program: r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0xd, 0x4, &(0x7f0000000040)=@framed={{}, [@ldst={0x1, 0x2, 0x4, 0x2, 0x1, 0xca}]}, &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0xd, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0xffffffff}, 0x94) bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000300)={{0x1, 0xffffffffffffffff}, &(0x7f0000000080), &(0x7f00000002c0)=r0}, 0x20) r2 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0) ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000000c0)=0xf) r3 = fcntl$dupfd(r2, 0x406, r2) ioctl$TCFLSH(r3, 0x400455c8, 0x2) ioctl$TIOCSETD(r3, 0x5412, &(0x7f0000000140)=0xffffffc0) ioctl$TIOCSTI(r3, 0x5412, &(0x7f0000000040)=0xfc) ioctl$TIOCSTI(r3, 0x5412, &(0x7f0000000340)=0x5) ioctl$TIOCSTI(r3, 0x5412, &(0x7f00000001c0)=0xfe) r4 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) fdatasync(r4) r5 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000580)={0xffffffffffffffff, 0x9, 0x8}, 0xc) r6 = bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f00000005c0)={0x3, 0x4, 0x4, 0xa, 0x0, 0x1, 0x7f, '\x00', 0x0, 0xffffffffffffffff, 0x4, 0x5, 0x4}, 0x50) r7 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x101100, 0x0) ioctl$EXT4_IOC_GROUP_ADD(r7, 0x4010bc05, &(0x7f00000000c0)={0x1f, 0x0, 0x7fffffbf, 0x7fffffffffffffff, 0x400868, 0x8}) r8 = open(&(0x7f00000002c0)='./file0\x00', 0x14937e, 0x0) ioctl$F2FS_IOC_GET_FEATURES(r8, 0x8004f50c, &(0x7f0000000300)) bpf$PROG_LOAD_XDP(0x5, &(0x7f00000006c0)={0x6, 0x5, &(0x7f0000000380)=@raw=[@alu={0x7, 0x0, 0x6, 0xb, 0x9, 0x7fffffffffffff90, 0xffffffffffffffff}, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffb}, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffa}, @map_fd={0x18, 0xa, 0x1, 0x0, r1}], &(0x7f00000003c0)='GPL\x00', 0x7ff, 0xd5, &(0x7f0000000400)=""/213, 0x41000, 0x2, '\x00', 0x0, 0x25, r3, 0x8, &(0x7f0000000500)={0x4, 0x2}, 0x8, 0x10, &(0x7f0000000540)={0x3, 0x7, 0x0, 0x5}, 0x10, 0x0, 0x0, 0x2, &(0x7f0000000640)=[r4, r5, r6, r7, r8], &(0x7f0000000680)=[{0x4, 0x4, 0x3, 0x4}, {0x1, 0x3, 0xa, 0x4}], 0x10, 0x40}, 0x94) r9 = memfd_create(&(0x7f00000000c0)='-B\xd5N4\xa6Ey\xdb\xd1\xa7\xb1S\xf1:)\x00\x8a\xd7Uw\x00\xbc\xa92\xb3\xbb\x8d\xac\xacva}knh#\xcf)\x0f\xc8\xc0:\x9cc\x10d\xee\xa9\x8b\x066\xb8G\xd1c\xe1$\xff\x97\x8f~\xb90a\xa9\xb2\x04K\x98\x93=\xabQ\xf7\x19\xea\xef\xe3\xe1@\x84\x13\xefZb:\x8f\t\x01B\xec\xde\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@Ip]D\xd6\r\xac\v#co\xd5\xb9\xc806\xa8\x99\xffs7\xa1b1\xb1;i)j\x0e\x1e\xedI\xa2\x80\x89\x1d\xd9p!\xc86s\xe07(\xee\xf9<\"\xf0\xc8\xae\x96J\xe2]\x01\x86\xb7.<\xf5N\xd3\x94W1\xff\x18z>\xa7q,\xf7\x96\xb8{\x8e\xbf4\xe0\x95\x1ce\xe4\x85\xcdi\xed\xd3>\xeb\xa5\xaf\x87\x90@\xd1\xbd`^\xfa\xb6\x9cj\x13/\xc5\\W\x04\br\x17X\xf3\xfb\xc8\xd4\xaeX\xc9s\xd18\xd9L\xbf\xa0\xa6\xdf2\a\x99i\xb1/\x19@4q\xebw\xf5\xff\xff\xff\xff\xff\xff\xac\xd3q\xe4vPGU', 0x0) r10 = openat$udambuf(0xffffffffffffff9c, &(0x7f0000000040), 0x2) r11 = fsmount(0xffffffffffffffff, 0x0, 0x7) ioctl$UDMABUF_CREATE_LIST(r10, 0x40087543, &(0x7f0000000200)={0x1, 0x4, [{r11, 0x0, 0xb000, 0xfffff000}, {r9, 0x0, 0x100000000, 0x10000}, {r9, 0x0, 0x10000ffff7000, 0x100000000}, {r9, 0x0, 0x8000, 0x800}]}) r12 = openat$binfmt_register(0xffffffffffffff9c, &(0x7f0000000340), 0x1, 0x0) write$binfmt_register(r12, &(0x7f0000000000)={0x3a, 'syz2', 0x3a, 'E', 0x3a, 0x0, 0x3a, '\x02', 0x3a, ']', 0x3a, './file0/file0'}, 0x2f) r13 = dup(r9) execveat(r13, &(0x7f0000000000)='\x00', 0x0, 0x0, 0x1000) [ 75.477957][ T5334] Bluetooth: hci0: command tx timeout [ 75.617845][ T5354] Oops: general protection fault, probably for non-canonical address 0xdffffc000000005f: 0000 [#1] SMP KASAN NOPTI [ 75.628046][ T5354] KASAN: null-ptr-deref in range [0x00000000000002f8-0x00000000000002ff] [ 75.631331][ T5354] CPU: 0 UID: 0 PID: 5354 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.645276][ T5354] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.657488][ T5354] RIP: 0010:h5_recv+0x146/0x910 [ 75.662057][ T5354] Code: 18 48 c1 ea 03 48 89 54 24 28 48 89 d8 48 c1 e8 03 48 89 44 24 50 44 89 64 24 14 48 b8 00 00 00 00 00 fc ff df 48 8b 4c 24 30 <80> 3c 01 00 74 08 4c 89 ef e8 0c f4 b7 f9 4d 8b 65 00 31 ff 4c 89 [ 75.685285][ T5354] RSP: 0018:ffffc9000d39fc40 EFLAGS: 00010202 [ 75.688049][ T5354] RAX: dffffc0000000000 RBX: 00000000000002e8 RCX: 000000000000005f [ 75.691324][ T5354] RDX: 000000000000005e RSI: 0000000000000001 RDI: 0000000000000000 [ 75.713275][ T5354] RBP: ffffc9000d39fd60 R08: ffff88803fdca01f R09: 1ffff11007fb9403 [ 75.716891][ T5354] R10: dffffc0000000000 R11: ffffffff886cc8e0 R12: 0000000000000001 [ 75.720565][ T5354] R13: 00000000000002f8 R14: ffff88803fdca010 R15: ffffc9000d39fe00 [ 75.733549][ T5354] FS: 00007f9e5242a6c0(0000) GS:ffff88808d00a000(0000) knlGS:0000000000000000 [ 75.737516][ T5354] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.740518][ T5354] CR2: 00007f9e52429fc8 CR3: 000000003ec95000 CR4: 0000000000352ef0 [ 75.754367][ T5354] Call Trace: [ 75.756041][ T5354] [ 75.757427][ T5354] ? __pfx_h5_recv+0x10/0x10 [ 75.759596][ T5354] ? rcu_read_lock_any_held+0xb3/0x120 [ 75.762932][ T5354] ? __pfx_rcu_read_lock_any_held+0x10/0x10 [ 75.774657][ T5354] ? tty_audit_push+0x7c/0x250 [ 75.776935][ T5354] hci_uart_tty_receive+0x194/0x220 [ 75.779361][ T5354] ? __pfx_hci_uart_tty_receive+0x10/0x10 [ 75.781998][ T5354] tiocsti+0x239/0x2c0 [ 75.794162][ T5354] ? __pfx_tiocsti+0x10/0x10 [ 75.796364][ T5354] ? __fget_files+0x2a/0x420 [ 75.798502][ T5354] ? __fget_files+0x3a0/0x420 [ 75.800739][ T5354] ? __fget_files+0x2a/0x420 [ 75.813214][ T5354] tty_ioctl+0x626/0xde0 [ 75.814930][ T5354] ? __pfx_tty_ioctl+0x10/0x10 [ 75.816902][ T5354] __se_sys_ioctl+0xf9/0x170 [ 75.818773][ T5354] do_syscall_64+0xfa/0x3b0 [ 75.821313][ T5354] ? lockdep_hardirqs_on+0x9c/0x150 [ 75.834402][ T5354] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.837051][ T5354] ? clear_bhb_loop+0x60/0xb0 [ 75.839041][ T5354] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.841388][ T5354] RIP: 0033:0x7f9e5158eba9 [ 75.853403][ T5354] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.861810][ T5354] RSP: 002b:00007f9e5242a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 75.878258][ T5354] RAX: ffffffffffffffda RBX: 00007f9e517d6090 RCX: 00007f9e5158eba9 [ 75.881786][ T5354] RDX: 0000200000000140 RSI: 0000000000005412 RDI: 0000000000000004 [ 75.885974][ T5354] RBP: 00007f9e51611e19 R08: 0000000000000000 R09: 0000000000000000 [ 75.894514][ T5354] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.905835][ T5354] R13: 00007f9e517d6128 R14: 00007f9e517d6090 R15: 00007fff52ad3b18 [ 75.909533][ T5354] [ 75.910923][ T5354] Modules linked in: [ 75.923248][ T5354] ---[ end trace 0000000000000000 ]--- [ 75.948699][ T5354] RIP: 0010:h5_recv+0x146/0x910 [ 75.950656][ T5354] Code: 18 48 c1 ea 03 48 89 54 24 28 48 89 d8 48 c1 e8 03 48 89 44 24 50 44 89 64 24 14 48 b8 00 00 00 00 00 fc ff df 48 8b 4c 24 30 <80> 3c 01 00 74 08 4c 89 ef e8 0c f4 b7 f9 4d 8b 65 00 31 ff 4c 89 [ 75.978456][ T5354] RSP: 0018:ffffc9000d39fc40 EFLAGS: 00010202 [ 75.981212][ T5354] RAX: dffffc0000000000 RBX: 00000000000002e8 RCX: 000000000000005f [ 75.996035][ T5354] RDX: 000000000000005e RSI: 0000000000000001 RDI: 0000000000000000 [ 76.000282][ T5354] RBP: ffffc9000d39fd60 R08: ffff88803fdca01f R09: 1ffff11007fb9403 [ 76.014782][ T5354] R10: dffffc0000000000 R11: ffffffff886cc8e0 R12: 0000000000000001 [ 76.019481][ T5354] R13: 00000000000002f8 R14: ffff88803fdca010 R15: ffffc9000d39fe00 [ 76.045930][ T5354] FS: 00007f9e5242a6c0(0000) GS:ffff88808d00a000(0000) knlGS:0000000000000000 [ 76.058377][ T5354] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 76.061276][ T5354] CR2: 00007f9e52408fc8 CR3: 000000003ec95000 CR4: 0000000000352ef0 [ 76.085590][ T5354] Kernel panic - not syncing: Fatal exception [ 76.088501][ T5354] Kernel Offset: disabled [ 76.090414][ T5354] Rebooting in 86400 seconds..