Extracting prog: 6m50.166734246s
Minimizing prog: 43m58.647311777s
Simplifying prog options: 0s
Extracting C: 18.620808344s
Simplifying C: 11m12.949330863s


24 programs, 3 VMs, timeouts [15s 1m40s 6m0s]
extracting reproducer from 24 programs
single: executing 4 programs separately with timeout 15s
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-openat$procfs-readv
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000001280)={0x18, 0x3, &(0x7f0000000940)=ANY=[@ANYBLOB="180000000000000000000000d5e4000095"], &(0x7f0000000440)='GPL\x00'}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000007c0)={&(0x7f0000000780)='contention_end\x00', r0}, 0x10)
r1 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000280)='/proc/asound/timers\x00', 0x0, 0x0)
readv(r1, &(0x7f0000000240)=[{&(0x7f00000006c0)=""/4103, 0x1007}], 0x1)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-open-fallocate-open-pwritev2-socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_NEW_STATION-fallocate-seccomp$SECCOMP_SET_MODE_FILTER_LISTENER-ioctl$SECCOMP_IOCTL_NOTIF_RECV-socket$nl_generic-ioctl$sock_SIOCETHTOOL-socket$nl_route-sendmsg$nl_route-ioctl$SECCOMP_IOCTL_NOTIF_ADDFD-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_NR_MMU_PAGES
detailed listing:
executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x80800, 0x0)
r1 = open(&(0x7f0000000180)='./bus\x00', 0x14927e, 0x0)
fallocate(r1, 0x0, 0x0, 0x1000f4)
r2 = open(&(0x7f00000005c0)='./bus\x00', 0x64842, 0x0)
pwritev2(r2, &(0x7f0000000240)=[{&(0x7f0000000000)="85", 0x78c00}], 0x1, 0x2000, 0x0, 0x3)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000f80), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r3, 0x8933, &(0x7f0000000040)={'wlan1\x00', <r5=>0x0})
sendmsg$NL80211_CMD_NEW_STATION(r3, &(0x7f0000001080)={0x0, 0x0, &(0x7f0000001040)={&(0x7f00000002c0)={0x44, r4, 0xb97534d5fe9704cf, 0x0, 0x0, {{}, {@val={0x8, 0x3, r5}, @void}}, [@NL80211_ATTR_STA_SUPPORTED_RATES={0x4}, @NL80211_ATTR_STA_LISTEN_INTERVAL={0x6}, @NL80211_ATTR_PEER_AID={0x6, 0xb5, 0x185}, @NL80211_ATTR_MAC={0xa, 0x6, @broadcast}, @NL80211_ATTR_OPMODE_NOTIF={0x5}]}, 0x44}}, 0x0)
fallocate(r1, 0x11, 0x596b, 0xd3eb)
r6 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0xa, &(0x7f0000000040)={0x4, &(0x7f0000000000)=[{0x100, 0xff, 0x1, 0x41d4}, {0x2, 0x20, 0xb3, 0x3ff}, {0x100, 0xff, 0x1, 0x750}, {0x7ff, 0xcb, 0xf7, 0x7289}]})
ioctl$SECCOMP_IOCTL_NOTIF_RECV(0xffffffffffffffff, 0xc0502100, &(0x7f0000000080))
r7 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCETHTOOL(r7, 0x8946, &(0x7f0000000180)={'wg1\x00', &(0x7f0000000080)=@ethtool_rxnfc={0x2a, 0x0, 0x0, {0x0, @tcp_ip6_spec={@mcast1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02'}, {0x0, @remote}, @ah_ip4_spec={@initdev={0xac, 0x1e, 0x0, 0x0}, @initdev={0xac, 0x1e, 0x0, 0x0}}, {0x0, @random="438d39bb7145"}}}})
r8 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r8, &(0x7f0000000dc0)={0x0, 0x0, &(0x7f0000000d80)={&(0x7f0000000d00)=ANY=[@ANYBLOB="1c6cd0a10fd30000002000110a00000000000000000a000000ff0000"], 0x1c}}, 0x0)
ioctl$SECCOMP_IOCTL_NOTIF_ADDFD(r6, 0x40182103, &(0x7f0000000100)={0x0, 0x0, r0, 0xfff, 0x80000})
r9 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_SET_NR_MMU_PAGES(r9, 0x4008ae48, 0x2)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-setsockopt$inet_MCAST_MSFILTER-socket$inet_udp-openat$ttyS3-ioctl$TCSBRKP-io_uring_setup-close-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-socket$inet6_sctp-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-fanotify_init-fanotify_mark-pipe2$9p-openat-mount$9p_fd
detailed listing:
executing program 0:
r0 = openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r1 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r1, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r2, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r2, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
r3 = socket$inet_udp(0x2, 0x2, 0x0)
r4 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001600), 0x0, 0x0)
ioctl$TCSBRKP(r4, 0x5425, 0x0)
r5 = io_uring_setup(0x2ad5, &(0x7f00000001c0))
close(r5)
ioctl$TCSETSW2(r4, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r3, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
socket$inet6_sctp(0xa, 0x0, 0x84)
r6 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r6, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r2, 0xffffffffffffffff, 0x0)
r7 = fanotify_init(0x0, 0x0)
fanotify_mark(r7, 0x105, 0x4800003a, r0, 0x0)
pipe2$9p(&(0x7f0000000080)={0xffffffffffffffff, <r8=>0xffffffffffffffff}, 0x0)
r9 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x101042, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280)={'trans=fd,', {'rfdno', 0x3d, r9}, 0x2c, {'wfdno', 0x3d, r8}})

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioperm-msgsnd-msgrcv-socket$nl_generic-socket$nl_generic-ioctl$ifreq_SIOCGIFINDEX_wireguard-syz_genetlink_get_family_id$wireguard-socket$netlink-socket$nl_route-socket$netlink-socket-write$binfmt_elf64-prctl$PR_SCHED_CORE-bpf$PROG_LOAD-getpid-process_vm_readv-bpf$BPF_PROG_TEST_RUN-getsockname$packet-sendmsg$nl_route-socket$nl_route-sendmsg$nl_route-bpf$BPF_RAW_TRACEPOINT_OPEN-ioctl$sock_SIOCGIFINDEX-socket$inet6-sendmsg$inet-sendmsg$nl_route-bpf$PROG_LOAD-sendmsg$WG_CMD_SET_DEVICE-sendmsg$WG_CMD_SET_DEVICE
detailed listing:
executing program 0:
ioperm(0x0, 0x3d, 0x80000000001f)
msgsnd(0x0, &(0x7f0000000140)=ANY=[@ANYBLOB="1c"], 0xb, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$ifreq_SIOCGIFINDEX_wireguard(r1, 0x8933, &(0x7f0000001880)={'wg1\x00', <r2=>0x0})
r3 = syz_genetlink_get_family_id$wireguard(&(0x7f0000000fc0), 0xffffffffffffffff)
socket$netlink(0x10, 0x3, 0x0)
r4 = socket$nl_route(0x10, 0x3, 0x0)
r5 = socket$netlink(0x10, 0x3, 0x0)
r6 = socket(0x10, 0x803, 0x0)
write$binfmt_elf64(r6, 0x0, 0x40)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000000)={0x1, 0x8, &(0x7f0000000400)=ANY=[@ANYBLOB="7a0af8ff75257035bfa100000000000007010000f9ffffffb702000005000000bf130000000000008500000006000000b7000000000000009500000000000000b2595285faa6ead0169191d54f8196217fc560e2fc91f6da4dad4fdc2eb1b5986fc4a3f611a7c8edd3aa5d6ee7ab10b1a297cf528666d1ddd73f3047d248df061222193165274bc7f2382f6cda4bfdd45be583823c0f09621f3c1c65ee19ee875daf45006a4c4ea5e15b2f9618d547244a22000000000000db453620ce7243d1aebdb638d91dbef661935839c77edf2d34b12cd48a0c20fb7dd843267e0331759f4ec6b5b0af58e604f4942eb613eff289026d5045ef76d7d864409eb2dc7718a09f4886afc26abba34635d0e8b598a51bc742135a6e1d33fe226c944bc76be40d435aa8b5202db761014b1b999a12df6bee431a6681"], &(0x7f0000000100)='GPL\x00'}, 0x48)
r8 = getpid()
process_vm_readv(r8, &(0x7f0000008400)=[{&(0x7f0000000300)=""/54, 0x7ffff000}, {&(0x7f0000006180)=""/152, 0x98}], 0x2, &(0x7f0000008640)=[{&(0x7f0000008480)=""/95, 0x7ffff000}], 0x286, 0x0)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000080)={r7, 0x2000007, 0xe, 0x55, &(0x7f0000000140)="a06ad876d56a0064d082778c3938", &(0x7f0000000380)=""/85, 0x2e00, 0x4000000}, 0x28)
getsockname$packet(r6, &(0x7f00000002c0)={0x11, 0x0, <r9=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$nl_route(r5, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000280)=ANY=[@ANYBLOB="48000000100005f7000000000000000000000002", @ANYRES32=r9, @ANYBLOB="b100000000000000280012000c00010076657468"], 0x48}}, 0x0)
r10 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r10, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000600)=ANY=[@ANYBLOB="2000000014002101000000000000000002016800", @ANYRES32=r9, @ANYBLOB="08000200ac1414aa"], 0x20}}, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
r11 = socket$inet6(0xa, 0x2, 0x0)
sendmsg$inet(r11, &(0x7f0000000340)={&(0x7f0000000100)={0x2, 0x4e22, @private=0xa010101}, 0x10, 0x0, 0x0, &(0x7f0000000040)=[@ip_retopts={{0x1c, 0x0, 0x7, {[@noop, @ssrr={0x89, 0xb, 0x4, [@remote, @multicast2]}]}}}], 0x20}, 0x0)
sendmsg$nl_route(r4, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000440)=@ipv4_newaddr={0x20, 0x14, 0x121, 0x0, 0x0, {0x2, 0x2, 0x0, 0x0, r9}, [@IFA_LOCAL={0x8, 0x2, @local}]}, 0x20}}, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000b80)={0x0, 0x0, &(0x7f0000000b40)={&(0x7f0000001000)={0x24, r3, 0xa29, 0x0, 0x0, {}, [@WGDEVICE_A_IFINDEX={0x8, 0x1, r2}, @WGDEVICE_A_FLAGS={0x8, 0x5, 0x1}]}, 0x24}, 0x1, 0x0, 0x0, 0x40080}, 0x0)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000140)={0x24, r3, 0x1, 0x0, 0x0, {}, [@WGDEVICE_A_IFINDEX={0x8, 0x1, r2}, @WGDEVICE_A_FWMARK={0x8}]}, 0x24}}, 0x0)

program did not crash
single: failed to extract reproducer
bisect: bisecting 24 programs with base timeout 15s
testing program (duration=21s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [17, 2, 1, 11, 7, 4, 26, 6, 4, 2, 2, 3, 7, 2, 29, 2, 5, 4, 4, 5, 2, 23, 19, 4]
detailed listing:
executing program 0:
creat(0x0, 0x0)
openat$tun(0xffffffffffffff9c, &(0x7f0000000040), 0x1c1341, 0x0)
ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, 0x0)
openat$tun(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x400000bce)
r0 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
read$msr(r0, &(0x7f0000019680)=""/102392, 0x18ff8)
keyctl$clear(0x11, 0xfffffffffffffffd)
setsockopt$SO_TIMESTAMPING(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x5, 0x0, 0x0)
r1 = openat$sndseq(0xffffffffffffff9c, &(0x7f0000000040), 0x62181)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue1\x00'})
write$sndseq(r1, &(0x7f0000000000)=[{0x0, 0x0, 0x0, 0x0, @tick, {}, {}, @raw32}], 0xffc8)
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000180)=@newlink={0x3c, 0x10, 0x401, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x14, 0x12, 0x0, 0x1, @geneve={{0xb}, {0x4}}}, @IFLA_MASTER={0x8, 0x3}]}, 0x3c}, 0x1, 0xd}, 0x0)
executing program 0:
syz_emit_ethernet(0x376, &(0x7f00000003c0)={@broadcast, @remote, @void, {@ipv6={0x86dd, @icmpv6={0x0, 0x6, "0300", 0x340, 0x3a, 0xff, @remote, @mcast2, {[], @ndisc_ra={0x86, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, [{0x0, 0xa, "a78ce54006598080a8030003004023493b87aafaffffffffffffff23732472eefa45ad96579269748e254c1e4a8a8b3f0ab0c430d3be27df3e34066d42ca0a5c15b37adac15084dbaf736b41e5af0502"}, {0x0, 0x1, "000000050000000026000400"}, {0x0, 0x18, "fe906d26efe39393fe08f73eabc5977b1190a3a6ad8338f1511cdd10c35d8f6de79fc7fd175f75649fa368a32c829af02d7f44d92324a7051e460a13ddde25a5b85b9d930914625d8a049b4cf0d129806a610ad8477a2499a9a0527f75b655a6653d0363a979acf93f88eea07d68423e90280409de1657275f716a2bf2915d1783e8eb477b0d1170f0ecbdef4c23e1b76e9ab3d2fbe4b34438d2a77577edd0ebed9682b851b380ae0cab282af9d7ebe668177704c5fd4698c934de4731f3f61effc978"}, {0x0, 0x1d, "06aa85616177c61bc943afcb84619755403946b0730a18d5c38cf7dcad830f2dc8674b87ba8b58f81ece27975cc39e595e9af90b4fe92a38d25551c2d9ebfc5dfc5a2a501b7e483de3f808895c5f4a1a2367bc591dd8b094822ff0dea07c9a1f643c822a18b79f7c5eba31fb68b2d734a6671e27182aee4df24a4a5cf390dab23b500b0c0272479611e4f7f4299ec4d926d443367b105185e6ecd9602ba95392343e9bbd047ef6bc1ba42399907ccd0a562db212baa39eb8164e240069f656d3a05fecf894222a141123f5ac010000000000000090aa235a670670ffc5dc49dfb58d00000000000000"}, {0x0, 0xb, "17dcea46805d4809c20547406b18901b0aeff04c0300f3c75dc2d227a83b89483b1084743475671545e65eb2e9ac946a3f0e2bc4619f91394c02bcfbbb7d71138537d68e2d2c6393a9f3becd1a9f51a948b5b303f4f003"}, {0x19, 0x7, "b8a3e10000a3e1100000006f00ffc0ffff00000000600000ff0bc0fe000000000000000000000000d9a0274400"/55}, {0x0, 0x11, "3f14f0e74d2d42cfb3f27fafb60845f90b6dfc2e37bc87c6905bbc94d33e1ea71a28105f543e868a8a53b360a9d33e2b1e2eeb1d18065daa7628cf9ef083611c9f6ae2e1eb3d8bf9c6ab2642c4808288e62afbf03269f1f98aea6ab3beb5fdc5fdaabc2c676d8800871a6aa54155dea2d995cb22c9924e0ad38c6967052cc7786d779b8353aac33a57d79b05"}]}}}}}}, 0x0)
executing program 0:
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f0000000140)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc(blowfish)\x00'}, 0x58)
r1 = getpid()
r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000880)={0x11, 0xc, &(0x7f0000000800)=ANY=[@ANYBLOB="18010000000000000000000000000000850000006d0000001801000020696c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000004c0)={&(0x7f0000000500)='tlb_flush\x00', r2}, 0x10)
process_vm_readv(r1, &(0x7f0000008400)=[{&(0x7f0000000300)=""/54, 0x7ffff000}, {&(0x7f0000006180)=""/152, 0x98}], 0x2, &(0x7f0000008640)=[{&(0x7f0000008480)=""/95, 0x7ffff000}], 0x286, 0x0)
r3 = accept4(r0, 0x0, 0x0, 0x0)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000400)="3f4e55f1", 0x4)
sendto$unix(r3, &(0x7f0000000080), 0xffffff9d, 0x0, 0x0, 0x0)
recvfrom(r3, &(0x7f00000030c0)=""/4117, 0xffffffffffffffbf, 0x0, 0x0, 0xffffffffffffff54)
sendmmsg$unix(r3, &(0x7f0000005c40)=[{{0x0, 0x0, &(0x7f0000001500)=[{&(0x7f00000001c0)=',', 0x1}], 0x1}}], 0x1, 0x0)
executing program 3:
bind$alg(0xffffffffffffffff, &(0x7f0000000340)={0x26, 'hash\x00', 0x0, 0x0, 'sha224-avx\x00'}, 0x58)
r0 = socket$inet(0x2, 0x2, 0x0)
bind$inet(r0, &(0x7f0000000200)={0x2, 0x1004e20}, 0x10)
readv(r0, &(0x7f00000000c0)=[{&(0x7f0000000300)=""/203, 0x3}], 0x300)
sendto$inet(r0, 0x0, 0x0, 0x20008800, &(0x7f0000000100)={0x2, 0x4e23, @empty}, 0x10)
connect$inet(r0, &(0x7f00000002c0)={0x2, 0x4e20, @empty}, 0x10)
sendmmsg$inet(r0, &(0x7f0000000680)=[{{0x0, 0x0, &(0x7f00000035c0)=[{&(0x7f0000000240)="60dbc0f4aca2fd393c58413552ee20a6ffb194eb866939781720f1a589bd4a5c95c4be84deeeb45c8ce7954b1c1057ede4df0326ff749c8aabb67b0138b7c5bc96cb44ea1d", 0x45}], 0x1}}], 0x1, 0x0)
executing program 3:
r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)
setsockopt$inet6_tcp_int(r0, 0x6, 0x24, &(0x7f0000000000)=0x1, 0x4)
connect$inet6(r0, &(0x7f0000000180)={0xa, 0x4001, 0x0, @dev={0xfe, 0x80, '\x00', 0x1c}, 0xd}, 0x1c)
recvmmsg(r0, &(0x7f00000000c0)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
executing program 0:
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000180)='memory.events\x00', 0x26e1, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r0 = getpid()
process_vm_readv(r0, &(0x7f0000008400)=[{&(0x7f0000000300)=""/54, 0x7ffff000}, {&(0x7f0000006180)=""/152, 0x98}], 0x2, &(0x7f0000008640)=[{&(0x7f0000008480)=""/95, 0x7ffff000}], 0x286, 0x0)
r1 = socket$inet6(0xa, 0x3, 0x7)
connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c)
setsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0)
sendmmsg(r1, &(0x7f0000000480), 0x2e9, 0xffd8)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000580)='memory.events\x00', 0x100002, 0x0)
r2 = bpf$MAP_CREATE(0x0, 0x0, 0x0)
close(r2)
mmap(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x27fffff, 0x10, 0xffffffffffffffff, 0x0)
ioperm(0x8000000000000000, 0x5, 0x1)
bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0xc, 0xd, &(0x7f0000000140)=ANY=[@ANYBLOB, @ANYRES32, @ANYBLOB="0000000000000000b7080000000000007b5af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000030000850000001400000085"], &(0x7f0000000400)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
ioctl$TUNSETCARRIER(0xffffffffffffffff, 0x400454e2, &(0x7f0000000000))
keyctl$reject(0x13, 0x0, 0x0, 0x202, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000340)='./file1\x00', 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000300)='./bus\x00', 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000900)={[{@upperdir={'upperdir', 0x3d, './file1'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@workdir={'workdir', 0x3d, './bus'}}]})
r3 = open(&(0x7f0000000140)='./file0\x00', 0x0, 0x0)
mknodat$loop(r3, &(0x7f0000001600)='./file1\x00', 0x0, 0x0)
chdir(&(0x7f00000003c0)='./bus\x00')
linkat(r3, &(0x7f0000000100)='./file1\x00', r3, &(0x7f0000000240)='./file0\x00', 0x0)
unlink(&(0x7f0000000280)='./file1\x00')
link(&(0x7f00000000c0)='./file0\x00', &(0x7f0000000140)='./file1\x00')
executing program 3:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x0, 0x14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local})
write$tun(r0, &(0x7f0000000280)={@val={0x0, 0x800}, @val={0x1, 0x0, 0x0, 0x0, 0x3d}, @mpls={[], @ipv4=@tcp={{0x6, 0x4, 0x0, 0x0, 0x40, 0x0, 0x0, 0x0, 0x84, 0x0, @empty=0x3fffffff, @local}, {{0x0, 0x0, 0x41424344, 0x41424344, 0x0, 0x2, 0xb, 0x0, 0x500, 0x0, 0x1c, {[@window={0xa, 0x3}, @timestamp={0x5, 0x2}, @generic={0x0, 0x2, "d58838068b91"}]}}}}}}, 0x4e)
executing program 1:
ioctl$PIO_UNIMAP(0xffffffffffffffff, 0x4b67, &(0x7f0000000000)={0x2, &(0x7f0000000080)=[{}]})
r0 = socket$inet_sctp(0x2, 0x1, 0x84)
getsockopt$inet_sctp_SCTP_MAX_BURST(r0, 0x84, 0xd, &(0x7f0000000000)=@assoc_value={<r1=>0x0}, &(0x7f0000000040)=0x8)
setsockopt$inet_sctp_SCTP_RTOINFO(r0, 0x84, 0x0, &(0x7f00000000c0)={r1, 0x0, 0x500}, 0x10)
executing program 3:
r0 = syz_open_dev$cec(&(0x7f0000001340), 0x0, 0x0)
ioctl$CEC_S_MODE(r0, 0x40046109, &(0x7f0000001380)=0x4)
executing program 1:
r0 = socket$igmp(0x2, 0x3, 0x2)
getsockopt$MRT(r0, 0x0, 0xd0, 0x0, 0x0)
executing program 3:
r0 = bpf$MAP_CREATE(0x1900000000000000, &(0x7f0000000040)=@base={0x1b, 0x0, 0x0, 0x2000}, 0x48)
mmap(&(0x7f0000ffc000/0x1000)=nil, 0x1000, 0x1e, 0x13, r0, 0x0)
bpf$BPF_MAP_CONST_STR_FREEZE(0x16, &(0x7f0000000640)={r0}, 0x4)
executing program 1:
bind$alg(0xffffffffffffffff, &(0x7f0000000340)={0x26, 'hash\x00', 0x0, 0x0, 'sha224-avx\x00'}, 0x58)
r0 = socket$inet(0x2, 0x2, 0x0)
bind$inet(r0, &(0x7f0000000200)={0x2, 0x1004e20}, 0x10)
readv(r0, &(0x7f00000000c0)=[{&(0x7f0000000300)=""/203, 0x3}], 0x300)
sendto$inet(r0, 0x0, 0x0, 0x20008800, &(0x7f0000000100)={0x2, 0x4e23, @empty}, 0x10)
connect$inet(r0, &(0x7f00000002c0)={0x2, 0x4e20, @empty}, 0x10)
sendmmsg$inet(r0, &(0x7f0000000680)=[{{0x0, 0x0, &(0x7f00000035c0)=[{&(0x7f0000000240)="60dbc0f4aca2fd393c58413552ee20a6ffb194eb866939781720f1a589bd4a5c95c4be84deeeb45c8ce7954b1c1057ede4df0326ff749c8aabb67b0138b7c5bc96cb44ea1d", 0x45}], 0x1}}], 0x1, 0x0)
executing program 2:
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000740)=@nat={'nat\x00', 0x8, 0x5, 0x6c0, 0x2a0, 0xf0, 0xffffffff, 0xf0, 0x2a0, 0x5f0, 0x5f0, 0xffffffff, 0x5f0, 0x5f0, 0x5, 0x0, {[{{@uncond, 0xb7030000, 0xa8, 0xf0}, @NETMAP={0x48, 'NETMAP\x00', 0x0, {0x1d, @ipv6=@private2, @ipv6=@private0, @port, @gre_key}}}, {{@uncond, 0x0, 0x168, 0x1b0, 0x0, {}, [@common=@unspec=@conntrack2={{0xc0}, {{@ipv4=@dev, [], @ipv6=@private1, [], @ipv4=@private, [], @ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}}}}]}, @REDIRECT={0x48, 'REDIRECT\x00', 0x0, {0x19, @ipv4=@loopback, @ipv6=@local, @icmp_id, @icmp_id}}}, {{@ipv6={@mcast1, @local, [], [], 'wg1\x00', 'virt_wifi0\x00'}, 0x0, 0xa8, 0xf0}, @REDIRECT={0x48, 'REDIRECT\x00', 0x0, {0x0, @ipv4, @ipv4=@empty, @gre_key, @icmp_id}}}, {{@ipv6={@rand_addr=' \x01\x00', @ipv4={'\x00', '\xff\xff', @empty}, [], [], 'dummy0\x00', 'syzkaller0\x00'}, 0x0, 0x218, 0x260, 0x0, {}, [@common=@inet=@sctp={{0x148}}, @common=@mh={{0x28}, {"0c06"}}]}, @REDIRECT={0x48, 'REDIRECT\x00', 0x0, {0x0, @ipv4=@multicast1, @ipv4=@initdev={0xac, 0x1e, 0x0, 0x0}, @icmp_id, @icmp_id}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x720)
executing program 3:
ioperm(0x0, 0x3d, 0x80000000001f)
msgsnd(0x0, &(0x7f0000000140)=ANY=[@ANYBLOB="1c"], 0xb, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$ifreq_SIOCGIFINDEX_wireguard(r1, 0x8933, &(0x7f0000001880)={'wg1\x00', <r2=>0x0})
r3 = syz_genetlink_get_family_id$wireguard(&(0x7f0000000fc0), 0xffffffffffffffff)
socket$netlink(0x10, 0x3, 0x0)
r4 = socket$nl_route(0x10, 0x3, 0x0)
r5 = socket$netlink(0x10, 0x3, 0x0)
r6 = socket(0x10, 0x803, 0x0)
write$binfmt_elf64(r6, 0x0, 0x40)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000000)={0x1, 0x8, &(0x7f0000000400)=ANY=[@ANYBLOB="7a0af8ff75257035bfa100000000000007010000f9ffffffb702000005000000bf130000000000008500000006000000b7000000000000009500000000000000b2595285faa6ead0169191d54f8196217fc560e2fc91f6da4dad4fdc2eb1b5986fc4a3f611a7c8edd3aa5d6ee7ab10b1a297cf528666d1ddd73f3047d248df061222193165274bc7f2382f6cda4bfdd45be583823c0f09621f3c1c65ee19ee875daf45006a4c4ea5e15b2f9618d547244a22000000000000db453620ce7243d1aebdb638d91dbef661935839c77edf2d34b12cd48a0c20fb7dd843267e0331759f4ec6b5b0af58e604f4942eb613eff289026d5045ef76d7d864409eb2dc7718a09f4886afc26abba34635d0e8b598a51bc742135a6e1d33fe226c944bc76be40d435aa8b5202db761014b1b999a12df6bee431a6681"], &(0x7f0000000100)='GPL\x00'}, 0x48)
r8 = getpid()
process_vm_readv(r8, &(0x7f0000008400)=[{&(0x7f0000000300)=""/54, 0x7ffff000}, {&(0x7f0000006180)=""/152, 0x98}], 0x2, &(0x7f0000008640)=[{&(0x7f0000008480)=""/95, 0x7ffff000}], 0x286, 0x0)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000080)={r7, 0x2000007, 0xe, 0x55, &(0x7f0000000140)="a06ad876d56a0064d082778c3938", &(0x7f0000000380)=""/85, 0x2e00, 0x4000000}, 0x28)
getsockname$packet(r6, &(0x7f00000002c0)={0x11, 0x0, <r9=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$nl_route(r5, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000280)=ANY=[@ANYBLOB="48000000100005f7000000000000000000000002", @ANYRES32=r9, @ANYBLOB="b100000000000000280012000c00010076657468"], 0x48}}, 0x0)
r10 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r10, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000600)=ANY=[@ANYBLOB="2000000014002101000000000000000002016800", @ANYRES32=r9, @ANYBLOB="08000200ac1414aa"], 0x20}}, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
r11 = socket$inet6(0xa, 0x2, 0x0)
sendmsg$inet(r11, &(0x7f0000000340)={&(0x7f0000000100)={0x2, 0x4e22, @private=0xa010101}, 0x10, 0x0, 0x0, &(0x7f0000000040)=[@ip_retopts={{0x1c, 0x0, 0x7, {[@noop, @ssrr={0x89, 0xb, 0x4, [@remote, @multicast2]}]}}}], 0x20}, 0x0)
sendmsg$nl_route(r4, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000440)=@ipv4_newaddr={0x20, 0x14, 0x121, 0x0, 0x0, {0x2, 0x2, 0x0, 0x0, r9}, [@IFA_LOCAL={0x8, 0x2, @local}]}, 0x20}}, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000b80)={0x0, 0x0, &(0x7f0000000b40)={&(0x7f0000001000)={0x24, r3, 0xa29, 0x0, 0x0, {}, [@WGDEVICE_A_IFINDEX={0x8, 0x1, r2}, @WGDEVICE_A_FLAGS={0x8, 0x5, 0x1}]}, 0x24}, 0x1, 0x0, 0x0, 0x40080}, 0x0)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000140)={0x24, r3, 0x1, 0x0, 0x0, {}, [@WGDEVICE_A_IFINDEX={0x8, 0x1, r2}, @WGDEVICE_A_FWMARK={0x8}]}, 0x24}}, 0x0)
executing program 2:
r0 = socket$kcm(0x11, 0x2, 0x0)
sendmsg$sock(r0, &(0x7f00000000c0)={&(0x7f0000000200)=@tipc=@nameseq={0x1e, 0x1, 0x0, {0x41}}, 0x80, 0x0, 0x0, &(0x7f0000000040)=[@mark={{0x14, 0x1, 0x24, 0x9}}], 0x18}, 0x0)
executing program 1:
syz_open_dev$vcsu(&(0x7f0000000000), 0x0, 0x0)
r0 = socket$inet(0x2, 0x80001, 0x84)
getsockopt$inet_sctp_SCTP_MAX_BURST(r0, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={<r1=>0x0}, &(0x7f0000000040)=0x8)
r2 = socket$inet_sctp(0x2, 0x1, 0x84)
setsockopt$inet_sctp_SCTP_ENABLE_STREAM_RESET(r2, 0x84, 0x76, &(0x7f0000000080)={r1}, 0x8)
executing program 2:
ioctl$PIO_UNIMAP(0xffffffffffffffff, 0x4b67, &(0x7f0000000000)={0x2, &(0x7f0000000080)=[{}]})
r0 = socket$inet_sctp(0x2, 0x1, 0x84)
getsockopt$inet_sctp_SCTP_MAX_BURST(r0, 0x84, 0xd, &(0x7f0000000000)=@assoc_value={<r1=>0x0}, &(0x7f0000000040)=0x8)
setsockopt$inet_sctp_SCTP_RTOINFO(r0, 0x84, 0x0, &(0x7f00000000c0)={r1, 0x0, 0x500}, 0x10)
executing program 1:
r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)
setsockopt$inet6_tcp_int(r0, 0x6, 0x24, &(0x7f0000000000)=0x1, 0x4)
connect$inet6(r0, &(0x7f0000000180)={0xa, 0x4001, 0x0, @dev={0xfe, 0x80, '\x00', 0x1c}, 0xd}, 0x1c)
recvmmsg(r0, &(0x7f00000000c0)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
executing program 2:
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f00000012c0)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
sendmsg$inet(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000000)='l', 0x1}], 0x1}, 0x0)
setsockopt$sock_attach_bpf(r1, 0x1, 0x10, &(0x7f0000000340), 0x4)
sendmsg$inet(r0, &(0x7f0000000700)={0x0, 0x0, &(0x7f00000001c0)=[{&(0x7f0000000100)='u', 0x1}], 0x1, &(0x7f0000000a80)=ANY=[@ANYBLOB="78000000000000000000000007000000070fb27f000001e0000002ac1414bb8927cce0000002e0000001e0000001ffffffff00000000ac141423e00000017f000001ac14144300440cc401ac1e010100000fff94040100000bba416311049117549344142cb1e00000010000c6707f000001fffffc01000014000000000000000000000001000000f70c0000000000001c000000000000000000000008000000", @ANYRES32, @ANYBLOB="ffffffffffffffff0000000014000000000000000000000001000000090000000000000011000000000000000000000001000000b400000000000000110000000000000000000000010000007a000000000000001c"], 0x118}, 0x0)
recvmsg(r1, &(0x7f0000000fc0)={0x0, 0x0, 0x0}, 0x42)
executing program 2:
r0 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000300)='/proc/cpuinfo\x00', 0x0, 0x0)
preadv(r0, &(0x7f0000000640)=[{&(0x7f0000000680)=""/201, 0xc9}], 0x1, 0xfffffff9, 0x0)
executing program 1:
r0 = openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r1 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r1, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r2, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r2, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
r3 = socket$inet_udp(0x2, 0x2, 0x0)
r4 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001600), 0x0, 0x0)
ioctl$TCSBRKP(r4, 0x5425, 0x0)
r5 = io_uring_setup(0x2ad5, &(0x7f00000001c0))
close(r5)
ioctl$TCSETSW2(r4, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r3, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
socket$inet6_sctp(0xa, 0x0, 0x84)
r6 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r6, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r2, 0xffffffffffffffff, 0x0)
r7 = fanotify_init(0x0, 0x0)
fanotify_mark(r7, 0x105, 0x4800003a, r0, 0x0)
pipe2$9p(&(0x7f0000000080)={0xffffffffffffffff, <r8=>0xffffffffffffffff}, 0x0)
r9 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x101042, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280)={'trans=fd,', {'rfdno', 0x3d, r9}, 0x2c, {'wfdno', 0x3d, r8}})
executing program 2:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x80800, 0x0)
r1 = open(&(0x7f0000000180)='./bus\x00', 0x14927e, 0x0)
fallocate(r1, 0x0, 0x0, 0x1000f4)
r2 = open(&(0x7f00000005c0)='./bus\x00', 0x64842, 0x0)
pwritev2(r2, &(0x7f0000000240)=[{&(0x7f0000000000)="85", 0x78c00}], 0x1, 0x2000, 0x0, 0x3)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000f80), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r3, 0x8933, &(0x7f0000000040)={'wlan1\x00', <r5=>0x0})
sendmsg$NL80211_CMD_NEW_STATION(r3, &(0x7f0000001080)={0x0, 0x0, &(0x7f0000001040)={&(0x7f00000002c0)={0x44, r4, 0xb97534d5fe9704cf, 0x0, 0x0, {{}, {@val={0x8, 0x3, r5}, @void}}, [@NL80211_ATTR_STA_SUPPORTED_RATES={0x4}, @NL80211_ATTR_STA_LISTEN_INTERVAL={0x6}, @NL80211_ATTR_PEER_AID={0x6, 0xb5, 0x185}, @NL80211_ATTR_MAC={0xa, 0x6, @broadcast}, @NL80211_ATTR_OPMODE_NOTIF={0x5}]}, 0x44}}, 0x0)
fallocate(r1, 0x11, 0x596b, 0xd3eb)
r6 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0xa, &(0x7f0000000040)={0x4, &(0x7f0000000000)=[{0x100, 0xff, 0x1, 0x41d4}, {0x2, 0x20, 0xb3, 0x3ff}, {0x100, 0xff, 0x1, 0x750}, {0x7ff, 0xcb, 0xf7, 0x7289}]})
ioctl$SECCOMP_IOCTL_NOTIF_RECV(0xffffffffffffffff, 0xc0502100, &(0x7f0000000080))
r7 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCETHTOOL(r7, 0x8946, &(0x7f0000000180)={'wg1\x00', &(0x7f0000000080)=@ethtool_rxnfc={0x2a, 0x0, 0x0, {0x0, @tcp_ip6_spec={@mcast1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02'}, {0x0, @remote}, @ah_ip4_spec={@initdev={0xac, 0x1e, 0x0, 0x0}, @initdev={0xac, 0x1e, 0x0, 0x0}}, {0x0, @random="438d39bb7145"}}}})
r8 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r8, &(0x7f0000000dc0)={0x0, 0x0, &(0x7f0000000d80)={&(0x7f0000000d00)=ANY=[@ANYBLOB="1c6cd0a10fd30000002000110a00000000000000000a000000ff0000"], 0x1c}}, 0x0)
ioctl$SECCOMP_IOCTL_NOTIF_ADDFD(r6, 0x40182103, &(0x7f0000000100)={0x0, 0x0, r0, 0xfff, 0x80000})
r9 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_SET_NR_MMU_PAGES(r9, 0x4008ae48, 0x2)
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000001280)={0x18, 0x3, &(0x7f0000000940)=ANY=[@ANYBLOB="180000000000000000000000d5e4000095"], &(0x7f0000000440)='GPL\x00'}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000007c0)={&(0x7f0000000780)='contention_end\x00', r0}, 0x10)
r1 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000280)='/proc/asound/timers\x00', 0x0, 0x0)
readv(r1, &(0x7f0000000240)=[{&(0x7f00000006c0)=""/4103, 0x1007}], 0x1)

program did not crash
replaying the whole log did not cause a kernel crash
single: executing 4 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-openat$procfs-readv
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000001280)={0x18, 0x3, &(0x7f0000000940)=ANY=[@ANYBLOB="180000000000000000000000d5e4000095"], &(0x7f0000000440)='GPL\x00'}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000007c0)={&(0x7f0000000780)='contention_end\x00', r0}, 0x10)
r1 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000280)='/proc/asound/timers\x00', 0x0, 0x0)
readv(r1, &(0x7f0000000240)=[{&(0x7f00000006c0)=""/4103, 0x1007}], 0x1)

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-open-fallocate-open-pwritev2-socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_NEW_STATION-fallocate-seccomp$SECCOMP_SET_MODE_FILTER_LISTENER-ioctl$SECCOMP_IOCTL_NOTIF_RECV-socket$nl_generic-ioctl$sock_SIOCETHTOOL-socket$nl_route-sendmsg$nl_route-ioctl$SECCOMP_IOCTL_NOTIF_ADDFD-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_NR_MMU_PAGES
detailed listing:
executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x80800, 0x0)
r1 = open(&(0x7f0000000180)='./bus\x00', 0x14927e, 0x0)
fallocate(r1, 0x0, 0x0, 0x1000f4)
r2 = open(&(0x7f00000005c0)='./bus\x00', 0x64842, 0x0)
pwritev2(r2, &(0x7f0000000240)=[{&(0x7f0000000000)="85", 0x78c00}], 0x1, 0x2000, 0x0, 0x3)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000f80), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r3, 0x8933, &(0x7f0000000040)={'wlan1\x00', <r5=>0x0})
sendmsg$NL80211_CMD_NEW_STATION(r3, &(0x7f0000001080)={0x0, 0x0, &(0x7f0000001040)={&(0x7f00000002c0)={0x44, r4, 0xb97534d5fe9704cf, 0x0, 0x0, {{}, {@val={0x8, 0x3, r5}, @void}}, [@NL80211_ATTR_STA_SUPPORTED_RATES={0x4}, @NL80211_ATTR_STA_LISTEN_INTERVAL={0x6}, @NL80211_ATTR_PEER_AID={0x6, 0xb5, 0x185}, @NL80211_ATTR_MAC={0xa, 0x6, @broadcast}, @NL80211_ATTR_OPMODE_NOTIF={0x5}]}, 0x44}}, 0x0)
fallocate(r1, 0x11, 0x596b, 0xd3eb)
r6 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0xa, &(0x7f0000000040)={0x4, &(0x7f0000000000)=[{0x100, 0xff, 0x1, 0x41d4}, {0x2, 0x20, 0xb3, 0x3ff}, {0x100, 0xff, 0x1, 0x750}, {0x7ff, 0xcb, 0xf7, 0x7289}]})
ioctl$SECCOMP_IOCTL_NOTIF_RECV(0xffffffffffffffff, 0xc0502100, &(0x7f0000000080))
r7 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCETHTOOL(r7, 0x8946, &(0x7f0000000180)={'wg1\x00', &(0x7f0000000080)=@ethtool_rxnfc={0x2a, 0x0, 0x0, {0x0, @tcp_ip6_spec={@mcast1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02'}, {0x0, @remote}, @ah_ip4_spec={@initdev={0xac, 0x1e, 0x0, 0x0}, @initdev={0xac, 0x1e, 0x0, 0x0}}, {0x0, @random="438d39bb7145"}}}})
r8 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r8, &(0x7f0000000dc0)={0x0, 0x0, &(0x7f0000000d80)={&(0x7f0000000d00)=ANY=[@ANYBLOB="1c6cd0a10fd30000002000110a00000000000000000a000000ff0000"], 0x1c}}, 0x0)
ioctl$SECCOMP_IOCTL_NOTIF_ADDFD(r6, 0x40182103, &(0x7f0000000100)={0x0, 0x0, r0, 0xfff, 0x80000})
r9 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_SET_NR_MMU_PAGES(r9, 0x4008ae48, 0x2)

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-setsockopt$inet_MCAST_MSFILTER-socket$inet_udp-openat$ttyS3-ioctl$TCSBRKP-io_uring_setup-close-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-socket$inet6_sctp-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-fanotify_init-fanotify_mark-pipe2$9p-openat-mount$9p_fd
detailed listing:
executing program 0:
r0 = openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r1 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r1, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r2, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r2, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
r3 = socket$inet_udp(0x2, 0x2, 0x0)
r4 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001600), 0x0, 0x0)
ioctl$TCSBRKP(r4, 0x5425, 0x0)
r5 = io_uring_setup(0x2ad5, &(0x7f00000001c0))
close(r5)
ioctl$TCSETSW2(r4, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r3, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
socket$inet6_sctp(0xa, 0x0, 0x84)
r6 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r6, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r2, 0xffffffffffffffff, 0x0)
r7 = fanotify_init(0x0, 0x0)
fanotify_mark(r7, 0x105, 0x4800003a, r0, 0x0)
pipe2$9p(&(0x7f0000000080)={0xffffffffffffffff, <r8=>0xffffffffffffffff}, 0x0)
r9 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x101042, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280)={'trans=fd,', {'rfdno', 0x3d, r9}, 0x2c, {'wfdno', 0x3d, r8}})

program crashed: general protection fault in l2cap_publish_rx_avail
single: successfully extracted reproducer
found reproducer with 23 syscalls
minimizing guilty program
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-setsockopt$inet_MCAST_MSFILTER-socket$inet_udp-openat$ttyS3-ioctl$TCSBRKP-io_uring_setup-close-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-socket$inet6_sctp-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-fanotify_init-fanotify_mark-pipe2$9p-openat
detailed listing:
executing program 0:
r0 = openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r1 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r1, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r2, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r2, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
r3 = socket$inet_udp(0x2, 0x2, 0x0)
r4 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001600), 0x0, 0x0)
ioctl$TCSBRKP(r4, 0x5425, 0x0)
r5 = io_uring_setup(0x2ad5, &(0x7f00000001c0))
close(r5)
ioctl$TCSETSW2(r4, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r3, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
socket$inet6_sctp(0xa, 0x0, 0x84)
r6 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r6, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r2, 0xffffffffffffffff, 0x0)
r7 = fanotify_init(0x0, 0x0)
fanotify_mark(r7, 0x105, 0x4800003a, r0, 0x0)
pipe2$9p(&(0x7f0000000080), 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x101042, 0x0)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-setsockopt$inet_MCAST_MSFILTER-socket$inet_udp-openat$ttyS3-ioctl$TCSBRKP-io_uring_setup-close-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-socket$inet6_sctp-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-fanotify_init-fanotify_mark-pipe2$9p-mount$9p_fd
detailed listing:
executing program 0:
r0 = openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r1 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r1, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r2, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r2, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
r3 = socket$inet_udp(0x2, 0x2, 0x0)
r4 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001600), 0x0, 0x0)
ioctl$TCSBRKP(r4, 0x5425, 0x0)
r5 = io_uring_setup(0x2ad5, &(0x7f00000001c0))
close(r5)
ioctl$TCSETSW2(r4, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r3, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
socket$inet6_sctp(0xa, 0x0, 0x84)
r6 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r6, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r2, 0xffffffffffffffff, 0x0)
r7 = fanotify_init(0x0, 0x0)
fanotify_mark(r7, 0x105, 0x4800003a, r0, 0x0)
pipe2$9p(&(0x7f0000000080)={0xffffffffffffffff, <r8=>0xffffffffffffffff}, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280)={'trans=fd,', {}, 0x2c, {'wfdno', 0x3d, r8}})

program crashed: general protection fault in selinux_socket_sock_rcv_skb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-setsockopt$inet_MCAST_MSFILTER-socket$inet_udp-openat$ttyS3-ioctl$TCSBRKP-io_uring_setup-close-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-socket$inet6_sctp-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-fanotify_init-fanotify_mark-mount$9p_fd
detailed listing:
executing program 0:
r0 = openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r1 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r1, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r2, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r2, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
r3 = socket$inet_udp(0x2, 0x2, 0x0)
r4 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001600), 0x0, 0x0)
ioctl$TCSBRKP(r4, 0x5425, 0x0)
r5 = io_uring_setup(0x2ad5, &(0x7f00000001c0))
close(r5)
ioctl$TCSETSW2(r4, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r3, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
socket$inet6_sctp(0xa, 0x0, 0x84)
r6 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r6, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r2, 0xffffffffffffffff, 0x0)
r7 = fanotify_init(0x0, 0x0)
fanotify_mark(r7, 0x105, 0x4800003a, r0, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program crashed: general protection fault in l2cap_publish_rx_avail
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-setsockopt$inet_MCAST_MSFILTER-socket$inet_udp-openat$ttyS3-ioctl$TCSBRKP-io_uring_setup-close-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-socket$inet6_sctp-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-fanotify_init-mount$9p_fd
detailed listing:
executing program 0:
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r0 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r0, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r1, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r1, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
r3 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001600), 0x0, 0x0)
ioctl$TCSBRKP(r3, 0x5425, 0x0)
r4 = io_uring_setup(0x2ad5, &(0x7f00000001c0))
close(r4)
ioctl$TCSETSW2(r3, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r2, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
socket$inet6_sctp(0xa, 0x0, 0x84)
r5 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r5, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r1, 0xffffffffffffffff, 0x0)
fanotify_init(0x0, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program crashed: KASAN: slab-use-after-free Read in __lock_sock
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-setsockopt$inet_MCAST_MSFILTER-socket$inet_udp-openat$ttyS3-ioctl$TCSBRKP-io_uring_setup-close-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-socket$inet6_sctp-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r0 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r0, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r1, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r1, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
r3 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001600), 0x0, 0x0)
ioctl$TCSBRKP(r3, 0x5425, 0x0)
r4 = io_uring_setup(0x2ad5, &(0x7f00000001c0))
close(r4)
ioctl$TCSETSW2(r3, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r2, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
socket$inet6_sctp(0xa, 0x0, 0x84)
r5 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r5, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r1, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program crashed: general protection fault in l2cap_publish_rx_avail
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-setsockopt$inet_MCAST_MSFILTER-socket$inet_udp-openat$ttyS3-ioctl$TCSBRKP-io_uring_setup-close-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-socket$inet6_sctp-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-mount$9p_fd
detailed listing:
executing program 0:
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r0 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r0, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r1, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r1, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
r3 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001600), 0x0, 0x0)
ioctl$TCSBRKP(r3, 0x5425, 0x0)
r4 = io_uring_setup(0x2ad5, &(0x7f00000001c0))
close(r4)
ioctl$TCSETSW2(r3, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r2, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
socket$inet6_sctp(0xa, 0x0, 0x84)
r5 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r5, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-setsockopt$inet_MCAST_MSFILTER-socket$inet_udp-openat$ttyS3-ioctl$TCSBRKP-io_uring_setup-close-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-socket$inet6_sctp-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-close_range-mount$9p_fd
detailed listing:
executing program 0:
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r0 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r0, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r1, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r1, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
r3 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001600), 0x0, 0x0)
ioctl$TCSBRKP(r3, 0x5425, 0x0)
r4 = io_uring_setup(0x2ad5, &(0x7f00000001c0))
close(r4)
ioctl$TCSETSW2(r3, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r2, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
socket$inet6_sctp(0xa, 0x0, 0x84)
r5 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r5, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
close_range(r1, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-setsockopt$inet_MCAST_MSFILTER-socket$inet_udp-openat$ttyS3-ioctl$TCSBRKP-io_uring_setup-close-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-socket$inet6_sctp-syz_init_net_socket$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r0 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r0, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r1, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r1, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
r3 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001600), 0x0, 0x0)
ioctl$TCSBRKP(r3, 0x5425, 0x0)
r4 = io_uring_setup(0x2ad5, &(0x7f00000001c0))
close(r4)
ioctl$TCSETSW2(r3, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r2, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
socket$inet6_sctp(0xa, 0x0, 0x84)
syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r1, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-setsockopt$inet_MCAST_MSFILTER-socket$inet_udp-openat$ttyS3-ioctl$TCSBRKP-io_uring_setup-close-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-socket$inet6_sctp-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r0 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r0, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r1, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r1, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
r3 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001600), 0x0, 0x0)
ioctl$TCSBRKP(r3, 0x5425, 0x0)
r4 = io_uring_setup(0x2ad5, &(0x7f00000001c0))
close(r4)
ioctl$TCSETSW2(r3, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r2, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
socket$inet6_sctp(0xa, 0x0, 0x84)
connect$bt_l2cap(0xffffffffffffffff, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r1, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-setsockopt$inet_MCAST_MSFILTER-socket$inet_udp-openat$ttyS3-ioctl$TCSBRKP-io_uring_setup-close-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r0 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r0, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r1, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r1, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
r3 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001600), 0x0, 0x0)
ioctl$TCSBRKP(r3, 0x5425, 0x0)
r4 = io_uring_setup(0x2ad5, &(0x7f00000001c0))
close(r4)
ioctl$TCSETSW2(r3, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r2, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
r5 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r5, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r1, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program crashed: general protection fault in l2cap_publish_rx_avail
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-setsockopt$inet_MCAST_MSFILTER-socket$inet_udp-openat$ttyS3-ioctl$TCSBRKP-io_uring_setup-close-ioctl$TCSETSW2-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r0 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r0, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r1, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r1, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
socket$inet_udp(0x2, 0x2, 0x0)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001600), 0x0, 0x0)
ioctl$TCSBRKP(r2, 0x5425, 0x0)
r3 = io_uring_setup(0x2ad5, &(0x7f00000001c0))
close(r3)
ioctl$TCSETSW2(r2, 0x5425, 0x0)
r4 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r4, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r1, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-setsockopt$inet_MCAST_MSFILTER-socket$inet_udp-openat$ttyS3-ioctl$TCSBRKP-io_uring_setup-close-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r0 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r0, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r1, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r1, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
r3 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001600), 0x0, 0x0)
ioctl$TCSBRKP(r3, 0x5425, 0x0)
r4 = io_uring_setup(0x2ad5, &(0x7f00000001c0))
close(r4)
setsockopt$inet_MCAST_JOIN_GROUP(r2, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
r5 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r5, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r1, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-setsockopt$inet_MCAST_MSFILTER-socket$inet_udp-openat$ttyS3-ioctl$TCSBRKP-io_uring_setup-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r0 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r0, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r1, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r1, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
r3 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001600), 0x0, 0x0)
ioctl$TCSBRKP(r3, 0x5425, 0x0)
io_uring_setup(0x2ad5, &(0x7f00000001c0))
ioctl$TCSETSW2(r3, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r2, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
r4 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r4, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r1, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program crashed: general protection fault in l2cap_publish_rx_avail
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-setsockopt$inet_MCAST_MSFILTER-socket$inet_udp-openat$ttyS3-ioctl$TCSBRKP-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r0 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r0, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r1, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r1, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
r3 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001600), 0x0, 0x0)
ioctl$TCSBRKP(r3, 0x5425, 0x0)
ioctl$TCSETSW2(r3, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r2, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
r4 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r4, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r1, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program crashed: KASAN: slab-use-after-free Read in __lock_sock
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-setsockopt$inet_MCAST_MSFILTER-socket$inet_udp-openat$ttyS3-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r0 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r0, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r1, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r1, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
r3 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001600), 0x0, 0x0)
ioctl$TCSETSW2(r3, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r2, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
r4 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r4, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r1, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program crashed: general protection fault in l2cap_publish_rx_avail
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-setsockopt$inet_MCAST_MSFILTER-socket$inet_udp-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r0 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r0, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r1, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r1, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
ioctl$TCSETSW2(0xffffffffffffffff, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r2, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
r3 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r3, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r1, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program crashed: general protection fault in l2cap_publish_rx_avail
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-setsockopt$inet_MCAST_MSFILTER-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r0 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r0, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r1, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
setsockopt$inet_MCAST_MSFILTER(r1, 0x0, 0x30, &(0x7f0000000980)=ANY=[@ANYBLOB="020000000000000002000000e0000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000300000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000002000000ac1414bb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002"], 0x210)
ioctl$TCSETSW2(0xffffffffffffffff, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(0xffffffffffffffff, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
r2 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r2, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r1, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program crashed: KASAN: slab-use-after-free Read in __sock_queue_rcv_skb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-setsockopt$inet_MCAST_JOIN_GROUP-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r0 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r0, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r1, 0x0, 0x2a, &(0x7f0000000000)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
ioctl$TCSETSW2(0xffffffffffffffff, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(0xffffffffffffffff, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
r2 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r2, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r1, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program crashed: KASAN: slab-use-after-free Read in __lock_sock
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-socket$inet_udp-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r0 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r0, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
ioctl$TCSETSW2(0xffffffffffffffff, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(0xffffffffffffffff, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
r2 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r2, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(r1, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program crashed: general protection fault in l2cap_publish_rx_avail
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-setsockopt$inet_mtu-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r0 = accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
setsockopt$inet_mtu(r0, 0x0, 0xa, &(0x7f0000000180)=0x4, 0x4)
ioctl$TCSETSW2(0xffffffffffffffff, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(0xffffffffffffffff, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r1, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program crashed: general protection fault in l2cap_publish_rx_avail
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-accept4$inet-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
accept4$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x0, @private}, &(0x7f0000000140)=0x10, 0x800)
ioctl$TCSETSW2(0xffffffffffffffff, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(0xffffffffffffffff, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program crashed: KASAN: slab-use-after-free Read in __lock_sock
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
ioctl$TCSETSW2(0xffffffffffffffff, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(0xffffffffffffffff, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program crashed: KASAN: slab-use-after-free Read in __lock_sock
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
ioctl$TCSETSW2(0xffffffffffffffff, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(0xffffffffffffffff, 0x0, 0x2a, &(0x7f0000000180)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program crashed: general protection fault in l2cap_publish_rx_avail
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
ioctl$TCSETSW2(0xffffffffffffffff, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(0xffffffffffffffff, 0x0, 0x2a, 0x0, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program crashed: KASAN: slab-use-after-free Read in __lock_sock
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
ioctl$TCSETSW2(0xffffffffffffffff, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(0xffffffffffffffff, 0x0, 0x2a, 0x0, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r0, 0x0, 0x0)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
ioctl$TCSETSW2(0xffffffffffffffff, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(0xffffffffffffffff, 0x0, 0x2a, 0x0, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(0x0, 0x11)
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
ioctl$TCSETSW2(0xffffffffffffffff, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(0xffffffffffffffff, 0x0, 0x2a, 0x0, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB], 0x11)
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000100), 0x0, &(0x7f0000000280))

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
ioctl$TCSETSW2(0xffffffffffffffff, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(0xffffffffffffffff, 0x0, 0x2a, 0x0, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, 0x0, &(0x7f0000000100), 0x0, &(0x7f0000000280))

program crashed: general protection fault in l2cap_publish_rx_avail
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
ioctl$TCSETSW2(0xffffffffffffffff, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(0xffffffffffffffff, 0x0, 0x2a, 0x0, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, 0x0, 0x0, 0x0, &(0x7f0000000280))

program crashed: KASAN: slab-use-after-free Read in __lock_sock
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
detailed listing:
executing program 0:
ioctl$TCSETSW2(0xffffffffffffffff, 0x5425, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(0xffffffffffffffff, 0x0, 0x2a, 0x0, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mount$9p_fd(0x0, 0x0, 0x0, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in __lock_sock
extracting C reproducer
testing compiled C program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
program crashed: general protection fault in l2cap_publish_rx_avail
simplifying C reproducer
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
program crashed: KASAN: slab-use-after-free Read in __lock_sock
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
program crashed: general protection fault in l2cap_publish_rx_avail
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
program did not crash
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
program crashed: KASAN: slab-use-after-free Read in __lock_sock
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
program crashed: KASAN: slab-use-after-free Read in __lock_sock
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
program crashed: general protection fault in l2cap_publish_rx_avail
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
program crashed: KASAN: slab-use-after-free Read in __lock_sock
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
program crashed: general protection fault in l2cap_publish_rx_avail
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
program crashed: KASAN: slab-use-after-free Read in __lock_sock
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
program did not crash
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
program crashed: general protection fault in selinux_socket_sock_rcv_skb
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
program crashed: KASAN: slab-use-after-free Read in __lock_sock
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
program crashed: KASAN: slab-use-after-free Read in __lock_sock
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
program crashed: KASAN: slab-use-after-free Read in __lock_sock
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
program crashed: KASAN: slab-use-after-free Read in __lock_sock
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TCSETSW2-setsockopt$inet_MCAST_JOIN_GROUP-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci-close_range-mount$9p_fd
program crashed: KASAN: slab-use-after-free Read in __lock_sock
reproducing took 1h2m20.384204334s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in __lock_acquire+0x2dd6/0x3b30 kernel/locking/lockdep.c:5005
Read of size 8 at addr ffff88802857d1d8 by task kworker/u33:1/4634

CPU: 1 PID: 4634 Comm: kworker/u33:1 Not tainted 6.10.0-rc5-syzkaller-00282-g8282d5af7be8 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: hci0 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 __lock_acquire+0x2dd6/0x3b30 kernel/locking/lockdep.c:5005
 lock_acquire kernel/locking/lockdep.c:5754 [inline]
 lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
 _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:356 [inline]
 __lock_sock+0x147/0x270 net/core/sock.c:2960
 lock_sock_nested+0xda/0xf0 net/core/sock.c:3539
 lock_sock include/net/sock.h:1602 [inline]
 l2cap_sock_recv_cb+0x54/0x3d0 net/bluetooth/l2cap_sock.c:1488
 l2cap_conless_channel net/bluetooth/l2cap_core.c:6774 [inline]
 l2cap_recv_frame+0x1c4c/0x8e50 net/bluetooth/l2cap_core.c:6827
 l2cap_recv_acldata+0x9ac/0xb60 net/bluetooth/l2cap_core.c:7510
 hci_acldata_packet net/bluetooth/hci_core.c:3842 [inline]
 hci_rx_work+0xaa7/0x1610 net/bluetooth/hci_core.c:4079
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3248
 process_scheduled_works kernel/workqueue.c:3329 [inline]
 worker_thread+0x6c8/0xf30 kernel/workqueue.c:3409
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 5252:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:4123 [inline]
 __kmalloc_noprof+0x1ec/0x410 mm/slub.c:4136
 kmalloc_noprof include/linux/slab.h:664 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
 sk_alloc+0x36/0xb90 net/core/sock.c:2133
 bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:148
 l2cap_sock_alloc.constprop.0+0x35/0x180 net/bluetooth/l2cap_sock.c:1869
 l2cap_sock_create+0x123/0x1f0 net/bluetooth/l2cap_sock.c:1909
 bt_sock_create+0x182/0x350 net/bluetooth/af_bluetooth.c:132
 __sock_create+0x32e/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5252:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
 poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
 __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2196 [inline]
 slab_free mm/slub.c:4438 [inline]
 kfree+0x12a/0x3b0 mm/slub.c:4559
 sk_prot_free net/core/sock.c:2116 [inline]
 __sk_destruct+0x5d8/0x730 net/core/sock.c:2208
 sk_destruct+0xc2/0xf0 net/core/sock.c:2223
 __sk_free+0xf4/0x3e0 net/core/sock.c:2234
 sk_free+0x7c/0xa0 net/core/sock.c:2245
 sock_put include/net/sock.h:1879 [inline]
 l2cap_sock_kill net/bluetooth/l2cap_sock.c:1246 [inline]
 l2cap_sock_kill+0x22f/0x270 net/bluetooth/l2cap_sock.c:1235
 l2cap_sock_release+0x189/0x210 net/bluetooth/l2cap_sock.c:1417
 __sock_release+0xb0/0x270 net/socket.c:659
 sock_close+0x1c/0x30 net/socket.c:1421
 __fput+0x408/0xbb0 fs/file_table.c:422
 __fput_sync+0x47/0x50 fs/file_table.c:507
 __do_sys_close fs/open.c:1555 [inline]
 __se_sys_close fs/open.c:1540 [inline]
 __x64_sys_close+0x86/0x100 fs/open.c:1540
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802857d000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 472 bytes inside of
 freed 2048-byte region [ffff88802857d000, ffff88802857d800)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28578
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000040 ffff888015442f00 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000080008 00000001ffffefff 0000000000000000
head: 00fff00000000040 ffff888015442f00 dead000000000122 0000000000000000
head: 0000000000000000 0000000000080008 00000001ffffefff 0000000000000000
head: 00fff00000000003 ffffea0000a15e01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5248, tgid 5248 (syz-executor332), ts 54620783854, free_ts 54075826268
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1473
 prep_new_page mm/page_alloc.c:1481 [inline]
 get_page_from_freelist+0x1353/0x2e50 mm/page_alloc.c:3425
 __alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4683
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x56/0x110 mm/slub.c:2265
 allocate_slab mm/slub.c:2428 [inline]
 new_slab+0x84/0x260 mm/slub.c:2481
 ___slab_alloc+0xdac/0x1870 mm/slub.c:3667
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3757
 __slab_alloc_node mm/slub.c:3810 [inline]
 slab_alloc_node mm/slub.c:3990 [inline]
 kmalloc_trace_noprof+0x2b4/0x300 mm/slub.c:4149
 kmalloc_noprof include/linux/slab.h:660 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 l2cap_chan_create+0x44/0x920 net/bluetooth/l2cap_core.c:449
 l2cap_sock_alloc.constprop.0+0xf3/0x180 net/bluetooth/l2cap_sock.c:1878
 l2cap_sock_create+0x123/0x1f0 net/bluetooth/l2cap_sock.c:1909
 bt_sock_create+0x182/0x350 net/bluetooth/af_bluetooth.c:132
 __sock_create+0x32e/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
page last free pid 5188 tgid 5188 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1093 [inline]
 free_unref_page+0x64a/0xe40 mm/page_alloc.c:2588
 __put_partials+0x14c/0x170 mm/slub.c:2995
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3940 [inline]
 slab_alloc_node mm/slub.c:4002 [inline]
 kmem_cache_alloc_node_noprof+0x153/0x310 mm/slub.c:4045
 __alloc_skb+0x2b1/0x380 net/core/skbuff.c:656
 alloc_skb_fclone include/linux/skbuff.h:1358 [inline]
 tcp_stream_alloc_skb+0x34/0x570 net/ipv4/tcp.c:879
 tcp_sendmsg_locked+0xecc/0x3550 net/ipv4/tcp.c:1161
 tcp_sendmsg+0x2e/0x50 net/ipv4/tcp.c:1351
 inet_sendmsg+0xb9/0x140 net/ipv4/af_inet.c:853
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 sock_write_iter+0x4b8/0x5c0 net/socket.c:1160
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0x6b6/0x1140 fs/read_write.c:590
 ksys_write+0x1f8/0x260 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88802857d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802857d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802857d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff88802857d200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802857d280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in __lock_acquire+0x2dd6/0x3b30 kernel/locking/lockdep.c:5005
Read of size 8 at addr ffff88802857d1d8 by task kworker/u33:1/4634

CPU: 1 PID: 4634 Comm: kworker/u33:1 Not tainted 6.10.0-rc5-syzkaller-00282-g8282d5af7be8 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: hci0 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 __lock_acquire+0x2dd6/0x3b30 kernel/locking/lockdep.c:5005
 lock_acquire kernel/locking/lockdep.c:5754 [inline]
 lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
 _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:356 [inline]
 __lock_sock+0x147/0x270 net/core/sock.c:2960
 lock_sock_nested+0xda/0xf0 net/core/sock.c:3539
 lock_sock include/net/sock.h:1602 [inline]
 l2cap_sock_recv_cb+0x54/0x3d0 net/bluetooth/l2cap_sock.c:1488
 l2cap_conless_channel net/bluetooth/l2cap_core.c:6774 [inline]
 l2cap_recv_frame+0x1c4c/0x8e50 net/bluetooth/l2cap_core.c:6827
 l2cap_recv_acldata+0x9ac/0xb60 net/bluetooth/l2cap_core.c:7510
 hci_acldata_packet net/bluetooth/hci_core.c:3842 [inline]
 hci_rx_work+0xaa7/0x1610 net/bluetooth/hci_core.c:4079
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3248
 process_scheduled_works kernel/workqueue.c:3329 [inline]
 worker_thread+0x6c8/0xf30 kernel/workqueue.c:3409
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 5252:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:4123 [inline]
 __kmalloc_noprof+0x1ec/0x410 mm/slub.c:4136
 kmalloc_noprof include/linux/slab.h:664 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
 sk_alloc+0x36/0xb90 net/core/sock.c:2133
 bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:148
 l2cap_sock_alloc.constprop.0+0x35/0x180 net/bluetooth/l2cap_sock.c:1869
 l2cap_sock_create+0x123/0x1f0 net/bluetooth/l2cap_sock.c:1909
 bt_sock_create+0x182/0x350 net/bluetooth/af_bluetooth.c:132
 __sock_create+0x32e/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5252:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
 poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
 __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2196 [inline]
 slab_free mm/slub.c:4438 [inline]
 kfree+0x12a/0x3b0 mm/slub.c:4559
 sk_prot_free net/core/sock.c:2116 [inline]
 __sk_destruct+0x5d8/0x730 net/core/sock.c:2208
 sk_destruct+0xc2/0xf0 net/core/sock.c:2223
 __sk_free+0xf4/0x3e0 net/core/sock.c:2234
 sk_free+0x7c/0xa0 net/core/sock.c:2245
 sock_put include/net/sock.h:1879 [inline]
 l2cap_sock_kill net/bluetooth/l2cap_sock.c:1246 [inline]
 l2cap_sock_kill+0x22f/0x270 net/bluetooth/l2cap_sock.c:1235
 l2cap_sock_release+0x189/0x210 net/bluetooth/l2cap_sock.c:1417
 __sock_release+0xb0/0x270 net/socket.c:659
 sock_close+0x1c/0x30 net/socket.c:1421
 __fput+0x408/0xbb0 fs/file_table.c:422
 __fput_sync+0x47/0x50 fs/file_table.c:507
 __do_sys_close fs/open.c:1555 [inline]
 __se_sys_close fs/open.c:1540 [inline]
 __x64_sys_close+0x86/0x100 fs/open.c:1540
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802857d000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 472 bytes inside of
 freed 2048-byte region [ffff88802857d000, ffff88802857d800)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28578
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000040 ffff888015442f00 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000080008 00000001ffffefff 0000000000000000
head: 00fff00000000040 ffff888015442f00 dead000000000122 0000000000000000
head: 0000000000000000 0000000000080008 00000001ffffefff 0000000000000000
head: 00fff00000000003 ffffea0000a15e01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5248, tgid 5248 (syz-executor332), ts 54620783854, free_ts 54075826268
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1473
 prep_new_page mm/page_alloc.c:1481 [inline]
 get_page_from_freelist+0x1353/0x2e50 mm/page_alloc.c:3425
 __alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4683
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x56/0x110 mm/slub.c:2265
 allocate_slab mm/slub.c:2428 [inline]
 new_slab+0x84/0x260 mm/slub.c:2481
 ___slab_alloc+0xdac/0x1870 mm/slub.c:3667
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3757
 __slab_alloc_node mm/slub.c:3810 [inline]
 slab_alloc_node mm/slub.c:3990 [inline]
 kmalloc_trace_noprof+0x2b4/0x300 mm/slub.c:4149
 kmalloc_noprof include/linux/slab.h:660 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 l2cap_chan_create+0x44/0x920 net/bluetooth/l2cap_core.c:449
 l2cap_sock_alloc.constprop.0+0xf3/0x180 net/bluetooth/l2cap_sock.c:1878
 l2cap_sock_create+0x123/0x1f0 net/bluetooth/l2cap_sock.c:1909
 bt_sock_create+0x182/0x350 net/bluetooth/af_bluetooth.c:132
 __sock_create+0x32e/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
page last free pid 5188 tgid 5188 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1093 [inline]
 free_unref_page+0x64a/0xe40 mm/page_alloc.c:2588
 __put_partials+0x14c/0x170 mm/slub.c:2995
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3940 [inline]
 slab_alloc_node mm/slub.c:4002 [inline]
 kmem_cache_alloc_node_noprof+0x153/0x310 mm/slub.c:4045
 __alloc_skb+0x2b1/0x380 net/core/skbuff.c:656
 alloc_skb_fclone include/linux/skbuff.h:1358 [inline]
 tcp_stream_alloc_skb+0x34/0x570 net/ipv4/tcp.c:879
 tcp_sendmsg_locked+0xecc/0x3550 net/ipv4/tcp.c:1161
 tcp_sendmsg+0x2e/0x50 net/ipv4/tcp.c:1351
 inet_sendmsg+0xb9/0x140 net/ipv4/af_inet.c:853
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 sock_write_iter+0x4b8/0x5c0 net/socket.c:1160
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0x6b6/0x1140 fs/read_write.c:590
 ksys_write+0x1f8/0x260 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88802857d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802857d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802857d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff88802857d200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802857d280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================