last executing test programs: 2m40.326677255s ago: executing program 3 (id=3401): sendmsg$nl_xfrm(0xffffffffffffffff, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000000340)={&(0x7f0000000040)=@allocspi={0xf8, 0x16, 0x1, 0x0, 0x0, {{{@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @in6=@mcast1, 0x0, 0x0, 0x0, 0x82, 0x0, 0x0, 0x0, 0x33, 0x0, 0xffffffffffffffff}, {@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x0, 0x33}, @in=@broadcast, {}, {0x0, 0x0, 0x0, 0xfffffffffffffffd}, {}, 0x0, 0x0, 0x2}}}, 0xf8}}, 0x0) syz_emit_ethernet(0x6e, &(0x7f0000000040)=ANY=[@ANYBLOB="0180c2000002aaaaaaaaaaaa08004500006000000000002f9078640101000000000024806558000000000000000010000800000086dd"], 0x0) sendmsg$NL80211_CMD_FRAME(0xffffffffffffffff, &(0x7f0000001380)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=ANY=[@ANYBLOB="f4060000", @ANYRES16, @ANYBLOB="01000000000000e14f003b00000008000300", @ANYRES32, @ANYBLOB="d50633"], 0x6f4}}, 0x0) r0 = socket$kcm(0x10, 0x2, 0x10) sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000001c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a03000000000000000000070000040900010073797a30000000009c000000090a010400000000000000000700000308000a40000000000900020073797a30000000000900010073797a3000000000080005400000000d58001280200001800e000100636f6e6e6c696d69740000000c0002800800014000000008200001800e000100636f6e6e6c696d69740000000c00028008000140000000001400017b090001006cdbf80789f3f947dd000280080003"], 0xe4}, 0x1, 0x0, 0x0, 0x8001}, 0x20050840) sendmsg$kcm(r0, &(0x7f0000000000)={0x0, 0xd18c9b25, &(0x7f0000000080)=[{&(0x7f0000000040)="e03f030041000b05d25a806c8c6394f90324fc60100000000a000200053582c137153e3704020180fc5409000c00", 0x33fe0}], 0x1}, 0x0) 2m40.244566957s ago: executing program 3 (id=3403): mknod$loop(&(0x7f0000000000)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x800, 0x1) rename(&(0x7f0000000380)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x0) openat$adsp1(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0) r0 = add_key$user(&(0x7f0000000380), &(0x7f0000000000), &(0x7f00000003c0)='X', 0x1, 0xfffffffffffffffe) r1 = add_key$user(&(0x7f0000000200), &(0x7f00000005c0), &(0x7f00000000c0), 0x390, 0xfffffffffffffffd) keyctl$dh_compute(0x17, &(0x7f0000000100)={r0, r1, r1}, 0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000040)={'streebog512-generic\x00'}}) 2m40.124206975s ago: executing program 3 (id=3405): r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000000)={0x26, 'skcipher\x00', 0x0, 0x0, 'ecb(des3_ede)\x00'}, 0x58) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000c18000)="ad56b6c5820fae9d6dcd3292ea54c7beef915d564c90c200", 0x18) r1 = accept4(r0, 0x0, 0x0, 0x80800) sendmsg$NL80211_CMD_SET_TX_BITRATE_MASK(r1, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000480)=ANY=[], 0x230}, 0x1, 0x0, 0x0, 0x80d0}, 0x0) recvmsg(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f00000000c0)=""/4, 0x4}, {&(0x7f0000010080)=""/182, 0xb6}], 0x2}, 0x2120) 2m40.012798038s ago: executing program 3 (id=3407): mkdirat(0xffffffffffffff9c, &(0x7f0000000440)='./file0\x00', 0x0) r0 = openat$fuse(0xffffffffffffff9c, &(0x7f0000000180), 0x42, 0x0) mount$fuse(0x0, &(0x7f00000020c0)='./file0\x00', &(0x7f0000000080), 0x0, &(0x7f00000003c0)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=r0, @ANYBLOB=',rootmode=00000000000000000040000,user_id=', @ANYRESDEC=0x0, @ANYBLOB=',group_id=', @ANYRESDEC=0x0]) r1 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901) move_mount(r1, 0x0, 0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x226) move_mount(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', r1, &(0x7f0000000100)='./file0\x00', 0x1) 2m39.915721357s ago: executing program 3 (id=3409): setsockopt(0xffffffffffffffff, 0x1, 0x100009, &(0x7f0000000100)="9811dc27743305040ae15f", 0xb) r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40a01, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201}) r1 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r0, &(0x7f00000000c0)=ANY=[@ANYBLOB="001c86dd0700100000004000000060ec97000fc83c00fe8000000000000000000000000000aaff02000000000000000000000000000106"], 0xffe) 2m39.659039694s ago: executing program 3 (id=3415): r0 = memfd_create(&(0x7f0000000140)='y\x105\xf3\xf7u\x83%:r\xc2\xb9x\xa4q\xc1\xea_\x8cZ7\xe7a\x9b\x11x\x0e\xa1\xcf\x1a\x98S7\xc9\x00\x00\x00\x00\x00\x00\a\x00\x00\x00\x00\x00\x00\x04\x879\xa24\xa9am\xde\xb2\xd3\xcbZJoa\xc4\x1acB\xaa\xc1\xfb Q\xd4\xf4\x01\xa52\xe2DG\xd4\xbd{\x9f\xa9\x97\x9b@\xdbU\xb1\xe1br\xb6\x008\xe3\x10\xff\xc2\x9d\r2\x9e\x8e\x04sW\x1b\xb7\xb3\xa2\xc9&@\xca\xda\xdc\xe2/\x97X\xac\b\xb0\xc2<\x80E\x1a\xbc\xc7W\xda9VsA\xaf\xc6\x90i\xa1\xb5M\xa2\x85\xa6y\xc4J\xf1\xf7\xfcD\x95\xe3\xeb\xc7\xbc\x91\xb0\xa8\x9eo\xebF(\x9dL\x01vRk\xaacB\x04\xa7I\v\x86EZ\x96\xd5\x14O\xf8\xb5C\x1f\xb6b8b\x06A2@D\\\xe8R\xe4\xcd\xec\xcc\xd1\x0fre\xe86\xcd\xeb\xc4$\x98\x06J\xd6dD\x8d_U`ji{\xab\x97\xaf;l\x1f\xaf\xb38U\xcb\xfa\xb3j\x92\f\x81\xa0\xa2-g\b\x99\x0e\x8d\x8d\x16\x05\x00\x00\x00\x00\x00\x00\x00\'\x93\xef\x1d\xa0H\xd9\xbd\xd9\xaf\x12$\x8d\x16%\x8b\x00\x88\xd1\x1eQB\x18\xc1-\xc4\x8fK\xf8\xfa\xb6\xf8\v;\xaa\x8fW\xcc\n\x17\x7f\x98\xb7\xcdqV\xd4\xf0)\xfa\x0fG\xc8\xbf\xfd\xe8>K\f\xcd+\xb0\x99Q\xba/\xa8\xb9`k\b\xd1\xcc\xfc\xeaA\"\v=\x83fC\x90%\xa1d\x91\xf8:\x16<\xad\xc2\x18\xdf\x01\xe2\x96\xfcj\xe9\xa4\x065m\x03\x05Np\xda\"\xf1\xb6\xbcP\x8fP\x8d\x89%\xf2\x12T\xd0\xc3\x15W\x9c\x87\x1b\x8c\xc9\xd9\xc6\xad\x96-d\xa2wFB\xcaB\xa5\x15\xf8,\x04\x1c*\xd98\x8bG\x90\x81`\x03\xe0\xde\x9c\x9a\x0f\x1b\x8f\xd2%*&$Wc\xb3\xa6\xc4TK1}2\xb3\xab\xf4\xb7\xb7\x85\apa\xaf\x1c\x10i\xb9\x9f\x06\xff4%\"7f \x0e\xf5Bk\r\xac\"\x13tNx\xc0$\x85\x9f', 0x2) ftruncate(r0, 0xffff) fcntl$addseals(r0, 0x409, 0x7) r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events.local\x00', 0x275a, 0x0) ftruncate(r1, 0x2000009) sendfile(r0, r1, 0x0, 0x7ffff004) 2m39.47519455s ago: executing program 32 (id=3415): r0 = memfd_create(&(0x7f0000000140)='y\x105\xf3\xf7u\x83%:r\xc2\xb9x\xa4q\xc1\xea_\x8cZ7\xe7a\x9b\x11x\x0e\xa1\xcf\x1a\x98S7\xc9\x00\x00\x00\x00\x00\x00\a\x00\x00\x00\x00\x00\x00\x04\x879\xa24\xa9am\xde\xb2\xd3\xcbZJoa\xc4\x1acB\xaa\xc1\xfb Q\xd4\xf4\x01\xa52\xe2DG\xd4\xbd{\x9f\xa9\x97\x9b@\xdbU\xb1\xe1br\xb6\x008\xe3\x10\xff\xc2\x9d\r2\x9e\x8e\x04sW\x1b\xb7\xb3\xa2\xc9&@\xca\xda\xdc\xe2/\x97X\xac\b\xb0\xc2<\x80E\x1a\xbc\xc7W\xda9VsA\xaf\xc6\x90i\xa1\xb5M\xa2\x85\xa6y\xc4J\xf1\xf7\xfcD\x95\xe3\xeb\xc7\xbc\x91\xb0\xa8\x9eo\xebF(\x9dL\x01vRk\xaacB\x04\xa7I\v\x86EZ\x96\xd5\x14O\xf8\xb5C\x1f\xb6b8b\x06A2@D\\\xe8R\xe4\xcd\xec\xcc\xd1\x0fre\xe86\xcd\xeb\xc4$\x98\x06J\xd6dD\x8d_U`ji{\xab\x97\xaf;l\x1f\xaf\xb38U\xcb\xfa\xb3j\x92\f\x81\xa0\xa2-g\b\x99\x0e\x8d\x8d\x16\x05\x00\x00\x00\x00\x00\x00\x00\'\x93\xef\x1d\xa0H\xd9\xbd\xd9\xaf\x12$\x8d\x16%\x8b\x00\x88\xd1\x1eQB\x18\xc1-\xc4\x8fK\xf8\xfa\xb6\xf8\v;\xaa\x8fW\xcc\n\x17\x7f\x98\xb7\xcdqV\xd4\xf0)\xfa\x0fG\xc8\xbf\xfd\xe8>K\f\xcd+\xb0\x99Q\xba/\xa8\xb9`k\b\xd1\xcc\xfc\xeaA\"\v=\x83fC\x90%\xa1d\x91\xf8:\x16<\xad\xc2\x18\xdf\x01\xe2\x96\xfcj\xe9\xa4\x065m\x03\x05Np\xda\"\xf1\xb6\xbcP\x8fP\x8d\x89%\xf2\x12T\xd0\xc3\x15W\x9c\x87\x1b\x8c\xc9\xd9\xc6\xad\x96-d\xa2wFB\xcaB\xa5\x15\xf8,\x04\x1c*\xd98\x8bG\x90\x81`\x03\xe0\xde\x9c\x9a\x0f\x1b\x8f\xd2%*&$Wc\xb3\xa6\xc4TK1}2\xb3\xab\xf4\xb7\xb7\x85\apa\xaf\x1c\x10i\xb9\x9f\x06\xff4%\"7f \x0e\xf5Bk\r\xac\"\x13tNx\xc0$\x85\x9f', 0x2) ftruncate(r0, 0xffff) fcntl$addseals(r0, 0x409, 0x7) r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events.local\x00', 0x275a, 0x0) ftruncate(r1, 0x2000009) sendfile(r0, r1, 0x0, 0x7ffff004) 1m26.84138158s ago: executing program 5 (id=4193): r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket(0x10, 0x803, 0x0) bind$netlink(r1, &(0x7f0000000100)={0x10, 0x0, 0x25dfdbfd, 0x400}, 0xc) getsockname$packet(r1, &(0x7f0000000600)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000040)=0x14) sendmsg$nl_route(r0, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000140)=ANY=[@ANYBLOB="4400000010000d0429bd7000fcffff1f00000000", @ANYRES32=r2, @ANYBLOB="46000600800000002400128009000100626f6e640000000014000280050001000400000005000e000100"], 0x44}, 0x1, 0x0, 0x0, 0x40040}, 0x0) sendmsg$nl_route(r0, &(0x7f00000004c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000000)=@newlink={0x30, 0x10, 0x801, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x0, 0x200e3}, [@IFLA_MASTER={0x8, 0xa, r2}, @IFLA_GROUP={0x8}]}, 0x30}}, 0x0) 1m26.592995709s ago: executing program 5 (id=4198): openat$qrtrtun(0xffffffffffffff9c, &(0x7f0000002740), 0x181802) r0 = syz_io_uring_setup(0x235, &(0x7f0000001240)={0x0, 0x10008cc8, 0x10100, 0x2, 0x75}, &(0x7f0000000000)=0x0, &(0x7f0000000100)=0x0) syz_io_uring_submit(r1, r2, &(0x7f00000009c0)=@IORING_OP_WRITE={0x17, 0x0, 0x0, @fd_index=0x3, 0x0, 0x0, 0x0, 0x2}) close(0x3) openat$uhid(0xffffff9c, &(0x7f0000000080), 0x802, 0x0) io_uring_enter(r0, 0x7a98, 0x0, 0x0, 0x0, 0xfffffffffffffc76) 1m26.519446885s ago: executing program 5 (id=4200): r0 = syz_usb_connect(0x0, 0x24, &(0x7f0000000440)=ANY=[@ANYBLOB="120100002eab5a40401c3405cc6d010203010902120001000000000904"], 0x0) syz_usb_control_io$printer(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) syz_usb_control_io$printer(r0, 0x0, &(0x7f0000000480)={0x34, &(0x7f00000001c0)={0x40, 0x16, 0x4, "90b7a71b"}, 0x0, 0x0, 0x0, 0x0, 0x0}) socket$inet6_tcp(0xa, 0x1, 0x0) 1m24.626039495s ago: executing program 5 (id=4224): mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0) r0 = open_tree(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x89901) move_mount(r0, &(0x7f0000000140)='.\x00', 0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0) r1 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901) move_mount(r1, &(0x7f0000000140)='.\x00', 0xffffffffffffff9c, &(0x7f0000000300)='./file0\x00', 0x41) umount2(&(0x7f0000000200)='./file0/../file0/../file0/../file0\x00', 0x1) 1m24.546861725s ago: executing program 5 (id=4226): mmap(&(0x7f0000000000/0xa000)=nil, 0xa000, 0x3, 0x20132, 0xffffffffffffffff, 0xb2993000) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0xd3283d0368e269b2, 0x8031, 0xffffffffffffffff, 0x1000) munmap(&(0x7f0000001000/0x3000)=nil, 0x3000) r0 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0) ptrace(0x10, r0) ptrace$poke(0x4, r0, &(0x7f00000011c0), 0xfffffffffffffffe) 1m24.322211272s ago: executing program 5 (id=4231): r0 = openat$vmci(0xffffffffffffff9c, &(0x7f0000000140), 0x2, 0x0) ioctl$IOCTL_VMCI_VERSION2(r0, 0x7a7, &(0x7f0000000040)=0x90000) ioctl$IOCTL_VMCI_INIT_CONTEXT(r0, 0x7a0, &(0x7f0000000240)={@hyper}) ioctl$IOCTL_VMCI_QUEUEPAIR_ALLOC(r0, 0x7a8, &(0x7f0000000000)={{@my=0x1}, @my=0x1, 0x0, 0x0, 0x421}) ioctl$IOCTL_VMCI_QUEUEPAIR_ALLOC(r0, 0x7a8, &(0x7f0000000080)={{@hyper, 0x2}, @any, 0x0, 0x0, 0x2, 0x6, 0x9a6, 0x10001, 0x8}) ioctl$IOCTL_VMCI_QUEUEPAIR_SETPF(r0, 0x7a9, &(0x7f00000003c0)={{@my=0x1}, 0xfff, 0xffffffffffffffff, 0x0, 0x0, 0x80000, 0x2, 0x1000000000ff6, 0x58df}) 1m23.99515341s ago: executing program 33 (id=4231): r0 = openat$vmci(0xffffffffffffff9c, &(0x7f0000000140), 0x2, 0x0) ioctl$IOCTL_VMCI_VERSION2(r0, 0x7a7, &(0x7f0000000040)=0x90000) ioctl$IOCTL_VMCI_INIT_CONTEXT(r0, 0x7a0, &(0x7f0000000240)={@hyper}) ioctl$IOCTL_VMCI_QUEUEPAIR_ALLOC(r0, 0x7a8, &(0x7f0000000000)={{@my=0x1}, @my=0x1, 0x0, 0x0, 0x421}) ioctl$IOCTL_VMCI_QUEUEPAIR_ALLOC(r0, 0x7a8, &(0x7f0000000080)={{@hyper, 0x2}, @any, 0x0, 0x0, 0x2, 0x6, 0x9a6, 0x10001, 0x8}) ioctl$IOCTL_VMCI_QUEUEPAIR_SETPF(r0, 0x7a9, &(0x7f00000003c0)={{@my=0x1}, 0xfff, 0xffffffffffffffff, 0x0, 0x0, 0x80000, 0x2, 0x1000000000ff6, 0x58df}) 1m8.283107627s ago: executing program 1 (id=4363): syz_io_uring_setup(0x111, &(0x7f00000003c0)={0x0, 0xfad6, 0x100, 0x2, 0x4}, 0x0, 0x0) r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201}) r1 = socket$kcm(0x2, 0x3, 0x2) ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000000080)={'syzkaller1\x00', @broadcast}) ioctl$sock_inet_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f00000003c0)={0x0, {0x2, 0x4e1a, @rand_addr=0x64010108}, {0x2, 0x4a24, @remote}, {0x2, 0x4e25, @multicast2}, 0x84, 0x0, 0x0, 0x0, 0x2008, 0x0, 0x200003, 0x2, 0x2}) write$tun(r0, &(0x7f00000003c0)=ANY=[@ANYBLOB="080000fa"], 0xdc) 1m7.688983542s ago: executing program 1 (id=4367): r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101}) r1 = socket(0x400000000010, 0x3, 0x0) r2 = socket$unix(0x1, 0x1, 0x0) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0}) sendmsg$nl_route_sched(r1, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000005c0)=@newqdisc={0x38, 0x24, 0x4ee4e6a52ff56541, 0x70bd2a, 0x25dfdbfb, {0x0, 0x0, 0x0, r3, {0x0, 0x1}, {0xffff, 0xffff}, {0x3, 0x9}}, [@qdisc_kind_options=@q_multiq={{0xb}, {0x8}}]}, 0x38}, 0x1, 0x0, 0x0, 0x40004}, 0x4000) sendmsg$nl_route_sched(r1, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000400)=@newtfilter={0x88, 0x2c, 0xd27, 0x70bd2c, 0x25dfdbfa, {0x0, 0x0, 0x0, r3, {0x0, 0x2}, {}, {0x7, 0x9}}, [@filter_kind_options=@f_matchall={{0xd}, {0x54, 0x2, [@TCA_MATCHALL_ACT={0x50, 0x2, [@m_vlan={0x4c, 0x1, 0x0, 0x0, {{0x9}, {0x20, 0x2, 0x0, 0x1, [@TCA_VLAN_PARMS={0x1c, 0x2, {{0x7f, 0x40000008, 0xffffffffffffffff, 0x2, 0x40}, 0xa}}]}, {0x4}, {0xc, 0x7, {0x1, 0x1}}, {0xc, 0x8, {0x2, 0x2}}}}]}]}}]}, 0x88}, 0x1, 0x0, 0x0, 0x40004}, 0x20084084) 1m7.466680453s ago: executing program 1 (id=4370): madvise(&(0x7f0000a93000/0x4000)=nil, 0x4000, 0xe) mremap(&(0x7f0000a96000/0x1000)=nil, 0x1000, 0x800000, 0x3, &(0x7f0000130000/0x800000)=nil) mlock(&(0x7f0000000000/0x800000)=nil, 0x800000) mprotect(&(0x7f0000293000/0x4000)=nil, 0x4000, 0x2) mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0xfffffffffffffff3, 0x2) prctl$PR_SET_IO_FLUSHER(0x43, 0x1) prctl$PR_SET_IO_FLUSHER(0x43, 0x0) 1m7.004749608s ago: executing program 1 (id=4374): mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0) r0 = open_tree(0xffffffffffffff9c, &(0x7f0000000040)='.\x00', 0x89901) move_mount(r0, &(0x7f0000000140)='.\x00', 0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0) chroot(&(0x7f0000000300)='./file0/../file0/../file0/../file0\x00') r1 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901) move_mount(r1, &(0x7f0000000140)='.\x00', 0xffffffffffffff9c, &(0x7f0000000300)='./file0\x00', 0x0) pivot_root(&(0x7f0000000240)='./file0/../file0/../file0/../file0\x00', &(0x7f0000000080)='./file0\x00') 1m6.853474502s ago: executing program 1 (id=4376): r0 = socket$pppoe(0x18, 0x1, 0x0) r1 = socket$pppoe(0x18, 0x1, 0x0) connect$pppoe(r1, &(0x7f0000000000)={0x18, 0x0, {0x1, @empty, 'lo\x00'}}, 0x1e) r2 = socket$pppoe(0x18, 0x1, 0x0) connect$pppoe(r2, &(0x7f0000000040)={0x18, 0x0, {0x4, @remote, 'ip6gre0\x00'}}, 0x1e) connect$pppoe(r0, &(0x7f0000000080)={0x18, 0x0, {0x2, @empty, 'ip_vti0\x00'}}, 0x1e) close(r1) 1m6.56985372s ago: executing program 1 (id=4378): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = bpf$MAP_CREATE(0x0, &(0x7f00000002c0)=@base={0x2, 0x4, 0x6, 0x23, 0x0, 0x1, 0x3}, 0x50) r3 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x1b, 0x0, 0x0, 0x8000}, 0x50) bpf$PROG_LOAD(0x5, &(0x7f00000007c0)={0x11, 0x10, &(0x7f0000000180)=@framed={{0x18, 0x0, 0x0, 0x0, 0x20}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r2}, {}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}, @ringbuf_query={{0x18, 0x1, 0x1, 0x0, r3}}]}, 0x0, 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000880)={0x1, 0x10, &(0x7f0000000180)=ANY=[], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) setsockopt$sock_attach_bpf(r0, 0x1, 0x32, &(0x7f00000000c0)=r4, 0x4) sendmsg$unix(r1, &(0x7f00000006c0)={0x0, 0x0, 0x0}, 0x0) 1m6.07908327s ago: executing program 34 (id=4378): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = bpf$MAP_CREATE(0x0, &(0x7f00000002c0)=@base={0x2, 0x4, 0x6, 0x23, 0x0, 0x1, 0x3}, 0x50) r3 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x1b, 0x0, 0x0, 0x8000}, 0x50) bpf$PROG_LOAD(0x5, &(0x7f00000007c0)={0x11, 0x10, &(0x7f0000000180)=@framed={{0x18, 0x0, 0x0, 0x0, 0x20}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r2}, {}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}, @ringbuf_query={{0x18, 0x1, 0x1, 0x0, r3}}]}, 0x0, 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000880)={0x1, 0x10, &(0x7f0000000180)=ANY=[], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) setsockopt$sock_attach_bpf(r0, 0x1, 0x32, &(0x7f00000000c0)=r4, 0x4) sendmsg$unix(r1, &(0x7f00000006c0)={0x0, 0x0, 0x0}, 0x0) 31.76860815s ago: executing program 7 (id=4711): r0 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000040), 0xa1001) ioctl$SNDRV_TIMER_IOCTL_SELECT(r0, 0x40345410, &(0x7f0000000300)={{0x0, 0x2}}) r1 = openat$sndseq(0xffffffffffffff9c, &(0x7f0000000600), 0x183c81) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000003c0)={0x9c9, 0x0, 0x0, 'queue1\x00', 0x200000}) mprotect(&(0x7f0000000000/0xf000)=nil, 0xf000, 0x1) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r1, 0x40605346, &(0x7f0000000280)={0x0, 0x0, {0x3}}) ioctl$SNDRV_TIMER_IOCTL_PARAMS(r0, 0x40505412, &(0x7f00000000c0)={0x6, 0xffff81a4, 0x40, 0x0, 0xf}) 31.6516077s ago: executing program 7 (id=4715): r0 = syz_usb_connect(0x3, 0x24, &(0x7f0000000100)={{0x12, 0x1, 0x0, 0x34, 0x70, 0x9d, 0x40, 0x55f, 0xc230, 0xb6ac, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x0, 0xf2, 0xa7, 0xcc}}]}}]}}, 0x0) syz_usb_control_io(r0, 0x0, &(0x7f00000006c0)={0x84, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000680)={0x40, 0x21, 0x1, 0x9}}) syz_usb_control_io$printer(r0, 0x0, &(0x7f0000000c40)={0x1c, &(0x7f0000000a80)={0x20, 0x14}, 0x0, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000000480)={0x34, &(0x7f0000000200)={0x0, 0x8}, 0x0, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$hid(r0, 0x0, &(0x7f0000000dc0)={0x2c, &(0x7f0000000000)={0x0, 0x9}, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$hid(r0, 0x0, &(0x7f0000000780)={0x2c, &(0x7f0000000380)={0x20, 0x8}, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$rtl8150(r0, 0x0, &(0x7f0000000340)={0x2c, &(0x7f0000000140)={0x0, 0x9}, 0x0, 0x0, 0x0, 0x0}) 28.969125239s ago: executing program 7 (id=4734): syz_mount_image$fuse(0x0, &(0x7f0000000000)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0) r0 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901) move_mount(r0, &(0x7f0000000140)='.\x00', 0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0) mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', 0x0, 0x100000, 0x0) open_tree(r0, &(0x7f0000000400)='./file0\x00', 0x89901) r1 = openat$fuse(0xffffffffffffff9c, &(0x7f0000000180), 0x42, 0x0) mount$fuse(0x0, &(0x7f00000020c0)='./file0\x00', &(0x7f0000002100), 0x0, &(0x7f00000003c0)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=r1, @ANYBLOB=',rootmode=00000000000000000040000,user_id=', @ANYRESDEC=0x0, @ANYBLOB=',group_id=', @ANYRESDEC=0x0]) 28.713905221s ago: executing program 7 (id=4738): r0 = openat$autofs(0xffffffffffffff9c, &(0x7f00000000c0), 0x40100, 0x0) move_pages(0x0, 0x1efe, &(0x7f0000000080), 0x0, &(0x7f0000000040), 0x0) r1 = openat$fuse(0xffffffffffffff9c, &(0x7f00000000c0), 0x2, 0x0) syz_mount_image$fuse(&(0x7f0000000040), &(0x7f0000000000)='./file0\x00', 0x0, &(0x7f0000002200)={{'fd', 0x3d, r1}, 0x2c, {'rootmode', 0x3d, 0x4000}}, 0x0, 0x0, 0x0) r2 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901) move_mount(r2, 0x0, 0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x226) ioctl$AUTOFS_DEV_IOCTL_CATATONIC(r0, 0xc018937e, &(0x7f0000000200)={{0x1, 0x1, 0x29}, './file0\x00'}) 27.846436724s ago: executing program 7 (id=4745): prlimit64(0x0, 0xe, 0x0, 0x0) sched_setscheduler(0x0, 0x1, 0x0) sched_setscheduler(0x0, 0x2, 0x0) r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_CREATE(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000044c0)={&(0x7f00000001c0)=ANY=[@ANYBLOB="50000000020605000000000000000720000000000c00078008000640000000000500010006000000050005000200000005000400000000000900020073797a31000000000c000300686173683a6970"], 0x50}}, 0x0) r1 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_ADD(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f00000004c0)=ANY=[@ANYBLOB="44000000090601020000000000000000000000000900020073797a310000000005000100070000001c0007800c00018008000140640101020c000280080001407f"], 0x44}, 0x1, 0x0, 0x0, 0x10040047}, 0x8004) 27.618465893s ago: executing program 7 (id=4746): r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000480)={0x26, 'hash\x00', 0x0, 0x0, 'nhpoly1305-generic\x00'}, 0x58) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000000)="8a", 0x440) r1 = accept4(r0, 0x0, 0x0, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000200)={0x0, 0x7bff, &(0x7f0000000180)={&(0x7f0000000140)=@delqdisc={0xfffffffffffffc9b}, 0x49d32d254ae22f79}}, 0x0) getsockopt$sock_buf(r1, 0x1, 0x1a, 0x0, &(0x7f0000000340)) mmap(&(0x7f0000000000/0xfbe000)=nil, 0xfbe000, 0x2, 0x31, 0xffffffffffffffff, 0x0) 27.469901838s ago: executing program 35 (id=4746): r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000480)={0x26, 'hash\x00', 0x0, 0x0, 'nhpoly1305-generic\x00'}, 0x58) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000000)="8a", 0x440) r1 = accept4(r0, 0x0, 0x0, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000200)={0x0, 0x7bff, &(0x7f0000000180)={&(0x7f0000000140)=@delqdisc={0xfffffffffffffc9b}, 0x49d32d254ae22f79}}, 0x0) getsockopt$sock_buf(r1, 0x1, 0x1a, 0x0, &(0x7f0000000340)) mmap(&(0x7f0000000000/0xfbe000)=nil, 0xfbe000, 0x2, 0x31, 0xffffffffffffffff, 0x0) 8.296964747s ago: executing program 4 (id=4927): r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000040)=ANY=[@ANYBLOB="12010000000018105e04da0700000000000109022400010000000009040000090300000009210000000122220009058103"], 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, &(0x7f0000000000)={0x24, 0x0, 0x0, &(0x7f0000000080)=ANY=[@ANYBLOB="00222200000096010006010003000000002a90a075388bc83e25031bdde840503a0c68932924"], 0x0}, 0x0) syz_open_dev$evdev(0x0, 0x40, 0x0) bind$inet(0xffffffffffffffff, &(0x7f00000002c0)={0x2, 0x4e20, @multicast2}, 0x10) bind$inet(0xffffffffffffffff, &(0x7f0000000040)={0x2, 0x4e21, @local}, 0x10) syz_open_procfs$namespace(0xffffffffffffffff, 0x0) 6.5813136s ago: executing program 6 (id=4939): timer_create(0x0, &(0x7f00000000c0)={0x0, 0x21, 0x2}, &(0x7f0000000300)=0x0) fcntl$lock(0xffffffffffffffff, 0x24, &(0x7f0000000040)={0x0, 0x0, 0x10001, 0x5}) mprotect(&(0x7f0000000000/0xf000)=nil, 0xf000, 0x1) timer_settime(r0, 0x1, &(0x7f0000000040)={{}, {0x0, 0x989680}}, 0x0) mmap(&(0x7f0000000000/0x200000)=nil, 0x200000, 0x300000b, 0x204031, 0xffffffffffffffff, 0x42795000) futex(&(0x7f0000000200)=0x1, 0x6, 0x0, 0x0, 0x0, 0x1) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) 6.403749283s ago: executing program 4 (id=4940): mmap(&(0x7f0000000000/0x95c000)=nil, 0x95c000, 0x2000003, 0x8c4b815a5465c2b2, 0xffffffffffffffff, 0x0) r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000000)={0x26, 'hash\x00', 0x0, 0x0, 'sha512\x00'}, 0x58) r1 = accept4(r0, 0x0, 0x0, 0x800) mlock(&(0x7f0000000000/0x800000)=nil, 0x800000) syz_clone(0x80804000, 0x0, 0x0, 0x0, 0x0, 0x0) sendmmsg$alg(r1, &(0x7f0000000640)=[{0x0, 0x0, &(0x7f0000000380)=[{&(0x7f0000000140)="b57523cb1a2c90d8acad2e2d98dfc9ea7a5843c3b63b683ced2b3266175599b779617e66e6b3e15c042be90635a2d36160bbf9a2edcacc0bbe015b84150a1928de94397894ff36aa430fc2a0814ba634308d6d0837250dfd1eca5383f9d151449743b1a0c4ffc51242a229c5d6d06f147a61d797ea7ffeda95b76f5623", 0x7d}, {&(0x7f00000001c0)="66f7", 0x4}, {&(0x7f0000000300)='l3', 0x7fffef80}], 0x3}], 0x1, 0x0) 6.082171677s ago: executing program 4 (id=4941): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x2002, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000580)={0x2, 0x0, @ioapic={0xeeee0000, 0xb, 0xfefffffb, 0xfffffffc, 0x0, [{0xc, 0xfc, 0x8, '\x00', 0xb4}, {0x83, 0x9, 0x8, '\x00', 0x4b}, {0xf9, 0xe, 0x47, '\x00', 0x7f}, {0x0, 0x5, 0x8, '\x00', 0x8}, {0x28, 0xd, 0x8}, {0x2, 0x5, 0x6, '\x00', 0xfc}, {0x6, 0xe, 0x4b, '\x00', 0x6}, {0x5, 0x90, 0x6, '\x00', 0xe9}, {0xd, 0xf8, 0xa7, '\x00', 0x1}, {0x9, 0xcc, 0x14, '\x00', 0x5}, {0x1, 0x0, 0xb, '\x00', 0x8}, {0x0, 0x3, 0x2, '\x00', 0x7}, {0x1, 0xca, 0x80, '\x00', 0xa}, {0x7, 0xf1, 0x6}, {0x8, 0x4, 0x0, '\x00', 0xfd}, {0x6, 0x0, 0x4, '\x00', 0x9}, {0x7, 0x2, 0x4, '\x00', 0x3}, {0xee, 0x3, 0x4, '\x00', 0xff}, {0x11, 0x41, 0xf, '\x00', 0xfe}, {0x9, 0x3, 0x54, '\x00', 0x4}, {0x1, 0x3, 0x6, '\x00', 0x4}, {0x9, 0x40, 0x7}, {0xc0, 0x0, 0x7, '\x00', 0x7}, {0x5, 0x5, 0xfa, '\x00', 0x40}]}}) ioctl$KVM_SET_MP_STATE(r2, 0x4004ae99, &(0x7f0000000100)=0x9) ioctl$KVM_GET_MP_STATE(r2, 0x8004ae98, &(0x7f0000000040)) 5.905338901s ago: executing program 6 (id=4942): r0 = syz_open_dev$dri(&(0x7f0000000080), 0x0, 0x0) mmap(&(0x7f0000001000/0x4000)=nil, 0x4000, 0x4, 0x11, r0, 0x100000) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe) connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs={0x1, 0x0, 0x4e20}, 0x6e) mremap(&(0x7f000040b000/0x1000)=nil, 0x1000, 0x4000, 0x3, &(0x7f00004b3000/0x4000)=nil) mremap(&(0x7f00003ef000/0x3000)=nil, 0x3000, 0x400000, 0x3, &(0x7f000082a000/0x400000)=nil) madvise(&(0x7f000042f000/0x800000)=nil, 0x800000, 0x15) 5.899975407s ago: executing program 4 (id=4943): socket$nl_route(0x10, 0x3, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket$l2tp(0x2, 0x2, 0x73) socket$l2tp(0x2, 0x2, 0x73) r0 = syz_usb_connect(0x3, 0x4a, &(0x7f0000000040)=ANY=[@ANYBLOB="120100005520f010402038b1420104000001090238000100000000090400000371055900090582eb1000000001020009050276"], 0x0) syz_usb_control_io$cdc_ncm(r0, &(0x7f00000001c0)={0x14, 0x0, &(0x7f0000000180)={0x0, 0x3, 0x1a, {0x1a}}}, 0x0) syz_usb_ep_write$ath9k_ep1(r0, 0x82, 0xc38, &(0x7f0000001240)=ANY=[@ANYBLOB="7c2f0aec9d222ea5ee20e6b25cf191669d6293d87d67cbc22a8dca55b40c545d1439d9ab278a279afd807e25e3c9aacca664836fec718e063c9b06cd66442b6407fec5c3e5cd9d0f1001c90a801c4fadce8e13a5e0209edf5c5693acccefa24d4f5a2ef062e701d054d19e9e6340a1651e05fd87b70942c679234426f9b19c0723563d0e38ec970aec02a6154ab61081aae03050d00192bd9d59977bb2f1297a7cd0571a0dfc5688a8e3d5f4a226b7e397b43c186967c74821bc70005059ab5606c70045a6a9915285c8215b9abd839f50530dde8ad500d70d8f7c1a0093293e6d632f8e8939f3199ab4ec92caed14c26975b57578c8ea666a2e4253ca9516f3c07bdc5ad27c2ff29e1569795f9dfbd1b92919432e423ff4f9a35b77419d6a8540fc9431ca78e05e278bef5a21b1423a3c9f7c1e2bd16a1ecdfde51cfa4aef38e6afb92770bcefb5fcb277ccede1ddc8647db538661b3d10effa1b6f705ef1b74e5bea20b4f98421b7b4be4c5c6be101f5503a4ecaffae335ef565920d678ed5b41031122b21f9d9b7f270b95f94624a7ddc657c83d3722a8d01f321fd7f685fc74d61a4e1914dda6df4be639c4910c56a84c24a41b9ef07eee4083dd9a30a53a58b50186c12180da4186fe5845b6b325fd112378a82d53bee449bc9d4c2d4331a1323c69c99c778560fc2142d138b23000c5403156cd8223f07a73811ab5b81e287bd6ad95c2fefce002ac77a1ac74d5e868870f29277da69987652b0055b3072efab2fe56fe0fe287f7d51aa772b2e3ae77954a938be2792442e1ab2e6fc078d821c70222142568b6db9609f1db23e8a4a460b9fbbeb48469e6bf0acffd85af86e69535a95c02c30d5ad776002c48e19e134688780bbafaf81097358b0c8f63bcefb61d8f29aacb3dc1a485bb7343539387f1e83b9283674bdc0d7fe8bf86948439f4b4a20e2832c560c743e4c2d37eddbf341c47f71a93101a08a533e96601f98752531428944d88c836c7d7a082859a3120721afd99130e83f689720638e889ddf4a23228dc23e955ae67fe5447e134b63f4c72e5664d2ed8a7406568e08f3582661006cf5800615fc4a5ec88ef3361ea027d2a1a550ac3e017a212570cd145fcc2e1984e4fca28bf4110f33a5ac847fcd3605e546ee8ea49a7de5d4b599926a76028e9d5259db7fd6f908c7a8657d42f895380c88ac85cdc183f6b61172b966a41888ceae895eaf18cb8da8d1918411b297959a8abacf8c4cee15ca87048aae13ffe068dee23a9edc2b259aeb0595b7ed2633431067a999f915934aef1be5f360f0db726f24e8eb89adb8db535de6fd7c06678831d17e47c67cd22f047b92d8fba83a49a1285def4dfdf634408cb05ae73f24df76e7393d1e90d40c50bd388bb53e281b889084a1a19efdfa6be16aed1a621d964c1ac332b65765e7440ccc75ef44851409c458905127bd161bf98cb6a3681af073e3650f52d5ee691c347e86360c3aebae4a691b2485d68c57d09e269656b1efbfd3413d54c8d3e467c0bfa84669d0cc5e9cfd50b9c79171f8b6a5e66e8c6f66c0916083b8e8a464498aed3badd2f267fb56adb0953b9ebd0370f941d796abffa81722d502c8d1e9d844802f4197067598b2394dddf76641f9c2ec0403bd379e8f712668b98e1121a27888b227104875999cd562fa9833458879652bfeffabc6bbb5c354dc36ad91354ccb5050d69b28b562a72bbf277f96bd1d5dc6408329f6f850a96762a6aebf2a7b5bacbbc032be8b29c453867a47094289f6b8aa38f85051fc4d4478a02af664b3250a396583001a7971cfa6f5a4931e32e7bfb7b4c3f7be3bc5f91ba46554773b9102dbd4aba4344c6fe87bd050f79175d7918d57bc137cde33a884bba63a1adf6e7e71ba783eb1fe689b23d3ad18627b0b229c0d982631308a88c4bf1e2079eb0fcc486ef864e7c6a75cce17b133577fa88d62807398b8a795ae2bb7610f8b17cfc56ff11b8ffc4aa316e612fc76955dc44e66467c4d632657d4cac3cc1bda8c2c6207915a89f76bf1fd61c156ba8720bb8048601cd1221f6996e6f04e44b842e00a4487cd59501a65db1f6ade7f22ba5d7ee8e67125e284eef41ad5f2069a48cc71c621eb08d832ef8592874199c5c03249d3ee03422535c2be6919c43724277d56a885ab67753ae8d7f1317b7e534bb1a111a0edb5d298c1374c7824a80fb00ae268f2fd641f1b2a12f712d9a5e027957941ffb4218c6d8a8e7950dca0b4c9018dcfb67244a30080d54781b5111c85cd89e08f51c55975301ff389baf2242ef0fb662122a2eb89c1dcaf82d6391906a1b235635e6c484cd5fa32bc80ce68d505df9a9c6b21e222c3b9330243b8e02a3e661c20e0da633d88f7debaf6643654050ab73613dbea6176109b5c35c4d280739aee77f81a1b58efa9e606259f45745b69523bc81828cfcfffd185ad51b4b183b7a1ef86757172ef67a4f153b7c3a3e99f15ef5b09d81cd1ccec8016ecc9864ccf2efdbf7a79ff9ba814a4a9e3124d735a591c649cdefa98bd569c5f4db18a537c55544c671d398ec50d9fc2b1ca1f9b0278acc9a21779c3815fcb0ee1c66c774b6591e8f6b5c9828db8a5d104213cd4513974be404a50c11009c15a1e2aaa81abc6c706c341f145f975717819c4429007ee648f6c3fca45d714981cd9240beea8b02a19e0ddb083dc8115d64d75ab087c87e00792b8b83551ca82b311444067923656b0e70015ca4775da3d5e984ea8af20955f92d9cbd9acca8cd258df4276a118505d440b74e93bd0b97caeb0e24dbb09e7dbdfe0c3b4bdc0983a7d1eee02bee9c5d381bfbd7dfbb6329539698477f3a8bc7f82c01588d679a167e91487f150e5923cbf3030f09c8fb89cf178f5e953618887b7e56afdfd6a6b5e3003cecdbcba76ed86bc48907fada5e0178f9194970323ae9c818215ae2feb1ee56b289d83e8e9d2ab27056ede5651d2a92a93dd3d6c519ac128a44f1414f93e96c55485a73f3cb7e4750d0f2a2acef87e46a7012a30712f7cfe2ac9372af0efcb6475e3a1a8db1961040002915038412b892eee569aae8f38fb07c27aef5bbab7750a244a7c3b0193004246afa1a72368db45cd3649a89b54e880ea12c92beb59e366d7893f725bb8080aebcd35857ff686d03eddc33af248cecc5198bda6f395b55294821f6853232cb5bde67a4166a35224cd9c5b54e6b5a38376b1fdfaeb7563a8ea93148997e2bf490c67916f059e3e1992a986f96d2720a6418cf8c57d6e72eb90d7ca59a3a20fd414e404900aa4a45f381ff7828e15558b4862055bf795c9134836878999200e71e9ba9f83a2e28955c7b37244f3abc8f9d15a5e6c3d9b2f76620b3b2bcb13c0c44c63b9bddd51e339aedfc3a4d995df0eca66c6891ca9099923577e7cd84cb58cf0d6d6eda2baeb00775c4e717e31dbc881615d5f1a0898017954e882a444017e947b1fc05fdcf4495c5dbe3b7b4ce4c1535070fbc64d135df094fe4f6cdd452e7a5f844145af9b746dc5eecede9a834de1ff65525ea3017478ee08dc1bcff852a9d2ad94f46840bdcf1b6226fb0cdb620787692e52aae3b9b703f30b3ce6ca6dcaeb8b3a5884c30c570b29741c70ad99f5d7f463c7e5e1b4bbaafae33e789c0ae1114674732d50c0a799bfa6388365c392d47c3e0d2992a61d21e4ca034ed3d386fe959a94601a4007f1f2060b59359747635b076db7697ba5ad45af0423dbb9966113fa5eb59118cac394c2e2b17ebec1b7ce18ede120b1f56956b12a95de708e780ba7a1ac3a9e31267a2c195acfcb3b20c2f5d20de288846045211da53649a6d8b23008449b763fe6a58243cde95093a9755e5725307af09c997520f159f4ec7d1e687a0cf5148721062ecc6b080f65a550730da9257f1515a10830e29b85de3138a77ee8d2f0cb129c971417d7bbcd982d684b697364084c5764bafb4e2211a82e8c962eefb1f000ac8f5f2567b580931676943cea9b95977d842c247a98672b5c73594eb51f927ee5ec2b0c45eda29fb83a092880e542c60113ca653923aa0c16e2e1604e5f437876cb7fa7d1498584f8800ff80804d41c7b89e9cba341fed8d260a6abd0fc242ba6b3d624c91c468e269069d0a121f0951c3765f18693a2c547d9bc924058d0ecece5c7802126d293d3033d6bbf83d4b8b0144d27cbb985dba465d75b62a93bf7a438cce59f", @ANYRES16=r0]) 5.53826451s ago: executing program 6 (id=4945): r0 = socket$netlink(0x10, 0x3, 0x0) r1 = syz_io_uring_setup(0x88e, &(0x7f0000000140)={0x0, 0x3cfa, 0x0, 0x2, 0x1b9}, &(0x7f0000000000)=0x0, &(0x7f0000000280)=0x0) syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4) syz_io_uring_submit(r2, r3, &(0x7f00000002c0)=@IORING_OP_POLL_ADD={0x6, 0x0, 0x0, @fd_index=0x3}) io_uring_enter(r1, 0x47f6, 0x0, 0x2, 0x0, 0x0) pselect6(0x40, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x0, 0x200000000000}, 0x0, &(0x7f0000000240)={0x1f, 0x0, 0x42, 0x0, 0x0, 0x3}, 0x0, 0x0) sendmsg$nl_route_sched(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000540)={&(0x7f0000001300)=@newqdisc={0x24, 0x28, 0x4ee4e6a52ff56541, 0x5001, 0xfffffdfb, {0x0, 0x0, 0x0, 0x0, {0x4}, {0xffff, 0xffff}, {0x2, 0x1}}}, 0x24}, 0x1, 0x0, 0x0, 0x400dc}, 0x4000080) 2.232236312s ago: executing program 8 (id=4954): timer_create(0x0, &(0x7f00000000c0)={0x0, 0x21, 0x2}, &(0x7f0000000300)=0x0) fcntl$lock(0xffffffffffffffff, 0x24, &(0x7f0000000040)={0x0, 0x0, 0x10001, 0x5}) mprotect(&(0x7f0000000000/0xf000)=nil, 0xf000, 0x1) timer_settime(r0, 0x1, &(0x7f0000000040)={{}, {0x0, 0x989680}}, 0x0) mmap(&(0x7f0000000000/0x200000)=nil, 0x200000, 0x300000b, 0x204031, 0xffffffffffffffff, 0x42795000) futex(&(0x7f0000000200)=0x1, 0x6, 0x0, 0x0, 0x0, 0x1) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) 2.231901652s ago: executing program 6 (id=4956): mknodat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x0, 0x0) r0 = openat$fuse(0xffffffffffffff9c, &(0x7f00000000c0), 0x2, 0x0) mount$fuse(0x0, &(0x7f0000002080)='./file0\x00', &(0x7f00000020c0), 0x0, &(0x7f0000000380)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=r0, @ANYBLOB=',rootmode=00000000000000000060000,user_id=', @ANYRESDEC=0x0, @ANYBLOB=',group_id=', @ANYRESDEC=0x0]) r1 = syz_io_uring_setup(0x10d, &(0x7f0000000140)={0x0, 0x0, 0x0, 0x3}, &(0x7f0000000340)=0x0, &(0x7f0000000280)=0x0) syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4) syz_io_uring_submit(r2, r3, &(0x7f0000000300)=@IORING_OP_OPENAT={0x12, 0x0, 0x0, 0xffffffffffffff9c, 0x0, &(0x7f0000000480)='./file0\x00', 0x0, 0x80}) io_uring_enter(r1, 0x3516, 0x0, 0x0, 0x0, 0xfffffdcf) 2.231808877s ago: executing program 4 (id=4957): r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000140), 0x40241, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000000)={'syzkaller1\x00', 0xc201}) r1 = syz_io_uring_setup(0x88f, &(0x7f0000000140)={0x0, 0x400aee2, 0x400, 0xffffffff, 0xbfe00000}, &(0x7f0000000000)=0x0, &(0x7f0000000280)=0x0) syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000080)=0x2, 0x0, 0x4) syz_io_uring_submit(r2, r3, &(0x7f00000002c0)=@IORING_OP_POLL_ADD={0x6, 0x0, 0x0, @fd_index=0x3}) io_uring_enter(r1, 0x47d6, 0x0, 0x2, 0x0, 0x0) write$tun(r0, &(0x7f0000000240)=ANY=[], 0xfdef) 2.152450261s ago: executing program 2 (id=4958): ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f0000000000)={{0x2, 0xfffd, 0x3}, 'syz0\x00', 0x3c}) r0 = syz_io_uring_setup(0x3380, &(0x7f0000000180)={0x0, 0xa2c2, 0x10100}, &(0x7f0000000100)=0x0, &(0x7f0000000200)=0x0) r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cpu.stat\x00', 0x275a, 0x0) write$UHID_CREATE2(r3, &(0x7f0000000040)=ANY=[@ANYBLOB='5'], 0x118) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x5, 0x12, r3, 0x0) syz_io_uring_submit(r1, r2, &(0x7f0000000000)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x41, 0x4, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x21, 0x1, {0x1}}) io_uring_enter(r0, 0x2d3e, 0x0, 0x0, 0x0, 0x0) 2.118629256s ago: executing program 4 (id=4959): r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io$printer(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io$uac1(r0, 0x0, 0x0) syz_usb_control_io$printer(r0, 0x0, 0x0) 2.09601319s ago: executing program 0 (id=4960): r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000080)={0x26, 'rng\x00', 0x0, 0x0, 'drbg_nopr_sha256\x00'}, 0x58) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2, 0x8031, 0xffffffffffffffff, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9) r1 = accept4(r0, 0x0, 0x0, 0x800) recvmmsg(r1, &(0x7f0000005240)=[{{0x0, 0x0, 0x0}, 0x4}, {{0x0, 0x0, &(0x7f0000000940)=[{&(0x7f0000002240)=""/4096, 0x1000}], 0x1}, 0x6}], 0x2, 0x10022, 0x0) 1.97324816s ago: executing program 6 (id=4961): r0 = syz_io_uring_setup(0x10d, &(0x7f0000000140)={0x0, 0x5885, 0x8, 0x0, 0xb9}, &(0x7f0000000340)=0x0, &(0x7f0000002300)=0x0) syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4) syz_io_uring_submit(r1, r2, &(0x7f00000002c0)=@IORING_OP_WRITEV={0x2, 0x4, 0x0, @fd, 0x0, 0x0, 0x0, 0x0, 0x1, {0x1}}) io_uring_enter(r0, 0x3516, 0x0, 0x0, 0x0, 0x0) r3 = syz_io_uring_setup(0x1e1e, &(0x7f0000000200)={0x0, 0xb5da, 0x10100, 0xfffffffc, 0x3}, &(0x7f0000002000)=0x0, &(0x7f0000000000)=0x0) syz_io_uring_submit(r4, r5, &(0x7f00000001c0)=@IORING_OP_READ=@pass_buffer={0x16, 0x48, 0x0, @fd, 0xffffffffffffffff, 0x0, 0x0, 0x22}) io_uring_enter(r3, 0x48e9, 0x0, 0x2, 0x0, 0x0) 1.809763186s ago: executing program 6 (id=4962): r0 = openat$audio(0xffffffffffffff9c, &(0x7f0000000140), 0x40000000040201, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000000080)) ioctl$SNDCTL_DSP_SPEED(r0, 0xc0045002, &(0x7f0000000040)=0xdfe5) write$RDMA_USER_CM_CMD_CREATE_ID(r0, &(0x7f0000000500)={0xa00, 0x18, 0xfa00, {0x100000000000000, 0x0}}, 0xfc36) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x4c831, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x1, 0x0, 0x0, 0x3) syz_usb_connect(0x3, 0x0, 0x0, 0x0) 1.80835255s ago: executing program 2 (id=4973): r0 = socket$inet6_udp(0xa, 0x2, 0x0) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x20, &(0x7f0000000000)={@mcast2={0xff, 0x5}, 0x200, 0x0, 0x1, 0x3}, 0x20) r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='net/ip6_flowlabel\x00') read$FUSE(r1, &(0x7f00000000c0)={0x2020}, 0x2020) r2 = socket$inet6(0xa, 0x2, 0x0) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20) read$FUSE(r1, &(0x7f00000021c0)={0x2020}, 0x2020) 1.649895029s ago: executing program 2 (id=4963): r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x2}) r1 = openat$tun(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0) close(r1) socket$nl_generic(0x10, 0x3, 0x10) ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @multicast}) ioctl$TUNSETGROUP(r0, 0x400454ce, 0x0) 1.273314196s ago: executing program 8 (id=4965): r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) sendto$inet6(r0, &(0x7f0000000100)="15", 0x1, 0x1, &(0x7f0000000140)={0xa, 0x4e23, 0x7ff, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0x3}, 0x1c) sendmsg$inet6(r0, &(0x7f0000000380)={&(0x7f0000000180)={0xa, 0x0, 0x0, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02'}, 0x1c, &(0x7f0000000340)=[{&(0x7f0000000480)='y', 0x1}], 0x1}, 0x0) r1 = syz_io_uring_setup(0x239, &(0x7f0000000680)={0x0, 0x405e5, 0x10100, 0x0, 0x2e0}, &(0x7f0000000180)=0x0, &(0x7f00000001c0)=0x0) syz_io_uring_submit(r2, r3, &(0x7f0000000500)=@IORING_OP_POLL_ADD={0x6, 0x8, 0x0, @fd_index=0x3, 0x0, 0x0, 0x0, {0x35a0}}) io_uring_enter(r1, 0x663e, 0x0, 0x2, 0x0, 0x0) shutdown(r0, 0x1) 1.240705324s ago: executing program 0 (id=4966): mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0) connect$unix(0xffffffffffffffff, &(0x7f0000000340)=@file={0x0, './file0\x00'}, 0x6e) r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000140), 0x40241, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000000)={'syzkaller1\x00', 0xc201}) r1 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000000240)={'syzkaller1\x00', @link_local}) write$tun(r0, &(0x7f0000000240)=ANY=[@ANYBLOB="000086dd0500560008005400000060ec970001983a00fc000018c6ba35000000000000000700ff02000000000000000000000000000100000000000000cc00000000000000000000000000000000860090780000000000000000000000000000ee3f000000002b036f8c006e64021d683910c3090b3188a7c747eb2278a273c1b80029442911892704"], 0xfdef) 1.239630628s ago: executing program 2 (id=4967): r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101}) r1 = socket(0x400000000010, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0}) sendmsg$nl_route_sched(r1, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000005c0)=@newqdisc={0x38, 0x24, 0x4ee4e6a52ff56541, 0x70bd2a, 0xffffffff, {0x0, 0x0, 0x0, r2, {0x0, 0xfff2}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_multiq={{0xb}, {0x8}}]}, 0x38}}, 0x0) setsockopt$inet6_opts(0xffffffffffffffff, 0x29, 0x39, 0x0, 0xa8) sendmsg$nl_route_sched(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000280)=@newtfilter={0x44, 0x2c, 0xd27, 0x70bd25, 0x2, {0x0, 0x0, 0x0, r2, {0x0, 0x1}, {}, {0x5}}, [@filter_kind_options=@f_flow={{0x9}, {0x14, 0x2, [@TCA_FLOW_DIVISOR={0xffffff53, 0x8, 0xfffffff8}, @TCA_FLOW_RSHIFT={0x8, 0x4, 0x2}]}}]}, 0x44}, 0x1, 0x0, 0x0, 0x80}, 0x0) 1.085893459s ago: executing program 2 (id=4968): r0 = socket$inet6_sctp(0xa, 0x5, 0x84) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x2f, &(0x7f0000000000)=0x1, 0x4) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX(r0, 0x84, 0x6e, &(0x7f0000000140)=[@in={0x2, 0x4e24, @initdev={0xac, 0x1e, 0x1, 0x0}}], 0x10) r1 = socket$inet_sctp(0x2, 0x1, 0x84) getsockopt$inet_sctp_SCTP_MAX_BURST(r1, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={0x0}, &(0x7f0000000040)=0x8) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r0, 0x84, 0x7b, &(0x7f0000000540)={r2, 0x2}, 0x8) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r0, 0x84, 0x7b, &(0x7f0000000180)={r2}, 0x8) 806.049382ms ago: executing program 0 (id=4969): prlimit64(0x0, 0xe, &(0x7f0000000600)={0x9, 0x20000001000}, 0x0) madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x19) r0 = io_uring_setup(0x46eb, &(0x7f0000000100)={0x0, 0x1f8a, 0x0, 0x3, 0x28c}) io_uring_register$IORING_REGISTER_BUFFERS(r0, 0x0, &(0x7f00000002c0)=[{0x0}], 0x1) mremap(&(0x7f00003eb000/0x2000)=nil, 0x2000, 0x1000, 0x3, &(0x7f0000003000/0x1000)=nil) setrlimit(0x40000000000008, &(0x7f00000002c0)={0x0, 0x5}) io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r0, 0x10, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000001c0)=[{&(0x7f0000002700)=""/4082, 0xff2}], 0x0, 0x1}, 0x20) 710.416644ms ago: executing program 0 (id=4970): r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket(0x10, 0x803, 0x0) sendmsg$nl_route(r1, &(0x7f0000000380)={0x0, 0x4076cbba9945d516, &(0x7f0000000340)={0x0, 0x14}}, 0x0) getsockname$packet(r1, &(0x7f0000000140)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x28a) r3 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r3, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000500)={&(0x7f0000000000)=@newlink={0x38, 0x10, 0x439, 0x0, 0xfffffffc, {0x0, 0x0, 0x0, r2, 0x9801}, [@IFLA_LINKINFO={0x18, 0x12, 0x0, 0x1, @gre={{0x8}, {0xc, 0x2, 0x0, 0x1, [@IFLA_GRE_REMOTE={0x8, 0x7, @remote}]}}}]}, 0x38}}, 0x0) sendmsg$nl_route(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000000c0)=@newlink={0x48, 0x10, 0x439, 0x2, 0x0, {0x0, 0x0, 0x0, r2, 0x1040, 0x44100}, [@IFLA_LINKINFO={0x20, 0x12, 0x0, 0x1, @gre={{0x8}, {0x14, 0x2, 0x0, 0x1, [@IFLA_GRE_REMOTE={0x8, 0x7, @local}, @IFLA_GRE_OFLAGS={0x6, 0x3, 0x91}]}}}, @IFLA_MTU={0x8, 0x4, 0x6}]}, 0x48}}, 0x4040000) 687.243445ms ago: executing program 0 (id=4971): ioctl$BTRFS_IOC_SET_RECEIVED_SUBVOL(0xffffffffffffffff, 0xc0c89425, &(0x7f0000000000)={"da19cdbf8ea74337e1c274620e046655", 0x0, 0x0, {0x9, 0x9}, {0x7, 0xf01}, 0x6, [0x5, 0x5, 0xff, 0x0, 0x9, 0x10001, 0x0, 0x5, 0x4bb, 0x72, 0x8, 0x0, 0x6, 0x3800000, 0xfffffffffffffffc, 0xffffffffffffffff]}) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000340), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000400)={0x4, 0x1, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_BOOT_CPU_ID(r1, 0xae78, &(0x7f0000000000)=0x1) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f0000000100)={{0xeeee8000, 0xeeee0002, 0xc, 0x1, 0x81, 0x0, 0x0, 0x24}, {0x10000, 0x5000, 0xb, 0xfc, 0x8, 0x0, 0x0, 0x0, 0xe, 0x0, 0x5, 0xfc}, {0x3000, 0x8080000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x1, 0x4}, {0x80a0000, 0xffff1000, 0xf, 0x0, 0x0, 0x8, 0x0, 0x7}, {0xeeee0000, 0xffff1000, 0xf, 0x2, 0xfe, 0x10, 0x3, 0xc, 0x58, 0x8, 0x4}, {0x4000, 0x1000, 0x0, 0x3, 0x0, 0xfd, 0xfc, 0x0, 0x0, 0x5, 0xc0, 0x10}, {0x3000, 0x4000, 0x10, 0x8, 0x7, 0xfb, 0x0, 0x7, 0x1a, 0x2, 0x0, 0x2}, {0x0, 0x3000, 0xe, 0x2, 0xff, 0x6e, 0x7, 0xfd, 0x0, 0x9, 0x7, 0x5}, {0x2000, 0xb}, {}, 0x9df9ffdf, 0x0, 0x2, 0xa8, 0x8, 0x8000, 0x2000, [0xdd41, 0x0, 0x2]}) 566.545316ms ago: executing program 0 (id=4972): r0 = syz_usb_connect$cdc_ncm(0x0, 0x6e, &(0x7f0000000480)={{0x12, 0x1, 0x0, 0x2, 0x0, 0x0, 0x40, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x5c, 0x2, 0x1, 0x0, 0x0, 0x0, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x5}, {0x5}, {0xd}, {0x6}}, {{0x9, 0x5, 0x81, 0x3, 0x200}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x200}}, {{0x9, 0x5, 0x3, 0x2, 0x200}}}}}}}]}}, 0x0) syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r0, 0x0, &(0x7f0000000340)={0x44, 0x0, 0x0, 0x0, &(0x7f0000000200)={0x20, 0x80, 0x1c, {0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10}}, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r0, &(0x7f0000000080)={0x14, 0x0, &(0x7f0000000040)={0x0, 0x3, 0x1a, {0x1a}}}, 0x0) syz_usb_ep_write(r0, 0x82, 0x5, &(0x7f0000002340)='hello') 329.683839ms ago: executing program 8 (id=4974): munmap(&(0x7f0000002000/0x2000)=nil, 0x2000) r0 = inotify_init() inotify_add_watch(r0, &(0x7f0000000000)='.\x00', 0x400017e) mkdir(&(0x7f0000000300)='./file0\x00', 0xfffffffffffffffe) r1 = openat(0xffffffffffffff9c, &(0x7f0000000040)='.\x00', 0x280a00, 0x0) openat$cgroup_ro(r1, &(0x7f0000000900)='net_prio.prioidx\x00', 0x275a, 0xb) read$FUSE(r0, &(0x7f0000001fc0)={0x2020}, 0x2020) 235.059577ms ago: executing program 8 (id=4975): mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup/syz0\x00', 0x1ff) r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0) r1 = openat$cgroup_procs(r0, &(0x7f0000000040)='cgroup.procs\x00', 0x2, 0x0) write$cgroup_pid(r1, &(0x7f0000000100), 0x12) unshare(0x22020600) r2 = fsopen(&(0x7f00000003c0)='cgroup2\x00', 0x0) fsconfig$FSCONFIG_CMD_CREATE(r2, 0x6, 0x0, 0x0, 0x0) 122.483118ms ago: executing program 8 (id=4976): timer_create(0x0, &(0x7f00000000c0)={0x0, 0x21, 0x2, @thr={0x0, 0x0}}, &(0x7f0000000300)=0x0) fcntl$lock(0xffffffffffffffff, 0x24, &(0x7f0000000040)={0x0, 0x0, 0x10001, 0x5}) mprotect(&(0x7f0000000000/0xf000)=nil, 0xf000, 0x1) timer_settime(r0, 0x1, &(0x7f0000000040)={{}, {0x0, 0x989680}}, 0x0) mmap(&(0x7f0000000000/0xfbe000)=nil, 0xfbe000, 0x2, 0x31, 0xffffffffffffffff, 0x1000) r1 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000002c0)={{0x14}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x3, 0x0, 0x0, {0x7, 0x0, 0x2}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWSET={0x9c, 0x9, 0xa, 0x401, 0x0, 0x0, {0x7}, [@NFTA_SET_ID={0x8}, @NFTA_SET_TABLE={0x9, 0x1, 'syz1\x00'}, @NFTA_SET_NAME={0x9, 0x2, 'syz1\x00'}, @NFTA_SET_KEY_LEN={0xffffffffffffffef, 0x5, 0x1, 0x0, 0x31}, @NFTA_SET_DATA_TYPE={0x8, 0x6, 0x1, 0x0, 0xffffff00}, @NFTA_SET_FLAGS={0x8, 0x3, 0x1, 0x0, 0xc}, @NFTA_SET_DESC={0x50}]}, @NFT_MSG_NEWSET={0x7c, 0x9, 0xa, 0x201}], {0x14, 0x10, 0x1, 0x0, 0x0, {0x0, 0x84}}}, 0x160}}, 0x0) 122.213394ms ago: executing program 2 (id=4977): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x2, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) close_range(r0, r1, 0x0) r2 = userfaultfd(0x1) ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000080)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x2}) ioctl$UFFDIO_COPY(r2, 0xc028aa05, &(0x7f0000000180)={&(0x7f0000106000/0x4000)=nil, &(0x7f00003ab000/0x2000)=nil, 0x4000, 0x2, 0x2}) 0s ago: executing program 8 (id=4978): bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000040)='kfree\x00'}, 0x18) bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000480)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb0118000000000000aaffc637809ac22ddb00000f0000000f00ed12bb34c627b9a4dc1c"], 0x0, 0x2a, 0x0, 0x0, 0x7ff}, 0x28) r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0) write$cgroup_subtree(r0, &(0x7f0000000000)=ANY=[], 0x3261e) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r0, 0x0) r1 = socket$inet_smc(0x2b, 0x1, 0x0) setsockopt$ARPT_SO_SET_REPLACE(r1, 0x0, 0x60, &(0x7f0000000000)={'filter\x00', 0x7, 0x4, 0x3e0, 0x110, 0x0, 0x110, 0x2f8, 0x2f8, 0x2f8, 0x4, 0x0, {[{{@uncond, 0xc0, 0x110}, @mangle={0x50, 'mangle\x00', 0x0, {@mac, @mac=@remote, @loopback, @local, 0x1, 0x1}}}, {{@arp={@multicast2, @private=0xa010100, 0xff, 0xffffff00, 0xc, 0x4, {@mac=@link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}, {[0xff, 0xff, 0xff, 0xff, 0x0, 0xbe9240b8a223bba0]}}, {@mac=@dev={'\xaa\xaa\xaa\xaa\xaa', 0x24}, {[0xff, 0x0, 0xff, 0xff, 0xff]}}, 0x2, 0x6, 0x23b0, 0x9dd7, 0x80, 0x9, 'veth1_vlan\x00', 'ip_vti0\x00', {0xff}, {0xff}, 0x0, 0x12}, 0xc0, 0x100}, @unspec=@ERROR={0x40, 'ERROR\x00', 0x0, "716ebd2e1aa0cc683e62f312359594df00da56317f76121697127951fdba"}}, {{@uncond, 0xc0, 0xe8}, @unspec=@NFQUEUE0={0x28}}], {{'\x00', 0xc0, 0xe8}, {0x28}}}}, 0x430) kernel console output (not intermixed with test programs): 20': attribute type 3 has an invalid length. [ 450.853279][ T3000] netdevsim netdevsim0 netdevsim0: unset [0, 0] type 1 family 0 port 8472 - 0 [ 450.860422][T16276] netlink: 136 bytes leftover after parsing attributes in process `syz.0.4120'. [ 450.877226][ T3000] netdevsim netdevsim0 netdevsim0: unset [1, 0] type 2 family 0 port 6081 - 0 [ 450.887201][ T10] usb 5-1: new high-speed USB device number 69 using dummy_hcd [ 450.898221][ T5926] usb 2-1: config 0 descriptor?? [ 450.911912][ T3000] netdevsim netdevsim0 netdevsim1: unset [0, 0] type 1 family 0 port 8472 - 0 [ 450.923192][ T3000] netdevsim netdevsim0 netdevsim1: unset [1, 0] type 2 family 0 port 6081 - 0 [ 450.939292][ T3000] netdevsim netdevsim0 netdevsim2: unset [0, 0] type 1 family 0 port 8472 - 0 [ 450.952004][ T3000] netdevsim netdevsim0 netdevsim2: unset [1, 0] type 2 family 0 port 6081 - 0 [ 450.961258][T16256] syz_tun: left allmulticast mode [ 450.967520][ T3000] netdevsim netdevsim0 netdevsim3: unset [0, 0] type 1 family 0 port 8472 - 0 [ 450.982252][ C1] ip6_tunnel: ip6gretap0 xmit: Local address not yet configured! [ 450.982863][ T3000] netdevsim netdevsim0 netdevsim3: unset [1, 0] type 2 family 0 port 6081 - 0 [ 451.072332][ T10] usb 5-1: Using ep0 maxpacket: 32 [ 451.092358][ T10] usb 5-1: config 0 has an invalid interface number: 172 but max is 0 [ 451.101086][ T10] usb 5-1: config 0 has no interface number 0 [ 451.117972][ T10] usb 5-1: config 0 interface 172 altsetting 0 endpoint 0x8F has invalid wMaxPacketSize 0 [ 451.122131][ T5883] usb 6-1: new high-speed USB device number 15 using dummy_hcd [ 451.139454][ T10] usb 5-1: New USB device found, idVendor=06f8, idProduct=301b, bcdDevice=bb.39 [ 451.154365][ T10] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 451.175292][ T10] usb 5-1: Product: syz [ 451.175808][T16284] kvm_intel: set kvm_intel.dump_invalid_vmcs=1 to dump internal KVM state. [ 451.179475][ T10] usb 5-1: Manufacturer: syz [ 451.221135][ T10] usb 5-1: SerialNumber: syz [ 451.243313][ T10] usb 5-1: config 0 descriptor?? [ 451.269526][ T10] gspca_main: gspca_pac7302-2.14.0 probing 06f8:301b [ 451.292113][ T5883] usb 6-1: Using ep0 maxpacket: 32 [ 451.299696][ T5883] usb 6-1: config 0 has an invalid interface number: 132 but max is 0 [ 451.318482][ T5883] usb 6-1: config 0 has no interface number 0 [ 451.325045][ T5883] usb 6-1: config 0 interface 132 altsetting 0 endpoint 0x82 has invalid wMaxPacketSize 0 [ 451.337605][ T5883] usb 6-1: New USB device found, idVendor=0413, idProduct=6023, bcdDevice=ec.e5 [ 451.348492][ T5883] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 451.357220][ T5883] usb 6-1: Product: syz [ 451.361663][ T5883] usb 6-1: Manufacturer: syz [ 451.369105][ T5883] usb 6-1: SerialNumber: syz [ 451.404194][ T5926] input: HID 045e:07da as /devices/platform/dummy_hcd.1/usb2/2-1/2-1:0.0/0003:045E:07DA.006E/input/input104 [ 451.415706][ T5883] usb 6-1: config 0 descriptor?? [ 451.446668][ T5883] em28xx 6-1:0.132: New device syz syz @ 480 Mbps (0413:6023, interface 132, class 132) [ 451.462425][ T5926] microsoft 0003:045E:07DA.006E: input,hidraw0: USB HID v0.00 Device [HID 045e:07da] on usb-dummy_hcd.1-1/input0 [ 451.508266][ T5883] em28xx 6-1:0.132: Video interface 132 found: [ 451.733588][T16266] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 451.744494][T16266] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 451.791938][ T107] usb 2-1: USB disconnect, device number 68 [ 451.856592][ T5883] em28xx 6-1:0.132: unknown em28xx chip ID (0) [ 452.079410][ T5883] em28xx 6-1:0.132: failed to trigger read from i2c address 0xa0 (error=-5) [ 452.097826][ T10] input: gspca_pac7302 as /devices/platform/dummy_hcd.4/usb5/5-1/input/input105 [ 452.102187][ T5883] em28xx 6-1:0.132: board has no eeprom [ 452.192097][ T5883] em28xx 6-1:0.132: Identified as Leadtek Winfast USB II (card=7) [ 452.199989][ T5883] em28xx 6-1:0.132: analog set to bulk mode. [ 452.218417][ T107] em28xx 6-1:0.132: Registering V4L2 extension [ 452.238937][ T5883] usb 6-1: USB disconnect, device number 15 [ 452.253402][ T5883] em28xx 6-1:0.132: Disconnecting em28xx [ 452.437428][ T10] usb 5-1: USB disconnect, device number 69 [ 452.447994][ T107] em28xx 6-1:0.132: Config register raw data: 0xffffffed [ 452.464141][ T107] em28xx 6-1:0.132: AC97 chip type couldn't be determined [ 452.481283][ T107] em28xx 6-1:0.132: No AC97 audio processor [ 452.508861][ T107] usb 6-1: Decoder not found [ 452.516280][ T107] em28xx 6-1:0.132: failed to create media graph [ 452.527291][ T107] em28xx 6-1:0.132: V4L2 device video103 deregistered [ 452.549837][ T107] em28xx 6-1:0.132: Remote control support is not available for this card. [ 452.558957][ T5883] em28xx 6-1:0.132: Closing input extension [ 452.570615][ T5883] em28xx 6-1:0.132: Freeing device [ 453.292578][ T10] usb 1-1: new high-speed USB device number 73 using dummy_hcd [ 453.467424][ T10] usb 1-1: Using ep0 maxpacket: 16 [ 453.496884][ T10] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 453.514536][T16342] 8021q: adding VLAN 0 to HW filter on device bond0 [ 453.551836][T16342] A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check. [ 453.556530][ T10] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 453.627421][ T10] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 3 [ 453.660588][ T10] usb 1-1: New USB device found, idVendor=0955, idProduct=7214, bcdDevice=ed.00 [ 453.679624][ T10] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 453.700340][ T10] usb 1-1: config 0 descriptor?? [ 453.885088][T16353] loop3: detected capacity change from 0 to 1 [ 453.903050][T16353] Dev loop3: unable to read RDB block 1 [ 453.919465][T16353] loop3: unable to read partition table [ 453.945146][T16353] loop3: partition table beyond EOD, truncated [ 453.981232][T16353] loop_reread_partitions: partition scan of loop3 (þ被xü—ŸÑà– ) failed (rc=-5) [ 454.183581][ T10] shield 0003:0955:7214.006F: unknown main item tag 0x0 [ 454.190561][ T10] shield 0003:0955:7214.006F: unknown main item tag 0x0 [ 454.255854][ T10] shield 0003:0955:7214.006F: unknown main item tag 0x0 [ 454.267681][ T10] shield 0003:0955:7214.006F: unknown main item tag 0x0 [ 454.284350][ T10] shield 0003:0955:7214.006F: unknown main item tag 0x0 [ 454.304605][ T10] input: HID 0955:7214 Haptics as /devices/virtual/input/input106 [ 454.343703][T16361] netlink: 212368 bytes leftover after parsing attributes in process `syz.5.4154'. [ 454.365370][T16326] random: crng reseeded on system resumption [ 454.373208][ T5926] usb 2-1: new high-speed USB device number 69 using dummy_hcd [ 454.397011][ T10] shield 0003:0955:7214.006F: Registered Thunderstrike controller [ 454.419725][ T10] shield 0003:0955:7214.006F: : USB HID v0.00 Device [HID 0955:7214] on usb-dummy_hcd.0-1/input0 [ 454.512448][ T978] shield 0003:0955:7214.006F: Failed to output Thunderstrike HOSTCMD request HID report due to -EPROTO [ 454.527986][ T10] usb 1-1: USB disconnect, device number 73 [ 454.556439][ T5926] usb 2-1: config 1 interface 0 altsetting 0 endpoint 0x1 has invalid wMaxPacketSize 0 [ 454.571237][ T978] shield 0003:0955:7214.006F: Failed to output Thunderstrike HOSTCMD request HID report due to -ENODEV [ 454.595215][ T5926] usb 2-1: config 1 interface 0 altsetting 0 bulk endpoint 0x1 has invalid maxpacket 0 [ 454.615493][ T978] shield 0003:0955:7214.006F: Failed to output Thunderstrike HOSTCMD request HID report due to -ENODEV [ 454.626685][ T5926] usb 2-1: config 1 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 2 [ 454.650507][ T978] shield 0003:0955:7214.006F: Failed to output Thunderstrike HOSTCMD request HID report due to -ENODEV [ 454.667737][ T5926] usb 2-1: New USB device found, idVendor=0525, idProduct=a4a8, bcdDevice= 0.41 [ 454.681896][ T5926] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=11 [ 454.690177][ T5926] usb 2-1: Product: syz [ 454.694449][ T5926] usb 2-1: Manufacturer: syz [ 454.699041][ T5926] usb 2-1: SerialNumber: syz [ 454.937541][ T5926] usblp 2-1:1.0: usblp0: USB Unidirectional printer dev 69 if 0 alt 0 proto 1 vid 0x0525 pid 0xA4A8 [ 455.514946][T16405] A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check. [ 457.039915][T16426] input: syz1 as /devices/virtual/input/input107 [ 457.145988][ T5883] usb 2-1: USB disconnect, device number 69 [ 457.174751][ T5883] usblp0: removed [ 457.469668][ T30] audit: type=1326 audit(1768199781.029:1127): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=16435 comm="syz.4.4186" exe="/root/syz-executor" sig=9 arch=40000003 syscall=252 compat=1 ip=0xf70ad539 code=0x0 [ 457.557346][T16441] netlink: 212368 bytes leftover after parsing attributes in process `syz.5.4188'. [ 457.835753][T16456] bond1: (slave lo): enslaved VLAN challenged slave. Adding VLANs will be blocked as long as it is part of bond. [ 457.859976][T16459] netlink: 4 bytes leftover after parsing attributes in process `syz.1.4196'. [ 457.865923][T16456] bond1: (slave lo): Enslaving as a backup interface with an up link [ 457.891994][T16456] A link change request failed with some changes committed already. Interface tunl0 may have been left with an inconsistent configuration, please check. [ 458.111743][T16471] syzkaller1: entered promiscuous mode [ 458.118004][T16471] syzkaller1: entered allmulticast mode [ 458.192388][ T5883] usb 1-1: new high-speed USB device number 74 using dummy_hcd [ 458.322128][ T5926] usb 6-1: new high-speed USB device number 16 using dummy_hcd [ 458.352435][ T5883] usb 1-1: Using ep0 maxpacket: 32 [ 458.360307][ T5883] usb 1-1: config 155 has an invalid descriptor of length 0, skipping remainder of the config [ 458.371113][ T5883] usb 1-1: config 155 interface 0 altsetting 0 has an endpoint descriptor with address 0xE2, changing to 0x82 [ 458.383060][ T5883] usb 1-1: config 155 interface 0 altsetting 0 endpoint 0x82 has an invalid bInterval 0, changing to 7 [ 458.396363][ T5883] usb 1-1: config 155 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 11 [ 458.409818][T16481] netlink: 4 bytes leftover after parsing attributes in process `syz.4.4205'. [ 458.441441][ T5883] usb 1-1: New USB device found, idVendor=15c2, idProduct=ffdc, bcdDevice=bd.30 [ 458.460144][ T5883] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 458.482107][ T5883] usb 1-1: Product: syz [ 458.488846][ T5926] usb 6-1: New USB device found, idVendor=1c40, idProduct=0534, bcdDevice=6d.cc [ 458.490678][ T5883] usb 1-1: Manufacturer: syz [ 458.498368][ T10] usb 2-1: new high-speed USB device number 70 using dummy_hcd [ 458.503705][ T5883] usb 1-1: SerialNumber: syz [ 458.525584][ T5926] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 458.530380][ C1] imon 1-1:155.0: imon usb_rx_callback_intf0: status(-71) [ 458.541142][ T5926] usb 6-1: Product: syz [ 458.544413][ T5883] input: iMON Panel, Knob and Mouse(15c2:ffdc) as /devices/platform/dummy_hcd.0/usb1/1-1/1-1:155.0/input/input108 [ 458.556250][ T5926] usb 6-1: Manufacturer: syz [ 458.570796][ T5926] usb 6-1: SerialNumber: syz [ 458.580955][ T5926] usb 6-1: config 0 descriptor?? [ 458.603104][ T5926] i2c-tiny-usb 6-1:0.0: version 6d.cc found at bus 006 address 016 [ 458.666395][ T10] usb 2-1: Using ep0 maxpacket: 8 [ 458.687385][ T10] usb 2-1: config 150 has an invalid interface number: 204 but max is 0 [ 458.713959][ T10] usb 2-1: config 150 has no interface number 0 [ 458.730021][ T10] usb 2-1: config 150 interface 204 has no altsetting 0 [ 458.749381][ T10] usb 2-1: New USB device found, idVendor=04e2, idProduct=1424, bcdDevice=c7.eb [ 458.762579][ T10] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 458.765984][ T5883] imon 1-1:155.0: Unknown 0xffdc device, defaulting to VFD and iMON IR [ 458.770700][ T10] usb 2-1: Product: syz [ 458.784057][ T10] usb 2-1: Manufacturer: syz [ 458.788907][ T10] usb 2-1: SerialNumber: syz [ 458.789204][ T5883] (id 0x00) [ 458.874127][ T5883] rc_core: IR keymap rc-imon-pad not found [ 458.879962][ T5883] Registered IR keymap rc-empty [ 458.902988][ T5883] imon 1-1:155.0: Looks like you're trying to use an IR protocol this device does not support [ 458.913835][ T5883] imon 1-1:155.0: Unsupported IR protocol specified, overriding to iMON IR protocol [ 458.960409][T16498] binder: 16497:16498 ioctl c0306201 800001c0 returned -22 [ 458.983762][ T5883] rc rc0: iMON Remote (15c2:ffdc) as /devices/platform/dummy_hcd.0/usb1/1-1/1-1:155.0/rc/rc0 [ 459.000683][ T5883] input: iMON Remote (15c2:ffdc) as /devices/platform/dummy_hcd.0/usb1/1-1/1-1:155.0/rc/rc0/input109 [ 459.022289][ T5883] imon 1-1:155.0: iMON device (15c2:ffdc, intf0) on usb<1:74> initialized [ 459.045776][ T5926] (null): failure reading functionality [ 459.062189][ C1] ip6_tunnel: ip6gretap0 xmit: Local address not yet configured! [ 459.078958][ T30] audit: type=1804 audit(1768199782.639:1128): pid=16502 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=invalid_pcr cause=open_writers comm="syz.4.4215" name="/newroot/852/file1" dev="tmpfs" ino=4371 res=1 errno=0 [ 459.089482][ T5926] i2c i2c-2: connected i2c-tiny-usb device [ 459.242281][ T5883] usb 3-1: new high-speed USB device number 66 using dummy_hcd [ 459.272020][ T10] usb 2-1: USB disconnect, device number 70 [ 459.290885][T16504] netlink: 4 bytes leftover after parsing attributes in process `syz.4.4216'. [ 459.326152][T16504] netlink: 4 bytes leftover after parsing attributes in process `syz.4.4216'. [ 459.337368][T16504] netlink: 100 bytes leftover after parsing attributes in process `syz.4.4216'. [ 459.349970][T16504] netlink: 100 bytes leftover after parsing attributes in process `syz.4.4216'. [ 459.362651][ T107] usb 1-1: USB disconnect, device number 74 [ 459.378207][ T5930] usb 6-1: USB disconnect, device number 16 [ 459.416941][ T5883] usb 3-1: New USB device found, idVendor=1604, idProduct=8001, bcdDevice=44.1f [ 459.440658][ T5883] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 459.449498][ T5883] usb 3-1: Product: syz [ 459.466871][ T5883] usb 3-1: Manufacturer: syz [ 459.473057][ T5883] usb 3-1: SerialNumber: syz [ 459.481737][ T5883] usb 3-1: config 0 descriptor?? [ 459.664683][T16512] netlink: 4 bytes leftover after parsing attributes in process `syz.4.4220'. [ 459.710046][ T107] usb 3-1: USB disconnect, device number 66 [ 460.847076][ T5830] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1 [ 460.858461][ T5830] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9 [ 460.872881][ T5830] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9 [ 460.881308][ T5830] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4 [ 460.889220][ T5830] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2 [ 461.496823][T16551] chnl_net:caif_netlink_parms(): no params data found [ 461.771405][T16551] bridge0: port 1(bridge_slave_0) entered blocking state [ 461.790404][T16551] bridge0: port 1(bridge_slave_0) entered disabled state [ 461.813785][T16551] bridge_slave_0: entered allmulticast mode [ 461.836790][T16551] bridge_slave_0: entered promiscuous mode [ 461.857293][T16551] bridge0: port 2(bridge_slave_1) entered blocking state [ 461.864617][T16551] bridge0: port 2(bridge_slave_1) entered disabled state [ 461.884902][T16551] bridge_slave_1: entered allmulticast mode [ 461.892235][ T5883] usb 5-1: new high-speed USB device number 70 using dummy_hcd [ 461.895822][T16551] bridge_slave_1: entered promiscuous mode [ 461.969763][T16551] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 461.994433][T16551] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 462.064090][T16551] team0: Port device team_slave_0 added [ 462.069893][ T5883] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 462.073168][T16551] team0: Port device team_slave_1 added [ 462.086954][T16583] syzkaller1: entered promiscuous mode [ 462.091180][ T5883] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 462.094755][T16583] syzkaller1: entered allmulticast mode [ 462.122472][ T5883] usb 5-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 21 [ 462.161085][ T5883] usb 5-1: New USB device found, idVendor=047f, idProduct=ffff, bcdDevice= 0.00 [ 462.176333][ T5883] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 462.193172][ T5883] usb 5-1: config 0 descriptor?? [ 462.208589][T16551] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 462.216485][T16551] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 462.243727][T16551] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 462.258083][T16551] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 462.282191][T16551] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 462.315241][T16551] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 462.434233][T16551] hsr_slave_0: entered promiscuous mode [ 462.450356][T16551] hsr_slave_1: entered promiscuous mode [ 462.457759][T16551] debugfs: 'hsr0' already exists in 'hsr' [ 462.465570][T16551] Cannot create hsr debugfs directory [ 462.631609][ T5883] plantronics 0003:047F:FFFF.0070: hiddev0,hidraw0: USB HID v0.40 Device [HID 047f:ffff] on usb-dummy_hcd.4-1/input0 [ 462.922569][T16551] netdevsim netdevsim6 netdevsim0: renamed from eth0 [ 462.947050][T16551] netdevsim netdevsim6 netdevsim1: renamed from eth1 [ 462.959335][T16551] netdevsim netdevsim6 netdevsim2: renamed from eth2 [ 462.970138][T16551] netdevsim netdevsim6 netdevsim3: renamed from eth3 [ 462.984219][ T5830] Bluetooth: hci4: command tx timeout [ 463.163785][T16551] 8021q: adding VLAN 0 to HW filter on device bond0 [ 463.205922][T16551] 8021q: adding VLAN 0 to HW filter on device team0 [ 463.228400][ T12] bridge0: port 1(bridge_slave_0) entered blocking state [ 463.235564][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state [ 463.336505][T16630] bond6: (slave lo): enslaved VLAN challenged slave. Adding VLANs will be blocked as long as it is part of bond. [ 463.373167][T16630] bond6: (slave lo): Enslaving as an active interface with an up link [ 463.392276][T16630] A link change request failed with some changes committed already. Interface tunl0 may have been left with an inconsistent configuration, please check. [ 463.452070][ T2977] bridge0: port 2(bridge_slave_1) entered blocking state [ 463.459237][ T2977] bridge0: port 2(bridge_slave_1) entered forwarding state [ 463.629100][T16551] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 463.698861][T16551] veth0_vlan: entered promiscuous mode [ 463.730981][T16551] veth1_vlan: entered promiscuous mode [ 463.831037][T16551] veth0_macvtap: entered promiscuous mode [ 463.859770][T16551] veth1_macvtap: entered promiscuous mode [ 463.906858][T16551] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 463.930502][T16551] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 463.953397][ C1] plantronics 0003:047F:FFFF.0070: usb_submit_urb(ctrl) failed: -1 [ 463.985593][ T6039] netdevsim netdevsim6 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 463.997305][ T6039] netdevsim netdevsim6 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 464.007235][ T6039] netdevsim netdevsim6 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 464.016856][ T6039] netdevsim netdevsim6 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 464.178346][ T6039] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 464.201943][ T6039] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 464.257092][ T6039] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 464.265822][ T6039] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 464.691658][ T5836] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 464.701216][ T5836] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 464.709060][ T5836] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 464.727310][ T5836] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 464.733204][ T5930] usb 5-1: USB disconnect, device number 70 [ 464.751400][ T5836] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 465.062488][ T5836] Bluetooth: hci4: command tx timeout [ 465.287928][T16663] chnl_net:caif_netlink_parms(): no params data found [ 465.390952][T16663] bridge0: port 1(bridge_slave_0) entered blocking state [ 465.398987][T16663] bridge0: port 1(bridge_slave_0) entered disabled state [ 465.406379][T16663] bridge_slave_0: entered allmulticast mode [ 465.413315][T16663] bridge_slave_0: entered promiscuous mode [ 465.421185][T16663] bridge0: port 2(bridge_slave_1) entered blocking state [ 465.428854][T16663] bridge0: port 2(bridge_slave_1) entered disabled state [ 465.436064][ T5930] usb 5-1: new high-speed USB device number 71 using dummy_hcd [ 465.444124][T16663] bridge_slave_1: entered allmulticast mode [ 465.462283][T16663] bridge_slave_1: entered promiscuous mode [ 465.494846][T16663] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 465.508077][T16663] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 465.536436][T16663] team0: Port device team_slave_0 added [ 465.544293][T16663] team0: Port device team_slave_1 added [ 465.571165][T16663] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 465.578433][T16663] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 465.605625][T16663] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 465.618020][T16663] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 465.625197][ T5930] usb 5-1: Using ep0 maxpacket: 32 [ 465.625482][T16663] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 465.632138][ T5930] usb 5-1: config 155 has an invalid descriptor of length 0, skipping remainder of the config [ 465.656991][T16663] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 465.666934][ T5930] usb 5-1: config 155 interface 0 altsetting 0 has an endpoint descriptor with address 0xE2, changing to 0x82 [ 465.689172][ T5930] usb 5-1: config 155 interface 0 altsetting 0 endpoint 0x82 has an invalid bInterval 0, changing to 7 [ 465.700684][ T5930] usb 5-1: config 155 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 11 [ 465.717955][ T5930] usb 5-1: New USB device found, idVendor=15c2, idProduct=ffdc, bcdDevice=bd.30 [ 465.727535][ T5930] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 465.735638][ T5930] usb 5-1: Product: syz [ 465.739892][ T5930] usb 5-1: Manufacturer: syz [ 465.744639][ T5930] usb 5-1: SerialNumber: syz [ 465.758123][T16663] hsr_slave_0: entered promiscuous mode [ 465.760901][ C1] imon 5-1:155.0: imon usb_rx_callback_intf0: status(-71) [ 465.764849][T16663] hsr_slave_1: entered promiscuous mode [ 465.773899][ T5930] input: iMON Panel, Knob and Mouse(15c2:ffdc) as /devices/platform/dummy_hcd.4/usb5/5-1/5-1:155.0/input/input111 [ 465.777577][T16663] debugfs: 'hsr0' already exists in 'hsr' [ 465.795738][T16663] Cannot create hsr debugfs directory [ 466.002139][ T5930] imon 5-1:155.0: Unknown 0xffdc device, defaulting to VFD and iMON IR [ 466.010493][ T5930] (id 0x00) [ 466.062574][ T5930] rc_core: IR keymap rc-imon-pad not found [ 466.068379][ T5930] Registered IR keymap rc-empty [ 466.074194][ T5930] imon 5-1:155.0: Looks like you're trying to use an IR protocol this device does not support [ 466.085416][ T5930] imon 5-1:155.0: Unsupported IR protocol specified, overriding to iMON IR protocol [ 466.106030][T16663] netdevsim netdevsim1 netdevsim0 (unregistering): left allmulticast mode [ 466.194115][ T5930] rc rc0: iMON Remote (15c2:ffdc) as /devices/platform/dummy_hcd.4/usb5/5-1/5-1:155.0/rc/rc0 [ 466.205546][T16663] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 466.209894][ T5930] input: iMON Remote (15c2:ffdc) as /devices/platform/dummy_hcd.4/usb5/5-1/5-1:155.0/rc/rc0/input112 [ 466.227789][T16663] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 466.229666][ T5930] imon 5-1:155.0: iMON device (15c2:ffdc, intf0) on usb<5:71> initialized [ 466.246920][T16663] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 466.259309][T16663] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 466.389684][T16663] 8021q: adding VLAN 0 to HW filter on device bond0 [ 466.414566][T16663] 8021q: adding VLAN 0 to HW filter on device team0 [ 466.443605][ T3000] bridge0: port 1(bridge_slave_0) entered blocking state [ 466.450754][ T3000] bridge0: port 1(bridge_slave_0) entered forwarding state [ 466.468603][ T62] bridge0: port 2(bridge_slave_1) entered blocking state [ 466.475685][ T62] bridge0: port 2(bridge_slave_1) entered forwarding state [ 466.497194][ T9] usb 5-1: USB disconnect, device number 71 [ 466.571396][T16663] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 466.644810][T16663] veth0_vlan: entered promiscuous mode [ 466.661811][T16663] veth1_vlan: entered promiscuous mode [ 466.694368][T16663] veth0_macvtap: entered promiscuous mode [ 466.704560][T16663] veth1_macvtap: entered promiscuous mode [ 466.746886][T16663] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 466.785169][T16663] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 466.810681][T14840] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 466.823091][ T5836] Bluetooth: hci3: command tx timeout [ 466.850254][T14840] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 466.872583][T14840] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 466.891970][T14840] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 467.034793][ T12] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 467.061240][ T12] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 467.104386][ T3000] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 467.124299][ T3000] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 467.143547][ T5836] Bluetooth: hci4: command tx timeout [ 467.256646][T16709] input: syz0 as /devices/virtual/input/input113 [ 467.627069][T16731] netlink: 'syz.2.4298': attribute type 10 has an invalid length. [ 467.645418][T16731] bond0: (slave wlan1): Enslaving as an active interface with an up link [ 467.825999][ T30] audit: type=1326 audit(1768199791.389:1129): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=16737 comm="syz.2.4302" exe="/root/syz-executor" sig=9 arch=40000003 syscall=252 compat=1 ip=0xf703d539 code=0x0 [ 468.364672][T16750] bridge0: port 2(bridge_slave_1) entered disabled state [ 468.373459][T16750] bridge0: port 1(bridge_slave_0) entered disabled state [ 468.490481][T16750] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 468.520637][T16750] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 468.756471][T16088] netdevsim netdevsim6 netdevsim0: unset [1, 0] type 2 family 0 port 6081 - 0 [ 468.772550][T16088] netdevsim netdevsim6 netdevsim1: unset [1, 0] type 2 family 0 port 6081 - 0 [ 468.821110][T16088] netdevsim netdevsim6 netdevsim2: unset [1, 0] type 2 family 0 port 6081 - 0 [ 468.855650][T16088] netdevsim netdevsim6 netdevsim3: unset [1, 0] type 2 family 0 port 6081 - 0 [ 468.902254][ T5836] Bluetooth: hci3: command tx timeout [ 469.106327][T16775] batadv_slave_1: entered promiscuous mode [ 469.113613][T16775] netlink: 4 bytes leftover after parsing attributes in process `syz.4.4314'. [ 469.123392][T16773] batadv_slave_1: left promiscuous mode [ 469.232301][ T5836] Bluetooth: hci4: command tx timeout [ 469.342134][ T10] usb 1-1: new high-speed USB device number 75 using dummy_hcd [ 469.522313][ T10] usb 1-1: Using ep0 maxpacket: 16 [ 469.529056][ T10] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 469.540203][ T10] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 469.550407][ T10] usb 1-1: New USB device found, idVendor=0853, idProduct=0148, bcdDevice= 0.00 [ 469.559513][ T10] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 469.569409][ T10] usb 1-1: config 0 descriptor?? [ 469.981403][T16793] netlink: 76 bytes leftover after parsing attributes in process `syz.1.4323'. [ 470.025703][ T10] topre 0003:0853:0148.0071: unknown main item tag 0x0 [ 470.042073][ T10] topre 0003:0853:0148.0071: unknown main item tag 0x0 [ 470.062595][ T10] topre 0003:0853:0148.0071: unknown main item tag 0x0 [ 470.069934][ T10] topre 0003:0853:0148.0071: unknown main item tag 0x0 [ 470.089205][ T10] topre 0003:0853:0148.0071: unknown main item tag 0x0 [ 470.102149][ T10] topre 0003:0853:0148.0071: unknown main item tag 0x0 [ 470.122080][ T10] topre 0003:0853:0148.0071: unknown main item tag 0x0 [ 470.128943][ T10] topre 0003:0853:0148.0071: unknown main item tag 0x0 [ 470.152135][ T10] topre 0003:0853:0148.0071: unknown main item tag 0x0 [ 470.159837][ T10] topre 0003:0853:0148.0071: unknown main item tag 0x0 [ 470.187799][ T10] topre 0003:0853:0148.0071: hidraw0: USB HID v0.49 Device [HID 0853:0148] on usb-dummy_hcd.0-1/input0 [ 470.239764][ T10] usb 1-1: USB disconnect, device number 75 [ 470.346273][T16794] fido_id[16794]: Failed to open report descriptor at '/sys/devices/platform/dummy_hcd.0/usb1/report_descriptor': No such file or directory [ 470.486003][ T30] audit: type=1326 audit(1768199794.049:1130): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=16796 comm="syz.1.4334" exe="/root/syz-executor" sig=9 arch=40000003 syscall=252 compat=1 ip=0xf709d539 code=0x0 [ 470.578905][ T5830] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 470.590069][ T5830] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 470.603751][ T5830] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 470.612784][ T5830] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 470.622768][ T5830] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 470.983109][ T5836] Bluetooth: hci3: command tx timeout [ 471.313158][ T5926] usb 1-1: new high-speed USB device number 76 using dummy_hcd [ 471.357837][T16802] hsr0: left allmulticast mode [ 471.372100][T16802] hsr_slave_0: left allmulticast mode [ 471.377497][T16802] hsr_slave_1: left allmulticast mode [ 471.496095][ T5926] usb 1-1: Using ep0 maxpacket: 16 [ 471.507760][ T5926] usb 1-1: config 0 interface 0 altsetting 0 has an endpoint descriptor with address 0xF3, changing to 0x83 [ 471.532105][ T5926] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x83 has an invalid bInterval 0, changing to 7 [ 471.564081][ T5926] usb 1-1: New USB device found, idVendor=2040, idProduct=0264, bcdDevice=4e.d1 [ 471.573188][ T5926] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 471.581175][ T5926] usb 1-1: Product: syz [ 471.581193][ T5926] usb 1-1: Manufacturer: syz [ 471.581206][ T5926] usb 1-1: SerialNumber: syz [ 471.625128][ T5926] usb 1-1: config 0 descriptor?? [ 471.635281][ T5926] em28xx 1-1:0.0: New device syz syz @ 480 Mbps (2040:0264, interface 0, class 0) [ 471.669100][ T5926] em28xx 1-1:0.0: Audio interface 0 found (Vendor Class) [ 471.808533][T14840] netdevsim netdevsim4 netdevsim0: unset [0, 0] type 1 family 0 port 8472 - 0 [ 471.842090][T14840] netdevsim netdevsim4 netdevsim0: unset [1, 0] type 2 family 0 port 6081 - 0 [ 471.852432][T14840] netdevsim netdevsim4 netdevsim1: unset [0, 0] type 1 family 0 port 8472 - 0 [ 471.861320][T14840] netdevsim netdevsim4 netdevsim1: unset [1, 0] type 2 family 0 port 6081 - 0 [ 471.911956][T14840] netdevsim netdevsim4 netdevsim2: unset [0, 0] type 1 family 0 port 8472 - 0 [ 471.921148][T14840] netdevsim netdevsim4 netdevsim2: unset [1, 0] type 2 family 0 port 6081 - 0 [ 471.939870][T14840] netdevsim netdevsim4 netdevsim3: unset [0, 0] type 1 family 0 port 8472 - 0 [ 471.951403][T14840] netdevsim netdevsim4 netdevsim3: unset [1, 0] type 2 family 0 port 6081 - 0 [ 472.283148][ T5926] em28xx 1-1:0.0: unknown em28xx chip ID (190) [ 472.313908][ T12] bond1 (unregistering): (slave geneve2): Releasing active interface [ 472.447173][ T12] bond0 (unregistering): (slave wlan1): Releasing backup interface [ 472.460593][ T12] bond0 (unregistering): Released all slaves [ 472.483741][ T5926] em28xx 1-1:0.0: Config register raw data: 0xfffffffb [ 472.574474][ T12] bond1 (unregistering): Released all slaves [ 472.666914][ T5836] Bluetooth: hci1: command tx timeout [ 472.679914][ T12] bond2 (unregistering): Released all slaves [ 472.711976][ T5926] em28xx 1-1:0.0: AC97 chip type couldn't be determined [ 472.720170][ T5926] em28xx 1-1:0.0: No AC97 audio processor [ 472.748574][ T5926] usb 1-1: USB disconnect, device number 76 [ 472.767776][ T5926] em28xx 1-1:0.0: Disconnecting em28xx [ 472.785483][ T5926] em28xx 1-1:0.0: Freeing device [ 472.827769][ T12] bond3 (unregistering): (slave batadv1): Releasing active interface [ 472.836861][ T12] bond3 (unregistering): Released all slaves [ 473.001891][ T12] tipc: Left network mode [ 473.068464][ T5836] Bluetooth: hci3: command tx timeout [ 473.465331][T16807] chnl_net:caif_netlink_parms(): no params data found [ 473.625604][ T12] hsr_slave_0: left promiscuous mode [ 473.661973][ T12] hsr_slave_1: left promiscuous mode [ 473.782618][ C1] ip6_tunnel: ip6gretap0 xmit: Local address not yet configured! [ 474.744884][ T5836] Bluetooth: hci1: command tx timeout [ 475.234630][T16898] netlink: 76 bytes leftover after parsing attributes in process `syz.6.4354'. [ 475.419177][T16807] bridge0: port 1(bridge_slave_0) entered blocking state [ 475.444717][T16807] bridge0: port 1(bridge_slave_0) entered disabled state [ 475.452931][T16807] bridge_slave_0: entered allmulticast mode [ 475.460321][T16807] bridge_slave_0: entered promiscuous mode [ 475.479732][T16807] bridge0: port 2(bridge_slave_1) entered blocking state [ 475.501907][T16807] bridge0: port 2(bridge_slave_1) entered disabled state [ 475.525879][T16807] bridge_slave_1: entered allmulticast mode [ 475.535013][T16807] bridge_slave_1: entered promiscuous mode [ 475.637121][T16807] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 475.673148][T16807] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 475.837338][T16807] team0: Port device team_slave_0 added [ 475.861211][T16807] team0: Port device team_slave_1 added [ 476.026540][T16807] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 476.062069][T16807] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 476.102404][T16807] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 476.127830][T16807] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 476.135138][T16807] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 476.181831][T16807] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 476.471375][T16807] hsr_slave_0: entered promiscuous mode [ 476.496530][T16807] hsr_slave_1: entered promiscuous mode [ 476.521023][T16807] debugfs: 'hsr0' already exists in 'hsr' [ 476.539556][T16807] Cannot create hsr debugfs directory [ 476.553585][T16934] syzkaller1: entered promiscuous mode [ 476.574246][T16934] syzkaller1: entered allmulticast mode [ 476.822130][ T5836] Bluetooth: hci1: command tx timeout [ 477.040059][T16953] loop3: detected capacity change from 0 to 7 [ 477.058760][T16953] Dev loop3: unable to read RDB block 7 [ 477.072142][T16953] loop3: unable to read partition table [ 477.093760][T16953] loop3: partition table beyond EOD, truncated [ 477.112523][T16953] loop_reread_partitions: partition scan of loop3 (þ被xü—ŸÑà– ) failed (rc=-5) [ 477.522348][ T5926] usb 1-1: new high-speed USB device number 77 using dummy_hcd [ 477.699034][ T5926] usb 1-1: too many endpoints for config 4 interface 0 altsetting 0: 101, using maximum allowed: 30 [ 477.722115][ T5926] usb 1-1: config 4 interface 0 altsetting 0 has an endpoint descriptor with address 0x31, changing to 0x1 [ 477.773066][ T5926] usb 1-1: config 4 interface 0 altsetting 0 endpoint 0x1 has an invalid bInterval 0, changing to 7 [ 477.803308][ T5926] usb 1-1: config 4 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 101 [ 477.844626][ T5926] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9374, bcdDevice=bc.3b [ 477.879260][ T5926] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 477.983762][T16807] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 478.134162][ T5926] ath6kl: Failed to submit usb control message: -71 [ 478.143774][ T5926] ath6kl: unable to send the bmi data to the device: -71 [ 478.150823][ T5926] ath6kl: Unable to send get target info: -71 [ 478.171892][T16807] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 478.198122][ T5926] ath6kl: Failed to init ath6kl core: -71 [ 478.220311][ T5926] ath6kl_usb 1-1:4.0: probe with driver ath6kl_usb failed with error -71 [ 478.252947][ T5926] usb 1-1: USB disconnect, device number 77 [ 478.316666][ T6039] netdevsim netdevsim1 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 478.364303][T16807] netdevsim netdevsim2 netdevsim2: renamed from eth2 [ 478.398168][T16807] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 478.440368][ T6039] netdevsim netdevsim1 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 478.629618][ T6039] netdevsim netdevsim1 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 478.687081][ T5830] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 478.700106][ T5830] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 478.709422][ T5830] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 478.728011][ T5830] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 478.757664][ T5830] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 478.786774][ T6039] netdevsim netdevsim1 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 478.902893][ T5830] Bluetooth: hci1: command tx timeout [ 478.939115][T16807] 8021q: adding VLAN 0 to HW filter on device bond0 [ 479.059259][T16807] 8021q: adding VLAN 0 to HW filter on device team0 [ 479.110295][T14840] bridge0: port 1(bridge_slave_0) entered blocking state [ 479.117486][T14840] bridge0: port 1(bridge_slave_0) entered forwarding state [ 479.192624][ T6070] usb 1-1: new high-speed USB device number 78 using dummy_hcd [ 479.274320][T14840] bridge0: port 2(bridge_slave_1) entered blocking state [ 479.281472][T14840] bridge0: port 2(bridge_slave_1) entered forwarding state [ 479.374207][ T6070] usb 1-1: Using ep0 maxpacket: 32 [ 479.384327][ T6070] usb 1-1: config 155 has an invalid descriptor of length 0, skipping remainder of the config [ 479.405864][ T6070] usb 1-1: config 155 interface 0 altsetting 0 has an endpoint descriptor with address 0xE2, changing to 0x82 [ 479.427572][ T6070] usb 1-1: config 155 interface 0 altsetting 0 endpoint 0x82 has an invalid bInterval 0, changing to 7 [ 479.439971][ T6070] usb 1-1: config 155 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 11 [ 479.444916][ T6039] bridge_slave_1: left allmulticast mode [ 479.460552][ T6070] usb 1-1: New USB device found, idVendor=15c2, idProduct=ffdc, bcdDevice=bd.30 [ 479.481778][ T6070] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 479.487091][ T6039] bridge_slave_1: left promiscuous mode [ 479.502524][ T6070] usb 1-1: Product: syz [ 479.506697][ T6070] usb 1-1: Manufacturer: syz [ 479.511290][ T6070] usb 1-1: SerialNumber: syz [ 479.511687][ T6039] bridge0: port 2(bridge_slave_1) entered disabled state [ 479.544189][ C0] imon 1-1:155.0: imon usb_rx_callback_intf0: status(-71) [ 479.557787][ T6070] input: iMON Panel, Knob and Mouse(15c2:ffdc) as /devices/platform/dummy_hcd.0/usb1/1-1/1-1:155.0/input/input115 [ 479.576318][ T6039] bridge_slave_0: left allmulticast mode [ 479.584852][ T6039] bridge_slave_0: left promiscuous mode [ 479.590676][ T6039] bridge0: port 1(bridge_slave_0) entered disabled state [ 479.756947][ T6070] imon 1-1:155.0: Unknown 0xffdc device, defaulting to VFD and iMON IR [ 479.765576][ T6070] (id 0x00) [ 479.852086][ T6070] rc_core: IR keymap rc-imon-pad not found [ 479.861870][ T6070] Registered IR keymap rc-empty [ 479.870315][ T6070] imon 1-1:155.0: Looks like you're trying to use an IR protocol this device does not support [ 479.890084][ T6070] imon 1-1:155.0: Unsupported IR protocol specified, overriding to iMON IR protocol [ 479.954662][ T6070] rc rc0: iMON Remote (15c2:ffdc) as /devices/platform/dummy_hcd.0/usb1/1-1/1-1:155.0/rc/rc0 [ 479.975735][ T6070] input: iMON Remote (15c2:ffdc) as /devices/platform/dummy_hcd.0/usb1/1-1/1-1:155.0/rc/rc0/input116 [ 480.019178][ T6070] imon 1-1:155.0: iMON device (15c2:ffdc, intf0) on usb<1:78> initialized [ 480.082194][T16813] usb 5-1: new high-speed USB device number 72 using dummy_hcd [ 480.264290][T16813] usb 5-1: Using ep0 maxpacket: 8 [ 480.275706][T16813] usb 5-1: New USB device found, idVendor=0ccd, idProduct=00b3, bcdDevice=2e.04 [ 480.285955][ T6039] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 480.287907][T16813] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 480.303599][T16813] usb 5-1: Product: syz [ 480.307856][T16813] usb 5-1: Manufacturer: syz [ 480.313912][T16813] usb 5-1: SerialNumber: syz [ 480.320344][ T6039] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 480.340477][ T6039] bond0 (unregistering): Released all slaves [ 480.347256][T16813] usb 5-1: config 0 descriptor?? [ 480.580930][T16813] usb 5-1: dvb_usb_v2: found a 'TerraTec NOXON DAB Stick' in warm state [ 480.671967][T17058] imon:send_packet: packet tx failed (-71) [ 480.678091][ T6070] usb 1-1: USB disconnect, device number 78 [ 480.708722][T17058] imon:vfd_write: send packet #1 failed [ 480.822771][ T5830] Bluetooth: hci3: command tx timeout [ 480.857345][T17004] chnl_net:caif_netlink_parms(): no params data found [ 480.998137][ T6039] hsr_slave_0: left promiscuous mode [ 481.009446][ T6039] hsr_slave_1: left promiscuous mode [ 481.018715][ T6039] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 481.026836][ T6039] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 481.035691][T16813] dvb_usb_rtl28xxu 5-1:0.0: probe with driver dvb_usb_rtl28xxu failed with error -71 [ 481.051213][ T6039] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 481.079443][T16813] usb 5-1: USB disconnect, device number 72 [ 481.086456][ T6039] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 481.169195][ T6039] veth1_macvtap: left promiscuous mode [ 481.174958][ T6039] veth0_macvtap: left promiscuous mode [ 481.180659][ T6039] veth1_vlan: left promiscuous mode [ 481.186363][ T6039] veth0_vlan: left promiscuous mode [ 481.948115][ T6039] team0 (unregistering): Port device team_slave_1 removed [ 481.988709][ T6039] team0 (unregistering): Port device team_slave_0 removed [ 482.132159][T16813] usb 1-1: new high-speed USB device number 79 using dummy_hcd [ 482.302103][T16813] usb 1-1: Using ep0 maxpacket: 16 [ 482.309422][T16813] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 482.320249][T16813] usb 1-1: New USB device found, idVendor=05ac, idProduct=0244, bcdDevice= 0.00 [ 482.329491][T16813] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 482.340340][T16813] usb 1-1: config 0 descriptor?? [ 482.360595][T16813] input: bcm5974 as /devices/platform/dummy_hcd.0/usb1/1-1/1-1:0.0/input/input117 [ 482.472681][T17004] bridge0: port 1(bridge_slave_0) entered blocking state [ 482.479964][T17004] bridge0: port 1(bridge_slave_0) entered disabled state [ 482.488554][T17004] bridge_slave_0: entered allmulticast mode [ 482.505453][T17004] bridge_slave_0: entered promiscuous mode [ 482.513976][T17004] bridge0: port 2(bridge_slave_1) entered blocking state [ 482.521114][T17004] bridge0: port 2(bridge_slave_1) entered disabled state [ 482.528635][T17004] bridge_slave_1: entered allmulticast mode [ 482.536840][T17004] bridge_slave_1: entered promiscuous mode [ 482.607550][T17004] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 482.678882][T17004] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 482.762874][ T5184] bcm5974 1-1:0.0: could not read from device [ 482.787729][T16813] usb 1-1: USB disconnect, device number 79 [ 482.821067][T16807] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 482.864468][T17004] team0: Port device team_slave_0 added [ 482.903594][ T5830] Bluetooth: hci3: command tx timeout [ 482.917067][T17004] team0: Port device team_slave_1 added [ 483.000761][T17004] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 483.007845][T17004] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 483.034273][T17004] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 483.053603][T17004] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 483.061230][T17004] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 483.087625][T17004] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 483.171820][T17004] hsr_slave_0: entered promiscuous mode [ 483.179420][T17004] hsr_slave_1: entered promiscuous mode [ 483.186639][T17004] debugfs: 'hsr0' already exists in 'hsr' [ 483.192815][T17004] Cannot create hsr debugfs directory [ 483.291733][T16807] veth0_vlan: entered promiscuous mode [ 483.325065][T16807] veth1_vlan: entered promiscuous mode [ 483.434032][T16807] veth0_macvtap: entered promiscuous mode [ 483.450722][T16807] veth1_macvtap: entered promiscuous mode [ 483.494710][T16807] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 483.508102][T17004] netdevsim netdevsim7 netdevsim0: renamed from eth0 [ 483.537896][T17004] netdevsim netdevsim7 netdevsim1: renamed from eth1 [ 483.556643][T17004] netdevsim netdevsim7 netdevsim2: renamed from eth2 [ 483.570885][T16807] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 483.578462][T17004] netdevsim netdevsim7 netdevsim3: renamed from eth3 [ 483.614423][ T3000] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 483.635779][ T3000] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 483.646911][ T3000] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 483.656669][ T3000] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 483.794727][ T3000] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 483.811828][ T3000] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 483.936910][ T3000] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 483.957139][ T3000] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 483.970250][ T30] audit: type=1804 audit(1768199807.529:1131): pid=17148 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=invalid_pcr cause=ToMToU comm="syz.4.4403" name="file0" dev="ramfs" ino=74187 res=1 errno=0 [ 483.998906][T17004] 8021q: adding VLAN 0 to HW filter on device bond0 [ 484.059924][T17004] 8021q: adding VLAN 0 to HW filter on device team0 [ 484.111290][T17152] ÿ: renamed from bond_slave_0 [ 484.146633][ T1146] bridge0: port 1(bridge_slave_0) entered blocking state [ 484.153760][ T1146] bridge0: port 1(bridge_slave_0) entered forwarding state [ 484.217708][ T1146] bridge0: port 2(bridge_slave_1) entered blocking state [ 484.224843][ T1146] bridge0: port 2(bridge_slave_1) entered forwarding state [ 484.354339][T17156] netlink: 60 bytes leftover after parsing attributes in process `syz.2.4325'. [ 484.376944][T17156] netlink: 60 bytes leftover after parsing attributes in process `syz.2.4325'. [ 484.445634][T17004] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 484.472483][T17004] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 484.749998][T17004] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 484.911953][T17176] netlink: 28 bytes leftover after parsing attributes in process `syz.2.4410'. [ 484.931678][T17176] netlink: 28 bytes leftover after parsing attributes in process `syz.2.4410'. [ 484.949469][T17004] veth0_vlan: entered promiscuous mode [ 484.982869][ T5830] Bluetooth: hci3: command tx timeout [ 485.037128][T17004] veth1_vlan: entered promiscuous mode [ 485.085500][T17185] netlink: 212348 bytes leftover after parsing attributes in process `syz.0.4413'. [ 485.106354][T17185] netlink: Conntrack attr type has unexpected length (type=2, length=0, expected=2) [ 485.217878][T17004] veth0_macvtap: entered promiscuous mode [ 485.277625][T17004] veth1_macvtap: entered promiscuous mode [ 485.367666][T17004] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 485.425050][T17004] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 485.457586][ T2977] netdevsim netdevsim7 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 485.509467][ T1146] netdevsim netdevsim7 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 485.543458][ T1146] netdevsim netdevsim7 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 485.572098][ T5903] usb 5-1: new high-speed USB device number 73 using dummy_hcd [ 485.600462][ T1146] netdevsim netdevsim7 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 485.732265][ T5903] usb 5-1: Using ep0 maxpacket: 32 [ 485.753354][ T5903] usb 5-1: config index 0 descriptor too short (expected 29220, got 36) [ 485.761714][ T5903] usb 5-1: config 0 has too many interfaces: 81, using maximum allowed: 32 [ 485.804671][ T3000] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 485.823514][ T5903] usb 5-1: config 0 has 1 interface, different from the descriptor's value: 81 [ 485.844898][ T3000] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 485.862847][ T5903] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x1 has invalid wMaxPacketSize 0 [ 485.894365][ T5903] usb 5-1: config 0 interface 0 altsetting 0 bulk endpoint 0x1 has invalid maxpacket 0 [ 485.949563][ T5903] usb 5-1: config 0 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 18 [ 485.994106][ T3000] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 486.006922][ T5903] usb 5-1: New USB device found, idVendor=03f0, idProduct=6c17, bcdDevice= 0.40 [ 486.020749][ T5903] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 486.028904][ T3000] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 486.043388][ T5903] usb 5-1: config 0 descriptor?? [ 486.328373][ T5903] usblp 5-1:0.0: usblp0: USB Bidirectional printer dev 73 if 0 alt 0 proto 3 vid 0x03F0 pid 0x6C17 [ 486.397315][ T5903] usb 5-1: USB disconnect, device number 73 [ 486.445038][ T5903] usblp0: removed [ 486.872150][ T5903] usb 5-1: new high-speed USB device number 74 using dummy_hcd [ 486.962433][ T6070] usb 8-1: new high-speed USB device number 2 using dummy_hcd [ 487.042218][ T5903] usb 5-1: Using ep0 maxpacket: 32 [ 487.050729][ T5903] usb 5-1: config index 0 descriptor too short (expected 29220, got 36) [ 487.065083][ T5830] Bluetooth: hci3: command tx timeout [ 487.073800][ T5903] usb 5-1: config 0 has too many interfaces: 81, using maximum allowed: 32 [ 487.092831][ T5903] usb 5-1: config 0 has 1 interface, different from the descriptor's value: 81 [ 487.125973][ T5903] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x1 has invalid wMaxPacketSize 0 [ 487.142296][ T6070] usb 8-1: Using ep0 maxpacket: 32 [ 487.173670][ T6070] usb 8-1: config index 0 descriptor too short (expected 29220, got 36) [ 487.204182][ T5903] usb 5-1: config 0 interface 0 altsetting 0 bulk endpoint 0x1 has invalid maxpacket 0 [ 487.227569][ T6070] usb 8-1: config 0 has too many interfaces: 81, using maximum allowed: 32 [ 487.256770][ T5903] usb 5-1: config 0 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 18 [ 487.282105][ T6070] usb 8-1: config 0 has 1 interface, different from the descriptor's value: 81 [ 487.309255][ T5903] usb 5-1: New USB device found, idVendor=03f0, idProduct=6c17, bcdDevice= 0.40 [ 487.318689][ T6070] usb 8-1: config 0 interface 0 altsetting 0 endpoint 0x1 has invalid wMaxPacketSize 0 [ 487.338420][ T5903] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 487.346841][ T6070] usb 8-1: config 0 interface 0 altsetting 0 bulk endpoint 0x1 has invalid maxpacket 0 [ 487.367517][ T5903] usb 5-1: config 0 descriptor?? [ 487.372694][ T6070] usb 8-1: config 0 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 18 [ 487.387233][ T6070] usb 8-1: New USB device found, idVendor=03f0, idProduct=6c17, bcdDevice= 0.40 [ 487.388084][T17258] netlink: 8 bytes leftover after parsing attributes in process `syz.6.4435'. [ 487.403307][ T6070] usb 8-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 487.469107][ T6070] usb 8-1: config 0 descriptor?? [ 487.609898][ T5903] usblp 5-1:0.0: usblp0: USB Bidirectional printer dev 74 if 0 alt 0 proto 3 vid 0x03F0 pid 0x6C17 [ 487.691858][ T6070] usblp 8-1:0.0: usblp1: USB Bidirectional printer dev 2 if 0 alt 0 proto 3 vid 0x03F0 pid 0x6C17 [ 487.731378][ T6070] usb 8-1: USB disconnect, device number 2 [ 487.762700][ T6070] usblp1: removed [ 487.866274][T14950] usb 5-1: USB disconnect, device number 74 [ 487.878741][T14950] usblp0: removed [ 488.049282][T17279] netlink: 1080 bytes leftover after parsing attributes in process `syz.6.4441'. [ 488.242346][ T6070] usb 8-1: new high-speed USB device number 3 using dummy_hcd [ 488.412371][ T6070] usb 8-1: Using ep0 maxpacket: 32 [ 488.420638][ T6070] usb 8-1: config index 0 descriptor too short (expected 29220, got 36) [ 488.434547][ T6070] usb 8-1: config 0 has too many interfaces: 81, using maximum allowed: 32 [ 488.454614][ T6070] usb 8-1: config 0 has 1 interface, different from the descriptor's value: 81 [ 488.466278][ T6070] usb 8-1: config 0 interface 0 altsetting 0 endpoint 0x1 has invalid wMaxPacketSize 0 [ 488.502738][ T6070] usb 8-1: config 0 interface 0 altsetting 0 bulk endpoint 0x1 has invalid maxpacket 0 [ 488.514455][ T6070] usb 8-1: config 0 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 18 [ 488.528973][ T6070] usb 8-1: New USB device found, idVendor=03f0, idProduct=6c17, bcdDevice= 0.40 [ 488.538188][ T6070] usb 8-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 488.558505][T17300] FAULT_FLAG_ALLOW_RETRY missing 801 [ 488.564415][T17300] CPU: 1 UID: 0 PID: 17300 Comm: syz.4.4451 Tainted: G L syzkaller #0 PREEMPT(full) [ 488.564441][T17300] Tainted: [L]=SOFTLOCKUP [ 488.564447][T17300] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 488.564461][T17300] Call Trace: [ 488.564469][T17300] [ 488.564478][T17300] dump_stack_lvl+0xe8/0x150 [ 488.564504][T17300] handle_userfault+0x14c3/0x17b0 [ 488.564531][T17300] ? __folio_put+0x21b/0x2c0 [ 488.564558][T17300] ? __pfx_handle_userfault+0x10/0x10 [ 488.564604][T17300] handle_mm_fault+0x1b26/0x32b0 [ 488.564627][T17300] ? __pte_offset_map_lock+0x13e/0x210 [ 488.564676][T17300] ? handle_mm_fault+0xdb/0x32b0 [ 488.564707][T17300] ? __pfx_handle_mm_fault+0x10/0x10 [ 488.564732][T17300] ? follow_page_pte+0x7ef/0x13e0 [ 488.564763][T17300] ? __pfx_follow_page_pte+0x10/0x10 [ 488.564795][T17300] __get_user_pages+0x1650/0x29f0 [ 488.564843][T17300] populate_vma_page_range+0x29f/0x3a0 [ 488.564868][T17300] ? __pfx_populate_vma_page_range+0x10/0x10 [ 488.564896][T17300] ? vma_wants_writenotify+0xb3/0x2a0 [ 488.564923][T17300] ? vma_set_page_prot+0xc3/0x100 [ 488.564950][T17300] mprotect_fixup+0x845/0xa30 [ 488.564978][T17300] ? __pfx_mprotect_fixup+0x10/0x10 [ 488.565009][T17300] do_mprotect_pkey+0x8c5/0xcd0 [ 488.565031][T17300] ? __fget_files+0x3a0/0x420 [ 488.565061][T17300] ? __pfx_do_mprotect_pkey+0x10/0x10 [ 488.565093][T17300] ? __se_sys_futex_time32+0x360/0x3e0 [ 488.565123][T17300] ? rcu_is_watching+0x15/0xb0 [ 488.565152][T17300] __ia32_sys_mprotect+0x7f/0x90 [ 488.565174][T17300] __do_fast_syscall_32+0x1dc/0x570 [ 488.565194][T17300] ? lockdep_hardirqs_on+0x7b/0x110 [ 488.565212][T17300] ? do_fast_syscall_32+0x34/0x80 [ 488.565231][T17300] ? irqentry_exit+0x10f/0x670 [ 488.565253][T17300] do_fast_syscall_32+0x34/0x80 [ 488.565273][T17300] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 488.565299][T17300] RIP: 0023:0xf70ad539 [ 488.565320][T17300] Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 488.565336][T17300] RSP: 002b:00000000f549d55c EFLAGS: 00000206 ORIG_RAX: 000000000000007d [ 488.565355][T17300] RAX: ffffffffffffffda RBX: 0000000080ffc000 RCX: 0000000000004000 [ 488.565368][T17300] RDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000000 [ 488.565380][T17300] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 488.565391][T17300] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 [ 488.565403][T17300] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 488.565431][T17300] [ 488.585666][ T6070] usb 8-1: config 0 descriptor?? [ 489.065238][ T6070] usblp 8-1:0.0: usblp0: USB Bidirectional printer dev 3 if 0 alt 0 proto 3 vid 0x03F0 pid 0x6C17 [ 489.100823][T17315] syzkaller1: entered promiscuous mode [ 489.108230][T17315] syzkaller1: entered allmulticast mode [ 489.233721][T14950] usb 1-1: new high-speed USB device number 80 using dummy_hcd [ 489.402138][T14950] usb 1-1: Using ep0 maxpacket: 16 [ 489.414310][T14950] usb 1-1: config 1 has 2 interfaces, different from the descriptor's value: 3 [ 489.446097][T14950] usb 1-1: config 1 has no interface number 1 [ 489.473295][T14950] usb 1-1: config 1 interface 0 altsetting 0 has an invalid descriptor for endpoint zero, skipping [ 489.506170][T14950] usb 1-1: config 1 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 0 [ 489.519624][T14950] usb 1-1: config 1 interface 2 altsetting 1 endpoint 0x82 has an invalid bInterval 0, changing to 7 [ 489.533350][T14950] usb 1-1: New USB device found, idVendor=1d6b, idProduct=0101, bcdDevice= 0.40 [ 489.543030][T14950] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 489.551019][T14950] usb 1-1: Product: syz [ 489.559361][T14950] usb 1-1: Manufacturer: syz [ 489.564366][T14950] usb 1-1: SerialNumber: syz [ 489.627904][ T6070] usb 8-1: USB disconnect, device number 3 [ 489.638146][ T6070] usblp0: removed [ 490.345959][T17361] netlink: 60 bytes leftover after parsing attributes in process `syz.4.4476'. [ 490.355484][T17361] netlink: 60 bytes leftover after parsing attributes in process `syz.4.4476'. [ 490.380917][T17363] Failed to get privilege flags for destination (handle=0x0:0x0) [ 490.988271][T14950] usb 1-1: 2:1: cannot get freq at ep 0x82 [ 491.036885][T14950] usb 1-1: USB disconnect, device number 80 [ 491.349834][T17387] syzkaller1: entered promiscuous mode [ 491.357786][T17387] syzkaller1: entered allmulticast mode [ 491.496159][T17393] syzkaller1: entered promiscuous mode [ 491.502761][T17393] syzkaller1: entered allmulticast mode [ 491.542340][ T5921] usb 5-1: new high-speed USB device number 75 using dummy_hcd [ 491.706559][ T5921] usb 5-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config [ 491.729088][ T5921] usb 5-1: config 1 has 1 interface, different from the descriptor's value: 3 [ 491.755629][ T5921] usb 5-1: New USB device found, idVendor=08b7, idProduct=0000, bcdDevice= 0.00 [ 491.772665][T14950] usb 8-1: new high-speed USB device number 4 using dummy_hcd [ 491.786930][ T5921] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=3 [ 491.805580][ T5921] usb 5-1: SerialNumber: syz [ 491.872290][T17411] netlink: 36 bytes leftover after parsing attributes in process `syz.2.4496'. [ 491.911540][T17413] netlink: 4 bytes leftover after parsing attributes in process `syz.0.4497'. [ 491.963129][T14950] usb 8-1: Using ep0 maxpacket: 8 [ 491.970148][T14950] usb 8-1: config 0 has 1 interface, different from the descriptor's value: 13 [ 491.991650][T14950] usb 8-1: New USB device found, idVendor=046d, idProduct=08ae, bcdDevice=11.58 [ 492.014510][T14950] usb 8-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 492.041383][T14950] usb 8-1: Product: syz [ 492.051898][ T5921] usb 5-1: 0:2 : does not exist [ 492.061826][T14950] usb 8-1: Manufacturer: syz [ 492.077887][T14950] usb 8-1: SerialNumber: syz [ 492.100667][ T5921] usb 5-1: USB disconnect, device number 75 [ 492.111385][T14950] usb 8-1: config 0 descriptor?? [ 492.141240][T14950] gspca_main: gspca_zc3xx-2.14.0 probing 046d:08ae [ 492.165375][ T5840] udevd[5840]: error opening ATTR{/sys/devices/platform/dummy_hcd.4/usb5/5-1/5-1:1.0/sound/card3/controlC3/../uevent} for writing: No such file or directory [ 493.346851][T14950] gspca_zc3xx: reg_w_i err -71 [ 493.756001][T17477] netlink: 4 bytes leftover after parsing attributes in process `syz.2.4511'. [ 493.822180][ T5926] usb 5-1: new high-speed USB device number 76 using dummy_hcd [ 493.962133][T14950] gspca_zc3xx: Unknown sensor - set to TAS5130C [ 493.968424][T14950] gspca_zc3xx 8-1:0.0: probe with driver gspca_zc3xx failed with error -71 [ 493.972139][ T5926] usb 5-1: Using ep0 maxpacket: 32 [ 493.985956][T14950] usb 8-1: USB disconnect, device number 4 [ 493.991901][ T5926] usb 5-1: config index 0 descriptor too short (expected 29220, got 36) [ 494.005712][ T5926] usb 5-1: config 0 has too many interfaces: 81, using maximum allowed: 32 [ 494.014655][ T5926] usb 5-1: config 0 has 1 interface, different from the descriptor's value: 81 [ 494.035694][ T5926] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x1 has invalid wMaxPacketSize 0 [ 494.045657][ T5926] usb 5-1: config 0 interface 0 altsetting 0 bulk endpoint 0x1 has invalid maxpacket 0 [ 494.055409][ T5926] usb 5-1: config 0 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 18 [ 494.080369][ T5926] usb 5-1: New USB device found, idVendor=03f0, idProduct=6c17, bcdDevice= 0.40 [ 494.089712][ T5926] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 494.101374][ T5926] usb 5-1: config 0 descriptor?? [ 494.324278][ T5926] usblp 5-1:0.0: usblp0: USB Bidirectional printer dev 76 if 0 alt 0 proto 3 vid 0x03F0 pid 0x6C17 [ 494.375763][ T5926] usb 5-1: USB disconnect, device number 76 [ 494.396845][ T5926] usblp0: removed [ 494.412286][ T5903] usb 3-1: new high-speed USB device number 67 using dummy_hcd [ 494.574153][ T5903] usb 3-1: Using ep0 maxpacket: 32 [ 494.581062][ T5903] usb 3-1: config 155 has an invalid descriptor of length 0, skipping remainder of the config [ 494.597488][ T5903] usb 3-1: config 155 interface 0 altsetting 0 has an endpoint descriptor with address 0xE2, changing to 0x82 [ 494.610008][ T5903] usb 3-1: config 155 interface 0 altsetting 0 endpoint 0x82 has an invalid bInterval 0, changing to 7 [ 494.625870][ T5903] usb 3-1: config 155 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 11 [ 494.644266][ T5903] usb 3-1: New USB device found, idVendor=15c2, idProduct=ffdc, bcdDevice=bd.30 [ 494.654888][ T5903] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 494.663970][ T5903] usb 3-1: Product: syz [ 494.668206][ T5903] usb 3-1: Manufacturer: syz [ 494.674441][ T5903] usb 3-1: SerialNumber: syz [ 494.694992][ C0] imon 3-1:155.0: imon usb_rx_callback_intf0: status(-71) [ 494.706466][ T5903] input: iMON Panel, Knob and Mouse(15c2:ffdc) as /devices/platform/dummy_hcd.2/usb3/3-1/3-1:155.0/input/input118 [ 494.852470][ T5926] usb 5-1: new high-speed USB device number 77 using dummy_hcd [ 494.939902][ T5903] imon 3-1:155.0: Unknown 0xffdc device, defaulting to VFD and iMON IR [ 494.958714][ T5903] (id 0x00) [ 495.022118][ T5926] usb 5-1: Using ep0 maxpacket: 32 [ 495.031430][ T5926] usb 5-1: config index 0 descriptor too short (expected 29220, got 36) [ 495.082107][ T5926] usb 5-1: config 0 has too many interfaces: 81, using maximum allowed: 32 [ 495.090771][ T5926] usb 5-1: config 0 has 1 interface, different from the descriptor's value: 81 [ 495.109955][ T5926] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x1 has invalid wMaxPacketSize 0 [ 495.132149][ T5926] usb 5-1: config 0 interface 0 altsetting 0 bulk endpoint 0x1 has invalid maxpacket 0 [ 495.152069][ T5903] rc_core: IR keymap rc-imon-pad not found [ 495.158164][ T5903] Registered IR keymap rc-empty [ 495.163187][ T5903] imon 3-1:155.0: Looks like you're trying to use an IR protocol this device does not support [ 495.173702][ T5926] usb 5-1: config 0 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 18 [ 495.206919][ T5903] imon 3-1:155.0: Unsupported IR protocol specified, overriding to iMON IR protocol [ 495.223086][ T5926] usb 5-1: New USB device found, idVendor=03f0, idProduct=6c17, bcdDevice= 0.40 [ 495.238372][ T5926] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 495.267592][ T5903] rc rc0: iMON Remote (15c2:ffdc) as /devices/platform/dummy_hcd.2/usb3/3-1/3-1:155.0/rc/rc0 [ 495.291947][ T5926] usb 5-1: config 0 descriptor?? [ 495.299819][ T5903] input: iMON Remote (15c2:ffdc) as /devices/platform/dummy_hcd.2/usb3/3-1/3-1:155.0/rc/rc0/input119 [ 495.338611][ T5903] imon 3-1:155.0: iMON device (15c2:ffdc, intf0) on usb<3:67> initialized [ 495.525117][ T5926] usblp 5-1:0.0: usblp1: USB Bidirectional printer dev 77 if 0 alt 0 proto 3 vid 0x03F0 pid 0x6C17 [ 495.760357][ T5926] usb 5-1: USB disconnect, device number 77 [ 495.775589][ T5926] usblp1: removed [ 495.922492][T17532] imon:send_packet: packet tx failed (-71) [ 495.922787][ T5903] usb 3-1: USB disconnect, device number 67 [ 495.942526][T17532] imon:vfd_write: send packet #1 failed [ 496.064570][T17540] binder: 17539:17540 ioctl c0306201 800003c0 returned -14 [ 496.460905][T17559] syzkaller0: entered promiscuous mode [ 496.814611][T17581] veth1_to_bond: entered allmulticast mode [ 496.831623][T17581] netlink: 4 bytes leftover after parsing attributes in process `syz.0.4555'. [ 496.905325][T17581] veth1_to_bond (unregistering): left allmulticast mode [ 496.913130][ T30] audit: type=1326 audit(1768199820.479:1132): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17577 comm="syz.4.4554" exe="/root/syz-executor" sig=9 arch=40000003 syscall=252 compat=1 ip=0xf70ad539 code=0x0 [ 497.033516][T17586] netlink: 4 bytes leftover after parsing attributes in process `syz.0.4557'. [ 497.238927][T17597] input: syz0 as /devices/virtual/input/input120 [ 497.295150][ T5840] udevd[5840]: setting owner of /dev/input/event4 to uid=0, gid=104 failed: No such file or directory [ 497.832150][ T5926] usb 8-1: new high-speed USB device number 5 using dummy_hcd [ 497.916443][T16813] usb 5-1: new full-speed USB device number 78 using dummy_hcd [ 498.006650][ T5926] usb 8-1: Using ep0 maxpacket: 32 [ 498.025566][ T5926] usb 8-1: config 155 has an invalid descriptor of length 0, skipping remainder of the config [ 498.050005][ T5926] usb 8-1: config 155 interface 0 altsetting 0 has an endpoint descriptor with address 0xE2, changing to 0x82 [ 498.079622][ T5926] usb 8-1: config 155 interface 0 altsetting 0 endpoint 0x82 has an invalid bInterval 0, changing to 7 [ 498.117701][T16813] usb 5-1: config index 0 descriptor too short (expected 35577, got 27) [ 498.121575][ T5926] usb 8-1: config 155 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 11 [ 498.126752][T16813] usb 5-1: config 1 has too many interfaces: 92, using maximum allowed: 32 [ 498.149382][T16813] usb 5-1: config 1 has 1 interface, different from the descriptor's value: 92 [ 498.160026][T16813] usb 5-1: config 1 has no interface number 0 [ 498.166722][ T5926] usb 8-1: New USB device found, idVendor=15c2, idProduct=ffdc, bcdDevice=bd.30 [ 498.169750][T16813] usb 5-1: config 1 interface 1 altsetting 0 endpoint 0x82 has an invalid bInterval 0, changing to 10 [ 498.176479][ T5926] usb 8-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 498.191322][T16813] usb 5-1: config 1 interface 1 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 17 [ 498.210415][T16813] usb 5-1: New USB device found, idVendor=0e41, idProduct=5051, bcdDevice=d5.e8 [ 498.220613][T16813] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 498.226498][ T5926] usb 8-1: Product: syz [ 498.239517][ T5926] usb 8-1: Manufacturer: syz [ 498.258830][ T5926] usb 8-1: SerialNumber: syz [ 498.269908][T16813] snd_usb_pod 5-1:1.1: Line 6 Pocket POD found [ 498.297700][ C0] imon 8-1:155.0: imon usb_rx_callback_intf0: status(-71) [ 498.319945][ T5926] input: iMON Panel, Knob and Mouse(15c2:ffdc) as /devices/platform/dummy_hcd.7/usb8/8-1/8-1:155.0/input/input121 [ 498.515541][ T5926] imon 8-1:155.0: Unknown 0xffdc device, defaulting to VFD and iMON IR [ 498.524035][ T5926] (id 0x00) [ 498.572094][ T5926] rc_core: IR keymap rc-imon-pad not found [ 498.577993][ T5926] Registered IR keymap rc-empty [ 498.583676][ T5926] imon 8-1:155.0: Looks like you're trying to use an IR protocol this device does not support [ 498.594151][ T5926] imon 8-1:155.0: Unsupported IR protocol specified, overriding to iMON IR protocol [ 498.713515][ T5926] rc rc0: iMON Remote (15c2:ffdc) as /devices/platform/dummy_hcd.7/usb8/8-1/8-1:155.0/rc/rc0 [ 498.726620][ T5926] input: iMON Remote (15c2:ffdc) as /devices/platform/dummy_hcd.7/usb8/8-1/8-1:155.0/rc/rc0/input122 [ 498.757354][ T5926] imon 8-1:155.0: iMON device (15c2:ffdc, intf0) on usb<8:5> initialized [ 498.867585][T16813] snd_usb_pod 5-1:1.1: Line 6 Pocket POD now attached [ 499.142524][ T5926] usb 5-1: USB disconnect, device number 78 [ 499.149822][ T5926] snd_usb_pod 5-1:1.1: Line 6 Pocket POD now disconnected [ 499.408432][T17669] imon:send_packet: packet tx failed (-71) [ 499.409595][ T5926] usb 8-1: USB disconnect, device number 5 [ 499.442281][T17669] imon:vfd_write: send packet #1 failed [ 499.952116][ T5926] usb 1-1: new high-speed USB device number 81 using dummy_hcd [ 500.113784][ T5926] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 500.127078][ T5926] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 500.149654][ T5926] usb 1-1: New USB device found, idVendor=1e7d, idProduct=2cf6, bcdDevice= 0.00 [ 500.182107][ T5926] usb 1-1: New USB device strings: Mfr=4, Product=0, SerialNumber=0 [ 500.198730][ T5926] usb 1-1: Manufacturer: syz [ 500.209533][ T5926] usb 1-1: config 0 descriptor?? [ 500.509581][T17697] loop5: detected capacity change from 0 to 7 [ 500.545362][T17697] Dev loop5: unable to read RDB block 7 [ 500.559837][T17697] loop5: AHDI p1 p2 p3 [ 500.570872][T17697] loop5: partition table partially beyond EOD, truncated [ 500.591119][T17697] loop5: p1 start 1818582900 is beyond EOD, truncated [ 500.608215][T17697] loop5: p3 start 335544320 is beyond EOD, truncated [ 500.653606][ T5926] hid_parser_main: 154 callbacks suppressed [ 500.653627][ T5926] pyra 0003:1E7D:2CF6.0072: unknown main item tag 0x0 [ 500.701770][ T5926] pyra 0003:1E7D:2CF6.0072: unknown main item tag 0x0 [ 500.709635][ T5926] pyra 0003:1E7D:2CF6.0072: unknown main item tag 0x0 [ 500.718688][ T5926] pyra 0003:1E7D:2CF6.0072: unknown main item tag 0x0 [ 500.728805][ T5926] pyra 0003:1E7D:2CF6.0072: unknown main item tag 0x0 [ 500.752177][ T5926] pyra 0003:1E7D:2CF6.0072: unknown main item tag 0x0 [ 500.761233][ T5926] pyra 0003:1E7D:2CF6.0072: unknown main item tag 0x0 [ 500.773105][ T5926] pyra 0003:1E7D:2CF6.0072: hidraw0: USB HID v0.00 Device [syz] on usb-dummy_hcd.0-1/input0 [ 501.305034][ T1301] ieee802154 phy0 wpan0: encryption failed: -22 [ 501.311390][ T1301] ieee802154 phy1 wpan1: encryption failed: -22 [ 501.474031][T17732] netlink: 76 bytes leftover after parsing attributes in process `syz.7.4594'. [ 501.656503][ T5926] pyra 0003:1E7D:2CF6.0072: couldn't init struct pyra_device [ 501.693496][ T5926] pyra 0003:1E7D:2CF6.0072: couldn't install mouse [ 501.724502][ T5926] pyra 0003:1E7D:2CF6.0072: probe with driver pyra failed with error -71 [ 501.776161][ T5926] usb 1-1: USB disconnect, device number 81 [ 502.011268][T17747] fido_id[17747]: Failed to open report descriptor at '/sys/devices/platform/dummy_hcd.0/usb1/report_descriptor': No such file or directory [ 502.302151][T16813] usb 5-1: new high-speed USB device number 79 using dummy_hcd [ 502.472111][T16813] usb 5-1: Using ep0 maxpacket: 8 [ 502.484846][T16813] usb 5-1: config 0 has an invalid interface number: 96 but max is 0 [ 502.510145][T16813] usb 5-1: config 0 has no interface number 0 [ 502.529810][T16813] usb 5-1: config 0 interface 96 altsetting 3 endpoint 0x88 has an invalid bInterval 254, changing to 11 [ 502.555580][T16813] usb 5-1: config 0 interface 96 has no altsetting 0 [ 502.574154][T16813] usb 5-1: New USB device found, idVendor=0b57, idProduct=2a8d, bcdDevice=33.74 [ 502.583398][ C1] ip6_tunnel: ip6gretap0 xmit: Local address not yet configured! [ 502.607592][T16813] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 502.622159][T16813] usb 5-1: Product: syz [ 502.626377][T16813] usb 5-1: Manufacturer: syz [ 502.641172][T16813] usb 5-1: SerialNumber: syz [ 502.652276][T16813] usb 5-1: config 0 descriptor?? [ 503.042388][T16813] usb 5-1: USB disconnect, device number 79 [ 503.248122][ T62] ip6_tunnel: ip6gre2 xmit: Local address not yet configured! [ 503.892205][ T5926] usb 8-1: new high-speed USB device number 6 using dummy_hcd [ 504.045725][ T5926] usb 8-1: too many endpoints for config 0 interface 0 altsetting 0: 253, using maximum allowed: 30 [ 504.068347][ T5926] usb 8-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 504.081634][ T5926] usb 8-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 504.091685][ T5926] usb 8-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 253 [ 504.109127][ T5926] usb 8-1: New USB device found, idVendor=05ac, idProduct=8243, bcdDevice=8b.40 [ 504.118553][ T5926] usb 8-1: New USB device strings: Mfr=11, Product=0, SerialNumber=0 [ 504.128905][ T5926] usb 8-1: Manufacturer: syz [ 504.137250][ T5926] usb 8-1: config 0 descriptor?? [ 504.559389][ T5926] appleir 0003:05AC:8243.0073: item fetching failed at offset 0/1 [ 504.588812][ T5926] appleir 0003:05AC:8243.0073: parse failed [ 504.601679][ T5926] appleir 0003:05AC:8243.0073: probe with driver appleir failed with error -22 [ 504.772408][T16813] usb 8-1: USB disconnect, device number 6 [ 504.942299][ T5926] usb 5-1: new full-speed USB device number 80 using dummy_hcd [ 505.124503][ T5926] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid maxpacket 1024, setting to 64 [ 505.170287][ T5926] usb 5-1: config 0 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 7 [ 505.201737][ T5926] usb 5-1: New USB device found, idVendor=06cb, idProduct=81a7, bcdDevice= 0.00 [ 505.214499][ T5926] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 505.237138][ T5926] usb 5-1: config 0 descriptor?? [ 505.246601][T17815] raw-gadget.2 gadget.4: fail, usb_ep_enable returned -22 [ 505.476629][T17815] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 505.494596][T17815] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 505.527854][ T5926] usbhid 5-1:0.0: can't add hid device: -71 [ 505.534696][ T5926] usbhid 5-1:0.0: probe with driver usbhid failed with error -71 [ 505.553169][ T5926] usb 5-1: USB disconnect, device number 80 [ 506.002149][T16813] usb 5-1: new high-speed USB device number 81 using dummy_hcd [ 506.016930][T17841] netlink: 28 bytes leftover after parsing attributes in process `syz.2.4642'. [ 506.074874][T17843] kvm: requested 7542 ns i8254 timer period limited to 200000 ns [ 506.163042][T16813] usb 5-1: Using ep0 maxpacket: 32 [ 506.173370][T16813] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x2 has an invalid bInterval 129, changing to 11 [ 506.184644][T16813] usb 5-1: config 0 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 7 [ 506.198928][T16813] usb 5-1: New USB device found, idVendor=06cb, idProduct=81a7, bcdDevice= 0.00 [ 506.208549][T16813] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 506.222740][T16813] usb 5-1: config 0 descriptor?? [ 506.239583][T16813] hub 5-1:0.0: bad descriptor, ignoring hub [ 506.264333][T16813] hub 5-1:0.0: probe with driver hub failed with error -5 [ 506.683672][T16813] hid-rmi 0003:06CB:81A7.0074: hidraw0: USB HID v0.00 Device [HID 06cb:81a7] on usb-dummy_hcd.4-1/input0 [ 507.062833][ C1] ip6_tunnel: ip6gre2 xmit: Local address not yet configured! [ 507.078781][T16813] usb 5-1: USB disconnect, device number 81 [ 507.089379][T17872] tipc: Started in network mode [ 507.098827][T17872] tipc: Node identity ac1414aa, cluster identity 4711 [ 507.114381][ T24] IPVS: starting estimator thread 0... [ 507.120744][T17872] tipc: Enabled bearer , priority 10 [ 507.202335][T17873] IPVS: using max 26 ests per chain, 62400 per kthread [ 507.344102][T17880] all: renamed from lo [ 508.242180][T16813] tipc: Node number set to 2886997162 [ 509.472798][ T6070] usb 1-1: new high-speed USB device number 82 using dummy_hcd [ 509.587418][T17947] netlink: 8 bytes leftover after parsing attributes in process `syz.2.4684'. [ 509.597864][T17947] netlink: 8 bytes leftover after parsing attributes in process `syz.2.4684'. [ 509.599342][T17948] netlink: 4 bytes leftover after parsing attributes in process `syz.4.4683'. [ 509.652358][ T6070] usb 1-1: Using ep0 maxpacket: 32 [ 509.655123][T17948] netlink: 4 bytes leftover after parsing attributes in process `syz.4.4683'. [ 509.671127][ T6070] usb 1-1: New USB device found, idVendor=0fe9, idProduct=d501, bcdDevice=23.50 [ 509.688781][T17948] netlink: 4 bytes leftover after parsing attributes in process `syz.4.4683'. [ 509.712424][ T6070] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 509.720428][ T6070] usb 1-1: Product: syz [ 509.754096][ T6070] usb 1-1: Manufacturer: syz [ 509.762287][ T6070] usb 1-1: SerialNumber: syz [ 509.774248][ T6070] usb 1-1: config 0 descriptor?? [ 509.793276][ T6070] dvb-usb: found a 'DViCO FusionHDTV5 USB Gold' in warm state. [ 509.828479][ T30] audit: type=1326 audit(1768199833.379:1133): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17950 comm="syz.2.4685" exe="/root/syz-executor" sig=9 arch=40000003 syscall=252 compat=1 ip=0xf70cd539 code=0x0 [ 509.851084][ T6070] dvb-usb: bulk message failed: -22 (2/0) [ 509.875132][ T6070] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer. [ 509.905902][ T6070] dvbdev: DVB: registering new adapter (DViCO FusionHDTV5 USB Gold) [ 509.924725][ T6070] usb 1-1: media controller created [ 509.979730][ T6070] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered. [ 510.045009][T17959] netlink: 4 bytes leftover after parsing attributes in process `syz.6.4688'. [ 510.055514][T17959] bridge_slave_1: left allmulticast mode [ 510.061989][ T6070] usb 1-1: selecting invalid altsetting 7 [ 510.068494][T17959] bridge_slave_1: left promiscuous mode [ 510.074680][ T6070] cxusb: set interface failed [ 510.079691][T17959] bridge0: port 2(bridge_slave_1) entered disabled state [ 510.087481][ T5926] usb 5-1: new high-speed USB device number 82 using dummy_hcd [ 510.098281][ T6070] dvb-usb: bulk message failed: -22 (1/0) [ 510.108137][T17959] bridge_slave_0: left allmulticast mode [ 510.116293][T17959] bridge_slave_0: left promiscuous mode [ 510.122269][T17959] bridge0: port 1(bridge_slave_0) entered disabled state [ 510.145007][ T6070] DVB: Unable to find symbol lgdt330x_attach() [ 510.151517][ T6070] dvb-usb: no frontend was attached by 'DViCO FusionHDTV5 USB Gold' [ 510.213117][ T6070] rc_core: IR keymap rc-dvico-portable not found [ 510.219538][ T6070] Registered IR keymap rc-empty [ 510.226646][ T6070] rc rc0: DViCO FusionHDTV5 USB Gold as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0 [ 510.240124][ T6070] input: DViCO FusionHDTV5 USB Gold as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input124 [ 510.250559][ T5926] usb 5-1: Using ep0 maxpacket: 32 [ 510.266220][ T6070] dvb-usb: schedule remote query interval to 100 msecs. [ 510.274664][ T5926] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 510.288505][ T6070] dvb-usb: DViCO FusionHDTV5 USB Gold successfully initialized and connected. [ 510.297938][ T5926] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 510.316917][ T6070] usb 1-1: USB disconnect, device number 82 [ 510.332103][ T5926] usb 5-1: New USB device found, idVendor=0403, idProduct=6030, bcdDevice= 0.00 [ 510.332654][ T24] usb 8-1: new full-speed USB device number 7 using dummy_hcd [ 510.350823][ T5926] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 510.379537][ T5926] usb 5-1: config 0 descriptor?? [ 510.432749][ T6070] dvb-usb: DViCO FusionHDTV5 USB Gold successfully deinitialized and disconnected. [ 510.510398][T17968] netlink: 212348 bytes leftover after parsing attributes in process `syz.6.4691'. [ 510.554677][ T24] usb 8-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config [ 510.574615][ T24] usb 8-1: config 1 has 1 interface, different from the descriptor's value: 3 [ 510.591684][ T24] usb 8-1: New USB device found, idVendor=1d6b, idProduct=0101, bcdDevice= 0.40 [ 510.601522][ T24] usb 8-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 510.614946][ T24] usb 8-1: Product: syz [ 510.619142][ T24] usb 8-1: Manufacturer: syz [ 510.624049][ T24] usb 8-1: SerialNumber: syz [ 510.819380][ T5926] ft260 0003:0403:6030.0075: unknown main item tag 0x7 [ 510.846474][ T24] usb 8-1: 0:2 : does not exist [ 510.868483][ T24] usb 8-1: 5:0: failed to get current value for ch 0 (-22) [ 510.920807][ T24] usb 8-1: USB disconnect, device number 7 [ 510.979585][ T5840] udevd[5840]: error opening ATTR{/sys/devices/platform/dummy_hcd.7/usb8/8-1/8-1:1.0/sound/card3/controlC3/../uevent} for writing: No such file or directory [ 511.016744][ T5926] ft260 0003:0403:6030.0075: chip code: 6424 8183 [ 511.217500][ T5926] ft260 0003:0403:6030.0075: USB HID v0.00 Device [HID 0403:6030] on usb-dummy_hcd.4-1/input0 [ 511.421253][T17983] netlink: 40 bytes leftover after parsing attributes in process `syz.0.4696'. [ 511.452660][ T5926] ft260 0003:0403:6030.0075: failed to retrieve status: -32, no wakeup [ 511.668725][ T5926] ft260 0003:0403:6030.0075: failed to reset I2C controller: -71 [ 511.707206][T17989] loop6: detected capacity change from 0 to 1024 [ 511.727064][T17989] buffer_io_error: 5658 callbacks suppressed [ 511.727079][T17989] Buffer I/O error on dev loop6, logical block 0, async page read [ 511.765993][ T5926] usb 5-1: USB disconnect, device number 82 [ 511.774169][T17989] Buffer I/O error on dev loop6, logical block 0, async page read [ 511.782507][T17989] Buffer I/O error on dev loop6, logical block 0, async page read [ 511.790504][T17989] Buffer I/O error on dev loop6, logical block 0, async page read [ 511.800875][T17993] GUP no longer grows the stack in syz.2.4708 (17993): 80007000-8000a000 (80004000) [ 511.801052][T17989] Buffer I/O error on dev loop6, logical block 0, async page read [ 511.831343][T17989] Buffer I/O error on dev loop6, logical block 0, async page read [ 511.843948][T17989] Buffer I/O error on dev loop6, logical block 0, async page read [ 511.859908][T17989] Buffer I/O error on dev loop6, logical block 0, async page read [ 511.868744][T17989] ldm_validate_partition_table(): Disk read failed. [ 511.882065][T17993] CPU: 0 UID: 0 PID: 17993 Comm: syz.2.4708 Tainted: G L syzkaller #0 PREEMPT(full) [ 511.882093][T17993] Tainted: [L]=SOFTLOCKUP [ 511.882101][T17993] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 511.882111][T17993] Call Trace: [ 511.882119][T17993] [ 511.882128][T17993] dump_stack_lvl+0xe8/0x150 [ 511.882156][T17993] __get_user_pages+0x2465/0x29f0 [ 511.882199][T17993] ? __gup_longterm_locked+0xc63/0x1660 [ 511.882247][T17993] ? down_read_killable+0x1bc/0x350 [ 511.882276][T17993] __gup_longterm_locked+0xde4/0x1660 [ 511.882310][T17993] ? sanity_check_pinned_pages+0x123a/0x1300 [ 511.882340][T17993] gup_fast_fallback+0x1d26/0x2290 [ 511.882361][T17993] ? arch_stack_walk+0xfc/0x150 [ 511.882403][T17993] ? __pfx_gup_fast_fallback+0x10/0x10 [ 511.882424][T17993] ? __kasan_kmalloc+0x93/0xb0 [ 511.882442][T17993] ? blkdev_direct_IO+0x777/0x1800 [ 511.882466][T17993] ? blkdev_direct_write+0x7c/0x140 [ 511.882489][T17993] ? blkdev_write_iter+0x547/0x710 [ 511.882515][T17993] ? pin_user_pages_fast+0x4d/0xb0 [ 511.882539][T17993] iov_iter_extract_pages+0x35f/0x5e0 [ 511.882567][T17993] bio_iov_iter_get_pages+0x499/0x1490 [ 511.882608][T17993] ? __pfx_bio_iov_iter_get_pages+0x10/0x10 [ 511.882634][T17993] ? bio_init+0x160/0x2e0 [ 511.882655][T17993] blkdev_direct_IO+0x10a8/0x1800 [ 511.882692][T17993] ? __pfx_blkdev_direct_IO+0x10/0x10 [ 511.882740][T17993] ? rcu_is_watching+0x15/0xb0 [ 511.882764][T17993] ? kiocb_invalidate_pages+0xfb/0x140 [ 511.882785][T17993] blkdev_direct_write+0x7c/0x140 [ 511.882813][T17993] blkdev_write_iter+0x547/0x710 [ 511.882842][T17993] vfs_write+0x5c9/0xb30 [ 511.882864][T17993] ? __pfx_blkdev_write_iter+0x10/0x10 [ 511.882889][T17993] ? __pfx_vfs_write+0x10/0x10 [ 511.882911][T17993] ? __fget_files+0x2a/0x420 [ 511.882939][T17993] ksys_write+0x145/0x250 [ 511.882959][T17993] ? __pfx_ksys_write+0x10/0x10 [ 511.882987][T17993] __do_fast_syscall_32+0x1dc/0x570 [ 511.883008][T17993] ? do_fast_syscall_32+0x34/0x80 [ 511.883033][T17993] do_fast_syscall_32+0x34/0x80 [ 511.883052][T17993] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 511.883073][T17993] RIP: 0023:0xf70cd539 [ 511.883089][T17993] Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 511.883104][T17993] RSP: 002b:00000000f549c55c EFLAGS: 00000206 ORIG_RAX: 0000000000000004 [ 511.883123][T17993] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000080001c00 [ 511.883136][T17993] RDX: 00000000fffffe38 RSI: 0000000000000000 RDI: 0000000000000000 [ 511.883148][T17993] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 511.883160][T17993] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 [ 511.883172][T17993] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 511.883200][T17993] [ 511.895239][T17989] Buffer I/O error on dev loop6, logical block 0, async page read [ 512.366211][T17989] Buffer I/O error on dev loop6, logical block 0, async page read [ 512.376096][T17989] Dev loop6: unable to read RDB block 0 [ 512.392222][T17989] loop6: unable to read partition table [ 512.426454][T17989] loop_reread_partitions: partition scan of loop6 (3Ÿ ¾‚³˜) failed (rc=-5) [ 512.488543][ T5199] ldm_validate_partition_table(): Disk read failed. [ 512.537271][ T5199] Dev loop6: unable to read RDB block 0 [ 512.552838][ T5199] loop6: unable to read partition table [ 512.765978][T18007] bond1: option arp_validate: invalid value (2048) [ 512.788586][T18007] bond1 (unregistering): Released all slaves [ 512.861457][T18019] ALSA: seq fatal error: cannot create timer (-22) [ 513.262183][ T24] usb 8-1: new high-speed USB device number 8 using dummy_hcd [ 513.302209][ T6070] usb 1-1: new high-speed USB device number 83 using dummy_hcd [ 513.412090][T16813] usb 5-1: new high-speed USB device number 83 using dummy_hcd [ 513.436080][ T24] usb 8-1: New USB device found, idVendor=055f, idProduct=c230, bcdDevice=b6.ac [ 513.445595][ T24] usb 8-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 513.453636][ T24] usb 8-1: Product: syz [ 513.458002][ T24] usb 8-1: Manufacturer: syz [ 513.465152][ T24] usb 8-1: SerialNumber: syz [ 513.467936][ T6070] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 513.479839][ T24] usb 8-1: config 0 descriptor?? [ 513.491531][ T6070] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 5 [ 513.491562][ T24] gspca_main: sunplus-2.14.0 probing 055f:c230 [ 513.526219][ T6070] usb 1-1: New USB device found, idVendor=1e7d, idProduct=2d50, bcdDevice= 0.00 [ 513.554262][ T6070] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 513.568876][ T6070] usb 1-1: config 0 descriptor?? [ 513.572478][T16813] usb 5-1: Using ep0 maxpacket: 8 [ 513.587132][T16813] usb 5-1: config index 0 descriptor too short (expected 301, got 45) [ 513.595655][T16813] usb 5-1: config 16 interface 0 altsetting 0 endpoint 0x5 has invalid wMaxPacketSize 0 [ 513.606486][T16813] usb 5-1: config 16 interface 0 altsetting 0 bulk endpoint 0x5 has invalid maxpacket 0 [ 513.618008][T16813] usb 5-1: config 16 interface 0 altsetting 0 bulk endpoint 0x8B has invalid maxpacket 32 [ 513.628511][T16813] usb 5-1: config 16 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 3 [ 513.642180][T16813] usb 5-1: New USB device found, idVendor=ee8d, idProduct=db1e, bcdDevice=61.23 [ 513.651540][T16813] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 513.881030][T16813] usb 5-1: usb_control_msg returned -32 [ 513.888234][T16813] usbtmc 5-1:16.0: can't read capabilities [ 513.993652][ T6070] kovaplus 0003:1E7D:2D50.0076: hidraw0: USB HID v0.00 Device [HID 1e7d:2d50] on usb-dummy_hcd.0-1/input0 [ 514.602133][ T9] usb 3-1: new high-speed USB device number 68 using dummy_hcd [ 514.742639][ C1] ip6_tunnel: ip6gre2 xmit: Local address not yet configured! [ 514.755360][ T9] usb 3-1: Using ep0 maxpacket: 32 [ 514.762680][ T9] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x85 has invalid wMaxPacketSize 0 [ 514.772651][ T9] usb 3-1: config 0 interface 0 altsetting 0 bulk endpoint 0x85 has invalid maxpacket 0 [ 514.784972][ T9] usb 3-1: New USB device found, idVendor=14c8, idProduct=0003, bcdDevice= 5.6c [ 514.794389][ T9] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 514.802795][ T9] usb 3-1: Product: syz [ 514.806986][ T9] usb 3-1: Manufacturer: syz [ 514.811618][ T9] usb 3-1: SerialNumber: syz [ 514.818527][ T9] usb 3-1: config 0 descriptor?? [ 514.827977][ T9] input: syz syz as /devices/platform/dummy_hcd.2/usb3/3-1/3-1:0.0/input/input125 [ 514.841404][ T9] usbtouchscreen 3-1:0.0: usbtouch_probe - usb_submit_urb failed with result: -90 [ 514.858874][ T9] usbtouchscreen 3-1:0.0: probe with driver usbtouchscreen failed with error -90 [ 514.956084][ T24] gspca_sunplus: reg_r err -71 [ 514.960976][ T24] sunplus 8-1:0.0: probe with driver sunplus failed with error -71 [ 514.982374][ T24] usb 8-1: USB disconnect, device number 8 [ 515.003226][ T6070] kovaplus 0003:1E7D:2D50.0076: couldn't init struct kovaplus_device [ 515.012843][ T6070] kovaplus 0003:1E7D:2D50.0076: couldn't install mouse [ 515.029421][ T6070] kovaplus 0003:1E7D:2D50.0076: probe with driver kovaplus failed with error -71 [ 515.047312][ T6070] usb 1-1: USB disconnect, device number 83 [ 515.059615][T14950] usb 3-1: USB disconnect, device number 68 [ 515.112712][T18068] usbtmc 5-1:16.0: usb_control_msg returned -32 [ 515.245423][ T24] usb 5-1: USB disconnect, device number 83 [ 515.922258][ T9] usb 1-1: new high-speed USB device number 84 using dummy_hcd [ 516.033291][ T6070] usb 3-1: new high-speed USB device number 69 using dummy_hcd [ 516.092533][ T9] usb 1-1: Using ep0 maxpacket: 8 [ 516.099702][ T9] usb 1-1: config index 0 descriptor too short (expected 301, got 45) [ 516.108744][ T9] usb 1-1: config 16 interface 0 altsetting 0 endpoint 0x5 has invalid wMaxPacketSize 0 [ 516.126468][ T9] usb 1-1: config 16 interface 0 altsetting 0 bulk endpoint 0x5 has invalid maxpacket 0 [ 516.136538][ T9] usb 1-1: config 16 interface 0 altsetting 0 bulk endpoint 0x8B has invalid maxpacket 32 [ 516.146888][ T9] usb 1-1: config 16 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 3 [ 516.157341][T18097] netlink: 'syz.4.4742': attribute type 1 has an invalid length. [ 516.160338][ T9] usb 1-1: New USB device found, idVendor=ee8d, idProduct=db1e, bcdDevice=61.23 [ 516.177942][ T9] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 516.202190][ T6070] usb 3-1: Using ep0 maxpacket: 16 [ 516.215468][ T6070] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x84 has invalid wMaxPacketSize 0 [ 516.227975][T18097] netlink: 8 bytes leftover after parsing attributes in process `syz.4.4742'. [ 516.237145][ T6070] usb 3-1: New USB device found, idVendor=2040, idProduct=0264, bcdDevice=4e.d1 [ 516.256021][T18097] bond6: (slave bridge2): making interface the new active one [ 516.264008][ T6070] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 516.272186][ T6070] usb 3-1: Product: syz [ 516.276446][ T6070] usb 3-1: Manufacturer: syz [ 516.282795][T18097] bond6: (slave bridge2): Enslaving as an active interface with an up link [ 516.291562][ T6070] usb 3-1: SerialNumber: syz [ 516.299573][ T6070] usb 3-1: config 0 descriptor?? [ 516.325041][ T6070] em28xx 3-1:0.0: New device syz syz @ 480 Mbps (2040:0264, interface 0, class 0) [ 516.334353][ T6070] em28xx 3-1:0.0: DVB interface 0 found: bulk [ 516.398754][ T9] usb 1-1: usb_control_msg returned -32 [ 516.404706][ T9] usbtmc 1-1:16.0: can't read capabilities [ 516.933847][ T6070] em28xx 3-1:0.0: unknown em28xx chip ID (0) [ 517.161776][ T5836] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 517.169811][ T5836] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 517.180626][ T5836] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 517.188548][ T5836] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 517.196275][ T5836] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 517.386419][T18113] netlink: 4 bytes leftover after parsing attributes in process `syz.4.4748'. [ 517.386684][T18108] chnl_net:caif_netlink_parms(): no params data found [ 517.561047][ T6070] em28xx 3-1:0.0: reading from i2c device at 0xa0 failed (error=-5) [ 517.576394][T18108] bridge0: port 1(bridge_slave_0) entered blocking state [ 517.579220][ T6070] em28xx 3-1:0.0: board has no eeprom [ 517.593036][T18108] bridge0: port 1(bridge_slave_0) entered disabled state [ 517.600210][T18108] bridge_slave_0: entered allmulticast mode [ 517.608629][T18108] bridge_slave_0: entered promiscuous mode [ 517.618588][T18108] bridge0: port 2(bridge_slave_1) entered blocking state [ 517.626575][T18108] bridge0: port 2(bridge_slave_1) entered disabled state [ 517.634447][T18108] bridge_slave_1: entered allmulticast mode [ 517.642394][T18108] bridge_slave_1: entered promiscuous mode [ 517.672756][ T6070] em28xx 3-1:0.0: Identified as PCTV tripleStick (292e) (card=94) [ 517.680594][ T6070] em28xx 3-1:0.0: dvb set to bulk mode. [ 517.686496][ T5926] em28xx 3-1:0.0: Binding DVB extension [ 517.689964][T18108] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 517.716892][ T6070] usb 3-1: USB disconnect, device number 69 [ 517.736525][T18108] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 517.746885][ T6070] em28xx 3-1:0.0: Disconnecting em28xx [ 517.807953][T18122] binder: 18121:18122 ioctl c0306201 80000140 returned -11 [ 517.820030][ T5926] em28xx 3-1:0.0: Registering input extension [ 517.829888][ T6070] em28xx 3-1:0.0: Closing input extension [ 517.843795][T18108] team0: Port device team_slave_0 added [ 517.851978][ T6070] em28xx 3-1:0.0: Freeing device [ 517.864465][T18108] team0: Port device team_slave_1 added [ 517.918309][T18124] netlink: 212348 bytes leftover after parsing attributes in process `syz.4.4751'. [ 517.931721][T18108] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 517.938996][T18108] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 517.967165][T18108] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 517.979779][T18108] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 517.987585][T18108] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 518.014947][T18108] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 518.069196][T18108] hsr_slave_0: entered promiscuous mode [ 518.076618][T18108] hsr_slave_1: entered promiscuous mode [ 518.085899][T18108] debugfs: 'hsr0' already exists in 'hsr' [ 518.091647][T18108] Cannot create hsr debugfs directory [ 518.433331][T18108] netdevsim netdevsim8 netdevsim0: renamed from eth0 [ 518.458163][T18108] netdevsim netdevsim8 netdevsim1: renamed from eth1 [ 518.485763][T18108] netdevsim netdevsim8 netdevsim2: renamed from eth2 [ 518.508266][T18108] netdevsim netdevsim8 netdevsim3: renamed from eth3 [ 518.684343][T18108] 8021q: adding VLAN 0 to HW filter on device bond0 [ 518.715177][ T9] usb 1-1: USB disconnect, device number 84 [ 518.754903][T18108] 8021q: adding VLAN 0 to HW filter on device team0 [ 518.820152][T14886] bridge0: port 1(bridge_slave_0) entered blocking state [ 518.827272][T14886] bridge0: port 1(bridge_slave_0) entered forwarding state [ 518.848717][T18145] kvm: Disabled LAPIC found during irq injection [ 518.912346][T14886] bridge0: port 2(bridge_slave_1) entered blocking state [ 518.919495][T14886] bridge0: port 2(bridge_slave_1) entered forwarding state [ 519.184655][T18108] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 519.186782][ T978] hid-generic 0000:0000:0000.0077: unknown main item tag 0x0 [ 519.223267][ T5830] Bluetooth: hci3: command tx timeout [ 519.264687][ T978] hid-generic 0000:0000:0000.0077: hidraw0: HID v0.00 Device [syz1] on syz0 [ 519.280246][T18108] veth0_vlan: entered promiscuous mode [ 519.294253][T18108] veth1_vlan: entered promiscuous mode [ 519.372271][T18108] veth0_macvtap: entered promiscuous mode [ 519.406631][T18108] veth1_macvtap: entered promiscuous mode [ 519.477420][T18108] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 519.498209][T18108] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 519.526890][T18161] netlink: 'syz.4.4764': attribute type 2 has an invalid length. [ 519.561939][T15647] netdevsim netdevsim8 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 519.581716][T15647] netdevsim netdevsim8 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 519.615413][T15647] netdevsim netdevsim8 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 519.646701][T15647] netdevsim netdevsim8 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 519.794239][T14886] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 519.813321][T14886] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 519.868081][ T3000] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 519.913259][ T3000] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 520.746641][T18196] netlink: 'syz.2.4776': attribute type 1 has an invalid length. [ 520.790514][T18196] 8021q: adding VLAN 0 to HW filter on device bond1 [ 520.824046][T18196] bond1: (slave geneve2): making interface the new active one [ 520.834179][T18196] bond1: (slave geneve2): Enslaving as an active interface with an up link [ 520.862379][ T5926] usb 9-1: new high-speed USB device number 2 using dummy_hcd [ 521.063805][ T5926] usb 9-1: config 220 has an invalid interface number: 76 but max is 2 [ 521.075439][ T5926] usb 9-1: config 220 contains an unexpected descriptor of type 0x2, skipping [ 521.097626][ T5926] usb 9-1: config 220 has an invalid descriptor of length 0, skipping remainder of the config [ 521.118322][ T5926] usb 9-1: config 220 has no interface number 2 [ 521.127309][ T5926] usb 9-1: config 220 interface 1 altsetting 5 has 0 endpoint descriptors, different from the interface descriptor's value: 12 [ 521.153354][ T5926] usb 9-1: config 220 interface 0 has no altsetting 0 [ 521.160628][ T5926] usb 9-1: config 220 interface 76 has no altsetting 0 [ 521.169360][ T5926] usb 9-1: config 220 interface 1 has no altsetting 0 [ 521.180524][ T5926] usb 9-1: New USB device found, idVendor=8086, idProduct=0b07, bcdDevice=6c.b9 [ 521.190875][ T5926] usb 9-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 521.200893][ T5926] usb 9-1: Product: syz [ 521.210724][ T5926] usb 9-1: Manufacturer: syz [ 521.218522][ T5926] usb 9-1: SerialNumber: syz [ 521.303092][ T5830] Bluetooth: hci3: command tx timeout [ 521.463657][ T5926] usb 9-1: selecting invalid altsetting 0 [ 521.469871][ T5926] uvcvideo 9-1:220.0: Found UVC 7.01 device syz (8086:0b07) [ 521.490810][ T5926] uvcvideo 9-1:220.0: No valid video chain found. [ 521.521357][ T5926] usb 9-1: selecting invalid altsetting 0 [ 521.529436][ T5926] usbtest 9-1:220.1: probe with driver usbtest failed with error -22 [ 521.562526][ T5926] usb 9-1: USB disconnect, device number 2 [ 522.101584][T18228] netlink: 12 bytes leftover after parsing attributes in process `syz.0.4788'. [ 522.189559][T18235] netlink: 24 bytes leftover after parsing attributes in process `syz.2.4792'. [ 522.942275][ T6070] usb 1-1: new high-speed USB device number 85 using dummy_hcd [ 523.104566][ T6070] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 523.142770][ T6070] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 523.165677][ T6070] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 21 [ 523.185341][ T6070] usb 1-1: New USB device found, idVendor=047f, idProduct=ffff, bcdDevice= 0.00 [ 523.194623][ T5926] usb 5-1: new high-speed USB device number 84 using dummy_hcd [ 523.202931][ T6070] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 523.215101][ T6070] usb 1-1: config 0 descriptor?? [ 523.364520][ T5926] usb 5-1: Using ep0 maxpacket: 16 [ 523.382836][ T5830] Bluetooth: hci3: command tx timeout [ 523.396583][ T5926] usb 5-1: config 0 has an invalid interface number: 105 but max is 0 [ 523.425998][ T5926] usb 5-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 523.443391][ T5926] usb 5-1: config 0 has no interface number 0 [ 523.451183][T18280] netlink: 4 bytes leftover after parsing attributes in process `syz.6.4811'. [ 523.455438][ T5926] usb 5-1: New USB device found, idVendor=046d, idProduct=08f3, bcdDevice= b.28 [ 523.470202][ T5926] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 523.492276][ T5926] usb 5-1: Product: syz [ 523.496436][ T5926] usb 5-1: Manufacturer: syz [ 523.501027][ T5926] usb 5-1: SerialNumber: syz [ 523.526253][ T5926] usb 5-1: config 0 descriptor?? [ 523.546245][ T5926] uvcvideo 5-1:0.105: Found UVC 0.00 device syz (046d:08f3) [ 523.565124][ T5926] uvcvideo 5-1:0.105: No valid video chain found. [ 523.666445][ T6070] plantronics 0003:047F:FFFF.0078: hiddev0,hidraw0: USB HID v0.40 Device [HID 047f:ffff] on usb-dummy_hcd.0-1/input0 [ 523.764850][ T24] usb 5-1: USB disconnect, device number 84 [ 524.374475][T18317] netlink: 32 bytes leftover after parsing attributes in process `syz.4.4817'. [ 525.463830][ T5830] Bluetooth: hci3: command tx timeout [ 525.545413][T18344] netlink: 'syz.4.4831': attribute type 1 has an invalid length. [ 525.586454][T18344] 8021q: adding VLAN 0 to HW filter on device bond7 [ 525.627596][T18344] bond7: (slave geneve3): making interface the new active one [ 525.637299][T18344] bond7: (slave geneve3): Enslaving as an active interface with an up link [ 525.646145][ T12] netdevsim netdevsim4 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 525.661732][ T12] netdevsim netdevsim4 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 525.693516][ T12] netdevsim netdevsim4 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 525.724522][ T12] netdevsim netdevsim4 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 525.798542][ T24] usb 1-1: USB disconnect, device number 85 [ 526.195825][ T30] audit: type=1326 audit(1768199849.759:1134): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=18365 comm="syz.2.4838" exe="/root/syz-executor" sig=9 arch=40000003 syscall=252 compat=1 ip=0xf70cd539 code=0x0 [ 526.251086][T18368] kvm: vcpu 128: requested 128 ns lapic timer period limited to 200000 ns [ 526.274840][T18368] kvm: vcpu 128: requested lapic timer restore with starting count register 0x390=1812281087 (231971979136 ns) > initial count (200000 ns). Using initial count to start timer. [ 526.852140][ T24] usb 1-1: new high-speed USB device number 86 using dummy_hcd [ 526.922164][ T5921] usb 5-1: new high-speed USB device number 85 using dummy_hcd [ 527.012076][ T24] usb 1-1: Using ep0 maxpacket: 32 [ 527.026376][ T24] usb 1-1: New USB device found, idVendor=05a9, idProduct=1550, bcdDevice=e4.bb [ 527.047665][ T24] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 527.067903][ T24] usb 1-1: Product: syz [ 527.077699][ T24] usb 1-1: Manufacturer: syz [ 527.087845][ T24] usb 1-1: SerialNumber: syz [ 527.093746][ T5921] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 527.114696][ T24] usb 1-1: config 0 descriptor?? [ 527.120569][ T5921] usb 5-1: New USB device found, idVendor=0926, idProduct=3333, bcdDevice= 0.40 [ 527.130134][ T5921] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 527.145717][ T24] gspca_main: ov534_9-2.14.0 probing 05a9:1550 [ 527.159444][ T5921] usb 5-1: config 0 descriptor?? [ 527.354210][ T24] gspca_ov534_9: reg_w failed -71 [ 527.380431][ T5921] usbhid 5-1:0.0: can't add hid device: -71 [ 527.407716][ T5921] usbhid 5-1:0.0: probe with driver usbhid failed with error -71 [ 527.426868][ T5921] usb 5-1: USB disconnect, device number 85 [ 527.782591][ T24] gspca_ov534_9: Unknown sensor 0000 [ 527.782683][ T24] ov534_9 1-1:0.0: probe with driver ov534_9 failed with error -22 [ 527.803098][ T24] usb 1-1: USB disconnect, device number 86 [ 527.902205][ T5921] usb 5-1: new high-speed USB device number 86 using dummy_hcd [ 527.902249][ T5926] usb 3-1: new high-speed USB device number 70 using dummy_hcd [ 528.062164][ T5921] usb 5-1: Using ep0 maxpacket: 32 [ 528.068973][ T5921] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 528.080555][ T5921] usb 5-1: New USB device found, idVendor=0f11, idProduct=1021, bcdDevice= 0.40 [ 528.089880][ T5921] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 528.100582][ T5921] usb 5-1: config 0 descriptor?? [ 528.102082][ T5926] usb 3-1: Using ep0 maxpacket: 32 [ 528.109491][ T5921] ldusb 5-1:0.0: Interrupt out endpoint not found (using control endpoint instead) [ 528.122125][ T5921] ldusb 5-1:0.0: LD USB Device #0 now attached to major 180 minor 0 [ 528.131543][ T5926] usb 3-1: config 0 interface 0 has no altsetting 0 [ 528.147489][ T5926] usb 3-1: New USB device found, idVendor=16d0, idProduct=10b8, bcdDevice=de.8e [ 528.172324][ T5926] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 528.190472][ T5926] usb 3-1: Product: syz [ 528.198462][ T5926] usb 3-1: Manufacturer: syz [ 528.212028][ T5926] usb 3-1: SerialNumber: syz [ 528.223524][ T5926] usb 3-1: config 0 descriptor?? [ 528.232890][ T5926] gs_usb 3-1:0.0: Required endpoints not found [ 528.525286][T18381] ldusb 5-1:0.0: Read buffer overflow, 316 bytes dropped [ 528.545231][ T5926] usb 5-1: USB disconnect, device number 86 [ 528.570105][ T5921] usb 3-1: USB disconnect, device number 70 [ 528.572824][ T5926] ldusb 5-1:0.0: LD USB Device #0 now disconnected [ 529.267034][T18416] netlink: 44 bytes leftover after parsing attributes in process `syz.2.4858'. [ 529.302182][T18416] netlink: 9 bytes leftover after parsing attributes in process `syz.2.4858'. [ 530.252079][ T9] usb 9-1: new high-speed USB device number 3 using dummy_hcd [ 530.442242][ T9] usb 9-1: Using ep0 maxpacket: 16 [ 530.480384][ T9] usb 9-1: config 0 has an invalid interface number: 41 but max is 0 [ 530.519116][ T9] usb 9-1: config 0 has no interface number 0 [ 530.552085][ T9] usb 9-1: config 0 interface 41 altsetting 2 bulk endpoint 0x4 has invalid maxpacket 16 [ 530.612188][ T9] usb 9-1: config 0 interface 41 altsetting 2 bulk endpoint 0x82 has invalid maxpacket 64 [ 530.667497][ T9] usb 9-1: config 0 interface 41 has no altsetting 0 [ 530.732938][ T9] usb 9-1: New USB device found, idVendor=0fe6, idProduct=9800, bcdDevice=d1.9a [ 530.742977][ C1] ip6_tunnel: ip6gre2 xmit: Local address not yet configured! [ 530.767652][ T9] usb 9-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 530.814965][ T9] usb 9-1: Product: syz [ 530.815280][T18447] syzkaller1: entered promiscuous mode [ 530.842048][ T9] usb 9-1: Manufacturer: syz [ 530.842148][T18447] syzkaller1: entered allmulticast mode [ 530.846692][ T9] usb 9-1: SerialNumber: syz [ 530.887993][ T9] usb 9-1: config 0 descriptor?? [ 530.918739][T18436] raw-gadget.0 gadget.8: fail, usb_ep_enable returned -22 [ 530.958467][T18436] raw-gadget.0 gadget.8: fail, usb_ep_enable returned -22 [ 531.172301][ T5903] usb 1-1: new high-speed USB device number 87 using dummy_hcd [ 531.210143][T18436] raw-gadget.0 gadget.8: fail, usb_ep_enable returned -22 [ 531.227514][T18436] raw-gadget.0 gadget.8: fail, usb_ep_enable returned -22 [ 531.352102][ T5903] usb 1-1: Using ep0 maxpacket: 32 [ 531.384220][ T5903] usb 1-1: config 0 has an invalid interface number: 89 but max is 0 [ 531.409096][ T5903] usb 1-1: config 0 has no interface number 0 [ 531.423256][ T5903] usb 1-1: config 0 interface 89 altsetting 2 endpoint 0x82 has invalid wMaxPacketSize 0 [ 531.459552][ T5903] usb 1-1: config 0 interface 89 has no altsetting 0 [ 531.484287][ T5903] usb 1-1: New USB device found, idVendor=0ccd, idProduct=10af, bcdDevice=38.4e [ 531.496553][ T5903] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 531.509687][ T5903] usb 1-1: Product: syz [ 531.532034][ T5903] usb 1-1: Manufacturer: syz [ 531.545019][ T5903] usb 1-1: SerialNumber: syz [ 531.567946][ T5903] usb 1-1: config 0 descriptor?? [ 531.587547][ T5903] em28xx 1-1:0.89: New device syz syz @ 480 Mbps (0ccd:10af, interface 89, class 89) [ 531.612031][ T5903] em28xx 1-1:0.89: Video interface 89 found: [ 531.882093][ T9] CoreChips 9-1:0.41 (unnamed net_device) (uninitialized): sr_get_phy_addr : Error reading PHYID register:ffffffe0 [ 532.203610][ T5903] em28xx 1-1:0.89: unknown em28xx chip ID (0) [ 532.216974][T18492] binder: 18490:18492 ioctl 40046205 0 returned -22 [ 532.288851][T18494] binder: 18490:18494 ioctl c0306201 0 returned -14 [ 532.315971][ T9] CoreChips 9-1:0.41 (unnamed net_device) (uninitialized): Failed to send software reset:ffffffb9 [ 532.350108][ T9] CoreChips 9-1:0.41 (unnamed net_device) (uninitialized): Failed to reset PHY: -71 [ 532.383562][ T9] CoreChips 9-1:0.41: probe with driver CoreChips failed with error -71 [ 532.409613][ T9] usb 9-1: USB disconnect, device number 3 [ 532.851741][ T5903] em28xx 1-1:0.89: reading from i2c device at 0xa0 failed (error=-5) [ 532.873131][ T5903] em28xx 1-1:0.89: board has no eeprom [ 532.953249][ T5903] em28xx 1-1:0.89: Identified as Terratec Grabby (card=67) [ 532.970756][ T5903] em28xx 1-1:0.89: analog set to bulk mode. [ 532.994098][ T5926] em28xx 1-1:0.89: Registering V4L2 extension [ 533.014512][ T5903] usb 1-1: USB disconnect, device number 87 [ 533.021627][ T5903] em28xx 1-1:0.89: Disconnecting em28xx [ 533.150453][ T5926] em28xx 1-1:0.89: Config register raw data: 0xffffffed [ 533.182114][ T5926] em28xx 1-1:0.89: AC97 chip type couldn't be determined [ 533.189165][ T5926] em28xx 1-1:0.89: No AC97 audio processor [ 533.221845][ T5926] usb 1-1: Decoder not found [ 533.238535][ T5926] em28xx 1-1:0.89: failed to create media graph [ 533.245006][ T5926] em28xx 1-1:0.89: V4L2 device video103 deregistered [ 533.254875][ T5926] em28xx 1-1:0.89: Registering snapshot button... [ 533.270505][ T5926] input: em28xx snapshot button as /devices/platform/dummy_hcd.0/usb1/1-1/1-1:0.89/input/input127 [ 533.294176][ T5926] em28xx 1-1:0.89: Remote control support is not available for this card. [ 533.309591][ T5903] em28xx 1-1:0.89: Closing input extension [ 533.318255][ T5903] em28xx 1-1:0.89: Deregistering snapshot button [ 533.337089][ T5903] em28xx 1-1:0.89: Freeing device [ 533.588896][T18524] syzkaller0: entered promiscuous mode [ 533.610065][T18524] syzkaller0: entered allmulticast mode [ 534.978408][ T5903] usb 9-1: new high-speed USB device number 4 using dummy_hcd [ 535.149968][ T5903] usb 9-1: New USB device found, idVendor=1c40, idProduct=0534, bcdDevice=6d.cc [ 535.162704][ T5903] usb 9-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 535.184156][ T5903] usb 9-1: Product: syz [ 535.188516][ T5903] usb 9-1: Manufacturer: syz [ 535.194532][ T5903] usb 9-1: SerialNumber: syz [ 535.218707][ T5903] usb 9-1: config 0 descriptor?? [ 535.236004][ T5903] i2c-tiny-usb 9-1:0.0: version 6d.cc found at bus 009 address 004 [ 535.659388][ T5903] (null): failure reading functionality [ 535.677890][ T5903] i2c i2c-2: failure reading functionality [ 535.693941][ T5903] i2c i2c-2: connected i2c-tiny-usb device [ 536.522597][ T5926] usb 5-1: new high-speed USB device number 87 using dummy_hcd [ 536.682154][ T5926] usb 5-1: Using ep0 maxpacket: 16 [ 536.695377][ T5926] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 536.724293][ T5926] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 536.755175][ T5926] usb 5-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9 [ 536.791328][ T5926] usb 5-1: New USB device found, idVendor=045e, idProduct=07da, bcdDevice= 0.00 [ 536.801609][ T5926] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 536.821278][ T5926] usb 5-1: config 0 descriptor?? [ 536.894063][T18582] fuse: root generation should be zero [ 537.266369][ T5926] microsoft 0003:045E:07DA.0079: unknown main item tag 0x0 [ 537.283942][ T5926] microsoft 0003:045E:07DA.0079: ignoring exceeding usage max [ 537.315031][ T5926] microsoft 0003:045E:07DA.0079: hidraw0: USB HID v0.00 Device [HID 045e:07da] on usb-dummy_hcd.4-1/input0 [ 537.350196][ T5926] microsoft 0003:045E:07DA.0079: no inputs found [ 537.366475][ T5926] microsoft 0003:045E:07DA.0079: could not initialize ff, continuing anyway [ 537.570423][ T5926] usb 5-1: USB disconnect, device number 87 [ 537.647830][T18601] IPVS: lc: UDP 224.0.0.2:0 - no destination available [ 537.770053][ T9] usb 9-1: USB disconnect, device number 4 [ 537.881477][ T30] audit: type=1326 audit(1768199861.439:1135): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=18610 comm="syz.8.4938" exe="/root/syz-executor" sig=9 arch=40000003 syscall=252 compat=1 ip=0xf704d539 code=0x0 [ 537.982081][ T5921] usb 1-1: new high-speed USB device number 88 using dummy_hcd [ 538.152064][ T5921] usb 1-1: Using ep0 maxpacket: 8 [ 538.166580][ T5921] usb 1-1: config 16 interface 0 altsetting 0 endpoint 0x5 has invalid wMaxPacketSize 0 [ 538.193916][ T5921] usb 1-1: config 16 interface 0 altsetting 0 bulk endpoint 0x5 has invalid maxpacket 0 [ 538.212791][ T5921] usb 1-1: config 16 interface 0 altsetting 0 bulk endpoint 0x8B has invalid maxpacket 32 [ 538.234609][ T5921] usb 1-1: config 16 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 3 [ 538.263557][ T5921] usb 1-1: New USB device found, idVendor=ee8d, idProduct=db1a, bcdDevice=61.23 [ 538.282313][ T5921] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 538.513270][ T5921] usb 1-1: GET_CAPABILITIES returned 0 [ 538.528448][ T5921] usbtmc 1-1:16.0: can't read capabilities [ 538.736354][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 538.745482][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 538.754548][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 538.763873][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 538.774603][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 538.783689][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 538.792741][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 538.801784][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 538.820893][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 538.829984][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 538.839053][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 538.848112][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 538.859090][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 538.868167][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 538.877239][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 538.886288][ C0] usbtmc 1-1:16.0: usbtmc_read_bulk_cb - nonzero read bulk status received: -71 [ 538.919036][T18631] loop4: detected capacity change from 0 to 524287936 [ 538.947296][ T5921] usb 1-1: USB disconnect, device number 88 [ 538.952100][ T5926] usb 5-1: new high-speed USB device number 88 using dummy_hcd [ 539.112307][ T5926] usb 5-1: Using ep0 maxpacket: 16 [ 539.133078][ T5926] usb 5-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 539.150344][ T5926] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x82 has an invalid bInterval 0, changing to 7 [ 539.172061][ T5926] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x2 has invalid wMaxPacketSize 0 [ 539.181713][ T5926] usb 5-1: config 0 interface 0 altsetting 0 bulk endpoint 0x2 has invalid maxpacket 0 [ 539.191869][ T5926] usb 5-1: config 0 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 3 [ 539.206164][ T5926] usb 5-1: New USB device found, idVendor=2040, idProduct=b138, bcdDevice= 1.42 [ 539.215239][ T5926] usb 5-1: New USB device strings: Mfr=4, Product=0, SerialNumber=0 [ 539.225000][ T5926] usb 5-1: Manufacturer: syz [ 539.232495][ T5926] usb 5-1: config 0 descriptor?? [ 539.502069][ T5926] rc_core: IR keymap rc-hauppauge not found [ 539.507988][ T5926] Registered IR keymap rc-empty [ 539.515602][ T5926] mceusb 5-1:0.0: Error: mce write submit urb error = -90 [ 539.543564][ T5926] mceusb 5-1:0.0: Error: mce write submit urb error = -90 [ 539.562811][ T5926] rc rc0: Conexant Hybrid TV (cx231xx) MCE IR no TX as /devices/platform/dummy_hcd.4/usb5/5-1/5-1:0.0/rc/rc0 [ 539.575767][ T5926] input: Conexant Hybrid TV (cx231xx) MCE IR no TX as /devices/platform/dummy_hcd.4/usb5/5-1/5-1:0.0/rc/rc0/input129 [ 539.591487][ T5926] mceusb 5-1:0.0: Error: mce write submit urb error = -90 [ 539.612493][ T5926] mceusb 5-1:0.0: Error: mce write submit urb error = -90 [ 539.632153][ T5926] mceusb 5-1:0.0: Error: mce write submit urb error = -90 [ 539.652317][ T5926] mceusb 5-1:0.0: Error: mce write submit urb error = -90 [ 539.682209][ T5926] mceusb 5-1:0.0: Error: mce write submit urb error = -90 [ 539.702967][ T5926] mceusb 5-1:0.0: Error: mce write submit urb error = -90 [ 539.722125][ T5926] mceusb 5-1:0.0: Error: mce write submit urb error = -90 [ 539.744304][T18645] kvm: vcpu 0: requested lapic timer restore with starting count register 0x390=3134677450 (3134677450 ns) > initial count (1366566911 ns). Using initial count to start timer. [ 539.761966][ T5926] mceusb 5-1:0.0: Error: mce write submit urb error = -90 [ 539.793355][ T5926] mceusb 5-1:0.0: Error: mce write submit urb error = -90 [ 539.813034][ T5926] mceusb 5-1:0.0: Error: mce write submit urb error = -90 [ 539.833886][ T5926] mceusb 5-1:0.0: Registered 424242424242 with mce emulator interface version 1 [ 539.843234][ T5926] mceusb 5-1:0.0: 2 tx ports (0x0 cabled) and 2 rx sensors (0x0 active) [ 540.082434][ T5921] usb 5-1: USB disconnect, device number 88 [ 540.312079][ T9] usb 9-1: new high-speed USB device number 5 using dummy_hcd [ 540.462050][ T9] usb 9-1: Using ep0 maxpacket: 32 [ 540.468528][ T9] usb 9-1: config 0 has an invalid interface number: 67 but max is 0 [ 540.477075][ T9] usb 9-1: config 0 has no interface number 0 [ 540.485166][ T9] usb 9-1: New USB device found, idVendor=0424, idProduct=9901, bcdDevice=c2.57 [ 540.494470][ T9] usb 9-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 540.502817][ T9] usb 9-1: Product: syz [ 540.506974][ T9] usb 9-1: Manufacturer: syz [ 540.511555][ T9] usb 9-1: SerialNumber: syz [ 540.518016][ T9] usb 9-1: config 0 descriptor?? [ 540.524756][ T9] smsc95xx v2.0.0 [ 540.928049][ T9] smsc95xx 9-1:0.67 (unnamed net_device) (uninitialized): Failed to read reg index 0x00000030: -32 [ 540.938952][ T9] smsc95xx 9-1:0.67 (unnamed net_device) (uninitialized): Error reading E2P_CMD [ 541.751009][ T9] smsc95xx 9-1:0.67 (unnamed net_device) (uninitialized): Failed to read reg index 0x00000014: -71 [ 541.764011][ T9] smsc95xx 9-1:0.67: probe with driver smsc95xx failed with error -71 [ 541.775284][ T9] usb 9-1: USB disconnect, device number 5 [ 542.303299][T18655] netlink: 'syz.2.4955': attribute type 3 has an invalid length. [ 542.792467][ T5921] usb 5-1: new high-speed USB device number 89 using dummy_hcd [ 542.962083][ T5921] usb 5-1: Using ep0 maxpacket: 32 [ 542.987609][ T5921] usb 5-1: config 0 has an invalid interface number: 132 but max is 0 [ 543.013492][ T5921] usb 5-1: config 0 has no interface number 0 [ 543.032938][ T5921] usb 5-1: config 0 interface 132 altsetting 0 endpoint 0x82 has invalid wMaxPacketSize 0 [ 543.049486][T18681] syzkaller0: entered promiscuous mode [ 543.058420][ T5921] usb 5-1: New USB device found, idVendor=0413, idProduct=6023, bcdDevice=ec.e5 [ 543.061224][T18681] syzkaller0: entered allmulticast mode [ 543.079084][ T5921] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 543.096491][ T5921] usb 5-1: Product: syz [ 543.108691][ T5921] usb 5-1: Manufacturer: syz [ 543.129210][ T5921] usb 5-1: SerialNumber: syz [ 543.150665][ T5921] usb 5-1: config 0 descriptor?? [ 543.183200][ T5921] em28xx 5-1:0.132: New device syz syz @ 480 Mbps (0413:6023, interface 132, class 132) [ 543.216576][ T5921] em28xx 5-1:0.132: Video interface 132 found: [ 543.371473][T18687] netlink: 16 bytes leftover after parsing attributes in process `syz.2.4967'. [ 543.585046][ T5921] em28xx 5-1:0.132: unknown em28xx chip ID (0) [ 543.828489][T18699] A link change request failed with some changes committed already. Interface gre1 may have been left with an inconsistent configuration, please check. [ 543.995653][ T5921] em28xx 5-1:0.132: reading from i2c device at 0xa0 failed: couldn't get the received message from the bridge (error=-5) [ 544.012310][ T5921] em28xx 5-1:0.132: board has no eeprom [ 544.092125][ T5921] em28xx 5-1:0.132: Identified as Leadtek Winfast USB II (card=7) [ 544.100038][ T5921] em28xx 5-1:0.132: analog set to bulk mode. [ 544.107509][ T24] em28xx 5-1:0.132: Registering V4L2 extension [ 544.259156][ T6070] usb 1-1: new high-speed USB device number 89 using dummy_hcd [ 544.272524][ T24] em28xx 5-1:0.132: failed to trigger read from i2c address 0x4a (error=-5) [ 544.276800][ T978] usb 5-1: USB disconnect, device number 89 [ 544.286460][ T24] em28xx 5-1:0.132: failed to trigger read from i2c address 0x48 (error=-19) [ 544.290814][ T978] em28xx 5-1:0.132: Disconnecting em28xx [ 544.394600][ T24] em28xx 5-1:0.132: Config register raw data: 0xffffffed [ 544.401873][ T24] em28xx 5-1:0.132: AC97 chip type couldn't be determined [ 544.409998][ T24] em28xx 5-1:0.132: No AC97 audio processor [ 544.431511][ T24] usb 5-1: Decoder not found [ 544.444947][ T6070] usb 1-1: config 1 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 544.447178][ T24] em28xx 5-1:0.132: failed to create media graph [ 544.471727][T18713] netlink: 104 bytes leftover after parsing attributes in process `syz.8.4976'. [ 544.487874][ T6070] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a1, bcdDevice= 0.40 [ 544.501667][ T24] em28xx 5-1:0.132: V4L2 device video103 deregistered [ 544.509965][ T6070] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 544.528693][ T6070] usb 1-1: Product: syz [ 544.533106][ T6070] usb 1-1: Manufacturer: syz [ 544.537708][ T6070] usb 1-1: SerialNumber: syz [ 544.554548][ T24] em28xx 5-1:0.132: Remote control support is not available for this card. [ 544.554997][T18712] ================================================================== [ 544.571180][T18712] BUG: KASAN: slab-use-after-free in v4l2_fh_open+0xac/0x420 [ 544.578541][T18712] Read of size 8 at addr ffff8880403a0740 by task v4l_id/18712 [ 544.586079][T18712] [ 544.588399][T18712] CPU: 0 UID: 0 PID: 18712 Comm: v4l_id Tainted: G L syzkaller #0 PREEMPT(full) [ 544.588420][T18712] Tainted: [L]=SOFTLOCKUP [ 544.588426][T18712] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 544.588435][T18712] Call Trace: [ 544.588442][T18712] [ 544.588449][T18712] dump_stack_lvl+0xe8/0x150 [ 544.588470][T18712] print_report+0xca/0x240 [ 544.588485][T18712] ? v4l2_fh_open+0xac/0x420 [ 544.588504][T18712] kasan_report+0x118/0x150 [ 544.588522][T18712] ? v4l2_fh_open+0xac/0x420 [ 544.588543][T18712] v4l2_fh_open+0xac/0x420 [ 544.588561][T18712] ? __pfx___mutex_unlock_slowpath+0x10/0x10 [ 544.588580][T18712] em28xx_v4l2_open+0x157/0x9a0 [ 544.588599][T18712] ? do_raw_spin_lock+0x121/0x290 [ 544.588619][T18712] v4l2_open+0x1bf/0x3a0 [ 544.588634][T18712] chrdev_open+0x4cc/0x5e0 [ 544.588651][T18712] ? __pfx_chrdev_open+0x10/0x10 [ 544.588665][T18712] ? fsnotify_open_perm_and_set_mode+0x113/0x610 [ 544.588686][T18712] ? __pfx_chrdev_open+0x10/0x10 [ 544.588700][T18712] do_dentry_open+0x7ce/0x1420 [ 544.588722][T18712] vfs_open+0x3b/0x340 [ 544.588736][T18712] ? path_openat+0x33f3/0x3dd0 [ 544.588750][T18712] path_openat+0x340e/0x3dd0 [ 544.588766][T18712] ? __pfx_stack_trace_save+0x10/0x10 [ 544.588790][T18712] ? kmem_cache_alloc_noprof+0x37d/0x710 [ 544.588809][T18712] ? getname_flags+0xb8/0x540 [ 544.588830][T18712] ? __pfx_path_openat+0x10/0x10 [ 544.588843][T18712] ? __lock_acquire+0x6b6/0x2cf0 [ 544.588861][T18712] do_filp_open+0x1fa/0x410 [ 544.588874][T18712] ? __pfx_do_filp_open+0x10/0x10 [ 544.588893][T18712] ? _raw_spin_unlock+0x28/0x50 [ 544.588906][T18712] ? alloc_fd+0x64c/0x6c0 [ 544.588924][T18712] do_sys_openat2+0x121/0x200 [ 544.588942][T18712] ? __pfx_do_sys_openat2+0x10/0x10 [ 544.588959][T18712] ? exc_page_fault+0x71/0xd0 [ 544.588975][T18712] ? do_user_addr_fault+0xc85/0x1380 [ 544.588990][T18712] __x64_sys_openat+0x138/0x170 [ 544.589008][T18712] do_syscall_64+0xec/0xf80 [ 544.589023][T18712] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 544.589036][T18712] ? trace_irq_disable+0x37/0x100 [ 544.589053][T18712] ? clear_bhb_loop+0x60/0xb0 [ 544.589069][T18712] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 544.589083][T18712] RIP: 0033:0x7fec964a7407 [ 544.589097][T18712] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff [ 544.589110][T18712] RSP: 002b:00007fff01ee6820 EFLAGS: 00000202 ORIG_RAX: 0000000000000101 [ 544.589126][T18712] RAX: ffffffffffffffda RBX: 00007fec9641d880 RCX: 00007fec964a7407 [ 544.589138][T18712] RDX: 0000000000000000 RSI: 00007fff01ee6f1b RDI: ffffffffffffff9c [ 544.589148][T18712] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000 [ 544.589158][T18712] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [ 544.589167][T18712] R13: 00007fff01ee6a70 R14: 00007fec96ca3000 R15: 0000555e343164d8 [ 544.589184][T18712] [ 544.589189][T18712] [ 544.877515][T18712] Allocated by task 24: [ 544.881651][T18712] kasan_save_track+0x3e/0x80 [ 544.886313][T18712] __kasan_kmalloc+0x93/0xb0 [ 544.890892][T18712] __kmalloc_cache_noprof+0x3e2/0x700 [ 544.896251][T18712] em28xx_v4l2_init+0x10b/0x2e70 [ 544.901172][T18712] em28xx_init_extension+0x120/0x1c0 [ 544.906440][T18712] process_scheduled_works+0xad1/0x1770 [ 544.911967][T18712] worker_thread+0x8a0/0xda0 [ 544.916540][T18712] kthread+0x711/0x8a0 [ 544.920594][T18712] ret_from_fork+0x510/0xa50 [ 544.925165][T18712] ret_from_fork_asm+0x1a/0x30 [ 544.929934][T18712] [ 544.932242][T18712] Freed by task 24: [ 544.936026][T18712] kasan_save_track+0x3e/0x80 [ 544.940687][T18712] kasan_save_free_info+0x46/0x50 [ 544.945702][T18712] __kasan_slab_free+0x5c/0x80 [ 544.950450][T18712] kfree+0x1c0/0x660 [ 544.954356][T18712] em28xx_v4l2_init+0x1683/0x2e70 [ 544.959369][T18712] em28xx_init_extension+0x120/0x1c0 [ 544.964639][T18712] process_scheduled_works+0xad1/0x1770 [ 544.970164][T18712] worker_thread+0x8a0/0xda0 [ 544.974735][T18712] kthread+0x711/0x8a0 [ 544.978792][T18712] ret_from_fork+0x510/0xa50 [ 544.983363][T18712] ret_from_fork_asm+0x1a/0x30 [ 544.988110][T18712] [ 544.990425][T18712] The buggy address belongs to the object at ffff8880403a0000 [ 544.990425][T18712] which belongs to the cache kmalloc-8k of size 8192 [ 545.004458][T18712] The buggy address is located 1856 bytes inside of [ 545.004458][T18712] freed 8192-byte region [ffff8880403a0000, ffff8880403a2000) [ 545.018409][T18712] [ 545.020716][T18712] The buggy address belongs to the physical page: [ 545.027120][T18712] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x403a0 [ 545.035860][T18712] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 545.044340][T18712] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 545.052299][T18712] page_type: f5(slab) [ 545.056272][T18712] raw: 00fff00000000040 ffff88813ffa7280 ffffea0000e28e00 0000000000000005 [ 545.064839][T18712] raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000 [ 545.073423][T18712] head: 00fff00000000040 ffff88813ffa7280 ffffea0000e28e00 0000000000000005 [ 545.082076][T18712] head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000 [ 545.090729][T18712] head: 00fff00000000003 ffffea000100e801 00000000ffffffff 00000000ffffffff [ 545.099379][T18712] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 545.108026][T18712] page dumped because: kasan: bad access detected [ 545.114417][T18712] page_owner tracks the page as allocated [ 545.120110][T18712] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 18108, tgid 18108 (syz-executor), ts 518431127106, free_ts 517027384917 [ 545.141636][T18712] post_alloc_hook+0x234/0x290 [ 545.146384][T18712] get_page_from_freelist+0x24e0/0x2580 [ 545.151913][T18712] __alloc_frozen_pages_noprof+0x181/0x370 [ 545.157707][T18712] alloc_pages_mpol+0x232/0x4a0 [ 545.162550][T18712] allocate_slab+0x86/0x3b0 [ 545.167040][T18712] ___slab_alloc+0xe53/0x1820 [ 545.171696][T18712] __slab_alloc+0x65/0x100 [ 545.176092][T18712] __kmalloc_node_track_caller_noprof+0x5d4/0x820 [ 545.182489][T18712] kmalloc_reserve+0x136/0x290 [ 545.187239][T18712] __alloc_skb+0x204/0x3a0 [ 545.191635][T18712] netlink_dump+0x167/0xe90 [ 545.196120][T18712] __netlink_dump_start+0x5cb/0x7e0 [ 545.201301][T18712] genl_family_rcv_msg_dumpit+0x1e7/0x2c0 [ 545.207000][T18712] genl_rcv_msg+0x5da/0x790 [ 545.211483][T18712] netlink_rcv_skb+0x208/0x470 [ 545.216229][T18712] genl_rcv+0x28/0x40 [ 545.220202][T18712] page last free pid 24 tgid 24 stack trace: [ 545.226157][T18712] __free_frozen_pages+0xbc8/0xd30 [ 545.231248][T18712] kasan_depopulate_vmalloc_pte+0x6d/0x90 [ 545.236952][T18712] __apply_to_page_range+0xb66/0x13d0 [ 545.242309][T18712] __kasan_release_vmalloc+0xa2/0xd0 [ 545.247575][T18712] purge_vmap_node+0x214/0x8d0 [ 545.252320][T18712] __purge_vmap_area_lazy+0x77a/0xb00 [ 545.257674][T18712] drain_vmap_area_work+0x27/0x40 [ 545.262685][T18712] process_scheduled_works+0xad1/0x1770 [ 545.268212][T18712] worker_thread+0x8a0/0xda0 [ 545.272788][T18712] kthread+0x711/0x8a0 [ 545.276837][T18712] ret_from_fork+0x510/0xa50 [ 545.281407][T18712] ret_from_fork_asm+0x1a/0x30 [ 545.286155][T18712] [ 545.288460][T18712] Memory state around the buggy address: [ 545.294069][T18712] ffff8880403a0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 545.302111][T18712] ffff8880403a0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 545.310154][T18712] >ffff8880403a0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 545.318192][T18712] ^ [ 545.324321][T18712] ffff8880403a0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 545.332361][T18712] ffff8880403a0800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 545.340397][T18712] ================================================================== [ 545.354888][ T978] em28xx 5-1:0.132: Closing input extension [ 545.392168][T18712] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 545.399392][T18712] CPU: 1 UID: 0 PID: 18712 Comm: v4l_id Tainted: G L syzkaller #0 PREEMPT(full) [ 545.409983][T18712] Tainted: [L]=SOFTLOCKUP [ 545.414314][T18712] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 545.424369][T18712] Call Trace: [ 545.427646][T18712] [ 545.430578][T18712] vpanic+0x1e0/0x670 [ 545.434574][T18712] panic+0xb9/0xc0 [ 545.438302][T18712] ? __pfx_panic+0x10/0x10 [ 545.442712][T18712] ? preempt_schedule_common+0x83/0xd0 [ 545.448157][T18712] ? v4l2_fh_open+0xac/0x420 [ 545.452739][T18712] check_panic_on_warn+0x89/0xb0 [ 545.457666][T18712] ? v4l2_fh_open+0xac/0x420 [ 545.462248][T18712] end_report+0x6f/0x140 [ 545.466486][T18712] kasan_report+0x129/0x150 [ 545.470980][T18712] ? v4l2_fh_open+0xac/0x420 [ 545.475567][T18712] v4l2_fh_open+0xac/0x420 [ 545.479975][T18712] ? __pfx___mutex_unlock_slowpath+0x10/0x10 [ 545.485945][T18712] em28xx_v4l2_open+0x157/0x9a0 [ 545.490789][T18712] ? do_raw_spin_lock+0x121/0x290 [ 545.495808][T18712] v4l2_open+0x1bf/0x3a0 [ 545.500037][T18712] chrdev_open+0x4cc/0x5e0 [ 545.504440][T18712] ? __pfx_chrdev_open+0x10/0x10 [ 545.509365][T18712] ? fsnotify_open_perm_and_set_mode+0x113/0x610 [ 545.515683][T18712] ? __pfx_chrdev_open+0x10/0x10 [ 545.520605][T18712] do_dentry_open+0x7ce/0x1420 [ 545.525362][T18712] vfs_open+0x3b/0x340 [ 545.529419][T18712] ? path_openat+0x33f3/0x3dd0 [ 545.534165][T18712] path_openat+0x340e/0x3dd0 [ 545.538745][T18712] ? __pfx_stack_trace_save+0x10/0x10 [ 545.544113][T18712] ? kmem_cache_alloc_noprof+0x37d/0x710 [ 545.549735][T18712] ? getname_flags+0xb8/0x540 [ 545.554398][T18712] ? __pfx_path_openat+0x10/0x10 [ 545.559317][T18712] ? __lock_acquire+0x6b6/0x2cf0 [ 545.564242][T18712] do_filp_open+0x1fa/0x410 [ 545.568730][T18712] ? __pfx_do_filp_open+0x10/0x10 [ 545.573743][T18712] ? _raw_spin_unlock+0x28/0x50 [ 545.578579][T18712] ? alloc_fd+0x64c/0x6c0 [ 545.582900][T18712] do_sys_openat2+0x121/0x200 [ 545.587572][T18712] ? __pfx_do_sys_openat2+0x10/0x10 [ 545.592759][T18712] ? exc_page_fault+0x71/0xd0 [ 545.597423][T18712] ? do_user_addr_fault+0xc85/0x1380 [ 545.602693][T18712] __x64_sys_openat+0x138/0x170 [ 545.607539][T18712] do_syscall_64+0xec/0xf80 [ 545.612029][T18712] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 545.618079][T18712] ? trace_irq_disable+0x37/0x100 [ 545.623099][T18712] ? clear_bhb_loop+0x60/0xb0 [ 545.627765][T18712] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 545.633659][T18712] RIP: 0033:0x7fec964a7407 [ 545.638065][T18712] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff [ 545.657652][T18712] RSP: 002b:00007fff01ee6820 EFLAGS: 00000202 ORIG_RAX: 0000000000000101 [ 545.666051][T18712] RAX: ffffffffffffffda RBX: 00007fec9641d880 RCX: 00007fec964a7407 [ 545.674010][T18712] RDX: 0000000000000000 RSI: 00007fff01ee6f1b RDI: ffffffffffffff9c [ 545.681970][T18712] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000 [ 545.689929][T18712] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [ 545.697890][T18712] R13: 00007fff01ee6a70 R14: 00007fec96ca3000 R15: 0000555e343164d8 [ 545.705853][T18712] [ 545.709204][T18712] Kernel Offset: disabled [ 545.713508][T18712] Rebooting in 86400 seconds..