Extracting prog: 7m52.212928202s
Minimizing prog: 14m40.07623342s
Simplifying prog options: 0s
Extracting C: 29.014401706s
Simplifying C: 23m56.982669374s


30 programs, timeouts [15s 1m40s 6m0s]
extracting reproducer from 30 programs
single: executing 5 programs separately with timeout 15s
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs2/binder0\x00', 0x0, 0x0)
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="043e3b0d"], 0x3e)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$9p_virtio-chdir-openat$cgroup_ro-read$FUSE
detailed listing:
executing program 0:
mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0)
mount$9p_virtio(&(0x7f00000001c0), &(0x7f0000000480)='./file0\x00', &(0x7f00000004c0), 0x0, &(0x7f0000000840)=ANY=[])
chdir(&(0x7f0000000280)='./file0\x00')
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='blkio.bfq.io_serviced\x00', 0x275a, 0x0)
read$FUSE(r0, &(0x7f00000021c0)={0x2020}, 0x2020)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap-mbind-syz_open_procfs$pagemap-ioctl$PAGEMAP_SCAN
detailed listing:
executing program 0:
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x2)
r0 = syz_open_procfs$pagemap(0x0, &(0x7f00000012c0))
ioctl$PAGEMAP_SCAN(r0, 0xc0606610, &(0x7f0000000080)={0x60, 0x0, &(0x7f0000002000/0x4000)=nil, &(0x7f0000ffa000/0x4000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x44})

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-setsockopt$inet_tcp_int-bind$inet-connect$inet-setsockopt$inet_tcp_TCP_REPAIR_OPTIONS-setsockopt$inet_tcp_TCP_CONGESTION-setsockopt$inet_tcp_TCP_REPAIR-sendto$inet-recvfrom$inet
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$inet_tcp_int(r0, 0x6, 0x210000000013, &(0x7f00000000c0)=0x100000001, 0x4)
bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e21, @broadcast}, 0x10)
connect$inet(r0, &(0x7f0000000180)={0x2, 0x4e21, @local}, 0x10)
setsockopt$inet_tcp_TCP_REPAIR_OPTIONS(r0, 0x6, 0x16, &(0x7f0000000000)=[@mss, @sack_perm, @window, @mss, @window, @window], 0x20000000000000e4)
setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000040)='yeah\x00', 0x5)
setsockopt$inet_tcp_TCP_REPAIR(r0, 0x6, 0x13, &(0x7f00000001c0), 0xc7)
sendto$inet(r0, &(0x7f0000000000), 0xffffffffffffff94, 0x0, 0x0, 0x0)
recvfrom$inet(r0, 0x0, 0x0, 0x0, 0x0, 0x0)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-bind$alg-setsockopt$ALG_SET_KEY-accept$alg-sendmsg$alg-recvmmsg
detailed listing:
executing program 0:
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f00000007c0)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc(sm4)\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000001280)="b7f21e0dd037a3f08d3aaea2bc0000de", 0x10)
r1 = accept$alg(r0, 0x0, 0x0)
sendmsg$alg(r1, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000002a00)=[{&(0x7f0000002900)="ccb0f1104dc7f600b9a3720847aac9a2b51a80af95655526910c1431d37326cf17d44ca3f624286da9a17d8ec43ffa4e99584810546966d0fffc95cf5fe175560742ca5687d6bee70b3645903a33108420903aa541c59e04bfeaa460604649dcaf74d53ddf83e069d8d0df09b6b7191c0bfbd0c1d902aa78ceef3acb7c98228820b57ba692214312e9e49b43a0b9fe75", 0x90}], 0x1}, 0x0)
recvmmsg(r1, &(0x7f0000002a40)=[{{0x0, 0x0, &(0x7f0000000500)=[{&(0x7f0000000580)=""/201, 0xc9}], 0x1}}], 0x1, 0x0, 0x0)

program did not crash
single: failed to extract reproducer
bisect: bisecting 30 programs with base timeout 15s
testing program (duration=22s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [6, 10, 7, 3, 23, 6, 29, 30, 6, 5, 1, 15, 29, 20, 6, 3, 26, 2, 26, 6, 2, 9, 2, 4, 2, 2, 2, 2, 5, 2]
detailed listing:
executing program 3:
bpf$ENABLE_STATS(0x20, 0x0, 0x0)
r0 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=@base={0x1, 0x4, 0xfff, 0x8}, 0x48)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f00000004c0)={{r0, <r1=>0xffffffffffffffff}, &(0x7f0000000400), &(0x7f00000005c0)}, 0x1a)
bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x11, 0xd, &(0x7f0000000300)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=<r2=>r1, @ANYBLOB="0000000000000000b7080000010000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b7040000000000008500000001000000850000000500000095"], &(0x7f0000000040)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
r3 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xd, &(0x7f0000000280)=ANY=[@ANYBLOB="18000000000000000000000000000000850000000f00000018110000", @ANYRES32=r2, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b70400000000725e850000000100000095"], &(0x7f0000000040)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$PROG_BIND_MAP(0xa, &(0x7f00000002c0)={r3}, 0xc)
executing program 3:
socketpair$nbd(0x1, 0x1, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={0x0}, 0x10)
socket$nl_route(0x10, 0x3, 0x0)
socket$nl_netfilter(0x10, 0x3, 0xc)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000640), 0xffffffffffffffff)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NL80211_CMD_FRAME(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000009c0)=ANY=[@ANYBLOB, @ANYBLOB="7e0233008080"], 0x2a8}}, 0x0)
ioctl$sock_SIOCGIFINDEX_80211(r2, 0x8933, &(0x7f0000000340)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_FRAME(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f0000000680)=ANY=[@ANYBLOB="98030000", @ANYRES16=r1, @ANYBLOB="010028057000fcdbdf253b00000008000300", @ANYRES32=r3, @ANYBLOB="04008e00080057001b0a000004006c000500190107000000080026006c0900005603330080b0c000ffffffffffff"], 0x398}}, 0x0)
executing program 3:
socket$nl_generic(0x10, 0x3, 0x10)
unshare(0x62040200)
socket$can_raw(0x1d, 0x3, 0x1)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r0 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
sendto$inet(r0, &(0x7f0000000100)="1ce0", 0xffeb, 0x0, &(0x7f0000001100)={0x2, 0x0, @private}, 0x10)
executing program 1:
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000040)={0xffffffffffffffff, 0x18000000000002a0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x50)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000640)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$SIOCSIFHWADDR(r0, 0x89f1, &(0x7f0000000900)={'ip6gre0\x00', @random="0600002000"})
executing program 2:
r0 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=@base={0x6, 0x4, 0xfff, 0x7}, 0x48)
bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000400007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000100000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='blkio.bfq.time_recursive\x00', 0x275a, 0x0)
r2 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000000)='GPL\x00', 0xfffffffc, 0x0, 0x0, 0x0, 0xb, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
write$cgroup_type(r1, &(0x7f0000000380), 0x9)
r3 = socket$netlink(0x10, 0x3, 0xf)
bind$netlink(r3, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc)
syz_genetlink_get_family_id$fou(&(0x7f0000000140), r3)
syz_genetlink_get_family_id$gtp(&(0x7f0000000280), r3)
setsockopt$sock_int(r3, 0x1, 0x8, &(0x7f0000000000), 0x4)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000100), r3)
syz_genetlink_get_family_id$nl80211(&(0x7f00000010c0), r3)
syz_genetlink_get_family_id$smc(&(0x7f00000000c0), r3)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000300)={&(0x7f00000002c0)='ext4_ext_remove_space_done\x00', r2}, 0x10)
r4 = socket$inet_udplite(0x2, 0x2, 0x88)
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$devlink(&(0x7f00000007c0), 0xffffffffffffffff)
sendmsg$DEVLINK_CMD_RATE_NEW(r5, &(0x7f00000008c0)={0x0, 0x0, &(0x7f0000000880)={&(0x7f0000000180)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="01000000000008000000000000000e0001006e657464657673696d0000000f0002006e65bc0c000000000000b5ebb9bbe39a510b306ae651e326435200"], 0x34}}, 0x0)
setsockopt$IPT_SO_SET_REPLACE(r4, 0x0, 0x40, &(0x7f0000000400)=@filter={'filter\x00', 0x42, 0x4, 0x4a0, 0xffffffff, 0xb0, 0x0, 0x0, 0xffffffff, 0xffffffff, 0x408, 0x408, 0x408, 0xffffffff, 0x4, 0x0, {[{{@ip={@local, @loopback, 0x0, 0x0, 'team_slave_0\x00', 'veth1_to_bond\x00'}, 0x0, 0x70, 0xb0, 0x0, {0x100000000000000}}, @common=@unspec=@RATEEST={0x40, 'RATEEST\x00', 0x0, {'syz1\x00', 0x0, 0x9}}}, {{@uncond, 0x0, 0x210, 0x238, 0x0, {}, [@common=@inet=@hashlimit3={{0x158}, {'hsr0\x00', {0x4000000000000, 0x8, 0x0, 0x0, 0x0, 0x9, 0x1000}}}, @common=@unspec=@helper={{0x48}, {0x0, 'snmp\x00'}}]}, @REJECT={0x28}}, {{@ip={@remote, @dev, 0x0, 0x0, 'batadv_slave_0\x00', 'rose0\x00'}, 0x0, 0xc0, 0x120, 0x0, {}, [@common=@ttl={{0x28}}, @common=@ttl={{0x28}}]}, @common=@inet=@HMARK={0x60, 'HMARK\x00', 0x0, {@ipv4=@broadcast}}}], {{'\x00', 0x0, 0x70, 0x98}, {0x28}}}}, 0x500)
bpf$ENABLE_STATS(0x20, 0x0, 0x0)
r7 = socket$rxrpc(0x21, 0x2, 0x2)
bind$rxrpc(r7, &(0x7f0000000640)=@in4={0x21, 0x3, 0x2, 0x10, {0x2, 0x0, @broadcast}}, 0x24)
write$binfmt_script(r7, 0x0, 0x0)
executing program 0:
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f00000007c0)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc(sm4)\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000001280)="b7f21e0dd037a3f08d3aaea2bc0000de", 0x10)
r1 = accept$alg(r0, 0x0, 0x0)
sendmsg$alg(r1, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000002a00)=[{&(0x7f0000002900)="ccb0f1104dc7f600b9a3720847aac9a2b51a80af95655526910c1431d37326cf17d44ca3f624286da9a17d8ec43ffa4e99584810546966d0fffc95cf5fe1755607", 0x41}], 0x1}, 0x0)
recvmmsg(r1, &(0x7f0000002a40)=[{{0x0, 0x0, &(0x7f0000000500)=[{&(0x7f0000000580)=""/201, 0xc9}], 0x1}}], 0x1, 0x0, 0x0)
executing program 1:
r0 = bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000600)={0x4, 0xe, &(0x7f0000000580)=ANY=[@ANYRES32=r0], &(0x7f00000005c0)='GPL\x00', 0x400000, 0xfffffffffffffff8, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000040)={0x0, 0x0, 0x8}, 0x10}, 0x90)
socket$can_raw(0x1d, 0x3, 0x1)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$L2TP_CMD_TUNNEL_GET(r1, &(0x7f0000000440)={&(0x7f0000000280)={0x10, 0x0, 0x0, 0x4000000}, 0xc, 0x0, 0x1, 0x0, 0x0, 0x1}, 0x8005)
socket$kcm(0x11, 0x200000000000002, 0x300)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
r2 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_buf(r2, 0x6, 0xd, &(0x7f0000000000)="9b", 0x1)
setsockopt$inet6_tcp_TCP_QUEUE_SEQ(r2, 0x6, 0x15, &(0x7f0000000080), 0x4)
r3 = bpf$PROG_LOAD(0x5, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000180)={0x0, r3}, 0x10)
recvmmsg(0xffffffffffffffff, &(0x7f0000001c40)=[{{0x0, 0x0, 0x0}}, {{0x0, 0x0, 0x0}}], 0x2, 0x0, 0x0)
r4 = socket$kcm(0x10, 0x2, 0x0)
r5 = syz_genetlink_get_family_id$batadv(&(0x7f0000000340), 0xffffffffffffffff)
sendmsg$BATADV_CMD_GET_GATEWAYS(0xffffffffffffffff, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000003c0)={0x14, r5, 0x701, 0x0, 0x0, {0x6}}, 0x14}}, 0x0)
sendmsg$BATADV_CMD_GET_DAT_CACHE(0xffffffffffffffff, &(0x7f0000000540)={&(0x7f0000000480)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000500)={&(0x7f00000004c0)={0x1c, r5, 0x20, 0x70bd2d, 0x25dfdbfb, {}, [@BATADV_ATTR_GW_SEL_CLASS={0x8, 0x34, 0x200}]}, 0x1c}, 0x1, 0x0, 0x0, 0x22040000}, 0x850)
r6 = socket$nl_route(0x10, 0x3, 0x0)
r7 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, &(0x7f00000011c0)={'vxcan0\x00', <r8=>0x0})
bind$can_j1939(r7, &(0x7f0000001200)={0x1d, r8}, 0x18)
socket(0xa, 0x2400000001, 0x0)
connect$can_j1939(r7, &(0x7f0000000080)={0x1d, r8}, 0x18)
writev(r7, &(0x7f0000000240)=[{&(0x7f0000000000)='h', 0xfdef}], 0x1)
setsockopt$SO_J1939_FILTER(r7, 0x6b, 0x1, &(0x7f0000000340)=[{0x40, 0x2, {0x0, 0xf0}, {0x0, 0xff}, 0xff, 0x1}, {0x1, 0x1, {}, {0x0, 0x1}, 0x0, 0xff}, {0x3, 0x100000000000, {}, {0x2}}], 0x60)
ioctl$ifreq_SIOCGIFINDEX_vcan(r4, 0x8933, &(0x7f0000000300)={'vxcan0\x00', <r9=>0x0})
r10 = socket$rxrpc(0x21, 0x2, 0xa)
connect$rxrpc(r10, &(0x7f0000000000)=@in6={0x21, 0x0, 0x2, 0x1c, {0xa, 0x0, 0x2, @mcast2}}, 0x5b)
sendmsg$nl_route_sched(r6, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f00000002c0)=@getchain={0x24, 0x11, 0x839, 0x0, 0x0, {0x0, 0x0, 0x0, r9}}, 0x24}}, 0x0)
executing program 2:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@bloom_filter={0x1e, 0x0, 0x80000000, 0x5, 0x110, 0x1, 0xf58d, '\x00', 0x0, 0xffffffffffffffff, 0x1, 0x1, 0x2, 0x2}, 0x48)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = socket$inet(0x2, 0x2, 0x1)
sendmsg$inet(r2, &(0x7f0000000600)={&(0x7f0000000000)={0x2, 0x0, @remote}, 0x10, &(0x7f00000005c0)=[{&(0x7f0000000400)='\b\x00', 0x2}, {&(0x7f0000000180)="96bc1480bb58", 0x6}], 0x2, &(0x7f00000034c0)=[@ip_tos_u8={{0x11}}], 0x18}, 0x14)
socket$inet_tcp(0x2, 0x1, 0x0)
syz_emit_ethernet(0x82, 0x0, 0x0)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x11, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x90)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000000c0)='cgroup.controllers\x00', 0x275a, 0x0)
write$binfmt_script(r3, &(0x7f0000000140), 0x208e24b)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2, 0x28011, r3, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
r4 = socket$inet_smc(0x2b, 0x1, 0x0)
writev(r4, &(0x7f0000000400)=[{&(0x7f0000000200)="67a818beb2c030ce59945b", 0xb}, {&(0x7f0000000300), 0x400000}, {0x0}], 0x3)
setsockopt$sock_int(r4, 0x1, 0x12, &(0x7f0000000040)=0xfffffffc, 0x4)
bpf$BPF_BTF_LOAD(0x12, &(0x7f00000014c0)={&(0x7f0000000380)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0xc, 0xc, 0x2, [@typedef]}}, 0x0, 0x26}, 0x20)
syz_genetlink_get_family_id$batadv(&(0x7f0000000040), 0xffffffffffffffff)
sendmsg$BATADV_CMD_GET_BLA_BACKBONE(r1, &(0x7f0000000400)={0x0, 0x0, &(0x7f00000003c0)={&(0x7f0000000080)=ANY=[], 0x1c}}, 0x0)
r5 = socket$inet6_sctp(0xa, 0x1, 0x84)
sendmsg$inet(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000100)=[{0x0}], 0x1, 0x0, 0x0, 0x1f00c00e}, 0x0)
r6 = socket$kcm(0xf, 0x3, 0x2)
sendmsg$inet(r6, &(0x7f0000003780)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000040)="0204000902000000e4a17c45c8d260c9", 0x10}], 0x7}, 0x0)
setsockopt(r5, 0x84, 0x81, &(0x7f0000000280)="1a00000002000000", 0x8)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000500)={0x3, 0x5, &(0x7f0000000700)=ANY=[@ANYBLOB="180000000000000000000000000000de850000006100000085000000a0000000"], &(0x7f0000000200)='GPL\x00'}, 0x90)
openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0)
r7 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000200)={'veth1_to_bridge\x00', <r8=>0x0})
socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCSIFADDR(r0, 0x8916, &(0x7f0000000100)={@local, 0x0, r8})
socket$nl_xfrm(0x10, 0x3, 0x6)
executing program 4:
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000300)={0xd, 0x10, 0x0, &(0x7f0000000100)='GPL\x00', 0xe}, 0x90)
r0 = socket$inet_udp(0x2, 0x2, 0x0)
recvmmsg(r0, &(0x7f0000000080)=[{{0x0, 0x0, 0x0}}], 0x40000000000012d, 0x2, 0x0)
bind$inet(r0, &(0x7f0000000040)={0x2, 0x4e20, @empty}, 0x10)
syz_emit_ethernet(0x32, &(0x7f00000005c0)={@broadcast, @random, @void, {@ipv4={0x800, @udp={{0x5, 0x4, 0x0, 0x0, 0x24, 0x0, 0x0, 0x0, 0x11, 0x0, @empty, @empty}, {0x0, 0x4e20, 0x10, 0x0, @gue={{0x2}}}}}}}, 0x0)
executing program 0:
r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000000180), r0)
sendmsg$IEEE802154_LLSEC_LIST_SECLEVEL(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000980)={&(0x7f0000000040)={0x14, r1, 0x31f}, 0x14}}, 0x0)
syz_genetlink_get_family_id$ieee802154(&(0x7f0000000140), r0)
getsockopt$inet_sctp6_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0)
executing program 4:
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x1, 0xb, &(0x7f0000000000)=@framed={{}, [@printk={@s, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x71}}]}, &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
executing program 2:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4001, 0x0, @dev={0xfe, 0x80, '\x00', 0x1b}, 0xd}, 0x1c)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000680)='cpu.stat\x00', 0x275a, 0x0)
write$binfmt_script(r1, &(0x7f0000000200), 0xfffffd9d)
sendfile(r0, r1, 0x0, 0xffffffff002)
syz_emit_ethernet(0x136, &(0x7f0000000080)=ANY=[@ANYBLOB="ffffffffffff00000000000086dd6012000801"], 0x0)
socket$nl_xfrm(0x10, 0x3, 0x6)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
shutdown(r3, 0x0)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r3, 0x84, 0x6f, &(0x7f0000000000)={0x0, 0x1c, &(0x7f00000000c0)=[@in6={0xa, 0x0, 0x0, @private2}]}, &(0x7f0000000180)=0x10)
getsockopt$inet_sctp_SCTP_MAX_BURST(0xffffffffffffffff, 0x84, 0xd, &(0x7f0000000000)=@assoc_value={<r4=>0x0}, &(0x7f0000000040)=0x8)
setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f00000001c0)={r4, @in={{0x2, 0x0, @empty}}, 0x0, 0x0, 0x0, 0x0, 0xd4}, 0x9c)
r5 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000040), 0xffffffffffffffff)
sendmsg$TIPC_NL_MEDIA_GET(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000005c0)={&(0x7f0000000200)={0x6c, r5, 0x1, 0x0, 0x0, {0x3}, [@TIPC_NLA_BEARER={0x58, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x0, 0x0, @dev={0xfe, 0x80, '\x00', 0x13}, 0xf8}}, {0x20, 0x2, @in6={0xa, 0x0, 0x0, @mcast2}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz0\x00'}]}]}, 0x6c}}, 0x0)
executing program 1:
r0 = bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000600)={0x4, 0xe, &(0x7f0000000580)=ANY=[@ANYRES32=r0], &(0x7f00000005c0)='GPL\x00', 0x400000, 0xfffffffffffffff8, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000040)={0x0, 0x0, 0x8}, 0x10}, 0x90)
socket$can_raw(0x1d, 0x3, 0x1)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$L2TP_CMD_TUNNEL_GET(r1, &(0x7f0000000440)={&(0x7f0000000280)={0x10, 0x0, 0x0, 0x4000000}, 0xc, 0x0, 0x1, 0x0, 0x0, 0x1}, 0x8005)
socket$kcm(0x11, 0x200000000000002, 0x300)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
r2 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_buf(r2, 0x6, 0xd, &(0x7f0000000000)="9b", 0x1)
setsockopt$inet6_tcp_TCP_QUEUE_SEQ(r2, 0x6, 0x15, &(0x7f0000000080), 0x4)
r3 = bpf$PROG_LOAD(0x5, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000180)={0x0, r3}, 0x10)
r4 = socket(0x1, 0x801, 0x0)
recvmmsg(0xffffffffffffffff, &(0x7f0000001c40)=[{{0x0, 0x0, 0x0}}, {{0x0, 0x0, 0x0}}], 0x2, 0x0, 0x0)
r5 = socket$kcm(0x10, 0x2, 0x0)
r6 = syz_genetlink_get_family_id$batadv(&(0x7f0000000340), 0xffffffffffffffff)
sendmsg$BATADV_CMD_GET_GATEWAYS(0xffffffffffffffff, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000003c0)={0x14, r6, 0x701, 0x0, 0x0, {0x6}}, 0x14}}, 0x0)
sendmsg$BATADV_CMD_GET_DAT_CACHE(r4, &(0x7f0000000540)={&(0x7f0000000480)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000500)={&(0x7f00000004c0)={0x1c, r6, 0x20, 0x70bd2d, 0x25dfdbfb, {}, [@BATADV_ATTR_GW_SEL_CLASS={0x8, 0x34, 0x200}]}, 0x1c}, 0x1, 0x0, 0x0, 0x22040000}, 0x850)
r7 = socket$nl_route(0x10, 0x3, 0x0)
r8 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r8, 0x8933, &(0x7f00000011c0)={'vxcan0\x00', <r9=>0x0})
socket(0xa, 0x2400000001, 0x0)
connect$can_j1939(r8, &(0x7f0000000080)={0x1d, r9}, 0x18)
writev(r8, &(0x7f0000000240)=[{&(0x7f0000000000)='h', 0xfdef}], 0x1)
setsockopt$SO_J1939_FILTER(r8, 0x6b, 0x1, &(0x7f0000000340)=[{0x40, 0x2, {0x0, 0xf0}, {0x0, 0xff}, 0xff, 0x1}, {0x1, 0x1, {}, {0x0, 0x1}, 0x0, 0xff}, {0x3, 0x100000000000, {}, {0x2}}], 0x60)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f0000000300)={'vxcan0\x00', <r10=>0x0})
r11 = socket$rxrpc(0x21, 0x2, 0xa)
connect$rxrpc(r11, &(0x7f0000000000)=@in6={0x21, 0x0, 0x2, 0x1c, {0xa, 0x0, 0x2, @mcast2}}, 0x5b)
sendmsg$nl_route_sched(r7, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f00000002c0)=@getchain={0x24, 0x11, 0x839, 0x0, 0x0, {0x0, 0x0, 0x0, r10}}, 0x24}}, 0x0)
executing program 0:
sendmsg$NL80211_CMD_NEW_STATION(0xffffffffffffffff, 0x0, 0x4048881)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$mptcp(0x0, 0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_DEL_ADDR(r0, &(0x7f0000001000)={0x0, 0x0, &(0x7f0000000fc0)={&(0x7f0000000f00)={0x30, r1, 0x1, 0x0, 0x0, {}, [@MPTCP_PM_ATTR_ADDR={0x1c, 0x1, 0x0, 0x1, [@MPTCP_PM_ADDR_ATTR_IF_IDX={0x8}, @MPTCP_PM_ADDR_ATTR_FAMILY={0x6, 0x1, 0x2}, @MPTCP_PM_ADDR_ATTR_ADDR4={0x8}]}]}, 0x30}}, 0x0)
r2 = socket$nl_route(0x10, 0x3, 0x0)
r3 = socket(0x10, 0x803, 0x0)
sendmsg$SMC_PNETID_GET(r3, &(0x7f0000000300)={0x0, 0x0, 0x0}, 0x0)
r4 = socket$nl_rdma(0x10, 0x3, 0x14)
sendmsg$RDMA_NLDEV_CMD_NEWLINK(r4, &(0x7f0000000600)={0x0, 0x0, &(0x7f00000005c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="380000000314010028bd7000000000000900020073797a3200000000080041"], 0x38}}, 0x0)
socket$inet6(0xa, 0x6, 0x0)
r5 = socket$inet_dccp(0x2, 0x6, 0x0)
connect$inet(r5, &(0x7f0000e5c000)={0x2, 0x4e20, @empty}, 0x10)
getsockopt$inet_int(r5, 0x10d, 0xeb, &(0x7f0000000000), &(0x7f0000000080)=0x4)
getsockname$packet(r3, &(0x7f0000000940)={0x11, 0x0, <r6=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000900)=0x14)
sendmsg$nl_route(r2, &(0x7f0000000380)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000b00)=@newlink={0x44, 0x10, 0x437, 0x0, 0x0, {0x0, 0x0, 0x0, r6, 0x54583}, [@IFLA_LINKINFO={0x24, 0x12, 0x0, 0x1, @ipip={{0x9}, {0x14, 0x2, 0x0, 0x1, [@IFLA_IPTUN_ENCAP_TYPE={0x6, 0xf, 0x2}, @IFLA_IPTUN_REMOTE={0x8, 0x3, @dev}]}}}]}, 0xfff9}}, 0x0)
r7 = socket$inet6_tcp(0xa, 0x1, 0x0)
connect$inet6(r7, &(0x7f0000000180)={0xa, 0x4001, 0x0, @dev={0xfe, 0x80, '\x00', 0x1b}, 0xd}, 0x1c)
ioctl$int_in(r7, 0x5421, &(0x7f0000000000)=0xdb42)
sendmsg$ETHTOOL_MSG_COALESCE_GET(r4, &(0x7f0000000280)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f0000000240)={&(0x7f00000003c0)={0xa0, 0x0, 0x100, 0x70bd2d, 0x25dfdbfd, {}, [@HEADER={0x4}, @HEADER={0x3c, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x3}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r6}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x3}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r6}, @ETHTOOL_A_HEADER_FLAGS={0x8}, @ETHTOOL_A_HEADER_FLAGS={0x8}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8}]}, @HEADER={0x1c, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8}]}, @HEADER={0x30, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_INDEX={0x8}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r6}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth0_to_hsr\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r6}]}]}, 0xa0}, 0x1, 0x0, 0x0, 0x48000}, 0x4000000)
sendmmsg$inet(0xffffffffffffffff, &(0x7f0000000d40)=[{{&(0x7f0000000040)={0x2, 0x4e1c, @loopback}, 0x10, 0x0, 0x0, &(0x7f0000000000)=[@ip_pktinfo={{0x1c, 0x0, 0x8, {r6, @empty}}}], 0x20}}], 0x1, 0x0)
executing program 4:
r0 = socket$unix(0x1, 0x1, 0x0)
r1 = socket$unix(0x1, 0x1, 0x0)
bind$unix(r1, &(0x7f0000003000)=@file={0x1}, 0x6e)
listen(r1, 0x0)
connect$unix(r0, &(0x7f0000000640)=@file={0x1}, 0x6e)
sendmsg$inet(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000180)=[{&(0x7f0000000100)='\\\x00\x00', 0x3}], 0x1, 0x0, 0x0, 0x1f00c00e}, 0x0)
executing program 4:
unshare(0x400)
r0 = socket(0x40000000015, 0x5, 0x0)
bind$inet6(r0, &(0x7f0000000000)={0xa, 0x0, 0x5, @ipv4={'\x00', '\xff\xff', @multicast1}, 0x4}, 0x1c)
executing program 0:
r0 = socket(0x10, 0x3, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$batadv(&(0x7f0000000340), 0xffffffffffffffff)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r3, 0x8933, &(0x7f0000000040)={'batadv0\x00', <r4=>0x0})
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r3, 0x8933, &(0x7f0000000280)={'batadv_slave_0\x00', <r5=>0x0})
sendmsg$BATADV_CMD_GET_NEIGHBORS(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000240)=ANY=[@ANYBLOB='$\x00\x00\x00', @ANYRES16=r2, @ANYBLOB="010300000000000000f00800000008000300", @ANYRES32=r4, @ANYBLOB="08000600", @ANYRES32=r5], 0x24}}, 0x0)
r6 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_int(r6, 0x29, 0x31, &(0x7f0000000040)=0x8000, 0x4)
bind$inet6(r6, &(0x7f0000f5dfe4)={0xa, 0x4e20, 0x0, @empty}, 0x1c)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000080)={0xffffffffffffffff, 0x18000000000002a0, 0x0, 0x0, 0x0, 0x0, 0x24, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x50)
syz_emit_ethernet(0x2a, &(0x7f0000001600)={@local, @link_local, @void, {@ipv4={0x800, @udp={{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty, @empty}, {0x0, 0x4e20, 0x8}}}}}, 0x0)
recvmmsg(r6, &(0x7f0000000040), 0x400000000000284, 0x2, 0x0)
getsockopt$inet_sctp_SCTP_DEFAULT_PRINFO(r0, 0x84, 0x72, &(0x7f0000000040)={<r7=>0x0, 0x800}, &(0x7f0000000140)=0xc)
syz_genetlink_get_family_id$tipc2(0x0, 0xffffffffffffffff)
sendmsg$TIPC_NL_NAME_TABLE_GET(0xffffffffffffffff, 0x0, 0x0)
setsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(0xffffffffffffffff, 0x84, 0x13, &(0x7f0000000100)=0xb03, 0x4)
syz_emit_ethernet(0x0, 0x0, 0x0)
close(0xffffffffffffffff)
sendmsg$IPVS_CMD_SET_CONFIG(0xffffffffffffffff, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000340)={&(0x7f0000000200)=ANY=[], 0x28}}, 0x0)
syz_emit_ethernet(0xae, &(0x7f0000000000)={@link_local, @link_local, @void, {@ipv6={0x86dd, @icmpv6={0x0, 0x6, "081f20", 0x78, 0x3a, 0xff, @remote, @mcast2, {[], @ndisc_ra={0x86, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, [{0x0, 0xa, "a78ce54006598080a8030037004023493b87aafaffffffffffffff23732472eefa45ad96489269748e254c1e4a8a8b3f0ab0c430d3be27df3e34066d42ca0a5c15b37adac15084dbaf736b41e5af1802"}, {0x0, 0x1, "000000000400260004000000"}, {0x1, 0x1, "fe906d17efe3"}]}}}}}}, 0x0)
getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r0, 0x84, 0x70, &(0x7f0000000180)={r7, @in={{0x2, 0x4e20, @private=0xa010102}}, [0xe689, 0x8000000000000000, 0x3, 0x10000, 0x5663, 0x509592ff, 0xbc, 0x800, 0x56e, 0x4, 0x1, 0x186ebba1, 0x7ff, 0xfffffffffffffffa, 0x6e1]}, &(0x7f0000000280)=0x100)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r8=>0xffffffffffffffff})
syz_genetlink_get_family_id$smc(&(0x7f00000002c0), r0)
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000000)={'lo\x00', <r9=>0x0})
sendmsg$nl_route_sched(r0, &(0x7f0000000640)={0x0, 0x0, &(0x7f0000000780)={&(0x7f00000000c0)=@newqdisc={0x24, 0x24, 0xf0b, 0x0, 0x0, {0x60, 0x0, 0x0, r9, {}, {0xffff, 0xffff}}}, 0x24}}, 0x0)
executing program 4:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)={0x18, 0x2a, 0x9, 0x0, 0x0, {0x4, 0x0, 0x2c00}, [@nested={0x4, 0x12}]}, 0x18}, 0x1, 0x3000000}, 0x0)
executing program 1:
r0 = socket(0x10, 0x3, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$batadv(&(0x7f0000000340), 0xffffffffffffffff)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r3, 0x8933, &(0x7f0000000040)={'batadv0\x00', <r4=>0x0})
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r3, 0x8933, &(0x7f0000000280)={'batadv_slave_0\x00', <r5=>0x0})
sendmsg$BATADV_CMD_GET_NEIGHBORS(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000240)=ANY=[@ANYBLOB='$\x00\x00\x00', @ANYRES16=r2, @ANYBLOB="010300000000000000f00800000008000300", @ANYRES32=r4, @ANYBLOB="08000600", @ANYRES32=r5], 0x24}}, 0x0)
r6 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_int(r6, 0x29, 0x31, &(0x7f0000000040)=0x8000, 0x4)
bind$inet6(r6, &(0x7f0000f5dfe4)={0xa, 0x4e20, 0x0, @empty}, 0x1c)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000080)={0xffffffffffffffff, 0x18000000000002a0, 0x0, 0x0, 0x0, 0x0, 0x24, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x50)
syz_emit_ethernet(0x2a, &(0x7f0000001600)={@local, @link_local, @void, {@ipv4={0x800, @udp={{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty, @empty}, {0x0, 0x4e20, 0x8}}}}}, 0x0)
recvmmsg(r6, &(0x7f0000000040), 0x400000000000284, 0x2, 0x0)
getsockopt$inet_sctp_SCTP_DEFAULT_PRINFO(r0, 0x84, 0x72, &(0x7f0000000040)={<r7=>0x0, 0x800}, 0x0)
syz_genetlink_get_family_id$tipc2(0x0, 0xffffffffffffffff)
sendmsg$TIPC_NL_NAME_TABLE_GET(0xffffffffffffffff, 0x0, 0x0)
setsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(0xffffffffffffffff, 0x84, 0x13, &(0x7f0000000100)=0xb03, 0x4)
syz_emit_ethernet(0x0, 0x0, 0x0)
close(0xffffffffffffffff)
sendmsg$IPVS_CMD_SET_CONFIG(0xffffffffffffffff, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000340)={&(0x7f0000000200)=ANY=[], 0x28}}, 0x0)
syz_emit_ethernet(0xae, &(0x7f0000000000)={@link_local, @link_local, @void, {@ipv6={0x86dd, @icmpv6={0x0, 0x6, "081f20", 0x78, 0x3a, 0xff, @remote, @mcast2, {[], @ndisc_ra={0x86, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, [{0x0, 0xa, "a78ce54006598080a8030037004023493b87aafaffffffffffffff23732472eefa45ad96489269748e254c1e4a8a8b3f0ab0c430d3be27df3e34066d42ca0a5c15b37adac15084dbaf736b41e5af1802"}, {0x0, 0x1, "000000000400260004000000"}, {0x1, 0x1, "fe906d17efe3"}]}}}}}}, 0x0)
getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r0, 0x84, 0x70, &(0x7f0000000180)={r7, @in={{0x2, 0x4e20, @private=0xa010102}}, [0xe689, 0x8000000000000000, 0x3, 0x10000, 0x5663, 0x509592ff, 0xbc, 0x800, 0x56e, 0x4, 0x1, 0x186ebba1, 0x7ff, 0xfffffffffffffffa, 0x6e1]}, &(0x7f0000000280)=0x100)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r8=>0xffffffffffffffff})
syz_genetlink_get_family_id$smc(&(0x7f00000002c0), r0)
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000000)={'lo\x00', <r9=>0x0})
sendmsg$nl_route_sched(r0, &(0x7f0000000640)={0x0, 0x0, &(0x7f0000000780)={&(0x7f00000000c0)=@newqdisc={0x48, 0x24, 0xf0b, 0x0, 0x0, {0x60, 0x0, 0x0, r9, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_fq_codel={{0xd}, {0x14, 0x2, [@TCA_FQ_CODEL_QUANTUM={0x8}, @TCA_FQ_CODEL_FLOWS={0x8, 0x5, 0x7fff}]}}]}, 0x48}}, 0x0)
executing program 4:
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f00000007c0)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc(sm4)\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000001280)="b7f21e0dd037a3f08d3aaea2bc0000de", 0x10)
r1 = accept$alg(r0, 0x0, 0x0)
sendmsg$alg(r1, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000002a00)=[{&(0x7f0000002900)="ccb0f1104dc7f600b9a3720847aac9a2b51a80af95655526910c1431d37326cf17d44ca3f624286da9a17d8ec43ffa4e99584810546966d0fffc95cf5fe175560742ca5687d6bee70b3645903a33108420903aa541c59e04bfeaa460604649dcaf74d53ddf83e069d8d0df09b6b7191c0bfbd0c1d902aa78ceef3acb7c98228820b57ba692214312e9e49b43a0b9fe75", 0x90}], 0x1}, 0x0)
recvmmsg(r1, &(0x7f0000002a40)=[{{0x0, 0x0, &(0x7f0000000500)=[{&(0x7f0000000580)=""/201, 0xc9}], 0x1}}], 0x1, 0x0, 0x0)
executing program 0:
r0 = socket$can_raw(0x1d, 0x3, 0x1)
setsockopt$CAN_RAW_ERR_FILTER(r0, 0x65, 0x7, &(0x7f00000001c0)=0x44, 0x4)
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$inet_tcp_int(r0, 0x6, 0x210000000013, &(0x7f00000000c0)=0x100000001, 0x4)
bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e21, @broadcast}, 0x10)
connect$inet(r0, &(0x7f0000000180)={0x2, 0x4e21, @local}, 0x10)
setsockopt$inet_tcp_TCP_REPAIR_OPTIONS(r0, 0x6, 0x16, &(0x7f0000000000)=[@mss, @sack_perm, @window, @mss, @window, @window], 0x20000000000000e4)
setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000040)='yeah\x00', 0x5)
setsockopt$inet_tcp_TCP_REPAIR(r0, 0x6, 0x13, &(0x7f00000001c0), 0xc7)
sendto$inet(r0, &(0x7f0000000000), 0xffffffffffffff94, 0x0, 0x0, 0x0)
recvfrom$inet(r0, 0x0, 0x0, 0x0, 0x0, 0x0)
executing program 1:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000380)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f00000016c0)=ANY=[@ANYBLOB="480000001000370400"/20, @ANYRES32=0x0, @ANYBLOB="8b04040000000000280012800b00010067656e657665000018000280060005204e2000000500080005000800040006"], 0x48}}, 0x0)
executing program 1:
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x2)
r0 = syz_open_procfs$pagemap(0x0, &(0x7f00000012c0))
ioctl$PAGEMAP_SCAN(r0, 0xc0606610, &(0x7f0000000080)={0x60, 0x0, &(0x7f0000002000/0x4000)=nil, &(0x7f0000ffa000/0x4000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x44})
executing program 3:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000240)={{0x14}, [@NFT_MSG_NEWTABLE={0x14, 0x0, 0xa, 0x5, 0x0, 0x0, {0x1}}, @NFT_MSG_NEWCHAIN={0x20, 0x3, 0xa, 0x201, 0x0, 0x0, {0x1}, [@NFTA_CHAIN_TABLE={0x9, 0x1, 'syz0\x00'}]}], {0x14}}, 0x5c}}, 0x0)
executing program 2:
r0 = openat$ptp0(0xffffff9c, &(0x7f00000009c0), 0x123101, 0x0)
ioctl$AUTOFS_IOC_PROTOSUBVER(r0, 0x80049367, 0x0)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000340)={&(0x7f0000000240)=@newlink={0x38, 0x10, 0x401, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x18, 0x12, 0x0, 0x1, @ppp={{0x8}, {0xc, 0x2, 0x0, 0x1, {0x8, 0x1, r0}}}}]}, 0x38}}, 0x0)
executing program 2:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000400)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000000)=ANY=[@ANYBLOB="17000000760009eeffffffff", @ANYBLOB], 0x24}, 0x1, 0x5502000000000000}, 0x0)
executing program 3:
mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0)
mount$9p_virtio(&(0x7f00000001c0), &(0x7f0000000480)='./file0\x00', &(0x7f00000004c0), 0x0, &(0x7f0000000840)=ANY=[])
chdir(&(0x7f0000000280)='./file0\x00')
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='blkio.bfq.io_serviced\x00', 0x275a, 0x0)
read$FUSE(r0, &(0x7f00000021c0)={0x2020}, 0x2020)
executing program 2:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs2/binder0\x00', 0x0, 0x0)
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="043e3b0d"], 0x3e)

program did not crash
replaying the whole log did not cause a kernel crash
single: executing 5 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs2/binder0\x00', 0x0, 0x0)
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="043e3b0d"], 0x3e)

program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
single: successfully extracted reproducer
found reproducer with 2 syscalls
minimizing guilty program
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs2/binder0\x00', 0x0, 0x0)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
detailed listing:
executing program 0:
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="043e3b0d"], 0x3e)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0)
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="043e3b0d"], 0x3e)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs2/binder0\x00', 0x0, 0x0)
syz_emit_vhci(0x0, 0x3e)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs2/binder0\x00', 0x0, 0x0)
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB], 0x3e)

program did not crash
extracting C reproducer
testing compiled C program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
simplifying C reproducer
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
program did not crash
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
program did not crash
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
reproducing took 46m58.286272772s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-out-of-bounds in hci_le_ext_adv_report_evt net/bluetooth/hci_event.c:5937 [inline]
BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0xde8/0x31c0 net/bluetooth/hci_event.c:6210
Read of size 1 at addr ffff0000cfd87204 by task kworker/u5:1/4026

CPU: 0 PID: 4026 Comm: kworker/u5:1 Not tainted 5.15.165-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Workqueue: hci0 hci_rx_work
Call trace:
 dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x174/0x1e4 mm/kasan/report.c:451
 __asan_report_load1_noabort+0x44/0x50 mm/kasan/report_generic.c:306
 hci_le_ext_adv_report_evt net/bluetooth/hci_event.c:5937 [inline]
 hci_le_meta_evt+0xde8/0x31c0 net/bluetooth/hci_event.c:6210
 hci_event_packet+0xd34/0x12b4 net/bluetooth/hci_event.c:6527
 hci_rx_work+0x1c0/0x7c4 net/bluetooth/hci_core.c:5160
 process_one_work+0x790/0x11b8 kernel/workqueue.c:2310
 worker_thread+0x910/0x1034 kernel/workqueue.c:2457
 kthread+0x37c/0x45c kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870

Allocated by task 4030:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc+0xbc/0xfc mm/kasan/common.c:513
 __kasan_kmalloc+0x10/0x1c mm/kasan/common.c:522
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 __kmalloc_node_track_caller+0x234/0x448 mm/slub.c:4963
 kmalloc_reserve+0xe8/0x270 net/core/skbuff.c:356
 __alloc_skb+0x1a4/0x584 net/core/skbuff.c:427
 alloc_skb include/linux/skbuff.h:1167 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:391 [inline]
 vhci_get_user drivers/bluetooth/hci_vhci.c:170 [inline]
 vhci_write+0xb8/0x3b8 drivers/bluetooth/hci_vhci.c:290
 call_write_iter include/linux/fs.h:2172 [inline]
 new_sync_write fs/read_write.c:507 [inline]
 vfs_write+0x884/0xb44 fs/read_write.c:594
 ksys_write+0x15c/0x26c fs/read_write.c:647
 __do_sys_write fs/read_write.c:659 [inline]
 __se_sys_write fs/read_write.c:656 [inline]
 __arm64_sys_write+0x7c/0x90 fs/read_write.c:656
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

The buggy address belongs to the object at ffff0000cfd87000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 4 bytes to the right of
 512-byte region [ffff0000cfd87000, ffff0000cfd87200)
The buggy address belongs to the page:
page:000000002421fb43 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10fd84
head:000000002421fb43 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 0000000800000001 ffff0000c0002600
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000cfd87100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000cfd87180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000cfd87200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff0000cfd87280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000cfd87300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Bluetooth: hci0: Unknown advertising packet type: 0xff00
Bluetooth: hci0: Unknown advertising packet type: 0x6920
Bluetooth: hci0: Unknown advertising packet type: 0xf500
Bluetooth: hci0: Unknown advertising packet type: 0x7974
Bluetooth: hci0: Unknown advertising packet type: 0x78a0
Bluetooth: hci0: Unknown advertising packet type: 0xff00
Bluetooth: hci0: Unknown advertising packet type: 0xff80
Bluetooth: hci0: Unknown advertising packet type: 0xffff
Bluetooth: hci0: Unknown advertising packet type: 0x1030
Bluetooth: hci0: Unknown advertising packet type: 0xffff
bt_err_ratelimited: 2400 callbacks suppressed
Bluetooth: hci0: Unknown advertising packet type: 0xff80
Bluetooth: hci0: Unknown advertising packet type: 0xff80
Bluetooth: hci0: Unknown advertising packet type: 0xff80
Bluetooth: hci0: Unknown advertising packet type: 0xff80
Bluetooth: hci0: Unknown advertising packet type: 0xff80
Bluetooth: hci0: Unknown advertising packet type: 0xff80
Bluetooth: hci0: Unknown advertising packet type: 0xff00
Bluetooth: hci0: Unknown advertising packet type: 0xff80
Bluetooth: hci0: Unknown advertising packet type: 0xff80
Bluetooth: hci0: Unknown advertising packet type: 0xff80

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-out-of-bounds in hci_le_ext_adv_report_evt net/bluetooth/hci_event.c:5937 [inline]
BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0xde8/0x31c0 net/bluetooth/hci_event.c:6210
Read of size 1 at addr ffff0000cfd87204 by task kworker/u5:1/4026

CPU: 0 PID: 4026 Comm: kworker/u5:1 Not tainted 5.15.165-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Workqueue: hci0 hci_rx_work
Call trace:
 dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x174/0x1e4 mm/kasan/report.c:451
 __asan_report_load1_noabort+0x44/0x50 mm/kasan/report_generic.c:306
 hci_le_ext_adv_report_evt net/bluetooth/hci_event.c:5937 [inline]
 hci_le_meta_evt+0xde8/0x31c0 net/bluetooth/hci_event.c:6210
 hci_event_packet+0xd34/0x12b4 net/bluetooth/hci_event.c:6527
 hci_rx_work+0x1c0/0x7c4 net/bluetooth/hci_core.c:5160
 process_one_work+0x790/0x11b8 kernel/workqueue.c:2310
 worker_thread+0x910/0x1034 kernel/workqueue.c:2457
 kthread+0x37c/0x45c kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870

Allocated by task 4030:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc+0xbc/0xfc mm/kasan/common.c:513
 __kasan_kmalloc+0x10/0x1c mm/kasan/common.c:522
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 __kmalloc_node_track_caller+0x234/0x448 mm/slub.c:4963
 kmalloc_reserve+0xe8/0x270 net/core/skbuff.c:356
 __alloc_skb+0x1a4/0x584 net/core/skbuff.c:427
 alloc_skb include/linux/skbuff.h:1167 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:391 [inline]
 vhci_get_user drivers/bluetooth/hci_vhci.c:170 [inline]
 vhci_write+0xb8/0x3b8 drivers/bluetooth/hci_vhci.c:290
 call_write_iter include/linux/fs.h:2172 [inline]
 new_sync_write fs/read_write.c:507 [inline]
 vfs_write+0x884/0xb44 fs/read_write.c:594
 ksys_write+0x15c/0x26c fs/read_write.c:647
 __do_sys_write fs/read_write.c:659 [inline]
 __se_sys_write fs/read_write.c:656 [inline]
 __arm64_sys_write+0x7c/0x90 fs/read_write.c:656
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

The buggy address belongs to the object at ffff0000cfd87000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 4 bytes to the right of
 512-byte region [ffff0000cfd87000, ffff0000cfd87200)
The buggy address belongs to the page:
page:000000002421fb43 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10fd84
head:000000002421fb43 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 0000000800000001 ffff0000c0002600
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000cfd87100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000cfd87180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000cfd87200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff0000cfd87280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000cfd87300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Bluetooth: hci0: Unknown advertising packet type: 0xff00
Bluetooth: hci0: Unknown advertising packet type: 0x6920
Bluetooth: hci0: Unknown advertising packet type: 0xf500
Bluetooth: hci0: Unknown advertising packet type: 0x7974
Bluetooth: hci0: Unknown advertising packet type: 0x78a0
Bluetooth: hci0: Unknown advertising packet type: 0xff00
Bluetooth: hci0: Unknown advertising packet type: 0xff80
Bluetooth: hci0: Unknown advertising packet type: 0xffff
Bluetooth: hci0: Unknown advertising packet type: 0x1030
Bluetooth: hci0: Unknown advertising packet type: 0xffff
bt_err_ratelimited: 2400 callbacks suppressed
Bluetooth: hci0: Unknown advertising packet type: 0xff80
Bluetooth: hci0: Unknown advertising packet type: 0xff80
Bluetooth: hci0: Unknown advertising packet type: 0xff80
Bluetooth: hci0: Unknown advertising packet type: 0xff80
Bluetooth: hci0: Unknown advertising packet type: 0xff80
Bluetooth: hci0: Unknown advertising packet type: 0xff80
Bluetooth: hci0: Unknown advertising packet type: 0xff00
Bluetooth: hci0: Unknown advertising packet type: 0xff80
Bluetooth: hci0: Unknown advertising packet type: 0xff80
Bluetooth: hci0: Unknown advertising packet type: 0xff80