Debian GNU/Linux 11 syzkaller ttyS0 Warning: Permanently added '[localhost]:21121' (ECDSA) to the list of known hosts. 2025/11/16 18:55:03 fuzzer started 2025/11/16 18:55:03 dialing manager at localhost:37161 syzkaller login: [ 52.342470] cgroup: Unknown subsys name 'net' [ 52.399284] cgroup: Unknown subsys name 'cpuset' [ 52.413487] cgroup: Unknown subsys name 'rlimit' 2025/11/16 18:55:14 syscalls: 207 2025/11/16 18:55:14 code coverage: enabled 2025/11/16 18:55:14 comparison tracing: enabled 2025/11/16 18:55:14 extra coverage: enabled 2025/11/16 18:55:14 setuid sandbox: enabled 2025/11/16 18:55:14 namespace sandbox: enabled 2025/11/16 18:55:14 Android sandbox: enabled 2025/11/16 18:55:14 fault injection: enabled 2025/11/16 18:55:14 leak checking: enabled 2025/11/16 18:55:14 net packet injection: enabled 2025/11/16 18:55:14 net device setup: enabled 2025/11/16 18:55:14 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist 2025/11/16 18:55:14 devlink PCI setup: PCI device 0000:00:10.0 is not available 2025/11/16 18:55:14 USB emulation: enabled 2025/11/16 18:55:14 hci packet injection: enabled 2025/11/16 18:55:14 wifi device emulation: enabled 2025/11/16 18:55:14 802.15.4 emulation: enabled 2025/11/16 18:55:14 fetching corpus: 0, signal 0/0 (executing program) 2025/11/16 18:55:15 starting 8 fuzzer processes 18:55:15 executing program 0: ioctl$TUNGETIFF(0xffffffffffffffff, 0x800454d2, &(0x7f0000000000)) ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000040)={'veth0_macvtap\x00'}) r0 = memfd_secret(0x9e06e5794e56667c) ioctl$BTRFS_IOC_SCRUB(r0, 0xc400941b, &(0x7f0000000080)={0x0, 0x80, 0x400, 0x1}) r1 = openat$tun(0xffffffffffffff9c, &(0x7f0000000480), 0x94800, 0x0) r2 = openat$tun(0xffffffffffffff9c, &(0x7f00000004c0), 0x440002, 0x0) ioctl$TUNSETCARRIER(0xffffffffffffffff, 0x400454e2, &(0x7f0000000500)) r3 = openat$tun(0xffffffffffffff9c, &(0x7f0000000540), 0x800, 0x0) ioctl$TUNSETCARRIER(r3, 0x400454e2, &(0x7f0000000580)) syz_genetlink_get_family_id$tipc(&(0x7f00000005c0), r0) ioctl$TUNSETTXFILTER(r1, 0x400454d1, &(0x7f0000000600)={0x1, 0x5, [@random="f9add5c0235e", @empty, @multicast, @empty, @broadcast]}) r4 = creat(&(0x7f0000000640)='./file0\x00', 0x82) ioctl$sock_inet_udp_SIOCINQ(r4, 0x541b, &(0x7f0000000680)) read$ptp(r4, &(0x7f00000006c0)=""/174, 0xae) ioctl$TUNGETVNETHDRSZ(r2, 0x800454d7, &(0x7f0000000780)) ioctl$TUNGETFEATURES(r1, 0x800454cf, &(0x7f00000007c0)) ioctl$SIOCGIFHWADDR(r1, 0x8927, &(0x7f0000000800)={'batadv_slave_1\x00'}) socket$inet_icmp(0x2, 0x2, 0x1) lsetxattr(&(0x7f0000000840)='./file0\x00', &(0x7f0000000880)=@random={'osx.', '\xbb\xbb\xbb\xbb\xbb\xbb'}, &(0x7f00000008c0)='/dev/net/tun\x00', 0xd, 0x3) io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) 18:55:15 executing program 6: read$ptp(0xffffffffffffffff, &(0x7f0000000000)=""/219, 0xdb) ioctl$AUTOFS_DEV_IOCTL_ASKUMOUNT(0xffffffffffffffff, 0xc018937d, &(0x7f0000000100)={{0x1, 0x1, 0x18, 0xffffffffffffffff, {0x5f86}}, './file0\x00'}) ioctl$PTP_ENABLE_PPS(r0, 0x40043d04, 0x1) r1 = io_uring_setup(0x5371, &(0x7f0000000140)={0x0, 0x6522, 0x1, 0x1, 0xac, 0x0, r0}) ioctl$BTRFS_IOC_SCRUB_PROGRESS(r1, 0xc400941d, &(0x7f00000001c0)={0x0, 0x7fff, 0x5, 0x1}) sendmsg$MPTCP_PM_CMD_GET_LIMITS(r0, &(0x7f0000000680)={&(0x7f00000005c0)={0x10, 0x0, 0x0, 0x1000}, 0xc, &(0x7f0000000640)={&(0x7f0000000600)={0x28, 0x0, 0x2, 0x70bd25, 0x25dfdbfd, {}, [@MPTCP_PM_ATTR_SUBFLOWS={0x8, 0x3, 0x7}, @MPTCP_PM_ATTR_ADDR={0xc, 0x1, 0x0, 0x1, [@MPTCP_PM_ADDR_ATTR_PORT={0x6, 0x5, 0x4e21}]}]}, 0x28}, 0x1, 0x0, 0x0, 0x8000}, 0x0) r2 = open(&(0x7f00000006c0)='./file0\x00', 0x2, 0x10e) ioctl$PTP_PIN_SETFUNC2(r2, 0x40603d10, &(0x7f0000000700)={'\x00', 0x6af7, 0x1, 0x401}) syz_io_uring_setup(0x5788, &(0x7f0000000780)={0x0, 0x2b41, 0x1, 0x3, 0x3d6, 0x0, r0}, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000000800), &(0x7f0000000840)) r3 = memfd_secret(0x0) ioctl$TUNDETACHFILTER(r3, 0x401054d6, 0x0) r4 = syz_mount_image$ext4(&(0x7f0000000880)='ext3\x00', &(0x7f00000008c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000a00)=[{&(0x7f0000000900)="5d6fcb70129d84c5596deb129984b775c09b4986e91810c059a82727b5cf9bf8587612af74b3cbd821c3d0c00ca08e52f7227eb9384517c2242427c3f83cd7987307eced5b66d60a115e9014cf9b4106eaeb7a28848f257a60454cab3dbd3611e09de40393d46453e95e301ebb2617e7d52f361f211f5d13c41f903c08126284dfdf66dccc8b4a798b9582c372395165028bd4b75227b82882351e6af86e767bc8e9ce4546eb2aec2701c5dc0629e20d25b892a48630263f98aa2a84126f882627d86d3c8d45d883", 0xc8, 0x9}], 0x1200000, &(0x7f0000000a40)={[{@max_dir_size_kb={'max_dir_size_kb', 0x3d, 0x1000}}, {@orlov}, {@data_journal}, {@data_err_abort}], [{@obj_type={'obj_type', 0x3d, '#'}}, {@mask={'mask', 0x3d, '^MAY_WRITE'}}, {@func={'func', 0x3d, 'BPRM_CHECK'}}, {@euid_lt={'euid<', 0xffffffffffffffff}}, {@obj_user={'obj_user', 0x3d, '\x00'}}, {@mask={'mask', 0x3d, '^MAY_APPEND'}}]}) ioctl$BTRFS_IOC_RESIZE(r4, 0x50009403, &(0x7f0000000b00)={{r1}, {@val, @actul_num={@void, 0x0, 0x65}}}) r5 = syz_mount_image$nfs(&(0x7f0000000b40), &(0x7f0000000b80)='./file0\x00', 0x7, 0x7, &(0x7f0000000f40)=[{&(0x7f0000000bc0)="01afc8b5ba683f486a", 0x9, 0x820}, {&(0x7f0000000c00)="4e34566f413f52cf4f7ddc732aac1b8f3df8e93c617c976a27a88165216362e7fd6b8c324b9e14b65f5485dc871017b4f7b0fb7ebbcc8c9270c0902134f9637cac", 0x41, 0x101}, {&(0x7f0000000c80)="c0c313e92c3473c5e873831e44dad7e7ceaef21cde902e7e4e39a524ed6b3a919cf9764f61af757eb3f1350df0357e53e41b25543c41870b2eeac6ac99ce73b0388d08044a4c340177f2ba025771c7d974c1e393ab338aad921f72fa3e8740b851b7995faccc03f6b105e89b77112c71e7853a63991d79908f01d58a4ba82c80683a6f356b4f0533580cd855c485e6e09857ff23be", 0x95, 0x3f}, {&(0x7f0000000d40)="64d8e2a40134", 0x6}, {&(0x7f0000000d80)="b8c7fb392aa756142e8937fa3752926567d8a0103d4ce1aca16a56b5b1662993350f1a2dbf494d85c831e0e9aae3fbd5e5330c2ac3f2084f39732340a592b4e81a390c0ed66634503adbf0d5bb80bc8b5c5adf89923e4a5a791125a1d13726a55e66a2a7c781ae1f7abf3645d255fc431e604ac5c361f633814258f174cafa76635aff4bd775a08d4ab4b499d4aed2ad5b25d70bae89043c44b15005a79b6af3d80e1dad52161459944fc3d8ca833a64f353bc7453ae2b140b4cd4b6c0ccfc18e070ba502a8797fd848a98f305bb8d0c117d8436e4048c0c6a89d8b523ba1413441271cf04eea4", 0xe7, 0x3}, {&(0x7f0000000e80)="a70a4f4a37d0b8b6c96af223f32448ac8818ee6101cf07baa75a00c01c8765edb4a78611eca9e1b3b69b838b5b4958d8ab08c7f6bf456a169404f7aca945628688", 0x41, 0x7}, {&(0x7f0000000f00)="dc00ac2d53b528aafa59c14497244f224940262d67", 0x15, 0x2}], 0x209000, &(0x7f0000001000)={[{'BPRM_CHECK'}, {'obj_user'}, {'max_dir_size_kb'}], [{@smackfsfloor={'smackfsfloor', 0x3d, 'BPRM_CHECK'}}, {@mask={'mask', 0x3d, 'MAY_EXEC'}}, {@permit_directio}, {@dont_hash}, {@smackfsfloor={'smackfsfloor', 0x3d, 'func'}}]}) unlinkat(r5, &(0x7f0000001080)='./file0\x00', 0x0) r6 = openat$tun(0xffffffffffffff9c, &(0x7f00000010c0), 0x400000, 0x0) ioctl$TUNSETTXFILTER(r6, 0x400454d1, &(0x7f0000001100)={0x0, 0x8, [@link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0xe}, @dev={'\xaa\xaa\xaa\xaa\xaa', 0xa}, @link_local, @broadcast, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0xe}, @random="f8fd0dceb36e", @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x2}, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x1b}]}) ioctl$AUTOFS_DEV_IOCTL_FAIL(r3, 0xc0189377, &(0x7f0000001140)={{0x1, 0x1, 0x18, r1, {0x4, 0x9b8}}, './file0\x00'}) io_uring_register$IORING_UNREGISTER_BUFFERS(r7, 0x1, 0x0, 0x0) write$P9_RREADLINK(r7, &(0x7f0000001180)={0x10, 0x17, 0x1, {0x7, './file0'}}, 0x10) 18:55:15 executing program 1: r0 = syz_mount_image$iso9660(&(0x7f0000000000), &(0x7f0000000040)='./file0\x00', 0x3f, 0x4, &(0x7f0000000180)=[{&(0x7f0000000080)="a1dabc007e", 0x5, 0x1216}, {&(0x7f00000000c0)="ee934175e097946b148c0970e7cdd7e6f2fdf92917f0ff09d860a049910367da2a6a3e0e2cad667f589803108d1f57e2e1e8d3e370d79f17c1dd7278a94d4379", 0x40, 0xb1e}, {&(0x7f0000000100)="e3a4f3e606670ccab3b969d244920f3aafc9992f", 0x14, 0x93}, {&(0x7f0000000140)="20596219a79b2faeed02d6c42e713698f07e06affea3aec1feb9f656e7b1eae28e4399cf7ea626e5ecb562f0", 0x2c, 0x56e0}], 0x1000, &(0x7f0000000200)={[{@map_acorn}], [{@smackfsroot={'smackfsroot', 0x3d, ':-^-['}}, {@dont_measure}, {@fscontext={'fscontext', 0x3d, 'sysadm_u'}}, {@func={'func', 0x3d, 'PATH_CHECK'}}]}) mknodat$loop(r0, &(0x7f0000000280)='./file0\x00', 0x1, 0x1) keyctl$clear(0x7, 0xffffffffffffffff) r1 = add_key$keyring(&(0x7f00000002c0), &(0x7f0000000300)={'syz', 0x1}, 0x0, 0x0, 0x0) mknodat$null(r0, &(0x7f0000000340)='./file0\x00', 0x4, 0x103) setxattr$incfs_id(&(0x7f0000000380)='./file0\x00', &(0x7f00000003c0), &(0x7f0000000400)={'0000000000000000000000000000000', 0x33}, 0x20, 0xc338164646c15c51) readlinkat(r0, &(0x7f0000000440)='./file0\x00', &(0x7f0000000480)=""/177, 0xb1) setxattr$incfs_id(&(0x7f0000000540)='./file1\x00', &(0x7f0000000580), &(0x7f00000005c0)={'0000000000000000000000000000000', 0x30}, 0x20, 0x1) r2 = add_key$fscrypt_v1(&(0x7f0000000600), &(0x7f0000000640)={'fscrypt:', @auto=[0x58, 0x30, 0x36, 0x66, 0x64, 0x31, 0x31, 0x65, 0x63, 0x34, 0x34, 0x36, 0x30, 0x62, 0x37, 0x39]}, &(0x7f0000000680)={0x0, "d615628a3ae2f0c210b88e2c5a1281811eaca99084508512d8cae26d8fd39c9a04829222f7e3ff02bd0e9e2d45899fb6c387388ee37525f5f3d63fd772cbe89b", 0x20}, 0x48, 0xfffffffffffffffb) keyctl$unlink(0x9, r2, r1) r3 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000700), 0x200000, 0x0) keyctl$clear(0x7, r1) ioctl$BTRFS_IOC_DEV_INFO(r3, 0xd000941e, &(0x7f0000000740)={0x0, "c02272186daefc155ebeb117d32f3873"}) open$dir(&(0x7f0000001740)='./file1\x00', 0x80100, 0x1) keyctl$unlink(0x9, 0x0, r2) r4 = add_key$keyring(&(0x7f0000001780), &(0x7f00000017c0)={'syz', 0x0}, 0x0, 0x0, 0xfffffffffffffff8) keyctl$reject(0x13, r4, 0x0, 0xc264, r1) newfstatat(0xffffffffffffff9c, &(0x7f0000001900)='./file1\x00', &(0x7f0000001940)={0x0, 0x0, 0x0, 0x0, 0x0}, 0x6000) syz_mount_image$nfs(&(0x7f0000001800), &(0x7f0000001840)='./file1\x00', 0x7fff, 0x1, &(0x7f00000018c0)=[{&(0x7f0000001880)="9d7a3d92373f042b9dcc35fb63f39e3554c8d1c20395e0b5ed12fd870f68b881e0a2149533be71b9994905c808280a7febf8077e21", 0x35, 0x12b147d0}], 0x2000000, &(0x7f00000019c0)={[{'\x00'}, {}, {':-^-['}, {'fscrypt:'}], [{@euid_lt={'euid<', 0xee01}}, {@uid_lt={'uid<', r5}}]}) add_key$fscrypt_v1(&(0x7f0000001a40), &(0x7f0000001a80)={'fscrypt:', @desc3}, &(0x7f0000001ac0)={0x0, "175384c6cccc953d6f5417f9219b1710585e562eee7057d87a9a728fa9b2f3bfe789e3c7410f1842add37386563bd2d2ee738269f2ed6f780d652318c7a0c21e", 0x34}, 0x48, 0xfffffffffffffff8) 18:55:15 executing program 7: r0 = io_uring_setup(0x485a, &(0x7f0000000000)={0x0, 0x575b, 0x2, 0x81, 0x300}) sendmsg$BATADV_CMD_SET_HARDIF(0xffffffffffffffff, &(0x7f0000000140)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x200000}, 0xc, &(0x7f0000000100)={&(0x7f00000000c0)={0x24, 0x0, 0x2, 0x70bd2d, 0x25dfdbfc, {}, [@BATADV_ATTR_MESH_IFINDEX={0x8}, @BATADV_ATTR_ORIG_INTERVAL={0x8, 0x39, 0x7}]}, 0x24}, 0x1, 0x0, 0x0, 0x8000040}, 0x1) ioctl$AUTOFS_DEV_IOCTL_FAIL(0xffffffffffffffff, 0xc0189377, &(0x7f0000000180)={{0x1, 0x1, 0x18, r0, {0x8, 0x40}}, './file0\x00'}) ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(0xffffffffffffffff, 0x8933, &(0x7f0000000240)={'batadv0\x00', 0x0}) ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(0xffffffffffffffff, 0x8933, &(0x7f0000000280)={'batadv0\x00', 0x0}) sendmsg$BATADV_CMD_GET_ORIGINATORS(r1, &(0x7f0000000380)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x800000}, 0xc, &(0x7f0000000340)={&(0x7f00000002c0)={0x64, 0x0, 0x0, 0x70bd27, 0x25dfdbfc, {}, [@BATADV_ATTR_MESH_IFINDEX={0x8, 0x3, r2}, @BATADV_ATTR_VLANID={0x6}, @BATADV_ATTR_MULTICAST_FANOUT={0x8}, @BATADV_ATTR_THROUGHPUT_OVERRIDE={0x8, 0x3b, 0x80000000}, @BATADV_ATTR_MULTICAST_FORCEFLOOD_ENABLED={0x5, 0x37, 0x1}, @BATADV_ATTR_BRIDGE_LOOP_AVOIDANCE_ENABLED={0x5, 0x2e, 0x1}, @BATADV_ATTR_MESH_IFINDEX={0x8, 0x3, r3}, @BATADV_ATTR_GW_MODE={0x5, 0x33, 0x1}, @BATADV_ATTR_BRIDGE_LOOP_AVOIDANCE_ENABLED={0x5}, @BATADV_ATTR_THROUGHPUT_OVERRIDE={0x8, 0x3b, 0x9}]}, 0x64}, 0x1, 0x0, 0x0, 0x1}, 0xd410) sendmsg$nl_xfrm(r1, &(0x7f00000004c0)={&(0x7f00000003c0), 0xc, &(0x7f0000000480)={&(0x7f0000000400)=@getsa={0x44, 0x12, 0x0, 0x70bd29, 0x25dfdbfb, {@in6=@ipv4={'\x00', '\xff\xff', @multicast1}, 0x4d2, 0x8, 0x32}, [@encap={0x1c, 0x4, {0xffffffffffffffff, 0x4e22, 0x4e22, @in6=@rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02'}}]}, 0x44}, 0x1, 0x0, 0x0, 0x24000801}, 0x4005) ioctl$BTRFS_IOC_DEV_REPLACE(r1, 0xca289435, &(0x7f0000000500)={0x0, 0xedf, @start={0x0, 0x1, "b9b3b4bfb680a539d629570ad1b3fb945da8a7732ea678f33ce149322e5d09ec48fd265a67da356ee51ca84fbdaed87a83141f81a8504e0f43c47d21a96ae04a28f3070155c3e01f06db65f7e9f4144a036d4d868f2386ef37e689c8006e3ea9dc5b3977243f494838c3ff099509ac3cfdcf40cbb4c52c1d079fc093e69a3c578ffc27a23f4af59fe9d4b44aa1766af4f5dff9e36e0910f93d9738f9e87f090debc13d8c7b83472844110e4f0f6de4adc407dfa47051693811f474eb6d548d6320dfc762cfc68dc3cf9465edc679484427c1c38a7c785770fecd0d7d80258b60646ad635fa81dcba073bb12516b95c4b4ebdd25ed0d426dc5428a6e1e3784b6a4f0375c644e976fc8e04bffd23c70c9bcbb8588247ae475a3e24dc570ab9b49a4a0764952c015a2d3d6c6a91b43f087101bc97ef744c1c124cc7d476bc69d224651016b01f75bc7f5da3d2f913cba6fe66fcb92750b4ad3597505c0a785e9b2f4c9c9433061673989c39f4347db378698bb27405d74dd6843d5330573d157fbae1dce9b0d7d4a12a2ba3a43a966c43c03c29660bb27e9a90bd53110465e8a0dd521aa2149f7a4f7cccf36f4826e09a50930e237fcc9283fb64d534a509ea9d191fc1c3ae87671e4429f009f2352902d8092a19396e90975c2d1ea297dfb712eef4dad5a174462654a9d0eed4be957a4017620f34739ec9ed0287aad49a74a6c68996c3a96ea6641a2ea6d9d5677896084905b79ad112caf615c53c6f44f87ab63ec149ea1c6b893d24481d01bfed1490e046766fbc94e347f2e563158481b346daf8ee9b622628234e496a5b16e655d386d216a6731d046931f82ba39233875fb11bbb6fa7f6ee835fee5b2ebe74f3f9d7f310c3da7e0aaf79e66c239287a0c166b10cdce00dbbbba0e5a2ed05158f03cf005e920025e4e4eea9c54ea476b66bb3432abbce939da06c234afaf87a33a34a9fa03237256a876255bc70b6648a76accc8648bf16dabbbe63dfcaaeb6269be95f8c7774b38525e4e984ef8c728091d430cc588463308131e268440e49ac07ceedbe43ab853f63ebe2c9d654c7a3650254ee8bb8bbc60dfe10d7ba427f216bce693b34fad8df760fa391472af4dbb6e8116886615ed6998a7bb203e98c3da177024bc56373dc880b31c59d274a4d79fbb77c71f0984eeb82a30a79cfe1cc0204ad57be7088037c4cf52b4dd36250a5d7fc995a90ea19926df0f64e6b9fce53180a9e031eee502ca83c4566e7730e3e013c883cc434ac481be47821629af8a17efea18128fc1f0882745c5f56d83af413e5b17d08bda44188c1a2d8194b741d686c6b7b707bc935f1c82ec35994a97f40dfd2a749aabd06c0578a3a242fcd152920d25d95959b170eefbb1cdf2e700778d210644b15deb1c989241a5cd032bdbb3a3b7fd61ef4eed542e6ce2cae26fe22", "befa010c575b2af0b7ee18377426d3bb1d3bb72ae332b6e0a4df98412c9117c39c181c09671895c7702ccde4e0014bd617f9bb03b72d1392bbfc7a317b4da4c00c89c78658f9068333a18b65db0becef0fb98551732d78a5ee75a85698c756c665d4a3312226ca92c56a6b9aaa8e966a6c5ae02f57aa603a47e5550c1462f4ba6ea72c7475c63d0553fc04ee8577ab45d1a87c9e2d7ff9fca215e1d39a6c9a03a851206e52ecd07245abacc0c7298b249b0c26d63ab365350ba1ab263824dc12715eff29234cf7ed374d8d817251a2ac25535937ed2d7a1cc2c4f134c736fcb26a50503cfdb1dcc1326e313f07d665108930facc5a8fd7c991123be501e6f60a1274bf60111f3dde486052719ec3a338832881646114cbe1554165c403fa6e92d2f8f6758dc3fd6596ca7a81a1b9088c77213e01f2eb082139f1bea114ad59cf39477aece5207121db6704481e39904f464cedb36822d05a4bd7078eb9ca96a4abd6c784624ae7ba2410e176bfd4fc519e444bb2d4b46df587a12053ac1215f7c942f46aaa0aae49c68487cd0e6028582e4a3037a63b63654fa075ffa601e99bde2093ff4138f8c9de6f17e581f12b0a8cabcd6d637d3aa4d5965184bc61831b0eb59f94c63001d1d4d9f4c431d627fb01c28ba86569b2de60458c8ebdfb8e67e1d19b751c654fddb7bb666f3369b825af8a59d3b1591033996c634524b9546dcd2e71828efd67f114062fa4526c616686dca9b12840e29772f2df9350716aece2412f42bbeb4eef1023578fe5d55803286d10046549dfdd9407d1f354b11d54a255d2088a170565f26baf79dc502c2fee2d354f2eccef9ed0026626b91f974f4a4758440e92128749630e7bb48d86b4df6201abb7192b8b99bd510d07d7989869bb4db2cb6a7bde2154860154f7e82cf08446ab97bd9c694540b5021ab22134e1f5d18831adbe9606db06510b92f1f9556471062cb9dde73e86c6b0add7b790df2fddf0932e0f000e4031fb1253ccf076eee4f73e266a49b629e60926269196a22e37006ea36e06da6534110668415f0f5e6fc9f41662f2f2998f00dbcd6d6076d0f8abc081cc55df452d2b6fb0ddf079f404ac35f3327292c02c68c82f7fd3c48605cdfe202d1ae4007452e4f31e8f3f3c791c70360811b402571fc5e188c25478a90db6410a114bc647d9c9bac1a6859c222d9761e096772d51b060d35b3fa4ae8d476f6cab37fe237304e95c581b77ccabba59da7367c9ae281276232058acd6d88f6eb47ec156143ff2c7106410baa8bc409dd48cb4cfe0f69baeadc722746b702ccc08df78d14989d43cab026781cea939aa01080a6e0d69bf1ba1369ccf1de8d450137402f720fc8585a92856d42ae2b2a4002397a12f93dd0e284a95336a598f01ec7030ce3ef7f56a4f7ebfe0d366dd3bd208bda74f64da12ef041f7f"}, [0x100000000, 0x7, 0x1ff, 0x6b, 0x9, 0x0, 0x4, 0x1, 0x1ff, 0x5, 0x0, 0x3, 0x9, 0x0, 0x2, 0x9, 0x401, 0x8, 0x853, 0x400000, 0x100, 0x6, 0x800, 0x2, 0x6d62, 0x0, 0x8, 0x7fffffff, 0x74, 0xffffffff, 0xffffffff, 0x0, 0x4, 0x5, 0x9, 0x3, 0x247, 0x8, 0x8, 0x4, 0x100, 0xc00000, 0xfffffffffffffe27, 0x6, 0x9, 0x9e98, 0x400, 0x6, 0x2, 0x76, 0x400, 0x1, 0x3ff, 0x93, 0xffffffff, 0xfff, 0x2, 0x4, 0x9, 0x40, 0x0, 0x62f, 0x9, 0x7f]}) ioctl$AUTOFS_DEV_IOCTL_ASKUMOUNT(r1, 0xc018937d, &(0x7f0000000f40)={{0x1, 0x1, 0x18, r0, {0x80}}, './file0\x00'}) r5 = syz_genetlink_get_family_id$batadv(&(0x7f0000000fc0), r1) sendmsg$BATADV_CMD_GET_NEIGHBORS(r4, &(0x7f00000010c0)={&(0x7f0000000f80)={0x10, 0x0, 0x0, 0x10}, 0xc, &(0x7f0000001080)={&(0x7f0000001000)={0x54, r5, 0x20, 0x70bd2c, 0x25dfdbfb, {}, [@BATADV_ATTR_GW_BANDWIDTH_UP={0x8, 0x32, 0x8}, @BATADV_ATTR_GW_SEL_CLASS={0x8, 0x34, 0x1ff}, @BATADV_ATTR_BONDING_ENABLED={0x5, 0x2d, 0x1}, @BATADV_ATTR_BONDING_ENABLED={0x5, 0x2d, 0x1}, @BATADV_ATTR_GW_BANDWIDTH_UP={0x8, 0x32, 0x7f}, @BATADV_ATTR_BONDING_ENABLED={0x5, 0x2d, 0x1}, @BATADV_ATTR_FRAGMENTATION_ENABLED={0x5, 0x30, 0x1}, @BATADV_ATTR_VLANID={0x6, 0x28, 0x4}]}, 0x54}, 0x1, 0x0, 0x0, 0x20000040}, 0x20000800) chroot(&(0x7f0000001100)='./file0\x00') r6 = creat(&(0x7f0000001140)='./file0\x00', 0x14) io_uring_register$IORING_REGISTER_PROBE(r1, 0x8, &(0x7f0000001180)={0x0, 0x0, 0x0, '\x00', [{}]}, 0x1) io_uring_setup(0x4bb5, &(0x7f00000011c0)={0x0, 0xe59c, 0x7, 0x1, 0x27a}) sendmsg$BATADV_CMD_GET_TRANSTABLE_GLOBAL(r1, &(0x7f0000001340)={&(0x7f0000001240)={0x10, 0x0, 0x0, 0x400}, 0xc, &(0x7f0000001300)={&(0x7f0000001280)={0x48, r5, 0x4, 0x70bd2a, 0x25dfdbfe, {}, [@BATADV_ATTR_NETWORK_CODING_ENABLED={0x5, 0x38, 0x1}, @BATADV_ATTR_ORIG_ADDRESS={0xa, 0x9, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x44}}, @BATADV_ATTR_GW_MODE={0x5}, @BATADV_ATTR_AP_ISOLATION_ENABLED={0x5}, @BATADV_ATTR_GW_BANDWIDTH_DOWN={0x8, 0x31, 0x5}, @BATADV_ATTR_MULTICAST_FANOUT={0x8, 0x3c, 0x5}]}, 0x48}, 0x1, 0x0, 0x0, 0x20008010}, 0x20000010) r7 = open(&(0x7f0000001380)='./file0\x00', 0x40100, 0xcc) r8 = socket$inet6_udplite(0xa, 0x2, 0x88) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000013c0)={0xffffffffffffffff}) io_uring_register$IORING_REGISTER_FILES(r1, 0x2, &(0x7f0000001400)=[r7, r1, r0, r8, r6, r0, r9], 0x7) 18:55:15 executing program 2: ioctl$sock_inet_udp_SIOCINQ(0xffffffffffffffff, 0x541b, &(0x7f0000000000)) r0 = creat(&(0x7f0000000040)='./file0\x00', 0x30) ioctl$TUNSETOWNER(r0, 0x400454cc, 0xee01) r1 = socket$inet_icmp(0x2, 0x2, 0x1) ioctl$SIOCGSTAMP(r1, 0x8906, &(0x7f0000000080)) r2 = open(&(0x7f00000000c0)='./file0\x00', 0x10000, 0x10) ioctl$TUNGETFEATURES(r2, 0x800454cf, &(0x7f0000000100)) r3 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$SIOCGSTAMP(r3, 0x8906, &(0x7f0000000140)) r4 = geteuid() setxattr$security_capability(&(0x7f0000000180)='./file1\x00', &(0x7f00000001c0), &(0x7f0000000200)=@v3={0x3000000, [{0xfffffff8, 0x1}, {0x80000001, 0xfffffffe}], r4}, 0x18, 0x0) mknodat$loop(r2, &(0x7f0000000240)='./file1\x00', 0x6000, 0x1) r5 = creat(&(0x7f0000000280)='./file0\x00', 0xa) sendmsg$BATADV_CMD_GET_NEIGHBORS(r3, &(0x7f0000000380)={&(0x7f00000002c0)={0x10, 0x0, 0x0, 0x2}, 0xc, &(0x7f0000000340)={&(0x7f0000000300)={0x24, 0x0, 0x810, 0x70bd28, 0x25dfdbfe, {}, [@BATADV_ATTR_AP_ISOLATION_ENABLED={0x5}, @BATADV_ATTR_ISOLATION_MARK={0x8, 0x2b, 0xf0000000}]}, 0x24}, 0x1, 0x0, 0x0, 0x24004800}, 0x8080) r6 = inotify_init() ioctl$BTRFS_IOC_DEV_INFO(r2, 0xd000941e, &(0x7f00000003c0)={0x0, "27e45e2ba7d3590d37e1c70bfdf297c8"}) ioctl$BTRFS_IOC_BALANCE_V2(r6, 0xc4009420, &(0x7f00000013c0)={0xe, 0x0, {0x6, @struct={0x3, 0xfffffffd}, r7, 0x44c, 0x7fffffff, 0x6, 0x1, 0x101, 0x440, @usage=0xb6d5, 0x529a, 0x401, [0x0, 0x1, 0x80000000, 0x6, 0x3, 0x3]}, {0x5, @usage=0x3, 0x0, 0x498d, 0x3a, 0x2, 0x100000001, 0x5fc, 0x2, @struct={0x800, 0x800}, 0x200, 0x8, [0x3, 0x7, 0x2d, 0xfffffffffffff8b6, 0x1, 0x4]}, {0x8, @struct={0x60000000, 0x4}, 0x0, 0x9, 0x1, 0x8, 0xf3, 0x8, 0x10, @usage=0xfffffffffffffffb, 0x0, 0x7fffffff, [0x7f, 0x6, 0x6, 0x7, 0x80000000, 0x9]}, {0x6d1d, 0x0, 0x10}}) setsockopt$WPAN_SECURITY_LEVEL(r2, 0x0, 0x2, &(0x7f00000017c0)=0x6, 0x4) r8 = syz_genetlink_get_family_id$tipc(&(0x7f0000001840), 0xffffffffffffffff) sendmsg$TIPC_CMD_GET_REMOTE_MNG(r5, &(0x7f0000001900)={&(0x7f0000001800)={0x10, 0x0, 0x0, 0xa0081080}, 0xc, &(0x7f00000018c0)={&(0x7f0000001880)={0x1c, r8, 0x2, 0x70bd26, 0x25dfdbfe, {}, ["", "", "", "", "", ""]}, 0x1c}, 0x1, 0x0, 0x0, 0x4000000}, 0x4000011) 18:55:15 executing program 3: ioctl$PTP_PIN_SETFUNC(0xffffffffffffffff, 0x40603d07, &(0x7f0000000000)={'\x00', 0x80000000, 0x2, 0x8}) r0 = openat$ptp0(0xffffffffffffff9c, &(0x7f0000000080), 0xc2, 0x0) ioctl$PTP_CLOCK_GETCAPS(r0, 0x80503d01, &(0x7f00000000c0)) ioctl$PTP_PIN_GETFUNC2(r0, 0xc0603d0f, &(0x7f0000000140)={'\x00', 0x7, 0x0, 0x8}) ioctl$PTP_ENABLE_PPS(r0, 0x40043d04, 0x0) read$ptp(r0, &(0x7f00000001c0)=""/77, 0x4d) ioctl$PTP_PIN_GETFUNC(r0, 0xc0603d06, &(0x7f0000000240)={'\x00', 0xc00000, 0x2, 0x7}) ioctl$PTP_PIN_SETFUNC(r0, 0x40603d07, &(0x7f00000002c0)={'\x00', 0x6, 0x0, 0x7f}) ioctl$PTP_PIN_GETFUNC2(0xffffffffffffffff, 0xc0603d0f, &(0x7f0000000340)={'\x00', 0x9, 0x3, 0xe622}) openat2$dir(0xffffffffffffff9c, &(0x7f00000003c0)='./file0\x00', &(0x7f0000000400)={0x0, 0x10, 0x1}, 0x18) ioctl$sock_inet_udp_SIOCINQ(0xffffffffffffffff, 0x541b, &(0x7f0000000440)) ioctl$PTP_PIN_SETFUNC2(r0, 0x40603d10, &(0x7f0000000480)={'\x00', 0x9, 0x0, 0xd5}) ioctl$AUTOFS_DEV_IOCTL_ASKUMOUNT(0xffffffffffffffff, 0xc018937d, &(0x7f0000000500)={{0x1, 0x1, 0x18, r0, {0xfffffffa}}, './file0\x00'}) ioctl$PTP_PIN_GETFUNC2(r1, 0xc0603d0f, &(0x7f0000000540)={'\x00', 0x1f, 0x2, 0x41}) ioctl$PTP_PIN_GETFUNC(r1, 0xc0603d06, &(0x7f00000005c0)={'\x00', 0x2, 0x0, 0x1}) r2 = creat(&(0x7f0000000640)='./file0\x00', 0x85) read$ptp(r2, &(0x7f0000000680)=""/69, 0x45) r3 = openat$ptp0(0xffffffffffffff9c, &(0x7f0000000700), 0x298480, 0x0) ioctl$PTP_ENABLE_PPS(r3, 0x40043d04, 0x0) ioctl$PTP_PIN_GETFUNC(r2, 0xc0603d06, &(0x7f0000000740)={'\x00', 0x1, 0x0, 0x7}) 18:55:15 executing program 4: mount$tmpfs(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040), 0xc0400, &(0x7f0000000080)={[{@mpol={'mpol', 0x3d, {'bind', '', @val={0x3a, [0x2f, 0x34, 0x35]}}}}, {@size={'size', 0x3d, [0x30, 0x78, 0x43, 0x34, 0x74, 0x78, 0x65]}}, {@huge_always}, {@size={'size', 0x3d, [0x39, 0x56, 0x70]}}, {@size={'size', 0x3d, [0x34, 0x38, 0x25, 0x67, 0x0, 0x36, 0x6b, 0x25, 0x33]}}, {@mode={'mode', 0x3d, 0x517061b6}}], [{@pcr={'pcr', 0x3d, 0x30}}, {@appraise_type}, {@subj_type={'subj_type', 0x3d, '(?'}}, {@audit}, {@obj_type={'obj_type', 0x3d, '/@]%#((Z%@+'}}, {@func={'func', 0x3d, 'CREDS_CHECK'}}, {@measure}, {@smackfshat={'smackfshat', 0x3d, ':{:-[),t&+[#)\'.'}}, {@hash}, {@subj_user={'subj_user', 0x3d, '\\'}}]}) inotify_add_watch(0xffffffffffffffff, &(0x7f0000000180)='./file0/../file0\x00', 0x200) r0 = geteuid() r1 = syz_mount_image$iso9660(&(0x7f00000001c0), &(0x7f0000000200)='./file0\x00', 0x8, 0x4, &(0x7f00000003c0)=[{&(0x7f0000000240)="57e9298474b4b775c7fd568c37760e2ef19b08fda01c19e4160f157277bb495d307df15e8225db64d0d4c339855d8dd9a56fc179395be75bd2ba02472c94f6ad07ecbaf6a510868363b9fa563fb37c2cd53ce250d4be29d3dfd0", 0x5a, 0x1f}, {&(0x7f00000002c0)="63201e49aa51155678a3ab04759dfb184944d9d411b3a53cd398ea1f35f278d43d28cdf548819a29c45be367995cb7cf4c627b4c2db93537947ec535c84efa2e108a9b5877954dd5ad9cb3e1e4fee38df0045adae13c8c8884374d2bd9e3909cd7e0b17c1780a81a438cedfb4a04", 0x6e, 0x24d2}, {&(0x7f0000000340)="f098339d9b2e63c790def77f7d2bcbff7648036fe7d55c71b462cd06d458b6e5b6d4b30d0b85f450f64cd9702ae50e", 0x2f}, {&(0x7f0000000380)="0c9d37c6e5730e4892c21665c7ced0542580420d2ecd40d869ca8f73cecbe329c4b6", 0x22, 0x2}], 0x4000, &(0x7f0000000440)={[{@dmode={'dmode', 0x3d, 0x3}}, {@dmode={'dmode', 0x3d, 0x7f}}, {@map_acorn}, {@mode={'mode', 0x3d, 0x6}}, {@overriderock}, {@check_relaxed}, {@sbsector={'sbsector', 0x3d, 0x4}}, {@unhide}, {@map_acorn}, {@utf8}], [{@uid_eq={'uid', 0x3d, r0}}, {@permit_directio}, {@func={'func', 0x3d, 'MMAP_CHECK'}}, {@fsuuid={'fsuuid', 0x3d, {[0x61, 0x66, 0x39, 0x37, 0x38, 0x32, 0x32, 0x32], 0x2d, [0x35, 0x35, 0x38, 0x65], 0x2d, [0x38, 0x34, 0x62, 0x62], 0x2d, [0x65, 0x39, 0x64, 0x36], 0x2d, [0x33, 0x65, 0x32, 0x38, 0x31, 0x31, 0x36, 0x63]}}}, {@fowner_eq={'fowner', 0x3d, 0xee01}}, {@smackfsfloor={'smackfsfloor', 0x3d, '\xdc^+{'}}, {@fsuuid={'fsuuid', 0x3d, {[0x39, 0x0, 0x51ea83a6947c95c7, 0x32, 0x31, 0x39, 0x38, 0x30], 0x2d, [0x66, 0x37, 0x66, 0x39], 0x2d, [0x63, 0x36, 0x62, 0x33], 0x2d, [0x39, 0x66, 0x37, 0x30], 0x2d, [0x63, 0x64, 0x31, 0x9d89d626ce960891, 0x38, 0x0, 0x27, 0x33]}}}, {@euid_lt={'euid<', 0xee00}}, {@euid_eq={'euid', 0x3d, 0xee00}}]}) newfstatat(0xffffffffffffff9c, &(0x7f0000000600)='./file0/../file0\x00', &(0x7f0000000640), 0x100) setxattr$security_capability(&(0x7f00000006c0)='./file1\x00', &(0x7f0000000700), &(0x7f0000000740)=@v1={0x1000000, [{0x2, 0x1}]}, 0xc, 0x1) mount(&(0x7f0000000780)=@sg0, &(0x7f00000007c0)='./file1\x00', &(0x7f0000000800)='ecryptfs\x00', 0x2a27481, &(0x7f0000000840)='*\x00') mknodat$loop(r1, &(0x7f0000000880)='./file1\x00', 0x40, 0x1) r2 = open(&(0x7f00000008c0)='./file2\x00', 0x80, 0x187) r3 = geteuid() setxattr$security_capability(&(0x7f0000000900)='./file0\x00', &(0x7f0000000940), &(0x7f0000000980)=@v3={0x3000000, [{0x3ff, 0x3}, {0x2, 0x4}], r3}, 0x18, 0x1) linkat(r2, &(0x7f00000009c0)='./file1\x00', 0xffffffffffffff9c, &(0x7f0000000a00)='./file1\x00', 0x400) mount$tmpfs(0x0, &(0x7f0000000a40)='./file2/../file0\x00', &(0x7f0000000a80), 0x100080, &(0x7f0000000ac0)={[{@nr_inodes={'nr_inodes', 0x3d, [0x30, 0x34, 0x36]}}, {@uid={'uid', 0x3d, r3}}, {@mode={'mode', 0x3d, 0x80000000}}, {@mpol={'mpol', 0x3d, {'bind', '=relative'}}}, {@size={'size', 0x3d, [0x33, 0x37, 0x2d, 0x35]}}, {@nr_blocks={'nr_blocks', 0x3d, [0x78, 0x32, 0x25, 0x6b, 0x17, 0x39]}}], [{@pcr={'pcr', 0x3d, 0x2c}}, {@smackfsdef={'smackfsdef', 0x3d, '-^\''}}, {@fsmagic={'fsmagic', 0x3d, 0x5}}]}) newfstatat(0xffffffffffffff9c, &(0x7f0000000b80)='./file2/../file0\x00', &(0x7f0000000bc0), 0x2000) r4 = geteuid() mount$tmpfs(0x0, &(0x7f0000000c40)='./file1\x00', &(0x7f0000000c80), 0x40c, &(0x7f0000000cc0)={[{@gid={'gid', 0x3d, 0xee01}}, {@huge_advise}, {@nr_inodes={'nr_inodes', 0x3d, [0x33, 0x25, 0x2d, 0x33, 0x39, 0x38, 0x34]}}, {@nr_inodes={'nr_inodes', 0x3d, [0x25, 0x6d, 0x37]}}, {@mode={'mode', 0x3d, 0xf9}}], [{@appraise_type}, {@dont_measure}, {@subj_type={'subj_type', 0x3d, '['}}, {@dont_measure}, {@euid_gt={'euid>', r4}}, {@context={'context', 0x3d, 'user_u'}}]}) mount$tmpfs(0x0, &(0x7f0000000dc0)='./file0\x00', &(0x7f0000000e00), 0x180480, &(0x7f0000000e40)={[{@mpol={'mpol', 0x3d, {'prefer', '=static', @void}}}], [{@obj_role={'obj_role', 0x3d, '-'}}, {@pcr={'pcr', 0x3d, 0x40}}, {@context={'context', 0x3d, 'user_u'}}]}) setxattr$security_capability(&(0x7f0000000ec0)='./file0/../file0\x00', &(0x7f0000000f00), &(0x7f0000000f40)=@v2={0x2000000, [{0x2, 0x800}, {0x3, 0x8}]}, 0x14, 0x3) getsockname$unix(r2, &(0x7f0000000f80), &(0x7f0000001000)=0x6e) name_to_handle_at(r2, &(0x7f0000001040)='./file2\x00', &(0x7f0000001080)=@xfs={0x1c, 0x81, {0x7fff, 0x2, 0x7, 0x8}}, &(0x7f00000010c0), 0x0) 18:55:15 executing program 5: r0 = openat$cgroup_int(0xffffffffffffffff, &(0x7f0000000000)='io.weight\x00', 0x2, 0x0) ioctl$AUTOFS_DEV_IOCTL_FAIL(0xffffffffffffffff, 0xc0189377, &(0x7f0000000040)={{0x1, 0x1, 0x18, r0, {0x1, 0x20}}, './file0\x00'}) r2 = openat$cgroup_int(r1, &(0x7f0000000080)='memory.oom.group\x00', 0x2, 0x0) ioctl$BTRFS_IOC_SCRUB(r1, 0xc400941b, &(0x7f00000000c0)={0x0, 0x8001, 0x0, 0x1}) r4 = memfd_secret(0x80000) ioctl$AUTOFS_DEV_IOCTL_ASKUMOUNT(r4, 0xc018937d, &(0x7f00000004c0)={{0x1, 0x1, 0x18, r2}, './file0\x00'}) mmap$IORING_OFF_CQ_RING(&(0x7f0000ffc000/0x2000)=nil, 0x2000, 0x3, 0x20010, r5, 0x8000000) openat$tun(0xffffffffffffff9c, &(0x7f0000000500), 0x0, 0x0) r6 = syz_genetlink_get_family_id$batadv(&(0x7f0000000580), r1) sendmsg$BATADV_CMD_SET_MESH(r5, &(0x7f0000000680)={&(0x7f0000000540)={0x10, 0x0, 0x0, 0x200}, 0xc, &(0x7f0000000640)={&(0x7f00000005c0)={0x48, r6, 0x10, 0x70bd2c, 0x25dfdbfe, {}, [@BATADV_ATTR_BRIDGE_LOOP_AVOIDANCE_ENABLED={0x5}, @BATADV_ATTR_ORIG_ADDRESS={0xa, 0x9, @remote}, @BATADV_ATTR_HARD_IFINDEX={0x8}, @BATADV_ATTR_THROUGHPUT_OVERRIDE={0x8, 0x3b, 0x101}, @BATADV_ATTR_GW_MODE={0x5}, @BATADV_ATTR_GW_MODE={0x5, 0x33, 0x2}]}, 0x48}, 0x1, 0x0, 0x0, 0x10004085}, 0x20000000) r7 = open(&(0x7f00000006c0)='./file0\x00', 0x410001, 0x20) ioctl$PTP_PIN_GETFUNC2(r7, 0xc0603d0f, &(0x7f0000000700)={'\x00', 0x7fffffff, 0x1, 0x1000}) ioctl$BTRFS_IOC_DEV_INFO(r4, 0xd000941e, &(0x7f0000000780)={r3, "be950a2bdfda5569db9bf31c47c41adf"}) openat$cgroup_devices(r7, &(0x7f0000001780)='devices.allow\x00', 0x2, 0x0) r8 = socket$inet_icmp(0x2, 0x2, 0x1) openat$autofs(0xffffffffffffff9c, &(0x7f00000017c0), 0x100, 0x0) unlinkat(r1, &(0x7f0000001800)='./file0\x00', 0x0) ioctl$TUNGETFEATURES(r8, 0x800454cf, &(0x7f0000001840)) r9 = socket$unix(0x1, 0x2, 0x0) getpeername$unix(r9, &(0x7f0000001880)=@abs, &(0x7f0000001900)=0x6e) [ 63.135769] audit: type=1400 audit(1763319315.643:7): avc: denied { execmem } for pid=271 comm="syz-executor.1" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1 [ 64.383875] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 64.389200] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 64.393053] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 64.395127] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 64.398770] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1 [ 64.401951] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 64.403640] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 64.405929] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 64.410109] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 64.411671] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 64.413123] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9 [ 64.414333] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 64.414887] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 64.418884] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9 [ 64.419892] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 64.421243] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 64.421527] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 64.424020] ================================================================== [ 64.424595] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1 [ 64.425237] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x66d/0x6d0 [ 64.427388] Read of size 2 at addr ffff88801f43e2b8 by task kworker/u11:7/300 [ 64.429714] [ 64.430870] CPU: 0 UID: 0 PID: 300 Comm: kworker/u11:7 Not tainted 6.18.0-rc5-next-20251114 #1 PREEMPT(voluntary) [ 64.430906] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 [ 64.430924] Workqueue: hci3 hci_cmd_work [ 64.430958] Call Trace: [ 64.430967] [ 64.430977] dump_stack_lvl+0xca/0x120 [ 64.431010] print_report+0xcb/0x610 [ 64.431042] ? __virt_addr_valid+0x100/0x5d0 [ 64.431071] ? hci_cmd_work+0x66d/0x6d0 [ 64.431102] ? hci_cmd_work+0x66d/0x6d0 [ 64.431113] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 64.431135] kasan_report+0xca/0x100 [ 64.431167] ? hci_cmd_work+0x66d/0x6d0 [ 64.431203] hci_cmd_work+0x66d/0x6d0 [ 64.431236] process_one_work+0x8e1/0x19c0 [ 64.431278] ? __pfx_process_one_work+0x10/0x10 [ 64.431314] ? move_linked_works+0x172/0x270 [ 64.431342] ? assign_work+0x196/0x240 [ 64.431377] worker_thread+0x67e/0xe90 [ 64.431412] ? trace_irq_enable.constprop.0+0xc2/0x100 [ 64.431443] ? __pfx_worker_thread+0x10/0x10 [ 64.431479] kthread+0x3c8/0x740 [ 64.431512] ? __pfx_kthread+0x10/0x10 [ 64.431546] ? ret_from_fork+0x79/0x7a0 [ 64.431571] ? lock_release+0xc8/0x290 [ 64.431609] ? __pfx_kthread+0x10/0x10 [ 64.431641] ret_from_fork+0x67a/0x7a0 [ 64.431666] ? __pfx_ret_from_fork+0x10/0x10 [ 64.431692] ? __switch_to+0x759/0x1060 [ 64.431726] ? __pfx_kthread+0x10/0x10 [ 64.431904] ret_from_fork_asm+0x1a/0x30 [ 64.431946] [ 64.431954] [ 64.440652] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9 [ 64.441110] Allocated by task 289: [ 64.444362] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9 [ 64.444845] kasan_save_stack+0x24/0x50 [ 64.447509] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 64.447852] kasan_save_track+0x14/0x30 [ 64.450309] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 64.450373] __kasan_slab_alloc+0x59/0x70 [ 64.450402] kmem_cache_alloc_node_noprof+0x228/0x6b0 [ 64.453007] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4 [ 64.453234] __alloc_skb+0x2ab/0x370 [ 64.454951] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2 [ 64.455002] hci_cmd_sync_alloc+0x34/0x300 [ 64.459471] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 64.459760] __hci_cmd_sync_sk+0xf7/0x5c0 [ 64.466630] hci_read_buffer_size_sync+0x2c/0x170 [ 64.467327] hci_dev_open_sync+0x1874/0x1f60 [ 64.467956] hci_power_on+0xdb/0x5d0 [ 64.468493] process_one_work+0x8e1/0x19c0 [ 64.469096] worker_thread+0x67e/0xe90 [ 64.469676] kthread+0x3c8/0x740 [ 64.470181] ret_from_fork+0x67a/0x7a0 [ 64.470736] ret_from_fork_asm+0x1a/0x30 [ 64.471202] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4 [ 64.471324] [ 64.471332] Freed by task 297: [ 64.472936] kasan_save_stack+0x24/0x50 [ 64.473188] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2 [ 64.473522] kasan_save_track+0x14/0x30 [ 64.473552] kasan_save_free_info+0x3a/0x60 [ 64.475582] __kasan_slab_free+0x43/0x70 [ 64.476172] kmem_cache_free+0x26f/0x500 [ 64.476766] kfree_skbmem+0x18a/0x1f0 [ 64.477326] sk_skb_reason_drop+0x10e/0x1b0 [ 64.477925] vhci_read+0x3d5/0x5d0 [ 64.478450] vfs_read+0x1eb/0xc70 [ 64.478957] ksys_read+0x121/0x240 [ 64.479465] do_syscall_64+0xbf/0x430 [ 64.480017] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 64.480744] [ 64.480993] The buggy address belongs to the object at ffff88801f43e280 [ 64.480993] which belongs to the cache skbuff_head_cache of size 232 [ 64.482787] The buggy address is located 56 bytes inside of [ 64.482787] freed 232-byte region [ffff88801f43e280, ffff88801f43e368) [ 64.484440] [ 64.484689] The buggy address belongs to the physical page: [ 64.485464] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f43e [ 64.486560] flags: 0x100000000000000(node=0|zone=1) [ 64.487253] page_type: f5(slab) [ 64.487733] raw: 0100000000000000 ffff8880096c78c0 dead000000000122 0000000000000000 [ 64.488806] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000 [ 64.489888] page dumped because: kasan: bad access detected [ 64.490669] [ 64.490912] Memory state around the buggy address: [ 64.491600] ffff88801f43e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.492606] ffff88801f43e200: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc [ 64.493621] >ffff88801f43e280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.494625] ^ [ 64.495343] ffff88801f43e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc [ 64.496355] ffff88801f43e380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 [ 64.497492] ================================================================== [ 64.498843] Disabling lock debugging due to kernel taint [ 64.510702] Bluetooth: hci7: unexpected cc 0x0c03 length: 249 > 1 [ 64.519212] Bluetooth: hci7: unexpected cc 0x1003 length: 249 > 9 [ 64.520265] Bluetooth: hci6: unexpected cc 0x0c03 length: 249 > 1 [ 64.521594] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 64.523282] Bluetooth: hci6: unexpected cc 0x1003 length: 249 > 9 [ 64.524789] Bluetooth: hci7: unexpected cc 0x1001 length: 249 > 9 [ 64.525865] Bluetooth: hci6: unexpected cc 0x1001 length: 249 > 9 [ 64.535482] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 64.541439] Bluetooth: hci7: unexpected cc 0x0c23 length: 249 > 4 [ 64.544173] Bluetooth: hci6: unexpected cc 0x0c23 length: 249 > 4 [ 64.547303] Bluetooth: hci7: unexpected cc 0x0c38 length: 249 > 2 [ 64.551871] Bluetooth: hci6: unexpected cc 0x0c38 length: 249 > 2 [ 66.537438] Bluetooth: hci4: command tx timeout [ 66.537465] Bluetooth: hci0: command tx timeout [ 66.538001] Bluetooth: hci1: command tx timeout [ 66.538817] Bluetooth: hci5: command tx timeout [ 66.600464] Bluetooth: hci6: command tx timeout [ 66.600521] Bluetooth: hci7: command tx timeout [ 66.601654] Bluetooth: hci3: command tx timeout [ 66.602053] Bluetooth: hci2: command tx timeout [ 68.587013] Bluetooth: hci1: command tx timeout [ 68.587841] Bluetooth: hci5: command tx timeout [ 68.587866] Bluetooth: hci0: command tx timeout [ 68.587876] Bluetooth: hci4: command tx timeout [ 68.649029] Bluetooth: hci2: command tx timeout [ 68.649043] Bluetooth: hci3: command tx timeout [ 68.649065] Bluetooth: hci7: command tx timeout [ 68.649900] Bluetooth: hci6: command tx timeout [ 70.634484] Bluetooth: hci1: command tx timeout [ 70.634763] Bluetooth: hci4: command tx timeout [ 70.635865] Bluetooth: hci0: command tx timeout [ 70.635905] Bluetooth: hci5: command tx timeout [ 70.696437] Bluetooth: hci6: command tx timeout [ 70.697530] Bluetooth: hci7: command tx timeout [ 70.697970] Bluetooth: hci2: command tx timeout [ 70.698206] Bluetooth: hci3: command tx timeout [ 72.680460] Bluetooth: hci5: command tx timeout [ 72.683415] Bluetooth: hci4: command tx timeout [ 72.683435] Bluetooth: hci0: command tx timeout [ 72.684115] Bluetooth: hci1: command tx timeout [ 72.744445] Bluetooth: hci3: command tx timeout [ 72.745164] Bluetooth: hci6: command tx timeout [ 72.745450] Bluetooth: hci2: command tx timeout [ 72.745913] Bluetooth: hci7: command tx timeout VM DIAGNOSIS: 18:55:17 Registers: info registers vcpu 0 RAX=0000000000000000 RBX=ffffffff85800f1e RCX=ffffffff816a11df RDX=ffff8880174a1bc0 RSI=00000000000001f4 RDI=0000000000000001 RBP=0000000000000064 RSP=ffff88801748ef60 R8 =ffff88801748f030 R9 =ffff88801748f150 R10=0000000000000001 R11=0000000000000001 R12=0000000000000001 R13=ffff88801748f15c R14=00000000000001f4 R15=dffffc0000000000 RIP=ffffffff81752f48 RFL=00000093 [--S-A-C] CPL=0 II=0 A20=1 SMM=0 HLT=0 ES =0000 0000000000000000 00000000 00000000 CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA] SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA] DS =0000 0000000000000000 00000000 00000000 FS =0000 0000000000000000 00000000 00000000 GS =0000 ffff8880e538f000 00000000 00000000 LDT=0000 fffffe6d00000000 00000000 00000000 TR =0040 fffffe0000003000 00004087 00008b00 DPL=0 TSS64-busy GDT= fffffe0000001000 0000007f IDT= fffffe0000000000 00000fff CR0=80050033 CR2=000055557bebc6e8 CR3=000000001ed19000 CR4=00350ef0 DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 DR6=00000000ffff0ff0 DR7=0000000000000400 EFER=0000000000000d01 FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80 FPR0=0000000000000000 0000 FPR1=0000000000000000 0000 FPR2=0000000000000000 0000 FPR3=0000000000000000 0000 FPR4=0000000000000000 0000 FPR5=0000000000000000 0000 FPR6=0000000000000000 0000 FPR7=0000000000000000 0000 XMM00=00000000000000000000000000000000 XMM01=00007ff7c92547c000007ff7c92547c8 XMM02=00007ff7c92547e000007ff7c92547c0 XMM03=00007ff7c92547c800007ff7c92547c0 XMM04=ffffffffffffffffffffffffffffff00 XMM05=00000000000000000000000000000000 XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000 XMM08=00000000000000000000000000000000 XMM09=00000000000000000000000000000000 XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000 XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000 XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000 info registers vcpu 1 RAX=0000000000000034 RBX=00000000000003f8 RCX=0000000000000000 RDX=00000000000003f8 RSI=ffffffff8293dd05 RDI=ffffffff889747c0 RBP=ffffffff88974780 RSP=ffff8880141df468 R8 =0000000000000000 R9 =ffffed1001659046 R10=0000000000000034 R11=0000000000000001 R12=0000000000000034 R13=0000000000000010 R14=ffffffff88974780 R15=ffffffff8293dcf0 RIP=ffffffff8293dd5d RFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0 ES =0000 0000000000000000 00000000 00000000 CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA] SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA] DS =0000 0000000000000000 00000000 00000000 FS =0000 0000000000000000 00000000 00000000 GS =0000 ffff8880e548f000 00000000 00000000 LDT=0000 fffffe4000000000 00000000 00000000 TR =0040 fffffe000004a000 00004087 00008b00 DPL=0 TSS64-busy GDT= fffffe0000048000 0000007f IDT= fffffe0000000000 00000fff CR0=80050033 CR2=00007eff23ce0070 CR3=000000001ef74000 CR4=00350ef0 DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 DR6=00000000ffff0ff0 DR7=0000000000000400 EFER=0000000000000d01 FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80 FPR0=0000000000000000 0000 FPR1=0000000000000000 0000 FPR2=0000000000000000 0000 FPR3=0000000000000000 0000 FPR4=0000000000000000 0000 FPR5=0000000000000000 0000 FPR6=0000000000000000 0000 FPR7=0000000000000000 0000 XMM00=00000000000000000000000000000000 XMM01=00007f667342e7c000007f667342e7c8 XMM02=00007f667342e7e000007f667342e7c0 XMM03=00007f667342e7c800007f667342e7c0 XMM04=ffffffffffffffffffffffffffffff00 XMM05=00000000000000000000000000000000 XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000 XMM08=00000000000000000000000000000000 XMM09=00000000000000000000000000000000 XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000 XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000 XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000