last executing test programs:

1.455004825s ago: executing program 0 (id=237):
r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0)
ioctl$TUNSETOFFLOAD(r0, 0xc004743e, 0x110c230000)
ioctl$TUNSETOFFLOAD(r0, 0x40047459, 0xf0ff1f00000000)

1.336675845s ago: executing program 0 (id=240):
sendmsg$nl_xfrm(0xffffffffffffffff, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000140)=ANY=[@ANYBLOB="f80000001600010000000000000000000a010100000000000000000000000000000000000000635ee5f99683c38600"/59, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="20010000000000000000000000000001000000003300"/47], 0xf8}}, 0x0)
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="20010000120013070000000000000000e0000001000000000000000000000000fc00"/64, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000072c42572f64a264410b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000fbc18c8582fc7800000000000000000000000050019000000000028001a"], 0x120}}, 0x0)

1.336106284s ago: executing program 2 (id=241):
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000340)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000001140)={{0x14}, [@NFT_MSG_NEWRULE={0x64, 0x6, 0xa, 0x40b, 0x0, 0x0, {0x2}, [@NFTA_RULE_EXPRESSIONS={0x38, 0x4, 0x0, 0x1, [{0x34, 0x1, 0x0, 0x1, @immediate={{0xe}, @val={0x20, 0x2, 0x0, 0x1, [@NFTA_IMMEDIATE_DATA={0x14, 0x2, 0x0, 0x1, [@NFTA_DATA_VALUE={0xd, 0x1, "22d4ba0c226aefacfc"}]}, @NFTA_IMMEDIATE_DREG={0x8, 0x1, 0x1, 0x0, 0x16}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz2\x00'}]}], {0x14}}, 0x8c}}, 0x0)

1.288259436s ago: executing program 1 (id=242):
perf_event_open(&(0x7f0000000180)={0x2, 0x80, 0x4a, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0, 0x3}, 0x0, 0x0, 0x0, 0x8, 0x3fe, 0x7fffffff}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xa)
socketpair$tipc(0x1e, 0x1, 0x0, 0x0)
sendmsg$kcm(0xffffffffffffffff, &(0x7f0000000080)={&(0x7f0000000000)=@l2tp6={0xa, 0x0, 0x0, @loopback={0x0, 0xac14140c}}, 0x80, &(0x7f00000000c0), 0x0, 0x0, 0x0, 0x900}, 0x60)
bpf$PROG_LOAD(0x5, &(0x7f0000000800)={0x3a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x14, '\x00', 0x0, @fallback=0xf}, 0x94)
ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000080)={'bond_slave_0\x00', 0x800})
socketpair(0x1, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
ioctl$PERF_EVENT_IOC_SET_FILTER(r0, 0x8946, &(0x7f0000000080))

1.2877484s ago: executing program 0 (id=243):
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000900)={0x18, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x41100, 0x4, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, &(0x7f00000008c0)=[{0x2, 0x1, 0x3}], 0x10, 0x5}, 0x94)
r0 = socket$kcm(0x1e, 0x2, 0x0)
setsockopt$sock_attach_bpf(r0, 0x10f, 0x87, &(0x7f00000008c0), 0x43)
socketpair(0x1e, 0x1, 0x0, &(0x7f0000000040)={<r1=>0x0, <r2=>0x0})
close(r1)
perf_event_open(&(0x7f0000000040)={0x2, 0x80, 0xec, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2101, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, @perf_config_ext={0x7, 0xffffffffffffffff}, 0x828, 0x0, 0x0, 0x0, 0x9, 0x800000, 0x0, 0x0, 0x0, 0x0, 0x40}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
setsockopt$sock_attach_bpf(r2, 0x10f, 0x87, &(0x7f0000000180), 0x4bd)
r3 = socket$kcm(0x1e, 0x4, 0x0)
setsockopt$sock_attach_bpf(r3, 0x10f, 0x87, &(0x7f00000008c0), 0x43)
sendmsg$kcm(r3, &(0x7f0000000100)={0x0, 0x0, 0x0}, 0x0)

1.197052964s ago: executing program 2 (id=244):
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="1b00000000000000000000000080"], 0x48)
r1 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f00000007c0)=ANY=[@ANYBLOB="0200000004000000080000000100000080"], 0x33)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000dc0)={{r1, <r2=>0xffffffffffffffff}, &(0x7f0000000500), &(0x7f00000000c0)='%ps    \x00'}, 0x20)
bpf$BPF_MAP_CONST_STR_FREEZE(0x16, &(0x7f00000003c0)={r2}, 0x4)
r3 = bpf$PROG_LOAD(0x5, &(0x7f0000000000)={0x11, 0x25, &(0x7f0000000340)=@ringbuf={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}, {{0x18, 0x1, 0x1, 0x0, r0}}, {}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r0}, {}, {}, {}, {}, {}, {0x7, 0x0, 0xb, 0x4, 0x0, 0x0, 0x1}}, @snprintf={{}, {}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x7}, {}, {}, {}, {}, {}, {}, {0x18, 0x3, 0x2, 0x0, r2}}], {{}, {}, {0x85, 0x0, 0x0, 0x84}}}, &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000140)={&(0x7f0000000180)='tlb_flush\x00', r3}, 0x10)

1.196685329s ago: executing program 1 (id=245):
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000080)={0x0, 0x14, &(0x7f0000000440)=[{&(0x7f0000000280)="d8000000140081054e81f782db44b9040a1d08020a000000040000a118000200fe80000000000e1208000f0100a10401a80016eaa4000640feffffffffffffffb94dcf5c0461c1d67f6f94007134cf6ee08002a0e408e8d8ef075c817bd6c496ddffaa2795edb1e61e0100000000000000cb090000001fb791643a5ee4001b14547df36745d6d930dfe1d9d322fe7c9fd68775730d96a4683f5aeb4edbb57a5025ccca9e00158c89ed6cb4d1ac95e7765e04c2360db70100000040fad95667e0060000000000000080bb9ad809d5e1cace81ed0bffece0b4", 0xd8}], 0x1, 0x0, 0x0, 0x7400}, 0x0)

1.132088586s ago: executing program 0 (id=246):
r0 = socket$kcm(0xa, 0x2, 0x0)
socketpair$unix(0x1, 0x5, 0x0, 0x0)
r1 = perf_event_open(&(0x7f0000000040)={0x2, 0x80, 0xec, 0x0, 0x0, 0x0, 0x0, 0x5, 0x83501, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0, 0x8}, 0x940, 0x4, 0x0, 0x0, 0x6d1a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
recvmsg(r0, &(0x7f0000000040)={0x0, 0x0, 0x0}, 0x40000100)
r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000880)={0x5, 0xb, &(0x7f0000000180)=ANY=[@ANYBLOB="18080000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000000700000095"], &(0x7f00000000c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
ioctl$PERF_EVENT_IOC_SET_BPF(r1, 0x40042408, r2)
bpf$PROG_LOAD(0x5, &(0x7f00000018c0)={0x5, 0x5, &(0x7f0000000180)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x48, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000080)=@framed, &(0x7f0000000000)='syzkaller\x00'}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000040)='contention_end\x00', r3}, 0x10)
perf_event_open(&(0x7f0000000040)={0x2, 0x80, 0xee, 0x0, 0x0, 0x6, 0x0, 0x0, 0x801a8, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x5, @perf_config_ext={0x6}, 0x1000, 0x4, 0x0, 0x8, 0x0, 0xfffffffc, 0x2}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r4 = socket$kcm(0x10, 0x3, 0x10)
sendmsg$kcm(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000080)="1400000038000b63d25a", 0x46}], 0x1}, 0x0)

1.130722257s ago: executing program 2 (id=247):
perf_event_open(&(0x7f0000000180)={0x1, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0, 0x8}, 0x1400, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}, 0x0, 0xaffffff7ffffffff, 0xffffffffffffffff, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0x0, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x44, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3}, 0x94)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB="02000000040000000800180001"], 0x50)

1.130405776s ago: executing program 1 (id=248):
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f00000003c0)=@updpolicy={0xfc, 0x19, 0x1, 0x0, 0x0, {{@in6=@private2, @in=@loopback, 0xfffd, 0x6, 0x0, 0x0, 0xa, 0x0, 0x0, 0x8}, {0x0, 0x0, 0x80000001, 0x0, 0x2, 0x0, 0x0, 0x1d}, {0x0, 0x0, 0x0, 0x2dd}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, [@tmpl={0x44, 0x5, [{{@in=@dev={0xac, 0x14, 0x14, 0x35}, 0x4d3, 0x2b}, 0x0, @in=@dev={0xac, 0x14, 0x14, 0xc}, 0x3503, 0x8, 0x0, 0xff, 0x0, 0x0, 0xff}]}]}, 0xfc}, 0x1, 0x0, 0x0, 0x40001}, 0x0)

1.004815216s ago: executing program 1 (id=249):
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000280), 0x0, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'rose0\x00', 0x112})
ioctl$TUNATTACHFILTER(r0, 0x401054d5, &(0x7f0000001000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0xfc, 0xfffff030}, {0x6, 0x0, 0x0, 0x3}]})

207.841012ms ago: executing program 2 (id=250):
r0 = socket$kcm(0x2d, 0x2, 0x0)
ioctl$sock_kcm_SIOCKCMCLONE(r0, 0x89e2, &(0x7f0000000340)={<r1=>r0})
ioctl$sock_kcm_SIOCKCMCLONE(r1, 0x89e2, &(0x7f0000000140))
perf_event_open(&(0x7f0000000040)={0x2, 0x80, 0xec, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2101, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, @perf_config_ext={0x7, 0xffffffffffffffff}, 0x828, 0x0, 0x0, 0x0, 0x9, 0x800000, 0x0, 0x0, 0x0, 0x0, 0x40}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000400)={0x5, 0xb, &(0x7f0000000180)=ANY=[@ANYBLOB="18080000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000000700000095"], &(0x7f00000000c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x16, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
sendmsg$kcm(r0, &(0x7f0000000940)={0x0, 0x0, &(0x7f0000000180)=[{&(0x7f0000000580)="d8001c00180081064e81f782db44fd38170d12a0b9b545c7", 0x18}], 0x1}, 0x0)
ioctl$sock_kcm_SIOCKCMATTACH(r0, 0x89e3, &(0x7f0000000180)={r0, r2})

148.294919ms ago: executing program 1 (id=251):
perf_event_open(&(0x7f0000000000)={0x2, 0x80, 0xdf, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, @perf_bp={0x0, 0x1}, 0x0, 0x0, 0xfffffffc, 0x4, 0x0, 0xfffffffc}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000140)={'dummy0\x00', 0x100})
r0 = socket$kcm(0x10, 0x2, 0x0)
write$cgroup_subtree(r0, &(0x7f0000000040)=ANY=[@ANYBLOB="13000000190091c8b14a0778a8123d181d"], 0xfe33)
r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000000)={0x1, 0x8, &(0x7f0000000780)=ANY=[@ANYBLOB="7a0af8ff75257000bfa100000000000007010000f8ffffffb702000005000000bf130000000000008500000006000000b700000000000000950000ff00000000b25952850a84a70002b2ab3d6ffaa6ead0169191d54f8196217fc563e2fc91f6da4dad4fdc2eb1b5986fc44bc25fb591cf77b9dfb379a3f611dbc2a364916f098dab10b1a297cf528666d1ddd73f30f2382f6cda4bfdd45be583823c0f092248a57d48621f3c1c65ee19ee875daf45006a4c4ea5e15b2f9618d547244a22000000000800db583620ce7243d1aebdb638d91dbef6619358399aa9c2acd068c03efefd8bc77edf2d34b12cd48a1b20fb7dd843267e0331759f4ec6b5b0af58e604f494eff289026d5045ef08000000000000007718a09f4886afc26abba34635d0e8b598a51bc742135a6e1d33fe226c944bc76be40d435aa8b5202db761014b1b999a12df6bee431a6681000000263b6233e1c0fe30e384c3cb07b74a72291a1a2b523dd81b6651b1ee48e999bb004823ebcd8c65743f31f84b263ab9b3426692d01ad194f302d7a658e9e54687d3c56d7bedb6b2f25ddb8c640bb321a402058c9221b6870814cf4ee23ddb79fff5eb156e0a000000000000f2bd1d4a178d86d6935eb8b75bc4eb680d10e8b6a54c6c8674caf63ff76622939a20d4aadf85db40179c2cf83ee07e30a279d8f9f3bc282deb43a03409f8e6972f3f720d045923702cede0f3e91411f3f1b16f065624f280a7dcce8db910f93c49b9e0b6dd7356aa79d5fabb5c0d0da6d719d7e0efb2bb713d18242cd5df6ca53307a4cdd91be4587f90e317c8de5e5c3933fd5d5bf38f6b9fc39fc829dcfe4af8ac5fbb7314a7a433e0182767d1786eda2b20"], &(0x7f0000000100)='GPL\x00'}, 0x48)
r2 = socket$kcm(0x2, 0x5, 0x84)
perf_event_open(&(0x7f0000000d00)={0x2, 0x80, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x4, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x4, @perf_config_ext, 0x100188, 0x0, 0x0, 0x0, 0x0, 0x0, 0xbf0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
sendmsg$inet(r2, &(0x7f00000007c0)={&(0x7f00000000c0)={0x2, 0x0, @rand_addr=0x64010102}, 0x10, &(0x7f0000000300)=[{&(0x7f0000000080)="92", 0x1}], 0x1, &(0x7f0000000640)=ANY=[], 0x158}, 0x40)
r3 = bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000001840)=ANY=[@ANYBLOB="0300000004000000040000000a"], 0x48)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000c80)={{r3}, &(0x7f0000000b00), &(0x7f0000000b40)=r1}, 0x20)
r4 = socket$kcm(0x10, 0x400000002, 0x0)
write$cgroup_subtree(r4, &(0x7f0000000040)=ANY=[@ANYBLOB="934300005a0033"], 0xfe33)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000280)={{r3}, &(0x7f0000000200), &(0x7f0000000240)=r1}, 0x20)

147.883368ms ago: executing program 0 (id=252):
bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0x10, 0x4, &(0x7f0000001300)=@framed={{}, [@ldst={0x1, 0x2, 0x3, 0x0, 0x1, 0x1}]}, &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0xe}, 0x94)

78.15877ms ago: executing program 2 (id=253):
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0xd, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff00000000b7080000000000007b8af0ff00000000bf8100000000000007080000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018210000", @ANYRES32=r0, @ANYBLOB="0000000002000000b70500000800000085000000aa00000095"], &(0x7f0000000300)='GPL\x00', 0x4}, 0x94)

77.867603ms ago: executing program 0 (id=254):
perf_event_open(&(0x7f0000000100)={0x2, 0x80, 0x52, 0x1, 0x0, 0x0, 0x0, 0x7fef, 0x82, 0xd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x107b7d, 0x1, @perf_config_ext={0x407fff, 0xaea}, 0x14105, 0x2e, 0xfffffbff, 0x5, 0x2, 0x0, 0x6, 0x0, 0x0, 0x0, 0xa9e6}, 0x0, 0xfbffffffffffffff, 0xffffffffffffffff, 0x9)
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000380)=@base={0x5, 0x5, 0x9fd, 0x85, 0x41}, 0x50)
bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000000300)={0xffffffffffffffff, 0x0, &(0x7f00000000c0), &(0x7f0000000240), 0x800, r0}, 0x38)
bpf$MAP_LOOKUP_BATCH(0x19, &(0x7f0000000800)={0x0, 0x0, &(0x7f0000000680), &(0x7f0000000540), 0x6c, r0}, 0x38)

341.739µs ago: executing program 2 (id=255):
perf_event_open(&(0x7f00000004c0)={0x2, 0x80, 0x37, 0x1, 0x0, 0x0, 0x0, 0x7, 0x590, 0x1b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffe, 0x2, @perf_config_ext={0x6, 0x6}, 0x4c58, 0x5, 0x0, 0x1, 0x2, 0x20002, 0x10, 0x0, 0x0, 0x0, 0x2}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)

0s ago: executing program 1 (id=256):
r0 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0x101801, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000000)={'syzkaller1\x00', 0x2})
ioctl$TUNSETDEBUG(r0, 0x400454c9, 0xffffffffffffffff)
ioctl$TUNSETLINK(r0, 0x400454cd, 0x337)

kernel console output (not intermixed with test programs):

Warning: Permanently added '[localhost]:52490' (ED25519) to the list of known hosts.
syzkaller login: [   57.737475][ T5837] cgroup: Unknown subsys name 'net'
[   57.852965][ T5837] cgroup: Unknown subsys name 'cpuset'
[   57.857030][ T5837] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   59.694832][ T5837] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   71.164774][   T55] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   71.169192][   T55] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   71.173837][   T55] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   71.179247][   T55] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   71.187908][ T5878] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   71.211707][ T5882] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   71.214955][ T5883] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   71.227529][ T5874] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   71.236475][ T1362] ieee802154 phy0 wpan0: encryption failed: -22
[   71.239099][ T1362] ieee802154 phy1 wpan1: encryption failed: -22
[   71.246619][ T5239] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   71.249891][ T5239] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   71.267589][ T5880] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   71.282106][   T55] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   71.285773][   T55] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   71.291129][   T55] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   71.300955][   T55] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   71.648770][ T5873] chnl_net:caif_netlink_parms(): no params data found
[   71.745022][ T5876] chnl_net:caif_netlink_parms(): no params data found
[   71.785799][ T5877] chnl_net:caif_netlink_parms(): no params data found
[   71.849323][ T5873] bridge0: port 1(bridge_slave_0) entered blocking state
[   71.852962][ T5873] bridge0: port 1(bridge_slave_0) entered disabled state
[   71.855667][ T5873] bridge_slave_0: entered allmulticast mode
[   71.859454][ T5873] bridge_slave_0: entered promiscuous mode
[   71.865516][ T5873] bridge0: port 2(bridge_slave_1) entered blocking state
[   71.868335][ T5873] bridge0: port 2(bridge_slave_1) entered disabled state
[   71.871911][ T5873] bridge_slave_1: entered allmulticast mode
[   71.875887][ T5873] bridge_slave_1: entered promiscuous mode
[   71.965081][ T5873] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   71.968060][ T5876] bridge0: port 1(bridge_slave_0) entered blocking state
[   71.971209][ T5876] bridge0: port 1(bridge_slave_0) entered disabled state
[   71.974036][ T5876] bridge_slave_0: entered allmulticast mode
[   71.977266][ T5876] bridge_slave_0: entered promiscuous mode
[   71.995041][ T5873] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   72.013225][ T5876] bridge0: port 2(bridge_slave_1) entered blocking state
[   72.015957][ T5876] bridge0: port 2(bridge_slave_1) entered disabled state
[   72.018811][ T5876] bridge_slave_1: entered allmulticast mode
[   72.023498][ T5876] bridge_slave_1: entered promiscuous mode
[   72.055948][ T5877] bridge0: port 1(bridge_slave_0) entered blocking state
[   72.058874][ T5877] bridge0: port 1(bridge_slave_0) entered disabled state
[   72.062720][ T5877] bridge_slave_0: entered allmulticast mode
[   72.066928][ T5877] bridge_slave_0: entered promiscuous mode
[   72.094000][ T5873] team0: Port device team_slave_0 added
[   72.096750][ T5877] bridge0: port 2(bridge_slave_1) entered blocking state
[   72.100713][ T5877] bridge0: port 2(bridge_slave_1) entered disabled state
[   72.103638][ T5877] bridge_slave_1: entered allmulticast mode
[   72.107368][ T5877] bridge_slave_1: entered promiscuous mode
[   72.112160][ T5876] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   72.143277][ T5873] team0: Port device team_slave_1 added
[   72.147323][ T5876] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   72.154606][ T5877] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   72.183368][ T5877] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   72.226454][ T5876] team0: Port device team_slave_0 added
[   72.229723][ T5877] team0: Port device team_slave_0 added
[   72.234303][ T5873] batman_adv: batadv0: Adding interface: batadv_slave_0
[   72.236931][ T5873] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   72.247462][ T5873] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   72.254568][ T5876] team0: Port device team_slave_1 added
[   72.258010][ T5877] team0: Port device team_slave_1 added
[   72.269879][ T5873] batman_adv: batadv0: Adding interface: batadv_slave_1
[   72.273968][ T5873] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   72.282258][ T5873] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   72.328305][ T5877] batman_adv: batadv0: Adding interface: batadv_slave_0
[   72.331299][ T5877] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   72.341588][ T5877] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   72.346617][ T5876] batman_adv: batadv0: Adding interface: batadv_slave_0
[   72.349304][ T5876] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   72.360180][ T5876] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   72.367742][ T5877] batman_adv: batadv0: Adding interface: batadv_slave_1
[   72.371414][ T5877] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   72.382618][ T5877] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   72.410976][ T5876] batman_adv: batadv0: Adding interface: batadv_slave_1
[   72.413613][ T5876] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   72.424103][ T5876] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   72.434643][ T5873] hsr_slave_0: entered promiscuous mode
[   72.437254][ T5873] hsr_slave_1: entered promiscuous mode
[   72.522285][ T5876] hsr_slave_0: entered promiscuous mode
[   72.526304][ T5876] hsr_slave_1: entered promiscuous mode
[   72.528626][ T5876] debugfs: 'hsr0' already exists in 'hsr'
[   72.531249][ T5876] Cannot create hsr debugfs directory
[   72.545630][ T5877] hsr_slave_0: entered promiscuous mode
[   72.548747][ T5877] hsr_slave_1: entered promiscuous mode
[   72.552097][ T5877] debugfs: 'hsr0' already exists in 'hsr'
[   72.553838][ T5877] Cannot create hsr debugfs directory
[   72.885457][ T5873] netdevsim netdevsim2 netdevsim0: renamed from eth0
[   72.898099][ T5873] netdevsim netdevsim2 netdevsim1: renamed from eth1
[   72.904129][ T5873] netdevsim netdevsim2 netdevsim2: renamed from eth2
[   72.916597][ T5873] netdevsim netdevsim2 netdevsim3: renamed from eth3
[   72.961092][ T5877] netdevsim netdevsim1 netdevsim0: renamed from eth0
[   72.982741][ T5877] netdevsim netdevsim1 netdevsim1: renamed from eth1
[   72.992056][ T5877] netdevsim netdevsim1 netdevsim2: renamed from eth2
[   73.008394][ T5877] netdevsim netdevsim1 netdevsim3: renamed from eth3
[   73.045886][ T5876] netdevsim netdevsim0 netdevsim0: renamed from eth0
[   73.053652][ T5876] netdevsim netdevsim0 netdevsim1: renamed from eth1
[   73.065430][ T5876] netdevsim netdevsim0 netdevsim2: renamed from eth2
[   73.077473][ T5876] netdevsim netdevsim0 netdevsim3: renamed from eth3
[   73.167851][ T5873] 8021q: adding VLAN 0 to HW filter on device bond0
[   73.209605][ T5873] 8021q: adding VLAN 0 to HW filter on device team0
[   73.233167][ T3024] bridge0: port 1(bridge_slave_0) entered blocking state
[   73.236106][ T3024] bridge0: port 1(bridge_slave_0) entered forwarding state
[   73.259365][ T3024] bridge0: port 2(bridge_slave_1) entered blocking state
[   73.262128][ T3024] bridge0: port 2(bridge_slave_1) entered forwarding state
[   73.276759][ T5877] 8021q: adding VLAN 0 to HW filter on device bond0
[   73.312105][   T55] Bluetooth: hci0: command tx timeout
[   73.314611][   T55] Bluetooth: hci1: command tx timeout
[   73.317982][ T5873] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   73.326802][ T5877] 8021q: adding VLAN 0 to HW filter on device team0
[   73.352738][   T65] bridge0: port 1(bridge_slave_0) entered blocking state
[   73.355563][   T65] bridge0: port 1(bridge_slave_0) entered forwarding state
[   73.359748][   T65] bridge0: port 2(bridge_slave_1) entered blocking state
[   73.362376][   T65] bridge0: port 2(bridge_slave_1) entered forwarding state
[   73.386203][ T5876] 8021q: adding VLAN 0 to HW filter on device bond0
[   73.390818][   T55] Bluetooth: hci2: command tx timeout
[   73.432491][ T5876] 8021q: adding VLAN 0 to HW filter on device team0
[   73.443076][   T65] bridge0: port 1(bridge_slave_0) entered blocking state
[   73.445558][   T65] bridge0: port 1(bridge_slave_0) entered forwarding state
[   73.468828][   T65] bridge0: port 2(bridge_slave_1) entered blocking state
[   73.471318][   T65] bridge0: port 2(bridge_slave_1) entered forwarding state
[   73.553226][ T5876] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   73.624325][ T5877] 8021q: adding VLAN 0 to HW filter on device batadv0
[   73.629653][ T5873] 8021q: adding VLAN 0 to HW filter on device batadv0
[   73.756961][ T5873] veth0_vlan: entered promiscuous mode
[   73.765177][ T5877] veth0_vlan: entered promiscuous mode
[   73.786127][ T5877] veth1_vlan: entered promiscuous mode
[   73.792817][ T5873] veth1_vlan: entered promiscuous mode
[   73.815075][ T5876] 8021q: adding VLAN 0 to HW filter on device batadv0
[   73.836101][ T5873] veth0_macvtap: entered promiscuous mode
[   73.852311][ T5873] veth1_macvtap: entered promiscuous mode
[   73.861463][ T5877] veth0_macvtap: entered promiscuous mode
[   73.875142][ T5877] veth1_macvtap: entered promiscuous mode
[   73.891604][ T5873] batman_adv: batadv0: Interface activated: batadv_slave_0
[   73.905181][ T5873] batman_adv: batadv0: Interface activated: batadv_slave_1
[   73.918975][ T5877] batman_adv: batadv0: Interface activated: batadv_slave_0
[   73.941733][ T5877] batman_adv: batadv0: Interface activated: batadv_slave_1
[   73.944635][   T13] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   73.948260][   T13] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   73.972889][   T13] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   73.976492][   T13] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   73.994124][ T5876] veth0_vlan: entered promiscuous mode
[   74.002486][   T13] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   74.005927][   T13] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   74.029890][   T13] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   74.037273][ T5876] veth1_vlan: entered promiscuous mode
[   74.051771][   T13] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   74.121302][   T36] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   74.124520][   T36] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   74.158297][   T53] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   74.163429][   T53] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   74.168842][ T5876] veth0_macvtap: entered promiscuous mode
[   74.192517][ T5876] veth1_macvtap: entered promiscuous mode
[   74.230690][ T1091] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   74.233907][ T1091] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   74.239821][   T53] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   74.244957][   T53] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   74.263489][ T5876] batman_adv: batadv0: Interface activated: batadv_slave_0
[   74.295630][ T5873] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[   74.303487][ T5876] batman_adv: batadv0: Interface activated: batadv_slave_1
[   74.325332][   T13] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   74.343889][   T12] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   74.364838][   T12] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   74.368377][   T12] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   74.523346][ T1091] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   74.526475][ T1091] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   74.574022][ T1091] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   74.586112][ T1091] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   74.589949][    C0] hrtimer: interrupt took 62406 ns
[   75.390466][   T55] Bluetooth: hci1: command tx timeout
[   75.392718][   T55] Bluetooth: hci0: command tx timeout
[   75.495757][ T5878] Bluetooth: hci2: command tx timeout
[   75.961154][ T5992] netlink: 'syz.2.31': attribute type 1 has an invalid length.
[   76.273664][ T5993] delete_channel: no stack
[   76.528334][ T6007] netlink: 'syz.0.37': attribute type 21 has an invalid length.
[   77.301093][ T6031] Zero length message leads to an empty skb
[   77.357553][ T6035] netlink: 1041 bytes leftover after parsing attributes in process `syz.0.52'.
[   77.362273][ T6035] netlink: get zone limit has 8 unknown bytes
[   77.470386][ T5878] Bluetooth: hci0: command tx timeout
[   77.473660][ T5878] Bluetooth: hci1: command tx timeout
[   77.551873][   T55] Bluetooth: hci2: command tx timeout
[   77.557051][   T55] Bluetooth: hci0: unexpected event 0x20 length: 15 > 7
[   77.943645][ T6060] netlink: 196 bytes leftover after parsing attributes in process `syz.2.63'.
[   78.437570][ T6090] netlink: 'syz.0.77': attribute type 3 has an invalid length.
[   78.441985][ T6090] netlink: 132 bytes leftover after parsing attributes in process `syz.0.77'.
[   78.567700][ T6096] netlink: 'syz.2.80': attribute type 29 has an invalid length.
[   78.574561][ T6096] netlink: 'syz.2.80': attribute type 29 has an invalid length.
[   78.735036][   T13] syzkaller0: tun_net_xmit 76
[   78.736779][   T13] syzkaller0: tun_net_xmit 48
[   78.749906][ T6100] syzkaller0: create flow: hash 2040187334 index 1
[   78.761139][   T10] syzkaller0: tun_net_xmit 76
[   78.791190][ T6100] syzkaller0: delete flow: hash 2040187334 index 1
[   79.550434][ T5878] Bluetooth: hci0: command tx timeout
[   79.552908][   T55] Bluetooth: hci1: command tx timeout
[   79.630884][   T55] Bluetooth: hci2: command tx timeout
[   79.691862][ T6111] syz.0.86: vmalloc error: size 8589938688, exceeds total pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0-1
[   79.698213][ T6111] CPU: 1 UID: 0 PID: 6111 Comm: syz.0.86 Not tainted syzkaller #0 PREEMPT(full) 
[   79.698236][ T6111] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[   79.698248][ T6111] Call Trace:
[   79.698257][ T6111]  <TASK>
[   79.698266][ T6111]  dump_stack_lvl+0x189/0x250
[   79.698308][ T6111]  ? __pfx_dump_stack_lvl+0x10/0x10
[   79.698328][ T6111]  ? __pfx__printk+0x10/0x10
[   79.698348][ T6111]  ? cpuset_print_current_mems_allowed+0x1f/0x360
[   79.698374][ T6111]  ? cpuset_print_current_mems_allowed+0x1f/0x360
[   79.698396][ T6111]  ? cpuset_print_current_mems_allowed+0x2ee/0x360
[   79.698416][ T6111]  warn_alloc+0x214/0x310
[   79.698434][ T6111]  ? stack_depot_save_flags+0x41b/0x860
[   79.698462][ T6111]  ? __pfx_warn_alloc+0x10/0x10
[   79.698477][ T6111]  ? kasan_save_track+0x4f/0x80
[   79.698500][ T6111]  ? xskq_create+0x56/0x170
[   79.698513][ T6111]  ? xsk_init_queue+0xb0/0x110
[   79.698526][ T6111]  ? xsk_setsockopt+0x57b/0x8d0
[   79.698545][ T6111]  ? do_sock_setsockopt+0x17c/0x1b0
[   79.698564][ T6111]  ? __x64_sys_setsockopt+0x13f/0x1b0
[   79.698582][ T6111]  ? do_syscall_64+0xfa/0x3b0
[   79.698595][ T6111]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   79.698612][ T6111]  __vmalloc_node_range_noprof+0x125/0x12f0
[   79.698658][ T6111]  ? __pfx___vmalloc_node_range_noprof+0x10/0x10
[   79.698678][ T6111]  ? xskq_create+0x56/0x170
[   79.698693][ T6111]  ? __kasan_kmalloc+0x93/0xb0
[   79.698716][ T6111]  vmalloc_user_noprof+0xad/0xf0
[   79.698738][ T6111]  ? xskq_create+0xbf/0x170
[   79.698753][ T6111]  xskq_create+0xbf/0x170
[   79.698769][ T6111]  xsk_init_queue+0xb0/0x110
[   79.698786][ T6111]  xsk_setsockopt+0x57b/0x8d0
[   79.698847][ T6111]  ? __pfx_xsk_setsockopt+0x10/0x10
[   79.698871][ T6111]  ? __pfx_aa_sk_perm+0x10/0x10
[   79.698889][ T6111]  ? __fget_files+0x2a/0x420
[   79.698903][ T6111]  ? aa_sock_opt_perm+0xff/0x1b0
[   79.698920][ T6111]  ? bpf_lsm_socket_setsockopt+0x9/0x20
[   79.698937][ T6111]  ? __pfx_xsk_setsockopt+0x10/0x10
[   79.698963][ T6111]  do_sock_setsockopt+0x17c/0x1b0
[   79.698985][ T6111]  __x64_sys_setsockopt+0x13f/0x1b0
[   79.699008][ T6111]  do_syscall_64+0xfa/0x3b0
[   79.699025][ T6111]  ? lockdep_hardirqs_on+0x9c/0x150
[   79.699042][ T6111]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   79.699057][ T6111]  ? exc_page_fault+0x9f/0xf0
[   79.699073][ T6111]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   79.699087][ T6111] RIP: 0033:0x7f06d538eba9
[   79.699103][ T6111] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   79.699118][ T6111] RSP: 002b:00007f06d621f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[   79.699137][ T6111] RAX: ffffffffffffffda RBX: 00007f06d55d6090 RCX: 00007f06d538eba9
[   79.699149][ T6111] RDX: 0000000000000002 RSI: 000000000000011b RDI: 0000000000000009
[   79.699158][ T6111] RBP: 00007f06d5411e19 R08: 0000000000000004 R09: 0000000000000000
[   79.699167][ T6111] R10: 0000200000000900 R11: 0000000000000246 R12: 0000000000000000
[   79.699176][ T6111] R13: 00007f06d55d6128 R14: 00007f06d55d6090 R15: 00007ffc56494b78
[   79.699200][ T6111]  </TASK>
[   79.699207][ T6111] Mem-Info:
[   79.847133][ T6111] active_anon:5365 inactive_anon:0 isolated_anon:0
[   79.847133][ T6111]  active_file:1132 inactive_file:38246 isolated_file:0
[   79.847133][ T6111]  unevictable:1768 dirty:1420 writeback:0
[   79.847133][ T6111]  slab_reclaimable:9470 slab_unreclaimable:53545
[   79.847133][ T6111]  mapped:18049 shmem:2429 pagetables:945
[   79.847133][ T6111]  sec_pagetables:0 bounce:0
[   79.847133][ T6111]  kernel_misc_reclaimable:0
[   79.847133][ T6111]  free:300385 free_pcp:17848 free_cma:0
[   79.867119][ T6111] Node 0 active_anon:14472kB inactive_anon:0kB active_file:1932kB inactive_file:94492kB unevictable:3536kB isolated(anon):0kB isolated(file):0kB mapped:48296kB dirty:452kB writeback:0kB shmem:4760kB shmem_thp:0kB shmem_pmdmapped:0kB anon_thp:0kB kernel_stack:4272kB pagetables:2088kB sec_pagetables:0kB all_unreclaimable? no Balloon:0kB
[   79.881211][ T6111] Node 1 active_anon:6988kB inactive_anon:0kB active_file:2596kB inactive_file:58492kB unevictable:3536kB isolated(anon):0kB isolated(file):0kB mapped:23900kB dirty:5228kB writeback:0kB shmem:4956kB shmem_thp:0kB shmem_pmdmapped:0kB anon_thp:0kB kernel_stack:7344kB pagetables:1692kB sec_pagetables:0kB all_unreclaimable? no Balloon:0kB
[   79.894846][ T6111] Node 0 DMA free:15360kB boost:0kB min:640kB low:800kB high:960kB reserved_highatomic:0KB free_highatomic:0KB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15360kB mlocked:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
[   79.907472][ T6111] lowmem_reserve[]: 0 811 811 811 811
[   79.910387][ T6111] Node 0 DMA32 free:316684kB boost:0kB min:33660kB low:42072kB high:50484kB reserved_highatomic:0KB free_highatomic:0KB active_anon:14472kB inactive_anon:0kB active_file:1932kB inactive_file:94492kB unevictable:3536kB writepending:452kB present:1556484kB managed:830888kB mlocked:0kB bounce:0kB free_pcp:36012kB local_pcp:19736kB free_cma:0kB
[   79.925598][ T6111] lowmem_reserve[]: 0 0 0 0 0
[   79.927922][ T6111] Node 1 DMA32 free:458492kB boost:0kB min:19192kB low:23988kB high:28784kB reserved_highatomic:0KB free_highatomic:0KB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:524152kB managed:458616kB mlocked:0kB bounce:0kB free_pcp:116kB local_pcp:116kB free_cma:0kB
[   79.948005][ T6111] lowmem_reserve[]: 0 0 854 854 854
[   79.952709][ T6111] Node 1 Normal free:410620kB boost:0kB min:36612kB low:45764kB high:54916kB reserved_highatomic:0KB free_highatomic:0KB active_anon:6988kB inactive_anon:0kB active_file:2596kB inactive_file:58492kB unevictable:3536kB writepending:5228kB present:1048576kB managed:874952kB mlocked:0kB bounce:0kB free_pcp:35320kB local_pcp:18360kB free_cma:0kB
[   79.968505][ T6111] lowmem_reserve[]: 0 0 0 0 0
[   79.971067][ T6111] Node 0 DMA: 0*4kB 0*8kB 0*16kB 0*32kB 0*64kB 0*128kB 0*256kB 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15360kB
[   79.976316][ T6111] Node 0 DMA32: 443*4kB (UME) 124*8kB (M) 70*16kB (ME) 87*32kB (UM) 30*64kB (UME) 19*128kB (UME) 8*256kB (M) 3*512kB (M) 5*1024kB (UM) 3*2048kB (UM) 71*4096kB (M) = 316684kB
[   79.986752][ T6111] Node 1 DMA32: 3*4kB (UM) 2*8kB (M) 2*16kB (M) 2*32kB (M) 2*64kB (M) 2*128kB (UM) 3*256kB (UM) 3*512kB (UM) 3*1024kB (UM) 3*2048kB (UM) 109*4096kB (M) = 458492kB
[   79.995716][ T6111] Node 1 Normal: 65*4kB (U) 45*8kB (UM) 241*16kB (UM) 94*32kB (UME) 86*64kB (UM) 16*128kB (UME) 5*256kB (U) 0*512kB 1*1024kB (E) 2*2048kB (UE) 95*4096kB (M) = 410556kB
[   80.008247][ T6111] Node 0 hugepages_total=2 hugepages_free=2 hugepages_surp=0 hugepages_size=2048kB
[   80.019554][ T6111] Node 1 hugepages_total=2 hugepages_free=2 hugepages_surp=0 hugepages_size=2048kB
[   80.023837][ T6111] 41807 total pagecache pages
[   80.025766][ T6111] 0 pages in swap cache
[   80.027473][ T6111] Free swap  = 124996kB
[   80.029225][ T6111] Total swap = 124996kB
[   80.033499][ T6111] 786301 pages RAM
[   80.035013][ T6111] 0 pages HighMem/MovableOnly
[   80.036895][ T6111] 241347 pages reserved
[   80.038634][ T6111] 0 pages cma reserved
[   80.519774][ T6120] netlink: 16 bytes leftover after parsing attributes in process `syz.0.90'.
[   81.256142][ T6136] netlink: 'syz.1.96': attribute type 2 has an invalid length.
[   82.713770][ T6150] netlink: 'syz.0.104': attribute type 10 has an invalid length.
[   82.797107][ T6155] =======================================================
[   82.797107][ T6155] WARNING: The mand mount option has been deprecated and
[   82.797107][ T6155]          and is ignored by this kernel. Remove the mand
[   82.797107][ T6155]          option from the mount to silence this warning.
[   82.797107][ T6155] =======================================================
[   82.917350][ T6162] netlink: 'syz.2.110': attribute type 2 has an invalid length.
[   82.931758][ T6162] netlink: 164 bytes leftover after parsing attributes in process `syz.2.110'.
[   83.802176][ T6190] netlink: 'syz.1.122': attribute type 21 has an invalid length.
[   83.805745][ T6190] netlink: 'syz.1.122': attribute type 5 has an invalid length.
[   84.112217][ T6203] netlink: 'syz.0.127': attribute type 2 has an invalid length.
[   84.599085][ T6220] netlink: 'syz.2.134': attribute type 10 has an invalid length.
[   84.606207][ T6220] netlink: 40 bytes leftover after parsing attributes in process `syz.2.134'.
[   85.084406][ T6220] ipvlan1: entered promiscuous mode
[   85.087747][ T6220] ipvlan1: entered allmulticast mode
[   85.159366][ T6220] veth0_vlan: entered allmulticast mode
[   85.244117][ T6220] bridge0: port 3(ipvlan1) entered blocking state
[   85.276196][ T6220] bridge0: port 3(ipvlan1) entered disabled state
[   85.395894][ T6220] A link change request failed with some changes committed already. Interface ipvlan1 may have been left with an inconsistent configuration, please check.
[   85.458870][ T6233] netlink: 'syz.2.138': attribute type 4 has an invalid length.
[   85.467603][ T6233] netlink: 199836 bytes leftover after parsing attributes in process `syz.2.138'.
[   85.859648][ T6250] netlink: 'syz.2.146': attribute type 27 has an invalid length.
[   85.871703][ T6250] netlink: 2418 bytes leftover after parsing attributes in process `syz.2.146'.
[   86.605638][    T9] cfg80211: failed to load regulatory.db
[   87.426077][ T6272] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[   87.494616][ T6275] netlink: 'syz.2.156': attribute type 30 has an invalid length.
[   87.594234][ T6277] netlink: 13 bytes leftover after parsing attributes in process `syz.2.156'.
[   88.009455][ T6285] syzkaller0: entered promiscuous mode
[   88.013831][ T6285] syzkaller0: entered allmulticast mode
[   89.227871][ T6301] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[   89.230941][ T6301] batman_adv: batadv0: Removing interface: batadv_slave_0
[   89.241232][ T6301] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[   89.249370][ T6301] batman_adv: batadv0: Removing interface: batadv_slave_1
[   89.377600][ T6305] netlink: 60 bytes leftover after parsing attributes in process `syz.1.169'.
[   89.381799][ T6307] netlink: 60 bytes leftover after parsing attributes in process `syz.1.169'.
[   89.386032][ T6308] netlink: 60 bytes leftover after parsing attributes in process `syz.1.169'.
[   89.531205][ T6314] netlink: 'syz.2.172': attribute type 1 has an invalid length.
[   89.534483][ T6314] netlink: 376 bytes leftover after parsing attributes in process `syz.2.172'.
[   89.823570][ T6329] netlink: 'syz.2.179': attribute type 29 has an invalid length.
[   89.900426][ T6336] netlink: 16 bytes leftover after parsing attributes in process `syz.1.175'.
[   89.938133][ T6329] netlink: 'syz.2.179': attribute type 10 has an invalid length.
[   90.148165][ T6329] 8021q: adding VLAN 0 to HW filter on device bond0
[   90.188355][ T6329] team0: Port device bond0 added
[   90.200918][ T6334] warning: `syz.0.181' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211
[   91.423183][ T6349] delete_channel: no stack
[   95.961690][    C1] clocksource: Long readout interval, skipping watchdog check: cs_nsec: 1301721364 wd_nsec: 1301721397
[   96.317735][ T6386] netlink: 16 bytes leftover after parsing attributes in process `syz.2.200'.
[   96.324512][ T6386] netlink: 16 bytes leftover after parsing attributes in process `syz.2.200'.
[   96.352499][ T6388] netlink: 'syz.1.202': attribute type 4 has an invalid length.
[   96.355270][ T6388] netlink: 'syz.1.202': attribute type 1 has an invalid length.
[   96.357862][ T6388] netlink: 'syz.1.202': attribute type 2 has an invalid length.
[   96.441678][ T6388] netlink: 198236 bytes leftover after parsing attributes in process `syz.1.202'.
[   97.318293][ T6404] netlink: 4 bytes leftover after parsing attributes in process `syz.2.209'.
[   97.605726][ T6423] netlink: 'syz.2.216': attribute type 9 has an invalid length.
[   97.968654][   T55] Bluetooth: hci1: unexpected event 0x10 length: 15 > 1
[   97.969448][ T5878] Bluetooth: hci1: hardware error 0x00
[   98.459019][ T6453] netlink: 'syz.2.230': attribute type 2 has an invalid length.
[   98.461923][ T6453] netlink: 132 bytes leftover after parsing attributes in process `syz.2.230'.
[   98.527413][ T6456] netlink: 80 bytes leftover after parsing attributes in process `syz.1.231'.
[   98.996594][ T6476] netlink: 152 bytes leftover after parsing attributes in process `syz.1.239'.
[   99.035975][ T6478] netlink: 8 bytes leftover after parsing attributes in process `syz.0.240'.
[  100.030412][ T5878] Bluetooth: hci1: Opcode 0x0c03 failed: -110
[  100.259052][    C1] Scheduler tracepoints stat_sleep, stat_iowait, stat_blocked and stat_runtime require the kernel parameter schedstats=enable or kernel.sched_schedstats=1
[  100.280504][ T6505] netlink: 17279 bytes leftover after parsing attributes in process `syz.1.251'.
[  100.415077][ T6513] syzkaller1: tun_chr_ioctl cmd 1074025677
[  100.417840][ T6513] syzkaller1: linktype set to 823
[  100.459110][ T6515] netlink: 'syz.2.257': attribute type 29 has an invalid length.
[  100.463638][ T6515] netlink: 'syz.2.257': attribute type 29 has an invalid length.
[  100.467618][ T6515] netlink: 500 bytes leftover after parsing attributes in process `syz.2.257'.
[  100.471736][ T6515] ==================================================================
[  100.474647][ T6515] BUG: KASAN: slab-use-after-free in xfrm_alloc_spi+0x570/0xf30
[  100.477604][ T6515] Read of size 4 at addr ffff8880273c80c4 by task syz.2.257/6515
[  100.481130][ T6515] 
[  100.482385][ T6515] CPU: 0 UID: 0 PID: 6515 Comm: syz.2.257 Not tainted syzkaller #0 PREEMPT(full) 
[  100.482398][ T6515] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[  100.482404][ T6515] Call Trace:
[  100.482409][ T6515]  <TASK>
[  100.482414][ T6515]  dump_stack_lvl+0x189/0x250
[  100.482429][ T6515]  ? __kasan_check_byte+0x12/0x40
[  100.482443][ T6515]  ? __pfx_dump_stack_lvl+0x10/0x10
[  100.482453][ T6515]  ? lock_release+0x4b/0x3e0
[  100.482467][ T6515]  ? __virt_addr_valid+0x4a5/0x5c0
[  100.482478][ T6515]  print_report+0xca/0x240
[  100.482485][ T6515]  ? xfrm_alloc_spi+0x570/0xf30
[  100.482498][ T6515]  kasan_report+0x118/0x150
[  100.482509][ T6515]  ? xfrm_alloc_spi+0x570/0xf30
[  100.482522][ T6515]  xfrm_alloc_spi+0x570/0xf30
[  100.482544][ T6515]  ? xfrm_alloc_spi+0x2a0/0xf30
[  100.482559][ T6515]  ? __pfx_xfrm_alloc_spi+0x10/0x10
[  100.482570][ T6515]  ? xfrm_find_acq+0x87/0xa0
[  100.482582][ T6515]  xfrm_alloc_userspi+0x70b/0xc90
[  100.482597][ T6515]  ? apparmor_capable+0x137/0x1b0
[  100.482607][ T6515]  ? __pfx_xfrm_alloc_userspi+0x10/0x10
[  100.482619][ T6515]  ? __nla_parse+0x40/0x60
[  100.482628][ T6515]  xfrm_user_rcv_msg+0x7a3/0xab0
[  100.482640][ T6515]  ? __pfx_xfrm_user_rcv_msg+0x10/0x10
[  100.482657][ T6515]  ? __pfx___mutex_trylock_common+0x10/0x10
[  100.482667][ T6515]  ? rcu_is_watching+0x15/0xb0
[  100.482675][ T6515]  ? trace_contention_end+0x39/0x120
[  100.482683][ T6515]  ? __mutex_lock+0x335/0x1350
[  100.482693][ T6515]  netlink_rcv_skb+0x208/0x470
[  100.482702][ T6515]  ? __pfx_xfrm_user_rcv_msg+0x10/0x10
[  100.482713][ T6515]  ? __pfx_netlink_rcv_skb+0x10/0x10
[  100.482724][ T6515]  ? netlink_deliver_tap+0x2e/0x1b0
[  100.482733][ T6515]  ? netlink_deliver_tap+0x2e/0x1b0
[  100.482742][ T6515]  xfrm_netlink_rcv+0x79/0x90
[  100.482754][ T6515]  netlink_unicast+0x82f/0x9e0
[  100.482763][ T6515]  ? __pfx_netlink_unicast+0x10/0x10
[  100.482770][ T6515]  ? netlink_sendmsg+0x642/0xb30
[  100.482778][ T6515]  ? skb_put+0x11b/0x210
[  100.482788][ T6515]  netlink_sendmsg+0x805/0xb30
[  100.482798][ T6515]  ? __pfx_netlink_sendmsg+0x10/0x10
[  100.482807][ T6515]  ? aa_sock_msg_perm+0xf1/0x1d0
[  100.482815][ T6515]  ? bpf_lsm_socket_sendmsg+0x9/0x20
[  100.482824][ T6515]  ? __pfx_netlink_sendmsg+0x10/0x10
[  100.482832][ T6515]  __sock_sendmsg+0x21c/0x270
[  100.482845][ T6515]  ____sys_sendmsg+0x505/0x830
[  100.482855][ T6515]  ? __pfx_____sys_sendmsg+0x10/0x10
[  100.482866][ T6515]  ? import_iovec+0x74/0xa0
[  100.482877][ T6515]  ___sys_sendmsg+0x21f/0x2a0
[  100.482887][ T6515]  ? __pfx____sys_sendmsg+0x10/0x10
[  100.482909][ T6515]  ? __fget_files+0x2a/0x420
[  100.482916][ T6515]  ? __fget_files+0x3a0/0x420
[  100.482925][ T6515]  __x64_sys_sendmsg+0x19b/0x260
[  100.482935][ T6515]  ? __pfx___x64_sys_sendmsg+0x10/0x10
[  100.482948][ T6515]  ? rcu_is_watching+0x15/0xb0
[  100.482958][ T6515]  ? do_syscall_64+0xbe/0x3b0
[  100.482968][ T6515]  do_syscall_64+0xfa/0x3b0
[  100.482976][ T6515]  ? lockdep_hardirqs_on+0x9c/0x150
[  100.482984][ T6515]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  100.482992][ T6515]  ? exc_page_fault+0x9f/0xf0
[  100.482999][ T6515]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  100.483007][ T6515] RIP: 0033:0x7f9cea58eba9
[  100.483017][ T6515] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[  100.483024][ T6515] RSP: 002b:00007f9ceb405038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  100.483034][ T6515] RAX: ffffffffffffffda RBX: 00007f9cea7d5fa0 RCX: 00007f9cea58eba9
[  100.483040][ T6515] RDX: 0000000000000000 RSI: 0000200000000840 RDI: 0000000000000004
[  100.483046][ T6515] RBP: 00007f9cea611e19 R08: 0000000000000000 R09: 0000000000000000
[  100.483051][ T6515] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  100.483056][ T6515] R13: 00007f9cea7d6038 R14: 00007f9cea7d5fa0 R15: 00007ffe11e752b8
[  100.483065][ T6515]  </TASK>
[  100.483068][ T6515] 
[  100.609924][ T6515] Allocated by task 5988:
[  100.611742][ T6515]  kasan_save_track+0x3e/0x80
[  100.613735][ T6515]  __kasan_slab_alloc+0x6c/0x80
[  100.615771][ T6515]  kmem_cache_alloc_noprof+0x1c1/0x3c0
[  100.618025][ T6515]  xfrm_state_alloc+0x24/0x2f0
[  100.620048][ T6515]  __find_acq_core+0x8a7/0x1c00
[  100.621990][ T6515]  xfrm_find_acq+0x78/0xa0
[  100.623794][ T6515]  xfrm_alloc_userspi+0x6b3/0xc90
[  100.625902][ T6515]  xfrm_user_rcv_msg+0x7a3/0xab0
[  100.627972][ T6515]  netlink_rcv_skb+0x208/0x470
[  100.629917][ T6515]  xfrm_netlink_rcv+0x79/0x90
[  100.631834][ T6515]  netlink_unicast+0x82f/0x9e0
[  100.633723][ T6515]  netlink_sendmsg+0x805/0xb30
[  100.635671][ T6515]  __sock_sendmsg+0x21c/0x270
[  100.637515][ T6515]  ____sys_sendmsg+0x505/0x830
[  100.639503][ T6515]  ___sys_sendmsg+0x21f/0x2a0
[  100.641483][ T6515]  __x64_sys_sendmsg+0x19b/0x260
[  100.643527][ T6515]  do_syscall_64+0xfa/0x3b0
[  100.645398][ T6515]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  100.647796][ T6515] 
[  100.648790][ T6515] Freed by task 5936:
[  100.650416][ T6515]  kasan_save_track+0x3e/0x80
[  100.652369][ T6515]  kasan_save_free_info+0x46/0x50
[  100.654435][ T6515]  __kasan_slab_free+0x5b/0x80
[  100.656487][ T6515]  kmem_cache_free+0x18f/0x400
[  100.658429][ T6515]  xfrm_state_gc_task+0x52d/0x6b0
[  100.660458][ T6515]  process_scheduled_works+0xae1/0x17b0
[  100.662736][ T6515]  worker_thread+0x8a0/0xda0
[  100.664670][ T6515]  kthread+0x711/0x8a0
[  100.666243][ T6515]  ret_from_fork+0x439/0x7d0
[  100.668069][ T6515]  ret_from_fork_asm+0x1a/0x30
[  100.670000][ T6515] 
[  100.670978][ T6515] The buggy address belongs to the object at ffff8880273c8000
[  100.670978][ T6515]  which belongs to the cache xfrm_state of size 928
[  100.676379][ T6515] The buggy address is located 196 bytes inside of
[  100.676379][ T6515]  freed 928-byte region [ffff8880273c8000, ffff8880273c83a0)
[  100.681745][ T6515] 
[  100.682751][ T6515] The buggy address belongs to the physical page:
[  100.685369][ T6515] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880273c8000 pfn:0x273c8
[  100.689415][ T6515] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  100.692783][ T6515] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[  100.695694][ T6515] page_type: f5(slab)
[  100.697242][ T6515] raw: 00fff00000000040 ffff88801b3ed780 dead000000000122 0000000000000000
[  100.699813][ T6515] raw: ffff8880273c8000 00000000800e000d 00000000f5000000 0000000000000000
[  100.702536][ T6515] head: 00fff00000000040 ffff88801b3ed780 dead000000000122 0000000000000000
[  100.705266][ T6515] head: ffff8880273c8000 00000000800e000d 00000000f5000000 0000000000000000
[  100.707953][ T6515] head: 00fff00000000002 ffffea00009cf201 00000000ffffffff 00000000ffffffff
[  100.710823][ T6515] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[  100.713571][ T6515] page dumped because: kasan: bad access detected
[  100.715763][ T6515] page_owner tracks the page as allocated
[  100.717714][ T6515] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5988, tgid 5987 (syz.2.29), ts 75804290321, free_ts 75744965590
[  100.724412][ T6515]  post_alloc_hook+0x240/0x2a0
[  100.726370][ T6515]  get_page_from_freelist+0x21e4/0x22c0
[  100.728663][ T6515]  __alloc_frozen_pages_noprof+0x181/0x370
[  100.731021][ T6515]  alloc_pages_mpol+0x232/0x4a0
[  100.733018][ T6515]  allocate_slab+0x8a/0x370
[  100.734890][ T6515]  ___slab_alloc+0xbeb/0x1420
[  100.736836][ T6515]  kmem_cache_alloc_noprof+0x283/0x3c0
[  100.739098][ T6515]  xfrm_state_alloc+0x24/0x2f0
[  100.741077][ T6515]  __find_acq_core+0x8a7/0x1c00
[  100.743042][ T6515]  xfrm_find_acq+0x78/0xa0
[  100.744941][ T6515]  xfrm_alloc_userspi+0x6b3/0xc90
[  100.746993][ T6515]  xfrm_user_rcv_msg+0x7a3/0xab0
[  100.749007][ T6515]  netlink_rcv_skb+0x208/0x470
[  100.750986][ T6515]  xfrm_netlink_rcv+0x79/0x90
[  100.752900][ T6515]  netlink_unicast+0x82f/0x9e0
[  100.754819][ T6515]  netlink_sendmsg+0x805/0xb30
[  100.756762][ T6515] page last free pid 5837 tgid 5837 stack trace:
[  100.759220][ T6515]  __free_frozen_pages+0xbc4/0xd30
[  100.761190][ T6515]  stack_depot_save_flags+0x436/0x860
[  100.763220][ T6515]  kasan_save_track+0x4f/0x80
[  100.765001][ T6515]  __kasan_slab_alloc+0x6c/0x80
[  100.766906][ T6515]  kmem_cache_alloc_noprof+0x1c1/0x3c0
[  100.768676][ T6515]  start_this_handle+0x37c/0x21c0
[  100.770337][ T6515]  jbd2__journal_start+0x2c1/0x5b0
[  100.771962][ T6515]  __ext4_journal_start_sb+0x227/0x5c0
[  100.773693][ T6515]  ext4_dirty_inode+0x93/0x110
[  100.775209][ T6515]  __mark_inode_dirty+0x2ec/0xe10
[  100.776809][ T6515]  file_update_time+0x40c/0x490
[  100.778377][ T6515]  ext4_page_mkwrite+0x20e/0x1190
[  100.779938][ T6515]  do_page_mkwrite+0x14d/0x310
[  100.781523][ T6515]  do_wp_page+0x268d/0x5800
[  100.782999][ T6515]  __handle_mm_fault+0x1033/0x5440
[  100.784667][ T6515]  handle_mm_fault+0x40a/0x8e0
[  100.786201][ T6515] 
[  100.786999][ T6515] Memory state around the buggy address:
[  100.788798][ T6515]  ffff8880273c7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  100.791385][ T6515]  ffff8880273c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  100.793828][ T6515] >ffff8880273c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  100.796509][ T6515]                                            ^
[  100.798506][ T6515]  ffff8880273c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  100.801103][ T6515]  ffff8880273c8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  100.803775][ T6515] ==================================================================
[  100.806556][ T6515] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[  100.808818][ T6515] CPU: 0 UID: 0 PID: 6515 Comm: syz.2.257 Not tainted syzkaller #0 PREEMPT(full) 
[  100.811886][ T6515] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[  100.815126][ T6515] Call Trace:
[  100.816246][ T6515]  <TASK>
[  100.817331][ T6515]  dump_stack_lvl+0x99/0x250
[  100.818738][ T6515]  ? __asan_memcpy+0x40/0x70
[  100.820144][ T6515]  ? __pfx_dump_stack_lvl+0x10/0x10
[  100.821753][ T6515]  ? __pfx__printk+0x10/0x10
[  100.823489][ T6515]  vpanic+0x281/0x750
[  100.825055][ T6515]  ? __pfx_vpanic+0x10/0x10
[  100.826479][ T6515]  ? irqentry_exit+0x74/0x90
[  100.827874][ T6515]  panic+0xb9/0xc0
[  100.829136][ T6515]  ? __pfx_panic+0x10/0x10
[  100.830595][ T6515]  ? _raw_spin_unlock_irqrestore+0xa8/0x110
[  100.832469][ T6515]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[  100.834440][ T6515]  ? xfrm_alloc_spi+0x570/0xf30
[  100.836180][ T6515]  check_panic_on_warn+0x89/0xb0
[  100.837659][ T6515]  ? xfrm_alloc_spi+0x570/0xf30
[  100.839107][ T6515]  end_report+0x78/0x160
[  100.840392][ T6515]  kasan_report+0x129/0x150
[  100.841736][ T6515]  ? xfrm_alloc_spi+0x570/0xf30
[  100.843163][ T6515]  xfrm_alloc_spi+0x570/0xf30
[  100.844782][ T6515]  ? xfrm_alloc_spi+0x2a0/0xf30
[  100.846414][ T6515]  ? __pfx_xfrm_alloc_spi+0x10/0x10
[  100.848115][ T6515]  ? xfrm_find_acq+0x87/0xa0
[  100.849813][ T6515]  xfrm_alloc_userspi+0x70b/0xc90
[  100.851644][ T6515]  ? apparmor_capable+0x137/0x1b0
[  100.853094][ T6515]  ? __pfx_xfrm_alloc_userspi+0x10/0x10
[  100.854988][ T6515]  ? __nla_parse+0x40/0x60
[  100.856419][ T6515]  xfrm_user_rcv_msg+0x7a3/0xab0
[  100.857928][ T6515]  ? __pfx_xfrm_user_rcv_msg+0x10/0x10
[  100.859552][ T6515]  ? __pfx___mutex_trylock_common+0x10/0x10
[  100.861627][ T6515]  ? rcu_is_watching+0x15/0xb0
[  100.863196][ T6515]  ? trace_contention_end+0x39/0x120
[  100.865149][ T6515]  ? __mutex_lock+0x335/0x1350
[  100.867086][ T6515]  netlink_rcv_skb+0x208/0x470
[  100.868686][ T6515]  ? __pfx_xfrm_user_rcv_msg+0x10/0x10
[  100.870683][ T6515]  ? __pfx_netlink_rcv_skb+0x10/0x10
[  100.872744][ T6515]  ? netlink_deliver_tap+0x2e/0x1b0
[  100.874645][ T6515]  ? netlink_deliver_tap+0x2e/0x1b0
[  100.876220][ T6515]  xfrm_netlink_rcv+0x79/0x90
[  100.877650][ T6515]  netlink_unicast+0x82f/0x9e0
[  100.879101][ T6515]  ? __pfx_netlink_unicast+0x10/0x10
[  100.880755][ T6515]  ? netlink_sendmsg+0x642/0xb30
[  100.882259][ T6515]  ? skb_put+0x11b/0x210
[  100.883558][ T6515]  netlink_sendmsg+0x805/0xb30
[  100.885427][ T6515]  ? __pfx_netlink_sendmsg+0x10/0x10
[  100.887473][ T6515]  ? aa_sock_msg_perm+0xf1/0x1d0
[  100.889438][ T6515]  ? bpf_lsm_socket_sendmsg+0x9/0x20
[  100.891526][ T6515]  ? __pfx_netlink_sendmsg+0x10/0x10
[  100.893581][ T6515]  __sock_sendmsg+0x21c/0x270
[  100.895503][ T6515]  ____sys_sendmsg+0x505/0x830
[  100.897462][ T6515]  ? __pfx_____sys_sendmsg+0x10/0x10
[  100.899607][ T6515]  ? import_iovec+0x74/0xa0
[  100.901428][ T6515]  ___sys_sendmsg+0x21f/0x2a0
[  100.903242][ T6515]  ? __pfx____sys_sendmsg+0x10/0x10
[  100.905341][ T6515]  ? __fget_files+0x2a/0x420
[  100.907195][ T6515]  ? __fget_files+0x3a0/0x420
[  100.909034][ T6515]  __x64_sys_sendmsg+0x19b/0x260
[  100.910949][ T6515]  ? __pfx___x64_sys_sendmsg+0x10/0x10
[  100.913075][ T6515]  ? rcu_is_watching+0x15/0xb0
[  100.914939][ T6515]  ? do_syscall_64+0xbe/0x3b0
[  100.916843][ T6515]  do_syscall_64+0xfa/0x3b0
[  100.918694][ T6515]  ? lockdep_hardirqs_on+0x9c/0x150
[  100.920776][ T6515]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  100.923128][ T6515]  ? exc_page_fault+0x9f/0xf0
[  100.924981][ T6515]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  100.927281][ T6515] RIP: 0033:0x7f9cea58eba9
[  100.929076][ T6515] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[  100.935474][ T6515] RSP: 002b:00007f9ceb405038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  100.938529][ T6515] RAX: ffffffffffffffda RBX: 00007f9cea7d5fa0 RCX: 00007f9cea58eba9
[  100.940942][ T6515] RDX: 0000000000000000 RSI: 0000200000000840 RDI: 0000000000000004
[  100.943542][ T6515] RBP: 00007f9cea611e19 R08: 0000000000000000 R09: 0000000000000000
[  100.946155][ T6515] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  100.948836][ T6515] R13: 00007f9cea7d6038 R14: 00007f9cea7d5fa0 R15: 00007ffe11e752b8
[  100.951766][ T6515]  </TASK>
[  100.953476][ T6515] Kernel Offset: disabled
[  100.954902][ T6515] Rebooting in 86400 seconds..

VM DIAGNOSIS:
04:27:19  Registers:
info registers vcpu 0

CPU#0
RAX=0000000000000020 RBX=0000000000000020 RCX=0000000000000000 RDX=00000000000003f8
RSI=0000000000001782 RDI=0000000000001783 RBP=00000000000003f8 RSP=ffffc9000646e9f0
R8 =ffff888107520237 R9 =1ffff11020ea4046 R10=dffffc0000000000 R11=ffffffff854fa140
R12=dffffc0000000000 R13=ffffffff99b028ff R14=ffffffff99df7420 R15=0000000000000000
RIP=ffffffff854fa1bc RFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 ffffffff 00c00000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS   [-WA]
DS =0000 0000000000000000 ffffffff 00c00000
FS =0000 00007f9ceb4056c0 ffffffff 00c00000
GS =0000 ffff8880b8613000 ffffffff 00c00000
LDT=0000 0000000000000000 ffffffff 00c00000
TR =0040 fffffe0000003000 00004087 00008b00 DPL=0 TSS64-busy
GDT=     fffffe0000001000 0000007f
IDT=     fffffe0000000000 00000fff
CR0=80050033 CR2=0000001b3411dff8 CR3=000000002867c000 CR4=000006f0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
DR6=00000000ffff0ff0 DR7=0000000000000600
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=0000000000000000 0000000000000000 XMM01=0000000000000000 0000000000000000
XMM02=00007f9cea7a7498 00007f9cea7a7470 XMM03=00007f9cea7a74a8 00007f9cea7a74a0
XMM04=00007f9ceb30d100 00007f9cea7a7460 XMM05=00007f9cea7a7478 00007f9cea7a74c0
XMM06=00007f9cea7a74b8 00007f9cea7a74b0 XMM07=00007f9cea7a74a8 00007f9cea7a74a0
XMM08=0000000000000000 00007f9cea612ee7 XMM09=0000000000000000 00007f9cea612fc5
XMM10=0000000000000000 0000000000000000 XMM11=0000000000000000 0000000000000000
XMM12=0000000000000000 0000000000000000 XMM13=0000000000000000 0000000000000000
XMM14=0000000000000000 0000000000000000 XMM15=0000000000000000 0000000000000000
info registers vcpu 1

CPU#1
RAX=0000000000000000 RBX=ffff888020ec2040 RCX=8edf3906b6211100 RDX=0000000000000000
RSI=ffffffff8be33e60 RDI=ffffffff8be33e20 RBP=fffffffffffffe38 RSP=ffffc900000f79b8
R8 =0000000000000000 R9 =ffffffff8b47e1f2 R10=dffffc0000000000 R11=ffffffff8b47e120
R12=dffffc0000000000 R13=ffffffff8b47e1f2 R14=ffffffff8e13a120 R15=000000000000000d
RIP=ffffffff819d80d0 RFL=00000202 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 ffffffff 00c00000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS   [-WA]
DS =0000 0000000000000000 ffffffff 00c00000
FS =0000 0000000000000000 ffffffff 00c00000
GS =0000 ffff8881a3c13000 ffffffff 00c00000
LDT=0000 0000000000000000 ffffffff 00c00000
TR =0040 fffffe000004a000 00004087 00008b00 DPL=0 TSS64-busy
GDT=     fffffe0000048000 0000007f
IDT=     fffffe0000000000 00000fff
CR0=80050033 CR2=00005581a620f7e8 CR3=000000010f40c000 CR4=000006f0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
DR6=00000000ffff0ff0 DR7=0000000000000600
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=0000000000000000 00000000000001a4 XMM01=0000000000000000 0000000000000000
XMM02=0000000000000000 0000000000000000 XMM03=0000000000000000 0000000000000000
XMM04=0000000000000000 0000000000000000 XMM05=0000000000000000 0000000000000000
XMM06=0000000000000000 0000000000000000 XMM07=0000000000000000 0000000000000000
XMM08=0000000000000000 0000000000000000 XMM09=0000000000000000 0000000000000000
XMM10=0000000000000000 0000000000000000 XMM11=0000000000000000 0000000000000000
XMM12=0000000000000000 0000000000000000 XMM13=0000000000000000 0000000000000000
XMM14=0000000000000000 0000000000000000 XMM15=0000000000000000 0000000000000000
