program:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc) (async)
r1 = bpf$PROG_LOAD(0x5, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000100)='kmem_cache_free\x00', r1}, 0x10) (async)
sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000008c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0)
r2 = openat$comedi(0xffffff9c, &(0x7f0000000040)='/dev/comedi3\x00', 0x2000, 0x0)
ioctl$COMEDI_DEVCONFIG(r2, 0x40946400, &(0x7f0000000080)={'das16m1\x00', [0x2f00, 0x80008000, 0x1, 0xa, 0x0, 0x0, 0x1, 0xf, 0x1000, 0x1, 0x8, 0x1, 0x6, 0x4, 0xffff, 0x6, 0xffffffa7, 0x9, 0xfffffffd, 0x1, 0x3ff, 0x10000, 0x800, 0xe2df, 0x9, 0x1, 0x4, 0x3, 0x7, 0x5, 0x5]}) (async)
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000000)={&(0x7f0000000380)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x30, 0x30, 0x3, [@func_proto={0x0, 0x3, 0x0, 0xd, 0x0, [{0x407, 0x2}, {0x3, 0x20004}, {}]}, @type_tag={0x5, 0x0, 0x0, 0x12, 0x1}]}, {0x0, [0x61]}}, 0x0, 0x4b, 0x0, 0x1}, 0x28) (async, rerun: 32)
r3 = socket$inet6_tcp(0xa, 0x1, 0x0) (rerun: 32)
bind$inet6(r3, &(0x7f0000000100)={0xa, 0x4e22}, 0x1c)
listen(r3, 0xfff) (async)
syz_emit_ethernet(0x262, &(0x7f0000000940)=ANY=[@ANYBLOB="aaaaaaaaaaaaaaaaaaaaaa0086dd60000000022c0600fe8000000000000000000000000000bbfe8000000000000000000000000000aa2b00000000000000060235c7000100002f08010200000000fc000000000000000000000000000000fe8000000000000000000000000000bb20010000000000000000000000000002fc010000000000000000000000000000320c040608100100fc010000000000000000000000000000ff010000000000000000000000000001fe8000000000000000000000000000aaff020000000000000000000000000001fc000000000000000000000000000000fe8000000000000000000000000000203a1400000000000005020007010400000000c910fe80000000000000000000000000000a06501d09ee6526d93c35c600232c77d5bfbf41c6e0a63228c590e633890298626d0729945bb5425f66aa464a9718a27eb1798727d13b9457fe00cec56fa0673022cd19739b1d1be3a435de34dcfebe91e2c3000100040109071800000001040606000300000000000000030000000000000000010004010dc9100000000000000000000000000000000100002101000000000000c204000080000001000000000000000032008118660000003302010700000000000000000000000000000000000000003a0b0000000000000740000000010e0001000900000000000000a3040000000000000100000000000000f2080000000000000100000000000000fdffffffffffffff03000000000000000718000000020409268701000000000000000600000000000000000000005d0003786800000000004e22", @ANYRES32=0x41424344, @ANYRES32=0x41424344, @ANYBLOB="50020000907800009931e0ae69ee8b5a313178b97c3a95645a4557bcd772775ab89820c126ef1de23096f50466c3a07563702863526f52cce3d714cf38817b3b4de061e7f910de2fdf1975aab74f8ea4a447"], 0x0)
syz_emit_ethernet(0x52, &(0x7f00000004c0)={@multicast, @link_local, @val={@val={0x88a8, 0x1, 0x1, 0x3}, {0x8100, 0x6, 0x1}}, {@ipv6={0x86dd, @tcp={0x0, 0x6, "8a35f2", 0x14, 0x6, 0x0, @remote, @local, {[], {{0x0, 0x4e22, 0x41424344, 0x41424344, 0x0, 0x0, 0x5}}}}}}}, 0x0)
syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000180)=ANY=[@ANYBLOB="12013f00000000407f04ffff000000000001090224"], 0x0) (async, rerun: 64)
syz_emit_ethernet(0x4a, &(0x7f0000000440)={@remote, @dev, @void, {@ipv6={0x86dd, @tcp={0x0, 0x6, '6\x00', 0x14, 0x6, 0x0, @remote, @rand_addr=' \x01\x00', {[], {{0x0, 0x4e22, 0x41424344, 0x41424344, 0x0, 0x0, 0x5, 0x2}}}}}}}, 0x0) (async, rerun: 64)
r4 = openat$hwrng(0xffffffffffffff9c, &(0x7f00000001c0), 0x292342, 0x0)
r5 = socket(0x10, 0x803, 0x0) (async, rerun: 32)
r6 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0) (rerun: 32)
ioctl$TUNSETIFF(r6, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101}) (async)
r7 = socket(0x400000000010, 0x3, 0x0) (async)
r8 = socket$unix(0x1, 0x5, 0x0)
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r9=>0x0})
sendmsg$nl_route_sched(r7, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000005c0)=@newqdisc={0x38, 0x24, 0x4ee4e6a52ff56541, 0x70bd2a, 0xffffffff, {0x0, 0x0, 0x0, r9, {0x0, 0xfff1}, {0xffff, 0xffff}, {0x0, 0xf}}, [@qdisc_kind_options=@q_multiq={{0xb}, {0x8, 0x2, {0x1}}}]}, 0x38}}, 0x0) (async)
sendmsg$nl_route_sched(r5, &(0x7f0000006040)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000002c0)=@newtfilter={0x4c, 0x2c, 0xd2b, 0x0, 0x0, {0x0, 0x0, 0x0, r9, {0x4, 0xfff3}, {}, {0x7}}, [@filter_kind_options=@f_flow={{0x9}, {0x1c, 0x2, [@TCA_FLOW_MODE={0x8, 0x2, 0x1}, @TCA_FLOW_MASK={0x8, 0x6, 0x8001}, @TCA_FLOW_KEYS={0x8, 0x1, 0x6fc1}]}}]}, 0x4c}}, 0x4044040)
bpf$BPF_GET_MAP_INFO(0xf, &(0x7f0000000340)={r4, 0x58, &(0x7f00000002c0)}, 0x10) (async)
r10 = io_uring_setup(0x3ca9, &(0x7f00000000c0)={0x0, 0xd4ea, 0x2, 0x0, 0x3})
io_uring_enter(r10, 0x6a8a, 0xffefffff, 0x21, &(0x7f0000000040)={[0xffffffffffffffff]}, 0x8)
sendmsg$NFT_MSG_GETTABLE(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000100)=ANY=[@ANYBLOB="14000000010a"], 0x14}}, 0x0)
ioctl$IOCTL_GET_NCIDEV_IDX(0xffffffffffffffff, 0x0, &(0x7f0000000080))
r11 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r11, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000140)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000010000000900010073797a3000000000140000001100010000000000000100000000000ad19589f860"], 0x48}, 0x1, 0x0, 0x0, 0x8040}, 0x0)

[   84.458581][ T5322] Bluetooth: hci0: command tx timeout
[   84.562586][ T5344] ------------[ cut here ]------------
[   84.565059][ T5344] UBSAN: shift-out-of-bounds in drivers/comedi/drivers/das16m1.c:525:9
[   84.568224][ T5344] shift exponent -2147450880 is negative
[   84.605434][ T5344] CPU: 0 UID: 0 PID: 5344 Comm: syz.0.0 Not tainted 6.16.0-rc5-syzkaller-00121-gbc9ff192a6c9 #0 PREEMPT(full) 
[   84.605454][ T5344] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   84.605461][ T5344] Call Trace:
[   84.605465][ T5344]  <TASK>
[   84.605470][ T5344]  dump_stack_lvl+0x189/0x250
[   84.605568][ T5344]  ? __pfx_dump_stack_lvl+0x10/0x10
[   84.605582][ T5344]  ? __pfx__printk+0x10/0x10
[   84.605606][ T5344]  ubsan_epilogue+0xa/0x40
[   84.605621][ T5344]  __ubsan_handle_shift_out_of_bounds+0x386/0x410
[   84.605672][ T5344]  ? __comedi_request_region+0x74/0x140
[   84.605730][ T5344]  das16m1_attach+0x8ee/0xb20
[   84.605750][ T5344]  comedi_device_attach+0x520/0x670
[   84.605767][ T5344]  comedi_unlocked_ioctl+0x686/0xf40
[   84.605788][ T5344]  ? __pfx_comedi_unlocked_ioctl+0x10/0x10
[   84.605822][ T5344]  ? __lock_acquire+0xab9/0xd20
[   84.605847][ T5344]  ? __fget_files+0x2a/0x420
[   84.605864][ T5344]  ? __fget_files+0x2a/0x420
[   84.605878][ T5344]  ? __fget_files+0x3a0/0x420
[   84.605891][ T5344]  ? __fget_files+0x2a/0x420
[   84.605906][ T5344]  ? bpf_lsm_file_ioctl+0x9/0x20
[   84.605918][ T5344]  ? __pfx_comedi_unlocked_ioctl+0x10/0x10
[   84.605940][ T5344]  __se_sys_ioctl+0xfc/0x170
[   84.605955][ T5344]  do_syscall_64+0xfa/0x3b0
[   84.606007][ T5344]  ? lockdep_hardirqs_on+0x9c/0x150
[   84.606024][ T5344]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.606035][ T5344]  ? clear_bhb_loop+0x60/0xb0
[   84.606049][ T5344]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.606060][ T5344] RIP: 0033:0x7fed3bb8e929
[   84.606071][ T5344] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   84.606081][ T5344] RSP: 002b:00007fed37ff5038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   84.606094][ T5344] RAX: ffffffffffffffda RBX: 00007fed3bdb5fa0 RCX: 00007fed3bb8e929
[   84.606102][ T5344] RDX: 0000200000000080 RSI: 0000000040946400 RDI: 0000000000000004
[   84.606108][ T5344] RBP: 00007fed3bc10b39 R08: 0000000000000000 R09: 0000000000000000
[   84.606115][ T5344] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   84.606120][ T5344] R13: 0000000000000000 R14: 00007fed3bdb5fa0 R15: 00007fff9213c048
[   84.606137][ T5344]  </TASK>
[   84.606142][ T5344] ---[ end trace ]---
[   84.712536][ T5344] Kernel panic - not syncing: UBSAN: panic_on_warn set ...
[   84.715410][ T5344] CPU: 0 UID: 0 PID: 5344 Comm: syz.0.0 Not tainted 6.16.0-rc5-syzkaller-00121-gbc9ff192a6c9 #0 PREEMPT(full) 
[   84.719922][ T5344] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   84.724047][ T5344] Call Trace:
[   84.725373][ T5344]  <TASK>
[   84.726826][ T5344]  dump_stack_lvl+0x99/0x250
[   84.728896][ T5344]  ? __asan_memcpy+0x40/0x70
[   84.730952][ T5344]  ? __pfx_dump_stack_lvl+0x10/0x10
[   84.733249][ T5344]  ? __pfx__printk+0x10/0x10
[   84.735161][ T5344]  panic+0x2db/0x790
[   84.736903][ T5344]  ? __pfx_panic+0x10/0x10
[   84.738766][ T5344]  ? _printk+0xcf/0x120
[   84.740570][ T5344]  ? __pfx__printk+0x10/0x10
[   84.742495][ T5344]  check_panic_on_warn+0x89/0xb0
[   84.744655][ T5344]  __ubsan_handle_shift_out_of_bounds+0x386/0x410
[   84.747319][ T5344]  ? __comedi_request_region+0x74/0x140
[   84.749660][ T5344]  das16m1_attach+0x8ee/0xb20
[   84.751677][ T5344]  comedi_device_attach+0x520/0x670
[   84.753859][ T5344]  comedi_unlocked_ioctl+0x686/0xf40
[   84.756159][ T5344]  ? __pfx_comedi_unlocked_ioctl+0x10/0x10
[   84.758603][ T5344]  ? __lock_acquire+0xab9/0xd20
[   84.760576][ T5344]  ? __fget_files+0x2a/0x420
[   84.762528][ T5344]  ? __fget_files+0x2a/0x420
[   84.764713][ T5344]  ? __fget_files+0x3a0/0x420
[   84.766642][ T5344]  ? __fget_files+0x2a/0x420
[   84.768748][ T5344]  ? bpf_lsm_file_ioctl+0x9/0x20
[   84.770952][ T5344]  ? __pfx_comedi_unlocked_ioctl+0x10/0x10
[   84.773584][ T5344]  __se_sys_ioctl+0xfc/0x170
[   84.775562][ T5344]  do_syscall_64+0xfa/0x3b0
[   84.777541][ T5344]  ? lockdep_hardirqs_on+0x9c/0x150
[   84.779684][ T5344]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.782256][ T5344]  ? clear_bhb_loop+0x60/0xb0
[   84.784276][ T5344]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.786462][ T5344] RIP: 0033:0x7fed3bb8e929
[   84.788294][ T5344] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   84.799386][ T5344] RSP: 002b:00007fed37ff5038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   84.802982][ T5344] RAX: ffffffffffffffda RBX: 00007fed3bdb5fa0 RCX: 00007fed3bb8e929
[   84.806171][ T5344] RDX: 0000200000000080 RSI: 0000000040946400 RDI: 0000000000000004
[   84.809543][ T5344] RBP: 00007fed3bc10b39 R08: 0000000000000000 R09: 0000000000000000
[   84.812815][ T5344] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   84.816080][ T5344] R13: 0000000000000000 R14: 00007fed3bdb5fa0 R15: 00007fff9213c048
[   84.819586][ T5344]  </TASK>
[   84.821340][ T5344] Kernel Offset: disabled
[   84.823291][ T5344] Rebooting in 86400 seconds..