last executing test programs: 12.716213707s ago: executing program 4 (id=452): r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_CREATE(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000280)=ANY=[@ANYBLOB="640000000206010100000000000000000000000005000400000000000900020073797a300000000005000100"], 0x64}}, 0x0) r1 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_DESTROY(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000080)={0x1c, 0x3, 0x6, 0x201, 0x0, 0x0, {0x7, 0x0, 0xa}, [@IPSET_ATTR_PROTOCOL={0x5}]}, 0x1c}, 0x1, 0x0, 0x0, 0x4000000}, 0x40814) 12.716017131s ago: executing program 5 (id=453): r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000280)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_VENDOR(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f00000003c0)=ANY=[@ANYBLOB='0\x00\x00\x00', @ANYRES16, @ANYBLOB="010200000000000000006700000008000300", @ANYRES32=r1, @ANYBLOB="0800c300741300000800c400"], 0x30}}, 0x0) 12.358818474s ago: executing program 5 (id=456): r0 = socket$igmp(0x2, 0x3, 0x2) sendmsg$kcm(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)=[{0x0}, {&(0x7f0000000580)="d4fa0c511aad03aa5ed217677bc41c027d9c830c439c7f821ddd78b6915cb170e7603acf9e433c2903bb6773f4b0130668a1e5b5e08d21d0b69c28ca3455aed65855c86f3d1e5789d26375a0d85eaf5e92e19c9affcf76e7a94e76556d2b104ebf645747fadc91460f4b3c94e1a89b51be4a6aa4c65285f988329a8163b69c51b801500a5bacd0463976e2960e2679ef2feee5e6ce6bb78a51fb0e15820d13e4a5aa9e0742a6f8d677ad28fea356657bb550c8311b682d9003c82267a15aa7334bc53b65b9119a1a7d905c7dd365b85c230bbad0d5d0a79819e112637819d9a187cfdf782c6127d2d4281926ab0e22f7346b616fe28ed0b9f4a0c9fdac6d3a90a9c38b5e31448a45546388c95045bc22fe88c43b82a0a5d3eb61c238a5159ea98db9c00aeef644ae98a8cb8dffff3b7ba14d7971910b559623af8295", 0x13c}], 0x2}, 0x0) sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000009b40)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x4000850}, 0x0) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8b18, &(0x7f0000000000)={'wlan0\x00'}) 12.272261174s ago: executing program 4 (id=459): prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r0 = getpid() r1 = mq_open(0x0, 0x6e93ebbbcc0884f2, 0x196, 0x0) mq_timedsend(r1, 0x0, 0x0, 0x0, 0x0) sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x3000) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@file={0x0, './file1/file0\x00'}, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000300)={0x11, 0x5, &(0x7f00000002c0)=ANY=[@ANYBLOB="18050000000000fe000000004b64ffec850000007d00000004"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000100)='sched_switch\x00', r4}, 0x18) fsopen(&(0x7f0000000040)='afs\x00', 0x0) r5 = syz_open_dev$tty1(0xc, 0x4, 0x1) r6 = dup(r5) ioctl$VT_GETSTATE(r6, 0x5603, &(0x7f0000000040)={0x800, 0x4, 0x6}) 10.856124382s ago: executing program 0 (id=461): openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x7) r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x143102) writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2) r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0x19, 0x4, 0x4, 0x2, 0x0, 0x1}, 0x48) bpf$MAP_GET_NEXT_KEY(0x2, &(0x7f0000000180)={r1, &(0x7f00000000c0), &(0x7f0000000000)=""/10, 0x2}, 0x20) 10.663371643s ago: executing program 1 (id=462): setsockopt$MRT_DEL_MFC_PROXY(0xffffffffffffffff, 0x0, 0xd3, &(0x7f0000000100)={@multicast2, @multicast1, 0x2, "c6c0e6ec8755b5dc4e305886d95f086707764f8d0e5a0358ea21274f844a69e9", 0xffffffeb, 0x200, 0x489c, 0x1}, 0x3c) r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000340)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="3c0000001000010400"/20, @ANYRES32=0x0, @ANYBLOB="00000000141000001c00128009000100626f6e64000000000c00028005001f"], 0x3c}, 0x1, 0x0, 0x0, 0x80}, 0x0) sendmsg$nl_route(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000100)=ANY=[@ANYBLOB="500000001000010425bbe5ad600027842cf52300", @ANYRES32=0x0, @ANYBLOB="0000000000008000280012800a00010076786c61"], 0x50}}, 0x4000000) wait4(0x0, &(0x7f0000000380), 0x1, &(0x7f00000003c0)) 10.65632291s ago: executing program 2 (id=463): mkdirat(0xffffffffffffff9c, 0x0, 0x94) mount$fuse(0x0, 0x0, 0x0, 0xfc5cd7921c2c19c4, &(0x7f0000000400)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=0x0]) mount(0x0, &(0x7f0000000380)='./file1\x00', &(0x7f0000000040)='autofs\x00', 0x0, &(0x7f0000000400)) chdir(&(0x7f0000000080)='./file1\x00') r0 = open(&(0x7f0000000000)='.\x00', 0x0, 0x0) ioctl$AUTOFS_IOC_PROTOSUBVER(r0, 0x80049367, &(0x7f0000000440)) 10.642974117s ago: executing program 3 (id=464): r0 = gettid() timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x4, @tid=r0}, &(0x7f0000bbdffc)) timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0) futex(&(0x7f000000cffc), 0x80, 0x0, 0x0, 0x0, 0x0) futex(0x0, 0xd, 0x0, 0x0, 0x0, 0x1) futex(&(0x7f000000cffc)=0x1, 0xd, 0x0, 0x0, 0x0, 0x0) 10.58786893s ago: executing program 0 (id=465): socket$nl_route(0x10, 0x3, 0x0) socket$unix(0x1, 0x5, 0x0) socket$inet6_sctp(0xa, 0x1, 0x84) r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000600)={0x11, 0x3, &(0x7f0000000200)=@framed, &(0x7f00000003c0)='GPL\x00'}, 0x94) r1 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000a00)=ANY=[@ANYBLOB="1b00000000000000000000000080"], 0x50) r4 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x6, 0x10, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r3, @ANYBLOB="0000000000000000b702000002000000850000008600000018110000", @ANYRES32, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bca2000000000000a6020000f8ffffffb703000008000000b704000000000000850000003300000095"], &(0x7f0000000380)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000400)={{}, &(0x7f0000000240), &(0x7f00000006c0)=r0}, 0x20) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000340)={r4, r2, 0x25, 0x2, @val=@tcx}, 0x1c) syz_emit_ethernet(0x2a, &(0x7f0000000440)={@link_local, @random, @void, {@ipv4={0x800, @icmp={{0x5, 0x4, 0x0, 0x0, 0x1c, 0x64, 0x0, 0x0, 0x2, 0x0, @empty, @multicast1}, @address_request={0x11, 0x0, 0x0, 0x5}}}}}, 0x0) 10.395284776s ago: executing program 2 (id=466): r0 = syz_open_dev$vim2m(0x0, 0x47b, 0x2) mknod$loop(&(0x7f0000000140)='./file0\x00', 0xfff, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x7) r1 = getpid() sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbee2, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@abs={0x0, 0x0, 0x4e21}, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, 0x0) bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x16, 0xc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, @flow_dissector, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) madvise(&(0x7f0000629000/0x4000)=nil, 0x4000, 0x64) r4 = openat$binder_debug(0xffffffffffffff9c, &(0x7f00000002c0)='/sys/kernel/debug/binder/stats\x00', 0x0, 0x0) execve(&(0x7f00000190c0)='./file0\x00', 0x0, 0x0) execve(&(0x7f0000000000)='./file0\x00', 0x0, 0x0) execve(0x0, 0x0, 0x0) ioctl$vim2m_VIDIOC_S_CTRL(r0, 0xc008561c, &(0x7f0000000100)={0xf0f005, 0x2}) r5 = socket$nl_netfilter(0x10, 0x3, 0xc) socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NL80211_CMD_UNEXPECTED_FRAME(r4, &(0x7f00000003c0)={&(0x7f0000000080), 0xc, &(0x7f0000000240)={&(0x7f00000000c0)=ANY=[], 0x20}, 0x1, 0x0, 0x0, 0x8000}, 0x4000) sendmsg$IPSET_CMD_LIST(r5, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f00000000c0)=ANY=[@ANYBLOB="1c000000070601880000000000000000000000000500010006000000dc8f44c5dc4fdb020000000000000060f7a9376cb6"], 0x1c}, 0x1, 0x0, 0x0, 0x14}, 0x0) 10.101599484s ago: executing program 5 (id=467): setresgid(0xee00, 0x0, 0xee00) syz_genetlink_get_family_id$nl80211(0x0, 0xffffffffffffffff) socket$nl_generic(0x10, 0x3, 0x10) r0 = bpf$MAP_CREATE(0x0, 0x0, 0x0) timerfd_gettime(0xffffffffffffffff, &(0x7f0000000000)) open_by_handle_at(0xffffffffffffffff, 0x0, 0x692280) openat$dir(0xffffffffffffff9c, &(0x7f0000004280)='./file0\x00', 0x0, 0x121) bpf$MAP_CREATE(0x0, &(0x7f0000000240)=@base={0xc, 0x4, 0x4, 0x7, 0x0, r0}, 0x50) bpf$MAP_DELETE_BATCH(0x1b, 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000002200)=0x1) sched_setaffinity(0x0, 0x8, &(0x7f0000000240)=0x6) r1 = syz_open_dev$MSR(&(0x7f0000000080), 0x0, 0x0) read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8) kexec_load(0x1000d0ffc2, 0x0, 0x0, 0x0) r2 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$tipc2(0x0, 0xffffffffffffffff) sendmsg$TIPC_NL_LINK_SET(r2, &(0x7f0000000540)={0x0, 0x0, &(0x7f00000012c0)={0x0}, 0x1, 0x0, 0x0, 0x800}, 0x0) setsockopt$inet_sctp6_SCTP_AUTH_CHUNK(0xffffffffffffffff, 0x84, 0x15, 0x0, 0x0) r3 = socket(0x10, 0x3, 0x0) openat$cgroup_procs(0xffffffffffffffff, 0x0, 0x2, 0x0) sendmsg$kcm(r3, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)="2e00000010008188040f80ec59acbc0413a1f8480d0000005e140602000000000e000a000f00000002800000121f", 0x2e}], 0x1}, 0x404c080) write(r3, &(0x7f0000000000), 0x0) 10.100809796s ago: executing program 0 (id=479): r0 = socket$igmp(0x2, 0x3, 0x2) sendmsg$kcm(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)=[{0x0}, {&(0x7f0000000580)="d4fa0c511aad03aa5ed217677bc41c027d9c830c439c7f821ddd78b6915cb170e7603acf9e433c2903bb6773f4b0130668a1e5b5e08d21d0b69c28ca3455aed65855c86f3d1e5789d26375a0d85eaf5e92e19c9affcf76e7a94e76556d2b104ebf645747fadc91460f4b3c94e1a89b51be4a6aa4c65285f988329a8163b69c51b801500a5bacd0463976e2960e2679ef2feee5e6ce6bb78a51fb0e15820d13e4a5aa9e0742a6f8d677ad28fea356657bb550c8311b682d9003c82267a15aa7334bc53b65b9119a1a7d905c7dd365b85c230bbad0d5d0a79819e112637819d9a187cfdf782c6127d2d4281926ab0e22f7346b616fe28ed0b9f4a0c9fdac6d3a90a9c38b5e31448a45546388c95045bc22fe88c43b82a0a5d3eb61c238a5159ea98db9c00aeef644ae98a8cb8dffff3b7ba14d7971910b559623af8295", 0x13c}], 0x2}, 0x0) sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000009b40)={0x0, 0x0, &(0x7f0000009b00)={0x0, 0x28}, 0x1, 0x0, 0x0, 0x4000850}, 0x0) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8b18, &(0x7f0000000000)={'wlan0\x00'}) 9.588435338s ago: executing program 1 (id=468): r0 = socket$inet6(0xa, 0x2, 0x0) r1 = socket(0x10, 0x803, 0x0) syz_genetlink_get_family_id$nl80211(&(0x7f0000000240), r1) getsockname$packet(r1, &(0x7f0000000180)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000000c0)=0x14) sendmsg$nl_route(r1, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x40000}, 0x0) sendmmsg$inet(r0, &(0x7f00000018c0)=[{{&(0x7f0000000040)={0x2, 0x4e1c, @multicast1}, 0x10, 0x0, 0x0, &(0x7f0000000080)=[@ip_pktinfo={{0x1c, 0x0, 0x8, {r2, @empty, @multicast1}}}], 0x20}}], 0x1, 0x4880) 9.258096373s ago: executing program 2 (id=469): prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x7) prlimit64(0x0, 0xe, &(0x7f0000000200)={0x8, 0x8a}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x3) sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) r0 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r0, &(0x7f0000019680)=""/102392, 0x18ff8) openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001840), 0x2982, 0x0) bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f00000003c0)=@bpf_lsm={0x1e, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x24, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x5d}, 0x94) r1 = syz_io_uring_setup(0x656f, &(0x7f0000000140)={0x0, 0xbbda, 0x13500, 0x0, 0x2b5}, &(0x7f0000000240), &(0x7f0000000480)) io_uring_register$IORING_REGISTER_EVENTFD_ASYNC(r1, 0x21, &(0x7f0000000440), 0x1) 8.619268539s ago: executing program 4 (id=470): openat$ttyS3(0xffffffffffffff9c, 0x0, 0x26a100, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0) r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102) writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2) r1 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0) setpgid(r1, r1) waitid(0x2, r1, 0x0, 0x4, 0x0) 8.604622867s ago: executing program 3 (id=483): prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r0 = getpid() r1 = mq_open(0x0, 0x6e93ebbbcc0884f2, 0x196, 0x0) mq_timedsend(r1, 0x0, 0x0, 0x0, 0x0) sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x3000) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@file={0x0, './file1/file0\x00'}, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000300)={0x11, 0x5, &(0x7f00000002c0)=ANY=[@ANYBLOB="18050000000000fe000000004b64ffec850000007d0000000400000007"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000100)='sched_switch\x00', r4}, 0x18) fsopen(&(0x7f0000000040)='afs\x00', 0x0) r5 = syz_open_dev$tty1(0xc, 0x4, 0x1) r6 = dup(r5) ioctl$VT_GETSTATE(r6, 0x5603, &(0x7f0000000040)={0x800, 0x4, 0x6}) 6.890026678s ago: executing program 3 (id=471): r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101}) r1 = socket(0x400000000010, 0x3, 0x0) r2 = socket$unix(0x1, 0x1, 0x0) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0}) sendmsg$nl_route_sched(r1, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000005c0)=@newqdisc={0x38, 0x24, 0x4ee4e6a52ff56541, 0x70bd2a, 0xffffffff, {0x0, 0x0, 0x0, r3, {0x0, 0x1}, {0xffff, 0xffff}, {0x0, 0x9}}, [@qdisc_kind_options=@q_multiq={{0xb}, {0x8}}]}, 0x38}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000580)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000600)=@newtfilter={0x68, 0x2c, 0xd27, 0x30bd29, 0x25dfdbfd, {0x0, 0x0, 0x0, r3, {0x0, 0xf}, {}, {0x7, 0x1}}, [@filter_kind_options=@f_flow={{0x9}, {0x38, 0x2, [@TCA_FLOW_EMATCHES={0x34, 0xb, 0x0, 0x1, [@TCA_EMATCH_TREE_HDR={0x8, 0x1, {0x2}}, @TCA_EMATCH_TREE_LIST={0x28, 0x2, 0x0, 0x1, [@TCF_EM_IPT={0x24, 0x1, 0x0, 0x0, {{0x8, 0x9, 0x40}, [@TCA_EM_IPT_HOOK={0x8, 0x1, 0x3}, @TCA_EM_IPT_MATCH_DATA={0x4}, @TCA_EM_IPT_MATCH_NAME={0xb}]}}]}]}]}}]}, 0x68}, 0x1, 0x0, 0x0, 0x40}, 0x2008c014) 6.163051698s ago: executing program 2 (id=472): r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_CREATE(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000280)=ANY=[@ANYBLOB="640000000206010100000000000000000000000005000400000000000900020073797a300000000005000100"], 0x64}}, 0x0) r1 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_DESTROY(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000080)={0x1c, 0x3, 0x6, 0x201, 0x0, 0x0, {0x7, 0x0, 0xa}, [@IPSET_ATTR_PROTOCOL={0x5}]}, 0x1c}, 0x1, 0x0, 0x0, 0x4000000}, 0x40814) 6.125356066s ago: executing program 4 (id=473): socket$inet_sctp(0x2, 0x5, 0x84) syz_emit_ethernet(0x52, 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) r0 = socket(0x40000000015, 0x5, 0x0) connect$inet(r0, &(0x7f0000000040)={0x2, 0x0, @loopback}, 0x10) sendmsg$nl_route_sched(0xffffffffffffffff, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0) sched_setaffinity(0x0, 0x8, &(0x7f0000000240)=0x2) bind$inet(r0, &(0x7f0000000340)={0x2, 0x0, @loopback}, 0x57) sendmsg$xdp(r0, &(0x7f0000000100)={0x0, 0x0, 0x0}, 0x0) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0) recvmmsg(r0, &(0x7f0000000b40)=[{{0x0, 0x0, 0x0, 0x0, &(0x7f0000000280)=""/11, 0xffffffffffffff4b}}], 0x5df, 0x2, 0x0) 6.032315047s ago: executing program 0 (id=474): writev(0xffffffffffffffff, &(0x7f0000000400)=[{&(0x7f0000000040)="aa1d484ea0fffb00f7fc08fcd111fbdf23ea32db0e8f21", 0x17}], 0x1) syz_genetlink_get_family_id$nl80211(&(0x7f00000003c0), 0xffffffffffffffff) r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000540)={'wlan0\x00'}) sendmsg$NL80211_CMD_NEW_KEY(r0, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000680)={0x0, 0x58}}, 0x40c0) 5.665010992s ago: executing program 1 (id=475): r0 = syz_open_dev$I2C(&(0x7f0000000000), 0x1, 0x402) ioctl$I2C_SMBUS(r0, 0x720, &(0x7f0000000180)={0x1, 0x18, 0x1, &(0x7f0000000440)={0x1c, "a52422ffd60775c221c4031d467d6648a97569b7d49cc4492d050600000000ff00"}}) 5.651319063s ago: executing program 5 (id=476): prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000180)=0x7) sched_setscheduler(0x0, 0x2, 0x0) sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0) r0 = socket$can_j1939(0x1d, 0x2, 0x7) bind$can_j1939(r0, &(0x7f00000000c0)={0x1d, 0x0, 0x0, {0x0, 0x1}}, 0x18) sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x400000000000000) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) r1 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r1, 0x0, 0x0) socket$caif_seqpacket(0x25, 0x5, 0x5) mount$overlay(0x0, 0x0, 0x0, 0x0, 0x0) r2 = syz_io_uring_setup(0x10d, &(0x7f0000000300)={0x0, 0x40000, 0x0, 0xfffffffc, 0x238}, &(0x7f0000000380)=0x0, &(0x7f0000000280)=0x0) syz_memcpy_off$IO_URING_METADATA_GENERIC(r3, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4) syz_io_uring_submit(r3, r4, &(0x7f0000000440)=@IORING_OP_ASYNC_CANCEL={0xe, 0x1, 0x0, 0x0, 0x0, 0x12345, 0x0, 0x0, 0x1}) io_uring_enter(r2, 0x3f70, 0x0, 0x0, 0x0, 0x0) syz_io_uring_setup(0x10d, 0x0, &(0x7f0000000700), &(0x7f0000000280)) 5.607544107s ago: executing program 2 (id=477): r0 = syz_mount_image$nilfs2(&(0x7f0000000040), &(0x7f0000000100)='./bus\x00', 0x0, &(0x7f00000002c0)=ANY=[], 0x1, 0xaf4, &(0x7f0000000e00)="$eJzs3V2IXFcBAOAzszv7k6RmUhO7prFNrLb1p5tmd40/wSYlQTA0RXwpBF9CmtZgjGAFtRRM8uSbLSWCT1bxqS+limBfJPTJl4INFKH4UH3wwRCxIKLRZMrOnjM7czKTO7M7O7O7831w59x7z7n3nHvnzp37e04ARla5/rmwMFMK4fIbLx/7+4N/m14cc7iRolr/HG8aqoQQSnF4PJvfe2NL4c33XzjdLiyFufpnGg5PXm9MuzWEcCHsDVdCNey+fPWlt+aeOHHx+KV9b7966NraLD0AAIyWr105tLDrL3+8d8eN1+47EibT6MWe+vF5NY7YFo/7j8QD/3T8X45haXJ5nqWm+GQitE43HrvydGu6sTbpmvOpZOnGs/Qp74ks/0qHdJPhzvmPNY1rt9ywkaXtuBpK5dmW4XJ5dnbpnDzUz+snSrPnz5575rkhFRTou3/dH0LY29QdvdQ6vN66wyuetrRWZaofW3SRrjbsdbdRuyODy+tGbcnQl3lAXW37sPdAAEvy+4W3uZBfWVidxtzGu8v/+uPl9tNDHwx6++8p/4kh5x9GPP/8YiWs0mb9/0rLlX5H2+Jwfh8hf36p8++vnM25dWx+P6LSZTk73UfYKPcXOpVzbMDlWKlO5c+3i83qyzFM6+GxLL7595N/pxvlOwba+09+/V+n061ZV+nHfELLcGU186oNef8DrF/5c3O1dH80yp/ry+MnC+KnCuKnC+K3FMRvLYiHUfab7/0kvFhaPs/Pz+l7vR6errPdFcMP9Vie/Hpkr/nnz/32arX5u0TPRvK7U0+d+cLTJ68uPf9famz/t+L2nk43qvG3dSUmSNcL8+vqjWf/q635lDukuzsrz11t0tf7d7amK+1cnk9o2s/cVo6Z1um2d0q3pzVdNUs3HbuprLz58cmWbLp0/JH2q2l9jWfLW8mWYyIrR9qv7IhhXg5YibQ9dnr+P22fM6FSeubsuTOPxuG0nf5hrDK5OP7AgMsNrF637//MhNb3f7Y1xlfKzfuF7cvjS0v7hdfj/FrHzzXyaR0/H4fT/9w3x6br42dPf+fc0/1ffBhpz/3w+W+dOnfuzHd77Fk8Hu19qjv1zE+H0NcZDqznK+WwHorRS086bVkv5dGz7nqGvGMC1tz+Hy0dBDxy9tunnj3z7Jnz8wcPzs/NHfzi/ML++nH9/uaj+2YXhlBaoJ+W//SHXRIAAAAAAAAAAACgW98/fuzqO29+/t2l9/+X3/9L7/+nJ3/T+/8/zt7/z9+TT+/Bp/cAd7SJr6fJKlidyNJVYvfhrLw7s3x2ZdN9JIaNdvzi+/8pu7xe11See7LxlQ6DWXUCt9WXMpHVQZK3F/jxGF6K4S8DDFFpuv3oGBbVb5229VQ/RVO9FDX1A28c6XtLW0OqxyS9/922XqemL3vHAMpI/w3idcJhLyPQ3j9Gqv7vfy4v+NDLouvcjaf+6kDy+9nobhO1jkfp3bZgA9Afw27/M133TOH53391arFLya4/3rq/zOsvhV786Z3W4XXd/uQA8s/b7Rt0/sNY/qke8v/Vxf7m32j/Ltv//TmOvn3/19JiXvuLx13478+vvduUbdjd7f43X/5UD/TO3vK/EfNPS/NQ6C7/2i+y/PMbQl36X5b/li7zv23596ws///H/NNqe/iBbvOvl3gylFvLkV83Tvf/8uvGyc1s+VPdnnfI/+vPt1v+FTbUeCvmD6Nso7Qz26vsOKJx0L7y9n+jC/1t/7dR2Gy3lj+H8bk4nHbE6TmHvL2TXsufnq9I/wO7svmXCv7ftP+7sX0phkW/h9T+b9oeq/Evv2m4vi7TcKXNut2s+xrYqN5b6/t/8/+u1dbBfY6+dSfXPI+poS/juu+OrHoerzzWt/LUxlYwXaOduCGvy1qttrYX1AoMNXOGvv6HfZ4w7PyHvf6L5O3/5sfwefu/eXze/m8en7f/m8dPx2+oU3ze/m++PvP2f/P4e7L55u0DzxTEf7Qgfnf7+MZp+70F0+8piP9YQfy+RvzhlhQp/r6C6e8viL+7IP6BgvhPFMR/siD+wYL4h5vim9uATvGfKph+s0vvo4zq8sMoy9/P8/uH0VG//9PUaH3++0/3hewfYPP56WsHjp789TeqS+//TzSuh6T7eEficCWeP/0gDuf3vUPT8GLcm3H4r1n8er/eAaMkrz8j/39/qCAe2LjSc15+3zCCSlPtR8ewqN6qTsf5bCyfjuFnYvjZGD4Sw9kY7o/hgRjODah8rI2jr//20Iul5fP97Vl8t8+Tl7L3gVrqiQohzHdZnvz6QK/Ps+f1+PVqtfmv8HUwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAoSnXPxcWZkohXH7j5WNPnTi7f3HM4UaKav1zvGmo0pguhEdjOBbDV2LPzfdfON0c3ophKcyFUig1xocnrzdy2hpCuBD2hiuhGnZfvvrSW3NPnLh4/NK+t189dG3t1gAAAABsfh8EAAD//9SuCeg=") lseek(0xffffffffffffffff, 0x19, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000480)={0x11, 0x5, &(0x7f00000003c0)=ANY=[@ANYRESDEC=0x0], &(0x7f0000000540)='GPL\x00', 0x6, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x8000}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000300)={&(0x7f00000005c0)='sched_switch\x00', r1, 0x0, 0x2}, 0xfffffed9) unlinkat(r0, &(0x7f0000000000)='./bus/file1\x00', 0x200) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r2 = getpid() sched_setscheduler(r2, 0x2, &(0x7f0000000200)=0x4) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x90e7d000) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r3, &(0x7f0000000340)=@file={0x0, './bus/file1\x00'}, 0x6e) sendmmsg$unix(r4, &(0x7f0000000000), 0x400000000000041, 0x0) recvmmsg(r3, &(0x7f00000000c0), 0x10106, 0x2, 0x0) socket$inet_tcp(0x2, 0x1, 0x0) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000080), 0x82b83, 0x0) syz_open_dev$admmidi(0x0, 0xdb, 0x0) r5 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000100), 0x2, 0x0) write$RDMA_USER_CM_CMD_LISTEN(r5, &(0x7f00000001c0)={0x7, 0x8, 0xfa00, {0xffffffffffffffff, 0x2}}, 0x10) close(r5) r6 = syz_genetlink_get_family_id$devlink(&(0x7f0000000040), 0xffffffffffffffff) sendmsg$DEVLINK_CMD_TRAP_SET(0xffffffffffffffff, &(0x7f0000000440)={&(0x7f00000000c0), 0xc, &(0x7f0000000240)={&(0x7f0000000600)={0x14, r6, 0x20, 0x70bd2a, 0x25dfdbfd}, 0x14}, 0x1, 0x0, 0x0, 0x20000041}, 0x40600c4) connect$inet6(0xffffffffffffffff, &(0x7f0000000040)={0xa, 0x3, 0x0, @loopback}, 0x1c) ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, 0x0) rename(&(0x7f0000000180)='./file0\x00', &(0x7f0000000a00)='./bus/file0\x00') syz_mount_image$msdos(&(0x7f0000000940), &(0x7f0000001cc0)='.\x00', 0x1a4a438, &(0x7f00000008c0)=ANY=[], 0xb, 0x0, &(0x7f0000000000)) ioctl$LOOP_SET_BLOCK_SIZE(0xffffffffffffffff, 0x4c09, 0x100) 5.559963664s ago: executing program 0 (id=478): syz_usb_connect(0x0, 0x2d, &(0x7f00000002c0)={{0x12, 0x1, 0x0, 0x3e, 0xf6, 0x2e, 0x8, 0x424, 0xcf18, 0x3e73, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0xff, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x9a, 0x0, 0x1, 0x37, 0xc3, 0xf, 0x0, [], [{{0x9, 0x5, 0x8, 0x8, 0x3ff, 0x3, 0x6, 0x9}}]}}]}}]}}, 0x0) syz_emit_vhci(&(0x7f0000000040)=@HCI_EVENT_PKT={0x4, @hci_ev_si_device={{0x1, 0x4}, {0x8001, 0xe281}}}, 0x7) r0 = io_uring_setup(0x3cad, 0x0) io_uring_enter(r0, 0x6a8a, 0xffefffff, 0x21, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000580)=ANY=[@ANYBLOB="04030b00c700ffffffbf"], 0xe) ioctl$BTRFS_IOC_BALANCE_CTL(0xffffffffffffffff, 0x40049421, 0x1) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0) bind$inet(0xffffffffffffffff, 0x0, 0x0) futex_waitv(0x0, 0x0, 0x0, 0x0, 0x1) sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x4) sched_setaffinity(0x0, 0x8, &(0x7f00000000c0)=0x4002) io_setup(0x1, &(0x7f0000000080)=0x0) io_submit(r1, 0x0, 0x0) pipe(&(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000940)={0xffffffffffffffff, 0xffffffffffffffff}) splice(r3, 0x0, r2, 0x0, 0x9, 0xc) 5.419176418s ago: executing program 1 (id=480): mkdirat(0xffffffffffffff9c, 0x0, 0x94) mount$fuse(0x0, 0x0, 0x0, 0xfc5cd7921c2c19c4, &(0x7f0000000400)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=0x0]) mount(0x0, &(0x7f0000000380)='./file1\x00', &(0x7f0000000040)='autofs\x00', 0x0, &(0x7f0000000400)) chdir(&(0x7f0000000080)='./file1\x00') r0 = open(&(0x7f0000000000)='.\x00', 0x0, 0x0) ioctl$AUTOFS_IOC_PROTOSUBVER(r0, 0x80049367, &(0x7f0000000440)) 5.384588684s ago: executing program 5 (id=481): socket$nl_route(0x10, 0x3, 0x0) socket$unix(0x1, 0x5, 0x0) socket$inet6_sctp(0xa, 0x1, 0x84) r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000600)={0x11, 0x3, &(0x7f0000000200)=@framed, &(0x7f00000003c0)='GPL\x00'}, 0x94) r1 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000a00)=ANY=[@ANYBLOB="1b00000000000000000000000080"], 0x50) r4 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x6, 0x10, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r3, @ANYBLOB="0000000000000000b702000002000000850000008600000018110000", @ANYRES32, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bca2000000000000a6020000f8ffffffb703000008000000b704000000000000850000003300000095"], &(0x7f0000000380)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000400)={{}, &(0x7f0000000240), &(0x7f00000006c0)=r0}, 0x20) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000340)={r4, r2, 0x25, 0x2, @val=@tcx}, 0x1c) syz_emit_ethernet(0x2a, &(0x7f0000000440)={@link_local, @random, @void, {@ipv4={0x800, @icmp={{0x5, 0x4, 0x0, 0x0, 0x1c, 0x64, 0x0, 0x0, 0x2, 0x0, @empty, @multicast1}, @address_request={0x11, 0x0, 0x0, 0x5}}}}}, 0x0) 5.32225657s ago: executing program 3 (id=482): r0 = syz_open_dev$sg(&(0x7f00000003c0), 0x0, 0x5) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x11, 0x3, &(0x7f0000000300)=ANY=[], &(0x7f0000000280)='GPL\x00', 0xa, 0xb9, &(0x7f0000000140)=""/185, 0x41100, 0x2b, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x37}, 0x94) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r1 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x6) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@file={0x0, './file1\x00'}, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x400000000000041, 0x0) sched_setaffinity(r1, 0x8, &(0x7f0000000240)=0x2) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r4, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000200)=@ipv4_newrule={0x24, 0x20, 0x301, 0x0, 0x0, {0x2, 0x0, 0x20, 0x4, 0x44, 0x0, 0x0, 0x1}, [@FRA_SRC={0x8, 0x2, @private=0xa010101}]}, 0x24}, 0x1, 0x0, 0x0, 0x40001}, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r5, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="2800000021000100"], 0x28}}, 0x0) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) r6 = openat$fuse(0xffffffffffffff9c, 0x0, 0x2, 0x0) read$FUSE(r6, &(0x7f0000002140)={0x2020}, 0x2020) ioctl$SG_IO(r0, 0x2285, 0x0) writev(r0, &(0x7f0000000400)=[{&(0x7f0000000080)="aefdda9d240300005a90f57f07703aeff0f64ebbee07962c22772e11b44e65d76641cb010052f436dd2a", 0x2a}, {&(0x7f0000000040)="aa1d484ea0000000f7fc08fcd111fbdf23ea32db0e8f21d5bc27bd49eb067a0689fff2a41cfbf0e9d85e44", 0x2b}], 0x2) socket$nl_route(0x10, 0x3, 0x0) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000180)={&(0x7f0000000040)='sched_switch\x00'}, 0x18) r7 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0x4, &(0x7f0000000240)=@framed={{}, [@call={0x85, 0x0, 0x0, 0x11}]}, &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000400)={r7, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff03076003008cb89e08f088a8", 0x0, 0xd5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x50) ioctl$SNDCTL_DSP_GETISPACE(0xffffffffffffffff, 0x8010500d, &(0x7f0000000100)) 4.255742734s ago: executing program 2 (id=484): r0 = syz_usb_connect$hid(0x5, 0x36, &(0x7f00000000c0)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x5543, 0x5, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x2, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x5}}, {{{0x9, 0x5, 0x81, 0x3, 0x0, 0xc}}}}}]}}]}}, 0x0) syz_open_procfs$namespace(0x0, &(0x7f0000000280)='ns/ipc\x00') r1 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="0500000004000000ff0f"], 0x48) bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000200)={{r1}, 0x0, &(0x7f0000000040)='%pI4 \x00'}, 0x20) r2 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) r3 = bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='percpu_alloc_percpu\x00', r2}, 0x10) bpf$MAP_CREATE(0x0, &(0x7f0000000440)=ANY=[], 0x50) bpf$MAP_CREATE(0x0, &(0x7f00000002c0)=ANY=[@ANYRES64=r3, @ANYRES64, @ANYRES8=r1, @ANYRES32=0x0, @ANYRES32=r3, @ANYBLOB], 0x50) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setaffinity(0x0, 0x8, &(0x7f0000000200)=0x400000bce) r4 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x1) read$msr(r4, &(0x7f0000019680)=""/102392, 0x18ff8) lsm_set_self_attr(0x69, &(0x7f0000000040)={0x6c, 0x2, 0x29, 0x9, "ab80d0be3f61d96a51"}, 0x29, 0x0) prctl$PR_SET_SECUREBITS(0x1c, 0x28) r5 = bpf$ITER_CREATE(0xb, 0x0, 0x0) close(r5) syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/net\x00') bpf$BPF_PROG_TEST_RUN(0x1c, &(0x7f00000005c0)={0xffffffffffffffff, 0x0, 0x24, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}, 0xa) munmap(&(0x7f0000002000/0x1000)=nil, 0x1000) r6 = openat$uhid(0xffffff9c, &(0x7f0000000b00), 0x802, 0x0) write$UHID_CREATE(r6, 0x0, 0x0) bpf$BPF_PROG_QUERY(0x10, 0x0, 0x0) bpf$BPF_PROG_QUERY(0x10, &(0x7f0000000640)={@cgroup, 0x24, 0x0, 0xffff, &(0x7f0000000000)=[0x0], 0x40e8, 0x0, 0x0, 0x0, 0x0}, 0x40) syz_usb_control_io(r0, 0x0, 0x0) 3.001405135s ago: executing program 1 (id=485): r0 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0) ioctl$IOMMU_IOAS_ALLOC(r0, 0x3b81, &(0x7f0000000080)={0x19, 0x0, 0x0}) ioctl$IOMMU_IOAS_MAP$PAGES(r0, 0x3b85, &(0x7f0000000040)={0x28, 0x3, r1, 0x0, &(0x7f0000ffc000/0x3000)=nil, 0x3000}) ioctl$IOMMU_TEST_OP_CREATE_ACCESS(r0, 0x3ba0, &(0x7f00000001c0)={0x48, 0x5, r1, 0x0, 0xffffffffffffffff, 0x1}) ioctl$IOMMU_TEST_OP_ACCESS_PAGES$syz(r0, 0x3ba0, &(0x7f00000002c0)={0x48, 0x7, r2, 0x0, 0x10000, 0x0, 0x4, 0xfffffff5, 0x2d9406}) 2.965602863s ago: executing program 3 (id=486): prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r0 = getpid() r1 = mq_open(0x0, 0x6e93ebbbcc0884f2, 0x196, 0x0) mq_timedsend(r1, 0x0, 0x0, 0x0, 0x0) sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x3000) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@file={0x0, './file1/file0\x00'}, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000300)={0x11, 0x5, &(0x7f00000002c0)=ANY=[@ANYBLOB="18050000000000fe000000004b64ffec850000007d0000000400000007"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000100)='sched_switch\x00', r4}, 0x18) fsopen(&(0x7f0000000040)='afs\x00', 0x0) r5 = syz_open_dev$tty1(0xc, 0x4, 0x1) r6 = dup(r5) ioctl$VT_GETSTATE(r6, 0x5603, &(0x7f0000000040)={0x800, 0x4, 0x6}) 2.939580761s ago: executing program 5 (id=487): prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x7) prlimit64(0x0, 0xe, &(0x7f0000000200)={0x8, 0x8a}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x3) sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) r0 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r0, &(0x7f0000019680)=""/102392, 0x18ff8) openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001840), 0x2982, 0x0) bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f00000003c0)=@bpf_lsm={0x1e, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x24, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x5d}, 0x94) r1 = syz_io_uring_setup(0x656f, &(0x7f0000000140)={0x0, 0xbbda, 0x13500, 0x0, 0x2b5}, &(0x7f0000000240), &(0x7f0000000480)) io_uring_register$IORING_REGISTER_EVENTFD_ASYNC(r1, 0x21, &(0x7f0000000440), 0x1) 1.728081717s ago: executing program 3 (id=488): r0 = socket$igmp(0x2, 0x3, 0x2) sendmsg$kcm(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)=[{0x0}, {&(0x7f0000000580)="d4fa0c511aad03aa5ed217677bc41c027d9c830c439c7f821ddd78b6915cb170e7603acf9e433c2903bb6773f4b0130668a1e5b5e08d21d0b69c28ca3455aed65855c86f3d1e5789d26375a0d85eaf5e92e19c9affcf76e7a94e76556d2b104ebf645747fadc91460f4b3c94e1a89b51be4a6aa4c65285f988329a8163b69c51b801500a5bacd0463976e2960e2679ef2feee5e6ce6bb78a51fb0e15820d13e4a5aa9e0742a6f8d677ad28fea356657bb550c8311b682d9003c82267a15aa7334bc53b65b9119a1a7d905c7dd365b85c230bbad0d5d0a79819e112637819d9a187cfdf782c6127d2d4281926ab0e22f7346b616fe28ed0b9f4a0c9fdac6d3a90a9c38b5e31448a45546388c95045bc22fe88c43b82a0a5d3eb61c238a5159ea98db9c00aeef644ae98a8cb8dffff3b7ba14d7971910b559623af8295", 0x13c}], 0x2}, 0x0) sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000009b40)={0x0, 0x0, &(0x7f0000009b00)={0x0, 0x28}, 0x1, 0x0, 0x0, 0x4000850}, 0x0) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8b18, &(0x7f0000000000)={'wlan0\x00'}) 1.573865573s ago: executing program 1 (id=489): r0 = socket$inet6(0xa, 0x2, 0x0) r1 = socket(0x10, 0x803, 0x0) syz_genetlink_get_family_id$nl80211(&(0x7f0000000240), r1) getsockname$packet(r1, &(0x7f0000000180)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000000c0)=0x14) sendmsg$nl_route(r1, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x40000}, 0x0) sendmmsg$inet(r0, &(0x7f00000018c0)=[{{&(0x7f0000000040)={0x2, 0x4e1c, @multicast1}, 0x10, 0x0, 0x0, &(0x7f0000000080)=[@ip_pktinfo={{0x1c, 0x0, 0x8, {r2, @empty, @multicast1}}}], 0x20}}], 0x1, 0x4880) 1.572285352s ago: executing program 4 (id=490): syz_open_dev$radio(&(0x7f00000001c0), 0x0, 0x2) socket$nl_netfilter(0x10, 0x3, 0xc) setsockopt$packet_tx_ring(0xffffffffffffffff, 0x107, 0xd, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x7, 0x100}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) socket$inet6(0xa, 0x80002, 0x0) r3 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFNL_MSG_CTHELPER_NEW(r3, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000680)={&(0x7f0000000580)={0x70, 0x0, 0x9, 0x401, 0x0, 0x0, {0xa}, [@NFCTH_PRIV_DATA_LEN={0x8, 0x5, 0x1, 0x0, 0x16}, @NFCTH_NAME={0x9, 0x1, 'syz0\x00'}, @NFCTH_TUPLE={0x3c, 0x2, [@CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5}}, @CTA_TUPLE_IP={0x2c, 0x1, 0x0, 0x1, @ipv6={{0x14, 0x3, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02'}, {0x14, 0x4, @local}}}]}, @NFCTH_POLICY={0xc, 0x4, 0x0, 0x1, {0x37}}]}, 0x70}}, 0x0) 135.119µs ago: executing program 0 (id=491): openat$ttyS3(0xffffffffffffff9c, 0x0, 0x26a100, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0) r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102) writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2) r1 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0) setpgid(r1, r1) waitid(0x2, r1, 0x0, 0x4, 0x0) 0s ago: executing program 4 (id=492): writev(0xffffffffffffffff, &(0x7f0000000400)=[{&(0x7f0000000040)="aa1d484ea0fffb00f7fc08fcd111fbdf23ea32db0e8f21", 0x17}], 0x1) syz_genetlink_get_family_id$nl80211(&(0x7f00000003c0), 0xffffffffffffffff) r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000540)={'wlan0\x00'}) sendmsg$NL80211_CMD_NEW_KEY(r0, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000680)={0x0, 0x58}}, 0x40c0) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.0.121' (ED25519) to the list of known hosts. [ 100.316095][ T5813] cgroup: Unknown subsys name 'net' [ 100.469634][ T5813] cgroup: Unknown subsys name 'cpuset' [ 100.479642][ T5813] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 101.476584][ T24] cfg80211: failed to load regulatory.db [ 102.222145][ T5813] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 106.846069][ T5833] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 106.865323][ T5833] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 106.873198][ T5833] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 106.887062][ T5833] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 106.905548][ T5833] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 106.995223][ T5833] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 107.003864][ T5833] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 107.012850][ T5833] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 107.021234][ T5833] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 107.029076][ T5833] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 107.101159][ T5833] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 107.110416][ T5833] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 107.118139][ T5833] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 107.126887][ T5833] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 107.135325][ T5833] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 107.180439][ T5143] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 107.194887][ T5842] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1 [ 107.206342][ T5847] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9 [ 107.225836][ T5847] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9 [ 107.249242][ T5847] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 107.256192][ T5846] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1 [ 107.264228][ T5849] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9 [ 107.272021][ T5847] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4 [ 107.296117][ T5847] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2 [ 107.303217][ T5849] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9 [ 107.327066][ T5847] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4 [ 107.335174][ T5847] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2 [ 107.361447][ T5842] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 107.386734][ T5842] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 107.400279][ T5842] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 107.885797][ T5831] chnl_net:caif_netlink_parms(): no params data found [ 108.248657][ T5834] chnl_net:caif_netlink_parms(): no params data found [ 108.296558][ T5836] chnl_net:caif_netlink_parms(): no params data found [ 108.416738][ T5831] bridge0: port 1(bridge_slave_0) entered blocking state [ 108.425020][ T5831] bridge0: port 1(bridge_slave_0) entered disabled state [ 108.432783][ T5831] bridge_slave_0: entered allmulticast mode [ 108.442170][ T5831] bridge_slave_0: entered promiscuous mode [ 108.453123][ T5831] bridge0: port 2(bridge_slave_1) entered blocking state [ 108.460396][ T5831] bridge0: port 2(bridge_slave_1) entered disabled state [ 108.468059][ T5831] bridge_slave_1: entered allmulticast mode [ 108.476238][ T5831] bridge_slave_1: entered promiscuous mode [ 108.501030][ T5840] chnl_net:caif_netlink_parms(): no params data found [ 108.675965][ T5841] chnl_net:caif_netlink_parms(): no params data found [ 108.716828][ T5831] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 108.730496][ T5831] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 108.862267][ T5834] bridge0: port 1(bridge_slave_0) entered blocking state [ 108.869723][ T5834] bridge0: port 1(bridge_slave_0) entered disabled state [ 108.877132][ T5834] bridge_slave_0: entered allmulticast mode [ 108.885703][ T5834] bridge_slave_0: entered promiscuous mode [ 108.893699][ T5838] chnl_net:caif_netlink_parms(): no params data found [ 108.908129][ T5831] team0: Port device team_slave_0 added [ 108.946251][ T5836] bridge0: port 1(bridge_slave_0) entered blocking state [ 108.953523][ T5836] bridge0: port 1(bridge_slave_0) entered disabled state [ 108.961211][ T5836] bridge_slave_0: entered allmulticast mode [ 108.968945][ T5836] bridge_slave_0: entered promiscuous mode [ 108.999231][ T5834] bridge0: port 2(bridge_slave_1) entered blocking state [ 109.005736][ T53] Bluetooth: hci0: command tx timeout [ 109.006845][ T5834] bridge0: port 2(bridge_slave_1) entered disabled state [ 109.019056][ T5834] bridge_slave_1: entered allmulticast mode [ 109.026992][ T5834] bridge_slave_1: entered promiscuous mode [ 109.035631][ T5831] team0: Port device team_slave_1 added [ 109.059771][ T5836] bridge0: port 2(bridge_slave_1) entered blocking state [ 109.067633][ T5836] bridge0: port 2(bridge_slave_1) entered disabled state [ 109.074907][ T5836] bridge_slave_1: entered allmulticast mode [ 109.082479][ T5836] bridge_slave_1: entered promiscuous mode [ 109.155240][ T53] Bluetooth: hci1: command tx timeout [ 109.235008][ T53] Bluetooth: hci2: command tx timeout [ 109.235681][ T5834] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 109.251472][ T5831] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 109.258472][ T5831] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 109.285376][ T5831] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 109.319359][ T5840] bridge0: port 1(bridge_slave_0) entered blocking state [ 109.326976][ T5840] bridge0: port 1(bridge_slave_0) entered disabled state [ 109.334262][ T5840] bridge_slave_0: entered allmulticast mode [ 109.342603][ T5840] bridge_slave_0: entered promiscuous mode [ 109.353468][ T5836] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 109.381593][ T5834] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 109.395134][ T5842] Bluetooth: hci4: command tx timeout [ 109.401171][ T53] Bluetooth: hci5: command tx timeout [ 109.411015][ T5831] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 109.418341][ T5831] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 109.444595][ T5831] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 109.463513][ T5840] bridge0: port 2(bridge_slave_1) entered blocking state [ 109.470856][ T5840] bridge0: port 2(bridge_slave_1) entered disabled state [ 109.478033][ T53] Bluetooth: hci3: command tx timeout [ 109.478190][ T5840] bridge_slave_1: entered allmulticast mode [ 109.491327][ T5840] bridge_slave_1: entered promiscuous mode [ 109.500927][ T5836] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 109.567146][ T5834] team0: Port device team_slave_0 added [ 109.611056][ T5841] bridge0: port 1(bridge_slave_0) entered blocking state [ 109.618420][ T5841] bridge0: port 1(bridge_slave_0) entered disabled state [ 109.626040][ T5841] bridge_slave_0: entered allmulticast mode [ 109.633735][ T5841] bridge_slave_0: entered promiscuous mode [ 109.642717][ T5841] bridge0: port 2(bridge_slave_1) entered blocking state [ 109.650294][ T5841] bridge0: port 2(bridge_slave_1) entered disabled state [ 109.657926][ T5841] bridge_slave_1: entered allmulticast mode [ 109.666578][ T5841] bridge_slave_1: entered promiscuous mode [ 109.676491][ T5834] team0: Port device team_slave_1 added [ 109.727928][ T5836] team0: Port device team_slave_0 added [ 109.737961][ T5836] team0: Port device team_slave_1 added [ 109.812475][ T5840] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 109.873231][ T5841] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 109.883369][ T5838] bridge0: port 1(bridge_slave_0) entered blocking state [ 109.890962][ T5838] bridge0: port 1(bridge_slave_0) entered disabled state [ 109.899438][ T5838] bridge_slave_0: entered allmulticast mode [ 109.907236][ T5838] bridge_slave_0: entered promiscuous mode [ 109.918125][ T5840] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 109.949842][ T5831] hsr_slave_0: entered promiscuous mode [ 109.956946][ T5831] hsr_slave_1: entered promiscuous mode [ 109.972169][ T5834] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 109.979469][ T5834] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 110.005717][ T5834] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 110.020000][ T5841] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 110.043393][ T5838] bridge0: port 2(bridge_slave_1) entered blocking state [ 110.050876][ T5838] bridge0: port 2(bridge_slave_1) entered disabled state [ 110.058435][ T5838] bridge_slave_1: entered allmulticast mode [ 110.066367][ T5838] bridge_slave_1: entered promiscuous mode [ 110.088968][ T5836] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 110.096134][ T5836] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 110.123130][ T5836] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 110.136523][ T5834] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 110.143486][ T5834] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 110.169765][ T5834] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 110.231961][ T5836] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 110.239301][ T5836] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 110.265967][ T5836] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 110.287971][ T5841] team0: Port device team_slave_0 added [ 110.326349][ T5840] team0: Port device team_slave_0 added [ 110.352793][ T5841] team0: Port device team_slave_1 added [ 110.361913][ T5838] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 110.388675][ T5840] team0: Port device team_slave_1 added [ 110.430739][ T5838] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 110.569567][ T5836] hsr_slave_0: entered promiscuous mode [ 110.577313][ T5836] hsr_slave_1: entered promiscuous mode [ 110.583615][ T5836] debugfs: 'hsr0' already exists in 'hsr' [ 110.590293][ T5836] Cannot create hsr debugfs directory [ 110.597315][ T5841] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 110.604268][ T5841] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 110.630939][ T5841] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 110.665161][ T5840] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 110.672152][ T5840] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 110.698365][ T5840] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 110.716334][ T5834] hsr_slave_0: entered promiscuous mode [ 110.723161][ T5834] hsr_slave_1: entered promiscuous mode [ 110.730217][ T5834] debugfs: 'hsr0' already exists in 'hsr' [ 110.736105][ T5834] Cannot create hsr debugfs directory [ 110.761955][ T5841] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 110.769093][ T5841] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 110.795555][ T5841] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 110.809421][ T5838] team0: Port device team_slave_0 added [ 110.822426][ T5840] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 110.829763][ T5840] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 110.855875][ T5840] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 110.899197][ T5838] team0: Port device team_slave_1 added [ 111.076000][ T53] Bluetooth: hci0: command tx timeout [ 111.133308][ T5841] hsr_slave_0: entered promiscuous mode [ 111.141521][ T5841] hsr_slave_1: entered promiscuous mode [ 111.149249][ T5841] debugfs: 'hsr0' already exists in 'hsr' [ 111.155129][ T5841] Cannot create hsr debugfs directory [ 111.161471][ T5838] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 111.168775][ T5838] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 111.195396][ T5838] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 111.235047][ T53] Bluetooth: hci1: command tx timeout [ 111.271676][ T5838] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 111.278957][ T5838] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 111.305250][ T5838] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 111.315940][ T53] Bluetooth: hci2: command tx timeout [ 111.339868][ T5840] hsr_slave_0: entered promiscuous mode [ 111.346510][ T5840] hsr_slave_1: entered promiscuous mode [ 111.352788][ T5840] debugfs: 'hsr0' already exists in 'hsr' [ 111.358742][ T5840] Cannot create hsr debugfs directory [ 111.475487][ T53] Bluetooth: hci5: command tx timeout [ 111.481104][ T5842] Bluetooth: hci4: command tx timeout [ 111.555329][ T5842] Bluetooth: hci3: command tx timeout [ 111.565691][ T5838] hsr_slave_0: entered promiscuous mode [ 111.572206][ T5838] hsr_slave_1: entered promiscuous mode [ 111.579168][ T5838] debugfs: 'hsr0' already exists in 'hsr' [ 111.585266][ T5838] Cannot create hsr debugfs directory [ 111.926474][ T5831] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 111.940072][ T5831] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 111.972901][ T5831] netdevsim netdevsim2 netdevsim2: renamed from eth2 [ 112.010374][ T5831] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 112.133966][ T5836] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 112.167287][ T5836] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 112.184163][ T5836] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 112.207761][ T5836] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 112.280061][ T5834] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 112.326771][ T5834] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 112.339825][ T5834] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 112.370963][ T5834] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 112.436637][ T5841] netdevsim netdevsim3 netdevsim0: renamed from eth0 [ 112.448956][ T5841] netdevsim netdevsim3 netdevsim1: renamed from eth1 [ 112.480408][ T5841] netdevsim netdevsim3 netdevsim2: renamed from eth2 [ 112.507221][ T5841] netdevsim netdevsim3 netdevsim3: renamed from eth3 [ 112.560743][ T5831] 8021q: adding VLAN 0 to HW filter on device bond0 [ 112.616957][ T5840] netdevsim netdevsim4 netdevsim0: renamed from eth0 [ 112.628427][ T5840] netdevsim netdevsim4 netdevsim1: renamed from eth1 [ 112.668261][ T5840] netdevsim netdevsim4 netdevsim2: renamed from eth2 [ 112.679737][ T5840] netdevsim netdevsim4 netdevsim3: renamed from eth3 [ 112.761484][ T5831] 8021q: adding VLAN 0 to HW filter on device team0 [ 112.800746][ T5838] netdevsim netdevsim5 netdevsim0: renamed from eth0 [ 112.835611][ T5838] netdevsim netdevsim5 netdevsim1: renamed from eth1 [ 112.850244][ T36] bridge0: port 1(bridge_slave_0) entered blocking state [ 112.857585][ T36] bridge0: port 1(bridge_slave_0) entered forwarding state [ 112.876985][ T36] bridge0: port 2(bridge_slave_1) entered blocking state [ 112.884149][ T36] bridge0: port 2(bridge_slave_1) entered forwarding state [ 112.903166][ T5838] netdevsim netdevsim5 netdevsim2: renamed from eth2 [ 112.915784][ T5838] netdevsim netdevsim5 netdevsim3: renamed from eth3 [ 112.953666][ T5836] 8021q: adding VLAN 0 to HW filter on device bond0 [ 112.994394][ T5836] 8021q: adding VLAN 0 to HW filter on device team0 [ 113.046240][ T5834] 8021q: adding VLAN 0 to HW filter on device bond0 [ 113.071290][ T51] bridge0: port 1(bridge_slave_0) entered blocking state [ 113.078532][ T51] bridge0: port 1(bridge_slave_0) entered forwarding state [ 113.118847][ T51] bridge0: port 2(bridge_slave_1) entered blocking state [ 113.126308][ T51] bridge0: port 2(bridge_slave_1) entered forwarding state [ 113.154700][ T5842] Bluetooth: hci0: command tx timeout [ 113.224419][ T5834] 8021q: adding VLAN 0 to HW filter on device team0 [ 113.279162][ T5841] 8021q: adding VLAN 0 to HW filter on device bond0 [ 113.315963][ T5842] Bluetooth: hci1: command tx timeout [ 113.337084][ T13] bridge0: port 1(bridge_slave_0) entered blocking state [ 113.344272][ T13] bridge0: port 1(bridge_slave_0) entered forwarding state [ 113.400415][ T5842] Bluetooth: hci2: command tx timeout [ 113.407198][ T1145] bridge0: port 2(bridge_slave_1) entered blocking state [ 113.414361][ T1145] bridge0: port 2(bridge_slave_1) entered forwarding state [ 113.503162][ T5840] 8021q: adding VLAN 0 to HW filter on device bond0 [ 113.536765][ T5841] 8021q: adding VLAN 0 to HW filter on device team0 [ 113.561274][ T5842] Bluetooth: hci4: command tx timeout [ 113.567321][ T53] Bluetooth: hci5: command tx timeout [ 113.597140][ T5838] 8021q: adding VLAN 0 to HW filter on device bond0 [ 113.620933][ T5838] 8021q: adding VLAN 0 to HW filter on device team0 [ 113.634704][ T5842] Bluetooth: hci3: command tx timeout [ 113.644030][ T5840] 8021q: adding VLAN 0 to HW filter on device team0 [ 113.672282][ T5834] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 113.713382][ T1107] bridge0: port 1(bridge_slave_0) entered blocking state [ 113.720640][ T1107] bridge0: port 1(bridge_slave_0) entered forwarding state [ 113.772653][ T1107] bridge0: port 1(bridge_slave_0) entered blocking state [ 113.779879][ T1107] bridge0: port 1(bridge_slave_0) entered forwarding state [ 113.816123][ T1107] bridge0: port 1(bridge_slave_0) entered blocking state [ 113.823325][ T1107] bridge0: port 1(bridge_slave_0) entered forwarding state [ 113.859204][ T1107] bridge0: port 2(bridge_slave_1) entered blocking state [ 113.866442][ T1107] bridge0: port 2(bridge_slave_1) entered forwarding state [ 113.899471][ T1107] bridge0: port 2(bridge_slave_1) entered blocking state [ 113.906683][ T1107] bridge0: port 2(bridge_slave_1) entered forwarding state [ 113.921398][ T1107] bridge0: port 2(bridge_slave_1) entered blocking state [ 113.928593][ T1107] bridge0: port 2(bridge_slave_1) entered forwarding state [ 114.082559][ T5831] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 114.099682][ T5836] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 114.155429][ T5834] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 114.419070][ T5836] veth0_vlan: entered promiscuous mode [ 114.437913][ T5831] veth0_vlan: entered promiscuous mode [ 114.518680][ T5831] veth1_vlan: entered promiscuous mode [ 114.537741][ T5836] veth1_vlan: entered promiscuous mode [ 114.556280][ T5834] veth0_vlan: entered promiscuous mode [ 114.611435][ T5834] veth1_vlan: entered promiscuous mode [ 114.722414][ T5836] veth0_macvtap: entered promiscuous mode [ 114.776481][ T5831] veth0_macvtap: entered promiscuous mode [ 114.788466][ T5836] veth1_macvtap: entered promiscuous mode [ 114.822564][ T5831] veth1_macvtap: entered promiscuous mode [ 114.842051][ T5834] veth0_macvtap: entered promiscuous mode [ 114.853764][ T5834] veth1_macvtap: entered promiscuous mode [ 114.897616][ T5841] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 114.907231][ T5836] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 114.923833][ T5836] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 114.947363][ T5831] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 114.964441][ T5831] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 114.976877][ T5834] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 114.997512][ T1107] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.009162][ T5838] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 115.029608][ T5834] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 115.048708][ T1107] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.069088][ T5840] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 115.110954][ T1107] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.136696][ T1107] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.178379][ T1107] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.204930][ T1107] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.213738][ T1107] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.230010][ T1107] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.240372][ T5842] Bluetooth: hci0: command tx timeout [ 115.264443][ T1107] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.339730][ T1107] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.364869][ T1107] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.394768][ T5842] Bluetooth: hci1: command tx timeout [ 115.445195][ T1107] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.475451][ T5842] Bluetooth: hci2: command tx timeout [ 115.549194][ T5841] veth0_vlan: entered promiscuous mode [ 115.603649][ T5841] veth1_vlan: entered promiscuous mode [ 115.635418][ T5842] Bluetooth: hci4: command tx timeout [ 115.641082][ T5842] Bluetooth: hci5: command tx timeout [ 115.682939][ T13] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 115.698268][ T13] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 115.715083][ T5842] Bluetooth: hci3: command tx timeout [ 115.762983][ T1145] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 115.776643][ T1145] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 115.839892][ T1107] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 115.848275][ T1107] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 115.897161][ T5841] veth0_macvtap: entered promiscuous mode [ 115.908987][ T1161] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 115.915619][ T5838] veth0_vlan: entered promiscuous mode [ 115.923859][ T1161] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 115.941474][ T1107] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 115.949938][ T1107] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 115.988449][ T5841] veth1_macvtap: entered promiscuous mode [ 116.038183][ T13] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 116.070563][ T13] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 116.070839][ T5838] veth1_vlan: entered promiscuous mode [ 116.109958][ T5840] veth0_vlan: entered promiscuous mode [ 116.119978][ T5836] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 116.129957][ T5841] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 116.199959][ T5841] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 116.221780][ T5840] veth1_vlan: entered promiscuous mode [ 116.298665][ T1145] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 116.337292][ T5838] veth0_macvtap: entered promiscuous mode [ 116.381688][ T1145] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 116.416139][ T1145] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 116.438093][ T1145] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 116.454684][ T0] NOHZ tick-stop error: local softirq work is pending, handler #200!!! [ 116.458458][ T5838] veth1_macvtap: entered promiscuous mode [ 116.713045][ T5838] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 116.727162][ T5838] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 118.577819][ T1145] netdevsim netdevsim5 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 118.621963][ T5971] loop1: detected capacity change from 0 to 4096 [ 118.805449][ T0] NOHZ tick-stop error: local softirq work is pending, handler #40!!! [ 118.870072][ T5971] ntfs3(loop1): Unsupported bytes per MFT record 8192. [ 118.884647][ T0] NOHZ tick-stop error: local softirq work is pending, handler #10!!! [ 118.897292][ T5971] ntfs3(loop1): try to read out of volume at offset 0x1ffe00 [ 119.040449][ T1145] netdevsim netdevsim5 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 119.108948][ T5840] veth0_macvtap: entered promiscuous mode [ 119.395511][ T0] NOHZ tick-stop error: local softirq work is pending, handler #08!!! [ 119.395667][ T0] NOHZ tick-stop error: local softirq work is pending, handler #08!!! [ 119.395718][ T0] NOHZ tick-stop error: local softirq work is pending, handler #08!!! [ 119.395780][ T0] NOHZ tick-stop error: local softirq work is pending, handler #08!!! [ 119.395838][ T0] NOHZ tick-stop error: local softirq work is pending, handler #08!!! [ 119.395888][ T0] NOHZ tick-stop error: local softirq work is pending, handler #08!!! [ 119.395937][ T0] NOHZ tick-stop error: local softirq work is pending, handler #08!!! [ 119.635125][ T1145] netdevsim netdevsim5 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 119.638844][ T1145] netdevsim netdevsim5 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 120.488010][ T5840] veth1_macvtap: entered promiscuous mode [ 120.646896][ T5840] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 120.813526][ T5840] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 120.862993][ T5986] tty tty2: ldisc open failed (-12), clearing slot 1 [ 120.873934][ T1161] netdevsim netdevsim4 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 120.895486][ T1161] netdevsim netdevsim4 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 120.904273][ T13] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 120.914255][ T13] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 120.923913][ T1161] netdevsim netdevsim4 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 121.014877][ T1145] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 121.025801][ T1145] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 121.046916][ T1161] netdevsim netdevsim4 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 121.198091][ T1145] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 121.223990][ T5995] loop1: detected capacity change from 0 to 64 [ 121.230923][ T1145] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 121.280870][ T5995] BFS-fs: bfs_fill_super(): loop1 is unclean, continuing [ 121.379036][ T36] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 121.411490][ T36] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 123.017641][ T51] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 123.034532][ T51] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 123.339301][ T51] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 123.389360][ T51] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 123.547020][ T6016] loop5: detected capacity change from 0 to 4096 [ 123.601052][ T6016] EXT4-fs (loop5): stripe (65535) is not aligned with cluster size (16), stripe is disabled [ 123.647904][ T6019] loop1: detected capacity change from 0 to 4096 [ 123.701168][ T6016] EXT4-fs (loop5): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback. [ 123.946776][ T6029] NILFS (loop1): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds [ 124.764053][ T5838] EXT4-fs (loop5): unmounting filesystem 00000000-0000-0000-0000-000000000000. [ 125.547139][ T6039] loop3: detected capacity change from 0 to 2048 [ 125.678888][ T6043] loop1: detected capacity change from 0 to 64 [ 125.693846][ T6044] NILFS (loop3): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds [ 127.291456][ T6062] Falling back ldisc for ttyprintk. [ 127.679507][ T6067] loop4: detected capacity change from 0 to 2048 [ 127.819298][ T6070] NILFS (loop4): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds [ 128.598013][ T6084] NILFS error (device loop3): nilfs_check_folio: bad entry in directory #12: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0 [ 128.703764][ T6084] Remounting filesystem read-only [ 128.710955][ T6086] NILFS (loop3): mounting fs with errors [ 128.795384][ T24] usb 3-1: new high-speed USB device number 2 using dummy_hcd [ 128.853114][ T6079] loop0: detected capacity change from 0 to 4096 [ 128.871731][ T6079] EXT4-fs (loop0): stripe (65535) is not aligned with cluster size (16), stripe is disabled [ 128.909317][ T6079] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback. [ 129.004584][ T24] usb 3-1: Using ep0 maxpacket: 32 [ 129.024778][ T24] usb 3-1: New USB device found, idVendor=0ac8, idProduct=0321, bcdDevice=6f.be [ 129.050014][ T24] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 129.081668][ T24] usb 3-1: config 0 descriptor?? [ 129.123302][ T24] gspca_main: vc032x-2.14.0 probing 0ac8:0321 [ 129.135541][ T5834] EXT4-fs (loop0): unmounting filesystem 00000000-0000-0000-0000-000000000000. [ 129.426362][ T6092] syzkaller0: entered promiscuous mode [ 129.452382][ T6092] syzkaller0: entered allmulticast mode [ 129.610325][ T24] gspca_vc032x: reg_w err -71 [ 129.814861][ T6044] NILFS (loop3): vblocknr = 23 has abnormal lifetime: start cno (= 4294967298) > current cno (= 3) [ 130.584258][ T24] gspca_vc032x: I2c Bus Busy Wait 00 [ 130.597784][ T24] gspca_vc032x: I2c Bus Busy Wait 00 [ 130.603657][ T24] gspca_vc032x: I2c Bus Busy Wait 00 [ 130.609092][ T24] gspca_vc032x: I2c Bus Busy Wait 00 [ 130.615572][ T24] gspca_vc032x: I2c Bus Busy Wait 00 [ 130.621237][ T24] gspca_vc032x: I2c Bus Busy Wait 00 [ 130.627384][ T24] gspca_vc032x: I2c Bus Busy Wait 00 [ 130.633446][ T24] gspca_vc032x: I2c Bus Busy Wait 00 [ 130.639271][ T24] gspca_vc032x: I2c Bus Busy Wait 00 [ 130.644682][ T24] gspca_vc032x: I2c Bus Busy Wait 00 [ 130.650074][ T24] gspca_vc032x: I2c Bus Busy Wait 00 [ 130.656859][ T24] gspca_vc032x: I2c Bus Busy Wait 00 [ 130.662244][ T24] gspca_vc032x: I2c Bus Busy Wait 00 [ 130.667865][ T24] gspca_vc032x: I2c Bus Busy Wait 00 [ 130.673463][ T24] gspca_vc032x: I2c Bus Busy Wait 00 [ 130.680368][ T24] gspca_vc032x: I2c Bus Busy Wait 00 [ 130.688919][ T24] gspca_vc032x: I2c Bus Busy Wait 00 [ 130.694304][ T24] gspca_vc032x: I2c Bus Busy Wait 00 [ 130.699940][ T24] gspca_vc032x: Unknown sensor... [ 130.707589][ T24] vc032x 3-1:0.0: probe with driver vc032x failed with error -22 [ 130.715600][ T6044] NILFS error (device loop3): nilfs_bmap_propagate: broken bmap (inode number=4) [ 130.720124][ T24] usb 3-1: USB disconnect, device number 2 [ 130.936280][ T6044] Remounting filesystem read-only [ 130.985604][ T5841] NILFS (loop3): disposed unprocessed dirty file(s) when stopping log writer [ 131.146861][ T6105] loop0: detected capacity change from 0 to 512 [ 131.396924][ T6105] EXT4-fs (loop0): Test dummy encryption mode enabled [ 131.425179][ T6105] EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support! [ 131.482363][ T6105] EXT4-fs (loop0): encrypted files will use data=ordered instead of data journaling mode [ 131.840772][ T6105] EXT4-fs error (device loop0): ext4_orphan_get:1418: comm syz.0.40: bad orphan inode 131083 [ 131.893977][ T6105] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. [ 132.159619][ T6070] NILFS (loop4): vblocknr = 23 has abnormal lifetime: start cno (= 4294967298) > current cno (= 3) [ 132.214580][ T6070] NILFS error (device loop4): nilfs_bmap_propagate: broken bmap (inode number=4) [ 132.245768][ T6070] Remounting filesystem read-only [ 132.254126][ T5840] NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer [ 132.363749][ T6116] fscrypt: AES-256-XTS using implementation "xts-aes-vaes-avx2" [ 133.020163][ T5834] EXT4-fs (loop0): unmounting filesystem 00000000-0000-0000-0000-000000000000. [ 134.800788][ T6118] loop4: detected capacity change from 0 to 32768 [ 134.864430][ T6118] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 134.877388][ T6118] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 134.958529][ T6118] gfs2: fsid=syz:syz.s: journal 0 mapped with 5 extents in 14ms [ 135.039598][ T6118] gfs2: fsid=syz:syz.s: first mount done, others may mount [ 135.572564][ T6135] loop2: detected capacity change from 0 to 4096 [ 135.971392][ T6121] netlink: 20 bytes leftover after parsing attributes in process `syz.3.43'. [ 141.660770][ T6163] loop1: detected capacity change from 0 to 2048 [ 141.927212][ T6171] NILFS (loop1): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds [ 142.457784][ T1297] ieee802154 phy0 wpan0: encryption failed: -22 [ 142.470554][ T1297] ieee802154 phy1 wpan1: encryption failed: -22 [ 143.370361][ T6169] loop2: detected capacity change from 0 to 32768 [ 143.442034][ T6169] BTRFS: device fsid ed167579-eb65-4e76-9a50-61ac97e9b59d devid 1 transid 8 /dev/loop2 (7:2) scanned by syz.2.56 (6169) [ 143.970259][ T6169] BTRFS info (device loop2): first mount of filesystem ed167579-eb65-4e76-9a50-61ac97e9b59d [ 143.991258][ T6169] BTRFS info (device loop2): using sha256 (sha256-lib) checksum algorithm [ 144.279015][ T1164] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 144.316039][ T6171] NILFS (loop1): vblocknr = 23 has abnormal lifetime: start cno (= 4294967298) > current cno (= 3) [ 144.438217][ T6201] netlink: 20 bytes leftover after parsing attributes in process `syz.0.60'. [ 144.799452][ T6171] NILFS error (device loop1): nilfs_bmap_propagate: broken bmap (inode number=4) [ 144.799536][ T1164] usb 5-1: config 0 has an invalid interface number: 1 but max is 0 [ 144.910881][ T1164] usb 5-1: config 0 has no interface number 0 [ 144.920397][ T6171] Remounting filesystem read-only [ 144.946545][ T6169] BTRFS error (device loop2): open_ctree failed: -4 [ 144.959971][ T1164] usb 5-1: New USB device found, idVendor=18b4, idProduct=fffb, bcdDevice=dc.7b [ 144.974638][ T5836] NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer [ 144.997004][ T1164] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 145.033477][ T1164] usb 5-1: Product: syz [ 145.051083][ T1164] usb 5-1: Manufacturer: syz [ 145.080801][ T1164] usb 5-1: SerialNumber: syz [ 145.155017][ T1164] usb 5-1: config 0 descriptor?? [ 145.379853][ T1164] usb 5-1: dvb_usb_v2: found a 'E3C EC168 reference design' in warm state [ 145.392096][ T6213] netlink: 240 bytes leftover after parsing attributes in process `syz.0.62'. [ 145.423668][ T1164] usb 5-1: dvb_usb_v2: will pass the complete MPEG2 transport stream to the software demuxer [ 145.494980][ T1164] dvbdev: DVB: registering new adapter (E3C EC168 reference design) [ 145.541549][ T1164] usb 5-1: media controller created [ 145.657446][ T1164] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered. [ 146.732225][ T1164] i2c i2c-1: ec100: i2c rd failed=-71 reg=33 [ 146.992112][ T1164] usb 5-1: USB disconnect, device number 2 [ 150.488073][ T6248] netlink: 20 bytes leftover after parsing attributes in process `syz.0.75'. [ 152.499153][ T6278] loop5: detected capacity change from 0 to 512 [ 152.629973][ T6278] EXT4-fs (loop5): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback. [ 152.764733][ T6278] ext4 filesystem being mounted at /12/bus supports timestamps until 2038-01-19 (0x7fffffff) [ 153.575883][ T5838] EXT4-fs (loop5): unmounting filesystem 00000000-0000-0000-0000-000000000000. [ 154.059271][ T6294] loop2: detected capacity change from 0 to 2048 [ 154.181638][ T6298] NILFS (loop2): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds [ 154.468852][ T6270] loop3: detected capacity change from 0 to 32768 [ 154.625937][ T6303] warning: `syz.5.95' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211 [ 154.723913][ T6307] NILFS error (device loop2): nilfs_check_folio: bad entry in directory #12: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0 [ 155.515544][ T6307] Remounting filesystem read-only [ 155.535031][ T6308] NILFS (loop2): mounting fs with errors [ 155.816952][ T6309] netlink: 20 bytes leftover after parsing attributes in process `syz.4.93'. [ 156.349703][ T6298] NILFS (loop2): vblocknr = 23 has abnormal lifetime: start cno (= 4294967298) > current cno (= 3) [ 156.381692][ T6298] NILFS error (device loop2): nilfs_bmap_propagate: broken bmap (inode number=4) [ 156.400590][ T6298] Remounting filesystem read-only [ 156.415205][ T5831] NILFS (loop2): disposed unprocessed dirty file(s) when stopping log writer [ 157.245071][ T6326] genirq: Flags mismatch irq 4. 00200000 (aio_iiro_16) vs. 00200080 (ttyS0) [ 157.654389][ T6326] loop5: detected capacity change from 0 to 4096 [ 158.193862][ T6326] ntfs3(loop5): Mark volume as dirty due to NTFS errors [ 158.208476][ T6326] ntfs3(loop5): Failed to load $Extend (-22). [ 158.217500][ T6326] ntfs3(loop5): Failed to initialize $Extend. [ 159.465589][ T6342] netlink: 'syz.5.105': attribute type 2 has an invalid length. [ 159.473561][ T6342] netlink: 'syz.5.105': attribute type 1 has an invalid length. [ 159.481709][ T6342] netlink: 8 bytes leftover after parsing attributes in process `syz.5.105'. [ 162.927597][ T6365] netlink: 20 bytes leftover after parsing attributes in process `syz.1.111'. [ 164.083052][ T6378] loop5: detected capacity change from 0 to 2048 [ 164.166577][ T6379] NILFS (loop5): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds [ 166.931223][ T6395] NILFS error (device loop5): nilfs_check_folio: bad entry in directory #12: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0 [ 167.259653][ T6395] Remounting filesystem read-only [ 167.267426][ T6396] NILFS (loop5): mounting fs with errors [ 167.456513][ T6402] netlink: 'syz.2.124': attribute type 1 has an invalid length. [ 167.497965][ T6404] loop4: detected capacity change from 0 to 256 [ 169.179578][ T6408] netlink: 4 bytes leftover after parsing attributes in process `syz.0.121'. [ 169.444852][ T6404] FAT-fs (loop4): Directory bread(block 64) failed [ 169.451644][ T6404] FAT-fs (loop4): Directory bread(block 65) failed [ 169.507056][ T6404] FAT-fs (loop4): Directory bread(block 66) failed [ 169.531005][ T6404] FAT-fs (loop4): Directory bread(block 67) failed [ 172.142163][ T6404] FAT-fs (loop4): Directory bread(block 68) failed [ 172.253315][ T6418] netlink: 20 bytes leftover after parsing attributes in process `syz.1.127'. [ 172.937679][ T6404] FAT-fs (loop4): Directory bread(block 69) failed [ 173.069371][ T6404] FAT-fs (loop4): Directory bread(block 70) failed [ 173.121810][ T6404] FAT-fs (loop4): Directory bread(block 71) failed [ 173.214787][ T6404] FAT-fs (loop4): Directory bread(block 72) failed [ 173.284668][ T6404] FAT-fs (loop4): Directory bread(block 73) failed [ 173.329943][ T6379] NILFS (loop5): vblocknr = 23 has abnormal lifetime: start cno (= 4294967298) > current cno (= 3) [ 173.364551][ T6379] NILFS error (device loop5): nilfs_bmap_propagate: broken bmap (inode number=4) [ 173.390557][ T6379] Remounting filesystem read-only [ 173.434872][ T5838] NILFS (loop5): disposed unprocessed dirty file(s) when stopping log writer [ 176.053991][ T6450] loop0: detected capacity change from 0 to 1024 [ 176.383699][ T6443] loop2: detected capacity change from 0 to 32768 [ 176.427500][ T6443] BTRFS: device fsid 395ef67a-297e-477c-816d-cd80a5b93e5d devid 1 transid 8 /dev/loop2 (7:2) scanned by syz.2.136 (6443) [ 176.429768][ T6441] loop4: detected capacity change from 0 to 32768 [ 176.511615][ T6454] loop3: detected capacity change from 0 to 1024 [ 176.526651][ T6443] BTRFS info (device loop2): first mount of filesystem 395ef67a-297e-477c-816d-cd80a5b93e5d [ 176.584697][ T6443] BTRFS info (device loop2): using sha256 (sha256-lib) checksum algorithm [ 176.906236][ T6441] XFS (loop4): Mounting V5 Filesystem d7dc424e-7990-42cb-9f91-9cb7200a101d [ 178.083691][ T6443] workqueue: Failed to create a rescuer kthread for wq "btrfs-rmw": -EINTR [ 178.084160][ T6443] workqueue: Failed to create a rescuer kthread for wq "btrfs-endio-write": -EINTR [ 178.201332][ T6443] workqueue: Failed to create a rescuer kthread for wq "btrfs-compressed-write": -EINTR [ 178.285551][ T6441] workqueue: Failed to create a rescuer kthread for wq "xfs-log/loop4": -EINTR [ 178.361812][ T6443] workqueue: Failed to create a rescuer kthread for wq "btrfs-freespace-write": -EINTR [ 178.409280][ T6443] workqueue: Failed to create a rescuer kthread for wq "btrfs-delayed-meta": -EINTR [ 178.464395][ T6443] workqueue: Failed to create a rescuer kthread for wq "btrfs-qgroup-rescan": -EINTR [ 178.474765][ T6441] XFS (loop4): log mount failed [ 178.626171][ T6443] BTRFS error (device loop2): open_ctree failed: -12 [ 178.863745][ T6486] netlink: 20 bytes leftover after parsing attributes in process `syz.1.144'. [ 180.489333][ T6492] loop3: detected capacity change from 0 to 2048 [ 181.283598][ T6506] NILFS (loop3): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds [ 184.166191][ T6522] loop4: detected capacity change from 0 to 4096 [ 184.331800][ T6522] ntfs3(loop4): Mark volume as dirty due to NTFS errors [ 184.345903][ T6522] ntfs3(loop4): Failed to load $Extend (-22). [ 184.352016][ T6522] ntfs3(loop4): Failed to initialize $Extend. [ 184.766696][ T6506] NILFS (loop3): vblocknr = 23 has abnormal lifetime: start cno (= 4294967298) > current cno (= 3) [ 184.770270][ T6537] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 185.283776][ T6506] NILFS error (device loop3): nilfs_bmap_propagate: broken bmap (inode number=4) [ 187.112842][ T6506] Remounting filesystem read-only [ 187.133024][ T5841] NILFS (loop3): disposed unprocessed dirty file(s) when stopping log writer [ 187.270694][ T6542] netlink: 20 bytes leftover after parsing attributes in process `syz.4.163'. [ 190.475632][ T6567] loop2: detected capacity change from 0 to 128 [ 190.541403][ T6567] ======================================================= [ 190.541403][ T6567] WARNING: The mand mount option has been deprecated and [ 190.541403][ T6567] and is ignored by this kernel. Remove the mand [ 190.541403][ T6567] option from the mount to silence this warning. [ 190.541403][ T6567] ======================================================= [ 190.674739][ T6567] hpfs: filesystem error: invalid number of hotfixes: 2066844986, used: 2066844985; already mounted read-only [ 190.717835][ T6567] hpfs: filesystem error: improperly stopped [ 190.784577][ T6567] hpfs: filesystem error: warning: spare dnodes used, try chkdsk [ 190.796338][ T6576] dlm: non-version read from control device 0 [ 190.833537][ T6567] hpfs: You really don't want any checks? You are crazy... [ 190.857752][ T6572] loop0: detected capacity change from 0 to 2048 [ 190.868057][ T6567] hpfs: hpfs_map_sector(): read error [ 190.938353][ T6567] hpfs: code page support is disabled [ 191.066294][ T6567] hpfs: hpfs_map_4sectors(): unaligned read [ 191.249108][ T6567] hpfs: hpfs_map_4sectors(): unaligned read [ 191.377518][ T6567] hpfs: filesystem error: unable to find root dir [ 193.014339][ T6578] loop3: detected capacity change from 0 to 2048 [ 193.733966][ T6572] NILFS (loop0): error -4 creating segctord thread [ 193.750933][ T6587] NILFS (loop3): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds [ 194.168352][ T6592] NILFS error (device loop3): nilfs_check_folio: bad entry in directory #12: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0 [ 194.982809][ T6592] Remounting filesystem read-only [ 194.989537][ T6593] NILFS (loop3): mounting fs with errors [ 195.333773][ T6587] NILFS (loop3): vblocknr = 23 has abnormal lifetime: start cno (= 4294967298) > current cno (= 3) [ 195.412789][ T6587] NILFS error (device loop3): nilfs_bmap_propagate: broken bmap (inode number=4) [ 195.487512][ T6587] Remounting filesystem read-only [ 195.521137][ T5841] NILFS (loop3): disposed unprocessed dirty file(s) when stopping log writer [ 197.385388][ T6621] loop5: detected capacity change from 0 to 40427 [ 197.459080][ T6621] F2FS-fs (loop5): Invalid log_blocksize (268), supports only 12 [ 197.467186][ T6621] F2FS-fs (loop5): Can't find valid F2FS filesystem in 1th superblock [ 197.524700][ T6621] F2FS-fs (loop5): invalid crc value [ 197.693905][ T6621] F2FS-fs (loop5): f2fs_recover_fsync_data: recovery fsync data, check_only: 0 [ 197.708779][ T6621] F2FS-fs (loop5): Try to recover 1th superblock, ret: 0 [ 197.716183][ T6621] F2FS-fs (loop5): Mounted with checkpoint version = 48b305e5 [ 198.365920][ T6635] netlink: 20 bytes leftover after parsing attributes in process `syz.2.192'. [ 199.414554][ T30] audit: type=1800 audit(1761050056.402:2): pid=6636 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed(directio) comm="syz.5.191" name="file1" dev="loop5" ino=10 res=0 errno=0 [ 199.663570][ T6639] loop2: detected capacity change from 0 to 2048 [ 199.776592][ T6642] NILFS (loop2): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds [ 202.515504][ T6657] loop1: detected capacity change from 0 to 16 [ 202.606448][ T6657] erofs (device loop1): mounted with root inode @ nid 36. [ 202.985065][ T6642] NILFS (loop2): vblocknr = 23 has abnormal lifetime: start cno (= 4294967298) > current cno (= 3) [ 203.063449][ T6642] NILFS error (device loop2): nilfs_bmap_propagate: broken bmap (inode number=4) [ 203.336344][ T6642] Remounting filesystem read-only [ 203.457505][ T5831] NILFS (loop2): disposed unprocessed dirty file(s) when stopping log writer [ 203.890814][ T1297] ieee802154 phy0 wpan0: encryption failed: -22 [ 203.907102][ T1297] ieee802154 phy1 wpan1: encryption failed: -22 [ 204.142850][ T6676] netlink: 240 bytes leftover after parsing attributes in process `syz.4.207'. [ 205.596443][ T6684] loop0: detected capacity change from 0 to 512 [ 205.626525][ T6684] EXT4-fs (loop0): mounting ext2 file system using the ext4 subsystem [ 205.733337][ T6684] EXT4-fs error (device loop0): ext4_orphan_get:1392: inode #15: comm syz.0.209: iget: bogus i_mode (5) [ 205.747916][ T6688] loop2: detected capacity change from 0 to 2048 [ 205.813589][ T6684] EXT4-fs error (device loop0): ext4_orphan_get:1395: comm syz.0.209: couldn't read orphan inode 15 (err -117) [ 205.944538][ T6691] NILFS (loop2): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds [ 205.978641][ T6684] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. [ 206.033879][ T6684] ext2 filesystem being mounted at /37/file2 supports timestamps until 2038-01-19 (0x7fffffff) [ 206.087595][ T6684] EXT4-fs error (device loop0): ext4_add_entry:2417: inode #2: comm syz.0.209: Directory hole found for htree leaf block 0 [ 206.296014][ T5964] kworker/u8:8: attempt to access beyond end of device [ 206.296014][ T5964] loop5: rw=1, sector=77824, nr_sectors = 1312 limit=40427 [ 206.461214][ T6695] NILFS error (device loop2): nilfs_check_folio: bad entry in directory #12: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0 [ 206.643904][ T6695] Remounting filesystem read-only [ 206.651647][ T6696] NILFS (loop2): mounting fs with errors [ 207.078587][ T5834] EXT4-fs (loop0): unmounting filesystem 00000000-0000-0000-0000-000000000000. [ 207.091179][ T6691] NILFS (loop2): vblocknr = 23 has abnormal lifetime: start cno (= 4294967298) > current cno (= 3) [ 207.104284][ T6691] NILFS error (device loop2): nilfs_bmap_propagate: broken bmap (inode number=4) [ 207.116025][ T6691] Remounting filesystem read-only [ 207.123449][ T5831] NILFS (loop2): disposed unprocessed dirty file(s) when stopping log writer [ 207.766334][ T6702] tipc: Started in network mode [ 207.771473][ T6702] tipc: Node identity d6e4c3e8b803, cluster identity 4711 [ 207.797480][ T6702] tipc: Enabled bearer , priority 0 [ 207.942675][ T6707] tipc: Resetting bearer [ 208.285254][ T6701] tipc: Disabling bearer [ 208.334907][ T6709] Zero length message leads to an empty skb [ 208.953459][ T6717] loop0: detected capacity change from 0 to 736 [ 208.982982][ T6717] iso9660: Bad value for 'session' [ 209.200432][ T6724] loop5: detected capacity change from 0 to 2048 [ 209.225564][ T6724] UDF-fs: warning (device loop5): udf_load_vrs: No anchor found [ 209.233401][ T6724] UDF-fs: Scanning with blocksize 512 failed [ 209.261567][ T6724] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000) [ 209.402385][ T6728] netlink: 20 bytes leftover after parsing attributes in process `syz.4.226'. [ 209.494076][ T6730] netlink: 240 bytes leftover after parsing attributes in process `syz.3.225'. [ 212.001119][ T6746] loop2: detected capacity change from 0 to 2048 [ 212.085404][ T6750] NILFS (loop2): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds [ 212.561387][ T6756] NILFS error (device loop2): nilfs_check_folio: bad entry in directory #12: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0 [ 213.305930][ T6756] Remounting filesystem read-only [ 213.313068][ T6757] NILFS (loop2): mounting fs with errors [ 213.589800][ T6750] NILFS (loop2): vblocknr = 23 has abnormal lifetime: start cno (= 4294967298) > current cno (= 3) [ 213.601374][ T6750] NILFS error (device loop2): nilfs_bmap_propagate: broken bmap (inode number=4) [ 213.611985][ T6750] Remounting filesystem read-only [ 213.645506][ T5831] NILFS (loop2): disposed unprocessed dirty file(s) when stopping log writer [ 214.451755][ T6772] netlink: 20 bytes leftover after parsing attributes in process `syz.5.242'. [ 214.882118][ T6780] netlink: 240 bytes leftover after parsing attributes in process `syz.5.244'. [ 217.729178][ T6796] loop5: detected capacity change from 0 to 4096 [ 217.869864][ T6796] ntfs3(loop5): Mark volume as dirty due to NTFS errors [ 217.887228][ T6796] ntfs3(loop5): Failed to load $Extend (-22). [ 217.893356][ T6796] ntfs3(loop5): Failed to initialize $Extend. [ 218.692302][ T6809] ceph: No source [ 218.700514][ T6809] kAFS: unable to lookup cell '\/' [ 219.966659][ T6811] process 'syz.3.255' launched './file0' with NULL argv: empty string added [ 220.325166][ T6816] netlink: 240 bytes leftover after parsing attributes in process `syz.0.257'. [ 220.479447][ T6819] syzkaller0: entered promiscuous mode [ 220.527020][ T6819] syzkaller0: entered allmulticast mode [ 221.003546][ T6828] loop0: detected capacity change from 0 to 2048 [ 221.172932][ T6829] NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds [ 221.593829][ T6832] NILFS error (device loop0): nilfs_check_folio: bad entry in directory #12: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0 [ 221.707921][ T6832] Remounting filesystem read-only [ 221.717320][ T6833] NILFS (loop0): mounting fs with errors [ 223.142452][ T6829] NILFS (loop0): vblocknr = 23 has abnormal lifetime: start cno (= 4294967298) > current cno (= 3) [ 223.174786][ T6829] NILFS error (device loop0): nilfs_bmap_propagate: broken bmap (inode number=4) [ 223.184063][ T6829] Remounting filesystem read-only [ 223.191871][ T5834] NILFS (loop0): disposed unprocessed dirty file(s) when stopping log writer [ 223.267165][ T6844] loop3: detected capacity change from 0 to 64 [ 223.349779][ T6844] BFS-fs: bfs_fill_super(): loop3 is unclean, continuing [ 224.616166][ T6859] ceph: No source [ 224.623193][ T6859] kAFS: unable to lookup cell '\/' [ 226.790829][ T6877] netlink: 240 bytes leftover after parsing attributes in process `syz.1.273'. [ 227.074259][ T6880] loop3: detected capacity change from 0 to 736 [ 227.153845][ T6880] iso9660: Bad value for 'session' [ 227.301977][ T6886] syzkaller0: entered promiscuous mode [ 227.340347][ T6886] syzkaller0: entered allmulticast mode [ 227.352754][ T6890] netlink: 48 bytes leftover after parsing attributes in process `syz.1.279'. [ 227.825495][ T6059] usb 2-1: new full-speed USB device number 2 using dummy_hcd [ 228.011159][ T6059] usb 2-1: config 0 has an invalid interface number: 29 but max is 0 [ 228.048569][ T6059] usb 2-1: config 0 has no interface number 0 [ 228.092840][ T6059] usb 2-1: config 0 interface 29 has no altsetting 0 [ 228.138108][ T6059] usb 2-1: New USB device found, idVendor=0c72, idProduct=0014, bcdDevice=39.ac [ 228.175177][ T6059] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 228.205221][ T6059] usb 2-1: Product: syz [ 228.209457][ T6059] usb 2-1: Manufacturer: syz [ 228.214067][ T6059] usb 2-1: SerialNumber: syz [ 228.254166][ T6059] usb 2-1: config 0 descriptor?? [ 228.518148][ T6059] peak_usb 2-1:0.29 can0: unable to request usb[type=0 value=1] err=-32 [ 228.538717][ T6059] peak_usb 2-1:0.29: unable to read PCAN-USB X6 firmware info (err -32) [ 228.598168][ T6901] ceph: No source [ 228.605428][ T6901] kAFS: unable to lookup cell '\/' [ 229.504167][ T6059] peak_usb 2-1:0.29: probe with driver peak_usb failed with error -32 [ 230.885163][ T6059] usb 2-1: USB disconnect, device number 2 [ 231.292756][ T6917] loop0: detected capacity change from 0 to 40427 [ 231.368040][ T6917] F2FS-fs (loop0): Invalid log_blocksize (268), supports only 12 [ 231.378970][ T6917] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock [ 231.468589][ T6917] F2FS-fs (loop0): invalid crc value [ 231.558699][ T6902] Bluetooth: hci3: command 0x0406 tx timeout [ 231.564812][ T6902] Bluetooth: hci0: command 0x0406 tx timeout [ 231.570985][ T6902] Bluetooth: hci2: command 0x0406 tx timeout [ 231.577055][ T6902] Bluetooth: hci4: command 0x0406 tx timeout [ 231.583071][ T6902] Bluetooth: hci1: command 0x0406 tx timeout [ 231.589159][ T6902] Bluetooth: hci5: command 0x0406 tx timeout [ 231.775752][ T6917] F2FS-fs (loop0): f2fs_recover_fsync_data: recovery fsync data, check_only: 0 [ 231.873255][ T6917] F2FS-fs (loop0): Try to recover 1th superblock, ret: 0 [ 231.880444][ T6917] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e5 [ 231.985048][ T6927] netlink: 4 bytes leftover after parsing attributes in process `syz.1.289'. [ 232.402872][ T6059] usb 5-1: new high-speed USB device number 3 using dummy_hcd [ 232.420968][ T30] audit: type=1800 audit(1761050089.122:3): pid=6917 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed(directio) comm="syz.0.287" name="file1" dev="loop0" ino=10 res=0 errno=0 [ 232.543001][ T36] kworker/u8:2: attempt to access beyond end of device [ 232.543001][ T36] loop0: rw=1, sector=77824, nr_sectors = 4096 limit=40427 [ 232.638407][ T6059] usb 5-1: Using ep0 maxpacket: 8 [ 232.658853][ T6059] usb 5-1: New USB device found, idVendor=0ccd, idProduct=00b3, bcdDevice=2e.04 [ 232.687473][ T6059] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 232.710061][ T36] kworker/u8:2: attempt to access beyond end of device [ 232.710061][ T36] loop0: rw=1, sector=49152, nr_sectors = 2616 limit=40427 [ 233.035614][ T6059] usb 5-1: Product: syz [ 233.039838][ T6059] usb 5-1: Manufacturer: syz [ 233.045001][ T6059] usb 5-1: SerialNumber: syz [ 233.765769][ T6059] usb 5-1: config 0 descriptor?? [ 235.599791][ T6059] dvb_usb_rtl28xxu 5-1:0.0: chip type detection failed -110 [ 235.619201][ T6059] dvb_usb_rtl28xxu 5-1:0.0: probe with driver dvb_usb_rtl28xxu failed with error -110 [ 235.669763][ T6939] syzkaller0: entered promiscuous mode [ 235.705837][ T6939] syzkaller0: entered allmulticast mode [ 235.737300][ T6059] usb 5-1: USB disconnect, device number 3 [ 235.857783][ T6943] netlink: 48 bytes leftover after parsing attributes in process `syz.1.294'. [ 237.494713][ T5916] usb 2-1: new full-speed USB device number 3 using dummy_hcd [ 238.285243][ T5916] usb 2-1: config 0 has an invalid interface number: 29 but max is 0 [ 238.845267][ T5916] usb 2-1: config 0 has no interface number 0 [ 238.872575][ T5916] usb 2-1: config 0 interface 29 has no altsetting 0 [ 238.905704][ T5916] usb 2-1: New USB device found, idVendor=0c72, idProduct=0014, bcdDevice=39.ac [ 238.922243][ T5916] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 239.247152][ T6972] loop0: detected capacity change from 0 to 40427 [ 239.274899][ T6972] F2FS-fs (loop0): Invalid log_blocksize (268), supports only 12 [ 239.282697][ T6972] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock [ 239.310433][ T5916] usb 2-1: Product: syz [ 239.325426][ T6972] F2FS-fs (loop0): invalid crc value [ 239.326301][ T5916] usb 2-1: Manufacturer: syz [ 239.416752][ T6972] F2FS-fs (loop0): f2fs_recover_fsync_data: recovery fsync data, check_only: 0 [ 239.455153][ T5916] usb 2-1: SerialNumber: syz [ 239.666253][ T6972] F2FS-fs (loop0): Try to recover 1th superblock, ret: 0 [ 239.673416][ T6972] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e5 [ 240.168531][ T30] audit: type=1800 audit(1761050096.962:4): pid=6972 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed(directio) comm="syz.0.303" name="file1" dev="loop0" ino=10 res=0 errno=0 [ 240.606202][ T5916] usb 2-1: config 0 descriptor?? [ 240.725187][ T51] kworker/u8:3: attempt to access beyond end of device [ 240.725187][ T51] loop0: rw=1, sector=77824, nr_sectors = 2088 limit=40427 [ 240.789833][ T5916] usb 2-1: can't set config #0, error -71 [ 240.874584][ T5916] usb 2-1: USB disconnect, device number 3 [ 240.903629][ T51] kworker/u8:3: attempt to access beyond end of device [ 240.903629][ T51] loop0: rw=1, sector=79912, nr_sectors = 2008 limit=40427 [ 241.006432][ T6992] IPVS: sync thread started: state = BACKUP, mcast_ifn = wlan1, syncid = 0, id = 0 [ 241.006694][ T6994] IPVS: stopping backup sync thread 6992 ... [ 241.027190][ T6987] syzkaller0: entered promiscuous mode [ 241.032691][ T6987] syzkaller0: entered allmulticast mode [ 241.252432][ T6985] iommufd_mock iommufd_mock0: Adding to iommu group 0 [ 241.291696][ T51] kworker/u8:3: attempt to access beyond end of device [ 241.291696][ T51] loop0: rw=1, sector=49152, nr_sectors = 3928 limit=40427 [ 241.338597][ T51] kworker/u8:3: attempt to access beyond end of device [ 241.338597][ T51] loop0: rw=1, sector=53080, nr_sectors = 168 limit=40427 [ 241.368143][ T6994] iommufd_mock iommufd_mock1: Adding to iommu group 1 [ 241.618563][ T51] kworker/u8:3: attempt to access beyond end of device [ 241.618563][ T51] loop0: rw=1, sector=57344, nr_sectors = 4816 limit=40427 [ 242.096759][ T10] usb 5-1: new high-speed USB device number 4 using dummy_hcd [ 242.291785][ T10] usb 5-1: Using ep0 maxpacket: 32 [ 242.305082][ T10] usb 5-1: config 2 has an invalid interface number: 157 but max is 0 [ 242.319742][ T10] usb 5-1: config 2 has an invalid descriptor of length 0, skipping remainder of the config [ 242.344679][ T10] usb 5-1: config 2 has no interface number 0 [ 242.353991][ T10] usb 5-1: New USB device found, idVendor=15c2, idProduct=ffdc, bcdDevice=a4.1b [ 242.373260][ T10] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 242.382688][ T10] usb 5-1: Product: syz [ 242.387113][ T10] usb 5-1: Manufacturer: syz [ 242.393155][ T10] usb 5-1: SerialNumber: syz [ 242.410467][ T10] imon 5-1:2.157: unable to register, err -19 [ 242.621126][ T10] usb 5-1: USB disconnect, device number 4 [ 247.194226][ T7035] loop3: detected capacity change from 0 to 40427 [ 247.231182][ T7035] F2FS-fs (loop3): Invalid log_blocksize (268), supports only 12 [ 247.239326][ T7035] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 247.254935][ T7035] F2FS-fs (loop3): invalid crc value [ 247.268405][ T7037] loop0: detected capacity change from 0 to 736 [ 247.398877][ T7035] F2FS-fs (loop3): f2fs_recover_fsync_data: recovery fsync data, check_only: 0 [ 247.414295][ T7037] iso9660: Bad value for 'session' [ 247.441253][ T7035] F2FS-fs (loop3): Try to recover 1th superblock, ret: 0 [ 247.448446][ T7035] F2FS-fs (loop3): Mounted with checkpoint version = 48b305e5 [ 248.284545][ T30] audit: type=1800 audit(1761050104.782:5): pid=7048 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed(directio) comm="syz.3.320" name="file1" dev="loop3" ino=10 res=0 errno=0 [ 248.513053][ T12] kworker/u8:0: attempt to access beyond end of device [ 248.513053][ T12] loop3: rw=1, sector=77824, nr_sectors = 2048 limit=40427 [ 249.044099][ T12] kworker/u8:0: attempt to access beyond end of device [ 249.044099][ T12] loop3: rw=1, sector=79872, nr_sectors = 2048 limit=40427 [ 249.211224][ T12] kworker/u8:0: attempt to access beyond end of device [ 249.211224][ T12] loop3: rw=1, sector=49152, nr_sectors = 2048 limit=40427 [ 249.287798][ T7062] loop2: detected capacity change from 0 to 128 [ 249.326491][ T7062] hpfs: filesystem error: invalid number of hotfixes: 2066844986, used: 2066844985; already mounted read-only [ 249.372908][ T12] kworker/u8:0: attempt to access beyond end of device [ 249.372908][ T12] loop3: rw=1, sector=51200, nr_sectors = 2048 limit=40427 [ 249.394808][ T7062] hpfs: filesystem error: improperly stopped [ 249.400866][ T7062] hpfs: filesystem error: warning: spare dnodes used, try chkdsk [ 249.661284][ T12] kworker/u8:0: attempt to access beyond end of device [ 249.661284][ T12] loop3: rw=1, sector=57344, nr_sectors = 2704 limit=40427 [ 249.699925][ T7062] hpfs: You really don't want any checks? You are crazy... [ 250.551361][ T7062] hpfs: hpfs_map_sector(): read error [ 250.602196][ T7062] hpfs: code page support is disabled [ 250.655240][ T7062] hpfs: hpfs_map_4sectors(): unaligned read [ 250.684186][ T7062] hpfs: hpfs_map_4sectors(): unaligned read [ 250.752977][ T7062] hpfs: filesystem error: unable to find root dir [ 250.776705][ T12] kworker/u8:0: attempt to access beyond end of device [ 250.776705][ T12] loop3: rw=1, sector=60048, nr_sectors = 5952 limit=40427 [ 250.779976][ T7062] hpfs: hpfs_map_4sectors(): unaligned read [ 250.857051][ T7062] hpfs: hpfs_map_sector(): read error [ 250.986875][ T7073] tipc: Enabling of bearer rejected, failed to enable media [ 251.452785][ T7082] netlink: 8 bytes leftover after parsing attributes in process `syz.2.333'. [ 251.490251][ T7082] netlink: 12 bytes leftover after parsing attributes in process `syz.2.333'. [ 252.940144][ T7092] loop2: detected capacity change from 0 to 4096 [ 253.226137][ T7092] ntfs3(loop2): Mark volume as dirty due to NTFS errors [ 253.235565][ T7092] ntfs3(loop2): Failed to load $Extend (-22). [ 253.241699][ T7092] ntfs3(loop2): Failed to initialize $Extend. [ 253.411564][ T7070] loop1: detected capacity change from 0 to 32768 [ 253.587780][ T7070] BTRFS: device fsid ed167579-eb65-4e76-9a50-61ac97e9b59d devid 1 transid 8 /dev/loop1 (7:1) scanned by syz.1.331 (7070) [ 256.517497][ T7117] ceph: No source [ 256.524491][ T7117] kAFS: unable to lookup cell '\/' [ 258.598676][ T7129] netlink: 8 bytes leftover after parsing attributes in process `syz.5.346'. [ 258.638227][ T7129] netlink: 12 bytes leftover after parsing attributes in process `syz.5.346'. [ 258.704686][ T7131] tipc: Enabling of bearer rejected, failed to enable media [ 259.088159][ T7144] netlink: 'syz.5.350': attribute type 72 has an invalid length. [ 259.143727][ T7144] netlink: 40 bytes leftover after parsing attributes in process `syz.5.350'. [ 260.252429][ T7154] loop1: detected capacity change from 0 to 4096 [ 260.419990][ T7154] ntfs3(loop1): Mark volume as dirty due to NTFS errors [ 260.432049][ T7154] ntfs3(loop1): Failed to load $Extend (-22). [ 260.438265][ T7154] ntfs3(loop1): Failed to initialize $Extend. [ 261.307548][ T7163] syzkaller0: entered promiscuous mode [ 261.325073][ T7163] syzkaller0: entered allmulticast mode [ 261.554751][ T5833] Bluetooth: hci6: command 0x1003 tx timeout [ 261.562034][ T5847] Bluetooth: hci6: Opcode 0x1003 failed: -110 [ 261.814147][ T7180] ceph: No source [ 261.823798][ T7180] kAFS: unable to lookup cell '\/' [ 264.987332][ T7204] No control pipe specified [ 265.399431][ T1297] ieee802154 phy0 wpan0: encryption failed: -22 [ 265.464227][ T1297] ieee802154 phy1 wpan1: encryption failed: -22 [ 266.660091][ T7218] netlink: 48 bytes leftover after parsing attributes in process `syz.5.371'. [ 267.429438][ T7230] syzkaller0: entered promiscuous mode [ 267.449018][ T7230] syzkaller0: entered allmulticast mode [ 267.986420][ T7238] netlink: 20 bytes leftover after parsing attributes in process `syz.5.377'. [ 269.820482][ T7259] No control pipe specified [ 269.871914][ T7260] netlink: 40 bytes leftover after parsing attributes in process `syz.5.383'. [ 272.387148][ T7284] syzkaller0: entered promiscuous mode [ 272.396013][ T7284] syzkaller0: entered allmulticast mode [ 272.969913][ T7289] netlink: 20 bytes leftover after parsing attributes in process `syz.1.394'. [ 276.045648][ T7332] syzkaller0: entered promiscuous mode [ 276.051184][ T7332] syzkaller0: entered allmulticast mode [ 277.912906][ T7326] loop3: detected capacity change from 0 to 32768 [ 278.530804][ T7326] workqueue: Failed to create a rescuer kthread for wq "ocfs2_wq": -EINTR [ 278.532357][ T7326] (syz.3.407,7326,0):ocfs2_initialize_super:2229 ERROR: status = -12 [ 278.623619][ T7326] (syz.3.407,7326,0):ocfs2_fill_super:1177 ERROR: status = -12 [ 280.284214][ T7371] netlink: 56 bytes leftover after parsing attributes in process `syz.3.422'. [ 282.035459][ T7388] netlink: 'syz.0.425': attribute type 10 has an invalid length. [ 282.047790][ T7388] bridge0: port 2(bridge_slave_1) entered disabled state [ 282.057029][ T7388] bridge0: port 1(bridge_slave_0) entered disabled state [ 282.210316][ T7388] bridge0: port 2(bridge_slave_1) entered blocking state [ 282.217848][ T7388] bridge0: port 2(bridge_slave_1) entered forwarding state [ 282.227340][ T7388] bridge0: port 1(bridge_slave_0) entered blocking state [ 282.234617][ T7388] bridge0: port 1(bridge_slave_0) entered forwarding state [ 282.324530][ T1164] usb 4-1: new high-speed USB device number 2 using dummy_hcd [ 284.706027][ T7388] bond0: (slave bridge0): Enslaving as an active interface with an up link [ 286.182745][ T7416] tipc: Enabling of bearer rejected, failed to enable media [ 289.299443][ T7453] ceph: No source [ 289.308442][ T7453] kAFS: unable to lookup cell '\/' [ 291.352550][ T7464] syzkaller0: entered promiscuous mode [ 291.406961][ T7464] syzkaller0: entered allmulticast mode [ 292.554574][ T7477] netlink: 52 bytes leftover after parsing attributes in process `syz.4.452'. [ 293.497453][ T7495] netlink: 4 bytes leftover after parsing attributes in process `syz.0.458'. [ 293.528299][ T7495] sg_write: data in/out 124/1 bytes for SCSI command 0x1c-- guessing data in; [ 293.528299][ T7495] program syz.0.458 not setting count and/or reply_len properly [ 294.675764][ T7511] netlink: 8 bytes leftover after parsing attributes in process `syz.1.462'. [ 294.694585][ T7511] netlink: 12 bytes leftover after parsing attributes in process `syz.1.462'. [ 295.917929][ T7523] netlink: 'syz.5.467': attribute type 10 has an invalid length. [ 298.898625][ T7523] bridge0: port 2(bridge_slave_1) entered disabled state [ 298.906908][ T7523] bridge0: port 1(bridge_slave_0) entered disabled state [ 298.998220][ T7523] bridge0: port 2(bridge_slave_1) entered blocking state [ 299.005428][ T7523] bridge0: port 2(bridge_slave_1) entered forwarding state [ 299.012905][ T7523] bridge0: port 1(bridge_slave_0) entered blocking state [ 299.020118][ T7523] bridge0: port 1(bridge_slave_0) entered forwarding state [ 299.260967][ T7523] bond0: (slave bridge0): Enslaving as an active interface with an up link [ 299.314627][ T7547] netlink: 52 bytes leftover after parsing attributes in process `syz.2.472'. [ 299.944922][ T977] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 301.054554][ T977] usb 1-1: Using ep0 maxpacket: 8 [ 301.078527][ T977] usb 1-1: config 255 has an invalid interface number: 154 but max is 0 [ 301.104502][ T977] usb 1-1: config 255 has no interface number 0 [ 301.110845][ T977] usb 1-1: config 255 interface 154 altsetting 0 endpoint 0x8 has invalid maxpacket 1023, setting to 64 [ 301.392590][ T7571] netlink: 4 bytes leftover after parsing attributes in process `syz.3.482'. [ 301.419906][ T7571] sg_write: data in/out 124/1 bytes for SCSI command 0x1c-- guessing data in; [ 301.419906][ T7571] program syz.3.482 not setting count and/or reply_len properly [ 302.045232][ T977] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=3e.73 [ 302.054758][ T977] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 302.470954][ T977] usb 3-1: new high-speed USB device number 3 using dummy_hcd [ 302.507413][ T5847] Bluetooth: hci1: unexpected event 0x01 length: 4 > 1 [ 303.516734][ T977] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 303.559955][ T977] usb 3-1: New USB device found, idVendor=5543, idProduct=0005, bcdDevice= 0.00 [ 303.631873][ T977] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 303.968220][ T7591] netlink: 'syz.4.490': attribute type 2 has an invalid length. [ 303.976177][ T7591] netlink: 'syz.4.490': attribute type 1 has an invalid length. [ 303.985123][ T7591] netlink: 8 bytes leftover after parsing attributes in process `syz.4.490'. [ 304.753175][ T977] usb 3-1: config 0 descriptor?? [ 305.059250][ T5923] usb 1-1: USB disconnect, device number 2 [ 305.089799][ T5923] ================================================================== [ 305.097882][ T5923] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x227/0x250 [ 305.105516][ T5923] Read of size 8 at addr ffff8880542a18a0 by task kworker/1:5/5923 [ 305.113406][ T5923] [ 305.115722][ T5923] CPU: 1 UID: 0 PID: 5923 Comm: kworker/1:5 Not tainted syzkaller #0 PREEMPT(full) [ 305.115755][ T5923] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 [ 305.115780][ T5923] Workqueue: usb_hub_wq hub_event [ 305.115819][ T5923] Call Trace: [ 305.115833][ T5923] [ 305.115848][ T5923] dump_stack_lvl+0x116/0x1f0 [ 305.115889][ T5923] print_report+0xcd/0x630 [ 305.115924][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 305.115957][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 305.115990][ T5923] ? __phys_addr+0xe8/0x180 [ 305.116020][ T5923] ? hdm_disconnect+0x227/0x250 [ 305.116048][ T5923] kasan_report+0xe0/0x110 [ 305.116084][ T5923] ? hdm_disconnect+0x227/0x250 [ 305.116117][ T5923] hdm_disconnect+0x227/0x250 [ 305.116152][ T5923] usb_unbind_interface+0x1dd/0x9e0 [ 305.116189][ T5923] ? kernfs_remove_by_name_ns+0xbe/0x110 [ 305.116220][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 305.116253][ T5923] ? __pfx_usb_unbind_interface+0x10/0x10 [ 305.116287][ T5923] device_remove+0x125/0x170 [ 305.116325][ T5923] device_release_driver_internal+0x44b/0x620 [ 305.116369][ T5923] ? __entry_text_end+0x1020b5/0x1020b9 [ 305.116404][ T5923] bus_remove_device+0x22f/0x420 [ 305.116442][ T5923] device_del+0x396/0x9f0 [ 305.116482][ T5923] ? __pfx_device_del+0x10/0x10 [ 305.116519][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 305.116551][ T5923] ? kobject_put+0x210/0x5a0 [ 305.116590][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 305.116626][ T5923] usb_disable_device+0x355/0x7d0 [ 305.116658][ T5923] usb_disconnect+0x2e1/0x9c0 [ 305.116688][ T5923] hub_event+0x1c81/0x4fe0 [ 305.116729][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 305.116762][ T5923] ? __lock_acquire+0xb8a/0x1c90 [ 305.116799][ T5923] ? __pfx_hub_event+0x10/0x10 [ 305.116824][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 305.116857][ T5923] ? assoc_array_delete+0xb0/0xd10 [ 305.116890][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 305.116926][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 305.116960][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 305.116995][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 305.117028][ T5923] ? rcu_is_watching+0x12/0xc0 [ 305.117057][ T5923] process_one_work+0x9cf/0x1b70 [ 305.117105][ T5923] ? __pfx_process_one_work+0x10/0x10 [ 305.117150][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 305.117187][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 305.117220][ T5923] ? assign_work+0x1a0/0x250 [ 305.117257][ T5923] worker_thread+0x6c8/0xf10 [ 305.117301][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 305.117335][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 305.117367][ T5923] ? __kthread_parkme+0x19e/0x250 [ 305.117396][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 305.117430][ T5923] ? __pfx_worker_thread+0x10/0x10 [ 305.117470][ T5923] kthread+0x3c5/0x780 [ 305.117506][ T5923] ? __pfx_kthread+0x10/0x10 [ 305.117544][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 305.117576][ T5923] ? rcu_is_watching+0x12/0xc0 [ 305.117602][ T5923] ? __pfx_kthread+0x10/0x10 [ 305.117639][ T5923] ret_from_fork+0x675/0x7d0 [ 305.117673][ T5923] ? __pfx_kthread+0x10/0x10 [ 305.117710][ T5923] ret_from_fork_asm+0x1a/0x30 [ 305.117749][ T5923] [ 305.117759][ T5923] [ 305.426887][ T5923] Allocated by task 977: [ 305.431120][ T5923] kasan_save_stack+0x33/0x60 [ 305.435810][ T5923] kasan_save_track+0x14/0x30 [ 305.440495][ T5923] __kasan_kmalloc+0xaa/0xb0 [ 305.445092][ T5923] hdm_probe+0xb3/0x19a0 [ 305.449340][ T5923] usb_probe_interface+0x303/0xa40 [ 305.454464][ T5923] really_probe+0x241/0xa90 [ 305.458993][ T5923] __driver_probe_device+0x1de/0x440 [ 305.464298][ T5923] driver_probe_device+0x4c/0x1b0 [ 305.469338][ T5923] __device_attach_driver+0x1df/0x310 [ 305.474725][ T5923] bus_for_each_drv+0x159/0x1e0 [ 305.479582][ T5923] __device_attach+0x1e4/0x4b0 [ 305.484380][ T5923] bus_probe_device+0x17f/0x1c0 [ 305.489274][ T5923] device_add+0x1148/0x1aa0 [ 305.493778][ T5923] usb_set_configuration+0x1187/0x1e20 [ 305.499242][ T5923] usb_generic_driver_probe+0xb1/0x110 [ 305.504719][ T5923] usb_probe_device+0xef/0x3e0 [ 305.509485][ T5923] really_probe+0x241/0xa90 [ 305.513998][ T5923] __driver_probe_device+0x1de/0x440 [ 305.519295][ T5923] driver_probe_device+0x4c/0x1b0 [ 305.524333][ T5923] __device_attach_driver+0x1df/0x310 [ 305.529721][ T5923] bus_for_each_drv+0x159/0x1e0 [ 305.534573][ T5923] __device_attach+0x1e4/0x4b0 [ 305.539351][ T5923] bus_probe_device+0x17f/0x1c0 [ 305.544207][ T5923] device_add+0x1148/0x1aa0 [ 305.548707][ T5923] usb_new_device+0xd07/0x1a60 [ 305.553466][ T5923] hub_event+0x2f34/0x4fe0 [ 305.557882][ T5923] process_one_work+0x9cf/0x1b70 [ 305.562877][ T5923] worker_thread+0x6c8/0xf10 [ 305.567486][ T5923] kthread+0x3c5/0x780 [ 305.571565][ T5923] ret_from_fork+0x675/0x7d0 [ 305.576165][ T5923] ret_from_fork_asm+0x1a/0x30 [ 305.580934][ T5923] [ 305.583247][ T5923] Freed by task 5923: [ 305.587220][ T5923] kasan_save_stack+0x33/0x60 [ 305.591912][ T5923] kasan_save_track+0x14/0x30 [ 305.596593][ T5923] __kasan_save_free_info+0x3b/0x60 [ 305.601809][ T5923] __kasan_slab_free+0x5f/0x80 [ 305.606578][ T5923] kfree+0x2b8/0x6d0 [ 305.610489][ T5923] device_release+0xa4/0x240 [ 305.615079][ T5923] kobject_put+0x1e7/0x5a0 [ 305.619510][ T5923] device_unregister+0x2f/0xc0 [ 305.624286][ T5923] hdm_disconnect+0x10b/0x250 [ 305.628968][ T5923] usb_unbind_interface+0x1dd/0x9e0 [ 305.634174][ T5923] device_remove+0x125/0x170 [ 305.638777][ T5923] device_release_driver_internal+0x44b/0x620 [ 305.644862][ T5923] bus_remove_device+0x22f/0x420 [ 305.649814][ T5923] device_del+0x396/0x9f0 [ 305.654161][ T5923] usb_disable_device+0x355/0x7d0 [ 305.659184][ T5923] usb_disconnect+0x2e1/0x9c0 [ 305.663864][ T5923] hub_event+0x1c81/0x4fe0 [ 305.668297][ T5923] process_one_work+0x9cf/0x1b70 [ 305.673249][ T5923] worker_thread+0x6c8/0xf10 [ 305.677854][ T5923] kthread+0x3c5/0x780 [ 305.681936][ T5923] ret_from_fork+0x675/0x7d0 [ 305.686542][ T5923] ret_from_fork_asm+0x1a/0x30 [ 305.691310][ T5923] [ 305.693621][ T5923] The buggy address belongs to the object at ffff8880542a0000 [ 305.693621][ T5923] which belongs to the cache kmalloc-8k of size 8192 [ 305.707681][ T5923] The buggy address is located 6304 bytes inside of [ 305.707681][ T5923] freed 8192-byte region [ffff8880542a0000, ffff8880542a2000) [ 305.721659][ T5923] [ 305.723970][ T5923] The buggy address belongs to the physical page: [ 305.730369][ T5923] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880542a4000 pfn:0x542a0 [ 305.740439][ T5923] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 305.749019][ T5923] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 305.757002][ T5923] page_type: f5(slab) [ 305.760981][ T5923] raw: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001 [ 305.769567][ T5923] raw: ffff8880542a4000 0000000080020001 00000000f5000000 0000000000000000 [ 305.778150][ T5923] head: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001 [ 305.786821][ T5923] head: ffff8880542a4000 0000000080020001 00000000f5000000 0000000000000000 [ 305.795499][ T5923] head: 00fff00000000003 ffffea000150a801 00000000ffffffff 00000000ffffffff [ 305.804168][ T5923] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 305.812831][ T5923] page dumped because: kasan: bad access detected [ 305.819230][ T5923] page_owner tracks the page as allocated [ 305.824928][ T5923] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6188, tgid 6188 (udevd), ts 144168565082, free_ts 144168477982 [ 305.845097][ T5923] post_alloc_hook+0x1c0/0x230 [ 305.849908][ T5923] get_page_from_freelist+0x10a3/0x3a30 [ 305.855479][ T5923] __alloc_frozen_pages_noprof+0x25f/0x2470 [ 305.861385][ T5923] alloc_pages_mpol+0x1fb/0x550 [ 305.866343][ T5923] new_slab+0x24a/0x360 [ 305.870524][ T5923] ___slab_alloc+0xdc4/0x1ae0 [ 305.875226][ T5923] __slab_alloc.constprop.0+0x63/0x110 [ 305.880710][ T5923] __kmalloc_cache_noprof+0x477/0x780 [ 305.886108][ T5923] tomoyo_init_log+0xc8a/0x2140 [ 305.890980][ T5923] tomoyo_supervisor+0x302/0x13b0 [ 305.896008][ T5923] tomoyo_env_perm+0x191/0x200 [ 305.900775][ T5923] tomoyo_find_next_domain+0xec2/0x20b0 [ 305.906325][ T5923] tomoyo_bprm_check_security+0x12e/0x1d0 [ 305.912049][ T5923] security_bprm_check+0x1b9/0x1e0 [ 305.917166][ T5923] bprm_execve+0x81a/0x1640 [ 305.921669][ T5923] do_execveat_common.isra.0+0x4a5/0x610 [ 305.927318][ T5923] page last free pid 6188 tgid 6188 stack trace: [ 305.933639][ T5923] __free_frozen_pages+0x7df/0x1160 [ 305.938860][ T5923] __put_partials+0x130/0x170 [ 305.943553][ T5923] qlist_free_all+0x4d/0x120 [ 305.948149][ T5923] kasan_quarantine_reduce+0x195/0x1e0 [ 305.953623][ T5923] __kasan_slab_alloc+0x69/0x90 [ 305.958487][ T5923] __kmalloc_noprof+0x2e8/0x880 [ 305.963359][ T5923] tomoyo_realpath_from_path+0xc2/0x6e0 [ 305.968923][ T5923] tomoyo_init_log+0xbe6/0x2140 [ 305.973788][ T5923] tomoyo_supervisor+0x302/0x13b0 [ 305.978810][ T5923] tomoyo_env_perm+0x191/0x200 [ 305.983574][ T5923] tomoyo_find_next_domain+0xec2/0x20b0 [ 305.989122][ T5923] tomoyo_bprm_check_security+0x12e/0x1d0 [ 305.994844][ T5923] security_bprm_check+0x1b9/0x1e0 [ 305.999976][ T5923] bprm_execve+0x81a/0x1640 [ 306.004485][ T5923] do_execveat_common.isra.0+0x4a5/0x610 [ 306.010122][ T5923] __x64_sys_execve+0x8e/0xb0 [ 306.014804][ T5923] [ 306.017111][ T5923] Memory state around the buggy address: [ 306.022765][ T5923] ffff8880542a1780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 306.030822][ T5923] ffff8880542a1800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 306.038877][ T5923] >ffff8880542a1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 306.046933][ T5923] ^ [ 306.052033][ T5923] ffff8880542a1900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 306.060191][ T5923] ffff8880542a1980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 306.068245][ T5923] ================================================================== [ 307.112200][ T5923] Disabling lock debugging due to kernel taint [ 307.119840][ T5923] ================================================================== [ 307.127926][ T5923] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x21d/0x250 [ 307.135578][ T5923] Read of size 8 at addr ffff8880542a04f0 by task kworker/1:5/5923 [ 307.143476][ T5923] [ 307.145807][ T5923] CPU: 1 UID: 0 PID: 5923 Comm: kworker/1:5 Tainted: G B syzkaller #0 PREEMPT(full) [ 307.145863][ T5923] Tainted: [B]=BAD_PAGE [ 307.145876][ T5923] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 [ 307.145901][ T5923] Workqueue: usb_hub_wq hub_event [ 307.145939][ T5923] Call Trace: [ 307.145951][ T5923] [ 307.145964][ T5923] dump_stack_lvl+0x116/0x1f0 [ 307.146013][ T5923] print_report+0xcd/0x630 [ 307.146061][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 307.146108][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 307.146157][ T5923] ? __phys_addr+0xe8/0x180 [ 307.146197][ T5923] ? hdm_disconnect+0x21d/0x250 [ 307.146234][ T5923] kasan_report+0xe0/0x110 [ 307.146283][ T5923] ? hdm_disconnect+0x21d/0x250 [ 307.146327][ T5923] hdm_disconnect+0x21d/0x250 [ 307.146365][ T5923] usb_unbind_interface+0x1dd/0x9e0 [ 307.146415][ T5923] ? kernfs_remove_by_name_ns+0xbe/0x110 [ 307.146457][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 307.146503][ T5923] ? __pfx_usb_unbind_interface+0x10/0x10 [ 307.146550][ T5923] device_remove+0x125/0x170 [ 307.146602][ T5923] device_release_driver_internal+0x44b/0x620 [ 307.146663][ T5923] ? __entry_text_end+0x1020b5/0x1020b9 [ 307.146711][ T5923] bus_remove_device+0x22f/0x420 [ 307.146762][ T5923] device_del+0x396/0x9f0 [ 307.146817][ T5923] ? __pfx_device_del+0x10/0x10 [ 307.146868][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 307.146913][ T5923] ? kobject_put+0x210/0x5a0 [ 307.146966][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 307.147015][ T5923] usb_disable_device+0x355/0x7d0 [ 307.147058][ T5923] usb_disconnect+0x2e1/0x9c0 [ 307.147099][ T5923] hub_event+0x1c81/0x4fe0 [ 307.147157][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 307.147202][ T5923] ? __lock_acquire+0xb8a/0x1c90 [ 307.147253][ T5923] ? __pfx_hub_event+0x10/0x10 [ 307.147288][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 307.147333][ T5923] ? assoc_array_delete+0xb0/0xd10 [ 307.147378][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 307.147427][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 307.147475][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 307.147523][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 307.147568][ T5923] ? rcu_is_watching+0x12/0xc0 [ 307.147607][ T5923] process_one_work+0x9cf/0x1b70 [ 307.147673][ T5923] ? __pfx_process_one_work+0x10/0x10 [ 307.147728][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 307.147779][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 307.147824][ T5923] ? assign_work+0x1a0/0x250 [ 307.147876][ T5923] worker_thread+0x6c8/0xf10 [ 307.147935][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 307.147981][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 307.148026][ T5923] ? __kthread_parkme+0x19e/0x250 [ 307.148067][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 307.148114][ T5923] ? __pfx_worker_thread+0x10/0x10 [ 307.148172][ T5923] kthread+0x3c5/0x780 [ 307.148222][ T5923] ? __pfx_kthread+0x10/0x10 [ 307.148273][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 307.148318][ T5923] ? rcu_is_watching+0x12/0xc0 [ 307.148354][ T5923] ? __pfx_kthread+0x10/0x10 [ 307.148405][ T5923] ret_from_fork+0x675/0x7d0 [ 307.148451][ T5923] ? __pfx_kthread+0x10/0x10 [ 307.148501][ T5923] ret_from_fork_asm+0x1a/0x30 [ 307.148553][ T5923] [ 307.148566][ T5923] [ 307.463281][ T5923] Allocated by task 977: [ 307.467514][ T5923] kasan_save_stack+0x33/0x60 [ 307.472204][ T5923] kasan_save_track+0x14/0x30 [ 307.476894][ T5923] __kasan_kmalloc+0xaa/0xb0 [ 307.481493][ T5923] hdm_probe+0xb3/0x19a0 [ 307.485739][ T5923] usb_probe_interface+0x303/0xa40 [ 307.490858][ T5923] really_probe+0x241/0xa90 [ 307.495380][ T5923] __driver_probe_device+0x1de/0x440 [ 307.500685][ T5923] driver_probe_device+0x4c/0x1b0 [ 307.505725][ T5923] __device_attach_driver+0x1df/0x310 [ 307.511115][ T5923] bus_for_each_drv+0x159/0x1e0 [ 307.515971][ T5923] __device_attach+0x1e4/0x4b0 [ 307.520749][ T5923] bus_probe_device+0x17f/0x1c0 [ 307.525610][ T5923] device_add+0x1148/0x1aa0 [ 307.530116][ T5923] usb_set_configuration+0x1187/0x1e20 [ 307.535585][ T5923] usb_generic_driver_probe+0xb1/0x110 [ 307.541066][ T5923] usb_probe_device+0xef/0x3e0 [ 307.545838][ T5923] really_probe+0x241/0xa90 [ 307.550364][ T5923] __driver_probe_device+0x1de/0x440 [ 307.555667][ T5923] driver_probe_device+0x4c/0x1b0 [ 307.560707][ T5923] __device_attach_driver+0x1df/0x310 [ 307.566094][ T5923] bus_for_each_drv+0x159/0x1e0 [ 307.570950][ T5923] __device_attach+0x1e4/0x4b0 [ 307.575729][ T5923] bus_probe_device+0x17f/0x1c0 [ 307.580594][ T5923] device_add+0x1148/0x1aa0 [ 307.585100][ T5923] usb_new_device+0xd07/0x1a60 [ 307.589867][ T5923] hub_event+0x2f34/0x4fe0 [ 307.594286][ T5923] process_one_work+0x9cf/0x1b70 [ 307.599239][ T5923] worker_thread+0x6c8/0xf10 [ 307.603847][ T5923] kthread+0x3c5/0x780 [ 307.607960][ T5923] ret_from_fork+0x675/0x7d0 [ 307.612561][ T5923] ret_from_fork_asm+0x1a/0x30 [ 307.617327][ T5923] [ 307.619639][ T5923] Freed by task 5923: [ 307.623605][ T5923] kasan_save_stack+0x33/0x60 [ 307.628292][ T5923] kasan_save_track+0x14/0x30 [ 307.632980][ T5923] __kasan_save_free_info+0x3b/0x60 [ 307.638211][ T5923] __kasan_slab_free+0x5f/0x80 [ 307.643006][ T5923] kfree+0x2b8/0x6d0 [ 307.646937][ T5923] device_release+0xa4/0x240 [ 307.651540][ T5923] kobject_put+0x1e7/0x5a0 [ 307.655972][ T5923] device_unregister+0x2f/0xc0 [ 307.660749][ T5923] hdm_disconnect+0x10b/0x250 [ 307.665424][ T5923] usb_unbind_interface+0x1dd/0x9e0 [ 307.670626][ T5923] device_remove+0x125/0x170 [ 307.675226][ T5923] device_release_driver_internal+0x44b/0x620 [ 307.681314][ T5923] bus_remove_device+0x22f/0x420 [ 307.686259][ T5923] device_del+0x396/0x9f0 [ 307.690606][ T5923] usb_disable_device+0x355/0x7d0 [ 307.695631][ T5923] usb_disconnect+0x2e1/0x9c0 [ 307.700306][ T5923] hub_event+0x1c81/0x4fe0 [ 307.704717][ T5923] process_one_work+0x9cf/0x1b70 [ 307.709668][ T5923] worker_thread+0x6c8/0xf10 [ 307.714270][ T5923] kthread+0x3c5/0x780 [ 307.718347][ T5923] ret_from_fork+0x675/0x7d0 [ 307.722942][ T5923] ret_from_fork_asm+0x1a/0x30 [ 307.727706][ T5923] [ 307.730016][ T5923] The buggy address belongs to the object at ffff8880542a0000 [ 307.730016][ T5923] which belongs to the cache kmalloc-8k of size 8192 [ 307.744152][ T5923] The buggy address is located 1264 bytes inside of [ 307.744152][ T5923] freed 8192-byte region [ffff8880542a0000, ffff8880542a2000) [ 307.758211][ T5923] [ 307.760521][ T5923] The buggy address belongs to the physical page: [ 307.766923][ T5923] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x542a0 [ 307.775680][ T5923] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 307.784177][ T5923] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 307.792151][ T5923] page_type: f5(slab) [ 307.796133][ T5923] raw: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001 [ 307.804717][ T5923] raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000 [ 307.813296][ T5923] head: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001 [ 307.821966][ T5923] head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000 [ 307.830640][ T5923] head: 00fff00000000003 ffffea000150a801 00000000ffffffff 00000000ffffffff [ 307.839315][ T5923] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 307.847981][ T5923] page dumped because: kasan: bad access detected [ 307.854387][ T5923] page_owner tracks the page as allocated [ 307.860086][ T5923] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6188, tgid 6188 (udevd), ts 144168565082, free_ts 144168477982 [ 307.880345][ T5923] post_alloc_hook+0x1c0/0x230 [ 307.885132][ T5923] get_page_from_freelist+0x10a3/0x3a30 [ 307.890683][ T5923] __alloc_frozen_pages_noprof+0x25f/0x2470 [ 307.896575][ T5923] alloc_pages_mpol+0x1fb/0x550 [ 307.901436][ T5923] new_slab+0x24a/0x360 [ 307.905606][ T5923] ___slab_alloc+0xdc4/0x1ae0 [ 307.910300][ T5923] __slab_alloc.constprop.0+0x63/0x110 [ 307.915773][ T5923] __kmalloc_cache_noprof+0x477/0x780 [ 307.921165][ T5923] tomoyo_init_log+0xc8a/0x2140 [ 307.926027][ T5923] tomoyo_supervisor+0x302/0x13b0 [ 307.931046][ T5923] tomoyo_env_perm+0x191/0x200 [ 307.935812][ T5923] tomoyo_find_next_domain+0xec2/0x20b0 [ 307.941357][ T5923] tomoyo_bprm_check_security+0x12e/0x1d0 [ 307.947076][ T5923] security_bprm_check+0x1b9/0x1e0 [ 307.952198][ T5923] bprm_execve+0x81a/0x1640 [ 307.956699][ T5923] do_execveat_common.isra.0+0x4a5/0x610 [ 307.962354][ T5923] page last free pid 6188 tgid 6188 stack trace: [ 307.968683][ T5923] __free_frozen_pages+0x7df/0x1160 [ 307.973905][ T5923] __put_partials+0x130/0x170 [ 307.978585][ T5923] qlist_free_all+0x4d/0x120 [ 307.983182][ T5923] kasan_quarantine_reduce+0x195/0x1e0 [ 307.988648][ T5923] __kasan_slab_alloc+0x69/0x90 [ 307.993513][ T5923] __kmalloc_noprof+0x2e8/0x880 [ 307.998385][ T5923] tomoyo_realpath_from_path+0xc2/0x6e0 [ 308.003955][ T5923] tomoyo_init_log+0xbe6/0x2140 [ 308.008819][ T5923] tomoyo_supervisor+0x302/0x13b0 [ 308.013847][ T5923] tomoyo_env_perm+0x191/0x200 [ 308.018613][ T5923] tomoyo_find_next_domain+0xec2/0x20b0 [ 308.024349][ T5923] tomoyo_bprm_check_security+0x12e/0x1d0 [ 308.030091][ T5923] security_bprm_check+0x1b9/0x1e0 [ 308.035217][ T5923] bprm_execve+0x81a/0x1640 [ 308.039726][ T5923] do_execveat_common.isra.0+0x4a5/0x610 [ 308.045378][ T5923] __x64_sys_execve+0x8e/0xb0 [ 308.050064][ T5923] [ 308.052387][ T5923] Memory state around the buggy address: [ 308.058026][ T5923] ffff8880542a0380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 308.066089][ T5923] ffff8880542a0400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 308.074148][ T5923] >ffff8880542a0480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 308.082204][ T5923] ^ [ 308.089929][ T5923] ffff8880542a0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 308.097989][ T5923] ffff8880542a0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 308.106038][ T5923] ================================================================== [ 308.146322][ T977] usbhid 3-1:0.0: can't add hid device: -71 [ 308.161374][ T977] usbhid 3-1:0.0: probe with driver usbhid failed with error -71 [ 308.181285][ T977] usb 3-1: USB disconnect, device number 3 [ 308.190007][ T5923] ================================================================== [ 308.198087][ T5923] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x213/0x250 [ 308.205738][ T5923] Read of size 8 at addr ffff8880542a04f8 by task kworker/1:5/5923 [ 308.213627][ T5923] [ 308.215955][ T5923] CPU: 1 UID: 0 PID: 5923 Comm: kworker/1:5 Tainted: G B syzkaller #0 PREEMPT(full) [ 308.216002][ T5923] Tainted: [B]=BAD_PAGE [ 308.216014][ T5923] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 [ 308.216037][ T5923] Workqueue: usb_hub_wq hub_event [ 308.216072][ T5923] Call Trace: [ 308.216082][ T5923] [ 308.216095][ T5923] dump_stack_lvl+0x116/0x1f0 [ 308.216139][ T5923] print_report+0xcd/0x630 [ 308.216181][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 308.216221][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 308.216260][ T5923] ? __phys_addr+0xe8/0x180 [ 308.216296][ T5923] ? hdm_disconnect+0x213/0x250 [ 308.216328][ T5923] kasan_report+0xe0/0x110 [ 308.216372][ T5923] ? hdm_disconnect+0x213/0x250 [ 308.216410][ T5923] hdm_disconnect+0x213/0x250 [ 308.216444][ T5923] usb_unbind_interface+0x1dd/0x9e0 [ 308.216487][ T5923] ? kernfs_remove_by_name_ns+0xbe/0x110 [ 308.216524][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 308.216564][ T5923] ? __pfx_usb_unbind_interface+0x10/0x10 [ 308.216604][ T5923] device_remove+0x125/0x170 [ 308.216650][ T5923] device_release_driver_internal+0x44b/0x620 [ 308.216702][ T5923] ? __entry_text_end+0x1020b5/0x1020b9 [ 308.216744][ T5923] bus_remove_device+0x22f/0x420 [ 308.216789][ T5923] device_del+0x396/0x9f0 [ 308.216836][ T5923] ? __pfx_device_del+0x10/0x10 [ 308.216880][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 308.216924][ T5923] ? kobject_put+0x210/0x5a0 [ 308.216970][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 308.217013][ T5923] usb_disable_device+0x355/0x7d0 [ 308.217051][ T5923] usb_disconnect+0x2e1/0x9c0 [ 308.217086][ T5923] hub_event+0x1c81/0x4fe0 [ 308.217134][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 308.217173][ T5923] ? __lock_acquire+0xb8a/0x1c90 [ 308.217217][ T5923] ? __pfx_hub_event+0x10/0x10 [ 308.217248][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 308.217287][ T5923] ? assoc_array_delete+0xb0/0xd10 [ 308.217326][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 308.217369][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 308.217410][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 308.217451][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 308.217490][ T5923] ? rcu_is_watching+0x12/0xc0 [ 308.217525][ T5923] process_one_work+0x9cf/0x1b70 [ 308.217581][ T5923] ? __pfx_process_one_work+0x10/0x10 [ 308.217629][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 308.217673][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 308.217712][ T5923] ? assign_work+0x1a0/0x250 [ 308.217757][ T5923] worker_thread+0x6c8/0xf10 [ 308.217808][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 308.217848][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 308.217892][ T5923] ? __kthread_parkme+0x19e/0x250 [ 308.217927][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 308.217968][ T5923] ? __pfx_worker_thread+0x10/0x10 [ 308.218016][ T5923] kthread+0x3c5/0x780 [ 308.218059][ T5923] ? __pfx_kthread+0x10/0x10 [ 308.218103][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 308.218142][ T5923] ? rcu_is_watching+0x12/0xc0 [ 308.218173][ T5923] ? __pfx_kthread+0x10/0x10 [ 308.218217][ T5923] ret_from_fork+0x675/0x7d0 [ 308.218257][ T5923] ? __pfx_kthread+0x10/0x10 [ 308.218300][ T5923] ret_from_fork_asm+0x1a/0x30 [ 308.218346][ T5923] [ 308.218357][ T5923] [ 308.533035][ T5923] Allocated by task 977: [ 308.537312][ T5923] kasan_save_stack+0x33/0x60 [ 308.542003][ T5923] kasan_save_track+0x14/0x30 [ 308.546688][ T5923] __kasan_kmalloc+0xaa/0xb0 [ 308.551284][ T5923] hdm_probe+0xb3/0x19a0 [ 308.555536][ T5923] usb_probe_interface+0x303/0xa40 [ 308.560662][ T5923] really_probe+0x241/0xa90 [ 308.565179][ T5923] __driver_probe_device+0x1de/0x440 [ 308.570483][ T5923] driver_probe_device+0x4c/0x1b0 [ 308.575525][ T5923] __device_attach_driver+0x1df/0x310 [ 308.580918][ T5923] bus_for_each_drv+0x159/0x1e0 [ 308.585772][ T5923] __device_attach+0x1e4/0x4b0 [ 308.590549][ T5923] bus_probe_device+0x17f/0x1c0 [ 308.595407][ T5923] device_add+0x1148/0x1aa0 [ 308.600018][ T5923] usb_set_configuration+0x1187/0x1e20 [ 308.605520][ T5923] usb_generic_driver_probe+0xb1/0x110 [ 308.610999][ T5923] usb_probe_device+0xef/0x3e0 [ 308.615762][ T5923] really_probe+0x241/0xa90 [ 308.620276][ T5923] __driver_probe_device+0x1de/0x440 [ 308.625660][ T5923] driver_probe_device+0x4c/0x1b0 [ 308.630696][ T5923] __device_attach_driver+0x1df/0x310 [ 308.636079][ T5923] bus_for_each_drv+0x159/0x1e0 [ 308.640932][ T5923] __device_attach+0x1e4/0x4b0 [ 308.645710][ T5923] bus_probe_device+0x17f/0x1c0 [ 308.650571][ T5923] device_add+0x1148/0x1aa0 [ 308.655071][ T5923] usb_new_device+0xd07/0x1a60 [ 308.659836][ T5923] hub_event+0x2f34/0x4fe0 [ 308.664256][ T5923] process_one_work+0x9cf/0x1b70 [ 308.669206][ T5923] worker_thread+0x6c8/0xf10 [ 308.673808][ T5923] kthread+0x3c5/0x780 [ 308.677889][ T5923] ret_from_fork+0x675/0x7d0 [ 308.682490][ T5923] ret_from_fork_asm+0x1a/0x30 [ 308.687254][ T5923] [ 308.689570][ T5923] Freed by task 5923: [ 308.693535][ T5923] kasan_save_stack+0x33/0x60 [ 308.698216][ T5923] kasan_save_track+0x14/0x30 [ 308.702902][ T5923] __kasan_save_free_info+0x3b/0x60 [ 308.708119][ T5923] __kasan_slab_free+0x5f/0x80 [ 308.712893][ T5923] kfree+0x2b8/0x6d0 [ 308.716804][ T5923] device_release+0xa4/0x240 [ 308.721395][ T5923] kobject_put+0x1e7/0x5a0 [ 308.725822][ T5923] device_unregister+0x2f/0xc0 [ 308.730601][ T5923] hdm_disconnect+0x10b/0x250 [ 308.735276][ T5923] usb_unbind_interface+0x1dd/0x9e0 [ 308.740477][ T5923] device_remove+0x125/0x170 [ 308.745075][ T5923] device_release_driver_internal+0x44b/0x620 [ 308.751160][ T5923] bus_remove_device+0x22f/0x420 [ 308.756105][ T5923] device_del+0x396/0x9f0 [ 308.760455][ T5923] usb_disable_device+0x355/0x7d0 [ 308.765488][ T5923] usb_disconnect+0x2e1/0x9c0 [ 308.770165][ T5923] hub_event+0x1c81/0x4fe0 [ 308.774575][ T5923] process_one_work+0x9cf/0x1b70 [ 308.779615][ T5923] worker_thread+0x6c8/0xf10 [ 308.784222][ T5923] kthread+0x3c5/0x780 [ 308.788298][ T5923] ret_from_fork+0x675/0x7d0 [ 308.792892][ T5923] ret_from_fork_asm+0x1a/0x30 [ 308.797663][ T5923] [ 308.799971][ T5923] The buggy address belongs to the object at ffff8880542a0000 [ 308.799971][ T5923] which belongs to the cache kmalloc-8k of size 8192 [ 308.814017][ T5923] The buggy address is located 1272 bytes inside of [ 308.814017][ T5923] freed 8192-byte region [ffff8880542a0000, ffff8880542a2000) [ 308.827993][ T5923] [ 308.830306][ T5923] The buggy address belongs to the physical page: [ 308.836704][ T5923] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x542a0 [ 308.845459][ T5923] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 308.853962][ T5923] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 308.861937][ T5923] page_type: f5(slab) [ 308.865920][ T5923] raw: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001 [ 308.874504][ T5923] raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000 [ 308.883087][ T5923] head: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001 [ 308.891756][ T5923] head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000 [ 308.900429][ T5923] head: 00fff00000000003 ffffea000150a801 00000000ffffffff 00000000ffffffff [ 308.909096][ T5923] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 308.917755][ T5923] page dumped because: kasan: bad access detected [ 308.924151][ T5923] page_owner tracks the page as allocated [ 308.929847][ T5923] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6188, tgid 6188 (udevd), ts 144168565082, free_ts 144168477982 [ 308.950013][ T5923] post_alloc_hook+0x1c0/0x230 [ 308.954801][ T5923] get_page_from_freelist+0x10a3/0x3a30 [ 308.960344][ T5923] __alloc_frozen_pages_noprof+0x25f/0x2470 [ 308.966239][ T5923] alloc_pages_mpol+0x1fb/0x550 [ 308.971104][ T5923] new_slab+0x24a/0x360 [ 308.975275][ T5923] ___slab_alloc+0xdc4/0x1ae0 [ 308.979970][ T5923] __slab_alloc.constprop.0+0x63/0x110 [ 308.985451][ T5923] __kmalloc_cache_noprof+0x477/0x780 [ 308.990850][ T5923] tomoyo_init_log+0xc8a/0x2140 [ 308.995718][ T5923] tomoyo_supervisor+0x302/0x13b0 [ 309.000741][ T5923] tomoyo_env_perm+0x191/0x200 [ 309.005505][ T5923] tomoyo_find_next_domain+0xec2/0x20b0 [ 309.011055][ T5923] tomoyo_bprm_check_security+0x12e/0x1d0 [ 309.016775][ T5923] security_bprm_check+0x1b9/0x1e0 [ 309.021888][ T5923] bprm_execve+0x81a/0x1640 [ 309.026395][ T5923] do_execveat_common.isra.0+0x4a5/0x610 [ 309.032034][ T5923] page last free pid 6188 tgid 6188 stack trace: [ 309.038349][ T5923] __free_frozen_pages+0x7df/0x1160 [ 309.043567][ T5923] __put_partials+0x130/0x170 [ 309.048248][ T5923] qlist_free_all+0x4d/0x120 [ 309.052848][ T5923] kasan_quarantine_reduce+0x195/0x1e0 [ 309.058317][ T5923] __kasan_slab_alloc+0x69/0x90 [ 309.063174][ T5923] __kmalloc_noprof+0x2e8/0x880 [ 309.068045][ T5923] tomoyo_realpath_from_path+0xc2/0x6e0 [ 309.073606][ T5923] tomoyo_init_log+0xbe6/0x2140 [ 309.078472][ T5923] tomoyo_supervisor+0x302/0x13b0 [ 309.083495][ T5923] tomoyo_env_perm+0x191/0x200 [ 309.088261][ T5923] tomoyo_find_next_domain+0xec2/0x20b0 [ 309.093813][ T5923] tomoyo_bprm_check_security+0x12e/0x1d0 [ 309.099535][ T5923] security_bprm_check+0x1b9/0x1e0 [ 309.104652][ T5923] bprm_execve+0x81a/0x1640 [ 309.109161][ T5923] do_execveat_common.isra.0+0x4a5/0x610 [ 309.114797][ T5923] __x64_sys_execve+0x8e/0xb0 [ 309.119480][ T5923] [ 309.121786][ T5923] Memory state around the buggy address: [ 309.127414][ T5923] ffff8880542a0380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 309.135470][ T5923] ffff8880542a0400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 309.143525][ T5923] >ffff8880542a0480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 309.151576][ T5923] ^ [ 309.159545][ T5923] ffff8880542a0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 309.167607][ T5923] ffff8880542a0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 309.175658][ T5923] ================================================================== [ 309.196838][ T5923] ================================================================== [ 309.204948][ T5923] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x20c/0x250 [ 309.212607][ T5923] Read of size 8 at addr ffff8880542a0508 by task kworker/1:5/5923 [ 309.220498][ T5923] [ 309.222921][ T5923] CPU: 1 UID: 0 PID: 5923 Comm: kworker/1:5 Tainted: G B syzkaller #0 PREEMPT(full) [ 309.222971][ T5923] Tainted: [B]=BAD_PAGE [ 309.222982][ T5923] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 [ 309.223005][ T5923] Workqueue: usb_hub_wq hub_event [ 309.223040][ T5923] Call Trace: [ 309.223053][ T5923] [ 309.223065][ T5923] dump_stack_lvl+0x116/0x1f0 [ 309.223109][ T5923] print_report+0xcd/0x630 [ 309.223151][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 309.223192][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 309.223231][ T5923] ? __phys_addr+0xe8/0x180 [ 309.223267][ T5923] ? hdm_disconnect+0x20c/0x250 [ 309.223300][ T5923] kasan_report+0xe0/0x110 [ 309.223344][ T5923] ? hdm_disconnect+0x20c/0x250 [ 309.223382][ T5923] hdm_disconnect+0x20c/0x250 [ 309.223416][ T5923] usb_unbind_interface+0x1dd/0x9e0 [ 309.223459][ T5923] ? kernfs_remove_by_name_ns+0xbe/0x110 [ 309.223496][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 309.223536][ T5923] ? __pfx_usb_unbind_interface+0x10/0x10 [ 309.223576][ T5923] device_remove+0x125/0x170 [ 309.223621][ T5923] device_release_driver_internal+0x44b/0x620 [ 309.223674][ T5923] ? __entry_text_end+0x1020b5/0x1020b9 [ 309.223716][ T5923] bus_remove_device+0x22f/0x420 [ 309.223760][ T5923] device_del+0x396/0x9f0 [ 309.223808][ T5923] ? __pfx_device_del+0x10/0x10 [ 309.223852][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 309.223909][ T5923] ? kobject_put+0x210/0x5a0 [ 309.223955][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 309.223997][ T5923] usb_disable_device+0x355/0x7d0 [ 309.224035][ T5923] usb_disconnect+0x2e1/0x9c0 [ 309.224074][ T5923] hub_event+0x1c81/0x4fe0 [ 309.224121][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 309.224160][ T5923] ? __lock_acquire+0xb8a/0x1c90 [ 309.224205][ T5923] ? __pfx_hub_event+0x10/0x10 [ 309.224236][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 309.224275][ T5923] ? assoc_array_delete+0xb0/0xd10 [ 309.224314][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 309.224356][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 309.224401][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 309.224443][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 309.224482][ T5923] ? rcu_is_watching+0x12/0xc0 [ 309.224516][ T5923] process_one_work+0x9cf/0x1b70 [ 309.224573][ T5923] ? __pfx_process_one_work+0x10/0x10 [ 309.224621][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 309.224665][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 309.224704][ T5923] ? assign_work+0x1a0/0x250 [ 309.224749][ T5923] worker_thread+0x6c8/0xf10 [ 309.224801][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 309.224841][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 309.224880][ T5923] ? __kthread_parkme+0x19e/0x250 [ 309.224920][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 309.224961][ T5923] ? __pfx_worker_thread+0x10/0x10 [ 309.225009][ T5923] kthread+0x3c5/0x780 [ 309.225052][ T5923] ? __pfx_kthread+0x10/0x10 [ 309.225096][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 309.225135][ T5923] ? rcu_is_watching+0x12/0xc0 [ 309.225166][ T5923] ? __pfx_kthread+0x10/0x10 [ 309.225210][ T5923] ret_from_fork+0x675/0x7d0 [ 309.225251][ T5923] ? __pfx_kthread+0x10/0x10 [ 309.225294][ T5923] ret_from_fork_asm+0x1a/0x30 [ 309.225341][ T5923] [ 309.225352][ T5923] [ 309.540132][ T5923] Allocated by task 977: [ 309.544362][ T5923] kasan_save_stack+0x33/0x60 [ 309.549053][ T5923] kasan_save_track+0x14/0x30 [ 309.553740][ T5923] __kasan_kmalloc+0xaa/0xb0 [ 309.558339][ T5923] hdm_probe+0xb3/0x19a0 [ 309.562586][ T5923] usb_probe_interface+0x303/0xa40 [ 309.567705][ T5923] really_probe+0x241/0xa90 [ 309.572219][ T5923] __driver_probe_device+0x1de/0x440 [ 309.577519][ T5923] driver_probe_device+0x4c/0x1b0 [ 309.582565][ T5923] __device_attach_driver+0x1df/0x310 [ 309.587954][ T5923] bus_for_each_drv+0x159/0x1e0 [ 309.592810][ T5923] __device_attach+0x1e4/0x4b0 [ 309.597762][ T5923] bus_probe_device+0x17f/0x1c0 [ 309.602620][ T5923] device_add+0x1148/0x1aa0 [ 309.607119][ T5923] usb_set_configuration+0x1187/0x1e20 [ 309.612584][ T5923] usb_generic_driver_probe+0xb1/0x110 [ 309.618061][ T5923] usb_probe_device+0xef/0x3e0 [ 309.622827][ T5923] really_probe+0x241/0xa90 [ 309.627355][ T5923] __driver_probe_device+0x1de/0x440 [ 309.632674][ T5923] driver_probe_device+0x4c/0x1b0 [ 309.637712][ T5923] __device_attach_driver+0x1df/0x310 [ 309.643101][ T5923] bus_for_each_drv+0x159/0x1e0 [ 309.648019][ T5923] __device_attach+0x1e4/0x4b0 [ 309.652798][ T5923] bus_probe_device+0x17f/0x1c0 [ 309.657657][ T5923] device_add+0x1148/0x1aa0 [ 309.662163][ T5923] usb_new_device+0xd07/0x1a60 [ 309.666928][ T5923] hub_event+0x2f34/0x4fe0 [ 309.671344][ T5923] process_one_work+0x9cf/0x1b70 [ 309.676295][ T5923] worker_thread+0x6c8/0xf10 [ 309.680903][ T5923] kthread+0x3c5/0x780 [ 309.684990][ T5923] ret_from_fork+0x675/0x7d0 [ 309.689590][ T5923] ret_from_fork_asm+0x1a/0x30 [ 309.694356][ T5923] [ 309.696666][ T5923] Freed by task 5923: [ 309.700641][ T5923] kasan_save_stack+0x33/0x60 [ 309.705324][ T5923] kasan_save_track+0x14/0x30 [ 309.710008][ T5923] __kasan_save_free_info+0x3b/0x60 [ 309.715224][ T5923] __kasan_slab_free+0x5f/0x80 [ 309.719994][ T5923] kfree+0x2b8/0x6d0 [ 309.723908][ T5923] device_release+0xa4/0x240 [ 309.728499][ T5923] kobject_put+0x1e7/0x5a0 [ 309.732929][ T5923] device_unregister+0x2f/0xc0 [ 309.737703][ T5923] hdm_disconnect+0x10b/0x250 [ 309.742469][ T5923] usb_unbind_interface+0x1dd/0x9e0 [ 309.747673][ T5923] device_remove+0x125/0x170 [ 309.752282][ T5923] device_release_driver_internal+0x44b/0x620 [ 309.758368][ T5923] bus_remove_device+0x22f/0x420 [ 309.763320][ T5923] device_del+0x396/0x9f0 [ 309.767661][ T5923] usb_disable_device+0x355/0x7d0 [ 309.772688][ T5923] usb_disconnect+0x2e1/0x9c0 [ 309.777360][ T5923] hub_event+0x1c81/0x4fe0 [ 309.781779][ T5923] process_one_work+0x9cf/0x1b70 [ 309.786737][ T5923] worker_thread+0x6c8/0xf10 [ 309.791346][ T5923] kthread+0x3c5/0x780 [ 309.795427][ T5923] ret_from_fork+0x675/0x7d0 [ 309.800027][ T5923] ret_from_fork_asm+0x1a/0x30 [ 309.804791][ T5923] [ 309.807102][ T5923] The buggy address belongs to the object at ffff8880542a0000 [ 309.807102][ T5923] which belongs to the cache kmalloc-8k of size 8192 [ 309.821161][ T5923] The buggy address is located 1288 bytes inside of [ 309.821161][ T5923] freed 8192-byte region [ffff8880542a0000, ffff8880542a2000) [ 309.835155][ T5923] [ 309.837475][ T5923] The buggy address belongs to the physical page: [ 309.843896][ T5923] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x542a0 [ 309.852657][ T5923] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 309.861242][ T5923] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 309.869222][ T5923] page_type: f5(slab) [ 309.873203][ T5923] raw: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001 [ 309.881790][ T5923] raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000 [ 309.890468][ T5923] head: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001 [ 309.899162][ T5923] head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000 [ 309.907837][ T5923] head: 00fff00000000003 ffffea000150a801 00000000ffffffff 00000000ffffffff [ 309.916520][ T5923] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 309.925184][ T5923] page dumped because: kasan: bad access detected [ 309.931584][ T5923] page_owner tracks the page as allocated [ 309.937290][ T5923] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6188, tgid 6188 (udevd), ts 144168565082, free_ts 144168477982 [ 309.957452][ T5923] post_alloc_hook+0x1c0/0x230 [ 309.962242][ T5923] get_page_from_freelist+0x10a3/0x3a30 [ 309.967789][ T5923] __alloc_frozen_pages_noprof+0x25f/0x2470 [ 309.973686][ T5923] alloc_pages_mpol+0x1fb/0x550 [ 309.978547][ T5923] new_slab+0x24a/0x360 [ 309.982718][ T5923] ___slab_alloc+0xdc4/0x1ae0 [ 309.987413][ T5923] __slab_alloc.constprop.0+0x63/0x110 [ 309.992897][ T5923] __kmalloc_cache_noprof+0x477/0x780 [ 309.998290][ T5923] tomoyo_init_log+0xc8a/0x2140 [ 310.003159][ T5923] tomoyo_supervisor+0x302/0x13b0 [ 310.008192][ T5923] tomoyo_env_perm+0x191/0x200 [ 310.012972][ T5923] tomoyo_find_next_domain+0xec2/0x20b0 [ 310.018530][ T5923] tomoyo_bprm_check_security+0x12e/0x1d0 [ 310.024249][ T5923] security_bprm_check+0x1b9/0x1e0 [ 310.029358][ T5923] bprm_execve+0x81a/0x1640 [ 310.033862][ T5923] do_execveat_common.isra.0+0x4a5/0x610 [ 310.039502][ T5923] page last free pid 6188 tgid 6188 stack trace: [ 310.045820][ T5923] __free_frozen_pages+0x7df/0x1160 [ 310.051032][ T5923] __put_partials+0x130/0x170 [ 310.055709][ T5923] qlist_free_all+0x4d/0x120 [ 310.060302][ T5923] kasan_quarantine_reduce+0x195/0x1e0 [ 310.065768][ T5923] __kasan_slab_alloc+0x69/0x90 [ 310.070627][ T5923] __kmalloc_noprof+0x2e8/0x880 [ 310.075492][ T5923] tomoyo_realpath_from_path+0xc2/0x6e0 [ 310.081052][ T5923] tomoyo_init_log+0xbe6/0x2140 [ 310.085914][ T5923] tomoyo_supervisor+0x302/0x13b0 [ 310.090937][ T5923] tomoyo_env_perm+0x191/0x200 [ 310.095706][ T5923] tomoyo_find_next_domain+0xec2/0x20b0 [ 310.101254][ T5923] tomoyo_bprm_check_security+0x12e/0x1d0 [ 310.106973][ T5923] security_bprm_check+0x1b9/0x1e0 [ 310.112083][ T5923] bprm_execve+0x81a/0x1640 [ 310.116581][ T5923] do_execveat_common.isra.0+0x4a5/0x610 [ 310.122215][ T5923] __x64_sys_execve+0x8e/0xb0 [ 310.126892][ T5923] [ 310.129203][ T5923] Memory state around the buggy address: [ 310.134821][ T5923] ffff8880542a0400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 310.142876][ T5923] ffff8880542a0480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 310.150936][ T5923] >ffff8880542a0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 310.158984][ T5923] ^ [ 310.163300][ T5923] ffff8880542a0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 310.171360][ T5923] ffff8880542a0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 310.179410][ T5923] ================================================================== [ 310.201513][ T5923] ================================================================== [ 310.209600][ T5923] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x205/0x250 [ 310.217252][ T5923] Read of size 8 at addr ffff8880542a0500 by task kworker/1:5/5923 [ 310.225158][ T5923] [ 310.227481][ T5923] CPU: 1 UID: 0 PID: 5923 Comm: kworker/1:5 Tainted: G B syzkaller #0 PREEMPT(full) [ 310.227529][ T5923] Tainted: [B]=BAD_PAGE [ 310.227540][ T5923] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 [ 310.227562][ T5923] Workqueue: usb_hub_wq hub_event [ 310.227597][ T5923] Call Trace: [ 310.227608][ T5923] [ 310.227620][ T5923] dump_stack_lvl+0x116/0x1f0 [ 310.227663][ T5923] print_report+0xcd/0x630 [ 310.227705][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 310.227745][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 310.227784][ T5923] ? __phys_addr+0xe8/0x180 [ 310.227819][ T5923] ? hdm_disconnect+0x205/0x250 [ 310.227852][ T5923] kasan_report+0xe0/0x110 [ 310.227899][ T5923] ? hdm_disconnect+0x205/0x250 [ 310.227938][ T5923] hdm_disconnect+0x205/0x250 [ 310.227972][ T5923] usb_unbind_interface+0x1dd/0x9e0 [ 310.228015][ T5923] ? kernfs_remove_by_name_ns+0xbe/0x110 [ 310.228052][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 310.228092][ T5923] ? __pfx_usb_unbind_interface+0x10/0x10 [ 310.228132][ T5923] device_remove+0x125/0x170 [ 310.228178][ T5923] device_release_driver_internal+0x44b/0x620 [ 310.228231][ T5923] ? __entry_text_end+0x1020b5/0x1020b9 [ 310.228273][ T5923] bus_remove_device+0x22f/0x420 [ 310.228317][ T5923] device_del+0x396/0x9f0 [ 310.228364][ T5923] ? __pfx_device_del+0x10/0x10 [ 310.228408][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 310.228447][ T5923] ? kobject_put+0x210/0x5a0 [ 310.228492][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 310.228535][ T5923] usb_disable_device+0x355/0x7d0 [ 310.228573][ T5923] usb_disconnect+0x2e1/0x9c0 [ 310.228608][ T5923] hub_event+0x1c81/0x4fe0 [ 310.228656][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 310.228695][ T5923] ? __lock_acquire+0xb8a/0x1c90 [ 310.228739][ T5923] ? __pfx_hub_event+0x10/0x10 [ 310.228770][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 310.228809][ T5923] ? assoc_array_delete+0xb0/0xd10 [ 310.228848][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 310.228890][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 310.228935][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 310.228977][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 310.229016][ T5923] ? rcu_is_watching+0x12/0xc0 [ 310.229050][ T5923] process_one_work+0x9cf/0x1b70 [ 310.229107][ T5923] ? __pfx_process_one_work+0x10/0x10 [ 310.229155][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 310.229199][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 310.229238][ T5923] ? assign_work+0x1a0/0x250 [ 310.229283][ T5923] worker_thread+0x6c8/0xf10 [ 310.229334][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 310.229380][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 310.229419][ T5923] ? __kthread_parkme+0x19e/0x250 [ 310.229454][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 310.229494][ T5923] ? __pfx_worker_thread+0x10/0x10 [ 310.229542][ T5923] kthread+0x3c5/0x780 [ 310.229585][ T5923] ? __pfx_kthread+0x10/0x10 [ 310.229629][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 310.229668][ T5923] ? rcu_is_watching+0x12/0xc0 [ 310.229699][ T5923] ? __pfx_kthread+0x10/0x10 [ 310.229743][ T5923] ret_from_fork+0x675/0x7d0 [ 310.229783][ T5923] ? __pfx_kthread+0x10/0x10 [ 310.229826][ T5923] ret_from_fork_asm+0x1a/0x30 [ 310.229873][ T5923] [ 310.229884][ T5923] [ 310.544359][ T5923] Allocated by task 977: [ 310.548591][ T5923] kasan_save_stack+0x33/0x60 [ 310.553275][ T5923] kasan_save_track+0x14/0x30 [ 310.557955][ T5923] __kasan_kmalloc+0xaa/0xb0 [ 310.562549][ T5923] hdm_probe+0xb3/0x19a0 [ 310.566792][ T5923] usb_probe_interface+0x303/0xa40 [ 310.571910][ T5923] really_probe+0x241/0xa90 [ 310.576424][ T5923] __driver_probe_device+0x1de/0x440 [ 310.581721][ T5923] driver_probe_device+0x4c/0x1b0 [ 310.586768][ T5923] __device_attach_driver+0x1df/0x310 [ 310.592180][ T5923] bus_for_each_drv+0x159/0x1e0 [ 310.597043][ T5923] __device_attach+0x1e4/0x4b0 [ 310.601924][ T5923] bus_probe_device+0x17f/0x1c0 [ 310.606796][ T5923] device_add+0x1148/0x1aa0 [ 310.611311][ T5923] usb_set_configuration+0x1187/0x1e20 [ 310.616774][ T5923] usb_generic_driver_probe+0xb1/0x110 [ 310.622256][ T5923] usb_probe_device+0xef/0x3e0 [ 310.627025][ T5923] really_probe+0x241/0xa90 [ 310.631543][ T5923] __driver_probe_device+0x1de/0x440 [ 310.636843][ T5923] driver_probe_device+0x4c/0x1b0 [ 310.641885][ T5923] __device_attach_driver+0x1df/0x310 [ 310.647291][ T5923] bus_for_each_drv+0x159/0x1e0 [ 310.652149][ T5923] __device_attach+0x1e4/0x4b0 [ 310.656930][ T5923] bus_probe_device+0x17f/0x1c0 [ 310.661790][ T5923] device_add+0x1148/0x1aa0 [ 310.666293][ T5923] usb_new_device+0xd07/0x1a60 [ 310.671058][ T5923] hub_event+0x2f34/0x4fe0 [ 310.675476][ T5923] process_one_work+0x9cf/0x1b70 [ 310.680429][ T5923] worker_thread+0x6c8/0xf10 [ 310.685037][ T5923] kthread+0x3c5/0x780 [ 310.689125][ T5923] ret_from_fork+0x675/0x7d0 [ 310.693729][ T5923] ret_from_fork_asm+0x1a/0x30 [ 310.698497][ T5923] [ 310.700812][ T5923] Freed by task 5923: [ 310.704780][ T5923] kasan_save_stack+0x33/0x60 [ 310.709480][ T5923] kasan_save_track+0x14/0x30 [ 310.714174][ T5923] __kasan_save_free_info+0x3b/0x60 [ 310.719392][ T5923] __kasan_slab_free+0x5f/0x80 [ 310.724165][ T5923] kfree+0x2b8/0x6d0 [ 310.728074][ T5923] device_release+0xa4/0x240 [ 310.732666][ T5923] kobject_put+0x1e7/0x5a0 [ 310.737092][ T5923] device_unregister+0x2f/0xc0 [ 310.741869][ T5923] hdm_disconnect+0x10b/0x250 [ 310.746557][ T5923] usb_unbind_interface+0x1dd/0x9e0 [ 310.751759][ T5923] device_remove+0x125/0x170 [ 310.756361][ T5923] device_release_driver_internal+0x44b/0x620 [ 310.762449][ T5923] bus_remove_device+0x22f/0x420 [ 310.767391][ T5923] device_del+0x396/0x9f0 [ 310.771735][ T5923] usb_disable_device+0x355/0x7d0 [ 310.776757][ T5923] usb_disconnect+0x2e1/0x9c0 [ 310.781433][ T5923] hub_event+0x1c81/0x4fe0 [ 310.785851][ T5923] process_one_work+0x9cf/0x1b70 [ 310.790805][ T5923] worker_thread+0x6c8/0xf10 [ 310.795409][ T5923] kthread+0x3c5/0x780 [ 310.799499][ T5923] ret_from_fork+0x675/0x7d0 [ 310.804098][ T5923] ret_from_fork_asm+0x1a/0x30 [ 310.808881][ T5923] [ 310.811201][ T5923] The buggy address belongs to the object at ffff8880542a0000 [ 310.811201][ T5923] which belongs to the cache kmalloc-8k of size 8192 [ 310.825348][ T5923] The buggy address is located 1280 bytes inside of [ 310.825348][ T5923] freed 8192-byte region [ffff8880542a0000, ffff8880542a2000) [ 310.839329][ T5923] [ 310.841648][ T5923] The buggy address belongs to the physical page: [ 310.848049][ T5923] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x542a0 [ 310.856807][ T5923] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 310.865303][ T5923] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 310.873279][ T5923] page_type: f5(slab) [ 310.877261][ T5923] raw: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001 [ 310.885850][ T5923] raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000 [ 310.894441][ T5923] head: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001 [ 310.903115][ T5923] head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000 [ 310.911789][ T5923] head: 00fff00000000003 ffffea000150a801 00000000ffffffff 00000000ffffffff [ 310.920466][ T5923] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 310.929127][ T5923] page dumped because: kasan: bad access detected [ 310.935529][ T5923] page_owner tracks the page as allocated [ 310.941227][ T5923] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6188, tgid 6188 (udevd), ts 144168565082, free_ts 144168477982 [ 310.961392][ T5923] post_alloc_hook+0x1c0/0x230 [ 310.966187][ T5923] get_page_from_freelist+0x10a3/0x3a30 [ 310.971737][ T5923] __alloc_frozen_pages_noprof+0x25f/0x2470 [ 310.977633][ T5923] alloc_pages_mpol+0x1fb/0x550 [ 310.982495][ T5923] new_slab+0x24a/0x360 [ 310.986669][ T5923] ___slab_alloc+0xdc4/0x1ae0 [ 310.991365][ T5923] __slab_alloc.constprop.0+0x63/0x110 [ 310.996843][ T5923] __kmalloc_cache_noprof+0x477/0x780 [ 311.002240][ T5923] tomoyo_init_log+0xc8a/0x2140 [ 311.007104][ T5923] tomoyo_supervisor+0x302/0x13b0 [ 311.012132][ T5923] tomoyo_env_perm+0x191/0x200 [ 311.016906][ T5923] tomoyo_find_next_domain+0xec2/0x20b0 [ 311.022463][ T5923] tomoyo_bprm_check_security+0x12e/0x1d0 [ 311.028183][ T5923] security_bprm_check+0x1b9/0x1e0 [ 311.033319][ T5923] bprm_execve+0x81a/0x1640 [ 311.037844][ T5923] do_execveat_common.isra.0+0x4a5/0x610 [ 311.043492][ T5923] page last free pid 6188 tgid 6188 stack trace: [ 311.049821][ T5923] __free_frozen_pages+0x7df/0x1160 [ 311.055046][ T5923] __put_partials+0x130/0x170 [ 311.059724][ T5923] qlist_free_all+0x4d/0x120 [ 311.064317][ T5923] kasan_quarantine_reduce+0x195/0x1e0 [ 311.069786][ T5923] __kasan_slab_alloc+0x69/0x90 [ 311.074647][ T5923] __kmalloc_noprof+0x2e8/0x880 [ 311.079525][ T5923] tomoyo_realpath_from_path+0xc2/0x6e0 [ 311.085088][ T5923] tomoyo_init_log+0xbe6/0x2140 [ 311.089954][ T5923] tomoyo_supervisor+0x302/0x13b0 [ 311.094978][ T5923] tomoyo_env_perm+0x191/0x200 [ 311.099745][ T5923] tomoyo_find_next_domain+0xec2/0x20b0 [ 311.105295][ T5923] tomoyo_bprm_check_security+0x12e/0x1d0 [ 311.111018][ T5923] security_bprm_check+0x1b9/0x1e0 [ 311.116132][ T5923] bprm_execve+0x81a/0x1640 [ 311.120638][ T5923] do_execveat_common.isra.0+0x4a5/0x610 [ 311.126277][ T5923] __x64_sys_execve+0x8e/0xb0 [ 311.130963][ T5923] [ 311.133272][ T5923] Memory state around the buggy address: [ 311.138897][ T5923] ffff8880542a0400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 311.146953][ T5923] ffff8880542a0480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 311.155011][ T5923] >ffff8880542a0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 311.163064][ T5923] ^ [ 311.167122][ T5923] ffff8880542a0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 311.175180][ T5923] ffff8880542a0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 311.183230][ T5923] ================================================================== [ 311.213133][ T5923] ================================================================== [ 311.221221][ T5923] BUG: KASAN: slab-use-after-free in kobject_put+0x4ed/0x5a0 [ 311.228605][ T5923] Read of size 1 at addr ffff888033af303c by task kworker/1:5/5923 [ 311.236523][ T5923] [ 311.238857][ T5923] CPU: 1 UID: 0 PID: 5923 Comm: kworker/1:5 Tainted: G B syzkaller #0 PREEMPT(full) [ 311.238902][ T5923] Tainted: [B]=BAD_PAGE [ 311.238912][ T5923] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 [ 311.238932][ T5923] Workqueue: usb_hub_wq hub_event [ 311.238962][ T5923] Call Trace: [ 311.238972][ T5923] [ 311.238983][ T5923] dump_stack_lvl+0x116/0x1f0 [ 311.239019][ T5923] print_report+0xcd/0x630 [ 311.239055][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 311.239088][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 311.239120][ T5923] ? __phys_addr+0xe8/0x180 [ 311.239152][ T5923] ? kobject_put+0x4ed/0x5a0 [ 311.239188][ T5923] kasan_report+0xe0/0x110 [ 311.239224][ T5923] ? kobject_put+0x4ed/0x5a0 [ 311.239265][ T5923] kobject_put+0x4ed/0x5a0 [ 311.239303][ T5923] put_device+0x1f/0x30 [ 311.239332][ T5923] hdm_disconnect+0x1e2/0x250 [ 311.239362][ T5923] usb_unbind_interface+0x1dd/0x9e0 [ 311.239398][ T5923] ? kernfs_remove_by_name_ns+0xbe/0x110 [ 311.239429][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 311.239462][ T5923] ? __pfx_usb_unbind_interface+0x10/0x10 [ 311.239496][ T5923] device_remove+0x125/0x170 [ 311.239533][ T5923] device_release_driver_internal+0x44b/0x620 [ 311.239576][ T5923] ? __entry_text_end+0x1020b5/0x1020b9 [ 311.239611][ T5923] bus_remove_device+0x22f/0x420 [ 311.239649][ T5923] device_del+0x396/0x9f0 [ 311.239703][ T5923] ? __pfx_device_del+0x10/0x10 [ 311.239746][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 311.239779][ T5923] ? kobject_put+0x210/0x5a0 [ 311.239817][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 311.239852][ T5923] usb_disable_device+0x355/0x7d0 [ 311.239884][ T5923] usb_disconnect+0x2e1/0x9c0 [ 311.239919][ T5923] hub_event+0x1c81/0x4fe0 [ 311.239959][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 311.239992][ T5923] ? __lock_acquire+0xb8a/0x1c90 [ 311.240028][ T5923] ? __pfx_hub_event+0x10/0x10 [ 311.240054][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 311.240087][ T5923] ? assoc_array_delete+0xb0/0xd10 [ 311.240119][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 311.240156][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 311.240190][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 311.240225][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 311.240257][ T5923] ? rcu_is_watching+0x12/0xc0 [ 311.240286][ T5923] process_one_work+0x9cf/0x1b70 [ 311.240333][ T5923] ? __pfx_process_one_work+0x10/0x10 [ 311.240373][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 311.240410][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 311.240442][ T5923] ? assign_work+0x1a0/0x250 [ 311.240480][ T5923] worker_thread+0x6c8/0xf10 [ 311.240522][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 311.240556][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 311.240588][ T5923] ? __kthread_parkme+0x19e/0x250 [ 311.240617][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 311.240651][ T5923] ? __pfx_worker_thread+0x10/0x10 [ 311.240691][ T5923] kthread+0x3c5/0x780 [ 311.240727][ T5923] ? __pfx_kthread+0x10/0x10 [ 311.240767][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 311.240812][ T5923] ? rcu_is_watching+0x12/0xc0 [ 311.240841][ T5923] ? __pfx_kthread+0x10/0x10 [ 311.240878][ T5923] ret_from_fork+0x675/0x7d0 [ 311.240917][ T5923] ? __pfx_kthread+0x10/0x10 [ 311.240953][ T5923] ret_from_fork_asm+0x1a/0x30 [ 311.240992][ T5923] [ 311.241002][ T5923] [ 311.563641][ T5923] Allocated by task 977: [ 311.567873][ T5923] kasan_save_stack+0x33/0x60 [ 311.572575][ T5923] kasan_save_track+0x14/0x30 [ 311.577257][ T5923] __kasan_kmalloc+0xaa/0xb0 [ 311.581852][ T5923] hdm_probe+0x10c5/0x19a0 [ 311.586277][ T5923] usb_probe_interface+0x303/0xa40 [ 311.591402][ T5923] really_probe+0x241/0xa90 [ 311.595964][ T5923] __driver_probe_device+0x1de/0x440 [ 311.601266][ T5923] driver_probe_device+0x4c/0x1b0 [ 311.606304][ T5923] __device_attach_driver+0x1df/0x310 [ 311.611709][ T5923] bus_for_each_drv+0x159/0x1e0 [ 311.616589][ T5923] __device_attach+0x1e4/0x4b0 [ 311.621378][ T5923] bus_probe_device+0x17f/0x1c0 [ 311.626243][ T5923] device_add+0x1148/0x1aa0 [ 311.630755][ T5923] usb_set_configuration+0x1187/0x1e20 [ 311.636218][ T5923] usb_generic_driver_probe+0xb1/0x110 [ 311.641698][ T5923] usb_probe_device+0xef/0x3e0 [ 311.646465][ T5923] really_probe+0x241/0xa90 [ 311.650986][ T5923] __driver_probe_device+0x1de/0x440 [ 311.656290][ T5923] driver_probe_device+0x4c/0x1b0 [ 311.661331][ T5923] __device_attach_driver+0x1df/0x310 [ 311.666806][ T5923] bus_for_each_drv+0x159/0x1e0 [ 311.671664][ T5923] __device_attach+0x1e4/0x4b0 [ 311.676443][ T5923] bus_probe_device+0x17f/0x1c0 [ 311.681303][ T5923] device_add+0x1148/0x1aa0 [ 311.685804][ T5923] usb_new_device+0xd07/0x1a60 [ 311.690567][ T5923] hub_event+0x2f34/0x4fe0 [ 311.694986][ T5923] process_one_work+0x9cf/0x1b70 [ 311.699941][ T5923] worker_thread+0x6c8/0xf10 [ 311.704548][ T5923] kthread+0x3c5/0x780 [ 311.708626][ T5923] ret_from_fork+0x675/0x7d0 [ 311.713225][ T5923] ret_from_fork_asm+0x1a/0x30 [ 311.717996][ T5923] [ 311.720309][ T5923] Freed by task 5923: [ 311.724280][ T5923] kasan_save_stack+0x33/0x60 [ 311.728970][ T5923] kasan_save_track+0x14/0x30 [ 311.733660][ T5923] __kasan_save_free_info+0x3b/0x60 [ 311.738883][ T5923] __kasan_slab_free+0x5f/0x80 [ 311.743661][ T5923] kfree+0x2b8/0x6d0 [ 311.747578][ T5923] device_release+0xa4/0x240 [ 311.752174][ T5923] kobject_put+0x1e7/0x5a0 [ 311.756607][ T5923] device_unregister+0x2f/0xc0 [ 311.761406][ T5923] hdm_disconnect+0xfa/0x250 [ 311.765999][ T5923] usb_unbind_interface+0x1dd/0x9e0 [ 311.771208][ T5923] device_remove+0x125/0x170 [ 311.775810][ T5923] device_release_driver_internal+0x44b/0x620 [ 311.781901][ T5923] bus_remove_device+0x22f/0x420 [ 311.786847][ T5923] device_del+0x396/0x9f0 [ 311.791195][ T5923] usb_disable_device+0x355/0x7d0 [ 311.796218][ T5923] usb_disconnect+0x2e1/0x9c0 [ 311.800897][ T5923] hub_event+0x1c81/0x4fe0 [ 311.805315][ T5923] process_one_work+0x9cf/0x1b70 [ 311.810271][ T5923] worker_thread+0x6c8/0xf10 [ 311.814879][ T5923] kthread+0x3c5/0x780 [ 311.818964][ T5923] ret_from_fork+0x675/0x7d0 [ 311.823562][ T5923] ret_from_fork_asm+0x1a/0x30 [ 311.828330][ T5923] [ 311.830647][ T5923] The buggy address belongs to the object at ffff888033af3000 [ 311.830647][ T5923] which belongs to the cache kmalloc-2k of size 2048 [ 311.844705][ T5923] The buggy address is located 60 bytes inside of [ 311.844705][ T5923] freed 2048-byte region [ffff888033af3000, ffff888033af3800) [ 311.858512][ T5923] [ 311.860824][ T5923] The buggy address belongs to the physical page: [ 311.867224][ T5923] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33af0 [ 311.875984][ T5923] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 311.884481][ T5923] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 311.892024][ T5923] page_type: f5(slab) [ 311.896003][ T5923] raw: 00fff00000000040 ffff88813ff27000 dead000000000100 dead000000000122 [ 311.904590][ T5923] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 311.913175][ T5923] head: 00fff00000000040 ffff88813ff27000 dead000000000100 dead000000000122 [ 311.921849][ T5923] head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 311.930662][ T5923] head: 00fff00000000003 ffffea0000cebc01 00000000ffffffff 00000000ffffffff [ 311.939351][ T5923] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 311.948019][ T5923] page dumped because: kasan: bad access detected [ 311.954422][ T5923] page_owner tracks the page as allocated [ 311.960124][ T5923] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5831, tgid 5831 (syz-executor), ts 108296129069, free_ts 108276590272 [ 311.981073][ T5923] post_alloc_hook+0x1c0/0x230 [ 311.985875][ T5923] get_page_from_freelist+0x10a3/0x3a30 [ 311.991424][ T5923] __alloc_frozen_pages_noprof+0x25f/0x2470 [ 311.997320][ T5923] alloc_pages_mpol+0x1fb/0x550 [ 312.002188][ T5923] new_slab+0x24a/0x360 [ 312.006363][ T5923] ___slab_alloc+0xdc4/0x1ae0 [ 312.011061][ T5923] __slab_alloc.constprop.0+0x63/0x110 [ 312.016561][ T5923] __kmalloc_node_track_caller_noprof+0x4db/0x8a0 [ 312.022992][ T5923] kmalloc_reserve+0xef/0x2c0 [ 312.027681][ T5923] pskb_expand_head+0x238/0x1030 [ 312.032623][ T5923] netlink_trim+0x22d/0x310 [ 312.037152][ T5923] netlink_broadcast_filtered+0xf1/0xf90 [ 312.042795][ T5923] nlmsg_notify+0x9e/0x220 [ 312.047221][ T5923] rtmsg_ifinfo+0x174/0x1a0 [ 312.051909][ T5923] __dev_notify_flags+0x24c/0x2e0 [ 312.056933][ T5923] rtnl_configure_link+0x1b5/0x280 [ 312.062067][ T5923] page last free pid 5831 tgid 5831 stack trace: [ 312.068385][ T5923] __free_frozen_pages+0x7df/0x1160 [ 312.073614][ T5923] qlist_free_all+0x4d/0x120 [ 312.078211][ T5923] kasan_quarantine_reduce+0x195/0x1e0 [ 312.083678][ T5923] __kasan_slab_alloc+0x69/0x90 [ 312.088541][ T5923] __kmalloc_cache_noprof+0x274/0x780 [ 312.093937][ T5923] ref_tracker_alloc+0x18e/0x5b0 [ 312.098877][ T5923] register_netdevice+0x1689/0x2270 [ 312.104086][ T5923] veth_newlink+0x316/0xa00 [ 312.108609][ T5923] rtnl_newlink+0xc45/0x2000 [ 312.113210][ T5923] rtnetlink_rcv_msg+0x95e/0xe90 [ 312.118154][ T5923] netlink_rcv_skb+0x158/0x420 [ 312.122931][ T5923] netlink_unicast+0x5aa/0x870 [ 312.127700][ T5923] netlink_sendmsg+0x8c8/0xdd0 [ 312.132482][ T5923] __sys_sendto+0x4a3/0x520 [ 312.136981][ T5923] __x64_sys_sendto+0xe0/0x1c0 [ 312.141744][ T5923] do_syscall_64+0xcd/0xfa0 [ 312.146262][ T5923] [ 312.148575][ T5923] Memory state around the buggy address: [ 312.154193][ T5923] ffff888033af2f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 312.162253][ T5923] ffff888033af2f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 312.170313][ T5923] >ffff888033af3000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 312.178370][ T5923] ^ [ 312.184259][ T5923] ffff888033af3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 312.192315][ T5923] ffff888033af3100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 312.200370][ T5923] ================================================================== [ 312.241838][ T5923] ================================================================== [ 312.249955][ T5923] BUG: KASAN: slab-use-after-free in kobject_put+0x84/0x5a0 [ 312.257273][ T5923] Write of size 4 at addr ffff888033af3038 by task kworker/1:5/5923 [ 312.265253][ T5923] [ 312.267579][ T5923] CPU: 1 UID: 0 PID: 5923 Comm: kworker/1:5 Tainted: G B syzkaller #0 PREEMPT(full) [ 312.267628][ T5923] Tainted: [B]=BAD_PAGE [ 312.267640][ T5923] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 [ 312.267664][ T5923] Workqueue: usb_hub_wq hub_event [ 312.267699][ T5923] Call Trace: [ 312.267711][ T5923] [ 312.267724][ T5923] dump_stack_lvl+0x116/0x1f0 [ 312.267768][ T5923] print_report+0xcd/0x630 [ 312.267811][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 312.267853][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 312.267893][ T5923] ? __phys_addr+0xe8/0x180 [ 312.267930][ T5923] ? kobject_put+0x84/0x5a0 [ 312.267974][ T5923] kasan_report+0xe0/0x110 [ 312.268018][ T5923] ? kobject_put+0x84/0x5a0 [ 312.268068][ T5923] kasan_check_range+0x100/0x1b0 [ 312.268119][ T5923] kobject_put+0x84/0x5a0 [ 312.268170][ T5923] put_device+0x1f/0x30 [ 312.268207][ T5923] hdm_disconnect+0x1e2/0x250 [ 312.268243][ T5923] usb_unbind_interface+0x1dd/0x9e0 [ 312.268287][ T5923] ? kernfs_remove_by_name_ns+0xbe/0x110 [ 312.268326][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 312.268366][ T5923] ? __pfx_usb_unbind_interface+0x10/0x10 [ 312.268407][ T5923] device_remove+0x125/0x170 [ 312.268453][ T5923] device_release_driver_internal+0x44b/0x620 [ 312.268507][ T5923] ? __entry_text_end+0x1020b5/0x1020b9 [ 312.268550][ T5923] bus_remove_device+0x22f/0x420 [ 312.268594][ T5923] device_del+0x396/0x9f0 [ 312.268643][ T5923] ? __pfx_device_del+0x10/0x10 [ 312.268687][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 312.268727][ T5923] ? kobject_put+0x210/0x5a0 [ 312.268773][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 312.268816][ T5923] usb_disable_device+0x355/0x7d0 [ 312.268855][ T5923] usb_disconnect+0x2e1/0x9c0 [ 312.268892][ T5923] hub_event+0x1c81/0x4fe0 [ 312.268940][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 312.268981][ T5923] ? __lock_acquire+0xb8a/0x1c90 [ 312.269025][ T5923] ? __pfx_hub_event+0x10/0x10 [ 312.269057][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 312.269097][ T5923] ? assoc_array_delete+0xb0/0xd10 [ 312.269141][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 312.269185][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 312.269227][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 312.269270][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 312.269309][ T5923] ? rcu_is_watching+0x12/0xc0 [ 312.269344][ T5923] process_one_work+0x9cf/0x1b70 [ 312.269402][ T5923] ? __pfx_process_one_work+0x10/0x10 [ 312.269451][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 312.269497][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 312.269537][ T5923] ? assign_work+0x1a0/0x250 [ 312.269583][ T5923] worker_thread+0x6c8/0xf10 [ 312.269635][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 312.269676][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 312.269716][ T5923] ? __kthread_parkme+0x19e/0x250 [ 312.269752][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 312.269793][ T5923] ? __pfx_worker_thread+0x10/0x10 [ 312.269842][ T5923] kthread+0x3c5/0x780 [ 312.269886][ T5923] ? __pfx_kthread+0x10/0x10 [ 312.269931][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 312.269971][ T5923] ? rcu_is_watching+0x12/0xc0 [ 312.270002][ T5923] ? __pfx_kthread+0x10/0x10 [ 312.270047][ T5923] ret_from_fork+0x675/0x7d0 [ 312.270088][ T5923] ? __pfx_kthread+0x10/0x10 [ 312.270137][ T5923] ret_from_fork_asm+0x1a/0x30 [ 312.270184][ T5923] [ 312.270195][ T5923] [ 312.597654][ T5923] Allocated by task 977: [ 312.601885][ T5923] kasan_save_stack+0x33/0x60 [ 312.606572][ T5923] kasan_save_track+0x14/0x30 [ 312.611257][ T5923] __kasan_kmalloc+0xaa/0xb0 [ 312.615851][ T5923] hdm_probe+0x10c5/0x19a0 [ 312.620271][ T5923] usb_probe_interface+0x303/0xa40 [ 312.625390][ T5923] really_probe+0x241/0xa90 [ 312.629910][ T5923] __driver_probe_device+0x1de/0x440 [ 312.635223][ T5923] driver_probe_device+0x4c/0x1b0 [ 312.640282][ T5923] __device_attach_driver+0x1df/0x310 [ 312.645673][ T5923] bus_for_each_drv+0x159/0x1e0 [ 312.650536][ T5923] __device_attach+0x1e4/0x4b0 [ 312.655319][ T5923] bus_probe_device+0x17f/0x1c0 [ 312.660184][ T5923] device_add+0x1148/0x1aa0 [ 312.664690][ T5923] usb_set_configuration+0x1187/0x1e20 [ 312.670155][ T5923] usb_generic_driver_probe+0xb1/0x110 [ 312.675633][ T5923] usb_probe_device+0xef/0x3e0 [ 312.680400][ T5923] really_probe+0x241/0xa90 [ 312.684918][ T5923] __driver_probe_device+0x1de/0x440 [ 312.690221][ T5923] driver_probe_device+0x4c/0x1b0 [ 312.695262][ T5923] __device_attach_driver+0x1df/0x310 [ 312.700656][ T5923] bus_for_each_drv+0x159/0x1e0 [ 312.705525][ T5923] __device_attach+0x1e4/0x4b0 [ 312.710494][ T5923] bus_probe_device+0x17f/0x1c0 [ 312.715387][ T5923] device_add+0x1148/0x1aa0 [ 312.719896][ T5923] usb_new_device+0xd07/0x1a60 [ 312.724669][ T5923] hub_event+0x2f34/0x4fe0 [ 312.729087][ T5923] process_one_work+0x9cf/0x1b70 [ 312.734049][ T5923] worker_thread+0x6c8/0xf10 [ 312.738657][ T5923] kthread+0x3c5/0x780 [ 312.742736][ T5923] ret_from_fork+0x675/0x7d0 [ 312.747340][ T5923] ret_from_fork_asm+0x1a/0x30 [ 312.752117][ T5923] [ 312.754428][ T5923] Freed by task 5923: [ 312.758405][ T5923] kasan_save_stack+0x33/0x60 [ 312.763090][ T5923] kasan_save_track+0x14/0x30 [ 312.767776][ T5923] __kasan_save_free_info+0x3b/0x60 [ 312.772996][ T5923] __kasan_slab_free+0x5f/0x80 [ 312.777767][ T5923] kfree+0x2b8/0x6d0 [ 312.781682][ T5923] device_release+0xa4/0x240 [ 312.786278][ T5923] kobject_put+0x1e7/0x5a0 [ 312.790707][ T5923] device_unregister+0x2f/0xc0 [ 312.795488][ T5923] hdm_disconnect+0xfa/0x250 [ 312.800081][ T5923] usb_unbind_interface+0x1dd/0x9e0 [ 312.805306][ T5923] device_remove+0x125/0x170 [ 312.809914][ T5923] device_release_driver_internal+0x44b/0x620 [ 312.816006][ T5923] bus_remove_device+0x22f/0x420 [ 312.820959][ T5923] device_del+0x396/0x9f0 [ 312.825302][ T5923] usb_disable_device+0x355/0x7d0 [ 312.830328][ T5923] usb_disconnect+0x2e1/0x9c0 [ 312.835003][ T5923] hub_event+0x1c81/0x4fe0 [ 312.839431][ T5923] process_one_work+0x9cf/0x1b70 [ 312.844387][ T5923] worker_thread+0x6c8/0xf10 [ 312.848998][ T5923] kthread+0x3c5/0x780 [ 312.853078][ T5923] ret_from_fork+0x675/0x7d0 [ 312.857679][ T5923] ret_from_fork_asm+0x1a/0x30 [ 312.862449][ T5923] [ 312.864759][ T5923] The buggy address belongs to the object at ffff888033af3000 [ 312.864759][ T5923] which belongs to the cache kmalloc-2k of size 2048 [ 312.878809][ T5923] The buggy address is located 56 bytes inside of [ 312.878809][ T5923] freed 2048-byte region [ffff888033af3000, ffff888033af3800) [ 312.892603][ T5923] [ 312.894916][ T5923] The buggy address belongs to the physical page: [ 312.901334][ T5923] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33af0 [ 312.910091][ T5923] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 312.918584][ T5923] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 312.926126][ T5923] page_type: f5(slab) [ 312.930108][ T5923] raw: 00fff00000000040 ffff88813ff27000 dead000000000100 dead000000000122 [ 312.938694][ T5923] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 312.947286][ T5923] head: 00fff00000000040 ffff88813ff27000 dead000000000100 dead000000000122 [ 312.955962][ T5923] head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 312.964636][ T5923] head: 00fff00000000003 ffffea0000cebc01 00000000ffffffff 00000000ffffffff [ 312.973318][ T5923] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 312.981980][ T5923] page dumped because: kasan: bad access detected [ 312.988381][ T5923] page_owner tracks the page as allocated [ 312.994079][ T5923] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5831, tgid 5831 (syz-executor), ts 108296129069, free_ts 108276590272 [ 313.015025][ T5923] post_alloc_hook+0x1c0/0x230 [ 313.019839][ T5923] get_page_from_freelist+0x10a3/0x3a30 [ 313.025410][ T5923] __alloc_frozen_pages_noprof+0x25f/0x2470 [ 313.031313][ T5923] alloc_pages_mpol+0x1fb/0x550 [ 313.036178][ T5923] new_slab+0x24a/0x360 [ 313.040526][ T5923] ___slab_alloc+0xdc4/0x1ae0 [ 313.045219][ T5923] __slab_alloc.constprop.0+0x63/0x110 [ 313.050699][ T5923] __kmalloc_node_track_caller_noprof+0x4db/0x8a0 [ 313.057126][ T5923] kmalloc_reserve+0xef/0x2c0 [ 313.061833][ T5923] pskb_expand_head+0x238/0x1030 [ 313.066776][ T5923] netlink_trim+0x22d/0x310 [ 313.071302][ T5923] netlink_broadcast_filtered+0xf1/0xf90 [ 313.076943][ T5923] nlmsg_notify+0x9e/0x220 [ 313.081368][ T5923] rtmsg_ifinfo+0x174/0x1a0 [ 313.085882][ T5923] __dev_notify_flags+0x24c/0x2e0 [ 313.090917][ T5923] rtnl_configure_link+0x1b5/0x280 [ 313.096054][ T5923] page last free pid 5831 tgid 5831 stack trace: [ 313.102374][ T5923] __free_frozen_pages+0x7df/0x1160 [ 313.107686][ T5923] qlist_free_all+0x4d/0x120 [ 313.112279][ T5923] kasan_quarantine_reduce+0x195/0x1e0 [ 313.117742][ T5923] __kasan_slab_alloc+0x69/0x90 [ 313.122603][ T5923] __kmalloc_cache_noprof+0x274/0x780 [ 313.127997][ T5923] ref_tracker_alloc+0x18e/0x5b0 [ 313.132937][ T5923] register_netdevice+0x1689/0x2270 [ 313.138181][ T5923] veth_newlink+0x316/0xa00 [ 313.142700][ T5923] rtnl_newlink+0xc45/0x2000 [ 313.147300][ T5923] rtnetlink_rcv_msg+0x95e/0xe90 [ 313.152245][ T5923] netlink_rcv_skb+0x158/0x420 [ 313.157015][ T5923] netlink_unicast+0x5aa/0x870 [ 313.161797][ T5923] netlink_sendmsg+0x8c8/0xdd0 [ 313.166572][ T5923] __sys_sendto+0x4a3/0x520 [ 313.171075][ T5923] __x64_sys_sendto+0xe0/0x1c0 [ 313.175844][ T5923] do_syscall_64+0xcd/0xfa0 [ 313.180365][ T5923] [ 313.182687][ T5923] Memory state around the buggy address: [ 313.188309][ T5923] ffff888033af2f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 313.196371][ T5923] ffff888033af2f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 313.204435][ T5923] >ffff888033af3000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 313.212488][ T5923] ^ [ 313.218370][ T5923] ffff888033af3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 313.226427][ T5923] ffff888033af3100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 313.234482][ T5923] ================================================================== [ 313.260020][ T5923] Kernel panic - not syncing: kasan.fault=panic_on_write set ... [ 313.267799][ T5923] CPU: 1 UID: 0 PID: 5923 Comm: kworker/1:5 Tainted: G B syzkaller #0 PREEMPT(full) [ 313.278759][ T5923] Tainted: [B]=BAD_PAGE [ 313.282915][ T5923] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 [ 313.292982][ T5923] Workqueue: usb_hub_wq hub_event [ 313.298025][ T5923] Call Trace: [ 313.301295][ T5923] [ 313.304217][ T5923] dump_stack_lvl+0x3d/0x1f0 [ 313.308822][ T5923] vpanic+0x640/0x6f0 [ 313.312819][ T5923] panic+0xca/0xd0 [ 313.316551][ T5923] ? __pfx_panic+0x10/0x10 [ 313.320982][ T5923] ? kobject_put+0x84/0x5a0 [ 313.325508][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 313.331170][ T5923] ? preempt_schedule_thunk+0x16/0x30 [ 313.336591][ T5923] end_report+0x159/0x170 [ 313.340942][ T5923] kasan_report+0xee/0x110 [ 313.345384][ T5923] ? kobject_put+0x84/0x5a0 [ 313.349914][ T5923] kasan_check_range+0x100/0x1b0 [ 313.354881][ T5923] kobject_put+0x84/0x5a0 [ 313.359230][ T5923] put_device+0x1f/0x30 [ 313.363392][ T5923] hdm_disconnect+0x1e2/0x250 [ 313.368083][ T5923] usb_unbind_interface+0x1dd/0x9e0 [ 313.373300][ T5923] ? kernfs_remove_by_name_ns+0xbe/0x110 [ 313.378940][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 313.384596][ T5923] ? __pfx_usb_unbind_interface+0x10/0x10 [ 313.390328][ T5923] device_remove+0x125/0x170 [ 313.394936][ T5923] device_release_driver_internal+0x44b/0x620 [ 313.401033][ T5923] ? __entry_text_end+0x1020b5/0x1020b9 [ 313.406591][ T5923] bus_remove_device+0x22f/0x420 [ 313.411545][ T5923] device_del+0x396/0x9f0 [ 313.415898][ T5923] ? __pfx_device_del+0x10/0x10 [ 313.420764][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 313.426408][ T5923] ? kobject_put+0x210/0x5a0 [ 313.431016][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 313.436659][ T5923] usb_disable_device+0x355/0x7d0 [ 313.441692][ T5923] usb_disconnect+0x2e1/0x9c0 [ 313.446374][ T5923] hub_event+0x1c81/0x4fe0 [ 313.450810][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 313.456451][ T5923] ? __lock_acquire+0xb8a/0x1c90 [ 313.461413][ T5923] ? __pfx_hub_event+0x10/0x10 [ 313.466177][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 313.471821][ T5923] ? assoc_array_delete+0xb0/0xd10 [ 313.476947][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 313.482604][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 313.488247][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 313.493894][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 313.499535][ T5923] ? rcu_is_watching+0x12/0xc0 [ 313.504303][ T5923] process_one_work+0x9cf/0x1b70 [ 313.509270][ T5923] ? __pfx_process_one_work+0x10/0x10 [ 313.514660][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 313.520314][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 313.525951][ T5923] ? assign_work+0x1a0/0x250 [ 313.530558][ T5923] worker_thread+0x6c8/0xf10 [ 313.535168][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 313.540810][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 313.546451][ T5923] ? __kthread_parkme+0x19e/0x250 [ 313.551521][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 313.557168][ T5923] ? __pfx_worker_thread+0x10/0x10 [ 313.562297][ T5923] kthread+0x3c5/0x780 [ 313.566468][ T5923] ? __pfx_kthread+0x10/0x10 [ 313.571076][ T5923] ? srso_alias_return_thunk+0x5/0xfbef5 [ 313.576717][ T5923] ? rcu_is_watching+0x12/0xc0 [ 313.581486][ T5923] ? __pfx_kthread+0x10/0x10 [ 313.586093][ T5923] ret_from_fork+0x675/0x7d0 [ 313.590694][ T5923] ? __pfx_kthread+0x10/0x10 [ 313.595298][ T5923] ret_from_fork_asm+0x1a/0x30 [ 313.600077][ T5923] [ 313.603175][ T5923] Kernel Offset: disabled [ 313.607486][ T5923] Rebooting in 86400 seconds..