last executing test programs: 12.693810859s ago: executing program 0 (id=28): r0 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r0, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000000500)={&(0x7f0000001940)=@newsa={0x138, 0x10, 0x1, 0x0, 0x25dfdbfc, {{@in=@empty, @in6=@dev={0xfe, 0x80, '\x00', 0x42}, 0x0, 0x0, 0x81e, 0x4, 0x0, 0x20, 0x80, 0x21}, {@in=@multicast1, 0x0, 0x33}, @in=@loopback, {0x401, 0x0, 0x8, 0x0, 0xffffffff, 0x3, 0x0, 0x8000000}, {0xfffffffffffffffd, 0x0, 0xfffffffffffffffd, 0x80000001}, {0x0, 0x1, 0xfffffffc}, 0x2, 0x0, 0xa, 0x2, 0x1, 0x40}, [@algo_auth={0x48, 0x1, {{'rmd160\x00'}}}]}, 0x138}, 0x1, 0x0, 0x0, 0x24040021}, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000003c0)={0x11, 0x5, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000008000000000000001000000940000000fad413ec50000000f00000095"], &(0x7f0000000180)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000340)={&(0x7f0000000040)='netlink_extack\x00', r1}, 0x18) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = syz_usb_connect(0x2, 0x24, &(0x7f0000000640)=ANY=[@ANYBLOB="12010000d972a440b72040155ab70102030109021200010000"], 0x0) syz_usb_control_io(r3, 0x0, 0x0) syz_usb_control_io$cdc_ecm(r3, 0x0, 0x0) syz_usb_control_io$lan78xx(r3, 0x0, 0x0) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0) sendmsg$nl_route(r2, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000001200)={&(0x7f00000000c0)=ANY=[@ANYRES32=0x0, @ANYBLOB="20000100", @ANYRES32=0x0, @ANYBLOB="010300000000000000000000000000000000000008000000"], 0x38}}, 0x8000) prctl$PR_CAPBSET_READ(0x17, 0x85d8) mknodat(0xffffffffffffff9c, &(0x7f0000000180)='./file5\x00', 0x61c0, 0x700) r4 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_CREATE(r4, &(0x7f0000000040)={0x0, 0x0, 0x0}, 0x0) socket$key(0xf, 0x3, 0x2) 1.281404335s ago: executing program 1 (id=77): r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101}) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$unix(0x1, 0x1, 0x0) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0}) sendmsg$nl_route_sched(r1, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)=@newqdisc={0x48, 0x24, 0x4ee4e6a52ff56541, 0x70bd2c, 0xffffffff, {0x0, 0x0, 0x0, r3, {0x0, 0xfff1}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_htb={{0x8}, {0x1c, 0x2, [@TCA_HTB_INIT={0x18, 0x2, {0x3, 0x8, 0x4}}]}}]}, 0x48}}, 0x20040084) r4 = socket$netlink(0x10, 0x3, 0x0) r5 = socket$unix(0x1, 0x1, 0x0) ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0}) sendmsg$nl_route_sched(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000008c0)=@newqdisc={0x24, 0x28, 0x4ee4e6a52ff56541, 0x4001, 0xfffffdfc, {0x0, 0x0, 0x0, r6, {}, {0xffff, 0xffff}, {0x2, 0x1}}}, 0x24}, 0x1, 0x0, 0x0, 0x400dc}, 0x0) 1.279895945s ago: executing program 0 (id=78): openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x48241, 0x0) r0 = syz_io_uring_setup(0x88f, &(0x7f0000000140)={0x0, 0xaee2, 0x0, 0x1, 0xbfdffffc}, &(0x7f00000000c0)=0x0, &(0x7f00000003c0)=0x0) syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4) syz_io_uring_submit(r1, r2, &(0x7f00000002c0)=@IORING_OP_POLL_ADD={0x6, 0x0, 0x0, @fd_index=0x3, 0x0, 0x0, 0x0, {0x85c3}}) io_uring_enter(r0, 0x47f6, 0x0, 0x0, 0x0, 0x0) 915.938009ms ago: executing program 0 (id=79): r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000000c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000001000900030073797a320000000014000000110001"], 0x7c}, 0x1, 0x0, 0x0, 0x20000000}, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000280)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a3c000000120a01080000000000000000020000000900020073797a2a0000000008000440000000000900010073797a3000000000080003"], 0x64}}, 0x0) bpf$ENABLE_STATS(0x20, 0x0, 0x0) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x11, 0xb, &(0x7f0000000180)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000000000000b7030000e8ffffff850000000400000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000080)='sched_switch\x00', r1}, 0x10) 841.884904ms ago: executing program 1 (id=80): r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000006c0)={0x18, 0xb, &(0x7f0000000640)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020000000000000000000007b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000000600000095"], &(0x7f00000004c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000300)='rcu_utilization\x00', r0}, 0x10) r1 = syz_usb_connect(0x2, 0x4a, &(0x7f0000000040)=ANY=[@ANYBLOB="120100005520f010402038b1420104000001090238000100000000090400000544fb2f00090582eb1000000001020009050276"], 0x0) syz_usb_control_io$cdc_ecm(r1, &(0x7f0000000180)={0x14, 0x0, &(0x7f0000000000)={0x0, 0x3, 0x1a, {0x1a}}}, 0x0) syz_usb_ep_write$ath9k_ep1(r1, 0x82, 0xc38, &(0x7f0000000700)=ANY=[]) 672.723125ms ago: executing program 1 (id=81): r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f000000c280)={&(0x7f0000003a80)={{0x14}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x101, 0x0, 0x0, {0x5}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWCHAIN={0x48, 0x3, 0xa, 0x3, 0x0, 0x0, {0x5}, [@NFTA_CHAIN_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_CHAIN_NAME={0x9, 0x3, 'syz0\x00'}, @NFTA_CHAIN_FLAGS={0x8, 0xa, 0x1, 0x0, 0x3}, @NFTA_CHAIN_HOOK={0x14, 0x4, 0x0, 0x1, [@NFTA_HOOK_PRIORITY={0x8, 0x2, 0x1, 0x0, 0x12}, @NFTA_HOOK_HOOKNUM={0x8}]}]}], {0x14}}, 0x90}}, 0x2) 504.110096ms ago: executing program 1 (id=82): seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000140)=[{0x6, 0x0, 0xe, 0x7fff0000}]}) openat$cuse(0xffffffffffffff9c, 0x0, 0x2, 0x0) execveat(0xffffffffffffff9c, 0x0, 0x0, 0x0, 0x0) 432.530541ms ago: executing program 0 (id=83): sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000100)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a25c4e36aa5c4c6d30000010000000900010073797a30000000002c000000030a01020000000000000000010000000900010073797a30000000000900030073797a300000000054000000060a010400000000000000000100000008000b40000000002c00048028000180080001006e6174001c00028008000240000000000800014000"], 0xc8}}, 0x0) r0 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f0000000640)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="2c00000015000504e1ff4319918e00352d"], 0x2c}}, 0x60040050) 431.786201ms ago: executing program 1 (id=84): r0 = syz_usb_connect$cdc_ncm(0x0, 0x6e, &(0x7f0000000480)={{0x12, 0x1, 0x0, 0x2, 0x0, 0x0, 0x40, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x5c, 0x2, 0x1, 0x0, 0x0, 0x0, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x5}, {0x5}, {0xd}, {0x6}}, {{0x9, 0x5, 0x81, 0x3, 0x200}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x200}}, {{0x9, 0x5, 0x3, 0x2, 0x200}}}}}}}]}}, 0x0) syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) syz_usb_control_io(r0, 0x0, &(0x7f0000000940)={0x44, &(0x7f0000000500)={0x0, 0xb}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r0, &(0x7f0000000080)={0x14, 0x0, &(0x7f0000000040)={0x0, 0x3, 0x1a, {0x1a}}}, 0x0) 218.950325ms ago: executing program 0 (id=85): r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000007, 0x38011, r0, 0x0) madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe) ioctl$LOOP_SET_STATUS64(r0, 0x4c04, &(0x7f0000000180)={0x0, 0x0, 0x0, 0x9, 0x6, 0x0, 0x8, 0x2, 0x9, "600d66de6a4389fabcdb0861942cb70b2358e398d4633beec307baeafdd84d9839d119503ca3a49ce9f574465e18986e8f3344bcb63d2ad012c05de20c996bbd", "364a949ec7f9884b5716ce0244a6453d6fdc5c1fce9a40bf40107a3b32b3d18bb61f4b97d24368a8aefadc1a50920e0fdc2e7b1d21b0955e1d65db45cec819fd", "3a545c86deff78e7a67ce68fc3bb22d62ae6d01a25e4f503ede534c74c5de4d4", [0x40]}) ioctl$BLKRRPART(r0, 0x125f, 0x0) 218.722035ms ago: executing program 1 (id=86): r0 = openat$tun(0xffffffffffffff9c, &(0x7f00000003c0), 0x1c1341, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller0\x00', 0x84aebfbd6349b7f2}) r1 = openat$tun(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0) close(r1) r2 = socket$nl_generic(0x10, 0x3, 0x10) r3 = syz_genetlink_get_family_id$tipc(&(0x7f0000000200), 0xffffffffffffffff) sendmsg$TIPC_CMD_ENABLE_BEARER(r2, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000680)=ANY=[@ANYBLOB='8\x00\x00\x00', @ANYRES16=r3, @ANYBLOB="010000000d0000000000010000000000000001410000001c001700000000000000006574683a73797a6b616c6c657230"], 0x38}}, 0x0) ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @multicast}) 0s ago: executing program 0 (id=87): r0 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000009c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0}, 0x50) bpf$PROG_LOAD(0x5, &(0x7f0000002c40)={0x1, 0x17, &(0x7f00000007c0)=@ringbuf={{}, {{0x18, 0x1, 0x1, 0x0, r0}, {}, {}, {0x85, 0x0, 0x0, 0x5}, {0x7, 0x1, 0xb, 0x9, 0x0, 0x20}}, {{0x6, 0x0, 0x6}, {0x6, 0x0, 0x0, 0xb}}, [@printk={@p, {0x3, 0x3, 0x3, 0xa, 0x9}, {0x5, 0x1, 0xa, 0x1, 0x9}, {0x7, 0x0, 0x3}, {}, {0x7, 0x0, 0xb, 0x3, 0x0, 0x0, 0x2}, {0x56}}], {{0x4, 0x1, 0x2, 0x3}, {0x5, 0x0, 0xb, 0x3}, {0x85, 0x0, 0x0, 0x76}}}, &(0x7f0000000780)='syzkaller\x00', 0x2, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:17423' (ED25519) to the list of known hosts. syzkaller login: [ 92.143286][ T3316] cgroup: Unknown subsys name 'net' [ 92.402753][ T3316] cgroup: Unknown subsys name 'cpuset' [ 92.427479][ T3316] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 92.991763][ T3316] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 104.361675][ T3322] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 104.380024][ T3321] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 104.397153][ T3322] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 104.410431][ T3321] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 105.786288][ T3322] hsr_slave_0: entered promiscuous mode [ 105.791935][ T3322] hsr_slave_1: entered promiscuous mode [ 105.821896][ T3321] hsr_slave_0: entered promiscuous mode [ 105.827341][ T3321] hsr_slave_1: entered promiscuous mode [ 105.830362][ T3321] debugfs: 'hsr0' already exists in 'hsr' [ 105.832969][ T3321] Cannot create hsr debugfs directory [ 107.065650][ T3322] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 107.121217][ T3322] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 107.144493][ T3322] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 107.200894][ T3322] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 107.477931][ T3321] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 107.513040][ T3321] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 107.540401][ T3321] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 107.578392][ T3321] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 108.693855][ T3322] 8021q: adding VLAN 0 to HW filter on device bond0 [ 108.912472][ T3321] 8021q: adding VLAN 0 to HW filter on device bond0 [ 112.510481][ T3321] veth0_vlan: entered promiscuous mode [ 112.562350][ T3321] veth1_vlan: entered promiscuous mode [ 112.787687][ T3322] veth0_vlan: entered promiscuous mode [ 112.831577][ T3321] veth0_macvtap: entered promiscuous mode [ 112.852725][ T3322] veth1_vlan: entered promiscuous mode [ 112.871410][ T3321] veth1_macvtap: entered promiscuous mode [ 113.160400][ T40] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 113.161243][ T40] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 113.161422][ T40] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 113.161567][ T40] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 113.173235][ T3322] veth0_macvtap: entered promiscuous mode [ 113.242266][ T3322] veth1_macvtap: entered promiscuous mode [ 113.560049][ T40] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 113.560536][ T40] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 113.564021][ T40] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 113.564303][ T40] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 113.763354][ T3321] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 116.283211][ T3505] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 116.283734][ T3505] IPv6: NLM_F_CREATE should be set when creating new route [ 116.621860][ T3511] netlink: 'syz.0.13': attribute type 1 has an invalid length. [ 116.746924][ T3511] macvlan2: entered promiscuous mode [ 116.747510][ T3511] macvlan2: entered allmulticast mode [ 116.750298][ T3511] bond0: entered promiscuous mode [ 116.750640][ T3511] bond_slave_0: entered promiscuous mode [ 116.751545][ T3511] bond_slave_1: entered promiscuous mode [ 116.762870][ T3511] 8021q: adding VLAN 0 to HW filter on device macvlan2 [ 116.837750][ T3511] bond0: left promiscuous mode [ 116.839602][ T3511] bond_slave_0: left promiscuous mode [ 116.846574][ T3511] bond_slave_1: left promiscuous mode [ 117.056780][ T3510] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 117.061340][ T3510] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 117.073397][ T3511] macvlan2: entered promiscuous mode [ 117.073954][ T3511] macvlan2: entered allmulticast mode [ 117.080467][ T3511] bond0: entered promiscuous mode [ 117.081001][ T3511] bond_slave_0: entered promiscuous mode [ 117.081846][ T3511] bond_slave_1: entered promiscuous mode [ 117.091564][ T3511] 8021q: adding VLAN 0 to HW filter on device macvlan2 [ 117.126759][ T3511] bond0: left promiscuous mode [ 117.127077][ T3511] bond_slave_0: left promiscuous mode [ 117.129491][ T3511] bond_slave_1: left promiscuous mode [ 117.224390][ T3516] netlink: 12 bytes leftover after parsing attributes in process `syz.1.15'. [ 119.616664][ T3391] usb 1-1: new full-speed USB device number 2 using dummy_hcd [ 119.620985][ T3557] netlink: 32 bytes leftover after parsing attributes in process `syz.1.31'. [ 119.822793][ T3391] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 119.824777][ T3391] usb 1-1: config 0 has 0 interfaces, different from the descriptor's value: 1 [ 119.859697][ T3391] usb 1-1: New USB device found, idVendor=20b7, idProduct=1540, bcdDevice=b7.5a [ 119.866181][ T3391] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 119.868379][ T3391] usb 1-1: Product: syz [ 119.870237][ T3391] usb 1-1: Manufacturer: syz [ 119.871441][ T3391] usb 1-1: SerialNumber: syz [ 119.897202][ T3391] usb 1-1: config 0 descriptor?? [ 120.761520][ T3570] binder: 3569:3570 tried to acquire reference to desc 0, got 1 instead [ 120.768468][ T3570] binder: 3569:3570 got transaction to invalid handle, 1025 [ 120.770591][ T3570] binder: 3569:3570 cannot find target node [ 120.772724][ T3570] binder: 3569:3570 transaction call to 0:0 failed 5/29201/-22, code 0 size 0-0 line 3232 [ 120.782312][ T3391] binder: undelivered TRANSACTION_ERROR: 29201 [ 121.419144][ T3573] syz.1.37 uses obsolete (PF_INET,SOCK_PACKET) [ 122.882834][ T3588] IPv6: NLM_F_CREATE should be specified when creating new route [ 124.192955][ T3605] netlink: 'syz.1.51': attribute type 1 has an invalid length. [ 124.193626][ T3605] netlink: 16 bytes leftover after parsing attributes in process `syz.1.51'. [ 124.607572][ T3611] netlink: 52 bytes leftover after parsing attributes in process `syz.1.54'. [ 124.608932][ T3611] Zero length message leads to an empty skb [ 124.913678][ T3615] process 'syz.1.56' launched './file2' with NULL argv: empty string added [ 128.764262][ T3633] binder: 3632:3633 tried to acquire reference to desc 0, got 1 instead [ 128.784650][ T787] binder: release 3632:3633 transaction 10 out, still active [ 128.787755][ T787] binder: undelivered TRANSACTION_COMPLETE [ 128.802973][ T787] binder: send failed reply for transaction 10, target dead [ 129.278870][ T3641] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 129.280388][ T3641] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 130.205927][ T3467] usb 1-1: USB disconnect, device number 2 [ 130.733149][ T3665] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 130.734060][ T3665] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 131.157225][ T3673] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 131.158603][ T3673] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 131.166990][ T3674] netlink: 'syz.0.83': attribute type 1 has an invalid length. [ 131.747201][ T3681] ================================================================== [ 131.751066][ T3681] BUG: KASAN: invalid-access in __memcpy+0xc/0x54 [ 131.753459][ T3681] Write at addr fbff800085e9595f by task syz.0.87/3681 [ 131.753982][ T3681] Pointer tag: [fb], memory tag: [fe] [ 131.754073][ T3681] [ 131.755039][ T3681] CPU: 0 UID: 0 PID: 3681 Comm: syz.0.87 Not tainted syzkaller #0 PREEMPT [ 131.755442][ T3681] Hardware name: linux,dummy-virt (DT) [ 131.755835][ T3681] Call trace: [ 131.756207][ T3681] show_stack+0x18/0x24 (C) [ 131.756552][ T3681] dump_stack_lvl+0x78/0x90 [ 131.756671][ T3681] print_report+0x108/0x61c [ 131.756732][ T3681] kasan_report+0x88/0xac [ 131.756779][ T3681] __do_kernel_fault+0x170/0x1c8 [ 131.756845][ T3681] do_bad_area+0x68/0x78 [ 131.756897][ T3681] do_tag_check_fault+0x34/0x44 [ 131.756987][ T3681] do_mem_abort+0x44/0x94 [ 131.757053][ T3681] el1_abort+0x44/0x68 [ 131.757104][ T3681] el1h_64_sync_handler+0x50/0xac [ 131.757155][ T3681] el1h_64_sync+0x6c/0x70 [ 131.757315][ T3681] __memcpy+0xc/0x54 (P) [ 131.757377][ T3681] do_misc_fixups+0x1554/0x1afc [ 131.757433][ T3681] bpf_check+0x1384/0x293c [ 131.757485][ T3681] bpf_prog_load+0x63c/0xd40 [ 131.757534][ T3681] __sys_bpf+0x2e0/0x1a88 [ 131.757584][ T3681] __arm64_sys_bpf+0x24/0x34 [ 131.757636][ T3681] invoke_syscall+0x48/0x110 [ 131.757689][ T3681] el0_svc_common.constprop.0+0x40/0xe0 [ 131.757743][ T3681] do_el0_svc+0x1c/0x28 [ 131.757796][ T3681] el0_svc+0x34/0x128 [ 131.757856][ T3681] el0t_64_sync_handler+0xa0/0xe4 [ 131.757908][ T3681] el0t_64_sync+0x1a4/0x1a8 [ 131.758176][ T3681] [ 131.758458][ T3681] The buggy address belongs to a 1-page vmalloc region starting at 0xfbff800085e95000 allocated at bpf_check+0x8c/0x293c [ 131.760411][ T3681] The buggy address belongs to the physical page: [ 131.760816][ T3681] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43a16 [ 131.761249][ T3681] flags: 0x1ffd00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x4) [ 131.762257][ T3681] raw: 01ffd00000000000 0000000000000000 dead000000000122 0000000000000000 [ 131.762323][ T3681] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 131.762454][ T3681] page dumped because: kasan: bad access detected [ 131.762538][ T3681] [ 131.762576][ T3681] Memory state around the buggy address: [ 131.762877][ T3681] ffff800085e95700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 131.762986][ T3681] ffff800085e95800: fb fb fb fb fb fb fb fb fb fb fe fe fe fe fe fe SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 131.763052][ T3681] >ffff800085e95900: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 131.763118][ T3681] ^ [ 131.763391][ T3681] ffff800085e95a00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 131.763425][ T3681] ffff800085e95b00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 131.763508][ T3681] ================================================================== [ 131.765529][ T3681] Disabling lock debugging due to kernel taint [ 131.836952][ C1] hrtimer: interrupt took 14454369 ns [ 132.074994][ T3677] syzkaller0: entered promiscuous mode [ 132.076685][ T3677] syzkaller0: entered allmulticast mode [ 132.719167][ T1278] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 132.834057][ T1278] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 132.883157][ T1278] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 132.964419][ T1278] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 133.744558][ T1278] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 133.784867][ T1278] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 133.814435][ T1278] bond0 (unregistering): Released all slaves [ 133.913690][ T1278] hsr_slave_0: left promiscuous mode [ 133.920688][ T1278] hsr_slave_1: left promiscuous mode [ 133.936136][ T1278] veth1_macvtap: left promiscuous mode [ 133.936674][ T1278] veth0_macvtap: left promiscuous mode [ 133.936975][ T1278] veth1_vlan: left promiscuous mode [ 133.937247][ T1278] veth0_vlan: left promiscuous mode [ 135.183372][ T1278] netdevsim netdevsim1 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 135.244780][ T1278] netdevsim netdevsim1 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 135.331417][ T1278] netdevsim netdevsim1 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 135.413826][ T1278] netdevsim netdevsim1 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 136.158437][ T1278] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 136.188398][ T1278] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 136.218718][ T1278] bond0 (unregistering): Released all slaves [ 136.319234][ T1278] hsr_slave_0: left promiscuous mode [ 136.323737][ T1278] hsr_slave_1: left promiscuous mode [ 136.342031][ T1278] veth1_macvtap: left promiscuous mode [ 136.343997][ T1278] veth0_macvtap: left promiscuous mode [ 136.347739][ T1278] veth1_vlan: left promiscuous mode [ 136.350118][ T1278] veth0_vlan: left promiscuous mode VM DIAGNOSIS: 22:01:49 Registers: info registers vcpu 0 CPU#0 PC=ffff800080012164 X00=ffff800082e00000 X01=0000000000010005 X02=0000000000000005 X03=0000000000000001 X04=0000000000000001 X05=ffff800082a03000 X06=0000000000000001 X07=ffff800082a03b18 X08=ffffffffffffffff X09=0000000000000066 X10=ffff800082debd78 X11=000000000000005a X12=ffff800082a012d0 X13=0000000000000000 X14=0000000000000211 X15=ffff80008629b420 X16=ffff800082de8000 X17=fff07ffffcef4000 X18=fffffffffff8e1af X19=fcf0000003048c30 X20=f3f00000065ad280 X21=ffff800081cfff18 X22=ffff800082b1ab40 X23=0000000000002820 X24=ffff800082a01000 X25=0000000000000600 X26=f4f0000004942a80 X27=0000000000004e10 X28=f9f000000bafce10 X29=ffff800082deb6d0 X30=ffff800080151ad4 SP=ffff800082deb6d0 PSTATE=004023c9 ---- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000 P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000 P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000 P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000 FFR=0000000000000000 Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:00524f5252450040:0000000000000000 Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:00524f5252450040:0000000000000000 Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:6edc4d3a2914b135:d8e9c869e2695c88 Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:b20fae707afde253:388e9c6c4fa85ca0 Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffdd2315f0:0000ffffdd2315f0 Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffdd2315c0 Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff800081b7b948 X00=ffff8000831ebc17 X01=ffff8001031ebc15 X02=ffff8000831ebb8c X03=00000006ffff0a00 X04=0000000000000000 X05=ffff80008210f340 X06=ffff8000831ebb40 X07=0000000000000004 X08=f4f00000031ae300 X09=ffff8000831ebb10 X10=fffffffffffcd838 X11=fffffffffffcd848 X12=ffff800082adf268 X13=ffff8000831ebb8d X14=ffff8000831ebb98 X15=ffff8000831eba00 X16=ffff800082df0000 X17=fff07ffffcf0d000 X18=00000000ffffffff X19=0000000000000005 X20=0000000000000405 X21=ffff8000824f5ad4 X22=ffff8001031ebc15 X23=0000000000000004 X24=ffff8000831ebb40 X25=00000000ffffffd8 X26=000000007fffffff X27=ffff8000831ebc17 X28=ffff8000824f5ad4 X29=ffff8000831eba20 X30=ffff800081b7eb98 SP=ffff8000831eba20 PSTATE=a04020c9 N-C- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000 P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000 P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000 P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000 FFR=0000000000000000 Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0100000000000000:0100000000000000 Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000100000000:0000000000000000 Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000001:0000000000000000 Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:00d000a800000000:0000000000000000 Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000002 Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000001:0000000000000002 Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:6edc4d3a2914b135:d8e9c869e2695c88 Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:b20fae707afde253:388e9c6c4fa85ca0 Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffedd23af0:0000ffffedd23af0 Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffedd23ac0 Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000