Extracting prog: 3m24.620520375s
Minimizing prog: 31m43.288370856s
Simplifying prog options: 7m30.719161644s
Extracting C: 2m32.054816738s
Simplifying C: 0s


extracting reproducer from 1 programs
testing a last program of every proc
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mbind-mkdirat-mount$bind-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-mount$bind-mount$bind-mount$bind-socket$kcm-set_mempolicy-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD
detailed listing:
executing program 0:
mbind(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x8005, 0x0, 0x9, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
mount$bind(&(0x7f0000000300)='./file0/../file0\x00', &(0x7f0000000340)='./file0/file0\x00', 0x0, 0x89101a, 0x0)
mount$bind(0x0, 0x0, 0x0, 0x80000, 0x0)
mount$bind(0x0, &(0x7f0000000480)='./file0/../file0\x00', 0x0, 0x0, 0x0)
socket$kcm(0x11, 0x2, 0x0)
set_mempolicy(0x4005, 0x0, 0x4)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0)

program did not crash
single: failed to extract reproducer
single: executing 1 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mbind-mkdirat-mount$bind-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-mount$bind-mount$bind-mount$bind-socket$kcm-set_mempolicy-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD
detailed listing:
executing program 0:
mbind(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x8005, 0x0, 0x9, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
mount$bind(&(0x7f0000000300)='./file0/../file0\x00', &(0x7f0000000340)='./file0/file0\x00', 0x0, 0x89101a, 0x0)
mount$bind(0x0, 0x0, 0x0, 0x80000, 0x0)
mount$bind(0x0, &(0x7f0000000480)='./file0/../file0\x00', 0x0, 0x0, 0x0)
socket$kcm(0x11, 0x2, 0x0)
set_mempolicy(0x4005, 0x0, 0x4)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
single: successfully extracted reproducer
found reproducer with 12 syscalls
minimizing guilty program
testing program (duration=2m19.308159264s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mbind-mkdirat-mount$bind-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-mount$bind-mount$bind-mount$bind-socket$kcm-set_mempolicy
detailed listing:
executing program 0:
mbind(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x8005, 0x0, 0x9, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
mount$bind(&(0x7f0000000300)='./file0/../file0\x00', &(0x7f0000000340)='./file0/file0\x00', 0x0, 0x89101a, 0x0)
mount$bind(0x0, 0x0, 0x0, 0x80000, 0x0)
mount$bind(0x0, &(0x7f0000000480)='./file0/../file0\x00', 0x0, 0x0, 0x0)
socket$kcm(0x11, 0x2, 0x0)
set_mempolicy(0x4005, 0x0, 0x4)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
testing program (duration=2m19.308159264s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mbind-mkdirat-mount$bind-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-mount$bind-mount$bind-mount$bind-socket$kcm
detailed listing:
executing program 0:
mbind(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x8005, 0x0, 0x9, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
mount$bind(&(0x7f0000000300)='./file0/../file0\x00', &(0x7f0000000340)='./file0/file0\x00', 0x0, 0x89101a, 0x0)
mount$bind(0x0, 0x0, 0x0, 0x80000, 0x0)
mount$bind(0x0, &(0x7f0000000480)='./file0/../file0\x00', 0x0, 0x0, 0x0)
socket$kcm(0x11, 0x2, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
testing program (duration=2m19.308159264s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mbind-mkdirat-mount$bind-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-mount$bind-mount$bind-mount$bind
detailed listing:
executing program 0:
mbind(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x8005, 0x0, 0x9, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
mount$bind(&(0x7f0000000300)='./file0/../file0\x00', &(0x7f0000000340)='./file0/file0\x00', 0x0, 0x89101a, 0x0)
mount$bind(0x0, 0x0, 0x0, 0x80000, 0x0)
mount$bind(0x0, &(0x7f0000000480)='./file0/../file0\x00', 0x0, 0x0, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
testing program (duration=2m19.308159264s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mbind-mkdirat-mount$bind-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-mount$bind-mount$bind
detailed listing:
executing program 0:
mbind(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x8005, 0x0, 0x9, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
mount$bind(&(0x7f0000000300)='./file0/../file0\x00', &(0x7f0000000340)='./file0/file0\x00', 0x0, 0x89101a, 0x0)
mount$bind(0x0, 0x0, 0x0, 0x80000, 0x0)

program did not crash
testing program (duration=2m19.308159264s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mbind-mkdirat-mount$bind-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-mount$bind-mount$bind
detailed listing:
executing program 0:
mbind(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x8005, 0x0, 0x9, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
mount$bind(&(0x7f0000000300)='./file0/../file0\x00', &(0x7f0000000340)='./file0/file0\x00', 0x0, 0x89101a, 0x0)
mount$bind(0x0, &(0x7f0000000480)='./file0/../file0\x00', 0x0, 0x0, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
testing program (duration=2m19.308159264s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mbind-mkdirat-mount$bind-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-mount$bind
detailed listing:
executing program 0:
mbind(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x8005, 0x0, 0x9, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
mount$bind(0x0, &(0x7f0000000480)='./file0/../file0\x00', 0x0, 0x0, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
testing program (duration=2m19.308159264s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mbind-mkdirat-mount$bind-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-mount$bind
detailed listing:
executing program 0:
mbind(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x8005, 0x0, 0x9, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
mount$bind(0x0, &(0x7f0000000480)='./file0/../file0\x00', 0x0, 0x0, 0x0)

program did not crash
testing program (duration=2m19.308159264s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mbind-mkdirat-mount$bind-syz_init_net_socket$bt_l2cap-listen-mount$bind
detailed listing:
executing program 0:
mbind(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x8005, 0x0, 0x9, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
listen(r0, 0x0)
mount$bind(0x0, &(0x7f0000000480)='./file0/../file0\x00', 0x0, 0x0, 0x0)

program did not crash
testing program (duration=2m19.308159264s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mbind-mkdirat-mount$bind-bind$bt_l2cap-listen-mount$bind
detailed listing:
executing program 0:
mbind(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x8005, 0x0, 0x9, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
bind$bt_l2cap(0xffffffffffffffff, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(0xffffffffffffffff, 0x0)
mount$bind(0x0, &(0x7f0000000480)='./file0/../file0\x00', 0x0, 0x0, 0x0)

program did not crash
testing program (duration=2m19.308159264s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mbind-mkdirat-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-mount$bind
detailed listing:
executing program 0:
mbind(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x8005, 0x0, 0x9, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
mount$bind(0x0, &(0x7f0000000480)='./file0/../file0\x00', 0x0, 0x0, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
testing program (duration=2m19.308159264s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mbind-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-mount$bind
detailed listing:
executing program 0:
mbind(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x8005, 0x0, 0x9, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
mount$bind(0x0, &(0x7f0000000480)='./file0/../file0\x00', 0x0, 0x0, 0x0)

program did not crash
testing program (duration=2m19.308159264s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-mount$bind
detailed listing:
executing program 0:
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
mount$bind(0x0, &(0x7f0000000480)='./file0/../file0\x00', 0x0, 0x0, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
testing program (duration=2m19.308159264s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-mount$bind
detailed listing:
executing program 0:
mkdirat(0xffffffffffffff9c, 0x0, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
mount$bind(0x0, &(0x7f0000000480)='./file0/../file0\x00', 0x0, 0x0, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
testing program (duration=2m19.308159264s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-mount$bind
detailed listing:
executing program 0:
mkdirat(0xffffffffffffff9c, 0x0, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, 0x0, 0x0)
listen(r0, 0x0)
mount$bind(0x0, &(0x7f0000000480)='./file0/../file0\x00', 0x0, 0x0, 0x0)

program did not crash
testing program (duration=2m19.308159264s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-mount$bind
detailed listing:
executing program 0:
mkdirat(0xffffffffffffff9c, 0x0, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
mount$bind(0x0, 0x0, 0x0, 0x0, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
extracting C reproducer
testing compiled C program (duration=2m19.308159264s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-mount$bind
program did not crash
simplifying guilty program options
testing program (duration=2m19.308159264s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-mount$bind
detailed listing:
executing program 0:
mkdirat(0xffffffffffffff9c, 0x0, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
mount$bind(0x0, 0x0, 0x0, 0x0, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
extracting C reproducer
testing compiled C program (duration=2m19.308159264s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-mount$bind
program did not crash
testing program (duration=2m19.308159264s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-mount$bind
detailed listing:
executing program 0:
mkdirat(0xffffffffffffff9c, 0x0, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
mount$bind(0x0, 0x0, 0x0, 0x0, 0x0)

program did not crash
reproducing took 45m15.406275176s
repro crashed as (corrupted=false):
Unable to handle kernel paging request at virtual address dfff800000000024
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
[dfff800000000024] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4125 Comm: kworker/0:13 Not tainted 5.15.180-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: events l2cap_info_timeout
pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __lock_acquire+0x104/0x7638 kernel/locking/lockdep.c:4882
lr : lock_acquire+0x240/0x77c kernel/locking/lockdep.c:5623
sp : ffff800020477480
x29: ffff800020477720 x28: 1ffff0000296e06b x27: 0000000000000001
x26: ffff800010ef3050 x25: ffff70000408eeb4 x24: 0000000000000000
x23: 0000000000000000 x22: ffff0000c6a61b40 x21: 0000000000000000
x20: 0000000000000000 x19: 0000000000000120 x18: ffff800020477300
x17: 0000000000000000 x16: ffff800011b54918 x15: 0000000000000005
x14: ffff8000172044c0 x13: ffff8000204775a0 x12: dfff800000000000
x11: ffff8000082f27b8 x10: ffff800014b7035c x9 : 00000000000000f3
x8 : 0000000000000024 x7 : ffff800010ef3050 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000120
Call trace:
 __lock_acquire+0x104/0x7638 kernel/locking/lockdep.c:4882
 lock_acquire+0x240/0x77c kernel/locking/lockdep.c:5623
 lock_sock_nested+0xec/0x1ec net/core/sock.c:3253
 lock_sock include/net/sock.h:1684 [inline]
 l2cap_sock_ready_cb+0x4c/0x130 net/bluetooth/l2cap_sock.c:1649
 l2cap_chan_ready net/bluetooth/l2cap_core.c:1386 [inline]
 l2cap_conn_start+0x668/0xd28 net/bluetooth/l2cap_core.c:1644
 l2cap_info_timeout+0x68/0xb8 net/bluetooth/l2cap_core.c:1811
 process_one_work+0x790/0x11b8 kernel/workqueue.c:2310
 worker_thread+0x910/0x1034 kernel/workqueue.c:2457
 kthread+0x37c/0x45c kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
Code: f00648e8 b945e108 34000208 d343fe68 (386c6908) 
---[ end trace 1feebdd1f80f0163 ]---
----------------
Code disassembly (best guess):
   0:	f00648e8 	adrp	x8, 0xc91f000
   4:	b945e108 	ldr	w8, [x8, #1504]
   8:	34000208 	cbz	w8, 0x48
   c:	d343fe68 	lsr	x8, x19, #3
* 10:	386c6908 	ldrb	w8, [x8, x12] <-- trapping instruction

final repro crashed as (corrupted=false):
Unable to handle kernel paging request at virtual address dfff800000000024
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
[dfff800000000024] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4125 Comm: kworker/0:13 Not tainted 5.15.180-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: events l2cap_info_timeout
pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __lock_acquire+0x104/0x7638 kernel/locking/lockdep.c:4882
lr : lock_acquire+0x240/0x77c kernel/locking/lockdep.c:5623
sp : ffff800020477480
x29: ffff800020477720 x28: 1ffff0000296e06b x27: 0000000000000001
x26: ffff800010ef3050 x25: ffff70000408eeb4 x24: 0000000000000000
x23: 0000000000000000 x22: ffff0000c6a61b40 x21: 0000000000000000
x20: 0000000000000000 x19: 0000000000000120 x18: ffff800020477300
x17: 0000000000000000 x16: ffff800011b54918 x15: 0000000000000005
x14: ffff8000172044c0 x13: ffff8000204775a0 x12: dfff800000000000
x11: ffff8000082f27b8 x10: ffff800014b7035c x9 : 00000000000000f3
x8 : 0000000000000024 x7 : ffff800010ef3050 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000120
Call trace:
 __lock_acquire+0x104/0x7638 kernel/locking/lockdep.c:4882
 lock_acquire+0x240/0x77c kernel/locking/lockdep.c:5623
 lock_sock_nested+0xec/0x1ec net/core/sock.c:3253
 lock_sock include/net/sock.h:1684 [inline]
 l2cap_sock_ready_cb+0x4c/0x130 net/bluetooth/l2cap_sock.c:1649
 l2cap_chan_ready net/bluetooth/l2cap_core.c:1386 [inline]
 l2cap_conn_start+0x668/0xd28 net/bluetooth/l2cap_core.c:1644
 l2cap_info_timeout+0x68/0xb8 net/bluetooth/l2cap_core.c:1811
 process_one_work+0x790/0x11b8 kernel/workqueue.c:2310
 worker_thread+0x910/0x1034 kernel/workqueue.c:2457
 kthread+0x37c/0x45c kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
Code: f00648e8 b945e108 34000208 d343fe68 (386c6908) 
---[ end trace 1feebdd1f80f0163 ]---
----------------
Code disassembly (best guess):
   0:	f00648e8 	adrp	x8, 0xc91f000
   4:	b945e108 	ldr	w8, [x8, #1504]
   8:	34000208 	cbz	w8, 0x48
   c:	d343fe68 	lsr	x8, x19, #3
* 10:	386c6908 	ldrb	w8, [x8, x12] <-- trapping instruction