Warning: Permanently added '10.128.0.13' (ED25519) to the list of known hosts.
syzkaller login: [ 92.123515][ T23] cfg80211: failed to load regulatory.db
2025/12/31 03:09:03 parsed 1 programs
[ 96.194304][ T5777] cgroup: Unknown subsys name 'net'
[ 96.359942][ T5777] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 98.050313][ T5777] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 100.087196][ T51] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 100.100777][ T51] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 100.109514][ T51] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 100.117887][ T51] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 100.127850][ T51] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 100.135527][ T51] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 100.994028][ T1327] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 101.002556][ T1327] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 101.049337][ T173] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 101.057292][ T173] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 103.377854][ T5852] chnl_net:caif_netlink_parms(): no params data found
[ 103.462167][ T5852] bridge0: port 1(bridge_slave_0) entered blocking state
[ 103.470152][ T5852] bridge0: port 1(bridge_slave_0) entered disabled state
[ 103.477456][ T5852] bridge_slave_0: entered allmulticast mode
[ 103.485709][ T5852] bridge_slave_0: entered promiscuous mode
[ 103.497099][ T5852] bridge0: port 2(bridge_slave_1) entered blocking state
[ 103.504351][ T5852] bridge0: port 2(bridge_slave_1) entered disabled state
[ 103.512509][ T5852] bridge_slave_1: entered allmulticast mode
[ 103.520137][ T5852] bridge_slave_1: entered promiscuous mode
[ 103.554973][ T5852] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 103.567204][ T5852] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 103.611014][ T5852] team0: Port device team_slave_0 added
[ 103.620633][ T5852] team0: Port device team_slave_1 added
[ 103.649943][ T5852] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 103.657585][ T5852] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 103.683600][ T5852] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 103.696852][ T5852] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 103.703973][ T5852] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 103.733169][ T5852] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 103.787643][ T5852] hsr_slave_0: entered promiscuous mode
[ 103.794416][ T5852] hsr_slave_1: entered promiscuous mode
[ 103.972147][ T5852] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 103.985528][ T5852] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 103.995706][ T5852] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 104.016673][ T5852] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 104.053057][ T5852] bridge0: port 2(bridge_slave_1) entered blocking state
[ 104.060362][ T5852] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 104.068697][ T5852] bridge0: port 1(bridge_slave_0) entered blocking state
[ 104.075875][ T5852] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 104.138825][ T173] bridge0: port 1(bridge_slave_0) entered disabled state
[ 104.147980][ T173] bridge0: port 2(bridge_slave_1) entered disabled state
[ 104.182372][ T5852] 8021q: adding VLAN 0 to HW filter on device bond0
[ 104.203829][ T5852] 8021q: adding VLAN 0 to HW filter on device team0
[ 104.217708][ T1327] bridge0: port 1(bridge_slave_0) entered blocking state
[ 104.224963][ T1327] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 104.253126][ T173] bridge0: port 2(bridge_slave_1) entered blocking state
[ 104.260751][ T173] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 104.485269][ T5852] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 104.530615][ T5852] veth0_vlan: entered promiscuous mode
[ 104.554762][ T5852] veth1_vlan: entered promiscuous mode
[ 104.586118][ T5852] veth0_macvtap: entered promiscuous mode
[ 104.608079][ T5852] veth1_macvtap: entered promiscuous mode
[ 104.628201][ T5852] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 104.644794][ T5852] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 104.657020][ T5852] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 104.666127][ T5852] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 104.676171][ T5852] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 104.685088][ T5852] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 104.850164][ T5852] syz-executor (5852) used greatest stack depth: 20840 bytes left
[ 104.935499][ T59] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
2025/12/31 03:09:14 executed programs: 0
[ 105.463500][ T5082] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 105.472692][ T5082] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 105.480749][ T5082] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 105.491740][ T5082] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 105.502459][ T5082] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 105.509878][ T5082] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 105.675163][ T5877] chnl_net:caif_netlink_parms(): no params data found
[ 105.753022][ T5877] bridge0: port 1(bridge_slave_0) entered blocking state
[ 105.760239][ T5877] bridge0: port 1(bridge_slave_0) entered disabled state
[ 105.768222][ T5877] bridge_slave_0: entered allmulticast mode
[ 105.775953][ T5877] bridge_slave_0: entered promiscuous mode
[ 105.784792][ T5877] bridge0: port 2(bridge_slave_1) entered blocking state
[ 105.792074][ T5877] bridge0: port 2(bridge_slave_1) entered disabled state
[ 105.799216][ T5877] bridge_slave_1: entered allmulticast mode
[ 105.808120][ T5877] bridge_slave_1: entered promiscuous mode
[ 105.846338][ T5877] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 105.858530][ T5877] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 105.895106][ T5877] team0: Port device team_slave_0 added
[ 105.904032][ T5877] team0: Port device team_slave_1 added
[ 105.936132][ T5877] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 105.943213][ T5877] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 105.969950][ T5877] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 105.983223][ T5877] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 105.990280][ T5877] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 106.016244][ T5877] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 106.069341][ T5877] hsr_slave_0: entered promiscuous mode
[ 106.076252][ T5877] hsr_slave_1: entered promiscuous mode
[ 106.083431][ T5877] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 106.091256][ T5877] Cannot create hsr debugfs directory
[ 107.562763][ T5082] Bluetooth: hci0: command tx timeout
[ 107.573285][ T59] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 109.641883][ T5082] Bluetooth: hci0: command tx timeout
[ 109.886529][ T59] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 109.957476][ T59] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 110.863172][ T5877] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 110.876843][ T5877] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 110.888731][ T5877] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 110.909010][ T59] hsr_slave_0: left promiscuous mode
[ 110.915298][ T59] hsr_slave_1: left promiscuous mode
[ 110.922187][ T59] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 110.929651][ T59] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 110.939237][ T59] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 110.947216][ T59] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 110.956450][ T59] bridge_slave_1: left allmulticast mode
[ 110.962546][ T59] bridge_slave_1: left promiscuous mode
[ 110.969224][ T59] bridge0: port 2(bridge_slave_1) entered disabled state
[ 110.983620][ T59] bridge_slave_0: left allmulticast mode
[ 110.989328][ T59] bridge_slave_0: left promiscuous mode
[ 110.995596][ T59] bridge0: port 1(bridge_slave_0) entered disabled state
[ 111.027247][ T59] veth1_macvtap: left promiscuous mode
[ 111.035562][ T59] veth0_macvtap: left promiscuous mode
[ 111.041264][ T59] veth1_vlan: left promiscuous mode
[ 111.048093][ T59] veth0_vlan: left promiscuous mode
[ 111.427562][ T59] team0 (unregistering): Port device team_slave_1 removed
[ 111.459445][ T59] team0 (unregistering): Port device team_slave_0 removed
[ 111.488807][ T59] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 111.520394][ T59] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 111.725783][ T5082] Bluetooth: hci0: command tx timeout
[ 111.834996][ T59] bond0 (unregistering): Released all slaves
[ 111.913749][ T5877] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 112.012198][ T5877] 8021q: adding VLAN 0 to HW filter on device bond0
[ 112.048136][ T5877] 8021q: adding VLAN 0 to HW filter on device team0
[ 112.065908][ T49] bridge0: port 1(bridge_slave_0) entered blocking state
[ 112.073118][ T49] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 112.096418][ T173] bridge0: port 2(bridge_slave_1) entered blocking state
[ 112.103706][ T173] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 112.324381][ T5877] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 112.365956][ T5877] veth0_vlan: entered promiscuous mode
[ 112.380647][ T5877] veth1_vlan: entered promiscuous mode
[ 112.411051][ T5877] veth0_macvtap: entered promiscuous mode
[ 112.425801][ T5877] veth1_macvtap: entered promiscuous mode
[ 112.447649][ T5877] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 112.466233][ T5877] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 112.482992][ T5877] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 112.492156][ T5877] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 112.500896][ T5877] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 112.510194][ T5877] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 112.584836][ T49] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 112.593474][ T49] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
2025/12/31 03:09:21 executed programs: 2
[ 112.632579][ T1104] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 112.640556][ T1104] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 112.689143][ T5925] syz.0.17[5925]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set
[ 112.702644][ T5925] loop0: detected capacity change from 0 to 16
[ 112.718339][ T5925] erofs: (device loop0): mounted with root inode @ nid 36.
[ 112.730333][ T5925] syz.0.17: attempt to access beyond end of device
[ 112.730333][ T5925] loop0: rw=524288, sector=16, nr_sectors = 32 limit=16
[ 112.746715][ T5925] syz.0.17: attempt to access beyond end of device
[ 112.746715][ T5925] loop0: rw=524288, sector=8, nr_sectors = 32 limit=16
[ 112.767402][ T5925] process 'syz.0.17' launched '/dev/fd/4/./file1' with NULL argv: empty string added
[ 112.788274][ T5925] syz.0.17: attempt to access beyond end of device
[ 112.788274][ T5925] loop0: rw=0, sector=8, nr_sectors = 32 limit=16
[ 112.814324][ T5877] BUG: Bad page state in process syz-executor pfn:7515c
[ 112.822046][ T5877] page:ffffea0001d45700 refcount:0 mapcount:0 mapping:ffff8880609b07c8 index:0x2 pfn:0x7515c
[ 112.832393][ T5877] aops:z_erofs_cache_aops ino:0
[ 112.837302][ T5877] flags: 0xfff00000000001(locked|node=0|zone=1|lastcpupid=0x7ff)
[ 112.845167][ T5877] page_type: 0xffffffff()
[ 112.849526][ T5877] raw: 00fff00000000001 dead000000000100 dead000000000122 ffff8880609b07c8
[ 112.858218][ T5877] raw: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
[ 112.866915][ T5877] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
[ 112.874774][ T5877] page_owner tracks the page as allocated
[ 112.880840][ T5877] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x192840(GFP_NOWAIT|__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 5925, tgid 5925 (syz.0.17), ts 112729830117, free_ts 112679933796
[ 112.902837][ T5877] post_alloc_hook+0x1cd/0x210
[ 112.907660][ T5877] get_page_from_freelist+0x195c/0x19f0
[ 112.913405][ T5877] __alloc_pages+0x1e3/0x460
[ 112.918051][ T5877] z_erofs_do_read_page+0x20c0/0x3680
[ 112.923584][ T5877] z_erofs_readahead+0x862/0xd50
[ 112.928536][ T5877] read_pages+0x177/0x840
[ 112.932966][ T5877] page_cache_ra_unbounded+0x692/0x770
[ 112.938463][ T5877] force_page_cache_ra+0x2c1/0x320
[ 112.944345][ T5877] generic_fadvise+0x44f/0x730
[ 112.949132][ T5877] __x64_sys_fadvise64+0x140/0x180
[ 112.954339][ T5877] do_syscall_64+0x55/0xb0
[ 112.958794][ T5877] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 112.964812][ T5877] page last free stack trace:
[ 112.969515][ T5877] free_unref_page_prepare+0x7ce/0x8e0
[ 112.975475][ T5877] free_unref_page+0x32/0x2e0
[ 112.980210][ T5877] __slab_free+0x35e/0x410
[ 112.984848][ T5877] qlist_free_all+0x75/0xe0
[ 112.989400][ T5877] kasan_quarantine_reduce+0x143/0x160
[ 112.994964][ T5877] __kasan_slab_alloc+0x22/0x80
[ 112.999858][ T5877] slab_post_alloc_hook+0x6e/0x4d0
[ 113.005225][ T5877] kmem_cache_alloc+0x11e/0x2e0
[ 113.010125][ T5877] getname_flags+0xbb/0x500
[ 113.014765][ T5877] do_sys_openat2+0xcb/0x1c0
[ 113.019404][ T5877] __x64_sys_openat+0x139/0x160
[ 113.024386][ T5877] do_syscall_64+0x55/0xb0
[ 113.028843][ T5877] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 113.034848][ T5877] Modules linked in:
[ 113.038786][ T5877] CPU: 0 PID: 5877 Comm: syz-executor Not tainted syzkaller #0
[ 113.046334][ T5877] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 113.056402][ T5877] Call Trace:
[ 113.059683][ T5877]
[ 113.062626][ T5877] dump_stack_lvl+0x16c/0x230
[ 113.067349][ T5877] ? show_regs_print_info+0x20/0x20
[ 113.072580][ T5877] ? swiotlb_print_info+0x70/0x70
[ 113.077645][ T5877] bad_page+0x14b/0x170
[ 113.081811][ T5877] free_unref_page_prepare+0x887/0x8e0
[ 113.087313][ T5877] free_unref_page+0x32/0x2e0
[ 113.092014][ T5877] ? __folio_put+0xef/0x210
[ 113.096565][ T5877] erofs_try_to_free_all_cached_pages+0x295/0x600
[ 113.103027][ T5877] erofs_shrink_workstation+0x118/0x290
[ 113.108599][ T5877] ? erofs_shrinker_unregister+0x170/0x170
[ 113.114412][ T5877] ? io_schedule+0xd0/0xd0
[ 113.118849][ T5877] ? kobject_put+0x43c/0x470
[ 113.123457][ T5877] erofs_shrinker_unregister+0x5d/0x170
[ 113.129028][ T5877] erofs_put_super+0x4e/0x150
[ 113.133726][ T5877] ? erofs_free_inode+0xb0/0xb0
[ 113.138585][ T5877] generic_shutdown_super+0x134/0x2b0
[ 113.143997][ T5877] kill_block_super+0x44/0x90
[ 113.148705][ T5877] erofs_kill_sb+0x4c/0x140
[ 113.153256][ T5877] deactivate_locked_super+0x97/0x100
[ 113.158687][ T5877] cleanup_mnt+0x429/0x4c0
[ 113.163217][ T5877] task_work_run+0x1ce/0x250
[ 113.167842][ T5877] ? task_work_cancel+0x240/0x240
[ 113.172923][ T5877] ? exit_to_user_mode_loop+0x3b/0x110
[ 113.178449][ T5877] exit_to_user_mode_loop+0xe6/0x110
[ 113.183771][ T5877] exit_to_user_mode_prepare+0xf6/0x180
[ 113.189347][ T5877] syscall_exit_to_user_mode+0x1a/0x50
[ 113.194832][ T5877] do_syscall_64+0x61/0xb0
[ 113.199270][ T5877] ? clear_bhb_loop+0x40/0x90
[ 113.203972][ T5877] ? clear_bhb_loop+0x40/0x90
[ 113.208676][ T5877] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 113.214605][ T5877] RIP: 0033:0x7fac92590a77
[ 113.219052][ T5877] Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
[ 113.238697][ T5877] RSP: 002b:00007fffcdd61338 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 113.247145][ T5877] RAX: 0000000000000000 RBX: 00007fac92613d7d RCX: 00007fac92590a77
[ 113.255137][ T5877] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007fffcdd613f0
[ 113.263125][ T5877] RBP: 00007fffcdd613f0 R08: 0000000000000000 R09: 0000000000000000
[ 113.271120][ T5877] R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fffcdd62480
[ 113.279107][ T5877] R13: 00007fac92613d7d R14: 000000000001b87b R15: 00007fffcdd624c0
[ 113.287114][ T5877]
[ 113.290988][ T5877] Disabling lock debugging due to kernel taint
[ 113.297284][ T5877] BUG: Bad page state in process syz-executor pfn:75196
[ 113.304383][ T5877] page:ffffea0001d46580 refcount:0 mapcount:0 mapping:ffff8880609b07c8 index:0x3 pfn:0x75196
[ 113.314606][ T5877] aops:z_erofs_cache_aops ino:0
[ 113.319488][ T5877] flags: 0xfff00000000001(locked|node=0|zone=1|lastcpupid=0x7ff)
[ 113.327349][ T5877] page_type: 0xffffffff()
[ 113.331745][ T5877] raw: 00fff00000000001 dead000000000100 dead000000000122 ffff8880609b07c8
[ 113.340350][ T5877] raw: 0000000000000003 0000000000000000 00000000ffffffff 0000000000000000
[ 113.349022][ T5877] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
[ 113.356346][ T5877] page_owner tracks the page as allocated
[ 113.362117][ T5877] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x192840(GFP_NOWAIT|__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 5925, tgid 5925 (syz.0.17), ts 112729846790, free_ts 112679916564
[ 113.384300][ T5877] post_alloc_hook+0x1cd/0x210
[ 113.389081][ T5877] get_page_from_freelist+0x195c/0x19f0
[ 113.394752][ T5877] __alloc_pages+0x1e3/0x460
[ 113.399418][ T5877] z_erofs_do_read_page+0x20c0/0x3680
[ 113.405020][ T5877] z_erofs_readahead+0x862/0xd50
[ 113.410053][ T5877] read_pages+0x177/0x840
[ 113.414458][ T5877] page_cache_ra_unbounded+0x692/0x770
[ 113.419961][ T5877] force_page_cache_ra+0x2c1/0x320
[ 113.425143][ T5877] generic_fadvise+0x44f/0x730
[ 113.429936][ T5877] __x64_sys_fadvise64+0x140/0x180
[ 113.435109][ T5877] do_syscall_64+0x55/0xb0
[ 113.439565][ T5877] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 113.445559][ T5877] page last free stack trace:
[ 113.450254][ T5877] free_unref_page_prepare+0x7ce/0x8e0
[ 113.455787][ T5877] free_unref_page+0x32/0x2e0
[ 113.460499][ T5877] __slab_free+0x35e/0x410
[ 113.464995][ T5877] qlist_free_all+0x75/0xe0
[ 113.469531][ T5877] kasan_quarantine_reduce+0x143/0x160
[ 113.475070][ T5877] __kasan_slab_alloc+0x22/0x80
[ 113.479951][ T5877] slab_post_alloc_hook+0x6e/0x4d0
[ 113.485564][ T5877] kmem_cache_alloc+0x11e/0x2e0
[ 113.490444][ T5877] getname_flags+0xbb/0x500
[ 113.495088][ T5877] do_sys_openat2+0xcb/0x1c0
[ 113.499717][ T5877] __x64_sys_openat+0x139/0x160
[ 113.504633][ T5877] do_syscall_64+0x55/0xb0
[ 113.509100][ T5877] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 113.515055][ T5877] Modules linked in:
[ 113.518966][ T5877] CPU: 0 PID: 5877 Comm: syz-executor Tainted: G B syzkaller #0
[ 113.527991][ T5877] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 113.538045][ T5877] Call Trace:
[ 113.541319][ T5877]
[ 113.544252][ T5877] dump_stack_lvl+0x16c/0x230
[ 113.548938][ T5877] ? show_regs_print_info+0x20/0x20
[ 113.554144][ T5877] ? swiotlb_print_info+0x70/0x70
[ 113.559274][ T5877] bad_page+0x14b/0x170
[ 113.563430][ T5877] free_unref_page_prepare+0x887/0x8e0
[ 113.568895][ T5877] free_unref_page+0x32/0x2e0
[ 113.573604][ T5877] ? __folio_put+0xef/0x210
[ 113.578128][ T5877] erofs_try_to_free_all_cached_pages+0x295/0x600
[ 113.584569][ T5877] erofs_shrink_workstation+0x118/0x290
[ 113.590137][ T5877] ? erofs_shrinker_unregister+0x170/0x170
[ 113.595969][ T5877] ? io_schedule+0xd0/0xd0
[ 113.600417][ T5877] ? kobject_put+0x43c/0x470
[ 113.605038][ T5877] erofs_shrinker_unregister+0x5d/0x170
[ 113.610602][ T5877] erofs_put_super+0x4e/0x150
[ 113.615309][ T5877] ? erofs_free_inode+0xb0/0xb0
[ 113.620180][ T5877] generic_shutdown_super+0x134/0x2b0
[ 113.625577][ T5877] kill_block_super+0x44/0x90
[ 113.630273][ T5877] erofs_kill_sb+0x4c/0x140
[ 113.634795][ T5877] deactivate_locked_super+0x97/0x100
[ 113.640190][ T5877] cleanup_mnt+0x429/0x4c0
[ 113.644623][ T5877] task_work_run+0x1ce/0x250
[ 113.649227][ T5877] ? task_work_cancel+0x240/0x240
[ 113.654276][ T5877] ? exit_to_user_mode_loop+0x3b/0x110
[ 113.659758][ T5877] exit_to_user_mode_loop+0xe6/0x110
[ 113.665073][ T5877] exit_to_user_mode_prepare+0xf6/0x180
[ 113.670655][ T5877] syscall_exit_to_user_mode+0x1a/0x50
[ 113.676135][ T5877] do_syscall_64+0x61/0xb0
[ 113.680570][ T5877] ? clear_bhb_loop+0x40/0x90
[ 113.685269][ T5877] ? clear_bhb_loop+0x40/0x90
[ 113.689968][ T5877] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 113.695904][ T5877] RIP: 0033:0x7fac92590a77
[ 113.700342][ T5877] Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
[ 113.719976][ T5877] RSP: 002b:00007fffcdd61338 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 113.728407][ T5877] RAX: 0000000000000000 RBX: 00007fac92613d7d RCX: 00007fac92590a77
[ 113.736399][ T5877] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007fffcdd613f0
[ 113.744381][ T5877] RBP: 00007fffcdd613f0 R08: 0000000000000000 R09: 0000000000000000
[ 113.752370][ T5877] R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fffcdd62480
[ 113.760359][ T5877] R13: 00007fac92613d7d R14: 000000000001b87b R15: 00007fffcdd624c0
[ 113.768343][ T5877]
[ 113.772089][ T5877] BUG: Bad page state in process syz-executor pfn:75185
[ 113.779211][ T5877] page:ffffea0001d46140 refcount:0 mapcount:0 mapping:ffff8880609b07c8 index:0x4 pfn:0x75185
[ 113.789430][ T5877] aops:z_erofs_cache_aops ino:0
[ 113.794773][ T5877] flags: 0xfff00000000001(locked|node=0|zone=1|lastcpupid=0x7ff)
[ 113.802669][ T5877] page_type: 0xffffffff()
[ 113.803303][ T5082] Bluetooth: hci0: command tx timeout
[ 113.807019][ T5877] raw: 00fff00000000001 dead000000000100 dead000000000122 ffff8880609b07c8
[ 113.821063][ T5877] raw: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 113.829694][ T5877] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
[ 113.837017][ T5877] page_owner tracks the page as allocated
[ 113.842777][ T5877] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x192840(GFP_NOWAIT|__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 5925, tgid 5925 (syz.0.17), ts 112729880383, free_ts 112679891111
[ 113.864643][ T5877] post_alloc_hook+0x1cd/0x210
[ 113.869423][ T5877] get_page_from_freelist+0x195c/0x19f0
[ 113.875029][ T5877] __alloc_pages+0x1e3/0x460
[ 113.879651][ T5877] z_erofs_do_read_page+0x20c0/0x3680
[ 113.885149][ T5877] z_erofs_readahead+0x862/0xd50
[ 113.890114][ T5877] read_pages+0x177/0x840
[ 113.894915][ T5877] page_cache_ra_unbounded+0x692/0x770
[ 113.900389][ T5877] force_page_cache_ra+0x2c1/0x320
[ 113.905613][ T5877] generic_fadvise+0x44f/0x730
[ 113.910432][ T5877] __x64_sys_fadvise64+0x140/0x180
[ 113.915603][ T5877] do_syscall_64+0x55/0xb0
[ 113.920017][ T5877] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 113.925978][ T5877] page last free stack trace:
[ 113.930673][ T5877] free_unref_page_prepare+0x7ce/0x8e0
[ 113.936208][ T5877] free_unref_page+0x32/0x2e0
[ 113.940889][ T5877] __slab_free+0x35e/0x410
[ 113.945371][ T5877] qlist_free_all+0x75/0xe0
[ 113.949951][ T5877] kasan_quarantine_reduce+0x143/0x160
[ 113.955472][ T5877] __kasan_slab_alloc+0x22/0x80
[ 113.960342][ T5877] slab_post_alloc_hook+0x6e/0x4d0
[ 113.965517][ T5877] kmem_cache_alloc+0x11e/0x2e0
[ 113.970396][ T5877] getname_flags+0xbb/0x500
[ 113.974964][ T5877] do_sys_openat2+0xcb/0x1c0
[ 113.979597][ T5877] __x64_sys_openat+0x139/0x160
[ 113.984513][ T5877] do_syscall_64+0x55/0xb0
[ 113.988951][ T5877] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 113.994905][ T5877] Modules linked in:
[ 113.999105][ T5877] CPU: 0 PID: 5877 Comm: syz-executor Tainted: G B syzkaller #0
[ 114.008138][ T5877] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 114.018194][ T5877] Call Trace:
[ 114.021486][ T5877]
[ 114.024422][ T5877] dump_stack_lvl+0x16c/0x230
[ 114.029107][ T5877] ? show_regs_print_info+0x20/0x20
[ 114.034309][ T5877] ? swiotlb_print_info+0x70/0x70
[ 114.039340][ T5877] bad_page+0x14b/0x170
[ 114.043523][ T5877] free_unref_page_prepare+0x887/0x8e0
[ 114.048995][ T5877] free_unref_page+0x32/0x2e0
[ 114.053695][ T5877] ? __folio_put+0xef/0x210
[ 114.058237][ T5877] erofs_try_to_free_all_cached_pages+0x295/0x600
[ 114.064678][ T5877] erofs_shrink_workstation+0x118/0x290
[ 114.070240][ T5877] ? erofs_shrinker_unregister+0x170/0x170
[ 114.076074][ T5877] ? io_schedule+0xd0/0xd0
[ 114.080512][ T5877] ? kobject_put+0x43c/0x470
[ 114.085116][ T5877] erofs_shrinker_unregister+0x5d/0x170
[ 114.090669][ T5877] erofs_put_super+0x4e/0x150
[ 114.095410][ T5877] ? erofs_free_inode+0xb0/0xb0
[ 114.100281][ T5877] generic_shutdown_super+0x134/0x2b0
[ 114.105678][ T5877] kill_block_super+0x44/0x90
[ 114.110452][ T5877] erofs_kill_sb+0x4c/0x140
[ 114.114981][ T5877] deactivate_locked_super+0x97/0x100
[ 114.120383][ T5877] cleanup_mnt+0x429/0x4c0
[ 114.124817][ T5877] task_work_run+0x1ce/0x250
[ 114.129431][ T5877] ? task_work_cancel+0x240/0x240
[ 114.134474][ T5877] ? exit_to_user_mode_loop+0x3b/0x110
[ 114.139954][ T5877] exit_to_user_mode_loop+0xe6/0x110
[ 114.145272][ T5877] exit_to_user_mode_prepare+0xf6/0x180
[ 114.150844][ T5877] syscall_exit_to_user_mode+0x1a/0x50
[ 114.156330][ T5877] do_syscall_64+0x61/0xb0
[ 114.160758][ T5877] ? clear_bhb_loop+0x40/0x90
[ 114.165458][ T5877] ? clear_bhb_loop+0x40/0x90
[ 114.170156][ T5877] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 114.176062][ T5877] RIP: 0033:0x7fac92590a77
[ 114.180488][ T5877] Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
[ 114.200103][ T5877] RSP: 002b:00007fffcdd61338 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 114.208536][ T5877] RAX: 0000000000000000 RBX: 00007fac92613d7d RCX: 00007fac92590a77
[ 114.216516][ T5877] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007fffcdd613f0
[ 114.224507][ T5877] RBP: 00007fffcdd613f0 R08: 0000000000000000 R09: 0000000000000000
[ 114.232495][ T5877] R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fffcdd62480
[ 114.240479][ T5877] R13: 00007fac92613d7d R14: 000000000001b87b R15: 00007fffcdd624c0
[ 114.248471][ T5877]