last executing test programs: 8.341902032s ago: executing program 0 (id=15): r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000004c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="640000001000ffff25bd7000fddbdf2500000000", @ANYRES32=0x0, @ANYBLOB="fa0a050023080000440012800b000100697036746e6c00003400028014000300fec0ffffffffffff000000000000000114000200fe88"], 0x64}, 0x1, 0x0, 0x0, 0x4000000}, 0x24000800) 8.211093898s ago: executing program 0 (id=16): r0 = socket(0xa, 0x1, 0x84) setsockopt$inet_group_source_req(r0, 0x0, 0x2e, &(0x7f00000002c0)={0x1, {{0x2, 0x4e24, @multicast2}}, {{0x2, 0x4e23, @multicast2}}}, 0x108) r1 = socket(0xa, 0x1, 0x84) dup3(r1, r0, 0x0) r2 = socket$inet(0x2, 0x2, 0x0) setsockopt$inet_mreqn(r2, 0x0, 0x23, &(0x7f0000000740)={@multicast2, @loopback}, 0xc) 7.558412441s ago: executing program 0 (id=19): sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0}, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000002c0), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000400)={0x0, 0x3, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) capset(0x0, &(0x7f0000000000)={0x9, 0x0, 0x1, 0x4, 0x1}) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f0000000100)={{0x80a0000, 0xdddd1000, 0xa, 0x0, 0x8, 0x8, 0x1, 0x2, 0x0, 0x4, 0x9, 0x10}, {0x8080000, 0x0, 0x4, 0x8, 0x0, 0x0, 0x0, 0x0, 0xe, 0x7, 0x0, 0xfb}, {0x3000, 0x5000, 0xc, 0x0, 0x7, 0x4, 0x0, 0x0, 0x3, 0x0, 0x0, 0xfc}, {0x100000, 0xd000, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x4}, {0xeeee8000, 0x3000, 0x9, 0x0, 0xff, 0x4, 0x0, 0xe, 0x0, 0x3c}, {0x0, 0x0, 0xd, 0x8, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x80}, {0x8080000, 0x0, 0xa, 0x6, 0x5, 0x0, 0x3}, {0x80a0000, 0xdddd0000, 0x0, 0x0, 0x0, 0x1, 0x0, 0xa, 0x26}, {0x80a0000}, {0xeeef0000}, 0xfdfcffdb, 0x0, 0x0, 0x28, 0xb, 0xf801, 0x0, [0x0, 0x0, 0x1]}) 7.349428157s ago: executing program 0 (id=21): r0 = openat$rtc(0xffffffffffffff9c, &(0x7f00000002c0), 0x840, 0x0) ioctl$RTC_WKALM_SET(r0, 0x4028700f, &(0x7f0000000300)={0x1, 0x0, {0x12, 0x8, 0x11, 0x9, 0x3, 0x9, 0x2, 0xe3}}) 7.199601907s ago: executing program 0 (id=22): mmap(&(0x7f0000000000/0xa000)=nil, 0xa000, 0xd3283d0368e269b3, 0x8031, 0xffffffffffffffff, 0x0) move_pages(0x0, 0x20000000000000fe, &(0x7f0000000080)=[&(0x7f0000fff000/0x1000)=nil, &(0x7f0000ffb000/0x3000)=nil], 0x0, &(0x7f00000000c0)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0) prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f0000000300)={&(0x7f0000001000/0x1000)=nil, &(0x7f0000ffa000/0x3000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f0000ffc000/0x1000)=nil, &(0x7f0000ff8000/0x4000)=nil, &(0x7f0000ffa000/0x3000)=nil, &(0x7f000000f000/0x3000)=nil, &(0x7f0000000000/0x2000)=nil, &(0x7f0000019000/0x4000)=nil, &(0x7f0000ff8000/0x3000)=nil, &(0x7f0000ffe000/0x1000)=nil, 0x0}, 0x68) r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='cmdline\x00') preadv(r0, &(0x7f0000001200)=[{&(0x7f0000001440)=""/4097, 0x1001}], 0x1, 0x9, 0x6a76) 3.7786782s ago: executing program 1 (id=36): r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000080)={0x1a, 0x3, &(0x7f0000000180)=@framed, &(0x7f00000001c0)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x40, '\x00', 0x0, 0x18, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x2ab4d}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000500)={r0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6}, 0x50) 3.699739661s ago: executing program 1 (id=37): r0 = socket$netlink(0x10, 0x3, 0x0) ioctl$sock_inet_SIOCGIFADDR(r0, 0x8915, &(0x7f0000000540)={'erspan0\x00', {0x2, 0x0, @multicast1}}) r1 = socket(0x10, 0x803, 0x0) sendmsg$IPVS_CMD_SET_INFO(r1, &(0x7f0000000b00)={0x0, 0x0, &(0x7f0000000ac0)={0x0, 0x14}}, 0x0) getsockname$packet(r1, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000380)=ANY=[@ANYBLOB="3c0000001000850600"/20, @ANYRES32=r2, @ANYBLOB="01000000000000001c0012000c000100626f6e64000000000c0002000800010005"], 0x3c}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket(0x1, 0x803, 0x0) getsockname$packet(r4, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000002c0)=0x14) sendmsg$nl_route(r3, &(0x7f0000000400)={&(0x7f0000000300)={0x10, 0x0, 0x0, 0x100000}, 0xc, &(0x7f0000000340)={&(0x7f00000004c0)=@RTM_NEWMDB={0x58, 0x54, 0x800, 0x70bd2b, 0x25dfdbfd, {0x7, r2}, [@MDBA_SET_ENTRY={0x20, 0x1, {r2, 0x1, 0x1, 0x3, {@in6_addr=@mcast1}}}, @MDBA_SET_ENTRY={0x20, 0x1, {r5, 0x0, 0x2, 0x1, {@ip4=@dev={0xac, 0x14, 0x14, 0xa}, 0x86dd}}}]}, 0x58}, 0x1, 0x0, 0x0, 0x20000000}, 0x804) r6 = socket$nl_netfilter(0x10, 0x3, 0xc) ioctl$ifreq_SIOCGIFINDEX_team(r6, 0x8933, &(0x7f0000000600)={'team0\x00', 0x0}) sendmsg$nl_route(r3, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000380)=@newlink={0x44, 0x10, 0x401, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x300}, [@IFLA_LINKINFO={0x14, 0x12, 0x0, 0x1, @macvlan={{0xc}, {0x4}}}, @IFLA_LINK={0x8, 0x5, r5}, @IFLA_MASTER={0x8, 0xa, r7}]}, 0x44}}, 0x0) r8 = socket$nl_route(0x10, 0x3, 0x0) r9 = socket(0x1, 0x803, 0x0) getsockname$packet(r9, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000001c0)=0x14) sendmsg$nl_route(r8, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000440)=@newlink={0x44, 0x10, 0x403, 0x70bd25, 0x0, {0x0, 0x0, 0x0, 0x0, 0x2610}, [@IFLA_LINKINFO={0x1c, 0x12, 0x0, 0x1, @ip6gretap={{0xe}, {0x8, 0x2, 0x0, 0x1, [@IFLA_GRE_COLLECT_METADATA={0x4}]}}}, @IFLA_MASTER={0x8, 0xa, r10}]}, 0x44}, 0x1, 0x0, 0x0, 0x24000804}, 0x8000) ioctl$sock_FIOGETOWN(r9, 0x8903, 0x0) ioctl$sock_SIOCSPGRP(r0, 0x8902, &(0x7f00000005c0)) 3.179963466s ago: executing program 1 (id=38): r0 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(r0, &(0x7f0000000280)={0x0, 0x18, 0xfa00, {0x1, &(0x7f0000000200), 0x2, 0x3}}, 0x20) r1 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000040)={0x1, &(0x7f0000000480)=[{0x6, 0x0, 0x0, 0x4}]}) io_setup(0x20, 0x0) close_range(r1, 0xffffffffffffffff, 0x0) 911.519444ms ago: executing program 0 (id=39): unshare(0x28000600) syz_clone(0x4000180, 0x0, 0x0, 0x0, 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) syz_open_procfs(0xffffffffffffffff, 0x0) syz_clone(0x20000, 0x0, 0x0, 0x0, 0x0, 0x0) 599.209524ms ago: executing program 1 (id=40): r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f00000006c0)={0x26, 'hash\x00', 0x0, 0x0, 'vmac64(aes-generic)\x00'}, 0x58) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000480)="b19ccccf6bf531d9ec214627c11430c1", 0x10) r1 = accept4$alg(r0, 0x0, 0x0, 0x800) sendmsg$alg(r1, &(0x7f0000000400)={0x0, 0x0, &(0x7f00000005c0)=[{&(0x7f0000000300)=':', 0x1}], 0x1, 0x0, 0x0, 0x20000005}, 0x200080c0) sendmmsg$sock(r1, &(0x7f0000000b40)=[{{0x0, 0x0, 0x0}}], 0x1, 0x804) 179.956187ms ago: executing program 1 (id=41): r0 = bpf$MAP_CREATE(0x0, &(0x7f0000003940)=ANY=[@ANYBLOB="210000000000000000000000000010000004"], 0x48) madvise(&(0x7f0000000000/0x600000)=nil, 0x600003, 0x19) openat$cgroup_ro(0xffffffffffffffff, 0x0, 0x275a, 0x0) mmap(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x3000001, 0x11, r0, 0x0) msgctl$IPC_SET(0x0, 0x1, &(0x7f0000258f88)={{0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x96}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff}) bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0xd, 0x4, 0x0, 0x0, 0x405, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x25}, 0x94) openat(0xffffffffffffff9c, &(0x7f000000c380)='./file0\x00', 0x20842, 0x0) r1 = socket$netlink(0x10, 0x3, 0xb) bind$netlink(r1, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2fffffffd}, 0xc) 0s ago: executing program 1 (id=42): mmap$IORING_OFF_SQES(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x4, 0x93031, 0xffffffffffffffff, 0x10000000) mmap(&(0x7f0000001000/0xc00000)=nil, 0xc00000, 0x2000004, 0x3b071, 0xffffffffffffffff, 0x0) prctl$PR_SET_VMA(0x53564d41, 0x0, &(0x7f0000ffb000/0x1000)=nil, 0x1000, &(0x7f0000002d80)=',') prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f0000000080)={&(0x7f0000ff0000/0x1000)=nil, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000ff8000/0x4000)=nil, &(0x7f0000ff8000/0x3000)=nil, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffc000/0x3000)=nil, &(0x7f0000ffa000/0x1000)=nil, &(0x7f0000ffa000/0x2000)=nil, 0x0}, 0x68) getsockopt$bt_hci(0xffffffffffffffff, 0x84, 0x81, 0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='smaps\x00') mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0) read$FUSE(r0, &(0x7f0000002dc0)={0x2020}, 0x2020) read$FUSE(r0, &(0x7f0000005780)={0x2020}, 0x2020) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:13088' (ED25519) to the list of known hosts. syzkaller login: [ 83.141064][ T3314] cgroup: Unknown subsys name 'net' [ 83.328157][ T3314] cgroup: Unknown subsys name 'cpuset' [ 83.357718][ T3314] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 83.793534][ T3314] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 94.981653][ T3321] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 95.008497][ T3321] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 95.287272][ T3319] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 95.313710][ T3319] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 96.098175][ T3321] hsr_slave_0: entered promiscuous mode [ 96.104545][ T3321] hsr_slave_1: entered promiscuous mode [ 96.484794][ T3319] hsr_slave_0: entered promiscuous mode [ 96.490236][ T3319] hsr_slave_1: entered promiscuous mode [ 96.495612][ T3319] debugfs: 'hsr0' already exists in 'hsr' [ 96.497675][ T3319] Cannot create hsr debugfs directory [ 97.349764][ T3321] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 97.391659][ T3321] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 97.432614][ T3321] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 97.478692][ T3321] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 97.629169][ T3319] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 97.657784][ T3319] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 97.681498][ T3319] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 97.707937][ T3319] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 98.261276][ T3321] 8021q: adding VLAN 0 to HW filter on device bond0 [ 98.615742][ T3319] 8021q: adding VLAN 0 to HW filter on device bond0 [ 101.267317][ T3321] veth0_vlan: entered promiscuous mode [ 101.329641][ T3321] veth1_vlan: entered promiscuous mode [ 101.508314][ T3321] veth0_macvtap: entered promiscuous mode [ 101.539359][ T3321] veth1_macvtap: entered promiscuous mode [ 101.678986][ T3319] veth0_vlan: entered promiscuous mode [ 101.766044][ T1547] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 101.766768][ T1547] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 101.766938][ T1547] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 101.767123][ T1547] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 101.782405][ T3319] veth1_vlan: entered promiscuous mode [ 102.067576][ T3319] veth0_macvtap: entered promiscuous mode [ 102.098631][ T3319] veth1_macvtap: entered promiscuous mode [ 102.257208][ T3321] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 102.261558][ T2132] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 102.261957][ T2132] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 102.262390][ T2132] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 102.262622][ T2132] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 104.494609][ T3498] netlink: 8 bytes leftover after parsing attributes in process `syz.0.15'. [ 106.896910][ T3533] Illegal XDP return value 33 on prog (id 2) dev N/A, expect packet loss! [ 109.151133][ T3558] netlink: 'syz.1.37': attribute type 1 has an invalid length. [ 109.437989][ T3558] macvlan2: entered promiscuous mode [ 109.439707][ T3558] macvlan2: entered allmulticast mode [ 109.470954][ T3558] ip6gretap1: entered allmulticast mode [ 109.684042][ T30] audit: type=1326 audit(109.480:2): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3561 comm="syz.1.38" exe="/syz-executor" sig=31 arch=c00000b7 syscall=98 compat=0 ip=0xffffa275c3e8 code=0x0 [ 112.763456][ T1547] ================================================================== [ 112.768559][ T1547] BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc [ 112.770949][ T1547] Write at addr f9f0000009180220 by task kworker/u8:11/1547 [ 112.771409][ T1547] Pointer tag: [f9], memory tag: [fe] [ 112.771498][ T1547] [ 112.772376][ T1547] CPU: 1 UID: 0 PID: 1547 Comm: kworker/u8:11 Not tainted syzkaller #0 PREEMPT [ 112.772766][ T1547] Hardware name: linux,dummy-virt (DT) [ 112.773341][ T1547] Workqueue: events_unbound bpf_map_free_deferred [ 112.774751][ T1547] Call trace: [ 112.775072][ T1547] show_stack+0x18/0x24 (C) [ 112.775455][ T1547] dump_stack_lvl+0x78/0x90 [ 112.775596][ T1547] print_report+0x108/0x61c [ 112.775657][ T1547] kasan_report+0x88/0xac [ 112.775705][ T1547] __do_kernel_fault+0x170/0x1c8 [ 112.775758][ T1547] do_bad_area+0x68/0x78 [ 112.775802][ T1547] do_tag_check_fault+0x34/0x44 [ 112.775848][ T1547] do_mem_abort+0x44/0x94 [ 112.775893][ T1547] el1_abort+0x44/0x68 [ 112.775941][ T1547] el1h_64_sync_handler+0x50/0xac [ 112.775986][ T1547] el1h_64_sync+0x6c/0x70 [ 112.776174][ T1547] defer_free+0x3c/0xbc (P) [ 112.776259][ T1547] kfree_nolock+0x1a0/0x1d4 [ 112.776315][ T1547] range_tree_destroy+0x74/0x90 [ 112.776369][ T1547] arena_map_free+0x64/0x90 [ 112.776417][ T1547] bpf_map_free_deferred+0x70/0x180 [ 112.776478][ T1547] process_one_work+0x178/0x2cc [ 112.776534][ T1547] worker_thread+0x24c/0x354 [ 112.776584][ T1547] kthread+0x130/0x1fc [ 112.776632][ T1547] ret_from_fork+0x10/0x20 [ 112.776894][ T1547] [ 112.776966][ T1547] Allocated by task 3574: [ 112.777178][ T1547] kasan_save_stack+0x3c/0x64 [ 112.777448][ T1547] save_stack_info+0x40/0x158 [ 112.777499][ T1547] kasan_save_alloc_info+0x14/0x20 [ 112.777537][ T1547] __kasan_kmalloc+0xb4/0xb8 [ 112.777572][ T1547] kmalloc_nolock_noprof+0x1dc/0x4fc [ 112.777611][ T1547] range_tree_set+0x644/0x778 [ 112.777687][ T1547] arena_map_alloc+0x11c/0x17c [ 112.777729][ T1547] map_create+0x19c/0xa98 [ 112.777764][ T1547] __sys_bpf+0x348/0x1a88 [ 112.777797][ T1547] __arm64_sys_bpf+0x24/0x34 [ 112.777830][ T1547] invoke_syscall+0x48/0x110 [ 112.777863][ T1547] el0_svc_common.constprop.0+0x40/0xe0 [ 112.777897][ T1547] do_el0_svc+0x1c/0x28 [ 112.777932][ T1547] el0_svc+0x34/0x128 [ 112.777966][ T1547] el0t_64_sync_handler+0xa0/0xe4 [ 112.778001][ T1547] el0t_64_sync+0x1a4/0x1a8 [ 112.778079][ T1547] [ 112.778124][ T1547] Freed by task 1547: [ 112.778166][ T1547] kasan_save_stack+0x3c/0x64 [ 112.778203][ T1547] save_stack_info+0x40/0x158 [ 112.778240][ T1547] kasan_save_free_info+0x18/0x24 [ 112.778273][ T1547] __kasan_slab_free+0x7c/0x8c [ 112.778304][ T1547] kfree_nolock+0xcc/0x1d4 [ 112.778336][ T1547] range_tree_destroy+0x74/0x90 [ 112.778370][ T1547] arena_map_free+0x64/0x90 [ 112.778401][ T1547] bpf_map_free_deferred+0x70/0x180 [ 112.778436][ T1547] process_one_work+0x178/0x2cc [ 112.778481][ T1547] worker_thread+0x24c/0x354 [ 112.778517][ T1547] kthread+0x130/0x1fc [ 112.778551][ T1547] ret_from_fork+0x10/0x20 [ 112.778598][ T1547] [ 112.778641][ T1547] The buggy address belongs to the object at fff0000009180200 [ 112.778641][ T1547] which belongs to the cache kmalloc-64 of size 64 [ 112.778750][ T1547] The buggy address is located 32 bytes inside of [ 112.778750][ T1547] 64-byte region [fff0000009180200, fff0000009180240) [ 112.778805][ T1547] [ 112.779060][ T1547] The buggy address belongs to the physical page: [ 112.779530][ T1547] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x49180 [ 112.779934][ T1547] flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0) [ 112.780647][ T1547] page_type: f5(slab) [ 112.781199][ T1547] raw: 01ffc00000000000 f6f0000003001600 dead000000000122 0000000000000000 [ 112.781264][ T1547] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 112.781391][ T1547] page dumped because: kasan: bad access detected [ 112.781441][ T1547] [ 112.781491][ T1547] Memory state around the buggy address: [ 112.781761][ T1547] fff0000009180000: fc fc fc fc f0 f0 f0 f0 f0 f0 f0 f0 fb fb fb fe [ 112.781862][ T1547] fff0000009180100: f3 f3 f3 f3 f6 f6 f6 f6 fc fc fc fe f1 f1 f1 fe [ 112.781922][ T1547] >fff0000009180200: fe fe fe fe fd fd fd fd f4 f4 f4 f4 fe fe fe fe [ 112.781988][ T1547] ^ [ 112.782138][ T1547] fff0000009180300: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 112.782172][ T1547] fff0000009180400: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 112.782254][ T1547] ================================================================== [ 112.783758][ T1547] Disabling lock debugging due to kernel taint SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 113.761594][ T12] netdevsim netdevsim1 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 113.834021][ T12] netdevsim netdevsim1 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 113.924458][ T12] netdevsim netdevsim1 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 113.990443][ T12] netdevsim netdevsim1 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 114.748218][ T12] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 114.808133][ T12] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 114.840317][ T12] bond0 (unregistering): Released all slaves [ 114.977770][ T12] hsr_slave_0: left promiscuous mode [ 114.987161][ T12] hsr_slave_1: left promiscuous mode [ 115.013009][ T12] veth1_macvtap: left promiscuous mode [ 115.014640][ T12] veth0_macvtap: left promiscuous mode [ 115.017737][ T12] veth1_vlan: left promiscuous mode [ 115.018462][ T12] veth0_vlan: left promiscuous mode [ 116.140611][ T12] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 116.214854][ T12] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 116.291363][ T12] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 116.370802][ T12] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 116.891635][ T12] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 116.924005][ T12] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 116.958070][ T12] bond0 (unregistering): Released all slaves [ 117.031108][ T12] hsr_slave_0: left promiscuous mode [ 117.036351][ T12] hsr_slave_1: left promiscuous mode [ 117.052656][ T12] veth1_macvtap: left promiscuous mode [ 117.054084][ T12] veth0_macvtap: left promiscuous mode [ 117.054396][ T12] veth1_vlan: left promiscuous mode [ 117.054667][ T12] veth0_vlan: left promiscuous mode VM DIAGNOSIS: 03:49:08 Registers: info registers vcpu 0 CPU#0 PC=ffff800081b83bfc X00=ffff800081b83bf8 X01=f3f0000003198000 X02=fff07ffffcef4000 X03=0000000000000000 X04=ffff800082a2daa0 X05=0000000000000001 X06=0000000baca95fd9 X07=fff000007f8d7c00 X08=fff000007f8d7c80 X09=0000000000002340 X10=000000000000013f X11=0000000000000001 X12=0000000000000001 X13=0000000000000000 X14=000000000000013f X15=ffff800081bd4430 X16=ffff800082de8000 X17=fff07ffffcef4000 X18=0000000000000001 X19=0000000000000000 X20=ffff800082b11888 X21=ffff800082b11880 X22=f3f0000003198000 X23=0000000000000004 X24=ffff800082b11888 X25=0000000000000028 X26=f3f0000003198000 X27=0000000000000000 X28=0000000000000000 X29=ffff800082e9bcb0 X30=ffff800080188b50 SP=ffff800082e9bcb0 PSTATE=804020c9 N--- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000 P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000 P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000 P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000 FFR=0000000000000000 Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000001 Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:08000480e2100001:93cac4b09f91a284 Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:8004010000000806:06014ea400100001 Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:10000193cac4b09f:91a284a110000b9b Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:00080606014ea400:10000108000480e2 Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:72a0001000010800:0480e21000061000 Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:000c016f9203ffff:ffff040108000401 Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:000001f40000000a Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffdc09e8f0:0000ffffdc09e8f0 Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffdc09e8c0 Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff800080cc82b0 X00=ffffffffffffe03d X01=000000000000000a X02=0000000000005562 X03=0000001a13b86000 X04=000000000000dd86 X05=0000000000000000 X06=fbf0000007203400 X07=0000000000000000 X08=f4f0000005e81abc X09=000000000000000f X10=0000000000000344 X11=0000000000000004 X12=0000000000000004 X13=0000000000000001 X14=0000000000000344 X15=ffff8000831eba00 X16=ffff800082df0000 X17=fff07ffffcf0d000 X18=00000000ffffffff X19=ffff800082df3dd0 X20=0000000000000000 X21=ffff800082df3dd0 X22=f1f000000bae0000 X23=f1f000000bae0068 X24=f1f000000bae007c X25=f8f000000b969050 X26=000000000000a888 X27=f8f000000b969000 X28=0000000000000002 X29=ffff800082df3d50 X30=ffff800080cc8044 SP=ffff800082df3d50 PSTATE=60402009 -ZC- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000 P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000 P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000 P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000 FFR=0000000000000000 Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0800000000000000:0800000000000000 Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000800000000:0000000000000000 Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000008:0000000000000000 Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:00d000a800000000:0000000000000000 Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000002 Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000008:0000000000000002 Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:6edc4d3a2914b135:d8e9c869e2695c88 Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:b20fae707afde253:388e9c6c4fa85ca0 Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffc0f091c0:0000ffffc0f091c0 Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffc0f09190 Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000