Extracting prog: 5m50.370021445s
Minimizing prog: 47m25.25535757s
Simplifying prog options: 0s
Extracting C: 42.635006276s
Simplifying C: 21m56.998056399s
30 programs, timeouts [30s 1m40s 6m0s]
extracting reproducer from 30 programs
testing a last program of every proc
single: executing 5 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE-socket$nl_netfilter-sendmsg$IPSET_CMD_SWAP-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000640)=@base={0x1e, 0x0, 0x4, 0x3, 0x0, 0x1}, 0x48)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_SWAP(r1, &(0x7f0000000880)={0x0, 0x0, &(0x7f0000000840)={&(0x7f00000007c0)={0x28, 0x6, 0x6, 0x101, 0x0, 0x0, {0x0, 0x0, 0x5}, [@IPSET_ATTR_SETNAME={0x9, 0x2, 'syz0\x00'}, @IPSET_ATTR_PROTOCOL={0x5}]}, 0x28}, 0x1, 0x0, 0x0, 0x30008080}, 0x20048104)
bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000a40)={0x3, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000000000000b704000000000000850000005700000095"], 0x0}, 0x90)
r2 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='percpu_alloc_percpu\x00', r2}, 0x10)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_rdma-socket$netlink-socketpair$unix-sendmmsg$unix-socketpair$unix-sendmsg$inet-recvmsg$unix-pselect6-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route-sendmsg$RDMA_NLDEV_CMD_STAT_DEL-recvmmsg-sendmsg$RDMA_NLDEV_CMD_RES_PD_GET-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-socket$nl_generic-syz_genetlink_get_family_id$mptcp-sendmsg$MPTCP_PM_CMD_DEL_ADDR-sendmsg$MPTCP_PM_CMD_ANNOUNCE-sendmsg$IEEE802154_LLSEC_ADD_SECLEVEL detailed listing: executing program 0: r0 = socket$nl_rdma(0x10, 0x3, 0x14) r1 = socket$netlink(0x10, 0x3, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000001500)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$inet(r4, &(0x7f0000001b00)={0x0, 0x0, 0x0, 0x0, &(0x7f0000001d80)=ANY=[@ANYBLOB="28010000000000000100000001"], 0x128}, 0x0) recvmsg$unix(r3, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, &(0x7f00000000c0), 0x100}, 0x0) pselect6(0x65, &(0x7f0000000180)={0xfffffffffffffffd, 0x3}, 0x0, 0x0, 0x0, 0x0) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000080)={'bridge0\x00', 0x0}) sendmsg$nl_route(r1, &(0x7f0000000040)={0x0, 0x0, 
&(0x7f0000000100)={&(0x7f0000000240)=ANY=[@ANYBLOB="1c0000001d00070f000000000000000007000000", @ANYRES32=r5], 0x1c}}, 0x0) sendmsg$RDMA_NLDEV_CMD_STAT_DEL(r1, &(0x7f00000002c0)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x200}, 0xc, &(0x7f00000001c0)={&(0x7f0000000240)={0x50, 0x1412, 0x200, 0x70bd29, 0x25dfdbfb, "", [@RDMA_NLDEV_ATTR_STAT_RES={0x8}, @RDMA_NLDEV_ATTR_RES_LQPN={0x8, 0x15, 0x3}, @RDMA_NLDEV_ATTR_PORT_INDEX={0x8, 0x3, 0x3}, @RDMA_NLDEV_ATTR_PORT_INDEX={0x8, 0x3, 0x3}, @RDMA_NLDEV_ATTR_STAT_COUNTER_ID={0x8, 0x4f, 0x5}, @RDMA_NLDEV_ATTR_STAT_RES={0x8}, @RDMA_NLDEV_ATTR_STAT_RES={0x8}, @RDMA_NLDEV_ATTR_PORT_INDEX={0x8}]}, 0x50}, 0x1, 0x0, 0x0, 0x44}, 0x8000) recvmmsg(r0, &(0x7f0000000fc0)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0) sendmsg$RDMA_NLDEV_CMD_RES_PD_GET(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000300)=ANY=[@ANYBLOB="180000000e1443eb0000000000001900080001"], 0x18}}, 0x0) r6 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r7 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000000080), 0xffffffffffffffff) r8 = socket$nl_generic(0x10, 0x3, 0x10) r9 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000000), r8) sendmsg$MPTCP_PM_CMD_DEL_ADDR(r8, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000000c0)=ANY=[@ANYBLOB='8\x00\x00\x00', @ANYRES16=r9, @ANYBLOB="01000000000000000000020000002400018008000700", @ANYRES32=0x0, @ANYBLOB="0800030008010102060005004e24000006000100021200"], 0x38}}, 0x0) sendmsg$MPTCP_PM_CMD_ANNOUNCE(r1, &(0x7f0000000480)={&(0x7f0000000340)={0x10, 0x0, 0x0, 0x40}, 0xc, &(0x7f0000000440)={&(0x7f0000000380)={0xa0, r9, 0x2, 0x70bd2a, 0x25dfdbfb, {}, [@MPTCP_PM_ATTR_LOC_ID={0x5, 0x5, 0x4}, @MPTCP_PM_ATTR_RCV_ADD_ADDRS={0x8, 0x2, 0x2}, @MPTCP_PM_ATTR_RCV_ADD_ADDRS={0x8, 0x2, 0x1}, @MPTCP_PM_ATTR_ADDR_REMOTE={0x20, 0x6, 0x0, 0x1, [@MPTCP_PM_ADDR_ATTR_ADDR6={0x14, 0x4, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02'}, @MPTCP_PM_ADDR_ATTR_PORT={0x6, 0x5, 0x4e21}]}, @MPTCP_PM_ATTR_LOC_ID={0x5, 0x5, 
0x74}, @MPTCP_PM_ATTR_ADDR_REMOTE={0x38, 0x6, 0x0, 0x1, [@MPTCP_PM_ADDR_ATTR_ADDR4={0x8, 0x3, @remote}, @MPTCP_PM_ADDR_ATTR_FLAGS={0x8}, @MPTCP_PM_ADDR_ATTR_PORT={0x6, 0x5, 0x4e21}, @MPTCP_PM_ADDR_ATTR_ADDR6={0x14, 0x4, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02'}, @MPTCP_PM_ADDR_ATTR_ID={0x5, 0x2, 0x2}]}, @MPTCP_PM_ATTR_ADDR={0xc, 0x1, 0x0, 0x1, [@MPTCP_PM_ADDR_ATTR_FLAGS={0x8}]}, @MPTCP_PM_ATTR_TOKEN={0x8}]}, 0xa0}, 0x1, 0x0, 0x0, 0x8000}, 0x0) sendmsg$IEEE802154_LLSEC_ADD_SECLEVEL(r6, &(0x7f0000000140)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x100000}, 0xc, &(0x7f0000000100)={&(0x7f00000000c0)={0x30, r7, 0x100, 0x70bd2a, 0x25dfdbfd, {}, [@IEEE802154_ATTR_LLSEC_DEV_OVERRIDE={0x5}, @IEEE802154_ATTR_LLSEC_FRAME_TYPE={0x5, 0x33, 0x8}, @IEEE802154_ATTR_DEV_NAME={0xa, 0x1, 'wpan0\x00'}]}, 0x30}, 0x1, 0x0, 0x0, 0xc002}, 0x80) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-sendto$inet6-socket$packet-openat$tun-ioctl$TUNSETIFF-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun-ioctl$sock_SIOCGIFINDEX-socket$nl_route-socket$nl_netfilter-sendmsg$NFT_BATCH-socket$nl_generic-ioctl$sock_ipv4_tunnel_SIOCGETTUNNEL-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-getsockopt$inet_sctp6_SCTP_MAX_BURST-socket$nl_generic-sendmsg$NL80211_CMD_SET_TID_CONFIG-ioctl$sock_SIOCGIFINDEX-ioctl$ifreq_SIOCGIFINDEX_team-socket$inet6-socket-setsockopt$MRT6_ADD_MFC_PROXY-ioctl$sock_kcm_SIOCKCMCLONE-sendmsg$nl_route-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$netlbl_cipso-sendmsg$NLBL_CIPSOV4_C_ADD detailed listing: 
executing program 0: socket$inet6_sctp(0xa, 0x801, 0x84) sendto$inet6(0xffffffffffffffff, &(0x7f0000004b40)="c5", 0x1, 0x0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @dev, 0x12}, 0x1c) socket$packet(0x11, 0x0, 0x300) r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201}) r1 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r0, &(0x7f00000003c0)={@val={0x0, 0x800}, @val={0x1, 0x0, 0x0, 0x0, 0x5}, @mpls={[], @ipv4=@udp={{0x5, 0x4, 0x0, 0x8, 0x78, 0x0, 0x0, 0x9, 0x11, 0x0, @rand_addr=0x64010100, @dev={0xac, 0x14, 0x14, 0x14}}, {0x0, 0x4e23, 0x64, 0x0, @wg=@response={0x2, 0x0, 0x80, "020fa43bf7c207e653c4eaf6572e29bc6da6f5b3a9c69edefbb73dec0f713cef", "71e2b4cd1047ea30103bae45f7895ebc", {"2a29711f4121ad21021c38beeeae454b", "a8f9e2561aa6e8d019a7e9fc0ed26b72"}}}}}}, 0x86) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f00000000c0)={'ip_vti0\x00'}) r2 = socket$nl_route(0x10, 0x3, 0x0) r3 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r3, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000001c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a44000000090a03000000000000000000000000000900020073797a31000000000900010073797a310000000008000a4000000000080005400000828f08000440ffffff7f140000001100010000000000000000000000000a"], 0x6c}}, 0x0) r4 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_ipv4_tunnel_SIOCGETTUNNEL(0xffffffffffffffff, 0x89f0, &(0x7f0000000600)={'ip_vti0\x00', &(0x7f0000000100)={'sit0\x00', 0x0, 0x0, 0x7840, 0x0, 0x3, {{0x8, 0x4, 0x0, 0x0, 0x20, 0x0, 0x0, 0x0, 0x0, 0x0, @loopback, @multicast1, {[@end, @ssrr={0x89, 0xb, 0x80, [@multicast1, @multicast2]}]}}}}}) r5 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r5, 0x84, 0x6f, &(0x7f0000000280)={0x0, 0x1c, &(0x7f0000000000)=[@in6={0xa, 0x0, 0x0, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x9}]}, 
&(0x7f00000002c0)=0x10) getsockopt$inet_sctp6_SCTP_MAX_BURST(r5, 0x84, 0x83, &(0x7f0000000000)=@assoc_value, &(0x7f0000000300)=0x8) socket$nl_generic(0x10, 0x3, 0x10) sendmsg$NL80211_CMD_SET_TID_CONFIG(r4, 0x0, 0x0) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'wlan0\x00', 0x0}) ioctl$ifreq_SIOCGIFINDEX_team(r2, 0x8933, &(0x7f0000000040)={'team0\x00', 0x0}) socket$inet6(0xa, 0x3, 0x6) r8 = socket(0x0, 0x0, 0x0) setsockopt$MRT6_ADD_MFC_PROXY(r8, 0x29, 0xcf, 0x0, 0x4) ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, 0x0) sendmsg$nl_route(r2, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000080)=@newlink={0x44, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x4, 0x0, 0xe00}, [@IFLA_LINKINFO={0x14, 0x12, 0x0, 0x1, @macvlan={{0xc}, {0x4}}}, @IFLA_LINK={0x8, 0x5, r6}, @IFLA_MASTER={0x8, 0xa, r7}]}, 0x44}}, 0x0) r9 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r10 = syz_genetlink_get_family_id$netlbl_cipso(&(0x7f00000002c0), r9) sendmsg$NLBL_CIPSOV4_C_ADD(r9, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x40, r10, 0x1, 0x4004, 0x25dfdbfb, {}, [@NLBL_CIPSOV4_A_DOI={0x8, 0x1, 0x3}, @NLBL_CIPSOV4_A_MTYPE={0x8, 0x2, 0x2}, @NLBL_CIPSOV4_A_TAGLST={0x1c, 0x4, 0x0, 0x1, [{0x5, 0x3, 0x1}, {0x5, 0x3, 0x1}, {0x5, 0x3, 0x5}]}]}, 0x40}}, 0x0) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): 
syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-sendmsg$nl_route-socket$inet_udp-close-socket$nl_route-write$binfmt_misc-splice-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-unshare-syz_init_net_socket$nfc_llcp-setsockopt$nfc_llcp_NFC_LLCP_MIUX-socket$inet-epoll_create1-epoll_ctl$EPOLL_CTL_ADD-write$binfmt_misc-bind$bt_hci-write-ioctl$BTRFS_IOC_QUOTA_CTL detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r5 = socket(0x1, 0x803, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000280)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c6556823400b59500000000000000000a000000", @ANYRES32=r6, @ANYBLOB="1400020000000000000000000000ffff00000000"], 0x2c}, 0x1, 0x0, 0x0, 0x4}, 0x0) r7 = socket$inet_udp(0x2, 0x2, 0x0) close(r7) 
socket$nl_route(0x10, 0x3, 0x0) write$binfmt_misc(r4, &(0x7f0000000000)=ANY=[], 0xfffffecc) splice(r3, 0x0, r7, 0x0, 0x4ffe6, 0x0) r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r8, 0x400448ca, 0x0) bind$bt_hci(r8, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) unshare(0xa020480) r9 = syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) setsockopt$nfc_llcp_NFC_LLCP_MIUX(r9, 0x118, 0x1, &(0x7f0000000000), 0x4) r10 = socket$inet(0x2, 0x80001, 0x84) r11 = epoll_create1(0x0) epoll_ctl$EPOLL_CTL_ADD(r11, 0x1, r10, &(0x7f0000000180)={0x10000008}) write$binfmt_misc(r8, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) ioctl$BTRFS_IOC_QUOTA_CTL(r8, 0xc0109428, &(0x7f0000000000)={0x2}) program crashed: KASAN: slab-use-after-free Read in set_powered_sync single: successfully extracted reproducer found reproducer with 29 syscalls minimizing guilty program testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-sendmsg$nl_route-socket$inet_udp-close-socket$nl_route-write$binfmt_misc-splice-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-unshare-syz_init_net_socket$nfc_llcp-setsockopt$nfc_llcp_NFC_LLCP_MIUX-socket$inet-epoll_create1-epoll_ctl$EPOLL_CTL_ADD-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, 
&(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r5 = socket(0x1, 0x803, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000280)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c6556823400b59500000000000000000a000000", @ANYRES32=r6, @ANYBLOB="1400020000000000000000000000ffff00000000"], 0x2c}, 0x1, 0x0, 0x0, 0x4}, 0x0) r7 = socket$inet_udp(0x2, 0x2, 0x0) close(r7) socket$nl_route(0x10, 0x3, 0x0) write$binfmt_misc(r4, &(0x7f0000000000)=ANY=[], 0xfffffecc) splice(r3, 0x0, r7, 0x0, 0x4ffe6, 0x0) r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r8, 0x400448ca, 0x0) bind$bt_hci(r8, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) unshare(0xa020480) r9 = syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) setsockopt$nfc_llcp_NFC_LLCP_MIUX(r9, 0x118, 0x1, &(0x7f0000000000), 0x4) r10 = socket$inet(0x2, 0x80001, 0x84) r11 = epoll_create1(0x0) epoll_ctl$EPOLL_CTL_ADD(r11, 0x1, r10, &(0x7f0000000180)={0x10000008}) write$binfmt_misc(r8, 
&(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-sendmsg$nl_route-socket$inet_udp-close-socket$nl_route-write$binfmt_misc-splice-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-unshare-syz_init_net_socket$nfc_llcp-setsockopt$nfc_llcp_NFC_LLCP_MIUX-socket$inet-epoll_create1-epoll_ctl$EPOLL_CTL_ADD-write$binfmt_misc-bind$bt_hci detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 
0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r5 = socket(0x1, 0x803, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000280)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c6556823400b59500000000000000000a000000", @ANYRES32=r6, @ANYBLOB="1400020000000000000000000000ffff00000000"], 0x2c}, 0x1, 0x0, 0x0, 0x4}, 0x0) r7 = socket$inet_udp(0x2, 0x2, 0x0) close(r7) socket$nl_route(0x10, 0x3, 0x0) write$binfmt_misc(r4, &(0x7f0000000000)=ANY=[], 0xfffffecc) splice(r3, 0x0, r7, 0x0, 0x4ffe6, 0x0) r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r8, 0x400448ca, 0x0) bind$bt_hci(r8, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) unshare(0xa020480) r9 = syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) setsockopt$nfc_llcp_NFC_LLCP_MIUX(r9, 0x118, 0x1, &(0x7f0000000000), 0x4) r10 = socket$inet(0x2, 0x80001, 0x84) r11 = epoll_create1(0x0) epoll_ctl$EPOLL_CTL_ADD(r11, 0x1, r10, &(0x7f0000000180)={0x10000008}) write$binfmt_misc(r8, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) program did not crash testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): 
syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-sendmsg$nl_route-socket$inet_udp-close-socket$nl_route-write$binfmt_misc-splice-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-unshare-syz_init_net_socket$nfc_llcp-setsockopt$nfc_llcp_NFC_LLCP_MIUX-socket$inet-epoll_create1-epoll_ctl$EPOLL_CTL_ADD-write$binfmt_misc-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r5 = socket(0x1, 0x803, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000280)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c6556823400b59500000000000000000a000000", @ANYRES32=r6, @ANYBLOB="1400020000000000000000000000ffff00000000"], 0x2c}, 0x1, 0x0, 0x0, 0x4}, 0x0) r7 = socket$inet_udp(0x2, 0x2, 0x0) close(r7) socket$nl_route(0x10, 0x3, 0x0) 
write$binfmt_misc(r4, &(0x7f0000000000)=ANY=[], 0xfffffecc) splice(r3, 0x0, r7, 0x0, 0x4ffe6, 0x0) r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r8, 0x400448ca, 0x0) bind$bt_hci(r8, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) unshare(0xa020480) r9 = syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) setsockopt$nfc_llcp_NFC_LLCP_MIUX(r9, 0x118, 0x1, &(0x7f0000000000), 0x4) r10 = socket$inet(0x2, 0x80001, 0x84) r11 = epoll_create1(0x0) epoll_ctl$EPOLL_CTL_ADD(r11, 0x1, r10, &(0x7f0000000180)={0x10000008}) write$binfmt_misc(r8, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program did not crash testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-sendmsg$nl_route-socket$inet_udp-close-socket$nl_route-write$binfmt_misc-splice-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-unshare-syz_init_net_socket$nfc_llcp-setsockopt$nfc_llcp_NFC_LLCP_MIUX-socket$inet-epoll_create1-epoll_ctl$EPOLL_CTL_ADD-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 
0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r5 = socket(0x1, 0x803, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000280)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c6556823400b59500000000000000000a000000", @ANYRES32=r6, @ANYBLOB="1400020000000000000000000000ffff00000000"], 0x2c}, 0x1, 0x0, 0x0, 0x4}, 0x0) r7 = socket$inet_udp(0x2, 0x2, 0x0) close(r7) socket$nl_route(0x10, 0x3, 0x0) write$binfmt_misc(r4, &(0x7f0000000000)=ANY=[], 0xfffffecc) splice(r3, 0x0, r7, 0x0, 0x4ffe6, 0x0) r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r8, 0x400448ca, 0x0) bind$bt_hci(r8, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) unshare(0xa020480) r9 = syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) setsockopt$nfc_llcp_NFC_LLCP_MIUX(r9, 0x118, 0x1, &(0x7f0000000000), 0x4) r10 = socket$inet(0x2, 0x80001, 0x84) r11 = epoll_create1(0x0) epoll_ctl$EPOLL_CTL_ADD(r11, 0x1, r10, &(0x7f0000000180)={0x10000008}) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program did not crash testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true 
KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-sendmsg$nl_route-socket$inet_udp-close-socket$nl_route-write$binfmt_misc-splice-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-unshare-syz_init_net_socket$nfc_llcp-setsockopt$nfc_llcp_NFC_LLCP_MIUX-socket$inet-epoll_create1-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r5 = socket(0x1, 0x803, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000280)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, 
&(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c6556823400b59500000000000000000a000000", @ANYRES32=r6, @ANYBLOB="1400020000000000000000000000ffff00000000"], 0x2c}, 0x1, 0x0, 0x0, 0x4}, 0x0) r7 = socket$inet_udp(0x2, 0x2, 0x0) close(r7) socket$nl_route(0x10, 0x3, 0x0) write$binfmt_misc(r4, &(0x7f0000000000)=ANY=[], 0xfffffecc) splice(r3, 0x0, r7, 0x0, 0x4ffe6, 0x0) r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r8, 0x400448ca, 0x0) bind$bt_hci(r8, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) unshare(0xa020480) r9 = syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) setsockopt$nfc_llcp_NFC_LLCP_MIUX(r9, 0x118, 0x1, &(0x7f0000000000), 0x4) socket$inet(0x2, 0x80001, 0x84) epoll_create1(0x0) write$binfmt_misc(r8, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-sendmsg$nl_route-socket$inet_udp-close-socket$nl_route-write$binfmt_misc-splice-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-unshare-syz_init_net_socket$nfc_llcp-setsockopt$nfc_llcp_NFC_LLCP_MIUX-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = 
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r5 = socket(0x1, 0x803, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000280)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c6556823400b59500000000000000000a000000", @ANYRES32=r6, @ANYBLOB="1400020000000000000000000000ffff00000000"], 0x2c}, 0x1, 0x0, 0x0, 0x4}, 0x0) r7 = socket$inet_udp(0x2, 0x2, 0x0) close(r7) socket$nl_route(0x10, 0x3, 0x0) write$binfmt_misc(r4, &(0x7f0000000000)=ANY=[], 0xfffffecc) splice(r3, 0x0, r7, 0x0, 0x4ffe6, 0x0) r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r8, 0x400448ca, 0x0) bind$bt_hci(r8, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) unshare(0xa020480) r9 = syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) setsockopt$nfc_llcp_NFC_LLCP_MIUX(r9, 0x118, 0x1, &(0x7f0000000000), 0x4) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r8, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program crashed: KASAN: 
slab-use-after-free Read in set_powered_sync testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-sendmsg$nl_route-socket$inet_udp-close-socket$nl_route-write$binfmt_misc-splice-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-unshare-syz_init_net_socket$nfc_llcp-setsockopt$nfc_llcp_NFC_LLCP_MIUX-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r5 = socket(0x1, 
0x803, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000280)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c6556823400b59500000000000000000a000000", @ANYRES32=r6, @ANYBLOB="1400020000000000000000000000ffff00000000"], 0x2c}, 0x1, 0x0, 0x0, 0x4}, 0x0) r7 = socket$inet_udp(0x2, 0x2, 0x0) close(r7) socket$nl_route(0x10, 0x3, 0x0) write$binfmt_misc(r4, &(0x7f0000000000)=ANY=[], 0xfffffecc) splice(r3, 0x0, r7, 0x0, 0x4ffe6, 0x0) r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r8, 0x400448ca, 0x0) bind$bt_hci(r8, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) unshare(0xa020480) r9 = syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) setsockopt$nfc_llcp_NFC_LLCP_MIUX(r9, 0x118, 0x1, &(0x7f0000000000), 0x4) write$binfmt_misc(r8, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program did not crash testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-sendmsg$nl_route-socket$inet_udp-close-socket$nl_route-write$binfmt_misc-splice-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-unshare-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 
0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r5 = socket(0x1, 0x803, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000280)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c6556823400b59500000000000000000a000000", @ANYRES32=r6, @ANYBLOB="1400020000000000000000000000ffff00000000"], 0x2c}, 0x1, 0x0, 0x0, 0x4}, 0x0) r7 = socket$inet_udp(0x2, 0x2, 0x0) close(r7) socket$nl_route(0x10, 0x3, 0x0) write$binfmt_misc(r4, &(0x7f0000000000)=ANY=[], 0xfffffecc) splice(r3, 0x0, r7, 0x0, 0x4ffe6, 0x0) r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r8, 0x400448ca, 0x0) bind$bt_hci(r8, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) unshare(0xa020480) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r8, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program crashed: KASAN: 
slab-use-after-free Read in set_powered_sync testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-sendmsg$nl_route-socket$inet_udp-close-socket$nl_route-write$binfmt_misc-splice-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-unshare-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r5 = socket(0x1, 0x803, 0x0) getsockname$packet(r5, 
&(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000280)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c6556823400b59500000000000000000a000000", @ANYRES32=r6, @ANYBLOB="1400020000000000000000000000ffff00000000"], 0x2c}, 0x1, 0x0, 0x0, 0x4}, 0x0) r7 = socket$inet_udp(0x2, 0x2, 0x0) close(r7) socket$nl_route(0x10, 0x3, 0x0) write$binfmt_misc(r4, &(0x7f0000000000)=ANY=[], 0xfffffecc) splice(r3, 0x0, r7, 0x0, 0x4ffe6, 0x0) r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r8, 0x400448ca, 0x0) bind$bt_hci(r8, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) unshare(0xa020480) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r8, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program did not crash testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-sendmsg$nl_route-socket$inet_udp-close-socket$nl_route-write$binfmt_misc-splice-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = 
bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r5 = socket(0x1, 0x803, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000280)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c6556823400b59500000000000000000a000000", @ANYRES32=r6, @ANYBLOB="1400020000000000000000000000ffff00000000"], 0x2c}, 0x1, 0x0, 0x0, 0x4}, 0x0) r7 = socket$inet_udp(0x2, 0x2, 0x0) close(r7) socket$nl_route(0x10, 0x3, 0x0) write$binfmt_misc(r4, &(0x7f0000000000)=ANY=[], 0xfffffecc) splice(r3, 0x0, r7, 0x0, 0x4ffe6, 0x0) r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r8, 0x400448ca, 0x0) bind$bt_hci(r8, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r8, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none 
SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-sendmsg$nl_route-socket$inet_udp-close-socket$nl_route-write$binfmt_misc-splice-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r5 = socket(0x1, 0x803, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000280)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, 
&(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c6556823400b59500000000000000000a000000", @ANYRES32=r6, @ANYBLOB="1400020000000000000000000000ffff00000000"], 0x2c}, 0x1, 0x0, 0x0, 0x4}, 0x0) r7 = socket$inet_udp(0x2, 0x2, 0x0) close(r7) socket$nl_route(0x10, 0x3, 0x0) write$binfmt_misc(r4, &(0x7f0000000000)=ANY=[], 0xfffffecc) splice(r3, 0x0, r7, 0x0, 0x4ffe6, 0x0) r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r8, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r8, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-sendmsg$nl_route-socket$inet_udp-close-socket$nl_route-write$binfmt_misc-splice-syz_init_net_socket$bt_hci-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, 
{0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r5 = socket(0x1, 0x803, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000280)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c6556823400b59500000000000000000a000000", @ANYRES32=r6, @ANYBLOB="1400020000000000000000000000ffff00000000"], 0x2c}, 0x1, 0x0, 0x0, 0x4}, 0x0) r7 = socket$inet_udp(0x2, 0x2, 0x0) close(r7) socket$nl_route(0x10, 0x3, 0x0) write$binfmt_misc(r4, &(0x7f0000000000)=ANY=[], 0xfffffecc) splice(r3, 0x0, r7, 0x0, 0x4ffe6, 0x0) r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r8, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program did not crash testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false 
FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-sendmsg$nl_route-socket$inet_udp-close-socket$nl_route-write$binfmt_misc-splice-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r5 = socket(0x1, 0x803, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000280)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c6556823400b59500000000000000000a000000", @ANYRES32=r6, @ANYBLOB="1400020000000000000000000000ffff00000000"], 0x2c}, 0x1, 0x0, 0x0, 0x4}, 0x0) r7 = socket$inet_udp(0x2, 0x2, 0x0) close(r7) socket$nl_route(0x10, 0x3, 0x0) write$binfmt_misc(r4, &(0x7f0000000000)=ANY=[], 0xfffffecc) splice(r3, 0x0, r7, 0x0, 
0x4ffe6, 0x0) ioctl$HCIINQUIRY(0xffffffffffffffff, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(0xffffffffffffffff, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program did not crash testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-sendmsg$nl_route-socket$inet_udp-close-socket$nl_route-write$binfmt_misc-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 
0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r4 = socket(0x1, 0x803, 0x0) getsockname$packet(r4, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000280)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c6556823400b59500000000000000000a000000", @ANYRES32=r5, @ANYBLOB="1400020000000000000000000000ffff00000000"], 0x2c}, 0x1, 0x0, 0x0, 0x4}, 0x0) r6 = socket$inet_udp(0x2, 0x2, 0x0) close(r6) socket$nl_route(0x10, 0x3, 0x0) write$binfmt_misc(r3, &(0x7f0000000000)=ANY=[], 0xfffffecc) r7 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r7, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r7, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-sendmsg$nl_route-socket$inet_udp-close-socket$nl_route-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed 
listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r3 = socket(0x1, 0x803, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000280)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c6556823400b59500000000000000000a000000", @ANYRES32=r4, @ANYBLOB="1400020000000000000000000000ffff00000000"], 0x2c}, 0x1, 0x0, 0x0, 0x4}, 0x0) r5 = socket$inet_udp(0x2, 0x2, 0x0) close(r5) socket$nl_route(0x10, 0x3, 0x0) r6 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r6, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r6, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 
Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-sendmsg$nl_route-socket$inet_udp-close-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r3 = socket(0x1, 0x803, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000280)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, 
&(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c6556823400b59500000000000000000a000000", @ANYRES32=r4, @ANYBLOB="1400020000000000000000000000ffff00000000"], 0x2c}, 0x1, 0x0, 0x0, 0x4}, 0x0) r5 = socket$inet_udp(0x2, 0x2, 0x0) close(r5) r6 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r6, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r6, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-sendmsg$nl_route-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 
0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r3 = socket(0x1, 0x803, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000280)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c6556823400b59500000000000000000a000000", @ANYRES32=r4, @ANYBLOB="1400020000000000000000000000ffff00000000"], 0x2c}, 0x1, 0x0, 0x0, 0x4}, 0x0) socket$inet_udp(0x2, 0x2, 0x0) r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r5, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r5, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): 
syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-sendmsg$nl_route-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r3 = socket(0x1, 0x803, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000280)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c6556823400b59500000000000000000a000000", @ANYRES32=r4, @ANYBLOB="1400020000000000000000000000ffff00000000"], 0x2c}, 0x1, 0x0, 0x0, 0x4}, 0x0) r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r5, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r5, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 
0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program did not crash testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-getsockname$packet-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) r3 = socket(0x1, 0x803, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, 
&(0x7f0000000280)=0x14) socket$inet_udp(0x2, 0x2, 0x0) r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r4, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r4, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 
0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) socket(0x1, 0x803, 0x0) socket$inet_udp(0x2, 0x2, 0x0) r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r3, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r3, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-bpf$BPF_BTF_LOAD-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, 
[0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018"], 0x0, 0x5a}, 0x20) socket$inet_udp(0x2, 0x2, 0x0) r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r3, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r3, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program did not crash testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-pipe-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 
0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) pipe(&(0x7f0000000080)) socket(0x1, 0x803, 0x0) socket$inet_udp(0x2, 0x2, 0x0) r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r3, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r3, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-bpf$PROG_LOAD-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 
0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xd, 0x3, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, &(0x7f0000000100)='syzkaller\x00', 0x5, 0x9d, &(0x7f00000002c0)=""/157, 0x41100, 0x0, '\x00', 0x0, 0x0, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200)={0x0, 0x1, 0x0, 0x9}, 0x10}, 0x90) socket(0x1, 0x803, 0x0) socket$inet_udp(0x2, 0x2, 0x0) r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r3, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r3, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-bpf$BPF_BTF_LOAD-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) 
bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000400)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x79, 0x79, 0x3, [@datasec={0xf, 0x9, 0x0, 0xf, 0x1, [{0x3, 0x2, 0x3}, {0x4, 0x0, 0x5}, {0x4, 0x8, 0x322}, {0x4, 0x80000000, 0x3}, {0x2, 0x5, 0x7fffffff}, {0x5, 0xd6c, 0xe9c}, {0x1, 0x2, 0x2}, {0x3, 0x7}, {0x2, 0x5, 0x938}], 'Z'}]}, {0x0, [0x30]}}, 0x0, 0x97}, 0x20) socket(0x1, 0x803, 0x0) socket$inet_udp(0x2, 0x2, 0x0) r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r2, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) socket(0x1, 0x803, 0x0) socket$inet_udp(0x2, 0x2, 0x0) r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r2, 
&(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) socket(0x1, 0x803, 0x0) socket$inet_udp(0x2, 0x2, 0x0) r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r2, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program did not crash testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): 
syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) unshare(0x4000400) socket(0x1, 0x803, 0x0) socket$inet_udp(0x2, 0x2, 0x0) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r1, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(0xffffffffffffffff, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(0xffffffffffffffff, &(0x7f0000000040)="05000000010000", 0x7) program did not crash testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) socket(0x1, 0x803, 0x0) socket$inet_udp(0x2, 0x2, 0x0) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r1, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r0, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r0, 
&(0x7f0000000040)="05000000010000", 0x7) program did not crash testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: ioctl$HCIINQUIRY(0xffffffffffffffff, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) socket(0x1, 0x803, 0x0) socket$inet_udp(0x2, 0x2, 0x0) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r1, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r0, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r0, &(0x7f0000000040)="05000000010000", 0x7) program did not crash testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): 
syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, 0x0) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) socket(0x1, 0x803, 0x0) socket$inet_udp(0x2, 0x2, 0x0) r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r2, &(0x7f0000000d40)=ANY=[@ANYBLOB="03"], 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program did not crash testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) socket(0x1, 0x803, 0x0) socket$inet_udp(0x2, 0x2, 0x0) r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r2, 0x0, 0x4) 
bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) socket(0x1, 0x803, 0x0) socket$inet_udp(0x2, 0x2, 0x0) r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r2, 0x0, 0x4) bind$bt_hci(r1, 0x0, 0x0) write(r1, &(0x7f0000000040)="05000000010000", 0x7) program did not crash testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): 
syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) socket(0x1, 0x803, 0x0) socket$inet_udp(0x2, 0x2, 0x0) r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r2, 0x0, 0x4) bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, 0x0, 0x0) program did not crash testing program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x800448f0, &(0x7f00000000c0)={0x0, 0x0, "a4cd91", 0x9}) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) unshare(0x4000400) socket(0x1, 0x803, 0x0) socket$inet_udp(0x2, 0x2, 0x0) r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet(0x2, 0x80001, 0x84) write$binfmt_misc(r2, 0x0, 0x4) bind$bt_hci(r1, 
&(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) write(r1, &(0x7f0000000040), 0x0) program did not crash extracting C reproducer testing compiled C program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write program crashed: KASAN: slab-use-after-free Read in set_powered_sync simplifying C reproducer testing compiled C program (duration=1m12.117090936s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write program did not crash testing compiled C program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true 
UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing compiled C program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write program did not crash testing compiled C program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing compiled C program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 
Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write program did not crash testing compiled C program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing compiled C program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): 
syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing compiled C program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write program crashed: KFENCE: use-after-free in set_powered_sync a never seen crash title: KFENCE: use-after-free in set_powered_sync, ignore testing compiled C program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing compiled C program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 
Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write program did not crash testing compiled C program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing compiled C program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): 
syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing compiled C program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing compiled C program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write program crashed: KASAN: slab-use-after-free Read in set_powered_sync testing compiled C program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false 
NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write program did not crash testing compiled C program (duration=1m12.117090936s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-unshare-socket-socket$inet_udp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$nfc_llcp-socket$inet-write$binfmt_misc-bind$bt_hci-write program crashed: KASAN: slab-use-after-free Read in set_powered_sync reproducing took 1h15m55.258470544s repro crashed as (corrupted=false): ================================================================== BUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353 Read of size 8 at addr ffff888022aa2c98 by task kworker/u9:1/4623 CPU: 0 UID: 0 PID: 4623 Comm: kworker/u9:1 Not tainted 6.11.0-rc6-syzkaller-01155-gf723224742fc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Workqueue: hci0 hci_cmd_sync_work Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description 
mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:328 process_one_work kernel/workqueue.c:3231 [inline] process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312 worker_thread+0x86d/0xd10 kernel/workqueue.c:3389 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Allocated by task 5242: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:370 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387 kasan_kmalloc include/linux/kasan.h:211 [inline] __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4193 kmalloc_noprof include/linux/slab.h:681 [inline] kzalloc_noprof include/linux/slab.h:807 [inline] mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269 mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296 set_powered+0x3cd/0x5e0 net/bluetooth/mgmt.c:1394 hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712 hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 sock_write_iter+0x2dd/0x400 net/socket.c:1160 new_sync_write fs/read_write.c:497 [inline] vfs_write+0xa72/0xc90 fs/read_write.c:590 ksys_write+0x1a0/0x2c0 fs/read_write.c:643 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5241: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook 
mm/slub.c:2256 [inline] slab_free mm/slub.c:4477 [inline] kfree+0x149/0x360 mm/slub.c:4598 settings_rsp+0x2bc/0x390 net/bluetooth/mgmt.c:1443 mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259 __mgmt_power_off+0x112/0x420 net/bluetooth/mgmt.c:9455 hci_dev_close_sync+0x665/0x11a0 net/bluetooth/hci_sync.c:5191 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline] hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508 sock_do_ioctl+0x158/0x460 net/socket.c:1222 sock_ioctl+0x629/0x8e0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888022aa2c80 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 24 bytes inside of freed 96-byte region [ffff888022aa2c80, ffff888022aa2ce0) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22aa2 anon flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xfdffffff(slab) raw: 00fff00000000000 ffff88801ac41280 ffffea00008aba40 dead000000000005 raw: 0000000000000000 0000000000200020 00000001fdffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 3557625285, free_ts 0 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1500 prep_new_page mm/page_alloc.c:1508 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3446 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4702 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] 
alloc_slab_page+0x5f/0x120 mm/slub.c:2325 allocate_slab+0x5a/0x2f0 mm/slub.c:2488 new_slab mm/slub.c:2541 [inline] ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3727 __slab_alloc+0x58/0xa0 mm/slub.c:3817 __slab_alloc_node mm/slub.c:3870 [inline] slab_alloc_node mm/slub.c:4029 [inline] __kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4188 kmalloc_noprof include/linux/slab.h:681 [inline] kzalloc_noprof include/linux/slab.h:807 [inline] acpi_evaluate_object+0x15c/0xaf0 drivers/acpi/acpica/nsxfeval.c:177 acpi_run_hpp drivers/pci/pci-acpi.c:733 [inline] pci_acpi_program_hp_params+0x25e0/0x2d90 drivers/pci/pci-acpi.c:795 pci_configure_device drivers/pci/probe.c:2283 [inline] pci_device_add+0x8f5/0x16c0 drivers/pci/probe.c:2554 pci_scan_single_device+0x460/0x5a0 drivers/pci/probe.c:2612 pci_scan_slot+0x1d8/0x6c0 drivers/pci/probe.c:2695 pci_scan_child_bus_extend+0x9b/0x950 drivers/pci/probe.c:2914 acpi_pci_root_create+0x9fc/0xc20 drivers/acpi/pci_root.c:1049 pci_acpi_scan_root+0x3b1/0x620 arch/x86/pci/acpi.c:455 page_owner free stack trace missing Memory state around the buggy address: ffff888022aa2b80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc ffff888022aa2c00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc >ffff888022aa2c80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888022aa2d00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc ffff888022aa2d80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ================================================================== final repro crashed as (corrupted=false): ================================================================== BUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353 Read of size 8 at addr ffff888022aa2c98 by task kworker/u9:1/4623 CPU: 0 UID: 0 PID: 4623 Comm: kworker/u9:1 Not tainted 6.11.0-rc6-syzkaller-01155-gf723224742fc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Workqueue: hci0 hci_cmd_sync_work Call Trace: __dump_stack 
lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:328 process_one_work kernel/workqueue.c:3231 [inline] process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312 worker_thread+0x86d/0xd10 kernel/workqueue.c:3389 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Allocated by task 5242: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:370 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387 kasan_kmalloc include/linux/kasan.h:211 [inline] __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4193 kmalloc_noprof include/linux/slab.h:681 [inline] kzalloc_noprof include/linux/slab.h:807 [inline] mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269 mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296 set_powered+0x3cd/0x5e0 net/bluetooth/mgmt.c:1394 hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712 hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 sock_write_iter+0x2dd/0x400 net/socket.c:1160 new_sync_write fs/read_write.c:497 [inline] vfs_write+0xa72/0xc90 fs/read_write.c:590 ksys_write+0x1a0/0x2c0 fs/read_write.c:643 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5241: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 
__kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2256 [inline] slab_free mm/slub.c:4477 [inline] kfree+0x149/0x360 mm/slub.c:4598 settings_rsp+0x2bc/0x390 net/bluetooth/mgmt.c:1443 mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259 __mgmt_power_off+0x112/0x420 net/bluetooth/mgmt.c:9455 hci_dev_close_sync+0x665/0x11a0 net/bluetooth/hci_sync.c:5191 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline] hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508 sock_do_ioctl+0x158/0x460 net/socket.c:1222 sock_ioctl+0x629/0x8e0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888022aa2c80 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 24 bytes inside of freed 96-byte region [ffff888022aa2c80, ffff888022aa2ce0) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22aa2 anon flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xfdffffff(slab) raw: 00fff00000000000 ffff88801ac41280 ffffea00008aba40 dead000000000005 raw: 0000000000000000 0000000000200020 00000001fdffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 3557625285, free_ts 0 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1500 prep_new_page mm/page_alloc.c:1508 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3446 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4702 
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] alloc_slab_page+0x5f/0x120 mm/slub.c:2325 allocate_slab+0x5a/0x2f0 mm/slub.c:2488 new_slab mm/slub.c:2541 [inline] ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3727 __slab_alloc+0x58/0xa0 mm/slub.c:3817 __slab_alloc_node mm/slub.c:3870 [inline] slab_alloc_node mm/slub.c:4029 [inline] __kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4188 kmalloc_noprof include/linux/slab.h:681 [inline] kzalloc_noprof include/linux/slab.h:807 [inline] acpi_evaluate_object+0x15c/0xaf0 drivers/acpi/acpica/nsxfeval.c:177 acpi_run_hpp drivers/pci/pci-acpi.c:733 [inline] pci_acpi_program_hp_params+0x25e0/0x2d90 drivers/pci/pci-acpi.c:795 pci_configure_device drivers/pci/probe.c:2283 [inline] pci_device_add+0x8f5/0x16c0 drivers/pci/probe.c:2554 pci_scan_single_device+0x460/0x5a0 drivers/pci/probe.c:2612 pci_scan_slot+0x1d8/0x6c0 drivers/pci/probe.c:2695 pci_scan_child_bus_extend+0x9b/0x950 drivers/pci/probe.c:2914 acpi_pci_root_create+0x9fc/0xc20 drivers/acpi/pci_root.c:1049 pci_acpi_scan_root+0x3b1/0x620 arch/x86/pci/acpi.c:455 page_owner free stack trace missing Memory state around the buggy address: ffff888022aa2b80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc ffff888022aa2c00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc >ffff888022aa2c80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888022aa2d00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc ffff888022aa2d80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ==================================================================