Extracting prog: 33m55.982589637s Minimizing prog: 1h13m28.929287264s Simplifying prog options: 24m20.862285994s Extracting C: 6m48.100919348s Simplifying C: 0s extracting reproducer from 37 programs testing a last program of every proc single: executing 7 programs separately with timeout 6m0s testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-bpf$BPF_BTF_GET_FD_BY_ID-openat$cgroup_ro-mmap-socket$inet6_sctp-socket$inet6-connect$inet6-setsockopt$IP6T_SO_SET_REPLACE-sendmsg-getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS-setsockopt$inet_sctp6_SCTP_PR_SUPPORTED-bpf$BPF_MAP_CONST_STR_FREEZE-bpf$BPF_PROG_WITH_BTFID_LOAD-bpf$MAP_GET_NEXT_KEY-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f0000000000)=@framed={{0x18, 0x2, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x1}, [@call={0x85, 0x0, 0x0, 0x7d}]}, &(0x7f00000001c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp=0x25, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) r1 = bpf$BPF_BTF_GET_FD_BY_ID(0x13, &(0x7f0000000180), 0x4) r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='memory.events\x00', 0x275a, 0x0) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x12, r2, 0x0) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) r4 = socket$inet6(0xa, 0x3, 0x8000000003c) connect$inet6(r4, &(0x7f0000000140)={0xa, 0x0, 0x0, @dev, 0x9}, 0x1c) setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) sendmsg(r4, &(0x7f00000000c0)={0x0, 0x952b, &(0x7f0000000100)=[{&(0x7f0000000000)="2c10", 0x5dc}], 0x1, 0x0, 0x0, 0x2c}, 0x44004) getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f00000004c0)={0x0, @in={{0x2, 0x4e23, @initdev={0xac, 0x1e, 0x1, 0x0}}}, 0xa548, 0x0, 0x5, 0x9c8, 0x24, 0x34c78989, 0xa}, &(0x7f00000003c0)=0x9c) setsockopt$inet_sctp6_SCTP_PR_SUPPORTED(r3, 0x84, 0x71, &(0x7f0000000580)={r5, 0x8}, 0x8) bpf$BPF_MAP_CONST_STR_FREEZE(0x16, &(0x7f0000000280)={0x1, 0xffffffffffffffff}, 0x4) bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000300)=@bpf_ext={0x1c, 0x1, &(0x7f0000000100)=@raw=[@ldst={0x2, 0x1, 0x1, 0xb, 0x1, 0x2, 0xfffffffffffffff0}], &(0x7f0000000140)='syzkaller\x00', 0xf799, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, 0x0, r1, 0x8, &(0x7f0000000200)={0x5, 0x2}, 0x8, 0x10, &(0x7f0000000240)={0x5, 0x8, 0x4, 0x100000}, 0x10, 0xa5ee, r0, 0x0, &(0x7f00000002c0)=[r2, r6, r0], 0x0, 0x10, 0x2, @void, @value}, 0x94) bpf$MAP_GET_NEXT_KEY(0x4, &(0x7f0000000480)={r2, &(0x7f00000003c0), &(0x7f0000000400)=""/102}, 0x20) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r0, 0x0, 0x3100, 0x0, &(0x7f0000000140), 0x0, 0x1008, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9}, 0x50) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$unix-bpf$MAP_CREATE-bpf$MAP_CREATE-bpf$MAP_LOOKUP_ELEM-socket-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$nbd-socketpair$nbd-sendmsg$NBD_CMD_CONNECT-epoll_create-socket-connect$inet6-connect$inet6-socket$inet_tcp-syz_genetlink_get_family_id$gtp-socket$inet_sctp-setsockopt$IP_VS_SO_SET_ADD-ioctl$VFAT_IOCTL_READDIR_BOTH-syz_init_net_socket$bt_hci-syz_80211_join_ibss-syz_80211_inject_frame-bind$bt_hci-socketpair$unix-socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_NEW_STATION-sendmsg$NFT_BATCH-syz_genetlink_get_family_id$ethtool-sendmsg$ETHTOOL_MSG_COALESCE_SET detailed listing: executing program 0: r0 = socket$unix(0x1, 0x1, 0x0) r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000940)=ANY=[@ANYBLOB="02000000040000000400000009000000000200004e45c8b49b4ef359cab4d311be280d2f295ed101ca81eb7c0c3a6ea77a27185015cc0f50d1f8241c424c15a34a861a2dbd6c7b7cb363866d4ae5b6487b3d2bcadce43be63729489d4f5cd6346e52fe299afa425a0dce6c9c6e62bd7be5aa50b8c514dadd19d59f18c88f3358dc6e894223d534c4", @ANYRES32, @ANYBLOB='\x00'/20, @ANYRES8=r0, @ANYRES32, @ANYBLOB='\x00'/28], 0x48) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000900)=ANY=[@ANYBLOB="0d00000009000000040000000100000000000000", @ANYRES32=r1], 0x48) bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f0000001b00)={r2, &(0x7f0000000440)="744b19ceda99f5a3aece75260acdac2108aa98e6ad5832996845ebfc525eb60fb32e5d866f83d4088945d453cd403d25dcd13ff1f99862c908b63682e12c1becc82c6a6f3786ddb5f4f980e828abc3966cdf09f54cd75ed84bf040d8ab9e519a6d19c0edb701000000000000003e2c1129dc862723009fa5a96a6b22ca3cd4b1e7b1500345c36bb980c0df62b3f70c9823675909fc4a0b9ba694795e91fe3797f5f345a30200e6ca6bff79788a2861fb5c9ba8cb828f56a4462856718d07599cbab6902544b617a1fa", 0x0, 0x4}, 0x20) r3 = socket(0x2b, 0x80801, 0x1) r4 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r5 = syz_genetlink_get_family_id$nbd(&(0x7f0000000040), 0xffffffffffffffff) socketpair$nbd(0x1, 0x1, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) sendmsg$NBD_CMD_CONNECT(r4, &(0x7f0000001ac0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000400)=ANY=[@ANYBLOB='<\x00\x00\x00', @ANYRES16=r5, @ANYBLOB="01002bbd700000000000010000000c0002000c000000000000001c0007800c00018008000100", @ANYRES32=r6, @ANYBLOB="0c00018008000100", @ANYRES32=r3], 0x3c}, 0x1, 0x0, 0x0, 0x20000014}, 0x0) epoll_create(0x3) r7 = socket(0x0, 0x80801, 0x5) connect$inet6(r7, &(0x7f0000000000)={0xa, 0x0, 0x10000, @empty}, 0x1c) connect$inet6(r7, &(0x7f0000000140)={0xa, 0x4e22, 0xffffffab, @loopback, 0x4}, 0x1c) r8 = socket$inet_tcp(0x2, 0x1, 0x0) syz_genetlink_get_family_id$gtp(&(0x7f00000007c0), r2) r9 = socket$inet_sctp(0x2, 0x1, 0x84) setsockopt$IP_VS_SO_SET_ADD(r8, 0x0, 0x482, &(0x7f0000000180)={0x2f, @broadcast, 0x4e23, 0x2, 'wrr\x00', 0x1a, 0x5, 0x7d}, 0x2c) ioctl$VFAT_IOCTL_READDIR_BOTH(r9, 0x82187201, 0x0) r10 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) syz_80211_join_ibss(&(0x7f0000000040)='wlan0\x00', &(0x7f0000000080)=@default_ibss_ssid, 0x6, 0x0) syz_80211_inject_frame(&(0x7f00000000c0), &(0x7f0000000100)=ANY=[@ANYBLOB="80000000080211000001080211000000080211000000000000e3ffffffffffff63822f07c13b1974f100010000060202020202020108"], 0x36) bind$bt_hci(r10, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) socketpair$unix(0x1, 0x2, 0x0, &(0x7f00000003c0)={0xffffffffffffffff}) r12 = socket$nl_generic(0x10, 0x3, 0x10) r13 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000f80), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r11, 0x8933, &(0x7f0000000300)={'wlan0\x00'}) sendmsg$NL80211_CMD_NEW_STATION(r3, &(0x7f0000001080)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000540)=ANY=[@ANYRES16=r12, @ANYRESOCT=0x0, @ANYBLOB="aaa7a9843f5a35092dda5b7b7c55f58fe84dddadb41a8cb3f1c1198fc44231d7ccca826aa73bdb10db9fc1106b1e0df39ad4110b480355846a2dc04dae4cf9cf8c4b3d7b34198698d873fd7f193a0ced57034b52c6d9fa7fb451aa1c877bf7a2d95c205fcab9f053cd7f2ac101a572079715a1fb5a52cdcc90b0798b134a1733106fc669b03eed574ddb16ee907f7622ecf8ee03e3ef0b4ee90aa9db30dd85338c4debf083109039bf56e641f38cd6bd934629e99811699e27d0fc23ac950d8206d76fe40b56775e709ea6f700ca8394bd42f2", @ANYBLOB="ec4b5560353086be8439361d9e590b85e93d162ed28b17c0f540589d35f523babc1ada6bd2b055caa8b46b0b2fe9d508bd29d853e5c38ff51c85dc20f481e217a5264a0586facd16c30f4fd5047c07805516d05a2d58bbd66b0e5ef4ed830a4de4457b", @ANYRESHEX=r13], 0xfc}, 0x1, 0x0, 0x0, 0x4814}, 0x0) sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000b00)={&(0x7f00000000c0)=ANY=[@ANYBLOB], 0x68}}, 0x0) r14 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000340), 0xffffffffffffffff) sendmsg$ETHTOOL_MSG_COALESCE_SET(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000100)=ANY=[@ANYBLOB='D\x00\x00', @ANYRES16=r14], 0x44}}, 0x0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-ioctl$TUNSETQUEUE-nanosleep-ioctl$SIOCSIFHWADDR-bpf$TOKEN_CREATE-bpf$MAP_UPDATE_ELEM_TAIL_CALL-bpf$PROG_LOAD-write$tun-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$MAP_CREATE-bpf$PROG_LOAD-bpf$BPF_PROG_TEST_RUN-openat$cgroup_root-bpf$PROG_LOAD-bpf$BPF_PROG_DETACH-openat$cgroup_procs-bpf$PROG_BIND_MAP-ioctl$FS_IOC_FIEMAP-bpf$MAP_UPDATE_ELEM_TAIL_CALL-splice detailed listing: executing program 0: r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000140), 0x4a301, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8d11}) r1 = socket$kcm(0x2, 0xa, 0x2) ioctl$TUNSETQUEUE(r0, 0x400454d9, &(0x7f0000000000)={'\x00', 0x400}) nanosleep(&(0x7f0000000800)={0x77359400}, &(0x7f0000000880)) ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) bpf$TOKEN_CREATE(0x24, &(0x7f0000000640)={0x0, r1}, 0x8) bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f00000007c0)={{0x1, 0xffffffffffffffff}, &(0x7f0000000740), &(0x7f0000000780)}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000680)={0x1e, 0xe, &(0x7f0000000e40)=@framed={{0xffffffb4, 0x5, 0x0, 0x0, 0x0, 0x79, 0x10, 0x69}, [@ldst={0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}, @ringbuf_output={{0x18, 0x1, 0x1, 0x0, r2}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x1}, {}, {}, {}, {}, {0x7, 0x0, 0xb, 0x4, 0x0, 0x0, 0x1}}, @call={0x85, 0x0, 0x0, 0xd0}]}, &(0x7f0000003ff6)='GPL\x00', 0x5, 0xc3, &(0x7f000000cf3d)=""/195, 0x41100, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8, 0x10, &(0x7f0000000000), 0x10, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) write$tun(r0, &(0x7f0000000440)=ANY=[], 0x3e) r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x13, 0x11, &(0x7f0000000080)=@framed={{0x18, 0x8, 0x0, 0x0, 0xffd0, 0x0, 0x0, 0x0, 0xffffffff}, [@map_fd={0x18, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10000000}, @generic={0x66, 0x8}, @btf_id={0x18, 0x0, 0x3, 0x0, 0x5}, @exit, @printk={@x, {}, {}, {}, {}, {0x5, 0x0, 0xb, 0xa}}]}, &(0x7f0000000000)='GPL\x00', 0x6, 0xde, &(0x7f0000000340)=""/222, 0x0, 0x4, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) r4 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=@base={0xe, 0x4, 0x8, 0x7, 0x0, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48) r5 = bpf$PROG_LOAD(0x5, &(0x7f00000002c0)={0xc, 0xc, &(0x7f0000000100)=@framed={{0x18, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xaa9a}, [@ringbuf_output={{0x18, 0x5, 0x1, 0x0, r4}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x80000000}, {0x3, 0x3, 0x3, 0xa, 0x5}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x1e}}]}, &(0x7f0000000840)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback=0x2a, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000d80)={r5, 0x18000000000002a0, 0xe, 0x0, &(0x7f0000000040)="76ea090000000000009ba56a88ca", 0x0, 0x6400, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x50) r6 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0) r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x9, 0x4, &(0x7f00000008c0)=ANY=[@ANYBLOB="180000000000000000000000000000006112000000000000950000000000000051fa7824c74186dc02ec0696c37b64e3b24da3180100000005165c0f63cdc2e82818254950ee03568b8809a1ff4c7c4750eabfafcb9531b31e6a86827d1010c5a909ab98e00e19644a88e95ba26d1c9eecddb2d11c541418ceeb29b9b6829c6e433822bdb3cc85244aab60c1aae1314d7381fcfeb970bea672cf1e926f6a51479343144648a07a975bd89dc398712376610f6254f12495b4658319684387f6f3543205d4bc4ce05b8b961103673dff7f158052e62b20f05fd24108d8363d44fcd0f8f3647899762a17282a1914452d11f557c28f396eebdc858558db0276d14f9035f2b5f703e5be7e4acf8b78c2834ae5805fffee38a9a0033d520bcf6b08ede50899d4b9bdf85c71c5de2503dab358f42a2624c7daa9ed44039aab46419496362e54cfad05a0004ac71a003d7b85d07191bed4e5a890826300214146f7ed569985439baa355c2766dd056f5d79e454f3d873095e7a237bc06d035a8d601f21746d886419f38b34a495040000000071c2f0cce8c93cc17e9afa314fcb2ba15d646c66b0f65021829f87d988b4e2d71753b1549fa734f0b2e56dbd21ed2e09d0cddad721971637f384eed3034597c93e1c52f42cad0ed09c395dc6e9703660fefa1c80f467367c006f25caf0cbcefd13d68839893e39c588eb032905f91cafa4996dbf0c9be9654db05fb918086cc8228d02a3092c0830b8f587a5624515298b2d4eb2bde6f9a2eb83d53f717f13fa7552d92c51dbd32ea50c490ecd085d2811a7555c538cffffff7f00000000dd872244bfa64779e0f43a9c277e2910b7ccdc3d6726d34ad2101033a623ca2a49ad344884289130bc71cee2b7de62bf48129ae1af052a2d46a61625735a9eea7f793946b3229e861d8ea49806b3f7d4295f6b000000000000f337b1ceb2d8a65dcdcd895d7ba37098d2593fdaaef445af5bee02019c00000099b13ecda2a5b37de0519e974cba92ebaf0f701611a9b027ce04340bda4594cc9049c3f101629ab028145e004209ebe71a6fe84af50804000000000000004a27213354964e250a98fe357676f94b6947383e320fbb1118f586d5b9b1b977e1e1a4490ff67703a9b5900f8a6f8a805879dd91ec5ff435b219c53680c0ae04dcc4ef69b98fcb0d6b6a03a8b71a66b4e2876dc4b610444bf10000000000b046b6ae5d68156bcbd6d8793ade9a22ac8fc7857e5bbc14adc4e12b08f350c6789283b9990c72e64372a1f79769a8bdc632fc1a0b3417855d8b7d25ca4d404c23631ad3d2f55dcd385371c86170a4bca58c2b2b4eabc365f45bd10bb45b0c5bc354456a52be18d9b44014d20a3c51c8f013dade83562e73278662829e4f5a9ac00fd91178468c737f0872d97d38d11a176be5a0d7294c51eb161eddcfefa8837c7430721851ec2a107af0df6d43e732bbc01e76c66895eb85d36798d61622773591ee21ad9f6a1b73fa9cf3ffeb8a00b63af800a81d0fb8aa29df8b8ad6fbafefb5802a23cbdeeabceda5bfc5ff2fa5c1d61d04a1324794c6ed000696d9f04010c35474e690545c3d9bd836d4cef2585ba616e01c3d000000000000000000470ebc6f3453ecbf3047e4547d7632d3ad21798e730cb5d1da059b5bdb8107815dff995c0788906790406dfb4f8ee9f24ff94233e2e6e581e6e5de33a5f254c9a8b612547473c3001df3928dac9203b744619082421a8da7c00000000000000000000000000000018a73ef40cca690fb7595c6962984f8276677be6f66cbdbccf1896433808c9c84d74ac4a7c186a04a2250972f7acb156b21f9826b6acb7db32c4e3b3ec8b59fd972975edb1da872d81a35e4fda2f5cbde6b40bea20418c6e9dad30b791eea58f53e80fee4dd7fe08373ea2784fcd3a65261de71eb866458d2c22a"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @cgroup_sock, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x70) bpf$BPF_PROG_DETACH(0x8, &(0x7f0000000040)={@cgroup=r6, r7, 0x2, 0x2, 0x0, @void, @value}, 0x10) openat$cgroup_procs(r6, &(0x7f0000000240)='cgroup.threads\x00', 0x2, 0x0) bpf$PROG_BIND_MAP(0x23, &(0x7f0000000040)={r5, 0x1}, 0xc) ioctl$FS_IOC_FIEMAP(r3, 0xc020660b, &(0x7f0000000440)={0x4, 0x13eb, 0x0, 0x6, 0x4, 0x0, [{0x3, 0x1, 0xff, '\x00', 0x4}, {0x101, 0x71, 0xfffffffffffffffb, '\x00', 0x2000}, {0x0, 0x100000000, 0x8, '\x00', 0x2982}, {0x6, 0x0, 0x8, '\x00', 0x2000}]}) bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000580)={{r4, 0xffffffffffffffff}, &(0x7f0000000280), &(0x7f0000000540)=r7}, 0x20) splice(r8, &(0x7f00000005c0)=0x6, r3, &(0x7f0000000600)=0x4, 0x1, 0xa) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$MAP_CREATE-accept$packet-setsockopt$packet_fanout_data-bpf$PROG_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_open_procfs$namespace-syz_open_procfs$namespace-bpf$PROG_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$pppl2tp-ioctl$SIOCSIFMTU-bpf$PROG_LOAD-bpf$BPF_PROG_TEST_RUN-sendmsg$IPSET_CMD_CREATE detailed listing: executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) (async) bpf$MAP_CREATE(0x0, &(0x7f0000001080)=ANY=[@ANYBLOB="1b000008e7ff000000000000008000000010000076f8c3cfb1900a8bd14f92cbc1728be01f30fbc1f78fbad6484999a92ab96751004258be8031b75e67856bd3074299fcf3342034e035f7c946337bcdd0bac1591cccf2da3c18f6141ffee8772e20305630b1dc8921221baea856a78bc9508b664df3e9f73e436ae0d0d9417f72582438600bfc559f01feffffffffffff023fc3a56c92bbd6d08f423f885ec770395763682a337f287157293daa29f279865000be7687826b6559119d3ff9f1b0ee193e3e917c599e94368bd9063810dfe895687eebbc2891dedade152e7b211f98704a287293d79f00512b8bfc4243d8d4a31f46216bf60a38a7abfc5af822fd51a2670894bbcd34bca425a11de84ab647dc59031b8a6cb21d99c0663beaeeebd04b87cb36b30811b953823ebe0a295acbcd7ab03e7c58890cdad7340061d532e4376bc67268b2fdc75151fd11c7c764cb65d1d600a9e116303b1977bbc06004544f58a542e38e667e9d23d167ba28bec393345a3b5c278e4cf11b191237541083f720d828c7835108504a3015828368cd7497de7b45e1fbba8e51bd47947903ed6bc3d766be329cbb9e3d2fa433270524b19aeeb12b5365d1e4000349b019eeb7fe3602c59ea66706a1d2f09756ab", @ANYRES32, @ANYBLOB='\x00'/20, @ANYRES32=0x0, @ANYRES32, @ANYBLOB='\x00'/28], 0x48) (async) r1 = accept$packet(0xffffffffffffffff, &(0x7f0000000040)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, &(0x7f00000002c0)=0x14) setsockopt$packet_fanout_data(r1, 0x107, 0x16, &(0x7f0000000380)={0x1, &(0x7f0000000300)=[{0xfdaa, 0x0, 0x3, 0x7fff}]}, 0x10) r2 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x6d, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000100)='net_dev_xmit\x00', r2}, 0x10) (async) syz_open_procfs$namespace(0x0, &(0x7f00000013c0)='ns/mnt\x00') (async) syz_open_procfs$namespace(0xffffffffffffffff, &(0x7f0000001440)='ns/mnt\x00') (async) r3 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000100)='net_dev_xmit\x00', r3}, 0x10) (async) r4 = socket$pppl2tp(0x18, 0x1, 0x1) ioctl$SIOCSIFMTU(r4, 0x8947, &(0x7f0000000580)={'bond0\x00', 0xfffd}) (async) r5 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0xc, 0xe, &(0x7f0000000640)=ANY=[@ANYBLOB="b702000003000000bfa30000000000000703000000feffff7a0af0ff0100000079a4f0ff00000000b7060000ffffffff2d6405000000000065040400010000000404000001007d60b7030000000000006a0a00fe00000000850000000d000000b70000000000000095000000000000005ecefab8f2e85c6c1ca711fcd020f4c0c8c56147d66527da307bf731fef97861750379585e5a076d839240d29c034055b67dafe6c8dc3d5d78c07fa1f7e655ce34e4d5b3185fec0e07004e60c08dc8b8dbf11e6e94d75938321a3aa502cd2424a66e6d2ef831ab7ea0c34f17e3946ef3bb622003b538dfd8e012e79578e51bc53099e90f4580d760551b5b341a29f31e3106d1ddd6152f7cbdb9cd38bdb2209c67deca8eeb9c15ab3a14817ac61e4dd11183a13477bf7e860e3665f1328d6704902cbe7bc04b82d2789cb132b8667c2147661df28d9961b63e1a9cf6c2a660a1fe3c184b751c51160fb20b1c581e7be6ba0dc001c4110555850915148ba532e6ea09c346dfebd38608b3280080005d9a9500000000000000334d83239dd27080851dcac3c12233f9a1fb9c2aec61ce63a38d2fd50117b89a9ab359b4eea0c6e95767d42b4e54861d0227dbfd2e6d7f715a7f3deadd7130856f756436303767d2e24f29e5dad9796edb697aeea0182babd18cac1bd4f4390af9a9ceafd0002cab154ad029a1090000002780870014f51c3c975d5aec84222fff0d7216fdb0d3a0ec4be3e563112f0b39501aafe234870072858dc06e7c337642d3e5a815232f5e16c1b30c3a6a71bc85018e5ff2c91018afc9ffc2cc788bee1b47683db01a469398685211dfbbae3e2ed0a50e7313bff5d4c391ddece00fc772dd6b4d4de2a41990f05ca3bdfc92c88c5b8dcd36e7487afa447c2edfae4f390a8337841cef386e22cc22ee17476d738952229682e24b92533ac2a9f5a699593f084419cae0b4532bcc97d3ae486aca54183fb01c73f979ca9857399537f5dc2acb72e7ead0509d380578673f8b6e74ce23877a6b24db0000000000000003629fbef2461c96a088a22e8b15c3e233db7ab22e30d46a9d24d37cef099ece729aa218f9f44a3210223fdae7ed04935c3c90d3add8eebc8619d7b90dfae158b94f50adab988dd8e12b1b56073d0d10f7067c881434af5cc9398fff00404d5d99f82e20ee6a8c88e18c2977aab37d9ac4cfc1c7b400000000000007ff57c39495c826b956ba859ac8e3c177b91bd7d5e41ff868f7ca1664fe2f3ced846891180604b6dd2499d16d7d9158ffffffff00000000ef069dc42749a89f854797f29d0000002d8c38a967c1bbe09315c29877a331bcc87dc3addb08141bdee5d27874b2f663ddeef0005b3d96c7aabf77bfc95769a9294df517d90bdc01e73835efd98ad5a3e1a90800c66ee2b1ad76dff9f9000071414c99d4894ee7f8249dc1e3428d2129369ee1b85af6eb2eea0d0df414b31592479ecf2392548f11e1036a8debd64cbe359454a3f2239cfe35f81b7a490f167e6d5c1109000000000000000042b8ff8c21ad702ccacad5b39eef213d1ca296d2a27798c8ce2a305c0c7d35cf4b22549a4bd92052188bd1f285f653b621491dc6aaee0200e2ff08644fb94c06006eff1be2f633c1d987591ec3db58a7bb3042ec3f771f7a1338a5c3dd35e926049fe86e09c58e273cd905deb28c13c1ed1c0d9cae846bcbfa8cce7b893e578af7dc7d5e87d44ff828de453f34c2b18660b080efc707e676e1fb4d5825c0ca177a4c7fbb4e62b445c00f576b2b5cc7f819abd0f885cc4806f40300966fcf1e54f5a2d38708194cd6f496e5dee734fe7da3770845cf442d488afdc0e17000000000000000000000000000000000000000000000000000005205000000dc1c56d59f35d367632952a93466ae595c6a8cda690d192a070886df42b27098773b45198b4a34ac977ebd4450e121d01342703f5bf030e935878a6d169c80aa4252d4ea6b8f6216ff202b5b5a182cb5e838b307632d03a7ca6f6d0339f9953c3093c3690d10ecb65dc5b47481edbe1f000000000000004d16d29c28eb5167e9936ed327fb237a56224e49d9ea955a5f0dec1b3ccd35364600000000000000000000000000000000000000000000000000000000000026ded4dd6fe1518cc7802043ecfe69f743f1213bf8179ecd9e5a225d67521dc728eac7d80a5646ac2cbde21d3ebfbf69ff861f4394836ddf128d6d19079e64336e7c676505c78ad67548f4b192be1827fcd95cf107753cb0a6a979d3db0c407081c6281e2d8429a863903ca75f4c7df3ea8fc2018d07af1491ef060cd4403a099f32468f65bd06b4082d43e121861b5cc03f1a1561f0589e0d12969bc982ff5d8e9b986c0c6c747d9a1cc500bb892c3a16ff10feea20bdac0000000000000000ca06f256c8028e0f9b65f037b21f3289f86a6826c69fa35ba5cbc3f2db1516ffc5c6e3fa618b24a6ce16d6c7010bb37b61fa0a2d8974e69115d33394e86e4b838297ba20f96936b7e4766e92dea6c5d1d33d84d96b50fb000000ae07c65b71088dd7d5d1e1bab9000000000000000000000000b5ace293bec859c13e3229432ad71d646218b5229dd88137fc7c59aa242af3bb4efb82055a3b61227ad40f52c9f250057931d828ec78e116ae46c4897e2795b6ff92e9a1f63a6ed8fb4f8f3a6ec4e76f8621e24b0b855c02f2b7add58ffb25f339297729a7a51810134d3dfbf71f6516737be55c06d9cdcfb1e2bb10b50000eb4acff90756dba1ecf9f58afd3c19b5c4558ba9af6b7333c894a1fb29ade9ad75c9c022e8d03fe28bc358684492aa771dbfe80745fe89ad349ffaad76ff9dd643796caffdf67af5dd476c37e7e9a84e2e5da2696e285a59b53f2fb0e16d8262c080c159ce40c14089c82759106f422582b42e3e8484ea5a6ad9aa52106eafe0e0caea1ad4cb23f3c2b8a0f455ba69ea284c268d54b43158a8b1d128d02af263b3dc1cab794c9ac57a2a7332f4d8764c302ccd5aac114482b619fc575aa0dd2777e881e29a854380e2f1e49db5a1517ec40bb3fa44f9959bad67ccaba76408da35c9f1534c8bd48bbd61627a2e0a74b5e6aefb7eee403f02734137ff47257f164391c673b6071b6ad0f05eed164ca63e4ea26dce0fb3ce0f6591d80dfb8f386bb79f5589829b6b0679b5d65a81826fc9b38f791c8f1892b51ad65a89bc84646ebf78f5d5d4804d9abb071fd711b5e7cc163b42a6510b8f5ee6747df0b560eabe0499bf1fef7c18bb9f55effa018679845c6598fb78bf1b8d9d9f04a5f6062c2bbb91952755b3f7c948268cb647d0a0bb1286480615941154a01d23734bcafe3b164474e2f2efa77850686ee4541f3e79efa63545a7ae53d5f0c40cc86473f7eb093980bd0d97bb4750128d9c519984c5f731ea259e71b2f12d67ce12e52c283e74594dfc933e625737ed231d61263721d46daf093f770357cd78fe1431aef52b4a0a933f1a5334ad03f3876fc8a8e187f80318427b4c922075cf829e3cc49d71d52137b48e1fb6b05dd1c7b251a7059f0a4b4f3431f67fc65b75c202e43816e34ff41db85bacd77b25242830b788ae1e00"/2566], &(0x7f0000000340)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000080)={r5, 0x18000000000002a0, 0xe40, 0x0, &(0x7f0000000100)="b9ff03076844268cb89e14f005dd1be0ffff00fe3a21632f77fbac14141de007031762079f4b4d2f87e5feca6aab845013f2325f1a3901050b038da1880b25181aa59d943be3f4aed50ea5a6b8686731cb89ef77123c899b699eeaa8eaa0073461119663906400f30c0600000000000059b6d3296e8ca31bce1d8392078b72f24996ae17dffc2e43c8174b54b620636894aaacf28ff62616363c70a440aec4014caf28c0adc043084617d7ecf41e9d134589d46e5dfc4ca5780d38cae870b9a1df48b238190da450296b0ac01496ace23eefc9d4246dd14afbf79a2283a0bb7e1d235f3df126c3acc240d75a058f6efa6d1f5f7ff4000000000000000000", 0x0, 0x8, 0x60000000}, 0x1e) (async) sendmsg$IPSET_CMD_CREATE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000004c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="6c00000002060500000000000000000000000000120003006269746d61703a69702c6d616300000005000400000000000900020073797a3100000000200007800c00018008000140ac1414bb080008000000000008000600fffff53905000500020000000500010006"], 0x6c}, 0x1, 0x0, 0x0, 0x4810}, 0x0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-syz_genetlink_get_family_id$smc-sendmsg$SMC_PNETID_DEL-bpf$BPF_RAW_TRACEPOINT_OPEN-mkdirat$cgroup_root-bpf$ITER_CREATE-close-openat$cgroup_root-bpf$MAP_CREATE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_GET_PROG_INFO-bpf$MAP_GET_NEXT_KEY-openat$tun-ioctl$TUNSETIFF-ioctl$TUNSETQUEUE-openat$tun-ioctl$TUNSETIFF-openat$tun-close-socketpair$unix-ioctl$AUTOFS_IOC_EXPIRE-ioctl$SIOCSIFHWADDR detailed listing: executing program 0: r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000340)={0x18, 0x3, &(0x7f0000000d00)=ANY=[@ANYBLOB="1800000000000000000000000000000095"], &(0x7f0000000000)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r1 = syz_genetlink_get_family_id$smc(&(0x7f0000000240), 0xffffffffffffffff) sendmsg$SMC_PNETID_DEL(0xffffffffffffffff, &(0x7f00000006c0)={0x0, 0x4, &(0x7f0000000040)={&(0x7f0000000300)={0x14, r1, 0x1, 0x70bd2d, 0x0, {0x2, 0x2, 0x2}}, 0x14}, 0x1, 0x40030000000000, 0x0, 0x44880}, 0x20000000) r2 = bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f00000001c0)='task_newtask\x00', r0}, 0x10) mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup/syz1\x00', 0x1ff) r3 = bpf$ITER_CREATE(0xb, &(0x7f0000000100)={r2}, 0x8) close(r3) openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0) r4 = bpf$MAP_CREATE(0x0, &(0x7f0000000100)=@base={0x15, 0x10, 0x8, 0x0, 0x0, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50) r5 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x8, 0xf, &(0x7f0000000c80)=@ringbuf={{}, {{0x18, 0x1, 0x1, 0x0, r4}, {}, {0x7, 0x0, 0xb, 0x2}, {0x85, 0x0, 0x0, 0x51}}, {}, [], {{}, {}, {0x85, 0x0, 0x0, 0x5}}}, &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) bpf$BPF_GET_PROG_INFO(0x1c, &(0x7f00000003c0)={r5, 0x0, 0x0}, 0x10) bpf$MAP_GET_NEXT_KEY(0x4, &(0x7f0000000500)={r4, &(0x7f0000000240), 0x0}, 0x20) r6 = openat$tun(0xffffffffffffff9c, &(0x7f0000000040), 0x20702, 0x0) ioctl$TUNSETIFF(r6, 0x400454ca, &(0x7f0000000080)={'syzkaller0\x00', 0xca58c30f81b6079f}) ioctl$TUNSETQUEUE(r6, 0x400454d9, &(0x7f0000000280)={'veth1_to_bridge\x00', 0x400}) r7 = openat$tun(0xffffffffffffff9c, &(0x7f0000000040), 0x20702, 0x0) ioctl$TUNSETIFF(r7, 0x400454ca, &(0x7f0000000080)={'syzkaller0\x00', 0xca58c30f81b6079f}) r8 = openat$tun(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) close(r8) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000029c0)) ioctl$AUTOFS_IOC_EXPIRE(0xffffffffffffffff, 0x810c9365, &(0x7f00000000c0)={{0x4, 0x1e28}, 0x100, './file0\x00'}) ioctl$SIOCSIFHWADDR(r8, 0x8943, &(0x7f0000002280)={'syzkaller0\x00'}) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hidp-syz_init_net_socket$bt_l2cap-connect$inet6-connect$bt_l2cap-ioctl$sock_bt_hidp_HIDPCONNADD-ioctl$sock_bt_hidp_HIDPCONNDEL detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6) r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0) connect$inet6(0xffffffffffffffff, &(0x7f0000000040)={0xa, 0x4e23, 0x1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0x81}, 0x1c) connect$bt_l2cap(r1, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe) ioctl$sock_bt_hidp_HIDPCONNADD(r0, 0x400448c8, &(0x7f00000000c0)={r1, r1, 0xc, 0xffffffffffffff2c, &(0x7f00000009c0)="160000000000000000b20c00", 0x2, 0x7f, 0x16c0, 0x5505, 0x48b, 0x1, 0xffffffff, 'syz0\x00'}) ioctl$sock_bt_hidp_HIDPCONNDEL(r0, 0x400448c9, &(0x7f0000000000)={@fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}) program crashed: INFO: task hung in hidp_session_remove single: successfully extracted reproducer found reproducer with 6 syscalls minimizing guilty program testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hidp-syz_init_net_socket$bt_l2cap-connect$inet6-connect$bt_l2cap-ioctl$sock_bt_hidp_HIDPCONNADD detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6) r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0) connect$inet6(0xffffffffffffffff, &(0x7f0000000040)={0xa, 0x4e23, 0x1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0x81}, 0x1c) connect$bt_l2cap(r1, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe) ioctl$sock_bt_hidp_HIDPCONNADD(r0, 0x400448c8, &(0x7f00000000c0)={r1, r1, 0xc, 0xffffffffffffff2c, &(0x7f00000009c0)="160000000000000000b20c00", 0x2, 0x7f, 0x16c0, 0x5505, 0x48b, 0x1, 0xffffffff, 'syz0\x00'}) program crashed: INFO: task hung in hci_remote_features_evt testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hidp-syz_init_net_socket$bt_l2cap-connect$inet6-connect$bt_l2cap detailed listing: executing program 0: syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6) r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0) connect$inet6(0xffffffffffffffff, &(0x7f0000000040)={0xa, 0x4e23, 0x1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0x81}, 0x1c) connect$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hidp-syz_init_net_socket$bt_l2cap-connect$inet6-ioctl$sock_bt_hidp_HIDPCONNADD detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6) r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0) connect$inet6(0xffffffffffffffff, &(0x7f0000000040)={0xa, 0x4e23, 0x1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0x81}, 0x1c) ioctl$sock_bt_hidp_HIDPCONNADD(r0, 0x400448c8, &(0x7f00000000c0)={r1, r1, 0xc, 0xffffffffffffff2c, &(0x7f00000009c0)="160000000000000000b20c00", 0x2, 0x7f, 0x16c0, 0x5505, 0x48b, 0x1, 0xffffffff, 'syz0\x00'}) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hidp-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-ioctl$sock_bt_hidp_HIDPCONNADD detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6) r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0) connect$bt_l2cap(r1, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe) ioctl$sock_bt_hidp_HIDPCONNADD(r0, 0x400448c8, &(0x7f00000000c0)={r1, r1, 0xc, 0xffffffffffffff2c, &(0x7f00000009c0)="160000000000000000b20c00", 0x2, 0x7f, 0x16c0, 0x5505, 0x48b, 0x1, 0xffffffff, 'syz0\x00'}) program crashed: INFO: task hung in hci_remote_features_evt testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hidp-connect$bt_l2cap-ioctl$sock_bt_hidp_HIDPCONNADD detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6) connect$bt_l2cap(0xffffffffffffffff, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe) ioctl$sock_bt_hidp_HIDPCONNADD(r0, 0x400448c8, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff, 0xc, 0xffffffffffffff2c, &(0x7f00000009c0)="160000000000000000b20c00", 0x2, 0x7f, 0x16c0, 0x5505, 0x48b, 0x1, 0xffffffff, 'syz0\x00'}) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-connect$bt_l2cap-ioctl$sock_bt_hidp_HIDPCONNADD detailed listing: executing program 0: r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0) connect$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe) ioctl$sock_bt_hidp_HIDPCONNADD(0xffffffffffffffff, 0x400448c8, &(0x7f00000000c0)={r0, r0, 0xc, 0xffffffffffffff2c, &(0x7f00000009c0)="160000000000000000b20c00", 0x2, 0x7f, 0x16c0, 0x5505, 0x48b, 0x1, 0xffffffff, 'syz0\x00'}) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hidp-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-ioctl$sock_bt_hidp_HIDPCONNADD detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6) r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0) connect$bt_l2cap(r1, 0x0, 0x0) ioctl$sock_bt_hidp_HIDPCONNADD(r0, 0x400448c8, &(0x7f00000000c0)={r1, r1, 0xc, 0xffffffffffffff2c, &(0x7f00000009c0)="160000000000000000b20c00", 0x2, 0x7f, 0x16c0, 0x5505, 0x48b, 0x1, 0xffffffff, 'syz0\x00'}) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hidp-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-ioctl$sock_bt_hidp_HIDPCONNADD detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6) r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0) connect$bt_l2cap(r1, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe) ioctl$sock_bt_hidp_HIDPCONNADD(r0, 0x400448c8, 0x0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hidp-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-ioctl$sock_bt_hidp_HIDPCONNADD detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6) r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0) connect$bt_l2cap(r1, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe) ioctl$sock_bt_hidp_HIDPCONNADD(r0, 0x400448c8, &(0x7f00000000c0)={r1, r1, 0xc, 0x0, 0x0, 0x2, 0x7f, 0x16c0, 0x5505, 0x48b, 0x1, 0xffffffff, 'syz0\x00'}) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hidp-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-ioctl$sock_bt_hidp_HIDPCONNADD detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6) r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0) connect$bt_l2cap(r1, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe) ioctl$sock_bt_hidp_HIDPCONNADD(r0, 0x400448c8, &(0x7f00000000c0)={r1, r1, 0xc, 0x0, &(0x7f00000009c0), 0x2, 0x7f, 0x16c0, 0x5505, 0x48b, 0x1, 0xffffffff, 'syz0\x00'}) program did not crash extracting C reproducer testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hidp-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-ioctl$sock_bt_hidp_HIDPCONNADD program crashed: no output from test machine a never seen crash title: no output from test machine, ignore simplifying guilty program options testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hidp-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-ioctl$sock_bt_hidp_HIDPCONNADD detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6) r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0) connect$bt_l2cap(r1, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe) ioctl$sock_bt_hidp_HIDPCONNADD(r0, 0x400448c8, &(0x7f00000000c0)={r1, r1, 0xc, 0xffffffffffffff2c, &(0x7f00000009c0)="160000000000000000b20c00", 0x2, 0x7f, 0x16c0, 0x5505, 0x48b, 0x1, 0xffffffff, 'syz0\x00'}) program crashed: INFO: task hung in hci_remote_features_evt extracting C reproducer testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hidp-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-ioctl$sock_bt_hidp_HIDPCONNADD program crashed: no output from test machine a never seen crash title: no output from test machine, ignore testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hidp-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-ioctl$sock_bt_hidp_HIDPCONNADD detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6) r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0) connect$bt_l2cap(r1, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe) ioctl$sock_bt_hidp_HIDPCONNADD(r0, 0x400448c8, &(0x7f00000000c0)={r1, r1, 0xc, 0xffffffffffffff2c, &(0x7f00000009c0)="160000000000000000b20c00", 0x2, 0x7f, 0x16c0, 0x5505, 0x48b, 0x1, 0xffffffff, 'syz0\x00'}) program crashed: INFO: task hung in hci_remote_features_evt extracting C reproducer testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hidp-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-ioctl$sock_bt_hidp_HIDPCONNADD program crashed: no output from test machine a never seen crash title: no output from test machine, ignore reproducing took 2h18m55.597184745s repro crashed as (corrupted=false): INFO: task kworker/u9:1:5139 blocked for more than 143 seconds. Not tainted 6.15.0-rc7-syzkaller-01658-gea15e046263b #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u9:1 state:D stack:27192 pid:5139 tgid:5139 ppid:2 task_flags:0x4208060 flags:0x00004000 Workqueue: hci1 hci_rx_work Call Trace: context_switch kernel/sched/core.c:5382 [inline] __schedule+0x16e2/0x4cd0 kernel/sched/core.c:6767 __schedule_loop kernel/sched/core.c:6845 [inline] schedule+0x165/0x360 kernel/sched/core.c:6860 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6917 __mutex_lock_common kernel/locking/mutex.c:678 [inline] __mutex_lock+0x724/0xe80 kernel/locking/mutex.c:746 hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 hci_event_func net/bluetooth/hci_event.c:7511 [inline] hci_event_packet+0x7e3/0x1200 net/bluetooth/hci_event.c:7565 hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4036 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xadb/0x17a0 kernel/workqueue.c:3319 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400 kthread+0x70e/0x8a0 kernel/kthread.c:464 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 INFO: task syz-executor:5929 blocked for more than 144 seconds. Not tainted 6.15.0-rc7-syzkaller-01658-gea15e046263b #0 Blocked by coredump. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor state:D stack:22136 pid:5929 tgid:5929 ppid:1 task_flags:0x40054c flags:0x00004006 Call Trace: context_switch kernel/sched/core.c:5382 [inline] __schedule+0x16e2/0x4cd0 kernel/sched/core.c:6767 __schedule_loop kernel/sched/core.c:6845 [inline] schedule+0x165/0x360 kernel/sched/core.c:6860 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75 do_wait_for_common kernel/sched/completion.c:95 [inline] __wait_for_common kernel/sched/completion.c:116 [inline] wait_for_common kernel/sched/completion.c:127 [inline] wait_for_completion+0x2bf/0x5d0 kernel/sched/completion.c:148 __flush_work+0x9b9/0xbc0 kernel/workqueue.c:4244 __cancel_work_sync+0xbe/0x110 kernel/workqueue.c:4364 hidp_session_remove+0x62/0x260 net/bluetooth/hidp/core.c:1169 l2cap_unregister_all_users net/bluetooth/l2cap_core.c:1748 [inline] l2cap_conn_del+0x23d/0x680 net/bluetooth/l2cap_core.c:1777 hci_disconn_cfm include/net/bluetooth/hci_core.h:2065 [inline] hci_conn_hash_flush+0x10a/0x230 net/bluetooth/hci_conn.c:2543 hci_dev_close_sync+0xaef/0x1330 net/bluetooth/hci_sync.c:5225 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline] hci_unregister_dev+0x206/0x500 net/bluetooth/hci_core.c:2678 vhci_release+0x80/0xd0 drivers/bluetooth/hci_vhci.c:665 __fput+0x44c/0xa70 fs/file_table.c:465 task_work_run+0x1d1/0x260 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0x8d6/0x2550 kernel/exit.c:953 do_group_exit+0x21c/0x2d0 kernel/exit.c:1102 get_signal+0x125e/0x1310 kernel/signal.c:3034 arch_do_signal_or_restart+0x95/0x780 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x8b/0x120 kernel/entry/common.c:218 do_syscall_64+0x103/0x210 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe5caf8df17 RSP: 002b:00007ffe3a22b918 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fe5caf8df17 RDX: 00007ffe3a22b940 RSI: 00007ffe3a22b9d0 RDI: 00007ffe3a22b9d0 RBP: 00007ffe3a22b9d0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe3a22ca60 R13: 00007fe5cb01089d R14: 000000000001f705 R15: 00007ffe3a22caa0 INFO: task khidpd_16c05505:5971 blocked for more than 145 seconds. Not tainted 6.15.0-rc7-syzkaller-01658-gea15e046263b #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:khidpd_16c05505 state:D stack:29576 pid:5971 tgid:5971 ppid:2 task_flags:0x208040 flags:0x00004000 Call Trace: context_switch kernel/sched/core.c:5382 [inline] __schedule+0x16e2/0x4cd0 kernel/sched/core.c:6767 __schedule_loop kernel/sched/core.c:6845 [inline] schedule+0x165/0x360 kernel/sched/core.c:6860 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6917 __mutex_lock_common kernel/locking/mutex.c:678 [inline] __mutex_lock+0x724/0xe80 kernel/locking/mutex.c:746 l2cap_unregister_user+0x6a/0x1b0 net/bluetooth/l2cap_core.c:1728 hidp_session_thread+0x3c9/0x410 net/bluetooth/hidp/core.c:1304 kthread+0x70e/0x8a0 kernel/kthread.c:464 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 INFO: task syz.0.616:6591 blocked for more than 146 seconds. Not tainted 6.15.0-rc7-syzkaller-01658-gea15e046263b #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz.0.616 state:D stack:27288 pid:6591 tgid:6591 ppid:6578 task_flags:0x400140 flags:0x00000004 Call Trace: context_switch kernel/sched/core.c:5382 [inline] __schedule+0x16e2/0x4cd0 kernel/sched/core.c:6767 __schedule_loop kernel/sched/core.c:6845 [inline] schedule+0x165/0x360 kernel/sched/core.c:6860 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6917 __mutex_lock_common kernel/locking/mutex.c:678 [inline] __mutex_lock+0x724/0xe80 kernel/locking/mutex.c:746 l2cap_chan_connect+0x102/0xe30 net/bluetooth/l2cap_core.c:6956 l2cap_sock_connect+0x5c5/0x7a0 net/bluetooth/l2cap_sock.c:256 __sys_connect_file net/socket.c:2038 [inline] __sys_connect+0x316/0x440 net/socket.c:2057 __do_sys_connect net/socket.c:2063 [inline] __se_sys_connect net/socket.c:2060 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2060 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff97d58e969 RSP: 002b:00007fffe499daf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 00007ff97d7b5fa0 RCX: 00007ff97d58e969 RDX: 000000000000000e RSI: 0000200000000080 RDI: 0000000000000005 RBP: 00007ff97d610ab1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ff97d7b5fa0 R14: 00007ff97d7b5fa0 R15: 0000000000000003 Showing all locks held in the system: 8 locks held by kworker/1:0/24: 1 lock held by khungtaskd/31: #0: ffffffff8df3dee0 ( rcu_read_lock ){....}-{1:3} , at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline] , at: rcu_read_lock include/linux/rcupdate.h:841 [inline] , at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6764 4 locks held by kworker/u9:0/56: #0: ffff88807e6f9148 ((wq_completion)hci4#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline] #0: ffff88807e6f9148 ((wq_completion)hci4#2){+.+.}-{0:0}, at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319 #1: ffffc9000101fc60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline] #1: ffffc9000101fc60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319 #2: ffff888030a34078 (&hdev->lock){+.+.}-{4:4}, at: hci_remote_features_evt+0x9b/0x8e0 net/bluetooth/hci_event.c:3713 #3: ffffffff8f462668 ( hci_cb_list_lock ){+.+.}-{4:4} , at: hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] , at: hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 4 locks held by kworker/u9:1/5139: #0: ffff888027c2c148 ( (wq_completion)hci1 #2 ){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3213 [inline] , at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319 #1: ffffc9000ee47c60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline] #1: ffffc9000ee47c60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319 #2: ffff8880632ec078 (&hdev->lock){+.+.}-{4:4}, at: hci_remote_features_evt+0x9b/0x8e0 net/bluetooth/hci_event.c:3713 #3: ffffffff8f462668 ( hci_cb_list_lock ){+.+.}-{4:4} , at: hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] , at: hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 2 locks held by getty/5593: #0: ffff8880308820a0 ( &tty->ldisc_sem ){++++}-{0:0} , at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243 #1: ffffc9000333b2f0 ( &ldata->atomic_read_lock ){+.+.}-{4:4} , at: n_tty_read+0x43e/0x1400 drivers/tty/n_tty.c:2222 4 locks held by kworker/u9:2/5883: #0: ffff88807ce99148 ((wq_completion)hci5#2){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3213 [inline] , at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319 #1: ffffc9000484fc60 ((work_completion)(&hdev->rx_work) ){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3214 [inline] , at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319 #2: ffff8880719bc078 ( &hdev->lock ){+.+.}-{4:4} , at: hci_remote_features_evt+0x9b/0x8e0 net/bluetooth/hci_event.c:3713 #3: ffffffff8f462668 ( hci_cb_list_lock ){+.+.}-{4:4} , at: hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] , at: hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 5 locks held by syz-executor/5929: #0: ffff88802596cd80 ( &hdev->req_lock ){+.+.}-{4:4} , at: hci_dev_do_close net/bluetooth/hci_core.c:481 [inline] , at: hci_unregister_dev+0x1fe/0x500 net/bluetooth/hci_core.c:2678 #1: ffff88802596c078 ( &hdev->lock ){+.+.}-{4:4} , at: hci_dev_close_sync+0x66a/0x1330 net/bluetooth/hci_sync.c:5213 #2: ffffffff8f462668 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:2062 [inline] (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x230 net/bluetooth/hci_conn.c:2543 #3: ffff88807faa1b38 (&conn->lock#2){+.+.}-{4:4} , at: l2cap_conn_del+0x70/0x680 net/bluetooth/l2cap_core.c:1762 #4: ffffffff8f48b4f0 ( hidp_session_sem ){++++}-{4:4} , at: hidp_session_remove+0x2c/0x260 net/bluetooth/hidp/core.c:1165 1 lock held by khidpd_16c05505/5971: #0: ffff88802596c078 ( &hdev->lock ){+.+.}-{4:4} , at: l2cap_unregister_user+0x6a/0x1b0 net/bluetooth/l2cap_core.c:1728 1 lock held by syz.0.616/6591: #0: ffff8880632ec078 (&hdev->lock ){+.+.}-{4:4} , at: l2cap_chan_connect+0x102/0xe30 net/bluetooth/l2cap_core.c:6956 4 locks held by kworker/u9:3/6596: #0: ffff888064acb148 ((wq_completion)hci2 #2 ){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3213 [inline] , at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319 #1: ffffc9000d327c60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline] ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319 #2: ffff8880640a0078 (&hdev->lock){+.+.}-{4:4} , at: hci_remote_features_evt+0x9b/0x8e0 net/bluetooth/hci_event.c:3713 #3: ffffffff8f462668 ( hci_cb_list_lock ){+.+.}-{4:4} , at: hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] , at: hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 1 lock held by syz.1.617/6608: #0: ffff8880640a0078 ( &hdev->lock ){+.+.}-{4:4} , at: l2cap_chan_connect+0x102/0xe30 net/bluetooth/l2cap_core.c:6956 4 locks held by kworker/u9:4/6612: #0: ffff888028a30948 ( (wq_completion)hci3 #2 ){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3213 [inline] , at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319 #1: ffffc9000d3afc60 ( (work_completion)(&hdev->rx_work) ){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3214 [inline] , at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319 #2: ffff8880713dc078 ( &hdev->lock ){+.+.}-{4:4} , at: hci_remote_features_evt+0x9b/0x8e0 net/bluetooth/hci_event.c:3713 #3: ffffffff8f462668 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] (hci_cb_list_lock){+.+.}-{4:4}, at: hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 1 lock held by syz.2.618/6625: #0: ffff8880713dc078 (&hdev->lock){+.+.}-{4:4}, at: l2cap_chan_connect+0x102/0xe30 net/bluetooth/l2cap_core.c:6956 4 locks held by kworker/u9:5/6629: #0: ffff88805fc54148 ((wq_completion)hci9#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline] #0: ffff88805fc54148 ((wq_completion)hci9#2){+.+.}-{0:0}, at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319 #1: ffffc9000396fc60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline] #1: ffffc9000396fc60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319 #2: ffff88807d1c0078 ( &hdev->lock ){+.+.}-{4:4} , at: hci_remote_features_evt+0x9b/0x8e0 net/bluetooth/hci_event.c:3713 #3: ffffffff8f462668 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] (hci_cb_list_lock){+.+.}-{4:4}, at: hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 1 lock held by syz.3.619/6642: #0: ffff888030a34078 ( &hdev->lock ){+.+.}-{4:4} , at: l2cap_chan_connect+0x102/0xe30 net/bluetooth/l2cap_core.c:6956 4 locks held by kworker/u9:6/6651: #0: ffff888029098948 ((wq_completion)hci6#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline] ((wq_completion)hci6#2){+.+.}-{0:0}, at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319 #1: ffffc9000d4d7c60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline] #1: ffffc9000d4d7c60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319 #2: ffff8880715c4078 (&hdev->lock){+.+.}-{4:4}, at: hci_remote_features_evt+0x9b/0x8e0 net/bluetooth/hci_event.c:3713 #3: ffffffff8f462668 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] #3: ffffffff8f462668 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 1 lock held by syz.4.620/6669: #0: ffff8880719bc078 ( &hdev->lock ){+.+.}-{4:4} , at: l2cap_chan_connect+0x102/0xe30 net/bluetooth/l2cap_core.c:6956 4 locks held by kworker/u9:7/6673: #0: ffff8880222c1948 ( (wq_completion)hci8 #2 ){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3213 [inline] , at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319 #1: ffffc9000d567c60 ( (work_completion)(&hdev->rx_work) ){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3214 [inline] , at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319 #2: ffff888064b1c078 ( &hdev->lock ){+.+.}-{4:4} , at: hci_remote_features_evt+0x9b/0x8e0 net/bluetooth/hci_event.c:3713 #3: ffffffff8f462668 ( hci_cb_list_lock ){+.+.}-{4:4} , at: hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] , at: hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 1 lock held by syz.5.621/6691: #0: ffff8880715c4078 (&hdev->lock){+.+.}-{4:4}, at: l2cap_chan_connect+0x102/0xe30 net/bluetooth/l2cap_core.c:6956 4 locks held by kworker/u9:8/6696: #0: ffff88806ecdd948 ( (wq_completion)hci7 #2 ){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3213 [inline] , at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319 #1: ffffc9000d5dfc60 ( (work_completion)(&hdev->rx_work) ){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3214 [inline] , at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319 #2: ffff8880328fc078 ( &hdev->lock ){+.+.}-{4:4} , at: hci_remote_features_evt+0x9b/0x8e0 net/bluetooth/hci_event.c:3713 #3: ffffffff8f462668 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] #3: ffffffff8f462668 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 1 lock held by syz.6.622/6713: #0: ffff8880328fc078 (&hdev->lock){+.+.}-{4:4}, at: l2cap_chan_connect+0x102/0xe30 net/bluetooth/l2cap_core.c:6956 1 lock held by syz.7.623/6741: #0: ffff888064b1c078 ( &hdev->lock){+.+.}-{4:4}, at: l2cap_chan_connect+0x102/0xe30 net/bluetooth/l2cap_core.c:6956 3 locks held by syz-executor/6743: #0: ffffffff8ea945e0 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline] #0: ffffffff8ea945e0 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline] #0: ffffffff8ea945e0 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570 #1: ffffffff8f2fab48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline] #1: ffffffff8f2fab48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline] #1: ffffffff8f2fab48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4065 #2: ffffffff8df439b8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:304 [inline] #2: ffffffff8df439b8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x2f4/0x730 kernel/rcu/tree_exp.h:998 ============================================= NMI backtrace for cpu 0 CPU: 0 UID: 0 PID: 31 Comm: khungtaskd Not tainted 6.15.0-rc7-syzkaller-01658-gea15e046263b #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113 final repro crashed as (corrupted=false): INFO: task kworker/u9:1:5139 blocked for more than 143 seconds. Not tainted 6.15.0-rc7-syzkaller-01658-gea15e046263b #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u9:1 state:D stack:27192 pid:5139 tgid:5139 ppid:2 task_flags:0x4208060 flags:0x00004000 Workqueue: hci1 hci_rx_work Call Trace: context_switch kernel/sched/core.c:5382 [inline] __schedule+0x16e2/0x4cd0 kernel/sched/core.c:6767 __schedule_loop kernel/sched/core.c:6845 [inline] schedule+0x165/0x360 kernel/sched/core.c:6860 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6917 __mutex_lock_common kernel/locking/mutex.c:678 [inline] __mutex_lock+0x724/0xe80 kernel/locking/mutex.c:746 hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 hci_event_func net/bluetooth/hci_event.c:7511 [inline] hci_event_packet+0x7e3/0x1200 net/bluetooth/hci_event.c:7565 hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4036 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xadb/0x17a0 kernel/workqueue.c:3319 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400 kthread+0x70e/0x8a0 kernel/kthread.c:464 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 INFO: task syz-executor:5929 blocked for more than 144 seconds. Not tainted 6.15.0-rc7-syzkaller-01658-gea15e046263b #0 Blocked by coredump. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor state:D stack:22136 pid:5929 tgid:5929 ppid:1 task_flags:0x40054c flags:0x00004006 Call Trace: context_switch kernel/sched/core.c:5382 [inline] __schedule+0x16e2/0x4cd0 kernel/sched/core.c:6767 __schedule_loop kernel/sched/core.c:6845 [inline] schedule+0x165/0x360 kernel/sched/core.c:6860 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75 do_wait_for_common kernel/sched/completion.c:95 [inline] __wait_for_common kernel/sched/completion.c:116 [inline] wait_for_common kernel/sched/completion.c:127 [inline] wait_for_completion+0x2bf/0x5d0 kernel/sched/completion.c:148 __flush_work+0x9b9/0xbc0 kernel/workqueue.c:4244 __cancel_work_sync+0xbe/0x110 kernel/workqueue.c:4364 hidp_session_remove+0x62/0x260 net/bluetooth/hidp/core.c:1169 l2cap_unregister_all_users net/bluetooth/l2cap_core.c:1748 [inline] l2cap_conn_del+0x23d/0x680 net/bluetooth/l2cap_core.c:1777 hci_disconn_cfm include/net/bluetooth/hci_core.h:2065 [inline] hci_conn_hash_flush+0x10a/0x230 net/bluetooth/hci_conn.c:2543 hci_dev_close_sync+0xaef/0x1330 net/bluetooth/hci_sync.c:5225 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline] hci_unregister_dev+0x206/0x500 net/bluetooth/hci_core.c:2678 vhci_release+0x80/0xd0 drivers/bluetooth/hci_vhci.c:665 __fput+0x44c/0xa70 fs/file_table.c:465 task_work_run+0x1d1/0x260 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0x8d6/0x2550 kernel/exit.c:953 do_group_exit+0x21c/0x2d0 kernel/exit.c:1102 get_signal+0x125e/0x1310 kernel/signal.c:3034 arch_do_signal_or_restart+0x95/0x780 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x8b/0x120 kernel/entry/common.c:218 do_syscall_64+0x103/0x210 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe5caf8df17 RSP: 002b:00007ffe3a22b918 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fe5caf8df17 RDX: 00007ffe3a22b940 RSI: 00007ffe3a22b9d0 RDI: 00007ffe3a22b9d0 RBP: 00007ffe3a22b9d0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe3a22ca60 R13: 00007fe5cb01089d R14: 000000000001f705 R15: 00007ffe3a22caa0 INFO: task khidpd_16c05505:5971 blocked for more than 145 seconds. Not tainted 6.15.0-rc7-syzkaller-01658-gea15e046263b #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:khidpd_16c05505 state:D stack:29576 pid:5971 tgid:5971 ppid:2 task_flags:0x208040 flags:0x00004000 Call Trace: context_switch kernel/sched/core.c:5382 [inline] __schedule+0x16e2/0x4cd0 kernel/sched/core.c:6767 __schedule_loop kernel/sched/core.c:6845 [inline] schedule+0x165/0x360 kernel/sched/core.c:6860 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6917 __mutex_lock_common kernel/locking/mutex.c:678 [inline] __mutex_lock+0x724/0xe80 kernel/locking/mutex.c:746 l2cap_unregister_user+0x6a/0x1b0 net/bluetooth/l2cap_core.c:1728 hidp_session_thread+0x3c9/0x410 net/bluetooth/hidp/core.c:1304 kthread+0x70e/0x8a0 kernel/kthread.c:464 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 INFO: task syz.0.616:6591 blocked for more than 146 seconds. Not tainted 6.15.0-rc7-syzkaller-01658-gea15e046263b #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz.0.616 state:D stack:27288 pid:6591 tgid:6591 ppid:6578 task_flags:0x400140 flags:0x00000004 Call Trace: context_switch kernel/sched/core.c:5382 [inline] __schedule+0x16e2/0x4cd0 kernel/sched/core.c:6767 __schedule_loop kernel/sched/core.c:6845 [inline] schedule+0x165/0x360 kernel/sched/core.c:6860 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6917 __mutex_lock_common kernel/locking/mutex.c:678 [inline] __mutex_lock+0x724/0xe80 kernel/locking/mutex.c:746 l2cap_chan_connect+0x102/0xe30 net/bluetooth/l2cap_core.c:6956 l2cap_sock_connect+0x5c5/0x7a0 net/bluetooth/l2cap_sock.c:256 __sys_connect_file net/socket.c:2038 [inline] __sys_connect+0x316/0x440 net/socket.c:2057 __do_sys_connect net/socket.c:2063 [inline] __se_sys_connect net/socket.c:2060 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2060 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff97d58e969 RSP: 002b:00007fffe499daf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 00007ff97d7b5fa0 RCX: 00007ff97d58e969 RDX: 000000000000000e RSI: 0000200000000080 RDI: 0000000000000005 RBP: 00007ff97d610ab1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ff97d7b5fa0 R14: 00007ff97d7b5fa0 R15: 0000000000000003 Showing all locks held in the system: 8 locks held by kworker/1:0/24: 1 lock held by khungtaskd/31: #0: ffffffff8df3dee0 ( rcu_read_lock ){....}-{1:3} , at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline] , at: rcu_read_lock include/linux/rcupdate.h:841 [inline] , at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6764 4 locks held by kworker/u9:0/56: #0: ffff88807e6f9148 ((wq_completion)hci4#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline] #0: ffff88807e6f9148 ((wq_completion)hci4#2){+.+.}-{0:0}, at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319 #1: ffffc9000101fc60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline] #1: ffffc9000101fc60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319 #2: ffff888030a34078 (&hdev->lock){+.+.}-{4:4}, at: hci_remote_features_evt+0x9b/0x8e0 net/bluetooth/hci_event.c:3713 #3: ffffffff8f462668 ( hci_cb_list_lock ){+.+.}-{4:4} , at: hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] , at: hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 4 locks held by kworker/u9:1/5139: #0: ffff888027c2c148 ( (wq_completion)hci1 #2 ){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3213 [inline] , at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319 #1: ffffc9000ee47c60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline] #1: ffffc9000ee47c60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319 #2: ffff8880632ec078 (&hdev->lock){+.+.}-{4:4}, at: hci_remote_features_evt+0x9b/0x8e0 net/bluetooth/hci_event.c:3713 #3: ffffffff8f462668 ( hci_cb_list_lock ){+.+.}-{4:4} , at: hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] , at: hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 2 locks held by getty/5593: #0: ffff8880308820a0 ( &tty->ldisc_sem ){++++}-{0:0} , at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243 #1: ffffc9000333b2f0 ( &ldata->atomic_read_lock ){+.+.}-{4:4} , at: n_tty_read+0x43e/0x1400 drivers/tty/n_tty.c:2222 4 locks held by kworker/u9:2/5883: #0: ffff88807ce99148 ((wq_completion)hci5#2){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3213 [inline] , at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319 #1: ffffc9000484fc60 ((work_completion)(&hdev->rx_work) ){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3214 [inline] , at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319 #2: ffff8880719bc078 ( &hdev->lock ){+.+.}-{4:4} , at: hci_remote_features_evt+0x9b/0x8e0 net/bluetooth/hci_event.c:3713 #3: ffffffff8f462668 ( hci_cb_list_lock ){+.+.}-{4:4} , at: hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] , at: hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 5 locks held by syz-executor/5929: #0: ffff88802596cd80 ( &hdev->req_lock ){+.+.}-{4:4} , at: hci_dev_do_close net/bluetooth/hci_core.c:481 [inline] , at: hci_unregister_dev+0x1fe/0x500 net/bluetooth/hci_core.c:2678 #1: ffff88802596c078 ( &hdev->lock ){+.+.}-{4:4} , at: hci_dev_close_sync+0x66a/0x1330 net/bluetooth/hci_sync.c:5213 #2: ffffffff8f462668 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:2062 [inline] (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x230 net/bluetooth/hci_conn.c:2543 #3: ffff88807faa1b38 (&conn->lock#2){+.+.}-{4:4} , at: l2cap_conn_del+0x70/0x680 net/bluetooth/l2cap_core.c:1762 #4: ffffffff8f48b4f0 ( hidp_session_sem ){++++}-{4:4} , at: hidp_session_remove+0x2c/0x260 net/bluetooth/hidp/core.c:1165 1 lock held by khidpd_16c05505/5971: #0: ffff88802596c078 ( &hdev->lock ){+.+.}-{4:4} , at: l2cap_unregister_user+0x6a/0x1b0 net/bluetooth/l2cap_core.c:1728 1 lock held by syz.0.616/6591: #0: ffff8880632ec078 (&hdev->lock ){+.+.}-{4:4} , at: l2cap_chan_connect+0x102/0xe30 net/bluetooth/l2cap_core.c:6956 4 locks held by kworker/u9:3/6596: #0: ffff888064acb148 ((wq_completion)hci2 #2 ){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3213 [inline] , at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319 #1: ffffc9000d327c60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline] ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319 #2: ffff8880640a0078 (&hdev->lock){+.+.}-{4:4} , at: hci_remote_features_evt+0x9b/0x8e0 net/bluetooth/hci_event.c:3713 #3: ffffffff8f462668 ( hci_cb_list_lock ){+.+.}-{4:4} , at: hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] , at: hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 1 lock held by syz.1.617/6608: #0: ffff8880640a0078 ( &hdev->lock ){+.+.}-{4:4} , at: l2cap_chan_connect+0x102/0xe30 net/bluetooth/l2cap_core.c:6956 4 locks held by kworker/u9:4/6612: #0: ffff888028a30948 ( (wq_completion)hci3 #2 ){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3213 [inline] , at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319 #1: ffffc9000d3afc60 ( (work_completion)(&hdev->rx_work) ){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3214 [inline] , at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319 #2: ffff8880713dc078 ( &hdev->lock ){+.+.}-{4:4} , at: hci_remote_features_evt+0x9b/0x8e0 net/bluetooth/hci_event.c:3713 #3: ffffffff8f462668 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] (hci_cb_list_lock){+.+.}-{4:4}, at: hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 1 lock held by syz.2.618/6625: #0: ffff8880713dc078 (&hdev->lock){+.+.}-{4:4}, at: l2cap_chan_connect+0x102/0xe30 net/bluetooth/l2cap_core.c:6956 4 locks held by kworker/u9:5/6629: #0: ffff88805fc54148 ((wq_completion)hci9#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline] #0: ffff88805fc54148 ((wq_completion)hci9#2){+.+.}-{0:0}, at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319 #1: ffffc9000396fc60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline] #1: ffffc9000396fc60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319 #2: ffff88807d1c0078 ( &hdev->lock ){+.+.}-{4:4} , at: hci_remote_features_evt+0x9b/0x8e0 net/bluetooth/hci_event.c:3713 #3: ffffffff8f462668 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] (hci_cb_list_lock){+.+.}-{4:4}, at: hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 1 lock held by syz.3.619/6642: #0: ffff888030a34078 ( &hdev->lock ){+.+.}-{4:4} , at: l2cap_chan_connect+0x102/0xe30 net/bluetooth/l2cap_core.c:6956 4 locks held by kworker/u9:6/6651: #0: ffff888029098948 ((wq_completion)hci6#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline] ((wq_completion)hci6#2){+.+.}-{0:0}, at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319 #1: ffffc9000d4d7c60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline] #1: ffffc9000d4d7c60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319 #2: ffff8880715c4078 (&hdev->lock){+.+.}-{4:4}, at: hci_remote_features_evt+0x9b/0x8e0 net/bluetooth/hci_event.c:3713 #3: ffffffff8f462668 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] #3: ffffffff8f462668 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 1 lock held by syz.4.620/6669: #0: ffff8880719bc078 ( &hdev->lock ){+.+.}-{4:4} , at: l2cap_chan_connect+0x102/0xe30 net/bluetooth/l2cap_core.c:6956 4 locks held by kworker/u9:7/6673: #0: ffff8880222c1948 ( (wq_completion)hci8 #2 ){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3213 [inline] , at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319 #1: ffffc9000d567c60 ( (work_completion)(&hdev->rx_work) ){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3214 [inline] , at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319 #2: ffff888064b1c078 ( &hdev->lock ){+.+.}-{4:4} , at: hci_remote_features_evt+0x9b/0x8e0 net/bluetooth/hci_event.c:3713 #3: ffffffff8f462668 ( hci_cb_list_lock ){+.+.}-{4:4} , at: hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] , at: hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 1 lock held by syz.5.621/6691: #0: ffff8880715c4078 (&hdev->lock){+.+.}-{4:4}, at: l2cap_chan_connect+0x102/0xe30 net/bluetooth/l2cap_core.c:6956 4 locks held by kworker/u9:8/6696: #0: ffff88806ecdd948 ( (wq_completion)hci7 #2 ){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3213 [inline] , at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319 #1: ffffc9000d5dfc60 ( (work_completion)(&hdev->rx_work) ){+.+.}-{0:0} , at: process_one_work kernel/workqueue.c:3214 [inline] , at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319 #2: ffff8880328fc078 ( &hdev->lock ){+.+.}-{4:4} , at: hci_remote_features_evt+0x9b/0x8e0 net/bluetooth/hci_event.c:3713 #3: ffffffff8f462668 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:2047 [inline] #3: ffffffff8f462668 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_remote_features_evt+0x516/0x8e0 net/bluetooth/hci_event.c:3747 1 lock held by syz.6.622/6713: #0: ffff8880328fc078 (&hdev->lock){+.+.}-{4:4}, at: l2cap_chan_connect+0x102/0xe30 net/bluetooth/l2cap_core.c:6956 1 lock held by syz.7.623/6741: #0: ffff888064b1c078 ( &hdev->lock){+.+.}-{4:4}, at: l2cap_chan_connect+0x102/0xe30 net/bluetooth/l2cap_core.c:6956 3 locks held by syz-executor/6743: #0: ffffffff8ea945e0 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline] #0: ffffffff8ea945e0 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline] #0: ffffffff8ea945e0 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570 #1: ffffffff8f2fab48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline] #1: ffffffff8f2fab48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline] #1: ffffffff8f2fab48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4065 #2: ffffffff8df439b8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:304 [inline] #2: ffffffff8df439b8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x2f4/0x730 kernel/rcu/tree_exp.h:998 ============================================= NMI backtrace for cpu 0 CPU: 0 UID: 0 PID: 31 Comm: khungtaskd Not tainted 6.15.0-rc7-syzkaller-01658-gea15e046263b #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113