Extracting prog: 6m17.161272249s Minimizing prog: 13m18.300262622s Simplifying prog options: 9m13.170708591s Extracting C: 3m36.457549754s Simplifying C: 0s extracting reproducer from 67 programs first checking the prog from the crash report single: executing 1 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-socketpair$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto detailed listing: executing program 0: mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x401, 0x8000) socketpair$auto(0x1, 0x2, 0x8000000000000000, 0x0) r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0) write$auto(r0, 0x0, 0xe) program did not crash single: failed to extract reproducer bisect: bisecting 67 programs with base timeout 30s testing program (duration=46s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 3, 3, 3, 3, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4] detailed listing: executing program 32: timer_create$auto(0xfdfffff9, 0x0, &(0x7f0000000040)=0x1) executing program 4: r0 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/kernel/irq/2/wakeup\x00', 0x0, 0x0) read$auto_kernfs_file_fops_kernfs_internal(r0, &(0x7f0000000040)=""/116, 0x74) executing program 4: r0 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f0000000100)='/sys/devices/platform/dummy_hcd.7/usb8/8-0:1.0/usb8-port1/location\x00', 0x40000, 0x0) read$auto_kernfs_file_fops_kernfs_internal(r0, &(0x7f0000000000)=""/143, 0x8f) executing program 4: r0 = openat$auto_cpuid_fops_cpuid(0xffffffffffffff9c, &(0x7f0000000500)='/dev/cpu/0/cpuid\x00', 0x101500, 0x0) readv$auto(r0, &(0x7f0000000340)={0x0, 0x3}, 0x4) executing program 4: openat$auto_v4l2_fops_v4l2_dev(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vbi15\x00', 0x802, 0x0) mmap$auto(0x0, 0x9, 0xffb, 0x8000000008011, 0x3, 0x8000) executing program 4: rt_sigqueueinfo$auto(0x1, 0x7, &(0x7f0000000040)={@siginfo_0_0={0x0, 0x5, 0xfffffffb, @_sigpoll={0x52, 0x7}}}) keyctl$auto(0x12, 0xf, 0x40000000c6e9, 0x81, 0xa472) executing program 4: r0 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f0000001880)='/sys/devices/virtual/net/rose14/phys_switch_id\x00', 0x2000, 0x0) read$auto_kernfs_file_fops_kernfs_internal(r0, &(0x7f00000018c0)=""/219, 0xdb) executing program 33: r0 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f0000001880)='/sys/devices/virtual/net/rose14/phys_switch_id\x00', 0x2000, 0x0) read$auto_kernfs_file_fops_kernfs_internal(r0, &(0x7f00000018c0)=""/219, 0xdb) executing program 1: r0 = openat$auto_proc_pid_attr_operations_base(0xffffffffffffff9c, &(0x7f0000000040)='/proc/thread-self/attr/current\x00', 0x1, 0x0) pwritev2$auto(r0, &(0x7f0000000340)={0x0, 0x7}, 0x5, 0x8, 0xd05, 0x1) executing program 1: socket(0x2, 0x6, 0x0) connect$auto(0x3, &(0x7f00000000c0), 0x52) executing program 1: r0 = socket(0xa, 0x3, 0x3a) setsockopt$auto(r0, 0x29, 0xd0, 0x0, 0x400) executing program 1: r0 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f0000000300)='/sys/devices/virtual/net/bond0/bonding/arp_ip_target\x00', 0x80000, 0x0) read$auto(r0, 0x0, 0x3) executing program 1: setresuid$auto(0xffffffffffffffff, 0x8, 0x8000) tkill$auto(0x80000000000001, 0x7) executing program 1: r0 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f0000000000)='/sys/devices/virtual/net/ifb1/queues/tx-0/byte_queue_limits/inflight\x00', 0x180, 0x0) read$auto(r0, &(0x7f0000003740)='^.*k\x00', 0x9) executing program 34: r0 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f0000000000)='/sys/devices/virtual/net/ifb1/queues/tx-0/byte_queue_limits/inflight\x00', 0x180, 0x0) read$auto(r0, &(0x7f0000003740)='^.*k\x00', 0x9) executing program 3: ioperm$auto(0xaf, 0xe, 0x991b) migrate_pages$auto(0x0, 0x4, 0x0, &(0x7f0000000140)=0x3) executing program 3: openat$auto_tracing_pipe_fops_trace(0xffffffffffffff9c, &(0x7f0000003fc0)='/sys/kernel/debug/tracing/trace_pipe\x00', 0x20a02, 0x0) readv$auto(0x3, &(0x7f0000000a80)={0x0, 0xffff}, 0x1) executing program 3: r0 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/devices/virtual/net/rose14/mtu\x00', 0x80080, 0x0) read$auto_kernfs_file_fops_kernfs_internal(r0, &(0x7f0000001100)=""/4105, 0x1009) executing program 3: ioperm$auto(0x4, 0x6, 0x2) kill$auto(0x0, 0x21) executing program 3: rt_sigqueueinfo$auto(0x1, 0x7, &(0x7f0000000040)={@siginfo_0_0={0x0, 0x5, 0xfffffffb, @_sigpoll={0x52, 0x7}}}) migrate_pages$auto(0x1, 0x9, 0x0, &(0x7f0000000840)=0x2) executing program 3: r0 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/devices/virtual/iscsi_transport/iser/handle\x00', 0x103400, 0x0) read$auto_kernfs_file_fops_kernfs_internal(r0, &(0x7f0000001c00)=""/4111, 0x100f) executing program 35: r0 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/devices/virtual/iscsi_transport/iser/handle\x00', 0x103400, 0x0) read$auto_kernfs_file_fops_kernfs_internal(r0, &(0x7f0000001c00)=""/4111, 0x100f) executing program 6: close_range$auto(0x0, 0xfffffffffffff000, 0x2) open(&(0x7f0000000800)='./file0\x00', 0x2040, 0x0) fcntl$auto(0xff80000000000000, 0x40a, 0x1) executing program 6: sendmsg$auto_ETHTOOL_MSG_MODULE_EEPROM_GET(0xffffffffffffffff, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000180)=ANY=[], 0x44}, 0x1, 0x0, 0x0, 0x10000000}, 0x40000) r0 = socket(0xa, 0x2, 0x3a) setsockopt$auto(r0, 0x29, 0x18, &(0x7f0000000040)='!\x00', 0x1ff) executing program 6: prctl$auto(0x26, 0x1, 0x0, 0x0, 0x0) sendmsg$auto_NCSI_CMD_SET_PACKAGE_MASK(0xffffffffffffffff, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000003c0)=ANY=[], 0x14}, 0x1, 0x0, 0x0, 0x8000}, 0xfebf0c436aa031f1) seccomp$auto(0x1, 0x8, &(0x7f0000000400)) executing program 6: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$auto_ovs_packet(&(0x7f0000001940), 0xffffffffffffffff) sendmsg$auto_OVS_PACKET_CMD_EXECUTE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000280)={0x3c, r1, 0x1b, 0x74bd26, 0x25dfdbfd, {}, [@OVS_PACKET_ATTR_PROBE={0x4}, @OVS_PACKET_ATTR_ACTIONS={0xc, 0x3, 0x0, 0x1, [@nested={0x8, 0x6, 0x0, 0x1, [@nested={0x4, 0x1}]}]}, @OVS_PACKET_ATTR_PACKET={0x12, 0x1, "898771f1c19f17790485908286dd"}, @OVS_PACKET_ATTR_KEY={0x4}]}, 0x3c}, 0x1, 0x0, 0x0, 0x4004040}, 0xc800) executing program 6: mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000) prctl$auto(0x1000000003b, 0x1, 0x4, 0x5, 0x7) rt_sigqueueinfo$auto(0x1, 0x7, &(0x7f0000000040)={@siginfo_0_0={0x0, 0x5, 0xfffffffb, @_sigpoll={0x52, 0x7}}}) executing program 6: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$auto_l2tp(&(0x7f0000000640), 0xffffffffffffffff) sendmsg$auto_L2TP_CMD_TUNNEL_CREATE(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000000)={0x5c, r1, 0x1, 0x70bd2d, 0x25dfdbfd, {}, [@L2TP_ATTR_ENCAP_TYPE={0x6, 0x2, 0x1}, @L2TP_ATTR_PROTO_VERSION={0x5, 0x7, 0x58}, @L2TP_ATTR_CONN_ID={0x8, 0x9, 0x8}, @L2TP_ATTR_PEER_CONN_ID={0x8, 0xa, 0x8}, @L2TP_ATTR_IP6_SADDR={0x14, 0x1f, @loopback}, @L2TP_ATTR_IP6_DADDR={0x14, 0x20, @dev={0xfe, 0x80, '\x00', 0x39}}]}, 0x5c}, 0x1, 0x0, 0x0, 0x40000}, 0x0) executing program 36: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$auto_l2tp(&(0x7f0000000640), 0xffffffffffffffff) sendmsg$auto_L2TP_CMD_TUNNEL_CREATE(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000000)={0x5c, r1, 0x1, 0x70bd2d, 0x25dfdbfd, {}, [@L2TP_ATTR_ENCAP_TYPE={0x6, 0x2, 0x1}, @L2TP_ATTR_PROTO_VERSION={0x5, 0x7, 0x58}, @L2TP_ATTR_CONN_ID={0x8, 0x9, 0x8}, @L2TP_ATTR_PEER_CONN_ID={0x8, 0xa, 0x8}, @L2TP_ATTR_IP6_SADDR={0x14, 0x1f, @loopback}, @L2TP_ATTR_IP6_DADDR={0x14, 0x20, @dev={0xfe, 0x80, '\x00', 0x39}}]}, 0x5c}, 0x1, 0x0, 0x0, 0x40000}, 0x0) executing program 0: mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000) close_range$auto(0x2, 0x8, 0x0) io_uring_setup$auto(0x6, 0x0) io_uring_register$auto(0x2, 0x3, &(0x7f0000000180), 0x83) executing program 0: openat$auto_proc_pid_attr_operations_base(0xffffffffffffff9c, &(0x7f0000000080)='/proc/thread-self/attr/current\x00', 0x1, 0x0) socket$nl_generic(0x10, 0x3, 0x10) exit$auto(0x4) close_range$auto(0x2, 0x8, 0x0) executing program 0: mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x40000000000a5, 0x8000) r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'syz_tun\x00', 0x0}) bpf$auto(0x5, &(0x7f0000000300)=@bpf_attr_3={0x6, 0x24, 0xf, 0x63, 0x400000, 0x0, 0x4, 0x80f0c8, 0x60, "38c1d5cbcb9f6b5e511f0cd8ed068f65", r1, 0x113e33f2, 0xffffffffffffffff, 0xe4, 0x6, 0x5, 0x6, 0x8, 0x0, 0x3, @attach_prog_fd=r0, 0x6, 0xffff, 0x8, 0x0, 0xfffffffe}, 0x47) executing program 0: socket(0xa, 0x5, 0x0) mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x5, 0x8000) sysfs$auto(0x2, 0x1e, 0x0) setsockopt$auto(0x3, 0x10000000084, 0x14, 0x0, 0x8) executing program 0: mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xfffffffffffffffa, 0x8000) prctl$auto(0x1000000003b, 0x1, 0x4, 0x5, 0x7) madvise$auto(0x0, 0xffffffffffff0005, 0x19) tkill$auto(0x80000000000001, 0x7) executing program 0: mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000) sysfs$auto(0x2, 0x11, 0x0) fsopen$auto(0x0, 0x1) close_range$auto(0x2, 0x8000, 0x0) executing program 37: mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000) sysfs$auto(0x2, 0x11, 0x0) fsopen$auto(0x0, 0x1) close_range$auto(0x2, 0x8000, 0x0) executing program 7: unshare$auto(0x40000080) r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$auto_ethtool(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$auto_ETHTOOL_MSG_DEBUG_GET(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)={0x2c, r1, 0x1, 0x70bd29, 0x25dfdbfd, {}, [@ETHTOOL_A_DEBUG_HEADER={0x18, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'ipvlan0\x00'}]}]}, 0x3a}, 0x1, 0x0, 0x0, 0x4801}, 0x24000086) executing program 7: r0 = openat$auto_snd_pcm_oss_f_reg_pcm_oss(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x20342, 0x0) ioctl$auto_SNDCTL_DSP_SYNC(r0, 0x5001, 0xfffffffffffffffc) mmap$auto(0x0, 0x4, 0xffd, 0x12, 0x3, 0x0) mmap$auto(0x0, 0x400005, 0xfffffffffffffffe, 0x9b72, 0x2, 0x8000) executing program 7: openat$auto_set_tracer_fops_trace(0xffffffffffffff9c, &(0x7f0000000000)='/sys/kernel/tracing/current_tracer\x00', 0x1a3642, 0x0) mmap$auto(0x0, 0xa, 0xdb, 0x9b72, 0x5, 0x8000) readv$auto(0x3, &(0x7f0000003080)={0x0, 0x4}, 0x9) write$auto(0x3, 0x0, 0xfffffdef) executing program 7: mmap$auto(0x0, 0x2020009, 0x3, 0x9000000eb1, 0xfffffffffffffffa, 0x8000) socket(0xa, 0x1, 0x84) setsockopt$auto(0x3, 0x10000000084, 0x82, 0x0, 0x8) sendto$auto(0x3, 0x0, 0x2000f, 0x101, &(0x7f0000000000)=@in={0x2, 0x4e22, @loopback}, 0x1c) executing program 7: mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000) prctl$auto(0x1000000003b, 0x1, 0x4, 0x5, 0x10004) madvise$auto(0x0, 0xffffffffffff0001, 0x15) rt_sigqueueinfo$auto(0x1, 0x7, &(0x7f0000000040)={@siginfo_0_0={0x0, 0x5, 0xfffffffb, @_sigpoll={0x52, 0x7}}}) executing program 7: mmap$auto(0x0, 0x400005, 0xdf, 0x9b72, 0x5, 0x8000) socket(0x11, 0x80003, 0x300) syz_genetlink_get_family_id$auto_ovs_meter(0x0, 0xffffffffffffffff) ioctl$auto(0x3, 0x541b, 0x38) executing program 38: mmap$auto(0x0, 0x400005, 0xdf, 0x9b72, 0x5, 0x8000) socket(0x11, 0x80003, 0x300) syz_genetlink_get_family_id$auto_ovs_meter(0x0, 0xffffffffffffffff) ioctl$auto(0x3, 0x541b, 0x38) executing program 5: r0 = syz_genetlink_get_family_id$auto_nl80211(&(0x7f0000000180), 0xffffffffffffffff) r1 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'virt_wifi0\x00', 0x0}) sendmsg$auto_NL80211_CMD_SET_WIPHY(r1, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000000c0)={0x24, r0, 0x13, 0x70bd26, 0x25dfdbfd, {}, [@NL80211_ATTR_IFINDEX={0x8, 0x3, r2}, @NL80211_ATTR_WIPHY_FREQ={0x8, 0x26, 0x80000000}]}, 0x24}, 0x1, 0x0, 0x0, 0x4004080}, 0x48050) executing program 5: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$auto_ethtool(&(0x7f0000001d00), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000000c0)={'veth0_to_bond\x00', 0x0}) sendmsg$auto_ETHTOOL_MSG_MM_GET(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000100)={0x20, r1, 0x1, 0x70bd26, 0x25dfdbfb, {}, [@ETHTOOL_A_MM_HEADER={0xc, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r2}]}]}, 0x20}, 0x1, 0x0, 0x0, 0x20000000}, 0x0) executing program 5: r0 = openat$auto_v4l2_fops_v4l2_dev(0xffffffffffffff9c, &(0x7f0000000340)='/dev/video32\x00', 0x181402, 0x0) mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000) io_uring_setup$auto(0x6, 0x0) ioctl$auto(r0, 0xc0285628, 0x38) executing program 5: open(&(0x7f0000000140)='./file0\x00', 0x2a4c0, 0x20) chmod$auto(&(0x7f00000000c0)='./file0\x00', 0xf4ba) execve$auto(&(0x7f0000000080)='./file0\x00', &(0x7f0000000240)=&(0x7f0000000200)='team_slave_1\x00', 0x0) execve$auto(&(0x7f0000000100)='./file0\x00', &(0x7f00000002c0)=&(0x7f0000000280)='team_slave_1\x00', &(0x7f0000000000)=&(0x7f0000000180)='{\xff\xffcv\x14QP=qj\xca\x1cB0\xcf\x02Z\x9b\xb2\xf5\b=#t\xbfAe\xd2\x92?~\x1chD\x15\x00\xf6\f\xf3\xc8\x12\xd1S\xb1\xe3-\xa0\xb7\xef\x91\xa29KAN\xae.\xb9-\xa6*d\xa7\xa4\xc6\x93p\xf1,\tn$\xb2\xa39`6\xf4)\xca\xf0\xca\xaaeo') executing program 5: mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000) mlockall$auto(0x3) mremap$auto(0x4000, 0xfee0, 0x3fd6, 0x3, 0xfffff000) openat$auto_console_fops_tty_io(0xffffffffffffff9c, 0x0, 0x2, 0x0) executing program 8: mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xfffffffffffffffa, 0x8000) setresuid$auto(0xd, 0x5, 0x81fe) io_uring_setup$auto(0x1, 0x0) bpf$auto(0x5, 0x0, 0x102) executing program 2: mmap$auto(0x0, 0x402000b, 0xdf, 0x10000000000eb1, 0x401, 0x8000) r0 = socketpair$auto(0x1e, 0x1, 0x8000000000000000, 0x0) r1 = openat$auto_udmabuf_fops_udmabuf(0xffffffffffffff9c, &(0x7f0000000000), 0x20100, 0x0) ioctl$auto_UDMABUF_CREATE(r1, 0x40187542, &(0x7f00000000c0)={r0, 0x7, 0x0, 0x8000}) executing program 8: mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xfffffffffffffffa, 0x8000) socket(0xa, 0x5, 0x0) io_uring_setup$auto(0x2, 0x0) setsockopt$auto(0x3, 0x10000000084, 0x14, 0x0, 0x8) executing program 9: openat$auto_tty_fops_tty_io(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ttyS0\x00', 0x48140, 0x0) r0 = socket(0x10, 0x2, 0xf) bpf$auto(0x0, &(0x7f0000000080)=@bpf_attr_4={0x1e, r0, 0xffffffff}, 0xd) bpf$auto(0x2, &(0x7f0000000080)=@bpf_attr_3={0x5, 0x0, 0x702955be, 0x40000, 0x4, 0x5, 0x80, 0xe4, 0xfffff800, "0566c8ee7c78a925488276d7697a12bd", 0x0, 0x5, 0xffffffffffffffff, 0x7, 0x9, 0x4, 0x7, 0x10001, 0x0, 0x8001, @attach_prog_fd=r0, 0x7e, 0x4, 0x1, 0x5, 0x80000001}, 0x5) executing program 2: r0 = syz_genetlink_get_family_id$auto_nl80211(&(0x7f0000000180), 0xffffffffffffffff) r1 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'wlan1\x00', 0x0}) sendmsg$auto_NL80211_CMD_SET_WIPHY(r1, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000400)={&(0x7f0000000440)={0x2c, r0, 0x13, 0x70bd26, 0x25dfdbdd, {}, [@NL80211_ATTR_IFINDEX={0x8, 0x3, r2}, @NL80211_ATTR_WIPHY_TX_POWER_SETTING={0x8, 0x61, 0x3}, @NL80211_ATTR_WIPHY_TX_POWER_LEVEL={0x8, 0x62, 0x7ff}]}, 0x2c}, 0x1, 0x0, 0x0, 0x24004080}, 0x20040894) executing program 9: close_range$auto(0x2, 0x8, 0x0) socket$nl_generic(0x10, 0x3, 0x10) openat$auto_stat_fops_(0xffffffffffffff9c, &(0x7f0000000180)='/proc/stat\x00', 0x2600, 0x0) mmap$auto(0x0, 0x9, 0x3, 0x8012, 0x3, 0x8000) executing program 2: mmap$auto(0x0, 0x4020009, 0x6, 0xeb1, 0x401, 0x8000) capget$auto(0x0, 0xfffffffffffffffe) capset$auto(0x0, &(0x7f0000000180)={0x1, 0x7, 0x6}) setdomainname$auto(0x0, 0x551) executing program 8: mlockall$auto(0x7) mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000) madvise$auto(0x0, 0x2000040080000004, 0xe) move_pages$auto(0x0, 0xd0, 0x0, &(0x7f0000001140), 0x0, 0x2) executing program 9: mmap$auto(0x0, 0x40009, 0xdf, 0x9b72, 0x7, 0x28000) socket(0xa, 0x2, 0x0) socket(0x1e, 0x1, 0x0) getsockopt$auto(0x4, 0x6, 0x6, 0xfffffffffffffffc, 0x0) executing program 2: mmap$auto(0x0, 0x3, 0xdf, 0x9b72, 0x2, 0x8000) io_uring_setup$auto(0x48, 0x0) r0 = socket(0xa, 0x3, 0x73) setsockopt$auto(r0, 0xff, 0x7, 0x0, 0xfff) executing program 9: socket$nl_generic(0x10, 0x3, 0x10) r0 = socket(0x2, 0x2, 0x1) bpf$auto(0x0, &(0x7f0000000000)=@bpf_attr_4={0x16, r0, 0x4, r0}, 0x10) bpf$auto(0x1, &(0x7f00000001c0)=@raw_tracepoint={0x5, 0xffffffffffffffff, 0x0, 0x3}, 0x7) executing program 2: r0 = socket(0x11, 0x80003, 0x300) sendfile$auto(0x1, r0, 0x0, 0x8fb5) dup2$auto(0x0, 0x3) ioctl$auto(0x3, 0x5760, 0xfffffffffffff4e0) executing program 9: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$auto_ethtool(&(0x7f0000001a40), r0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000001a80)={'wg2\x00', 0x0}) sendmsg$auto_ETHTOOL_MSG_CABLE_TEST_TDR_ACT(r0, &(0x7f0000002f40)={0x0, 0x0, &(0x7f0000002f00)={&(0x7f0000001ac0)={0x2c, r1, 0x1, 0x70bd2b, 0x25dfdbfc, {}, [@ETHTOOL_A_CABLE_TEST_TDR_HEADER={0xc, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r2}]}, @ETHTOOL_A_CABLE_TEST_TDR_CFG={0xc, 0x2, 0x0, 0x1, [@typed={0x8, 0x10c, 0x0, 0x0, @pid}]}]}, 0x2c}, 0x1, 0x0, 0x0, 0x24040000}, 0x0) executing program 8: openat$auto_sg_fops_sg(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sg0\x00', 0x82082, 0x0) mprotect$auto(0x1ffff000, 0x8000000000000004, 0xd) openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f0000000000)='/sys/devices/virtual/net/rose9/tx_queue_len\x00', 0x400, 0x500) close_range$auto(0x2, 0x8, 0x0) executing program 9: unshare$auto(0x40000080) r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$auto_ethtool(&(0x7f0000000040), 0xffffffffffffffff) sendmsg$auto_ETHTOOL_MSG_PLCA_GET_CFG(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000080)={0x2c, r1, 0x1, 0x70bd27, 0x25dfdc01, {}, [@ETHTOOL_A_PLCA_HEADER={0x18, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'lo\x00'}]}]}, 0x2c}, 0x1, 0x0, 0x0, 0x24008081}, 0x4000004) executing program 8: r0 = openat$auto_snd_ctl_f_ops_control(0xffffffffffffff9c, &(0x7f0000000040)='/dev/snd/controlC1\x00', 0xa02, 0x0) ioctl$auto_SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS(r0, 0xc0045516, &(0x7f0000000000)=0x81) ioctl$auto_SNDRV_CTL_IOCTL_ELEM_ADD(r0, 0xc1105517, &(0x7f0000000080)={{@inferred=0xffffffffffffffff, 0x110d, 0x10000, 0x6, "e927783f468fa2e92fe8ec7a46cbb766439daa1ee1aa00000000e1800000000000000000040000660e070100"}, 0x6, 0x181, 0x6, @raw=0x2, @reserved="294fa6128731696b50822ae271fbb969a526bf24151b811972feed1d2e3cbcd51f764e53d99a7c725984e3c615f6c693b01da8e7b66b3d8f45bea2b1f81028f94747b01c1f3b6de2865ec8d56a9a466d66d3676277d84f090e19d63c56024114e337f6221fe4fe284e451b5fec7dd45be2a56a30e8825057fadb99f58e7c0fae", "a4699d30a05edbe0d28473c399a7dc920b153e9b1675451d7de94b4123f970bedd3460c667373fcc59b584d81592f6ab606c276852295e00af49e6de6e768034"}) close_range$auto(0x2, 0x8000, 0x0) executing program 2: mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x401, 0x8000) socketpair$auto(0x1, 0x2, 0x8000000000000000, 0x0) r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0) write$auto(r0, 0x0, 0xe) executing program 5: socket(0x1d, 0x2, 0x7) r0 = socket(0x2, 0x5, 0x0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, 0x0) getsockname$auto(0x3, &(0x7f0000000d00), &(0x7f0000000d40)=0x4) executing program 8: mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x401, 0x8000) madvise$auto(0x0, 0x7fffffffffffffff, 0xa) semctl$auto(0x1ff, 0x2, 0x13, 0x1) clone3$auto(&(0x7f0000000000)={0x200, 0x5, 0x7, 0x2, 0x1, 0x87, 0x8, 0xb, 0x9, 0x2, 0xcb6}, 0xaa) program did not crash replaying the whole log did not cause a kernel crash single: executing 1 programs separately with timeout 1m40s testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-socketpair$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto detailed listing: executing program 0: mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x401, 0x8000) socketpair$auto(0x1, 0x2, 0x8000000000000000, 0x0) r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0) write$auto(r0, 0x0, 0xe) program crashed: KASAN: slab-use-after-free Read in force_devcd_write single: successfully extracted reproducer found reproducer with 4 syscalls minimizing guilty program testing program (duration=2m27.54111396s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-socketpair$auto-openat$auto_force_devcoredump_fops_hci_vhci detailed listing: executing program 0: mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x401, 0x8000) socketpair$auto(0x1, 0x2, 0x8000000000000000, 0x0) openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0) program did not crash testing program (duration=2m27.54111396s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-socketpair$auto-write$auto detailed listing: executing program 0: mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x401, 0x8000) socketpair$auto(0x1, 0x2, 0x8000000000000000, 0x0) write$auto(0xffffffffffffffff, 0x0, 0xe) program did not crash testing program (duration=2m27.54111396s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto detailed listing: executing program 0: mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x401, 0x8000) r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0) write$auto(r0, 0x0, 0xe) program crashed: KASAN: slab-use-after-free Read in force_devcd_write testing program (duration=2m27.54111396s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$auto_force_devcoredump_fops_hci_vhci-write$auto detailed listing: executing program 0: r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0) write$auto(r0, 0x0, 0xe) program did not crash testing program (duration=2m27.54111396s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto detailed listing: executing program 0: mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x401, 0x8000) r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, 0x0, 0x2, 0x0) write$auto(r0, 0x0, 0xe) program did not crash extracting C reproducer testing compiled C program (duration=2m27.54111396s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto program did not crash simplifying guilty program options testing program (duration=2m27.54111396s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto detailed listing: executing program 0: mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x401, 0x8000) r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0) write$auto(r0, 0x0, 0xe) program crashed: KASAN: slab-use-after-free Read in force_devcd_write extracting C reproducer testing compiled C program (duration=2m27.54111396s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto program did not crash testing program (duration=2m27.54111396s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto detailed listing: executing program 0: mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x401, 0x8000) r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0) write$auto(r0, 0x0, 0xe) program crashed: KASAN: slab-use-after-free Read in force_devcd_write extracting C reproducer testing compiled C program (duration=2m27.54111396s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto program did not crash reproducing took 31m30.791157297s repro crashed as (corrupted=false): ================================================================== BUG: KASAN: slab-use-after-free in force_devcd_write+0x31f/0x350 drivers/bluetooth/hci_vhci.c:327 Read of size 8 at addr ffff888028280000 by task syz.0.616/6625 CPU: 0 UID: 0 PID: 6625 Comm: syz.0.616 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xc3/0x620 mm/kasan/report.c:489 kasan_report+0xd9/0x110 mm/kasan/report.c:602 force_devcd_write+0x31f/0x350 drivers/bluetooth/hci_vhci.c:327 full_proxy_write+0xfd/0x1b0 fs/debugfs/file.c:369 vfs_write+0x24c/0x1150 fs/read_write.c:677 ksys_write+0x12b/0x250 fs/read_write.c:731 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f3e94b85d29 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc15439ca8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f3e94d75fa0 RCX: 00007f3e94b85d29 RDX: 000000000000000e RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f3e94c01b08 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f3e94d75fa0 R14: 00007f3e94d75fa0 R15: 00000000000018c7 Allocated by task 5938: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] vhci_open+0x4c/0x430 drivers/bluetooth/hci_vhci.c:634 misc_open+0x35a/0x420 drivers/char/misc.c:165 chrdev_open+0x237/0x6a0 fs/char_dev.c:414 do_dentry_open+0xf59/0x1ea0 fs/open.c:945 vfs_open+0x82/0x3f0 fs/open.c:1075 do_open fs/namei.c:3828 [inline] path_openat+0x1e6a/0x2d60 fs/namei.c:3987 do_filp_open+0x20c/0x470 fs/namei.c:4014 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402 do_sys_open fs/open.c:1417 [inline] __do_sys_openat fs/open.c:1433 [inline] __se_sys_openat fs/open.c:1428 [inline] __x64_sys_openat+0x175/0x210 fs/open.c:1428 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5938: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4613 [inline] kfree+0x14f/0x4b0 mm/slub.c:4761 vhci_release+0xbb/0xf0 drivers/bluetooth/hci_vhci.c:670 __fput+0x3f8/0xb60 fs/file_table.c:450 task_work_run+0x14e/0x250 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline] do_exit+0xad8/0x2d70 kernel/exit.c:938 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087 get_signal+0x2576/0x2610 kernel/signal.c:3017 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888028280000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 0 bytes inside of freed 1024-byte region [ffff888028280000, ffff888028280400) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28280 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801ac41dc0 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 00fff00000000040 ffff88801ac41dc0 dead000000000122 0000000000000000 head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 00fff00000000003 ffffea0000a0a001 ffffffffffffffff 0000000000000000 head: ffff888000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5938, tgid 5938 (syz-executor), ts 124256165302, free_ts 123904636811 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1558 prep_new_page mm/page_alloc.c:1566 [inline] get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3476 __alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4753 alloc_pages_mpol_noprof+0x2c8/0x620 mm/mempolicy.c:2269 alloc_slab_page mm/slub.c:2423 [inline] allocate_slab mm/slub.c:2589 [inline] new_slab+0x2c9/0x410 mm/slub.c:2642 ___slab_alloc+0xce2/0x1650 mm/slub.c:3830 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920 __slab_alloc_node mm/slub.c:3995 [inline] slab_alloc_node mm/slub.c:4156 [inline] __kmalloc_cache_noprof+0xf6/0x420 mm/slub.c:4324 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] vhci_open+0x4c/0x430 drivers/bluetooth/hci_vhci.c:634 misc_open+0x35a/0x420 drivers/char/misc.c:165 chrdev_open+0x237/0x6a0 fs/char_dev.c:414 do_dentry_open+0xf59/0x1ea0 fs/open.c:945 vfs_open+0x82/0x3f0 fs/open.c:1075 do_open fs/namei.c:3828 [inline] path_openat+0x1e6a/0x2d60 fs/namei.c:3987 do_filp_open+0x20c/0x470 fs/namei.c:4014 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402 page last free pid 5843 tgid 5843 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1127 [inline] free_unref_page+0x661/0x1080 mm/page_alloc.c:2659 __put_partials+0x14c/0x170 mm/slub.c:3157 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4119 [inline] slab_alloc_node mm/slub.c:4168 [inline] kmem_cache_alloc_noprof+0x1c8/0x3b0 mm/slub.c:4175 getname_flags.part.0+0x4c/0x550 fs/namei.c:139 getname_flags include/linux/audit.h:322 [inline] getname+0x8d/0xe0 fs/namei.c:223 do_sys_openat2+0x104/0x1e0 fs/open.c:1396 do_sys_open fs/open.c:1417 [inline] __do_sys_openat fs/open.c:1433 [inline] __se_sys_openat fs/open.c:1428 [inline] __x64_sys_openat+0x175/0x210 fs/open.c:1428 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff88802827ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88802827ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888028280000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888028280080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888028280100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== final repro crashed as (corrupted=false): ================================================================== BUG: KASAN: slab-use-after-free in force_devcd_write+0x31f/0x350 drivers/bluetooth/hci_vhci.c:327 Read of size 8 at addr ffff888028280000 by task syz.0.616/6625 CPU: 0 UID: 0 PID: 6625 Comm: syz.0.616 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xc3/0x620 mm/kasan/report.c:489 kasan_report+0xd9/0x110 mm/kasan/report.c:602 force_devcd_write+0x31f/0x350 drivers/bluetooth/hci_vhci.c:327 full_proxy_write+0xfd/0x1b0 fs/debugfs/file.c:369 vfs_write+0x24c/0x1150 fs/read_write.c:677 ksys_write+0x12b/0x250 fs/read_write.c:731 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f3e94b85d29 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc15439ca8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f3e94d75fa0 RCX: 00007f3e94b85d29 RDX: 000000000000000e RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f3e94c01b08 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f3e94d75fa0 R14: 00007f3e94d75fa0 R15: 00000000000018c7 Allocated by task 5938: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] vhci_open+0x4c/0x430 drivers/bluetooth/hci_vhci.c:634 misc_open+0x35a/0x420 drivers/char/misc.c:165 chrdev_open+0x237/0x6a0 fs/char_dev.c:414 do_dentry_open+0xf59/0x1ea0 fs/open.c:945 vfs_open+0x82/0x3f0 fs/open.c:1075 do_open fs/namei.c:3828 [inline] path_openat+0x1e6a/0x2d60 fs/namei.c:3987 do_filp_open+0x20c/0x470 fs/namei.c:4014 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402 do_sys_open fs/open.c:1417 [inline] __do_sys_openat fs/open.c:1433 [inline] __se_sys_openat fs/open.c:1428 [inline] __x64_sys_openat+0x175/0x210 fs/open.c:1428 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5938: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4613 [inline] kfree+0x14f/0x4b0 mm/slub.c:4761 vhci_release+0xbb/0xf0 drivers/bluetooth/hci_vhci.c:670 __fput+0x3f8/0xb60 fs/file_table.c:450 task_work_run+0x14e/0x250 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline] do_exit+0xad8/0x2d70 kernel/exit.c:938 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087 get_signal+0x2576/0x2610 kernel/signal.c:3017 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888028280000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 0 bytes inside of freed 1024-byte region [ffff888028280000, ffff888028280400) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28280 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801ac41dc0 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 00fff00000000040 ffff88801ac41dc0 dead000000000122 0000000000000000 head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 00fff00000000003 ffffea0000a0a001 ffffffffffffffff 0000000000000000 head: ffff888000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5938, tgid 5938 (syz-executor), ts 124256165302, free_ts 123904636811 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1558 prep_new_page mm/page_alloc.c:1566 [inline] get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3476 __alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4753 alloc_pages_mpol_noprof+0x2c8/0x620 mm/mempolicy.c:2269 alloc_slab_page mm/slub.c:2423 [inline] allocate_slab mm/slub.c:2589 [inline] new_slab+0x2c9/0x410 mm/slub.c:2642 ___slab_alloc+0xce2/0x1650 mm/slub.c:3830 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920 __slab_alloc_node mm/slub.c:3995 [inline] slab_alloc_node mm/slub.c:4156 [inline] __kmalloc_cache_noprof+0xf6/0x420 mm/slub.c:4324 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] vhci_open+0x4c/0x430 drivers/bluetooth/hci_vhci.c:634 misc_open+0x35a/0x420 drivers/char/misc.c:165 chrdev_open+0x237/0x6a0 fs/char_dev.c:414 do_dentry_open+0xf59/0x1ea0 fs/open.c:945 vfs_open+0x82/0x3f0 fs/open.c:1075 do_open fs/namei.c:3828 [inline] path_openat+0x1e6a/0x2d60 fs/namei.c:3987 do_filp_open+0x20c/0x470 fs/namei.c:4014 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402 page last free pid 5843 tgid 5843 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1127 [inline] free_unref_page+0x661/0x1080 mm/page_alloc.c:2659 __put_partials+0x14c/0x170 mm/slub.c:3157 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4119 [inline] slab_alloc_node mm/slub.c:4168 [inline] kmem_cache_alloc_noprof+0x1c8/0x3b0 mm/slub.c:4175 getname_flags.part.0+0x4c/0x550 fs/namei.c:139 getname_flags include/linux/audit.h:322 [inline] getname+0x8d/0xe0 fs/namei.c:223 do_sys_openat2+0x104/0x1e0 fs/open.c:1396 do_sys_open fs/open.c:1417 [inline] __do_sys_openat fs/open.c:1433 [inline] __se_sys_openat fs/open.c:1428 [inline] __x64_sys_openat+0x175/0x210 fs/open.c:1428 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff88802827ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88802827ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888028280000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888028280080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888028280100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================