Warning: Permanently added '[localhost]:19833' (ECDSA) to the list of known hosts. 2025/11/16 19:18:45 fuzzer started 2025/11/16 19:18:45 dialing manager at localhost:37161 syzkaller login: [ 59.277571] cgroup: Unknown subsys name 'net' [ 59.351543] cgroup: Unknown subsys name 'cpuset' [ 59.370993] cgroup: Unknown subsys name 'rlimit' 2025/11/16 19:18:56 syscalls: 202 2025/11/16 19:18:56 code coverage: enabled 2025/11/16 19:18:56 comparison tracing: enabled 2025/11/16 19:18:56 extra coverage: enabled 2025/11/16 19:18:56 setuid sandbox: enabled 2025/11/16 19:18:56 namespace sandbox: enabled 2025/11/16 19:18:56 Android sandbox: enabled 2025/11/16 19:18:56 fault injection: enabled 2025/11/16 19:18:56 leak checking: enabled 2025/11/16 19:18:56 net packet injection: enabled 2025/11/16 19:18:56 net device setup: enabled 2025/11/16 19:18:56 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist 2025/11/16 19:18:56 devlink PCI setup: PCI device 0000:00:10.0 is not available 2025/11/16 19:18:56 USB emulation: enabled 2025/11/16 19:18:56 hci packet injection: enabled 2025/11/16 19:18:56 wifi device emulation: enabled 2025/11/16 19:18:56 802.15.4 emulation: enabled 2025/11/16 19:18:56 fetching corpus: 0, signal 0/0 (executing program) 2025/11/16 19:18:58 starting 8 fuzzer processes 19:18:58 executing program 0: r0 = socket(0x1f, 0xa, 0xfffffff8) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000000)={'netpci0\x00'}) r1 = ioctl$NS_GET_PARENT(0xffffffffffffffff, 0xb702, 0x0) ioctl$AUTOFS_DEV_IOCTL_EXPIRE(0xffffffffffffffff, 0xc018937c, &(0x7f0000000040)={{0x1, 0x1, 0x18, r1, {0x1}}, './file0\x00'}) r3 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000080), 0x80542, 0x0) r4 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f00000000c0)='./cgroup/syz1\x00', 0x200002, 0x0) ioctl$AUTOFS_DEV_IOCTL_PROTOVER(r3, 0xc0189372, &(0x7f0000000100)={{0x1, 0x1, 0x18, r4, {0x4}}, './file0\x00'}) ioctl$AUTOFS_DEV_IOCTL_READY(r3, 0xc0189376, &(0x7f0000000140)={{0x1, 0x1, 0x18, r2, 
{0x80000001}}, './file0/file0\x00'}) ioctl$NS_GET_NSTYPE(r6, 0xb703, 0x0) setns(r5, 0x2000000) ioctl$AUTOFS_DEV_IOCTL_FAIL(r2, 0xc0189377, &(0x7f0000000180)={{0x1, 0x1, 0x18, r4, {0xf8, 0x7}}, './file0\x00'}) ioctl$SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION(r6, 0xc0505350, &(0x7f00000001c0)={{0x6, 0x5}, {0x23, 0x6}, 0x3f, 0x3}) ioctl$AUTOFS_DEV_IOCTL_CATATONIC(r3, 0xc0189379, &(0x7f0000000240)={{0x1, 0x1, 0x18, r0}, './file0/file0\x00'}) sendmsg$GTP_CMD_NEWPDP(r0, &(0x7f0000000380)={&(0x7f0000000280), 0xc, &(0x7f0000000340)={&(0x7f00000002c0)={0x4c, 0x0, 0x2, 0x70bd2d, 0x25dfdbfe, {}, [@GTPA_NET_NS_FD={0x8, 0x7, r2}, @GTPA_I_TEI={0x8, 0x8, 0x4}, @GTPA_PEER_ADDRESS={0x8, 0x4, @initdev={0xac, 0x1e, 0x1, 0x0}}, @GTPA_LINK={0x8}, @GTPA_O_TEI={0x8, 0x9, 0x3}, @GTPA_VERSION={0x8, 0x2, 0x1}, @GTPA_O_TEI={0x8, 0x9, 0x2}]}, 0x4c}, 0x1, 0x0, 0x0, 0x10}, 0xc854) ioctl$SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT(r6, 0xc0bc5351, &(0x7f00000003c0)={0x5, 0x2, 'client0\x00', 0x7, "3133ff622d9fb9b2", "c39ef927b823a676651dabd5dc3d2d7f501099caa43896ba05b422c40db12988", 0x80000001, 0x800}) r7 = fsmount(r5, 0x0, 0x3a) getsockopt$bt_l2cap_L2CAP_LM(r7, 0x6, 0x3, &(0x7f0000000480), &(0x7f00000004c0)=0x4) ioctl$AUTOFS_DEV_IOCTL_CATATONIC(r5, 0xc0189379, &(0x7f0000000500)={{0x1, 0x1, 0x18, r2}, './file0\x00'}) socket(0x31, 0x3, 0x15) write$rfkill(0xffffffffffffffff, &(0x7f0000000580)={0xb565, 0x3, 0x3}, 0x8) 19:18:58 executing program 1: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$AUTOFS_DEV_IOCTL_REQUESTER(0xffffffffffffffff, 0xc018937b, &(0x7f0000000000)={{0x1, 0x1, 0x18, r0, {0xee00}}, './file0\x00'}) r2 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000040), 0x141500, 0x0) ioctl$AUTOFS_DEV_IOCTL_FAIL(r1, 0xc0189377, &(0x7f0000000080)={{0x1, 0x1, 0x18, r2, {0x1, 0x3ff}}, './file0\x00'}) r4 = openat$autofs(0xffffffffffffff9c, &(0x7f00000000c0), 0x40, 0x0) sendmsg$BATADV_CMD_GET_VLAN(0xffffffffffffffff, &(0x7f00000001c0)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x80000000}, 0xc, 
&(0x7f0000000180)={&(0x7f0000000140)={0x24, 0x0, 0x10, 0x70bd2d, 0x25dfdbfc, {}, [@BATADV_ATTR_GW_BANDWIDTH_DOWN={0x8, 0x31, 0x2}, @BATADV_ATTR_GW_SEL_CLASS={0x8, 0x34, 0x3}]}, 0x24}, 0x1, 0x0, 0x0, 0x4000000}, 0x8010) ioctl$AUTOFS_DEV_IOCTL_FAIL(r4, 0xc0189377, &(0x7f0000000200)={{0x1, 0x1, 0x18, r4, {0xf8, 0x400}}, './file1\x00'}) ioctl$AUTOFS_DEV_IOCTL_ISMOUNTPOINT(r5, 0xc018937e, &(0x7f0000000240)={{0x1, 0x1, 0x18, r4, @out_args}, './file0\x00'}) ioctl$AUTOFS_DEV_IOCTL_FAIL(r3, 0xc0189377, &(0x7f0000000280)={{0x1, 0x1, 0x18, r4, {0x120, 0xfffffff7}}, './file1\x00'}) ioctl$AUTOFS_DEV_IOCTL_EXPIRE(r6, 0xc018937c, &(0x7f00000002c0)={{0x1, 0x1, 0x18, r4, {0x2}}, './file0\x00'}) ioctl$AUTOFS_DEV_IOCTL_READY(r6, 0xc0189376, &(0x7f0000000300)={{0x1, 0x1, 0x18, 0xffffffffffffffff, {0x7}}, './file0\x00'}) openat$rfkill(0xffffffffffffff9c, &(0x7f0000000340), 0xc0000, 0x0) sendmsg$BATADV_CMD_GET_ROUTING_ALGOS(r3, &(0x7f0000000440)={&(0x7f0000000380)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f0000000400)={&(0x7f00000003c0)={0x24, 0x0, 0x100, 0x70bd27, 0x25dfdbfe, {}, [@BATADV_ATTR_BONDING_ENABLED={0x5, 0x2d, 0x1}, @BATADV_ATTR_GW_BANDWIDTH_UP={0x8, 0x32, 0xf03}]}, 0x24}}, 0x40010) ioctl$AUTOFS_DEV_IOCTL_CLOSEMOUNT(r3, 0xc0189375, &(0x7f0000000480)={{0x1, 0x1, 0x18, r6}, './file0\x00'}) ioctl$AUTOFS_DEV_IOCTL_CATATONIC(r8, 0xc0189379, &(0x7f00000004c0)={{0x1, 0x1, 0x18, r4}, './file0\x00'}) r10 = openat$tcp_congestion(0xffffffffffffff9c, &(0x7f0000000500), 0x1, 0x0) ioctl$AUTOFS_DEV_IOCTL_ASKUMOUNT(r7, 0xc018937d, &(0x7f0000000540)={{0x1, 0x1, 0x18, r1, {0x1f}}, './file0\x00'}) ioctl$AUTOFS_DEV_IOCTL_VERSION(r11, 0xc0189371, &(0x7f0000000580)={{0x1, 0x1, 0x18, r10}, './file1\x00'}) write$sndseq(r12, &(0x7f00000005c0)=[{0x7, 0x8, 0x2, 0xf, @time={0x3, 0xe91}, {0x20}, {0x20, 0x3}, @raw8={"1557af7c32ca956d6e2c3de6"}}, {0x7e, 0x7, 0x2, 0xf7, @time={0x1ff, 0x1}, {0xf8, 0x62}, {0x0, 0x3f}, @queue={0x27, {0xfffff801, 0x4}}}], 0x38) ioctl$BINDER_WRITE_READ(r11, 0xc0306201, 
&(0x7f0000000a40)={0xac, 0x0, &(0x7f0000000900)=[@dead_binder_done, @reply_sg={0x40486312, {0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x60, 0x18, &(0x7f00000006c0)={@ptr={0x70742a85, 0x1, &(0x7f0000000600)=""/148, 0x94, 0x1, 0xc}, @flat=@binder={0x73622a85, 0x1101, 0x3}, @fda={0x66646185, 0x7, 0x1, 0xe}}, &(0x7f0000000740)={0x0, 0x28, 0x40}}, 0x400}, @release={0x40046306, 0x1}, @reply_sg={0x40486312, {0x0, 0x0, 0x0, 0x0, 0x20, 0x0, 0x0, 0x58, 0x18, &(0x7f0000000840)={@fd={0x66642a85, 0x0, r9}, @ptr={0x70742a85, 0x0, &(0x7f0000000780)=""/173, 0xad, 0x2, 0x15}, @fd={0x66642a85, 0x0, r3}}, &(0x7f00000008c0)={0x0, 0x18, 0x40}}}], 0x69, 0x0, &(0x7f00000009c0)="d5e466084a55a0d42ba4fbc6ac539a8ae2bf921e3ea648c6c289305bfa221a4df7b4ac2b34453ea3dc2404fd3e3c2c655f3a18dd327ebb44d44071dc6b687ad0a4c915db266d4f55f54b9e37c502755f8f6ad5b000e598dbf554127b58d10de42af97443c462f08217"}) 19:18:58 executing program 5: fsconfig$FSCONFIG_CMD_CREATE(0xffffffffffffffff, 0x6, 0x0, 0x0, 0x0) fsconfig$FSCONFIG_SET_PATH_EMPTY(0xffffffffffffffff, 0x4, &(0x7f0000000000)='()/](][\x00', &(0x7f0000000040)='./file0\x00', 0xffffffffffffffff) ioctl$AUTOFS_DEV_IOCTL_EXPIRE(0xffffffffffffffff, 0xc018937c, &(0x7f0000000080)={{0x1, 0x1, 0x18, 0xffffffffffffffff, {0x5892198cc7a030bb}}, './file0\x00'}) fsconfig$FSCONFIG_SET_FLAG(r0, 0x0, &(0x7f00000000c0)='mand\x00', 0x0, 0x0) rt_sigreturn() fsconfig$FSCONFIG_SET_BINARY(r0, 0x2, &(0x7f0000000100)='()/](][\x00', &(0x7f0000000140)="40739724bd51d3fabf11bf02d065f0c3e09dff4f52c1de24fa142b8938cce154b17d4412ca41437a10a2822351d550512a8e2c4dea7cd6ab0ebfac36d5fd65c9679e1cf8f898d7967f848e9a750f65e5033e60fb9579a3d57baffe760fb21ab924df6f7c9ab866d8108c9f13d175e9e986e0be0b66ee05111b2ddaf98b4b99a0cdd302e19770100aaaf56cf8a4b3f955ef5c42e3ab58d9a7740138cd84a105a35b7e2f6970fc4af1eb693a46b9bf9ab111d14f8883704d699b67a53046b0e3b88a3344a77d99c0eb933c2a2d5ab353b3c4cd65ca64f03771cc53821e965d89c54c019e8f3972018e65", 0xe9) rt_sigreturn() r1 = syz_open_procfs(0xffffffffffffffff, 
&(0x7f0000000240)='timerslack_ns\x00') getsockopt$bt_sco_SCO_OPTIONS(r1, 0x11, 0x1, &(0x7f0000000280)=""/115, &(0x7f0000000300)=0x73) r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) connect$bt_sco(r2, &(0x7f0000000340)={0x1f, @none}, 0x8) ioctl$AUTOFS_DEV_IOCTL_EXPIRE(r0, 0xc018937c, &(0x7f0000000380)={{0x1, 0x1, 0x18, r1, {0x2}}, './file0\x00'}) ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r3, 0x8933, &(0x7f00000003c0)) r4 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000400), 0x6001, 0x0) ioctl$AUTOFS_DEV_IOCTL_PROTOSUBVER(r4, 0xc0189373, &(0x7f0000000440)={{0x1, 0x1, 0x18, r2, {0x7b}}, './file1\x00'}) sendmsg$BATADV_CMD_GET_TRANSTABLE_GLOBAL(r3, &(0x7f0000000540)={&(0x7f0000000480)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000500)={&(0x7f00000004c0)={0x24, 0x0, 0x800, 0x70bd2c, 0x25dfdbff, {}, [@BATADV_ATTR_FRAGMENTATION_ENABLED={0x5, 0x30, 0x1}, @BATADV_ATTR_ISOLATION_MASK={0x8, 0x2c, 0x1ff}]}, 0x24}, 0x1, 0x0, 0x0, 0x4048094}, 0x4000044) ioctl$AUTOFS_DEV_IOCTL_ISMOUNTPOINT(r5, 0xc018937e, &(0x7f0000000580)={{0x1, 0x1, 0x18, r3, @in_args={0x7}}, './file1\x00'}) ioctl$AUTOFS_DEV_IOCTL_OPENMOUNT(r6, 0xc0189374, &(0x7f00000005c0)={{0x1, 0x1, 0x18, r5, {0xffffffff}}, './file0\x00'}) r7 = fsmount(r3, 0x70dab0cb0cdd3245, 0x0) fsconfig$FSCONFIG_SET_FLAG(r7, 0x0, &(0x7f0000000600)='silent\x00', 0x0, 0x0) 19:18:58 executing program 2: ioctl$ifreq_SIOCGIFINDEX_batadv_hard(0xffffffffffffffff, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00', 0x0}) setsockopt$sock_void(0xffffffffffffffff, 0x1, 0x24, 0x0, 0x0) sendmsg$BATADV_CMD_GET_DAT_CACHE(0xffffffffffffffff, &(0x7f0000000140)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x10000}, 0xc, &(0x7f0000000100)={&(0x7f0000000080)={0x54, 0x0, 0x2, 0x70bd2b, 0x25dfdbfd, {}, [@BATADV_ATTR_ISOLATION_MASK={0x8, 0x2c, 0xfffffffa}, @BATADV_ATTR_BONDING_ENABLED={0x5}, @BATADV_ATTR_NETWORK_CODING_ENABLED={0x5}, @BATADV_ATTR_ELP_INTERVAL={0x8, 0x3a, 0x3}, @BATADV_ATTR_FRAGMENTATION_ENABLED={0x5}, @BATADV_ATTR_BONDING_ENABLED={0x5}, 
@BATADV_ATTR_MULTICAST_FANOUT={0x8, 0x3c, 0x800}, @BATADV_ATTR_TPMETER_TEST_TIME={0x8, 0xb, 0xff}]}, 0x54}, 0x1, 0x0, 0x0, 0x4}, 0x20040050) ioctl$AUTOFS_DEV_IOCTL_READY(0xffffffffffffffff, 0xc0189376, &(0x7f0000000180)={{0x1, 0x1, 0x18, 0xffffffffffffffff, {0x3}}, './file0\x00'}) bind(r1, &(0x7f00000001c0)=@phonet={0x23, 0xff, 0xbb, 0xff}, 0x80) r2 = getpid() sendmsg$NL802154_CMD_SET_WPAN_PHY_NETNS(0xffffffffffffffff, &(0x7f0000000340)={&(0x7f0000000240)={0x10, 0x0, 0x0, 0x40000}, 0xc, &(0x7f0000000300)={&(0x7f0000000280)={0x6c, 0x0, 0x10, 0x70bd2a, 0x25dfdbfe, {}, [@NL802154_ATTR_WPAN_DEV={0xc}, @NL802154_ATTR_NETNS_FD={0x8, 0x1d, r1}, @NL802154_ATTR_WPAN_PHY={0x8, 0x1, 0x1}, @NL802154_ATTR_PID={0x8, 0x1c, 0xffffffffffffffff}, @NL802154_ATTR_WPAN_PHY={0x8, 0x1, 0x3}, @NL802154_ATTR_WPAN_DEV={0xc, 0x6, 0x100000001}, @NL802154_ATTR_IFINDEX={0x8}, @NL802154_ATTR_IFINDEX={0x8}, @NL802154_ATTR_NETNS_FD={0x8, 0x1d, r1}, @NL802154_ATTR_PID={0x8, 0x1c, r2}]}, 0x6c}, 0x1, 0x0, 0x0, 0x54}, 0x4) r3 = fsmount(r1, 0x1, 0x8) sendmsg$BATADV_CMD_GET_GATEWAYS(r3, &(0x7f0000000480)={&(0x7f0000000380)={0x10, 0x0, 0x0, 0x200000}, 0xc, &(0x7f0000000440)={&(0x7f00000003c0)={0x68, 0x0, 0x2, 0x70bd25, 0x25dfdbfd, {}, [@BATADV_ATTR_TPMETER_TEST_TIME={0x8, 0xb, 0xd86}, @BATADV_ATTR_TPMETER_TEST_TIME={0x8, 0xb, 0x9}, @BATADV_ATTR_AGGREGATED_OGMS_ENABLED={0x5, 0x29, 0x1}, @BATADV_ATTR_GW_BANDWIDTH_UP={0x8}, @BATADV_ATTR_GW_BANDWIDTH_DOWN={0x8, 0x31, 0x7ff}, @BATADV_ATTR_THROUGHPUT_OVERRIDE={0x8, 0x3b, 0x7}, @BATADV_ATTR_ORIG_ADDRESS={0xa, 0x9, @random="13c731fc83bb"}, @BATADV_ATTR_HOP_PENALTY={0x5, 0x35, 0x1}, @BATADV_ATTR_GW_BANDWIDTH_UP={0x8, 0x32, 0x4}, @BATADV_ATTR_GW_MODE={0x5}]}, 0x68}, 0x1, 0x0, 0x0, 0x800}, 0x44010) r4 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0) setsockopt$sock_void(r4, 0x1, 0x1b, 0x0, 0x0) sendmsg$GTP_CMD_GETPDP(0xffffffffffffffff, &(0x7f0000000580)={&(0x7f00000004c0)={0x10, 0x0, 0x0, 0x20000000}, 0xc, &(0x7f0000000540)={&(0x7f0000000500)={0x34, 0x0, 0x100, 
0x70bd29, 0x25dfdbfb, {}, [@GTPA_VERSION={0x8}, @GTPA_MS_ADDRESS={0x8, 0x5, @multicast1}, @GTPA_VERSION={0x8, 0x2, 0x1}, @GTPA_LINK={0x8, 0x1, r0}]}, 0x34}, 0x1, 0x0, 0x0, 0x40040}, 0x20000000) r5 = socket$inet(0x2, 0x2, 0x0) getsockopt$bt_hci(r5, 0x0, 0x2, &(0x7f00000005c0)=""/37, &(0x7f0000000600)=0x25) ioctl$AUTOFS_DEV_IOCTL_PROTOVER(r1, 0xc0189372, &(0x7f00000006c0)={{0x1, 0x1, 0x18, r1, {0x7fff}}, './file0\x00'}) fsconfig$FSCONFIG_SET_PATH_EMPTY(r3, 0x4, &(0x7f0000000640)='\x00', &(0x7f0000000680)='./file0\x00', r6) r7 = syz_open_procfs(r2, &(0x7f0000000700)='net/ip6_tables_matches\x00') r8 = syz_open_procfs(r2, &(0x7f0000000740)='numa_maps\x00') ioctl$AUTOFS_DEV_IOCTL_ASKUMOUNT(r7, 0xc018937d, &(0x7f0000000780)={{0x1, 0x1, 0x18, r8, {0xffffffff}}, './file0\x00'}) ioctl$NS_GET_NSTYPE(r7, 0xb703, 0x0) 19:18:58 executing program 3: r0 = syz_genetlink_get_family_id$nl802154(&(0x7f0000000040), 0xffffffffffffffff) sendmsg$NL802154_CMD_SET_WPAN_PHY_NETNS(0xffffffffffffffff, &(0x7f0000000100)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f00000000c0)={&(0x7f0000000080)={0x2c, r0, 0x20, 0x70bd28, 0x25dfdbfc, {}, [@NL802154_ATTR_WPAN_DEV={0xc, 0x6, 0x3}, @NL802154_ATTR_WPAN_DEV={0xc, 0x6, 0x200000000}]}, 0x2c}, 0x1, 0x0, 0x0, 0xc010}, 0x8050) ioctl$AUTOFS_DEV_IOCTL_SETPIPEFD(0xffffffffffffffff, 0xc0189378, &(0x7f0000000140)={{0x1, 0x1, 0x18, 0xffffffffffffffff, {0xffffffffffffffff}}, './file0\x00'}) ioctl$AUTOFS_DEV_IOCTL_PROTOSUBVER(0xffffffffffffffff, 0xc0189373, &(0x7f0000000180)={{0x1, 0x1, 0x18, r1}, './file0\x00'}) r4 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl802154(&(0x7f00000001c0), r4) ioctl$AUTOFS_DEV_IOCTL_OPENMOUNT(r1, 0xc0189374, &(0x7f0000000200)={{0x1, 0x1, 0x18, r1, {0x3}}, './file1\x00'}) r6 = syz_genetlink_get_family_id$gtp(&(0x7f0000000280), r3) sendmsg$GTP_CMD_NEWPDP(r5, &(0x7f0000000340)={&(0x7f0000000240)={0x10, 0x0, 0x0, 0x10}, 0xc, &(0x7f0000000300)={&(0x7f00000002c0)={0x24, r6, 0x200, 0x70bd28, 
0x25dfdbfd, {}, [@GTPA_I_TEI={0x8, 0x8, 0x4}, @GTPA_NET_NS_FD={0x8, 0x7, r2}]}, 0x24}, 0x1, 0x0, 0x0, 0x800}, 0x20000880) sendmsg$BATADV_CMD_GET_HARDIF(r2, &(0x7f0000000480)={&(0x7f0000000380), 0xc, &(0x7f0000000440)={&(0x7f00000003c0)={0x44, 0x0, 0x2, 0x70bd2a, 0x25dfdbfc, {}, [@BATADV_ATTR_FRAGMENTATION_ENABLED={0x5, 0x30, 0x1}, @BATADV_ATTR_BONDING_ENABLED={0x5}, @BATADV_ATTR_ISOLATION_MASK={0x8, 0x2c, 0xb15}, @BATADV_ATTR_ISOLATION_MARK={0x8, 0x2b, 0x5}, @BATADV_ATTR_BRIDGE_LOOP_AVOIDANCE_ENABLED={0x5}, @BATADV_ATTR_ORIG_INTERVAL={0x8}]}, 0x44}, 0x1, 0x0, 0x0, 0x4}, 0x40814) r7 = getpid() r8 = getpgid(r7) ioctl$BINDER_FREEZE(r3, 0x400c620e, &(0x7f00000004c0)={r8, 0x1, 0xffff}) getpgrp(r8) ioctl$SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION(r1, 0xc0505350, &(0x7f0000000500)={{0x2, 0x81}, {0x8, 0x97}, 0xd60, 0x0, 0x2}) ptrace$setopts(0x4200, r8, 0x1, 0x1) ioctl$AUTOFS_DEV_IOCTL_VERSION(r5, 0xc0189371, &(0x7f0000000580)={{0x1, 0x1, 0x18, r2}, './file0\x00'}) ioctl$AUTOFS_DEV_IOCTL_EXPIRE(r5, 0xc018937c, &(0x7f00000005c0)={{0x1, 0x1, 0x18, r1, {0x4}}, './file0\x00'}) r9 = getpgrp(0x0) syz_open_procfs$namespace(r9, &(0x7f0000000600)='ns/net\x00') 19:18:58 executing program 6: arch_prctl$ARCH_MAP_VDSO_X32(0x2001, 0x7) arch_prctl$ARCH_MAP_VDSO_X32(0x2001, 0x10001) arch_prctl$ARCH_MAP_VDSO_X32(0x2001, 0xff) arch_prctl$ARCH_MAP_VDSO_X32(0x2001, 0x5) ioctl$AUTOFS_DEV_IOCTL_EXPIRE(0xffffffffffffffff, 0xc018937c, &(0x7f00000000c0)={{0x1, 0x1, 0x18, 0xffffffffffffffff, {0x2}}, './file0\x00'}) ioctl$AUTOFS_DEV_IOCTL_TIMEOUT(0xffffffffffffffff, 0xc018937a, &(0x7f0000000100)={{0x1, 0x1, 0x18, r0, {0x6}}, './file0\x00'}) arch_prctl$ARCH_MAP_VDSO_X32(0x2001, 0x7) r2 = openat$sndseq(0xffffffffffffff9c, &(0x7f0000000140), 0x2) ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(r2, 0xc058534b, &(0x7f0000000180)={0xf10, 0x3, 0x401, 0x6, 0x3}) arch_prctl$ARCH_MAP_VDSO_X32(0x2001, 0x2) r3 = openat$sndseq(0xffffffffffffff9c, &(0x7f0000000200), 0x311041) ioctl$AUTOFS_DEV_IOCTL_SETPIPEFD(r0, 0xc0189378, 
&(0x7f0000000240)={{0x1, 0x1, 0x18, r2, {r3}}, './file0\x00'}) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000280)={'wlan0\x00', 0x0}) ioctl$AUTOFS_DEV_IOCTL_READY(r1, 0xc0189376, &(0x7f00000002c0)={{0x1, 0x1, 0x18, r1, {0x5}}, './file0\x00'}) r7 = syz_genetlink_get_family_id$gtp(&(0x7f0000000340), r1) sendmsg$GTP_CMD_NEWPDP(r6, &(0x7f0000000440)={&(0x7f0000000300), 0xc, &(0x7f0000000400)={&(0x7f0000000380)={0x44, r7, 0x0, 0x70bd2a, 0x25dfdbfe, {}, [@GTPA_LINK={0x8}, @GTPA_O_TEI={0x8, 0x9, 0x2}, @GTPA_VERSION={0x8}, @GTPA_I_TEI={0x8, 0x8, 0x2}, @GTPA_NET_NS_FD={0x8, 0x7, r4}, @GTPA_FLOW={0x6, 0x6, 0x1}]}, 0x44}, 0x1, 0x0, 0x0, 0x4}, 0x0) sendmsg$BATADV_CMD_GET_NEIGHBORS(0xffffffffffffffff, &(0x7f0000000540)={&(0x7f0000000480)={0x10, 0x0, 0x0, 0x20000000}, 0xc, &(0x7f0000000500)={&(0x7f00000004c0)={0x40, 0x0, 0x200, 0x70bd26, 0x25dfdbff, {}, [@BATADV_ATTR_NETWORK_CODING_ENABLED={0x5}, @BATADV_ATTR_ORIG_ADDRESS={0xa}, @BATADV_ATTR_BONDING_ENABLED={0x5, 0x2d, 0x1}, @BATADV_ATTR_BONDING_ENABLED={0x5, 0x2d, 0x1}, @BATADV_ATTR_MESH_IFINDEX={0x8}]}, 0x40}}, 0x8880) sendmsg$NL80211_CMD_SET_WIPHY_NETNS(r0, &(0x7f0000000680)={&(0x7f0000000580)={0x10, 0x0, 0x0, 0x80}, 0xc, &(0x7f0000000640)={&(0x7f00000005c0)={0x48, 0x0, 0x2, 0x70bd2d, 0x25dfdbfc, {{}, {@void, @val={0x8, 0x3, r5}, @val={0xc, 0x99, {0x0, 0x59}}}}, [@NL80211_ATTR_WDEV={0xc, 0x99, {0x7, 0x31}}, @NL80211_ATTR_PID={0x8}, @NL80211_ATTR_WDEV={0xc, 0x99, {0x8, 0x5d}}]}, 0x48}, 0x1, 0x0, 0x0, 0x4044810}, 0x40) ioctl$SNDRV_SEQ_IOCTL_GET_PORT_INFO(r0, 0xc0a85322, &(0x7f00000006c0)) sendmsg$BATADV_CMD_TP_METER_CANCEL(0xffffffffffffffff, &(0x7f0000000880)={&(0x7f00000007c0)={0x10, 0x0, 0x0, 0x200}, 0xc, &(0x7f0000000840)={&(0x7f0000000800)={0x20, 0x0, 0x1, 0x70bd2a, 0x25dfdbfc, {}, [@BATADV_ATTR_ORIG_ADDRESS={0xa, 0x9, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x42}}]}, 0x20}, 0x1, 0x0, 0x0, 0x4000060}, 0x20048000) [ 70.504449] audit: type=1400 audit(1763320738.344:7): avc: denied { execmem } for pid=275 comm="syz-executor.1" 
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1 19:18:58 executing program 4: socketpair(0x22, 0x80003, 0x4, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = syz_genetlink_get_family_id$batadv(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$BATADV_CMD_GET_TRANSTABLE_LOCAL(r0, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x100000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x64, r2, 0x200, 0x70bd2a, 0x25dfdbfb, {}, [@BATADV_ATTR_ISOLATION_MASK={0x8, 0x2c, 0x3}, @BATADV_ATTR_MULTICAST_FANOUT={0x8, 0x3c, 0x7}, @BATADV_ATTR_THROUGHPUT_OVERRIDE={0x8, 0x3b, 0x4}, @BATADV_ATTR_VLANID={0x6}, @BATADV_ATTR_TPMETER_TEST_TIME={0x8, 0xb, 0x1}, @BATADV_ATTR_FRAGMENTATION_ENABLED={0x5, 0x30, 0x1}, @BATADV_ATTR_GW_BANDWIDTH_DOWN={0x8, 0x31, 0x1}, @BATADV_ATTR_ISOLATION_MARK={0x8, 0x2b, 0x9}, @BATADV_ATTR_ELP_INTERVAL={0x8}, @BATADV_ATTR_GW_MODE={0x5, 0x33, 0x1}]}, 0x64}, 0x1, 0x0, 0x0, 0x4000000}, 0x24048000) r3 = syz_genetlink_get_family_id$batadv(&(0x7f0000000200), r0) sendmsg$BATADV_CMD_GET_MCAST_FLAGS(0xffffffffffffffff, &(0x7f0000000300)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x400000}, 0xc, &(0x7f00000002c0)={&(0x7f0000000240)={0x4c, r3, 0x100, 0x70bd2a, 0x25dfdbfb, {}, [@BATADV_ATTR_MULTICAST_FANOUT={0x8}, @BATADV_ATTR_VLANID={0x6, 0x28, 0x4}, @BATADV_ATTR_ISOLATION_MARK={0x8, 0x2b, 0xaa000}, @BATADV_ATTR_GW_MODE={0x5, 0x33, 0x1}, @BATADV_ATTR_ISOLATION_MASK={0x8, 0x2c, 0xfffffff9}, @BATADV_ATTR_AP_ISOLATION_ENABLED={0x5}, @BATADV_ATTR_VLANID={0x6, 0x28, 0x2}]}, 0x4c}, 0x1, 0x0, 0x0, 0x10}, 0x81) syz_genetlink_get_family_id$l2tp(&(0x7f0000000340), r0) getsockname(r1, &(0x7f0000000380)=@pppol2tpv3={0x18, 0x1, {0x0, 0xffffffffffffffff}}, &(0x7f0000000400)=0x80) sendmsg$BATADV_CMD_GET_MCAST_FLAGS(r4, &(0x7f0000000500)={&(0x7f0000000440)={0x10, 0x0, 0x0, 0x40000000}, 0xc, &(0x7f00000004c0)={&(0x7f0000000480)={0x24, r3, 0x8, 0x70bd29, 0x25dfdbff, {}, [@BATADV_ATTR_ISOLATION_MASK={0x8, 0x2c, 0x4}, 
@BATADV_ATTR_TPMETER_TEST_TIME={0x8, 0xb, 0x3600}]}, 0x24}, 0x1, 0x0, 0x0, 0x1001}, 0x20000040) socketpair(0x2a, 0x2, 0x10001, &(0x7f0000000540)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$BATADV_CMD_SET_VLAN(r5, &(0x7f0000000640)={&(0x7f0000000580)={0x10, 0x0, 0x0, 0x10}, 0xc, &(0x7f0000000600)={&(0x7f00000005c0)={0x3c, r3, 0x100, 0x70bd27, 0x25dfdbfb, {}, [@BATADV_ATTR_TPMETER_TEST_TIME={0x8, 0xb, 0x40}, @BATADV_ATTR_GW_MODE={0x5, 0x33, 0x1}, @BATADV_ATTR_BRIDGE_LOOP_AVOIDANCE_ENABLED={0x5}, @BATADV_ATTR_NETWORK_CODING_ENABLED={0x5, 0x38, 0x1}, @BATADV_ATTR_THROUGHPUT_OVERRIDE={0x8, 0x3b, 0xd6}]}, 0x3c}, 0x1, 0x0, 0x0, 0x20004050}, 0x80) ioctl$AUTOFS_DEV_IOCTL_PROTOVER(0xffffffffffffffff, 0xc0189372, &(0x7f0000000680)={{0x1, 0x1, 0x18, r4, {0x7}}, './file0\x00'}) ioctl$AUTOFS_DEV_IOCTL_ASKUMOUNT(r6, 0xc018937d, &(0x7f00000006c0)={{0x1, 0x1, 0x18, r1, {0x6}}, './file0\x00'}) getsockname(r7, &(0x7f0000000700)=@nfc_llcp, &(0x7f0000000780)=0x80) ioctl$NS_GET_PARENT(r6, 0xb702, 0x0) r8 = syz_genetlink_get_family_id$batadv(&(0x7f0000000800), r4) sendmsg$BATADV_CMD_GET_MESH(r1, &(0x7f00000008c0)={&(0x7f00000007c0)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f0000000880)={&(0x7f0000000840)={0x2c, r8, 0x200, 0x70bd25, 0x25dfdbfc, {}, [@BATADV_ATTR_GW_SEL_CLASS={0x8, 0x34, 0x7ff}, @BATADV_ATTR_ISOLATION_MASK={0x8, 0x2c, 0x7}, @BATADV_ATTR_GW_BANDWIDTH_UP={0x8, 0x32, 0xfffff001}]}, 0x2c}}, 0xc080) getsockopt$bt_l2cap_L2CAP_OPTIONS(r6, 0x6, 0x1, &(0x7f0000000900), &(0x7f0000000940)=0xc) r9 = syz_genetlink_get_family_id$batadv(&(0x7f00000009c0), r7) sendmsg$BATADV_CMD_GET_GATEWAYS(r7, &(0x7f0000000a80)={&(0x7f0000000980)={0x10, 0x0, 0x0, 0x10}, 0xc, &(0x7f0000000a40)={&(0x7f0000000a00)={0x3c, r9, 0x400, 0x70bd2b, 0x25dfdbfb, {}, [@BATADV_ATTR_BRIDGE_LOOP_AVOIDANCE_ENABLED={0x5, 0x2e, 0x1}, @BATADV_ATTR_NETWORK_CODING_ENABLED={0x5, 0x38, 0x1}, @BATADV_ATTR_ISOLATION_MASK={0x8, 0x2c, 0x3}, @BATADV_ATTR_THROUGHPUT_OVERRIDE={0x8, 0x3b, 0x9}, 
@BATADV_ATTR_FRAGMENTATION_ENABLED={0x5}]}, 0x3c}, 0x1, 0x0, 0x0, 0x4040044}, 0x80) write$cgroup_int(0xffffffffffffffff, &(0x7f0000000b00), 0x12) 19:18:58 executing program 7: r0 = getegid() setresgid(r0, 0xffffffffffffffff, 0x0) r1 = geteuid() ioctl$AUTOFS_DEV_IOCTL_REQUESTER(0xffffffffffffffff, 0xc018937b, &(0x7f0000000000)={{0x1, 0x1, 0x18, 0xffffffffffffffff, {0x0, r0}}, './file0\x00'}) ioctl$AUTOFS_DEV_IOCTL_REQUESTER(0xffffffffffffffff, 0xc018937b, &(0x7f0000000040)={{0x1, 0x1, 0x18, 0xffffffffffffffff, {r1, r4}}, './file0\x00'}) ioctl$AUTOFS_DEV_IOCTL_READY(r5, 0xc0189376, &(0x7f0000000080)={{0x1, 0x1, 0x18, r2, {0x3}}, './file0\x00'}) ioctl$AUTOFS_DEV_IOCTL_FAIL(r5, 0xc0189377, &(0x7f00000000c0)={{0x1, 0x1, 0x18, r2, {0x9, 0x1000}}, './file0\x00'}) ioctl$AUTOFS_DEV_IOCTL_REQUESTER(r6, 0xc018937b, &(0x7f0000000100)={{0x1, 0x1, 0x18, r7, {r3, r0}}, './file0\x00'}) prctl$PR_GET_SECUREBITS(0x1b) unlinkat$binderfs_device(0xffffffffffffff9c, &(0x7f0000000140)='./binderfs/binder0\x00') prctl$PR_GET_SECUREBITS(0x1b) ioctl$AUTOFS_DEV_IOCTL_VERSION(r5, 0xc0189371, &(0x7f0000000180)={{0x1, 0x1, 0x18, 0xffffffffffffffff}, './file0\x00'}) r9 = syz_genetlink_get_family_id$batadv(&(0x7f0000000200), r5) sendmsg$BATADV_CMD_GET_VLAN(r8, &(0x7f0000000300)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x4000}, 0xc, &(0x7f00000002c0)={&(0x7f0000000240)={0x5c, r9, 0x400, 0x70bd27, 0x25dfdbfe, {}, [@BATADV_ATTR_ISOLATION_MARK={0x8, 0x2b, 0x6}, @BATADV_ATTR_ISOLATION_MARK={0x8, 0x2b, 0x90000000}, @BATADV_ATTR_VLANID={0x6}, @BATADV_ATTR_AP_ISOLATION_ENABLED={0x5, 0x2a, 0x1}, @BATADV_ATTR_FRAGMENTATION_ENABLED={0x5}, @BATADV_ATTR_VLANID={0x6}, @BATADV_ATTR_MULTICAST_FORCEFLOOD_ENABLED={0x5, 0x37, 0x1}, @BATADV_ATTR_ISOLATION_MASK={0x8, 0x2c, 0x8}, @BATADV_ATTR_BRIDGE_LOOP_AVOIDANCE_ENABLED={0x5, 0x2e, 0x1}]}, 0x5c}, 0x1, 0x0, 0x0, 0x8000010}, 0x20008041) sendmsg$GTP_CMD_DELPDP(r6, &(0x7f0000000440)={&(0x7f0000000340)={0x10, 0x0, 0x0, 0x800000}, 0xc, &(0x7f0000000400)={&(0x7f0000000380)={0x64, 
0x0, 0x800, 0x70bd29, 0x25dfdbfd, {}, [@GTPA_PEER_ADDRESS={0x8, 0x4, @rand_addr=0x64010100}, @GTPA_VERSION={0x8}, @GTPA_TID={0xc, 0x3, 0x4}, @GTPA_NET_NS_FD={0x8, 0x7, r5}, @GTPA_MS_ADDRESS={0x8, 0x5, @loopback}, @GTPA_I_TEI={0x8, 0x8, 0x2}, @GTPA_LINK={0x8}, @GTPA_TID={0xc, 0x3, 0x4}, @GTPA_FLOW={0x6, 0x6, 0x4}]}, 0x64}, 0x1, 0x0, 0x0, 0x800}, 0x0)
openat$autofs(0xffffffffffffff9c, &(0x7f0000000480), 0xe001c1, 0x0)
getsockname(r7, &(0x7f00000004c0)=@in6={0xa, 0x0, 0x0, @mcast2}, &(0x7f0000000540)=0x80)
ioctl$AUTOFS_DEV_IOCTL_OPENMOUNT(r7, 0xc0189374, &(0x7f0000000580)={{0x1, 0x1, 0x18, r5, {0xd16}}, './file0\x00'})
arch_prctl$ARCH_MAP_VDSO_X32(0x2001, 0x74)
set_thread_area(&(0x7f00000005c0)={0x1, 0x20001000, 0xffffffffffffffff, 0x0, 0x2, 0x1, 0x0, 0x0, 0x1})
[ 71.761788] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 71.764371] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 71.766060] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 71.768166] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 71.770037] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 71.774550] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 71.775871] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 71.779135] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 71.786811] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 71.799114] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 71.823091] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 71.825459] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 71.826932] ==================================================================
[ 71.827991] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x66d/0x6d0
[ 71.828983] Read of size 2 at addr ffff88800b83a178 by task kworker/u11:0/291
[ 71.831477]
[ 71.832316] CPU: 1 UID: 0 PID: 291 Comm: kworker/u11:0 Not tainted 6.18.0-rc5-next-20251114 #1 PREEMPT(voluntary)
[ 71.832345] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 71.832359] Workqueue: hci2 hci_cmd_work
[ 71.832389] Call Trace:
[ 71.832396] <TASK>
[ 71.832404] dump_stack_lvl+0xca/0x120
[ 71.832431] print_report+0xcb/0x610
[ 71.832459] ? __virt_addr_valid+0x100/0x5d0
[ 71.832483] ? hci_cmd_work+0x66d/0x6d0
[ 71.832509] ? hci_cmd_work+0x66d/0x6d0
[ 71.832535] kasan_report+0xca/0x100
[ 71.832561] ? hci_cmd_work+0x66d/0x6d0
[ 71.832591] hci_cmd_work+0x66d/0x6d0
[ 71.832618] process_one_work+0x8e1/0x19c0
[ 71.832654] ? __pfx_process_one_work+0x10/0x10
[ 71.832683] ? move_linked_works+0x172/0x270
[ 71.832711] ? assign_work+0x196/0x240
[ 71.832741] worker_thread+0x67e/0xe90
[ 71.832769] ? trace_irq_enable.constprop.0+0xc2/0x100
[ 71.832795] ? __pfx_worker_thread+0x10/0x10
[ 71.832825] kthread+0x3c8/0x740
[ 71.832851] ? __pfx_kthread+0x10/0x10
[ 71.832876] ? ret_from_fork+0x79/0x7a0
[ 71.832898] ? lock_release+0xc8/0x290
[ 71.832929] ? __pfx_kthread+0x10/0x10
[ 71.832956] ret_from_fork+0x67a/0x7a0
[ 71.832976] ? __pfx_ret_from_fork+0x10/0x10
[ 71.833012] ? __switch_to+0x759/0x1060
[ 71.833041] ? __pfx_kthread+0x10/0x10
[ 71.833068] ret_from_fork_asm+0x1a/0x30
[ 71.833102] </TASK>
[ 71.833109]
[ 71.854764] Allocated by task 293:
[ 71.855278] kasan_save_stack+0x24/0x50
[ 71.855854] kasan_save_track+0x14/0x30
[ 71.856427] __kasan_slab_alloc+0x59/0x70
[ 71.857034] kmem_cache_alloc_node_noprof+0x228/0x6b0
[ 71.857787] __alloc_skb+0x2ab/0x370
[ 71.858338] hci_cmd_sync_alloc+0x34/0x300
[ 71.858964] __hci_cmd_sync_sk+0xf7/0x5c0
[ 71.859579] hci_read_local_version_sync+0x2c/0x170
[ 71.860313] hci_dev_open_sync+0x145c/0x1f60
[ 71.860962] hci_power_on+0xdb/0x5d0
[ 71.861525] process_one_work+0x8e1/0x19c0
[ 71.862140] worker_thread+0x67e/0xe90
[ 71.862709] kthread+0x3c8/0x740
[ 71.863204] ret_from_fork+0x67a/0x7a0
[ 71.863768] ret_from_fork_asm+0x1a/0x30
[ 71.864371]
[ 71.864623] Freed by task 299:
[ 71.865099] kasan_save_stack+0x24/0x50
[ 71.865682] kasan_save_track+0x14/0x30
[ 71.866259] kasan_save_free_info+0x3a/0x60
[ 71.866899] __kasan_slab_free+0x43/0x70
[ 71.867484] kmem_cache_free+0x26f/0x500
[ 71.868081] kfree_skbmem+0x18a/0x1f0
[ 71.868637] sk_skb_reason_drop+0x10e/0x1b0
[ 71.869267] vhci_read+0x3d5/0x5d0
[ 71.869797] vfs_read+0x1eb/0xc70
[ 71.870302] ksys_read+0x121/0x240
[ 71.870821] do_syscall_64+0xbf/0x430
[ 71.871381] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 71.872115]
[ 71.872370] The buggy address belongs to the object at ffff88800b83a140
[ 71.872370] which belongs to the cache skbuff_head_cache of size 232
[ 71.874160] The buggy address is located 56 bytes inside of
[ 71.874160] freed 232-byte region [ffff88800b83a140, ffff88800b83a228)
[ 71.875774]
[ 71.876015] The buggy address belongs to the physical page:
[ 71.876772] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb83a
[ 71.877851] memcg:ffff88800d8ed581
[ 71.878340] flags: 0x100000000000000(node=0|zone=1)
[ 71.879019] page_type: f5(slab)
[ 71.879484] raw: 0100000000000000 ffff8880096c78c0 dead000000000122 0000000000000000
[ 71.880539] raw: 0000000000000000 00000000800c000c 00000000f5000000 ffff88800d8ed581
[ 71.881588] page dumped because: kasan: bad access detected
[ 71.882344]
[ 71.882588] Memory state around the buggy address:
[ 71.883255]  ffff88800b83a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.884230]  ffff88800b83a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[ 71.885224] >ffff88800b83a100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 71.886200]                                                                 ^
[ 71.887181]  ffff88800b83a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.888161]  ffff88800b83a200: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 71.889155] ==================================================================
[ 71.890291] Disabling lock debugging due to kernel taint
[ 71.894756] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 71.899689] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1
[ 71.900900] Bluetooth: hci6: unexpected cc 0x0c03 length: 249 > 1
[ 71.902331] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9
[ 71.903545] Bluetooth: hci6: unexpected cc 0x1003 length: 249 > 9
[ 71.905481] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9
[ 71.909021] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 71.910201] Bluetooth: hci6: unexpected cc 0x1001 length: 249 > 9
[ 71.911983] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 71.913237] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4
[ 71.916688] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2
[ 71.917745] Bluetooth: hci6: unexpected cc 0x0c23 length: 249 > 4
[ 71.923807] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 71.924928] Bluetooth: hci6: unexpected cc 0x0c38 length: 249 > 2
[ 71.936875] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 71.938936] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 71.943611] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 71.943773] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 71.946130] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 71.957774]
Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4 [ 71.957882] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 71.959549] Bluetooth: hci7: unexpected cc 0x0c03 length: 249 > 1 [ 71.961777] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2 [ 71.968054] Bluetooth: hci7: unexpected cc 0x1003 length: 249 > 9 [ 71.969979] Bluetooth: hci7: unexpected cc 0x1001 length: 249 > 9 [ 71.976889] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 71.991112] Bluetooth: hci7: unexpected cc 0x0c23 length: 249 > 4 [ 72.001927] Bluetooth: hci7: unexpected cc 0x0c38 length: 249 > 2 [ 73.850914] Bluetooth: hci1: command tx timeout [ 73.851387] Bluetooth: hci0: command tx timeout [ 73.978679] Bluetooth: hci6: command tx timeout [ 73.978752] Bluetooth: hci2: command tx timeout [ 73.979125] Bluetooth: hci5: command tx timeout [ 74.042720] Bluetooth: hci4: command tx timeout [ 74.042843] Bluetooth: hci7: command tx timeout [ 74.107697] Bluetooth: hci3: command tx timeout [ 75.899690] Bluetooth: hci0: command tx timeout [ 75.899719] Bluetooth: hci1: command tx timeout [ 76.027109] Bluetooth: hci5: command tx timeout [ 76.027693] Bluetooth: hci2: command tx timeout [ 76.027909] Bluetooth: hci6: command tx timeout [ 76.091769] Bluetooth: hci7: command tx timeout [ 76.092491] Bluetooth: hci4: command tx timeout [ 76.155714] Bluetooth: hci3: command tx timeout [ 77.947329] Bluetooth: hci1: command tx timeout [ 77.947347] Bluetooth: hci0: command tx timeout [ 78.074723] Bluetooth: hci6: command tx timeout [ 78.075281] Bluetooth: hci2: command tx timeout [ 78.076169] Bluetooth: hci5: command tx timeout [ 78.138750] Bluetooth: hci4: command tx timeout [ 78.139274] Bluetooth: hci7: command tx timeout [ 78.204664] Bluetooth: hci3: command tx timeout [ 79.994711] Bluetooth: hci1: command tx timeout [ 79.995270] Bluetooth: hci0: command tx timeout [ 80.122806] Bluetooth: hci2: command tx timeout [ 80.123246] Bluetooth: hci6: command tx timeout [ 80.123618] Bluetooth: hci5: command 
tx timeout [ 80.187683] Bluetooth: hci7: command tx timeout [ 80.188079] Bluetooth: hci4: command tx timeout [ 80.250665] Bluetooth: hci3: command tx timeout VM DIAGNOSIS: 19:18:59 Registers: info registers vcpu 0 RAX=ffff88800dc57000 RBX=0000000000000000 RCX=0000000000092cc0 RDX=0000000000000000 RSI=ffff88800dc57000 RDI=ffff88806ce31cd0 RBP=ffff8880095578a0 RSP=ffff8880095577c8 R8 =00000000ffffffff R9 =ffff88806c2d5260 R10=ffff8880095577d8 R11=0000000000000000 R12=ffff88800bcdd4a0 R13=0000000000000010 R14=0000000000000001 R15=ffff888008c41640 RIP=ffffffff81ab3545 RFL=00000246 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=0 ES =0000 0000000000000000 00000000 00000000 CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA] SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA] DS =0000 0000000000000000 00000000 00000000 FS =0000 00007f0bb2595900 00000000 00000000 GS =0000 ffff8880e538f000 00000000 00000000 LDT=0000 fffffe7c00000000 00000000 00000000 TR =0040 fffffe0000003000 00004087 00008b00 DPL=0 TSS64-busy GDT= fffffe0000001000 0000007f IDT= fffffe0000000000 00000fff CR0=80050033 CR2=00007f0e2512a27c CR3=000000000c794000 CR4=00350ef0 DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 DR6=00000000ffff0ff0 DR7=0000000000000400 EFER=0000000000000d01 FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80 FPR0=0000000000000000 0000 FPR1=0000000000000000 0000 FPR2=0000000000000000 0000 FPR3=0000000000000000 0000 FPR4=0000000000000000 0000 FPR5=0000000000000000 0000 FPR6=0000000000000000 0000 FPR7=0000000000000000 0000 XMM00=00000000000000000000000000000000 XMM01=00000000000000000000000000000000 XMM02=00000000000000000000000000000000 XMM03=00000000000000000000000000000000 XMM04=ffffffffffffff00000000ff00000000 XMM05=00000000000000000000000000000000 XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000 XMM08=00000000000000000000000000000000 XMM09=00000000000000000000000000000000 XMM10=00000000000000000000000000000000 
XMM11=00000000000000000000000000000000 XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000 XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000 info registers vcpu 1 RAX=0000000000000069 RBX=00000000000003f8 RCX=0000000000000000 RDX=00000000000003f8 RSI=ffffffff8293dd05 RDI=ffffffff889747c0 RBP=ffffffff88974780 RSP=ffff888017197618 R8 =0000000000000000 R9 =ffffed1001679046 R10=0000000000000069 R11=6572617764726148 R12=0000000000000069 R13=0000000000000010 R14=ffffffff88974780 R15=ffffffff8293dcf0 RIP=ffffffff8293dd5d RFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0 ES =0000 0000000000000000 00000000 00000000 CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA] SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA] DS =0000 0000000000000000 00000000 00000000 FS =0000 0000000000000000 00000000 00000000 GS =0000 ffff8880e548f000 00000000 00000000 LDT=0000 fffffe2500000000 00000000 00000000 TR =0040 fffffe000004a000 00004087 00008b00 DPL=0 TSS64-busy GDT= fffffe0000048000 0000007f IDT= fffffe0000000000 00000fff CR0=80050033 CR2=00007fbc7000c070 CR3=000000001ead5000 CR4=00350ef0 DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 DR6=00000000ffff0ff0 DR7=0000000000000400 EFER=0000000000000d01 FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80 FPR0=0000000000000000 0000 FPR1=0000000000000000 0000 FPR2=0000000000000000 0000 FPR3=0000000000000000 0000 FPR4=0000000000000000 0000 FPR5=0000000000000000 0000 FPR6=0000000000000000 0000 FPR7=0000000000000000 0000 XMM00=00000000000000000000000000000000 XMM01=00007fbc700cf7c000007fbc700cf7c8 XMM02=00007fbc700cf7e000007fbc700cf7c0 XMM03=00007fbc700cf7c800007fbc700cf7c0 XMM04=ffffffffffffffffffffffffffffff00 XMM05=00000000000000000000000000000000 XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000 XMM08=00000000000000000000000000000000 XMM09=00000000000000000000000000000000 XMM10=00000000000000000000000000000000 
XMM11=00000000000000000000000000000000 XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000 XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000