Extracting prog: 25m48.40751956s
Minimizing prog: 2h36m30.821306007s
Simplifying prog options: 0s
Extracting C: 2m12.904989508s
Simplifying C: 49m1.457125625s


30 programs, timeouts [6m0s]
extracting reproducer from 30 programs
testing a last program of every proc
single: executing 5 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-setsockopt$inet6_IPV6_RTHDR-sched_setaffinity-syz_open_dev$MSR-read$msr-prctl$PR_SCHED_CORE-mkdirat-pipe2$9p-openat$vnet-ioctl$int_in-socket-getsockname$packet-sendmsg$nl_route_sched-sendmsg$nl_route_sched-socket$netlink-sendmmsg-ioctl$VHOST_SET_MEM_TABLE-socket$packet-ioctl$VHOST_SET_VRING_ADDR-ioctl$VHOST_SET_FEATURES-openat$iommufd-openat$iommufd-ioctl$IOMMU_TEST_OP_CREATE_ACCESS-syz_genetlink_get_family_id$ethtool-sendmsg$ETHTOOL_MSG_FEATURES_GET-ioctl$IOMMU_TEST_OP_MOCK_DOMAIN
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_IPV6_RTHDR(r0, 0x29, 0x39, &(0x7f0000000080)=ANY=[@ANYBLOB="0004020000000000000000000000000000000000005a271935cfd38ff5c31ec1d6dbf40000000000"], 0x28)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
r1 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
mkdirat(0xffffffffffffffff, &(0x7f0000000480)='./file1\x00', 0x2)
pipe2$9p(&(0x7f0000000240), 0x0)
r2 = openat$vnet(0xffffffffffffff9c, &(0x7f0000000180), 0x2, 0x0)
ioctl$int_in(r2, 0x40000000af01, 0x0)
r3 = socket(0x2a, 0x2, 0x0)
getsockname$packet(r3, &(0x7f0000000200)={0x11, 0x0, <r4=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000001480)=0x14)
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newqdisc={0x2c, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {0xffff, 0xffff}, {0xffe0}}, [@qdisc_kind_options=@q_drr={0x8}]}, 0x2c}}, 0x0)
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000340)={0x0, 0x0, 0x0}, 0x0)
r5 = socket$netlink(0x10, 0x3, 0x0)
sendmmsg(r5, &(0x7f00000002c0), 0x40000000000009f, 0x0)
ioctl$VHOST_SET_MEM_TABLE(r2, 0x4008af03, &(0x7f0000000080))
socket$packet(0x11, 0x3, 0x300)
ioctl$VHOST_SET_VRING_ADDR(r2, 0x4028af11, &(0x7f00000001c0)={0x0, 0x0, 0x0, &(0x7f00000003c0)=""/75, 0x0})
ioctl$VHOST_SET_FEATURES(r2, 0x4008af00, 0x0)
r6 = openat$iommufd(0xffffffffffffff9c, 0x0, 0x200, 0x0)
r7 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$IOMMU_TEST_OP_CREATE_ACCESS(r7, 0x3ba0, &(0x7f00000001c0)={0x48})
r8 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000100), r5)
sendmsg$ETHTOOL_MSG_FEATURES_GET(r3, &(0x7f0000000300)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x800000}, 0xc, &(0x7f0000000140)={&(0x7f00000004c0)={0x50, r8, 0x8, 0x70bd27, 0x25dfdbfb, {}, [@HEADER={0x3c, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x3}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'wlan0\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x3}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'geneve1\x00'}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40890}, 0x8000)
ioctl$IOMMU_TEST_OP_MOCK_DOMAIN(r6, 0x3ba0, &(0x7f0000000340)={0x48})

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$vhost_vsock-prlimit64-sched_setscheduler-prctl$PR_SCHED_CORE-getpid-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg-bpf$PROG_LOAD-add_key$user-add_key$user-keyctl$dh_compute-fcntl$getown-ioctl$VHOST_SET_VRING_BASE-eventfd-ioctl$VHOST_SET_VRING_BASE-ioctl$VHOST_SET_LOG_FD-ioctl$VHOST_SET_VRING_KICK-ioctl$VHOST_SET_VRING_ADDR-ioctl$VHOST_SET_VRING_ADDR-ioctl$VHOST_SET_MEM_TABLE-ioctl$VHOST_SET_VRING_ERR-ioctl$VHOST_VSOCK_SET_RUNNING
detailed listing:
executing program 0:
r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x6)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x0, 0x0)
r1 = getpid()
sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x4)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
connect$unix(r2, &(0x7f0000000380)=@abs, 0x6e)
sendmmsg$unix(r3, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x11, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x90)
r4 = add_key$user(&(0x7f0000000380), 0x0, 0x0, 0x0, 0xfffffffffffffffe)
r5 = add_key$user(0x0, 0x0, &(0x7f00000000c0), 0x0, 0xfffffffffffffffd)
keyctl$dh_compute(0x17, &(0x7f0000000100)={r4, r5, r5}, 0x0, 0x0, &(0x7f0000000180)={0x0})
fcntl$getown(r0, 0x9)
ioctl$VHOST_SET_VRING_BASE(r0, 0xaf01, 0x0)
r6 = eventfd(0x0)
ioctl$VHOST_SET_VRING_BASE(r0, 0x4008af12, &(0x7f0000000080)={0x1, 0x7f})
ioctl$VHOST_SET_LOG_FD(r0, 0x4004af07, &(0x7f0000000240)=r6)
ioctl$VHOST_SET_VRING_KICK(r0, 0x4008af20, &(0x7f0000000040)={0x1, r6})
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000140)={0x0, 0x0, 0x0, &(0x7f0000000500)=""/67, 0x0})
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x1, 0x1, 0x0, &(0x7f00000000c0)=""/87, &(0x7f0000000480)=""/74})
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000680)={0x1, 0x0, [{0x0, 0xfffffeac, &(0x7f00000001c0)=""/115}]})
ioctl$VHOST_SET_VRING_ERR(r0, 0x4008af22, &(0x7f00000002c0)={0x1, r6})
ioctl$VHOST_VSOCK_SET_RUNNING(r0, 0x4004af61, &(0x7f0000000000)=0x1)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$can_raw-ioctl$sock_SIOCOUTQNSD-prctl$PR_SCHED_CORE-getpgid-getpid-process_vm_readv-socketpair$tipc-openat$sysfs-fanotify_mark-finit_module-pipe2-kcmp$KCMP_EPOLL_TFD-sched_setaffinity-openat$hwrng-preadv-openat$cgroup_ro-socket$nl_route-read$FUSE-sendmsg$nl_route-syz_open_dev$ndb-getpid-socket$inet_sctp-sendto$inet-add_key-socket$nl_netfilter-sendmsg$IPSET_CMD_FLUSH
detailed listing:
executing program 0:
r0 = socket$can_raw(0x1d, 0x3, 0x1)
ioctl$sock_SIOCOUTQNSD(r0, 0x894b, &(0x7f0000000200))
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
getpgid(0x0)
r1 = getpid()
process_vm_readv(r1, &(0x7f0000008400)=[{&(0x7f0000000300)=""/54, 0x7ffff000}, {&(0x7f0000006180)=""/152, 0x98}], 0x2, &(0x7f0000008640)=[{&(0x7f0000008480)=""/95, 0x7ffff000}], 0x286, 0x0)
socketpair$tipc(0x1e, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
r3 = openat$sysfs(0xffffff9c, &(0x7f0000000040)='/sys/kernel/notes', 0x0, 0x0)
fanotify_mark(r3, 0x80, 0x12, 0xffffffffffffffff, &(0x7f0000000180)='./file0\x00')
finit_module(r3, 0x0, 0x2)
pipe2(&(0x7f00000000c0)={<r4=>0xffffffffffffffff}, 0x0)
kcmp$KCMP_EPOLL_TFD(0x0, r1, 0x7, r2, &(0x7f0000000140)={r3, r4, 0x6})
sched_setaffinity(r1, 0x8, &(0x7f0000000040)=0x10001)
r5 = openat$hwrng(0xffffffffffffff9c, &(0x7f00000002c0), 0x0, 0x0)
preadv(r5, &(0x7f0000000340)=[{&(0x7f0000008680)=""/102386, 0xfdc6}, {&(0x7f0000002d00)=""/4096, 0x1000}], 0x2, 0x0, 0x0)
openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0)
r6 = socket$nl_route(0x10, 0x3, 0x0)
read$FUSE(0xffffffffffffffff, &(0x7f0000000cc0)={0x2020}, 0x2020)
sendmsg$nl_route(r6, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000c80)=ANY=[@ANYBLOB="4000000010001500"/20, @ANYRES32=0x0, @ANYBLOB="0000000000000000180012800b0001006772657461700000080002800400120008001f0004000000"], 0x40}}, 0x0)
syz_open_dev$ndb(0x0, 0x0, 0x0)
getpid()
socket$inet_sctp(0x2, 0x0, 0x84)
sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0)
add_key(&(0x7f0000000040)='asymmetric\x00', 0x0, &(0x7f0000000300)="303e3002a0001f14000000d190c937dc6914243b0402d6dcb70ad80851956fe6727ae888746b02cee670a5882a0ad79716584e6b04b7f62edac751478af9c62f", 0x40, 0xfffffffffffffffc)
r7 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_FLUSH(r7, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000480)={&(0x7f00000004c0)={0x48, 0x4, 0x6, 0x201, 0x0, 0x0, {0x1}, [@IPSET_ATTR_SETNAME={0x9, 0x2, 'syz0\x00'}, @IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz2\x00'}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz0\x00'}]}, 0x48}, 0x1, 0x0, 0x0, 0x40000}, 0x800)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-ioctl$sock_SIOCGIFINDEX_80211-openat$uinput-socket-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-bind$can_j1939-connect$can_j1939-ioctl$UI_SET_EVBIT-socket$nl_rdma-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_open_dev$usbfs-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_SET_LEDBIT-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
r2 = socket(0x10, 0x3, 0x0)
r3 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r2, 0x8933, &(0x7f00000011c0)={'vcan0\x00', <r4=>0x0})
r5 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000011c0)={'vxcan0\x00', <r6=>0x0})
bind$can_j1939(r3, &(0x7f0000001200)={0x1d, r6}, 0x18)
connect$can_j1939(r3, &(0x7f0000000080)={0x1d, r4}, 0x18)
ioctl$UI_SET_EVBIT(r1, 0x40045564, 0x11)
socket$nl_rdma(0x10, 0x3, 0x14)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={0x0}, 0x10)
r7 = syz_open_dev$usbfs(&(0x7f0000000100), 0x77, 0xb8800)
ioctl$USBDEVFS_FREE_STREAMS(r7, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(r7, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_SET_LEDBIT(r1, 0x40045569, 0x1)
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r1, 0x5501)

program crashed: KASAN: slab-use-after-free Read in l2cap_connect
single: successfully extracted reproducer
found reproducer with 26 syscalls
minimizing guilty program
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-ioctl$sock_SIOCGIFINDEX_80211-openat$uinput-socket-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-bind$can_j1939-connect$can_j1939-ioctl$UI_SET_EVBIT-socket$nl_rdma-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_open_dev$usbfs-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_SET_LEDBIT-ioctl$UI_DEV_SETUP
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
r2 = socket(0x10, 0x3, 0x0)
r3 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r2, 0x8933, &(0x7f00000011c0)={'vcan0\x00', <r4=>0x0})
r5 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000011c0)={'vxcan0\x00', <r6=>0x0})
bind$can_j1939(r3, &(0x7f0000001200)={0x1d, r6}, 0x18)
connect$can_j1939(r3, &(0x7f0000000080)={0x1d, r4}, 0x18)
ioctl$UI_SET_EVBIT(r1, 0x40045564, 0x11)
socket$nl_rdma(0x10, 0x3, 0x14)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={0x0}, 0x10)
r7 = syz_open_dev$usbfs(&(0x7f0000000100), 0x77, 0xb8800)
ioctl$USBDEVFS_FREE_STREAMS(r7, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(r7, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_SET_LEDBIT(r1, 0x40045569, 0x1)
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-ioctl$sock_SIOCGIFINDEX_80211-openat$uinput-socket-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-bind$can_j1939-connect$can_j1939-ioctl$UI_SET_EVBIT-socket$nl_rdma-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_open_dev$usbfs-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_SET_LEDBIT-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
r2 = socket(0x10, 0x3, 0x0)
r3 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r2, 0x8933, &(0x7f00000011c0)={'vcan0\x00', <r4=>0x0})
r5 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000011c0)={'vxcan0\x00', <r6=>0x0})
bind$can_j1939(r3, &(0x7f0000001200)={0x1d, r6}, 0x18)
connect$can_j1939(r3, &(0x7f0000000080)={0x1d, r4}, 0x18)
ioctl$UI_SET_EVBIT(r1, 0x40045564, 0x11)
socket$nl_rdma(0x10, 0x3, 0x14)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={0x0}, 0x10)
r7 = syz_open_dev$usbfs(&(0x7f0000000100), 0x77, 0xb8800)
ioctl$USBDEVFS_FREE_STREAMS(r7, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(r7, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_SET_LEDBIT(r1, 0x40045569, 0x1)
ioctl$UI_DEV_CREATE(r1, 0x5501)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-ioctl$sock_SIOCGIFINDEX_80211-openat$uinput-socket-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-bind$can_j1939-connect$can_j1939-ioctl$UI_SET_EVBIT-socket$nl_rdma-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_open_dev$usbfs-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
r2 = socket(0x10, 0x3, 0x0)
r3 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r2, 0x8933, &(0x7f00000011c0)={'vcan0\x00', <r4=>0x0})
r5 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000011c0)={'vxcan0\x00', <r6=>0x0})
bind$can_j1939(r3, &(0x7f0000001200)={0x1d, r6}, 0x18)
connect$can_j1939(r3, &(0x7f0000000080)={0x1d, r4}, 0x18)
ioctl$UI_SET_EVBIT(r1, 0x40045564, 0x11)
socket$nl_rdma(0x10, 0x3, 0x14)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={0x0}, 0x10)
r7 = syz_open_dev$usbfs(&(0x7f0000000100), 0x77, 0xb8800)
ioctl$USBDEVFS_FREE_STREAMS(r7, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(r7, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r1, 0x5501)

program crashed: KASAN: slab-use-after-free Read in l2cap_send_cmd
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-ioctl$sock_SIOCGIFINDEX_80211-openat$uinput-socket-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-bind$can_j1939-connect$can_j1939-ioctl$UI_SET_EVBIT-socket$nl_rdma-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_open_dev$usbfs-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
r2 = socket(0x10, 0x3, 0x0)
r3 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r2, 0x8933, &(0x7f00000011c0)={'vcan0\x00', <r4=>0x0})
r5 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000011c0)={'vxcan0\x00', <r6=>0x0})
bind$can_j1939(r3, &(0x7f0000001200)={0x1d, r6}, 0x18)
connect$can_j1939(r3, &(0x7f0000000080)={0x1d, r4}, 0x18)
ioctl$UI_SET_EVBIT(r1, 0x40045564, 0x11)
socket$nl_rdma(0x10, 0x3, 0x14)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={0x0}, 0x10)
r7 = syz_open_dev$usbfs(&(0x7f0000000100), 0x77, 0xb8800)
ioctl$USBDEVFS_FREE_STREAMS(r7, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r1, 0x5501)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-ioctl$sock_SIOCGIFINDEX_80211-openat$uinput-socket-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-bind$can_j1939-connect$can_j1939-ioctl$UI_SET_EVBIT-socket$nl_rdma-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_open_dev$usbfs-ioctl$USBDEVFS_FREE_STREAMS-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
r2 = socket(0x10, 0x3, 0x0)
r3 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r2, 0x8933, &(0x7f00000011c0)={'vcan0\x00', <r4=>0x0})
r5 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000011c0)={'vxcan0\x00', <r6=>0x0})
bind$can_j1939(r3, &(0x7f0000001200)={0x1d, r6}, 0x18)
connect$can_j1939(r3, &(0x7f0000000080)={0x1d, r4}, 0x18)
ioctl$UI_SET_EVBIT(r1, 0x40045564, 0x11)
socket$nl_rdma(0x10, 0x3, 0x14)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={0x0}, 0x10)
r7 = syz_open_dev$usbfs(&(0x7f0000000100), 0x77, 0xb8800)
ioctl$USBDEVFS_FREE_STREAMS(r7, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
ioctl$USBDEVFS_CONTROL(r7, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r1, 0x5501)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-ioctl$sock_SIOCGIFINDEX_80211-openat$uinput-socket-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-bind$can_j1939-connect$can_j1939-ioctl$UI_SET_EVBIT-socket$nl_rdma-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_open_dev$usbfs-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
r2 = socket(0x10, 0x3, 0x0)
r3 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r2, 0x8933, &(0x7f00000011c0)={'vcan0\x00', <r4=>0x0})
r5 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000011c0)={'vxcan0\x00', <r6=>0x0})
bind$can_j1939(r3, &(0x7f0000001200)={0x1d, r6}, 0x18)
connect$can_j1939(r3, &(0x7f0000000080)={0x1d, r4}, 0x18)
ioctl$UI_SET_EVBIT(r1, 0x40045564, 0x11)
socket$nl_rdma(0x10, 0x3, 0x14)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={0x0}, 0x10)
r7 = syz_open_dev$usbfs(&(0x7f0000000100), 0x77, 0xb8800)
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(r7, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r1, 0x5501)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-ioctl$sock_SIOCGIFINDEX_80211-openat$uinput-socket-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-bind$can_j1939-connect$can_j1939-ioctl$UI_SET_EVBIT-socket$nl_rdma-bpf$BPF_RAW_TRACEPOINT_OPEN-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
r2 = socket(0x10, 0x3, 0x0)
r3 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r2, 0x8933, &(0x7f00000011c0)={'vcan0\x00', <r4=>0x0})
r5 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000011c0)={'vxcan0\x00', <r6=>0x0})
bind$can_j1939(r3, &(0x7f0000001200)={0x1d, r6}, 0x18)
connect$can_j1939(r3, &(0x7f0000000080)={0x1d, r4}, 0x18)
ioctl$UI_SET_EVBIT(r1, 0x40045564, 0x11)
socket$nl_rdma(0x10, 0x3, 0x14)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={0x0}, 0x10)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r1, 0x5501)

program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-ioctl$sock_SIOCGIFINDEX_80211-openat$uinput-socket-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-bind$can_j1939-connect$can_j1939-ioctl$UI_SET_EVBIT-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
r2 = socket(0x10, 0x3, 0x0)
r3 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r2, 0x8933, &(0x7f00000011c0)={'vcan0\x00', <r4=>0x0})
r5 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000011c0)={'vxcan0\x00', <r6=>0x0})
bind$can_j1939(r3, &(0x7f0000001200)={0x1d, r6}, 0x18)
connect$can_j1939(r3, &(0x7f0000000080)={0x1d, r4}, 0x18)
ioctl$UI_SET_EVBIT(r1, 0x40045564, 0x11)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r1, 0x5501)

program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-ioctl$sock_SIOCGIFINDEX_80211-openat$uinput-socket-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-bind$can_j1939-connect$can_j1939-ioctl$UI_SET_EVBIT-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
r2 = socket(0x10, 0x3, 0x0)
r3 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r2, 0x8933, &(0x7f00000011c0)={'vcan0\x00', <r4=>0x0})
r5 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000011c0)={'vxcan0\x00', <r6=>0x0})
bind$can_j1939(r3, &(0x7f0000001200)={0x1d, r6}, 0x18)
connect$can_j1939(r3, &(0x7f0000000080)={0x1d, r4}, 0x18)
ioctl$UI_SET_EVBIT(r1, 0x40045564, 0x11)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r1, 0x5501)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-ioctl$sock_SIOCGIFINDEX_80211-openat$uinput-socket-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
r2 = socket(0x10, 0x3, 0x0)
r3 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r2, 0x8933, &(0x7f00000011c0)={'vcan0\x00', <r4=>0x0})
r5 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000011c0)={'vxcan0\x00', <r6=>0x0})
bind$can_j1939(r3, &(0x7f0000001200)={0x1d, r6}, 0x18)
connect$can_j1939(r3, &(0x7f0000000080)={0x1d, r4}, 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r1, 0x5501)

program crashed: KASAN: slab-use-after-free Read in l2cap_send_cmd
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-ioctl$sock_SIOCGIFINDEX_80211-openat$uinput-socket-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-bind$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
r2 = socket(0x10, 0x3, 0x0)
r3 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r2, 0x8933, &(0x7f00000011c0)={'vcan0\x00'})
r4 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r4, 0x8933, &(0x7f00000011c0)={'vxcan0\x00', <r5=>0x0})
bind$can_j1939(r3, &(0x7f0000001200)={0x1d, r5}, 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r1, 0x5501)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-ioctl$sock_SIOCGIFINDEX_80211-openat$uinput-socket-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
r2 = socket(0x10, 0x3, 0x0)
r3 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r2, 0x8933, &(0x7f00000011c0)={'vcan0\x00', <r4=>0x0})
r5 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000011c0)={'vxcan0\x00'})
connect$can_j1939(r3, &(0x7f0000000080)={0x1d, r4}, 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r1, 0x5501)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-ioctl$sock_SIOCGIFINDEX_80211-openat$uinput-socket-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$can_j1939-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
r2 = socket(0x10, 0x3, 0x0)
r3 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r2, 0x8933, &(0x7f00000011c0)={'vcan0\x00', <r4=>0x0})
socket$can_j1939(0x1d, 0x2, 0x7)
bind$can_j1939(r3, &(0x7f0000001200), 0x18)
connect$can_j1939(r3, &(0x7f0000000080)={0x1d, r4}, 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r1, 0x5501)

program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-ioctl$sock_SIOCGIFINDEX_80211-openat$uinput-socket-socket$can_j1939-ioctl$ifreq_SIOCGIFINDEX_vcan-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
r2 = socket(0x10, 0x3, 0x0)
r3 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r2, 0x8933, &(0x7f00000011c0)={'vcan0\x00', <r4=>0x0})
bind$can_j1939(r3, &(0x7f0000001200), 0x18)
connect$can_j1939(r3, &(0x7f0000000080)={0x1d, r4}, 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r1, 0x5501)

program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-ioctl$sock_SIOCGIFINDEX_80211-openat$uinput-socket-socket$can_j1939-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
socket(0x10, 0x3, 0x0)
r2 = socket$can_j1939(0x1d, 0x2, 0x7)
bind$can_j1939(r2, &(0x7f0000001200), 0x18)
connect$can_j1939(r2, &(0x7f0000000080), 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r1, 0x5501)

program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-ioctl$sock_SIOCGIFINDEX_80211-openat$uinput-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
socket(0x10, 0x3, 0x0)
bind$can_j1939(0xffffffffffffffff, &(0x7f0000001200), 0x18)
connect$can_j1939(0xffffffffffffffff, &(0x7f0000000080), 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r1, 0x5501)

program crashed: lost connection to test machine
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-ioctl$sock_SIOCGIFINDEX_80211-openat$uinput-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
bind$can_j1939(0xffffffffffffffff, &(0x7f0000001200), 0x18)
connect$can_j1939(0xffffffffffffffff, &(0x7f0000000080), 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r1, 0x5501)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
socket(0x10, 0x3, 0x0)
bind$can_j1939(0xffffffffffffffff, &(0x7f0000001200), 0x18)
connect$can_j1939(0xffffffffffffffff, &(0x7f0000000080), 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(0xffffffffffffffff, 0x5501)

program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-preadv-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0x18ff2}], 0x1, 0x0, 0x5)
socket(0x10, 0x3, 0x0)
bind$can_j1939(0xffffffffffffffff, &(0x7f0000001200), 0x18)
connect$can_j1939(0xffffffffffffffff, &(0x7f0000000080), 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(0xffffffffffffffff, 0x5501)

program crashed: lost connection to test machine
suppressed program crash: lost connection to test machine
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-openat$hwrng-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x1c9100, 0x0)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
socket(0x10, 0x3, 0x0)
bind$can_j1939(0xffffffffffffffff, &(0x7f0000001200), 0x18)
connect$can_j1939(0xffffffffffffffff, &(0x7f0000000080), 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(0xffffffffffffffff, 0x5501)

program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-syz_emit_vhci-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi_and_pscan_mode={{0x22, 0x10}, {0x1, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0xc}, 0xf5, 0x4, 0x5, '\x00', 0x80, 0xb1}]}}}, 0x13)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
socket(0x10, 0x3, 0x0)
bind$can_j1939(0xffffffffffffffff, &(0x7f0000001200), 0x18)
connect$can_j1939(0xffffffffffffffff, &(0x7f0000000080), 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(0xffffffffffffffff, 0x5501)

program crashed: lost connection to test machine
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-sched_setaffinity-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x2b, &(0x7f0000000040)=0x200000000005)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
socket(0x10, 0x3, 0x0)
bind$can_j1939(0xffffffffffffffff, &(0x7f0000001200), 0x18)
connect$can_j1939(0xffffffffffffffff, &(0x7f0000000080), 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(0xffffffffffffffff, 0x5501)

program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-prctl$PR_SCHED_CORE-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
socket(0x10, 0x3, 0x0)
bind$can_j1939(0xffffffffffffffff, &(0x7f0000001200), 0x18)
connect$can_j1939(0xffffffffffffffff, &(0x7f0000000080), 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(0xffffffffffffffff, 0x5501)

program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-syz_emit_vhci-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
syz_emit_vhci(&(0x7f00000004c0)=ANY=[@ANYBLOB="040e0501460c1f00c7f641737da8c5df97e629d54f8eef8f4b4c287248623393943b5ba71f4c252077dee7cda5f191af639f6bc9ccce6307303924e47e62deed5d1bb5921eea00000c30f73971da9388b9ec29139dedf9d61d113d31eeef342c9d"], 0x8)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
socket(0x10, 0x3, 0x0)
bind$can_j1939(0xffffffffffffffff, &(0x7f0000001200), 0x18)
connect$can_j1939(0xffffffffffffffff, &(0x7f0000000080), 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(0xffffffffffffffff, 0x5501)

program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
socket(0x10, 0x3, 0x0)
bind$can_j1939(0xffffffffffffffff, &(0x7f0000001200), 0x18)
connect$can_j1939(0xffffffffffffffff, &(0x7f0000000080), 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(0xffffffffffffffff, 0x5501)

program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'})
socket(0x10, 0x3, 0x0)
bind$can_j1939(0xffffffffffffffff, &(0x7f0000001200), 0x18)
connect$can_j1939(0xffffffffffffffff, &(0x7f0000000080), 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(0xffffffffffffffff, 0x5501)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, 0x0)
socket(0x10, 0x3, 0x0)
bind$can_j1939(0xffffffffffffffff, &(0x7f0000001200), 0x18)
connect$can_j1939(0xffffffffffffffff, &(0x7f0000000080), 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(0xffffffffffffffff, 0x5501)

program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, 0x0)
socket(0x10, 0x3, 0x0)
bind$can_j1939(0xffffffffffffffff, 0x0, 0x0)
connect$can_j1939(0xffffffffffffffff, &(0x7f0000000080), 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(0xffffffffffffffff, 0x5501)

program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, 0x0)
socket(0x10, 0x3, 0x0)
bind$can_j1939(0xffffffffffffffff, 0x0, 0x0)
connect$can_j1939(0xffffffffffffffff, 0x0, 0x0)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, &(0x7f0000000000)=ANY=[@ANYBLOB="02002303100007006000000002000020d3"])
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(0xffffffffffffffff, 0x5501)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, 0x0)
socket(0x10, 0x3, 0x0)
bind$can_j1939(0xffffffffffffffff, 0x0, 0x0)
connect$can_j1939(0xffffffffffffffff, &(0x7f0000000080), 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, 0x0)
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(0xffffffffffffffff, 0x5501)

program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, 0x0)
socket(0x10, 0x3, 0x0)
bind$can_j1939(0xffffffffffffffff, 0x0, 0x0)
connect$can_j1939(0xffffffffffffffff, &(0x7f0000000080), 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, 0x0)
syz_emit_vhci(0x0, 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(0xffffffffffffffff, 0x5501)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, 0x0)
socket(0x10, 0x3, 0x0)
bind$can_j1939(0xffffffffffffffff, 0x0, 0x0)
connect$can_j1939(0xffffffffffffffff, &(0x7f0000000080), 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, 0x0)
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(0xffffffffffffffff, 0x5501)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, 0x0)
socket(0x10, 0x3, 0x0)
bind$can_j1939(0xffffffffffffffff, 0x0, 0x0)
connect$can_j1939(0xffffffffffffffff, &(0x7f0000000080), 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, 0x0)
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, 0x0)
ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f0000000100)={{0x0, 0x0, 0x3}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(0xffffffffffffffff, 0x5501)

program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, 0x0)
socket(0x10, 0x3, 0x0)
bind$can_j1939(0xffffffffffffffff, 0x0, 0x0)
connect$can_j1939(0xffffffffffffffff, &(0x7f0000000080), 0x18)
socket$nl_rdma(0x10, 0x3, 0x14)
ioctl$USBDEVFS_FREE_STREAMS(0xffffffffffffffff, 0x802c550a, 0x0)
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="02c8204d00490001000cfb05000600feff080d7f080002000800000000010df8080009000f000a0008000f01040005007b00110c0200050002010400020001000383080002000000136aac0700015b0200050026db42aec9e47fb72220a280b6d882cec6e41ad1cf0a4982214bf5303844857d91872640e1cb8520784bfc7b58a8bbdbfac7dcb1aafec9af78ea69ab8f724194509a88e8c8973e4d957a2ed4d9a83396348da132dd9b0bccf67c58f1276b2e7ea5cc7c8a47568bc5ff8cd8ac"], 0x52)
ioctl$USBDEVFS_CONTROL(0xffffffffffffffff, 0x4008550d, 0x0)
ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, 0x0)
ioctl$UI_DEV_CREATE(0xffffffffffffffff, 0x5501)

program crashed: KASAN: slab-use-after-free Read in l2cap_connect
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
program crashed: KASAN: slab-use-after-free Read in l2cap_connect
simplifying C reproducer
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
program crashed: KASAN: slab-use-after-free Read in l2cap_send_cmd
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
program crashed: KASAN: slab-use-after-free Read in l2cap_send_cmd
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
program crashed: KASAN: slab-use-after-free Read in l2cap_send_cmd
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
program crashed: KASAN: slab-use-after-free Read in l2cap_connect
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX_80211-socket-bind$can_j1939-connect$can_j1939-socket$nl_rdma-ioctl$USBDEVFS_FREE_STREAMS-syz_emit_vhci-ioctl$USBDEVFS_CONTROL-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
program crashed: KASAN: slab-use-after-free Read in l2cap_connect
reproducing took 3h53m33.590975436s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
Read of size 8 at addr ffff88807c558000 by task kworker/u9:5/5239

CPU: 0 UID: 0 PID: 5239 Comm: kworker/u9:5 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci3 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
 l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline]
 l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline]
 l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline]
 l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825
 l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514
 hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]
 hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 5239:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kmalloc_noprof include/linux/slab.h:681 [inline]
 kzalloc_noprof include/linux/slab.h:807 [inline]
 l2cap_conn_add.part.0+0x60/0xa60 net/bluetooth/l2cap_core.c:6868
 l2cap_conn_add net/bluetooth/l2cap_core.c:69 [inline]
 l2cap_connect_cfm+0x428/0xf80 net/bluetooth/l2cap_core.c:7245
 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
 hci_remote_features_evt+0x548/0x9e0 net/bluetooth/hci_event.c:3721
 hci_event_func net/bluetooth/hci_event.c:7446 [inline]
 hci_event_packet+0x9eb/0x1180 net/bluetooth/hci_event.c:7498
 hci_rx_work+0x2c6/0x1610 net/bluetooth/hci_core.c:4023
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 55:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
 poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
 __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2256 [inline]
 slab_free mm/slub.c:4477 [inline]
 kfree+0x12a/0x3b0 mm/slub.c:4598
 l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline]
 kref_put include/linux/kref.h:65 [inline]
 l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline]
 l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802
 l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241
 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
 hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265
 hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583
 abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917
 hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Last potentially related work creation:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541
 insert_work+0x36/0x230 kernel/workqueue.c:2185
 __queue_work+0x97e/0x1070 kernel/workqueue.c:2341
 call_timer_fn+0x1a0/0x610 kernel/time/timer.c:1792
 expire_timers kernel/time/timer.c:1838 [inline]
 __run_timers+0x567/0xaf0 kernel/time/timer.c:2417
 __run_timer_base kernel/time/timer.c:2428 [inline]
 __run_timer_base kernel/time/timer.c:2421 [inline]
 run_timer_base+0x111/0x190 kernel/time/timer.c:2437
 run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2447
 handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu kernel/softirq.c:637 [inline]
 irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Second to last potentially related work creation:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541
 insert_work+0x36/0x230 kernel/workqueue.c:2185
 __queue_work+0x3f8/0x1070 kernel/workqueue.c:2345
 queue_work_on+0x11a/0x140 kernel/workqueue.c:2392
 queue_work include/linux/workqueue.h:621 [inline]
 l2cap_conn_ready net/bluetooth/l2cap_core.c:1640 [inline]
 l2cap_connect_cfm+0x9c9/0xf80 net/bluetooth/l2cap_core.c:7286
 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
 hci_remote_features_evt+0x548/0x9e0 net/bluetooth/hci_event.c:3721
 hci_event_func net/bluetooth/hci_event.c:7446 [inline]
 hci_event_packet+0x9eb/0x1180 net/bluetooth/hci_event.c:7498
 hci_rx_work+0x2c6/0x1610 net/bluetooth/hci_core.c:4023
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff88807c558000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of
 freed 1024-byte region [ffff88807c558000, ffff88807c558400)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7c558
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 00fff00000000040 ffff88801ac41dc0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000001fdffffff 0000000000000000
head: 00fff00000000040 ffff88801ac41dc0 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000001fdffffff 0000000000000000
head: 00fff00000000003 ffffea0001f15601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4643, tgid 4643 (init), ts 27312989793, free_ts 24993738984
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1500
 prep_new_page mm/page_alloc.c:1508 [inline]
 get_page_from_freelist+0x1351/0x2e50 mm/page_alloc.c:3446
 __alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4702
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x4e/0xf0 mm/slub.c:2325
 allocate_slab mm/slub.c:2488 [inline]
 new_slab+0x84/0x260 mm/slub.c:2541
 ___slab_alloc+0xdac/0x1870 mm/slub.c:3727
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3817
 __slab_alloc_node mm/slub.c:3870 [inline]
 slab_alloc_node mm/slub.c:4029 [inline]
 __do_kmalloc_node mm/slub.c:4161 [inline]
 __kmalloc_noprof+0x367/0x400 mm/slub.c:4174
 kmalloc_noprof include/linux/slab.h:685 [inline]
 kzalloc_noprof include/linux/slab.h:807 [inline]
 tomoyo_init_log+0x13ca/0x2180 security/tomoyo/audit.c:275
 tomoyo_supervisor+0x30c/0xea0 security/tomoyo/common.c:2089
 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
 tomoyo_env_perm+0x193/0x210 security/tomoyo/environ.c:63
 tomoyo_environ security/tomoyo/domain.c:672 [inline]
 tomoyo_find_next_domain+0xef9/0x2020 security/tomoyo/domain.c:878
 tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline]
 tomoyo_bprm_check_security+0x12e/0x1d0 security/tomoyo/tomoyo.c:92
 security_bprm_check+0x65/0xb0 security/security.c:1191
 search_binary_handler fs/exec.c:1815 [inline]
 exec_binprm fs/exec.c:1869 [inline]
 bprm_execve fs/exec.c:1920 [inline]
 bprm_execve+0x642/0x1960 fs/exec.c:1896
 do_execveat_common.isra.0+0x4f1/0x630 fs/exec.c:2027
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1101 [inline]
 free_unref_page+0x64a/0xe40 mm/page_alloc.c:2619
 free_contig_range+0xb6/0x1a0 mm/page_alloc.c:6667
 destroy_args+0xa42/0xe10 mm/debug_vm_pgtable.c:1017
 debug_vm_pgtable+0x1705/0x3280 mm/debug_vm_pgtable.c:1397
 do_one_initcall+0x128/0x700 init/main.c:1267
 do_initcall_level init/main.c:1329 [inline]
 do_initcalls init/main.c:1345 [inline]
 do_basic_setup init/main.c:1364 [inline]
 kernel_init_freeable+0x69d/0xca0 init/main.c:1578
 kernel_init+0x1c/0x2b0 init/main.c:1467
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff88807c557f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88807c557f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807c558000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88807c558080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807c558100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
Read of size 8 at addr ffff88807c558000 by task kworker/u9:5/5239

CPU: 0 UID: 0 PID: 5239 Comm: kworker/u9:5 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci3 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
 l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline]
 l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline]
 l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline]
 l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825
 l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514
 hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]
 hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 5239:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kmalloc_noprof include/linux/slab.h:681 [inline]
 kzalloc_noprof include/linux/slab.h:807 [inline]
 l2cap_conn_add.part.0+0x60/0xa60 net/bluetooth/l2cap_core.c:6868
 l2cap_conn_add net/bluetooth/l2cap_core.c:69 [inline]
 l2cap_connect_cfm+0x428/0xf80 net/bluetooth/l2cap_core.c:7245
 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
 hci_remote_features_evt+0x548/0x9e0 net/bluetooth/hci_event.c:3721
 hci_event_func net/bluetooth/hci_event.c:7446 [inline]
 hci_event_packet+0x9eb/0x1180 net/bluetooth/hci_event.c:7498
 hci_rx_work+0x2c6/0x1610 net/bluetooth/hci_core.c:4023
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 55:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
 poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
 __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2256 [inline]
 slab_free mm/slub.c:4477 [inline]
 kfree+0x12a/0x3b0 mm/slub.c:4598
 l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline]
 kref_put include/linux/kref.h:65 [inline]
 l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline]
 l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802
 l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241
 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
 hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265
 hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583
 abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917
 hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Last potentially related work creation:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541
 insert_work+0x36/0x230 kernel/workqueue.c:2185
 __queue_work+0x97e/0x1070 kernel/workqueue.c:2341
 call_timer_fn+0x1a0/0x610 kernel/time/timer.c:1792
 expire_timers kernel/time/timer.c:1838 [inline]
 __run_timers+0x567/0xaf0 kernel/time/timer.c:2417
 __run_timer_base kernel/time/timer.c:2428 [inline]
 __run_timer_base kernel/time/timer.c:2421 [inline]
 run_timer_base+0x111/0x190 kernel/time/timer.c:2437
 run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2447
 handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu kernel/softirq.c:637 [inline]
 irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Second to last potentially related work creation:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541
 insert_work+0x36/0x230 kernel/workqueue.c:2185
 __queue_work+0x3f8/0x1070 kernel/workqueue.c:2345
 queue_work_on+0x11a/0x140 kernel/workqueue.c:2392
 queue_work include/linux/workqueue.h:621 [inline]
 l2cap_conn_ready net/bluetooth/l2cap_core.c:1640 [inline]
 l2cap_connect_cfm+0x9c9/0xf80 net/bluetooth/l2cap_core.c:7286
 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
 hci_remote_features_evt+0x548/0x9e0 net/bluetooth/hci_event.c:3721
 hci_event_func net/bluetooth/hci_event.c:7446 [inline]
 hci_event_packet+0x9eb/0x1180 net/bluetooth/hci_event.c:7498
 hci_rx_work+0x2c6/0x1610 net/bluetooth/hci_core.c:4023
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff88807c558000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of
 freed 1024-byte region [ffff88807c558000, ffff88807c558400)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7c558
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 00fff00000000040 ffff88801ac41dc0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000001fdffffff 0000000000000000
head: 00fff00000000040 ffff88801ac41dc0 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000001fdffffff 0000000000000000
head: 00fff00000000003 ffffea0001f15601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4643, tgid 4643 (init), ts 27312989793, free_ts 24993738984
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1500
 prep_new_page mm/page_alloc.c:1508 [inline]
 get_page_from_freelist+0x1351/0x2e50 mm/page_alloc.c:3446
 __alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4702
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x4e/0xf0 mm/slub.c:2325
 allocate_slab mm/slub.c:2488 [inline]
 new_slab+0x84/0x260 mm/slub.c:2541
 ___slab_alloc+0xdac/0x1870 mm/slub.c:3727
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3817
 __slab_alloc_node mm/slub.c:3870 [inline]
 slab_alloc_node mm/slub.c:4029 [inline]
 __do_kmalloc_node mm/slub.c:4161 [inline]
 __kmalloc_noprof+0x367/0x400 mm/slub.c:4174
 kmalloc_noprof include/linux/slab.h:685 [inline]
 kzalloc_noprof include/linux/slab.h:807 [inline]
 tomoyo_init_log+0x13ca/0x2180 security/tomoyo/audit.c:275
 tomoyo_supervisor+0x30c/0xea0 security/tomoyo/common.c:2089
 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
 tomoyo_env_perm+0x193/0x210 security/tomoyo/environ.c:63
 tomoyo_environ security/tomoyo/domain.c:672 [inline]
 tomoyo_find_next_domain+0xef9/0x2020 security/tomoyo/domain.c:878
 tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline]
 tomoyo_bprm_check_security+0x12e/0x1d0 security/tomoyo/tomoyo.c:92
 security_bprm_check+0x65/0xb0 security/security.c:1191
 search_binary_handler fs/exec.c:1815 [inline]
 exec_binprm fs/exec.c:1869 [inline]
 bprm_execve fs/exec.c:1920 [inline]
 bprm_execve+0x642/0x1960 fs/exec.c:1896
 do_execveat_common.isra.0+0x4f1/0x630 fs/exec.c:2027
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1101 [inline]
 free_unref_page+0x64a/0xe40 mm/page_alloc.c:2619
 free_contig_range+0xb6/0x1a0 mm/page_alloc.c:6667
 destroy_args+0xa42/0xe10 mm/debug_vm_pgtable.c:1017
 debug_vm_pgtable+0x1705/0x3280 mm/debug_vm_pgtable.c:1397
 do_one_initcall+0x128/0x700 init/main.c:1267
 do_initcall_level init/main.c:1329 [inline]
 do_initcalls init/main.c:1345 [inline]
 do_basic_setup init/main.c:1364 [inline]
 kernel_init_freeable+0x69d/0xca0 init/main.c:1578
 kernel_init+0x1c/0x2b0 init/main.c:1467
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff88807c557f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88807c557f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807c558000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88807c558080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807c558100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================