Warning: Permanently added '[localhost]:35405' (ECDSA) to the list of known hosts.
2025/11/16 09:50:03 fuzzer started
2025/11/16 09:50:03 dialing manager at localhost:37161
syzkaller login: [   51.235713] cgroup: Unknown subsys name 'net'
[   51.290982] cgroup: Unknown subsys name 'cpuset'
[   51.303593] cgroup: Unknown subsys name 'rlimit'
2025/11/16 09:50:14 syscalls: 200
2025/11/16 09:50:14 code coverage: enabled
2025/11/16 09:50:14 comparison tracing: enabled
2025/11/16 09:50:14 extra coverage: enabled
2025/11/16 09:50:14 setuid sandbox: enabled
2025/11/16 09:50:14 namespace sandbox: enabled
2025/11/16 09:50:14 Android sandbox: enabled
2025/11/16 09:50:14 fault injection: enabled
2025/11/16 09:50:14 leak checking: enabled
2025/11/16 09:50:14 net packet injection: enabled
2025/11/16 09:50:14 net device setup: enabled
2025/11/16 09:50:14 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2025/11/16 09:50:14 devlink PCI setup: PCI device 0000:00:10.0 is not available
2025/11/16 09:50:14 USB emulation: enabled
2025/11/16 09:50:14 hci packet injection: enabled
2025/11/16 09:50:14 wifi device emulation: enabled
2025/11/16 09:50:14 802.15.4 emulation: enabled
2025/11/16 09:50:14 fetching corpus: 0, signal 0/0 (executing program)
2025/11/16 09:50:16 starting 8 fuzzer processes
09:50:16 executing program 0:
getegid()
getegid()
ioctl$RNDADDENTROPY(0xffffffffffffffff, 0x40085203, &(0x7f0000000000)={0x3, 0xd8, "5dd63f563479113ffff80a0c974fe4a9c8adfaec36d6c7e327b263f0c1d139a822472d8b579a50605e41d680f1bdb65d90e3877c26cfddc8f1f461be8129cb16bb9ab7288e4b77c3473afecf3e52b3c415348283b7ace538970a662e119d5d6181a07d0835ec0ffc77beafdddfaca540b754cbd30e255905dcf107faa123a3104eccc5ba8defed283df54344fcaec97c20bb007027968c81b8dad849b7c61c0bcd2ea55ebc74c39b7b67e1d4bebce00aaa07d4f350775aade9691f329d6f52ec02bda7f3302711c0f06a966d37daedbf4593801ed1eef32e"})
r0 = syz_open_dev$mouse(&(0x7f0000000100), 0x48ec2027, 0x802)
sendmsg$NL80211_CMD_UPDATE_CONNECT_PARAMS(r0, &(0x7f00000008c0)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x400}, 0xc, &(0x7f0000000880)={&(0x7f0000000180)={0x6f8, 0x0, 0x10, 0x70bd2a, 0x25dfdbfb, {{}, {@val={0x8}, @val={0xc, 0x99, {0x200, 0x63}}}}, [@fils_params=[@NL80211_ATTR_FILS_ERP_USERNAME={0xa, 0xf9, "8509d0f68987"}, @NL80211_ATTR_FILS_ERP_USERNAME={0xc, 0xf9, "2a4703e5e2138fa4"}, @NL80211_ATTR_FILS_ERP_RRK={0xdb, 0xfc, "eb4b48bf18bfadf2d7420c73f6522df50451e9b18941f039efdfb957c7ec8f0391abfa5ca517e138232828985e177ca5b3bb07e266c8e50c20728829b24cb59573ad286d380cefa5564f4f785c7f5aaa7d819d3605c0a7c70680f6f601c8566c65d21afcba3567087831e955949b0063f87549deb5f26580b34b89b75b95c389793ee64b23c53b939976b077cef1a9653772845ea25ddb5b20b377b535f4b529577d76feac569dcaa3faa8bac60a03f20b0dd42ea97f733575b637a26021feae65f540f5119ba1f32931b699a307954d4133b1d30ee919"}], @NL80211_ATTR_IE={0x2d, 0x2a, [@tim={0x5, 0x27, {0xb, 0xa7, 0xff, "9a489571671f51ee20f8778528cd521b0600c26942a5e8c373ff2834c18a9ef491d0ecf2"}}]}, @fils_params=[@NL80211_ATTR_FILS_ERP_RRK={0xc1, 0xfc, "b24cd5e85f08d461a143aa1898253725d8d986b33f67429665ffa88a1bceda359642830835a6aefe15d346aadc17cb510d6550fc8383b3ec914d1fb6af321ebfb20320edb2a5df5e10e724079f26b8ed06502232a744647f37e1c6344040401a4d411ceddb4c6b5da45284597f38d4d74504a1d812b264d08ebaf5747dba2686f372f58539ea5d13fa8cc06cfc10c0f78522d5ba211939450adb7d7882eb0d9c13e1c87e21da201fdfd66940cf73eab0239d342539ad61e394c724d07d"}], @fils_params=[@NL80211_ATTR_FILS_ERP_RRK={0x101, 0xfc, "dc4844b459d9f858f371311f7a46f9e1d8e5bdd27eba549795af7fe2f3c7bb73f516a24e94754e1db41c5e70a5874377021611b4fe84d12e65ec36b75ee8d3991d6781f2b7b588e3139ada3daa3d855b54882c9e45e956649f09b4f42abf0bbc105ecc1e4d7fc9e20c7b6b60dd4669eb4835522a156236fab3031699cd7d0fa9765bf5f9044372e4a43770a9648d62deeb94bf1868ae1096a2b763e862f53914df688ca8cf3fddb1e5f3fb2230a7e4d2e86cdde5cd05d00e15ab82ffb33cadc8b809b320071774ce2738a7232978b52c01f1de0af08e89c26976931181dd0a2129916a2f5f6f1879e6e383e5f297bae4a28d6ca89732ff0458ed29976e"}, @NL80211_ATTR_FILS_ERP_USERNAME={0xf, 0xf9, "0b96157ae32dc71732562c"}, @NL80211_ATTR_FILS_ERP_USERNAME={0x10, 0xf9, "cead824beea71e279c97ac7b"}], @fils_params=[@NL80211_ATTR_FILS_ERP_RRK={0xa5, 0xfc, "bd53109d472ea96bcdd9f0f4974dcb1a119f66b623e46a2c48c84da18b677ca61fe78a6dd1edcaf041d3570f56b98b0e31a9f807cb238f6907b7ecd12db4089a65d645135a545282c6eb6f3ca0c25a91a439b3f84d6aaeb178f812d9d63622e8c4a038c10fe095682b42130f89a9bb62eabd7f4cec6ab24c3603c2814736cec8903c6e1535a15675ce8c505a5bac8b1b893ea638dd8a81e682b12c78e2e7da66b9"}, @NL80211_ATTR_FILS_ERP_USERNAME={0x11, 0xf9, "9b0140bdc6a7ede7eaab44162a"}], @fils_params=[@NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM={0x6, 0xfb, 0x3ff}, @NL80211_ATTR_FILS_ERP_USERNAME={0x14, 0xf9, "c84bf594b058b90131c502e0720750ff"}, @NL80211_ATTR_FILS_ERP_USERNAME={0x7, 0xf9, '03-'}], @fils_params=[@NL80211_ATTR_FILS_ERP_USERNAME={0xf, 0xf9, "7f13d0a06920390db89017"}, @NL80211_ATTR_FILS_ERP_USERNAME={0x4}, @NL80211_ATTR_FILS_ERP_USERNAME={0x10, 0xf9, "48b6d0f286bae305c6af6426"}, @NL80211_ATTR_FILS_ERP_RRK={0x26, 0xfc, "4fc84aa44331c40a387c3daed48cf0d0464dc010ec1d1f80bc0f7bd3b62f6bae360f"}, @NL80211_ATTR_FILS_ERP_USERNAME={0x10, 0xf9, "bc2eabf0f2e9a4084c3c8572"}, @NL80211_ATTR_FILS_ERP_RRK={0x80, 0xfc, "599e00864f6bf5d05b60be5a55dfb90249c0f76f4f81bf65767ce4083b23599f23890b5a2c47175be3f89bf39c44969f94fa04a741f3dfeb7cec18e5e63f83bcbafc79d2460023941c0b1a3d6727f77b67840f2425c0d3109714637396eaf00086655f58378d719e9f44b2a26bde5d904e38a6f515efcc786a743f8f"}, @NL80211_ATTR_FILS_ERP_RRK={0xdd, 0xfc, "6dc963b81251988bd345954cb523616de6b35b742de5ffc4fdffc6e35b2fe66ae60f8bb678bddcaafe4e3b08488d49b1c3e49108bc76e8170698f555018b52ef87f972473b21e62afc7ead93e80ca836d67460afbb71e1d642351df86113ac6ecdedbc171ee2cca6029703ae8327ae2ae3b0c4aa32ca0e2b7bfdea951a644cd28d899520e8b2c9c93797f16421db8cf6e62f2fbb38cfc150f70b266ff0596900e4dbda7cc988b218084c84e243402a915af9251c88ebb3f34e547fab753f989cc52837abfa96d84e19cdee81a55902cd56ce24c8c60e0358ac"}, @NL80211_ATTR_FILS_ERP_RRK={0x33, 0xfc, "60d179d3d738cc2370ea99967eaf913847743feea0b9b4b2afce5b5dcec81b0f9b2511a86226d03becbb755e98f71b"}, @NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM={0x6, 0xfb, 0x29}], @NL80211_ATTR_IE={0xe9, 0x2a, [@cf={0x4, 0x6, {0x1f, 0x0, 0x7f, 0x194a}}, @channel_switch={0x25, 0x3, {0x1, 0x4, 0x81}}, @ibss={0x6, 0x2, 0x101}, @tim={0x5, 0xa5, {0x7, 0xe9, 0x3, "9ed2877a0e4d2b8f4cf3417ab259edb06b4cbad2386dcebd3566bafb8f31a2bb47e3b75a6b64652be1241b435a88a7a296ce90e7fc181ac0f71cb5087ef805dc12f2140243a2ad9f2df5f0b422273dd974d0378908935e16f75afc082f34c12498035b987f3cd921308a856a3183e7800918b7dc3076fefef80254a6391a99216fc1b201bc51fb14f026d021fb933caf49087826bcef1ed31a44a2a08605fb9cac4d"}}, @prep={0x83, 0x1f, @not_ext={{}, 0x4, 0x3, @device_a, 0x2, "", 0x4, 0x8, @device_a, 0x1}}, @mesh_id={0x72, 0x6}, @ibss={0x6, 0x2, 0x412e}]}]}, 0x6f8}}, 0x40)
setsockopt$inet6_MRT6_DEL_MFC(r0, 0x29, 0xcd, &(0x7f0000000900)={{0xa, 0x4e21, 0x1, @private0={0xfc, 0x0, '\x00', 0x1}, 0x100}, {0xa, 0x4e24, 0x4, @remote, 0xffffffff}, 0x2b04, [0x0, 0x9, 0x2, 0x8000, 0x40, 0x3, 0x3e6e1c1c]}, 0x5c)
r1 = socket(0x26, 0xa, 0x8)
setsockopt$inet6_opts(r1, 0x29, 0x36, &(0x7f0000000980)=@routing={0x4, 0xa, 0x0, 0x40, 0x0, [@private2={0xfc, 0x2, '\x00', 0x1}, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', @empty, @ipv4={'\x00', '\xff\xff', @multicast2}, @private1]}, 0x58)
ioctl$TIOCMBIS(r0, 0x5416, &(0x7f0000000a00)=0x3464)
recvmsg$unix(0xffffffffffffffff, &(0x7f0000000b80)={0x0, 0x0, &(0x7f0000000a80)=[{&(0x7f0000000a40)=""/48, 0x30}], 0x1, &(0x7f0000000ac0)=[@cred={{0x1c}}, @rights={{0x24, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, <r4=>0xffffffffffffffff]}}], 0xa8}, 0x40010002)
getegid()
r5 = syz_open_dev$tty1(0xc, 0x4, 0x4)
ioctl$TIOCL_GETSHIFTSTATE(r5, 0x541c, &(0x7f0000000bc0))
bind$bt_sco(r4, &(0x7f0000000c00), 0x8)
r6 = openat$sr(0xffffffffffffff9c, &(0x7f0000000c40), 0x28300, 0x0)
write$cgroup_pressure(r6, &(0x7f0000000c80)={'full', 0x20, 0x1ff, 0x20, 0x159}, 0x2f)
ioctl$VT_GETSTATE(r3, 0x5603, &(0x7f0000000cc0)={0xe7ae, 0x8, 0x5})
ioctl$KDFONTOP_COPY(r0, 0x4b72, &(0x7f0000001100)={0x3, 0x0, 0x7, 0x19, 0x65, &(0x7f0000000d00)})
sendmsg$NL80211_CMD_START_NAN(r2, &(0x7f0000001200)={&(0x7f0000001140)={0x10, 0x0, 0x0, 0x800000}, 0xc, &(0x7f00000011c0)={&(0x7f0000001180)={0x28, 0x0, 0x40b, 0x70bd29, 0x25dfdbfb, {{}, {@void, @val={0xc, 0x99, {0x8001, 0x2f}}}}, [@NL80211_ATTR_NAN_MASTER_PREF={0x5, 0xee, 0x9}]}, 0x28}, 0x1, 0x0, 0x0, 0x2c000000}, 0x4000000)
ioctl$TIOCL_GETMOUSEREPORTING(r3, 0x541c, &(0x7f0000001240))

09:50:16 executing program 1:
getsockopt$bt_sco_SCO_CONNINFO(0xffffffffffffffff, 0x11, 0x2, &(0x7f0000000000)=""/139, &(0x7f00000000c0)=0x8b)
r0 = accept4$unix(0xffffffffffffffff, &(0x7f0000000100), &(0x7f0000000180)=0x6e, 0x0)
r1 = add_key$keyring(&(0x7f00000001c0), &(0x7f0000000200)={'syz', 0x2}, 0x0, 0x0, 0xffffffffffffffff)
ioctl$KDFONTOP_COPY(0xffffffffffffffff, 0x4b72, &(0x7f0000000640)={0x3, 0x0, 0x6, 0x18, 0x172, &(0x7f0000000240)})
getsockopt$bt_sco_SCO_CONNINFO(0xffffffffffffffff, 0x11, 0x2, &(0x7f0000000680)=""/206, &(0x7f0000000780)=0xce)
add_key$fscrypt_v1(&(0x7f00000007c0), &(0x7f0000000800)={'fscrypt:', @desc3}, &(0x7f0000000840)={0x0, "147b081cc567a567ce31df7b4ec0a928bd99e3e445c4d045b03301d99a2bd159f4c58999afa90742b88c60c81bb6594f9e51a5940c635825ba086c3c12448938", 0x1b}, 0x48, 0xfffffffffffffff8)
r2 = accept4$unix(r0, &(0x7f00000008c0), &(0x7f0000000940)=0x6e, 0x0)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r2, 0x8933, &(0x7f0000000980)={'batadv_slave_0\x00', <r3=>0x0})
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000a00), 0xffffffffffffffff)
sendmsg$NL80211_CMD_ADD_TX_TS(r4, &(0x7f0000000ac0)={&(0x7f00000009c0)={0x10, 0x0, 0x0, 0x40}, 0xc, &(0x7f0000000a80)={&(0x7f0000000a40)={0x24, r5, 0x200, 0x70bd2b, 0x25dfdbfc, {{}, {@void, @void}}, [@NL80211_ATTR_USER_PRIO={0x5, 0xd3, 0x6}, @NL80211_ATTR_TSID={0x5, 0xd2, 0x7}]}, 0x24}, 0x1, 0x0, 0x0, 0x8000}, 0x0)
r6 = request_key(&(0x7f0000000b00)='cifs.spnego\x00', &(0x7f0000000b40)={'syz', 0x3}, &(0x7f0000000b80)='#\x00', r1)
setsockopt$inet6_MRT6_DEL_MFC(0xffffffffffffffff, 0x29, 0xcd, &(0x7f0000000bc0)={{0xa, 0x4e24, 0x0, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0xb11d}, {0xa, 0x4e23, 0x4, @local, 0x3ff}, 0x3, [0x9, 0x0, 0x5, 0x7fff, 0x156d, 0x1b6, 0x395b, 0x2]}, 0x5c)
r7 = add_key$fscrypt_v1(&(0x7f0000000c40), &(0x7f0000000c80)={'fscrypt:', @auto=[0x37, 0x35, 0x36, 0x35, 0x35, 0x66, 0x37, 0x36, 0x64, 0x30, 0x35, 0x62, 0x30, 0x34, 0x37, 0x61]}, &(0x7f0000000cc0)={0x0, "10fdf4bb4640b22edda183e5c13981091f7776cf3d47cf0310befe77de1b04602f56068020096ecf0e8f9b9091480e759cf6d3f516812715581caf1d55323851", 0x18}, 0x48, r6)
keyctl$restrict_keyring(0x1d, r7, &(0x7f0000000d40)='.request_key_auth\x00', &(0x7f0000000d80)='#\x00')
sendmsg$BATADV_CMD_TP_METER_CANCEL(r4, &(0x7f0000000ec0)={&(0x7f0000000dc0)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f0000000e80)={&(0x7f0000000e00)={0x4c, 0x0, 0x100, 0x70bd2c, 0x25dfdbfc, {}, [@BATADV_ATTR_HARD_IFINDEX={0x8, 0x6, r3}, @BATADV_ATTR_TPMETER_TEST_TIME={0x8}, @BATADV_ATTR_GW_SEL_CLASS={0x8, 0x34, 0xffff}, @BATADV_ATTR_GW_MODE={0x5, 0x33, 0x2}, @BATADV_ATTR_TPMETER_TEST_TIME={0x8, 0xb, 0x3}, @BATADV_ATTR_MULTICAST_FORCEFLOOD_ENABLED={0x5, 0x37, 0x1}, @BATADV_ATTR_TPMETER_TEST_TIME={0x8, 0xb, 0x7}]}, 0x4c}, 0x1, 0x0, 0x0, 0x4000050}, 0x8000)
sendmsg$SMC_PNETID_FLUSH(r4, &(0x7f0000001040)={&(0x7f0000000f00)={0x10, 0x0, 0x0, 0x2000}, 0xc, &(0x7f0000001000)={&(0x7f0000000f40)={0x8c, 0x0, 0x4, 0x70bd28, 0x25dfdbff, {}, [@SMC_PNETID_ETHNAME={0x14, 0x2, 'team_slave_0\x00'}, @SMC_PNETID_IBNAME={0x9, 0x3, 'syz1\x00'}, @SMC_PNETID_NAME={0x9, 0x1, 'syz2\x00'}, @SMC_PNETID_IBNAME={0x9, 0x3, 'syz1\x00'}, @SMC_PNETID_IBPORT={0x5, 0x4, 0x1}, @SMC_PNETID_ETHNAME={0x14, 0x2, 'veth1_to_bond\x00'}, @SMC_PNETID_IBPORT={0x5, 0x4, 0x1}, @SMC_PNETID_ETHNAME={0x14, 0x2, 'bond_slave_1\x00'}, @SMC_PNETID_IBPORT={0x5, 0x4, 0x1}]}, 0x8c}, 0x1, 0x0, 0x0, 0x801}, 0x8004)
recvmsg$unix(r0, &(0x7f0000001800)={&(0x7f0000001080)=@abs, 0x6e, &(0x7f00000016c0)=[{&(0x7f0000001100)=""/104, 0x68}, {&(0x7f0000001180)=""/175, 0xaf}, {&(0x7f0000001240)=""/116, 0x74}, {&(0x7f00000012c0)=""/156, 0x9c}, {&(0x7f0000001380)=""/7, 0x7}, {&(0x7f00000013c0)=""/209, 0xd1}, {&(0x7f00000014c0)=""/71, 0x47}, {&(0x7f0000001540)=""/174, 0xae}, {&(0x7f0000001600)}, {&(0x7f0000001640)=""/126, 0x7e}], 0xa, &(0x7f0000001780)=[@cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [<r8=>0xffffffffffffffff]}}], 0x58}, 0x40010000)
sendmsg$NL80211_CMD_REGISTER_FRAME(r8, &(0x7f0000001b80)={&(0x7f0000001840)={0x10, 0x0, 0x0, 0xc6412101}, 0xc, &(0x7f0000001b40)={&(0x7f0000001880)={0x288, r5, 0x10, 0x70bd25, 0x25dfdbfe, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_FRAME_MATCH={0x88, 0x5b, "eea60aff9d00eb464d36e4ac93f404829f1c3d5d2cba1f44eb7a733224410e022f28f6a7fa62c7164bae3751781d375a509ddef8dc67108477c41c4243b76f8e6b471942d5a328db3aa200a1e98b651717b9bc07fe27337a510961846ebc74d5d4e3776c61099d4e7e64914c94f532e2eb002749d651913eb6efd294791a786d7535bd3a"}, @NL80211_ATTR_FRAME_MATCH={0xc4, 0x5b, "e53115c5e7c9f871a1e8830c851613040375c6c39423a3bfe3cd2994d3abbb836233176ba6251828553857fe5415897bda7d44fd9704228cd14586b033c23a6b216616557ce200448342b5564e122f89482b0c195d01401fdde849034f1e454737eda2aca99456361f6818964e129ed69cc07288f6a505795b32e531e8b43da34e12518cacbab7260f2eac8c303269b9dd180d9c5f7f43ed6783c20a451ece723704c582d9a1a10b985282f11bd9d6a580f93b57d170b0da450d51cd118702d6"}, @NL80211_ATTR_FRAME_MATCH={0x94, 0x5b, "bb83c62f972c869227b2fee21e7067cfbfb90f2de044ecb977a72a5a9d23b5c27c043f46dcc067b5d72b87323598762236421775f3aa1d3777c3e5254e9885cb753065d4fc6eaf78081ec9866f262967dc9758df64277318c2254bafeca7dc315a5cf20fc8f52d7703850e37ee8387680592fc960b973d65cc1993c49fabf2acb8efa732e5dcc062605d0b4a560c58d7"}, @NL80211_ATTR_FRAME_TYPE={0x6, 0x65, 0x5}, @NL80211_ATTR_FRAME_TYPE={0x6, 0x65, 0x5a}, @NL80211_ATTR_FRAME_MATCH={0x7a, 0x5b, "bff434ca21286c289af42b4916dd84ad7368056246c1e50a6e30f87c2ac8359e8fdea3272d8a1ddd9b124357b24b22277d12ea31c25911ab5a61f54454b9af13129c16446876fa5aec3f154c7d6efa047002918ee7f88be4ac12dd5f65f04cc8aca2cdc2c164b24137c68264308273d3c90c5f92d622"}]}, 0x288}, 0x1, 0x0, 0x0, 0x4090}, 0x8805)

09:50:16 executing program 3:
openat$random(0xffffffffffffff9c, &(0x7f0000000000), 0x202800, 0x0)
socketpair(0x2d, 0x4, 0x40, &(0x7f0000000040)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
getpeername$unix(0xffffffffffffffff, &(0x7f0000000080)=@abs, &(0x7f0000000100)=0x6e)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r0, 0x8933, &(0x7f0000000180)={'batadv0\x00', <r3=>0x0})
sendmsg$BATADV_CMD_GET_DAT_CACHE(r2, &(0x7f0000000280)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f0000000240)={&(0x7f00000001c0)={0x50, 0x0, 0x800, 0x70bd2c, 0x25dfdbfd, {}, [@BATADV_ATTR_MULTICAST_FANOUT={0x8, 0x3c, 0x453a04cf}, @BATADV_ATTR_ELP_INTERVAL={0x8, 0x3a, 0x3ad9}, @BATADV_ATTR_BONDING_ENABLED={0x5, 0x2d, 0x3}, @BATADV_ATTR_MESH_IFINDEX={0x8, 0x3, r3}, @BATADV_ATTR_MESH_IFINDEX={0x8}, @BATADV_ATTR_ORIG_ADDRESS={0xa, 0x9, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x29}}, @BATADV_ATTR_GW_BANDWIDTH_DOWN={0x8, 0x31, 0x9}]}, 0x50}, 0x1, 0x0, 0x0, 0x8090}, 0x4040090)
r4 = syz_genetlink_get_family_id$batadv(&(0x7f0000000300), r0)
sendmsg$BATADV_CMD_GET_ROUTING_ALGOS(r2, &(0x7f00000003c0)={&(0x7f00000002c0)={0x10, 0x0, 0x0, 0x40000000}, 0xc, &(0x7f0000000380)={&(0x7f0000000340)={0x1c, r4, 0x8, 0x70bd2a, 0x25dfdbfe, {}, [@BATADV_ATTR_GW_BANDWIDTH_DOWN={0x8, 0x31, 0x320e}]}, 0x1c}, 0x1, 0x0, 0x0, 0x4080}, 0x20000090)
setsockopt$bt_l2cap_L2CAP_LM(r1, 0x6, 0x3, &(0x7f0000000400)=0x1, 0x4)
syz_open_dev$tty1(0xc, 0x4, 0x3)
sendmsg$SMC_PNETID_FLUSH(0xffffffffffffffff, &(0x7f0000000540)={&(0x7f0000000440)={0x10, 0x0, 0x0, 0x200}, 0xc, &(0x7f0000000500)={&(0x7f0000000480)={0x54, 0x0, 0x400, 0x70bd2b, 0x25dfdbfe, {}, [@SMC_PNETID_ETHNAME={0x14, 0x2, 'caif0\x00'}, @SMC_PNETID_IBPORT={0x5, 0x4, 0x1}, @SMC_PNETID_NAME={0x9, 0x1, 'syz0\x00'}, @SMC_PNETID_IBNAME={0x9, 0x3, 'syz0\x00'}, @SMC_PNETID_IBNAME={0x9, 0x3, 'syz2\x00'}]}, 0x54}, 0x1, 0x0, 0x0, 0x4010}, 0x44004045)
sendmsg$BATADV_CMD_TP_METER_CANCEL(r1, &(0x7f0000000640)={&(0x7f0000000580)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f0000000600)={&(0x7f00000005c0)={0x34, r4, 0x20, 0x70bd28, 0x25dfdbfb, {}, [@BATADV_ATTR_HOP_PENALTY={0x5, 0x35, 0x1}, @BATADV_ATTR_FRAGMENTATION_ENABLED={0x5, 0x30, 0x1}, @BATADV_ATTR_MULTICAST_FANOUT={0x8, 0x3c, 0x80}, @BATADV_ATTR_MESH_IFINDEX={0x8, 0x3, r3}]}, 0x34}, 0x1, 0x0, 0x0, 0x8084}, 0x4084)
recvmsg$unix(r0, &(0x7f0000000980)={&(0x7f0000000680), 0x6e, &(0x7f0000000840)=[{&(0x7f0000000700)=""/222, 0xde}, {&(0x7f0000000800)}], 0x2, &(0x7f0000000880)=[@cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x34, 0x1, 0x1, [<r5=>0xffffffffffffffff, 0xffffffffffffffff, <r6=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r7=>0xffffffffffffffff]}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [<r8=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}], 0xf0}, 0x0)
ioctl$sock_inet6_SIOCSIFADDR(r0, 0x8916, &(0x7f00000009c0)={@remote, 0xa, r3})
ioctl$VT_WAITACTIVE(r6, 0x5607)
sendmsg$BATADV_CMD_GET_HARDIF(r8, &(0x7f0000000ac0)={&(0x7f0000000a00)={0x10, 0x0, 0x0, 0x8000000}, 0xc, &(0x7f0000000a80)={&(0x7f0000000a40)={0x2c, 0x0, 0x4, 0x70bd2a, 0x25dfdbff, {}, [@BATADV_ATTR_HARD_IFINDEX={0x8}, @BATADV_ATTR_FRAGMENTATION_ENABLED={0x5, 0x30, 0x1}, @BATADV_ATTR_HOP_PENALTY={0x5, 0x35, 0xa}]}, 0x2c}, 0x1, 0x0, 0x0, 0x20000000}, 0x4004040)
setsockopt$inet6_opts(r7, 0x29, 0x37, &(0x7f0000000b00)=@hopopts={0x32, 0x0, '\x00', [@pad1]}, 0x10)
ioctl$TCSETS(r5, 0x5402, &(0x7f0000000b40)={0x9, 0x1, 0x0, 0x7, 0x19, "b22172cb650a7fd9443fd954fe9126b44bd4f8"})
r9 = syz_open_dev$mouse(&(0x7f0000000b80), 0x7ff, 0x800)
setsockopt$bt_l2cap_L2CAP_CONNINFO(r9, 0x6, 0x2, &(0x7f0000000bc0)={0x9, "d7f263"}, 0x6)

09:50:16 executing program 2:
r0 = syz_open_dev$tty1(0xc, 0x4, 0x4)
ioctl$VT_WAITACTIVE(r0, 0x5607)
ioctl$GIO_FONTX(r0, 0x4b6b, &(0x7f0000000400)={0x81, 0x19})
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
ioctl$TIOCL_GETSHIFTSTATE(r1, 0x541c, &(0x7f0000000440))
ioctl$PIO_CMAP(r0, 0x4b71, &(0x7f0000000480)={0x16d, 0x800, 0x8, 0x7, 0x453d04c2, 0xff})
write$tcp_congestion(0xffffffffffffffff, &(0x7f00000004c0)='hybla\x00', 0x6)
ioctl$PIO_FONTRESET(r1, 0x4b6d, 0x0)
ioctl$TIOCL_SELLOADLUT(r1, 0x541c, &(0x7f0000000500)={0x5, 0x2, 0x1, 0xffffffffffffffc1, 0x9})
setsockopt$inet6_mtu(0xffffffffffffffff, 0x29, 0x17, &(0x7f0000000540)=0x1, 0x4)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000580), 0x8900, 0x0)
ioctl$GIO_FONTX(r2, 0x4b6b, &(0x7f00000009c0)={0x1b3, 0x1f, &(0x7f00000005c0)})
setsockopt$bt_l2cap_L2CAP_LM(0xffffffffffffffff, 0x6, 0x3, &(0x7f0000000a00)=0xa, 0x4)
setsockopt$bt_l2cap_L2CAP_OPTIONS(0xffffffffffffffff, 0x6, 0x1, &(0x7f0000000a40)={0x7, 0x0, 0x8000, 0x2a, 0x1, 0x3, 0x3}, 0xc)
ioctl$TIOCPKT(r2, 0x5420, &(0x7f0000000a80)=0x4)
r3 = openat$tcp_congestion(0xffffffffffffff9c, &(0x7f0000000ac0), 0x1, 0x0)
write$tcp_congestion(r3, &(0x7f0000000b00)='cubic\x00', 0x6)
socketpair(0x1a, 0xa, 0xad8e, &(0x7f0000000b40)={<r4=>0xffffffffffffffff})
bind$bt_l2cap(r4, &(0x7f0000000b80)={0x1f, 0x4, @none, 0x2, 0x2}, 0xe)
ioctl$KDSETMODE(0xffffffffffffffff, 0x4b3a, 0x0)

[   62.640933] audit: type=1400 audit(1763286616.321:7): avc:  denied  { execmem } for  pid=273 comm="syz-executor.1" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
09:50:16 executing program 4:
getegid()
getegid()
recvmsg$unix(0xffffffffffffffff, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)=[{&(0x7f0000000000)=""/177, 0xb1}, {&(0x7f00000000c0)=""/91, 0x5b}], 0x2, &(0x7f0000000180)=[@cred={{0x1c, 0x1, 0x2, {0x0, <r0=>0x0}}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, <r1=>0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x30, 0x1, 0x1, [<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}], 0xa8}, 0x101)
getegid()
r4 = syz_open_dev$tty1(0xc, 0x4, 0x2)
ioctl$KDGKBMODE(r4, 0x4b44, &(0x7f0000000280))
ioctl$VT_GETSTATE(r1, 0x5603, &(0x7f00000002c0)={0x400, 0x0, 0x3})
ioctl$PIO_FONTRESET(r2, 0x4b6d, 0x0)
r5 = syz_open_dev$mouse(&(0x7f0000000300), 0x10001, 0x200)
ioctl$TIOCPKT(r5, 0x5420, &(0x7f0000000340)=0x200)
r6 = openat$sr(0xffffffffffffff9c, &(0x7f0000000380), 0x500, 0x0)
ioctl$TCSBRKP(r6, 0x5425, 0x0)
ioctl$KDSKBENT(r5, 0x4b47, &(0x7f00000003c0)={0x1, 0x0, 0x96})
ioctl$SECCOMP_IOCTL_NOTIF_RECV(r1, 0xc0502100, &(0x7f0000000400)={<r7=>0x0})
setsockopt$inet6_mtu(r3, 0x29, 0x17, &(0x7f0000000480)=0x4, 0x4)
ioctl$sock_ipv6_tunnel_SIOCGETPRL(r5, 0x89f4, &(0x7f0000000540)={'ip6_vti0\x00', &(0x7f00000004c0)={'syztnl2\x00', <r8=>0x0, 0x29, 0x80, 0x2, 0x1, 0x40, @private1={0xfc, 0x1, '\x00', 0x1}, @dev={0xfe, 0x80, '\x00', 0x11}, 0x700, 0x8, 0x10001, 0x10001}})
setsockopt$inet6_IPV6_IPSEC_POLICY(r5, 0x29, 0x22, &(0x7f0000000580)={{{@in=@multicast1, @in=@remote, 0x4e22, 0x7a, 0x4e20, 0x2, 0xa, 0x80, 0xa0, 0xff, r8, r0}, {0x3, 0x3ff, 0x2, 0x7f, 0x200, 0x0, 0xff, 0xfffffffffffffff7}, {0xfffffffffffff219, 0x9, 0x1, 0x4}, 0x3, 0x6e6bba, 0x1, 0x1, 0x1}, {{@in=@multicast1, 0x4d2, 0x6c}, 0xa, @in6=@private0={0xfc, 0x0, '\x00', 0x1}, 0x3506, 0x2, 0x3, 0xff, 0x0, 0x342f}}, 0xe8)
r9 = accept$unix(r2, 0x0, &(0x7f0000000680))
recvmsg$unix(r9, &(0x7f00000009c0)={&(0x7f00000006c0), 0x6e, &(0x7f0000000900)=[{&(0x7f0000000740)=""/217, 0xd9}, {&(0x7f0000000840)=""/68, 0x44}, {&(0x7f00000008c0)=""/1, 0x1}], 0x3, &(0x7f0000000940)=[@cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x24, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}], 0x68}, 0x40000102)
ioctl$SECCOMP_IOCTL_NOTIF_ADDFD(r5, 0x40182103, &(0x7f0000000a00)={r7, 0x2, 0xffffffffffffffff, 0x5, 0x80000})

09:50:16 executing program 7:
sendmsg$BATADV_CMD_SET_VLAN(0xffffffffffffffff, &(0x7f00000000c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x40000000}, 0xc, &(0x7f0000000080)={&(0x7f0000000040)={0x34, 0x0, 0x1, 0x70bd25, 0x25dfdbfb, {}, [@BATADV_ATTR_TPMETER_TEST_TIME={0x8, 0xb, 0x4}, @BATADV_ATTR_GW_BANDWIDTH_DOWN={0x8, 0x31, 0x6}, @BATADV_ATTR_BONDING_ENABLED={0x5}, @BATADV_ATTR_FRAGMENTATION_ENABLED={0x5}]}, 0x34}, 0x1, 0x0, 0x0, 0x20008001}, 0x20004000)
r0 = syz_genetlink_get_family_id$batadv(&(0x7f0000000140), 0xffffffffffffffff)
sendmsg$BATADV_CMD_GET_VLAN(0xffffffffffffffff, &(0x7f0000000200)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x1}, 0xc, &(0x7f00000001c0)={&(0x7f0000000180)={0x1c, r0, 0x800, 0x70bd2c, 0x25dfdbff, {}, [@BATADV_ATTR_GW_MODE={0x5}]}, 0x1c}, 0x1, 0x0, 0x0, 0x40845}, 0x4814)
sendmsg$NL80211_CMD_TDLS_CHANNEL_SWITCH(0xffffffffffffffff, &(0x7f0000000340)={&(0x7f0000000240)={0x10, 0x0, 0x0, 0x20000000}, 0xc, &(0x7f0000000300)={&(0x7f0000000280)={0x7c, 0x0, 0x200, 0x70bd2c, 0x25dfdbfc, {{}, {@val={0x8}, @void}}, [@chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}, @NL80211_ATTR_CENTER_FREQ2={0x8}, @NL80211_ATTR_WIPHY_EDMG_CHANNELS={0x5, 0x118, 0x15}, @NL80211_ATTR_CHANNEL_WIDTH={0x8, 0x9f, 0x3}, @NL80211_ATTR_CENTER_FREQ1={0x8, 0xa0, 0xe2}], @chandef_params=[@NL80211_ATTR_WIPHY_CHANNEL_TYPE={0x8, 0x27, 0x2}, @NL80211_ATTR_WIPHY_EDMG_BW_CONFIG={0x5, 0x119, 0x4}, @NL80211_ATTR_WIPHY_CHANNEL_TYPE={0x8, 0x27, 0x1}, @NL80211_ATTR_WIPHY_FREQ={0x8, 0x26, @random=0x171b}, @NL80211_ATTR_WIPHY_FREQ_OFFSET={0x8, 0x122, 0x19c}, @NL80211_ATTR_CENTER_FREQ1={0x8, 0xa0, 0x5}, @NL80211_ATTR_CENTER_FREQ1={0x8, 0xa0, 0x5}]]}, 0x7c}, 0x1, 0x0, 0x0, 0x10000}, 0x44000)
ioctl$BINDER_ENABLE_ONEWAY_SPAM_DETECTION(0xffffffffffffffff, 0x40046210, &(0x7f0000000380)=0x1)
sendmsg$BATADV_CMD_SET_HARDIF(0xffffffffffffffff, &(0x7f0000000480)={&(0x7f00000003c0)={0x10, 0x0, 0x0, 0x800000}, 0xc, &(0x7f0000000440)={&(0x7f0000000400)={0x14, r0, 0xd5a22f7092e0ea11, 0x70bd29, 0x25dfdbfb}, 0x14}, 0x1, 0x0, 0x0, 0x800}, 0x84)
sendmsg$NL80211_CMD_START_NAN(0xffffffffffffffff, &(0x7f0000000580)={&(0x7f00000004c0), 0xc, &(0x7f0000000540)={&(0x7f0000000500)={0x30, 0x0, 0x100, 0x70bd29, 0x25dfdbfd, {{}, {@void, @val={0xc, 0x99, {0x3, 0x73}}}}, [@NL80211_ATTR_BANDS={0x8}, @NL80211_ATTR_BANDS={0x8}]}, 0x30}, 0x1, 0x0, 0x0, 0x80}, 0x4000)
r1 = openat$sr(0xffffffffffffff9c, &(0x7f00000005c0), 0x2001, 0x0)
ioctl$BINDER_THREAD_EXIT(r1, 0x40046208, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
recvmsg$unix(r1, &(0x7f0000000d00)={&(0x7f0000000600)=@abs, 0x6e, &(0x7f0000000b80)=[{&(0x7f0000000680)=""/124, 0x7c}, {&(0x7f0000000700)=""/23, 0x17}, {&(0x7f0000000740)=""/71, 0x47}, {&(0x7f00000007c0)=""/98, 0x62}, {&(0x7f0000000840)=""/52, 0x34}, {&(0x7f0000000880)=""/65, 0x41}, {&(0x7f0000000900)=""/210, 0xd2}, {&(0x7f0000000a00)=""/153, 0x99}, {&(0x7f0000000ac0)=""/186, 0xba}], 0x9, &(0x7f0000000c40)=[@cred={{0x1c}}, @rights={{0x28, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x28, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r4=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x34, 0x1, 0x1, [0xffffffffffffffff, <r5=>0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, <r6=>0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}], 0xc0}, 0x40002000)
sendmsg$NL80211_CMD_ADD_TX_TS(r4, &(0x7f0000000e40)={&(0x7f0000000d40)={0x10, 0x0, 0x0, 0x400000}, 0xc, &(0x7f0000000e00)={&(0x7f0000000d80)={0x48, 0x0, 0x1, 0x70bd26, 0x25dfdbfc, {{}, {@val={0x8}, @val={0xc, 0x99, {0x5, 0x2e}}}}, [@NL80211_ATTR_TSID={0x5}, @NL80211_ATTR_ADMITTED_TIME={0x6, 0xd4, 0x40}, @NL80211_ATTR_USER_PRIO={0x5, 0xd3, 0x5}, @NL80211_ATTR_ADMITTED_TIME={0x6, 0xd4, 0x200}]}, 0x48}, 0x1, 0x0, 0x0, 0x4040}, 0x40)
r7 = syz_genetlink_get_family_id$batadv(&(0x7f0000000ec0), r3)
sendmsg$BATADV_CMD_GET_TRANSTABLE_GLOBAL(r5, &(0x7f0000000f80)={&(0x7f0000000e80)={0x10, 0x0, 0x0, 0x80}, 0xc, &(0x7f0000000f40)={&(0x7f0000000f00)={0x1c, r7, 0x200, 0x70bd28, 0x25dfdbfc, {}, [@BATADV_ATTR_ELP_INTERVAL={0x8, 0x3a, 0x10000}]}, 0x1c}, 0x1, 0x0, 0x0, 0x8000}, 0x8000)
recvmsg$unix(0xffffffffffffffff, &(0x7f0000001240)={&(0x7f0000000fc0), 0x6e, &(0x7f00000011c0)=[{&(0x7f0000001040)=""/129, 0x81}, {&(0x7f0000001100)=""/179, 0xb3}], 0x2, &(0x7f0000001200)=[@cred={{0x1c}}, @rights={{0x18, 0x1, 0x1, [<r8=>0xffffffffffffffff, 0xffffffffffffffff]}}], 0x38}, 0x5c7e2f43f6c4dcab)
sendmsg$BATADV_CMD_TP_METER(r8, &(0x7f0000001380)={&(0x7f0000001280), 0xc, &(0x7f0000001340)={&(0x7f00000012c0)={0x50, r0, 0x400, 0x70bd2a, 0x25dfdbff, {}, [@BATADV_ATTR_BRIDGE_LOOP_AVOIDANCE_ENABLED={0x5}, @BATADV_ATTR_VLANID={0x6, 0x28, 0x3}, @BATADV_ATTR_ORIG_ADDRESS={0xa, 0x9, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x22}}, @BATADV_ATTR_ISOLATION_MARK={0x8}, @BATADV_ATTR_BONDING_ENABLED={0x5, 0x2d, 0x1}, @BATADV_ATTR_MULTICAST_FORCEFLOOD_ENABLED={0x5, 0x37, 0x1}, @BATADV_ATTR_ISOLATION_MASK={0x8, 0x2c, 0xff}]}, 0x50}}, 0x40)
sendmsg$BATADV_CMD_GET_MCAST_FLAGS(r6, &(0x7f00000014c0)={&(0x7f00000013c0)={0x10, 0x0, 0x0, 0x400}, 0xc, &(0x7f0000001480)={&(0x7f0000001400)={0x60, r0, 0x800, 0x70bd2d, 0x25dfdbff, {}, [@BATADV_ATTR_ORIG_ADDRESS={0xa}, @BATADV_ATTR_AGGREGATED_OGMS_ENABLED={0x5}, @BATADV_ATTR_HOP_PENALTY={0x5, 0x35, 0x1}, @BATADV_ATTR_BONDING_ENABLED={0x5, 0x2d, 0x1}, @BATADV_ATTR_GW_MODE={0x5, 0x33, 0x2}, @BATADV_ATTR_THROUGHPUT_OVERRIDE={0x8, 0x3b, 0x202461f5}, @BATADV_ATTR_GW_BANDWIDTH_UP={0x8, 0x32, 0x2}, @BATADV_ATTR_ISOLATION_MASK={0x8, 0x2c, 0x5}, @BATADV_ATTR_BRIDGE_LOOP_AVOIDANCE_ENABLED={0x5}]}, 0x60}, 0x1, 0x0, 0x0, 0x20000000}, 0x20044084)
ioctl$sock_ipv6_tunnel_SIOCADD6RD(r4, 0x89f9, &(0x7f00000015c0)={'syztnl1\x00', &(0x7f0000001540)={'ip6_vti0\x00', <r9=>0x0, 0x4, 0x7f, 0x3, 0x800, 0x4e, @empty, @rand_addr=' \x01\x00', 0x20, 0x7, 0x6, 0x5}})
sendmsg$BATADV_CMD_GET_MCAST_FLAGS(r2, &(0x7f0000001680)={&(0x7f0000001500)={0x10, 0x0, 0x0, 0x10}, 0xc, &(0x7f0000001640)={&(0x7f0000001600)={0x34, r7, 0x200, 0x70bd25, 0x25dfdbfd, {}, [@BATADV_ATTR_GW_BANDWIDTH_UP={0x8, 0x32, 0x8}, @BATADV_ATTR_MESH_IFINDEX={0x8, 0x3, r9}, @BATADV_ATTR_GW_SEL_CLASS={0x8, 0x34, 0x7ff}, @BATADV_ATTR_ISOLATION_MARK={0x8, 0x2b, 0x1000}]}, 0x34}, 0x1, 0x0, 0x0, 0x4000010}, 0x80)
recvmsg$unix(r8, &(0x7f0000002ac0)={&(0x7f00000016c0), 0x6e, &(0x7f0000002a00)=[{&(0x7f0000001740)=""/51, 0x33}, {&(0x7f0000001780)=""/11, 0xb}, {&(0x7f00000017c0)=""/92, 0x5c}, {&(0x7f0000001840)=""/207, 0xcf}, {&(0x7f0000001940)=""/145, 0x91}, {&(0x7f0000001a00)=""/4096, 0x1000}], 0x6, &(0x7f0000002a80)=[@cred={{0x1c}}], 0x20}, 0x2000)

09:50:16 executing program 5:
r0 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000000), 0xffffffffffffffff)
sendmsg$NL80211_CMD_REGISTER_FRAME(0xffffffffffffffff, &(0x7f0000000200)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f00000001c0)={&(0x7f0000000080)={0x11c, r0, 0x200, 0x70bd28, 0x25dfdbfe, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_FRAME_MATCH={0x6b, 0x5b, "2f9fe7fee0f5b984dcb92327022eb82101dbe67db7ccc33903034aa25ccb99e62d102b05461820d433eb989643016a281aaf6177b3bfa2f7b6c2c346abf6c5ae101364a8a6f55f70e081c815884a8c88e78c1e24e6efbb89041b026bee02a93eda7705e03da014"}, @NL80211_ATTR_FRAME_TYPE={0x6, 0x65, 0x7}, @NL80211_ATTR_FRAME_TYPE={0x6, 0x65, 0x4}, @NL80211_ATTR_FRAME_MATCH={0x84, 0x5b, "98bc55c9733267cde266259e979371efb17fcbe0a41b2e9d2555a2c8a607b1b579a4da0cc45945044987ab54eea91fa9cc78eee274c32fcd7aac34a102e23f54f2940fc1c505d8f171b2f05387c6589999d2504e53c87fbadd39748e6610e87c151f12fd092753aa23df6ee0df6eb92042c1afa454f901995f2a96eea056991c"}]}, 0x11c}, 0x1, 0x0, 0x0, 0xc5}, 0x8000)
socketpair(0xe52b24ec83e0a1c3, 0x8000b, 0x7ff, &(0x7f0000000240)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
sendmsg$BATADV_CMD_GET_TRANSTABLE_LOCAL(r1, &(0x7f0000000340)={&(0x7f0000000280)={0x10, 0x0, 0x0, 0x8000}, 0xc, &(0x7f0000000300)={&(0x7f00000002c0)={0x3c, 0x0, 0x8, 0x70bd29, 0x25dfdbfe, {}, [@BATADV_ATTR_AP_ISOLATION_ENABLED={0x5}, @BATADV_ATTR_ORIG_ADDRESS={0xa, 0x9, @remote}, @BATADV_ATTR_ISOLATION_MARK={0x8, 0x2b, 0x9}, @BATADV_ATTR_ORIG_ADDRESS={0xa, 0x9, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x30}}]}, 0x3c}, 0x1, 0x0, 0x0, 0xc4}, 0x20000805)
setsockopt$inet6_MCAST_MSFILTER(r2, 0x29, 0x30, &(0x7f0000000380)={0x2, {{0xa, 0x4e24, 0x80, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x1}}, 0x1, 0x6, [{{0xa, 0x4e22, 0x9, @mcast2, 0xffff22eb}}, {{0xa, 0x4e20, 0x3, @mcast2, 0x4}}, {{0xa, 0x4e21, 0x100, @private0={0xfc, 0x0, '\x00', 0x1}, 0x7}}, {{0xa, 0x4e23, 0x0, @loopback}}, {{0xa, 0x4e22, 0x9, @mcast1, 0x4}}, {{0xa, 0x4e20, 0x5, @local, 0x6}}]}, 0x390)
r3 = accept$inet6(r2, &(0x7f0000000740)={0xa, 0x0, 0x0, @remote}, &(0x7f0000000780)=0x1c)
setsockopt$inet6_MCAST_MSFILTER(r3, 0x29, 0x30, &(0x7f00000007c0)={0x4, {{0xa, 0x4e22, 0xbc, @empty, 0x9}}, 0x0, 0x5, [{{0xa, 0x4e24, 0x7, @initdev={0xfe, 0x88, '\x00', 0x1, 0x0}, 0x40}}, {{0xa, 0x4e23, 0x3, @remote, 0x101}}, {{0xa, 0x4e24, 0x20, @mcast1, 0x80000000}}, {{0xa, 0x4e21, 0x80000000, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x800}}, {{0xa, 0x4e20, 0x3, @mcast1, 0x6}}]}, 0x310)
r4 = syz_genetlink_get_family_id$batadv(&(0x7f0000000b00), r1)
ioctl$sock_ipv6_tunnel_SIOCDELTUNNEL(r1, 0x89f2, &(0x7f0000000bc0)={'syztnl1\x00', &(0x7f0000000b40)={'syztnl1\x00', <r5=>0x0, 0x2f, 0x3, 0x7f, 0x10000, 0x10, @mcast1, @dev={0xfe, 0x80, '\x00', 0x21}, 0x10, 0x10, 0xfffffffc, 0xff}})
setsockopt$inet6_IPV6_XFRM_POLICY(r3, 0x29, 0x23, &(0x7f0000000c00)={{{@in=@dev={0xac, 0x14, 0x14, 0xf}, @in6=@mcast2, 0x4e21, 0x0, 0x4e23, 0x3, 0x2, 0x20, 0x0, 0xc, r5, 0xee01}, {0xa3, 0xfffffffffffffff9, 0x10001, 0x9, 0xfffffffffffffff7, 0xa77, 0x10001, 0x3}, {0x5, 0x6, 0x3ff, 0x7}, 0x6, 0x0, 0x1, 0x1, 0x0, 0x2}, {{@in=@rand_addr=0x64010101, 0x4d3, 0x84}, 0xa, @in6=@empty, 0x3501, 0x6, 0x2, 0x6, 0x7ff, 0xfffffffc, 0x2}}, 0xe8)
setsockopt$inet6_opts(0xffffffffffffffff, 0x29, 0x39, &(0x7f0000000d00)=@fragment={0x4, 0x0, 0x8, 0x0, 0x0, 0x2, 0x65}, 0x8)
r6 = accept4$inet6(r2, &(0x7f0000000d40)={0xa, 0x0, 0x0, @private2}, &(0x7f0000000d80)=0x1c, 0x800)
setsockopt$inet6_IPV6_DSTOPTS(r6, 0x29, 0x3b, &(0x7f0000000dc0)={0x4, 0x3, '\x00', [@pad1, @ra={0x5, 0x2, 0x707d}, @hao={0xc9, 0x10, @remote}, @enc_lim={0x4, 0x1, 0x1}]}, 0x28)
sendmsg$BATADV_CMD_TP_METER(0xffffffffffffffff, &(0x7f0000000ec0)={&(0x7f0000000e00)={0x10, 0x0, 0x0, 0x1}, 0xc, &(0x7f0000000e80)={&(0x7f0000000e40)={0x34, r4, 0x100, 0x70bd27, 0x25dfdbfc, {}, [@BATADV_ATTR_ISOLATION_MASK={0x8, 0x2c, 0x10001}, @BATADV_ATTR_MULTICAST_FANOUT={0x8, 0x3c, 0x8000}, @BATADV_ATTR_BRIDGE_LOOP_AVOIDANCE_ENABLED={0x5}, @BATADV_ATTR_DISTRIBUTED_ARP_TABLE_ENABLED={0x5, 0x2f, 0x1}]}, 0x34}, 0x1, 0x0, 0x0, 0x4000040}, 0x20008000)
r7 = accept$unix(0xffffffffffffffff, &(0x7f0000000f00)=@abs, &(0x7f0000000f80)=0x6e)
bind$unix(r7, &(0x7f0000000fc0)=@abs={0x0, 0x0, 0x4e21}, 0x6e)
setsockopt$inet6_MCAST_LEAVE_GROUP(r1, 0x29, 0x2d, &(0x7f0000001040)={0xffffffff, {{0xa, 0x4e24, 0x2, @empty, 0x7}}}, 0x88)
ioctl$sock_ipv6_tunnel_SIOCGET6RD(0xffffffffffffffff, 0x89f8, &(0x7f0000001180)={'syztnl0\x00', &(0x7f0000001100)={'ip6gre0\x00', r5, 0x4, 0xe5, 0xff, 0x2, 0x53, @remote, @loopback, 0x700, 0x7, 0x101, 0x1}})
setsockopt$inet6_IPV6_RTHDR(r2, 0x29, 0x39, &(0x7f00000011c0)={0x21, 0x8, 0x2, 0xd, 0x0, [@private0={0xfc, 0x0, '\x00', 0x1}, @remote, @private2, @loopback]}, 0x48)
accept4$inet6(0xffffffffffffffff, &(0x7f00000012c0)={0xa, 0x0, 0x0, @private0}, &(0x7f0000001300)=0x1c, 0x80000)

09:50:16 executing program 6:
r0 = openat$sr(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0)
ioctl$TIOCSISO7816(r0, 0xc0285443, &(0x7f0000000040)={0x1000, 0x7fff, 0xffffffff, 0xffffffff})
getsockopt$bt_l2cap_L2CAP_LM(r0, 0x6, 0x3, &(0x7f0000000080), &(0x7f00000000c0)=0x4)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f0000000100)={'batadv_slave_1\x00', <r2=>0x0})
ioctl$sock_ipv6_tunnel_SIOCGETPRL(r0, 0x89f4, &(0x7f00000001c0)={'ip6tnl0\x00', &(0x7f0000000140)={'ip6gre0\x00', r2, 0x29, 0xb1, 0x0, 0x2, 0x24, @dev={0xfe, 0x80, '\x00', 0x36}, @mcast2, 0x20, 0x700, 0x7fff, 0x80000001}})
r3 = socket$inet6(0xa, 0x800, 0x80)
ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r3, 0x8933, &(0x7f0000000200))
r4 = socket(0x10, 0x2, 0x4)
ioctl$sock_ipv6_tunnel_SIOCGETPRL(r4, 0x89f4, &(0x7f00000002c0)={'sit0\x00', &(0x7f0000000240)={'sit0\x00', r2, 0x2f, 0x1f, 0x5, 0x10001, 0x20, @loopback, @local, 0x8000, 0x7, 0x7, 0x6}})
sendmmsg$inet6(r4, &(0x7f0000000480)=[{{&(0x7f0000000300)={0xa, 0x4e20, 0x84c, @remote, 0x1}, 0x1c, &(0x7f0000000440)=[{&(0x7f0000000340)="e99b013b2deb3133d5e3f2603057633df030e0534edd8029c7a1b4b07bb492e7acb5fb93d4d5c7f0947f6ffd05b592cd21bf47b46d06f44bc16ac21252c69900b038e176f2c721fb864d6991931cb3c903e5f92f223b342733d103ddc902717962248d5bc6eecf61001a79e94ada710c44c3e38145982922ebddca6543565279540c11fd9bb98efa82cda3672f8bcdbf12b4752a43a519ee1211cf93b0ec979c4644f799b548ee4a1fbad0a30ada59a40d8feb6af2dcb35e28ebfcadf2b3f464bf81160aef7c943f6b93af536d0098073318be178c2f30256091cf5eaa11284916696f3110650e7065871d0bf9ed1da9e299a1f2b29a401c0147bae6", 0xfc}], 0x1}}], 0x1, 0x400c850)
r5 = openat$ttyS3(0xffffffffffffff9c, &(0x7f00000004c0), 0xa0a03, 0x0)
ioctl$VT_GETSTATE(r5, 0x5603, &(0x7f0000000500)={0xffff, 0x8001, 0x47d})
accept4$unix(r4, &(0x7f0000000540), &(0x7f00000005c0)=0x6e, 0x400)
setsockopt$inet6_mtu(r4, 0x29, 0x17, &(0x7f0000000600), 0x4)
ioctl$sock_inet6_SIOCSIFADDR(r4, 0x8916, &(0x7f0000000640)={@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x37, r2})
r6 = socket(0x1, 0x6, 0x8000)
getsockopt$inet6_IPV6_XFRM_POLICY(r6, 0x29, 0x23, &(0x7f0000000680)={{{@in6=@initdev, @in6=@dev}}, {{@in6}, 0x0, @in6=@remote}}, &(0x7f0000000780)=0xe8)
bind$unix(r1, &(0x7f00000007c0)=@abs={0x0, 0x0, 0x4e24}, 0x6e)
ioctl$BINDER_GET_NODE_INFO_FOR_REF(r0, 0xc018620c, &(0x7f0000000840)={0x1})

[   63.834283] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   63.836070] ==================================================================
[   63.837364] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x66d/0x6d0
[   63.838559] Read of size 2 at addr ffff88800d09c538 by task kworker/u11:2/291
[   63.846043] 
[   63.846355] CPU: 1 UID: 0 PID: 291 Comm: kworker/u11:2 Not tainted 6.18.0-rc5-next-20251114 #1 PREEMPT(voluntary) 
[   63.846388] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   63.846405] Workqueue: hci0 hci_cmd_work
[   63.846440] Call Trace:
[   63.846449]  <TASK>
[   63.846459]  dump_stack_lvl+0xca/0x120
[   63.846491]  print_report+0xcb/0x610
[   63.846527]  ? __virt_addr_valid+0x100/0x5d0
[   63.846556]  ? hci_cmd_work+0x66d/0x6d0
[   63.846587]  ? hci_cmd_work+0x66d/0x6d0
[   63.846619]  kasan_report+0xca/0x100
[   63.846651]  ? hci_cmd_work+0x66d/0x6d0
[   63.846686]  hci_cmd_work+0x66d/0x6d0
[   63.846719]  process_one_work+0x8e1/0x19c0
[   63.846761]  ? __pfx_process_one_work+0x10/0x10
[   63.846797]  ? move_linked_works+0x172/0x270
[   63.846824]  ? assign_work+0x196/0x240
[   63.846859]  worker_thread+0x67e/0xe90
[   63.846894]  ? trace_irq_enable.constprop.0+0xc2/0x100
[   63.846924]  ? __pfx_worker_thread+0x10/0x10
[   63.846960]  kthread+0x3c8/0x740
[   63.846992]  ? __pfx_kthread+0x10/0x10
[   63.847022]  ? ret_from_fork+0x79/0x7a0
[   63.847047]  ? lock_release+0xc8/0x290
[   63.847086]  ? __pfx_kthread+0x10/0x10
[   63.847118]  ret_from_fork+0x67a/0x7a0
[   63.847143]  ? __pfx_ret_from_fork+0x10/0x10
[   63.847169]  ? __switch_to+0x759/0x1060
[   63.847203]  ? __pfx_kthread+0x10/0x10
[   63.847235]  ret_from_fork_asm+0x1a/0x30
[   63.847277]  </TASK>
[   63.847285] 
[   63.869323] Allocated by task 289:
[   63.869927]  kasan_save_stack+0x24/0x50
[   63.870608]  kasan_save_track+0x14/0x30
[   63.871294]  __kasan_slab_alloc+0x59/0x70
[   63.872013]  kmem_cache_alloc_node_noprof+0x228/0x6b0
[   63.872938]  __alloc_skb+0x2ab/0x370
[   63.873591]  hci_cmd_sync_alloc+0x34/0x300
[   63.874339]  __hci_cmd_sync_sk+0xf7/0x5c0
[   63.875058]  hci_read_local_features_sync+0x2c/0x170
[   63.875927]  hci_dev_open_sync+0x145c/0x1f60
[   63.876709]  hci_power_on+0xdb/0x5d0
[   63.877375]  process_one_work+0x8e1/0x19c0
[   63.878109]  worker_thread+0x67e/0xe90
[   63.878788]  kthread+0x3c8/0x740
[   63.879380]  ret_from_fork+0x67a/0x7a0
[   63.880050]  ret_from_fork_asm+0x1a/0x30
[   63.880793] 
[   63.881092] Freed by task 292:
[   63.881650]  kasan_save_stack+0x24/0x50
[   63.882342]  kasan_save_track+0x14/0x30
[   63.883028]  kasan_save_free_info+0x3a/0x60
[   63.883795]  __kasan_slab_free+0x43/0x70
[   63.884493]  kmem_cache_free+0x26f/0x500
[   63.885248]  kfree_skbmem+0x18a/0x1f0
[   63.885929]  sk_skb_reason_drop+0x10e/0x1b0
[   63.886664]  vhci_read+0x3d5/0x5d0
[   63.887299]  vfs_read+0x1eb/0xc70
[   63.887899]  ksys_read+0x121/0x240
[   63.888521]  do_syscall_64+0xbf/0x430
[   63.889216]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   63.890112] 
[   63.890409] The buggy address belongs to the object at ffff88800d09c500
[   63.890409]  which belongs to the cache skbuff_head_cache of size 232
[   63.892556] The buggy address is located 56 bytes inside of
[   63.892556]  freed 232-byte region [ffff88800d09c500, ffff88800d09c5e8)
[   63.894613] 
[   63.894912] The buggy address belongs to the physical page:
[   63.895854] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xd09c
[   63.897214] memcg:ffff8880099aeb81
[   63.897812] anon flags: 0x100000000000000(node=0|zone=1)
[   63.898739] page_type: f5(slab)
[   63.899316] raw: 0100000000000000 ffff8880096c78c0 ffffea000034a2c0 dead000000000007
[   63.900613] raw: 0000000000000000 00000000000c000c 00000000f5000000 ffff8880099aeb81
[   63.901939] page dumped because: kasan: bad access detected
[   63.902890] 
[   63.903198] Memory state around the buggy address:
[   63.904038]  ffff88800d09c400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.905330]  ffff88800d09c480: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   63.906587] >ffff88800d09c500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.907840]                                         ^
[   63.908764]  ffff88800d09c580: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[   63.909962]  ffff88800d09c600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   63.910999] ==================================================================
[   63.912129] Disabling lock debugging due to kernel taint
[   63.918136] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   63.919576] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   63.920957] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   63.922353] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   63.924756] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   63.928306] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   63.930172] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   63.931318] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   63.933699] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   63.935499] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   63.939900] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   63.943071] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   63.944205] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   63.956382] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   63.959047] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   63.964815] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   63.968230] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   63.968411] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   63.971814] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   63.974674] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   63.979328] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   63.984268] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   63.993542] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   63.999139] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   64.013018] Bluetooth: hci6: unexpected cc 0x0c03 length: 249 > 1
[   64.018071] Bluetooth: hci6: unexpected cc 0x1003 length: 249 > 9
[   64.020679] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1
[   64.021733] Bluetooth: hci7: unexpected cc 0x0c03 length: 249 > 1
[   64.022498] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9
[   64.026453] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9
[   64.028434] Bluetooth: hci6: unexpected cc 0x1001 length: 249 > 9
[   64.029600] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4
[   64.029873] Bluetooth: hci7: unexpected cc 0x1003 length: 249 > 9
[   64.032406] Bluetooth: hci6: unexpected cc 0x0c23 length: 249 > 4
[   64.036513] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2
[   64.039993] Bluetooth: hci6: unexpected cc 0x0c38 length: 249 > 2
[   64.044224] Bluetooth: hci7: unexpected cc 0x1001 length: 249 > 9
[   64.050970] Bluetooth: hci7: unexpected cc 0x0c23 length: 249 > 4
[   64.054419] Bluetooth: hci7: unexpected cc 0x0c38 length: 249 > 2
[   65.984608] Bluetooth: hci1: command tx timeout
[   65.985655] Bluetooth: hci0: command tx timeout
[   66.048403] Bluetooth: hci3: command tx timeout
[   66.048880] Bluetooth: hci2: command tx timeout
[   66.049641] Bluetooth: hci4: command tx timeout
[   66.112972] Bluetooth: hci5: command tx timeout
[   66.113020] Bluetooth: hci6: command tx timeout
[   66.113512] Bluetooth: hci7: command tx timeout
[   68.032288] Bluetooth: hci1: command tx timeout
[   68.033152] Bluetooth: hci0: command tx timeout
[   68.096234] Bluetooth: hci2: command tx timeout
[   68.097894] Bluetooth: hci4: command tx timeout
[   68.097918] Bluetooth: hci3: command tx timeout
[   68.160182] Bluetooth: hci5: command tx timeout
[   68.161163] Bluetooth: hci6: command tx timeout
[   68.161175] Bluetooth: hci7: command tx timeout
[   70.080194] Bluetooth: hci0: command tx timeout
[   70.080250] Bluetooth: hci1: command tx timeout
[   70.144137] Bluetooth: hci2: command tx timeout
[   70.144190] Bluetooth: hci3: command tx timeout
[   70.144719] Bluetooth: hci4: command tx timeout
[   70.208137] Bluetooth: hci5: command tx timeout
[   70.208725] Bluetooth: hci6: command tx timeout
[   70.209911] Bluetooth: hci7: command tx timeout
[   72.129139] Bluetooth: hci1: command tx timeout
[   72.129910] Bluetooth: hci0: command tx timeout
[   72.192183] Bluetooth: hci3: command tx timeout
[   72.192926] Bluetooth: hci2: command tx timeout
[   72.193789] Bluetooth: hci4: command tx timeout
[   72.256250] Bluetooth: hci6: command tx timeout
[   72.257001] Bluetooth: hci5: command tx timeout
[   72.257059] Bluetooth: hci7: command tx timeout

VM DIAGNOSIS:
09:50:17  Registers:
info registers vcpu 0
RAX=ffff888009548000 RBX=0000000000000000 RCX=0000000000000001 RDX=0000000000000000
RSI=ffffffff8135f49d RDI=fffffbfff0bc3fa8 RBP=ffffffff85e1fd40 RSP=ffff8880095572f8
R8 =0000000000000000 R9 =0000000000000000 R10=000000000003ca6e R11=000000000002571f
R12=0000000000000002 R13=0000000000000000 R14=0000000000000000 R15=0000000000000246
RIP=ffffffff81529f72 RFL=00000246 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 00000000 00000000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS   [-WA]
DS =0000 0000000000000000 00000000 00000000
FS =0000 00007f77e1b30900 00000000 00000000
GS =0000 ffff8880e538f000 00000000 00000000
LDT=0000 fffffe5800000000 00000000 00000000
TR =0040 fffffe0000003000 00004087 00008b00 DPL=0 TSS64-busy
GDT=     fffffe0000001000 0000007f
IDT=     fffffe0000000000 00000fff
CR0=80050033 CR2=00007f53c7b1d070 CR3=000000000f5bd000 CR4=00350ef0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=00000000000000000000000000000000 XMM01=00007f53c7be07c000007f53c7be07c8
XMM02=00007f53c7be07e000007f53c7be07c0 XMM03=00007f53c7be07c800007f53c7be07c0
XMM04=ffffffffffffffffffffffffffffff00 XMM05=00000000000000000000000000000000
XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000
XMM08=00000000000000000000000000000000 XMM09=00000000000000000000000000000000
XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000
XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000
XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000
info registers vcpu 1
RAX=0000000000000075 RBX=00000000000003f8 RCX=0000000000000000 RDX=00000000000003f8
RSI=ffffffff8293dd05 RDI=ffffffff889747c0 RBP=ffffffff88974780 RSP=ffff88801b997618
R8 =0000000000000000 R9 =ffffed10016c6046 R10=0000000000000075 R11=6430303838386652
R12=0000000000000075 R13=0000000000000010 R14=ffffffff88974780 R15=ffffffff8293dcf0
RIP=ffffffff8293dd5d RFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 00000000 00000000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS   [-WA]
DS =0000 0000000000000000 00000000 00000000
FS =0000 0000000000000000 00000000 00000000
GS =0000 ffff8880e548f000 00000000 00000000
LDT=0000 fffffe2400000000 00000000 00000000
TR =0040 fffffe000004a000 00004087 00008b00 DPL=0 TSS64-busy
GDT=     fffffe0000048000 0000007f
IDT=     fffffe0000000000 00000fff
CR0=80050033 CR2=00007ffcf50e3d08 CR3=000000000d3a8000 CR4=00350ef0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=ffffffffffffffffffffffffffffffff XMM01=0000000000000000494e495f43455355
XMM02=ffffffffffffffff00000000000000ff XMM03=696e656420737365636341002f737973
XMM04=00000000000000010000556f837514e0 XMM05=0000556f836e42600000556f836e4240
XMM06=00000000000000000000000400000003 XMM07=00000000000000000000000000000000
XMM08=7269762f736563697665642f7379732f XMM09=00000000000000000000000000000000
XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000
XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000
XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000