./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2802112059

<...>
DUID 00:04:48:c1:59:5f:fc:59:49:5e:88:a3:60:14:b2:b9:c6:dc
forked to background, child pid 4666
[   20.012431][ T4667] 8021q: adding VLAN 0 to HW filter on device bond0
[   20.023469][ T4667] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK

syzkaller
Warning: Permanently added '10.128.1.122' (ECDSA) to the list of known hosts.
execve("./syz-executor2802112059", ["./syz-executor2802112059"], 0x7ffc085160a0 /* 10 vars */) = 0
brk(NULL)                               = 0x555556696000
brk(0x555556696d40)                     = 0x555556696d40
arch_prctl(ARCH_SET_FS, 0x555556696400) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
set_tid_address(0x5555566966d0)         = 4998
set_robust_list(0x5555566966e0, 24)     = 0
rt_sigaction(SIGRTMIN, {sa_handler=0x7f8744fcf1b0, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f8744fce700}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x7f8744fcf250, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f8744fce700}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor2802112059", 4096) = 28
brk(0x5555566b7d40)                     = 0x5555566b7d40
brk(0x5555566b8000)                     = 0x5555566b8000
mprotect(0x7f8745091000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
getpid()                                = 4998
openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3
write(3, "10000000000", 11)             = 11
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3
write(3, "20", 2)                       = 2
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3
write(3, "100", 3)                      = 3
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3
write(3, "7 4 1 3", 7)                  = 7
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3
write(3, "4998", 4)                     = 4
close(3)                                = 0
mount(NULL, "/proc/sys/fs/binfmt_misc", "binfmt_misc", 0, NULL) = -1 EBUSY (Device or resource busy)
openat(AT_FDCWD, "/proc/sys/fs/binfmt_misc/register", O_WRONLY|O_CLOEXEC) = 3
write(3, "\x3a\x73\x79\x7a\x30\x3a\x4d\x3a\x30\x3a\x01\x3a\x3a\x2e\x2f\x66\x69\x6c\x65\x30\x3a", 21) = 21
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/fs/binfmt_misc/register", O_WRONLY|O_CLOEXEC) = 3
write(3, "\x3a\x73\x79\x7a\x31\x3a\x4d\x3a\x31\x3a\x02\x3a\x3a\x2e\x2f\x66\x69\x6c\x65\x30\x3a\x50\x4f\x43", 24) = 24
close(3)                                = 0
chmod("/dev/raw-gadget", 0666)          = 0
socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 3
socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 4
sendto(4, [{nlmsg_len=36, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x0d\x00\x02\x00\x6e\x6c\x38\x30\x32\x31\x35\x34\x00\x00\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36
recvfrom(4, [{nlmsg_len=784, nlmsg_type=nlctrl, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=4998}, "\x01\x02\x00\x00\x0d\x00\x02\x00\x6e\x6c\x38\x30\x32\x31\x35\x34\x00\x00\x00\x00\x06\x00\x01\x00\x1d\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x2e\x00\x00\x00\x98\x02\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x05\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x03\x00"...], 4096, 0, NULL, NULL) = 784
recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=4998}, {error=0, msg={nlmsg_len=36, nlmsg_type=nlctrl, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
access("/proc/net", R_OK)               = 0
access("/proc/net/unix", R_OK)          = 0
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5
ioctl(5, SIOCGIFINDEX, {ifr_name="wpan0", ifr_ifindex=11}) = 0
close(5)                                = 0
sendto(4, [{nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x0b\x00\x00\x00\x08\x00\x03\x00\x0b\x00\x00\x00\x06\x00\x0a\x00\xa0\xaa\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36
recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=4998}, {error=0, msg={nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5
ioctl(5, SIOCGIFINDEX, {ifr_name="wpan0", ifr_ifindex=11}) = 0
close(5)                                = 0
sendto(3, [{nlmsg_len=44, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x0c\x00\x01\x00\x02\x00\xaa\xaa\xaa\xaa\xaa\xaa"], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44
recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=4998}, {error=0, msg={nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
sendto(3, [{nlmsg_len=68, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=0, nlmsg_pid=0}, {ifi_family=AF_UNSPEC, ifi_type=ARPHRD_NETROM, ifi_index=0, ifi_flags=0, ifi_change=0}, [[{nla_len=11, nla_type=IFLA_IFNAME}, "lowpan0"...], [{nla_len=16, nla_type=IFLA_LINKINFO}, [{nla_len=10, nla_type=IFLA_INFO_KIND}, "lowpan"...]], [{nla_len=8, nla_type=IFLA_LINK}, 11]]], 68, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 68
recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=4998}, {error=0, msg={nlmsg_len=68, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5
ioctl(5, SIOCGIFINDEX, {ifr_name="wpan1", ifr_ifindex=12}) = 0
close(5)                                = 0
sendto(4, [{nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x0b\x00\x00\x00\x08\x00\x03\x00\x0c\x00\x00\x00\x06\x00\x0a\x00\xa1\xaa\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36
recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=4998}, {error=0, msg={nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5
ioctl(5, SIOCGIFINDEX, {ifr_name="wpan1", ifr_ifindex=12}) = 0
close(5)                                = 0
sendto(3, [{nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, {ifi_family=AF_UNSPEC, ifi_type=ARPHRD_NETROM, ifi_index=if_nametoindex("wpan1"), ifi_flags=IFF_UP, ifi_change=0x1}, [{nla_len=12, nla_type=IFLA_ADDRESS}, 02:01:aa:aa:aa:aa:aa]], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44
recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=4998}, {error=0, msg={nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
close(3)                                = 0
close(4)                                = 0
rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGSEGV, {sa_handler=0x7f8744fc8e20, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f8744fce700}, NULL, 8) = 0
rt_sigaction(SIGBUS, {sa_handler=0x7f8744fc8e20, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f8744fce700}, NULL, 8) = 0
getpid()                                = 4998
mkdir("./syzkaller.TBWU69", 0700)       = 0
chmod("./syzkaller.TBWU69", 0777)       = 0
chdir("./syzkaller.TBWU69")             = 0
unshare(CLONE_NEWPID)                   = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555566966d0) = 5000
./strace-static-x86_64: Process 5000 attached
[pid  5000] set_robust_list(0x5555566966e0, 24) = 0
[pid  5000] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy)
[pid  5000] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3
[pid  5000] openat(AT_FDCWD, "/dev/vhci", O_RDWR) = 4
[pid  5000] dup2(4, 202)                = 202
[pid  5000] close(4)                    = 0
[pid  5000] write(202, "\xff\x00", 2)   = 2
[pid  5000] read(202, "\xff\x00\x00\x00", 4) = 4
[pid  5000] mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f87447bd000
[pid  5000] mprotect(0x7f87447be000, 8388608, PROT_READ|PROT_WRITE) = 0
[pid  5000] clone(child_stack=0x7f8744fbd2f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[2], tls=0x7f8744fbd700, child_tidptr=0x7f8744fbd9d0) = 2
[pid  5000] ioctl(3, HCIDEVUP./strace-static-x86_64: Process 5003 attached
 <unfinished ...>
[pid  5003] set_robust_list(0x7f8744fbd9e0, 24) = 0
[pid  5003] read(202, "\x01\x03\x0c\x00", 1024) = 4
[pid  5003] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5003] read(202, "\x01\x03\x10\x00", 1024) = 4
[pid  5003] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5003] read(202, "\x01\x01\x10\x00", 1024) = 4
[pid  5003] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x01\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5003] read(202, "\x01\x09\x10\x00", 1024) = 4
[pid  5003] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0a", iov_len=2}, {iov_base="\x01\x09\x10", iov_len=3}, {iov_base="\x00\xaa\xaa\xaa\xaa\xaa\xaa", iov_len=7}], 4) = 13
[pid  5003] read(202, "\x01\x05\x10\x00", 1024) = 4
[pid  5003] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0b", iov_len=2}, {iov_base="\x01\x05\x10", iov_len=3}, {iov_base="\x00\xfd\x03\x60\x04\x00\x06\x00", iov_len=8}], 4) = 14
[pid  5003] read(202, "\x01\x23\x0c\x00", 1024) = 4
[pid  5003] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x23\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5003] read(202, "\x01\x14\x0c\x00", 1024) = 4
[pid  5003] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x14\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5003] read(202, "\x01\x25\x0c\x00", 1024) = 4
[pid  5003] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x25\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5003] read(202, "\x01\x38\x0c\x00", 1024) = 4
[pid  5003] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x38\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5003] read(202, "\x01\x39\x0c\x00", 1024) = 4
[pid  5003] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x39\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5003] read(202, "\x01\x16\x0c\x02\x00\x7d", 1024) = 6
[pid  5003] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x16\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5003] read(202,  <unfinished ...>
[pid  5000] <... ioctl resumed>, 0)     = -1 EALREADY (Operation already in progress)
[pid  5000] ioctl(3, HCISETSCAN <unfinished ...>
[pid  5003] <... read resumed>"\x01\x1a\x0c\x01\x02", 1024) = 5
[pid  5003] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x04", iov_len=2}, {iov_base="\x01\x1a\x0c", iov_len=3}, {iov_base="\x00", iov_len=1}], 4 <unfinished ...>
[pid  5000] <... ioctl resumed>, 0x7ffe19cecea0) = 0
[pid  5003] <... writev resumed>)       = 7
[pid  5000] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x04\x0a", iov_len=2}, {iov_base="\xaa\xaa\xaa\xaa\xaa\x10\x00\x00\x00\x01", iov_len=10}], 3) = 13
[pid  5000] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x03\x0b", iov_len=2}, {iov_base="\x00\xc8\x00\xaa\xaa\xaa\xaa\xaa\x10\x01\x00", iov_len=11}], 3) = 14
[pid  5000] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\v\v", iov_len=2}, {iov_base="\x00\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=11}], 3) = 14
[pid  5000] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x3e\x13", iov_len=2}, {iov_base="\x01\x00\xc9\x00\x01\x00\xaa\xaa\xaa\xaa\xaa\x11\x00\x00\x00\x00\x00\x00\x00", iov_len=19}], 3) = 22
[pid  5000] futex(0x7f8744fbd9d0, FUTEX_WAIT, 2, NULL <unfinished ...>
[pid  5003] madvise(0x7f87447bd000, 8372224, MADV_DONTNEED) = 0
[pid  5003] exit(0)                     = ?
[pid  5000] <... futex resumed>)        = 0
[pid  5000] close(3)                    = 0
[pid  5000] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5000] setsid()                    = 1
[pid  5000] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0
[pid  5000] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0
[pid  5000] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0
[pid  5000] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0
[pid  5000] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0
[pid  5000] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0
[pid  5000] unshare(CLONE_NEWNS)        = 0
[pid  5000] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0
[pid  5000] unshare(CLONE_NEWIPC)       = 0
[pid  5000] unshare(CLONE_NEWCGROUP)    = 0
[pid  5000] unshare(CLONE_NEWUTS)       = 0
[pid  5000] unshare(CLONE_SYSVSEM)      = 0
[pid  5000] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3
[pid  5000] write(3, "16777216", 8)     = 8
[pid  5000] close(3)                    = 0
[pid  5000] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3
[pid  5000] write(3, "536870912", 9)    = 9
[pid  5000] close(3 <unfinished ...>
[pid  5003] +++ exited with 0 +++
[pid  5000] <... close resumed>)        = 0
[pid  5000] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3
[pid  5000] write(3, "1024", 4)         = 4
[pid  5000] close(3)                    = 0
[pid  5000] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3
[pid  5000] write(3, "8192", 4)         = 4
[pid  5000] close(3)                    = 0
[pid  5000] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3
[pid  5000] write(3, "1024", 4)         = 4
[pid  5000] close(3)                    = 0
[pid  5000] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3
[pid  5000] write(3, "1024", 4)         = 4
[pid  5000] close(3)                    = 0
[pid  5000] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3
[pid  5000] write(3, "1024 1048576 500 1024", 21) = 21
[pid  5000] close(3)                    = 0
[pid  5000] getpid()                    = 1
[pid  5000] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid  5000] capset({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
syzkaller login: [   43.887104][ T5001] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   43.894931][ T5001] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   43.903406][ T5001] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   43.912515][ T5001] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   43.921536][ T5001] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   43.929520][ T5001] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[pid  5000] unshare(CLONE_NEWNET)       = 0
[pid  5000] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC) = 3
[pid  5000] write(3, "0 65535", 7)      = 7
[pid  5000] close(3)                    = 0
[pid  5000] openat(AT_FDCWD, "/dev/net/tun", O_RDWR|O_NONBLOCK) = 3
[pid  5000] dup2(3, 200)                = 200
[pid  5000] close(3)                    = 0
[pid  5000] ioctl(200, TUNSETIFF, 0x7ffe19cecef0) = 0
[pid  5000] openat(AT_FDCWD, "/proc/sys/net/ipv6/conf/syz_tun/accept_dad", O_WRONLY|O_CLOEXEC) = 3
[pid  5000] write(3, "0", 1)            = 1
[pid  5000] close(3)                    = 0
[pid  5000] openat(AT_FDCWD, "/proc/sys/net/ipv6/conf/syz_tun/router_solicitations", O_WRONLY|O_CLOEXEC) = 3
[pid  5000] write(3, "0", 1)            = 1
[pid  5000] close(3)                    = 0
[pid  5000] socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 3
[pid  5000] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
[pid  5000] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0
[pid  5000] close(4)                    = 0
[pid  5000] sendto(3, [{nlmsg_len=40, nlmsg_type=0x14 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x500, nlmsg_seq=0, nlmsg_pid=0}, "\x02\x18\x00\x00\x0b\x00\x00\x00\x08\x00\x02\x00\xac\x14\x14\xaa\x08\x00\x01\x00\xac\x14\x14\xaa"], 40, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 40
[pid  5000] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=40, nlmsg_type=0x14 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x500, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
[pid  5000] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
[pid  5000] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0
[pid  5000] close(4)                    = 0
[pid  5000] sendto(3, [{nlmsg_len=64, nlmsg_type=0x14 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x500, nlmsg_seq=0, nlmsg_pid=0}, "\x0a\x78\x00\x00\x0b\x00\x00\x00\x14\x00\x02\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa\x14\x00\x01\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa"], 64, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 64
[pid  5000] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=64, nlmsg_type=0x14 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x500, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
[pid  5000] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
[pid  5000] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0
[pid  5000] close(4)                    = 0
[pid  5000] sendto(3, [{nlmsg_len=48, nlmsg_type=0x1c /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x600, nlmsg_seq=0, nlmsg_pid=0}, "\x02\x00\x00\x00\x0b\x00\x00\x00\x80\x00\x00\x00\x08\x00\x01\x00\xac\x14\x14\xbb\x0a\x00\x02\x00\xbb\xaa\xaa\xaa\xaa\xaa\x00\x00"], 48, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 48
[pid  5000] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=48, nlmsg_type=0x1c /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x600, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
[pid  5000] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
[pid  5000] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0
[pid  5000] close(4)                    = 0
[pid  5000] sendto(3, [{nlmsg_len=60, nlmsg_type=0x1c /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x600, nlmsg_seq=0, nlmsg_pid=0}, "\x0a\x00\x00\x00\x0b\x00\x00\x00\x80\x00\x00\x00\x14\x00\x01\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbb\x0a\x00\x02\x00\xbb\xaa\xaa\xaa\xaa\xaa\x00\x00"], 60, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 60
[pid  5000] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=60, nlmsg_type=0x1c /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x600, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
[pid  5000] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
[pid  5000] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0
[pid  5000] close(4)                    = 0
[pid  5000] sendto(3, [{nlmsg_len=44, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x0a\x00\x01\x00\xaa\xaa\xaa\xaa\xaa\xaa\x00\x00"], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44
[pid  5000] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=44, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
[pid  5000] close(3)                    = 0
[pid  5000] mkdir("/dev/binderfs", 0777) = 0
[pid  5000] mount("binder", "/dev/binderfs", "binder", 0, NULL) = 0
[pid  5000] openat(AT_FDCWD, "/dev/raw-gadget", O_RDWR) = 3
[pid  5000] ioctl(3, USB_RAW_IOCTL_INIT, 0x7ffe19cebe00) = 0
[pid  5000] ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0
[pid  5000] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe19cebe00) = 0
[pid  5000] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe19cebe00) = 0
[pid  5000] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe19ceadf0) = 18
[   44.276224][   T26] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[pid  5000] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe19cebe00) = 0
[pid  5000] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe19ceadf0) = 18
[   44.516209][   T26] usb 1-1: Using ep0 maxpacket: 8
[pid  5000] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe19cebe00) = 0
[pid  5000] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe19ceadf0) = 9
[pid  5000] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe19cebe00) = 0
[pid  5000] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe19ceadf0) = 70
[pid  5000] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe19cebe00) = 0
[pid  5000] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe19ceadf0) = 4
[   44.636574][   T26] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config
[pid  5000] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe19cebe00) = 0
[pid  5000] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe19ceadf0) = 8
[pid  5000] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe19cebe00) = 0
[pid  5000] ioctl(3, USB_RAW_IOCTL_VBUS_DRAW, 0) = 0
[pid  5000] ioctl(3, USB_RAW_IOCTL_CONFIGURE, 0) = 0
[   44.746346][   T26] usb 1-1: New USB device found, idVendor=0bd3, idProduct=0d55, bcdDevice=69.6a
[   44.755404][   T26] usb 1-1: New USB device strings: Mfr=64, Product=0, SerialNumber=0
[   44.763691][   T26] usb 1-1: Manufacturer: syz
[   44.771862][   T26] usb 1-1: config 0 descriptor??
[pid  5000] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe19ceadf0) = 0
[pid  5000] close(3)                    = 0
[pid  5000] close(4)                    = -1 EBADF (Bad file descriptor)
[pid  5000] close(5)                    = -1 EBADF (Bad file descriptor)
[pid  5000] close(6)                    = -1 EBADF (Bad file descriptor)
[pid  5000] close(7)                    = -1 EBADF (Bad file descriptor)
[pid  5000] close(8)                    = -1 EBADF (Bad file descriptor)
[pid  5000] close(9)                    = -1 EBADF (Bad file descriptor)
[pid  5000] close(10)                   = -1 EBADF (Bad file descriptor)
[pid  5000] close(11)                   = -1 EBADF (Bad file descriptor)
[pid  5000] close(12)                   = -1 EBADF (Bad file descriptor)
[pid  5000] close(13)                   = -1 EBADF (Bad file descriptor)
[pid  5000] close(14)                   = -1 EBADF (Bad file descriptor)
[pid  5000] close(15)                   = -1 EBADF (Bad file descriptor)
[pid  5000] close(16)                   = -1 EBADF (Bad file descriptor)
[pid  5000] close(17)                   = -1 EBADF (Bad file descriptor)
[pid  5000] close(18)                   = -1 EBADF (Bad file descriptor)
[pid  5000] close(19)                   = -1 EBADF (Bad file descriptor)
[pid  5000] close(20)                   = -1 EBADF (Bad file descriptor)
[pid  5000] close(21)                   = -1 EBADF (Bad file descriptor)
[pid  5000] close(22)                   = -1 EBADF (Bad file descriptor)
[pid  5000] close(23)                   = -1 EBADF (Bad file descriptor)
[pid  5000] close(24)                   = -1 EBADF (Bad file descriptor)
[pid  5000] close(25)                   = -1 EBADF (Bad file descriptor)
[pid  5000] close(26)                   = -1 EBADF (Bad file descriptor)
[pid  5000] close(27)                   = -1 EBADF (Bad file descriptor)
[pid  5000] close(28)                   = -1 EBADF (Bad file descriptor)
[pid  5000] close(29)                   = -1 EBADF (Bad file descriptor)
[pid  5000] exit_group(1)               = ?
[   45.066298][   T26] usb 1-1: Found UVC 0.00 device <unnamed> (0bd3:0d55)
[   45.073520][   T26] uvcvideo 1-1:0.0: Entity type for entity Output 255 was not initialized!
[   45.082826][   T26] ------------[ cut here ]------------
[   45.088296][   T26] WARNING: CPU: 1 PID: 26 at drivers/media/mc/mc-entity.c:1089 media_create_pad_link+0x4e2/0x650
[   45.098834][   T26] Modules linked in:
[   45.102725][   T26] CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.4.0-rc5-syzkaller #0
[   45.110898][   T26] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
[   45.120972][   T26] Workqueue: usb_hub_wq hub_event
[   45.125987][   T26] RIP: 0010:media_create_pad_link+0x4e2/0x650
[   45.132115][   T26] Code: 04 32 d6 fa 44 89 e0 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 e8 ed 31 d6 fa 0f 0b 41 bc ea ff ff ff eb da e8 de 31 d6 fa <0f> 0b 41 bc ea ff ff ff eb cb e8 cf 31 d6 fa 0f 0b 41 bc ea ff ff
[   45.151783][   T26] RSP: 0018:ffffc90000a1efe8 EFLAGS: 00010293
[   45.157894][   T26] RAX: 0000000000000000 RBX: ffff88801ec42880 RCX: 0000000000000000
[   45.165970][   T26] RDX: ffff888017670000 RSI: ffffffff86ae1462 RDI: 0000000000000002
[   45.174011][   T26] RBP: ffff888021070880 R08: 0000000000000002 R09: 0000000000000000
[   45.182018][   T26] R10: 0000000000000000 R11: 1ffffffff219823a R12: 0000000000000000
[   45.190046][   T26] R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
[   45.198037][   T26] FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
[   45.207073][   T26] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   45.213653][   T26] CR2: 0000557263a600f0 CR3: 000000002a1a9000 CR4: 0000000000350ee0
[   45.221649][   T26] Call Trace:
[   45.224925][   T26]  <TASK>
[   45.227902][   T26]  ? __warn+0xe6/0x390
[   45.231982][   T26]  ? media_create_pad_link+0x4e2/0x650
[   45.237498][   T26]  ? report_bug+0x2da/0x500
[   45.242037][   T26]  ? handle_bug+0x3c/0x70
[   45.246405][   T26]  ? exc_invalid_op+0x18/0x50
[   45.251085][   T26]  ? asm_exc_invalid_op+0x1a/0x20
[   45.256096][   T26]  ? media_create_pad_link+0x4e2/0x650
[   45.261598][   T26]  ? media_create_pad_link+0x4e2/0x650
[   45.267088][   T26]  ? media_create_pad_link+0x4e2/0x650
[   45.272533][   T26]  uvc_mc_register_entities+0x629/0xaa0
[   45.278102][   T26]  uvc_probe+0x283e/0x4790
[   45.282528][   T26]  usb_probe_interface+0x30f/0x960
[   45.287671][   T26]  ? usb_match_dynamic_id+0x1a0/0x1a0
[   45.293050][   T26]  really_probe+0x240/0xca0
[   45.297603][   T26]  __driver_probe_device+0x1df/0x4b0
[   45.302907][   T26]  ? usb_match_id.part.0+0x163/0x1b0
[   45.308286][   T26]  driver_probe_device+0x4c/0x1a0
[   45.313331][   T26]  __device_attach_driver+0x1d4/0x2e0
[   45.318750][   T26]  bus_for_each_drv+0x149/0x1d0
[   45.323643][   T26]  ? driver_probe_device+0x1a0/0x1a0
[   45.328954][   T26]  ? bus_for_each_dev+0x1c0/0x1c0
[   45.333990][   T26]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   45.339919][   T26]  ? lockdep_hardirqs_on+0x7d/0x100
[   45.345125][   T26]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[   45.350963][   T26]  __device_attach+0x1e4/0x4b0
[   45.355740][   T26]  ? device_driver_attach+0x210/0x210
[   45.361139][   T26]  ? do_raw_spin_unlock+0x175/0x230
[   45.366379][   T26]  bus_probe_device+0x17c/0x1c0
[   45.371220][   T26]  device_add+0x112d/0x1a40
[   45.375726][   T26]  ? __fw_devlink_link_to_consumers.isra.0+0x270/0x270
[   45.382605][   T26]  ? mark_held_locks+0x9f/0xe0
[   45.387393][   T26]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   45.393194][   T26]  usb_set_configuration+0x1196/0x1bc0
[   45.398691][   T26]  usb_generic_driver_probe+0xcf/0x130
[   45.404155][   T26]  usb_probe_device+0xd8/0x2c0
[   45.408940][   T26]  ? usb_driver_release_interface+0x190/0x190
[   45.415012][   T26]  really_probe+0x240/0xca0
[   45.419551][   T26]  __driver_probe_device+0x1df/0x4b0
[   45.424870][   T26]  driver_probe_device+0x4c/0x1a0
[   45.429981][   T26]  __device_attach_driver+0x1d4/0x2e0
[   45.435404][   T26]  bus_for_each_drv+0x149/0x1d0
[   45.440313][   T26]  ? driver_probe_device+0x1a0/0x1a0
[   45.445620][   T26]  ? bus_for_each_dev+0x1c0/0x1c0
[   45.450680][   T26]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   45.456516][   T26]  ? lockdep_hardirqs_on+0x7d/0x100
[   45.461717][   T26]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[   45.467555][   T26]  __device_attach+0x1e4/0x4b0
[   45.472329][   T26]  ? device_driver_attach+0x210/0x210
[   45.477726][   T26]  ? do_raw_spin_unlock+0x175/0x230
[   45.482935][   T26]  bus_probe_device+0x17c/0x1c0
[   45.487829][   T26]  device_add+0x112d/0x1a40
[   45.492340][   T26]  ? __fw_devlink_link_to_consumers.isra.0+0x270/0x270
[   45.499212][   T26]  ? add_device_randomness+0xb8/0xe0
[   45.504509][   T26]  usb_new_device+0xcb2/0x19d0
[   45.509302][   T26]  ? hub_disconnect+0x520/0x520
[   45.514160][   T26]  ? _raw_spin_unlock_irq+0x23/0x50
[   45.519391][   T26]  hub_event+0x2d9e/0x4e40
[   45.523822][   T26]  ? hub_port_debounce+0x3b0/0x3b0
[   45.528962][   T26]  ? lock_sync+0x190/0x190
[   45.533385][   T26]  ? lock_downgrade+0x690/0x690
[   45.538257][   T26]  ? do_raw_spin_lock+0x124/0x2b0
[   45.543291][   T26]  ? _raw_spin_unlock_irq+0x23/0x50
[   45.548524][   T26]  process_one_work+0x99a/0x15e0
[   45.553561][   T26]  ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[   45.558984][   T26]  ? spin_bug+0x1c0/0x1c0
[   45.563332][   T26]  ? _raw_spin_lock_irq+0x45/0x50
[   45.568462][   T26]  worker_thread+0x67d/0x10c0
[   45.573178][   T26]  ? process_one_work+0x15e0/0x15e0
[   45.578420][   T26]  kthread+0x344/0x440
[   45.582494][   T26]  ? kthread_complete_and_exit+0x40/0x40
[   45.588273][   T26]  ret_from_fork+0x1f/0x30
[   45.592697][   T26]  </TASK>
[   45.595699][   T26] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   45.602954][   T26] CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.4.0-rc5-syzkaller #0
[   45.611083][   T26] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
[   45.621122][   T26] Workqueue: usb_hub_wq hub_event
[   45.626135][   T26] Call Trace:
[   45.629404][   T26]  <TASK>
[   45.632317][   T26]  dump_stack_lvl+0xd9/0x150
[   45.636887][   T26]  panic+0x686/0x730
[   45.640764][   T26]  ? panic_smp_self_stop+0xa0/0xa0
[   45.645853][   T26]  ? show_trace_log_lvl+0x284/0x390
[   45.651041][   T26]  ? media_create_pad_link+0x4e2/0x650
[   45.656485][   T26]  check_panic_on_warn+0xb1/0xc0
[   45.661413][   T26]  __warn+0xf2/0x390
[   45.665306][   T26]  ? media_create_pad_link+0x4e2/0x650
[   45.670749][   T26]  report_bug+0x2da/0x500
[   45.675080][   T26]  handle_bug+0x3c/0x70
[   45.679213][   T26]  exc_invalid_op+0x18/0x50
[   45.683714][   T26]  asm_exc_invalid_op+0x1a/0x20
[   45.688546][   T26] RIP: 0010:media_create_pad_link+0x4e2/0x650
[   45.694597][   T26] Code: 04 32 d6 fa 44 89 e0 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 e8 ed 31 d6 fa 0f 0b 41 bc ea ff ff ff eb da e8 de 31 d6 fa <0f> 0b 41 bc ea ff ff ff eb cb e8 cf 31 d6 fa 0f 0b 41 bc ea ff ff
[   45.714187][   T26] RSP: 0018:ffffc90000a1efe8 EFLAGS: 00010293
[   45.720244][   T26] RAX: 0000000000000000 RBX: ffff88801ec42880 RCX: 0000000000000000
[   45.728207][   T26] RDX: ffff888017670000 RSI: ffffffff86ae1462 RDI: 0000000000000002
[   45.736167][   T26] RBP: ffff888021070880 R08: 0000000000000002 R09: 0000000000000000
[   45.744123][   T26] R10: 0000000000000000 R11: 1ffffffff219823a R12: 0000000000000000
[   45.752114][   T26] R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
[   45.760081][   T26]  ? media_create_pad_link+0x4e2/0x650
[   45.765552][   T26]  ? media_create_pad_link+0x4e2/0x650
[   45.771014][   T26]  uvc_mc_register_entities+0x629/0xaa0
[   45.776556][   T26]  uvc_probe+0x283e/0x4790
[   45.780977][   T26]  usb_probe_interface+0x30f/0x960
[   45.786085][   T26]  ? usb_match_dynamic_id+0x1a0/0x1a0
[   45.791449][   T26]  really_probe+0x240/0xca0
[   45.795957][   T26]  __driver_probe_device+0x1df/0x4b0
[   45.801255][   T26]  ? usb_match_id.part.0+0x163/0x1b0
[   45.806540][   T26]  driver_probe_device+0x4c/0x1a0
[   45.811560][   T26]  __device_attach_driver+0x1d4/0x2e0
[   45.816927][   T26]  bus_for_each_drv+0x149/0x1d0
[   45.821768][   T26]  ? driver_probe_device+0x1a0/0x1a0
[   45.827049][   T26]  ? bus_for_each_dev+0x1c0/0x1c0
[   45.832062][   T26]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   45.837861][   T26]  ? lockdep_hardirqs_on+0x7d/0x100
[   45.843049][   T26]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[   45.848852][   T26]  __device_attach+0x1e4/0x4b0
[   45.853610][   T26]  ? device_driver_attach+0x210/0x210
[   45.858978][   T26]  ? do_raw_spin_unlock+0x175/0x230
[   45.864180][   T26]  bus_probe_device+0x17c/0x1c0
[   45.869027][   T26]  device_add+0x112d/0x1a40
[   45.873530][   T26]  ? __fw_devlink_link_to_consumers.isra.0+0x270/0x270
[   45.880370][   T26]  ? mark_held_locks+0x9f/0xe0
[   45.885132][   T26]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   45.890937][   T26]  usb_set_configuration+0x1196/0x1bc0
[   45.896400][   T26]  usb_generic_driver_probe+0xcf/0x130
[   45.901851][   T26]  usb_probe_device+0xd8/0x2c0
[   45.906631][   T26]  ? usb_driver_release_interface+0x190/0x190
[   45.912700][   T26]  really_probe+0x240/0xca0
[   45.917197][   T26]  __driver_probe_device+0x1df/0x4b0
[   45.922479][   T26]  driver_probe_device+0x4c/0x1a0
[   45.927502][   T26]  __device_attach_driver+0x1d4/0x2e0
[   45.932868][   T26]  bus_for_each_drv+0x149/0x1d0
[   45.937708][   T26]  ? driver_probe_device+0x1a0/0x1a0
[   45.942995][   T26]  ? bus_for_each_dev+0x1c0/0x1c0
[   45.948011][   T26]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   45.953808][   T26]  ? lockdep_hardirqs_on+0x7d/0x100
[   45.959003][   T26]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[   45.964804][   T26]  __device_attach+0x1e4/0x4b0
[   45.969562][   T26]  ? device_driver_attach+0x210/0x210
[   45.974925][   T26]  ? do_raw_spin_unlock+0x175/0x230
[   45.980118][   T26]  bus_probe_device+0x17c/0x1c0
[   45.984963][   T26]  device_add+0x112d/0x1a40
[   45.989464][   T26]  ? __fw_devlink_link_to_consumers.isra.0+0x270/0x270
[   45.996308][   T26]  ? add_device_randomness+0xb8/0xe0
[   46.001590][   T26]  usb_new_device+0xcb2/0x19d0
[   46.006346][   T26]  ? hub_disconnect+0x520/0x520
[   46.011187][   T26]  ? _raw_spin_unlock_irq+0x23/0x50
[   46.016382][   T26]  hub_event+0x2d9e/0x4e40
[   46.020798][   T26]  ? hub_port_debounce+0x3b0/0x3b0
[   46.025899][   T26]  ? lock_sync+0x190/0x190
[   46.030309][   T26]  ? lock_downgrade+0x690/0x690
[   46.035150][   T26]  ? do_raw_spin_lock+0x124/0x2b0
[   46.040255][   T26]  ? _raw_spin_unlock_irq+0x23/0x50
[   46.045447][   T26]  process_one_work+0x99a/0x15e0
[   46.050385][   T26]  ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[   46.055756][   T26]  ? spin_bug+0x1c0/0x1c0
[   46.060077][   T26]  ? _raw_spin_lock_irq+0x45/0x50
[   46.065182][   T26]  worker_thread+0x67d/0x10c0
[   46.069858][   T26]  ? process_one_work+0x15e0/0x15e0
[   46.075052][   T26]  kthread+0x344/0x440
[   46.079196][   T26]  ? kthread_complete_and_exit+0x40/0x40
[   46.084820][   T26]  ret_from_fork+0x1f/0x30
[   46.089237][   T26]  </TASK>
[   46.093132][   T26] Kernel Offset: disabled
[   46.097511][   T26] Rebooting in 86400 seconds..