program:
r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl802154(&(0x7f0000000040), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_802154(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wpan0\x00', <r2=>0x0})
sendmsg$NL802154_CMD_GET_INTERFACE(r0, &(0x7f0000000180)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x1000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x48, r1, 0x1, 0x70bd2d, 0x25dfdbfc, {}, [@NL802154_ATTR_IFINDEX={0x8}, @NL802154_ATTR_WPAN_DEV={0xc, 0x6, 0x2}, @NL802154_ATTR_WPAN_DEV={0xc, 0x6, 0x200000002}, @NL802154_ATTR_WPAN_DEV={0xc}, @NL802154_ATTR_IFINDEX={0x8, 0x3, r2}]}, 0x48}}, 0x0) (async)
r3 = syz_genetlink_get_family_id$nfc(&(0x7f0000000200), r0)
ioctl$IOCTL_GET_NCIDEV_IDX(0xffffffffffffffff, 0x0, &(0x7f0000000240)=<r4=>0x0)
sendmsg$NFC_CMD_START_POLL(r0, &(0x7f0000000340)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000300)={&(0x7f0000000280)={0x64, r3, 0x800, 0x70bd2a, 0x25dfdbff, {}, [@NFC_ATTR_IM_PROTOCOLS={0x8, 0xd, 0x20}, @NFC_ATTR_DEVICE_INDEX={0x8, 0x1, r4}, @NFC_ATTR_TM_PROTOCOLS={0x8, 0xe, 0x4}, @NFC_ATTR_IM_PROTOCOLS={0x8, 0xd, 0x84}, @NFC_ATTR_PROTOCOLS={0x8, 0x3, 0x10}, @NFC_ATTR_PROTOCOLS={0x8, 0x3, 0x4}, @NFC_ATTR_IM_PROTOCOLS={0x8, 0xd, 0xe0}, @NFC_ATTR_IM_PROTOCOLS={0x8, 0xd, 0x2}, @NFC_ATTR_PROTOCOLS={0x8, 0x3, 0xd0}, @NFC_ATTR_PROTOCOLS={0x8, 0x3, 0x8}]}, 0x64}, 0x1, 0x0, 0x0, 0x4004}, 0x2000c081) (async)
r5 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r6 = syz_genetlink_get_family_id$ethtool(&(0x7f00000003c0), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_RINGS_SET(r5, &(0x7f0000000480)={&(0x7f0000000380)={0x10, 0x0, 0x0, 0x40}, 0xc, &(0x7f0000000440)={&(0x7f0000000400)={0x34, r6, 0x300, 0x70bd2a, 0x25dfdbfb, {}, [@ETHTOOL_A_RINGS_RX={0x8, 0x6, 0x4}, @ETHTOOL_A_RINGS_RX={0x8, 0x6, 0x5}, @ETHTOOL_A_RINGS_RX_MINI={0x8, 0x7, 0xc662}, @ETHTOOL_A_RINGS_TX={0x8, 0x9, 0x800}]}, 0x34}, 0x1, 0x0, 0x0, 0x44000}, 0x4004000)
r7 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000500), r5)
sendmsg$TIPC_NL_KEY_FLUSH(r5, &(0x7f0000000840)={&(0x7f00000004c0)={0x10, 0x0, 0x0, 0x20}, 0xc, &(0x7f0000000800)={&(0x7f0000000540)={0x28c, r7, 0x2, 0x70bd25, 0x25dfdbff, {}, [@TIPC_NLA_PUBL={0x3c, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x9}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0xe}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0xfff}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x1}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x10}]}, @TIPC_NLA_NET={0x3c, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_NODEID={0xc, 0x3, 0x9}, @TIPC_NLA_NET_ID={0x8, 0x1, 0xdbdf}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x3}, @TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0xfcad}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x4}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x8}]}, @TIPC_NLA_BEARER={0xa4, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_PROP={0x24, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3eee33e1}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0xde}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0xb351}]}, @TIPC_NLA_BEARER_PROP={0x1c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x6e2}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}]}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x0, @remote, 0x9}}, {0x20, 0x2, @in6={0xa, 0x4e24, 0x80, @initdev={0xfe, 0x88, '\x00', 0x1, 0x0}, 0x2}}}}, @TIPC_NLA_BEARER_PROP={0x1c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x1d0}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x80}]}]}, @TIPC_NLA_BEARER={0xbc, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @empty}}, {0x20, 0x2, @in6={0xa, 0x4e24, 0x3, @loopback, 0x1}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e20, @multicast1}}, {0x14, 0x2, @in={0x2, 0x4e22, @broadcast}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x2}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0xba20}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz1\x00'}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e20, @broadcast}}, {0x14, 0x2, @in={0x2, 0x4e22, @remote}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0xf8}]}, @TIPC_NLA_NET={0x30, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0xb350}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x270}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0xffffffff}, @TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0x9}]}, @TIPC_NLA_MEDIA={0x20, 0x5, 0x0, 0x1, [@TIPC_NLA_MEDIA_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x2f0}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}]}, @TIPC_NLA_PUBL={0x34, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_LOWER={0x8}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x6}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0xa}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x5}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x829}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x2}]}, @TIPC_NLA_MON={0x1c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x5}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x10001}]}]}, 0x28c}}, 0x804)
sendmsg$TIPC_NL_PEER_REMOVE(r5, &(0x7f0000000ac0)={&(0x7f0000000880), 0xc, &(0x7f0000000a80)={&(0x7f00000008c0)={0x184, r7, 0x400, 0x70bd26, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0x12c, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz2\x00'}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0xa}, @TIPC_NLA_BEARER_PROP={0x2c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xf47}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x12}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}]}, @TIPC_NLA_BEARER_NAME={0xc, 0x1, @l2={'eth', 0x3a, 'wg0\x00'}}, @TIPC_NLA_BEARER_PROP={0x24, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xb452}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0xbb}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}]}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @l2={'ib', 0x3a, 'veth0\x00'}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0x100, @local, 0xb}}, {0x14, 0x2, @in={0x2, 0x4e23, @rand_addr=0x64010102}}}}, @TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'eth', 0x3a, 'ip_vti0\x00'}}, @TIPC_NLA_BEARER_PROP={0x4c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x1ff}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x3}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1c}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x8001}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x10}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7ff}]}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @l2={'ib', 0x3a, 'team0\x00'}}]}, @TIPC_NLA_MEDIA={0x44, 0x5, 0x0, 0x1, [@TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}, @TIPC_NLA_MEDIA_PROP={0x24, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x2}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7ab2}, @TIPC_NLA_PROP_TOL={0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1c}]}, @TIPC_NLA_MEDIA_PROP={0xc, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1a}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}]}]}, 0x184}, 0x1, 0x0, 0x0, 0x4000}, 0x40095) (async)
sendmsg$TIPC_NL_MEDIA_GET(r5, &(0x7f0000000e80)={&(0x7f0000000b00)={0x10, 0x0, 0x0, 0x10000}, 0xc, &(0x7f0000000e40)={&(0x7f0000000b40)={0x2cc, r7, 0x800, 0x70bd2b, 0x25dfdbff, {}, [@TIPC_NLA_MEDIA={0x1c, 0x5, 0x0, 0x1, [@TIPC_NLA_MEDIA_NAME={0x7, 0x1, 'ib\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}, @TIPC_NLA_MEDIA_NAME={0x7, 0x1, 'ib\x00'}]}, @TIPC_NLA_MON={0x2c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x80}, @TIPC_NLA_MON_REF={0x8, 0x2, 0xfe000000}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x7f}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x7ff8}]}, @TIPC_NLA_BEARER={0x54, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x7ff}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e22, 0xffffffff, @local, 0x9}}, {0x14, 0x2, @in={0x2, 0x4e20, @initdev={0xac, 0x1e, 0x1, 0x0}}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz0\x00'}]}, @TIPC_NLA_NODE={0x134, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_KEY_MASTER={0x4}, @TIPC_NLA_NODE_KEY={0x43, 0x4, {'gcm(aes)\x00', 0x1b, "c9e96d7e0d355d15a5af8c170aa59c6c6e28cb1877b2a533aea8fd"}}, @TIPC_NLA_NODE_ID={0xdf, 0x3, "e2a3d656f9fa2c488e17ebe19a29d17eea81b7f1a0a773cf9a2a0dda36339127c9831ce69b5ff80adfe0b9868e9aa33cea057332fd67ff21780cc2c38ebbdd1c180de9a439d64cc3f26c69cd50de3095eb2bd2a0b787aee2bee9470fd746e57ace90518ef5770e2be1a983bb0173ee37b303e394c4c44797844e80db722647074b2863d753b53b5e29293c43d8b2f8d44fb651b35a5ffdd6c882d2c3279e8ad94065324cf9c844ff0635d10c5fb65b25e9b273a3e20cd3f010823c095a3ea6e3263549e35f5177fc502161ae43d48290a7633b7fc09e7959b35087"}, @TIPC_NLA_NODE_REKEYING={0x8, 0x6, 0x8}]}, @TIPC_NLA_PUBL={0x3c, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_LOWER={0x8}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x8ee}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x84ab}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x8}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x6}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x939}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0xc0}]}, @TIPC_NLA_SOCK={0x3c, 0x2, 0x0, 0x1, [@TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x2}, @TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x10000}, @TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x1}, @TIPC_NLA_SOCK_CON={0xc, 0x3, 0x0, 0x1, [@TIPC_NLA_CON_NODE={0x8, 0x2, 0x5}]}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x2}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x1}]}, @TIPC_NLA_MON={0x24, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x2}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x5}, @TIPC_NLA_MON_REF={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x800}]}, @TIPC_NLA_NET={0x4c, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_ID={0x8, 0x1, 0x8}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x1}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x5}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x5}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x3}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x31}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x714}, @TIPC_NLA_NET_ADDR={0x8}]}]}, 0x2cc}, 0x1, 0x0, 0x0, 0x850}, 0x400c055) (async)
ioctl$DMA_HEAP_IOCTL_ALLOC(0xffffffffffffffff, 0xc0184800, &(0x7f0000000ec0)={0xc3e, <r8=>r5, 0x3}) (async)
ioctl$DRM_IOCTL_GET_CLIENT(0xffffffffffffffff, 0xc0286405, &(0x7f0000000f40)={0x4, 0x40, {<r9=>0x0}, {<r10=>0xee01}, 0x256, 0xa000000000000000})
sendmsg$nl_generic(r8, &(0x7f0000001140)={&(0x7f0000000f00)={0x10, 0x0, 0x0, 0x20000000}, 0xc, &(0x7f0000001100)={&(0x7f0000000f80)={0x148, 0x30, 0x10, 0x70bd2d, 0x25dfdbfe, {0x19}, [@nested={0xb2, 0xa8, 0x0, 0x1, [@nested={0x4, 0x1d}, @nested={0x4, 0x1e}, @generic="7ed20f65ea2eb9689deedc8002b4ba77cf99f9fa6c882e265e63d10fd6109f46111e90e57b4444e1616f815d7da07f39b40f921250e214d538074f6d5d5b01fcce15b022fb2cdfaa6ce718786aae86ac406bb3efae2995c822a08592789212047ee220f8e227ab58952bfdb514623a6e553ca2c98dc2188b23c4b90e6a70888ca0b2e3b87cac17c965ac9019cca2d100022ccfca045008a824e384ce7a7a41845857d2a47b63"]}, @nested={0x53, 0x155, 0x0, 0x1, [@generic="43f4c377ae18ac39029c14d235e37c3d969093933ce2e665bb5f434e96af6ef511b1129ad8ba7fc2ed0ae7838cc12917cb44fe477c71cb", @typed={0x5, 0x13d, 0x0, 0x0, @str='\x00'}, @typed={0x4, 0xc6}, @nested={0x4, 0x110}, @typed={0x8, 0x68, 0x0, 0x0, @pid=r9}]}, @typed={0x8, 0x61, 0x0, 0x0, @ipv4=@multicast1}, @generic="95cd13adce110dae11ff1a7a4ca45bc9b388a0489e36d8430c", @typed={0x8, 0x1c, 0x0, 0x0, @str='wg0\x00'}]}, 0x148}, 0x1, 0x0, 0x0, 0x4000000}, 0x0) (async)
syz_genetlink_get_family_id$nl80211(&(0x7f0000001180), r5) (async)
ioctl$OCFS2_IOC_MOVE_EXT(0xffffffffffffffff, 0x40406f06, &(0x7f00000011c0)={0x100000001, 0x4, 0x4, 0x2, 0x5}) (async)
getpeername$tipc(r8, &(0x7f0000001200)=@id, &(0x7f0000001240)=0x10) (async)
ioctl$FS_IOC_GETFSUUID(r5, 0x80111500, &(0x7f0000001280)) (async)
ioctl$SNDCTL_SEQ_GETTIME(r8, 0x80045113, &(0x7f00000012c0)) (async)
r11 = epoll_create1(0x80000)
epoll_pwait2(r11, &(0x7f0000001300)=[{}, {}, {}, {}, {}], 0x5, &(0x7f0000001340)={0x0, 0x3938700}, &(0x7f0000001380)={[0x3]}, 0x8) (async)
r12 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$TIPC_NL_BEARER_ENABLE(r12, &(0x7f00000015c0)={&(0x7f00000013c0)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000001580)={&(0x7f0000001400)={0x150, r7, 0x800, 0x70bd2a, 0x25dfdbfd, {}, [@TIPC_NLA_MEDIA={0xc, 0x5, 0x0, 0x1, [@TIPC_NLA_MEDIA_NAME={0x7, 0x1, 'ib\x00'}]}, @TIPC_NLA_MEDIA={0x38, 0x5, 0x0, 0x1, [@TIPC_NLA_MEDIA_PROP={0x34, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x800}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x1}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}]}]}, @TIPC_NLA_NET={0x38, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0x5}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x1}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0xff67}, @TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0x71f}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x2}]}, @TIPC_NLA_PUBL={0x14, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x3}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x15fb}]}, @TIPC_NLA_PUBL={0x34, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x1}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x9}, @TIPC_NLA_PUBL_LOWER={0x8, 0x2, 0x5}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x8}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x101}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x10001}]}, @TIPC_NLA_BEARER={0x38, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_PROP={0x34, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6add}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x10}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x6}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x800}]}]}, @TIPC_NLA_LINK={0x34, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz0\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x2}]}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz0\x00'}]}, @TIPC_NLA_SOCK={0xc, 0x2, 0x0, 0x1, [@TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x8}]}]}, 0x150}, 0x1, 0x0, 0x0, 0x20000004}, 0x41)
syz_emit_vhci(&(0x7f0000001600)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x3, 0x0, 0x22}, @l2cap_cid_le_signaling={{0x1e}, @l2cap_ecred_conn_req={{0x17, 0x1, 0x1a}, {0xf, 0x0, 0xfff, 0x9, [0x8, 0x9, 0x2, 0x6, 0xff81, 0x7, 0x7, 0x7, 0x3]}}}}, 0x27)
ioctl$NS_GET_OWNER_UID(r8, 0xb704, &(0x7f0000001700)=<r13=>0x0)
mount$9p_rdma(&(0x7f0000001640), &(0x7f0000001680)='./file0\x00', &(0x7f00000016c0), 0x80000, &(0x7f0000001740)={'trans=rdma,', {'port', 0x3d, 0x4e23}, 0x2c, {[{@timeout={'timeout', 0x3d, 0x7f}}, {@sq={'sq', 0x3d, 0x8}}, {@timeout={'timeout', 0x3d, 0x1ff}}, {@sq={'sq', 0x3d, 0xf45a}}, {@common=@access_uid={'access', 0x3d, r10}}, {@sq={'sq', 0x3d, 0xb}}, {@common=@version_u}], [{@fowner_lt={'fowner<', r13}}, {@flag='ro'}]}}) (async)
syz_genetlink_get_family_id$tipc2(&(0x7f0000001840), r5)

[  104.446307][ T4669] Bluetooth: hci0: command tx timeout
[  104.593125][ T4669] ==================================================================
[  104.596739][ T4669] BUG: KASAN: stack-out-of-bounds in l2cap_send_cmd+0x2a3/0xb90
[  104.600580][ T4669] Read of size 26 at addr ffffc9000fa574e0 by task kworker/u5:1/4669
[  104.604552][ T4669] 
[  104.605736][ T4669] CPU: 0 UID: 0 PID: 4669 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full) 
[  104.605753][ T4669] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  104.605765][ T4669] Workqueue: hci0 hci_rx_work
[  104.605786][ T4669] Call Trace:
[  104.605795][ T4669]  <TASK>
[  104.605802][ T4669]  dump_stack_lvl+0xe8/0x150
[  104.605822][ T4669]  print_report+0xba/0x230
[  104.605840][ T4669]  ? l2cap_send_cmd+0x2a3/0xb90
[  104.605853][ T4669]  kasan_report+0x117/0x150
[  104.605868][ T4669]  ? trace_kmem_cache_alloc+0x29/0xf0
[  104.605884][ T4669]  ? l2cap_send_cmd+0x2a3/0xb90
[  104.605897][ T4669]  kasan_check_range+0x264/0x2c0
[  104.605908][ T4669]  ? l2cap_send_cmd+0x2a3/0xb90
[  104.605918][ T4669]  __asan_memcpy+0x29/0x70
[  104.605960][ T4669]  l2cap_send_cmd+0x2a3/0xb90
[  104.605976][ T4669]  l2cap_recv_frame+0xc032/0x10240
[  104.605992][ T4669]  ? lock_release+0x4b/0x3d0
[  104.606008][ T4669]  ? ret_from_fork_asm+0x1a/0x30
[  104.606026][ T4669]  ? unwind_next_frame+0xa5/0x23c0
[  104.606044][ T4669]  ? rcu_is_watching+0x15/0xb0
[  104.606059][ T4669]  ? lock_release+0x4b/0x3d0
[  104.606073][ T4669]  ? unwind_next_frame+0x1aaf/0x23c0
[  104.606090][ T4669]  ? unwind_next_frame+0xa5/0x23c0
[  104.606104][ T4669]  ? unwind_next_frame+0x1aaf/0x23c0
[  104.606121][ T4669]  ? __pfx_l2cap_recv_frame+0x10/0x10
[  104.606134][ T4669]  ? ret_from_fork_asm+0x1a/0x30
[  104.606149][ T4669]  ? ret_from_fork_asm+0x1a/0x30
[  104.606163][ T4669]  ? __pfx_stack_trace_consume_entry+0x10/0x10
[  104.606178][ T4669]  ? ret_from_fork_asm+0x1a/0x30
[  104.606195][ T4669]  ? stack_trace_save+0xa9/0x100
[  104.606206][ T4669]  ? __pfx_stack_trace_save+0x10/0x10
[  104.606218][ T4669]  ? check_path+0x21/0x40
[  104.606232][ T4669]  ? check_noncircular+0xda/0x150
[  104.606243][ T4669]  ? add_lock_to_list+0xc7/0x100
[  104.606253][ T4669]  ? lockdep_unlock+0x5d/0xd0
[  104.606261][ T4669]  ? __lock_acquire+0x146e/0x2cf0
[  104.606273][ T4669]  ? __mutex_trylock_common+0x158/0x260
[  104.606284][ T4669]  ? __pfx___mutex_trylock_common+0x10/0x10
[  104.606295][ T4669]  ? rcu_is_watching+0x15/0xb0
[  104.606305][ T4669]  ? trace_contention_end+0x3d/0x150
[  104.606320][ T4669]  ? __mutex_lock+0x319/0x1300
[  104.606333][ T4669]  ? l2cap_recv_acldata+0x2e3/0x13e0
[  104.606349][ T4669]  ? l2cap_recv_acldata+0x30b/0x13e0
[  104.606362][ T4669]  ? __mutex_unlock_slowpath+0x1bd/0x7d0
[  104.606374][ T4669]  ? __pfx___mutex_lock+0x10/0x10
[  104.606386][ T4669]  ? __pfx___mutex_unlock_slowpath+0x10/0x10
[  104.606398][ T4669]  ? l2cap_conn_hold_unless_zero+0x179/0x2b0
[  104.606413][ T4669]  ? __pfx_l2cap_conn_hold_unless_zero+0x10/0x10
[  104.606427][ T4669]  ? l2cap_recv_acldata+0x41/0x13e0
[  104.606436][ T4669]  l2cap_recv_acldata+0x7e9/0x13e0
[  104.606458][ T4669]  hci_rx_work+0x4f9/0x1030
[  104.606474][ T4669]  ? process_scheduled_works+0xa8d/0x18c0
[  104.606491][ T4669]  process_scheduled_works+0xb6e/0x18c0
[  104.606515][ T4669]  ? __pfx_process_scheduled_works+0x10/0x10
[  104.606528][ T4669]  ? assign_work+0x3d5/0x5e0
[  104.606541][ T4669]  worker_thread+0xa53/0xfc0
[  104.606555][ T4669]  kthread+0x388/0x470
[  104.606564][ T4669]  ? __pfx_worker_thread+0x10/0x10
[  104.606574][ T4669]  ? __pfx_kthread+0x10/0x10
[  104.606582][ T4669]  ret_from_fork+0x51e/0xb90
[  104.606606][ T4669]  ? __pfx_ret_from_fork+0x10/0x10
[  104.606625][ T4669]  ? __switch_to+0xc7d/0x1450
[  104.606641][ T4669]  ? __pfx_kthread+0x10/0x10
[  104.606653][ T4669]  ret_from_fork_asm+0x1a/0x30
[  104.606674][ T4669]  </TASK>
[  104.606678][ T4669] 
[  104.766692][ T4669] The buggy address belongs to stack of task kworker/u5:1/4669
[  104.769867][ T4669]  and is located at offset 128 in frame:
[  104.772415][ T4669]  l2cap_recv_frame+0x0/0x10240
[  104.774669][ T4669] 
[  104.775756][ T4669] This frame has 26 objects:
[  104.777802][ T4669]  [32, 34) 'rsp.i241.i.i'
[  104.777814][ T4669]  [48, 88) 'chan.i.i.i'
[  104.780215][ T4669]  [128, 146) 'pdu_u.i.i.i'
[  104.782164][ T4669]  [192, 202) 'rsp.i94.i.i'
[  104.784160][ T4669]  [224, 226) 'rsp.i.i.i111'
[  104.786147][ T4669]  [240, 242) 'rej.i'
[  104.788245][ T4669]  [256, 258) 'rej.i145.i'
[  104.790187][ T4669]  [272, 274) 'rej.i143.i'
[  104.792386][ T4669]  [288, 290) 'req.i229.i.i'
[  104.794720][ T4669]  [304, 312) 'buf.i222.i.i'
[  104.797132][ T4669]  [336, 348) 'buf29.i.i.i'
[  104.799421][ T4669]  [368, 372) 'rsp49.i.i.i'
[  104.801492][ T4669]  [384, 393) 'rfc.i.i118.i.i'
[  104.803651][ T4669]  [416, 480) 'buf.i119.i.i'
[  104.806225][ T4669]  [512, 576) 'req.i120.i.i'
[  104.808614][ T4669]  [608, 617) 'rfc.i.i.i.i'
[  104.810750][ T4669]  [640, 656) 'efs.i.i.i.i'
[  104.812837][ T4669]  [672, 678) 'rej.i371.i.i.i'
[  104.814910][ T4669]  [704, 710) 'rej.i.i.i.i'
[  104.817107][ T4669]  [736, 800) 'rsp.i.i.i'
[  104.819643][ T4669]  [832, 896) 'buf.i.i.i'
[  104.824964][ T4669]  [928, 1056) 'req.i.i.i'
[  104.826858][ T4669]  [1088, 1096) 'rsp.i.i.i.i'
[  104.828842][ T4669]  [1120, 1122) 'info.i.i.i.i'
[  104.830937][ T4669]  [1136, 1264) 'buf.i.i.i.i'
[  104.833022][ T4669]  [1296, 1298) 'rej.i.i'
[  104.835149][ T4669] 
[  104.838643][ T4669] The buggy address belongs to a 8-page vmalloc region starting at 0xffffc9000fa50000 allocated at copy_process+0x508/0x3cd0
[  104.844308][ T4669] The buggy address belongs to the physical page:
[  104.847090][ T4669] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x436b7
[  104.852002][ T4669] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[  104.855525][ T4669] raw: 04fff00000000000 0000000000000000 ffffea00010dadc8 0000000000000000
[  104.859565][ T4669] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[  104.864175][ T4669] page dumped because: kasan: bad access detected
[  104.867188][ T4669] page_owner tracks the page as allocated
[  104.869747][ T4669] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x29c2(GFP_NOWAIT|__GFP_HIGHMEM|__GFP_IO|__GFP_FS|__GFP_ZERO), pid 2, tgid 2 (kthreadd), ts 35826103261, free_ts 35340549951
[  104.879784][ T4669]  post_alloc_hook+0x231/0x280
[  104.882003][ T4669]  get_page_from_freelist+0x24dc/0x2580
[  104.884588][ T4669]  __alloc_frozen_pages_noprof+0x18d/0x380
[  104.887283][ T4669]  __alloc_pages_noprof+0xa/0x30
[  104.889620][ T4669]  __vmalloc_node_range_noprof+0x7be/0x1730
[  104.892457][ T4669]  __vmalloc_node_noprof+0xc2/0x100
[  104.895272][ T4669]  dup_task_struct+0x275/0x9a0
[  104.897776][ T4669]  copy_process+0x508/0x3cd0
[  104.899957][ T4669]  kernel_clone+0x248/0x8e0
[  104.902085][ T4669]  kernel_thread+0x13f/0x1b0
[  104.904325][ T4669]  kthreadd+0x4ec/0x6e0
[  104.906727][ T4669]  ret_from_fork+0x51e/0xb90
[  104.909288][ T4669]  ret_from_fork_asm+0x1a/0x30
[  104.911634][ T4669] page last free pid 1 tgid 1 stack trace:
[  104.914263][ T4669]  __free_frozen_pages+0xc2b/0xdb0
[  104.916614][ T4669]  __slab_free+0x263/0x2b0
[  104.918880][ T4669]  qlist_free_all+0x97/0x100
[  104.921500][ T4669]  kasan_quarantine_reduce+0x148/0x160
[  104.924531][ T4669]  __kasan_slab_alloc+0x22/0x80
[  104.926713][ T4669]  __kmalloc_noprof+0x316/0x760
[  104.928813][ T4669]  bpf_check+0x1676f/0x1ce00
[  104.930828][ T4669]  bpf_prog_load+0x1484/0x1ae0
[  104.932964][ T4669]  __sys_bpf+0x618/0x950
[  104.935258][ T4669]  kern_sys_bpf+0x185/0x700
[  104.938003][ T4669]  load+0x488/0xad0
[  104.940173][ T4669]  do_one_initcall+0x250/0x8d0
[  104.942789][ T4669]  do_initcall_level+0x104/0x190
[  104.945142][ T4669]  do_initcalls+0x59/0xa0
[  104.946990][ T4669]  kernel_init_freeable+0x2a6/0x3e0
[  104.949394][ T4669]  kernel_init+0x1d/0x1d0
[  104.951409][ T4669] 
[  104.952526][ T4669] Memory state around the buggy address:
[  104.955006][ T4669]  ffffc9000fa57380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  104.958702][ T4669]  ffffc9000fa57400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[  104.962695][ T4669] >ffffc9000fa57480: f8 f2 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 00 00 02 f2
[  104.966650][ T4669]                                                              ^
[  104.970108][ T4669]  ffffc9000fa57500: f2 f2 f2 f2 f8 f8 f2 f2 f8 f2 f8 f2 f8 f2 f8 f2
[  104.974389][ T4669]  ffffc9000fa57580: f8 f2 f8 f2 f2 f2 f8 f8 f2 f2 f8 f2 f8 f8 f2 f2
[  104.978181][ T4669] ==================================================================
[  105.010553][ T4669] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[  105.013818][ T4669] CPU: 0 UID: 0 PID: 4669 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full) 
[  105.018051][ T4669] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  105.022952][ T4669] Workqueue: hci0 hci_rx_work
[  105.025384][ T4669] Call Trace:
[  105.027137][ T4669]  <TASK>
[  105.028669][ T4669]  vpanic+0x56c/0xa60
[  105.030521][ T4669]  ? __pfx_vpanic+0x10/0x10
[  105.032642][ T4669]  panic+0xc5/0xd0
[  105.034460][ T4669]  ? __pfx_panic+0x10/0x10
[  105.036719][ T4669]  ? preempt_schedule_thunk+0x16/0x30
[  105.039672][ T4669]  ? preempt_schedule_thunk+0x16/0x30
[  105.042303][ T4669]  ? l2cap_send_cmd+0x2a3/0xb90
[  105.044454][ T4669]  check_panic_on_warn+0x89/0xb0
[  105.046733][ T4669]  ? l2cap_send_cmd+0x2a3/0xb90
[  105.048971][ T4669]  end_report+0x73/0x180
[  105.051279][ T4669]  ? l2cap_send_cmd+0x2a3/0xb90
[  105.053843][ T4669]  kasan_report+0x128/0x150
[  105.056052][ T4669]  ? trace_kmem_cache_alloc+0x29/0xf0
[  105.058494][ T4669]  ? l2cap_send_cmd+0x2a3/0xb90
[  105.060655][ T4669]  kasan_check_range+0x264/0x2c0
[  105.062883][ T4669]  ? l2cap_send_cmd+0x2a3/0xb90
[  105.065409][ T4669]  __asan_memcpy+0x29/0x70
[  105.068024][ T4669]  l2cap_send_cmd+0x2a3/0xb90
[  105.070417][ T4669]  l2cap_recv_frame+0xc032/0x10240
[  105.072689][ T4669]  ? lock_release+0x4b/0x3d0
[  105.074817][ T4669]  ? ret_from_fork_asm+0x1a/0x30
[  105.077061][ T4669]  ? unwind_next_frame+0xa5/0x23c0
[  105.079357][ T4669]  ? rcu_is_watching+0x15/0xb0
[  105.081613][ T4669]  ? lock_release+0x4b/0x3d0
[  105.084226][ T4669]  ? unwind_next_frame+0x1aaf/0x23c0
[  105.087574][ T4669]  ? unwind_next_frame+0xa5/0x23c0
[  105.090077][ T4669]  ? unwind_next_frame+0x1aaf/0x23c0
[  105.092506][ T4669]  ? __pfx_l2cap_recv_frame+0x10/0x10
[  105.094826][ T4669]  ? ret_from_fork_asm+0x1a/0x30
[  105.097087][ T4669]  ? ret_from_fork_asm+0x1a/0x30
[  105.099440][ T4669]  ? __pfx_stack_trace_consume_entry+0x10/0x10
[  105.102436][ T4669]  ? ret_from_fork_asm+0x1a/0x30
[  105.105086][ T4669]  ? stack_trace_save+0xa9/0x100
[  105.107592][ T4669]  ? __pfx_stack_trace_save+0x10/0x10
[  105.109970][ T4669]  ? check_path+0x21/0x40
[  105.111902][ T4669]  ? check_noncircular+0xda/0x150
[  105.114256][ T4669]  ? add_lock_to_list+0xc7/0x100
[  105.116706][ T4669]  ? lockdep_unlock+0x5d/0xd0
[  105.119023][ T4669]  ? __lock_acquire+0x146e/0x2cf0
[  105.121347][ T4669]  ? __mutex_trylock_common+0x158/0x260
[  105.123911][ T4669]  ? __pfx___mutex_trylock_common+0x10/0x10
[  105.126757][ T4669]  ? rcu_is_watching+0x15/0xb0
[  105.129264][ T4669]  ? trace_contention_end+0x3d/0x150
[  105.132145][ T4669]  ? __mutex_lock+0x319/0x1300
[  105.134624][ T4669]  ? l2cap_recv_acldata+0x2e3/0x13e0
[  105.137193][ T4669]  ? l2cap_recv_acldata+0x30b/0x13e0
[  105.139750][ T4669]  ? __mutex_unlock_slowpath+0x1bd/0x7d0
[  105.142582][ T4669]  ? __pfx___mutex_lock+0x10/0x10
[  105.145119][ T4669]  ? __pfx___mutex_unlock_slowpath+0x10/0x10
[  105.148089][ T4669]  ? l2cap_conn_hold_unless_zero+0x179/0x2b0
[  105.150874][ T4669]  ? __pfx_l2cap_conn_hold_unless_zero+0x10/0x10
[  105.153669][ T4669]  ? l2cap_recv_acldata+0x41/0x13e0
[  105.156419][ T4669]  l2cap_recv_acldata+0x7e9/0x13e0
[  105.159358][ T4669]  hci_rx_work+0x4f9/0x1030
[  105.161762][ T4669]  ? process_scheduled_works+0xa8d/0x18c0
[  105.164379][ T4669]  process_scheduled_works+0xb6e/0x18c0
[  105.167050][ T4669]  ? __pfx_process_scheduled_works+0x10/0x10
[  105.170032][ T4669]  ? assign_work+0x3d5/0x5e0
[  105.172360][ T4669]  worker_thread+0xa53/0xfc0
[  105.174751][ T4669]  kthread+0x388/0x470
[  105.177063][ T4669]  ? __pfx_worker_thread+0x10/0x10
[  105.179792][ T4669]  ? __pfx_kthread+0x10/0x10
[  105.182121][ T4669]  ret_from_fork+0x51e/0xb90
[  105.184245][ T4669]  ? __pfx_ret_from_fork+0x10/0x10
[  105.186657][ T4669]  ? __switch_to+0xc7d/0x1450
[  105.188890][ T4669]  ? __pfx_kthread+0x10/0x10
[  105.191348][ T4669]  ret_from_fork_asm+0x1a/0x30
[  105.193885][ T4669]  </TASK>
[  105.195953][ T4669] Kernel Offset: disabled
[  105.198313][ T4669] Rebooting in 86400 seconds..