Extracting prog: 34m38.234860999s Minimizing prog: 13m29.11165899s Simplifying prog options: 0s Extracting C: 39.943032666s Simplifying C: 24m18.803126812s extracting reproducer from 15 programs testing a last program of every proc single: executing 4 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-openat$fuse-mount$fuse-mount$fuse-open_tree-open_tree-mount$fuse-sendfile detailed listing: executing program 0: mkdir(&(0x7f0000000400)='./file0\x00', 0x0) r0 = openat$fuse(0xffffffffffffff9c, &(0x7f00000000c0), 0x42, 0x0) mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000002100), 0x0, &(0x7f0000002140)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=r0, @ANYBLOB=',rootmode=0000000000000000040000,user_id=', @ANYRESDEC=0x0, @ANYBLOB=',group_id=', @ANYRESDEC=0x0]) mount$fuse(0x0, &(0x7f0000000280)='./file0\x00', 0x0, 0x100000, 0x0) r1 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901) open_tree(r1, &(0x7f0000000080)='.\x00', 0x9001) mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', 0x0, 0x84000, 0x0) sendfile(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000000000)=0x2eb4, 0x2000007ff) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_control_io$hid-syz_emit_vhci detailed listing: executing program 0: syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-syz_open_dev$char_usb-openat$sequencer-ioctl$FS_IOC_GETVERSION-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETCRTC-openat$binderfs-epoll_create1 detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x3f, &(0x7f00000000c0)=ANY=[@ANYBLOB="11010000733336088dee1adb23610000000109022d0001100000000904000003fe03010009cd8d1f000200000009050502000000001009058b1e20"], 0x0) syz_usb_control_io(r0, 0x0, &(0x7f0000000300)={0x84, &(0x7f0000000440)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r1 = syz_open_dev$char_usb(0xc, 0xb4, 0x0) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000040), 0x8002, 0x0) ioctl$FS_IOC_GETVERSION(r1, 0xc0145b0e, &(0x7f0000000040)) r2 = syz_open_dev$dri(0x0, 0x1, 0x0) ioctl$DRM_IOCTL_MODE_GETCRTC(r2, 0xc06864a1, 0x0) openat$binderfs(0xffffffffffffff9c, 0x0, 0x2, 0x0) epoll_create1(0x80000) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io$hid detailed listing: executing program 0: r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x8, 0x2006, 0x118, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0xa0, 0xf, [{{0x9, 0x4, 0x0, 0x0, 0x4, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0xfffa, 0x8, 0x1, {0x22, 0x7}}, {{{0x9, 0x5, 0x81, 0x3, 0x3ff, 0xc9}}}}}]}}]}}, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, &(0x7f0000000040)={0x24, 0x0, 0x0, &(0x7f0000000000)={0x0, 0x22, 0x7, {[@main=@item_4={0x3, 0x0, 0xa, "bba899a3"}, @local=@item_012={0x1, 0x2, 0x7, "1c"}]}}, 0x0}, 0x0) program did not crash single: failed to extract reproducer bisect: bisecting 15 programs with base timeout 30s testing program (duration=33s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 3, 4, 1, 27, 9, 6, 8, 1, 3, 9, 2, 2, 9, 8] detailed listing: executing program 3: syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) executing program 0: r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x8, 0x2006, 0x118, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0xa0, 0xf, [{{0x9, 0x4, 0x0, 0x0, 0x4, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0xfffa, 0x8, 0x1, {0x22, 0x7}}, {{{0x9, 0x5, 0x81, 0x3, 0x3ff, 0xc9}}}}}]}}]}}, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, &(0x7f0000000040)={0x24, 0x0, 0x0, &(0x7f0000000000)={0x0, 0x22, 0x7, {[@main=@item_4={0x3, 0x0, 0xa, "bba899a3"}, @local=@item_012={0x1, 0x2, 0x7, "1c"}]}}, 0x0}, 0x0) executing program 2: r0 = socket$inet_smc(0x2b, 0x1, 0x0) setsockopt$inet_tcp_buf(r0, 0x6, 0xd, &(0x7f00000008c0)='.', 0x1) listen(r0, 0x6) writev(r0, &(0x7f0000001180)=[{&(0x7f0000000080)="04", 0x1}], 0x1) executing program 2: sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000300)=ANY=[@ANYBLOB="140000003b00010324bd7002fadbdf2501"], 0x14}}, 0x10) executing program 3: socketpair$nbd(0x1, 0x1, 0x0, &(0x7f00000007c0)) openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000040), 0x20000, 0x0) openat$loop_ctrl(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat2(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', &(0x7f0000000080)={0x420000, 0x82, 0x8}, 0x18) syz_genetlink_get_family_id$l2tp(&(0x7f0000000140), 0xffffffffffffffff) mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x2000000, 0x50, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0) r2 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ethtool(&(0x7f00000001c0), 0xffffffffffffffff) sendmsg$ETHTOOL_MSG_STRSET_GET(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={0x0, 0x28}, 0x1, 0x0, 0x0, 0x40080}, 0x4800) recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x2, 0xfffffe0000000001, 0xfa11, 0xfffffffb}, 0x0) fsetxattr$security_capability(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x1) r3 = syz_open_dev$I2C(&(0x7f0000000d80), 0x0, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF(0xffffffffffffffff, 0x84, 0x66, &(0x7f0000000440)={0x0, 0xc}, &(0x7f0000000480)=0x8) ioctl$EXT4_IOC_GET_ES_CACHE(r4, 0x40086602, 0x0) ioctl$I2C_SMBUS(r3, 0x720, &(0x7f0000000580)={0x1, 0x0, 0x7, 0x0}) keyctl$instantiate(0xc, 0x0, &(0x7f0000000100)=ANY=[@ANYBLOB='new default user:syz 0000096'], 0x2a, 0xfffffffffffffff9) add_key(&(0x7f0000000140)='encrypted\x00', &(0x7f0000000180), &(0x7f0000000100), 0xca, 0xfffffffffffffffe) add_key(&(0x7f0000000140)='encrypted\x00', &(0x7f0000000180), &(0x7f0000000100), 0xca, 0xfffffffffffffffe) write$USERIO_CMD_SEND_INTERRUPT(0xffffffffffffffff, 0x0, 0x0) ioctl$VIDIOC_S_EXT_CTRLS(0xffffffffffffffff, 0xc0205648, &(0x7f0000000100)={0x980000, 0x1, 0x0, 0xffffffffffffffff, 0x0, &(0x7f0000000080)={0x98f90b, 0x9, '\x00', @p_u16=&(0x7f0000000040)}}) socket$nl_netfilter(0x10, 0x3, 0xc) executing program 2: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) close(r0) r1 = socket$inet6_mptcp(0xa, 0x1, 0x106) bind$inet6(r0, &(0x7f00000000c0)={0xa, 0x4e22, 0x0, @empty, 0x4000006}, 0x1c) listen(r1, 0x6) r2 = socket$inet_mptcp(0x2, 0x1, 0x106) connect$inet(r2, &(0x7f0000000000)={0x2, 0x4e22, @local}, 0x10) r3 = accept(r0, 0x0, 0x0) sendmsg$TEAM_CMD_OPTIONS_SET(r3, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000080)=ANY=[], 0xfffffdef}}, 0x0) executing program 1: bind$tipc(0xffffffffffffffff, &(0x7f00000000c0)=@name={0x1e, 0x2, 0x0, {{0x42, 0x3}}}, 0x10) ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101}) r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000780), r0) mount$tmpfs(0x0, 0x0, 0x0, 0x10a40a2, &(0x7f0000000040)=ANY=[@ANYBLOB="f4697a653d"]) sendmsg$NL80211_CMD_FRAME(r0, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000640)={&(0x7f0000000000)=ANY=[@ANYBLOB="88020000", @ANYRES16=r1, @ANYBLOB="010000000000000000003b00000008000300", @ANYRES32, @ANYBLOB="6102330050300100080211000001080211000000505050505050"], 0x288}, 0x1, 0x0, 0x0, 0x800}, 0x0) executing program 1: openat$sndseq(0xffffffffffffff9c, 0x0, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) close(r0) r1 = socket$inet6_mptcp(0xa, 0x1, 0x106) bind$inet6(r0, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty, 0x1}, 0x1c) listen(r1, 0x0) r2 = socket$inet_mptcp(0x2, 0x1, 0x106) connect$inet(r2, &(0x7f0000000000)={0x2, 0x4e22, @empty}, 0x10) executing program 1: sendmsg$netlink(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000280)=ANY=[@ANYBLOB="180100002e00010000000000ffdbdf250601f2090c00180008ac0f000000000014000a"], 0x118}], 0x1, 0x0, 0x0, 0x400c445}, 0x0) executing program 2: creat(&(0x7f0000000400)='./bus\x00', 0x0) r0 = open(&(0x7f0000000100)='./bus\x00', 0x0, 0x0) finit_module(r0, 0x0, 0x0) executing program 3: r0 = syz_usb_connect(0x0, 0x3f, &(0x7f00000000c0)=ANY=[@ANYBLOB="11010000733336088dee1adb23610000000109022d0001100000000904000003fe03010009cd8d1f000200000009050502000000001009058b1e20"], 0x0) syz_usb_control_io(r0, 0x0, &(0x7f0000000300)={0x84, &(0x7f0000000440)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r1 = syz_open_dev$char_usb(0xc, 0xb4, 0x0) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000040), 0x8002, 0x0) ioctl$FS_IOC_GETVERSION(r1, 0xc0145b0e, &(0x7f0000000040)) r2 = syz_open_dev$dri(0x0, 0x1, 0x0) ioctl$DRM_IOCTL_MODE_GETCRTC(r2, 0xc06864a1, 0x0) openat$binderfs(0xffffffffffffff9c, 0x0, 0x2, 0x0) epoll_create1(0x80000) executing program 2: syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) executing program 1: r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, 0x0, 0x10) executing program 1: r0 = syz_open_dev$dri(&(0x7f0000000000), 0x1ff, 0x0) ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, &(0x7f0000000200)={0x82e, 0x101, 0x4}) r1 = syz_open_dev$dri(&(0x7f0000000440), 0x1, 0x48240) ioctl$DRM_IOCTL_SET_CLIENT_CAP(r1, 0x4010640d, &(0x7f0000000000)={0x3, 0x2}) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r1, 0xc01064b5, &(0x7f0000000040)={&(0x7f0000000100)=[0x0], 0x1}) ioctl$DRM_IOCTL_MODE_SETPLANE(r0, 0xc03064b7, &(0x7f0000000440)={r2, 0x0, 0x0, 0x1, 0x8, 0x8, 0x0, 0xf7b4, 0x1000, 0x7, 0x4d, 0x4}) ioctl$DRM_IOCTL_MODE_SETPLANE(r0, 0xc03064b7, &(0x7f0000000480)={r2, 0x0, 0x0, 0x6, 0x0, 0x8, 0x0, 0x8, 0xfffffff2, 0x7, 0x0, 0x9a9e}) ioctl$DRM_IOCTL_MODE_GETRESOURCES(0xffffffffffffffff, 0xc04064a0, &(0x7f0000000040)={0x0, &(0x7f00000002c0)=[0x0], 0x0, 0x0, 0xfffffd52, 0x1}) ioctl$DRM_IOCTL_MODE_CURSOR(r0, 0xc01c64a3, &(0x7f0000000280)={0x3, r3, 0x1, 0xffff, 0xa, 0x1ff, 0x1}) executing program 1: mkdir(&(0x7f0000000400)='./file0\x00', 0x0) r0 = openat$fuse(0xffffffffffffff9c, &(0x7f00000000c0), 0x42, 0x0) mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000002100), 0x0, &(0x7f0000002140)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=r0, @ANYBLOB=',rootmode=0000000000000000040000,user_id=', @ANYRESDEC=0x0, @ANYBLOB=',group_id=', @ANYRESDEC=0x0]) mount$fuse(0x0, &(0x7f0000000280)='./file0\x00', 0x0, 0x100000, 0x0) r1 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901) open_tree(r1, &(0x7f0000000080)='.\x00', 0x9001) mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', 0x0, 0x84000, 0x0) sendfile(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000000000)=0x2eb4, 0x2000007ff) program did not crash replaying the whole log did not cause a kernel crash single: executing 4 programs separately with timeout 1m40s testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-openat$fuse-mount$fuse-mount$fuse-open_tree-open_tree-mount$fuse-sendfile detailed listing: executing program 0: mkdir(&(0x7f0000000400)='./file0\x00', 0x0) r0 = openat$fuse(0xffffffffffffff9c, &(0x7f00000000c0), 0x42, 0x0) mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000002100), 0x0, &(0x7f0000002140)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=r0, @ANYBLOB=',rootmode=0000000000000000040000,user_id=', @ANYRESDEC=0x0, @ANYBLOB=',group_id=', @ANYRESDEC=0x0]) mount$fuse(0x0, &(0x7f0000000280)='./file0\x00', 0x0, 0x100000, 0x0) r1 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901) open_tree(r1, &(0x7f0000000080)='.\x00', 0x9001) mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', 0x0, 0x84000, 0x0) sendfile(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000000000)=0x2eb4, 0x2000007ff) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_control_io$hid-syz_emit_vhci detailed listing: executing program 0: syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-syz_open_dev$char_usb-openat$sequencer-ioctl$FS_IOC_GETVERSION-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETCRTC-openat$binderfs-epoll_create1 detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x3f, &(0x7f00000000c0)=ANY=[@ANYBLOB="11010000733336088dee1adb23610000000109022d0001100000000904000003fe03010009cd8d1f000200000009050502000000001009058b1e20"], 0x0) syz_usb_control_io(r0, 0x0, &(0x7f0000000300)={0x84, &(0x7f0000000440)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r1 = syz_open_dev$char_usb(0xc, 0xb4, 0x0) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000040), 0x8002, 0x0) ioctl$FS_IOC_GETVERSION(r1, 0xc0145b0e, &(0x7f0000000040)) r2 = syz_open_dev$dri(0x0, 0x1, 0x0) ioctl$DRM_IOCTL_MODE_GETCRTC(r2, 0xc06864a1, 0x0) openat$binderfs(0xffffffffffffff9c, 0x0, 0x2, 0x0) epoll_create1(0x80000) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io$hid detailed listing: executing program 0: r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x8, 0x2006, 0x118, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0xa0, 0xf, [{{0x9, 0x4, 0x0, 0x0, 0x4, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0xfffa, 0x8, 0x1, {0x22, 0x7}}, {{{0x9, 0x5, 0x81, 0x3, 0x3ff, 0xc9}}}}}]}}]}}, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, &(0x7f0000000040)={0x24, 0x0, 0x0, &(0x7f0000000000)={0x0, 0x22, 0x7, {[@main=@item_4={0x3, 0x0, 0xa, "bba899a3"}, @local=@item_012={0x1, 0x2, 0x7, "1c"}]}}, 0x0}, 0x0) program did not crash single: failed to extract reproducer bisect: bisecting 15 programs with base timeout 1m40s testing program (duration=1m43s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 3, 4, 1, 27, 9, 6, 8, 1, 3, 9, 2, 2, 9, 8] detailed listing: executing program 3: syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) executing program 0: r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x8, 0x2006, 0x118, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0xa0, 0xf, [{{0x9, 0x4, 0x0, 0x0, 0x4, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0xfffa, 0x8, 0x1, {0x22, 0x7}}, {{{0x9, 0x5, 0x81, 0x3, 0x3ff, 0xc9}}}}}]}}]}}, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, &(0x7f0000000040)={0x24, 0x0, 0x0, &(0x7f0000000000)={0x0, 0x22, 0x7, {[@main=@item_4={0x3, 0x0, 0xa, "bba899a3"}, @local=@item_012={0x1, 0x2, 0x7, "1c"}]}}, 0x0}, 0x0) executing program 2: r0 = socket$inet_smc(0x2b, 0x1, 0x0) setsockopt$inet_tcp_buf(r0, 0x6, 0xd, &(0x7f00000008c0)='.', 0x1) listen(r0, 0x6) writev(r0, &(0x7f0000001180)=[{&(0x7f0000000080)="04", 0x1}], 0x1) executing program 2: sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000300)=ANY=[@ANYBLOB="140000003b00010324bd7002fadbdf2501"], 0x14}}, 0x10) executing program 3: socketpair$nbd(0x1, 0x1, 0x0, &(0x7f00000007c0)) openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000040), 0x20000, 0x0) openat$loop_ctrl(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat2(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', &(0x7f0000000080)={0x420000, 0x82, 0x8}, 0x18) syz_genetlink_get_family_id$l2tp(&(0x7f0000000140), 0xffffffffffffffff) mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x2000000, 0x50, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0) r2 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ethtool(&(0x7f00000001c0), 0xffffffffffffffff) sendmsg$ETHTOOL_MSG_STRSET_GET(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={0x0, 0x28}, 0x1, 0x0, 0x0, 0x40080}, 0x4800) recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x2, 0xfffffe0000000001, 0xfa11, 0xfffffffb}, 0x0) fsetxattr$security_capability(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x1) r3 = syz_open_dev$I2C(&(0x7f0000000d80), 0x0, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF(0xffffffffffffffff, 0x84, 0x66, &(0x7f0000000440)={0x0, 0xc}, &(0x7f0000000480)=0x8) ioctl$EXT4_IOC_GET_ES_CACHE(r4, 0x40086602, 0x0) ioctl$I2C_SMBUS(r3, 0x720, &(0x7f0000000580)={0x1, 0x0, 0x7, 0x0}) keyctl$instantiate(0xc, 0x0, &(0x7f0000000100)=ANY=[@ANYBLOB='new default user:syz 0000096'], 0x2a, 0xfffffffffffffff9) add_key(&(0x7f0000000140)='encrypted\x00', &(0x7f0000000180), &(0x7f0000000100), 0xca, 0xfffffffffffffffe) add_key(&(0x7f0000000140)='encrypted\x00', &(0x7f0000000180), &(0x7f0000000100), 0xca, 0xfffffffffffffffe) write$USERIO_CMD_SEND_INTERRUPT(0xffffffffffffffff, 0x0, 0x0) ioctl$VIDIOC_S_EXT_CTRLS(0xffffffffffffffff, 0xc0205648, &(0x7f0000000100)={0x980000, 0x1, 0x0, 0xffffffffffffffff, 0x0, &(0x7f0000000080)={0x98f90b, 0x9, '\x00', @p_u16=&(0x7f0000000040)}}) socket$nl_netfilter(0x10, 0x3, 0xc) executing program 2: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) close(r0) r1 = socket$inet6_mptcp(0xa, 0x1, 0x106) bind$inet6(r0, &(0x7f00000000c0)={0xa, 0x4e22, 0x0, @empty, 0x4000006}, 0x1c) listen(r1, 0x6) r2 = socket$inet_mptcp(0x2, 0x1, 0x106) connect$inet(r2, &(0x7f0000000000)={0x2, 0x4e22, @local}, 0x10) r3 = accept(r0, 0x0, 0x0) sendmsg$TEAM_CMD_OPTIONS_SET(r3, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000080)=ANY=[], 0xfffffdef}}, 0x0) executing program 1: bind$tipc(0xffffffffffffffff, &(0x7f00000000c0)=@name={0x1e, 0x2, 0x0, {{0x42, 0x3}}}, 0x10) ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101}) r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000780), r0) mount$tmpfs(0x0, 0x0, 0x0, 0x10a40a2, &(0x7f0000000040)=ANY=[@ANYBLOB="f4697a653d"]) sendmsg$NL80211_CMD_FRAME(r0, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000640)={&(0x7f0000000000)=ANY=[@ANYBLOB="88020000", @ANYRES16=r1, @ANYBLOB="010000000000000000003b00000008000300", @ANYRES32, @ANYBLOB="6102330050300100080211000001080211000000505050505050"], 0x288}, 0x1, 0x0, 0x0, 0x800}, 0x0) executing program 1: openat$sndseq(0xffffffffffffff9c, 0x0, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) close(r0) r1 = socket$inet6_mptcp(0xa, 0x1, 0x106) bind$inet6(r0, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty, 0x1}, 0x1c) listen(r1, 0x0) r2 = socket$inet_mptcp(0x2, 0x1, 0x106) connect$inet(r2, &(0x7f0000000000)={0x2, 0x4e22, @empty}, 0x10) executing program 1: sendmsg$netlink(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000280)=ANY=[@ANYBLOB="180100002e00010000000000ffdbdf250601f2090c00180008ac0f000000000014000a"], 0x118}], 0x1, 0x0, 0x0, 0x400c445}, 0x0) executing program 2: creat(&(0x7f0000000400)='./bus\x00', 0x0) r0 = open(&(0x7f0000000100)='./bus\x00', 0x0, 0x0) finit_module(r0, 0x0, 0x0) executing program 3: r0 = syz_usb_connect(0x0, 0x3f, &(0x7f00000000c0)=ANY=[@ANYBLOB="11010000733336088dee1adb23610000000109022d0001100000000904000003fe03010009cd8d1f000200000009050502000000001009058b1e20"], 0x0) syz_usb_control_io(r0, 0x0, &(0x7f0000000300)={0x84, &(0x7f0000000440)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r1 = syz_open_dev$char_usb(0xc, 0xb4, 0x0) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000040), 0x8002, 0x0) ioctl$FS_IOC_GETVERSION(r1, 0xc0145b0e, &(0x7f0000000040)) r2 = syz_open_dev$dri(0x0, 0x1, 0x0) ioctl$DRM_IOCTL_MODE_GETCRTC(r2, 0xc06864a1, 0x0) openat$binderfs(0xffffffffffffff9c, 0x0, 0x2, 0x0) epoll_create1(0x80000) executing program 2: syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) executing program 1: r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, 0x0, 0x10) executing program 1: r0 = syz_open_dev$dri(&(0x7f0000000000), 0x1ff, 0x0) ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, &(0x7f0000000200)={0x82e, 0x101, 0x4}) r1 = syz_open_dev$dri(&(0x7f0000000440), 0x1, 0x48240) ioctl$DRM_IOCTL_SET_CLIENT_CAP(r1, 0x4010640d, &(0x7f0000000000)={0x3, 0x2}) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r1, 0xc01064b5, &(0x7f0000000040)={&(0x7f0000000100)=[0x0], 0x1}) ioctl$DRM_IOCTL_MODE_SETPLANE(r0, 0xc03064b7, &(0x7f0000000440)={r2, 0x0, 0x0, 0x1, 0x8, 0x8, 0x0, 0xf7b4, 0x1000, 0x7, 0x4d, 0x4}) ioctl$DRM_IOCTL_MODE_SETPLANE(r0, 0xc03064b7, &(0x7f0000000480)={r2, 0x0, 0x0, 0x6, 0x0, 0x8, 0x0, 0x8, 0xfffffff2, 0x7, 0x0, 0x9a9e}) ioctl$DRM_IOCTL_MODE_GETRESOURCES(0xffffffffffffffff, 0xc04064a0, &(0x7f0000000040)={0x0, &(0x7f00000002c0)=[0x0], 0x0, 0x0, 0xfffffd52, 0x1}) ioctl$DRM_IOCTL_MODE_CURSOR(r0, 0xc01c64a3, &(0x7f0000000280)={0x3, r3, 0x1, 0xffff, 0xa, 0x1ff, 0x1}) executing program 1: mkdir(&(0x7f0000000400)='./file0\x00', 0x0) r0 = openat$fuse(0xffffffffffffff9c, &(0x7f00000000c0), 0x42, 0x0) mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000002100), 0x0, &(0x7f0000002140)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=r0, @ANYBLOB=',rootmode=0000000000000000040000,user_id=', @ANYRESDEC=0x0, @ANYBLOB=',group_id=', @ANYRESDEC=0x0]) mount$fuse(0x0, &(0x7f0000000280)='./file0\x00', 0x0, 0x100000, 0x0) r1 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901) open_tree(r1, &(0x7f0000000080)='.\x00', 0x9001) mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', 0x0, 0x84000, 0x0) sendfile(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000000000)=0x2eb4, 0x2000007ff) program crashed: KASAN: slab-use-after-free Write in hci_conn_drop bisect: bisecting 15 programs bisect: split chunks (needed=false): <15> bisect: split chunk #0 of len 15 into 3 parts bisect: testing without sub-chunk 1/3 testing program (duration=1m42s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [9, 6, 8, 1, 3, 9, 2, 2, 9, 8] detailed listing: executing program 2: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) close(r0) r1 = socket$inet6_mptcp(0xa, 0x1, 0x106) bind$inet6(r0, &(0x7f00000000c0)={0xa, 0x4e22, 0x0, @empty, 0x4000006}, 0x1c) listen(r1, 0x6) r2 = socket$inet_mptcp(0x2, 0x1, 0x106) connect$inet(r2, &(0x7f0000000000)={0x2, 0x4e22, @local}, 0x10) r3 = accept(r0, 0x0, 0x0) sendmsg$TEAM_CMD_OPTIONS_SET(r3, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000080)=ANY=[], 0xfffffdef}}, 0x0) executing program 1: bind$tipc(0xffffffffffffffff, &(0x7f00000000c0)=@name={0x1e, 0x2, 0x0, {{0x42, 0x3}}}, 0x10) ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101}) r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000780), r0) mount$tmpfs(0x0, 0x0, 0x0, 0x10a40a2, &(0x7f0000000040)=ANY=[@ANYBLOB="f4697a653d"]) sendmsg$NL80211_CMD_FRAME(r0, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000640)={&(0x7f0000000000)=ANY=[@ANYBLOB="88020000", @ANYRES16=r1, @ANYBLOB="010000000000000000003b00000008000300", @ANYRES32, @ANYBLOB="6102330050300100080211000001080211000000505050505050"], 0x288}, 0x1, 0x0, 0x0, 0x800}, 0x0) executing program 1: openat$sndseq(0xffffffffffffff9c, 0x0, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) close(r0) r1 = socket$inet6_mptcp(0xa, 0x1, 0x106) bind$inet6(r0, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty, 0x1}, 0x1c) listen(r1, 0x0) r2 = socket$inet_mptcp(0x2, 0x1, 0x106) connect$inet(r2, &(0x7f0000000000)={0x2, 0x4e22, @empty}, 0x10) executing program 1: sendmsg$netlink(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000280)=ANY=[@ANYBLOB="180100002e00010000000000ffdbdf250601f2090c00180008ac0f000000000014000a"], 0x118}], 0x1, 0x0, 0x0, 0x400c445}, 0x0) executing program 2: creat(&(0x7f0000000400)='./bus\x00', 0x0) r0 = open(&(0x7f0000000100)='./bus\x00', 0x0, 0x0) finit_module(r0, 0x0, 0x0) executing program 3: r0 = syz_usb_connect(0x0, 0x3f, &(0x7f00000000c0)=ANY=[@ANYBLOB="11010000733336088dee1adb23610000000109022d0001100000000904000003fe03010009cd8d1f000200000009050502000000001009058b1e20"], 0x0) syz_usb_control_io(r0, 0x0, &(0x7f0000000300)={0x84, &(0x7f0000000440)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r1 = syz_open_dev$char_usb(0xc, 0xb4, 0x0) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000040), 0x8002, 0x0) ioctl$FS_IOC_GETVERSION(r1, 0xc0145b0e, &(0x7f0000000040)) r2 = syz_open_dev$dri(0x0, 0x1, 0x0) ioctl$DRM_IOCTL_MODE_GETCRTC(r2, 0xc06864a1, 0x0) openat$binderfs(0xffffffffffffff9c, 0x0, 0x2, 0x0) epoll_create1(0x80000) executing program 2: syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) executing program 1: r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, 0x0, 0x10) executing program 1: r0 = syz_open_dev$dri(&(0x7f0000000000), 0x1ff, 0x0) ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, &(0x7f0000000200)={0x82e, 0x101, 0x4}) r1 = syz_open_dev$dri(&(0x7f0000000440), 0x1, 0x48240) ioctl$DRM_IOCTL_SET_CLIENT_CAP(r1, 0x4010640d, &(0x7f0000000000)={0x3, 0x2}) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r1, 0xc01064b5, &(0x7f0000000040)={&(0x7f0000000100)=[0x0], 0x1}) ioctl$DRM_IOCTL_MODE_SETPLANE(r0, 0xc03064b7, &(0x7f0000000440)={r2, 0x0, 0x0, 0x1, 0x8, 0x8, 0x0, 0xf7b4, 0x1000, 0x7, 0x4d, 0x4}) ioctl$DRM_IOCTL_MODE_SETPLANE(r0, 0xc03064b7, &(0x7f0000000480)={r2, 0x0, 0x0, 0x6, 0x0, 0x8, 0x0, 0x8, 0xfffffff2, 0x7, 0x0, 0x9a9e}) ioctl$DRM_IOCTL_MODE_GETRESOURCES(0xffffffffffffffff, 0xc04064a0, &(0x7f0000000040)={0x0, &(0x7f00000002c0)=[0x0], 0x0, 0x0, 0xfffffd52, 0x1}) ioctl$DRM_IOCTL_MODE_CURSOR(r0, 0xc01c64a3, &(0x7f0000000280)={0x3, r3, 0x1, 0xffff, 0xa, 0x1ff, 0x1}) executing program 1: mkdir(&(0x7f0000000400)='./file0\x00', 0x0) r0 = openat$fuse(0xffffffffffffff9c, &(0x7f00000000c0), 0x42, 0x0) mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000002100), 0x0, &(0x7f0000002140)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=r0, @ANYBLOB=',rootmode=0000000000000000040000,user_id=', @ANYRESDEC=0x0, @ANYBLOB=',group_id=', @ANYRESDEC=0x0]) mount$fuse(0x0, &(0x7f0000000280)='./file0\x00', 0x0, 0x100000, 0x0) r1 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901) open_tree(r1, &(0x7f0000000080)='.\x00', 0x9001) mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', 0x0, 0x84000, 0x0) sendfile(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000000000)=0x2eb4, 0x2000007ff) program did not crash bisect: testing without sub-chunk 2/3 testing program (duration=1m42s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 3, 4, 1, 27, 9, 2, 2, 9, 8] detailed listing: executing program 3: syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) executing program 0: r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x8, 0x2006, 0x118, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0xa0, 0xf, [{{0x9, 0x4, 0x0, 0x0, 0x4, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0xfffa, 0x8, 0x1, {0x22, 0x7}}, {{{0x9, 0x5, 0x81, 0x3, 0x3ff, 0xc9}}}}}]}}]}}, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, &(0x7f0000000040)={0x24, 0x0, 0x0, &(0x7f0000000000)={0x0, 0x22, 0x7, {[@main=@item_4={0x3, 0x0, 0xa, "bba899a3"}, @local=@item_012={0x1, 0x2, 0x7, "1c"}]}}, 0x0}, 0x0) executing program 2: r0 = socket$inet_smc(0x2b, 0x1, 0x0) setsockopt$inet_tcp_buf(r0, 0x6, 0xd, &(0x7f00000008c0)='.', 0x1) listen(r0, 0x6) writev(r0, &(0x7f0000001180)=[{&(0x7f0000000080)="04", 0x1}], 0x1) executing program 2: sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000300)=ANY=[@ANYBLOB="140000003b00010324bd7002fadbdf2501"], 0x14}}, 0x10) executing program 3: socketpair$nbd(0x1, 0x1, 0x0, &(0x7f00000007c0)) openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000040), 0x20000, 0x0) openat$loop_ctrl(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat2(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', &(0x7f0000000080)={0x420000, 0x82, 0x8}, 0x18) syz_genetlink_get_family_id$l2tp(&(0x7f0000000140), 0xffffffffffffffff) mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x2000000, 0x50, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0) r2 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ethtool(&(0x7f00000001c0), 0xffffffffffffffff) sendmsg$ETHTOOL_MSG_STRSET_GET(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={0x0, 0x28}, 0x1, 0x0, 0x0, 0x40080}, 0x4800) recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x2, 0xfffffe0000000001, 0xfa11, 0xfffffffb}, 0x0) fsetxattr$security_capability(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x1) r3 = syz_open_dev$I2C(&(0x7f0000000d80), 0x0, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF(0xffffffffffffffff, 0x84, 0x66, &(0x7f0000000440)={0x0, 0xc}, &(0x7f0000000480)=0x8) ioctl$EXT4_IOC_GET_ES_CACHE(r4, 0x40086602, 0x0) ioctl$I2C_SMBUS(r3, 0x720, &(0x7f0000000580)={0x1, 0x0, 0x7, 0x0}) keyctl$instantiate(0xc, 0x0, &(0x7f0000000100)=ANY=[@ANYBLOB='new default user:syz 0000096'], 0x2a, 0xfffffffffffffff9) add_key(&(0x7f0000000140)='encrypted\x00', &(0x7f0000000180), &(0x7f0000000100), 0xca, 0xfffffffffffffffe) add_key(&(0x7f0000000140)='encrypted\x00', &(0x7f0000000180), &(0x7f0000000100), 0xca, 0xfffffffffffffffe) write$USERIO_CMD_SEND_INTERRUPT(0xffffffffffffffff, 0x0, 0x0) ioctl$VIDIOC_S_EXT_CTRLS(0xffffffffffffffff, 0xc0205648, &(0x7f0000000100)={0x980000, 0x1, 0x0, 0xffffffffffffffff, 0x0, &(0x7f0000000080)={0x98f90b, 0x9, '\x00', @p_u16=&(0x7f0000000040)}}) socket$nl_netfilter(0x10, 0x3, 0xc) executing program 3: r0 = syz_usb_connect(0x0, 0x3f, &(0x7f00000000c0)=ANY=[@ANYBLOB="11010000733336088dee1adb23610000000109022d0001100000000904000003fe03010009cd8d1f000200000009050502000000001009058b1e20"], 0x0) syz_usb_control_io(r0, 0x0, &(0x7f0000000300)={0x84, &(0x7f0000000440)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r1 = syz_open_dev$char_usb(0xc, 0xb4, 0x0) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000040), 0x8002, 0x0) ioctl$FS_IOC_GETVERSION(r1, 0xc0145b0e, &(0x7f0000000040)) r2 = syz_open_dev$dri(0x0, 0x1, 0x0) ioctl$DRM_IOCTL_MODE_GETCRTC(r2, 0xc06864a1, 0x0) openat$binderfs(0xffffffffffffff9c, 0x0, 0x2, 0x0) epoll_create1(0x80000) executing program 2: syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) executing program 1: r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, 0x0, 0x10) executing program 1: r0 = syz_open_dev$dri(&(0x7f0000000000), 0x1ff, 0x0) ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, &(0x7f0000000200)={0x82e, 0x101, 0x4}) r1 = syz_open_dev$dri(&(0x7f0000000440), 0x1, 0x48240) ioctl$DRM_IOCTL_SET_CLIENT_CAP(r1, 0x4010640d, &(0x7f0000000000)={0x3, 0x2}) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r1, 0xc01064b5, &(0x7f0000000040)={&(0x7f0000000100)=[0x0], 0x1}) ioctl$DRM_IOCTL_MODE_SETPLANE(r0, 0xc03064b7, &(0x7f0000000440)={r2, 0x0, 0x0, 0x1, 0x8, 0x8, 0x0, 0xf7b4, 0x1000, 0x7, 0x4d, 0x4}) ioctl$DRM_IOCTL_MODE_SETPLANE(r0, 0xc03064b7, &(0x7f0000000480)={r2, 0x0, 0x0, 0x6, 0x0, 0x8, 0x0, 0x8, 0xfffffff2, 0x7, 0x0, 0x9a9e}) ioctl$DRM_IOCTL_MODE_GETRESOURCES(0xffffffffffffffff, 0xc04064a0, &(0x7f0000000040)={0x0, &(0x7f00000002c0)=[0x0], 0x0, 0x0, 0xfffffd52, 0x1}) ioctl$DRM_IOCTL_MODE_CURSOR(r0, 0xc01c64a3, &(0x7f0000000280)={0x3, r3, 0x1, 0xffff, 0xa, 0x1ff, 0x1}) executing program 1: mkdir(&(0x7f0000000400)='./file0\x00', 0x0) r0 = openat$fuse(0xffffffffffffff9c, &(0x7f00000000c0), 0x42, 0x0) mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000002100), 0x0, &(0x7f0000002140)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=r0, @ANYBLOB=',rootmode=0000000000000000040000,user_id=', @ANYRESDEC=0x0, @ANYBLOB=',group_id=', @ANYRESDEC=0x0]) mount$fuse(0x0, &(0x7f0000000280)='./file0\x00', 0x0, 0x100000, 0x0) r1 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901) open_tree(r1, &(0x7f0000000080)='.\x00', 0x9001) mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', 0x0, 0x84000, 0x0) sendfile(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000000000)=0x2eb4, 0x2000007ff) program crashed: KASAN: slab-use-after-free Write in hci_conn_drop bisect: the chunk can be dropped bisect: testing without sub-chunk 3/3 testing program (duration=1m41s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 3, 4, 1, 27] detailed listing: executing program 3: syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) executing program 0: r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x8, 0x2006, 0x118, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0xa0, 0xf, [{{0x9, 0x4, 0x0, 0x0, 0x4, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0xfffa, 0x8, 0x1, {0x22, 0x7}}, {{{0x9, 0x5, 0x81, 0x3, 0x3ff, 0xc9}}}}}]}}]}}, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, &(0x7f0000000040)={0x24, 0x0, 0x0, &(0x7f0000000000)={0x0, 0x22, 0x7, {[@main=@item_4={0x3, 0x0, 0xa, "bba899a3"}, @local=@item_012={0x1, 0x2, 0x7, "1c"}]}}, 0x0}, 0x0) executing program 2: r0 = socket$inet_smc(0x2b, 0x1, 0x0) setsockopt$inet_tcp_buf(r0, 0x6, 0xd, &(0x7f00000008c0)='.', 0x1) listen(r0, 0x6) writev(r0, &(0x7f0000001180)=[{&(0x7f0000000080)="04", 0x1}], 0x1) executing program 2: sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000300)=ANY=[@ANYBLOB="140000003b00010324bd7002fadbdf2501"], 0x14}}, 0x10) executing program 3: socketpair$nbd(0x1, 0x1, 0x0, &(0x7f00000007c0)) openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000040), 0x20000, 0x0) openat$loop_ctrl(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat2(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', &(0x7f0000000080)={0x420000, 0x82, 0x8}, 0x18) syz_genetlink_get_family_id$l2tp(&(0x7f0000000140), 0xffffffffffffffff) mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x2000000, 0x50, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0) r2 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ethtool(&(0x7f00000001c0), 0xffffffffffffffff) sendmsg$ETHTOOL_MSG_STRSET_GET(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={0x0, 0x28}, 0x1, 0x0, 0x0, 0x40080}, 0x4800) recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x2, 0xfffffe0000000001, 0xfa11, 0xfffffffb}, 0x0) fsetxattr$security_capability(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x1) r3 = syz_open_dev$I2C(&(0x7f0000000d80), 0x0, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF(0xffffffffffffffff, 0x84, 0x66, &(0x7f0000000440)={0x0, 0xc}, &(0x7f0000000480)=0x8) ioctl$EXT4_IOC_GET_ES_CACHE(r4, 0x40086602, 0x0) ioctl$I2C_SMBUS(r3, 0x720, &(0x7f0000000580)={0x1, 0x0, 0x7, 0x0}) keyctl$instantiate(0xc, 0x0, &(0x7f0000000100)=ANY=[@ANYBLOB='new default user:syz 0000096'], 0x2a, 0xfffffffffffffff9) add_key(&(0x7f0000000140)='encrypted\x00', &(0x7f0000000180), &(0x7f0000000100), 0xca, 0xfffffffffffffffe) add_key(&(0x7f0000000140)='encrypted\x00', &(0x7f0000000180), &(0x7f0000000100), 0xca, 0xfffffffffffffffe) write$USERIO_CMD_SEND_INTERRUPT(0xffffffffffffffff, 0x0, 0x0) ioctl$VIDIOC_S_EXT_CTRLS(0xffffffffffffffff, 0xc0205648, &(0x7f0000000100)={0x980000, 0x1, 0x0, 0xffffffffffffffff, 0x0, &(0x7f0000000080)={0x98f90b, 0x9, '\x00', @p_u16=&(0x7f0000000040)}}) socket$nl_netfilter(0x10, 0x3, 0xc) program crashed: KASAN: slab-use-after-free Write in hci_conn_drop bisect: the chunk can be dropped bisect: split chunks (needed=true): <5> bisect: split chunk #0 of len 5 into 2 parts bisect: testing without sub-chunk 1/2 testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 27] detailed listing: executing program 2: sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000300)=ANY=[@ANYBLOB="140000003b00010324bd7002fadbdf2501"], 0x14}}, 0x10) executing program 3: socketpair$nbd(0x1, 0x1, 0x0, &(0x7f00000007c0)) openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000040), 0x20000, 0x0) openat$loop_ctrl(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat2(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', &(0x7f0000000080)={0x420000, 0x82, 0x8}, 0x18) syz_genetlink_get_family_id$l2tp(&(0x7f0000000140), 0xffffffffffffffff) mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x2000000, 0x50, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0) r2 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ethtool(&(0x7f00000001c0), 0xffffffffffffffff) sendmsg$ETHTOOL_MSG_STRSET_GET(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={0x0, 0x28}, 0x1, 0x0, 0x0, 0x40080}, 0x4800) recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x2, 0xfffffe0000000001, 0xfa11, 0xfffffffb}, 0x0) fsetxattr$security_capability(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x1) r3 = syz_open_dev$I2C(&(0x7f0000000d80), 0x0, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF(0xffffffffffffffff, 0x84, 0x66, &(0x7f0000000440)={0x0, 0xc}, &(0x7f0000000480)=0x8) ioctl$EXT4_IOC_GET_ES_CACHE(r4, 0x40086602, 0x0) ioctl$I2C_SMBUS(r3, 0x720, &(0x7f0000000580)={0x1, 0x0, 0x7, 0x0}) keyctl$instantiate(0xc, 0x0, &(0x7f0000000100)=ANY=[@ANYBLOB='new default user:syz 0000096'], 0x2a, 0xfffffffffffffff9) add_key(&(0x7f0000000140)='encrypted\x00', &(0x7f0000000180), &(0x7f0000000100), 0xca, 0xfffffffffffffffe) add_key(&(0x7f0000000140)='encrypted\x00', &(0x7f0000000180), &(0x7f0000000100), 0xca, 0xfffffffffffffffe) write$USERIO_CMD_SEND_INTERRUPT(0xffffffffffffffff, 0x0, 0x0) ioctl$VIDIOC_S_EXT_CTRLS(0xffffffffffffffff, 0xc0205648, &(0x7f0000000100)={0x980000, 0x1, 0x0, 0xffffffffffffffff, 0x0, &(0x7f0000000080)={0x98f90b, 0x9, '\x00', @p_u16=&(0x7f0000000040)}}) socket$nl_netfilter(0x10, 0x3, 0xc) program did not crash bisect: testing without sub-chunk 2/2 testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 3, 4] detailed listing: executing program 3: syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) executing program 0: r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x8, 0x2006, 0x118, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0xa0, 0xf, [{{0x9, 0x4, 0x0, 0x0, 0x4, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0xfffa, 0x8, 0x1, {0x22, 0x7}}, {{{0x9, 0x5, 0x81, 0x3, 0x3ff, 0xc9}}}}}]}}]}}, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, &(0x7f0000000040)={0x24, 0x0, 0x0, &(0x7f0000000000)={0x0, 0x22, 0x7, {[@main=@item_4={0x3, 0x0, 0xa, "bba899a3"}, @local=@item_012={0x1, 0x2, 0x7, "1c"}]}}, 0x0}, 0x0) executing program 2: r0 = socket$inet_smc(0x2b, 0x1, 0x0) setsockopt$inet_tcp_buf(r0, 0x6, 0xd, &(0x7f00000008c0)='.', 0x1) listen(r0, 0x6) writev(r0, &(0x7f0000001180)=[{&(0x7f0000000080)="04", 0x1}], 0x1) program crashed: KASAN: slab-use-after-free Write in hci_conn_drop bisect: the chunk can be dropped bisect: split chunks (needed=true): <3> bisect: split chunk #0 of len 3 into 2 parts bisect: testing without sub-chunk 1/2 testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_smc-setsockopt$inet_tcp_buf-listen-writev detailed listing: executing program 2: r0 = socket$inet_smc(0x2b, 0x1, 0x0) setsockopt$inet_tcp_buf(r0, 0x6, 0xd, &(0x7f00000008c0)='.', 0x1) listen(r0, 0x6) writev(r0, &(0x7f0000001180)=[{&(0x7f0000000080)="04", 0x1}], 0x1) program did not crash bisect: testing without sub-chunk 2/2 testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 3] detailed listing: executing program 3: syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) executing program 0: r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x8, 0x2006, 0x118, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0xa0, 0xf, [{{0x9, 0x4, 0x0, 0x0, 0x4, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0xfffa, 0x8, 0x1, {0x22, 0x7}}, {{{0x9, 0x5, 0x81, 0x3, 0x3ff, 0xc9}}}}}]}}]}}, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, &(0x7f0000000040)={0x24, 0x0, 0x0, &(0x7f0000000000)={0x0, 0x22, 0x7, {[@main=@item_4={0x3, 0x0, 0xa, "bba899a3"}, @local=@item_012={0x1, 0x2, 0x7, "1c"}]}}, 0x0}, 0x0) program crashed: KASAN: slab-use-after-free Write in hci_conn_drop bisect: the chunk can be dropped bisect: split chunks (needed=true): <2> bisect: split chunk #0 of len 2 into 2 parts bisect: testing without sub-chunk 1/2 testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io$hid detailed listing: executing program 0: r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x8, 0x2006, 0x118, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0xa0, 0xf, [{{0x9, 0x4, 0x0, 0x0, 0x4, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0xfffa, 0x8, 0x1, {0x22, 0x7}}, {{{0x9, 0x5, 0x81, 0x3, 0x3ff, 0xc9}}}}}]}}]}}, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, &(0x7f0000000040)={0x24, 0x0, 0x0, &(0x7f0000000000)={0x0, 0x22, 0x7, {[@main=@item_4={0x3, 0x0, 0xa, "bba899a3"}, @local=@item_012={0x1, 0x2, 0x7, "1c"}]}}, 0x0}, 0x0) program did not crash bisect: testing without sub-chunk 2/2 testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_control_io$hid-syz_emit_vhci-syz_emit_vhci detailed listing: executing program 3: syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) program crashed: KASAN: slab-use-after-free Write in hci_conn_drop bisect: the chunk can be dropped bisect: split chunks (needed=true): <1> bisect: split chunk #0 of len 1 into 2 parts bisect: no way to further split the chunk bisect: 1 programs left: executing program 3: syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) bisect: trying to concatenate bisect: concatenate 1 entries testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_control_io$hid-syz_emit_vhci-syz_emit_vhci detailed listing: executing program 0: syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) program crashed: KASAN: slab-use-after-free Write in hci_conn_drop bisect: concatenation succeeded found reproducer with 3 syscalls minimizing guilty program testing program (duration=1m24.534800258s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_control_io$hid-syz_emit_vhci detailed listing: executing program 0: syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) program did not crash testing program (duration=1m24.534800258s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_control_io$hid-syz_emit_vhci detailed listing: executing program 0: syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) program did not crash testing program (duration=1m24.534800258s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci detailed listing: executing program 0: syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) program crashed: KASAN: slab-use-after-free Write in hci_conn_drop testing program (duration=1m24.534800258s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci detailed listing: executing program 0: syz_emit_vhci(0x0, 0x22) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) program did not crash testing program (duration=1m24.534800258s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci detailed listing: executing program 0: syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB], 0x22) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) program did not crash testing program (duration=1m24.534800258s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci detailed listing: executing program 0: syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(0x0, 0x7) program did not crash testing program (duration=1m24.534800258s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci detailed listing: executing program 0: syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB], 0x7) program did not crash extracting C reproducer testing compiled C program (duration=1m24.534800258s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci program crashed: KASAN: slab-use-after-free Write in hci_conn_drop simplifying C reproducer testing compiled C program (duration=1m24.534800258s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci program crashed: KASAN: slab-use-after-free Write in hci_conn_drop testing compiled C program (duration=1m24.534800258s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci program crashed: KASAN: slab-use-after-free Write in hci_conn_drop testing compiled C program (duration=1m24.534800258s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci program did not crash testing compiled C program (duration=1m24.534800258s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci program crashed: KASAN: slab-use-after-free Write in hci_conn_drop testing compiled C program (duration=1m24.534800258s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci program crashed: KASAN: slab-use-after-free Write in hci_conn_drop testing compiled C program (duration=1m24.534800258s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci program crashed: KASAN: slab-use-after-free Write in hci_conn_drop testing compiled C program (duration=1m24.534800258s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci program crashed: KASAN: slab-use-after-free Write in hci_conn_drop testing compiled C program (duration=1m24.534800258s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci program crashed: KASAN: slab-use-after-free Write in hci_conn_drop testing compiled C program (duration=1m24.534800258s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci program crashed: KASAN: slab-use-after-free Write in hci_conn_drop testing compiled C program (duration=1m24.534800258s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci program did not crash testing compiled C program (duration=1m24.534800258s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci program crashed: KASAN: slab-use-after-free Write in hci_conn_drop testing compiled C program (duration=1m24.534800258s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci program crashed: KASAN: slab-use-after-free Write in hci_conn_drop testing compiled C program (duration=1m24.534800258s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci program crashed: KASAN: slab-use-after-free Write in hci_conn_drop testing compiled C program (duration=1m24.534800258s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci program crashed: KASAN: slab-use-after-free Write in hci_conn_drop testing compiled C program (duration=1m24.534800258s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci program crashed: KASAN: slab-use-after-free Write in hci_conn_drop testing compiled C program (duration=1m24.534800258s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci program crashed: KASAN: slab-use-after-free Write in hci_conn_drop testing program (duration=1m24.534800258s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci detailed listing: executing program 0: syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) program crashed: KASAN: slab-use-after-free Write in hci_conn_drop validation run: crashed=true testing program (duration=1m24.534800258s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci detailed listing: executing program 0: syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) program crashed: KASAN: slab-use-after-free Write in hci_conn_drop validation run: crashed=true testing program (duration=1m24.534800258s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci-syz_emit_vhci detailed listing: executing program 0: syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) program crashed: KASAN: slab-use-after-free Write in hci_conn_drop validation run: crashed=true reproducing took 1h18m24.628845283s repro crashed as (corrupted=false): ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2b0 include/net/bluetooth/hci_core.h:1688 Write of size 4 at addr ffff88807699c010 by task kworker/u9:1/5146 CPU: 1 UID: 0 PID: 5146 Comm: kworker/u9:1 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: hci0 hci_cmd_sync_work Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline] hci_conn_drop+0x34/0x2b0 include/net/bluetooth/hci_core.h:1688 hci_cmd_sync_work+0x262/0x400 net/bluetooth/hci_sync.c:334 process_one_work+0x93a/0x15a0 kernel/workqueue.c:3261 process_scheduled_works kernel/workqueue.c:3344 [inline] worker_thread+0x9b0/0xee0 kernel/workqueue.c:3425 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 Allocated by task 52: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:397 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414 kasan_kmalloc include/linux/kasan.h:262 [inline] __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5771 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] __hci_conn_add+0x3c5/0x1b30 net/bluetooth/hci_conn.c:963 le_conn_complete_evt+0x6f6/0x1420 net/bluetooth/hci_event.c:5714 hci_le_enh_conn_complete_evt+0x189/0x4a0 net/bluetooth/hci_event.c:5861 hci_event_func net/bluetooth/hci_event.c:7716 [inline] hci_event_packet+0x78f/0x1260 net/bluetooth/hci_event.c:7773 hci_rx_work+0x3ee/0x1060 net/bluetooth/hci_core.c:4076 process_one_work+0x93a/0x15a0 kernel/workqueue.c:3261 process_scheduled_works kernel/workqueue.c:3344 [inline] worker_thread+0x9b0/0xee0 kernel/workqueue.c:3425 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 Freed by task 52: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2540 [inline] slab_free mm/slub.c:6663 [inline] kfree+0x1c0/0x660 mm/slub.c:6871 device_release+0x9e/0x1d0 drivers/base/core.c:-1 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x228/0x570 lib/kobject.c:737 hci_conn_cleanup net/bluetooth/hci_conn.c:173 [inline] hci_conn_del+0xc36/0x1240 net/bluetooth/hci_conn.c:1234 hci_disconn_complete_evt+0x64e/0x950 net/bluetooth/hci_event.c:3451 hci_event_func net/bluetooth/hci_event.c:7719 [inline] hci_event_packet+0x7e3/0x1260 net/bluetooth/hci_event.c:7773 hci_rx_work+0x3ee/0x1060 net/bluetooth/hci_core.c:4076 process_one_work+0x93a/0x15a0 kernel/workqueue.c:3261 process_scheduled_works kernel/workqueue.c:3344 [inline] worker_thread+0x9b0/0xee0 kernel/workqueue.c:3425 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 The buggy address belongs to the object at ffff88807699c000 which belongs to the cache kmalloc-8k of size 8192 The buggy address is located 16 bytes inside of freed 8192-byte region [ffff88807699c000, ffff88807699e000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x76998 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88813fe27280 ffffea0000a7f600 0000000000000004 raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 head: 00fff00000000040 ffff88813fe27280 ffffea0000a7f600 0000000000000004 head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 head: 00fff00000000003 ffffea0001da6601 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5676, tgid 5676 (sh), ts 70333350172, free_ts 69886124165 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x234/0x290 mm/page_alloc.c:1846 prep_new_page mm/page_alloc.c:1854 [inline] get_page_from_freelist+0x2365/0x2440 mm/page_alloc.c:3915 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486 alloc_slab_page mm/slub.c:3075 [inline] allocate_slab+0x86/0x3b0 mm/slub.c:3248 new_slab mm/slub.c:3302 [inline] ___slab_alloc+0xf2b/0x1960 mm/slub.c:4651 __slab_alloc+0x65/0x100 mm/slub.c:4774 __slab_alloc_node mm/slub.c:4850 [inline] slab_alloc_node mm/slub.c:5246 [inline] __kmalloc_cache_noprof+0x41e/0x700 mm/slub.c:5766 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] tomoyo_print_bprm security/tomoyo/audit.c:26 [inline] tomoyo_init_log+0x111f/0x1f70 security/tomoyo/audit.c:264 tomoyo_supervisor+0x340/0x1480 security/tomoyo/common.c:2198 tomoyo_find_next_domain+0x488/0x1aa0 security/tomoyo/domain.c:762 tomoyo_bprm_check_security+0x11c/0x180 security/tomoyo/tomoyo.c:102 security_bprm_check+0x89/0x270 security/security.c:794 search_binary_handler fs/exec.c:1659 [inline] exec_binprm fs/exec.c:1701 [inline] bprm_execve+0x887/0x1400 fs/exec.c:1753 do_execveat_common+0x510/0x6a0 fs/exec.c:1859 do_execve fs/exec.c:1933 [inline] __do_sys_execve fs/exec.c:2009 [inline] __se_sys_execve fs/exec.c:2004 [inline] __x64_sys_execve+0x94/0xb0 fs/exec.c:2004 page last free pid 5671 tgid 5671 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1395 [inline] __free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943 discard_slab mm/slub.c:3346 [inline] __put_partials+0x146/0x170 mm/slub.c:3886 put_cpu_partial+0x1f2/0x2d0 mm/slub.c:3961 __slab_free+0x288/0x2a0 mm/slub.c:5947 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:349 kasan_slab_alloc include/linux/kasan.h:252 [inline] slab_post_alloc_hook mm/slub.c:4948 [inline] slab_alloc_node mm/slub.c:5258 [inline] __do_kmalloc_node mm/slub.c:5651 [inline] __kmalloc_node_track_caller_noprof+0x526/0x820 mm/slub.c:5759 kmalloc_reserve+0x136/0x290 net/core/skbuff.c:608 __alloc_skb+0x27e/0x430 net/core/skbuff.c:690 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0xca/0x890 net/core/skbuff.c:6712 sock_alloc_send_pskb+0x84d/0x980 net/core/sock.c:2995 unix_dgram_sendmsg+0x454/0x1840 net/unix/af_unix.c:2130 sock_sendmsg_nosec+0x18f/0x1d0 net/socket.c:728 __sock_sendmsg net/socket.c:743 [inline] __sys_sendto+0x3ce/0x540 net/socket.c:2212 __do_sys_sendto net/socket.c:2219 [inline] __se_sys_sendto net/socket.c:2215 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2215 Memory state around the buggy address: ffff88807699bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88807699bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88807699c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88807699c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807699c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== final repro crashed as (corrupted=false): ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2b0 include/net/bluetooth/hci_core.h:1688 Write of size 4 at addr ffff88807699c010 by task kworker/u9:1/5146 CPU: 1 UID: 0 PID: 5146 Comm: kworker/u9:1 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: hci0 hci_cmd_sync_work Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline] hci_conn_drop+0x34/0x2b0 include/net/bluetooth/hci_core.h:1688 hci_cmd_sync_work+0x262/0x400 net/bluetooth/hci_sync.c:334 process_one_work+0x93a/0x15a0 kernel/workqueue.c:3261 process_scheduled_works kernel/workqueue.c:3344 [inline] worker_thread+0x9b0/0xee0 kernel/workqueue.c:3425 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 Allocated by task 52: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:397 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414 kasan_kmalloc include/linux/kasan.h:262 [inline] __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5771 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] __hci_conn_add+0x3c5/0x1b30 net/bluetooth/hci_conn.c:963 le_conn_complete_evt+0x6f6/0x1420 net/bluetooth/hci_event.c:5714 hci_le_enh_conn_complete_evt+0x189/0x4a0 net/bluetooth/hci_event.c:5861 hci_event_func net/bluetooth/hci_event.c:7716 [inline] hci_event_packet+0x78f/0x1260 net/bluetooth/hci_event.c:7773 hci_rx_work+0x3ee/0x1060 net/bluetooth/hci_core.c:4076 process_one_work+0x93a/0x15a0 kernel/workqueue.c:3261 process_scheduled_works kernel/workqueue.c:3344 [inline] worker_thread+0x9b0/0xee0 kernel/workqueue.c:3425 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 Freed by task 52: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2540 [inline] slab_free mm/slub.c:6663 [inline] kfree+0x1c0/0x660 mm/slub.c:6871 device_release+0x9e/0x1d0 drivers/base/core.c:-1 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x228/0x570 lib/kobject.c:737 hci_conn_cleanup net/bluetooth/hci_conn.c:173 [inline] hci_conn_del+0xc36/0x1240 net/bluetooth/hci_conn.c:1234 hci_disconn_complete_evt+0x64e/0x950 net/bluetooth/hci_event.c:3451 hci_event_func net/bluetooth/hci_event.c:7719 [inline] hci_event_packet+0x7e3/0x1260 net/bluetooth/hci_event.c:7773 hci_rx_work+0x3ee/0x1060 net/bluetooth/hci_core.c:4076 process_one_work+0x93a/0x15a0 kernel/workqueue.c:3261 process_scheduled_works kernel/workqueue.c:3344 [inline] worker_thread+0x9b0/0xee0 kernel/workqueue.c:3425 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 The buggy address belongs to the object at ffff88807699c000 which belongs to the cache kmalloc-8k of size 8192 The buggy address is located 16 bytes inside of freed 8192-byte region [ffff88807699c000, ffff88807699e000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x76998 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88813fe27280 ffffea0000a7f600 0000000000000004 raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 head: 00fff00000000040 ffff88813fe27280 ffffea0000a7f600 0000000000000004 head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 head: 00fff00000000003 ffffea0001da6601 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5676, tgid 5676 (sh), ts 70333350172, free_ts 69886124165 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x234/0x290 mm/page_alloc.c:1846 prep_new_page mm/page_alloc.c:1854 [inline] get_page_from_freelist+0x2365/0x2440 mm/page_alloc.c:3915 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486 alloc_slab_page mm/slub.c:3075 [inline] allocate_slab+0x86/0x3b0 mm/slub.c:3248 new_slab mm/slub.c:3302 [inline] ___slab_alloc+0xf2b/0x1960 mm/slub.c:4651 __slab_alloc+0x65/0x100 mm/slub.c:4774 __slab_alloc_node mm/slub.c:4850 [inline] slab_alloc_node mm/slub.c:5246 [inline] __kmalloc_cache_noprof+0x41e/0x700 mm/slub.c:5766 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] tomoyo_print_bprm security/tomoyo/audit.c:26 [inline] tomoyo_init_log+0x111f/0x1f70 security/tomoyo/audit.c:264 tomoyo_supervisor+0x340/0x1480 security/tomoyo/common.c:2198 tomoyo_find_next_domain+0x488/0x1aa0 security/tomoyo/domain.c:762 tomoyo_bprm_check_security+0x11c/0x180 security/tomoyo/tomoyo.c:102 security_bprm_check+0x89/0x270 security/security.c:794 search_binary_handler fs/exec.c:1659 [inline] exec_binprm fs/exec.c:1701 [inline] bprm_execve+0x887/0x1400 fs/exec.c:1753 do_execveat_common+0x510/0x6a0 fs/exec.c:1859 do_execve fs/exec.c:1933 [inline] __do_sys_execve fs/exec.c:2009 [inline] __se_sys_execve fs/exec.c:2004 [inline] __x64_sys_execve+0x94/0xb0 fs/exec.c:2004 page last free pid 5671 tgid 5671 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1395 [inline] __free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943 discard_slab mm/slub.c:3346 [inline] __put_partials+0x146/0x170 mm/slub.c:3886 put_cpu_partial+0x1f2/0x2d0 mm/slub.c:3961 __slab_free+0x288/0x2a0 mm/slub.c:5947 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:349 kasan_slab_alloc include/linux/kasan.h:252 [inline] slab_post_alloc_hook mm/slub.c:4948 [inline] slab_alloc_node mm/slub.c:5258 [inline] __do_kmalloc_node mm/slub.c:5651 [inline] __kmalloc_node_track_caller_noprof+0x526/0x820 mm/slub.c:5759 kmalloc_reserve+0x136/0x290 net/core/skbuff.c:608 __alloc_skb+0x27e/0x430 net/core/skbuff.c:690 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0xca/0x890 net/core/skbuff.c:6712 sock_alloc_send_pskb+0x84d/0x980 net/core/sock.c:2995 unix_dgram_sendmsg+0x454/0x1840 net/unix/af_unix.c:2130 sock_sendmsg_nosec+0x18f/0x1d0 net/socket.c:728 __sock_sendmsg net/socket.c:743 [inline] __sys_sendto+0x3ce/0x540 net/socket.c:2212 __do_sys_sendto net/socket.c:2219 [inline] __se_sys_sendto net/socket.c:2215 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2215 Memory state around the buggy address: ffff88807699bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88807699bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88807699c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88807699c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807699c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================