last executing test programs: 1.322499663s ago: executing program 0 (id=1): r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000100)=@base={0x9, 0x2, 0x7fe2, 0x3, 0x12}, 0x50) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=@framed={{}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r0}, {}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}]}, 0x0, 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback=0x1b, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000500)='percpu_free_percpu\x00', r1}, 0x10) bpf$MAP_CREATE(0x0, &(0x7f0000000840)=@base={0xa, 0x101, 0x7fff, 0xcc, 0x0, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x4}, 0x50) 814.620237ms ago: executing program 1 (id=2): r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000100)=ANY=[@ANYBLOB="070000000400000008000000d9"], 0x50) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000680)={0x11, 0x8, &(0x7f00000008c0)=ANY=[@ANYBLOB="1800000000000000000000000000000018120000", @ANYRES32=r0, @ANYBLOB="0000000000000000b70300000088b000850000001b000000b70000000000000095"], &(0x7f0000000780)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000001c0)={&(0x7f0000000040)='kfree\x00', r1}, 0x18) r2 = socket$inet_udp(0x2, 0x2, 0x0) mremap(&(0x7f0000000000/0x9000)=nil, 0x600600, 0x200000, 0x3, &(0x7f0000a00000/0x600000)=nil) setsockopt$inet_MCAST_MSFILTER(r2, 0x0, 0x30, 0x0, 0x310) 333.502588ms ago: executing program 0 (id=3): r0 = socket$inet6(0xa, 0x3, 0x5) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x20, &(0x7f00000000c0)={@rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0x800, 0x0, 0x3, 0x9}, 0x20) setsockopt$inet6_int(r0, 0x29, 0x1000000000021, &(0x7f0000000000)=0xffffffc3, 0x4) sendmsg$can_bcm(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, 0x0}, 0x0) sendmmsg(r0, &(0x7f0000001500)=[{{&(0x7f0000000040)=@l2tp6={0xa, 0x0, 0x7080000, @ipv4={'\x00', '\xff\xff', @rand_addr=0x64010102}, 0x4, 0x1}, 0x80, 0x0, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="28000000000000002900000002"], 0x28}}], 0x1, 0x0) 173.324369ms ago: executing program 1 (id=4): setsockopt$inet6_int(0xffffffffffffffff, 0x29, 0x11, 0x0, 0x0) r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x11, 0x13, &(0x7f0000000080)=ANY=[@ANYBLOB="18080000000001000000000000000000851000000600000018000000", @ANYRES32, @ANYBLOB="00000000000100006608000000000000180000000000000000000000000000009500000000000000360a020000000000180100002020782500000000002020207b1af8ff000000"], &(0x7f0000000000)='GPL\x00', 0xa, 0x0, 0x0, 0x0, 0x8}, 0x94) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x11, 0xc, &(0x7f0000000180)=ANY=[@ANYBLOB="18000000ed07449e000000000000000018010000", @ANYRES32, @ANYBLOB="0000000000000008b70800000000396f7b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000002400000095"], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x2c, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000003c0)={&(0x7f0000000080)='kfree\x00', r1, 0x0, 0x8}, 0x18) r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x40, 0x0) ioctl$TIOCMIWAIT(r2, 0x5453, 0x0) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000300)={&(0x7f0000000a80)='kfree\x00', r0, 0x0, 0xfffffffffffffffd}, 0x18) r3 = syz_io_uring_setup(0x4b5, &(0x7f0000010400)={0x0, 0x86e1, 0x1, 0x8, 0xa0}, &(0x7f0000010080), &(0x7f0000000000)) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0) r4 = socket$kcm(0x29, 0x2, 0x0) sendmmsg$inet(r4, &(0x7f0000000780)=[{{0x0, 0x0, &(0x7f0000000b00)=[{&(0x7f0000000080)="da", 0x1}], 0x1, &(0x7f0000000040)=ANY=[], 0xd0}}, {{0x0, 0x0, &(0x7f0000000280)}}], 0x2, 0x0) close(r4) io_uring_register$IORING_REGISTER_BUFFERS(r3, 0x0, &(0x7f0000000140)=[{0x0}, {0x0}], 0x2) bind$netlink(0xffffffffffffffff, &(0x7f0000514ff4), 0xc) io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r3, 0x10, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000540)=[{0x0}, {&(0x7f0000000340), 0xa002a0}], &(0x7f00000005c0), 0x2}, 0x20) 103.888327ms ago: executing program 0 (id=5): mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0) setsockopt$inet6_buf(0xffffffffffffffff, 0x29, 0x6, 0x0, 0x3a) socket$key(0xf, 0x3, 0x2) socket$nl_route(0x10, 0x3, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) sched_setaffinity(0x0, 0x0, 0x0) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000100)=0x5) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000001480)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f00000004c0)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r3 = bpf$PROG_LOAD(0x5, &(0x7f0000000400)={0x11, 0xb, &(0x7f0000000180)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020148100000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000000000000b70300000000000085000000"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x2f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) sched_setaffinity(0x0, 0x0, 0x0) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000300)={&(0x7f0000000000)='sched_switch\x00', r3}, 0x18) syz_clone(0x41200111, 0x0, 0x0, 0x0, 0x0, 0x0) bpf$MAP_CREATE(0x0, &(0x7f0000000240)=ANY=[@ANYBLOB="09000000000100"/20, @ANYRES32, @ANYBLOB="00000000000000000000000000000000000000007f571cd56360b8bfdd09387e8dab83c4dc45a702bd3886a4bcdde08e48727e569eb18df1fc0968bf36f606f13a22a354844ea57a6e63c4a42934ee589f5d818794e8faa7a62d928bcd4e", @ANYRES32=0x0, @ANYRES32, @ANYBLOB='\x00'/28], 0x48) openat$dir(0xffffffffffffff9c, &(0x7f0000000200)='./file0\x00', 0x90000, 0x8) capset(&(0x7f0000000380)={0x20080522}, &(0x7f0000000040)={0x200000, 0x3, 0x2, 0x6, 0x7, 0x4}) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x14, &(0x7f0000000340)=ANY=[@ANYBLOB, @ANYRES32, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000083000000bf090000000000005509010000000000950000000000000018120000"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}, 0x94) r4 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x3, &(0x7f0000000a80)=ANY=[@ANYBLOB="1800000000000000000000200000000095000000000000001fbed69609d2aef25ad9e70cda281ab4628bdfe0551753782ad9f5d3dff8f6799bde154a2b2d30363a5ea6315080521393dbf72897bc4135cad8cae4741294564c6288a9fedf1f34d1b811b72a3e0a801aae3e0c3761e6211775f2014b4a597db1edfda0c09a12f9993662915483f8c87a7e890da6dc03cf05aa7994aec58a7c378cb2436ee91f6d3b4ac88e0ca1245f5016dd08ce2137b660d9f35b37209341773b75aeee41e87e0a4effd06c459676ae657e2b8e875757edd5895f9c76e6c1872d00a0df2bdf1af2fb7a1a1585b699c555274b09a35ca60e583aa76461e89335d8def8d87f8a4d41be88735ff4c7053151911a829c6eaa7ae119a0d6d0978a8aa6c4b7c23195ca54794bfed9acc4dce1650d778a4a2f3d9d91d7f8bd17db22483f844d471e6cb29177e6f5ac977ae88237351c17f2465c4ca3e080b00b9e597da236386d2000266d4bed6fd67ccd2b34320eb4ca31815937dac420f035c0e3d389feeefb912789063cc326415eb494d4b18988342498f9dd693dcac917c1e57a415eb9d0360033954d23ef7f14ae6afa7700aec9a866abb0446a0f552ee0663028adf8d3ea75155d680fe7706ee519cd66dcf3ef3258568fcd"], &(0x7f0000000180)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000040)='sched_switch\x00', r4}, 0x10) r5 = bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000380)=ANY=[@ANYBLOB="0300000004000000040000000a"], 0x48) r6 = bpf$PROG_LOAD(0x5, &(0x7f00000009c0)={0x3, 0x8, &(0x7f0000000940)=ANY=[@ANYBLOB="1809000000000000000000000000000018120000", @ANYRES32=r5, @ANYBLOB="0000000000000000b703000000000000850000000c000000b70000000100000095"], &(0x7f00000003c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f00000005c0)={{r5}, &(0x7f0000000540), &(0x7f0000000580)=r6}, 0x20) 0s ago: executing program 1 (id=6): r0 = bpf$MAP_CREATE(0x0, &(0x7f0000003940)=ANY=[@ANYBLOB="210000000000000000000000000010000004"], 0x48) mmap(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x200000a, 0x13, r0, 0x0) r1 = gettid() process_vm_writev(r1, &(0x7f0000000000)=[{&(0x7f00008f9f09)=""/247, 0x7ffff000}], 0x1, &(0x7f0000121000)=[{&(0x7f0000217f28)=""/231, 0xffffff4e}], 0x23a, 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000280)=ANY=[@ANYBLOB="07000000040000000800000001"], 0x48) r3 = bpf$PROG_LOAD(0x5, &(0x7f0000000680)={0x11, 0x8, &(0x7f0000000740)=ANY=[@ANYBLOB="1800000000000000000000000000000018120000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000000030000850000001b000000b70000000000000095"], &(0x7f0000000780)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, @fallback=0x36, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000100)={&(0x7f0000000080)='sched_switch\x00', r3, 0x0, 0x3}, 0x18) bpf$MAP_CREATE_CONST_STR(0x0, 0x0, 0xd) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:25636' (ED25519) to the list of known hosts. syzkaller login: [ 73.757714][ T3310] cgroup: Unknown subsys name 'net' [ 74.029681][ T3310] cgroup: Unknown subsys name 'cpuset' [ 74.055280][ T3310] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 74.405082][ T3310] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 83.622729][ T3315] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 83.637788][ T3315] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 83.856074][ T3316] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 83.874146][ T3316] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 84.598353][ T3315] hsr_slave_0: entered promiscuous mode [ 84.604503][ T3315] hsr_slave_1: entered promiscuous mode [ 84.826173][ T3316] hsr_slave_0: entered promiscuous mode [ 84.831365][ T3316] hsr_slave_1: entered promiscuous mode [ 84.834014][ T3316] debugfs: 'hsr0' already exists in 'hsr' [ 84.835926][ T3316] Cannot create hsr debugfs directory [ 85.556872][ T3315] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 85.599907][ T3315] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 85.627568][ T3315] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 85.669820][ T3315] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 85.814862][ T3316] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 85.834886][ T3316] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 85.864527][ T3316] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 85.890147][ T3316] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 86.510109][ T3315] 8021q: adding VLAN 0 to HW filter on device bond0 [ 86.732625][ T3316] 8021q: adding VLAN 0 to HW filter on device bond0 [ 89.120702][ T3315] veth0_vlan: entered promiscuous mode [ 89.166628][ T3315] veth1_vlan: entered promiscuous mode [ 89.337611][ T3315] veth0_macvtap: entered promiscuous mode [ 89.365302][ T3315] veth1_macvtap: entered promiscuous mode [ 89.500699][ T12] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 89.503420][ T12] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 89.504713][ T12] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 89.506209][ T12] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 89.652605][ T3316] veth0_vlan: entered promiscuous mode [ 89.738417][ T3316] veth1_vlan: entered promiscuous mode [ 89.847185][ T3316] veth0_macvtap: entered promiscuous mode [ 89.876910][ T3316] veth1_macvtap: entered promiscuous mode [ 90.018297][ T3315] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 90.067941][ T113] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.073530][ T113] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.073960][ T113] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 90.074095][ T113] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 91.816381][ T3475] ================================================================== [ 91.819052][ T3475] BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc [ 91.820458][ T3475] Write at addr f6f00000063c7620 by task syz.1.6/3475 [ 91.820785][ T3475] Pointer tag: [f6], memory tag: [fe] [ 91.820831][ T3475] [ 91.821329][ T3475] CPU: 1 UID: 0 PID: 3475 Comm: syz.1.6 Not tainted syzkaller #0 PREEMPT [ 91.821537][ T3475] Hardware name: linux,dummy-virt (DT) [ 91.821713][ T3475] Call trace: [ 91.821929][ T3475] show_stack+0x18/0x24 (C) [ 91.822150][ T3475] dump_stack_lvl+0x78/0x90 [ 91.822280][ T3475] print_report+0x108/0x61c [ 91.822311][ T3475] kasan_report+0x88/0xac [ 91.822334][ T3475] __do_kernel_fault+0x170/0x1c8 [ 91.822360][ T3475] do_bad_area+0x68/0x78 [ 91.822386][ T3475] do_tag_check_fault+0x34/0x44 [ 91.822432][ T3475] do_mem_abort+0x44/0x94 [ 91.822457][ T3475] el1_abort+0x44/0x68 [ 91.822482][ T3475] el1h_64_sync_handler+0x50/0xac [ 91.822508][ T3475] el1h_64_sync+0x6c/0x70 [ 91.822592][ T3475] defer_free+0x3c/0xbc (P) [ 91.822620][ T3475] kfree_nolock+0x1a0/0x1d4 [ 91.822644][ T3475] range_tree_clear+0x24c/0x6a8 [ 91.822670][ T3475] arena_vm_fault+0xf0/0x1a8 [ 91.822694][ T3475] __do_fault+0x3c/0x234 [ 91.822721][ T3475] do_fault+0xb8/0x680 [ 91.822746][ T3475] __handle_mm_fault+0x440/0xc2c [ 91.822769][ T3475] handle_mm_fault+0x15c/0x30c [ 91.822791][ T3475] __get_user_pages+0x1e0/0xcb4 [ 91.822816][ T3475] __gup_longterm_locked+0x35c/0x724 [ 91.822840][ T3475] pin_user_pages_remote+0x80/0xa8 [ 91.822865][ T3475] process_vm_rw_core.constprop.0+0x190/0x3f0 [ 91.822890][ T3475] process_vm_rw+0x140/0x164 [ 91.822913][ T3475] __arm64_sys_process_vm_writev+0x28/0x34 [ 91.822938][ T3475] invoke_syscall+0x48/0x110 [ 91.822969][ T3475] el0_svc_common.constprop.0+0x40/0xe0 [ 91.822996][ T3475] do_el0_svc+0x1c/0x28 [ 91.823021][ T3475] el0_svc+0x34/0x128 [ 91.823047][ T3475] el0t_64_sync_handler+0xa0/0xe4 [ 91.823072][ T3475] el0t_64_sync+0x1a4/0x1a8 [ 91.823209][ T3475] [ 91.823244][ T3475] Allocated by task 3475: [ 91.823360][ T3475] kasan_save_stack+0x3c/0x64 [ 91.823505][ T3475] save_stack_info+0x40/0x158 [ 91.823524][ T3475] kasan_save_alloc_info+0x14/0x20 [ 91.823542][ T3475] __kasan_kmalloc+0xb4/0xb8 [ 91.823558][ T3475] kmalloc_nolock_noprof+0x1dc/0x4fc [ 91.823578][ T3475] range_tree_clear+0x3a4/0x6a8 [ 91.823598][ T3475] arena_vm_fault+0xf0/0x1a8 [ 91.823616][ T3475] __do_fault+0x3c/0x234 [ 91.823636][ T3475] do_fault+0xb8/0x680 [ 91.823655][ T3475] __handle_mm_fault+0x440/0xc2c [ 91.823672][ T3475] handle_mm_fault+0x15c/0x30c [ 91.823689][ T3475] __get_user_pages+0x1e0/0xcb4 [ 91.823708][ T3475] __gup_longterm_locked+0x35c/0x724 [ 91.823727][ T3475] pin_user_pages_remote+0x80/0xa8 [ 91.823746][ T3475] process_vm_rw_core.constprop.0+0x190/0x3f0 [ 91.823777][ T3475] process_vm_rw+0x140/0x164 [ 91.823840][ T3475] __arm64_sys_process_vm_writev+0x28/0x34 [ 91.823879][ T3475] invoke_syscall+0x48/0x110 [ 91.823907][ T3475] el0_svc_common.constprop.0+0x40/0xe0 [ 91.823928][ T3475] do_el0_svc+0x1c/0x28 [ 91.823947][ T3475] el0_svc+0x34/0x128 [ 91.823972][ T3475] el0t_64_sync_handler+0xa0/0xe4 [ 91.823992][ T3475] el0t_64_sync+0x1a4/0x1a8 [ 91.824039][ T3475] [ 91.824064][ T3475] Freed by task 3475: [ 91.824090][ T3475] kasan_save_stack+0x3c/0x64 [ 91.824108][ T3475] save_stack_info+0x40/0x158 [ 91.824125][ T3475] kasan_save_free_info+0x18/0x24 [ 91.824142][ T3475] __kasan_slab_free+0x7c/0x8c [ 91.824159][ T3475] kfree_nolock+0xcc/0x1d4 [ 91.824177][ T3475] range_tree_clear+0x24c/0x6a8 [ 91.824195][ T3475] arena_vm_fault+0xf0/0x1a8 [ 91.824212][ T3475] __do_fault+0x3c/0x234 [ 91.824234][ T3475] do_fault+0xb8/0x680 [ 91.824253][ T3475] __handle_mm_fault+0x440/0xc2c [ 91.824270][ T3475] handle_mm_fault+0x15c/0x30c [ 91.824286][ T3475] __get_user_pages+0x1e0/0xcb4 [ 91.824304][ T3475] __gup_longterm_locked+0x35c/0x724 [ 91.824323][ T3475] pin_user_pages_remote+0x80/0xa8 [ 91.824341][ T3475] process_vm_rw_core.constprop.0+0x190/0x3f0 [ 91.824359][ T3475] process_vm_rw+0x140/0x164 [ 91.824377][ T3475] __arm64_sys_process_vm_writev+0x28/0x34 [ 91.824396][ T3475] invoke_syscall+0x48/0x110 [ 91.824417][ T3475] el0_svc_common.constprop.0+0x40/0xe0 [ 91.824437][ T3475] do_el0_svc+0x1c/0x28 [ 91.824456][ T3475] el0_svc+0x34/0x128 [ 91.824474][ T3475] el0t_64_sync_handler+0xa0/0xe4 [ 91.824492][ T3475] el0t_64_sync+0x1a4/0x1a8 [ 91.824514][ T3475] [ 91.824535][ T3475] The buggy address belongs to the object at fff00000063c7600 [ 91.824535][ T3475] which belongs to the cache kmalloc-64 of size 64 [ 91.824594][ T3475] The buggy address is located 32 bytes inside of [ 91.824594][ T3475] 64-byte region [fff00000063c7600, fff00000063c7640) [ 91.824617][ T3475] [ 91.824769][ T3475] The buggy address belongs to the physical page: [ 91.825069][ T3475] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x463c7 [ 91.825344][ T3475] flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0) [ 91.825612][ T3475] page_type: f5(slab) [ 91.826044][ T3475] raw: 01ffc00000000000 f3f0000003001600 dead000000000122 0000000000000000 [ 91.826082][ T3475] raw: 0000000000000000 0000000000400040 00000000f5000000 0000000000000000 [ 91.826151][ T3475] page dumped because: kasan: bad access detected [ 91.826173][ T3475] [ 91.826191][ T3475] Memory state around the buggy address: [ 91.826374][ T3475] fff00000063c7400: f0 f0 f0 fe f5 f5 f5 f5 f0 f0 f0 f0 f0 f0 f0 fe [ 91.826428][ T3475] fff00000063c7500: f4 f4 f4 fe f4 f4 f4 f4 fa fa fa fe f6 f6 f6 f6 [ 91.826461][ T3475] >fff00000063c7600: fe fe fe fe fc fc fc fc fb fb fb fe f9 f9 f9 fe [ 91.826494][ T3475] ^ [ 91.826580][ T3475] fff00000063c7700: f9 f9 f9 fe f1 f1 f1 f1 f2 f2 f2 fe f3 f3 f3 f3 [ 91.826597][ T3475] fff00000063c7800: f0 f0 f0 f0 fd fd fd fd f4 f4 f4 f4 fd fd fd fd [ 91.826640][ T3475] ================================================================== [ 91.827337][ T3475] Disabling lock debugging due to kernel taint SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 92.958379][ T12] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 93.032376][ T12] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 93.101281][ T12] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 93.176144][ T12] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 93.547368][ T12] netdevsim netdevsim1 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 93.615566][ T12] netdevsim netdevsim1 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 93.695470][ T12] netdevsim netdevsim1 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 93.784521][ T12] netdevsim netdevsim1 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 94.443021][ T12] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 94.501471][ T12] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 94.543284][ T12] bond0 (unregistering): Released all slaves [ 94.646870][ T12] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 94.695886][ T12] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 94.743305][ T12] bond0 (unregistering): Released all slaves [ 94.836221][ T12] hsr_slave_0: left promiscuous mode [ 94.846132][ T12] hsr_slave_1: left promiscuous mode [ 94.865537][ T12] hsr_slave_0: left promiscuous mode [ 94.868330][ T12] hsr_slave_1: left promiscuous mode [ 94.894110][ T12] veth1_macvtap: left promiscuous mode [ 94.894613][ T12] veth0_macvtap: left promiscuous mode [ 94.895074][ T12] veth1_vlan: left promiscuous mode [ 94.895533][ T12] veth0_vlan: left promiscuous mode [ 94.904098][ T12] veth1_macvtap: left promiscuous mode [ 94.904394][ T12] veth0_macvtap: left promiscuous mode [ 94.904719][ T12] veth1_vlan: left promiscuous mode [ 94.904959][ T12] veth0_vlan: left promiscuous mode VM DIAGNOSIS: 01:26:38 Registers: info registers vcpu 0 CPU#0 PC=ffff8000803b1b5c X00=0000000000000004 X01=ffffffffffffffff X02=0000000000000000 X03=0000000000000000 X04=ffff800082d193b8 X05=ffff800089babd70 X06=ffff8000816b36c0 X07=f2f0000004e949b8 X08=f0f0000005af1018 X09=98cd971f4b32f7db X10=3c7cafd373fd5e22 X11=00000000000000c0 X12=0000000000000002 X13=0000000000000001 X14=000000000000033c X15=ffff8000831eba00 X16=0000000000000000 X17=0000000000000000 X18=00000000ffffffff X19=0000000000000041 X20=0000000000000000 X21=f8f0000008d68980 X22=0000000000000000 X23=0000000000000001 X24=00000000000027ff X25=f6f000000606ec00 X26=f6f000000606ec00 X27=0000000000000018 X28=ffff800089c2ba3c X29=ffff800089c2b910 X30=ffff80008189a8cc SP=ffff800089c2b980 PSTATE=61402009 -ZC- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000 P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000 P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000 P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000 FFR=0000000000000000 Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000008300000085:00000000000003b7 Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0001095500000000:000009bf00000083 Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000121800000000:0000009500000000 Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:8ee0ddbca48638bd:02a745dcc483ab8d Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:f106f636bf6809fc:f18db19e567e7248 Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffd8735d10:0000ffffd8735d10 Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffd8735ce0 Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff800080111e9c X00=00000014105d5b89 X01=0000000000000076 X02=0000000000000000 X03=000000141011d800 X04=0000000000001356 X05=0000000000291316 X06=00000000000012e0 X07=fff000007f8f0b80 X08=fff000007f8f17c0 X09=0000000000000000 X10=0000000000000004 X11=0000000000000000 X12=0000000000000000 X13=00000a3d9834a756 X14=0000000000000002 X15=0000000000000000 X16=ffff800082df0000 X17=fff07ffffcf0d000 X18=0000000000000001 X19=fff000007f8f0b80 X20=f1f000000477d280 X21=ffff800082a045b0 X22=0000000000000001 X23=ffff80008a703490 X24=0000001557738df3 X25=00000000000000c0 X26=0000000000000001 X27=ffff80008018a4d0 X28=0000000000000000 X29=ffff800082df3dd0 X30=5bcf8000800f4428 SP=ffff800082df3dd0 PSTATE=204020c9 --C- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000 P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000 P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000 P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000 FFR=0000000000000000 Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000002007000000:0000002007000000 Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000020 Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000028:0000000000000220 Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:6edc4d3a2914b135:d8e9c869e2695c88 Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:b20fae707afde253:388e9c6c4fa85ca0 Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffd8735d10:0000ffffd8735d10 Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffd8735ce0 Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000