program:
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000240)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'lo\x00'})
r1 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000540), 0x2, 0x0)
write$RDMA_USER_CM_CMD_CREATE_ID(r1, &(0x7f0000000100)={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000000040), 0x111}}, 0x20) (async)
write$RDMA_USER_CM_CMD_CREATE_ID(r1, &(0x7f0000000100)={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000000040)={<r2=>0xffffffffffffffff}, 0x111}}, 0x20)
write$RDMA_USER_CM_CMD_RESOLVE_IP(r1, &(0x7f0000000200)={0x3, 0x40, 0xfa02, {{0x6000000, 0x0, 0x0, @mcast2}, {0xa, 0x0, 0x0, @remote}, r2, 0xfffffffc}}, 0x48) (async)
write$RDMA_USER_CM_CMD_RESOLVE_IP(r1, &(0x7f0000000200)={0x3, 0x40, 0xfa02, {{0x6000000, 0x0, 0x0, @mcast2}, {0xa, 0x0, 0x0, @remote}, r2, 0xfffffffc}}, 0x48)
write$RDMA_USER_CM_CMD_CREATE_ID(r1, &(0x7f00000000c0)={0x0, 0x18, 0xfa00, {0x4, &(0x7f0000000000)={<r3=>0xffffffffffffffff}, 0x2, 0xc}}, 0x20)
write$RDMA_USER_CM_CMD_RESOLVE_IP(r1, &(0x7f0000000280)={0x3, 0x40, 0xfa00, {{0xa, 0x4e23, 0x7ff, @empty, 0x1}, {0xa, 0x4e20, 0x1ff, @dev={0xfe, 0x80, '\x00', 0x2f}, 0x9}, r3, 0xb}}, 0x48) (async)
write$RDMA_USER_CM_CMD_RESOLVE_IP(r1, &(0x7f0000000280)={0x3, 0x40, 0xfa00, {{0xa, 0x4e23, 0x7ff, @empty, 0x1}, {0xa, 0x4e20, 0x1ff, @dev={0xfe, 0x80, '\x00', 0x2f}, 0x9}, r3, 0xb}}, 0x48)
write$RDMA_USER_CM_CMD_DESTROY_ID(r1, &(0x7f0000000380)={0x1, 0x10, 0xfa00, {&(0x7f0000000300), r3}}, 0x18) (async)
write$RDMA_USER_CM_CMD_DESTROY_ID(r1, &(0x7f0000000380)={0x1, 0x10, 0xfa00, {&(0x7f0000000300), r3}}, 0x18)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
r5 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x28)
ioctl$sock_rose_SIOCADDRT(r5, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x6, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
socket$nl_crypto(0x10, 0x3, 0x15) (async)
r6 = socket$nl_crypto(0x10, 0x3, 0x15)
ioctl$sock_SIOCADDRT(r6, 0x890b, &(0x7f0000000140)={0x0, @nl=@kern={0x10, 0x0, 0x0, 0x20000}, @isdn={0x22, 0x7f, 0x4, 0x7, 0x9}, @hci={0x1f, 0x2, 0x1}, 0x4, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000080)='veth1\x00', 0x9, 0x8, 0xff})
r7 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
connect$rose(r7, &(0x7f0000000040)=@short={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @default}, 0x1c) (async)
connect$rose(r7, &(0x7f0000000040)=@short={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @default}, 0x1c)
connect$rose(r7, &(0x7f0000000100)=@short={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}}, 0x1c)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x0, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180100001c0000000000000000000000850000006d00000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x90)
r8 = openat$nvram(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0)
syz_kvm_setup_syzos_vm$x86(r8, &(0x7f0000bfe000/0x400000)=nil)
r9 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x11, 0x4, &(0x7f00000002c0)=ANY=[], &(0x7f0000000100)='GPL\x00', 0x200000, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, 0x2, r8}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000980)='sys_exit\x00', r9}, 0x10) (async)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000980)='sys_exit\x00', r9}, 0x10)
r10 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000100)=[{0x6}]})
ioctl$EVIOCSCLOCKID(0xffffffffffffffff, 0x400445a0, 0x0) (async)
ioctl$EVIOCSCLOCKID(0xffffffffffffffff, 0x400445a0, 0x0)
close_range(r10, 0xffffffffffffffff, 0x0) (async)
close_range(r10, 0xffffffffffffffff, 0x0)

[   83.773104][ T5299] Bluetooth: hci0: command tx timeout
[   83.990725][   T24] audit: type=1326 audit(1772936128.878:2): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5318 comm="syz.0.0" exe="/syz-executor" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7fdca8b9c799 code=0x0
[   84.791397][ T5319] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI
[   84.797201][ T5319] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[   84.801141][ T5319] CPU: 0 UID: 0 PID: 5319 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   84.805270][ T5319] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   84.813070][ T5319] RIP: 0010:rose_transmit_link+0x32/0xac0
[   84.816009][ T5319] Code: 56 41 55 41 54 53 48 83 ec 40 48 89 f3 48 89 fd 49 bc 00 00 00 00 00 fc ff df e8 79 c8 2d f7 4c 8d 73 36 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 13 09 00 00 45 0f b6 36 31 ff 44 89 f6
[   84.824622][ T5319] RSP: 0018:ffffc9000dc1f8e8 EFLAGS: 00010207
[   84.827274][ T5319] RAX: 0000000000000006 RBX: 0000000000000000 RCX: ffff8880003624c0
[   84.830871][ T5319] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888011c59280
[   84.835599][ T5319] RBP: ffff888011c59280 R08: ffff8880003624c0 R09: 0000000000000008
[   84.839108][ T5319] R10: 000000000000000f R11: 0000000000000000 R12: dffffc0000000000
[   84.842783][ T5319] R13: dffffc0000000000 R14: 0000000000000036 R15: 1ffff92001b83f3c
[   84.846591][ T5319] FS:  00007fdca99996c0(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000
[   84.850503][ T5319] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   84.853060][ T5319] CR2: 00005628b612c168 CR3: 0000000012e60000 CR4: 0000000000352ef0
[   84.856589][ T5319] Call Trace:
[   84.858402][ T5319]  <TASK>
[   84.859913][ T5319]  ? __alloc_skb+0x4e5/0x7d0
[   84.862288][ T5319]  ? skb_put+0x11b/0x210
[   84.864711][ T5319]  rose_write_internal+0x1256/0x1b60
[   84.867424][ T5319]  ? lockdep_hardirqs_on+0x7a/0x110
[   84.869532][ T5319]  ? __pfx_rose_write_internal+0x10/0x10
[   84.871923][ T5319]  ? timer_delete+0x245/0x340
[   84.874317][ T5319]  rose_release+0x25b/0x510
[   84.876577][ T5319]  sock_close+0xc3/0x240
[   84.879009][ T5319]  ? __pfx_sock_close+0x10/0x10
[   84.881690][ T5319]  __fput+0x44f/0xa70
[   84.883711][ T5319]  task_work_run+0x1d9/0x270
[   84.885793][ T5319]  ? __pfx_task_work_run+0x10/0x10
[   84.887980][ T5319]  ? task_work_add+0x395/0x440
[   84.890289][ T5319]  ? __pfx_task_work_add+0x10/0x10
[   84.892523][ T5319]  get_signal+0x11eb/0x1330
[   84.894865][ T5319]  arch_do_signal_or_restart+0xbc/0x830
[   84.898616][ T5319]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[   84.902349][ T5319]  exit_to_user_mode_loop+0x86/0x480
[   84.905403][ T5319]  ? rcu_is_watching+0x15/0xb0
[   84.908236][ T5319]  do_syscall_64+0x32d/0xf80
[   84.910584][ T5319]  ? trace_irq_disable+0x3b/0x150
[   84.912916][ T5319]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.915683][ T5319]  ? clear_bhb_loop+0x40/0x90
[   84.918181][ T5319]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.921453][ T5319] RIP: 0033:0x7fdca8b9c799
[   84.923675][ T5319] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[   84.931488][ T5319] RSP: 002b:00007fdca9998fe8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   84.935640][ T5319] RAX: 0000000000000000 RBX: 00007fdca8e15fa0 RCX: 00007fdca8b9c799
[   84.939825][ T5319] RDX: 000000000000001c RSI: 0000200000000040 RDI: 000000000000000a
[   84.943440][ T5319] RBP: 00007fdca8c32bd9 R08: 0000000000000000 R09: 0000000000000000
[   84.947201][ T5319] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   84.951071][ T5319] R13: 00007fdca8e16038 R14: 00007fdca8e15fa0 R15: 00007ffe774113a8
[   84.954905][ T5319]  </TASK>
[   84.956514][ T5319] Modules linked in:
[   84.960741][ T5319] ---[ end trace 0000000000000000 ]---
[   84.981452][ T5319] RIP: 0010:rose_transmit_link+0x32/0xac0
[   84.984148][ T5319] Code: 56 41 55 41 54 53 48 83 ec 40 48 89 f3 48 89 fd 49 bc 00 00 00 00 00 fc ff df e8 79 c8 2d f7 4c 8d 73 36 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 13 09 00 00 45 0f b6 36 31 ff 44 89 f6
[   84.993537][ T5319] RSP: 0018:ffffc9000dc1f8e8 EFLAGS: 00010207
[   84.997156][ T5319] RAX: 0000000000000006 RBX: 0000000000000000 RCX: ffff8880003624c0
[   85.002141][ T5319] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888011c59280
[   85.006495][ T5319] RBP: ffff888011c59280 R08: ffff8880003624c0 R09: 0000000000000008
[   85.012112][ T5319] R10: 000000000000000f R11: 0000000000000000 R12: dffffc0000000000
[   85.015954][ T5319] R13: dffffc0000000000 R14: 0000000000000036 R15: 1ffff92001b83f3c
[   85.019224][ T5319] FS:  00007fdca99996c0(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000
[   85.027622][ T5319] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   85.057429][ T5319] CR2: 00007feb58578d20 CR3: 0000000012e60000 CR4: 0000000000352ef0
[   85.064393][ T5319] Kernel panic - not syncing: Fatal exception
[   85.067300][ T5319] Kernel Offset: disabled
[   85.069293][ T5319] Rebooting in 86400 seconds..