Extracting prog: 9m14.549484375s
Minimizing prog: 1h7m36.917758905s
Simplifying prog options: 15m23.090440223s
Extracting C: 5m17.563388143s
Simplifying C: 0s


extracting reproducer from 1 programs
testing a last program of every proc
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$netlink-sendmsg$nl_route_sched-mmap$IORING_OFF_SQES-mkdirat-mount$bind-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-connect$bt_l2cap-mount$bind-sendmsg$nl_generic
detailed listing:
executing program 0:
r0 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r0, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000001000)=@newqdisc={0x8c, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, 0x0, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x5c, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x7, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20]}}]}}]}, 0x8c}}, 0x0)
mmap$IORING_OFF_SQES(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x1, 0x4000010, 0xffffffffffffffff, 0x10000000)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r1, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r1, 0x0)
connect$bt_l2cap(r1, &(0x7f0000000240)={0x1f, 0x0, @any, 0x5}, 0xe)
mount$bind(&(0x7f0000000300)='./file0/../file0\x00', &(0x7f0000000340)='./file0/file0\x00', 0x0, 0x89101a, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0}, 0x0)

program did not crash
single: failed to extract reproducer
single: executing 1 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$netlink-sendmsg$nl_route_sched-mmap$IORING_OFF_SQES-mkdirat-mount$bind-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-connect$bt_l2cap-mount$bind-sendmsg$nl_generic
detailed listing:
executing program 0:
r0 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r0, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000001000)=@newqdisc={0x8c, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, 0x0, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x5c, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x7, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20]}}]}}]}, 0x8c}}, 0x0)
mmap$IORING_OFF_SQES(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x1, 0x4000010, 0xffffffffffffffff, 0x10000000)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r1, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r1, 0x0)
connect$bt_l2cap(r1, &(0x7f0000000240)={0x1f, 0x0, @any, 0x5}, 0xe)
mount$bind(&(0x7f0000000300)='./file0/../file0\x00', &(0x7f0000000340)='./file0/file0\x00', 0x0, 0x89101a, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0}, 0x0)

program did not crash
single: failed to extract reproducer
single: executing 1 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$netlink-sendmsg$nl_route_sched-mmap$IORING_OFF_SQES-mkdirat-mount$bind-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-connect$bt_l2cap-mount$bind-sendmsg$nl_generic
detailed listing:
executing program 0:
r0 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r0, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000001000)=@newqdisc={0x8c, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, 0x0, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x5c, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x7, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20]}}]}}]}, 0x8c}}, 0x0)
mmap$IORING_OFF_SQES(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x1, 0x4000010, 0xffffffffffffffff, 0x10000000)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r1, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r1, 0x0)
connect$bt_l2cap(r1, &(0x7f0000000240)={0x1f, 0x0, @any, 0x5}, 0xe)
mount$bind(&(0x7f0000000300)='./file0/../file0\x00', &(0x7f0000000340)='./file0/file0\x00', 0x0, 0x89101a, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0}, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
single: successfully extracted reproducer
found reproducer with 11 syscalls
minimizing guilty program
testing program (duration=7m34.986867075s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$netlink-sendmsg$nl_route_sched-mmap$IORING_OFF_SQES-mkdirat-mount$bind-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-connect$bt_l2cap-mount$bind
detailed listing:
executing program 0:
r0 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r0, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000001000)=@newqdisc={0x8c, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, 0x0, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x5c, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x7, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20]}}]}}]}, 0x8c}}, 0x0)
mmap$IORING_OFF_SQES(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x1, 0x4000010, 0xffffffffffffffff, 0x10000000)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r1, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r1, 0x0)
connect$bt_l2cap(r1, &(0x7f0000000240)={0x1f, 0x0, @any, 0x5}, 0xe)
mount$bind(&(0x7f0000000300)='./file0/../file0\x00', &(0x7f0000000340)='./file0/file0\x00', 0x0, 0x89101a, 0x0)

program did not crash
testing program (duration=7m34.986867075s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$netlink-sendmsg$nl_route_sched-mmap$IORING_OFF_SQES-mkdirat-mount$bind-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-connect$bt_l2cap-sendmsg$nl_generic
detailed listing:
executing program 0:
r0 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r0, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000001000)=@newqdisc={0x8c, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, 0x0, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x5c, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x7, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20]}}]}}]}, 0x8c}}, 0x0)
mmap$IORING_OFF_SQES(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x1, 0x4000010, 0xffffffffffffffff, 0x10000000)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r1, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r1, 0x0)
connect$bt_l2cap(r1, &(0x7f0000000240)={0x1f, 0x0, @any, 0x5}, 0xe)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0}, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
testing program (duration=7m34.986867075s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$netlink-sendmsg$nl_route_sched-mmap$IORING_OFF_SQES-mkdirat-mount$bind-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-sendmsg$nl_generic
detailed listing:
executing program 0:
r0 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r0, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000001000)=@newqdisc={0x8c, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, 0x0, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x5c, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x7, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20]}}]}}]}, 0x8c}}, 0x0)
mmap$IORING_OFF_SQES(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x1, 0x4000010, 0xffffffffffffffff, 0x10000000)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r1, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r1, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0}, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
testing program (duration=7m34.986867075s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$netlink-sendmsg$nl_route_sched-mmap$IORING_OFF_SQES-mkdirat-mount$bind-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-sendmsg$nl_generic
detailed listing:
executing program 0:
r0 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r0, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000001000)=@newqdisc={0x8c, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, 0x0, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x5c, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x7, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20]}}]}}]}, 0x8c}}, 0x0)
mmap$IORING_OFF_SQES(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x1, 0x4000010, 0xffffffffffffffff, 0x10000000)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r1, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=7m34.986867075s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$netlink-sendmsg$nl_route_sched-mmap$IORING_OFF_SQES-mkdirat-mount$bind-syz_init_net_socket$bt_l2cap-listen-sendmsg$nl_generic
detailed listing:
executing program 0:
r0 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r0, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000001000)=@newqdisc={0x8c, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, 0x0, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x5c, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x7, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20]}}]}}]}, 0x8c}}, 0x0)
mmap$IORING_OFF_SQES(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x1, 0x4000010, 0xffffffffffffffff, 0x10000000)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
listen(r1, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=7m34.986867075s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$netlink-sendmsg$nl_route_sched-mmap$IORING_OFF_SQES-mkdirat-mount$bind-bind$bt_l2cap-listen-sendmsg$nl_generic
detailed listing:
executing program 0:
r0 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r0, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000001000)=@newqdisc={0x8c, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, 0x0, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x5c, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x7, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20]}}]}}]}, 0x8c}}, 0x0)
mmap$IORING_OFF_SQES(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x1, 0x4000010, 0xffffffffffffffff, 0x10000000)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
bind$bt_l2cap(0xffffffffffffffff, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(0xffffffffffffffff, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=7m34.986867075s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$netlink-sendmsg$nl_route_sched-mmap$IORING_OFF_SQES-mkdirat-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-sendmsg$nl_generic
detailed listing:
executing program 0:
r0 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r0, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000001000)=@newqdisc={0x8c, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, 0x0, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x5c, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x7, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20]}}]}}]}, 0x8c}}, 0x0)
mmap$IORING_OFF_SQES(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x1, 0x4000010, 0xffffffffffffffff, 0x10000000)
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r1, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r1, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0}, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
testing program (duration=7m34.986867075s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$netlink-sendmsg$nl_route_sched-mmap$IORING_OFF_SQES-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-sendmsg$nl_generic
detailed listing:
executing program 0:
r0 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r0, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000001000)=@newqdisc={0x8c, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, 0x0, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x5c, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x7, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20]}}]}}]}, 0x8c}}, 0x0)
mmap$IORING_OFF_SQES(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x1, 0x4000010, 0xffffffffffffffff, 0x10000000)
r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r1, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r1, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0}, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
testing program (duration=7m34.986867075s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$netlink-sendmsg$nl_route_sched-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-sendmsg$nl_generic
detailed listing:
executing program 0:
r0 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r0, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000001000)=@newqdisc={0x8c, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, 0x0, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x5c, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x7, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20]}}]}}]}, 0x8c}}, 0x0)
r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r1, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r1, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0}, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
testing program (duration=7m34.986867075s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$netlink-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-sendmsg$nl_generic
detailed listing:
executing program 0:
socket$netlink(0x10, 0x3, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0}, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
testing program (duration=7m34.986867075s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-sendmsg$nl_generic
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0}, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
testing program (duration=7m34.986867075s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-sendmsg$nl_generic
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, 0x0, 0x0)
listen(r0, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=7m34.986867075s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-sendmsg$nl_generic
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, 0x0, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
extracting C reproducer
testing compiled C program (duration=7m34.986867075s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-sendmsg$nl_generic
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
simplifying guilty program options
testing program (duration=7m34.986867075s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-sendmsg$nl_generic
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, 0x0, 0x0)

program did not crash
testing program (duration=7m34.986867075s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-sendmsg$nl_generic
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, 0x0, 0x0)

program did not crash
testing program (duration=7m34.986867075s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-sendmsg$nl_generic
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, 0x0, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
validation run: crashed=true
testing program (duration=7m34.986867075s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-sendmsg$nl_generic
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, 0x0, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
validation run: crashed=true
testing program (duration=7m34.986867075s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-sendmsg$nl_generic
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000001180)={0x1f, 0x0, @any, 0x3}, 0xe)
listen(r0, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, 0x0, 0x0)

program crashed: BUG: unable to handle kernel paging request in lock_sock_nested
validation run: crashed=true
reproducing took 1h45m53.54246486s
repro crashed as (corrupted=false):
Unable to handle kernel paging request at virtual address dfff800000000024
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
[dfff800000000024] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4072 Comm: kworker/0:4 Not tainted 5.15.189-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: events l2cap_info_timeout
pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __lock_acquire+0xe0/0x651c kernel/locking/lockdep.c:4882
lr : lock_acquire+0x1f4/0x620 kernel/locking/lockdep.c:5623
sp : ffff80001f3e75c0
x29: ffff80001f3e77d0 x28: dfff800000000000 x27: 0000000000000000
x26: ffff80001056c1b8 x25: 1ffff0000282e06a x24: 0000000000000000
x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000
x20: 0000000000000120 x19: 0000000000000000 x18: 0000000000010000
x17: ffff800016d04000 x16: ffff8000111bc798 x15: ffff8000167e4500
x14: ffff0000db294080 x13: ffff0000db294120 x12: 0000000000ff0100
x11: 0000000000000000 x10: ffff700003e7ced8 x9 : ffff800014170354
x8 : 0000000000000024 x7 : ffff80001056c1b8 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000120
Call trace:
 __lock_acquire+0xe0/0x651c kernel/locking/lockdep.c:4882
 lock_acquire+0x1f4/0x620 kernel/locking/lockdep.c:5623
 lock_sock_nested+0xd8/0x1d4 net/core/sock.c:3251
 lock_sock include/net/sock.h:1694 [inline]
 l2cap_sock_ready_cb+0x4c/0x130 net/bluetooth/l2cap_sock.c:1649
 l2cap_chan_ready net/bluetooth/l2cap_core.c:1386 [inline]
 l2cap_conn_start+0x594/0xb4c net/bluetooth/l2cap_core.c:1645
 l2cap_info_timeout+0x68/0xb8 net/bluetooth/l2cap_core.c:1812
 process_one_work+0x79c/0x1140 kernel/workqueue.c:2310
 worker_thread+0x8f4/0x101c kernel/workqueue.c:2457
 kthread+0x374/0x454 kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:855
Code: d005fa68 b9406108 340001c8 d343fe88 (387c6908) 
---[ end trace 935bd6372af63a96 ]---
----------------
Code disassembly (best guess):
   0:	d005fa68 	adrp	x8, 0xbf4e000
   4:	b9406108 	ldr	w8, [x8, #96]
   8:	340001c8 	cbz	w8, 0x40
   c:	d343fe88 	lsr	x8, x20, #3
* 10:	387c6908 	ldrb	w8, [x8, x28] <-- trapping instruction

final repro crashed as (corrupted=false):
Unable to handle kernel paging request at virtual address dfff800000000024
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
[dfff800000000024] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4072 Comm: kworker/0:4 Not tainted 5.15.189-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: events l2cap_info_timeout
pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __lock_acquire+0xe0/0x651c kernel/locking/lockdep.c:4882
lr : lock_acquire+0x1f4/0x620 kernel/locking/lockdep.c:5623
sp : ffff80001f3e75c0
x29: ffff80001f3e77d0 x28: dfff800000000000 x27: 0000000000000000
x26: ffff80001056c1b8 x25: 1ffff0000282e06a x24: 0000000000000000
x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000
x20: 0000000000000120 x19: 0000000000000000 x18: 0000000000010000
x17: ffff800016d04000 x16: ffff8000111bc798 x15: ffff8000167e4500
x14: ffff0000db294080 x13: ffff0000db294120 x12: 0000000000ff0100
x11: 0000000000000000 x10: ffff700003e7ced8 x9 : ffff800014170354
x8 : 0000000000000024 x7 : ffff80001056c1b8 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000120
Call trace:
 __lock_acquire+0xe0/0x651c kernel/locking/lockdep.c:4882
 lock_acquire+0x1f4/0x620 kernel/locking/lockdep.c:5623
 lock_sock_nested+0xd8/0x1d4 net/core/sock.c:3251
 lock_sock include/net/sock.h:1694 [inline]
 l2cap_sock_ready_cb+0x4c/0x130 net/bluetooth/l2cap_sock.c:1649
 l2cap_chan_ready net/bluetooth/l2cap_core.c:1386 [inline]
 l2cap_conn_start+0x594/0xb4c net/bluetooth/l2cap_core.c:1645
 l2cap_info_timeout+0x68/0xb8 net/bluetooth/l2cap_core.c:1812
 process_one_work+0x79c/0x1140 kernel/workqueue.c:2310
 worker_thread+0x8f4/0x101c kernel/workqueue.c:2457
 kthread+0x374/0x454 kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:855
Code: d005fa68 b9406108 340001c8 d343fe88 (387c6908) 
---[ end trace 935bd6372af63a96 ]---
----------------
Code disassembly (best guess):
   0:	d005fa68 	adrp	x8, 0xbf4e000
   4:	b9406108 	ldr	w8, [x8, #96]
   8:	340001c8 	cbz	w8, 0x40
   c:	d343fe88 	lsr	x8, x20, #3
* 10:	387c6908 	ldrb	w8, [x8, x28] <-- trapping instruction