Warning: Permanently added '[localhost]:8653' (ECDSA) to the list of known hosts.
2025/11/16 19:51:27 fuzzer started
2025/11/16 19:51:27 dialing manager at localhost:37161
syzkaller login: [   51.642995] cgroup: Unknown subsys name 'net'
[   51.705901] cgroup: Unknown subsys name 'cpuset'
[   51.735789] cgroup: Unknown subsys name 'rlimit'
2025/11/16 19:51:38 syscalls: 209
2025/11/16 19:51:38 code coverage: enabled
2025/11/16 19:51:38 comparison tracing: enabled
2025/11/16 19:51:38 extra coverage: enabled
2025/11/16 19:51:38 setuid sandbox: enabled
2025/11/16 19:51:38 namespace sandbox: enabled
2025/11/16 19:51:38 Android sandbox: enabled
2025/11/16 19:51:38 fault injection: enabled
2025/11/16 19:51:38 leak checking: enabled
2025/11/16 19:51:38 net packet injection: enabled
2025/11/16 19:51:38 net device setup: enabled
2025/11/16 19:51:38 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2025/11/16 19:51:38 devlink PCI setup: PCI device 0000:00:10.0 is not available
2025/11/16 19:51:38 USB emulation: enabled
2025/11/16 19:51:38 hci packet injection: enabled
2025/11/16 19:51:38 wifi device emulation: enabled
2025/11/16 19:51:38 802.15.4 emulation: enabled
2025/11/16 19:51:38 fetching corpus: 0, signal 0/0 (executing program)
2025/11/16 19:51:40 starting 8 fuzzer processes
19:51:40 executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000000), 0x1, 0x1)
ioctl$SG_GET_SCSI_ID(0xffffffffffffffff, 0x2276, &(0x7f0000000040))
ioctl$SG_GET_KEEP_ORPHAN(0xffffffffffffffff, 0x2288, &(0x7f0000000080))
ioctl$SG_SCSI_RESET(0xffffffffffffffff, 0x2284, 0x0)
r1 = openat$full(0xffffffffffffff9c, &(0x7f00000000c0), 0x48001, 0x0)
ioctl$BLKTRACESETUP(r1, 0xc0481273, &(0x7f0000000100)={'\x00', 0x40, 0x401, 0xca, 0x73, 0xffffffffffff1161})
ioctl$SG_SET_TIMEOUT(r1, 0x2201, &(0x7f0000000180)=0x9)
ioctl$BLKDISCARD(r0, 0x1277, &(0x7f00000001c0)=0x3)
syz_open_dev$loop(&(0x7f0000000200), 0xfff, 0x420040)
r2 = accept4(r1, &(0x7f0000000240)=@rxrpc=@in4={0x21, 0x0, 0x2, 0x10, {0x2, 0x0, @initdev}}, &(0x7f00000002c0)=0x80, 0x800)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000004c0)={0x68, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x3, 0x0, 0x0, 0x0, 0x21, 0x0, 0x0, 0x58, 0x18, &(0x7f0000000300)={@fd={0x66642a85, 0x0, r2}, @fda={0x66646185, 0x3, 0x0, 0xc}, @fda={0x66646185, 0x4, 0x1, 0x3b}}, &(0x7f0000000380)={0x0, 0x18, 0x38}}}, @free_buffer, @increfs_done, @register_looper], 0x41, 0x0, &(0x7f0000000440)="99a3a50741b952646b6b78f164ce825df7b3148a26c80fa8d66879512a21ac0acd03411194f5a69f1c1dc2e4d7416c2adf2c2aad2f3a8b22ee89f08f8d4973ec2f"})
ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f0000000500)={'wlan0\x00'})
r3 = socket$nl_xfrm(0x10, 0x3, 0x6)
getsockopt$inet_IP_XFRM_POLICY(r2, 0x0, 0x11, &(0x7f0000000580)={{{@in=@private, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r4=>0x0}}, {{@in6=@ipv4={""/10, ""/2, @initdev}}, 0x0, @in6=@private1}}, &(0x7f0000000680)=0xe8)
getsockopt$inet_IP_XFRM_POLICY(r2, 0x0, 0x11, &(0x7f00000006c0)={{{@in=@private, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r5=>0x0}}, {{@in=@loopback}, 0x0, @in6=@initdev}}, &(0x7f00000007c0)=0xe8)
sendmsg$nl_xfrm(r3, &(0x7f0000000b00)={&(0x7f0000000540)={0x10, 0x0, 0x0, 0x80000000}, 0xc, &(0x7f0000000ac0)={&(0x7f0000000800)=@flushpolicy={0x294, 0x1d, 0x100, 0x70bd26, 0x25dfdbfb, "", [@lifetime_val={0x24, 0x9, {0x7c, 0x6, 0x1000, 0x1}}, @XFRMA_IF_ID={0x8, 0x1f, r4}, @sec_ctx={0x9e, 0x8, {0x9a, 0x8, 0x0, 0x69, 0x92, "1b8893a142e587879d6f8b538c49ddba101970319e53524348d5b31e1eb842c354a3f0ebd8a3144c16048935034d2bd688e4c1c8bc6ed030dafc4a35b9b01b8cee58b4932f2ce33751284bf8d9075a1e542919bd91fb8ff25d4bd2ed650a2843ada1639d0f1e18cbf68b860082c9bdf097120c18d7ed5620865e5633ef92ce8a6ea74b3670c9fd0aa0dd86beb35468394b3c"}}, @srcaddr={0x14, 0xd, @in6=@empty}, @sa={0xe4, 0x6, {{@in6=@private1={0xfc, 0x1, '\x00', 0x1}, @in6=@mcast2, 0x4e21, 0x2e, 0x4e22, 0x0, 0x1, 0x0, 0xa0, 0x3b, 0x0, 0xee00}, {@in=@remote, 0x4d5, 0x32}, @in=@private=0xa010100, {0xfffffffffffffffa, 0x1e4, 0x80, 0x32, 0x4, 0x200, 0x5, 0xb9a}, {0x5, 0x2, 0x5, 0x101}, {0x8001, 0x4, 0x2}, 0x70bd29, 0x3504, 0x2, 0x0, 0x8, 0x52}}, @srcaddr={0x14, 0xd, @in6=@private1={0xfc, 0x1, '\x00', 0x1}}, @policy={0xac, 0x7, {{@in=@multicast1, @in6=@mcast1, 0x4e20, 0x101, 0x4e23, 0x0, 0xa, 0x0, 0x80, 0x6, 0x0, r5}, {0x7, 0x20, 0x8, 0x7, 0x9, 0x40, 0x100000001}, {0x0, 0xfffffffffffffffb, 0x2, 0x1}, 0x41ee, 0x6e6bb6, 0x2, 0x0, 0x0, 0x1}}]}, 0x294}, 0x1, 0x0, 0x0, 0x20000800}, 0x0)
syz_genetlink_get_family_id$nl80211(&(0x7f0000000b40), r2)
ioctl$BLKGETSIZE(r1, 0x1260, &(0x7f0000000b80))
ioctl$SCSI_IOCTL_STOP_UNIT(0xffffffffffffffff, 0x6)
ioctl$SCSI_IOCTL_GET_IDLUN(0xffffffffffffffff, 0x5382, &(0x7f0000000c00))

19:51:40 executing program 5:
r0 = syz_open_dev$loop(&(0x7f0000000000), 0x7, 0x400040)
ioctl$IOC_PR_PREEMPT_ABORT(r0, 0x401870cc, &(0x7f0000000040)={0x5, 0x3ff, 0x1, 0x4d7a})
r1 = openat$full(0xffffffffffffff9c, &(0x7f0000000080), 0x24140, 0x0)
ioctl$BLKGETSIZE64(r1, 0x80081272, &(0x7f00000000c0))
ioctl$LOOP_CHANGE_FD(r1, 0x4c06, r0)
ioctl$IOC_PR_CLEAR(r0, 0x401070cd, &(0x7f0000000100)={0x401})
ioctl$SG_GET_REQUEST_TABLE(0xffffffffffffffff, 0x2286, &(0x7f0000000140))
ioctl$SCSI_IOCTL_START_UNIT(r1, 0x5)
ioctl$BLKROSET(r1, 0x125d, &(0x7f00000002c0)=0x6d)
r2 = openat$full(0xffffffffffffff9c, &(0x7f0000000300), 0x200002, 0x0)
ioctl$SG_IO(r2, 0x2285, &(0x7f00000005c0)={0x53, 0xffffffffffffffff, 0x87, 0x4, @buffer={0x0, 0x6d, &(0x7f0000000340)=""/109}, &(0x7f00000003c0)="59c1718f7842425a61cd1d01eeed4559417f932425078f920300ce57f85ce2d74277baa0cc0e381d0df3f7cf54817deb5d96152e2153c1ef39fb104cd65f3c811721f2c8b08f9162af5e81c3803464ac93cf78ec57f403e8700c167ebb6825a06894ddc25d125a3c76fafc19cf98e02213f715bd590d95bf36cb9355e922ea6ed4dee4a945b25d", &(0x7f0000000480)=""/218, 0x80, 0x10000, 0x1, &(0x7f0000000580)})
r3 = syz_open_dev$sg(&(0x7f0000000640), 0x2, 0x200001)
ioctl$SG_SET_RESERVED_SIZE(r3, 0x2275, &(0x7f0000000680))
r4 = accept4(0xffffffffffffffff, &(0x7f00000006c0)=@pppol2tpin6={0x18, 0x1, {0x0, <r5=>0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @mcast2}}}, &(0x7f0000000740)=0x80, 0x80c00)
r6 = syz_genetlink_get_family_id$ipvs(&(0x7f00000007c0), r2)
sendmsg$IPVS_CMD_GET_SERVICE(r5, &(0x7f00000008c0)={&(0x7f0000000780)={0x10, 0x0, 0x0, 0x200}, 0xc, &(0x7f0000000880)={&(0x7f0000000800)={0x4c, r6, 0x200, 0x70bd28, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x3}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x7f}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x8c51}, @IPVS_CMD_ATTR_DEST={0x18, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_ADDR={0x14, 0x1, @ipv6=@private1}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x56f}]}, 0x4c}, 0x1, 0x0, 0x0, 0x4090}, 0x400c081)
r7 = openat$full(0xffffffffffffff9c, &(0x7f0000000900), 0x10a01, 0x0)
ioctl$SG_GET_PACK_ID(r7, 0x227c, &(0x7f0000000940))
sendmsg$IPVS_CMD_ZERO(r4, &(0x7f0000000a80)={&(0x7f0000000980)={0x10, 0x0, 0x0, 0x200}, 0xc, &(0x7f0000000a40)={&(0x7f00000009c0)={0x5c, r6, 0x4, 0x70bd25, 0x25dfdbfd, {}, [@IPVS_CMD_ATTR_SERVICE={0x14, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PORT={0x6, 0x4, 0x4e23}, @IPVS_SVC_ATTR_FWMARK={0x8}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x1ff}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_ADDR_FAMILY={0x6, 0xb, 0x2}, @IPVS_DEST_ATTR_PORT={0x6, 0x2, 0x4e22}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xa73}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x10001}]}, 0x5c}, 0x1, 0x0, 0x0, 0xc090}, 0x24040801)
sendmsg$IPVS_CMD_DEL_SERVICE(r5, &(0x7f0000000c00)={&(0x7f0000000ac0)={0x10, 0x0, 0x0, 0x40000000}, 0xc, &(0x7f0000000bc0)={&(0x7f0000000b00)={0xa0, 0x0, 0x100, 0x70bd2b, 0x25dfdbfe, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8}, @IPVS_CMD_ATTR_DEST={0x44, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e24}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x9}, @IPVS_DEST_ATTR_TUN_TYPE={0x5, 0xd, 0x1}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x7}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4e9}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x6}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x1}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e24}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x1c}, @IPVS_CMD_ATTR_DAEMON={0x28, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x3}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'vlan1\x00'}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x1}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x1}]}, 0xa0}, 0x1, 0x0, 0x0, 0x4044060}, 0x0)

19:51:40 executing program 7:
pipe2$9p(&(0x7f0000000000), 0xc00)
ioctl$SG_SET_FORCE_PACK_ID(0xffffffffffffffff, 0x227b, &(0x7f0000000040))
ioctl$SG_SET_COMMAND_Q(0xffffffffffffffff, 0x2271, &(0x7f0000000080))
ioctl$SG_IO(0xffffffffffffffff, 0x2285, &(0x7f0000000340)={0x0, 0x7ffffffffffffffd, 0xad, 0x8e, @scatter={0x3, 0x0, &(0x7f00000001c0)=[{&(0x7f00000000c0)}, {&(0x7f0000000100)=""/92, 0x5c}, {&(0x7f0000000180)=""/58, 0x3a}]}, &(0x7f0000000200)="b6e9b252a7ac2124c9d4b28ff91344a1f68087562f817eb7e95c0f4dffeca22b13159ae4a2afbbf63c0d54ebe48c75fc77199bb7dd12bba565f6ca3465b9c87a5d3df4d058ed8646793a903959129ee78685577538fa3a89dbef1014ea3383a6e314bf7a3cdf6ba6f162247eae971c79049481829c62765f6cac94fa8af15cc554bb980cfe9a6d358543b10f1511dc6b4d58a06c6e781613524152393c3b3ea71b7b5269358dc6d0dbe28d46c3", &(0x7f00000002c0)=""/44, 0x7f, 0x3, 0xffffffffffffffff, &(0x7f0000000300)})
ioctl$SG_GET_ACCESS_COUNT(0xffffffffffffffff, 0x2289, &(0x7f00000003c0))
shmctl$SHM_STAT(0xffffffffffffffff, 0xd, &(0x7f0000000400)=""/196)
r0 = openat$full(0xffffffffffffff9c, &(0x7f0000000500), 0x200480, 0x0)
ioctl$SCSI_IOCTL_SEND_COMMAND(r0, 0x1, &(0x7f0000000540)={0x26, 0x3, 0x2, "29c5dfb0b1c513ef0adae8a6fbfc10b1d64b7cf458c5b888d6731d09a83d53e749bea23d290e"})
r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$NLBL_UNLABEL_C_LIST(r1, &(0x7f0000000780)={&(0x7f0000000580)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000740)={&(0x7f00000005c0)={0x144, 0x0, 0x8, 0x70bd25, 0x25dfdbfd, {}, [@NLBL_UNLABEL_A_SECCTX={0x28, 0x7, 'system_u:object_r:mqueue_spool_t:s0\x00'}, @NLBL_UNLABEL_A_SECCTX={0x2f, 0x7, 'system_u:object_r:systemd_notify_exec_t:s0\x00'}, @NLBL_UNLABEL_A_SECCTX={0x31, 0x7, 'system_u:object_r:systemd_tmpfiles_exec_t:s0\x00'}, @NLBL_UNLABEL_A_IPV4ADDR={0x8, 0x4, @loopback}, @NLBL_UNLABEL_A_SECCTX={0x2b, 0x7, 'system_u:object_r:syslogd_var_lib_t:s0\x00'}, @NLBL_UNLABEL_A_SECCTX={0x1f, 0x7, 'system_u:object_r:bin_t:s0\x00'}, @NLBL_UNLABEL_A_IFACE={0x14, 0x6, 'tunl0\x00'}, @NLBL_UNLABEL_A_IPV6MASK={0x14, 0x3, @initdev={0xfe, 0x88, '\x00', 0x1, 0x0}}, @NLBL_UNLABEL_A_IPV6MASK={0x14, 0x3, @private0}, @NLBL_UNLABEL_A_IPV6ADDR={0x14, 0x2, @private2}]}, 0x144}, 0x1, 0x0, 0x0, 0x800}, 0x40000)
r2 = syz_open_dev$hidraw(&(0x7f00000007c0), 0x10000, 0x60203)
ioctl$HIDIOCGRAWNAME(r2, 0x80404804, &(0x7f0000000800))
ioctl$LOOP_SET_FD(r0, 0x4c00, r2)
ioctl$SG_SET_TIMEOUT(r0, 0x2201, &(0x7f0000000840)=0x7)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f00000008c0), r0)
sendmsg$NL80211_CMD_ABORT_SCAN(0xffffffffffffffff, &(0x7f0000000980)={&(0x7f0000000880)={0x10, 0x0, 0x0, 0x40000000}, 0xc, &(0x7f0000000940)={&(0x7f0000000900)={0x20, r3, 0xb24, 0x70bd26, 0x25dfdbfd, {{}, {@void, @val={0xc, 0x99, {0x6c, 0x13}}}}, [""]}, 0x20}, 0x1, 0x0, 0x0, 0x800}, 0x40000)
ioctl$SG_SET_FORCE_PACK_ID(r0, 0x227b, &(0x7f00000009c0)=0x1)
syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r4 = openat$full(0xffffffffffffff9c, &(0x7f0000000a00), 0x40000, 0x0)
ioctl$SCSI_IOCTL_SEND_COMMAND(r4, 0x1, &(0x7f0000000a40)={0x49, 0x9, 0x9, "f8488b52874d63b7985ec788a9f8f82c104229fc619697bc48f5d8c3d3c8a1c9dbb9c7d33c9c65ae45b57fe9904a5eb6a7e1e18eb416d81fee5bc8e8132ed561b0a8eff98d9b8896fa"})

19:51:40 executing program 2:
r0 = io_uring_setup(0x63f4, &(0x7f0000000000)={0x0, 0xdb6d, 0x20, 0x1, 0xb7})
r1 = io_uring_register$IORING_REGISTER_PERSONALITY(r0, 0x9, 0x0, 0x0)
membarrier(0x1, 0x0)
syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
r2 = inotify_add_watch(0xffffffffffffffff, &(0x7f00000000c0)='./file0\x00', 0x1000000)
inotify_rm_watch(0xffffffffffffffff, r2)
prctl$PR_CAPBSET_DROP(0x18, 0xc)
io_uring_register$IORING_UNREGISTER_PERSONALITY(r0, 0xa, 0x0, r1)
ioctl$BLKBSZGET(0xffffffffffffffff, 0x80081270, &(0x7f0000000100))
r3 = inotify_add_watch(0xffffffffffffffff, &(0x7f0000000140)='./file0\x00', 0x1000000)
r4 = syz_open_dev$loop(&(0x7f0000000180), 0x1, 0x208000)
ioctl$LOOP_SET_FD(r4, 0x4c00, r0)
r5 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000001c0)='./binderfs/custom1\x00', 0x800, 0x0)
ioctl$BTRFS_IOC_GET_SUBVOL_INFO(r5, 0x81f8943c, &(0x7f0000000200))
inotify_init()
inotify_rm_watch(r5, r3)
membarrier(0x4, 0x0)
r6 = syz_open_dev$loop(&(0x7f0000000400), 0xffff, 0x200180)
ioctl$LOOP_SET_BLOCK_SIZE(r6, 0x4c09, 0x4)
openat$rfkill(0xffffffffffffff9c, &(0x7f0000000440), 0x6a202, 0x0)

19:51:40 executing program 6:
ioctl$BLKDISCARD(0xffffffffffffffff, 0x1277, &(0x7f0000000000)=0x9)
r0 = openat$full(0xffffffffffffff9c, &(0x7f0000000040), 0x31200, 0x0)
ioctl$LOOP_SET_FD(r0, 0x4c00, 0xffffffffffffffff)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f00000000c0), r0)
sendmsg$NL80211_CMD_UPDATE_OWE_INFO(r0, &(0x7f0000000400)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x800000}, 0xc, &(0x7f00000003c0)={&(0x7f0000000100)={0x290, r1, 0x1, 0x70bd29, 0x25dfdbfb, {{}, {@void, @val={0xc, 0x99, {0x4, 0x1d}}}}, [@NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x67}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x4f}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0xd}, @NL80211_ATTR_IE={0x1f4, 0x2a, [@random_vendor={0xdd, 0x19, "066c78a053250acb52b0cbdea87d2b881b6dd1a4125ea10fcf"}, @tim={0x5, 0x7f, {0x1, 0x9f, 0x5, "040cabaf0ba4934ef7231975540ddb13eda65f68b4a4bf3d5327eec91ea582f1190196cc46abb493aae5fa9b03ceea055fcccddb4e6dbbe8346f85bad2f19cbaa7611d58960076988b7cd3ed4d781664e63be4de6fd67c8e8de9dd0c61d6ad31d028549c2dfd97996edf6dc206dd0e1bcbdea83abadab1562afb89ae"}}, @erp={0x2a, 0x1, {0x0, 0x0, 0x1}}, @prep={0x83, 0x25, @ext={{}, 0x3f, 0x38, @broadcast, 0x0, @device_b, 0x6, 0x27, @device_b, 0x6}}, @perr={0x84, 0xdc, {0x1, 0xe, [@not_ext={{}, @device_b, 0xfffffffb, "", 0x18}, @not_ext={{}, @device_b, 0x7, "", 0x2b}, @not_ext={{}, @device_a, 0x401, "", 0x33}, @not_ext={{}, @broadcast, 0x69e3, "", 0x2}, @not_ext={{}, @device_a, 0x1, "", 0x29}, @ext={{}, @device_b, 0x7, @device_a, 0xf}, @ext={{}, @device_a, 0xaf, @device_a, 0x37}, @ext={{}, @broadcast, 0x7, @device_b, 0x16}, @not_ext={{}, @device_b, 0x401, "", 0x33}, @ext={{}, @device_a, 0x6, @device_b, 0x32}, @ext={{}, @device_b, 0xffffff01, @broadcast, 0x3e}, @not_ext={{}, @device_a, 0x5, "", 0x17}, @ext={{}, @device_a, 0x9, @broadcast, 0x39}, @not_ext={{}, @broadcast, 0x1, "", 0x18}]}}, @prep={0x83, 0x25, @ext={{}, 0x1, 0xff, @device_a, 0x7, @device_a, 0x2, 0x800, @device_b, 0x7}}, @chsw_timing={0x68, 0x4, {0x5}}, @ht={0x2d, 0x1a, {0x40, 0x2, 0x2, 0x0, {0x92ed, 0x0, 0x0, 0x74, 0x0, 0x0, 0x1, 0x3, 0x1}, 0x400, 0x63, 0x81}}, @dsss={0x3, 0x1, 0x9d}]}, @NL80211_ATTR_IE={0xc, 0x2a, [@sec_chan_ofs={0x3e, 0x1, 0x1}, @channel_switch={0x25, 0x3, {0x1, 0xb1, 0xff}}]}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_IE={0x40, 0x2a, [@channel_switch={0x25, 0x3, {0x1, 0x9, 0x2}}, @mesh_config={0x71, 0x7, {0xffffffffffffffff, 0x0, 0x0, 0x1, 0x2, 0x3f, 0x20}}, @tim={0x5, 0x10, {0xbc, 0x3e, 0x1, "3a59666438c284ee6d556fb981"}}, @gcr_ga={0xbd, 0x6}, @link_id={0x65, 0x12, {@initial, @device_b, @broadcast}}]}]}, 0x290}, 0x1, 0x0, 0x0, 0x4000041}, 0x4000008)
ioctl$IOC_PR_RESERVE(r0, 0x401070c9, &(0x7f0000000440)={0x1, 0x8})
r2 = syz_open_dev$loop(&(0x7f0000000480), 0x1, 0x80000)
ioctl$BLKIOMIN(r2, 0x1278, &(0x7f00000004c0))
ioctl$BLKROSET(r0, 0x125d, &(0x7f0000000500)=0x3)
r3 = openat$full(0xffffffffffffff9c, &(0x7f0000000540), 0x400203, 0x0)
sendmsg$IPVS_CMD_SET_CONFIG(r3, &(0x7f0000000640)={&(0x7f0000000580)={0x10, 0x0, 0x0, 0x80}, 0xc, &(0x7f0000000600)={&(0x7f00000005c0)={0x40, 0x0, 0x1, 0x70bd27, 0x25dfdbff, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x5}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}, @IPVS_CMD_ATTR_DEST={0x1c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0xc87}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x2}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xfff}]}]}, 0x40}}, 0x20004044)
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000680)='./binderfs2/binder1\x00', 0x802, 0x0)
ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000740)={0x8, 0x0, &(0x7f00000006c0)=[@decrefs={0x40046307, 0x1}], 0x2d, 0x0, &(0x7f0000000700)="e34899e042ae36375fb768206eda13485e10798417cbaaa77c64278d1686f083d4bb39bdd70b06fd0b15629983"})
ioctl$BLKREPORTZONE(r0, 0xc0101282, &(0x7f0000000780)={0xe, 0x1, 0x0, [{0xf56, 0x7, 0xffffffff, 0x7, 0x7, 0x6, 0x1}]})
r5 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000840), 0xffffffffffffffff)
sendmsg$NL80211_CMD_JOIN_IBSS(r3, &(0x7f0000000980)={&(0x7f0000000800)={0x10, 0x0, 0x0, 0x10}, 0xc, &(0x7f0000000940)={&(0x7f0000000880)={0xc0, r5, 0x0, 0x70bd2c, 0x25dfdbfd, {{}, {@void, @void}}, [@NL80211_ATTR_FREQ_FIXED={0x4}, @NL80211_ATTR_BEACON_INTERVAL={0x8, 0xc, @random=0xe8cb}, @NL80211_ATTR_FREQ_FIXED={0x4}, @NL80211_ATTR_KEYS={0x9c, 0x51, 0x0, 0x1, [{0x64, 0x0, 0x0, 0x1, [@NL80211_KEY_DEFAULT_TYPES={0x24, 0x8, 0x0, 0x1, [@NL80211_KEY_DEFAULT_TYPE_UNICAST={0x4}, @NL80211_KEY_DEFAULT_TYPE_MULTICAST={0x4}, @NL80211_KEY_DEFAULT_TYPE_UNICAST={0x4}, @NL80211_KEY_DEFAULT_TYPE_UNICAST={0x4}, @NL80211_KEY_DEFAULT_TYPE_UNICAST={0x4}, @NL80211_KEY_DEFAULT_TYPE_MULTICAST={0x4}, @NL80211_KEY_DEFAULT_TYPE_UNICAST={0x4}, @NL80211_KEY_DEFAULT_TYPE_UNICAST={0x4}]}, @NL80211_KEY_CIPHER={0x8, 0x3, 0xfac01}, @NL80211_KEY_DEFAULT_TYPES={0x20, 0x8, 0x0, 0x1, [@NL80211_KEY_DEFAULT_TYPE_MULTICAST={0x4}, @NL80211_KEY_DEFAULT_TYPE_UNICAST={0x4}, @NL80211_KEY_DEFAULT_TYPE_UNICAST={0x4}, @NL80211_KEY_DEFAULT_TYPE_MULTICAST={0x4}, @NL80211_KEY_DEFAULT_TYPE_UNICAST={0x4}, @NL80211_KEY_DEFAULT_TYPE_UNICAST={0x4}, @NL80211_KEY_DEFAULT_TYPE_UNICAST={0x4}]}, @NL80211_KEY_DATA_WEP40={0x9, 0x1, "721a644f02"}, @NL80211_KEY_TYPE={0x8, 0x7, 0x1}]}, {0x1c, 0x0, 0x0, 0x1, [@NL80211_KEY_TYPE={0x8}, @NL80211_KEY_IDX={0x5, 0x2, 0x2}, @NL80211_KEY_IDX={0x5, 0x2, 0x5}]}, {0x18, 0x0, 0x0, 0x1, [@NL80211_KEY_SEQ={0x6, 0x4, "1bac"}, @NL80211_KEY_DEFAULT_MGMT={0x4}, @NL80211_KEY_SEQ={0x8, 0x4, "ca5299e4"}]}]}]}, 0xc0}, 0x1, 0x0, 0x0, 0x4040881}, 0x10008054)
ioctl$IOC_PR_CLEAR(r0, 0x401070cd, &(0x7f00000009c0)={0x7f})
ioctl$BLKBSZGET(r3, 0x80081270, &(0x7f0000000a00))
r6 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$IPVS_CMD_DEL_SERVICE(r6, &(0x7f0000000b40)={&(0x7f0000000a40)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f0000000b00)={&(0x7f0000000a80)={0x5c, 0x0, 0x200, 0x70bd2b, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x7}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0xfff}, @IPVS_CMD_ATTR_DAEMON={0x28, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'dummy0\x00'}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x3}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x6, 0x4, 0x100}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x5}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8}]}, 0x5c}, 0x1, 0x0, 0x0, 0x20000000}, 0x8000050)

19:51:40 executing program 3:
r0 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000040), 0xffffffffffffffff)
sendmsg$IPVS_CMD_SET_CONFIG(0xffffffffffffffff, &(0x7f0000000180)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f0000000140)={&(0x7f0000000080)={0xb0, r0, 0x4, 0x70bd28, 0x25dfdbfe, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x3}, @IPVS_CMD_ATTR_DAEMON={0x4c, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x5}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x6, 0x4, 0x8}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @mcast1}, @IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3, 0x2}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'wlan0\x00'}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x1}, @IPVS_CMD_ATTR_DEST={0x40, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0xffffffff}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x3}, @IPVS_DEST_ATTR_PORT={0x6, 0x2, 0x4e21}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x3ff}, @IPVS_DEST_ATTR_ADDR={0x14, 0x1, @ipv6=@private1={0xfc, 0x1, '\x00', 0x1}}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e24}]}]}, 0xb0}, 0x1, 0x0, 0x0, 0x90}, 0x14000885)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000200)={'wlan1\x00', <r1=>0x0})
sendmsg$NL80211_CMD_CRIT_PROTOCOL_STOP(0xffffffffffffffff, &(0x7f00000002c0)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x1}, 0xc, &(0x7f0000000280)={&(0x7f0000000240)={0x28, 0x0, 0x20, 0x70bd26, 0x25dfdbff, {{}, {@val={0x8, 0x3, r1}, @val={0xc, 0x99, {0x3f, 0x74}}}}, ["", ""]}, 0x28}, 0x1, 0x0, 0x0, 0x20008814}, 0x40000)
sendmsg$IPVS_CMD_GET_CONFIG(0xffffffffffffffff, &(0x7f0000000540)={&(0x7f0000000300)={0x10, 0x0, 0x0, 0x800}, 0xc, &(0x7f0000000500)={&(0x7f0000000340)={0x18c, r0, 0x8, 0x70bd25, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x5}, @IPVS_CMD_ATTR_SERVICE={0x58, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x2b}, @IPVS_SVC_ATTR_FWMARK={0x8}, @IPVS_SVC_ATTR_FWMARK={0x8, 0x5, 0x3}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x3a}, @IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x5f}, @IPVS_SVC_ATTR_FWMARK={0x8, 0x5, 0x2}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x34}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'lc\x00'}, @IPVS_SVC_ATTR_AF={0x6, 0x1, 0x2}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x7ff}, @IPVS_CMD_ATTR_DAEMON={0x68, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x7}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x6, 0x4, 0x1f}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private0={0xfc, 0x0, '\x00', 0x1}}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'virt_wifi0\x00'}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'vlan1\x00'}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x2}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x6, 0x4, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @remote}]}, @IPVS_CMD_ATTR_SERVICE={0x3c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_FWMARK={0x8, 0x5, 0x4}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x16}, @IPVS_SVC_ATTR_PORT={0x6, 0x4, 0x4e21}, @IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x8, 0x14}}, @IPVS_SVC_ATTR_SCHED_NAME={0x8, 0x6, 'wlc\x00'}, @IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x20, 0x2}}]}, @IPVS_CMD_ATTR_DEST={0x1c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x3}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_FWD_METHOD={0x8}]}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x5}, @IPVS_CMD_ATTR_DEST={0x40, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x4}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x200}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x7f}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x4}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e20}, @IPVS_DEST_ATTR_ADDR={0x14, 0x1, @ipv6=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x1}]}, 0x18c}}, 0x400c050)
sendmsg$NL80211_CMD_ASSOCIATE(0xffffffffffffffff, &(0x7f00000008c0)={&(0x7f0000000580)={0x10, 0x0, 0x0, 0x1}, 0xc, &(0x7f0000000880)={&(0x7f00000005c0)={0x290, 0x0, 0x8, 0x70bd2b, 0x25dfdbff, {{}, {@val={0x8, 0x3, r1}, @val={0xc, 0x99, {0xd6, 0x5e}}}}, [@NL80211_ATTR_HT_CAPABILITY_MASK={0x1e, 0x94, {0x400, 0x3, 0x2, 0x0, {0xffffffffffffffe0, 0x2, 0x0, 0x6, 0x0, 0x0, 0x0, 0x1}, 0x8, 0x10001, 0x4}}, @NL80211_ATTR_SSID={0xa, 0x34, @default_ibss_ssid}, @NL80211_ATTR_IE={0x55, 0x2a, [@cf={0x4, 0x6, {0x4, 0x4, 0x5, 0x1f}}, @random={0x80, 0x43, "e9c35dc199aac919e4a81e135a2cce36348a13a357b03eb39f16ad9d00f66c84bc3c476576cb8d52312f44fd53290e09534b3592b950eb6c95af593e18c4a04f53a1f2"}, @ibss={0x6, 0x2, 0x5}]}, @NL80211_ATTR_DISABLE_HT={0x4}, @NL80211_ATTR_USE_MFP={0x8, 0x42, 0x2}, @NL80211_ATTR_MAC={0xa, 0x6, @from_mac}, @NL80211_ATTR_IE={0x1bc, 0x2a, [@random_vendor={0xdd, 0xd5, "c32c95b5bb3a5173abbb82b21f52f5eb715fea4cba9f1b06bb4ef6a17727cac64fcf2247777598b929716f7d746d6bdc92bf4b8461722a4dda8b3f51747be688866959bb92ec5d53a25569c25291a005b5cb098b2ec94e3a114a78d6fdd34477e505badf129bfd47fdafc2260d171816eb8ba4233e7be1e1e3a67b9844fffe37bdbe3009bdaa8e469f43014bf483b52373f5e64c970ba75017bad13297225b17cbb6f598c6c8ed85c0189e09fd3e4c8f7419b1271bf6c19c5587f055ee1cd1c79edb0684ec14e8b640d67c2e151d438d6e8fa8bcfd"}, @fast_bss_trans={0x37, 0x8e, {0x3, 0x2, "c627651124f9b710dbffa8b4e030f2e7", "be2a46c8d696f12674e48c33f2c57cdbed1392eb8dd7edda9bcf6d7e05af0623", "51cf74154ab5de5226439a2bdc931a8c158354fc1e77bc9bad3e73a85d27e1af", [{0x1, 0x1c, "0b674739e5c3bf5b5ffab2618d362af6fe5e536b4047d83a58750855"}, {0x1, 0x1c, "ab4af648f01a776b24b843c5c438ec84d0a677b2fadd9a69d7948f08"}]}}, @sec_chan_ofs={0x3e, 0x1, 0x3}, @gcr_ga={0xbd, 0x6, @device_b}, @measure_req={0x26, 0x44, {0x0, 0x3, 0xe0, "00a990bc1e5ad2cf8a361d65fc3ea2f474327755c089c6e1904c3247be3d542dd664d79c721b9bb3c68016bc1565b6d30f96c1f35aece37e1d3e4b3c5295a0783d"}}]}, @NL80211_ATTR_VHT_CAPABILITY={0x10, 0x9d, {0x0, {0xffff, 0x0, 0x3, 0x7fff}}}]}, 0x290}, 0x1, 0x0, 0x0, 0x20000}, 0x24008040)
r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000940), 0xffffffffffffffff)
sendmsg$IPVS_CMD_GET_CONFIG(0xffffffffffffffff, &(0x7f0000000a00)={&(0x7f0000000900)={0x10, 0x0, 0x0, 0x10000}, 0xc, &(0x7f00000009c0)={&(0x7f0000000980)={0x1c, r2, 0x20, 0x70bd2c, 0x25dfdbfd, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x4}]}, 0x1c}, 0x1, 0x0, 0x0, 0x8000}, 0x44000)
r3 = accept4(0xffffffffffffffff, &(0x7f0000000a40)=@alg, &(0x7f0000000ac0)=0x80, 0x181800)
r4 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000b40), 0xffffffffffffffff)
sendmsg$IPVS_CMD_DEL_DEST(r3, &(0x7f0000000c40)={&(0x7f0000000b00)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f0000000c00)={&(0x7f0000000b80)={0x7c, r4, 0x100, 0x70bd26, 0x25dfdbfe, {}, [@IPVS_CMD_ATTR_DAEMON={0x4c, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e24}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e23}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @remote}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x6, 0x4, 0x4}, @IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3, 0x4}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x6, 0x4, 0x101}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e22}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e23}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @broadcast}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x1}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x1}, @IPVS_CMD_ATTR_DAEMON={0xc, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x6, 0x4, 0x8}]}]}, 0x7c}, 0x1, 0x0, 0x0, 0x20004010}, 0x810)
getpeername(r3, &(0x7f0000000c80)=@pppol2tpv3={0x18, 0x1, {0x0, <r5=>0xffffffffffffffff, {0x2, 0x0, @initdev}}}, &(0x7f0000000d00)=0x80)
r6 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000d80), r3)
sendmsg$IPVS_CMD_GET_CONFIG(r5, &(0x7f0000000f00)={&(0x7f0000000d40)={0x10, 0x0, 0x0, 0x800008}, 0xc, &(0x7f0000000ec0)={&(0x7f0000000dc0)={0xdc, r6, 0x10, 0x70bd26, 0x25dfdbfd, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0xffff}, @IPVS_CMD_ATTR_DEST={0xc, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_PORT={0x6, 0x2, 0x4e24}]}, @IPVS_CMD_ATTR_DAEMON={0x38, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x4}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'ip6tnl0\x00'}, @IPVS_DAEMON_ATTR_STATE={0x8}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @rand_addr=0x64010100}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @broadcast}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3ff}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e24}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x1}, @IPVS_DEST_ATTR_WEIGHT={0x8}, @IPVS_DEST_ATTR_TUN_TYPE={0x5, 0xd, 0x1}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x3}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x8}, @IPVS_CMD_ATTR_DEST={0x40, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x9}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0xe77}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xfffffeff}, @IPVS_DEST_ATTR_ADDR={0x14, 0x1, @ipv6=@rand_addr=' \x01\x00'}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x5}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x5}]}]}, 0xdc}, 0x1, 0x0, 0x0, 0x48}, 0x40000000)
sendmsg$IPVS_CMD_DEL_DEST(r5, &(0x7f0000001040)={&(0x7f0000000f40), 0xc, &(0x7f0000001000)={&(0x7f0000000f80)={0x68, r2, 0x800, 0x70bd2c, 0x25dfdbff, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xe7fb}, @IPVS_CMD_ATTR_DAEMON={0x4c, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'gretap0\x00'}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x6, 0x4, 0x1}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'veth1\x00'}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0xd3}, @IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3, 0x1}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x38}]}]}, 0x68}, 0x1, 0x0, 0x0, 0x44400}, 0x24000)
r7 = syz_genetlink_get_family_id$ipvs(&(0x7f00000010c0), r3)
sendmsg$IPVS_CMD_DEL_DEST(r3, &(0x7f00000011c0)={&(0x7f0000001080)={0x10, 0x0, 0x0, 0x200000}, 0xc, &(0x7f0000001180)={&(0x7f0000001100)={0x58, r7, 0x400, 0x70bd2c, 0x25dfdbff, {}, [@IPVS_CMD_ATTR_SERVICE={0x1c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x11}, @IPVS_SVC_ATTR_FWMARK={0x8, 0x5, 0x4}, @IPVS_SVC_ATTR_FWMARK={0x8}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x3}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xffff0000}, @IPVS_CMD_ATTR_SERVICE={0x18, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x15, 0x21}}, @IPVS_SVC_ATTR_PROTOCOL={0x6}]}]}, 0x58}, 0x1, 0x0, 0x0, 0x4000001}, 0x4000001)
socketpair(0x22, 0x80000, 0xa1, &(0x7f0000001200)={<r8=>0xffffffffffffffff})
sendmsg$IPVS_CMD_FLUSH(r8, &(0x7f0000001340)={&(0x7f0000001240)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000001300)={&(0x7f0000001280)={0x70, r0, 0x0, 0x70bd2c, 0x25dfdbfe, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0xc8}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_SERVICE={0x38, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x30, 0x32}}, @IPVS_SVC_ATTR_TIMEOUT={0x8, 0x8, 0xd692}, @IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x21, 0xa}}, @IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x1, 0x2}}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'sh\x00'}]}, @IPVS_CMD_ATTR_DEST={0x14, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7fffffff}]}]}, 0x70}, 0x1, 0x0, 0x0, 0x40015}, 0x40000)
sendmsg$NL80211_CMD_JOIN_IBSS(0xffffffffffffffff, &(0x7f00000015c0)={&(0x7f0000001380)={0x10, 0x0, 0x0, 0x800}, 0xc, &(0x7f0000001580)={&(0x7f0000001400)={0x15c, 0x0, 0x601, 0x70bd25, 0x25dfdbfb, {{}, {@val={0x8, 0x3, r1}, @void}}, [@NL80211_ATTR_BEACON_INTERVAL={0x8, 0xc, @random}, @NL80211_ATTR_KEYS={0x7c, 0x51, 0x0, 0x1, [{0x20, 0x0, 0x0, 0x1, [@NL80211_KEY_DEFAULT_MGMT={0x4}, @NL80211_KEY_DEFAULT={0x4}, @NL80211_KEY_DATA_WEP104={0x11, 0x1, "1ec2d7ab7f935af76ce3a4b633"}]}, {0x58, 0x0, 0x0, 0x1, [@NL80211_KEY_DATA_WEP40={0x9, 0x1, "8c1ac9399f"}, @NL80211_KEY_MODE={0x5, 0x9, 0x2}, @NL80211_KEY_SEQ={0x11, 0x4, "fde7333021d721b8c59f31e490"}, @NL80211_KEY_IDX={0x5, 0x2, 0x3}, @NL80211_KEY_IDX={0x5, 0x2, 0x3}, @NL80211_KEY_SEQ={0xa, 0x4, "368d68b4f62a"}, @NL80211_KEY_MODE={0x5}, @NL80211_KEY_CIPHER={0x8, 0x3, 0xfac05}]}]}, @NL80211_ATTR_HIDDEN_SSID={0x9, 0x7e, @random="901462c741"}, @chandef_params=[@NL80211_ATTR_WIPHY_CHANNEL_TYPE={0x8}, @NL80211_ATTR_WIPHY_FREQ_OFFSET={0x8, 0x122, 0x28}, @NL80211_ATTR_WIPHY_EDMG_BW_CONFIG={0x5, 0x119, 0xf}, @NL80211_ATTR_CHANNEL_WIDTH={0x8, 0x9f, 0x2}, @NL80211_ATTR_CENTER_FREQ2={0x8, 0xa1, 0xec}, @NL80211_ATTR_CENTER_FREQ2={0x8, 0xa1, 0x4}, @NL80211_ATTR_WIPHY_EDMG_CHANNELS={0x5, 0x118, 0x2a}], @NL80211_ATTR_BSS_BASIC_RATES={0x21, 0x24, [{0x16}, {0xc}, {0x12}, {0x5}, {0x5, 0x1}, {0x6c, 0x1}, {0x4}, {0x3}, {0x4, 0x1}, {0x1, 0x1}, {0xb, 0x1}, {0x18, 0x1}, {0x6c, 0x1}, {0x30}, {0x7d}, {0xb}, {0x1b, 0x1}, {0x2, 0x1}, {0x60, 0x1}, {0x16}, {0x1, 0x1}, {0x6c}, {0x4, 0x1}, {0x18}, {0x30, 0x1}, {0x18, 0x1}, {0x24}, {0x5, 0x1}, {0x12}]}, @NL80211_ATTR_PRIVACY={0x4}, @NL80211_ATTR_IE={0xc, 0x2a, [@gcr_ga={0xbd, 0x6, @device_b}]}, @NL80211_ATTR_MCAST_RATE={0x8, 0x6b, 0xfbb}, @NL80211_ATTR_IE={0x3c, 0x2a, [@random={0x1, 0x12, "ed67349bb9fdd2ac8c00220f7ffbab18b2cf"}, @random={0x9, 0x22, "c099fc1ea4b92c95b769d91cc58604b7c2c97c9810a2d525ee787ac90cb4cf566594"}]}]}, 0x15c}, 0x1, 0x0, 0x0, 0x4000000}, 0x20000000)

19:51:40 executing program 4:
ioctl$sock_inet_SIOCGIFADDR(0xffffffffffffffff, 0x8915, &(0x7f0000000000)={'veth1_to_team\x00', {0x2, 0x0, @dev}})
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl$sock_SIOCGIFVLAN_ADD_VLAN_CMD(r0, 0x8982, &(0x7f0000000040)={0x0, 'vcan0\x00', {0x4}, 0x4})
r1 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000080), 0x6040, 0x0)
ioctl$sock_SIOCGIFVLAN_ADD_VLAN_CMD(r0, 0x8982, &(0x7f00000000c0)={0x0, 'veth1_vlan\x00', {0x1}, 0xffff})
r2 = socket(0xb, 0x2, 0x1f)
sendmsg$NL80211_CMD_CRIT_PROTOCOL_STOP(r2, &(0x7f00000001c0)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x10000}, 0xc, &(0x7f0000000180)={&(0x7f0000000140)={0x28, 0x0, 0x800, 0x70bd2c, 0x25dfdbfe, {{}, {@val={0x8}, @val={0xc, 0x99, {0x7fffffff, 0x16}}}}, ["", "", "", "", "", "", "", "", "", ""]}, 0x28}, 0x1, 0x0, 0x0, 0x4040811}, 0x24000051)
ioctl$SG_SET_COMMAND_Q(0xffffffffffffffff, 0x2271, &(0x7f0000000200)=0x1)
write$rfkill(r1, &(0x7f0000000240)={0x2, 0x2, 0x3, 0x1, 0x1}, 0x8)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000280)={'wlan0\x00'})
r3 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
r4 = gettid()
ioctl$sock_FIOSETOWN(r3, 0x8901, &(0x7f00000002c0)=r4)
r5 = syz_open_dev$loop(&(0x7f0000000300), 0x8, 0x2000)
ioctl$BLKGETSIZE(r5, 0x1260, &(0x7f0000000340))
socket(0x22, 0x4, 0x40000)
ioctl$sock_SIOCGIFVLAN_ADD_VLAN_CMD(r0, 0x8982, &(0x7f0000000380)={0x0, 'rose0\x00', {0x2}, 0x1})
sendmsg$NL80211_CMD_CRIT_PROTOCOL_STOP(0xffffffffffffffff, &(0x7f0000000480)={&(0x7f00000003c0)={0x10, 0x0, 0x0, 0x40000000}, 0xc, &(0x7f0000000440)={&(0x7f0000000400)={0x28, 0x0, 0x300, 0x70bd28, 0x25dfdbfe, {{}, {@val={0x8}, @val={0xc, 0x99, {0x2, 0x51}}}}, ["", "", "", ""]}, 0x28}, 0x1, 0x0, 0x0, 0x40}, 0x8000)
setsockopt$sock_linger(r0, 0x1, 0xd, &(0x7f00000004c0)={0x1, 0x8}, 0x8)
sendmsg$IPVS_CMD_SET_CONFIG(r2, &(0x7f0000000640)={&(0x7f0000000500)={0x10, 0x0, 0x0, 0x800}, 0xc, &(0x7f0000000600)={&(0x7f0000000540)={0xb8, 0x0, 0x200, 0x70bd28, 0x25dfdbfd, {}, [@IPVS_CMD_ATTR_DAEMON={0xc, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3, 0x3}]}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x7}, @IPVS_CMD_ATTR_SERVICE={0x20, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_TIMEOUT={0x8, 0x8, 0x10001}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@broadcast}]}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0xffffffff}, @IPVS_CMD_ATTR_DAEMON={0x60, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x6, 0x4, 0x4}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'ip6gre0\x00'}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'ip6gretap0\x00'}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private1}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x80}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @multicast1}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x9}]}, 0xb8}, 0x1, 0x0, 0x0, 0x2204c000}, 0x40)

[   62.616656] audit: type=1400 audit(1763322700.240:7): avc:  denied  { execmem } for  pid=273 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
19:51:40 executing program 1:
shmget(0x3, 0x4000, 0x8, &(0x7f0000ffc000/0x4000)=nil)
write$cgroup_int(0xffffffffffffffff, &(0x7f0000000000)=0x8, 0x12)
r0 = shmget(0x2, 0x3000, 0x100, &(0x7f0000ffd000/0x3000)=nil)
r1 = openat$full(0xffffffffffffff9c, &(0x7f0000000040), 0x2000, 0x0)
write$cgroup_int(r1, &(0x7f0000000080)=0x3f, 0x12)
shmctl$IPC_SET(r0, 0x1, &(0x7f00000000c0)={{0x3, 0x0, 0xffffffffffffffff, 0xee00, 0xffffffffffffffff, 0x148, 0xb6}, 0x3, 0x4, 0x9, 0x9, 0xffffffffffffffff, 0xffffffffffffffff, 0x2})
shmget(0x3, 0x3000, 0x1, &(0x7f0000ffd000/0x3000)=nil)
r2 = openat$cgroup_int(r1, &(0x7f0000000140)='pids.max\x00', 0x2, 0x0)
getsockopt$inet_IP_XFRM_POLICY(r1, 0x0, 0x11, &(0x7f0000000180)={{{@in=@empty, @in=@broadcast}}, {{@in6}, 0x0, @in=@local}}, &(0x7f0000000280)=0xe8)
ioctl$SG_SET_COMMAND_Q(r1, 0x2271, &(0x7f00000002c0)=0x1)
r3 = shmget$private(0x0, 0x3000, 0x4, &(0x7f0000ffd000/0x3000)=nil)
shmctl$SHM_INFO(r3, 0xe, &(0x7f0000000300)=""/155)
r4 = openat$full(0xffffffffffffff9c, &(0x7f00000003c0), 0x101002, 0x0)
ioctl$BLKALIGNOFF(r4, 0x127a, &(0x7f0000000400))
ioctl$SG_IO(0xffffffffffffffff, 0x2285, &(0x7f0000001640)={0x53, 0xfffffffffffffffb, 0x75, 0x8, @scatter={0x1, 0x0, &(0x7f0000001440)=[{&(0x7f0000000440)=""/4096, 0x1000}]}, &(0x7f0000001480)="8f968d82bf6cdb290ccda4394dbbef1f3eba321c13d60f2b2311ae8463bf68335d07e88bd20841171f63ae0ed1395ffefbc04b37d1f806eede4fbacd1aa8c2d6a7381f85d44f62e6f113df807733289e745acefc2089fe672653a43280ac8c49a7ed9ab49fd66c06e25af35302659f22fe8ceabcf4", &(0x7f0000001500)=""/215, 0xffff, 0x10000, 0x0, &(0x7f0000001600)})
ioctl$BTRFS_IOC_GET_SUBVOL_ROOTREF(r2, 0xd000943d, &(0x7f00000016c0)={0x2, [{}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, <r5=>0x0}], 0x9, "837a4258b11d8e"})
ioctl$BTRFS_IOC_GET_SUBVOL_ROOTREF(r1, 0xd000943d, &(0x7f00000026c0)={0xd9e, [{}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {<r6=>0x0}], 0x1f, "abbb51d53fc95e"})
ioctl$BTRFS_IOC_GET_SUBVOL_INFO(r4, 0x81f8943c, &(0x7f00000036c0)={<r7=>0x0})
ioctl$BTRFS_IOC_GET_SUBVOL_ROOTREF(r4, 0xd000943d, &(0x7f00000038c0)={0x4, [{}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {<r8=>0x0}], 0x2, "b4280ff5f79272"})
ioctl$BTRFS_IOC_GET_SUBVOL_ROOTREF(0xffffffffffffffff, 0xd000943d, &(0x7f0000061ac0)={0x80000001, [{}, {}, {}, {}, {}, {}, {0x0, r5}, {}, {r6}, {r7}, {r8}], 0x4, "3b9dd7708251a3"})

[   63.764931] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   63.767377] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   63.769400] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   63.773797] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   63.776411] ==================================================================
[   63.777662] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x66d/0x6d0
[   63.778864] Read of size 2 at addr ffff88800b3a3cb8 by task kworker/u11:2/292
[   63.782313] 
[   63.784646] CPU: 1 UID: 0 PID: 292 Comm: kworker/u11:2 Not tainted 6.18.0-rc5-next-20251114 #1 PREEMPT(voluntary) 
[   63.784680] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   63.784697] Workqueue: hci0 hci_cmd_work
[   63.784731] Call Trace:
[   63.784740]  <TASK>
[   63.784749]  dump_stack_lvl+0xca/0x120
[   63.784782]  print_report+0xcb/0x610
[   63.784816]  ? __virt_addr_valid+0x100/0x5d0
[   63.784845]  ? hci_cmd_work+0x66d/0x6d0
[   63.784877]  ? hci_cmd_work+0x66d/0x6d0
[   63.784909]  kasan_report+0xca/0x100
[   63.784942]  ? hci_cmd_work+0x66d/0x6d0
[   63.784978]  hci_cmd_work+0x66d/0x6d0
[   63.785012]  process_one_work+0x8e1/0x19c0
[   63.785055]  ? __pfx_process_one_work+0x10/0x10
[   63.785091]  ? move_linked_works+0x172/0x270
[   63.785119]  ? assign_work+0x196/0x240
[   63.785155]  worker_thread+0x67e/0xe90
[   63.785191]  ? trace_irq_enable.constprop.0+0xc2/0x100
[   63.785222]  ? __pfx_worker_thread+0x10/0x10
[   63.785259]  kthread+0x3c8/0x740
[   63.785291]  ? __pfx_kthread+0x10/0x10
[   63.785323]  ? ret_from_fork+0x79/0x7a0
[   63.785348]  ? lock_release+0xc8/0x290
[   63.785387]  ? __pfx_kthread+0x10/0x10
[   63.785420]  ret_from_fork+0x67a/0x7a0
[   63.785445]  ? __pfx_ret_from_fork+0x10/0x10
[   63.785472]  ? __switch_to+0x759/0x1060
[   63.785507]  ? __pfx_kthread+0x10/0x10
[   63.785540]  ret_from_fork_asm+0x1a/0x30
[   63.785582]  </TASK>
[   63.785590] 
[   63.809606] Allocated by task 289:
[   63.810219]  kasan_save_stack+0x24/0x50
[   63.810922]  kasan_save_track+0x14/0x30
[   63.811607]  __kasan_slab_alloc+0x59/0x70
[   63.812331]  kmem_cache_alloc_node_noprof+0x228/0x6b0
[   63.813228]  __alloc_skb+0x2ab/0x370
[   63.813901]  hci_cmd_sync_alloc+0x34/0x300
[   63.814648]  __hci_cmd_sync_sk+0xf7/0x5c0
[   63.815376]  hci_read_num_supported_iac_sync+0x2c/0x170
[   63.816293]  hci_dev_open_sync+0x1874/0x1f60
[   63.817060]  hci_power_on+0xdb/0x5d0
[   63.817719]  process_one_work+0x8e1/0x19c0
[   63.818476]  worker_thread+0x67e/0xe90
[   63.819171]  kthread+0x3c8/0x740
[   63.819772]  ret_from_fork+0x67a/0x7a0
[   63.820476]  ret_from_fork_asm+0x1a/0x30
[   63.821188] 
[   63.821487] Freed by task 291:
[   63.822041]  kasan_save_stack+0x24/0x50
[   63.822746]  kasan_save_track+0x14/0x30
[   63.823441]  kasan_save_free_info+0x3a/0x60
[   63.824191]  __kasan_slab_free+0x43/0x70
[   63.824891]  kmem_cache_free+0x26f/0x500
[   63.825605]  kfree_skbmem+0x18a/0x1f0
[   63.826273]  sk_skb_reason_drop+0x10e/0x1b0
[   63.827032]  vhci_read+0x3d5/0x5d0
[   63.827659]  vfs_read+0x1eb/0xc70
[   63.828272]  ksys_read+0x121/0x240
[   63.828895]  do_syscall_64+0xbf/0x430
[   63.829571]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   63.830467] 
[   63.830775] The buggy address belongs to the object at ffff88800b3a3c80
[   63.830775]  which belongs to the cache skbuff_head_cache of size 232
[   63.832950] The buggy address is located 56 bytes inside of
[   63.832950]  freed 232-byte region [ffff88800b3a3c80, ffff88800b3a3d68)
[   63.835337] 
[   63.835732] The buggy address belongs to the physical page:
[   63.836969] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb3a3
[   63.838706] memcg:ffff88800a16c401
[   63.839405] flags: 0x100000000000000(node=0|zone=1)
[   63.840391] page_type: f5(slab)
[   63.841072] raw: 0100000000000000 ffff8880096c78c0 ffffea000023fd40 dead000000000004
[   63.842606] raw: 0000000000000000 00000000800c000c 00000000f5000000 ffff88800a16c401
[   63.844125] page dumped because: kasan: bad access detected
[   63.845241] 
[   63.845602] Memory state around the buggy address:
[   63.846605]  ffff88800b3a3b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.847856]  ffff88800b3a3c00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   63.849015] >ffff88800b3a3c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.850197]                                         ^
[   63.851218]  ffff88800b3a3d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[   63.852370]  ffff88800b3a3d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   63.853486] ==================================================================
[   63.854688] Disabling lock debugging due to kernel taint
[   63.855702] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   63.890611] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   63.897609] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   63.899355] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   63.902136] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   63.905785] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   63.924872] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   63.927406] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   63.928986] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   63.934063] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   63.935625] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   63.950546] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   63.960700] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1
[   63.964915] Bluetooth: hci6: unexpected cc 0x0c03 length: 249 > 1
[   63.965601] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   63.966182] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   63.967060] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9
[   63.968043] Bluetooth: hci6: unexpected cc 0x1003 length: 249 > 9
[   63.969114] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9
[   63.970374] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   63.972496] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4
[   63.973064] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   63.973874] Bluetooth: hci6: unexpected cc 0x1001 length: 249 > 9
[   63.976354] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2
[   63.977671] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   63.978884] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   63.980899] Bluetooth: hci6: unexpected cc 0x0c23 length: 249 > 4
[   63.980974] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   63.983795] Bluetooth: hci6: unexpected cc 0x0c38 length: 249 > 2
[   63.986644] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   63.995573] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   64.156602] Bluetooth: hci7: unexpected cc 0x0c03 length: 249 > 1
[   64.158484] Bluetooth: hci7: unexpected cc 0x1003 length: 249 > 9
[   64.163404] Bluetooth: hci7: unexpected cc 0x1001 length: 249 > 9
[   64.165581] Bluetooth: hci7: unexpected cc 0x0c23 length: 249 > 4
[   64.167124] Bluetooth: hci7: unexpected cc 0x0c38 length: 249 > 2
[   65.926189] Bluetooth: hci1: command tx timeout
[   65.926642] Bluetooth: hci0: command tx timeout
[   65.989329] Bluetooth: hci2: command tx timeout
[   66.054265] Bluetooth: hci4: command tx timeout
[   66.054706] Bluetooth: hci5: command tx timeout
[   66.055082] Bluetooth: hci3: command tx timeout
[   66.117951] Bluetooth: hci6: command tx timeout
[   66.245188] Bluetooth: hci7: command tx timeout
[   67.973245] Bluetooth: hci0: command tx timeout
[   67.973696] Bluetooth: hci1: command tx timeout
[   68.037518] Bluetooth: hci2: command tx timeout
[   68.101221] Bluetooth: hci3: command tx timeout
[   68.101657] Bluetooth: hci5: command tx timeout
[   68.102034] Bluetooth: hci4: command tx timeout
[   68.167484] Bluetooth: hci6: command tx timeout
[   68.293192] Bluetooth: hci7: command tx timeout
[   70.024176] Bluetooth: hci1: command tx timeout
[   70.024620] Bluetooth: hci0: command tx timeout
[   70.086243] Bluetooth: hci2: command tx timeout
[   70.150226] Bluetooth: hci4: command tx timeout
[   70.150637] Bluetooth: hci5: command tx timeout
[   70.150666] Bluetooth: hci3: command tx timeout
[   70.216355] Bluetooth: hci6: command tx timeout
[   70.342211] Bluetooth: hci7: command tx timeout
[   72.070501] Bluetooth: hci0: command tx timeout
[   72.070625] Bluetooth: hci1: command tx timeout
[   72.134176] Bluetooth: hci2: command tx timeout
[   72.197220] Bluetooth: hci3: command tx timeout
[   72.198571] Bluetooth: hci4: command tx timeout
[   72.198967] Bluetooth: hci5: command tx timeout
[   72.261299] Bluetooth: hci6: command tx timeout
[   72.391250] Bluetooth: hci7: command tx timeout

VM DIAGNOSIS:
19:51:41  Registers:
info registers vcpu 0
RAX=0000000080010000 RBX=1ffff1100d9c11b2 RCX=ffffffff8162fb29 RDX=ffff888009548000
RSI=ffffffff8166eab8 RDI=ffff88806ce28e58 RBP=ffff88806ce28e58 RSP=ffff88806ce08d70
R8 =0000000000000000 R9 =fffffbfff0cc9daa R10=0000000000000001 R11=0000000000000001
R12=ffff88806ce28500 R13=ffff888009557568 R14=0000000000000001 R15=dffffc0000000000
RIP=ffffffff81637a04 RFL=00000046 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 00000000 00000000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS   [-WA]
DS =0000 0000000000000000 00000000 00000000
FS =0000 00007ff2f1deb900 00000000 00000000
GS =0000 ffff8880e538f000 00000000 00000000
LDT=0000 fffffe2400000000 00000000 00000000
TR =0040 fffffe0000003000 00004087 00008b00 DPL=0 TSS64-busy
GDT=     fffffe0000001000 0000007f
IDT=     fffffe0000000000 00000fff
CR0=80050033 CR2=00007f65d69b85f0 CR3=000000000c6e0000 CR4=00350ef0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001fa0
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=00000000000000000000000000000000 XMM01=00000000000000000000000000000000
XMM02=0000000000000000bfe62e42fefa39ef XMM03=0000ff00000000000000000000000000
XMM04=732f6c61636f6c2f7273752f3d485441 XMM05=622f6c61636f6c2f7273752f3a6e6962
XMM06=73752f3a6e6962732f7273752f3a6e69 XMM07=6e69622f3a6e6962732f3a6e69622f72
XMM08=00000000000000000000000000000000 XMM09=00000000000000000000000000000000
XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000
XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000
XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000
info registers vcpu 1
RAX=000000000000005b RBX=00000000000003f8 RCX=0000000000000000 RDX=00000000000003f8
RSI=ffffffff8293dd05 RDI=ffffffff889747c0 RBP=ffffffff88974780 RSP=ffff88801686f618
R8 =0000000000000000 R9 =ffffed1001668046 R10=000000000000005b R11=000000003a555043
R12=000000000000005b R13=0000000000000010 R14=ffffffff88974780 R15=ffffffff8293dcf0
RIP=ffffffff8293dd5d RFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 00000000 00000000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS   [-WA]
DS =0000 0000000000000000 00000000 00000000
FS =0000 0000000000000000 00000000 00000000
GS =0000 ffff8880e548f000 00000000 00000000
LDT=0000 fffffe6000000000 00000000 00000000
TR =0040 fffffe000004a000 00004087 00008b00 DPL=0 TSS64-busy
GDT=     fffffe0000048000 0000007f
IDT=     fffffe0000000000 00000fff
CR0=80050033 CR2=000055a8a2786690 CR3=000000001baf9000 CR4=00350ef0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=00000000a60ce07b00000000cec3662e XMM01=00000000000000003a59457db3c5de50
XMM02=00000000000000000000000000000000 XMM03=0000000000000000736563697665642f
XMM04=2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f XMM05=000055a8a27306a0000055a8a27608d0
XMM06=000055a8a2784b30ffffffff00000003 XMM07=00000000000000000000000000000000
XMM08=2f63697361622f6372732f2e2e000d0a XMM09=00000000000000000000000000000000
XMM10=00000000200000000000000020000000 XMM11=00000000000000000000000000000000
XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000
XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000