last executing test programs: 6.753184619s ago: executing program 3 (id=12): r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000100)='mountinfo\x00') mkdir(&(0x7f0000000040)='./file0\x00', 0x1) (async) ioctl$BTRFS_IOC_GET_SUBVOL_ROOTREF(r0, 0xd000943d, &(0x7f0000002600)={0x1000, [{}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0}], 0x2, "39ee8c1eee48a5"}) ioctl$BTRFS_IOC_INO_LOOKUP(0xffffffffffffffff, 0xd0009412, &(0x7f0000003600)={r1, 0x800}) (async) mkdirat(0xffffffffffffff9c, &(0x7f0000000340)='./file1\x00', 0x0) (async, rerun: 64) mkdir(&(0x7f0000000300)='./bus\x00', 0x0) (async, rerun: 64) mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x1000000, &(0x7f0000000140)={[{@upperdir={'upperdir', 0x3d, './file1'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@workdir={'workdir', 0x3d, './bus'}}, {@default_permissions}]}) (async) read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020) 6.751942489s ago: executing program 3 (id=14): mkdir(&(0x7f0000000180)='./file0\x00', 0x0) creat(&(0x7f0000000080)='./file0/file1\x00', 0x90) mkdirat(0xffffffffffffff9c, &(0x7f0000000340)='./file1\x00', 0x0) mkdir(&(0x7f0000000100)='./bus\x00', 0xe8) mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0\x00', 0x0, 0x101091, 0x0) mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000a00)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]}) chdir(&(0x7f00000001c0)='./bus\x00') rmdir(&(0x7f0000000000)='./file0\x00') r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440), 0x141800, 0x0) unshare(0x6060600) r1 = signalfd4(0xffffffffffffffff, &(0x7f0000000140)={[0xfffffffffffffff5]}, 0x8, 0x80000) readv(r1, &(0x7f0000000180)=[{&(0x7f00000001c0)=""/262, 0x106}], 0x1) r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000180)='/sys/power/resume_offset', 0x2, 0x4) ppoll(&(0x7f0000000240)=[{r2, 0x8}, {r2, 0x88}], 0x2, 0x0, 0x0, 0x0) r3 = syz_clone(0x140011, 0x0, 0x0, 0x0, 0x0, 0x0) timer_create(0x1, &(0x7f00000000c0)={0x0, 0x12, 0x1, @tid=r3}, &(0x7f0000000100)) timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x3938700}, {0x0, 0x3938700}}, 0x0) r4 = gettid() rt_sigaction(0x16, &(0x7f0000000380)={0x0, 0x90000000, 0x0}, 0x0, 0x8, &(0x7f0000000180)) tkill(r4, 0x16) r5 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) kcmp$KCMP_EPOLL_TFD(0x0, 0x0, 0x7, 0xffffffffffffffff, 0x0) ioctl$KVM_INTERRUPT(r2, 0x4004ae86, &(0x7f0000000300)) r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x2, 0x0) ioctl$KVM_GET_EMULATED_CPUID(r6, 0xc008ae09, &(0x7f00000001c0)={0x3, 0x0, [{0x80000001, 0x6, 0x0, 0xc7, 0x6a6, 0x8, 0x7fff}, {0x80000007, 0x1, 0x5, 0x100, 0x1, 0x0, 0x47e735c3}, {0xb, 0x800, 0x4, 0x4, 0xfffffff8, 0xe, 0x4}]}) ioctl$KVM_CAP_SPLIT_IRQCHIP(r5, 0x4068aea3, &(0x7f0000000040)={0x79, 0x0, 0x5}) r7 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x981b00, 0x0) epoll_pwait2(r2, &(0x7f00000003c0)=[{}, {}, {}, {}, {}, {}, {}, {}], 0x8, &(0x7f0000000480)={0x77359400}, &(0x7f00000004c0)={[0x4]}, 0x8) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000001, 0x12, r7, 0x45809000) ioctl$KVM_IRQFD(r5, 0x4020ae76, &(0x7f0000000000)) 3.703776203s ago: executing program 3 (id=35): r0 = syz_open_procfs$pagemap(0xffffffffffffffff, &(0x7f0000000000)) fcntl$setownex(r0, 0xf, &(0x7f0000000040)={0x2}) ioctl$KVM_CREATE_DEVICE(0xffffffffffffffff, 0xc00caee0, &(0x7f0000000080)={0x9, 0xffffffffffffffff}) ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, &(0x7f00000000c0)) ioctl$AUTOFS_IOC_SETTIMEOUT(r0, 0x80049367, &(0x7f0000000100)=0x7fffffffffffffff) r2 = accept4$bt_l2cap(0xffffffffffffffff, &(0x7f0000000140)={0x1f, 0x0, @fixed}, &(0x7f0000000180)=0xe, 0x0) poll(&(0x7f00000001c0)=[{r0, 0x8749}, {r2, 0x8}, {r1, 0x3084}, {r0, 0x200}, {r1, 0x400}, {r1}], 0x6, 0xfffffc01) r3 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0) ioctl$UI_SET_PHYS(r3, 0x4008556c, &(0x7f0000000240)='syz1\x00') r4 = openat$tcp_congestion(0xffffffffffffff9c, &(0x7f0000000280), 0x1, 0x0) write$tcp_congestion(r4, &(0x7f00000002c0)='reno\x00', 0x5) ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0) r5 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x3c) ioctl$KVM_CLEAR_DIRTY_LOG(r5, 0xc018aec0, &(0x7f0000000700)={0x2710, 0x80, 0x2c0, &(0x7f0000000300)=[0xffff, 0x2, 0xb9d, 0x8000000000000, 0xffffffffffffffff, 0x7f50, 0x7, 0x1ff, 0x2, 0x6, 0x0, 0x9, 0x280000, 0xf, 0x7fff, 0x0, 0x9, 0x9, 0x3, 0x8000000000000000, 0x9, 0xe, 0x3, 0x2, 0xf7f, 0x6845, 0x0, 0x7, 0x7, 0x4c838fe0, 0xffffffff, 0x8, 0x4, 0x101, 0x5, 0x8000000000000000, 0x0, 0x1, 0x4, 0x8, 0x1, 0x4, 0xfffffffffffeffff, 0x2, 0xfffffffffffffff8, 0x1ff, 0x4, 0x7, 0x80000000, 0x5, 0x40, 0x7, 0x6, 0x1, 0x7c, 0x80000000000, 0xffffffffffffab4e, 0x5, 0x4, 0xf60, 0x5, 0xfffffffffffffff8, 0x2, 0x400, 0x600, 0x9, 0x4, 0xa, 0x400, 0x80, 0x0, 0x996, 0x1, 0x2, 0x0, 0x9, 0x10001, 0xffffffffffffffff, 0x8001, 0x4, 0x1000, 0x9, 0x6, 0x4, 0x39, 0x1, 0x4, 0x8, 0x0, 0x400, 0x100, 0x6, 0x0, 0x9, 0x10, 0xdab, 0x8, 0x5, 0xe80, 0x7fff, 0x100000001, 0x5, 0x5, 0x7, 0x100000000000000, 0x4, 0x9, 0x0, 0x3, 0x1, 0x9, 0x2, 0xdf08, 0x6, 0xae8, 0xd, 0x81, 0x3, 0x70000, 0x8, 0x6, 0x10000, 0x8, 0xd, 0x1000, 0x180000, 0x5516, 0x7]}) r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000740), 0x42001, 0x0) r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x22) fcntl$setlease(r0, 0x400, 0x1) execve(&(0x7f0000000780)='./file0\x00', &(0x7f0000000840)={[&(0x7f00000007c0)='&\x00', &(0x7f0000000800)='pagemap\x00']}, &(0x7f0000000940)={[&(0x7f0000000880)='reno\x00', &(0x7f00000008c0)='/dev/uinput\x00', &(0x7f0000000900)='\x00']}) recvmsg$can_bcm(r3, &(0x7f0000001000)={&(0x7f0000000980)=@in6={0xa, 0x0, 0x0, @remote}, 0x80, &(0x7f0000000ec0)=[{&(0x7f0000000a00)=""/246, 0xf6}, {&(0x7f0000000b00)=""/213, 0xd5}, {&(0x7f0000000c00)=""/87, 0x57}, {&(0x7f0000000c80)=""/186, 0xba}, {&(0x7f0000000d40)=""/40, 0x28}, {&(0x7f0000000d80)=""/100, 0x64}, {&(0x7f0000000e00)=""/171, 0xab}], 0x7, &(0x7f0000000f40)=""/157, 0x9d}, 0x2040) r8 = pidfd_getfd(0xffffffffffffffff, r0, 0x0) ioctl$PPPIOCDISCONN(r8, 0x7439) r9 = syz_kvm_add_vcpu$x86(0x0, &(0x7f0000001200)={0x0, &(0x7f0000001040)=[@rdmsr={0x32, 0x18, {0x4000009e}}, @wr_crn={0x46, 0x20, {0x3, 0x8}}, @rdmsr={0x32, 0x18, {0x894}}, @wrmsr={0x1e, 0x20, {0x289, 0x5}}, @cpuid={0x14, 0x18, {0x2}}, @wr_crn={0x46, 0x20, {0x8, 0x401}}, @code={0xa, 0x60, {"c4e17d159d132e0000640f3566410f21bd450fc7f466baf80cb8d07f8d82ef66bafc0cb80a800000ef0f01d12e460f472166b8dc008ec0c4a2310d9ba796000066baf80cb869598a87ef66bafc0cec"}}, @cpuid={0x14, 0x18, {0xcddcfbb, 0x200}}, @code={0xa, 0x5d, {"26f3e15843d9d948b8ffffffffff7f00000f23c80f21f835040090000f23f866470fec44e7e5450fc71e2ef3460f09450f30b9030000400f32f2f33e3e430f001b6467648394130000fffffa"}}, @uexit={0x0, 0x18, 0xfff}], 0x195}) ioctl$KVM_DIRTY_TLB(r9, 0x4010aeaa, &(0x7f0000001240)={0x7ff, 0x4e04}) ioctl$RTC_WKALM_RD(0xffffffffffffffff, 0x80287010, &(0x7f0000001280)) r10 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) getsockopt$sock_cred(r10, 0x1, 0x11, &(0x7f00000012c0), &(0x7f0000001300)=0xc) r11 = ioctl$USERFAULTFD_IOC_NEW(r8, 0xaa00) pread64(r11, &(0x7f0000001340)=""/44, 0x2c, 0x4) ioctl$KVM_CREATE_PIT2(r7, 0x4040ae77, &(0x7f0000001380)) ioctl$KDSETKEYCODE(r1, 0x4b4d, &(0x7f00000013c0)={0x7}) 3.700779074s ago: executing program 3 (id=36): madvise(&(0x7f0000000000/0x600000)=nil, 0x600722, 0x66) (async) madvise(&(0x7f0000000000/0x600000)=nil, 0x600722, 0x66) syz_clone(0x1022000, 0x0, 0xfffffffffffffc76, 0x0, 0x0, 0x0) (async) syz_clone(0x1022000, 0x0, 0xfffffffffffffc76, 0x0, 0x0, 0x0) r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs2/binder1\x00', 0x802, 0x0) syz_usb_connect$cdc_ncm(0x0, 0x72, 0x0, 0x0) r1 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000), 0x80082, 0x0) write$vga_arbiter(r1, &(0x7f0000000040)=ANY=[@ANYBLOB='lock io+eem\x00'], 0xc) (async) write$vga_arbiter(r1, &(0x7f0000000040)=ANY=[@ANYBLOB='lock io+eem\x00'], 0xc) syz_usb_connect(0x0, 0x3f, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000413b88400819151300000000000109022d00010000000009040000026bb22b000904fffffd0000000009"], 0x0) r2 = syz_usb_connect(0x0, 0x36, &(0x7f0000000cc0)=ANY=[@ANYBLOB="12010000773604202404019957c2010203010902240001000010000904430002317d5500090502020002020000090582020002"], 0x0) syz_usb_control_io(r2, 0x0, 0x0) syz_usb_control_io$printer(r2, 0x0, &(0x7f0000000900)={0x34, &(0x7f0000000200)=ANY=[@ANYBLOB="001804"], 0x0, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$cdc_ecm(r2, 0x0, 0x0) (async) syz_usb_control_io$cdc_ecm(r2, 0x0, 0x0) r3 = getpgid(0x0) syz_pidfd_open(r3, 0x0) (async) r4 = syz_pidfd_open(r3, 0x0) pidfd_send_signal(r4, 0x11, 0x0, 0x0) syz_usb_control_io$printer(r2, &(0x7f0000000340)={0x14, &(0x7f0000000280)={0x40, 0x11, 0x2, {0x2, 0xa}}, 0x0}, &(0x7f00000006c0)={0x34, &(0x7f0000000380)=ANY=[@ANYBLOB="20052a000000768e3823ea5fd679c3cc51092a6ad34d1b746be79b953c7b0a19ffb9585df1d3c133858e1f6202c0ddee"], &(0x7f0000000400)={0x0, 0xa, 0x1, 0x5f}, &(0x7f00000004c0)={0x0, 0x8, 0x1, 0x97}, &(0x7f0000000500)={0x20, 0x0, 0x2}, &(0x7f0000000600)={0x20, 0x1, 0x1, 0xc}, 0x0}) syz_usb_control_io$uac1(r2, 0x0, 0x0) (async) syz_usb_control_io$uac1(r2, 0x0, 0x0) syz_usb_control_io$cdc_ecm(r2, 0x0, &(0x7f00000003c0)={0x1c, &(0x7f0000000240)={0x20, 0x14, 0x5, "73fc843992"}, 0x0, 0x0}) read$FUSE(0xffffffffffffffff, 0x0, 0x0) lremovexattr(&(0x7f0000000700)='./file0\x00', 0x0) close_range(r0, 0xffffffffffffffff, 0x0) (async) close_range(r0, 0xffffffffffffffff, 0x0) fcntl$dupfd(r0, 0x406, r1) 3.099662112s ago: executing program 3 (id=39): r0 = socket$inet6_tcp(0xa, 0x1, 0x0) getsockopt$inet6_tcp_buf(r0, 0x6, 0x1c, &(0x7f00000000c0)=""/142, 0x0) connect$vsock_stream(0xffffffffffffffff, &(0x7f00000005c0)={0x28, 0x0, 0x2710}, 0x10) r1 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000000080), 0x20002, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x11, r1, 0x45809000) mlock(&(0x7f0000000000/0x800000)=nil, 0x800000) r2 = socket$inet_tcp(0x2, 0x1, 0x0) sendmmsg(r2, &(0x7f0000001f80)=[{{&(0x7f00000018c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x2, 0x1, 0x3, 0x3, {0xa, 0x4e22, 0x5769ea24, @empty}}}, 0x80, 0x0}}], 0x1, 0x20000000) madvise(&(0x7f0000000000/0x600000)=nil, 0x600003, 0x15) r3 = socket$nl_xfrm(0x10, 0x3, 0x6) r4 = geteuid() sendmsg$nl_xfrm(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000800)=@delpolicy={0x1098, 0x14, 0x0, 0x70bd26, 0x25dfdbff, {{@in=@dev={0xac, 0x14, 0x14, 0x22}, @in6=@mcast2, 0x4e23, 0x9, 0x4e20, 0x2, 0xa, 0x80, 0x30, 0x2f, 0x0, r4}}, [@algo_comp={0x1048, 0x3, {{'lzjh\x00'}, 0x8000, "bdf36fc5ea29d5c493732b73e6db8042b02d2b1cef8242df7f0f404133042cc88930880bb58888f0af3d2fdc855b27cf6b0912db237ee9c76dc3db38d838074a8489a26ef9874ebbbdb16ad18e06f97b4328e6beaa48c2fa47b19405c9f55a31782b02874fd512385e2c8786896d869f13d4259ff655edd206311ac6ccdeac1c28d5dccf9d0d4aa9ddceffca612e3ea72231a0dc7975df6756982eb7f2f7a016ca19f0619a40f14ef052cd35767d09baec16b97706bd32406848143fdda70f411a51ad918cb63b1c6dda4106a5f35eddf05ea8d8f61401839f8e8ab0009e5d8a0e844daadf4773ffda3ca38bb06ad38f563ed14e438688d3924428f472122f04bf24cc70509a2110e090ba7caa68b433ebdb09881ab68c33a363cd466279a7a54191273a11057a4356e6b4557b12d5b25cb076b994b79cb578f83e2eb85a313278d81aa933f55c0ddba5a1a490b942c12b61668fce6864410060d6f7c7dd2f6cd3386855c9cd67379111fc436528b699db84d8456a82104a031bcbd6426362ccdb4fca3a131d16e285fa324937ea7ff5fd4d789bedbe51f120c9e376c0d5024963da7c9e797e3532b97cd7f7185b65d09b6c2e72197489abcb2a2c80ef9cc4f29abd63519b61a35e93de926aa1789723c90d1c1e153cbdbf308bef88b5ba8439e0d73fdc34c7cbb0321e66533f717a6ba4b15244c268a627c2ef43847f8cdd7c0c1345e89c7e2bb4cd8eeed0b3dfc4fc30ec3385510ef1df7c5ea48f16386b4ba8eeb8dc2d2c812815418d788df3f6001445985a006c9f1f71cf6cdd68baa59f75d24feff8202a1dfe9aa38483880d584da1a2486a1be7896af65881e66d6bffb49a2651b8a32df7b52bd3bcd34720e09aff5458d80bace647d2532f4892f03fca638f8dcef372bf8833f751326a32ced5ee2aedb9fce584a560320a813e35047e9fbb72233b7a0ea28a9a727cb95046724a9926e73c787ce34d81a1ec728cddfb9df37e472cade8d853b1b5ee763bd8c7c05c5aa78934a990aea45e494d95bff9a5dcba2c5fe69b8d2f5550b6f461a76b80b4b852142e224960d6594adf8844859513ec84b4b797799024b9028946ca92c58a4ca6cfbf94fce1cdcb78c220df4ddd7dbf3c8d2a5fbabd654a8375165ba950c6aff02faf20b7a0f28e17ea7d048562ef78a1736c795c155b1d473b4afcdd4621927680f4bd62268f1596b38ccc7c1a11f2e38b2cc71a257202ea9ba057dbbe23410745d7d15b827235357bed6271c139665d534f02cdfc27cf421d444df0411d24456aa8ebb8c661b0ab639caba7ef975ee2150ac0294704c3c3c3006065e52f89db877d7b6e7982624fac26237fdaa063f44e740a8edf91e6caa30c6861d4e35e005776b004a329f4195142172791fb7077bd6bb9a3c2f8dc49c842920c7241ca787d50076471a61526b83dc582e71f2d368746e79e2057eeb4b0b023b0b4082c610e5f82c2a6101456c77be187f61626ad492d53728f4b6e440fe6eaec69fb92fcf94c5beaa9461b0407aff733e92dfb76bcdfe13f1ef33100925622b6d7a7b2e0489a2e699f99daa925b8560f232fbe11a135c14b50f742f55bafbdb8b0a06301d46ba826beb4893b55e64845949a516d886eec13e8fbff292c7b02a7091c39d3fc72c1d139d98f89e8bcba1f3f3015456f88a7855b4be538b8bce94c4a380179c99f74b681c9eb302fc3b5fb8c36e72d097f32a7423656aa708cc022d332786fa135bbdce10fd979bae3d7ccf161b1527317fee3fcf45b5e4c1f1805527fb46c5c411119d6cc791b7fccc132c8e46406f38cf392ffe423cf76ffaf0f1b0e066aaf042a351fc24461418dacc0a4324f590ef738d5735cfe8a929f43a1e450bdb0e2f3bd0217ee94bcd9cedf8fc92328f2e294da8a3ffafc0f65af1a77e7a17f0fa4de294215783e1188d7dbb7cac42c6798df14bf8d599c63eff04b1b9a6fd58dd13632a2181c6f04163afc9a3570dcf02c3425668b0937ff52b08f990b438b801da9268c057712eaa73001659781bdad3f76ced62d5721cbd3e49a0040d2a796392ceacd1470e298c58438045d3c1b8da591ba9a2984b386d0869f731ecd3e2d05dadab419786cd198d2fd825c3a90ccbea303b703b051f7be07d318e915a71bfb5ecfc545ac9fbffaf7c7089db161ca771d6a591e99903d1bdf31a66251c0ec836efb6d146133cff69a7e8ab07e0255deb99209c7068ce86daaef80a40333a7cfbffbdbff67754fcda9c7d49c54c77b1b9b9680faf3385dfe6cdb51d0949ca543e9f94b315521b54d2b31019715d807568c7c4999032deec1ac8890bff7253ac71aa1bacfa2af64dfd1784132c11d1eba24a8c2ee87607eea00276696c86cd53c871ecfaca60d3fae49e378c706b94760ffe8447f3677a540c9e7d90c4a6205476edf6d70070047832af4bd2ffee449ccfa783bc557663d47823ce9a4c13ef0f84eb8794eb3c0086c19cc330e703bc79bf1edc3af19a1984d9a7a079e960d8c3e7f753d91933a39b378271349ff5b17a3a2e32a102ae4587be44311409e2a2b6aecd3ec220acabf01d0dbbedd497fc96bb5153da36b0ca45cb6bd52bd28eea38b9a957318a17f47cb4576e0e25555a7becda2f7cf5ac6c16fe6af1a5351c124bd2db56d4c740eb729c09fa336359a8f32377cf82f542498b4fc3b4c109e7f880b80c29c0cde646e7b6d6d2dc30f503431fff01416ce2c410322725c91f071ff117826bfb083433a4dca8ff189bebb4f6a16125dcaa8b673eec8c1ca1a46165e258941fdbcbd47007c1c81b19d38b2fbe45b2d6cc70c6bf037ce458f2d058bb57ffe9d9157355b7c78441c725980b16b241eb4438286b212b8fcb3d77799f05970c17ef23ac20448c84e0011895c434c020c56a294b25f0e1e4e7868e6f09594448e70f89bf2c3aadcb4e9a14e5c2bd0bd2486fd71d6909b46a044f98b1b7784a3466a2fb60f3ca4765a391a8c4df5ac478e5299246a983d4e9f5e60f6897050058e93e8a36f1ac0b937ee4ccbb51b38422787d406ddb12a975b6601f5f6211efd2da4905a63241a323387ebcb13f45e419d8989a398c7d2186bee1130f7b71ff32ddaef7c8c1efaebcbf70fb1596b8d9ba8f821b3e9e042a7291b60852664fe39646243b2eb5d039e20ca58e0f34e6ceba2d3db01e9ac09ac05ad41a8c37379158616fd0f76714bc1af0f78504a2346da27c08b18b7b4467ca0aab33bc656eef342ed60ea8fc5605b9c757ade30e150585906fe29b1674412b0270d5cec618bbbe17ac6aa94f9e238120ca866ca39618fbcc9354f02300b2c199d8d628d4c241e759dd4b031defdb412d45369c7e313769109194957a78a3ff062d8b199da332cbdcbe32d5ea44cb676b2a75f52a014f2e9b9a31388c796a5fc492febf6e185241514a9ded19db3fb7219444b75bf8dd4136a47fc670781d1f0864414bab77ff8d711a22a23df92178f4bd066859e76ed9624aa4a424d8ee09ae54b60727e28bb51154595c2a00a0247cd519520b69635b55d9298d7831200d96ddaf65f7b59ecad3fdfba6558277719327051f8f7a578069b2ccc3cb8756e330ca168c14a35be01e7710e5cf201100c923472f616c10505a0b809a103b4291d678fc1f58f07da9957c3bc71b1e4619361c5460ee746e7e84e42d3168531b17ea139adf280b9602c4d206aab7ea94f498cf70e14f87043d3b9205b624497fa68ea4bec5a2053d5f58443dc4da070d94002eb34f4e6dd40826060958c6cc29a2ede9898f5e6e4a262e25596d633a44a8e9e978b17c69faaab13857f6f6ce454406ca560c2fa63d33e422056390c7edb0b0b12910966fe0e4a70350dc2612e3275ef4259d7d6a404807ec81a650306c6cfe7b0017babc05042251c2247ed37656948c348b73eb3c3d946b8f5bdf2b64687c539edebbdbcf77637e27781387193652b62670818ead253f617b8eb36a3406542bdfad44fe5deb6229b5aee9e992b2c6d185ad6f44f25684952a466a4a2d5f37547830f617aa9ad7458ac687b5ee90ed50988b988fdcdfde65db8446246e0c0f6f283d1395be120b766d81ff2fb4afafcc7be6402ebb33033a3b021c3a0336fe2c97cceab78addbf3adf54392b220004d5fd89680a1bfbb490af48f6fa5d5a6d74563d25776a06b983157c7e25fbee81c0125d73be514487fc3b75e6d20f62893d56c43d670f5dd588b78fec34b6f3de3bcac6b3c93bbd92d9e93b10e17a4e51d4f94faebc98ebd249151e1fba9030ffed2a6e201d0d665ec04edc0fae8a97fad9438084512c72e21421ffd3ec3a7cccbd9f3a46ab6940819610657144f00df3591e8067e0580f7fe415a0679163e26b1a33078fd0a36f3fbb75efaf8a1e0f87e0238106d2a0582fae22a2779a57c42cd6ca7fe694e27e98c2ebe0590f2781b7f2602805f0004682ab29970b9d07aed615fb4ce07f75cc992c6c2cb200207dc2e6fbed42508f153e93c44b3d5ecbd9bffa4be0cd58512049eaf1fa728f34581c6936ebfdd678a0dfd1c217ac0202377df8538e48cb7a2ee8c03ddd57132a94ae02a151d487eb8cd68db25fcf56789e17480308d97ab65792134d8186e9c8b712918b092497c161c3ac32a0074a946837eb6447bdf8d2c7013ba6884864637a2a789ea6d81ac7be9ea6c7459a44e2815250d57326c19510a4f787b2b7b19cfb2de5de25aa37800053d2724678546c5f0218f68bfaa8385ffc018a65e0d3fe525d7b21fdc394e4c5c101eff4b325e0a29bcc6ba76c431044c3aef9f1cdec02c417bbb5764ba61c55ecb04b0f6762357a37ee62e1a6a3254fa80e39dd014fa36bdab5c3403b3e5ae7f64ecb561644c2f74f48946b3244a703ba58da3e955aadf33e282b320867f32875c4b189a0511021a8b4f4df6bdaa65706bb56183c0a1e01a696357713f6dd85a546422cfd0bb2ca6129f8e1809fbafec7118fce89c29d66baaf04edb054486592617786bca8f9dd9d101ae313408385f262f5399a5494f1ec8e1899bf17ff9c4a26a824be4442f53a3cc61265396f4fbaca2cae17a9a77bceb92502da361f6a995c7763f77ea57b26e8bc91eed5f522ea3d1d9337e2a2be240b68a54883841aa9011f9a107114fe4f87e9521ac0fb33860fedef934dcdeb7bef4ceff898c5f258e59eddddf868cf81a6e5fc21b4e69dfc0d15bc44677028d3566edad1feb29523bdaea17e75220e760dbd5310eead9aa37c2e7ad024545ad772d99b3dd2acd6a1dcfb51d8ed2edad9f89801d6eae68bfb61a50a88c7e2d82418dcfacf6c1128f2205261b543b8e427a1e315e689c366a20172f43d2d8975a15d073b420fb4e9929b6cbd1d55ac5d61069fc23601848250845bea15e1011636c3fc18c99be15357c48a914b9c9c12fa300c61553946e85c77f40f37d8d8f0f7eb8e9aaa50c645cd6d29ec048047beb3c1c1fe7d809da18de6ee0e5db035c80cb1f1d129b047b8cf2ced14ddcc5ada999843269e1b4a95465f99680e83fb3f66ee2eb17cd28f89ea4d45882485df204c515273a19da96af9e0a8568f7ae386b55fcc9023a1c53a706e539e10a0b68241d9e269730a5eaea6ae238f757cd77f79a7fb70e805a46e9c8360e190c0c6f017332a45ee4e276075abcec94ddbb136868f7ee3b7e340d33c36611c7cbe421ab696fa73ade4bbc9273c0d53a158af8399eae21e544161c9a57d578948f014d8ce35b8398fe9136f426cca0217cb48da858c48983a2939fa57020e0c4b2612b9cb3b9357f36fe2e81ebdecc6ab59ae32b92"}}]}, 0x1098}, 0x1, 0x0, 0x0, 0x880}, 0x0) r5 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000080), 0x1c0002, 0x0) write$vga_arbiter(r5, &(0x7f00000001c0)=ANY=[], 0xc) r6 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000180)='rdma.current\x00', 0x0, 0x0) mmap$binder(&(0x7f000008f000/0x3000)=nil, 0x3000, 0x1, 0x11, r6, 0x8) r7 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0) syz_usb_control_io$hid(r7, 0x0, 0x0) syz_usb_control_io$hid(r7, &(0x7f0000000580)={0x24, 0x0, 0x0, &(0x7f0000000500)={0x0, 0x22, 0x1, {[@global=@item_012={0x0, 0x1, 0x8}]}}, 0x0}, 0x0) syz_usb_ep_write(r7, 0x81, 0xffffff75, &(0x7f00000002c0)="b9425b44651dd23241963599000000110000004a16941ff5f4b4f1f0add7fcf2b877fceafffffffffff1ffdf4cd9f5d3969890522c77157d88010000003a5bd5531d459dffff03000000000091ff000000e8f5b3371da3635b8b4fa637135800001f65e4b436aa9e50bc0f19b7d3372ff9ebcede1fb5e9428f54d5d1f0cc752cf246a5d2da34a5aa97dc14a469c3dd3e26b41c356484e46fd66e3f2c7807e8773eed7b94fa099ab84feadec2ea95f65bba452eae5b0900f98a979a88c517a2dc360a00237723e2f467af706ea17226296b3a10a351cb47aba2c6b836c90679b4dd859ddc9e4800448aab0000000000000d75f34bb50d8d7084") syz_usb_control_io$hid(r7, &(0x7f0000000300)={0x24, &(0x7f00000001c0)={0x0, 0xe, 0x6f, {0x6f, 0x21, "705084224504c3d450a041ec6d81d39645e001b2c6fcf8e7dc6da72b43702b3a79c26f0acea57c022a3bd3fb671f9c18ff5febe26b424fa6df7d14ca8b4927ec7b2a27f462a96b7dcfbb87544a284d3e1fdeb30aaaf80dfee0b6a93ba99ab5aad40057df5a695b3e484eb12e3b"}}, &(0x7f0000000240)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x40f}}, &(0x7f0000000280)={0x0, 0x22, 0x12, {[@main=@item_012={0x1, 0x0, 0xc, "82"}, @main=@item_012={0x1, 0x0, 0xb, 'R'}, @local=@item_012={0x2, 0x2, 0x2, "72b0"}, @main=@item_4={0x3, 0x0, 0x0, "af31e82b"}, @local=@item_012={0x0, 0x2, 0x4}, @global=@item_4={0x3, 0x1, 0x7, "079937ea"}]}}, &(0x7f00000002c0)={0x0, 0x21, 0x9, {0x9, 0x21, 0x1, 0xd2, 0x1, {0x22, 0xa18}}}}, &(0x7f0000000540)={0x2c, &(0x7f0000000340)={0x0, 0x1, 0x50, "2d021e83fd04b4f93de177330e03706d1c99614556f4de50117f5c1d29901f4e38077c017985d1b3398ee90d3c7455b780e6d0c14e89f487bad327af1337bc609aaa77e855cc69c7f1deff0844a5bc74"}, &(0x7f00000003c0)={0x0, 0xa, 0x1, 0x16}, &(0x7f0000000400)={0x0, 0x8, 0x1}, &(0x7f0000000440)={0x20, 0x1, 0x82, "44d709962be440c14956c72f9a7a0bf3e57a8e02076f1d29065f4a24f5885e42df8b2bf9c90afa7de63a535b5e15720b4cafbacc79cceb46ceaabdc9772005c7518188498138c054dcd19cc6f9d74aebac4ce78f9291569cf4984183969eea7f381a2f11a5ee0bd6becc4ad8c5909e0920709c15df796c3cbaffa6e305c31c1a4334"}, &(0x7f0000000500)={0x20, 0x3, 0x1, 0x7}}) syz_open_procfs(0x0, 0x0) bind$bt_hci(0xffffffffffffffff, 0x0, 0x0) bind$inet(0xffffffffffffffff, 0x0, 0x0) r8 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000000000), 0x1cbd81, 0x0) ioctl$BLKRRPART(r8, 0x125f, 0x0) 2.160992337s ago: executing program 1 (id=48): r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x60a00, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x6, 0x12, r0, 0x1f972000) (async) sendmmsg$inet(0xffffffffffffffff, &(0x7f0000001540)=[{{0x0, 0xfffffffffffffda1, 0x0}}], 0x40001b6, 0x0) (async) close(0xffffffffffffffff) r1 = syz_usb_connect$cdc_ecm(0x0, 0x4d, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x2, 0x0, 0x0, 0x40, 0x525, 0xa4a1, 0x40, 0x0, 0x0, 0xffffffffffff8001, 0x1, [{{0x9, 0x2, 0x3b, 0x1, 0x1, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x12, 0x2, 0x6, 0x0, 0x0, {{0x5}, {0x5}, {0xd}}, {[], {{0x9, 0x5, 0x82, 0x2, 0x200}}, {{0x9, 0x5, 0x3, 0x2, 0x200}}}}}]}}]}}, &(0x7f0000001400)={0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$cdc_ecm(r1, 0x0, 0x0) (async) syz_usb_control_io$cdc_ecm(r1, 0x0, 0x0) (async) syz_usb_control_io$cdc_ecm(r1, &(0x7f0000000080)={0x14, 0x0, &(0x7f0000000040)={0x0, 0x3, 0x1a, {0x1a}}}, 0x0) (async) syz_usb_ep_write(r1, 0x82, 0x5, &(0x7f0000002340)='hello') (async) madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x1) (async) r2 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0) ioctl$TCSETS(r2, 0x40045431, &(0x7f0000000200)={0x0, 0x0, 0x0, 0x0, 0x0, "7f12ddc1517600000000000000000000000002"}) (async) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe) (async) mlock(&(0x7f0000000000/0x800000)=nil, 0x800000) 1.403186068s ago: executing program 1 (id=52): r0 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000002dc0)=ANY=[@ANYBLOB="bc010000190001000000000000000000fe8000000000000000000000000000bbfc02000000000000000000000000000000000000000000000a00000000000000", @ANYRES32=0x0, @ANYRES32, @ANYBLOB="00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000230000000300000000000000000000000000000000000000000000001100000000000000000000000000000000000000000000000100000000000000040105007f0000010000ff000000000000000000000000003c00000000000000ac1e00010000000000000000000000000000000000000000000000000000000040000000fc000000000000000000000000000000000000003300000000000000ac1414aa0000000000000000000000000000003401ca2e7802"], 0x1bc}}, 0x0) (async) openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x1802, 0x0) (async) r1 = timerfd_create(0x0, 0x0) timerfd_settime(r1, 0x3, &(0x7f0000000140), 0x0) (async) clock_adjtime(0x6, &(0x7f0000000000)={0xffff, 0x2, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3b9ac9ff, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfc}) (async, rerun: 32) r2 = openat$kvm(0x0, &(0x7f0000000000), 0x0, 0x0) (rerun: 32) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) (async) mprotect(&(0x7f0000000000/0xf000)=nil, 0xf000, 0x1) (async) r4 = socket$inet_tcp(0x2, 0x1, 0x0) getsockopt$sock_cred(r4, 0x1, 0x11, &(0x7f0000000000), &(0x7f0000000080)=0xffffffffffffffca) r5 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000080)=ANY=[@ANYBLOB="12010000090024206d041cc340000000000109022400010000a00009040000010301010009210008000122010009058103"], 0x0) (async, rerun: 32) socket$nl_sock_diag(0x10, 0x3, 0x4) (rerun: 32) r6 = socket$netlink(0x10, 0x3, 0x0) sendmsg$netlink(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000001f00)=ANY=[@ANYBLOB="200000005e00250e00000000000000000c000080eec47c8e670527ab04000180"], 0x20}], 0x1}, 0xc0) (async) recvmmsg(r6, &(0x7f00000010c0)=[{{0x0, 0x0, 0x0}, 0x1}, {{0x0, 0x0, 0x0}, 0xfff}, {{0x0, 0x0, 0x0}, 0x17f887e6}, {{0x0, 0x0, 0x0}, 0x5}], 0x4, 0x40012020, 0x0) (async) syz_genetlink_get_family_id$nl80211(&(0x7f0000000240), r6) syz_usb_control_io(r5, 0x0, 0x0) (async) syz_usb_control_io(r5, 0x0, 0x0) openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000180), 0x10402) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000180)) (async) r7 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000000)={'xfrm0\x00', 0x0}) r9 = socket$packet(0x11, 0x3, 0x300) sendto$packet(r9, &(0x7f0000000180)='`', 0x500, 0x0, &(0x7f0000000240)={0x3b, 0x0, r8, 0x1, 0x0, 0x6, @local}, 0x14) (async) syz_usb_control_io(r5, 0x0, 0x0) (async) syz_usb_control_io$hid(r5, 0x0, 0x0) (async) syz_usb_control_io(r5, &(0x7f0000000540)={0x2c, &(0x7f0000000300)=ANY=[@ANYBLOB="e309000300000041256fbf9faf79d488d1f76cb4ba1092066e47f98ce4cab022032f0ffde8d0588fe59b710d3aef0e588b31337b79fe2e3b0101000000000000329650c0a461554c"], 0x0, 0x0, 0x0, 0x0}, 0x0) (async) ioctl$KVM_X86_SET_MSR_FILTER(r3, 0x4188aec6, &(0x7f0000000a40)={0x1, [{0x0, 0x0, 0x800, 0x0}, {0x2, 0x0, 0x2128ddc7, 0x0}, {0x1, 0x0, 0x3, 0x0}, {0x2, 0x0, 0x1, 0x0}, {0x1, 0x0, 0x2, 0x0}, {0x2, 0x0, 0xe593, 0x0}, {0x1, 0x0, 0x7, 0x0}, {0x0, 0x0, 0x0, 0x0}, {0x3, 0x0, 0x6ac8, 0x0}, {0x1, 0x0, 0x1, 0x0}, {0x0, 0x0, 0x7ff, 0x0}, {0x0, 0x0, 0x3, 0x0}, {0x3, 0x0, 0x2, 0x0}, {0x1, 0x0, 0xffffff81, 0x0}, {0x2, 0x0, 0x9, 0x0}, {0x0, 0x0, 0x8, 0x0}]}) syz_kvm_setup_syzos_vm$x86(r3, &(0x7f0000c00000/0x400000)=nil) 1.332030683s ago: executing program 0 (id=53): r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x7cab6ced6415608, 0x3}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000240)={0x4, 0x0, &(0x7f0000000200)=[@enter_looper], 0x50, 0x0, &(0x7f0000000580)="de547e22bade76f1a03b79e954ee20bc43f7fe47218a02ff8ba942478a7b69462fc21aff55002ce55e854564e7d309f20d222f9220c8d9b1b0d196137252587ab17948adf2dcbba03d2f3e0e647c2e70"}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x44, 0x0, &(0x7f0000000380)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x56, 0x0, &(0x7f0000000400)="8b0b4c404981a6ef39f577efb9c2c64f47b576cec3dab5adbd25d802c31aa20f47283d909cfc1520a8ebb223d441539406505ea001848d180490b7a70bc561639b136ecae6c156d04957009916c1b24ba79c86ea0683"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0xfffffffffffffd6a, 0x0, &(0x7f00000004c0), 0x0, 0x0, 0x0}) r1 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f0000000040), 0x2, 0x0) ioctl$VHOST_SET_VRING_BUSYLOOP_TIMEOUT(r1, 0x4008af23, &(0x7f0000000080)={0x2, 0x7}) 1.324286004s ago: executing program 1 (id=54): r0 = socket$inet6(0xa, 0x2, 0x0) (async) r1 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="12013f00000000407f04ffff000000000001090224000100000000090400001503000000092140000001220f00090581d7"], 0x0) syz_usb_control_io$hid(r1, 0x0, 0x0) (async) syz_usb_control_io$hid(r1, &(0x7f00000002c0)={0x24, 0x0, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00220f000000540b4550182195f57584839e3ce07964cc7e175284e92477d1757d8a0bd242697d249d589c37762a4ca738e77843883e43f282d6e10d164a285192e7a439272dfcb1c75485176833bcadcfbfdf038bb2c4762c820a11e50899ba3690b27d676b278fccf0f12b83dea9944900"/124], 0x0}, 0x0) r2 = syz_open_dev$hiddev(&(0x7f0000000540), 0x0, 0x0) ioctl$HIDIOCGFIELDINFO(r2, 0xc038480a, &(0x7f0000000080)={0x1, 0x200, 0x10ac, 0x4, 0x7, 0x82, 0x4, 0x5, 0x1, 0x6, 0x7, 0x3ff, 0x1, 0x54}) (async, rerun: 32) setsockopt$inet6_MCAST_JOIN_GROUP(r0, 0x29, 0x6, &(0x7f0000000140)={0x11, {{0x29, 0x0, 0x4000000, @local}}}, 0x88) (async, rerun: 32) r3 = socket$pppl2tp(0x18, 0x1, 0x1) (async, rerun: 32) r4 = socket(0xa, 0x3, 0x87) (rerun: 32) r5 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f0000000080)={'lo\x00', 0x0}) ioctl$sock_inet6_SIOCSIFADDR(r4, 0x8916, &(0x7f0000000180)={@private1, 0x18, r6}) (async) connect$pppl2tp(r3, &(0x7f0000000000)=@pppol2tp={0x18, 0x1, {0x0, r3, {0x2, 0x4e24, @private=0xa0100ff}, 0x2, 0x0, 0x2, 0x1}}, 0x26) (async) ioctl$BINDER_SET_CONTEXT_MGR_EXT(0xffffffffffffffff, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x0, 0x3}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, 0x0) r7 = socket$inet6(0x10, 0x3, 0x0) ioctl$sock_ipv6_tunnel_SIOCADDTUNNEL(r7, 0x89f1, &(0x7f0000000100)={'ip6_vti0\x00', &(0x7f0000000200)={'syztnl2\x00', 0x0, 0x29, 0x2, 0x6, 0xfffffffe, 0x4, @private1, @private2, 0x1, 0x80, 0x2a, 0x4}}) (async) r8 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x1802, 0x0) r9 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$SO_TIMESTAMP(r9, 0x1, 0x1d, &(0x7f00000000c0)=0x4, 0xd) (async) getsockopt$SO_TIMESTAMP(r9, 0x1, 0x1d, 0x0, &(0x7f0000000080)) (async, rerun: 64) r10 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000100), 0x183001, 0x0) (rerun: 64) write$cgroup_subtree(0xffffffffffffffff, 0x0, 0x32600) (async) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, 0xffffffffffffffff, 0x0) (async) r11 = epoll_create1(0x80000) epoll_ctl$EPOLL_CTL_ADD(r11, 0x1, r10, &(0x7f0000000000)={0xa0002004}) (async) close_range(r8, 0xffffffffffffffff, 0x0) 513.769069ms ago: executing program 0 (id=56): r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x141342, 0x0) (async) r1 = socket$packet(0x11, 0x2, 0x300) setsockopt$packet_int(r1, 0x107, 0xa, &(0x7f0000000080)=0x1, 0x4) (async) setsockopt$packet_rx_ring(r1, 0x107, 0x5, &(0x7f0000000140)=@req3={0x1000, 0x3a, 0x1000, 0x3a, 0x800, 0x2, 0x4}, 0x1c) r2 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000340)={'veth0_to_hsr\x00', 0x0}) sendto$packet(r2, &(0x7f0000000100)="9c9e3aec1d9f", 0x6, 0x0, &(0x7f0000000200)={0x11, 0x88a8, r3, 0x1, 0xe0}, 0x14) (async) sendfile(r0, r0, 0x0, 0xd) 449.352895ms ago: executing program 0 (id=57): r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x100, 0x0) mmap(&(0x7f00000e7000/0x1000)=nil, 0x1000, 0x6, 0x12, r0, 0xe5444000) r1 = socket(0x10, 0x803, 0x0) ioctl$sock_SIOCETHTOOL(r1, 0x8946, &(0x7f00000002c0)={'veth0_to_team\x00', &(0x7f0000000000)=@ethtool_channels={0x3d, 0x0, 0x0, 0x0, 0x0, 0x1, 0x1}}) syz_kvm_setup_syzos_vm$x86(0xffffffffffffffff, &(0x7f0000131000/0x400000)=nil) madvise(&(0x7f0000363000/0x4000)=nil, 0x4000, 0x17) socket$xdp(0x2c, 0x3, 0x0) socket$inet6_udplite(0xa, 0x2, 0x88) r2 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r2, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c) openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x100, 0x0) (async) mmap(&(0x7f00000e7000/0x1000)=nil, 0x1000, 0x6, 0x12, r0, 0xe5444000) (async) socket(0x10, 0x803, 0x0) (async) ioctl$sock_SIOCETHTOOL(r1, 0x8946, &(0x7f00000002c0)={'veth0_to_team\x00', &(0x7f0000000000)=@ethtool_channels={0x3d, 0x0, 0x0, 0x0, 0x0, 0x1, 0x1}}) (async) syz_kvm_setup_syzos_vm$x86(0xffffffffffffffff, &(0x7f0000131000/0x400000)=nil) (async) madvise(&(0x7f0000363000/0x4000)=nil, 0x4000, 0x17) (async) socket$xdp(0x2c, 0x3, 0x0) (async) socket$inet6_udplite(0xa, 0x2, 0x88) (async) socket$xdp(0x2c, 0x3, 0x0) (async) setsockopt$XDP_UMEM_REG(r2, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c) (async) 448.802275ms ago: executing program 2 (id=58): r0 = syz_init_net_socket$bt_rfcomm(0x1f, 0x1, 0x3) getsockopt$SO_COOKIE(r0, 0x1, 0x39, &(0x7f0000000140), &(0x7f0000000180)=0x8) getsockopt(r0, 0xe, 0x200, &(0x7f0000000000)=""/45, &(0x7f0000000040)=0x2d) r1 = syz_clone(0x18040, 0x0, 0x0, 0x0, 0x0, 0x0) setsockopt$bt_rfcomm_RFCOMM_LM(r0, 0x12, 0x3, &(0x7f0000000100)=0x2, 0x4) socket$nl_audit(0x10, 0x3, 0x9) (async) r2 = socket$nl_audit(0x10, 0x3, 0x9) ioctl$sock_SIOCETHTOOL(r2, 0x8946, &(0x7f0000000380)={'team_slave_0\x00', &(0x7f00000000c0)=@ethtool_rxnfc={0x28, 0x3, 0x0, {0x10, @ether_spec={@local, @remote, 0x1ff}, {0x0, @random="cc80348623a4", 0x0, 0x8000, [0x2, 0x2]}, @udp_ip6_spec={@dev={0xfe, 0x80, '\x00', 0x28}, @mcast1, 0x4e22, 0x4e22, 0x9c}, {0x0, @broadcast, 0x3, 0x0, [0x3, 0x5]}, 0xfffffffffffffffe, 0x1}}}) (async) ioctl$sock_SIOCETHTOOL(r2, 0x8946, &(0x7f0000000380)={'team_slave_0\x00', &(0x7f00000000c0)=@ethtool_rxnfc={0x28, 0x3, 0x0, {0x10, @ether_spec={@local, @remote, 0x1ff}, {0x0, @random="cc80348623a4", 0x0, 0x8000, [0x2, 0x2]}, @udp_ip6_spec={@dev={0xfe, 0x80, '\x00', 0x28}, @mcast1, 0x4e22, 0x4e22, 0x9c}, {0x0, @broadcast, 0x3, 0x0, [0x3, 0x5]}, 0xfffffffffffffffe, 0x1}}}) mount$binderfs(0x0, &(0x7f0000000080)='./binderfs\x00', 0x0, 0x2010860, &(0x7f0000000200)=ANY=[@ANYBLOB="636f6e746578743d73792274656d5f75dd47d0b9"]) (async) mount$binderfs(0x0, &(0x7f0000000080)='./binderfs\x00', 0x0, 0x2010860, &(0x7f0000000200)=ANY=[@ANYBLOB="636f6e746578743d73792274656d5f75dd47d0b9"]) setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, &(0x7f00000000c0)='lo\x00', 0x10) sched_setscheduler(r1, 0x5, &(0x7f00000001c0)=0x9) 448.502725ms ago: executing program 0 (id=59): pipe2$9p(0x0, 0x0) r0 = openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000000), 0x40000, 0x0) readv(r0, &(0x7f0000000040)=[{&(0x7f0000000140)=""/4096, 0x1000}], 0x1) r1 = gettid() tkill(r1, 0x21) ioprio_set$pid(0x1, 0x0, 0x0) sched_setattr(0x0, &(0x7f0000000100)={0x38, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0x0) fcntl$setstatus(r0, 0x4, 0x800) r2 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000000080), 0x8803, 0x0) openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$BLKRRPART(r2, 0x125f, 0x0) pipe2$9p(0x0, 0x0) (async) openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000000), 0x40000, 0x0) (async) readv(r0, &(0x7f0000000040)=[{&(0x7f0000000140)=""/4096, 0x1000}], 0x1) (async) gettid() (async) tkill(r1, 0x21) (async) ioprio_set$pid(0x1, 0x0, 0x0) (async) sched_setattr(0x0, &(0x7f0000000100)={0x38, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0x0) (async) fcntl$setstatus(r0, 0x4, 0x800) (async) openat$rnullb(0xffffffffffffff9c, &(0x7f0000000080), 0x8803, 0x0) (async) openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) (async) ioctl$BLKRRPART(r2, 0x125f, 0x0) (async) 436.074255ms ago: executing program 0 (id=60): r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000100)='mountinfo\x00') mkdir(&(0x7f0000000040)='./file0\x00', 0x1) mkdirat(0xffffffffffffff9c, &(0x7f0000000340)='./file1\x00', 0x0) socket$xdp(0x2c, 0x3, 0x0) mkdir(&(0x7f0000000300)='./bus\x00', 0x0) mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x1000000, &(0x7f0000000140)={[{@upperdir={'upperdir', 0x3d, './file1'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@workdir={'workdir', 0x3d, './bus'}}, {@default_permissions}]}) read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020) 432.939516ms ago: executing program 2 (id=61): r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x180, 0x3}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) r1 = socket$inet6(0xa, 0x80803, 0x84) getsockopt$inet6_int(r1, 0x29, 0x50, 0x0, &(0x7f00000003c0)) mmap(&(0x7f00005ca000/0x3000)=nil, 0x3000, 0xf, 0x4008031, 0xffffffffffffffff, 0x0) r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x0, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000040)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 417.390657ms ago: executing program 0 (id=62): r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000040)='./binderfs2/custom0\x00', 0x1002, 0x0) mount$tmpfs(0x0, &(0x7f00000000c0)='./cgroup\x00', &(0x7f0000000100), 0x81, &(0x7f0000000200)={[{@nr_inodes={'nr_inodes', 0x3d, [0x74]}}]}) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000140), 0x62081, 0x0) ioctl$TIOCSETD(r1, 0x5423, &(0x7f0000000000)=0x11) syz_usb_connect(0x1, 0x24, &(0x7f0000000100)=ANY=[], 0x0) close_range(r0, 0xffffffffffffffff, 0x0) 372.009701ms ago: executing program 2 (id=63): r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0) openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='blkio.bfq.io_serviced_recursive\x00', 0x275a, 0x0) (async) r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='blkio.bfq.io_serviced_recursive\x00', 0x275a, 0x0) mmap(&(0x7f0000002000/0x3000)=nil, 0x3000, 0x0, 0x12, r1, 0x0) (async) mmap(&(0x7f0000002000/0x3000)=nil, 0x3000, 0x0, 0x12, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x1380, 0x3}) getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f00000001c0)={0x0, 0x0}, &(0x7f0000000200)=0xc) getsockopt$inet6_IPV6_IPSEC_POLICY(r1, 0x29, 0x22, &(0x7f0000000300)={{{@in6=@private0, @in6=@dev}}, {{@in6=@mcast1}, 0x0, @in6=@mcast1}}, &(0x7f0000000240)=0xe8) (async) getsockopt$inet6_IPV6_IPSEC_POLICY(r1, 0x29, 0x22, &(0x7f0000000300)={{{@in6=@private0, @in6=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast1}, 0x0, @in6=@mcast1}}, &(0x7f0000000240)=0xe8) mount$overlay(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000100), 0x20081c, &(0x7f0000000400)={[{@redirect_dir_on}, {@redirect_dir_on}, {@redirect_dir_follow}, {@workdir={'workdir', 0x3d, './file0'}}], [{@euid_lt={'euid<', r2}}, {@seclabel}, {@smackfsdef}, {@fscontext={'fscontext', 0x3d, 'system_u'}}, {@fowner_eq={'fowner', 0x3d, r3}}]}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000940)={0x4c, 0x0, &(0x7f0000000000)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x7624f2802272dfee, 0x0, 0x0, 0x70, 0x18, &(0x7f0000000280)={@ptr={0x70742a85, 0x0, 0x0, 0x0, 0x40000000000000, 0x16}, @ptr={0x70742a85, 0xfffffffc, &(0x7f00000029c0)=""/201, 0xc9, 0x1, 0x14}, @fda={0x66646185, 0x6, 0x1, 0x21}}, &(0x7f0000000180)={0x0, 0x28, 0x50}}, 0x400}], 0x0, 0x0, 0x0}) 371.71736ms ago: executing program 2 (id=64): mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000000340)='./file1\x00', 0x0) mkdir(&(0x7f00000004c0)='./bus\x00', 0x0) mount$overlay(0x0, &(0x7f0000000140)='./bus\x00', &(0x7f0000000000), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]}) r0 = openat$dir(0xffffffffffffff9c, &(0x7f0000000400)='./bus\x00', 0x200000, 0x3b) mknodat(r0, &(0x7f00000003c0)='./file0\x00', 0x0, 0x0) chdir(&(0x7f00000000c0)='./bus\x00') r1 = openat(0xffffffffffffff9c, &(0x7f0000000040)='.\x00', 0x0, 0x2) mkdir(&(0x7f0000000240)='./bus\x00', 0x0) renameat2(r1, &(0x7f00000001c0)='./file0\x00', r1, &(0x7f0000000200)='./bus/file0\x00', 0x0) r2 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000000080), 0x20002, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x11, r2, 0x45809000) syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0) r3 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000000000), 0x1cbd81, 0x0) ioctl$BLKRRPART(r3, 0x125f, 0x0) 210.099964ms ago: executing program 2 (id=65): r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f00000000c0)={0x73622a85, 0x110b, 0x8000000000002}) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000040)='./binderfs2/custom1\x00', 0x0, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0}) r2 = dup3(r1, r0, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0x20, 0x0, &(0x7f0000000100)=[@acquire, @clear_death={0x400c630f, 0x3}, @decrefs={0x40046307, 0x2}], 0x0, 0x0, 0x0}) 208.254984ms ago: executing program 1 (id=66): mount(&(0x7f0000000080)=@nullb, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000240)='vfat\x00', 0x200000, 0x0) 206.859554ms ago: executing program 1 (id=67): mkdir(&(0x7f0000000040)='./file0/file0\x00', 0xd) mkdir(&(0x7f0000000300)='./bus\x00', 0x0) mkdir(&(0x7f0000000400)='./file1\x00', 0x0) mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000340), 0x0, &(0x7f00000001c0)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]}) r0 = creat(&(0x7f0000000440)='./file0/file0\x00', 0x0) chdir(&(0x7f0000000480)='./bus\x00') ftruncate(r0, 0x2) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$unix(r1, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f00000001c0)='\x00', 0x1}], 0x1, &(0x7f00000000c0)=ANY=[@ANYBLOB="14000000000000000100000001"], 0x18}, 0x0) prlimit64(0x0, 0x7, &(0x7f0000000300), 0x0) sendmmsg$unix(r1, &(0x7f0000005400)=[{{0x0, 0x0, &(0x7f0000000200)=[{&(0x7f0000000100)='+', 0x1}], 0x1, &(0x7f0000000880)=ANY=[@ANYBLOB="14000000000000000100000001"], 0x18}}], 0x1, 0x11) lsetxattr$trusted_overlay_redirect(&(0x7f0000000880)='./file0\x00', &(0x7f00000008c0), 0x0, 0x0, 0x3) inotify_add_watch(0xffffffffffffffff, 0x0, 0x0) r2 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000000080), 0x8803, 0x0) ioctl$BLKRRPART(r2, 0x125f, 0x0) 206.610024ms ago: executing program 2 (id=68): r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000000040), 0x60a00, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x6, 0x12, r0, 0x57789000) (async) mkdirat(0xffffffffffffff9c, &(0x7f0000002000)='./file0\x00', 0x0) madvise(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0xe) symlink(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)='./file0\x00') (async) mlock(&(0x7f0000000000/0x800000)=nil, 0x800000) 180.120366ms ago: executing program 32 (id=68): r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000000040), 0x60a00, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x6, 0x12, r0, 0x57789000) (async) mkdirat(0xffffffffffffff9c, &(0x7f0000002000)='./file0\x00', 0x0) madvise(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0xe) symlink(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)='./file0\x00') (async) mlock(&(0x7f0000000000/0x800000)=nil, 0x800000) 155.420138ms ago: executing program 1 (id=70): openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x1802, 0x0) r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000080), 0x1c1341, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller0\x00', 0x84aebfbd6349b7f2}) r1 = openat$tun(0xffffffffffffff9c, &(0x7f0000000500), 0x400, 0x0) close(r1) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000040)={0xffffffffffffffff}) ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @link_local}) r3 = socket$nl_generic(0x10, 0x3, 0x10) r4 = syz_genetlink_get_family_id$tipc(&(0x7f0000000200), 0xffffffffffffffff) sendmsg$TIPC_CMD_ENABLE_BEARER(r3, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000680)=ANY=[@ANYBLOB='8\x00\x00\x00', @ANYRES16=r4, @ANYBLOB="010000000d0000000000010000000000000001410000001c001700000000000000006574683a73797a6b616c6c657230"], 0x38}}, 0x0) close_range(r2, r3, 0x0) 0s ago: executing program 3 (id=71): r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000100)='./binderfs/binder0\x00', 0x802, 0x0) r1 = socket$inet6_udp(0xa, 0x2, 0x0) setsockopt$inet6_buf(r1, 0x29, 0x23, &(0x7f0000000000)="31a15332938f7bd53c804648c6af344a7aabaf11bbcc8bdacf09e294161eae3db93a1e635b5007ea868317c1bb202a99e68d4f7ec15a7cc415f8b6db3bc571854d56d2fd80d933417a54ee7702e5ba97728fa002a003afcca3114ea440169f5898800bc8bce40f5260f2e5b10b6b32b120a8e9156672f243d9901235958a5e1df051cfc12569b86a9e89d79399a85394af80ebf77ef1003884df8f06922bbe08321cdd023049d6c5", 0xa8) r2 = syz_open_dev$usbmon(&(0x7f0000000080), 0x0, 0x0) syz_open_dev$usbmon(&(0x7f0000000040), 0x5, 0x10b900) ioctl$FS_IOC_READ_VERITY_METADATA(r2, 0xc0286687, 0x0) close_range(r0, 0xffffffffffffffff, 0x0) 0s ago: executing program 1 (id=74): mount(&(0x7f0000000000)=@sg0, &(0x7f00000000c0)='./cgroup\x00', &(0x7f0000000040)='omfs\x00', 0x20800, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(0xffffffffffffffff, 0x4018620d, &(0x7f00000000c0)={0x73622a85, 0x110b, 0x8000000000002}) (async) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000200)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0}) (async) r2 = dup3(r1, 0xffffffffffffffff, 0x0) r3 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder0\x00', 0x802, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r3, 0x4018620d, &(0x7f0000000040)={0x73622a85, 0x10a}) (async) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0x20, 0x0, &(0x7f0000000100)=[@acquire, @clear_death={0x400c630f, 0x3}, @decrefs={0x40046307, 0x2}], 0x0, 0x0, 0x0}) openat$binderfs(0xffffffffffffff9c, 0x0, 0x1803, 0x0) ioctl$UI_END_FF_UPLOAD(0xffffffffffffffff, 0x406855c9, 0x0) (async) openat$selinux_mls(0xffffffffffffff9c, 0x0, 0x0, 0x0) (async) r4 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440), 0x0, 0x0) r5 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0) ioctl$KVM_CAP_SPLIT_IRQCHIP(r5, 0x4068aea3, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1000003, 0x13, r6, 0x0) ioctl$sock_SIOCETHTOOL(0xffffffffffffffff, 0x8946, &(0x7f0000000080)={'veth0_to_bond\x00', &(0x7f0000000100)=@ethtool_perm_addr={0x20, 0x21, "b96fd02f51155d72d46b513227a9d4e5c821d84a2832a63ec0448ea50e87a4e575"}}) setsockopt$inet6_IPV6_HOPOPTS(0xffffffffffffffff, 0x29, 0x36, &(0x7f0000000340)=ANY=[], 0x8) (async) ioctl$KVM_RUN(r6, 0xae80, 0x0) r7 = socket(0x2c, 0x5, 0xc) listen(r7, 0x0) r8 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000001c0), 0x240, 0x0) ioctl$TIOCSETD(r8, 0x5423, &(0x7f0000000000)=0xf) ioctl$TCFLSH(r8, 0x400455c8, 0x4) (async) r9 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000040), 0x801, 0x0) write$rfkill(r9, &(0x7f0000000240)={0x0, 0x4, 0x3, 0x2, 0x1}, 0x8) r10 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r10, 0xae60) kernel console output (not intermixed with test programs): [ 14.241686][ T36] audit: type=1400 audit(1755434650.290:62): avc: denied { rlimitinh } for pid=229 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 14.244547][ T36] audit: type=1400 audit(1755434650.300:63): avc: denied { siginh } for pid=229 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 Warning: Permanently added '10.128.0.151' (ED25519) to the list of known hosts. [ 21.897751][ T36] audit: type=1400 audit(1755434657.960:64): avc: denied { mounton } for pid=281 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2022 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 21.899177][ T281] cgroup: Unknown subsys name 'net' [ 21.920509][ T36] audit: type=1400 audit(1755434657.960:65): avc: denied { mount } for pid=281 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 21.947881][ T36] audit: type=1400 audit(1755434657.990:66): avc: denied { unmount } for pid=281 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 21.948166][ T281] cgroup: Unknown subsys name 'devices' [ 22.127514][ T281] cgroup: Unknown subsys name 'hugetlb' [ 22.133166][ T281] cgroup: Unknown subsys name 'rlimit' [ 22.270065][ T36] audit: type=1400 audit(1755434658.330:67): avc: denied { setattr } for pid=281 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=190 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 22.293360][ T36] audit: type=1400 audit(1755434658.330:68): avc: denied { mounton } for pid=281 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 22.318393][ T36] audit: type=1400 audit(1755434658.330:69): avc: denied { mount } for pid=281 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 22.348696][ T283] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 22.357629][ T36] audit: type=1400 audit(1755434658.420:70): avc: denied { relabelto } for pid=283 comm="mkswap" name="swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 22.383403][ T36] audit: type=1400 audit(1755434658.420:71): avc: denied { write } for pid=283 comm="mkswap" path="/root/swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 22.386499][ T281] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 22.409018][ T36] audit: type=1400 audit(1755434658.440:72): avc: denied { read } for pid=281 comm="syz-executor" name="swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 22.443340][ T36] audit: type=1400 audit(1755434658.440:73): avc: denied { open } for pid=281 comm="syz-executor" path="/root/swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 23.706350][ T288] bridge0: port 1(bridge_slave_0) entered blocking state [ 23.713423][ T288] bridge0: port 1(bridge_slave_0) entered disabled state [ 23.720606][ T288] bridge_slave_0: entered allmulticast mode [ 23.727025][ T288] bridge_slave_0: entered promiscuous mode [ 23.734513][ T288] bridge0: port 2(bridge_slave_1) entered blocking state [ 23.741619][ T288] bridge0: port 2(bridge_slave_1) entered disabled state [ 23.748742][ T288] bridge_slave_1: entered allmulticast mode [ 23.755047][ T288] bridge_slave_1: entered promiscuous mode [ 23.852389][ T291] bridge0: port 1(bridge_slave_0) entered blocking state [ 23.859539][ T291] bridge0: port 1(bridge_slave_0) entered disabled state [ 23.866686][ T291] bridge_slave_0: entered allmulticast mode [ 23.872956][ T291] bridge_slave_0: entered promiscuous mode [ 23.879435][ T291] bridge0: port 2(bridge_slave_1) entered blocking state [ 23.886619][ T291] bridge0: port 2(bridge_slave_1) entered disabled state [ 23.893680][ T291] bridge_slave_1: entered allmulticast mode [ 23.900136][ T291] bridge_slave_1: entered promiscuous mode [ 23.948684][ T290] bridge0: port 1(bridge_slave_0) entered blocking state [ 23.955766][ T290] bridge0: port 1(bridge_slave_0) entered disabled state [ 23.962837][ T290] bridge_slave_0: entered allmulticast mode [ 23.969322][ T290] bridge_slave_0: entered promiscuous mode [ 23.975802][ T290] bridge0: port 2(bridge_slave_1) entered blocking state [ 23.982850][ T290] bridge0: port 2(bridge_slave_1) entered disabled state [ 23.990013][ T290] bridge_slave_1: entered allmulticast mode [ 23.996341][ T290] bridge_slave_1: entered promiscuous mode [ 24.002425][ T289] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.009575][ T289] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.016722][ T289] bridge_slave_0: entered allmulticast mode [ 24.022934][ T289] bridge_slave_0: entered promiscuous mode [ 24.037672][ T289] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.044722][ T289] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.051959][ T289] bridge_slave_1: entered allmulticast mode [ 24.058283][ T289] bridge_slave_1: entered promiscuous mode [ 24.150193][ T288] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.157284][ T288] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.164708][ T288] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.171778][ T288] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.239280][ T291] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.246550][ T291] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.253857][ T291] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.260960][ T291] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.273914][ T290] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.281014][ T290] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.288312][ T290] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.295362][ T290] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.314185][ T289] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.321294][ T289] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.328617][ T289] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.335691][ T289] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.367907][ T46] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.375424][ T46] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.382833][ T46] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.390396][ T46] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.398891][ T46] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.406132][ T46] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.413275][ T46] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.420687][ T46] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.439221][ T46] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.446320][ T46] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.454486][ T46] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.461626][ T46] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.469756][ T46] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.476856][ T46] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.486785][ T13] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.493848][ T13] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.526173][ T46] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.533248][ T46] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.540965][ T46] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.548032][ T46] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.566724][ T292] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.573778][ T292] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.581479][ T292] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.588563][ T292] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.636526][ T290] veth0_vlan: entered promiscuous mode [ 24.643195][ T288] veth0_vlan: entered promiscuous mode [ 24.664189][ T289] veth0_vlan: entered promiscuous mode [ 24.681736][ T291] veth0_vlan: entered promiscuous mode [ 24.688493][ T288] veth1_macvtap: entered promiscuous mode [ 24.697263][ T290] veth1_macvtap: entered promiscuous mode [ 24.712043][ T289] veth1_macvtap: entered promiscuous mode [ 24.736474][ T291] veth1_macvtap: entered promiscuous mode [ 24.770401][ T290] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 24.828694][ T334] kvm_intel: L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. [ 24.846675][ T336] netlink: 'syz.1.2': attribute type 13 has an invalid length. [ 24.867588][ T341] rust_binder: Error while translating object. [ 24.869594][ T341] rust_binder: Failure in copy_transaction_data: BR_FAILED_REPLY { source: EINVAL } [ 24.871842][ T336] rust_binder: BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 24.882502][ T341] rust_binder: Transaction failed: BR_FAILED_REPLY { source: EINVAL } my_pid:2 [ 24.902898][ T336] rust_binder: Transaction failed: BR_FAILED_REPLY { source: ENOENT } my_pid:2 [ 24.916674][ T336] netlink: 'syz.1.2': attribute type 13 has an invalid length. [ 24.951467][ T356] rust_binder: Got transaction with invalid offset. [ 24.951526][ T356] rust_binder: Failure in copy_transaction_data: BR_FAILED_REPLY { source: EINVAL } [ 24.963975][ T356] rust_binder: Transaction failed: BR_FAILED_REPLY { source: EINVAL } my_pid:7 [ 25.014715][ T366] ======================================================= [ 25.014715][ T366] WARNING: The mand mount option has been deprecated and [ 25.014715][ T366] and is ignored by this kernel. Remove the mand [ 25.014715][ T366] option from the mount to silence this warning. [ 25.014715][ T366] ======================================================= [ 25.293014][ T380] SELinux: unrecognized netlink message: protocol=6 nlmsg_type=65296 sclass=netlink_xfrm_socket pid=380 comm=syz.2.15 [ 25.308486][ T380] tipc: Started in network mode [ 25.313402][ T380] tipc: Node identity 4, cluster identity 4711 [ 25.319957][ T380] tipc: Node number set to 4 [ 25.384930][ T31] usb 2-1: new high-speed USB device number 2 using dummy_hcd [ 25.403632][ T383] netlink: 'syz.2.16': attribute type 4 has an invalid length. [ 25.411371][ T383] netlink: 3657 bytes leftover after parsing attributes in process `syz.2.16'. [ 25.534983][ T31] usb 2-1: Using ep0 maxpacket: 16 [ 25.541478][ T31] usb 2-1: config 0 has an invalid interface number: 41 but max is 0 [ 25.554686][ T31] usb 2-1: config 0 has no interface number 0 [ 25.561063][ T31] usb 2-1: config 0 interface 41 altsetting 2 bulk endpoint 0x4 has invalid maxpacket 16 [ 25.571145][ T31] usb 2-1: config 0 interface 41 altsetting 2 bulk endpoint 0x82 has invalid maxpacket 64 [ 25.582680][ T31] usb 2-1: config 0 interface 41 has no altsetting 0 [ 25.585453][ T389] SELinux: security_context_str_to_sid () failed with errno=-22 [ 25.591261][ T31] usb 2-1: New USB device found, idVendor=0fe6, idProduct=9800, bcdDevice=d1.9a [ 25.608397][ T31] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 25.616653][ T31] usb 2-1: Product: syz [ 25.620891][ T31] usb 2-1: Manufacturer: syz [ 25.625785][ T31] usb 2-1: SerialNumber: syz [ 25.631863][ T31] usb 2-1: config 0 descriptor?? [ 25.639863][ T375] raw-gadget.0 gadget.1: fail, usb_ep_enable returned -22 [ 25.647267][ T375] raw-gadget.0 gadget.1: fail, usb_ep_enable returned -22 [ 25.647453][ T395] netlink: 76 bytes leftover after parsing attributes in process `syz.2.20'. [ 25.663364][ T396] netlink: 76 bytes leftover after parsing attributes in process `syz.2.20'. [ 25.696624][ T400] rust_binder: Write failure EINVAL in pid:29 [ 25.855346][ T370] raw-gadget.0 gadget.1: fail, usb_ep_enable returned -22 [ 25.868812][ T370] raw-gadget.0 gadget.1: fail, usb_ep_enable returned -22 [ 26.004905][ T330] usb 3-1: new low-speed USB device number 2 using dummy_hcd [ 26.166877][ T330] usb 3-1: config 1 interface 0 altsetting 0 endpoint 0x81 has invalid maxpacket 64, setting to 8 [ 26.177607][ T330] usb 3-1: config 1 interface 1 altsetting 1 endpoint 0x82 is Bulk; changing to Interrupt [ 26.187617][ T330] usb 3-1: config 1 interface 1 altsetting 1 endpoint 0x3 is Bulk; changing to Interrupt [ 26.199509][ T330] usb 3-1: string descriptor 0 read error: -22 [ 26.206086][ T330] usb 3-1: New USB device found, idVendor=0525, idProduct=a4a1, bcdDevice= 0.40 [ 26.215214][ T330] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 26.224242][ T412] raw-gadget.1 gadget.2: fail, usb_ep_enable returned -22 [ 26.283683][ T31] CoreChips 2-1:0.41 (unnamed net_device) (uninitialized): sr_get_phy_addr : Error reading PHYID register:ffffffe0 [ 26.433421][ T330] cdc_ncm 3-1:1.0: bind() failure [ 26.440106][ T330] cdc_ncm 3-1:1.1: CDC Union missing and no IAD found [ 26.447032][ T330] cdc_ncm 3-1:1.1: bind() failure [ 26.453502][ T330] usb 3-1: USB disconnect, device number 2 [ 26.525185][ T31] CoreChips 2-1:0.41 (unnamed net_device) (uninitialized): Failed to send software reset:ffffffb9 [ 26.535992][ T31] CoreChips 2-1:0.41 (unnamed net_device) (uninitialized): Failed to reset PHY: -71 [ 26.545594][ T31] CoreChips 2-1:0.41: probe with driver CoreChips failed with error -71 [ 26.555863][ T31] usb 2-1: USB disconnect, device number 2 [ 26.904943][ T31] usb 2-1: new high-speed USB device number 3 using dummy_hcd [ 26.954922][ T53] Bluetooth: hci0: Opcode 0x1003 failed: -110 [ 26.961133][ T345] Bluetooth: hci0: command 0x1003 tx timeout [ 26.985582][ T36] kauditd_printk_skb: 96 callbacks suppressed [ 26.985602][ T36] audit: type=1400 audit(1755434663.040:170): avc: denied { create } for pid=424 comm="syz.0.27" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=can_socket permissive=1 [ 27.013084][ T36] audit: type=1400 audit(1755434663.070:171): avc: denied { setopt } for pid=424 comm="syz.0.27" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=can_socket permissive=1 [ 27.064982][ T31] usb 2-1: Using ep0 maxpacket: 16 [ 27.072402][ T31] usb 2-1: config 1 has 2 interfaces, different from the descriptor's value: 3 [ 27.081773][ T31] usb 2-1: config 1 has no interface number 1 [ 27.088258][ T31] usb 2-1: config 1 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 0 [ 27.101380][ T31] usb 2-1: config 1 interface 2 altsetting 1 endpoint 0x82 has an invalid bInterval 139, changing to 7 [ 27.114264][ T31] usb 2-1: New USB device found, idVendor=1d6b, idProduct=0101, bcdDevice= 0.40 [ 27.123979][ T31] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 27.132316][ T31] usb 2-1: Product: syz [ 27.136817][ T31] usb 2-1: Manufacturer: syz [ 27.141512][ T31] usb 2-1: SerialNumber: syz [ 27.851478][ T36] audit: type=1400 audit(1755434663.910:172): avc: denied { read } for pid=427 comm="syz.0.28" dev="nsfs" ino=4026532390 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 27.874360][ T36] audit: type=1400 audit(1755434663.910:173): avc: denied { open } for pid=427 comm="syz.0.28" path="net:[4026532390]" dev="nsfs" ino=4026532390 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 27.923977][ T36] audit: type=1400 audit(1755434663.980:174): avc: denied { mounton } for pid=434 comm="syz.0.29" path="/4/file0" dev="tmpfs" ino=39 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=file permissive=1 [ 27.952339][ T36] audit: type=1400 audit(1755434664.010:175): avc: denied { read } for pid=436 comm="syz.0.30" name="uinput" dev="devtmpfs" ino=194 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 27.982612][ T439] netlink: 'syz.0.31': attribute type 29 has an invalid length. [ 27.990762][ T439] netlink: 64138 bytes leftover after parsing attributes in process `syz.0.31'. [ 28.014583][ T36] audit: type=1400 audit(1755434664.070:176): avc: denied { execute } for pid=438 comm="syz.0.31" name="file1" dev="tmpfs" ino=51 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=file permissive=1 [ 28.038359][ T36] audit: type=1400 audit(1755434664.070:177): avc: denied { execute_no_trans } for pid=438 comm="syz.0.31" path="/6/file1" dev="tmpfs" ino=51 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=file permissive=1 [ 28.062779][ T36] audit: type=1400 audit(1755434664.070:178): avc: denied { unmount } for pid=289 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem permissive=1 [ 28.106132][ T36] audit: type=1400 audit(1755434664.160:179): avc: denied { write } for pid=442 comm="syz.0.32" name="001" dev="devtmpfs" ino=111 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usb_device_t tclass=chr_file permissive=1 [ 28.142501][ T445] IPv6: NLM_F_CREATE should be specified when creating new route [ 28.374919][ T10] usb 3-1: new high-speed USB device number 3 using dummy_hcd [ 28.536232][ T10] usb 3-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 28.546586][ T10] usb 3-1: config 0 has 0 interfaces, different from the descriptor's value: 1 [ 28.556419][ T10] usb 3-1: New USB device found, idVendor=e72f, idProduct=0054, bcdDevice= 0.00 [ 28.565916][ T10] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 28.584828][ T10] usb 3-1: config 0 descriptor?? [ 28.735075][ T462] sock: sock_timestamping_bind_phc: sock not bind to device [ 28.746092][ T462] 9pnet_fd: Insufficient options for proto=fd [ 29.094913][ T420] usb 4-1: new high-speed USB device number 2 using dummy_hcd [ 29.245974][ T420] usb 4-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 29.256959][ T420] usb 4-1: New USB device found, idVendor=0926, idProduct=3333, bcdDevice= 0.40 [ 29.266035][ T420] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 29.274929][ T420] usb 4-1: config 0 descriptor?? [ 29.342172][ T474] rust_binder: Write failure EINVAL in pid:43 [ 29.360854][ T476] overlayfs: failed to resolve 'pcr=00000000000000000000': -2 [ 29.586644][ T31] usb 2-1: 2:1 : UAC_AS_GENERAL descriptor not found [ 29.622554][ T31] usb 2-1: USB disconnect, device number 3 [ 29.639458][ T415] udevd[415]: error opening ATTR{/sys/devices/platform/dummy_hcd.1/usb2/2-1/2-1:1.0/sound/card0/controlC0/../uevent} for writing: No such file or directory [ 29.657865][ T485] rust_binder: Failure in copy_transaction_data: BR_FAILED_REPLY { source: EINVAL } [ 29.657899][ T485] rust_binder: Failure BR_FAILED_REPLY { source: EINVAL } during reply - delivering BR_FAILED_REPLY to sender. [ 29.667662][ T485] rust_binder: Transaction failed: BR_TRANSACTION_COMPLETE my_pid:18 [ 29.690350][ T420] keytouch 0003:0926:3333.0001: fixing up Keytouch IEC report descriptor [ 29.710166][ T10] rust_binder: 484: removing orphan mapping 0:24 [ 29.717236][ T420] input: HID 0926:3333 as /devices/platform/dummy_hcd.3/usb4/4-1/4-1:0.0/0003:0926:3333.0001/input/input6 [ 29.813811][ T420] keytouch 0003:0926:3333.0001: input,hidraw0: USB HID v0.00 Keyboard [HID 0926:3333] on usb-dummy_hcd.3-1/input0 [ 30.034937][ T31] usb 2-1: new high-speed USB device number 4 using dummy_hcd [ 30.196580][ T31] usb 2-1: config 1 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 18 [ 30.211288][ T31] usb 2-1: New USB device found, idVendor=0525, idProduct=a4a1, bcdDevice= 0.40 [ 30.235812][ T31] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=1 [ 30.249429][ T31] usb 2-1: SerialNumber: syz Stopping sshd: [ 30.387659][ T501] input: syz0 as /devices/virtual/input/input7 stopped /usr/sbin/sshd (pid 202) OK Stopping crond: stopped /usr/sbin/crond (pid 193) OK [ 30.475265][ T31] cdc_ether 2-1:1.0: probe with driver cdc_ether failed with error -71 [ 30.491023][ T511] ptm ptm10: ldisc open failed (-12), clearing slot 10 [ 30.499211][ T31] usb 2-1: USB disconnect, device number 4 Stopping dhcpcd... stopped /sbin/dhcpcd (pid 147) [ 30.565500][ T469] Trying to write to read-only block-device rnullb0 Stopping network: OK Stopping iptables: OK Stopping system message bus: done [ 30.631012][ T522] rust_binder: Write failure EINVAL in pid:66 [ 30.894937][ T31] usb 2-1: new high-speed USB device number 5 using dummy_hcd Stopping klogd: OK Stopping acpid: [ 31.065900][ T31] usb 2-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 31.076912][ T31] usb 2-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 31.086713][ T31] usb 2-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 21 [ 31.099685][ T31] usb 2-1: New USB device found, idVendor=047f, idProduct=ffff, bcdDevice= 0.00 [ 31.108816][ T31] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 31.109925][ T329] usb 3-1: USB disconnect, device number 3 [ 31.118099][ T31] usb 2-1: config 0 descriptor?? [ 31.368317][ T329] rust_binder: 521: removing orphan mapping 0:24 [ 31.398541][ T564] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 31.431873][ T569] SELinux: security_context_str_to_sid (sytem_uÝGй) failed with errno=-22 [ 31.440875][ T570] SELinux: security_context_str_to_sid (sytem_uÝGй) failed with errno=-22 [ 31.482206][ T583] rust_binder: Error while translating object. [ 31.482299][ T583] rust_binder: Failure in copy_transaction_data: BR_FAILED_REPLY { source: EFAULT } [ 31.484237][ T582] can0: slcan on ptm0. [ 31.488581][ T583] rust_binder: Transaction failed: BR_FAILED_REPLY { source: EFAULT } my_pid:60 [ 31.544163][ T31] usbhid 2-1:0.0: can't add hid device: -71 [ 31.552512][ T591] /dev/nullb0: Can't lookup blockdev [ 31.554562][ T31] usbhid 2-1:0.0: probe with driver usbhid failed with error -71 [ 31.575646][ T31] usb 2-1: USB disconnect, device number 5 [ 31.585824][ T593] overlayfs: failed to resolve './file0': -2 [ 31.612055][ T13] bridge_slave_1: left allmulticast mode [ 31.625481][ T13] bridge_slave_1: left promiscuous mode [ 31.634494][ T13] bridge0: port 2(bridge_slave_1) entered disabled state [ 31.652924][ T13] bridge_slave_0: left allmulticast mode [ 31.662402][ T13] bridge_slave_0: left promiscuous mode [ 31.675013][ T13] bridge0: port 1(bridge_slave_0) entered disabled state [ 31.734923][ T420] usb 1-1: new low-speed USB device number 2 using dummy_hcd [ 31.788098][ T597] tipc: Started in network mode [ 31.793045][ T597] tipc: Node identity 766865f40d96, cluster identity 4711 [ 31.797184][ T31] usb 4-1: USB disconnect, device number 2 [ 31.800359][ T597] tipc: Enabled bearer , priority 0 [ 31.813937][ T596] tipc: Resetting bearer [ 31.830136][ T596] tipc: Disabling bearer [ 31.851076][ T13] tipc: Left network mode [ 31.860758][ T13] veth1_macvtap: left promiscuous mode [ 31.873514][ T13] veth0_vlan: left promiscuous mode [ 31.874929][ T420] usb 1-1: device descriptor read/64, error -71 [ 31.919695][ T609] rust_binder: 44: no such ref 0 [ 31.958941][ T607] netlink: 4 bytes leftover after parsing attributes in process `syz.3.73'. [ 31.968888][ T12] Bluetooth: hci0: Frame reassembly failed (-84) [ 31.991297][ T608] ------------[ cut here ]------------ [ 31.996891][ T608] WARNING: CPU: 0 PID: 608 at kernel/rcu/srcutree.c:664 cleanup_srcu_struct+0x3e9/0x4c0 SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=-1 (errno 104: Connection reset by peer) [ 32.006709][ T608] Modules linked in: [ 32.010661][ T608] CPU: 0 UID: 0 PID: 608 Comm: syz.1.74 Not tainted 6.12.38-syzkaller-g3f3a5c5e782d #0 c9247809a66a5ebb3467d1c2e99b1dedbd707993 OK[ 32.024488][ T608] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 32.034586][ T608] RIP: 0010:cleanup_srcu_struct+0x3e9/0x4c0 [ 32.040273][ T36] kauditd_printk_skb: 63 callbacks suppressed [ 32.040294][ T36] audit: type=1400 audit(1755434668.100:243): avc: denied { write } for pid=281 comm="syz-executor" path="pipe:[2863]" dev="pipefs" ino=2863 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 [ 32.040714][ T608] Code: 00 48 8b 5d a0 74 08 48 89 df e8 12 43 6e 00 48 c7 03 00 00 00 00 48 83 c4 40 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc <0f> 0b eb e8 0f 0b eb e4 0f 0b eb e0 0f 0b eb 0e 0f 0b 4c 8b 75 d0 [ 32.089418][ T608] RSP: 0018:ffffc9000b9ffc88 EFLAGS: 00010202 [ 32.095566][ T608] RAX: 1ffffd1ffff81d0a RBX: ffffc9000ff758e8 RCX: ffffffff816dc249 Stopping syslogd[ 32.103597][ T608] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffe8ffffc0e850 : [ 32.113226][ T608] RBP: ffffc9000b9ffcf0 R08: ffffe8ffffc0e857 R09: 1ffffd1ffff81d0a [ 32.121331][ T608] R10: dffffc0000000000 R11: fffff91ffff81d0b R12: dffffc0000000000 [ 32.124917][ T420] usb 1-1: device descriptor read/64, error -71 [ 32.129363][ T608] R13: dffffc0000000000 R14: 0000000000000000 R15: ffffe8ffffc0e850 [ 32.143593][ T608] FS: 00005555919dd500(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 stopped /sbin/sy[ 32.152798][ T608] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 slogd (pid 91) [ 32.160909][ T608] CR2: 00007ffd575abb48 CR3: 000000010baf6000 CR4: 00000000003526b0 [ 32.170024][ T608] Call Trace: [ 32.173330][ T608] [ 32.176307][ T608] kvm_put_kvm+0x1100/0x12b0 [ 32.181036][ T608] ? __cfi_kvm_vm_release+0x10/0x10 [ 32.186307][ T608] kvm_vm_release+0x47/0x70 [ 32.190892][ T608] __fput+0x1fb/0xa00 [ 32.194931][ T608] ? __cfi__raw_spin_lock_irq+0x10/0x10 [ 32.200521][ T608] ____fput+0x20/0x30 [ 32.204598][ T608] task_work_run+0x1e0/0x250 [ 32.209266][ T608] ? __cfi_task_work_run+0x10/0x10 [ 32.214424][ T608] ? __kasan_check_write+0x18/0x20 [ 32.219714][ T608] resume_user_mode_work+0x36/0x50 [ 32.224979][ T608] syscall_exit_to_user_mode+0x64/0xb0 [ 32.230470][ T608] do_syscall_64+0x64/0xf0 [ 32.235016][ T608] ? clear_bhb_loop+0x50/0xa0 [ 32.239728][ T608] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 32.245687][ T608] RIP: 0033:0x7f7c8078ebe9 [ 32.250148][ T608] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 32.269811][ T608] RSP: 002b:00007ffd75d6ca98 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 OK [ 32.278284][ T608] RAX: 0000000000000000 RBX: 0000000000007c98 RCX: 00007f7c8078ebe9 [ 32.286663][ T608] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 32.294668][ T608] RBP: 00007f7c809b7da0 R08: 0000000000000001 R09: 0000001d75d6cd8f [ 32.302688][ T608] R10: 0000001b2dd20000 R11: 0000000000000246 R12: 00007f7c809b609c [ 32.310806][ T608] R13: 00007f7c809b6090 R14: ffffffffffffffff R15: 00007ffd75d6cbb0 [ 32.318881][ T608] [ 32.321927][ T608] ---[ end trace 0000000000000000 ]--- [ 32.384907][ T420] usb 1-1: new low-speed USB device number 3 using dummy_hcd umount: can't remount debugfs read-only [ 32.486446][ T582] can0 (unregistered): slcan off ptm0. umount: sysfs busy - remounted read-only umount: devtmpfs busy - remounted read-only umount: c[ 32.607985][ T13] bridge_slave_1: left allmulticast mode [ 32.613675][ T13] bridge_slave_1: left promiscuous mode [ 32.619393][ T13] bridge0: port 2(bridge_slave_1) entered disabled state [ 32.627076][ T13] bridge_slave_0: left allmulticast mode [ 32.632723][ T13] bridge_slave_0: left promiscuous mode [ 32.638428][ T13] bridge0: port 1(bridge_slave_0) entered disabled state [ 32.646248][ T13] bridge_slave_1: left allmulticast mode [ 32.651909][ T13] bridge_slave_1: left promiscuous mode [ 32.657618][ T13] bridge0: port 2(bridge_slave_1) entered disabled state [ 32.665347][ T13] bridge_slave_0: left allmulticast mode [ 32.671004][ T13] bridge_slave_0: left promiscuous mode [ 32.676669][ T13] bridge0: port 1(bridge_slave_0) entered disabled state [ 32.929703][ T13] veth1_macvtap: left promiscuous mode [ 32.935384][ T13] veth0_vlan: left promiscuous mode [ 32.941026][ T13] veth1_macvtap: left promiscuous mode [ 32.946611][ T13] veth0_vlan: left promiscuous mode Sent SIGKILL to all processes Requesting system poweroff [ 33.995013][ T53] Bluetooth: hci0: command 0x1003 tx timeout [ 33.995022][ T345] Bluetooth: hci0: Opcode 0x1003 failed: -110 [ 34.087761][ T13] bridge_slave_1: left allmulticast mode [ 34.093477][ T13] bridge_slave_1: left promiscuous mode [ 34.099178][ T13] bridge0: port 2(bridge_slave_1) entered disabled state [ 34.106881][ T13] bridge_slave_0: left allmulticast mode [ 34.112619][ T13] bridge_slave_0: left promiscuous mode [ 34.118336][ T13] bridge0: port 1(bridge_slave_0) entered disabled state [ 34.267480][ T13] tipc: Left network mode [ 34.273025][ T13] veth1_macvtap: left promiscuous mode [ 34.278582][ T13] veth0_vlan: left promiscuous mode [ 34.548377][ T624] sd 0:0:1:0: [sda] Synchronizing SCSI cache [ 34.555153][ T624] ACPI: PM: Preparing to enter system sleep state S5 [ 34.562092][ T624] kvm: exiting hardware virtualization [ 34.567644][ T624] reboot: Power down serialport: VM disconnected.