program: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0)
# Triage notes (reviewer comments; every call below is unchanged, only split one per line).
# The kernel log after the program shows a general protection fault in h5_recv, reached via
# tty_ioctl -> tiocsti -> hci_uart_tty_receive. KASAN classifies it as a null-ptr-deref in the
# range 0x2f8-0x2ff, i.e. a field read at a small offset from a NULL base pointer. Which
# pointer is NULL cannot be determined from the log alone.
# The log shows the faulting task running as UID 0; whether a less privileged caller can reach
# this path is not shown here.
#
# Attach line discipline 0xf to the pty master. 0xf is N_HCI in the Linux uapi headers, which
# matches hci_uart_tty_receive appearing in the call trace.
ioctl$TIOCSETD(r0, 0x5423, &(0x7f00000000c0)=0xf)
r1 = fcntl$dupfd(r0, 0x0, r0) (async)
ioctl$TIOCMSET(r0, 0x5418, &(0x7f0000000540)=0x689) (async)
r2 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$IPT_SO_SET_REPLACE(r2, 0x0, 0x40, 0x0, 0x60) (async)
# NOTE(review): the call name is misleading because the fuzzer mutated the request number.
# 0x400455c8 decodes as _IOW('U', 200, int), which is HCIUARTSETPROTO, and argument 0x2 is
# HCI_UART_3WIRE (the H5 protocol), consistent with h5_recv in the trace. The call is marked
# (async), so it can overlap the TIOCSTI calls below; a race between protocol setup and
# receive is plausible but not proven by this log.
ioctl$TCFLSH(r1, 0x400455c8, 0x2) (async)
# NOTE(review): also mislabelled. Request 0x5412 is the value used by the ioctl$TIOCSTI calls
# below, not the 0x5423 used by the real TIOCSETD above. The saved user registers in the log
# (RSI 0x5412, RDX ending in ...0140) are consistent with this being the call in flight at the
# time of the fault; confirm against the executor's address mapping.
ioctl$TIOCSETD(r1, 0x5412, &(0x7f0000000140)=0xffffffc0)
# Each TIOCSTI pushes one byte into the tty input path, which the trace shows being delivered
# to the line discipline's receive handler.
ioctl$TIOCSTI(r1, 0x5412, &(0x7f0000000040))
ioctl$TIOCSTI(r1, 0x5412, &(0x7f0000000200)=0xff)
ioctl$TIOCSTI(r0, 0x5412, &(0x7f0000000180)) (async)
# The netfilter, close_range, prctl, dnotify and evdev calls from here on do not appear in the
# crash call trace. They are presumably unrelated fuzzer noise; confirm by minimising the
# reproducer before drawing conclusions about them.
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r3, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000006c0)={{0x14, 0x10, 0x4}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x5, 0x0, 0x0, {0x7}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWSET={0x3c, 0x9, 0xa, 0x0, 0x0, 0x0, {0x7}, [@NFTA_SET_ID={0x8}, @NFTA_SET_NAME={0x9, 0x2, 'syz1\x00'}, @NFTA_SET_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_SET_KEY_LEN={0x8, 0x5, 0x1, 0x0, 0x21}]}, @NFT_MSG_NEWSETELEM={0x40, 0xc, 0xa, 0x301, 0x0, 0x0, {0x7}, [@NFTA_SET_ELEM_LIST_SET={0x9, 0x2, 'syz1\x00'}, @NFTA_SET_ELEM_LIST_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_SET_ELEM_LIST_ELEMENTS={0x14, 0x3, 0x0, 0x1, [{0x10, 0x0, 0x0, 0x1, [@NFTA_SET_ELEM_FLAGS={0x8, 0x3, 0x1, 0x0, 0x2}, @NFTA_SET_ELEM_KEY_END={0x4}]}]}]}], {0x14, 0x10, 0x1, 0x0, 0x0, {0x0, 0x84}}}, 0xc4}}, 0x0)
ioctl$TIOCSTI(r0, 0x5412, &(0x7f0000000240)) (async)
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x2) (async)
r4 = creat(&(0x7f0000000100)='./file0\x00', 0x189)
prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, r4) (async)
ioctl$TIOCSTI(r1, 0x5412, &(0x7f00000001c0)) (async)
r5 = syz_open_dev$evdev(&(0x7f0000000180), 0x0, 0x0) (async)
r6 = open(&(0x7f0000000280)='.\x00', 0x0, 0x0)
fcntl$notify(r6, 0x402, 0x8000003d) (async)
fcntl$setsig(r6, 0xa, 0x21) (async)
# r6 is the directory fd returned by open('.') above, not a netlink socket.
sendmsg$NFT_BATCH(r6, &(0x7f0000000080)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x80}, 0xc, &(0x7f0000000040)={&(0x7f00000001c0)={{0x14}, [@NFT_MSG_DELTABLE={0x168, 0x2, 0xa, 0x801, 0x0, 0x0, {0xa}, [@NFTA_TABLE_FLAGS={0x8}, @NFTA_TABLE_USERDATA={0xa0, 0x6, "2242b70a5bc8a44314956c9f3e2102bb394408ad47799cab504135c5f212f8817c0fafb8b6608a1d7836f04b5e96770091b975ad949c5d5ff99b41b2f13e9a0e864500ef7d981f26aab100f853c09ffca95e5a49e02c1b06ee7dfb12f4851c8a045bd9f57f0be687764bb679ef5580b1c5f363512e46ccc2eb12fe23f3f45cb14ab12aefe6cdee0a3b477ce275a6f76e6a8da070f48bf4990d3acf10"}, @NFTA_TABLE_NAME={0x9, 0x1, 'syz1\x00'}, @NFTA_TABLE_HANDLE={0xc, 0x4, 0x1, 0x0, 0x1}, @NFTA_TABLE_FLAGS={0x8}, @NFTA_TABLE_USERDATA={0x57, 0x6, "e2f74188471a45cb78eb39080c1c6685222c02c8fc00e452a0f674c54b0b6d65eab6e333d501c01327a25d101123dbffa7d2b5190cc3821303ff0caf8594a83586d881df116efa3dc9d70b1a3ac94366576bdb"}, @NFTA_TABLE_FLAGS={0x8, 0x2, 0x1, 0x0, 0x3}, @NFTA_TABLE_HANDLE={0xc, 0x4, 0x1, 0x0, 0x4}, @NFTA_TABLE_USERDATA={0x20, 0x6, "ff6d2a5774ae90bc6e8b45dd497be5a1e23e472e1349074ce60fa24f"}]}, @NFT_MSG_DELCHAIN={0x1c, 0x5, 0xa, 0x5, 0x0, 0x0, {0x0, 0x0, 0x1}, [@NFTA_CHAIN_ID={0x8, 0xb, 0x1, 0x0, 0x3}]}, @NFT_MSG_DELFLOWTABLE={0x19c, 0x18, 0xa, 0x3, 0x0, 0x0, {0x2, 0x0, 0x9}, [@NFTA_FLOWTABLE_FLAGS={0x8, 0x7, 0x1, 0x0, 0x1}, @NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz0\x00'}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x1}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x4}, @NFTA_FLOWTABLE_HOOK={0x15c, 0x3, 0x0, 0x1, [@NFTA_FLOWTABLE_HOOK_PRIORITY={0x8}, @NFTA_FLOWTABLE_HOOK_DEVS={0x90, 0x3, 0x0, 0x1, [{0x14, 0x1, 'bond0\x00'}, {0x14, 0x1, 'dummy0\x00'}, {0x14}, {0x14, 0x1, 'veth1_to_hsr\x00'}, {0x14, 0x1, 'bond0\x00'}, {0x14, 0x1, 'veth0_to_bond\x00'}, {0x14, 0x1, 'vlan0\x00'}]}, @NFTA_FLOWTABLE_HOOK_NUM={0x8}, @NFTA_FLOWTABLE_HOOK_NUM={0x8}, @NFTA_FLOWTABLE_HOOK_NUM={0x8}, @NFTA_FLOWTABLE_HOOK_DEVS={0x90, 0x3, 0x0, 0x1, [{0x14, 0x1, 'netdevsim0\x00'}, {0x14, 0x1, 'bond_slave_1\x00'}, {0x14, 0x1, 'syzkaller0\x00'}, {0x14, 0x1, 'veth0_to_batadv\x00'}, {0x14, 0x1, 'wg2\x00'}, {0x14, 0x1, 'veth0_to_batadv\x00'}, {0x14, 0x1, 'ipvlan0\x00'}]}, @NFTA_FLOWTABLE_HOOK_NUM={0x8}, @NFTA_FLOWTABLE_HOOK_NUM={0x8}, @NFTA_FLOWTABLE_HOOK_NUM={0x8}]}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x2}}}, 0x348}}, 0x4000810)
r7 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r7, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000003c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r7, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000b00)={&(0x7f00000000c0)={{0x14, 0x10, 0x1, 0x0, 0x0, {0xa}}, [@NFT_MSG_NEWRULE={0x78, 0x6, 0xa, 0x401, 0x0, 0x0, {0x2}, [@NFTA_RULE_EXPRESSIONS={0x38, 0x4, 0x0, 0x1, [{0x34, 0x1, 0x0, 0x1, @match={{0xa}, @val={0x24, 0x2, 0x0, 0x1, [@NFTA_MATCH_NAME={0x8, 0x1, 'udp\x00'}, @NFTA_MATCH_INFO={0xe, 0x3, "7acc6338a90000b03bd9"}, @NFTA_MATCH_REV={0x8}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz2\x00'}, @NFTA_RULE_COMPAT={0x14, 0x5, 0x0, 0x1, [@NFTA_RULE_COMPAT_PROTO_IPV4={0x8, 0x1, 0x1, 0x0, 0x11}, @NFTA_RULE_COMPAT_FLAGS={0x8}]}]}], {0x14}}, 0xa0}}, 0x0) (async)
ioctl$EVIOCGMASK(r5, 0x80104592, &(0x7f0000000780)={0x1, 0x61, &(0x7f0000000880)="1e1ca2a7a519d6541fbbea8581b335d76a94a3258b726853137fa2666e6cba7e7598838a428dc03c104df65c8cc4f9c5f05fa26ba24f12c216ed4ab2a45a2b4b632ce724d8b668427a5f0106ef3f399d3a799a05b85b1229fd3549a51cd5e4d7fa"})
[ 75.893269][ T4668] Bluetooth: hci0: command tx timeout [ 75.940098][ T5319] Oops: general protection fault, probably for non-canonical address 0xdffffc000000005f: 0000 [#1] SMP KASAN NOPTI [ 75.949613][ T5319] KASAN: null-ptr-deref in range [0x00000000000002f8-0x00000000000002ff] [ 75.955699][ T5319] CPU: 0 UID: 0 PID: 5319 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.959720][ T5319] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.964118][ 
T5319] RIP: 0010:h5_recv+0x146/0x910 [ 75.966391][ T5319] Code: 18 48 c1 ea 03 48 89 54 24 28 48 89 d8 48 c1 e8 03 48 89 44 24 50 44 89 64 24 14 48 b8 00 00 00 00 00 fc ff df 48 8b 4c 24 30 <80> 3c 01 00 74 08 4c 89 ef e8 3c 01 f4 f9 4d 8b 65 00 31 ff 4c 89 [ 75.974958][ T5319] RSP: 0018:ffffc9000d3cfc20 EFLAGS: 00010202 [ 75.977656][ T5319] RAX: dffffc0000000000 RBX: 00000000000002e8 RCX: 000000000000005f [ 75.980998][ T5319] RDX: 000000000000005e RSI: 0000000000000001 RDI: 0000000000000000 [ 75.984297][ T5319] RBP: ffffc9000d3cfd40 R08: ffff88801225dc1f R09: 1ffff1100244bb83 [ 75.987775][ T5319] R10: dffffc0000000000 R11: ffffffff88335150 R12: 0000000000000001 [ 75.991262][ T5319] R13: 00000000000002f8 R14: ffff88801225dc10 R15: ffffc9000d3cfde0 [ 75.994870][ T5319] FS: 00007f82685d46c0(0000) GS:ffff88808d730000(0000) knlGS:0000000000000000 [ 75.998744][ T5319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 76.001667][ T5319] CR2: 00007f82685d3fc8 CR3: 00000000426d3000 CR4: 0000000000352ef0 [ 76.005254][ T5319] Call Trace: [ 76.006784][ T5319] [ 76.008076][ T5319] ? __pfx_h5_recv+0x10/0x10 [ 76.009869][ T5319] ? rcu_read_lock_any_held+0xb3/0x120 [ 76.011940][ T5319] ? __pfx_rcu_read_lock_any_held+0x10/0x10 [ 76.014091][ T5319] ? tty_audit_push+0x7c/0x250 [ 76.015829][ T5319] hci_uart_tty_receive+0x194/0x220 [ 76.017925][ T5319] ? __pfx_hci_uart_tty_receive+0x10/0x10 [ 76.020485][ T5319] tiocsti+0x23c/0x2c0 [ 76.022304][ T5319] ? __pfx_tiocsti+0x10/0x10 [ 76.024383][ T5319] ? __fget_files+0x3a0/0x420 [ 76.026461][ T5319] ? __fget_files+0x2a/0x420 [ 76.028599][ T5319] tty_ioctl+0x626/0xde0 [ 76.030350][ T5319] ? __pfx_tty_ioctl+0x10/0x10 [ 76.032490][ T5319] __se_sys_ioctl+0xfc/0x170 [ 76.034456][ T5319] do_syscall_64+0xfa/0xfa0 [ 76.036253][ T5319] ? lockdep_hardirqs_on+0x9c/0x150 [ 76.038527][ T5319] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.041206][ T5319] ? 
clear_bhb_loop+0x60/0xb0 [ 76.043258][ T5319] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.045846][ T5319] RIP: 0033:0x7f826c18f6c9 [ 76.047767][ T5319] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 76.055626][ T5319] RSP: 002b:00007f82685d4038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 76.059343][ T5319] RAX: ffffffffffffffda RBX: 00007f826c3e6090 RCX: 00007f826c18f6c9 [ 76.062736][ T5319] RDX: 0000200000000140 RSI: 0000000000005412 RDI: 0000000000000004 [ 76.066131][ T5319] RBP: 00007f826c211f91 R08: 0000000000000000 R09: 0000000000000000 [ 76.069580][ T5319] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.072950][ T5319] R13: 00007f826c3e6128 R14: 00007f826c3e6090 R15: 00007ffca77dbeb8 [ 76.076127][ T5319] [ 76.077485][ T5319] Modules linked in: [ 76.079679][ T5319] ---[ end trace 0000000000000000 ]--- [ 76.094689][ T5319] RIP: 0010:h5_recv+0x146/0x910 [ 76.096745][ T5319] Code: 18 48 c1 ea 03 48 89 54 24 28 48 89 d8 48 c1 e8 03 48 89 44 24 50 44 89 64 24 14 48 b8 00 00 00 00 00 fc ff df 48 8b 4c 24 30 <80> 3c 01 00 74 08 4c 89 ef e8 3c 01 f4 f9 4d 8b 65 00 31 ff 4c 89 [ 76.106174][ T5319] RSP: 0018:ffffc9000d3cfc20 EFLAGS: 00010202 [ 76.109606][ T5319] RAX: dffffc0000000000 RBX: 00000000000002e8 RCX: 000000000000005f [ 76.113597][ T5319] RDX: 000000000000005e RSI: 0000000000000001 RDI: 0000000000000000 [ 76.117024][ T5319] RBP: ffffc9000d3cfd40 R08: ffff88801225dc1f R09: 1ffff1100244bb83 [ 76.121405][ T5319] R10: dffffc0000000000 R11: ffffffff88335150 R12: 0000000000000001 [ 76.124785][ T5319] R13: 00000000000002f8 R14: ffff88801225dc10 R15: ffffc9000d3cfde0 [ 76.128726][ T5319] FS: 00007f82685d46c0(0000) GS:ffff88808d730000(0000) knlGS:0000000000000000 [ 76.132591][ T5319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 76.135392][ T5319] CR2: 00007f82685d3fc8 CR3: 
00000000426d3000 CR4: 0000000000352ef0 [ 76.139361][ T5319] Kernel panic - not syncing: Fatal exception [ 76.142922][ T5319] Kernel Offset: disabled [ 76.145213][ T5319] Rebooting in 86400 seconds..