Extracting prog: 28m35.485876493s
Minimizing prog: 7m11.322988078s
Simplifying prog options: 1m41.78356681s
Extracting C: 39.040533648s
Simplifying C: 9m37.412808033s


extracting reproducer from 24 programs
testing a last program of every proc
single: executing 4 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$cgroup-openat$cgroup_ro-syz_emit_vhci-syz_emit_vhci-bpf$PROG_LOAD_XDP-syz_init_net_socket$bt_sco-openat$kvm-socket$packet-setsockopt$packet_int-ioctl$FS_IOC_GET_ENCRYPTION_NONCE-setsockopt$packet_int
detailed listing:
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-ioctl$KVM_CREATE_VM-openat$cgroup_ro-syz_emit_ethernet-write$binfmt_script-mmap-bpf$MAP_UPDATE_CONST_STR-preadv-syz_emit_ethernet-ioctl$KVM_SET_USER_MEMORY_REGION-syz_kvm_setup_cpu$x86-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-recvmmsg-bpf$BPF_RAW_TRACEPOINT_OPEN-ioctl$KVM_RUN
detailed listing:
executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000300)='blkio.bfq.io_merged_recursive\x00', 0x275a, 0x0)
syz_emit_ethernet(0x36, &(0x7f0000000100)=ANY=[@ANYBLOB="000002f0d31209000000bc2e79e995"], 0x0)
write$binfmt_script(r2, &(0x7f0000000100), 0x208e24b)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2, 0x28011, r2, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f00000001c0)={{}, &(0x7f0000000000), 0x0}, 0x20)
preadv(r2, &(0x7f00000015c0)=[{&(0x7f0000000080)=""/124, 0xffffff23}], 0x3e, 0x0, 0x0)
syz_emit_ethernet(0x4a, &(0x7f0000000000)=ANY=[@ANYBLOB="aaaaaaaaaaaaffffffffffff86dd600a847500140600fe800000000000", @ANYRES32=0x41424344], 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000327000/0x18000)=nil, &(0x7f0000000040)=[@text16={0x10, &(0x7f0000000180)="66b9800000c00f326635000800000f300f0f1c9a65660ff3b20618baa000ec672e660f38803d004000000f285473f61366b9800000c00f326635004000000f300f20e06635800000000f22e0f30fa6c8", 0x50}], 0x1, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000000000/0x18000)=nil, &(0x7f00000004c0)=[@text32={0x20, 0x0}], 0x1, 0x0, 0x0, 0x0)
recvmmsg(0xffffffffffffffff, &(0x7f0000000180)=[{{0x0, 0x0, 0x0, 0x0, &(0x7f0000002540)=""/216, 0xd8}}], 0x1, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={0x0}, 0x10)
ioctl$KVM_RUN(r3, 0xae80, 0x0)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-gettid-socketpair$unix-ioctl$int_in-fcntl$setsig-syz_io_uring_setup-syz_clone3-syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-accept4$bt_l2cap-dup2-fcntl$setown-tkill-ioctl$DRM_IOCTL_SYNCOBJ_CREATE-ioctl$DRM_IOCTL_SYNCOBJ_DESTROY-socket$nl_netfilter-sendmsg$IPCTNL_MSG_CT_DELETE-sendmsg$NFT_MSG_GETOBJ
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
r1 = gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
ioctl$int_in(r2, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r2, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r4, &(0x7f0000000040), 0x8)
listen(r4, 0x0)
r5 = dup2(r4, r4)
accept4$bt_l2cap(r5, 0x0, 0x0, 0x0)
dup2(r2, r3)
fcntl$setown(r2, 0x8, r1)
tkill(r1, 0x13)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r0, 0xc00864bf, &(0x7f0000000140)={<r6=>0x0, 0x1})
ioctl$DRM_IOCTL_SYNCOBJ_DESTROY(r0, 0xc00864c0, &(0x7f0000000400)={r6})
r7 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_DELETE(r7, &(0x7f00000000c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000080)={&(0x7f00000001c0)=ANY=[@ANYBLOB="3c0000000201030000000000000003000000000000000280aa2eb0f65a672019dd421400018008000100ac14144808000200e0000001060012400001000008000c4000000003"], 0x3c}}, 0x4)
sendmsg$NFT_MSG_GETOBJ(r7, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="34000000130a03000000000000000000020000000900020073797a310000000008000340"], 0x34}}, 0x0)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$cgroup_ro-syz_open_dev$sg-dup2-mmap-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VCPU-ioctl$KVM_RUN-syz_kvm_setup_cpu$x86-ioctl$KVM_RUN-setsockopt$IP_VS_SO_SET_STARTDAEMON-setsockopt$IP_VS_SO_SET_STOPDAEMON-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000480)='blkio.throttle.io_serviced\x00', 0x275a, 0x0)
r1 = syz_open_dev$sg(&(0x7f00000060c0), 0x0, 0x0)
dup2(r1, r0)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x200000b, 0x12, r0, 0x0)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000004c0), 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil})
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text32={0x20, 0x0}], 0x1, 0x0, 0x0, 0x0)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
setsockopt$IP_VS_SO_SET_STARTDAEMON(0xffffffffffffffff, 0x0, 0x48b, &(0x7f0000002100)={0x1, 'netpci0\x00'}, 0x18)
setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000000)={0x1, 'dummy0\x00'}, 0x18)
bpf$PROG_LOAD(0x5, &(0x7f00000017c0)={0x1, 0xe, &(0x7f0000001880)=ANY=[@ANYBLOB="b700000081000000bfa30000000000000703000003feffff720a00fef8ffffff71a4f1ff0000000071302000000000001d400500000000004704000001ed00000f030000000000001d44000000000000620a00ff040400007203000000000000b500f7ff000000009500000000000000023bc065b58111c6dfa041b63af4a3912435f1a864a710aad58db6a693002e7f3be361917adef6ee1c8a2a4f8ef1e50becb19bc461e91a7168c50000000190f32050e436fe275daf51efd601b6bf01c8e8b1b526375ec4dd6fcd82e4fe51bef7af9aa0d7d600c095199fe3380d28e599b0eaebbdbd732c9cc00eec363e4a8f6456e2cc21557c0afc646cb7798b3e6440c2fbdb00a3e35208b0bb0d2cd829e654400e2438ec649dc74a28610643a98d9ec21ead2ed51bf900000000000000d8a7925c3109b151b8b9f75dd08d123deda88c658d42ecbf28bf7076c15b463bebc72f526d8e8afcb913466aaa7f6df70252e79166d858fcd0e06dd31af9612f2460d0b11008e59a5923906f88b53987ad1714e72ba7a54f0c33d39000d06a59ff616236fd9aa58f2477184b6a89adaf17b0a6041bdef728d236619074d6ebdfd1f5089048ddff6da40f9411fe722631cb467600ade70063e5291569b33d21dae356e1c51f03a801be8189679a16da18ec0ae564162a27afea62d84f3a10746443d6438e959532e0617d419c6bc6ea9f2bca4464f56e24e6d2105bd901204a1deeed4155617572652d950ad31928b0b0c3dc2869f478341d02d0f5ad94b081fcd507acb4b9c65fee9d5a17f48a7382f13d000000225d85ae49cee383dc5049076b989b40000000000000da60d2ae20cfb91d6a49964757cdf538f9ce2bdb1ab062cd54e67011d355d84ce97bb0c6b4a595e487efbb2d71cde2c140952f9a0f0bc6980fe78683ac5c0c31032599ddd71063be9261b2e1aab1675b34a22048ef8c126aeef5f510a8f1aded94a129e4aec6f8d9ab06faffc3a15d96c2ea3e2e04cfe031b2875353193f82ade69d0540059fe6c7fe7cd8697502c7596566d674e425da5e87e59602a9f6590521d31d3804b3e0a1053abdc31282dfb15eb6841bb64a1b304502dda787343ce3c953992e4a982f3c48153baae244e7bf37548c7f1a4cad2422ee965a38f7defbd2160242b104e20dc2d9b0c35608d402ccdd9069bd50b994fda7a9de44028d6112a0c2d21b2dc98816106dec28eaeb883418f562ae00003ea96d10f172c0374d6eed826416050000000bfe9b4a9c5a90ff59d54d1f92ecc4e95dd2d18383117c039862198899b212c55318294270a1ad10c80fef7c24d47afce829ba0f85da6d888f18ea40ab959f6074ab2a40d85d15017ab513cdc6c0e57fb1c1ca571380d7b4ead35a385e0b4a26b702396df7e0c1e02b6e4114f244a9bf93020000000000000080e69db384ac7eeedcf2ba3a9508f9d6aba582a896a9f1e096df6ecea75caf822a7a63ba34015ea5aacb1188883ad2a3b1832371fe5bc621426d1ed0a4a99702cc1b6912a1e717d29135753208165b9cdbae2ed9dc7358f0ebadde0b727f27feeb744ddcc536cbae315c7d1fe1399562ba6824840bd2951680f6f2f9a6a8346962a350845ffa0d829e4f79adc287906943408e6df3c391e97ba48db0a5adbfd03aac93df8866fb010aec0e92bed1fe39af169d2a466f0db6f3d9436a7d55fc30511d00e10000c95265b2bd83d64a532869d701723fedcbada1ee7baa5b6a686b50f0937f778af083e055f6138a757ebd0ed91124a6b244f9acf41ac5d73a008364e0606a594817031fc2f52c8785fe0721719b3d654026c6ea08b83b123145ab5703dad844ceb201ddeb6dc5f6a903792283c42efc54fa84323afc4c10eff462c8843187f1dd48ef3fa293774d582956ff0f40b10ca94f6feeb2893c17888e1cdba94a6ea80c33ead5722c3293a493f1479531dd88261458f40d31fe8df15efaaeea831555877f9538d6ee6ba65893ff1f908ba7554ba583fef3ec7932f5954f31a878e2fae6691d1aee1da02ba516467df3e7d1daac43738012e4fee18a22da19fcdb4c2890cda1f96b952511e3a69d694d625e0b2f808890205f3a6da2819d2f9e77c7c64affa54fec0136cbafa5f6f096753b639a924599c1f69219927ea5301fff0a6063d427f0688430754c02180d61542c2571f983e9673560000000000000000005a7b57f03ca91a01ba2e30ca99e8ebc15ecb4d91675767999d146aef7799738b292fd640dfef6b04d086f737a159d7e0c6e4d81ad64a8bbca48568325b2969e2b15f36b788bce5ccdbaf75c94cb93499f6947a967a7bce14c6de4e7c0660d80010f5c653d22d490cba8c2a4ab595bf4238f18ca428dafc7ac96d404607a0000000051a2104f22e6db5a62b5089c1b45282d38864daa3ae81d6b0968d1d2867b91b7d120617d12d91db2633d6864da40b54783a17aaeb6737c323f9f98e354cc98dcfe23ad01bd1c61563e69ffe1c2c73e16e1461173f359e93d2c5e424c17998809ec8f0232b3955e052a4cecd89008f70314a0bdd491ec86a4555d89fe0120f64c62e8e3ed8bcb45202c3d4bbec8d722824c0ebca8db1ea4a003d2fbdc1f9be78537756ab5bbe4fe9af5d785d0128171c90d9900ce2532b0f9d01c4b45294fbba468df3e1b583cb4e62e754598e47df6bd06431c94bc5d047899fd219f448bf9189c65c9d91eda6b52a373803a9efe44f86909bc90addb7b9aee813df534aac4b3093c91b8068cd84990453f006694d461b76a58d88cf0f520310a1e80dc18cde98d662eee077515d0a8811922929e085392ab3d1311b8243266d87047f601fa88a0da36b9f302e8262395174328f2482d14008de83070744f143fdec90ba5a82668d5fac114c13955ad6dca5db2231d8ba14c54c47ed04a4b4ace17e357e1d6032399f87a7a14245bbd796a09313b247b95d37ff40a404bdad74bd20000000000000000000099fef7cd7af3ce64a92f95d89d125b1e641240d7e5e27a3d1f7684448c3e3822d617e205061298b939a191be4b48e169bde2cae3accc5bd40a2968b59c93d35f8e42366fdef9a2abae1cf01ce68abff28861aac8302d268569dd42e194e330c7aaa54ebbcefd23f21ce8153b9926e12e925cb56119df72c7533a48d028ad0c74e2a9478fa3be18a1a2b65079cc1c00000000000000f59dd19e8d525206c0a728cfd42193abe8130bc01a2d69841f3d7799ac04bdc590bb1c89b9c695f163e57343c9bfb59909433c9001c5f8b23e38534a538fc933cac6c2a92d038df638a0f226df9fb857bd414c2cd69985e8053e3dfa41614d7c74d04d8c2471041d17c730fad28395f8d4688898cd58b9d600c851626529bb58aa364b55e73f053450665e7b94ed1012fd7a8139166fd5e59c84f4ab279b1b99c028db4cb9680c8035f967db18de738844da7e260a830c1ffa49f5af3c15423a0e315acb82a3e89218cb314e68fda4d94aa1d815babc13b9fd336d205c5913ef67cf0216e2d81e6127bd9d7fab28800eaab2355992f8ce4cd38add4b272c0bee4076ca4847ffa691cf78fb7ec212bad3bef29f577ea7159b7f3025b3d977ff7c91024cf71126233cb8791c3c"], &(0x7f00000001c0)='GPL\x00', 0x1, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x0, 0x10, &(0x7f0000000000)={0x0, 0x3}, 0xfffffffffffffd00, 0x0, 0xffffffffffffffff, 0xffffffa0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)

program did not crash
single: failed to extract reproducer
bisect: bisecting 24 programs with base timeout 30s
testing program (duration=36s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [23, 16, 15, 12, 30, 1, 17, 21, 10, 14, 13, 4, 12, 21, 5, 40, 8, 5, 20, 8, 30, 16, 20, 11]
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0) (async)
r1 = socket(0x10, 0x803, 0x0)
sendmsg$nl_route(r1, &(0x7f0000000380)={0x0, 0x4076cbba9945d516, &(0x7f0000000340)={0x0, 0x14}}, 0x0) (async)
getsockname$packet(r1, &(0x7f0000000140)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x28a) (async)
r3 = socket$nl_route(0x10, 0x3, 0x0) (async)
mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x0, 0x5d032, 0xffffffffffffffff, 0x0) (async)
r4 = userfaultfd(0x80801)
ioctl$UFFDIO_API(r4, 0xc018aa3f, &(0x7f0000000100))
ioctl$UFFDIO_REGISTER(r4, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x5}) (async)
ioctl$UFFDIO_CONTINUE(r4, 0xc020aa08, &(0x7f0000000080)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}})
r5 = syz_open_procfs$pagemap(0xffffffffffffffff, &(0x7f0000000080))
ioctl$PAGEMAP_SCAN(r5, 0xc0606610, &(0x7f0000000100)={0x60, 0x0, &(0x7f00001c9000/0x3000)=nil, &(0x7f0000ffc000/0x1000)=nil, 0x1ff, 0x0, 0x0, 0x8000000000000000, 0xb, 0x2, 0x0, 0x2}) (async)
ioctl$FS_IOC_SET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x40086602, 0x0) (async)
chown(0x0, 0x0, 0xffffffffffffffff) (async)
r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000280), 0x103383, 0x0)
r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r7, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil})
r8 = ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r8, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000600)=[@text64={0x40, &(0x7f0000000640)="430fc73f0f2390b9800000c00f3235010000000f300f20d835080000000f22d8c4e18173f53866baf80cb83879e487ef66bafc0cec66b88e008ec02d1aa80000460f1c460041ae", 0x47}], 0x1, 0x74, 0x0, 0x0)
syz_usb_control_io$printer(0xffffffffffffffff, &(0x7f0000000240)={0x14, &(0x7f00000001c0)=ANY=[], 0x0}, 0x0)
ioctl$KVM_RUN(r8, 0xae80, 0x0) (async)
sendmsg$nl_route(r3, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000500)={&(0x7f00000006c0)=ANY=[@ANYBLOB="3800000010003904000000000000000000000010728b9ae898ffd9eb789e08d2e71706000000c20d34d768d4703105295b849194d1d81a00824ceb7cf46b0cd266ec9d810f6dfb515cec76fb6b5c2c6ce482644ad8a1035dd240a66a45f49f94b28561701135e4395bcdfffab83e7825ad3c28969bcc8d1097ef4f39f9854ac73dcd9c94a5ccc41109883bdd3dcacd79ea27f5c3847fb9968ff107ccd3d9ed3dc8496836328ef6913cb785871a0455c7bf1f95d14e8d540be7d89c6a4911ce427639586625c49db00a00"/213, @ANYRES32=r2, @ANYBLOB="01980000000000001800128008000100677265000c00028008000100", @ANYRES32=r2, @ANYBLOB], 0x38}}, 0x0) (async)
sendmsg$nl_route(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000180)=@newlink={0x34, 0x10, 0x439, 0x0, 0x0, {0x0, 0x0, 0x0, r2}, [@IFLA_LINKINFO={0x14, 0x12, 0x0, 0x1, @gre={{0x8}, {0x8, 0x2, 0x0, 0x1, [@IFLA_GRE_COLLECT_METADATA={0x4}]}}}]}, 0x34}}, 0x0)
executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000080)=ANY=[@ANYBLOB="1201000000000b40d504010000000000000109022400010000000009"], 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil})
r2 = syz_open_dev$dri(&(0x7f0000000000), 0x2, 0x0)
r3 = syz_open_dev$dri(&(0x7f0000000140), 0x1, 0x102)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r3, 0xc04064a0, &(0x7f00000001c0)={0x0, &(0x7f0000000040)=[<r4=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r3, 0xc06864a1, &(0x7f0000000600)={0x0, 0xfffffffffffffe57, r4, <r5=>0x0})
ioctl$DRM_IOCTL_MODE_GETFB2(r3, 0xc06864ce, &(0x7f0000000440)={r5, 0x0, 0x0, 0x0, 0x1, [<r6=>0x0], [], [0x0, 0x0, 0x0, 0x3]})
ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r3, 0xc00c642d, &(0x7f0000000100)={r6, 0x0, <r7=>0xffffffffffffffff})
ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(r2, 0xc00c642e, &(0x7f0000000800)={0x0, 0x0, r7})
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0}, 0x0)
r8 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_GUEST_DEBUG(r8, 0x4048ae9b, &(0x7f0000000300)={0x160001, 0x0, [0x0, 0x0, 0xfffffffffffffffe, 0xffffffffffffffff, 0x0, 0x0, 0x29]})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000011000/0x18000)=nil, &(0x7f0000000080)=[@textreal={0x8, &(0x7f0000000140)="f20f1c0166b864912c870f23c80f21f866350c0080000f23f80f01fc0f20e06635000010000f22e066f30fa7c00f1c9700000f01c566b9a001000066b80400000066ba000000000f30c0dbb6660f3adf932700de", 0x54}], 0x1, 0x0, 0x0, 0x0)
ioctl$KVM_RUN(r8, 0xae80, 0x0)
executing program 0:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x8)
close(r1)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000440), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_FEATURES_SET(r2, &(0x7f0000001e80)={0x0, 0x0, &(0x7f0000001e40)={&(0x7f00000003c0)={0x38, r3, 0x1, 0x0, 0x0, {}, [@ETHTOOL_A_FEATURES_HEADER={0x18, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_bridge\x00'}]}, @ETHTOOL_A_FEATURES_WANTED={0xc, 0x3, 0x0, 0x1, [@ETHTOOL_A_BITSET_BITS={0x4}, @ETHTOOL_A_BITSET_NOMASK={0x4}]}]}, 0x38}}, 0x4000)
bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x9, 0x4, &(0x7f0000000280)=ANY=[@ANYBLOB="180000000000000000000000000000006112000000000000950000000000000051fa7824c74186dc02ec0696c37b64e3b24da3180100000005345c0f63cdc2e82818254950ee03568b8809a1f04c7c4750eabfafcb9531b31e6a86827d1010c5a909ab98e00e19644a88e95ba26d1c9eecddb2d11c541418ceeb29b9b6829c6e433822bdb3cc85244aab66c1aae9314d7381fcfeb970bea672010000000000000043144648a07a975bd89dc398712376610faa54f12495b4659be8673086f6f3543205d4bc4ce05b8b961103673dff7f158052e62bfbdcddde6985f3f1ac5d9a94cc53207899762a07282a1914452d11858e795a3ca30a101af5574f9035f2b5f703e5be7e4acf8b78c2834ae5805fffee38a9a0033d520bcf6b08ede50899d4b9bdf85c71c5ed44039aab46419496362e54cfad05b4004ac71a003d7b85d07191bed4e5a8908263722d4146f7ed569985439baa355cf3d8731f5e7a237bc06d035a8d601f21746d880819f38b34a495040000000071c2f0cce8c93cc17e9afa314fcb2ba15d646c5b9f87d988c9fbd2b9d9b4e2d71753b1549fa734f0b2e5fcf9549804cddad721971637f9c9730a9cc384eed30345979db9c93e1c52f42cad0a4d4f9436d3f39b0ed09c395dc6e970366087a8e4daeeb1b017006f25caf0cbcefd13d68839893e39c588eb032905f91cafa4996dbf0cc8228d02a3092c0830b8f587a5624515298b2d4eb2bde6f9a2eb83d53f710c490ecd085d2811a7555c53030000007f00000000bfa6478eb96b079c277e2910b7ccdc3d672ed34aa65278c549e2abb549ad954884289130bc71cee2b7de62bf48129ae1af052a2d46a6165eb0954dac7265f1f425735acf6377793946b3229e861d8ea49806b3b533345d36ecef9df700000000f337b1ceb2d8a65dcdcd895d7ba37098d2593fdaaef445af5bee02019c000000aaae37f044bcadeb0f6846582b7653665aa336db9f0384d3c7ddf79c2e0000000000000000000000000000000000000000000000e154aa0d3e41986a668ee1e5ef93a8ceac75f44aae95e26742f895f287111f8ee86f7e3ffb63cfb0e345cf7fc63dd2b0d30977899c6f03640040af4db71f7452bfc79a05118d8bb42b63b195771e42f9942ec626bd4b5461b74324012164e8"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @cgroup_sock, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x70)
socket$kcm(0x2, 0x2, 0x73)
mount$fuse(0x0, &(0x7f00000020c0)='./file0\x00', &(0x7f0000002100), 0x0, &(0x7f0000002140)=ANY=[@ANYBLOB='fd=', @ANYRESHEX, @ANYBLOB=',rootmode=00000000000000000100000,user_id=', @ANYRESDEC=0x0])
read$FUSE(r1, &(0x7f000000c400)={0x2020}, 0x2020)
write$FUSE_INIT(r1, 0x0, 0x0)
sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000003c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0)
r4 = openat$vicodec0(0xffffffffffffff9c, &(0x7f0000000200), 0x2, 0x0)
ioctl$VIDIOC_S_SELECTION(r4, 0xc040565f, &(0x7f0000000400)={0xa, 0x3, 0x7, {0x0, 0x0, 0x1003f, 0x5}})
sendmsg$NFT_BATCH(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000b00)={&(0x7f00000006c0)={{0x14, 0x10, 0x1, 0x0, 0x0, {0xa}}, [@NFT_MSG_NEWRULE={0x5c, 0x6, 0xa, 0x401, 0x0, 0x0, {0x2, 0x0, 0x5}, [@NFTA_RULE_EXPRESSIONS={0x30, 0x4, 0x0, 0x1, [{0x2c, 0x1, 0x0, 0x1, @match={{0xa}, @val={0x1c, 0x2, 0x0, 0x1, [@NFTA_MATCH_NAME={0x8, 0x1, 'ttl\x00'}, @NFTA_MATCH_INFO={0x5, 0x3, 'z'}, @NFTA_MATCH_REV={0x8}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz2\x00'}]}], {0x14}}, 0x84}, 0x1, 0xf5ffffff, 0x0, 0x24004001}, 0x0)
executing program 0:
r0 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000080), 0x600, 0x0)
ioctl$IOMMU_HWPT_GET_DIRTY_BITMAP(r0, 0x3b8c, &(0x7f00000000c0)={0x30, 0x0, 0x1, 0x0, 0x8, 0x4186, 0xc58, 0x0})
socket(0xa, 0x3, 0x3a)
syz_usb_connect(0x2, 0x3d, &(0x7f00000001c0)=ANY=[@ANYBLOB="12010000bdce4208110f80106afc0000000109022b00010000000009043700022ee5cd0009058010ff037f790209050e0320000980070705ab0b78"], 0x0)
r1 = syz_open_dev$char_usb(0xc, 0xb4, 0x0)
writev(r1, &(0x7f0000000340)=[{&(0x7f0000000700)="97", 0x1}, {&(0x7f0000000640)="d3", 0x1}], 0x2)
close(0x4)
bpf$PROG_LOAD_XDP(0x5, &(0x7f00000000c0)={0x12, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0xf, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0xfffffffffffffeba, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x1, @void, @value}, 0x94)
r2 = socket$nl_route(0x10, 0x3, 0x0)
r3 = socket(0x1, 0x803, 0x0)
getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, <r4=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000001c0)=0x14)
sendmsg$nl_route(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000000)=ANY=[@ANYBLOB="440000001000030400"/20, @ANYRES32=0x0, @ANYBLOB="96040f0000440200320012502fc2f6800b00010069703667726500000c000280", @ANYRES32=r4, @ANYBLOB='\b\x00\n\x00', @ANYRES32=r4, @ANYBLOB], 0x44}, 0x1, 0x0, 0x0, 0x600}, 0x0)
executing program 2:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000100))
socket$nl_route(0x10, 0x3, 0x0)
io_uring_setup(0x31d0, &(0x7f0000000740))
socket$inet_tcp(0x2, 0x1, 0x0)
socket$netlink(0x10, 0x3, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
socket$caif_seqpacket(0x25, 0x5, 0x3)
openat$ptmx(0xffffffffffffff9c, &(0x7f0000000140), 0x800, 0x0)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x4030582b, &(0x7f00000000c0)={'lo\x00', @link_local={0x1, 0x80, 0xc2, 0xc}})
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="1900000004000000040000000200000000000000", @ANYRES32=0x1, @ANYBLOB='\x00'/20, @ANYRES32=0x0, @ANYRES32, @ANYBLOB="00faff400005000000000000000000000000000000bc000000000000"], 0x50)
bpf$MAP_GET_NEXT_KEY(0x2, &(0x7f0000000180)={r1, &(0x7f00000000c0), &(0x7f0000000000)=""/10, 0x2}, 0x20)
bpf$MAP_GET_NEXT_KEY(0x2, &(0x7f0000000200)={r1, &(0x7f0000000080), &(0x7f0000000000)=""/10, 0x2}, 0x28)
bpf$MAP_GET_NEXT_KEY(0x3, &(0x7f0000000800)={r1, &(0x7f0000000500)="ab30d7dc7e11f85beb3976f81df772d129eda59e42de630de2d98b9e6bd37d513aa254897384c4afec41f6a727db0492417e954eed4d6db0cbf70dddb39c841f18b84a1dd608a99ac92d49a98fc3087d7a50d7d5cdbae04245895e9f365ecc10fcb13473fe2941e62a16a748d5dfc58c5e2d68a61e29707cbe28c422f9f9fa4b3e6ac055354fe3a92e2b3a218af9d174ea1dc74b82cdd5baf8a7d48612284a7b88121d08691ecbe01cd163a5dd1de3b7bcf65b835904bf575094a68ee0f67e47daff72909213a7013dd24e74a7be803e34a746ec60557f20f63ea0bd827e38573305620dea709bb80d066052b776b8928be505ad1b5e1353498837504d6e7c6b", 0x0}, 0x20)
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000), 0x20902, 0x0)
epoll_create1(0x0)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='io.stat\x00', 0x275a, 0x0)
r3 = socket$inet_sctp(0x2, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF(r2, 0x84, 0x66, &(0x7f0000000040)={<r4=>0x0}, &(0x7f00000000c0)=0x8)
getsockopt$inet_sctp_SCTP_ASSOCINFO(r3, 0x84, 0x1, &(0x7f0000000200)={r4, 0x4a, 0x5, 0x0, 0x81, 0x3}, &(0x7f0000000240)=0x14)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000140)='blkio.bfq.io_wait_time_recursive\x00', 0x26e1, 0x0)
r6 = openat$cgroup(r5, &(0x7f0000000280)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r6, &(0x7f0000000300)='cgroup.kill\x00', 0x0, 0x0)
r7 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000100)='cgroup.stat\x00', 0x275a, 0x0)
write$UHID_CREATE2(r7, &(0x7f00000002c0)=ANY=[@ANYRES8=r5], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x5, 0x12, r7, 0x0)
r8 = bpf$PROG_LOAD(0x5, &(0x7f0000000c80)={0xf, 0xb, &(0x7f0000000180)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000000000000b703000000000000850000007300000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000180)={&(0x7f00000004c0)='generic_add_lease\x00', r8}, 0x18)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='./file1\x00', 0x281c2, 0x0)
fcntl$setlease(r0, 0x400, 0x1)
syz_open_dev$tty1(0xc, 0x4, 0x1)
executing program 2:
syz_open_dev$usbmon(&(0x7f0000000000), 0x5, 0x450400)
executing program 2:
prctl$PR_SET_SECCOMP(0x16, 0x2, 0x0) (async)
listxattr(0x0, 0x0, 0x0) (async)
socket$nl_route(0x10, 0x3, 0x0)
sched_setscheduler(0x0, 0x1, 0x0) (async)
openat$sw_sync(0xffffffffffffff9c, &(0x7f0000000040), 0x28081, 0x0)
read$msr(0xffffffffffffffff, &(0x7f0000019680)=""/102392, 0x18ff8) (async)
sched_setaffinity(0x0, 0x0, 0x0) (async)
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000180)=@base={0xb, 0x7, 0x10001, 0x9, 0x1, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000000)={{r0, <r1=>0xffffffffffffffff}, &(0x7f0000000580), &(0x7f00000005c0)}, 0x20)
r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000480)={0x11, 0xd, &(0x7f00000002c0)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r1, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b7040000000000008500000003000000650000000800000095"], &(0x7f0000000080)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000340)='ext4_sync_fs\x00', r2}, 0x10) (async)
sync() (async)
r3 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r3, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000780)=@newtaction={0x48, 0x30, 0x1, 0x0, 0x0, {}, [{0x34, 0x1, [@m_ctinfo={0x30, 0x1, 0x0, 0x0, {{0xb}, {0x4, 0x2, 0x0, 0x0}, {0x4}, {0xffffffffffffff13}, {0xc}}}]}]}, 0x48}}, 0x0) (async)
syz_80211_inject_frame(0x0, 0x0, 0x47)
r4 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_inet_SIOCSIFFLAGS(r4, 0x8914, &(0x7f0000000000)={'wlan1\x00'})
executing program 2:
r0 = socket$nl_route(0x10, 0x3, 0x0)
syz_init_net_socket$netrom(0x6, 0x5, 0x0) (async)
syz_init_net_socket$netrom(0x6, 0x5, 0x0)
r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000300)={0x6, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="180000000000000000000000000200009500000000"], &(0x7f00000001c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r2 = socket$packet(0x11, 0x2, 0x300)
r3 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$DRM_IOCTL_MODE_CREATE_LEASE(0xffffffffffffffff, 0xc01864c6, &(0x7f0000000440)={&(0x7f0000000400)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x6}) (async)
ioctl$DRM_IOCTL_MODE_CREATE_LEASE(0xffffffffffffffff, 0xc01864c6, &(0x7f0000000440)={&(0x7f0000000400)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x6, 0x0, 0x0, <r4=>0xffffffffffffffff})
r5 = syz_create_resource$binfmt(&(0x7f0000000480)='./file0\x00')
execveat$binfmt(r4, r5, &(0x7f0000000500)={[&(0x7f00000004c0)='geneve0\x00']}, &(0x7f00000005c0)={[&(0x7f0000000540)='wlan0\x00', &(0x7f0000000580)='\x00']}, 0x1000)
r6 = socket$netlink(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000200)={'geneve0\x00'}) (async)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000200)={'geneve0\x00', <r7=>0x0})
sendmsg$nl_route(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000240)=ANY=[@ANYBLOB="480000001000010400"/20, @ANYRES32=r7, @ANYBLOB="0000000080010000280012800b00010067656e4276335e7fddb4c7eca96500001800028014000700ff02004000000000"], 0x48}, 0x1, 0x2, 0x0, 0x8000}, 0x0)
ioctl$sock_SIOCGIFINDEX_80211(r2, 0x8933, &(0x7f0000000140)={'wlan0\x00'}) (async)
ioctl$sock_SIOCGIFINDEX_80211(r2, 0x8933, &(0x7f0000000140)={'wlan0\x00', <r8=>0x0})
sendmsg$NL80211_CMD_CRIT_PROTOCOL_START(r6, &(0x7f00000003c0)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x20000000}, 0xc, &(0x7f00000002c0)={&(0x7f0000000180)={0x3c, 0x0, 0x4, 0x70bd25, 0x25dfdbff, {{}, {@val={0x8, 0x3, r8}, @void}}, [@NL80211_ATTR_MAX_CRIT_PROT_DURATION={0x6, 0xb4, 0x88f}, @NL80211_ATTR_CRIT_PROT_ID={0x6}, @NL80211_ATTR_CRIT_PROT_ID={0x6, 0xb3, 0x1}, @NL80211_ATTR_MAX_CRIT_PROT_DURATION={0x6, 0xb4, 0xdc8}]}, 0x3c}, 0x1, 0x0, 0x0, 0x800}, 0x0) (async)
sendmsg$NL80211_CMD_CRIT_PROTOCOL_START(r6, &(0x7f00000003c0)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x20000000}, 0xc, &(0x7f00000002c0)={&(0x7f0000000180)={0x3c, 0x0, 0x4, 0x70bd25, 0x25dfdbff, {{}, {@val={0x8, 0x3, r8}, @void}}, [@NL80211_ATTR_MAX_CRIT_PROT_DURATION={0x6, 0xb4, 0x88f}, @NL80211_ATTR_CRIT_PROT_ID={0x6}, @NL80211_ATTR_CRIT_PROT_ID={0x6, 0xb3, 0x1}, @NL80211_ATTR_MAX_CRIT_PROT_DURATION={0x6, 0xb4, 0xdc8}]}, 0x3c}, 0x1, 0x0, 0x0, 0x800}, 0x0)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000080)={'veth1_to_hsr\x00', <r9=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000000c0)={r1, r9, 0x25, 0x0, @val=@netfilter}, 0x40)
sendmsg$nl_route_sched(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000004c00)=@newtfilter={0x24, 0x11, 0xd27, 0xffffffff, 0x0, {0x0, 0x0, 0x74, r9, {0x0, 0x7}, {0x0, 0x4}, {0x1}}}, 0x24}, 0x1, 0xf0ffffffffffff}, 0x0)
executing program 2:
r0 = signalfd(0xffffffffffffffff, &(0x7f0000000140), 0x8)
r1 = io_uring_setup(0x1397, &(0x7f00000000c0)={0x0, 0x47f, 0xef85869e598f7813, 0x2, 0x389, 0x0, r0})
r2 = syz_io_uring_setup(0x7e2b, &(0x7f0000000300)={0x0, 0x3, 0x800, 0x0, 0x1ba, 0x0, r1}, &(0x7f0000000180)=<r3=>0x0, &(0x7f0000000200)=<r4=>0x0)
syz_io_uring_submit(r3, r4, &(0x7f00000001c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x3, r0})
io_uring_enter(r2, 0x353, 0x3, 0x1, 0x0, 0x0)
signalfd(r0, &(0x7f0000002340), 0x8) (async)
r5 = socket$inet_sctp(0x2, 0x1, 0x84)
setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r5, 0x84, 0x9, &(0x7f00000003c0)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x0, 0x0, 0x0, 0x300}, 0x9c)
r6 = openat$binfmt_register(0xffffff9c, &(0x7f0000000080), 0x1, 0x0)
write$binfmt_register(r6, &(0x7f0000000040)={0x3a, 'syz0', 0x3a, 'E', 0x3a, 0x0, 0x3a, 'syz2', 0x3a, 'Y$*@', 0x3a, './file0', 0x3a, [0x50, 0x46, 0x46]}, 0x32)
executing program 2:
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000480)='blkio.throttle.io_serviced\x00', 0x275a, 0x0)
r1 = syz_open_dev$sg(&(0x7f00000060c0), 0x0, 0x0)
dup2(r1, r0)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x200000b, 0x12, r0, 0x0)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000004c0), 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil})
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text32={0x20, 0x0}], 0x1, 0x0, 0x0, 0x0)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
setsockopt$IP_VS_SO_SET_STARTDAEMON(0xffffffffffffffff, 0x0, 0x48b, &(0x7f0000002100)={0x1, 'netpci0\x00'}, 0x18)
setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000000)={0x1, 'dummy0\x00'}, 0x18)
bpf$PROG_LOAD(0x5, &(0x7f00000017c0)={0x1, 0xe, &(0x7f0000001880)=ANY=[@ANYBLOB="b700000081000000bfa30000000000000703000003feffff720a00fef8ffffff71a4f1ff0000000071302000000000001d400500000000004704000001ed00000f030000000000001d44000000000000620a00ff040400007203000000000000b500f7ff000000009500000000000000023bc065b58111c6dfa041b63af4a3912435f1a864a710aad58db6a693002e7f3be361917adef6ee1c8a2a4f8ef1e50becb19bc461e91a7168c50000000190f32050e436fe275daf51efd601b6bf01c8e8b1b526375ec4dd6fcd82e4fe51bef7af9aa0d7d600c095199fe3380d28e599b0eaebbdbd732c9cc00eec363e4a8f6456e2cc21557c0afc646cb7798b3e6440c2fbdb00a3e35208b0bb0d2cd829e654400e2438ec649dc74a28610643a98d9ec21ead2ed51bf900000000000000d8a7925c3109b151b8b9f75dd08d123deda88c658d42ecbf28bf7076c15b463bebc72f526d8e8afcb913466aaa7f6df70252e79166d858fcd0e06dd31af9612f2460d0b11008e59a5923906f88b53987ad1714e72ba7a54f0c33d39000d06a59ff616236fd9aa58f2477184b6a89adaf17b0a6041bdef728d236619074d6ebdfd1f5089048ddff6da40f9411fe722631cb467600ade70063e5291569b33d21dae356e1c51f03a801be8189679a16da18ec0ae564162a27afea62d84f3a10746443d6438e959532e0617d419c6bc6ea9f2bca4464f56e24e6d2105bd901204a1deeed4155617572652d950ad31928b0b0c3dc2869f478341d02d0f5ad94b081fcd507acb4b9c65fee9d5a17f48a7382f13d000000225d85ae49cee383dc5049076b989b40000000000000da60d2ae20cfb91d6a49964757cdf538f9ce2bdb1ab062cd54e67011d355d84ce97bb0c6b4a595e487efbb2d71cde2c140952f9a0f0bc6980fe78683ac5c0c31032599ddd71063be9261b2e1aab1675b34a22048ef8c126aeef5f510a8f1aded94a129e4aec6f8d9ab06faffc3a15d96c2ea3e2e04cfe031b2875353193f82ade69d0540059fe6c7fe7cd8697502c7596566d674e425da5e87e59602a9f6590521d31d3804b3e0a1053abdc31282dfb15eb6841bb64a1b304502dda787343ce3c953992e4a982f3c48153baae244e7bf37548c7f1a4cad2422ee965a38f7defbd2160242b104e20dc2d9b0c35608d402ccdd9069bd50b994fda7a9de44028d6112a0c2d21b2dc98816106dec28eaeb883418f562ae00003ea96d10f172c0374d6eed826416050000000bfe9b4a9c5a90ff59d54d1f92ecc4e95dd2d18383117c039862198899b212c55318294270a1ad10c80fef7c24d47afce829ba0f85da6d888f18ea40ab959f6074ab2a40d85d15017ab513cdc6c0e57fb1c1ca571380d7b4ead35a385e0b4a26b702396df7e0c1e02b6e4114f244a9bf93020000000000000080e69db384ac7eeedcf2ba3a9508f9d6aba582a896a9f1e096df6ecea75caf822a7a63ba34015ea5aacb1188883ad2a3b1832371fe5bc621426d1ed0a4a99702cc1b6912a1e717d29135753208165b9cdbae2ed9dc7358f0ebadde0b727f27feeb744ddcc536cbae315c7d1fe1399562ba6824840bd2951680f6f2f9a6a8346962a350845ffa0d829e4f79adc287906943408e6df3c391e97ba48db0a5adbfd03aac93df8866fb010aec0e92bed1fe39af169d2a466f0db6f3d9436a7d55fc30511d00e10000c95265b2bd83d64a532869d701723fedcbada1ee7baa5b6a686b50f0937f778af083e055f6138a757ebd0ed91124a6b244f9acf41ac5d73a008364e0606a594817031fc2f52c8785fe0721719b3d654026c6ea08b83b123145ab5703dad844ceb201ddeb6dc5f6a903792283c42efc54fa84323afc4c10eff462c8843187f1dd48ef3fa293774d582956ff0f40b10ca94f6feeb2893c17888e1cdba94a6ea80c33ead5722c3293a493f1479531dd88261458f40d31fe8df15efaaeea831555877f9538d6ee6ba65893ff1f908ba7554ba583fef3ec7932f5954f31a878e2fae6691d1aee1da02ba516467df3e7d1daac43738012e4fee18a22da19fcdb4c2890cda1f96b952511e3a69d694d625e0b2f808890205f3a6da2819d2f9e77c7c64affa54fec0136cbafa5f6f096753b639a924599c1f69219927ea5301fff0a6063d427f0688430754c02180d61542c2571f983e9673560000000000000000005a7b57f03ca91a01ba2e30ca99e8ebc15ecb4d91675767999d146aef7799738b292fd640dfef6b04d086f737a159d7e0c6e4d81ad64a8bbca48568325b2969e2b15f36b788bce5ccdbaf75c94cb93499f6947a967a7bce14c6de4e7c0660d80010f5c653d22d490cba8c2a4ab595bf4238f18ca428dafc7ac96d404607a0000000051a2104f22e6db5a62b5089c1b45282d38864daa3ae81d6b0968d1d2867b91b7d120617d12d91db2633d6864da40b54783a17aaeb6737c323f9f98e354cc98dcfe23ad01bd1c61563e69ffe1c2c73e16e1461173f359e93d2c5e424c17998809ec8f0232b3955e052a4cecd89008f70314a0bdd491ec86a4555d89fe0120f64c62e8e3ed8bcb45202c3d4bbec8d722824c0ebca8db1ea4a003d2fbdc1f9be78537756ab5bbe4fe9af5d785d0128171c90d9900ce2532b0f9d01c4b45294fbba468df3e1b583cb4e62e754598e47df6bd06431c94bc5d047899fd219f448bf9189c65c9d91eda6b52a373803a9efe44f86909bc90addb7b9aee813df534aac4b3093c91b8068cd84990453f006694d461b76a58d88cf0f520310a1e80dc18cde98d662eee077515d0a8811922929e085392ab3d1311b8243266d87047f601fa88a0da36b9f302e8262395174328f2482d14008de83070744f143fdec90ba5a82668d5fac114c13955ad6dca5db2231d8ba14c54c47ed04a4b4ace17e357e1d6032399f87a7a14245bbd796a09313b247b95d37ff40a404bdad74bd20000000000000000000099fef7cd7af3ce64a92f95d89d125b1e641240d7e5e27a3d1f7684448c3e3822d617e205061298b939a191be4b48e169bde2cae3accc5bd40a2968b59c93d35f8e42366fdef9a2abae1cf01ce68abff28861aac8302d268569dd42e194e330c7aaa54ebbcefd23f21ce8153b9926e12e925cb56119df72c7533a48d028ad0c74e2a9478fa3be18a1a2b65079cc1c00000000000000f59dd19e8d525206c0a728cfd42193abe8130bc01a2d69841f3d7799ac04bdc590bb1c89b9c695f163e57343c9bfb59909433c9001c5f8b23e38534a538fc933cac6c2a92d038df638a0f226df9fb857bd414c2cd69985e8053e3dfa41614d7c74d04d8c2471041d17c730fad28395f8d4688898cd58b9d600c851626529bb58aa364b55e73f053450665e7b94ed1012fd7a8139166fd5e59c84f4ab279b1b99c028db4cb9680c8035f967db18de738844da7e260a830c1ffa49f5af3c15423a0e315acb82a3e89218cb314e68fda4d94aa1d815babc13b9fd336d205c5913ef67cf0216e2d81e6127bd9d7fab28800eaab2355992f8ce4cd38add4b272c0bee4076ca4847ffa691cf78fb7ec212bad3bef29f577ea7159b7f3025b3d977ff7c91024cf71126233cb8791c3c"], &(0x7f00000001c0)='GPL\x00', 0x1, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x0, 0x10, &(0x7f0000000000)={0x0, 0x3}, 0xfffffffffffffd00, 0x0, 0xffffffffffffffff, 0xffffffa0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
executing program 1:
r0 = syz_io_uring_setup(0x5411, &(0x7f0000000300)={0x0, 0x6b7f, 0x1000, 0x2, 0x221}, &(0x7f0000000380), 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x400, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r3 = dup(r2)
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000180)={0x0, 0x3, 0x0, 0x1000, &(0x7f0000000000/0x1000)=nil})
ioctl$PPPIOCGL2TPSTATS(0xffffffffffffffff, 0x80487436, &(0x7f0000000000)="6941c43b78eeda4918160798ef967cb9254c327158c51dc69eeda809ba0f")
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000300)=[@text64={0x40, 0x0}], 0x1, 0x0, 0x0, 0x0)
syz_kvm_setup_cpu$x86(r3, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000dc0)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0)
ioctl$KVM_NMI(r4, 0xae9a)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
mmap(&(0x7f0000ffc000/0x2000)=nil, 0x2000, 0x0, 0x13, r0, 0xd481e000)
executing program 3:
openat$sw_sync_info(0xffffffffffffff9c, &(0x7f0000000040), 0x4000, 0x0)
pipe(&(0x7f0000000340)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
vmsplice(r0, &(0x7f0000000300)=[{0x0, 0x61}, {&(0x7f00000001c0)="5c8000000000000000ea45a1", 0x20000081}], 0x2, 0x0)
bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000080)={0x2, 0xc, &(0x7f00000013c0)=ANY=[@ANYBLOB="180200001000000000000000000000001801000020696c2500000000002020207b2af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000000600000087000000000000009500000000000000"], &(0x7f0000000000)='GPL\x00', 0xffffffff, 0xd2, &(0x7f0000000140)=""/210, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
executing program 3:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
socket(0x400000000010, 0x3, 0x0) (async)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
socket$inet(0x2, 0x6, 0x0)
ioctl$SIOCX25SFACILITIES(0xffffffffffffffff, 0x89e3, 0x0) (async)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x1)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000180)={0x0, 0x3, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) (async)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000000000/0x18000)=nil, &(0x7f0000001800)=[@text64={0x40, &(0x7f0000001840)="f3470fbc06c74424000600007848b800280000000000000f23c00f21f835030004000f23f8c7442406000000000f0114246aa2450f0012124424001afa0000c744240216383d27c7442406000000000f011c2466b8f0000f00d0400f060f00e4c4a1c1edba2500000066baa00066b8000066ef66b82f008ed0", 0x79}], 0x1, 0x0, 0x0, 0x47) (async)
syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000440)=[@text64={0x40, 0x0}], 0x1, 0x0, 0x0, 0x0)
mount(0x0, 0x0, &(0x7f0000000000)='autofs\x00', 0x0, 0x0) (async)
ioctl$KVM_NMI(r2, 0xae9a) (async)
ioctl$KVM_RUN(r2, 0xae80, 0x0)
executing program 1:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket$xdp(0x2c, 0x3, 0x0)
r2 = socket$inet6_udplite(0xa, 0x2, 0x88)
setsockopt$XDP_RX_RING(r1, 0x11b, 0x2, &(0x7f00000002c0)=0x100, 0x4)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000000240), r3)
sendmsg$IEEE802154_DISASSOCIATE_REQ(r4, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000280)={0x14, r5, 0x1}, 0x14}}, 0x0)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r2, 0x8933, &(0x7f0000000280)={'batadv_slave_1\x00', <r6=>0x0})
r7 = socket$xdp(0x2c, 0x3, 0x0)
setsockopt$XDP_UMEM_REG(r7, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000140)={r7})
setsockopt$XDP_UMEM_COMPLETION_RING(r1, 0x11b, 0x6, &(0x7f0000000080)=0x1, 0x4)
r8 = socket$inet6_udplite(0xa, 0x2, 0x88)
setsockopt$XDP_RX_RING(r7, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r8, 0x8933, &(0x7f0000000580)={'batadv_slave_0\x00', <r9=>0x0})
setsockopt$XDP_UMEM_FILL_RING(r7, 0x11b, 0x5, &(0x7f0000000300)=0x1, 0x4)
bind$xdp(r7, &(0x7f0000000100)={0x2c, 0x0, r9}, 0x10)
bind$xdp(r1, &(0x7f0000000240)={0x2c, 0x1, r6, 0x0, r7}, 0x60)
sendmsg$nl_route(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000000)=ANY=[], 0x38}}, 0x0)
openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0x4aa841, 0x0)
executing program 3:
socketpair$tipc(0x1e, 0x5, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
getsockopt(r1, 0xff, 0x1, 0x0, &(0x7f0000000000))
setsockopt$inet_int(r1, 0x0, 0xb, &(0x7f0000000040)=0x9, 0x4)
sendmsg$tipc(r0, &(0x7f0000000240)={0x0, 0x18, &(0x7f00000000c0), 0x31}, 0x0)
executing program 1:
r0 = openat$selinux_mls(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000002c0), 0x1, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r3, &(0x7f0000000340), 0x8)
getsockopt$bt_BT_DEFER_SETUP(r3, 0x112, 0x7, &(0x7f0000000200)=0x1, &(0x7f0000000240)=0x4)
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_CPUID2(r4, 0x4008ae90, &(0x7f0000000240)=ANY=[@ANYBLOB="010000000000000001000000000000000000000000000000001b0300ff"])
ioctl$KVM_RUN(r4, 0xae80, 0x0)
ioctl$KVM_SET_MSRS(r4, 0x4008ae89, &(0x7f0000000000)=ANY=[@ANYBLOB="01000000000000008a04"])
r5 = socket$inet_mptcp(0x2, 0x1, 0x106)
setsockopt$inet_int(r5, 0x0, 0x1, 0x0, 0x0)
mmap$snddsp_status(&(0x7f0000ffc000/0x4000)=nil, 0x1000, 0x200000d, 0x30, r0, 0x82000000)
openat$sw_sync(0xffffffffffffff9c, &(0x7f0000001700), 0x100102, 0x0)
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040), 0x200000, 0x0)
r6 = socket$nl_route(0x10, 0x3, 0x0)
r7 = socket$inet6_udp(0xa, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000c80)={'lo\x00', <r8=>0x0})
sendmsg$nl_route_sched(r6, &(0x7f0000001200)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000100)=@newqdisc={0x24, 0x24, 0x200, 0x0, 0xffffffff, {0x0, 0x0, 0x0, r8, {}, {0xffff, 0x7}, {0xfff2, 0xffff}}}, 0x24}, 0x1, 0x0, 0x0, 0x4008880}, 0x8004)
ioctl$KVM_NMI(r4, 0xae9a)
openat$selinux_mls(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) (async)
openat$kvm(0xffffffffffffff9c, &(0x7f00000002c0), 0x1, 0x0) (async)
ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) (async)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) (async)
bind$bt_sco(r3, &(0x7f0000000340), 0x8) (async)
getsockopt$bt_BT_DEFER_SETUP(r3, 0x112, 0x7, &(0x7f0000000200)=0x1, &(0x7f0000000240)=0x4) (async)
ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) (async)
ioctl$KVM_SET_CPUID2(r4, 0x4008ae90, &(0x7f0000000240)=ANY=[@ANYBLOB="010000000000000001000000000000000000000000000000001b0300ff"]) (async)
ioctl$KVM_RUN(r4, 0xae80, 0x0) (async)
ioctl$KVM_SET_MSRS(r4, 0x4008ae89, &(0x7f0000000000)=ANY=[@ANYBLOB="01000000000000008a04"]) (async)
socket$inet_mptcp(0x2, 0x1, 0x106) (async)
setsockopt$inet_int(r5, 0x0, 0x1, 0x0, 0x0) (async)
mmap$snddsp_status(&(0x7f0000ffc000/0x4000)=nil, 0x1000, 0x200000d, 0x30, r0, 0x82000000) (async)
openat$sw_sync(0xffffffffffffff9c, &(0x7f0000001700), 0x100102, 0x0) (async)
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040), 0x200000, 0x0) (async)
socket$nl_route(0x10, 0x3, 0x0) (async)
socket$inet6_udp(0xa, 0x2, 0x0) (async)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000c80)={'lo\x00'}) (async)
sendmsg$nl_route_sched(r6, &(0x7f0000001200)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000100)=@newqdisc={0x24, 0x24, 0x200, 0x0, 0xffffffff, {0x0, 0x0, 0x0, r8, {}, {0xffff, 0x7}, {0xfff2, 0xffff}}}, 0x24}, 0x1, 0x0, 0x0, 0x4008880}, 0x8004) (async)
ioctl$KVM_NMI(r4, 0xae9a) (async)
executing program 3:
r0 = openat$misdntimer(0xffffffffffffff9c, &(0x7f0000000000), 0x80000, 0x0)
r1 = socket$netlink(0x10, 0x3, 0x0)
writev(r1, &(0x7f0000000100)=[{&(0x7f0000000040)="cca3fcf58d8fb8739ab092390ff73d843e5982972b842ab7b9a9b8948618f7de1185b56070fa0b2011c0c80d348fbbf00389a0144fc941ec995f3acade2e6339a5cdfd03b31658a6781404055c7faa203af4cbd30c89c9de87da3439a3d54d50d0cbd1c3a10735873d4b5fdd848dfc316db8bdbd5b1e62f593be65fc8e5f0a643ef0938976c9f8dc7a4f29f29112615581b3ec916f3d5e79d9c0efbb16b025b24891", 0xa2}], 0x1)
ioctl$IMDELTIMER(r0, 0x80044941, &(0x7f0000000200)=0x1)
openat$misdntimer(0xffffffffffffff9c, &(0x7f0000000000), 0x80000, 0x0) (async)
socket$netlink(0x10, 0x3, 0x0) (async)
writev(r1, &(0x7f0000000100)=[{&(0x7f0000000040)="cca3fcf58d8fb8739ab092390ff73d843e5982972b842ab7b9a9b8948618f7de1185b56070fa0b2011c0c80d348fbbf00389a0144fc941ec995f3acade2e6339a5cdfd03b31658a6781404055c7faa203af4cbd30c89c9de87da3439a3d54d50d0cbd1c3a10735873d4b5fdd848dfc316db8bdbd5b1e62f593be65fc8e5f0a643ef0938976c9f8dc7a4f29f29112615581b3ec916f3d5e79d9c0efbb16b025b24891", 0xa2}], 0x1) (async)
ioctl$IMDELTIMER(r0, 0x80044941, &(0x7f0000000200)=0x1) (async)
executing program 3:
r0 = socket$inet6(0xa, 0x5, 0x0)
recvmmsg(r0, &(0x7f00000001c0)=[{{0x0, 0x0, 0x0}, 0xdc}], 0x1, 0x2, 0x0)
r1 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000240)="d800000018007b7be00212ba0d0505040a003f00000f040b067c55a1bc0009001e0006990300000015000500fe800000000000000300014002000c0901ac04000bd67f6f94007100a007a290457f0189b316277ce06bbace8017cbec4c2ee5a7cef4090000001fb791643a5ee4b11602b2a10c11ce1b14d6d930dfe1d9d322fe04fb95cae8c9010000730d7a5025ccca262f3d40fad95667e04adcdf634c1f215ce3bb9ad8ffd5e1cace81ed0b7fece0b42a9ecbee5de6ccd40dd601edef3d93452a92307f00000e97031e9f05e9f16e9cb5000004000000", 0xd8}], 0x1, 0x0, 0x0, 0x2663}, 0x0)
socket$nl_netfilter(0x10, 0x3, 0xc)
executing program 3:
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
r1 = gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
ioctl$int_in(r2, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r2, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r4, &(0x7f0000000040), 0x8)
listen(r4, 0x0)
r5 = dup2(r4, r4)
accept4$bt_l2cap(r5, 0x0, 0x0, 0x0)
dup2(r2, r3)
fcntl$setown(r2, 0x8, r1)
tkill(r1, 0x13)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r0, 0xc00864bf, &(0x7f0000000140)={<r6=>0x0, 0x1})
ioctl$DRM_IOCTL_SYNCOBJ_DESTROY(r0, 0xc00864c0, &(0x7f0000000400)={r6})
r7 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_DELETE(r7, &(0x7f00000000c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000080)={&(0x7f00000001c0)=ANY=[@ANYBLOB="3c0000000201030000000000000003000000000000000280aa2eb0f65a672019dd421400018008000100ac14144808000200e0000001060012400001000008000c4000000003"], 0x3c}}, 0x4)
sendmsg$NFT_MSG_GETOBJ(r7, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="34000000130a03000000000000000000020000000900020073797a310000000008000340"], 0x34}}, 0x0)
executing program 1:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x80002, 0x0)
syz_io_uring_submit(0x0, 0x0, 0x0)
madvise(&(0x7f0000bdc000/0x4000)=nil, 0x86ac726dff2f4713, 0xa)
syz_clone(0x1000, 0x0, 0x0, &(0x7f0000000080), 0x0, 0x0)
sendmsg$nl_route_sched(r1, &(0x7f0000001240)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000140)=@newtaction={0x78, 0x30, 0x1, 0x3, 0x0, {}, [{0x64, 0x1, [@m_skbmod={0x60, 0x1, 0x0, 0x0, {{0xb}, {0x34, 0x2, 0x0, 0x1, [@TCA_SKBMOD_PARMS={0x24, 0x2, {{0x0, 0x2, 0x20000000, 0xfffffff3, 0x5}, 0xb}}, @TCA_SKBMOD_SMAC={0xa}]}, {0x4, 0x14}, {0xc}, {0xc, 0x6}}}]}]}, 0x78}}, 0x0)
sendmsg$IPCTNL_MSG_EXP_DELETE(0xffffffffffffffff, &(0x7f00000001c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x8000000}, 0x11, &(0x7f0000000180)={&(0x7f0000000140)={0x1c, 0x2, 0x2, 0x801, 0x0, 0x0, {0xa, 0x0, 0x6}, [@CTA_EXPECT_ZONE={0x6, 0x7, 0x1, 0x0, 0x3}]}, 0x1c}, 0x1, 0x0, 0x0, 0x4}, 0x24004094)
sendmsg$nl_route(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000200)=ANY=[@ANYBLOB="50000000210000082bbd7000ffdbdf25022014430200000000000000080017004e224e240c000c4000800000000009680800f2000a01010108000100e0000002080002000000000008001000d54a00004e5303fd1982be57b5728d6e99be2b5856a2c955f61850d5e9bfe473bc9398c38a83d76ca1b5aab8b66b8bec6578191ed65542920ad192daebdba317b6c089a32a91e692dff08d4713b173f19e"], 0x50}}, 0x0)
executing program 1:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000100)={0x1f, 0x2, &(0x7f00000002c0)=ANY=[@ANYBLOB="85000000b800000000000000000000000631624e4138822c72b162876a01a6464d7561ca99cc641308000100004dc21b9c001a4b0464e9d7a490fe969138653592b707e4a755d182252ab16adb"], &(0x7f0000000180)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x11, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90)
r0 = syz_clone(0x24100000, 0x0, 0x0, 0x0, 0x0, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$devlink(&(0x7f0000000140), 0xffffffffffffffff)
sendmsg$DEVLINK_CMD_SB_PORT_POOL_GET(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000380)={&(0x7f00000005c0)={0x4c, r2, 0x1, 0x0, 0x0, {0x4e}, [{{@nsim={{0xe}, {0xf, 0x2, {'netdevsim', 0x0}}}, {0x8, 0xab}}, {0x8}, {0x6}}]}, 0x4c}}, 0x0)
mmap$xdp(&(0x7f0000800000/0x800000)=nil, 0x800000, 0x0, 0xa031, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x4001, &(0x7f0000000000)=0x1, 0x7, 0x0)
r3 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000002100)='numa_maps\x00')
read$FUSE(r3, &(0x7f0000002140)={0x2020}, 0x2020)
r4 = syz_pidfd_open(r0, 0x0)
pidfd_send_signal(r4, 0x4, 0x0, 0x2)
socket$inet(0x2, 0x3, 0x2)
r5 = socket$inet(0x2, 0x3, 0x2)
r6 = socket$inet6(0xa, 0x3, 0xff)
r7 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/tty/ldiscs\x00', 0x0, 0x0)
r8 = openat$sysctl(0xffffffffffffff9c, &(0x7f0000000040)='/proc/self/clear_refs\x00', 0x1, 0x0)
sendfile(r8, r7, 0x0, 0x7)
connect$inet6(r6, &(0x7f0000000200)={0xa, 0x0, 0x0, @empty}, 0x1c)
sendto$inet6(r6, &(0x7f0000000280)="eb43ef45c546a50bc7cc12129d130100000033302925ff007332e4228741e90a762873abfee765d1", 0x28, 0x4048814, 0x0, 0x0)
ioctl$EXT4_IOC_SWAP_BOOT(r3, 0x6611)
setsockopt$inet_mreqsrc(r5, 0x0, 0x27, 0x0, 0x0)
r9 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000400), r1)
sendmsg$TIPC_NL_BEARER_GET(r1, &(0x7f0000000500)={&(0x7f0000000340)={0x10, 0x0, 0x0, 0x4000}, 0xc, &(0x7f00000004c0)={&(0x7f0000000440)={0x50, r9, 0x4, 0x94b, 0x25dfdbfc, {}, [@TIPC_NLA_SOCK={0x10, 0x2, 0x0, 0x1, [@TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x3ff}]}, @TIPC_NLA_NET={0x2c, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_ID={0x8, 0x1, 0xb}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x3}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x9}, @TIPC_NLA_NET_ID={0x8, 0x1, 0xfe000000}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40000}, 0x40000)
syz_emit_ethernet(0x26, &(0x7f00000003c0)={@link_local, @empty, @val={@val={0x88a8, 0x3, 0x0, 0x1}, {0x8100, 0x1, 0x1, 0x4}}, {@can={0xc, {{0x3, 0x0, 0x0, 0x1}, 0x7, 0x0, 0x0, 0x0, "4ef846dab031fc34"}}}}, 0x0)
r10 = socket$netlink(0x10, 0x3, 0x4)
setsockopt$netlink_NETLINK_PKTINFO(r10, 0x10e, 0x3, 0x0, 0x0)
writev(r10, &(0x7f0000000100)=[{&(0x7f0000000000)="580000001400192340834b80043f679a10ff3d425f9cc3f4ff7f4e32f61bcdf1e422000000000100804824cabecc4b381eaadc28f23457e792945f64009400050028925aaa000000c611000000000000feff2c707f8f00ff", 0x58}], 0x1)
setsockopt$sock_linger(r6, 0x1, 0xd, &(0x7f0000000240)={0x0, 0x8930}, 0x8)
r11 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000040), 0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_REMOVE(r10, &(0x7f00000001c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x1000}, 0xc, &(0x7f00000000c0)={&(0x7f0000000080)={0x28, r11, 0x4, 0x70bd28, 0x25dfdbff, {}, [@MPTCP_PM_ATTR_LOC_ID={0x5, 0x5, 0xe}, @MPTCP_PM_ATTR_TOKEN={0x8, 0x4, 0xc51}, @MPTCP_PM_ATTR_ADDR_REMOTE={0x4}]}, 0x28}, 0x1, 0x0, 0x0, 0x4000}, 0x44800)
executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000300)='blkio.bfq.io_merged_recursive\x00', 0x275a, 0x0)
syz_emit_ethernet(0x36, &(0x7f0000000100)=ANY=[@ANYBLOB="000002f0d31209000000bc2e79e995"], 0x0)
write$binfmt_script(r2, &(0x7f0000000100), 0x208e24b)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2, 0x28011, r2, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f00000001c0)={{}, &(0x7f0000000000), 0x0}, 0x20)
preadv(r2, &(0x7f00000015c0)=[{&(0x7f0000000080)=""/124, 0xffffff23}], 0x3e, 0x0, 0x0)
syz_emit_ethernet(0x4a, &(0x7f0000000000)=ANY=[@ANYBLOB="aaaaaaaaaaaaffffffffffff86dd600a847500140600fe800000000000", @ANYRES32=0x41424344], 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000327000/0x18000)=nil, &(0x7f0000000040)=[@text16={0x10, &(0x7f0000000180)="66b9800000c00f326635000800000f300f0f1c9a65660ff3b20618baa000ec672e660f38803d004000000f285473f61366b9800000c00f326635004000000f300f20e06635800000000f22e0f30fa6c8", 0x50}], 0x1, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000000000/0x18000)=nil, &(0x7f00000004c0)=[@text32={0x20, 0x0}], 0x1, 0x0, 0x0, 0x0)
recvmmsg(0xffffffffffffffff, &(0x7f0000000180)=[{{0x0, 0x0, 0x0, 0x0, &(0x7f0000002540)=""/216, 0xd8}}], 0x1, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={0x0}, 0x10)
ioctl$KVM_RUN(r3, 0xae80, 0x0)
executing program 0:
r0 = fsopen(&(0x7f0000000040)='sysfs\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0)
r1 = fsmount(r0, 0x0, 0x5)
fchdir(r1)
mkdir(&(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f00000009c0)='./file0\x00', 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r2, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000003c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000ac0)={{0x14}, [@NFT_MSG_NEWRULE={0x6c, 0x6, 0xa, 0x409, 0x0, 0x0, {0x2}, [@NFTA_RULE_EXPRESSIONS={0x40, 0x4, 0x0, 0x1, [{0x3c, 0x1, 0x0, 0x1, @immediate={{0xe}, @val={0x28, 0x2, 0x0, 0x1, [@NFTA_IMMEDIATE_DATA={0x1c, 0x2, 0x0, 0x1, [@NFTA_DATA_VERDICT={0x18, 0x2, 0x0, 0x1, [@NFTA_VERDICT_CHAIN={0x9, 0x2, 'syz2\x00'}, @NFTA_VERDICT_CODE={0x8, 0x1, 0x0, 0x1, 0xfffffffffffffffc}]}]}, @NFTA_IMMEDIATE_DREG={0x8, 0x1, 0x1, 0x0, 0x2000}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz2\x00'}]}], {0x14}}, 0x94}}, 0x0)
llistxattr(&(0x7f0000000340)='./bus\x00', &(0x7f0000000b80)=""/4096, 0x1000)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
mkdir(&(0x7f0000000440)='./file1\x00', 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000a00)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}, {@nfs_export_on}]})
chdir(&(0x7f00000001c0)='./bus\x00')
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB="9feb0100180000000000000002"], 0x0, 0x1a, 0x0, 0x1, 0x0, 0x0, @void, @value}, 0x28)
r3 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x1b, 0x0, 0x0, 0x8000, 0x0, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x16, 0x7, &(0x7f0000000400)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r3, @ANYBLOB="0000000000000000b702000002000000850000008600000095"], &(0x7f00000003c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000240)={r4, 0xfca804a0, 0xfffffffffffffd0b, 0x38, &(0x7f00000002c0)="b800000500000000", &(0x7f0000000300)=""/8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x4c)
rmdir(&(0x7f0000000380)='./file0/../file0\x00')
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
bisect: bisecting 24 programs
bisect: split chunks (needed=false): <24>
bisect: split chunk #0 of len 24 into 3 parts
bisect: testing without sub-chunk 1/3
testing program (duration=34s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [10, 14, 13, 4, 12, 21, 5, 40, 8, 5, 20, 8, 30, 16, 20, 11]
detailed listing:
executing program 2:
r0 = signalfd(0xffffffffffffffff, &(0x7f0000000140), 0x8)
r1 = io_uring_setup(0x1397, &(0x7f00000000c0)={0x0, 0x47f, 0xef85869e598f7813, 0x2, 0x389, 0x0, r0})
r2 = syz_io_uring_setup(0x7e2b, &(0x7f0000000300)={0x0, 0x3, 0x800, 0x0, 0x1ba, 0x0, r1}, &(0x7f0000000180)=<r3=>0x0, &(0x7f0000000200)=<r4=>0x0)
syz_io_uring_submit(r3, r4, &(0x7f00000001c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x3, r0})
io_uring_enter(r2, 0x353, 0x3, 0x1, 0x0, 0x0)
signalfd(r0, &(0x7f0000002340), 0x8) (async)
r5 = socket$inet_sctp(0x2, 0x1, 0x84)
setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r5, 0x84, 0x9, &(0x7f00000003c0)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x0, 0x0, 0x0, 0x300}, 0x9c)
r6 = openat$binfmt_register(0xffffff9c, &(0x7f0000000080), 0x1, 0x0)
write$binfmt_register(r6, &(0x7f0000000040)={0x3a, 'syz0', 0x3a, 'E', 0x3a, 0x0, 0x3a, 'syz2', 0x3a, 'Y$*@', 0x3a, './file0', 0x3a, [0x50, 0x46, 0x46]}, 0x32)
executing program 2:
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000480)='blkio.throttle.io_serviced\x00', 0x275a, 0x0)
r1 = syz_open_dev$sg(&(0x7f00000060c0), 0x0, 0x0)
dup2(r1, r0)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x200000b, 0x12, r0, 0x0)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000004c0), 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil})
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text32={0x20, 0x0}], 0x1, 0x0, 0x0, 0x0)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
setsockopt$IP_VS_SO_SET_STARTDAEMON(0xffffffffffffffff, 0x0, 0x48b, &(0x7f0000002100)={0x1, 'netpci0\x00'}, 0x18)
setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000000)={0x1, 'dummy0\x00'}, 0x18)
bpf$PROG_LOAD(0x5, &(0x7f00000017c0)={0x1, 0xe, &(0x7f0000001880)=ANY=[@ANYBLOB="b700000081000000bfa30000000000000703000003feffff720a00fef8ffffff71a4f1ff0000000071302000000000001d400500000000004704000001ed00000f030000000000001d44000000000000620a00ff040400007203000000000000b500f7ff000000009500000000000000023bc065b58111c6dfa041b63af4a3912435f1a864a710aad58db6a693002e7f3be361917adef6ee1c8a2a4f8ef1e50becb19bc461e91a7168c50000000190f32050e436fe275daf51efd601b6bf01c8e8b1b526375ec4dd6fcd82e4fe51bef7af9aa0d7d600c095199fe3380d28e599b0eaebbdbd732c9cc00eec363e4a8f6456e2cc21557c0afc646cb7798b3e6440c2fbdb00a3e35208b0bb0d2cd829e654400e2438ec649dc74a28610643a98d9ec21ead2ed51bf900000000000000d8a7925c3109b151b8b9f75dd08d123deda88c658d42ecbf28bf7076c15b463bebc72f526d8e8afcb913466aaa7f6df70252e79166d858fcd0e06dd31af9612f2460d0b11008e59a5923906f88b53987ad1714e72ba7a54f0c33d39000d06a59ff616236fd9aa58f2477184b6a89adaf17b0a6041bdef728d236619074d6ebdfd1f5089048ddff6da40f9411fe722631cb467600ade70063e5291569b33d21dae356e1c51f03a801be8189679a16da18ec0ae564162a27afea62d84f3a10746443d6438e959532e0617d419c6bc6ea9f2bca4464f56e24e6d2105bd901204a1deeed4155617572652d950ad31928b0b0c3dc2869f478341d02d0f5ad94b081fcd507acb4b9c65fee9d5a17f48a7382f13d000000225d85ae49cee383dc5049076b989b40000000000000da60d2ae20cfb91d6a49964757cdf538f9ce2bdb1ab062cd54e67011d355d84ce97bb0c6b4a595e487efbb2d71cde2c140952f9a0f0bc6980fe78683ac5c0c31032599ddd71063be9261b2e1aab1675b34a22048ef8c126aeef5f510a8f1aded94a129e4aec6f8d9ab06faffc3a15d96c2ea3e2e04cfe031b2875353193f82ade69d0540059fe6c7fe7cd8697502c7596566d674e425da5e87e59602a9f6590521d31d3804b3e0a1053abdc31282dfb15eb6841bb64a1b304502dda787343ce3c953992e4a982f3c48153baae244e7bf37548c7f1a4cad2422ee965a38f7defbd2160242b104e20dc2d9b0c35608d402ccdd9069bd50b994fda7a9de44028d6112a0c2d21b2dc98816106dec28eaeb883418f562ae00003ea96d10f172c0374d6eed826416050000000bfe9b4a9c5a90ff59d54d1f92ecc4e95dd2d18383117c039862198899b212c55318294270a1ad10c80fef7c24d47afce829ba0f85da6d888f18ea40ab959f6074ab2a40d85d15017ab513cdc6c0e57fb1c1ca571380d7b4ead35a385e0b4a26b702396df7e0c1e02b6e4114f244a9bf93020000000000000080e69db384ac7eeedcf2ba3a9508f9d6aba582a896a9f1e096df6ecea75caf822a7a63ba34015ea5aacb1188883ad2a3b1832371fe5bc621426d1ed0a4a99702cc1b6912a1e717d29135753208165b9cdbae2ed9dc7358f0ebadde0b727f27feeb744ddcc536cbae315c7d1fe1399562ba6824840bd2951680f6f2f9a6a8346962a350845ffa0d829e4f79adc287906943408e6df3c391e97ba48db0a5adbfd03aac93df8866fb010aec0e92bed1fe39af169d2a466f0db6f3d9436a7d55fc30511d00e10000c95265b2bd83d64a532869d701723fedcbada1ee7baa5b6a686b50f0937f778af083e055f6138a757ebd0ed91124a6b244f9acf41ac5d73a008364e0606a594817031fc2f52c8785fe0721719b3d654026c6ea08b83b123145ab5703dad844ceb201ddeb6dc5f6a903792283c42efc54fa84323afc4c10eff462c8843187f1dd48ef3fa293774d582956ff0f40b10ca94f6feeb2893c17888e1cdba94a6ea80c33ead5722c3293a493f1479531dd88261458f40d31fe8df15efaaeea831555877f9538d6ee6ba65893ff1f908ba7554ba583fef3ec7932f5954f31a878e2fae6691d1aee1da02ba516467df3e7d1daac43738012e4fee18a22da19fcdb4c2890cda1f96b952511e3a69d694d625e0b2f808890205f3a6da2819d2f9e77c7c64affa54fec0136cbafa5f6f096753b639a924599c1f69219927ea5301fff0a6063d427f0688430754c02180d61542c2571f983e9673560000000000000000005a7b57f03ca91a01ba2e30ca99e8ebc15ecb4d91675767999d146aef7799738b292fd640dfef6b04d086f737a159d7e0c6e4d81ad64a8bbca48568325b2969e2b15f36b788bce5ccdbaf75c94cb93499f6947a967a7bce14c6de4e7c0660d80010f5c653d22d490cba8c2a4ab595bf4238f18ca428dafc7ac96d404607a0000000051a2104f22e6db5a62b5089c1b45282d38864daa3ae81d6b0968d1d2867b91b7d120617d12d91db2633d6864da40b54783a17aaeb6737c323f9f98e354cc98dcfe23ad01bd1c61563e69ffe1c2c73e16e1461173f359e93d2c5e424c17998809ec8f0232b3955e052a4cecd89008f70314a0bdd491ec86a4555d89fe0120f64c62e8e3ed8bcb45202c3d4bbec8d722824c0ebca8db1ea4a003d2fbdc1f9be78537756ab5bbe4fe9af5d785d0128171c90d9900ce2532b0f9d01c4b45294fbba468df3e1b583cb4e62e754598e47df6bd06431c94bc5d047899fd219f448bf9189c65c9d91eda6b52a373803a9efe44f86909bc90addb7b9aee813df534aac4b3093c91b8068cd84990453f006694d461b76a58d88cf0f520310a1e80dc18cde98d662eee077515d0a8811922929e085392ab3d1311b8243266d87047f601fa88a0da36b9f302e8262395174328f2482d14008de83070744f143fdec90ba5a82668d5fac114c13955ad6dca5db2231d8ba14c54c47ed04a4b4ace17e357e1d6032399f87a7a14245bbd796a09313b247b95d37ff40a404bdad74bd20000000000000000000099fef7cd7af3ce64a92f95d89d125b1e641240d7e5e27a3d1f7684448c3e3822d617e205061298b939a191be4b48e169bde2cae3accc5bd40a2968b59c93d35f8e42366fdef9a2abae1cf01ce68abff28861aac8302d268569dd42e194e330c7aaa54ebbcefd23f21ce8153b9926e12e925cb56119df72c7533a48d028ad0c74e2a9478fa3be18a1a2b65079cc1c00000000000000f59dd19e8d525206c0a728cfd42193abe8130bc01a2d69841f3d7799ac04bdc590bb1c89b9c695f163e57343c9bfb59909433c9001c5f8b23e38534a538fc933cac6c2a92d038df638a0f226df9fb857bd414c2cd69985e8053e3dfa41614d7c74d04d8c2471041d17c730fad28395f8d4688898cd58b9d600c851626529bb58aa364b55e73f053450665e7b94ed1012fd7a8139166fd5e59c84f4ab279b1b99c028db4cb9680c8035f967db18de738844da7e260a830c1ffa49f5af3c15423a0e315acb82a3e89218cb314e68fda4d94aa1d815babc13b9fd336d205c5913ef67cf0216e2d81e6127bd9d7fab28800eaab2355992f8ce4cd38add4b272c0bee4076ca4847ffa691cf78fb7ec212bad3bef29f577ea7159b7f3025b3d977ff7c91024cf71126233cb8791c3c"], &(0x7f00000001c0)='GPL\x00', 0x1, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x0, 0x10, &(0x7f0000000000)={0x0, 0x3}, 0xfffffffffffffd00, 0x0, 0xffffffffffffffff, 0xffffffa0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
executing program 1:
r0 = syz_io_uring_setup(0x5411, &(0x7f0000000300)={0x0, 0x6b7f, 0x1000, 0x2, 0x221}, &(0x7f0000000380), 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x400, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r3 = dup(r2)
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000180)={0x0, 0x3, 0x0, 0x1000, &(0x7f0000000000/0x1000)=nil})
ioctl$PPPIOCGL2TPSTATS(0xffffffffffffffff, 0x80487436, &(0x7f0000000000)="6941c43b78eeda4918160798ef967cb9254c327158c51dc69eeda809ba0f")
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000300)=[@text64={0x40, 0x0}], 0x1, 0x0, 0x0, 0x0)
syz_kvm_setup_cpu$x86(r3, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000dc0)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0)
ioctl$KVM_NMI(r4, 0xae9a)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
mmap(&(0x7f0000ffc000/0x2000)=nil, 0x2000, 0x0, 0x13, r0, 0xd481e000)
executing program 3:
openat$sw_sync_info(0xffffffffffffff9c, &(0x7f0000000040), 0x4000, 0x0)
pipe(&(0x7f0000000340)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
vmsplice(r0, &(0x7f0000000300)=[{0x0, 0x61}, {&(0x7f00000001c0)="5c8000000000000000ea45a1", 0x20000081}], 0x2, 0x0)
bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000080)={0x2, 0xc, &(0x7f00000013c0)=ANY=[@ANYBLOB="180200001000000000000000000000001801000020696c2500000000002020207b2af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000000600000087000000000000009500000000000000"], &(0x7f0000000000)='GPL\x00', 0xffffffff, 0xd2, &(0x7f0000000140)=""/210, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
executing program 3:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
socket(0x400000000010, 0x3, 0x0) (async)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
socket$inet(0x2, 0x6, 0x0)
ioctl$SIOCX25SFACILITIES(0xffffffffffffffff, 0x89e3, 0x0) (async)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x1)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000180)={0x0, 0x3, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) (async)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000000000/0x18000)=nil, &(0x7f0000001800)=[@text64={0x40, &(0x7f0000001840)="f3470fbc06c74424000600007848b800280000000000000f23c00f21f835030004000f23f8c7442406000000000f0114246aa2450f0012124424001afa0000c744240216383d27c7442406000000000f011c2466b8f0000f00d0400f060f00e4c4a1c1edba2500000066baa00066b8000066ef66b82f008ed0", 0x79}], 0x1, 0x0, 0x0, 0x47) (async)
syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000440)=[@text64={0x40, 0x0}], 0x1, 0x0, 0x0, 0x0)
mount(0x0, 0x0, &(0x7f0000000000)='autofs\x00', 0x0, 0x0) (async)
ioctl$KVM_NMI(r2, 0xae9a) (async)
ioctl$KVM_RUN(r2, 0xae80, 0x0)
executing program 1:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket$xdp(0x2c, 0x3, 0x0)
r2 = socket$inet6_udplite(0xa, 0x2, 0x88)
setsockopt$XDP_RX_RING(r1, 0x11b, 0x2, &(0x7f00000002c0)=0x100, 0x4)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000000240), r3)
sendmsg$IEEE802154_DISASSOCIATE_REQ(r4, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000280)={0x14, r5, 0x1}, 0x14}}, 0x0)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r2, 0x8933, &(0x7f0000000280)={'batadv_slave_1\x00', <r6=>0x0})
r7 = socket$xdp(0x2c, 0x3, 0x0)
setsockopt$XDP_UMEM_REG(r7, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000140)={r7})
setsockopt$XDP_UMEM_COMPLETION_RING(r1, 0x11b, 0x6, &(0x7f0000000080)=0x1, 0x4)
r8 = socket$inet6_udplite(0xa, 0x2, 0x88)
setsockopt$XDP_RX_RING(r7, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r8, 0x8933, &(0x7f0000000580)={'batadv_slave_0\x00', <r9=>0x0})
setsockopt$XDP_UMEM_FILL_RING(r7, 0x11b, 0x5, &(0x7f0000000300)=0x1, 0x4)
bind$xdp(r7, &(0x7f0000000100)={0x2c, 0x0, r9}, 0x10)
bind$xdp(r1, &(0x7f0000000240)={0x2c, 0x1, r6, 0x0, r7}, 0x60)
sendmsg$nl_route(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000000)=ANY=[], 0x38}}, 0x0)
openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0x4aa841, 0x0)
executing program 3:
socketpair$tipc(0x1e, 0x5, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
getsockopt(r1, 0xff, 0x1, 0x0, &(0x7f0000000000))
setsockopt$inet_int(r1, 0x0, 0xb, &(0x7f0000000040)=0x9, 0x4)
sendmsg$tipc(r0, &(0x7f0000000240)={0x0, 0x18, &(0x7f00000000c0), 0x31}, 0x0)
executing program 1:
r0 = openat$selinux_mls(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000002c0), 0x1, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r3, &(0x7f0000000340), 0x8)
getsockopt$bt_BT_DEFER_SETUP(r3, 0x112, 0x7, &(0x7f0000000200)=0x1, &(0x7f0000000240)=0x4)
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_CPUID2(r4, 0x4008ae90, &(0x7f0000000240)=ANY=[@ANYBLOB="010000000000000001000000000000000000000000000000001b0300ff"])
ioctl$KVM_RUN(r4, 0xae80, 0x0)
ioctl$KVM_SET_MSRS(r4, 0x4008ae89, &(0x7f0000000000)=ANY=[@ANYBLOB="01000000000000008a04"])
r5 = socket$inet_mptcp(0x2, 0x1, 0x106)
setsockopt$inet_int(r5, 0x0, 0x1, 0x0, 0x0)
mmap$snddsp_status(&(0x7f0000ffc000/0x4000)=nil, 0x1000, 0x200000d, 0x30, r0, 0x82000000)
openat$sw_sync(0xffffffffffffff9c, &(0x7f0000001700), 0x100102, 0x0)
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040), 0x200000, 0x0)
r6 = socket$nl_route(0x10, 0x3, 0x0)
r7 = socket$inet6_udp(0xa, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000c80)={'lo\x00', <r8=>0x0})
sendmsg$nl_route_sched(r6, &(0x7f0000001200)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000100)=@newqdisc={0x24, 0x24, 0x200, 0x0, 0xffffffff, {0x0, 0x0, 0x0, r8, {}, {0xffff, 0x7}, {0xfff2, 0xffff}}}, 0x24}, 0x1, 0x0, 0x0, 0x4008880}, 0x8004)
ioctl$KVM_NMI(r4, 0xae9a)
openat$selinux_mls(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) (async)
openat$kvm(0xffffffffffffff9c, &(0x7f00000002c0), 0x1, 0x0) (async)
ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) (async)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) (async)
bind$bt_sco(r3, &(0x7f0000000340), 0x8) (async)
getsockopt$bt_BT_DEFER_SETUP(r3, 0x112, 0x7, &(0x7f0000000200)=0x1, &(0x7f0000000240)=0x4) (async)
ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) (async)
ioctl$KVM_SET_CPUID2(r4, 0x4008ae90, &(0x7f0000000240)=ANY=[@ANYBLOB="010000000000000001000000000000000000000000000000001b0300ff"]) (async)
ioctl$KVM_RUN(r4, 0xae80, 0x0) (async)
ioctl$KVM_SET_MSRS(r4, 0x4008ae89, &(0x7f0000000000)=ANY=[@ANYBLOB="01000000000000008a04"]) (async)
socket$inet_mptcp(0x2, 0x1, 0x106) (async)
setsockopt$inet_int(r5, 0x0, 0x1, 0x0, 0x0) (async)
mmap$snddsp_status(&(0x7f0000ffc000/0x4000)=nil, 0x1000, 0x200000d, 0x30, r0, 0x82000000) (async)
openat$sw_sync(0xffffffffffffff9c, &(0x7f0000001700), 0x100102, 0x0) (async)
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040), 0x200000, 0x0) (async)
socket$nl_route(0x10, 0x3, 0x0) (async)
socket$inet6_udp(0xa, 0x2, 0x0) (async)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000c80)={'lo\x00'}) (async)
sendmsg$nl_route_sched(r6, &(0x7f0000001200)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000100)=@newqdisc={0x24, 0x24, 0x200, 0x0, 0xffffffff, {0x0, 0x0, 0x0, r8, {}, {0xffff, 0x7}, {0xfff2, 0xffff}}}, 0x24}, 0x1, 0x0, 0x0, 0x4008880}, 0x8004) (async)
ioctl$KVM_NMI(r4, 0xae9a) (async)
executing program 3:
r0 = openat$misdntimer(0xffffffffffffff9c, &(0x7f0000000000), 0x80000, 0x0)
r1 = socket$netlink(0x10, 0x3, 0x0)
writev(r1, &(0x7f0000000100)=[{&(0x7f0000000040)="cca3fcf58d8fb8739ab092390ff73d843e5982972b842ab7b9a9b8948618f7de1185b56070fa0b2011c0c80d348fbbf00389a0144fc941ec995f3acade2e6339a5cdfd03b31658a6781404055c7faa203af4cbd30c89c9de87da3439a3d54d50d0cbd1c3a10735873d4b5fdd848dfc316db8bdbd5b1e62f593be65fc8e5f0a643ef0938976c9f8dc7a4f29f29112615581b3ec916f3d5e79d9c0efbb16b025b24891", 0xa2}], 0x1)
ioctl$IMDELTIMER(r0, 0x80044941, &(0x7f0000000200)=0x1)
openat$misdntimer(0xffffffffffffff9c, &(0x7f0000000000), 0x80000, 0x0) (async)
socket$netlink(0x10, 0x3, 0x0) (async)
writev(r1, &(0x7f0000000100)=[{&(0x7f0000000040)="cca3fcf58d8fb8739ab092390ff73d843e5982972b842ab7b9a9b8948618f7de1185b56070fa0b2011c0c80d348fbbf00389a0144fc941ec995f3acade2e6339a5cdfd03b31658a6781404055c7faa203af4cbd30c89c9de87da3439a3d54d50d0cbd1c3a10735873d4b5fdd848dfc316db8bdbd5b1e62f593be65fc8e5f0a643ef0938976c9f8dc7a4f29f29112615581b3ec916f3d5e79d9c0efbb16b025b24891", 0xa2}], 0x1) (async)
ioctl$IMDELTIMER(r0, 0x80044941, &(0x7f0000000200)=0x1) (async)
executing program 3:
r0 = socket$inet6(0xa, 0x5, 0x0)
recvmmsg(r0, &(0x7f00000001c0)=[{{0x0, 0x0, 0x0}, 0xdc}], 0x1, 0x2, 0x0)
r1 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000240)="d800000018007b7be00212ba0d0505040a003f00000f040b067c55a1bc0009001e0006990300000015000500fe800000000000000300014002000c0901ac04000bd67f6f94007100a007a290457f0189b316277ce06bbace8017cbec4c2ee5a7cef4090000001fb791643a5ee4b11602b2a10c11ce1b14d6d930dfe1d9d322fe04fb95cae8c9010000730d7a5025ccca262f3d40fad95667e04adcdf634c1f215ce3bb9ad8ffd5e1cace81ed0b7fece0b42a9ecbee5de6ccd40dd601edef3d93452a92307f00000e97031e9f05e9f16e9cb5000004000000", 0xd8}], 0x1, 0x0, 0x0, 0x2663}, 0x0)
socket$nl_netfilter(0x10, 0x3, 0xc)
executing program 3:
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
r1 = gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
ioctl$int_in(r2, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r2, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r4, &(0x7f0000000040), 0x8)
listen(r4, 0x0)
r5 = dup2(r4, r4)
accept4$bt_l2cap(r5, 0x0, 0x0, 0x0)
dup2(r2, r3)
fcntl$setown(r2, 0x8, r1)
tkill(r1, 0x13)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r0, 0xc00864bf, &(0x7f0000000140)={<r6=>0x0, 0x1})
ioctl$DRM_IOCTL_SYNCOBJ_DESTROY(r0, 0xc00864c0, &(0x7f0000000400)={r6})
r7 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_DELETE(r7, &(0x7f00000000c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000080)={&(0x7f00000001c0)=ANY=[@ANYBLOB="3c0000000201030000000000000003000000000000000280aa2eb0f65a672019dd421400018008000100ac14144808000200e0000001060012400001000008000c4000000003"], 0x3c}}, 0x4)
sendmsg$NFT_MSG_GETOBJ(r7, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="34000000130a03000000000000000000020000000900020073797a310000000008000340"], 0x34}}, 0x0)
executing program 1:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x80002, 0x0)
syz_io_uring_submit(0x0, 0x0, 0x0)
madvise(&(0x7f0000bdc000/0x4000)=nil, 0x86ac726dff2f4713, 0xa)
syz_clone(0x1000, 0x0, 0x0, &(0x7f0000000080), 0x0, 0x0)
sendmsg$nl_route_sched(r1, &(0x7f0000001240)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000140)=@newtaction={0x78, 0x30, 0x1, 0x3, 0x0, {}, [{0x64, 0x1, [@m_skbmod={0x60, 0x1, 0x0, 0x0, {{0xb}, {0x34, 0x2, 0x0, 0x1, [@TCA_SKBMOD_PARMS={0x24, 0x2, {{0x0, 0x2, 0x20000000, 0xfffffff3, 0x5}, 0xb}}, @TCA_SKBMOD_SMAC={0xa}]}, {0x4, 0x14}, {0xc}, {0xc, 0x6}}}]}]}, 0x78}}, 0x0)
sendmsg$IPCTNL_MSG_EXP_DELETE(0xffffffffffffffff, &(0x7f00000001c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x8000000}, 0x11, &(0x7f0000000180)={&(0x7f0000000140)={0x1c, 0x2, 0x2, 0x801, 0x0, 0x0, {0xa, 0x0, 0x6}, [@CTA_EXPECT_ZONE={0x6, 0x7, 0x1, 0x0, 0x3}]}, 0x1c}, 0x1, 0x0, 0x0, 0x4}, 0x24004094)
sendmsg$nl_route(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000200)=ANY=[@ANYBLOB="50000000210000082bbd7000ffdbdf25022014430200000000000000080017004e224e240c000c4000800000000009680800f2000a01010108000100e0000002080002000000000008001000d54a00004e5303fd1982be57b5728d6e99be2b5856a2c955f61850d5e9bfe473bc9398c38a83d76ca1b5aab8b66b8bec6578191ed65542920ad192daebdba317b6c089a32a91e692dff08d4713b173f19e"], 0x50}}, 0x0)
executing program 1:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000100)={0x1f, 0x2, &(0x7f00000002c0)=ANY=[@ANYBLOB="85000000b800000000000000000000000631624e4138822c72b162876a01a6464d7561ca99cc641308000100004dc21b9c001a4b0464e9d7a490fe969138653592b707e4a755d182252ab16adb"], &(0x7f0000000180)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x11, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90)
r0 = syz_clone(0x24100000, 0x0, 0x0, 0x0, 0x0, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$devlink(&(0x7f0000000140), 0xffffffffffffffff)
sendmsg$DEVLINK_CMD_SB_PORT_POOL_GET(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000380)={&(0x7f00000005c0)={0x4c, r2, 0x1, 0x0, 0x0, {0x4e}, [{{@nsim={{0xe}, {0xf, 0x2, {'netdevsim', 0x0}}}, {0x8, 0xab}}, {0x8}, {0x6}}]}, 0x4c}}, 0x0)
mmap$xdp(&(0x7f0000800000/0x800000)=nil, 0x800000, 0x0, 0xa031, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x4001, &(0x7f0000000000)=0x1, 0x7, 0x0)
r3 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000002100)='numa_maps\x00')
read$FUSE(r3, &(0x7f0000002140)={0x2020}, 0x2020)
r4 = syz_pidfd_open(r0, 0x0)
pidfd_send_signal(r4, 0x4, 0x0, 0x2)
socket$inet(0x2, 0x3, 0x2)
r5 = socket$inet(0x2, 0x3, 0x2)
r6 = socket$inet6(0xa, 0x3, 0xff)
r7 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/tty/ldiscs\x00', 0x0, 0x0)
r8 = openat$sysctl(0xffffffffffffff9c, &(0x7f0000000040)='/proc/self/clear_refs\x00', 0x1, 0x0)
sendfile(r8, r7, 0x0, 0x7)
connect$inet6(r6, &(0x7f0000000200)={0xa, 0x0, 0x0, @empty}, 0x1c)
sendto$inet6(r6, &(0x7f0000000280)="eb43ef45c546a50bc7cc12129d130100000033302925ff007332e4228741e90a762873abfee765d1", 0x28, 0x4048814, 0x0, 0x0)
ioctl$EXT4_IOC_SWAP_BOOT(r3, 0x6611)
setsockopt$inet_mreqsrc(r5, 0x0, 0x27, 0x0, 0x0)
r9 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000400), r1)
sendmsg$TIPC_NL_BEARER_GET(r1, &(0x7f0000000500)={&(0x7f0000000340)={0x10, 0x0, 0x0, 0x4000}, 0xc, &(0x7f00000004c0)={&(0x7f0000000440)={0x50, r9, 0x4, 0x94b, 0x25dfdbfc, {}, [@TIPC_NLA_SOCK={0x10, 0x2, 0x0, 0x1, [@TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x3ff}]}, @TIPC_NLA_NET={0x2c, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_ID={0x8, 0x1, 0xb}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x3}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x9}, @TIPC_NLA_NET_ID={0x8, 0x1, 0xfe000000}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40000}, 0x40000)
syz_emit_ethernet(0x26, &(0x7f00000003c0)={@link_local, @empty, @val={@val={0x88a8, 0x3, 0x0, 0x1}, {0x8100, 0x1, 0x1, 0x4}}, {@can={0xc, {{0x3, 0x0, 0x0, 0x1}, 0x7, 0x0, 0x0, 0x0, "4ef846dab031fc34"}}}}, 0x0)
r10 = socket$netlink(0x10, 0x3, 0x4)
setsockopt$netlink_NETLINK_PKTINFO(r10, 0x10e, 0x3, 0x0, 0x0)
writev(r10, &(0x7f0000000100)=[{&(0x7f0000000000)="580000001400192340834b80043f679a10ff3d425f9cc3f4ff7f4e32f61bcdf1e422000000000100804824cabecc4b381eaadc28f23457e792945f64009400050028925aaa000000c611000000000000feff2c707f8f00ff", 0x58}], 0x1)
setsockopt$sock_linger(r6, 0x1, 0xd, &(0x7f0000000240)={0x0, 0x8930}, 0x8)
r11 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000040), 0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_REMOVE(r10, &(0x7f00000001c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x1000}, 0xc, &(0x7f00000000c0)={&(0x7f0000000080)={0x28, r11, 0x4, 0x70bd28, 0x25dfdbff, {}, [@MPTCP_PM_ATTR_LOC_ID={0x5, 0x5, 0xe}, @MPTCP_PM_ATTR_TOKEN={0x8, 0x4, 0xc51}, @MPTCP_PM_ATTR_ADDR_REMOTE={0x4}]}, 0x28}, 0x1, 0x0, 0x0, 0x4000}, 0x44800)
executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000300)='blkio.bfq.io_merged_recursive\x00', 0x275a, 0x0)
syz_emit_ethernet(0x36, &(0x7f0000000100)=ANY=[@ANYBLOB="000002f0d31209000000bc2e79e995"], 0x0)
write$binfmt_script(r2, &(0x7f0000000100), 0x208e24b)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2, 0x28011, r2, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f00000001c0)={{}, &(0x7f0000000000), 0x0}, 0x20)
preadv(r2, &(0x7f00000015c0)=[{&(0x7f0000000080)=""/124, 0xffffff23}], 0x3e, 0x0, 0x0)
syz_emit_ethernet(0x4a, &(0x7f0000000000)=ANY=[@ANYBLOB="aaaaaaaaaaaaffffffffffff86dd600a847500140600fe800000000000", @ANYRES32=0x41424344], 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000327000/0x18000)=nil, &(0x7f0000000040)=[@text16={0x10, &(0x7f0000000180)="66b9800000c00f326635000800000f300f0f1c9a65660ff3b20618baa000ec672e660f38803d004000000f285473f61366b9800000c00f326635004000000f300f20e06635800000000f22e0f30fa6c8", 0x50}], 0x1, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000000000/0x18000)=nil, &(0x7f00000004c0)=[@text32={0x20, 0x0}], 0x1, 0x0, 0x0, 0x0)
recvmmsg(0xffffffffffffffff, &(0x7f0000000180)=[{{0x0, 0x0, 0x0, 0x0, &(0x7f0000002540)=""/216, 0xd8}}], 0x1, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={0x0}, 0x10)
ioctl$KVM_RUN(r3, 0xae80, 0x0)
executing program 0:
r0 = fsopen(&(0x7f0000000040)='sysfs\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0)
r1 = fsmount(r0, 0x0, 0x5)
fchdir(r1)
mkdir(&(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f00000009c0)='./file0\x00', 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r2, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000003c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000ac0)={{0x14}, [@NFT_MSG_NEWRULE={0x6c, 0x6, 0xa, 0x409, 0x0, 0x0, {0x2}, [@NFTA_RULE_EXPRESSIONS={0x40, 0x4, 0x0, 0x1, [{0x3c, 0x1, 0x0, 0x1, @immediate={{0xe}, @val={0x28, 0x2, 0x0, 0x1, [@NFTA_IMMEDIATE_DATA={0x1c, 0x2, 0x0, 0x1, [@NFTA_DATA_VERDICT={0x18, 0x2, 0x0, 0x1, [@NFTA_VERDICT_CHAIN={0x9, 0x2, 'syz2\x00'}, @NFTA_VERDICT_CODE={0x8, 0x1, 0x0, 0x1, 0xfffffffffffffffc}]}]}, @NFTA_IMMEDIATE_DREG={0x8, 0x1, 0x1, 0x0, 0x2000}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz2\x00'}]}], {0x14}}, 0x94}}, 0x0)
llistxattr(&(0x7f0000000340)='./bus\x00', &(0x7f0000000b80)=""/4096, 0x1000)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
mkdir(&(0x7f0000000440)='./file1\x00', 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000a00)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}, {@nfs_export_on}]})
chdir(&(0x7f00000001c0)='./bus\x00')
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB="9feb0100180000000000000002"], 0x0, 0x1a, 0x0, 0x1, 0x0, 0x0, @void, @value}, 0x28)
r3 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x1b, 0x0, 0x0, 0x8000, 0x0, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x16, 0x7, &(0x7f0000000400)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r3, @ANYBLOB="0000000000000000b702000002000000850000008600000095"], &(0x7f00000003c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000240)={r4, 0xfca804a0, 0xfffffffffffffd0b, 0x38, &(0x7f00000002c0)="b800000500000000", &(0x7f0000000300)=""/8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x4c)
rmdir(&(0x7f0000000380)='./file0/../file0\x00')
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/3
testing program (duration=32s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [8, 5, 20, 8, 30, 16, 20, 11]
detailed listing:
executing program 3:
r0 = openat$misdntimer(0xffffffffffffff9c, &(0x7f0000000000), 0x80000, 0x0)
r1 = socket$netlink(0x10, 0x3, 0x0)
writev(r1, &(0x7f0000000100)=[{&(0x7f0000000040)="cca3fcf58d8fb8739ab092390ff73d843e5982972b842ab7b9a9b8948618f7de1185b56070fa0b2011c0c80d348fbbf00389a0144fc941ec995f3acade2e6339a5cdfd03b31658a6781404055c7faa203af4cbd30c89c9de87da3439a3d54d50d0cbd1c3a10735873d4b5fdd848dfc316db8bdbd5b1e62f593be65fc8e5f0a643ef0938976c9f8dc7a4f29f29112615581b3ec916f3d5e79d9c0efbb16b025b24891", 0xa2}], 0x1)
ioctl$IMDELTIMER(r0, 0x80044941, &(0x7f0000000200)=0x1)
openat$misdntimer(0xffffffffffffff9c, &(0x7f0000000000), 0x80000, 0x0) (async)
socket$netlink(0x10, 0x3, 0x0) (async)
writev(r1, &(0x7f0000000100)=[{&(0x7f0000000040)="cca3fcf58d8fb8739ab092390ff73d843e5982972b842ab7b9a9b8948618f7de1185b56070fa0b2011c0c80d348fbbf00389a0144fc941ec995f3acade2e6339a5cdfd03b31658a6781404055c7faa203af4cbd30c89c9de87da3439a3d54d50d0cbd1c3a10735873d4b5fdd848dfc316db8bdbd5b1e62f593be65fc8e5f0a643ef0938976c9f8dc7a4f29f29112615581b3ec916f3d5e79d9c0efbb16b025b24891", 0xa2}], 0x1) (async)
ioctl$IMDELTIMER(r0, 0x80044941, &(0x7f0000000200)=0x1) (async)
executing program 3:
r0 = socket$inet6(0xa, 0x5, 0x0)
recvmmsg(r0, &(0x7f00000001c0)=[{{0x0, 0x0, 0x0}, 0xdc}], 0x1, 0x2, 0x0)
r1 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000240)="d800000018007b7be00212ba0d0505040a003f00000f040b067c55a1bc0009001e0006990300000015000500fe800000000000000300014002000c0901ac04000bd67f6f94007100a007a290457f0189b316277ce06bbace8017cbec4c2ee5a7cef4090000001fb791643a5ee4b11602b2a10c11ce1b14d6d930dfe1d9d322fe04fb95cae8c9010000730d7a5025ccca262f3d40fad95667e04adcdf634c1f215ce3bb9ad8ffd5e1cace81ed0b7fece0b42a9ecbee5de6ccd40dd601edef3d93452a92307f00000e97031e9f05e9f16e9cb5000004000000", 0xd8}], 0x1, 0x0, 0x0, 0x2663}, 0x0)
socket$nl_netfilter(0x10, 0x3, 0xc)
executing program 3:
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
r1 = gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
ioctl$int_in(r2, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r2, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r4, &(0x7f0000000040), 0x8)
listen(r4, 0x0)
r5 = dup2(r4, r4)
accept4$bt_l2cap(r5, 0x0, 0x0, 0x0)
dup2(r2, r3)
fcntl$setown(r2, 0x8, r1)
tkill(r1, 0x13)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r0, 0xc00864bf, &(0x7f0000000140)={<r6=>0x0, 0x1})
ioctl$DRM_IOCTL_SYNCOBJ_DESTROY(r0, 0xc00864c0, &(0x7f0000000400)={r6})
r7 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_DELETE(r7, &(0x7f00000000c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000080)={&(0x7f00000001c0)=ANY=[@ANYBLOB="3c0000000201030000000000000003000000000000000280aa2eb0f65a672019dd421400018008000100ac14144808000200e0000001060012400001000008000c4000000003"], 0x3c}}, 0x4)
sendmsg$NFT_MSG_GETOBJ(r7, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="34000000130a03000000000000000000020000000900020073797a310000000008000340"], 0x34}}, 0x0)
executing program 1:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x80002, 0x0)
syz_io_uring_submit(0x0, 0x0, 0x0)
madvise(&(0x7f0000bdc000/0x4000)=nil, 0x86ac726dff2f4713, 0xa)
syz_clone(0x1000, 0x0, 0x0, &(0x7f0000000080), 0x0, 0x0)
sendmsg$nl_route_sched(r1, &(0x7f0000001240)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000140)=@newtaction={0x78, 0x30, 0x1, 0x3, 0x0, {}, [{0x64, 0x1, [@m_skbmod={0x60, 0x1, 0x0, 0x0, {{0xb}, {0x34, 0x2, 0x0, 0x1, [@TCA_SKBMOD_PARMS={0x24, 0x2, {{0x0, 0x2, 0x20000000, 0xfffffff3, 0x5}, 0xb}}, @TCA_SKBMOD_SMAC={0xa}]}, {0x4, 0x14}, {0xc}, {0xc, 0x6}}}]}]}, 0x78}}, 0x0)
sendmsg$IPCTNL_MSG_EXP_DELETE(0xffffffffffffffff, &(0x7f00000001c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x8000000}, 0x11, &(0x7f0000000180)={&(0x7f0000000140)={0x1c, 0x2, 0x2, 0x801, 0x0, 0x0, {0xa, 0x0, 0x6}, [@CTA_EXPECT_ZONE={0x6, 0x7, 0x1, 0x0, 0x3}]}, 0x1c}, 0x1, 0x0, 0x0, 0x4}, 0x24004094)
sendmsg$nl_route(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000200)=ANY=[@ANYBLOB="50000000210000082bbd7000ffdbdf25022014430200000000000000080017004e224e240c000c4000800000000009680800f2000a01010108000100e0000002080002000000000008001000d54a00004e5303fd1982be57b5728d6e99be2b5856a2c955f61850d5e9bfe473bc9398c38a83d76ca1b5aab8b66b8bec6578191ed65542920ad192daebdba317b6c089a32a91e692dff08d4713b173f19e"], 0x50}}, 0x0)
executing program 1:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000100)={0x1f, 0x2, &(0x7f00000002c0)=ANY=[@ANYBLOB="85000000b800000000000000000000000631624e4138822c72b162876a01a6464d7561ca99cc641308000100004dc21b9c001a4b0464e9d7a490fe969138653592b707e4a755d182252ab16adb"], &(0x7f0000000180)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x11, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90)
r0 = syz_clone(0x24100000, 0x0, 0x0, 0x0, 0x0, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$devlink(&(0x7f0000000140), 0xffffffffffffffff)
sendmsg$DEVLINK_CMD_SB_PORT_POOL_GET(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000380)={&(0x7f00000005c0)={0x4c, r2, 0x1, 0x0, 0x0, {0x4e}, [{{@nsim={{0xe}, {0xf, 0x2, {'netdevsim', 0x0}}}, {0x8, 0xab}}, {0x8}, {0x6}}]}, 0x4c}}, 0x0)
mmap$xdp(&(0x7f0000800000/0x800000)=nil, 0x800000, 0x0, 0xa031, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x4001, &(0x7f0000000000)=0x1, 0x7, 0x0)
r3 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000002100)='numa_maps\x00')
read$FUSE(r3, &(0x7f0000002140)={0x2020}, 0x2020)
r4 = syz_pidfd_open(r0, 0x0)
pidfd_send_signal(r4, 0x4, 0x0, 0x2)
socket$inet(0x2, 0x3, 0x2)
r5 = socket$inet(0x2, 0x3, 0x2)
r6 = socket$inet6(0xa, 0x3, 0xff)
r7 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/tty/ldiscs\x00', 0x0, 0x0)
r8 = openat$sysctl(0xffffffffffffff9c, &(0x7f0000000040)='/proc/self/clear_refs\x00', 0x1, 0x0)
sendfile(r8, r7, 0x0, 0x7)
connect$inet6(r6, &(0x7f0000000200)={0xa, 0x0, 0x0, @empty}, 0x1c)
sendto$inet6(r6, &(0x7f0000000280)="eb43ef45c546a50bc7cc12129d130100000033302925ff007332e4228741e90a762873abfee765d1", 0x28, 0x4048814, 0x0, 0x0)
ioctl$EXT4_IOC_SWAP_BOOT(r3, 0x6611)
setsockopt$inet_mreqsrc(r5, 0x0, 0x27, 0x0, 0x0)
r9 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000400), r1)
sendmsg$TIPC_NL_BEARER_GET(r1, &(0x7f0000000500)={&(0x7f0000000340)={0x10, 0x0, 0x0, 0x4000}, 0xc, &(0x7f00000004c0)={&(0x7f0000000440)={0x50, r9, 0x4, 0x94b, 0x25dfdbfc, {}, [@TIPC_NLA_SOCK={0x10, 0x2, 0x0, 0x1, [@TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x3ff}]}, @TIPC_NLA_NET={0x2c, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_ID={0x8, 0x1, 0xb}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x3}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x9}, @TIPC_NLA_NET_ID={0x8, 0x1, 0xfe000000}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40000}, 0x40000)
syz_emit_ethernet(0x26, &(0x7f00000003c0)={@link_local, @empty, @val={@val={0x88a8, 0x3, 0x0, 0x1}, {0x8100, 0x1, 0x1, 0x4}}, {@can={0xc, {{0x3, 0x0, 0x0, 0x1}, 0x7, 0x0, 0x0, 0x0, "4ef846dab031fc34"}}}}, 0x0)
r10 = socket$netlink(0x10, 0x3, 0x4)
setsockopt$netlink_NETLINK_PKTINFO(r10, 0x10e, 0x3, 0x0, 0x0)
writev(r10, &(0x7f0000000100)=[{&(0x7f0000000000)="580000001400192340834b80043f679a10ff3d425f9cc3f4ff7f4e32f61bcdf1e422000000000100804824cabecc4b381eaadc28f23457e792945f64009400050028925aaa000000c611000000000000feff2c707f8f00ff", 0x58}], 0x1)
setsockopt$sock_linger(r6, 0x1, 0xd, &(0x7f0000000240)={0x0, 0x8930}, 0x8)
r11 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000040), 0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_REMOVE(r10, &(0x7f00000001c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x1000}, 0xc, &(0x7f00000000c0)={&(0x7f0000000080)={0x28, r11, 0x4, 0x70bd28, 0x25dfdbff, {}, [@MPTCP_PM_ATTR_LOC_ID={0x5, 0x5, 0xe}, @MPTCP_PM_ATTR_TOKEN={0x8, 0x4, 0xc51}, @MPTCP_PM_ATTR_ADDR_REMOTE={0x4}]}, 0x28}, 0x1, 0x0, 0x0, 0x4000}, 0x44800)
executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000300)='blkio.bfq.io_merged_recursive\x00', 0x275a, 0x0)
syz_emit_ethernet(0x36, &(0x7f0000000100)=ANY=[@ANYBLOB="000002f0d31209000000bc2e79e995"], 0x0)
write$binfmt_script(r2, &(0x7f0000000100), 0x208e24b)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2, 0x28011, r2, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f00000001c0)={{}, &(0x7f0000000000), 0x0}, 0x20)
preadv(r2, &(0x7f00000015c0)=[{&(0x7f0000000080)=""/124, 0xffffff23}], 0x3e, 0x0, 0x0)
syz_emit_ethernet(0x4a, &(0x7f0000000000)=ANY=[@ANYBLOB="aaaaaaaaaaaaffffffffffff86dd600a847500140600fe800000000000", @ANYRES32=0x41424344], 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000327000/0x18000)=nil, &(0x7f0000000040)=[@text16={0x10, &(0x7f0000000180)="66b9800000c00f326635000800000f300f0f1c9a65660ff3b20618baa000ec672e660f38803d004000000f285473f61366b9800000c00f326635004000000f300f20e06635800000000f22e0f30fa6c8", 0x50}], 0x1, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000000000/0x18000)=nil, &(0x7f00000004c0)=[@text32={0x20, 0x0}], 0x1, 0x0, 0x0, 0x0)
recvmmsg(0xffffffffffffffff, &(0x7f0000000180)=[{{0x0, 0x0, 0x0, 0x0, &(0x7f0000002540)=""/216, 0xd8}}], 0x1, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={0x0}, 0x10)
ioctl$KVM_RUN(r3, 0xae80, 0x0)
executing program 0:
r0 = fsopen(&(0x7f0000000040)='sysfs\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0)
r1 = fsmount(r0, 0x0, 0x5)
fchdir(r1)
mkdir(&(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f00000009c0)='./file0\x00', 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r2, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000003c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000ac0)={{0x14}, [@NFT_MSG_NEWRULE={0x6c, 0x6, 0xa, 0x409, 0x0, 0x0, {0x2}, [@NFTA_RULE_EXPRESSIONS={0x40, 0x4, 0x0, 0x1, [{0x3c, 0x1, 0x0, 0x1, @immediate={{0xe}, @val={0x28, 0x2, 0x0, 0x1, [@NFTA_IMMEDIATE_DATA={0x1c, 0x2, 0x0, 0x1, [@NFTA_DATA_VERDICT={0x18, 0x2, 0x0, 0x1, [@NFTA_VERDICT_CHAIN={0x9, 0x2, 'syz2\x00'}, @NFTA_VERDICT_CODE={0x8, 0x1, 0x0, 0x1, 0xfffffffffffffffc}]}]}, @NFTA_IMMEDIATE_DREG={0x8, 0x1, 0x1, 0x0, 0x2000}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz2\x00'}]}], {0x14}}, 0x94}}, 0x0)
llistxattr(&(0x7f0000000340)='./bus\x00', &(0x7f0000000b80)=""/4096, 0x1000)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
mkdir(&(0x7f0000000440)='./file1\x00', 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000a00)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}, {@nfs_export_on}]})
chdir(&(0x7f00000001c0)='./bus\x00')
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB="9feb0100180000000000000002"], 0x0, 0x1a, 0x0, 0x1, 0x0, 0x0, @void, @value}, 0x28)
r3 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x1b, 0x0, 0x0, 0x8000, 0x0, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x16, 0x7, &(0x7f0000000400)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r3, @ANYBLOB="0000000000000000b702000002000000850000008600000095"], &(0x7f00000003c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000240)={r4, 0xfca804a0, 0xfffffffffffffd0b, 0x38, &(0x7f00000002c0)="b800000500000000", &(0x7f0000000300)=""/8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x4c)
rmdir(&(0x7f0000000380)='./file0/../file0\x00')
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
bisect: the chunk can be dropped
bisect: testing without sub-chunk 3/3
bisect: split chunks (needed=true): <8>
bisect: split chunk #0 of len 8 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=31s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [30, 16, 20, 11]
detailed listing:
executing program 1:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000100)={0x1f, 0x2, &(0x7f00000002c0)=ANY=[@ANYBLOB="85000000b800000000000000000000000631624e4138822c72b162876a01a6464d7561ca99cc641308000100004dc21b9c001a4b0464e9d7a490fe969138653592b707e4a755d182252ab16adb"], &(0x7f0000000180)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x11, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90)
r0 = syz_clone(0x24100000, 0x0, 0x0, 0x0, 0x0, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$devlink(&(0x7f0000000140), 0xffffffffffffffff)
sendmsg$DEVLINK_CMD_SB_PORT_POOL_GET(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000380)={&(0x7f00000005c0)={0x4c, r2, 0x1, 0x0, 0x0, {0x4e}, [{{@nsim={{0xe}, {0xf, 0x2, {'netdevsim', 0x0}}}, {0x8, 0xab}}, {0x8}, {0x6}}]}, 0x4c}}, 0x0)
mmap$xdp(&(0x7f0000800000/0x800000)=nil, 0x800000, 0x0, 0xa031, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x4001, &(0x7f0000000000)=0x1, 0x7, 0x0)
r3 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000002100)='numa_maps\x00')
read$FUSE(r3, &(0x7f0000002140)={0x2020}, 0x2020)
r4 = syz_pidfd_open(r0, 0x0)
pidfd_send_signal(r4, 0x4, 0x0, 0x2)
socket$inet(0x2, 0x3, 0x2)
r5 = socket$inet(0x2, 0x3, 0x2)
r6 = socket$inet6(0xa, 0x3, 0xff)
r7 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/tty/ldiscs\x00', 0x0, 0x0)
r8 = openat$sysctl(0xffffffffffffff9c, &(0x7f0000000040)='/proc/self/clear_refs\x00', 0x1, 0x0)
sendfile(r8, r7, 0x0, 0x7)
connect$inet6(r6, &(0x7f0000000200)={0xa, 0x0, 0x0, @empty}, 0x1c)
sendto$inet6(r6, &(0x7f0000000280)="eb43ef45c546a50bc7cc12129d130100000033302925ff007332e4228741e90a762873abfee765d1", 0x28, 0x4048814, 0x0, 0x0)
ioctl$EXT4_IOC_SWAP_BOOT(r3, 0x6611)
setsockopt$inet_mreqsrc(r5, 0x0, 0x27, 0x0, 0x0)
r9 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000400), r1)
sendmsg$TIPC_NL_BEARER_GET(r1, &(0x7f0000000500)={&(0x7f0000000340)={0x10, 0x0, 0x0, 0x4000}, 0xc, &(0x7f00000004c0)={&(0x7f0000000440)={0x50, r9, 0x4, 0x94b, 0x25dfdbfc, {}, [@TIPC_NLA_SOCK={0x10, 0x2, 0x0, 0x1, [@TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x3ff}]}, @TIPC_NLA_NET={0x2c, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_ID={0x8, 0x1, 0xb}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x3}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x9}, @TIPC_NLA_NET_ID={0x8, 0x1, 0xfe000000}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40000}, 0x40000)
syz_emit_ethernet(0x26, &(0x7f00000003c0)={@link_local, @empty, @val={@val={0x88a8, 0x3, 0x0, 0x1}, {0x8100, 0x1, 0x1, 0x4}}, {@can={0xc, {{0x3, 0x0, 0x0, 0x1}, 0x7, 0x0, 0x0, 0x0, "4ef846dab031fc34"}}}}, 0x0)
r10 = socket$netlink(0x10, 0x3, 0x4)
setsockopt$netlink_NETLINK_PKTINFO(r10, 0x10e, 0x3, 0x0, 0x0)
writev(r10, &(0x7f0000000100)=[{&(0x7f0000000000)="580000001400192340834b80043f679a10ff3d425f9cc3f4ff7f4e32f61bcdf1e422000000000100804824cabecc4b381eaadc28f23457e792945f64009400050028925aaa000000c611000000000000feff2c707f8f00ff", 0x58}], 0x1)
setsockopt$sock_linger(r6, 0x1, 0xd, &(0x7f0000000240)={0x0, 0x8930}, 0x8)
r11 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000040), 0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_REMOVE(r10, &(0x7f00000001c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x1000}, 0xc, &(0x7f00000000c0)={&(0x7f0000000080)={0x28, r11, 0x4, 0x70bd28, 0x25dfdbff, {}, [@MPTCP_PM_ATTR_LOC_ID={0x5, 0x5, 0xe}, @MPTCP_PM_ATTR_TOKEN={0x8, 0x4, 0xc51}, @MPTCP_PM_ATTR_ADDR_REMOTE={0x4}]}, 0x28}, 0x1, 0x0, 0x0, 0x4000}, 0x44800)
executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000300)='blkio.bfq.io_merged_recursive\x00', 0x275a, 0x0)
syz_emit_ethernet(0x36, &(0x7f0000000100)=ANY=[@ANYBLOB="000002f0d31209000000bc2e79e995"], 0x0)
write$binfmt_script(r2, &(0x7f0000000100), 0x208e24b)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2, 0x28011, r2, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f00000001c0)={{}, &(0x7f0000000000), 0x0}, 0x20)
preadv(r2, &(0x7f00000015c0)=[{&(0x7f0000000080)=""/124, 0xffffff23}], 0x3e, 0x0, 0x0)
syz_emit_ethernet(0x4a, &(0x7f0000000000)=ANY=[@ANYBLOB="aaaaaaaaaaaaffffffffffff86dd600a847500140600fe800000000000", @ANYRES32=0x41424344], 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000327000/0x18000)=nil, &(0x7f0000000040)=[@text16={0x10, &(0x7f0000000180)="66b9800000c00f326635000800000f300f0f1c9a65660ff3b20618baa000ec672e660f38803d004000000f285473f61366b9800000c00f326635004000000f300f20e06635800000000f22e0f30fa6c8", 0x50}], 0x1, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000000000/0x18000)=nil, &(0x7f00000004c0)=[@text32={0x20, 0x0}], 0x1, 0x0, 0x0, 0x0)
recvmmsg(0xffffffffffffffff, &(0x7f0000000180)=[{{0x0, 0x0, 0x0, 0x0, &(0x7f0000002540)=""/216, 0xd8}}], 0x1, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={0x0}, 0x10)
ioctl$KVM_RUN(r3, 0xae80, 0x0)
executing program 0:
r0 = fsopen(&(0x7f0000000040)='sysfs\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0)
r1 = fsmount(r0, 0x0, 0x5)
fchdir(r1)
mkdir(&(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f00000009c0)='./file0\x00', 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r2, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000003c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000ac0)={{0x14}, [@NFT_MSG_NEWRULE={0x6c, 0x6, 0xa, 0x409, 0x0, 0x0, {0x2}, [@NFTA_RULE_EXPRESSIONS={0x40, 0x4, 0x0, 0x1, [{0x3c, 0x1, 0x0, 0x1, @immediate={{0xe}, @val={0x28, 0x2, 0x0, 0x1, [@NFTA_IMMEDIATE_DATA={0x1c, 0x2, 0x0, 0x1, [@NFTA_DATA_VERDICT={0x18, 0x2, 0x0, 0x1, [@NFTA_VERDICT_CHAIN={0x9, 0x2, 'syz2\x00'}, @NFTA_VERDICT_CODE={0x8, 0x1, 0x0, 0x1, 0xfffffffffffffffc}]}]}, @NFTA_IMMEDIATE_DREG={0x8, 0x1, 0x1, 0x0, 0x2000}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz2\x00'}]}], {0x14}}, 0x94}}, 0x0)
llistxattr(&(0x7f0000000340)='./bus\x00', &(0x7f0000000b80)=""/4096, 0x1000)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
mkdir(&(0x7f0000000440)='./file1\x00', 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000a00)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}, {@nfs_export_on}]})
chdir(&(0x7f00000001c0)='./bus\x00')
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB="9feb0100180000000000000002"], 0x0, 0x1a, 0x0, 0x1, 0x0, 0x0, @void, @value}, 0x28)
r3 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x1b, 0x0, 0x0, 0x8000, 0x0, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x16, 0x7, &(0x7f0000000400)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r3, @ANYBLOB="0000000000000000b702000002000000850000008600000095"], &(0x7f00000003c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000240)={r4, 0xfca804a0, 0xfffffffffffffd0b, 0x38, &(0x7f00000002c0)="b800000500000000", &(0x7f0000000300)=""/8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x4c)
rmdir(&(0x7f0000000380)='./file0/../file0\x00')
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program did not crash
bisect: testing without sub-chunk 2/2
testing program (duration=31s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [8, 5, 20, 8]
detailed listing:
executing program 3:
r0 = openat$misdntimer(0xffffffffffffff9c, &(0x7f0000000000), 0x80000, 0x0)
r1 = socket$netlink(0x10, 0x3, 0x0)
writev(r1, &(0x7f0000000100)=[{&(0x7f0000000040)="cca3fcf58d8fb8739ab092390ff73d843e5982972b842ab7b9a9b8948618f7de1185b56070fa0b2011c0c80d348fbbf00389a0144fc941ec995f3acade2e6339a5cdfd03b31658a6781404055c7faa203af4cbd30c89c9de87da3439a3d54d50d0cbd1c3a10735873d4b5fdd848dfc316db8bdbd5b1e62f593be65fc8e5f0a643ef0938976c9f8dc7a4f29f29112615581b3ec916f3d5e79d9c0efbb16b025b24891", 0xa2}], 0x1)
ioctl$IMDELTIMER(r0, 0x80044941, &(0x7f0000000200)=0x1)
openat$misdntimer(0xffffffffffffff9c, &(0x7f0000000000), 0x80000, 0x0) (async)
socket$netlink(0x10, 0x3, 0x0) (async)
writev(r1, &(0x7f0000000100)=[{&(0x7f0000000040)="cca3fcf58d8fb8739ab092390ff73d843e5982972b842ab7b9a9b8948618f7de1185b56070fa0b2011c0c80d348fbbf00389a0144fc941ec995f3acade2e6339a5cdfd03b31658a6781404055c7faa203af4cbd30c89c9de87da3439a3d54d50d0cbd1c3a10735873d4b5fdd848dfc316db8bdbd5b1e62f593be65fc8e5f0a643ef0938976c9f8dc7a4f29f29112615581b3ec916f3d5e79d9c0efbb16b025b24891", 0xa2}], 0x1) (async)
ioctl$IMDELTIMER(r0, 0x80044941, &(0x7f0000000200)=0x1) (async)
executing program 3:
r0 = socket$inet6(0xa, 0x5, 0x0)
recvmmsg(r0, &(0x7f00000001c0)=[{{0x0, 0x0, 0x0}, 0xdc}], 0x1, 0x2, 0x0)
r1 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000240)="d800000018007b7be00212ba0d0505040a003f00000f040b067c55a1bc0009001e0006990300000015000500fe800000000000000300014002000c0901ac04000bd67f6f94007100a007a290457f0189b316277ce06bbace8017cbec4c2ee5a7cef4090000001fb791643a5ee4b11602b2a10c11ce1b14d6d930dfe1d9d322fe04fb95cae8c9010000730d7a5025ccca262f3d40fad95667e04adcdf634c1f215ce3bb9ad8ffd5e1cace81ed0b7fece0b42a9ecbee5de6ccd40dd601edef3d93452a92307f00000e97031e9f05e9f16e9cb5000004000000", 0xd8}], 0x1, 0x0, 0x0, 0x2663}, 0x0)
socket$nl_netfilter(0x10, 0x3, 0xc)
executing program 3:
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
r1 = gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
ioctl$int_in(r2, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r2, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r4, &(0x7f0000000040), 0x8)
listen(r4, 0x0)
r5 = dup2(r4, r4)
accept4$bt_l2cap(r5, 0x0, 0x0, 0x0)
dup2(r2, r3)
fcntl$setown(r2, 0x8, r1)
tkill(r1, 0x13)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r0, 0xc00864bf, &(0x7f0000000140)={<r6=>0x0, 0x1})
ioctl$DRM_IOCTL_SYNCOBJ_DESTROY(r0, 0xc00864c0, &(0x7f0000000400)={r6})
r7 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_DELETE(r7, &(0x7f00000000c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000080)={&(0x7f00000001c0)=ANY=[@ANYBLOB="3c0000000201030000000000000003000000000000000280aa2eb0f65a672019dd421400018008000100ac14144808000200e0000001060012400001000008000c4000000003"], 0x3c}}, 0x4)
sendmsg$NFT_MSG_GETOBJ(r7, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="34000000130a03000000000000000000020000000900020073797a310000000008000340"], 0x34}}, 0x0)
executing program 1:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x80002, 0x0)
syz_io_uring_submit(0x0, 0x0, 0x0)
madvise(&(0x7f0000bdc000/0x4000)=nil, 0x86ac726dff2f4713, 0xa)
syz_clone(0x1000, 0x0, 0x0, &(0x7f0000000080), 0x0, 0x0)
sendmsg$nl_route_sched(r1, &(0x7f0000001240)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000140)=@newtaction={0x78, 0x30, 0x1, 0x3, 0x0, {}, [{0x64, 0x1, [@m_skbmod={0x60, 0x1, 0x0, 0x0, {{0xb}, {0x34, 0x2, 0x0, 0x1, [@TCA_SKBMOD_PARMS={0x24, 0x2, {{0x0, 0x2, 0x20000000, 0xfffffff3, 0x5}, 0xb}}, @TCA_SKBMOD_SMAC={0xa}]}, {0x4, 0x14}, {0xc}, {0xc, 0x6}}}]}]}, 0x78}}, 0x0)
sendmsg$IPCTNL_MSG_EXP_DELETE(0xffffffffffffffff, &(0x7f00000001c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x8000000}, 0x11, &(0x7f0000000180)={&(0x7f0000000140)={0x1c, 0x2, 0x2, 0x801, 0x0, 0x0, {0xa, 0x0, 0x6}, [@CTA_EXPECT_ZONE={0x6, 0x7, 0x1, 0x0, 0x3}]}, 0x1c}, 0x1, 0x0, 0x0, 0x4}, 0x24004094)
sendmsg$nl_route(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000200)=ANY=[@ANYBLOB="50000000210000082bbd7000ffdbdf25022014430200000000000000080017004e224e240c000c4000800000000009680800f2000a01010108000100e0000002080002000000000008001000d54a00004e5303fd1982be57b5728d6e99be2b5856a2c955f61850d5e9bfe473bc9398c38a83d76ca1b5aab8b66b8bec6578191ed65542920ad192daebdba317b6c089a32a91e692dff08d4713b173f19e"], 0x50}}, 0x0)

program did not crash
bisect: split chunks (needed=true): <4>, <4>
bisect: split chunk #0 of len 4 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=31s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [20, 8, 30, 16, 20, 11]
detailed listing:
executing program 3:
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
r1 = gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
ioctl$int_in(r2, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r2, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r4, &(0x7f0000000040), 0x8)
listen(r4, 0x0)
r5 = dup2(r4, r4)
accept4$bt_l2cap(r5, 0x0, 0x0, 0x0)
dup2(r2, r3)
fcntl$setown(r2, 0x8, r1)
tkill(r1, 0x13)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r0, 0xc00864bf, &(0x7f0000000140)={<r6=>0x0, 0x1})
ioctl$DRM_IOCTL_SYNCOBJ_DESTROY(r0, 0xc00864c0, &(0x7f0000000400)={r6})
r7 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_DELETE(r7, &(0x7f00000000c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000080)={&(0x7f00000001c0)=ANY=[@ANYBLOB="3c0000000201030000000000000003000000000000000280aa2eb0f65a672019dd421400018008000100ac14144808000200e0000001060012400001000008000c4000000003"], 0x3c}}, 0x4)
sendmsg$NFT_MSG_GETOBJ(r7, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="34000000130a03000000000000000000020000000900020073797a310000000008000340"], 0x34}}, 0x0)
executing program 1:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x80002, 0x0)
syz_io_uring_submit(0x0, 0x0, 0x0)
madvise(&(0x7f0000bdc000/0x4000)=nil, 0x86ac726dff2f4713, 0xa)
syz_clone(0x1000, 0x0, 0x0, &(0x7f0000000080), 0x0, 0x0)
sendmsg$nl_route_sched(r1, &(0x7f0000001240)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000140)=@newtaction={0x78, 0x30, 0x1, 0x3, 0x0, {}, [{0x64, 0x1, [@m_skbmod={0x60, 0x1, 0x0, 0x0, {{0xb}, {0x34, 0x2, 0x0, 0x1, [@TCA_SKBMOD_PARMS={0x24, 0x2, {{0x0, 0x2, 0x20000000, 0xfffffff3, 0x5}, 0xb}}, @TCA_SKBMOD_SMAC={0xa}]}, {0x4, 0x14}, {0xc}, {0xc, 0x6}}}]}]}, 0x78}}, 0x0)
sendmsg$IPCTNL_MSG_EXP_DELETE(0xffffffffffffffff, &(0x7f00000001c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x8000000}, 0x11, &(0x7f0000000180)={&(0x7f0000000140)={0x1c, 0x2, 0x2, 0x801, 0x0, 0x0, {0xa, 0x0, 0x6}, [@CTA_EXPECT_ZONE={0x6, 0x7, 0x1, 0x0, 0x3}]}, 0x1c}, 0x1, 0x0, 0x0, 0x4}, 0x24004094)
sendmsg$nl_route(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000200)=ANY=[@ANYBLOB="50000000210000082bbd7000ffdbdf25022014430200000000000000080017004e224e240c000c4000800000000009680800f2000a01010108000100e0000002080002000000000008001000d54a00004e5303fd1982be57b5728d6e99be2b5856a2c955f61850d5e9bfe473bc9398c38a83d76ca1b5aab8b66b8bec6578191ed65542920ad192daebdba317b6c089a32a91e692dff08d4713b173f19e"], 0x50}}, 0x0)
executing program 1:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000100)={0x1f, 0x2, &(0x7f00000002c0)=ANY=[@ANYBLOB="85000000b800000000000000000000000631624e4138822c72b162876a01a6464d7561ca99cc641308000100004dc21b9c001a4b0464e9d7a490fe969138653592b707e4a755d182252ab16adb"], &(0x7f0000000180)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x11, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90)
r0 = syz_clone(0x24100000, 0x0, 0x0, 0x0, 0x0, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$devlink(&(0x7f0000000140), 0xffffffffffffffff)
sendmsg$DEVLINK_CMD_SB_PORT_POOL_GET(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000380)={&(0x7f00000005c0)={0x4c, r2, 0x1, 0x0, 0x0, {0x4e}, [{{@nsim={{0xe}, {0xf, 0x2, {'netdevsim', 0x0}}}, {0x8, 0xab}}, {0x8}, {0x6}}]}, 0x4c}}, 0x0)
mmap$xdp(&(0x7f0000800000/0x800000)=nil, 0x800000, 0x0, 0xa031, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x4001, &(0x7f0000000000)=0x1, 0x7, 0x0)
r3 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000002100)='numa_maps\x00')
read$FUSE(r3, &(0x7f0000002140)={0x2020}, 0x2020)
r4 = syz_pidfd_open(r0, 0x0)
pidfd_send_signal(r4, 0x4, 0x0, 0x2)
socket$inet(0x2, 0x3, 0x2)
r5 = socket$inet(0x2, 0x3, 0x2)
r6 = socket$inet6(0xa, 0x3, 0xff)
r7 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/tty/ldiscs\x00', 0x0, 0x0)
r8 = openat$sysctl(0xffffffffffffff9c, &(0x7f0000000040)='/proc/self/clear_refs\x00', 0x1, 0x0)
sendfile(r8, r7, 0x0, 0x7)
connect$inet6(r6, &(0x7f0000000200)={0xa, 0x0, 0x0, @empty}, 0x1c)
sendto$inet6(r6, &(0x7f0000000280)="eb43ef45c546a50bc7cc12129d130100000033302925ff007332e4228741e90a762873abfee765d1", 0x28, 0x4048814, 0x0, 0x0)
ioctl$EXT4_IOC_SWAP_BOOT(r3, 0x6611)
setsockopt$inet_mreqsrc(r5, 0x0, 0x27, 0x0, 0x0)
r9 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000400), r1)
sendmsg$TIPC_NL_BEARER_GET(r1, &(0x7f0000000500)={&(0x7f0000000340)={0x10, 0x0, 0x0, 0x4000}, 0xc, &(0x7f00000004c0)={&(0x7f0000000440)={0x50, r9, 0x4, 0x94b, 0x25dfdbfc, {}, [@TIPC_NLA_SOCK={0x10, 0x2, 0x0, 0x1, [@TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x3ff}]}, @TIPC_NLA_NET={0x2c, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_ID={0x8, 0x1, 0xb}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x3}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x9}, @TIPC_NLA_NET_ID={0x8, 0x1, 0xfe000000}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40000}, 0x40000)
syz_emit_ethernet(0x26, &(0x7f00000003c0)={@link_local, @empty, @val={@val={0x88a8, 0x3, 0x0, 0x1}, {0x8100, 0x1, 0x1, 0x4}}, {@can={0xc, {{0x3, 0x0, 0x0, 0x1}, 0x7, 0x0, 0x0, 0x0, "4ef846dab031fc34"}}}}, 0x0)
r10 = socket$netlink(0x10, 0x3, 0x4)
setsockopt$netlink_NETLINK_PKTINFO(r10, 0x10e, 0x3, 0x0, 0x0)
writev(r10, &(0x7f0000000100)=[{&(0x7f0000000000)="580000001400192340834b80043f679a10ff3d425f9cc3f4ff7f4e32f61bcdf1e422000000000100804824cabecc4b381eaadc28f23457e792945f64009400050028925aaa000000c611000000000000feff2c707f8f00ff", 0x58}], 0x1)
setsockopt$sock_linger(r6, 0x1, 0xd, &(0x7f0000000240)={0x0, 0x8930}, 0x8)
r11 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000040), 0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_REMOVE(r10, &(0x7f00000001c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x1000}, 0xc, &(0x7f00000000c0)={&(0x7f0000000080)={0x28, r11, 0x4, 0x70bd28, 0x25dfdbff, {}, [@MPTCP_PM_ATTR_LOC_ID={0x5, 0x5, 0xe}, @MPTCP_PM_ATTR_TOKEN={0x8, 0x4, 0xc51}, @MPTCP_PM_ATTR_ADDR_REMOTE={0x4}]}, 0x28}, 0x1, 0x0, 0x0, 0x4000}, 0x44800)
executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000300)='blkio.bfq.io_merged_recursive\x00', 0x275a, 0x0)
syz_emit_ethernet(0x36, &(0x7f0000000100)=ANY=[@ANYBLOB="000002f0d31209000000bc2e79e995"], 0x0)
write$binfmt_script(r2, &(0x7f0000000100), 0x208e24b)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2, 0x28011, r2, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f00000001c0)={{}, &(0x7f0000000000), 0x0}, 0x20)
preadv(r2, &(0x7f00000015c0)=[{&(0x7f0000000080)=""/124, 0xffffff23}], 0x3e, 0x0, 0x0)
syz_emit_ethernet(0x4a, &(0x7f0000000000)=ANY=[@ANYBLOB="aaaaaaaaaaaaffffffffffff86dd600a847500140600fe800000000000", @ANYRES32=0x41424344], 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000327000/0x18000)=nil, &(0x7f0000000040)=[@text16={0x10, &(0x7f0000000180)="66b9800000c00f326635000800000f300f0f1c9a65660ff3b20618baa000ec672e660f38803d004000000f285473f61366b9800000c00f326635004000000f300f20e06635800000000f22e0f30fa6c8", 0x50}], 0x1, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000000000/0x18000)=nil, &(0x7f00000004c0)=[@text32={0x20, 0x0}], 0x1, 0x0, 0x0, 0x0)
recvmmsg(0xffffffffffffffff, &(0x7f0000000180)=[{{0x0, 0x0, 0x0, 0x0, &(0x7f0000002540)=""/216, 0xd8}}], 0x1, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={0x0}, 0x10)
ioctl$KVM_RUN(r3, 0xae80, 0x0)
executing program 0:
r0 = fsopen(&(0x7f0000000040)='sysfs\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0)
r1 = fsmount(r0, 0x0, 0x5)
fchdir(r1)
mkdir(&(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f00000009c0)='./file0\x00', 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r2, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000003c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000ac0)={{0x14}, [@NFT_MSG_NEWRULE={0x6c, 0x6, 0xa, 0x409, 0x0, 0x0, {0x2}, [@NFTA_RULE_EXPRESSIONS={0x40, 0x4, 0x0, 0x1, [{0x3c, 0x1, 0x0, 0x1, @immediate={{0xe}, @val={0x28, 0x2, 0x0, 0x1, [@NFTA_IMMEDIATE_DATA={0x1c, 0x2, 0x0, 0x1, [@NFTA_DATA_VERDICT={0x18, 0x2, 0x0, 0x1, [@NFTA_VERDICT_CHAIN={0x9, 0x2, 'syz2\x00'}, @NFTA_VERDICT_CODE={0x8, 0x1, 0x0, 0x1, 0xfffffffffffffffc}]}]}, @NFTA_IMMEDIATE_DREG={0x8, 0x1, 0x1, 0x0, 0x2000}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz2\x00'}]}], {0x14}}, 0x94}}, 0x0)
llistxattr(&(0x7f0000000340)='./bus\x00', &(0x7f0000000b80)=""/4096, 0x1000)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
mkdir(&(0x7f0000000440)='./file1\x00', 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000a00)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}, {@nfs_export_on}]})
chdir(&(0x7f00000001c0)='./bus\x00')
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB="9feb0100180000000000000002"], 0x0, 0x1a, 0x0, 0x1, 0x0, 0x0, @void, @value}, 0x28)
r3 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x1b, 0x0, 0x0, 0x8000, 0x0, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x16, 0x7, &(0x7f0000000400)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r3, @ANYBLOB="0000000000000000b702000002000000850000008600000095"], &(0x7f00000003c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000240)={r4, 0xfca804a0, 0xfffffffffffffd0b, 0x38, &(0x7f00000002c0)="b800000500000000", &(0x7f0000000300)=""/8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x4c)
rmdir(&(0x7f0000000380)='./file0/../file0\x00')
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/2
bisect: no need to test this chunk, it's definitely needed
bisect: split chunk #1 of len 4 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=31s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [20, 8, 20, 11]
detailed listing:
executing program 3:
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
r1 = gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
ioctl$int_in(r2, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r2, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r4, &(0x7f0000000040), 0x8)
listen(r4, 0x0)
r5 = dup2(r4, r4)
accept4$bt_l2cap(r5, 0x0, 0x0, 0x0)
dup2(r2, r3)
fcntl$setown(r2, 0x8, r1)
tkill(r1, 0x13)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r0, 0xc00864bf, &(0x7f0000000140)={<r6=>0x0, 0x1})
ioctl$DRM_IOCTL_SYNCOBJ_DESTROY(r0, 0xc00864c0, &(0x7f0000000400)={r6})
r7 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_DELETE(r7, &(0x7f00000000c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000080)={&(0x7f00000001c0)=ANY=[@ANYBLOB="3c0000000201030000000000000003000000000000000280aa2eb0f65a672019dd421400018008000100ac14144808000200e0000001060012400001000008000c4000000003"], 0x3c}}, 0x4)
sendmsg$NFT_MSG_GETOBJ(r7, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="34000000130a03000000000000000000020000000900020073797a310000000008000340"], 0x34}}, 0x0)
executing program 1:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x80002, 0x0)
syz_io_uring_submit(0x0, 0x0, 0x0)
madvise(&(0x7f0000bdc000/0x4000)=nil, 0x86ac726dff2f4713, 0xa)
syz_clone(0x1000, 0x0, 0x0, &(0x7f0000000080), 0x0, 0x0)
sendmsg$nl_route_sched(r1, &(0x7f0000001240)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000140)=@newtaction={0x78, 0x30, 0x1, 0x3, 0x0, {}, [{0x64, 0x1, [@m_skbmod={0x60, 0x1, 0x0, 0x0, {{0xb}, {0x34, 0x2, 0x0, 0x1, [@TCA_SKBMOD_PARMS={0x24, 0x2, {{0x0, 0x2, 0x20000000, 0xfffffff3, 0x5}, 0xb}}, @TCA_SKBMOD_SMAC={0xa}]}, {0x4, 0x14}, {0xc}, {0xc, 0x6}}}]}]}, 0x78}}, 0x0)
sendmsg$IPCTNL_MSG_EXP_DELETE(0xffffffffffffffff, &(0x7f00000001c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x8000000}, 0x11, &(0x7f0000000180)={&(0x7f0000000140)={0x1c, 0x2, 0x2, 0x801, 0x0, 0x0, {0xa, 0x0, 0x6}, [@CTA_EXPECT_ZONE={0x6, 0x7, 0x1, 0x0, 0x3}]}, 0x1c}, 0x1, 0x0, 0x0, 0x4}, 0x24004094)
sendmsg$nl_route(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000200)=ANY=[@ANYBLOB="50000000210000082bbd7000ffdbdf25022014430200000000000000080017004e224e240c000c4000800000000009680800f2000a01010108000100e0000002080002000000000008001000d54a00004e5303fd1982be57b5728d6e99be2b5856a2c955f61850d5e9bfe473bc9398c38a83d76ca1b5aab8b66b8bec6578191ed65542920ad192daebdba317b6c089a32a91e692dff08d4713b173f19e"], 0x50}}, 0x0)
executing program 0:
r0 = fsopen(&(0x7f0000000040)='sysfs\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0)
r1 = fsmount(r0, 0x0, 0x5)
fchdir(r1)
mkdir(&(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f00000009c0)='./file0\x00', 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r2, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000003c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000ac0)={{0x14}, [@NFT_MSG_NEWRULE={0x6c, 0x6, 0xa, 0x409, 0x0, 0x0, {0x2}, [@NFTA_RULE_EXPRESSIONS={0x40, 0x4, 0x0, 0x1, [{0x3c, 0x1, 0x0, 0x1, @immediate={{0xe}, @val={0x28, 0x2, 0x0, 0x1, [@NFTA_IMMEDIATE_DATA={0x1c, 0x2, 0x0, 0x1, [@NFTA_DATA_VERDICT={0x18, 0x2, 0x0, 0x1, [@NFTA_VERDICT_CHAIN={0x9, 0x2, 'syz2\x00'}, @NFTA_VERDICT_CODE={0x8, 0x1, 0x0, 0x1, 0xfffffffffffffffc}]}]}, @NFTA_IMMEDIATE_DREG={0x8, 0x1, 0x1, 0x0, 0x2000}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz2\x00'}]}], {0x14}}, 0x94}}, 0x0)
llistxattr(&(0x7f0000000340)='./bus\x00', &(0x7f0000000b80)=""/4096, 0x1000)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
mkdir(&(0x7f0000000440)='./file1\x00', 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000a00)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}, {@nfs_export_on}]})
chdir(&(0x7f00000001c0)='./bus\x00')
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB="9feb0100180000000000000002"], 0x0, 0x1a, 0x0, 0x1, 0x0, 0x0, @void, @value}, 0x28)
r3 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x1b, 0x0, 0x0, 0x8000, 0x0, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x16, 0x7, &(0x7f0000000400)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r3, @ANYBLOB="0000000000000000b702000002000000850000008600000095"], &(0x7f00000003c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000240)={r4, 0xfca804a0, 0xfffffffffffffd0b, 0x38, &(0x7f00000002c0)="b800000500000000", &(0x7f0000000300)=""/8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x4c)
rmdir(&(0x7f0000000380)='./file0/../file0\x00')
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/2
bisect: no need to test this chunk, it's definitely needed
bisect: split chunks (needed=true): <2>, <2>
bisect: split chunk #0 of len 2 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [8, 20, 11]
detailed listing:
executing program 1:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x80002, 0x0)
syz_io_uring_submit(0x0, 0x0, 0x0)
madvise(&(0x7f0000bdc000/0x4000)=nil, 0x86ac726dff2f4713, 0xa)
syz_clone(0x1000, 0x0, 0x0, &(0x7f0000000080), 0x0, 0x0)
sendmsg$nl_route_sched(r1, &(0x7f0000001240)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000140)=@newtaction={0x78, 0x30, 0x1, 0x3, 0x0, {}, [{0x64, 0x1, [@m_skbmod={0x60, 0x1, 0x0, 0x0, {{0xb}, {0x34, 0x2, 0x0, 0x1, [@TCA_SKBMOD_PARMS={0x24, 0x2, {{0x0, 0x2, 0x20000000, 0xfffffff3, 0x5}, 0xb}}, @TCA_SKBMOD_SMAC={0xa}]}, {0x4, 0x14}, {0xc}, {0xc, 0x6}}}]}]}, 0x78}}, 0x0)
sendmsg$IPCTNL_MSG_EXP_DELETE(0xffffffffffffffff, &(0x7f00000001c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x8000000}, 0x11, &(0x7f0000000180)={&(0x7f0000000140)={0x1c, 0x2, 0x2, 0x801, 0x0, 0x0, {0xa, 0x0, 0x6}, [@CTA_EXPECT_ZONE={0x6, 0x7, 0x1, 0x0, 0x3}]}, 0x1c}, 0x1, 0x0, 0x0, 0x4}, 0x24004094)
sendmsg$nl_route(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000200)=ANY=[@ANYBLOB="50000000210000082bbd7000ffdbdf25022014430200000000000000080017004e224e240c000c4000800000000009680800f2000a01010108000100e0000002080002000000000008001000d54a00004e5303fd1982be57b5728d6e99be2b5856a2c955f61850d5e9bfe473bc9398c38a83d76ca1b5aab8b66b8bec6578191ed65542920ad192daebdba317b6c089a32a91e692dff08d4713b173f19e"], 0x50}}, 0x0)
executing program 0:
r0 = fsopen(&(0x7f0000000040)='sysfs\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0)
r1 = fsmount(r0, 0x0, 0x5)
fchdir(r1)
mkdir(&(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f00000009c0)='./file0\x00', 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r2, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000003c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000ac0)={{0x14}, [@NFT_MSG_NEWRULE={0x6c, 0x6, 0xa, 0x409, 0x0, 0x0, {0x2}, [@NFTA_RULE_EXPRESSIONS={0x40, 0x4, 0x0, 0x1, [{0x3c, 0x1, 0x0, 0x1, @immediate={{0xe}, @val={0x28, 0x2, 0x0, 0x1, [@NFTA_IMMEDIATE_DATA={0x1c, 0x2, 0x0, 0x1, [@NFTA_DATA_VERDICT={0x18, 0x2, 0x0, 0x1, [@NFTA_VERDICT_CHAIN={0x9, 0x2, 'syz2\x00'}, @NFTA_VERDICT_CODE={0x8, 0x1, 0x0, 0x1, 0xfffffffffffffffc}]}]}, @NFTA_IMMEDIATE_DREG={0x8, 0x1, 0x1, 0x0, 0x2000}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz2\x00'}]}], {0x14}}, 0x94}}, 0x0)
llistxattr(&(0x7f0000000340)='./bus\x00', &(0x7f0000000b80)=""/4096, 0x1000)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
mkdir(&(0x7f0000000440)='./file1\x00', 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000a00)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}, {@nfs_export_on}]})
chdir(&(0x7f00000001c0)='./bus\x00')
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB="9feb0100180000000000000002"], 0x0, 0x1a, 0x0, 0x1, 0x0, 0x0, @void, @value}, 0x28)
r3 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x1b, 0x0, 0x0, 0x8000, 0x0, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x16, 0x7, &(0x7f0000000400)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r3, @ANYBLOB="0000000000000000b702000002000000850000008600000095"], &(0x7f00000003c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000240)={r4, 0xfca804a0, 0xfffffffffffffd0b, 0x38, &(0x7f00000002c0)="b800000500000000", &(0x7f0000000300)=""/8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x4c)
rmdir(&(0x7f0000000380)='./file0/../file0\x00')
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program did not crash
bisect: testing without sub-chunk 2/2
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [20, 20, 11]
detailed listing:
executing program 3:
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
r1 = gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
ioctl$int_in(r2, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r2, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r4, &(0x7f0000000040), 0x8)
listen(r4, 0x0)
r5 = dup2(r4, r4)
accept4$bt_l2cap(r5, 0x0, 0x0, 0x0)
dup2(r2, r3)
fcntl$setown(r2, 0x8, r1)
tkill(r1, 0x13)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r0, 0xc00864bf, &(0x7f0000000140)={<r6=>0x0, 0x1})
ioctl$DRM_IOCTL_SYNCOBJ_DESTROY(r0, 0xc00864c0, &(0x7f0000000400)={r6})
r7 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_DELETE(r7, &(0x7f00000000c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000080)={&(0x7f00000001c0)=ANY=[@ANYBLOB="3c0000000201030000000000000003000000000000000280aa2eb0f65a672019dd421400018008000100ac14144808000200e0000001060012400001000008000c4000000003"], 0x3c}}, 0x4)
sendmsg$NFT_MSG_GETOBJ(r7, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="34000000130a03000000000000000000020000000900020073797a310000000008000340"], 0x34}}, 0x0)
executing program 0:
r0 = fsopen(&(0x7f0000000040)='sysfs\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0)
r1 = fsmount(r0, 0x0, 0x5)
fchdir(r1)
mkdir(&(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f00000009c0)='./file0\x00', 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r2, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000003c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000ac0)={{0x14}, [@NFT_MSG_NEWRULE={0x6c, 0x6, 0xa, 0x409, 0x0, 0x0, {0x2}, [@NFTA_RULE_EXPRESSIONS={0x40, 0x4, 0x0, 0x1, [{0x3c, 0x1, 0x0, 0x1, @immediate={{0xe}, @val={0x28, 0x2, 0x0, 0x1, [@NFTA_IMMEDIATE_DATA={0x1c, 0x2, 0x0, 0x1, [@NFTA_DATA_VERDICT={0x18, 0x2, 0x0, 0x1, [@NFTA_VERDICT_CHAIN={0x9, 0x2, 'syz2\x00'}, @NFTA_VERDICT_CODE={0x8, 0x1, 0x0, 0x1, 0xfffffffffffffffc}]}]}, @NFTA_IMMEDIATE_DREG={0x8, 0x1, 0x1, 0x0, 0x2000}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz2\x00'}]}], {0x14}}, 0x94}}, 0x0)
llistxattr(&(0x7f0000000340)='./bus\x00', &(0x7f0000000b80)=""/4096, 0x1000)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
mkdir(&(0x7f0000000440)='./file1\x00', 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000a00)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}, {@nfs_export_on}]})
chdir(&(0x7f00000001c0)='./bus\x00')
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB="9feb0100180000000000000002"], 0x0, 0x1a, 0x0, 0x1, 0x0, 0x0, @void, @value}, 0x28)
r3 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x1b, 0x0, 0x0, 0x8000, 0x0, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x16, 0x7, &(0x7f0000000400)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r3, @ANYBLOB="0000000000000000b702000002000000850000008600000095"], &(0x7f00000003c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000240)={r4, 0xfca804a0, 0xfffffffffffffd0b, 0x38, &(0x7f00000002c0)="b800000500000000", &(0x7f0000000300)=""/8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x4c)
rmdir(&(0x7f0000000380)='./file0/../file0\x00')
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
bisect: the chunk can be dropped
bisect: split chunk #1 of len 2 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [20, 11]
detailed listing:
executing program 3:
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
r1 = gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
ioctl$int_in(r2, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r2, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r4, &(0x7f0000000040), 0x8)
listen(r4, 0x0)
r5 = dup2(r4, r4)
accept4$bt_l2cap(r5, 0x0, 0x0, 0x0)
dup2(r2, r3)
fcntl$setown(r2, 0x8, r1)
tkill(r1, 0x13)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r0, 0xc00864bf, &(0x7f0000000140)={<r6=>0x0, 0x1})
ioctl$DRM_IOCTL_SYNCOBJ_DESTROY(r0, 0xc00864c0, &(0x7f0000000400)={r6})
r7 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_DELETE(r7, &(0x7f00000000c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000080)={&(0x7f00000001c0)=ANY=[@ANYBLOB="3c0000000201030000000000000003000000000000000280aa2eb0f65a672019dd421400018008000100ac14144808000200e0000001060012400001000008000c4000000003"], 0x3c}}, 0x4)
sendmsg$NFT_MSG_GETOBJ(r7, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="34000000130a03000000000000000000020000000900020073797a310000000008000340"], 0x34}}, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/2
bisect: no need to test this chunk, it's definitely needed
bisect: split chunks (needed=true): <1>, <1>
bisect: split chunk #0 of len 1 into 2 parts
bisect: no way to further split the chunk
bisect: split chunk #1 of len 1 into 2 parts
bisect: no way to further split the chunk
bisect: 2 programs left: 

executing program 3:
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
r1 = gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
ioctl$int_in(r2, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r2, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r4, &(0x7f0000000040), 0x8)
listen(r4, 0x0)
r5 = dup2(r4, r4)
accept4$bt_l2cap(r5, 0x0, 0x0, 0x0)
dup2(r2, r3)
fcntl$setown(r2, 0x8, r1)
tkill(r1, 0x13)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r0, 0xc00864bf, &(0x7f0000000140)={<r6=>0x0, 0x1})
ioctl$DRM_IOCTL_SYNCOBJ_DESTROY(r0, 0xc00864c0, &(0x7f0000000400)={r6})
r7 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_DELETE(r7, &(0x7f00000000c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000080)={&(0x7f00000001c0)=ANY=[@ANYBLOB="3c0000000201030000000000000003000000000000000280aa2eb0f65a672019dd421400018008000100ac14144808000200e0000001060012400001000008000c4000000003"], 0x3c}}, 0x4)
sendmsg$NFT_MSG_GETOBJ(r7, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="34000000130a03000000000000000000020000000900020073797a310000000008000340"], 0x34}}, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)


bisect: trying to concatenate
bisect: concatenate 2 entries
minimizing program #0 before concatenation
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [19, 11]
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
r1 = gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
ioctl$int_in(r2, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r2, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r4, &(0x7f0000000040), 0x8)
listen(r4, 0x0)
r5 = dup2(r4, r4)
accept4$bt_l2cap(r5, 0x0, 0x0, 0x0)
dup2(r2, r3)
fcntl$setown(r2, 0x8, r1)
tkill(r1, 0x13)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r0, 0xc00864bf, &(0x7f0000000140)={<r6=>0x0, 0x1})
ioctl$DRM_IOCTL_SYNCOBJ_DESTROY(r0, 0xc00864c0, &(0x7f0000000400)={r6})
r7 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_DELETE(r7, &(0x7f00000000c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000080)={&(0x7f00000001c0)=ANY=[@ANYBLOB="3c0000000201030000000000000003000000000000000280aa2eb0f65a672019dd421400018008000100ac14144808000200e0000001060012400001000008000c4000000003"], 0x3c}}, 0x4)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [18, 11]
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
r1 = gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
ioctl$int_in(r2, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r2, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r4, &(0x7f0000000040), 0x8)
listen(r4, 0x0)
r5 = dup2(r4, r4)
accept4$bt_l2cap(r5, 0x0, 0x0, 0x0)
dup2(r2, r3)
fcntl$setown(r2, 0x8, r1)
tkill(r1, 0x13)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r0, 0xc00864bf, &(0x7f0000000140)={<r6=>0x0, 0x1})
ioctl$DRM_IOCTL_SYNCOBJ_DESTROY(r0, 0xc00864c0, &(0x7f0000000400)={r6})
socket$nl_netfilter(0x10, 0x3, 0xc)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [17, 11]
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
r1 = gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
ioctl$int_in(r2, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r2, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r4, &(0x7f0000000040), 0x8)
listen(r4, 0x0)
r5 = dup2(r4, r4)
accept4$bt_l2cap(r5, 0x0, 0x0, 0x0)
dup2(r2, r3)
fcntl$setown(r2, 0x8, r1)
tkill(r1, 0x13)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r0, 0xc00864bf, &(0x7f0000000140)={<r6=>0x0, 0x1})
ioctl$DRM_IOCTL_SYNCOBJ_DESTROY(r0, 0xc00864c0, &(0x7f0000000400)={r6})
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [16, 11]
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
r1 = gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
ioctl$int_in(r2, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r2, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r4, &(0x7f0000000040), 0x8)
listen(r4, 0x0)
r5 = dup2(r4, r4)
accept4$bt_l2cap(r5, 0x0, 0x0, 0x0)
dup2(r2, r3)
fcntl$setown(r2, 0x8, r1)
tkill(r1, 0x13)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r0, 0xc00864bf, &(0x7f0000000140)={0x0, 0x1})
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [15, 11]
detailed listing:
executing program 0:
syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
r0 = gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$int_in(r1, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r1, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r3, &(0x7f0000000040), 0x8)
listen(r3, 0x0)
r4 = dup2(r3, r3)
accept4$bt_l2cap(r4, 0x0, 0x0, 0x0)
dup2(r1, r2)
fcntl$setown(r1, 0x8, r0)
tkill(r0, 0x13)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [14, 11]
detailed listing:
executing program 0:
syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
r0 = gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$int_in(r1, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r1, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r3, &(0x7f0000000040), 0x8)
listen(r3, 0x0)
r4 = dup2(r3, r3)
accept4$bt_l2cap(r4, 0x0, 0x0, 0x0)
dup2(r1, r2)
fcntl$setown(r1, 0x8, r0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [13, 11]
detailed listing:
executing program 0:
syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$int_in(r0, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r0, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r2, &(0x7f0000000040), 0x8)
listen(r2, 0x0)
r3 = dup2(r2, r2)
accept4$bt_l2cap(r3, 0x0, 0x0, 0x0)
dup2(r0, r1)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [12, 11]
detailed listing:
executing program 0:
syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r0=>0xffffffffffffffff})
ioctl$int_in(r0, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r0, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r1, &(0x7f0000000040), 0x8)
listen(r1, 0x0)
r2 = dup2(r1, r1)
accept4$bt_l2cap(r2, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [11, 11]
detailed listing:
executing program 0:
syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r0=>0xffffffffffffffff})
ioctl$int_in(r0, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r0, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r1, &(0x7f0000000040), 0x8)
listen(r1, 0x0)
dup2(r1, r1)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program did not crash
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [11, 11]
detailed listing:
executing program 0:
syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r0=>0xffffffffffffffff})
ioctl$int_in(r0, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r0, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r1, &(0x7f0000000040), 0x8)
listen(r1, 0x0)
accept4$bt_l2cap(0xffffffffffffffff, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program did not crash
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [11, 11]
detailed listing:
executing program 0:
syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r0=>0xffffffffffffffff})
ioctl$int_in(r0, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r0, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r1, &(0x7f0000000040), 0x8)
r2 = dup2(r1, r1)
accept4$bt_l2cap(r2, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program did not crash
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [11, 11]
detailed listing:
executing program 0:
syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r0=>0xffffffffffffffff})
ioctl$int_in(r0, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r0, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
listen(r1, 0x0)
r2 = dup2(r1, r1)
accept4$bt_l2cap(r2, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program did not crash
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [11, 11]
detailed listing:
executing program 0:
syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r0=>0xffffffffffffffff})
ioctl$int_in(r0, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r0, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
syz_clone3(&(0x7f0000001980)={0x0, 0x0, 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
bind$bt_sco(0xffffffffffffffff, &(0x7f0000000040), 0x8)
listen(0xffffffffffffffff, 0x0)
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
accept4$bt_l2cap(r1, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program did not crash
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [11, 11]
detailed listing:
executing program 0:
syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r0=>0xffffffffffffffff})
ioctl$int_in(r0, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r0, 0xa, 0x12)
syz_io_uring_setup(0x5411, 0x0, 0x0, 0x0)
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r1, &(0x7f0000000040), 0x8)
listen(r1, 0x0)
r2 = dup2(r1, r1)
accept4$bt_l2cap(r2, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [10, 11]
detailed listing:
executing program 0:
syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r0=>0xffffffffffffffff})
ioctl$int_in(r0, 0x5452, &(0x7f0000b28000)=0x3)
fcntl$setsig(r0, 0xa, 0x12)
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r1, &(0x7f0000000040), 0x8)
listen(r1, 0x0)
r2 = dup2(r1, r1)
accept4$bt_l2cap(r2, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [9, 11]
detailed listing:
executing program 0:
syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={<r0=>0xffffffffffffffff})
ioctl$int_in(r0, 0x5452, &(0x7f0000b28000)=0x3)
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r1, &(0x7f0000000040), 0x8)
listen(r1, 0x0)
r2 = dup2(r1, r1)
accept4$bt_l2cap(r2, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [8, 11]
detailed listing:
executing program 0:
syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
gettid()
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0))
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
r1 = dup2(r0, r0)
accept4$bt_l2cap(r1, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [7, 11]
detailed listing:
executing program 0:
syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
gettid()
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
r1 = dup2(r0, r0)
accept4$bt_l2cap(r1, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [6, 11]
detailed listing:
executing program 0:
syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
r1 = dup2(r0, r0)
accept4$bt_l2cap(r1, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 11]
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
r1 = dup2(r0, r0)
accept4$bt_l2cap(r1, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
setsockopt$packet_int(r1, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
minimized 20 calls -> 5 calls
minimizing program #1 before concatenation
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 10]
detailed listing:
executing program 3:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
r1 = dup2(r0, r0)
accept4$bt_l2cap(r1, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 9]
detailed listing:
executing program 3:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
r1 = dup2(r0, r0)
accept4$bt_l2cap(r1, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 8]
detailed listing:
executing program 3:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
r1 = dup2(r0, r0)
accept4$bt_l2cap(r1, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)
socket$packet(0x11, 0x3, 0x300)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 7]
detailed listing:
executing program 3:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
r1 = dup2(r0, r0)
accept4$bt_l2cap(r1, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0), 0x10000, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 6]
detailed listing:
executing program 3:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
r1 = dup2(r0, r0)
accept4$bt_l2cap(r1, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 5]
detailed listing:
executing program 3:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
r1 = dup2(r0, r0)
accept4$bt_l2cap(r1, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 4]
detailed listing:
executing program 3:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
r1 = dup2(r0, r0)
accept4$bt_l2cap(r1, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 3]
detailed listing:
executing program 3:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
r1 = dup2(r0, r0)
accept4$bt_l2cap(r1, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)

program did not crash
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 3]
detailed listing:
executing program 3:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
r1 = dup2(r0, r0)
accept4$bt_l2cap(r1, 0x0, 0x0, 0x0)
executing program 0:
r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
openat$cgroup_ro(r0, &(0x7f0000000040)='memory.numa_stat\x00', 0x26e1, 0x0)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

program did not crash
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 3]
detailed listing:
executing program 3:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
r1 = dup2(r0, r0)
accept4$bt_l2cap(r1, 0x0, 0x0, 0x0)
executing program 0:
openat$cgroup(0xffffffffffffffff, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 2]
detailed listing:
executing program 3:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
r1 = dup2(r0, r0)
accept4$bt_l2cap(r1, 0x0, 0x0, 0x0)
executing program 0:
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
minimized 11 calls -> 2 calls
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-accept4$bt_l2cap-syz_emit_vhci-syz_emit_vhci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
r1 = dup2(r0, r0)
accept4$bt_l2cap(r1, 0x0, 0x0, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
bisect: concatenation succeeded
found reproducer with 7 syscalls
minimizing guilty program
testing program (duration=35.383881762s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-accept4$bt_l2cap-syz_emit_vhci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
r1 = dup2(r0, r0)
accept4$bt_l2cap(r1, 0x0, 0x0, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)

program did not crash
testing program (duration=35.383881762s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-accept4$bt_l2cap-syz_emit_vhci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
r1 = dup2(r0, r0)
accept4$bt_l2cap(r1, 0x0, 0x0, 0x0)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

program did not crash
testing program (duration=35.383881762s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
dup2(r0, r0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing program (duration=35.383881762s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-syz_emit_vhci-syz_emit_vhci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

program did not crash
testing program (duration=35.383881762s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-dup2-syz_emit_vhci-syz_emit_vhci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
dup2(r0, r0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

program did not crash
testing program (duration=35.383881762s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
listen(r0, 0x0)
dup2(r0, r0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

program did not crash
testing program (duration=35.383881762s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
detailed listing:
executing program 0:
bind$bt_sco(0xffffffffffffffff, &(0x7f0000000040), 0x8)
listen(0xffffffffffffffff, 0x0)
dup2(0xffffffffffffffff, 0xffffffffffffffff)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

program did not crash
testing program (duration=35.383881762s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, 0x0, 0x0)
listen(r0, 0x0)
dup2(r0, r0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

program did not crash
testing program (duration=35.383881762s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
dup2(r0, r0)
syz_emit_vhci(0x0, 0x0)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

program did not crash
testing program (duration=35.383881762s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
dup2(r0, r0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(0x0, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=35.383881762s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
program did not crash
simplifying guilty program options
testing program (duration=35.383881762s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x8)
listen(r0, 0x0)
dup2(r0, r0)
syz_emit_vhci(&(0x7f0000000180)=@HCI_EVENT_PKT={0x4, @hci_ev_conn_request={{0x4, 0xa}, {@any, '\x00', 0x2}}}, 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
extracting C reproducer
testing compiled C program (duration=35.383881762s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
simplifying C reproducer
testing compiled C program (duration=35.383881762s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
program did not crash
testing compiled C program (duration=35.383881762s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
program did not crash
testing compiled C program (duration=35.383881762s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
program did not crash
testing compiled C program (duration=35.383881762s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
program did not crash
testing compiled C program (duration=35.383881762s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
program did not crash
testing compiled C program (duration=35.383881762s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing compiled C program (duration=35.383881762s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
program did not crash
testing compiled C program (duration=35.383881762s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing compiled C program (duration=35.383881762s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
program did not crash
testing compiled C program (duration=35.383881762s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
program did not crash
testing compiled C program (duration=35.383881762s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing compiled C program (duration=35.383881762s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing compiled C program (duration=35.383881762s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
program crashed: BUG: sleeping function called from invalid context in lock_sock_nested
testing compiled C program (duration=35.383881762s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
program did not crash
testing compiled C program (duration=35.383881762s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_sco-bind$bt_sco-listen-dup2-syz_emit_vhci-syz_emit_vhci
program did not crash
reproducing took 47m48.326235841s
repro crashed as (corrupted=false):
BUG: sleeping function called from invalid context at net/core/sock.c:3624
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5941, name: kworker/u33:2
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
5 locks held by kworker/u33:2/5941:
 #0: ffff888024c12948 ((wq_completion)hci3#2){+.+.}-{0:0}, at: process_one_work+0x1293/0x1ba0 kernel/workqueue.c:3204
 #1: ffffc90003f5fd80 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
 #2: ffff88802893c078 (
&hdev->lock
){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0x199/0xa80 net/bluetooth/hci_event.c:4931
 #3: ffff888029604420 (&conn->lock#2){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #3: ffff888029604420 (&conn->lock#2){+.+.}-{3:3}, at: sco_conn_ready net/bluetooth/sco.c:1328 [inline]
 #3: ffff888029604420 (&conn->lock#2){+.+.}-{3:3}, at: sco_connect_cfm+0x29f/0xc00 net/bluetooth/sco.c:1415
 #4: ffff88802b63e258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1617 [inline]
 #4: ffff88802b63e258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_conn_ready net/bluetooth/sco.c:1341 [inline]
 #4: ffff88802b63e258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x3bc/0xc00 net/bluetooth/sco.c:1415
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 3 UID: 0 PID: 5941 Comm: kworker/u33:2 Not tainted 6.13.0-rc3-syzkaller-00073-geabcdba3ad40 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: hci3 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
 __might_resched+0x3c0/0x5e0 kernel/sched/core.c:8758
 lock_sock_nested+0x4b/0xf0 net/core/sock.c:3624
 lock_sock include/net/sock.h:1617 [inline]
 sco_conn_ready net/bluetooth/sco.c:1341 [inline]
 sco_connect_cfm+0x3bc/0xc00 net/bluetooth/sco.c:1415
 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline]
 hci_sync_conn_complete_evt+0x421/0xa80 net/bluetooth/hci_event.c:5014
 hci_event_func net/bluetooth/hci_event.c:7473 [inline]
 hci_event_packet+0x9eb/0x1180 net/bluetooth/hci_event.c:7525
 hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4035
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
==================================================================
BUG: KASAN: slab-use-after-free in __lock_acquire+0x2d90/0x3c40 kernel/locking/lockdep.c:5089
Read of size 8 at addr ffff88802b63e1d8 by task kworker/u33:2/5941

CPU: 3 UID: 0 PID: 5941 Comm: kworker/u33:2 Tainted: G        W          6.13.0-rc3-syzkaller-00073-geabcdba3ad40 #0
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: hci3 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:489
 kasan_report+0xd9/0x110 mm/kasan/report.c:602
 __lock_acquire+0x2d90/0x3c40 kernel/locking/lockdep.c:5089
 lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
 _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:356 [inline]
 lock_sock_nested+0x5f/0xf0 net/core/sock.c:3625
 lock_sock include/net/sock.h:1617 [inline]
 sco_conn_ready net/bluetooth/sco.c:1341 [inline]
 sco_connect_cfm+0x3bc/0xc00 net/bluetooth/sco.c:1415
 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline]
 hci_sync_conn_complete_evt+0x421/0xa80 net/bluetooth/hci_event.c:5014
 hci_event_func net/bluetooth/hci_event.c:7473 [inline]
 hci_event_packet+0x9eb/0x1180 net/bluetooth/hci_event.c:7525
 hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4035
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 6011:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4298 [inline]
 __kmalloc_noprof+0x21c/0x510 mm/slub.c:4310
 kmalloc_noprof include/linux/slab.h:905 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2165
 sk_alloc+0x36/0xb90 net/core/sock.c:2218
 bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:148
 sco_sock_alloc net/bluetooth/sco.c:552 [inline]
 sco_sock_create+0xe3/0x3c0 net/bluetooth/sco.c:583
 bt_sock_create+0x182/0x350 net/bluetooth/af_bluetooth.c:132
 __sock_create+0x335/0x8d0 net/socket.c:1558
 sock_create net/socket.c:1616 [inline]
 __sys_socket_create net/socket.c:1653 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1700
 __do_sys_socket net/socket.c:1714 [inline]
 __se_sys_socket net/socket.c:1712 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1712
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6011:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free mm/slub.c:4613 [inline]
 kfree+0x14f/0x4b0 mm/slub.c:4761
 sk_prot_free net/core/sock.c:2201 [inline]
 __sk_destruct+0x5eb/0x720 net/core/sock.c:2293
 sk_destruct+0xc2/0xf0 net/core/sock.c:2308
 __sk_free+0xf4/0x3e0 net/core/sock.c:2319
 sk_free+0x6a/0x90 net/core/sock.c:2330
 sock_put include/net/sock.h:1904 [inline]
 sco_sock_kill net/bluetooth/sco.c:494 [inline]
 sco_sock_kill+0x11a/0x1c0 net/bluetooth/sco.c:484
 sco_sock_release+0x154/0x2d0 net/bluetooth/sco.c:1310
 __sock_release+0xb0/0x270 net/socket.c:640
 sock_close+0x1c/0x30 net/socket.c:1408
 __fput+0x3f8/0xb60 fs/file_table.c:450
 __fput_sync+0xa1/0xc0 fs/file_table.c:535
 __do_sys_close fs/open.c:1554 [inline]
 __se_sys_close fs/open.c:1539 [inline]
 __x64_sys_close+0x86/0x100 fs/open.c:1539
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802b63e000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 472 bytes inside of
 freed 2048-byte region [ffff88802b63e000, ffff88802b63e800)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b638
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b042f00 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801b042f00 dead000000000100 dead000000000122
head: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea0000ad8e01 ffffffffffffffff 0000000000000000
head: ffff888000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5934, tgid 5934 (syz-executor267), ts 45292128587, free_ts 42226222516
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
 prep_new_page mm/page_alloc.c:1564 [inline]
 get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3474
 __alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4751
 alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2269
 alloc_slab_page mm/slub.c:2423 [inline]
 allocate_slab mm/slub.c:2589 [inline]
 new_slab+0x2c9/0x410 mm/slub.c:2642
 ___slab_alloc+0xd7d/0x17a0 mm/slub.c:3830
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920
 __slab_alloc_node mm/slub.c:3995 [inline]
 slab_alloc_node mm/slub.c:4156 [inline]
 __do_kmalloc_node mm/slub.c:4297 [inline]
 __kmalloc_noprof+0x2ec/0x510 mm/slub.c:4310
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 ops_init+0x77/0x5f0 net/core/net_namespace.c:128
 setup_net+0x21f/0x860 net/core/net_namespace.c:362
 copy_net_ns+0x2b4/0x6c0 net/core/net_namespace.c:516
 create_new_namespaces+0x3ea/0xad0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
 ksys_unshare+0x45d/0xa40 kernel/fork.c:3334
 __do_sys_unshare kernel/fork.c:3405 [inline]
 __se_sys_unshare kernel/fork.c:3403 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:3403
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
page last free pid 5920 tgid 5920 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_page+0x661/0x1080 mm/page_alloc.c:2657
 __put_partials+0x14c/0x170 mm/slub.c:3157
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4119 [inline]
 slab_alloc_node mm/slub.c:4168 [inline]
 kmem_cache_alloc_noprof+0x226/0x3d0 mm/slub.c:4175
 getname_flags.part.0+0x4c/0x550 fs/namei.c:139
 getname_flags+0x93/0xf0 include/linux/audit.h:322
 user_path_at+0x24/0x60 fs/namei.c:3069
 __do_sys_chroot fs/open.c:596 [inline]
 __se_sys_chroot fs/open.c:590 [inline]
 __x64_sys_chroot+0xbf/0x340 fs/open.c:590
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88802b63e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802b63e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802b63e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff88802b63e200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802b63e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

final repro crashed as (corrupted=false):
BUG: sleeping function called from invalid context at net/core/sock.c:3624
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5941, name: kworker/u33:2
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
5 locks held by kworker/u33:2/5941:
 #0: ffff888024c12948 ((wq_completion)hci3#2){+.+.}-{0:0}, at: process_one_work+0x1293/0x1ba0 kernel/workqueue.c:3204
 #1: ffffc90003f5fd80 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
 #2: ffff88802893c078 (
&hdev->lock
){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0x199/0xa80 net/bluetooth/hci_event.c:4931
 #3: ffff888029604420 (&conn->lock#2){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #3: ffff888029604420 (&conn->lock#2){+.+.}-{3:3}, at: sco_conn_ready net/bluetooth/sco.c:1328 [inline]
 #3: ffff888029604420 (&conn->lock#2){+.+.}-{3:3}, at: sco_connect_cfm+0x29f/0xc00 net/bluetooth/sco.c:1415
 #4: ffff88802b63e258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1617 [inline]
 #4: ffff88802b63e258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_conn_ready net/bluetooth/sco.c:1341 [inline]
 #4: ffff88802b63e258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x3bc/0xc00 net/bluetooth/sco.c:1415
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 3 UID: 0 PID: 5941 Comm: kworker/u33:2 Not tainted 6.13.0-rc3-syzkaller-00073-geabcdba3ad40 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: hci3 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
 __might_resched+0x3c0/0x5e0 kernel/sched/core.c:8758
 lock_sock_nested+0x4b/0xf0 net/core/sock.c:3624
 lock_sock include/net/sock.h:1617 [inline]
 sco_conn_ready net/bluetooth/sco.c:1341 [inline]
 sco_connect_cfm+0x3bc/0xc00 net/bluetooth/sco.c:1415
 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline]
 hci_sync_conn_complete_evt+0x421/0xa80 net/bluetooth/hci_event.c:5014
 hci_event_func net/bluetooth/hci_event.c:7473 [inline]
 hci_event_packet+0x9eb/0x1180 net/bluetooth/hci_event.c:7525
 hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4035
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
==================================================================
BUG: KASAN: slab-use-after-free in __lock_acquire+0x2d90/0x3c40 kernel/locking/lockdep.c:5089
Read of size 8 at addr ffff88802b63e1d8 by task kworker/u33:2/5941

CPU: 3 UID: 0 PID: 5941 Comm: kworker/u33:2 Tainted: G        W          6.13.0-rc3-syzkaller-00073-geabcdba3ad40 #0
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: hci3 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:489
 kasan_report+0xd9/0x110 mm/kasan/report.c:602
 __lock_acquire+0x2d90/0x3c40 kernel/locking/lockdep.c:5089
 lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
 _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:356 [inline]
 lock_sock_nested+0x5f/0xf0 net/core/sock.c:3625
 lock_sock include/net/sock.h:1617 [inline]
 sco_conn_ready net/bluetooth/sco.c:1341 [inline]
 sco_connect_cfm+0x3bc/0xc00 net/bluetooth/sco.c:1415
 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline]
 hci_sync_conn_complete_evt+0x421/0xa80 net/bluetooth/hci_event.c:5014
 hci_event_func net/bluetooth/hci_event.c:7473 [inline]
 hci_event_packet+0x9eb/0x1180 net/bluetooth/hci_event.c:7525
 hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4035
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 6011:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4298 [inline]
 __kmalloc_noprof+0x21c/0x510 mm/slub.c:4310
 kmalloc_noprof include/linux/slab.h:905 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2165
 sk_alloc+0x36/0xb90 net/core/sock.c:2218
 bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:148
 sco_sock_alloc net/bluetooth/sco.c:552 [inline]
 sco_sock_create+0xe3/0x3c0 net/bluetooth/sco.c:583
 bt_sock_create+0x182/0x350 net/bluetooth/af_bluetooth.c:132
 __sock_create+0x335/0x8d0 net/socket.c:1558
 sock_create net/socket.c:1616 [inline]
 __sys_socket_create net/socket.c:1653 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1700
 __do_sys_socket net/socket.c:1714 [inline]
 __se_sys_socket net/socket.c:1712 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1712
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6011:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free mm/slub.c:4613 [inline]
 kfree+0x14f/0x4b0 mm/slub.c:4761
 sk_prot_free net/core/sock.c:2201 [inline]
 __sk_destruct+0x5eb/0x720 net/core/sock.c:2293
 sk_destruct+0xc2/0xf0 net/core/sock.c:2308
 __sk_free+0xf4/0x3e0 net/core/sock.c:2319
 sk_free+0x6a/0x90 net/core/sock.c:2330
 sock_put include/net/sock.h:1904 [inline]
 sco_sock_kill net/bluetooth/sco.c:494 [inline]
 sco_sock_kill+0x11a/0x1c0 net/bluetooth/sco.c:484
 sco_sock_release+0x154/0x2d0 net/bluetooth/sco.c:1310
 __sock_release+0xb0/0x270 net/socket.c:640
 sock_close+0x1c/0x30 net/socket.c:1408
 __fput+0x3f8/0xb60 fs/file_table.c:450
 __fput_sync+0xa1/0xc0 fs/file_table.c:535
 __do_sys_close fs/open.c:1554 [inline]
 __se_sys_close fs/open.c:1539 [inline]
 __x64_sys_close+0x86/0x100 fs/open.c:1539
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802b63e000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 472 bytes inside of
 freed 2048-byte region [ffff88802b63e000, ffff88802b63e800)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b638
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b042f00 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801b042f00 dead000000000100 dead000000000122
head: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea0000ad8e01 ffffffffffffffff 0000000000000000
head: ffff888000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5934, tgid 5934 (syz-executor267), ts 45292128587, free_ts 42226222516
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
 prep_new_page mm/page_alloc.c:1564 [inline]
 get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3474
 __alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4751
 alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2269
 alloc_slab_page mm/slub.c:2423 [inline]
 allocate_slab mm/slub.c:2589 [inline]
 new_slab+0x2c9/0x410 mm/slub.c:2642
 ___slab_alloc+0xd7d/0x17a0 mm/slub.c:3830
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920
 __slab_alloc_node mm/slub.c:3995 [inline]
 slab_alloc_node mm/slub.c:4156 [inline]
 __do_kmalloc_node mm/slub.c:4297 [inline]
 __kmalloc_noprof+0x2ec/0x510 mm/slub.c:4310
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 ops_init+0x77/0x5f0 net/core/net_namespace.c:128
 setup_net+0x21f/0x860 net/core/net_namespace.c:362
 copy_net_ns+0x2b4/0x6c0 net/core/net_namespace.c:516
 create_new_namespaces+0x3ea/0xad0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
 ksys_unshare+0x45d/0xa40 kernel/fork.c:3334
 __do_sys_unshare kernel/fork.c:3405 [inline]
 __se_sys_unshare kernel/fork.c:3403 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:3403
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
page last free pid 5920 tgid 5920 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_page+0x661/0x1080 mm/page_alloc.c:2657
 __put_partials+0x14c/0x170 mm/slub.c:3157
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4119 [inline]
 slab_alloc_node mm/slub.c:4168 [inline]
 kmem_cache_alloc_noprof+0x226/0x3d0 mm/slub.c:4175
 getname_flags.part.0+0x4c/0x550 fs/namei.c:139
 getname_flags+0x93/0xf0 include/linux/audit.h:322
 user_path_at+0x24/0x60 fs/namei.c:3069
 __do_sys_chroot fs/open.c:596 [inline]
 __se_sys_chroot fs/open.c:590 [inline]
 __x64_sys_chroot+0xbf/0x340 fs/open.c:590
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88802b63e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802b63e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802b63e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff88802b63e200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802b63e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================