ci2 starts bisection 2026-06-18 03:28:11.354250922 +0000 UTC m=+45264.970675567
bisecting fixing commit since 7c87defbd336df289c8c0280f019647864ff70c6
building syzkaller on 303e2802d4760a2024848e19b613070c0df2a791
ensuring issue is reproducible on original commit 7c87defbd336df289c8c0280f019647864ff70c6

testing commit 7c87defbd336df289c8c0280f019647864ff70c6 gcc
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
kernel signature: 142841e78a35833fbd29de9ad5a4069da267764d86a90219570a441809c19342
all runs: crashed: BUG: unable to handle kernel paging request in l2cap_unregister_user
representative crash: BUG: unable to handle kernel paging request in l2cap_unregister_user, types: [MEMORY_SAFETY_BUG]
check whether we can drop unnecessary instrumentation
disabling configs for [kasan locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 7c87defbd336df289c8c0280f019647864ff70c6 gcc
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
kernel signature: 6ab1efadf1f5ffd81710d2cc50b83c4d82258fff91951773760191628c86581d
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
representative crash: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user, types: [NULL-POINTER-DEREFERENCE]
the bug reproduces without the instrumentation
disabling configs for [locking atomic_sleep hang memleak ubsan kasan], they are not needed
kconfig minimization: base=7505 full=9786 leaves diff=2008
split chunks (needed=false): <2008>
split chunk #0 of len 2008 into 5 parts
testing without sub-chunk 1/5
disabling configs for [kasan locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 7c87defbd336df289c8c0280f019647864ff70c6 gcc
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
kernel signature: 701f90048fc344fb31dc22fa4fbda8ab26b20a3066f183baaeb4647634c5c162
all runs: OK
false negative chance: 0.000
testing without sub-chunk 2/5
disabling configs for [memleak ubsan kasan locking atomic_sleep hang], they are not needed
testing commit 7c87defbd336df289c8c0280f019647864ff70c6 gcc
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
kernel signature: 788b3be70b60907bc4cf8a82fe9bc7b8893dfa482641a8dde554f3cc08873030
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
representative crash: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user, types: [NULL-POINTER-DEREFERENCE]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [kasan locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 7c87defbd336df289c8c0280f019647864ff70c6 gcc
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
kernel signature: 782d079c2c35f75edd7801db62f58f0f9a204e4731582da69bb553edf3c5e4c9
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #3: OK
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
representative crash: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user, types: [NULL-POINTER-DEREFERENCE]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [kasan locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 7c87defbd336df289c8c0280f019647864ff70c6 gcc
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
kernel signature: b5c3149cab238163d4d506dbcec019b33fb3e0c6da83d0573ad5dd8378909510
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #9: OK
representative crash: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user, types: [NULL-POINTER-DEREFERENCE]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [kasan locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 7c87defbd336df289c8c0280f019647864ff70c6 gcc
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
kernel signature: 138df74537904e4f1773b110b2611d5f7eebf928085f7454bd917f25aea84a9f
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #2: OK
run #3: OK
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #5: OK
run #6: OK
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #9: OK
representative crash: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user, types: [NULL-POINTER-DEREFERENCE]
the chunk can be dropped
minimized to 402 configs
disabling configs for [hang memleak ubsan kasan locking atomic_sleep], they are not needed
testing current HEAD 228da13e907e2b46b7222cfc35290fbfad920bef
testing commit 228da13e907e2b46b7222cfc35290fbfad920bef gcc
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
kernel signature: 8bb20b1c54a2433569b5b30f458a463b09746b53e19902bfc32ef98004286036
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #5: OK
run #6: OK
run #7: OK
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user
run #9: OK
representative crash: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user, types: [NULL-POINTER-DEREFERENCE]
crash still not fixed/happens on the oldest tested release
revisions tested: 8, total time: 2h43m12.101177451s (build: 1h0m22.452362407s, test: 1h26m52.803548438s)
crash still not fixed or there were kernel test errors
commit msg: Linux 6.1.175
crash: BUG: unable to handle kernel NULL pointer dereference in l2cap_unregister_user

input: Bluetooth HID Boot Protocol Device as /devices/virtual/bluetooth/hci5/hci5:200/input101
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=00000001127a3000
[0000000000000000] pgd=0800000111743003, p4d=0800000111743003, pud=080000011173a003, pmd=0000000000000000
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 5866 Comm: syz.1.500 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
pstate: 02400005 (nzcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : l2cap_unregister_user+0x14/0x88 net/bluetooth/l2cap_core.c:1893
lr : hidp_connection_del+0x40/0x90 net/bluetooth/hidp/core.c:1422
sp : ffff8000154e3b00
x29: ffff8000154e3b00 x28: ffff0000c6234bc0 x27: 0000000000000000
x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000006
x23: 00000000400448c9 x22: 0000000020000000 x21: ffff80000f9975c0
x20: ffff8000154e3b68 x19: ffff0000d2510000 x18: 0000000000000001
x17: 0000000000000001 x16: 0000000000000144 x15: 0000000020000000
x14: ffff80000a9e568c x13: 000000000000004e x12: 00000000000010aa
x11: 00000000000010aa x10: 00000000aaaaaaaa x9 : 0000000000000000
x8 : 0000000000000000 x7 : 0000000000000000 x6 : ffff80000a026e70
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000001
x2 : 0000000000000001 x1 : ffff0000d2510090 x0 : 0000000000000000
Call trace:
 l2cap_unregister_user+0x14/0x88 net/bluetooth/l2cap_core.c:1892
 hidp_connection_del+0x40/0x90 net/bluetooth/hidp/core.c:1422
 do_hidp_sock_ioctl net/bluetooth/hidp/sock.c:97 [inline]
 hidp_sock_ioctl+0x3ac/0x3f8 net/bluetooth/hidp/sock.c:128
 sock_do_ioctl+0x58/0x16c net/socket.c:1201
 sock_ioctl+0x2f0/0x3bc net/socket.c:1320
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __arm64_sys_ioctl+0x88/0xc8 fs/ioctl.c:856
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x40/0xdc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0xb0/0xe8 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x24/0x80 arch/arm64/kernel/syscall.c:204
 el0_svc+0x34/0xd4 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Code: a9bd7bfd f9000bf5 a9024ff4 910003fd (f9400008)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0: a9bd7bfd stp x29, x30, [sp, #-48]!
   4: f9000bf5 str x21, [sp, #16]
   8: a9024ff4 stp x20, x19, [sp, #32]
   c: 910003fd mov x29, sp
* 10: f9400008 ldr x8, [x0] <-- trapping instruction