Extracting prog: 1m28.371804536s
Minimizing prog: 45m33.102139551s
Simplifying prog options: 0s
Extracting C: 31.183721392s
Simplifying C: 18m39.888252589s


extracting reproducer from 66 programs
testing a last program of every proc
single: executing 16 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-ioctl$DRM_IOCTL_MODE_GETCRTC-syz_genetlink_get_family_id$tipc2-sendmsg$TIPC_NL_LINK_GET-sendmsg$IPVS_CMD_SET_DEST-ioctl$SG_GET_SG_TABLESIZE-syz_init_net_socket$netrom-getpeername$netrom-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_START_SCHED_SCAN-mkdirat$cgroup-openat$pfkey-setsockopt$inet6_int-openat$cgroup-openat$cgroup_subtree-ioctl$DRM_IOCTL_PANTHOR_VM_CREATE-ioctl$DRM_IOCTL_PANTHOR_VM_GET_STATE-ioctl$DRM_IOCTL_IRQ_BUSID-ioctl$DRM_IOCTL_MODE_GETFB2-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [<r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [<r6=>0xffffffffffffffff, 0xffffffffffffffff, <r7=>0xffffffffffffffff, <r8=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r9=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r10=>0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, <r11=>0xffffffffffffffff, <r12=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r13=>0xffffffffffffffff, <r14=>0xffffffffffffffff, <r15=>0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r12, &(0x7f0000000580)=0x5, r8, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r7, r0, 0x0)
setsockopt$inet6_tcp_buf(r7, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r13, 0xc02064b6, &(0x7f0000000780)={0x0, <r16=>0x0, <r17=>0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
ioctl$DRM_IOCTL_MODE_GETCRTC(r15, 0xc06864a1, &(0x7f00000007c0)={&(0x7f0000000700)=[0x0, 0x0], 0x2, r16})
r18 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000880), r9)
sendmsg$TIPC_NL_LINK_GET(r11, &(0x7f0000000d80)={&(0x7f0000000840)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000d40)={&(0x7f00000008c0)={0x450, r18, 0x400, 0x70bd2c, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0xc4, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x273e, @private0={0xfc, 0x0, '\x00', 0x1}, 0x6}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x1a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e23, 0xd, @mcast1, 0xf11}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x8, @private1, 0x44a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x1a}}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x2, @rand_addr=' \x01\x00', 0x1}}}}]}, @TIPC_NLA_NODE={0x30, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_ID={0x27, 0x3, "cc54958aa755767c3f2ab96ae101abd0927da73f7c0cb9e7f6375775283c901b5998d2"}, @TIPC_NLA_NODE_KEY_MASTER={0x4}]}, @TIPC_NLA_LINK={0xb0, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xc447}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}]}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x9}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0xfffffff7}]}, @TIPC_NLA_BEARER={0x124, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xe, 0x1, @l2={'eth', 0x3a, 'bond0\x00'}}, @TIPC_NLA_BEARER_PROP={0x4c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xffffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5c}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}]}, @TIPC_NLA_BEARER_PROP={0x4}, @TIPC_NLA_BEARER_NAME={0x11, 0x1, @l2={'eth', 0x3a, 'macvtap0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @private=0xa010101}}, {0x14, 0x2, @in={0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_NAME={0x9, 0x1, @l2={'eth', 0x3a, '\x00'}}, @TIPC_NLA_BEARER_NAME={0xb, 0x1, @l2={'ib', 0x3a, 'wg0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e20, 0x5, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x5}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x8}}}}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}]}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x80000001}, @TIPC_NLA_PUBL_UPPER={0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x100}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x2}]}, @TIPC_NLA_NODE={0x40, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_KEY={0x3c, 0x4, {'gcm(aes)\x00', 0x14, "9ce95b022735c5acb2ad0d8c3c0409b045423c43"}}]}, @TIPC_NLA_BEARER={0xc0, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'ib', 0x3a, 'macvlan1\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x5}, @TIPC_NLA_BEARER_NAME={0x17, 0x1, @l2={'eth', 0x3a, 'bridge_slave_0\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x6}, @TIPC_NLA_BEARER_NAME={0x18, 0x1, @l2={'eth', 0x3a, 'veth1_to_batadv\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e20, @empty}}, {0x14, 0x2, @in={0x2, 0x4e24, @multicast2}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x2}}, {0x14, 0x2, @in={0x2, 0x4e21, @rand_addr=0x64010102}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3}]}, @TIPC_NLA_MON={0x2c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x7fff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x10001}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6dc}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x81}]}]}, 0x450}, 0x1, 0x0, 0x0, 0x40008c0}, 0x4004)
sendmsg$IPVS_CMD_SET_DEST(r4, &(0x7f0000000e80)={&(0x7f0000000dc0)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000e40)={&(0x7f0000000e00)={0x2c, 0x0, 0x400, 0x70bd28, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xe}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x5}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0)
ioctl$SG_GET_SG_TABLESIZE(r10, 0x227f, &(0x7f0000000ec0))
r19 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
getpeername$netrom(r19, &(0x7f0000000f00)={{0x3, @bcast}, [@null, @default, @rose, @netrom, @rose, @rose, @bcast, @null]}, &(0x7f0000000f80)=0x48)
r20 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001000), r8)
sendmsg$NL80211_CMD_START_SCHED_SCAN(r9, &(0x7f0000001140)={&(0x7f0000000fc0)={0x10, 0x0, 0x0, 0x80}, 0xc, &(0x7f0000001100)={&(0x7f0000001040)={0x94, r20, 0x10, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @val={0xc, 0x99, {0x2, 0x3c}}}}, [@NL80211_ATTR_SCAN_SSIDS={0x64, 0x2d, 0x0, 0x1, [{0x16, 0x0, @random="4fd0d69057c029cb497b596526718e357381"}, {0x1b, 0x0, @random="65c0712f5c610998bb932efeb4850b37eac32e4e1fa059"}, {0x1e, 0x0, @random="b8f04df244991af3939fe127fd9402e9e510b34f6511d2633661"}, {0xa, 0x0, @default_ap_ssid}]}, @NL80211_ATTR_BG_SCAN_PERIOD={0x6, 0x98, 0x8ad}, @NL80211_ATTR_SCHED_SCAN_DELAY={0x8, 0xdc, 0x9}]}, 0x94}, 0x1, 0x0, 0x0, 0x880}, 0xa0)
mkdirat$cgroup(r2, &(0x7f0000001180)='syz1\x00', 0x1ff)
r21 = openat$pfkey(0xffffffffffffff9c, &(0x7f00000011c0), 0x0, 0x0)
setsockopt$inet6_int(r5, 0x29, 0x10, &(0x7f0000001200)=0xfffffffa, 0x4)
r22 = openat$cgroup(r14, &(0x7f0000001240)='syz1\x00', 0x200002, 0x0)
openat$cgroup_subtree(r22, &(0x7f0000001280), 0x2, 0x0)
ioctl$DRM_IOCTL_PANTHOR_VM_CREATE(r2, 0xc0106441, &(0x7f00000012c0)={0x0, <r23=>0x0, 0x7})
ioctl$DRM_IOCTL_PANTHOR_VM_GET_STATE(r21, 0xc0086444, &(0x7f0000001300)={r23})
ioctl$DRM_IOCTL_IRQ_BUSID(r1, 0xc0106403, &(0x7f0000001340)={0x0, 0x8, 0x1, 0x9a24fe5})
ioctl$DRM_IOCTL_MODE_GETFB2(r6, 0xc06864ce, &(0x7f0000001380)={r17, 0xfffffffb, 0x10001, 0x6, 0x2, [], [0x10, 0x33, 0x5, 0x9], [0x1, 0xffff, 0x8, 0x2], [0x9, 0x0, 0x7fffffff, 0x8000000000000000]})
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
single: successfully extracted reproducer
found reproducer with 30 syscalls
minimizing guilty program
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-ioctl$DRM_IOCTL_MODE_GETCRTC-syz_genetlink_get_family_id$tipc2-sendmsg$TIPC_NL_LINK_GET-sendmsg$IPVS_CMD_SET_DEST-ioctl$SG_GET_SG_TABLESIZE-syz_init_net_socket$netrom-getpeername$netrom-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_START_SCHED_SCAN-mkdirat$cgroup-openat$pfkey-setsockopt$inet6_int-openat$cgroup-openat$cgroup_subtree-ioctl$DRM_IOCTL_PANTHOR_VM_CREATE-ioctl$DRM_IOCTL_PANTHOR_VM_GET_STATE-ioctl$DRM_IOCTL_IRQ_BUSID-ioctl$DRM_IOCTL_MODE_GETFB2
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [<r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [<r6=>0xffffffffffffffff, 0xffffffffffffffff, <r7=>0xffffffffffffffff, <r8=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r9=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r10=>0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, <r11=>0xffffffffffffffff, <r12=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r13=>0xffffffffffffffff, <r14=>0xffffffffffffffff, <r15=>0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r12, &(0x7f0000000580)=0x5, r8, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r7, r0, 0x0)
setsockopt$inet6_tcp_buf(r7, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r13, 0xc02064b6, &(0x7f0000000780)={0x0, <r16=>0x0, <r17=>0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
ioctl$DRM_IOCTL_MODE_GETCRTC(r15, 0xc06864a1, &(0x7f00000007c0)={&(0x7f0000000700)=[0x0, 0x0], 0x2, r16})
r18 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000880), r9)
sendmsg$TIPC_NL_LINK_GET(r11, &(0x7f0000000d80)={&(0x7f0000000840)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000d40)={&(0x7f00000008c0)={0x450, r18, 0x400, 0x70bd2c, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0xc4, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x273e, @private0={0xfc, 0x0, '\x00', 0x1}, 0x6}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x1a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e23, 0xd, @mcast1, 0xf11}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x8, @private1, 0x44a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x1a}}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x2, @rand_addr=' \x01\x00', 0x1}}}}]}, @TIPC_NLA_NODE={0x30, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_ID={0x27, 0x3, "cc54958aa755767c3f2ab96ae101abd0927da73f7c0cb9e7f6375775283c901b5998d2"}, @TIPC_NLA_NODE_KEY_MASTER={0x4}]}, @TIPC_NLA_LINK={0xb0, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xc447}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}]}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x9}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0xfffffff7}]}, @TIPC_NLA_BEARER={0x124, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xe, 0x1, @l2={'eth', 0x3a, 'bond0\x00'}}, @TIPC_NLA_BEARER_PROP={0x4c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xffffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5c}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}]}, @TIPC_NLA_BEARER_PROP={0x4}, @TIPC_NLA_BEARER_NAME={0x11, 0x1, @l2={'eth', 0x3a, 'macvtap0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @private=0xa010101}}, {0x14, 0x2, @in={0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_NAME={0x9, 0x1, @l2={'eth', 0x3a, '\x00'}}, @TIPC_NLA_BEARER_NAME={0xb, 0x1, @l2={'ib', 0x3a, 'wg0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e20, 0x5, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x5}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x8}}}}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}]}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x80000001}, @TIPC_NLA_PUBL_UPPER={0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x100}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x2}]}, @TIPC_NLA_NODE={0x40, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_KEY={0x3c, 0x4, {'gcm(aes)\x00', 0x14, "9ce95b022735c5acb2ad0d8c3c0409b045423c43"}}]}, @TIPC_NLA_BEARER={0xc0, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'ib', 0x3a, 'macvlan1\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x5}, @TIPC_NLA_BEARER_NAME={0x17, 0x1, @l2={'eth', 0x3a, 'bridge_slave_0\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x6}, @TIPC_NLA_BEARER_NAME={0x18, 0x1, @l2={'eth', 0x3a, 'veth1_to_batadv\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e20, @empty}}, {0x14, 0x2, @in={0x2, 0x4e24, @multicast2}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x2}}, {0x14, 0x2, @in={0x2, 0x4e21, @rand_addr=0x64010102}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3}]}, @TIPC_NLA_MON={0x2c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x7fff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x10001}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6dc}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x81}]}]}, 0x450}, 0x1, 0x0, 0x0, 0x40008c0}, 0x4004)
sendmsg$IPVS_CMD_SET_DEST(r4, &(0x7f0000000e80)={&(0x7f0000000dc0)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000e40)={&(0x7f0000000e00)={0x2c, 0x0, 0x400, 0x70bd28, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xe}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x5}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0)
ioctl$SG_GET_SG_TABLESIZE(r10, 0x227f, &(0x7f0000000ec0))
r19 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
getpeername$netrom(r19, &(0x7f0000000f00)={{0x3, @bcast}, [@null, @default, @rose, @netrom, @rose, @rose, @bcast, @null]}, &(0x7f0000000f80)=0x48)
r20 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001000), r8)
sendmsg$NL80211_CMD_START_SCHED_SCAN(r9, &(0x7f0000001140)={&(0x7f0000000fc0)={0x10, 0x0, 0x0, 0x80}, 0xc, &(0x7f0000001100)={&(0x7f0000001040)={0x94, r20, 0x10, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @val={0xc, 0x99, {0x2, 0x3c}}}}, [@NL80211_ATTR_SCAN_SSIDS={0x64, 0x2d, 0x0, 0x1, [{0x16, 0x0, @random="4fd0d69057c029cb497b596526718e357381"}, {0x1b, 0x0, @random="65c0712f5c610998bb932efeb4850b37eac32e4e1fa059"}, {0x1e, 0x0, @random="b8f04df244991af3939fe127fd9402e9e510b34f6511d2633661"}, {0xa, 0x0, @default_ap_ssid}]}, @NL80211_ATTR_BG_SCAN_PERIOD={0x6, 0x98, 0x8ad}, @NL80211_ATTR_SCHED_SCAN_DELAY={0x8, 0xdc, 0x9}]}, 0x94}, 0x1, 0x0, 0x0, 0x880}, 0xa0)
mkdirat$cgroup(r2, &(0x7f0000001180)='syz1\x00', 0x1ff)
r21 = openat$pfkey(0xffffffffffffff9c, &(0x7f00000011c0), 0x0, 0x0)
setsockopt$inet6_int(r5, 0x29, 0x10, &(0x7f0000001200)=0xfffffffa, 0x4)
r22 = openat$cgroup(r14, &(0x7f0000001240)='syz1\x00', 0x200002, 0x0)
openat$cgroup_subtree(r22, &(0x7f0000001280), 0x2, 0x0)
ioctl$DRM_IOCTL_PANTHOR_VM_CREATE(r2, 0xc0106441, &(0x7f00000012c0)={0x0, <r23=>0x0, 0x7})
ioctl$DRM_IOCTL_PANTHOR_VM_GET_STATE(r21, 0xc0086444, &(0x7f0000001300)={r23})
ioctl$DRM_IOCTL_IRQ_BUSID(r1, 0xc0106403, &(0x7f0000001340)={0x0, 0x8, 0x1, 0x9a24fe5})
ioctl$DRM_IOCTL_MODE_GETFB2(r6, 0xc06864ce, &(0x7f0000001380)={r17, 0xfffffffb, 0x10001, 0x6, 0x2, [], [0x10, 0x33, 0x5, 0x9], [0x1, 0xffff, 0x8, 0x2], [0x9, 0x0, 0x7fffffff, 0x8000000000000000]})

program did not crash
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-ioctl$DRM_IOCTL_MODE_GETCRTC-syz_genetlink_get_family_id$tipc2-sendmsg$TIPC_NL_LINK_GET-sendmsg$IPVS_CMD_SET_DEST-ioctl$SG_GET_SG_TABLESIZE-syz_init_net_socket$netrom-getpeername$netrom-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_START_SCHED_SCAN-mkdirat$cgroup-openat$pfkey-setsockopt$inet6_int-openat$cgroup-openat$cgroup_subtree-ioctl$DRM_IOCTL_PANTHOR_VM_CREATE-ioctl$DRM_IOCTL_PANTHOR_VM_GET_STATE-ioctl$DRM_IOCTL_IRQ_BUSID-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [<r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r6=>0xffffffffffffffff, <r7=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r8=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r9=>0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, <r10=>0xffffffffffffffff, <r11=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r12=>0xffffffffffffffff, <r13=>0xffffffffffffffff, <r14=>0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r11, &(0x7f0000000580)=0x5, r7, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r6, r0, 0x0)
setsockopt$inet6_tcp_buf(r6, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r12, 0xc02064b6, &(0x7f0000000780)={0x0, <r15=>0x0, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
ioctl$DRM_IOCTL_MODE_GETCRTC(r14, 0xc06864a1, &(0x7f00000007c0)={&(0x7f0000000700)=[0x0, 0x0], 0x2, r15})
r16 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000880), r8)
sendmsg$TIPC_NL_LINK_GET(r10, &(0x7f0000000d80)={&(0x7f0000000840)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000d40)={&(0x7f00000008c0)={0x450, r16, 0x400, 0x70bd2c, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0xc4, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x273e, @private0={0xfc, 0x0, '\x00', 0x1}, 0x6}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x1a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e23, 0xd, @mcast1, 0xf11}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x8, @private1, 0x44a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x1a}}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x2, @rand_addr=' \x01\x00', 0x1}}}}]}, @TIPC_NLA_NODE={0x30, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_ID={0x27, 0x3, "cc54958aa755767c3f2ab96ae101abd0927da73f7c0cb9e7f6375775283c901b5998d2"}, @TIPC_NLA_NODE_KEY_MASTER={0x4}]}, @TIPC_NLA_LINK={0xb0, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xc447}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}]}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x9}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0xfffffff7}]}, @TIPC_NLA_BEARER={0x124, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xe, 0x1, @l2={'eth', 0x3a, 'bond0\x00'}}, @TIPC_NLA_BEARER_PROP={0x4c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xffffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5c}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}]}, @TIPC_NLA_BEARER_PROP={0x4}, @TIPC_NLA_BEARER_NAME={0x11, 0x1, @l2={'eth', 0x3a, 'macvtap0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @private=0xa010101}}, {0x14, 0x2, @in={0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_NAME={0x9, 0x1, @l2={'eth', 0x3a, '\x00'}}, @TIPC_NLA_BEARER_NAME={0xb, 0x1, @l2={'ib', 0x3a, 'wg0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e20, 0x5, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x5}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x8}}}}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}]}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x80000001}, @TIPC_NLA_PUBL_UPPER={0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x100}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x2}]}, @TIPC_NLA_NODE={0x40, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_KEY={0x3c, 0x4, {'gcm(aes)\x00', 0x14, "9ce95b022735c5acb2ad0d8c3c0409b045423c43"}}]}, @TIPC_NLA_BEARER={0xc0, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'ib', 0x3a, 'macvlan1\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x5}, @TIPC_NLA_BEARER_NAME={0x17, 0x1, @l2={'eth', 0x3a, 'bridge_slave_0\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x6}, @TIPC_NLA_BEARER_NAME={0x18, 0x1, @l2={'eth', 0x3a, 'veth1_to_batadv\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e20, @empty}}, {0x14, 0x2, @in={0x2, 0x4e24, @multicast2}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x2}}, {0x14, 0x2, @in={0x2, 0x4e21, @rand_addr=0x64010102}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3}]}, @TIPC_NLA_MON={0x2c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x7fff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x10001}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6dc}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x81}]}]}, 0x450}, 0x1, 0x0, 0x0, 0x40008c0}, 0x4004)
sendmsg$IPVS_CMD_SET_DEST(r4, &(0x7f0000000e80)={&(0x7f0000000dc0)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000e40)={&(0x7f0000000e00)={0x2c, 0x0, 0x400, 0x70bd28, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xe}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x5}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0)
ioctl$SG_GET_SG_TABLESIZE(r9, 0x227f, &(0x7f0000000ec0))
r17 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
getpeername$netrom(r17, &(0x7f0000000f00)={{0x3, @bcast}, [@null, @default, @rose, @netrom, @rose, @rose, @bcast, @null]}, &(0x7f0000000f80)=0x48)
r18 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001000), r7)
sendmsg$NL80211_CMD_START_SCHED_SCAN(r8, &(0x7f0000001140)={&(0x7f0000000fc0)={0x10, 0x0, 0x0, 0x80}, 0xc, &(0x7f0000001100)={&(0x7f0000001040)={0x94, r18, 0x10, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @val={0xc, 0x99, {0x2, 0x3c}}}}, [@NL80211_ATTR_SCAN_SSIDS={0x64, 0x2d, 0x0, 0x1, [{0x16, 0x0, @random="4fd0d69057c029cb497b596526718e357381"}, {0x1b, 0x0, @random="65c0712f5c610998bb932efeb4850b37eac32e4e1fa059"}, {0x1e, 0x0, @random="b8f04df244991af3939fe127fd9402e9e510b34f6511d2633661"}, {0xa, 0x0, @default_ap_ssid}]}, @NL80211_ATTR_BG_SCAN_PERIOD={0x6, 0x98, 0x8ad}, @NL80211_ATTR_SCHED_SCAN_DELAY={0x8, 0xdc, 0x9}]}, 0x94}, 0x1, 0x0, 0x0, 0x880}, 0xa0)
mkdirat$cgroup(r2, &(0x7f0000001180)='syz1\x00', 0x1ff)
r19 = openat$pfkey(0xffffffffffffff9c, &(0x7f00000011c0), 0x0, 0x0)
setsockopt$inet6_int(r5, 0x29, 0x10, &(0x7f0000001200)=0xfffffffa, 0x4)
r20 = openat$cgroup(r13, &(0x7f0000001240)='syz1\x00', 0x200002, 0x0)
openat$cgroup_subtree(r20, &(0x7f0000001280), 0x2, 0x0)
ioctl$DRM_IOCTL_PANTHOR_VM_CREATE(r2, 0xc0106441, &(0x7f00000012c0)={0x0, <r21=>0x0, 0x7})
ioctl$DRM_IOCTL_PANTHOR_VM_GET_STATE(r19, 0xc0086444, &(0x7f0000001300)={r21})
ioctl$DRM_IOCTL_IRQ_BUSID(r1, 0xc0106403, &(0x7f0000001340)={0x0, 0x8, 0x1, 0x9a24fe5})
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-ioctl$DRM_IOCTL_MODE_GETCRTC-syz_genetlink_get_family_id$tipc2-sendmsg$TIPC_NL_LINK_GET-sendmsg$IPVS_CMD_SET_DEST-ioctl$SG_GET_SG_TABLESIZE-syz_init_net_socket$netrom-getpeername$netrom-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_START_SCHED_SCAN-mkdirat$cgroup-openat$pfkey-setsockopt$inet6_int-openat$cgroup-openat$cgroup_subtree-ioctl$DRM_IOCTL_PANTHOR_VM_CREATE-ioctl$DRM_IOCTL_PANTHOR_VM_GET_STATE-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [<r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r6=>0xffffffffffffffff, <r7=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r8=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r9=>0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, <r10=>0xffffffffffffffff, <r11=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r12=>0xffffffffffffffff, <r13=>0xffffffffffffffff, <r14=>0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r11, &(0x7f0000000580)=0x5, r7, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r6, r0, 0x0)
setsockopt$inet6_tcp_buf(r6, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r12, 0xc02064b6, &(0x7f0000000780)={0x0, <r15=>0x0, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
ioctl$DRM_IOCTL_MODE_GETCRTC(r14, 0xc06864a1, &(0x7f00000007c0)={&(0x7f0000000700)=[0x0, 0x0], 0x2, r15})
r16 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000880), r8)
sendmsg$TIPC_NL_LINK_GET(r10, &(0x7f0000000d80)={&(0x7f0000000840)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000d40)={&(0x7f00000008c0)={0x450, r16, 0x400, 0x70bd2c, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0xc4, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x273e, @private0={0xfc, 0x0, '\x00', 0x1}, 0x6}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x1a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e23, 0xd, @mcast1, 0xf11}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x8, @private1, 0x44a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x1a}}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x2, @rand_addr=' \x01\x00', 0x1}}}}]}, @TIPC_NLA_NODE={0x30, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_ID={0x27, 0x3, "cc54958aa755767c3f2ab96ae101abd0927da73f7c0cb9e7f6375775283c901b5998d2"}, @TIPC_NLA_NODE_KEY_MASTER={0x4}]}, @TIPC_NLA_LINK={0xb0, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xc447}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}]}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x9}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0xfffffff7}]}, @TIPC_NLA_BEARER={0x124, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xe, 0x1, @l2={'eth', 0x3a, 'bond0\x00'}}, @TIPC_NLA_BEARER_PROP={0x4c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xffffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5c}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}]}, @TIPC_NLA_BEARER_PROP={0x4}, @TIPC_NLA_BEARER_NAME={0x11, 0x1, @l2={'eth', 0x3a, 'macvtap0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @private=0xa010101}}, {0x14, 0x2, @in={0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_NAME={0x9, 0x1, @l2={'eth', 0x3a, '\x00'}}, @TIPC_NLA_BEARER_NAME={0xb, 0x1, @l2={'ib', 0x3a, 'wg0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e20, 0x5, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x5}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x8}}}}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}]}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x80000001}, @TIPC_NLA_PUBL_UPPER={0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x100}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x2}]}, @TIPC_NLA_NODE={0x40, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_KEY={0x3c, 0x4, {'gcm(aes)\x00', 0x14, "9ce95b022735c5acb2ad0d8c3c0409b045423c43"}}]}, @TIPC_NLA_BEARER={0xc0, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'ib', 0x3a, 'macvlan1\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x5}, @TIPC_NLA_BEARER_NAME={0x17, 0x1, @l2={'eth', 0x3a, 'bridge_slave_0\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x6}, @TIPC_NLA_BEARER_NAME={0x18, 0x1, @l2={'eth', 0x3a, 'veth1_to_batadv\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e20, @empty}}, {0x14, 0x2, @in={0x2, 0x4e24, @multicast2}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x2}}, {0x14, 0x2, @in={0x2, 0x4e21, @rand_addr=0x64010102}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3}]}, @TIPC_NLA_MON={0x2c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x7fff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x10001}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6dc}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x81}]}]}, 0x450}, 0x1, 0x0, 0x0, 0x40008c0}, 0x4004)
sendmsg$IPVS_CMD_SET_DEST(r4, &(0x7f0000000e80)={&(0x7f0000000dc0)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000e40)={&(0x7f0000000e00)={0x2c, 0x0, 0x400, 0x70bd28, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xe}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x5}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0)
ioctl$SG_GET_SG_TABLESIZE(r9, 0x227f, &(0x7f0000000ec0))
r17 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
getpeername$netrom(r17, &(0x7f0000000f00)={{0x3, @bcast}, [@null, @default, @rose, @netrom, @rose, @rose, @bcast, @null]}, &(0x7f0000000f80)=0x48)
r18 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001000), r7)
sendmsg$NL80211_CMD_START_SCHED_SCAN(r8, &(0x7f0000001140)={&(0x7f0000000fc0)={0x10, 0x0, 0x0, 0x80}, 0xc, &(0x7f0000001100)={&(0x7f0000001040)={0x94, r18, 0x10, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @val={0xc, 0x99, {0x2, 0x3c}}}}, [@NL80211_ATTR_SCAN_SSIDS={0x64, 0x2d, 0x0, 0x1, [{0x16, 0x0, @random="4fd0d69057c029cb497b596526718e357381"}, {0x1b, 0x0, @random="65c0712f5c610998bb932efeb4850b37eac32e4e1fa059"}, {0x1e, 0x0, @random="b8f04df244991af3939fe127fd9402e9e510b34f6511d2633661"}, {0xa, 0x0, @default_ap_ssid}]}, @NL80211_ATTR_BG_SCAN_PERIOD={0x6, 0x98, 0x8ad}, @NL80211_ATTR_SCHED_SCAN_DELAY={0x8, 0xdc, 0x9}]}, 0x94}, 0x1, 0x0, 0x0, 0x880}, 0xa0)
mkdirat$cgroup(r2, &(0x7f0000001180)='syz1\x00', 0x1ff)
r19 = openat$pfkey(0xffffffffffffff9c, &(0x7f00000011c0), 0x0, 0x0)
setsockopt$inet6_int(r5, 0x29, 0x10, &(0x7f0000001200)=0xfffffffa, 0x4)
r20 = openat$cgroup(r13, &(0x7f0000001240)='syz1\x00', 0x200002, 0x0)
openat$cgroup_subtree(r20, &(0x7f0000001280), 0x2, 0x0)
ioctl$DRM_IOCTL_PANTHOR_VM_CREATE(r2, 0xc0106441, &(0x7f00000012c0)={0x0, <r21=>0x0, 0x7})
ioctl$DRM_IOCTL_PANTHOR_VM_GET_STATE(r19, 0xc0086444, &(0x7f0000001300)={r21})
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-ioctl$DRM_IOCTL_MODE_GETCRTC-syz_genetlink_get_family_id$tipc2-sendmsg$TIPC_NL_LINK_GET-sendmsg$IPVS_CMD_SET_DEST-ioctl$SG_GET_SG_TABLESIZE-syz_init_net_socket$netrom-getpeername$netrom-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_START_SCHED_SCAN-mkdirat$cgroup-openat$pfkey-setsockopt$inet6_int-openat$cgroup-openat$cgroup_subtree-ioctl$DRM_IOCTL_PANTHOR_VM_CREATE-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [<r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r6=>0xffffffffffffffff, <r7=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r8=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r9=>0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, <r10=>0xffffffffffffffff, <r11=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r12=>0xffffffffffffffff, <r13=>0xffffffffffffffff, <r14=>0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r11, &(0x7f0000000580)=0x5, r7, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r6, r0, 0x0)
setsockopt$inet6_tcp_buf(r6, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r12, 0xc02064b6, &(0x7f0000000780)={0x0, <r15=>0x0, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
ioctl$DRM_IOCTL_MODE_GETCRTC(r14, 0xc06864a1, &(0x7f00000007c0)={&(0x7f0000000700)=[0x0, 0x0], 0x2, r15})
r16 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000880), r8)
sendmsg$TIPC_NL_LINK_GET(r10, &(0x7f0000000d80)={&(0x7f0000000840)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000d40)={&(0x7f00000008c0)={0x450, r16, 0x400, 0x70bd2c, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0xc4, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x273e, @private0={0xfc, 0x0, '\x00', 0x1}, 0x6}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x1a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e23, 0xd, @mcast1, 0xf11}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x8, @private1, 0x44a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x1a}}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x2, @rand_addr=' \x01\x00', 0x1}}}}]}, @TIPC_NLA_NODE={0x30, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_ID={0x27, 0x3, "cc54958aa755767c3f2ab96ae101abd0927da73f7c0cb9e7f6375775283c901b5998d2"}, @TIPC_NLA_NODE_KEY_MASTER={0x4}]}, @TIPC_NLA_LINK={0xb0, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xc447}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}]}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x9}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0xfffffff7}]}, @TIPC_NLA_BEARER={0x124, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xe, 0x1, @l2={'eth', 0x3a, 'bond0\x00'}}, @TIPC_NLA_BEARER_PROP={0x4c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xffffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5c}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}]}, @TIPC_NLA_BEARER_PROP={0x4}, @TIPC_NLA_BEARER_NAME={0x11, 0x1, @l2={'eth', 0x3a, 'macvtap0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @private=0xa010101}}, {0x14, 0x2, @in={0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_NAME={0x9, 0x1, @l2={'eth', 0x3a, '\x00'}}, @TIPC_NLA_BEARER_NAME={0xb, 0x1, @l2={'ib', 0x3a, 'wg0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e20, 0x5, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x5}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x8}}}}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}]}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x80000001}, @TIPC_NLA_PUBL_UPPER={0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x100}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x2}]}, @TIPC_NLA_NODE={0x40, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_KEY={0x3c, 0x4, {'gcm(aes)\x00', 0x14, "9ce95b022735c5acb2ad0d8c3c0409b045423c43"}}]}, @TIPC_NLA_BEARER={0xc0, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'ib', 0x3a, 'macvlan1\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x5}, @TIPC_NLA_BEARER_NAME={0x17, 0x1, @l2={'eth', 0x3a, 'bridge_slave_0\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x6}, @TIPC_NLA_BEARER_NAME={0x18, 0x1, @l2={'eth', 0x3a, 'veth1_to_batadv\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e20, @empty}}, {0x14, 0x2, @in={0x2, 0x4e24, @multicast2}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x2}}, {0x14, 0x2, @in={0x2, 0x4e21, @rand_addr=0x64010102}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3}]}, @TIPC_NLA_MON={0x2c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x7fff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x10001}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6dc}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x81}]}]}, 0x450}, 0x1, 0x0, 0x0, 0x40008c0}, 0x4004)
sendmsg$IPVS_CMD_SET_DEST(r4, &(0x7f0000000e80)={&(0x7f0000000dc0)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000e40)={&(0x7f0000000e00)={0x2c, 0x0, 0x400, 0x70bd28, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xe}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x5}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0)
ioctl$SG_GET_SG_TABLESIZE(r9, 0x227f, &(0x7f0000000ec0))
r17 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
getpeername$netrom(r17, &(0x7f0000000f00)={{0x3, @bcast}, [@null, @default, @rose, @netrom, @rose, @rose, @bcast, @null]}, &(0x7f0000000f80)=0x48)
r18 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001000), r7)
sendmsg$NL80211_CMD_START_SCHED_SCAN(r8, &(0x7f0000001140)={&(0x7f0000000fc0)={0x10, 0x0, 0x0, 0x80}, 0xc, &(0x7f0000001100)={&(0x7f0000001040)={0x94, r18, 0x10, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @val={0xc, 0x99, {0x2, 0x3c}}}}, [@NL80211_ATTR_SCAN_SSIDS={0x64, 0x2d, 0x0, 0x1, [{0x16, 0x0, @random="4fd0d69057c029cb497b596526718e357381"}, {0x1b, 0x0, @random="65c0712f5c610998bb932efeb4850b37eac32e4e1fa059"}, {0x1e, 0x0, @random="b8f04df244991af3939fe127fd9402e9e510b34f6511d2633661"}, {0xa, 0x0, @default_ap_ssid}]}, @NL80211_ATTR_BG_SCAN_PERIOD={0x6, 0x98, 0x8ad}, @NL80211_ATTR_SCHED_SCAN_DELAY={0x8, 0xdc, 0x9}]}, 0x94}, 0x1, 0x0, 0x0, 0x880}, 0xa0)
mkdirat$cgroup(r2, &(0x7f0000001180)='syz1\x00', 0x1ff)
openat$pfkey(0xffffffffffffff9c, &(0x7f00000011c0), 0x0, 0x0)
setsockopt$inet6_int(r5, 0x29, 0x10, &(0x7f0000001200)=0xfffffffa, 0x4)
r19 = openat$cgroup(r13, &(0x7f0000001240)='syz1\x00', 0x200002, 0x0)
openat$cgroup_subtree(r19, &(0x7f0000001280), 0x2, 0x0)
ioctl$DRM_IOCTL_PANTHOR_VM_CREATE(r2, 0xc0106441, &(0x7f00000012c0)={0x0, 0x0, 0x7})
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-ioctl$DRM_IOCTL_MODE_GETCRTC-syz_genetlink_get_family_id$tipc2-sendmsg$TIPC_NL_LINK_GET-sendmsg$IPVS_CMD_SET_DEST-ioctl$SG_GET_SG_TABLESIZE-syz_init_net_socket$netrom-getpeername$netrom-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_START_SCHED_SCAN-mkdirat$cgroup-openat$pfkey-setsockopt$inet6_int-openat$cgroup-openat$cgroup_subtree-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [<r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r6=>0xffffffffffffffff, <r7=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r8=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r9=>0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, <r10=>0xffffffffffffffff, <r11=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r12=>0xffffffffffffffff, <r13=>0xffffffffffffffff, <r14=>0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r11, &(0x7f0000000580)=0x5, r7, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r6, r0, 0x0)
setsockopt$inet6_tcp_buf(r6, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r12, 0xc02064b6, &(0x7f0000000780)={0x0, <r15=>0x0, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
ioctl$DRM_IOCTL_MODE_GETCRTC(r14, 0xc06864a1, &(0x7f00000007c0)={&(0x7f0000000700)=[0x0, 0x0], 0x2, r15})
r16 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000880), r8)
sendmsg$TIPC_NL_LINK_GET(r10, &(0x7f0000000d80)={&(0x7f0000000840)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000d40)={&(0x7f00000008c0)={0x450, r16, 0x400, 0x70bd2c, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0xc4, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x273e, @private0={0xfc, 0x0, '\x00', 0x1}, 0x6}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x1a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e23, 0xd, @mcast1, 0xf11}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x8, @private1, 0x44a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x1a}}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x2, @rand_addr=' \x01\x00', 0x1}}}}]}, @TIPC_NLA_NODE={0x30, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_ID={0x27, 0x3, "cc54958aa755767c3f2ab96ae101abd0927da73f7c0cb9e7f6375775283c901b5998d2"}, @TIPC_NLA_NODE_KEY_MASTER={0x4}]}, @TIPC_NLA_LINK={0xb0, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xc447}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}]}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x9}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0xfffffff7}]}, @TIPC_NLA_BEARER={0x124, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xe, 0x1, @l2={'eth', 0x3a, 'bond0\x00'}}, @TIPC_NLA_BEARER_PROP={0x4c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xffffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5c}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}]}, @TIPC_NLA_BEARER_PROP={0x4}, @TIPC_NLA_BEARER_NAME={0x11, 0x1, @l2={'eth', 0x3a, 'macvtap0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @private=0xa010101}}, {0x14, 0x2, @in={0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_NAME={0x9, 0x1, @l2={'eth', 0x3a, '\x00'}}, @TIPC_NLA_BEARER_NAME={0xb, 0x1, @l2={'ib', 0x3a, 'wg0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e20, 0x5, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x5}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x8}}}}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}]}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x80000001}, @TIPC_NLA_PUBL_UPPER={0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x100}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x2}]}, @TIPC_NLA_NODE={0x40, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_KEY={0x3c, 0x4, {'gcm(aes)\x00', 0x14, "9ce95b022735c5acb2ad0d8c3c0409b045423c43"}}]}, @TIPC_NLA_BEARER={0xc0, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'ib', 0x3a, 'macvlan1\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x5}, @TIPC_NLA_BEARER_NAME={0x17, 0x1, @l2={'eth', 0x3a, 'bridge_slave_0\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x6}, @TIPC_NLA_BEARER_NAME={0x18, 0x1, @l2={'eth', 0x3a, 'veth1_to_batadv\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e20, @empty}}, {0x14, 0x2, @in={0x2, 0x4e24, @multicast2}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x2}}, {0x14, 0x2, @in={0x2, 0x4e21, @rand_addr=0x64010102}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3}]}, @TIPC_NLA_MON={0x2c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x7fff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x10001}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6dc}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x81}]}]}, 0x450}, 0x1, 0x0, 0x0, 0x40008c0}, 0x4004)
sendmsg$IPVS_CMD_SET_DEST(r4, &(0x7f0000000e80)={&(0x7f0000000dc0)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000e40)={&(0x7f0000000e00)={0x2c, 0x0, 0x400, 0x70bd28, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xe}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x5}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0)
ioctl$SG_GET_SG_TABLESIZE(r9, 0x227f, &(0x7f0000000ec0))
r17 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
getpeername$netrom(r17, &(0x7f0000000f00)={{0x3, @bcast}, [@null, @default, @rose, @netrom, @rose, @rose, @bcast, @null]}, &(0x7f0000000f80)=0x48)
r18 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001000), r7)
sendmsg$NL80211_CMD_START_SCHED_SCAN(r8, &(0x7f0000001140)={&(0x7f0000000fc0)={0x10, 0x0, 0x0, 0x80}, 0xc, &(0x7f0000001100)={&(0x7f0000001040)={0x94, r18, 0x10, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @val={0xc, 0x99, {0x2, 0x3c}}}}, [@NL80211_ATTR_SCAN_SSIDS={0x64, 0x2d, 0x0, 0x1, [{0x16, 0x0, @random="4fd0d69057c029cb497b596526718e357381"}, {0x1b, 0x0, @random="65c0712f5c610998bb932efeb4850b37eac32e4e1fa059"}, {0x1e, 0x0, @random="b8f04df244991af3939fe127fd9402e9e510b34f6511d2633661"}, {0xa, 0x0, @default_ap_ssid}]}, @NL80211_ATTR_BG_SCAN_PERIOD={0x6, 0x98, 0x8ad}, @NL80211_ATTR_SCHED_SCAN_DELAY={0x8, 0xdc, 0x9}]}, 0x94}, 0x1, 0x0, 0x0, 0x880}, 0xa0)
mkdirat$cgroup(r2, &(0x7f0000001180)='syz1\x00', 0x1ff)
openat$pfkey(0xffffffffffffff9c, &(0x7f00000011c0), 0x0, 0x0)
setsockopt$inet6_int(r5, 0x29, 0x10, &(0x7f0000001200)=0xfffffffa, 0x4)
r19 = openat$cgroup(r13, &(0x7f0000001240)='syz1\x00', 0x200002, 0x0)
openat$cgroup_subtree(r19, &(0x7f0000001280), 0x2, 0x0)
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-ioctl$DRM_IOCTL_MODE_GETCRTC-syz_genetlink_get_family_id$tipc2-sendmsg$TIPC_NL_LINK_GET-sendmsg$IPVS_CMD_SET_DEST-ioctl$SG_GET_SG_TABLESIZE-syz_init_net_socket$netrom-getpeername$netrom-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_START_SCHED_SCAN-mkdirat$cgroup-openat$pfkey-setsockopt$inet6_int-openat$cgroup-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [<r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r6=>0xffffffffffffffff, <r7=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r8=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r9=>0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, <r10=>0xffffffffffffffff, <r11=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r12=>0xffffffffffffffff, <r13=>0xffffffffffffffff, <r14=>0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r11, &(0x7f0000000580)=0x5, r7, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r6, r0, 0x0)
setsockopt$inet6_tcp_buf(r6, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r12, 0xc02064b6, &(0x7f0000000780)={0x0, <r15=>0x0, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
ioctl$DRM_IOCTL_MODE_GETCRTC(r14, 0xc06864a1, &(0x7f00000007c0)={&(0x7f0000000700)=[0x0, 0x0], 0x2, r15})
r16 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000880), r8)
sendmsg$TIPC_NL_LINK_GET(r10, &(0x7f0000000d80)={&(0x7f0000000840)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000d40)={&(0x7f00000008c0)={0x450, r16, 0x400, 0x70bd2c, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0xc4, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x273e, @private0={0xfc, 0x0, '\x00', 0x1}, 0x6}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x1a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e23, 0xd, @mcast1, 0xf11}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x8, @private1, 0x44a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x1a}}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x2, @rand_addr=' \x01\x00', 0x1}}}}]}, @TIPC_NLA_NODE={0x30, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_ID={0x27, 0x3, "cc54958aa755767c3f2ab96ae101abd0927da73f7c0cb9e7f6375775283c901b5998d2"}, @TIPC_NLA_NODE_KEY_MASTER={0x4}]}, @TIPC_NLA_LINK={0xb0, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xc447}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}]}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x9}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0xfffffff7}]}, @TIPC_NLA_BEARER={0x124, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xe, 0x1, @l2={'eth', 0x3a, 'bond0\x00'}}, @TIPC_NLA_BEARER_PROP={0x4c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xffffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5c}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}]}, @TIPC_NLA_BEARER_PROP={0x4}, @TIPC_NLA_BEARER_NAME={0x11, 0x1, @l2={'eth', 0x3a, 'macvtap0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @private=0xa010101}}, {0x14, 0x2, @in={0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_NAME={0x9, 0x1, @l2={'eth', 0x3a, '\x00'}}, @TIPC_NLA_BEARER_NAME={0xb, 0x1, @l2={'ib', 0x3a, 'wg0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e20, 0x5, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x5}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x8}}}}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}]}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x80000001}, @TIPC_NLA_PUBL_UPPER={0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x100}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x2}]}, @TIPC_NLA_NODE={0x40, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_KEY={0x3c, 0x4, {'gcm(aes)\x00', 0x14, "9ce95b022735c5acb2ad0d8c3c0409b045423c43"}}]}, @TIPC_NLA_BEARER={0xc0, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'ib', 0x3a, 'macvlan1\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x5}, @TIPC_NLA_BEARER_NAME={0x17, 0x1, @l2={'eth', 0x3a, 'bridge_slave_0\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x6}, @TIPC_NLA_BEARER_NAME={0x18, 0x1, @l2={'eth', 0x3a, 'veth1_to_batadv\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e20, @empty}}, {0x14, 0x2, @in={0x2, 0x4e24, @multicast2}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x2}}, {0x14, 0x2, @in={0x2, 0x4e21, @rand_addr=0x64010102}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3}]}, @TIPC_NLA_MON={0x2c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x7fff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x10001}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6dc}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x81}]}]}, 0x450}, 0x1, 0x0, 0x0, 0x40008c0}, 0x4004)
sendmsg$IPVS_CMD_SET_DEST(r4, &(0x7f0000000e80)={&(0x7f0000000dc0)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000e40)={&(0x7f0000000e00)={0x2c, 0x0, 0x400, 0x70bd28, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xe}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x5}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0)
ioctl$SG_GET_SG_TABLESIZE(r9, 0x227f, &(0x7f0000000ec0))
r17 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
getpeername$netrom(r17, &(0x7f0000000f00)={{0x3, @bcast}, [@null, @default, @rose, @netrom, @rose, @rose, @bcast, @null]}, &(0x7f0000000f80)=0x48)
r18 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001000), r7)
sendmsg$NL80211_CMD_START_SCHED_SCAN(r8, &(0x7f0000001140)={&(0x7f0000000fc0)={0x10, 0x0, 0x0, 0x80}, 0xc, &(0x7f0000001100)={&(0x7f0000001040)={0x94, r18, 0x10, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @val={0xc, 0x99, {0x2, 0x3c}}}}, [@NL80211_ATTR_SCAN_SSIDS={0x64, 0x2d, 0x0, 0x1, [{0x16, 0x0, @random="4fd0d69057c029cb497b596526718e357381"}, {0x1b, 0x0, @random="65c0712f5c610998bb932efeb4850b37eac32e4e1fa059"}, {0x1e, 0x0, @random="b8f04df244991af3939fe127fd9402e9e510b34f6511d2633661"}, {0xa, 0x0, @default_ap_ssid}]}, @NL80211_ATTR_BG_SCAN_PERIOD={0x6, 0x98, 0x8ad}, @NL80211_ATTR_SCHED_SCAN_DELAY={0x8, 0xdc, 0x9}]}, 0x94}, 0x1, 0x0, 0x0, 0x880}, 0xa0)
mkdirat$cgroup(r2, &(0x7f0000001180)='syz1\x00', 0x1ff)
openat$pfkey(0xffffffffffffff9c, &(0x7f00000011c0), 0x0, 0x0)
setsockopt$inet6_int(r5, 0x29, 0x10, &(0x7f0000001200)=0xfffffffa, 0x4)
openat$cgroup(r13, &(0x7f0000001240)='syz1\x00', 0x200002, 0x0)
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-ioctl$DRM_IOCTL_MODE_GETCRTC-syz_genetlink_get_family_id$tipc2-sendmsg$TIPC_NL_LINK_GET-sendmsg$IPVS_CMD_SET_DEST-ioctl$SG_GET_SG_TABLESIZE-syz_init_net_socket$netrom-getpeername$netrom-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_START_SCHED_SCAN-mkdirat$cgroup-openat$pfkey-setsockopt$inet6_int-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [<r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r6=>0xffffffffffffffff, <r7=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r8=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r9=>0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, <r10=>0xffffffffffffffff, <r11=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r12=>0xffffffffffffffff, 0xffffffffffffffff, <r13=>0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r11, &(0x7f0000000580)=0x5, r7, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r6, r0, 0x0)
setsockopt$inet6_tcp_buf(r6, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r12, 0xc02064b6, &(0x7f0000000780)={0x0, <r14=>0x0, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
ioctl$DRM_IOCTL_MODE_GETCRTC(r13, 0xc06864a1, &(0x7f00000007c0)={&(0x7f0000000700)=[0x0, 0x0], 0x2, r14})
r15 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000880), r8)
sendmsg$TIPC_NL_LINK_GET(r10, &(0x7f0000000d80)={&(0x7f0000000840)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000d40)={&(0x7f00000008c0)={0x450, r15, 0x400, 0x70bd2c, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0xc4, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x273e, @private0={0xfc, 0x0, '\x00', 0x1}, 0x6}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x1a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e23, 0xd, @mcast1, 0xf11}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x8, @private1, 0x44a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x1a}}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x2, @rand_addr=' \x01\x00', 0x1}}}}]}, @TIPC_NLA_NODE={0x30, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_ID={0x27, 0x3, "cc54958aa755767c3f2ab96ae101abd0927da73f7c0cb9e7f6375775283c901b5998d2"}, @TIPC_NLA_NODE_KEY_MASTER={0x4}]}, @TIPC_NLA_LINK={0xb0, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xc447}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}]}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x9}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0xfffffff7}]}, @TIPC_NLA_BEARER={0x124, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xe, 0x1, @l2={'eth', 0x3a, 'bond0\x00'}}, @TIPC_NLA_BEARER_PROP={0x4c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xffffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5c}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}]}, @TIPC_NLA_BEARER_PROP={0x4}, @TIPC_NLA_BEARER_NAME={0x11, 0x1, @l2={'eth', 0x3a, 'macvtap0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @private=0xa010101}}, {0x14, 0x2, @in={0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_NAME={0x9, 0x1, @l2={'eth', 0x3a, '\x00'}}, @TIPC_NLA_BEARER_NAME={0xb, 0x1, @l2={'ib', 0x3a, 'wg0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e20, 0x5, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x5}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x8}}}}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}]}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x80000001}, @TIPC_NLA_PUBL_UPPER={0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x100}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x2}]}, @TIPC_NLA_NODE={0x40, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_KEY={0x3c, 0x4, {'gcm(aes)\x00', 0x14, "9ce95b022735c5acb2ad0d8c3c0409b045423c43"}}]}, @TIPC_NLA_BEARER={0xc0, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'ib', 0x3a, 'macvlan1\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x5}, @TIPC_NLA_BEARER_NAME={0x17, 0x1, @l2={'eth', 0x3a, 'bridge_slave_0\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x6}, @TIPC_NLA_BEARER_NAME={0x18, 0x1, @l2={'eth', 0x3a, 'veth1_to_batadv\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e20, @empty}}, {0x14, 0x2, @in={0x2, 0x4e24, @multicast2}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x2}}, {0x14, 0x2, @in={0x2, 0x4e21, @rand_addr=0x64010102}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3}]}, @TIPC_NLA_MON={0x2c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x7fff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x10001}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6dc}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x81}]}]}, 0x450}, 0x1, 0x0, 0x0, 0x40008c0}, 0x4004)
sendmsg$IPVS_CMD_SET_DEST(r4, &(0x7f0000000e80)={&(0x7f0000000dc0)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000e40)={&(0x7f0000000e00)={0x2c, 0x0, 0x400, 0x70bd28, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xe}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x5}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0)
ioctl$SG_GET_SG_TABLESIZE(r9, 0x227f, &(0x7f0000000ec0))
r16 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
getpeername$netrom(r16, &(0x7f0000000f00)={{0x3, @bcast}, [@null, @default, @rose, @netrom, @rose, @rose, @bcast, @null]}, &(0x7f0000000f80)=0x48)
r17 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001000), r7)
sendmsg$NL80211_CMD_START_SCHED_SCAN(r8, &(0x7f0000001140)={&(0x7f0000000fc0)={0x10, 0x0, 0x0, 0x80}, 0xc, &(0x7f0000001100)={&(0x7f0000001040)={0x94, r17, 0x10, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @val={0xc, 0x99, {0x2, 0x3c}}}}, [@NL80211_ATTR_SCAN_SSIDS={0x64, 0x2d, 0x0, 0x1, [{0x16, 0x0, @random="4fd0d69057c029cb497b596526718e357381"}, {0x1b, 0x0, @random="65c0712f5c610998bb932efeb4850b37eac32e4e1fa059"}, {0x1e, 0x0, @random="b8f04df244991af3939fe127fd9402e9e510b34f6511d2633661"}, {0xa, 0x0, @default_ap_ssid}]}, @NL80211_ATTR_BG_SCAN_PERIOD={0x6, 0x98, 0x8ad}, @NL80211_ATTR_SCHED_SCAN_DELAY={0x8, 0xdc, 0x9}]}, 0x94}, 0x1, 0x0, 0x0, 0x880}, 0xa0)
mkdirat$cgroup(r2, &(0x7f0000001180)='syz1\x00', 0x1ff)
openat$pfkey(0xffffffffffffff9c, &(0x7f00000011c0), 0x0, 0x0)
setsockopt$inet6_int(r5, 0x29, 0x10, &(0x7f0000001200)=0xfffffffa, 0x4)
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-ioctl$DRM_IOCTL_MODE_GETCRTC-syz_genetlink_get_family_id$tipc2-sendmsg$TIPC_NL_LINK_GET-sendmsg$IPVS_CMD_SET_DEST-ioctl$SG_GET_SG_TABLESIZE-syz_init_net_socket$netrom-getpeername$netrom-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_START_SCHED_SCAN-mkdirat$cgroup-openat$pfkey-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [<r4=>0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r5=>0xffffffffffffffff, <r6=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r7=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r8=>0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, <r9=>0xffffffffffffffff, <r10=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r11=>0xffffffffffffffff, 0xffffffffffffffff, <r12=>0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r10, &(0x7f0000000580)=0x5, r6, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r5, r0, 0x0)
setsockopt$inet6_tcp_buf(r5, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r11, 0xc02064b6, &(0x7f0000000780)={0x0, <r13=>0x0, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
ioctl$DRM_IOCTL_MODE_GETCRTC(r12, 0xc06864a1, &(0x7f00000007c0)={&(0x7f0000000700)=[0x0, 0x0], 0x2, r13})
r14 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000880), r7)
sendmsg$TIPC_NL_LINK_GET(r9, &(0x7f0000000d80)={&(0x7f0000000840)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000d40)={&(0x7f00000008c0)={0x450, r14, 0x400, 0x70bd2c, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0xc4, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x273e, @private0={0xfc, 0x0, '\x00', 0x1}, 0x6}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x1a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e23, 0xd, @mcast1, 0xf11}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x8, @private1, 0x44a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x1a}}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x2, @rand_addr=' \x01\x00', 0x1}}}}]}, @TIPC_NLA_NODE={0x30, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_ID={0x27, 0x3, "cc54958aa755767c3f2ab96ae101abd0927da73f7c0cb9e7f6375775283c901b5998d2"}, @TIPC_NLA_NODE_KEY_MASTER={0x4}]}, @TIPC_NLA_LINK={0xb0, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xc447}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}]}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x9}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0xfffffff7}]}, @TIPC_NLA_BEARER={0x124, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xe, 0x1, @l2={'eth', 0x3a, 'bond0\x00'}}, @TIPC_NLA_BEARER_PROP={0x4c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xffffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5c}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}]}, @TIPC_NLA_BEARER_PROP={0x4}, @TIPC_NLA_BEARER_NAME={0x11, 0x1, @l2={'eth', 0x3a, 'macvtap0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @private=0xa010101}}, {0x14, 0x2, @in={0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_NAME={0x9, 0x1, @l2={'eth', 0x3a, '\x00'}}, @TIPC_NLA_BEARER_NAME={0xb, 0x1, @l2={'ib', 0x3a, 'wg0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e20, 0x5, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x5}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x8}}}}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}]}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x80000001}, @TIPC_NLA_PUBL_UPPER={0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x100}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x2}]}, @TIPC_NLA_NODE={0x40, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_KEY={0x3c, 0x4, {'gcm(aes)\x00', 0x14, "9ce95b022735c5acb2ad0d8c3c0409b045423c43"}}]}, @TIPC_NLA_BEARER={0xc0, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'ib', 0x3a, 'macvlan1\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x5}, @TIPC_NLA_BEARER_NAME={0x17, 0x1, @l2={'eth', 0x3a, 'bridge_slave_0\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x6}, @TIPC_NLA_BEARER_NAME={0x18, 0x1, @l2={'eth', 0x3a, 'veth1_to_batadv\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e20, @empty}}, {0x14, 0x2, @in={0x2, 0x4e24, @multicast2}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x2}}, {0x14, 0x2, @in={0x2, 0x4e21, @rand_addr=0x64010102}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3}]}, @TIPC_NLA_MON={0x2c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x7fff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x10001}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6dc}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x81}]}]}, 0x450}, 0x1, 0x0, 0x0, 0x40008c0}, 0x4004)
sendmsg$IPVS_CMD_SET_DEST(r4, &(0x7f0000000e80)={&(0x7f0000000dc0)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000e40)={&(0x7f0000000e00)={0x2c, 0x0, 0x400, 0x70bd28, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xe}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x5}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0)
ioctl$SG_GET_SG_TABLESIZE(r8, 0x227f, &(0x7f0000000ec0))
r15 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
getpeername$netrom(r15, &(0x7f0000000f00)={{0x3, @bcast}, [@null, @default, @rose, @netrom, @rose, @rose, @bcast, @null]}, &(0x7f0000000f80)=0x48)
r16 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001000), r6)
sendmsg$NL80211_CMD_START_SCHED_SCAN(r7, &(0x7f0000001140)={&(0x7f0000000fc0)={0x10, 0x0, 0x0, 0x80}, 0xc, &(0x7f0000001100)={&(0x7f0000001040)={0x94, r16, 0x10, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @val={0xc, 0x99, {0x2, 0x3c}}}}, [@NL80211_ATTR_SCAN_SSIDS={0x64, 0x2d, 0x0, 0x1, [{0x16, 0x0, @random="4fd0d69057c029cb497b596526718e357381"}, {0x1b, 0x0, @random="65c0712f5c610998bb932efeb4850b37eac32e4e1fa059"}, {0x1e, 0x0, @random="b8f04df244991af3939fe127fd9402e9e510b34f6511d2633661"}, {0xa, 0x0, @default_ap_ssid}]}, @NL80211_ATTR_BG_SCAN_PERIOD={0x6, 0x98, 0x8ad}, @NL80211_ATTR_SCHED_SCAN_DELAY={0x8, 0xdc, 0x9}]}, 0x94}, 0x1, 0x0, 0x0, 0x880}, 0xa0)
mkdirat$cgroup(r2, &(0x7f0000001180)='syz1\x00', 0x1ff)
openat$pfkey(0xffffffffffffff9c, &(0x7f00000011c0), 0x0, 0x0)
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-ioctl$DRM_IOCTL_MODE_GETCRTC-syz_genetlink_get_family_id$tipc2-sendmsg$TIPC_NL_LINK_GET-sendmsg$IPVS_CMD_SET_DEST-ioctl$SG_GET_SG_TABLESIZE-syz_init_net_socket$netrom-getpeername$netrom-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_START_SCHED_SCAN-mkdirat$cgroup-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [<r4=>0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r5=>0xffffffffffffffff, <r6=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r7=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r8=>0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, <r9=>0xffffffffffffffff, <r10=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r11=>0xffffffffffffffff, 0xffffffffffffffff, <r12=>0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r10, &(0x7f0000000580)=0x5, r6, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r5, r0, 0x0)
setsockopt$inet6_tcp_buf(r5, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r11, 0xc02064b6, &(0x7f0000000780)={0x0, <r13=>0x0, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
ioctl$DRM_IOCTL_MODE_GETCRTC(r12, 0xc06864a1, &(0x7f00000007c0)={&(0x7f0000000700)=[0x0, 0x0], 0x2, r13})
r14 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000880), r7)
sendmsg$TIPC_NL_LINK_GET(r9, &(0x7f0000000d80)={&(0x7f0000000840)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000d40)={&(0x7f00000008c0)={0x450, r14, 0x400, 0x70bd2c, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0xc4, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x273e, @private0={0xfc, 0x0, '\x00', 0x1}, 0x6}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x1a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e23, 0xd, @mcast1, 0xf11}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x8, @private1, 0x44a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x1a}}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x2, @rand_addr=' \x01\x00', 0x1}}}}]}, @TIPC_NLA_NODE={0x30, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_ID={0x27, 0x3, "cc54958aa755767c3f2ab96ae101abd0927da73f7c0cb9e7f6375775283c901b5998d2"}, @TIPC_NLA_NODE_KEY_MASTER={0x4}]}, @TIPC_NLA_LINK={0xb0, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xc447}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}]}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x9}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0xfffffff7}]}, @TIPC_NLA_BEARER={0x124, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xe, 0x1, @l2={'eth', 0x3a, 'bond0\x00'}}, @TIPC_NLA_BEARER_PROP={0x4c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xffffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5c}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}]}, @TIPC_NLA_BEARER_PROP={0x4}, @TIPC_NLA_BEARER_NAME={0x11, 0x1, @l2={'eth', 0x3a, 'macvtap0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @private=0xa010101}}, {0x14, 0x2, @in={0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_NAME={0x9, 0x1, @l2={'eth', 0x3a, '\x00'}}, @TIPC_NLA_BEARER_NAME={0xb, 0x1, @l2={'ib', 0x3a, 'wg0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e20, 0x5, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x5}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x8}}}}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}]}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x80000001}, @TIPC_NLA_PUBL_UPPER={0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x100}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x2}]}, @TIPC_NLA_NODE={0x40, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_KEY={0x3c, 0x4, {'gcm(aes)\x00', 0x14, "9ce95b022735c5acb2ad0d8c3c0409b045423c43"}}]}, @TIPC_NLA_BEARER={0xc0, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'ib', 0x3a, 'macvlan1\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x5}, @TIPC_NLA_BEARER_NAME={0x17, 0x1, @l2={'eth', 0x3a, 'bridge_slave_0\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x6}, @TIPC_NLA_BEARER_NAME={0x18, 0x1, @l2={'eth', 0x3a, 'veth1_to_batadv\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e20, @empty}}, {0x14, 0x2, @in={0x2, 0x4e24, @multicast2}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x2}}, {0x14, 0x2, @in={0x2, 0x4e21, @rand_addr=0x64010102}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3}]}, @TIPC_NLA_MON={0x2c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x7fff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x10001}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6dc}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x81}]}]}, 0x450}, 0x1, 0x0, 0x0, 0x40008c0}, 0x4004)
sendmsg$IPVS_CMD_SET_DEST(r4, &(0x7f0000000e80)={&(0x7f0000000dc0)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000e40)={&(0x7f0000000e00)={0x2c, 0x0, 0x400, 0x70bd28, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xe}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x5}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0)
ioctl$SG_GET_SG_TABLESIZE(r8, 0x227f, &(0x7f0000000ec0))
r15 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
getpeername$netrom(r15, &(0x7f0000000f00)={{0x3, @bcast}, [@null, @default, @rose, @netrom, @rose, @rose, @bcast, @null]}, &(0x7f0000000f80)=0x48)
r16 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001000), r6)
sendmsg$NL80211_CMD_START_SCHED_SCAN(r7, &(0x7f0000001140)={&(0x7f0000000fc0)={0x10, 0x0, 0x0, 0x80}, 0xc, &(0x7f0000001100)={&(0x7f0000001040)={0x94, r16, 0x10, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @val={0xc, 0x99, {0x2, 0x3c}}}}, [@NL80211_ATTR_SCAN_SSIDS={0x64, 0x2d, 0x0, 0x1, [{0x16, 0x0, @random="4fd0d69057c029cb497b596526718e357381"}, {0x1b, 0x0, @random="65c0712f5c610998bb932efeb4850b37eac32e4e1fa059"}, {0x1e, 0x0, @random="b8f04df244991af3939fe127fd9402e9e510b34f6511d2633661"}, {0xa, 0x0, @default_ap_ssid}]}, @NL80211_ATTR_BG_SCAN_PERIOD={0x6, 0x98, 0x8ad}, @NL80211_ATTR_SCHED_SCAN_DELAY={0x8, 0xdc, 0x9}]}, 0x94}, 0x1, 0x0, 0x0, 0x880}, 0xa0)
mkdirat$cgroup(r2, &(0x7f0000001180)='syz1\x00', 0x1ff)
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-ioctl$DRM_IOCTL_MODE_GETCRTC-syz_genetlink_get_family_id$tipc2-sendmsg$TIPC_NL_LINK_GET-sendmsg$IPVS_CMD_SET_DEST-ioctl$SG_GET_SG_TABLESIZE-syz_init_net_socket$netrom-getpeername$netrom-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_START_SCHED_SCAN-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [<r4=>0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r5=>0xffffffffffffffff, <r6=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r7=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r8=>0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, <r9=>0xffffffffffffffff, <r10=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r11=>0xffffffffffffffff, 0xffffffffffffffff, <r12=>0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r10, &(0x7f0000000580)=0x5, r6, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r5, r0, 0x0)
setsockopt$inet6_tcp_buf(r5, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r11, 0xc02064b6, &(0x7f0000000780)={0x0, <r13=>0x0, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
ioctl$DRM_IOCTL_MODE_GETCRTC(r12, 0xc06864a1, &(0x7f00000007c0)={&(0x7f0000000700)=[0x0, 0x0], 0x2, r13})
r14 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000880), r7)
sendmsg$TIPC_NL_LINK_GET(r9, &(0x7f0000000d80)={&(0x7f0000000840)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000d40)={&(0x7f00000008c0)={0x450, r14, 0x400, 0x70bd2c, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0xc4, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x273e, @private0={0xfc, 0x0, '\x00', 0x1}, 0x6}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x1a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e23, 0xd, @mcast1, 0xf11}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x8, @private1, 0x44a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x1a}}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x2, @rand_addr=' \x01\x00', 0x1}}}}]}, @TIPC_NLA_NODE={0x30, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_ID={0x27, 0x3, "cc54958aa755767c3f2ab96ae101abd0927da73f7c0cb9e7f6375775283c901b5998d2"}, @TIPC_NLA_NODE_KEY_MASTER={0x4}]}, @TIPC_NLA_LINK={0xb0, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xc447}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}]}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x9}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0xfffffff7}]}, @TIPC_NLA_BEARER={0x124, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xe, 0x1, @l2={'eth', 0x3a, 'bond0\x00'}}, @TIPC_NLA_BEARER_PROP={0x4c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xffffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5c}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}]}, @TIPC_NLA_BEARER_PROP={0x4}, @TIPC_NLA_BEARER_NAME={0x11, 0x1, @l2={'eth', 0x3a, 'macvtap0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @private=0xa010101}}, {0x14, 0x2, @in={0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_NAME={0x9, 0x1, @l2={'eth', 0x3a, '\x00'}}, @TIPC_NLA_BEARER_NAME={0xb, 0x1, @l2={'ib', 0x3a, 'wg0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e20, 0x5, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x5}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x8}}}}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}]}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x80000001}, @TIPC_NLA_PUBL_UPPER={0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x100}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x2}]}, @TIPC_NLA_NODE={0x40, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_KEY={0x3c, 0x4, {'gcm(aes)\x00', 0x14, "9ce95b022735c5acb2ad0d8c3c0409b045423c43"}}]}, @TIPC_NLA_BEARER={0xc0, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'ib', 0x3a, 'macvlan1\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x5}, @TIPC_NLA_BEARER_NAME={0x17, 0x1, @l2={'eth', 0x3a, 'bridge_slave_0\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x6}, @TIPC_NLA_BEARER_NAME={0x18, 0x1, @l2={'eth', 0x3a, 'veth1_to_batadv\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e20, @empty}}, {0x14, 0x2, @in={0x2, 0x4e24, @multicast2}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x2}}, {0x14, 0x2, @in={0x2, 0x4e21, @rand_addr=0x64010102}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3}]}, @TIPC_NLA_MON={0x2c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x7fff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x10001}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6dc}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x81}]}]}, 0x450}, 0x1, 0x0, 0x0, 0x40008c0}, 0x4004)
sendmsg$IPVS_CMD_SET_DEST(r4, &(0x7f0000000e80)={&(0x7f0000000dc0)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000e40)={&(0x7f0000000e00)={0x2c, 0x0, 0x400, 0x70bd28, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xe}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x5}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0)
ioctl$SG_GET_SG_TABLESIZE(r8, 0x227f, &(0x7f0000000ec0))
r15 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
getpeername$netrom(r15, &(0x7f0000000f00)={{0x3, @bcast}, [@null, @default, @rose, @netrom, @rose, @rose, @bcast, @null]}, &(0x7f0000000f80)=0x48)
r16 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001000), r6)
sendmsg$NL80211_CMD_START_SCHED_SCAN(r7, &(0x7f0000001140)={&(0x7f0000000fc0)={0x10, 0x0, 0x0, 0x80}, 0xc, &(0x7f0000001100)={&(0x7f0000001040)={0x94, r16, 0x10, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @val={0xc, 0x99, {0x2, 0x3c}}}}, [@NL80211_ATTR_SCAN_SSIDS={0x64, 0x2d, 0x0, 0x1, [{0x16, 0x0, @random="4fd0d69057c029cb497b596526718e357381"}, {0x1b, 0x0, @random="65c0712f5c610998bb932efeb4850b37eac32e4e1fa059"}, {0x1e, 0x0, @random="b8f04df244991af3939fe127fd9402e9e510b34f6511d2633661"}, {0xa, 0x0, @default_ap_ssid}]}, @NL80211_ATTR_BG_SCAN_PERIOD={0x6, 0x98, 0x8ad}, @NL80211_ATTR_SCHED_SCAN_DELAY={0x8, 0xdc, 0x9}]}, 0x94}, 0x1, 0x0, 0x0, 0x880}, 0xa0)
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-ioctl$DRM_IOCTL_MODE_GETCRTC-syz_genetlink_get_family_id$tipc2-sendmsg$TIPC_NL_LINK_GET-sendmsg$IPVS_CMD_SET_DEST-ioctl$SG_GET_SG_TABLESIZE-syz_init_net_socket$netrom-getpeername$netrom-syz_genetlink_get_family_id$nl80211-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [<r4=>0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r5=>0xffffffffffffffff, <r6=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r7=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r8=>0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, <r9=>0xffffffffffffffff, <r10=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r11=>0xffffffffffffffff, 0xffffffffffffffff, <r12=>0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r10, &(0x7f0000000580)=0x5, r6, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r5, r0, 0x0)
setsockopt$inet6_tcp_buf(r5, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r11, 0xc02064b6, &(0x7f0000000780)={0x0, <r13=>0x0, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
ioctl$DRM_IOCTL_MODE_GETCRTC(r12, 0xc06864a1, &(0x7f00000007c0)={&(0x7f0000000700)=[0x0, 0x0], 0x2, r13})
r14 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000880), r7)
sendmsg$TIPC_NL_LINK_GET(r9, &(0x7f0000000d80)={&(0x7f0000000840)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000d40)={&(0x7f00000008c0)={0x450, r14, 0x400, 0x70bd2c, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0xc4, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x273e, @private0={0xfc, 0x0, '\x00', 0x1}, 0x6}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x1a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e23, 0xd, @mcast1, 0xf11}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x8, @private1, 0x44a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x1a}}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x2, @rand_addr=' \x01\x00', 0x1}}}}]}, @TIPC_NLA_NODE={0x30, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_ID={0x27, 0x3, "cc54958aa755767c3f2ab96ae101abd0927da73f7c0cb9e7f6375775283c901b5998d2"}, @TIPC_NLA_NODE_KEY_MASTER={0x4}]}, @TIPC_NLA_LINK={0xb0, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xc447}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}]}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x9}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0xfffffff7}]}, @TIPC_NLA_BEARER={0x124, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xe, 0x1, @l2={'eth', 0x3a, 'bond0\x00'}}, @TIPC_NLA_BEARER_PROP={0x4c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xffffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5c}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}]}, @TIPC_NLA_BEARER_PROP={0x4}, @TIPC_NLA_BEARER_NAME={0x11, 0x1, @l2={'eth', 0x3a, 'macvtap0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @private=0xa010101}}, {0x14, 0x2, @in={0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_NAME={0x9, 0x1, @l2={'eth', 0x3a, '\x00'}}, @TIPC_NLA_BEARER_NAME={0xb, 0x1, @l2={'ib', 0x3a, 'wg0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e20, 0x5, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x5}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x8}}}}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}]}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x80000001}, @TIPC_NLA_PUBL_UPPER={0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x100}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x2}]}, @TIPC_NLA_NODE={0x40, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_KEY={0x3c, 0x4, {'gcm(aes)\x00', 0x14, "9ce95b022735c5acb2ad0d8c3c0409b045423c43"}}]}, @TIPC_NLA_BEARER={0xc0, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'ib', 0x3a, 'macvlan1\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x5}, @TIPC_NLA_BEARER_NAME={0x17, 0x1, @l2={'eth', 0x3a, 'bridge_slave_0\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x6}, @TIPC_NLA_BEARER_NAME={0x18, 0x1, @l2={'eth', 0x3a, 'veth1_to_batadv\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e20, @empty}}, {0x14, 0x2, @in={0x2, 0x4e24, @multicast2}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x2}}, {0x14, 0x2, @in={0x2, 0x4e21, @rand_addr=0x64010102}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3}]}, @TIPC_NLA_MON={0x2c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x7fff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x10001}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6dc}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x81}]}]}, 0x450}, 0x1, 0x0, 0x0, 0x40008c0}, 0x4004)
sendmsg$IPVS_CMD_SET_DEST(r4, &(0x7f0000000e80)={&(0x7f0000000dc0)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000e40)={&(0x7f0000000e00)={0x2c, 0x0, 0x400, 0x70bd28, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xe}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x5}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0)
ioctl$SG_GET_SG_TABLESIZE(r8, 0x227f, &(0x7f0000000ec0))
r15 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
getpeername$netrom(r15, &(0x7f0000000f00)={{0x3, @bcast}, [@null, @default, @rose, @netrom, @rose, @rose, @bcast, @null]}, &(0x7f0000000f80)=0x48)
syz_genetlink_get_family_id$nl80211(&(0x7f0000001000), r6)
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-ioctl$DRM_IOCTL_MODE_GETCRTC-syz_genetlink_get_family_id$tipc2-sendmsg$TIPC_NL_LINK_GET-sendmsg$IPVS_CMD_SET_DEST-ioctl$SG_GET_SG_TABLESIZE-syz_init_net_socket$netrom-getpeername$netrom-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [<r4=>0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r5=>0xffffffffffffffff, <r6=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r7=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r8=>0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, <r9=>0xffffffffffffffff, <r10=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r11=>0xffffffffffffffff, 0xffffffffffffffff, <r12=>0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r10, &(0x7f0000000580)=0x5, r6, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r5, r0, 0x0)
setsockopt$inet6_tcp_buf(r5, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r11, 0xc02064b6, &(0x7f0000000780)={0x0, <r13=>0x0, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
ioctl$DRM_IOCTL_MODE_GETCRTC(r12, 0xc06864a1, &(0x7f00000007c0)={&(0x7f0000000700)=[0x0, 0x0], 0x2, r13})
r14 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000880), r7)
sendmsg$TIPC_NL_LINK_GET(r9, &(0x7f0000000d80)={&(0x7f0000000840)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000d40)={&(0x7f00000008c0)={0x450, r14, 0x400, 0x70bd2c, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0xc4, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x273e, @private0={0xfc, 0x0, '\x00', 0x1}, 0x6}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x1a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e23, 0xd, @mcast1, 0xf11}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x8, @private1, 0x44a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x1a}}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x2, @rand_addr=' \x01\x00', 0x1}}}}]}, @TIPC_NLA_NODE={0x30, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_ID={0x27, 0x3, "cc54958aa755767c3f2ab96ae101abd0927da73f7c0cb9e7f6375775283c901b5998d2"}, @TIPC_NLA_NODE_KEY_MASTER={0x4}]}, @TIPC_NLA_LINK={0xb0, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xc447}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}]}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x9}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0xfffffff7}]}, @TIPC_NLA_BEARER={0x124, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xe, 0x1, @l2={'eth', 0x3a, 'bond0\x00'}}, @TIPC_NLA_BEARER_PROP={0x4c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xffffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5c}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}]}, @TIPC_NLA_BEARER_PROP={0x4}, @TIPC_NLA_BEARER_NAME={0x11, 0x1, @l2={'eth', 0x3a, 'macvtap0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @private=0xa010101}}, {0x14, 0x2, @in={0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_NAME={0x9, 0x1, @l2={'eth', 0x3a, '\x00'}}, @TIPC_NLA_BEARER_NAME={0xb, 0x1, @l2={'ib', 0x3a, 'wg0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e20, 0x5, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x5}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x8}}}}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}]}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x80000001}, @TIPC_NLA_PUBL_UPPER={0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x100}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x2}]}, @TIPC_NLA_NODE={0x40, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_KEY={0x3c, 0x4, {'gcm(aes)\x00', 0x14, "9ce95b022735c5acb2ad0d8c3c0409b045423c43"}}]}, @TIPC_NLA_BEARER={0xc0, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'ib', 0x3a, 'macvlan1\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x5}, @TIPC_NLA_BEARER_NAME={0x17, 0x1, @l2={'eth', 0x3a, 'bridge_slave_0\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x6}, @TIPC_NLA_BEARER_NAME={0x18, 0x1, @l2={'eth', 0x3a, 'veth1_to_batadv\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e20, @empty}}, {0x14, 0x2, @in={0x2, 0x4e24, @multicast2}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x2}}, {0x14, 0x2, @in={0x2, 0x4e21, @rand_addr=0x64010102}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3}]}, @TIPC_NLA_MON={0x2c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x7fff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x10001}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6dc}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x81}]}]}, 0x450}, 0x1, 0x0, 0x0, 0x40008c0}, 0x4004)
sendmsg$IPVS_CMD_SET_DEST(r4, &(0x7f0000000e80)={&(0x7f0000000dc0)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000e40)={&(0x7f0000000e00)={0x2c, 0x0, 0x400, 0x70bd28, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xe}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x5}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0)
ioctl$SG_GET_SG_TABLESIZE(r8, 0x227f, &(0x7f0000000ec0))
r15 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
getpeername$netrom(r15, &(0x7f0000000f00)={{0x3, @bcast}, [@null, @default, @rose, @netrom, @rose, @rose, @bcast, @null]}, &(0x7f0000000f80)=0x48)
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-ioctl$DRM_IOCTL_MODE_GETCRTC-syz_genetlink_get_family_id$tipc2-sendmsg$TIPC_NL_LINK_GET-sendmsg$IPVS_CMD_SET_DEST-ioctl$SG_GET_SG_TABLESIZE-syz_init_net_socket$netrom-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [<r4=>0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r5=>0xffffffffffffffff, <r6=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r7=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r8=>0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, <r9=>0xffffffffffffffff, <r10=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r11=>0xffffffffffffffff, 0xffffffffffffffff, <r12=>0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r10, &(0x7f0000000580)=0x5, r6, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r5, r0, 0x0)
setsockopt$inet6_tcp_buf(r5, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r11, 0xc02064b6, &(0x7f0000000780)={0x0, <r13=>0x0, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
ioctl$DRM_IOCTL_MODE_GETCRTC(r12, 0xc06864a1, &(0x7f00000007c0)={&(0x7f0000000700)=[0x0, 0x0], 0x2, r13})
r14 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000880), r7)
sendmsg$TIPC_NL_LINK_GET(r9, &(0x7f0000000d80)={&(0x7f0000000840)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000d40)={&(0x7f00000008c0)={0x450, r14, 0x400, 0x70bd2c, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0xc4, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x273e, @private0={0xfc, 0x0, '\x00', 0x1}, 0x6}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x1a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e23, 0xd, @mcast1, 0xf11}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x8, @private1, 0x44a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x1a}}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x2, @rand_addr=' \x01\x00', 0x1}}}}]}, @TIPC_NLA_NODE={0x30, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_ID={0x27, 0x3, "cc54958aa755767c3f2ab96ae101abd0927da73f7c0cb9e7f6375775283c901b5998d2"}, @TIPC_NLA_NODE_KEY_MASTER={0x4}]}, @TIPC_NLA_LINK={0xb0, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xc447}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}]}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x9}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0xfffffff7}]}, @TIPC_NLA_BEARER={0x124, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xe, 0x1, @l2={'eth', 0x3a, 'bond0\x00'}}, @TIPC_NLA_BEARER_PROP={0x4c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xffffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5c}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}]}, @TIPC_NLA_BEARER_PROP={0x4}, @TIPC_NLA_BEARER_NAME={0x11, 0x1, @l2={'eth', 0x3a, 'macvtap0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @private=0xa010101}}, {0x14, 0x2, @in={0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_NAME={0x9, 0x1, @l2={'eth', 0x3a, '\x00'}}, @TIPC_NLA_BEARER_NAME={0xb, 0x1, @l2={'ib', 0x3a, 'wg0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e20, 0x5, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x5}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x8}}}}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}]}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x80000001}, @TIPC_NLA_PUBL_UPPER={0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x100}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x2}]}, @TIPC_NLA_NODE={0x40, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_KEY={0x3c, 0x4, {'gcm(aes)\x00', 0x14, "9ce95b022735c5acb2ad0d8c3c0409b045423c43"}}]}, @TIPC_NLA_BEARER={0xc0, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'ib', 0x3a, 'macvlan1\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x5}, @TIPC_NLA_BEARER_NAME={0x17, 0x1, @l2={'eth', 0x3a, 'bridge_slave_0\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x6}, @TIPC_NLA_BEARER_NAME={0x18, 0x1, @l2={'eth', 0x3a, 'veth1_to_batadv\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e20, @empty}}, {0x14, 0x2, @in={0x2, 0x4e24, @multicast2}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x2}}, {0x14, 0x2, @in={0x2, 0x4e21, @rand_addr=0x64010102}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3}]}, @TIPC_NLA_MON={0x2c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x7fff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x10001}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6dc}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x81}]}]}, 0x450}, 0x1, 0x0, 0x0, 0x40008c0}, 0x4004)
sendmsg$IPVS_CMD_SET_DEST(r4, &(0x7f0000000e80)={&(0x7f0000000dc0)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000e40)={&(0x7f0000000e00)={0x2c, 0x0, 0x400, 0x70bd28, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xe}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x5}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0)
ioctl$SG_GET_SG_TABLESIZE(r8, 0x227f, &(0x7f0000000ec0))
syz_init_net_socket$netrom(0x6, 0x5, 0x0)
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-ioctl$DRM_IOCTL_MODE_GETCRTC-syz_genetlink_get_family_id$tipc2-sendmsg$TIPC_NL_LINK_GET-sendmsg$IPVS_CMD_SET_DEST-ioctl$SG_GET_SG_TABLESIZE-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [<r4=>0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r5=>0xffffffffffffffff, <r6=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r7=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r8=>0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, <r9=>0xffffffffffffffff, <r10=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r11=>0xffffffffffffffff, 0xffffffffffffffff, <r12=>0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r10, &(0x7f0000000580)=0x5, r6, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r5, r0, 0x0)
setsockopt$inet6_tcp_buf(r5, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r11, 0xc02064b6, &(0x7f0000000780)={0x0, <r13=>0x0, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
ioctl$DRM_IOCTL_MODE_GETCRTC(r12, 0xc06864a1, &(0x7f00000007c0)={&(0x7f0000000700)=[0x0, 0x0], 0x2, r13})
r14 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000880), r7)
sendmsg$TIPC_NL_LINK_GET(r9, &(0x7f0000000d80)={&(0x7f0000000840)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000d40)={&(0x7f00000008c0)={0x450, r14, 0x400, 0x70bd2c, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0xc4, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x273e, @private0={0xfc, 0x0, '\x00', 0x1}, 0x6}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x1a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e23, 0xd, @mcast1, 0xf11}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x8, @private1, 0x44a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x1a}}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x2, @rand_addr=' \x01\x00', 0x1}}}}]}, @TIPC_NLA_NODE={0x30, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_ID={0x27, 0x3, "cc54958aa755767c3f2ab96ae101abd0927da73f7c0cb9e7f6375775283c901b5998d2"}, @TIPC_NLA_NODE_KEY_MASTER={0x4}]}, @TIPC_NLA_LINK={0xb0, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xc447}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}]}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x9}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0xfffffff7}]}, @TIPC_NLA_BEARER={0x124, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xe, 0x1, @l2={'eth', 0x3a, 'bond0\x00'}}, @TIPC_NLA_BEARER_PROP={0x4c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xffffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5c}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}]}, @TIPC_NLA_BEARER_PROP={0x4}, @TIPC_NLA_BEARER_NAME={0x11, 0x1, @l2={'eth', 0x3a, 'macvtap0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @private=0xa010101}}, {0x14, 0x2, @in={0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_NAME={0x9, 0x1, @l2={'eth', 0x3a, '\x00'}}, @TIPC_NLA_BEARER_NAME={0xb, 0x1, @l2={'ib', 0x3a, 'wg0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e20, 0x5, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x5}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x8}}}}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}]}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x80000001}, @TIPC_NLA_PUBL_UPPER={0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x100}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x2}]}, @TIPC_NLA_NODE={0x40, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_KEY={0x3c, 0x4, {'gcm(aes)\x00', 0x14, "9ce95b022735c5acb2ad0d8c3c0409b045423c43"}}]}, @TIPC_NLA_BEARER={0xc0, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'ib', 0x3a, 'macvlan1\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x5}, @TIPC_NLA_BEARER_NAME={0x17, 0x1, @l2={'eth', 0x3a, 'bridge_slave_0\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x6}, @TIPC_NLA_BEARER_NAME={0x18, 0x1, @l2={'eth', 0x3a, 'veth1_to_batadv\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e20, @empty}}, {0x14, 0x2, @in={0x2, 0x4e24, @multicast2}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x2}}, {0x14, 0x2, @in={0x2, 0x4e21, @rand_addr=0x64010102}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3}]}, @TIPC_NLA_MON={0x2c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x7fff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x10001}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6dc}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x81}]}]}, 0x450}, 0x1, 0x0, 0x0, 0x40008c0}, 0x4004)
sendmsg$IPVS_CMD_SET_DEST(r4, &(0x7f0000000e80)={&(0x7f0000000dc0)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000e40)={&(0x7f0000000e00)={0x2c, 0x0, 0x400, 0x70bd28, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xe}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x5}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0)
ioctl$SG_GET_SG_TABLESIZE(r8, 0x227f, &(0x7f0000000ec0))
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-ioctl$DRM_IOCTL_MODE_GETCRTC-syz_genetlink_get_family_id$tipc2-sendmsg$TIPC_NL_LINK_GET-sendmsg$IPVS_CMD_SET_DEST-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [<r4=>0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r5=>0xffffffffffffffff, <r6=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r7=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, <r8=>0xffffffffffffffff, <r9=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r10=>0xffffffffffffffff, 0xffffffffffffffff, <r11=>0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r9, &(0x7f0000000580)=0x5, r6, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r5, r0, 0x0)
setsockopt$inet6_tcp_buf(r5, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r10, 0xc02064b6, &(0x7f0000000780)={0x0, <r12=>0x0, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
ioctl$DRM_IOCTL_MODE_GETCRTC(r11, 0xc06864a1, &(0x7f00000007c0)={&(0x7f0000000700)=[0x0, 0x0], 0x2, r12})
r13 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000880), r7)
sendmsg$TIPC_NL_LINK_GET(r8, &(0x7f0000000d80)={&(0x7f0000000840)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000d40)={&(0x7f00000008c0)={0x450, r13, 0x400, 0x70bd2c, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0xc4, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x273e, @private0={0xfc, 0x0, '\x00', 0x1}, 0x6}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x1a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e23, 0xd, @mcast1, 0xf11}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x8, @private1, 0x44a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x1a}}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x2, @rand_addr=' \x01\x00', 0x1}}}}]}, @TIPC_NLA_NODE={0x30, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_ID={0x27, 0x3, "cc54958aa755767c3f2ab96ae101abd0927da73f7c0cb9e7f6375775283c901b5998d2"}, @TIPC_NLA_NODE_KEY_MASTER={0x4}]}, @TIPC_NLA_LINK={0xb0, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xc447}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}]}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x9}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0xfffffff7}]}, @TIPC_NLA_BEARER={0x124, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xe, 0x1, @l2={'eth', 0x3a, 'bond0\x00'}}, @TIPC_NLA_BEARER_PROP={0x4c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xffffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5c}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}]}, @TIPC_NLA_BEARER_PROP={0x4}, @TIPC_NLA_BEARER_NAME={0x11, 0x1, @l2={'eth', 0x3a, 'macvtap0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @private=0xa010101}}, {0x14, 0x2, @in={0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_NAME={0x9, 0x1, @l2={'eth', 0x3a, '\x00'}}, @TIPC_NLA_BEARER_NAME={0xb, 0x1, @l2={'ib', 0x3a, 'wg0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e20, 0x5, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x5}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x8}}}}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}]}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x80000001}, @TIPC_NLA_PUBL_UPPER={0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x100}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x2}]}, @TIPC_NLA_NODE={0x40, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_KEY={0x3c, 0x4, {'gcm(aes)\x00', 0x14, "9ce95b022735c5acb2ad0d8c3c0409b045423c43"}}]}, @TIPC_NLA_BEARER={0xc0, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'ib', 0x3a, 'macvlan1\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x5}, @TIPC_NLA_BEARER_NAME={0x17, 0x1, @l2={'eth', 0x3a, 'bridge_slave_0\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x6}, @TIPC_NLA_BEARER_NAME={0x18, 0x1, @l2={'eth', 0x3a, 'veth1_to_batadv\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e20, @empty}}, {0x14, 0x2, @in={0x2, 0x4e24, @multicast2}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x2}}, {0x14, 0x2, @in={0x2, 0x4e21, @rand_addr=0x64010102}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3}]}, @TIPC_NLA_MON={0x2c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x7fff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x10001}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6dc}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x81}]}]}, 0x450}, 0x1, 0x0, 0x0, 0x40008c0}, 0x4004)
sendmsg$IPVS_CMD_SET_DEST(r4, &(0x7f0000000e80)={&(0x7f0000000dc0)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000e40)={&(0x7f0000000e00)={0x2c, 0x0, 0x400, 0x70bd28, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xe}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x5}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0)
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-ioctl$DRM_IOCTL_MODE_GETCRTC-syz_genetlink_get_family_id$tipc2-sendmsg$TIPC_NL_LINK_GET-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r6=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, <r7=>0xffffffffffffffff, <r8=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r9=>0xffffffffffffffff, 0xffffffffffffffff, <r10=>0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r8, &(0x7f0000000580)=0x5, r5, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r4, r0, 0x0)
setsockopt$inet6_tcp_buf(r4, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r9, 0xc02064b6, &(0x7f0000000780)={0x0, <r11=>0x0, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
ioctl$DRM_IOCTL_MODE_GETCRTC(r10, 0xc06864a1, &(0x7f00000007c0)={&(0x7f0000000700)=[0x0, 0x0], 0x2, r11})
r12 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000880), r6)
sendmsg$TIPC_NL_LINK_GET(r7, &(0x7f0000000d80)={&(0x7f0000000840)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000d40)={&(0x7f00000008c0)={0x450, r12, 0x400, 0x70bd2c, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0xc4, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x273e, @private0={0xfc, 0x0, '\x00', 0x1}, 0x6}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x1a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e23, 0xd, @mcast1, 0xf11}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x8, @private1, 0x44a}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x1a}}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x2, @rand_addr=' \x01\x00', 0x1}}}}]}, @TIPC_NLA_NODE={0x30, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_ID={0x27, 0x3, "cc54958aa755767c3f2ab96ae101abd0927da73f7c0cb9e7f6375775283c901b5998d2"}, @TIPC_NLA_NODE_KEY_MASTER={0x4}]}, @TIPC_NLA_LINK={0xb0, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xc447}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}]}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x7}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x9}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0xfffffff7}]}, @TIPC_NLA_BEARER={0x124, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xe, 0x1, @l2={'eth', 0x3a, 'bond0\x00'}}, @TIPC_NLA_BEARER_PROP={0x4c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xffffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5c}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}]}, @TIPC_NLA_BEARER_PROP={0x4}, @TIPC_NLA_BEARER_NAME={0x11, 0x1, @l2={'eth', 0x3a, 'macvtap0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @private=0xa010101}}, {0x14, 0x2, @in={0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_NAME={0x9, 0x1, @l2={'eth', 0x3a, '\x00'}}, @TIPC_NLA_BEARER_NAME={0xb, 0x1, @l2={'ib', 0x3a, 'wg0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e20, 0x5, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x5}}, {0x20, 0x2, @in6={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x8}}}}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}]}]}, @TIPC_NLA_PUBL={0x24, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x80000001}, @TIPC_NLA_PUBL_UPPER={0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x100}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x2}]}, @TIPC_NLA_NODE={0x40, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_KEY={0x3c, 0x4, {'gcm(aes)\x00', 0x14, "9ce95b022735c5acb2ad0d8c3c0409b045423c43"}}]}, @TIPC_NLA_BEARER={0xc0, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'ib', 0x3a, 'macvlan1\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x5}, @TIPC_NLA_BEARER_NAME={0x17, 0x1, @l2={'eth', 0x3a, 'bridge_slave_0\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x6}, @TIPC_NLA_BEARER_NAME={0x18, 0x1, @l2={'eth', 0x3a, 'veth1_to_batadv\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e20, @empty}}, {0x14, 0x2, @in={0x2, 0x4e24, @multicast2}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x8, @private0={0xfc, 0x0, '\x00', 0x1}, 0x2}}, {0x14, 0x2, @in={0x2, 0x4e21, @rand_addr=0x64010102}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3}]}, @TIPC_NLA_MON={0x2c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x7fff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x10001}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6dc}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x81}]}]}, 0x450}, 0x1, 0x0, 0x0, 0x40008c0}, 0x4004)
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-ioctl$DRM_IOCTL_MODE_GETCRTC-syz_genetlink_get_family_id$tipc2-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r6=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r7=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r8=>0xffffffffffffffff, 0xffffffffffffffff, <r9=>0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r7, &(0x7f0000000580)=0x5, r5, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r4, r0, 0x0)
setsockopt$inet6_tcp_buf(r4, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r8, 0xc02064b6, &(0x7f0000000780)={0x0, <r10=>0x0, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
ioctl$DRM_IOCTL_MODE_GETCRTC(r9, 0xc06864a1, &(0x7f00000007c0)={&(0x7f0000000700)=[0x0, 0x0], 0x2, r10})
syz_genetlink_get_family_id$tipc2(&(0x7f0000000880), r6)
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-ioctl$DRM_IOCTL_MODE_GETCRTC-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r6=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r7=>0xffffffffffffffff, 0xffffffffffffffff, <r8=>0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r6, &(0x7f0000000580)=0x5, r5, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r4, r0, 0x0)
setsockopt$inet6_tcp_buf(r4, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r7, 0xc02064b6, &(0x7f0000000780)={0x0, <r9=>0x0, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
ioctl$DRM_IOCTL_MODE_GETCRTC(r8, 0xc06864a1, &(0x7f00000007c0)={&(0x7f0000000700)=[0x0, 0x0], 0x2, r9})
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-ioctl$DRM_IOCTL_MODE_GETPLANE-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r6=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [<r7=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r6, &(0x7f0000000580)=0x5, r5, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r4, r0, 0x0)
setsockopt$inet6_tcp_buf(r4, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
ioctl$DRM_IOCTL_MODE_GETPLANE(r7, 0xc02064b6, &(0x7f0000000780)={0x0, 0x0, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000740)=[0x0]})
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-setsockopt$inet6_tcp_buf-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r6=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r6, &(0x7f0000000580)=0x5, r5, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r4, r0, 0x0)
setsockopt$inet6_tcp_buf(r4, 0x6, 0xe, &(0x7f0000000600)="99e526592cb82f0c8a7132eff8b376a15ad02f275cd1d45552490c15220a37a823b5a9e7d92d6653537dd0991c48dd9e655d1752747b114cd4ae8defbd2eba7ea97f2c87f8cfdbeef3dcd2dafaf73bedb26fa4ec9e727268c47ece4e6f28253c8776f4419d55cdfcc2d5598a73c135072ccad8e0ae17dbd053fc3e6925b783134f765ec654bcefdf9ab04827322517134afd3d67f9b81203eac717f13bd52ff0983bed39714b33a5d8294bbb08cbee08ee7a1bb23d2e8717d49f0843063e8ef29ae4213b14058c8a04c0e8013519bd1be2e9", 0xd2)
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-close_range-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r6=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r6, &(0x7f0000000580)=0x5, r5, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
close_range(r4, r0, 0x0)
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-splice-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r4=>0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r5=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
splice(r5, &(0x7f0000000580)=0x5, r4, &(0x7f00000005c0)=0x6, 0x6b, 0xe)
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-recvmsg$unix-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={<r3=>r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
recvmsg$unix(r3, &(0x7f0000000540)={&(0x7f0000000280)=@abs, 0x6e, &(0x7f00000003c0)=[{&(0x7f0000000300)=""/126, 0x7e}, {&(0x7f0000000380)=""/13, 0xd}], 0x2, &(0x7f0000000400)=[@rights={{0x18, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}], 0x140}, 0x2021)
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-ioctl$XFS_IOC_PATH_TO_FSHANDLE-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
r2 = dup3(r0, r1, 0x0)
ioctl$XFS_IOC_PATH_TO_FSHANDLE(r0, 0xc0385868, &(0x7f0000000240)={r2, &(0x7f0000000140)='^\xeb\x1b\x00', 0x200, &(0x7f0000000180)={@align=0x4, {0x400, 0x4, 0x52efd3dc, 0x9}}, 0xfffffff3, &(0x7f00000001c0)={@_ha_fsid}, &(0x7f0000000200)=0x6})
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-dup3-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0)={<r1=>0xffffffffffffffff})
dup3(r0, r1, 0x0)
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-ioctl$XFS_IOC_START_COMMIT-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
ioctl$XFS_IOC_START_COMMIT(r0, 0x80585882, &(0x7f00000000c0))
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(0xffffffffffffffff, 0xc058534b, &(0x7f0000000040)={0x8b0f, 0x5, 0x7f, 0x1, 0xead1, 0x8})
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-connect$inet6-syz_emit_vhci
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x7, @mcast2}, 0x1c)
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-syz_emit_vhci
detailed listing:
executing program 0:
socket$inet6_sctp(0xa, 0x1, 0x84)
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
detailed listing:
executing program 0:
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
detailed listing:
executing program 0:
syz_emit_vhci(0x0, 0x0)

program did not crash
testing program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
detailed listing:
executing program 0:
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x10}, @l2cap_cid_le_signaling={{0xc}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x8}, {0x4, 0x0, 0xe, 0x8000}}}}, 0x15)

program did not crash
extracting C reproducer
testing compiled C program (duration=47.490215743s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
simplifying C reproducer
testing compiled C program (duration=47.490215743s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing compiled C program (duration=47.490215743s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing compiled C program (duration=47.490215743s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
program did not crash
testing compiled C program (duration=47.490215743s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing compiled C program (duration=47.490215743s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing compiled C program (duration=47.490215743s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing compiled C program (duration=47.490215743s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing compiled C program (duration=47.490215743s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing compiled C program (duration=47.490215743s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
program did not crash
testing compiled C program (duration=47.490215743s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing compiled C program (duration=47.490215743s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing compiled C program (duration=47.490215743s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing compiled C program (duration=47.490215743s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing compiled C program (duration=47.490215743s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing compiled C program (duration=47.490215743s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
testing program (duration=47.490215743s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
detailed listing:
executing program 0:
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
validation run: crashed=true
testing program (duration=47.490215743s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
detailed listing:
executing program 0:
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
validation run: crashed=true
testing program (duration=47.490215743s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_vhci
detailed listing:
executing program 0:
syz_emit_vhci(&(0x7f0000001400)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x8, 0x16}, {0x4, 0x0, 0xe, 0x8000, [0xffbe, 0x1000, 0x28d, 0x4711, 0x7, 0x3, 0x4]}}}}, 0x23)

program crashed: KASAN: stack-out-of-bounds Read in l2cap_send_cmd
validation run: crashed=true
reproducing took 1h11m24.967508243s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: stack-out-of-bounds in skb_put_data include/linux/skbuff.h:2800 [inline]
BUG: KASAN: stack-out-of-bounds in l2cap_build_cmd net/bluetooth/l2cap_core.c:3003 [inline]
BUG: KASAN: stack-out-of-bounds in l2cap_send_cmd+0x2a3/0xb90 net/bluetooth/l2cap_core.c:954
Read of size 22 at addr ffffc90000bb7540 by task kworker/u9:0/51

CPU: 1 UID: 0 PID: 51 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Workqueue: hci0 hci_rx_work
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200
 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
 skb_put_data include/linux/skbuff.h:2800 [inline]
 l2cap_build_cmd net/bluetooth/l2cap_core.c:3003 [inline]
 l2cap_send_cmd+0x2a3/0xb90 net/bluetooth/l2cap_core.c:954
 l2cap_ecred_conn_req net/bluetooth/l2cap_core.c:5192 [inline]
 l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5494 [inline]
 l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5552 [inline]
 l2cap_recv_frame+0xd352/0x10110 net/bluetooth/l2cap_core.c:6897
 l2cap_recv_acldata+0x7e9/0x13e0 net/bluetooth/l2cap_core.c:7621
 hci_acldata_packet net/bluetooth/hci_core.c:3855 [inline]
 hci_rx_work+0x4f9/0x1040 net/bluetooth/hci_core.c:4082
 process_one_work+0x949/0x1650 kernel/workqueue.c:3279
 process_scheduled_works kernel/workqueue.c:3362 [inline]
 worker_thread+0xb46/0x1140 kernel/workqueue.c:3443
 kthread+0x388/0x470 kernel/kthread.c:467
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to stack of task kworker/u9:0/51
 and is located at offset 128 in frame:
 l2cap_recv_frame+0x0/0x10110 include/linux/skbuff.h:-1

This frame has 26 objects:
 [32, 34) 'rsp.i238.i.i'
 [48, 88) 'chan.i.i.i'
 [128, 146) 'pdu_u.i.i.i'
 [192, 202) 'rsp.i94.i.i'
 [224, 226) 'rsp.i.i.i111'
 [240, 242) 'rej.i'
 [256, 258) 'rej.i145.i'
 [272, 274) 'rej.i143.i'
 [288, 290) 'req.i229.i.i'
 [304, 312) 'buf.i222.i.i'
 [336, 348) 'buf29.i.i.i'
 [368, 372) 'rsp49.i.i.i'
 [384, 393) 'rfc.i.i118.i.i'
 [416, 480) 'buf.i119.i.i'
 [512, 576) 'req.i120.i.i'
 [608, 617) 'rfc.i.i.i.i'
 [640, 656) 'efs.i.i.i.i'
 [672, 678) 'rej.i371.i.i.i'
 [704, 710) 'rej.i.i.i.i'
 [736, 800) 'rsp.i.i.i'
 [832, 896) 'buf.i.i.i'
 [928, 1056) 'req.i.i.i'
 [1088, 1096) 'rsp.i.i.i.i'
 [1120, 1122) 'info.i.i.i.i'
 [1136, 1264) 'buf.i.i.i.i'
 [1296, 1298) 'rej.i.i'

The buggy address belongs to a 8-page vmalloc region starting at 0xffffc90000bb0000 allocated at copy_process+0x508/0x3cf0 kernel/fork.c:2050
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bf87
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00006fe1c8 ffffea00006fe1c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x29c2(GFP_NOWAIT|__GFP_HIGHMEM|__GFP_IO|__GFP_FS|__GFP_ZERO), pid 2, tgid 2 (kthreadd), ts 3686034072, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 __alloc_pages_noprof+0xa/0x30 mm/page_alloc.c:5284
 __alloc_pages_node_noprof include/linux/gfp.h:285 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:312 [inline]
 vm_area_alloc_pages mm/vmalloc.c:3664 [inline]
 __vmalloc_area_node mm/vmalloc.c:3876 [inline]
 __vmalloc_node_range_noprof+0x7be/0x1730 mm/vmalloc.c:4064
 __vmalloc_node_noprof+0xc2/0x100 mm/vmalloc.c:4124
 alloc_thread_stack_node kernel/fork.c:355 [inline]
 dup_task_struct+0x228/0x9a0 kernel/fork.c:924
 copy_process+0x508/0x3cf0 kernel/fork.c:2050
 kernel_clone+0x248/0x8e0 kernel/fork.c:2654
 kernel_thread+0x13f/0x1b0 kernel/fork.c:2715
 create_kthread kernel/kthread.c:490 [inline]
 kthreadd+0x4ec/0x6e0 kernel/kthread.c:849
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
page_owner free stack trace missing

Memory state around the buggy address:
 ffffc90000bb7400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000bb7480: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f8 f8
>ffffc90000bb7500: f8 f8 f8 f2 f2 f2 f2 f2 00 00 02 f2 f2 f2 f2 f2
                                                 ^
 ffffc90000bb7580: f8 f8 f2 f2 f8 f2 f8 f2 f8 f2 f8 f2 f8 f2 f8 f2
 ffffc90000bb7600: f2 f2 f8 f8 f2 f2 f8 f2 f8 f8 f2 f2 f8 f8 f8 f8
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: stack-out-of-bounds in skb_put_data include/linux/skbuff.h:2800 [inline]
BUG: KASAN: stack-out-of-bounds in l2cap_build_cmd net/bluetooth/l2cap_core.c:3003 [inline]
BUG: KASAN: stack-out-of-bounds in l2cap_send_cmd+0x2a3/0xb90 net/bluetooth/l2cap_core.c:954
Read of size 22 at addr ffffc90000bb7540 by task kworker/u9:0/51

CPU: 1 UID: 0 PID: 51 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Workqueue: hci0 hci_rx_work
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200
 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
 skb_put_data include/linux/skbuff.h:2800 [inline]
 l2cap_build_cmd net/bluetooth/l2cap_core.c:3003 [inline]
 l2cap_send_cmd+0x2a3/0xb90 net/bluetooth/l2cap_core.c:954
 l2cap_ecred_conn_req net/bluetooth/l2cap_core.c:5192 [inline]
 l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5494 [inline]
 l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5552 [inline]
 l2cap_recv_frame+0xd352/0x10110 net/bluetooth/l2cap_core.c:6897
 l2cap_recv_acldata+0x7e9/0x13e0 net/bluetooth/l2cap_core.c:7621
 hci_acldata_packet net/bluetooth/hci_core.c:3855 [inline]
 hci_rx_work+0x4f9/0x1040 net/bluetooth/hci_core.c:4082
 process_one_work+0x949/0x1650 kernel/workqueue.c:3279
 process_scheduled_works kernel/workqueue.c:3362 [inline]
 worker_thread+0xb46/0x1140 kernel/workqueue.c:3443
 kthread+0x388/0x470 kernel/kthread.c:467
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to stack of task kworker/u9:0/51
 and is located at offset 128 in frame:
 l2cap_recv_frame+0x0/0x10110 include/linux/skbuff.h:-1

This frame has 26 objects:
 [32, 34) 'rsp.i238.i.i'
 [48, 88) 'chan.i.i.i'
 [128, 146) 'pdu_u.i.i.i'
 [192, 202) 'rsp.i94.i.i'
 [224, 226) 'rsp.i.i.i111'
 [240, 242) 'rej.i'
 [256, 258) 'rej.i145.i'
 [272, 274) 'rej.i143.i'
 [288, 290) 'req.i229.i.i'
 [304, 312) 'buf.i222.i.i'
 [336, 348) 'buf29.i.i.i'
 [368, 372) 'rsp49.i.i.i'
 [384, 393) 'rfc.i.i118.i.i'
 [416, 480) 'buf.i119.i.i'
 [512, 576) 'req.i120.i.i'
 [608, 617) 'rfc.i.i.i.i'
 [640, 656) 'efs.i.i.i.i'
 [672, 678) 'rej.i371.i.i.i'
 [704, 710) 'rej.i.i.i.i'
 [736, 800) 'rsp.i.i.i'
 [832, 896) 'buf.i.i.i'
 [928, 1056) 'req.i.i.i'
 [1088, 1096) 'rsp.i.i.i.i'
 [1120, 1122) 'info.i.i.i.i'
 [1136, 1264) 'buf.i.i.i.i'
 [1296, 1298) 'rej.i.i'

The buggy address belongs to a 8-page vmalloc region starting at 0xffffc90000bb0000 allocated at copy_process+0x508/0x3cf0 kernel/fork.c:2050
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bf87
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00006fe1c8 ffffea00006fe1c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x29c2(GFP_NOWAIT|__GFP_HIGHMEM|__GFP_IO|__GFP_FS|__GFP_ZERO), pid 2, tgid 2 (kthreadd), ts 3686034072, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 __alloc_pages_noprof+0xa/0x30 mm/page_alloc.c:5284
 __alloc_pages_node_noprof include/linux/gfp.h:285 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:312 [inline]
 vm_area_alloc_pages mm/vmalloc.c:3664 [inline]
 __vmalloc_area_node mm/vmalloc.c:3876 [inline]
 __vmalloc_node_range_noprof+0x7be/0x1730 mm/vmalloc.c:4064
 __vmalloc_node_noprof+0xc2/0x100 mm/vmalloc.c:4124
 alloc_thread_stack_node kernel/fork.c:355 [inline]
 dup_task_struct+0x228/0x9a0 kernel/fork.c:924
 copy_process+0x508/0x3cf0 kernel/fork.c:2050
 kernel_clone+0x248/0x8e0 kernel/fork.c:2654
 kernel_thread+0x13f/0x1b0 kernel/fork.c:2715
 create_kthread kernel/kthread.c:490 [inline]
 kthreadd+0x4ec/0x6e0 kernel/kthread.c:849
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
page_owner free stack trace missing

Memory state around the buggy address:
 ffffc90000bb7400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000bb7480: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f8 f8
>ffffc90000bb7500: f8 f8 f8 f2 f2 f2 f2 f2 00 00 02 f2 f2 f2 f2 f2
                                                 ^
 ffffc90000bb7580: f8 f8 f2 f2 f8 f2 f8 f2 f8 f2 f8 f2 f8 f2 f8 f2
 ffffc90000bb7600: f2 f2 f8 f8 f2 f2 f8 f2 f8 f8 f2 f2 f8 f8 f8 f8
==================================================================