Warning: Permanently added '[localhost]:42199' (ECDSA) to the list of known hosts. 2025/09/01 09:21:27 fuzzer started 2025/09/01 09:21:28 dialing manager at localhost:35473 syzkaller login: [ 51.703106] cgroup: Unknown subsys name 'net' [ 51.760425] cgroup: Unknown subsys name 'cpuset' [ 51.772546] cgroup: Unknown subsys name 'rlimit' 2025/09/01 09:21:38 syscalls: 2214 2025/09/01 09:21:38 code coverage: enabled 2025/09/01 09:21:38 comparison tracing: enabled 2025/09/01 09:21:38 extra coverage: enabled 2025/09/01 09:21:38 setuid sandbox: enabled 2025/09/01 09:21:38 namespace sandbox: enabled 2025/09/01 09:21:38 Android sandbox: enabled 2025/09/01 09:21:38 fault injection: enabled 2025/09/01 09:21:38 leak checking: enabled 2025/09/01 09:21:38 net packet injection: enabled 2025/09/01 09:21:38 net device setup: enabled 2025/09/01 09:21:38 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist 2025/09/01 09:21:38 devlink PCI setup: PCI device 0000:00:10.0 is not available 2025/09/01 09:21:38 USB emulation: enabled 2025/09/01 09:21:38 hci packet injection: enabled 2025/09/01 09:21:38 wifi device emulation: enabled 2025/09/01 09:21:38 802.15.4 emulation: enabled 2025/09/01 09:21:38 fetching corpus: 0, signal 0/2000 (executing program) 2025/09/01 09:21:38 fetching corpus: 50, signal 30066/33231 (executing program) 2025/09/01 09:21:38 fetching corpus: 100, signal 41412/45736 (executing program) 2025/09/01 09:21:39 fetching corpus: 150, signal 46600/52087 (executing program) 2025/09/01 09:21:39 fetching corpus: 200, signal 51223/57788 (executing program) 2025/09/01 09:21:39 fetching corpus: 250, signal 54761/62307 (executing program) 2025/09/01 09:21:39 fetching corpus: 300, signal 58309/66738 (executing program) 2025/09/01 09:21:39 fetching corpus: 350, signal 62178/71453 (executing program) 2025/09/01 09:21:39 fetching corpus: 400, signal 66169/76111 (executing program) 2025/09/01 09:21:39 fetching corpus: 450, signal 70091/80596 (executing program) 2025/09/01 
09:21:39 fetching corpus: 500, signal 72879/84027 (executing program) 2025/09/01 09:21:39 fetching corpus: 550, signal 75526/87276 (executing program) 2025/09/01 09:21:40 fetching corpus: 600, signal 77815/90137 (executing program) 2025/09/01 09:21:40 fetching corpus: 650, signal 80094/92901 (executing program) 2025/09/01 09:21:40 fetching corpus: 700, signal 82045/95342 (executing program) 2025/09/01 09:21:40 fetching corpus: 750, signal 84330/98061 (executing program) 2025/09/01 09:21:40 fetching corpus: 800, signal 85973/100165 (executing program) 2025/09/01 09:21:40 fetching corpus: 850, signal 88834/103200 (executing program) 2025/09/01 09:21:40 fetching corpus: 900, signal 90468/105206 (executing program) 2025/09/01 09:21:40 fetching corpus: 950, signal 91791/106975 (executing program) 2025/09/01 09:21:40 fetching corpus: 1000, signal 93565/109016 (executing program) 2025/09/01 09:21:40 fetching corpus: 1050, signal 95592/111230 (executing program) 2025/09/01 09:21:41 fetching corpus: 1100, signal 99236/114507 (executing program) 2025/09/01 09:21:41 fetching corpus: 1150, signal 102261/117262 (executing program) 2025/09/01 09:21:41 fetching corpus: 1200, signal 103975/119049 (executing program) 2025/09/01 09:21:41 fetching corpus: 1250, signal 105373/120560 (executing program) 2025/09/01 09:21:41 fetching corpus: 1300, signal 107413/122458 (executing program) 2025/09/01 09:21:41 fetching corpus: 1350, signal 108294/123537 (executing program) 2025/09/01 09:21:41 fetching corpus: 1400, signal 109749/124990 (executing program) 2025/09/01 09:21:41 fetching corpus: 1450, signal 111090/126287 (executing program) 2025/09/01 09:21:42 fetching corpus: 1500, signal 112219/127499 (executing program) 2025/09/01 09:21:42 fetching corpus: 1550, signal 113465/128689 (executing program) 2025/09/01 09:21:42 fetching corpus: 1600, signal 114485/129706 (executing program) 2025/09/01 09:21:42 fetching corpus: 1650, signal 116010/130992 (executing program) 2025/09/01 09:21:42 
fetching corpus: 1700, signal 117502/132288 (executing program) 2025/09/01 09:21:42 fetching corpus: 1750, signal 119125/133495 (executing program) 2025/09/01 09:21:42 fetching corpus: 1800, signal 119927/134300 (executing program) 2025/09/01 09:21:42 fetching corpus: 1850, signal 121032/135288 (executing program) 2025/09/01 09:21:42 fetching corpus: 1900, signal 122372/136280 (executing program) 2025/09/01 09:21:42 fetching corpus: 1950, signal 123459/137152 (executing program) 2025/09/01 09:21:43 fetching corpus: 2000, signal 124907/138120 (executing program) 2025/09/01 09:21:43 fetching corpus: 2050, signal 125906/138864 (executing program) 2025/09/01 09:21:43 fetching corpus: 2100, signal 126839/139526 (executing program) 2025/09/01 09:21:43 fetching corpus: 2150, signal 127762/140185 (executing program) 2025/09/01 09:21:43 fetching corpus: 2200, signal 128937/140914 (executing program) 2025/09/01 09:21:43 fetching corpus: 2250, signal 129665/141439 (executing program) 2025/09/01 09:21:43 fetching corpus: 2300, signal 130544/141999 (executing program) 2025/09/01 09:21:43 fetching corpus: 2350, signal 131543/142588 (executing program) 2025/09/01 09:21:43 fetching corpus: 2400, signal 132121/143027 (executing program) 2025/09/01 09:21:44 fetching corpus: 2450, signal 133161/143660 (executing program) 2025/09/01 09:21:44 fetching corpus: 2500, signal 133855/144038 (executing program) 2025/09/01 09:21:44 fetching corpus: 2550, signal 134718/144516 (executing program) 2025/09/01 09:21:44 fetching corpus: 2600, signal 135481/144926 (executing program) 2025/09/01 09:21:44 fetching corpus: 2650, signal 137070/145553 (executing program) 2025/09/01 09:21:44 fetching corpus: 2700, signal 137842/145896 (executing program) 2025/09/01 09:21:44 fetching corpus: 2750, signal 138442/146183 (executing program) 2025/09/01 09:21:44 fetching corpus: 2800, signal 139313/146552 (executing program) 2025/09/01 09:21:44 fetching corpus: 2850, signal 139755/146776 (executing program) 
2025/09/01 09:21:45 fetching corpus: 2900, signal 140301/147048 (executing program) 2025/09/01 09:21:45 fetching corpus: 2950, signal 140780/147235 (executing program) 2025/09/01 09:21:45 fetching corpus: 3000, signal 141884/147531 (executing program) 2025/09/01 09:21:45 fetching corpus: 3050, signal 142399/147712 (executing program) 2025/09/01 09:21:45 fetching corpus: 3100, signal 143049/147871 (executing program) 2025/09/01 09:21:45 fetching corpus: 3150, signal 143663/148071 (executing program) 2025/09/01 09:21:45 fetching corpus: 3200, signal 144426/148212 (executing program) 2025/09/01 09:21:45 fetching corpus: 3250, signal 145441/148423 (executing program) 2025/09/01 09:21:45 fetching corpus: 3300, signal 145899/148503 (executing program) 2025/09/01 09:21:45 fetching corpus: 3308, signal 146025/148550 (executing program) 2025/09/01 09:21:45 fetching corpus: 3308, signal 146025/148589 (executing program) 2025/09/01 09:21:45 fetching corpus: 3308, signal 146025/148633 (executing program) 2025/09/01 09:21:45 fetching corpus: 3308, signal 146025/148667 (executing program) 2025/09/01 09:21:45 fetching corpus: 3308, signal 146025/148694 (executing program) 2025/09/01 09:21:45 fetching corpus: 3308, signal 146025/148741 (executing program) 2025/09/01 09:21:45 fetching corpus: 3308, signal 146025/148749 (executing program) 2025/09/01 09:21:45 fetching corpus: 3308, signal 146025/148749 (executing program) 2025/09/01 09:21:48 starting 8 fuzzer processes 09:21:48 executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000700)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) sendmsg$NL80211_CMD_TRIGGER_SCAN(r0, &(0x7f0000000340)={0x0, 0x0, 
&(0x7f0000000300)={&(0x7f0000000240)={0x40, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IE={0x11, 0x2a, [@random={0xdd, 0xb, 'abcdefghijk'}]}, @NL80211_ATTR_SCAN_SSIDS={0x10, 0x2d, 0x0, 0x1, [{0xa, 0x0, @default_ap_ssid}]}]}, 0x40}}, 0x0) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000040)=@mgmt_frame=@beacon={@wo_ht={{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x8, [{0x2, 0x1}, {0x4, 0x1}, {0xb, 0x1}, {0x16, 0x1}, {0xc}, {0x12}, {0x18}, {0x24}]}, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void}, 0x36) nanosleep(&(0x7f0000000080)={0x0, 0x4c4b40}, &(0x7f00000000c0)) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000340)=@mgmt_frame=@probe_response={@wo_ht={{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x8, [{0x2, 0x1}, {0x4, 0x1}, {0xb, 0x1}, {0x16, 0x1}, {0xc}, {0x12}, {0x18}, {0x24}]}, @void, @void, @void, @void, @void, @void}, 0x36) 09:21:48 executing program 1: r0 = socket$inet6_udp(0xa, 0x2, 0x0) setsockopt$inet6_mreq(r0, 0x29, 0x2a, 0x0, 0x1300) 09:21:48 executing program 2: syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_si_security={{0x2, 0x7}, {0xb6b4}}}, 0xa) syz_open_procfs(0xffffffffffffffff, 0x0) 09:21:48 executing program 7: capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000000)) syz_open_procfs(0x0, &(0x7f0000000000)='setgroups\x00') 09:21:48 executing program 4: io_setup(0x572, &(0x7f0000000140)=0x0) io_pgetevents(r0, 0x0, 0x0, 0x0, 0x0, 0x0) 09:21:48 executing program 5: sendmsg$NL80211_CMD_CONNECT(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x28, 0x0, 0x0, 0x0, 0x0, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}]}, 0x28}}, 0x0) r0 = io_uring_setup(0x4179, &(0x7f00000001c0)) io_uring_register$IORING_REGISTER_EVENTFD_ASYNC(r0, 0x18, &(0x7f0000000240), 
0x1) 09:21:48 executing program 3: syz_mount_image$ext4(&(0x7f0000000000)='ext4\x00', &(0x7f0000000100)='./mnt\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f0000010000)="1000000040000000030000002b00000005000000010000000000000000000000002000000020000010000000000000009f09c75f0000ffff53ef", 0x3a, 0x400}], 0x0, &(0x7f0000000040)={[{@init_itable}]}) 09:21:48 executing program 6: r0 = shmget$private(0x0, 0x4000, 0x0, &(0x7f0000ff6000/0x4000)=nil) shmat(r0, &(0x7f0000ffe000/0x2000)=nil, 0x4000) mlock(&(0x7f0000ffe000/0x2000)=nil, 0x2000) madvise(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x17) madvise(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x17) [ 72.020089] audit: type=1400 audit(1756718508.468:7): avc: denied { execmem } for pid=272 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1 [ 73.218402] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 73.220919] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 73.226274] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 73.233190] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 73.235801] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 73.280636] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 73.287144] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 73.289387] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 73.298981] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 73.300998] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 73.356491] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 73.359106] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 73.361112] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 73.383572] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 73.387904] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 73.441403] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1 [ 73.444546] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 
73.446671] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9 [ 73.449350] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9 [ 73.452208] Bluetooth: hci6: unexpected cc 0x0c03 length: 249 > 1 [ 73.461166] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 73.467297] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1 [ 73.474358] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 73.477571] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9 [ 73.479972] Bluetooth: hci6: unexpected cc 0x1003 length: 249 > 9 [ 73.483783] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4 [ 73.483931] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9 [ 73.492479] Bluetooth: hci6: unexpected cc 0x1001 length: 249 > 9 [ 73.495169] Bluetooth: hci7: unexpected cc 0x0c03 length: 249 > 1 [ 73.500127] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 73.503047] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 73.509613] Bluetooth: hci7: unexpected cc 0x1003 length: 249 > 9 [ 73.511679] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2 [ 73.514261] Bluetooth: hci7: unexpected cc 0x1001 length: 249 > 9 [ 73.523068] Bluetooth: hci7: unexpected cc 0x0c23 length: 249 > 4 [ 73.524669] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4 [ 73.526300] Bluetooth: hci6: unexpected cc 0x0c23 length: 249 > 4 [ 73.533655] Bluetooth: hci7: unexpected cc 0x0c38 length: 249 > 2 [ 73.535162] Bluetooth: hci6: unexpected cc 0x0c38 length: 249 > 2 [ 73.538572] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2 [ 75.311227] Bluetooth: hci0: command tx timeout [ 75.374817] Bluetooth: hci1: command tx timeout [ 75.439064] Bluetooth: hci2: command tx timeout [ 75.566868] Bluetooth: hci6: command tx timeout [ 75.568216] Bluetooth: hci7: command tx timeout [ 75.568809] Bluetooth: hci3: command tx timeout [ 75.630900] Bluetooth: hci5: command tx timeout [ 75.631568] Bluetooth: hci4: command tx timeout [ 77.358816] Bluetooth: hci0: command tx timeout [ 77.422972] 
Bluetooth: hci1: command tx timeout [ 77.487063] Bluetooth: hci2: command tx timeout [ 77.615149] Bluetooth: hci3: command tx timeout [ 77.616130] Bluetooth: hci7: command tx timeout [ 77.617197] Bluetooth: hci6: command tx timeout [ 77.679319] Bluetooth: hci4: command tx timeout [ 77.679796] Bluetooth: hci5: command tx timeout [ 79.406815] Bluetooth: hci0: command tx timeout [ 79.471796] Bluetooth: hci1: command tx timeout [ 79.534911] Bluetooth: hci2: command tx timeout [ 79.662846] Bluetooth: hci3: command tx timeout [ 79.662881] Bluetooth: hci6: command tx timeout [ 79.663271] Bluetooth: hci7: command tx timeout [ 79.727103] Bluetooth: hci4: command tx timeout [ 79.727509] Bluetooth: hci5: command tx timeout [ 81.463797] Bluetooth: hci0: command tx timeout [ 81.518911] Bluetooth: hci1: command tx timeout [ 81.583116] Bluetooth: hci2: command tx timeout [ 81.710801] Bluetooth: hci6: command tx timeout [ 81.711331] Bluetooth: hci7: command tx timeout [ 81.712768] Bluetooth: hci3: command tx timeout [ 81.774866] Bluetooth: hci5: command tx timeout [ 81.775257] Bluetooth: hci4: command tx timeout [ 110.804189] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 110.805364] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 111.061691] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 111.062520] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 111.292969] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 111.293911] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 111.351917] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 111.352532] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 111.429167] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 111.429780] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 111.597634] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 111.598298] wlan1: Creating new IBSS network, BSSID 
50:50:50:50:50:50 [ 111.695347] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 111.712000] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 111.712574] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 111.838307] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 111.851273] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 111.851880] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 112.062802] capability: warning: `syz-executor.7' uses deprecated v2 capabilities in a way that may be insecure 09:22:28 executing program 6: r0 = shmget$private(0x0, 0x4000, 0x0, &(0x7f0000ff6000/0x4000)=nil) shmat(r0, &(0x7f0000ffe000/0x2000)=nil, 0x4000) mlock(&(0x7f0000ffe000/0x2000)=nil, 0x2000) madvise(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x17) madvise(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x17) 09:22:28 executing program 5: sendmsg$NL80211_CMD_CONNECT(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x28, 0x0, 0x0, 0x0, 0x0, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}]}, 0x28}}, 0x0) r0 = io_uring_setup(0x4179, &(0x7f00000001c0)) io_uring_register$IORING_REGISTER_EVENTFD_ASYNC(r0, 0x18, &(0x7f0000000240), 0x1) 09:22:28 executing program 7: capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000000)) syz_open_procfs(0x0, &(0x7f0000000000)='setgroups\x00') [ 112.156710] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 112.749787] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 112.750402] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 112.816941] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 112.817526] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 112.960128] Bluetooth: hci2: Malformed Event: 0x02 [ 112.969798] Bluetooth: hci2: Malformed Event: 0x02 [ 113.100238] wlan0: Created 
IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 113.100909] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 113.153396] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 113.154153] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 113.188602] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 113.189439] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 113.228083] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 113.228778] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 113.267141] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 113.268281] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 113.317165] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 113.318371] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 113.444249] loop3: detected capacity change from 0 to 4 [ 113.463397] EXT4-fs (loop3): bad geometry: block count 64 exceeds size of device (2 blocks) 09:22:29 executing program 7: capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000000)) syz_open_procfs(0x0, &(0x7f0000000000)='setgroups\x00') 09:22:29 executing program 5: sendmsg$NL80211_CMD_CONNECT(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x28, 0x0, 0x0, 0x0, 0x0, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}]}, 0x28}}, 0x0) r0 = io_uring_setup(0x4179, &(0x7f00000001c0)) io_uring_register$IORING_REGISTER_EVENTFD_ASYNC(r0, 0x18, &(0x7f0000000240), 0x1) 09:22:29 executing program 2: syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_si_security={{0x2, 0x7}, {0xb6b4}}}, 0xa) syz_open_procfs(0xffffffffffffffff, 0x0) 09:22:29 executing program 6: r0 = shmget$private(0x0, 0x4000, 0x0, &(0x7f0000ff6000/0x4000)=nil) shmat(r0, &(0x7f0000ffe000/0x2000)=nil, 0x4000) mlock(&(0x7f0000ffe000/0x2000)=nil, 0x2000) madvise(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x17) 
madvise(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x17) 09:22:29 executing program 1: r0 = socket$inet6_udp(0xa, 0x2, 0x0) setsockopt$inet6_mreq(r0, 0x29, 0x2a, 0x0, 0x1300) 09:22:29 executing program 4: io_setup(0x572, &(0x7f0000000140)=0x0) io_pgetevents(r0, 0x0, 0x0, 0x0, 0x0, 0x0) 09:22:29 executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000700)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) sendmsg$NL80211_CMD_TRIGGER_SCAN(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x40, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IE={0x11, 0x2a, [@random={0xdd, 0xb, 'abcdefghijk'}]}, @NL80211_ATTR_SCAN_SSIDS={0x10, 0x2d, 0x0, 0x1, [{0xa, 0x0, @default_ap_ssid}]}]}, 0x40}}, 0x0) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000040)=@mgmt_frame=@beacon={@wo_ht={{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x8, [{0x2, 0x1}, {0x4, 0x1}, {0xb, 0x1}, {0x16, 0x1}, {0xc}, {0x12}, {0x18}, {0x24}]}, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void}, 0x36) nanosleep(&(0x7f0000000080)={0x0, 0x4c4b40}, &(0x7f00000000c0)) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000340)=@mgmt_frame=@probe_response={@wo_ht={{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x8, [{0x2, 0x1}, {0x4, 0x1}, {0xb, 0x1}, {0x16, 0x1}, {0xc}, {0x12}, {0x18}, {0x24}]}, @void, @void, @void, @void, @void, @void}, 0x36) 09:22:29 executing program 3: syz_mount_image$ext4(&(0x7f0000000000)='ext4\x00', &(0x7f0000000100)='./mnt\x00', 0x0, 0x1, 
&(0x7f0000000200)=[{&(0x7f0000010000)="1000000040000000030000002b00000005000000010000000000000000000000002000000020000010000000000000009f09c75f0000ffff53ef", 0x3a, 0x400}], 0x0, &(0x7f0000000040)={[{@init_itable}]}) [ 113.530418] Bluetooth: hci2: Malformed Event: 0x02 [ 113.544156] loop3: detected capacity change from 0 to 4 09:22:29 executing program 7: capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000000)) syz_open_procfs(0x0, &(0x7f0000000000)='setgroups\x00') [ 113.555937] EXT4-fs (loop3): bad geometry: block count 64 exceeds size of device (2 blocks) [ 113.562206] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 113.632700] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 115.894516] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 115.897336] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 115.902059] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 115.913085] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 115.917765] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 117.998799] Bluetooth: hci0: command tx timeout [ 120.046839] Bluetooth: hci0: command tx timeout [ 122.094836] Bluetooth: hci0: command tx timeout [ 124.143943] Bluetooth: hci0: command tx timeout [ 131.770808] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 131.772337] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 131.849297] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 131.850802] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 131.971937] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 131.982424] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium 09:22:48 executing program 1: r0 = socket$inet6_udp(0xa, 0x2, 0x0) setsockopt$inet6_mreq(r0, 0x29, 0x2a, 0x0, 0x1300) 09:22:48 executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = 
syz_genetlink_get_family_id$nl80211(&(0x7f0000000200), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000700)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) sendmsg$NL80211_CMD_TRIGGER_SCAN(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x40, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IE={0x11, 0x2a, [@random={0xdd, 0xb, 'abcdefghijk'}]}, @NL80211_ATTR_SCAN_SSIDS={0x10, 0x2d, 0x0, 0x1, [{0xa, 0x0, @default_ap_ssid}]}]}, 0x40}}, 0x0) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000040)=@mgmt_frame=@beacon={@wo_ht={{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x8, [{0x2, 0x1}, {0x4, 0x1}, {0xb, 0x1}, {0x16, 0x1}, {0xc}, {0x12}, {0x18}, {0x24}]}, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void}, 0x36) nanosleep(&(0x7f0000000080)={0x0, 0x4c4b40}, &(0x7f00000000c0)) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000340)=@mgmt_frame=@probe_response={@wo_ht={{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x8, [{0x2, 0x1}, {0x4, 0x1}, {0xb, 0x1}, {0x16, 0x1}, {0xc}, {0x12}, {0x18}, {0x24}]}, @void, @void, @void, @void, @void, @void}, 0x36) 09:22:48 executing program 4: io_setup(0x572, &(0x7f0000000140)=0x0) io_pgetevents(r0, 0x0, 0x0, 0x0, 0x0, 0x0) 09:22:48 executing program 5: sendmsg$NL80211_CMD_CONNECT(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x28, 0x0, 0x0, 0x0, 0x0, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}]}, 0x28}}, 0x0) r0 = io_uring_setup(0x4179, &(0x7f00000001c0)) io_uring_register$IORING_REGISTER_EVENTFD_ASYNC(r0, 0x18, 
&(0x7f0000000240), 0x1) 09:22:48 executing program 6: r0 = shmget$private(0x0, 0x4000, 0x0, &(0x7f0000ff6000/0x4000)=nil) shmat(r0, &(0x7f0000ffe000/0x2000)=nil, 0x4000) mlock(&(0x7f0000ffe000/0x2000)=nil, 0x2000) madvise(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x17) madvise(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x17) 09:22:48 executing program 2: syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_si_security={{0x2, 0x7}, {0xb6b4}}}, 0xa) syz_open_procfs(0xffffffffffffffff, 0x0) 09:22:48 executing program 3: syz_mount_image$ext4(&(0x7f0000000000)='ext4\x00', &(0x7f0000000100)='./mnt\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f0000010000)="1000000040000000030000002b00000005000000010000000000000000000000002000000020000010000000000000009f09c75f0000ffff53ef", 0x3a, 0x400}], 0x0, &(0x7f0000000040)={[{@init_itable}]}) 09:22:48 executing program 7: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000700)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) sendmsg$NL80211_CMD_TRIGGER_SCAN(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x40, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IE={0x11, 0x2a, [@random={0xdd, 0xb, 'abcdefghijk'}]}, @NL80211_ATTR_SCAN_SSIDS={0x10, 0x2d, 0x0, 0x1, [{0xa, 0x0, @default_ap_ssid}]}]}, 0x40}}, 0x0) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000040)=@mgmt_frame=@beacon={@wo_ht={{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x8, [{0x2, 0x1}, {0x4, 0x1}, {0xb, 0x1}, {0x16, 0x1}, {0xc}, {0x12}, {0x18}, {0x24}]}, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void}, 0x36) 
nanosleep(&(0x7f0000000080)={0x0, 0x4c4b40}, &(0x7f00000000c0)) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000340)=@mgmt_frame=@probe_response={@wo_ht={{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x8, [{0x2, 0x1}, {0x4, 0x1}, {0xb, 0x1}, {0x16, 0x1}, {0xc}, {0x12}, {0x18}, {0x24}]}, @void, @void, @void, @void, @void, @void}, 0x36)
[ 132.396354] Bluetooth: hci2: Malformed Event: 0x02
[ 132.396841] loop3: detected capacity change from 0 to 4
[ 132.398582] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 132.404198] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 132.417411] EXT4-fs (loop3): bad geometry: block count 64 exceeds size of device (2 blocks)
[ 132.431003] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 132.447671] kmemleak: Found object by alias at 0x607f1a63dcf8
[ 132.447698] CPU: 0 UID: 0 PID: 4374 Comm: syz-executor.1 Tainted: G W 6.17.0-rc4-next-20250901 #1 PREEMPT(voluntary)
[ 132.447741] Tainted: [W]=WARN
[ 132.447748] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 132.447761] Call Trace:
[ 132.447768]
[ 132.447777] dump_stack_lvl+0xca/0x120
[ 132.447824] __lookup_object+0x94/0xb0
[ 132.447856] delete_object_full+0x27/0x70
[ 132.447887] free_percpu+0x30/0x1160
[ 132.447917] ? arch_uprobe_clear_state+0x16/0x140
[ 132.447954] futex_hash_free+0x38/0xc0
[ 132.447980] mmput+0x2d3/0x390
[ 132.448015] do_exit+0x79d/0x2970
[ 132.448041] ? signal_wake_up_state+0x85/0x120
[ 132.448070] ? zap_other_threads+0x2b9/0x3a0
[ 132.448101] ? __pfx_do_exit+0x10/0x10
[ 132.448136] ? do_group_exit+0x1c3/0x2a0
[ 132.448162] ? lock_release+0xc8/0x290
[ 132.448194] do_group_exit+0xd3/0x2a0
[ 132.448223] __x64_sys_exit_group+0x3e/0x50
[ 132.448249] x64_sys_call+0x18c5/0x18d0
[ 132.448279] do_syscall_64+0xbf/0x360
[ 132.448303] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 132.448325] RIP: 0033:0x7f711d2a5b19
[ 132.448341] Code: Unable to access opcode bytes at 0x7f711d2a5aef.
[ 132.448351] RSP: 002b:00007fffc338ce18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 132.448372] RAX: ffffffffffffffda RBX: 000000000000001e RCX: 00007f711d2a5b19
[ 132.448387] RDX: 00007f711d25872b RSI: ffffffffffffffbc RDI: 0000000000000000
[ 132.448401] RBP: 0000000000000000 R08: 0000001b2ce2150c R09: 0000000000000000
[ 132.448414] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 132.448427] R13: 0000000000000000 R14: 0000000000000001 R15: 00007fffc338cf00
[ 132.448455]
[ 132.448463] kmemleak: Object (percpu) 0x607f1a63dcf4 (size 20):
[ 132.448476] kmemleak: comm "syz-executor.0", pid 3920, jiffies 4294783347
[ 132.448489] kmemleak: min_count = 1
[ 132.448496] kmemleak: count = 1
[ 132.448503] kmemleak: flags = 0x21
[ 132.448511] kmemleak: checksum = 0
[ 132.448517] kmemleak: backtrace:
[ 132.448524] pcpu_alloc_noprof+0x87a/0x1170
[ 132.448553] qdisc_alloc+0x443/0xbe0
[ 132.448577] qdisc_create_dflt+0x75/0x3d0
[ 132.448599] dev_activate+0x692/0x1250
[ 132.448621] __dev_open+0x5f2/0x840
[ 132.448648] __dev_change_flags+0x51e/0x6e0
[ 132.448675] netif_change_flags+0x8e/0x170
[ 132.448702] do_setlink.constprop.0+0xc4d/0x3df0
[ 132.448733] rtnl_newlink+0x14a8/0x1f30
[ 132.448761] rtnetlink_rcv_msg+0x9c6/0xfc0
[ 132.448790] netlink_rcv_skb+0x147/0x430
[ 132.448822] netlink_unicast+0x5a7/0x870
[ 132.448851] netlink_sendmsg+0x8ac/0xd80
[ 132.448881] __sys_sendto+0x506/0x570
[ 132.448908] __x64_sys_sendto+0xe1/0x1c0
[ 132.448935] do_syscall_64+0xbf/0x360
[ 132.484786] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 132.494281] kmemleak: Cannot insert 0x607f1a63dcf8 into the object search tree (overlaps existing)
[ 132.494310] CPU: 0 UID: 0 PID: 282 Comm: syz-executor.2 Tainted: G W 6.17.0-rc4-next-20250901 #1 PREEMPT(voluntary)
[ 132.494343] Tainted: [W]=WARN
[ 132.494350] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 132.494363] Call Trace:
[ 132.494370]
[ 132.494378] dump_stack_lvl+0xca/0x120
[ 132.494422] __link_object+0x190/0x210
[ 132.494454] __create_object+0x48/0x80
[ 132.494487] pcpu_alloc_noprof+0x87a/0x1170
[ 132.494531] mm_init+0x99b/0x1170
[ 132.494556] copy_process+0x3ab7/0x73c0
[ 132.494593] ? __pfx_copy_process+0x10/0x10
[ 132.494622] ? do_raw_spin_lock+0x123/0x260
[ 132.494660] kernel_clone+0xea/0x7f0
[ 132.494685] ? __pfx_kernel_clone+0x10/0x10
[ 132.494711] ? __lock_acquire+0x694/0x1b70
[ 132.494746] ? css_rstat_updated+0x1b8/0x4d0
[ 132.494780] ? __pfx_css_rstat_updated+0x10/0x10
[ 132.494816] __do_sys_clone+0xce/0x120
[ 132.494839] ? __pfx___do_sys_clone+0x10/0x10
[ 132.494860] ? find_held_lock+0x2b/0x80
[ 132.494911] ? trace_irq_enable.constprop.0+0xc2/0x100
[ 132.494940] do_syscall_64+0xbf/0x360
[ 132.494963] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 132.494985] RIP: 0033:0x7f8eac7c810b
[ 132.495003] Code: ed 0f 85 60 01 00 00 64 4c 8b 0c 25 10 00 00 00 45 31 c0 4d 8d 91 d0 02 00 00 31 d2 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 89 00 00 00 41 89 c5 85 c0 0f 85 90 00 00
[ 132.495024] RSP: 002b:00007ffc7961e210 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
[ 132.495044] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8eac7c810b
[ 132.495059] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
[ 132.495072] RBP: 0000000000000001 R08: 0000000000000000 R09: 00005555700cb400
[ 132.495085] R10: 00005555700cb6d0 R11: 0000000000000246 R12: 0000000000000001
[ 132.495098] R13: 0000000000000000 R14: 0000000000000001 R15: 00007ffc7961e2f0
[ 132.495126]
[ 132.496261] kmemleak: Kernel memory leak detector disabled
[ 132.496269] kmemleak: Object (percpu) 0x607f1a63dcf4 (size 20):
[ 132.496282] kmemleak: comm "syz-executor.0", pid 3920, jiffies 4294783347
[ 132.496295] kmemleak: min_count = 1
[ 132.496303] kmemleak: count = 1
[ 132.496309] kmemleak: flags = 0x21
[ 132.496317] kmemleak: checksum = 0
[ 132.496323] kmemleak: backtrace:
[ 132.496330] pcpu_alloc_noprof+0x87a/0x1170
[ 132.496359] qdisc_alloc+0x443/0xbe0
[ 132.496383] qdisc_create_dflt+0x75/0x3d0
[ 132.496405] dev_activate+0x692/0x1250
[ 132.496427] __dev_open+0x5f2/0x840
[ 132.496454] __dev_change_flags+0x51e/0x6e0
[ 132.496481] netif_change_flags+0x8e/0x170
[ 132.496508] do_setlink.constprop.0+0xc4d/0x3df0
[ 132.496539] rtnl_newlink+0x14a8/0x1f30
[ 132.496567] rtnetlink_rcv_msg+0x9c6/0xfc0
[ 132.496596] netlink_rcv_skb+0x147/0x430
[ 132.496627] netlink_unicast+0x5a7/0x870
[ 132.496656] netlink_sendmsg+0x8ac/0xd80
[ 132.496686] __sys_sendto+0x506/0x570
[ 132.496713] __x64_sys_sendto+0xe1/0x1c0
[ 132.496740] do_syscall_64+0xbf/0x360
09:22:48 executing program 2:
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_si_security={{0x2, 0x7}, {0xb6b4}}}, 0xa) syz_open_procfs(0xffffffffffffffff, 0x0) 09:22:48 executing program 3: syz_mount_image$ext4(&(0x7f0000000000)='ext4\x00', &(0x7f0000000100)='./mnt\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f0000010000)="1000000040000000030000002b00000005000000010000000000000000000000002000000020000010000000000000009f09c75f0000ffff53ef", 0x3a, 0x400}], 0x0, &(0x7f0000000040)={[{@init_itable}]}) [ 132.548278] kmemleak: Automatic memory scanning thread ended 09:22:49 executing program 1: r0 = socket$inet6_udp(0xa, 0x2, 0x0) setsockopt$inet6_mreq(r0, 0x29, 0x2a, 0x0, 0x1300) 09:22:49 executing program 4: io_setup(0x572, &(0x7f0000000140)=0x0) io_pgetevents(r0, 0x0, 0x0, 0x0, 0x0, 0x0) [ 132.586229] loop3: detected capacity change from 0 to 4 [ 132.600854] EXT4-fs (loop3): bad geometry: block count 64 exceeds size of device (2 blocks) [ 132.621489] Bluetooth: hci2: Malformed Event: 0x02 09:22:49 executing program 6: r0 = shmget$private(0x0, 0x4000, 0x0, &(0x7f0000ff6000/0x4000)=nil) shmat(r0, &(0x7f0000ffe000/0x2000)=nil, 0x4000) mlock(&(0x7f0000ffe000/0x2000)=nil, 0x2000) madvise(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x17) madvise(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x17) 09:22:49 executing program 5: perf_event_open(&(0x7f0000000000)={0x2, 0x80, 0xeb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0) ioctl$SNDRV_TIMER_IOCTL_GPARAMS(r0, 0x40345410, &(0x7f0000000040)={{0x1}}) ioctl$SNDRV_TIMER_IOCTL_CONTINUE(r0, 0x54a2) [ 132.712865] audit: type=1400 audit(1756718569.160:8): avc: denied { open } for pid=4395 comm="syz-executor.5" scontext=system_u:system_r:kernel_t:s0 
tcontext=system_u:system_r:kernel_t:s0 tclass=perf_event permissive=1 [ 132.728439] audit: type=1400 audit(1756718569.160:9): avc: denied { kernel } for pid=4395 comm="syz-executor.5" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=perf_event permissive=1 [ 135.098121] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1 [ 135.100289] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9 [ 135.102423] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9 [ 135.103528] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4 [ 135.104312] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2 [ 137.134929] Bluetooth: hci4: command tx timeout [ 139.182807] Bluetooth: hci4: command tx timeout [ 141.230827] Bluetooth: hci4: command tx timeout [ 143.095301] unregister_netdevice: waiting for wlan0 to become free. Usage count = 0 [ 143.278810] Bluetooth: hci4: command tx timeout [ 144.077985] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 144.079328] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 144.110454] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 144.111655] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 144.188599] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 144.198979] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium 09:23:00 executing program 6: r0 = shmget$private(0x0, 0x4000, 0x0, &(0x7f0000ff6000/0x4000)=nil) shmat(r0, &(0x7f0000ffe000/0x2000)=nil, 0x4000) mlock(&(0x7f0000ffe000/0x2000)=nil, 0x2000) madvise(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x17) madvise(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x17) 09:23:00 executing program 1: syz_mount_image$vfat(&(0x7f0000000000), &(0x7f0000000100)='./file1\x00', 0x8, 0x4, &(0x7f00000002c0)=[{0x0}, 
{&(0x7f0000000780)="73797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c6572736c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a64616c6c657273797a6b616c6c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616cc6ad6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b61", 0x336, 0x7fffffff}, {&(0x7f0000000240)="73797a6b616c6c65727300000000000007000000000000003561a1c48b000000", 0x20, 0x1}, {&(0x7f0000010c00)="73797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c65727a6b616c6c657273797a6b616c6c6572be731b1b616c6c65727300"/117, 0x75, 
0x141ffd}], 0x0, &(0x7f0000000200)={[{@uni_xlate}]}) 09:23:00 executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000700)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) sendmsg$NL80211_CMD_TRIGGER_SCAN(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x40, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IE={0x11, 0x2a, [@random={0xdd, 0xb, 'abcdefghijk'}]}, @NL80211_ATTR_SCAN_SSIDS={0x10, 0x2d, 0x0, 0x1, [{0xa, 0x0, @default_ap_ssid}]}]}, 0x40}}, 0x0) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000040)=@mgmt_frame=@beacon={@wo_ht={{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x8, [{0x2, 0x1}, {0x4, 0x1}, {0xb, 0x1}, {0x16, 0x1}, {0xc}, {0x12}, {0x18}, {0x24}]}, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void}, 0x36) nanosleep(&(0x7f0000000080)={0x0, 0x4c4b40}, &(0x7f00000000c0)) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000340)=@mgmt_frame=@probe_response={@wo_ht={{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x8, [{0x2, 0x1}, {0x4, 0x1}, {0xb, 0x1}, {0x16, 0x1}, {0xc}, {0x12}, {0x18}, {0x24}]}, @void, @void, @void, @void, @void, @void}, 0x36) 09:23:00 executing program 7: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000700)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x24, r1, 0x5, 0x0, 0x0, {{}, 
{@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) sendmsg$NL80211_CMD_TRIGGER_SCAN(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x40, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IE={0x11, 0x2a, [@random={0xdd, 0xb, 'abcdefghijk'}]}, @NL80211_ATTR_SCAN_SSIDS={0x10, 0x2d, 0x0, 0x1, [{0xa, 0x0, @default_ap_ssid}]}]}, 0x40}}, 0x0) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000040)=@mgmt_frame=@beacon={@wo_ht={{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x8, [{0x2, 0x1}, {0x4, 0x1}, {0xb, 0x1}, {0x16, 0x1}, {0xc}, {0x12}, {0x18}, {0x24}]}, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void}, 0x36) nanosleep(&(0x7f0000000080)={0x0, 0x4c4b40}, &(0x7f00000000c0)) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000340)=@mgmt_frame=@probe_response={@wo_ht={{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x8, [{0x2, 0x1}, {0x4, 0x1}, {0xb, 0x1}, {0x16, 0x1}, {0xc}, {0x12}, {0x18}, {0x24}]}, @void, @void, @void, @void, @void, @void}, 0x36) 09:23:00 executing program 2: r0 = io_uring_setup(0x5053, &(0x7f0000000140)) io_uring_register$IORING_REGISTER_FILES(r0, 0x22, &(0x7f0000000580)=[0xffffffffffffffff, 0xffffffffffffffff], 0x2) 09:23:00 executing program 4: syz_emit_ethernet(0x36, &(0x7f0000000040)={@local, @dev, @void, {@ipv4={0x800, @tcp={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x6, 0x0, @local={0xac, 0x28}, @broadcast}, {{0x0, 0x0, 0x41424344, 0x41424344, 0x0, 0x0, 0x5}}}}}}, 0x0) 09:23:00 executing program 3: r0 = openat$null(0xffffffffffffff9c, &(0x7f0000000580), 0x0, 0x0) pidfd_send_signal(r0, 0x0, 0x0, 0x0) 09:23:00 executing program 5: perf_event_open(&(0x7f0000000000)={0x2, 0x80, 0xeb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0) ioctl$SNDRV_TIMER_IOCTL_GPARAMS(r0, 0x40345410, &(0x7f0000000040)={{0x1}}) ioctl$SNDRV_TIMER_IOCTL_CONTINUE(r0, 0x54a2) [ 144.580966] loop1: detected capacity change from 0 to 264192 [ 144.585935] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 144.601267] FAT-fs (loop1): bogus number of reserved sectors [ 144.602475] FAT-fs (loop1): Can't find a valid FAT filesystem [ 144.610707] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 144.617117] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 144.638233] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium 09:23:01 executing program 4: syz_emit_ethernet(0x36, &(0x7f0000000040)={@local, @dev, @void, {@ipv4={0x800, @tcp={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x6, 0x0, @local={0xac, 0x28}, @broadcast}, {{0x0, 0x0, 0x41424344, 0x41424344, 0x0, 0x0, 0x5}}}}}}, 0x0) 09:23:01 executing program 5: perf_event_open(&(0x7f0000000000)={0x2, 0x80, 0xeb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0) ioctl$SNDRV_TIMER_IOCTL_GPARAMS(r0, 0x40345410, &(0x7f0000000040)={{0x1}}) ioctl$SNDRV_TIMER_IOCTL_CONTINUE(r0, 0x54a2) 09:23:01 executing program 3: r0 = openat$null(0xffffffffffffff9c, &(0x7f0000000580), 0x0, 0x0) pidfd_send_signal(r0, 0x0, 0x0, 0x0) 09:23:01 executing program 2: r0 = io_uring_setup(0x5053, 
&(0x7f0000000140)) io_uring_register$IORING_REGISTER_FILES(r0, 0x22, &(0x7f0000000580)=[0xffffffffffffffff, 0xffffffffffffffff], 0x2) 09:23:01 executing program 6: r0 = shmget$private(0x0, 0x4000, 0x0, &(0x7f0000ff6000/0x4000)=nil) shmat(r0, &(0x7f0000ffe000/0x2000)=nil, 0x4000) mlock(&(0x7f0000ffe000/0x2000)=nil, 0x2000) madvise(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x17) madvise(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x17) 09:23:01 executing program 1: syz_mount_image$vfat(&(0x7f0000000000), &(0x7f0000000100)='./file1\x00', 0x8, 0x4, &(0x7f00000002c0)=[{0x0}, {&(0x7f0000000780)="73797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c6572736c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a64616c6c657273797a6b616c6c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657
273797a6b616c6c657273797a6b616cc6ad6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b61", 0x336, 0x7fffffff}, {&(0x7f0000000240)="73797a6b616c6c65727300000000000007000000000000003561a1c48b000000", 0x20, 0x1}, {&(0x7f0000010c00)="73797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c65727a6b616c6c657273797a6b616c6c6572be731b1b616c6c65727300"/117, 0x75, 0x141ffd}], 0x0, &(0x7f0000000200)={[{@uni_xlate}]}) [ 144.722845] BUG: unable to handle page fault for address: ffffed10222ab106 [ 144.723928] #PF: supervisor read access in kernel mode [ 144.724705] #PF: error_code(0x0000) - not-present page [ 144.725475] PGD 7ffd4067 P4D 7ffd4067 PUD 7ffd3067 PMD 0 [ 144.726311] Oops: Oops: 0000 [#1] SMP KASAN NOPTI [ 144.727025] CPU: 1 UID: 0 PID: 4882 Comm: syz-executor.5 Tainted: G W 6.17.0-rc4-next-20250901 #1 PREEMPT(voluntary) [ 144.728777] Tainted: [W]=WARN [ 144.729239] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 [ 144.730441] RIP: 0010:perf_tp_event+0x175/0xe70 [ 144.731189] Code: ff df 48 89 85 a8 fd ff ff 48 c1 e8 03 4c 01 e0 48 89 85 c8 fd ff ff e8 c9 51 ea ff 48 8d bb f0 01 00 00 48 89 f8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 74 08 3c 03 0f 8e c5 0b 00 00 44 8b ab f0 01 [ 144.733931] RSP: 0018:ffff888043e2f780 EFLAGS: 00010016 [ 144.734730] RAX: 1ffff110222ab106 RBX: ffff888111558640 RCX: ffffc9000bc4b000 [ 144.735789] RDX: 0000000000040000 RSI: ffffffff8189a4e7 RDI: ffff888111558830 [ 144.736855] RBP: ffff888043e2f9f0 R08: ffff88806cf31340 R09: ffffe8ffffd169d8 [ 144.737916] R10: 0000000000000000 R11: 0000000000000001 R12: dffffc0000000000 [ 144.738972] R13: 0000000000000014 R14: ffff88806cf31340 R15: dffffc0000000000 [ 144.740033] FS: 00007f3004dda700(0000) GS:ffff8880e56d8000(0000) knlGS:0000000000000000 [ 144.741227] CS: 
0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 144.742096] CR2: ffffed10222ab106 CR3: 0000000007282000 CR4: 0000000000350ef0 [ 144.743163] Call Trace: [ 144.743561] [ 144.743919] ? __pfx_perf_tp_event+0x10/0x10 [ 144.744608] ? __asan_memcpy+0x3d/0x60 [ 144.745207] ? visit_groups_merge.constprop.0.isra.0+0x6e7/0x1150 [ 144.746142] ? perf_trace_run_bpf_submit+0xef/0x180 [ 144.746901] ? lock_is_held_type+0x9e/0x120 [ 144.747564] ? perf_trace_run_bpf_submit+0xef/0x180 [ 144.748340] ? css_rstat_updated+0x1b8/0x4d0 [ 144.749020] ? __pfx_css_rstat_updated+0x10/0x10 [ 144.749748] ? lock_is_held_type+0x9e/0x120 [ 144.750419] ? perf_trace_run_bpf_submit+0xef/0x180 [ 144.751179] ? lock_is_held_type+0x9e/0x120 [ 144.751844] perf_trace_run_bpf_submit+0xef/0x180 [ 144.752589] perf_trace_preemptirq_template+0x259/0x430 [ 144.753396] ? __pfx_perf_trace_preemptirq_template+0x10/0x10 [ 144.754268] ? check_preempt_wakeup_fair+0x406/0x950 [ 144.755039] ? find_held_lock+0x2b/0x80 [ 144.755653] ? try_to_wake_up+0x8ae/0x11d0 [ 144.756318] ? _raw_spin_unlock_irqrestore+0x2c/0x50 [ 144.757098] trace_irq_enable.constprop.0+0xa6/0x100 [ 144.757865] trace_hardirqs_on+0x26/0x40 [ 144.758478] _raw_spin_unlock_irqrestore+0x2c/0x50 [ 144.759229] try_to_wake_up+0x8ae/0x11d0 [ 144.759861] ? __pfx_try_to_wake_up+0x10/0x10 [ 144.760554] ? plist_del+0x122/0x270 [ 144.761133] ? find_held_lock+0x2b/0x80 [ 144.761747] ? futex_wake+0x474/0x540 [ 144.762335] wake_up_q+0xa1/0x130 [ 144.762878] futex_wake+0x47e/0x540 [ 144.763443] ? __pfx_futex_wake+0x10/0x10 [ 144.764080] ? __do_sys_perf_event_open+0x44d/0x2c20 [ 144.764857] ? lock_release+0xc8/0x290 [ 144.765455] do_futex+0x26d/0x370 [ 144.765992] ? __pfx_do_futex+0x10/0x10 [ 144.766606] __x64_sys_futex+0x1c9/0x4d0 [ 144.767233] ? __pfx_perf_trace_preemptirq_template+0x10/0x10 [ 144.768106] ? __pfx___x64_sys_futex+0x10/0x10 [ 144.768812] ? 
xfd_validate_state+0x55/0x180 [ 144.769494] do_syscall_64+0xbf/0x360 [ 144.770076] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 144.770848] RIP: 0033:0x7f3007864b19 [ 144.771415] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 [ 144.774085] RSP: 002b:00007f3004dda218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 144.775204] RAX: ffffffffffffffda RBX: 00007f3007977f68 RCX: 00007f3007864b19 [ 144.776253] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f3007977f6c [ 144.777327] RBP: 00007f3007977f60 R08: 000000000000000e R09: 0000000000000000 [ 144.778381] R10: 0000000000000003 R11: 0000000000000246 R12: 00007f3007977f6c [ 144.779431] R13: 00007ffdd2fd8a8f R14: 00007f3004dda300 R15: 0000000000022000 [ 144.780508] [ 144.780873] Modules linked in: [ 144.781364] CR2: ffffed10222ab106 [ 144.781884] ---[ end trace 0000000000000000 ]--- [ 144.782584] RIP: 0010:perf_tp_event+0x175/0xe70 [ 144.783296] Code: ff df 48 89 85 a8 fd ff ff 48 c1 e8 03 4c 01 e0 48 89 85 c8 fd ff ff e8 c9 51 ea ff 48 8d bb f0 01 00 00 48 89 f8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 74 08 3c 03 0f 8e c5 0b 00 00 44 8b ab f0 01 [ 144.786037] RSP: 0018:ffff888043e2f780 EFLAGS: 00010016 [ 144.786861] RAX: 1ffff110222ab106 RBX: ffff888111558640 RCX: ffffc9000bc4b000 [ 144.787956] RDX: 0000000000040000 RSI: ffffffff8189a4e7 RDI: ffff888111558830 [ 144.789063] RBP: ffff888043e2f9f0 R08: ffff88806cf31340 R09: ffffe8ffffd169d8 [ 144.790159] R10: 0000000000000000 R11: 0000000000000001 R12: dffffc0000000000 [ 144.791255] R13: 0000000000000014 R14: ffff88806cf31340 R15: dffffc0000000000 [ 144.792372] FS: 00007f3004dda700(0000) GS:ffff8880e56d8000(0000) knlGS:0000000000000000 [ 144.793604] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 144.794502] CR2: ffffed10222ab106 CR3: 0000000007282000 CR4: 0000000000350ef0 [ 144.795602] note: syz-executor.5[4882] exited 
with irqs disabled [ 144.796691] BUG: unable to handle page fault for address: ffffed10222ab106 [ 144.797758] #PF: supervisor read access in kernel mode [ 144.798560] #PF: error_code(0x0000) - not-present page [ 144.799364] PGD 7ffd4067 P4D 7ffd4067 PUD 7ffd3067 PMD 0 [ 144.800233] Oops: Oops: 0000 [#2] SMP KASAN NOPTI [ 144.801011] CPU: 1 UID: 0 PID: 4882 Comm: syz-executor.5 Tainted: G D W 6.17.0-rc4-next-20250901 #1 PREEMPT(voluntary) [ 144.802841] Tainted: [D]=DIE, [W]=WARN [ 144.803435] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 [ 144.804709] RIP: 0010:perf_tp_event+0x175/0xe70 [ 144.805450] Code: ff df 48 89 85 a8 fd ff ff 48 c1 e8 03 4c 01 e0 48 89 85 c8 fd ff ff e8 c9 51 ea ff 48 8d bb f0 01 00 00 48 89 f8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 74 08 3c 03 0f 8e c5 0b 00 00 44 8b ab f0 01 [ 144.808223] RSP: 0018:ffff88806cf08b80 EFLAGS: 00010016 [ 144.809055] RAX: 1ffff110222ab106 RBX: ffff888111558640 RCX: 0000000000000002 [ 144.810151] RDX: ffff88800f6b8000 RSI: ffffffff8189a4e7 RDI: ffff888111558830 [ 144.811245] RBP: ffff88806cf08df0 R08: ffff88806cf313e8 R09: ffffe8ffffd169d8 [ 144.812352] R10: 0000000000000000 R11: 000000000002b145 R12: dffffc0000000000 [ 144.813438] R13: 0000000000000014 R14: ffff88806cf313e8 R15: dffffc0000000000 [ 144.814541] FS: 00007f3004dda700(0000) GS:ffff8880e56d8000(0000) knlGS:0000000000000000 [ 144.815776] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 144.816693] CR2: ffffed10222ab106 CR3: 0000000007282000 CR4: 0000000000350ef0 [ 144.817794] Call Trace: [ 144.818202] [ 144.818558] ? css_rstat_updated+0x1b8/0x4d0 [ 144.819256] ? __pfx_perf_tp_event+0x10/0x10 [ 144.819960] ? trace_pelt_se_tp+0xdf/0x130 [ 144.820640] ? __cgroup_account_cputime+0x31/0xc0 [ 144.821405] ? do_raw_spin_lock+0x123/0x260 [ 144.822091] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 144.822821] ? lock_acquire+0x18c/0x2f0 [ 144.823446] ? update_cfs_group+0x11d/0x260 [ 144.824120] ? lock_release+0x1c7/0x290 [ 144.824757] ? 
do_raw_spin_unlock+0x53/0x220 [ 144.825461] ? _raw_spin_unlock_irqrestore+0x22/0x50 [ 144.826260] ? try_to_wake_up+0x128/0x11d0 [ 144.826930] ? do_raw_spin_lock+0x123/0x260 [ 144.827666] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 144.828413] ? perf_trace_run_bpf_submit+0xef/0x180 [ 144.829198] perf_trace_run_bpf_submit+0xef/0x180 [ 144.829967] perf_trace_preemptirq_template+0x259/0x430 [ 144.830799] ? read_tsc+0x9/0x20 [ 144.831339] ? __pfx_perf_trace_preemptirq_template+0x10/0x10 [ 144.832240] ? clockevents_program_event+0x135/0x360 [ 144.833049] ? tick_program_event+0xac/0x140 [ 144.833744] ? handle_softirqs+0x16e/0x770 [ 144.834417] trace_irq_enable.constprop.0+0xa6/0x100 [ 144.835207] trace_hardirqs_on+0x26/0x40 [ 144.835838] handle_softirqs+0x16e/0x770 [ 144.836503] __irq_exit_rcu+0xc4/0x100 [ 144.837129] irq_exit_rcu+0x9/0x20 [ 144.837692] sysvec_apic_timer_interrupt+0x70/0x80 [ 144.838468] [ 144.838829] [ 144.839189] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 144.840003] RIP: 0010:make_task_dead+0xa2/0x3b0 [ 144.840742] Code: 38 00 85 db 0f 84 21 01 00 00 e8 09 a6 38 00 9c 5b 81 e3 00 02 00 00 31 ff 48 89 de e8 57 a1 38 00 48 85 db 0f 84 17 01 00 00 e9 a5 38 00 31 ff 65 8b 1d 60 2f 49 06 81 e3 ff ff ff 7f 89 de [ 144.843515] RSP: 0018:ffff888043e2ff28 EFLAGS: 00000246 [ 144.844342] RAX: 0000000000000001 RBX: ffff88800f6b8000 RCX: ffffffff817c3ab6 [ 144.845434] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff813b5234 [ 144.846523] RBP: 0000000000000009 R08: 0000000000000000 R09: 0000000000000000 [ 144.847612] R10: ffffffff8643b457 R11: 0000000000000001 R12: ffff88800f6b8000 [ 144.848715] R13: 0000000000000009 R14: ffff888043e2f760 R15: 0000000000000000 [ 144.849817] ? trace_irq_enable.constprop.0+0x26/0x100 [ 144.850628] ? make_task_dead+0x214/0x3b0 [ 144.851284] ? make_task_dead+0x214/0x3b0 [ 144.851934] ? 
do_syscall_64+0xbf/0x360 [ 144.852576] rewind_stack_and_make_dead+0x16/0x20 [ 144.853335] RIP: 0033:0x7f3007864b19 [ 144.853921] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 [ 144.856696] RSP: 002b:00007f3004dda218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 144.857859] RAX: ffffffffffffffda RBX: 00007f3007977f68 RCX: 00007f3007864b19 [ 144.858950] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f3007977f6c [ 144.860040] RBP: 00007f3007977f60 R08: 000000000000000e R09: 0000000000000000 [ 144.861144] R10: 0000000000000003 R11: 0000000000000246 R12: 00007f3007977f6c [ 144.862240] R13: 00007ffdd2fd8a8f R14: 00007f3004dda300 R15: 0000000000022000 [ 144.863342] [ 144.863711] Modules linked in: [ 144.864220] CR2: ffffed10222ab106 [ 144.864768] ---[ end trace 0000000000000000 ]--- [ 144.865494] RIP: 0010:perf_tp_event+0x175/0xe70 [ 144.866232] Code: ff df 48 89 85 a8 fd ff ff 48 c1 e8 03 4c 01 e0 48 89 85 c8 fd ff ff e8 c9 51 ea ff 48 8d bb f0 01 00 00 48 89 f8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 74 08 3c 03 0f 8e c5 0b 00 00 44 8b ab f0 01 [ 144.869013] RSP: 0018:ffff888043e2f780 EFLAGS: 00010016 [ 144.869837] RAX: 1ffff110222ab106 RBX: ffff888111558640 RCX: ffffc9000bc4b000 [ 144.870937] RDX: 0000000000040000 RSI: ffffffff8189a4e7 RDI: ffff888111558830 [ 144.872026] RBP: ffff888043e2f9f0 R08: ffff88806cf31340 R09: ffffe8ffffd169d8 [ 144.873132] R10: 0000000000000000 R11: 0000000000000001 R12: dffffc0000000000 [ 144.874222] R13: 0000000000000014 R14: ffff88806cf31340 R15: dffffc0000000000 [ 144.875324] FS: 00007f3004dda700(0000) GS:ffff8880e56d8000(0000) knlGS:0000000000000000 [ 144.876578] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 144.877482] CR2: ffffed10222ab106 CR3: 0000000007282000 CR4: 0000000000350ef0 [ 144.878586] Kernel panic - not syncing: Fatal exception in interrupt [ 144.879855] Kernel 
Offset: disabled [ 144.880432] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- VM DIAGNOSIS: 09:22:59 Registers: