Extracting prog: 2m33.042775629s
Minimizing prog: 10m1.947651743s
Simplifying prog options: 0s
Extracting C: 33.97037351s
Simplifying C: 16m26.96969536s


extracting reproducer from 39 programs
testing a last program of every proc
single: executing 9 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-syz_init_net_socket$nl_rdma-socket$inet_udp-sendmsg$nl_route_sched-sendmsg$nl_route_sched-prlimit64-sched_setscheduler-getpid-sched_setaffinity-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-sched_setaffinity-recvmmsg-shmget$private-sendmsg$netlink-syz_open_procfs-mount$9p_fd-ioctl$TUNSETIFF-socket$kcm-socket$nl_netfilter-sendmsg$NFT_MSG_GETSETELEM-syz_init_net_socket$bt_rfcomm-ioctl$int_in-connect$bt_rfcomm-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-socket$netlink
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10)
socket$inet_udp(0x2, 0x2, 0x0)
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000007900)={&(0x7f0000000040)=@newtaction={0xd0, 0x30, 0x216822a75a8bdd29, 0xffffffff, 0x0, {}, [{0xbc, 0x1, [@m_skbmod={0xb8, 0x3ffd, 0x0, 0x0, {{0xb}, {0x4}, {0x8c, 0x6, "eed6873f2981611ecb395b8716e117716864532f5465722919225448bbf6ed8357f76bf1fa9b55291316eb1809fcd4600358cdd945d387bd97c729258624b869b3ec525874365044249128c92c13f801e6fed8b7988ebfccfd15c08b07e85451a3df562d217b2010aeac8dbef98e6cbbb363bf1bff633baa160e0fd89d93f14810b030488376ad9f"}, {0xc}, {0xc}}}]}]}, 0xd0}}, 0x0)
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000000c0)=@newtaction={0xa4, 0x30, 0x1, 0x0, 0x0, {}, [{0x90, 0x1, [@m_ct={0x44, 0x2, 0x0, 0x0, {{0x7}, {0x1c, 0x2, 0x0, 0x1, [@TCA_CT_PARMS={0x18, 0x1, {0x9d, 0x11e41e7a, 0x20000000, 0x0, 0xf}}]}, {0x4}, {0xc, 0x7, {0x0, 0x1}}, {0xc, 0x8, {0x0, 0x1}}}}, @m_ife={0x48, 0x1, 0x0, 0x0, {{0x8}, {0x20, 0x2, 0x0, 0x1, [@TCA_IFE_PARMS={0x1c}]}, {0x4}, {0xc, 0x7, {0x1}}, {0xc}}}]}]}, 0xa4}, 0x1, 0x0, 0x0, 0x800}, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r1 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x4)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
connect$unix(r2, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r3, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r1, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
shmget$private(0x0, 0x2000, 0x800, &(0x7f0000ffd000/0x2000)=nil)
sendmsg$netlink(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000002580)=[{&(0x7f0000000180)=ANY=[@ANYBLOB="140000001300010000000000000000"], 0x14}], 0x1}, 0x0)
r4 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00')
mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f00000003c0)=ANY=[@ANYBLOB="7472616e733d66ddccccb3b7d59d649973f756dcc67b8269b77d1b2f1b9300c4ac5a275a6c4a695205187987cdcd7e0d9b41cc3fb0730f78fcaee057e27d620c20ddb170b9f373bbae2c37811b5580807a9f9fcd8c3fa89701006e07d7e6bb0ac4bece3d7fed58fa392146813bb30fae31f9a1fcd70af66142c32740a78b39d2061a5c878a6f0eec9d6794317253ff7fcd9dff23c5986fb6dd53cd0e97434cd5a887052f3055c2f823127dd21b4c36dec4e267f3c7ad9a4585f64dc27e7791c3b4a6a7fe000000000000", @ANYRESHEX=r4, @ANYBLOB=',wfdno=', @ANYRESHEX, @ANYBLOB=',\x00'])
ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000380)={'syzkaller1\x00', 0xc201})
socket$kcm(0x2, 0xa, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_MSG_GETSETELEM(r5, &(0x7f0000000240)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x10}, 0xc, &(0x7f0000000200)={&(0x7f0000000180)={0x38, 0xd, 0xa, 0x101, 0x0, 0x0, {0x2, 0x0, 0x1}, [@NFTA_SET_ELEM_LIST_SET={0x9, 0x2, 'syz2\x00'}, @NFTA_SET_ELEM_LIST_TABLE={0x9, 0x1, 'syz1\x00'}, @NFTA_SET_ELEM_LIST_SET={0x9, 0x2, 'syz1\x00'}]}, 0x38}, 0x1, 0x0, 0x0, 0x20000000}, 0x4004880)
r6 = syz_init_net_socket$bt_rfcomm(0x1f, 0x1, 0x3)
ioctl$int_in(r6, 0x5421, &(0x7f0000000000)=0x5)
connect$bt_rfcomm(r6, &(0x7f0000000080)={0x1f, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x12}, 0xb}, 0xa)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000000)={0x0, 0x38, &(0x7f00000000c0)=[@in6={0xa, 0x4e20, 0x0, @private2}, @in6={0xa, 0x4e20, 0x0, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02'}]}, &(0x7f0000000180)=0x10)
socket$netlink(0x10, 0x3, 0x4)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-recvmmsg-syz_emit_vhci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xf)
recvmmsg(r0, &(0x7f0000000d80)=[{{0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000180)=""/209, 0xd1}], 0x1}, 0x86e7}], 0x1, 0x0, &(0x7f0000000e00)={0x77359400})
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)

program crashed: WARNING: bad unlock balance in l2cap_recv_frame
single: successfully extracted reproducer
found reproducer with 4 syscalls
minimizing guilty program
testing program (duration=52.991088087s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-recvmmsg
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xf)
recvmmsg(r0, &(0x7f0000000d80)=[{{0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000180)=""/209, 0xd1}], 0x1}, 0x86e7}], 0x1, 0x0, &(0x7f0000000e00)={0x77359400})

program did not crash
testing program (duration=52.991088087s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xf)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)

program crashed: WARNING: bad unlock balance in l2cap_recv_frame
testing program (duration=52.991088087s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-syz_emit_vhci
detailed listing:
executing program 0:
syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)

program did not crash
testing program (duration=52.991088087s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): connect$bt_l2cap-syz_emit_vhci
detailed listing:
executing program 0:
connect$bt_l2cap(0xffffffffffffffff, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xf)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)

program did not crash
testing program (duration=52.991088087s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r0, 0x0, 0x0)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="02c8000c00080002"], 0x11)

program did not crash
testing program (duration=52.991088087s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xf)
syz_emit_vhci(0x0, 0x11)

program did not crash
testing program (duration=52.991088087s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xf)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB], 0x11)

program did not crash
extracting C reproducer
testing compiled C program (duration=52.991088087s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
program crashed: WARNING: bad unlock balance in l2cap_recv_frame
simplifying C reproducer
testing compiled C program (duration=52.991088087s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
program crashed: WARNING: bad unlock balance in l2cap_recv_frame
testing compiled C program (duration=52.991088087s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
program crashed: WARNING: bad unlock balance in l2cap_recv_frame
testing compiled C program (duration=52.991088087s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
program did not crash
testing compiled C program (duration=52.991088087s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
program crashed: WARNING: bad unlock balance in l2cap_recv_frame
testing compiled C program (duration=52.991088087s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
program crashed: WARNING: bad unlock balance in l2cap_recv_frame
testing compiled C program (duration=52.991088087s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
program crashed: WARNING: bad unlock balance in l2cap_recv_frame
testing compiled C program (duration=52.991088087s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
program crashed: WARNING: bad unlock balance in l2cap_recv_frame
testing compiled C program (duration=52.991088087s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
program crashed: WARNING: bad unlock balance in l2cap_recv_frame
testing compiled C program (duration=52.991088087s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
program did not crash
testing compiled C program (duration=52.991088087s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
program crashed: WARNING: bad unlock balance in l2cap_recv_frame
testing compiled C program (duration=52.991088087s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
program crashed: WARNING: bad unlock balance in l2cap_recv_frame
testing compiled C program (duration=52.991088087s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
program crashed: WARNING: bad unlock balance in l2cap_recv_frame
testing compiled C program (duration=52.991088087s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
program crashed: WARNING: bad unlock balance in l2cap_recv_frame
testing compiled C program (duration=52.991088087s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
program crashed: WARNING: bad unlock balance in l2cap_recv_frame
testing compiled C program (duration=52.991088087s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-syz_emit_vhci
program crashed: WARNING: bad unlock balance in l2cap_recv_frame
reproducing took 29m35.930534902s
repro crashed as (corrupted=false):
=====================================
WARNING: bad unlock balance detected!
5.15.179-syzkaller #0 Not tainted
-------------------------------------
kworker/u5:1/4023 is trying to release lock (&chan->lock) at:
[<ffff800010ecc43c>] l2cap_chan_unlock include/net/bluetooth/l2cap.h:860 [inline]
[<ffff800010ecc43c>] l2cap_conless_channel net/bluetooth/l2cap_core.c:7766 [inline]
[<ffff800010ecc43c>] l2cap_recv_frame+0xf60/0x6c28 net/bluetooth/l2cap_core.c:7819
but there are no more locks to release!

other info that might help us debug this:
2 locks held by kworker/u5:1/4023:
 #0: ffff0000c992a138 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x66c/0x11b8 kernel/workqueue.c:2283
 #1: ffff80001d707c00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x6ac/0x11b8 kernel/workqueue.c:2285

stack backtrace:
CPU: 0 PID: 4023 Comm: kworker/u5:1 Not tainted 5.15.179-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: hci0 hci_rx_work
Call trace:
 dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 dump_stack+0x1c/0x58 lib/dump_stack.c:113
 print_unlock_imbalance_bug+0x250/0x2a4 kernel/locking/lockdep.c:5065
 __lock_release kernel/locking/lockdep.c:-1 [inline]
 lock_release+0x4b8/0xa1c kernel/locking/lockdep.c:5643
 __mutex_unlock_slowpath+0xe0/0x6d4 kernel/locking/mutex.c:851
 mutex_unlock+0x8c/0xe0 kernel/locking/mutex.c:536
 l2cap_chan_unlock include/net/bluetooth/l2cap.h:860 [inline]
 l2cap_conless_channel net/bluetooth/l2cap_core.c:7766 [inline]
 l2cap_recv_frame+0xf60/0x6c28 net/bluetooth/l2cap_core.c:7819
 l2cap_recv_acldata+0x4f4/0x163c net/bluetooth/l2cap_core.c:8531
 hci_acldata_packet net/bluetooth/hci_core.c:4973 [inline]
 hci_rx_work+0x3a8/0x830 net/bluetooth/hci_core.c:5165
 process_one_work+0x790/0x11b8 kernel/workqueue.c:2310
 worker_thread+0x910/0x1034 kernel/workqueue.c:2457
 kthread+0x37c/0x45c kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870

final repro crashed as (corrupted=false):
=====================================
WARNING: bad unlock balance detected!
5.15.179-syzkaller #0 Not tainted
-------------------------------------
kworker/u5:1/4023 is trying to release lock (&chan->lock) at:
[<ffff800010ecc43c>] l2cap_chan_unlock include/net/bluetooth/l2cap.h:860 [inline]
[<ffff800010ecc43c>] l2cap_conless_channel net/bluetooth/l2cap_core.c:7766 [inline]
[<ffff800010ecc43c>] l2cap_recv_frame+0xf60/0x6c28 net/bluetooth/l2cap_core.c:7819
but there are no more locks to release!

other info that might help us debug this:
2 locks held by kworker/u5:1/4023:
 #0: ffff0000c992a138 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x66c/0x11b8 kernel/workqueue.c:2283
 #1: ffff80001d707c00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x6ac/0x11b8 kernel/workqueue.c:2285

stack backtrace:
CPU: 0 PID: 4023 Comm: kworker/u5:1 Not tainted 5.15.179-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: hci0 hci_rx_work
Call trace:
 dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 dump_stack+0x1c/0x58 lib/dump_stack.c:113
 print_unlock_imbalance_bug+0x250/0x2a4 kernel/locking/lockdep.c:5065
 __lock_release kernel/locking/lockdep.c:-1 [inline]
 lock_release+0x4b8/0xa1c kernel/locking/lockdep.c:5643
 __mutex_unlock_slowpath+0xe0/0x6d4 kernel/locking/mutex.c:851
 mutex_unlock+0x8c/0xe0 kernel/locking/mutex.c:536
 l2cap_chan_unlock include/net/bluetooth/l2cap.h:860 [inline]
 l2cap_conless_channel net/bluetooth/l2cap_core.c:7766 [inline]
 l2cap_recv_frame+0xf60/0x6c28 net/bluetooth/l2cap_core.c:7819
 l2cap_recv_acldata+0x4f4/0x163c net/bluetooth/l2cap_core.c:8531
 hci_acldata_packet net/bluetooth/hci_core.c:4973 [inline]
 hci_rx_work+0x3a8/0x830 net/bluetooth/hci_core.c:5165
 process_one_work+0x790/0x11b8 kernel/workqueue.c:2310
 worker_thread+0x910/0x1034 kernel/workqueue.c:2457
 kthread+0x37c/0x45c kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870