last executing test programs:

7.469221394s ago: executing program 5 (id=206):
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000680)=ANY=[@ANYBLOB="1b00000000000000000000000080"], 0x48)
r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x7, &(0x7f0000000540)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b702000003000010850000008600000095"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x30, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000300)={&(0x7f00000002c0)='percpu_alloc_percpu\x00', r1, 0x0, 0x9}, 0x18)
syz_io_uring_setup(0x49a, &(0x7f00000000c0)={0x0, 0x79af, 0x4000, 0x8000, 0x40024e}, 0x0, 0x0)

6.614087892s ago: executing program 5 (id=211):
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000001fc0)=ANY=[@ANYBLOB="19000000040000000800000008"], 0x48)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
r3 = dup(r2)
r4 = bpf$MAP_CREATE(0x0, &(0x7f00000008c0)=ANY=[@ANYBLOB="0700000004000000000100000100000028"], 0x50)
r5 = bpf$PROG_LOAD(0x5, &(0x7f0000000680)={0x11, 0x8, &(0x7f0000000080)=ANY=[@ANYBLOB="18000000bb00551a000000000000000018120000", @ANYRES32=r4, @ANYBLOB="0000000000000000b703000000000000850000001b000000b70000000000000095"], &(0x7f0000000780)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, @fallback=0x2d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000080)='kfree\x00', r5, 0x0, 0x7}, 0x18)
sendmsg$IPSET_CMD_CREATE(r3, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000004c0)=ANY=[@ANYBLOB="640000000206030000000000fffff0000000000016000300686173683a6e65742c706f72742c6e6574000000050004000000000005000500020000000900020073797a3200000000050001000700000014000780080013400000000008001240"], 0x64}}, 0x0)
sendmsg$IPSET_CMD_DESTROY(r2, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000240)={0x1c, 0x3, 0x6, 0x5, 0x0, 0x0, {0x2, 0x0, 0xa}, [@IPSET_ATTR_PROTOCOL={0x5}]}, 0x1c}, 0x1, 0x0, 0x0, 0x40841}, 0x4)
r6 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="180000000000000000000000000001b518110000", @ANYRES32=r1, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000100000095"], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback=0x22, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000040)={{r1}, &(0x7f0000000000), &(0x7f00000005c0)=r6}, 0x20)
r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000180)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x25, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000300)='sys_enter\x00', r7}, 0x10)
timer_create(0xfffffffffffffffc, 0x0, &(0x7f0000000040)=<r8=>0x0)
timer_gettime(r8, &(0x7f0000000340))
r9 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001880), 0xffffffffffffffff)
mkdirat(0xffffffffffffff9c, &(0x7f0000000540)='./file7\x00', 0x1c0)
prctl$PR_SET_NAME(0xf, &(0x7f0000000140)='+}[@\x00')
r10 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r10, 0x0, 0x0)
listen(r10, 0x0)
r11 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(r11, &(0x7f0000000400)={0x0, 0x0, &(0x7f00000003c0)={&(0x7f0000000140)=ANY=[@ANYBLOB="d800000026000186"], 0xd8}, 0x1, 0x0, 0x0, 0x4004041}, 0x20004440)
syz_emit_ethernet(0x36, &(0x7f00000010c0)={@local, @link_local, @void, {@ipv4={0x800, @tcp={{0x5, 0x4, 0x0, 0x0, 0x28, 0x5, 0x0, 0x0, 0x6, 0x0, @rand_addr=0x64010100, @local}, {{0x0, 0x4e22, 0x41424344, 0x41424344, 0x0, 0x6, 0x5, 0xc2}}}}}}, 0x0)
r12 = bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x11, 0x8, &(0x7f00000009c0)=ANY=[@ANYBLOB="620af8ffa1dc0021bfa100000000000007010000f8ffffffb702000007000000bd120000000000008500000010000000b70000000000000095000000000000003faf4f2aa3d9b18ed812a2e2c49e8020a6f4e0e4a9446c7670568982b4e020f698393aa0f3881f9c24561f1b2607995daa56f151905ea23c22624c9f87f9793f3bbb546040677b0c5077da80fb982c1e9400e693146cea484a415b76966118b64b751a0f241b072e90080008002d75593a286cecc93e64c227c95aa0b784625704f07372c29184ff7f4a7c0000070000006056feb4cc664c0af9360a1f7a5e6b607130c89f18c0c1089d8b8588d72ec29c48b45e0000000000000401d01aa27ae8b09e00e79ab20b0b8ed8fb7a68000000000000000000006fa03c6468978089b302d7ff6023cdcedb5e0125ebbcebdde510cb2364149215108337719acd97cfa107d40224edc5465a932b77a74e802a0dc6bf25d8a242bc6099ad2300000480006ef6c1ff0900ff0000000010c63a949e8b7955394ffaff03000000000000ab87b1bfeda7be586602d985430cea080000000000000026abfb0767192361448279b05d96a703a660581eecdbf5bcd3de227a167ca17a0faf60fd6ad9b97aa5fa68480366c9c6fd6fa5043aa3926b81e3b59c9b081d6a08000000ea2b1a52496dfcaf99431412fd134a996382a1a04d5bb924cfe5f3185418d605ffff9c4d2ec7c32f2095e63c80af740b5b7632d5933a1c1fa5605bd7603f2ba2a790d62d6faec2fed44da4928b30142ba1fde5c5d50b83bae616b5054d1e7c13b1355d6f4a8245ffa4997da9c77af4c0cb97fca585ec6bf58351d578be00d952aab9c71764b0a8a7583c90b3433b809bdb9fbd48bc877505ebf6c9d13330ca006bce1a84521f14518c9b476fccbd6c712016219848624b87cec2dbe98223d8d9e86c5ea06d108d8f80a0eb4fa39f6b5c02e6d6d90756ff578f57000000009700cf0b4b8bc229413300000000000000000003000000000000000000000000001000000000559711e6e8fcffffffffffffffb2d02edc3e01dd271c896249ed85b980680b09000000000f0000169cdcacc413b48dafb7a2c8cb482bac0ac502d9ba96ffffffd897ef3b7cda42f93d53046da21b40216e14ba2d6af8656b01e17addaedab25b30002abbba7fa725f38400be7c1f001b2cd3170400000085be9e48dccf1f9f3282830689da6b53b263339863297771d74732d400003341bf4a00fc9fec2271ff01589646efd1cf870cd7bb2366fde4a594290c405ff870ce5dfd3467decb05cfd9fcb32c8ed1dbd9d30a64c108285e71b5565b1768ee58969c41595229df17bcad70fb4021428ce970275d13b78249788f11f761038b75d4fe32b561d46ea3abe0fa4d30dc94ef241875f3b4b6ab7929a57affe760e717a04becff0f719197724f4fce1093b62d7e8c7123d890cec55bf404e4e1f74b7eed82571be54c72d978cf906df08f11f1c4042e36acd37d7f9e109f2c06f815312e0cfe222a06f56dd022c074eb8a322fb0bf47c0a8d154b405c37feaf3dd95f6ef2acd1fe582786105c70600000000000000b7561301bb997316dbf17866fb84d4173731efe895ff2e1c5560926e90109b598502d3e959efc71f665c542c9062ece84c99a061887a20639b41c8c12ee86c50804042b3eac1f871b136345cf67ca3fb5aac518a75f9e7d7101da841735e186c489b3a06fb99e0347f23a054de2f4d92d6bd72ee2c9f0390a6f01e3e483b4ad05573af403269b4a39ce40293947d9a631bcbf3583784acbda216550d7aec6b79e30cbd128f91e358c3b377327ac9ecc34f24c9ae153ec60ac0694da85bff9f5f4df90400000000000000d6b2c5eaff07000000000000b99c9cc0ad1857216f000000009191ae954febb3df464bfe0f7f3ee9afe7befb89d2777399f5874c553aeb3729cffe86e669261192899d4562db0e22d564ae09bb6d163118e401e024fd452277c3887d6116c6cc9d8046c216c1f895778cb26e22a2a798de44aeadea2a40da8daccf080842a486721737390cbf3a74cb2003016f1514216bdf57d2a40d40b51ab63e96ec8485b3b8a8c9ae3d14f93100c2e0893862eef552fcde2981f48c482bde8a168c3f5db2fea6f26e4a4304e50c349f4f9ecee27defc93871c5f99a3594191e104d417e60fc3541a2c905a1a95e9571bf38ae1981c4238ecaee6f75cd0a6881bd1517a8250df98674152f94e32409e2a3bce109b6000000000000a1fec9000000d694210d7560eb92d6a97a27602b81f76386f1535bef1497f92186086e29c6bc5a1fad6ec9a31137ab79a404abde7750898b59270b939b81367ac91bd627e87306703be8672d70d1ab57075228a9f46ed9bd1f00fb8191bbab2dc591dda61f0868afc4294859323e7a45319f18101288a0268893373750d1a8fe64680b0a3fc22dd704e4214de5946912d6c98cd1a9fbe1e7d58c08acaf30065b928a31d2eca55f74a23641f61f2d5b308cf01cfaed9ef0ce21d69993e9960ff5f76015e6009756237badf4e7965bbe2777e808fcba821a00e8c5c39609ff854356cb490000000000c1fee30a3f7a85d1b29e58c77685efc0ceb1c8e5729c66018d169fc03aa188546bb2e51935ab9067ec3ad2a182068e1e3a0e2505bc7f41019645466ac96e0d0b3bc19faa5449209b085f3c334b47f067bbab40743b2a428f1da1f626602111b40e761fd21081920382f14d12ca3c471c7868e7da7eaa69eb7f7f80572fdd11bb1d070080fbc22bf73468788df51710eb0b428ee751c47d8e894f745a868404a0bf35f0121008b722b1eaa6aedfa1bf2e7ccb2d61d5d76331ff5e20fa26b8471d9e1cc9eb3d541e407cc2dae5e690cd628ab84875f2c50ba830d3f474b079b407000000deff000040430a537a395dc73bda367bf12cb7d81691a5fe8c47be395656a297e9df902aeec50e71b967ce7daac4be290159f6bcd75f0dda9de5532e66ae9e48b0ed1254a81faae79b6af6fbb869604d51de44c4e0973171ad47d6c00ebc7603093f000000fdec743af930cd6db49a47613808bad959719c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f15d6533f78a1f4e2df4ca23d867693fd42de9b49a1b36d48a44ba6a4530e59bec53e876dc660dd6d89f80a4377b1b1292a893a516dab183ee65744fb8fc4f9ce2242e0f000000000100000000d77480e0345effff6413258d1f6eb190aa28cbb4bafe3436b176c7ed4b132fb805d5edd9d188daf28d89c014c3ecca10ae55704544673e1fb03b84f63e022fe755f4007a4a899eaf52c4f491f1e97c862e29e4570600000091c691faee1e0c8fe056a07474e6e5490a7d3c3402000000b60600d837c6befc63ddf2f594ad7cbc56a1e44d218c956a5392a995f1fae8e9f206efbb33854dc70104d74dc07748f9745cb796da2dfb714a0500000000000000faed94fc39acfb3fd25dfa8116a154cd1226e1bb72b59fed817072a0da60160761fd3dffda0f7c592eabd8ab68334d2a1693cb187539049e331272bf5135044df8161400211b8012b6eb1ed5656e83f65509bb4b323c5bd61bff949d3bade2f6ffda1360c2786e16937ab61d6dcafed319c7167d0885f9c6d1f442954c167dd9b4acd9468ce3674c82bbb2e31389179b025dbe063b7f906217b2cf8410c7023aa3e5cc3ba1000000000000000000000000000000006ae6301a2da44394275c582a6516bb92ea1980a0a659f2f1811c8b281c209647c4241f292b20508b215dde27bb2487a6e2b5e4a8ccfab90c23827ef06cbe364073005f8a6d1456aaeb85ffb7858f24eced67a67ab825e863928ed64c83f62ffdaa997657335b63c6b4163aff094059e626766845fd779c9e6cdbbd64c2499ce3ffe2fef03f7cdd0d90f3a7579579a142c0f7b318264d5c13c31cf475829528267ead38523cab7e1664e8426cfce471fef821c8a02a7e7d954d05b68a9c28f79429b09e2bb3681ae2b831e27c735123361c193d66ed4d71f19b199d371ec6bfada7cd370e3fdd3cd980fa1e145fd3f3e96b1feb53c865e1ada08f5d16ed652ee0c7f45352222692fbd679212c225d097aa90f7e1fb1f983415f43e75a19ecf7fd21bfa150ef563aa72ba3c43c5f3d9be128ec26b691f31f9cab931631606a81622f120675c962be2d3b5e95f74f0b209e42e6bdd76e6e725295b1d78d928f6f63e4581d5cc41cbde2ba66adc1168070c8c6e18a6a234f5f9311ef0f78924b68dbb4712efdb6974667bdb54f16fd2061b9ba93638dd177227e94e4ebd0ec1d437db948062bf41742000000000000000000305f70dd02fa0c61d5fe6d8ff35389246037e18d34c1375ae04f44f0c2543c772c5ccb137be7dc1874c514b37c668554d77d4ea5ed144a648257f4a0301067bbcd9b91072659d872f26b796e2b81025edb5f45f785e2c2602b248ecdd80f019ca659be7e8ae953325a27564f33c9d458a60be3dab38baab7eb1a66ab1ffd6308f7fd51beb356fe75eb985b7581bb5584c53984ba9c3340f97e8d3825681c53de5f554e595b00000000000000006a8fa9f05d64c4be42f981f00051a39938613067dbd1427e01bfec016e51844cefa8a855bf23ac887b4a88eed6d9443857242f28e31a41d20105fbf3394ff910e734b4d9101265ff729c426e01c1ab13dda8c388b909006f19eecb87e39175e85e17000000000000000000009431807e43886903526074e6b40244c938a4c68a38c25ddd7c143b3f1400010000ec66815cf8d1f56aa1424bc9b5d58790298e5b310969e50c222563b54e60854e1b0100448aca8c5ccbf5546ce4c3cd5a733fec25fb94e1e0f966bcbd28a4d8fe4f556eaa1104a793006619700798354c6ae05025040965e3083562bfa20968c04007d21dc02c9fd1f75e1ff40f439bdde4e784012e52049b483d02f81b88f5f57816b3fecec79cfca8d37203e769759d6b6a56b7605ced8ee18475a77ff0963a565fb6021d216c01b1098e40550a1cfd80e918d685a7b099a4f8ed654cd76ca61fe5ad8a31ec558fdbfa706d5e738bceae81fe777c307d5bc72183a4c2d35732ab916a781b9912160a3fd2a2e74dd690c57bdfdc1f069f949170ef8cb9c13c12138116bca7a8c59363799be7005c51bc25a8bbe2cf5ddf6aa161693782b0e7feb8a768f391b49d4c978c96dbb52f21c122eba9f17c8bed10591958cf06321a248b5f76ceedfe0d080d6aeadc11b237b3326dd04b86ac37c0d131544888db9e128d059761ad9a393e96c3b41c13c5a381bff187a75de560ba6eb3faa5ff8d2bb3c88f8de5efc2fb2200cfda6d07ceae22577064334fbf76a23e62e6059211d995b879f6b7d3f7fcf03652b81e6b7cdeff947ad185d3c6269ca247b429c3b872a8f1ef60407d29a874f4ec31c9effed55543a65a6b4d778cebcd43b7905f3960140bd783540a7353014bda8e9c7a34a5f428fd1f8eb11e837dd9d586487fdebcb1ecd3a003ff0fda4be617fecf1ff0ef2c74664d60a4b9423f3297bc8eb91b4ee1d73272abbef3e7a828a7d7ab055a8eb58fe379de85338304e26e3620941b463e9049fd105c74c91cc4d71b0f76e2c2e4825106aa7ce2a3adbbc7a0443ece58e752b47e6f677eff7c5c568a89d6e36b165c39132a0f27080ece2a94c320b002c77f82662675a7713c7067081cac15994698c41ff4754268ae1676384ff799783f55d7e5a1a0920300000000000000d98440c355927629f2bcf9dc405a18ca0264400abf38e90000000000000000008faf2cddffbfa69bf32eb718e88ec75603ed7c7a8825ce0f27a114bd7a4ab74d0c7b8d90ccc1c3ca6620def782e24d75aed70eb676437f62677a69e0994cd82d72e95493c830fe9515329f40b7025326dec33a527c5d999298eaa3690fd0d38a02fc6e0bc16dbe19f353027edc014411e1138087221492f5d5e5cc9d0a1acd3f581eda9a807aa0e609f935f626d96351e0ff116686cbeb8939feecd5dac8cf45101942cc7cec21b7f337df5431bcf7e504b7c427f70a10e1cb8993a661306a0576b638a0171e6800b5b35589d676eb30ed1a72e8f7b057eb281c4504195635b6b285ebaba019913a2520e43ed790231f047f7d3789c10ae7d724929f77aec1d33d9587580268ee14396f71e7ef588cb2560d6bd0795a9b97281229eb16de086553469fad7214ffc3e416f8b8e442dce1d37f9b1c88a5d8a8d9f2fe45bd8df213ecb4194c8554aea13cadcd502e51f6fec80418e772b5bd8d0228949058038b185909ee542848680f9ad43f4057d676d5e21ae3d7e0e4a28c04f112a94707f032b35915e42993ff148291b8babe026646ee41905992db217561b90811c4702a14f312fe5d2ae7257db6be1034cc1c346b76a853ce274bf0435e18f7e86c660c18c80f30505dd4cf2ae2a1893b83c62d61bfeadc1f913e4cab2b897e096dd3fe3525090410cb23bab36cdf200a36014032cf6e5121803c5a0c4a273a19f340163fc6265425d513a1294b8439276394945d94a589708e32a1cb30f1fa4b2f08e01dc5e8c6732e6dc59b5c8cb400000000000000592c9b68f09c8f5ddb20b4ae08b4d9df548e5ed6cd47b91a4bea8b6aa52edf64576aef1e43f2958437fdc20fbbd0d4e13d8cce1193b2f9b4f107e25af178d056e1b1e40bd75b013f7484fae0bc447b1ffaf34819fe3ad1a634c94345e26e1e68dec08723a37b05d1594a66a4718a51d4d67fc880c9d640f4eacc509873f1a103c87f69"], &(0x7f0000000100)='GPL\x00'}, 0x41)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000340)='kfree\x00', r12}, 0x18)
pipe2$9p(&(0x7f00000005c0)={<r13=>0xffffffffffffffff, <r14=>0xffffffffffffffff}, 0x800)
mount$9p_fd(0x0, &(0x7f0000002500)='./file7\x00', &(0x7f0000002540), 0x2, &(0x7f0000000200)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r13, @ANYBLOB=',wfdno=', @ANYRESHEX=r14, @ANYBLOB=',aname=b'])
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000004c0)={0x1b, 0x0, 0x0, 0x40001, 0x0, 0x0, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x3}, 0x50)
sendmsg$NL80211_CMD_START_AP(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000380)=ANY=[@ANYBLOB="20000000620223fa472df40736a67151e268976ced55ae049840592e0479a9e55d2f51773a69ab9116074df3febf03e41fc4a30e74faa6a7ab15f77a344704bb15182ff57d9ba07cfc7fb4e46c017ea0c6b9fab5a0af8f617bf9946ed0e554b4b16f6303dcabbf80a9ab751bbc62c22f705d1260cf191655a3ec5c17c6d6f463264b", @ANYRES16=r9, @ANYBLOB="a1830000000000000000050000000c00990000000000ffffffff"], 0x20}}, 0x0)

6.531087265s ago: executing program 2 (id=212):
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB], 0x48)
r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000c80)={0x11, 0xf, &(0x7f0000000340)=ANY=[], &(0x7f0000000080)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x3, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000340)='kfree\x00', r0}, 0x10)
sched_yield()
r1 = socket$igmp(0x2, 0x3, 0x2)
r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000600)={0x20, 0x3, &(0x7f0000000200)=@framed, &(0x7f0000000000)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @netfilter=0x2d, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x99f0}, 0x94)
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000002380)={r2, 0x0, 0x2d, 0x0, @val=@netfilter={0x2, 0x4, 0x600, 0x1}}, 0x20)
r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000100)=@base={0x16, 0x0, 0x4, 0x1, 0x0, 0x1}, 0x50)
bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000a40)={0x3, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r3, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000000000000b704000000000000850000005700000095"], 0x0}, 0x94)
bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000980)={0x3, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000008000000000000000000018110000", @ANYRES32=r3, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008"], 0x0, 0x0, 0x0, 0x0, 0x41100, 0x4, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0xfffffd13}, 0x94)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x1a, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000f40)={&(0x7f0000000f00)='kfree\x00', r4}, 0x10)
setsockopt$MRT_INIT(r1, 0x0, 0xc8, &(0x7f0000000000), 0x4)
setsockopt$MRT_ADD_VIF(r1, 0x0, 0xca, &(0x7f00000002c0)={0x1, 0x4, 0x7, 0xfffffffe, @vifc_lcl_ifindex, @remote}, 0x10)
setsockopt$MRT_FLUSH(r1, 0x0, 0xd4, &(0x7f0000000040)=0x6, 0x4)

6.448798672s ago: executing program 1 (id=213):
r0 = socket$kcm(0xa, 0x5, 0x0)
bpf$MAP_CREATE(0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="1e000000000000000700490009"], 0x50)
sendmsg$NL80211_CMD_SET_REKEY_OFFLOAD(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)=ANY=[@ANYBLOB='l\x00\x00\x00', @ANYRES16, @ANYBLOB="01002abd7000fcdbdf254f000000", @ANYRES32, @ANYBLOB="50007a800c"], 0x6c}, 0x1, 0x0, 0x0, 0x20002804}, 0x10)
ioctl$sock_kcm_SIOCKCMCLONE(r0, 0x890b, &(0x7f0000000000))
r1 = socket$kcm(0xa, 0x2, 0x0)
sendmsg$inet(r1, &(0x7f0000000380)={&(0x7f0000000040)={0xa, 0xa, @local}, 0x1b, &(0x7f0000000180)=[{&(0x7f0000000080)="a2", 0xff0e}], 0x4, 0x0, 0x0, 0xa6820000}, 0x0)

6.192107905s ago: executing program 0 (id=215):
r0 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB="1b00000000000000000000000080"], 0x48)
r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000080), 0x41, 0x0)
write$binfmt_aout(r1, &(0x7f0000000300)=ANY=[], 0xff2e)
ioctl$TCSETS(r1, 0x40045431, &(0x7f0000000dc0)={0x0, 0x0, 0x0, 0x0, 0xfe, "0062ba7d82000000160000000000f738096304"})
r2 = syz_open_pts(r1, 0x80)
r3 = dup3(r2, r1, 0x80000)
read$watch_queue(r3, &(0x7f0000001d40)=""/4095, 0xfff)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000380)={0x11, 0x7, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b702000001000000850000008600000095"], &(0x7f0000000180)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x3, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000740)={&(0x7f00000006c0)='sched_switch\x00', r4}, 0x10)

6.019080619s ago: executing program 1 (id=217):
bpf$MAP_CREATE(0x0, &(0x7f00000008c0)=ANY=[@ANYBLOB="1e0000000000000004000000ff"], 0x48)
bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000a40)={0x3, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000000000000b70400000000000085000000570000"], 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x2}, 0x94)
r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000b00)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f00000043c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xf, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000f40)={&(0x7f0000000f00)='kfree\x00', r0}, 0x18)
syz_open_dev$usbfs(&(0x7f0000000480), 0x77, 0x41341)
syz_emit_ethernet(0x0, 0x0, 0x0)
openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x80000, 0x0)
munmap(&(0x7f0000470000/0x400000)=nil, 0xe06500)
r1 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r1, &(0x7f0000000840)={0x2, 0x4, @loopback}, 0x10)
bpf$MAP_CREATE(0x0, 0x0, 0x48)
socket$nl_generic(0x10, 0x3, 0x10)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000100), 0xffffffffffffffff)
sendmsg$TIPC_NL_BEARER_ENABLE(r2, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000004c0)={0x5c, r3, 0x1, 0x0, 0x0, {}, [@TIPC_NLA_BEARER={0x40, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x0, @local}}, {0x14, 0x2, @in={0x2, 0x0, @multicast2}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz2\x00'}]}, @TIPC_NLA_SOCK={0x8, 0x2, 0x0, 0x1, [@TIPC_NLA_SOCK_HAS_PUBL={0x4}]}]}, 0x5c}}, 0x4004004)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000100), 0xffffffffffffffff)
sendmsg$TIPC_NL_KEY_SET(r4, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000005c0)=ANY=[@ANYBLOB="8c000000", @ANYRES16=r5, @ANYBLOB="0100000000000000000017000000500006804c00040067636d286165732900"/53], 0x8c}, 0x1, 0x0, 0x0, 0x4}, 0x4000004)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
r7 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000e40), 0xffffffffffffffff)
sendmsg$TIPC_NL_BEARER_ENABLE(r6, &(0x7f0000000580)={0x0, 0x0, &(0x7f0000001080)={&(0x7f0000000400)={0x2c, r7, 0x1, 0x0, 0x25dfdbfe, {}, [@TIPC_NLA_BEARER={0x18, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x11, 0x1, @l2={'eth', 0x3a, 'ip6_vti0\x00'}}]}]}, 0x2c}}, 0x8000)

5.715864169s ago: executing program 2 (id=218):
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0x9, 0x4, 0x1, 0x4}, 0x48)
r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x14, &(0x7f0000000280)=ANY=[@ANYBLOB="180000000000000000000000000000001801000020646c2100000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000001000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000300000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000001c0)={&(0x7f0000000180)='kfree\x00', r1}, 0x10)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_GET(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000240)=ANY=[@ANYBLOB="60000000010101020000000000000040000000000c0019800800020005000000"], 0x60}}, 0x0)

5.691341986s ago: executing program 5 (id=219):
r0 = socket(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'veth1_to_bond\x00', <r2=>0x0})
sendmsg$nl_route(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f00000001c0)=ANY=[@ANYBLOB="300000001c000104000000000000000002000000", @ANYRES32=r2], 0x30}}, 0x0)

5.525824286s ago: executing program 3 (id=221):
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000001000)=ANY=[@ANYBLOB="0b00000005"], 0x50)
r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000740)=ANY=[@ANYBLOB="1800000000000900000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000f9ffffff7b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000300000095"], &(0x7f00000003c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x2f, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='sys_enter\x00', r1}, 0x10)
shmat(0x0, &(0x7f0000ffd000/0x3000)=nil, 0x5800)

5.445563307s ago: executing program 1 (id=222):
r0 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r0, &(0x7f0000000040)={0x3, 0x0, &(0x7f0000000340)={&(0x7f0000001800)=ANY=[@ANYBLOB="020200030f0000002cbd7040fedbdf2503000900800000001cdc0dca1d9f68846960e56de42944af030006000000000002004e22ac1414bb000000000000000002000100000000000000070c00000080030005000000000002004e20ac1414bb0000000000000000020013"], 0x78}, 0x1, 0x7}, 0x8000)

5.203865788s ago: executing program 2 (id=223):
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket$netlink(0x10, 0x3, 0x0)
r2 = bpf$MAP_CREATE(0x0, &(0x7f0000001380)=ANY=[@ANYBLOB="0e000000040000000800000008"], 0x50)
r3 = bpf$PROG_LOAD(0x5, &(0x7f0000000c00)={0x11, 0xc, &(0x7f0000000180)=ANY=[@ANYBLOB="1800000000000000000000000000000818110000", @ANYRES32=r2, @ANYBLOB="0000000000000000b7080000000019007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000100000095"], &(0x7f0000000900)='syzkaller\x00', 0x0, 0x0, 0x0, 0x41000, 0x41, '\x00', 0x0, @fallback=0x16, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000280)='kfree\x00', r3}, 0x10)
r4 = socket(0x10, 0x803, 0x0)
connect$netlink(r4, &(0x7f00000014c0)=@proc={0x10, 0x0, 0x25dfdbfc}, 0xc)
getsockname$packet(r4, &(0x7f0000000180)={0x11, 0x0, <r5=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$nl_route(r1, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000380)=ANY=[@ANYBLOB="3c0000001000850600"/20, @ANYRES32=r5, @ANYBLOB="01000000000000001c0012000c000100626f6e64000000000c0002000800010005"], 0x3c}}, 0x0)
sendmsg$nl_route_sched(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f00000000c0)=@getchain={0x24, 0x11, 0x43d, 0x70bd2b, 0x10008, {0x0, 0x0, 0x0, r5, {0x5, 0x2}, {0x0, 0xffef}, {0xfff3, 0x10}}}, 0x24}, 0x1, 0x0, 0x0, 0x8014}, 0x4004000)

5.119404221s ago: executing program 5 (id=224):
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x18, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="18010000000800000000000000000000850000006d00"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000180)='sys_enter\x00', r0}, 0x10)
move_pages(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)

4.998880232s ago: executing program 3 (id=225):
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, 0x0)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
socket$tipc(0x1e, 0x5, 0x0)
r3 = socket$tipc(0x1e, 0x2, 0x0)
bind$tipc(r3, &(0x7f00000000c0)=@nameseq={0x1e, 0x1, 0x0, {0x42}}, 0x10)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000005c0)={0x0}, 0x18)
add_key(&(0x7f0000000040)='ceph\x00', 0x0, &(0x7f00000000c0)="010001000000000000001000015b097ead85847817353d2dbad05d", 0x1b, 0xfffffffffffffffd)
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x11, 0xb, &(0x7f00000009c0)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702520000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000083850000007100000095"], &(0x7f0000000200)='GPL\x00', 0x100, 0x0, 0x0, 0x40e00, 0x0, '\x00', 0x0, @fallback=0x16, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x1}, 0x94)
r4 = add_key$keyring(&(0x7f0000000100), &(0x7f0000000180)={'syz', 0x2}, 0x0, 0x0, 0xffffffffffffffff)
keyctl$KEYCTL_RESTRICT_KEYRING(0x1d, r4, &(0x7f0000000200)='asymmetric\x00', &(0x7f00000002c0)=@chain)
add_key$keyring(&(0x7f0000000040), &(0x7f00000003c0)={'syz', 0x2}, 0x0, 0x0, r4)
r5 = socket$nl_rdma(0x10, 0x3, 0x14)
sendmsg$RDMA_NLDEV_CMD_NEWLINK(r5, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000040)=ANY=[@ANYBLOB="3800000003140100c68f7bec9aff068609000200737962320000000008004100736977001400330062726964676530"], 0x38}, 0x1, 0x0, 0x0, 0x44805}, 0x50)
r6 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000380)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x40, '\x00', 0x0, @fallback=0xa, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
waitid(0x2, r0, &(0x7f0000000180), 0x1, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000240)='sched_switch\x00', r6}, 0x18)
syz_clone(0x640c7000, 0x0, 0x0, 0x0, 0x0, 0x0)

4.948050253s ago: executing program 5 (id=226):
syz_io_uring_setup(0x49a, &(0x7f00000000c0)={0x0, 0x79af, 0x4000, 0x8000, 0x40024e}, 0x0, 0x0)

4.947440196s ago: executing program 0 (id=227):
socket$nl_route(0x10, 0x3, 0x0)
r0 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="0a000000040000009c0000000b"], 0x50)
r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x14, &(0x7f0000000280)=ANY=[@ANYBLOB="180000000000000000000000000000001801000020646c2100000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000000600000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b70400000000000085000000c300000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0xa, '\x00', 0x0, @fallback=0x21, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000280)='kmem_cache_free\x00', r1, 0x0, 0x200000000000006}, 0x18)
syz_mount_image$ext4(&(0x7f0000000040)='ext4\x00', &(0x7f0000000880)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x840e, &(0x7f00000004c0)={[{@discard}, {@jqfmt_vfsold}, {@debug_want_extra_isize={'debug_want_extra_isize', 0x3d, 0x6a}}, {@jqfmt_vfsold}, {@auto_da_alloc_val={'auto_da_alloc', 0x3d, 0x9}}, {@quota}]}, 0x3, 0x43a, &(0x7f0000001100)="$eJzs28tvG1UXAPAzfrRfX19CVR59AIGCqHgkTVpKF2xAILEACQkWZRmStCp1G9QEiVYRBITKCqFK7BFLJP4CVrBBwAqJLexRpQpl08LKaOyZxHYcNzFOnOLfT5r23plr3XM8c+07c+MABtZI+k8SsTcifouIoXq1ucFI/b/bSwtTfy0tTCVRrb7xZ1Jrd2tpYSpvmr9uT14pRRQ+SeJwm37nrly9MFmpzFzO6mPzF98dm7ty9ZnzFyfPzZybuTRx+vTJE+PPnZp4tid5pnndOvTB7JGDr7x1/bWpM9ff/umbJM+/JY8eGel08PFqtcfd9de+hnJS6mMgbEixPkyjXBv/Q1GMlZM3FC9/3NfggE1VrVar9619eLEK/Icl0e8IgP7Iv+jT+99826Kpx7Zw84X6DVCa9+1sqx8pRSFrU265v+2lkYg4s/j3l+kWm/McAgCgyXfp/OfpdvO/QjQ+F/p/toYyHBH3RMT+iDgVEQci4t6IWtv7I+KBDfbfukiyev5TuNFVYuuUzv+ez9a2mud/+ewvhotZbV8t/3Jy9nxl5nj2nhyL8s60Pt6hj+9f+vXztY41zv/SLe0/nwtmcdwo7Wx+zfTk/GRziN27+VHEoVK7/JPllYAkIg5GxKEu+zj/5NdH1jp25/w76ME6U/WriCfq538xWvLPJZ3XJ8f+F5WZ42P5VbHaz79ce32t/v9V/j2Qnv/dba//5fyHk8b12rmN93Ht90/XvKfp9vrfkbzZtO/9yfn5y+MRO5JX60E37p9oaTex0j7N/9jR9uN/f6y8E4cjIr2IH4yIhyLi4Sz2RyLi0Yg42iH/H1987J3u899caf7TGzr/K4Ud0bqnfaF44Ydvmzod3kj+6fk/WSsdy/Ysf/51sJ64uruaAQAA4O5TiIi9kRRGl8uFwuho/W/4D8TuQmV2bv6ps7PvXZqu/0ZgOMqF/EnXUMPz0PHstj6vT7TUT2TPjb8o7qrVR6dmK9P9Th4G3J4otR3/qT+K/Y4O2HR+rwWDy/iHwWX8w+Ay/mFwtRn/u/oRB7D12n3/f9iHOICt1zL+LfvBAHH/D4PL+IfBZfzDQJrbFXf+kbyCwqpCFLZFGOssfFbeFmHcRYV+fzIBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD0xj8BAAD//3g65pw=")
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000140)={0x0}, 0x18)
r2 = creat(&(0x7f0000000000)='./bus\x00', 0x0)
write$cgroup_int(r2, &(0x7f0000000540), 0xfffffdd8)

4.665156868s ago: executing program 5 (id=228):
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, 0x0, 0x0)
socket$netlink(0x10, 0x3, 0x10)
bind$netlink(0xffffffffffffffff, 0x0, 0x0)
r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000580)={0x11, 0xb, &(0x7f0000000500)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000000000000b703000000000000850000002d00000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x2, '\x00', 0x0, @fallback=0x10, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000180)='kfree\x00', r0}, 0x32)
setsockopt$EBT_SO_SET_ENTRIES(0xffffffffffffffff, 0x0, 0x80, &(0x7f0000001d80)=@broute={'broute\x00', 0x20, 0x0, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000000c0], 0x11, 0x0, 0x0}, 0x108)
setsockopt$netlink_NETLINK_BROADCAST_ERROR(0xffffffffffffffff, 0x10e, 0x4, 0x0, 0x0)
syz_genetlink_get_family_id$devlink(0x0, 0xffffffffffffffff)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
open(0x0, 0x0, 0x0)
socket$inet6(0xa, 0x3, 0x3c)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_CREATE(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000044c0)={&(0x7f00000005c0)={0x50, 0x2, 0x6, 0x5, 0x0, 0x0, {}, [@IPSET_ATTR_PROTOCOL={0x5, 0x1, 0x6}, @IPSET_ATTR_FAMILY={0x5, 0x5, 0x2}, @IPSET_ATTR_REVISION={0x5}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_TYPENAME={0x15, 0x3, 'hash:ip,port,net\x00'}]}, 0x50}}, 0x0)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_ADD(r2, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000300)={0x60, 0x9, 0x6, 0x3, 0x0, 0x0, {0x5, 0x0, 0x40}, [@IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_DATA={0x38, 0x7, 0x0, 0x1, [@IPSET_ATTR_PORT={0x6, 0x4, 0x1, 0x0, 0x4e21}, @IPSET_ATTR_PROTO={0x5, 0x7, 0xff}, @IPSET_ATTR_IP={0xc, 0x1, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @private=0xe0004000}}, @IPSET_ATTR_IP_TO={0xc, 0x2, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @multicast2}}, @IPSET_ATTR_IP2={0xc, 0x14, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @broadcast}}]}]}, 0x60}, 0x1, 0x0, 0x0, 0x10004893}, 0x80)

4.40904225s ago: executing program 4 (id=229):
r0 = socket$kcm(0xa, 0x5, 0x0)
bpf$MAP_CREATE(0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="1e000000000000000700490009"], 0x50)
sendmsg$NL80211_CMD_SET_REKEY_OFFLOAD(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)=ANY=[@ANYBLOB='l\x00\x00\x00', @ANYRES16, @ANYBLOB="01002abd7000fcdbdf254f000000", @ANYRES32, @ANYBLOB="50007a800c"], 0x6c}, 0x1, 0x0, 0x0, 0x20002804}, 0x10)
ioctl$sock_kcm_SIOCKCMCLONE(r0, 0x890b, &(0x7f0000000000))
r1 = socket$kcm(0xa, 0x2, 0x0)
sendmsg$inet(r1, &(0x7f0000000380)={&(0x7f0000000040)={0xa, 0xa, @local}, 0x1b, &(0x7f0000000180)=[{&(0x7f0000000080)="a2", 0xff0e}], 0x4, 0x0, 0x0, 0xa6820000}, 0x0)

4.075987786s ago: executing program 1 (id=230):
prctl$PR_SET_SECCOMP(0x16, 0x2, &(0x7f0000000340)={0x1, &(0x7f0000000640)=[{0x200000000006, 0x0, 0x80, 0x7ffc1ffb}]})
getpeername$packet(0xffffffffffffffff, 0x0, &(0x7f0000000380))

4.071143687s ago: executing program 4 (id=231):
syz_mount_image$ext4(&(0x7f0000000040)='ext4\x00', &(0x7f0000000180)='./file0\x00', 0x22d140a, &(0x7f00000001c0), 0xff, 0x546, &(0x7f0000000a40)="$eJzs3V9rXGkZAPDnTDNp2qabrHqhC7su7kq7rJ1pNu5u8GLdgujVgrje15hMQ+gkU5LJbhMWnX4CQUQFr/TGG8EPIEhBEC9FKOi1woqyaFdBL7RH5syZJk7OJNPsNNNMfj84Pe97/j3PO8175vzjTACn1vMR8WZEPEjT9KWImMmnl/IhWp2hvdyH999bag9JpOnbf0siyad1t5Xk4wv5alMR8bWvRHwz2R93c3vn5mK9XtvI69Xm2q3q5vbOldW1xZXaSm19fn7utYXXF15duDqUdl6MiDe+9Ofvf+enX37jl59790/X/3r5W+20pvP5e9vxiCYOmtlpevnsVM8KG0cM9iRqt6fcrZwbbJ07jzEfAAD6ax/jfywiPhMRL8VMnDn4cBYAAAA4gdIvTsd/koi02GSf6QAAAMAJUsqegU1KlfxZgOkolSqVzjO8n4jzpXpjs/nyjcbW+nLnWdnZKJdurNZrV/NnhWejnLTrc1l5t/5KT30+Ip6OiO/NnMvqlaVGfXnUFz8AAADglLjQc/7/z5nO+T8AAAAwZmZHnQAAAADw2Dn/BwAAgPHn/B8AAADG2lffeqs9pN3fv15+Z3vrZuOdK8u1zZuVta2lylJj41ZlpdFYyd7Zt3bY9uqNxq3Px/rW7WqzttmsXtzeub7W2FpvXl+NqWNpEAAAALDP05+++4ckIlpfOJcNbZOjTgo4FhMPS0k+Luj9f3yqM37/mJICjsWZAZZ5/2zxko4T4GSb6J1wdjR5AMevfMA8N+zhdEgOmd93X/Dbzqg05HwAAIDhu/Sp4vv/hx/PtxzywwmnE8Pp1XNXP50ZVSLAscvu/w/6II+DBRgr5YGeAATG2Ue9/3+4NH2khAAAgKGbzoakVMkv701HqVSpRFzMfhagnNxYrdeuRsRTEfH7mfLZdn0uWzM59JwBAAAAAAAAAAAAAAAAAAAAAAAAAOhI0yRSAAAAYKxFlP6S/KrzLv9LMy9O914fmEz+nf0k8GREvPujt39we7HZ3JhrT//7w+nNH+bTXxnFFQwAAACgV/c8PRv/a9TZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADBuPrz/3lJ3GGDxc8OK+8G1ly/HbFH8iZjKxlNRjojz/0hiYs96SUScGUL81p2I+GRR/KSd1sOQRfGH8SG0pqKVZgrjx2z+KRTFvzCE+HCa3b0WEW8W9f9SPJ+Ni/vfRMT/1Y/qg2tZJy/c/3b3f2f69P+LA8Z45t7Pq33j34l4ZqJ4/9eNn/SJ/8KA8b/x9Z2dfvPSH0dc6n7/ZHu8vRF2S9Xm2q3q5vbOldW1xZXaSm19fn7utYXXF15duFq9sVqv5f8Wxvjus794cFD7zxd+/yV5Nv3b/2LB9oq+k/577/b9j3crrf3xL79QEP83P8mX2B+/lMf5bF5uz7/ULbc65b2e+9nvnjuo/cu77S8/yv//5X4b7bWvozw76J8OAPAYbG7v3Fys12sbY1ton6U/AWkcpTAZT0Qa41v4drtwb1gbTNM0bfepgll3I2KQ7STRf5lfHyWxUnE+u4W+e4BR75kAAIBh2z3oH3UmAAAAAAAAAAAAAAAAAAAAcHodx1vWemPuvgI5GcYrtAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAhuJ/AQAA//+wk9e+")
prctl$PR_SET_SECCOMP(0x4e, 0x1, 0x0)
socket$nl_audit(0x10, 0x3, 0x9)
io_uring_setup(0x1b7f, &(0x7f0000000040)={0x0, 0x8d02, 0x2, 0x3, 0x20002f7})

3.591826112s ago: executing program 1 (id=232):
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000001740)=ANY=[@ANYBLOB="1b00000000000000000000000080"], 0x48)
r1 = bpf$PROG_LOAD(0x5, &(0x7f0000001800)={0x11, 0xc, &(0x7f0000000600)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b7040000fa540000850000008200000095"], &(0x7f00000001c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x9, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000bc0)={&(0x7f0000000040)='kmem_cache_free\x00', r1}, 0x10)
name_to_handle_at(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0)

3.587183233s ago: executing program 2 (id=233):
socket$nl_route(0x10, 0x3, 0x0)
r0 = socket$netlink(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
sendmsg$nl_route_sched(r1, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000380)={0x0, 0x24}}, 0x0)
getsockname$packet(r1, &(0x7f0000000100)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x2ba)
sendmsg$nl_route(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000140)=ANY=[@ANYBLOB="3c0000001000850619fb", @ANYRES32=r2, @ANYBLOB="fe000000000000001c0012000c000100626f6e64000000000c0002000800010004"], 0x3c}}, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
r4 = socket(0x1, 0x803, 0x0)
getsockname$packet(r4, &(0x7f0000000100)={0x11, 0x0, <r5=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000002c0)=0x14)
sendmsg$nl_route(r3, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000480)=ANY=[@ANYBLOB="540000001000010400"/20, @ANYRES32=0x0, @ANYBLOB="00000000000000002c0012800e0001006970366772657461700000001800028014000700fc00000000000000000000000000000008000a00", @ANYRES32=r5], 0x54}}, 0x0)
r6 = socket$netlink(0x10, 0x3, 0x0)
r7 = socket$packet(0x11, 0x3, 0x300)
getsockname$packet(r7, &(0x7f0000000100)={0x11, 0x0, <r8=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200))
sendmsg$nl_route(r6, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000400)=ANY=[@ANYBLOB="200000001000250800170000000000000a000000", @ANYRES32=r8, @ANYBLOB="0174dfdb"], 0x20}}, 0x0)

3.44164367s ago: executing program 0 (id=234):
bpf$MAP_CREATE(0x0, &(0x7f00000008c0)=ANY=[@ANYBLOB="1e0000000000000004000000ff"], 0x48)
bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000a40)={0x3, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000000000000b70400000000000085000000570000"], 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x2}, 0x94)
r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000b00)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f00000043c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xf, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000f40)={&(0x7f0000000f00)='kfree\x00', r0}, 0x18)
syz_open_dev$usbfs(&(0x7f0000000480), 0x77, 0x41341)
syz_emit_ethernet(0x0, 0x0, 0x0)
openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x80000, 0x0)
munmap(&(0x7f0000470000/0x400000)=nil, 0xe06500)
r1 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r1, &(0x7f0000000840)={0x2, 0x4, @loopback}, 0x10)
bpf$MAP_CREATE(0x0, 0x0, 0x48)
socket$nl_generic(0x10, 0x3, 0x10)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000100), 0xffffffffffffffff)
sendmsg$TIPC_NL_BEARER_ENABLE(r2, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000004c0)={0x5c, r3, 0x1, 0x0, 0x0, {}, [@TIPC_NLA_BEARER={0x40, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x0, @local}}, {0x14, 0x2, @in={0x2, 0x0, @multicast2}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz2\x00'}]}, @TIPC_NLA_SOCK={0x8, 0x2, 0x0, 0x1, [@TIPC_NLA_SOCK_HAS_PUBL={0x4}]}]}, 0x5c}}, 0x4004004)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000100), 0xffffffffffffffff)
sendmsg$TIPC_NL_KEY_SET(r4, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000005c0)=ANY=[@ANYBLOB="8c000000", @ANYRES16=r5, @ANYBLOB="0100000000000000000017000000500006804c00040067636d286165732900"/53], 0x8c}, 0x1, 0x0, 0x0, 0x4}, 0x4000004)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
r7 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000e40), 0xffffffffffffffff)
sendmsg$TIPC_NL_BEARER_ENABLE(r6, &(0x7f0000000580)={0x0, 0x0, &(0x7f0000001080)={&(0x7f0000000400)={0x2c, r7, 0x1, 0x0, 0x25dfdbfe, {}, [@TIPC_NLA_BEARER={0x18, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x11, 0x1, @l2={'eth', 0x3a, 'ip6_vti0\x00'}}]}]}, 0x2c}}, 0x8000)

3.383939003s ago: executing program 4 (id=235):
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0x9, 0x4, 0x1, 0x4}, 0x48)
r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x14, &(0x7f0000000280)=ANY=[@ANYBLOB="180000000000000000000000000000001801000020646c2100000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000001000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000300000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000001c0)={&(0x7f0000000180)='kfree\x00', r1}, 0x10)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_GET(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000240)=ANY=[@ANYBLOB="60000000010101020000000000000040000000000c0019800800020005000000"], 0x60}}, 0x0)

3.005338151s ago: executing program 1 (id=236):
r0 = socket$netlink(0x10, 0x3, 0x4)
writev(r0, &(0x7f0000000080)=[{&(0x7f00000000c0)="480000001400190d09004beafc0d8c560a84696080040000000000000000bc5603ca00000f7f89000000200000000101ff0000000309ff5bffff00c7e5ed51000000000000000000", 0x48}], 0x1)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000540), 0xffffffffffffffff)
sendmsg$NL80211_CMD_VENDOR(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000002c0)=ANY=[@ANYBLOB='$\x00\x00\x00', @ANYRES16=r2, @ANYBLOB="bbfb2bbd7000fddbdf25670000000800c400020000000800c3"], 0x24}, 0x1, 0x0, 0x0, 0x801}, 0x0)
r3 = bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x11, 0xb, &(0x7f0000000640)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000004000000b703000000000000850000007200000095"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, @fallback=0x2a, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000004c0)={&(0x7f0000000080)='kfree\x00', r3, 0x0, 0xffffffffffffffff}, 0x18)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r4, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000480)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a030000000000000000f0070000000900010073797a300000000080000000090a010400000000000000000700000008000a40000000000900020073797a30000000000900010073797a3000000000080005400000000d3c00128014000180090001006c617374000000000400028010000180090001006c61737400000000140001800c000100636f756e746572000400028008000340000001"], 0xc8}, 0x1, 0x0, 0x0, 0x40000}, 0x20050800)
sendmsg$NL80211_CMD_REQ_SET_REG(r1, &(0x7f0000000980)={&(0x7f00000002c0)={0x10, 0x0, 0x0, 0x200}, 0xc, &(0x7f0000000400)={&(0x7f0000000340)={0x8c, r2, 0x8, 0x70bd27, 0x25dfdbfd, {}, [@NL80211_ATTR_REG_RULES={0x6c, 0x22, 0x0, 0x1, [{0x24, 0x0, 0x0, 0x1, [@NL80211_ATTR_FREQ_RANGE_END={0x8, 0x3, 0x6}, @NL80211_ATTR_POWER_RULE_MAX_EIRP={0x8, 0x6, 0x2}, @NL80211_ATTR_FREQ_RANGE_END={0x8, 0x3, 0x5}, @NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN={0x8, 0x5, 0xe}]}, {0x44, 0x0, 0x0, 0x1, [@NL80211_ATTR_POWER_RULE_MAX_EIRP={0x8, 0x6, 0x2}, @NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN={0x8, 0x5, 0x4}, @NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN={0x8, 0x5, 0x4b}, @NL80211_ATTR_REG_RULE_FLAGS={0x8, 0x1, 0x3be}, @NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN={0x8, 0x5, 0x6}, @NL80211_ATTR_FREQ_RANGE_END={0x8, 0x3, 0x80000000}, @NL80211_ATTR_FREQ_RANGE_START={0x8, 0x2, 0x75eac444}, @NL80211_ATTR_DFS_CAC_TIME={0x8, 0x7, 0x401}]}]}, @NL80211_ATTR_USER_REG_HINT_TYPE={0x8, 0x9a, 0x1}, @NL80211_ATTR_SOCKET_OWNER={0x4}]}, 0x8c}, 0x1, 0x0, 0x0, 0xc004}, 0x4000)
syz_mount_image$ext4(&(0x7f0000000280)='ext4\x00', &(0x7f0000000000)='./file0\x00', 0x0, &(0x7f0000000240)={[{@discard}, {@noload}]}, 0x64, 0x53f, &(0x7f0000000440)="$eJzs3c9vI1cdAPDveO3t/sjWKXCAHkqhRbsrWHvT0Dbi0BaB4FQJKPclJE4UxYmjxGk3UUUT8QdwQYDECS5ckPgPUCUuHCukIjiDKAIh2MKBA3TQ2ONsNuuJvcGJ0+TzkWbnvfn1fc/e+fFmXsYBnFtPR8QrEfFBmqY3I6KaTy/lQ+x0h2y59++9OZcNSaTpa39PIsmn9baV5OOr+WqXIuIbX434dvJw3I2t7eXZZrOxnufr7ZW1+sbW9q2lldnFxmJjdXp66oWZF2een7k9knpei4iXvvznH3zvZ1956Zefe+OPd/564ztZsb6Uz99fj0dUPmxmt+qVzmexf4X1iJePGO/UKXdqmLs83Dq7x1geAACKZdf4H4mIT0fEzajGhcMvZwEAAIAPofTlifhPEpH2d7HfxEtRuDwAAABwCpUiYiKSUi3vCzARpVKt1u3D+7G4kr4V0f7sQmtzdT6bFzEZldLCUrNxO+8rPBmVJMtPddL3889187vvRXTy0xHxRER8v3q5k6/NtZrz4775AQAAAOfE1QPt/39Vu+1/AAAA4IyZHHcBAAAAgGOn/Q8AAABnn/Y/AAAAnGlfe/XVbEh7v389//rW5nLr9VvzjY3l2srmXG2utb5WW2y1Fjvv7FsZtL1mq7X2+VjdvFtvNzba9Y2t7Tsrrc3V9p2lB34CGwAAADhBT3zy7d8nEbHzhcudIXOxYNkLJ1oy4LiV91JJPu6z9//h8e74vRMqFHAiBp3Tf1s9oYIAJ6487gIAY1N5lIX9nQCcScmA+YWdd97Jx58abXkAAIDRu/6J4uf/pUPX3Dl8NnDq2Ynh/Oo9/3/8QB44+zrP/4s6/B7kYgHOlIozPpx7A5//F3UAeGfYCGn6aCUCAABGbaIzJKVafntvIkqlWi3iWqe7fyVZWGo2bufPB35XrTyW5ac6ayYD2wwAAAAAAAAAAAAAAAAAAAAAAAAAQFeaJpEO47GhlgIAAABOoYjSX5Jfdd/lf7367MTB+wMXk39XI/+J0Dd+/NoP78622+tT2fR/7E1v/yif/tw47mAAAAAAB/Xa6b12PAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACM0vv33pzrDb1pafX44/7tixEx2S9+OS51xpeiEhFX/plEed96SURcGEH8nd2I+Hi/+ElWrL2Q/eJfPv74MZl/Cv3iXx1BfDjP3s6OP69k+9/FiNi//5Xi6c64//5Xjnggf1Sd4192gOtz/O0d/y4U7P/XDmxrsiDGk+/+ol4YfzfiyXL/408vflIQ/5kh6/itb25vF81LfxJxve/5J3kgVr29slbf2Nq+tbQyu9hYbKxOT0+9MPPizPMzt+sLS81G/u9D268UBS7dr/+VgviTA+r/7JD1/++7d+99tKA4Wfwbz/SJ/+uf5ks8HL+Un/s+k6ez+dd76Z1uer+nfv6bp4rKlsWfL6j/oO//xpD1v/n17/4pIj7Y95UCAGO0sbW9PNtsNtYPTWSXLYOWOa2JrJV+CoohcbTEsP9Fj5R4a6QbTNM0jf9vT0li7B94LzHuIxMAADBq9y/6x10SAAAAAAAAAAAAAAAAAAAAOL9O4nViB2Pu7KWSUbxCGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgJP4XAAD//6H70dw=")
bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB="1b00000000000000000000000080", @ANYRES32=0x0], 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000740)={&(0x7f00000006c0)='sched_switch\x00'}, 0x10)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f00000001c0)=0x8)
setrlimit(0xc, &(0x7f0000000280)={0x9, 0x1})
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x6770c000)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r5=>0xffffffffffffffff, <r6=>0xffffffffffffffff})
connect$unix(r5, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r6, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r5, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
socketpair$nbd(0x1, 0x1, 0x0, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
r7 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r7, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f00000000c0)="d8000000180081054e81f782db4cb904021d0800ff207c05e8fe55a10a0015000200142603600e12080005007f370401a8001600200006000500027c035c0461c1d67f6f94007134cf6efb8000a007a290457f0189b316277ce06bbace8017cbec4c2e98a61e284ce5a7cef4090000001fb791643a5ee4ce1b14d6d930dfe1d9d322fe7c9f8775730d16a4683f5aeb4edbb57a5025ccca9e00360db798262f3d40fad95667e006dcdf63951f215ce3bb9ad809d5e1cace81ed0bffece0b42a9ecbee5de6ccd40dd6e4edef3d93452a92954b43370e970392", 0xd8}], 0x1}, 0x0)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000300))
syz_clone(0x6a000000, 0x0, 0x0, 0x0, 0x0, 0x0)

2.753909089s ago: executing program 3 (id=237):
r0 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="04000000040000000400000005"], 0x48)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x1b, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b70800000000e7057b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000001600000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe8c}, 0x94)
r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000380)={0x1, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x2, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000680)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
r4 = bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000180)={0x3, 0x4, 0x4, 0xa, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000040)={{r4}, &(0x7f0000000280), &(0x7f0000000240)=r1}, 0x20)
r5 = bpf$PROG_LOAD(0x5, &(0x7f0000000880)={0x1, 0x10, &(0x7f0000000bc0)=ANY=[@ANYBLOB="1808000000000000000000000000000018120000", @ANYRES32=r4, @ANYBLOB="0000000000000000b703000000000000850000000c000000b7000000000000001801000000082c2500000000002120207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000000700000095"], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x2, '\x00', 0x0, @fallback=0x2, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
setsockopt$sock_attach_bpf(r2, 0x1, 0x32, &(0x7f00000000c0)=r5, 0x4)
sendmsg$inet(r3, 0x0, 0x0)

2.616048105s ago: executing program 4 (id=238):
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000001000)=ANY=[@ANYBLOB="0b00000005"], 0x50)
r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000740)=ANY=[@ANYBLOB="1800000000000900000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000f9ffffff7b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000300000095"], &(0x7f00000003c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x2f, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='sys_enter\x00', r1}, 0x10)
shmat(0x0, &(0x7f0000ffd000/0x3000)=nil, 0x5800)

2.19033122s ago: executing program 2 (id=239):
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x18, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="18010000000800000000000000000000850000006d00"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000180)='sys_enter\x00', r0}, 0x10)
move_pages(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)

2.187669939s ago: executing program 3 (id=240):
syz_io_uring_setup(0x49a, &(0x7f00000000c0)={0x0, 0x79af, 0x4000, 0x8000, 0x40024e}, 0x0, 0x0)

2.186877168s ago: executing program 4 (id=241):
mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup.net/syz0\x00', 0x1ff)
r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0)
r1 = socket(0x10, 0x803, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0xa, 0x200000000000008b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000240)=0x8)
r2 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r2, 0x2, &(0x7f0000000000)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r3=>0xffffffffffffffff, <r4=>0xffffffffffffffff})
connect$unix(r3, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r4, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r3, 0x0, 0x0, 0x2, 0x0)
r5 = bpf$MAP_CREATE(0x0, &(0x7f0000000400)=ANY=[@ANYBLOB="07000000040000000800000001"], 0x48)
r6 = bpf$PROG_LOAD(0x5, &(0x7f0000000680)={0x11, 0x8, &(0x7f0000000740)=ANY=[@ANYBLOB="1800000000000000000000000000000018120000", @ANYRES32=r5, @ANYBLOB="0000000000000000b703000000030000850000001b000000b700000000"], &(0x7f0000000780)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000100)={&(0x7f0000000080)='sched_switch\x00', r6}, 0x18)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x13, 0x13, &(0x7f0000000080)=ANY=[@ANYBLOB="18080000d0ff000200000000e1ffffff851000000600000018000000", @ANYBLOB="000000000000000066080200ffd00000180000000000000000000000000000009500000000000000360a020000000000180100002020782500000000"], &(0x7f0000000000)='GPL\x00', 0x2, 0xde, &(0x7f0000000340)=""/222, 0x0, 0x8, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x1}, 0x94)
getsockopt$inet_sctp6_SCTP_HMAC_IDENT(r1, 0x84, 0x16, &(0x7f0000001180)={0x4, [0x0, 0x1, 0x6, 0x1]}, &(0x7f00000011c0)=0xc)
ioctl$sock_SIOCETHTOOL(r1, 0x8946, &(0x7f0000000140)={'veth0_to_team\x00', &(0x7f0000000280)=@ethtool_channels={0x3d, 0xffffffff, 0x0, 0x0, 0x4, 0x2, 0x1}})
ioctl$sock_SIOCETHTOOL(r1, 0x8946, &(0x7f00000002c0)={'veth0_to_team\x00', &(0x7f0000000000)=@ethtool_cmd={0x2c, 0x6, 0x4, 0x0, 0x0, 0x0, 0x0, 0x9, 0xff, 0x0, 0x3, 0xfffffffe, 0x3}})
r7 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r8 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r8, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000008c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0)
ioctl$TIOCL_BLANKSCREEN(r7, 0x4b67, &(0x7f0000000180))
fchdir(r0)
mkdirat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x10)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x1c0)
rename(&(0x7f0000000040)='./file0\x00', &(0x7f0000000100)='./file1\x00')
close(0x3)

1.685478298s ago: executing program 2 (id=242):
creat(&(0x7f00000002c0)='./file0\x00', 0xecf86c37d53048d6)
r0 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB="1f00000000000000000000000010"], 0x48)
io_setup(0x2, &(0x7f0000000180)=<r1=>0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
r2 = syz_open_dev$evdev(&(0x7f0000000040), 0x800002, 0x800)
ioctl$EVIOCGRAB(r2, 0x40044590, &(0x7f0000000200)=0x7ffffffc)
bpf$MAP_CREATE(0x0, 0x0, 0x48)
seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x7, &(0x7f0000000240)={0x1, &(0x7f0000000000)=[{0x6, 0x85, 0x7, 0x7ffc0001}]})
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x11, 0x5, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000006900000000000001000000940000000fad413e850000000700000095"], &(0x7f0000000180)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$OBJ_GET_MAP(0x7, &(0x7f0000000140)=@generic={&(0x7f0000000100)='./file1\x00', 0x0, 0x10}, 0x18)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000002c0), 0x80, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000080)=0xf)
fcntl$dupfd(r3, 0x0, r3)
ioctl$TCFLSH(r3, 0x400455c8, 0x0)
ioctl$TIOCSTI(r3, 0x5412, &(0x7f0000000040)=0x5)
ioctl$EVIOCGRAB(r2, 0x40044590, 0x0)
r4 = socket$netlink(0x10, 0x3, 0x8000000004)
writev(r4, &(0x7f0000000040)=[{&(0x7f0000000080)="580000001400192340834b80040d8c560a067f0202ff000000000000000058000b4824ca945f64009400ff0325010ebc000000000000008000f0fffeffe809005300fff5dd00000010000100080c100000000100ffffffff", 0x58}], 0x1)
io_submit(r1, 0x1, &(0x7f0000000040)=[&(0x7f00000000c0)={0x0, 0x300, 0x0, 0x5, 0x0, r0, 0x0}])

1.683289068s ago: executing program 3 (id=243):
r0 = socket$nl_route(0x10, 0x3, 0x0)
write$binfmt_misc(0xffffffffffffffff, 0x0, 0x0)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="0b00000007000000010001000900000001"], 0x48)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000000)={{r1, <r2=>0xffffffffffffffff}, &(0x7f0000000580), &(0x7f00000005c0)}, 0x20)
r3 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x11, 0xd, &(0x7f00000002c0)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r2, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b7040000000000008500000003000000650000000800000095"], &(0x7f0000000380)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000600)={&(0x7f0000000640)='kfree\x00', r3}, 0x18)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
syz_read_part_table(0x59d, &(0x7f0000000000)="$eJzs0r1Le1cYB/CTgIRCJSKCgx0Eg0ujQhx0SAYrMWQxIlYcnAUHHQQHB0mJzr78A4pvIC5iZ0cxgijESTKKc0FxyZTS9hZq7dIWU/rj81ku55znuc89fG/gfy0efmo2m7EQQjPx97u/P8tPFHunxqZnQoiF+RBC/puvfz2JRRW/v/UiWpeidTGRqR3cjr+eddz1PVRTR/Ho/DIewg8hhKWn4+S/vRtfvvPcdXJjc6WwtZZbfCysPw8vDOR7tvPLuyOH2fJsd3Yu+rEu462Zn6qNntw3Sy977YNt1VojcxPVpWOfM5//1p/z3++q1CuNyf7T1aF0Z/2qvBPl/iZ/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgk53nrpMbmyuFrbXc4mNh/Xl4YSDfs51f3h05zJZnu7Nz8d/qLuOtmZ+qjZ7cN0sve+2DbdVaI3MT1aVjH1q/+/FzPokW+ja8z3+/q1KvNCb7T1eH0p31q/JOlPvbx/wBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP5SfqLYOzU2PRNCLMyHEMbjHce/7DcT7+suomcp2i8mMrWD2/HXs467vodq6mgqEcIfW5aejpNfteoS/GM/BwAA//8394ZP")
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000040)={'veth0\x00', <r5=>0x0})
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=ANY=[@ANYBLOB="440000001000030500"/20, @ANYRES32=0x0, @ANYBLOB="0000000000000000140012800c0001006d616376746170000400028008000500", @ANYRES32=r5, @ANYBLOB="080003"], 0x44}}, 0x0)

1.675945805s ago: executing program 0 (id=244):
r0 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xb, &(0x7f0000000740)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000000000000b703000000000080850000000400000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x41100, 0x8, '\x00', 0x0, @fallback=0x1f, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000002c0)={&(0x7f0000000300)='kmem_cache_free\x00', r0}, 0x10)
r1 = memfd_create(&(0x7f0000000bc0)='[\v\xdbX\xae[\x1a\xa9\xfd\xfa\xad\xd1md\xc8\x85HX\xa9%\f\x1ae\xe0\x00\x00\x00\x00\xfb\xff\x00\x00\x81\x9eG\xd9,\xe2\xc6a\x9f\xe8\xf1\xb3\x86\xe2+Op\xd0\xa2\x82\x1eb;(\xb5\xe1jS\xd6\x91%||\xa0\x8ez\xadT\xc8\f\xe5\x89\xbf#2\x99\x1e\xa1`\xc3\xcf\xd3\xae\xd2\a\x11\xa9\xa5^\xff\xf5\x95\f<\x8f\xc1\x99\x89r\xe1?\xbdu\x98\xc3\xf8\xd2Q#\xc6g\xa0\x85\xd6G\x85\x11X\x8d,\x02\xd45\xb8\xca\x97\x9d\xcb\x1e\x80\xd6\xd5>N&\xf8#\x80z8Z\xd2}\xf5\xe4\x9f5\x9b\x01\xf9t\xbb\x1er\x14\xdb\xd3\xcd\xfd\xbdnC\xec\x8aog\x87BR\x9d\xad\xd4FcB\xda\x95\xc3\xdd\x9d\x8f\x1a\xce\x18\x80\"j\xe1\xba\x1e\x97uX\xccv\xd6\vcz\x92A^\xbc\xceF\xf7\xe5:\xaf\xc5~\xbcJ e\r\x88c\x9d\xb92\xb6i4zq\xb3c\x0f\xb2t\x93\xf2E6b\xfa\xcdJ5\xe3W]`4\xd8D\x05\v\xfc)\xca\xedQ\xd0]Ot\'\xc2tDF\xf9\xa7\xb5(\x83\xa5\x0f\x1d\x1d\x06Dg\x13>\x19\xe85#\aaT\x89=\x104\xd5\x85Q\x96\x91\xea\x172P\xb3:\xadZ\xbc\xbe\x00\xf0\x14\x96\xd9M\xd7\x88QZs\xb2\xe1+$jfQodH\x05/y`~Mx\x02\x00(v\xe6`\x026\xfcgC\xb5\xf0\x13.zb\xc5bj+@\x00\x00\x00\x00\x00\x00\x00.\xd4`=z\xd1n\x8d\x8f\xa5hS\x8e[\xb3\xa3\x87\xb9\xe2_Z\x11\xef\xc2]V\xf3\x03\x94\xb9\xe1\xa68\x8d\\\xe5\xef\xacpM\xf0\xa6\x04\x10\xb7\xc0t\x83\\\xf7\x12k\x9f\x10\xd5Z\x19\xc1\xc1\x80\\o\x97\xce=U\xdd\xaa\x1b\x05\x14\x13\xa6\xbd#\xde\x04\xe6$\xec$3\xf6\x97\xc6\xeaSL\xb7A72M\x88k@\xe5\xa3\n&\x1e\xc84\xa9\xe2\xccM\x906\x95xQ-2p\xd62\'\xec\x0f\x13;I\x95fE_\r\xe7\t!A\x05\xe4\x8f\x9e0\xf8/T\x18\xf7\xa1\x9f\xde1\xd5\x80<\xf5\b\xa9\xec\x85\xaeW\xb3\xd8#)bn \xfb\xf2\x88\xfaR\xff\xdd\x80\x96_\xec5\xf0\x1c\a\x8a\x80\x00@=\r8u+%f:\x1e\x82\xfap\xf6\x89\xea\xba\xe3\xbbM%F\xdb\\\xd1eJJ*\xc67\xca\x03\xa3\xf7(\xbb\xecN\xd4\xe7\xf2:u\x8a\b\xd5\v\xca\xfd\\\xd6\xe3\x05\xb3\x03\xd5\xe0\xd2\xf2{\'\x8b\xdf\xa1\xbe}\xb2\xe4y\xbb\xe6\x1f\x10c\xf5WQ\x82\x04\x01C\x83,\x90\x1a\xfa\x8e\x17\x89\xe2\xedX\x8d\rmq\t\xb5$\xb4\x9b\x92z\xd6/-\x13,\xb5%\x8eM/\x04\xa7\x7f\x1b\x85\xf1\xa4X\x17\xbb\x1cR14\xfb!\b\x10\xe8\xb2\xd41gK\xe4\xea\xe39d\bL\xe5\x1b\xbd[\x9bWD:\r&\xe9\vn^\xcc\x86\xe3\xce1>3{\xaa{\xbd0P\x9f\xa68\xf5\x82\xb8\x9aD\x9c{\xe6\xf8\xcbD\xb5aJ\xb0\x92\x89\xbc\x80\x1ch\x89\xe7\xdd]q,\xec\xc4\xa5\x93\xe5,\x0e,>/\xaf|\xf0\x01V\x7f\xc9?\xba\x16\xe4$+}5dy\xb1\xef\xf1m\xa5\x94d9\xaf\xcfq\x8b=\x026\xef\r\x91\x18\xc5\xb6\xb9fM\x8ayZ\xbcd\xa5\x8a\x88\x98\xc3\xfc`\xa6\xba\x1f\x17\v$\x88g\xb4\xadz\xc1\xddW\xa6\xc1\xb7\xb0\xa3\x84Q\x13GoU\xe2\xb7\x03\x9c\xd5\x0f\xa8\x0ef\"\x15\x82\xe7\xbd\xf8\xca\x10f\xfe6h\xe9\xc3\xc2\xa0O:\xac~\x1a\xf7\xbeF\xbe\xe5\xf0\x81\xd6&\xc0<Q8\xbeX\xde\xd6 \xef\x0e\xc2.\x9c=1\x15d\xddIv\x0fh\xe6M(D\xad\xeb\xcfX8\xb9\x8d\xbe(\xd3\x16?x\xbd@\x0f\xf5\xdb\xeb\xd7i*\xea\x86JX\xff;\x96\xbb\xa7\xa8u5R\xa2,\xba\xbc\x01\x12\xb3q,\x9d\xf8\xbdb`\xb3\xc6\x0f\xb3\xac\xc7\xa4O@\x81\xfc\x1a4$\x885\x97\xa9|\x99\x86*.\xda\x96RQ\xe5\xb1\xef\xb7\x10\x99\xd4\xa7\b\xcd\xe9\xa5\xf6wR\xc1\xdfH).\a\x9a\xab\x9e&+\xc4#\x90\xc9%\xb9\xd7o\x86\x13\a\xc0\x01w9u6\xdd\x9fJ^o\x1d\xda\x11?\xc1\xf5\xf7\xff\xec\x916\xceQ\xcfU\x035\x96\x8f\xc7\x84\"2\xef\x02\xcf\a+\x8a\xd1\x11\xb5\xa8\x92\f\xb3R\",\xfc!_&pD\xeb5\xc6\xc8\xff2\xee\x14\x83\x14l\x04\x80\xaa7\x80\xf1\x18\xf5\xa5\xd23\xe5\b\x00\xe8\x9c\xd4\xd0\a\x93#\xb9Z\xc0y\x97<\xe5i\xe9\xe4\xb02Cu\xe1d\r\x0e\xc1\xf1\x81^\xa7\xffz)\x19U\xe5\xd4\xf5@O#W\x8a\xbb3c+\n\x97\xa6\xf7\x90$\xd6*\xd0\x1b\x10\xe4HM:XO\x1b\rx\xc7\x12|\x7fN\xc9\xf9i\xe4\xe5-\x9b\xe407\x9d\xe8\xc6\x90\x9f_Jf\x05\r\x1b\x9af\v\xbcv\x83\xf3j\xaf\xd0F91 ^x\x85\x80[\xa3B\n#!\xc2R\xdd\xf4)\xba\x1e\xfb6U\xabc\xda\x9a)\xc3\x9a\x06\xc5\xccP)\xdf.\xa7-\x84\xdf8\xbf\xfc1^}B\xee\xccR/z\x1e\xe8\x1e\x99\x99\n\xf4u\xd4\xbd^L\xb2j\xda\xff\x1d\x10\xc8\xad\xbd_OI\xb1\xe8y\x003\a\x06\x92\x8e\n\x8b\xf3\xd4G\x85\xbd\x1a\x81+3\x99jq\xd1\xacK^\xef\xb6!8\xcd?\x1e\\\x16W2\xbd4$zn\xa9\x7f\x9dE\xaf\x0f\xdb\xe0\xfa\x10\xc3\xb2\xf8\x80\x8c\xec$\xda\xc0\x94y1\t\xc5`\xda\xca\xd1\xab:\x18\x10\x9b\xd0w', 0x0)
write$binfmt_misc(r1, &(0x7f0000000180)="e502", 0x2)
execveat(r1, &(0x7f0000000000)='\x00', 0x0, 0x0, 0x1000)

931.324484ms ago: executing program 0 (id=245):
r0 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="0b0000000700000008000000a6ad6a1a05"], 0x48)
r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000800)={0x11, 0xc, &(0x7f0000000280)=ANY=[@ANYBLOB, @ANYRES32=r0], &(0x7f0000000040)='syzkaller\x00', 0x0, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, @fallback=0x33, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000001c0)={&(0x7f0000000180)='kfree\x00', r1}, 0x10)
syz_mount_image$ext4(&(0x7f0000000040)='ext4\x00', &(0x7f0000000200)='./file1\x00', 0x0, &(0x7f00000001c0)={[{@noinit_itable}]}, 0x1, 0x512, &(0x7f0000000c40)="$eJzs3W1rZFcdAPD/vcmk2d3UTFVkLdgWW9ktujNJY9so0lYQfVVQ6/s1JpMQMsmEzKRuQtEsfgBBRAU/gG8EP4Ag+xFEWND3oqKI7upL3St35kbzMJMMySSzTn4/OJlz7sP5n3PJ3LkPh3sDuLJeioh3ImIsIl6NiOlielqk2OukfLnHjz5YzFMSWfbe35JIimn7deXl8Yi4Uaw2GRFf/0rEt5LjcZs7u2sL9XptqyhXW+ub1ebO7p3V9YWV2kptY25u9o35N+dfn5/JCufqZzki3vrSn370/Z99+a1ffebbv7/7l9vfyZv1hY912h0Ri+cK0EOn7lJ7W+zLt9HWRQQbkrw/pbFhtwIAgH7kx/gfjohPto//p2OsfTQHAAAAjJLs7an4VxKRAQAAACMrjYipSNJKMRZgKtK0UumM4f1oXE/rjWbr08uN7Y2lfF5EOUrp8mq9NlOMFS5HKcnLs8UY2/3ya0fKcxHxXET8cPpau1xZbNSXhn3xAwAAAK6IGy8ePv//53TazgMAAAAjptyzAAAAAIwKp/wAAAAw+pz/AwAAwEj76rvv5inbf4/30vs722uN9+8s1ZprlfXtxcpiY2uzstJorLSf2bd+Wn31RmPzs7Gxfa/aqjVb1ebO7t31xvZG6+7qoVdgAwAAAJfouRcf/C6JiL3PX2unKJ4DCHDIH4fdAGCQxobdAGBoxofdAGBoSqcuYQ8Boy45Zf7xwTuda4Xx64tpDwAAMHi3Pn78/v9EMe/0awPA/zNjfQDg6nF3D66u0llHAN4cdEuAYflQ5+OZXvN7Pryjj/v/nWsMWXamhgEAAAMz1U5JWimO06ciTSuViGfbrwUoJcur9dpMcX7w2+nSM3l5tr1mcuqYYQAAAAAAAAAAAAAAAAAAAAAAAACgI8uSyAAAAICRFpH+OWk/zT/i1vQrU4evDhx569dP3/vxvYVWa2s2YiL5+3Q+aSIiWj8ppr+WeSUAAAAAPAU65+nF5+ywWwMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAqHn86IPF/XSZcf/6xYgod4s/HpPtz8koRcT1fyQxfmC9JCLGBhB/735E3OwWP4knWZaVi1Z0i3/tguOX25ume/w0Im4MID5cZQ/y/c873b5/abzU/uz+/Rsv0nn13v+l/93/jfXY/zx7pNzL8w9/Ue0Z/37E8+Pd9z/78ZNO/EMh8sLLffbxm9/Y3e0640CV3eIfjFVtrW9Wmzu7d1bXF1ZqK7WNubnZN+bfnH99fqa6vFqvFX+7hvnBJ3755KT+X+8Rv3y4/8e2/yt99T6Lfz+89+gjnUKpW/zbL3f//b3ZI35a/PZ9qsjn82/t5/c6+YNe+PlvXjip/0s9+j95Sv9v99X/+NyrX/veH7rOObY1AIDL0NzZXVuo12tbJ2Qm+1jmkjNvPx3NGGAmno5mDCuTfbfz/3i+es65+rFMdp7Vx2MAzZg49j0di7NWmETs5XX1+Q8JAACMmP8d9J90BwkAAAAAAAAAAAAAAAAAAAC4SGd8LNlkRPS98NGYe8PpKgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAif4TAAD//4RX0Xo=")

914.065348ms ago: executing program 4 (id=246):
bpf$TOKEN_CREATE(0x24, 0x0, 0x0)
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000640)=ANY=[@ANYBLOB="160000000000000004000000ff"], 0x48)
bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000a40)={0x3, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000005900000095"], 0x0, 0x0, 0x0, 0x0, 0x41100, 0x59}, 0x94)
r1 = bpf$PROG_LOAD(0x5, &(0x7f00000007c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000880)='GPL\x00', 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000001c0)={&(0x7f0000000080)='kfree\x00', r1}, 0x10)
r2 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000240)={'veth1_to_bridge\x00', <r3=>0x0})
sendmsg$nl_route_sched(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000580)={&(0x7f00000001c0)=@newqdisc={0x2c, 0x24, 0x4ee4e6a52ff56541, 0x0, 0x0, {0x0, 0x0, 0x0, r3, {0x0, 0xb}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_mq={0x7}]}, 0x2c}, 0x1, 0x0, 0x0, 0x20000001}, 0x0)

208.155µs ago: executing program 3 (id=247):
timer_settime(0x0, 0x1, 0x0, 0x0)
r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000900)={0x11, 0xb, &(0x7f00000002c0)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020782500000000002020207b1af8fe00000000bfa100000000000007010000f8ffffffb702000008000000b703000007000000850000001100000095"], &(0x7f0000000100)='GPL\x00', 0x4, 0x0, 0x0, 0x41000, 0x9, '\x00', 0x0, @fallback=0x3, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000040)='sched_switch\x00', r0}, 0x78)
syz_mount_image$vfat(&(0x7f0000000000), &(0x7f0000000280)='./file1\x00', 0x14552, &(0x7f0000000b40)=ANY=[], 0xfb, 0x1219, &(0x7f0000001100)="$eJzs28FrXEUcB/BfkqapqclGrdUWxEEvFeTR5OBFL0FSkC4obSO0gvBqXnTJczfkLYEVsXry6t8hggjeBPGml1z8DwRvuXisID7JrrZd3RVWQjfI53PZH8z7zs7ssAuzzBy+8tn7O9tVtp13Y3ZmJmZ3I9LdFClm4y8fxwsvf//DM9dv3rq63mxuXEvpyvqN1ZdSSsvPfvvWh18891337JtfL3+zEAcrbx/+svbzwfmDC4e/33ivVaVWldqdbsrT7U6nm98ui7TVqnaylN4oi7wqUqtdFXtD7dtlZ3e3l/L21tLi7l5RVSlv99JO0UvdTuru9VL+bt5qpyzL0tJiMLlT96rNz+/WdR1R1/NxOuq6rh+JxTgbj8ZSLEcjVuKxeDyeiHPxZJyPp+Lp+OqnL3tHCQAAAAAAAAAAAAAAAAAAAOD4THr//0L/qWmPGgAAAAAAAAAAAAAAAAAAAP5frt+8dXW92dy4ltKZiPLT/c39zcHroH19O1pRRhGXoxG/Rf/2/8CgvvJac+Ny6luJT8o7f+bv7G/ODedXoxEvjs6vDvJpOL8Qiw/m16IR50bl52NtZP5MXHr+gXwWjfjxnehEGVtxlL3//h+tpvTq682/5S/2nxtv7mEsDwAAAByLLN0zcv+eZePaB/kJ/h8Y2l8fZS+emurUiYiq98FOXpbFnmJkcelkDKNfnD7ODucjYrLUr3VdT/9DmFIx/puyEBH/ueeZiDgZE/xHMe1fJh6G+4s+7ZEAAAAAAAAAAAAwibHHABf+7YTg3ETHCac9RwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD+YAeOBQAAAACE+Vun0bEBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAfBUAAP//0AbP3Q==")
openat(0xffffffffffffff9c, &(0x7f0000000200)='./bus\x00', 0x141842, 0x0)
r1 = open(&(0x7f0000000080)='./bus\x00', 0x181102, 0x0)
ftruncate(r1, 0x2007ffb)

0s ago: executing program 0 (id=248):
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r0, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty, 0x200000}, 0x1c)
r1 = socket$netlink(0x10, 0x3, 0x10)
bind$netlink(r1, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc)
listen(r0, 0x9)
r2 = socket$inet_mptcp(0x2, 0x1, 0x106)
sendmmsg(r2, &(0x7f0000002840)=[{{0x0, 0x0, 0x0}}], 0x1, 0x20044000)
connect$inet(r2, &(0x7f0000000000)={0x2, 0x4e22, @empty}, 0x10)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000740), 0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_FLUSH_ADDRS(r3, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000004c0)=ANY=[@ANYBLOB="14000000", @ANYRES16=r4, @ANYBLOB="01002cbd7000ffdbdf2504"], 0x14}, 0x1, 0x1000000, 0x0, 0x20000800}, 0x800)

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.1.41' (ED25519) to the list of known hosts.
[   93.412937][ T5809] cgroup: Unknown subsys name 'net'
[   93.624370][ T5809] cgroup: Unknown subsys name 'cpuset'
[   93.633872][ T5809] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   95.364332][ T5809] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   97.789918][ T5823] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   97.798388][ T5823] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   97.806445][ T5823] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   97.815616][ T5823] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   97.823007][ T5823] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   97.830438][ T5823] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   97.839907][ T5824] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   97.847983][ T5824] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   97.848208][ T5823] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   97.861215][ T5824] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   97.870156][ T5824] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   97.877331][ T5823] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   97.885210][ T5823] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   97.885923][ T5824] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   97.900611][ T5823] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   97.960041][ T5142] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1
[   97.967993][ T5142] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9
[   97.976876][ T5142] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9
[   97.985632][ T5142] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4
[   97.993505][ T5142] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2
[   98.007729][ T5823] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   98.016104][ T5823] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   98.024285][ T5823] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   98.033383][ T5823] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   98.034199][ T5824] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   98.050845][ T5824] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   98.058640][ T5826] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   98.066627][ T5826] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   98.082276][ T5824] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   98.091441][ T5824] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   98.823784][ T5825] chnl_net:caif_netlink_parms(): no params data found
[   98.926943][ T5820] chnl_net:caif_netlink_parms(): no params data found
[   99.032917][ T5833] chnl_net:caif_netlink_parms(): no params data found
[   99.158974][ T5821] chnl_net:caif_netlink_parms(): no params data found
[   99.284935][ T5834] chnl_net:caif_netlink_parms(): no params data found
[   99.357020][ T5825] bridge0: port 1(bridge_slave_0) entered blocking state
[   99.364478][ T5825] bridge0: port 1(bridge_slave_0) entered disabled state
[   99.372249][ T5825] bridge_slave_0: entered allmulticast mode
[   99.379833][ T5825] bridge_slave_0: entered promiscuous mode
[   99.454906][ T5825] bridge0: port 2(bridge_slave_1) entered blocking state
[   99.462448][ T5825] bridge0: port 2(bridge_slave_1) entered disabled state
[   99.469566][ T5825] bridge_slave_1: entered allmulticast mode
[   99.477148][ T5825] bridge_slave_1: entered promiscuous mode
[   99.511089][ T5831] chnl_net:caif_netlink_parms(): no params data found
[   99.570726][ T5820] bridge0: port 1(bridge_slave_0) entered blocking state
[   99.577880][ T5820] bridge0: port 1(bridge_slave_0) entered disabled state
[   99.585456][ T5820] bridge_slave_0: entered allmulticast mode
[   99.593057][ T5820] bridge_slave_0: entered promiscuous mode
[   99.655837][ T5820] bridge0: port 2(bridge_slave_1) entered blocking state
[   99.663059][ T5820] bridge0: port 2(bridge_slave_1) entered disabled state
[   99.670177][ T5820] bridge_slave_1: entered allmulticast mode
[   99.678193][ T5820] bridge_slave_1: entered promiscuous mode
[   99.712609][ T5825] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   99.737098][ T5821] bridge0: port 1(bridge_slave_0) entered blocking state
[   99.744693][ T5821] bridge0: port 1(bridge_slave_0) entered disabled state
[   99.751925][ T5821] bridge_slave_0: entered allmulticast mode
[   99.759608][ T5821] bridge_slave_0: entered promiscuous mode
[   99.767513][ T5833] bridge0: port 1(bridge_slave_0) entered blocking state
[   99.774882][ T5833] bridge0: port 1(bridge_slave_0) entered disabled state
[   99.782281][ T5833] bridge_slave_0: entered allmulticast mode
[   99.789693][ T5833] bridge_slave_0: entered promiscuous mode
[   99.840873][ T5825] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   99.850095][ T5821] bridge0: port 2(bridge_slave_1) entered blocking state
[   99.857581][ T5821] bridge0: port 2(bridge_slave_1) entered disabled state
[   99.865693][ T5821] bridge_slave_1: entered allmulticast mode
[   99.873255][ T5821] bridge_slave_1: entered promiscuous mode
[   99.880535][ T5833] bridge0: port 2(bridge_slave_1) entered blocking state
[   99.887692][ T5833] bridge0: port 2(bridge_slave_1) entered disabled state
[   99.895639][ T5833] bridge_slave_1: entered allmulticast mode
[   99.900887][   T53] Bluetooth: hci2: command tx timeout
[   99.903614][ T5833] bridge_slave_1: entered promiscuous mode
[   99.933892][ T5834] bridge0: port 1(bridge_slave_0) entered blocking state
[   99.941128][ T5834] bridge0: port 1(bridge_slave_0) entered disabled state
[   99.948245][ T5834] bridge_slave_0: entered allmulticast mode
[   99.955912][ T5834] bridge_slave_0: entered promiscuous mode
[   99.970340][   T53] Bluetooth: hci0: command tx timeout
[   99.980297][   T53] Bluetooth: hci1: command tx timeout
[  100.015253][ T5820] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  100.031394][ T5834] bridge0: port 2(bridge_slave_1) entered blocking state
[  100.038501][ T5834] bridge0: port 2(bridge_slave_1) entered disabled state
[  100.046576][ T5834] bridge_slave_1: entered allmulticast mode
[  100.054117][ T5834] bridge_slave_1: entered promiscuous mode
[  100.060829][   T53] Bluetooth: hci5: command tx timeout
[  100.104975][ T5820] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[  100.130401][ T5142] Bluetooth: hci4: command tx timeout
[  100.136432][   T53] Bluetooth: hci3: command tx timeout
[  100.161781][ T5825] team0: Port device team_slave_0 added
[  100.170423][ T5821] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  100.182614][ T5833] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  100.236504][ T5825] team0: Port device team_slave_1 added
[  100.244889][ T5821] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[  100.256465][ T5833] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[  100.279809][ T5831] bridge0: port 1(bridge_slave_0) entered blocking state
[  100.287041][ T5831] bridge0: port 1(bridge_slave_0) entered disabled state
[  100.294344][ T5831] bridge_slave_0: entered allmulticast mode
[  100.302096][ T5831] bridge_slave_0: entered promiscuous mode
[  100.312544][ T5834] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  100.364513][ T5820] team0: Port device team_slave_0 added
[  100.371041][ T5831] bridge0: port 2(bridge_slave_1) entered blocking state
[  100.378519][ T5831] bridge0: port 2(bridge_slave_1) entered disabled state
[  100.385711][ T5831] bridge_slave_1: entered allmulticast mode
[  100.393677][ T5831] bridge_slave_1: entered promiscuous mode
[  100.403155][ T5834] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[  100.456939][ T5820] team0: Port device team_slave_1 added
[  100.491253][ T5825] batman_adv: batadv0: Adding interface: batadv_slave_0
[  100.498186][ T5825] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[  100.524365][ T5825] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[  100.537913][ T5821] team0: Port device team_slave_0 added
[  100.546428][ T5833] team0: Port device team_slave_0 added
[  100.593401][ T5825] batman_adv: batadv0: Adding interface: batadv_slave_1
[  100.600717][ T5825] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[  100.627510][ T5825] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[  100.643200][ T5821] team0: Port device team_slave_1 added
[  100.651858][ T5833] team0: Port device team_slave_1 added
[  100.673635][ T5831] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  100.686044][ T5834] team0: Port device team_slave_0 added
[  100.701676][ T5834] team0: Port device team_slave_1 added
[  100.748592][ T5820] batman_adv: batadv0: Adding interface: batadv_slave_0
[  100.755827][ T5820] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[  100.782797][ T5820] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[  100.797987][ T5831] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[  100.875043][ T5820] batman_adv: batadv0: Adding interface: batadv_slave_1
[  100.882045][ T5820] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[  100.908716][ T5820] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[  100.942663][ T5834] batman_adv: batadv0: Adding interface: batadv_slave_0
[  100.949605][ T5834] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[  100.975881][ T5834] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[  100.987848][ T5821] batman_adv: batadv0: Adding interface: batadv_slave_0
[  100.995096][ T5821] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[  101.021291][ T5821] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[  101.033747][ T5833] batman_adv: batadv0: Adding interface: batadv_slave_0
[  101.040951][ T5833] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[  101.067282][ T5833] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[  101.098974][ T5831] team0: Port device team_slave_0 added
[  101.105449][ T5834] batman_adv: batadv0: Adding interface: batadv_slave_1
[  101.112773][ T5834] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[  101.138960][ T5834] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[  101.152963][ T5821] batman_adv: batadv0: Adding interface: batadv_slave_1
[  101.159910][ T5821] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[  101.191069][ T5821] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[  101.203684][ T5833] batman_adv: batadv0: Adding interface: batadv_slave_1
[  101.210813][ T5833] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[  101.237551][ T5833] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[  101.304559][ T5825] hsr_slave_0: entered promiscuous mode
[  101.311641][ T5825] hsr_slave_1: entered promiscuous mode
[  101.326023][ T5831] team0: Port device team_slave_1 added
[  101.399151][ T5831] batman_adv: batadv0: Adding interface: batadv_slave_0
[  101.406248][ T5831] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[  101.434534][  T974] cfg80211: failed to load regulatory.db
[  101.440479][ T5831] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[  101.512334][ T5831] batman_adv: batadv0: Adding interface: batadv_slave_1
[  101.519268][ T5831] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[  101.545702][ T5831] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[  101.569784][ T5820] hsr_slave_0: entered promiscuous mode
[  101.576268][ T5820] hsr_slave_1: entered promiscuous mode
[  101.582911][ T5820] debugfs: 'hsr0' already exists in 'hsr'
[  101.588672][ T5820] Cannot create hsr debugfs directory
[  101.666840][ T5821] hsr_slave_0: entered promiscuous mode
[  101.673802][ T5821] hsr_slave_1: entered promiscuous mode
[  101.679964][ T5821] debugfs: 'hsr0' already exists in 'hsr'
[  101.686212][ T5821] Cannot create hsr debugfs directory
[  101.698644][ T5834] hsr_slave_0: entered promiscuous mode
[  101.707293][ T5834] hsr_slave_1: entered promiscuous mode
[  101.714509][ T5834] debugfs: 'hsr0' already exists in 'hsr'
[  101.721204][ T5834] Cannot create hsr debugfs directory
[  101.783561][ T5833] hsr_slave_0: entered promiscuous mode
[  101.790016][ T5833] hsr_slave_1: entered promiscuous mode
[  101.796563][ T5833] debugfs: 'hsr0' already exists in 'hsr'
[  101.802328][ T5833] Cannot create hsr debugfs directory
[  101.971200][   T53] Bluetooth: hci2: command tx timeout
[  101.972568][ T5831] hsr_slave_0: entered promiscuous mode
[  101.983340][ T5831] hsr_slave_1: entered promiscuous mode
[  101.989484][ T5831] debugfs: 'hsr0' already exists in 'hsr'
[  101.995514][ T5831] Cannot create hsr debugfs directory
[  102.050747][   T53] Bluetooth: hci1: command tx timeout
[  102.050778][ T5142] Bluetooth: hci0: command tx timeout
[  102.130896][ T5142] Bluetooth: hci5: command tx timeout
[  102.210744][ T5142] Bluetooth: hci3: command tx timeout
[  102.210758][   T53] Bluetooth: hci4: command tx timeout
[  102.557864][ T5825] netdevsim netdevsim1 netdevsim0: renamed from eth0
[  102.594187][ T5825] netdevsim netdevsim1 netdevsim1: renamed from eth1
[  102.612325][ T5825] netdevsim netdevsim1 netdevsim2: renamed from eth2
[  102.641850][ T5825] netdevsim netdevsim1 netdevsim3: renamed from eth3
[  102.715463][ T5821] netdevsim netdevsim0 netdevsim0: renamed from eth0
[  102.740005][ T5821] netdevsim netdevsim0 netdevsim1: renamed from eth1
[  102.752412][ T5821] netdevsim netdevsim0 netdevsim2: renamed from eth2
[  102.777301][ T5821] netdevsim netdevsim0 netdevsim3: renamed from eth3
[  102.867074][ T5820] netdevsim netdevsim2 netdevsim0: renamed from eth0
[  102.888679][ T5820] netdevsim netdevsim2 netdevsim1: renamed from eth1
[  102.904119][ T5820] netdevsim netdevsim2 netdevsim2: renamed from eth2
[  102.915623][ T5820] netdevsim netdevsim2 netdevsim3: renamed from eth3
[  103.028468][ T5834] netdevsim netdevsim5 netdevsim0: renamed from eth0
[  103.044903][ T5834] netdevsim netdevsim5 netdevsim1: renamed from eth1
[  103.058291][ T5834] netdevsim netdevsim5 netdevsim2: renamed from eth2
[  103.075009][ T5834] netdevsim netdevsim5 netdevsim3: renamed from eth3
[  103.116904][ T5825] 8021q: adding VLAN 0 to HW filter on device bond0
[  103.214828][ T5833] netdevsim netdevsim3 netdevsim0: renamed from eth0
[  103.237346][ T5825] 8021q: adding VLAN 0 to HW filter on device team0
[  103.246770][ T5833] netdevsim netdevsim3 netdevsim1: renamed from eth1
[  103.267375][ T5833] netdevsim netdevsim3 netdevsim2: renamed from eth2
[  103.310800][ T5821] 8021q: adding VLAN 0 to HW filter on device bond0
[  103.317745][ T5833] netdevsim netdevsim3 netdevsim3: renamed from eth3
[  103.350343][ T1100] bridge0: port 1(bridge_slave_0) entered blocking state
[  103.357567][ T1100] bridge0: port 1(bridge_slave_0) entered forwarding state
[  103.394258][ T1100] bridge0: port 2(bridge_slave_1) entered blocking state
[  103.401381][ T1100] bridge0: port 2(bridge_slave_1) entered forwarding state
[  103.467075][ T5821] 8021q: adding VLAN 0 to HW filter on device team0
[  103.476541][ T5831] netdevsim netdevsim4 netdevsim0: renamed from eth0
[  103.499050][ T5831] netdevsim netdevsim4 netdevsim1: renamed from eth1
[  103.522258][ T5831] netdevsim netdevsim4 netdevsim2: renamed from eth2
[  103.537769][ T1153] bridge0: port 1(bridge_slave_0) entered blocking state
[  103.544906][ T1153] bridge0: port 1(bridge_slave_0) entered forwarding state
[  103.558281][ T5831] netdevsim netdevsim4 netdevsim3: renamed from eth3
[  103.597476][ T1153] bridge0: port 2(bridge_slave_1) entered blocking state
[  103.604596][ T1153] bridge0: port 2(bridge_slave_1) entered forwarding state
[  103.632123][ T5820] 8021q: adding VLAN 0 to HW filter on device bond0
[  103.740097][ T5834] 8021q: adding VLAN 0 to HW filter on device bond0
[  103.786974][ T5820] 8021q: adding VLAN 0 to HW filter on device team0
[  103.839106][ T3414] bridge0: port 1(bridge_slave_0) entered blocking state
[  103.846274][ T3414] bridge0: port 1(bridge_slave_0) entered forwarding state
[  103.903773][ T5834] 8021q: adding VLAN 0 to HW filter on device team0
[  103.929838][ T3414] bridge0: port 2(bridge_slave_1) entered blocking state
[  103.937004][ T3414] bridge0: port 2(bridge_slave_1) entered forwarding state
[  103.950141][ T3414] bridge0: port 1(bridge_slave_0) entered blocking state
[  103.957305][ T3414] bridge0: port 1(bridge_slave_0) entered forwarding state
[  103.993855][ T5833] 8021q: adding VLAN 0 to HW filter on device bond0
[  104.023505][ T3549] bridge0: port 2(bridge_slave_1) entered blocking state
[  104.030703][ T3549] bridge0: port 2(bridge_slave_1) entered forwarding state
[  104.051145][   T53] Bluetooth: hci2: command tx timeout
[  104.135204][   T53] Bluetooth: hci0: command tx timeout
[  104.135217][ T5142] Bluetooth: hci1: command tx timeout
[  104.183772][ T5833] 8021q: adding VLAN 0 to HW filter on device team0
[  104.211039][ T5142] Bluetooth: hci5: command tx timeout
[  104.224315][ T5831] 8021q: adding VLAN 0 to HW filter on device bond0
[  104.247372][ T1100] bridge0: port 1(bridge_slave_0) entered blocking state
[  104.254530][ T1100] bridge0: port 1(bridge_slave_0) entered forwarding state
[  104.285999][ T1153] bridge0: port 2(bridge_slave_1) entered blocking state
[  104.293116][ T1153] bridge0: port 2(bridge_slave_1) entered forwarding state
[  104.301589][ T5142] Bluetooth: hci4: command tx timeout
[  104.301765][   T53] Bluetooth: hci3: command tx timeout
[  104.323966][ T5825] 8021q: adding VLAN 0 to HW filter on device batadv0
[  104.387700][ T5831] 8021q: adding VLAN 0 to HW filter on device team0
[  104.442807][ T3549] bridge0: port 1(bridge_slave_0) entered blocking state
[  104.449945][ T3549] bridge0: port 1(bridge_slave_0) entered forwarding state
[  104.505640][ T5821] 8021q: adding VLAN 0 to HW filter on device batadv0
[  104.541377][ T4322] bridge0: port 2(bridge_slave_1) entered blocking state
[  104.548513][ T4322] bridge0: port 2(bridge_slave_1) entered forwarding state
[  104.815231][ T5825] veth0_vlan: entered promiscuous mode
[  104.823933][ T5820] 8021q: adding VLAN 0 to HW filter on device batadv0
[  104.880983][ T5825] veth1_vlan: entered promiscuous mode
[  104.961658][ T5821] veth0_vlan: entered promiscuous mode
[  105.003022][ T5834] 8021q: adding VLAN 0 to HW filter on device batadv0
[  105.033860][ T5821] veth1_vlan: entered promiscuous mode
[  105.134158][ T5825] veth0_macvtap: entered promiscuous mode
[  105.175220][ T5825] veth1_macvtap: entered promiscuous mode
[  105.204544][ T5833] 8021q: adding VLAN 0 to HW filter on device batadv0
[  105.230177][ T5820] veth0_vlan: entered promiscuous mode
[  105.280826][ T5821] veth0_macvtap: entered promiscuous mode
[  105.312772][ T5825] batman_adv: batadv0: Interface activated: batadv_slave_0
[  105.327773][ T5831] 8021q: adding VLAN 0 to HW filter on device batadv0
[  105.354040][ T5821] veth1_macvtap: entered promiscuous mode
[  105.378922][ T5820] veth1_vlan: entered promiscuous mode
[  105.409339][ T5825] batman_adv: batadv0: Interface activated: batadv_slave_1
[  105.486181][ T1138] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[  105.520835][ T1138] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[  105.529581][ T1138] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[  105.556015][ T1138] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[  105.629550][ T5821] batman_adv: batadv0: Interface activated: batadv_slave_0
[  105.639124][ T5820] veth0_macvtap: entered promiscuous mode
[  105.653714][ T5833] veth0_vlan: entered promiscuous mode
[  105.682673][ T5821] batman_adv: batadv0: Interface activated: batadv_slave_1
[  105.694016][ T5820] veth1_macvtap: entered promiscuous mode
[  105.746055][ T1153] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[  105.757419][ T5833] veth1_vlan: entered promiscuous mode
[  105.778450][ T1153] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[  105.796338][   T51] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[  105.819831][   T51] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[  105.828939][ T1153] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[  105.850482][ T1153] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[  105.916597][ T5820] batman_adv: batadv0: Interface activated: batadv_slave_0
[  105.954657][   T51] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[  105.967519][   T51] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[  105.968469][ T5820] batman_adv: batadv0: Interface activated: batadv_slave_1
[  106.058166][ T5834] veth0_vlan: entered promiscuous mode
[  106.085794][   T51] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[  106.096408][ T3414] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[  106.116988][ T3414] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[  106.117810][ T5825] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[  106.140522][   T53] Bluetooth: hci2: command tx timeout
[  106.161959][   T51] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[  106.191069][   T51] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[  106.209396][ T1138] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[  106.212830][ T5833] veth0_macvtap: entered promiscuous mode
[  106.221209][   T53] Bluetooth: hci1: command tx timeout
[  106.223057][ T5142] Bluetooth: hci0: command tx timeout
[  106.234126][ T1138] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[  106.291102][ T5142] Bluetooth: hci5: command tx timeout
[  106.297380][   T51] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[  106.307657][ T5834] veth1_vlan: entered promiscuous mode
[  106.339945][ T5833] veth1_macvtap: entered promiscuous mode
[  106.351824][ T5831] veth0_vlan: entered promiscuous mode
[  106.365770][ T5966] tipc: Started in network mode
[  106.371163][ T5142] Bluetooth: hci4: command tx timeout
[  106.377694][ T5966] tipc: Node identity ac1414aa, cluster identity 4711
[  106.384631][ T5142] Bluetooth: hci3: command tx timeout
[  106.392868][ T5966] tipc: Enabled bearer <udp:syz2>, priority 10
[  106.411458][ T5831] veth1_vlan: entered promiscuous mode
[  106.424154][ T5966] tipc: Enabled bearer <eth:ip6_vti0>, priority 10
[  106.565661][ T5833] batman_adv: batadv0: Interface activated: batadv_slave_0
[  106.633982][   T31] audit: type=1326 audit(1766901974.405:2): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5968 comm="syz.0.1" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  106.658957][ T5831] veth0_macvtap: entered promiscuous mode
[  106.683268][ T5833] batman_adv: batadv0: Interface activated: batadv_slave_1
[  106.693727][ T5969] loop0: detected capacity change from 0 to 512
[  106.701658][   T31] audit: type=1326 audit(1766901974.405:3): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5968 comm="syz.0.1" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  106.705841][ T5971] netlink: 'syz.1.7': attribute type 1 has an invalid length.
[  106.732081][ T1153] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[  106.740200][ T1153] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[  106.742598][ T5969] EXT4-fs (loop0): feature flags set on rev 0 fs, running e2fsck is recommended
[  106.760047][   T31] audit: type=1326 audit(1766901974.405:4): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5968 comm="syz.0.1" exe="/root/syz-executor" sig=0 arch=c000003e syscall=321 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  106.764505][ T5831] veth1_macvtap: entered promiscuous mode
[  106.812257][ T5969] EXT4-fs (loop0): orphan cleanup on readonly fs
[  106.829342][   T31] audit: type=1326 audit(1766901974.405:5): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5968 comm="syz.0.1" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  106.835884][ T5834] veth0_macvtap: entered promiscuous mode
[  106.873252][ T5969] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:4214: comm syz.0.1: Allocating blocks 41-42 which overlap fs metadata
[  106.881712][   T31] audit: type=1326 audit(1766901974.405:6): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5968 comm="syz.0.1" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  106.894487][ T5969] Quota error (device loop0): write_blk: dquota write failed
[  106.920495][ T5969] Quota error (device loop0): find_free_dqentry: Can't write quota data block 5
[  106.944039][ T5969] Quota error (device loop0): qtree_write_dquot: Error -117 occurred while creating quota
[  106.955289][   T31] audit: type=1326 audit(1766901974.415:7): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5968 comm="syz.0.1" exe="/root/syz-executor" sig=0 arch=c000003e syscall=257 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  106.978994][ T5969] EXT4-fs error (device loop0): ext4_acquire_dquot:6984: comm syz.0.1: Failed to acquire dquot type 1
[  106.992922][   T31] audit: type=1326 audit(1766901974.415:8): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5968 comm="syz.0.1" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  107.012196][ T5969] EXT4-fs error (device loop0): mb_free_blocks:2034: group 0, inode 12: block 14:freeing already freed block (bit 14); block bitmap corrupt.
[  107.034956][ T5969] EXT4-fs error (device loop0): ext4_do_update_inode:5617: inode #12: comm syz.0.1: corrupted inode contents
[  107.036517][ T3414] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[  107.052593][ T5969] EXT4-fs error (device loop0): ext4_dirty_inode:6502: inode #12: comm syz.0.1: mark_inode_dirty error
[  107.060866][ T5834] veth1_macvtap: entered promiscuous mode
[  107.075769][ T5969] EXT4-fs error (device loop0): ext4_do_update_inode:5617: inode #12: comm syz.0.1: corrupted inode contents
[  107.088764][ T5969] EXT4-fs error (device loop0): __ext4_ext_dirty:206: inode #12: comm syz.0.1: mark_inode_dirty error
[  107.113176][ T3414] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[  107.125597][ T5969] EXT4-fs error (device loop0): ext4_do_update_inode:5617: inode #12: comm syz.0.1: corrupted inode contents
[  107.134609][ T5831] batman_adv: batadv0: Interface activated: batadv_slave_0
[  107.145852][ T5969] EXT4-fs error (device loop0) in ext4_orphan_del:303: Corrupt filesystem
[  107.157756][ T5969] EXT4-fs error (device loop0): ext4_do_update_inode:5617: inode #12: comm syz.0.1: corrupted inode contents
[  107.169487][ T3414] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[  107.190765][ T5969] EXT4-fs error (device loop0): ext4_truncate:4635: inode #12: comm syz.0.1: mark_inode_dirty error
[  107.203818][ T5969] EXT4-fs error (device loop0) in ext4_process_orphan:345: Corrupt filesystem
[  107.207742][ T1153] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[  107.225002][ T3414] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[  107.230296][ T1153] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[  107.257338][ T5969] EXT4-fs (loop0): 1 truncate cleaned up
[  107.269070][ T5969] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 ro without journal. Quota mode: writeback.
[  107.292942][ T5969] EXT4-fs (loop0): unmounting filesystem 00000000-0000-0000-0000-000000000000.
[  107.307992][ T5834] batman_adv: batadv0: Interface activated: batadv_slave_0
[  107.335281][ T5831] batman_adv: batadv0: Interface activated: batadv_slave_1
[  107.372966][ T5834] batman_adv: batadv0: Interface activated: batadv_slave_1
[  107.438943][   T12] netdevsim netdevsim4 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[  107.461796][  T788] tipc: Node number set to 2886997162
[  107.468623][   T12] netdevsim netdevsim4 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[  107.571708][   T12] netdevsim netdevsim4 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[  107.667814][   T12] netdevsim netdevsim4 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[  107.704221][   T12] netdevsim netdevsim5 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[  108.454662][   T12] netdevsim netdevsim5 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[  108.520346][   T61] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[  108.572379][   T61] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[  108.603268][   T12] netdevsim netdevsim5 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[  108.667589][   T12] netdevsim netdevsim5 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[  108.783157][ T5992] loop0: detected capacity change from 0 to 512
[  108.812007][ T5991] loop1: detected capacity change from 0 to 1024
[  108.826309][ T5992] EXT4-fs (loop0): feature flags set on rev 0 fs, running e2fsck is recommended
[  108.831169][   T61] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[  108.861481][   T61] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[  108.861637][ T5991] EXT4-fs: Ignoring removed nomblk_io_submit option
[  108.886194][ T5992] EXT4-fs (loop0): orphan cleanup on readonly fs
[  108.954291][ T5992] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:4214: comm syz.0.14: Allocating blocks 41-42 which overlap fs metadata
[  109.003599][ T5992] EXT4-fs error (device loop0): ext4_acquire_dquot:6984: comm syz.0.14: Failed to acquire dquot type 1
[  109.053194][ T5992] EXT4-fs error (device loop0): mb_free_blocks:2034: group 0, inode 12: block 14:freeing already freed block (bit 14); block bitmap corrupt.
[  109.064716][ T1100] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[  109.071811][ T5991] EXT4-fs (loop1): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
[  109.103348][ T1100] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[  109.136421][ T5992] EXT4-fs error (device loop0): ext4_do_update_inode:5617: inode #12: comm syz.0.14: corrupted inode contents
[  109.192877][ T5992] EXT4-fs error (device loop0): ext4_dirty_inode:6502: inode #12: comm syz.0.14: mark_inode_dirty error
[  109.230862][ T5992] EXT4-fs error (device loop0): ext4_do_update_inode:5617: inode #12: comm syz.0.14: corrupted inode contents
[  109.245827][ T1138] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[  109.267699][ T1138] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[  109.277462][ T5992] EXT4-fs error (device loop0): __ext4_ext_dirty:206: inode #12: comm syz.0.14: mark_inode_dirty error
[  109.316155][ T5992] EXT4-fs error (device loop0): ext4_do_update_inode:5617: inode #12: comm syz.0.14: corrupted inode contents
[  109.378402][ T5992] EXT4-fs error (device loop0) in ext4_orphan_del:303: Corrupt filesystem
[  109.390420][ T3549] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[  109.403815][ T5992] EXT4-fs error (device loop0): ext4_do_update_inode:5617: inode #12: comm syz.0.14: corrupted inode contents
[  109.425376][ T3549] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[  109.461682][ T5992] EXT4-fs error (device loop0): ext4_truncate:4635: inode #12: comm syz.0.14: mark_inode_dirty error
[  109.483685][ T6006] syz_tun: entered allmulticast mode
[  109.517188][ T3549] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[  109.532247][ T5992] EXT4-fs error (device loop0) in ext4_process_orphan:345: Corrupt filesystem
[  109.543629][ T3549] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[  109.563126][ T5992] EXT4-fs (loop0): 1 truncate cleaned up
[  109.578048][ T6002] syz_tun: left allmulticast mode
[  109.586240][ T5992] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 ro without journal. Quota mode: writeback.
[  109.845923][ T5992] =======================================================
[  109.845923][ T5992] WARNING: The mand mount option has been deprecated and
[  109.845923][ T5992]          and is ignored by this kernel. Remove the mand
[  109.845923][ T5992]          option from the mount to silence this warning.
[  109.845923][ T5992] =======================================================
[  109.849538][ T5992] EXT4-fs: Journaled quota options ignored when QUOTA feature is enabled
[  110.048133][ T5821] EXT4-fs (loop0): unmounting filesystem 00000000-0000-0000-0000-000000000000.
[  110.524129][ T5825] EXT4-fs (loop1): unmounting filesystem 00000000-0000-0000-0000-000000000000.
[  111.259777][ T6042] netlink: 64 bytes leftover after parsing attributes in process `syz.1.27'.
[  111.312331][ T6044] syz_tun: entered allmulticast mode
[  111.346382][ T6043] loop4: detected capacity change from 0 to 1024
[  111.378685][ T6041] syz_tun: left allmulticast mode
[  111.493826][ T6043] EXT4-fs (loop4): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
[  112.034622][ T6056] netlink: 'syz.2.34': attribute type 10 has an invalid length.
[  112.090342][ T6056] netlink: 32 bytes leftover after parsing attributes in process `syz.2.34'.
[  112.197474][ T6056] ipvlan2: entered promiscuous mode
[  112.200688][   T31] kauditd_printk_skb: 150 callbacks suppressed
[  112.200710][   T31] audit: type=1326 audit(1766901979.975:156): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6059 comm="syz.3.35" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ffab858f749 code=0x7ffc0000
[  112.258062][   T31] audit: type=1326 audit(1766901979.975:157): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6059 comm="syz.3.35" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ffab858f749 code=0x7ffc0000
[  112.308014][ T6056] bridge0: port 3(ipvlan2) entered blocking state
[  112.359362][ T6056] bridge0: port 3(ipvlan2) entered disabled state
[  112.377953][ T5831] EXT4-fs (loop4): unmounting filesystem 00000000-0000-0000-0000-000000000000.
[  112.419153][ T6056] ipvlan2: entered allmulticast mode
[  112.438370][ T6056] bridge0: entered allmulticast mode
[  112.495341][ T6056] ipvlan2: left allmulticast mode
[  112.510425][ T6056] bridge0: left allmulticast mode
[  112.976765][ T6083] sg_write: data in/out 1768/64507 bytes for SCSI command 0xfe-- guessing data in;
[  112.976765][ T6083]    program syz.3.43 not setting count and/or reply_len properly
[  113.230306][   T31] audit: type=1326 audit(1766901980.985:158): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6087 comm="syz.2.44" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  113.304559][   T31] audit: type=1326 audit(1766901980.985:159): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6087 comm="syz.2.44" exe="/root/syz-executor" sig=0 arch=c000003e syscall=222 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  113.399520][   T31] audit: type=1326 audit(1766901980.985:160): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6087 comm="syz.2.44" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  113.483198][   T31] audit: type=1326 audit(1766901980.985:161): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6087 comm="syz.2.44" exe="/root/syz-executor" sig=0 arch=c000003e syscall=226 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  113.569691][   T31] audit: type=1326 audit(1766901980.985:162): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6087 comm="syz.2.44" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  113.706342][   T31] audit: type=1326 audit(1766901981.335:163): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6104 comm="syz.2.51" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  113.790296][   T31] audit: type=1326 audit(1766901981.335:164): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6104 comm="syz.2.51" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  113.868364][   T31] audit: type=1326 audit(1766901981.345:165): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6104 comm="syz.2.51" exe="/root/syz-executor" sig=0 arch=c000003e syscall=321 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  113.985744][ T6116] netlink: 96 bytes leftover after parsing attributes in process `syz.2.55'.
[  114.324762][ T6125] loop3: detected capacity change from 0 to 764
[  114.816951][ T6140] usb usb1: usbfs: interface 0 claimed by hub while 'syz.5.63' sets config #1
[  115.186067][ T6149] netlink: 'syz.1.69': attribute type 1 has an invalid length.
[  115.292023][ T6157] netlink: 64 bytes leftover after parsing attributes in process `syz.3.73'.
[  115.359314][ T6154] netlink: 96 bytes leftover after parsing attributes in process `syz.5.72'.
[  115.790351][ T6168] bridge_slave_0: left allmulticast mode
[  115.796128][ T6168] bridge_slave_0: left promiscuous mode
[  115.826663][ T6171] mmap: syz.3.76 (6171) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst.
[  115.898778][ T6168] bridge0: port 1(bridge_slave_0) entered disabled state
[  116.077236][ T6168] bridge_slave_1: left allmulticast mode
[  116.169267][ T6168] bridge_slave_1: left promiscuous mode
[  116.169534][ T6168] bridge0: port 2(bridge_slave_1) entered disabled state
[  116.213490][ T6168] bond0: (slave bond_slave_0): Releasing backup interface
[  116.221967][ T6168] bond0: (slave bond_slave_1): Releasing backup interface
[  116.256484][ T6168] team0: Port device team_slave_0 removed
[  116.332550][ T6168] team0: Port device team_slave_1 removed
[  116.339213][ T6168] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[  116.339242][ T6168] batman_adv: batadv0: Removing interface: batadv_slave_0
[  116.352909][ T6168] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[  116.352937][ T6168] batman_adv: batadv0: Removing interface: batadv_slave_1
[  116.377094][ T6168] A link change request failed with some changes committed already. Interface hsr_slave_0 may have been left with an inconsistent configuration, please check.
[  117.121960][ T6205] tipc: Started in network mode
[  117.129703][ T6205] tipc: Node identity ac1414aa, cluster identity 4711
[  117.161394][ T6205] tipc: Enabled bearer <udp:syz2>, priority 10
[  117.194047][ T6205] netlink: 40 bytes leftover after parsing attributes in process `syz.2.87'.
[  117.290022][ T6209] netlink: 64 bytes leftover after parsing attributes in process `syz.5.88'.
[  117.341171][ T5945] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[  117.420001][ T6212] loop3: detected capacity change from 0 to 512
[  117.428567][ T6212] EXT4-fs: Journaled quota options ignored when QUOTA feature is enabled
[  117.450675][ T6212] EXT4-fs (loop3): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
[  117.463765][ T6212] ext4 filesystem being mounted at /15/bus supports timestamps until 2038-01-19 (0x7fffffff)
[  117.571775][ T5945] usb 5-1: Using ep0 maxpacket: 32
[  117.610206][ T5945] usb 5-1: config 0 has an invalid interface number: 215 but max is 0
[  117.645572][ T5945] usb 5-1: config 0 has no interface number 0
[  117.676046][ T5945] usb 5-1: New USB device found, idVendor=1608, idProduct=0301, bcdDevice=f1.24
[  117.707196][ T5945] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  117.731222][ T5945] usb 5-1: Product: syz
[  117.744601][ T5945] usb 5-1: Manufacturer: syz
[  117.762714][ T5945] usb 5-1: SerialNumber: syz
[  117.783904][ T5945] usb 5-1: config 0 descriptor??
[  117.805987][ T6223] netdevsim netdevsim5 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[  117.836540][ T5945] io_ti 5-1:0.215: required endpoints missing
[  118.079279][ T5833] EXT4-fs (loop3): unmounting filesystem 00000000-0000-0000-0000-000000000000.
[  118.108841][ T6223] netdevsim netdevsim5 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[  118.124924][   T49] usb 5-1: USB disconnect, device number 2
[  118.160524][ T5945] tipc: Node number set to 2886997162
[  118.286991][ T6223] netdevsim netdevsim5 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[  118.300342][   T31] kauditd_printk_skb: 54 callbacks suppressed
[  118.300365][   T31] audit: type=1326 audit(1766901986.075:220): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6235 comm="syz.0.99" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  118.429575][   T31] audit: type=1326 audit(1766901986.085:221): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6235 comm="syz.0.99" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  118.500412][   T31] audit: type=1326 audit(1766901986.085:222): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6235 comm="syz.0.99" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  118.590332][   T31] audit: type=1326 audit(1766901986.085:223): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6235 comm="syz.0.99" exe="/root/syz-executor" sig=0 arch=c000003e syscall=321 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  118.590420][   T31] audit: type=1326 audit(1766901986.085:224): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6235 comm="syz.0.99" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  118.590502][   T31] audit: type=1326 audit(1766901986.085:225): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6235 comm="syz.0.99" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  118.590591][   T31] audit: type=1326 audit(1766901986.085:226): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6235 comm="syz.0.99" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  118.590733][   T31] audit: type=1326 audit(1766901986.085:227): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6235 comm="syz.0.99" exe="/root/syz-executor" sig=0 arch=c000003e syscall=321 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  118.590823][   T31] audit: type=1326 audit(1766901986.085:228): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6235 comm="syz.0.99" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  118.590911][   T31] audit: type=1326 audit(1766901986.085:229): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6235 comm="syz.0.99" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  118.674484][ T6223] netdevsim netdevsim5 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[  118.935656][ T6251] loop1: detected capacity change from 0 to 128
[  118.989505][ T6251] EXT4-fs (loop1): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: writeback.
[  118.991626][ T6251] ext4 filesystem being mounted at /22/file1 supports timestamps until 2038-01-19 (0x7fffffff)
[  118.991797][   T12] netdevsim netdevsim5 eth0: set [1, 0] type 2 family 0 port 6081 - 0
[  119.030900][ T6254] netlink: 64 bytes leftover after parsing attributes in process `syz.4.105'.
[  119.067421][   T13] netdevsim netdevsim5 eth1: set [1, 0] type 2 family 0 port 6081 - 0
[  119.067560][   T13] netdevsim netdevsim5 eth2: set [1, 0] type 2 family 0 port 6081 - 0
[  119.067618][   T13] netdevsim netdevsim5 eth3: set [1, 0] type 2 family 0 port 6081 - 0
[  119.353371][ T5825] EXT4-fs (loop1): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09.
[  119.484129][ T6263] netlink: 4 bytes leftover after parsing attributes in process `syz.1.110'.
[  119.664032][ T6265] loop0: detected capacity change from 0 to 2048
[  119.756083][ T6265] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
[  120.445724][ T6288] loop4: detected capacity change from 0 to 512
[  120.502102][ T5821] EXT4-fs (loop0): unmounting filesystem 00000000-0000-0000-0000-000000000000.
[  120.547235][ T6288] EXT4-fs (loop4): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
[  120.560564][ T6288] ext4 filesystem being mounted at /18/file0 supports timestamps until 2038-01-19 (0x7fffffff)
[  120.915923][ T5831] EXT4-fs (loop4): unmounting filesystem 00000000-0000-0000-0000-000000000000.
[  121.006042][ T6302] 9p: Bad value for 'source'
[  121.230163][ T6304] netlink: 64 bytes leftover after parsing attributes in process `syz.4.121'.
[  121.439359][ T6306] x_tables: ip6_tables: rpfilter match: used from hooks OUTPUT, but only valid from PREROUTING
[  121.624370][ T6313] ALSA: seq fatal error: cannot create timer (-22)
[  122.191413][ T6322] loop1: detected capacity change from 0 to 512
[  122.230720][ T6328] netlink: 96 bytes leftover after parsing attributes in process `syz.0.131'.
[  122.241375][ T6322] EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support!
[  122.298588][ T6322] EXT4-fs (loop1): encrypted files will use data=ordered instead of data journaling mode
[  122.392834][ T6322] EXT4-fs error (device loop1): ext4_mb_generate_buddy:1303: group 0, block bitmap and bg descriptor inconsistent: 191 vs 220 free clusters
[  122.495034][ T6322] EXT4-fs warning (device loop1): ext4_expand_extra_isize_ea:2856: Unable to expand inode 15. Delete some EAs or run e2fsck.
[  122.577114][ T6297] loop5: detected capacity change from 0 to 512
[  122.679387][ T6322] EXT4-fs (loop1): 1 truncate cleaned up
[  122.699368][ T6322] EXT4-fs (loop1): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
[  122.757107][ T6297] EXT4-fs warning (device loop5): ext4_xattr_inode_get:559: inode #11: comm syz.5.120: EA inode hash validation failed
[  122.780984][ T6297] EXT4-fs error (device loop5): ext4_do_update_inode:5617: inode #15: comm syz.5.120: corrupted inode contents
[  122.813662][ T6339] loop3: detected capacity change from 0 to 512
[  122.832617][ T6339] EXT4-fs: Journaled quota options ignored when QUOTA feature is enabled
[  122.912727][ T6297] EXT4-fs error (device loop5): ext4_dirty_inode:6502: inode #15: comm syz.5.120: mark_inode_dirty error
[  122.941513][ T6339] EXT4-fs (loop3): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
[  122.954338][ T6339] ext4 filesystem being mounted at /19/bus supports timestamps until 2038-01-19 (0x7fffffff)
[  122.983210][ T6297] EXT4-fs error (device loop5): ext4_do_update_inode:5617: inode #15: comm syz.5.120: corrupted inode contents
[  123.029111][ T6297] EXT4-fs error (device loop5): ext4_xattr_delete_inode:3000: inode #15: comm syz.5.120: mark_inode_dirty error
[  123.045293][ T6297] EXT4-fs error (device loop5): ext4_xattr_delete_inode:3002: inode #15: comm syz.5.120: mark inode dirty (error -117)
[  123.060056][ T6297] EXT4-fs warning (device loop5): ext4_evict_inode:273: xattr delete (err -117)
[  123.078289][ T5825] EXT4-fs (loop1): unmounting filesystem 00000000-0000-0000-0000-000000000000.
[  123.103778][ T6297] EXT4-fs (loop5): 1 orphan inode deleted
[  123.156526][ T6297] EXT4-fs (loop5): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
[  123.359647][   T31] kauditd_printk_skb: 13 callbacks suppressed
[  123.359670][   T31] audit: type=1326 audit(1766901991.135:243): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6347 comm="syz.2.138" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  123.446133][ T6297] EXT4-fs (loop5): unmounting filesystem 00000000-0000-0000-0000-000000000000.
[  123.485415][ T5833] EXT4-fs (loop3): unmounting filesystem 00000000-0000-0000-0000-000000000000.
[  123.558392][   T31] audit: type=1326 audit(1766901991.175:244): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6347 comm="syz.2.138" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  123.700689][   T31] audit: type=1326 audit(1766901991.185:245): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6347 comm="syz.2.138" exe="/root/syz-executor" sig=0 arch=c000003e syscall=237 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  123.833519][   T31] audit: type=1326 audit(1766901991.185:246): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6347 comm="syz.2.138" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  123.925358][ T6356] netlink: 4 bytes leftover after parsing attributes in process `syz.3.139'.
[  123.937518][   T31] audit: type=1326 audit(1766901991.185:247): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6347 comm="syz.2.138" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  124.092875][   T31] audit: type=1326 audit(1766901991.185:248): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6347 comm="syz.2.138" exe="/root/syz-executor" sig=0 arch=c000003e syscall=450 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  124.269708][   T31] audit: type=1326 audit(1766901991.185:249): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6347 comm="syz.2.138" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  124.387796][   T31] audit: type=1326 audit(1766901991.185:250): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6347 comm="syz.2.138" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  124.793781][   T31] audit: type=1326 audit(1766901992.575:251): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6376 comm="syz.0.146" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  124.917576][ T6379] netlink: 96 bytes leftover after parsing attributes in process `syz.5.147'.
[  124.957892][ T6381] IPv6: NLM_F_CREATE should be specified when creating new route
[  124.982173][   T31] audit: type=1326 audit(1766901992.765:252): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6380 comm="syz.0.148" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  125.013627][ T6381] loop0: detected capacity change from 0 to 1024
[  125.075603][ T6381] EXT4-fs: Ignoring removed orlov option
[  125.190910][ T6381] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
[  125.353077][ T6390] 9p: Bad value for 'source'
[  125.468833][ T6392] netlink: 64 bytes leftover after parsing attributes in process `syz.4.152'.
[  125.504080][ T6395] netlink: 8 bytes leftover after parsing attributes in process `syz.0.148'.
[  125.803133][ T6401] tipc: Enabled bearer <eth:syzkaller0>, priority 0
[  125.893969][ T6395] syz.0.148 (6395) used greatest stack depth: 16888 bytes left
[  125.941911][ T6400] loop3: detected capacity change from 0 to 4096
[  125.967417][ T6399] tipc: Disabling bearer <eth:syzkaller0>
[  126.012836][ T6400] EXT4-fs (loop3): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
[  126.083228][ T6405] netlink: 'syz.4.155': attribute type 1 has an invalid length.
[  126.106778][ T5821] EXT4-fs (loop0): unmounting filesystem 00000000-0000-0000-0000-000000000000.
[  126.261610][ T6400] debugfs: 'ttyS3' already exists in 'caif_serial'
[  126.664890][ T5833] EXT4-fs (loop3): unmounting filesystem 00000000-0000-0000-0000-000000000000.
[  127.287113][ T6424] netlink: 96 bytes leftover after parsing attributes in process `syz.4.162'.
[  128.464192][ T6441] loop5: detected capacity change from 0 to 1024
[  128.642666][ T6441] EXT4-fs (loop5): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
[  129.363669][ T6463] netlink: 8 bytes leftover after parsing attributes in process `syz.2.171'.
[  130.105419][ T6468] IPVS: set_ctl: invalid protocol: 44 100.1.1.2:20002
[  130.374837][ T6469] netlink: 4 bytes leftover after parsing attributes in process `syz.2.171'.
[  130.484550][ T6469] netlink: 4 bytes leftover after parsing attributes in process `syz.2.171'.
[  130.619544][ T6472] iwpm_register_pid: Unable to send a nlmsg (client = 2)
[  130.636292][ T6472] infiniband syb2: RDMA CMA: cma_listen_on_dev, error -98
[  131.391158][ T5834] EXT4-fs (loop5): unmounting filesystem 00000000-0000-0000-0000-000000000000.
[  131.738652][   T31] kauditd_printk_skb: 61 callbacks suppressed
[  131.738677][   T31] audit: type=1326 audit(1766901999.515:314): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6490 comm="syz.5.176" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff03c98f749 code=0x7ffc0000
[  132.702908][ T6517] netlink: 64 bytes leftover after parsing attributes in process `syz.5.185'.
[  134.135477][   T31] audit: type=1326 audit(1766902001.915:315): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6540 comm="syz.0.192" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7fc0b1b8f749 code=0x7ffc0000
[  134.440167][ T6552] syz.4.195 uses obsolete (PF_INET,SOCK_PACKET)
[  134.473352][ T6552] syzkaller1: entered promiscuous mode
[  134.499166][ T6552] syzkaller1: entered allmulticast mode
[  134.812397][   T31] audit: type=1326 audit(1766902002.595:316): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6564 comm="syz.5.200" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff03c98f749 code=0x7ffc0000
[  134.851121][   T31] audit: type=1326 audit(1766902002.615:317): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6564 comm="syz.5.200" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff03c98f749 code=0x7ffc0000
[  135.125333][   T31] audit: type=1326 audit(1766902002.735:318): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6564 comm="syz.5.200" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff03c98f749 code=0x7ffc0000
[  135.148355][   T31] audit: type=1326 audit(1766902002.735:319): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6564 comm="syz.5.200" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff03c98f749 code=0x7ffc0000
[  135.244027][   T31] audit: type=1326 audit(1766902002.745:320): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6564 comm="syz.5.200" exe="/root/syz-executor" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7ff03c98f749 code=0x7ffc0000
[  135.311686][   T31] audit: type=1326 audit(1766902002.745:321): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6564 comm="syz.5.200" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff03c98f749 code=0x7ffc0000
[  135.468823][ T6579] netlink: 64 bytes leftover after parsing attributes in process `syz.5.202'.
[  135.477807][   T31] audit: type=1326 audit(1766902002.745:322): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6564 comm="syz.5.200" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff03c98f749 code=0x7ffc0000
[  135.563027][   T31] audit: type=1326 audit(1766902002.745:323): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6564 comm="syz.5.200" exe="/root/syz-executor" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7ff03c98f749 code=0x7ffc0000
[  136.869377][ T6610] pimreg: entered allmulticast mode
[  136.880667][ T6605] netlink: 180 bytes leftover after parsing attributes in process `+}[@'.
[  136.889946][ T6611] pimreg: left allmulticast mode
[  137.334167][ T6630] tipc: Enabling of bearer <udp:syz2> rejected, already enabled
[  137.389329][ T6630] netlink: 40 bytes leftover after parsing attributes in process `syz.1.217'.
[  137.484147][ T6630] tipc: Enabling of bearer <eth:ip6_vti0> rejected, already enabled
[  137.594323][ T6633] netlink: 64 bytes leftover after parsing attributes in process `syz.2.218'.
[  137.691109][ T6636] netlink: 20 bytes leftover after parsing attributes in process `syz.5.219'.
[  138.209836][ T6649] netlink: 'syz.2.223': attribute type 1 has an invalid length.
[  138.273872][ T6656] netlink: 4 bytes leftover after parsing attributes in process `syz.2.223'.
[  138.458174][ T6649] 8021q: adding VLAN 0 to HW filter on device bond1
[  139.097183][ T6656] bond1 (unregistering): Released all slaves
[  139.260463][   T31] kauditd_printk_skb: 10 callbacks suppressed
[  139.260494][   T31] audit: type=1326 audit(1766902007.035:334): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6676 comm="syz.1.230" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f6d5b58f749 code=0x7ffc0000
[  139.323339][ T6678] loop4: detected capacity change from 0 to 512
[  139.390335][   T31] audit: type=1326 audit(1766902007.035:335): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6676 comm="syz.1.230" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f6d5b58f749 code=0x7ffc0000
[  139.500312][   T31] audit: type=1326 audit(1766902007.065:336): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6676 comm="syz.1.230" exe="/root/syz-executor" sig=0 arch=c000003e syscall=52 compat=0 ip=0x7f6d5b58f749 code=0x7ffc0000
[  139.635069][   T31] audit: type=1326 audit(1766902007.065:337): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6676 comm="syz.1.230" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f6d5b58f749 code=0x7ffc0000
[  139.752282][ T6689] netlink: 28 bytes leftover after parsing attributes in process `syz.2.233'.
[  139.763720][   T31] audit: type=1326 audit(1766902007.065:338): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6676 comm="syz.1.230" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f6d5b58f749 code=0x7ffc0000
[  139.820783][ T6690] siw: device registration error -23
[  140.228983][ T6695] netlink: 64 bytes leftover after parsing attributes in process `syz.4.235'.
[  140.761877][ T6700] tipc: Started in network mode
[  140.766826][ T6700] tipc: Node identity ac1414aa, cluster identity 4711
[  140.875403][ T6700] tipc: Enabled bearer <udp:syz2>, priority 10
[  141.006800][ T6703] netlink: 'syz.1.236': attribute type 21 has an invalid length.
[  141.014650][ T6703] netlink: 'syz.1.236': attribute type 6 has an invalid length.
[  141.022356][ T6703] netlink: 132 bytes leftover after parsing attributes in process `syz.1.236'.
[  141.747693][ T6728] process 'syz.0.244' launched '/dev/fd/5' with NULL argv: empty string added
[  141.773249][ T6726] loop3: detected capacity change from 0 to 2048
[  141.790611][   T31] audit: type=1326 audit(1766902009.565:340): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6727 comm="syz.2.242" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  141.867640][ T5890] Alternate GPT is invalid, using primary GPT.
[  141.885398][   T31] audit: type=1326 audit(1766902009.565:339): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6727 comm="syz.2.242" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  141.912982][ T6158] Bluetooth: hci6: Frame reassembly failed (-90)
[  141.932711][ T5890]  loop3: p2 p3 p7
[  141.942040][ T6158] Bluetooth: hci6: Frame reassembly failed (-84)
[  141.950491][   T31] audit: type=1326 audit(1766902009.565:342): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6727 comm="syz.2.242" exe="/root/syz-executor" sig=0 arch=c000003e syscall=321 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  141.975534][   T31] audit: type=1326 audit(1766902009.565:341): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6727 comm="syz.2.242" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  141.998901][   T31] audit: type=1326 audit(1766902009.565:343): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=6727 comm="syz.2.242" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7ff15518f749 code=0x7ffc0000
[  142.252241][ T6726] Alternate GPT is invalid, using primary GPT.
[  142.280003][ T6726]  loop3: p2 p3 p7
[  142.376713][ T1296] ieee802154 phy0 wpan0: encryption failed: -22
[  142.384341][ T1296] ieee802154 phy1 wpan1: encryption failed: -22
[  143.156215][ T5890] udevd[5890]: inotify_add_watch(7, /dev/loop3p2, 10) failed: No such file or directory
[  143.190495][ T5878] udevd[5878]: inotify_add_watch(7, /dev/loop3p7, 10) failed: No such file or directory
[  143.228292][ T5994] udevd[5994]: inotify_add_watch(7, /dev/loop3p3, 10) failed: No such file or directory
[  143.946256][ T6754] netlink: 64 bytes leftover after parsing attributes in process `syz.1.250'.
[  143.980119][ T6752] loop3: detected capacity change from 0 to 8192
[  144.358062][ T6759] netlink: 28 bytes leftover after parsing attributes in process `syz.1.252'.
[  154.419817][ T1296] ==================================================================
[  154.427925][ T1296] BUG: KASAN: slab-use-after-free in handle_tx+0x5dc/0x630
[  154.435142][ T1296] Read of size 1 at addr ffff888078e19490 by task aoe_tx0/1296
[  154.442689][ T1296] 
[  154.445016][ T1296] CPU: 1 UID: 0 PID: 1296 Comm: aoe_tx0 Not tainted syzkaller #0 PREEMPT(full) 
[  154.445059][ T1296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[  154.445081][ T1296] Call Trace:
[  154.445092][ T1296]  <TASK>
[  154.445105][ T1296]  dump_stack_lvl+0x116/0x1f0
[  154.445164][ T1296]  print_report+0xcd/0x630
[  154.445204][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  154.445249][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  154.445293][ T1296]  ? __phys_addr+0xe8/0x180
[  154.445329][ T1296]  ? handle_tx+0x5dc/0x630
[  154.445364][ T1296]  kasan_report+0xe0/0x110
[  154.445406][ T1296]  ? handle_tx+0x5dc/0x630
[  154.445453][ T1296]  handle_tx+0x5dc/0x630
[  154.445497][ T1296]  dev_hard_start_xmit+0x97/0x6e0
[  154.445542][ T1296]  __dev_queue_xmit+0x6d7/0x4650
[  154.445587][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  154.445631][ T1296]  ? rcu_is_watching+0x12/0xc0
[  154.445665][ T1296]  ? finish_task_switch.isra.0+0x207/0xbd0
[  154.445724][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  154.445769][ T1296]  ? __pfx___dev_queue_xmit+0x10/0x10
[  154.445809][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  154.445857][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  154.445901][ T1296]  ? __lock_acquire+0x436/0x2890
[  154.445945][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  154.445989][ T1296]  ? ref_tracker_free+0x37c/0x830
[  154.446034][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  154.446078][ T1296]  ? do_raw_spin_lock+0x12c/0x2b0
[  154.446129][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  154.446173][ T1296]  ? find_held_lock+0x2b/0x80
[  154.446229][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  154.446273][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  154.446317][ T1296]  ? find_held_lock+0x2b/0x80
[  154.446375][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  154.446419][ T1296]  ? rcu_is_watching+0x12/0xc0
[  154.446473][ T1296]  tx+0xcc/0x190
[  154.446529][ T1296]  ? __pfx_tx+0x10/0x10
[  154.446582][ T1296]  kthread+0x1e4/0x3e0
[  154.446632][ T1296]  ? find_held_lock+0x2b/0x80
[  154.446687][ T1296]  ? __pfx_kthread+0x10/0x10
[  154.446741][ T1296]  ? __pfx_default_wake_function+0x10/0x10
[  154.446801][ T1296]  ? lockdep_hardirqs_on+0x7c/0x110
[  154.446857][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  154.446902][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  154.446947][ T1296]  ? __kthread_parkme+0x19e/0x250
[  154.446983][ T1296]  ? __pfx_kthread+0x10/0x10
[  154.447031][ T1296]  kthread+0x3c5/0x780
[  154.447074][ T1296]  ? __pfx_kthread+0x10/0x10
[  154.447118][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  154.447161][ T1296]  ? rcu_is_watching+0x12/0xc0
[  154.447195][ T1296]  ? __pfx_kthread+0x10/0x10
[  154.447239][ T1296]  ret_from_fork+0x983/0xb10
[  154.447280][ T1296]  ? __pfx_ret_from_fork+0x10/0x10
[  154.447322][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  154.447366][ T1296]  ? __switch_to+0x7af/0x10d0
[  154.447414][ T1296]  ? __pfx_kthread+0x10/0x10
[  154.447463][ T1296]  ret_from_fork_asm+0x1a/0x30
[  154.447533][ T1296]  </TASK>
[  154.447546][ T1296] 
[  154.736136][ T1296] Allocated by task 6336:
[  154.740459][ T1296]  kasan_save_stack+0x33/0x60
[  154.745148][ T1296]  kasan_save_track+0x14/0x30
[  154.749833][ T1296]  __kasan_kmalloc+0xaa/0xb0
[  154.754430][ T1296]  alloc_tty_struct+0x96/0x8c0
[  154.759229][ T1296]  tty_init_dev.part.0+0x1e/0x500
[  154.764281][ T1296]  tty_open+0xa4f/0xf90
[  154.768465][ T1296]  chrdev_open+0x234/0x6a0
[  154.772905][ T1296]  do_dentry_open+0x748/0x1590
[  154.777684][ T1296]  vfs_open+0x82/0x3f0
[  154.781777][ T1296]  path_openat+0x2078/0x3140
[  154.786387][ T1296]  do_filp_open+0x20b/0x470
[  154.790914][ T1296]  do_sys_openat2+0x121/0x290
[  154.795615][ T1296]  __x64_sys_openat+0x174/0x210
[  154.800492][ T1296]  do_syscall_64+0xcd/0xf80
[  154.805029][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  154.810933][ T1296] 
[  154.813252][ T1296] Freed by task 6433:
[  154.817224][ T1296]  kasan_save_stack+0x33/0x60
[  154.821909][ T1296]  kasan_save_track+0x14/0x30
[  154.826594][ T1296]  kasan_save_free_info+0x3b/0x60
[  154.831644][ T1296]  __kasan_slab_free+0x5f/0x80
[  154.836418][ T1296]  kfree+0x2f8/0x6e0
[  154.840344][ T1296]  process_one_work+0x9ba/0x1b20
[  154.845303][ T1296]  worker_thread+0x6c8/0xf10
[  154.849910][ T1296]  kthread+0x3c5/0x780
[  154.853994][ T1296]  ret_from_fork+0x983/0xb10
[  154.858599][ T1296]  ret_from_fork_asm+0x1a/0x30
[  154.863397][ T1296] 
[  154.865720][ T1296] Last potentially related work creation:
[  154.871425][ T1296]  kasan_save_stack+0x33/0x60
[  154.876117][ T1296]  kasan_record_aux_stack+0xa7/0xc0
[  154.881338][ T1296]  insert_work+0x36/0x230
[  154.885685][ T1296]  __queue_work+0x94f/0x10e0
[  154.890298][ T1296]  queue_work_on+0x1a4/0x1f0
[  154.894913][ T1296]  release_tty+0x4de/0x5d0
[  154.899358][ T1296]  tty_release_struct+0xb7/0xe0
[  154.904228][ T1296]  tty_release+0xe2d/0x1470
[  154.908758][ T1296]  __fput+0x402/0xb70
[  154.912763][ T1296]  task_work_run+0x150/0x240
[  154.917374][ T1296]  do_exit+0x87f/0x2bd0
[  154.921548][ T1296]  do_group_exit+0xd3/0x2a0
[  154.926046][ T1296]  get_signal+0x2671/0x26d0
[  154.930558][ T1296]  arch_do_signal_or_restart+0x8f/0x7e0
[  154.936121][ T1296]  exit_to_user_mode_loop+0x8c/0x540
[  154.941411][ T1296]  do_syscall_64+0x4ee/0xf80
[  154.946009][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  154.951891][ T1296] 
[  154.954194][ T1296] The buggy address belongs to the object at ffff888078e19000
[  154.954194][ T1296]  which belongs to the cache kmalloc-cg-2k of size 2048
[  154.968491][ T1296] The buggy address is located 1168 bytes inside of
[  154.968491][ T1296]  freed 2048-byte region [ffff888078e19000, ffff888078e19800)
[  154.982451][ T1296] 
[  154.984757][ T1296] The buggy address belongs to the physical page:
[  154.991144][ T1296] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78e18
[  154.999892][ T1296] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  155.008373][ T1296] memcg:ffff888055c9fe01
[  155.012593][ T1296] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[  155.020125][ T1296] page_type: f5(slab)
[  155.024096][ T1296] raw: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  155.032672][ T1296] raw: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  155.041246][ T1296] head: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  155.049907][ T1296] head: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  155.058569][ T1296] head: 00fff00000000003 ffffea0001e38601 00000000ffffffff 00000000ffffffff
[  155.067229][ T1296] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[  155.075887][ T1296] page dumped because: kasan: bad access detected
[  155.082291][ T1296] page_owner tracks the page as allocated
[  155.087986][ T1296] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5821, tgid 5821 (syz-executor), ts 102699648920, free_ts 69207062978
[  155.109431][ T1296]  post_alloc_hook+0x1af/0x220
[  155.114207][ T1296]  get_page_from_freelist+0xd0b/0x31a0
[  155.119672][ T1296]  __alloc_frozen_pages_noprof+0x25f/0x2430
[  155.125572][ T1296]  alloc_pages_mpol+0x1fb/0x550
[  155.130421][ T1296]  new_slab+0x2c3/0x430
[  155.134580][ T1296]  ___slab_alloc+0xe18/0x1c90
[  155.139255][ T1296]  __slab_alloc.constprop.0+0x63/0x110
[  155.144713][ T1296]  __kmalloc_cache_noprof+0x485/0x800
[  155.150086][ T1296]  ipv6_add_dev+0x1c9/0x15f0
[  155.154681][ T1296]  addrconf_notify+0x53e/0x19f0
[  155.159542][ T1296]  notifier_call_chain+0xbc/0x3e0
[  155.164562][ T1296]  call_netdevice_notifiers_info+0xbe/0x110
[  155.170467][ T1296]  register_netdevice+0x1792/0x21d0
[  155.175678][ T1296]  nsim_create+0xdd5/0x13f0
[  155.180209][ T1296]  __nsim_dev_port_add+0x451/0x7a0
[  155.185333][ T1296]  nsim_drv_probe+0xebb/0x15c0
[  155.190089][ T1296] page last free pid 5192 tgid 5192 stack trace:
[  155.196395][ T1296]  __free_frozen_pages+0x7df/0x1170
[  155.201596][ T1296]  __put_partials+0x130/0x170
[  155.206275][ T1296]  qlist_free_all+0x4c/0xf0
[  155.210789][ T1296]  kasan_quarantine_reduce+0x195/0x1e0
[  155.216238][ T1296]  __kasan_slab_alloc+0x69/0x90
[  155.221080][ T1296]  kmem_cache_alloc_node_noprof+0x298/0x800
[  155.226980][ T1296]  __alloc_skb+0x156/0x410
[  155.231389][ T1296]  netlink_alloc_large_skb+0x69/0x140
[  155.236771][ T1296]  netlink_sendmsg+0x698/0xdd0
[  155.241539][ T1296]  ____sys_sendmsg+0xa5d/0xc30
[  155.246311][ T1296]  ___sys_sendmsg+0x134/0x1d0
[  155.250985][ T1296]  __sys_sendmsg+0x16d/0x220
[  155.255574][ T1296]  do_syscall_64+0xcd/0xf80
[  155.260091][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  155.265974][ T1296] 
[  155.268277][ T1296] Memory state around the buggy address:
[  155.273891][ T1296]  ffff888078e19380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  155.281942][ T1296]  ffff888078e19400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  155.289991][ T1296] >ffff888078e19480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  155.298033][ T1296]                          ^
[  155.302605][ T1296]  ffff888078e19500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  155.310653][ T1296]  ffff888078e19580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  155.318696][ T1296] ==================================================================
[  155.326790][ T1296] Disabling lock debugging due to kernel taint
[  155.332967][ T1296] ==================================================================
[  155.341028][ T1296] BUG: KASAN: slab-use-after-free in handle_tx+0x5c8/0x630
[  155.348236][ T1296] Read of size 1 at addr ffff888078e19491 by task aoe_tx0/1296
[  155.355765][ T1296] 
[  155.358076][ T1296] CPU: 1 UID: 0 PID: 1296 Comm: aoe_tx0 Tainted: G    B               syzkaller #0 PREEMPT(full) 
[  155.358114][ T1296] Tainted: [B]=BAD_PAGE
[  155.358123][ T1296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[  155.358140][ T1296] Call Trace:
[  155.358149][ T1296]  <TASK>
[  155.358158][ T1296]  dump_stack_lvl+0x116/0x1f0
[  155.358202][ T1296]  print_report+0xcd/0x630
[  155.358232][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  155.358265][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  155.358298][ T1296]  ? __phys_addr+0xe8/0x180
[  155.358324][ T1296]  ? handle_tx+0x5c8/0x630
[  155.358350][ T1296]  kasan_report+0xe0/0x110
[  155.358382][ T1296]  ? handle_tx+0x5c8/0x630
[  155.358413][ T1296]  handle_tx+0x5c8/0x630
[  155.358449][ T1296]  dev_hard_start_xmit+0x97/0x6e0
[  155.358482][ T1296]  __dev_queue_xmit+0x6d7/0x4650
[  155.358516][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  155.358548][ T1296]  ? rcu_is_watching+0x12/0xc0
[  155.358574][ T1296]  ? finish_task_switch.isra.0+0x207/0xbd0
[  155.358618][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  155.358652][ T1296]  ? __pfx___dev_queue_xmit+0x10/0x10
[  155.358682][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  155.358718][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  155.358750][ T1296]  ? __lock_acquire+0x436/0x2890
[  155.358783][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  155.358816][ T1296]  ? ref_tracker_free+0x37c/0x830
[  155.358850][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  155.358882][ T1296]  ? do_raw_spin_lock+0x12c/0x2b0
[  155.358921][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  155.358953][ T1296]  ? find_held_lock+0x2b/0x80
[  155.358996][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  155.359029][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  155.359061][ T1296]  ? find_held_lock+0x2b/0x80
[  155.359104][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  155.359137][ T1296]  ? rcu_is_watching+0x12/0xc0
[  155.359165][ T1296]  tx+0xcc/0x190
[  155.359206][ T1296]  ? __pfx_tx+0x10/0x10
[  155.359246][ T1296]  kthread+0x1e4/0x3e0
[  155.359284][ T1296]  ? find_held_lock+0x2b/0x80
[  155.359325][ T1296]  ? __pfx_kthread+0x10/0x10
[  155.359374][ T1296]  ? __pfx_default_wake_function+0x10/0x10
[  155.359419][ T1296]  ? lockdep_hardirqs_on+0x7c/0x110
[  155.359466][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  155.359500][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  155.359532][ T1296]  ? __kthread_parkme+0x19e/0x250
[  155.359559][ T1296]  ? __pfx_kthread+0x10/0x10
[  155.359596][ T1296]  kthread+0x3c5/0x780
[  155.359628][ T1296]  ? __pfx_kthread+0x10/0x10
[  155.359661][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  155.359693][ T1296]  ? rcu_is_watching+0x12/0xc0
[  155.359718][ T1296]  ? __pfx_kthread+0x10/0x10
[  155.359751][ T1296]  ret_from_fork+0x983/0xb10
[  155.359783][ T1296]  ? __pfx_ret_from_fork+0x10/0x10
[  155.359815][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  155.359848][ T1296]  ? __switch_to+0x7af/0x10d0
[  155.359884][ T1296]  ? __pfx_kthread+0x10/0x10
[  155.359916][ T1296]  ret_from_fork_asm+0x1a/0x30
[  155.359968][ T1296]  </TASK>
[  155.359977][ T1296] 
[  155.653716][ T1296] Allocated by task 6336:
[  155.658030][ T1296]  kasan_save_stack+0x33/0x60
[  155.662698][ T1296]  kasan_save_track+0x14/0x30
[  155.667364][ T1296]  __kasan_kmalloc+0xaa/0xb0
[  155.671940][ T1296]  alloc_tty_struct+0x96/0x8c0
[  155.676710][ T1296]  tty_init_dev.part.0+0x1e/0x500
[  155.681738][ T1296]  tty_open+0xa4f/0xf90
[  155.685896][ T1296]  chrdev_open+0x234/0x6a0
[  155.690313][ T1296]  do_dentry_open+0x748/0x1590
[  155.695113][ T1296]  vfs_open+0x82/0x3f0
[  155.699184][ T1296]  path_openat+0x2078/0x3140
[  155.703780][ T1296]  do_filp_open+0x20b/0x470
[  155.708282][ T1296]  do_sys_openat2+0x121/0x290
[  155.712962][ T1296]  __x64_sys_openat+0x174/0x210
[  155.717818][ T1296]  do_syscall_64+0xcd/0xf80
[  155.722344][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  155.728228][ T1296] 
[  155.730543][ T1296] Freed by task 6433:
[  155.734505][ T1296]  kasan_save_stack+0x33/0x60
[  155.739167][ T1296]  kasan_save_track+0x14/0x30
[  155.743830][ T1296]  kasan_save_free_info+0x3b/0x60
[  155.748858][ T1296]  __kasan_slab_free+0x5f/0x80
[  155.753615][ T1296]  kfree+0x2f8/0x6e0
[  155.757513][ T1296]  process_one_work+0x9ba/0x1b20
[  155.762450][ T1296]  worker_thread+0x6c8/0xf10
[  155.767043][ T1296]  kthread+0x3c5/0x780
[  155.771106][ T1296]  ret_from_fork+0x983/0xb10
[  155.775690][ T1296]  ret_from_fork_asm+0x1a/0x30
[  155.780459][ T1296] 
[  155.782764][ T1296] Last potentially related work creation:
[  155.788453][ T1296]  kasan_save_stack+0x33/0x60
[  155.793118][ T1296]  kasan_record_aux_stack+0xa7/0xc0
[  155.798319][ T1296]  insert_work+0x36/0x230
[  155.802644][ T1296]  __queue_work+0x94f/0x10e0
[  155.807231][ T1296]  queue_work_on+0x1a4/0x1f0
[  155.811825][ T1296]  release_tty+0x4de/0x5d0
[  155.816256][ T1296]  tty_release_struct+0xb7/0xe0
[  155.821108][ T1296]  tty_release+0xe2d/0x1470
[  155.825618][ T1296]  __fput+0x402/0xb70
[  155.829603][ T1296]  task_work_run+0x150/0x240
[  155.834190][ T1296]  do_exit+0x87f/0x2bd0
[  155.838339][ T1296]  do_group_exit+0xd3/0x2a0
[  155.842835][ T1296]  get_signal+0x2671/0x26d0
[  155.847341][ T1296]  arch_do_signal_or_restart+0x8f/0x7e0
[  155.852889][ T1296]  exit_to_user_mode_loop+0x8c/0x540
[  155.858176][ T1296]  do_syscall_64+0x4ee/0xf80
[  155.862771][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  155.868655][ T1296] 
[  155.870959][ T1296] The buggy address belongs to the object at ffff888078e19000
[  155.870959][ T1296]  which belongs to the cache kmalloc-cg-2k of size 2048
[  155.885260][ T1296] The buggy address is located 1169 bytes inside of
[  155.885260][ T1296]  freed 2048-byte region [ffff888078e19000, ffff888078e19800)
[  155.899220][ T1296] 
[  155.901530][ T1296] The buggy address belongs to the physical page:
[  155.907918][ T1296] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78e18
[  155.916665][ T1296] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  155.925153][ T1296] memcg:ffff888055c9fe01
[  155.929373][ T1296] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[  155.936900][ T1296] page_type: f5(slab)
[  155.940872][ T1296] raw: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  155.949450][ T1296] raw: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  155.958023][ T1296] head: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  155.966683][ T1296] head: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  155.975348][ T1296] head: 00fff00000000003 ffffea0001e38601 00000000ffffffff 00000000ffffffff
[  155.984019][ T1296] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[  155.992671][ T1296] page dumped because: kasan: bad access detected
[  155.999065][ T1296] page_owner tracks the page as allocated
[  156.004758][ T1296] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5821, tgid 5821 (syz-executor), ts 102699648920, free_ts 69207062978
[  156.026202][ T1296]  post_alloc_hook+0x1af/0x220
[  156.030969][ T1296]  get_page_from_freelist+0xd0b/0x31a0
[  156.036437][ T1296]  __alloc_frozen_pages_noprof+0x25f/0x2430
[  156.042335][ T1296]  alloc_pages_mpol+0x1fb/0x550
[  156.047178][ T1296]  new_slab+0x2c3/0x430
[  156.051334][ T1296]  ___slab_alloc+0xe18/0x1c90
[  156.056012][ T1296]  __slab_alloc.constprop.0+0x63/0x110
[  156.061473][ T1296]  __kmalloc_cache_noprof+0x485/0x800
[  156.066848][ T1296]  ipv6_add_dev+0x1c9/0x15f0
[  156.071444][ T1296]  addrconf_notify+0x53e/0x19f0
[  156.076288][ T1296]  notifier_call_chain+0xbc/0x3e0
[  156.081304][ T1296]  call_netdevice_notifiers_info+0xbe/0x110
[  156.087204][ T1296]  register_netdevice+0x1792/0x21d0
[  156.092405][ T1296]  nsim_create+0xdd5/0x13f0
[  156.096919][ T1296]  __nsim_dev_port_add+0x451/0x7a0
[  156.102038][ T1296]  nsim_drv_probe+0xebb/0x15c0
[  156.106794][ T1296] page last free pid 5192 tgid 5192 stack trace:
[  156.113099][ T1296]  __free_frozen_pages+0x7df/0x1170
[  156.118294][ T1296]  __put_partials+0x130/0x170
[  156.122976][ T1296]  qlist_free_all+0x4c/0xf0
[  156.127487][ T1296]  kasan_quarantine_reduce+0x195/0x1e0
[  156.132933][ T1296]  __kasan_slab_alloc+0x69/0x90
[  156.137783][ T1296]  kmem_cache_alloc_node_noprof+0x298/0x800
[  156.143686][ T1296]  __alloc_skb+0x156/0x410
[  156.148094][ T1296]  netlink_alloc_large_skb+0x69/0x140
[  156.153473][ T1296]  netlink_sendmsg+0x698/0xdd0
[  156.158250][ T1296]  ____sys_sendmsg+0xa5d/0xc30
[  156.163022][ T1296]  ___sys_sendmsg+0x134/0x1d0
[  156.167694][ T1296]  __sys_sendmsg+0x16d/0x220
[  156.172280][ T1296]  do_syscall_64+0xcd/0xf80
[  156.176794][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  156.182677][ T1296] 
[  156.184981][ T1296] Memory state around the buggy address:
[  156.190593][ T1296]  ffff888078e19380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  156.198639][ T1296]  ffff888078e19400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  156.206692][ T1296] >ffff888078e19480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  156.214735][ T1296]                          ^
[  156.219303][ T1296]  ffff888078e19500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  156.227384][ T1296]  ffff888078e19580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  156.235438][ T1296] ==================================================================
[  156.243542][ T1296] ==================================================================
[  156.251599][ T1296] BUG: KASAN: slab-use-after-free in handle_tx+0x5b4/0x630
[  156.258818][ T1296] Read of size 1 at addr ffff888078e194e9 by task aoe_tx0/1296
[  156.266365][ T1296] 
[  156.268679][ T1296] CPU: 1 UID: 0 PID: 1296 Comm: aoe_tx0 Tainted: G    B               syzkaller #0 PREEMPT(full) 
[  156.268717][ T1296] Tainted: [B]=BAD_PAGE
[  156.268726][ T1296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[  156.268743][ T1296] Call Trace:
[  156.268751][ T1296]  <TASK>
[  156.268761][ T1296]  dump_stack_lvl+0x116/0x1f0
[  156.268805][ T1296]  print_report+0xcd/0x630
[  156.268834][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  156.268867][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  156.268900][ T1296]  ? __phys_addr+0xe8/0x180
[  156.268926][ T1296]  ? handle_tx+0x5b4/0x630
[  156.268952][ T1296]  kasan_report+0xe0/0x110
[  156.268983][ T1296]  ? handle_tx+0x5b4/0x630
[  156.269014][ T1296]  handle_tx+0x5b4/0x630
[  156.269047][ T1296]  dev_hard_start_xmit+0x97/0x6e0
[  156.269079][ T1296]  __dev_queue_xmit+0x6d7/0x4650
[  156.269113][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  156.269145][ T1296]  ? rcu_is_watching+0x12/0xc0
[  156.269170][ T1296]  ? finish_task_switch.isra.0+0x207/0xbd0
[  156.269215][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  156.269249][ T1296]  ? __pfx___dev_queue_xmit+0x10/0x10
[  156.269278][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  156.269314][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  156.269347][ T1296]  ? __lock_acquire+0x436/0x2890
[  156.269379][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  156.269412][ T1296]  ? ref_tracker_free+0x37c/0x830
[  156.269465][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  156.269498][ T1296]  ? do_raw_spin_lock+0x12c/0x2b0
[  156.269536][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  156.269569][ T1296]  ? find_held_lock+0x2b/0x80
[  156.269612][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  156.269644][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  156.269677][ T1296]  ? find_held_lock+0x2b/0x80
[  156.269720][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  156.269752][ T1296]  ? rcu_is_watching+0x12/0xc0
[  156.269780][ T1296]  tx+0xcc/0x190
[  156.269822][ T1296]  ? __pfx_tx+0x10/0x10
[  156.269861][ T1296]  kthread+0x1e4/0x3e0
[  156.269899][ T1296]  ? find_held_lock+0x2b/0x80
[  156.269940][ T1296]  ? __pfx_kthread+0x10/0x10
[  156.269978][ T1296]  ? __pfx_default_wake_function+0x10/0x10
[  156.270023][ T1296]  ? lockdep_hardirqs_on+0x7c/0x110
[  156.270065][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  156.270099][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  156.270131][ T1296]  ? __kthread_parkme+0x19e/0x250
[  156.270158][ T1296]  ? __pfx_kthread+0x10/0x10
[  156.270195][ T1296]  kthread+0x3c5/0x780
[  156.270231][ T1296]  ? __pfx_kthread+0x10/0x10
[  156.270277][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  156.270321][ T1296]  ? rcu_is_watching+0x12/0xc0
[  156.270346][ T1296]  ? __pfx_kthread+0x10/0x10
[  156.270379][ T1296]  ret_from_fork+0x983/0xb10
[  156.270410][ T1296]  ? __pfx_ret_from_fork+0x10/0x10
[  156.270445][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  156.270478][ T1296]  ? __switch_to+0x7af/0x10d0
[  156.270514][ T1296]  ? __pfx_kthread+0x10/0x10
[  156.270547][ T1296]  ret_from_fork_asm+0x1a/0x30
[  156.270598][ T1296]  </TASK>
[  156.270608][ T1296] 
[  156.564390][ T1296] Allocated by task 6336:
[  156.568697][ T1296]  kasan_save_stack+0x33/0x60
[  156.573365][ T1296]  kasan_save_track+0x14/0x30
[  156.578030][ T1296]  __kasan_kmalloc+0xaa/0xb0
[  156.582609][ T1296]  alloc_tty_struct+0x96/0x8c0
[  156.587376][ T1296]  tty_init_dev.part.0+0x1e/0x500
[  156.592409][ T1296]  tty_open+0xa4f/0xf90
[  156.596576][ T1296]  chrdev_open+0x234/0x6a0
[  156.600987][ T1296]  do_dentry_open+0x748/0x1590
[  156.605762][ T1296]  vfs_open+0x82/0x3f0
[  156.609835][ T1296]  path_openat+0x2078/0x3140
[  156.614443][ T1296]  do_filp_open+0x20b/0x470
[  156.618946][ T1296]  do_sys_openat2+0x121/0x290
[  156.623629][ T1296]  __x64_sys_openat+0x174/0x210
[  156.628485][ T1296]  do_syscall_64+0xcd/0xf80
[  156.632992][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  156.638876][ T1296] 
[  156.641179][ T1296] Freed by task 6433:
[  156.645137][ T1296]  kasan_save_stack+0x33/0x60
[  156.649803][ T1296]  kasan_save_track+0x14/0x30
[  156.654467][ T1296]  kasan_save_free_info+0x3b/0x60
[  156.659492][ T1296]  __kasan_slab_free+0x5f/0x80
[  156.664249][ T1296]  kfree+0x2f8/0x6e0
[  156.668144][ T1296]  process_one_work+0x9ba/0x1b20
[  156.673078][ T1296]  worker_thread+0x6c8/0xf10
[  156.677665][ T1296]  kthread+0x3c5/0x780
[  156.681728][ T1296]  ret_from_fork+0x983/0xb10
[  156.686309][ T1296]  ret_from_fork_asm+0x1a/0x30
[  156.691083][ T1296] 
[  156.693389][ T1296] Last potentially related work creation:
[  156.699078][ T1296]  kasan_save_stack+0x33/0x60
[  156.703746][ T1296]  kasan_record_aux_stack+0xa7/0xc0
[  156.708947][ T1296]  insert_work+0x36/0x230
[  156.713272][ T1296]  __queue_work+0x94f/0x10e0
[  156.717865][ T1296]  queue_work_on+0x1a4/0x1f0
[  156.722457][ T1296]  release_tty+0x4de/0x5d0
[  156.726872][ T1296]  tty_release_struct+0xb7/0xe0
[  156.731722][ T1296]  tty_release+0xe2d/0x1470
[  156.736225][ T1296]  __fput+0x402/0xb70
[  156.740208][ T1296]  task_work_run+0x150/0x240
[  156.744816][ T1296]  do_exit+0x87f/0x2bd0
[  156.748961][ T1296]  do_group_exit+0xd3/0x2a0
[  156.753454][ T1296]  get_signal+0x2671/0x26d0
[  156.757964][ T1296]  arch_do_signal_or_restart+0x8f/0x7e0
[  156.763509][ T1296]  exit_to_user_mode_loop+0x8c/0x540
[  156.768798][ T1296]  do_syscall_64+0x4ee/0xf80
[  156.773394][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  156.779281][ T1296] 
[  156.781587][ T1296] The buggy address belongs to the object at ffff888078e19000
[  156.781587][ T1296]  which belongs to the cache kmalloc-cg-2k of size 2048
[  156.795887][ T1296] The buggy address is located 1257 bytes inside of
[  156.795887][ T1296]  freed 2048-byte region [ffff888078e19000, ffff888078e19800)
[  156.809850][ T1296] 
[  156.812157][ T1296] The buggy address belongs to the physical page:
[  156.818551][ T1296] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78e18
[  156.827297][ T1296] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  156.835782][ T1296] memcg:ffff888055c9fe01
[  156.840004][ T1296] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[  156.847537][ T1296] page_type: f5(slab)
[  156.851508][ T1296] raw: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  156.860080][ T1296] raw: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  156.868653][ T1296] head: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  156.877313][ T1296] head: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  156.885994][ T1296] head: 00fff00000000003 ffffea0001e38601 00000000ffffffff 00000000ffffffff
[  156.894655][ T1296] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[  156.903304][ T1296] page dumped because: kasan: bad access detected
[  156.909702][ T1296] page_owner tracks the page as allocated
[  156.915414][ T1296] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5821, tgid 5821 (syz-executor), ts 102699648920, free_ts 69207062978
[  156.936877][ T1296]  post_alloc_hook+0x1af/0x220
[  156.941645][ T1296]  get_page_from_freelist+0xd0b/0x31a0
[  156.947113][ T1296]  __alloc_frozen_pages_noprof+0x25f/0x2430
[  156.953013][ T1296]  alloc_pages_mpol+0x1fb/0x550
[  156.957858][ T1296]  new_slab+0x2c3/0x430
[  156.962011][ T1296]  ___slab_alloc+0xe18/0x1c90
[  156.966691][ T1296]  __slab_alloc.constprop.0+0x63/0x110
[  156.972151][ T1296]  __kmalloc_cache_noprof+0x485/0x800
[  156.977528][ T1296]  ipv6_add_dev+0x1c9/0x15f0
[  156.982120][ T1296]  addrconf_notify+0x53e/0x19f0
[  156.986965][ T1296]  notifier_call_chain+0xbc/0x3e0
[  156.991984][ T1296]  call_netdevice_notifiers_info+0xbe/0x110
[  156.997886][ T1296]  register_netdevice+0x1792/0x21d0
[  157.003087][ T1296]  nsim_create+0xdd5/0x13f0
[  157.007599][ T1296]  __nsim_dev_port_add+0x451/0x7a0
[  157.012701][ T1296]  nsim_drv_probe+0xebb/0x15c0
[  157.017454][ T1296] page last free pid 5192 tgid 5192 stack trace:
[  157.023759][ T1296]  __free_frozen_pages+0x7df/0x1170
[  157.028958][ T1296]  __put_partials+0x130/0x170
[  157.033635][ T1296]  qlist_free_all+0x4c/0xf0
[  157.038145][ T1296]  kasan_quarantine_reduce+0x195/0x1e0
[  157.043596][ T1296]  __kasan_slab_alloc+0x69/0x90
[  157.048445][ T1296]  kmem_cache_alloc_node_noprof+0x298/0x800
[  157.054345][ T1296]  __alloc_skb+0x156/0x410
[  157.058756][ T1296]  netlink_alloc_large_skb+0x69/0x140
[  157.064134][ T1296]  netlink_sendmsg+0x698/0xdd0
[  157.068901][ T1296]  ____sys_sendmsg+0xa5d/0xc30
[  157.073669][ T1296]  ___sys_sendmsg+0x134/0x1d0
[  157.078341][ T1296]  __sys_sendmsg+0x16d/0x220
[  157.082928][ T1296]  do_syscall_64+0xcd/0xf80
[  157.087438][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  157.093320][ T1296] 
[  157.095625][ T1296] Memory state around the buggy address:
[  157.101235][ T1296]  ffff888078e19380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  157.109282][ T1296]  ffff888078e19400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  157.117332][ T1296] >ffff888078e19480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  157.125376][ T1296]                                                           ^
[  157.132815][ T1296]  ffff888078e19500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  157.140866][ T1296]  ffff888078e19580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  157.148908][ T1296] ==================================================================
[  157.157011][ T1296] ==================================================================
[  157.165069][ T1296] BUG: KASAN: slab-use-after-free in tty_write_room+0x7d/0x90
[  157.172542][ T1296] Read of size 8 at addr ffff888078e19020 by task aoe_tx0/1296
[  157.180070][ T1296] 
[  157.182388][ T1296] CPU: 1 UID: 0 PID: 1296 Comm: aoe_tx0 Tainted: G    B               syzkaller #0 PREEMPT(full) 
[  157.182426][ T1296] Tainted: [B]=BAD_PAGE
[  157.182440][ T1296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[  157.182456][ T1296] Call Trace:
[  157.182465][ T1296]  <TASK>
[  157.182475][ T1296]  dump_stack_lvl+0x116/0x1f0
[  157.182520][ T1296]  print_report+0xcd/0x630
[  157.182549][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  157.182582][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  157.182614][ T1296]  ? __phys_addr+0xe8/0x180
[  157.182641][ T1296]  ? tty_write_room+0x7d/0x90
[  157.182667][ T1296]  kasan_report+0xe0/0x110
[  157.182698][ T1296]  ? tty_write_room+0x7d/0x90
[  157.182730][ T1296]  tty_write_room+0x7d/0x90
[  157.182758][ T1296]  handle_tx+0x14f/0x630
[  157.182791][ T1296]  dev_hard_start_xmit+0x97/0x6e0
[  157.182824][ T1296]  __dev_queue_xmit+0x6d7/0x4650
[  157.182857][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  157.182890][ T1296]  ? rcu_is_watching+0x12/0xc0
[  157.182915][ T1296]  ? finish_task_switch.isra.0+0x207/0xbd0
[  157.182961][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  157.182994][ T1296]  ? __pfx___dev_queue_xmit+0x10/0x10
[  157.183024][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  157.183060][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  157.183093][ T1296]  ? __lock_acquire+0x436/0x2890
[  157.183125][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  157.183158][ T1296]  ? ref_tracker_free+0x37c/0x830
[  157.183192][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  157.183224][ T1296]  ? do_raw_spin_lock+0x12c/0x2b0
[  157.183263][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  157.183295][ T1296]  ? find_held_lock+0x2b/0x80
[  157.183338][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  157.183370][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  157.183403][ T1296]  ? find_held_lock+0x2b/0x80
[  157.183453][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  157.183485][ T1296]  ? rcu_is_watching+0x12/0xc0
[  157.183513][ T1296]  tx+0xcc/0x190
[  157.183555][ T1296]  ? __pfx_tx+0x10/0x10
[  157.183595][ T1296]  kthread+0x1e4/0x3e0
[  157.183632][ T1296]  ? find_held_lock+0x2b/0x80
[  157.183674][ T1296]  ? __pfx_kthread+0x10/0x10
[  157.183712][ T1296]  ? __pfx_default_wake_function+0x10/0x10
[  157.183756][ T1296]  ? lockdep_hardirqs_on+0x7c/0x110
[  157.183798][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  157.183832][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  157.183865][ T1296]  ? __kthread_parkme+0x19e/0x250
[  157.183892][ T1296]  ? __pfx_kthread+0x10/0x10
[  157.183928][ T1296]  kthread+0x3c5/0x780
[  157.183960][ T1296]  ? __pfx_kthread+0x10/0x10
[  157.183993][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  157.184026][ T1296]  ? rcu_is_watching+0x12/0xc0
[  157.184050][ T1296]  ? __pfx_kthread+0x10/0x10
[  157.184083][ T1296]  ret_from_fork+0x983/0xb10
[  157.184113][ T1296]  ? __pfx_ret_from_fork+0x10/0x10
[  157.184145][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  157.184177][ T1296]  ? __switch_to+0x7af/0x10d0
[  157.184213][ T1296]  ? __pfx_kthread+0x10/0x10
[  157.184246][ T1296]  ret_from_fork_asm+0x1a/0x30
[  157.184298][ T1296]  </TASK>
[  157.184307][ T1296] 
[  157.483109][ T1296] Allocated by task 6336:
[  157.487418][ T1296]  kasan_save_stack+0x33/0x60
[  157.492090][ T1296]  kasan_save_track+0x14/0x30
[  157.496755][ T1296]  __kasan_kmalloc+0xaa/0xb0
[  157.501332][ T1296]  alloc_tty_struct+0x96/0x8c0
[  157.506102][ T1296]  tty_init_dev.part.0+0x1e/0x500
[  157.511130][ T1296]  tty_open+0xa4f/0xf90
[  157.515295][ T1296]  chrdev_open+0x234/0x6a0
[  157.519708][ T1296]  do_dentry_open+0x748/0x1590
[  157.524465][ T1296]  vfs_open+0x82/0x3f0
[  157.528542][ T1296]  path_openat+0x2078/0x3140
[  157.533127][ T1296]  do_filp_open+0x20b/0x470
[  157.537630][ T1296]  do_sys_openat2+0x121/0x290
[  157.542308][ T1296]  __x64_sys_openat+0x174/0x210
[  157.547162][ T1296]  do_syscall_64+0xcd/0xf80
[  157.551673][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  157.557558][ T1296] 
[  157.559861][ T1296] Freed by task 6433:
[  157.563818][ T1296]  kasan_save_stack+0x33/0x60
[  157.568484][ T1296]  kasan_save_track+0x14/0x30
[  157.573149][ T1296]  kasan_save_free_info+0x3b/0x60
[  157.578175][ T1296]  __kasan_slab_free+0x5f/0x80
[  157.582928][ T1296]  kfree+0x2f8/0x6e0
[  157.586822][ T1296]  process_one_work+0x9ba/0x1b20
[  157.591761][ T1296]  worker_thread+0x6c8/0xf10
[  157.596349][ T1296]  kthread+0x3c5/0x780
[  157.600410][ T1296]  ret_from_fork+0x983/0xb10
[  157.605000][ T1296]  ret_from_fork_asm+0x1a/0x30
[  157.609773][ T1296] 
[  157.612078][ T1296] Last potentially related work creation:
[  157.617772][ T1296]  kasan_save_stack+0x33/0x60
[  157.622444][ T1296]  kasan_record_aux_stack+0xa7/0xc0
[  157.627645][ T1296]  insert_work+0x36/0x230
[  157.631971][ T1296]  __queue_work+0x94f/0x10e0
[  157.636562][ T1296]  queue_work_on+0x1a4/0x1f0
[  157.641150][ T1296]  release_tty+0x4de/0x5d0
[  157.645566][ T1296]  tty_release_struct+0xb7/0xe0
[  157.650416][ T1296]  tty_release+0xe2d/0x1470
[  157.654927][ T1296]  __fput+0x402/0xb70
[  157.658907][ T1296]  task_work_run+0x150/0x240
[  157.663495][ T1296]  do_exit+0x87f/0x2bd0
[  157.667642][ T1296]  do_group_exit+0xd3/0x2a0
[  157.672135][ T1296]  get_signal+0x2671/0x26d0
[  157.676641][ T1296]  arch_do_signal_or_restart+0x8f/0x7e0
[  157.682187][ T1296]  exit_to_user_mode_loop+0x8c/0x540
[  157.687475][ T1296]  do_syscall_64+0x4ee/0xf80
[  157.692070][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  157.697954][ T1296] 
[  157.700262][ T1296] The buggy address belongs to the object at ffff888078e19000
[  157.700262][ T1296]  which belongs to the cache kmalloc-cg-2k of size 2048
[  157.714566][ T1296] The buggy address is located 32 bytes inside of
[  157.714566][ T1296]  freed 2048-byte region [ffff888078e19000, ffff888078e19800)
[  157.728350][ T1296] 
[  157.730660][ T1296] The buggy address belongs to the physical page:
[  157.737062][ T1296] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78e18
[  157.745824][ T1296] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  157.754322][ T1296] memcg:ffff888055c9fe01
[  157.758551][ T1296] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[  157.766094][ T1296] page_type: f5(slab)
[  157.770077][ T1296] raw: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  157.778667][ T1296] raw: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  157.787256][ T1296] head: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  157.795931][ T1296] head: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  157.804612][ T1296] head: 00fff00000000003 ffffea0001e38601 00000000ffffffff 00000000ffffffff
[  157.813287][ T1296] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[  157.821950][ T1296] page dumped because: kasan: bad access detected
[  157.828353][ T1296] page_owner tracks the page as allocated
[  157.834052][ T1296] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5821, tgid 5821 (syz-executor), ts 102699648920, free_ts 69207062978
[  157.855519][ T1296]  post_alloc_hook+0x1af/0x220
[  157.860310][ T1296]  get_page_from_freelist+0xd0b/0x31a0
[  157.865802][ T1296]  __alloc_frozen_pages_noprof+0x25f/0x2430
[  157.871725][ T1296]  alloc_pages_mpol+0x1fb/0x550
[  157.876591][ T1296]  new_slab+0x2c3/0x430
[  157.880764][ T1296]  ___slab_alloc+0xe18/0x1c90
[  157.885461][ T1296]  __slab_alloc.constprop.0+0x63/0x110
[  157.890937][ T1296]  __kmalloc_cache_noprof+0x485/0x800
[  157.896311][ T1296]  ipv6_add_dev+0x1c9/0x15f0
[  157.900905][ T1296]  addrconf_notify+0x53e/0x19f0
[  157.905751][ T1296]  notifier_call_chain+0xbc/0x3e0
[  157.910768][ T1296]  call_netdevice_notifiers_info+0xbe/0x110
[  157.916670][ T1296]  register_netdevice+0x1792/0x21d0
[  157.921873][ T1296]  nsim_create+0xdd5/0x13f0
[  157.926380][ T1296]  __nsim_dev_port_add+0x451/0x7a0
[  157.931479][ T1296]  nsim_drv_probe+0xebb/0x15c0
[  157.936231][ T1296] page last free pid 5192 tgid 5192 stack trace:
[  157.942539][ T1296]  __free_frozen_pages+0x7df/0x1170
[  157.947756][ T1296]  __put_partials+0x130/0x170
[  157.952440][ T1296]  qlist_free_all+0x4c/0xf0
[  157.956950][ T1296]  kasan_quarantine_reduce+0x195/0x1e0
[  157.962396][ T1296]  __kasan_slab_alloc+0x69/0x90
[  157.967240][ T1296]  kmem_cache_alloc_node_noprof+0x298/0x800
[  157.973138][ T1296]  __alloc_skb+0x156/0x410
[  157.977547][ T1296]  netlink_alloc_large_skb+0x69/0x140
[  157.982922][ T1296]  netlink_sendmsg+0x698/0xdd0
[  157.987689][ T1296]  ____sys_sendmsg+0xa5d/0xc30
[  157.992459][ T1296]  ___sys_sendmsg+0x134/0x1d0
[  157.997132][ T1296]  __sys_sendmsg+0x16d/0x220
[  158.001717][ T1296]  do_syscall_64+0xcd/0xf80
[  158.006225][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  158.012109][ T1296] 
[  158.014416][ T1296] Memory state around the buggy address:
[  158.020034][ T1296]  ffff888078e18f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  158.028080][ T1296]  ffff888078e18f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  158.036126][ T1296] >ffff888078e19000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  158.044172][ T1296]                                ^
[  158.049275][ T1296]  ffff888078e19080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  158.057321][ T1296]  ffff888078e19100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  158.065366][ T1296] ==================================================================
[  158.073457][ T1296] ==================================================================
[  158.081511][ T1296] BUG: KASAN: slab-use-after-free in uart_write_room+0x85e/0x940
[  158.089246][ T1296] Read of size 8 at addr ffff888078e195f8 by task aoe_tx0/1296
[  158.096778][ T1296] 
[  158.099091][ T1296] CPU: 1 UID: 0 PID: 1296 Comm: aoe_tx0 Tainted: G    B               syzkaller #0 PREEMPT(full) 
[  158.099129][ T1296] Tainted: [B]=BAD_PAGE
[  158.099138][ T1296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[  158.099154][ T1296] Call Trace:
[  158.099163][ T1296]  <TASK>
[  158.099173][ T1296]  dump_stack_lvl+0x116/0x1f0
[  158.099217][ T1296]  print_report+0xcd/0x630
[  158.099246][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  158.099279][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  158.099312][ T1296]  ? __phys_addr+0xe8/0x180
[  158.099349][ T1296]  ? uart_write_room+0x85e/0x940
[  158.099382][ T1296]  kasan_report+0xe0/0x110
[  158.099414][ T1296]  ? uart_write_room+0x85e/0x940
[  158.099451][ T1296]  ? __pfx_uart_write_room+0x10/0x10
[  158.099486][ T1296]  uart_write_room+0x85e/0x940
[  158.099520][ T1296]  ? __pfx_uart_write_room+0x10/0x10
[  158.099555][ T1296]  tty_write_room+0x66/0x90
[  158.099583][ T1296]  handle_tx+0x14f/0x630
[  158.099617][ T1296]  dev_hard_start_xmit+0x97/0x6e0
[  158.099650][ T1296]  __dev_queue_xmit+0x6d7/0x4650
[  158.099687][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  158.099720][ T1296]  ? rcu_is_watching+0x12/0xc0
[  158.099745][ T1296]  ? finish_task_switch.isra.0+0x207/0xbd0
[  158.099790][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  158.099824][ T1296]  ? __pfx___dev_queue_xmit+0x10/0x10
[  158.099853][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  158.099889][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  158.099922][ T1296]  ? __lock_acquire+0x436/0x2890
[  158.099955][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  158.099988][ T1296]  ? ref_tracker_free+0x37c/0x830
[  158.100021][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  158.100054][ T1296]  ? do_raw_spin_lock+0x12c/0x2b0
[  158.100093][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  158.100125][ T1296]  ? find_held_lock+0x2b/0x80
[  158.100167][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  158.100200][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  158.100239][ T1296]  ? find_held_lock+0x2b/0x80
[  158.100299][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  158.100344][ T1296]  ? rcu_is_watching+0x12/0xc0
[  158.100383][ T1296]  tx+0xcc/0x190
[  158.100429][ T1296]  ? __pfx_tx+0x10/0x10
[  158.100469][ T1296]  kthread+0x1e4/0x3e0
[  158.100508][ T1296]  ? find_held_lock+0x2b/0x80
[  158.100549][ T1296]  ? __pfx_kthread+0x10/0x10
[  158.100587][ T1296]  ? __pfx_default_wake_function+0x10/0x10
[  158.100632][ T1296]  ? lockdep_hardirqs_on+0x7c/0x110
[  158.100674][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  158.100713][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  158.100746][ T1296]  ? __kthread_parkme+0x19e/0x250
[  158.100773][ T1296]  ? __pfx_kthread+0x10/0x10
[  158.100809][ T1296]  kthread+0x3c5/0x780
[  158.100841][ T1296]  ? __pfx_kthread+0x10/0x10
[  158.100874][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  158.100907][ T1296]  ? rcu_is_watching+0x12/0xc0
[  158.100931][ T1296]  ? __pfx_kthread+0x10/0x10
[  158.100965][ T1296]  ret_from_fork+0x983/0xb10
[  158.100995][ T1296]  ? __pfx_ret_from_fork+0x10/0x10
[  158.101027][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  158.101059][ T1296]  ? __switch_to+0x7af/0x10d0
[  158.101095][ T1296]  ? __pfx_kthread+0x10/0x10
[  158.101128][ T1296]  ret_from_fork_asm+0x1a/0x30
[  158.101180][ T1296]  </TASK>
[  158.101189][ T1296] 
[  158.415750][ T1296] Allocated by task 6336:
[  158.420059][ T1296]  kasan_save_stack+0x33/0x60
[  158.424730][ T1296]  kasan_save_track+0x14/0x30
[  158.429408][ T1296]  __kasan_kmalloc+0xaa/0xb0
[  158.433991][ T1296]  alloc_tty_struct+0x96/0x8c0
[  158.438760][ T1296]  tty_init_dev.part.0+0x1e/0x500
[  158.443787][ T1296]  tty_open+0xa4f/0xf90
[  158.447946][ T1296]  chrdev_open+0x234/0x6a0
[  158.452361][ T1296]  do_dentry_open+0x748/0x1590
[  158.457147][ T1296]  vfs_open+0x82/0x3f0
[  158.461218][ T1296]  path_openat+0x2078/0x3140
[  158.465807][ T1296]  do_filp_open+0x20b/0x470
[  158.470308][ T1296]  do_sys_openat2+0x121/0x290
[  158.474986][ T1296]  __x64_sys_openat+0x174/0x210
[  158.479840][ T1296]  do_syscall_64+0xcd/0xf80
[  158.484349][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  158.490237][ T1296] 
[  158.492552][ T1296] Freed by task 6433:
[  158.496510][ T1296]  kasan_save_stack+0x33/0x60
[  158.501176][ T1296]  kasan_save_track+0x14/0x30
[  158.505865][ T1296]  kasan_save_free_info+0x3b/0x60
[  158.510891][ T1296]  __kasan_slab_free+0x5f/0x80
[  158.515647][ T1296]  kfree+0x2f8/0x6e0
[  158.519543][ T1296]  process_one_work+0x9ba/0x1b20
[  158.524481][ T1296]  worker_thread+0x6c8/0xf10
[  158.529069][ T1296]  kthread+0x3c5/0x780
[  158.533130][ T1296]  ret_from_fork+0x983/0xb10
[  158.537716][ T1296]  ret_from_fork_asm+0x1a/0x30
[  158.542483][ T1296] 
[  158.544786][ T1296] Last potentially related work creation:
[  158.550478][ T1296]  kasan_save_stack+0x33/0x60
[  158.555149][ T1296]  kasan_record_aux_stack+0xa7/0xc0
[  158.560374][ T1296]  insert_work+0x36/0x230
[  158.564705][ T1296]  __queue_work+0x94f/0x10e0
[  158.569291][ T1296]  queue_work_on+0x1a4/0x1f0
[  158.573877][ T1296]  release_tty+0x4de/0x5d0
[  158.578290][ T1296]  tty_release_struct+0xb7/0xe0
[  158.583137][ T1296]  tty_release+0xe2d/0x1470
[  158.587641][ T1296]  __fput+0x402/0xb70
[  158.591620][ T1296]  task_work_run+0x150/0x240
[  158.596208][ T1296]  do_exit+0x87f/0x2bd0
[  158.600356][ T1296]  do_group_exit+0xd3/0x2a0
[  158.604855][ T1296]  get_signal+0x2671/0x26d0
[  158.609363][ T1296]  arch_do_signal_or_restart+0x8f/0x7e0
[  158.614909][ T1296]  exit_to_user_mode_loop+0x8c/0x540
[  158.620212][ T1296]  do_syscall_64+0x4ee/0xf80
[  158.624839][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  158.630723][ T1296] 
[  158.633025][ T1296] The buggy address belongs to the object at ffff888078e19000
[  158.633025][ T1296]  which belongs to the cache kmalloc-cg-2k of size 2048
[  158.647322][ T1296] The buggy address is located 1528 bytes inside of
[  158.647322][ T1296]  freed 2048-byte region [ffff888078e19000, ffff888078e19800)
[  158.661281][ T1296] 
[  158.663592][ T1296] The buggy address belongs to the physical page:
[  158.669979][ T1296] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78e18
[  158.678722][ T1296] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  158.687205][ T1296] memcg:ffff888055c9fe01
[  158.691424][ T1296] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[  158.698957][ T1296] page_type: f5(slab)
[  158.702933][ T1296] raw: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  158.711511][ T1296] raw: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  158.720087][ T1296] head: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  158.728748][ T1296] head: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  158.737426][ T1296] head: 00fff00000000003 ffffea0001e38601 00000000ffffffff 00000000ffffffff
[  158.746094][ T1296] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[  158.754746][ T1296] page dumped because: kasan: bad access detected
[  158.761141][ T1296] page_owner tracks the page as allocated
[  158.766837][ T1296] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5821, tgid 5821 (syz-executor), ts 102699648920, free_ts 69207062978
[  158.788281][ T1296]  post_alloc_hook+0x1af/0x220
[  158.793048][ T1296]  get_page_from_freelist+0xd0b/0x31a0
[  158.798512][ T1296]  __alloc_frozen_pages_noprof+0x25f/0x2430
[  158.804410][ T1296]  alloc_pages_mpol+0x1fb/0x550
[  158.809257][ T1296]  new_slab+0x2c3/0x430
[  158.813413][ T1296]  ___slab_alloc+0xe18/0x1c90
[  158.818094][ T1296]  __slab_alloc.constprop.0+0x63/0x110
[  158.823554][ T1296]  __kmalloc_cache_noprof+0x485/0x800
[  158.828930][ T1296]  ipv6_add_dev+0x1c9/0x15f0
[  158.833534][ T1296]  addrconf_notify+0x53e/0x19f0
[  158.838378][ T1296]  notifier_call_chain+0xbc/0x3e0
[  158.843397][ T1296]  call_netdevice_notifiers_info+0xbe/0x110
[  158.849302][ T1296]  register_netdevice+0x1792/0x21d0
[  158.854502][ T1296]  nsim_create+0xdd5/0x13f0
[  158.859008][ T1296]  __nsim_dev_port_add+0x451/0x7a0
[  158.864108][ T1296]  nsim_drv_probe+0xebb/0x15c0
[  158.868862][ T1296] page last free pid 5192 tgid 5192 stack trace:
[  158.875166][ T1296]  __free_frozen_pages+0x7df/0x1170
[  158.880368][ T1296]  __put_partials+0x130/0x170
[  158.885063][ T1296]  qlist_free_all+0x4c/0xf0
[  158.889578][ T1296]  kasan_quarantine_reduce+0x195/0x1e0
[  158.895024][ T1296]  __kasan_slab_alloc+0x69/0x90
[  158.899868][ T1296]  kmem_cache_alloc_node_noprof+0x298/0x800
[  158.905765][ T1296]  __alloc_skb+0x156/0x410
[  158.910173][ T1296]  netlink_alloc_large_skb+0x69/0x140
[  158.915560][ T1296]  netlink_sendmsg+0x698/0xdd0
[  158.920333][ T1296]  ____sys_sendmsg+0xa5d/0xc30
[  158.925103][ T1296]  ___sys_sendmsg+0x134/0x1d0
[  158.929774][ T1296]  __sys_sendmsg+0x16d/0x220
[  158.934358][ T1296]  do_syscall_64+0xcd/0xf80
[  158.938865][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  158.944750][ T1296] 
[  158.947055][ T1296] Memory state around the buggy address:
[  158.952664][ T1296]  ffff888078e19480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  158.960711][ T1296]  ffff888078e19500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  158.968769][ T1296] >ffff888078e19580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  158.976813][ T1296]                                                                 ^
[  158.984772][ T1296]  ffff888078e19600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  158.992821][ T1296]  ffff888078e19680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  159.000863][ T1296] ==================================================================
[  159.008957][ T1296] ==================================================================
[  159.017013][ T1296] BUG: KASAN: slab-use-after-free in handle_tx+0x5a5/0x630
[  159.024228][ T1296] Read of size 8 at addr ffff888078e19020 by task aoe_tx0/1296
[  159.031777][ T1296] 
[  159.034090][ T1296] CPU: 1 UID: 0 PID: 1296 Comm: aoe_tx0 Tainted: G    B               syzkaller #0 PREEMPT(full) 
[  159.034128][ T1296] Tainted: [B]=BAD_PAGE
[  159.034137][ T1296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[  159.034153][ T1296] Call Trace:
[  159.034162][ T1296]  <TASK>
[  159.034172][ T1296]  dump_stack_lvl+0x116/0x1f0
[  159.034216][ T1296]  print_report+0xcd/0x630
[  159.034245][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.034278][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.034311][ T1296]  ? __phys_addr+0xe8/0x180
[  159.034338][ T1296]  ? handle_tx+0x5a5/0x630
[  159.034364][ T1296]  kasan_report+0xe0/0x110
[  159.034395][ T1296]  ? handle_tx+0x5a5/0x630
[  159.034426][ T1296]  handle_tx+0x5a5/0x630
[  159.034464][ T1296]  dev_hard_start_xmit+0x97/0x6e0
[  159.034497][ T1296]  __dev_queue_xmit+0x6d7/0x4650
[  159.034530][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.034563][ T1296]  ? rcu_is_watching+0x12/0xc0
[  159.034588][ T1296]  ? finish_task_switch.isra.0+0x207/0xbd0
[  159.034633][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.034666][ T1296]  ? __pfx___dev_queue_xmit+0x10/0x10
[  159.034702][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.034742][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.034774][ T1296]  ? __lock_acquire+0x436/0x2890
[  159.034807][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.034839][ T1296]  ? ref_tracker_free+0x37c/0x830
[  159.034875][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.034910][ T1296]  ? do_raw_spin_lock+0x12c/0x2b0
[  159.034955][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.034988][ T1296]  ? find_held_lock+0x2b/0x80
[  159.035032][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.035064][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.035097][ T1296]  ? find_held_lock+0x2b/0x80
[  159.035140][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.035172][ T1296]  ? rcu_is_watching+0x12/0xc0
[  159.035200][ T1296]  tx+0xcc/0x190
[  159.035242][ T1296]  ? __pfx_tx+0x10/0x10
[  159.035281][ T1296]  kthread+0x1e4/0x3e0
[  159.035319][ T1296]  ? find_held_lock+0x2b/0x80
[  159.035360][ T1296]  ? __pfx_kthread+0x10/0x10
[  159.035398][ T1296]  ? __pfx_default_wake_function+0x10/0x10
[  159.035451][ T1296]  ? lockdep_hardirqs_on+0x7c/0x110
[  159.035493][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.035527][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.035560][ T1296]  ? __kthread_parkme+0x19e/0x250
[  159.035586][ T1296]  ? __pfx_kthread+0x10/0x10
[  159.035623][ T1296]  kthread+0x3c5/0x780
[  159.035655][ T1296]  ? __pfx_kthread+0x10/0x10
[  159.035687][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.035720][ T1296]  ? rcu_is_watching+0x12/0xc0
[  159.035745][ T1296]  ? __pfx_kthread+0x10/0x10
[  159.035778][ T1296]  ret_from_fork+0x983/0xb10
[  159.035808][ T1296]  ? __pfx_ret_from_fork+0x10/0x10
[  159.035839][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.035872][ T1296]  ? __switch_to+0x7af/0x10d0
[  159.035908][ T1296]  ? __pfx_kthread+0x10/0x10
[  159.035940][ T1296]  ret_from_fork_asm+0x1a/0x30
[  159.035992][ T1296]  </TASK>
[  159.036002][ T1296] 
[  159.329803][ T1296] Allocated by task 6336:
[  159.334109][ T1296]  kasan_save_stack+0x33/0x60
[  159.338780][ T1296]  kasan_save_track+0x14/0x30
[  159.343451][ T1296]  __kasan_kmalloc+0xaa/0xb0
[  159.348028][ T1296]  alloc_tty_struct+0x96/0x8c0
[  159.352806][ T1296]  tty_init_dev.part.0+0x1e/0x500
[  159.357854][ T1296]  tty_open+0xa4f/0xf90
[  159.362032][ T1296]  chrdev_open+0x234/0x6a0
[  159.366450][ T1296]  do_dentry_open+0x748/0x1590
[  159.371210][ T1296]  vfs_open+0x82/0x3f0
[  159.375286][ T1296]  path_openat+0x2078/0x3140
[  159.379895][ T1296]  do_filp_open+0x20b/0x470
[  159.384397][ T1296]  do_sys_openat2+0x121/0x290
[  159.389083][ T1296]  __x64_sys_openat+0x174/0x210
[  159.393936][ T1296]  do_syscall_64+0xcd/0xf80
[  159.398443][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  159.404326][ T1296] 
[  159.406632][ T1296] Freed by task 6433:
[  159.410595][ T1296]  kasan_save_stack+0x33/0x60
[  159.415274][ T1296]  kasan_save_track+0x14/0x30
[  159.419938][ T1296]  kasan_save_free_info+0x3b/0x60
[  159.424962][ T1296]  __kasan_slab_free+0x5f/0x80
[  159.429717][ T1296]  kfree+0x2f8/0x6e0
[  159.433614][ T1296]  process_one_work+0x9ba/0x1b20
[  159.438553][ T1296]  worker_thread+0x6c8/0xf10
[  159.443140][ T1296]  kthread+0x3c5/0x780
[  159.447206][ T1296]  ret_from_fork+0x983/0xb10
[  159.451788][ T1296]  ret_from_fork_asm+0x1a/0x30
[  159.456555][ T1296] 
[  159.458857][ T1296] Last potentially related work creation:
[  159.464548][ T1296]  kasan_save_stack+0x33/0x60
[  159.469213][ T1296]  kasan_record_aux_stack+0xa7/0xc0
[  159.474412][ T1296]  insert_work+0x36/0x230
[  159.478744][ T1296]  __queue_work+0x94f/0x10e0
[  159.483333][ T1296]  queue_work_on+0x1a4/0x1f0
[  159.487921][ T1296]  release_tty+0x4de/0x5d0
[  159.492333][ T1296]  tty_release_struct+0xb7/0xe0
[  159.497187][ T1296]  tty_release+0xe2d/0x1470
[  159.501689][ T1296]  __fput+0x402/0xb70
[  159.505673][ T1296]  task_work_run+0x150/0x240
[  159.510260][ T1296]  do_exit+0x87f/0x2bd0
[  159.514411][ T1296]  do_group_exit+0xd3/0x2a0
[  159.518907][ T1296]  get_signal+0x2671/0x26d0
[  159.523413][ T1296]  arch_do_signal_or_restart+0x8f/0x7e0
[  159.528967][ T1296]  exit_to_user_mode_loop+0x8c/0x540
[  159.534255][ T1296]  do_syscall_64+0x4ee/0xf80
[  159.538852][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  159.544734][ T1296] 
[  159.547037][ T1296] The buggy address belongs to the object at ffff888078e19000
[  159.547037][ T1296]  which belongs to the cache kmalloc-cg-2k of size 2048
[  159.561337][ T1296] The buggy address is located 32 bytes inside of
[  159.561337][ T1296]  freed 2048-byte region [ffff888078e19000, ffff888078e19800)
[  159.575123][ T1296] 
[  159.577432][ T1296] The buggy address belongs to the physical page:
[  159.583823][ T1296] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78e18
[  159.592573][ T1296] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  159.601065][ T1296] memcg:ffff888055c9fe01
[  159.605286][ T1296] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[  159.612815][ T1296] page_type: f5(slab)
[  159.616786][ T1296] raw: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  159.625357][ T1296] raw: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  159.633932][ T1296] head: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  159.642595][ T1296] head: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  159.651261][ T1296] head: 00fff00000000003 ffffea0001e38601 00000000ffffffff 00000000ffffffff
[  159.659934][ T1296] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[  159.668586][ T1296] page dumped because: kasan: bad access detected
[  159.674977][ T1296] page_owner tracks the page as allocated
[  159.680674][ T1296] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5821, tgid 5821 (syz-executor), ts 102699648920, free_ts 69207062978
[  159.702143][ T1296]  post_alloc_hook+0x1af/0x220
[  159.706909][ T1296]  get_page_from_freelist+0xd0b/0x31a0
[  159.712373][ T1296]  __alloc_frozen_pages_noprof+0x25f/0x2430
[  159.718277][ T1296]  alloc_pages_mpol+0x1fb/0x550
[  159.723120][ T1296]  new_slab+0x2c3/0x430
[  159.727275][ T1296]  ___slab_alloc+0xe18/0x1c90
[  159.731952][ T1296]  __slab_alloc.constprop.0+0x63/0x110
[  159.737414][ T1296]  __kmalloc_cache_noprof+0x485/0x800
[  159.742793][ T1296]  ipv6_add_dev+0x1c9/0x15f0
[  159.747387][ T1296]  addrconf_notify+0x53e/0x19f0
[  159.752233][ T1296]  notifier_call_chain+0xbc/0x3e0
[  159.757250][ T1296]  call_netdevice_notifiers_info+0xbe/0x110
[  159.763154][ T1296]  register_netdevice+0x1792/0x21d0
[  159.768355][ T1296]  nsim_create+0xdd5/0x13f0
[  159.772859][ T1296]  __nsim_dev_port_add+0x451/0x7a0
[  159.777959][ T1296]  nsim_drv_probe+0xebb/0x15c0
[  159.782716][ T1296] page last free pid 5192 tgid 5192 stack trace:
[  159.789036][ T1296]  __free_frozen_pages+0x7df/0x1170
[  159.794234][ T1296]  __put_partials+0x130/0x170
[  159.798911][ T1296]  qlist_free_all+0x4c/0xf0
[  159.803422][ T1296]  kasan_quarantine_reduce+0x195/0x1e0
[  159.808880][ T1296]  __kasan_slab_alloc+0x69/0x90
[  159.813726][ T1296]  kmem_cache_alloc_node_noprof+0x298/0x800
[  159.819626][ T1296]  __alloc_skb+0x156/0x410
[  159.824035][ T1296]  netlink_alloc_large_skb+0x69/0x140
[  159.829411][ T1296]  netlink_sendmsg+0x698/0xdd0
[  159.834182][ T1296]  ____sys_sendmsg+0xa5d/0xc30
[  159.838971][ T1296]  ___sys_sendmsg+0x134/0x1d0
[  159.843644][ T1296]  __sys_sendmsg+0x16d/0x220
[  159.848230][ T1296]  do_syscall_64+0xcd/0xf80
[  159.852735][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  159.858617][ T1296] 
[  159.860921][ T1296] Memory state around the buggy address:
[  159.866532][ T1296]  ffff888078e18f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  159.874580][ T1296]  ffff888078e18f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  159.882629][ T1296] >ffff888078e19000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  159.890671][ T1296]                                ^
[  159.895762][ T1296]  ffff888078e19080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  159.903828][ T1296]  ffff888078e19100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  159.911870][ T1296] ==================================================================
[  159.919972][ T1296] ==================================================================
[  159.928031][ T1296] BUG: KASAN: slab-use-after-free in uart_write+0x9ff/0xb30
[  159.935341][ T1296] Read of size 8 at addr ffff888078e195f8 by task aoe_tx0/1296
[  159.942871][ T1296] 
[  159.945186][ T1296] CPU: 1 UID: 0 PID: 1296 Comm: aoe_tx0 Tainted: G    B               syzkaller #0 PREEMPT(full) 
[  159.945223][ T1296] Tainted: [B]=BAD_PAGE
[  159.945233][ T1296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[  159.945249][ T1296] Call Trace:
[  159.945258][ T1296]  <TASK>
[  159.945268][ T1296]  dump_stack_lvl+0x116/0x1f0
[  159.945312][ T1296]  print_report+0xcd/0x630
[  159.945342][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.945375][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.945407][ T1296]  ? __phys_addr+0xe8/0x180
[  159.945440][ T1296]  ? uart_write+0x9ff/0xb30
[  159.945478][ T1296]  kasan_report+0xe0/0x110
[  159.945510][ T1296]  ? uart_write+0x9ff/0xb30
[  159.945554][ T1296]  uart_write+0x9ff/0xb30
[  159.945597][ T1296]  handle_tx+0x204/0x630
[  159.945630][ T1296]  dev_hard_start_xmit+0x97/0x6e0
[  159.945663][ T1296]  __dev_queue_xmit+0x6d7/0x4650
[  159.945697][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.945734][ T1296]  ? rcu_is_watching+0x12/0xc0
[  159.945759][ T1296]  ? finish_task_switch.isra.0+0x207/0xbd0
[  159.945804][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.945838][ T1296]  ? __pfx___dev_queue_xmit+0x10/0x10
[  159.945867][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.945903][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.945936][ T1296]  ? __lock_acquire+0x436/0x2890
[  159.945969][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.946001][ T1296]  ? ref_tracker_free+0x37c/0x830
[  159.946035][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.946068][ T1296]  ? do_raw_spin_lock+0x12c/0x2b0
[  159.946106][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.946139][ T1296]  ? find_held_lock+0x2b/0x80
[  159.946182][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.946214][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.946247][ T1296]  ? find_held_lock+0x2b/0x80
[  159.946290][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.946322][ T1296]  ? rcu_is_watching+0x12/0xc0
[  159.946350][ T1296]  tx+0xcc/0x190
[  159.946392][ T1296]  ? __pfx_tx+0x10/0x10
[  159.946436][ T1296]  kthread+0x1e4/0x3e0
[  159.946473][ T1296]  ? find_held_lock+0x2b/0x80
[  159.946515][ T1296]  ? __pfx_kthread+0x10/0x10
[  159.946553][ T1296]  ? __pfx_default_wake_function+0x10/0x10
[  159.946597][ T1296]  ? lockdep_hardirqs_on+0x7c/0x110
[  159.946640][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.946673][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.946706][ T1296]  ? __kthread_parkme+0x19e/0x250
[  159.946733][ T1296]  ? __pfx_kthread+0x10/0x10
[  159.946769][ T1296]  kthread+0x3c5/0x780
[  159.946801][ T1296]  ? __pfx_kthread+0x10/0x10
[  159.946834][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.946867][ T1296]  ? rcu_is_watching+0x12/0xc0
[  159.946891][ T1296]  ? __pfx_kthread+0x10/0x10
[  159.946924][ T1296]  ret_from_fork+0x983/0xb10
[  159.946955][ T1296]  ? __pfx_ret_from_fork+0x10/0x10
[  159.946987][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  159.947019][ T1296]  ? __switch_to+0x7af/0x10d0
[  159.947057][ T1296]  ? __pfx_kthread+0x10/0x10
[  159.947094][ T1296]  ret_from_fork_asm+0x1a/0x30
[  159.947146][ T1296]  </TASK>
[  159.947155][ T1296] 
[  160.245365][ T1296] Allocated by task 6336:
[  160.249671][ T1296]  kasan_save_stack+0x33/0x60
[  160.254338][ T1296]  kasan_save_track+0x14/0x30
[  160.259005][ T1296]  __kasan_kmalloc+0xaa/0xb0
[  160.263584][ T1296]  alloc_tty_struct+0x96/0x8c0
[  160.268353][ T1296]  tty_init_dev.part.0+0x1e/0x500
[  160.273379][ T1296]  tty_open+0xa4f/0xf90
[  160.277545][ T1296]  chrdev_open+0x234/0x6a0
[  160.281962][ T1296]  do_dentry_open+0x748/0x1590
[  160.286717][ T1296]  vfs_open+0x82/0x3f0
[  160.290788][ T1296]  path_openat+0x2078/0x3140
[  160.295379][ T1296]  do_filp_open+0x20b/0x470
[  160.299908][ T1296]  do_sys_openat2+0x121/0x290
[  160.304593][ T1296]  __x64_sys_openat+0x174/0x210
[  160.309447][ T1296]  do_syscall_64+0xcd/0xf80
[  160.313956][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  160.319838][ T1296] 
[  160.322142][ T1296] Freed by task 6433:
[  160.326101][ T1296]  kasan_save_stack+0x33/0x60
[  160.330782][ T1296]  kasan_save_track+0x14/0x30
[  160.335450][ T1296]  kasan_save_free_info+0x3b/0x60
[  160.340479][ T1296]  __kasan_slab_free+0x5f/0x80
[  160.345235][ T1296]  kfree+0x2f8/0x6e0
[  160.349129][ T1296]  process_one_work+0x9ba/0x1b20
[  160.354063][ T1296]  worker_thread+0x6c8/0xf10
[  160.358650][ T1296]  kthread+0x3c5/0x780
[  160.362715][ T1296]  ret_from_fork+0x983/0xb10
[  160.367298][ T1296]  ret_from_fork_asm+0x1a/0x30
[  160.372065][ T1296] 
[  160.374373][ T1296] Last potentially related work creation:
[  160.380064][ T1296]  kasan_save_stack+0x33/0x60
[  160.384729][ T1296]  kasan_record_aux_stack+0xa7/0xc0
[  160.389931][ T1296]  insert_work+0x36/0x230
[  160.394257][ T1296]  __queue_work+0x94f/0x10e0
[  160.398850][ T1296]  queue_work_on+0x1a4/0x1f0
[  160.403478][ T1296]  release_tty+0x4de/0x5d0
[  160.407893][ T1296]  tty_release_struct+0xb7/0xe0
[  160.412741][ T1296]  tty_release+0xe2d/0x1470
[  160.417244][ T1296]  __fput+0x402/0xb70
[  160.421226][ T1296]  task_work_run+0x150/0x240
[  160.425813][ T1296]  do_exit+0x87f/0x2bd0
[  160.429956][ T1296]  do_group_exit+0xd3/0x2a0
[  160.434449][ T1296]  get_signal+0x2671/0x26d0
[  160.438955][ T1296]  arch_do_signal_or_restart+0x8f/0x7e0
[  160.444500][ T1296]  exit_to_user_mode_loop+0x8c/0x540
[  160.449788][ T1296]  do_syscall_64+0x4ee/0xf80
[  160.454381][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  160.460271][ T1296] 
[  160.462587][ T1296] The buggy address belongs to the object at ffff888078e19000
[  160.462587][ T1296]  which belongs to the cache kmalloc-cg-2k of size 2048
[  160.476885][ T1296] The buggy address is located 1528 bytes inside of
[  160.476885][ T1296]  freed 2048-byte region [ffff888078e19000, ffff888078e19800)
[  160.490847][ T1296] 
[  160.493152][ T1296] The buggy address belongs to the physical page:
[  160.499546][ T1296] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78e18
[  160.508307][ T1296] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  160.516793][ T1296] memcg:ffff888055c9fe01
[  160.521014][ T1296] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[  160.528546][ T1296] page_type: f5(slab)
[  160.532516][ T1296] raw: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  160.541091][ T1296] raw: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  160.549667][ T1296] head: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  160.558329][ T1296] head: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  160.566992][ T1296] head: 00fff00000000003 ffffea0001e38601 00000000ffffffff 00000000ffffffff
[  160.575654][ T1296] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[  160.584304][ T1296] page dumped because: kasan: bad access detected
[  160.590697][ T1296] page_owner tracks the page as allocated
[  160.596391][ T1296] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5821, tgid 5821 (syz-executor), ts 102699648920, free_ts 69207062978
[  160.617841][ T1296]  post_alloc_hook+0x1af/0x220
[  160.622611][ T1296]  get_page_from_freelist+0xd0b/0x31a0
[  160.628076][ T1296]  __alloc_frozen_pages_noprof+0x25f/0x2430
[  160.633973][ T1296]  alloc_pages_mpol+0x1fb/0x550
[  160.638817][ T1296]  new_slab+0x2c3/0x430
[  160.642972][ T1296]  ___slab_alloc+0xe18/0x1c90
[  160.647651][ T1296]  __slab_alloc.constprop.0+0x63/0x110
[  160.653108][ T1296]  __kmalloc_cache_noprof+0x485/0x800
[  160.658490][ T1296]  ipv6_add_dev+0x1c9/0x15f0
[  160.663085][ T1296]  addrconf_notify+0x53e/0x19f0
[  160.667932][ T1296]  notifier_call_chain+0xbc/0x3e0
[  160.672950][ T1296]  call_netdevice_notifiers_info+0xbe/0x110
[  160.678854][ T1296]  register_netdevice+0x1792/0x21d0
[  160.684055][ T1296]  nsim_create+0xdd5/0x13f0
[  160.688584][ T1296]  __nsim_dev_port_add+0x451/0x7a0
[  160.693688][ T1296]  nsim_drv_probe+0xebb/0x15c0
[  160.698443][ T1296] page last free pid 5192 tgid 5192 stack trace:
[  160.704753][ T1296]  __free_frozen_pages+0x7df/0x1170
[  160.709974][ T1296]  __put_partials+0x130/0x170
[  160.714658][ T1296]  qlist_free_all+0x4c/0xf0
[  160.719169][ T1296]  kasan_quarantine_reduce+0x195/0x1e0
[  160.724616][ T1296]  __kasan_slab_alloc+0x69/0x90
[  160.729460][ T1296]  kmem_cache_alloc_node_noprof+0x298/0x800
[  160.735357][ T1296]  __alloc_skb+0x156/0x410
[  160.739766][ T1296]  netlink_alloc_large_skb+0x69/0x140
[  160.745142][ T1296]  netlink_sendmsg+0x698/0xdd0
[  160.749909][ T1296]  ____sys_sendmsg+0xa5d/0xc30
[  160.754679][ T1296]  ___sys_sendmsg+0x134/0x1d0
[  160.759353][ T1296]  __sys_sendmsg+0x16d/0x220
[  160.763939][ T1296]  do_syscall_64+0xcd/0xf80
[  160.768450][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  160.774335][ T1296] 
[  160.776640][ T1296] Memory state around the buggy address:
[  160.782250][ T1296]  ffff888078e19480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  160.790306][ T1296]  ffff888078e19500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  160.798356][ T1296] >ffff888078e19580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  160.806397][ T1296]                                                                 ^
[  160.814359][ T1296]  ffff888078e19600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  160.822411][ T1296]  ffff888078e19680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  160.830457][ T1296] ==================================================================
[  160.838568][ T1296] ==================================================================
[  160.846623][ T1296] BUG: KASAN: slab-use-after-free in handle_tx+0x5dc/0x630
[  160.853839][ T1296] Read of size 1 at addr ffff888078e19490 by task aoe_tx0/1296
[  160.861387][ T1296] 
[  160.863702][ T1296] CPU: 1 UID: 0 PID: 1296 Comm: aoe_tx0 Tainted: G    B               syzkaller #0 PREEMPT(full) 
[  160.863740][ T1296] Tainted: [B]=BAD_PAGE
[  160.863750][ T1296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[  160.863767][ T1296] Call Trace:
[  160.863776][ T1296]  <TASK>
[  160.863786][ T1296]  dump_stack_lvl+0x116/0x1f0
[  160.863833][ T1296]  print_report+0xcd/0x630
[  160.863862][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  160.863895][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  160.863928][ T1296]  ? __phys_addr+0xe8/0x180
[  160.863955][ T1296]  ? handle_tx+0x5dc/0x630
[  160.863982][ T1296]  kasan_report+0xe0/0x110
[  160.864013][ T1296]  ? handle_tx+0x5dc/0x630
[  160.864045][ T1296]  handle_tx+0x5dc/0x630
[  160.864078][ T1296]  dev_hard_start_xmit+0x97/0x6e0
[  160.864111][ T1296]  __dev_queue_xmit+0x6d7/0x4650
[  160.864144][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  160.864178][ T1296]  ? rcu_is_watching+0x12/0xc0
[  160.864203][ T1296]  ? finish_task_switch.isra.0+0x207/0xbd0
[  160.864248][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  160.864282][ T1296]  ? __pfx___dev_queue_xmit+0x10/0x10
[  160.864312][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  160.864354][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  160.864389][ T1296]  ? __lock_acquire+0x436/0x2890
[  160.864422][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  160.864463][ T1296]  ? ref_tracker_free+0x37c/0x830
[  160.864497][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  160.864530][ T1296]  ? do_raw_spin_lock+0x12c/0x2b0
[  160.864569][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  160.864601][ T1296]  ? find_held_lock+0x2b/0x80
[  160.864644][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  160.864677][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  160.864710][ T1296]  ? find_held_lock+0x2b/0x80
[  160.864753][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  160.864786][ T1296]  ? rcu_is_watching+0x12/0xc0
[  160.864815][ T1296]  tx+0xcc/0x190
[  160.864856][ T1296]  ? __pfx_tx+0x10/0x10
[  160.864896][ T1296]  kthread+0x1e4/0x3e0
[  160.864935][ T1296]  ? find_held_lock+0x2b/0x80
[  160.864976][ T1296]  ? __pfx_kthread+0x10/0x10
[  160.865015][ T1296]  ? __pfx_default_wake_function+0x10/0x10
[  160.865060][ T1296]  ? lockdep_hardirqs_on+0x7c/0x110
[  160.865102][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  160.865137][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  160.865170][ T1296]  ? __kthread_parkme+0x19e/0x250
[  160.865197][ T1296]  ? __pfx_kthread+0x10/0x10
[  160.865233][ T1296]  kthread+0x3c5/0x780
[  160.865265][ T1296]  ? __pfx_kthread+0x10/0x10
[  160.865299][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  160.865332][ T1296]  ? rcu_is_watching+0x12/0xc0
[  160.865357][ T1296]  ? __pfx_kthread+0x10/0x10
[  160.865390][ T1296]  ret_from_fork+0x983/0xb10
[  160.865420][ T1296]  ? __pfx_ret_from_fork+0x10/0x10
[  160.865456][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  160.865489][ T1296]  ? __switch_to+0x7af/0x10d0
[  160.865525][ T1296]  ? __pfx_kthread+0x10/0x10
[  160.865558][ T1296]  ret_from_fork_asm+0x1a/0x30
[  160.865610][ T1296]  </TASK>
[  160.865620][ T1296] 
[  161.159444][ T1296] Allocated by task 6336:
[  161.163752][ T1296]  kasan_save_stack+0x33/0x60
[  161.168421][ T1296]  kasan_save_track+0x14/0x30
[  161.173091][ T1296]  __kasan_kmalloc+0xaa/0xb0
[  161.177672][ T1296]  alloc_tty_struct+0x96/0x8c0
[  161.182445][ T1296]  tty_init_dev.part.0+0x1e/0x500
[  161.187478][ T1296]  tty_open+0xa4f/0xf90
[  161.191643][ T1296]  chrdev_open+0x234/0x6a0
[  161.196057][ T1296]  do_dentry_open+0x748/0x1590
[  161.200816][ T1296]  vfs_open+0x82/0x3f0
[  161.204891][ T1296]  path_openat+0x2078/0x3140
[  161.209479][ T1296]  do_filp_open+0x20b/0x470
[  161.213978][ T1296]  do_sys_openat2+0x121/0x290
[  161.218662][ T1296]  __x64_sys_openat+0x174/0x210
[  161.223539][ T1296]  do_syscall_64+0xcd/0xf80
[  161.228070][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  161.233971][ T1296] 
[  161.236274][ T1296] Freed by task 6433:
[  161.240235][ T1296]  kasan_save_stack+0x33/0x60
[  161.244924][ T1296]  kasan_save_track+0x14/0x30
[  161.249590][ T1296]  kasan_save_free_info+0x3b/0x60
[  161.254619][ T1296]  __kasan_slab_free+0x5f/0x80
[  161.259390][ T1296]  kfree+0x2f8/0x6e0
[  161.263290][ T1296]  process_one_work+0x9ba/0x1b20
[  161.268246][ T1296]  worker_thread+0x6c8/0xf10
[  161.272832][ T1296]  kthread+0x3c5/0x780
[  161.276897][ T1296]  ret_from_fork+0x983/0xb10
[  161.281479][ T1296]  ret_from_fork_asm+0x1a/0x30
[  161.286251][ T1296] 
[  161.288557][ T1296] Last potentially related work creation:
[  161.294248][ T1296]  kasan_save_stack+0x33/0x60
[  161.298914][ T1296]  kasan_record_aux_stack+0xa7/0xc0
[  161.304115][ T1296]  insert_work+0x36/0x230
[  161.308443][ T1296]  __queue_work+0x94f/0x10e0
[  161.313031][ T1296]  queue_work_on+0x1a4/0x1f0
[  161.317621][ T1296]  release_tty+0x4de/0x5d0
[  161.322040][ T1296]  tty_release_struct+0xb7/0xe0
[  161.326893][ T1296]  tty_release+0xe2d/0x1470
[  161.331403][ T1296]  __fput+0x402/0xb70
[  161.335391][ T1296]  task_work_run+0x150/0x240
[  161.339981][ T1296]  do_exit+0x87f/0x2bd0
[  161.344128][ T1296]  do_group_exit+0xd3/0x2a0
[  161.348625][ T1296]  get_signal+0x2671/0x26d0
[  161.353130][ T1296]  arch_do_signal_or_restart+0x8f/0x7e0
[  161.358677][ T1296]  exit_to_user_mode_loop+0x8c/0x540
[  161.363964][ T1296]  do_syscall_64+0x4ee/0xf80
[  161.368562][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  161.374442][ T1296] 
[  161.376745][ T1296] The buggy address belongs to the object at ffff888078e19000
[  161.376745][ T1296]  which belongs to the cache kmalloc-cg-2k of size 2048
[  161.391042][ T1296] The buggy address is located 1168 bytes inside of
[  161.391042][ T1296]  freed 2048-byte region [ffff888078e19000, ffff888078e19800)
[  161.405000][ T1296] 
[  161.407303][ T1296] The buggy address belongs to the physical page:
[  161.413690][ T1296] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78e18
[  161.422448][ T1296] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  161.430947][ T1296] memcg:ffff888055c9fe01
[  161.435166][ T1296] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[  161.442715][ T1296] page_type: f5(slab)
[  161.446689][ T1296] raw: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  161.455261][ T1296] raw: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  161.463838][ T1296] head: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  161.472501][ T1296] head: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  161.481161][ T1296] head: 00fff00000000003 ffffea0001e38601 00000000ffffffff 00000000ffffffff
[  161.489822][ T1296] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[  161.498473][ T1296] page dumped because: kasan: bad access detected
[  161.504866][ T1296] page_owner tracks the page as allocated
[  161.510562][ T1296] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5821, tgid 5821 (syz-executor), ts 102699648920, free_ts 69207062978
[  161.532007][ T1296]  post_alloc_hook+0x1af/0x220
[  161.536774][ T1296]  get_page_from_freelist+0xd0b/0x31a0
[  161.542239][ T1296]  __alloc_frozen_pages_noprof+0x25f/0x2430
[  161.548138][ T1296]  alloc_pages_mpol+0x1fb/0x550
[  161.552980][ T1296]  new_slab+0x2c3/0x430
[  161.557135][ T1296]  ___slab_alloc+0xe18/0x1c90
[  161.561813][ T1296]  __slab_alloc.constprop.0+0x63/0x110
[  161.567272][ T1296]  __kmalloc_cache_noprof+0x485/0x800
[  161.572649][ T1296]  ipv6_add_dev+0x1c9/0x15f0
[  161.577287][ T1296]  addrconf_notify+0x53e/0x19f0
[  161.582133][ T1296]  notifier_call_chain+0xbc/0x3e0
[  161.587152][ T1296]  call_netdevice_notifiers_info+0xbe/0x110
[  161.593053][ T1296]  register_netdevice+0x1792/0x21d0
[  161.598253][ T1296]  nsim_create+0xdd5/0x13f0
[  161.602761][ T1296]  __nsim_dev_port_add+0x451/0x7a0
[  161.607868][ T1296]  nsim_drv_probe+0xebb/0x15c0
[  161.612625][ T1296] page last free pid 5192 tgid 5192 stack trace:
[  161.618930][ T1296]  __free_frozen_pages+0x7df/0x1170
[  161.624128][ T1296]  __put_partials+0x130/0x170
[  161.628808][ T1296]  qlist_free_all+0x4c/0xf0
[  161.633319][ T1296]  kasan_quarantine_reduce+0x195/0x1e0
[  161.638771][ T1296]  __kasan_slab_alloc+0x69/0x90
[  161.643618][ T1296]  kmem_cache_alloc_node_noprof+0x298/0x800
[  161.649518][ T1296]  __alloc_skb+0x156/0x410
[  161.653927][ T1296]  netlink_alloc_large_skb+0x69/0x140
[  161.659303][ T1296]  netlink_sendmsg+0x698/0xdd0
[  161.664081][ T1296]  ____sys_sendmsg+0xa5d/0xc30
[  161.668851][ T1296]  ___sys_sendmsg+0x134/0x1d0
[  161.673542][ T1296]  __sys_sendmsg+0x16d/0x220
[  161.678127][ T1296]  do_syscall_64+0xcd/0xf80
[  161.682638][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  161.688549][ T1296] 
[  161.690854][ T1296] Memory state around the buggy address:
[  161.696465][ T1296]  ffff888078e19380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  161.704514][ T1296]  ffff888078e19400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  161.712561][ T1296] >ffff888078e19480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  161.720610][ T1296]                          ^
[  161.725180][ T1296]  ffff888078e19500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  161.733228][ T1296]  ffff888078e19580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  161.741274][ T1296] ==================================================================
[  161.749370][ T1296] ==================================================================
[  161.757426][ T1296] BUG: KASAN: slab-use-after-free in handle_tx+0x5c8/0x630
[  161.764649][ T1296] Read of size 1 at addr ffff888078e19491 by task aoe_tx0/1296
[  161.772196][ T1296] 
[  161.774508][ T1296] CPU: 1 UID: 0 PID: 1296 Comm: aoe_tx0 Tainted: G    B               syzkaller #0 PREEMPT(full) 
[  161.774546][ T1296] Tainted: [B]=BAD_PAGE
[  161.774556][ T1296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[  161.774573][ T1296] Call Trace:
[  161.774582][ T1296]  <TASK>
[  161.774592][ T1296]  dump_stack_lvl+0x116/0x1f0
[  161.774637][ T1296]  print_report+0xcd/0x630
[  161.774666][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  161.774700][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  161.774732][ T1296]  ? __phys_addr+0xe8/0x180
[  161.774760][ T1296]  ? handle_tx+0x5c8/0x630
[  161.774785][ T1296]  kasan_report+0xe0/0x110
[  161.774817][ T1296]  ? handle_tx+0x5c8/0x630
[  161.774848][ T1296]  handle_tx+0x5c8/0x630
[  161.774881][ T1296]  dev_hard_start_xmit+0x97/0x6e0
[  161.774914][ T1296]  __dev_queue_xmit+0x6d7/0x4650
[  161.774948][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  161.774981][ T1296]  ? rcu_is_watching+0x12/0xc0
[  161.775007][ T1296]  ? finish_task_switch.isra.0+0x207/0xbd0
[  161.775051][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  161.775086][ T1296]  ? __pfx___dev_queue_xmit+0x10/0x10
[  161.775116][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  161.775152][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  161.775185][ T1296]  ? __lock_acquire+0x436/0x2890
[  161.775218][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  161.775251][ T1296]  ? ref_tracker_free+0x37c/0x830
[  161.775286][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  161.775319][ T1296]  ? do_raw_spin_lock+0x12c/0x2b0
[  161.775358][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  161.775391][ T1296]  ? find_held_lock+0x2b/0x80
[  161.775438][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  161.775471][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  161.775503][ T1296]  ? find_held_lock+0x2b/0x80
[  161.775546][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  161.775579][ T1296]  ? rcu_is_watching+0x12/0xc0
[  161.775608][ T1296]  tx+0xcc/0x190
[  161.775650][ T1296]  ? __pfx_tx+0x10/0x10
[  161.775690][ T1296]  kthread+0x1e4/0x3e0
[  161.775728][ T1296]  ? find_held_lock+0x2b/0x80
[  161.775770][ T1296]  ? __pfx_kthread+0x10/0x10
[  161.775808][ T1296]  ? __pfx_default_wake_function+0x10/0x10
[  161.775853][ T1296]  ? lockdep_hardirqs_on+0x7c/0x110
[  161.775895][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  161.775929][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  161.775962][ T1296]  ? __kthread_parkme+0x19e/0x250
[  161.775989][ T1296]  ? __pfx_kthread+0x10/0x10
[  161.776026][ T1296]  kthread+0x3c5/0x780
[  161.776058][ T1296]  ? __pfx_kthread+0x10/0x10
[  161.776091][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  161.776124][ T1296]  ? rcu_is_watching+0x12/0xc0
[  161.776150][ T1296]  ? __pfx_kthread+0x10/0x10
[  161.776182][ T1296]  ret_from_fork+0x983/0xb10
[  161.776213][ T1296]  ? __pfx_ret_from_fork+0x10/0x10
[  161.776244][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  161.776278][ T1296]  ? __switch_to+0x7af/0x10d0
[  161.776314][ T1296]  ? __pfx_kthread+0x10/0x10
[  161.776347][ T1296]  ret_from_fork_asm+0x1a/0x30
[  161.776399][ T1296]  </TASK>
[  161.776408][ T1296] 
[  162.070182][ T1296] Allocated by task 6336:
[  162.074491][ T1296]  kasan_save_stack+0x33/0x60
[  162.079159][ T1296]  kasan_save_track+0x14/0x30
[  162.083827][ T1296]  __kasan_kmalloc+0xaa/0xb0
[  162.088405][ T1296]  alloc_tty_struct+0x96/0x8c0
[  162.093176][ T1296]  tty_init_dev.part.0+0x1e/0x500
[  162.098205][ T1296]  tty_open+0xa4f/0xf90
[  162.102363][ T1296]  chrdev_open+0x234/0x6a0
[  162.106778][ T1296]  do_dentry_open+0x748/0x1590
[  162.111535][ T1296]  vfs_open+0x82/0x3f0
[  162.115604][ T1296]  path_openat+0x2078/0x3140
[  162.120188][ T1296]  do_filp_open+0x20b/0x470
[  162.124698][ T1296]  do_sys_openat2+0x121/0x290
[  162.129377][ T1296]  __x64_sys_openat+0x174/0x210
[  162.134234][ T1296]  do_syscall_64+0xcd/0xf80
[  162.138748][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  162.144652][ T1296] 
[  162.146955][ T1296] Freed by task 6433:
[  162.150914][ T1296]  kasan_save_stack+0x33/0x60
[  162.155582][ T1296]  kasan_save_track+0x14/0x30
[  162.160252][ T1296]  kasan_save_free_info+0x3b/0x60
[  162.165299][ T1296]  __kasan_slab_free+0x5f/0x80
[  162.170053][ T1296]  kfree+0x2f8/0x6e0
[  162.173947][ T1296]  process_one_work+0x9ba/0x1b20
[  162.178887][ T1296]  worker_thread+0x6c8/0xf10
[  162.183476][ T1296]  kthread+0x3c5/0x780
[  162.187805][ T1296]  ret_from_fork+0x983/0xb10
[  162.192391][ T1296]  ret_from_fork_asm+0x1a/0x30
[  162.197164][ T1296] 
[  162.199468][ T1296] Last potentially related work creation:
[  162.205161][ T1296]  kasan_save_stack+0x33/0x60
[  162.209834][ T1296]  kasan_record_aux_stack+0xa7/0xc0
[  162.215035][ T1296]  insert_work+0x36/0x230
[  162.219360][ T1296]  __queue_work+0x94f/0x10e0
[  162.223946][ T1296]  queue_work_on+0x1a4/0x1f0
[  162.228535][ T1296]  release_tty+0x4de/0x5d0
[  162.232946][ T1296]  tty_release_struct+0xb7/0xe0
[  162.237796][ T1296]  tty_release+0xe2d/0x1470
[  162.242391][ T1296]  __fput+0x402/0xb70
[  162.246402][ T1296]  task_work_run+0x150/0x240
[  162.250997][ T1296]  do_exit+0x87f/0x2bd0
[  162.255143][ T1296]  do_group_exit+0xd3/0x2a0
[  162.259635][ T1296]  get_signal+0x2671/0x26d0
[  162.264146][ T1296]  arch_do_signal_or_restart+0x8f/0x7e0
[  162.269694][ T1296]  exit_to_user_mode_loop+0x8c/0x540
[  162.274980][ T1296]  do_syscall_64+0x4ee/0xf80
[  162.279575][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  162.285460][ T1296] 
[  162.287763][ T1296] The buggy address belongs to the object at ffff888078e19000
[  162.287763][ T1296]  which belongs to the cache kmalloc-cg-2k of size 2048
[  162.302062][ T1296] The buggy address is located 1169 bytes inside of
[  162.302062][ T1296]  freed 2048-byte region [ffff888078e19000, ffff888078e19800)
[  162.316021][ T1296] 
[  162.318324][ T1296] The buggy address belongs to the physical page:
[  162.324712][ T1296] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78e18
[  162.333462][ T1296] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  162.341946][ T1296] memcg:ffff888055c9fe01
[  162.346165][ T1296] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[  162.353696][ T1296] page_type: f5(slab)
[  162.357665][ T1296] raw: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  162.366237][ T1296] raw: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  162.374814][ T1296] head: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  162.383475][ T1296] head: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  162.392136][ T1296] head: 00fff00000000003 ffffea0001e38601 00000000ffffffff 00000000ffffffff
[  162.400796][ T1296] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[  162.409446][ T1296] page dumped because: kasan: bad access detected
[  162.415844][ T1296] page_owner tracks the page as allocated
[  162.421538][ T1296] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5821, tgid 5821 (syz-executor), ts 102699648920, free_ts 69207062978
[  162.442985][ T1296]  post_alloc_hook+0x1af/0x220
[  162.447753][ T1296]  get_page_from_freelist+0xd0b/0x31a0
[  162.453219][ T1296]  __alloc_frozen_pages_noprof+0x25f/0x2430
[  162.459119][ T1296]  alloc_pages_mpol+0x1fb/0x550
[  162.463966][ T1296]  new_slab+0x2c3/0x430
[  162.468128][ T1296]  ___slab_alloc+0xe18/0x1c90
[  162.472806][ T1296]  __slab_alloc.constprop.0+0x63/0x110
[  162.478265][ T1296]  __kmalloc_cache_noprof+0x485/0x800
[  162.483641][ T1296]  ipv6_add_dev+0x1c9/0x15f0
[  162.488235][ T1296]  addrconf_notify+0x53e/0x19f0
[  162.493078][ T1296]  notifier_call_chain+0xbc/0x3e0
[  162.498098][ T1296]  call_netdevice_notifiers_info+0xbe/0x110
[  162.503998][ T1296]  register_netdevice+0x1792/0x21d0
[  162.509201][ T1296]  nsim_create+0xdd5/0x13f0
[  162.513707][ T1296]  __nsim_dev_port_add+0x451/0x7a0
[  162.518808][ T1296]  nsim_drv_probe+0xebb/0x15c0
[  162.523564][ T1296] page last free pid 5192 tgid 5192 stack trace:
[  162.529870][ T1296]  __free_frozen_pages+0x7df/0x1170
[  162.535064][ T1296]  __put_partials+0x130/0x170
[  162.539744][ T1296]  qlist_free_all+0x4c/0xf0
[  162.544255][ T1296]  kasan_quarantine_reduce+0x195/0x1e0
[  162.549710][ T1296]  __kasan_slab_alloc+0x69/0x90
[  162.554574][ T1296]  kmem_cache_alloc_node_noprof+0x298/0x800
[  162.560474][ T1296]  __alloc_skb+0x156/0x410
[  162.564884][ T1296]  netlink_alloc_large_skb+0x69/0x140
[  162.570264][ T1296]  netlink_sendmsg+0x698/0xdd0
[  162.575037][ T1296]  ____sys_sendmsg+0xa5d/0xc30
[  162.579804][ T1296]  ___sys_sendmsg+0x134/0x1d0
[  162.584475][ T1296]  __sys_sendmsg+0x16d/0x220
[  162.589063][ T1296]  do_syscall_64+0xcd/0xf80
[  162.593569][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  162.599453][ T1296] 
[  162.601760][ T1296] Memory state around the buggy address:
[  162.607370][ T1296]  ffff888078e19380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  162.615416][ T1296]  ffff888078e19400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  162.623470][ T1296] >ffff888078e19480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  162.631516][ T1296]                          ^
[  162.636085][ T1296]  ffff888078e19500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  162.644131][ T1296]  ffff888078e19580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  162.652186][ T1296] ==================================================================
[  162.660289][ T1296] ==================================================================
[  162.668351][ T1296] BUG: KASAN: slab-use-after-free in handle_tx+0x5b4/0x630
[  162.675572][ T1296] Read of size 1 at addr ffff888078e194e9 by task aoe_tx0/1296
[  162.683104][ T1296] 
[  162.685419][ T1296] CPU: 1 UID: 0 PID: 1296 Comm: aoe_tx0 Tainted: G    B               syzkaller #0 PREEMPT(full) 
[  162.685464][ T1296] Tainted: [B]=BAD_PAGE
[  162.685474][ T1296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[  162.685491][ T1296] Call Trace:
[  162.685500][ T1296]  <TASK>
[  162.685510][ T1296]  dump_stack_lvl+0x116/0x1f0
[  162.685555][ T1296]  print_report+0xcd/0x630
[  162.685584][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  162.685618][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  162.685650][ T1296]  ? __phys_addr+0xe8/0x180
[  162.685677][ T1296]  ? handle_tx+0x5b4/0x630
[  162.685703][ T1296]  kasan_report+0xe0/0x110
[  162.685735][ T1296]  ? handle_tx+0x5b4/0x630
[  162.685766][ T1296]  handle_tx+0x5b4/0x630
[  162.685799][ T1296]  dev_hard_start_xmit+0x97/0x6e0
[  162.685832][ T1296]  __dev_queue_xmit+0x6d7/0x4650
[  162.685866][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  162.685899][ T1296]  ? rcu_is_watching+0x12/0xc0
[  162.685924][ T1296]  ? finish_task_switch.isra.0+0x207/0xbd0
[  162.685969][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  162.686003][ T1296]  ? __pfx___dev_queue_xmit+0x10/0x10
[  162.686033][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  162.686069][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  162.686102][ T1296]  ? __lock_acquire+0x436/0x2890
[  162.686135][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  162.686168][ T1296]  ? ref_tracker_free+0x37c/0x830
[  162.686202][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  162.686235][ T1296]  ? do_raw_spin_lock+0x12c/0x2b0
[  162.686274][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  162.686307][ T1296]  ? find_held_lock+0x2b/0x80
[  162.686349][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  162.686382][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  162.686415][ T1296]  ? find_held_lock+0x2b/0x80
[  162.686462][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  162.686495][ T1296]  ? rcu_is_watching+0x12/0xc0
[  162.686523][ T1296]  tx+0xcc/0x190
[  162.686565][ T1296]  ? __pfx_tx+0x10/0x10
[  162.686605][ T1296]  kthread+0x1e4/0x3e0
[  162.686644][ T1296]  ? find_held_lock+0x2b/0x80
[  162.686685][ T1296]  ? __pfx_kthread+0x10/0x10
[  162.686724][ T1296]  ? __pfx_default_wake_function+0x10/0x10
[  162.686769][ T1296]  ? lockdep_hardirqs_on+0x7c/0x110
[  162.686811][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  162.686846][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  162.686879][ T1296]  ? __kthread_parkme+0x19e/0x250
[  162.686906][ T1296]  ? __pfx_kthread+0x10/0x10
[  162.686943][ T1296]  kthread+0x3c5/0x780
[  162.686975][ T1296]  ? __pfx_kthread+0x10/0x10
[  162.687009][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  162.687045][ T1296]  ? rcu_is_watching+0x12/0xc0
[  162.687070][ T1296]  ? __pfx_kthread+0x10/0x10
[  162.687102][ T1296]  ret_from_fork+0x983/0xb10
[  162.687133][ T1296]  ? __pfx_ret_from_fork+0x10/0x10
[  162.687165][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  162.687198][ T1296]  ? __switch_to+0x7af/0x10d0
[  162.687234][ T1296]  ? __pfx_kthread+0x10/0x10
[  162.687267][ T1296]  ret_from_fork_asm+0x1a/0x30
[  162.687320][ T1296]  </TASK>
[  162.687329][ T1296] 
[  162.981000][ T1296] Allocated by task 6336:
[  162.985307][ T1296]  kasan_save_stack+0x33/0x60
[  162.989974][ T1296]  kasan_save_track+0x14/0x30
[  162.994638][ T1296]  __kasan_kmalloc+0xaa/0xb0
[  162.999215][ T1296]  alloc_tty_struct+0x96/0x8c0
[  163.003983][ T1296]  tty_init_dev.part.0+0x1e/0x500
[  163.009014][ T1296]  tty_open+0xa4f/0xf90
[  163.013170][ T1296]  chrdev_open+0x234/0x6a0
[  163.017584][ T1296]  do_dentry_open+0x748/0x1590
[  163.022340][ T1296]  vfs_open+0x82/0x3f0
[  163.026411][ T1296]  path_openat+0x2078/0x3140
[  163.030999][ T1296]  do_filp_open+0x20b/0x470
[  163.035500][ T1296]  do_sys_openat2+0x121/0x290
[  163.040176][ T1296]  __x64_sys_openat+0x174/0x210
[  163.045039][ T1296]  do_syscall_64+0xcd/0xf80
[  163.049548][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  163.055435][ T1296] 
[  163.057741][ T1296] Freed by task 6433:
[  163.061704][ T1296]  kasan_save_stack+0x33/0x60
[  163.066390][ T1296]  kasan_save_track+0x14/0x30
[  163.071059][ T1296]  kasan_save_free_info+0x3b/0x60
[  163.076087][ T1296]  __kasan_slab_free+0x5f/0x80
[  163.080842][ T1296]  kfree+0x2f8/0x6e0
[  163.084739][ T1296]  process_one_work+0x9ba/0x1b20
[  163.089672][ T1296]  worker_thread+0x6c8/0xf10
[  163.094257][ T1296]  kthread+0x3c5/0x780
[  163.098318][ T1296]  ret_from_fork+0x983/0xb10
[  163.102901][ T1296]  ret_from_fork_asm+0x1a/0x30
[  163.107670][ T1296] 
[  163.109971][ T1296] Last potentially related work creation:
[  163.115664][ T1296]  kasan_save_stack+0x33/0x60
[  163.120337][ T1296]  kasan_record_aux_stack+0xa7/0xc0
[  163.125543][ T1296]  insert_work+0x36/0x230
[  163.129868][ T1296]  __queue_work+0x94f/0x10e0
[  163.134456][ T1296]  queue_work_on+0x1a4/0x1f0
[  163.139043][ T1296]  release_tty+0x4de/0x5d0
[  163.143454][ T1296]  tty_release_struct+0xb7/0xe0
[  163.148304][ T1296]  tty_release+0xe2d/0x1470
[  163.152809][ T1296]  __fput+0x402/0xb70
[  163.156793][ T1296]  task_work_run+0x150/0x240
[  163.161382][ T1296]  do_exit+0x87f/0x2bd0
[  163.165545][ T1296]  do_group_exit+0xd3/0x2a0
[  163.170042][ T1296]  get_signal+0x2671/0x26d0
[  163.174549][ T1296]  arch_do_signal_or_restart+0x8f/0x7e0
[  163.180097][ T1296]  exit_to_user_mode_loop+0x8c/0x540
[  163.185401][ T1296]  do_syscall_64+0x4ee/0xf80
[  163.190003][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  163.195886][ T1296] 
[  163.198189][ T1296] The buggy address belongs to the object at ffff888078e19000
[  163.198189][ T1296]  which belongs to the cache kmalloc-cg-2k of size 2048
[  163.212490][ T1296] The buggy address is located 1257 bytes inside of
[  163.212490][ T1296]  freed 2048-byte region [ffff888078e19000, ffff888078e19800)
[  163.226452][ T1296] 
[  163.228756][ T1296] The buggy address belongs to the physical page:
[  163.235143][ T1296] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78e18
[  163.243894][ T1296] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  163.252380][ T1296] memcg:ffff888055c9fe01
[  163.256600][ T1296] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[  163.264131][ T1296] page_type: f5(slab)
[  163.268102][ T1296] raw: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  163.276679][ T1296] raw: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  163.285255][ T1296] head: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  163.293918][ T1296] head: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  163.302581][ T1296] head: 00fff00000000003 ffffea0001e38601 00000000ffffffff 00000000ffffffff
[  163.311240][ T1296] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[  163.319889][ T1296] page dumped because: kasan: bad access detected
[  163.326278][ T1296] page_owner tracks the page as allocated
[  163.331973][ T1296] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5821, tgid 5821 (syz-executor), ts 102699648920, free_ts 69207062978
[  163.353419][ T1296]  post_alloc_hook+0x1af/0x220
[  163.358190][ T1296]  get_page_from_freelist+0xd0b/0x31a0
[  163.363651][ T1296]  __alloc_frozen_pages_noprof+0x25f/0x2430
[  163.369553][ T1296]  alloc_pages_mpol+0x1fb/0x550
[  163.374402][ T1296]  new_slab+0x2c3/0x430
[  163.378563][ T1296]  ___slab_alloc+0xe18/0x1c90
[  163.383246][ T1296]  __slab_alloc.constprop.0+0x63/0x110
[  163.388707][ T1296]  __kmalloc_cache_noprof+0x485/0x800
[  163.394080][ T1296]  ipv6_add_dev+0x1c9/0x15f0
[  163.398673][ T1296]  addrconf_notify+0x53e/0x19f0
[  163.403518][ T1296]  notifier_call_chain+0xbc/0x3e0
[  163.408538][ T1296]  call_netdevice_notifiers_info+0xbe/0x110
[  163.414439][ T1296]  register_netdevice+0x1792/0x21d0
[  163.419640][ T1296]  nsim_create+0xdd5/0x13f0
[  163.424146][ T1296]  __nsim_dev_port_add+0x451/0x7a0
[  163.429246][ T1296]  nsim_drv_probe+0xebb/0x15c0
[  163.434017][ T1296] page last free pid 5192 tgid 5192 stack trace:
[  163.440330][ T1296]  __free_frozen_pages+0x7df/0x1170
[  163.445543][ T1296]  __put_partials+0x130/0x170
[  163.450219][ T1296]  qlist_free_all+0x4c/0xf0
[  163.454750][ T1296]  kasan_quarantine_reduce+0x195/0x1e0
[  163.460199][ T1296]  __kasan_slab_alloc+0x69/0x90
[  163.465054][ T1296]  kmem_cache_alloc_node_noprof+0x298/0x800
[  163.470960][ T1296]  __alloc_skb+0x156/0x410
[  163.475397][ T1296]  netlink_alloc_large_skb+0x69/0x140
[  163.480778][ T1296]  netlink_sendmsg+0x698/0xdd0
[  163.485547][ T1296]  ____sys_sendmsg+0xa5d/0xc30
[  163.490320][ T1296]  ___sys_sendmsg+0x134/0x1d0
[  163.495012][ T1296]  __sys_sendmsg+0x16d/0x220
[  163.499599][ T1296]  do_syscall_64+0xcd/0xf80
[  163.504107][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  163.509991][ T1296] 
[  163.512293][ T1296] Memory state around the buggy address:
[  163.517901][ T1296]  ffff888078e19380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  163.525948][ T1296]  ffff888078e19400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  163.533997][ T1296] >ffff888078e19480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  163.542041][ T1296]                                                           ^
[  163.549475][ T1296]  ffff888078e19500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  163.557523][ T1296]  ffff888078e19580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  163.565568][ T1296] ==================================================================
[  163.573683][ T1296] ==================================================================
[  163.581741][ T1296] BUG: KASAN: slab-use-after-free in tty_write_room+0x7d/0x90
[  163.589219][ T1296] Read of size 8 at addr ffff888078e19020 by task aoe_tx0/1296
[  163.596788][ T1296] 
[  163.599101][ T1296] CPU: 1 UID: 0 PID: 1296 Comm: aoe_tx0 Tainted: G    B               syzkaller #0 PREEMPT(full) 
[  163.599140][ T1296] Tainted: [B]=BAD_PAGE
[  163.599150][ T1296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[  163.599167][ T1296] Call Trace:
[  163.599176][ T1296]  <TASK>
[  163.599186][ T1296]  dump_stack_lvl+0x116/0x1f0
[  163.599231][ T1296]  print_report+0xcd/0x630
[  163.599260][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  163.599294][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  163.599327][ T1296]  ? __phys_addr+0xe8/0x180
[  163.599367][ T1296]  ? tty_write_room+0x7d/0x90
[  163.599394][ T1296]  kasan_report+0xe0/0x110
[  163.599426][ T1296]  ? tty_write_room+0x7d/0x90
[  163.599461][ T1296]  tty_write_room+0x7d/0x90
[  163.599489][ T1296]  handle_tx+0x14f/0x630
[  163.599523][ T1296]  dev_hard_start_xmit+0x97/0x6e0
[  163.599556][ T1296]  __dev_queue_xmit+0x6d7/0x4650
[  163.599590][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  163.599623][ T1296]  ? rcu_is_watching+0x12/0xc0
[  163.599649][ T1296]  ? finish_task_switch.isra.0+0x207/0xbd0
[  163.599694][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  163.599728][ T1296]  ? __pfx___dev_queue_xmit+0x10/0x10
[  163.599758][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  163.599795][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  163.599828][ T1296]  ? __lock_acquire+0x436/0x2890
[  163.599861][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  163.599894][ T1296]  ? ref_tracker_free+0x37c/0x830
[  163.599928][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  163.599961][ T1296]  ? do_raw_spin_lock+0x12c/0x2b0
[  163.600000][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  163.600033][ T1296]  ? find_held_lock+0x2b/0x80
[  163.600076][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  163.600109][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  163.600142][ T1296]  ? find_held_lock+0x2b/0x80
[  163.600185][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  163.600219][ T1296]  ? rcu_is_watching+0x12/0xc0
[  163.600258][ T1296]  tx+0xcc/0x190
[  163.600315][ T1296]  ? __pfx_tx+0x10/0x10
[  163.600366][ T1296]  kthread+0x1e4/0x3e0
[  163.600404][ T1296]  ? find_held_lock+0x2b/0x80
[  163.600451][ T1296]  ? __pfx_kthread+0x10/0x10
[  163.600489][ T1296]  ? __pfx_default_wake_function+0x10/0x10
[  163.600534][ T1296]  ? lockdep_hardirqs_on+0x7c/0x110
[  163.600576][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  163.600611][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  163.600644][ T1296]  ? __kthread_parkme+0x19e/0x250
[  163.600671][ T1296]  ? __pfx_kthread+0x10/0x10
[  163.600708][ T1296]  kthread+0x3c5/0x780
[  163.600740][ T1296]  ? __pfx_kthread+0x10/0x10
[  163.600773][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  163.600807][ T1296]  ? rcu_is_watching+0x12/0xc0
[  163.600832][ T1296]  ? __pfx_kthread+0x10/0x10
[  163.600865][ T1296]  ret_from_fork+0x983/0xb10
[  163.600896][ T1296]  ? __pfx_ret_from_fork+0x10/0x10
[  163.600927][ T1296]  ? srso_alias_return_thunk+0x5/0xfbef5
[  163.600960][ T1296]  ? __switch_to+0x7af/0x10d0
[  163.600996][ T1296]  ? __pfx_kthread+0x10/0x10
[  163.601030][ T1296]  ret_from_fork_asm+0x1a/0x30
[  163.601081][ T1296]  </TASK>
[  163.601091][ T1296] 
[  163.899816][ T1296] Allocated by task 6336:
[  163.904122][ T1296]  kasan_save_stack+0x33/0x60
[  163.908797][ T1296]  kasan_save_track+0x14/0x30
[  163.913462][ T1296]  __kasan_kmalloc+0xaa/0xb0
[  163.918040][ T1296]  alloc_tty_struct+0x96/0x8c0
[  163.922810][ T1296]  tty_init_dev.part.0+0x1e/0x500
[  163.927843][ T1296]  tty_open+0xa4f/0xf90
[  163.932005][ T1296]  chrdev_open+0x234/0x6a0
[  163.936420][ T1296]  do_dentry_open+0x748/0x1590
[  163.941181][ T1296]  vfs_open+0x82/0x3f0
[  163.945254][ T1296]  path_openat+0x2078/0x3140
[  163.949844][ T1296]  do_filp_open+0x20b/0x470
[  163.954344][ T1296]  do_sys_openat2+0x121/0x290
[  163.959024][ T1296]  __x64_sys_openat+0x174/0x210
[  163.963886][ T1296]  do_syscall_64+0xcd/0xf80
[  163.968395][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  163.974282][ T1296] 
[  163.976589][ T1296] Freed by task 6433:
[  163.980547][ T1296]  kasan_save_stack+0x33/0x60
[  163.985215][ T1296]  kasan_save_track+0x14/0x30
[  163.989884][ T1296]  kasan_save_free_info+0x3b/0x60
[  163.994909][ T1296]  __kasan_slab_free+0x5f/0x80
[  163.999662][ T1296]  kfree+0x2f8/0x6e0
[  164.003559][ T1296]  process_one_work+0x9ba/0x1b20
[  164.008500][ T1296]  worker_thread+0x6c8/0xf10
[  164.013085][ T1296]  kthread+0x3c5/0x780
[  164.017148][ T1296]  ret_from_fork+0x983/0xb10
[  164.021732][ T1296]  ret_from_fork_asm+0x1a/0x30
[  164.026502][ T1296] 
[  164.028804][ T1296] Last potentially related work creation:
[  164.034502][ T1296]  kasan_save_stack+0x33/0x60
[  164.039166][ T1296]  kasan_record_aux_stack+0xa7/0xc0
[  164.044366][ T1296]  insert_work+0x36/0x230
[  164.048694][ T1296]  __queue_work+0x94f/0x10e0
[  164.053283][ T1296]  queue_work_on+0x1a4/0x1f0
[  164.057873][ T1296]  release_tty+0x4de/0x5d0
[  164.062284][ T1296]  tty_release_struct+0xb7/0xe0
[  164.067135][ T1296]  tty_release+0xe2d/0x1470
[  164.071635][ T1296]  __fput+0x402/0xb70
[  164.075618][ T1296]  task_work_run+0x150/0x240
[  164.080202][ T1296]  do_exit+0x87f/0x2bd0
[  164.084365][ T1296]  do_group_exit+0xd3/0x2a0
[  164.088889][ T1296]  get_signal+0x2671/0x26d0
[  164.093398][ T1296]  arch_do_signal_or_restart+0x8f/0x7e0
[  164.098948][ T1296]  exit_to_user_mode_loop+0x8c/0x540
[  164.104235][ T1296]  do_syscall_64+0x4ee/0xf80
[  164.108834][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  164.114717][ T1296] 
[  164.117020][ T1296] The buggy address belongs to the object at ffff888078e19000
[  164.117020][ T1296]  which belongs to the cache kmalloc-cg-2k of size 2048
[  164.131324][ T1296] The buggy address is located 32 bytes inside of
[  164.131324][ T1296]  freed 2048-byte region [ffff888078e19000, ffff888078e19800)
[  164.145125][ T1296] 
[  164.147437][ T1296] The buggy address belongs to the physical page:
[  164.153828][ T1296] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78e18
[  164.162593][ T1296] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  164.171077][ T1296] memcg:ffff888055c9fe01
[  164.175294][ T1296] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[  164.182822][ T1296] page_type: f5(slab)
[  164.186803][ T1296] raw: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  164.195412][ T1296] raw: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  164.203994][ T1296] head: 00fff00000000040 ffff88813ff303c0 dead000000000100 dead000000000122
[  164.212660][ T1296] head: 0000000000000000 0000000000080008 00000000f5000000 ffff888055c9fe01
[  164.221321][ T1296] head: 00fff00000000003 ffffea0001e38601 00000000ffffffff 00000000ffffffff
[  164.229983][ T1296] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[  164.238632][ T1296] page dumped because: kasan: bad access detected
[  164.245026][ T1296] page_owner tracks the page as allocated
[  164.250722][ T1296] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5821, tgid 5821 (syz-executor), ts 102699648920, free_ts 69207062978
[  164.272166][ T1296]  post_alloc_hook+0x1af/0x220
[  164.276934][ T1296]  get_page_from_freelist+0xd0b/0x31a0
[  164.282398][ T1296]  __alloc_frozen_pages_noprof+0x25f/0x2430
[  164.288308][ T1296]  alloc_pages_mpol+0x1fb/0x550
[  164.293173][ T1296]  new_slab+0x2c3/0x430
[  164.297329][ T1296]  ___slab_alloc+0xe18/0x1c90
[  164.302004][ T1296]  __slab_alloc.constprop.0+0x63/0x110
[  164.307464][ T1296]  __kmalloc_cache_noprof+0x485/0x800
[  164.312837][ T1296]  ipv6_add_dev+0x1c9/0x15f0
[  164.317436][ T1296]  addrconf_notify+0x53e/0x19f0
[  164.322278][ T1296]  notifier_call_chain+0xbc/0x3e0
[  164.327296][ T1296]  call_netdevice_notifiers_info+0xbe/0x110
[  164.333196][ T1296]  register_netdevice+0x1792/0x21d0
[  164.338397][ T1296]  nsim_create+0xdd5/0x13f0
[  164.342908][ T1296]  __nsim_dev_port_add+0x451/0x7a0
[  164.348009][ T1296]  nsim_drv_probe+0xebb/0x15c0
[  164.352762][ T1296] page last free pid 5192 tgid 5192 stack trace:
[  164.359066][ T1296]  __free_frozen_pages+0x7df/0x1170
[  164.364261][ T1296]  __put_partials+0x130/0x170
[  164.368941][ T1296]  qlist_free_all+0x4c/0xf0
[  164.373452][ T1296]  kasan_quarantine_reduce+0x195/0x1e0
[  164.378901][ T1296]  __kasan_slab_alloc+0x69/0x90
[  164.383750][ T1296]  kmem_cache_alloc_node_noprof+0x298/0x800
[  164.389649][ T1296]  __alloc_skb+0x156/0x410
[  164.394058][ T1296]  netlink_alloc_large_skb+0x69/0x140
[  164.399440][ T1296]  netlink_sendmsg+0x698/0xdd0
[  164.404206][ T1296]  ____sys_sendmsg+0xa5d/0xc30
[  164.408976][ T1296]  ___sys_sendmsg+0x134/0x1d0
[  164.413654][ T1296]  __sys_sendmsg+0x16d/0x220
[  164.418240][ T1296]  do_syscall_64+0xcd/0xf80
[  164.422746][ T1296]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  164.428632][ T1296] 
[  164.430934][ T1296] Memory state around the buggy address:
[  164.436546][ T1296]  ffff888078e18f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  164.444596][ T1296]  ffff888078e18f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  164.452644][ T1296] >ffff888078e19000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  164.460690][ T1296]                                ^