Extracting prog: 3m55.729030535s
Minimizing prog: 15m25.7823273s
Simplifying prog options: 0s
Extracting C: 1m44.637098549s
Simplifying C: 20m0.287372602s


extracting reproducer from 30 programs
testing a last program of every proc
single: executing 5 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): io_uring_register$IORING_REGISTER_PBUF_RING-socket$nl_netfilter-sendmsg$NFNL_MSG_ACCT_DEL-syz_io_uring_submit-sendmsg$NFNL_MSG_ACCT_DEL-sendmsg
detailed listing:
executing program 0:
io_uring_register$IORING_REGISTER_PBUF_RING(0xffffffffffffffff, 0x16, 0x0, 0x1)
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFNL_MSG_ACCT_DEL(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000200)={0x20, 0x3, 0x7, 0x301, 0x0, 0x0, {0x5, 0x0, 0xd}, [@NFACCT_NAME={0x9, 0x1, 'syz0\x00'}]}, 0x20}, 0x1, 0x0, 0x0, 0x8000}, 0x10)
syz_io_uring_submit(0x0, 0x0, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r0, 0x0, 0x0, 0x0, 0x322, 0x1, {0x1}})
sendmsg$NFNL_MSG_ACCT_DEL(r0, 0x0, 0x13)
sendmsg(r0, &(0x7f0000000900)={0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$vim2m-ioctl$vim2m_VIDIOC_REQBUFS-ioctl$vim2m_VIDIOC_STREAMOFF-ioctl$vim2m_VIDIOC_ENUM_FMT
detailed listing:
executing program 0:
r0 = syz_open_dev$vim2m(&(0x7f0000000080), 0x2, 0x2)
ioctl$vim2m_VIDIOC_REQBUFS(r0, 0xc0145608, &(0x7f0000000040)={0x80000001, 0x1, 0x4})
ioctl$vim2m_VIDIOC_STREAMOFF(r0, 0x40045612, &(0x7f0000000240)=0x1)
ioctl$vim2m_VIDIOC_ENUM_FMT(r0, 0xc0405602, &(0x7f0000000180)={0x1, 0x1, 0x1, "1161b976f04df1b1b51e452862612d07f147dcd85424cbb88c2856d13cee0a33", 0x39565559})

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$vicodec1-syz_open_dev$media-syz_usb_connect-syz_emit_vhci-mincore
detailed listing:
executing program 0:
openat$vicodec1(0xffffffffffffff9c, &(0x7f00000000c0), 0x2, 0x0)
syz_open_dev$media(&(0x7f0000000100), 0x558, 0x101400)
syz_usb_connect(0x2, 0x24, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x27, 0x4c, 0x3, 0x40, 0x5ab, 0x60, 0x1106, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0xd, 0x0, 0x0, [{{0x9, 0x4, 0xa8, 0x0, 0x0, 0xf4, 0x7, 0x50}}]}}]}}, 0x0)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043ef50d"], 0xf8)
mincore(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x0)

program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
single: successfully extracted reproducer
found reproducer with 5 syscalls
minimizing guilty program
testing program (duration=45.187068829s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$vicodec1-syz_open_dev$media-syz_usb_connect-syz_emit_vhci
detailed listing:
executing program 0:
openat$vicodec1(0xffffffffffffff9c, &(0x7f00000000c0), 0x2, 0x0)
syz_open_dev$media(&(0x7f0000000100), 0x558, 0x101400)
syz_usb_connect(0x2, 0x24, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x27, 0x4c, 0x3, 0x40, 0x5ab, 0x60, 0x1106, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0xd, 0x0, 0x0, [{{0x9, 0x4, 0xa8, 0x0, 0x0, 0xf4, 0x7, 0x50}}]}}]}}, 0x0)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043ef50d"], 0xf8)

program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing program (duration=45.187068829s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$vicodec1-syz_open_dev$media-syz_usb_connect
detailed listing:
executing program 0:
openat$vicodec1(0xffffffffffffff9c, &(0x7f00000000c0), 0x2, 0x0)
syz_open_dev$media(&(0x7f0000000100), 0x558, 0x101400)
syz_usb_connect(0x2, 0x24, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x27, 0x4c, 0x3, 0x40, 0x5ab, 0x60, 0x1106, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0xd, 0x0, 0x0, [{{0x9, 0x4, 0xa8, 0x0, 0x0, 0xf4, 0x7, 0x50}}]}}]}}, 0x0)

program did not crash
testing program (duration=45.187068829s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$vicodec1-syz_open_dev$media-syz_emit_vhci
detailed listing:
executing program 0:
openat$vicodec1(0xffffffffffffff9c, &(0x7f00000000c0), 0x2, 0x0)
syz_open_dev$media(&(0x7f0000000100), 0x558, 0x101400)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043ef50d"], 0xf8)

program did not crash
testing program (duration=45.187068829s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$vicodec1-syz_usb_connect-syz_emit_vhci
detailed listing:
executing program 0:
openat$vicodec1(0xffffffffffffff9c, &(0x7f00000000c0), 0x2, 0x0)
syz_usb_connect(0x2, 0x24, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x27, 0x4c, 0x3, 0x40, 0x5ab, 0x60, 0x1106, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0xd, 0x0, 0x0, [{{0x9, 0x4, 0xa8, 0x0, 0x0, 0xf4, 0x7, 0x50}}]}}]}}, 0x0)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043ef50d"], 0xf8)

program did not crash
testing program (duration=45.187068829s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
detailed listing:
executing program 0:
syz_open_dev$media(&(0x7f0000000100), 0x558, 0x101400)
syz_usb_connect(0x2, 0x24, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x27, 0x4c, 0x3, 0x40, 0x5ab, 0x60, 0x1106, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0xd, 0x0, 0x0, [{{0x9, 0x4, 0xa8, 0x0, 0x0, 0xf4, 0x7, 0x50}}]}}]}}, 0x0)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043ef50d"], 0xf8)

program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing program (duration=45.187068829s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
detailed listing:
executing program 0:
syz_open_dev$media(0x0, 0x558, 0x101400)
syz_usb_connect(0x2, 0x24, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x27, 0x4c, 0x3, 0x40, 0x5ab, 0x60, 0x1106, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0xd, 0x0, 0x0, [{{0x9, 0x4, 0xa8, 0x0, 0x0, 0xf4, 0x7, 0x50}}]}}]}}, 0x0)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043ef50d"], 0xf8)

program did not crash
testing program (duration=45.187068829s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
detailed listing:
executing program 0:
syz_open_dev$media(&(0x7f0000000100), 0x558, 0x101400)
syz_usb_connect(0x2, 0x0, 0x0, 0x0)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043ef50d"], 0xf8)

program did not crash
testing program (duration=45.187068829s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
detailed listing:
executing program 0:
syz_open_dev$media(&(0x7f0000000100), 0x558, 0x101400)
syz_usb_connect(0x2, 0x24, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x27, 0x4c, 0x3, 0x40, 0x5ab, 0x60, 0x1106, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0xd, 0x0, 0x0, [{{0x9, 0x4, 0xa8, 0x0, 0x0, 0xf4, 0x7, 0x50}}]}}]}}, 0x0)
syz_emit_vhci(0x0, 0xf8)

program did not crash
testing program (duration=45.187068829s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
detailed listing:
executing program 0:
syz_open_dev$media(&(0x7f0000000100), 0x558, 0x101400)
syz_usb_connect(0x2, 0x24, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x27, 0x4c, 0x3, 0x40, 0x5ab, 0x60, 0x1106, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0xd, 0x0, 0x0, [{{0x9, 0x4, 0xa8, 0x0, 0x0, 0xf4, 0x7, 0x50}}]}}]}}, 0x0)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB], 0xf8)

program did not crash
extracting C reproducer
testing compiled C program (duration=45.187068829s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
simplifying C reproducer
testing compiled C program (duration=45.187068829s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=45.187068829s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=45.187068829s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
program did not crash
testing compiled C program (duration=45.187068829s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=45.187068829s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=45.187068829s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=45.187068829s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=45.187068829s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=45.187068829s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
program did not crash
testing compiled C program (duration=45.187068829s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=45.187068829s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=45.187068829s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=45.187068829s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=45.187068829s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing compiled C program (duration=45.187068829s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing program (duration=45.187068829s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
detailed listing:
executing program 0:
syz_open_dev$media(&(0x7f0000000100), 0x558, 0x101400)
syz_usb_connect(0x2, 0x24, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x27, 0x4c, 0x3, 0x40, 0x5ab, 0x60, 0x1106, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0xd, 0x0, 0x0, [{{0x9, 0x4, 0xa8, 0x0, 0x0, 0xf4, 0x7, 0x50}}]}}]}}, 0x0)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043ef50d"], 0xf8)

program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
validation run: crashed=true
testing program (duration=45.187068829s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
detailed listing:
executing program 0:
syz_open_dev$media(&(0x7f0000000100), 0x558, 0x101400)
syz_usb_connect(0x2, 0x24, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x27, 0x4c, 0x3, 0x40, 0x5ab, 0x60, 0x1106, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0xd, 0x0, 0x0, [{{0x9, 0x4, 0xa8, 0x0, 0x0, 0xf4, 0x7, 0x50}}]}}]}}, 0x0)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043ef50d"], 0xf8)

program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
validation run: crashed=true
testing program (duration=45.187068829s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$media-syz_usb_connect-syz_emit_vhci
detailed listing:
executing program 0:
syz_open_dev$media(&(0x7f0000000100), 0x558, 0x101400)
syz_usb_connect(0x2, 0x24, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x27, 0x4c, 0x3, 0x40, 0x5ab, 0x60, 0x1106, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0xd, 0x0, 0x0, [{{0x9, 0x4, 0xa8, 0x0, 0x0, 0xf4, 0x7, 0x50}}]}}]}}, 0x0)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043ef50d"], 0xf8)

program crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
validation run: crashed=true
reproducing took 45m51.102916306s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-out-of-bounds in hci_le_ext_adv_report_evt net/bluetooth/hci_event.c:5945 [inline]
BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x12db/0x3b80 net/bluetooth/hci_event.c:6218
Read of size 1 at addr ffff88802465e409 by task kworker/u5:2/4233

CPU: 0 PID: 4233 Comm: kworker/u5:2 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: hci0 hci_rx_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 print_address_description+0x60/0x2d0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xdf/0x130 mm/kasan/report.c:451
 hci_le_ext_adv_report_evt net/bluetooth/hci_event.c:5945 [inline]
 hci_le_meta_evt+0x12db/0x3b80 net/bluetooth/hci_event.c:6218
 hci_event_packet+0xe05/0x12f0 net/bluetooth/hci_event.c:6535
 hci_rx_work+0x255/0xa10 net/bluetooth/hci_core.c:5160
 process_one_work+0x863/0x1000 kernel/workqueue.c:2310
 worker_thread+0xaa8/0x12a0 kernel/workqueue.c:2457
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>

Allocated by task 4326:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc+0xb5/0xf0 mm/kasan/common.c:522
 kmalloc_reserve net/core/skbuff.c:356 [inline]
 __alloc_skb+0x22c/0x750 net/core/skbuff.c:427
 alloc_skb include/linux/skbuff.h:1162 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:392 [inline]
 vhci_get_user drivers/bluetooth/hci_vhci.c:170 [inline]
 vhci_write+0xbc/0x450 drivers/bluetooth/hci_vhci.c:290
 call_write_iter include/linux/fs.h:2173 [inline]
 new_sync_write fs/read_write.c:507 [inline]
 vfs_write+0x712/0xd00 fs/read_write.c:594
 ksys_write+0x14d/0x250 fs/read_write.c:647
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

The buggy address belongs to the object at ffff88802465e000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 9 bytes to the right of
 1024-byte region [ffff88802465e000, ffff88802465e400)
The buggy address belongs to the page:
page:ffffea0000919600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24658
head:ffffea0000919600 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0000931000 0000000600000006 ffff888016841dc0
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4063, ts 54587769991, free_ts 42718037598
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x1b77/0x1c60 mm/page_alloc.c:4192
 __alloc_pages+0x1e1/0x470 mm/page_alloc.c:5487
 alloc_slab_page mm/slub.c:1780 [inline]
 allocate_slab mm/slub.c:1917 [inline]
 new_slab+0xc0/0x4b0 mm/slub.c:1980
 ___slab_alloc+0x81e/0xdf0 mm/slub.c:3013
 __slab_alloc mm/slub.c:3100 [inline]
 slab_alloc_node mm/slub.c:3191 [inline]
 __kmalloc_node_track_caller+0x1fc/0x3a0 mm/slub.c:4963
 kmalloc_reserve net/core/skbuff.c:356 [inline]
 __alloc_skb+0x22c/0x750 net/core/skbuff.c:427
 alloc_skb include/linux/skbuff.h:1162 [inline]
 __tcp_send_ack+0x9d/0x5d0 net/ipv4/tcp_output.c:3996
 tcp_ack_snd_check net/ipv4/tcp_input.c:5644 [inline]
 tcp_rcv_established+0xb97/0x1cb0 net/ipv4/tcp_input.c:6069
 tcp_v4_do_rcv+0x44b/0x9b0 net/ipv4/tcp_ipv4.c:1731
 tcp_v4_rcv+0x268f/0x2cb0 net/ipv4/tcp_ipv4.c:2143
 ip_protocol_deliver_rcu+0x3ad/0x770 net/ipv4/ip_input.c:204
 ip_local_deliver_finish+0x1d5/0x320 net/ipv4/ip_input.c:231
 NF_HOOK+0x2d6/0x360 include/linux/netfilter.h:302
 dst_input include/net/dst.h:462 [inline]
 ip_sublist_rcv_finish net/ipv4/ip_input.c:577 [inline]
 ip_list_rcv_finish net/ipv4/ip_input.c:628 [inline]
 ip_sublist_rcv+0xa1f/0xce0 net/ipv4/ip_input.c:636
 ip_list_rcv+0x3df/0x430 net/ipv4/ip_input.c:671
 __netif_receive_skb_list_ptype net/core/dev.c:5568 [inline]
 __netif_receive_skb_list_core+0x574/0x740 net/core/dev.c:5616
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317
 free_unref_page+0x94/0x280 mm/page_alloc.c:3396
 free_slab mm/slub.c:2020 [inline]
 discard_slab mm/slub.c:2026 [inline]
 __unfreeze_partials+0x1a5/0x200 mm/slub.c:2512
 put_cpu_partial+0x12d/0x190 mm/slub.c:2592
 qlist_free_all+0x35/0x90 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x150/0x160 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0x2f/0xd0 mm/kasan/common.c:444
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook+0x4c/0x380 mm/slab.h:519
 slab_alloc_node mm/slub.c:3225 [inline]
 slab_alloc mm/slub.c:3233 [inline]
 kmem_cache_alloc+0x100/0x290 mm/slub.c:3238
 __d_alloc+0x2a/0x6f0 fs/dcache.c:1749
 d_alloc_anon fs/dcache.c:1849 [inline]
 d_alloc_cursor+0x40/0xd0 fs/dcache.c:1855
 dcache_dir_open+0x37/0x70 fs/libfs.c:82
 do_dentry_open+0x7ff/0xf80 fs/open.c:826
 do_open fs/namei.c:3616 [inline]
 path_openat+0x2682/0x2f30 fs/namei.c:3750
 do_filp_open+0x1b3/0x3e0 fs/namei.c:3777
 do_sys_openat2+0x142/0x4a0 fs/open.c:1253

Memory state around the buggy address:
 ffff88802465e300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88802465e380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88802465e400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                      ^
 ffff88802465e480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88802465e500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-out-of-bounds in hci_le_ext_adv_report_evt net/bluetooth/hci_event.c:5945 [inline]
BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x12db/0x3b80 net/bluetooth/hci_event.c:6218
Read of size 1 at addr ffff88802465e409 by task kworker/u5:2/4233

CPU: 0 PID: 4233 Comm: kworker/u5:2 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: hci0 hci_rx_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 print_address_description+0x60/0x2d0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xdf/0x130 mm/kasan/report.c:451
 hci_le_ext_adv_report_evt net/bluetooth/hci_event.c:5945 [inline]
 hci_le_meta_evt+0x12db/0x3b80 net/bluetooth/hci_event.c:6218
 hci_event_packet+0xe05/0x12f0 net/bluetooth/hci_event.c:6535
 hci_rx_work+0x255/0xa10 net/bluetooth/hci_core.c:5160
 process_one_work+0x863/0x1000 kernel/workqueue.c:2310
 worker_thread+0xaa8/0x12a0 kernel/workqueue.c:2457
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>

Allocated by task 4326:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc+0xb5/0xf0 mm/kasan/common.c:522
 kmalloc_reserve net/core/skbuff.c:356 [inline]
 __alloc_skb+0x22c/0x750 net/core/skbuff.c:427
 alloc_skb include/linux/skbuff.h:1162 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:392 [inline]
 vhci_get_user drivers/bluetooth/hci_vhci.c:170 [inline]
 vhci_write+0xbc/0x450 drivers/bluetooth/hci_vhci.c:290
 call_write_iter include/linux/fs.h:2173 [inline]
 new_sync_write fs/read_write.c:507 [inline]
 vfs_write+0x712/0xd00 fs/read_write.c:594
 ksys_write+0x14d/0x250 fs/read_write.c:647
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

The buggy address belongs to the object at ffff88802465e000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 9 bytes to the right of
 1024-byte region [ffff88802465e000, ffff88802465e400)
The buggy address belongs to the page:
page:ffffea0000919600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24658
head:ffffea0000919600 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0000931000 0000000600000006 ffff888016841dc0
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4063, ts 54587769991, free_ts 42718037598
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x1b77/0x1c60 mm/page_alloc.c:4192
 __alloc_pages+0x1e1/0x470 mm/page_alloc.c:5487
 alloc_slab_page mm/slub.c:1780 [inline]
 allocate_slab mm/slub.c:1917 [inline]
 new_slab+0xc0/0x4b0 mm/slub.c:1980
 ___slab_alloc+0x81e/0xdf0 mm/slub.c:3013
 __slab_alloc mm/slub.c:3100 [inline]
 slab_alloc_node mm/slub.c:3191 [inline]
 __kmalloc_node_track_caller+0x1fc/0x3a0 mm/slub.c:4963
 kmalloc_reserve net/core/skbuff.c:356 [inline]
 __alloc_skb+0x22c/0x750 net/core/skbuff.c:427
 alloc_skb include/linux/skbuff.h:1162 [inline]
 __tcp_send_ack+0x9d/0x5d0 net/ipv4/tcp_output.c:3996
 tcp_ack_snd_check net/ipv4/tcp_input.c:5644 [inline]
 tcp_rcv_established+0xb97/0x1cb0 net/ipv4/tcp_input.c:6069
 tcp_v4_do_rcv+0x44b/0x9b0 net/ipv4/tcp_ipv4.c:1731
 tcp_v4_rcv+0x268f/0x2cb0 net/ipv4/tcp_ipv4.c:2143
 ip_protocol_deliver_rcu+0x3ad/0x770 net/ipv4/ip_input.c:204
 ip_local_deliver_finish+0x1d5/0x320 net/ipv4/ip_input.c:231
 NF_HOOK+0x2d6/0x360 include/linux/netfilter.h:302
 dst_input include/net/dst.h:462 [inline]
 ip_sublist_rcv_finish net/ipv4/ip_input.c:577 [inline]
 ip_list_rcv_finish net/ipv4/ip_input.c:628 [inline]
 ip_sublist_rcv+0xa1f/0xce0 net/ipv4/ip_input.c:636
 ip_list_rcv+0x3df/0x430 net/ipv4/ip_input.c:671
 __netif_receive_skb_list_ptype net/core/dev.c:5568 [inline]
 __netif_receive_skb_list_core+0x574/0x740 net/core/dev.c:5616
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317
 free_unref_page+0x94/0x280 mm/page_alloc.c:3396
 free_slab mm/slub.c:2020 [inline]
 discard_slab mm/slub.c:2026 [inline]
 __unfreeze_partials+0x1a5/0x200 mm/slub.c:2512
 put_cpu_partial+0x12d/0x190 mm/slub.c:2592
 qlist_free_all+0x35/0x90 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x150/0x160 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0x2f/0xd0 mm/kasan/common.c:444
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook+0x4c/0x380 mm/slab.h:519
 slab_alloc_node mm/slub.c:3225 [inline]
 slab_alloc mm/slub.c:3233 [inline]
 kmem_cache_alloc+0x100/0x290 mm/slub.c:3238
 __d_alloc+0x2a/0x6f0 fs/dcache.c:1749
 d_alloc_anon fs/dcache.c:1849 [inline]
 d_alloc_cursor+0x40/0xd0 fs/dcache.c:1855
 dcache_dir_open+0x37/0x70 fs/libfs.c:82
 do_dentry_open+0x7ff/0xf80 fs/open.c:826
 do_open fs/namei.c:3616 [inline]
 path_openat+0x2682/0x2f30 fs/namei.c:3750
 do_filp_open+0x1b3/0x3e0 fs/namei.c:3777
 do_sys_openat2+0x142/0x4a0 fs/open.c:1253

Memory state around the buggy address:
 ffff88802465e300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88802465e380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88802465e400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                      ^
 ffff88802465e480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88802465e500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================