Extracting prog: 1h32m9.750259225s
Minimizing prog: 28m8.250177474s
Simplifying prog options: 18m17.595853986s
Extracting C: 6m15.192292128s
Simplifying C: 0s


extracting reproducer from 45 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
detailed listing:
executing program 0:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program did not crash
single: failed to extract reproducer
bisect: bisecting 45 programs with base timeout 30s
testing program (duration=41s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3]
detailed listing:
executing program 1:
rmdir$auto(&(0x7f0000000100)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00')
executing program 1:
socketpair$auto(0x2d, 0x6, 0x6, &(0x7f0000000000)=0x4)
executing program 1:
openat$auto_severities_coverage_fops_severity(0xffffffffffffff9c, &(0x7f0000000880), 0x0, 0x0)
executing program 1:
bpf$auto(0x0, &(0x7f00000001c0)=@task_fd_query={0xa, 0x4, 0x200, 0x2, 0x8, 0x9, 0x66b, 0x0, 0x3}, 0x6f4)
executing program 1:
rt_sigqueueinfo$auto(0x1, 0x7, &(0x7f0000000040)={@siginfo_0_0={0x0, 0x5, 0xfffffffb, @_sigpoll={0x52, 0x7}}})
executing program 1:
request_key$auto(&(0x7f0000000380)=':/*(}--^{^\x00', &(0x7f00000003c0)='\x00', &(0x7f0000000400)='#\x00', 0x1)
executing program 32:
request_key$auto(&(0x7f0000000380)=':/*(}--^{^\x00', &(0x7f00000003c0)='\x00', &(0x7f0000000400)='#\x00', 0x1)
executing program 2:
r0 = openat$auto_proc_pid_numa_maps_operations_internal(0xffffffffffffff9c, &(0x7f0000000000)='/proc/thread-self/numa_maps\x00', 0x121240, 0x0)
read$auto_proc_pid_numa_maps_operations_internal(r0, &(0x7f0000000040)=""/4096, 0x1000)
executing program 2:
r0 = openat$auto_sco_debugfs_fops_(0xffffffffffffff9c, &(0x7f0000000000), 0x242, 0x0)
read$auto_sco_debugfs_fops_(r0, &(0x7f0000000140)=""/211, 0xd3)
executing program 2:
mmap$auto(0x0, 0x400005, 0xfffffffffffffffe, 0x9b72, 0xc76, 0x8000)
mremap$auto(0x0, 0x7, 0x10000000003fd6, 0x3, 0x20000000)
executing program 2:
r0 = openat$auto_tracing_mark_raw_fops_trace(0xffffffffffffff9c, &(0x7f0000000000)='/sys/kernel/debug/tracing/trace_marker_raw\x00', 0xc05, 0x0)
write$auto_tracing_mark_raw_fops_trace(r0, 0x0, 0x68)
executing program 2:
setresuid$auto(0xffffffffffffffff, 0x8, 0x8000)
tkill$auto(0x80000000000001, 0x7)
executing program 2:
r0 = openat$auto_raw_fops_raw_gadget(0xffffffffffffff9c, &(0x7f0000000000), 0x440, 0x0)
ioctl$auto_USB_RAW_IOCTL_EP_READ(r0, 0xc0085508, &(0x7f0000000040)={0x9, 0x0, 0x80})
executing program 33:
r0 = openat$auto_raw_fops_raw_gadget(0xffffffffffffff9c, &(0x7f0000000000), 0x440, 0x0)
ioctl$auto_USB_RAW_IOCTL_EP_READ(r0, 0xc0085508, &(0x7f0000000040)={0x9, 0x0, 0x80})
executing program 3:
mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x401, 0x8000)
socket(0x1e, 0x1, 0x0)
ioctl$auto(0x3, 0x89e1, 0x91)
executing program 3:
r0 = syz_genetlink_get_family_id$auto_tipcv2(&(0x7f0000000180), 0xffffffffffffffff)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$auto_TIPC_NL_MON_PEER_GET(r1, &(0x7f0000006140)={0x0, 0x0, &(0x7f0000006100)={&(0x7f00000034c0)={0x18, r0, 0x711, 0x70bd2c, 0x25dfdbff, {}, [@TIPC_NLA_MON={0x4}]}, 0x18}, 0x1, 0x0, 0x0, 0x4401}, 0x4c848)
executing program 3:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$auto_ioam6(&(0x7f0000000180), 0xffffffffffffffff)
sendmsg$auto_IOAM6_CMD_ADD_SCHEMA(r0, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000001c0)={0x14, r1, 0x1, 0x70bd29, 0x25dfdbfe}, 0x14}, 0x1, 0x0, 0x0, 0x4}, 0x0)
executing program 3:
r0 = syz_genetlink_get_family_id$auto_ovs_flow(&(0x7f0000000180), 0xffffffffffffffff)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$auto_OVS_FLOW_CMD_GET(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=ANY=[@ANYBLOB='0\x00\x00\x00', @ANYRES16=r0, @ANYBLOB="010029bd700002dcdf250300000004000879180001801400108008000800ac1414bb080001"], 0x30}, 0x1, 0x0, 0x0, 0x200400f0}, 0x800)
executing program 3:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
prctl$auto(0x1000000003b, 0x1, 0x4, 0x5, 0x7)
rt_sigqueueinfo$auto(0x1, 0x7, &(0x7f0000000040)={@siginfo_0_0={0x0, 0x5, 0xfffffffb, @_sigpoll={0x52, 0x7}}})
executing program 3:
r0 = syz_genetlink_get_family_id$auto_ethtool(&(0x7f0000006140), 0xffffffffffffffff)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$auto_ETHTOOL_MSG_LINKINFO_SET(r1, &(0x7f0000006800)={0x0, 0x0, &(0x7f00000067c0)={&(0x7f0000006740)={0x2c, r0, 0x1, 0x70bd27, 0x25dfdbfd, {}, [@ETHTOOL_A_LINKINFO_HEADER={0x18, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'gretap0\x00'}]}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x4004)
executing program 34:
r0 = syz_genetlink_get_family_id$auto_ethtool(&(0x7f0000006140), 0xffffffffffffffff)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$auto_ETHTOOL_MSG_LINKINFO_SET(r1, &(0x7f0000006800)={0x0, 0x0, &(0x7f00000067c0)={&(0x7f0000006740)={0x2c, r0, 0x1, 0x70bd27, 0x25dfdbfd, {}, [@ETHTOOL_A_LINKINFO_HEADER={0x18, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'gretap0\x00'}]}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x4004)
executing program 5:
socket(0x2, 0x5, 0x0)
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
setsockopt$auto(0x3, 0x10000000084, 0x7f, 0x0, 0x1)
executing program 5:
syz_genetlink_get_family_id$auto_ethtool(&(0x7f0000000580), 0xffffffffffffffff)
mprotect$auto(0x1ffff000, 0x7fffffff, 0x0)
mbind$auto(0x0, 0x100000004, 0x100000000, 0x0, 0x20000000000006, 0x2)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
madvise$auto(0x0, 0xffffffffffff0005, 0x19)
mbind$auto(0x8000, 0xfa9d, 0x2, &(0x7f0000000280)=0x20000000000000fb, 0x3, 0x1)
executing program 0:
socket(0xa, 0x3, 0xff)
connect$auto(0x3, &(0x7f00000018c0)=@generic={0xa}, 0x55)
sendmmsg$auto(0x3, &(0x7f0000000080)={{0x0, 0x2, &(0x7f00000002c0)={0x0, 0xc4}, 0x1, 0x0, 0x0, 0x9}, 0x7}, 0xa, 0x0)
executing program 0:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x405, 0x8000)
r0 = socket(0xa, 0x5, 0x84)
sendto$auto(r0, 0x0, 0x2000f, 0x101, &(0x7f0000000000)=@in={0x2, 0x4e22, @loopback}, 0x1c)
executing program 4:
mmap$auto(0x0, 0x40009, 0xdf, 0x9b72, 0x7, 0x28000)
r0 = openat$auto_v4l2_fops_v4l2_dev(0xffffffffffffff9c, &(0x7f0000000140)='/dev/v4l-touch13\x00', 0x280, 0x0)
ioctl$auto(r0, 0x4020565b, 0x38)
executing program 4:
bpf$auto(0x8, &(0x7f0000000000)=@query={@target_fd, 0xfffffe01, 0xfff, 0x8, 0xfffffffeffffffff, @prog_cnt=0x2, 0x0, 0x2, 0x2, 0xf6, 0xf}, 0x7)
mprotect$auto(0x1ffff000, 0x8000000000000001, 0xd)
pwrite64$auto(0xc8, &(0x7f0000000000)='\vX\xb5n\x91p\xe6\x1eRN8\x99\x86\xdds\x1cJ\x99\x00:2\x14\r>\x94\x1a\xd3\xd3\x1d\xf8\xbebZ\xddL\'\x03\xf1`\x9f\x1e\xf9\xa4\xf8\x15\x02l@\x18*\xc0\xc1\xf2\x14^\x0fo\x84\xfc\x89\v\xea\x1b\x95\xafQ;CL\"\x01\x0e\xa4\xdf\xdav\x1cC\x8a\xeeq\xf0\xcdr\xfa\xa2@X\xb9_\xdd*\xd1\x14^\xbe\xa2', 0x10, 0x3)
executing program 6:
ioctl$auto_SNDRV_CTL_IOCTL_ELEM_READ(0xffffffffffffffff, 0xc4c85512, &(0x7f00000001c0)={{@inferred, 0x66cd, 0xe, 0x71, "2d9520fb7ec91dbc900700000066f1ffe185301b4e352e371e8f750f4d7484cf24fafc91c0c70e6fb0498441"}, 0x0, @enumerated=@item=[0x2, 0x44f71334, 0x1, 0x200, 0xa1, 0x63e, 0x80000001, 0x9, 0x3, 0xfffffffd, 0xbb, 0xfffffff7, 0x0, 0x6, 0x5, 0x7, 0xffff, 0x8, 0xdd7, 0xf, 0x2, 0x40, 0x6034, 0x7fff, 0x1, 0x8, 0x3, 0x2, 0xfffffffa, 0x276, 0x620, 0x8001, 0x7fffffff, 0x80000001, 0x4, 0x9, 0x81, 0xddf6, 0x6, 0x4, 0x1, 0x5, 0x40, 0x6, 0x1, 0x0, 0x3, 0xffffff00, 0x2, 0x1, 0x5, 0x4, 0x6, 0x0, 0x80, 0x2f, 0x8, 0x101, 0x489c, 0x1, 0x6, 0x1, 0x2, 0x7, 0x8, 0x4, 0x9, 0x9, 0x7, 0x0, 0xf, 0xcb, 0x6, 0x7b49, 0x9, 0xd, 0x3, 0x10001, 0x6, 0x428e, 0x3, 0x8, 0x2, 0x6, 0x10001, 0x6, 0xa2c, 0x8, 0x1, 0x9, 0x4, 0x4, 0xfffffc01, 0x0, 0xfffffcca, 0x39, 0xcbf2, 0x80, 0x40000000, 0x80000000, 0x5, 0xffffffea, 0x0, 0xffffff18, 0x6, 0x6694, 0xc, 0xd4ea, 0x5, 0x2, 0x81, 0x6, 0x8, 0x4a90, 0x9, 0xf, 0x2, 0x7, 0x0, 0xb9, 0x2, 0x4, 0x8f04, 0xfff, 0x9, 0x77, 0x58, 0x4], "ed73acd0f01fcb12f1c6824fd270d30da1fe9621575a656ce4c6d4098b4094caf703dd9bb2d915b237e17e9a74ab4bc63062913d45c7a6e0eeb759b4712a6be7642a8a0eaee5e1b71487c74434f5da9f601f2a676159fac607ad76ec43feebf7fe7b76f8eb8e351c6097c4c6713ee799106b65ea99ab3c9fe49bb49570e5806a"})
mprotect$auto(0x1ffff000, 0x8000000000000001, 0xd)
request_key$auto(&(0x7f0000000300)='\xcb\x02\xf7d\xdae\xa2%\x98N\xfdH\x99\x9d\xbe\xf4\t\xb5\xdf\xf1\x82{R\xd8\xa7\xbd\x89\xde\xe0?\x17+\xe7\x17z\xdd\x14\f\xd2\xf3\x01\x82g\xfb\xd3\xf2v\x01!\x9bs\x03\xd0\x813\xb1\x14\x8b\xc9\x1b*\x9a\xec\x17}:\xa3\xac\xb7`\xb1\xd0V:\x8b\xb0\xa0\xff_Co\xe4\xfe\x8e;g\xb0f\xe2\xefG\xd2m\\df\xf6h\x17\x81\xf1p\x11\x9bf\xf3\xb4\xbe\x84z\xbf\xe5\rf}\xde\xdf\xcdc\x01H\xae\xd58\f\xf36\xa2J3^b\x17\xdb\xd2\xae\xdb\xb3(V\xfb\x1b\x992\xff\xa9/\b\xf4\xb1d\x84\fm\xbbuH\xa6v\xff \x91<\\\\\x04\xe8\xe2\x1a\xd9\xaa\xb3\xbdx|\xd4\xeb\x00\x8e\r\xc0\xddq\a\xd3\x9b\x03\xea\xc9a3\xdbw\xe7\xf7\xc1\xbb\xb7f\xd1\xc1\xf8\xae_t\xcf\xc8a`\x8f<\xbf_\x9c|s\xd2\xe2|\xb9\xfd{\n\xadC\xcb\\\x19\xaea\xed!\xe8\x8ee1\xbf\xa1\xdb^eA;\x1f;\xc6L\xeeTd(\x9b\xe4b\x00y\xfaI\x14\xad\xbe\xa4\a\xab\xfb,Q%.\xe7\xcff.\xd2SI\xa5h\x85\xd2\x8aM\xc3\xd2\xc7H\xdf\xec\xeeY\xd0\x81\xf1k\x1d\x18\xe8g8z#\x8b\xe2\xb2]\xe4:p\x99\xba\x93v8I\xe8\x16t\xed\xbb\x043t\xba\x7fu\xbe\xc9I\x86\xb1\xd9\t\x12\xff.\xac\xea\xd6v\x8ff\xeepEu|\xf2\xa2?h\"\xba\xbfg\xca\xa8\vk\xf0\f\x17~\r^\xf3\x16J\xc2\xc9ic\xaen\xb6\xf3\xe1\xcak\'\xa0\x12\xbd\x8d\ti\"\xb6\f\r\xc3\xc2\r\'i\x04\x168\x1e\x00\xb1\xb7\xc1\xec\xf5u*B-\x99\xac\xda\xb3@\xfd9V\xf6\b\b\xa60\xdc\x1e\x1b\x04\x19\xfed\x00w\xed\xc7W\xfd\x99\xdbba\xe8=\xf3\x9c\xaf\xa9`\xe3q\x85\xcaY\xd3\x15y\x04r\xc6,\x16\xec\x8a~\x14\xfb2\v\xa3r/:\xbb\xce\xa2>5\xc5\xdb\x0e\xd0-\xa2\xf6~\x92\x88\x1b\xa3^\xd4nER\x03\xec\xda\\\x11\xe8^\xf8\x8d\xce\x92u\xd7\xd71\xc9%sQ\x98\xcd\xb4B\x92\"2\xf1F\x10\x19\xc4\x83P\x13\xb5\xe7\x8a\xca\xd1\xd7\xbf\xda\x8c\xb9\x1f\\\x9dP`\x01@\xfa \xe7\xea\x81\x10P2F,\xd5\xd8>\xbb\xcdz\x83\x04\xe9', 0x0, 0x0, 0x4008)
executing program 0:
userfaultfd$auto(0x1)
open(&(0x7f0000000000)='./file0\x00', 0xa040, 0x122)
splice$auto(0x4, 0x0, 0x2, 0x0, 0xfffffffffffffffc, 0x4)
executing program 4:
socket$nl_generic(0x10, 0x3, 0x10)
socket$nl_generic(0x10, 0x3, 0x10)
inotify_add_watch$auto(0x4, 0x0, 0xe6e)
executing program 6:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$auto_ovs_packet(&(0x7f0000000040), r0)
sendmsg$auto_OVS_PACKET_CMD_EXECUTE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000001a00)={0x40, r1, 0x1b, 0x70bd26, 0x25dfdbfd, {}, [@OVS_PACKET_ATTR_PROBE={0x4}, @OVS_PACKET_ATTR_ACTIONS={0x10, 0x3, 0x0, 0x1, [@nested={0xc, 0x16, 0x0, 0x1, [@nested={0x4, 0x7}, @nested={0x4, 0x26}]}]}, @OVS_PACKET_ATTR_PACKET={0x12, 0x1, "898771f1c19f1779048590828847"}, @OVS_PACKET_ATTR_KEY={0x4}]}, 0x40}, 0x1, 0x0, 0x0, 0x4004040}, 0xc800)
executing program 5:
openat$auto_proc_reg_file_ops_compat_inode(0xffffffffffffff9c, &(0x7f0000000000)='/proc/asound/modules\x00', 0xa2b40, 0x0)
r0 = socket(0x10, 0x2, 0x14)
sendmsg$auto_ETHTOOL_MSG_CHANNELS_GET(r0, &(0x7f0000003000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)=ANY=[@ANYBLOB="140000000114"], 0x14}}, 0x24000044)
executing program 0:
openat$auto_suspend_stats_fops_(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0)
r0 = socket(0xa, 0x5, 0x84)
sendto$auto(r0, 0x0, 0x401, 0x101, &(0x7f0000000000)=@generic={0xa, "e2e18340cba8fe8000"}, 0x1c)
executing program 4:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
alarm$auto(0xffffffff)
getitimer$auto(0x0, 0x0)
executing program 5:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
mmap$auto(0x0, 0x9, 0x72, 0x8b72, 0x2, 0x8000)
getsockopt$auto(r0, 0x10e, 0xb, 0x0, 0x0)
executing program 0:
socket(0x1, 0x2, 0x0)
socket(0x2b, 0x1, 0x1)
setsockopt$auto(0x4, 0x0, 0x80, 0xfffffffffffffffc, 0x1003f)
executing program 6:
mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x40000000000a5, 0x8000)
r0 = openat$auto_usbdev_file_operations_usb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/bus/usb/006/001\x00', 0xa901, 0x0)
ioctl$auto(r0, 0x4004551e, r0)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)
executing program 4:
mmap$auto(0x0, 0x20009, 0xe2, 0xeb1, 0x405, 0x8000)
r0 = socket(0xa, 0x801, 0x84)
getsockopt$auto(r0, 0x84, 0x4, 0x0, 0x0)
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
mmap$auto(0x0, 0x8, 0xdf, 0x9b72, 0x2, 0x8000)
getsockopt$auto(0x3, 0x200000000001, 0x42, 0x0, 0x0)
executing program 6:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
r0 = socket(0x11, 0x80003, 0x300)
setsockopt$auto(r0, 0x107, 0xc, 0x0, 0x4)
executing program 6:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$auto_ovs_packet(&(0x7f0000000c40), r0)
sendmsg$auto_OVS_PACKET_CMD_EXECUTE(r0, &(0x7f0000001d40)={0x0, 0x0, &(0x7f0000001d00)={&(0x7f00000002c0)={0x3c, r1, 0x1, 0x70bd2b, 0x25dfdbfd, {}, [@OVS_PACKET_ATTR_MRU={0x6, 0x9, 0x9}, @OVS_PACKET_ATTR_MRU={0x6, 0x9, 0x2ee9}, @OVS_PACKET_ATTR_PACKET={0x12, 0x1, "4f1980af25430d91ee91098bd96e"}, @OVS_PACKET_ATTR_KEY={0x4}]}, 0x3c}, 0x1, 0x0, 0x0, 0x8000}, 0x80000)
executing program 4:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
setrlimit$auto(0x1000000007, 0x0)
landlock_create_ruleset$auto(&(0x7f0000000000)={0x6, 0x400, 0x7}, 0x9, 0x0)
executing program 6:
open(&(0x7f0000000000)='./file0\x00', 0x161342, 0x100)
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xfffffffffffffffa, 0x8000)
ioctl$auto(0x3, 0x5460, 0x5)

program did not crash
replaying the whole log did not cause a kernel crash
single: executing 1 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
detailed listing:
executing program 0:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program did not crash
single: failed to extract reproducer
bisect: bisecting 45 programs with base timeout 1m40s
testing program (duration=1m51s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3]
detailed listing:
executing program 1:
rmdir$auto(&(0x7f0000000100)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00')
executing program 1:
socketpair$auto(0x2d, 0x6, 0x6, &(0x7f0000000000)=0x4)
executing program 1:
openat$auto_severities_coverage_fops_severity(0xffffffffffffff9c, &(0x7f0000000880), 0x0, 0x0)
executing program 1:
bpf$auto(0x0, &(0x7f00000001c0)=@task_fd_query={0xa, 0x4, 0x200, 0x2, 0x8, 0x9, 0x66b, 0x0, 0x3}, 0x6f4)
executing program 1:
rt_sigqueueinfo$auto(0x1, 0x7, &(0x7f0000000040)={@siginfo_0_0={0x0, 0x5, 0xfffffffb, @_sigpoll={0x52, 0x7}}})
executing program 1:
request_key$auto(&(0x7f0000000380)=':/*(}--^{^\x00', &(0x7f00000003c0)='\x00', &(0x7f0000000400)='#\x00', 0x1)
executing program 32:
request_key$auto(&(0x7f0000000380)=':/*(}--^{^\x00', &(0x7f00000003c0)='\x00', &(0x7f0000000400)='#\x00', 0x1)
executing program 2:
r0 = openat$auto_proc_pid_numa_maps_operations_internal(0xffffffffffffff9c, &(0x7f0000000000)='/proc/thread-self/numa_maps\x00', 0x121240, 0x0)
read$auto_proc_pid_numa_maps_operations_internal(r0, &(0x7f0000000040)=""/4096, 0x1000)
executing program 2:
r0 = openat$auto_sco_debugfs_fops_(0xffffffffffffff9c, &(0x7f0000000000), 0x242, 0x0)
read$auto_sco_debugfs_fops_(r0, &(0x7f0000000140)=""/211, 0xd3)
executing program 2:
mmap$auto(0x0, 0x400005, 0xfffffffffffffffe, 0x9b72, 0xc76, 0x8000)
mremap$auto(0x0, 0x7, 0x10000000003fd6, 0x3, 0x20000000)
executing program 2:
r0 = openat$auto_tracing_mark_raw_fops_trace(0xffffffffffffff9c, &(0x7f0000000000)='/sys/kernel/debug/tracing/trace_marker_raw\x00', 0xc05, 0x0)
write$auto_tracing_mark_raw_fops_trace(r0, 0x0, 0x68)
executing program 2:
setresuid$auto(0xffffffffffffffff, 0x8, 0x8000)
tkill$auto(0x80000000000001, 0x7)
executing program 2:
r0 = openat$auto_raw_fops_raw_gadget(0xffffffffffffff9c, &(0x7f0000000000), 0x440, 0x0)
ioctl$auto_USB_RAW_IOCTL_EP_READ(r0, 0xc0085508, &(0x7f0000000040)={0x9, 0x0, 0x80})
executing program 33:
r0 = openat$auto_raw_fops_raw_gadget(0xffffffffffffff9c, &(0x7f0000000000), 0x440, 0x0)
ioctl$auto_USB_RAW_IOCTL_EP_READ(r0, 0xc0085508, &(0x7f0000000040)={0x9, 0x0, 0x80})
executing program 3:
mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x401, 0x8000)
socket(0x1e, 0x1, 0x0)
ioctl$auto(0x3, 0x89e1, 0x91)
executing program 3:
r0 = syz_genetlink_get_family_id$auto_tipcv2(&(0x7f0000000180), 0xffffffffffffffff)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$auto_TIPC_NL_MON_PEER_GET(r1, &(0x7f0000006140)={0x0, 0x0, &(0x7f0000006100)={&(0x7f00000034c0)={0x18, r0, 0x711, 0x70bd2c, 0x25dfdbff, {}, [@TIPC_NLA_MON={0x4}]}, 0x18}, 0x1, 0x0, 0x0, 0x4401}, 0x4c848)
executing program 3:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$auto_ioam6(&(0x7f0000000180), 0xffffffffffffffff)
sendmsg$auto_IOAM6_CMD_ADD_SCHEMA(r0, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000001c0)={0x14, r1, 0x1, 0x70bd29, 0x25dfdbfe}, 0x14}, 0x1, 0x0, 0x0, 0x4}, 0x0)
executing program 3:
r0 = syz_genetlink_get_family_id$auto_ovs_flow(&(0x7f0000000180), 0xffffffffffffffff)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$auto_OVS_FLOW_CMD_GET(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=ANY=[@ANYBLOB='0\x00\x00\x00', @ANYRES16=r0, @ANYBLOB="010029bd700002dcdf250300000004000879180001801400108008000800ac1414bb080001"], 0x30}, 0x1, 0x0, 0x0, 0x200400f0}, 0x800)
executing program 3:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
prctl$auto(0x1000000003b, 0x1, 0x4, 0x5, 0x7)
rt_sigqueueinfo$auto(0x1, 0x7, &(0x7f0000000040)={@siginfo_0_0={0x0, 0x5, 0xfffffffb, @_sigpoll={0x52, 0x7}}})
executing program 3:
r0 = syz_genetlink_get_family_id$auto_ethtool(&(0x7f0000006140), 0xffffffffffffffff)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$auto_ETHTOOL_MSG_LINKINFO_SET(r1, &(0x7f0000006800)={0x0, 0x0, &(0x7f00000067c0)={&(0x7f0000006740)={0x2c, r0, 0x1, 0x70bd27, 0x25dfdbfd, {}, [@ETHTOOL_A_LINKINFO_HEADER={0x18, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'gretap0\x00'}]}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x4004)
executing program 34:
r0 = syz_genetlink_get_family_id$auto_ethtool(&(0x7f0000006140), 0xffffffffffffffff)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$auto_ETHTOOL_MSG_LINKINFO_SET(r1, &(0x7f0000006800)={0x0, 0x0, &(0x7f00000067c0)={&(0x7f0000006740)={0x2c, r0, 0x1, 0x70bd27, 0x25dfdbfd, {}, [@ETHTOOL_A_LINKINFO_HEADER={0x18, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'gretap0\x00'}]}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x4004)
executing program 5:
socket(0x2, 0x5, 0x0)
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
setsockopt$auto(0x3, 0x10000000084, 0x7f, 0x0, 0x1)
executing program 5:
syz_genetlink_get_family_id$auto_ethtool(&(0x7f0000000580), 0xffffffffffffffff)
mprotect$auto(0x1ffff000, 0x7fffffff, 0x0)
mbind$auto(0x0, 0x100000004, 0x100000000, 0x0, 0x20000000000006, 0x2)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
madvise$auto(0x0, 0xffffffffffff0005, 0x19)
mbind$auto(0x8000, 0xfa9d, 0x2, &(0x7f0000000280)=0x20000000000000fb, 0x3, 0x1)
executing program 0:
socket(0xa, 0x3, 0xff)
connect$auto(0x3, &(0x7f00000018c0)=@generic={0xa}, 0x55)
sendmmsg$auto(0x3, &(0x7f0000000080)={{0x0, 0x2, &(0x7f00000002c0)={0x0, 0xc4}, 0x1, 0x0, 0x0, 0x9}, 0x7}, 0xa, 0x0)
executing program 0:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x405, 0x8000)
r0 = socket(0xa, 0x5, 0x84)
sendto$auto(r0, 0x0, 0x2000f, 0x101, &(0x7f0000000000)=@in={0x2, 0x4e22, @loopback}, 0x1c)
executing program 4:
mmap$auto(0x0, 0x40009, 0xdf, 0x9b72, 0x7, 0x28000)
r0 = openat$auto_v4l2_fops_v4l2_dev(0xffffffffffffff9c, &(0x7f0000000140)='/dev/v4l-touch13\x00', 0x280, 0x0)
ioctl$auto(r0, 0x4020565b, 0x38)
executing program 4:
bpf$auto(0x8, &(0x7f0000000000)=@query={@target_fd, 0xfffffe01, 0xfff, 0x8, 0xfffffffeffffffff, @prog_cnt=0x2, 0x0, 0x2, 0x2, 0xf6, 0xf}, 0x7)
mprotect$auto(0x1ffff000, 0x8000000000000001, 0xd)
pwrite64$auto(0xc8, &(0x7f0000000000)='\vX\xb5n\x91p\xe6\x1eRN8\x99\x86\xdds\x1cJ\x99\x00:2\x14\r>\x94\x1a\xd3\xd3\x1d\xf8\xbebZ\xddL\'\x03\xf1`\x9f\x1e\xf9\xa4\xf8\x15\x02l@\x18*\xc0\xc1\xf2\x14^\x0fo\x84\xfc\x89\v\xea\x1b\x95\xafQ;CL\"\x01\x0e\xa4\xdf\xdav\x1cC\x8a\xeeq\xf0\xcdr\xfa\xa2@X\xb9_\xdd*\xd1\x14^\xbe\xa2', 0x10, 0x3)
executing program 6:
ioctl$auto_SNDRV_CTL_IOCTL_ELEM_READ(0xffffffffffffffff, 0xc4c85512, &(0x7f00000001c0)={{@inferred, 0x66cd, 0xe, 0x71, "2d9520fb7ec91dbc900700000066f1ffe185301b4e352e371e8f750f4d7484cf24fafc91c0c70e6fb0498441"}, 0x0, @enumerated=@item=[0x2, 0x44f71334, 0x1, 0x200, 0xa1, 0x63e, 0x80000001, 0x9, 0x3, 0xfffffffd, 0xbb, 0xfffffff7, 0x0, 0x6, 0x5, 0x7, 0xffff, 0x8, 0xdd7, 0xf, 0x2, 0x40, 0x6034, 0x7fff, 0x1, 0x8, 0x3, 0x2, 0xfffffffa, 0x276, 0x620, 0x8001, 0x7fffffff, 0x80000001, 0x4, 0x9, 0x81, 0xddf6, 0x6, 0x4, 0x1, 0x5, 0x40, 0x6, 0x1, 0x0, 0x3, 0xffffff00, 0x2, 0x1, 0x5, 0x4, 0x6, 0x0, 0x80, 0x2f, 0x8, 0x101, 0x489c, 0x1, 0x6, 0x1, 0x2, 0x7, 0x8, 0x4, 0x9, 0x9, 0x7, 0x0, 0xf, 0xcb, 0x6, 0x7b49, 0x9, 0xd, 0x3, 0x10001, 0x6, 0x428e, 0x3, 0x8, 0x2, 0x6, 0x10001, 0x6, 0xa2c, 0x8, 0x1, 0x9, 0x4, 0x4, 0xfffffc01, 0x0, 0xfffffcca, 0x39, 0xcbf2, 0x80, 0x40000000, 0x80000000, 0x5, 0xffffffea, 0x0, 0xffffff18, 0x6, 0x6694, 0xc, 0xd4ea, 0x5, 0x2, 0x81, 0x6, 0x8, 0x4a90, 0x9, 0xf, 0x2, 0x7, 0x0, 0xb9, 0x2, 0x4, 0x8f04, 0xfff, 0x9, 0x77, 0x58, 0x4], "ed73acd0f01fcb12f1c6824fd270d30da1fe9621575a656ce4c6d4098b4094caf703dd9bb2d915b237e17e9a74ab4bc63062913d45c7a6e0eeb759b4712a6be7642a8a0eaee5e1b71487c74434f5da9f601f2a676159fac607ad76ec43feebf7fe7b76f8eb8e351c6097c4c6713ee799106b65ea99ab3c9fe49bb49570e5806a"})
mprotect$auto(0x1ffff000, 0x8000000000000001, 0xd)
request_key$auto(&(0x7f0000000300)='\xcb\x02\xf7d\xdae\xa2%\x98N\xfdH\x99\x9d\xbe\xf4\t\xb5\xdf\xf1\x82{R\xd8\xa7\xbd\x89\xde\xe0?\x17+\xe7\x17z\xdd\x14\f\xd2\xf3\x01\x82g\xfb\xd3\xf2v\x01!\x9bs\x03\xd0\x813\xb1\x14\x8b\xc9\x1b*\x9a\xec\x17}:\xa3\xac\xb7`\xb1\xd0V:\x8b\xb0\xa0\xff_Co\xe4\xfe\x8e;g\xb0f\xe2\xefG\xd2m\\df\xf6h\x17\x81\xf1p\x11\x9bf\xf3\xb4\xbe\x84z\xbf\xe5\rf}\xde\xdf\xcdc\x01H\xae\xd58\f\xf36\xa2J3^b\x17\xdb\xd2\xae\xdb\xb3(V\xfb\x1b\x992\xff\xa9/\b\xf4\xb1d\x84\fm\xbbuH\xa6v\xff \x91<\\\\\x04\xe8\xe2\x1a\xd9\xaa\xb3\xbdx|\xd4\xeb\x00\x8e\r\xc0\xddq\a\xd3\x9b\x03\xea\xc9a3\xdbw\xe7\xf7\xc1\xbb\xb7f\xd1\xc1\xf8\xae_t\xcf\xc8a`\x8f<\xbf_\x9c|s\xd2\xe2|\xb9\xfd{\n\xadC\xcb\\\x19\xaea\xed!\xe8\x8ee1\xbf\xa1\xdb^eA;\x1f;\xc6L\xeeTd(\x9b\xe4b\x00y\xfaI\x14\xad\xbe\xa4\a\xab\xfb,Q%.\xe7\xcff.\xd2SI\xa5h\x85\xd2\x8aM\xc3\xd2\xc7H\xdf\xec\xeeY\xd0\x81\xf1k\x1d\x18\xe8g8z#\x8b\xe2\xb2]\xe4:p\x99\xba\x93v8I\xe8\x16t\xed\xbb\x043t\xba\x7fu\xbe\xc9I\x86\xb1\xd9\t\x12\xff.\xac\xea\xd6v\x8ff\xeepEu|\xf2\xa2?h\"\xba\xbfg\xca\xa8\vk\xf0\f\x17~\r^\xf3\x16J\xc2\xc9ic\xaen\xb6\xf3\xe1\xcak\'\xa0\x12\xbd\x8d\ti\"\xb6\f\r\xc3\xc2\r\'i\x04\x168\x1e\x00\xb1\xb7\xc1\xec\xf5u*B-\x99\xac\xda\xb3@\xfd9V\xf6\b\b\xa60\xdc\x1e\x1b\x04\x19\xfed\x00w\xed\xc7W\xfd\x99\xdbba\xe8=\xf3\x9c\xaf\xa9`\xe3q\x85\xcaY\xd3\x15y\x04r\xc6,\x16\xec\x8a~\x14\xfb2\v\xa3r/:\xbb\xce\xa2>5\xc5\xdb\x0e\xd0-\xa2\xf6~\x92\x88\x1b\xa3^\xd4nER\x03\xec\xda\\\x11\xe8^\xf8\x8d\xce\x92u\xd7\xd71\xc9%sQ\x98\xcd\xb4B\x92\"2\xf1F\x10\x19\xc4\x83P\x13\xb5\xe7\x8a\xca\xd1\xd7\xbf\xda\x8c\xb9\x1f\\\x9dP`\x01@\xfa \xe7\xea\x81\x10P2F,\xd5\xd8>\xbb\xcdz\x83\x04\xe9', 0x0, 0x0, 0x4008)
executing program 0:
userfaultfd$auto(0x1)
open(&(0x7f0000000000)='./file0\x00', 0xa040, 0x122)
splice$auto(0x4, 0x0, 0x2, 0x0, 0xfffffffffffffffc, 0x4)
executing program 4:
socket$nl_generic(0x10, 0x3, 0x10)
socket$nl_generic(0x10, 0x3, 0x10)
inotify_add_watch$auto(0x4, 0x0, 0xe6e)
executing program 6:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$auto_ovs_packet(&(0x7f0000000040), r0)
sendmsg$auto_OVS_PACKET_CMD_EXECUTE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000001a00)={0x40, r1, 0x1b, 0x70bd26, 0x25dfdbfd, {}, [@OVS_PACKET_ATTR_PROBE={0x4}, @OVS_PACKET_ATTR_ACTIONS={0x10, 0x3, 0x0, 0x1, [@nested={0xc, 0x16, 0x0, 0x1, [@nested={0x4, 0x7}, @nested={0x4, 0x26}]}]}, @OVS_PACKET_ATTR_PACKET={0x12, 0x1, "898771f1c19f1779048590828847"}, @OVS_PACKET_ATTR_KEY={0x4}]}, 0x40}, 0x1, 0x0, 0x0, 0x4004040}, 0xc800)
executing program 5:
openat$auto_proc_reg_file_ops_compat_inode(0xffffffffffffff9c, &(0x7f0000000000)='/proc/asound/modules\x00', 0xa2b40, 0x0)
r0 = socket(0x10, 0x2, 0x14)
sendmsg$auto_ETHTOOL_MSG_CHANNELS_GET(r0, &(0x7f0000003000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)=ANY=[@ANYBLOB="140000000114"], 0x14}}, 0x24000044)
executing program 0:
openat$auto_suspend_stats_fops_(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0)
r0 = socket(0xa, 0x5, 0x84)
sendto$auto(r0, 0x0, 0x401, 0x101, &(0x7f0000000000)=@generic={0xa, "e2e18340cba8fe8000"}, 0x1c)
executing program 4:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
alarm$auto(0xffffffff)
getitimer$auto(0x0, 0x0)
executing program 5:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
mmap$auto(0x0, 0x9, 0x72, 0x8b72, 0x2, 0x8000)
getsockopt$auto(r0, 0x10e, 0xb, 0x0, 0x0)
executing program 0:
socket(0x1, 0x2, 0x0)
socket(0x2b, 0x1, 0x1)
setsockopt$auto(0x4, 0x0, 0x80, 0xfffffffffffffffc, 0x1003f)
executing program 6:
mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x40000000000a5, 0x8000)
r0 = openat$auto_usbdev_file_operations_usb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/bus/usb/006/001\x00', 0xa901, 0x0)
ioctl$auto(r0, 0x4004551e, r0)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)
executing program 4:
mmap$auto(0x0, 0x20009, 0xe2, 0xeb1, 0x405, 0x8000)
r0 = socket(0xa, 0x801, 0x84)
getsockopt$auto(r0, 0x84, 0x4, 0x0, 0x0)
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
mmap$auto(0x0, 0x8, 0xdf, 0x9b72, 0x2, 0x8000)
getsockopt$auto(0x3, 0x200000000001, 0x42, 0x0, 0x0)
executing program 6:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
r0 = socket(0x11, 0x80003, 0x300)
setsockopt$auto(r0, 0x107, 0xc, 0x0, 0x4)
executing program 6:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$auto_ovs_packet(&(0x7f0000000c40), r0)
sendmsg$auto_OVS_PACKET_CMD_EXECUTE(r0, &(0x7f0000001d40)={0x0, 0x0, &(0x7f0000001d00)={&(0x7f00000002c0)={0x3c, r1, 0x1, 0x70bd2b, 0x25dfdbfd, {}, [@OVS_PACKET_ATTR_MRU={0x6, 0x9, 0x9}, @OVS_PACKET_ATTR_MRU={0x6, 0x9, 0x2ee9}, @OVS_PACKET_ATTR_PACKET={0x12, 0x1, "4f1980af25430d91ee91098bd96e"}, @OVS_PACKET_ATTR_KEY={0x4}]}, 0x3c}, 0x1, 0x0, 0x0, 0x8000}, 0x80000)
executing program 4:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
setrlimit$auto(0x1000000007, 0x0)
landlock_create_ruleset$auto(&(0x7f0000000000)={0x6, 0x400, 0x7}, 0x9, 0x0)
executing program 6:
open(&(0x7f0000000000)='./file0\x00', 0x161342, 0x100)
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xfffffffffffffffa, 0x8000)
ioctl$auto(0x3, 0x5460, 0x5)

program crashed: KASAN: slab-use-after-free Read in force_devcd_write
bisect: bisecting 45 programs
bisect: split chunks (needed=false): <44>
bisect: split chunk #0 of len 44 into 3 parts
bisect: testing without sub-chunk 1/3
testing program (duration=1m47s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3]
detailed listing:
executing program 3:
r0 = syz_genetlink_get_family_id$auto_tipcv2(&(0x7f0000000180), 0xffffffffffffffff)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$auto_TIPC_NL_MON_PEER_GET(r1, &(0x7f0000006140)={0x0, 0x0, &(0x7f0000006100)={&(0x7f00000034c0)={0x18, r0, 0x711, 0x70bd2c, 0x25dfdbff, {}, [@TIPC_NLA_MON={0x4}]}, 0x18}, 0x1, 0x0, 0x0, 0x4401}, 0x4c848)
executing program 3:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$auto_ioam6(&(0x7f0000000180), 0xffffffffffffffff)
sendmsg$auto_IOAM6_CMD_ADD_SCHEMA(r0, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000001c0)={0x14, r1, 0x1, 0x70bd29, 0x25dfdbfe}, 0x14}, 0x1, 0x0, 0x0, 0x4}, 0x0)
executing program 3:
r0 = syz_genetlink_get_family_id$auto_ovs_flow(&(0x7f0000000180), 0xffffffffffffffff)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$auto_OVS_FLOW_CMD_GET(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=ANY=[@ANYBLOB='0\x00\x00\x00', @ANYRES16=r0, @ANYBLOB="010029bd700002dcdf250300000004000879180001801400108008000800ac1414bb080001"], 0x30}, 0x1, 0x0, 0x0, 0x200400f0}, 0x800)
executing program 3:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
prctl$auto(0x1000000003b, 0x1, 0x4, 0x5, 0x7)
rt_sigqueueinfo$auto(0x1, 0x7, &(0x7f0000000040)={@siginfo_0_0={0x0, 0x5, 0xfffffffb, @_sigpoll={0x52, 0x7}}})
executing program 3:
r0 = syz_genetlink_get_family_id$auto_ethtool(&(0x7f0000006140), 0xffffffffffffffff)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$auto_ETHTOOL_MSG_LINKINFO_SET(r1, &(0x7f0000006800)={0x0, 0x0, &(0x7f00000067c0)={&(0x7f0000006740)={0x2c, r0, 0x1, 0x70bd27, 0x25dfdbfd, {}, [@ETHTOOL_A_LINKINFO_HEADER={0x18, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'gretap0\x00'}]}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x4004)
executing program 34:
r0 = syz_genetlink_get_family_id$auto_ethtool(&(0x7f0000006140), 0xffffffffffffffff)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$auto_ETHTOOL_MSG_LINKINFO_SET(r1, &(0x7f0000006800)={0x0, 0x0, &(0x7f00000067c0)={&(0x7f0000006740)={0x2c, r0, 0x1, 0x70bd27, 0x25dfdbfd, {}, [@ETHTOOL_A_LINKINFO_HEADER={0x18, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'gretap0\x00'}]}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x4004)
executing program 5:
socket(0x2, 0x5, 0x0)
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
setsockopt$auto(0x3, 0x10000000084, 0x7f, 0x0, 0x1)
executing program 5:
syz_genetlink_get_family_id$auto_ethtool(&(0x7f0000000580), 0xffffffffffffffff)
mprotect$auto(0x1ffff000, 0x7fffffff, 0x0)
mbind$auto(0x0, 0x100000004, 0x100000000, 0x0, 0x20000000000006, 0x2)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
madvise$auto(0x0, 0xffffffffffff0005, 0x19)
mbind$auto(0x8000, 0xfa9d, 0x2, &(0x7f0000000280)=0x20000000000000fb, 0x3, 0x1)
executing program 0:
socket(0xa, 0x3, 0xff)
connect$auto(0x3, &(0x7f00000018c0)=@generic={0xa}, 0x55)
sendmmsg$auto(0x3, &(0x7f0000000080)={{0x0, 0x2, &(0x7f00000002c0)={0x0, 0xc4}, 0x1, 0x0, 0x0, 0x9}, 0x7}, 0xa, 0x0)
executing program 0:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x405, 0x8000)
r0 = socket(0xa, 0x5, 0x84)
sendto$auto(r0, 0x0, 0x2000f, 0x101, &(0x7f0000000000)=@in={0x2, 0x4e22, @loopback}, 0x1c)
executing program 4:
mmap$auto(0x0, 0x40009, 0xdf, 0x9b72, 0x7, 0x28000)
r0 = openat$auto_v4l2_fops_v4l2_dev(0xffffffffffffff9c, &(0x7f0000000140)='/dev/v4l-touch13\x00', 0x280, 0x0)
ioctl$auto(r0, 0x4020565b, 0x38)
executing program 4:
bpf$auto(0x8, &(0x7f0000000000)=@query={@target_fd, 0xfffffe01, 0xfff, 0x8, 0xfffffffeffffffff, @prog_cnt=0x2, 0x0, 0x2, 0x2, 0xf6, 0xf}, 0x7)
mprotect$auto(0x1ffff000, 0x8000000000000001, 0xd)
pwrite64$auto(0xc8, &(0x7f0000000000)='\vX\xb5n\x91p\xe6\x1eRN8\x99\x86\xdds\x1cJ\x99\x00:2\x14\r>\x94\x1a\xd3\xd3\x1d\xf8\xbebZ\xddL\'\x03\xf1`\x9f\x1e\xf9\xa4\xf8\x15\x02l@\x18*\xc0\xc1\xf2\x14^\x0fo\x84\xfc\x89\v\xea\x1b\x95\xafQ;CL\"\x01\x0e\xa4\xdf\xdav\x1cC\x8a\xeeq\xf0\xcdr\xfa\xa2@X\xb9_\xdd*\xd1\x14^\xbe\xa2', 0x10, 0x3)
executing program 6:
ioctl$auto_SNDRV_CTL_IOCTL_ELEM_READ(0xffffffffffffffff, 0xc4c85512, &(0x7f00000001c0)={{@inferred, 0x66cd, 0xe, 0x71, "2d9520fb7ec91dbc900700000066f1ffe185301b4e352e371e8f750f4d7484cf24fafc91c0c70e6fb0498441"}, 0x0, @enumerated=@item=[0x2, 0x44f71334, 0x1, 0x200, 0xa1, 0x63e, 0x80000001, 0x9, 0x3, 0xfffffffd, 0xbb, 0xfffffff7, 0x0, 0x6, 0x5, 0x7, 0xffff, 0x8, 0xdd7, 0xf, 0x2, 0x40, 0x6034, 0x7fff, 0x1, 0x8, 0x3, 0x2, 0xfffffffa, 0x276, 0x620, 0x8001, 0x7fffffff, 0x80000001, 0x4, 0x9, 0x81, 0xddf6, 0x6, 0x4, 0x1, 0x5, 0x40, 0x6, 0x1, 0x0, 0x3, 0xffffff00, 0x2, 0x1, 0x5, 0x4, 0x6, 0x0, 0x80, 0x2f, 0x8, 0x101, 0x489c, 0x1, 0x6, 0x1, 0x2, 0x7, 0x8, 0x4, 0x9, 0x9, 0x7, 0x0, 0xf, 0xcb, 0x6, 0x7b49, 0x9, 0xd, 0x3, 0x10001, 0x6, 0x428e, 0x3, 0x8, 0x2, 0x6, 0x10001, 0x6, 0xa2c, 0x8, 0x1, 0x9, 0x4, 0x4, 0xfffffc01, 0x0, 0xfffffcca, 0x39, 0xcbf2, 0x80, 0x40000000, 0x80000000, 0x5, 0xffffffea, 0x0, 0xffffff18, 0x6, 0x6694, 0xc, 0xd4ea, 0x5, 0x2, 0x81, 0x6, 0x8, 0x4a90, 0x9, 0xf, 0x2, 0x7, 0x0, 0xb9, 0x2, 0x4, 0x8f04, 0xfff, 0x9, 0x77, 0x58, 0x4], "ed73acd0f01fcb12f1c6824fd270d30da1fe9621575a656ce4c6d4098b4094caf703dd9bb2d915b237e17e9a74ab4bc63062913d45c7a6e0eeb759b4712a6be7642a8a0eaee5e1b71487c74434f5da9f601f2a676159fac607ad76ec43feebf7fe7b76f8eb8e351c6097c4c6713ee799106b65ea99ab3c9fe49bb49570e5806a"})
mprotect$auto(0x1ffff000, 0x8000000000000001, 0xd)
request_key$auto(&(0x7f0000000300)='\xcb\x02\xf7d\xdae\xa2%\x98N\xfdH\x99\x9d\xbe\xf4\t\xb5\xdf\xf1\x82{R\xd8\xa7\xbd\x89\xde\xe0?\x17+\xe7\x17z\xdd\x14\f\xd2\xf3\x01\x82g\xfb\xd3\xf2v\x01!\x9bs\x03\xd0\x813\xb1\x14\x8b\xc9\x1b*\x9a\xec\x17}:\xa3\xac\xb7`\xb1\xd0V:\x8b\xb0\xa0\xff_Co\xe4\xfe\x8e;g\xb0f\xe2\xefG\xd2m\\df\xf6h\x17\x81\xf1p\x11\x9bf\xf3\xb4\xbe\x84z\xbf\xe5\rf}\xde\xdf\xcdc\x01H\xae\xd58\f\xf36\xa2J3^b\x17\xdb\xd2\xae\xdb\xb3(V\xfb\x1b\x992\xff\xa9/\b\xf4\xb1d\x84\fm\xbbuH\xa6v\xff \x91<\\\\\x04\xe8\xe2\x1a\xd9\xaa\xb3\xbdx|\xd4\xeb\x00\x8e\r\xc0\xddq\a\xd3\x9b\x03\xea\xc9a3\xdbw\xe7\xf7\xc1\xbb\xb7f\xd1\xc1\xf8\xae_t\xcf\xc8a`\x8f<\xbf_\x9c|s\xd2\xe2|\xb9\xfd{\n\xadC\xcb\\\x19\xaea\xed!\xe8\x8ee1\xbf\xa1\xdb^eA;\x1f;\xc6L\xeeTd(\x9b\xe4b\x00y\xfaI\x14\xad\xbe\xa4\a\xab\xfb,Q%.\xe7\xcff.\xd2SI\xa5h\x85\xd2\x8aM\xc3\xd2\xc7H\xdf\xec\xeeY\xd0\x81\xf1k\x1d\x18\xe8g8z#\x8b\xe2\xb2]\xe4:p\x99\xba\x93v8I\xe8\x16t\xed\xbb\x043t\xba\x7fu\xbe\xc9I\x86\xb1\xd9\t\x12\xff.\xac\xea\xd6v\x8ff\xeepEu|\xf2\xa2?h\"\xba\xbfg\xca\xa8\vk\xf0\f\x17~\r^\xf3\x16J\xc2\xc9ic\xaen\xb6\xf3\xe1\xcak\'\xa0\x12\xbd\x8d\ti\"\xb6\f\r\xc3\xc2\r\'i\x04\x168\x1e\x00\xb1\xb7\xc1\xec\xf5u*B-\x99\xac\xda\xb3@\xfd9V\xf6\b\b\xa60\xdc\x1e\x1b\x04\x19\xfed\x00w\xed\xc7W\xfd\x99\xdbba\xe8=\xf3\x9c\xaf\xa9`\xe3q\x85\xcaY\xd3\x15y\x04r\xc6,\x16\xec\x8a~\x14\xfb2\v\xa3r/:\xbb\xce\xa2>5\xc5\xdb\x0e\xd0-\xa2\xf6~\x92\x88\x1b\xa3^\xd4nER\x03\xec\xda\\\x11\xe8^\xf8\x8d\xce\x92u\xd7\xd71\xc9%sQ\x98\xcd\xb4B\x92\"2\xf1F\x10\x19\xc4\x83P\x13\xb5\xe7\x8a\xca\xd1\xd7\xbf\xda\x8c\xb9\x1f\\\x9dP`\x01@\xfa \xe7\xea\x81\x10P2F,\xd5\xd8>\xbb\xcdz\x83\x04\xe9', 0x0, 0x0, 0x4008)
executing program 0:
userfaultfd$auto(0x1)
open(&(0x7f0000000000)='./file0\x00', 0xa040, 0x122)
splice$auto(0x4, 0x0, 0x2, 0x0, 0xfffffffffffffffc, 0x4)
executing program 4:
socket$nl_generic(0x10, 0x3, 0x10)
socket$nl_generic(0x10, 0x3, 0x10)
inotify_add_watch$auto(0x4, 0x0, 0xe6e)
executing program 6:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$auto_ovs_packet(&(0x7f0000000040), r0)
sendmsg$auto_OVS_PACKET_CMD_EXECUTE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000001a00)={0x40, r1, 0x1b, 0x70bd26, 0x25dfdbfd, {}, [@OVS_PACKET_ATTR_PROBE={0x4}, @OVS_PACKET_ATTR_ACTIONS={0x10, 0x3, 0x0, 0x1, [@nested={0xc, 0x16, 0x0, 0x1, [@nested={0x4, 0x7}, @nested={0x4, 0x26}]}]}, @OVS_PACKET_ATTR_PACKET={0x12, 0x1, "898771f1c19f1779048590828847"}, @OVS_PACKET_ATTR_KEY={0x4}]}, 0x40}, 0x1, 0x0, 0x0, 0x4004040}, 0xc800)
executing program 5:
openat$auto_proc_reg_file_ops_compat_inode(0xffffffffffffff9c, &(0x7f0000000000)='/proc/asound/modules\x00', 0xa2b40, 0x0)
r0 = socket(0x10, 0x2, 0x14)
sendmsg$auto_ETHTOOL_MSG_CHANNELS_GET(r0, &(0x7f0000003000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)=ANY=[@ANYBLOB="140000000114"], 0x14}}, 0x24000044)
executing program 0:
openat$auto_suspend_stats_fops_(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0)
r0 = socket(0xa, 0x5, 0x84)
sendto$auto(r0, 0x0, 0x401, 0x101, &(0x7f0000000000)=@generic={0xa, "e2e18340cba8fe8000"}, 0x1c)
executing program 4:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
alarm$auto(0xffffffff)
getitimer$auto(0x0, 0x0)
executing program 5:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
mmap$auto(0x0, 0x9, 0x72, 0x8b72, 0x2, 0x8000)
getsockopt$auto(r0, 0x10e, 0xb, 0x0, 0x0)
executing program 0:
socket(0x1, 0x2, 0x0)
socket(0x2b, 0x1, 0x1)
setsockopt$auto(0x4, 0x0, 0x80, 0xfffffffffffffffc, 0x1003f)
executing program 6:
mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x40000000000a5, 0x8000)
r0 = openat$auto_usbdev_file_operations_usb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/bus/usb/006/001\x00', 0xa901, 0x0)
ioctl$auto(r0, 0x4004551e, r0)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)
executing program 4:
mmap$auto(0x0, 0x20009, 0xe2, 0xeb1, 0x405, 0x8000)
r0 = socket(0xa, 0x801, 0x84)
getsockopt$auto(r0, 0x84, 0x4, 0x0, 0x0)
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
mmap$auto(0x0, 0x8, 0xdf, 0x9b72, 0x2, 0x8000)
getsockopt$auto(0x3, 0x200000000001, 0x42, 0x0, 0x0)
executing program 6:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
r0 = socket(0x11, 0x80003, 0x300)
setsockopt$auto(r0, 0x107, 0xc, 0x0, 0x4)
executing program 6:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$auto_ovs_packet(&(0x7f0000000c40), r0)
sendmsg$auto_OVS_PACKET_CMD_EXECUTE(r0, &(0x7f0000001d40)={0x0, 0x0, &(0x7f0000001d00)={&(0x7f00000002c0)={0x3c, r1, 0x1, 0x70bd2b, 0x25dfdbfd, {}, [@OVS_PACKET_ATTR_MRU={0x6, 0x9, 0x9}, @OVS_PACKET_ATTR_MRU={0x6, 0x9, 0x2ee9}, @OVS_PACKET_ATTR_PACKET={0x12, 0x1, "4f1980af25430d91ee91098bd96e"}, @OVS_PACKET_ATTR_KEY={0x4}]}, 0x3c}, 0x1, 0x0, 0x0, 0x8000}, 0x80000)
executing program 4:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
setrlimit$auto(0x1000000007, 0x0)
landlock_create_ruleset$auto(&(0x7f0000000000)={0x6, 0x400, 0x7}, 0x9, 0x0)
executing program 6:
open(&(0x7f0000000000)='./file0\x00', 0x161342, 0x100)
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xfffffffffffffffa, 0x8000)
ioctl$auto(0x3, 0x5460, 0x5)

program crashed: WARNING: ODEBUG bug in hci_release_dev
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/3
testing program (duration=1m43s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3]
detailed listing:
executing program 4:
socket$nl_generic(0x10, 0x3, 0x10)
socket$nl_generic(0x10, 0x3, 0x10)
inotify_add_watch$auto(0x4, 0x0, 0xe6e)
executing program 6:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$auto_ovs_packet(&(0x7f0000000040), r0)
sendmsg$auto_OVS_PACKET_CMD_EXECUTE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000001a00)={0x40, r1, 0x1b, 0x70bd26, 0x25dfdbfd, {}, [@OVS_PACKET_ATTR_PROBE={0x4}, @OVS_PACKET_ATTR_ACTIONS={0x10, 0x3, 0x0, 0x1, [@nested={0xc, 0x16, 0x0, 0x1, [@nested={0x4, 0x7}, @nested={0x4, 0x26}]}]}, @OVS_PACKET_ATTR_PACKET={0x12, 0x1, "898771f1c19f1779048590828847"}, @OVS_PACKET_ATTR_KEY={0x4}]}, 0x40}, 0x1, 0x0, 0x0, 0x4004040}, 0xc800)
executing program 5:
openat$auto_proc_reg_file_ops_compat_inode(0xffffffffffffff9c, &(0x7f0000000000)='/proc/asound/modules\x00', 0xa2b40, 0x0)
r0 = socket(0x10, 0x2, 0x14)
sendmsg$auto_ETHTOOL_MSG_CHANNELS_GET(r0, &(0x7f0000003000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)=ANY=[@ANYBLOB="140000000114"], 0x14}}, 0x24000044)
executing program 0:
openat$auto_suspend_stats_fops_(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0)
r0 = socket(0xa, 0x5, 0x84)
sendto$auto(r0, 0x0, 0x401, 0x101, &(0x7f0000000000)=@generic={0xa, "e2e18340cba8fe8000"}, 0x1c)
executing program 4:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
alarm$auto(0xffffffff)
getitimer$auto(0x0, 0x0)
executing program 5:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
mmap$auto(0x0, 0x9, 0x72, 0x8b72, 0x2, 0x8000)
getsockopt$auto(r0, 0x10e, 0xb, 0x0, 0x0)
executing program 0:
socket(0x1, 0x2, 0x0)
socket(0x2b, 0x1, 0x1)
setsockopt$auto(0x4, 0x0, 0x80, 0xfffffffffffffffc, 0x1003f)
executing program 6:
mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x40000000000a5, 0x8000)
r0 = openat$auto_usbdev_file_operations_usb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/bus/usb/006/001\x00', 0xa901, 0x0)
ioctl$auto(r0, 0x4004551e, r0)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)
executing program 4:
mmap$auto(0x0, 0x20009, 0xe2, 0xeb1, 0x405, 0x8000)
r0 = socket(0xa, 0x801, 0x84)
getsockopt$auto(r0, 0x84, 0x4, 0x0, 0x0)
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
mmap$auto(0x0, 0x8, 0xdf, 0x9b72, 0x2, 0x8000)
getsockopt$auto(0x3, 0x200000000001, 0x42, 0x0, 0x0)
executing program 6:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
r0 = socket(0x11, 0x80003, 0x300)
setsockopt$auto(r0, 0x107, 0xc, 0x0, 0x4)
executing program 6:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$auto_ovs_packet(&(0x7f0000000c40), r0)
sendmsg$auto_OVS_PACKET_CMD_EXECUTE(r0, &(0x7f0000001d40)={0x0, 0x0, &(0x7f0000001d00)={&(0x7f00000002c0)={0x3c, r1, 0x1, 0x70bd2b, 0x25dfdbfd, {}, [@OVS_PACKET_ATTR_MRU={0x6, 0x9, 0x9}, @OVS_PACKET_ATTR_MRU={0x6, 0x9, 0x2ee9}, @OVS_PACKET_ATTR_PACKET={0x12, 0x1, "4f1980af25430d91ee91098bd96e"}, @OVS_PACKET_ATTR_KEY={0x4}]}, 0x3c}, 0x1, 0x0, 0x0, 0x8000}, 0x80000)
executing program 4:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
setrlimit$auto(0x1000000007, 0x0)
landlock_create_ruleset$auto(&(0x7f0000000000)={0x6, 0x400, 0x7}, 0x9, 0x0)
executing program 6:
open(&(0x7f0000000000)='./file0\x00', 0x161342, 0x100)
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xfffffffffffffffa, 0x8000)
ioctl$auto(0x3, 0x5460, 0x5)

program crashed: KASAN: slab-use-after-free Read in force_devcd_write
bisect: the chunk can be dropped
bisect: testing without sub-chunk 3/3
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
detailed listing:
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program did not crash
bisect: split chunks (needed=true): <14>
bisect: split chunk #0 of len 14 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=1m42s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 3, 3, 3, 3, 3, 3, 3]
detailed listing:
executing program 6:
mmap$auto(0x0, 0x20009, 0xdf, 0xeb1, 0x40000000000a5, 0x8000)
r0 = openat$auto_usbdev_file_operations_usb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/bus/usb/006/001\x00', 0xa901, 0x0)
ioctl$auto(r0, 0x4004551e, r0)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)
executing program 4:
mmap$auto(0x0, 0x20009, 0xe2, 0xeb1, 0x405, 0x8000)
r0 = socket(0xa, 0x801, 0x84)
getsockopt$auto(r0, 0x84, 0x4, 0x0, 0x0)
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
mmap$auto(0x0, 0x8, 0xdf, 0x9b72, 0x2, 0x8000)
getsockopt$auto(0x3, 0x200000000001, 0x42, 0x0, 0x0)
executing program 6:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
r0 = socket(0x11, 0x80003, 0x300)
setsockopt$auto(r0, 0x107, 0xc, 0x0, 0x4)
executing program 6:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$auto_ovs_packet(&(0x7f0000000c40), r0)
sendmsg$auto_OVS_PACKET_CMD_EXECUTE(r0, &(0x7f0000001d40)={0x0, 0x0, &(0x7f0000001d00)={&(0x7f00000002c0)={0x3c, r1, 0x1, 0x70bd2b, 0x25dfdbfd, {}, [@OVS_PACKET_ATTR_MRU={0x6, 0x9, 0x9}, @OVS_PACKET_ATTR_MRU={0x6, 0x9, 0x2ee9}, @OVS_PACKET_ATTR_PACKET={0x12, 0x1, "4f1980af25430d91ee91098bd96e"}, @OVS_PACKET_ATTR_KEY={0x4}]}, 0x3c}, 0x1, 0x0, 0x0, 0x8000}, 0x80000)
executing program 4:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
setrlimit$auto(0x1000000007, 0x0)
landlock_create_ruleset$auto(&(0x7f0000000000)={0x6, 0x400, 0x7}, 0x9, 0x0)
executing program 6:
open(&(0x7f0000000000)='./file0\x00', 0x161342, 0x100)
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xfffffffffffffffa, 0x8000)
ioctl$auto(0x3, 0x5460, 0x5)

program did not crash
bisect: testing without sub-chunk 2/2
testing program (duration=1m42s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 3, 3, 3, 3, 3, 3, 3]
detailed listing:
executing program 4:
socket$nl_generic(0x10, 0x3, 0x10)
socket$nl_generic(0x10, 0x3, 0x10)
inotify_add_watch$auto(0x4, 0x0, 0xe6e)
executing program 6:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$auto_ovs_packet(&(0x7f0000000040), r0)
sendmsg$auto_OVS_PACKET_CMD_EXECUTE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000001a00)={0x40, r1, 0x1b, 0x70bd26, 0x25dfdbfd, {}, [@OVS_PACKET_ATTR_PROBE={0x4}, @OVS_PACKET_ATTR_ACTIONS={0x10, 0x3, 0x0, 0x1, [@nested={0xc, 0x16, 0x0, 0x1, [@nested={0x4, 0x7}, @nested={0x4, 0x26}]}]}, @OVS_PACKET_ATTR_PACKET={0x12, 0x1, "898771f1c19f1779048590828847"}, @OVS_PACKET_ATTR_KEY={0x4}]}, 0x40}, 0x1, 0x0, 0x0, 0x4004040}, 0xc800)
executing program 5:
openat$auto_proc_reg_file_ops_compat_inode(0xffffffffffffff9c, &(0x7f0000000000)='/proc/asound/modules\x00', 0xa2b40, 0x0)
r0 = socket(0x10, 0x2, 0x14)
sendmsg$auto_ETHTOOL_MSG_CHANNELS_GET(r0, &(0x7f0000003000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)=ANY=[@ANYBLOB="140000000114"], 0x14}}, 0x24000044)
executing program 0:
openat$auto_suspend_stats_fops_(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0)
r0 = socket(0xa, 0x5, 0x84)
sendto$auto(r0, 0x0, 0x401, 0x101, &(0x7f0000000000)=@generic={0xa, "e2e18340cba8fe8000"}, 0x1c)
executing program 4:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
alarm$auto(0xffffffff)
getitimer$auto(0x0, 0x0)
executing program 5:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
mmap$auto(0x0, 0x9, 0x72, 0x8b72, 0x2, 0x8000)
getsockopt$auto(r0, 0x10e, 0xb, 0x0, 0x0)
executing program 0:
socket(0x1, 0x2, 0x0)
socket(0x2b, 0x1, 0x1)
setsockopt$auto(0x4, 0x0, 0x80, 0xfffffffffffffffc, 0x1003f)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program crashed: KASAN: slab-use-after-free Read in force_devcd_write
bisect: the chunk can be dropped
bisect: split chunks (needed=true): <7>
bisect: split chunk #0 of len 7 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=1m41s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 3, 3, 3]
detailed listing:
executing program 4:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
alarm$auto(0xffffffff)
getitimer$auto(0x0, 0x0)
executing program 5:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
mmap$auto(0x0, 0x9, 0x72, 0x8b72, 0x2, 0x8000)
getsockopt$auto(r0, 0x10e, 0xb, 0x0, 0x0)
executing program 0:
socket(0x1, 0x2, 0x0)
socket(0x2b, 0x1, 0x1)
setsockopt$auto(0x4, 0x0, 0x80, 0xfffffffffffffffc, 0x1003f)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program did not crash
bisect: testing without sub-chunk 2/2
testing program (duration=1m41s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 3, 3, 3, 3]
detailed listing:
executing program 4:
socket$nl_generic(0x10, 0x3, 0x10)
socket$nl_generic(0x10, 0x3, 0x10)
inotify_add_watch$auto(0x4, 0x0, 0xe6e)
executing program 6:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$auto_ovs_packet(&(0x7f0000000040), r0)
sendmsg$auto_OVS_PACKET_CMD_EXECUTE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000001a00)={0x40, r1, 0x1b, 0x70bd26, 0x25dfdbfd, {}, [@OVS_PACKET_ATTR_PROBE={0x4}, @OVS_PACKET_ATTR_ACTIONS={0x10, 0x3, 0x0, 0x1, [@nested={0xc, 0x16, 0x0, 0x1, [@nested={0x4, 0x7}, @nested={0x4, 0x26}]}]}, @OVS_PACKET_ATTR_PACKET={0x12, 0x1, "898771f1c19f1779048590828847"}, @OVS_PACKET_ATTR_KEY={0x4}]}, 0x40}, 0x1, 0x0, 0x0, 0x4004040}, 0xc800)
executing program 5:
openat$auto_proc_reg_file_ops_compat_inode(0xffffffffffffff9c, &(0x7f0000000000)='/proc/asound/modules\x00', 0xa2b40, 0x0)
r0 = socket(0x10, 0x2, 0x14)
sendmsg$auto_ETHTOOL_MSG_CHANNELS_GET(r0, &(0x7f0000003000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)=ANY=[@ANYBLOB="140000000114"], 0x14}}, 0x24000044)
executing program 0:
openat$auto_suspend_stats_fops_(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0)
r0 = socket(0xa, 0x5, 0x84)
sendto$auto(r0, 0x0, 0x401, 0x101, &(0x7f0000000000)=@generic={0xa, "e2e18340cba8fe8000"}, 0x1c)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program did not crash
bisect: split chunks (needed=true): <4>, <3>
bisect: split chunk #0 of len 4 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=1m41s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 3, 3, 3, 3, 3]
detailed listing:
executing program 5:
openat$auto_proc_reg_file_ops_compat_inode(0xffffffffffffff9c, &(0x7f0000000000)='/proc/asound/modules\x00', 0xa2b40, 0x0)
r0 = socket(0x10, 0x2, 0x14)
sendmsg$auto_ETHTOOL_MSG_CHANNELS_GET(r0, &(0x7f0000003000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)=ANY=[@ANYBLOB="140000000114"], 0x14}}, 0x24000044)
executing program 0:
openat$auto_suspend_stats_fops_(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0)
r0 = socket(0xa, 0x5, 0x84)
sendto$auto(r0, 0x0, 0x401, 0x101, &(0x7f0000000000)=@generic={0xa, "e2e18340cba8fe8000"}, 0x1c)
executing program 4:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
alarm$auto(0xffffffff)
getitimer$auto(0x0, 0x0)
executing program 5:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
mmap$auto(0x0, 0x9, 0x72, 0x8b72, 0x2, 0x8000)
getsockopt$auto(r0, 0x10e, 0xb, 0x0, 0x0)
executing program 0:
socket(0x1, 0x2, 0x0)
socket(0x2b, 0x1, 0x1)
setsockopt$auto(0x4, 0x0, 0x80, 0xfffffffffffffffc, 0x1003f)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program crashed: KASAN: slab-use-after-free Read in force_devcd_write
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/2
bisect: no need to test this chunk, it's definitely needed
bisect: split chunk #1 of len 3 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=1m41s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 3, 3, 3]
detailed listing:
executing program 5:
openat$auto_proc_reg_file_ops_compat_inode(0xffffffffffffff9c, &(0x7f0000000000)='/proc/asound/modules\x00', 0xa2b40, 0x0)
r0 = socket(0x10, 0x2, 0x14)
sendmsg$auto_ETHTOOL_MSG_CHANNELS_GET(r0, &(0x7f0000003000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)=ANY=[@ANYBLOB="140000000114"], 0x14}}, 0x24000044)
executing program 0:
openat$auto_suspend_stats_fops_(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0)
r0 = socket(0xa, 0x5, 0x84)
sendto$auto(r0, 0x0, 0x401, 0x101, &(0x7f0000000000)=@generic={0xa, "e2e18340cba8fe8000"}, 0x1c)
executing program 0:
socket(0x1, 0x2, 0x0)
socket(0x2b, 0x1, 0x1)
setsockopt$auto(0x4, 0x0, 0x80, 0xfffffffffffffffc, 0x1003f)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program crashed: KASAN: slab-use-after-free Read in force_devcd_write
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/2
bisect: no need to test this chunk, it's definitely needed
bisect: split chunks (needed=true): <2>, <1>
bisect: split chunk #0 of len 2 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 3, 3]
detailed listing:
executing program 0:
openat$auto_suspend_stats_fops_(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0)
r0 = socket(0xa, 0x5, 0x84)
sendto$auto(r0, 0x0, 0x401, 0x101, &(0x7f0000000000)=@generic={0xa, "e2e18340cba8fe8000"}, 0x1c)
executing program 0:
socket(0x1, 0x2, 0x0)
socket(0x2b, 0x1, 0x1)
setsockopt$auto(0x4, 0x0, 0x80, 0xfffffffffffffffc, 0x1003f)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program did not crash
bisect: testing without sub-chunk 2/2
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 3, 3]
detailed listing:
executing program 5:
openat$auto_proc_reg_file_ops_compat_inode(0xffffffffffffff9c, &(0x7f0000000000)='/proc/asound/modules\x00', 0xa2b40, 0x0)
r0 = socket(0x10, 0x2, 0x14)
sendmsg$auto_ETHTOOL_MSG_CHANNELS_GET(r0, &(0x7f0000003000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)=ANY=[@ANYBLOB="140000000114"], 0x14}}, 0x24000044)
executing program 0:
socket(0x1, 0x2, 0x0)
socket(0x2b, 0x1, 0x1)
setsockopt$auto(0x4, 0x0, 0x80, 0xfffffffffffffffc, 0x1003f)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program did not crash
bisect: split chunk #1 of len 1 into 2 parts
bisect: no way to further split the chunk
bisect: split chunks (needed=true): <1>, <1>, <1, final>
bisect: split chunk #0 of len 1 into 2 parts
bisect: no way to further split the chunk
bisect: split chunk #1 of len 1 into 2 parts
bisect: no way to further split the chunk
bisect: 4 programs left: 

executing program 5:
openat$auto_proc_reg_file_ops_compat_inode(0xffffffffffffff9c, &(0x7f0000000000)='/proc/asound/modules\x00', 0xa2b40, 0x0)
r0 = socket(0x10, 0x2, 0x14)
sendmsg$auto_ETHTOOL_MSG_CHANNELS_GET(r0, &(0x7f0000003000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)=ANY=[@ANYBLOB="140000000114"], 0x14}}, 0x24000044)
executing program 0:
openat$auto_suspend_stats_fops_(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0)
r0 = socket(0xa, 0x5, 0x84)
sendto$auto(r0, 0x0, 0x401, 0x101, &(0x7f0000000000)=@generic={0xa, "e2e18340cba8fe8000"}, 0x1c)
executing program 0:
socket(0x1, 0x2, 0x0)
socket(0x2b, 0x1, 0x1)
setsockopt$auto(0x4, 0x0, 0x80, 0xfffffffffffffffc, 0x1003f)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)


bisect: trying to concatenate
bisect: concatenate 4 entries
minimizing program #0 before concatenation
testing program (duration=2m31.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [2, 3, 3, 3]
detailed listing:
executing program 0:
openat$auto_proc_reg_file_ops_compat_inode(0xffffffffffffff9c, &(0x7f0000000000)='/proc/asound/modules\x00', 0xa2b40, 0x0)
socket(0x10, 0x2, 0x14)
executing program 0:
openat$auto_suspend_stats_fops_(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0)
r0 = socket(0xa, 0x5, 0x84)
sendto$auto(r0, 0x0, 0x401, 0x101, &(0x7f0000000000)=@generic={0xa, "e2e18340cba8fe8000"}, 0x1c)
executing program 0:
socket(0x1, 0x2, 0x0)
socket(0x2b, 0x1, 0x1)
setsockopt$auto(0x4, 0x0, 0x80, 0xfffffffffffffffc, 0x1003f)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program crashed: KASAN: slab-use-after-free Read in force_devcd_write
testing program (duration=2m31.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 3, 3, 3]
detailed listing:
executing program 0:
openat$auto_proc_reg_file_ops_compat_inode(0xffffffffffffff9c, &(0x7f0000000000)='/proc/asound/modules\x00', 0xa2b40, 0x0)
executing program 0:
openat$auto_suspend_stats_fops_(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0)
r0 = socket(0xa, 0x5, 0x84)
sendto$auto(r0, 0x0, 0x401, 0x101, &(0x7f0000000000)=@generic={0xa, "e2e18340cba8fe8000"}, 0x1c)
executing program 0:
socket(0x1, 0x2, 0x0)
socket(0x2b, 0x1, 0x1)
setsockopt$auto(0x4, 0x0, 0x80, 0xfffffffffffffffc, 0x1003f)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program crashed: KASAN: slab-use-after-free Read in force_devcd_write
testing program (duration=2m31.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [0, 3, 3, 3]
detailed listing:
executing program 0:
executing program 0:
openat$auto_suspend_stats_fops_(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0)
r0 = socket(0xa, 0x5, 0x84)
sendto$auto(r0, 0x0, 0x401, 0x101, &(0x7f0000000000)=@generic={0xa, "e2e18340cba8fe8000"}, 0x1c)
executing program 0:
socket(0x1, 0x2, 0x0)
socket(0x2b, 0x1, 0x1)
setsockopt$auto(0x4, 0x0, 0x80, 0xfffffffffffffffc, 0x1003f)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program crashed: KASAN: slab-use-after-free Read in force_devcd_write
minimized 3 calls -> 0 calls
minimizing program #1 before concatenation
testing program (duration=2m31.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [0, 2, 3, 3]
detailed listing:
executing program 5:
executing program 0:
openat$auto_suspend_stats_fops_(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0)
socket(0xa, 0x5, 0x84)
executing program 0:
socket(0x1, 0x2, 0x0)
socket(0x2b, 0x1, 0x1)
setsockopt$auto(0x4, 0x0, 0x80, 0xfffffffffffffffc, 0x1003f)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program crashed: KASAN: slab-use-after-free Read in force_devcd_write
testing program (duration=2m31.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [0, 1, 3, 3]
detailed listing:
executing program 5:
executing program 0:
openat$auto_suspend_stats_fops_(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0)
executing program 0:
socket(0x1, 0x2, 0x0)
socket(0x2b, 0x1, 0x1)
setsockopt$auto(0x4, 0x0, 0x80, 0xfffffffffffffffc, 0x1003f)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program crashed: KASAN: slab-use-after-free Read in force_devcd_write
testing program (duration=2m31.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [0, 0, 3, 3]
detailed listing:
executing program 5:
executing program 0:
executing program 0:
socket(0x1, 0x2, 0x0)
socket(0x2b, 0x1, 0x1)
setsockopt$auto(0x4, 0x0, 0x80, 0xfffffffffffffffc, 0x1003f)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program crashed: KASAN: slab-use-after-free Read in force_devcd_write
minimized 3 calls -> 0 calls
minimizing program #2 before concatenation
testing program (duration=2m31.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [0, 0, 2, 3]
detailed listing:
executing program 5:
executing program 0:
executing program 0:
socket(0x1, 0x2, 0x0)
socket(0x2b, 0x1, 0x1)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program crashed: KASAN: slab-use-after-free Read in force_devcd_write
testing program (duration=2m31.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [0, 0, 1, 3]
detailed listing:
executing program 5:
executing program 0:
executing program 0:
socket(0x1, 0x2, 0x0)
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program crashed: KASAN: slab-use-after-free Read in force_devcd_write
testing program (duration=2m31.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [0, 0, 0, 3]
detailed listing:
executing program 5:
executing program 0:
executing program 0:
executing program 5:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program did not crash
minimized 3 calls -> 1 calls
minimizing program #3 before concatenation
testing program (duration=2m31.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [0, 0, 1, 2]
detailed listing:
executing program 5:
executing program 0:
executing program 0:
socket(0x1, 0x2, 0x0)
executing program 0:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)

program did not crash
testing program (duration=2m31.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [0, 0, 1, 2]
detailed listing:
executing program 5:
executing program 0:
executing program 0:
socket(0x1, 0x2, 0x0)
executing program 0:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
write$auto(0xffffffffffffffff, 0x0, 0xe)

program did not crash
testing program (duration=2m31.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [0, 0, 1, 2]
detailed listing:
executing program 5:
executing program 0:
executing program 0:
socket(0x1, 0x2, 0x0)
executing program 0:
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program did not crash
minimized 3 calls -> 3 calls
testing program (duration=2m31.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
detailed listing:
executing program 0:
socket(0x1, 0x2, 0x0)
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program did not crash
bisect: concatenated prog does not crash
single: executing 1 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
detailed listing:
executing program 0:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program crashed: KASAN: slab-use-after-free Read in force_devcd_write
single: successfully extracted reproducer
found reproducer with 3 syscalls
minimizing guilty program
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci
detailed listing:
executing program 0:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-write$auto
detailed listing:
executing program 0:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
write$auto(0xffffffffffffffff, 0x0, 0xe)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$auto_force_devcoredump_fops_hci_vhci-write$auto
detailed listing:
executing program 0:
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
detailed listing:
executing program 0:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, 0x0, 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program did not crash
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
simplifying guilty program options
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
detailed listing:
executing program 0:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program crashed: KASAN: slab-use-after-free Read in force_devcd_write
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
detailed listing:
executing program 0:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)

program crashed: KASAN: slab-use-after-free Read in force_devcd_write
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
reproducing took 2h23m50.033164802s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in force_devcd_write+0x31f/0x350 drivers/bluetooth/hci_vhci.c:327
Read of size 8 at addr ffff888027f5a800 by task syz.0.616/6621

CPU: 0 UID: 0 PID: 6621 Comm: syz.0.616 Not tainted 6.13.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:489
 kasan_report+0xd9/0x110 mm/kasan/report.c:602
 force_devcd_write+0x31f/0x350 drivers/bluetooth/hci_vhci.c:327
 full_proxy_write+0xfd/0x1b0 fs/debugfs/file.c:369
 vfs_write+0x24c/0x1150 fs/read_write.c:677
 ksys_write+0x12b/0x250 fs/read_write.c:731
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa558585d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff74cc4cd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fa558775fa0 RCX: 00007fa558585d29
RDX: 000000000000000e RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007fa558601b08 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa558775fa0 R14: 00007fa558775fa0 R15: 00000000000018c7
 </TASK>

Allocated by task 5922:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 vhci_open+0x4c/0x430 drivers/bluetooth/hci_vhci.c:634
 misc_open+0x35a/0x420 drivers/char/misc.c:165
 chrdev_open+0x237/0x6a0 fs/char_dev.c:414
 do_dentry_open+0xf59/0x1ea0 fs/open.c:945
 vfs_open+0x82/0x3f0 fs/open.c:1075
 do_open fs/namei.c:3828 [inline]
 path_openat+0x1e6a/0x2d60 fs/namei.c:3987
 do_filp_open+0x20c/0x470 fs/namei.c:4014
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5922:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free mm/slub.c:4613 [inline]
 kfree+0x14f/0x4b0 mm/slub.c:4761
 vhci_release+0xbb/0xf0 drivers/bluetooth/hci_vhci.c:670
 __fput+0x3f8/0xb60 fs/file_table.c:450
 task_work_run+0x14e/0x250 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:43 [inline]
 do_exit+0xad8/0x2d70 kernel/exit.c:938
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
 get_signal+0x2576/0x2610 kernel/signal.c:3036
 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888027f5a800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of
 freed 1024-byte region [ffff888027f5a800, ffff888027f5ac00)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x27f58
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801ac41dc0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801ac41dc0 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea00009fd601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 35, tgid 35 (kworker/u8:2), ts 79739193388, free_ts 79467668206
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1558
 prep_new_page mm/page_alloc.c:1566 [inline]
 get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3476
 __alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4753
 alloc_pages_mpol_noprof+0x2c8/0x620 mm/mempolicy.c:2269
 alloc_slab_page mm/slub.c:2423 [inline]
 allocate_slab mm/slub.c:2589 [inline]
 new_slab+0x2c9/0x410 mm/slub.c:2642
 ___slab_alloc+0xce2/0x1650 mm/slub.c:3830
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920
 __slab_alloc_node mm/slub.c:3995 [inline]
 slab_alloc_node mm/slub.c:4156 [inline]
 __do_kmalloc_node mm/slub.c:4297 [inline]
 __kmalloc_noprof+0x2de/0x4f0 mm/slub.c:4310
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 neigh_alloc net/core/neighbour.c:473 [inline]
 ___neigh_create+0x1530/0x2990 net/core/neighbour.c:607
 ip6_finish_output2+0x111b/0x2070 net/ipv6/ip6_output.c:132
 __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
 ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247
 dst_output include/net/dst.h:450 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ndisc_send_skb+0xa69/0x1c50 net/ipv6/ndisc.c:511
 ndisc_send_rs+0x129/0x670 net/ipv6/ndisc.c:721
 addrconf_dad_completed+0x4a1/0x1060 net/ipv6/addrconf.c:4381
 addrconf_dad_work+0x7fb/0x14d0 net/ipv6/addrconf.c:4289
page last free pid 5837 tgid 5837 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_page+0x661/0x1080 mm/page_alloc.c:2659
 __put_partials+0x14c/0x170 mm/slub.c:3157
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4119 [inline]
 slab_alloc_node mm/slub.c:4168 [inline]
 __do_kmalloc_node mm/slub.c:4297 [inline]
 __kmalloc_noprof+0x1d1/0x4f0 mm/slub.c:4310
 kmalloc_noprof include/linux/slab.h:905 [inline]
 inotify_handle_inode_event+0x1c7/0x600 fs/notify/inotify/inotify_fsnotify.c:96
 inotify_ignored_and_remove_idr+0x28/0x70 fs/notify/inotify/inotify_user.c:526
 fsnotify_free_mark+0xe9/0x140 fs/notify/mark.c:582
 __do_sys_inotify_rm_watch fs/notify/inotify/inotify_user.c:805 [inline]
 __se_sys_inotify_rm_watch fs/notify/inotify/inotify_user.c:786 [inline]
 __x64_sys_inotify_rm_watch+0x112/0x190 fs/notify/inotify/inotify_user.c:786
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888027f5a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888027f5a780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888027f5a800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888027f5a880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888027f5a900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in force_devcd_write+0x31f/0x350 drivers/bluetooth/hci_vhci.c:327
Read of size 8 at addr ffff888027f5a800 by task syz.0.616/6621

CPU: 0 UID: 0 PID: 6621 Comm: syz.0.616 Not tainted 6.13.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:489
 kasan_report+0xd9/0x110 mm/kasan/report.c:602
 force_devcd_write+0x31f/0x350 drivers/bluetooth/hci_vhci.c:327
 full_proxy_write+0xfd/0x1b0 fs/debugfs/file.c:369
 vfs_write+0x24c/0x1150 fs/read_write.c:677
 ksys_write+0x12b/0x250 fs/read_write.c:731
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa558585d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff74cc4cd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fa558775fa0 RCX: 00007fa558585d29
RDX: 000000000000000e RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007fa558601b08 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa558775fa0 R14: 00007fa558775fa0 R15: 00000000000018c7
 </TASK>

Allocated by task 5922:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 vhci_open+0x4c/0x430 drivers/bluetooth/hci_vhci.c:634
 misc_open+0x35a/0x420 drivers/char/misc.c:165
 chrdev_open+0x237/0x6a0 fs/char_dev.c:414
 do_dentry_open+0xf59/0x1ea0 fs/open.c:945
 vfs_open+0x82/0x3f0 fs/open.c:1075
 do_open fs/namei.c:3828 [inline]
 path_openat+0x1e6a/0x2d60 fs/namei.c:3987
 do_filp_open+0x20c/0x470 fs/namei.c:4014
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5922:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free mm/slub.c:4613 [inline]
 kfree+0x14f/0x4b0 mm/slub.c:4761
 vhci_release+0xbb/0xf0 drivers/bluetooth/hci_vhci.c:670
 __fput+0x3f8/0xb60 fs/file_table.c:450
 task_work_run+0x14e/0x250 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:43 [inline]
 do_exit+0xad8/0x2d70 kernel/exit.c:938
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
 get_signal+0x2576/0x2610 kernel/signal.c:3036
 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888027f5a800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of
 freed 1024-byte region [ffff888027f5a800, ffff888027f5ac00)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x27f58
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801ac41dc0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801ac41dc0 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea00009fd601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 35, tgid 35 (kworker/u8:2), ts 79739193388, free_ts 79467668206
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1558
 prep_new_page mm/page_alloc.c:1566 [inline]
 get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3476
 __alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4753
 alloc_pages_mpol_noprof+0x2c8/0x620 mm/mempolicy.c:2269
 alloc_slab_page mm/slub.c:2423 [inline]
 allocate_slab mm/slub.c:2589 [inline]
 new_slab+0x2c9/0x410 mm/slub.c:2642
 ___slab_alloc+0xce2/0x1650 mm/slub.c:3830
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920
 __slab_alloc_node mm/slub.c:3995 [inline]
 slab_alloc_node mm/slub.c:4156 [inline]
 __do_kmalloc_node mm/slub.c:4297 [inline]
 __kmalloc_noprof+0x2de/0x4f0 mm/slub.c:4310
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 neigh_alloc net/core/neighbour.c:473 [inline]
 ___neigh_create+0x1530/0x2990 net/core/neighbour.c:607
 ip6_finish_output2+0x111b/0x2070 net/ipv6/ip6_output.c:132
 __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
 ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247
 dst_output include/net/dst.h:450 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ndisc_send_skb+0xa69/0x1c50 net/ipv6/ndisc.c:511
 ndisc_send_rs+0x129/0x670 net/ipv6/ndisc.c:721
 addrconf_dad_completed+0x4a1/0x1060 net/ipv6/addrconf.c:4381
 addrconf_dad_work+0x7fb/0x14d0 net/ipv6/addrconf.c:4289
page last free pid 5837 tgid 5837 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_page+0x661/0x1080 mm/page_alloc.c:2659
 __put_partials+0x14c/0x170 mm/slub.c:3157
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4119 [inline]
 slab_alloc_node mm/slub.c:4168 [inline]
 __do_kmalloc_node mm/slub.c:4297 [inline]
 __kmalloc_noprof+0x1d1/0x4f0 mm/slub.c:4310
 kmalloc_noprof include/linux/slab.h:905 [inline]
 inotify_handle_inode_event+0x1c7/0x600 fs/notify/inotify/inotify_fsnotify.c:96
 inotify_ignored_and_remove_idr+0x28/0x70 fs/notify/inotify/inotify_user.c:526
 fsnotify_free_mark+0xe9/0x140 fs/notify/mark.c:582
 __do_sys_inotify_rm_watch fs/notify/inotify/inotify_user.c:805 [inline]
 __se_sys_inotify_rm_watch fs/notify/inotify/inotify_user.c:786 [inline]
 __x64_sys_inotify_rm_watch+0x112/0x190 fs/notify/inotify/inotify_user.c:786
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888027f5a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888027f5a780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888027f5a800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888027f5a880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888027f5a900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================