Extracting prog: 3m26.366223089s
Minimizing prog: 27m44.431276308s
Simplifying prog options: 0s
Extracting C: 38.776770572s
Simplifying C: 23m55.349997168s
extracting reproducer from 30 programs
testing a last program of every proc
single: executing 5 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6-socket$nl_route-syz_emit_ethernet-socket$nl_route-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route-sendmsg$nl_route_sched-connect$inet6-socket$inet6_sctp-connect$inet6-socket$inet6_sctp-sendto$inet6-getsockopt$inet_sctp6_SCTP_MAX_BURST-setsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY-sendmmsg-openat$tun-ioctl$TUNSETIFF-socket$kcm-ioctl$SIOCSIFHWADDR-socket$nl_netfilter-sendmsg$IPSET_CMD_LIST-socket$nl_generic-syz_genetlink_get_family_id$nl80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_JOIN_IBSS-sendmsg$NL80211_CMD_SET_PMK
detailed listing:
executing program 0:
r0 = socket$inet6(0xa, 0x3, 0x1)
r1 = socket$nl_route(0x10, 0x3, 0x0)
syz_emit_ethernet(0x2a, &(0x7f0000000000)={@broadcast, @local, @void, {@ipv4={0x800, @icmp={{0x5, 0x4, 0x0, 0x0, 0x14, 0x0, 0x0, 0x0, 0x2, 0x0, @rand_addr, @multicast1}, @address_request}}}}, 0x0)
r2 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000300)={'bridge0\x00', <r3=>0x0})
sendmsg$nl_route(r2, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000001c0)=@bridge_delneigh={0x28, 0x1c, 0x1, 0x0, 0x0, {0x7, 0x0, 0x0, r3, 0x80, 0xf2}, [@NDA_LLADDR={0xa, 0x2, @dev={'\xaa\xaa\xaa\xaa\xaa', 0xc}}]}, 0x28}}, 0x0)
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000340)={0x0, 0x30, &(0x7f0000000500)={&(0x7f0000000640)=@newtfilter={0x24, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r3, {0xfff2, 0x1}, {0x5, 0xfff6}, {0x1c}}, [@TCA_RATE={0x0, 0x5, {0x6, 0xf8}}, @filter_kind_options=@f_cgroup={{}, {0x0, 0x2, [@TCA_CGROUP_ACT={0x0, 0x1, [@m_tunnel_key={0x0, 0x18, 0x0, 0x0, {{}, {}, {0x0, 0x6, "6412f4151e971606faecefec1e420911fc66c4b325e845c0c5fe6dc2e33f67558dea2a9c2875e1ab7a649b2cc941a2663440512cf8d77779556783166b8ac901208dee795fe7ac57adb8119b46d9c81dc96e3c7585f7a02b75023eadf2589bc0dba393c2a2508c5819115a1f04bcaa3612894b2c0d8702dc2c254d5298f8a4c1e1946c1cf8cf90bfa7"}, {0x0, 0x7, {0x0, 0x1}}, {0x34, 0x8, {0x9d7df3b7e7e9f7a9, 0x3}}}}, @m_sample={0x0, 0x16, 0x0, 0x0, {{}, {0x0, 0x2, 0x0, 0x1, [@TCA_SAMPLE_PARMS={0x0, 0x2, {0x7, 0xaa0, 0x8, 0x2, 0x44}}, @TCA_SAMPLE_PSAMPLE_GROUP={0x0, 0x5, 0x5}, @TCA_SAMPLE_PSAMPLE_GROUP, @TCA_SAMPLE_PARMS={0x0, 0x2, {0x9, 0x40, 0x2, 0xfffffff8, 0x5}}, @TCA_SAMPLE_PSAMPLE_GROUP]}, {0x0, 0x6, "e38a0299fa058fd8e4c5fd71533407bbfae2a7424ab0113fa6c4e74be399bfb516af1c353f86b3158084968015ad15afb247cc690e9081bdf70cdfa4894f70149564cf5baaa81afeb4e8c78d0fa2c79d83bbb348373e4ebd13da91c2959b854ebc2fb0cf7a45006f8fee47742e624eac77757eb7c347e5f04acf2bb09b8dd6d59220dbec5f9c"}, {0x0, 0x7, {0x0, 0x1}}, {0x0, 0x8, {0x3}}}}, @m_tunnel_key={0x0, 0x11, 0x0, 0x0, {{}, {}, {0x0, 0x6, "1c96d95feeea4a40b886c7a851713d1a50ab47fcd33986754e1def44a645d4f4c6dea95947c9a6a26618826cfa7caa6df878007b6423f023cdbd21149cf28d3d833b164e198c7b280466b0be23b36d06362ba9a866d318a511ec7877e6e1a2124361296c010fa681369be253dd06311e09ce4affe98b4c2b8823bc88fbe834db7d833c2eed61652ab3fbe661a5950aead22bd09e0c098b50a9a3f809fd3cbc80f71af8182386b0eae4a4927bf5a99b9c5930e9db63a3a0d8704cf53018ae6806b65af5b1bb1ac54ef20788440c55c5c2f6dddd9c2624ba83c7c3915c33357af29b7faa418727030270575b9fba2378ff8fd60440a387a3b1982a8888f96337b14fc1a75210d4e364482a93162bbaa6fbbbe0cb6be120869e387018cdd6700ed887094fe5420dcdd442262b5f96570ec5e322d55c5006727e1a6238497214865f9ca6eebe1ff3babc1f9a21eb10c4b6aa55743704c3579e1b9ee47e9d0e031eb109f9adcfbc04c03d0fec125dfd469ea6024de6c44b3948a02ba3eba9a9093f82fe7076f165bb9a16b00740682c93446fe1c492759b7445ef2c4df5ebf17e79d0e8437e04a6c8036df8ebeea81b3ce3806842fd91d7d99d60071ae4192f0b291f32da4696f01356e7a5d95b85b2d6a675e65ae44522d0af291d4db2305f0a09ad8983ed7f64c4a8763610facfabf14955845d1545c7d6e332b23fd1a0a02ab367460305678f4fff182f4fedcf6de9ae07ddff5d3528e567043f35892fca526aaa10393e81e9ef62518f682f4b091a1835e708b5d45582dad4a48ac63e7d75e1281eeeb3d3b4d4901404c72f7633d1cb4f622cd52e35674215bf761ece782e73d2412ed425ef0e9757a1658dd00f4b1e6e5c50f58008427a0f5bff30b8a2d13a6585aca62d8df2dbafb9ad0fe525547637fbfeebda1456de68d3d11bdc5ab9d1c7aaf713ac02169d4956dd0b199f5f84affb91ece5d7be6d155a7163d58abe4e27e291aeffa07d5bd3fbe96ec11f612933ed7dd92f223d3ede0b6161566ee6b223f82389d2a687fa632404af58c569f5dbd85922f989ef15511a2f1af80c6771406f7c7538cc77c1c8d744bbc7493bc60c9730de680a2f286f652480067ed6f06461d2b1184fed34590cc77995848f156188edd665a5a4732a1421c56381830db4b491493dfc59844a2b002a8162f57571ff232e575a5886293e8d5028da6a821a110a7ee60219cb8a3f528c49891e2a2eb30c9ab54675adcfc8ba3363411d24a578ac36388ed617bd35865fc60fb1961e885a08f633ff70f612f1f682faacb312dde9bd0bcdcf12fd03f5bd2ba11164273ce2fcd603a1323c2dd57a191dbe108ea8a961a8ea98fc7d016dce601b29645174c856fa39e91e8677e79318ca5ee327a3636e3eeabd53efe54bca8eeab25693e78a982446ec7727b01af0a1d63f39dd1f575ec8c18c5d0e3d08d83534f0e8d9836c0e4d1269d7c8e2bb5eead2735bf9e7dec7cf7b6017cd49c0aa32dd244bd6bf4618d3e9ff1752a7bff8d8a08e3d9ee4756d3a294d1aaa3b0ff07054cad99111cad71013e08b378afda0caab165dbc74058abea75971b5792c5dbd1288725f196e3fa7cc691e0abfc881569bf4c83a68f28d83a5a9c73c38f8063d7d59520bad2d808bbb68aabb47fcc5dc3cf1dab50c3b2ebccbc41474be41682953c6fb153fb217f3720fe4d27421c4355a15e3a5551107ebe49bf9d4a2bba589653b2c6ddf9e2a6aeb65a7577d32257131568ee9fd1bf6e4ec1599d73387cdb96c4096de268f3e8395c92527c101282547bc7a018afb369a3be435ce04bc338f005bef356f0b3d36862fa2b87fa0dd62f38317ca6b316cafca6d3dd3b2517c7d4bfba74976c00ee90cba3f232fab1718198f4744f94818bf5be4623c565717bd42956915f8076ff6293f9f34d95508fdd7c50b480e8703a388d4a8627c46c4ea067222f5ec536e94edcfc9d6daf933db9302edd332cb878e9500c32bd2385e06e6b15550283f57322818d3dc5efd5b88c18b0e079cf76a7ce43fb3d6bc717e27d2b162dad83b93881551ed53020e6a4293d5e00c1fbe991a0c3d992424006a4e53844497b1f0c64e61916ac18fd51ee6a789e1a51a15d7b8400222dddddcf83523c8751644051229e35d0cabc92909c8651f5373c8e39a0b52a8c7281c7e2cca36abe3b7e386d13a3c6e2063a37fd6504d11e998ded0b427ce82ada4254d01f98c58d48b93c12ca599e9f3b4ba456947dc2f234bade5fff8a760a9246efa3902cb70222fce926d5eabd20c125646f8eefd7b73896d57cf3183874ddd3db18a3cedc09f8fb51dd4150c5f9d8b1eda31965e616b0ad3b323eaf5059d1296852c10ffdfd9ac1a4a9e708eac526aeacb11ff94234f3ac69579808042c30fec4e6eaf539a1c1fd173087d5d70773ed35c3c2a3d2f6dd7e062f93ae28607667f5fcb7ccb0535fa7a5e6565842b4858eda65706431cbead893f746cf728cea3b995129c40f9958fd29ba19221eabe69d9a3b83427fd7e825272c2deeef8d2caec31525c8e60359326e0d60c1a377a3b4ae0b387e01a5139c8eb72b6d53542c21e49093b8c7a7ec836083a9f8d76d92ad64bbf32501b41d2a789a518bb32c0263b88fed588720d4adbeb6894c2cd876a25971f81be4571ad2a052ca843e1a111cf8ad6f849ecb1e394aa8d5660263fcc7d1a147ec0048a0ac021cd9f8249324fdc9a577d9206aae1cbe19c30a43428ccbead9e45a04723d2f53209fa54f0e8a9c202885395fe394841358ca3bf20779d64f44c46755ee22ba7d416905205d3f3859747429c6024592b4ef7e70aac5ce260b33a5f7fb8d967c501edfa6547561b914bac3db7996de7ece1729c85cb052ca0151ed3274f0032873d1886d1d5c07adb57ca8be689d857bde6fbd82fdb4bd4d85774e6326f6d5551bffae34ab45b9e3cb42f070b24b2022a8f39d34840f7d2983d30b0c56e2099de0dc17ba1af54b706cf80e2fbc53286d8b9b38976c7dd8a50445064f5dbe5d62e75f6bb3c8af6a3e95261552da2fd5534fc40681664444490a5db2409338490b448d25cd90dca651a7f14a1d694901eccedc7668876fded9545e233acb65257c6cada44904e5997c6f7af69b5c277f2646291b4cd60033fefbaf086cf0987a69f1166102b0dfdb44fee313a0614ed98487be923f0ef90f1cdb62ea6a3076af80d4e38edeca7bef2678cc33a3f5865f3b264727ba7b8b241e6a24b416007d3347d6662f2de48daf17b0fc4716d446ed2a68fbb75f7491394d7178208ba5461b8bab620de5e3742cb33a4d43fec6869e8b4b7247f0f920d484493bb7224cad23c429efb30fc17e3b167aad971aa5afef2347f9fe26660182d5bbe03a8df794784f99a97a1824891cabba3a1dfc52b6e0cb6058211f3b7c540849cd942707edcc540a6b3159e5927638d9ae0689f88fcbb99eee85fd3b337a0b0d9b164bc186637a772058299499c3976941b6aa6ba002d432f5f9c1117b97e2ee6796eaf2770a1f8910bd4966e72d2cac6b33a7380ec1c502d67c7366bd97bcf646df13e911faeb9151b6c6c233f6c8c2533c1ac4ee935d9a97fdd2215747da005d26381622b5b26bb5ec66c906174436ff6e03f9a4f1569090a221255e53ee6c8553acf506f16a6bc200d7aca3c982c1f591e69dfae8d06b29d2b8aba19a27e6e0453f8c6d02feaa1b18ac665ad9e94f1d0730b92b1bf1db43b80fc024484c6857e01c0ab8d85304c0571b726dbf385264aea32b8d0056af473c77ccd1d6a21308ad44e3280c0cbb1e8ccc64e5501f5b3a4e56622810654797afc55952bbfa1be4ba6d7bf21dac95a698a0e276b3e6f31bbad2aee9f3ef15afb7c4a76d3ed7dc7f811468b902ea33aea9c2608bba2d1903ba611ac7ca49e38fa2239dab20277a5eabc6ef811a064238940d501d0f4fae3054385cfafec9b817ba3e26a11d4b26f59df77ffa6b000b3ee0f2b7cac3b74506f8726f95590bdb7702c276fcf512f34f5c5e9c740ef26d01a352f100a352d17025b4fbde8b79190e011fd0bbc094f5ac5fd26d4d7bbdc3f9f8ad349ad802f42a843ac5dba82935c1d594379a79441df32317adfc62f257fa71ac9d7f4c0938af7eb452f7d3315ebc1fdbacbbbb20b072e053e93708bbb8bd2d1ffbf99500ef56f763cb71b3477f030f85fd3979a94b126c8af395ec3a550aa77133946936a7a2ff501d5b1565a693ccfea2755c6fd73d99b26727398d989fb7dc4db408f911fa6bd3cb5974733254bdd53ec49403faad2ab24ee72bc4a514e987b603e409d580e89456ab3aa8f4d825cf40da281cdac48c25cec06565ea10415ed7fa38768cdd9ff99782ce9df60500027e5fbdb21eebf1eae969b4d21c98c069a99429a18e26f6846d6e3911c8e9750a0098bd9999a0841ec6f6ca2cdacfc4c353c77492f821c724b0f0ab0655b1cc29f47c64e8601a62aa6d8b8e03df22389e9a4edeb0338c072cbcaf42f382fa1b970af15da88e8c5c73cb44524f036f93cc8f764e7d2652698e4ed20773d59b75d8c186117be1249683d0ce705d6297bf75e0d722c8b6524315a61f87b77e1d1a77957bd0c19e87cefa08e5be2a260dbf4f6c61bdbec475e0b53f777de8d4c51784be14662bf1bf3f4f0bd7563f81cf2112ca9ee3ef4e39039cda5f5c736c54da42da720dfffe8fee54867447d04f8d791835f4b11b2895973b0fb2bf8b15a1d4e8bc06c204e61de208a2aa6cf23cafd7708e387cc6b5c94d1cb2b3b39861cebc5e14d9cba3f029fdd60577648b4a6cf6d5170fd85bd9ede8e109c5b08234850deb6461029b888629371f2bf0a64536b483e4b823b9ff588cc23fb687697ae1f4af9b9f61d1ff8fdaa390cba1b005365d1ca7ae443f18b441485246cd7b4d048f6478401b34298624c6cbca8fcb6dce38aa63999905a6755f6c5f78e7b61f482be7005a1b40cbe969f1020901dfa1efb9b7e6d18509710d4c11e1ec171cd645d96bfb27826e31a4c9d9fc482336a5f1e5037e43254572f9130ac0bf2ec54291451e5c34383f01aab3f722b689b17e03c61dd743a8a5a2edeffbbfabd9ee641c8c2b8d92548858c2480e624940581acd8e22acc50fd40f41f1bd52271daf56fa751645223c6773e08b9bf3de7858bd4b46725208e3a124e8ce448140205953702c37af3f1cb3106603a7b17f2baaa285e3d5d59cd79f79287fc0b9edc9f6bb454932d3926a4295e133763be49894023b4b9e43b530eff8f6144801d9dd7aa98a305da55547dddfacc3183f1c63983b11c7d32bece30365e0bae5c766d0d57d39f82d26c881f910091fcce7ed7cc6d857d6c635ef0a4eccc3062690550c94d9cd86b4a9347a0395cd710766442b1a7c6a0258d24994b8b09b2318abf3bc08d21bcaa6999fcf167a197ce3c9311c816cf20725e57efcfe8144c06a06ba7e07ce987b5b99a805373d61e7f8e16dd60ffc135bf88d3b4118fe49878775e022152d22523c4702e0f1833e90fd94a866af6e781d4fa529018a90778d65eb4041d4ad978e20e45ff8d221133d54c8d9106fe6cc88623c505a4548a791136a70fa314c777e9feca7a1cdad6b21226b26eff69682c5d76b4069201bd30df639ef8cfa52ce8950781f593119e6dc29bf665527d7905f576d7db111cbc88dccddefaea82d48fd3c343e886b898f27ca01c81d161c31bdece55a727141accb5f736f56f7a8dcf7725597b109dea776a6e2321511cb26da2e52fd7392b7d705c35e33bf781efbde7a98ed7dce3ee561fed32bcf2"}, {0x0, 0x7, {0x1}}}}]}, @TCA_CGROUP_POLICE={0x0, 0x2, [@TCA_POLICE_RESULT={0x0, 0x5, 0x6}, @TCA_POLICE_PEAKRATE64={0x0, 0x9, 0x3a4}, @TCA_POLICE_PEAKRATE={0x0, 0x3, [0x9, 0x9, 0x10001, 0x2, 0x1a48, 0xfffff629, 0x4, 0xfff, 0xa00000, 0x3416400, 0x7fffffff, 0xd, 0x7, 0x5, 0x4ef, 0x80, 0x81, 0x6, 0x7fffffff, 0x6, 0x10, 0x1000, 0x0, 0x5, 0x8, 0x0, 0x4, 0x5, 0x3ff, 0x8001, 0xffffffff, 0x31420c9b, 0x4, 0xf, 0x7, 0x9, 0xfffffff8, 0x81, 0x5, 0x6, 0xa, 0xaa88, 0xd1, 0x8, 0x2da, 0x1, 0x7, 0x8, 0x3, 0x9, 0x4, 0x5d, 0x4, 0xafa, 0x1, 0x5, 0x0, 0x2, 0x1, 0x0, 0x700000, 0xe81, 0x14000000, 0x5, 0x1, 0x200, 0xa, 0x14a063ac, 0x101, 0x8000, 0xb, 0x4, 0x9, 0x1ff, 0x9, 0x0, 0x10, 0x4, 0x9, 0xf, 0xfffc0000, 0x2, 0x4, 0x7, 0x6, 0x2, 0x1, 0x200, 0x2, 0x5, 0xfffff4ac, 0x9883, 0x200, 0x9, 0x3d9, 0x3, 0x2, 0x6, 0x6, 0x0, 0x10, 0x8000, 0x4, 0x4, 0xf37b, 0x80000000, 0x4, 0x4, 0x7, 0x7, 0x2, 0x1ff, 0x80000000, 0x7, 0x1, 0x100, 0xfffffffd, 0x6, 0xe27, 0x1, 0x10, 0xfffff652, 0x9, 0x8, 0xcfe, 0x8, 0x7a475a8e, 0x1000000, 0x80000000, 0x18e2, 0x3, 0x920, 0x2, 0x9, 0x8000, 0x101, 0x5, 0x5303, 0xc4, 0xa5, 0x0, 0x7, 0x5, 0x8, 0x81, 0xffffffff, 0x401, 0x65, 0xfffffff7, 0xb22e, 0x8001, 0x8001, 0x7, 0xf, 0x3, 0x2, 0x4, 0x3ce3, 0xc, 0x2, 0x6, 0xf, 0x5, 0x9, 0x8, 0x1, 0x5, 0x7, 0x3, 0x9db5, 0x6, 0x5, 0x1789, 0x7, 0x7943, 0x4, 0x7, 0xa4, 0x7, 0x401, 0x0, 0x3807, 0x6, 0x5, 0xd4b, 0x3, 0x0, 0x5, 0x4, 0x1, 0xeea, 0x4, 0x9, 0x6, 0x2, 0x4, 0x2, 0x78a8, 0x80000001, 0x2, 0x8000, 0x80, 0x7fff, 0x10000, 0x7f, 0x1, 0x2942, 0x8, 0x1, 0x5, 0x1000, 0x32, 0x721, 0x800, 0x3, 0x6eb0, 0x2, 0x0, 0x8, 0xf, 0x7, 0x2000, 0x2, 0x3, 0x10001, 0x6, 0x5, 0x9, 0x6, 0x4, 0x3, 0xffff, 0x7, 0x40, 0x8, 0x1000, 0x1, 0x5326, 0x8, 0x80000000, 0x8, 0xd, 0xef6a, 0x2, 0x6fbc, 0x5, 0xb60d, 0x6, 0xb9, 0x722, 0xa4e7, 0xae, 0x9, 0x4, 0x5, 0x40]}, @TCA_POLICE_PEAKRATE={0x0, 0x3, [0xfffffff8, 0x0, 0x2, 0x100, 0x2, 0x7e87, 0x2, 0x40000, 0x5, 0x7, 0x7, 0x9, 0x9, 0x8, 0x73f, 0x4, 0x9, 0x7, 0x8, 0xb5, 0x2c, 0xb208, 0x1, 0x9, 0x80000001, 0x9, 0x77c00fd6, 0x4, 0x9, 0x8, 0x4, 0x80000000, 0x4, 0xdd80, 0x4, 0x5, 0x6, 0x80, 0x6, 0x9, 0xec24, 0x3, 0x7, 0x8, 0xad5, 0xffff, 0x2, 0x8000, 0x1129, 0x3, 0x7fffffff, 0x111, 0x8001, 0x6, 0x7, 0x5, 0x5, 0x12eb, 0x8, 0x8, 0x8, 0x1ff, 0xb, 0x7fff, 0x8, 0x1, 0x7, 0x2, 0x4, 0x2, 0x2, 0x1, 0xffffff7f, 0x10, 0x200, 0x121, 0x1, 0x9, 0xffffbdb2, 0x7, 0x4, 0x3, 0x10000, 0x8, 0x100, 0x43, 0x8, 0x9, 0x2, 0x1, 0x7, 0xff, 0xfffffffc, 0x7, 0x100, 0x9, 0x80, 0x7, 0x3, 0x100, 0x3, 0x81, 0x3, 0x9, 0x1, 0x8, 0x6, 0x6, 0x4b98, 0x9, 0x101, 0x5, 0x1ff, 0x401, 0x10, 0x1, 0x476, 0x80, 0x1da, 0xb30, 0x400, 0xba855a04, 0x1, 0xfff, 0x3, 0xff, 0x27, 0x3, 0x3, 0xfffffff0, 0x8, 0x9, 0x6, 0x8, 0x81, 0xa, 0xef, 0x10, 0x2, 0x7130f952, 0x7, 0x0, 0x3, 0x80000001, 0x1, 0x7, 0x8001, 0x76, 0x8, 0x10000, 0x5, 0x7fffffff, 0xb8, 0xff, 0x6e, 0x101, 0x8, 0x3, 0x6, 0x7, 0x1, 0xffff, 0x2, 0x3, 0x6, 0x4, 0x6, 0xe84, 0xd, 0x757571fb, 0xf, 0xa, 0x12, 0x3, 0x5, 0x5, 0x9, 0x4, 0xf800, 0x80000000, 0x7fff, 0x51c, 0x7, 0x3, 0xcec, 0x8, 0x829, 0x8, 0x13, 0x44e7, 0x4, 0x9, 0x8, 0x6, 0x0, 0xc9, 0x4, 0x4, 0xfffffff7, 0x0, 0x0, 0x8, 0x7, 0x9, 0x6, 0x1000, 0x0, 0x7, 0x0, 0x80000000, 0x8, 0xfffffffb, 0x9, 0x8, 0x6, 0x0, 0x3, 0x0, 0x401, 0x4ccc, 0x6, 0x7, 0x4, 0x1, 0x7, 0x2, 0x3, 0x10001, 0x5, 0x8, 0x5f, 0x928d, 0x9, 0xa, 0xb3, 0x7, 0x3, 0x24, 0x42, 0x10001, 0xb72, 0x8000, 0x4, 0xc2, 0x9, 0x2, 0xffffff89, 0x8, 0x7, 0xe0000000, 0xffffffff, 0x101, 0x4167, 0x8000, 0x756]}, @TCA_POLICE_RATE64={0x0, 0x8, 0x7}, @TCA_POLICE_PEAKRATE64={0x0, 0x9, 0x9}]}, @TCA_CGROUP_EMATCHES={0x0, 0x3, 0x0, 0x1, [@TCA_EMATCH_TREE_HDR={0x0, 0x1, {0x6fd}}, @TCA_EMATCH_TREE_HDR={0x0, 0x1, {0x2}}, @TCA_EMATCH_TREE_HDR={0x0, 0x1, {0x7}}, @TCA_EMATCH_TREE_LIST={0x0, 0x2, 0x0, 0x1, [@TCF_EM_CMP={0x0, 0x3, 0x0, 0x0, {{0x3, 0x1, 0x9}, {0x89dc, 0x8, 0x7, 0x1, 0x9, 0x0, 0x2}}}, @TCF_EM_META={0x0, 0x3, 0x0, 0x0, {{0x30, 0x4, 0x40}, [@TCA_EM_META_LVALUE={0x0, 0x2, [@TCF_META_TYPE_INT=0x3, @TCF_META_TYPE_VAR="11c455eead", @TCF_META_TYPE_VAR="acb5b24db8674aa4", @TCF_META_TYPE_INT=0x4, @TCF_META_TYPE_VAR="2c13f82c42c4", @TCF_META_TYPE_VAR='<']}, @TCA_EM_META_LVALUE={0x0, 0x2, [@TCF_META_TYPE_INT=0x3, @TCF_META_TYPE_VAR="25385b7f969e1d", @TCF_META_TYPE_INT=0x9]}, @TCA_EM_META_RVALUE={0x0, 0x3, [@TCF_META_TYPE_VAR, @TCF_META_TYPE_INT=0x5, @TCF_META_TYPE_VAR, @TCF_META_TYPE_INT=0x8, @TCF_META_TYPE_INT=0x7, @TCF_META_TYPE_VAR="fe4adf46a1521b719d", @TCF_META_TYPE_INT=0x8]}, @TCA_EM_META_HDR={0x0, 0x1, {{0x9, 0x2, 0x3}, {0x8, 0xb, 0x1}}}]}}, @TCF_EM_CMP={0x0, 0x3, 0x0, 0x0, {{0x5, 0x1, 0xa2}, {0x6, 0x0, 0x1, 0x5, 0x7, 0x1}}}, @TCF_EM_U32={0x0, 0x2, 0x0, 0x0, {{0x5f, 0x3, 0x7f5}, {0xc, 0x8000, 0x8, 0x80}}}, @TCF_EM_CMP={0x0, 0x3, 0x0, 0x0, {{0x9, 0x1, 0xdf35}, {0x8, 0x7, 0x0, 0x1, 0x5, 0x2, 0x2}}}, @TCF_EM_NBYTE={0x0, 0x3, 0x0, 0x0, {{0x0, 0x2, 0x4}, {0x2, 0x0, 0x0, "8feae9"}}}, @TCF_EM_NBYTE={0x0, 0x3, 0x0, 0x0, {{0x9, 0x2, 0x7}, {0x200, 0x0, 0x2, "fd92c4169954"}}}]}, @TCA_EMATCH_TREE_LIST={0x0, 0x2, 0x0, 0x1, [@TCF_EM_CANID={0x0, 0x2, 0x0, 0x0, {{0x1b93, 0x7, 0xada6}, {{0x1, 0x0, 0x0, 0x1}, {0x3, 0x1, 0x1, 0x1}}}}]}, @TCA_EMATCH_TREE_LIST={0x0, 0x2, 0x0, 0x1, [@TCF_EM_CANID={0x0, 0x2, 0x0, 0x0, {{0x4, 0x7, 0x8}, {{0x4, 0x1, 0x1, 0x1}, {0x1, 0x0, 0x0, 0x1}}}}, @TCF_EM_CMP={0x0, 0x2, 0x0, 0x0, {{0x2, 0x1, 0x34c}, {0x6, 0x3, 0x9, 0x2, 0x7}}}, @TCF_EM_NBYTE={0x0, 0x1, 0x0, 0x0, {{0x4, 0x2, 0xe}, {0x6, 0x0, 0x2, "3353128aa426f4e4"}}}, @TCF_EM_CMP={0x0, 0x3, 0x0, 0x0, {{0xfff, 0x1, 0x4}, {0x23301748, 0xfffffffe, 0x3, 0x0, 0x5, 0x1, 0x2}}}, @TCF_EM_IPSET={0x0, 0x2, 0x0, 0x0, {{0x2, 0x8, 0xc279}, {0x1, 0x2, 0x6}}}, @TCF_EM_CANID={0x0, 0x1, 0x0, 0x0, {{0xf, 0x7, 0x7}, {{0x0, 0x0, 0x1, 0x1}, {0x3, 0x1}}}}, @TCF_EM_NBYTE={0x0, 0x3, 0x0, 0x0, {{0x1, 0x2, 0x1fd}, {0x7, 0x0, 0x1, "414ded1eda6078b4"}}}, @TCF_EM_IPSET={0x0, 0x3, 0x0, 0x0, {{0x2, 0x8, 0xf}, {0xffffffffffffffff, 0x6, 0x3}}}, @TCF_EM_NBYTE={0x0, 0x1, 0x0, 0x0, {{0x7f, 0x2, 0x2}, {0x3, 0x0, 0x0, "afcaf62a9a4e437894"}}}]}, @TCA_EMATCH_TREE_LIST={0x0, 0x2, 0x0, 0x1, [@TCF_EM_IPT={0x0, 0x2, 0x0, 0x0, {{0x8001, 0x9, 0x9}, [@TCA_EM_IPT_NFPROTO={0x0, 0x4, 0x3}, @TCA_EM_IPT_HOOK, @TCA_EM_IPT_NFPROTO={0x0, 0x4, 0x1}, @TCA_EM_IPT_NFPROTO={0x0, 0x4, 0x1}, @TCA_EM_IPT_MATCH_REVISION={0x0, 0x3, 0x7e}, @TCA_EM_IPT_MATCH_REVISION={0x0, 0x3, 0x9}]}}, @TCF_EM_IPT={0x0, 0x3, 0x0, 0x0, {{0xf30, 0x9, 0x3}, [@TCA_EM_IPT_NFPROTO={0x0, 0x4, 0x7}, @TCA_EM_IPT_HOOK, @TCA_EM_IPT_MATCH_REVISION={0x0, 0x3, 0x5}]}}, @TCF_EM_CANID={0x0, 0x2, 0x0, 0x0, {{0x7, 0x7, 0x1}, {{0x3, 0x1, 0x1}, {0x1, 0x0, 0x1, 0x1}}}}]}, @TCA_EMATCH_TREE_HDR={0x0, 0x1, {0x400}}, @TCA_EMATCH_TREE_HDR={0x0, 0x1, {0xe89}}]}, @TCA_CGROUP_ACT={0x0, 0x1, [@m_tunnel_key={0x0, 0x20, 0x0, 0x0, {{}, {0x0, 0x2, 0x0, 0x1, [@TCA_TUNNEL_KEY_NO_CSUM, @TCA_TUNNEL_KEY_ENC_IPV4_SRC={0x0, 0x3, @empty}]}, {0x0, 0x6, "e890793f3fb1f9e7859e0744c11a76cc4a7249ec4f78e498933f354b61438a50ba2b69caf33c2a8c1ac0c014d5591ff87a73aa00834eab45d2a17a9a769a6b20c0d6eb9e85bbc60b2158a76157f48e30a7b7dd1c2817a9372753a4230face5fd7b8fe8268968adeb5160bea14ac04b0c639f7207ad60e40d9c9fa29626654faaa4b8fc5755d2e42026832504a1b3dbf69a70"}, {0x0, 0x7, {0x1}}, {0x0, 0x8, {0x1}}}}, @m_pedit={0x0, 0x13, 0x0, 0x0, {{}, {}, {0x0, 0x6, "8daa9eecddf60129"}, {0x0, 0x7, {0x1}}}}, @m_vlan={0x0, 0x20, 0x0, 0x0, {{}, {0x0, 0x2, 0x0, 0x1, [@TCA_VLAN_PARMS={0x0, 0x2, {{0x8, 0x1, 0x8}, 0x3}}, @TCA_VLAN_PUSH_VLAN_PRIORITY, @TCA_VLAN_PUSH_VLAN_ID={0x0, 0x3, 0x7c9}, @TCA_VLAN_PARMS={0x0, 0x2, {{0x3, 0xd, 0x20000000, 0xfffffc00, 0x80000000}, 0x3}}, @TCA_VLAN_PUSH_VLAN_PROTOCOL={0x0, 0x4, 0x88a8}, @TCA_VLAN_PARMS={0x0, 0x2, {{0x10000, 0x3ff, 0xffffffffffffffff, 0x9, 0xf}, 0x1}}]}, {0x0, 0x6, "18b2f5738b06b8ea44ca4166d7728fd33bacad301d7760b19c5d54cbd9812eb8f44f14858bca79a205ccc256ca499e9987c4f060bb10073dd5b5b74fefe110d647e8b263cf28691c9d1030cc659c85f2775bd1ab83287e6e62ebf35a5e316663280b36d6518fd1782f8ecf7cf3fef7d0eff6631f8e638e66085d51ab17d1e954596754683470f029f9219bef28c158381ef44d0640"}, {0x0, 0x7, {0x1, 0x1}}, {0x0, 0x8, {0x2, 0x3}}}}, @m_skbedit={0x0, 0xe, 0x0, 0x0, {{}, {0x0, 0x2, 0x0, 0x1, [@TCA_SKBEDIT_PARMS={0x0, 0x2, {0x2, 0xffffffff, 0x7, 0x7}}]}, {0x0, 0x6, "37e6b0b9f998afdf5e7328e5da51359502acf352a6c1b5e427cfcdccb429df2c0e2f9e1afb186981ccba47d1693f1935441ed1d85a64de40dbd1f83365bfd93169"}, {0x0, 0x7, {0x0, 0x1}}, {0x0, 0x8, {0x0, 0x2}}}}, @m_simple={0x0, 0x1f, 0x0, 0x0, {{}, {0x0, 0x2, 0x0, 0x1, [@TCA_DEF_PARMS={0x0, 0x2, {0x2, 0x4, 0x20000000, 0x401, 0x8}}, @TCA_DEF_DATA={0x0, 0x3, '\x00'}, @TCA_DEF_PARMS={0x0, 0x2, {0x4cc, 0x6, 0x10000002, 0x3, 0x8001}}, @TCA_DEF_DATA={0x0, 0x3, '/dev/net/tun\x00'}, @TCA_DEF_DATA={0x0, 0x3, '\xaa\xaa\xaa\xaa\xaa'}, @TCA_DEF_DATA={0x0, 0x3, '%\x00'}, @TCA_DEF_DATA={0x0, 0x3, 'bridge0\x00'}]}, {0x0, 0x6, "e428d9696eb5e259f396780bc058327bc36311376d4f45b3d46726a8db1487ad8f21bdb77e72b5c2875be7d8cbd791e950b49b6ebb4ab11c8383939fc42805b2beabba468f75a41ffa1ca3503459f51fb989ab907078560c2808983a894073bc7bdb919a26f759fac9ece3ea6744c5fa9d51b903d79cfa11e3c112722c20dad3e9964e5b502b6d5880c587d96654b2605948ffb5136f124ecf91905d613ec1211801c709d3009b0e08abe37ce99bffce1bf055eb5fe8326628640ec0264981f1aa514ed6be76123e1211a5c4d08195f5a226fa5d7d95bc8bd47909dd153b4d336344bd4023a20269836cc4a0bc977415"}, {0x0, 0x7, {0x1, 0x1}}, {0x0, 0x8, {0x3, 0x3}}}}, @m_tunnel_key={0x0, 0x2, 0x0, 0x0, {{}, {0x0, 0x2, 0x0, 0x1, [@TCA_TUNNEL_KEY_ENC_DST_PORT={0x0, 0x9, 0x4e20}]}, {0x0, 0x6, "b5879ab8f7b4c5db28d0e3820e5695553aac29df2516dd61d3e169af66d63dbfc044ed55f1484040800277c901d4d7a5ced33af0a73186de8f6cc99476c4c345479f9748e1a87cacaa564a51b3b7fa6d39c89c63a7c12287c63c3d101034533c264c79b1b89262e1"}, {}, {0x0, 0x8, {0x0, 0x5}}}}]}, @TCA_CGROUP_EMATCHES={0x0, 0x3, 0x0, 0x1, [@TCA_EMATCH_TREE_HDR={0x0, 0x1, {0x6}}]}, @TCA_CGROUP_EMATCHES={0x0, 0x3, 0x0, 0x1, [@TCA_EMATCH_TREE_LIST={0x0, 0x2, 0x0, 0x1, [@TCF_EM_IPT={0x0, 0x2, 0x0, 0x0, {{0x0, 0x9, 0x8}, [@TCA_EM_IPT_MATCH_NAME, @TCA_EM_IPT_MATCH_NAME, @TCA_EM_IPT_NFPROTO={0x0, 0x4, 0x5}, @TCA_EM_IPT_MATCH_REVISION={0x0, 0x3, 0x5}, @TCA_EM_IPT_MATCH_DATA={0x0, 0x5, "ca10"}]}}, @TCF_EM_U32={0x0, 0x2, 0x0, 0x0, {{0x5, 0x3, 0x4}, {0x3, 0x8, 0x9, 0x3}}}, @TCF_EM_IPT={0x0, 0x1, 0x0, 0x0, {{0x61, 0x9, 0x1}, [@TCA_EM_IPT_MATCH_NAME, @TCA_EM_IPT_MATCH_REVISION={0x0, 0x3, 0x6}, @TCA_EM_IPT_NFPROTO={0x0, 0x4, 0x3}, @TCA_EM_IPT_MATCH_DATA={0x0, 0x5, "4788ab0df57b16052edf16ff4c2448062c864ba12f776220"}, @TCA_EM_IPT_HOOK={0x0, 0x1, 0x1}, @TCA_EM_IPT_MATCH_REVISION={0x0, 0x3, 0x8}, @TCA_EM_IPT_MATCH_REVISION={0x0, 0x3, 0x5}, @TCA_EM_IPT_MATCH_NAME]}}, @TCF_EM_META={0x0, 0x1, 0x0, 0x0, {{0xfffb, 0x4, 0x25}, [@TCA_EM_META_LVALUE={0x0, 0x2, [@TCF_META_TYPE_VAR="1b15a147b0b780", @TCF_META_TYPE_VAR="4d83", @TCF_META_TYPE_VAR='r_G', @TCF_META_TYPE_INT]}, @TCA_EM_META_LVALUE={0x0, 0x2, [@TCF_META_TYPE_INT=0x3, @TCF_META_TYPE_VAR="90ec", @TCF_META_TYPE_VAR='1!|', @TCF_META_TYPE_INT=0x5]}, @TCA_EM_META_RVALUE={0x0, 0x3, [@TCF_META_TYPE_VAR="d764810b2a"]}, @TCA_EM_META_HDR={0x0, 0x1, {{0x0, 0x1, 0x1}, {0x0, 0xd, 0x2}}}, @TCA_EM_META_RVALUE={0x0, 0x3, [@TCF_META_TYPE_VAR="c5d0eaa1", @TCF_META_TYPE_VAR="053e", @TCF_META_TYPE_VAR, @TCF_META_TYPE_INT=0x5, @TCF_META_TYPE_INT=0x8, @TCF_META_TYPE_VAR="4e4992e6263859a3c876"]}, @TCA_EM_META_HDR={0x0, 0x1, {{0x6, 0x7, 0x1}, {0x0, 0x1, 0x2}}}, @TCA_EM_META_HDR={0x0, 0x1, {{0x8217, 0xc}, {0x3, 0xb}}}]}}, @TCF_EM_CMP={0x0, 0x2, 0x0, 0x0, {{0xa00, 0x1, 0x400}, {0x7fff, 0x8, 0xeb, 0x4, 0x1, 0x0, 0x1}}}, @TCF_EM_IPT={0x0, 0x1, 0x0, 0x0, {{0xfff, 0x9, 0x3}, [@TCA_EM_IPT_MATCH_DATA={0x0, 0x5, "c158f2031935587d6f7ddafe95ae5463320b9cbf85db5363d5d456cfae35c1fcb7237ec9e2d6403df0d1e6163a3e47f443392ef70f371062749f6d8acac9fe9f1add2e414544d9613e363bb8adb93984ff75c9dd44df949b68e89aa3f7e1385ffca88eaa115935dedbea772315545cef2e377185db734991721c16b5c69a130a92407f30ddeedc7cf79c68124747a020f6c971543acb26fc6798f99c004d7867e2d11675ef297c1399e057e2c86d7e2c98f40e739532d4f3ca4ee1f4cdb2bb4e92c359c68c4e11132766b426"}, @TCA_EM_IPT_MATCH_REVISION={0x0, 0x3, 0x6}, @TCA_EM_IPT_MATCH_DATA={0x0, 0x5, "bb53537bb2312905bc989ccf0bc4422e474a7319aeca65b91e519abef66102e24f3c4a18e9fb7126ace3444cd9078a915868fad877118746e475265a45fed65ba452e6b1c3f6aae2c31d0a690269b15899cd955aa72043bb1ced8a4fc8a6517e828b925ebc7bdfe0f2d15ef703ec4b8c16f91bb7976636f10f50be56ad1b2a9b77ce081bf5"}, @TCA_EM_IPT_HOOK={0x0, 0x1, 0x3}, @TCA_EM_IPT_HOOK={0x0, 0x1, 0x55c99cef8c348d79}, @TCA_EM_IPT_MATCH_NAME]}}, @TCF_EM_NBYTE={0x0, 0x3, 0x0, 0x0, {{0x6, 0x2, 0x6}, {0x4, 0x0, 0x0, "21b54e0e"}}}]}, @TCA_EMATCH_TREE_HDR={0x0, 0x1, {0x1ff}}, @TCA_EMATCH_TREE_LIST={0x0, 0x2, 0x0, 0x1, [@TCF_EM_NBYTE={0x0, 0x1, 0x0, 0x0, {{0x9, 0x2, 0x3}, {0x42, 0x0, 0x2, "0a59a5b73c3d6c"}}}, @TCF_EM_U32={0x0, 0x2, 0x0, 0x0, {{0xffc1, 0x3, 0x8}, {0x1, 0x7, 0x1d, 0x3}}}, @TCF_EM_NBYTE={0x0, 0x1, 0x0, 0x0, {{0x3, 0x2, 0x8}, {0x8, 0x0, 0x0, "3f9a"}}}, @TCF_EM_U32={0x0, 0x1, 0x0, 0x0, {{0x8, 0x3, 0xf}, {0xfd8, 0x1000, 0x4, 0x4}}}]}]}, @TCA_CGROUP_EMATCHES={0x0, 0x3, 0x0, 0x1, [@TCA_EMATCH_TREE_LIST={0x0, 0x2, 0x0, 0x1, [@TCF_EM_NBYTE={0x0, 0x3, 0x0, 0x0, {{0x7, 0x2, 0x4}, {0x2, 0x0, 0x1, "279c15"}}}, @TCF_EM_NBYTE={0x0, 0x1, 0x0, 0x0, {{0x5}, {0x1000, 0x0, 0x2, "be2580639847d46f4334"}}}]}, @TCA_EMATCH_TREE_HDR={0x0, 0x1, {0xff}}]}]}}]}, 0x24}, 0x1, 0x0, 0x0, 0x2404080c}, 0x40010)
connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c)
r4 = socket$inet6_sctp(0xa, 0x5, 0x84)
connect$inet6(r4, &(0x7f0000000300)={0xa, 0x0, 0x0, @private1}, 0x1c)
r5 = socket$inet6_sctp(0xa, 0x5, 0x84)
sendto$inet6(r4, &(0x7f00000000c0)="8d", 0x1, 0x0, &(0x7f0000000180)={0xa, 0x4e23, 0x0, @private1}, 0x1c)
getsockopt$inet_sctp6_SCTP_MAX_BURST(r5, 0x84, 0xc, &(0x7f0000000000)=@assoc_value={<r6=>0x0}, &(0x7f0000000040)=0x8)
setsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY(r4, 0x84, 0x18, &(0x7f0000000080)={r6, 0x8}, 0x8)
sendmmsg(r0, &(0x7f0000000480), 0x21, 0x0)
r7 = openat$tun(0xffffffffffffff9c, &(0x7f00000003c0), 0x240241, 0x0)
ioctl$TUNSETIFF(r7, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r8 = socket$kcm(0x2, 0xa, 0x2)
ioctl$SIOCSIFHWADDR(r8, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local})
r9 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_LIST(r9, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000040)={0x1c, 0x7, 0x6, 0x801, 0x0, 0x0, {0x0, 0x0, 0x3}, [@IPSET_ATTR_PROTOCOL={0x5, 0x1, 0x6}]}, 0x1c}, 0x1, 0x0, 0x0, 0x2004c001}, 0x20008010)
r10 = socket$nl_generic(0x10, 0x3, 0x10)
r11 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000140), 0xffffffffffffffff)
r12 = socket$nl_generic(0x10, 0x3, 0x10)
r13 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000340), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r12, 0x8933, &(0x7f00000000c0)={'wlan0\x00', <r14=>0x0})
sendmsg$NL80211_CMD_JOIN_IBSS(r12, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000040)={0x38, r13, 0x101, 0x2, 0x0, {{}, {@val={0x8, 0x3, r14}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ibss_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}, @NL80211_ATTR_CHANNEL_WIDTH={0x8, 0x9f, 0x7}]]}, 0x38}}, 0x0)
sendmsg$NL80211_CMD_SET_PMK(r10, &(0x7f0000000380)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f00000002c0)={&(0x7f0000000280)={0x3c, r11, 0x800, 0x70bd2d, 0x25dfdbfb, {{}, {@val={0x8, 0x3, r14}, @val={0xc, 0x99, {0x80000001, 0x7a}}}}, [@NL80211_ATTR_PMKR0_NAME={0x14, 0x102, "ff696b8ddbf0871664972366f51a8fda"}]}, 0x3c}, 0x1, 0x0, 0x0, 0x8004}, 0x4000880)
program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_SET_TID_CONFIG-socket$nl_netfilter-sendmsg$IPSET_CMD_CREATE-socket$nl_route-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-sendmsg$nl_route-pipe-socket$nl_route-sendmsg$nl_route-vmsplice-socket$kcm-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-setsockopt$bt_BT_DEFER_SETUP-getsockopt$bt_BT_SNDMTU-socket$nl_route-sendmsg$nl_route-splice-socket$nl_route-sendmsg$nl_route-bpf$PROG_LOAD-socket$pppl2tp
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000800), 0xffffffffffffffff)
sendmsg$NL80211_CMD_SET_TID_CONFIG(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000480)={&(0x7f00000002c0)=ANY=[@ANYBLOB='0\x00\x00\x00', @ANYRES16=r1, @ANYBLOB="8b3308200300", @ANYRES32=0x0, @ANYBLOB="0c009900000000000000000008001d8004000080"], 0x30}}, 0x0)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_CREATE(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000004c0)={&(0x7f0000000580)={0x58, 0x2, 0x6, 0x801, 0x0, 0x0, {}, [@IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_REVISION={0x5}, @IPSET_ATTR_TYPENAME={0x14, 0x3, 'hash:ip,port,ip\x00'}, @IPSET_ATTR_DATA={0xc, 0x7, 0x0, 0x1, [@IPSET_ATTR_CIDR={0x5, 0x3, 0x1}]}, @IPSET_ATTR_FAMILY={0x5, 0x5, 0x2}, @IPSET_ATTR_PROTOCOL={0x5, 0x1, 0x6}]}, 0x58}}, 0x4000)
r3 = socket$nl_route(0x10, 0x3, 0x0)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000480)={0x11, 0x3, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000095"], &(0x7f0000000340)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, &(0x7f00000000c0)="a0", 0x0}, 0x31)
sendmsg$nl_route(r3, &(0x7f0000000400)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000540)=@newlink={0x34, 0x10, 0x413, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x14, 0x12, 0x0, 0x1, @vcan={{0x9}, {0x4}}}]}, 0x34}}, 0x40000)
pipe(&(0x7f0000000080)={<r5=>0xffffffffffffffff})
r6 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r6, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f00000002c0)=@delnexthop={0x20, 0x69, 0xb, 0x0, 0x0, {}, [{0x8, 0x1, 0x1}]}, 0x20}}, 0x0)
vmsplice(r5, &(0x7f0000000240)=[{&(0x7f0000000140)="f3ad01a0c28e83312ab3c51d7e7c67a3dbf1ba20535524ced3d3ef8f6f6c4f681b7cd7f32a4c3799430da65a829e8c00cfae8be92749d1a02abe8ebc580fd5815592e61cca54f1f45f4010e342e75b6aaa9b702336635dfed4c1601da25424992de24c476d7950a1312ef117b202ccc6d222cfe281fd25b84e730a953465e98ff18c21ba9dffb6c6fa464a82c619123062094017b4bcd21482c4ac", 0x9b}], 0x1, 0x2)
socket$kcm(0xa, 0x922000000003, 0x11)
r7 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x0)
bind$bt_l2cap(r7, &(0x7f0000000200), 0xe)
listen(r7, 0x0)
setsockopt$bt_BT_DEFER_SETUP(r7, 0x112, 0x7, &(0x7f0000000100), 0x4)
getsockopt$bt_BT_SNDMTU(r7, 0x112, 0xc, &(0x7f0000000380)=0x7f, &(0x7f00000003c0)=0x2)
r8 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r8, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="2800000021000100"], 0x28}}, 0x0)
splice(r3, &(0x7f0000000200)=0xffffffffffff18ee, r8, &(0x7f0000000280)=0x1000, 0x3, 0x3)
r9 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r9, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000080)=ANY=[@ANYBLOB="7800000010000304000000000000000000007400", @ANYRES32=0x0, @ANYBLOB="00000000600000005800128008000100677470004c00028008000100", @ANYRES32, @ANYBLOB="08000100", @ANYRES32, @ANYBLOB="0800030002000000080007006401010108000700ac1414bb0800020003"], 0x78}, 0x1, 0x0, 0x0, 0x4000}, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0xe, 0x16, &(0x7f0000000940)=ANY=[@ANYBLOB="61153c00000000006113340000000000bfa000000000000007000000ee0016055e0301000000000025050000030000006916b80000000000bf07000000000000260507000fff0720670600003f000000140600000ee60060bf500000000000002f650000000000006507f9ff0100000007070000cddfffff1e75000000000000bf54000000000000070400000400f9ffad4301000000000095000000000000001500000000000000950000000000000032ed3c12dc8c27df8ecf264e0f84f9f17d3c30e32f1754558f2278af6d71d79a5e12814cb1d8a5d4601d295c45a6a0b9bdb7dd3997f9c9c4f6f3be4b369289aa6812b8e007e733a9a4f1b0af3dda82ee45a010fb94fe9de57b9d8a814261bdb94a05002000c6c60bf70d742a81762bab8395fa64810b5b40d893ea8fe0185473d51b546cad3f1d5ab2af27546e7c955ccefa1f6ab689b555202da2e0ec2871b4a7e65836429a527dc47ebe84a423b6c8d345dc8da3085b0ab71ca1b901627b562ed04ae76002d4519af619e3cca4d69e0dee5eb106774a8f3e6916dfec88158f0200000000c8fb730a5c1bf2b2bb71a629361997a75fd552bdc206438b8ef4901fd03c16dfda44e2a2235c8ac86d8a297dff0445a15f21dce431e56723888fb126a163f16f920ae2fb494059bba8e3b680324a188076eb685d00c4e9b2ad9bc1172ba7cbebe174aba210d739a018f9bbec63222d20cecac4d03723f1c932fb3bba54b3a6aa57f1ad2e99e0e67ab9ff16d20000009f0f53acbb40b4f8e2738270001562ed834f2af97787f696649a462e7ee4bcf8b07a10d6735154beb4000000000000000000000000004000bc00f679629709e7e78f4ddc211bc3ebe6bd9d42ca0140a7afaab43176e65ec1118d50d1e827f3472f4445d253880800000000000000690884f800031e03a651bb96589a7e2e509bcc1d161347623cb5e7ac4629c8ab04871bc47287cd31cc43010000007b40407d000000210000000000000000005f37d83f84e98a523d80bd970d703f37ca364a601ae899a56715a0a62a34c6c94cce6994521629ab028acfc1d926a0f6a5489af8dc2f17923f3c40dfd1970a55c22fe3a5ac000000000000000000000000000000c1eb2d91fb79ea00000000000000bb0d00000000000000000000e4007be511fe32fbc90e2364a55e9bb66ac64423d2d00fea2594e190deae46e26c596f84eba9000000000000003cc3aa39ee4b1386bab561cda886fa642994cacd473b543ccb5f0d7b63924f17c67b13631822a11dc3c693962895496d4f6e9cc54db6c7205a6b26f92121ef53e553acdf42068fff496d2da7d6327f31d7c8cc5d325c5379b0363ce8bd1f61b007e1ff5f1be1969a1ba791ad46d800000000c7f26a0337302f3b41eae59809fd05d12f6186f117b062df67d3a63f3265dd1410eea68208a3f26b2989b832d8b34a34a4f08b34b3042065acaa10856e858d27adee7daf32903d3fc78700d429a2d4c8b6d803eb83eecfe4c7ff9e6ab5a52e83d089dad7a8710eec53f1b11cced7bc3c8da0c44d2fbf9f6f3ff3be4d1458077c2253b0c7c7a0a9fdd63bf910dc20e5cb2a88e59febc47f1212a21f631dbaa74f22bad050e9856b48ae3a03a497c37758537650fe6db80300c41fdc3d78e046f6160e1741299e8dc29906870e6431ed1eab5d067a183f064b060a8ec12725d42e3a74863d66bee966b1574f8e01b3f34a267ff0afa1e1c758a0079b747067312e9815a21cb3f1f8150d999d788535a4d3114dbc7e2bf2402a75fd7a55733360040855ed5d1c0d634fc5fb38f8709d87b27f8a5d9121fdc058447b728f134f72062fc4b1ca0780b1a7af137ff7b4ff139604faf0453b65586f65c7943d56b52f06c870edf0c5d744b5272b44c23488b2bdbff947c4dfa108cbb88202eeb81f428a5b3c299848649e1a6bff52f657a67463d7dbf85ae9321fc2cc17dc4a29b9cba8ded5de8206c812439ab129ae818837ee1562078fc524b3baf49a0be9bb7d958d5e87c6c09bf71a894bad62934782cc308e936d7637e07c4a2a3bc87b0da20000d9ef418cf19e7a8c4c328be0ce91798adc2dca871073f6bd61940aabc86b94f8cbde4d47060400e722a6a2af483ad0d3415ed0f9db009acaba9eaea93f811d434e00000000000000000000d154672fea96aedf346279ec00000000000000000000d535d41b0067f01e2e54b9154d876020b669640ead4ca44631fadf7c4ac39a1b331dbdcd52b36df021b731ef1f92330d347f88ced5c1aaadbcdd8d2257e3a9a7c7494fadf9be36f7a2474ee6e9446fa1fd486f85d672a77dc5bd21463994d49f12016305a1e394d292b66840fe32b40ad665d241a8b8a32b3100450c32832789aa8a096f41201b585cd76631c88cf958e9e9047f5af1730c5e83db12460a0768fd4b62be6c41eed307048bac8d1f7f164574241e06027654b248dcc38749eee0c1ee7c61b3f6411a559c3d45637b11e440ed5a99109b8e71d28c3d677af5f0499c6d3fc6a129775056958c9df824ebe5fa9fb306b24a8a8334910627d03efe69d4b61c4345f048c5da8aca16cea848fa77d2507c920a6bd654b00e07789382ed902c80deeff2fd5c78f42e4353e5360c3e55962efd1331e6736eaf4ee27736fa54803ee8ec1a15266ffcd8b30368740b584c2559e691e542cab3d49db327db62328f159d1e0900b3e23e84dedcd1377aa15dbeab7db181bd66980c3557c7d9f7377fcb6023accb5c368a121acf70e5f4c3f2a0ea07011c7166c23d28c0a7101b8b09736ecd34aa9dc1b498"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x7, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8, 0x10, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
socket$pppl2tp(0x18, 0x1, 0x1)
program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_MD5SIG-setsockopt$inet6_tcp_TCP_MD5SIG-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-socket$nl_netfilter-sendmsg$IPCTNL_MSG_TIMEOUT_NEW-write$bt_hci-close
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000140)={0x1e, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000071120d000000000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x24, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000300)={@in6={{0xa, 0x0, 0x0, @remote}}, 0x0, 0x0, 0x50, 0x0, "3f114438efdaca16d374b49a365be44d5e860ea3ba676c0b5047b80e2c3535d5bd9db3c8572560f4d1be5cd41f7716082ee3589f099942e6f1c395ddb8160381baadf27900"}, 0xd8)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000100)={@in6={{0xa, 0x0, 0x20000000, @remote}}, 0x0, 0x0, 0x0, 0x0, "ddfd3b7ed7c6a1c172a987ae5ce3cafd64c9a736831a5912d606798fb75c9981c4b3ac0e06891ff18bc5543ed57215a3c45f9154dfa319e52a15a2b9acf80c07fb1a854dad742eef6187f2304844c296"}, 0xd8)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0)
bind$bt_hci(r1, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000000)={0x1f, 0xffffffffffffffff, 0x3}, 0x6)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_TIMEOUT_NEW(r3, &(0x7f0000000d00)={0x0, 0x0, &(0x7f0000000cc0)={&(0x7f0000000c40)={0x34, 0x0, 0x8, 0x801, 0x0, 0x0, {0x3, 0x0, 0x2}, [@CTA_TIMEOUT_L4PROTO={0x5, 0x3, 0x2f}, @CTA_TIMEOUT_L3PROTO={0x6, 0x2, 0x1, 0x0, 0xa00}, @CTA_TIMEOUT_DATA={0x4}, @CTA_TIMEOUT_NAME={0x9, 0x1, 'syz1\x00'}]}, 0x34}, 0x1, 0x0, 0x0, 0x4004}, 0x40)
write$bt_hci(r2, &(0x7f0000000580)=ANY=[@ANYBLOB="5300000002"], 0x8)
close(r0)
program crashed: KASAN: slab-use-after-free Read in cmd_complete_rsp
single: successfully extracted reproducer
found reproducer with 13 syscalls
minimizing guilty program
testing program (duration=1m5.138855967s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_MD5SIG-setsockopt$inet6_tcp_TCP_MD5SIG-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-socket$nl_netfilter-sendmsg$IPCTNL_MSG_TIMEOUT_NEW-write$bt_hci
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000140)={0x1e, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000071120d000000000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x24, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000300)={@in6={{0xa, 0x0, 0x0, @remote}}, 0x0, 0x0, 0x50, 0x0, "3f114438efdaca16d374b49a365be44d5e860ea3ba676c0b5047b80e2c3535d5bd9db3c8572560f4d1be5cd41f7716082ee3589f099942e6f1c395ddb8160381baadf27900"}, 0xd8)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000100)={@in6={{0xa, 0x0, 0x20000000, @remote}}, 0x0, 0x0, 0x0, 0x0, "ddfd3b7ed7c6a1c172a987ae5ce3cafd64c9a736831a5912d606798fb75c9981c4b3ac0e06891ff18bc5543ed57215a3c45f9154dfa319e52a15a2b9acf80c07fb1a854dad742eef6187f2304844c296"}, 0xd8)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0)
bind$bt_hci(r1, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000000)={0x1f, 0xffffffffffffffff, 0x3}, 0x6)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_TIMEOUT_NEW(r3, &(0x7f0000000d00)={0x0, 0x0, &(0x7f0000000cc0)={&(0x7f0000000c40)={0x34, 0x0, 0x8, 0x801, 0x0, 0x0, {0x3, 0x0, 0x2}, [@CTA_TIMEOUT_L4PROTO={0x5, 0x3, 0x2f}, @CTA_TIMEOUT_L3PROTO={0x6, 0x2, 0x1, 0x0, 0xa00}, @CTA_TIMEOUT_DATA={0x4}, @CTA_TIMEOUT_NAME={0x9, 0x1, 'syz1\x00'}]}, 0x34}, 0x1, 0x0, 0x0, 0x4004}, 0x40)
write$bt_hci(r2, &(0x7f0000000580)=ANY=[@ANYBLOB="5300000002"], 0x8)
program crashed: possible deadlock in mgmt_remove_adv_monitor_complete
testing program (duration=1m5.138855967s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_MD5SIG-setsockopt$inet6_tcp_TCP_MD5SIG-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-socket$nl_netfilter-sendmsg$IPCTNL_MSG_TIMEOUT_NEW
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000140)={0x1e, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000071120d000000000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x24, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000300)={@in6={{0xa, 0x0, 0x0, @remote}}, 0x0, 0x0, 0x50, 0x0, "3f114438efdaca16d374b49a365be44d5e860ea3ba676c0b5047b80e2c3535d5bd9db3c8572560f4d1be5cd41f7716082ee3589f099942e6f1c395ddb8160381baadf27900"}, 0xd8)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000100)={@in6={{0xa, 0x0, 0x20000000, @remote}}, 0x0, 0x0, 0x0, 0x0, "ddfd3b7ed7c6a1c172a987ae5ce3cafd64c9a736831a5912d606798fb75c9981c4b3ac0e06891ff18bc5543ed57215a3c45f9154dfa319e52a15a2b9acf80c07fb1a854dad742eef6187f2304844c296"}, 0xd8)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0)
bind$bt_hci(r1, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000000)={0x1f, 0xffffffffffffffff, 0x3}, 0x6)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_TIMEOUT_NEW(r3, &(0x7f0000000d00)={0x0, 0x0, &(0x7f0000000cc0)={&(0x7f0000000c40)={0x34, 0x0, 0x8, 0x801, 0x0, 0x0, {0x3, 0x0, 0x2}, [@CTA_TIMEOUT_L4PROTO={0x5, 0x3, 0x2f}, @CTA_TIMEOUT_L3PROTO={0x6, 0x2, 0x1, 0x0, 0xa00}, @CTA_TIMEOUT_DATA={0x4}, @CTA_TIMEOUT_NAME={0x9, 0x1, 'syz1\x00'}]}, 0x34}, 0x1, 0x0, 0x0, 0x4004}, 0x40)
program did not crash
testing program (duration=1m5.138855967s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_MD5SIG-setsockopt$inet6_tcp_TCP_MD5SIG-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-socket$nl_netfilter-write$bt_hci
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000140)={0x1e, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000071120d000000000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x24, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000300)={@in6={{0xa, 0x0, 0x0, @remote}}, 0x0, 0x0, 0x50, 0x0, "3f114438efdaca16d374b49a365be44d5e860ea3ba676c0b5047b80e2c3535d5bd9db3c8572560f4d1be5cd41f7716082ee3589f099942e6f1c395ddb8160381baadf27900"}, 0xd8)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000100)={@in6={{0xa, 0x0, 0x20000000, @remote}}, 0x0, 0x0, 0x0, 0x0, "ddfd3b7ed7c6a1c172a987ae5ce3cafd64c9a736831a5912d606798fb75c9981c4b3ac0e06891ff18bc5543ed57215a3c45f9154dfa319e52a15a2b9acf80c07fb1a854dad742eef6187f2304844c296"}, 0xd8)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0)
bind$bt_hci(r1, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000000)={0x1f, 0xffffffffffffffff, 0x3}, 0x6)
socket$nl_netfilter(0x10, 0x3, 0xc)
write$bt_hci(r2, &(0x7f0000000580)=ANY=[@ANYBLOB="5300000002"], 0x8)
program crashed: possible deadlock in mgmt_remove_adv_monitor_complete
testing program (duration=1m5.138855967s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_MD5SIG-setsockopt$inet6_tcp_TCP_MD5SIG-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000140)={0x1e, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000071120d000000000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x24, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000300)={@in6={{0xa, 0x0, 0x0, @remote}}, 0x0, 0x0, 0x50, 0x0, "3f114438efdaca16d374b49a365be44d5e860ea3ba676c0b5047b80e2c3535d5bd9db3c8572560f4d1be5cd41f7716082ee3589f099942e6f1c395ddb8160381baadf27900"}, 0xd8)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000100)={@in6={{0xa, 0x0, 0x20000000, @remote}}, 0x0, 0x0, 0x0, 0x0, "ddfd3b7ed7c6a1c172a987ae5ce3cafd64c9a736831a5912d606798fb75c9981c4b3ac0e06891ff18bc5543ed57215a3c45f9154dfa319e52a15a2b9acf80c07fb1a854dad742eef6187f2304844c296"}, 0xd8)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0)
bind$bt_hci(r1, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000000)={0x1f, 0xffffffffffffffff, 0x3}, 0x6)
write$bt_hci(r2, &(0x7f0000000580)=ANY=[@ANYBLOB="5300000002"], 0x8)
program crashed: possible deadlock in mgmt_remove_adv_monitor_complete
testing program (duration=1m5.138855967s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_MD5SIG-setsockopt$inet6_tcp_TCP_MD5SIG-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-write$bt_hci
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000140)={0x1e, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000071120d000000000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x24, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000300)={@in6={{0xa, 0x0, 0x0, @remote}}, 0x0, 0x0, 0x50, 0x0, "3f114438efdaca16d374b49a365be44d5e860ea3ba676c0b5047b80e2c3535d5bd9db3c8572560f4d1be5cd41f7716082ee3589f099942e6f1c395ddb8160381baadf27900"}, 0xd8)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000100)={@in6={{0xa, 0x0, 0x20000000, @remote}}, 0x0, 0x0, 0x0, 0x0, "ddfd3b7ed7c6a1c172a987ae5ce3cafd64c9a736831a5912d606798fb75c9981c4b3ac0e06891ff18bc5543ed57215a3c45f9154dfa319e52a15a2b9acf80c07fb1a854dad742eef6187f2304844c296"}, 0xd8)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0)
bind$bt_hci(r1, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
write$bt_hci(r2, &(0x7f0000000580)=ANY=[@ANYBLOB="5300000002"], 0x8)
program did not crash
testing program (duration=1m5.138855967s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_MD5SIG-setsockopt$inet6_tcp_TCP_MD5SIG-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-bind$bt_hci-write$bt_hci
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000140)={0x1e, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000071120d000000000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x24, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000300)={@in6={{0xa, 0x0, 0x0, @remote}}, 0x0, 0x0, 0x50, 0x0, "3f114438efdaca16d374b49a365be44d5e860ea3ba676c0b5047b80e2c3535d5bd9db3c8572560f4d1be5cd41f7716082ee3589f099942e6f1c395ddb8160381baadf27900"}, 0xd8)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000100)={@in6={{0xa, 0x0, 0x20000000, @remote}}, 0x0, 0x0, 0x0, 0x0, "ddfd3b7ed7c6a1c172a987ae5ce3cafd64c9a736831a5912d606798fb75c9981c4b3ac0e06891ff18bc5543ed57215a3c45f9154dfa319e52a15a2b9acf80c07fb1a854dad742eef6187f2304844c296"}, 0xd8)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0)
bind$bt_hci(r1, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
bind$bt_hci(0xffffffffffffffff, &(0x7f0000000000)={0x1f, 0xffffffffffffffff, 0x3}, 0x6)
write$bt_hci(0xffffffffffffffff, &(0x7f0000000580)=ANY=[@ANYBLOB="5300000002"], 0x8)
program did not crash
testing program (duration=1m5.138855967s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_MD5SIG-setsockopt$inet6_tcp_TCP_MD5SIG-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000140)={0x1e, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000071120d000000000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x24, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000300)={@in6={{0xa, 0x0, 0x0, @remote}}, 0x0, 0x0, 0x50, 0x0, "3f114438efdaca16d374b49a365be44d5e860ea3ba676c0b5047b80e2c3535d5bd9db3c8572560f4d1be5cd41f7716082ee3589f099942e6f1c395ddb8160381baadf27900"}, 0xd8)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000100)={@in6={{0xa, 0x0, 0x20000000, @remote}}, 0x0, 0x0, 0x0, 0x0, "ddfd3b7ed7c6a1c172a987ae5ce3cafd64c9a736831a5912d606798fb75c9981c4b3ac0e06891ff18bc5543ed57215a3c45f9154dfa319e52a15a2b9acf80c07fb1a854dad742eef6187f2304844c296"}, 0xd8)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000000)={0x1f, 0xffffffffffffffff, 0x3}, 0x6)
write$bt_hci(r2, &(0x7f0000000580)=ANY=[@ANYBLOB="5300000002"], 0x8)
program did not crash
testing program (duration=1m5.138855967s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_MD5SIG-setsockopt$inet6_tcp_TCP_MD5SIG-syz_init_net_socket$bt_hci-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000140)={0x1e, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000071120d000000000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x24, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000300)={@in6={{0xa, 0x0, 0x0, @remote}}, 0x0, 0x0, 0x50, 0x0, "3f114438efdaca16d374b49a365be44d5e860ea3ba676c0b5047b80e2c3535d5bd9db3c8572560f4d1be5cd41f7716082ee3589f099942e6f1c395ddb8160381baadf27900"}, 0xd8)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000100)={@in6={{0xa, 0x0, 0x20000000, @remote}}, 0x0, 0x0, 0x0, 0x0, "ddfd3b7ed7c6a1c172a987ae5ce3cafd64c9a736831a5912d606798fb75c9981c4b3ac0e06891ff18bc5543ed57215a3c45f9154dfa319e52a15a2b9acf80c07fb1a854dad742eef6187f2304844c296"}, 0xd8)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000000)={0x1f, 0xffffffffffffffff, 0x3}, 0x6)
write$bt_hci(r2, &(0x7f0000000580)=ANY=[@ANYBLOB="5300000002"], 0x8)
program did not crash
testing program (duration=1m5.138855967s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_MD5SIG-setsockopt$inet6_tcp_TCP_MD5SIG-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000140)={0x1e, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000071120d000000000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x24, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000300)={@in6={{0xa, 0x0, 0x0, @remote}}, 0x0, 0x0, 0x50, 0x0, "3f114438efdaca16d374b49a365be44d5e860ea3ba676c0b5047b80e2c3535d5bd9db3c8572560f4d1be5cd41f7716082ee3589f099942e6f1c395ddb8160381baadf27900"}, 0xd8)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000100)={@in6={{0xa, 0x0, 0x20000000, @remote}}, 0x0, 0x0, 0x0, 0x0, "ddfd3b7ed7c6a1c172a987ae5ce3cafd64c9a736831a5912d606798fb75c9981c4b3ac0e06891ff18bc5543ed57215a3c45f9154dfa319e52a15a2b9acf80c07fb1a854dad742eef6187f2304844c296"}, 0xd8)
ioctl$HCIINQUIRY(0xffffffffffffffff, 0x400448ca, 0x0)
bind$bt_hci(0xffffffffffffffff, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000000)={0x1f, 0xffffffffffffffff, 0x3}, 0x6)
write$bt_hci(r1, &(0x7f0000000580)=ANY=[@ANYBLOB="5300000002"], 0x8)
program did not crash
testing program (duration=1m5.138855967s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_MD5SIG-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000140)={0x1e, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000071120d000000000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x24, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000300)={@in6={{0xa, 0x0, 0x0, @remote}}, 0x0, 0x0, 0x50, 0x0, "3f114438efdaca16d374b49a365be44d5e860ea3ba676c0b5047b80e2c3535d5bd9db3c8572560f4d1be5cd41f7716082ee3589f099942e6f1c395ddb8160381baadf27900"}, 0xd8)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0)
bind$bt_hci(r1, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000000)={0x1f, 0xffffffffffffffff, 0x3}, 0x6)
write$bt_hci(r2, &(0x7f0000000580)=ANY=[@ANYBLOB="5300000002"], 0x8)
program crashed: WARNING in ip6mr_free_table
testing program (duration=1m5.138855967s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_tcp-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000140)={0x1e, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000071120d000000000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x24, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
socket$inet6_tcp(0xa, 0x1, 0x0)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000000)={0x1f, 0xffffffffffffffff, 0x3}, 0x6)
write$bt_hci(r1, &(0x7f0000000580)=ANY=[@ANYBLOB="5300000002"], 0x8)
program crashed: possible deadlock in mgmt_remove_adv_monitor_complete
testing program (duration=1m5.138855967s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000140)={0x1e, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000071120d000000000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x24, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000000)={0x1f, 0xffffffffffffffff, 0x3}, 0x6)
write$bt_hci(r1, &(0x7f0000000580)=ANY=[@ANYBLOB="5300000002"], 0x8)
program crashed: possible deadlock in mgmt_remove_adv_monitor_complete
testing program (duration=1m5.138855967s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000000)={0x1f, 0xffffffffffffffff, 0x3}, 0x6)
write$bt_hci(r1, &(0x7f0000000580)=ANY=[@ANYBLOB="5300000002"], 0x8)
program crashed: possible deadlock in mgmt_remove_adv_monitor_complete
testing program (duration=1m5.138855967s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
bind$bt_hci(r0, 0x0, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000000)={0x1f, 0xffffffffffffffff, 0x3}, 0x6)
write$bt_hci(r1, &(0x7f0000000580)=ANY=[@ANYBLOB="5300000002"], 0x8)
program did not crash
testing program (duration=1m5.138855967s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, 0x0, 0x0)
write$bt_hci(r1, &(0x7f0000000580)=ANY=[@ANYBLOB="5300000002"], 0x8)
program did not crash
testing program (duration=1m5.138855967s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000000)={0x1f, 0xffffffffffffffff, 0x3}, 0x6)
write$bt_hci(r1, 0x0, 0x8)
program did not crash
testing program (duration=1m5.138855967s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000000)={0x1f, 0xffffffffffffffff, 0x3}, 0x6)
write$bt_hci(r1, &(0x7f0000000580)=ANY=[@ANYBLOB], 0x8)
program did not crash
extracting C reproducer
testing compiled C program (duration=1m5.138855967s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
program crashed: possible deadlock in mgmt_remove_adv_monitor_complete
simplifying C reproducer
testing compiled C program (duration=1m5.138855967s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
program crashed: possible deadlock in mgmt_remove_adv_monitor_complete
testing compiled C program (duration=1m5.138855967s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
program did not crash
testing compiled C program (duration=1m5.138855967s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
program did not crash
testing compiled C program (duration=1m5.138855967s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
program crashed: possible deadlock in mgmt_remove_adv_monitor_complete
testing compiled C program (duration=1m5.138855967s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
program crashed: possible deadlock in mgmt_remove_adv_monitor_complete
testing compiled C program (duration=1m5.138855967s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
program crashed: possible deadlock in mgmt_remove_adv_monitor_complete
testing compiled C program (duration=1m5.138855967s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
program crashed: possible deadlock in mgmt_remove_adv_monitor_complete
testing compiled C program (duration=1m5.138855967s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
program crashed: possible deadlock in mgmt_remove_adv_monitor_complete
testing compiled C program (duration=1m5.138855967s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
program crashed: possible deadlock in mgmt_remove_adv_monitor_complete
testing compiled C program (duration=1m5.138855967s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
program did not crash
testing compiled C program (duration=1m5.138855967s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
program crashed: KASAN: slab-use-after-free Read in mgmt_pending_remove
a never seen crash title: KASAN: slab-use-after-free Read in mgmt_pending_remove, ignore
testing compiled C program (duration=1m5.138855967s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
program crashed: possible deadlock in mgmt_remove_adv_monitor_complete
testing compiled C program (duration=1m5.138855967s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
program did not crash
testing compiled C program (duration=1m5.138855967s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
program crashed: KASAN: slab-use-after-free Read in mgmt_remove_adv_monitor_complete
a never seen crash title: KASAN: slab-use-after-free Read in mgmt_remove_adv_monitor_complete, ignore
testing compiled C program (duration=1m5.138855967s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:false Sysctl:false Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
program crashed: possible deadlock in mgmt_remove_adv_monitor_complete
testing compiled C program (duration=1m5.138855967s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-ioctl$HCIINQUIRY-bind$bt_hci-syz_init_net_socket$bt_hci-bind$bt_hci-write$bt_hci
program crashed: possible deadlock in mgmt_remove_adv_monitor_complete
reproducing took 55m44.924299678s
repro crashed as (corrupted=false):
======================================================
WARNING: possible circular locking dependency detected
6.12.0-syzkaller-10694-gc44daa7e3c73 #0 Not tainted
------------------------------------------------------
syz-executor645/6773 is trying to acquire lock:
ffff888079c74078 (&hdev->lock){+.+.}-{4:4}, at: mgmt_remove_adv_monitor_complete+0xaf/0x550 net/bluetooth/mgmt.c:5524
but task is already holding lock:
ffff888079c74690 (&hdev->cmd_sync_work_lock){+.+.}-{4:4}, at: hci_cmd_sync_dequeue+0x44/0x3d0 net/bluetooth/hci_sync.c:887
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&hdev->cmd_sync_work_lock){+.+.}-{4:4}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
hci_cmd_sync_lookup_entry net/bluetooth/hci_sync.c:838 [inline]
hci_cmd_sync_queue_once+0x43/0x240 net/bluetooth/hci_sync.c:782
le_conn_complete_evt+0xae1/0x12e0 net/bluetooth/hci_event.c:5778
hci_le_conn_complete_evt+0x18c/0x420 net/bluetooth/hci_event.c:5789
hci_event_func net/bluetooth/hci_event.c:7481 [inline]
hci_event_packet+0xa55/0x1540 net/bluetooth/hci_event.c:7536
hci_rx_work+0x3f3/0xdb0 net/bluetooth/hci_core.c:4039
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
-> #0 (&hdev->lock){+.+.}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
mgmt_remove_adv_monitor_complete+0xaf/0x550 net/bluetooth/mgmt.c:5524
_hci_cmd_sync_cancel_entry net/bluetooth/hci_sync.c:645 [inline]
hci_cmd_sync_dequeue+0x22b/0x3d0 net/bluetooth/hci_sync.c:890
cmd_complete_rsp+0x4c/0x180 net/bluetooth/mgmt.c:1469
mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259
mgmt_index_removed+0x133/0x390 net/bluetooth/mgmt.c:9483
hci_sock_bind+0xcce/0x1150 net/bluetooth/hci_sock.c:1307
__sys_bind_socket net/socket.c:1827 [inline]
__sys_bind+0x1e4/0x290 net/socket.c:1858
__do_sys_bind net/socket.c:1863 [inline]
__se_sys_bind net/socket.c:1861 [inline]
__x64_sys_bind+0x7a/0x90 net/socket.c:1861
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&hdev->cmd_sync_work_lock);
lock(&hdev->lock);
lock(&hdev->cmd_sync_work_lock);
lock(&hdev->lock);
*** DEADLOCK ***
2 locks held by syz-executor645/6773:
#0: ffff888072b01258 (sk_lock-AF_BLUETOOTH-BTPROTO_HCI){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1617 [inline]
#0: ffff888072b01258 (sk_lock-AF_BLUETOOTH-BTPROTO_HCI){+.+.}-{0:0}, at: hci_sock_bind+0x149/0x1150 net/bluetooth/hci_sock.c:1202
#1: ffff888079c74690 (&hdev->cmd_sync_work_lock){+.+.}-{4:4}, at: hci_cmd_sync_dequeue+0x44/0x3d0 net/bluetooth/hci_sync.c:887
stack backtrace:
CPU: 0 UID: 0 PID: 6773 Comm: syz-executor645 Not tainted 6.12.0-syzkaller-10694-gc44daa7e3c73 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074
check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
mgmt_remove_adv_monitor_complete+0xaf/0x550 net/bluetooth/mgmt.c:5524
_hci_cmd_sync_cancel_entry net/bluetooth/hci_sync.c:645 [inline]
hci_cmd_sync_dequeue+0x22b/0x3d0 net/bluetooth/hci_sync.c:890
cmd_complete_rsp+0x4c/0x180 net/bluetooth/mgmt.c:1469
mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259
mgmt_index_removed+0x133/0x390 net/bluetooth/mgmt.c:9483
hci_sock_bind+0xcce/0x1150 net/bluetooth/hci_sock.c:1307
__sys_bind_socket net/socket.c:1827 [inline]
__sys_bind+0x1e4/0x290 net/socket.c:1858
__do_sys_bind net/socket.c:1863 [inline]
__se_sys_bind net/socket.c:1861 [inline]
__x64_sys_bind+0x7a/0x90 net/socket.c:1861
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4429038479
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff5c59f7a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f4429038479
RDX: 0000000000000006 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003
R10: 00007fff5c59f790 R11: 0000000000000246 R12: 00007fff5c59f7ec
R13: 00007fff5c59f820 R14: 00007fff5c59f800 R15: 00000000000000ac
</TASK>
==================================================================
BUG: KASAN: slab-use-after-free in cmd_complete_rsp+0x67/0x180 net/bluetooth/mgmt.c:1471
Read of size 8 at addr ffff8880125470c0 by task syz-executor645/6773
CPU: 1 UID: 0 PID: 6773 Comm: syz-executor645 Not tainted 6.12.0-syzkaller-10694-gc44daa7e3c73 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
cmd_complete_rsp+0x67/0x180 net/bluetooth/mgmt.c:1471
mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259
mgmt_index_removed+0x133/0x390 net/bluetooth/mgmt.c:9483
hci_sock_bind+0xcce/0x1150 net/bluetooth/hci_sock.c:1307
__sys_bind_socket net/socket.c:1827 [inline]
__sys_bind+0x1e4/0x290 net/socket.c:1858
__do_sys_bind net/socket.c:1863 [inline]
__se_sys_bind net/socket.c:1861 [inline]
__x64_sys_bind+0x7a/0x90 net/socket.c:1861
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4429038479
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff5c59f7a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f4429038479
RDX: 0000000000000006 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003
R10: 00007fff5c59f790 R11: 0000000000000246 R12: 00007fff5c59f7ec
R13: 00007fff5c59f820 R14: 00007fff5c59f800 R15: 00000000000000ac
</TASK>
Allocated by task 6771:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269
mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296
remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568
hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712
hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832
sock_sendmsg_nosec net/socket.c:711 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:726
sock_write_iter+0x2d7/0x3f0 net/socket.c:1147
new_sync_write fs/read_write.c:586 [inline]
vfs_write+0xaeb/0xd30 fs/read_write.c:679
ksys_write+0x18f/0x2b0 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6773:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2338 [inline]
slab_free mm/slub.c:4598 [inline]
kfree+0x196/0x420 mm/slub.c:4746
mgmt_remove_adv_monitor_complete+0x2bf/0x550 net/bluetooth/mgmt.c:5533
_hci_cmd_sync_cancel_entry net/bluetooth/hci_sync.c:645 [inline]
hci_cmd_sync_dequeue+0x22b/0x3d0 net/bluetooth/hci_sync.c:890
cmd_complete_rsp+0x4c/0x180 net/bluetooth/mgmt.c:1469
mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259
mgmt_index_removed+0x133/0x390 net/bluetooth/mgmt.c:9483
hci_sock_bind+0xcce/0x1150 net/bluetooth/hci_sock.c:1307
__sys_bind_socket net/socket.c:1827 [inline]
__sys_bind+0x1e4/0x290 net/socket.c:1858
__do_sys_bind net/socket.c:1863 [inline]
__se_sys_bind net/socket.c:1861 [inline]
__x64_sys_bind+0x7a/0x90 net/socket.c:1861
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888012547080
which belongs to the cache kmalloc-96 of size 96
The buggy address is located 64 bytes inside of
freed 96-byte region [ffff888012547080, ffff8880125470e0)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12547
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88801ac41280 ffffea00009fcf80 dead000000000004
raw: 0000000000000000 0000000000200020 00000001f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5229, tgid 5229 (udevd), ts 31304917994, free_ts 31301524652
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1556
prep_new_page mm/page_alloc.c:1564 [inline]
get_page_from_freelist+0x3649/0x3790 mm/page_alloc.c:3474
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4751
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x140 mm/slub.c:2408
allocate_slab+0x5a/0x2f0 mm/slub.c:2574
new_slab mm/slub.c:2627 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3815
__slab_alloc+0x58/0xa0 mm/slub.c:3905
__slab_alloc_node mm/slub.c:3980 [inline]
slab_alloc_node mm/slub.c:4141 [inline]
__do_kmalloc_node mm/slub.c:4282 [inline]
__kmalloc_noprof+0x2e6/0x4c0 mm/slub.c:4295
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
tomoyo_encode2 security/tomoyo/realpath.c:45 [inline]
tomoyo_encode+0x26f/0x540 security/tomoyo/realpath.c:80
tomoyo_realpath_from_path+0x59e/0x5e0 security/tomoyo/realpath.c:283
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x2b7/0x740 security/tomoyo/file.c:822
security_inode_getattr+0x130/0x330 security/security.c:2372
vfs_getattr+0x2a/0x3b0 fs/stat.c:243
vfs_fstat fs/stat.c:265 [inline]
vfs_fstatat+0xa8/0x130 fs/stat.c:364
__do_sys_newfstatat fs/stat.c:530 [inline]
__se_sys_newfstatat fs/stat.c:524 [inline]
__x64_sys_newfstatat+0x11d/0x1a0 fs/stat.c:524
page last free pid 5236 tgid 5236 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_unref_page+0xdf9/0x1140 mm/page_alloc.c:2657
__slab_free+0x31b/0x3d0 mm/slub.c:4509
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4104 [inline]
slab_alloc_node mm/slub.c:4153 [inline]
__kmalloc_cache_noprof+0x1d9/0x390 mm/slub.c:4309
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
kernfs_fop_open+0x3e0/0xd10 fs/kernfs/file.c:623
do_dentry_open+0xbe1/0x1b70 fs/open.c:945
vfs_open+0x3e/0x330 fs/open.c:1075
do_open fs/namei.c:3828 [inline]
path_openat+0x2c84/0x3590 fs/namei.c:3987
do_filp_open+0x27f/0x4e0 fs/namei.c:4014
do_sys_openat2+0x13e/0x1d0 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_openat fs/open.c:1433 [inline]
__se_sys_openat fs/open.c:1428 [inline]
__x64_sys_openat+0x247/0x2a0 fs/open.c:1428
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888012546f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888012547000: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
>ffff888012547080: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff888012547100: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
ffff888012547180: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
==================================================================
final repro crashed as (corrupted=false):
======================================================
WARNING: possible circular locking dependency detected
6.12.0-syzkaller-10694-gc44daa7e3c73 #0 Not tainted
------------------------------------------------------
syz-executor645/6773 is trying to acquire lock:
ffff888079c74078 (&hdev->lock){+.+.}-{4:4}, at: mgmt_remove_adv_monitor_complete+0xaf/0x550 net/bluetooth/mgmt.c:5524
but task is already holding lock:
ffff888079c74690 (&hdev->cmd_sync_work_lock){+.+.}-{4:4}, at: hci_cmd_sync_dequeue+0x44/0x3d0 net/bluetooth/hci_sync.c:887
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&hdev->cmd_sync_work_lock){+.+.}-{4:4}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
hci_cmd_sync_lookup_entry net/bluetooth/hci_sync.c:838 [inline]
hci_cmd_sync_queue_once+0x43/0x240 net/bluetooth/hci_sync.c:782
le_conn_complete_evt+0xae1/0x12e0 net/bluetooth/hci_event.c:5778
hci_le_conn_complete_evt+0x18c/0x420 net/bluetooth/hci_event.c:5789
hci_event_func net/bluetooth/hci_event.c:7481 [inline]
hci_event_packet+0xa55/0x1540 net/bluetooth/hci_event.c:7536
hci_rx_work+0x3f3/0xdb0 net/bluetooth/hci_core.c:4039
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
-> #0 (&hdev->lock){+.+.}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
mgmt_remove_adv_monitor_complete+0xaf/0x550 net/bluetooth/mgmt.c:5524
_hci_cmd_sync_cancel_entry net/bluetooth/hci_sync.c:645 [inline]
hci_cmd_sync_dequeue+0x22b/0x3d0 net/bluetooth/hci_sync.c:890
cmd_complete_rsp+0x4c/0x180 net/bluetooth/mgmt.c:1469
mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259
mgmt_index_removed+0x133/0x390 net/bluetooth/mgmt.c:9483
hci_sock_bind+0xcce/0x1150 net/bluetooth/hci_sock.c:1307
__sys_bind_socket net/socket.c:1827 [inline]
__sys_bind+0x1e4/0x290 net/socket.c:1858
__do_sys_bind net/socket.c:1863 [inline]
__se_sys_bind net/socket.c:1861 [inline]
__x64_sys_bind+0x7a/0x90 net/socket.c:1861
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&hdev->cmd_sync_work_lock);
lock(&hdev->lock);
lock(&hdev->cmd_sync_work_lock);
lock(&hdev->lock);
*** DEADLOCK ***
2 locks held by syz-executor645/6773:
#0: ffff888072b01258 (sk_lock-AF_BLUETOOTH-BTPROTO_HCI){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1617 [inline]
#0: ffff888072b01258 (sk_lock-AF_BLUETOOTH-BTPROTO_HCI){+.+.}-{0:0}, at: hci_sock_bind+0x149/0x1150 net/bluetooth/hci_sock.c:1202
#1: ffff888079c74690 (&hdev->cmd_sync_work_lock){+.+.}-{4:4}, at: hci_cmd_sync_dequeue+0x44/0x3d0 net/bluetooth/hci_sync.c:887
stack backtrace:
CPU: 0 UID: 0 PID: 6773 Comm: syz-executor645 Not tainted 6.12.0-syzkaller-10694-gc44daa7e3c73 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074
check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
mgmt_remove_adv_monitor_complete+0xaf/0x550 net/bluetooth/mgmt.c:5524
_hci_cmd_sync_cancel_entry net/bluetooth/hci_sync.c:645 [inline]
hci_cmd_sync_dequeue+0x22b/0x3d0 net/bluetooth/hci_sync.c:890
cmd_complete_rsp+0x4c/0x180 net/bluetooth/mgmt.c:1469
mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259
mgmt_index_removed+0x133/0x390 net/bluetooth/mgmt.c:9483
hci_sock_bind+0xcce/0x1150 net/bluetooth/hci_sock.c:1307
__sys_bind_socket net/socket.c:1827 [inline]
__sys_bind+0x1e4/0x290 net/socket.c:1858
__do_sys_bind net/socket.c:1863 [inline]
__se_sys_bind net/socket.c:1861 [inline]
__x64_sys_bind+0x7a/0x90 net/socket.c:1861
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4429038479
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff5c59f7a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f4429038479
RDX: 0000000000000006 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003
R10: 00007fff5c59f790 R11: 0000000000000246 R12: 00007fff5c59f7ec
R13: 00007fff5c59f820 R14: 00007fff5c59f800 R15: 00000000000000ac
</TASK>
==================================================================
BUG: KASAN: slab-use-after-free in cmd_complete_rsp+0x67/0x180 net/bluetooth/mgmt.c:1471
Read of size 8 at addr ffff8880125470c0 by task syz-executor645/6773
CPU: 1 UID: 0 PID: 6773 Comm: syz-executor645 Not tainted 6.12.0-syzkaller-10694-gc44daa7e3c73 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
cmd_complete_rsp+0x67/0x180 net/bluetooth/mgmt.c:1471
mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259
mgmt_index_removed+0x133/0x390 net/bluetooth/mgmt.c:9483
hci_sock_bind+0xcce/0x1150 net/bluetooth/hci_sock.c:1307
__sys_bind_socket net/socket.c:1827 [inline]
__sys_bind+0x1e4/0x290 net/socket.c:1858
__do_sys_bind net/socket.c:1863 [inline]
__se_sys_bind net/socket.c:1861 [inline]
__x64_sys_bind+0x7a/0x90 net/socket.c:1861
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4429038479
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff5c59f7a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f4429038479
RDX: 0000000000000006 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003
R10: 00007fff5c59f790 R11: 0000000000000246 R12: 00007fff5c59f7ec
R13: 00007fff5c59f820 R14: 00007fff5c59f800 R15: 00000000000000ac
</TASK>
Allocated by task 6771:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269
mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296
remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568
hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712
hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832
sock_sendmsg_nosec net/socket.c:711 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:726
sock_write_iter+0x2d7/0x3f0 net/socket.c:1147
new_sync_write fs/read_write.c:586 [inline]
vfs_write+0xaeb/0xd30 fs/read_write.c:679
ksys_write+0x18f/0x2b0 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6773:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2338 [inline]
slab_free mm/slub.c:4598 [inline]
kfree+0x196/0x420 mm/slub.c:4746
mgmt_remove_adv_monitor_complete+0x2bf/0x550 net/bluetooth/mgmt.c:5533
_hci_cmd_sync_cancel_entry net/bluetooth/hci_sync.c:645 [inline]
hci_cmd_sync_dequeue+0x22b/0x3d0 net/bluetooth/hci_sync.c:890
cmd_complete_rsp+0x4c/0x180 net/bluetooth/mgmt.c:1469
mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259
mgmt_index_removed+0x133/0x390 net/bluetooth/mgmt.c:9483
hci_sock_bind+0xcce/0x1150 net/bluetooth/hci_sock.c:1307
__sys_bind_socket net/socket.c:1827 [inline]
__sys_bind+0x1e4/0x290 net/socket.c:1858
__do_sys_bind net/socket.c:1863 [inline]
__se_sys_bind net/socket.c:1861 [inline]
__x64_sys_bind+0x7a/0x90 net/socket.c:1861
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888012547080
which belongs to the cache kmalloc-96 of size 96
The buggy address is located 64 bytes inside of
freed 96-byte region [ffff888012547080, ffff8880125470e0)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12547
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88801ac41280 ffffea00009fcf80 dead000000000004
raw: 0000000000000000 0000000000200020 00000001f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5229, tgid 5229 (udevd), ts 31304917994, free_ts 31301524652
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1556
prep_new_page mm/page_alloc.c:1564 [inline]
get_page_from_freelist+0x3649/0x3790 mm/page_alloc.c:3474
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4751
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x140 mm/slub.c:2408
allocate_slab+0x5a/0x2f0 mm/slub.c:2574
new_slab mm/slub.c:2627 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3815
__slab_alloc+0x58/0xa0 mm/slub.c:3905
__slab_alloc_node mm/slub.c:3980 [inline]
slab_alloc_node mm/slub.c:4141 [inline]
__do_kmalloc_node mm/slub.c:4282 [inline]
__kmalloc_noprof+0x2e6/0x4c0 mm/slub.c:4295
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
tomoyo_encode2 security/tomoyo/realpath.c:45 [inline]
tomoyo_encode+0x26f/0x540 security/tomoyo/realpath.c:80
tomoyo_realpath_from_path+0x59e/0x5e0 security/tomoyo/realpath.c:283
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x2b7/0x740 security/tomoyo/file.c:822
security_inode_getattr+0x130/0x330 security/security.c:2372
vfs_getattr+0x2a/0x3b0 fs/stat.c:243
vfs_fstat fs/stat.c:265 [inline]
vfs_fstatat+0xa8/0x130 fs/stat.c:364
__do_sys_newfstatat fs/stat.c:530 [inline]
__se_sys_newfstatat fs/stat.c:524 [inline]
__x64_sys_newfstatat+0x11d/0x1a0 fs/stat.c:524
page last free pid 5236 tgid 5236 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_unref_page+0xdf9/0x1140 mm/page_alloc.c:2657
__slab_free+0x31b/0x3d0 mm/slub.c:4509
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4104 [inline]
slab_alloc_node mm/slub.c:4153 [inline]
__kmalloc_cache_noprof+0x1d9/0x390 mm/slub.c:4309
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
kernfs_fop_open+0x3e0/0xd10 fs/kernfs/file.c:623
do_dentry_open+0xbe1/0x1b70 fs/open.c:945
vfs_open+0x3e/0x330 fs/open.c:1075
do_open fs/namei.c:3828 [inline]
path_openat+0x2c84/0x3590 fs/namei.c:3987
do_filp_open+0x27f/0x4e0 fs/namei.c:4014
do_sys_openat2+0x13e/0x1d0 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_openat fs/open.c:1433 [inline]
__se_sys_openat fs/open.c:1428 [inline]
__x64_sys_openat+0x247/0x2a0 fs/open.c:1428
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888012546f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888012547000: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
>ffff888012547080: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff888012547100: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
ffff888012547180: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
==================================================================