last executing test programs: 4.727250949s ago: executing program 1 (id=2): r0 = accept4$unix(0xffffffffffffffff, &(0x7f0000000040)=@abs, &(0x7f00000000c0)=0x6e, 0x800) recvmmsg$unix(r0, &(0x7f0000000100), 0x0, 0x40000040, &(0x7f0000000140)={0x77359400}) ioctl$F2FS_IOC_MOVE_RANGE(r0, 0xc020f509, &(0x7f0000000100)={r0, 0x0, 0x1, 0x8}) openat$incfs(r1, &(0x7f0000000180)='.pending_reads\x00', 0x0, 0x0) r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000240)={0x4, 0x0, &(0x7f0000000000)=[@enter_looper], 0x50, 0x0, &(0x7f0000000380)="de547e22bade76f1a03b79e954ee20bc43f7fe47218a02ff8ba942478a7b69462fc21aff55002ce55e854564e7d309f20d222f9220c8d9b1b0d196137252587ab17948adf2dcbba03d2f3e0e647c2e70"}) syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0) 4.644657896s ago: executing program 0 (id=1): r0 = syz_usb_connect(0x0, 0x36, &(0x7f00000005c0)=ANY=[@ANYBLOB="120100003a370520810705000100010203010902240001000010000904e602025bbd97000905020200020200000905820200020000"], 0x0) syz_usb_control_io$printer(r0, 0x0, 0x0) mount$overlay(0x0, 0x0, 0x0, 0x1000000, 0x0) ioctl$EXT4_IOC_SWAP_BOOT(0xffffffffffffffff, 0x6611) socket(0x1e, 0x4, 0x0) r1 = socket(0x28, 0x5, 0x0) sendmsg$AUDIT_MAKE_EQUIV(r1, &(0x7f0000000680)={&(0x7f00000004c0)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000640)={&(0x7f0000000540)={0x28, 0x3f7, 0x200, 0x70bd2a, 0x25dfdbff, {0x7, 0x7, './file0', './file0'}, ["", "", "", "", "", ""]}, 0x28}}, 0x1) bind$vsock_stream(r1, 0x0, 0x0) r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) syz_open_dev$usbmon(&(0x7f0000002080), 0x8, 0x4082) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r2, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x7cab6ced6415608, 0x3}) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040), 0x101000, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000300), 0x50, 0x0, &(0x7f0000000580)="de547e22bade76f1a03b79e954ee20bc43f7fe47218a02ff8ba942478a7b69462fc21aff55002ce55e854564e7d309f20d222f9220c8d9b1b0d196137252587ab17948adf2dcbba03d2f3e0e647c2e70"}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r2, 0x0) syz_open_procfs$userns(0xffffffffffffffff, &(0x7f0000000200)) io_cancel(0x0, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2, 0x0, 0xffffffffffffffff, &(0x7f0000000040)="2d62c33539c414deb7e5ca47391bc6b415caf3cc1ea692d29c", 0x19, 0x12, 0x0, 0x2}, 0x0) r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x100, 0x0) io_setup(0x5, &(0x7f0000000480)=0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000040)={0xffffffffffffffff}) io_submit(r4, 0x1, &(0x7f0000000380)=[&(0x7f00000001c0)={0x0, 0x4, 0x0, 0x0, 0x4040, r5, &(0x7f00000004c0)='2o', 0x2, 0x0, 0x0, 0x2}]) io_destroy(r4) io_setup(0x5bf, &(0x7f0000000340)) openat$kvm(0xffffffffffffff9c, 0x0, 0x40d00, 0x0) r6 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) r7 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='blkio.bfq.io_wait_time_recursive\x00', 0x275a, 0x0) write$binfmt_script(r7, &(0x7f0000000000), 0x208e24b) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000003, 0x28011, r7, 0x0) preadv(r7, &(0x7f00000015c0)=[{&(0x7f0000000080)=""/124, 0xffffff23}], 0x1, 0x0, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r6, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0) 4.442779732s ago: executing program 1 (id=9): r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='memory.events\x00', 0x275a, 0x0) mmap(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x1, 0x10010, r0, 0x4000) (async) madvise(&(0x7f0000003000/0x3000)=nil, 0x3000, 0x12) (async) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0) (async) r2 = socket$inet(0xa, 0x801, 0x6) listen(r2, 0x48) accept4(r2, 0x0, 0x0, 0x0) (async) r3 = openat$tun(0xffffffffffffff9c, &(0x7f0000000280), 0x0, 0x0) ioctl$TUNSETIFF(r3, 0x400454ca, &(0x7f0000000140)={'pim6reg1\x00', 0x1}) ioctl$TUNSETLINK(r3, 0x400454cd, 0x339) socketpair$nbd(0x1, 0x1, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$SIOCSIFHWADDR(r4, 0x8914, &(0x7f0000000100)={'pim6reg1\x00', @broadcast}) (async) r5 = syz_open_procfs(0x0, &(0x7f00000000c0)='task\x00') lseek(r5, 0x1, 0x1) close_range(r1, 0xffffffffffffffff, 0x0) 4.35255207s ago: executing program 1 (id=15): r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000000040), 0x60a00, 0x0) futex(0x0, 0x7, 0x1, 0x0, 0x0, 0x1) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x6, 0x12, r0, 0x4a58c000) madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x2) pipe(&(0x7f0000000080)={0xffffffffffffffff}) r2 = fcntl$dupfd(r1, 0x3, 0xffffffffffffffff) ioctl$KVM_REGISTER_COALESCED_MMIO(r2, 0x4010ae67, &(0x7f0000000000)={0x8080000, 0x102000, 0x1}) write(r2, &(0x7f0000000100), 0xfffffe5d) 3.6032526s ago: executing program 1 (id=26): r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) r1 = mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0xc, 0x0, &(0x7f0000000240)=[@free_buffer={0x40086303, r1}], 0x0, 0x0, 0x0}) r2 = syz_usb_connect(0x0, 0x36, &(0x7f00000005c0)={{0x12, 0x1, 0x0, 0x3a, 0x37, 0x5, 0x20, 0x781, 0x5, 0x5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x10, 0x0, [{{0x9, 0x4, 0xe6, 0x2, 0x2, 0x5b, 0xbd, 0x97, 0x0, [], [{{0x9, 0x5, 0x2, 0x2, 0x200, 0x2}}, {{0x9, 0x5, 0x82, 0x2, 0x200}}]}}]}}]}}, 0x0) syz_usb_control_io(r2, 0x0, 0x0) r3 = syz_usb_connect(0x0, 0x0, 0x0, 0x0) syz_usb_control_io$uac1(r3, 0x0, 0x0) syz_usb_control_io$printer(r3, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r3, 0x0, 0x0) r4 = socket$inet6(0xa, 0x2, 0x0) bind$inet6(r4, &(0x7f00000001c0)={0xa, 0x4e20, 0x0, @empty}, 0x1c) sendto$inet6(r4, 0x0, 0x0, 0x0, &(0x7f0000000240)={0xa, 0x4e20, 0x0, @mcast2}, 0x1c) shutdown(r4, 0x0) setsockopt$sock_int(r4, 0x1, 0x2a, &(0x7f0000000000), 0x4) recvmmsg(r4, &(0x7f0000008880), 0x45b, 0x2, 0x0) syz_usb_control_io$hid(r3, 0x0, 0x0) syz_usb_control_io$uac1(r3, 0x0, 0x0) r5 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$inet_tcp_TCP_REPAIR(r5, 0x6, 0x13, &(0x7f0000000080)=0xffffffffffffffff, 0x4) syz_usb_control_io$uac1(r2, 0x0, &(0x7f0000000140)={0x44, &(0x7f00000003c0)={0x41, 0x12, 0x1, '\x00'}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$cdc_ncm(r2, 0x0, &(0x7f0000000340)={0x44, &(0x7f0000000100)={0x40, 0x12, 0x3, "ecb9e0"}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$printer(r2, 0x0, &(0x7f0000000e40)={0x34, &(0x7f0000000cc0)={0x20, 0x9, 0x2, "e655"}, 0x0, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$uac1(r2, 0x0, 0x0) syz_usb_control_io$printer(r2, 0x0, &(0x7f0000000440)={0x34, &(0x7f00000001c0)=ANY=[@ANYBLOB="203103f9000061c717"], 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$BTRFS_IOC_GET_SUBVOL_INFO(r0, 0x81f8943c, &(0x7f0000001280)) ioctl$BTRFS_IOC_SCRUB_CANCEL(r0, 0x941c, 0x0) ioctl$FS_IOC_READ_VERITY_METADATA(r0, 0xc0286687, &(0x7f0000000040)={0x3, 0x1, 0x1000, &(0x7f0000000280)=""/4096}) prctl$PR_SET_TIMERSLACK(0x1d, 0x0) syz_usb_control_io$lan78xx(r3, &(0x7f00000015c0)={0x14, &(0x7f0000001480)={0x40, 0x1c, 0xfb, {0xfb, 0x11, "7a9e44db55acb56edc779f3a75bc6011051c49cda3ea1b76e1cb3e7a8d4a1473a3fe0fb1af8854516c99b81f8f5932b2dd56c806ee04e2b09201acda537332b180ee9ba1b5020ad0bea77ccc9175146006e923ee01c2c55adf2e0faa5791e597c4164c4afd955c78ead1ce33360457cd5c1af825711c2dc00f6dbedfceda899e8340b66637a9643b4c12252fb896a2abb34e008ca866ae0dc8e827431dab941d0acc15291e20bafbfdd3a272e3fbb9a05e4ff3692aaa62517d119798345384f751be21e183c92ebca265a862f98df1dfcd9752dc3c5936faa3b1b138d44d16da2906a7269606923471a4f60643dd6d80e5b10afe5cca09e3b1"}}, &(0x7f0000000200)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x1001}}}, &(0x7f0000001780)={0x34, &(0x7f0000001600)={0x0, 0x0, 0x28, "090ce9cbc0867b3eb97ef7bd71c4b9df7d41dabfc0857927c97e897dac248e7f7d258d011a772b9e"}, &(0x7f0000001640)={0x0, 0xa, 0x1, 0x7}, &(0x7f0000001680)={0x0, 0x8, 0x1, 0x9}, &(0x7f00000016c0)={0xc0, 0xa1, 0x4}, &(0x7f0000001700)={0x40, 0xa0, 0x4, 0x4}, &(0x7f0000001740)={0xc0, 0xa2, 0x2f, "6e3405a0098a60bdb7b44223a76d70b6610b621e7065f86977670fdec00fe1f1f3d77d01ac9f3e88a8d1cee4a6e23a"}}) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000000)={0x73622a85, 0xa, 0x2}) 1.889283088s ago: executing program 3 (id=40): syz_open_procfs(0x0, &(0x7f0000000380)='mounts\x00') mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x1) futex(&(0x7f0000000140)=0x2, 0xc, 0x1, 0x0, 0x0, 0x2) r0 = syz_open_dev$usbfs(&(0x7f0000000100), 0x76, 0x101b01) ioctl$USBDEVFS_DISCONNECT_CLAIM(r0, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"}) ioctl$USBDEVFS_RELEASE_PORT(r0, 0x80045519, &(0x7f0000000000)=0x2) ioctl$USBDEVFS_CLEAR_HALT(r0, 0x80045515, &(0x7f0000000040)={0x1, 0x1}) r1 = signalfd(0xffffffffffffffff, &(0x7f00000003c0), 0x8) mkdir(&(0x7f0000000140)='./control\x00', 0x5) close(r1) r2 = inotify_init1(0x800) fcntl$setstatus(r1, 0x4, 0x2c00) r3 = gettid() fcntl$setown(r1, 0x8, r3) fcntl$setsig(r2, 0xa, 0xe) rt_sigprocmask(0x0, &(0x7f0000000000)={[0xfffffffffffffffd]}, 0x0, 0x8) rt_sigtimedwait(&(0x7f0000000040)={[0xffffffffffff7ff8]}, 0x0, 0x0, 0x8) inotify_add_watch(r2, &(0x7f0000000180)='./control\x00', 0xa400080a) rmdir(&(0x7f0000000100)='./control\x00') r4 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000080), 0x8002, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x44, 0x0, &(0x7f0000000380)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) ioctl$ASHMEM_SET_SIZE(r4, 0x40087703, 0x10001) ioctl$ASHMEM_SET_NAME(r4, 0x41007701, &(0x7f00000002c0)='/devFtR\xac\x13\x1e\x14e\x81h\xa3K\xd6\xd0^\xed\xd7\xb3\xac\xa0&&\xf8\x0f|\xe8\x15\xf2\x82\xb4\xa0\xc2\x01e\x1e\xf4\x19\x06\x03\xf5+\xc4\r\xa1\xb8DY-\x17\x0f\xf7\x8d\x7f\x9473\x1f\xc5!\xb2\x1bs\xfc\x91~c\xd1*en\xd1\xfc\t\x9c\xda\xfd\xde\xc0\xa2\xf4\x15\xf1\xd9\xe0\xe2\xf3^R\x8d\xae\x8d\x87Fc\a\xe6_\xd0V\'B?\x8b\xa6\x9cIT\x1f\x93\x8b\xfd\x814dX\x93\x89\x1a_45\x94y(\xb9\xaa\x91\xa5\xe8n\xe6\xb58.\xc4\ntJ\x11\f\xb8\x18\xfe\xb2\x93\x93\xe6\x82\\\xe8]fV\xc0#\x1c\xbf\xd1T\x809/\xc3\xa3\x17\xc4\x0e\xdby\xd6\xff\xfb\xbe\x83\xf7$\xf7\xc4\x16\xee\xa0Tn\t\x0f,|\r\xc3\xb39A\xc2wF\xb9l\'_\x89B\xf8z\xe6\xc13\x9d~\xd5\xc6\xae8\a\xa1\x90\f)M4J\xaf\x010;\xc7\xfd\xe7\x95\xfb\x95\xd6N\v\xf9\xe1=3\xe7\x8a\xc8\xca\xf12\x1aJ\xd6Xj4\x1a\x88\x04\xb1DJ\xce\x95\xdb\xd2\xab\xd6\xeb\xc6\xc6v\xd0#x@\x96\xbf\xa4E\x11\x9dH$+\xadS&\xa6\xcd>\xa2<\xe2\xa7\xa3\x99\n7c\xc5\xbb\xc2\xb9\xa3k\xaa\x9e\xe9\xb4\xd4\xbc\xda') mknodat$loop(0xffffffffffffff9c, &(0x7f0000000180)='./file2\x00', 0x6000, 0x0) r5 = socket$nl_generic(0x10, 0x3, 0x10) r6 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000280), 0xffffffffffffffff) sendmsg$NL80211_CMD_SET_TX_BITRATE_MASK(r5, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000200)={0x80, r6, 0x1, 0x0, 0xfffffffd, {{}, {@val={0x8}, @val={0xc, 0x99, {0x2, 0x56}}}}, [@NL80211_ATTR_TX_RATES={0x58, 0x10d, 0x0, 0x1, [@NL80211_BAND_5GHZ={0x54, 0x1, 0x0, 0x1, [@NL80211_TXRATE_HE_GI={0x5}, @NL80211_TXRATE_GI={0x5, 0x4, 0x1}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x6, 0x2, 0x2, 0xc7, 0x8000, 0x7fff, 0x7ff, 0x7]}}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0xc, 0x7, 0xff71, 0xffff, 0x7, 0xfffe, 0x1, 0x5]}}, @NL80211_TXRATE_HE_GI={0x5, 0x6, 0x2}, @NL80211_TXRATE_GI={0x5}, @NL80211_TXRATE_GI={0x5}]}]}]}, 0x80}, 0x1, 0x0, 0x0, 0x4845}, 0x4000000) ioctl$BTRFS_IOC_SUBVOL_GETFLAGS(r4, 0x80089419, &(0x7f00000001c0)) open(&(0x7f00000003c0)='./file2\x00', 0x803, 0x21) ioctl$BTRFS_IOC_DEFRAG(r4, 0x127a, 0x3) 1.396115308s ago: executing program 0 (id=41): r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0) unshare(0x2040400) r1 = getpid() openat$tun(0xffffffffffffff9c, 0x0, 0x40241, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r2, &(0x7f00000000c0)={0xa, 0x4e22, 0x9, @ipv4={'\x00', '\xff\xff', @dev={0xac, 0x14, 0x14, 0xd}}, 0x6}, 0x1c) connect$inet6(r2, &(0x7f0000000080)={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @empty}, 0xfff}, 0x1c) sendmmsg$inet6(r2, &(0x7f0000002200), 0x0, 0x4000045) write(r2, &(0x7f0000002280)="6f5f7016a7", 0x5) getsockopt$inet6_tcp_TCP_ZEROCOPY_RECEIVE(r2, 0x6, 0x23, &(0x7f0000000140)={&(0x7f0000ff3000/0xc000)=nil, 0xc000, 0x0, 0x0, 0x0, &(0x7f0000000000)=""/201, 0xc9, 0x1, 0x0}, &(0x7f0000000180)=0x40) r3 = socket$packet(0x11, 0x3, 0x300) r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='memory.events\x00', 0x275a, 0x0) mmap(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x1, 0x10012, r4, 0x0) mount$bind(0x0, 0x0, 0x0, 0x89101a, 0x0) mount$bind(&(0x7f00000000c0)='.\x00', 0x0, 0x0, 0x80700a, 0x0) r5 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) write(r5, &(0x7f00000000c0)="bba99475105094568ada45167329fd08a88d0d1c94a8d5b6c84db0a187738549e998e09c27e34a450ca7eb503cb9844ee14eb0b7fc2d21a50f4ec99adff0bd2b48cf6cd7d4dbeb4a35d81a91add5f351b63dc21a155f642a5534aff81a1433a6fc394f73bd6541ef031ea87c2fbc1d9c", 0x70) r6 = socket$inet(0x2, 0x1, 0x0) sendto$inet(r6, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @empty}, 0x10) r7 = fcntl$getown(0xffffffffffffffff, 0x9) ioctl$sock_FIOSETOWN(r3, 0x8901, &(0x7f0000000040)=r7) ioctl$sock_TIOCINQ(r3, 0x541b, &(0x7f0000004e40)) r8 = syz_pidfd_open(r1, 0x0) ioctl$KVM_SET_PIT2(r4, 0x4070aea0, &(0x7f0000000140)={[{0x9, 0x81, 0x1, 0x2, 0x5, 0x3, 0x8, 0x1, 0x9f, 0x0, 0x8, 0x2, 0x5}, {0x0, 0x80, 0xdc, 0x4, 0xf, 0x9, 0x4, 0x2, 0x5, 0x89, 0xff, 0x6, 0x3}, {0x58, 0x7, 0x1, 0xd, 0x4, 0x20, 0x50, 0x8, 0x4, 0x1, 0x23, 0x9, 0xe50}], 0x359}) r9 = fcntl$dupfd(r8, 0x406, r8) setns(r9, 0x2000000) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, 0x0) r10 = openat$pidfd(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0) fcntl$F_SET_RW_HINT(r10, 0x40c, &(0x7f0000000080)=0x6) ioctl$BINDER_ENABLE_ONEWAY_SPAM_DETECTION(r0, 0x40046210, &(0x7f0000000100)) 1.36773316s ago: executing program 0 (id=42): r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000180)='./binderfs/binder0\x00', 0x0, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000002c0), 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0xc) r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$sock_bt_hci(r3, 0x400448e1, 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000002000)='./file0\x00', 0x0) openat$fuse(0xffffffffffffff9c, &(0x7f0000008300), 0x2, 0x0) mount$fuse(0x0, &(0x7f0000002080)='./file0\x00', &(0x7f00000020c0), 0x1041011, &(0x7f0000002100)=ANY=[]) setregid(0xee00, 0x0) r4 = getgid() fchownat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0, r4, 0x400) ioctl$KVM_SET_BOOT_CPU_ID(r2, 0xae78, &(0x7f0000000000)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000340), 0x0, 0x0, 0x0}) fsetxattr$trusted_overlay_upper(r0, &(0x7f0000000040), &(0x7f0000000340)={0x0, 0xfb, 0x10f, 0x0, 0xff, "41f9f10aeeb201c9a7016d4b042116c7", "da0d3f40254a372d1fc9f50feff0d507a1c273a1507359b8a6d87d4bc2aca7f5473f53e990631e2c72a94abcb016d5b9081f8d2b4ee375bf6b983a7c119bcc17860e4df0a1c9d9b5bbcf2e1f665b4f56163a1ca9f99df20a860c8eaf10861c9e0962e4fba8eed5b2451065f0fc7b5e5b29807c581ff7cc744fc573a516096fad83add50b6ceae019b61b35e536cd167d177033d033eec7f872b92d1bcccbf39c54abc400be57138031b6aed19bdcff4c128f91cb9ea9f49c05206c3832f876575a47526d52cbd60923d0c4d7a71eb5d636cd1425deb948ad42c173c30f95727a108fc0c826e54fe0418e295b0a9101b06357313d8248c8bbdbab"}, 0x10f, 0x3) 1.308615725s ago: executing program 0 (id=43): prctl$PR_GET_CHILD_SUBREAPER(0x25) r0 = openat$ptp0(0xffffffffffffff9c, &(0x7f0000000140), 0x481, 0x0) syz_usb_control_io$hid(0xffffffffffffffff, &(0x7f00000001c0)={0x24, 0x0, 0x0, &(0x7f0000000040), 0x0}, 0x0) openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x1802, 0x0) openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$KVM_SET_MSRS(0xffffffffffffffff, 0x4008ae89, &(0x7f0000000100)=ANY=[@ANYBLOB="0100000000000000014d56"]) r1 = syz_usb_connect$hid(0x5, 0x3f, &(0x7f0000000040)=ANY=[@ANYBLOB="12010000000000204f045db600000000000109022d000100006002090400100503000100092100003601220500090581", @ANYRES16], 0x0) syz_usb_control_io(r1, 0x0, 0x0) syz_usb_control_io(r1, &(0x7f0000000380)={0x18, &(0x7f0000000100)=ANY=[@ANYBLOB="000457"], 0x0, 0x0, 0x0, 0x0}, 0x0) r2 = dup(r0) r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x8500, 0x0) r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) ioctl$KVM_SET_MSRS(r5, 0x4008ae89, &(0x7f0000000140)=ANY=[@ANYBLOB="010000000000000090000040"]) ioctl$PTP_EXTTS_REQUEST2(r2, 0x40603d07, &(0x7f0000000180)={0xfffffffe}) r6 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/power/wake_lock', 0x202, 0x40) write$cgroup_pressure(r6, &(0x7f0000000080)={'some', 0x20, 0x56, 0x20, 0xe}, 0x19) r7 = openat$tun(0xffffffffffffff9c, &(0x7f0000000080), 0x800, 0x0) ioctl$TUNSETIFF(r7, 0x400454ca, &(0x7f0000000000)={'pimreg\x00', 0x2bc67b5dc0ef3785}) read(r7, 0x0, 0x0) setsockopt$packet_fanout(0xffffffffffffffff, 0x107, 0x12, 0x0, 0x0) sendto$packet(0xffffffffffffffff, 0x0, 0x0, 0x4, 0x0, 0x0) splice(0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x5, 0x19) setsockopt$inet_tcp_TCP_CONGESTION(r2, 0x6, 0xd, &(0x7f0000000200)='yeah\x00', 0x5) mkdirat(0xffffffffffffffff, &(0x7f0000002040)='./file0\x00', 0x0) r8 = syz_open_procfs(0x0, &(0x7f0000000700)='mounts\x00') mount$binderfs(0x0, 0x0, 0x0, 0x0, &(0x7f0000000100)=ANY=[@ANYRES32=r6]) mount(0x0, &(0x7f0000000040)='./file0\x00', &(0x7f0000000000)='devpts\x00', 0x801, &(0x7f0000000240)='MJ\x03\x81~\x8f\x05?%\xdds\xe7\b\xd3\xc5/\x97H\xf5\xa2\xf9 \b\x0f/\xbcw\x8e^\x1a*|k\bK\xacX\x8b\x9b\x92\xc4') read$FUSE(r8, &(0x7f0000000980)={0x2020}, 0x2020) 999.86336ms ago: executing program 3 (id=45): r0 = openat$binderfs_ctrl(0xffffffffffffff9c, &(0x7f0000001ec0)='./binderfs/binder-control\x00', 0x0, 0x0) socket$inet6_udp(0xa, 0x2, 0x0) r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0) openat$rnullb(0xffffffffffffff9c, &(0x7f00000000c0), 0x401100, 0x0) write$cgroup_subtree(r1, &(0x7f0000000100)=ANY=[], 0x32600) seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0xa, &(0x7f0000000040)={0x2, &(0x7f0000000000)=[{0x6, 0x0, 0xb, 0x9f2f}, {0x6, 0x1, 0x3, 0x8}]}) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r1, 0x0) openat$snapshot(0xffffffffffffff9c, &(0x7f0000000080), 0x8000, 0x0) ioctl$BINDER_CTL_ADD(r0, 0xc1086201, &(0x7f0000000140)={'binder0\x00'}) 980.816591ms ago: executing program 2 (id=46): madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe) (async) syz_clone(0x2000000, &(0x7f0000000280), 0x0, 0x0, 0x0, &(0x7f00000003c0)="f8") (async) getresuid(&(0x7f0000000040), 0x0, 0x0) (async) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) (async) r0 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_generic(r0, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000000)=ANY=[@ANYBLOB="1400000042000501"], 0x14}, 0x1, 0x0, 0x0, 0x4024854}, 0x4) ioctl$FS_IOC_RESVSP(r0, 0x40305828, &(0x7f00000000c0)={0x0, 0x4, 0x4, 0x6}) recvmmsg(r0, &(0x7f0000002ac0)=[{{0x0, 0x0, &(0x7f00000016c0)=[{&(0x7f0000001840)=""/4080, 0xff0}, {&(0x7f00000014c0)=""/197, 0xc5}, {&(0x7f0000000040)=""/102, 0x66}], 0x3}, 0x12}, {{0x0, 0x0, 0x0}, 0x2be9}], 0x2, 0x2, 0x0) (async, rerun: 64) mount$binderfs(0x0, &(0x7f0000000100)='./binderfs\x00', &(0x7f0000000140), 0x4800, &(0x7f0000000000)=ANY=[@ANYBLOB='fscontext?}']) (rerun: 64) 372.03273ms ago: executing program 2 (id=47): r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder0\x00', 0x3bd26500de5ff463, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x1381, 0x1000000003}) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040), 0x1a0000, 0x0) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) r2 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r3 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000003500), r2) ioctl$F2FS_IOC_COMMIT_ATOMIC_WRITE(r0, 0xf502, 0x0) sendmsg$IEEE802154_ASSOCIATE_REQ(r2, &(0x7f0000003600)={0x0, 0x0, &(0x7f00000035c0)={&(0x7f0000000600)=ANY=[@ANYBLOB="2400000001ad9c3b9b96880ae5d818ba6167494c4d2bf112bd9b96fbc1a9cdae6eca58edff3e0aa8766bcf43dd59545239ae766450d39ece2610d3022c91b4314abb7fade057ca4c808f34976dbf4c0146bd1ef3c449cbe972129bf5f331aac4f72a7647a73a39feeca07f3633d5904ae17311bef2c0bba83642", @ANYRES16=r3, @ANYBLOB="010127bd7000fcdbdf2501000000050007000200000006000800feff0000"], 0x24}, 0x1, 0x0, 0x0, 0x5}, 0x4000040) ioctl$ifreq_SIOCGIFINDEX_team(0xffffffffffffffff, 0x8933, &(0x7f0000000200)={'team0\x00', 0x0}) ioctl$ifreq_SIOCGIFINDEX_batadv_hard(0xffffffffffffffff, 0x8933, &(0x7f0000000800)={'batadv_slave_0\x00', 0x0}) r6 = socket(0x11, 0x3, 0x0) r7 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f00000005c0)={'gre0\x00', 0x0}) bind$packet(r6, &(0x7f0000000180)={0x11, 0x0, r8, 0x1, 0x0, 0x6, @dev}, 0x14) socketpair$tipc(0x1e, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff}) recvmsg(r9, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000100)}, 0x1f00) r10 = socket(0x10, 0x2, 0x0) ioctl$ifreq_SIOCGIFINDEX_vcan(r9, 0x8933, &(0x7f0000000380)={'vcan0\x00', 0x0}) ioctl$sock_ipv6_tunnel_SIOCADDTUNNEL(r10, 0x89f1, &(0x7f0000000000)={'ip6tnl0\x00', &(0x7f0000000080)={'syztnl2\x00', r11, 0x29, 0x7d, 0x9, 0x1, 0x60, @remote, @loopback={0x0, 0x460c6}, 0x1, 0x0, 0x25a2, 0x10}}) ioctl$ifreq_SIOCGIFINDEX_team(0xffffffffffffffff, 0x8933, &(0x7f0000000840)={'team0\x00', 0x0}) r13 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r13, 0x107, 0xf, &(0x7f0000000100)=0x200, 0x4) r14 = socket$inet6_tcp(0xa, 0x1, 0x0) ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f00000001c0)={'veth0\x00', 0x0}) sendto$packet(r13, &(0x7f0000000180)="0b041000e0ff020002004788aa96a13bb10000000000892f1100", 0x10000, 0x0, &(0x7f0000000140)={0x11, 0x0, r15}, 0x14) getsockname$packet(0xffffffffffffffff, &(0x7f0000000880)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @dev}, &(0x7f0000000240)=0x14) ioctl$ifreq_SIOCGIFINDEX_team(0xffffffffffffffff, 0x8933, &(0x7f0000000900)={'team0\x00', 0x0}) getsockopt$inet6_mreq(0xffffffffffffffff, 0x29, 0x14, &(0x7f0000000940)={@dev}, &(0x7f0000000980)=0x14) sendmsg$TEAM_CMD_OPTIONS_GET(0xffffffffffffffff, &(0x7f0000001180)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x8000000}, 0xc, &(0x7f0000001140)={&(0x7f00000009c0)=ANY=[@ANYRESHEX=r1, @ANYRES16=0x0, @ANYBLOB="10002cbd7000bf6a6459996578468f000100", @ANYRES32=0x0, @ANYRES16=r5, @ANYRES32=0x0, @ANYBLOB="400001002400010071756575655f69640000000000000000000000000000000000000000000000000500030003000000080004000200000008000600", @ANYRES32=r12, @ANYBLOB="40000100240001007072696f72697479000000000000000000000000000000000000000000000000050003000e00000008000400fc03000008000600", @ANYRES32=0x0, @ANYBLOB="38000100240001006d636173745f72656a6f696e5f696e74657276616c0000000000000000000000050003000300000008000400ffffff7f38000100240001006d636173745f72656a6f696e5f696e74657276616c000000000000000000000005000300030000000800040005000000400001002400010071756575655f69640000000000000000000000000000000000000000000000000500030003000000080004000700000008000600", @ANYRES64=r7, @ANYBLOB="38000100240001006d636173745f72656a6f696e5f636f756e7400000000000000000000000000000500030003000000080004000600000054000100240001006270665f686173685f66756e6300000000000000000000000000000000000000050003000b0000002400040000000404200000000010040705000000080080c9000000000200fa0d0c00000008000100", @ANYRES32=0x0, @ANYBLOB="d00102803c000100240001006270665f686173685f66756e6300000000000000000000000000000000000000050003000b0000000c000400020011cc8b4124ff3c000100241d0100757365725f6c696e6b75705f656e61626c65000005000300060000000400040008000600"/120, @ANYRES32=0x0, @ANYBLOB="54000100240001006270665f686173685f66756e6300000000000000000000000000000000000000050003000b000000240004000500fe071a7a6ad197293002a74d098000e200b50009020200000007001702ffffff7f01000883020000005100010024000107006e61626c65640000100000000000000000000000000000000000000000000005000300068be5b02ade8faec8cded1a1df832ccd8af13cbf10b4922f902445d8cb728f6448b5b9af4cc3bc1e12fbcf5ccd379a775d447a82894728b4551c4ae27656dcf8221aa7225876e1a2a3b0c3c80efb9a3f8e9bc83ec37b7d0040fd67f4d7197940b6c0b701d485ac380b07425", @ANYRES32=0x0, @ANYBLOB="4c000100240001006c625f74785f6d6574686f640000000000000000000000000000000000000000050003000500000019000400686173685f746f5f706f72745f6d617070696e670000000038000100240001006e6f746966795f70656572735f696e74657276616c00000000000000000000000500030003000000080004000100000008000100", @ANYRES32=r4, @ANYBLOB="140202803c000100240001006c625f74785f6d6574686f64000000000000000000000000000000000000000005000300050000000900040068617368000000003c00010024000100757365725f6c696e6b757000000000000000000000000000000000000000000005000300060000000400040008000600", @ANYRES32=0x0, @ANYBLOB="38000100240001006c625f73746174735f726566726573685f696e74657276616c00000000000000050003000300000008000400080000003c00010024000100656e61626c65640000000000000000000000000000000000000000000000000005000300060000000400040008000600", @ANYRES32=r5, @ANYBLOB="38000100240001006c625f73746174735f726566726573685f696e74657276616c0000000000000005000300030000001798c0d2ee29ca761c6a4408000400ffff00003800010024000100616374697665706f727400000000000000000000000000000000000000000000050003000300000008000400", @ANYRESOCT=r1, @ANYBLOB="38000100240001006e6f746966795f70656572735f636f756e7400000000000000000000000000000500030003000000080004000300000040000100240001006c625f686173685f737461747300000000000000000000000000000000000000050003000b000000080004006d00000008000700000000003c000100240001006d6f64650000000000000000000000000000000000000000000000000000000005000300050000000b00040072616e646f6d000008000100", @ANYRES64=r14, @ANYBLOB="0400028008000100", @ANYRESHEX=r10, @ANYBLOB="4400028040000100240001006d6f64650000000000000000000000000000000000000000000000000000000005000300050000000e00040062726f61646361737400000008000100", @ANYRES32=r16, @ANYBLOB="400002803c00010024000100656e61626c65640000000000000000000000000000000000000000000000000005000300060000000400040008000600", @ANYRES32=0x0, @ANYBLOB], 0x6a8}, 0x1, 0x0, 0x0, 0x2004c044}, 0x20000844) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000100)={0x4c, 0x0, &(0x7f0000000500)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x58, 0x18, &(0x7f0000000440)={@fda={0x66646185, 0x9, 0x0, 0x39}, @flat=@binder={0x73622a85, 0x1, 0x2}, @fda={0x66646185, 0x8, 0x0, 0x24}}, &(0x7f0000000000)={0x0, 0x20, 0x38}}, 0x1000}], 0x0, 0x0, 0x0}) 310.575306ms ago: executing program 2 (id=48): r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000100)='mountinfo\x00') socket$inet_udp(0x2, 0x2, 0x0) mkdir(&(0x7f0000000040)='./file0\x00', 0x1) mkdirat(0xffffffffffffff9c, &(0x7f0000000340)='./file1\x00', 0x0) mkdir(&(0x7f0000000300)='./bus\x00', 0x0) mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x1000000, &(0x7f0000000140)={[{@upperdir={'upperdir', 0x3d, './file1'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@workdir={'workdir', 0x3d, './bus'}}, {@default_permissions}]}) read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020) 293.857307ms ago: executing program 2 (id=49): r0 = syz_open_procfs(0x0, &(0x7f0000000040)='oom_score_adj\x00') write$cgroup_pid(r0, 0x0, 0x2d) mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x1e) mount(0x0, &(0x7f0000000040)='./file0\x00', &(0x7f0000000080)='debugfs\x00', 0x0, 0x0) mount$bpf(0x0, &(0x7f0000000380)='./file0\x00', 0x0, 0x40020, &(0x7f00000004c0)=ANY=[@ANYBLOB='uid=', @ANYRESHEX=0x0, @ANYBLOB='D\x00']) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x1802, 0x0) r2 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000400), 0x2, 0x0) write$UHID_CREATE2(r2, &(0x7f00000007c0)=ANY=[@ANYBLOB="0b00000073797a31000000dfff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000073797a30000037b35f0a000089b4c45a10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000073797a3100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001"], 0x119) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x70f9a000) r3 = syz_open_dev$hidraw(&(0x7f0000000000), 0x0, 0x81) ioctl$HIDIOCSFEATURE(r3, 0xc0404806, &(0x7f0000000040)) close_range(r1, 0xffffffffffffffff, 0x0) 112.957721ms ago: executing program 3 (id=50): setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, 0x0, 0x0) r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x1002, 0x0) sched_setattr(0x0, &(0x7f0000000100)={0x38, 0x5, 0x0, 0x0, 0x0, 0x0, 0xdb9, 0x0, 0x0, 0x4}, 0x0) ioprio_set$pid(0x2, 0x0, 0x0) r1 = creat(&(0x7f0000000280)='./file0\x00', 0xecf86c37d53049cc) close(r1) execve(&(0x7f0000000000)='./file0\x00', 0x0, 0x0) r2 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0x1843, 0x0) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'pim6reg0\x00', 0x2}) ioctl$TUNSETOWNER(r2, 0x400454cc, 0x0) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000000)={'gre0\x00', 0x800}) close_range(r0, 0xffffffffffffffff, 0x0) fcntl$F_SET_RW_HINT(r2, 0x40c, &(0x7f0000000040)=0x5) 103.842142ms ago: executing program 1 (id=51): mmap$binder(&(0x7f00000a0000)=nil, 0x0, 0x1, 0x11, 0xffffffffffffffff, 0x3) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000007c0)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x58, 0x0, &(0x7f0000000140)={@flat=@handle={0x73682a85, 0x101}, @ptr={0x70742a85, 0x1, 0x0, 0x0, 0x1, 0x8}, @fd}, 0x0}}], 0x0, 0x0, 0x0}) socket$can_raw(0x1d, 0x3, 0x1) r0 = socket$packet(0x11, 0x3, 0x300) socketpair(0x1, 0x100000005, 0x0, &(0x7f0000000000)={0xffffffffffffffff}) capset(&(0x7f0000000100)={0x20080522}, &(0x7f0000000140)={0x0, 0x0, 0x0, 0x81, 0xfffffffb, 0x3}) r2 = syz_open_procfs(0x0, &(0x7f0000000200)='oom_adj\x00') write$tcp_mem(r2, &(0x7f0000000140), 0x48) getpeername$packet(r1, &(0x7f0000000000)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @dev}, &(0x7f0000000100)=0x14) sendmmsg(r0, &(0x7f0000000080)=[{{&(0x7f0000000500)=@sco, 0x80, &(0x7f00000004c0)=[{&(0x7f0000000180)='O', 0x1}], 0x1, 0x0, 0x0, 0x2f00}}], 0x1, 0x20000084) syz_pidfd_open(0x0, 0x0) openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x2, 0x0) 103.561882ms ago: executing program 2 (id=52): r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='ns\x00') (async) r1 = socket$nl_generic(0x10, 0x3, 0x10) (async) r2 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000040), 0xffffffffffffffff) sendmsg$ETHTOOL_MSG_COALESCE_SET(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000600)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r2, @ANYBLOB="010004000000000000001000000018000180140002007665746830000000000000000000000008000f00"], 0x34}}, 0x0) (async) getdents64(r0, 0x0, 0x0) (async) mount(&(0x7f0000000000)=@loop={'/dev/loop', 0x0}, &(0x7f00000000c0)='./cgroup\x00', &(0x7f0000000040)='f2fs\x00', 0x0, 0x0) 18.765109ms ago: executing program 1 (id=53): openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0) (async) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000300)={0x0, 0x1, 0x1, 0x1000, &(0x7f0000000000/0x1000)=nil}) openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0) r2 = socket$inet6(0x10, 0x3, 0x0) write(r2, &(0x7f0000000040)="2400000021002551241c0165ff00fc020200000003100f000e", 0x19) (async) write(r2, &(0x7f0000000040)="2400000021002551241c0165ff00fc020200000003100f000e", 0x19) r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x200, 0x0) socketpair$tipc(0x1e, 0x0, 0x0, &(0x7f0000000040)) ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) (async) ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) r4 = open_tree(0xffffffffffffff9c, &(0x7f0000000100)='\x00', 0x80901) syz_usb_connect$uac1(0x0, 0xa4, &(0x7f0000000000)=ANY=[@ANYBLOB="2a01000020000040b708000000000000030109029200030172e5000904000000010100000a24010000000201020c0d2407000005000000000000000c240000e9fffff5ffffffff092403f3ff000005024524", @ANYRES8=r4, @ANYBLOB="05"], 0x0) 18.400459ms ago: executing program 2 (id=54): sendmsg$key(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000240)={0x2, 0xd, 0x0, 0x0, 0x14, 0x0, 0x0, 0x0, [@sadb_address={0x5, 0x5, 0x0, 0x0, 0x0, @in6={0xa, 0x0, 0x0, @private1}}, @sadb_address={0x5, 0x5, 0x0, 0x0, 0x0, @in6={0xa, 0x0, 0x0, @empty}}, @sadb_x_policy={0x8, 0x12, 0x2, 0x2, 0x0, 0xffffffff, 0x0, {0x6, 0x2b, 0x2, 0x3, 0x0, 0x0, 0x0, @in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @in6=@remote}}]}, 0xa0}}, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x2, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) (async) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x840000000002, 0x3, 0xff) connect$inet(r2, &(0x7f0000000540)={0x2, 0x4e22, @remote}, 0x10) bind$inet(r2, &(0x7f0000000100)={0x2, 0x4e24, @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x10) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x3) (async) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x3) syz_kvm_setup_cpu$x86(r1, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000080)=[@text64={0x40, &(0x7f0000000000)="2ef36644f7e62e3e672e450f078f29d095abaa960000b890a4f084ef66bafc0c6d8f297812cf66ba410066ef48b800100000000000000f23d00f21f835100000080f23f866baf80cb88ef01480ef66bafc0c66b80c0066efc7442402d8650000c7442406000000000f011c2466ba4200ec2e64f30f5a8e6c000000", 0x7b}], 0x1, 0x52, &(0x7f0000000200)=[@vmwrite={0x8, 0x0, 0x1, 0x0, 0x0, 0x0, 0x2, 0x0, 0x85200000c}], 0x1) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000240)={[0x3, 0xec, 0x401, 0x3, 0x7, 0x4, 0x8000000000000001, 0x80000001, 0x1, 0x200, 0x4, 0x6, 0x9, 0x10000000003a, 0x9, 0x9], 0x0, 0x2a80}) ioctl$KVM_RUN(r3, 0xae80, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) ioctl$KVM_CAP_EXIT_ON_EMULATION_FAILURE(r1, 0x4068aea3, &(0x7f0000000300)={0xcc, 0x0, 0x1}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@textreal={0x8, 0x0}], 0x1, 0x7c, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) (async) ioctl$KVM_RUN(r3, 0xae80, 0x0) r4 = socket(0x10, 0x3, 0x0) sendmsg$netlink(r4, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000001c0)=[{&(0x7f00000002c0)=ANY=[@ANYBLOB="1c0000001a0001002abd700000ffffff81"], 0x78}], 0x1, 0x0, 0x0, 0x20400}, 0x0) syz_open_dev$loop(&(0x7f0000000140), 0x75f, 0xa382) (async) r5 = syz_open_dev$loop(&(0x7f0000000140), 0x75f, 0xa382) dup2(r5, r5) (async) r6 = dup2(r5, r5) ioctl$BLKSECDISCARD(r6, 0x127d, 0x0) setregid(0x0, 0xffffffffffffffff) (async) setregid(0x0, 0xffffffffffffffff) r7 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) prctl$PR_SET_SECCOMP(0x16, 0x2, &(0x7f00000001c0)={0x2, &(0x7f0000000000)=[{0x20, 0x6}, {0x6}]}) (async) prctl$PR_SET_SECCOMP(0x16, 0x2, &(0x7f00000001c0)={0x2, &(0x7f0000000000)=[{0x20, 0x6}, {0x6}]}) ioctl$BINDER_GET_NODE_INFO_FOR_REF(r7, 0xc018620c, &(0x7f0000000080)={0x2, 0x0, 0x0, 0x0, 0x1000000}) 12.582409ms ago: executing program 3 (id=55): openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x2, 0x0) (async) r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x1381, 0x3}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) mprotect(&(0x7f0000000000/0xf000)=nil, 0xf000, 0x1) (async) mprotect(&(0x7f0000000000/0xf000)=nil, 0xf000, 0x1) r2 = socket$inet6(0xa, 0x2, 0x0) setsockopt$inet6_udp_encap(r2, 0x11, 0x64, &(0x7f00000002c0)=0x2, 0x4) socket$inet6_tcp(0xa, 0x1, 0x0) (async) r3 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r3, 0x6, 0x3, &(0x7f0000000040)=0x5, 0xfdda) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0x8, 0x0, &(0x7f0000000040)=[@decrefs={0x40046307, 0x3}], 0x0, 0x0, 0x0}) ioctl$BINDER_THREAD_EXIT(r1, 0x40046208, 0x0) 2.19018ms ago: executing program 3 (id=56): r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000500), 0x200, 0x0) (async) r1 = openat$pidfd(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) (async) r2 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000100)='mountinfo\x00') close_range(r2, 0xffffffffffffffff, 0x0) (async) pidfd_send_signal(r1, 0x33, &(0x7f0000000000)={0x11, 0x4, 0x2}, 0x0) (async) r3 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000080), 0x200000, 0x0) ioctl$ASHMEM_SET_SIZE(r3, 0x40087703, 0xfffffffa) (async) mmap(&(0x7f0000701000/0x3000)=nil, 0x3000, 0x5, 0x4010, r0, 0x0) (async) mremap(&(0x7f0000701000/0x1000)=nil, 0x1000, 0x3000, 0x3, &(0x7f0000ffc000/0x3000)=nil) 0s ago: executing program 3 (id=57): r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x1381, 0x3}) ioctl$KVM_SET_TSC_KHZ_vm(0xffffffffffffffff, 0xaea2, 0x5) r1 = mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000100)={0x58, 0x0, &(0x7f0000000000)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc, 0x18, &(0x7f0000000440)={@flat=@weak_binder={0x77622a85, 0x0, 0x3}, @fda={0x66646185, 0x1, 0x0, 0xe}, @fd={0x66642a85, 0x0, r0}}, &(0x7f00000001c0)={0x0, 0x18, 0x38}}, 0x1000}, @free_buffer={0x40086303, r1}], 0x0, 0x0, 0x0}) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.0.157' (ED25519) to the list of known hosts. [ 19.873198][ T36] audit: type=1400 audit(1756123955.660:64): avc: denied { mounton } for pid=281 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2022 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 19.879259][ T36] audit: type=1400 audit(1756123955.660:65): avc: denied { mount } for pid=281 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 19.889658][ T281] cgroup: Unknown subsys name 'net' [ 19.891192][ T36] audit: type=1400 audit(1756123955.680:66): avc: denied { unmount } for pid=281 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 19.891336][ T281] cgroup: Unknown subsys name 'devices' [ 20.082495][ T281] cgroup: Unknown subsys name 'hugetlb' [ 20.088816][ T281] cgroup: Unknown subsys name 'rlimit' [ 20.219896][ T36] audit: type=1400 audit(1756123956.000:67): avc: denied { setattr } for pid=281 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=190 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 20.243949][ T36] audit: type=1400 audit(1756123956.000:68): avc: denied { mounton } for pid=281 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 20.252276][ T283] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 20.269802][ T36] audit: type=1400 audit(1756123956.000:69): avc: denied { mount } for pid=281 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 20.302073][ T36] audit: type=1400 audit(1756123956.070:70): avc: denied { relabelto } for pid=283 comm="mkswap" name="swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 20.330663][ T36] audit: type=1400 audit(1756123956.070:71): avc: denied { write } for pid=283 comm="mkswap" path="/root/swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 20.362692][ T36] audit: type=1400 audit(1756123956.150:72): avc: denied { read } for pid=281 comm="syz-executor" name="swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 20.389789][ T36] audit: type=1400 audit(1756123956.150:73): avc: denied { open } for pid=281 comm="syz-executor" path="/root/swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 20.389854][ T281] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 21.126021][ T288] bridge0: port 1(bridge_slave_0) entered blocking state [ 21.137303][ T288] bridge0: port 1(bridge_slave_0) entered disabled state [ 21.144765][ T288] bridge_slave_0: entered allmulticast mode [ 21.151575][ T288] bridge_slave_0: entered promiscuous mode [ 21.159314][ T288] bridge0: port 2(bridge_slave_1) entered blocking state [ 21.166730][ T288] bridge0: port 2(bridge_slave_1) entered disabled state [ 21.174092][ T288] bridge_slave_1: entered allmulticast mode [ 21.180708][ T288] bridge_slave_1: entered promiscuous mode [ 21.302177][ T293] bridge0: port 1(bridge_slave_0) entered blocking state [ 21.309629][ T293] bridge0: port 1(bridge_slave_0) entered disabled state [ 21.317180][ T293] bridge_slave_0: entered allmulticast mode [ 21.323532][ T293] bridge_slave_0: entered promiscuous mode [ 21.339108][ T293] bridge0: port 2(bridge_slave_1) entered blocking state [ 21.346595][ T293] bridge0: port 2(bridge_slave_1) entered disabled state [ 21.353697][ T293] bridge_slave_1: entered allmulticast mode [ 21.360111][ T293] bridge_slave_1: entered promiscuous mode [ 21.382215][ T292] bridge0: port 1(bridge_slave_0) entered blocking state [ 21.389622][ T292] bridge0: port 1(bridge_slave_0) entered disabled state [ 21.397014][ T292] bridge_slave_0: entered allmulticast mode [ 21.403597][ T292] bridge_slave_0: entered promiscuous mode [ 21.413915][ T292] bridge0: port 2(bridge_slave_1) entered blocking state [ 21.421558][ T292] bridge0: port 2(bridge_slave_1) entered disabled state [ 21.428722][ T292] bridge_slave_1: entered allmulticast mode [ 21.435480][ T292] bridge_slave_1: entered promiscuous mode [ 21.454377][ T294] bridge0: port 1(bridge_slave_0) entered blocking state [ 21.461970][ T294] bridge0: port 1(bridge_slave_0) entered disabled state [ 21.469021][ T294] bridge_slave_0: entered allmulticast mode [ 21.475610][ T294] bridge_slave_0: entered promiscuous mode [ 21.482242][ T294] bridge0: port 2(bridge_slave_1) entered blocking state [ 21.489387][ T294] bridge0: port 2(bridge_slave_1) entered disabled state [ 21.497053][ T294] bridge_slave_1: entered allmulticast mode [ 21.503603][ T294] bridge_slave_1: entered promiscuous mode [ 21.524778][ T288] bridge0: port 2(bridge_slave_1) entered blocking state [ 21.532311][ T288] bridge0: port 2(bridge_slave_1) entered forwarding state [ 21.540043][ T288] bridge0: port 1(bridge_slave_0) entered blocking state [ 21.549051][ T288] bridge0: port 1(bridge_slave_0) entered forwarding state [ 21.649787][ T46] bridge0: port 1(bridge_slave_0) entered disabled state [ 21.657756][ T46] bridge0: port 2(bridge_slave_1) entered disabled state [ 21.684198][ T13] bridge0: port 1(bridge_slave_0) entered blocking state [ 21.691591][ T13] bridge0: port 1(bridge_slave_0) entered forwarding state [ 21.703897][ T46] bridge0: port 2(bridge_slave_1) entered blocking state [ 21.711154][ T46] bridge0: port 2(bridge_slave_1) entered forwarding state [ 21.782013][ T13] bridge0: port 1(bridge_slave_0) entered blocking state [ 21.789450][ T13] bridge0: port 1(bridge_slave_0) entered forwarding state [ 21.804151][ T13] bridge0: port 2(bridge_slave_1) entered blocking state [ 21.811781][ T13] bridge0: port 2(bridge_slave_1) entered forwarding state [ 21.821211][ T13] bridge0: port 1(bridge_slave_0) entered blocking state [ 21.828360][ T13] bridge0: port 1(bridge_slave_0) entered forwarding state [ 21.842738][ T288] veth0_vlan: entered promiscuous mode [ 21.853207][ T13] bridge0: port 2(bridge_slave_1) entered blocking state [ 21.861258][ T13] bridge0: port 2(bridge_slave_1) entered forwarding state [ 21.881835][ T13] bridge0: port 1(bridge_slave_0) entered blocking state [ 21.889165][ T13] bridge0: port 1(bridge_slave_0) entered forwarding state [ 21.907391][ T288] veth1_macvtap: entered promiscuous mode [ 21.915484][ T46] bridge0: port 2(bridge_slave_1) entered blocking state [ 21.922661][ T46] bridge0: port 2(bridge_slave_1) entered forwarding state [ 21.957495][ T292] veth0_vlan: entered promiscuous mode [ 21.981469][ T293] veth0_vlan: entered promiscuous mode [ 21.989062][ T288] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 21.994355][ T293] veth1_macvtap: entered promiscuous mode [ 22.013765][ T292] veth1_macvtap: entered promiscuous mode [ 22.045805][ T294] veth0_vlan: entered promiscuous mode [ 22.060078][ T294] veth1_macvtap: entered promiscuous mode [ 22.130094][ T342] kvm_intel: L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. [ 22.168376][ T348] ======================================================= [ 22.168376][ T348] WARNING: The mand mount option has been deprecated and [ 22.168376][ T348] and is ignored by this kernel. Remove the mand [ 22.168376][ T348] option from the mount to silence this warning. [ 22.168376][ T348] ======================================================= [ 22.205542][ T348] SELinux: security_context_str_to_sid (sytem_uÝGй ‰:ÿß) failed with errno=-22 [ 22.249402][ T355] rust_binder: Failure when writing BR_NOOP at beginning of buffer. [ 22.249427][ T355] rust_binder: Read failure Err(EFAULT) in pid:13 [ 22.282040][ T357] pim6reg1: entered promiscuous mode [ 22.282817][ T361] rust_binder: Failure when writing BR_NOOP at beginning of buffer. [ 22.288583][ T357] pim6reg1: entered allmulticast mode [ 22.305055][ T364] rust_binder: Write failure EFAULT in pid:15 [ 22.308061][ T361] rust_binder: Read failure Err(EFAULT) in pid:4 [ 22.380250][ T330] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 22.550245][ T330] usb 1-1: Using ep0 maxpacket: 32 [ 22.565354][ T330] usb 1-1: config 0 has an invalid interface number: 230 but max is 0 [ 22.575419][ T330] usb 1-1: config 0 has no interface number 0 [ 22.590473][ T330] usb 1-1: config 0 interface 230 has no altsetting 0 [ 22.605080][ T330] usb 1-1: New USB device found, idVendor=0781, idProduct=0005, bcdDevice= 0.01 [ 22.620953][ T330] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 22.640366][ T330] usb 1-1: Product: syz [ 22.651084][ T330] usb 1-1: Manufacturer: syz [ 22.662490][ T330] usb 1-1: SerialNumber: syz [ 22.678725][ T330] usb 1-1: config 0 descriptor?? [ 22.743404][ T386] overlay: ./file0 is not a directory [ 22.806049][ T388] netlink: 8 bytes leftover after parsing attributes in process `syz.3.20'. [ 22.875943][ T393] option changes via remount are deprecated (pid=392 comm=syz.3.21) [ 22.904408][ T393] rust_binder: Transaction failed: BR_FAILED_REPLY { source: ENOENT } my_pid:37 [ 23.033791][ T397] __vm_enough_memory: pid: 397, comm: syz.3.23, bytes: 18014402804453376 not enough memory for the allocation [ 23.410305][ T330] usb 2-1: new high-speed USB device number 2 using dummy_hcd [ 23.442156][ T434] SELinux: policydb magic number 0x10c0 does not match expected magic number 0xf97cff8c [ 23.453339][ T434] SELinux: failed to load policy [ 23.580252][ T330] usb 2-1: Using ep0 maxpacket: 32 [ 23.586789][ T330] usb 2-1: config 0 has an invalid interface number: 230 but max is 0 [ 23.595228][ T330] usb 2-1: config 0 has no interface number 0 [ 23.601617][ T330] usb 2-1: config 0 interface 230 has no altsetting 0 [ 23.609820][ T330] usb 2-1: New USB device found, idVendor=0781, idProduct=0005, bcdDevice= 0.05 [ 23.619930][ T330] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 23.628488][ T330] usb 2-1: Product: syz [ 23.632826][ T330] usb 2-1: Manufacturer: syz [ 23.637453][ T330] usb 2-1: SerialNumber: syz [ 23.643981][ T330] usb 2-1: config 0 descriptor?? [ 23.649899][ T330] ums-usbat 2-1:0.230: USB Mass Storage device detected [ 23.658116][ T330] ums-usbat 2-1:0.230: Quirks match for vid 0781 pid 0005: 1 [ 23.690258][ T65] usb 4-1: new high-speed USB device number 2 using dummy_hcd [ 23.840244][ T65] usb 4-1: Using ep0 maxpacket: 16 [ 23.846887][ T65] usb 4-1: unable to get BOS descriptor set [ 23.854013][ T65] usb 4-1: config 1 interface 0 altsetting 5 bulk endpoint 0x82 has invalid maxpacket 16 [ 23.864459][ T65] usb 4-1: config 1 interface 0 altsetting 5 bulk endpoint 0x3 has invalid maxpacket 64 [ 23.875083][ T65] usb 4-1: config 1 interface 0 has no altsetting 0 [ 23.884355][ T65] usb 4-1: New USB device found, idVendor=0525, idProduct=a4a1, bcdDevice= 0.40 [ 23.894388][ T65] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 23.902808][ T65] usb 4-1: Product: syz [ 23.906981][ T65] usb 4-1: Manufacturer: syz [ 23.912009][ T65] usb 4-1: SerialNumber: syz [ 23.917622][ T434] raw-gadget.2 gadget.3: fail, usb_ep_enable returned -22 [ 23.925566][ T434] raw-gadget.2 gadget.3: fail, usb_ep_enable returned -22 [ 24.181952][ T65] cdc_ether 4-1:1.0: probe with driver cdc_ether failed with error -71 [ 24.192518][ T65] usb 4-1: USB disconnect, device number 2 [ 24.370279][ T346] usb 3-1: new high-speed USB device number 2 using dummy_hcd [ 24.521620][ T346] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 24.532250][ T346] usb 3-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 2 [ 24.545523][ T346] usb 3-1: New USB device found, idVendor=046d, idProduct=c29c, bcdDevice= 0.00 [ 24.555115][ T346] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 24.564069][ T346] usb 3-1: config 0 descriptor?? [ 24.919422][ T460] Zero length message leads to an empty skb [ 24.973624][ T346] logitech 0003:046D:C29C.0001: hidraw0: USB HID v10.00 Device [HID 046d:c29c] on usb-dummy_hcd.2-1/input0 [ 25.186988][ T346] logitech 0003:046D:C29C.0001: no inputs found [ 25.196326][ T346] usb 3-1: USB disconnect, device number 2 [ 25.301705][ T45] usb 1-1: USB disconnect, device number 2 [ 25.317650][ T36] kauditd_printk_skb: 106 callbacks suppressed [ 25.317666][ T36] audit: type=1400 audit(1756123961.100:180): avc: denied { write } for pid=464 comm="syz.0.41" path="socket:[4532]" dev="sockfs" ino=4532 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 25.350218][ T36] audit: type=1400 audit(1756123961.130:181): avc: denied { ioctl } for pid=464 comm="syz.0.41" path="socket:[4529]" dev="sockfs" ino=4529 ioctlcmd=0x8901 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=packet_socket permissive=1 [ 25.389768][ T36] audit: type=1400 audit(1756123961.170:182): avc: denied { ioctl } for pid=466 comm="syz.0.42" path="socket:[3967]" dev="sockfs" ino=3967 ioctlcmd=0x48e1 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 25.416369][ T36] audit: type=1400 audit(1756123961.180:183): avc: denied { setattr } for pid=466 comm="syz.0.42" name="binder0" dev="binder" ino=10 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file permissive=1 [ 25.441624][ T36] audit: type=1400 audit(1756123961.220:184): avc: denied { append } for pid=468 comm="syz.0.43" name="ptp0" dev="devtmpfs" ino=196 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:clock_device_t tclass=chr_file permissive=1 [ 25.466285][ T36] audit: type=1400 audit(1756123961.220:185): avc: denied { open } for pid=468 comm="syz.0.43" path="/dev/ptp0" dev="devtmpfs" ino=196 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:clock_device_t tclass=chr_file permissive=1 [ 25.708770][ T474] EXT4-fs (rnullb0): VFS: Can't find ext4 filesystem [ 25.710288][ T36] audit: type=1400 audit(1756123961.490:186): avc: denied { write } for pid=471 comm="syz.2.44" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=key permissive=1 [ 25.736004][ T36] audit: type=1400 audit(1756123961.490:187): avc: denied { write } for pid=471 comm="syz.2.44" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=key_socket permissive=1 [ 25.753141][ T45] usb 1-1: new high-speed USB device number 3 using dummy_hcd [ 25.760016][ T36] audit: type=1326 audit(1756123961.540:188): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=root:sysadm_r:sysadm_t pid=476 comm="syz.3.45" exe="/root/syz-executor" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f4a45b8ebe9 code=0x0 [ 25.788537][ T482] binder: Unknown parameter 'fscontext?}' [ 25.794962][ T482] binder: Unknown parameter 'fscontext?}' [ 25.802257][ T36] audit: type=1400 audit(1756123961.570:189): avc: denied { mounton } for pid=478 comm="syz.2.46" path="/dev/binderfs" dev="binder" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 25.814487][ T482] binder: Unknown parameter 'fscontext?}' [ 25.834690][ T482] binder: Unknown parameter 'fscontext?}' [ 25.840885][ T482] binder: Unknown parameter 'fscontext?}' [ 25.846843][ T482] binder: Unknown parameter 'fscontext?}' [ 25.853383][ T482] binder: Unknown parameter 'fscontext?}' [ 25.860419][ T482] binder: Unknown parameter 'fscontext?}' [ 25.871258][ T482] binder: Unknown parameter 'fscontext?}' [ 25.877168][ T482] binder: Unknown parameter 'fscontext?}' [ 25.884072][ T482] binder: Unknown parameter 'fscontext?}' [ 25.890658][ T482] binder: Unknown parameter 'fscontext?}' [ 25.897052][ T482] binder: Unknown parameter 'fscontext?}' [ 25.903999][ T482] binder: Unknown parameter 'fscontext?}' [ 25.910118][ T482] binder: Unknown parameter 'fscontext?}' [ 25.916343][ T45] usb 1-1: Using ep0 maxpacket: 32 [ 25.922553][ T482] binder: Unknown parameter 'fscontext?}' [ 25.928683][ T482] binder: Unknown parameter 'fscontext?}' [ 25.935924][ T45] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 25.947550][ T45] usb 1-1: config 0 interface 0 altsetting 16 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 25.959187][ T330] ums-usbat 2-1:0.230: probe with driver ums-usbat failed with error -5 [ 25.970230][ T482] binder: Unknown parameter 'fscontext?}' [ 25.976794][ T482] binder: Unknown parameter 'fscontext?}' [ 25.983000][ T45] usb 1-1: config 0 interface 0 altsetting 16 has 1 endpoint descriptor, different from the interface descriptor's value: 5 [ 25.996757][ T482] binder: Unknown parameter 'fscontext?}' [ 26.003200][ T45] usb 1-1: config 0 interface 0 has no altsetting 0 [ 26.010233][ T482] binder: Unknown parameter 'fscontext?}' [ 26.016316][ T45] usb 1-1: New USB device found, idVendor=044f, idProduct=b65d, bcdDevice= 0.00 [ 26.026380][ T482] binder: Unknown parameter 'fscontext?}' [ 26.032391][ T45] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 26.041207][ T482] binder: Unknown parameter 'fscontext?}' [ 26.047491][ T482] binder: Unknown parameter 'fscontext?}' [ 26.047725][ T45] usb 1-1: config 0 descriptor?? [ 26.062788][ T482] binder: Unknown parameter 'fscontext?}' [ 26.068720][ T482] binder: Unknown parameter 'fscontext?}' [ 26.075058][ T482] binder: Unknown parameter 'fscontext?}' [ 26.081301][ T482] binder: Unknown parameter 'fscontext?}' [ 26.087411][ T482] binder: Unknown parameter 'fscontext?}' [ 26.093855][ T482] binder: Unknown parameter 'fscontext?}' [ 26.100506][ T482] binder: Unknown parameter 'fscontext?}' [ 26.104646][ T346] usb 2-1: USB disconnect, device number 2 [ 26.106522][ T482] binder: Unknown parameter 'fscontext?}' [ 26.120957][ T482] binder: Unknown parameter 'fscontext?}' [ 26.127711][ T482] binder: Unknown parameter 'fscontext?}' [ 26.134178][ T482] binder: Unknown parameter 'fscontext?}' [ 26.141027][ T482] binder: Unknown parameter 'fscontext?}' [ 26.147179][ T482] binder: Unknown parameter 'fscontext?}' [ 26.153508][ T482] binder: Unknown parameter 'fscontext?}' [ 26.159617][ T482] binder: Unknown parameter 'fscontext?}' [ 26.166688][ T482] binder: Unknown parameter 'fscontext?}' [ 26.173022][ T482] binder: Unknown parameter 'fscontext?}' [ 26.179250][ T482] binder: Unknown parameter 'fscontext?}' [ 26.185634][ T482] binder: Unknown parameter 'fscontext?}' [ 26.191837][ T482] binder: Unknown parameter 'fscontext?}' [ 26.197941][ T482] binder: Unknown parameter 'fscontext?}' [ 26.204316][ T482] binder: Unknown parameter 'fscontext?}' [ 26.210646][ T482] binder: Unknown parameter 'fscontext?}' [ 26.216777][ T482] binder: Unknown parameter 'fscontext?}' [ 26.223736][ T482] binder: Unknown parameter 'fscontext?}' [ 26.229864][ T482] binder: Unknown parameter 'fscontext?}' [ 26.236236][ T482] binder: Unknown parameter 'fscontext?}' [ 26.242431][ T482] binder: Unknown parameter 'fscontext?}' [ 26.248418][ T482] binder: Unknown parameter 'fscontext?}' [ 26.255161][ T482] binder: Unknown parameter 'fscontext?}' [ 26.261562][ T482] binder: Unknown parameter 'fscontext?}' [ 26.267673][ T482] binder: Unknown parameter 'fscontext?}' [ 26.273755][ T482] binder: Unknown parameter 'fscontext?}' [ 26.279846][ T482] binder: Unknown parameter 'fscontext?}' [ 26.286555][ T482] binder: Unknown parameter 'fscontext?}' [ 26.292511][ T482] binder: Unknown parameter 'fscontext?}' [ 26.298368][ T482] binder: Unknown parameter 'fscontext?}' [ 26.304353][ T482] binder: Unknown parameter 'fscontext?}' [ 26.310478][ T482] binder: Unknown parameter 'fscontext?}' [ 26.317069][ T482] binder: Unknown parameter 'fscontext?}' [ 26.323586][ T482] binder: Unknown parameter 'fscontext?}' [ 26.457259][ T45] hid-thrustmaster 0003:044F:B65D.0002: unknown main item tag 0x0 [ 26.466460][ T9] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 26.471966][ T45] hid-thrustmaster 0003:044F:B65D.0002: unknown main item tag 0x0 [ 26.474790][ T9] hid-generic 0000:0000:0000.0003: hidraw0: HID v0.00 Device [syz1] on syz0 [ 26.490325][ T45] hid-thrustmaster 0003:044F:B65D.0002: unknown main item tag 0x0 [ 26.511924][ T45] hid-thrustmaster 0003:044F:B65D.0002: item fetching failed at offset 4/5 [ 26.524871][ T45] hid-thrustmaster 0003:044F:B65D.0002: parse failed with error -22 [ 26.533447][ T45] hid-thrustmaster 0003:044F:B65D.0002: probe with driver hid-thrustmaster failed with error -22 [ 26.600756][ T494] process 'syz.3.50' launched './file0' with NULL argv: empty string added [ 26.646056][ T498] F2FS-fs (loop2): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 26.654755][ T498] F2FS-fs (loop2): Can't find valid F2FS filesystem in 1th superblock [ 26.664407][ T498] F2FS-fs (loop2): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 26.673329][ T498] F2FS-fs (loop2): Can't find valid F2FS filesystem in 2th superblock [ 26.735502][ T502] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 26.750598][ T502] ------------[ cut here ]------------ [ 26.756394][ T502] WARNING: CPU: 0 PID: 502 at arch/x86/kvm/x86.c:11569 kvm_arch_vcpu_ioctl_run+0x12af/0x1aa0 [ 26.756649][ T516] rust_binder: Failure in copy_transaction_data: BR_FAILED_REPLY { source: EFAULT } [ 26.767419][ T516] rust_binder: Transaction failed: BR_FAILED_REPLY { source: EFAULT } my_pid:96 [ 26.767507][ T502] Modules linked in: [ 26.790703][ T502] CPU: 0 UID: 0 PID: 502 Comm: syz.2.54 Not tainted syzkaller #0 0043dfd2fbaf315da186ee57f2b2b1c8bfff300f [ 26.803071][ T502] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 26.813570][ T502] RIP: 0010:kvm_arch_vcpu_ioctl_run+0x12af/0x1aa0 [ 26.815455][ T519] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 26.820312][ T502] Code: 7e 3b e8 44 0c 6a 00 49 bd 00 00 00 00 00 fc ff df 4c 8b 7c 24 20 4c 8b 64 24 40 48 8b 5c 24 28 e9 26 fd ff ff e8 21 0c 6a 00 <0f> 0b e9 e4 fc ff ff e8 15 0c 6a 00 0f 0b e9 0e fd ff ff e8 09 0c [ 26.853054][ T502] RSP: 0018:ffffc9000d5c79c0 EFLAGS: 00010293 [ 26.859662][ T502] RAX: ffffffff811bd81f RBX: ffff888116f10000 RCX: ffff8881169c1300 [ 26.868526][ T502] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 [ 26.876877][ T502] RBP: ffffc9000d5c7c70 R08: ffff8881169c1307 R09: 1ffff11022d38260 [ 26.885289][ T502] R10: dffffc0000000000 R11: ffffed1022d38261 R12: ffff8881148bb000 [ 26.893574][ T502] R13: dffffc0000000000 R14: 0000000000000001 R15: ffff888116f10078 [ 26.902050][ T502] FS: 00007f2c3a5a36c0(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 [ 26.911197][ T502] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 26.918147][ T502] CR2: 0000200000ff0000 CR3: 00000001156ac000 CR4: 00000000003526b0 [ 26.927034][ T502] Call Trace: [ 26.930535][ T502] [ 26.933933][ T502] ? __cfi___futex_queue+0x10/0x10 [ 26.939131][ T502] ? futex_wait_setup+0x1bc/0x260 [ 26.944212][ T502] ? __cfi_kvm_arch_vcpu_ioctl_run+0x10/0x10 [ 26.950495][ T502] ? futex_unqueue+0x136/0x160 [ 26.955391][ T502] ? __futex_wait+0x218/0x2a0 [ 26.960425][ T502] ? should_fail+0xf/0x20 [ 26.965051][ T502] ? ioctl_has_perm+0x1aa/0x4d0 [ 26.970101][ T502] ? __asan_memcpy+0x5a/0x80 [ 26.970261][ T45] usb 2-1: new high-speed USB device number 3 using dummy_hcd [ 26.974907][ T502] ? ioctl_has_perm+0x3e0/0x4d0 [ 26.987650][ T502] ? has_cap_mac_admin+0xd0/0xd0 [ 26.993049][ T502] ? __kasan_check_write+0x18/0x20 [ 26.998350][ T502] ? mutex_lock_killable+0x92/0x1c0 [ 27.003951][ T502] ? __cfi_mutex_lock_killable+0x10/0x10 [ 27.009590][ T502] ? futex_wait+0x29a/0x7a0 [ 27.014419][ T502] ? __cfi_futex_wait+0x10/0x10 [ 27.019367][ T502] kvm_vcpu_ioctl+0x96f/0xee0 [ 27.024271][ T502] ? __cfi_kvm_vcpu_ioctl+0x10/0x10 [ 27.029839][ T502] ? do_futex+0x309/0x500 [ 27.034315][ T502] ? __cfi_do_futex+0x10/0x10 [ 27.039193][ T502] ? __fget_files+0x2c5/0x340 [ 27.044094][ T502] ? bpf_lsm_file_ioctl+0xd/0x20 [ 27.049145][ T502] ? security_file_ioctl+0x34/0xd0 [ 27.054374][ T502] ? __cfi_kvm_vcpu_ioctl+0x10/0x10 [ 27.059931][ T502] __se_sys_ioctl+0x132/0x1b0 [ 27.064734][ T502] __x64_sys_ioctl+0x7f/0xa0 [ 27.069605][ T502] x64_sys_call+0x1878/0x2ee0 [ 27.074469][ T502] do_syscall_64+0x58/0xf0 [ 27.079238][ T502] ? clear_bhb_loop+0x50/0xa0 [ 27.084306][ T502] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 27.090571][ T502] RIP: 0033:0x7f2c3978ebe9 [ 27.095279][ T502] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 27.115367][ T502] RSP: 002b:00007f2c3a5a3038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 27.123820][ T502] RAX: ffffffffffffffda RBX: 00007f2c399b5fa0 RCX: 00007f2c3978ebe9 [ 27.132388][ T502] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000007 [ 27.141020][ T502] RBP: 00007f2c39811e19 R08: 0000000000000000 R09: 0000000000000000 [ 27.149383][ T502] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 27.151302][ T45] usb 2-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config [ 27.158006][ T502] R13: 00007f2c399b6038 R14: 00007f2c399b5fa0 R15: 00007fffc5bcc8b8 [ 27.158033][ T502] [ 27.169069][ T45] usb 2-1: config 1 has 1 interface, different from the descriptor's value: 3 [ 27.177298][ T502] ---[ end trace 0000000000000000 ]--- [ 27.181278][ T45] usb 2-1: New USB device found, idVendor=08b7, idProduct=0000, bcdDevice= 0.00 [ 27.205239][ T45] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=3 [ 27.213627][ T45] usb 2-1: SerialNumber: syz [ 27.340776][ T330] usb 1-1: USB disconnect, device number 3 [ 27.421283][ T45] usb 2-1: 0:2 : does not exist [ 27.426463][ T45] usb 2-1: unit 5 not found! [ 27.434617][ T45] usb 2-1: USB disconnect, device number 3