last executing test programs:

2.39064119s ago: executing program 0 (id=276):
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_REPAIR(r0, 0x6, 0x13, &(0x7f0000000100)=0x1, 0x4)
connect$inet6(r0, &(0x7f00000001c0)={0xa, 0x4000, 0x0, @empty}, 0x1c)
setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, &(0x7f0000000240)='tunl0\x00', 0x10)
setsockopt$inet6_tcp_TCP_REPAIR(r0, 0x6, 0x13, &(0x7f0000000000), 0x4)

2.26040388s ago: executing program 0 (id=279):
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x2}})
write$tun(r0, &(0x7f00000005c0)=ANY=[@ANYBLOB="020086dd0300000000001400000060ec9700123011"], 0xfdef)

2.181774408s ago: executing program 2 (id=281):
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_int(r0, 0x29, 0x2, &(0x7f0000000040)=0x7, 0x5f)
setsockopt$inet6_int(r0, 0x29, 0x8, &(0x7f0000000000)=0x7, 0x4)
getsockopt$inet6_buf(r0, 0x29, 0x6, &(0x7f0000000100)=""/92, &(0x7f00000001c0)=0x24)

2.085987894s ago: executing program 2 (id=282):
syz_emit_ethernet(0x3e, &(0x7f0000000080)={@link_local={0x3, 0x80, 0xc2, 0x18}, @empty, @void, {@ipv4={0x800, @icmp={{0x5, 0x4, 0x0, 0x0, 0x30, 0x67, 0x0, 0x0, 0x1, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}, @local}, @dest_unreach={0x3, 0xd4aa6c3a0ba5a270, 0x0, 0x0, 0x9, 0x7, {0x5, 0x4, 0x0, 0x30, 0xc07, 0x64, 0x5, 0xea, 0x32, 0x0, @broadcast, @loopback}}}}}}, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f00000000c0)={'geneve0\x00', <r0=>0x0})
r1 = bpf$BPF_BTF_GET_FD_BY_ID(0x13, &(0x7f0000000100), 0x4)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$tipc2(&(0x7f00000000c0), 0xffffffffffffffff)
sendmsg$TIPC_NL_NAME_TABLE_GET(r2, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000240)={0x14, r3, 0x2ac6d477bcf2db69, 0x70bd2a, 0x25dfdbfc}, 0x14}, 0x1, 0x0, 0x0, 0x801}, 0x4004880)
bpf$BPF_MAP_CONST_STR_FREEZE(0x16, &(0x7f0000000600)={0x1, <r4=>0xffffffffffffffff}, 0x4)
r5 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000340)={0x18, 0x3, &(0x7f0000000d00)=ANY=[@ANYBLOB="1800"/16], &(0x7f0000000000)='GPL\x00'}, 0x94)
r6 = bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f00000001c0)='task_newtask\x00', r5}, 0x10)
r7 = bpf$ITER_CREATE(0xb, &(0x7f0000000100)={r6}, 0x8)
openat$ppp(0xffffffffffffff9c, &(0x7f0000000780), 0x400, 0x0)
close(r7)
r8 = bpf$MAP_CREATE(0x0, &(0x7f0000000100)=ANY=[@ANYBLOB="09000000070000000080000001"], 0x48)
r9 = bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000900)={0x3, 0x4, 0x4, 0xa, 0x0, r4, 0xf18, '\x00', r0, r7, 0x2, 0x2, 0x4}, 0x50)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x11, 0x12, &(0x7f0000000080)=ANY=[@ANYBLOB="180200"/14, @ANYRES32, @ANYBLOB="0000000000000000660000000000000018000000005000000000000000000000950004e00000000018010000202070250000000000202020db1af8ff01000000bfa100000000000007010000f8ffffffb702000008000000b502000000000000850000000600000095"], &(0x7f0000000000)='GPL\x00', 0x2, 0x0, 0x0, 0x0, 0x6c}, 0x94)
bpf$PROG_LOAD_XDP(0x5, &(0x7f00000009c0)={0x6, 0x11, &(0x7f00000007c0)=@framed={{0x18, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0xffff}, [@func={0x85, 0x0, 0x1, 0x0, 0x5}, @map_val={0x18, 0x2, 0x2, 0x0, r4, 0x0, 0x0, 0x0, 0xec}, @cb_func={0x18, 0x3, 0x4, 0x0, 0x5}, @exit, @printk={@s, {}, {}, {}, {}, {0x7, 0x0, 0xb, 0x3, 0x0, 0x0, 0x5}}]}, &(0x7f0000000880)='GPL\x00', 0x519d, 0x1000, &(0x7f0000001b40)=""/4096, 0x41100, 0x18, '\x00', 0x0, 0x25, r7, 0x8, 0x0, 0x0, 0x10, &(0x7f00000008c0)={0x1, 0xe, 0x7, 0x8}, 0x10, 0x0, 0x0, 0x0, &(0x7f0000000980)=[r9, r7], 0x0, 0x10, 0x4}, 0x94)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f00000001c0)={{r8, <r10=>0xffffffffffffffff}, &(0x7f00000002c0), &(0x7f0000000280)}, 0x20)
bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f00000006c0)=@bpf_tracing={0x1a, 0x6, &(0x7f0000000000)=@framed={{0x18, 0x0, 0x0, 0x0, 0x4f, 0x0, 0x0, 0x0, 0x80}, [@map_idx_val={0x18, 0x2, 0x6, 0x0, 0xe, 0x0, 0x0, 0x0, 0x5}, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffff9}]}, &(0x7f0000000040)='GPL\x00', 0xfffffff8, 0x0, 0x0, 0x41000, 0x20, '\x00', r0, 0x1a, r1, 0x8, &(0x7f0000000180)={0x8, 0x1}, 0x8, 0x10, &(0x7f00000001c0)={0x2, 0x8, 0x7, 0x1}, 0x10, 0x221ed, 0xffffffffffffffff, 0x1, &(0x7f0000000640)=[r4, r7, r10], &(0x7f0000000680)=[{0xfffffff9, 0x2, 0xa, 0xa}], 0x10, 0x8}, 0x94)
r11 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r11, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000001ac0)={&(0x7f0000001b00)={0x18, 0x2d, 0x1, 0x70bd26, 0x25dfdbfc, {0x4}, [@nested={0x4, 0xd}]}, 0x18}, 0x1, 0x0, 0x0, 0x4000d}, 0x20000000)

1.000086687s ago: executing program 2 (id=283):
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
close(r0)
r1 = socket$inet6_sctp(0xa, 0x1, 0x84)
sendmmsg$inet6(r1, &(0x7f0000000200)=[{{&(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback={0xfec0ffff00000000}}, 0x1c, &(0x7f0000000580)=[{&(0x7f0000000180)='i', 0x20086}], 0x1}}], 0x1, 0x0)
sendto$inet6(r0, &(0x7f0000847fff)='X', 0x34000, 0x600, &(0x7f000005ffe4)={0xa, 0x4e23, 0x0, @loopback}, 0x1c)
setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0x9, &(0x7f0000000a00)={0x0, @in6={{0xa, 0x4e23, 0x0, @loopback}}, 0x100, 0x0, 0x0, 0x0, 0x54}, 0x9c)

999.324854ms ago: executing program 0 (id=285):
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f00000005c0)=@newtfilter={0x34, 0x11, 0x1, 0x691522eb, 0x0, {0x0, 0x0, 0x74, 0x0, {0x10, 0x4}, {}, {0x5, 0x5}}, [@filter_kind_options=@f_cgroup={{0xb}, {0x4}}]}, 0x34}, 0x1, 0xf0ffffffffffff}, 0x0)

940.800289ms ago: executing program 0 (id=288):
r0 = socket(0x10, 0x3, 0x6)
sendmsg$nl_route_sched(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000004640)={&(0x7f0000000840)=@newqdisc={0x24, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {}, {0xffff, 0xffff}, {0x1, 0x9}}}, 0x24}, 0x1, 0x0, 0x0, 0x200040c4}, 0x0)

860.904897ms ago: executing program 0 (id=290):
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000380)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000100)=@newlink={0x44, 0x10, 0x437, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x24, 0x12, 0x0, 0x1, @ipip6={{0xb}, {0x14, 0x2, 0x0, 0x1, [@IFLA_IPTUN_ENCAP_DPORT={0x6}, @IFLA_IPTUN_ENCAP_TYPE={0x6, 0xf, 0x11}]}}}]}, 0x44}}, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="3c0000001000030500"/20, @ANYRES32=0x0, @ANYBLOB="000000000000000014001280090001007663616e000000000400028008000a"], 0x3c}}, 0x0)
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000100)=ANY=[@ANYBLOB="500000001000010425bbe5ad600027842cf52300", @ANYRES32=0x0, @ANYBLOB="0000000000008000280012800a00010076786c616e00000018"], 0x50}}, 0x4000000)

789.780608ms ago: executing program 0 (id=292):
socket$netlink(0x10, 0x3, 0x9)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r0 = openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x26e1, 0x0)
close(r0)
bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000400)=@bpf_lsm={0x6, 0x5, &(0x7f0000000000)=@framed={{}, [@ldst={0x1, 0x0, 0x3, 0x0, 0x1}, @ldst={0x2, 0x0, 0x3, 0x0, 0x0, 0x2}]}, 0x0, 0x5, 0x0, 0x0, 0x0, 0x5}, 0x94)
ioctl$SIOCSIFHWADDR(r0, 0x8b19, &(0x7f0000000000)={'wlan0\x00', @random="7cf1e97c9e4f"})
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
r3 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r3, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x6, @null, @bpq0, 0x0, [@bcast, @bcast, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
connect$rose(r4, &(0x7f0000000040)=@short={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @default}, 0x1c)
connect$rose(r4, &(0x7f0000000100)=@full={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, 0x0, [@null, @null, @null, @default, @bcast, @default]}, 0x40)

789.660315ms ago: executing program 1 (id=293):
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000002c40)={&(0x7f0000000040)={{0xeb9f, 0x1, 0x0, 0x18, 0x2, 0xc, 0x0, 0x2, [@enum={0x0, 0x0, 0x0, 0x6, 0x4, [{}, {}, {}, {}]}]}}, &(0x7f0000002b80)=""/176, 0x26, 0xb0, 0x1}, 0x20)

720.180346ms ago: executing program 1 (id=294):
bpf$PROG_LOAD(0x5, 0x0, 0x0)
socket$inet6_tcp(0xa, 0x1, 0x0)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f0000000240)=ANY=[@ANYBLOB="6d616e676c6500000000000000000000000000000000800000000000000000000200000000000000000000000020000000000000000000000000000000000000000000d8ac9159fd7248ee3622b161ac67de126ec06a89d86c6adc"], 0x48)

619.865446ms ago: executing program 1 (id=295):
r0 = socket$netlink(0x10, 0x3, 0x8000000004)
writev(r0, &(0x7f0000000140)=[{&(0x7f0000000080)="580000001400192340834b80040d8c560a067f0200ff000000000000000058000b4824ca945f64009400ff0325010ebc000000000000008000f0fffeffe809005300fff5dd000000100001000a0c100000000000000fff00", 0x58}], 0x1)

531.357039ms ago: executing program 1 (id=296):
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
bind$ax25(r2, &(0x7f0000000100)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @null]}, 0x48)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0x10)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
r4 = syz_init_net_socket$ax25(0x3, 0x2, 0xcc)
setsockopt$ax25_SO_BINDTODEVICE(r4, 0x101, 0x19, &(0x7f00000001c0)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x1, 'syz1\x00', @default, 0x1, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @default, @default]})
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r0, 0x8914, &(0x7f0000000000))

519.882316ms ago: executing program 1 (id=297):
r0 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000080)={0x1b, 0x0, 0x0, 0x8000}, 0x50)
bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0xd, 0x18, &(0x7f0000000440)=@ringbuf={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6}, {{0x18, 0x1, 0x1, 0x0, r0}}, {{0x5, 0x0, 0x5, 0x9, 0x0, 0x1, 0x20}}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r0}, {}, {}, {}, {}, {}, {0x7, 0x0, 0xb, 0x4, 0x0, 0x0, 0x1}}], {{}, {}, {0x85, 0x0, 0x0, 0x84}}}, &(0x7f0000000000)='syzkaller\x00', 0x6, 0x106, &(0x7f0000000280)=""/262, 0x41000, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x800}, 0x94)

440.708123ms ago: executing program 1 (id=298):
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f00000000c0)={0xfffc, 0xc}, 0x8)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x1c, &(0x7f00000001c0)=[@in6={0xa, 0x0, 0x0, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', 0xfffffffb}]}, &(0x7f0000000140)=0x10)
getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r0, 0x84, 0x6, 0x0, &(0x7f0000000300))

121.780414ms ago: executing program 2 (id=299):
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x20000000ec071, 0xffffffffffffffff, 0xffffd000)
mmap$xdp(&(0x7f0000791000/0x4000)=nil, 0x4000, 0x0, 0x4188031, 0xffffffffffffffff, 0x0)

59.92034ms ago: executing program 2 (id=300):
r0 = socket(0x11, 0x3, 0x0)
ioctl$sock_inet_SIOCGIFADDR(r0, 0x8915, &(0x7f00000000c0)={'team0\x00', {0x2, 0x0, @private}})

0s ago: executing program 2 (id=301):
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000140)={0x3, 0xc, &(0x7f0000000540)=ANY=[@ANYBLOB="18020000070000000000000000000000850000009b0000001801000020756c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000006000000850000007b00000095"], &(0x7f0000000040)='GPL\x00', 0xb, 0x0, 0x0, 0x41000}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000400)={r0, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000003c0)="b9ff030768442650e04e7a8c09a5", 0x0, 0x0, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x50)

kernel console output (not intermixed with test programs):

Warning: Permanently added '[localhost]:25738' (ED25519) to the list of known hosts.
syzkaller login: [   49.416273][ T5760] cgroup: Unknown subsys name 'net'
[   49.492661][ T5760] cgroup: Unknown subsys name 'cpuset'
[   49.500165][ T5760] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   51.432065][ T5760] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   57.162731][ T5837] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   57.166532][ T5837] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   57.170244][ T5837] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   57.174032][ T5837] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   57.177515][ T5837] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   57.181557][   T54] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   57.186475][ T5837] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   57.190620][ T5221] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   57.196550][ T5221] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   57.202075][ T5221] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   57.205514][ T5837] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   57.210958][ T5837] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   57.211814][ T5838] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   57.217774][ T5838] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   57.220539][ T5838] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   57.582438][ T5831] chnl_net:caif_netlink_parms(): no params data found
[   57.594068][ T5840] chnl_net:caif_netlink_parms(): no params data found
[   57.650604][ T5830] chnl_net:caif_netlink_parms(): no params data found
[   57.722739][ T5831] bridge0: port 1(bridge_slave_0) entered blocking state
[   57.725803][ T5831] bridge0: port 1(bridge_slave_0) entered disabled state
[   57.729007][ T5831] bridge_slave_0: entered allmulticast mode
[   57.732589][ T5831] bridge_slave_0: entered promiscuous mode
[   57.742270][ T5831] bridge0: port 2(bridge_slave_1) entered blocking state
[   57.744602][ T5831] bridge0: port 2(bridge_slave_1) entered disabled state
[   57.746866][ T5831] bridge_slave_1: entered allmulticast mode
[   57.750266][ T5831] bridge_slave_1: entered promiscuous mode
[   57.795595][ T5840] bridge0: port 1(bridge_slave_0) entered blocking state
[   57.798832][ T5840] bridge0: port 1(bridge_slave_0) entered disabled state
[   57.801665][ T5840] bridge_slave_0: entered allmulticast mode
[   57.805169][ T5840] bridge_slave_0: entered promiscuous mode
[   57.823400][ T5831] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   57.828736][ T5831] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   57.839687][ T5840] bridge0: port 2(bridge_slave_1) entered blocking state
[   57.842494][ T5840] bridge0: port 2(bridge_slave_1) entered disabled state
[   57.845286][ T5840] bridge_slave_1: entered allmulticast mode
[   57.849683][ T5840] bridge_slave_1: entered promiscuous mode
[   57.895777][ T5831] team0: Port device team_slave_0 added
[   57.901170][ T5831] team0: Port device team_slave_1 added
[   57.914067][ T5830] bridge0: port 1(bridge_slave_0) entered blocking state
[   57.916876][ T5830] bridge0: port 1(bridge_slave_0) entered disabled state
[   57.920612][ T5830] bridge_slave_0: entered allmulticast mode
[   57.924029][ T5830] bridge_slave_0: entered promiscuous mode
[   57.948758][ T5830] bridge0: port 2(bridge_slave_1) entered blocking state
[   57.951074][ T5830] bridge0: port 2(bridge_slave_1) entered disabled state
[   57.953832][ T5830] bridge_slave_1: entered allmulticast mode
[   57.956719][ T5830] bridge_slave_1: entered promiscuous mode
[   57.972409][ T5840] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   57.976431][ T5831] batman_adv: batadv0: Adding interface: batadv_slave_0
[   57.981579][ T5831] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   57.991795][ T5831] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   58.010963][ T5830] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   58.016677][ T5830] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   58.022604][ T5840] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   58.036296][ T5831] batman_adv: batadv0: Adding interface: batadv_slave_1
[   58.041110][ T5831] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   58.051904][ T5831] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   58.108743][ T5830] team0: Port device team_slave_0 added
[   58.115292][ T5840] team0: Port device team_slave_0 added
[   58.120636][ T5840] team0: Port device team_slave_1 added
[   58.125805][ T5830] team0: Port device team_slave_1 added
[   58.194070][ T5830] batman_adv: batadv0: Adding interface: batadv_slave_0
[   58.196811][ T5830] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   58.207343][ T5830] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   58.213348][ T5830] batman_adv: batadv0: Adding interface: batadv_slave_1
[   58.216023][ T5830] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   58.226746][ T5830] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   58.244693][ T5840] batman_adv: batadv0: Adding interface: batadv_slave_0
[   58.247747][ T5840] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   58.257957][ T5840] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   58.278429][ T5831] hsr_slave_0: entered promiscuous mode
[   58.281745][ T5831] hsr_slave_1: entered promiscuous mode
[   58.285918][ T5840] batman_adv: batadv0: Adding interface: batadv_slave_1
[   58.289736][ T5840] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   58.300309][ T5840] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   58.348423][ T5830] hsr_slave_0: entered promiscuous mode
[   58.351562][ T5830] hsr_slave_1: entered promiscuous mode
[   58.354456][ T5830] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[   58.357868][ T5830] Cannot create hsr debugfs directory
[   58.445199][ T5840] hsr_slave_0: entered promiscuous mode
[   58.450821][ T5840] hsr_slave_1: entered promiscuous mode
[   58.453719][ T5840] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[   58.456769][ T5840] Cannot create hsr debugfs directory
[   58.788291][ T5831] netdevsim netdevsim0 netdevsim0: renamed from eth0
[   58.799846][ T5831] netdevsim netdevsim0 netdevsim1: renamed from eth1
[   58.806947][ T5831] netdevsim netdevsim0 netdevsim2: renamed from eth2
[   58.826412][ T5831] netdevsim netdevsim0 netdevsim3: renamed from eth3
[   58.874536][ T5830] netdevsim netdevsim2 netdevsim0: renamed from eth0
[   58.893984][ T5830] netdevsim netdevsim2 netdevsim1: renamed from eth1
[   58.900777][ T5830] netdevsim netdevsim2 netdevsim2: renamed from eth2
[   58.915235][ T5830] netdevsim netdevsim2 netdevsim3: renamed from eth3
[   58.950197][ T5840] netdevsim netdevsim1 netdevsim0: renamed from eth0
[   58.970041][ T5840] netdevsim netdevsim1 netdevsim1: renamed from eth1
[   58.978367][ T5840] netdevsim netdevsim1 netdevsim2: renamed from eth2
[   58.984227][ T5840] netdevsim netdevsim1 netdevsim3: renamed from eth3
[   59.077804][ T5831] 8021q: adding VLAN 0 to HW filter on device bond0
[   59.115275][ T5831] 8021q: adding VLAN 0 to HW filter on device team0
[   59.135619][   T32] bridge0: port 1(bridge_slave_0) entered blocking state
[   59.138603][   T32] bridge0: port 1(bridge_slave_0) entered forwarding state
[   59.146599][   T32] bridge0: port 2(bridge_slave_1) entered blocking state
[   59.149482][   T32] bridge0: port 2(bridge_slave_1) entered forwarding state
[   59.206430][ T5830] 8021q: adding VLAN 0 to HW filter on device bond0
[   59.230072][ T5840] 8021q: adding VLAN 0 to HW filter on device bond0
[   59.230504][ T5838] Bluetooth: hci0: command tx timeout
[   59.232784][   T54] Bluetooth: hci1: command tx timeout
[   59.260986][ T5830] 8021q: adding VLAN 0 to HW filter on device team0
[   59.276171][   T27] bridge0: port 1(bridge_slave_0) entered blocking state
[   59.279294][   T27] bridge0: port 1(bridge_slave_0) entered forwarding state
[   59.294488][ T5840] 8021q: adding VLAN 0 to HW filter on device team0
[   59.305264][   T27] bridge0: port 2(bridge_slave_1) entered blocking state
[   59.308488][   T27] bridge0: port 2(bridge_slave_1) entered forwarding state
[   59.312912][   T54] Bluetooth: hci2: command tx timeout
[   59.335055][   T27] bridge0: port 1(bridge_slave_0) entered blocking state
[   59.337494][   T27] bridge0: port 1(bridge_slave_0) entered forwarding state
[   59.362539][   T27] bridge0: port 2(bridge_slave_1) entered blocking state
[   59.365508][   T27] bridge0: port 2(bridge_slave_1) entered forwarding state
[   59.400165][ T5830] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   59.424759][ T5840] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[   59.431109][ T5840] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   59.471885][ T5831] 8021q: adding VLAN 0 to HW filter on device batadv0
[   59.519594][ T5831] veth0_vlan: entered promiscuous mode
[   59.539295][ T5831] veth1_vlan: entered promiscuous mode
[   59.594280][ T5831] veth0_macvtap: entered promiscuous mode
[   59.599904][ T5831] veth1_macvtap: entered promiscuous mode
[   59.613973][ T5831] batman_adv: batadv0: Interface activated: batadv_slave_0
[   59.638381][ T5831] batman_adv: batadv0: Interface activated: batadv_slave_1
[   59.646153][ T5831] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   59.650637][ T5831] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   59.653555][ T5831] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   59.656392][ T5831] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   59.712456][ T5840] 8021q: adding VLAN 0 to HW filter on device batadv0
[   59.718865][ T5830] 8021q: adding VLAN 0 to HW filter on device batadv0
[   59.740173][ T5840] veth0_vlan: entered promiscuous mode
[   59.778838][ T5840] veth1_vlan: entered promiscuous mode
[   59.815726][   T32] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   59.820728][   T32] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   59.834617][ T5840] veth0_macvtap: entered promiscuous mode
[   59.846941][ T5840] veth1_macvtap: entered promiscuous mode
[   59.882736][   T32] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   59.883005][ T5830] veth0_vlan: entered promiscuous mode
[   59.885790][   T32] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   59.898696][ T5840] batman_adv: batadv0: Interface activated: batadv_slave_0
[   59.918906][ T5830] veth1_vlan: entered promiscuous mode
[   59.922890][ T5840] batman_adv: batadv0: Interface activated: batadv_slave_1
[   59.940935][ T5840] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   59.943756][ T5840] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   59.949352][ T5840] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   59.952121][ T5840] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   59.963697][ T5831] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[   59.973482][ T5830] veth0_macvtap: entered promiscuous mode
[   59.983541][ T5830] veth1_macvtap: entered promiscuous mode
[   60.000948][ T5830] batman_adv: batadv0: Interface activated: batadv_slave_0
[   60.013166][ T5830] batman_adv: batadv0: Interface activated: batadv_slave_1
[   60.049714][ T5830] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   60.052406][ T5830] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   60.064845][ T5830] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   60.069745][ T5830] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   60.163394][   T27] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   60.165849][   T27] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   60.239193][ T3048] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   60.246049][ T3048] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   60.256113][ T5903] netlink: 4 bytes leftover after parsing attributes in process `syz.0.5'.
[   60.304061][ T3048] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   60.314986][ T3048] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   60.390154][ T3048] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   60.396240][ T3048] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   60.870896][ T5925] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[   60.942846][ T5905] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[   61.093104][ T5909] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[   61.097293][ T5942] netlink: 4 bytes leftover after parsing attributes in process `syz.1.17'.
[   61.185717][ T5946] Bluetooth: MGMT ver 1.23
[   61.308484][ T5838] Bluetooth: hci0: command tx timeout
[   61.310656][ T5838] Bluetooth: hci1: command tx timeout
[   61.388224][ T5838] Bluetooth: hci2: command tx timeout
[   61.760809][ T5909] syz.0.6 (5909) used greatest stack depth: 19112 bytes left
[   62.265305][ T5993] netlink: 'syz.1.38': attribute type 3 has an invalid length.
[   62.774292][ T6022] netlink: 28 bytes leftover after parsing attributes in process `syz.1.54'.
[   62.781391][ T6022] netlink: 32 bytes leftover after parsing attributes in process `syz.1.54'.
[   62.789385][ T6022] netlink: 28 bytes leftover after parsing attributes in process `syz.1.54'.
[   62.793456][ T6022] netlink: 32 bytes leftover after parsing attributes in process `syz.1.54'.
[   63.003385][ T6034] syz.2.58 uses obsolete (PF_INET,SOCK_PACKET)
[   63.176318][ T6047] A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
[   63.227893][   T54] Bluetooth: hci2: Opcode 0x0401 failed: -110
[   63.387493][   T54] Bluetooth: hci1: command tx timeout
[   63.389638][   T54] Bluetooth: hci0: command tx timeout
[   63.477602][ T5838] Bluetooth: hci2: command 0x040f tx timeout
[   63.521147][ T6068] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[   63.530712][ T6068] xt_hashlimit: overflow, try lower: 72057594037927936/255
[   63.538171][ T6070] xt_TCPMSS: path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks
[   63.874220][ T6091] openvswitch: netlink: VXLAN extension message has 4 unknown bytes.
[   64.062906][ T6103] netlink: 34 bytes leftover after parsing attributes in process `syz.1.90'.
[   64.883972][ T6153] netlink: 'syz.1.110': attribute type 13 has an invalid length.
[   64.891131][ T6153] netlink: 'syz.1.110': attribute type 17 has an invalid length.
[   64.951689][   T10] IPVS: starting estimator thread 0...
[   65.003737][ T6149] netlink: 40 bytes leftover after parsing attributes in process `syz.0.109'.
[   65.053003][ T6157] IPVS: using max 54 ests per chain, 129600 per kthread
[   65.269635][   T33] audit: type=1800 audit(1752764576.765:2): pid=6142 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed comm="syz.0.109" name="cgroup.controllers" dev="tmpfs" ino=179 res=0 errno=0
[   65.469892][ T5838] Bluetooth: hci0: command tx timeout
[   65.469943][   T54] Bluetooth: hci1: command tx timeout
[   65.547725][   T54] Bluetooth: hci2: command 0x040f tx timeout
[   65.708017][ T6153] A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check.
[   66.213510][ T6202] Zero length message leads to an empty skb
[   66.241367][ T6204] netlink: 24 bytes leftover after parsing attributes in process `syz.0.123'.
[   66.466044][ T6214] IPv6: addrconf: prefix option has invalid lifetime
[   66.468802][ T6214] IPv6: addrconf: prefix option has invalid lifetime
[   66.694391][ T6221] netlink: 'syz.0.131': attribute type 1 has an invalid length.
[   66.704984][ T6221] netlink: 204 bytes leftover after parsing attributes in process `syz.0.131'.
[   66.709733][ T6221] netlink: 'syz.0.131': attribute type 1 has an invalid length.
[   66.885579][ T6227] netlink: 8 bytes leftover after parsing attributes in process `syz.1.134'.
[   66.919460][ T6231] netlink: 'syz.0.137': attribute type 7 has an invalid length.
[   67.627294][   T54] Bluetooth: hci2: command 0x040f tx timeout
[   68.076909][ T6268] netlink: 36 bytes leftover after parsing attributes in process `syz.2.150'.
[   68.469373][ T6282] syzkaller1: entered promiscuous mode
[   68.471767][ T6282] syzkaller1: entered allmulticast mode
[   68.853431][ T6296] openvswitch: netlink: nsh attribute has 2 unknown bytes.
[   69.106124][ T6314] netlink: 'syz.2.172': attribute type 1 has an invalid length.
[   69.302517][ T6327] netlink: 404 bytes leftover after parsing attributes in process `syz.2.178'.
[   69.305948][ T6327] netlink: 88 bytes leftover after parsing attributes in process `syz.2.178'.
[   69.324401][ T6327] netlink: 88 bytes leftover after parsing attributes in process `syz.2.178'.
[   69.367573][ T6329] tipc: Started in network mode
[   69.369680][ T6329] tipc: Node identity aaaaaaaaaa32, cluster identity 4711
[   69.390057][ T6329] tipc: Enabled bearer <eth:vlan0>, priority 18
[   69.456241][ T6333] netlink: 136784 bytes leftover after parsing attributes in process `syz.0.181'.
[   69.461044][ T6333] netlink: zone id is out of range
[   69.463114][ T6333] netlink: zone id is out of range
[   69.465278][ T6333] netlink: zone id is out of range
[   69.468193][ T6333] netlink: zone id is out of range
[   69.473271][ T6333] netlink: zone id is out of range
[   69.475491][ T6333] netlink: zone id is out of range
[   69.479765][ T6333] netlink: zone id is out of range
[   69.481952][ T6333] netlink: zone id is out of range
[   69.483964][ T6333] netlink: zone id is out of range
[   70.349960][ T6355] netlink: 4 bytes leftover after parsing attributes in process `syz.0.193'.
[   70.365943][ T6357] net veth1_virt_wifi : renamed from virt_wifi0
[   70.488341][  T789] tipc: Node number set to 10005162
[   70.583586][ T6374] netlink: 4 bytes leftover after parsing attributes in process `syz.2.201'.
[   70.631038][ T6374] bridge_slave_0: left allmulticast mode
[   70.632818][ T6374] bridge_slave_0: left promiscuous mode
[   70.635775][ T6374] bridge0: port 1(bridge_slave_0) entered disabled state
[   70.645004][ T6374] bridge_slave_1: left allmulticast mode
[   70.646786][ T6374] bridge_slave_1: left promiscuous mode
[   70.678852][ T6374] bridge0: port 2(bridge_slave_1) entered disabled state
[   70.694686][ T6374] bond0: (slave bond_slave_0): Releasing backup interface
[   70.706352][ T6374] bond0: (slave bond_slave_1): Releasing backup interface
[   70.747783][ T6374] team0: Port device team_slave_0 removed
[   70.763616][ T6374] team0: Port device team_slave_1 removed
[   70.781830][ T6374] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[   70.784918][ T6374] batman_adv: batadv0: Removing interface: batadv_slave_0
[   70.791969][ T6374] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[   70.794904][ T6374] batman_adv: batadv0: Removing interface: batadv_slave_1
[   70.839378][ T6382] netlink: 'syz.0.204': attribute type 6 has an invalid length.
[   70.842516][ T6382] netlink: 'syz.0.204': attribute type 7 has an invalid length.
[   70.845699][ T6382] netlink: 'syz.0.204': attribute type 8 has an invalid length.
[   71.069433][ T6390] netlink: 'syz.0.208': attribute type 15 has an invalid length.
[   71.155023][ T1360] ieee802154 phy0 wpan0: encryption failed: -22
[   71.158409][ T1360] ieee802154 phy1 wpan1: encryption failed: -22
[   71.270690][ T6396] netlink: 4 bytes leftover after parsing attributes in process `syz.2.212'.
[   71.394499][ T6403] netlink: 4 bytes leftover after parsing attributes in process `syz.1.214'.
[   71.799673][ T6442] netlink: 'syz.0.231': attribute type 1 has an invalid length.
[   72.019205][ T6459] warning: `syz.0.240' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211
[   72.410470][ T6483] bond0: option ad_select: unable to set because the bond device is up
[   73.055440][ T6512] netlink: 'syz.0.266': attribute type 1 has an invalid length.
[   73.321661][ T6530] xt_addrtype: ipv6 PROHIBIT (THROW, NAT ..) matching not supported
[   73.484973][ T6536] syzkaller0: entered promiscuous mode
[   73.488576][ T6536] syzkaller0: entered allmulticast mode
[   74.696980][ T6554] netlink: 'syz.0.285': attribute type 5 has an invalid length.
[   74.761752][ T6561] netlink: 16 bytes leftover after parsing attributes in process `syz.0.288'.
[   74.809393][ T6566] netlink: 8 bytes leftover after parsing attributes in process `syz.0.290'.
[   74.813049][ T6566] netlink: 4 bytes leftover after parsing attributes in process `syz.0.290'.
[   75.701346][ T6570] ==================================================================
[   75.704533][ T6570] BUG: KASAN: slab-use-after-free in rose_transmit_link+0x5c3/0x740
[   75.707645][ T6570] Read of size 1 at addr ffff888038263032 by task syz.0.292/6570
[   75.711526][ T6570] 
[   75.712549][ T6570] CPU: 1 UID: 0 PID: 6570 Comm: syz.0.292 Not tainted 6.16.0-rc5-syzkaller-00159-g47c84997c686-dirty #0 PREEMPT(full) 
[   75.712569][ T6570] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[   75.712581][ T6570] Call Trace:
[   75.712589][ T6570]  <TASK>
[   75.712619][ T6570]  dump_stack_lvl+0x189/0x250
[   75.712643][ T6570]  ? __kasan_check_byte+0x12/0x40
[   75.712666][ T6570]  ? __pfx_dump_stack_lvl+0x10/0x10
[   75.712682][ T6570]  ? lock_release+0x4b/0x3e0
[   75.712699][ T6570]  ? __virt_addr_valid+0x4a5/0x5c0
[   75.712718][ T6570]  print_report+0xd2/0x2b0
[   75.712732][ T6570]  ? rose_transmit_link+0x5c3/0x740
[   75.712746][ T6570]  kasan_report+0x118/0x150
[   75.712770][ T6570]  ? kmem_cache_alloc_node_noprof+0x217/0x3c0
[   75.712824][ T6570]  ? rose_transmit_link+0x5c3/0x740
[   75.712840][ T6570]  rose_transmit_link+0x5c3/0x740
[   75.712853][ T6570]  ? skb_put+0x11b/0x210
[   75.712875][ T6570]  rose_write_internal+0x11dc/0x1ac0
[   75.712896][ T6570]  ? __pfx_rose_write_internal+0x10/0x10
[   75.712912][ T6570]  ? __timer_delete+0x5d/0x390
[   75.712934][ T6570]  rose_release+0x24e/0x520
[   75.712956][ T6570]  sock_close+0xc3/0x240
[   75.712970][ T6570]  ? __pfx_sock_close+0x10/0x10
[   75.712985][ T6570]  __fput+0x44c/0xa70
[   75.713004][ T6570]  task_work_run+0x1d4/0x260
[   75.713027][ T6570]  ? __pfx_task_work_run+0x10/0x10
[   75.713047][ T6570]  ? task_work_add+0x377/0x420
[   75.713068][ T6570]  ? __pfx_task_work_add+0x10/0x10
[   75.713088][ T6570]  get_signal+0x11ed/0x1340
[   75.713111][ T6570]  arch_do_signal_or_restart+0x9a/0x750
[   75.713136][ T6570]  ? __pfx___sys_connect+0x10/0x10
[   75.713154][ T6570]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[   75.713180][ T6570]  ? exit_to_user_mode_loop+0x40/0x110
[   75.713196][ T6570]  exit_to_user_mode_loop+0x75/0x110
[   75.713211][ T6570]  do_syscall_64+0x2bd/0x3b0
[   75.713228][ T6570]  ? lockdep_hardirqs_on+0x9c/0x150
[   75.713242][ T6570]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.713257][ T6570]  ? exc_page_fault+0x9f/0xf0
[   75.713269][ T6570]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.713281][ T6570] RIP: 0033:0x7f2ed3b8e929
[   75.713296][ T6570] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   75.713322][ T6570] RSP: 002b:00007f2ed4aa8038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   75.713340][ T6570] RAX: fffffffffffffe00 RBX: 00007f2ed3db5fa0 RCX: 00007f2ed3b8e929
[   75.713349][ T6570] RDX: 0000000000000040 RSI: 0000200000000100 RDI: 000000000000000a
[   75.713357][ T6570] RBP: 00007f2ed3c10ca1 R08: 0000000000000000 R09: 0000000000000000
[   75.713364][ T6570] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   75.713371][ T6570] R13: 0000000000000000 R14: 00007f2ed3db5fa0 R15: 00007ffc4c5f8308
[   75.713385][ T6570]  </TASK>
[   75.713390][ T6570] 
[   75.809185][ T6570] Allocated by task 6570:
[   75.810887][ T6570]  kasan_save_track+0x3e/0x80
[   75.812432][ T6570]  __kasan_kmalloc+0x93/0xb0
[   75.813877][ T6570]  __kmalloc_cache_noprof+0x230/0x3d0
[   75.815553][ T6570]  rose_add_node+0x23a/0xde0
[   75.817052][ T6570]  rose_rt_ioctl+0xa48/0xfb0
[   75.818510][ T6570]  rose_ioctl+0x3ce/0x8b0
[   75.819949][ T6570]  sock_do_ioctl+0xdc/0x300
[   75.821474][ T6570]  sock_ioctl+0x576/0x790
[   75.822914][ T6570]  __se_sys_ioctl+0xfc/0x170
[   75.824450][ T6570]  do_syscall_64+0xfa/0x3b0
[   75.825961][ T6570]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.828084][ T6570] 
[   75.829030][ T6570] Freed by task 6581:
[   75.830565][ T6570]  kasan_save_track+0x3e/0x80
[   75.832357][ T6570]  kasan_save_free_info+0x46/0x50
[   75.834259][ T6570]  __kasan_slab_free+0x62/0x70
[   75.835970][ T6570]  kfree+0x18e/0x440
[   75.837482][ T6570]  rose_rt_device_down+0x473/0x4c0
[   75.839415][ T6570]  rose_device_event+0x603/0x6a0
[   75.841264][ T6570]  notifier_call_chain+0x1b6/0x3e0
[   75.843129][ T6570]  __dev_notify_flags+0x18d/0x2e0
[   75.844740][ T6570]  netif_change_flags+0xe8/0x1a0
[   75.846282][ T6570]  dev_change_flags+0x130/0x260
[   75.847859][ T6570]  dev_ioctl+0x7b4/0x1150
[   75.849238][ T6570]  sock_do_ioctl+0x22c/0x300
[   75.850983][ T6570]  sock_ioctl+0x576/0x790
[   75.852591][ T6570]  __se_sys_ioctl+0xfc/0x170
[   75.854362][ T6570]  do_syscall_64+0xfa/0x3b0
[   75.856056][ T6570]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.857931][ T6570] 
[   75.858739][ T6570] The buggy address belongs to the object at ffff888038263000
[   75.858739][ T6570]  which belongs to the cache kmalloc-512 of size 512
[   75.863549][ T6570] The buggy address is located 50 bytes inside of
[   75.863549][ T6570]  freed 512-byte region [ffff888038263000, ffff888038263200)
[   75.867824][ T6570] 
[   75.868588][ T6570] The buggy address belongs to the physical page:
[   75.870611][ T6570] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x38260
[   75.873453][ T6570] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   75.876055][ T6570] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[   75.878756][ T6570] page_type: f5(slab)
[   75.880020][ T6570] raw: 00fff00000000040 ffff88801a441c80 0000000000000000 dead000000000001
[   75.882539][ T6570] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   75.885228][ T6570] head: 00fff00000000040 ffff88801a441c80 0000000000000000 dead000000000001
[   75.888109][ T6570] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   75.891257][ T6570] head: 00fff00000000002 ffffea0000e09801 00000000ffffffff 00000000ffffffff
[   75.894071][ T6570] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   75.897074][ T6570] page dumped because: kasan: bad access detected
[   75.899449][ T6570] page_owner tracks the page as allocated
[   75.901634][ T6570] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5831, tgid 5831 (syz-executor), ts 58884393901, free_ts 58883892046
[   75.909807][ T6570]  post_alloc_hook+0x240/0x2a0
[   75.911732][ T6570]  get_page_from_freelist+0x21e4/0x22c0
[   75.913547][ T6570]  __alloc_frozen_pages_noprof+0x181/0x370
[   75.915518][ T6570]  alloc_pages_mpol+0x232/0x4a0
[   75.917266][ T6570]  allocate_slab+0x8a/0x3b0
[   75.919122][ T6570]  ___slab_alloc+0xbfc/0x1480
[   75.921003][ T6570]  __kmalloc_noprof+0x305/0x4f0
[   75.922950][ T6570]  fib6_info_alloc+0x30/0xf0
[   75.924796][ T6570]  ip6_route_info_create+0x142/0x860
[   75.926910][ T6570]  addrconf_f6i_alloc+0x1d2/0x450
[   75.928917][ T6570]  ipv6_add_addr+0x56e/0x1090
[   75.930807][ T6570]  add_addr+0x8b/0x2d0
[   75.932435][ T6570]  add_v4_addrs+0x70c/0xbd0
[   75.934206][ T6570]  addrconf_init_auto_addrs+0x393/0xab0
[   75.936318][ T6570]  addrconf_notify+0xacc/0x1010
[   75.938244][ T6570]  notifier_call_chain+0x1b6/0x3e0
[   75.940264][ T6570] page last free pid 5831 tgid 5831 stack trace:
[   75.942743][ T6570]  __free_frozen_pages+0xc71/0xe70
[   75.944831][ T6570]  stack_depot_save_flags+0x445/0x900
[   75.946969][ T6570]  ref_tracker_alloc+0x18a/0x460
[   75.948939][ T6570]  netdev_get_by_index+0x79/0xb0
[   75.950916][ T6570]  fib6_nh_init+0x1cd/0x1ff0
[   75.952743][ T6570]  ip6_route_info_create_nh+0x16a/0xab0
[   75.954961][ T6570]  addrconf_f6i_alloc+0x203/0x450
[   75.956978][ T6570]  addrconf_permanent_addr+0x274/0x9d0
[   75.959061][ T6570]  addrconf_notify+0x887/0x1010
[   75.960974][ T6570]  notifier_call_chain+0x1b6/0x3e0
[   75.962909][ T6570]  __dev_notify_flags+0x18d/0x2e0
[   75.964847][ T6570]  netif_change_flags+0xe8/0x1a0
[   75.966741][ T6570]  do_setlink+0xc55/0x41c0
[   75.968538][ T6570]  rtnl_newlink+0x160b/0x1c70
[   75.970412][ T6570]  rtnetlink_rcv_msg+0x7cf/0xb70
[   75.972359][ T6570]  netlink_rcv_skb+0x208/0x470
[   75.974262][ T6570] 
[   75.975232][ T6570] Memory state around the buggy address:
[   75.977464][ T6570]  ffff888038262f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   75.980613][ T6570]  ffff888038262f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   75.983731][ T6570] >ffff888038263000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.986828][ T6570]                                      ^
[   75.988995][ T6570]  ffff888038263080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.992125][ T6570]  ffff888038263100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.995275][ T6570] ==================================================================
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[   76.028112][ T6570] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   76.031036][ T6570] CPU: 1 UID: 0 PID: 6570 Comm: syz.0.292 Not tainted 6.16.0-rc5-syzkaller-00159-g47c84997c686-dirty #0 PREEMPT(full) 
[   76.035854][ T6570] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[   76.039830][ T6570] Call Trace:
[   76.041137][ T6570]  <TASK>
[   76.042330][ T6570]  dump_stack_lvl+0x99/0x250
[   76.044195][ T6570]  ? __asan_memcpy+0x40/0x70
[   76.046068][ T6570]  ? __pfx_dump_stack_lvl+0x10/0x10
[   76.048287][ T6570]  ? __pfx__printk+0x10/0x10
[   76.050143][ T6570]  panic+0x2db/0x790
[   76.051720][ T6570]  ? __pfx_preempt_schedule+0x10/0x10
[   76.053824][ T6570]  ? __pfx_panic+0x10/0x10
[   76.055634][ T6570]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[   76.058009][ T6570]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   76.060552][ T6570]  ? rose_transmit_link+0x5c3/0x740
[   76.062619][ T6570]  check_panic_on_warn+0x89/0xb0
[   76.064630][ T6570]  ? rose_transmit_link+0x5c3/0x740
[   76.066709][ T6570]  end_report+0x78/0x160
[   76.068406][ T6570]  kasan_report+0x129/0x150
[   76.070356][ T6570]  ? kmem_cache_alloc_node_noprof+0x217/0x3c0
[   76.072823][ T6570]  ? rose_transmit_link+0x5c3/0x740
[   76.074909][ T6570]  rose_transmit_link+0x5c3/0x740
[   76.076933][ T6570]  ? skb_put+0x11b/0x210
[   76.078633][ T6570]  rose_write_internal+0x11dc/0x1ac0
[   76.080742][ T6570]  ? __pfx_rose_write_internal+0x10/0x10
[   76.083014][ T6570]  ? __timer_delete+0x5d/0x390
[   76.084930][ T6570]  rose_release+0x24e/0x520
[   76.086740][ T6570]  sock_close+0xc3/0x240
[   76.088484][ T6570]  ? __pfx_sock_close+0x10/0x10
[   76.090433][ T6570]  __fput+0x44c/0xa70
[   76.092047][ T6570]  task_work_run+0x1d4/0x260
[   76.093841][ T6570]  ? __pfx_task_work_run+0x10/0x10
[   76.095887][ T6570]  ? task_work_add+0x377/0x420
[   76.097803][ T6570]  ? __pfx_task_work_add+0x10/0x10
[   76.099866][ T6570]  get_signal+0x11ed/0x1340
[   76.101703][ T6570]  arch_do_signal_or_restart+0x9a/0x750
[   76.103932][ T6570]  ? __pfx___sys_connect+0x10/0x10
[   76.105975][ T6570]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[   76.108428][ T6570]  ? exit_to_user_mode_loop+0x40/0x110
[   76.110592][ T6570]  exit_to_user_mode_loop+0x75/0x110
[   76.112692][ T6570]  do_syscall_64+0x2bd/0x3b0
[   76.114552][ T6570]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.116596][ T6570]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.119031][ T6570]  ? exc_page_fault+0x9f/0xf0
[   76.120919][ T6570]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.123245][ T6570] RIP: 0033:0x7f2ed3b8e929
[   76.125032][ T6570] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   76.132476][ T6570] RSP: 002b:00007f2ed4aa8038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   76.135775][ T6570] RAX: fffffffffffffe00 RBX: 00007f2ed3db5fa0 RCX: 00007f2ed3b8e929
[   76.138883][ T6570] RDX: 0000000000000040 RSI: 0000200000000100 RDI: 000000000000000a
[   76.142009][ T6570] RBP: 00007f2ed3c10ca1 R08: 0000000000000000 R09: 0000000000000000
[   76.145095][ T6570] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   76.148198][ T6570] R13: 0000000000000000 R14: 00007f2ed3db5fa0 R15: 00007ffc4c5f8308
[   76.151320][ T6570]  </TASK>
[   76.153203][ T6570] Kernel Offset: disabled
[   76.154966][ T6570] Rebooting in 86400 seconds..

VM DIAGNOSIS:
15:03:07  Registers:
info registers vcpu 0

CPU#0
RAX=000000000002001a RBX=0000000000000007 RCX=0000000000020000 RDX=0000000000000008
RSI=ffff888104f9a8c8 RDI=ffff888104f99cc0 RBP=0000000000000000 RSP=ffffc90003def1c8
R8 =0000000000000000 R9 =ffffffff822d77ba R10=dffffc0000000000 R11=fffff94000878891
R12=0000000000000003 R13=0000000000000001 R14=ffff888104f9a8c8 R15=ffff888104f9a8e8
RIP=ffffffff819e6e55 RFL=00000006 [-----P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 ffffffff 00c00000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS   [-WA]
DS =0000 0000000000000000 ffffffff 00c00000
FS =0000 0000555588fd8500 ffffffff 00c00000
GS =0000 ffff8880b8626000 ffffffff 00c00000
LDT=0000 0000000000000000 ffffffff 00c00000
TR =0040 fffffe0000003000 00004087 00008b00 DPL=0 TSS64-busy
GDT=     fffffe0000001000 0000007f
IDT=     fffffe0000000000 00000fff
CR0=80050033 CR2=00007fdbc9ee56c0 CR3=0000000028bcc000 CR4=000006f0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=0000000000000000 0000000000000000 XMM01=ffffffffffffffff ffffffffffffffff
XMM02=0000000000000000 0000000000000000 XMM03=ffffffffffffffff ffffffffffffffff
XMM04=0000000000000000 00000000000000ff XMM05=0000000000000000 0000000000000000
XMM06=0000000000000000 000000524f525245 XMM07=0000000000000000 0000000000000000
XMM08=0000000000000000 00524f5252450040 XMM09=0000000000000000 00007f2ed3c11df9
XMM10=0000000000000000 0000000000000000 XMM11=0000000000000000 0000000000000000
XMM12=0000000000000000 0000000000000000 XMM13=0000000000000000 0000000000000000
XMM14=0000000000000000 0000000000000000 XMM15=0000000000000000 0000000000000000
info registers vcpu 1

CPU#1
RAX=0000000000000074 RBX=0000000000000074 RCX=0000000000000000 RDX=00000000000003f8
RSI=0000000000001386 RDI=0000000000001387 RBP=00000000000003f8 RSP=ffffc9000774f210
R8 =ffff888108c38237 R9 =1ffff11021187046 R10=dffffc0000000000 R11=ffffffff85460dc0
R12=dffffc0000000000 R13=ffffffff99aee8c3 R14=ffffffff99df32e0 R15=0000000000000000
RIP=ffffffff85460e3c RFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 ffffffff 00c00000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS   [-WA]
DS =0000 0000000000000000 ffffffff 00c00000
FS =0000 00007f2ed4aa86c0 ffffffff 00c00000
GS =0000 ffff8881a3c26000 ffffffff 00c00000
LDT=0000 0000000000000000 ffffffff 00c00000
TR =0040 fffffe000004a000 00004087 00008b00 DPL=0 TSS64-busy
GDT=     fffffe0000048000 0000007f
IDT=     fffffe0000000000 00000fff
CR0=80050033 CR2=0000001b3050fff8 CR3=0000000111990000 CR4=000006f0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=0000000000000000 0000000000000000 XMM01=ffffffffffffffff ffffffffffffffff
XMM02=0000000000000000 0000000000000000 XMM03=ffffffffffffffff ffffffffffffffff
XMM04=0000000000000000 00000000000000ff XMM05=0000000000000000 0000000000000000
XMM06=0000000000000000 000000524f525245 XMM07=0000000000000000 0000000000000000
XMM08=0000000000000000 00524f5252450040 XMM09=0000000000000000 00007fa1fa211df9
XMM10=0000000000000000 0000000000000000 XMM11=0000000000000000 0000000000000000
XMM12=0000000000000000 0000000000000000 XMM13=0000000000000000 0000000000000000
XMM14=0000000000000000 0000000000000000 XMM15=0000000000000000 0000000000000000
