last executing test programs: 13.077669241s ago: executing program 1 (id=2): bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000000)='sched_switch\x00'}, 0x10) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x84}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000240)=0x7) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) openat$vhost_vsock(0xffffffffffffff9c, 0x0, 0x2, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbee2, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs={0x0, 0x0, 0x4e21}, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) socket$nl_xfrm(0x10, 0x3, 0x6) bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000300)=@bpf_lsm={0xd, 0x5, &(0x7f0000000040)=@framed={{0x66, 0xa, 0x0, 0x0, 0x0, 0x61, 0x11, 0x60}, [@initr0]}, &(0x7f0000000000)='GPL\x00'}, 0x80) 11.962960773s ago: executing program 1 (id=6): ioctl$UI_SET_LEDBIT(0xffffffffffffffff, 0x40045569, 0xc) move_mount(0xffffffffffffffff, 0x0, 0xffffffffffffff9c, 0x0, 0x0) ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000100)={0x8, 0x80000100008b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000300)=0x7) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x3) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) r0 = syz_clone(0x8000, 0x0, 0xfffffffffffffe7e, 0x0, 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, r0, 0x1, 0x0) sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x400000bce) r1 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8) connect$unix(0xffffffffffffffff, 0x0, 0x0) r2 = epoll_create1(0x0) r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000040)='/sys/power/wakeup_count', 0x0, 0x10) epoll_ctl$EPOLL_CTL_ADD(r2, 0x1, r3, &(0x7f00000000c0)={0xe000001a}) read$char_usb(r3, &(0x7f0000000100)=""/162, 0xa2) pselect6(0x40, &(0x7f0000000100)={0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x800, 0x0, 0x100000}, 0x0, 0x0, 0x0, 0x0) geteuid() 9.180528231s ago: executing program 0 (id=1): openat$ptmx(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) bpf$PROG_LOAD(0x5, 0x0, 0x0) openat$cgroup_root(0xffffffffffffff9c, 0x0, 0x200002, 0x0) socket$inet_udp(0x2, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r0 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x4) r1 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8) sched_setaffinity(0x0, 0xfffffef7, &(0x7f0000000740)=0x410000002) r2 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0) ptrace(0x10, r2) openat$procfs(0xffffffffffffff9c, 0x0, 0x0, 0x0) ptrace$pokeuser(0x6, r2, 0x358, 0x800000000000) socket$igmp(0x2, 0x3, 0x2) sched_setaffinity(r2, 0x0, 0x0) r3 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x0) bind$bt_l2cap(r3, &(0x7f0000000000)={0x1f, 0x0, @any, 0x4, 0x1}, 0xe) listen(r3, 0x3) r4 = accept4$bt_l2cap(r3, &(0x7f0000000200), 0x0, 0x800) setsockopt$bt_BT_SNDMTU(r4, 0x112, 0xc, &(0x7f0000000100)=0x8, 0x2) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e130100c900", @ANYBLOB=' '], 0x16) syz_emit_ethernet(0x46, &(0x7f0000000000)={@broadcast, @empty, @void, {@ipv4={0x800, @icmp={{0x5, 0x4, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x67, 0x0, @rand_addr, @multicast1}, @time_exceeded={0x21, 0x0, 0x0, 0x12, 0x0, 0x2802, {0x5, 0x2, 0x0, 0x0, 0x24, 0x64, 0x0, 0x0, 0x0, 0x0, @multicast2, @rand_addr=0xe0000000}, "e9c9cee4837ae0b9"}}}}}, 0x0) 8.168268702s ago: executing program 0 (id=7): r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x0) bind$bt_l2cap(r0, &(0x7f0000000000)={0x1f, 0x0, @any, 0x4, 0x1}, 0xe) listen(r0, 0x3) r1 = accept4$bt_l2cap(r0, &(0x7f0000000200), 0x0, 0x800) setsockopt$bt_BT_SNDMTU(r1, 0x112, 0xc, &(0x7f0000000100)=0x8, 0x2) 7.926413214s ago: executing program 3 (id=4): ioctl$UI_SET_LEDBIT(0xffffffffffffffff, 0x40045569, 0xc) move_mount(0xffffffffffffffff, 0x0, 0xffffffffffffff9c, 0x0, 0x0) ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000100)={0x8, 0x80000100008b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000300)=0x7) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) getpid() mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) r0 = syz_clone(0x8000, 0x0, 0xfffffffffffffe7e, 0x0, 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, r0, 0x1, 0x0) sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x400000bce) r1 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8) connect$unix(0xffffffffffffffff, 0x0, 0x0) r2 = epoll_create1(0x0) r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000040)='/sys/power/wakeup_count', 0x0, 0x10) epoll_ctl$EPOLL_CTL_ADD(r2, 0x1, r3, &(0x7f00000000c0)={0xe000001a}) read$char_usb(r3, &(0x7f0000000100)=""/162, 0xa2) pselect6(0x40, &(0x7f0000000100)={0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x800, 0x0, 0x100000}, 0x0, 0x0, 0x0, 0x0) geteuid() 7.734893291s ago: executing program 1 (id=8): openat$ptmx(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) bpf$PROG_LOAD(0x5, 0x0, 0x0) openat$cgroup_root(0xffffffffffffff9c, 0x0, 0x200002, 0x0) socket$inet_udp(0x2, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r0 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x4) r1 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8) sched_setaffinity(0x0, 0xfffffef7, &(0x7f0000000740)=0x410000002) r2 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0) ptrace(0x10, r2) openat$procfs(0xffffffffffffff9c, 0x0, 0x0, 0x0) ptrace$pokeuser(0x6, r2, 0x358, 0x800000000000) socket$igmp(0x2, 0x3, 0x2) sched_setaffinity(r2, 0x0, 0x0) r3 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x0) bind$bt_l2cap(r3, &(0x7f0000000000)={0x1f, 0x0, @any, 0x4, 0x1}, 0xe) listen(r3, 0x3) r4 = accept4$bt_l2cap(r3, &(0x7f0000000200), 0x0, 0x800) setsockopt$bt_BT_SNDMTU(r4, 0x112, 0xc, &(0x7f0000000100)=0x8, 0x2) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e130100c900", @ANYBLOB=' '], 0x16) syz_emit_ethernet(0x46, &(0x7f0000000000)={@broadcast, @empty, @void, {@ipv4={0x800, @icmp={{0x5, 0x4, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x67, 0x0, @rand_addr, @multicast1}, @time_exceeded={0x21, 0x0, 0x0, 0x12, 0x0, 0x2802, {0x5, 0x2, 0x0, 0x0, 0x24, 0x64, 0x0, 0x0, 0x0, 0x0, @multicast2, @rand_addr=0xe0000000}, "e9c9cee4837ae0b9"}}}}}, 0x0) 6.088313591s ago: executing program 0 (id=9): pread64(0xffffffffffffffff, 0x0, 0x0, 0x8) socket$inet_udp(0x2, 0x2, 0x0) creat(&(0x7f00000002c0)='./file0\x00', 0x0) r0 = getpgrp(0x0) sched_setaffinity(r0, 0x8, &(0x7f0000000040)=0x5) prlimit64(0x0, 0xe, &(0x7f0000000100)={0x8, 0x80000100008b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000300)=0x7) prctl$PR_SCHED_CORE(0x3e, 0x1, r0, 0x2, 0x0) r1 = getpid() sched_setscheduler(r1, 0x2, &(0x7f0000000000)=0x3) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) r2 = syz_clone(0x8000, 0x0, 0xfffffffffffffe7e, 0x0, 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, r2, 0x1, 0x0) r3 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r3, &(0x7f0000019680)=""/102392, 0x18ff8) r4 = openat$fuse(0xffffffffffffff9c, &(0x7f0000000040), 0x42, 0x0) mount$fuse(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000002100), 0x280449c, 0x0) write$FUSE_INIT(r4, 0x0, 0x0) 3.043061138s ago: executing program 0 (id=10): socket$inet6_udp(0xa, 0x2, 0x0) epoll_create1(0x0) bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000040)={0x0, 0x0, 0x4a, 0x0, 0x1, 0x800, 0x10000}, 0x28) r0 = socket$inet6(0xa, 0x3, 0xff) connect$inet6(r0, &(0x7f0000000200)={0xa, 0x0, 0x0, @empty}, 0x1c) setsockopt$SO_TIMESTAMPING(r0, 0x1, 0x41, &(0x7f0000000000)=0x655e, 0x4) r1 = dup2(r0, r0) r2 = socket$inet_sctp(0x2, 0x1, 0x84) sendmmsg$inet_sctp(r2, &(0x7f0000003f40)=[{&(0x7f0000000000)=@in={0x2, 0x4e22, @remote}, 0x10, &(0x7f0000000140)=[{&(0x7f0000000040)="1c", 0x1}], 0x1, &(0x7f0000000200)=[@init={0x18, 0x84, 0x0, {0xc71f, 0xfff, 0x8, 0xc4}}], 0x18, 0x48060}], 0x1, 0x200000d0) getsockopt$inet_sctp_SCTP_RECONFIG_SUPPORTED(r2, 0x84, 0x75, &(0x7f0000000080)={0x0, 0x6}, &(0x7f00000000c0)=0x8) madvise(&(0x7f0000c00000/0x400000)=nil, 0x400000, 0xe) setsockopt$inet6_group_source_req(0xffffffffffffffff, 0x29, 0x2e, &(0x7f00000001c0)={0x3, {{0xa, 0x4e24, 0x2, @mcast1, 0xff7ffffd}}, {{0xa, 0x4e08, 0x4a3, @local, 0x4f1}}}, 0x108) setsockopt$inet6_group_source_req(0xffffffffffffffff, 0x29, 0x2c, &(0x7f0000000180)={0x3, {{0xa, 0x4e20, 0xa42, @mcast1, 0xbf9}}, {{0xa, 0x4e24, 0xc7e2, @loopback, 0xfffffe01}}}, 0x108) madvise(&(0x7f0000800000/0x800000)=nil, 0x800000, 0x16) mprotect(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x0) openat$nullb(0xffffffffffffff9c, &(0x7f0000000080), 0x4000000004002, 0x0) ioctl$UFFDIO_API(0xffffffffffffffff, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(0xffffffffffffffff, 0xc020aa00, &(0x7f0000000000)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x3}) write$tun(r1, &(0x7f0000000040)=ANY=[], 0x46) recvmmsg(r1, &(0x7f00000049c0)=[{{0x0, 0x0, 0x0, 0x0, 0x0, 0x10}}], 0x1, 0x2000, 0x0) r3 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_TX_RING(r3, 0x11b, 0x6, &(0x7f0000000000)=0x40000000, 0x52) 2.416659714s ago: executing program 3 (id=11): openat$ptmx(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) bpf$PROG_LOAD(0x5, 0x0, 0x0) openat$cgroup_root(0xffffffffffffff9c, 0x0, 0x200002, 0x0) socket$inet_udp(0x2, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r0 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x4) r1 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8) sched_setaffinity(0x0, 0xfffffef7, &(0x7f0000000740)=0x410000002) r2 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0) ptrace(0x10, r2) openat$procfs(0xffffffffffffff9c, 0x0, 0x0, 0x0) ptrace$pokeuser(0x6, r2, 0x358, 0x800000000000) socket$igmp(0x2, 0x3, 0x2) sched_setaffinity(r2, 0x0, 0x0) r3 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x0) bind$bt_l2cap(r3, &(0x7f0000000000)={0x1f, 0x0, @any, 0x4, 0x1}, 0xe) listen(r3, 0x3) r4 = accept4$bt_l2cap(r3, &(0x7f0000000200), 0x0, 0x800) setsockopt$bt_BT_SNDMTU(r4, 0x112, 0xc, &(0x7f0000000100)=0x8, 0x2) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e130100c900", @ANYBLOB=' '], 0x16) syz_emit_ethernet(0x46, &(0x7f0000000000)={@broadcast, @empty, @void, {@ipv4={0x800, @icmp={{0x5, 0x4, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x67, 0x0, @rand_addr, @multicast1}, @time_exceeded={0x21, 0x0, 0x0, 0x12, 0x0, 0x2802, {0x5, 0x2, 0x0, 0x0, 0x24, 0x64, 0x0, 0x0, 0x0, 0x0, @multicast2, @rand_addr=0xe0000000}, "e9c9cee4837ae0b9"}}}}}, 0x0) 2.392340801s ago: executing program 2 (id=3): r0 = syz_open_dev$evdev(&(0x7f0000000000), 0x19c5498e, 0x103902) r1 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_MSG_GETCHAIN(r1, 0x0, 0x0) close(0x4) poll(&(0x7f0000000180), 0x0, 0xffffffc0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r3, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) syz_usb_control_io$hid(0xffffffffffffffff, 0x0, &(0x7f00000005c0)={0x18, 0x0, 0x0, &(0x7f00000003c0)={0x0, 0x8, 0x1, 0xd}, &(0x7f0000000500), 0x0}) socket(0x2b, 0x1, 0x0) r4 = socket(0x1e, 0x4, 0x0) r5 = openat$sysfs(0xffffff9c, &(0x7f0000000080)='/sys/kernel/address_bits', 0x210000, 0x1) fchdir(r5) setsockopt$packet_tx_ring(r4, 0x10f, 0x87, &(0x7f0000000140)=@req3={0x7813, 0x3, 0x0, 0x81, 0x1ff, 0x1, 0x1}, 0x1c) r6 = socket(0x1e, 0x4, 0x0) setsockopt$packet_tx_ring(r6, 0x10f, 0x87, &(0x7f0000000140)=@req3={0x7813, 0x3, 0x1, 0x81, 0x1ff, 0x801, 0x1}, 0x1c) sendmmsg(r6, &(0x7f00000030c0)=[{{0x0, 0xa9cc7003, &(0x7f0000000400)=[{&(0x7f00000000c0)="ee", 0x101d0}], 0x1}}], 0x400000000000181, 0x9200000000000000) bind$tipc(r6, 0x0, 0x0) close_range(r0, 0xffffffffffffffff, 0x0) 2.099382816s ago: executing program 4 (id=5): r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nbd(&(0x7f0000000140), 0xffffffffffffffff) socket(0x2, 0x80805, 0x0) sendmsg$NBD_CMD_CONNECT(r0, &(0x7f0000001ac0)={0x0, 0x0, &(0x7f00000002c0)={0x0}, 0x1, 0x0, 0x0, 0x4000}, 0x20000000) syz_init_net_socket$ax25(0x3, 0x5, 0xc5) socket(0x2000000015, 0x80005, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8d}, 0x0) sched_setscheduler(0x0, 0x2, 0x0) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0) writev(0xffffffffffffffff, &(0x7f0000000840)=[{0x0}], 0x1) socket$inet6_sctp(0xa, 0x1, 0x84) openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x1510c2, 0x11) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000040)='contention_begin\x00'}, 0x18) r1 = syz_open_dev$dri(&(0x7f0000000080), 0x1, 0x0) ioctl$DRM_IOCTL_WAIT_VBLANK(r1, 0xc018643a, &(0x7f00000000c0)={0x4000001, 0x40071, 0x200000009}) ioctl$DRM_IOCTL_SET_CLIENT_CAP(r1, 0x4010640d, &(0x7f0000000000)={0x3, 0x2}) pread64(r1, 0x0, 0x0, 0x78f2a36b) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r1, 0xc01064b5, &(0x7f0000000140)={&(0x7f0000000100)=[0x0], 0x1}) ioctl$DRM_IOCTL_MODE_GETPLANE(r1, 0xc02064b6, &(0x7f0000000300)={r2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_MODE_SETCRTC(r1, 0xc06864a2, &(0x7f0000000380)={0x0, 0x0, r3, 0x0, 0x0, 0x1f5, 0x0, 0x0, {0x4, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x0, 0x8001, 0xfffffffa, "b4bc323ef77d1f000071849800000000dfff00"}}) openat$fuse(0xffffffffffffff9c, &(0x7f0000000100), 0x2, 0x0) socket(0x10, 0x800, 0x0) bpf$PROG_LOAD(0x5, 0x0, 0x0) 1.107076037s ago: executing program 4 (id=12): openat$ptmx(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) bpf$PROG_LOAD(0x5, 0x0, 0x0) openat$cgroup_root(0xffffffffffffff9c, 0x0, 0x200002, 0x0) socket$inet_udp(0x2, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r0 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x4) r1 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8) sched_setaffinity(0x0, 0xfffffef7, &(0x7f0000000740)=0x410000002) r2 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0) ptrace(0x10, r2) openat$procfs(0xffffffffffffff9c, 0x0, 0x0, 0x0) ptrace$pokeuser(0x6, r2, 0x358, 0x800000000000) r3 = socket$igmp(0x2, 0x3, 0x2) sched_setaffinity(r2, 0x0, 0x0) r4 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x0) bind$bt_l2cap(r4, &(0x7f0000000000)={0x1f, 0x0, @any, 0x4, 0x1}, 0xe) listen(r4, 0x3) r5 = accept4$bt_l2cap(r4, &(0x7f0000000200), 0x0, 0x800) setsockopt$bt_BT_SNDMTU(r5, 0x112, 0xc, &(0x7f0000000100)=0x8, 0x2) setsockopt$MRT_DONE(r3, 0x0, 0xc9, 0x0, 0x0) syz_emit_ethernet(0x46, &(0x7f0000000000)={@broadcast, @empty, @void, {@ipv4={0x800, @icmp={{0x5, 0x4, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x67, 0x0, @rand_addr, @multicast1}, @time_exceeded={0x21, 0x0, 0x0, 0x12, 0x0, 0x2802, {0x5, 0x2, 0x0, 0x0, 0x24, 0x64, 0x0, 0x0, 0x0, 0x0, @multicast2, @rand_addr=0xe0000000}, "e9c9cee4837ae0b9"}}}}}, 0x0) 0s ago: executing program 4 (id=13): seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000100)=[{0x6, 0x4, 0x0, 0x7fff0000}]}) r0 = openat$sndseq(0xffffffffffffff9c, &(0x7f0000000100), 0x0) sched_setscheduler(0x0, 0x1, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r1 = getpid() sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0) recvmmsg(0xffffffffffffffff, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) openat$procfs(0xffffffffffffff9c, &(0x7f00000005c0)='/proc/timer_list\x00', 0x0, 0x0) epoll_create(0x8) ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_POOL(r0, 0x40505330, &(0x7f00000001c0)={0x800100, 0xfffffffd, 0x22, 0x6, 0x1101, 0x1}) kernel console output (not intermixed with test programs): [ 92.209461][ T9] cfg80211: failed to load regulatory.db Warning: Permanently added '10.128.1.148' (ED25519) to the list of known hosts. [ 96.551516][ T5784] cgroup: Unknown subsys name 'net' [ 96.790972][ T5784] cgroup: Unknown subsys name 'cpuset' [ 96.846058][ T5784] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 98.776301][ T5784] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 102.791569][ T5810] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 102.802310][ T5810] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 102.806653][ T5810] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 102.809285][ T5813] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 102.815061][ T5813] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 102.821950][ T5812] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 102.823425][ T5812] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 102.824383][ T5812] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 102.840882][ T5810] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 102.848742][ T5810] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 102.850217][ T5816] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 102.862825][ T5816] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 102.863678][ T5816] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 102.864432][ T5816] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 102.867979][ T5816] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 102.868993][ T5816] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 102.876407][ T5816] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1 [ 102.881697][ T5816] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9 [ 102.883365][ T5816] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9 [ 102.909866][ T5816] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 102.916129][ T5816] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4 [ 102.917318][ T5816] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2 [ 102.970423][ T5812] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 102.971624][ T5812] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 102.973358][ T5809] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 103.951904][ T5815] chnl_net:caif_netlink_parms(): no params data found [ 104.242387][ T5801] chnl_net:caif_netlink_parms(): no params data found [ 104.267602][ T5802] chnl_net:caif_netlink_parms(): no params data found [ 104.312079][ T5811] chnl_net:caif_netlink_parms(): no params data found [ 104.334628][ T5803] chnl_net:caif_netlink_parms(): no params data found [ 104.858878][ T5815] bridge0: port 1(bridge_slave_0) entered blocking state [ 104.859691][ T5815] bridge0: port 1(bridge_slave_0) entered disabled state [ 104.860146][ T5815] bridge_slave_0: entered allmulticast mode [ 104.862233][ T5815] bridge_slave_0: entered promiscuous mode [ 104.927367][ T5113] Bluetooth: hci2: command tx timeout [ 104.927701][ T5815] bridge0: port 2(bridge_slave_1) entered blocking state [ 104.927817][ T5815] bridge0: port 2(bridge_slave_1) entered disabled state [ 104.928200][ T5815] bridge_slave_1: entered allmulticast mode [ 104.930428][ T5815] bridge_slave_1: entered promiscuous mode [ 105.005426][ T5816] Bluetooth: hci4: command tx timeout [ 105.005655][ T61] Bluetooth: hci1: command tx timeout [ 105.005766][ T5113] Bluetooth: hci0: command tx timeout [ 105.086794][ T5113] Bluetooth: hci3: command tx timeout [ 105.508061][ T5801] bridge0: port 1(bridge_slave_0) entered blocking state [ 105.509548][ T5801] bridge0: port 1(bridge_slave_0) entered disabled state [ 105.509785][ T5801] bridge_slave_0: entered allmulticast mode [ 105.512258][ T5801] bridge_slave_0: entered promiscuous mode [ 105.601696][ T5815] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 105.602035][ T5802] bridge0: port 1(bridge_slave_0) entered blocking state [ 105.602179][ T5802] bridge0: port 1(bridge_slave_0) entered disabled state [ 105.602458][ T5802] bridge_slave_0: entered allmulticast mode [ 105.604901][ T5802] bridge_slave_0: entered promiscuous mode [ 105.687384][ T5801] bridge0: port 2(bridge_slave_1) entered blocking state [ 105.687521][ T5801] bridge0: port 2(bridge_slave_1) entered disabled state [ 105.687722][ T5801] bridge_slave_1: entered allmulticast mode [ 105.690193][ T5801] bridge_slave_1: entered promiscuous mode [ 105.828962][ T5815] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 105.829202][ T5802] bridge0: port 2(bridge_slave_1) entered blocking state [ 105.829361][ T5802] bridge0: port 2(bridge_slave_1) entered disabled state [ 105.829708][ T5802] bridge_slave_1: entered allmulticast mode [ 105.831528][ T5802] bridge_slave_1: entered promiscuous mode [ 105.833941][ T5811] bridge0: port 1(bridge_slave_0) entered blocking state [ 105.834063][ T5811] bridge0: port 1(bridge_slave_0) entered disabled state [ 105.834204][ T5811] bridge_slave_0: entered allmulticast mode [ 105.837799][ T5811] bridge_slave_0: entered promiscuous mode [ 105.947213][ T5803] bridge0: port 1(bridge_slave_0) entered blocking state [ 105.947322][ T5803] bridge0: port 1(bridge_slave_0) entered disabled state [ 105.947455][ T5803] bridge_slave_0: entered allmulticast mode [ 105.949349][ T5803] bridge_slave_0: entered promiscuous mode [ 106.096469][ T5811] bridge0: port 2(bridge_slave_1) entered blocking state [ 106.096656][ T5811] bridge0: port 2(bridge_slave_1) entered disabled state [ 106.096804][ T5811] bridge_slave_1: entered allmulticast mode [ 106.098903][ T5811] bridge_slave_1: entered promiscuous mode [ 106.236489][ T5803] bridge0: port 2(bridge_slave_1) entered blocking state [ 106.236625][ T5803] bridge0: port 2(bridge_slave_1) entered disabled state [ 106.236827][ T5803] bridge_slave_1: entered allmulticast mode [ 106.238940][ T5803] bridge_slave_1: entered promiscuous mode [ 106.450215][ T5801] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 106.528383][ T5815] team0: Port device team_slave_0 added [ 106.531947][ T5802] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 106.598946][ T5801] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 106.698450][ T5815] team0: Port device team_slave_1 added [ 106.701304][ T5802] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 106.704583][ T5811] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 106.779545][ T5803] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 106.919077][ T5811] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 106.999609][ T5803] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 107.005386][ T5113] Bluetooth: hci2: command tx timeout [ 107.085302][ T5816] Bluetooth: hci4: command tx timeout [ 107.085404][ T61] Bluetooth: hci1: command tx timeout [ 107.085483][ T5113] Bluetooth: hci0: command tx timeout [ 107.165375][ T5113] Bluetooth: hci3: command tx timeout [ 107.268446][ T5801] team0: Port device team_slave_0 added [ 107.269804][ T5815] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 107.269817][ T5815] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 107.269836][ T5815] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 107.274357][ T5802] team0: Port device team_slave_0 added [ 107.688616][ T5801] team0: Port device team_slave_1 added [ 107.689361][ T5815] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 107.689383][ T5815] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 107.689402][ T5815] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 107.692546][ T5802] team0: Port device team_slave_1 added [ 107.694366][ T5811] team0: Port device team_slave_0 added [ 107.737614][ T5803] team0: Port device team_slave_0 added [ 107.898416][ T5811] team0: Port device team_slave_1 added [ 107.900578][ T5803] team0: Port device team_slave_1 added [ 108.157095][ T5801] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 108.157109][ T5801] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 108.157129][ T5801] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 108.159805][ T5802] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 108.159822][ T5802] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 108.159841][ T5802] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 108.407105][ T5801] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 108.407125][ T5801] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 108.407151][ T5801] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 108.408336][ T5802] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 108.408349][ T5802] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 108.408368][ T5802] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 108.688248][ T5811] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 108.688267][ T5811] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 108.688299][ T5811] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 108.689868][ T5803] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 108.689885][ T5803] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 108.689911][ T5803] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 108.849269][ T5811] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 108.849284][ T5811] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 108.849303][ T5811] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 108.850452][ T5803] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 108.850466][ T5803] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 108.850485][ T5803] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 108.931543][ T5815] hsr_slave_0: entered promiscuous mode [ 108.932733][ T5815] hsr_slave_1: entered promiscuous mode [ 109.085756][ T5113] Bluetooth: hci2: command tx timeout [ 109.165582][ T5816] Bluetooth: hci4: command tx timeout [ 109.165763][ T61] Bluetooth: hci1: command tx timeout [ 109.165848][ T5113] Bluetooth: hci0: command tx timeout [ 109.245610][ T5113] Bluetooth: hci3: command tx timeout [ 109.503892][ T5801] hsr_slave_0: entered promiscuous mode [ 109.504882][ T5801] hsr_slave_1: entered promiscuous mode [ 109.517103][ T5801] debugfs: 'hsr0' already exists in 'hsr' [ 109.517246][ T5801] Cannot create hsr debugfs directory [ 109.533910][ T5802] hsr_slave_0: entered promiscuous mode [ 109.535061][ T5802] hsr_slave_1: entered promiscuous mode [ 109.536833][ T5802] debugfs: 'hsr0' already exists in 'hsr' [ 109.536865][ T5802] Cannot create hsr debugfs directory [ 109.762290][ T5811] hsr_slave_0: entered promiscuous mode [ 109.763251][ T5811] hsr_slave_1: entered promiscuous mode [ 109.763950][ T5811] debugfs: 'hsr0' already exists in 'hsr' [ 109.763971][ T5811] Cannot create hsr debugfs directory [ 109.863569][ T5803] hsr_slave_0: entered promiscuous mode [ 109.864588][ T5803] hsr_slave_1: entered promiscuous mode [ 109.866239][ T5803] debugfs: 'hsr0' already exists in 'hsr' [ 109.866269][ T5803] Cannot create hsr debugfs directory [ 111.165435][ T5113] Bluetooth: hci2: command tx timeout [ 111.245460][ T5816] Bluetooth: hci4: command tx timeout [ 111.245507][ T61] Bluetooth: hci1: command tx timeout [ 111.245538][ T5113] Bluetooth: hci0: command tx timeout [ 111.279529][ T5815] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 111.314413][ T5815] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 111.325349][ T5113] Bluetooth: hci3: command tx timeout [ 111.349017][ T5815] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 111.405412][ T5815] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 111.511271][ T5801] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 111.553656][ T5801] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 111.571230][ T5801] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 111.630806][ T5801] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 111.779155][ T5802] netdevsim netdevsim3 netdevsim0: renamed from eth0 [ 111.829673][ T5802] netdevsim netdevsim3 netdevsim1: renamed from eth1 [ 111.868029][ T5802] netdevsim netdevsim3 netdevsim2: renamed from eth2 [ 111.920883][ T5802] netdevsim netdevsim3 netdevsim3: renamed from eth3 [ 112.069639][ T5803] netdevsim netdevsim4 netdevsim0: renamed from eth0 [ 112.123439][ T5803] netdevsim netdevsim4 netdevsim1: renamed from eth1 [ 112.160743][ T5803] netdevsim netdevsim4 netdevsim2: renamed from eth2 [ 112.208877][ T5803] netdevsim netdevsim4 netdevsim3: renamed from eth3 [ 112.372548][ T5815] 8021q: adding VLAN 0 to HW filter on device bond0 [ 112.393532][ T5811] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 112.434239][ T5811] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 112.454473][ T5811] netdevsim netdevsim2 netdevsim2: renamed from eth2 [ 112.499920][ T5811] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 112.590073][ T5815] 8021q: adding VLAN 0 to HW filter on device team0 [ 112.624622][ T5801] 8021q: adding VLAN 0 to HW filter on device bond0 [ 112.646473][ T1178] bridge0: port 1(bridge_slave_0) entered blocking state [ 112.646651][ T1178] bridge0: port 1(bridge_slave_0) entered forwarding state [ 112.701523][ T1178] bridge0: port 2(bridge_slave_1) entered blocking state [ 112.702007][ T1178] bridge0: port 2(bridge_slave_1) entered forwarding state [ 112.773591][ T5801] 8021q: adding VLAN 0 to HW filter on device team0 [ 112.808199][ T5802] 8021q: adding VLAN 0 to HW filter on device bond0 [ 112.821837][ T1164] bridge0: port 1(bridge_slave_0) entered blocking state [ 112.822094][ T1164] bridge0: port 1(bridge_slave_0) entered forwarding state [ 112.872200][ T1164] bridge0: port 2(bridge_slave_1) entered blocking state [ 112.872340][ T1164] bridge0: port 2(bridge_slave_1) entered forwarding state [ 112.930948][ T5802] 8021q: adding VLAN 0 to HW filter on device team0 [ 112.970565][ T5803] 8021q: adding VLAN 0 to HW filter on device bond0 [ 112.984670][ T1178] bridge0: port 1(bridge_slave_0) entered blocking state [ 112.984820][ T1178] bridge0: port 1(bridge_slave_0) entered forwarding state [ 113.041480][ T1178] bridge0: port 2(bridge_slave_1) entered blocking state [ 113.046230][ T1178] bridge0: port 2(bridge_slave_1) entered forwarding state [ 113.121427][ T5803] 8021q: adding VLAN 0 to HW filter on device team0 [ 113.182604][ T12] bridge0: port 1(bridge_slave_0) entered blocking state [ 113.182750][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state [ 113.224012][ T5811] 8021q: adding VLAN 0 to HW filter on device bond0 [ 113.254171][ T13] bridge0: port 2(bridge_slave_1) entered blocking state [ 113.254469][ T13] bridge0: port 2(bridge_slave_1) entered forwarding state [ 113.404439][ T5811] 8021q: adding VLAN 0 to HW filter on device team0 [ 113.447736][ T1178] bridge0: port 1(bridge_slave_0) entered blocking state [ 113.462818][ T1178] bridge0: port 1(bridge_slave_0) entered forwarding state [ 113.529330][ T5815] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 113.536078][ T157] bridge0: port 2(bridge_slave_1) entered blocking state [ 113.539090][ T157] bridge0: port 2(bridge_slave_1) entered forwarding state [ 113.816136][ T5801] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 113.933583][ T5815] veth0_vlan: entered promiscuous mode [ 113.993176][ T5802] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 114.000521][ T5815] veth1_vlan: entered promiscuous mode [ 114.142332][ T5801] veth0_vlan: entered promiscuous mode [ 114.180158][ T5803] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 114.214988][ T5801] veth1_vlan: entered promiscuous mode [ 114.230104][ T5815] veth0_macvtap: entered promiscuous mode [ 114.284779][ T5815] veth1_macvtap: entered promiscuous mode [ 114.343014][ T5802] veth0_vlan: entered promiscuous mode [ 114.427589][ T5815] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 114.444625][ T5811] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 114.464570][ T5802] veth1_vlan: entered promiscuous mode [ 114.492392][ T5815] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 114.516263][ T5801] veth0_macvtap: entered promiscuous mode [ 114.564142][ T12] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 114.578313][ T5801] veth1_macvtap: entered promiscuous mode [ 114.583103][ T12] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 114.595404][ T12] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 114.624392][ T12] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 114.781578][ T5801] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 114.867311][ T5802] veth0_macvtap: entered promiscuous mode [ 114.891317][ T5801] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 114.949598][ T5802] veth1_macvtap: entered promiscuous mode [ 114.981709][ T5811] veth0_vlan: entered promiscuous mode [ 114.984119][ T1165] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.014212][ T1165] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.033005][ T1165] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.045950][ T13] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 115.045973][ T13] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 115.065988][ T1165] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.142706][ T5811] veth1_vlan: entered promiscuous mode [ 115.181870][ T5802] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 115.182097][ T5803] veth0_vlan: entered promiscuous mode [ 115.250355][ T157] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 115.250378][ T157] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 115.287896][ T5802] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 115.380954][ T5803] veth1_vlan: entered promiscuous mode [ 115.397855][ T1165] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.407653][ T1165] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.412952][ T1165] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.443789][ T1165] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 115.568048][ T1164] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 115.568071][ T1164] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 115.885929][ T5811] veth0_macvtap: entered promiscuous mode [ 116.723976][ T5811] veth1_macvtap: entered promiscuous mode [ 116.790319][ T13] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 116.790704][ T13] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 116.885224][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 116.895208][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 116.905215][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 116.915165][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 116.925200][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 116.935225][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 116.945176][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 116.955209][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 116.965183][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 116.975180][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 118.729944][ T5803] veth0_macvtap: entered promiscuous mode [ 119.274413][ T5811] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 119.282572][ T3501] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 119.282592][ T3501] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 119.354903][ T5803] veth1_macvtap: entered promiscuous mode [ 119.386942][ T5811] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 119.509785][ T63] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 119.514261][ T1178] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 119.514283][ T1178] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 119.524831][ T63] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 119.561386][ T63] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 119.588920][ T63] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 119.618226][ T5803] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 119.962057][ T5113] sysfs: cannot create duplicate filename '/devices/virtual/bluetooth/hci0/hci0:201' [ 119.962108][ T5113] CPU: 0 UID: 0 PID: 5113 Comm: kworker/u9:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} [ 119.962135][ T5113] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 119.962153][ T5113] Workqueue: hci0 hci_rx_work [ 119.962210][ T5113] Call Trace: [ 119.962224][ T5113] [ 119.962235][ T5113] dump_stack_lvl+0x189/0x250 [ 119.962266][ T5113] ? __pfx_dump_stack_lvl+0x10/0x10 [ 119.962294][ T5113] ? __pfx__printk+0x10/0x10 [ 119.962320][ T5113] ? kernfs_path_from_node+0x2c/0x280 [ 119.962351][ T5113] ? kernfs_path_from_node+0x243/0x280 [ 119.962379][ T5113] ? kernfs_path_from_node+0x2c/0x280 [ 119.962412][ T5113] sysfs_create_dir_ns+0x259/0x280 [ 119.962451][ T5113] ? __pfx_rt_mutex_slowunlock+0x10/0x10 [ 119.962477][ T5113] ? __pfx_sysfs_create_dir_ns+0x10/0x10 [ 119.962509][ T5113] ? rt_spin_unlock+0x161/0x200 [ 119.962535][ T5113] kobject_add_internal+0x6b1/0xcd0 [ 119.962567][ T5113] kobject_add+0x155/0x220 [ 119.962604][ T5113] ? __pfx_kobject_add+0x10/0x10 [ 119.962641][ T5113] ? get_device_parent+0x370/0x3a0 [ 119.962676][ T5113] device_add+0x408/0xb80 [ 119.962710][ T5113] hci_conn_add_sysfs+0xd5/0x210 [ 119.962741][ T5113] le_conn_complete_evt+0xf1d/0x1420 [ 119.962763][ T5113] ? lockdep_hardirqs_on+0x98/0x140 [ 119.962799][ T5113] ? __pfx_le_conn_complete_evt+0x10/0x10 [ 119.962819][ T5113] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 119.962855][ T5113] ? lockdep_hardirqs_on+0x98/0x140 [ 119.962888][ T5113] ? skb_pull_data+0xfb/0x200 [ 119.962920][ T5113] hci_le_conn_complete_evt+0x187/0x480 [ 119.962950][ T5113] hci_event_packet+0x78f/0x1260 [ 119.962979][ T5113] ? reacquire_held_locks+0x121/0x1c0 [ 119.963017][ T5113] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 119.963054][ T5113] ? __pfx_hci_event_packet+0x10/0x10 [ 119.963084][ T5113] ? rt_spin_unlock+0x150/0x200 [ 119.963117][ T5113] ? hci_send_to_monitor+0xe2/0x590 [ 119.963144][ T5113] hci_rx_work+0x3ee/0x1060 [ 119.963183][ T5113] ? process_scheduled_works+0x9ef/0x1770 [ 119.963211][ T5113] process_scheduled_works+0xad1/0x1770 [ 119.963263][ T5113] ? __pfx_process_scheduled_works+0x10/0x10 [ 119.963305][ T5113] worker_thread+0x8a0/0xda0 [ 119.963354][ T5113] kthread+0x711/0x8a0 [ 119.963387][ T5113] ? __pfx_worker_thread+0x10/0x10 [ 119.963414][ T5113] ? __pfx_kthread+0x10/0x10 [ 119.963452][ T5113] ? rt_spin_unlock+0x150/0x200 [ 119.963480][ T5113] ? rt_spin_unlock+0x161/0x200 [ 119.963503][ T5113] ? __pfx_kthread+0x10/0x10 [ 119.963537][ T5113] ret_from_fork+0x599/0xb30 [ 119.963562][ T5113] ? __pfx_ret_from_fork+0x10/0x10 [ 119.963595][ T5113] ? __switch_to_asm+0x39/0x70 [ 119.963624][ T5113] ? __switch_to_asm+0x33/0x70 [ 119.963651][ T5113] ? __pfx_kthread+0x10/0x10 [ 119.963681][ T5113] ret_from_fork_asm+0x1a/0x30 [ 119.963728][ T5113] [ 119.967806][ T5113] kobject: kobject_add_internal failed for hci0:201 with -EEXIST, don't try to register things with the same name in the same directory. [ 119.967930][ T5113] Bluetooth: hci0: failed to register connection device [ 120.407628][ T5803] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 120.586278][ T172] netdevsim netdevsim4 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 120.588728][ T172] netdevsim netdevsim4 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 120.588780][ T172] netdevsim netdevsim4 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 120.588820][ T172] netdevsim netdevsim4 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 121.159863][ T1164] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 121.159886][ T1164] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 125.798341][ T1178] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 125.798364][ T1178] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 125.976909][ T12] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 125.976934][ T12] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 126.175971][ T5931] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 126.175994][ T5931] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 126.846094][ T5951] Zero length message leads to an empty skb [ 127.647007][ T5113] Bluetooth: hci0: command 0x0406 tx timeout [ 129.024915][ T61] sysfs: cannot create duplicate filename '/devices/virtual/bluetooth/hci4/hci4:201' [ 129.024961][ T61] CPU: 0 UID: 0 PID: 61 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT_{RT,(full)} [ 129.024988][ T61] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 129.025003][ T61] Workqueue[ 129.025003][ T61] Workqueue: hci4 hci_rx_work [ 129.025037][ T61] Call Trace: [ 129.025046][ T61] [ 129.025056][ T61] dump_stack_lvl+0x189/0x250 [ 129.025094][ T61] ? __pfx_dump_stack_lvl+0x10/0x10 [ 129.025123][ T61] ? __pfx__printk+0x10/0x10 [ 129.025150][ T61] ? kernfs_path_from_node+0x2c/0x280 [ 129.025181][ T61] ? kernfs_path_from_node+0x243/0x280 [ 129.025211][ T61] ? kernfs_path_from_node+0x2c/0x280 [ 129.025247][ T61] sysfs_create_dir_ns+0x259/0x280 [ 129.025280][ T61] ? __pfx_rt_mutex_slowunlock+0x10/0x10 [ 129.025308][ T61] ? __pfx_sysfs_create_dir_ns+0x10/0x10 [ 129.025345][ T61] ? rt_spin_unlock+0x161/0x200 [ 129.025383][ T61] kobject_add_internal+0x6b1/0xcd0 [ 129.025414][ T61] kobject_add+0x155/0x220 [ 129.025453][ T61] ? __pfx_kobject_add+0x10/0x10 [ 129.025495][ T61] ? get_device_parent+0x370/0x3a0 [ 129.025534][ T61] device_add+0x408/0xb80 [ 129.025572][ T61] hci_conn_add_sysfs+0xd5/0x210 [ 129.025607][ T61] le_conn_complete_evt+0xf1d/0x1420 [ 129.025627][ T61] ? lockdep_hardirqs_on+0x98/0x140 [ 129.025667][ T61] ? __pfx_le_conn_complete_evt+0x10/0x10 [ 129.025689][ T61] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 129.025721][ T61] ? lockdep_hardirqs_on+0x98/0x140 [ 129.025758][ T61] ? skb_pull_data+0xfb/0x200 [ 129.025793][ T61] hci_le_conn_complete_evt+0x187/0x480 [ 129.025824][ T61] hci_event_packet+0x78f/0x1260 [ 129.025854][ T61] ? reacquire_held_locks+0x121/0x1c0 [ 129.025892][ T61] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 129.025931][ T61] ? __pfx_hci_event_packet+0x10/0x10 [ 129.025962][ T61] ? rt_spin_unlock+0x150/0x200 [ 129.025998][ T61] ? hci_send_to_monitor+0xe2/0x590 [ 129.026026][ T61] hci_rx_work+0x3ee/0x1060 [ 129.026065][ T61] ? process_scheduled_works+0x9ef/0x1770 [ 129.026094][ T61] process_scheduled_works+0xad1/0x1770 [ 129.026151][ T61] ? __pfx_process_scheduled_works+0x10/0x10 [ 129.026197][ T61] worker_thread+0x8a0/0xda0 [ 129.026253][ T61] kthread+0x711/0x8a0 [ 129.026288][ T61] ? __pfx_worker_thread+0x10/0x10 [ 129.026314][ T61] ? __pfx_kthread+0x10/0x10 [ 129.026343][ T61] ? rt_spin_unlock+0x150/0x200 [ 129.026381][ T61] ? rt_spin_unlock+0x161/0x200 [ 129.026403][ T61] ? __pfx_kthread+0x10/0x10 [ 129.026436][ T61] ret_from_fork+0x599/0xb30 [ 129.026465][ T61] ? __pfx_ret_from_fork+0x10/0x10 [ 129.026502][ T61] ? __switch_to_asm+0x39/0x70 [ 129.026532][ T61] ? __switch_to_asm+0x33/0x70 [ 129.026562][ T61] ? __pfx_kthread+0x10/0x10 [ 129.026596][ T61] ret_from_fork_asm+0x1a/0x30 [ 129.026647][ T61] [ 129.049525][ T61] kobject: kobject_add_internal failed for hci4:201 with -EEXIST, don't try to register things with the same name in the same directory. [ 129.049617][ T61] Bluetooth: hci4: failed to register connection device [ 129.224245][ T61] ================================================================== [ 129.224268][ T61] BUG: KASAN: slab-use-after-free in l2cap_sock_new_connection_cb+0x1f9/0x2e0 [ 129.224306][ T61] Read of size 8 at addr ffff8880310ff7b0 by task kworker/u9:0/61 [ 129.224325][ T61] [ 129.224338][ T61] CPU: 0 UID: 0 PID: 61 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT_{RT,(full)} [ 129.224364][ T61] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 129.224380][ T61] Workqueue: hci4 hci_rx_work [ 129.224411][ T61] Call Trace: [ 129.224421][ T61] [ 129.224432][ T61] dump_stack_lvl+0x189/0x250 [ 129.224464][ T61] ? rcu_is_watching+0x15/0xb0 [ 129.224487][ T61] ? __kasan_check_byte+0x12/0x40 [ 129.224524][ T61] ? __pfx_dump_stack_lvl+0x10/0x10 [ 129.224562][ T61] ? rcu_is_watching+0x15/0xb0 [ 129.224585][ T61] ? lock_release+0x4b/0x3b0 [ 129.224620][ T61] ? __virt_addr_valid+0x1c8/0x5c0 [ 129.224655][ T61] ? __virt_addr_valid+0x4a5/0x5c0 [ 129.224691][ T61] print_report+0xca/0x240 [ 129.224718][ T61] ? l2cap_sock_new_connection_cb+0x1f9/0x2e0 [ 129.224747][ T61] kasan_report+0x118/0x150 [ 129.224770][ T61] ? l2cap_sock_new_connection_cb+0x1f9/0x2e0 [ 129.224807][ T61] l2cap_sock_new_connection_cb+0x1f9/0x2e0 [ 129.224838][ T61] l2cap_connect_cfm+0x367/0x10e0 [ 129.224869][ T61] ? __pfx_l2cap_connect_cfm+0x10/0x10 [ 129.224895][ T61] ? mutex_lock_nested+0x154/0x1d0 [ 129.224918][ T61] ? hci_connect_cfm+0x2c/0x140 [ 129.224937][ T61] ? __pfx_l2cap_connect_cfm+0x10/0x10 [ 129.224962][ T61] hci_connect_cfm+0x95/0x140 [ 129.224984][ T61] le_conn_complete_evt+0xf65/0x1420 [ 129.225007][ T61] ? lockdep_hardirqs_on+0x98/0x140 [ 129.225041][ T61] ? __pfx_le_conn_complete_evt+0x10/0x10 [ 129.225063][ T61] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 129.225100][ T61] ? lockdep_hardirqs_on+0x98/0x140 [ 129.225134][ T61] ? skb_pull_data+0xfb/0x200 [ 129.225166][ T61] hci_le_conn_complete_evt+0x187/0x480 [ 129.225195][ T61] hci_event_packet+0x78f/0x1260 [ 129.225223][ T61] ? reacquire_held_locks+0x121/0x1c0 [ 129.225260][ T61] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 129.225297][ T61] ? __pfx_hci_event_packet+0x10/0x10 [ 129.225327][ T61] ? rt_spin_unlock+0x150/0x200 [ 129.225359][ T61] ? hci_send_to_monitor+0xe2/0x590 [ 129.225386][ T61] hci_rx_work+0x3ee/0x1060 [ 129.225423][ T61] ? process_scheduled_works+0x9ef/0x1770 [ 129.225450][ T61] process_scheduled_works+0xad1/0x1770 [ 129.225497][ T61] ? __pfx_process_scheduled_works+0x10/0x10 [ 129.225535][ T61] worker_thread+0x8a0/0xda0 [ 129.225589][ T61] kthread+0x711/0x8a0 [ 129.225624][ T61] ? __pfx_worker_thread+0x10/0x10 [ 129.225650][ T61] ? __pfx_kthread+0x10/0x10 [ 129.225679][ T61] ? rt_spin_unlock+0x150/0x200 [ 129.225707][ T61] ? rt_spin_unlock+0x161/0x200 [ 129.225730][ T61] ? __pfx_kthread+0x10/0x10 [ 129.225762][ T61] ret_from_fork+0x599/0xb30 [ 129.225790][ T61] ? __pfx_ret_from_fork+0x10/0x10 [ 129.225822][ T61] ? __switch_to_asm+0x39/0x70 [ 129.225853][ T61] ? __switch_to_asm+0x33/0x70 [ 129.225885][ T61] ? __pfx_kthread+0x10/0x10 [ 129.225916][ T61] ret_from_fork_asm+0x1a/0x30 [ 129.225959][ T61] [ 129.225968][ T61] [ 129.225974][ T61] Allocated by task 61: [ 129.225984][ T61] kasan_save_track+0x3e/0x80 [ 129.226014][ T61] __kasan_kmalloc+0x93/0xb0 [ 129.226043][ T61] __kmalloc_noprof+0x23e/0x7e0 [ 129.226074][ T61] sk_prot_alloc+0xe7/0x220 [ 129.226093][ T61] sk_alloc+0x3a/0x390 [ 129.226111][ T61] bt_sock_alloc+0x3b/0x310 [ 129.226141][ T61] l2cap_sock_new_connection_cb+0xe2/0x2e0 [ 129.226168][ T61] l2cap_connect_cfm+0x367/0x10e0 [ 129.226190][ T61] hci_connect_cfm+0x95/0x140 [ 129.226207][ T61] le_conn_complete_evt+0xf65/0x1420 [ 129.226227][ T61] hci_le_conn_complete_evt+0x187/0x480 [ 129.226245][ T61] hci_event_packet+0x78f/0x1260 [ 129.226272][ T61] hci_rx_work+0x3ee/0x1060 [ 129.226299][ T61] process_scheduled_works+0xad1/0x1770 [ 129.226321][ T61] worker_thread+0x8a0/0xda0 [ 129.226344][ T61] kthread+0x711/0x8a0 [ 129.226371][ T61] ret_from_fork+0x599/0xb30 [ 129.226391][ T61] ret_from_fork_asm+0x1a/0x30 [ 129.226421][ T61] [ 129.226426][ T61] Freed by task 5966: [ 129.226436][ T61] kasan_save_track+0x3e/0x80 [ 129.226464][ T61] kasan_save_free_info+0x46/0x50 [ 129.226487][ T61] __kasan_slab_free+0x5c/0x80 [ 129.226517][ T61] kfree+0x1bd/0x900 [ 129.226541][ T61] __sk_destruct+0x626/0x880 [ 129.226567][ T61] l2cap_sock_cleanup_listen+0xe0/0x450 [ 129.226592][ T61] l2cap_sock_release+0x6e/0x270 [ 129.226616][ T61] sock_close+0xc3/0x240 [ 129.226640][ T61] __fput+0x45b/0xa80 [ 129.226663][ T61] task_work_run+0x1d4/0x260 [ 129.226693][ T61] get_signal+0x11c4/0x1310 [ 129.226714][ T61] arch_do_signal_or_restart+0x9a/0x7a0 [ 129.226747][ T61] exit_to_user_mode_loop+0x87/0x4f0 [ 129.226776][ T61] do_syscall_64+0x2e3/0xf80 [ 129.226805][ T61] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 129.226825][ T61] [ 129.226831][ T61] The buggy address belongs to the object at ffff8880310ff000 [ 129.226831][ T61] which belongs to the cache kmalloc-2k of size 2048 [ 129.226850][ T61] The buggy address is located 1968 bytes inside of [ 129.226850][ T61] freed 2048-byte region [ffff8880310ff000, ffff8880310ff800) [ 129.226873][ T61] [ 129.226879][ T61] The buggy address belongs to the physical page: [ 129.226910][ T61] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x310f8 [ 129.226932][ T61] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 129.226950][ T61] anon flags: 0x80000000000040(head|node=0|zone=1) [ 129.226978][ T61] page_type: f5(slab) [ 129.226997][ T61] raw: 0080000000000040 ffff88813ff27000 0000000000000000 dead000000000001 [ 129.227015][ T61] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 [ 129.227036][ T61] head: 0080000000000040 ffff88813ff27000 0000000000000000 dead000000000001 [ 129.227054][ T61] head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 [ 129.227073][ T61] head: 0080000000000003 ffffea0000c43e01 00000000ffffffff 00000000ffffffff [ 129.227091][ T61] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008 [ 129.227102][ T61] page dumped because: kasan: bad access detected [ 129.227117][ T61] page_owner tracks the page as allocated [ 129.227125][ T61] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 26376466759, free_ts 0 [ 129.227162][ T61] post_alloc_hook+0x234/0x290 [ 129.227192][ T61] get_page_from_freelist+0x28c0/0x2960 [ 129.227211][ T61] __alloc_frozen_pages_noprof+0x181/0x370 [ 129.227232][ T61] alloc_pages_mpol+0xd1/0x380 [ 129.227250][ T61] allocate_slab+0x86/0x3b0 [ 129.227291][ T61] ___slab_alloc+0xb10/0x1400 [ 129.227311][ T61] __slab_alloc+0xc6/0x1f0 [ 129.227330][ T61] __kmalloc_node_track_caller_noprof+0x2bf/0x810 [ 129.227363][ T61] kmalloc_reserve+0x136/0x290 [ 129.227380][ T61] __alloc_skb+0x27e/0x430 [ 129.227396][ T61] rtmsg_ifinfo_build_skb+0x84/0x260 [ 129.227424][ T61] rtmsg_ifinfo+0x8c/0x1a0 [ 129.227450][ T61] register_netdevice+0x16fc/0x1a80 [ 129.227473][ T61] register_netdev+0x40/0x60 [ 129.227497][ T61] rose_proto_init+0x146/0x730 [ 129.227525][ T61] do_one_initcall+0x1fb/0x820 [ 129.227561][ T61] page_owner free stack trace missing [ 129.227569][ T61] [ 129.227575][ T61] Memory state around the buggy address: [ 129.227587][ T61] ffff8880310ff680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 129.227601][ T61] ffff8880310ff700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 129.227617][ T61] >ffff8880310ff780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 129.227628][ T61] ^ [ 129.227640][ T61] ffff8880310ff800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 129.227655][ T61] ffff8880310ff880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 129.227668][ T61] ================================================================== [ 129.227737][ T61] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 129.227760][ T61] CPU: 0 UID: 0 PID: 61 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT_{RT,(full)} [ 129.227787][ T61] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 129.227802][ T61] Workqueue: hci4 hci_rx_work [ 129.227835][ T61] Call Trace: [ 129.227844][ T61] [ 129.227853][ T61] dump_stack_lvl+0x99/0x250 [ 129.227883][ T61] ? __asan_memcpy+0x40/0x70 [ 129.227911][ T61] ? __pfx_dump_stack_lvl+0x10/0x10 [ 129.227941][ T61] ? __pfx__printk+0x10/0x10 [ 129.227969][ T61] vpanic+0x237/0x6d0 [ 129.227998][ T61] ? __pfx_vpanic+0x10/0x10 [ 129.228027][ T61] ? preempt_schedule+0xae/0xc0 [ 129.228055][ T61] ? __pfx_preempt_schedule+0x10/0x10 [ 129.228089][ T61] panic+0xb9/0xc0 [ 129.228118][ T61] ? __pfx_panic+0x10/0x10 [ 129.228150][ T61] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 129.228186][ T61] ? l2cap_sock_new_connection_cb+0x1f9/0x2e0 [ 129.228215][ T61] check_panic_on_warn+0x89/0xb0 [ 129.228250][ T61] ? l2cap_sock_new_connection_cb+0x1f9/0x2e0 [ 129.228279][ T61] end_report+0x6f/0x140 [ 129.228298][ T61] kasan_report+0x129/0x150 [ 129.228319][ T61] ? l2cap_sock_new_connection_cb+0x1f9/0x2e0 [ 129.228354][ T61] l2cap_sock_new_connection_cb+0x1f9/0x2e0 [ 129.228386][ T61] l2cap_connect_cfm+0x367/0x10e0 [ 129.228417][ T61] ? __pfx_l2cap_connect_cfm+0x10/0x10 [ 129.228444][ T61] ? mutex_lock_nested+0x154/0x1d0 [ 129.228467][ T61] ? hci_connect_cfm+0x2c/0x140 [ 129.228488][ T61] ? __pfx_l2cap_connect_cfm+0x10/0x10 [ 129.228513][ T61] hci_connect_cfm+0x95/0x140 [ 129.228535][ T61] le_conn_complete_evt+0xf65/0x1420 [ 129.228567][ T61] ? lockdep_hardirqs_on+0x98/0x140 [ 129.228603][ T61] ? __pfx_le_conn_complete_evt+0x10/0x10 [ 129.228625][ T61] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 129.228657][ T61] ? lockdep_hardirqs_on+0x98/0x140 [ 129.228691][ T61] ? skb_pull_data+0xfb/0x200 [ 129.228721][ T61] hci_le_conn_complete_evt+0x187/0x480 [ 129.228747][ T61] hci_event_packet+0x78f/0x1260 [ 129.228776][ T61] ? reacquire_held_locks+0x121/0x1c0 [ 129.228812][ T61] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 129.228847][ T61] ? __pfx_hci_event_packet+0x10/0x10 [ 129.228876][ T61] ? rt_spin_unlock+0x150/0x200 [ 129.228905][ T61] ? hci_send_to_monitor+0xe2/0x590 [ 129.228931][ T61] hci_rx_work+0x3ee/0x1060 [ 129.228965][ T61] ? process_scheduled_works+0x9ef/0x1770 [ 129.228991][ T61] process_scheduled_works+0xad1/0x1770 [ 129.229032][ T61] ? __pfx_process_scheduled_works+0x10/0x10 [ 129.229068][ T61] worker_thread+0x8a0/0xda0 [ 129.229108][ T61] kthread+0x711/0x8a0 [ 129.229141][ T61] ? __pfx_worker_thread+0x10/0x10 [ 129.229167][ T61] ? __pfx_kthread+0x10/0x10 [ 129.229197][ T61] ? rt_spin_unlock+0x150/0x200 [ 129.229223][ T61] ? rt_spin_unlock+0x161/0x200 [ 129.229246][ T61] ? __pfx_kthread+0x10/0x10 [ 129.229277][ T61] ret_from_fork+0x599/0xb30 [ 129.229303][ T61] ? __pfx_ret_from_fork+0x10/0x10 [ 129.229333][ T61] ? __switch_to_asm+0x39/0x70 [ 129.229366][ T61] ? __switch_to_asm+0x33/0x70 [ 129.229397][ T61] ? __pfx_kthread+0x10/0x10 [ 129.229427][ T61] ret_from_fork_asm+0x1a/0x30 [ 129.229469][ T61] [ 129.229824][ T61] Kernel Offset: disabled