program: r0 = open(&(0x7f0000000180)='./bus\x00', 0x4a37e, 0x0) open(&(0x7f0000000040)='./bus\x00', 0x46342, 0x0) (async) r1 = open(&(0x7f0000000040)='./bus\x00', 0x46342, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'lo\x00'}) r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) (async) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000)) (async) ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000)) r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0) ioctl$sock_rose_SIOCADDRT(r4, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x6, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]}) r5 = syz_init_net_socket$rose(0xb, 0x5, 0x0) connect$rose(r5, &(0x7f0000000040)=@short={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @default}, 0x1c) (async) connect$rose(r5, &(0x7f0000000040)=@short={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @default}, 0x1c) connect$rose(r5, &(0x7f0000000100)=@full={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, 0x0, [@null, @null, @null, @default, @bcast, @default]}, 0x40) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x0, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180100001c0000000000000000000000850000006d00000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x90) r6 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x11, 0x4, &(0x7f00000002c0)=ANY=[], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80) ioctl$sock_rose_SIOCRSCLRRT(r5, 0x89e4) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000980)='sys_exit\x00', r6}, 0x10) seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000100)=[{0x6}]}) (async) r7 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000100)=[{0x6}]}) socket$can_bcm(0x1d, 0x2, 0x2) close_range(r7, 0xffffffffffffffff, 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c0) getrandom(&(0x7f0000000240)=""/286, 0xffffff9a, 0x0) r8 = syz_create_resource$binfmt(&(0x7f0000000140)='./file0/file1\x00') openat$binfmt(0xffffffffffffff9c, r8, 0x42, 0x1ff) (async) r9 = openat$binfmt(0xffffffffffffff9c, r8, 0x42, 0x1ff) close(r9) (async) close(r9) execveat$binfmt(0xffffffffffffff9c, r8, 0x0, &(0x7f0000004780)={[], 0xf000}, 0x1000) (async) execveat$binfmt(0xffffffffffffff9c, r8, 0x0, &(0x7f0000004780)={[], 0xf000}, 0x1000) ftruncate(r1, 0x2008002) mmap(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8088e3ad122bc192, 0x4002011, r0, 0x1000000) (async) mmap(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8088e3ad122bc192, 0x4002011, r0, 0x1000000) [ 170.632909][ T4668] Bluetooth: hci0: command tx timeout [ 170.866225][ T24] audit: type=1326 audit(1773959907.146:2): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5347 comm="syz.0.0" exe="/syz-executor" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f68dcb9c799 code=0x0 [ 170.902635][ T5347] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI [ 170.907893][ T5347] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [ 170.912093][ T5347] CPU: 0 UID: 0 PID: 5347 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 170.916297][ T5347] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 170.920906][ T5347] RIP: 0010:rose_transmit_link+0x32/0xac0 [ 170.924106][ T5347] Code: 56 41 55 41 54 53 48 83 ec 40 48 89 f3 48 89 fd 49 bc 00 00 00 00 00 fc ff df e8 89 60 2d f7 4c 8d 73 36 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 13 09 00 00 45 0f b6 36 31 ff 44 89 f6 [ 170.933433][ T5347] RSP: 0018:ffffc9000e28f9a8 EFLAGS: 00010207 [ 170.936931][ T5347] RAX: 0000000000000006 RBX: 0000000000000000 RCX: ffff8880326bc980 [ 170.941444][ T5347] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888048fce8c0 [ 170.945281][ T5347] RBP: ffff888048fce8c0 R08: ffff8880326bc980 R09: 0000000000000008 [ 170.949590][ T5347] R10: 000000000000000f R11: 0000000000000000 R12: dffffc0000000000 [ 170.954119][ T5347] R13: dffffc0000000000 R14: 0000000000000036 R15: 1ffff92001c51f54 [ 170.957538][ T5347] FS: 0000000000000000(0000) GS:ffff88808ca55000(0000) knlGS:0000000000000000 [ 170.961537][ T5347] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 170.964687][ T5347] CR2: 00007f59c58b6bc0 CR3: 000000004885f000 CR4: 0000000000352ef0 [ 170.968822][ T5347] Call Trace: [ 170.970232][ T5347] [ 170.971373][ T5347] ? __alloc_skb+0x4e5/0x7d0 [ 170.973375][ T5347] ? skb_put+0x11b/0x210 [ 170.975162][ T5347] rose_write_internal+0x1256/0x1b60 [ 170.977234][ T5347] ? lockdep_hardirqs_on+0x7a/0x110 [ 170.979887][ T5347] ? __pfx_rose_write_internal+0x10/0x10 [ 170.982837][ T5347] ? timer_delete+0x245/0x340 [ 170.985414][ T5347] rose_release+0x25b/0x510 [ 170.987564][ T5347] sock_close+0xc3/0x240 [ 170.989501][ T5347] ? __pfx_sock_close+0x10/0x10 [ 170.991478][ T5347] __fput+0x44f/0xa70 [ 170.992906][ T5347] task_work_run+0x1d9/0x270 [ 170.994672][ T5347] ? __pfx_task_work_run+0x10/0x10 [ 170.996777][ T5347] ? do_raw_spin_unlock+0x4d/0x210 [ 170.999481][ T5347] do_exit+0x70f/0x23c0 [ 171.001902][ T5347] ? _raw_spin_unlock_irqrestore+0x4c/0x80 [ 171.004306][ T5347] ? __pfx_do_exit+0x10/0x10 [ 171.006215][ T5347] ? preempt_schedule_thunk+0x16/0x30 [ 171.008518][ T5347] ? preempt_schedule_common+0x82/0xd0 [ 171.010882][ T5347] ? preempt_schedule_thunk+0x16/0x30 [ 171.013580][ T5347] do_group_exit+0x21b/0x2d0 [ 171.015746][ T5347] __x64_sys_exit_group+0x3f/0x40 [ 171.018171][ T5347] x64_sys_call+0x221a/0x2240 [ 171.020368][ T5347] do_syscall_64+0x14d/0xf80 [ 171.022602][ T5347] ? trace_irq_disable+0x3b/0x150 [ 171.025421][ T5347] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 171.028945][ T5347] ? clear_bhb_loop+0x40/0x90 [ 171.031263][ T5347] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 171.033993][ T5347] RIP: 0033:0x7f68dcb9c799 [ 171.036157][ T5347] Code: Unable to access opcode bytes at 0x7f68dcb9c76f. [ 171.039616][ T5347] RSP: 002b:00007ffe3870a878 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 171.044882][ T5347] RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007f68dcb9c799 [ 171.048724][ T5347] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000000000b [ 171.052410][ T5347] RBP: 00000000000016a1 R08: 00007ffe3870b437 R09: 000000000000000b [ 171.057303][ T5347] R10: 00007f68dce15fa0 R11: 0000000000000246 R12: 0000000000000003 [ 171.061761][ T5347] R13: 00007f68dce1627c R14: 00007f68dce16278 R15: 00007f68dce16270 [ 171.065301][ T5347] [ 171.066961][ T5347] Modules linked in: [ 171.070124][ T5347] ---[ end trace 0000000000000000 ]--- [ 171.083067][ T5347] RIP: 0010:rose_transmit_link+0x32/0xac0 [ 171.086640][ T5347] Code: 56 41 55 41 54 53 48 83 ec 40 48 89 f3 48 89 fd 49 bc 00 00 00 00 00 fc ff df e8 89 60 2d f7 4c 8d 73 36 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 13 09 00 00 45 0f b6 36 31 ff 44 89 f6 [ 171.108309][ T5347] RSP: 0018:ffffc9000e28f9a8 EFLAGS: 00010207 [ 171.114853][ T5347] RAX: 0000000000000006 RBX: 0000000000000000 RCX: ffff8880326bc980 [ 171.118821][ T5347] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888048fce8c0 [ 171.124986][ T5347] RBP: ffff888048fce8c0 R08: ffff8880326bc980 R09: 0000000000000008 [ 171.128833][ T5347] R10: 000000000000000f R11: 0000000000000000 R12: dffffc0000000000 [ 171.150184][ T5347] R13: dffffc0000000000 R14: 0000000000000036 R15: 1ffff92001c51f54 [ 171.153955][ T5347] FS: 0000000000000000(0000) GS:ffff88808ca55000(0000) knlGS:0000000000000000 [ 171.158405][ T5347] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 171.170194][ T5347] CR2: 00007f59c58b6bc0 CR3: 000000004885f000 CR4: 0000000000352ef0 [ 171.174473][ T5347] Kernel panic - not syncing: Fatal exception [ 171.177692][ T5347] Kernel Offset: disabled [ 171.179734][ T5347] Rebooting in 86400 seconds..