Extracting prog: 24m46.8263474s Minimizing prog: 36m53.850226548s Simplifying prog options: 18m12.174372528s Extracting C: 9m6.991573373s Simplifying C: 0s 3 programs, 3 VMs, timeouts [6m0s] extracting reproducer from 3 programs single: executing 1 programs separately with timeout 6m0s testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$netlink-pipe-socketpair$unix-socket$nl_sock_diag-sendmsg$SOCK_DIAG_BY_FAMILY-pipe-write$binfmt_script-sendmsg$tipc-recvmsg-splice-socket$inet_smc-setsockopt$inet_tcp_int-socket$can_raw-setsockopt$SO_TIMESTAMPING-bpf$PROG_LOAD-ioctl$ifreq_SIOCGIFINDEX_vcan-bind$can_raw-socket$rds-bind$rds-setsockopt$packet_fanout_data-sendmsg$rds-recvmsg-sendmsg$can_raw-write$binfmt_misc-splice-getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM-write-bpf$PROG_LOAD-bpf$BPF_PROG_TEST_RUN-sendmsg$netlink detailed listing: executing program 0: r0 = socket$netlink(0x10, 0x3, 0x0) pipe(0x0) socketpair$unix(0x1, 0x0, 0x0, 0x0) r1 = socket$nl_sock_diag(0x10, 0x3, 0x4) sendmsg$SOCK_DIAG_BY_FAMILY(r1, &(0x7f0000001400)={0x0, 0x0, &(0x7f00000013c0)={&(0x7f00000006c0)=ANY=[@ANYBLOB="240000001400010000000000000000002c9e888833834773ed5b9f73a099d95e000d00010011a691cb3a8f31ba870000000000"], 0x24}}, 0x0) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) write$binfmt_script(0xffffffffffffffff, 0x0, 0xb) sendmsg$tipc(0xffffffffffffffff, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000400)=[{&(0x7f0000000080)="a118cc9103043bb6b43a384e596feba9c7475c393164e8136a8badd020b05ad7ef3a9311b5d1786848470999bd671ee1ff05028a89d331513ab3e3b93a838fc71f777c5cc8ddb1e33ae8d1639b8f7766e6721bb14bbf5d56e05724a892fa918f30a5b862a632886136515a080d4e09d4ab47cd71b15a613f8b672a8c04a6ba19c344bca81829e8beb56a28a5493addae55fe72a77b0f2612322fb62bebff3d269c7767f6a620361cd16c788a16387a8fe8637ad355039a38cee97342cdfc2f9f420b837dc337c0ba868b9e5c4cd16eba0d032e72f53319944eb6", 0xda}, {&(0x7f0000000180)="21e5e4027d", 0x5}, {&(0x7f00000001c0)="bd72881710c1bd8c04cc4235947485276a5a20d1f7e0fca72fb71491c6f91a95f1e2d6f4905f12ee94fb2a498aaa295a5bfd1a6e50de6fa787f8d9bb7aec51ce9dfdddb5fafaaa9b627d842e7d44d38c294ac49cc4a06abfad6a37cad093b9bbcefdff450363a7ea490e03b441f8834a6749069483b8e76f8c214ccd609b86174166369b2b4110e44a6cf08f872c9da7c4c51de01f8e28f27d6209154aa3035b898ffffc3f43110554dace7ae64a101673acc488c3dd7b849c6b2eed6007ed6673e75e7694cd146d802236b3bcbd93b75c65264b1aa1630f", 0xd8}, {&(0x7f00000002c0)="c851e29c5c486618c02d737a89a9ed85836d88d6d95173ea787178d67621e933e391961c450a46d77ff8276c08eb99bf19f8fa40e7201ef0498fea0f781a693ba1650dcdddd629a2d9f7e43c18cbaf4020ea551524d72e", 0x57}, {&(0x7f0000000340)="ce5714db13a7111cb226281c3d8840", 0xf}], 0x5}, 0x0) recvmsg(0xffffffffffffffff, &(0x7f0000000940)={0x0, 0x0, &(0x7f00000007c0)=[{&(0x7f0000000540)=""/52, 0x34}], 0x1}, 0x40001027) splice(0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0) socket$inet_smc(0x2b, 0x1, 0x0) setsockopt$inet_tcp_int(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x10) r4 = socket$can_raw(0x1d, 0x3, 0x1) setsockopt$SO_TIMESTAMPING(r4, 0x1, 0x25, &(0x7f0000000000)=0x190, 0x4) bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x1, 0x3, &(0x7f0000000200)=ANY=[@ANYBLOB="850000002f000000d4020001200000009500000000000000"], &(0x7f0000000240)='GPL\x00', 0x1, 0x473, &(0x7f0000000280)=""/195, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x0, 0x10, &(0x7f0000000000), 0xffffffffffffff60}, 0x48) ioctl$ifreq_SIOCGIFINDEX_vcan(r4, 0x8933, &(0x7f0000000ac0)={'vxcan1\x00', 0x0}) bind$can_raw(r4, &(0x7f00000005c0), 0x10) r6 = socket$rds(0x15, 0x5, 0x0) bind$rds(r6, &(0x7f0000000040)={0x2, 0x0, @loopback}, 0x10) setsockopt$packet_fanout_data(r3, 0x107, 0x16, &(0x7f0000000640)={0x6, &(0x7f0000000600)=[{0x0, 0x7f, 0x81, 0x7}, {0x4, 0x3, 0xff, 0xf83}, {0x1072, 0x5, 0x3}, {0x4, 0x62, 0x4, 0x4}, {0x6, 0xff, 0x8, 0x2}, {0x36, 0x0, 0xb8, 0x7f}]}, 0x10) sendmsg$rds(r6, &(0x7f0000000580)={&(0x7f0000000000)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f0000000180)=[@mask_cswp={0x58, 0x114, 0x9, {{}, &(0x7f0000000080), 0x0, 0x0, 0x200000000000000, 0x0, 0x800000000, 0x0, 0xfffffffffffffffc}}, @fadd={0x58, 0x114, 0x6, {{}, 0x0, 0x0, 0x0, 0x1000, 0x0, 0x0, 0x0, 0xfffffffffffffffd}}], 0xb0, 0x5}, 0x0) recvmsg(r4, &(0x7f0000000a00)={0x0, 0x0, &(0x7f0000000980)=[{&(0x7f0000000480)=""/238, 0xee}, {0x0}], 0x2}, 0x0) sendmsg$can_raw(r4, &(0x7f0000000440)={&(0x7f0000000780)={0x1d, r5}, 0x10, &(0x7f0000000200)={&(0x7f0000000140)=@can={{}, 0x0, 0x0, 0x0, 0x0, "5b7b00008f28aaf0"}, 0x10}}, 0x0) write$binfmt_misc(0xffffffffffffffff, &(0x7f0000000680)=ANY=[@ANYRESOCT=0x0], 0xfdef) splice(0xffffffffffffffff, 0x0, r3, 0x0, 0x80, 0x2) getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r3, 0x84, 0xa, &(0x7f0000000380)={0x40, 0xa, 0x0, 0xffffffff, 0x81, 0x2, 0x7ff, 0x10041}, &(0x7f0000000700)=0x20) write(0xffffffffffffffff, 0x0, 0x0) r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f0000000200)=ANY=[@ANYBLOB="18020000000002000000000000000000850000003600000095"], &(0x7f0000000000)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, r2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f00000000c0)={r7, 0x27, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf2ffffff, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) sendmsg$netlink(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000440)=ANY=[@ANYBLOB="1c0000005f00250e00ad000000000000000000002573"], 0x1c}], 0x1}, 0x0) program did not crash single: failed to extract reproducer bisect: bisecting 3 programs with base timeout 6m0s testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [2, 2, 30] detailed listing: executing program 1: r0 = socket$netlink(0x10, 0x3, 0x0) sendmsg$netlink(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000440)=ANY=[@ANYBLOB="1c0000005f00250e00ad000000000000000000002573"], 0x1c}], 0x1}, 0x0) executing program 1: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000001c40)=@newtaction={0xf0, 0x30, 0x1, 0x0, 0x0, {}, [{0xdc, 0x1, [@m_police={0x6c, 0x1, 0x0, 0x0, {{0xb}, {0x40, 0x2, 0x0, 0x1, [[@TCA_POLICE_TBF={0x3c, 0x1, {0x0, 0x2}}]]}, {0x4}, {0xc}, {0xc}}}, @m_police={0x6c, 0x2, 0x0, 0x0, {{0xb}, {0x40, 0x2, 0x0, 0x1, [[@TCA_POLICE_TBF={0x3c, 0x1, {0x1, 0x0, 0x0, 0x0, 0x0, {}, {0x0, 0x0, 0xd84}}}]]}, {0x4}, {0xc}, {0xc}}}]}]}, 0xf0}}, 0x0) executing program 1: r0 = socket$netlink(0x10, 0x3, 0x0) pipe(0x0) socketpair$unix(0x1, 0x0, 0x0, 0x0) r1 = socket$nl_sock_diag(0x10, 0x3, 0x4) sendmsg$SOCK_DIAG_BY_FAMILY(r1, &(0x7f0000001400)={0x0, 0x0, &(0x7f00000013c0)={&(0x7f00000006c0)=ANY=[@ANYBLOB="240000001400010000000000000000002c9e888833834773ed5b9f73a099d95e000d00010011a691cb3a8f31ba870000000000"], 0x24}}, 0x0) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) write$binfmt_script(0xffffffffffffffff, 0x0, 0xb) sendmsg$tipc(0xffffffffffffffff, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000400)=[{&(0x7f0000000080)="a118cc9103043bb6b43a384e596feba9c7475c393164e8136a8badd020b05ad7ef3a9311b5d1786848470999bd671ee1ff05028a89d331513ab3e3b93a838fc71f777c5cc8ddb1e33ae8d1639b8f7766e6721bb14bbf5d56e05724a892fa918f30a5b862a632886136515a080d4e09d4ab47cd71b15a613f8b672a8c04a6ba19c344bca81829e8beb56a28a5493addae55fe72a77b0f2612322fb62bebff3d269c7767f6a620361cd16c788a16387a8fe8637ad355039a38cee97342cdfc2f9f420b837dc337c0ba868b9e5c4cd16eba0d032e72f53319944eb6", 0xda}, {&(0x7f0000000180)="21e5e4027d", 0x5}, {&(0x7f00000001c0)="bd72881710c1bd8c04cc4235947485276a5a20d1f7e0fca72fb71491c6f91a95f1e2d6f4905f12ee94fb2a498aaa295a5bfd1a6e50de6fa787f8d9bb7aec51ce9dfdddb5fafaaa9b627d842e7d44d38c294ac49cc4a06abfad6a37cad093b9bbcefdff450363a7ea490e03b441f8834a6749069483b8e76f8c214ccd609b86174166369b2b4110e44a6cf08f872c9da7c4c51de01f8e28f27d6209154aa3035b898ffffc3f43110554dace7ae64a101673acc488c3dd7b849c6b2eed6007ed6673e75e7694cd146d802236b3bcbd93b75c65264b1aa1630f", 0xd8}, {&(0x7f00000002c0)="c851e29c5c486618c02d737a89a9ed85836d88d6d95173ea787178d67621e933e391961c450a46d77ff8276c08eb99bf19f8fa40e7201ef0498fea0f781a693ba1650dcdddd629a2d9f7e43c18cbaf4020ea551524d72e", 0x57}, {&(0x7f0000000340)="ce5714db13a7111cb226281c3d8840", 0xf}], 0x5}, 0x0) recvmsg(0xffffffffffffffff, &(0x7f0000000940)={0x0, 0x0, &(0x7f00000007c0)=[{&(0x7f0000000540)=""/52, 0x34}], 0x1}, 0x40001027) splice(0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0) socket$inet_smc(0x2b, 0x1, 0x0) setsockopt$inet_tcp_int(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x10) r4 = socket$can_raw(0x1d, 0x3, 0x1) setsockopt$SO_TIMESTAMPING(r4, 0x1, 0x25, &(0x7f0000000000)=0x190, 0x4) bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x1, 0x3, &(0x7f0000000200)=ANY=[@ANYBLOB="850000002f000000d4020001200000009500000000000000"], &(0x7f0000000240)='GPL\x00', 0x1, 0x473, &(0x7f0000000280)=""/195, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x0, 0x10, &(0x7f0000000000), 0xffffffffffffff60}, 0x48) ioctl$ifreq_SIOCGIFINDEX_vcan(r4, 0x8933, &(0x7f0000000ac0)={'vxcan1\x00', 0x0}) bind$can_raw(r4, &(0x7f00000005c0), 0x10) r6 = socket$rds(0x15, 0x5, 0x0) bind$rds(r6, &(0x7f0000000040)={0x2, 0x0, @loopback}, 0x10) setsockopt$packet_fanout_data(r3, 0x107, 0x16, &(0x7f0000000640)={0x6, &(0x7f0000000600)=[{0x0, 0x7f, 0x81, 0x7}, {0x4, 0x3, 0xff, 0xf83}, {0x1072, 0x5, 0x3}, {0x4, 0x62, 0x4, 0x4}, {0x6, 0xff, 0x8, 0x2}, {0x36, 0x0, 0xb8, 0x7f}]}, 0x10) sendmsg$rds(r6, &(0x7f0000000580)={&(0x7f0000000000)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f0000000180)=[@mask_cswp={0x58, 0x114, 0x9, {{}, &(0x7f0000000080), 0x0, 0x0, 0x200000000000000, 0x0, 0x800000000, 0x0, 0xfffffffffffffffc}}, @fadd={0x58, 0x114, 0x6, {{}, 0x0, 0x0, 0x0, 0x1000, 0x0, 0x0, 0x0, 0xfffffffffffffffd}}], 0xb0, 0x5}, 0x0) recvmsg(r4, &(0x7f0000000a00)={0x0, 0x0, &(0x7f0000000980)=[{&(0x7f0000000480)=""/238, 0xee}, {0x0}], 0x2}, 0x0) sendmsg$can_raw(r4, &(0x7f0000000440)={&(0x7f0000000780)={0x1d, r5}, 0x10, &(0x7f0000000200)={&(0x7f0000000140)=@can={{}, 0x0, 0x0, 0x0, 0x0, "5b7b00008f28aaf0"}, 0x10}}, 0x0) write$binfmt_misc(0xffffffffffffffff, &(0x7f0000000680)=ANY=[@ANYRESOCT=0x0], 0xfdef) splice(0xffffffffffffffff, 0x0, r3, 0x0, 0x80, 0x2) getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r3, 0x84, 0xa, &(0x7f0000000380)={0x40, 0xa, 0x0, 0xffffffff, 0x81, 0x2, 0x7ff, 0x10041}, &(0x7f0000000700)=0x20) write(0xffffffffffffffff, 0x0, 0x0) r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f0000000200)=ANY=[@ANYBLOB="18020000000002000000000000000000850000003600000095"], &(0x7f0000000000)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, r2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f00000000c0)={r7, 0x27, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf2ffffff, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) sendmsg$netlink(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000440)=ANY=[@ANYBLOB="1c0000005f00250e00ad000000000000000000002573"], 0x1c}], 0x1}, 0x0) program crashed: INFO: task hung in linkwatch_event bisect: bisecting 3 programs bisect: split chunks (needed=false): <3> bisect: split chunk #0 of len 3 into 3 parts bisect: testing without sub-chunk 1/3 testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [2, 30] detailed listing: executing program 1: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000001c40)=@newtaction={0xf0, 0x30, 0x1, 0x0, 0x0, {}, [{0xdc, 0x1, [@m_police={0x6c, 0x1, 0x0, 0x0, {{0xb}, {0x40, 0x2, 0x0, 0x1, [[@TCA_POLICE_TBF={0x3c, 0x1, {0x0, 0x2}}]]}, {0x4}, {0xc}, {0xc}}}, @m_police={0x6c, 0x2, 0x0, 0x0, {{0xb}, {0x40, 0x2, 0x0, 0x1, [[@TCA_POLICE_TBF={0x3c, 0x1, {0x1, 0x0, 0x0, 0x0, 0x0, {}, {0x0, 0x0, 0xd84}}}]]}, {0x4}, {0xc}, {0xc}}}]}]}, 0xf0}}, 0x0) executing program 1: r0 = socket$netlink(0x10, 0x3, 0x0) pipe(0x0) socketpair$unix(0x1, 0x0, 0x0, 0x0) r1 = socket$nl_sock_diag(0x10, 0x3, 0x4) sendmsg$SOCK_DIAG_BY_FAMILY(r1, &(0x7f0000001400)={0x0, 0x0, &(0x7f00000013c0)={&(0x7f00000006c0)=ANY=[@ANYBLOB="240000001400010000000000000000002c9e888833834773ed5b9f73a099d95e000d00010011a691cb3a8f31ba870000000000"], 0x24}}, 0x0) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) write$binfmt_script(0xffffffffffffffff, 0x0, 0xb) sendmsg$tipc(0xffffffffffffffff, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000400)=[{&(0x7f0000000080)="a118cc9103043bb6b43a384e596feba9c7475c393164e8136a8badd020b05ad7ef3a9311b5d1786848470999bd671ee1ff05028a89d331513ab3e3b93a838fc71f777c5cc8ddb1e33ae8d1639b8f7766e6721bb14bbf5d56e05724a892fa918f30a5b862a632886136515a080d4e09d4ab47cd71b15a613f8b672a8c04a6ba19c344bca81829e8beb56a28a5493addae55fe72a77b0f2612322fb62bebff3d269c7767f6a620361cd16c788a16387a8fe8637ad355039a38cee97342cdfc2f9f420b837dc337c0ba868b9e5c4cd16eba0d032e72f53319944eb6", 0xda}, {&(0x7f0000000180)="21e5e4027d", 0x5}, {&(0x7f00000001c0)="bd72881710c1bd8c04cc4235947485276a5a20d1f7e0fca72fb71491c6f91a95f1e2d6f4905f12ee94fb2a498aaa295a5bfd1a6e50de6fa787f8d9bb7aec51ce9dfdddb5fafaaa9b627d842e7d44d38c294ac49cc4a06abfad6a37cad093b9bbcefdff450363a7ea490e03b441f8834a6749069483b8e76f8c214ccd609b86174166369b2b4110e44a6cf08f872c9da7c4c51de01f8e28f27d6209154aa3035b898ffffc3f43110554dace7ae64a101673acc488c3dd7b849c6b2eed6007ed6673e75e7694cd146d802236b3bcbd93b75c65264b1aa1630f", 0xd8}, {&(0x7f00000002c0)="c851e29c5c486618c02d737a89a9ed85836d88d6d95173ea787178d67621e933e391961c450a46d77ff8276c08eb99bf19f8fa40e7201ef0498fea0f781a693ba1650dcdddd629a2d9f7e43c18cbaf4020ea551524d72e", 0x57}, {&(0x7f0000000340)="ce5714db13a7111cb226281c3d8840", 0xf}], 0x5}, 0x0) recvmsg(0xffffffffffffffff, &(0x7f0000000940)={0x0, 0x0, &(0x7f00000007c0)=[{&(0x7f0000000540)=""/52, 0x34}], 0x1}, 0x40001027) splice(0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0) socket$inet_smc(0x2b, 0x1, 0x0) setsockopt$inet_tcp_int(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x10) r4 = socket$can_raw(0x1d, 0x3, 0x1) setsockopt$SO_TIMESTAMPING(r4, 0x1, 0x25, &(0x7f0000000000)=0x190, 0x4) bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x1, 0x3, &(0x7f0000000200)=ANY=[@ANYBLOB="850000002f000000d4020001200000009500000000000000"], &(0x7f0000000240)='GPL\x00', 0x1, 0x473, &(0x7f0000000280)=""/195, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x0, 0x10, &(0x7f0000000000), 0xffffffffffffff60}, 0x48) ioctl$ifreq_SIOCGIFINDEX_vcan(r4, 0x8933, &(0x7f0000000ac0)={'vxcan1\x00', 0x0}) bind$can_raw(r4, &(0x7f00000005c0), 0x10) r6 = socket$rds(0x15, 0x5, 0x0) bind$rds(r6, &(0x7f0000000040)={0x2, 0x0, @loopback}, 0x10) setsockopt$packet_fanout_data(r3, 0x107, 0x16, &(0x7f0000000640)={0x6, &(0x7f0000000600)=[{0x0, 0x7f, 0x81, 0x7}, {0x4, 0x3, 0xff, 0xf83}, {0x1072, 0x5, 0x3}, {0x4, 0x62, 0x4, 0x4}, {0x6, 0xff, 0x8, 0x2}, {0x36, 0x0, 0xb8, 0x7f}]}, 0x10) sendmsg$rds(r6, &(0x7f0000000580)={&(0x7f0000000000)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f0000000180)=[@mask_cswp={0x58, 0x114, 0x9, {{}, &(0x7f0000000080), 0x0, 0x0, 0x200000000000000, 0x0, 0x800000000, 0x0, 0xfffffffffffffffc}}, @fadd={0x58, 0x114, 0x6, {{}, 0x0, 0x0, 0x0, 0x1000, 0x0, 0x0, 0x0, 0xfffffffffffffffd}}], 0xb0, 0x5}, 0x0) recvmsg(r4, &(0x7f0000000a00)={0x0, 0x0, &(0x7f0000000980)=[{&(0x7f0000000480)=""/238, 0xee}, {0x0}], 0x2}, 0x0) sendmsg$can_raw(r4, &(0x7f0000000440)={&(0x7f0000000780)={0x1d, r5}, 0x10, &(0x7f0000000200)={&(0x7f0000000140)=@can={{}, 0x0, 0x0, 0x0, 0x0, "5b7b00008f28aaf0"}, 0x10}}, 0x0) write$binfmt_misc(0xffffffffffffffff, &(0x7f0000000680)=ANY=[@ANYRESOCT=0x0], 0xfdef) splice(0xffffffffffffffff, 0x0, r3, 0x0, 0x80, 0x2) getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r3, 0x84, 0xa, &(0x7f0000000380)={0x40, 0xa, 0x0, 0xffffffff, 0x81, 0x2, 0x7ff, 0x10041}, &(0x7f0000000700)=0x20) write(0xffffffffffffffff, 0x0, 0x0) r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f0000000200)=ANY=[@ANYBLOB="18020000000002000000000000000000850000003600000095"], &(0x7f0000000000)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, r2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f00000000c0)={r7, 0x27, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf2ffffff, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) sendmsg$netlink(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000440)=ANY=[@ANYBLOB="1c0000005f00250e00ad000000000000000000002573"], 0x1c}], 0x1}, 0x0) program crashed: INFO: task hung in addrconf_dad_work bisect: the chunk can be dropped bisect: testing without sub-chunk 2/3 testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$netlink-pipe-socketpair$unix-socket$nl_sock_diag-sendmsg$SOCK_DIAG_BY_FAMILY-pipe-write$binfmt_script-sendmsg$tipc-recvmsg-splice-socket$inet_smc-setsockopt$inet_tcp_int-socket$can_raw-setsockopt$SO_TIMESTAMPING-bpf$PROG_LOAD-ioctl$ifreq_SIOCGIFINDEX_vcan-bind$can_raw-socket$rds-bind$rds-setsockopt$packet_fanout_data-sendmsg$rds-recvmsg-sendmsg$can_raw-write$binfmt_misc-splice-getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM-write-bpf$PROG_LOAD-bpf$BPF_PROG_TEST_RUN-sendmsg$netlink detailed listing: executing program 1: r0 = socket$netlink(0x10, 0x3, 0x0) pipe(0x0) socketpair$unix(0x1, 0x0, 0x0, 0x0) r1 = socket$nl_sock_diag(0x10, 0x3, 0x4) sendmsg$SOCK_DIAG_BY_FAMILY(r1, &(0x7f0000001400)={0x0, 0x0, &(0x7f00000013c0)={&(0x7f00000006c0)=ANY=[@ANYBLOB="240000001400010000000000000000002c9e888833834773ed5b9f73a099d95e000d00010011a691cb3a8f31ba870000000000"], 0x24}}, 0x0) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) write$binfmt_script(0xffffffffffffffff, 0x0, 0xb) sendmsg$tipc(0xffffffffffffffff, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000400)=[{&(0x7f0000000080)="a118cc9103043bb6b43a384e596feba9c7475c393164e8136a8badd020b05ad7ef3a9311b5d1786848470999bd671ee1ff05028a89d331513ab3e3b93a838fc71f777c5cc8ddb1e33ae8d1639b8f7766e6721bb14bbf5d56e05724a892fa918f30a5b862a632886136515a080d4e09d4ab47cd71b15a613f8b672a8c04a6ba19c344bca81829e8beb56a28a5493addae55fe72a77b0f2612322fb62bebff3d269c7767f6a620361cd16c788a16387a8fe8637ad355039a38cee97342cdfc2f9f420b837dc337c0ba868b9e5c4cd16eba0d032e72f53319944eb6", 0xda}, {&(0x7f0000000180)="21e5e4027d", 0x5}, {&(0x7f00000001c0)="bd72881710c1bd8c04cc4235947485276a5a20d1f7e0fca72fb71491c6f91a95f1e2d6f4905f12ee94fb2a498aaa295a5bfd1a6e50de6fa787f8d9bb7aec51ce9dfdddb5fafaaa9b627d842e7d44d38c294ac49cc4a06abfad6a37cad093b9bbcefdff450363a7ea490e03b441f8834a6749069483b8e76f8c214ccd609b86174166369b2b4110e44a6cf08f872c9da7c4c51de01f8e28f27d6209154aa3035b898ffffc3f43110554dace7ae64a101673acc488c3dd7b849c6b2eed6007ed6673e75e7694cd146d802236b3bcbd93b75c65264b1aa1630f", 0xd8}, {&(0x7f00000002c0)="c851e29c5c486618c02d737a89a9ed85836d88d6d95173ea787178d67621e933e391961c450a46d77ff8276c08eb99bf19f8fa40e7201ef0498fea0f781a693ba1650dcdddd629a2d9f7e43c18cbaf4020ea551524d72e", 0x57}, {&(0x7f0000000340)="ce5714db13a7111cb226281c3d8840", 0xf}], 0x5}, 0x0) recvmsg(0xffffffffffffffff, &(0x7f0000000940)={0x0, 0x0, &(0x7f00000007c0)=[{&(0x7f0000000540)=""/52, 0x34}], 0x1}, 0x40001027) splice(0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0) socket$inet_smc(0x2b, 0x1, 0x0) setsockopt$inet_tcp_int(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x10) r4 = socket$can_raw(0x1d, 0x3, 0x1) setsockopt$SO_TIMESTAMPING(r4, 0x1, 0x25, &(0x7f0000000000)=0x190, 0x4) bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x1, 0x3, &(0x7f0000000200)=ANY=[@ANYBLOB="850000002f000000d4020001200000009500000000000000"], &(0x7f0000000240)='GPL\x00', 0x1, 0x473, &(0x7f0000000280)=""/195, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x0, 0x10, &(0x7f0000000000), 0xffffffffffffff60}, 0x48) ioctl$ifreq_SIOCGIFINDEX_vcan(r4, 0x8933, &(0x7f0000000ac0)={'vxcan1\x00', 0x0}) bind$can_raw(r4, &(0x7f00000005c0), 0x10) r6 = socket$rds(0x15, 0x5, 0x0) bind$rds(r6, &(0x7f0000000040)={0x2, 0x0, @loopback}, 0x10) setsockopt$packet_fanout_data(r3, 0x107, 0x16, &(0x7f0000000640)={0x6, &(0x7f0000000600)=[{0x0, 0x7f, 0x81, 0x7}, {0x4, 0x3, 0xff, 0xf83}, {0x1072, 0x5, 0x3}, {0x4, 0x62, 0x4, 0x4}, {0x6, 0xff, 0x8, 0x2}, {0x36, 0x0, 0xb8, 0x7f}]}, 0x10) sendmsg$rds(r6, &(0x7f0000000580)={&(0x7f0000000000)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f0000000180)=[@mask_cswp={0x58, 0x114, 0x9, {{}, &(0x7f0000000080), 0x0, 0x0, 0x200000000000000, 0x0, 0x800000000, 0x0, 0xfffffffffffffffc}}, @fadd={0x58, 0x114, 0x6, {{}, 0x0, 0x0, 0x0, 0x1000, 0x0, 0x0, 0x0, 0xfffffffffffffffd}}], 0xb0, 0x5}, 0x0) recvmsg(r4, &(0x7f0000000a00)={0x0, 0x0, &(0x7f0000000980)=[{&(0x7f0000000480)=""/238, 0xee}, {0x0}], 0x2}, 0x0) sendmsg$can_raw(r4, &(0x7f0000000440)={&(0x7f0000000780)={0x1d, r5}, 0x10, &(0x7f0000000200)={&(0x7f0000000140)=@can={{}, 0x0, 0x0, 0x0, 0x0, "5b7b00008f28aaf0"}, 0x10}}, 0x0) write$binfmt_misc(0xffffffffffffffff, &(0x7f0000000680)=ANY=[@ANYRESOCT=0x0], 0xfdef) splice(0xffffffffffffffff, 0x0, r3, 0x0, 0x80, 0x2) getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r3, 0x84, 0xa, &(0x7f0000000380)={0x40, 0xa, 0x0, 0xffffffff, 0x81, 0x2, 0x7ff, 0x10041}, &(0x7f0000000700)=0x20) write(0xffffffffffffffff, 0x0, 0x0) r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f0000000200)=ANY=[@ANYBLOB="18020000000002000000000000000000850000003600000095"], &(0x7f0000000000)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, r2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f00000000c0)={r7, 0x27, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf2ffffff, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) sendmsg$netlink(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000440)=ANY=[@ANYBLOB="1c0000005f00250e00ad000000000000000000002573"], 0x1c}], 0x1}, 0x0) program did not crash bisect: testing without sub-chunk 3/3 testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-sendmsg$nl_route_sched detailed listing: executing program 1: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000001c40)=@newtaction={0xf0, 0x30, 0x1, 0x0, 0x0, {}, [{0xdc, 0x1, [@m_police={0x6c, 0x1, 0x0, 0x0, {{0xb}, {0x40, 0x2, 0x0, 0x1, [[@TCA_POLICE_TBF={0x3c, 0x1, {0x0, 0x2}}]]}, {0x4}, {0xc}, {0xc}}}, @m_police={0x6c, 0x2, 0x0, 0x0, {{0xb}, {0x40, 0x2, 0x0, 0x1, [[@TCA_POLICE_TBF={0x3c, 0x1, {0x1, 0x0, 0x0, 0x0, 0x0, {}, {0x0, 0x0, 0xd84}}}]]}, {0x4}, {0xc}, {0xc}}}]}]}, 0xf0}}, 0x0) program crashed: INFO: task hung in addrconf_dad_work bisect: the chunk can be dropped bisect: split chunks (needed=true): <1> bisect: split chunk #0 of len 1 into 2 parts bisect: no way to further split the chunk bisect: 1 programs left: executing program 1: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000001c40)=@newtaction={0xf0, 0x30, 0x1, 0x0, 0x0, {}, [{0xdc, 0x1, [@m_police={0x6c, 0x1, 0x0, 0x0, {{0xb}, {0x40, 0x2, 0x0, 0x1, [[@TCA_POLICE_TBF={0x3c, 0x1, {0x0, 0x2}}]]}, {0x4}, {0xc}, {0xc}}}, @m_police={0x6c, 0x2, 0x0, 0x0, {{0xb}, {0x40, 0x2, 0x0, 0x1, [[@TCA_POLICE_TBF={0x3c, 0x1, {0x1, 0x0, 0x0, 0x0, 0x0, {}, {0x0, 0x0, 0xd84}}}]]}, {0x4}, {0xc}, {0xc}}}]}]}, 0xf0}}, 0x0) bisect: trying to concatenate bisect: concatenate 1 entries testing program (duration=9m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-sendmsg$nl_route_sched detailed listing: executing program 0: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000001c40)=@newtaction={0xf0, 0x30, 0x1, 0x0, 0x0, {}, [{0xdc, 0x1, [@m_police={0x6c, 0x1, 0x0, 0x0, {{0xb}, {0x40, 0x2, 0x0, 0x1, [[@TCA_POLICE_TBF={0x3c, 0x1, {0x0, 0x2}}]]}, {0x4}, {0xc}, {0xc}}}, @m_police={0x6c, 0x2, 0x0, 0x0, {{0xb}, {0x40, 0x2, 0x0, 0x1, [[@TCA_POLICE_TBF={0x3c, 0x1, {0x1, 0x0, 0x0, 0x0, 0x0, {}, {0x0, 0x0, 0xd84}}}]]}, {0x4}, {0xc}, {0xc}}}]}]}, 0xf0}}, 0x0) program crashed: lost connection to test machine bisect: concatenation succeeded found reproducer with 2 syscalls minimizing guilty program testing program (duration=9m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route detailed listing: executing program 0: socket$nl_route(0x10, 0x3, 0x0) program did not crash testing program (duration=9m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$nl_route_sched detailed listing: executing program 0: sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000001c40)=@newtaction={0xf0, 0x30, 0x1, 0x0, 0x0, {}, [{0xdc, 0x1, [@m_police={0x6c, 0x1, 0x0, 0x0, {{0xb}, {0x40, 0x2, 0x0, 0x1, [[@TCA_POLICE_TBF={0x3c, 0x1, {0x0, 0x2}}]]}, {0x4}, {0xc}, {0xc}}}, @m_police={0x6c, 0x2, 0x0, 0x0, {{0xb}, {0x40, 0x2, 0x0, 0x1, [[@TCA_POLICE_TBF={0x3c, 0x1, {0x1, 0x0, 0x0, 0x0, 0x0, {}, {0x0, 0x0, 0xd84}}}]]}, {0x4}, {0xc}, {0xc}}}]}]}, 0xf0}}, 0x0) program did not crash testing program (duration=9m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-sendmsg$nl_route_sched detailed listing: executing program 0: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r0, 0x0, 0x0) program did not crash testing program (duration=9m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-sendmsg$nl_route_sched detailed listing: executing program 0: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000300)={0x0, 0x0, 0x0}, 0x0) program did not crash testing program (duration=9m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-sendmsg$nl_route_sched detailed listing: executing program 0: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={0x0}}, 0x0) program crashed: KASAN: slab-use-after-free Read in __hci_req_sync extracting C reproducer testing compiled C program (duration=9m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-sendmsg$nl_route_sched program did not crash simplifying guilty program options testing program (duration=9m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-sendmsg$nl_route_sched detailed listing: executing program 0: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={0x0}}, 0x0) program did not crash testing program (duration=9m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-sendmsg$nl_route_sched detailed listing: executing program 0: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={0x0}}, 0x0) program did not crash reproducing took 1h28m59.842546453s repro crashed as (corrupted=false): ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: slab-use-after-free in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] BUG: KASAN: slab-use-after-free in refcount_read include/linux/refcount.h:136 [inline] BUG: KASAN: slab-use-after-free in skb_unref include/linux/skbuff.h:1228 [inline] BUG: KASAN: slab-use-after-free in __kfree_skb_reason net/core/skbuff.c:1195 [inline] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x41/0x3b0 net/core/skbuff.c:1222 Read of size 4 at addr ffff88807ac65ea4 by task syz-executor.0/5230 CPU: 1 PID: 5230 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00761-g3ec8d7572a69 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 instrument_atomic_read include/linux/instrumented.h:68 [inline] atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] refcount_read include/linux/refcount.h:136 [inline] skb_unref include/linux/skbuff.h:1228 [inline] __kfree_skb_reason net/core/skbuff.c:1195 [inline] kfree_skb_reason+0x41/0x3b0 net/core/skbuff.c:1222 kfree_skb include/linux/skbuff.h:1263 [inline] __hci_req_sync+0x62f/0x950 net/bluetooth/hci_request.c:184 hci_req_sync+0xa9/0xd0 net/bluetooth/hci_request.c:206 hci_dev_cmd+0x4c5/0xa50 net/bluetooth/hci_core.c:787 sock_do_ioctl+0x158/0x460 net/socket.c:1222 sock_ioctl+0x629/0x8e0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fdc4747cc0b Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 RSP: 002b:00007fff8064c980 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdc4747cc0b RDX: 00007fff8064c9f8 RSI: 00000000400448dd RDI: 0000000000000003 RBP: 0000555577f5b430 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001 Allocated by task 4489: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:312 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3940 [inline] slab_alloc_node mm/slub.c:4000 [inline] kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4007 skb_clone+0x20c/0x390 net/core/skbuff.c:2052 hci_send_cmd_sync net/bluetooth/hci_core.c:4123 [inline] hci_cmd_work+0x29e/0x670 net/bluetooth/hci_core.c:4143 process_one_work kernel/workqueue.c:3231 [inline] process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 4489: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2195 [inline] slab_free mm/slub.c:4436 [inline] kmem_cache_free+0x145/0x350 mm/slub.c:4511 kfree_skb include/linux/skbuff.h:1263 [inline] hci_req_sync_complete+0xe7/0x290 net/bluetooth/hci_request.c:109 hci_event_packet+0xc71/0x1540 net/bluetooth/hci_event.c:7479 hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4074 process_one_work kernel/workqueue.c:3231 [inline] process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the object at ffff88807ac65dc0 which belongs to the cache skbuff_head_cache of size 240 The buggy address is located 228 bytes inside of freed 240-byte region [ffff88807ac65dc0, ffff88807ac65eb0) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7ac65 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffefff(slab) raw: 00fff00000000000 ffff888018ed5780 dead000000000122 0000000000000000 raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x152820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 11, tgid 11 (kworker/u8:0), ts 1066349176129, free_ts 1066307906062 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1468 prep_new_page mm/page_alloc.c:1476 [inline] get_page_from_freelist+0x2e2d/0x2ee0 mm/page_alloc.c:3402 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4660 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] alloc_slab_page+0x5f/0x120 mm/slub.c:2264 allocate_slab+0x5a/0x2e0 mm/slub.c:2427 new_slab mm/slub.c:2480 [inline] ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3666 __slab_alloc+0x58/0xa0 mm/slub.c:3756 __slab_alloc_node mm/slub.c:3809 [inline] slab_alloc_node mm/slub.c:3988 [inline] kmem_cache_alloc_node_noprof+0x1fe/0x320 mm/slub.c:4043 __alloc_skb+0x1c3/0x440 net/core/skbuff.c:656 alloc_skb include/linux/skbuff.h:1314 [inline] ndisc_alloc_skb+0xed/0x2c0 net/ipv6/ndisc.c:422 ndisc_send_rs+0x27b/0x6b0 net/ipv6/ndisc.c:703 addrconf_dad_completed+0x76c/0xcd0 net/ipv6/addrconf.c:4359 addrconf_dad_work+0xdc2/0x16f0 process_one_work kernel/workqueue.c:3231 [inline] process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393 kthread+0x2f0/0x390 kernel/kthread.c:389 page last free pid 4545 tgid 4545 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1088 [inline] free_unref_page+0xd22/0xea0 mm/page_alloc.c:2565 discard_slab mm/slub.c:2526 [inline] __put_partials+0xeb/0x130 mm/slub.c:2994 put_cpu_partial+0x17c/0x250 mm/slub.c:3069 __slab_free+0x2ea/0x3d0 mm/slub.c:4306 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x9e/0x140 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3940 [inline] slab_alloc_node mm/slub.c:4000 [inline] __do_kmalloc_node mm/slub.c:4120 [inline] __kmalloc_noprof+0x1a3/0x400 mm/slub.c:4134 kmalloc_noprof include/linux/slab.h:664 [inline] tomoyo_realpath_from_path+0xcf/0x5e0 security/tomoyo/realpath.c:251 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x2b7/0x740 security/tomoyo/file.c:822 security_inode_getattr+0xd8/0x130 security/security.c:2269 vfs_getattr+0x45/0x430 fs/stat.c:173 vfs_fstat fs/stat.c:198 [inline] vfs_fstatat+0xd6/0x190 fs/stat.c:300 __do_sys_newfstatat fs/stat.c:468 [inline] __se_sys_newfstatat fs/stat.c:462 [inline] __x64_sys_newfstatat+0x125/0x1b0 fs/stat.c:462 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff88807ac65d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff88807ac65e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88807ac65e80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc ^ ffff88807ac65f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88807ac65f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== final repro crashed as (corrupted=false): ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: slab-use-after-free in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] BUG: KASAN: slab-use-after-free in refcount_read include/linux/refcount.h:136 [inline] BUG: KASAN: slab-use-after-free in skb_unref include/linux/skbuff.h:1228 [inline] BUG: KASAN: slab-use-after-free in __kfree_skb_reason net/core/skbuff.c:1195 [inline] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x41/0x3b0 net/core/skbuff.c:1222 Read of size 4 at addr ffff88807ac65ea4 by task syz-executor.0/5230 CPU: 1 PID: 5230 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00761-g3ec8d7572a69 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 instrument_atomic_read include/linux/instrumented.h:68 [inline] atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] refcount_read include/linux/refcount.h:136 [inline] skb_unref include/linux/skbuff.h:1228 [inline] __kfree_skb_reason net/core/skbuff.c:1195 [inline] kfree_skb_reason+0x41/0x3b0 net/core/skbuff.c:1222 kfree_skb include/linux/skbuff.h:1263 [inline] __hci_req_sync+0x62f/0x950 net/bluetooth/hci_request.c:184 hci_req_sync+0xa9/0xd0 net/bluetooth/hci_request.c:206 hci_dev_cmd+0x4c5/0xa50 net/bluetooth/hci_core.c:787 sock_do_ioctl+0x158/0x460 net/socket.c:1222 sock_ioctl+0x629/0x8e0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fdc4747cc0b Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 RSP: 002b:00007fff8064c980 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdc4747cc0b RDX: 00007fff8064c9f8 RSI: 00000000400448dd RDI: 0000000000000003 RBP: 0000555577f5b430 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001 Allocated by task 4489: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:312 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3940 [inline] slab_alloc_node mm/slub.c:4000 [inline] kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4007 skb_clone+0x20c/0x390 net/core/skbuff.c:2052 hci_send_cmd_sync net/bluetooth/hci_core.c:4123 [inline] hci_cmd_work+0x29e/0x670 net/bluetooth/hci_core.c:4143 process_one_work kernel/workqueue.c:3231 [inline] process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 4489: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2195 [inline] slab_free mm/slub.c:4436 [inline] kmem_cache_free+0x145/0x350 mm/slub.c:4511 kfree_skb include/linux/skbuff.h:1263 [inline] hci_req_sync_complete+0xe7/0x290 net/bluetooth/hci_request.c:109 hci_event_packet+0xc71/0x1540 net/bluetooth/hci_event.c:7479 hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4074 process_one_work kernel/workqueue.c:3231 [inline] process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the object at ffff88807ac65dc0 which belongs to the cache skbuff_head_cache of size 240 The buggy address is located 228 bytes inside of freed 240-byte region [ffff88807ac65dc0, ffff88807ac65eb0) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7ac65 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffefff(slab) raw: 00fff00000000000 ffff888018ed5780 dead000000000122 0000000000000000 raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x152820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 11, tgid 11 (kworker/u8:0), ts 1066349176129, free_ts 1066307906062 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1468 prep_new_page mm/page_alloc.c:1476 [inline] get_page_from_freelist+0x2e2d/0x2ee0 mm/page_alloc.c:3402 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4660 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] alloc_slab_page+0x5f/0x120 mm/slub.c:2264 allocate_slab+0x5a/0x2e0 mm/slub.c:2427 new_slab mm/slub.c:2480 [inline] ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3666 __slab_alloc+0x58/0xa0 mm/slub.c:3756 __slab_alloc_node mm/slub.c:3809 [inline] slab_alloc_node mm/slub.c:3988 [inline] kmem_cache_alloc_node_noprof+0x1fe/0x320 mm/slub.c:4043 __alloc_skb+0x1c3/0x440 net/core/skbuff.c:656 alloc_skb include/linux/skbuff.h:1314 [inline] ndisc_alloc_skb+0xed/0x2c0 net/ipv6/ndisc.c:422 ndisc_send_rs+0x27b/0x6b0 net/ipv6/ndisc.c:703 addrconf_dad_completed+0x76c/0xcd0 net/ipv6/addrconf.c:4359 addrconf_dad_work+0xdc2/0x16f0 process_one_work kernel/workqueue.c:3231 [inline] process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393 kthread+0x2f0/0x390 kernel/kthread.c:389 page last free pid 4545 tgid 4545 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1088 [inline] free_unref_page+0xd22/0xea0 mm/page_alloc.c:2565 discard_slab mm/slub.c:2526 [inline] __put_partials+0xeb/0x130 mm/slub.c:2994 put_cpu_partial+0x17c/0x250 mm/slub.c:3069 __slab_free+0x2ea/0x3d0 mm/slub.c:4306 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x9e/0x140 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3940 [inline] slab_alloc_node mm/slub.c:4000 [inline] __do_kmalloc_node mm/slub.c:4120 [inline] __kmalloc_noprof+0x1a3/0x400 mm/slub.c:4134 kmalloc_noprof include/linux/slab.h:664 [inline] tomoyo_realpath_from_path+0xcf/0x5e0 security/tomoyo/realpath.c:251 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x2b7/0x740 security/tomoyo/file.c:822 security_inode_getattr+0xd8/0x130 security/security.c:2269 vfs_getattr+0x45/0x430 fs/stat.c:173 vfs_fstat fs/stat.c:198 [inline] vfs_fstatat+0xd6/0x190 fs/stat.c:300 __do_sys_newfstatat fs/stat.c:468 [inline] __se_sys_newfstatat fs/stat.c:462 [inline] __x64_sys_newfstatat+0x125/0x1b0 fs/stat.c:462 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff88807ac65d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff88807ac65e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88807ac65e80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc ^ ffff88807ac65f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88807ac65f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================