Extracting prog: 28m42.205178966s Minimizing prog: 36m48.010103298s Simplifying prog options: 16m25.473481011s Extracting C: 5m13.070837897s Simplifying C: 0s extracting reproducer from 30 programs testing a last program of every proc single: executing 5 programs separately with timeout 6m0s testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-socket$rds-socket$rds-bind$rds-sendmsg$rds-sendmsg$rds-socket$nl_route-socket$nl_route-socket-socket-sendmsg$nl_route-sendmsg$NFT_BATCH detailed listing: executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) socket$rds(0x15, 0x5, 0x0) (async) r1 = socket$rds(0x15, 0x5, 0x0) bind$rds(r1, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10) sendmsg$rds(r1, &(0x7f0000001600)={&(0x7f0000000040)={0x2, 0x0, @private=0xa010100}, 0x10, 0x0}, 0x0) sendmsg$rds(r1, &(0x7f0000000480)={&(0x7f0000000200)={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x39}}, 0x10, 0x0, 0x0, 0x0, 0x0, 0x81}, 0x40) socket$nl_route(0x10, 0x3, 0x0) (async) r2 = socket$nl_route(0x10, 0x3, 0x0) socket(0x10, 0x803, 0x0) (async) r3 = socket(0x10, 0x803, 0x0) sendmsg$nl_route(r2, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000380)=ANY=[@ANYBLOB="500000001000810500"/20, @ANYRES32=0x0, @ANYBLOB="01000000000000002800128009000100766c616e000000001800028006000100030000000c0002001c0000000f49000008000500", @ANYRES32=r3], 0x50}}, 0xc0) sendmsg$NFT_BATCH(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000300)=ANY=[@ANYBLOB="140000001000010000000000000000000100000a20000000000a01040000000000000000010000030900010073797a30000000002c000000030a01010000000000000000010000000900010073797a30000000000900030073797a32000000009c000000060a010400000000000000000100000008000b400000000074000480340001800b000100657874686472000024000280080001400000000c0800034000000000080004400000002205000200070000003c0001800c00010062697477697365002c0002800800034000000002080001400000001408000240000000120800064000000000080006400000000a0900010073797a30"], 0x110}}, 0x0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_rdma-getsockopt$IP_VS_SO_GET_SERVICE-sendmsg$RDMA_NLDEV_CMD_SET detailed listing: executing program 0: r0 = socket$nl_rdma(0x10, 0x3, 0x14) getsockopt$IP_VS_SO_GET_SERVICE(0xffffffffffffffff, 0x0, 0x483, &(0x7f0000000000), &(0x7f0000000080)=0x68) sendmsg$RDMA_NLDEV_CMD_SET(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f00000001c0)=ANY=[@ANYBLOB="240000001b1401002abdd444d446df250800010000000000090002"], 0x24}, 0x1, 0x0, 0x0, 0x4000801}, 0x40810) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-sendmsg$nl_route_sched-socket$nl_route-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route detailed listing: executing program 0: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f00000005c0)=@newtaction={0x90, 0x30, 0x871a15abc695fa3d, 0x0, 0xfffffffd, {}, [{0x7c, 0x1, [@m_ctinfo={0x48, 0x1, 0x0, 0x0, {{0xb}, {0x1c, 0x2, 0x0, 0x1, [@TCA_CTINFO_ACT={0x18}]}, {0x4}, {0xc}, {0xc}}}, @m_mirred={0x30, 0x2, 0x0, 0x0, {{0xb}, {0x4}, {0x4}, {0xc}, {0xc}}}]}]}, 0x90}}, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000080)={'bond0\x00', 0x0}) sendmsg$nl_route(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000900)=@newlink={0x5c, 0x10, 0x403, 0x70bd2d, 0x0, {0x0, 0x0, 0x0, 0x0, 0x215}, [@IFLA_MASTER={0x8}, @IFLA_LINK={0x8, 0x5, r2}, @IFLA_LINKINFO={0x2c, 0x12, 0x0, 0x1, @vlan={{0x9}, {0x1c, 0x2, 0x0, 0x1, [@IFLA_VLAN_ID={0x6}, @IFLA_VLAN_INGRESS_QOS={0x10, 0x4, 0x0, 0x1, [@IFLA_VLAN_QOS_MAPPING={0xc, 0x1, {0x3, 0x8}}]}]}}}]}, 0x5c}, 0x1, 0xba01}, 0x4000040) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$netlink-ioctl$sock_SIOCGIFINDEX-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-openat$tun-ioctl$TUNSETIFF-socket$kcm-ioctl$SIOCSIFHWADDR-socket$nl_netfilter-sendmsg$NFT_BATCH-write$tun-sendmsg$nl_route_sched-socket$nl_route-poll-sendmsg$nl_route-sendmsg$nl_route detailed listing: executing program 0: r0 = socket$netlink(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000200)={'geneve0\x00', 0x0}) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0) r2 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x48241, 0x0) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r3 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r3, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) r4 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r4, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000240)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a03000000000000000000010000000900010073797a30000000006c000000160a01020000000000000000010000000900010073797a30000000000900020073797a3000000000400003802c00038004000100766c616e31000000000000000000000014000100776c616e3100000000000000000000000800014000000000080002"], 0xfc}}, 0x0) write$tun(r2, &(0x7f0000000100)={@val, @void, @eth={@random="8c5d673ef776", @local, @val={@val={0x88a8, 0x5, 0x1, 0x4}, {0x8100, 0x6, 0x0, 0x6}}, {@ipv4={0x800, @generic={{0x5, 0x4, 0x1, 0x6, 0x1c, 0xe4, 0x0, 0x8, 0x11, 0x0, @dev={0xac, 0x14, 0x14, 0x29}, @loopback}, "c72975ea5f954511"}}}}}, 0x36) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000100)=@newqdisc={0x3c, 0x24, 0x400, 0x70bd29, 0x0, {0x0, 0x0, 0x0, 0x0, {}, {}, {0x1, 0xffff}}, [@qdisc_kind_options=@q_cake={{0x9}, {0xc, 0x2, [@TCA_CAKE_NAT={0x8, 0xb, 0x1}]}}]}, 0x3c}, 0x1, 0x0, 0x0, 0x24008080}, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) poll(&(0x7f0000000040), 0x55, 0x0) sendmsg$nl_route(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000100)=ANY=[@ANYBLOB="500000001000010400"/20, @ANYRES32=0x0, @ANYBLOB="0000000000000000280012800a00010076786c616e"], 0x50}}, 0x0) sendmsg$nl_route(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="4400000010000100"/20, @ANYRES32=r1, @ANYBLOB="00000000000000001c0012800b00010067656e65766500000c00028008000200ac1414bb080004"], 0x44}, 0x1, 0x2}, 0x0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_rdma-sendmsg$RDMA_NLDEV_CMD_NEWLINK detailed listing: executing program 0: r0 = socket$nl_rdma(0x10, 0x3, 0x14) sendmsg$RDMA_NLDEV_CMD_NEWLINK(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000180)={0x88, 0x1403, 0x1, 0x70bd28, 0x25dfdbfc, "", [{{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'veth0_to_team\x00'}}, {{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'gre0\x00'}}, {{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'ipvlan1\x00'}}]}, 0x88}, 0x1, 0x0, 0x0, 0x8001}, 0x44014) program crashed: KASAN: slab-use-after-free Read in __ethtool_get_link_ksettings single: successfully extracted reproducer found reproducer with 2 syscalls minimizing guilty program testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_rdma detailed listing: executing program 0: socket$nl_rdma(0x10, 0x3, 0x14) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$RDMA_NLDEV_CMD_NEWLINK detailed listing: executing program 0: sendmsg$RDMA_NLDEV_CMD_NEWLINK(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000180)={0x88, 0x1403, 0x1, 0x70bd28, 0x25dfdbfc, "", [{{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'veth0_to_team\x00'}}, {{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'gre0\x00'}}, {{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'ipvlan1\x00'}}]}, 0x88}, 0x1, 0x0, 0x0, 0x8001}, 0x44014) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_rdma-sendmsg$RDMA_NLDEV_CMD_NEWLINK detailed listing: executing program 0: r0 = socket$nl_rdma(0x10, 0x3, 0x14) sendmsg$RDMA_NLDEV_CMD_NEWLINK(r0, 0x0, 0x44014) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_rdma-sendmsg$RDMA_NLDEV_CMD_NEWLINK detailed listing: executing program 0: r0 = socket$nl_rdma(0x10, 0x3, 0x14) sendmsg$RDMA_NLDEV_CMD_NEWLINK(r0, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x44014) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_rdma-sendmsg$RDMA_NLDEV_CMD_NEWLINK detailed listing: executing program 0: r0 = socket$nl_rdma(0x10, 0x3, 0x14) sendmsg$RDMA_NLDEV_CMD_NEWLINK(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={0x0}, 0x1, 0x0, 0x0, 0x8001}, 0x44014) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_rdma-sendmsg$RDMA_NLDEV_CMD_NEWLINK detailed listing: executing program 0: r0 = socket$nl_rdma(0x10, 0x3, 0x14) sendmsg$RDMA_NLDEV_CMD_NEWLINK(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000180)={0x10, 0x1403, 0x1, 0x70bd28, 0x25dfdbfc}, 0x10}, 0x1, 0x0, 0x0, 0x8001}, 0x44014) program did not crash extracting C reproducer testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_rdma-sendmsg$RDMA_NLDEV_CMD_NEWLINK program crashed: no output from test machine a never seen crash title: no output from test machine, ignore simplifying guilty program options testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_rdma-sendmsg$RDMA_NLDEV_CMD_NEWLINK detailed listing: executing program 0: r0 = socket$nl_rdma(0x10, 0x3, 0x14) sendmsg$RDMA_NLDEV_CMD_NEWLINK(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000180)={0x88, 0x1403, 0x1, 0x70bd28, 0x25dfdbfc, "", [{{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'veth0_to_team\x00'}}, {{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'gre0\x00'}}, {{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'ipvlan1\x00'}}]}, 0x88}, 0x1, 0x0, 0x0, 0x8001}, 0x44014) program crashed: KASAN: slab-use-after-free Read in __ethtool_get_link_ksettings extracting C reproducer testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_rdma-sendmsg$RDMA_NLDEV_CMD_NEWLINK program crashed: no output from test machine a never seen crash title: no output from test machine, ignore testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_rdma-sendmsg$RDMA_NLDEV_CMD_NEWLINK detailed listing: executing program 0: r0 = socket$nl_rdma(0x10, 0x3, 0x14) sendmsg$RDMA_NLDEV_CMD_NEWLINK(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000180)={0x88, 0x1403, 0x1, 0x70bd28, 0x25dfdbfc, "", [{{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'veth0_to_team\x00'}}, {{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'gre0\x00'}}, {{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'ipvlan1\x00'}}]}, 0x88}, 0x1, 0x0, 0x0, 0x8001}, 0x44014) program did not crash testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_rdma-sendmsg$RDMA_NLDEV_CMD_NEWLINK detailed listing: executing program 0: r0 = socket$nl_rdma(0x10, 0x3, 0x14) sendmsg$RDMA_NLDEV_CMD_NEWLINK(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000180)={0x88, 0x1403, 0x1, 0x70bd28, 0x25dfdbfc, "", [{{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'veth0_to_team\x00'}}, {{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'gre0\x00'}}, {{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'ipvlan1\x00'}}]}, 0x88}, 0x1, 0x0, 0x0, 0x8001}, 0x44014) program crashed: KASAN: slab-use-after-free Read in __ethtool_get_link_ksettings validation run: crashed=true testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_rdma-sendmsg$RDMA_NLDEV_CMD_NEWLINK detailed listing: executing program 0: r0 = socket$nl_rdma(0x10, 0x3, 0x14) sendmsg$RDMA_NLDEV_CMD_NEWLINK(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000180)={0x88, 0x1403, 0x1, 0x70bd28, 0x25dfdbfc, "", [{{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'veth0_to_team\x00'}}, {{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'gre0\x00'}}, {{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'ipvlan1\x00'}}]}, 0x88}, 0x1, 0x0, 0x0, 0x8001}, 0x44014) program crashed: KASAN: slab-use-after-free Read in __ethtool_get_link_ksettings validation run: crashed=true testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_rdma-sendmsg$RDMA_NLDEV_CMD_NEWLINK detailed listing: executing program 0: r0 = socket$nl_rdma(0x10, 0x3, 0x14) sendmsg$RDMA_NLDEV_CMD_NEWLINK(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000180)={0x88, 0x1403, 0x1, 0x70bd28, 0x25dfdbfc, "", [{{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'veth0_to_team\x00'}}, {{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'gre0\x00'}}, {{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'ipvlan1\x00'}}]}, 0x88}, 0x1, 0x0, 0x0, 0x8001}, 0x44014) program crashed: KASAN: slab-use-after-free Read in __ethtool_get_link_ksettings validation run: crashed=true reproducing took 1h37m27.957466298s repro crashed as (corrupted=false): ================================================================== BUG: KASAN: slab-use-after-free in __ethtool_get_link_ksettings+0x6e/0x190 net/ethtool/ioctl.c:443 Read of size 8 at addr ffff88802e7a02e8 by task kworker/0:1/10 CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.16.0-rc7-syzkaller-00100-gafd8c2c9e2e2 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 Workqueue: events smc_ib_port_event_work Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x230 mm/kasan/report.c:480 kasan_report+0x118/0x150 mm/kasan/report.c:593 __ethtool_get_link_ksettings+0x6e/0x190 net/ethtool/ioctl.c:443 ib_get_eth_speed+0x15e/0x7b0 drivers/infiniband/core/verbs.c:1996 rxe_query_port+0x93/0x3b0 drivers/infiniband/sw/rxe/rxe_verbs.c:62 __ib_query_port drivers/infiniband/core/device.c:2111 [inline] ib_query_port+0x170/0x830 drivers/infiniband/core/device.c:2143 smc_ib_remember_port_attr net/smc/smc_ib.c:364 [inline] smc_ib_port_event_work+0x15a/0x940 net/smc/smc_ib.c:388 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Allocated by task 5971: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4328 [inline] __kvmalloc_node_noprof+0x30d/0x5f0 mm/slub.c:5015 alloc_netdev_mqs+0xa6/0x11e0 net/core/dev.c:11711 rtnl_create_link+0x31f/0xd10 net/core/rtnetlink.c:3631 rtnl_newlink_create+0x25c/0xb00 net/core/rtnetlink.c:3813 __rtnl_newlink net/core/rtnetlink.c:3940 [inline] rtnl_newlink+0x16d6/0x1c70 net/core/rtnetlink.c:4055 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6944 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x759/0x8e0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:727 __sys_sendto+0x3bd/0x520 net/socket.c:2180 __do_sys_sendto net/socket.c:2187 [inline] __se_sys_sendto net/socket.c:2183 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2183 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 1335: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2381 [inline] slab_free mm/slub.c:4643 [inline] kfree+0x18e/0x440 mm/slub.c:4842 device_release+0x9c/0x1c0 drivers/base/core.c:-1 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x22b/0x480 lib/kobject.c:737 netdev_run_todo+0xd2e/0xea0 net/core/dev.c:11412 default_device_exit_batch+0x81e/0x890 net/core/dev.c:12645 ops_exit_list net/core/net_namespace.c:206 [inline] ops_undo_list+0x525/0x990 net/core/net_namespace.c:253 cleanup_net+0x4c5/0x800 net/core/net_namespace.c:686 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 The buggy address belongs to the object at ffff88802e7a0000 which belongs to the cache kmalloc-cg-4k of size 4096 The buggy address is located 744 bytes inside of freed 4096-byte region [ffff88802e7a0000, ffff88802e7a1000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2e7a0 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff88806904f0c1 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801a44b500 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000040004 00000000f5000000 ffff88806904f0c1 head: 00fff00000000040 ffff88801a44b500 dead000000000122 0000000000000000 head: 0000000000000000 0000000000040004 00000000f5000000 ffff88806904f0c1 head: 00fff00000000003 ffffea0000b9e801 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd60c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5971, tgid 5971 (syz-executor), ts 119566126057, free_ts 118367885244 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704 prep_new_page mm/page_alloc.c:1712 [inline] get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419 alloc_slab_page mm/slub.c:2451 [inline] allocate_slab+0x8a/0x3b0 mm/slub.c:2619 new_slab mm/slub.c:2673 [inline] ___slab_alloc+0xbfc/0x1480 mm/slub.c:3859 __slab_alloc mm/slub.c:3949 [inline] __slab_alloc_node mm/slub.c:4024 [inline] slab_alloc_node mm/slub.c:4185 [inline] __do_kmalloc_node mm/slub.c:4327 [inline] __kvmalloc_node_noprof+0x429/0x5f0 mm/slub.c:5015 alloc_netdev_mqs+0xa6/0x11e0 net/core/dev.c:11711 rtnl_create_link+0x31f/0xd10 net/core/rtnetlink.c:3631 rtnl_newlink_create+0x25c/0xb00 net/core/rtnetlink.c:3813 __rtnl_newlink net/core/rtnetlink.c:3940 [inline] rtnl_newlink+0x16d6/0x1c70 net/core/rtnetlink.c:4055 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6944 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x759/0x8e0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:727 page last free pid 1327 tgid 1327 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1248 [inline] __free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706 __slab_free+0x326/0x400 mm/slub.c:4554 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4148 [inline] slab_alloc_node mm/slub.c:4197 [inline] kmem_cache_alloc_node_noprof+0x1bb/0x3c0 mm/slub.c:4249 __alloc_skb+0x112/0x2d0 net/core/skbuff.c:660 alloc_skb include/linux/skbuff.h:1336 [inline] nlmsg_new include/net/netlink.h:1041 [inline] mpls_netconf_notify_devconf+0x46/0x100 net/mpls/af_mpls.c:1189 mpls_dev_notify+0x533/0x7a0 net/mpls/af_mpls.c:1641 notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2268 [inline] call_netdevice_notifiers net/core/dev.c:2282 [inline] unregister_netdevice_many_notify+0x15d8/0x2320 net/core/dev.c:12077 ops_exit_rtnl_list net/core/net_namespace.c:188 [inline] ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:249 cleanup_net+0x4c5/0x800 net/core/net_namespace.c:686 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 Memory state around the buggy address: ffff88802e7a0180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802e7a0200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88802e7a0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88802e7a0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802e7a0380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== final repro crashed as (corrupted=false): ================================================================== BUG: KASAN: slab-use-after-free in __ethtool_get_link_ksettings+0x6e/0x190 net/ethtool/ioctl.c:443 Read of size 8 at addr ffff88802e7a02e8 by task kworker/0:1/10 CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.16.0-rc7-syzkaller-00100-gafd8c2c9e2e2 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 Workqueue: events smc_ib_port_event_work Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x230 mm/kasan/report.c:480 kasan_report+0x118/0x150 mm/kasan/report.c:593 __ethtool_get_link_ksettings+0x6e/0x190 net/ethtool/ioctl.c:443 ib_get_eth_speed+0x15e/0x7b0 drivers/infiniband/core/verbs.c:1996 rxe_query_port+0x93/0x3b0 drivers/infiniband/sw/rxe/rxe_verbs.c:62 __ib_query_port drivers/infiniband/core/device.c:2111 [inline] ib_query_port+0x170/0x830 drivers/infiniband/core/device.c:2143 smc_ib_remember_port_attr net/smc/smc_ib.c:364 [inline] smc_ib_port_event_work+0x15a/0x940 net/smc/smc_ib.c:388 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Allocated by task 5971: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4328 [inline] __kvmalloc_node_noprof+0x30d/0x5f0 mm/slub.c:5015 alloc_netdev_mqs+0xa6/0x11e0 net/core/dev.c:11711 rtnl_create_link+0x31f/0xd10 net/core/rtnetlink.c:3631 rtnl_newlink_create+0x25c/0xb00 net/core/rtnetlink.c:3813 __rtnl_newlink net/core/rtnetlink.c:3940 [inline] rtnl_newlink+0x16d6/0x1c70 net/core/rtnetlink.c:4055 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6944 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x759/0x8e0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:727 __sys_sendto+0x3bd/0x520 net/socket.c:2180 __do_sys_sendto net/socket.c:2187 [inline] __se_sys_sendto net/socket.c:2183 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2183 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 1335: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2381 [inline] slab_free mm/slub.c:4643 [inline] kfree+0x18e/0x440 mm/slub.c:4842 device_release+0x9c/0x1c0 drivers/base/core.c:-1 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x22b/0x480 lib/kobject.c:737 netdev_run_todo+0xd2e/0xea0 net/core/dev.c:11412 default_device_exit_batch+0x81e/0x890 net/core/dev.c:12645 ops_exit_list net/core/net_namespace.c:206 [inline] ops_undo_list+0x525/0x990 net/core/net_namespace.c:253 cleanup_net+0x4c5/0x800 net/core/net_namespace.c:686 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 The buggy address belongs to the object at ffff88802e7a0000 which belongs to the cache kmalloc-cg-4k of size 4096 The buggy address is located 744 bytes inside of freed 4096-byte region [ffff88802e7a0000, ffff88802e7a1000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2e7a0 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff88806904f0c1 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801a44b500 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000040004 00000000f5000000 ffff88806904f0c1 head: 00fff00000000040 ffff88801a44b500 dead000000000122 0000000000000000 head: 0000000000000000 0000000000040004 00000000f5000000 ffff88806904f0c1 head: 00fff00000000003 ffffea0000b9e801 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd60c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5971, tgid 5971 (syz-executor), ts 119566126057, free_ts 118367885244 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704 prep_new_page mm/page_alloc.c:1712 [inline] get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419 alloc_slab_page mm/slub.c:2451 [inline] allocate_slab+0x8a/0x3b0 mm/slub.c:2619 new_slab mm/slub.c:2673 [inline] ___slab_alloc+0xbfc/0x1480 mm/slub.c:3859 __slab_alloc mm/slub.c:3949 [inline] __slab_alloc_node mm/slub.c:4024 [inline] slab_alloc_node mm/slub.c:4185 [inline] __do_kmalloc_node mm/slub.c:4327 [inline] __kvmalloc_node_noprof+0x429/0x5f0 mm/slub.c:5015 alloc_netdev_mqs+0xa6/0x11e0 net/core/dev.c:11711 rtnl_create_link+0x31f/0xd10 net/core/rtnetlink.c:3631 rtnl_newlink_create+0x25c/0xb00 net/core/rtnetlink.c:3813 __rtnl_newlink net/core/rtnetlink.c:3940 [inline] rtnl_newlink+0x16d6/0x1c70 net/core/rtnetlink.c:4055 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6944 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x759/0x8e0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:727 page last free pid 1327 tgid 1327 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1248 [inline] __free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706 __slab_free+0x326/0x400 mm/slub.c:4554 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4148 [inline] slab_alloc_node mm/slub.c:4197 [inline] kmem_cache_alloc_node_noprof+0x1bb/0x3c0 mm/slub.c:4249 __alloc_skb+0x112/0x2d0 net/core/skbuff.c:660 alloc_skb include/linux/skbuff.h:1336 [inline] nlmsg_new include/net/netlink.h:1041 [inline] mpls_netconf_notify_devconf+0x46/0x100 net/mpls/af_mpls.c:1189 mpls_dev_notify+0x533/0x7a0 net/mpls/af_mpls.c:1641 notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2268 [inline] call_netdevice_notifiers net/core/dev.c:2282 [inline] unregister_netdevice_many_notify+0x15d8/0x2320 net/core/dev.c:12077 ops_exit_rtnl_list net/core/net_namespace.c:188 [inline] ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:249 cleanup_net+0x4c5/0x800 net/core/net_namespace.c:686 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 Memory state around the buggy address: ffff88802e7a0180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802e7a0200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88802e7a0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88802e7a0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802e7a0380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================