Warning: Permanently added '[localhost]:46300' (ECDSA) to the list of known hosts.
2025/11/15 18:27:43 fuzzer started
2025/11/15 18:27:44 dialing manager at localhost:37161
syzkaller login: [   52.458226] cgroup: Unknown subsys name 'net'
[   52.560326] cgroup: Unknown subsys name 'cpuset'
[   52.576310] cgroup: Unknown subsys name 'rlimit'
2025/11/15 18:27:55 syscalls: 206
2025/11/15 18:27:55 code coverage: enabled
2025/11/15 18:27:55 comparison tracing: enabled
2025/11/15 18:27:55 extra coverage: enabled
2025/11/15 18:27:55 setuid sandbox: enabled
2025/11/15 18:27:55 namespace sandbox: enabled
2025/11/15 18:27:55 Android sandbox: enabled
2025/11/15 18:27:55 fault injection: enabled
2025/11/15 18:27:55 leak checking: enabled
2025/11/15 18:27:55 net packet injection: enabled
2025/11/15 18:27:55 net device setup: enabled
2025/11/15 18:27:55 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2025/11/15 18:27:55 devlink PCI setup: PCI device 0000:00:10.0 is not available
2025/11/15 18:27:55 USB emulation: enabled
2025/11/15 18:27:55 hci packet injection: enabled
2025/11/15 18:27:55 wifi device emulation: enabled
2025/11/15 18:27:55 802.15.4 emulation: enabled
2025/11/15 18:27:55 fetching corpus: 0, signal 0/0 (executing program)
2025/11/15 18:27:56 starting 8 fuzzer processes
18:27:56 executing program 0:
connect$unix(0xffffffffffffffff, &(0x7f0000000000)=@file={0x1}, 0x6e)
ioctl$AUTOFS_DEV_IOCTL_CLOSEMOUNT(0xffffffffffffffff, 0xc0189375, &(0x7f0000000080)={{0x1, 0x1, 0x18, <r0=>0xffffffffffffffff}, './file0\x00'})
syz_mount_image$ext4(&(0x7f00000000c0)='ext2\x00', &(0x7f0000000100)='./file0\x00', 0x7, 0x1, &(0x7f0000000240)=[{&(0x7f0000000140)="b6c27351a9f0947834d8cef0f9870b92347af17561696da1927f67c156406d630d5a2f728d90dd883eec8da0b5640f4f06b1e522c8930cfab3202f24a933dfb40a7d2d545259f8ae3b604a39dcedcefdce70cbe9dcc004430ac8c7c7196d3b7b34b99c5d977c75b67229730b777daafa2adbb01f35dbe68e9508c159859cd3b7b3fd23cb5b4642a036dca20a184f202503df5b27d8f95fdf56100f8a0deaeb0122251531c0d89947c283f06a95cbc5c6f75bad610a9bda9bf249dd85bf822212e674f7b7b0036c1365b10f83237b3c22aba34dbf8ab3adb39e769c15", 0xdc, 0x3}], 0x911004, &(0x7f0000000280)={[{@barrier}, {@acl}, {@i_version}, {@nodelalloc}, {@test_dummy_encryption}], [{@smackfsdef={'smackfsdef', 0x3d, '\x8f\''}}, {@euid_eq={'euid', 0x3d, 0xffffffffffffffff}}, {@func={'func', 0x3d, 'MMAP_CHECK'}}]})
setsockopt$inet_opts(r0, 0x0, 0x9, &(0x7f0000000300)="444918a7553be962cf7f51116ff2afd3525f453c585050a901bd9455635834a798e80814e4111373b29cbf61a4d607789752db05ce40cb4c9ae202e4826068e2d59a5ba98f45ac7bbb972980caae9b3144ba047c790c5f458fee7a4a09a9b4679a9b32f853d5caf1475b81c7bfcfccdb5309c0debe68a528b60e35df68f82e3706b295256f4210adc7a266b780b88918c313af33973ffef8b47e8c7e7566a7b02bb39ede36", 0xa5)
mmap$IORING_OFF_SQES(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x8, 0x10, r0, 0x10000000)
socketpair(0x10, 0x80000, 0x3, &(0x7f00000003c0)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
setsockopt$inet_msfilter(r1, 0x0, 0x29, &(0x7f0000000400)={@multicast2, @dev={0xac, 0x14, 0x14, 0x23}, 0x0, 0x5, [@broadcast, @multicast2, @multicast2, @rand_addr=0x64010102, @empty]}, 0x24)
r3 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl$sock_ifreq(r3, 0x8937, &(0x7f0000000480)={'ip6_vti0\x00', @ifru_data=&(0x7f0000000440)="a94df9d41334f962ae0caba354e94845a38e78c38707b5c71e729b89921b23ea"})
setsockopt$inet_opts(r2, 0x0, 0x0, &(0x7f00000004c0)="8b34e259b08a8eaa3a9a61c632247876231727b0682ccb0fdd9c30c5d3a575365e74d6ca4c433ced29f60702bb28fb37dafa2029c12143436906ac14aa9f3d81fcefcc7cfba695e61983f9742527108c44ed241f344cb7fb3f09a28215850c045034e20bf80af6a0ee36092a1a031d9b701d16209438ca225d0b4a75765e79b65a2585dd8c124233e7f7d320d2a32079634fce705ee7b31d54fb481b22a8392f566dc455e65adbf22c67b0049de93fb994516253c0c09e88c953828c856c4774f023808ed1ee7ab289e1d3db66ff72d794ec00a0d9956a8560c1a8a739b63b474534803400a787b1aa967844db9d6fc256905d9f1519ca871de866", 0xfb)
setsockopt$inet_pktinfo(r0, 0x0, 0x8, &(0x7f00000005c0)={0x0, @remote, @local}, 0xc)
r4 = openat$nvram(0xffffffffffffff9c, &(0x7f0000000600), 0x0, 0x0)
readlinkat(r4, &(0x7f0000000640)='./file0\x00', &(0x7f0000000680)=""/245, 0xf5)
sendmsg$BATADV_CMD_SET_VLAN(r0, &(0x7f0000000840)={&(0x7f0000000780), 0xc, &(0x7f0000000800)={&(0x7f00000007c0)={0x34, 0x0, 0x11, 0x70bd2b, 0x25dfdbff, {}, [@BATADV_ATTR_MULTICAST_FORCEFLOOD_ENABLED={0x5, 0x37, 0x1}, @BATADV_ATTR_NETWORK_CODING_ENABLED={0x5, 0x38, 0x1}, @BATADV_ATTR_THROUGHPUT_OVERRIDE={0x8, 0x3b, 0xccab}, @BATADV_ATTR_MULTICAST_FORCEFLOOD_ENABLED={0x5}]}, 0x34}, 0x1, 0x0, 0x0, 0x4005881}, 0x4000000)
mmap$IORING_OFF_SQ_RING(&(0x7f0000ffe000/0x2000)=nil, 0x2000, 0x2000000, 0x80010, r0, 0x0)
r5 = accept4(r1, &(0x7f0000000880)=@ll={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @link_local}, &(0x7f0000000900)=0x80, 0x80000)
setsockopt$inet_opts(r5, 0x0, 0x9, &(0x7f0000000940)="c3dfd6a04a7681720baaf3e97784f6dc5e2e9f14a20d56475077a94a8bc92857190797a474e4775fd2431dd5fb09c8765eef437ed697dfe784b6f6314249088210b7700952a3aed0d61200722992df9b6b9f594885f45f15295d5547c722c18ec91a25c53f097d713b81d6bb8b47eff4aef51559f328d0895baccc8afccee83d1f2f226cd028e2da4ec8043b8262fbe242de7ced9d6eeebe7b5ee36a34", 0x9d)
setsockopt$sock_void(r1, 0x1, 0x29, 0x0, 0x0)
mount$9p_fd(0x0, &(0x7f0000000a00)='./file0\x00', &(0x7f0000000a40), 0x40000, &(0x7f0000000a80)={'trans=fd,', {'rfdno', 0x3d, r4}, 0x2c, {'wfdno', 0x3d, r4}, 0x2c, {[{@msize={'msize', 0x3d, 0xcf}}, {@privport}, {@mmap}], [{@fscontext={'fscontext', 0x3d, 'staff_u'}}, {@rootcontext={'rootcontext', 0x3d, 'sysadm_u'}}, {@uid_gt}]}})
connect$unix(r4, &(0x7f0000000b40)=@abs={0x1, 0x0, 0x4e24}, 0x6e)

18:27:56 executing program 1:
ioctl$AUTOFS_DEV_IOCTL_CLOSEMOUNT(0xffffffffffffffff, 0xc0189375, &(0x7f00000000c0)={{0x1, 0x1, 0x18, <r0=>0xffffffffffffffff}, './file0\x00'})
sendmsg$BATADV_CMD_GET_NEIGHBORS(r0, &(0x7f00000001c0)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x40}, 0xc, &(0x7f0000000180)={&(0x7f0000000140)={0x24, 0x0, 0x2, 0x70bd29, 0x25dfdbfd, {}, [@BATADV_ATTR_BONDING_ENABLED={0x5, 0x2d, 0x1}, @BATADV_ATTR_GW_SEL_CLASS={0x8, 0x34, 0x4}]}, 0x24}, 0x1, 0x0, 0x0, 0x4000001}, 0x50)
sendmsg$ETHTOOL_MSG_COALESCE_GET(r0, &(0x7f0000000340)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x1}, 0xc, &(0x7f0000000300)={&(0x7f0000000240)={0x94, 0x0, 0x10, 0x70bd29, 0x25dfdbfe, {}, [@HEADER={0x80, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'vcan0\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'macvtap0\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'team_slave_1\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'dummy0\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'bridge_slave_1\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8}]}]}, 0x94}, 0x1, 0x0, 0x0, 0x40040}, 0x40014)
syz_mount_image$ext4(&(0x7f0000000380)='ext3\x00', &(0x7f00000003c0)='./file0\x00', 0xb778, 0x2, &(0x7f0000000500)=[{&(0x7f0000000400)="28a0178bfc6d0def790914c9c6ab88ea2802e755421232292a42c05a9086377a055f89815d48fcc40e3d3d5050d1569075f731af1148eab066e2784508cd3445ae5abaa7d9fc4c471b0cc26ad54e3b08af1cb6813b5102ad5e6e0835b4de14720913c79dd4d2e000cf839ef2bf281df96caf21280cda73c5124f2e97c1d37fa5072470bf97", 0x85, 0x8}, {&(0x7f00000004c0)="b831f7ad979ef42545cf190f8352f8f2b74d0ffc9775ac953fb5", 0x1a, 0x7}], 0x8446, &(0x7f0000000540)={[{@nobh}, {@init_itable_val={'init_itable', 0x3d, 0x6}}], [{@obj_type}, {@subj_type={'subj_type', 0x3d, 'bridge_slave_1\x00'}}, {@fsmagic={'fsmagic', 0x3d, 0x7}}, {@subj_user={'subj_user', 0x3d, '\xed&!'}}]})
write$char_usb(r0, &(0x7f00000005c0)="397ec5a31f", 0x5)
r1 = openat$nvram(0xffffffffffffff9c, &(0x7f0000000600), 0x0, 0x0)
clock_gettime(0x5, &(0x7f0000000640))
r2 = accept4(r0, &(0x7f0000000680)=@ax25={{0x3, @null}, [@netrom, @netrom, @null, @remote, @rose, @null, @remote, @netrom]}, &(0x7f0000000700)=0x80, 0x800)
getsockopt$inet_pktinfo(r0, 0x0, 0x8, &(0x7f0000000780)={<r3=>0x0, @initdev, @loopback}, &(0x7f00000007c0)=0xc)
ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r0, 0x8933, &(0x7f0000000800)={'batadv0\x00', <r4=>0x0})
getsockopt$inet_pktinfo(r0, 0x0, 0x8, &(0x7f0000001b40)={<r5=>0x0, @remote, @local}, &(0x7f0000001b80)=0xc)
ioctl$ifreq_SIOCGIFINDEX_team(r1, 0x8933, &(0x7f0000001bc0)={'team0\x00', <r6=>0x0})
getsockopt$inet_pktinfo(r1, 0x0, 0x8, &(0x7f0000001c40)={<r7=>0x0, @broadcast, @initdev}, &(0x7f0000001c80)=0xc)
sendmsg$ETHTOOL_MSG_LINKINFO_GET(r2, &(0x7f0000001ec0)={&(0x7f0000000740)={0x10, 0x0, 0x0, 0x200}, 0xc, &(0x7f0000001e80)={&(0x7f0000001cc0)={0x1b4, 0x0, 0x2, 0x70bd2b, 0x25dfdbfe, {}, [@HEADER={0x5c, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_INDEX={0x8}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_batadv\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r3}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_batadv\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r4}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x3}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r5}]}, @HEADER={0x30, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'vcan0\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x6}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}]}, @HEADER={0x4c, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_INDEX={0x8}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'ip6tnl0\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r6}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'macvlan0\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r7}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @HEADER={0x6c, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'team0\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_virt_wifi\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth0_vlan\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'ip6erspan0\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x5}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8}]}, @HEADER={0x1c, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_INDEX={0x8}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x3}]}, @HEADER={0x34, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x3}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'team_slave_0\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'bridge0\x00'}]}, @HEADER={0xc, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}]}]}, 0x1b4}, 0x1, 0x0, 0x0, 0x4000080}, 0x4008000)
ioctl$AUTOFS_DEV_IOCTL_CLOSEMOUNT(r0, 0xc0189375, &(0x7f0000001f00)={{0x1, 0x1, 0x18, <r8=>r2}, './file0/file0\x00'})
recvmsg(r8, &(0x7f0000002480)={&(0x7f0000001f40)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x80, &(0x7f0000002300)=[{&(0x7f0000001fc0)=""/56, 0x38}, {&(0x7f0000002000)=""/91, 0x5b}, {&(0x7f0000002080)=""/236, 0xec}, {&(0x7f0000002180)=""/65, 0x41}, {&(0x7f0000002200)=""/3, 0x3}, {&(0x7f0000002240)=""/153, 0x99}], 0x6, &(0x7f0000002380)=""/195, 0xc3}, 0x10140)
r9 = accept4(r0, 0x0, &(0x7f00000024c0), 0x81c00)
ioctl$sock_SIOCGIFBR(r9, 0x8940, &(0x7f0000002500)=@generic={0x3, 0x723, 0x78})
futex(&(0x7f0000002540)=0x1, 0xa, 0x2, &(0x7f0000002580)={0x0, 0x989680}, &(0x7f00000025c0)=0x1, 0x0)
read$char_usb(r0, &(0x7f0000002600)=""/144, 0x90)

18:27:56 executing program 5:
r0 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000040), 0xffffffffffffffff)
ioctl$ifreq_SIOCGIFINDEX_team(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'team0\x00', <r1=>0x0})
sendmsg$MPTCP_PM_CMD_GET_ADDR(0xffffffffffffffff, &(0x7f0000000180)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x70, r0, 0x10, 0x70bd2b, 0x25dfdbff, {}, [@MPTCP_PM_ATTR_ADDR={0x18, 0x1, 0x0, 0x1, [@MPTCP_PM_ADDR_ATTR_ADDR6={0x14, 0x4, @mcast1}]}, @MPTCP_PM_ATTR_SUBFLOWS={0x8}, @MPTCP_PM_ATTR_SUBFLOWS={0x8}, @MPTCP_PM_ATTR_RCV_ADD_ADDRS={0x8, 0x2, 0x5}, @MPTCP_PM_ATTR_ADDR={0x2c, 0x1, 0x0, 0x1, [@MPTCP_PM_ADDR_ATTR_IF_IDX={0x8, 0x7, r1}, @MPTCP_PM_ADDR_ATTR_PORT={0x6, 0x5, 0x4e21}, @MPTCP_PM_ADDR_ATTR_ADDR4={0x8, 0x3, @rand_addr=0x64010101}, @MPTCP_PM_ADDR_ATTR_ADDR4={0x8, 0x3, @multicast1}, @MPTCP_PM_ADDR_ATTR_FLAGS={0x8}]}]}, 0x70}, 0x1, 0x0, 0x0, 0xc04}, 0x48000)
ioctl$sock_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000200)={0x0, @tipc=@id={0x1e, 0x3, 0x2, {0x4e23}}, @hci={0x1f, 0x3, 0x4}, @generic={0x45, "3b498d73958a9e86bb66a76c0831"}, 0x6, 0x0, 0x0, 0x0, 0x6, &(0x7f00000001c0)='veth1\x00', 0x2, 0x4, 0x1})
sendmsg$BATADV_CMD_GET_GATEWAYS(0xffffffffffffffff, &(0x7f0000000380)={&(0x7f0000000280)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000340)={&(0x7f00000002c0)={0x5c, 0x0, 0xc00, 0x70bd26, 0x25dfdbff, {}, [@BATADV_ATTR_AP_ISOLATION_ENABLED={0x5}, @BATADV_ATTR_HOP_PENALTY={0x5, 0x35, 0x6}, @BATADV_ATTR_TPMETER_TEST_TIME={0x8, 0xb, 0x6}, @BATADV_ATTR_HARD_IFINDEX={0x8}, @BATADV_ATTR_HOP_PENALTY={0x5, 0x35, 0x9f}, @BATADV_ATTR_GW_MODE={0x5, 0x33, 0x1}, @BATADV_ATTR_ORIG_INTERVAL={0x8, 0x39, 0x1000}, @BATADV_ATTR_GW_SEL_CLASS={0x8, 0x34, 0x200}, @BATADV_ATTR_AP_ISOLATION_ENABLED={0x5}]}, 0x5c}, 0x1, 0x0, 0x0, 0x10000c00}, 0x48040)
sendmsg$SEG6_CMD_SETHMAC(0xffffffffffffffff, &(0x7f0000000480)={&(0x7f00000003c0)={0x10, 0x0, 0x0, 0x80800000}, 0xc, &(0x7f0000000440)={&(0x7f0000000400)={0x24, 0x0, 0x20, 0x70bd26, 0x25dfdbfc, {}, [@SEG6_ATTR_SECRETLEN={0x5, 0x5, 0x1}, @SEG6_ATTR_DSTLEN={0x8, 0x2, 0x71}]}, 0x24}, 0x1, 0x0, 0x0, 0x2000c800}, 0x800)
ioctl$sock_ipv4_tunnel_SIOCDELTUNNEL(0xffffffffffffffff, 0x89f2, &(0x7f0000000540)={'tunl0\x00', &(0x7f00000004c0)={'erspan0\x00', r1, 0x20, 0x8, 0xffffffff, 0xa125, {{0x11, 0x4, 0x0, 0x7, 0x44, 0x66, 0x0, 0xca, 0x2f, 0x0, @remote, @broadcast, {[@cipso={0x86, 0xa, 0x3, [{0x2, 0x4, "865b"}]}, @noop, @end, @generic={0x44, 0xd, "d2b5f064d261db56e09c1c"}, @timestamp_addr={0x44, 0x14, 0x25, 0x1, 0x5, [{@initdev={0xac, 0x1e, 0x1, 0x0}, 0x9}, {@private=0xa010102, 0x1}]}]}}}}})
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
setsockopt$sock_void(r2, 0x1, 0x24, 0x0, 0x0)
r3 = accept4$inet(0xffffffffffffffff, &(0x7f0000000580)={0x2, 0x0, @dev}, &(0x7f00000005c0)=0x10, 0x1000)
setsockopt$IP_VS_SO_SET_ZERO(r3, 0x0, 0x48f, &(0x7f0000000600)={0x31, @initdev={0xac, 0x1e, 0x0, 0x0}, 0x4e22, 0x1, 'rr\x00', 0xe, 0x797ff074, 0x1}, 0x2c)
socketpair(0x10, 0x3, 0x2, &(0x7f0000000640)={<r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff})
ioctl$ifreq_SIOCGIFINDEX_vcan(r4, 0x8933, &(0x7f0000000680)={'vcan0\x00'})
ioctl$AUTOFS_DEV_IOCTL_CLOSEMOUNT(0xffffffffffffffff, 0xc0189375, &(0x7f00000006c0)={{0x1, 0x1, 0x18, <r6=>r3}, './file0\x00'})
timerfd_settime(r6, 0x0, &(0x7f0000000700)={{0x77359400}, {0x0, 0x989680}}, &(0x7f0000000740))
r7 = syz_genetlink_get_family_id$batadv(&(0x7f00000007c0), r6)
sendmsg$BATADV_CMD_TP_METER(r5, &(0x7f0000000880)={&(0x7f0000000780)={0x10, 0x0, 0x0, 0x2}, 0xc, &(0x7f0000000840)={&(0x7f0000000800)={0x1c, r7, 0x200, 0x70bd29, 0x25dfdbfb, {}, [@BATADV_ATTR_MULTICAST_FANOUT={0x8, 0x3c, 0x7}]}, 0x1c}, 0x1, 0x0, 0x0, 0xea41488dc4381a42}, 0x4000000)
getsockopt$IPT_SO_GET_ENTRIES(r4, 0x0, 0x41, &(0x7f00000008c0)={'mangle\x00', 0x7d, "dcfdfaa571471d2bbe617de2dd9d1cd0160fe3ad4b812b9f9374a812cf0f8c1b2f06b4d605af0f44da884a9d696228471da003ba5a13602dcae59328eca8491c8274db9e3312f5f11735e0190a178c2f15c8ebe04084a989a470e6438acc61c5fdae1f0cab23d61f2b3ec7f9accb6c3adf9fd9c77e628475a130ee3818"}, &(0x7f0000000980)=0xa1)
r8 = syz_genetlink_get_family_id$tipc(&(0x7f0000000a00), r4)
sendmsg$TIPC_CMD_DISABLE_BEARER(r5, &(0x7f0000000ac0)={&(0x7f00000009c0)={0x10, 0x0, 0x0, 0x10000}, 0xc, &(0x7f0000000a80)={&(0x7f0000000a40)={0x34, r8, 0x300, 0x70bd2c, 0x25dfdbff, {{}, {}, {0x18, 0x13, @l2={'eth', 0x3a, 'veth1_virt_wifi\x00'}}}, ["", "", "", ""]}, 0x34}, 0x1, 0x0, 0x0, 0x4008040}, 0x1)

[   63.327208] audit: type=1400 audit(1763231276.210:7): avc:  denied  { execmem } for  pid=273 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
18:27:56 executing program 7:
ioctl$sock_ifreq(0xffffffffffffffff, 0xa8, &(0x7f0000000000)={'ipvlan0\x00', @ifru_hwaddr=@link_local})
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$BATADV_CMD_GET_TRANSTABLE_GLOBAL(r0, &(0x7f0000000100)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f00000000c0)={&(0x7f0000000080)={0x2c, 0x0, 0x200, 0x70bd28, 0x25dfdbff, {}, [@BATADV_ATTR_ORIG_INTERVAL={0x8, 0x39, 0x7}, @BATADV_ATTR_MULTICAST_FORCEFLOOD_ENABLED={0x5}, @BATADV_ATTR_ISOLATION_MARK={0x8, 0x2b, 0x6}]}, 0x2c}, 0x1, 0x0, 0x0, 0x8000}, 0x1)
r1 = syz_genetlink_get_family_id$batadv(&(0x7f0000000180), r0)
sendmsg$BATADV_CMD_GET_NEIGHBORS(r0, &(0x7f0000000240)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x40}, 0xc, &(0x7f0000000200)={&(0x7f00000001c0)={0x34, r1, 0x100, 0x70bd2a, 0x25dfdbfd, {}, [@BATADV_ATTR_MULTICAST_FORCEFLOOD_ENABLED={0x5, 0x37, 0x1}, @BATADV_ATTR_NETWORK_CODING_ENABLED={0x5}, @BATADV_ATTR_AGGREGATED_OGMS_ENABLED={0x5, 0x29, 0x1}, @BATADV_ATTR_GW_MODE={0x5, 0x33, 0x1}]}, 0x34}, 0x1, 0x0, 0x0, 0x1}, 0x20000000)
ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f00000002c0)={'team0\x00', <r2=>0x0})
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r0, 0x8933, &(0x7f0000000300)={'batadv_slave_0\x00', <r3=>0x0})
ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000000340)={'team0\x00', <r4=>0x0})
sendmsg$TEAM_CMD_OPTIONS_GET(r0, &(0x7f0000000600)={&(0x7f0000000280)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f00000005c0)={&(0x7f0000000380)={0x228, 0x0, 0x200, 0x4, 0x25dfdbfb, {}, [{{0x8, 0x1, r2}, {0x20c, 0x2, 0x0, 0x1, [{0x3c, 0x1, @user_linkup_enabled={{{0x24}, {0x5}, {0x4}}, {0x8, 0x6, r3}}}, {0x38, 0x1, @mcast_rejoin_interval={{0x24}, {0x5}, {0x8, 0x4, 0x7ff}}}, {0x38, 0x1, @notify_peers_interval={{0x24}, {0x5}, {0x8, 0x4, 0x5}}}, {0x74, 0x1, @bpf_hash_func={{0x24}, {0x5}, {0x44, 0x4, [{0x1, 0x1, 0x1, 0x6}, {0x3f, 0x1, 0x3f, 0x6}, {0x3f, 0x4, 0x0, 0x119}, {0x7, 0x7, 0x8, 0xe09}, {0x81, 0x7f, 0xb5, 0x871d}, {0x6aed, 0x6, 0x1, 0x2}, {0xb5, 0x40, 0x1, 0x7}, {0x40, 0x6, 0x7, 0x89}]}}}, {0x38, 0x1, @lb_stats_refresh_interval={{0x24}, {0x5}, {0x8, 0x4, 0x9}}}, {0x3c, 0x1, @enabled={{{0x24}, {0x5}, {0x4}}, {0x8, 0x6, r4}}}, {0x38, 0x1, @activeport={{0x24}, {0x5}, {0x8}}}, {0x3c, 0x1, @lb_tx_method={{0x24}, {0x5}, {0x9, 0x4, 'hash\x00'}}}]}}]}, 0x228}, 0x1, 0x0, 0x0, 0x20000800}, 0x40000)
ioctl$sock_SIOCSIFVLAN_GET_VLAN_VID_CMD(r0, 0x8983, &(0x7f0000000640))
r5 = syz_genetlink_get_family_id$SEG6(&(0x7f00000006c0), r0)
sendmsg$SEG6_CMD_GET_TUNSRC(r0, &(0x7f0000000780)={&(0x7f0000000680)={0x10, 0x0, 0x0, 0x1}, 0xc, &(0x7f0000000740)={&(0x7f0000000700)={0x28, r5, 0x400, 0x70bd26, 0x25dfdbfd, {}, [@SEG6_ATTR_SECRET={0xc, 0x4, [0x3, 0x7f]}, @SEG6_ATTR_ALGID={0x5, 0x6, 0x8}]}, 0x28}, 0x1, 0x0, 0x0, 0xc0}, 0x8000)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000800)={'vxcan0\x00', <r6=>0x0})
ioctl$sock_ipv4_tunnel_SIOCDELTUNNEL(0xffffffffffffffff, 0x89f2, &(0x7f0000000940)={'syztnl0\x00', &(0x7f0000000840)={'ip_vti0\x00', r6, 0x20, 0x80, 0x80000001, 0x8, {{0x38, 0x4, 0x3, 0x1b, 0xe0, 0x64, 0x0, 0x7, 0x4, 0x0, @private=0xa010101, @remote, {[@ssrr={0x89, 0x17, 0xd5, [@initdev={0xac, 0x1e, 0x0, 0x0}, @dev={0xac, 0x14, 0x14, 0x16}, @multicast1, @loopback, @local]}, @ssrr={0x89, 0x13, 0x9c, [@remote, @loopback, @local, @initdev={0xac, 0x1e, 0x1, 0x0}]}, @timestamp_prespec={0x44, 0x2c, 0xf2, 0x3, 0x0, [{@dev={0xac, 0x14, 0x14, 0x21}, 0x8}, {@initdev={0xac, 0x1e, 0x1, 0x0}, 0x7fff}, {@rand_addr=0x64010101, 0xfffffffe}, {@remote, 0x1}, {@remote, 0x2}]}, @timestamp_prespec={0x44, 0x34, 0x90, 0x3, 0x8, [{@local, 0x9}, {@rand_addr=0x64010100, 0x9ae3}, {@multicast2, 0x1}, {@multicast1, 0x400}, {@initdev={0xac, 0x1e, 0x1, 0x0}, 0x8}, {@private=0xa010102, 0xfc}]}, @timestamp_prespec={0x44, 0x24, 0x9b, 0x3, 0x7, [{@loopback, 0xfffffff7}, {@private=0xa010101, 0x7}, {@multicast1, 0x7}, {@private=0xa010101, 0x4}]}, @timestamp_addr={0x44, 0x1c, 0x66, 0x1, 0x9, [{@private=0xa010102, 0x3}, {@empty, 0x7}, {@multicast1, 0x3ff}]}]}}}}})
r7 = fsmount(0xffffffffffffffff, 0x0, 0x1fb)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000980), r7)
pipe2$9p(&(0x7f00000009c0), 0x80800)
io_uring_setup(0x20dc, &(0x7f0000000a00)={0x0, 0x6b7a, 0x0, 0x1, 0x208, 0x0, r7})
pipe2(&(0x7f0000000a80)={<r8=>0xffffffffffffffff}, 0x0)
mmap$IORING_OFF_SQES(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x4000000, 0x80010, r8, 0x10000000)

18:27:56 executing program 2:
socketpair(0x2a, 0xa, 0x2, &(0x7f0000000000)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = syz_genetlink_get_family_id$batadv(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$BATADV_CMD_GET_BLA_CLAIM(r1, &(0x7f0000000140)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x400}, 0xc, &(0x7f0000000100)={&(0x7f00000000c0)={0x2c, r2, 0x1, 0x70bd2c, 0x25dfdbfd, {}, [@BATADV_ATTR_VLANID={0x6, 0x28, 0x1}, @BATADV_ATTR_HOP_PENALTY={0x5, 0x35, 0x6}, @BATADV_ATTR_BONDING_ENABLED={0x5, 0x2d, 0x1}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000080}, 0x0)
r3 = accept4(0xffffffffffffffff, 0x0, &(0x7f0000000240), 0x80800)
sendmsg$ETHTOOL_MSG_COALESCE_GET(r3, &(0x7f0000000340)={&(0x7f0000000280)={0x10, 0x0, 0x0, 0x2}, 0xc, &(0x7f0000000300)={&(0x7f00000002c0)={0x30, 0x0, 0x4, 0x70bd29, 0x25dfdbfc, {}, [@HEADER={0x1c, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_FLAGS={0x8}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}]}]}, 0x30}, 0x1, 0x0, 0x0, 0x40000}, 0x40000)
r4 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000380), r0)
getsockname(r0, &(0x7f00000003c0)=@alg, &(0x7f0000000440)=0x80)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000480)={'vlan1\x00', {0x2, 0x0, @initdev}})
sendmsg$NL80211_CMD_START_SCHED_SCAN(r0, &(0x7f00000005c0)={&(0x7f00000004c0)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000580)={&(0x7f0000000500)={0x7c, r4, 0x1, 0x70bd2d, 0x25dfdbfe, {{}, {@void, @void}}, [@NL80211_ATTR_SCAN_FLAGS={0x8, 0x9e, 0x800}, @NL80211_ATTR_BG_SCAN_PERIOD={0x6, 0x98, 0x9}, @NL80211_ATTR_SCAN_FREQUENCIES={0x2c, 0x2c, 0x0, 0x1, [{0x8, 0x0, 0x6}, {0x8, 0x0, 0x20}, {0x8, 0x0, 0x6}, {0x8, 0x0, 0x200}, {0x8, 0x0, 0x10001}]}, @NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST={0x6, 0xf7, {0x5, 0x7f}}, @NL80211_ATTR_SCAN_FREQUENCIES={0xc, 0x2c, 0x0, 0x1, [{0x8, 0x0, 0x2}]}, @NL80211_ATTR_TX_NO_CCK_RATE={0x4}, @NL80211_ATTR_TX_NO_CCK_RATE={0x4}, @NL80211_ATTR_SCHED_SCAN_MULTI={0x4}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}]}, 0x7c}, 0x1, 0x0, 0x0, 0x40800}, 0x40000000)
r5 = accept4(r0, 0x0, &(0x7f0000000600), 0x80800)
sendmsg$BATADV_CMD_SET_MESH(r5, &(0x7f0000000700)={&(0x7f0000000640)={0x10, 0x0, 0x0, 0x2}, 0xc, &(0x7f00000006c0)={&(0x7f0000000680)={0x30, r2, 0x10, 0x70bd2a, 0x25dfdbfd, {}, [@BATADV_ATTR_ISOLATION_MARK={0x8, 0x2b, 0x9}, @BATADV_ATTR_ORIG_ADDRESS={0xa, 0x9, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x3}}, @BATADV_ATTR_GW_MODE={0x5}]}, 0x30}, 0x1, 0x0, 0x0, 0x20000000}, 0x40044)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000780)={'wlan1\x00', <r6=>0x0})
sendmsg$NL80211_CMD_LEAVE_OCB(0xffffffffffffffff, &(0x7f0000000840)={&(0x7f0000000740)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000800)={&(0x7f00000007c0)={0x28, r4, 0x8, 0x70bd27, 0x25dfdbfc, {{}, {@val={0x8, 0x3, r6}, @val={0xc, 0x99, {0x9, 0x7}}}}, ["", "", "", "", "", "", "", ""]}, 0x28}, 0x1, 0x0, 0x0, 0x44000}, 0x800)
r7 = accept4(0xffffffffffffffff, 0x0, &(0x7f00000008c0), 0x800)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000880), r7)
r8 = openat$nvram(0xffffffffffffff9c, &(0x7f0000000900), 0x800, 0x0)
ioctl$sock_inet_SIOCSIFBRDADDR(r8, 0x891a, &(0x7f0000000940)={'wg1\x00', {0x2, 0x0, @multicast1}})
setsockopt$inet_mtu(r1, 0x0, 0xa, &(0x7f0000000980)=0x4, 0x4)
r9 = syz_genetlink_get_family_id$batadv(&(0x7f0000000a00), r8)
sendmsg$BATADV_CMD_GET_ORIGINATORS(r8, &(0x7f0000000ac0)={&(0x7f00000009c0)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000a80)={&(0x7f0000000a40)={0x2c, r9, 0x4, 0x70bd2a, 0x25dfdbfd, {}, [@BATADV_ATTR_FRAGMENTATION_ENABLED={0x5, 0x30, 0x1}, @BATADV_ATTR_ORIG_INTERVAL={0x8, 0x39, 0xe20831fe}, @BATADV_ATTR_GW_BANDWIDTH_UP={0x8, 0x32, 0x4}]}, 0x2c}, 0x1, 0x0, 0x0, 0x40001}, 0x811)

18:27:56 executing program 6:
r0 = syz_io_uring_setup(0x1ace, &(0x7f0000000000)={0x0, 0x5523, 0x10, 0x1, 0x14d}, &(0x7f0000ff5000/0x9000)=nil, &(0x7f0000ffa000/0x3000)=nil, &(0x7f0000000080)=<r1=>0x0, &(0x7f00000000c0))
r2 = syz_io_uring_setup(0x3aa2, &(0x7f0000000100)={0x0, 0x7971, 0x2, 0x2, 0x1eb, 0x0, r0}, &(0x7f0000ffb000/0x2000)=nil, &(0x7f0000ff5000/0x4000)=nil, &(0x7f0000000180), &(0x7f00000001c0))
recvmsg(0xffffffffffffffff, &(0x7f00000013c0)={0x0, 0x0, &(0x7f0000001380)=[{&(0x7f0000000200)=""/56, 0x38}, {&(0x7f0000000240)=""/4096, 0x1000}, {&(0x7f0000001240)=""/92, 0x5c}, {&(0x7f00000012c0)=""/141, 0x8d}], 0x4}, 0x2100)
getsockname(0xffffffffffffffff, &(0x7f0000001400)=@ethernet={0x0, @random}, &(0x7f0000001480)=0x80)
r3 = mmap$IORING_OFF_SQES(&(0x7f0000ff6000/0x2000)=nil, 0x2000, 0x2000015, 0x1010, r2, 0x10000000)
syz_io_uring_submit(r1, r3, &(0x7f0000001500)=@IORING_OP_TIMEOUT={0xb, 0x2, 0x0, 0x0, 0x3, &(0x7f00000014c0)={0x0, 0x989680}}, 0x1)
mmap$IORING_OFF_SQES(&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x2000005, 0x4010, r2, 0x10000000)
mmap$IORING_OFF_SQES(&(0x7f0000ffb000/0x2000)=nil, 0x2000, 0x1000000, 0x10, r0, 0x10000000)
sendmsg$NL80211_CMD_DEL_MPATH(0xffffffffffffffff, &(0x7f0000001640)={&(0x7f0000001540)={0x10, 0x0, 0x0, 0x40}, 0xc, &(0x7f0000001600)={&(0x7f0000001580)={0x64, 0x0, 0x4, 0x70bd25, 0x25dfdbfe, {{}, {@val={0x8}, @val={0xc, 0x99, {0x4, 0x7}}}}, [@NL80211_ATTR_MAC={0xa, 0x6, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @device_b}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @device_b}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}]}, 0x64}, 0x1, 0x0, 0x0, 0x44050}, 0x4)
r4 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000001680), 0x800, 0x0)
ioctl$SNAPSHOT_FREE(r4, 0x3305)
r5 = socket$inet_udplite(0x2, 0x2, 0x88)
getsockname(r5, &(0x7f00000016c0)=@generic, &(0x7f0000001740)=0x80)
getsockopt$IPT_SO_GET_ENTRIES(r5, 0x0, 0x41, &(0x7f0000001780)={'mangle\x00', 0x36, "52d06f87883d809a0ca4afea39c0f91b0d18c61e2e120e0e08c95b46878e0cc631c0465022abf0c98a0e765a2c846145cd5e5b367038"}, &(0x7f0000001800)=0x5a)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000001840))
setsockopt$inet_opts(r5, 0x0, 0x4, &(0x7f0000001880)="c9d1b9f3fe492307749089421a97c5e6c89ff360ab63de", 0x17)
sendmsg$BATADV_CMD_GET_ORIGINATORS(0xffffffffffffffff, &(0x7f0000001980)={&(0x7f00000018c0)={0x10, 0x0, 0x0, 0x20004000}, 0xc, &(0x7f0000001940)={&(0x7f0000001900)={0x34, 0x0, 0x800, 0x70bd27, 0x25dfdbfd, {}, [@BATADV_ATTR_GW_BANDWIDTH_UP={0x8, 0x32, 0x5}, @BATADV_ATTR_ELP_INTERVAL={0x8, 0x3a, 0x6}, @BATADV_ATTR_ORIG_INTERVAL={0x8, 0x39, 0x200}, @BATADV_ATTR_HOP_PENALTY={0x5, 0x35, 0x20}]}, 0x34}}, 0x0)
mmap$IORING_OFF_SQ_RING(&(0x7f0000ff7000/0x3000)=nil, 0x3000, 0x1000004, 0x2010, r0, 0x0)
r6 = syz_genetlink_get_family_id$batadv(&(0x7f0000001a00), 0xffffffffffffffff)
sendmsg$BATADV_CMD_GET_HARDIF(0xffffffffffffffff, &(0x7f0000001ac0)={&(0x7f00000019c0)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f0000001a80)={&(0x7f0000001a40)={0x2c, r6, 0x400, 0x70bd27, 0x25dfdbff, {}, [@BATADV_ATTR_MESH_IFINDEX={0x8}, @BATADV_ATTR_BONDING_ENABLED={0x5, 0x2d, 0x1}, @BATADV_ATTR_GW_MODE={0x5, 0x33, 0x1}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4048010}, 0x20000011)

18:27:56 executing program 3:
sendmsg$BATADV_CMD_GET_BLA_CLAIM(0xffffffffffffffff, &(0x7f00000000c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x2}, 0xc, &(0x7f0000000080)={&(0x7f0000000040)={0x3c, 0x0, 0x400, 0x70bd27, 0x25dfdbfb, {}, [@BATADV_ATTR_ISOLATION_MASK={0x8, 0x2c, 0x7fff}, @BATADV_ATTR_AP_ISOLATION_ENABLED={0x5}, @BATADV_ATTR_THROUGHPUT_OVERRIDE={0x8, 0x3b, 0x2}, @BATADV_ATTR_TPMETER_TEST_TIME={0x8, 0xb, 0x401}, @BATADV_ATTR_MULTICAST_FANOUT={0x8, 0x3c, 0x101}]}, 0x3c}, 0x1, 0x0, 0x0, 0x20000008}, 0x20000000)
sendmsg$NLBL_CIPSOV4_C_LISTALL(0xffffffffffffffff, &(0x7f0000000400)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x40000000}, 0xc, &(0x7f00000003c0)={&(0x7f0000000140)={0x25c, 0x0, 0x2, 0x70bd25, 0x25dfdbfb, {}, [@NLBL_CIPSOV4_A_MLSCATLST={0xd0, 0xc, 0x0, 0x1, [{0x4c, 0xb, 0x0, 0x1, [@NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0xb462}, @NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0x6c7b}, @NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0x67c7}, @NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0x58da}, @NLBL_CIPSOV4_A_MLSCATLOC={0x8, 0x9, 0x2f4a2818}, @NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0x31ff}, @NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0xef2d}, @NLBL_CIPSOV4_A_MLSCATLOC={0x8, 0x9, 0x1b93b0ea}, @NLBL_CIPSOV4_A_MLSCATLOC={0x8, 0x9, 0x7411a53a}]}, {0x3c, 0xb, 0x0, 0x1, [@NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0x7084}, @NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0x3f80000}, @NLBL_CIPSOV4_A_MLSCATLOC={0x8, 0x9, 0x16094ec4}, @NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0xe2d6}, @NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0x45db}, @NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0x2be2}, @NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0xc8d0}]}, {0x44, 0xb, 0x0, 0x1, [@NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0xb3e6}, @NLBL_CIPSOV4_A_MLSCATLOC={0x8, 0x9, 0x755b5cf1}, @NLBL_CIPSOV4_A_MLSCATLOC={0x8, 0x9, 0x5595f917}, @NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0xbe20}, @NLBL_CIPSOV4_A_MLSCATLOC={0x8, 0x9, 0x59061f1d}, @NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0xf000}, @NLBL_CIPSOV4_A_MLSCATLOC={0x8, 0x9, 0x2c03b71d}, @NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0x470e}]}]}, @NLBL_CIPSOV4_A_TAGLST={0x34, 0x4, 0x0, 0x1, [{0x5, 0x3, 0x5}, {0x5, 0x3, 0x1}, {0x5, 0x3, 0x2}, {0x5, 0x3, 0x1}, {0x5, 0x3, 0x2}, {0x5, 0x3, 0x5}]}, @NLBL_CIPSOV4_A_MLSCATLST={0x6c, 0xc, 0x0, 0x1, [{0x14, 0xb, 0x0, 0x1, [@NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0xbb8e}, @NLBL_CIPSOV4_A_MLSCATLOC={0x8, 0x9, 0x656ccead}]}, {0xc, 0xb, 0x0, 0x1, [@NLBL_CIPSOV4_A_MLSCATLOC={0x8, 0x9, 0x5dd876ca}]}, {0x2c, 0xb, 0x0, 0x1, [@NLBL_CIPSOV4_A_MLSCATLOC={0x8, 0x9, 0x7fd26341}, @NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0xcae4}, @NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0x35e8}, @NLBL_CIPSOV4_A_MLSCATLOC={0x8, 0x9, 0x1e33173}, @NLBL_CIPSOV4_A_MLSCATLOC={0x8, 0x9, 0x1d73df03}]}, {0x1c, 0xb, 0x0, 0x1, [@NLBL_CIPSOV4_A_MLSCATLOC={0x8, 0x9, 0xc62a88f}, @NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0x6990}, @NLBL_CIPSOV4_A_MLSCATLOC={0x8, 0x9, 0x6de521de}]}]}, @NLBL_CIPSOV4_A_MLSCATLST={0x58, 0xc, 0x0, 0x1, [{0x2c, 0xb, 0x0, 0x1, [@NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0xc9a6}, @NLBL_CIPSOV4_A_MLSCATLOC={0x8, 0x9, 0xee51ad2}, @NLBL_CIPSOV4_A_MLSCATLOC={0x8, 0x9, 0x3337802a}, @NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0x74f1}, @NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0xeb60}]}, {0x14, 0xb, 0x0, 0x1, [@NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0x8d91}, @NLBL_CIPSOV4_A_MLSCATREM={0x8, 0xa, 0x4fd1}]}, {0x14, 0xb, 0x0, 0x1, [@NLBL_CIPSOV4_A_MLSCATLOC={0x8, 0x9, 0xa1a585b}, @NLBL_CIPSOV4_A_MLSCATLOC={0x8, 0x9, 0x60a8f0c0}]}]}, @NLBL_CIPSOV4_A_MLSLVLLST={0x6c, 0x8, 0x0, 0x1, [{0xc, 0x7, 0x0, 0x1, [@NLBL_CIPSOV4_A_MLSLVLREM={0x8, 0x6, 0xf1}]}, {0xc, 0x7, 0x0, 0x1, [@NLBL_CIPSOV4_A_MLSLVLREM={0x8, 0x6, 0x60}]}, {0x1c, 0x7, 0x0, 0x1, [@NLBL_CIPSOV4_A_MLSLVLLOC={0x8, 0x5, 0x36a298e9}, @NLBL_CIPSOV4_A_MLSLVLLOC={0x8, 0x5, 0x659080ba}, @NLBL_CIPSOV4_A_MLSLVLREM={0x8, 0x6, 0xab}]}, {0xc, 0x7, 0x0, 0x1, [@NLBL_CIPSOV4_A_MLSLVLREM={0x8, 0x6, 0xed}]}, {0xc, 0x7, 0x0, 0x1, [@NLBL_CIPSOV4_A_MLSLVLLOC={0x8, 0x5, 0xfe120d9}]}, {0x1c, 0x7, 0x0, 0x1, [@NLBL_CIPSOV4_A_MLSLVLREM={0x8, 0x6, 0x74}, @NLBL_CIPSOV4_A_MLSLVLLOC={0x8, 0x5, 0x10ba0583}, @NLBL_CIPSOV4_A_MLSLVLREM={0x8, 0x6, 0xf8}]}]}, @NLBL_CIPSOV4_A_TAGLST={0x14, 0x4, 0x0, 0x1, [{0x5, 0x3, 0x5}, {0x5}]}]}, 0x25c}, 0x1, 0x0, 0x0, 0x800}, 0x4041)
sendmsg$BATADV_CMD_GET_ROUTING_ALGOS(0xffffffffffffffff, &(0x7f0000000500)={&(0x7f0000000440), 0xc, &(0x7f00000004c0)={&(0x7f0000000480)={0x3c, 0x0, 0x2, 0x70bd25, 0x25dfdbfe, {}, [@BATADV_ATTR_ORIG_INTERVAL={0x8, 0x39, 0x20}, @BATADV_ATTR_ISOLATION_MARK={0x8}, @BATADV_ATTR_GW_BANDWIDTH_UP={0x8, 0x32, 0x7ff}, @BATADV_ATTR_TPMETER_TEST_TIME={0x8, 0xb, 0x8001}, @BATADV_ATTR_BONDING_ENABLED={0x5, 0x2d, 0x1}]}, 0x3c}, 0x1, 0x0, 0x0, 0x80}, 0x4048800)
sendmsg$GTP_CMD_GETPDP(0xffffffffffffffff, &(0x7f0000000600)={&(0x7f0000000540)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f00000005c0)={&(0x7f0000000580)={0x1c, 0x0, 0x2, 0x70bd26, 0x25dfdbfe, {}, [@GTPA_LINK={0x8}]}, 0x1c}, 0x1, 0x0, 0x0, 0x4004000}, 0x4004000)
ioctl$sock_SIOCSPGRP(0xffffffffffffffff, 0x8902, &(0x7f0000000640)=0xffffffffffffffff)
r0 = accept4(0xffffffffffffffff, 0x0, &(0x7f00000006c0), 0x0)
syz_genetlink_get_family_id$mptcp(&(0x7f0000000680), r0)
getsockopt$IP_VS_SO_GET_DESTS(r0, 0x0, 0x484, &(0x7f0000000700)=""/82, &(0x7f0000000780)=0x52)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
accept$inet(r1, 0x0, &(0x7f0000000880))
r2 = syz_genetlink_get_family_id$batadv(&(0x7f0000000900), r0)
sendmsg$BATADV_CMD_GET_HARDIF(r0, &(0x7f00000009c0)={&(0x7f00000008c0)={0x10, 0x0, 0x0, 0x800}, 0xc, &(0x7f0000000980)={&(0x7f0000000940)={0x1c, r2, 0x2, 0x70bd25, 0x25dfdbfc, {}, [@BATADV_ATTR_VLANID={0x6}]}, 0x1c}, 0x1, 0x0, 0x0, 0x4048040}, 0x4040)
r3 = syz_genetlink_get_family_id$batadv(&(0x7f0000000a40), 0xffffffffffffffff)
sendmsg$BATADV_CMD_SET_MESH(r0, &(0x7f0000000b40)={&(0x7f0000000a00)={0x10, 0x0, 0x0, 0xe4e66a9150979ffd}, 0xc, &(0x7f0000000b00)={&(0x7f0000000a80)={0x58, r3, 0x0, 0x70bd2d, 0x25dfdbfc, {}, [@BATADV_ATTR_HARD_IFINDEX={0x8}, @BATADV_ATTR_AGGREGATED_OGMS_ENABLED={0x5}, @BATADV_ATTR_GW_SEL_CLASS={0x8, 0x34, 0xffffffff}, @BATADV_ATTR_MULTICAST_FANOUT={0x8, 0x3c, 0x7f}, @BATADV_ATTR_HARD_IFINDEX={0x8}, @BATADV_ATTR_NETWORK_CODING_ENABLED={0x5}, @BATADV_ATTR_ORIG_ADDRESS={0xa, 0x9, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0xe}}, @BATADV_ATTR_HARD_IFINDEX={0x8}]}, 0x58}, 0x1, 0x0, 0x0, 0x10}, 0x20000014)
ioctl$AUTOFS_DEV_IOCTL_CLOSEMOUNT(0xffffffffffffffff, 0xc0189375, &(0x7f0000000b80)={{0x1, 0x1, 0x18, <r4=>r0}, './file0\x00'})
ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000000c00)={'team0\x00', <r5=>0x0})
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r0, 0x8933, &(0x7f0000000d00)={'batadv_slave_0\x00', <r6=>0x0})
ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r0, 0x8933, &(0x7f0000003280)={'batadv0\x00', <r7=>0x0})
getsockopt$inet_pktinfo(r1, 0x0, 0x8, &(0x7f00000032c0)={<r8=>0x0, @rand_addr, @multicast1}, &(0x7f0000003300)=0xc)
sendmsg$TEAM_CMD_OPTIONS_GET(r4, &(0x7f0000003a80)={&(0x7f0000000bc0)={0x10, 0x0, 0x0, 0x2}, 0xc, &(0x7f0000003a40)={&(0x7f0000003480)={0x5ac, 0x0, 0x200, 0x70bd2d, 0x25dfdbfc, {}, [{{0x8, 0x1, r5}, {0x1a4, 0x2, 0x0, 0x1, [{0x38, 0x1, @mcast_rejoin_interval={{0x24}, {0x5}, {0x8, 0x4, 0x80000000}}}, {0x40, 0x1, @name={{0x24}, {0x5}, {0xe, 0x4, 'broadcast\x00'}}}, {0x3c, 0x1, @enabled={{{0x24}, {0x5}, {0x4}}, {0x8}}}, {0x40, 0x1, @lb_hash_stats={{{0x24}, {0x5}, {0x8}}, {0x8, 0x7, 0x6}}}, {0x3c, 0x1, @user_linkup={{{0x24}, {0x5}, {0x4}}, {0x8, 0x6, r6}}}, {0x38, 0x1, @mcast_rejoin_count={{0x24}, {0x5}, {0x8, 0x4, 0x7ff}}}, {0x38, 0x1, @notify_peers_interval={{0x24}, {0x5}, {0x8, 0x4, 0x56}}}]}}, {{0x8}, {0x168, 0x2, 0x0, 0x1, [{0x3c, 0x1, @user_linkup_enabled={{{0x24}, {0x5}, {0x4}}, {0x8}}}, {0x38, 0x1, @lb_stats_refresh_interval={{0x24}, {0x5}, {0x8, 0x4, 0xffff}}}, {0x3c, 0x1, @enabled={{{0x24}, {0x5}, {0x4}}, {0x8, 0x6, r7}}}, {0x3c, 0x1, @user_linkup={{{0x24}, {0x5}, {0x4}}, {0x8}}}, {0x40, 0x1, @name={{0x24}, {0x5}, {0xe, 0x4, 'broadcast\x00'}}}, {0x38, 0x1, @notify_peers_interval={{0x24}, {0x5}, {0x8, 0x4, 0x2}}}]}}, {{0x8, 0x1, r8}, {0x274, 0x2, 0x0, 0x1, [{0x3c, 0x1, @lb_tx_method={{0x24}, {0x5}, {0x9, 0x4, 'hash\x00'}}}, {0x3c, 0x1, @user_linkup={{{0x24}, {0x5}, {0x4}}, {0x8}}}, {0x40, 0x1, @lb_tx_hash_to_port_mapping={{{0x24}, {0x5}, {0x8}}, {0x8}}}, {0x3c, 0x1, @user_linkup={{{0x24}, {0x5}, {0x4}}, {0x8}}}, {0x40, 0x1, @lb_hash_stats={{{0x24}, {0x5}, {0x8, 0x4, 0x1}}, {0x8}}}, {0x3c, 0x1, @enabled={{{0x24}, {0x5}, {0x4}}, {0x8}}}, {0x38, 0x1, @activeport={{0x24}, {0x5}, {0x8}}}, {0x4c, 0x1, @lb_tx_method={{0x24}, {0x5}, {0x19, 0x4, 'hash_to_port_mapping\x00'}}}, {0x3c, 0x1, @bpf_hash_func={{0x24}, {0x5}, {0xc, 0x4, [{0x200, 0x80, 0x8, 0xd5f}]}}}, {0x40, 0x1, @lb_tx_hash_to_port_mapping={{{0x24}, {0x5}, {0x8}}, {0x8}}}]}}]}, 0x5ac}, 0x1, 0x0, 0x0, 0x20000800}, 0x51)

18:27:56 executing program 4:
r0 = openat$nvram(0xffffffffffffff9c, &(0x7f0000000000), 0x802000, 0x0)
sendmsg$NL80211_CMD_REQ_SET_REG(r0, &(0x7f0000000100)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f00000000c0)={&(0x7f0000000080)={0x1c, 0x0, 0x400, 0x70bd28, 0x25dfdbfe, {}, [@NL80211_ATTR_WIPHY={0x8, 0x1, 0x31}]}, 0x1c}, 0x1, 0x0, 0x0, 0x20000004}, 0x20000)
socketpair(0x2c, 0x2, 0x200000, &(0x7f0000000140)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f00000001c0), r0)
sendmsg$NL80211_CMD_ASSOCIATE(r2, &(0x7f0000000280)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x40000}, 0xc, &(0x7f0000000240)={&(0x7f0000000200)={0x34, r3, 0x2, 0x70bd26, 0x25dfdbfe, {{}, {@void, @val={0xc, 0x99, {0x36100db5, 0x5}}}}, [@NL80211_ATTR_USE_RRM={0x4}, @NL80211_ATTR_USE_RRM={0x4}, @NL80211_ATTR_MAC={0xa, 0x6, @from_mac=@device_b}]}, 0x34}, 0x1, 0x0, 0x0, 0x4000080}, 0x8014)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r2, 0x8933, &(0x7f0000000380)={'batadv_slave_0\x00', <r5=>0x0})
sendmsg$BATADV_CMD_GET_DAT_CACHE(r4, &(0x7f0000000440)={&(0x7f00000002c0)={0x10, 0x0, 0x0, 0x20}, 0xc, &(0x7f0000000400)={&(0x7f00000003c0)={0x2c, 0x0, 0x4, 0x70bd2a, 0x25dfdbfd, {}, [@BATADV_ATTR_GW_SEL_CLASS={0x8}, @BATADV_ATTR_ELP_INTERVAL={0x8, 0x3a, 0xffff}, @BATADV_ATTR_HARD_IFINDEX={0x8, 0x6, r5}]}, 0x2c}, 0x1, 0x0, 0x0, 0x15}, 0x880)
syz_genetlink_get_family_id$nl80211(&(0x7f0000000480), r0)
sendmsg$TIPC_CMD_DISABLE_BEARER(r4, &(0x7f0000000580)={&(0x7f00000004c0)={0x10, 0x0, 0x0, 0x22000000}, 0xc, &(0x7f0000000540)={&(0x7f0000000500)={0x2c, 0x0, 0x400, 0x70bd2a, 0x25dfdbfc, {{}, {}, {0x10, 0x13, @udp='udp:syz1\x00'}}, ["", "", "", "", "", "", "", "", ""]}, 0x2c}, 0x1, 0x0, 0x0, 0x800}, 0x8000)
r6 = syz_genetlink_get_family_id$batadv(&(0x7f0000000600), r2)
sendmsg$BATADV_CMD_GET_ORIGINATORS(r0, &(0x7f00000006c0)={&(0x7f00000005c0)={0x10, 0x0, 0x0, 0x800}, 0xc, &(0x7f0000000680)={&(0x7f0000000640)={0x1c, r6, 0x20, 0x70bd2b, 0x25dfdbfc, {}, [@BATADV_ATTR_TPMETER_TEST_TIME={0x8}]}, 0x1c}, 0x1, 0x0, 0x0, 0x10}, 0x80)
r7 = openat$nvram(0xffffffffffffff9c, &(0x7f0000000700), 0x48800, 0x0)
fspick(r7, &(0x7f0000000740)='./file0\x00', 0x1)
sendmsg$SEG6_CMD_DUMPHMAC(r1, &(0x7f0000000880)={&(0x7f0000000780)={0x10, 0x0, 0x0, 0x2}, 0xc, &(0x7f0000000840)={&(0x7f00000007c0)={0x5c, 0x0, 0x200, 0x70bd28, 0x25dfdbfc, {}, [@SEG6_ATTR_HMACKEYID={0x8, 0x3, 0x3ff}, @SEG6_ATTR_DST={0x14, 0x1, @empty}, @SEG6_ATTR_SECRETLEN={0x5, 0x5, 0x4}, @SEG6_ATTR_HMACKEYID={0x8, 0x3, 0x4}, @SEG6_ATTR_HMACKEYID={0x8, 0x3, 0x1687}, @SEG6_ATTR_DST={0x14, 0x1, @mcast2}]}, 0x5c}, 0x1, 0x0, 0x0, 0x4000000}, 0x20040810)
r8 = syz_genetlink_get_family_id$batadv(&(0x7f0000000900), 0xffffffffffffffff)
sendmsg$BATADV_CMD_GET_BLA_BACKBONE(r2, &(0x7f00000009c0)={&(0x7f00000008c0)={0x10, 0x0, 0x0, 0x40}, 0xc, &(0x7f0000000980)={&(0x7f0000000940)={0x28, r8, 0x1, 0x70bd27, 0x25dfdbfd, {}, [@BATADV_ATTR_ORIG_ADDRESS={0xa, 0x9, @random="7c03cace2a91"}, @BATADV_ATTR_GW_BANDWIDTH_UP={0x8, 0x32, 0xeb}]}, 0x28}, 0x1, 0x0, 0x0, 0x4000040}, 0x0)
r9 = socket$unix(0x1, 0x1, 0x0)
getsockopt$IP_VS_SO_GET_DESTS(r9, 0x0, 0x484, &(0x7f0000000cc0)=""/223, &(0x7f0000000dc0)=0xdf)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f0000000e00)={'batadv_slave_1\x00'})

[   64.521674] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   64.524603] ==================================================================
[   64.525985] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x66d/0x6d0
[   64.527268] Read of size 2 at addr ffff88800c0067b8 by task kworker/u11:2/291
[   64.534194] 
[   64.534538] CPU: 1 UID: 0 PID: 291 Comm: kworker/u11:2 Not tainted 6.18.0-rc5-next-20251114 #1 PREEMPT(voluntary) 
[   64.534575] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   64.534593] Workqueue: hci0 hci_cmd_work
[   64.534630] Call Trace:
[   64.534640]  <TASK>
[   64.534650]  dump_stack_lvl+0xca/0x120
[   64.534685]  print_report+0xcb/0x610
[   64.534721]  ? __virt_addr_valid+0x100/0x5d0
[   64.534753]  ? hci_cmd_work+0x66d/0x6d0
[   64.534794]  ? hci_cmd_work+0x66d/0x6d0
[   64.534829]  kasan_report+0xca/0x100
[   64.534863]  ? hci_cmd_work+0x66d/0x6d0
[   64.534902]  hci_cmd_work+0x66d/0x6d0
[   64.534938]  process_one_work+0x8e1/0x19c0
[   64.534984]  ? __pfx_process_one_work+0x10/0x10
[   64.535023]  ? move_linked_works+0x172/0x270
[   64.535054]  ? assign_work+0x196/0x240
[   64.535092]  worker_thread+0x67e/0xe90
[   64.535130]  ? trace_irq_enable.constprop.0+0xc2/0x100
[   64.535163]  ? __pfx_worker_thread+0x10/0x10
[   64.535202]  kthread+0x3c8/0x740
[   64.535237]  ? __pfx_kthread+0x10/0x10
[   64.535271]  ? ret_from_fork+0x79/0x7a0
[   64.535299]  ? lock_release+0xc8/0x290
[   64.535340]  ? __pfx_kthread+0x10/0x10
[   64.535376]  ret_from_fork+0x67a/0x7a0
[   64.535402]  ? __pfx_ret_from_fork+0x10/0x10
[   64.535428]  ? save_fpregs_to_fpstate+0x145/0x270
[   64.535464]  ? __switch_to+0x759/0x1060
[   64.535501]  ? __pfx_kthread+0x10/0x10
[   64.535537]  ret_from_fork_asm+0x1a/0x30
[   64.535582]  </TASK>
[   64.535591] 
[   64.560544] Allocated by task 289:
[   64.561201]  kasan_save_stack+0x24/0x50
[   64.561934]  kasan_save_track+0x14/0x30
[   64.562676]  __kasan_slab_alloc+0x59/0x70
[   64.563452]  kmem_cache_alloc_node_noprof+0x228/0x6b0
[   64.564404]  __alloc_skb+0x2ab/0x370
[   64.565131]  hci_cmd_sync_alloc+0x34/0x300
[   64.565946]  __hci_cmd_sync_sk+0xf7/0x5c0
[   64.566739]  hci_read_local_features_sync+0x2c/0x170
[   64.567691]  hci_dev_open_sync+0x145c/0x1f60
[   64.568523]  hci_power_on+0xdb/0x5d0
[   64.569230]  process_one_work+0x8e1/0x19c0
[   64.570027]  worker_thread+0x67e/0xe90
[   64.570759]  kthread+0x3c8/0x740
[   64.571412]  ret_from_fork+0x67a/0x7a0
[   64.572138]  ret_from_fork_asm+0x1a/0x30
[   64.572907] 
[   64.573229] Freed by task 292:
[   64.573832]  kasan_save_stack+0x24/0x50
[   64.574577]  kasan_save_track+0x14/0x30
[   64.575321]  kasan_save_free_info+0x3a/0x60
[   64.576132]  __kasan_slab_free+0x43/0x70
[   64.576899]  kmem_cache_free+0x26f/0x500
[   64.577668]  kfree_skbmem+0x18a/0x1f0
[   64.578392]  sk_skb_reason_drop+0x10e/0x1b0
[   64.579204]  vhci_read+0x3d5/0x5d0
[   64.579881]  vfs_read+0x1eb/0xc70
[   64.580556]  ksys_read+0x121/0x240
[   64.581223]  do_syscall_64+0xbf/0x430
[   64.581947]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   64.582905] 
[   64.583231] The buggy address belongs to the object at ffff88800c006780
[   64.583231]  which belongs to the cache skbuff_head_cache of size 232
[   64.585570] The buggy address is located 56 bytes inside of
[   64.585570]  freed 232-byte region [ffff88800c006780, ffff88800c006868)
[   64.587708] 
[   64.588024] The buggy address belongs to the physical page:
[   64.589045] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc006
[   64.590311] memcg:ffff88800b7fd301
[   64.590876] anon flags: 0x100000000000000(node=0|zone=1)
[   64.591723] page_type: f5(slab)
[   64.592262] raw: 0100000000000000 ffff8880096c78c0 ffffea00002fe080 dead000000000003
[   64.593494] raw: 0000000000000000 00000000800c000c 00000000f5000000 ffff88800b7fd301
[   64.594703] page dumped because: kasan: bad access detected
[   64.595578] 
[   64.595854] Memory state around the buggy address:
[   64.596628]  ffff88800c006680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.597764]  ffff88800c006700: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   64.598895] >ffff88800c006780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.600009]                                         ^
[   64.600811]  ffff88800c006800: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[   64.601932]  ffff88800c006880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   64.603044] ==================================================================
[   64.604347] Disabling lock debugging due to kernel taint
[   64.606181] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   64.607801] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   64.610589] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   64.612490] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   64.638898] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   64.642560] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   64.643961] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   64.646082] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   64.647365] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   64.649152] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   64.650624] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   64.654359] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   64.655644] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   64.657390] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   64.661765] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   64.675242] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   64.679974] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   64.681045] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   64.687956] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   64.702198] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   64.714467] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1
[   64.730570] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   64.733715] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   64.737383] Bluetooth: hci7: unexpected cc 0x0c03 length: 249 > 1
[   64.738989] Bluetooth: hci6: unexpected cc 0x0c03 length: 249 > 1
[   64.739693] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9
[   64.743956] Bluetooth: hci7: unexpected cc 0x1003 length: 249 > 9
[   64.744820] Bluetooth: hci6: unexpected cc 0x1003 length: 249 > 9
[   64.749000] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9
[   64.750395] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   64.753123] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   64.755129] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4
[   64.756650] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2
[   64.773136] Bluetooth: hci6: unexpected cc 0x1001 length: 249 > 9
[   64.773204] Bluetooth: hci7: unexpected cc 0x1001 length: 249 > 9
[   64.776938] Bluetooth: hci7: unexpected cc 0x0c23 length: 249 > 4
[   64.779486] Bluetooth: hci7: unexpected cc 0x0c38 length: 249 > 2
[   64.789856] Bluetooth: hci6: unexpected cc 0x0c23 length: 249 > 4
[   64.797966] Bluetooth: hci6: unexpected cc 0x0c38 length: 249 > 2
[   66.675896] Bluetooth: hci1: command tx timeout
[   66.676840] Bluetooth: hci0: command tx timeout
[   66.739903] Bluetooth: hci2: command tx timeout
[   66.741248] Bluetooth: hci3: command tx timeout
[   66.803988] Bluetooth: hci7: command tx timeout
[   66.804616] Bluetooth: hci5: command tx timeout
[   66.805261] Bluetooth: hci4: command tx timeout
[   66.868772] Bluetooth: hci6: command tx timeout
[   68.725533] Bluetooth: hci1: command tx timeout
[   68.725795] Bluetooth: hci0: command tx timeout
[   68.787865] Bluetooth: hci3: command tx timeout
[   68.788310] Bluetooth: hci2: command tx timeout
[   68.851827] Bluetooth: hci7: command tx timeout
[   68.851861] Bluetooth: hci5: command tx timeout
[   68.852795] Bluetooth: hci4: command tx timeout
[   68.916859] Bluetooth: hci6: command tx timeout
[   70.771884] Bluetooth: hci0: command tx timeout
[   70.772828] Bluetooth: hci1: command tx timeout
[   70.835818] Bluetooth: hci2: command tx timeout
[   70.835841] Bluetooth: hci3: command tx timeout
[   70.899804] Bluetooth: hci5: command tx timeout
[   70.901786] Bluetooth: hci4: command tx timeout
[   70.901959] Bluetooth: hci7: command tx timeout
[   70.964809] Bluetooth: hci6: command tx timeout
[   72.821762] Bluetooth: hci1: command tx timeout
[   72.821801] Bluetooth: hci0: command tx timeout
[   72.884833] Bluetooth: hci3: command tx timeout
[   72.884855] Bluetooth: hci2: command tx timeout
[   72.949758] Bluetooth: hci4: command tx timeout
[   72.949793] Bluetooth: hci5: command tx timeout
[   72.950198] Bluetooth: hci7: command tx timeout
[   73.012785] Bluetooth: hci6: command tx timeout

VM DIAGNOSIS:
18:27:57  Registers:
info registers vcpu 0
RAX=1ffffffff0cd1f43 RBX=ffffffff8668fa1c RCX=ffffffff8100012f RDX=0000000000000000
RSI=ffffffff869d70a2 RDI=ffffffff8668fa18 RBP=ffffffff8668fa18 RSP=ffff88801926f800
R8 =ffffffff869d70a2 R9 =0000000000000000 R10=000000000003ca6e R11=0000000000000003
R12=ffffffff8668fa20 R13=ffffffff8668fa18 R14=ffffffff8668fa18 R15=dffffc0000000000
RIP=ffffffff8135ea8f RFL=00000213 [----A-C] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 00000000 00000000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS   [-WA]
DS =0000 0000000000000000 00000000 00000000
FS =0000 00007f7411aca8c0 00000000 00000000
GS =0000 ffff8880e538f000 00000000 00000000
LDT=0000 fffffe7c00000000 00000000 00000000
TR =0040 fffffe0000003000 00004087 00008b00 DPL=0 TSS64-busy
GDT=     fffffe0000001000 0000007f
IDT=     fffffe0000000000 00000fff
CR0=80050033 CR2=00005596700405a0 CR3=0000000020455000 CR4=00350ef0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=25252525252525252525252525252525 XMM01=0000ff0000ff0000ff0000ff0000ff00
XMM02=0000ff0000000000ff0000000000ff00 XMM03=00000000000000000000000000000000
XMM04=2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f XMM05=010201010100ff0000000006ffffffff
XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000
XMM08=3a56000a73253a51000a73253a47000a XMM09=00000000000000000000000000000000
XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000
XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000
XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000
info registers vcpu 1
RAX=0000000000000061 RBX=00000000000003f8 RCX=0000000000000000 RDX=00000000000003f8
RSI=ffffffff8293dd05 RDI=ffffffff889747c0 RBP=ffffffff88974780 RSP=ffff8880190ff618
R8 =0000000000000000 R9 =ffffed10016c6046 R10=0000000000000061 R11=6330303838386652
R12=0000000000000061 R13=0000000000000010 R14=ffffffff88974780 R15=ffffffff8293dcf0
RIP=ffffffff8293dd5d RFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 00000000 00000000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS   [-WA]
DS =0000 0000000000000000 00000000 00000000
FS =0000 0000000000000000 00000000 00000000
GS =0000 ffff8880e548f000 00000000 00000000
LDT=0000 fffffe0e00000000 00000000 00000000
TR =0040 fffffe000004a000 00004087 00008b00 DPL=0 TSS64-busy
GDT=     fffffe0000048000 0000007f
IDT=     fffffe0000000000 00000fff
CR0=80050033 CR2=00007f10f82d2070 CR3=000000001e8c1000 CR4=00350ef0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=00000000000000000000000000000000 XMM01=00007f10f83957c000007f10f83957c8
XMM02=00007f10f83957e000007f10f83957c0 XMM03=00007f10f83957c800007f10f83957c0
XMM04=ffffffffffffffffffffffffffffff00 XMM05=00000000000000000000000000000000
XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000
XMM08=00000000000000000000000000000000 XMM09=00000000000000000000000000000000
XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000
XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000
XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000