program: r0 = syz_open_dev$ttys(0xc, 0x2, 0x1) r1 = syz_open_dev$tty1(0xc, 0x4, 0x1) r2 = fcntl$dupfd(r0, 0x0, r1) ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000000c0)=0xf) ioctl$KDSIGACCEPT(r0, 0x400455c8, 0x4000000002) ioctl$TIOCSTI(r2, 0x5412, &(0x7f0000000000)) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket(0x10, 0x803, 0x0) bind$netlink(r4, &(0x7f0000000100)={0x10, 0x0, 0x25dfdbfd, 0x400}, 0xc) getsockname$packet(r4, &(0x7f0000000600)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000080)=0x14) sendmmsg$inet6(r2, &(0x7f0000000340)=[{{0x0, 0x0, &(0x7f0000000280)=[{&(0x7f00000001c0)="09961b2051e5e186d3b0bcbf93cbb2ae24011399547077aadfab34c63206567fc0daf01e9d6244e6785b936038dc52f3764112b03dca21de9ff45855b118c1748dcf339418e2cd3759ba31285dee5061604136b004", 0x55}], 0x1, &(0x7f0000000300)=[@pktinfo={{0x24, 0x29, 0x32, {@private1, r5}}}, @hoplimit={{0x14, 0x29, 0x34, 0x401}}], 0x40}}], 0x1, 0x800) sendmsg$nl_route(r3, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000040)=@newlink={0x3c, 0x10, 0x40d, 0x70bd2a, 0x0, {0x0, 0x0, 0x0, r5, 0x1}, [@IFLA_LINKINFO={0x1c, 0x12, 0x0, 0x1, @bond={{0x9}, {0xc, 0x2, 0x0, 0x1, [@IFLA_BOND_MODE={0x5, 0x1, 0x6}]}}}]}, 0x3c}, 0x1, 0x0, 0x0, 0x40040}, 0x0) r6 = socket$nl_route(0x10, 0x3, 0x0) r7 = socket(0x1, 0x803, 0x0) getsockname$packet(r7, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000002c0)=0x14) sendmsg$nl_route(r6, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000004c0)=@newlink={0x50, 0x10, 0x401, 0x70bd25, 0x0, {0x0, 0x0, 0x0, 0x0, 0x40018}, [@IFLA_LINKINFO={0x28, 0x12, 0x0, 0x1, @geneve={{0xb}, {0x18, 0x2, 0x0, 0x1, [@IFLA_GENEVE_REMOTE6={0x14, 0x7, @private2}]}}}, @IFLA_MASTER={0x8, 0xa, r8}]}, 0x50}}, 0x0) [ 68.239001][ T4685] Bluetooth: hci0: command tx timeout [ 68.419082][ T5338] Oops: general protection fault, probably for non-canonical address 0xdffffc000000005f: 0000 [#1] SMP KASAN NOPTI [ 68.436424][ T5338] KASAN: null-ptr-deref in range [0x00000000000002f8-0x00000000000002ff] [ 68.439921][ T5338] CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 68.449883][ T5338] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 68.454083][ T5338] RIP: 0010:h5_recv+0x136/0x850 [ 68.456429][ T5338] Code: 03 48 89 44 24 50 48 89 4c 24 10 48 c1 e9 03 48 89 4c 24 20 48 89 d8 48 c1 e8 03 48 89 44 24 48 4c 89 64 24 58 48 8b 44 24 28 <42> 80 3c 30 00 74 08 4c 89 ef e8 ab 8d d2 f9 4d 8b 65 00 31 ff 4c [ 68.487567][ T5338] RSP: 0018:ffffc9000caffc40 EFLAGS: 00010202 [ 68.490116][ T5338] RAX: 000000000000005f RBX: 00000000000002e8 RCX: 000000000000005e [ 68.507632][ T5338] RDX: 000000000000005f RSI: 0000000000000001 RDI: 0000000000000000 [ 68.511767][ T5338] RBP: ffffc9000caffd60 R08: ffff88803885a01f R09: 1ffff1100710b403 [ 68.537572][ T5338] R10: dffffc0000000000 R11: ffffffff8858abf0 R12: ffff88803885a010 [ 68.541816][ T5338] R13: 00000000000002f8 R14: dffffc0000000000 R15: ffffc9000caffe00 [ 68.567386][ T5338] FS: 00007f5b40eda6c0(0000) GS:ffff88808cf1d000(0000) knlGS:0000000000000000 [ 68.571219][ T5338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 68.574137][ T5338] CR2: 00007f5b40ed9ff0 CR3: 0000000036754000 CR4: 0000000000352ef0 [ 68.590319][ T5338] Call Trace: [ 68.593145][ T5338] [ 68.594952][ T5338] ? __pfx_h5_recv+0x10/0x10 [ 68.597567][ T5338] hci_uart_tty_receive+0x194/0x220 [ 68.600295][ T5338] ? __pfx_hci_uart_tty_receive+0x10/0x10 [ 68.606036][ T5338] tiocsti+0x218/0x2a0 [ 68.626403][ T5338] ? __pfx_tiocsti+0x10/0x10 [ 68.630873][ T5338] ? __fget_files+0x2a/0x420 [ 68.633759][ T5338] ? __fget_files+0x3a0/0x420 [ 68.636562][ T5338] ? __fget_files+0x2a/0x420 [ 68.640101][ T5338] tty_ioctl+0x626/0xde0 [ 68.642884][ T5338] ? __pfx_tty_ioctl+0x10/0x10 [ 68.650902][ T5338] __se_sys_ioctl+0xfc/0x170 [ 68.653142][ T5338] do_syscall_64+0xe2/0xf80 [ 68.664006][ T5338] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.669396][ T5338] ? trace_irq_disable+0x37/0x100 [ 68.671524][ T5338] ? clear_bhb_loop+0x60/0xb0 [ 68.686338][ T5338] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.689110][ T5338] RIP: 0033:0x7f5b3ff9acb9 [ 68.691159][ T5338] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 68.747021][ T5338] RSP: 002b:00007f5b40eda028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 68.752672][ T5338] RAX: ffffffffffffffda RBX: 00007f5b40216090 RCX: 00007f5b3ff9acb9 [ 68.756880][ T5338] RDX: 0000200000000000 RSI: 0000000000005412 RDI: 0000000000000005 [ 68.760308][ T5338] RBP: 00007f5b40008bf7 R08: 0000000000000000 R09: 0000000000000000 [ 68.778472][ T5338] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 68.782100][ T5338] R13: 00007f5b40216128 R14: 00007f5b40216090 R15: 00007fff50179258 [ 68.785445][ T5338] [ 68.786861][ T5338] Modules linked in: [ 68.789044][ T5338] ---[ end trace 0000000000000000 ]--- [ 68.868756][ T5338] RIP: 0010:h5_recv+0x136/0x850 [ 68.871871][ T5338] Code: 03 48 89 44 24 50 48 89 4c 24 10 48 c1 e9 03 48 89 4c 24 20 48 89 d8 48 c1 e8 03 48 89 44 24 48 4c 89 64 24 58 48 8b 44 24 28 <42> 80 3c 30 00 74 08 4c 89 ef e8 ab 8d d2 f9 4d 8b 65 00 31 ff 4c [ 68.895175][ T5338] RSP: 0018:ffffc9000caffc40 EFLAGS: 00010202 [ 68.898919][ T5338] RAX: 000000000000005f RBX: 00000000000002e8 RCX: 000000000000005e [ 68.912025][ T5338] RDX: 000000000000005f RSI: 0000000000000001 RDI: 0000000000000000 [ 68.916757][ T5338] RBP: ffffc9000caffd60 R08: ffff88803885a01f R09: 1ffff1100710b403 [ 68.962900][ T5337] 8021q: adding VLAN 0 to HW filter on device bond1 [ 69.004615][ T5338] R10: dffffc0000000000 R11: ffffffff8858abf0 R12: ffff88803885a010 [ 69.025385][ T5337] bond1: (slave geneve2): making interface the new active one [ 69.034415][ T5338] R13: 00000000000002f8 R14: dffffc0000000000 R15: ffffc9000caffe00 [ 69.057614][ T5337] bond1: (slave geneve2): Enslaving as an active interface with an up link [ 69.063610][ T5338] FS: 00007f5b40eda6c0(0000) GS:ffff88808cf1d000(0000) knlGS:0000000000000000 [ 69.077098][ T5338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 69.080353][ T5338] CR2: 00007f5b401e5558 CR3: 0000000036754000 CR4: 0000000000352ef0 [ 69.099462][ T5338] Kernel panic - not syncing: Fatal exception [ 69.103233][ T5338] Kernel Offset: disabled [ 69.114950][ T5338] Rebooting in 86400 seconds..