90 [ 25.825496][ C0] ? net_tx_action+0x530/0x530 [ 25.830276][ C0] ? __schedule+0xc0b/0x13e0 [ 25.834882][ C0] rcu_core_si+0x9/0x10 [ 25.839081][ C0] __do_softirq+0x255/0x563 [ 25.843598][ C0] ? ksoftirqd_should_run+0x20/0x20 [ 25.848828][ C0] run_ksoftirqd+0x23/0x30 [ 25.853584][ C0] smpboot_thread_fn+0x464/0x820 [ 25.858543][ C0] kthread+0x324/0x3b0 [ 25.862630][ C0] ? cpu_report_death+0x1b0/0x1b0 [ 25.867846][ C0] ? kthread_blkcg+0xd0/0xd0 [ 25.872447][ C0] ret_from_fork+0x1f/0x30 [ 25.876888][ C0] [ 25.879234][ C0] Allocated by task 316: [ 25.883506][ C0] __kasan_kmalloc+0xd4/0x100 [ 25.888201][ C0] __kmalloc+0x19f/0x330 [ 25.892489][ C0] l2tp_session_create+0x39/0xb60 [ 25.897609][ C0] pppol2tp_connect+0xbf5/0x1640 [ 25.902575][ C0] __sys_connect+0x3ce/0x450 [ 25.907642][ C0] __x64_sys_connect+0x7a/0x90 [ 25.912513][ C0] do_syscall_64+0x31/0x40 [ 25.916956][ C0] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 25.922871][ C0] [ 25.925252][ C0] Freed by task 7: [ 25.929043][ C0] kasan_set_track+0x4a/0x70 [ 25.933681][ C0] kasan_set_free_info+0x23/0x40 [ 25.938649][ C0] ____kasan_slab_free+0x125/0x160 [ 25.943786][ C0] __kasan_slab_free+0x11/0x20 [ 25.948604][ C0] slab_free_freelist_hook+0xc5/0x190 [ 25.954159][ C0] kfree+0xc0/0x270 [ 25.958099][ C0] l2tp_session_put+0xb2/0x1a0 [ 25.963020][ C0] l2tp_session_delete+0x3a9/0x4a0 [ 25.968176][ C0] l2tp_tunnel_del_work+0x180/0x3d0 [ 25.973382][ C0] process_one_work+0x6fd/0xbc0 [ 25.978250][ C0] worker_thread+0xa8e/0x13c0 [ 25.982932][ C0] kthread+0x324/0x3b0 [ 25.987003][ C0] ret_from_fork+0x1f/0x30 [ 25.992039][ C0] [ 25.994385][ C0] Last potentially related work creation: [ 26.000221][ C0] kasan_save_stack+0x3a/0x60 [ 26.005201][ C0] __kasan_record_aux_stack+0xd2/0x100 [ 26.010937][ C0] kasan_record_aux_stack_noalloc+0xb/0x10 [ 26.016763][ C0] call_rcu+0x11a/0x1090 [ 26.021252][ C0] pppol2tp_release+0x1e3/0x2b0 [ 26.026227][ C0] sock_close+0xb8/0x200 [ 26.030537][ C0] __fput+0x2dc/0x730 [ 26.034564][ C0] ____fput+0x15/0x20 [ 26.038558][ C0] task_work_run+0x127/0x190 [ 26.043336][ C0] exit_to_user_mode_loop+0xcb/0xe0 [ 26.049253][ C0] exit_to_user_mode_prepare+0x76/0xa0 [ 26.055179][ C0] syscall_exit_to_user_mode+0x1d/0x40 [ 26.060650][ C0] do_syscall_64+0x3d/0x40 [ 26.065072][ C0] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 26.071044][ C0] [ 26.073394][ C0] The buggy address belongs to the object at ffff88810eddb000 [ 26.073394][ C0] which belongs to the cache kmalloc-512 of size 512 [ 26.087534][ C0] The buggy address is located 400 bytes inside of [ 26.087534][ C0] 512-byte region [ffff88810eddb000, ffff88810eddb200) [ 26.100911][ C0] The buggy address belongs to the page: [ 26.106582][ C0] page:ffffea00043b7600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10edd8 [ 26.116818][ C0] head:ffffea00043b7600 order:2 compound_mapcount:0 compound_pincount:0 [ 26.125244][ C0] flags: 0x4000000000010200(slab|head) [ 26.130719][ C0] raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100043080 [ 26.139337][ C0] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 26.147940][ C0] page dumped because: kasan: bad access detected [ 26.154495][ C0] page_owner tracks the page as allocated [ 26.160499][ C0] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 306, ts 25611589126, free_ts 25609771859 [ 26.181428][ C0] prep_new_page+0x176/0x190 [ 26.186042][ C0] get_page_from_freelist+0x225f/0x23f0 [ 26.191643][ C0] __alloc_pages_nodemask+0x29a/0x640 [ 26.197040][ C0] new_slab+0x84/0x3f0 [ 26.201121][ C0] ___slab_alloc+0x2f8/0x4c0 [ 26.205721][ C0] __slab_alloc+0x63/0xa0 [ 26.210512][ C0] __kmalloc_track_caller+0x1e4/0x310 [ 26.216076][ C0] __alloc_skb+0xdc/0x520 [ 26.220543][ C0] alloc_skb_with_frags+0xa3/0x560 [ 26.226116][ C0] sock_alloc_send_pskb+0x87f/0x9a0 [ 26.231609][ C0] sock_alloc_send_skb+0x32/0x40 [ 26.236652][ C0] __ip_append_data+0x1f8a/0x30b0 [ 26.241799][ C0] ip_make_skb+0x1e5/0x400 [ 26.246322][ C0] udp_sendmsg+0x1771/0x2140 [ 26.250933][ C0] inet_sendmsg+0xa5/0xc0 [ 26.255499][ C0] ____sys_sendmsg+0x5be/0x8f0 [ 26.260278][ C0] page last free stack trace: [ 26.264997][ C0] __free_pages_ok+0x80b/0x830 [ 26.269768][ C0] __free_pages+0xd8/0x390 [ 26.274189][ C0] __free_slab+0xcf/0x190 [ 26.278533][ C0] unfreeze_partials+0x150/0x180 [ 26.283474][ C0] put_cpu_partial+0xc1/0x180 [ 26.288158][ C0] __slab_free+0x2c9/0x3a0 [ 26.292579][ C0] ___cache_free+0x10e/0x130 [ 26.297173][ C0] qlink_free+0x50/0x90 [ 26.301331][ C0] qlist_free_all+0x5f/0xb0 [ 26.305854][ C0] kasan_quarantine_reduce+0x14a/0x160 [ 26.311320][ C0] __kasan_slab_alloc+0x2f/0xe0 [ 26.316185][ C0] slab_post_alloc_hook+0x5d/0x2f0 [ 26.321304][ C0] __kmalloc+0x17b/0x330 [ 26.325900][ C0] kvmalloc_node+0x88/0x130 [ 26.330599][ C0] seq_read_iter+0x1f1/0xce0 [ 26.335195][ C0] kernfs_fop_read_iter+0x146/0x460 [ 26.340485][ C0] [ 26.342820][ C0] Memory state around the buggy address: [ 26.348503][ C0] ffff88810eddb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.356574][ C0] ffff88810eddb100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.364728][ C0] >ffff88810eddb180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.372809][ C0] ^ [ 26.377431][ C0] ffff88810eddb200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.385492][ C0] ffff88810eddb280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.393771][ C0] ================================================================== [ 26.401918][ C0] Disabling lock debugging due to kernel taint