Extracting prog: 5m8.725896837s
Minimizing prog: 2h11m39.353975178s
Simplifying prog options: 12m17.039091659s
Extracting C: 5m9.609896376s
Simplifying C: 0s


extracting reproducer from 1 programs
testing a last program of every proc
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE-socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r3, &(0x7f0000000040)="05000000010000", 0x7)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r4, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r3, &(0x7f0000000040)="05000000010000", 0x7) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r4, &(0x7f0000000040)="05000000010001", 0x7) (async)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) (async)
openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0) (async)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8) (async)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0) (async)

program did not crash
single: failed to extract reproducer
single: executing 1 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE-socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r3, &(0x7f0000000040)="05000000010000", 0x7)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r4, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r3, &(0x7f0000000040)="05000000010000", 0x7) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r4, &(0x7f0000000040)="05000000010001", 0x7) (async)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) (async)
openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0) (async)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8) (async)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0) (async)

program did not crash
single: failed to extract reproducer
single: executing 1 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE-socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r3, &(0x7f0000000040)="05000000010000", 0x7)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r4, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r3, &(0x7f0000000040)="05000000010000", 0x7) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r4, &(0x7f0000000040)="05000000010001", 0x7) (async)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) (async)
openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0) (async)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8) (async)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0) (async)

program crashed: KASAN: slab-use-after-free Read in cmd_complete_rsp
single: successfully extracted reproducer
found reproducer with 28 syscalls
minimizing guilty program
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE-socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r3, &(0x7f0000000040)="05000000010000", 0x7)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r4, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r3, &(0x7f0000000040)="05000000010000", 0x7) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r4, &(0x7f0000000040)="05000000010001", 0x7) (async)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) (async)
openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0) (async)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8) (async)

program crashed: KASAN: slab-use-after-free Read in cmd_complete_rsp
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE-socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r3, &(0x7f0000000040)="05000000010000", 0x7)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r4, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r3, &(0x7f0000000040)="05000000010000", 0x7) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r4, &(0x7f0000000040)="05000000010001", 0x7) (async)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) (async)
openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0) (async)

program crashed: KASAN: slab-use-after-free Read in cmd_complete_rsp
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE-socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r3, &(0x7f0000000040)="05000000010000", 0x7)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r4, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r3, &(0x7f0000000040)="05000000010000", 0x7) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r4, &(0x7f0000000040)="05000000010001", 0x7) (async)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) (async)

program crashed: KASAN: slab-use-after-free Read in cmd_complete_rsp
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE-socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r3, &(0x7f0000000040)="05000000010000", 0x7)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r4, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r3, &(0x7f0000000040)="05000000010000", 0x7) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r4, &(0x7f0000000040)="05000000010001", 0x7) (async)

program crashed: KASAN: slab-use-after-free Read in cmd_complete_rsp
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE-socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r3, &(0x7f0000000040)="05000000010000", 0x7)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r4, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r3, &(0x7f0000000040)="05000000010000", 0x7) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6) (async)

program crashed: KASAN: slab-use-after-free Read in cmd_complete_rsp
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE-socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r3, &(0x7f0000000040)="05000000010000", 0x7)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r4, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r3, &(0x7f0000000040)="05000000010000", 0x7) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)

program crashed: KASAN: slab-use-after-free Read in cmd_complete_rsp
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE-socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r3, &(0x7f0000000040)="05000000010000", 0x7)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r4, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r3, &(0x7f0000000040)="05000000010000", 0x7) (async)

program crashed: KASAN: slab-use-after-free Read in cmd_complete_rsp
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE-socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r3, &(0x7f0000000040)="05000000010000", 0x7)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r4, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) (async)

program crashed: KASAN: slab-use-after-free Read in cmd_complete_rsp
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE-socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r3, &(0x7f0000000040)="05000000010000", 0x7)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r4, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)

program crashed: KASAN: slab-use-after-free Read in cmd_complete_rsp
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE-socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r3, &(0x7f0000000040)="05000000010000", 0x7)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r4, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) (async)

program crashed: KASAN: slab-use-after-free Read in cmd_complete_rsp
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE-socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r3, &(0x7f0000000040)="05000000010000", 0x7)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r4, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)

program crashed: KASAN: slab-use-after-free Read in cmd_complete_rsp
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE-socket$nl_generic-syz_genetlink_get_family_id$wireguard
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r3, &(0x7f0000000040)="05000000010000", 0x7)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r4, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff) (async)

program crashed: KASAN: slab-use-after-free Read in cmd_complete_rsp
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE-socket$nl_generic
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r3, &(0x7f0000000040)="05000000010000", 0x7)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r4, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)

program crashed: KASAN: slab-use-after-free Read in cmd_complete_rsp
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill-sendmsg$WG_CMD_SET_DEVICE
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r3, &(0x7f0000000040)="05000000010000", 0x7)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r4, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0)

program crashed: KASAN: slab-use-after-free Read in cmd_complete_rsp
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill-write$rfkill
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, &(0x7f0000000040)="05000000010000", 0x7)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r2, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r3 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)
write$rfkill(r3, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8)

program crashed: KASAN: slab-use-after-free Read in cmd_complete_rsp
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-openat$rfkill
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, &(0x7f0000000040)="05000000010000", 0x7)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r2, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)

program crashed: KASAN: slab-use-after-free Read in set_powered_sync
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, &(0x7f0000000040)="05000000010000", 0x7)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r2, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)

program crashed: KASAN: slab-use-after-free Read in cmd_complete_rsp
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-write
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, &(0x7f0000000040)="05000000010000", 0x7)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r2, &(0x7f0000000040)="05000000010001", 0x7)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, &(0x7f0000000040)="05000000010000", 0x7)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)

program crashed: KASAN: slab-use-after-free Read in set_powered_sync
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, &(0x7f0000000040)="05000000010000", 0x7)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-bind$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, &(0x7f0000000040)="05000000010000", 0x7)
bind$bt_hci(0xffffffffffffffff, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
write(r1, &(0x7f0000000040)="05000000010000", 0x7)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
bind$bt_hci(0xffffffffffffffff, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(0xffffffffffffffff, &(0x7f0000000040)="05000000010000", 0x7)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, &(0x7f0000000040)="05000000010000", 0x7)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
ioctl$HCIINQUIRY(0xffffffffffffffff, 0x400448ca, 0x0)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r0, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r0, &(0x7f0000000040)="05000000010000", 0x7)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
bind$bt_hci(0xffffffffffffffff, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, &(0x7f0000000040)="05000000010000", 0x7)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, &(0x7f0000000040)="05000000010000", 0x7)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(0x0, 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, &(0x7f0000000040)="05000000010000", 0x7)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, 0x0, 0x0)
write(r1, &(0x7f0000000040)="05000000010000", 0x7)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, 0x0, 0x0)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, &(0x7f0000000040), 0x0)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, &(0x7f0000000040)="05000000010000", 0x7)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, 0x0, 0x0)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, &(0x7f0000000040)="05000000010000", 0x7)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
bind$bt_hci(r0, 0x0, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-bind$bt_hci
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
simplifying guilty program options
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, &(0x7f0000000040)="05000000010000", 0x7)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$wireguard-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write-syz_init_net_socket$bt_hci-bind$bt_hci-bind$bt_hci
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, &(0x7f0000000040)="05000000010000", 0x7)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)

program did not crash
reproducing took 2h34m14.728873537s
repro crashed as (corrupted=false):
Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
Bluetooth: hci0: unexpected cc 0x0c13 length: 249 > 1
==================================================================
BUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353
Read of size 8 at addr ffff88805458cb18 by task kworker/u5:1/4671

CPU: 0 UID: 0 PID: 4671 Comm: kworker/u5:1 Not tainted 6.12.0-rc5-syzkaller-00322-gb9021de3ec2f #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353
 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 14140:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:257 [inline]
 __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4295
 kmalloc_noprof include/linux/slab.h:878 [inline]
 kzalloc_noprof include/linux/slab.h:1014 [inline]
 mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269
 mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296
 set_powered+0x3cd/0x5e0 net/bluetooth/mgmt.c:1394
 hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712
 hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:744
 sock_write_iter+0x2d7/0x3f0 net/socket.c:1165
 new_sync_write fs/read_write.c:590 [inline]
 vfs_write+0xaeb/0xd30 fs/read_write.c:683
 ksys_write+0x183/0x2b0 fs/read_write.c:736
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 14134:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:2342 [inline]
 slab_free mm/slub.c:4579 [inline]
 kfree+0x1a0/0x440 mm/slub.c:4727
 settings_rsp+0x2bc/0x390 net/bluetooth/mgmt.c:1443
 mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259
 __mgmt_power_off+0x106/0x430 net/bluetooth/mgmt.c:9460
 hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5201
 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]
 hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508
 sock_do_ioctl+0x158/0x460 net/socket.c:1227
 sock_ioctl+0x626/0x8e0 net/socket.c:1346
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88805458cb00
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 24 bytes inside of
 freed 96-byte region [ffff88805458cb00, ffff88805458cb60)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5458c
ksm flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000000 ffff88801ac41280 ffffea00013497c0 dead000000000003
raw: 0000000000000000 0000000000200020 00000001f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5381, tgid 5381 (kworker/u4:1), ts 401682132373, free_ts 401599810164
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0x303f/0x3190 mm/page_alloc.c:3457
 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
 alloc_slab_page+0x6a/0x120 mm/slub.c:2412
 allocate_slab+0x5a/0x2f0 mm/slub.c:2578
 new_slab mm/slub.c:2631 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3818
 __slab_alloc+0x58/0xa0 mm/slub.c:3908
 __slab_alloc_node mm/slub.c:3961 [inline]
 slab_alloc_node mm/slub.c:4122 [inline]
 __kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4290
 kmalloc_noprof include/linux/slab.h:878 [inline]
 dst_cow_metrics_generic+0x56/0x1c0 net/core/dst.c:185
 dst_metrics_write_ptr include/net/dst.h:133 [inline]
 dst_metric_set include/net/dst.h:194 [inline]
 icmp6_dst_alloc+0x270/0x420 net/ipv6/route.c:3288
 ndisc_send_skb+0x32a/0x1380 net/ipv6/ndisc.c:491
 ndisc_send_ns+0xcc/0x160 net/ipv6/ndisc.c:669
 addrconf_dad_work+0xb45/0x16f0 net/ipv6/addrconf.c:4284
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
page last free pid 5857 tgid 5849 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_folios+0xf12/0x18d0 mm/page_alloc.c:2686
 folios_put_refs+0x76c/0x860 mm/swap.c:1007
 free_pages_and_swap_cache+0x2ea/0x690 mm/swap_state.c:332
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
 tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373
 tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465
 exit_mmap+0x496/0xc40 mm/mmap.c:1925
 __mmput+0x115/0x390 kernel/fork.c:1348
 exit_mm+0x220/0x310 kernel/exit.c:571
 do_exit+0x9b2/0x28e0 kernel/exit.c:926
 do_group_exit+0x207/0x2c0 kernel/exit.c:1088
 get_signal+0x16a3/0x1740 kernel/signal.c:2917
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88805458ca00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
 ffff88805458ca80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
>ffff88805458cb00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                            ^
 ffff88805458cb80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
 ffff88805458cc00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
==================================================================

final repro crashed as (corrupted=false):
Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
Bluetooth: hci0: unexpected cc 0x0c13 length: 249 > 1
==================================================================
BUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353
Read of size 8 at addr ffff88805458cb18 by task kworker/u5:1/4671

CPU: 0 UID: 0 PID: 4671 Comm: kworker/u5:1 Not tainted 6.12.0-rc5-syzkaller-00322-gb9021de3ec2f #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353
 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 14140:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:257 [inline]
 __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4295
 kmalloc_noprof include/linux/slab.h:878 [inline]
 kzalloc_noprof include/linux/slab.h:1014 [inline]
 mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269
 mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296
 set_powered+0x3cd/0x5e0 net/bluetooth/mgmt.c:1394
 hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712
 hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:744
 sock_write_iter+0x2d7/0x3f0 net/socket.c:1165
 new_sync_write fs/read_write.c:590 [inline]
 vfs_write+0xaeb/0xd30 fs/read_write.c:683
 ksys_write+0x183/0x2b0 fs/read_write.c:736
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 14134:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:2342 [inline]
 slab_free mm/slub.c:4579 [inline]
 kfree+0x1a0/0x440 mm/slub.c:4727
 settings_rsp+0x2bc/0x390 net/bluetooth/mgmt.c:1443
 mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259
 __mgmt_power_off+0x106/0x430 net/bluetooth/mgmt.c:9460
 hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5201
 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]
 hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508
 sock_do_ioctl+0x158/0x460 net/socket.c:1227
 sock_ioctl+0x626/0x8e0 net/socket.c:1346
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88805458cb00
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 24 bytes inside of
 freed 96-byte region [ffff88805458cb00, ffff88805458cb60)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5458c
ksm flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000000 ffff88801ac41280 ffffea00013497c0 dead000000000003
raw: 0000000000000000 0000000000200020 00000001f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5381, tgid 5381 (kworker/u4:1), ts 401682132373, free_ts 401599810164
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0x303f/0x3190 mm/page_alloc.c:3457
 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
 alloc_slab_page+0x6a/0x120 mm/slub.c:2412
 allocate_slab+0x5a/0x2f0 mm/slub.c:2578
 new_slab mm/slub.c:2631 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3818
 __slab_alloc+0x58/0xa0 mm/slub.c:3908
 __slab_alloc_node mm/slub.c:3961 [inline]
 slab_alloc_node mm/slub.c:4122 [inline]
 __kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4290
 kmalloc_noprof include/linux/slab.h:878 [inline]
 dst_cow_metrics_generic+0x56/0x1c0 net/core/dst.c:185
 dst_metrics_write_ptr include/net/dst.h:133 [inline]
 dst_metric_set include/net/dst.h:194 [inline]
 icmp6_dst_alloc+0x270/0x420 net/ipv6/route.c:3288
 ndisc_send_skb+0x32a/0x1380 net/ipv6/ndisc.c:491
 ndisc_send_ns+0xcc/0x160 net/ipv6/ndisc.c:669
 addrconf_dad_work+0xb45/0x16f0 net/ipv6/addrconf.c:4284
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
page last free pid 5857 tgid 5849 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_folios+0xf12/0x18d0 mm/page_alloc.c:2686
 folios_put_refs+0x76c/0x860 mm/swap.c:1007
 free_pages_and_swap_cache+0x2ea/0x690 mm/swap_state.c:332
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
 tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373
 tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465
 exit_mmap+0x496/0xc40 mm/mmap.c:1925
 __mmput+0x115/0x390 kernel/fork.c:1348
 exit_mm+0x220/0x310 kernel/exit.c:571
 do_exit+0x9b2/0x28e0 kernel/exit.c:926
 do_group_exit+0x207/0x2c0 kernel/exit.c:1088
 get_signal+0x16a3/0x1740 kernel/signal.c:2917
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88805458ca00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
 ffff88805458ca80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
>ffff88805458cb00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                            ^
 ffff88805458cb80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
 ffff88805458cc00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
==================================================================