[ 50.396201] sshd (6142) used greatest stack depth: 53184 bytes left [....] Starting OpenBSD Secure Shell server: sshd[ 50.648612] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. [ 51.003922] audit: type=1800 audit(1538839673.060:29): pid=6079 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 53.753510] random: sshd: uninitialized urandom read (32 bytes read) [ 54.142425] random: sshd: uninitialized urandom read (32 bytes read) [ 56.176859] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.13' (ECDSA) to the list of known hosts. [ 61.952368] random: sshd: uninitialized urandom read (32 bytes read) 2018/10/06 15:28:05 fuzzer started [ 66.283087] random: cc1: uninitialized urandom read (8 bytes read) 2018/10/06 15:28:10 dialing manager at 10.128.0.26:36867 2018/10/06 15:28:10 syscalls: 1 2018/10/06 15:28:10 code coverage: enabled 2018/10/06 15:28:10 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled 2018/10/06 15:28:10 setuid sandbox: enabled 2018/10/06 15:28:10 namespace sandbox: enabled 2018/10/06 15:28:10 Android sandbox: /sys/fs/selinux/policy does not exist 2018/10/06 15:28:10 fault injection: enabled 2018/10/06 15:28:10 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2018/10/06 15:28:10 net packed injection: enabled 2018/10/06 15:28:10 net device setup: enabled [ 70.750006] random: crng init done 15:29:53 executing program 0: perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e5}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$inet_mreqsrc(r0, 0x0, 0x27, &(0x7f000001b000)={@multicast2, @remote, @loopback}, 0xc) [ 171.904479] IPVS: ftp: loaded support on port[0] = 21 [ 173.918880] bridge0: port 1(bridge_slave_0) entered blocking state [ 173.925496] bridge0: port 1(bridge_slave_0) entered disabled state [ 173.933782] device bridge_slave_0 entered promiscuous mode [ 174.054804] bridge0: port 2(bridge_slave_1) entered blocking state [ 174.061256] bridge0: port 2(bridge_slave_1) entered disabled state [ 174.069547] device bridge_slave_1 entered promiscuous mode [ 174.188514] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 174.307760] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 174.676764] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 174.801148] bond0: Enslaving bond_slave_1 as an active interface with an up link 15:29:56 executing program 1: r0 = syz_open_dev$sndseq(&(0x7f0000000140)='/dev/snd/seq\x00', 0x0, 0x0) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, 'port0\x00', 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f0000000200)={0x2000000021, @time}) ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_INFO(r0, 0xc0bc5310, &(0x7f0000000300)) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x0, 0x0) [ 175.493290] IPVS: ftp: loaded support on port[0] = 21 [ 175.770372] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 175.778535] team0: Port device team_slave_0 added [ 175.973725] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 175.981754] team0: Port device team_slave_1 added [ 176.175792] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 176.385988] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 176.393264] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 176.401967] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 176.562214] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 176.570036] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 176.578904] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 176.761954] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 176.769530] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 176.778374] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 178.896912] bridge0: port 2(bridge_slave_1) entered blocking state [ 178.903462] bridge0: port 2(bridge_slave_1) entered forwarding state [ 178.910329] bridge0: port 1(bridge_slave_0) entered blocking state [ 178.916845] bridge0: port 1(bridge_slave_0) entered forwarding state [ 178.925655] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 178.938817] bridge0: port 1(bridge_slave_0) entered blocking state [ 178.945517] bridge0: port 1(bridge_slave_0) entered disabled state [ 178.953765] device bridge_slave_0 entered promiscuous mode [ 179.132361] bridge0: port 2(bridge_slave_1) entered blocking state [ 179.138818] bridge0: port 2(bridge_slave_1) entered disabled state [ 179.147120] device bridge_slave_1 entered promiscuous mode [ 179.380225] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 179.580167] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready 15:30:01 executing program 2: r0 = socket(0xa, 0x1, 0x0) r1 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r1) socket$nl_route(0x10, 0x3, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) r2 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'lo\x00', 0x0}) sendmsg$nl_route(r2, &(0x7f0000000340)={&(0x7f0000000140), 0xc, &(0x7f0000000280)={&(0x7f0000000180)=@ipv4_newaddr={0x20, 0x14, 0x1, 0x0, 0x0, {0x2, 0x0, 0x0, 0x0, r3}, [@IFA_LOCAL={0x8, 0x2, @rand_addr}]}, 0x20}}, 0x0) [ 179.932948] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 180.263491] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 180.418768] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 180.600693] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 180.608689] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 180.726441] IPVS: ftp: loaded support on port[0] = 21 [ 181.619778] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 181.627823] team0: Port device team_slave_0 added [ 181.913628] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 181.921477] team0: Port device team_slave_1 added [ 182.163730] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 182.170801] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 182.179674] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 182.330459] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 182.337614] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 182.346423] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 182.608475] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 182.616107] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 182.624815] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 182.890590] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 182.898272] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 182.907116] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 184.814104] bridge0: port 1(bridge_slave_0) entered blocking state [ 184.820572] bridge0: port 1(bridge_slave_0) entered disabled state [ 184.828867] device bridge_slave_0 entered promiscuous mode [ 185.162333] bridge0: port 2(bridge_slave_1) entered blocking state [ 185.168790] bridge0: port 2(bridge_slave_1) entered disabled state [ 185.177038] device bridge_slave_1 entered promiscuous mode [ 185.437775] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 185.615067] bridge0: port 2(bridge_slave_1) entered blocking state [ 185.621664] bridge0: port 2(bridge_slave_1) entered forwarding state [ 185.628525] bridge0: port 1(bridge_slave_0) entered blocking state [ 185.635038] bridge0: port 1(bridge_slave_0) entered forwarding state [ 185.643371] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 185.703075] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 186.061951] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 186.443707] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 186.638089] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 186.846589] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 186.854638] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready 15:30:09 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = dup2(r0, r1) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000140)='/dev/ptmx\x00', 0x0, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x0) ioctl$TIOCGWINSZ(r3, 0x5413, &(0x7f0000000000)) [ 187.953140] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 187.961040] team0: Port device team_slave_0 added [ 188.096880] IPVS: ftp: loaded support on port[0] = 21 [ 188.304416] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 188.312447] team0: Port device team_slave_1 added [ 188.569887] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 188.577414] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 188.586063] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 188.909409] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 188.916653] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 188.925567] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 189.307133] 8021q: adding VLAN 0 to HW filter on device bond0 [ 189.333918] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 189.341438] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 189.350467] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 189.499740] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 189.507681] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 189.516651] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 190.624375] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 191.885622] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 191.892077] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 191.899830] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 192.973951] 8021q: adding VLAN 0 to HW filter on device team0 [ 193.075694] bridge0: port 2(bridge_slave_1) entered blocking state [ 193.082248] bridge0: port 2(bridge_slave_1) entered forwarding state [ 193.089094] bridge0: port 1(bridge_slave_0) entered blocking state [ 193.095639] bridge0: port 1(bridge_slave_0) entered forwarding state [ 193.104557] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 193.237358] bridge0: port 1(bridge_slave_0) entered blocking state [ 193.244092] bridge0: port 1(bridge_slave_0) entered disabled state [ 193.252360] device bridge_slave_0 entered promiscuous mode [ 193.600563] bridge0: port 2(bridge_slave_1) entered blocking state [ 193.607213] bridge0: port 2(bridge_slave_1) entered disabled state [ 193.615685] device bridge_slave_1 entered promiscuous mode [ 193.852316] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 193.943930] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 194.207255] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 195.184769] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 195.540906] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 195.864909] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 195.872139] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 196.184514] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 196.197803] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready 15:30:18 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000000)='./file0\x00', 0x0) r0 = openat$fuse(0xffffffffffffff9c, &(0x7f0000000280)='/dev/fuse\x00', 0x2, 0x0) mount$fuse(0x0, &(0x7f0000000200)='./file0\x00', &(0x7f0000000300)='fuse\x00', 0x0, &(0x7f0000000480)={{'fd', 0x3d, r0}, 0x2c, {'rootmode', 0x3d, 0x4000}, 0x2c, {'user_id'}, 0x2c, {'group_id'}}) read$FUSE(r0, &(0x7f0000003000), 0x4ea) read$FUSE(r0, &(0x7f0000005000), 0xe83) write$FUSE_INIT(r0, &(0x7f0000000100)={0x50, 0x0, 0x1}, 0x50) read$FUSE(r0, &(0x7f0000008000), 0x139f) lstat(&(0x7f0000000000)='./file0/file0\x00', &(0x7f0000000340)) r1 = open$dir(&(0x7f0000000080)='./file0\x00', 0x0, 0x0) read$FUSE(r0, &(0x7f0000002000), 0x10165) write$FUSE_OPEN(r0, &(0x7f0000000240)={0x20, 0x0, 0x3}, 0x20) ioctl(r1, 0x0, &(0x7f0000000040)) write$FUSE_INIT(r0, &(0x7f0000000180)={0x50, 0x0, 0x4}, 0x50) [ 197.278030] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 197.286084] team0: Port device team_slave_0 added [ 197.558804] IPVS: ftp: loaded support on port[0] = 21 [ 197.664474] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 197.672552] team0: Port device team_slave_1 added [ 198.073722] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 198.092489] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 198.101164] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 198.499114] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 198.506347] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 198.514922] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 198.706105] 8021q: adding VLAN 0 to HW filter on device bond0 [ 198.889539] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 198.897279] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 198.906095] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 199.341452] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 199.349094] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 199.358104] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 200.218121] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready 15:30:22 executing program 0: mkdir(&(0x7f0000000000)='./file0\x00', 0x0) r0 = openat$fuse(0xffffffffffffff9c, &(0x7f0000000280)='/dev/fuse\x00', 0x2, 0x0) mount$fuse(0x0, &(0x7f0000000200)='./file0\x00', &(0x7f0000000300)='fuse\x00', 0x0, &(0x7f0000000480)={{'fd', 0x3d, r0}, 0x2c, {'rootmode', 0x3d, 0x4000}, 0x2c, {'user_id'}, 0x2c, {'group_id'}}) read$FUSE(r0, &(0x7f0000003000), 0x4ea) read$FUSE(r0, &(0x7f0000005000), 0xe83) write$FUSE_INIT(r0, &(0x7f0000000100)={0x50, 0x0, 0x1}, 0x50) read$FUSE(r0, &(0x7f0000008000), 0x139f) lstat(&(0x7f0000000000)='./file0/file0\x00', &(0x7f0000000340)) r1 = open$dir(&(0x7f0000000080)='./file0\x00', 0x0, 0x0) read$FUSE(r0, &(0x7f0000002000), 0x10165) write$FUSE_OPEN(r0, &(0x7f0000000240)={0x20, 0x0, 0x3}, 0x20) ioctl(r1, 0xffffffffffffffff, &(0x7f0000000040)) write$FUSE_INIT(r0, &(0x7f0000000180)={0x50, 0x0, 0x4}, 0x50) [ 201.616220] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 201.622929] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 201.630660] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready 15:30:24 executing program 0: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r0, 0x8912, &(0x7f0000000280)="153f6234488dd25d766070") ioctl$KVM_SET_DEBUGREGS(r0, 0x4080aea2, &(0x7f0000000000)={[0xaa1c20ca21c7b1b8, 0x4000, 0x5000, 0x2], 0x3, 0x11}) clone(0x0, &(0x7f0000000040), &(0x7f0000000180), &(0x7f0000003ffc), &(0x7f0000002000)) r1 = openat$vhci(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vhci\x00', 0x181081, 0x0) ioctl$DRM_IOCTL_RM_MAP(r1, 0x4028641b, &(0x7f00000000c0)={&(0x7f0000ffb000/0x2000)=nil, 0x5, 0x7, 0x80, &(0x7f0000ffc000/0x1000)=nil, 0x7}) waitid(0x0, 0x0, &(0x7f0000002ff9), 0xc1000006, 0x0) 15:30:25 executing program 0: r0 = socket$l2tp(0x18, 0x1, 0x1) ioctl(r0, 0x8912, &(0x7f00000000c0)="153f6234418dd25d766070") r1 = socket(0x1e, 0x4, 0x0) r2 = socket(0x1e, 0x4, 0x0) setsockopt$packet_tx_ring(r2, 0x10f, 0x87, &(0x7f0000000080)=@req={0x3fc}, 0x10) recvmsg(r2, &(0x7f0000002a00)={&(0x7f00000003c0)=@xdp, 0x80, &(0x7f00000028c0)=[{&(0x7f0000002840)=""/109, 0x6d}], 0x1, &(0x7f0000002900)=""/213, 0xd5}, 0x0) setsockopt$packet_tx_ring(r1, 0x10f, 0x87, &(0x7f0000265000)=@req={0x3fc, 0x0, 0x2}, 0x10) r3 = openat(0xffffffffffffff9c, &(0x7f0000000040)='.\x00', 0x82, 0x0) ioctl$PERF_EVENT_IOC_MODIFY_ATTRIBUTES(r3, 0x4008240b, &(0x7f0000000100)={0x0, 0x70, 0x7, 0x95, 0x1, 0x81, 0x0, 0x6, 0x0, 0xa, 0x3, 0x2, 0x5, 0x7fffffff, 0x1f, 0x1, 0x2, 0x21, 0x5, 0x4, 0x9, 0x3, 0x8, 0x3, 0x2, 0x81, 0x5, 0x80000000, 0x0, 0x2, 0x5, 0x4, 0x9, 0x8, 0x7, 0x0, 0x10001, 0x7f, 0x0, 0x100, 0x0, @perf_config_ext={0xfffffffffffffffe, 0x5}, 0x1, 0x9, 0x8, 0x4, 0x7, 0x10001, 0x4}) ioctl$LOOP_GET_STATUS(r3, 0x4c03, &(0x7f0000000180)) sendmmsg(r1, &(0x7f0000000a40), 0x8000000000000b0, 0x0) write$binfmt_script(r1, &(0x7f0000000000)=ANY=[@ANYBLOB=':'], 0x1) [ 203.054704] 8021q: adding VLAN 0 to HW filter on device team0 [ 203.521130] bridge0: port 1(bridge_slave_0) entered blocking state [ 203.527842] bridge0: port 1(bridge_slave_0) entered disabled state [ 203.536139] device bridge_slave_0 entered promiscuous mode 15:30:25 executing program 0: r0 = openat$cuse(0xffffffffffffff9c, &(0x7f0000000040)='/dev/cuse\x00', 0x81, 0x0) io_setup(0x9, &(0x7f0000000240)=0x0) io_submit(r1, 0x1, &(0x7f00000000c0)=[&(0x7f0000000200)={0x0, 0x0, 0x0, 0x1, 0x0, r0, &(0x7f0000000080)="7c4cd73556ec29e66db1a479b5356fed", 0x10}]) r2 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/net/pfkey\x00', 0x3, 0x0) ioctl$sock_inet_SIOCGIFPFLAGS(r2, 0x8935, &(0x7f0000000180)={'bridge0\x00', 0xffffffffffff7fff}) ioctl$FS_IOC_GETFSLABEL(r0, 0x81009431, &(0x7f0000000280)) ioctl$KVM_GET_DEBUGREGS(r2, 0x8080aea1, &(0x7f0000000100)) [ 203.796998] bridge0: port 2(bridge_slave_1) entered blocking state [ 203.803531] bridge0: port 2(bridge_slave_1) entered forwarding state [ 203.810396] bridge0: port 1(bridge_slave_0) entered blocking state [ 203.816949] bridge0: port 1(bridge_slave_0) entered forwarding state [ 203.824969] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 203.976894] bridge0: port 2(bridge_slave_1) entered blocking state [ 203.983464] bridge0: port 2(bridge_slave_1) entered disabled state [ 203.991856] device bridge_slave_1 entered promiscuous mode 15:30:26 executing program 0: r0 = gettid() timer_create(0x0, &(0x7f0000000080)={0x0, 0x12}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) clock_gettime(0x0, &(0x7f0000000000)={0x0, 0x0}) nanosleep(&(0x7f0000000040)={0x0, r1+30000000}, &(0x7f00000000c0)) mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x6, 0x100000000000031, 0xffffffffffffffff, 0x0) tkill(r0, 0x1000000000016) r2 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vsock\x00', 0x400000, 0x0) ioctl$KDSKBLED(r2, 0x4b65, 0x2b0f) [ 204.460791] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 204.732081] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready 15:30:27 executing program 0: r0 = gettid() timer_create(0x0, &(0x7f0000000080)={0x0, 0x12}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) clock_gettime(0x0, &(0x7f0000000000)={0x0, 0x0}) nanosleep(&(0x7f0000000040)={0x0, r1+30000000}, &(0x7f00000000c0)) mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x6, 0x100000000000031, 0xffffffffffffffff, 0x0) tkill(r0, 0x1000000000016) r2 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vsock\x00', 0x400000, 0x0) ioctl$KDSKBLED(r2, 0x4b65, 0x2b0f) [ 204.928087] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready 15:30:27 executing program 0: r0 = gettid() timer_create(0x0, &(0x7f0000000080)={0x0, 0x12}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) clock_gettime(0x0, &(0x7f0000000000)={0x0, 0x0}) nanosleep(&(0x7f0000000040)={0x0, r1+30000000}, &(0x7f00000000c0)) mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x6, 0x100000000000031, 0xffffffffffffffff, 0x0) tkill(r0, 0x1000000000016) r2 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vsock\x00', 0x400000, 0x0) ioctl$KDSKBLED(r2, 0x4b65, 0x2b0f) [ 205.960622] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 206.304913] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 206.671345] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 206.678571] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready 15:30:28 executing program 0: r0 = gettid() timer_create(0x0, &(0x7f0000000080)={0x0, 0x12}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) clock_gettime(0x0, &(0x7f0000000000)={0x0, 0x0}) nanosleep(&(0x7f0000000040)={0x0, r1+30000000}, &(0x7f00000000c0)) mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x6, 0x100000000000031, 0xffffffffffffffff, 0x0) tkill(r0, 0x1000000000016) r2 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vsock\x00', 0x400000, 0x0) ioctl$KDSKBLED(r2, 0x4b65, 0x2b0f) [ 207.082126] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 207.089606] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 207.832505] 8021q: adding VLAN 0 to HW filter on device bond0 [ 208.037509] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 208.045489] team0: Port device team_slave_0 added [ 208.363651] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 208.371789] team0: Port device team_slave_1 added [ 208.633708] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 208.640768] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 208.649449] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 208.799377] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 208.806588] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 208.815550] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 209.025794] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 209.044160] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 209.052886] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 209.061643] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 209.319553] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 209.327324] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 209.336086] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 210.004671] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 210.011124] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 210.019156] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready 15:30:32 executing program 1: r0 = socket$inet6(0xa, 0x3, 0x3a) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) setsockopt$inet6_MRT6_ADD_MFC(r0, 0x29, 0xcc, &(0x7f0000000100)={{0xa, 0x0, 0x0, @loopback}, {0xa, 0x0, 0x0, @mcast1}, 0x0, [0xa4ffffff]}, 0x5c) [ 211.048908] 8021q: adding VLAN 0 to HW filter on device team0 [ 211.697132] bridge0: port 2(bridge_slave_1) entered blocking state [ 211.703782] bridge0: port 2(bridge_slave_1) entered forwarding state [ 211.710825] bridge0: port 1(bridge_slave_0) entered blocking state [ 211.717431] bridge0: port 1(bridge_slave_0) entered forwarding state [ 211.725994] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 211.732694] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 214.307963] 8021q: adding VLAN 0 to HW filter on device bond0 [ 214.995516] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready 15:30:37 executing program 2: r0 = socket(0x8001000100000010, 0x3, 0x0) write(r0, &(0x7f0000000040)="1f0000001e0007f1fff57f02000000000000010053d6445f89390836be381b", 0x1f) [ 215.770770] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 215.777538] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 215.785437] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 216.356259] 8021q: adding VLAN 0 to HW filter on device team0 [ 218.201664] 8021q: adding VLAN 0 to HW filter on device bond0 [ 218.677971] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 219.153959] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 219.160363] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 219.168232] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready 15:30:41 executing program 3: socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = gettid() process_vm_writev(r1, &(0x7f0000000000)=[{&(0x7f0000000240)=""/253, 0xfd}], 0x1, &(0x7f00000000c0)=[{&(0x7f0000000080)}, {&(0x7f0000000340)=""/223, 0xdf}], 0x2, 0x0) [ 219.649591] 8021q: adding VLAN 0 to HW filter on device team0 [ 221.462463] hrtimer: interrupt took 29524 ns 15:30:44 executing program 4: r0 = socket$netlink(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000040)={'bridge_slave_0\x00'}) sendmsg$nl_route(r0, &(0x7f0000000240)={&(0x7f0000000000)={0x10, 0x37e00}, 0xc, &(0x7f0000000200)={&(0x7f0000000180)=ANY=[@ANYBLOB="e003ff000a0002000000000000000000"], 0x1}}, 0x0) 15:30:44 executing program 5: r0 = openat$smack_thread_current(0xffffffffffffff9c, &(0x7f0000000000)='/proc/thread-self/attr/current\x00', 0x2, 0x0) r1 = openat$smack_task_current(0xffffffffffffff9c, &(0x7f0000000040)='/proc/self/attr/current\x00', 0x2, 0x0) r2 = fcntl$getown(r0, 0x9) fcntl$lock(r0, 0x7, &(0x7f0000000080)={0x0, 0x0, 0x8, 0x7, r2}) fcntl$F_SET_FILE_RW_HINT(r0, 0x40e, &(0x7f00000000c0)) socketpair$inet_sctp(0x2, 0x5, 0x84, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) getpeername$inet(r3, &(0x7f0000000140)={0x2, 0x0, @local}, &(0x7f0000000180)=0x10) r5 = syz_open_dev$audion(&(0x7f00000001c0)='/dev/audio#\x00', 0x20, 0x410200) write$P9_RLCREATE(r5, &(0x7f0000000200)={0x18, 0xf, 0x1, {{0x8, 0x1, 0x6}, 0x1400}}, 0x18) r6 = openat$smack_task_current(0xffffffffffffff9c, &(0x7f0000000240)='/proc/self/attr/current\x00', 0x2, 0x0) getsockopt$inet_sctp_SCTP_GET_PEER_ADDR_INFO(r4, 0x84, 0xf, &(0x7f0000000280)={0x0, @in={{0x2, 0x4e21, @broadcast}}, 0x7, 0x89ee, 0x2, 0xfffffffffffffe01, 0x1}, &(0x7f0000000340)=0x98) setsockopt$inet_sctp6_SCTP_SET_PEER_PRIMARY_ADDR(r5, 0x84, 0x5, &(0x7f0000000380)={r7, @in={{0x2, 0x4e23, @multicast1}}}, 0x84) setsockopt$sock_int(r3, 0x1, 0x29, &(0x7f0000000440)=0x2, 0x4) write$RDMA_USER_CM_CMD_GET_EVENT(r5, &(0x7f0000000600)={0xc, 0x8, 0xfa00, {&(0x7f0000000480)}}, 0x10) getsockopt$inet6_dccp_buf(r1, 0x21, 0xcf, &(0x7f0000000640)=""/163, &(0x7f0000000700)=0xa3) setsockopt$inet_sctp6_SCTP_MAX_BURST(r5, 0x84, 0x14, &(0x7f0000000740)=@int=0x3, 0x4) setsockopt$inet_sctp_SCTP_HMAC_IDENT(r4, 0x84, 0x16, &(0x7f0000000780)={0x3, [0x8e, 0x8, 0x7fffffff]}, 0xa) setsockopt$sock_int(r5, 0x1, 0x2e, &(0x7f00000007c0)=0x6, 0x4) listxattr(&(0x7f0000000800)='./file0\x00', &(0x7f0000000840)=""/134, 0x86) ioctl$KDSKBMETA(r5, 0x4b63, &(0x7f0000000900)=0x3) setsockopt$bt_BT_CHANNEL_POLICY(r5, 0x112, 0xa, &(0x7f0000000940)=0x170, 0x4) getpeername(r5, &(0x7f0000000980)=@can, &(0x7f0000000a00)=0x80) r8 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000a40)='/dev/sequencer2\x00', 0x4080, 0x0) setsockopt$IP_VS_SO_SET_DELDEST(r5, 0x0, 0x488, &(0x7f0000000a80)={{0x7f, @remote, 0x4e23, 0x2, 'nq\x00', 0x10, 0x2806, 0x35}, {@remote, 0x4e23, 0x10000, 0x1, 0x6, 0x100000000}}, 0x44) ioctl$PPPIOCSFLAGS(r5, 0x40047459, &(0x7f0000000b00)=0x4000) recvfrom$unix(r8, &(0x7f0000000b40)=""/75, 0x4b, 0x1460af429c669438, &(0x7f0000000bc0)=@file={0x0, './file0\x00'}, 0x6e) ioctl$DRM_IOCTL_ADD_CTX(r5, 0xc0086420, &(0x7f0000000c40)) io_setup(0x2, &(0x7f0000000c80)=0x0) io_submit(r9, 0x4, &(0x7f0000001080)=[&(0x7f0000000dc0)={0x0, 0x0, 0x0, 0x2, 0x1, r4, &(0x7f0000000cc0)="739e652093259dafe99d63d193963373b3a42aab248903c4ae9fb04aa4240716d1a76eae4d35572646eaa949bde687a5de780793fbc08b46f0092e6192111df1e03bf569cf4cbca964fcd8eecedfe31a88dfe66c2abc6c43213e203cfb9303665c2c652edceda0d101f6fb6100813260c0b59d75f26f36f17d6b8511650ec7ef76458b767d06e6bcfb08494be761a01359a894ac20ec13d9bb03dad3e0feede5a33f6afbf6fe58afd1982e616e905d511b110b0d6a17a7ec89b5c67bf68b15b58dd0339d07fc18eb3ce47f000c86b52f17ee182af61efafe13ce1fcc0d03b55c171a49a02460674440c956ecb7f7e41f97803cfb881c7cc171980deb8d", 0xfd, 0xffffffffffffffc1, 0x0, 0x0, r8}, &(0x7f0000000ec0)={0x0, 0x0, 0x0, 0x3, 0x24, r5, &(0x7f0000000e00)="eb051d31a50652f56cbd807fab3207910de5aeb39a88cf770762e32a71ba43a094134f1066959408afd034a84ef808638ae7721a1058b996dedc97c43bf7f45820d19cc2d7cd0746d0f470aabbaa2bd5cc195fe4f2dc8bf4ef4d1f16e97416408ebfa716d078e22f4993dd679f3f2e5ea04c1ce599d8ffde7d35febb16405766a21caa07e335196650876227cfc62fac9b198b7ddf63d450d6e099ed3b88b501af70b13b39d94d92ea6162f9050da9f4628a5ba50f459bc399", 0xb9, 0x6}, &(0x7f0000000f40)={0x0, 0x0, 0x0, 0x6, 0x1, r5, &(0x7f0000000f00)="84d2306c488e6c868a552196bdf99c1994426d743015fea3988a756260c430f85cde4025f3bdefecc078ed987c86caa622c08bb4ba5faa5616", 0x39, 0x1000, 0x0, 0x0, r5}, &(0x7f0000001040)={0x0, 0x0, 0x0, 0x2, 0x5, r6, &(0x7f0000000f80)="75b416802cb3b593bf3ff7dc311cec5e29f7b0852204adbc8b29750f0b77df21a07ca9d46070777e52ebf4fb877b6319da230171852bdc85d4b2d5d4c5f5627baa3b4f4bed06daa643c15ab1ce48da34972dec09c64a96b0edac5d181943f627c3905f88ee2821555661e48bc984fc2b5d8889ba5d7fd65e36505712faaef1262bf41ea7a3b8a55f5ef8f92952704a992072697117a1188ee6abfa62220cdb1fbed180ec175ab74e9ceae478", 0xac, 0x10000, 0x0, 0x1, r8}]) r10 = semget$private(0x0, 0x7, 0x400) semctl$IPC_STAT(r10, 0x0, 0x2, &(0x7f00000010c0)=""/129) 15:30:44 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket(0x11, 0x802, 0x0) r1 = socket(0x0, 0x0, 0x0) r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000180)='/dev/rtc0\x00', 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000000)={"7465616d30001000", 0xffffffffffbfdffc}) ioctl$SCSI_IOCTL_GET_BUS_NUMBER(0xffffffffffffffff, 0x5386, &(0x7f0000000280)) ioctl$SNDRV_TIMER_IOCTL_GSTATUS(r2, 0xc0505405, &(0x7f0000000100)={{0x2, 0x3, 0xffffffffffff09b9, 0x0, 0x3}, 0x13fee36e}) getpid() r3 = fcntl$getown(0xffffffffffffffff, 0x9) fcntl$setpipe(r1, 0x407, 0x80000004) write$nbd(r2, &(0x7f00000001c0)={0x67446698, 0x1, 0x3, 0x4, 0x4, "cb83036f423a89f5e2a99dbe9b177f964eb6b9de9394ae30078021f04b680147921c85b21dc7d1c0b15d6add219db6821321d4d567645c141b826d7113adee436baa3c7064a90c93b7239183c5ad150ae82e"}, 0x62) r4 = syz_open_dev$vcsn(&(0x7f0000000500)='/dev/vcs#\x00', 0x200000000000, 0x2000000010000) setsockopt$packet_fanout_data(r2, 0x107, 0x16, &(0x7f0000000080)={0x2, &(0x7f0000000040)=[{0x7, 0x100000000, 0x3, 0x800}, {0x8, 0x4, 0x1}]}, 0x8) ioctl$SNDRV_TIMER_IOCTL_INFO(r4, 0x80e05411, &(0x7f0000000540)=""/253) ioctl$ASHMEM_GET_PROT_MASK(r4, 0x7706, &(0x7f0000000400)) setsockopt$inet_group_source_req(r1, 0x0, 0x2c, &(0x7f00000002c0)={0x1, {{0x2, 0x4e23, @multicast1}}, {{0x2, 0x4e22}}}, 0x104) ioctl$SNDRV_CTL_IOCTL_TLV_READ(0xffffffffffffffff, 0xc008551a, &(0x7f00000006c0)=ANY=[]) r5 = socket$inet_sctp(0x2, 0x1, 0x84) accept4(r5, &(0x7f0000001900)=@hci, &(0x7f0000001980)=0x80, 0x80800) ioctl$EVIOCGSND(r2, 0x8040451a, &(0x7f0000000440)=""/166) ioctl$SG_IO(r2, 0x2285, &(0x7f0000001880)={0x0, 0xffffffffffffffff, 0xa1, 0xfffffffffffffff8, @scatter={0x2, 0x0, &(0x7f00000016c0)=[{&(0x7f0000000640)=""/4096, 0x1000}, {&(0x7f0000001640)=""/102, 0x66}]}, &(0x7f0000001700)="fdf935625966b55462627c45e30222e8bc7040edfcddc57b7acda5235768e437a1423d658af4994b485aa70c0b2701d49f058a0a4be0867b8c3ee4f02d97f8f086ff8b6082992a299f26120b24c1a5dad70b19853da18342a2c32fd48e992f4756d08e5b94b37880cce046041e18a0cbe384ed1a9693265183788577153be5e0685b7929190c4ffe7039db976b29bfa816cbc6933aaa43e68af1b5852b994a9560", &(0x7f00000017c0)=""/83, 0x69, 0x10, 0xffffffffffffffff, &(0x7f0000001840)}) prctl$setptracer(0x59616d61, r3) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000240)={"7465616d300000ffffffc000002000", 0x4bfd}) mmap$xdp(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x1, 0x810, r4, 0x180000000) ioctl$SG_GET_VERSION_NUM(r4, 0x2282, &(0x7f00000018c0)) ioctl$DRM_IOCTL_ADD_CTX(r2, 0xc0086420, &(0x7f00000000c0)) setsockopt$sock_timeval(r1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x7530}, 0x8) 15:30:44 executing program 0: r0 = gettid() timer_create(0x0, &(0x7f0000000080)={0x0, 0x12}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) clock_gettime(0x0, &(0x7f0000000000)={0x0, 0x0}) nanosleep(&(0x7f0000000040)={0x0, r1+30000000}, &(0x7f00000000c0)) mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x6, 0x100000000000031, 0xffffffffffffffff, 0x0) tkill(r0, 0x1000000000016) openat$vsock(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vsock\x00', 0x400000, 0x0) 15:30:44 executing program 2: r0 = socket(0x8001000100000010, 0x3, 0x0) write(r0, &(0x7f0000000040)="1f0000001e0007f1fff57f02000000000000010053d6445f89390836be381b", 0x1f) 15:30:44 executing program 3: r0 = socket$inet6(0xa, 0x2, 0x0) connect$inet6(r0, &(0x7f0000000100)={0xa, 0x0, 0x0, @dev, 0x6}, 0x1c) sendto$inet6(r0, &(0x7f0000000040), 0x0, 0x4008080, &(0x7f00000000c0)={0xa, 0x4e23, 0x0, @ipv4={[], [], @multicast2}}, 0x1c) sendmmsg(r0, &(0x7f00000092c0), 0x4ff, 0x0) r1 = socket$inet6(0xa, 0x3, 0xb6) ioctl(r1, 0x8912, &(0x7f0000000280)="153f6234488dd25d766070") [ 222.511867] device team0 entered promiscuous mode [ 222.516971] device team_slave_0 entered promiscuous mode [ 222.522966] device team_slave_1 entered promiscuous mode 15:30:44 executing program 2: r0 = socket$l2tp(0x18, 0x1, 0x1) ioctl(r0, 0x8912, &(0x7f0000000280)="153f6234488dd25d766070") socket$inet6(0xa, 0x6, 0x0) [ 222.560927] 8021q: adding VLAN 0 to HW filter on device team0 [ 222.711760] 8021q: adding VLAN 0 to HW filter on device team0 15:30:44 executing program 4: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000600)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket(0x10, 0x2, 0xc) write(r1, &(0x7f0000a6b000)="1f0000000104ff00fd4354c007110000f305010008000100010423dcffdf00", 0x1f) write(r1, &(0x7f0000000000)="1f0000000104fffffd3b000007110000f30501000b000100020423ca0000cf", 0x1f) 15:30:45 executing program 2: r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000380)='./cgroup\x00syz1\x00', 0x200002, 0x0) bpf$BPF_PROG_ATTACH(0x9, &(0x7f0000000640)={r0, 0xffffffffffffffff, 0xa}, 0x10) [ 223.048068] netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'. 15:30:45 executing program 1: r0 = syz_open_dev$adsp(&(0x7f0000000840)='/dev/adsp#\x00', 0x7fffffff, 0x101000) ioctl$UI_SET_SNDBIT(r0, 0x4004556a, 0x2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) creat(&(0x7f0000000680)='./file0\x00', 0x71) openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000800)='/dev/qat_adf_ctl\x00', 0x0, 0x0) io_submit(0x0, 0x0, &(0x7f0000000980)) clone(0x802102001ffc, 0x0, 0xfffffffffffffffe, &(0x7f0000000040), 0xffffffffffffffff) perf_event_open(&(0x7f0000000000)={0x5, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000080)}, 0x200000000, 0x2}, 0x0, 0x1, 0xffffffffffffffff, 0x0) mount(&(0x7f0000000240)=ANY=[], &(0x7f0000000180)='./file0\x00', &(0x7f0000000100)='nfs\x00', 0x0, &(0x7f0000000000)) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, &(0x7f0000000240)=@assoc_value={0x0, 0x3}, &(0x7f0000000280)=0x8) getsockopt$inet6_mreq(r0, 0x29, 0x1f, &(0x7f0000000600)={@empty, 0x0}, &(0x7f0000000640)=0x14) sendmsg$nl_route_sched(r0, &(0x7f0000000780)={&(0x7f00000005c0)={0x10, 0x0, 0x0, 0x8040120}, 0xc, &(0x7f0000000740)={&(0x7f00000006c0)=@deltclass={0x48, 0x29, 0x8, 0x70bd2c, 0x25dfdbfd, {0x0, r1, {0x0, 0xf}, {0x0, 0xffe0}, {0xffe0, 0xfff2}}, [@TCA_RATE={0x8, 0x5, {0x93, 0x3f}}, @tclass_kind_options=@c_qfq={{0x8, 0x1, 'qfq\x00'}, {0x14, 0x2, [@TCA_QFQ_WEIGHT={0x8, 0x1, 0x1}, @TCA_QFQ_WEIGHT={0x8, 0x1, 0x6}]}}]}, 0x48}, 0x1, 0x0, 0x0, 0x20000010}, 0x10) r2 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, &(0x7f0000000400)={0x0, 0x18, 0xfa00, {0x0, &(0x7f00000003c0), 0x13f, 0x1009}}, 0x20) write$RDMA_USER_CM_CMD_NOTIFY(r2, &(0x7f0000000440)={0xf, 0x8, 0xfa00, {0xffffffffffffffff, 0x7}}, 0x10) socket$alg(0x26, 0x5, 0x0) setsockopt$IP_VS_SO_SET_EDITDEST(0xffffffffffffffff, 0x0, 0x489, &(0x7f00000001c0)={{0x0, @remote, 0x4e20, 0x2, 'lblcr\x00', 0x0, 0x7}, {@broadcast, 0x4e23, 0x0, 0x1, 0x5}}, 0x6) r3 = socket$inet6_udp(0xa, 0x2, 0x0) ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305828, &(0x7f00000004c0)={0x0, 0x0, 0x46, 0x3}) sendto$inet6(0xffffffffffffffff, &(0x7f00000001c0)="e3f55ded2f469c66aa7667671a9547719a2688fe70227ecc61c18e5425", 0x1d, 0x400c004, &(0x7f0000000000)={0xa, 0x4e22, 0xa29}, 0x1c) ioctl$sock_inet6_SIOCSIFADDR(r3, 0x89a1, &(0x7f00000000c0)={@local={0xfe, 0x80, [0x31030000, 0x3ef, 0x0, 0x3f00000000000000, 0x0, 0x0, 0x1103, 0x0, 0x0, 0x0, 0x0, 0x6]}}) connect$l2tp(0xffffffffffffffff, &(0x7f0000000080)=@pppol2tp={0x18, 0x1, {0x0, r3, {0x2, 0x4e24, @loopback}, 0x3, 0x0, 0x4}}, 0x26) ioctl$sock_inet6_SIOCADDRT(r3, 0x89a0, &(0x7f0000000100)={@local, @empty, @loopback, 0x3}) [ 223.088490] netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'. 15:30:45 executing program 0: r0 = gettid() timer_create(0x0, &(0x7f0000000080)={0x0, 0x12}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) clock_gettime(0x0, &(0x7f0000000000)={0x0, 0x0}) nanosleep(&(0x7f0000000040)={0x0, r1+30000000}, &(0x7f00000000c0)) mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x6, 0x100000000000031, 0xffffffffffffffff, 0x0) tkill(r0, 0x1000000000016) openat$vsock(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vsock\x00', 0x400000, 0x0) 15:30:45 executing program 2: r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000040)={0x13, 0x10}, 0x2c) bpf$MAP_DELETE_ELEM(0x2, &(0x7f0000000080)={r0}, 0x10) 15:30:45 executing program 1: r0 = syz_open_dev$adsp(&(0x7f0000000840)='/dev/adsp#\x00', 0x7fffffff, 0x101000) ioctl$UI_SET_SNDBIT(r0, 0x4004556a, 0x2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) creat(&(0x7f0000000680)='./file0\x00', 0x71) openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000800)='/dev/qat_adf_ctl\x00', 0x0, 0x0) io_submit(0x0, 0x0, &(0x7f0000000980)) clone(0x802102001ffc, 0x0, 0xfffffffffffffffe, &(0x7f0000000040), 0xffffffffffffffff) perf_event_open(&(0x7f0000000000)={0x5, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000080)}, 0x200000000, 0x2}, 0x0, 0x1, 0xffffffffffffffff, 0x0) mount(&(0x7f0000000240)=ANY=[], &(0x7f0000000180)='./file0\x00', &(0x7f0000000100)='nfs\x00', 0x0, &(0x7f0000000000)) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, &(0x7f0000000240)=@assoc_value={0x0, 0x3}, &(0x7f0000000280)=0x8) getsockopt$inet6_mreq(r0, 0x29, 0x1f, &(0x7f0000000600)={@empty, 0x0}, &(0x7f0000000640)=0x14) sendmsg$nl_route_sched(r0, &(0x7f0000000780)={&(0x7f00000005c0)={0x10, 0x0, 0x0, 0x8040120}, 0xc, &(0x7f0000000740)={&(0x7f00000006c0)=@deltclass={0x48, 0x29, 0x8, 0x70bd2c, 0x25dfdbfd, {0x0, r1, {0x0, 0xf}, {0x0, 0xffe0}, {0xffe0, 0xfff2}}, [@TCA_RATE={0x8, 0x5, {0x93, 0x3f}}, @tclass_kind_options=@c_qfq={{0x8, 0x1, 'qfq\x00'}, {0x14, 0x2, [@TCA_QFQ_WEIGHT={0x8, 0x1, 0x1}, @TCA_QFQ_WEIGHT={0x8, 0x1, 0x6}]}}]}, 0x48}, 0x1, 0x0, 0x0, 0x20000010}, 0x10) r2 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, &(0x7f0000000400)={0x0, 0x18, 0xfa00, {0x0, &(0x7f00000003c0), 0x13f, 0x1009}}, 0x20) write$RDMA_USER_CM_CMD_NOTIFY(r2, &(0x7f0000000440)={0xf, 0x8, 0xfa00, {0xffffffffffffffff, 0x7}}, 0x10) socket$alg(0x26, 0x5, 0x0) setsockopt$IP_VS_SO_SET_EDITDEST(0xffffffffffffffff, 0x0, 0x489, &(0x7f00000001c0)={{0x0, @remote, 0x4e20, 0x2, 'lblcr\x00', 0x0, 0x7}, {@broadcast, 0x4e23, 0x0, 0x1, 0x5}}, 0x6) r3 = socket$inet6_udp(0xa, 0x2, 0x0) ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305828, &(0x7f00000004c0)={0x0, 0x0, 0x46, 0x3}) sendto$inet6(0xffffffffffffffff, &(0x7f00000001c0)="e3f55ded2f469c66aa7667671a9547719a2688fe70227ecc61c18e5425", 0x1d, 0x400c004, &(0x7f0000000000)={0xa, 0x4e22, 0xa29}, 0x1c) ioctl$sock_inet6_SIOCSIFADDR(r3, 0x89a1, &(0x7f00000000c0)={@local={0xfe, 0x80, [0x31030000, 0x3ef, 0x0, 0x3f00000000000000, 0x0, 0x0, 0x1103, 0x0, 0x0, 0x0, 0x0, 0x6]}}) connect$l2tp(0xffffffffffffffff, &(0x7f0000000080)=@pppol2tp={0x18, 0x1, {0x0, r3, {0x2, 0x4e24, @loopback}, 0x3, 0x0, 0x4}}, 0x26) ioctl$sock_inet6_SIOCADDRT(r3, 0x89a0, &(0x7f0000000100)={@local, @empty, @loopback, 0x3}) [ 223.796254] IPVS: ftp: loaded support on port[0] = 21 [ 225.307904] bridge0: port 1(bridge_slave_0) entered blocking state [ 225.314610] bridge0: port 1(bridge_slave_0) entered disabled state [ 225.322751] device bridge_slave_0 entered promiscuous mode [ 225.399243] bridge0: port 2(bridge_slave_1) entered blocking state [ 225.405886] bridge0: port 2(bridge_slave_1) entered disabled state [ 225.413830] device bridge_slave_1 entered promiscuous mode [ 225.488410] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 225.561349] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 225.784742] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 225.861865] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 226.008690] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 226.015780] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 226.236048] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 226.243884] team0: Port device team_slave_0 added [ 226.317191] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 226.324830] team0: Port device team_slave_1 added [ 226.398951] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 226.474290] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 226.549648] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 226.557055] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 226.565949] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 226.634584] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 226.642023] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 226.650552] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 227.476242] bridge0: port 2(bridge_slave_1) entered blocking state [ 227.482706] bridge0: port 2(bridge_slave_1) entered forwarding state [ 227.489478] bridge0: port 1(bridge_slave_0) entered blocking state [ 227.496001] bridge0: port 1(bridge_slave_0) entered forwarding state [ 227.503699] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 227.961793] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 230.490660] 8021q: adding VLAN 0 to HW filter on device bond0 [ 230.766815] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 231.053522] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 231.059768] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 231.067635] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 231.336755] 8021q: adding VLAN 0 to HW filter on device team0 15:30:55 executing program 5: 15:30:55 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cpu.stat\x00', 0x275a, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2, 0x100000002072, 0xffffffffffffffff, 0x0) setsockopt$inet_MCAST_JOIN_GROUP(r0, 0x0, 0x2a, &(0x7f0000000100)={0xad, {{0x2, 0x4e21}}}, 0x88) r1 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f00000005c0)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc(serpent)\x00'}, 0x58) recvmsg(r1, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000003c0)=[{&(0x7f0000000640)=""/132, 0x84}, {&(0x7f0000000700)=""/212, 0xd4}, {&(0x7f0000000800)=""/216, 0xd8}], 0x3, &(0x7f0000000900)=""/194, 0xc2, 0x1}, 0x2) setsockopt$ALG_SET_KEY(r1, 0x117, 0x1, &(0x7f0000000080), 0x0) r2 = accept$alg(r1, 0x0, 0x0) write$binfmt_script(r2, &(0x7f0000000a40)=ANY=[@ANYBLOB="d10000000000f7060030688aaec3d68bbeda4174fba2ae72a4f8038c49aad8d62df448a542e71c151b8ecf2321b2e205d28101705f4c20cb22c300000000000000000000000019a99156cac3abc6fc29f6bf1f5a4ec60c0e966486f4c3d2ca91cd92140f37d563d50bb1b705ae46a73f157e7330ba15f7e6fa9a5e7fd26b26e2ae952cc4d62a5424f8abb2726bfdb01cc1a9760251e36004d340a206271f2ede9a3ce9d3358fa7e1026f14ed1527895a0f1e63703d77b23515ff277f7fe4a9c3d858a86968338d7d783d505c77498bb2578eccf183e82d62da9fdbbcb4c82f2230e40694f5b39305c6f9d890a8a282ee9f03bd5f3824af3ffb0c7820af18e5ff0f3b041fa6c55c1d49a49bec809550d8a2499299d45a84a0964ff5c9590d1fa39ce45cf0cbb0054bd0a040076d15556e6c3affdb98547ad8b1ded9c4f6abaa5662e5f68bfdbda28be47054966c2f67fb756befa156e56d04fc455edaccc7348584e540db74af4f5915434b929957917ce333690d3d4ada1f9f37b8cb4e867f5959278d"], 0x183) recvmmsg(r2, &(0x7f0000008a00)=[{{0x0, 0xfffffffffffffce2, &(0x7f0000000400)=[{&(0x7f0000000000)=""/48, 0x30}], 0x1, 0x0, 0x16c}}], 0x1, 0x0, &(0x7f0000008bc0)) ioctl$FIGETBSZ(r1, 0x2, &(0x7f0000000380)) bpf$BPF_GET_PROG_INFO(0xf, &(0x7f0000000240)={r0, 0x50, &(0x7f00000001c0)={0x0, 0x0}}, 0x10) bpf$BPF_PROG_GET_FD_BY_ID(0xd, &(0x7f0000000280)=r3, 0xfffffe8f) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x300000a, 0x8013, r0, 0x0) ioctl$EXT4_IOC_SWAP_BOOT(r0, 0x6611) getsockopt$inet_mreqsrc(r0, 0x0, 0x2f, &(0x7f0000000440)={@local, @dev, @multicast1}, &(0x7f0000000480)=0xc) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x20, &(0x7f00000002c0)={@mcast2, 0x1, 0x2, 0x2, 0xc, 0x7, 0xc8, 0x3}, 0x20) r4 = accept4$packet(r0, &(0x7f0000000500)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, &(0x7f0000000540)=0x14, 0x80800) ioctl$sock_inet6_SIOCSIFADDR(r0, 0x8916, &(0x7f0000000580)={@empty, 0x27, r5}) openat$cgroup_procs(r0, &(0x7f0000000340)='cgroup.threads\x00', 0x2, 0x0) r6 = socket$can_bcm(0x1d, 0x2, 0x2) r7 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r7, 0x11b, 0x4, &(0x7f0000000040)={&(0x7f0000000000)=""/21, 0x3c000, 0x800}, 0x18) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r0, 0x84, 0x70, &(0x7f0000000c80)={0x0, @in={{0x2, 0x4e23, @multicast1}}, [0x8ef, 0x7b96, 0x5, 0x8, 0x0, 0x7, 0x2, 0x400000004000000, 0x9, 0x401, 0xa4c, 0x758, 0x8, 0x2, 0x80000000]}, &(0x7f0000000d80)=0x100) getsockopt$inet_sctp6_SCTP_GET_PEER_ADDR_INFO(r0, 0x84, 0xf, &(0x7f0000000dc0)={r8, @in6={{0xa, 0x4e23, 0xffffffffffff8000, @remote, 0x101}}, 0x7, 0x261, 0x3, 0x2, 0x8}, &(0x7f0000000e80)=0x98) syz_extract_tcp_res$synack(&(0x7f0000000c00), 0x1, 0x0) bind$packet(r4, &(0x7f0000000a00)={0x11, 0x0, r5, 0x1, 0xfffffffffffffffa, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x2}}, 0x14) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r6, 0x29, 0x20, &(0x7f0000000c40)={@dev={0xfe, 0x80, [], 0x1f}, 0x7, 0x2, 0x2, 0x4, 0x1ff, 0x7, 0x8}, 0x20) setsockopt$inet6_tcp_TLS_RX(r0, 0x6, 0x2, &(0x7f0000000300), 0x4) ioctl$FS_IOC_FSSETXATTR(r0, 0x401c5820, &(0x7f00000000c0)={0x8, 0x9, 0x9, 0x7, 0x2}) 15:30:55 executing program 2: r0 = socket$inet(0x2, 0x840000000003, 0x2) setsockopt$inet_int(r0, 0x0, 0xc8, &(0x7f0000bcf000), 0x4) close(r0) 15:30:55 executing program 0: r0 = gettid() timer_create(0x0, &(0x7f0000000080)={0x0, 0x12}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) clock_gettime(0x0, &(0x7f0000000000)={0x0, 0x0}) nanosleep(&(0x7f0000000040)={0x0, r1+30000000}, &(0x7f00000000c0)) mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x6, 0x100000000000031, 0xffffffffffffffff, 0x0) tkill(r0, 0x1000000000016) 15:30:55 executing program 1: 15:30:55 executing program 3: 15:30:55 executing program 1: 15:30:55 executing program 5: 15:30:55 executing program 2: r0 = timerfd_create(0x0, 0x0) close(r0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)) getsockopt$SO_TIMESTAMPING(r0, 0x1, 0x25, &(0x7f0000000080), &(0x7f0000000100)=0x4) 15:30:55 executing program 3: 15:30:55 executing program 4: 15:30:55 executing program 1: 15:30:55 executing program 0: gettid() timer_create(0x0, &(0x7f0000000080)={0x0, 0x12}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) clock_gettime(0x0, &(0x7f0000000000)={0x0, 0x0}) nanosleep(&(0x7f0000000040)={0x0, r0+30000000}, &(0x7f00000000c0)) mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x6, 0x100000000000031, 0xffffffffffffffff, 0x0) 15:30:55 executing program 5: 15:30:56 executing program 4: 15:30:56 executing program 2: 15:30:56 executing program 3: 15:30:56 executing program 1: 15:30:56 executing program 4: 15:30:56 executing program 5: 15:30:56 executing program 2: 15:30:56 executing program 0: gettid() timer_create(0x0, &(0x7f0000000080)={0x0, 0x12}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) clock_gettime(0x0, &(0x7f0000000000)={0x0, 0x0}) nanosleep(&(0x7f0000000040)={0x0, r0+30000000}, &(0x7f00000000c0)) mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x6, 0x100000000000031, 0xffffffffffffffff, 0x0) 15:30:56 executing program 3: 15:30:56 executing program 4: 15:30:56 executing program 2: 15:30:56 executing program 1: 15:30:56 executing program 5: 15:30:56 executing program 3: 15:30:57 executing program 1: 15:30:57 executing program 4: 15:30:57 executing program 2: 15:30:57 executing program 5: 15:30:57 executing program 3: 15:30:57 executing program 0: gettid() timer_create(0x0, &(0x7f0000000080)={0x0, 0x12}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) clock_gettime(0x0, &(0x7f0000000000)={0x0, 0x0}) nanosleep(&(0x7f0000000040)={0x0, r0+30000000}, &(0x7f00000000c0)) mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x6, 0x100000000000031, 0xffffffffffffffff, 0x0) 15:30:57 executing program 1: 15:30:57 executing program 4: 15:30:57 executing program 5: r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION(r0, 0x80045113, &(0x7f0000000080)) 15:30:57 executing program 2: perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1f}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_open_procfs(0xffffffffffffffff, &(0x7f0000000140)='net/ip6_mr_cache\x00') ioctl$KVM_TRANSLATE(0xffffffffffffffff, 0xc018ae85, &(0x7f0000000200)={0xf000}) ioctl$ifreq_SIOCGIFINDEX_vcan(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'vcan0\x00'}) connect$can_bcm(0xffffffffffffffff, &(0x7f0000000000), 0x10) r0 = socket$nl_netfilter(0x10, 0x3, 0xc) getsockname$netlink(r0, &(0x7f0000000080), &(0x7f0000000100)=0xc) sendmsg(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000280)}, 0x0) 15:30:57 executing program 3: r0 = syz_open_dev$evdev(&(0x7f0000000040)='/dev/input/event#\x00', 0x0, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$int_out(r0, 0x80804535, &(0x7f0000000140)) 15:30:57 executing program 1: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r0, 0x8912, &(0x7f0000000280)="153f6234488dd25d766070") r1 = socket$inet6(0xa, 0x2, 0x0) connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @local, 0x4}, 0x1c) r2 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r2, &(0x7f000014f000)={&(0x7f00003c7ff4), 0xc, &(0x7f00000bfff0)={&(0x7f0000006440)=@updpolicy={0xb8, 0x19, 0x1, 0x0, 0x0, {{@in6=@mcast1, @in=@multicast1, 0x0, 0x0, 0x0, 0x0, 0xa}}}, 0xb8}}, 0x0) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r1, 0x29, 0x3a, &(0x7f0000000200)={@remote}, 0x20) 15:30:57 executing program 5: 15:30:58 executing program 2: 15:30:58 executing program 4: eventfd(0x8) perf_event_open(&(0x7f0000aaa000)={0x2, 0x70, 0x85b, 0x2}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) chdir(&(0x7f00000000c0)='./file0\x00') clone(0x2102001ffb, 0x0, 0xfffffffffffffffe, &(0x7f0000000140), 0xffffffffffffffff) mknod(&(0x7f00000056c0)='./file0\x00', 0xffc, 0x0) execve(&(0x7f0000000100)='./file0\x00', &(0x7f00000009c0), &(0x7f0000000840)) 15:30:58 executing program 3: r0 = syz_open_dev$dri(&(0x7f0000001240)='/dev/dri/card#\x00', 0x0, 0x0) readv(r0, &(0x7f0000001080)=[{&(0x7f0000001100)=""/105, 0x69}], 0x1) r1 = gettid() timer_create(0x0, &(0x7f0000000440)={0x0, 0x12, 0x0, @thr={&(0x7f0000000080), &(0x7f0000000180)}}, &(0x7f0000000040)) r2 = syz_open_dev$vcsa(&(0x7f0000000000)='/dev/vcsa#\x00', 0xef, 0x2040) ioctl$TIOCLINUX7(r2, 0x541c, &(0x7f0000000080)={0x7, 0x7}) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = openat$vcs(0xffffffffffffff9c, &(0x7f00000010c0)='/dev/vcs\x00', 0x0, 0x0) dup2(r3, r0) tkill(r1, 0x15) 15:30:58 executing program 5: socketpair$unix(0x1, 0x5, 0x0, &(0x7f000001a000)) pipe(&(0x7f0000000680)={0xffffffffffffffff}) write(0xffffffffffffffff, &(0x7f0000000340), 0x10000014c) fadvise64(0xffffffffffffffff, 0x0, 0x319d, 0x0) bind$inet(0xffffffffffffffff, &(0x7f0000011ff0)={0x2, 0x4e20, @multicast2}, 0x10) listen(0xffffffffffffffff, 0x0) r1 = socket$inet_tcp(0x2, 0x1, 0x0) listen(r1, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) clock_gettime(0x0, &(0x7f0000000240)) pselect6(0x40, &(0x7f00000000c0), &(0x7f0000000100), &(0x7f0000000140)={0x1b7}, &(0x7f0000000200), &(0x7f0000000300)={&(0x7f00000002c0), 0x8}) vmsplice(r0, &(0x7f0000000000), 0x0, 0x0) 15:30:58 executing program 0: r0 = gettid() timer_create(0x0, &(0x7f0000000080)={0x0, 0x12}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) clock_gettime(0x0, &(0x7f0000000000)={0x0, 0x0}) nanosleep(&(0x7f0000000040)={0x0, r1+30000000}, &(0x7f00000000c0)) tkill(r0, 0x1000000000016) 15:30:58 executing program 1: r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000180)={0x26, 'aead\x00', 0x0, 0x0, 'rfc4543(gcm_base(ctr(aes-aesni),ghash-generic))\x00'}, 0x58) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="349c799b4f9183ef0842aa2bee6300b84cd901d72499c3f8d7c8cfbd", 0x1c) 15:30:58 executing program 4: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_TIMESTAMPING(r0, 0x1, 0x25, &(0x7f0000000000)=0x100, 0x100000044) setsockopt$packet_int(r0, 0x107, 0xf, &(0x7f0000000040)=0x4006, 0x4) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r1, 0x8912, &(0x7f0000000280)="153f6234488dd25d766070") sendto$inet6(r0, &(0x7f0000000300)="040105000500000000000000ffb25bc202938207d903378c398d5375c5f73f2e55067d2780e19e33e3c2e77205000000402810fadc5712f29508c008186575efe5eb8f5972eaecff8b30ac32030e80fa87d0d03d18c1f5fcb8c96da56c6fa39f106b", 0x62, 0x0, &(0x7f00000002c0)={0xa, 0x0, 0x800000000000d, @mcast2}, 0x1c) 15:30:58 executing program 2: timerfd_create(0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000180)='fdinfo/3\x00') pread64(r0, &(0x7f00000011c0)=""/4096, 0xfffffe6a, 0x0) 15:30:58 executing program 3: r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000080)={'team0\x00', 0x0}) r2 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r2, &(0x7f0000000440)={&(0x7f0000000340), 0xc, &(0x7f0000000400)={&(0x7f0000000380)=@setlink={0x2c, 0x13, 0x811, 0x0, 0x0, {0x0, 0x0, 0x0, r1}, [@IFLA_ADDRESS={0xc, 0x1, @empty=[0xa701]}]}, 0x2c}}, 0x0) 15:30:58 executing program 5: r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f000016b000)={0x26, 'skcipher\x00', 0x0, 0x0, 'lrw(serpent)\x00'}, 0x58) bind$alg(r0, &(0x7f00000002c0)={0x26, 'skcipher\x00', 0x0, 0x0, 'ecb(cast6)\x00'}, 0x58) 15:30:58 executing program 2: r0 = socket$inet6(0xa, 0x1, 0x0) fcntl$dupfd(0xffffffffffffffff, 0x0, 0xffffffffffffffff) clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, &(0x7f0000000640), 0xffffffffffffffff) ioctl$sock_SIOCADDDLCI(r0, 0x8980, &(0x7f0000000180)={'bridge0\x00'}) r1 = syz_open_procfs(0x0, &(0x7f0000000280)='map_files\x00') exit(0x0) getdents64(r1, &(0x7f00000000c0)=""/57, 0x53) 15:30:59 executing program 4: r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) setsockopt$inet_sctp6_SCTP_ASSOCINFO(r0, 0x84, 0x1, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x14) bind$inet6(r0, &(0x7f0000000040)={0xa, 0x4e23}, 0x1c) listen(r0, 0x80000001) r1 = socket$inet6(0xa, 0x5, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f0000000000)=[@in6={0xa, 0x0, 0x0, @loopback}, @in={0x2, 0x4e23, @local}], 0x2c) 15:30:59 executing program 3: r0 = openat$ion(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ion\x00', 0x0, 0x0) ioctl$ION_IOC_HEAP_QUERY(r0, 0xc0045878, &(0x7f00000000c0)={0x34, 0x0, &(0x7f0000000080)}) 15:30:59 executing program 2: r0 = socket$inet6(0xa, 0x1, 0x0) fcntl$dupfd(0xffffffffffffffff, 0x0, 0xffffffffffffffff) clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, &(0x7f0000000640), 0xffffffffffffffff) ioctl$sock_SIOCADDDLCI(r0, 0x8980, &(0x7f0000000180)={'bridge0\x00'}) r1 = syz_open_procfs(0x0, &(0x7f0000000280)='map_files\x00') exit(0x0) getdents64(r1, &(0x7f00000000c0)=""/57, 0x53) 15:30:59 executing program 1: r0 = socket$inet6(0xa, 0x1000000000005, 0x0) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r0, 0x84, 0x17, &(0x7f0000000240), 0x8) 15:30:59 executing program 5: r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000180)={0x26, 'aead\x00', 0x0, 0x0, 'rfc4543(gcm_base(ctr(aes-aesni),ghash-generic))\x00'}, 0x58) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="349c799b", 0x4) 15:30:59 executing program 0: r0 = gettid() timer_create(0x0, &(0x7f0000000080)={0x0, 0x12}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) nanosleep(&(0x7f0000000040), &(0x7f00000000c0)) mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x6, 0x100000000000031, 0xffffffffffffffff, 0x0) tkill(r0, 0x1000000000016) 15:30:59 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000872936)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x2, 0x0, &(0x7f00000002c0)=ANY=[@ANYBLOB='\fc'], 0x0, 0x0, &(0x7f0000000340)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x10, 0x0, &(0x7f0000005fd4)=[@acquire, @acquire={0x400c630e}], 0x0, 0x0, &(0x7f00000001c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000008fd0)={0x8, 0x0, &(0x7f00000000c0)=[@release={0x400c630f}], 0x0, 0x0, &(0x7f0000000f4d)}) r1 = fcntl$dupfd(r0, 0x0, r0) ioctl$sock_inet6_tcp_SIOCOUTQNSD(r1, 0x894b, &(0x7f0000000040)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x3c, 0x0, &(0x7f0000000100)=[@request_death={0x400c630e, 0x4}, @decrefs={0x40046307, 0x1}, @increfs={0x40046304, 0x4}, @exit_looper, @clear_death={0x400c630f, 0x4, 0x3}, @release={0x40046306, 0x3}], 0x44, 0x0, &(0x7f0000000140)="fe52b68a8210da56deeed51451e1c5c7b28d9e8746fc08e0b1b083007ec95163365cfc54246737cf064ecb0945cd1f526b0578eb9454b0af9fa20e0dc36edf0e8ccc3b9b"}) r2 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r2, 0x8912, &(0x7f0000000080)="153f6234488dd25d766070") ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) 15:30:59 executing program 1: r0 = openat$ion(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ion\x00', 0x0, 0x0) ioctl$FS_IOC_RESVSP(r0, 0x40305828, &(0x7f0000000000)) [ 237.794954] binder: 8110:8114 Acquire 1 refcount change on invalid ref 0 ret -22 [ 237.802888] binder: 8110:8114 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 15:30:59 executing program 0: r0 = gettid() timer_create(0x0, &(0x7f0000000080)={0x0, 0x12}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) nanosleep(&(0x7f0000000040), &(0x7f00000000c0)) mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x6, 0x100000000000031, 0xffffffffffffffff, 0x0) tkill(r0, 0x1000000000016) [ 237.859662] binder: 8110:8119 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0 [ 237.913184] binder: 8110:8114 ioctl 894b 20000040 returned -22 [ 237.955234] binder: 8110:8114 BC_REQUEST_DEATH_NOTIFICATION invalid ref 4 [ 237.962586] binder: 8110:8114 DecRefs 0 refcount change on invalid ref 1 ret -22 [ 237.970192] binder: 8110:8114 IncRefs 0 refcount change on invalid ref 4 ret -22 [ 237.977912] binder: 8110:8114 BC_CLEAR_DEATH_NOTIFICATION invalid ref 4 [ 237.984830] binder: 8110:8114 Release 1 refcount change on invalid ref 3 ret -22 [ 237.992567] binder: 8114 RLIMIT_NICE not set 15:31:00 executing program 0: r0 = gettid() timer_create(0x0, &(0x7f0000000080)={0x0, 0x12}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) nanosleep(&(0x7f0000000040), &(0x7f00000000c0)) mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x6, 0x100000000000031, 0xffffffffffffffff, 0x0) tkill(r0, 0x1000000000016) 15:31:00 executing program 4: r0 = syz_open_dev$sg(&(0x7f0000000780)='/dev/sg#\x00', 0x0, 0x80000000042) ioctl$SG_IO(0xffffffffffffffff, 0x2285, &(0x7f0000000300)={0x53, 0x0, 0x0, 0x0, @scatter={0x0, 0x0, &(0x7f00000001c0)}, &(0x7f0000000240), &(0x7f0000000140)=""/126, 0x0, 0x0, 0x0, &(0x7f0000000280)}) write$binfmt_aout(0xffffffffffffffff, &(0x7f0000000480), 0x20) readv(r0, &(0x7f0000000700)=[{&(0x7f0000000380)=""/236, 0xec}], 0x1) write$binfmt_elf64(r0, &(0x7f0000000300)=ANY=[], 0xf6) 15:31:00 executing program 1: bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x1, 0x3, &(0x7f0000001fd8)=@framed={{0xffffff85, 0x0, 0x0, 0x0, 0x7, 0x37, 0x0, 0x0, 0xffff8000}}, &(0x7f0000000180)="4550d4001f91eb2f57b73224433025039c3096b20c6b439348bf689c08608537d6223e63adc0624fbae2e109359dce6922324ccc13160b68cae6430697259dd52d1f73e16adc3592d02925dffae85e9cd2398c6c67c87fb5b12602f145b484be45912966e8b7e2f66069c56dd76c1dc112013c3a6b4de999cdcdc8855aee3437dcc87580cfbe546fbbfbc0eb56d8bbbea2904a7c73c2", 0x0, 0x60, &(0x7f0000000000)=""/195}, 0x16) 15:31:00 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f000001a000)) pipe(&(0x7f0000000680)={0xffffffffffffffff, 0xffffffffffffffff}) fadvise64(r1, 0x0, 0x0, 0x0) syz_genetlink_get_family_id$ipvs(&(0x7f00000001c0)='IPVS\x00') r2 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0xf, &(0x7f0000017000)=0xfffff7fffffffffd, 0x4) bind$inet(r2, &(0x7f0000011ff0)={0x2, 0x4e20, @multicast2}, 0x10) listen(0xffffffffffffffff, 0x0) r3 = socket$inet(0x2, 0x1, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0xf, &(0x7f0000017000)=0xfffff7fffffffffd, 0x4) setsockopt$sock_int(r3, 0x1, 0xf, &(0x7f0000356ffc)=0xffffffffffffff40, 0x4) bind$inet(0xffffffffffffffff, &(0x7f0000000040)={0x2, 0x4e20, @multicast2}, 0x10) listen(r4, 0x0) listen(r3, 0x0) sendmsg$IPVS_CMD_DEL_SERVICE(0xffffffffffffffff, &(0x7f00000004c0)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x10000041}, 0xc, &(0x7f0000000280)={&(0x7f0000000340)=ANY=[@ANYRES16=0x0], 0x1}}, 0x890) perf_event_open(&(0x7f0000000040)={0x0, 0x70}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) clock_gettime(0x0, &(0x7f0000000240)) eventfd(0x0) vmsplice(r0, &(0x7f0000000000)=[{&(0x7f0000000500), 0x3528a9c0}], 0x1, 0x0) 15:31:00 executing program 0: r0 = gettid() timer_create(0x0, &(0x7f0000000080)={0x0, 0x12}, &(0x7f0000044000)) clock_gettime(0x0, &(0x7f0000000000)={0x0, 0x0}) nanosleep(&(0x7f0000000040)={0x0, r1+30000000}, &(0x7f00000000c0)) mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x6, 0x100000000000031, 0xffffffffffffffff, 0x0) tkill(r0, 0x1000000000016) [ 238.558454] binder: 8110:8119 Acquire 1 refcount change on invalid ref 0 ret -22 [ 238.566569] binder: 8110:8119 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 238.605885] binder: 8110:8119 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0 [ 238.624365] binder: 8110:8148 ioctl 894b 20000040 returned -22 15:31:00 executing program 4: r0 = socket$inet6(0xa, 0x1000000000005, 0x0) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r0, 0x84, 0x76, &(0x7f0000000240), 0x8) 15:31:00 executing program 5: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$inet6(0xa, 0x803, 0x3) ioctl(r1, 0x1000008912, &(0x7f0000000380)="0a5c2d023c126285718070") sendmsg$nl_route(r0, &(0x7f00000001c0)={&(0x7f0000000100), 0xc, &(0x7f0000000040)={&(0x7f0000000000)=@newlink={0x3c, 0x10, 0x707, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x1c, 0x12, @ipip6={{0xc, 0x1, 'ip6tnl\x00'}, {0xc, 0x2, [@tunl6_policy=[@IFLA_IPTUN_FLOWINFO={0x8, 0x9}]]}}}]}, 0x3c}}, 0x0) [ 238.646240] binder: 8110:8149 BC_REQUEST_DEATH_NOTIFICATION invalid ref 4 [ 238.653482] binder: 8110:8149 DecRefs 0 refcount change on invalid ref 1 ret -22 [ 238.661072] binder: 8110:8149 IncRefs 0 refcount change on invalid ref 4 ret -22 [ 238.669126] binder: 8110:8149 BC_CLEAR_DEATH_NOTIFICATION invalid ref 4 [ 238.676044] binder: 8110:8149 Release 1 refcount change on invalid ref 3 ret -22 15:31:00 executing program 1: bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x1, 0x3, &(0x7f0000001fd8)=@framed={{0xffffff85, 0x0, 0x0, 0x0, 0x7, 0x37, 0x0, 0x0, 0xffff8000}}, &(0x7f0000000180)="4550d4001f91eb2f57b73224433025039c3096b20c6b439348bf689c08608537d6223e63adc0624fbae2e109359dce6922324ccc13160b68cae6430697259dd52d1f73e16adc3592d02925dffae85e9cd2398c6c67c87fb5b12602f145b484be45912966e8b7e2f66069c56dd76c1dc112013c3a6b4de999cdcdc8855aee3437dcc87580cfbe546fbbfbc0eb56d8bbbea2904a7c73c2", 0x0, 0x60, &(0x7f0000000000)=""/195}, 0x16) [ 238.851400] netlink: 'syz-executor5': attribute type 9 has an invalid length. 15:31:01 executing program 3: openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0) r0 = syz_open_dev$usb(&(0x7f00000000c0)='/dev/bus/usb/00#/00#\x00', 0x40000ffffff, 0x0) close(r0) 15:31:01 executing program 4: syz_emit_ethernet(0x3e, &(0x7f00000000c0)={@local, @empty, [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x30, 0x0, 0x0, 0x0, 0x0, 0x0, @remote={0xac, 0x223}, @dev}, @icmp=@parameter_prob={0xc, 0x4, 0x0, 0x0, 0x0, 0x0, {0x5, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @local={0xac, 0x223}, @dev}}}}}}, &(0x7f0000000480)) 15:31:01 executing program 1: bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x1, 0x3, &(0x7f0000001fd8)=@framed={{0xffffff85, 0x0, 0x0, 0x0, 0x7, 0x37, 0x0, 0x0, 0xffff8000}}, &(0x7f0000000180)="4550d4001f91eb2f57b73224433025039c3096b20c6b439348bf689c08608537d6223e63adc0624fbae2e109359dce6922324ccc13160b68cae6430697259dd52d1f73e16adc3592d02925dffae85e9cd2398c6c67c87fb5b12602f145b484be45912966e8b7e2f66069c56dd76c1dc112013c3a6b4de999cdcdc8855aee3437dcc87580cfbe546fbbfbc0eb56d8bbbea2904a7c73c2", 0x0, 0x60, &(0x7f0000000000)=""/195}, 0x16) 15:31:01 executing program 5: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = add_key$user(&(0x7f0000000040)='user\x00', &(0x7f0000000000)={'syz'}, &(0x7f00000002c0)="585ccbe4ed83b836c1a6474914dc55e72206297b6895b66147b3c7218a9169a85ea0bdc9e1587a050000000000000042e33089754c8107c3cd3923dd4a71c2ff06007b6b4816122d2550829eaa9435c99926022b8753a188748c569f435fb3bae96efb74b50ec93c152f5e8e198a29e5c0d0c60000ce0637ce0000b4ec24c53d3d661ff5ff70e48884ca000018cea71fcfacf40d32e4b58a8d2725561f6110fd7b06f90b5274cc5c1e298a16324fe27da2a9d5ba9ff3c009d308bd73f4772539", 0xc0, 0xfffffffffffffffe) r2 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f00000005c0)={'syz'}, &(0x7f00000000c0), 0x9a, 0xfffffffffffffffd) keyctl$dh_compute(0x17, &(0x7f0000000100)={r2, r1, r1}, &(0x7f0000000080)=""/107, 0xc0, &(0x7f0000000280)={&(0x7f00000001c0)={"6372637431306469662d67656e657269630000000000000000000000000f00"}, &(0x7f0000000240)}) setsockopt$inet_tcp_TCP_REPAIR_WINDOW(r0, 0x6, 0x1d, &(0x7f0000000140)={0x0, 0x0, 0xffffffffffff5e97, 0xe1aa}, 0x14) 15:31:01 executing program 3: ioctl(0xffffffffffffffff, 0x0, &(0x7f0000000280)) r0 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x14, &(0x7f0000788ffc)=0x100000001, 0xfdf6) openat$audio(0xffffffffffffff9c, &(0x7f0000000240)='/dev/audio\x00', 0x4000, 0x0) 15:31:01 executing program 4: openat$null(0xffffffffffffff9c, &(0x7f0000000000)='/dev/null\x00', 0x0, 0x0) getsockopt$inet_tcp_int(0xffffffffffffffff, 0x6, 0x0, &(0x7f0000000080), &(0x7f00000000c0)=0x4) ioctl$FS_IOC_GET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x400c6615, &(0x7f0000000200)) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000480)='/dev/ptmx\x00', 0x1, 0x0) fcntl$setown(0xffffffffffffffff, 0x8, 0x0) ioctl$TCSETS(r0, 0x40045431, &(0x7f00003b9fdc)) syz_open_pts(r0, 0x0) write(r0, &(0x7f0000c34fff), 0xffffff0b) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) 15:31:01 executing program 1: bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x1, 0x3, &(0x7f0000001fd8)=@framed={{0xffffff85, 0x0, 0x0, 0x0, 0x7, 0x37, 0x0, 0x0, 0xffff8000}}, &(0x7f0000000180)="4550d4001f91eb2f57b73224433025039c3096b20c6b439348bf689c08608537d6223e63adc0624fbae2e109359dce6922324ccc13160b68cae6430697259dd52d1f73e16adc3592d02925dffae85e9cd2398c6c67c87fb5b12602f145b484be45912966e8b7e2f66069c56dd76c1dc112013c3a6b4de999cdcdc8855aee3437dcc87580cfbe546fbbfbc0eb56d8bbbea2904a7c73c2", 0x0, 0x60, &(0x7f0000000000)=""/195}, 0x16) 15:31:01 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sysfs$3(0x3) 15:31:03 executing program 0: r0 = gettid() timer_create(0x0, &(0x7f0000000080)={0x0, 0x12}, &(0x7f0000044000)) clock_gettime(0x0, &(0x7f0000000000)={0x0, 0x0}) nanosleep(&(0x7f0000000040)={0x0, r1+30000000}, &(0x7f00000000c0)) mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x6, 0x100000000000031, 0xffffffffffffffff, 0x0) tkill(r0, 0x1000000000016) 15:31:03 executing program 5: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = add_key$user(&(0x7f0000000040)='user\x00', &(0x7f0000000000)={'syz'}, &(0x7f00000002c0)="585ccbe4ed83b836c1a6474914dc55e72206297b6895b66147b3c7218a9169a85ea0bdc9e1587a050000000000000042e33089754c8107c3cd3923dd4a71c2ff06007b6b4816122d2550829eaa9435c99926022b8753a188748c569f435fb3bae96efb74b50ec93c152f5e8e198a29e5c0d0c60000ce0637ce0000b4ec24c53d3d661ff5ff70e48884ca000018cea71fcfacf40d32e4b58a8d2725561f6110fd7b06f90b5274cc5c1e298a16324fe27da2a9d5ba9ff3c009d308bd73f4772539", 0xc0, 0xfffffffffffffffe) r2 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f00000005c0)={'syz'}, &(0x7f00000000c0), 0x9a, 0xfffffffffffffffd) keyctl$dh_compute(0x17, &(0x7f0000000100)={r2, r1, r1}, &(0x7f0000000080)=""/107, 0xc0, &(0x7f0000000280)={&(0x7f00000001c0)={"6372637431306469662d67656e657269630000000000000000000000000f00"}, &(0x7f0000000240)}) setsockopt$inet_tcp_TCP_REPAIR_WINDOW(r0, 0x6, 0x1d, &(0x7f0000000140)={0x0, 0x0, 0xffffffffffff5e97, 0xe1aa}, 0x14) 15:31:03 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f000001a000)) pipe(&(0x7f0000000680)={0xffffffffffffffff, 0xffffffffffffffff}) write(r1, &(0x7f0000000340), 0x10000014c) r2 = socket$inet_tcp(0x2, 0x1, 0x0) listen(r2, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) clock_gettime(0x0, &(0x7f0000000240)={0x0, 0x0}) pselect6(0x40, &(0x7f00000000c0), &(0x7f0000000100), &(0x7f0000000140)={0x1b7}, &(0x7f0000000200)={0x0, r3+30000000}, &(0x7f0000000300)={&(0x7f00000002c0), 0x8}) vmsplice(r0, &(0x7f0000000000)=[{&(0x7f0000000500), 0x3528a9c0}], 0x1, 0x0) 15:31:03 executing program 1: bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x0, 0x3, &(0x7f0000001fd8)=@framed={{0xffffff85, 0x0, 0x0, 0x0, 0x7, 0x37, 0x0, 0x0, 0xffff8000}}, &(0x7f0000000180)="4550d4001f91eb2f57b73224433025039c3096b20c6b439348bf689c08608537d6223e63adc0624fbae2e109359dce6922324ccc13160b68cae6430697259dd52d1f73e16adc3592d02925dffae85e9cd2398c6c67c87fb5b12602f145b484be45912966e8b7e2f66069c56dd76c1dc112013c3a6b4de999cdcdc8855aee3437dcc87580cfbe546fbbfbc0eb56d8bbbea2904a7c73c2", 0x0, 0x60, &(0x7f0000000000)=""/195}, 0x16) 15:31:03 executing program 2: syz_emit_ethernet(0x1, &(0x7f0000000140)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaa0086dd607660df00000000fe8000000000000000000000000000ffff0201000200000000000000000000018600907800148d0060c5961e23343fd9db69ef23000000000503000000000501ff020000000000000000000000000001"], 0x0) 15:31:03 executing program 4: openat$ashmem(0xffffffffffffff9c, &(0x7f0000000380)='/dev/ashmem\x00', 0x8c080, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000000100), &(0x7f0000000140)=0xc) 15:31:04 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext={0xfffffffffffffbff, 0x10001}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = syz_open_dev$sndpcmp(&(0x7f0000000000)='/dev/snd/pcmC#D#p\x00', 0xffffffffffffffe1, 0x4000) bind$inet(0xffffffffffffffff, &(0x7f0000000040)={0x2, 0x0, @local}, 0x10) connect$unix(0xffffffffffffffff, &(0x7f00000000c0)=@abs={0x1, 0x0, 0x4e20}, 0x6e) r3 = socket$nl_generic(0x10, 0x3, 0x10) getsockopt$inet_sctp_SCTP_STATUS(r2, 0x84, 0xe, &(0x7f0000000ac0)={0x0, 0x9, 0x0, 0x1, 0x2, 0xc6d, 0x0, 0x400, {0x0, @in6={{0xa, 0x4e20, 0xfffffffffffffffd, @loopback}}, 0x9, 0x4, 0x100000001, 0x7, 0x1}}, &(0x7f0000000400)=0xb0) getsockopt$inet_sctp6_SCTP_RESET_STREAMS(r2, 0x84, 0x77, &(0x7f0000000180)=ANY=[@ANYBLOB="bb00000000000000007f006f0e14b7c38149721081dfb09c91353cdc685bb525247f9c806289f3b86fe532e3f5d31841dd147a256d185d7adf72019d1219ddbc532daa5a5a6c2b4809a051a2169105fe6cd0ebd7004d13d16e7fea5d93af363a171c4e3c837038097f139f658b0efd415af3d644123ebceb7b362fbf38e08075b1cff81c683e1b56c0b7336bf859046ec5f91e663f28b1796b773c6fbab551903fd3dd245d357469848e6c87496398f128dee0b6acbf4a26eec4896421d1c80a7c0f7c3f8e276625b5a2c4a96b990456fcd7"], &(0x7f0000009140)=0x1) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) write$USERIO_CMD_REGISTER(r2, &(0x7f00000005c0)={0x0, 0x203}, 0xfffffffffffffeae) r5 = getpgrp(0xffffffffffffffff) kcmp(0x0, r5, 0x0, r3, r4) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000480)={[], 0x0, 0x1a200}) ioctl$SNDRV_CTL_IOCTL_ELEM_UNLOCK(0xffffffffffffffff, 0x40405515, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, "7914084b165e9ec52f1595ab29ebf015f37b541a5750acb2ac95e9ad3962af352e5323b779821fa55ee14bf9", 0x3d4}) openat$userio(0xffffffffffffff9c, &(0x7f0000000140)='/dev/userio\x00', 0x101000, 0x0) ioctl$KVM_GET_VCPU_EVENTS(r4, 0x4400ae8f, &(0x7f0000000000)) ioctl$KVM_GET_XSAVE(r2, 0x9000aea4, &(0x7f0000000600)) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, &(0x7f00000006c0)=ANY=[@ANYBLOB], &(0x7f0000000080)=0x1) ioctl$KVM_RUN(r4, 0xae80, 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(r2, &(0x7f0000000540)={0x0, 0x18, 0xfa00, {0x1, &(0x7f00000003c0)={0xffffffffffffffff}, 0x2, 0x7}}, 0x20) write$RDMA_USER_CM_CMD_INIT_QP_ATTR(r2, &(0x7f0000000580)={0xb, 0x10, 0xfa00, {&(0x7f0000000300), r6, 0x8}}, 0x18) syz_genetlink_get_family_id$ipvs(&(0x7f00000002c0)='IPVS\x00') 15:31:04 executing program 4: perf_event_open(&(0x7f0000000040)={0x0, 0x70}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet(0x10, 0x3, 0xc) sendmsg(r0, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000640)=[{&(0x7f0000000000)="2400000003061f001cfffd946fa2830020200a000900010006e700000000a3a20404ff7e", 0x24}], 0x1}, 0x0) 15:31:04 executing program 1: bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x1, 0x3, &(0x7f0000001fd8)=@framed={{0xffffff85, 0x0, 0x0, 0x0, 0x0, 0x37, 0x0, 0x0, 0xffff8000}}, &(0x7f0000000180)="4550d4001f91eb2f57b73224433025039c3096b20c6b439348bf689c08608537d6223e63adc0624fbae2e109359dce6922324ccc13160b68cae6430697259dd52d1f73e16adc3592d02925dffae85e9cd2398c6c67c87fb5b12602f145b484be45912966e8b7e2f66069c56dd76c1dc112013c3a6b4de999cdcdc8855aee3437dcc87580cfbe546fbbfbc0eb56d8bbbea2904a7c73c2", 0x0, 0x60, &(0x7f0000000000)=""/195}, 0x16) 15:31:04 executing program 5: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = add_key$user(&(0x7f0000000040)='user\x00', &(0x7f0000000000)={'syz'}, &(0x7f00000002c0)="585ccbe4ed83b836c1a6474914dc55e72206297b6895b66147b3c7218a9169a85ea0bdc9e1587a050000000000000042e33089754c8107c3cd3923dd4a71c2ff06007b6b4816122d2550829eaa9435c99926022b8753a188748c569f435fb3bae96efb74b50ec93c152f5e8e198a29e5c0d0c60000ce0637ce0000b4ec24c53d3d661ff5ff70e48884ca000018cea71fcfacf40d32e4b58a8d2725561f6110fd7b06f90b5274cc5c1e298a16324fe27da2a9d5ba9ff3c009d308bd73f4772539", 0xc0, 0xfffffffffffffffe) r2 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f00000005c0)={'syz'}, &(0x7f00000000c0), 0x9a, 0xfffffffffffffffd) keyctl$dh_compute(0x17, &(0x7f0000000100)={r2, r1, r1}, &(0x7f0000000080)=""/107, 0xc0, &(0x7f0000000280)={&(0x7f00000001c0)={"6372637431306469662d67656e657269630000000000000000000000000f00"}, &(0x7f0000000240)}) setsockopt$inet_tcp_TCP_REPAIR_WINDOW(r0, 0x6, 0x1d, &(0x7f0000000140)={0x0, 0x0, 0xffffffffffff5e97, 0xe1aa}, 0x14) [ 242.088743] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details. [ 242.253029] netlink: 'syz-executor4': attribute type 1 has an invalid length. [ 242.260474] netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'. 15:31:04 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sysfs$3(0x3) [ 242.357322] ================================================================== [ 242.364764] BUG: KMSAN: uninit-value in loaded_vmcs_init+0x343/0x590 [ 242.371268] CPU: 0 PID: 6593 Comm: syz-executor3 Not tainted 4.19.0-rc4+ #63 [ 242.378452] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 242.387802] Call Trace: [ 242.390383] [ 242.392541] dump_stack+0x306/0x460 [ 242.396173] ? loaded_vmcs_init+0x343/0x590 [ 242.400508] kmsan_report+0x1a3/0x2d0 [ 242.404324] __msan_warning+0x7c/0xe0 [ 242.408143] loaded_vmcs_init+0x343/0x590 [ 242.412310] __loaded_vmcs_clear+0x2fb/0x3c0 [ 242.416737] flush_smp_call_function_queue+0x404/0x770 [ 242.422116] ? vmx_get_msr_feature+0x180/0x180 [ 242.426963] generic_smp_call_function_single_interrupt+0x1f/0x30 [ 242.433206] smp_call_function_single_interrupt+0x2f7/0x530 [ 242.438930] call_function_single_interrupt+0xf/0x20 [ 242.444115] [ 242.446370] RIP: 0010:kmsan_kmalloc+0xd4/0x120 [ 242.450952] Code: 00 74 16 eb 53 48 89 df 4c 89 f6 e8 76 bc ff ff 41 ff 8d 7c 09 00 00 75 3f e8 68 c2 36 ff 48 8b 45 c0 48 89 45 b8 ff 75 b8 9d <65> 48 8b 04 25 28 00 00 00 48 3b 45 d0 75 2f 48 83 c4 20 5b 41 5c [ 242.469858] RSP: 0018:ffff8801578afa90 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff04 [ 242.477577] RAX: 0000000000000246 RBX: ffff8801c041f180 RCX: 0000000000000031 [ 242.484853] RDX: 0000000000000030 RSI: ffff88021fff2000 RDI: ffffffff7fffffff [ 242.492121] RBP: ffff8801578afad8 R08: 00000000004000c0 R09: 0000000000000002 [ 242.499393] R10: 0000000000000004 R11: ffffffff8439f150 R12: ffff8801c2e9cf00 [ 242.506664] R13: ffff88015fce1e00 R14: 00000000000000c0 R15: 00000000006000c0 [ 242.513953] ? apparmor_socket_create+0x670/0x670 [ 242.518814] kmsan_slab_alloc+0x10/0x20 [ 242.522789] kmem_cache_alloc+0xb06/0xd50 [ 242.526949] ? __d_alloc+0xcc/0xf50 [ 242.530600] __d_alloc+0xcc/0xf50 [ 242.534068] ? kmsan_set_origin_inline+0x6b/0x120 [ 242.538912] ? __msan_poison_alloca+0x17a/0x210 [ 242.543589] d_alloc_pseudo+0x68/0x80 [ 242.547396] alloc_file_pseudo+0x19f/0x4e0 [ 242.551661] sock_alloc_file+0x1b0/0x5f0 [ 242.555738] __sys_socket+0x268/0x670 [ 242.559557] __se_sys_socket+0x8d/0xb0 [ 242.563458] __x64_sys_socket+0x4a/0x70 [ 242.567437] do_syscall_64+0xbe/0x100 [ 242.571250] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 242.576435] RIP: 0033:0x45a0e7 [ 242.579640] Code: 00 00 00 49 89 ca b8 36 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 9a 88 fb ff c3 66 0f 1f 84 00 00 00 00 00 b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 7d 88 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 242.598558] RSP: 002b:0000000000a3f6b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000029 [ 242.606274] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045a0e7 [ 242.613542] RDX: 0000000000000006 RSI: 0000000000000001 RDI: 0000000000000002 [ 242.620811] RBP: 0000000000000003 R08: 0000000000000000 R09: 000000000000000a [ 242.628082] R10: 0000000000000075 R11: 0000000000000246 R12: 0000000000000009 [ 242.635359] R13: 000000000003b0bb R14: 0000000000000011 R15: 0000000000000003 [ 242.642642] [ 242.644273] Local variable description: ----error.i@loaded_vmcs_init [ 242.650764] Variable was created at: [ 242.654486] loaded_vmcs_init+0x8a/0x590 [ 242.658554] __loaded_vmcs_clear+0x2fb/0x3c0 [ 242.662956] ================================================================== [ 242.670309] Disabling lock debugging due to kernel taint [ 242.675760] Kernel panic - not syncing: panic_on_warn set ... [ 242.675760] [ 242.683135] CPU: 0 PID: 6593 Comm: syz-executor3 Tainted: G B 4.19.0-rc4+ #63 [ 242.691708] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 242.701063] Call Trace: [ 242.703643] [ 242.705799] dump_stack+0x306/0x460 [ 242.709449] panic+0x54c/0xafa [ 242.712675] ? __msan_metadata_ptr_for_store_1+0x13/0x20 [ 242.718137] kmsan_report+0x2cd/0x2d0 [ 242.721950] __msan_warning+0x7c/0xe0 [ 242.725765] loaded_vmcs_init+0x343/0x590 [ 242.729930] __loaded_vmcs_clear+0x2fb/0x3c0 [ 242.734355] flush_smp_call_function_queue+0x404/0x770 [ 242.739645] ? vmx_get_msr_feature+0x180/0x180 [ 242.744242] generic_smp_call_function_single_interrupt+0x1f/0x30 [ 242.750480] smp_call_function_single_interrupt+0x2f7/0x530 [ 242.756200] call_function_single_interrupt+0xf/0x20 [ 242.761299] [ 242.763541] RIP: 0010:kmsan_kmalloc+0xd4/0x120 [ 242.768141] Code: 00 74 16 eb 53 48 89 df 4c 89 f6 e8 76 bc ff ff 41 ff 8d 7c 09 00 00 75 3f e8 68 c2 36 ff 48 8b 45 c0 48 89 45 b8 ff 75 b8 9d <65> 48 8b 04 25 28 00 00 00 48 3b 45 d0 75 2f 48 83 c4 20 5b 41 5c [ 242.787046] RSP: 0018:ffff8801578afa90 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff04 [ 242.794760] RAX: 0000000000000246 RBX: ffff8801c041f180 RCX: 0000000000000031 [ 242.802035] RDX: 0000000000000030 RSI: ffff88021fff2000 RDI: ffffffff7fffffff [ 242.809318] RBP: ffff8801578afad8 R08: 00000000004000c0 R09: 0000000000000002 [ 242.816701] R10: 0000000000000004 R11: ffffffff8439f150 R12: ffff8801c2e9cf00 [ 242.823962] R13: ffff88015fce1e00 R14: 00000000000000c0 R15: 00000000006000c0 [ 242.831245] ? apparmor_socket_create+0x670/0x670 [ 242.836110] kmsan_slab_alloc+0x10/0x20 [ 242.840089] kmem_cache_alloc+0xb06/0xd50 [ 242.844243] ? __d_alloc+0xcc/0xf50 [ 242.847888] __d_alloc+0xcc/0xf50 [ 242.851344] ? kmsan_set_origin_inline+0x6b/0x120 [ 242.856204] ? __msan_poison_alloca+0x17a/0x210 [ 242.860885] d_alloc_pseudo+0x68/0x80 [ 242.864688] alloc_file_pseudo+0x19f/0x4e0 [ 242.868944] sock_alloc_file+0x1b0/0x5f0 [ 242.873021] __sys_socket+0x268/0x670 [ 242.876836] __se_sys_socket+0x8d/0xb0 [ 242.880731] __x64_sys_socket+0x4a/0x70 [ 242.884712] do_syscall_64+0xbe/0x100 [ 242.888524] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 242.893715] RIP: 0033:0x45a0e7 [ 242.896908] Code: 00 00 00 49 89 ca b8 36 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 9a 88 fb ff c3 66 0f 1f 84 00 00 00 00 00 b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 7d 88 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 242.915897] RSP: 002b:0000000000a3f6b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000029 [ 242.923617] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045a0e7 [ 242.930889] RDX: 0000000000000006 RSI: 0000000000000001 RDI: 0000000000000002 [ 242.938158] RBP: 0000000000000003 R08: 0000000000000000 R09: 000000000000000a [ 242.945434] R10: 0000000000000075 R11: 0000000000000246 R12: 0000000000000009 [ 242.952706] R13: 000000000003b0bb R14: 0000000000000011 R15: 0000000000000003 [ 242.961301] Kernel Offset: disabled [ 242.964933] Rebooting in 86400 seconds..