Warning: Permanently added '[localhost]:62227' (ECDSA) to the list of known hosts. 2025/11/16 00:30:08 fuzzer started 2025/11/16 00:30:08 dialing manager at localhost:37161 syzkaller login: [ 52.973813] cgroup: Unknown subsys name 'net' [ 53.025154] cgroup: Unknown subsys name 'cpuset' [ 53.039799] cgroup: Unknown subsys name 'rlimit' 2025/11/16 00:30:19 syscalls: 208 2025/11/16 00:30:19 code coverage: enabled 2025/11/16 00:30:19 comparison tracing: enabled 2025/11/16 00:30:19 extra coverage: enabled 2025/11/16 00:30:19 setuid sandbox: enabled 2025/11/16 00:30:19 namespace sandbox: enabled 2025/11/16 00:30:19 Android sandbox: enabled 2025/11/16 00:30:19 fault injection: enabled 2025/11/16 00:30:19 leak checking: enabled 2025/11/16 00:30:19 net packet injection: enabled 2025/11/16 00:30:19 net device setup: enabled 2025/11/16 00:30:19 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist 2025/11/16 00:30:19 devlink PCI setup: PCI device 0000:00:10.0 is not available 2025/11/16 00:30:19 USB emulation: enabled 2025/11/16 00:30:19 hci packet injection: enabled 2025/11/16 00:30:19 wifi device emulation: enabled 2025/11/16 00:30:19 802.15.4 emulation: enabled 2025/11/16 00:30:19 fetching corpus: 0, signal 0/0 (executing program) 2025/11/16 00:30:20 starting 8 fuzzer processes 00:30:20 executing program 0: ioctl$SNDRV_TIMER_IOCTL_NEXT_DEVICE(0xffffffffffffffff, 0xc0145401, &(0x7f0000000000)={0x0, 0x3, 0x3ff, 0x1, 0x9}) pipe2(&(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}, 0x4800) write$P9_RWRITE(r1, &(0x7f0000000080)={0xb, 0x77, 0x2, 0xb74a}, 0xb) ioctl$SNDRV_TIMER_IOCTL_GSTATUS(r0, 0xc0505405, &(0x7f00000000c0)={{0x3, 0x1, 0x1, 0x0, 0x40}, 0x8, 0x10001, 0xeb1d}) pipe2(&(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}, 0x800) setsockopt$inet_tcp_buf(r2, 0x6, 0xe, &(0x7f0000000180)="d851efc382a8d14c633fe2002fe308abbd2125e4ce5b820e1b8163df1fa42ea3e6c68b9cfa3aa7dfe8589d06ad5cad12d441484e62544bda0ab67b4cdfccc199e1d89c97c3aaf2fad0d992dbb3536b8cf2a7477e53e85d211355cffe522dd7515683f7bd3bf204ddc20fd478bd20ce01058537d6ee6fde5919f500ad305bf4d2bc7c2e51a570dd3172f02e49ed68db004379f90b5acbf79776fa855548fcf0dd4a8714e6e0b628f041", 0xa9) pipe2$9p(&(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}, 0x80000) write$P9_RREADLINK(r4, &(0x7f0000000280)={0x10, 0x17, 0x1, {0x7, './file0'}}, 0x10) setsockopt$inet_buf(r2, 0x0, 0x2e, &(0x7f00000002c0)="f1dc6108a6598b4bce1bc1df2214a2db3663abb0a3ddaaaa4a13ca2a24e1454758676157b6a97ed51c86e522ff6f6e7325e0dc5f6ff2a8ab26240ed8505599b1078ef9dfbcbf8db30dd5aefcba501d91d039b1cbd1507a549fd42c5cc630ce648e51e185c05be3f475b5652479ffe3d28d27036a912a9c67a9025e43d72622915bd7983ae03cf9bba043b97b8ef0b25186dd25c2e661401f5fe48fb6cd26e7b607d41458d50610e98740e6ff3a2e19c6174150e2db0f9e0e9120b05f426ec9c44e382d414e1931002c850e695d5771d41a25be6518e7288e26ccb41b544e496632aa7b4a9fc053bb9f4e1bcd9ece344ebcb3d9ce", 0xf4) write$P9_RLERROR(0xffffffffffffffff, &(0x7f00000003c0)={0xd, 0x7, 0x1, {0x4, '([+&'}}, 0xd) r5 = openat$zero(0xffffffffffffff9c, &(0x7f0000000400), 0x200000, 0x0) fsconfig$FSCONFIG_CMD_CREATE(r5, 0x6, 0x0, 0x0, 0x0) write$9p(0xffffffffffffffff, &(0x7f0000000440)="ddbd5a5d89713307aa9c805638ccdd7300dea3dd5e70505100f58fa41ea11ff076edd4ca", 0x24) getsockopt$EBT_SO_GET_INIT_INFO(r1, 0x0, 0x82, &(0x7f0000000480)={'filter\x00', 0x0, 0x0, 0x0, [0x9, 0x7, 0x1, 0x2, 0x8, 0x3]}, &(0x7f0000000500)=0x78) setsockopt$IP_VS_SO_SET_DEL(r3, 0x0, 0x484, &(0x7f0000000540)={0x0, @multicast2, 0x4e21, 0x1, 'lblcr\x00', 0x2b, 0x3, 0x11}, 0x2c) ioctl$SECCOMP_IOCTL_NOTIF_SEND(r3, 0xc0182101, &(0x7f0000000580)={0x0, 0x3, 0x3}) write$P9_RLERROR(r0, &(0x7f00000005c0)={0x9, 0x7, 0x1}, 0x9) ioctl$SNDRV_TIMER_IOCTL_START(r5, 0x54a0) ioctl$BLKTRACETEARDOWN(r0, 0x1276, 0x0) sendmsg$unix(r2, &(0x7f0000000940)={0x0, 0x0, &(0x7f00000008c0)=[{&(0x7f0000000600)="6a0f6d8b1f187d738aa153a10575bca42c16cdcfce9c62b8468e5c3f62745edead5a7dcaff5879096735322ad036316a0304cb815359d62893fab469", 0x3c}, {&(0x7f0000000640)="2a90f47683941a999c80ff851101c047e90e158ba7e43122f7195243dda098d072169d4d1910118bf8745c40fb19bcc15b323490b688de8f180b570565cf8f04446651cbbb8a3a2adc6af019605bc25962fa3796e4f1b9c954799e264c21fabfb00fde85037d7eff280c812b2b05cc4bb0595c87f796aa9479b37248bb2cbe048e48845fcaf8a01b20b9795f9185", 0x8e}, {&(0x7f0000000700)="733f6c7dc7d9cf2921fcbe8e272b5b1e95165dde31fa8f986d2e6ed9af1e6a8d4b4e84ea43cde56ec7253405a7632c303757fe1f757536993bf52ef05efac891107f6842912f0205b471a08ed01e3cd4e67df8a9de6daaf3d8f7ed9ead2c38ad17da9ccce43159a58e769e8f82420a4b90c26ae4697ce8fcf4471609b8e8bbc1d40c3e1643e7d639ea9ccd24e0350e039de8e379d94083dd97dc8666960f68fa7df06e5ca5b19ebfe725326bd2b8c72e", 0xb0}, {&(0x7f00000007c0)="9544", 0x2}, {&(0x7f0000000800)="82eee1731442f70778e797c4e2e4f44fba284b76eacdf6600c96b7ed1cbd973c55584204aa914b10b0046d29211f9def9ff955f6f86f221e38698bda3be19b2a9ff62d35e33ac0aaa96032ef4b8af7410ff5f4dca28fa2a4eea187a871ffcc882d6fae4adab35a5d4529a2333234e202eb47dea17459e9ce358625a1cbafaaa9b9c900d578657200c530fe24e6f65a849c064a705a801c2778cdeb5e1d459b999fca99e917618c4ec7338556", 0xac}], 0x5, 0x0, 0x0, 0x20040801}, 0x4004004) 00:30:20 executing program 1: ioctl$LOOP_SET_FD(0xffffffffffffffff, 0x4c00, 0xffffffffffffffff) ioctl$SNDRV_TIMER_IOCTL_START(0xffffffffffffffff, 0x54a0) clock_gettime(0x0, &(0x7f0000000000)={0x0, 0x0}) timerfd_settime(0xffffffffffffffff, 0x1, &(0x7f0000000040)={{r0, r1+10000000}, {0x0, 0x3938700}}, &(0x7f0000000080)) r2 = openat$sndtimer(0xffffffffffffff9c, &(0x7f00000000c0), 0x200) ioctl$SNDRV_TIMER_IOCTL_STOP(r2, 0x54a1) setsockopt$IP_VS_SO_SET_ZERO(0xffffffffffffffff, 0x0, 0x48f, &(0x7f0000000100)={0x0, @loopback, 0x4e24, 0x4, 'dh\x00', 0x10, 0x80000001, 0x63}, 0x2c) r3 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000140), 0x103480) ioctl$SNDRV_TIMER_IOCTL_STATUS32(r3, 0x80585414, &(0x7f0000000180)) getsockopt$EBT_SO_GET_INIT_INFO(0xffffffffffffffff, 0x0, 0x82, &(0x7f0000000200)={'broute\x00', 0x0, 0x0, 0x0, [0x7, 0x2, 0x4, 0x820a, 0x400, 0x8248]}, &(0x7f0000000280)=0x78) openat$sndtimer(0xffffffffffffff9c, &(0x7f00000002c0), 0x2000) r4 = socket$inet_icmp(0x2, 0x2, 0x1) setsockopt$IP_VS_SO_SET_ADDDEST(r4, 0x0, 0x487, &(0x7f0000000300)={{0x32, @loopback, 0x4e22, 0x2, 'none\x00', 0x8, 0x4, 0x7c}, {@multicast2, 0x4e20, 0x2000, 0x3715899b, 0x6, 0x1}}, 0x44) r5 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet_mtu(r5, 0x0, 0xa, &(0x7f0000000380), &(0x7f00000003c0)=0x4) r6 = syz_io_uring_setup(0x1126, &(0x7f0000000400)={0x0, 0x2f61, 0x10, 0x0, 0x4f}, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000000480), &(0x7f00000004c0)) mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x0, 0x11, r6, 0x0) r7 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000500), 0x4c2) ioctl$SNDRV_TIMER_IOCTL_CONTINUE(r7, 0x54a2) pselect6(0x40, &(0x7f0000000540)={0x98f, 0x1, 0x1800000000000, 0x7, 0x83e, 0x8, 0x6, 0x5}, &(0x7f0000000580)={0x9, 0x5, 0xffffffffffffffff, 0x9, 0x6e5, 0x7, 0x6, 0x4}, &(0x7f00000005c0)={0x8, 0x0, 0x5, 0x40, 0x3f, 0x505, 0x8, 0xfbe50}, &(0x7f0000000640), &(0x7f00000006c0)={&(0x7f0000000680)={[0x1]}, 0x8}) 00:30:20 executing program 2: pipe2$9p(&(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}, 0x4000) write$P9_RCREATE(r0, &(0x7f0000000040)={0x18, 0x73, 0x2, {{0x8, 0x0, 0x2}, 0x1000}}, 0x18) write$P9_RWALK(r0, &(0x7f0000000080)={0x30, 0x6f, 0x2, {0x3, [{0x4, 0x3, 0x7}, {0x8, 0x4, 0x7}, {0x3, 0x0, 0x1}]}}, 0x30) sendmsg$BATADV_CMD_SET_MESH(0xffffffffffffffff, &(0x7f0000000180)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x40000000}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x34, 0x0, 0x2, 0x70bd25, 0x25dfdbff, {}, [@BATADV_ATTR_BRIDGE_LOOP_AVOIDANCE_ENABLED={0x5}, @BATADV_ATTR_FRAGMENTATION_ENABLED={0x5}, @BATADV_ATTR_THROUGHPUT_OVERRIDE={0x8, 0x3b, 0x5}, @BATADV_ATTR_FRAGMENTATION_ENABLED={0x5}]}, 0x34}, 0x1, 0x0, 0x0, 0xc00}, 0x800) r1 = fsmount(0xffffffffffffffff, 0x1, 0x9) write$P9_RSTATFS(r1, &(0x7f00000001c0)={0x43, 0x9, 0x2, {0x5, 0x906, 0x2, 0x6, 0x6, 0x7fff, 0x80000001, 0x8a2c, 0xfff}}, 0x43) write$P9_RLOCK(r1, &(0x7f0000000240)={0x8, 0x35, 0x1}, 0x8) setsockopt$ARPT_SO_SET_ADD_COUNTERS(r1, 0x0, 0x61, &(0x7f0000000280)={'filter\x00', 0x4}, 0x68) write$P9_RREADLINK(r1, &(0x7f0000000300)={0x10, 0x17, 0x1, {0x7, './file0'}}, 0x10) r2 = socket$inet(0x2, 0x1, 0x2) accept$inet(r2, &(0x7f0000000340)={0x2, 0x0, @multicast1}, &(0x7f0000000380)=0x10) write$P9_RLERROR(r1, &(0x7f00000003c0)={0x10, 0x7, 0x1, {0x7, 'filter\x00'}}, 0x10) fsconfig$FSCONFIG_SET_FD(r1, 0x5, &(0x7f0000000400)='&{^!{},\x00', 0x0, r1) write$P9_RCREATE(r0, &(0x7f0000000440)={0x18, 0x73, 0x1, {{0x4, 0x4, 0x5}, 0x10001}}, 0x18) write$P9_RMKNOD(r1, &(0x7f0000000480)={0x14, 0x13, 0x2, {0x1, 0x3, 0x4}}, 0x14) write$P9_RMKNOD(r0, &(0x7f00000004c0)={0x14, 0x13, 0x2, {0x20, 0x4, 0x7}}, 0x14) write$P9_RLOCK(r0, &(0x7f0000000500)={0x8, 0x35, 0x1, 0x3}, 0x8) ioctl$RTC_EPOCH_READ(r1, 0x8008700d, &(0x7f0000000540)) r3 = accept4$unix(r1, &(0x7f0000000580)=@abs, &(0x7f0000000600)=0x6e, 0x80000) accept$unix(r3, &(0x7f0000000640)=@abs, &(0x7f00000006c0)=0x6e) 00:30:20 executing program 7: r0 = socket$unix(0x1, 0x2, 0x0) recvmsg$unix(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000100)=[{&(0x7f0000000000)=""/214, 0xd6}], 0x1, &(0x7f0000000140)=[@rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c, 0x1, 0x2, {0x0, 0x0, 0x0}}}, @rights={{0x28, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c, 0x1, 0x2, {0x0, 0x0}}}], 0xa8}, 0x20) syz_open_dev$loop(&(0x7f0000000240), 0x40, 0x0) r8 = openat$zero(0xffffffffffffff9c, &(0x7f0000000280), 0x40000, 0x0) write$P9_RREADDIR(r1, &(0x7f00000002c0)={0x68, 0x29, 0x1, {0x80, [{{0x80, 0x2}, 0x0, 0x4, 0x7, './file0'}, {{0x20, 0x1, 0x2}, 0x2, 0x0, 0x7, './file0'}, {{0x20, 0x3}, 0x306c9bef, 0xd, 0x7, './file0'}]}}, 0x68) recvmsg$unix(0xffffffffffffffff, &(0x7f00000007c0)={&(0x7f0000000340), 0x6e, &(0x7f0000000700)=[{&(0x7f00000003c0)=""/5, 0x5}, {&(0x7f0000000400)=""/129, 0x81}, {&(0x7f00000004c0)=""/242, 0xf2}, {&(0x7f00000005c0)=""/169, 0xa9}, {&(0x7f0000000680)=""/51, 0x33}, {&(0x7f00000006c0)=""/24, 0x18}], 0x6, &(0x7f0000000780)=[@rights={{0x34, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}], 0x38}, 0x3022) connect$unix(r8, &(0x7f0000000800)=@abs={0x1, 0x0, 0x4e24}, 0x6e) sendmsg$unix(r9, &(0x7f0000000c40)={&(0x7f0000000880)=@abs={0x1, 0x0, 0x4e20}, 0x6e, &(0x7f0000000bc0)=[{&(0x7f0000000900)="9f3099db9d5d00952478a406c16cb6cb3cfc0e2c6513a98054c449a5142f6301ee0b56407389cd76a0c7c94a69eedd9604a9f7612f8150c2a578cdc221501638fe169afacff586b812eb5b454cc98a84fc53c0df32aad4ec95f87f3547290b5723193509352b34b1567c1d3eb7cf90e50975212c7e43a4870db47d282301c28cf47363e40b7b97359a0e4cc3ffc4a72ffd72c904", 0x94}, {&(0x7f00000009c0)="8b0e8341824a799ed609e3ee7d7bf45f587da38ae0452ae587cf67a6db0fa682fdbe076e2dfc4a12579f8ffd118fe4c870090269fd02050050dcef56ebf203230230ba26af800201939bdcd65aec6bc5c318dbecf19e6e2a0ee7a768f4eafc7aad40f7", 0x63}, {&(0x7f0000000a40)="80f85742a3159d8a10c3b337b3744626172232acb5c6215906febd44fb5376b79f9c1bf01012a2e4bd7c7d009db3a3f3e7877377c04de8863be162419d007e8c83dbdb33da4c380f2accc9bdfe052085f74a2d22d72250d31ce5b055dea5dfc0ab363e73", 0x64}, {&(0x7f0000000ac0)="9eac68968c5d4aaad3add78e1ca579ac235da522b9c3ff4229c2b1b6de71cf0cc9896c6b6754af3e06145ec44833386af3aba514b5f92c5cd02c0f1b38f33a1d701ec415736852221533f104b45042c1165d641f82d956c3a5bf1f6193db8a4fd7834d1b4d8735b52041b523faddadb487eb29cdccf3dcbef54dea7b69b1843d75f17bb52fe4d9bd21167d259488820e602ce3462529cd3eea472be942855e81a36c8b1118342e418a9f3e25373c02e3263c122f0773d06e9e470d1e", 0xbc}, {&(0x7f0000000b80)="6434b7dc555901145dbce70f802f9ae7", 0x10}], 0x5, 0x0, 0x0, 0x20000000}, 0x40000) r12 = openat$zero(0xffffffffffffff9c, &(0x7f0000001180), 0x8002, 0x0) setsockopt$inet_tcp_TCP_MD5SIG(r12, 0x6, 0xe, &(0x7f00000011c0)={@in6={{0xa, 0x4e20, 0x3, @private2, 0xfffffd14}}, 0x0, 0x0, 0x18, 0x0, "b00c6ff9d36dc8450b590ef39e9a4b208a151ee95a77ec4a0eba9ca0180d9335a528d7b50709937c0b5bcfcab058b7e2cea9965dc2b82f1e21c4dc18b7db839c7ce7ed33b5b2e5d87d8a3970672436bf"}, 0xd8) getpeername$unix(r1, &(0x7f00000012c0), &(0x7f0000001340)=0x6e) r13 = openat$zero(0xffffffffffffff9c, &(0x7f0000001380), 0x48001, 0x0) connect$unix(r13, &(0x7f00000013c0)=@file={0x1, './file0\x00'}, 0x6e) recvmsg$unix(r10, &(0x7f0000001d00)={&(0x7f0000001b40)=@abs, 0x6e, &(0x7f0000001c00)=[{&(0x7f0000001bc0)}], 0x1, &(0x7f0000001c40)=[@cred={{0x1c}}, @cred={{0x1c}}, @cred={{0x1c, 0x1, 0x2, {0x0, 0x0, 0x0}}}, @rights={{0x24, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}], 0xa8}, 0x10000) recvmsg$unix(r11, &(0x7f0000002f80)={&(0x7f0000001d40), 0x6e, &(0x7f0000002e00)=[{&(0x7f0000001dc0)=""/4096, 0x1000}, {&(0x7f0000002dc0)=""/59, 0x3b}], 0x2, &(0x7f0000002e40)=[@cred={{0x1c}}, @rights={{0x28, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x28, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x28, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @cred={{0x1c, 0x1, 0x2, {0x0}}}, @cred={{0x1c}}], 0x138}, 0x1) r17 = geteuid() getresuid(&(0x7f0000002fc0)=0x0, &(0x7f0000003000), &(0x7f0000003040)) r19 = getegid() sendmmsg$unix(r2, &(0x7f0000003180)=[{{&(0x7f0000001440)=@abs={0x0, 0x0, 0x4e22}, 0x6e, &(0x7f0000001780)=[{&(0x7f00000014c0)="6709db0c748c4bfe1368c363b06fbe469579389f24dd0cc6ab91f6057c709d05e89267834d2529584cc52d590e78f64661ab2685e75b6c27185415e3eb009aec0ce28d90ac0e", 0x46}, {&(0x7f0000001540)="e40a10e9559cc8da4a6e34fd330225452aba96a5f1ff255c992425a4b5711930dc98b7589d724822afa7ba97967ed5926dc87e9be341d045ec839aa6c2d193ffe772af7f09b66c15a616ddcfc8b564d532d6bd0974880892b8b5db", 0x5b}, {&(0x7f00000015c0)="d1a9eef1f38b927c5727c4a0d84b441c5b67df073a4173afd2883162d6db3838f17642b7d14d", 0x26}, {&(0x7f0000001600)="41c0f0bb62e8d57df1bc78100e2f66205d1a019b91dccaf5e40ee9f1e83ed2abdce30f33de1455006b4232a43fd493dd5b7c0a2f5bb3c0649fa4e15bdc4a3791848d41170e57b38711436f37341e0e0554b3c2a1af8812c4a301ebf81ada2d841569c2026a695a73bae26fe5", 0x6c}, {&(0x7f0000001680)="af09b7744e93ff74870ecf007470b06f4d8575417c519a5e98b40a2033a818c8e354c4a72ae7bde1d7d74f54b47b0b3c769cced4a76a3f84b947ec366dbab777aaf7e8491aa083cd6fa9d8584b8c05144729fa4c596ea550ecdf11cba7c64f99d2b87381f90cd8292fc88d32e8fc829ae2b89f27aeaf95196bdd03fde49126de9ce23ce28a32c331676a217ca7524f07e577b10818dee5ccb4fcd1128282a5f4643aea564e7d1b18f39eb59890c7eab2039d4508345044c2a2726e4759580d75929864ed9239dc171584cd2ce2ae523d63ac56cdf390c9dbe7ceeabc68bd06d7d4", 0xe1}], 0x5, 0x0, 0x0, 0x4004000}}, {{0x0, 0x0, &(0x7f0000001a40)=[{&(0x7f0000001800)="9d3ec161f6b2f16a7eb0106caab039ebfec0c5c8f73ef255803453058ee7017376b4b4a56b8b14074f347d092063f7d7566081b5099c997201786ed0a3675f5d5c8c63cb08f3838d68ce55d12418112509045221cc9497d07f744645e6b0fed8551d6e30760dabe6c4bebb434c27f12129b68bf86851ceabd1ea22b5fc6218731d27a77e2d0efd6f5a8324d8d9fca7f77cddc4cc6321af4a4775ba5682036f014b89f77920b098c3d432a018", 0xac}, {&(0x7f00000018c0)="4cd2fa4caedaaf78cb9c6f80918b3812090a51c826163380ee267573a10550", 0x1f}, {&(0x7f0000001900)="5321308576166b916462d3ecd5649d57383c38d755377ff58c076e565e24c6940f2ca92bc9ba512986bb09a53f721894781ea55e3b1d115eac3e83100e28f0c69ed9533ec0a7d57867a1f9aa7c5c16cf0df3a4dd4c3f5e97b3d992d922c45cf080e310592bf0b4ab3190595358f47b649778900dbc24aab571afa2efb16cb3111f2d13541bb8268e54c76fab519d268ecb07bc8b260851b2ee599816c75f0890c96b0130eb94b9b5c4322cf4bc7477966a32dd93c7ea83b6f21dcb", 0xbb}, {&(0x7f00000019c0)="6c37c4528f3c0ee5d5beaf37a0e3157244c550852f0be8dbf6377ee3740df9ad66e995a498fded1f419b2c7e2d1d9fdb48471e54ba542a9c58dd671647e1250bcb7c8c4bd4fe", 0x46}, {0xfffffffffffffffd}], 0x5, &(0x7f0000003080)=[@cred={{0x1c, 0x1, 0x2, {r6, r7, r5}}}, @cred={{0x1c, 0x1, 0x2, {r6, r4, r14}}}, @cred={{0x1c, 0x1, 0x2, {r16, r17, r5}}}, @cred={{0x1c, 0x1, 0x2, {r6, r4, r5}}}, @cred={{0x1c, 0x1, 0x2, {r3, r18}}}, @rights={{0x18, 0x1, 0x1, [r10, r10]}}, @cred={{0x1c, 0x1, 0x2, {r6, r4, r19}}}], 0xd8, 0x20040000}}], 0x2, 0x1) fsconfig$FSCONFIG_SET_FD(0xffffffffffffffff, 0x5, &(0x7f0000003240)='*[[@-(-{\x00', 0x0, r15) 00:30:20 executing program 6: r0 = syz_genetlink_get_family_id$batadv(&(0x7f0000000040), 0xffffffffffffffff) ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'batadv0\x00', 0x0}) sendmsg$BATADV_CMD_GET_TRANSTABLE_LOCAL(0xffffffffffffffff, &(0x7f0000000180)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x4000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x44, r0, 0x20, 0x70bd2b, 0x25dfdbfb, {}, [@BATADV_ATTR_AGGREGATED_OGMS_ENABLED={0x5, 0x29, 0x1}, @BATADV_ATTR_FRAGMENTATION_ENABLED={0x5, 0x30, 0x1}, @BATADV_ATTR_GW_SEL_CLASS={0x8, 0x34, 0x7}, @BATADV_ATTR_VLANID={0x6}, @BATADV_ATTR_MESH_IFINDEX={0x8, 0x3, r1}, @BATADV_ATTR_BRIDGE_LOOP_AVOIDANCE_ENABLED={0x5}]}, 0x44}, 0x1, 0x0, 0x0, 0x40d0}, 0x8081) sendmsg$BATADV_CMD_GET_BLA_CLAIM(0xffffffffffffffff, &(0x7f00000002c0)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x40000000}, 0xc, &(0x7f0000000280)={&(0x7f0000000200)={0x4c, r0, 0x804, 0x70bd25, 0x25dfdbfc, {}, [@BATADV_ATTR_MULTICAST_FORCEFLOOD_ENABLED={0x5, 0x37, 0x1}, @BATADV_ATTR_MULTICAST_FANOUT={0x8, 0x3c, 0x9}, @BATADV_ATTR_DISTRIBUTED_ARP_TABLE_ENABLED={0x5, 0x2f, 0x1}, @BATADV_ATTR_ISOLATION_MASK={0x8, 0x2c, 0x7fffffff}, @BATADV_ATTR_MESH_IFINDEX={0x8, 0x3, r1}, @BATADV_ATTR_BRIDGE_LOOP_AVOIDANCE_ENABLED={0x5, 0x2e, 0x1}, @BATADV_ATTR_DISTRIBUTED_ARP_TABLE_ENABLED={0x5}]}, 0x4c}, 0x1, 0x0, 0x0, 0x8000}, 0x24044801) write$cgroup_netprio_ifpriomap(0xffffffffffffffff, &(0x7f0000000300)={'batadv_slave_0', 0x32, 0x37}, 0x11) r2 = openat$zero(0xffffffffffffff9c, &(0x7f0000000340), 0x101100, 0x0) sendmsg$BATADV_CMD_GET_TRANSTABLE_LOCAL(r2, &(0x7f0000000440)={&(0x7f0000000380)={0x10, 0x0, 0x0, 0x20020202}, 0xc, &(0x7f0000000400)={&(0x7f00000003c0)={0x1c, r0, 0x20, 0x70bd2d, 0x25dfdbfb, {}, [@BATADV_ATTR_ELP_INTERVAL={0x8, 0x3a, 0x3}]}, 0x1c}, 0x1, 0x0, 0x0, 0x20000000}, 0x4040) sendmsg$BATADV_CMD_GET_MESH(r2, &(0x7f0000000540)={&(0x7f0000000480)={0x10, 0x0, 0x0, 0x8000000}, 0xc, &(0x7f0000000500)={&(0x7f00000004c0)={0x1c, r0, 0x100, 0x70bd29, 0x25dfdbff, {}, [@BATADV_ATTR_GW_BANDWIDTH_UP={0x8}]}, 0x1c}, 0x1, 0x0, 0x0, 0x20000040}, 0x40) r3 = syz_genetlink_get_family_id$batadv(&(0x7f00000005c0), r2) sendmsg$BATADV_CMD_GET_TRANSTABLE_GLOBAL(0xffffffffffffffff, &(0x7f00000006c0)={&(0x7f0000000580)={0x10, 0x0, 0x0, 0x400000}, 0xc, &(0x7f0000000680)={&(0x7f0000000600)={0x48, r3, 0x800, 0x70bd2b, 0x25dfdbfd, {}, [@BATADV_ATTR_ISOLATION_MASK={0x8, 0x2c, 0x1}, @BATADV_ATTR_MULTICAST_FANOUT={0x8, 0x3c, 0xfff}, @BATADV_ATTR_ORIG_ADDRESS={0xa, 0x9, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x26}}, @BATADV_ATTR_AP_ISOLATION_ENABLED={0x5}, @BATADV_ATTR_DISTRIBUTED_ARP_TABLE_ENABLED={0x5}, @BATADV_ATTR_MULTICAST_FANOUT={0x8, 0x3c, 0x1000}]}, 0x48}, 0x1, 0x0, 0x0, 0x20000840}, 0x408c000) r4 = openat$zero(0xffffffffffffff9c, &(0x7f0000000700), 0x410240, 0x0) r5 = syz_genetlink_get_family_id$batadv(&(0x7f0000000780), r2) sendmsg$BATADV_CMD_GET_ORIGINATORS(r4, &(0x7f0000000840)={&(0x7f0000000740)={0x10, 0x0, 0x0, 0x2}, 0xc, &(0x7f0000000800)={&(0x7f00000007c0)={0x34, r5, 0x10, 0x70bd2d, 0x25dfdbff, {}, [@BATADV_ATTR_NETWORK_CODING_ENABLED={0x5, 0x38, 0x1}, @BATADV_ATTR_DISTRIBUTED_ARP_TABLE_ENABLED={0x5}, @BATADV_ATTR_ISOLATION_MASK={0x8, 0x2c, 0x6}, @BATADV_ATTR_BRIDGE_LOOP_AVOIDANCE_ENABLED={0x5}]}, 0x34}, 0x1, 0x0, 0x0, 0x400c005}, 0x20000001) r6 = syz_genetlink_get_family_id$batadv(&(0x7f00000008c0), r4) sendmsg$BATADV_CMD_GET_BLA_CLAIM(r4, &(0x7f0000000980)={&(0x7f0000000880)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f0000000940)={&(0x7f0000000900)={0x24, r6, 0x400, 0x70bd2c, 0x25dfdbfe, {}, [@BATADV_ATTR_HARD_IFINDEX={0x8}, @BATADV_ATTR_MULTICAST_FANOUT={0x8, 0x3c, 0xfffffffe}]}, 0x24}, 0x1, 0x0, 0x0, 0x44080}, 0x1) getsockopt$inet_tcp_TCP_REPAIR_WINDOW(r4, 0x6, 0x1d, &(0x7f00000009c0), &(0x7f0000000a00)=0x14) socketpair(0x23, 0x1, 0x9, &(0x7f0000000a40)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$BATADV_CMD_SET_VLAN(r7, &(0x7f0000000b40)={&(0x7f0000000a80)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f0000000b00)={&(0x7f0000000ac0)={0x28, r3, 0x200, 0x70bd28, 0x25dfdbfc, {}, [@BATADV_ATTR_ORIG_ADDRESS={0xa, 0x9, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x12}}, @BATADV_ATTR_ELP_INTERVAL={0x8, 0x3a, 0x38}]}, 0x28}, 0x1, 0x0, 0x0, 0x4000000}, 0x4000) getpeername$packet(r2, &(0x7f0000000bc0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000c00)=0x14) sendmsg$BATADV_CMD_SET_HARDIF(r2, &(0x7f0000000d00)={&(0x7f0000000b80)={0x10, 0x0, 0x0, 0x8000}, 0xc, &(0x7f0000000cc0)={&(0x7f0000000c40)={0x54, r6, 0x200, 0x70bd26, 0x25dfdbfd, {}, [@BATADV_ATTR_FRAGMENTATION_ENABLED={0x5, 0x30, 0x1}, @BATADV_ATTR_TPMETER_TEST_TIME={0x8, 0xb, 0x7}, @BATADV_ATTR_MULTICAST_FANOUT={0x8, 0x3c, 0x3a}, @BATADV_ATTR_NETWORK_CODING_ENABLED={0x5, 0x38, 0x1}, @BATADV_ATTR_MESH_IFINDEX={0x8, 0x3, r8}, @BATADV_ATTR_MULTICAST_FANOUT={0x8, 0x3c, 0x8}, @BATADV_ATTR_HARD_IFINDEX={0x8}, @BATADV_ATTR_FRAGMENTATION_ENABLED={0x5, 0x30, 0x1}]}, 0x54}, 0x1, 0x0, 0x0, 0x48081}, 0x40000) 00:30:20 executing program 3: getpeername$packet(0xffffffffffffffff, &(0x7f0000000000)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @link_local}, &(0x7f0000000040)=0x14) r0 = accept$packet(0xffffffffffffffff, &(0x7f0000000080)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, &(0x7f00000000c0)=0x14) getpeername$packet(r0, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @dev}, &(0x7f0000000140)=0x14) recvfrom$packet(r0, &(0x7f0000000180)=""/63, 0x3f, 0x100, &(0x7f00000001c0)={0x11, 0x2891e1d1876cd9ed, r1, 0x1, 0xb8, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x3}}, 0x14) r2 = socket$inet(0x2, 0x4, 0x4f5c) setsockopt$inet_IP_IPSEC_POLICY(r2, 0x0, 0x10, &(0x7f0000000200)={{{@in=@multicast2, @in6=@loopback, 0x4e22, 0x4, 0x4e22, 0x3, 0xa, 0xa0, 0x80, 0x5c}, {0x773, 0x3, 0x7bb4, 0xffffffffffff0000, 0x5, 0x3f, 0x9, 0xa7b6}, {0x8, 0x7fff, 0x0, 0x6}, 0x800, 0x0, 0x1, 0x0, 0x0, 0x1}, {{@in=@local, 0x4d3, 0xf9130141ca209a46}, 0x2, @in6=@local, 0x3500, 0x4, 0x0, 0xff, 0x8c, 0x3, 0x3}}, 0xe8) r3 = openat$zero(0xffffffffffffff9c, &(0x7f0000000300), 0x501102, 0x0) r4 = accept4$packet(r3, &(0x7f0000000340)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000000380)=0x14, 0x800) getsockname$packet(r4, &(0x7f00000003c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @multicast}, &(0x7f0000000400)=0x14) setsockopt$packet_drop_memb(r4, 0x107, 0x2, &(0x7f0000000440)={r5, 0x1, 0x6, @remote}, 0x10) setsockopt$packet_buf(r4, 0x107, 0x5, &(0x7f0000000480)="6bc6f170a6ffed4fca13c455eb", 0xd) r6 = socket$packet(0x11, 0x2, 0x300) connect$packet(r6, &(0x7f00000004c0)={0x11, 0x19, r1, 0x1, 0x5, 0x6, @multicast}, 0x14) setsockopt$packet_drop_memb(0xffffffffffffffff, 0x107, 0x2, &(0x7f0000000500)={r1, 0x1, 0x6, @broadcast}, 0x10) pipe2(&(0x7f0000000540)={0xffffffffffffffff, 0xffffffffffffffff}, 0x800) setsockopt$packet_rx_ring(r7, 0x107, 0x5, &(0x7f0000000580)=@req={0xb0e80de0, 0x7fffffff, 0x3, 0x6}, 0x10) r9 = accept4$packet(r3, &(0x7f00000005c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @random}, &(0x7f0000000600)=0x14, 0x800) accept$packet(r9, &(0x7f0000000640)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @link_local}, &(0x7f0000000680)=0x14) accept4$packet(r3, 0x0, &(0x7f00000006c0), 0x80800) sendmsg$BATADV_CMD_SET_VLAN(r8, &(0x7f00000007c0)={&(0x7f0000000700)={0x10, 0x0, 0x0, 0x4}, 0xc, &(0x7f0000000780)={&(0x7f0000000740)={0x2c, 0x0, 0x300, 0x70bd2b, 0x25dfdbfe, {}, [@BATADV_ATTR_GW_MODE={0x5, 0x33, 0x2}, @BATADV_ATTR_ELP_INTERVAL={0x8, 0x3a, 0x472e}, @BATADV_ATTR_FRAGMENTATION_ENABLED={0x5}]}, 0x2c}, 0x1, 0x0, 0x0, 0x8000}, 0x40040) 00:30:20 executing program 4: r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$BATADV_CMD_SET_VLAN(r0, &(0x7f00000000c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x400}, 0xc, &(0x7f0000000080)={&(0x7f0000000040)={0x1c, 0x0, 0x10, 0x70bd29, 0x25dfdbff, {}, [@BATADV_ATTR_ELP_INTERVAL={0x8, 0x3a, 0x8c0d}]}, 0x1c}, 0x1, 0x0, 0x0, 0x40080c0}, 0x24030094) setsockopt$packet_int(0xffffffffffffffff, 0x107, 0x12, &(0x7f0000000100)=0xab, 0x4) connect$packet(0xffffffffffffffff, &(0x7f0000000140)={0x11, 0x7, 0x0, 0x1, 0xf8, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x3}}, 0x14) r1 = accept4$packet(0xffffffffffffffff, &(0x7f0000000180)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @dev}, &(0x7f00000001c0)=0x14, 0x100000) getpeername$packet(r1, &(0x7f0000000200), &(0x7f0000000240)=0x14) sendmsg$BATADV_CMD_GET_BLA_CLAIM(0xffffffffffffffff, &(0x7f0000000340)={&(0x7f0000000280)={0x10, 0x0, 0x0, 0x400000}, 0xc, &(0x7f0000000300)={&(0x7f00000002c0)={0x2c, 0x0, 0x200, 0x70bd26, 0x25dfdbfc, {}, [@BATADV_ATTR_ISOLATION_MARK={0x8, 0x2b, 0x5}, @BATADV_ATTR_FRAGMENTATION_ENABLED={0x5}, @BATADV_ATTR_THROUGHPUT_OVERRIDE={0x8, 0x3b, 0x8}]}, 0x2c}, 0x1, 0x0, 0x0, 0x85}, 0x40000) r3 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$BATADV_CMD_SET_MESH(r3, &(0x7f0000000480)={&(0x7f0000000380)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f0000000440)={&(0x7f00000003c0)={0x54, 0x0, 0x300, 0x70bd26, 0x25dfdbff, {}, [@BATADV_ATTR_ISOLATION_MARK={0x8, 0x2b, 0x8001}, @BATADV_ATTR_HOP_PENALTY={0x5, 0x35, 0xf9}, @BATADV_ATTR_GW_MODE={0x5}, @BATADV_ATTR_HOP_PENALTY={0x5, 0x35, 0x5}, @BATADV_ATTR_MULTICAST_FORCEFLOOD_ENABLED={0x5, 0x37, 0x1}, @BATADV_ATTR_GW_BANDWIDTH_UP={0x8, 0x32, 0x20}, @BATADV_ATTR_AP_ISOLATION_ENABLED={0x5}, @BATADV_ATTR_HARD_IFINDEX={0x8, 0x6, r2}]}, 0x54}, 0x1, 0x0, 0x0, 0x104}, 0x10880) r4 = openat$zero(0xffffffffffffff9c, &(0x7f00000004c0), 0x123000, 0x0) sendmsg$BATADV_CMD_GET_MESH(r4, &(0x7f00000005c0)={&(0x7f0000000500)={0x10, 0x0, 0x0, 0x2}, 0xc, &(0x7f0000000580)={&(0x7f0000000540)={0x34, 0x0, 0x800, 0x70bd2d, 0x25dfdbfb, {}, [@BATADV_ATTR_ORIG_INTERVAL={0x8, 0x39, 0x7ff}, @BATADV_ATTR_THROUGHPUT_OVERRIDE={0x8, 0x3b, 0x2}, @BATADV_ATTR_FRAGMENTATION_ENABLED={0x5}, @BATADV_ATTR_AP_ISOLATION_ENABLED={0x5}]}, 0x34}, 0x1, 0x0, 0x0, 0x1}, 0x20000040) sendto$packet(r1, &(0x7f0000000600)="19f098f8835dd233cf3427aff2a55312274365f7141edff51fef013e89ab86ba2b2fcaab47e95b2895e1a8ed4393556d24b88c2b", 0x34, 0x1, 0x0, 0x0) sendmsg$BATADV_CMD_GET_MESH(0xffffffffffffffff, &(0x7f0000000740)={&(0x7f0000000640)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000700)={&(0x7f0000000680)={0x60, 0x0, 0x2, 0x70bd2d, 0x25dfdbfe, {}, [@BATADV_ATTR_HOP_PENALTY={0x5, 0x35, 0x1}, @BATADV_ATTR_BRIDGE_LOOP_AVOIDANCE_ENABLED={0x5, 0x2e, 0x1}, @BATADV_ATTR_GW_SEL_CLASS={0x8, 0x34, 0x2}, @BATADV_ATTR_DISTRIBUTED_ARP_TABLE_ENABLED={0x5}, @BATADV_ATTR_BRIDGE_LOOP_AVOIDANCE_ENABLED={0x5, 0x2e, 0x1}, @BATADV_ATTR_AGGREGATED_OGMS_ENABLED={0x5, 0x29, 0x1}, @BATADV_ATTR_ORIG_ADDRESS={0xa, 0x9, @local}, @BATADV_ATTR_GW_SEL_CLASS={0x8, 0x34, 0x3}, @BATADV_ATTR_ELP_INTERVAL={0x8, 0x3a, 0x8}]}, 0x60}, 0x1, 0x0, 0x0, 0xc000}, 0x1) r5 = syz_genetlink_get_family_id$batadv(&(0x7f00000007c0), r3) sendmsg$BATADV_CMD_TP_METER(0xffffffffffffffff, &(0x7f0000000880)={&(0x7f0000000780)={0x10, 0x0, 0x0, 0x200}, 0xc, &(0x7f0000000840)={&(0x7f0000000800)={0x2c, r5, 0x200, 0x70bd28, 0x25dfdbff, {}, [@BATADV_ATTR_HOP_PENALTY={0x5, 0x35, 0x7d}, @BATADV_ATTR_ELP_INTERVAL={0x8, 0x3a, 0x10000}, @BATADV_ATTR_ORIG_INTERVAL={0x8, 0x39, 0x5}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4081}, 0x8010) r6 = syz_genetlink_get_family_id$batadv(&(0x7f0000000900), r0) sendmsg$BATADV_CMD_GET_GATEWAYS(r4, &(0x7f00000009c0)={&(0x7f00000008c0)={0x10, 0x0, 0x0, 0x200000}, 0xc, &(0x7f0000000980)={&(0x7f0000000940)={0x24, r6, 0x300, 0x70bd26, 0x25dfdbfd, {}, [@BATADV_ATTR_BONDING_ENABLED={0x5, 0x2d, 0x1}, @BATADV_ATTR_FRAGMENTATION_ENABLED={0x5}]}, 0x24}}, 0x4) getsockopt$packet_buf(r1, 0x107, 0x1, &(0x7f0000000a00)=""/221, &(0x7f0000000b00)=0xdd) socket$nl_generic(0x10, 0x3, 0x10) sendmsg$BATADV_CMD_GET_MCAST_FLAGS(r3, &(0x7f0000000c40)={&(0x7f0000000b40)={0x10, 0x0, 0x0, 0x400}, 0xc, &(0x7f0000000c00)={&(0x7f0000000bc0)={0x34, 0x0, 0x602, 0x70bd2d, 0x25dfdbff, {}, [@BATADV_ATTR_BRIDGE_LOOP_AVOIDANCE_ENABLED={0x5, 0x2e, 0x1}, @BATADV_ATTR_GW_BANDWIDTH_UP={0x8, 0x32, 0x43e}, @BATADV_ATTR_ELP_INTERVAL={0x8, 0x3a, 0x8}, @BATADV_ATTR_MULTICAST_FORCEFLOOD_ENABLED={0x5}]}, 0x34}, 0x1, 0x0, 0x0, 0x4000}, 0x800) 00:30:20 executing program 5: r0 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000), 0x204240, 0x0) setsockopt$inet_tcp_TCP_REPAIR_QUEUE(r0, 0x6, 0x14, &(0x7f0000000040), 0x4) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = openat$cdrom(0xffffffffffffff9c, &(0x7f0000000080), 0x248000, 0x0) ioctl$CDROMREADALL(r2, 0x5318, &(0x7f00000000c0)) ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r1, 0x8933, &(0x7f0000000b80)={'batadv0\x00', 0x0}) sendmsg$BATADV_CMD_GET_BLA_BACKBONE(r0, &(0x7f0000000c80)={&(0x7f0000000b40)={0x10, 0x0, 0x0, 0x8000000}, 0xc, &(0x7f0000000c40)={&(0x7f0000000bc0)={0x44, 0x0, 0x200, 0x70bd2a, 0x25dfdbfe, {}, [@BATADV_ATTR_MESH_IFINDEX={0x8}, @BATADV_ATTR_BONDING_ENABLED={0x5}, @BATADV_ATTR_ORIG_INTERVAL={0x8, 0x39, 0x8dd1}, @BATADV_ATTR_ISOLATION_MASK={0x8, 0x2c, 0x7fffffff}, @BATADV_ATTR_GW_BANDWIDTH_DOWN={0x8, 0x31, 0x6}, @BATADV_ATTR_MESH_IFINDEX={0x8, 0x3, r3}]}, 0x44}, 0x1, 0x0, 0x0, 0x90}, 0x2000c080) socketpair(0x10, 0x4, 0x3, &(0x7f0000000cc0)={0xffffffffffffffff, 0xffffffffffffffff}) setsockopt$inet_tcp_buf(r4, 0x6, 0xd, &(0x7f0000000d00)="2c31895f944d8880f5e28a8a4c1a5c3d5fe4f8e567648b8e2a3f475191fbfa6207225db0298268087c7c0386c9df0fa0eef32c46a47b8a9a14597492be895d71621ee245ed26c971bd6ca6ac80d9c43b822fc7d57d8dc2b3f443b6f821c902420f9057f5c0cd633efb0ea900274791e62cc8a3a5f8aaae1ddda487d4b61a978cf0b659949241371a1a23ae16808f39a74c8b24415534ac9f770a7d684c2d60052d31b2dc4222360837f9a294376c84d46e02cf8fee98", 0xb6) bind$unix(r4, &(0x7f0000000dc0)=@file={0x0, './file0\x00'}, 0x6e) r5 = openat$zero(0xffffffffffffff9c, &(0x7f0000000e40), 0x200, 0x0) setsockopt$inet_tcp_int(r5, 0x6, 0x6, &(0x7f0000000e80)=0x2, 0x4) syz_io_uring_submit(0x0, 0x0, &(0x7f0000000f00)=@IORING_OP_WRITE={0x17, 0x2, 0x2000, @fd_index=0x7, 0x1f, &(0x7f0000000ec0)="da78b8eb7e26aeeaebfdd515004270421753f16fdd270a", 0x17, 0x1}, 0xfffeffff) ioctl$ifreq_SIOCGIFINDEX_batadv_hard(0xffffffffffffffff, 0x8933, &(0x7f0000000f40)={'batadv_slave_1\x00'}) setsockopt$inet_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, &(0x7f0000000f80), 0x4) getsockopt$inet_mtu(r4, 0x0, 0xa, &(0x7f0000000fc0), &(0x7f0000001000)=0x4) setsockopt$inet_tcp_TCP_CONGESTION(r5, 0x6, 0xd, &(0x7f0000001040)='scalable\x00', 0x9) r6 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) sendmsg$NL802154_CMD_GET_WPAN_PHY(r6, &(0x7f0000001180)={&(0x7f0000001080)={0x10, 0x0, 0x0, 0x80100080}, 0xc, &(0x7f0000001140)={&(0x7f00000010c0)={0x68, 0x0, 0x100, 0x70bd2b, 0x25dfdbff, {}, [@NL802154_ATTR_WPAN_PHY={0x8, 0x1, 0x1}, @NL802154_ATTR_WPAN_DEV={0xc}, @NL802154_ATTR_IFINDEX={0x8}, @NL802154_ATTR_WPAN_DEV={0xc, 0x6, 0x200000002}, @NL802154_ATTR_IFINDEX={0x8}, @NL802154_ATTR_WPAN_PHY={0x8, 0x1, 0x3}, @NL802154_ATTR_IFINDEX={0x8}, @NL802154_ATTR_IFINDEX={0x8}, @NL802154_ATTR_WPAN_DEV={0xc, 0x6, 0x3}]}, 0x68}, 0x1, 0x0, 0x0, 0x20000004}, 0x10) ioctl$RTC_WKALM_RD(0xffffffffffffffff, 0x80287010, &(0x7f0000001200)) [ 63.931960] audit: type=1400 audit(1763253020.908:7): avc: denied { execmem } for pid=273 comm="syz-executor.6" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1 [ 65.125770] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 65.128484] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 65.130371] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 65.135536] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 65.138560] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 65.193764] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 65.197851] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 65.202208] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 65.207318] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 65.209895] ================================================================== [ 65.211012] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x66d/0x6d0 [ 65.212011] Read of size 2 at addr ffff88801f4353f8 by task kworker/u11:4/299 [ 65.215283] [ 65.216515] CPU: 0 UID: 0 PID: 299 Comm: kworker/u11:4 Not tainted 6.18.0-rc5-next-20251114 #1 PREEMPT(voluntary) [ 65.216564] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 [ 65.216579] Workqueue: hci2 hci_cmd_work [ 65.216620] Call Trace: [ 65.216631] [ 65.216641] dump_stack_lvl+0xca/0x120 [ 65.216674] print_report+0xcb/0x610 [ 65.216701] ? __virt_addr_valid+0x100/0x5d0 [ 65.216726] ? hci_cmd_work+0x66d/0x6d0 [ 65.216752] ? hci_cmd_work+0x66d/0x6d0 [ 65.216778] kasan_report+0xca/0x100 [ 65.216805] ? hci_cmd_work+0x66d/0x6d0 [ 65.216834] hci_cmd_work+0x66d/0x6d0 [ 65.216862] process_one_work+0x8e1/0x19c0 [ 65.216897] ? __pfx_process_one_work+0x10/0x10 [ 65.216926] ? move_linked_works+0x172/0x270 [ 65.216950] ? assign_work+0x196/0x240 [ 65.216979] worker_thread+0x67e/0xe90 [ 65.217008] ? trace_irq_enable.constprop.0+0xc2/0x100 [ 65.217033] ? __pfx_worker_thread+0x10/0x10 [ 65.217063] kthread+0x3c8/0x740 [ 65.217089] ? __pfx_kthread+0x10/0x10 [ 65.217115] ? ret_from_fork+0x79/0x7a0 [ 65.217135] ? lock_release+0xc8/0x290 [ 65.217167] ? __pfx_kthread+0x10/0x10 [ 65.217194] ret_from_fork+0x67a/0x7a0 [ 65.217214] ? __pfx_ret_from_fork+0x10/0x10 [ 65.217236] ? __switch_to+0x759/0x1060 [ 65.217264] ? __pfx_kthread+0x10/0x10 [ 65.217291] ret_from_fork_asm+0x1a/0x30 [ 65.217325] [ 65.217332] [ 65.238083] Allocated by task 289: [ 65.238597] kasan_save_stack+0x24/0x50 [ 65.239175] kasan_save_track+0x14/0x30 [ 65.239756] __kasan_slab_alloc+0x59/0x70 [ 65.240361] kmem_cache_alloc_node_noprof+0x228/0x6b0 [ 65.241129] __alloc_skb+0x2ab/0x370 [ 65.241684] hci_cmd_sync_alloc+0x34/0x300 [ 65.242313] __hci_cmd_sync_sk+0xf7/0x5c0 [ 65.242926] hci_read_local_features_sync+0x2c/0x170 [ 65.243667] hci_dev_open_sync+0x145c/0x1f60 [ 65.244309] hci_power_on+0xdb/0x5d0 [ 65.244867] process_one_work+0x8e1/0x19c0 [ 65.245491] worker_thread+0x67e/0xe90 [ 65.246058] kthread+0x3c8/0x740 [ 65.246568] ret_from_fork+0x67a/0x7a0 [ 65.247136] ret_from_fork_asm+0x1a/0x30 [ 65.247733] [ 65.247986] Freed by task 297: [ 65.248449] kasan_save_stack+0x24/0x50 [ 65.249042] kasan_save_track+0x14/0x30 [ 65.249622] kasan_save_free_info+0x3a/0x60 [ 65.250255] __kasan_slab_free+0x43/0x70 [ 65.250848] kmem_cache_free+0x26f/0x500 [ 65.251443] kfree_skbmem+0x18a/0x1f0 [ 65.252007] sk_skb_reason_drop+0x10e/0x1b0 [ 65.252632] vhci_read+0x3d5/0x5d0 [ 65.253155] vfs_read+0x1eb/0xc70 [ 65.253676] ksys_read+0x121/0x240 [ 65.254195] do_syscall_64+0xbf/0x430 [ 65.254762] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 65.255505] [ 65.255756] The buggy address belongs to the object at ffff88801f4353c0 [ 65.255756] which belongs to the cache skbuff_head_cache of size 232 [ 65.257590] The buggy address is located 56 bytes inside of [ 65.257590] freed 232-byte region [ffff88801f4353c0, ffff88801f4354a8) [ 65.259287] [ 65.259542] The buggy address belongs to the physical page: [ 65.260344] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f435 [ 65.261483] memcg:ffff88801f553c01 [ 65.262001] flags: 0x100000000000000(node=0|zone=1) [ 65.262727] page_type: f5(slab) [ 65.263214] raw: 0100000000000000 ffff8880096c78c0 dead000000000122 0000000000000000 [ 65.264315] raw: 0000000000000000 00000000800c000c 00000000f5000000 ffff88801f553c01 [ 65.265425] page dumped because: kasan: bad access detected [ 65.266227] [ 65.266481] Memory state around the buggy address: [ 65.267187] ffff88801f435280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 65.268215] ffff88801f435300: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc [ 65.269253] >ffff88801f435380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 65.270289] ^ [ 65.271308] ffff88801f435400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 65.272337] ffff88801f435480: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc [ 65.273382] ================================================================== [ 65.274529] Disabling lock debugging due to kernel taint [ 65.288190] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 65.308558] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 65.310347] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 65.311963] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1 [ 65.312411] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 65.313367] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9 [ 65.314407] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 65.315213] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9 [ 65.317599] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 65.319136] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1 [ 65.320732] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9 [ 65.322344] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9 [ 65.323559] Bluetooth: hci6: unexpected cc 0x0c03 length: 249 > 1 [ 65.328014] Bluetooth: hci7: unexpected cc 0x0c03 length: 249 > 1 [ 65.329443] Bluetooth: hci7: unexpected cc 0x1003 length: 249 > 9 [ 65.331048] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 65.332711] Bluetooth: hci7: unexpected cc 0x1001 length: 249 > 9 [ 65.334350] Bluetooth: hci6: unexpected cc 0x1003 length: 249 > 9 [ 65.338045] Bluetooth: hci6: unexpected cc 0x1001 length: 249 > 9 [ 65.339138] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4 [ 65.342682] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 65.346145] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4 [ 65.347967] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 65.351854] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 65.353396] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2 [ 65.355227] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 65.361883] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2 [ 65.363049] Bluetooth: hci7: unexpected cc 0x0c23 length: 249 > 4 [ 65.366552] Bluetooth: hci6: unexpected cc 0x0c23 length: 249 > 4 [ 65.368036] Bluetooth: hci6: unexpected cc 0x0c38 length: 249 > 2 [ 65.377319] Bluetooth: hci7: unexpected cc 0x0c38 length: 249 > 2 [ 67.157583] Bluetooth: hci0: command tx timeout [ 67.349237] Bluetooth: hci1: command tx timeout [ 67.412703] Bluetooth: hci3: command tx timeout [ 67.413455] Bluetooth: hci5: command tx timeout [ 67.414170] Bluetooth: hci4: command tx timeout [ 67.478139] Bluetooth: hci6: command tx timeout [ 67.478666] Bluetooth: hci7: command tx timeout [ 67.479847] Bluetooth: hci2: command tx timeout [ 69.205134] Bluetooth: hci0: command tx timeout [ 69.397125] Bluetooth: hci1: command tx timeout [ 69.461168] Bluetooth: hci4: command tx timeout [ 69.461604] Bluetooth: hci5: command tx timeout [ 69.461951] Bluetooth: hci3: command tx timeout [ 69.524145] Bluetooth: hci2: command tx timeout [ 69.524591] Bluetooth: hci7: command tx timeout [ 69.524939] Bluetooth: hci6: command tx timeout [ 71.254187] Bluetooth: hci0: command tx timeout [ 71.445111] Bluetooth: hci1: command tx timeout [ 71.510209] Bluetooth: hci3: command tx timeout [ 71.510641] Bluetooth: hci5: command tx timeout [ 71.510989] Bluetooth: hci4: command tx timeout [ 71.573160] Bluetooth: hci6: command tx timeout [ 71.573584] Bluetooth: hci7: command tx timeout [ 71.573937] Bluetooth: hci2: command tx timeout [ 73.301308] Bluetooth: hci0: command tx timeout [ 73.493104] Bluetooth: hci1: command tx timeout [ 73.556185] Bluetooth: hci4: command tx timeout [ 73.556927] Bluetooth: hci5: command tx timeout [ 73.557745] Bluetooth: hci3: command tx timeout [ 73.621795] Bluetooth: hci6: command tx timeout [ 73.623640] Bluetooth: hci7: command tx timeout [ 73.624370] Bluetooth: hci2: command tx timeout VM DIAGNOSIS: 00:30:22 Registers: info registers vcpu 0 RAX=0000000000000005 RBX=00000000000003f9 RCX=0000000000000000 RDX=00000000000003f9 RSI=ffffffff8293dd05 RDI=ffffffff889747c0 RBP=ffffffff88974780 RSP=ffff88801767f618 R8 =0000000000000000 R9 =ffffed100157f046 R10=0000000000000000 R11=fffffffffffc9978 R12=0000000000000005 R13=0000000000000010 R14=ffffffff88974780 R15=ffffffff8293dcf0 RIP=ffffffff8293dd5d RFL=00000006 [-----P-] CPL=0 II=0 A20=1 SMM=0 HLT=0 ES =0000 0000000000000000 00000000 00000000 CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA] SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA] DS =0000 0000000000000000 00000000 00000000 FS =0000 0000000000000000 00000000 00000000 GS =0000 ffff8880e538f000 00000000 00000000 LDT=0000 fffffe7c00000000 00000000 00000000 TR =0040 fffffe0000003000 00004087 00008b00 DPL=0 TSS64-busy GDT= fffffe0000001000 0000007f IDT= fffffe0000000000 00000fff CR0=80050033 CR2=00007fc807bc9368 CR3=000000000b83e000 CR4=00350ef0 DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 DR6=00000000ffff0ff0 DR7=0000000000000400 EFER=0000000000000d01 FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80 FPR0=0000000000000000 0000 FPR1=0000000000000000 0000 FPR2=0000000000000000 0000 FPR3=0000000000000000 0000 FPR4=0000000000000000 0000 FPR5=0000000000000000 0000 FPR6=0000000000000000 0000 FPR7=0000000000000000 0000 XMM00=00000000000000000000000000000000 XMM01=00007f9d93ed67c000007f9d93ed67c8 XMM02=00007f9d93ed67e000007f9d93ed67c0 XMM03=00007f9d93ed67c800007f9d93ed67c0 XMM04=ffffffffffffffffffffffffffffff00 XMM05=00000000000000000000000000000000 XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000 XMM08=00000000000000000000000000000000 XMM09=00000000000000000000000000000000 XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000 XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000 XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000 info registers vcpu 1 RAX=0000000000000000 RBX=0000000000000000 RCX=0000000000000000 RDX=0000000000092800 RSI=ffff88801f42d000 RDI=ffff888008c4b780 RBP=00000000000000e8 RSP=ffff8880163076d0 R8 =ffff88801f42d000 R9 =0000000000000000 R10=ffffed1003e85a00 R11=0000000000000001 R12=ffff88801f42d000 R13=0000000000092800 R14=ffff888008c4b780 R15=0000000000092800 RIP=ffffffff81b2edbe RFL=00000246 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=0 ES =0000 0000000000000000 00000000 00000000 CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA] SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA] DS =0000 0000000000000000 00000000 00000000 FS =0000 00007fc807bc1540 00000000 00000000 GS =0000 ffff8880e548f000 00000000 00000000 LDT=0000 fffffe5800000000 00000000 00000000 TR =0040 fffffe000004a000 00004087 00008b00 DPL=0 TSS64-busy GDT= fffffe0000048000 0000007f IDT= fffffe0000000000 00000fff CR0=80050033 CR2=00007f6afe4d39dc CR3=000000001f47d000 CR4=00350ef0 DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 DR6=00000000ffff0ff0 DR7=0000000000000400 EFER=0000000000000d01 FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80 FPR0=0000000000000000 0000 FPR1=0000000000000000 0000 FPR2=0000000000000000 0000 FPR3=0000000000000000 0000 FPR4=0000000000000000 0000 FPR5=0000000000000000 0000 FPR6=0000000000000000 0000 FPR7=0000000000000000 0000 XMM00=000000ff0000000000000000000000ff XMM01=ffffff0000ff00ffffffffffffffff00 XMM02=494c4700362e322e325f4342494c4700 XMM03=00000000000000000000000000004700 XMM04=4342494c4700362e322e325f4342494c XMM05=00000000000000000000000000000000 XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000 XMM08=00000000000000000000000000000000 XMM09=00000000000000000000000000000000 XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000 XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000 XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000