B="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0x9b010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:26 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e6680a2000204010002000270fff8", 0x16, 0x1000000}], 0x800000, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, 0x0, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) sendmsg$NL80211_CMD_LEAVE_MESH(r5, &(0x7f0000000380)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x50000}, 0xc, &(0x7f00000000c0)={&(0x7f0000000300)={0x74, 0x0, 0x200, 0x70bd25, 0x25dfdbff, {}, [@NL80211_ATTR_WDEV={0xc, 0x99, {0xbd9e, 0x1}}, @NL80211_ATTR_WDEV={0xc, 0x99, {0x4, 0x1}}, @NL80211_ATTR_WIPHY={0x8, 0x1, 0xffffffffffffffff}, @NL80211_ATTR_WDEV={0xc, 0x99, {0x3f, 0x2}}, @NL80211_ATTR_WIPHY={0x8, 0x1, 0x1}, @NL80211_ATTR_WDEV={0xc, 0x99, {0x6, 0x3}}, @NL80211_ATTR_WDEV={0xc, 0x99, {0xffffffe1, 0x2}}, @NL80211_ATTR_WIPHY={0x8, 0x1, 0xffffffffffffffff}, @NL80211_ATTR_WDEV={0xc, 0x99, {0xded}}]}, 0x74}, 0x1, 0x0, 0x0, 0x1243fb2832a9ab0b}, 0x890) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) ioctl$VIDIOC_RESERVED(r0, 0x5601, 0x0) 07:10:26 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe8020000, 0x0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:26 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0xff00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1074.373962][T21880] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1074.385241][T21880] ref_ctr decrement failed for inode: 0x4201 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000967cdd56 [ 1074.398598][T21887] FAT-fs (loop4): bogus number of reserved sectors [ 1074.406085][T21887] FAT-fs (loop4): Can't find a valid FAT filesystem 07:10:26 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0x9c000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1074.437237][T21880] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:26 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xea020000, 0x0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:26 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000180)=[@textreal={0x8, &(0x7f0000000280)="baf80c432c9187f01766efbafc0cb8bd00ef0f320f624e10bad104ec26660ff85f50361b0f20c0663502000080f26eb800088ec00fae470b", 0x39}], 0x32, 0x51, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) r4 = dup(r3) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) r5 = socket(0x10, 0x803, 0x0) dup(r5) setsockopt$SO_RDS_MSG_RXPATH_LATENCY(r5, 0x114, 0xa, &(0x7f0000000000)={0x3, "bf44e8"}, 0x4) [ 1074.506057][ T27] audit: type=1804 audit(1586329826.352:1307): pid=21897 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1693/bus" dev="sda1" ino=16899 res=1 [ 1074.535108][T21880] ref_ctr decrement failed for inode: 0x4201 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000967cdd56 07:10:26 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0xffff}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1074.561069][T21887] FAT-fs (loop4): bogus number of reserved sectors [ 1074.567799][T21887] FAT-fs (loop4): Can't find a valid FAT filesystem 07:10:26 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x25dfdbfb, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1074.667665][T21904] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1074.738680][T21904] ref_ctr decrement failed for inode: 0x4201 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000967cdd56 [ 1074.803650][ T27] audit: type=1804 audit(1586329826.652:1308): pid=21911 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1694/bus" dev="sda1" ino=17329 res=1 07:10:26 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:26 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xea030000, 0x0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:26 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20e, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:26 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x2}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:26 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0x9c010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1075.080511][ T27] audit: type=1804 audit(1586329826.932:1309): pid=21932 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1695/bus" dev="sda1" ino=17299 res=1 07:10:27 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xee020000, 0x0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:27 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/snd/timer\x00', 0x20a00) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) setsockopt$inet6_tcp_TCP_REPAIR(r3, 0x6, 0x13, &(0x7f0000000040)=0x1, 0x4) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000180)=[@textreal={0x8, &(0x7f0000000280)="baf80c432c9187f01766efbafc0cb8bd00ef0f320f624e10bad104ec26660ff85f50361b0f20c0663502000080f26eb800088ec00fae470b", 0x39}], 0x32, 0x51, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) r6 = dup(r5) ioctl$PERF_EVENT_IOC_ENABLE(r6, 0x8912, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r4, 0xae80, 0x0) 07:10:27 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) getsockopt$inet_tcp_buf(0xffffffffffffffff, 0x6, 0x21, &(0x7f0000000300)=""/79, &(0x7f0000000040)=0x4f) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') r3 = socket(0x10, 0x803, 0x0) dup(r3) sendmsg$NL80211_CMD_GET_SCAN(r3, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x70bd2b, 0x0, {0x11}, [@NL80211_ATTR_WIPHY={0x0, 0x1, 0x2}, @NL80211_ATTR_WIPHY={0x8}]}, 0xfffffffffffffd16}}, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r5, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="380000559a819f050100004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r4, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:27 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x3}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1075.247402][T21944] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1075.258203][T21944] ref_ctr decrement failed for inode: 0x4205 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000967cdd56 [ 1075.271632][T21944] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1075.283506][T21944] ref_ctr decrement failed for inode: 0x4205 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000967cdd56 [ 1075.316414][ T27] audit: type=1804 audit(1586329827.162:1310): pid=21948 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1696/bus" dev="sda1" ino=16521 res=1 07:10:27 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0000000, 0x0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:27 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0x9d000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:27 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x4}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:27 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x218, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:27 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x5}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1075.637007][ T27] audit: type=1804 audit(1586329827.482:1311): pid=21964 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1697/bus" dev="sda1" ino=17336 res=1 07:10:27 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0x9d010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:27 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0020000, 0x0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:27 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) r1 = creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r2 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r2, 0x804) r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000580)=ANY=[@ANYBLOB="280a7f000e631bb271a24dcd4f006fdb317be7b99b8b228e469a3fba6a5894d4a5f23187ff5470ff1e7bda64f684722f5c63f97f82a6220d66dd9a6febed37d15e3f443dfcf59d74d501", @ANYRES16=r3, @ANYBLOB="c18f0000000000000000110000003500990000000000000000000800010000000000d051a9212c949a1df58cbd089f9116841cf0b0"], 0x3}}, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFCONF(r1, 0x8912, &(0x7f0000000340)=@req={0x28, &(0x7f0000000300)={'macvlan1\x00', @ifru_settings={0x80, 0x800, @fr=&(0x7f00000000c0)={0xa0000000, 0x3, 0xb9, 0x350ec568, 0x6, 0x37a, 0x6}}}}) openat$vcs(0xffffffffffffff9c, &(0x7f0000000380)='/dev/vcs\x00', 0x280, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) ioctl$BLKROSET(r1, 0x125d, &(0x7f0000000040)=0x7) socket$netlink(0x10, 0x3, 0x0) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r5, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r4, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000880)=ANY=[@ANYBLOB='<\x00\x00\x00,\x00\'\r\x00'/20, @ANYRES32=r7, @ANYBLOB="0000000000000000090000000b000100666c6f77657200000c000200040054800400558070f0850b4dff5f0d15aced3cbf6e6693cb44c50d56103b5969e2ddca44c31d07000000df633626c3112bbf75c1690000004f1e581b40686e3e81314b76f3312bc7f53eaadd7c795bee06d3d223c8de2d6c7db851da96431d232fdf70e1bbbcb233fad5619774d6b5c6fe6e1978347060ca528af6e07258e885e3ecebdf451bcba7af9e6a684e9db5f1579d6ae548db9b40c704a341c04d9d43b3c056f79211efe1438ad2486a68e04fea7d70cb002ad14985df3dc00595484b26438df8895eeece439a20d6cea2c30cced3f2492dff140b138e41ca9909b6944c453e03cb5a036e444e39aecda6b98d77cd03ad090000000000000098326dcf14fa0e6b7d04cb8aed361cd4d34bd5e3a6ed0b05a56f344ab8bb7b67f07f6c8e37017a2d30a90ab899eefc73e721773402e15bfd0e14e9f30f020b0926e87e2e23fe1877e0a5ed4da6462ca6f83df38f467f9aee"], 0x3c}}, 0x0) 07:10:27 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x6}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1075.841244][T21975] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1075.867203][T21975] ref_ctr decrement failed for inode: 0x4205 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000589f28b1 [ 1075.906194][ T7803] attempt to access beyond end of device [ 1075.910040][T21975] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1075.913967][ T7803] loop4: rw=1, want=130, limit=63 [ 1075.938585][T21975] ref_ctr decrement failed for inode: 0x4205 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000589f28b1 [ 1075.951906][ T7803] attempt to access beyond end of device [ 1075.986753][ T7803] loop4: rw=1, want=131, limit=63 [ 1076.002020][ T7803] attempt to access beyond end of device [ 1076.020808][ T7803] loop4: rw=1, want=132, limit=63 [ 1076.026100][ T7803] attempt to access beyond end of device [ 1076.032069][ T7803] loop4: rw=1, want=133, limit=63 07:10:27 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000180)=[@textreal={0x8, &(0x7f0000000280)="baf80c432c9187f01766efbafc0cb8bd00ef0f320f624e10bad104ec26660ff85f50361b0f20c0663502000080f26eb800088ec00fae470b", 0x39}], 0x32, 0x51, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) r5 = dup(r3) ioctl$PERF_EVENT_IOC_ENABLE(r5, 0x8912, 0x0) r6 = syz_open_dev$loop(&(0x7f00000001c0)='/dev/loop#\x00', 0x0, 0x105084) r7 = memfd_create(&(0x7f0000000600)='\x00\x00\x00\x00\x8c\x00'/15, 0x1) pwritev(r7, &(0x7f0000f50f90)=[{&(0x7f0000000100)="a8", 0x1}], 0x1, 0x81003) ioctl$LOOP_CHANGE_FD(r6, 0x4c00, r7) sendfile(0xffffffffffffffff, r6, 0x0, 0x102000003) r8 = accept$alg(r5, 0x0, 0x0) r9 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffff, 0x1001c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, @perf_config_ext={0x3}, 0x0, 0x0, 0x3, 0x0, 0x4}, 0x0, 0x8, 0xffffffffffffffff, 0x0) fcntl$setstatus(r9, 0x4, 0x3800) io_uring_register$IORING_REGISTER_FILES_UPDATE(0xffffffffffffffff, 0x6, &(0x7f0000000200)={0xfffffffa, &(0x7f00000001c0)=[0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, r6, r8, r9, r4]}, 0x9) ioctl$SNDRV_CTL_IOCTL_CARD_INFO(r5, 0x81785501, &(0x7f0000000000)=""/146) ioctl$RTC_WKALM_RD(0xffffffffffffffff, 0x80287010, &(0x7f0000000100)) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 1076.039599][ T7803] attempt to access beyond end of device [ 1076.045520][ T7803] loop4: rw=1, want=142, limit=63 [ 1076.054969][ T27] audit: type=1804 audit(1586329827.902:1312): pid=21987 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1698/bus" dev="sda1" ino=17333 res=1 07:10:28 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x7}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:28 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0030000, 0x0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:28 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0x9e000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:28 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x244, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:28 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xa}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1076.328607][ T27] audit: type=1804 audit(1586329828.182:1313): pid=22009 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1699/bus" dev="sda1" ino=17332 res=1 07:10:28 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf2030000, 0x0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:28 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xc}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1076.605716][T22023] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:28 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x10}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:28 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0x9e010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1076.663342][ T27] audit: type=1804 audit(1586329828.512:1314): pid=22036 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1700/bus" dev="sda1" ino=17341 res=1 [ 1076.667144][T22023] ref_ctr decrement failed for inode: 0x43bc offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000006e641f3b 07:10:28 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000180)=[@textreal={0x8, &(0x7f0000000280)="baf80c432c9187f01766efbafc0cb8bd00ef0f320f624e10bad104ec26660ff85f50361b0f20c0663502000080f26eb800088ec00fae470b", 0x39}], 0x32, 0x51, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) r4 = dup(r3) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) symlink(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='./file0\x00') r5 = socket(0x10, 0x803, 0x0) r6 = dup(r5) ioctl$PERF_EVENT_IOC_ENABLE(r6, 0x8912, 0x400200) write$P9_RSTAT(r6, &(0x7f0000000100)={0x6e, 0x7d, 0x1, {0x0, 0x67, 0x2, 0x5, {0x2, 0x3, 0x3}, 0x40000000, 0xffffffc1, 0x8, 0x6, 0x0, '', 0x11, 'systemnodev.%ppp0', 0x1a, 'wlan0cgroup+system!cpuset}', 0x9, '/dev/kvm\x00'}}, 0x6e) ioctl$KVM_RUN(r2, 0xae80, 0x0) 07:10:28 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf6ffffff, 0x0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:28 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x18}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1076.797786][T22023] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1076.817485][T22023] ref_ctr decrement failed for inode: 0x43bc offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000006e641f3b 07:10:28 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') socket$nl_generic(0x10, 0x3, 0x10) sendmsg$rds(0xffffffffffffffff, &(0x7f00000007c0)={&(0x7f00000004c0)={0x2, 0x4e20, @empty}, 0x10, &(0x7f0000000780)=[{&(0x7f0000000580)=""/182, 0xb6}, {&(0x7f0000000640)=""/14, 0xe}, {&(0x7f00000006c0)=""/183, 0xb7}], 0x3, 0x0, 0x0, 0x20000083}, 0x4) r2 = socket$nl_route(0x10, 0x3, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r4 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r4, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x44) getsockname$packet(r4, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r3, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000040)=ANY=[@ANYBLOB="38000000050000050000000000000004000000046065b3f1745cc3cc0df7b1e8f8a4d1f394b39f06964eaca7a7092019783083b0476a39e6eee2647266e05b54984be88c", @ANYRES32=r5, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x3}}, 0x0) sendmsg$nl_route_sched(r2, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r5, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) getsockname$l2tp6(0xffffffffffffffff, &(0x7f0000000400)={0xa, 0x0, 0x0, @remote}, &(0x7f0000000480)=0x20) [ 1076.987897][T22052] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1077.003088][ T27] audit: type=1804 audit(1586329828.842:1315): pid=22050 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1701/bus" dev="sda1" ino=16771 res=1 07:10:28 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0x9effffff, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1077.025434][T22052] ref_ctr decrement failed for inode: 0x43bc offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000006e641f3b 07:10:28 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x48}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:29 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfa030000, 0x0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:29 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x30) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:29 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x298, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:29 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x4c}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:29 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x68}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1077.344085][ T27] audit: type=1804 audit(1586329829.192:1316): pid=22075 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1702/bus" dev="sda1" ino=16609 res=1 07:10:29 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff030000, 0x0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1077.502428][T22083] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1077.523950][T22083] ref_ctr decrement failed for inode: 0x4141 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000038fbdc3b [ 1077.538724][T22083] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:29 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0x9f000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1077.546818][T22083] ref_ctr decrement failed for inode: 0x4141 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000038fbdc3b [ 1077.614009][T22093] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:29 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x6c}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1077.683294][T22093] ref_ctr decrement failed for inode: 0x4141 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000038fbdc3b 07:10:29 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffff7f, 0x0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:29 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x74}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:29 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2dc, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:29 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x5) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) r6 = socket(0x10, 0x803, 0x0) dup(r6) connect$bt_sco(r6, &(0x7f0000000040), 0x8) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:29 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffff8c, 0x0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:30 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x7a}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:30 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0x9f010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1078.108063][T22120] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1078.126535][T22120] ref_ctr decrement failed for inode: 0x4172 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000006e641f3b [ 1078.230350][T22120] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1078.268980][T22120] ref_ctr decrement failed for inode: 0x4172 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000006e641f3b 07:10:30 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xb5}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1078.417603][T22139] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1078.446591][T22139] ref_ctr decrement failed for inode: 0x4172 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000006e641f3b 07:10:30 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa0000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:30 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xec}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:30 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffff6, 0x0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:30 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2f4, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:30 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xf0}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:30 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x300}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1078.830241][T22158] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1078.864979][T22158] ref_ctr decrement failed for inode: 0x40c1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000038fbdc3b 07:10:30 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x700000000, 0x0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:30 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000300)=ANY=[@ANYBLOB='(\x00\x00\x00', @ANYRES16=r2, @ANYBLOB="c18f0000110000002700990000000000000000000800010000070000000000000000dec886980664dbfb00957daa3c5859be5e8b11509c3680749098728f23d20115d73c1acd97240e886e6a5c997641d36aee675c103376a9870acd26aa2dc505d3df6b3596a421abe216cd892d731ee8541e3f1996f0"], 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) setsockopt$inet_sctp6_SCTP_INITMSG(0xffffffffffffffff, 0x84, 0x2, &(0x7f00000000c0)={0x2, 0x4, 0x201}, 0x8) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYPTR=&(0x7f0000000040)=ANY=[@ANYBLOB, @ANYRESOCT=r1, @ANYRESDEC]], 0x3}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@deltclass={0x38, 0x29, 0x200, 0x70bd2b, 0x25dfdbfb, {0x0, 0x0, 0x0, r6, {0xd, 0x6}, {0x9, 0xa}, {0xffe1, 0x1}}, [@tclass_kind_options=@c_drr={{0x8, 0x1, 'drr\x00'}, {0xc, 0x2, @TCA_DRR_QUANTUM={0x8, 0x1, 0x80000001}}}]}, 0x38}}, 0x0) socket$can_j1939(0x1d, 0x2, 0x7) ioctl$VIDIOC_QBUF(0xffffffffffffffff, 0xc058560f, &(0x7f0000000480)={0x0, 0x0, 0x4, 0x0, 0x0, {0x0, 0x7530}, {0x0, 0x3000000, 0x0, 0x0, 0x0, 0x0, "bc4c74c7"}, 0x0, 0x7, @offset=0x400040, 0x10ff00}) ioctl$VIDIOC_SUBDEV_S_DV_TIMINGS(0xffffffffffffffff, 0xc0845657, &(0x7f00000006c0)={0x0, @bt={0x4a9, 0x7, 0x1, 0x3, 0x1, 0x7, 0x899, 0x7f, 0x1, 0xffffffff, 0x2, 0x3ff, 0x97, 0x10000, 0x12, 0x10, {0x0, 0x4}, 0x7, 0x81}}) 07:10:30 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa0010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1078.901407][T22158] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1078.932546][T22158] ref_ctr decrement failed for inode: 0x40c1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000038fbdc3b [ 1079.087265][T22158] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1079.099612][T22158] ref_ctr decrement failed for inode: 0x40c1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000038fbdc3b 07:10:31 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x500}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:31 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:31 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x300, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:31 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x600}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:31 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa1000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:31 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000480)=ANY=[@ANYBLOB="2800e6fff618f87207000000ac7a9c26e6fe86e9697498d064c1e27aa39f0903dbc0d1d361856dd96e21c1173115332c9a9286", @ANYRES16=r2, @ANYBLOB="c18f0000000000000000110000002700990000000000000000000800010000000000"], 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) getsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f00000079c0)={{{@in=@initdev, @in6=@mcast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in6=@empty}}, &(0x7f0000007ac0)=0xe8) getsockopt$inet6_mreq(r1, 0x29, 0x1c, &(0x7f000000d040)={@loopback, 0x0}, &(0x7f000000d080)=0x14) socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f000000d0c0)=@newtfilter={0x186c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_rsvp={{0x9, 0x1, 'rsvp\x00'}, {0x183c, 0x2, [@TCA_RSVP_ACT={0x490, 0x6, [@m_sample={0x70, 0x20, 0x0, 0x0, {{0xb, 0x1, 'sample\x00'}, {0x44, 0x2, 0x0, 0x1, [@TCA_SAMPLE_PARMS={0x18, 0x2, {0x7, 0x834d, 0x10000000, 0x3, 0x20}}, @TCA_SAMPLE_PSAMPLE_GROUP={0x8, 0x5, 0x711}, @TCA_SAMPLE_RATE={0x8, 0x3, 0xe5}, @TCA_SAMPLE_PARMS={0x18, 0x2, {0x3, 0x7f, 0x6, 0x0, 0x87}}]}, {0x1a, 0x6, "8c3546c679c555b277ea9edd02e3f892e90679456997"}}}, @m_ife={0x148, 0x18, 0x0, 0x0, {{0x8, 0x1, 'ife\x00'}, {0xbc, 0x2, 0x0, 0x1, [@TCA_IFE_SMAC={0xa, 0x4, @broadcast}, @TCA_IFE_METALST={0x2c, 0x6, [@IFE_META_SKBMARK={0x8, 0x1, @val=0xf03a}, @IFE_META_TCINDEX={0x6, 0x5, @val=0x80}, @IFE_META_PRIO={0x8, 0x3, @val=0x20}, @IFE_META_SKBMARK={0x8, 0x1, @val=0x9}, @IFE_META_TCINDEX={0x6, 0x5, @val=0x8000}]}, @TCA_IFE_METALST={0x28, 0x6, [@IFE_META_SKBMARK={0x8, 0x1, @val=0x5}, @IFE_META_TCINDEX={0x4, 0x5, @void}, @IFE_META_PRIO={0x4, 0x3, @void}, @IFE_META_SKBMARK={0x8, 0x1, @val=0x8001}, @IFE_META_PRIO={0x4, 0x3, @void}, @IFE_META_PRIO={0x8, 0x3, @val=0x4}]}, @TCA_IFE_SMAC={0xa, 0x4, @broadcast}, @TCA_IFE_PARMS={0x1c, 0x1, {{0x3, 0x7, 0x6, 0x7, 0x8}, 0x1}}, @TCA_IFE_SMAC={0xa}, @TCA_IFE_TYPE={0x6, 0x5, 0x8}, @TCA_IFE_PARMS={0x1c, 0x1, {{0x9, 0x6, 0x0, 0x9, 0x40}, 0x1}}]}, {0x7e, 0x6, "5df66addc190ea473346cd55871ca7f336fe2bf02e0cad0487d9d3f66be3ca68b9a63ae06d9039afe366da69fcc5de606bc3f4287d5d80f2a1162b691faa697667ab600a02a6ebcd38fb0c794012217800b5fc52c234dfa4cadea874d52d949f60d3cd6de71f9dea246615b20ecdcefcf817629a9763f89a8402"}}}, @m_csum={0xdc, 0xc, 0x0, 0x0, {{0x9, 0x1, 'csum\x00'}, {0x20, 0x2, 0x0, 0x1, [@TCA_CSUM_PARMS={0x1c, 0x1, {{0x7, 0x4be8, 0x3, 0x9c3}, 0x7f}}]}, {0xa9, 0x6, "3fc6703374dda5ac6f905c55f6401d4ef40ed21ae481aaea54e93b4a2fd10ebadc5e06d8dc1d35f2555d6d87a25c7fc29624ecf4d3d4728dc98453ba0af69065849a1d15175e03d16e191d71ad5a204be1a23111edaf153272e18556add62f53f11d6ca2fbb1a5505bef2fd570d8d9ad3f4475c1b80d80e165000eeb2a8e771c19029418517b719ac902ec939a849944202f8534cb34d18640620105e1c53afdafcb06ce08"}}}, @m_gact={0xe0, 0xc, 0x0, 0x0, {{0x9, 0x1, 'gact\x00'}, {0x94, 0x2, 0x0, 0x1, [@TCA_GACT_PROB={0xc, 0x3, {0x1, 0x1454, 0x10000000}}, @TCA_GACT_PARMS={0x18, 0x2, {0x9, 0x0, 0x6, 0x9, 0x7f}}, @TCA_GACT_PARMS={0x18, 0x2, {0x5, 0x63f44403, 0x1, 0x1, 0xfffffffc}}, @TCA_GACT_PARMS={0x18, 0x2, {0x5, 0x5, 0x3, 0x944, 0x7}}, @TCA_GACT_PROB={0xc, 0x3, {0x0, 0x1787, 0x10000000}}, @TCA_GACT_PARMS={0x18, 0x2, {0x8, 0x7fff, 0x0, 0xffff8000, 0x2}}, @TCA_GACT_PARMS={0x18, 0x2, {0x6, 0x0, 0x1, 0x9, 0x5}}]}, {0x3a, 0x6, "55bf67e9a7176fa8588cb2655ba4d2680f55262bcc75911a43e9ae8e72f6b3b9cf41ee98f954d0cd9683cb874dd04c7868cff208ed4a"}}}, @m_skbmod={0x118, 0x15, 0x0, 0x0, {{0xb, 0x1, 'skbmod\x00'}, {0x6c, 0x2, 0x0, 0x1, [@TCA_SKBMOD_PARMS={0x24, 0x2, {{0x57, 0x9, 0x8, 0x6, 0x4}, 0x3}}, @TCA_SKBMOD_SMAC={0xa, 0x4, @random="c2f39eb689c2"}, @TCA_SKBMOD_PARMS={0x24, 0x2, {{0xa75, 0x40, 0x8, 0xa9c, 0x7ff}, 0xd}}, @TCA_SKBMOD_SMAC={0xa, 0x4, @link_local}, @TCA_SKBMOD_ETYPE={0x6, 0x5, 0x9}]}, {0x99, 0x6, "960e23add96c51a4a3c5f3b3f357a40d85fba0bb18a8ae0697473be22ec373edd69c5ba6c88f29efcb92040776f9ea10e6be42fd47e28fb2ffb0871b5d69a46eed04b9cc4e6ddacbbdc2eda27119cfe4d64fd82e3d5d07647a4447adef4bc68e7f08c3c92b74c48f17bc50b86965eeb5767812c5b0bdaf60a772321669e82b995439a06a41f9d3881ad4ab1f5cd2f68003b81386f4"}}}]}, @TCA_RSVP_ACT={0x6e4, 0x6, [@m_skbedit={0x11c, 0x6, 0x0, 0x0, {{0xc, 0x1, 'skbedit\x00'}, {0x5c, 0x2, 0x0, 0x1, [@TCA_SKBEDIT_PRIORITY={0x8, 0x3, {0x4, 0xffe0}}, @TCA_SKBEDIT_MARK={0x8, 0x5, 0x1}, @TCA_SKBEDIT_PRIORITY={0x8, 0x3, {0xe, 0xf}}, @TCA_SKBEDIT_MARK={0x8, 0x5, 0x4}, @TCA_SKBEDIT_PARMS={0x18, 0x2, {0x0, 0x0, 0x1, 0x40, 0x6}}, @TCA_SKBEDIT_PARMS={0x18, 0x2, {0x5, 0xfffffffb, 0x7, 0x0, 0x3}}, @TCA_SKBEDIT_QUEUE_MAPPING={0x6, 0x4, 0x8}]}, {0xae, 0x6, "028bb92c74187985f34006f400125c64e5ad9db81ebdc04cfb9c95c6f0a81cb4347007237ed1f1e406a33b627cfff2d905ccab36d380febca47c6c6ab679b9f6584c1ec8b194cd0a77786396c6ed7dc683c096544c8c01533f8e7c1a9d8c004421dce2903f9d99d008ba9110172021519c27dd3129c0c3c4311704ef69a167eb2be06e97bef16ff6ab41bc4ac6a8fc9d5fb15add9a382f3c88f958642c686f221387ceabf910d382e085"}}}, @m_ipt={0x264, 0x1b, 0x0, 0x0, {{0x8, 0x1, 'ipt\x00'}, {0x154, 0x2, 0x0, 0x1, [@TCA_IPT_INDEX={0x8, 0x3, 0x20}, @TCA_IPT_INDEX={0x8, 0x3, 0xfff}, @TCA_IPT_TABLE={0x24, 0x1, 'security\x00'}, @TCA_IPT_TARG={0xd2, 0x6, {0x0, 'filter\x00', 0x3, 0x380, "a1784c75e980c4c02beb7623adc60048e649f14990dda798bec179a9e8cf68797bc9014f3c8a73ea3b2f38a6a4ae5d86a1dca4938d5757fc62c8cc17a59b33222ea9f1ac6fc432c23cf0bae0d186cfdb656613157a68cc375ce530cb6a8f216a7ee9bd0f5a3facaa4ca4c3d5368f6ec69020119d5d34b8a8b1830a4122285cfa071da50a681f044b97d6cda1255cdccd509c21c217d1a96cf99082a017c47d917f84deba2664548d"}}, @TCA_IPT_TABLE={0x24, 0x1, 'raw\x00'}, @TCA_IPT_TABLE={0x24, 0x1, 'nat\x00'}]}, {0x101, 0x6, "206b1941f205b36e1cf34324bfdb7cecbd607089e64791439f07c810ee040dea555a65d702ded4c18ab47e7bdd86ddabb7be55bcd9478f9cd2a18767d0b0517d2efcb27b6cf74a3bce2829ea4accba2a336f7d2cd97d808127706a39b21feab8be504970423f0c7bfe1bc2c7d0206a3f7f0d68e60c8e2468926b0927e748f97c3f46ec1cad8001cac9456c3a1ad362a185013661888cc3cc5c43aa1db4c6d0d3a5078ee873e93b7ae12ec9757004eecc10250e3efee83b11ebb5b4054237637818dc4ebc83aecc852124fac21a66456aa1c8016f23f98fce0d4d261d537452bb559e920a627f09b31920b4f1d775182f64039fd469f9fdea3a58731dbc"}}}, @m_nat={0x1a4, 0x2, 0x0, 0x0, {{0x8, 0x1, 'nat\x00'}, {0x16c, 0x2, 0x0, 0x1, [@TCA_NAT_PARMS={0x28, 0x1, {{0x4, 0x5, 0x0, 0x1, 0x1}, @empty, @multicast1, 0xffffff00, 0x1}}, @TCA_NAT_PARMS={0x28, 0x1, {{0xffff8000, 0x5, 0x20000000, 0x76, 0x4cf}, @loopback, @rand_addr, 0xff000000, 0x1}}, @TCA_NAT_PARMS={0x28, 0x1, {{0x70, 0x9, 0x8, 0x4c, 0x4}, @remote, @multicast1}}, @TCA_NAT_PARMS={0x28, 0x1, {{0xe769, 0x5, 0xffffffffffffffff, 0x3, 0x3f}, @local, @rand_addr=0x4, 0xff}}, @TCA_NAT_PARMS={0x28, 0x1, {{0x20, 0x7, 0x10000000, 0xf7e5, 0x5a4}, @empty, @remote, 0xffffffff, 0x1}}, @TCA_NAT_PARMS={0x28, 0x1, {{0x5, 0x0, 0x5, 0x1, 0xffffffff}, @multicast1, @multicast1, 0xffffff00, 0x1}}, @TCA_NAT_PARMS={0x28, 0x1, {{0x7fffffff, 0x1, 0x3, 0x6, 0x458b}, @multicast2, @rand_addr=0x1, 0x0, 0x1}}, @TCA_NAT_PARMS={0x28, 0x1, {{0x1, 0x7, 0x5, 0x0, 0x5}, @remote, @multicast2, 0xffffff00, 0x1}}, @TCA_NAT_PARMS={0x28, 0x1, {{0x1, 0x4, 0x5, 0x80000001, 0x9}, @rand_addr=0x3ff, @remote, 0xffffff00, 0x1}}]}, {0x2c, 0x6, "0053f9ec5e4dda0fc500e4504760d8fc8cf4e2fa8aab2c80ac7f768ec898719740c211ce3dd63148"}}}, @m_mirred={0x120, 0x14, 0x0, 0x0, {{0xb, 0x1, 'mirred\x00'}, {0xe4, 0x2, 0x0, 0x1, [@TCA_MIRRED_PARMS={0x20, 0x2, {{0x3, 0xe57194c, 0x1, 0x6, 0xd476}, 0x1, r7}}, @TCA_MIRRED_PARMS={0x20, 0x2, {{0x4126b9aa, 0x0, 0x4, 0x9, 0x1}, 0x3}}, @TCA_MIRRED_PARMS={0x20, 0x2, {{0x5, 0x8, 0x1, 0x6, 0xffffffff}, 0x3, r8}}, @TCA_MIRRED_PARMS={0x20, 0x2, {{0xc293, 0x78, 0x10000000, 0x20, 0x100}, 0x1}}, @TCA_MIRRED_PARMS={0x20, 0x2, {{0x6, 0x5, 0x30000007, 0x1, 0x3}, 0x2, r6}}, @TCA_MIRRED_PARMS={0x20, 0x2, {{0xffffffff, 0x65, 0x6, 0x1, 0x7fffffff}, 0x3, r6}}, @TCA_MIRRED_PARMS={0x20, 0x2, {{0x7, 0x5df7, 0x3, 0x229, 0x7ff}, 0x8625230b1e49b942, r6}}]}, {0x2a, 0x6, "16ee3321ac1a19562d432e4540631a6dadc81a9434093a0f9871a95fbad2f798ec04c6c8da4a"}}}, @m_ct={0x9c, 0x12, 0x0, 0x0, {{0x7, 0x1, 'ct\x00'}, {0x34, 0x2, 0x0, 0x1, [@TCA_CT_NAT_IPV6_MAX={0x14, 0xc, @mcast2}, @TCA_CT_LABELS={0x14, 0x7, "76f0503e79b76687152f7b9b4c47ed51"}, @TCA_CT_MARK_MASK={0x8, 0x6, 0x39}]}, {0x5a, 0x6, "ef8c8fc70e211c88765d13390a9ab62670edd7a4f25900517de73b0a2e9623cc255b64605775b4fc53544f54f6f398b4b0ebf08bd065c70548239bcefe2eedf49d799b1680be604b25948188839489c1395c5b20ef42"}}}]}, @TCA_RSVP_DST={0x8, 0x2, @empty}, @TCA_RSVP_POLICE={0xcb8, 0x5, [@TCA_POLICE_PEAKRATE={0x404, 0x3, [0xad, 0x927, 0x68, 0x6, 0x7, 0x69, 0xfffffffc, 0x3, 0x2, 0x6, 0xffff, 0x0, 0x2, 0x8, 0x9, 0x10000, 0x6, 0x34747523, 0x9d70, 0x7, 0x77, 0x8, 0x5, 0xb5, 0x9, 0x6, 0x72, 0x64, 0x4, 0x1, 0x7, 0x9, 0x4, 0x7ff, 0x0, 0x9, 0x1, 0x3, 0xfff, 0xff, 0x3499, 0x1, 0x3ff, 0x0, 0x81, 0x0, 0x0, 0x1ff, 0x20, 0x4ac, 0x8b, 0xffffff01, 0x7fff, 0x1f, 0x5, 0x2, 0xea, 0x1000, 0x2, 0x7, 0xffff1f26, 0x1f, 0x383, 0x4, 0x2, 0xff, 0x7, 0xb2, 0x4, 0x8, 0x1083, 0x68, 0x80, 0x0, 0xce, 0xffffffff, 0x7fffffff, 0x200000, 0x7fc00, 0x5, 0x401, 0x6, 0x2, 0x1, 0x400, 0x1, 0x8, 0x9, 0x4, 0x9, 0x3a, 0x4, 0x8, 0x1, 0x1, 0x7723, 0x7, 0x9, 0x4, 0x200, 0xfff, 0x0, 0x3ff, 0x1, 0x0, 0xfff, 0xffff, 0x1, 0x3, 0x80000001, 0xbe, 0x0, 0x4, 0x1f, 0x5, 0x7, 0x80000001, 0x1, 0x7, 0x9, 0x70, 0x5, 0x8, 0x5, 0x8001, 0x3f, 0x9, 0x9, 0x6, 0xaefb, 0x9, 0xf759, 0xffff0000, 0xffffffff, 0xfffffff7, 0x8, 0x7, 0xd0, 0x82e, 0x9, 0x8000, 0x2, 0x0, 0x7, 0xe264, 0xa, 0x20, 0x70, 0x8dc9, 0x2, 0x0, 0x9, 0x8, 0xfffffffe, 0x1, 0xbd, 0x346c, 0x10001, 0x0, 0x634, 0x9, 0xffffff80, 0x8001, 0x101, 0x7, 0x6, 0x3ff, 0x3ff, 0x3ff, 0x5, 0x9, 0x10001, 0x10001, 0x80, 0x7, 0x1ff, 0x0, 0x0, 0x3, 0xb2b, 0x80000, 0x5, 0x1, 0x6, 0x1, 0x6, 0x7ff, 0x9, 0x80, 0xde, 0x80, 0x3, 0x7fffffff, 0x101, 0x2, 0x7, 0xffff, 0x29, 0x1, 0x0, 0x2, 0x5, 0x3, 0x2, 0x2, 0xa27, 0xf1e, 0x7ff, 0x7, 0x53, 0x10000, 0x5, 0x6, 0xffffffff, 0xfff, 0x7, 0xfff, 0x7, 0x2, 0x0, 0x7, 0x6, 0x5, 0xec, 0x6, 0x100, 0x80000001, 0x5, 0x0, 0x1000, 0x227, 0x5, 0x1, 0x40, 0x0, 0x0, 0x0, 0x80000000, 0x3, 0x80, 0x0, 0x6, 0x1f44c1b6, 0x4, 0x4f7b, 0x3, 0x3ff, 0x100, 0x593, 0xffffffd5, 0x5, 0x1, 0x401, 0x4f468a95, 0xa7, 0x5c2]}, @TCA_POLICE_TBF={0x3c, 0x1, {0x80000001, 0x10000000, 0x20, 0x400, 0x3f, {0x20, 0x1, 0x6, 0x1f, 0x9, 0x5}, {0x1f, 0x0, 0x1, 0x81, 0x9, 0x31}, 0xfffffff7, 0x4, 0x7}}, @TCA_POLICE_PEAKRATE64={0xc, 0x9, 0xb5}, @TCA_POLICE_RATE64={0xc, 0x8, 0x80000000}, @TCA_POLICE_PEAKRATE64={0xc, 0x9, 0x4}, @TCA_POLICE_PEAKRATE64={0xc, 0x9, 0x16e}, @TCA_POLICE_PEAKRATE={0x404, 0x3, [0x4, 0x8a, 0x7fff, 0x56f5, 0xfffffe67, 0x1, 0x6, 0x4, 0x2, 0x5, 0x4, 0x200, 0x7, 0x9, 0xd3, 0xfffffff9, 0x1, 0xa9fe, 0x1000, 0x401, 0x0, 0x51d1, 0x8, 0x40, 0x3, 0x20, 0x1bdc02a0, 0x7, 0x54d779fa, 0x8, 0x7f, 0x4, 0x16, 0x10200, 0x7, 0x4, 0x21, 0x1000, 0x1, 0x0, 0x1, 0x9, 0x6, 0x7ff, 0xeaa, 0x1, 0xfffffffd, 0x4, 0xb4d7, 0x7, 0x5f, 0x1fa, 0x7fdfffff, 0x1, 0x5605, 0x9, 0x1, 0x0, 0x3f, 0x9, 0x8, 0x5, 0x3, 0x6, 0x9, 0x3, 0x7fffffff, 0x4, 0x6, 0x1, 0xca, 0x8000, 0xfffeffff, 0x7, 0x8, 0x4, 0x1, 0x78e, 0x20, 0x800, 0x9, 0x10000, 0x8, 0x4, 0x5e, 0x1, 0x800, 0x1, 0x20, 0x1000, 0xfffffffd, 0x400000, 0x1, 0x5, 0x101, 0xfffff800, 0xcf9, 0x7, 0x3, 0x1, 0x3a, 0x24d0c121, 0xa290, 0x3, 0x9, 0x8, 0x1f, 0x0, 0x1, 0x88000, 0x5, 0x4, 0x1b4, 0xcb5, 0x8, 0x7, 0xf9, 0x321f, 0x3, 0x5, 0x400, 0x40, 0xfffffffe, 0xffffffff, 0x3f, 0x0, 0x8, 0x7, 0x7, 0x3, 0x10000, 0x7f, 0x4, 0xeb, 0x10001, 0x8, 0x6f19e71a, 0x7, 0x5, 0xfffffffb, 0x6, 0x1, 0x1ff, 0x8001, 0x93f, 0x8, 0x8, 0x6, 0xb4, 0x7, 0xffffffff, 0x10000, 0xed5, 0x886, 0x5, 0xfff, 0x0, 0xfffffff8, 0xfffffeff, 0xfffffffc, 0x4, 0x4b257569, 0x4, 0x5, 0x8, 0x8, 0x0, 0x4, 0x8b1, 0x6, 0x4, 0x5cdae7d7, 0x100, 0x0, 0x10001, 0x5e63, 0x1000009, 0x7fffffff, 0x1, 0xffffff80, 0x7, 0x4, 0x6, 0x1ff, 0xffffffff, 0x3e, 0x9, 0x3, 0x7, 0x1, 0xc2d, 0x8, 0x1, 0x9, 0xffff, 0x100, 0x8, 0x0, 0x7, 0x8, 0x7fffffff, 0xf86, 0x1, 0x5, 0x0, 0x7, 0x2, 0x0, 0x101, 0x3, 0x5, 0x3, 0xf5, 0x200, 0x6, 0x3, 0xffffffff, 0x2, 0x8, 0xb9, 0x6, 0x5f, 0x1f, 0x4, 0x2a, 0x10001, 0x1f4, 0x8, 0x6, 0x200, 0x7c18, 0x9, 0x101, 0x6, 0x84c9, 0x0, 0x6, 0xd6cd, 0x3, 0x1c, 0x9, 0x0, 0x7, 0x965, 0x4, 0xffffffc1, 0x3ff000, 0x3, 0x8001, 0x4, 0x6, 0x8, 0x9a, 0xa42, 0x1a]}, @TCA_POLICE_RATE={0x404, 0x2, [0x40, 0x9, 0x10000, 0x1, 0x1, 0x1, 0x0, 0x2, 0x5, 0xb565, 0x233, 0xb06eda2, 0x4, 0x9, 0x39, 0x3, 0x2, 0x1, 0x58, 0x81, 0x8, 0x8, 0xc0000000, 0x6b, 0x3f, 0x3, 0x1, 0x4, 0x100000, 0xf1, 0x8, 0x8, 0x8, 0x2, 0x101, 0x0, 0x0, 0x40, 0x7ff, 0x6, 0x8, 0x8, 0x8, 0x7, 0x5, 0xbc, 0x4, 0x5, 0x0, 0x2, 0x40, 0x0, 0x0, 0x1, 0x6, 0x80, 0x20, 0x100, 0x28cd, 0x8, 0x7fff, 0x0, 0x7f, 0x80000001, 0x10001, 0x50e, 0xed88, 0x401, 0x2, 0x7, 0x7, 0x9, 0x1000000, 0x6, 0x5, 0x1, 0x0, 0x200, 0xfffffffa, 0x6, 0x3f, 0xaa, 0x3, 0x7, 0xfffffe00, 0x772, 0x5, 0x5, 0x3, 0x5, 0x400, 0x1, 0x8, 0x6, 0x8000, 0x7ed, 0xfffff8e9, 0x97, 0xffffffaf, 0x1f, 0x3, 0x9, 0x40, 0xffffffff, 0xfff, 0x5, 0x4eb6, 0x3, 0x1, 0x0, 0x1, 0xd69, 0x5, 0x3, 0x4, 0x4, 0x711c2a09, 0x0, 0x4, 0xffffffa9, 0x400, 0x6, 0xa21, 0x18cd, 0x8, 0x401, 0x8000, 0x8dfd, 0x1, 0x7, 0x1, 0x0, 0x81, 0xb22, 0x3, 0x3, 0xffffffc1, 0x3, 0x2, 0xa971, 0x1, 0x3, 0xcff6, 0xb3, 0xde90, 0x4, 0x7ff, 0x101, 0xffc, 0x3, 0x5, 0xdd7, 0x81, 0x20, 0x1cf3, 0x1, 0x7, 0x5d2e, 0x0, 0x43, 0x2, 0x739e4b62, 0xfff, 0x1, 0x40, 0x4, 0x0, 0x9, 0x9, 0xe89, 0x8000000, 0x6375, 0x3, 0x93f, 0x6, 0x9, 0x7ff, 0x5, 0x3, 0x4, 0x5, 0x6, 0xffffffff, 0x40, 0x80, 0x1ff, 0x9, 0x9, 0x4, 0x8001, 0x8, 0x6, 0x6777, 0x2, 0x18, 0x861c, 0x200, 0x8, 0x1000, 0x80000001, 0x1, 0x7, 0x1ff, 0x4, 0x5, 0x3c, 0x0, 0x919, 0x5, 0x800, 0xffffffff, 0x6, 0x8001, 0x1, 0x1000, 0x6, 0x0, 0x1, 0x6, 0x1, 0x4, 0x3, 0x2, 0x3ff, 0x7, 0x8, 0x10000, 0x8, 0x7, 0x0, 0x79, 0x6, 0xc4, 0x8, 0x5, 0x0, 0x81, 0x661, 0x9984, 0x3, 0x5, 0x9, 0x10000, 0x3a, 0xffff8001, 0xff, 0x1, 0x5, 0x8, 0x7ff, 0x7, 0xffffffff, 0x5, 0x1, 0x0, 0xffff7fff]}, @TCA_POLICE_TBF={0x3c, 0x1, {0x10001, 0x0, 0x26dc, 0x81, 0x4, {0x0, 0x1, 0x94, 0x1, 0x4, 0x3}, {0x20, 0x0, 0x20, 0x9, 0x800, 0x5}, 0x200, 0x42d, 0x9}}]}, @TCA_RSVP_ACT={0x4}]}}]}, 0x186c}}, 0x0) 07:10:31 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x700}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1079.531786][T22186] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1079.555084][T22186] ref_ctr decrement failed for inode: 0x4131 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000038fbdc3b [ 1079.577434][T22186] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:31 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1079.608884][T22186] ref_ctr decrement failed for inode: 0x4131 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000038fbdc3b 07:10:31 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xa00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1079.717315][T22204] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1079.752672][T22204] ref_ctr decrement failed for inode: 0x4131 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000038fbdc3b 07:10:31 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa1010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:31 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x110) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) ioctl$sock_SIOCGPGRP(r1, 0x8904, &(0x7f0000000040)) prctl$PR_SET_PTRACER(0x59616d61, 0xffffffffffffffff) clone(0x80000100, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r3 = gettid() wait4(0x0, 0x0, 0x80000002, 0x0) vmsplice(0xffffffffffffffff, &(0x7f0000000100)=[{&(0x7f0000000040)="0f34", 0x2}], 0x1, 0x0) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000140)=ANY=[@ANYRES64, @ANYBLOB="a7b74aad84a9d68309edfe37d385"], 0x0, 0x16}, 0x20) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r5 = dup(r4) ioctl$PERF_EVENT_IOC_ENABLE(r5, 0x8912, 0x400200) ptrace$setopts(0x4206, r3, 0x0, 0x0) 07:10:31 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xc00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:31 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x334, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:31 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x1800}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:31 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:32 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x2000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:32 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa2000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:32 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x4000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:32 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:32 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x4800}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:32 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x364, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:32 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x4c00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1080.639544][T22260] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1080.651080][T22260] ref_ctr decrement failed for inode: 0x40f2 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000bcf7ed9f [ 1080.662222][ T27] kauditd_printk_skb: 5 callbacks suppressed [ 1080.662245][ T27] audit: type=1804 audit(1586329832.502:1322): pid=22256 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1711/bus" dev="sda1" ino=16754 res=1 [ 1080.697473][T22260] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1080.707854][T22260] ref_ctr decrement failed for inode: 0x40f2 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000bcf7ed9f [ 1080.819701][T22264] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1080.828414][T22264] ref_ctr decrement failed for inode: 0x40f2 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000bcf7ed9f [ 1080.841156][T22264] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1080.849374][T22264] ref_ctr decrement failed for inode: 0x40f2 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000bcf7ed9f [ 1081.837289][ T0] NOHZ: local_softirq_pending 08 07:10:34 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x6800}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:34 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa2010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:34 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:34 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000180)=[@textreal={0x8, &(0x7f0000000280)="baf80c432c9187f01766efbafc0cb8bd00ef0f320f624e10bad104ec26660ff85f50361b0f20c0663502000080f26eb800088ec00fae470b", 0x39}], 0x32, 0x51, 0x0, 0x0) r3 = socket(0x10, 0x803, 0x0) r4 = dup(r3) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}) r6 = dup(r5) r7 = syz_genetlink_get_family_id$netlbl_mgmt(0x0) sendmsg$NLBL_MGMT_C_ADD(r6, &(0x7f0000000100)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x400000}, 0xc, &(0x7f00000000c0)={&(0x7f0000000700)=ANY=[@ANYBLOB, @ANYRES16=r7], 0x2}, 0x1, 0x0, 0x0, 0x20008000}, 0x10) sendmsg$NLBL_MGMT_C_PROTOCOLS(0xffffffffffffffff, &(0x7f0000000200)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x2}, 0xc, &(0x7f00000001c0)={&(0x7f0000000140)=ANY=[@ANYBLOB, @ANYRES16=r7, @ANYBLOB="00022dbd7000fcdbdf250700000008000800e00000020800040001000000"], 0x24}, 0x1, 0x0, 0x0, 0x20080080}, 0x40004) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000000)={[0x7, 0x5, 0x2, 0x0, 0x81, 0x4, 0x63a4, 0x3ff, 0x3, 0x8000000000000000, 0x1, 0x3f, 0xb6, 0x8, 0x7, 0x3], 0x1000, 0x20000}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) r9 = dup(r8) ioctl$PERF_EVENT_IOC_ENABLE(r9, 0x8912, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS(0xffffffffffffffff, 0xc0045516, &(0x7f00000002c0)=0x7fff) 07:10:34 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3dc, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:34 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) prctl$PR_SET_FP_MODE(0x2d, 0x2) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) sendmsg$TIPC_NL_PEER_REMOVE(0xffffffffffffffff, &(0x7f0000000380)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x4}, 0xc, &(0x7f0000000340)={&(0x7f00000006c0)={0x274, 0x0, 0x100, 0x70bd2a, 0x25dfdbfb, {}, [@TIPC_NLA_MEDIA={0x38, 0x5, 0x0, 0x1, [@TIPC_NLA_MEDIA_PROP={0x34, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x400}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7ff}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x24a06f5c}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xd}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x5}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x4}]}]}, @TIPC_NLA_LINK={0xcc, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_PROP={0x3c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x10}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x1}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x6}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x20000000}]}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8}]}, @TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz0\x00'}, @TIPC_NLA_LINK_PROP={0x2c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1b}, @TIPC_NLA_PROP_TOL={0x8}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0xa6}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x14}]}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0x34, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x1000}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0xda0b}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xd}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x2}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x101}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6c204464}]}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0xaf20}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0xad}]}, @TIPC_NLA_BEARER={0xfc, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x401}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e22, @multicast2}}, {0x20, 0x2, @in6={0xa, 0x4e24, 0x7f, @dev={0xfe, 0x80, [], 0x19}, 0x1ff}}}}, @TIPC_NLA_BEARER_PROP={0x34, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xe}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x1}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x200}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x3}]}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x1000}, @TIPC_NLA_BEARER_PROP={0x1c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x1}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x140}]}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0xe53}]}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e23, 0x6, @remote, 0x1}}, {0x20, 0x2, @in6={0xa, 0x4e24, 0x61, @ipv4={[], [], @loopback}, 0x800}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x6}]}, @TIPC_NLA_SOCK={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x7f}, @TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x8}]}, @TIPC_NLA_NODE={0x38, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x80}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x4}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x101}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x2}]}]}, 0x274}, 0x1, 0x0, 0x0, 0x4080}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) openat$vcs(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vcs\x00', 0x3a200, 0x0) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {0x0, 0x7}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x64044) 07:10:34 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x6c00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1083.156547][T22273] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1083.180076][T22273] ref_ctr decrement failed for inode: 0x4231 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000bcf7ed9f 07:10:35 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa3000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1083.217331][T22273] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1083.240064][T22273] ref_ctr decrement failed for inode: 0x4231 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000bcf7ed9f 07:10:35 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) r1 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) write$vhost_msg(r1, &(0x7f0000000480)={0x1, {&(0x7f0000000300)=""/184, 0xb8, &(0x7f0000000040)=""/24, 0x3, 0x2}}, 0x48) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r2 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r2, 0x804) r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)=ANY=[@ANYBLOB="54030000", @ANYRES16=r3, @ANYBLOB="c18f0000000000000000110000002700990000000000000000000800010000000000"], 0x28}}, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r5, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r4, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:35 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x7400}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:35 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x7a00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1083.466362][ T27] audit: type=1804 audit(1586329835.312:1323): pid=22275 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1712/bus" dev="sda1" ino=16593 res=1 07:10:35 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:35 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ea, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:35 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xb500}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:35 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r3 = socket(0x10, 0x803, 0x0) r4 = dup(r3) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) ioctl$NBD_SET_BLKSIZE(r4, 0xab01, 0x7fffffff) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000180)=[@textreal={0x8, &(0x7f0000000280)="baf80c432c9187f01766efbafc0cb8bd00ef0f320f624e10bad104ec26660ff85f50361b0f20c0663502000080f26eb800088ec00fae470b", 0x39}], 0x32, 0x51, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)) r5 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r5, 0x8912, 0xffffffffffffffff) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) r6 = socket(0x10, 0x803, 0x0) r7 = dup(r6) getsockopt$TIPC_GROUP_JOIN(r6, 0x10f, 0x87, &(0x7f0000000000), &(0x7f0000000040)=0x4) r8 = socket(0x10, 0x803, 0x0) dup(r8) setsockopt$netlink_NETLINK_BROADCAST_ERROR(r8, 0x10e, 0x4, &(0x7f0000000100)=0xffff0000, 0x4) ioctl$KVM_REGISTER_COALESCED_MMIO(r7, 0x4010ae67, &(0x7f0000000080)={0x5000, 0x102000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 07:10:35 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa3010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1083.811850][ T27] audit: type=1804 audit(1586329835.662:1324): pid=22313 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1713/bus" dev="sda1" ino=17073 res=1 07:10:35 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000380)='./file0\x00', 0x1d2) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000040)='/dev/btrfs-control\x00', 0x4000, 0x0) getsockname$ax25(r5, &(0x7f0000000300)={{0x3, @rose}, [@null, @default, @rose, @remote, @default, @null, @remote, @netrom]}, &(0x7f00000000c0)=0x48) r6 = socket(0x21, 0x803, 0xffffffff) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f00000006c0)=ANY=[@ANYBLOB='@&\x00\x00,\x00\'\r\x00'/20, @ANYRES32=r7, @ANYBLOB="0000000000000000090000000b000100666c6f7765720000102602000400548008260300581009000b0001006d69727265640000440002802000020001000000ff03000000000000890200000900000004000000", @ANYRES32=0x0, @ANYBLOB="200002008100000000081192638b9552730d43000900000003000000", @ANYRES32=0x0, @ANYBLOB="04100600ee5f218c49c493010de65b8db0c1727897c389ad412ca4df5502d6d8cec174f743efbd2756d884924da7454d33497d1ccd1ef4a2b79ea294d9fa4762ad097d9b95995a2c845774e1b86c4bfffa45cd5be08622597de9b6ba2083a2b6e454165afb99161dd5717d9ba6bfd9217c6e9170602c85c9c0f20dc4504543b78c8079a9f9c5969244cc2490c71b779d7387632c4926a2b30d8e17ecf5700aaf340c648ad3c2e598efdcb4b6e2d0845d9ae1c9ecef9a86fb6f9ceced3b0b063bb9963f740d049f25195de2a75cdafd2972cd4c92602575ec2179f9283bce1913f3d3fd9fb28093d87abd6065695aa181c04a3433a956e72390c1ffe4a996a86d23b8b906dcc2b334dde9e5e84843066993fa5dd4b2b322782ba2771d7f48b7c7e1a7f054cf6e811195823b31cbb0f8bfd34b677b504d25a64ce6de2475876db8f6fb0f9287287dfc53489323406d03fd99bf930f194233897b1312f9b151c661a5e7782ec40d2cd93a7204a56cbf9a991df8a1ba3f4fda07f4bf0fa4f7f6f2fcf313eb4905a2e6f85705a0a2f3612877008056fb1f3f97c4b7958eea8abd788c25fbb02f203d933f7edc9a1af16e31b4ef71ac2692c1855dd4252f91b54797939037305a5d9c74971340c3d805ed55f23e4e9ad0a33dfddab2a1f74b09d348082758bdce256fd80f09654daf27ea3827917bbddce2fa34207d148a7811b8ce9b96375db18eeba813a096dd473931741708b50525248f313b4f1422f737883f6b493e211be26304e0ae4fddf9411721a19455da11d3ccc396e6ba33fecc21a8e4006ef29482e00dffc5b9bc09cd3337483b3e11fd674aa22eb1a32ad627a851e9332c22826e3bcf7c4e0f151fdf0ddf772217600ff24eba6d06de525aa84397685b92f0e5aafc7631e079515c4b3c432646702fb967f9449d96f99a7a9d3ac4d6807d1ceb957a6c1b1c2c764757d5bd73d2f35791b6439711283596ba9d9324160806cba7c0a9df5acf52c0d5508f69140122a89086e365358a2005131e49a5e173b7f8939639d041a7d632be668171bc8f8a8407f5c823e59d2052431f319a6c34f505919ec89324fd32ca6d489516687d60234c4c14e617af8c841952406d2ead472a1229c4b54a9931bb7fd235b1b23996d18140574f255aa87719c85a2b147591f48d9267a43d5447209c596da2682f34a19ceb6a049ec1c59e669f75a15a00f544edbf1a7e7f18968b72192d11e5e49001d43591b3fa1fc52d946797d4c11f136c307e73604ff041101e0aa1036bb4c20e4032d0a2c217be9dc6e4b8f539225503b7e2e5f597e6291ddae7a1385d95148c362ec804e82f2e2528991e36625b4b211b9ee31cd1842cdb037a382d420eaac10bf69ab0d319def6b8cc438c5c28ec6bad336ddbbc3b2bc3f97547c0a562cab318d32dfe87d735c1bc7cde0d96b740baa5448907a2c2383a43b251e68adde11c9852242568492dc380b4e029a6a0adba81e8c1acf95872658a07a832ab7c4718ce50269f68ec907cc5531b3dd80af664f6f11967588ba8589f040082bc90326dd788c7882251debf31552808399f8ce62f87937da4359f0cd797148da90f061a697df056cd943a8ec3fb59995b2405abe33739716249fdbf6eac89396916f92540fd410a470a2340dc3fb28503d9a656902140cf687cd3c86afa1c00307733526a018413a73b10004483398a6b8ab796fb71fe4553f7444d05357895597abb5a136a595023afd686834612a088d5fe8f6b076dcb904c6b3b41f5106ad2cd57a6d3a7770b72b6d5a56033391d41237eb649933f491ab44d7d18913952e0890ed170e9db9a2fd859f3d8d7d767ee91a988dc41317ef4ba0a03140f1ef52ac9483e41644ef6361a5d8683d3ac89a66375dbae072068463f1e4ee346c4d7cc638ffd5abe15ff0478ddeb77d09e6db7b296c40c9f1beb85541b4c08c76b90859ac2d933446daa2d30b9b95f1704423af03a18442e333aefff50ba61f8ac0bd2f1f587ec3b875fcb0bc11688c8d79daefa0a86b7a8a17e5e8f2ac09a49e21ab4377b4242fb25df912d1b3a68e09b760125bc21128580032b3ec7831972951e6efc8b8ccb8c24f9641925d9b59c0a39b56ce7ecd887cba94164bff49024497d544ae33fc23caa2fe34fe93220faea498c27d10f88b89c0ff19cd3b08c016c97b255b0b4e41297277849da761637c89bad2bab2a705305ad1e5cb35c6d100419769952b47f76f20598d3b1c2cf589b7a1d1734f571ae400b3161de56fcca9352ec70178dafdc06a83f7c00dacbc2545a8f0d1d3542e3c6b7c13db3209ec9b7294a98ce2f1630c58335b3189c00e9f01230335443c1f4f06603a09543c0074ab0bf820908696bcd9b27807b150d7d358516c956eb7905a2dfea7363601a884b932ee168e10e7e30c4d03d4f5c15c2521cb9411eaacad579c9143039f2d17c6d44860740259e02db4e9866cd8a7e730cf04274a76fc304fe874262d893853ed5734faf9127e91a9113b464a59b3442aa4c57fba17460030b12acb717542c3cfb1bc1c07a3b110ccb444b019c1833c68cd8216aebab26e257ea1fbd97dfab8fcd21166986bf95caa4285cf4e236a27fb08cef7428bebbec428352040ef2b7dfc26d4875be089ce9b9b3c106073e8a35e8d4756a266020ee25205c8dfa196c041434e49ede8e1e1e7df58f1a308bf77530a6baf321aa7148afb93e3fb62dab1ede1bdb797296a810ea2681602719166d91f114345eb81089d314da45cf5e5bd25402e9a6c7b0aa8e04a758c75fdb31b9f60245c4a575802a69b618ec8958248053d8b67c1a51ef3780a7f9cee9980ad6bfa835c0208453d13dcb4de8202e822b7fdfe238fb93aa4a63ca920478605c5cdc836e5a3549cf8b99efa2df253fe5165c5e84d23ee37085e29d3fc7f18035c8b2fc417de18dc09110f7821284b68bc8e4fbd4acf6b7374adcbc0344964c7bb6c9828efd555f466173e68d1ce9725bebfd05d7d2b4ebfa661c26d23c362feda1294f95198546c039f8ab4f94b79340f7cc9b2a251f0b72b8169e693603115034a0c15f8fc94ee223cb9c5143769e9bfc8fa63f0ca7a021634e488def0186854699fc33106fe345e91b1b885fb723e4aabf7d622bc10d9416311290db1f9a21af2ce30f07db0a937046c5e40be8fda4e8e2409b14f3bca645ae9f6931888a411593840c0ac0dc45df9e83478f12aaa055877e2b3ec989ef206d644cc8fd2eabb7b195a8392374994c2a4e3df66493e9a7f00b65d73b44c7004f692cf13b3a02383216a0a27d08b9ea4ef7ce79bac3fca30d380481a3808f9cdfa85e4f9c032997b8276f7c1cbabc35d21f1edcd81b8b512a193120253f79d774284b32b81db505385400784614ee0678c9ddea90636be8bceb10105596528c7d43acecacea5acdcfee0515d045eecaa3365b0115afa01d56b62ae64f5e18874c28903479181d4c887e1b68cb638d63e6a04c9ce2b96648b4e272f1180bcdff9cdc228f9e4259cc7f35e8898be2fcba378ea08bf48b9e35e41182ee95f9291166d5e01597e072d48e9c34bcbe640555ffedde205e34a820306efd7ea168ec2f061fe46ea9281731469bb289f6da13c33547a91b27590000ba9a3c70e9ce039df382159dd1964cdfaa36cf0a4cbc6f31b66856b54960bb5510e892baf36c40399148c5b712c59abb4b42f92406f652cd672d907f7d1e2fa9769b5f6a10c60520ff6423973d347868d498736769f5ca12c6160770729d331264bc263e5cb79ad0a3b891cf6ac62b1ee5fe69f19d15286384ff5631a338b23fc8a49bfccd0890ca87a67af24d91656aa0e4b3804595bf8c6dda4479a7d5041a516050cf53c5c9aa8ab9dc83cbcf5b90984afcf738d845c6aaec71d923df392667a95a0894fe9a1359a1c4a39c45c03ff644a14b3c771df5adb71956b333dc027bcda9db5ddfc8539d8ddce0a6e47a421c647f6c61e651084b8f7f9c918dd3d7afa8c674978bf145d6c623c9b548082de4caa1177a7d3e4962d88efe9b767e2e20464ac3c7f2011ed02099df3f8b754ed91cf35296384cdebdd9d7d762b21b213a7781c2aef517bf32b3f58ead29d6e03f1fd483dfa9122f6e3d5b882a26dc69733a70afac31f5197cf30843ab74d66628045fa34715a1e9c871324b9267693956e97f0c712db1070be24ef235cdcf6b673721b7b7893e62e9a583530ed9e28f83d105d8bfbe6c34b4b80dfd975cda3c6e52d997e441cc427368a46de636b8187ba85a518d8a65c20a57d91ec47dac09146dbf2b4d83c83d49b4a2da533c6316f5212af0a955ff6a1d3eeb926fd07f65809636753fea43aff3ea29bf990d2d2f258f5697782ee5eee56e1e1ddfeb5a520c98315257934628d376511855547eec3e66b83711a38ea41f42ed25de0e4b0dcb54020828cc48010bae40f813e8aba6bdd79a95bb836852fea24781007ae461bcec01789cc1b84c07dccf1de7ae2a917b7b90be52e24606b284db2d1e7606879f4344bc6b1c62ab82d2a852a366cae74fbbbf520f874f32318e2945112c23b57b4f0e8503c3fb19359c61cc1164764606c7a2327dbca93dc70d3cc0878642b728f7396ecd89d0334bbc287f9bca6f3ef99591354e7e126ffb04370f3412559d16e499f867b6eee9c260887c5677bc74aeaf6a8c34de4e50e4c4a7f06bb8a704fba9a16f8569e16c4462b8926874ebd1c5d165893a0994ce69d06df48ef49dc57922878e70bef48fda564842fc1811c2fb67a0c651f2a69fca981aed5e15937530e0b1f4af2e983c5c3899a058ba10c6db753060e8f01fe68ee88fe7dd8d2bc80a3c44fc7b0d8bb4e17d3fd90ed451930a836198048d068e122aa58466f0db0e5b1d920a3b902ba9de408276a39da526cde9060baf6d3a33cc1cb1e8de19b5a404420e568b5b660d0b09668bf82c4e5d2cfd12bc7b1a832dcd2a2b0ff6e845b566db4a82db90eb177b229567e764efb5f198a6e5a0c3a34c265300d3f4713198435838d84bef67dae12d50ca779d4bab8795f10b2619bdf9cb1152be4a26e223accf662115724138f56817b5ca4d482bd60182612df29d9625515f4fef42b15a249e6849ca064b08360d3e542b470c186dd4731519d581ffe6b3750cbfa922252fba93ee4a1a2ff0546c726d2ac12c89965ad05b4aae98b67a48cb0871d81f905c11ea6f4a2c9f13d0b7a728f40abd515861d3bc2b61fb7022009b1ec469265e2b3cd6b82b4ab6da056442fbd8e5dd1a741354a3aeca354aeccb666084eeab717bd0f22ed8f76e45e20c15c4d189bf727b9fd7c9d9f4ae64af538a6706dc8e0b4a2e75af7e33678a099c4813bd2079c131f6999c6522969d9b564fb4ddedeb8ff936541101026f261fcfa6a33abe58805302ab48609a2298690b7261f79a53c7fb951bf4cf2132f2962dde6423c16de9ea4f01e4ddbfb0084532289f3b0c0570220f704febfe26e8534dd0fa195e81aaefb5d4b7c8dd76460c6d1d726780e523fd07cddbcb07be435f6f30cc837c1ed0d59947c7cc986a14b5fb5dde26d1c5283238ca56c52c1bdd1932db337c5daae561c29a2578dffa08e43eac361d92d03773dfef447a20f1d5c76a429836d62b22c5cc0327aad2e980721f51a0116c5a0efa250804d247069283856cbe1a94b586e6ab30da1ff7ddfd2d71f4f252fc52caaec09b53d665a890e2ef2d993b5770998eacc6793d85c27ab5af20af04992ed4dec401d52d90cc74de1dcdf3528314b9780041037e3c363b42d1b884bdef635cc2615837a4c6a830fe05000900010067616374000000001c000280180002005706000007000000050000009fffffff0300000070000600b8ee13f3f489018a55b22d7bf266a0cb9f3bba5c390dd0607dccb0272c6efc9c29b49af74962c3402e7981ca752db7ce83ca0c652cc4e730162293d77d2aab3e0ce7f4081afb1fd8893d77024158fb5add59ba4d41dac33eede58d7b623df5f169cb8152b26bfe81da4e8edd88011f00080001006e617400f4000280280001000500000000040000fdffffcf8a0000000800000000000000ac141423ffffff00010000002800010006000000bb5000000200000003000000010000007f000001ffffffff00000000000000002800010008000000ff0000000500000075504204feffffff00000000ac1e0001ff0000000100000028000100ff7f00000200000007000000ffffffffff7f00007f00000100000004000000ff0000000028000100ff7f000001000000ffffffff01010000030000000000724f7f000001ffffffff010000002800010007000000ff010000000000000600000008000000ac1e0101ffffffff000000ff0000000088000600da3cb9454e11d8eaaf8a3b4be8866046109f97ee0197d5e30e47b0c571f4b7b5dff074b4fb578df19208bd15d993249a096ccb3300c8cb7f45904f6ee2fa13a933bb6e615a3349bdf83bd467b44be7208eab1fe714b562f86bf1fa524b7428e44036546af23664269959f40963bab33314c1ec7d9361f21541f12cb57018f628e6e8a1a990021f00080001006e617400940102802800010000000000278893c706000000c0ffffff0900000000000000ac1414bbffffff0000000000280001000080000003000000080000000700000005000000ac1414aae0000001ff00000001000000280001000080000007000000040000000900000006000000ac1414aa0000000700000000010000002800010004000000050000000000002000000000050000007f000001ffffffffff00000000000000280001000180000047000000040000000400000000000000ac1414aae0000001000000000100000028000100c80500006a05000005000000010000000100000000000080ac1e010100ffff0000000000280001003f0000000000000003000000ff01000003000000ac1414bb00000000ffffffff0000000028000100f000000008000000040000000900000006000000e00000027f00000100ffffff010000002800010002000000030000000500000002000000ff00000000000000000000000000000001000000280001000800000009000000010000000100010040000000ac1e0001e0000002ffffffff01000000ef000600409bb9e3d777be65b317d7e8e84bee022a5d998c511da55c072ef07dc35aa6c58016098223c3edc8c9a595eb491d0ef5e62b639ec609066dc3a51dcc0556c2e7acd3155830c54014a07254b695ea390e59b85a7a1fee6be425456d7247035e020fd1aa81248fc46d31e7bfa98f59ecbecbc822ee9c49e65011d1f75e62967cc24c3ce5b8c8a9ed68a772fbbad8c1e287a7d84e2a15b93566aafc2085421dc8b73d21e00875e28ea12b064f3dc58547460f1f6c4941e8ee5dceb9083a04c6669e1105250eb7ed95e45ee8c643d181b11ef43817bdc523943d13af3a084ec9abe7831ffa362f7db9f9df8b9d00f81013000800010069707400e80002800800020003000000080003007f000000240001007365637572697479000000000000000000000000000000000000000000000000980006001f006e61740000000000000000000000000000000000000000000000000000000000f6000200a6df34182a317836c0c5caeb462a9c4478f98fcddd9703877c438d6a3ca4584b026481675b12b80a494605f6e169ebf286bb975065d136f051c2408b81e6d84b7bd68604c65f31fed0d465808d370155645e72f4f0a93f6f7c83c14e9e2b13aa8e90280e6fe8235885896a312a780800020000000000080002000100000008000300e0ffffff0410060093e8922459f8e5c58e49a959173d18dae32e5c63dda3e3ae131f508290b614c58da60852c1c670c902ec9475c3a850e1f43bd59097cc2b75b2fcc4f93fee8999172cb73672bedaa343c8f983930f6d7718a4757eb0de63bb046c2710d11923b07f1ac330d277eb05fbf34c7777aa955805236260081ef0381bc55b620cba199bcc42bf552a55e7535971c17db99facb7f253928e4924ab0f65a7574a288891e53797e5539cad72ed20bdc35b9481c2db6f068552902fcf7ca3dfe5e88814c9c83e312dc946753b81f497534857dd9641ad7b80ead7d5a20e438cc8bc61d0317694e6eaf51bbb38b0b54eaa46cbebfc5f3ad8c1047900f127ef47c0a6af564f592701a9ed4963aa86b8cc7d8f59df8d1c33edd551ef221bd462d830fa6be935763d7aab1faf1a889b76bc0cb92903b1ce9d4f8990f999159bdebb21fb20bfc9d62412048cceb9ac33eb948b6525463ec75e9c73fd45912a24e52cb756514c18a77cde0b148fb5047172f2010b6ebadf678200cbe1250b8ea8cb1f888a8b26e49da6cfcf4ae328192768987f554297576b51dd080108d57450c9d27733596fff621f947d421b3f4c25a3f729cd8149b9d89cf468ce63019125a502a714dca63c6c31f8c601a95d553db34887cf9bf7bba8fd565b5e417d36004be0de7ee59b5590d07a5918ee5e52e69cadc86c14add296f8fc41fdae26047eb6ac2f1331be71b8f68a3d923a6a52b4687bc8a67ffad125df2bc8081f47347eeb385ab491ae43eb8f28de7e915f9e9e96b1765b0e1677c59f4bea9442089f1205a8e78562d2a89f56926fd126a6696ef0a14632dc079fc7210f4c958cd24ce9ec0cbc833298ead1aff1c0cdf62b57b86d8f85cf946a27fcd6d942e9b773641791c37491c2827f6d0e8a538da895d4909560954b32dc08d9d97b6066160f9dcb242c92be44cb306f9708147ac0e279b719c2550b42c6e7170694122d217efb5191ca07fae6a4fa38f25f253b454f078d18f27a1fbe72fe42909458cf1f9a9670020fab9389b59388ebbcac85b429d090710d5d971e915248e36309a23d996eb88df3f7f1f5a6920a2dde4fddaa2014243c7a07c494f499e1bf7cdccec10ae7f5934e6351bb48c20f560cf40f7d5ac928163f81b19127f0f1670f13b554346de12b5e6dd82c3f8d0cab8940064f7bb85561afefb3705f32e2771896e9d218ce58b6b148f5882b60c6c9cafd95f8365804b6699c1562bfb51ebf8443b0ef12ffb9909e89f1b8cae0647681f8f103400edbd49e7c9d9574511cbc971b4c27bd30b34cb75bb50bfbb32debdd082e20c3438860af92b70482938f0b0b06590cea065fe4d119a7575b6d63f612a8a2e325f06d4392d576b4c60b7c39bd414a46d3f8d3aca07d0645a310a5115fde3cf738c1fe098264ed2be120e465f3bdb55b28799a62e940b7071df372dc61a625e289be11afb7c0793aae7e2ffe96acb3df3c45b927e48ee46ad160cad9867d862c16479a3e1b1dff4877f0bf66b26b368db45a1409f4bd664de7b8c16cc0280114a71a098ef3cb8185fed68508ed87ee2c53fa6e0190c32171e217296db5aad05425cc36d37f58c7f0595140f191d21cdd2cb4443d101e2dc4a6ab44479d03d40f8db1956a07f99807308f7fb060163bf9a3521483bb23df703d13a8ae2c6841f3902c215592e938bcaac2d43d377394016cac2f951c33c550ef544281ccd8fd8463a374ee6aa0ae117f57433c38fc6015483c8230b72497f9343319078c4be9df1b648d3341ebafe24e7de92171c6f54c9403e52b9b40a9b95c50b7ed796e7e97d5e0935db8f4837dee35fa06ee8fc7a3dddb50dbb7b2a61e34e7708f23d1f102e7ca5daca2034d576913f05f32569c21c38749a9eaafa7b5dbffdc7c13371f5f5d44cc21678cdcf7a02f9b247662659b825fa8fd86e4c0281809036358cb310f407837e9095557150ac3d7a549846cdb3b1b608437d01410b369a84ce6a15076a655ca84bec2b055b49812545a5258097d6fdcf4d8df25d8943d3b09f06665b6b2f8b3c4736f943ea3208bc045153b5ac1e8e2d39d8871631d708c9e3acd6cca5a71639931319684050d13c7c47cc80f841d3312785b5978f2e3cdc5342affa024231120ad55ba0b4a50f0b022d972a610cfb0448ef7f7ab957c69c72a9fe6b88f1d6395bd53452c4ceb5cc2f3d37a689e34c464775f4cdeeb512b0caf9172ec944b1ee3b02d676d2ab1212ed06d18c5fbba77fe29a949f1670f254f3e6e4ed5e3c190cb0ed8da88d5c065cf3ac89348d9f8a6b6621e93f9ea120cfcca9b45ef59940f5fbd001f6fa6480799100cab6e55faa01b77eebf2975d59d5e23d0b08322d6597ba237198b0172d05ab81d2e04d1bb5fbf412410970d7505d27d5c67ff2387fdcfbf596524ae19452890df93b9b021fa448794e07756cc8d416b166a6026f8bc622b6578cbb55d621d7156aa997f9eae73b85ef53d304a54b1cb998c56c019883b0b10628a0872932edb6f24a3f338a7cd448cc6f81ff2ff1c1964cd02d33224432ec7b4a16e6ab9a03abea05365bfb280c982a334818f6d299bf158de0b13232e052671cb362f8e64080fa6ba29167bd60848279ba044b9ae79ba4d332988eeb9ead98b986e5030961633bae3d8c8ed2c0cb89136d98daddf3eb86068296d555faae69c812ee519fb8b913f22caaa6fc612641e545717d72b6b010e9239b2a7431fc545293c6634cfb4c0f2730b6c7f442a4aecf58bddefe491d77d8c489dddc64b1e1cb0c7a8997b35e2f7ea5ecc8484b480827d2db17d9ef3c2efd331e80a049adfaaea3a2d72d7c5d7f1a57b867df3333f762b355daa49bfc1cc51ee4a236d3668b3a9d6429faf0323a209c59d0e601a31e8f6c7437c84954126d69ca7fc1a3cd8cb6918abb3443254be8febb605c1cca02bd212fa09f36ea689fac4c858e3b15f07a941955731a66401dcfc3f259b8a5f9e63af03f5c28e08b0cbdd3a37292bc25471eb91f5db88eb615e02d9cd7db0e1852114d7175a36fcec4a003c5eaa7f51e4de223650a1b2b820ff9dedd2cdbef6c588d35af2c88cfe7ed36de98d20f479d148057846a89983c70a4db0b1d0ec69b7ac3861b6733e0295d5359c388e1c05d3c1b5f0ad29ad25205684ef543fe5df1707c2d4a564177ad1517e6d2c4284d4ef28c5354b8daa9f3144ced20382f2590820c0d88c95a8765b137bd502202a4ccb779e06b86266edc59e0c4e0965914600c11fdb141c0b6b22c691c36dcdba805597100c6b0c6428fad7f896ec84af1c4f2135a5ec1e5a9cb4e587a7183027456ce02f74187a4a193f0999733c1142a79d37f4964622ca33bbc1f6847b31acece9a7d54332d132b2aba30385077bb6f2ba7464eaad0e4055ee3490261dfb446582f38cce785219d7505109b2bc272d2386666e8f60ec920a972c12c01cd7f32fc2fbb761befad833b9a7eae9bf95691b14728cbe27bf62e7b6f0923b699baa780125fd68f8cca7f9e56e9d22c84446ae3cac4e63cfebe10d8d49c3da4efe26816146ecdccf31f6569d9cfbed343ea6a32847409d61b78fb9326af77515234838834486f5a740569aea667ffb192d6a174156558eea493ae47a0e3ce9145583aef6c76ab85749ff025581921548214d3cfd83488eaa5fcf53fc2cbf029b86635a078a4fa77db1f64c42306b059b4b709d71a13edabed73c176a2e53bce07279f651737993454a466d3c815f04e4956295e3b0ea51c8c8125889474b009f4354815bd21f172fe063ffe4daea95e8e99b6f3794ee95c1e6f8a3d2141a62966e8734ccc8fbc5c1065093e7936c375ca636929372ffac244d0388fe96e22213eb57bd8d0003829aafabc345b9ca5fb91a7c2f9a16fd15c32ec99343e5aafccd48962b8d5fe39e0482a4020d2a3795a70df5eb0934a0dea45b2f742a0b85880d29b778ec2ec08646fa3a57c37f1ba846028dffe5bba63c68e643ec6f2002b78a36323dd8f74702b7976f5a3afefd9029f9359ab5b99c0f1d6ec3d154d3efbe57cdf63d65c3b8941c54ff0198cafec3858de06c7ac763db3d2528515fbd056d25c6983b1410a8f63d25c502b5767c5c2172b879b7704e8eb050b56933ce44ccd19e15b82cf4bc565e2cf00c3081de37844f60a4a290780b368a7c18e46c8203c6102e0750670906100bff38ac6c875673d815246bc05e41e88c390c55dd18e7690993203968b5327e5600af2c011ce99dc9dd1131f1ebb190da059af8d5e0e85bfd7ffe2326e47667dd0519e54d986723fa6c1d91fbef438a978d3b2f1feb536d9a3cb8e7c1955fd97d8ee81b14f4451d7644cceb78ede746a8e1f14755bb8443f17a8e25e2249e090fdf295a0d42cbfcd1e46fea275a17ed99a5fca4fed94b8e507b96e1a1956b4013c5616d4fc023fdfe701f84a560194bac0d316b8f4014e6cdc563b101bc0a1c94bf12b8dfb91e9a90ddda926a9e924078093f10f16091b2a420af412128a6d7af530aeac6e38dee1fdb133b758267b52e80ed39ef8479bde8a9672ff238f6bd2cd6be484f721d4e37ad9fa98e41c7de4c226a66ff2868c9edcf6697e554a38b2ef9768db4e2fc7dcc9e77d023b97efa90af89f77802bb2df24a38e451091a91f4daea74e26bc8d1f66db79312bba65c6081d82dffaf2ed5aa2e39e58dc0b04adb2b75cf9b5748faa42dcf2ae66eb9acdd058d7ffd3608307534d1cceffb8897f26c27ab12b5759fbf2115a522f8e7cdd2a3230f0509101493fc71cecec65f99929bb227db948058843b85ca81803ac77087ef6cf3d8ce4cb4775c4d442ca7148603d0b18737861773cdaa1e573e24f160802e32bb974354cdcdb6d2d96c552aafd3443e0e818a8ae73fd569dd3145149b80a7ded9853b5ae45d40d7f4099fbcb52f19b838b209079d54242e92cd761be67e367c4dbd97e4e773c2af51857feca34ed8e1e35c4ada826686d6e57304f440972d44d281b49b9384cb6b8d7918abeb9ddf0bd5af870b8d96edc95d5d3fa50d0cbe56f7e632d800febd1e9d18cbb25c982e44b5562307ebce9af943cea93d83e78152e783c0518ec46638e018ec10ac8c328e9be7d4d10e8666c3b8a08c629c8d65fd8bfa10721fbe443b8a995fc5d2eb8870a86d2c0a80b08e6dbe1151f727cecad1132f021b953c234760e05ab75658a2046038f645918162d53b2c724ff6784b266c0c7b779202f28d42f64734d089da3b75869414393cb8de2df05aefcfac7743175910da067d2077ff497159dafcedf79ffd823acb03e1e5380d554bcae69ba8f84c99d7cd000525eb9dea0adaf83616356c5828c2c2052c4ee3c5f7f6e35ec941740feffb31a8a8ff8c4bb3474b82f3285f6fd376a7c040eef42f462bd8d6cf904f6c6fb4f4c5df02531a6b7bcc550dc815346986a0a74c5f64f718d4c7ff2d6d1e1f10d652657f4ee75ad736fa753635e4008df005958af25e127dc03683aa915714c61c466bb7ccd231803d8602486854cc07dfd65256f730f5bf47aa19881fd643d739b9951c2e6e5c2d229c9d66295b29a648656709b51a8d37bde3d8a03b69696b7a634d51d0c3c465bc1d235ddce1ab3a98a7a815852ac31ad7f399e045859b2711ab0b86a48c8aed8a81d452d797b294168c48a2f83a10e2e0c968e1d06d4937b127512612df22dc4f9b9722df7e630da4781e5d64108e4b8a092bf2ad78c025f57894de99a30d74ca3a216c4bcbfff62fd19b86d945a1e734ef295b7964ba5330b77eb44a8eb1e47544900e819a570ac4d92357ad786e01"], 0x2640}}, 0x0) 07:10:35 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:35 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xec00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1083.866726][T22324] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1083.876633][T22324] ref_ctr decrement failed for inode: 0x4251 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000bcf7ed9f [ 1083.888559][ T2524] attempt to access beyond end of device [ 1083.894705][ T2524] loop4: rw=1, want=130, limit=63 [ 1083.900106][ T2524] buffer_io_error: 5 callbacks suppressed [ 1083.900154][ T2524] Buffer I/O error on dev loop4, logical block 129, lost async page write [ 1083.938091][ T2524] attempt to access beyond end of device [ 1083.957992][T22324] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1083.959740][ T2524] loop4: rw=1, want=131, limit=63 [ 1083.966060][T22324] ref_ctr decrement failed for inode: 0x4251 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000bcf7ed9f 07:10:35 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xf000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1084.047382][T22338] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1084.062280][ T2524] Buffer I/O error on dev loop4, logical block 130, lost async page write [ 1084.081085][T22338] ref_ctr decrement failed for inode: 0x4251 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000bcf7ed9f [ 1084.114115][ T2524] attempt to access beyond end of device [ 1084.127196][ T2524] loop4: rw=1, want=132, limit=63 [ 1084.140808][ T2524] Buffer I/O error on dev loop4, logical block 131, lost async page write [ 1084.155724][ T2524] attempt to access beyond end of device [ 1084.169526][ T2524] loop4: rw=1, want=133, limit=63 [ 1084.182287][ T2524] Buffer I/O error on dev loop4, logical block 132, lost async page write [ 1084.207126][ T2524] attempt to access beyond end of device [ 1084.220283][ T2524] loop4: rw=1, want=142, limit=63 [ 1084.230694][ T2524] Buffer I/O error on dev loop4, logical block 141, lost async page write 07:10:36 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000180)=[@textreal={0x8, &(0x7f0000000280)="baf80c432c9187f01766efbafc0cb8bd00ef0f320f624e10bad104ec26660ff85f50361b0f20c0663502000080f26eb800088ec00fae470b", 0x39}], 0x32, 0x51, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) r4 = dup(r3) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x0) r5 = socket(0x10, 0x803, 0x0) r6 = dup(r5) ioctl$PERF_EVENT_IOC_ENABLE(r6, 0x8912, 0x400200) r7 = socket(0x10, 0x803, 0x0) r8 = dup(r7) ioctl$PERF_EVENT_IOC_ENABLE(r8, 0x8912, 0x400200) socket(0x10, 0x803, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0xffffff67, 0x44, 0x0, 0xffffffffffffff72) ioctl$KVM_RUN(r2, 0xae80, 0x0) r9 = socket$nl_generic(0x10, 0x3, 0x10) r10 = syz_genetlink_get_family_id$tipc2(&(0x7f00000002c0)='TIPCv2\x00') sendmsg$TIPC_NL_SOCK_GET(r9, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000100)=ANY=[@ANYBLOB="e3ffffff", @ANYRES16=r10, @ANYBLOB="0307000000000000000006000000"], 0x14}}, 0x0) sendmsg$TIPC_NL_MON_GET(r4, &(0x7f0000000080)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x8000000}, 0xc, &(0x7f0000000040)={&(0x7f0000000580)=ANY=[@ANYBLOB="74020000", @ANYRES16=r10, @ANYBLOB="210025bd7010fddbdf2512000000a00001800c000280080001000800000044000400200001000a004e2200000005ff02000000000000000000000000000100000000200002000a004e2300000007fe8000000000000000000000000000bb018000000e0001006574683a7465616d300000002c000280080001000f0000000800040007000000080002000200000008000400000400000800020002000000080003000000000008000300090000002c0007800c00040007000000000000000c00030006000000000000000800010001000000080002003bcb00002800048024000780080001000e0000000800040040000000080003000700000008000200080000003400038008000100090000000800030000800000080003001f000000080002007fffffff080002000600000008000300980c000034000780080001000200000008000100020000000c000300da810000000000000c000400fd0a00000000000008000200040000004c0003800800020000000080080002000100008008000100fdffffff0800010008000000080002001e0f00000800020004000000080002000900000008000200ff7f000008000200020000007c00028008000100000400000c000380080001000800000008000100fcffffff4c000380080001000000008008000200716b0000080001000100000008000100ff0000000800010081000000080002000900000008000100080000000800010003000000080002000001000008000100ff7f00000800010003000000300004802c000780080002000200000008000100090000000800030007000000080004000300000008000400200000000c000380080002000800000089e77a2de41521edcf01e2b6c253d13bf1a639573719c9b7d5fa20dc482e2bc4ffea35db3f0ab861fb38133bc74bf57543a642456754b2767b742ee610c5f2"], 0x274}, 0x1, 0x0, 0x0, 0x4008000}, 0x44) 07:10:36 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ec, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:36 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa4000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:36 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xff00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:36 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1084.377208][ T27] audit: type=1804 audit(1586329836.222:1325): pid=22335 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1714/bus" dev="sda1" ino=16993 res=1 07:10:36 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x200000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1084.604618][T22365] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1084.627378][T22365] ref_ctr decrement failed for inode: 0x4291 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000020ba2ca [ 1084.686035][T22365] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1084.696335][T22365] ref_ctr decrement failed for inode: 0x4291 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000020ba2ca 07:10:36 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xf0ffff}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:36 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa4010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1084.761963][ T27] audit: type=1804 audit(1586329836.612:1326): pid=22360 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.4" name="/root/syzkaller-testdir101063229/syzkaller.3h4HeB/1215/file0/file0" dev="loop4" ino=2335 res=1 07:10:36 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000040)=ANY=[@ANYBLOB='A(\x00\x00\x00', @ANYRES16=r2, @ANYBLOB="a18f00000000000000001100000027009900000000eb00"/34], 0x3}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r4 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r4, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r4, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[]}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r5, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) pwritev(0xffffffffffffffff, &(0x7f0000f50f90)=[{&(0x7f0000000100)="a8", 0x1}], 0x1, 0x81003) ioctl$LOOP_CHANGE_FD(0xffffffffffffffff, 0x4c00, 0xffffffffffffffff) ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305828, &(0x7f00000000c0)={0x0, 0x4, 0x9, 0x1}) 07:10:36 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x6800}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:36 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x1000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1084.941589][ T27] audit: type=1804 audit(1586329836.792:1327): pid=22367 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1715/bus" dev="sda1" ino=17042 res=1 07:10:36 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa1000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:36 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3f2, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:36 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x2000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:37 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:37 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) r7 = socket$inet(0x2, 0x4000000000000001, 0x0) bind$inet(r7, &(0x7f0000000080)={0x2, 0x4e23, @dev}, 0x10) sendto$inet(r7, 0x0, 0x0, 0x200007fa, &(0x7f0000000140)={0x2, 0x4e23, @dev={0xac, 0x14, 0x14, 0x1e}}, 0x10) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)=ANY=[@ANYRESOCT=r7, @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x3}}, 0x4c010) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1085.218611][T22402] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1085.229340][T22402] ref_ctr decrement failed for inode: 0x42d1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000020ba2ca [ 1085.243525][T22402] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1085.258491][T22402] ref_ctr decrement failed for inode: 0x42d1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000020ba2ca 07:10:37 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa5000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:37 executing program 3: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ec, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:37 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x3000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1085.379851][T22409] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1085.438471][T22409] ref_ctr decrement failed for inode: 0x42d1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000020ba2ca 07:10:37 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x4000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1085.581128][ T27] audit: type=1804 audit(1586329837.432:1328): pid=22415 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1716/bus" dev="sda1" ino=17107 res=1 07:10:37 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa5010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:37 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3f8, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:37 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xb, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:37 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ioctl$sock_kcm_SIOCKCMUNATTACH(r1, 0x89e1, &(0x7f0000000040)={r0}) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff0300000068667363000002000000000000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:37 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x5000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1085.750745][T22427] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1085.763347][T22427] ref_ctr decrement failed for inode: 0x4381 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000037205d26 [ 1085.799991][T22427] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1085.810272][T22427] ref_ctr decrement failed for inode: 0x4381 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000037205d26 07:10:37 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x6000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:37 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x2000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1085.967444][T22436] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1085.981092][T22436] ref_ctr decrement failed for inode: 0x4231 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000020ba2ca 07:10:37 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x7000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1086.009680][T22436] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1086.018071][T22436] ref_ctr decrement failed for inode: 0x4231 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000020ba2ca [ 1086.064626][T22446] netlink: 20 bytes leftover after parsing attributes in process `syz-executor.4'. 07:10:38 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xa000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:38 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xa}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:38 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa6000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1086.155994][T22453] netlink: 20 bytes leftover after parsing attributes in process `syz-executor.4'. [ 1086.203360][ T27] audit: type=1804 audit(1586329838.052:1329): pid=22439 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1717/bus" dev="sda1" ino=17107 res=1 07:10:38 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r0, 0x660c) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(0xffffffffffffffff, 0x803) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)=ANY=[@ANYBLOB="16000000", @ANYRES16=r1, @ANYBLOB="c18f00000000000000001100000008000100040000000800010002000000"], 0x3}}, 0x4009) r2 = socket$nl_route(0x10, 0x3, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0xc) r4 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r4, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r4, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) r5 = getpid() sched_setscheduler(r5, 0x5, &(0x7f0000000380)) sendmsg$nl_route_sched(r3, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000580)=ANY=[@ANYRES64=0x0, @ANYRESHEX=r5, @ANYBLOB="000012c5661d9a78f65e00000900000068b69765de9c6673630000000008000200000000005504a938e9192adf002f8363d59049a033bdfd0298fbaa1e610832f79b42996e83a42842f8e88e7a0ac19803d8ae9e46964adc4a4bb35ec79dcff131e991c80070195ba3970bc4027fdc5ba61f89ca8d9422c1b508e26a08308a84689ea959a58acefd4fee40af4d269e4683d535ec"], 0x3}, 0x1, 0x0, 0x0, 0x80000}, 0x40000) sendmsg$nl_route_sched(r2, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f00000007c0)=ANY=[@ANYRESOCT=r1, @ANYPTR, @ANYBLOB="000030000000000000096b00b44af1000b00000000000000000000009f6c898adde9c81eaeaf2e2038cf9d29398872fdd9a747aedb4cbf079bc43a4802c03037cf5dcab2fd33bd212e122e1961e921ceb9eba43164bd7e9ee7c360b07ce709c6696c31d42221d5171cd59062ee7994fc3766351463570bf085f3f68f247de4022e2104aed6c9c311c8be6dd668b3721d2156d5697d2beeb759b319e7af8630b78049ab0d8d4954f17dd2b746fde00277575b9dd739f03a6efc41", @ANYRES64], 0x4}}, 0x40000) 07:10:38 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3fa, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:38 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:38 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x6}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:38 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xc000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:38 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x10000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:38 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0x9c000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:38 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x18000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:38 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0x100, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {0x0, 0x1}, {}, {0x9, 0xffff}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1086.617735][T22495] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1086.635177][T22495] ref_ctr decrement failed for inode: 0x42e2 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000020ba2ca [ 1086.707315][ T27] audit: type=1804 audit(1586329838.532:1330): pid=22483 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1718/bus" dev="sda1" ino=16945 res=1 [ 1086.747286][T22495] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:38 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x14, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:38 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x40000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:38 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa6010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1086.783000][T22495] ref_ctr decrement failed for inode: 0x42e2 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000020ba2ca 07:10:38 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1086.937352][T22495] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1087.004330][T22495] ref_ctr decrement failed for inode: 0x42e2 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000020ba2ca 07:10:39 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x48000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:39 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa7000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:39 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0xffff}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:39 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f0000000040)='./bus\x00', 0x6, 0x0, &(0x7f0000000140), 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) r6 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fcntl$setstatus(r6, 0x4, 0x3800) fadvise64(r6, 0x1, 0xefa, 0x1) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:39 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3fc, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1087.144535][ T27] audit: type=1804 audit(1586329838.992:1331): pid=22512 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1719/bus" dev="sda1" ino=17105 res=1 07:10:39 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x4c000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:39 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1c, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:39 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0x9b010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1087.366960][T22545] FAT-fs (loop4): bogus number of reserved sectors [ 1087.367304][T22544] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1087.373691][T22545] FAT-fs (loop4): Can't find a valid FAT filesystem [ 1087.405836][T22544] ref_ctr decrement failed for inode: 0x43a5 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000020ba2ca 07:10:39 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x68000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1087.417086][T22544] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1087.425687][T22544] ref_ctr decrement failed for inode: 0x43a5 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000020ba2ca [ 1087.531715][T22545] FAT-fs (loop4): bogus number of reserved sectors [ 1087.543943][T22545] FAT-fs (loop4): Can't find a valid FAT filesystem 07:10:39 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa7010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:39 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x6c000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1087.605882][ T27] audit: type=1804 audit(1586329839.452:1332): pid=22549 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1720/bus" dev="sda1" ino=17318 res=1 07:10:39 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1d, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:39 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3fe, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:39 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0x97000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:39 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) r2 = socket$caif_seqpacket(0x25, 0x5, 0x1) ioctl$sock_SIOCSIFVLAN_GET_VLAN_EGRESS_PRIORITY_CMD(r2, 0x8983, &(0x7f0000000040)) ftruncate(r1, 0x804) syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000300)=ANY=[@ANYBLOB='(\x00\x00\x00', @ANYRES16, @ANYRESOCT=r1], 0x3}}, 0x4000004) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x13) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:39 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x74000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:39 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa8000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1088.001759][ T27] audit: type=1804 audit(1586329839.852:1333): pid=22579 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1721/bus" dev="sda1" ino=17318 res=1 [ 1088.023787][T22580] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:39 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1e, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:39 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa7010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1088.087279][T22580] ref_ctr decrement failed for inode: 0x43a4 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000dd896009 [ 1088.113441][T22580] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:40 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x7a000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1088.136795][T22580] ref_ctr decrement failed for inode: 0x43a4 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000dd896009 07:10:40 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000300)='./file0\x00', 0x204742, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) ioctl$LOOP_CHANGE_FD(0xffffffffffffffff, 0x4c00, r3) sendfile(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x102000003) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000000040), &(0x7f00000000c0)=0xc) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:40 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa8010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1088.289559][ T21] attempt to access beyond end of device [ 1088.296447][ T21] loop4: rw=1, want=130, limit=63 [ 1088.310139][ T21] Buffer I/O error on dev loop4, logical block 129, lost async page write 07:10:40 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x85ffffff}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1088.344706][ T21] attempt to access beyond end of device [ 1088.370146][ T21] loop4: rw=1, want=131, limit=63 07:10:40 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x500, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1088.389929][ T21] Buffer I/O error on dev loop4, logical block 130, lost async page write [ 1088.398695][ T27] audit: type=1804 audit(1586329840.242:1334): pid=22602 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1722/bus" dev="sda1" ino=16948 res=1 [ 1088.432288][ T21] attempt to access beyond end of device [ 1088.443283][ T21] loop4: rw=1, want=132, limit=63 [ 1088.449029][ T21] Buffer I/O error on dev loop4, logical block 131, lost async page write [ 1088.460095][ T21] attempt to access beyond end of device [ 1088.466253][ T21] loop4: rw=1, want=133, limit=63 [ 1088.471653][ T21] Buffer I/O error on dev loop4, logical block 132, lost async page write [ 1088.483282][ T21] attempt to access beyond end of device [ 1088.489338][ T21] loop4: rw=1, want=142, limit=63 07:10:40 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x30, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:40 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0x95010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1088.494443][ T21] Buffer I/O error on dev loop4, logical block 141, lost async page write 07:10:40 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xb5000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:40 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa9000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1088.625078][T22620] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1088.661383][T22620] ref_ctr decrement failed for inode: 0x4234 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000057e284e5 07:10:40 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xec000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1088.696582][T22620] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1088.735048][T22620] ref_ctr decrement failed for inode: 0x4234 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000057e284e5 07:10:40 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x6}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:40 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xff000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1088.901138][ T27] audit: type=1804 audit(1586329840.752:1335): pid=22628 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1723/bus" dev="sda1" ino=17297 res=1 07:10:40 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3e, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:40 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xa9010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:40 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x600, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:40 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x4}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:40 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xfffff000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:40 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x10480, 0x0) fchdir(r0) r1 = getpid() sched_setscheduler(r1, 0x5, &(0x7f0000000380)) sched_setaffinity(r1, 0x8, &(0x7f0000000040)=0x4) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r2 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r2, 0x804) r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r3, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r5, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r4, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1089.187222][T22660] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1089.195376][ T27] audit: type=1804 audit(1586329841.032:1336): pid=22656 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1724/bus" dev="sda1" ino=16596 res=1 [ 1089.200777][T22660] ref_ctr decrement failed for inode: 0x4234 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de 07:10:41 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_genetlink_get_family_id$ethtool(&(0x7f0000000000)='ethtool\x00') syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000180)=[@textreal={0x8, &(0x7f0000000280)="baf80c432c9187f01766efbafc0cb8bd00ef0f320f624e10bad104ec26660ff85f50361b0f20c0663502000080f26eb800088ec00fae470b", 0x39}], 0x32, 0x51, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) dup(r3) r4 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fcntl$setstatus(r4, 0x4, 0x3800) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x8000) sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x200007fa, &(0x7f0000000140)={0x2, 0x4e23, @dev={0xac, 0x14, 0x14, 0x1e}}, 0x10) setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, &(0x7f0000000200)='sit0\x00', 0x10) r5 = syz_open_dev$loop(&(0x7f00000001c0)='/dev/loop#\x00', 0x0, 0x105084) r6 = memfd_create(&(0x7f0000000600)='\x00\x00\x00\x00\x8c\x00'/15, 0x1) pwritev(r6, &(0x7f0000f50f90)=[{&(0x7f0000000100)="a8", 0x1}], 0x1, 0x81003) ioctl$LOOP_CHANGE_FD(0xffffffffffffffff, 0x4c00, r3) sendfile(0xffffffffffffffff, r5, 0x0, 0x102000003) ioctl$BLKRRPART(r5, 0x125f, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 07:10:41 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x47, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1089.286401][T22660] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1089.309121][T22660] ref_ctr decrement failed for inode: 0x4234 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de 07:10:41 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xffffff85}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:41 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xaa000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1089.457283][T22679] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1089.469684][T22679] ref_ctr decrement failed for inode: 0x4234 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de 07:10:41 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0xffffffff}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:41 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x700, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:41 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1089.637285][ T27] audit: type=1804 audit(1586329841.482:1337): pid=22682 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1725/bus" dev="sda1" ino=17346 res=1 07:10:41 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x59, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:41 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x2}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:41 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vga_arbiter\x00', 0x500, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}, 0x1, 0x0, 0x0, 0x90}, 0x0) 07:10:41 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xaa010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1089.860492][ T21] attempt to access beyond end of device [ 1089.866267][ T21] loop4: rw=1, want=130, limit=63 [ 1089.877102][ T21] Buffer I/O error on dev loop4, logical block 129, lost async page write [ 1089.905424][ T21] attempt to access beyond end of device [ 1089.910235][ T27] audit: type=1804 audit(1586329841.752:1338): pid=22702 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1726/bus" dev="sda1" ino=17347 res=1 [ 1089.913654][ T21] loop4: rw=1, want=131, limit=63 [ 1089.945983][ T21] Buffer I/O error on dev loop4, logical block 130, lost async page write 07:10:41 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x3}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1089.946580][T22701] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1089.954854][ T21] attempt to access beyond end of device [ 1089.979648][ T21] loop4: rw=1, want=132, limit=63 [ 1089.992203][ T21] Buffer I/O error on dev loop4, logical block 131, lost async page write [ 1090.027124][ T21] attempt to access beyond end of device [ 1090.031989][T22701] ref_ctr decrement failed for inode: 0x43bf offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de [ 1090.053094][ T21] loop4: rw=1, want=133, limit=63 [ 1090.060736][ T21] Buffer I/O error on dev loop4, logical block 132, lost async page write [ 1090.069829][ T21] attempt to access beyond end of device 07:10:41 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_genetlink_get_family_id$ethtool(&(0x7f0000000000)='ethtool\x00') syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000180)=[@textreal={0x8, &(0x7f0000000280)="baf80c432c9187f01766efbafc0cb8bd00ef0f320f624e10bad104ec26660ff85f50361b0f20c0663502000080f26eb800088ec00fae470b", 0x39}], 0x32, 0x51, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) dup(r3) r4 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fcntl$setstatus(r4, 0x4, 0x3800) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x8000) sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x200007fa, &(0x7f0000000140)={0x2, 0x4e23, @dev={0xac, 0x14, 0x14, 0x1e}}, 0x10) setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, &(0x7f0000000200)='sit0\x00', 0x10) r5 = syz_open_dev$loop(&(0x7f00000001c0)='/dev/loop#\x00', 0x0, 0x105084) r6 = memfd_create(&(0x7f0000000600)='\x00\x00\x00\x00\x8c\x00'/15, 0x1) pwritev(r6, &(0x7f0000f50f90)=[{&(0x7f0000000100)="a8", 0x1}], 0x1, 0x81003) ioctl$LOOP_CHANGE_FD(0xffffffffffffffff, 0x4c00, r3) sendfile(0xffffffffffffffff, r5, 0x0, 0x102000003) ioctl$BLKRRPART(r5, 0x125f, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 07:10:41 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x64, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1090.075830][ T21] loop4: rw=1, want=142, limit=63 [ 1090.083437][ T21] Buffer I/O error on dev loop4, logical block 141, lost async page write [ 1090.102870][T22701] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:42 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x4}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1090.159407][T22701] ref_ctr decrement failed for inode: 0x43bf offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de 07:10:42 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xab000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:42 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x5}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:42 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa00, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:42 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x6}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:42 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) r2 = socket(0x10, 0x803, 0x0) dup(r2) sendmsg$RDMA_NLDEV_CMD_SYS_SET(r2, &(0x7f0000000340)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x40}, 0xc, &(0x7f0000000300)={&(0x7f00000000c0)={0x24, 0x1407, 0x200, 0x70bd25, 0x25dfdbfb, "", [@RDMA_NLDEV_ATTR_DEV_NAME={0x9, 0x2, 'syz0\x00'}, @RDMA_NLDEV_ATTR_DEV_DIM={0x5, 0x54, 0x1}]}, 0x24}, 0x1, 0x0, 0x0, 0x8090}, 0x80) ftruncate(r1, 0x804) r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r3, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r5, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r4, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:42 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x78, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:42 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x7}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1090.807298][T22750] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1090.835604][T22750] ref_ctr decrement failed for inode: 0x43b1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 [ 1090.850040][T22750] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:42 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x245e30c01bc12674, 0x20) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) r1 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) write$USERIO_CMD_SET_PORT_TYPE(r1, &(0x7f0000000040)={0x1, 0x2}, 0x2) r2 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r2, 0x804) r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r3, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r5, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) write$P9_RFLUSH(0xffffffffffffffff, &(0x7f00000000c0)={0x7, 0x6d, 0x1}, 0x7) sendmsg$nl_route_sched(r4, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000580)=@newtfilter={0x3c, 0x2c, 0xd27, 0x70bd2c, 0x4, {0x0, 0x0, 0x0, r7, {}, {}, {0x0, 0x1}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}, 0x1, 0x0, 0x0, 0x40188d1}, 0x0) [ 1090.903184][T22750] ref_ctr decrement failed for inode: 0x43b1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 [ 1090.953273][ T21] attempt to access beyond end of device [ 1090.966084][ T21] loop4: rw=1, want=130, limit=63 [ 1090.971349][ T21] Buffer I/O error on dev loop4, logical block 129, lost async page write 07:10:42 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xab010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1091.000807][ T21] attempt to access beyond end of device [ 1091.007024][ T21] loop4: rw=1, want=131, limit=63 [ 1091.013049][ T21] Buffer I/O error on dev loop4, logical block 130, lost async page write [ 1091.058315][ T21] attempt to access beyond end of device [ 1091.098741][ T21] loop4: rw=1, want=132, limit=63 [ 1091.114325][ T21] Buffer I/O error on dev loop4, logical block 131, lost async page write [ 1091.134953][ T21] attempt to access beyond end of device 07:10:43 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x3}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:43 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0xa}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1091.174139][ T21] loop4: rw=1, want=133, limit=63 07:10:43 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa1c, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1091.221601][ T21] Buffer I/O error on dev loop4, logical block 132, lost async page write 07:10:43 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x86, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:43 executing program 3: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1091.266884][ T21] attempt to access beyond end of device [ 1091.284522][ T21] loop4: rw=1, want=142, limit=63 [ 1091.303815][ T21] Buffer I/O error on dev loop4, logical block 141, lost async page write 07:10:43 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0xc}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:43 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xac000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1091.437362][T22773] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1091.472220][T22773] ref_ctr decrement failed for inode: 0x4156 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e 07:10:43 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x10}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1091.527645][T22773] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1091.536109][T22773] ref_ctr decrement failed for inode: 0x4156 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e 07:10:43 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x18}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1091.697761][T22780] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1091.710390][ T27] kauditd_printk_skb: 1 callbacks suppressed [ 1091.710474][ T27] audit: type=1804 audit(1586329843.562:1340): pid=22781 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1729/bus" dev="sda1" ino=17348 res=1 07:10:43 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xac010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1091.717228][T22780] ref_ctr decrement failed for inode: 0x43b2 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000037205d26 07:10:43 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) setsockopt$inet_sctp6_SCTP_RTOINFO(0xffffffffffffffff, 0x84, 0x0, &(0x7f0000000100)={0x0, 0x6, 0x0, 0xb5}, 0x10) getsockopt$inet_sctp_SCTP_PR_ASSOC_STATUS(0xffffffffffffffff, 0x84, 0x73, &(0x7f0000000000)={0x0, 0x9, 0x20, 0x4, 0x3}, 0x0) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r0, 0x84, 0x1a, &(0x7f00000006c0)=ANY=[@ANYRES32=0x0, @ANYBLOB="cf000000b8fed97bf6fdc3bef55f383344e5f405399942d049c4c0e5ffc7efd90c5d0cd288a2ddbe55bd7f7d5d5f743c578ea085912293ccc80400232d732e69878addf3999f11b3d456d89df4562d41a1e47afd73365ac9c25701eeb47024874155ed6083da4e9bdb01c40b12f464de2cb8fa01e4bac034c6cee22bb0a2939ec3af84dc39dbfded921a6382f815c1d7046e8d650644e1767d5e00a2bc01d5ef93fc64ef373b09de4194aa6c8752c0ff12a3a14ccfb3571240556ebdf741bbfee170029997bafff939e7c2dabf6aeea62b72c3df99ca427596f684de706de43677c4dc54cdad"], &(0x7f0000000040)=0xd7) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:43 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x88, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1091.811004][T22780] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1091.842823][T22780] ref_ctr decrement failed for inode: 0x43b2 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000037205d26 07:10:43 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x48}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:43 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r3 = socket(0x10, 0x803, 0x0) r4 = dup(r3) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) r5 = socket(0x10, 0x803, 0x0) r6 = dup(r5) syz_kvm_setup_cpu$x86(r1, r6, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) r8 = dup(r7) ioctl$PERF_EVENT_IOC_ENABLE(r8, 0x8912, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000002c0)={0xffffffffffffffff, 0xffffffffffffffff}) r11 = fcntl$dupfd(r10, 0x0, r9) ioctl$PERF_EVENT_IOC_ENABLE(r11, 0x8912, 0x400200) r12 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r12, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000002c0)=@getlink={0x3c, 0x12, 0x1, 0x0, 0x0, {}, [@IFLA_EXT_MASK={0x8}, @IFLA_IFNAME={0x14, 0x3, 'veth1_vlan\x00'}]}, 0x3c}}, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) write(r0, &(0x7f00000002c0)="e31b1510b0ce3aa8c330c11228adb189d1d8b6f33c221eae3b92bb3b173d2a0b2a7a389267bb601fea05af6f28f9410ed714f57798bfe38885263d504a56f0639e5d6f74df1b133daf3ff1bbb06ed798062b1358403156a2e75667a32d9f91f6de2506c16c9c5fa0f33fcd5ac9d6159c79bdf5cb22031ed93cdc8801e502bf700ab71fa792e96c7f8c6b86da88f196e09b6f4d0fb648186e5d07e983e74fe6d4d4382a999f9a5b02dd96169fa1428d48a3d338cd6c5bead47fbd2f8f7d1dd51c9d6647121e31068642f2077fe7304430c8e6888ecdc60ad645517578fa30ccd903baba7551ab9267f9a150f0e837f44dfadecd2f3df7c8e8ac3edec9951aa1d24c089ffe9e628c12a67eb202f262ca4226645300d9ba1e543cf65354c4bfcc25cb6da4c69c727ec86e790219756d8d3adcd5125433b535d9c3113d169c8223c0e8e072303e3c48bb34d06fd10e2c1c9ab0ac966fabd7dba493c3ec9b600fc516ab79e8229edb2ffe5ac477ae451c7521965ce7f77fac882d429a78c8596d77ecfe6b8720b97cb3f2727be51f8b40085bd1be0360590cc3d00c7ec427d985452082bc50707593e112d1ef69edfbea58d73b1c33929a0c111a431355ae0bf10eb12718ccf1a4ba7e9bf8bbff5a51e2da73f1b11e76cbfdba1cc99e52418503c09c0d857547d2843ce7514de3c4b9a3800a4adeef365e6fc5dd1fd128deddfae6613bb6f2202b49e7b43a8d55387f010e417b7e530337498982752c137b4bacc98bf24dc515b9556aa8764cbf236b088869509e09a6bbe78902f2c30a82d4404704540a8966e5215052518de4001a85cdb403f210396a0f91e07530b594c72a92ffb6c5bd473ee5809ed555d61549129996ef626c2545bc896b9016ff8eeb70279f9bcfef4eb3e0cc7332f209a1c29a7b4e00f4e320e09c043818afcb30757ca4a7b84033e37c6d497310fe3a7496b01d4c4c951491a1cb35c8683992968d8de037fc41dea02ff9ac055a116d1e84208e876e1ce4eef4c394ba7781bde45c1053e52a1058b060377c47875078da321ce35b0c5a94bd03264bf3f6c657ca14a078554375788ed0ba72a2743670ca216b428a3574845f7b151e66716a1cd256541daca7c29171343ecfcc747cacfaac90dd92727adc93dbc42cb0f9ebc5b95438e28b240b135a514e4f82a443b3f2b9c88d42e22239c65dad0afd912f56791abb5719bca2f0af9bf621375e2733a7f7916db8630ac596025d3abc9528aa9ad41537650493280998c385f8e5932f74fc79ab0475ae232203e8b98f857009a523e55b642f7224215c285838088781d95d911654534fb0dfba5812dd36fc999b845bc7c9c634b8b36cd1c9908cdfe7d8b302af7693e3395d4cb726ef9fd3d9c78bfc0c8df3f63c9e6ba7b506365da04925656c25a32e71b2bc230889c64c785160783d65185ccb0950e4381de35fb453b56c77b3717707129be2d5b5b6c9e57bbc2f1d69a30165281af9b1162270c46db530c70e5dc6395c6fee5a996ac7beb1fe6c2dea177835ea6f71b20984ddb07e5dd5432d6a134172ca172c6f53cd2291eda02ac9f8d542650f4562458ae668d67b29fdd29c10a528f82579976471a27e54c11d5f06291f7fec6c05b109544c15a35d7f87030d3ae4f021c678bbef1504b4437d000efe150944543b0a1c6970242bf1995e563fac8e30ed08cd69be1c4804ef91cd1a1197efc53af7e7320c11e2ad1df2b62b335afd6ff53c5aa68b6ed249dba24b468232ec3e192b59e1a9749b61074a0d81d6171c3b6fe0ceb6028e15c5ca0c2465d711ed1f0696188700c00e027ec489fb2ded6cd486aca15676f641e095a373f54f17370b48e82fc724e8699b4bb78b8588f05aebaeb42998df55217e0815f21eb5769994eb35e2e9e3a1df4de1c83945ab363810bb65a8cfdba8c41ed62a86a2e2a1122c3cbaa0a5c39843fd2f2b5f3d7c34be7b2dabd3afa7b8be2a98d5a5952982da67c7f2ee14116c4f0f31538fdae3bcfa43181dff9cce0ea04e85e8a39217688c3340a36bbb6ee2cfcc4286602248c572b74e52cc3a73e38bdf830b560147ee4885522567f49c6613da71a8f5d7dfa7994cfff78c10dca7e6f8e583f74a543cf2c1f5ee22eed6006b4cf5df17f969a536d5f8a9b0caeb4f9881bd6b7a80a6f8734593a8e95637dceba7dc1e607416b6cc4531e3cd15219b456aca478abdb4e0593e9e1739813d4ea9438f0c37572ead64ee32378703a1eb7365a8d8aa82c2265b02a1b5eb8738287a86ea2db9208f6833bd9c75fb2e613501698a47e19610b5871c49d84808832e5d3196899bfeaaf43df501f2706a8a3f54721a98ce61a3a54eb82c44ce4474156eeff2a7326bce86f1c8c1605cb5d2426abc3c1c6a080fcd2c6bf621a1dc4d4d6b7691b352b6d48932a35faff739dd00cf70f60b7e3565add5b81994ddb3a3495fb4dd55a366a76fe66dffe98ad9971bbad4f7d0ae1ff65f930651b000e05cf24b43776c870584382d13886ea91104dbb5afc9f5ee160e72e98a1003c61a3b0f7a891a1cc2b92c3529614e6011a77280e0da38aa39710b057c063c1816da270349635d8172be18b2504f7bf9bec4f0109884e5da52ba8a1aeb7d1a8c1931783d4d7bb0b55a8199df62cbe3706ced154eee44930f9390327d873954b5fcfcef70387f2e13430e837d8a0dc9ea2fbefec50ff3d40a7feb15e10085dd31b99552f4db9f2aa61e5751fe91fd6c55ddad9a96947704e5c6e8e2681addfea34a4056c3904c857661163f48dee8d19ff17c85126b41a018553558e7b66f5d0054bad121fdfe9b5649fb6a23280364ed44846b6174f88982ebcde981d7ae5fedfd9b46e62aec2887aa91dbf1a2ac23504dcfeffd40d12c1bff9e6d106b6db7f42a18f3d3a7f735291837dc812938dcdd3e39fec6effd94711d09a874bb7b87b555ad0e855a52822e811919a4527bfec928f2820dfc2ee654cbc7fa0b73453e9de794c55b5c8d64fdd4bc5fc0f0e427ca56048010be0ae72a3501790d24f573ccc6a4ca00f5cb63f483aa47fec2b81d21ca1d9734db02c7b9d1f7eeddbb2925026b6d0da7089eff0c61ae987ad033bc65355b80c65a8378d428e07ead0033b358dc15d6151c7ea4bd0656501525b652fad2ac75582c1b94660c72ccc66427c119a775abe24302cb3c16002a95dcb861ce6bdefa269317976ab7eca0b9db54483231b89ada50679fbcedba53db4a980ebca2d0deb1a367099390ba5f085d98cdc42d9b1c5a73d2847fd2d428a0b3cb1cae2e0719c2449e03b35f7de4b13942ccb990e1835d7acc5338d8c5798ee2ba65118fecc9c85a5223314d7878adaaa32cfeaa85e5ce51739a6d594fff271efcb4e7aeec707a0a26835314e32e494a00e7ede49213fa99d927a9e46137a26e725685743824aadb2e759d658eb0c305ffd133fcf121e09738833a77eaa93e2d3622e3c75b7da52cee7952c6ebc884f7eabfd596ad98ce420a38d356c2bfe078e3a31f45f264c559b08e384e38d3d84f796c4ff6c11cadd85a2ed77490ef56d42e11f0d8a53abad6180c4a272ce12a1bbae91b63bdd2d5c6bebeb5c109ea32b648aa25dfcc4e2e51554d65a4cf226eb8483c58fcf8936efd28de6ba9cf023df02e38bf41b2ad889c14eadab42abbde0f11cb7169002916c1dff54cafc9a00cb49d30103efc42f855044e3e06c146503c42a762add5d3f4b582dacdc329691a59cef47ace9983259f7e8f9a0cc7606b94d6f0de00a2bf17723f4f9b8af065588127de2527e35902f82e4a44b28cd6f21ef528ab3282be7ffd5e5df6b67f33023f03c8fa267eff1d0f7d8d4f0171f51d846bd30a788cb7da3390ec4e0e26abb8681fb516da17bd57d929356ed4cfcfe4d6ecb069c30ff35990bda411e3963696906c9b376d8ef5f8b09f1300cf636eaa7ff9307d5de54c4359d5246df8c0a6b25ed71f1f76e4842c583f92e7963fb7eb6569a0873bb6e16badf61353bcf5e448250b420e047250c089928eebdd75966765b247df34ec95f08a675001dadfc0989671e036506326bd2e584aac3950827c61fcd061c8d8d69360f5c03bf85a9c91e84bff4a328b86765bbe156a882231c6b327922115eaf3f6f824fd616f34671437b1841ee6196404b676f3ae186fa19e9b4de16e06aa40d3ce4b66220a2c1bb9ad8307b897fc4b18d2208faa6f2e2cdea66c01727f0b4c5191a9ebe69f01981419395382f6e807c100b6e400313d6ff6b94f0c9aa8ed12573000d319d00b723e572c7124a1e8bace88055a0aa093593b9562a098298e6e8c3134d98aea79a19ce1a2dcf8d9db8b7932d228eb59c1449e9d1dadb6cc0fb2c7379112e9a955202fce0889e6799f7b3a1b3b2e618c8fcd34c2915b38cf211f281ab86a027ccccc6a9577a21f846fa66b0896b2782ebc09db53808c43f42238ed7bec0e0bb6248239c40c22b02e170628e8ad5b650b1bc855d925a4fb42c679849e3a29bf3a8a6022f4ebe6d4d4c2728f0be2feb28c2b1277250222ed1e0f3026e3abc3a278b97c563ccb5d1f6b49a396d81d8a6ce3517c58fb55e6b48d6af0009bacee52d3d84985ac9ae6cf0b0231ecd02044f7aeff6c2cea0a175324b6007a0050526ef09695f01d9774337d01f00a867a4586a5a6fe913480d8a4a66068b82ce5fc1189d495993e5e5cc79d1729ac7d0abe83dafbe0962608b5ac548590b5be0a1e213611057aacbd523387cd8a668bf16cffe7b8793af61c7f714df66cf80cf8bf4d12f8c2255ea15ec8c8c6c51acfc82eb93966ea774c63c6f40005d1b2ff402d04ab38d46f67b3729f0228794f912d0ed4a44b6d0fe7a265945d660f83b31efc01175aef64ed611c33a86d938683162c250635d0f2c5d43ccb1ac169b3fdf75ce4d9914cc3a9e80639725145cc5e7f2d58fdf2fa35dd530d2d26f742dd048b985882c680e265a3fa9f183f13e04cbeb1177675059ffdac3fbcfcbafff92910cd81b32c1513a3de6f29fd6d89bab6f1f3fe6ade9235303dfe06665dbed5bf55ec9c4fb2c060ac143b386fa0f2793ad8bc906c3fb5b33c0540d1dcd3647a3d27f6a522db94f4b05f5b37a33c8d51b575ee1e537480fb34fcc9eddc75dfe2968bc486cff32bb792228da31336b13b811253caeea551febbc141f6f15635524b03a1b9a3b2088758ee40bfcedb904ae4d269185d6d7c730c8560296c11da4087223ff77dfa6b9ddef02c4b0efce24a9eef4d5e8da62824267fbc5503ca8dbca13b802fa1d3023a873d775c4f8967d4bc94aad412959b281729744a2d958933474b8d390f217433faea75bd5b3efe6ac5b1e7fd639e8fd6bc8a47f6e2de39987f86e8715201d62793e9921491bf2d8f050c0f800dde3f8c39a6005c480d9daf9e62b49677245ae972fc9b1e71c48154addce05980a02e185c01fbf0c5da90f214e6c60f6344893b5fd7ec10ddde05504a5d6cee532248c1dfba77af5b593d075206c85d0fe9097119cc71fd6add65ea6810d04b2b76f2bdec12fa314a739e6967670f6453c23beb3d1a1d090d1a02b35c09877cb584492e8f0d9b94445e914f5403f49f2a63e829305fb8e8f6f6786532f42127b0f73461b95d6279427af5ee425e3c5f5650cc87c58448841cc9e45d85cff4ba958c4a4e9e4e317861213c6715e998550de70503dc89c97772a7e51a60551f32847d315cd65f7ed2246ac1b188c2b3fe5853027d37d8bef0647665bdaeabacefa622f39cfcd0b4add5fa722a8661f1e8115aa2e8753fdf72ae8dd9fc2fccbbb188", 0x1000) 07:10:43 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa1d, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1092.075069][ T27] audit: type=1804 audit(1586329843.922:1341): pid=22808 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1730/bus" dev="sda1" ino=16594 res=1 07:10:44 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xb6, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:44 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xad000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:44 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x4c}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:44 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x40c000, 0x0) ioctl$RTC_ALM_SET(r4, 0x40247007, &(0x7f00000000c0)={0x31, 0xa, 0xc, 0x17, 0xb, 0x4, 0x0, 0x18, 0x1}) r5 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r5, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1092.297383][T22828] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1092.344939][T22828] ref_ctr decrement failed for inode: 0x4189 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000085786c98 07:10:44 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x68}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1092.396522][T22828] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1092.413821][T22828] ref_ctr decrement failed for inode: 0x4189 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000085786c98 [ 1092.540843][ T27] audit: type=1804 audit(1586329844.392:1342): pid=22836 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1731/bus" dev="sda1" ino=17362 res=1 07:10:44 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x6c}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:44 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r3 = socket(0x10, 0x803, 0x0) r4 = dup(r3) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) r5 = socket(0x10, 0x803, 0x0) r6 = dup(r5) syz_kvm_setup_cpu$x86(r1, r6, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) r8 = dup(r7) ioctl$PERF_EVENT_IOC_ENABLE(r8, 0x8912, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000002c0)={0xffffffffffffffff, 0xffffffffffffffff}) r11 = fcntl$dupfd(r10, 0x0, r9) ioctl$PERF_EVENT_IOC_ENABLE(r11, 0x8912, 0x400200) r12 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r12, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000002c0)=@getlink={0x3c, 0x12, 0x1, 0x0, 0x0, {}, [@IFLA_EXT_MASK={0x8}, @IFLA_IFNAME={0x14, 0x3, 'veth1_vlan\x00'}]}, 0x3c}}, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) write(r0, &(0x7f00000002c0)="e31b1510b0ce3aa8c330c11228adb189d1d8b6f33c221eae3b92bb3b173d2a0b2a7a389267bb601fea05af6f28f9410ed714f57798bfe38885263d504a56f0639e5d6f74df1b133daf3ff1bbb06ed798062b1358403156a2e75667a32d9f91f6de2506c16c9c5fa0f33fcd5ac9d6159c79bdf5cb22031ed93cdc8801e502bf700ab71fa792e96c7f8c6b86da88f196e09b6f4d0fb648186e5d07e983e74fe6d4d4382a999f9a5b02dd96169fa1428d48a3d338cd6c5bead47fbd2f8f7d1dd51c9d6647121e31068642f2077fe7304430c8e6888ecdc60ad645517578fa30ccd903baba7551ab9267f9a150f0e837f44dfadecd2f3df7c8e8ac3edec9951aa1d24c089ffe9e628c12a67eb202f262ca4226645300d9ba1e543cf65354c4bfcc25cb6da4c69c727ec86e790219756d8d3adcd5125433b535d9c3113d169c8223c0e8e072303e3c48bb34d06fd10e2c1c9ab0ac966fabd7dba493c3ec9b600fc516ab79e8229edb2ffe5ac477ae451c7521965ce7f77fac882d429a78c8596d77ecfe6b8720b97cb3f2727be51f8b40085bd1be0360590cc3d00c7ec427d985452082bc50707593e112d1ef69edfbea58d73b1c33929a0c111a431355ae0bf10eb12718ccf1a4ba7e9bf8bbff5a51e2da73f1b11e76cbfdba1cc99e52418503c09c0d857547d2843ce7514de3c4b9a3800a4adeef365e6fc5dd1fd128deddfae6613bb6f2202b49e7b43a8d55387f010e417b7e530337498982752c137b4bacc98bf24dc515b9556aa8764cbf236b088869509e09a6bbe78902f2c30a82d4404704540a8966e5215052518de4001a85cdb403f210396a0f91e07530b594c72a92ffb6c5bd473ee5809ed555d61549129996ef626c2545bc896b9016ff8eeb70279f9bcfef4eb3e0cc7332f209a1c29a7b4e00f4e320e09c043818afcb30757ca4a7b84033e37c6d497310fe3a7496b01d4c4c951491a1cb35c8683992968d8de037fc41dea02ff9ac055a116d1e84208e876e1ce4eef4c394ba7781bde45c1053e52a1058b060377c47875078da321ce35b0c5a94bd03264bf3f6c657ca14a078554375788ed0ba72a2743670ca216b428a3574845f7b151e66716a1cd256541daca7c29171343ecfcc747cacfaac90dd92727adc93dbc42cb0f9ebc5b95438e28b240b135a514e4f82a443b3f2b9c88d42e22239c65dad0afd912f56791abb5719bca2f0af9bf621375e2733a7f7916db8630ac596025d3abc9528aa9ad41537650493280998c385f8e5932f74fc79ab0475ae232203e8b98f857009a523e55b642f7224215c285838088781d95d911654534fb0dfba5812dd36fc999b845bc7c9c634b8b36cd1c9908cdfe7d8b302af7693e3395d4cb726ef9fd3d9c78bfc0c8df3f63c9e6ba7b506365da04925656c25a32e71b2bc230889c64c785160783d65185ccb0950e4381de35fb453b56c77b3717707129be2d5b5b6c9e57bbc2f1d69a30165281af9b1162270c46db530c70e5dc6395c6fee5a996ac7beb1fe6c2dea177835ea6f71b20984ddb07e5dd5432d6a134172ca172c6f53cd2291eda02ac9f8d542650f4562458ae668d67b29fdd29c10a528f82579976471a27e54c11d5f06291f7fec6c05b109544c15a35d7f87030d3ae4f021c678bbef1504b4437d000efe150944543b0a1c6970242bf1995e563fac8e30ed08cd69be1c4804ef91cd1a1197efc53af7e7320c11e2ad1df2b62b335afd6ff53c5aa68b6ed249dba24b468232ec3e192b59e1a9749b61074a0d81d6171c3b6fe0ceb6028e15c5ca0c2465d711ed1f0696188700c00e027ec489fb2ded6cd486aca15676f641e095a373f54f17370b48e82fc724e8699b4bb78b8588f05aebaeb42998df55217e0815f21eb5769994eb35e2e9e3a1df4de1c83945ab363810bb65a8cfdba8c41ed62a86a2e2a1122c3cbaa0a5c39843fd2f2b5f3d7c34be7b2dabd3afa7b8be2a98d5a5952982da67c7f2ee14116c4f0f31538fdae3bcfa43181dff9cce0ea04e85e8a39217688c3340a36bbb6ee2cfcc4286602248c572b74e52cc3a73e38bdf830b560147ee4885522567f49c6613da71a8f5d7dfa7994cfff78c10dca7e6f8e583f74a543cf2c1f5ee22eed6006b4cf5df17f969a536d5f8a9b0caeb4f9881bd6b7a80a6f8734593a8e95637dceba7dc1e607416b6cc4531e3cd15219b456aca478abdb4e0593e9e1739813d4ea9438f0c37572ead64ee32378703a1eb7365a8d8aa82c2265b02a1b5eb8738287a86ea2db9208f6833bd9c75fb2e613501698a47e19610b5871c49d84808832e5d3196899bfeaaf43df501f2706a8a3f54721a98ce61a3a54eb82c44ce4474156eeff2a7326bce86f1c8c1605cb5d2426abc3c1c6a080fcd2c6bf621a1dc4d4d6b7691b352b6d48932a35faff739dd00cf70f60b7e3565add5b81994ddb3a3495fb4dd55a366a76fe66dffe98ad9971bbad4f7d0ae1ff65f930651b000e05cf24b43776c870584382d13886ea91104dbb5afc9f5ee160e72e98a1003c61a3b0f7a891a1cc2b92c3529614e6011a77280e0da38aa39710b057c063c1816da270349635d8172be18b2504f7bf9bec4f0109884e5da52ba8a1aeb7d1a8c1931783d4d7bb0b55a8199df62cbe3706ced154eee44930f9390327d873954b5fcfcef70387f2e13430e837d8a0dc9ea2fbefec50ff3d40a7feb15e10085dd31b99552f4db9f2aa61e5751fe91fd6c55ddad9a96947704e5c6e8e2681addfea34a4056c3904c857661163f48dee8d19ff17c85126b41a018553558e7b66f5d0054bad121fdfe9b5649fb6a23280364ed44846b6174f88982ebcde981d7ae5fedfd9b46e62aec2887aa91dbf1a2ac23504dcfeffd40d12c1bff9e6d106b6db7f42a18f3d3a7f735291837dc812938dcdd3e39fec6effd94711d09a874bb7b87b555ad0e855a52822e811919a4527bfec928f2820dfc2ee654cbc7fa0b73453e9de794c55b5c8d64fdd4bc5fc0f0e427ca56048010be0ae72a3501790d24f573ccc6a4ca00f5cb63f483aa47fec2b81d21ca1d9734db02c7b9d1f7eeddbb2925026b6d0da7089eff0c61ae987ad033bc65355b80c65a8378d428e07ead0033b358dc15d6151c7ea4bd0656501525b652fad2ac75582c1b94660c72ccc66427c119a775abe24302cb3c16002a95dcb861ce6bdefa269317976ab7eca0b9db54483231b89ada50679fbcedba53db4a980ebca2d0deb1a367099390ba5f085d98cdc42d9b1c5a73d2847fd2d428a0b3cb1cae2e0719c2449e03b35f7de4b13942ccb990e1835d7acc5338d8c5798ee2ba65118fecc9c85a5223314d7878adaaa32cfeaa85e5ce51739a6d594fff271efcb4e7aeec707a0a26835314e32e494a00e7ede49213fa99d927a9e46137a26e725685743824aadb2e759d658eb0c305ffd133fcf121e09738833a77eaa93e2d3622e3c75b7da52cee7952c6ebc884f7eabfd596ad98ce420a38d356c2bfe078e3a31f45f264c559b08e384e38d3d84f796c4ff6c11cadd85a2ed77490ef56d42e11f0d8a53abad6180c4a272ce12a1bbae91b63bdd2d5c6bebeb5c109ea32b648aa25dfcc4e2e51554d65a4cf226eb8483c58fcf8936efd28de6ba9cf023df02e38bf41b2ad889c14eadab42abbde0f11cb7169002916c1dff54cafc9a00cb49d30103efc42f855044e3e06c146503c42a762add5d3f4b582dacdc329691a59cef47ace9983259f7e8f9a0cc7606b94d6f0de00a2bf17723f4f9b8af065588127de2527e35902f82e4a44b28cd6f21ef528ab3282be7ffd5e5df6b67f33023f03c8fa267eff1d0f7d8d4f0171f51d846bd30a788cb7da3390ec4e0e26abb8681fb516da17bd57d929356ed4cfcfe4d6ecb069c30ff35990bda411e3963696906c9b376d8ef5f8b09f1300cf636eaa7ff9307d5de54c4359d5246df8c0a6b25ed71f1f76e4842c583f92e7963fb7eb6569a0873bb6e16badf61353bcf5e448250b420e047250c089928eebdd75966765b247df34ec95f08a675001dadfc0989671e036506326bd2e584aac3950827c61fcd061c8d8d69360f5c03bf85a9c91e84bff4a328b86765bbe156a882231c6b327922115eaf3f6f824fd616f34671437b1841ee6196404b676f3ae186fa19e9b4de16e06aa40d3ce4b66220a2c1bb9ad8307b897fc4b18d2208faa6f2e2cdea66c01727f0b4c5191a9ebe69f01981419395382f6e807c100b6e400313d6ff6b94f0c9aa8ed12573000d319d00b723e572c7124a1e8bace88055a0aa093593b9562a098298e6e8c3134d98aea79a19ce1a2dcf8d9db8b7932d228eb59c1449e9d1dadb6cc0fb2c7379112e9a955202fce0889e6799f7b3a1b3b2e618c8fcd34c2915b38cf211f281ab86a027ccccc6a9577a21f846fa66b0896b2782ebc09db53808c43f42238ed7bec0e0bb6248239c40c22b02e170628e8ad5b650b1bc855d925a4fb42c679849e3a29bf3a8a6022f4ebe6d4d4c2728f0be2feb28c2b1277250222ed1e0f3026e3abc3a278b97c563ccb5d1f6b49a396d81d8a6ce3517c58fb55e6b48d6af0009bacee52d3d84985ac9ae6cf0b0231ecd02044f7aeff6c2cea0a175324b6007a0050526ef09695f01d9774337d01f00a867a4586a5a6fe913480d8a4a66068b82ce5fc1189d495993e5e5cc79d1729ac7d0abe83dafbe0962608b5ac548590b5be0a1e213611057aacbd523387cd8a668bf16cffe7b8793af61c7f714df66cf80cf8bf4d12f8c2255ea15ec8c8c6c51acfc82eb93966ea774c63c6f40005d1b2ff402d04ab38d46f67b3729f0228794f912d0ed4a44b6d0fe7a265945d660f83b31efc01175aef64ed611c33a86d938683162c250635d0f2c5d43ccb1ac169b3fdf75ce4d9914cc3a9e80639725145cc5e7f2d58fdf2fa35dd530d2d26f742dd048b985882c680e265a3fa9f183f13e04cbeb1177675059ffdac3fbcfcbafff92910cd81b32c1513a3de6f29fd6d89bab6f1f3fe6ade9235303dfe06665dbed5bf55ec9c4fb2c060ac143b386fa0f2793ad8bc906c3fb5b33c0540d1dcd3647a3d27f6a522db94f4b05f5b37a33c8d51b575ee1e537480fb34fcc9eddc75dfe2968bc486cff32bb792228da31336b13b811253caeea551febbc141f6f15635524b03a1b9a3b2088758ee40bfcedb904ae4d269185d6d7c730c8560296c11da4087223ff77dfa6b9ddef02c4b0efce24a9eef4d5e8da62824267fbc5503ca8dbca13b802fa1d3023a873d775c4f8967d4bc94aad412959b281729744a2d958933474b8d390f217433faea75bd5b3efe6ac5b1e7fd639e8fd6bc8a47f6e2de39987f86e8715201d62793e9921491bf2d8f050c0f800dde3f8c39a6005c480d9daf9e62b49677245ae972fc9b1e71c48154addce05980a02e185c01fbf0c5da90f214e6c60f6344893b5fd7ec10ddde05504a5d6cee532248c1dfba77af5b593d075206c85d0fe9097119cc71fd6add65ea6810d04b2b76f2bdec12fa314a739e6967670f6453c23beb3d1a1d090d1a02b35c09877cb584492e8f0d9b94445e914f5403f49f2a63e829305fb8e8f6f6786532f42127b0f73461b95d6279427af5ee425e3c5f5650cc87c58448841cc9e45d85cff4ba958c4a4e9e4e317861213c6715e998550de70503dc89c97772a7e51a60551f32847d315cd65f7ed2246ac1b188c2b3fe5853027d37d8bef0647665bdaeabacefa622f39cfcd0b4add5fa722a8661f1e8115aa2e8753fdf72ae8dd9fc2fccbbb188", 0x1000) 07:10:44 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xad010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:44 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa1e, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:44 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xbc, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:44 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000100)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f00000006c0)=@newtfilter={0x2ac, 0x2c, 0xd27, 0x0, 0x25dfdbfd, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_route={{0xa, 0x1, 'route\x00'}, {0x27c, 0x2, [@TCA_ROUTE4_TO={0x8, 0x2, 0x64}, @TCA_ROUTE4_FROM={0x8, 0x3, 0x93}, @TCA_ROUTE4_FROM={0x8, 0x3, 0xbb}, @TCA_ROUTE4_ACT={0x248, 0x6, [@m_mpls={0xb8, 0x5, 0x0, 0x0, {{0x9, 0x1, 'mpls\x00'}, {0xc, 0x2, 0x0, 0x1, [@TCA_MPLS_LABEL={0x8, 0x5, 0x14b05}]}, {0x9b, 0x6, "e3c481941badc29b081a19042ed161d994ae7bfe108804aec25dbe3f26a0bbd85db58019759ebefff6f210dbac58a6076ec3847cfa88039816523200d3c4994ac24c97e1afec0aa351c67c643e2e71fc320d923346ba343897a4fad97cb299f7f8955a93c828e0edc43794489087c6eeb0498140334fae17d19877f3e27d53771aec1884f5191eee169ce4c1335fa9502128be05074eac"}}}, @m_nat={0x40, 0xb, 0x0, 0x0, {{0x8, 0x1, 'nat\x00'}, {0x2c, 0x2, 0x0, 0x1, [@TCA_NAT_PARMS={0x28, 0x1, {{0x9, 0x1, 0xd, 0x700000, 0x5}, @empty, @multicast1, 0xffffff00, 0x1}}]}, {0x8, 0x6, "f6b60b68"}}}, @m_ipt={0xb4, 0x0, 0x0, 0x0, {{0x8, 0x1, 'ipt\x00'}, {0x4c, 0x2, 0x0, 0x1, [@TCA_IPT_TABLE={0x24, 0x1, 'security\x00'}, @TCA_IPT_TABLE={0x24, 0x1, 'nat\x00'}]}, {0x5c, 0x6, "6f3b6bb92067c9590dbe2d259b28761eb2aca49b8d02a812c8dfe93d793a846a397bcb9e0ffb75783cda9210155167f62a9654f63c18570fc0998ead0fd5e64068e12d2d732326fbc678b01c74756aba1e5d0182fd550eca"}}}, @m_ipt={0x98, 0xf, 0x0, 0x0, {{0x8, 0x1, 'ipt\x00'}, {0x54, 0x2, 0x0, 0x1, [@TCA_IPT_TABLE={0x24, 0x1, 'filter\x00'}, @TCA_IPT_HOOK={0x8, 0x2, 0x2}, @TCA_IPT_TABLE={0x24, 0x1, 'mangle\x00'}]}, {0x37, 0x6, "3e38b307110547bcd981b73a12c07324ca59189f86a640d79cf664d5ac6b1c96533ca8e50d0164a795913bf458e2bb8e5e0f9d"}}}]}, @TCA_ROUTE4_FROM={0x8, 0x3, 0xb8}, @TCA_ROUTE4_CLASSID={0x8, 0x1, {0x8, 0xffe0}}, @TCA_ROUTE4_IIF={0x8}]}}]}, 0x2ac}}, 0x0) 07:10:44 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x74}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1092.882816][ T27] audit: type=1804 audit(1586329844.732:1343): pid=22860 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1732/bus" dev="sda1" ino=17348 res=1 07:10:44 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xd4, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:44 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x7a}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:44 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0xb5}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1093.057285][T22872] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:45 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xae000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1093.110424][T22872] ref_ctr decrement failed for inode: 0x43d2 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000005cf70cb1 [ 1093.117894][T22873] attempt to access beyond end of device [ 1093.128546][T22873] loop4: rw=2049, want=78, limit=63 [ 1093.175636][T22872] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:45 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0xec}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:45 executing program 4: ioctl$VIDIOC_S_PARM(0xffffffffffffffff, 0xc0cc5616, &(0x7f0000000580)={0x5, @raw_data="257a16049f671c207d44cd59dd918c067197499633a30ad438ce21a2ad6ee189b72105a9a7a5bf0d4fb4120770b78cab99961130983e3d6f803bdfa2768a7e0f78cb62abd7fd86fbaf800b620614a631f1965eaf031311de1a7f2cf3b1023fcd0af3ff8cb30a5e3525ed7aaa7ee27c534fcf725ccfefc1a660c12c0c67ecea0022b5b592fa5a8a3b6e2072e95d77f21b9e18747fde30e1025d255c7d4874a306a2a752ee542d7d7fa386d3509e75c77c7ecea8e31ed36d7cdb65c0b82987eca96bd55552d5894f97"}) syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) r6 = socket(0x10, 0x803, 0x0) dup(r6) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1093.225179][T22872] ref_ctr decrement failed for inode: 0x43d2 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000005cf70cb1 07:10:45 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r3 = socket(0x10, 0x803, 0x0) r4 = dup(r3) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) r5 = socket(0x10, 0x803, 0x0) r6 = dup(r5) syz_kvm_setup_cpu$x86(r1, r6, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) r8 = dup(r7) ioctl$PERF_EVENT_IOC_ENABLE(r8, 0x8912, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000002c0)={0xffffffffffffffff, 0xffffffffffffffff}) r11 = fcntl$dupfd(r10, 0x0, r9) ioctl$PERF_EVENT_IOC_ENABLE(r11, 0x8912, 0x400200) r12 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r12, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000002c0)=@getlink={0x3c, 0x12, 0x1, 0x0, 0x0, {}, [@IFLA_EXT_MASK={0x8}, @IFLA_IFNAME={0x14, 0x3, 'veth1_vlan\x00'}]}, 0x3c}}, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) write(r0, &(0x7f00000002c0)="e31b1510b0ce3aa8c330c11228adb189d1d8b6f33c221eae3b92bb3b173d2a0b2a7a389267bb601fea05af6f28f9410ed714f57798bfe38885263d504a56f0639e5d6f74df1b133daf3ff1bbb06ed798062b1358403156a2e75667a32d9f91f6de2506c16c9c5fa0f33fcd5ac9d6159c79bdf5cb22031ed93cdc8801e502bf700ab71fa792e96c7f8c6b86da88f196e09b6f4d0fb648186e5d07e983e74fe6d4d4382a999f9a5b02dd96169fa1428d48a3d338cd6c5bead47fbd2f8f7d1dd51c9d6647121e31068642f2077fe7304430c8e6888ecdc60ad645517578fa30ccd903baba7551ab9267f9a150f0e837f44dfadecd2f3df7c8e8ac3edec9951aa1d24c089ffe9e628c12a67eb202f262ca4226645300d9ba1e543cf65354c4bfcc25cb6da4c69c727ec86e790219756d8d3adcd5125433b535d9c3113d169c8223c0e8e072303e3c48bb34d06fd10e2c1c9ab0ac966fabd7dba493c3ec9b600fc516ab79e8229edb2ffe5ac477ae451c7521965ce7f77fac882d429a78c8596d77ecfe6b8720b97cb3f2727be51f8b40085bd1be0360590cc3d00c7ec427d985452082bc50707593e112d1ef69edfbea58d73b1c33929a0c111a431355ae0bf10eb12718ccf1a4ba7e9bf8bbff5a51e2da73f1b11e76cbfdba1cc99e52418503c09c0d857547d2843ce7514de3c4b9a3800a4adeef365e6fc5dd1fd128deddfae6613bb6f2202b49e7b43a8d55387f010e417b7e530337498982752c137b4bacc98bf24dc515b9556aa8764cbf236b088869509e09a6bbe78902f2c30a82d4404704540a8966e5215052518de4001a85cdb403f210396a0f91e07530b594c72a92ffb6c5bd473ee5809ed555d61549129996ef626c2545bc896b9016ff8eeb70279f9bcfef4eb3e0cc7332f209a1c29a7b4e00f4e320e09c043818afcb30757ca4a7b84033e37c6d497310fe3a7496b01d4c4c951491a1cb35c8683992968d8de037fc41dea02ff9ac055a116d1e84208e876e1ce4eef4c394ba7781bde45c1053e52a1058b060377c47875078da321ce35b0c5a94bd03264bf3f6c657ca14a078554375788ed0ba72a2743670ca216b428a3574845f7b151e66716a1cd256541daca7c29171343ecfcc747cacfaac90dd92727adc93dbc42cb0f9ebc5b95438e28b240b135a514e4f82a443b3f2b9c88d42e22239c65dad0afd912f56791abb5719bca2f0af9bf621375e2733a7f7916db8630ac596025d3abc9528aa9ad41537650493280998c385f8e5932f74fc79ab0475ae232203e8b98f857009a523e55b642f7224215c285838088781d95d911654534fb0dfba5812dd36fc999b845bc7c9c634b8b36cd1c9908cdfe7d8b302af7693e3395d4cb726ef9fd3d9c78bfc0c8df3f63c9e6ba7b506365da04925656c25a32e71b2bc230889c64c785160783d65185ccb0950e4381de35fb453b56c77b3717707129be2d5b5b6c9e57bbc2f1d69a30165281af9b1162270c46db530c70e5dc6395c6fee5a996ac7beb1fe6c2dea177835ea6f71b20984ddb07e5dd5432d6a134172ca172c6f53cd2291eda02ac9f8d542650f4562458ae668d67b29fdd29c10a528f82579976471a27e54c11d5f06291f7fec6c05b109544c15a35d7f87030d3ae4f021c678bbef1504b4437d000efe150944543b0a1c6970242bf1995e563fac8e30ed08cd69be1c4804ef91cd1a1197efc53af7e7320c11e2ad1df2b62b335afd6ff53c5aa68b6ed249dba24b468232ec3e192b59e1a9749b61074a0d81d6171c3b6fe0ceb6028e15c5ca0c2465d711ed1f0696188700c00e027ec489fb2ded6cd486aca15676f641e095a373f54f17370b48e82fc724e8699b4bb78b8588f05aebaeb42998df55217e0815f21eb5769994eb35e2e9e3a1df4de1c83945ab363810bb65a8cfdba8c41ed62a86a2e2a1122c3cbaa0a5c39843fd2f2b5f3d7c34be7b2dabd3afa7b8be2a98d5a5952982da67c7f2ee14116c4f0f31538fdae3bcfa43181dff9cce0ea04e85e8a39217688c3340a36bbb6ee2cfcc4286602248c572b74e52cc3a73e38bdf830b560147ee4885522567f49c6613da71a8f5d7dfa7994cfff78c10dca7e6f8e583f74a543cf2c1f5ee22eed6006b4cf5df17f969a536d5f8a9b0caeb4f9881bd6b7a80a6f8734593a8e95637dceba7dc1e607416b6cc4531e3cd15219b456aca478abdb4e0593e9e1739813d4ea9438f0c37572ead64ee32378703a1eb7365a8d8aa82c2265b02a1b5eb8738287a86ea2db9208f6833bd9c75fb2e613501698a47e19610b5871c49d84808832e5d3196899bfeaaf43df501f2706a8a3f54721a98ce61a3a54eb82c44ce4474156eeff2a7326bce86f1c8c1605cb5d2426abc3c1c6a080fcd2c6bf621a1dc4d4d6b7691b352b6d48932a35faff739dd00cf70f60b7e3565add5b81994ddb3a3495fb4dd55a366a76fe66dffe98ad9971bbad4f7d0ae1ff65f930651b000e05cf24b43776c870584382d13886ea91104dbb5afc9f5ee160e72e98a1003c61a3b0f7a891a1cc2b92c3529614e6011a77280e0da38aa39710b057c063c1816da270349635d8172be18b2504f7bf9bec4f0109884e5da52ba8a1aeb7d1a8c1931783d4d7bb0b55a8199df62cbe3706ced154eee44930f9390327d873954b5fcfcef70387f2e13430e837d8a0dc9ea2fbefec50ff3d40a7feb15e10085dd31b99552f4db9f2aa61e5751fe91fd6c55ddad9a96947704e5c6e8e2681addfea34a4056c3904c857661163f48dee8d19ff17c85126b41a018553558e7b66f5d0054bad121fdfe9b5649fb6a23280364ed44846b6174f88982ebcde981d7ae5fedfd9b46e62aec2887aa91dbf1a2ac23504dcfeffd40d12c1bff9e6d106b6db7f42a18f3d3a7f735291837dc812938dcdd3e39fec6effd94711d09a874bb7b87b555ad0e855a52822e811919a4527bfec928f2820dfc2ee654cbc7fa0b73453e9de794c55b5c8d64fdd4bc5fc0f0e427ca56048010be0ae72a3501790d24f573ccc6a4ca00f5cb63f483aa47fec2b81d21ca1d9734db02c7b9d1f7eeddbb2925026b6d0da7089eff0c61ae987ad033bc65355b80c65a8378d428e07ead0033b358dc15d6151c7ea4bd0656501525b652fad2ac75582c1b94660c72ccc66427c119a775abe24302cb3c16002a95dcb861ce6bdefa269317976ab7eca0b9db54483231b89ada50679fbcedba53db4a980ebca2d0deb1a367099390ba5f085d98cdc42d9b1c5a73d2847fd2d428a0b3cb1cae2e0719c2449e03b35f7de4b13942ccb990e1835d7acc5338d8c5798ee2ba65118fecc9c85a5223314d7878adaaa32cfeaa85e5ce51739a6d594fff271efcb4e7aeec707a0a26835314e32e494a00e7ede49213fa99d927a9e46137a26e725685743824aadb2e759d658eb0c305ffd133fcf121e09738833a77eaa93e2d3622e3c75b7da52cee7952c6ebc884f7eabfd596ad98ce420a38d356c2bfe078e3a31f45f264c559b08e384e38d3d84f796c4ff6c11cadd85a2ed77490ef56d42e11f0d8a53abad6180c4a272ce12a1bbae91b63bdd2d5c6bebeb5c109ea32b648aa25dfcc4e2e51554d65a4cf226eb8483c58fcf8936efd28de6ba9cf023df02e38bf41b2ad889c14eadab42abbde0f11cb7169002916c1dff54cafc9a00cb49d30103efc42f855044e3e06c146503c42a762add5d3f4b582dacdc329691a59cef47ace9983259f7e8f9a0cc7606b94d6f0de00a2bf17723f4f9b8af065588127de2527e35902f82e4a44b28cd6f21ef528ab3282be7ffd5e5df6b67f33023f03c8fa267eff1d0f7d8d4f0171f51d846bd30a788cb7da3390ec4e0e26abb8681fb516da17bd57d929356ed4cfcfe4d6ecb069c30ff35990bda411e3963696906c9b376d8ef5f8b09f1300cf636eaa7ff9307d5de54c4359d5246df8c0a6b25ed71f1f76e4842c583f92e7963fb7eb6569a0873bb6e16badf61353bcf5e448250b420e047250c089928eebdd75966765b247df34ec95f08a675001dadfc0989671e036506326bd2e584aac3950827c61fcd061c8d8d69360f5c03bf85a9c91e84bff4a328b86765bbe156a882231c6b327922115eaf3f6f824fd616f34671437b1841ee6196404b676f3ae186fa19e9b4de16e06aa40d3ce4b66220a2c1bb9ad8307b897fc4b18d2208faa6f2e2cdea66c01727f0b4c5191a9ebe69f01981419395382f6e807c100b6e400313d6ff6b94f0c9aa8ed12573000d319d00b723e572c7124a1e8bace88055a0aa093593b9562a098298e6e8c3134d98aea79a19ce1a2dcf8d9db8b7932d228eb59c1449e9d1dadb6cc0fb2c7379112e9a955202fce0889e6799f7b3a1b3b2e618c8fcd34c2915b38cf211f281ab86a027ccccc6a9577a21f846fa66b0896b2782ebc09db53808c43f42238ed7bec0e0bb6248239c40c22b02e170628e8ad5b650b1bc855d925a4fb42c679849e3a29bf3a8a6022f4ebe6d4d4c2728f0be2feb28c2b1277250222ed1e0f3026e3abc3a278b97c563ccb5d1f6b49a396d81d8a6ce3517c58fb55e6b48d6af0009bacee52d3d84985ac9ae6cf0b0231ecd02044f7aeff6c2cea0a175324b6007a0050526ef09695f01d9774337d01f00a867a4586a5a6fe913480d8a4a66068b82ce5fc1189d495993e5e5cc79d1729ac7d0abe83dafbe0962608b5ac548590b5be0a1e213611057aacbd523387cd8a668bf16cffe7b8793af61c7f714df66cf80cf8bf4d12f8c2255ea15ec8c8c6c51acfc82eb93966ea774c63c6f40005d1b2ff402d04ab38d46f67b3729f0228794f912d0ed4a44b6d0fe7a265945d660f83b31efc01175aef64ed611c33a86d938683162c250635d0f2c5d43ccb1ac169b3fdf75ce4d9914cc3a9e80639725145cc5e7f2d58fdf2fa35dd530d2d26f742dd048b985882c680e265a3fa9f183f13e04cbeb1177675059ffdac3fbcfcbafff92910cd81b32c1513a3de6f29fd6d89bab6f1f3fe6ade9235303dfe06665dbed5bf55ec9c4fb2c060ac143b386fa0f2793ad8bc906c3fb5b33c0540d1dcd3647a3d27f6a522db94f4b05f5b37a33c8d51b575ee1e537480fb34fcc9eddc75dfe2968bc486cff32bb792228da31336b13b811253caeea551febbc141f6f15635524b03a1b9a3b2088758ee40bfcedb904ae4d269185d6d7c730c8560296c11da4087223ff77dfa6b9ddef02c4b0efce24a9eef4d5e8da62824267fbc5503ca8dbca13b802fa1d3023a873d775c4f8967d4bc94aad412959b281729744a2d958933474b8d390f217433faea75bd5b3efe6ac5b1e7fd639e8fd6bc8a47f6e2de39987f86e8715201d62793e9921491bf2d8f050c0f800dde3f8c39a6005c480d9daf9e62b49677245ae972fc9b1e71c48154addce05980a02e185c01fbf0c5da90f214e6c60f6344893b5fd7ec10ddde05504a5d6cee532248c1dfba77af5b593d075206c85d0fe9097119cc71fd6add65ea6810d04b2b76f2bdec12fa314a739e6967670f6453c23beb3d1a1d090d1a02b35c09877cb584492e8f0d9b94445e914f5403f49f2a63e829305fb8e8f6f6786532f42127b0f73461b95d6279427af5ee425e3c5f5650cc87c58448841cc9e45d85cff4ba958c4a4e9e4e317861213c6715e998550de70503dc89c97772a7e51a60551f32847d315cd65f7ed2246ac1b188c2b3fe5853027d37d8bef0647665bdaeabacefa622f39cfcd0b4add5fa722a8661f1e8115aa2e8753fdf72ae8dd9fc2fccbbb188", 0x1000) 07:10:45 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0xff}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1093.450278][ T27] audit: type=1804 audit(1586329845.302:1344): pid=22882 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1733/bus" dev="sda1" ino=17348 res=1 07:10:45 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa1f, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:45 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xae010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:45 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:45 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:45 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r4 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r4, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r4, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r3, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000300)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r5, @ANYBLOB="00000000ffffffff0000000009000100686673630000000008000200000000002202ad5110ebfc865287"], 0x3}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r5, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1093.808066][T22925] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1093.827630][T22925] ref_ctr decrement failed for inode: 0x4189 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000006e641f3b 07:10:45 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:45 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xaf000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1093.890652][T22925] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1093.910538][T22925] ref_ctr decrement failed for inode: 0x4189 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000006e641f3b 07:10:45 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r3 = socket(0x10, 0x803, 0x0) r4 = dup(r3) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) r5 = socket(0x10, 0x803, 0x0) r6 = dup(r5) syz_kvm_setup_cpu$x86(r1, r6, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) r8 = dup(r7) ioctl$PERF_EVENT_IOC_ENABLE(r8, 0x8912, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000002c0)={0xffffffffffffffff, 0xffffffffffffffff}) r11 = fcntl$dupfd(r10, 0x0, r9) ioctl$PERF_EVENT_IOC_ENABLE(r11, 0x8912, 0x400200) r12 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r12, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000002c0)=@getlink={0x3c, 0x12, 0x1, 0x0, 0x0, {}, [@IFLA_EXT_MASK={0x8}, @IFLA_IFNAME={0x14, 0x3, 'veth1_vlan\x00'}]}, 0x3c}}, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 07:10:45 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1094.061365][ T27] audit: type=1804 audit(1586329845.912:1345): pid=22922 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1734/bus" dev="sda1" ino=17361 res=1 07:10:46 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc00, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:46 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10c, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:46 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xaf010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:46 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) setsockopt$inet_sctp6_SCTP_RTOINFO(0xffffffffffffffff, 0x84, 0x0, &(0x7f0000000100)={0x0, 0x6, 0x0, 0xb5}, 0x10) getsockopt$inet_sctp_SCTP_PR_ASSOC_STATUS(0xffffffffffffffff, 0x84, 0x73, &(0x7f0000000000)={0x0, 0x9, 0x20, 0x4, 0x3}, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000000240)=0x2) setsockopt$inet_sctp_SCTP_AUTH_DEACTIVATE_KEY(0xffffffffffffffff, 0x84, 0x23, &(0x7f0000000040)={0x0, 0x5}, 0x8) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r4 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r4, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r4, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r3, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x25dfdbfd, {0x0, 0x0, 0x0, r5, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}, 0x1, 0x0, 0x0, 0x10}, 0x48001) 07:10:46 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1094.342302][T22957] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1094.372660][T22957] ref_ctr decrement failed for inode: 0x43c4 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000006e641f3b [ 1094.471770][T22957] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:46 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) r4 = socket(0x10, 0x803, 0x0) r5 = dup(r4) syz_kvm_setup_cpu$x86(r1, r5, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) r7 = dup(r6) ioctl$PERF_EVENT_IOC_ENABLE(r7, 0x8912, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000002c0)={0xffffffffffffffff, 0xffffffffffffffff}) r10 = fcntl$dupfd(r9, 0x0, r8) ioctl$PERF_EVENT_IOC_ENABLE(r10, 0x8912, 0x400200) r11 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r11, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000002c0)=@getlink={0x3c, 0x12, 0x1, 0x0, 0x0, {}, [@IFLA_EXT_MASK={0x8}, @IFLA_IFNAME={0x14, 0x3, 'veth1_vlan\x00'}]}, 0x3c}}, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1094.519723][T22957] ref_ctr decrement failed for inode: 0x43c4 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000006e641f3b 07:10:46 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1094.670860][ T27] audit: type=1804 audit(1586329846.522:1346): pid=22960 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1735/bus" dev="sda1" ino=16721 res=1 07:10:46 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x14, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}}, 0x14}, 0x1, 0x0, 0x0, 0x1}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:46 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x128, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:46 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb0000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:46 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:46 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe00, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:46 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:46 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x134, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:46 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) r4 = socket(0x10, 0x803, 0x0) r5 = dup(r4) syz_kvm_setup_cpu$x86(r1, r5, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) r7 = dup(r6) ioctl$PERF_EVENT_IOC_ENABLE(r7, 0x8912, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000002c0)={0xffffffffffffffff, 0xffffffffffffffff}) r10 = fcntl$dupfd(r9, 0x0, r8) ioctl$PERF_EVENT_IOC_ENABLE(r10, 0x8912, 0x400200) socket$nl_route(0x10, 0x3, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:10:47 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) chmod(&(0x7f0000000040)='./file1\x00', 0x8) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB='<\x00\x00\x00,\x00\'\r\x00\x00\x00\x00\x00\b\x00\x00\x00\x00\x00\x00', @ANYRES32=r6, @ANYBLOB="0000000000000000090000000b000100666c6f77657200000c0002000400548004005580"], 0x3c}}, 0x0) 07:10:47 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:47 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb0010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1095.230754][T23016] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1095.239533][T23016] ref_ctr decrement failed for inode: 0x43bf offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000005cf70cb1 [ 1095.258225][T23016] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1095.294479][T23016] ref_ctr decrement failed for inode: 0x43bf offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000005cf70cb1 07:10:47 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe02, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:47 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x144, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1095.470308][ T27] audit: type=1804 audit(1586329847.322:1347): pid=23017 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1737/bus" dev="sda1" ino=17349 res=1 07:10:47 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:47 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb1000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:47 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) r4 = socket(0x10, 0x803, 0x0) r5 = dup(r4) syz_kvm_setup_cpu$x86(r1, r5, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) r7 = dup(r6) ioctl$PERF_EVENT_IOC_ENABLE(r7, 0x8912, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000002c0)={0xffffffffffffffff, 0xffffffffffffffff}) r10 = fcntl$dupfd(r9, 0x0, r8) ioctl$PERF_EVENT_IOC_ENABLE(r10, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1095.640035][T23037] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1095.673172][T23037] ref_ctr decrement failed for inode: 0x43bf offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000025e7f8ca 07:10:47 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) r2 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) getsockopt$TIPC_SOCK_RECVQ_DEPTH(r2, 0x10f, 0x84, &(0x7f0000000040), &(0x7f00000000c0)=0x4) ftruncate(r1, 0x804) r3 = syz_genetlink_get_family_id$nl80211(0xfffffffffffffffe) sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r3, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r5, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r4, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f00000006c0)=ANY=[@ANYBLOB='<\x00\x00\x00,\x00\'\r\x00'/20, @ANYRES32=r7, @ANYBLOB="0000000000000000090002dad3981f47a0aa888e5860710005a298e600666c6f776572b4f0cec4616ec0c245c628d9969d4364af9019c106e5826545672c97db1dba6e1518211a16b81e139cf8e096e8f7e519b9305b073cec59e096a1055e43335e972becf9b279609dfe7179df567b13fa6b137cc4819ae3f1e6e016499efafaa99a8bbf1924d8ccce8ad0278ef2702992a14520d9bcade1547bb5dbd823503b1521af4f7e58081c20604a9f74b526fe804c5b542f0639cfc42280db5570ffbd98475a7905768c36a86ce2a9fc"], 0x3c}}, 0x0) [ 1095.752452][T23037] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1095.782581][T23037] ref_ctr decrement failed for inode: 0x43bf offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000025e7f8ca 07:10:47 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:47 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1095.982566][ T27] audit: type=1804 audit(1586329847.832:1348): pid=23043 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1738/bus" dev="sda1" ino=16770 res=1 [ 1095.985682][T23058] netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. 07:10:47 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1400, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:48 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) r4 = socket(0x10, 0x803, 0x0) r5 = dup(r4) syz_kvm_setup_cpu$x86(r1, r5, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) r7 = dup(r6) ioctl$PERF_EVENT_IOC_ENABLE(r7, 0x8912, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000002c0)={0xffffffffffffffff, 0xffffffffffffffff}) fcntl$dupfd(r9, 0x0, r8) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:10:48 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x148, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:48 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb1010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:48 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) r1 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) sendto$unix(r1, &(0x7f0000000580)="4538e57cb08db8b0073a048a85a67921e981d47b5918b023a47c5a13740d40f43004f95414c8af16afeaddcd6f27bbeadad75756d1e27461a0491bf0315d628548a5579d95ca9c5208c81a04feb5f1e9428ce43e46a0f0554bfd2c77c359fb3257f3beaae89b796ba2b184318a83c44395cc7bb888ef98cfbfd50b999cd41ad54a6af8d6bfea8e5b24a759afd5263ee30cfad812f956e8ebe5c32631e92c24fdc14fa843146a461813e689c8716f09474125723e4c8736895cef89bd76433e4789b11c5a56e3450b", 0xc8, 0x28010, &(0x7f0000000300)=@abs={0x1, 0x0, 0x4e23}, 0x6e) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r2 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r2, 0x804) r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r3, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(0xffffffffffffffff, &(0x7f0000000380)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000100)=0xfffffffffffffe7e) sendmsg$nl_route_sched(r5, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r4, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000040)=@newtfilter={0x24, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {}, {0x9}}}, 0x24}}, 0x0) 07:10:48 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x48}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1096.294247][ T7803] attempt to access beyond end of device [ 1096.302354][ T7803] loop4: rw=1, want=130, limit=63 [ 1096.317829][ T7803] buffer_io_error: 1 callbacks suppressed [ 1096.317841][ T7803] Buffer I/O error on dev loop4, logical block 129, lost async page write [ 1096.342677][ T7803] attempt to access beyond end of device [ 1096.370511][ T7803] loop4: rw=1, want=131, limit=63 [ 1096.385492][ T7803] Buffer I/O error on dev loop4, logical block 130, lost async page write [ 1096.409831][T23081] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:48 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb2000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1096.434901][T23081] ref_ctr decrement failed for inode: 0x43d0 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c16764f7 [ 1096.447232][ T7803] attempt to access beyond end of device [ 1096.460570][ T7803] loop4: rw=1, want=132, limit=63 [ 1096.467729][ T7803] Buffer I/O error on dev loop4, logical block 131, lost async page write [ 1096.476400][ T7803] attempt to access beyond end of device 07:10:48 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1096.485661][T23081] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1096.505978][ T7803] loop4: rw=1, want=133, limit=63 [ 1096.512788][T23081] ref_ctr decrement failed for inode: 0x43d0 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c16764f7 [ 1096.524345][ T7803] Buffer I/O error on dev loop4, logical block 132, lost async page write 07:10:48 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) r4 = socket(0x10, 0x803, 0x0) r5 = dup(r4) syz_kvm_setup_cpu$x86(r1, r5, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) r7 = dup(r6) ioctl$PERF_EVENT_IOC_ENABLE(r7, 0x8912, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000002c0)) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1096.545134][ T7803] attempt to access beyond end of device [ 1096.568419][ T7803] loop4: rw=1, want=142, limit=63 [ 1096.573518][ T7803] Buffer I/O error on dev loop4, logical block 141, lost async page write [ 1096.691096][ T27] audit: type=1804 audit(1586329848.542:1349): pid=23089 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1739/bus" dev="sda1" ino=16525 res=1 07:10:48 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x68}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:48 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x149, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:48 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1600, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:48 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb2010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:48 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6c}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1097.011298][ T27] audit: type=1804 audit(1586329848.862:1350): pid=23115 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1740/bus" dev="sda1" ino=16947 res=1 [ 1097.097443][ T21] attempt to access beyond end of device [ 1097.121127][ T21] loop4: rw=1, want=78, limit=63 [ 1097.123265][T23126] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:49 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x14e, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:49 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x74}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1097.143172][T23126] ref_ctr decrement failed for inode: 0x408c offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c16764f7 [ 1097.144257][ T21] Buffer I/O error on dev loop4, logical block 77, lost async page write [ 1097.176450][T23126] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:49 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) r4 = socket(0x10, 0x803, 0x0) r5 = dup(r4) syz_kvm_setup_cpu$x86(r1, r5, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) r7 = dup(r6) ioctl$PERF_EVENT_IOC_ENABLE(r7, 0x8912, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1097.201201][T23126] ref_ctr decrement failed for inode: 0x408c offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c16764f7 [ 1097.347360][T23139] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1097.377843][T23139] ref_ctr decrement failed for inode: 0x408c offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c16764f7 07:10:49 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:49 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb3000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:49 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1802, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:49 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x170, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:49 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0xb5}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1097.771137][T23154] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1097.788487][T23154] ref_ctr decrement failed for inode: 0x43b3 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000025e7f8ca 07:10:49 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) r4 = socket(0x10, 0x803, 0x0) r5 = dup(r4) syz_kvm_setup_cpu$x86(r1, r5, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) dup(r6) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1097.831077][T23154] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1097.847815][T23154] ref_ctr decrement failed for inode: 0x43b3 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000025e7f8ca 07:10:49 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0xec}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:49 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb3010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1098.013014][ T27] audit: type=1804 audit(1586329849.862:1351): pid=23161 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1742/bus" dev="sda1" ino=17359 res=1 07:10:49 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:50 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x186, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:50 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1c0a, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:50 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:50 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) r4 = socket(0x10, 0x803, 0x0) r5 = dup(r4) syz_kvm_setup_cpu$x86(r1, r5, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1098.447784][T23188] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1098.460700][ T27] audit: type=1804 audit(1586329850.312:1352): pid=23181 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1743/bus" dev="sda1" ino=17381 res=1 [ 1098.463428][T23188] ref_ctr decrement failed for inode: 0x43e7 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000025e7f8ca 07:10:50 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x190, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:50 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb4000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:50 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1098.589683][T23188] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1098.656597][T23188] ref_ctr decrement failed for inode: 0x43e7 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000025e7f8ca 07:10:50 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) sendmsg$NLBL_UNLABEL_C_STATICREMOVE(r0, &(0x7f0000000380)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1}, 0xc, &(0x7f00000000c0)={&(0x7f0000000480)={0x74, 0x0, 0x200, 0x70bd27, 0x25dfdbfc, {}, [@NLBL_UNLABEL_A_IPV6ADDR={0x14, 0x2, @mcast2}, @NLBL_UNLABEL_A_IPV6ADDR={0x14, 0x2, @rand_addr="a585287287b8aebf4d2151779ba6328f"}, @NLBL_UNLABEL_A_IPV6MASK={0x14, 0x3, @local}, @NLBL_UNLABEL_A_IFACE={0x14, 0x6, 'wg2\x00'}, @NLBL_UNLABEL_A_IPV4ADDR={0x8, 0x4, @initdev={0xac, 0x1e, 0x0, 0x0}}, @NLBL_UNLABEL_A_ACPTFLG={0x5}]}, 0x74}, 0x1, 0x0, 0x0, 0x8010}, 0x800) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000800)=ANY=[@ANYBLOB='(\x00\x00\x00', @ANYRES16=r2, @ANYBLOB="c18f00000000000000001100000027009900000000000000000008000100000000007307182da80188e89efa0e030e250268d2b6378f32be523a6d8531bb154562dd77d2f15b44152d5acd04ef0e6ffd23ed153f32304a7a18befcba03286bc8375d80c94b9464b97efa15194dc5222b38fa1a0e99d7af635e39f48bd89e54aabb0486d09a24e746a0eb98784746c268ed9b53ca32fb0c583a46de5791e80925fbda6c63cfd5af2f63dbf559eff7549b5ae92a715e99e8fe9307a82d2c1114e9bc562534b0c62d799d3a5fb97dd695a20546101d44164a0461385410b0bc414fc362ae91855755b9a6b15d1d9f1f6cffcaf72489bd66bd1325c229111f2f1b27b333c0fbd8cb0c8633af381ef0fda137001db57d14c0f5cc7b"], 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) bind$nfc_llcp(r4, &(0x7f0000000300)={0x27, 0x1, 0x2, 0x1, 0xe5, 0x2, "a79f8f7f5d7c10bbe06467a8dfc0fdb0061e68827d1cf756c428b3d7956fe6d6ed940b84d6942ef020fc5ed4a708031d5ec43d14c84f9d750594dea254e7cd", 0x18}, 0x60) r5 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r6 = socket(0x23, 0x800, 0x404) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r5, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000940)=ANY=[@ANYBLOB="3c0000002c00270d00000009000000000000000001fe00a589adf8f806cebec183a1d14a25cea889e4eafec645da33d9d9d9980c384cb9cc71549197f847438711a2825a1c714a32b3b3ffa506e3a47c5ee1a29f242449caad6df40bd9657136e9ebdbe3afe80af683d768a9c05ace5bf90ab45180e2ae594f3b06e419476b60d0156661992bb1b43dbe3af58dcc086283b789ae2ebd5a92ec7aa5f64b78c2e44f5bb3f645115804448b20fd8a74dbeba411a2dadc8afc32039c5951e64d42abd6155b2b116d2ae8cb2a884cf3c17f6fe3cd518182c0dd71218171", @ANYRES32=r7, @ANYBLOB="00000000000029a8369a49b11842090000000b000100666c6f77657218002f0002000400548004005580000000000000a646bb8e5e2159ef536b204ffb1fa7898aa84903646656b41bee837c624d9c5cafbe34b4b1217ec369ff401eb83ad653577b6f75ccc55db3ae9342105daa602d973ca121413c61393c07b73f5d9f27bab218380fafec9bbf3105b12c7eac2d110c699433f38a3e7c5b72b486da9fb7a3020ec512db6ce029edc9528cbb4b19ec6146cafbb497ce87c2262ea109241f9c14f83e6ad45d15261bf69aecfa3877be1202f193e6cd71bc8fdedff2"], 0x3c}}, 0x0) 07:10:50 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) r4 = socket(0x10, 0x803, 0x0) r5 = dup(r4) syz_kvm_setup_cpu$x86(r1, r5, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:10:50 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:50 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1d0a, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1098.964061][ T27] audit: type=1804 audit(1586329850.812:1353): pid=23197 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1744/bus" dev="sda1" ino=17331 res=1 [ 1099.186311][T23204] netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. 07:10:51 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb4010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:51 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:51 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1a0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1099.248716][T23221] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1099.264797][T23221] ref_ctr decrement failed for inode: 0x4154 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c16764f7 07:10:51 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r5, 0x8912, 0x400200) io_uring_register$IORING_REGISTER_EVENTFD(r0, 0x4, &(0x7f0000000040)=r5, 0x1) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1099.320423][T23221] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1099.353228][T23221] ref_ctr decrement failed for inode: 0x4154 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c16764f7 [ 1099.394052][T12579] attempt to access beyond end of device [ 1099.400386][T12579] loop4: rw=1, want=130, limit=63 07:10:51 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) r4 = socket(0x10, 0x803, 0x0) dup(r4) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:10:51 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1099.440011][T12579] Buffer I/O error on dev loop4, logical block 129, lost async page write [ 1099.454205][T12579] attempt to access beyond end of device [ 1099.468718][T23234] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1099.480209][T12579] loop4: rw=1, want=131, limit=63 [ 1099.490527][T23234] ref_ctr decrement failed for inode: 0x4154 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c16764f7 [ 1099.504455][T12579] Buffer I/O error on dev loop4, logical block 130, lost async page write [ 1099.519878][T12579] attempt to access beyond end of device [ 1099.526194][T12579] loop4: rw=1, want=132, limit=63 [ 1099.547823][T12579] Buffer I/O error on dev loop4, logical block 131, lost async page write [ 1099.561594][T12579] attempt to access beyond end of device [ 1099.570729][T12579] loop4: rw=1, want=133, limit=63 [ 1099.576122][T12579] Buffer I/O error on dev loop4, logical block 132, lost async page write 07:10:51 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb5000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1099.595144][T12579] attempt to access beyond end of device [ 1099.603321][T12579] loop4: rw=1, want=142, limit=63 [ 1099.640920][ T27] audit: type=1804 audit(1586329851.492:1354): pid=23232 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1745/bus" dev="sda1" ino=16722 res=1 07:10:51 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:51 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1e0a, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:51 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1a8, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:51 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:51 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) r4 = socket(0x10, 0x803, 0x0) dup(r4) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:10:51 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1099.997346][T23264] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1100.025095][T23264] ref_ctr decrement failed for inode: 0x43c1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000967cdd56 [ 1100.046797][T23264] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1100.070534][T23264] ref_ctr decrement failed for inode: 0x43c1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000967cdd56 07:10:52 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb5010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:52 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:52 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) openat$full(0xffffffffffffff9c, &(0x7f0000000040)='/dev/full\x00', 0x12800, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:52 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) r4 = socket(0x10, 0x803, 0x0) dup(r4) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1100.270988][ T27] audit: type=1804 audit(1586329852.122:1355): pid=23260 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1746/bus" dev="sda1" ino=16777 res=1 07:10:52 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1b5, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:52 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb6000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:52 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1f0a, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:52 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:52 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:52 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb6010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1100.680300][T23302] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1100.691103][ T27] audit: type=1804 audit(1586329852.542:1356): pid=23298 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1747/bus" dev="sda1" ino=17389 res=1 07:10:52 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}, 0x1, 0x0, 0x0, 0x6}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) getsockopt$inet_sctp_SCTP_PR_ASSOC_STATUS(0xffffffffffffffff, 0x84, 0x73, &(0x7f0000000000)={0x0, 0x9, 0x20, 0x4, 0x3}, 0x0) getsockopt$inet_sctp_SCTP_PRIMARY_ADDR(0xffffffffffffffff, 0x84, 0x6, &(0x7f0000000300)={0x0, @in={{0x2, 0x4e20, @multicast1}}}, &(0x7f0000000040)=0x84) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB="a79d213c0000002c00270d000000000000000000", @ANYRES32=r6, @ANYBLOB="0000000000000000090000000b000100666c6f77657200000c0002000400548004005580"], 0x3c}}, 0x0) 07:10:52 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) socket(0x10, 0x803, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:10:52 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1c0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1100.725122][T23302] ref_ctr decrement failed for inode: 0x43ec offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c16764f7 [ 1100.787208][T23302] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1100.798820][T23302] ref_ctr decrement failed for inode: 0x43ec offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c16764f7 07:10:52 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x48}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1100.908695][T23324] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1100.924701][T23324] ref_ctr decrement failed for inode: 0x43ec offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c16764f7 07:10:52 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb7000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:52 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:53 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1101.100538][ T27] audit: type=1804 audit(1586329852.952:1357): pid=23326 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1748/bus" dev="sda1" ino=17359 res=1 07:10:53 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1d6, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:53 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:10:53 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x68}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:53 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7ffc, 0x1, &(0x7f0000000140)=[{&(0x7f0000000300)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') r3 = openat$binder_debug(0xffffffffffffff9c, &(0x7f0000000340)='/sys/kernel/debug/binder/failed_transaction_log\x00', 0x0, 0x0) sendmsg$NL80211_CMD_GET_SCAN(r3, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0xc}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x48030) r4 = socket$nl_route(0x10, 0x3, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r5, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000020900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r4, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB='<\x00\x00\x00,\x00\'\r\x00'/20, @ANYRES32=r7, @ANYBLOB="000000000000f0ff090000000b000100666c6f77657200000c0002000400548004005580"], 0x3c}}, 0x0) r8 = syz_open_dev$usbfs(&(0x7f0000000040)='/dev/bus/usb/00#/00#\x00', 0xe000000000000000, 0x20000) ioctl$FS_IOC_SETVERSION(r8, 0x40087602, &(0x7f00000000c0)=0x1) [ 1101.347308][T23351] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1101.358059][T23351] ref_ctr decrement failed for inode: 0x4154 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000025e7f8ca [ 1101.375592][T23351] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1101.398396][T23351] ref_ctr decrement failed for inode: 0x4154 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000025e7f8ca 07:10:53 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb7010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:53 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6c}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1101.551101][ T27] audit: type=1804 audit(1586329853.402:1358): pid=23349 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1749/bus" dev="sda1" ino=17346 res=1 07:10:53 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1dc, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:53 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2200, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:53 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = socket(0x10, 0x803, 0x0) dup(r2) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:10:53 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb8000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:53 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x74}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1101.827464][T23375] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1101.847382][T23375] ref_ctr decrement failed for inode: 0x4157 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c16764f7 07:10:53 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)=ANY=[@ANYBLOB='(\x00\x00\x00', @ANYRES16=r2, @ANYBLOB="c18f00000000000000001100000027009900f701000000000000080001a866000000"], 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1101.879881][T23375] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1101.889617][T23375] ref_ctr decrement failed for inode: 0x4157 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c16764f7 07:10:53 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1102.042278][ T27] audit: type=1804 audit(1586329853.892:1359): pid=23377 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1750/bus" dev="sda1" ino=17388 res=1 07:10:53 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3403, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:54 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = socket(0x10, 0x803, 0x0) dup(r2) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:10:54 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb8010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:54 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x226, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:54 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xb5}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:54 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)=ANY=[@ANYBLOB='(\x00\x00\x00', @ANYRES16=r2, @ANYBLOB="c18f00000000000020001100000027009900"/34], 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1102.417385][T23411] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1102.452076][T23411] ref_ctr decrement failed for inode: 0x43c2 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000967cdd56 07:10:54 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb9000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:54 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xec}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1102.482113][T23411] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1102.516882][T23411] ref_ctr decrement failed for inode: 0x43c2 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000967cdd56 07:10:54 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:54 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x24c, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1102.685892][ T27] audit: type=1804 audit(1586329854.532:1360): pid=23423 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1751/bus" dev="sda1" ino=17345 res=1 07:10:54 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = socket(0x10, 0x803, 0x0) dup(r2) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:10:54 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3f00, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:54 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x300}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1102.989807][ T27] audit: type=1804 audit(1586329854.842:1361): pid=23447 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1752/bus" dev="sda1" ino=17345 res=1 07:10:54 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb9010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:54 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x24e, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:54 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) r1 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) fsconfig$FSCONFIG_CMD_RECONFIGURE(r1, 0x7, 0x0, 0x0, 0x0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r2 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r2, 0x804) r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r3, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r5, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r4, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1103.030038][T23457] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:54 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x500}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1103.087338][T23457] ref_ctr decrement failed for inode: 0x43f1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000589f28b1 [ 1103.106907][T23457] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1103.139972][T23457] ref_ctr decrement failed for inode: 0x43f1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000589f28b1 07:10:55 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) socket(0x10, 0x803, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:10:55 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xba000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:55 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x252, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:55 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x600}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1103.360135][ T27] audit: type=1804 audit(1586329855.212:1362): pid=23466 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1753/bus" dev="sda1" ino=17335 res=1 07:10:55 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:55 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x700}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:55 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r0, 0x8933, &(0x7f0000000040)={'batadv0\x00', 0x0}) sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x24, r2, 0x800, 0x0, 0x0, {0x11}, [@NL80211_ATTR_IFINDEX={0x8, 0x3, r3}, @NL80211_ATTR_WIPHY={0x8}]}, 0x24}}, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r5, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r4, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB='<\x00\x00\x00,\x00\'\r\x00'/20, @ANYRES32=r7, @ANYBLOB="000000000000000009000f000b000100666c6f77657200000c0002000400548004005580"], 0x3c}}, 0x0) 07:10:55 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xba010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1103.707749][T23494] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1103.719651][ T27] audit: type=1804 audit(1586329855.572:1363): pid=23491 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1754/bus" dev="sda1" ino=17390 res=1 [ 1103.734172][T23494] ref_ctr decrement failed for inode: 0x43cf offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000589f28b1 07:10:55 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x259, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:55 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:55 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) socket(0x10, 0x803, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1103.756743][T12579] attempt to access beyond end of device [ 1103.767723][T23494] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1103.775907][T23494] ref_ctr decrement failed for inode: 0x43cf offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000589f28b1 [ 1103.777665][T12579] loop4: rw=1, want=130, limit=63 [ 1103.803437][T12579] buffer_io_error: 1 callbacks suppressed [ 1103.803447][T12579] Buffer I/O error on dev loop4, logical block 129, lost async page write [ 1103.819502][T12579] attempt to access beyond end of device [ 1103.825280][T12579] loop4: rw=1, want=131, limit=63 [ 1103.830618][T12579] Buffer I/O error on dev loop4, logical block 130, lost async page write [ 1103.840850][T23500] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1103.848828][T12579] attempt to access beyond end of device [ 1103.852074][T23500] ref_ctr decrement failed for inode: 0x43cf offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000589f28b1 [ 1103.858627][T12579] loop4: rw=1, want=132, limit=63 [ 1103.873216][T12579] Buffer I/O error on dev loop4, logical block 131, lost async page write [ 1103.913851][T12579] attempt to access beyond end of device 07:10:55 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1103.957515][T12579] loop4: rw=1, want=133, limit=63 [ 1103.962571][T12579] Buffer I/O error on dev loop4, logical block 132, lost async page write 07:10:55 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4402, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1104.019675][T12579] attempt to access beyond end of device [ 1104.025389][T12579] loop4: rw=1, want=142, limit=63 [ 1104.031242][T12579] Buffer I/O error on dev loop4, logical block 141, lost async page write 07:10:55 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1800}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1104.161149][ T27] audit: type=1804 audit(1586329856.012:1364): pid=23505 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1755/bus" dev="sda1" ino=17394 res=1 07:10:56 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xbb000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:56 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x26c, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:56 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1104.283416][T23522] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1104.300200][T23522] ref_ctr decrement failed for inode: 0x43fd offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000085786c98 07:10:56 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) socket(0x10, 0x803, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1104.405656][T23522] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1104.445723][T23522] ref_ctr decrement failed for inode: 0x43fd offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000085786c98 07:10:56 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) sendmsg$IPSET_CMD_DESTROY(r1, &(0x7f0000000340)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x8000000}, 0xc, &(0x7f0000000300)={&(0x7f00000000c0)={0x28, 0x3, 0x6, 0xa05, 0x0, 0x0, {0x3, 0x0, 0x3}, [@IPSET_ATTR_SETNAME={0x9, 0x2, 'syz2\x00'}, @IPSET_ATTR_PROTOCOL={0x5}]}, 0x28}, 0x1, 0x0, 0x0, 0x20004000}, 0x44010) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:56 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1104.638433][ T27] audit: type=1804 audit(1586329856.492:1365): pid=23532 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1756/bus" dev="sda1" ino=17346 res=1 07:10:56 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x26e, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:56 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xbb010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:56 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4800}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:56 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4800, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:56 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:56 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:10:56 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6800}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1105.051994][T23576] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1105.065029][T23576] ref_ctr decrement failed for inode: 0x43ee offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000006e641f3b [ 1105.091069][ T27] audit: type=1804 audit(1586329856.942:1366): pid=23561 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1757/bus" dev="sda1" ino=17405 res=1 [ 1105.113129][T23576] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:57 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x280, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1105.151575][T23576] ref_ctr decrement failed for inode: 0x43ee offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000006e641f3b 07:10:57 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') r3 = socket(0x10, 0x803, 0x0) dup(r3) sendmsg$IPCTNL_MSG_EXP_NEW(r3, &(0x7f0000000300)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x400000}, 0xc, &(0x7f00000000c0)={&(0x7f0000000580)={0xd8, 0x0, 0x2, 0x0, 0x0, 0x0, {0x5, 0x0, 0x2}, [@CTA_EXPECT_HELP_NAME={0xf, 0x6, 'sane-20000\x00'}, @CTA_EXPECT_MASTER={0x9c, 0x1, 0x0, 0x1, [@CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5, 0x1, 0x11}}, @CTA_TUPLE_IP={0x2c, 0x1, 0x0, 0x1, @ipv6={{0x14, 0x3, @local}, {0x14, 0x4, @mcast2}}}, @CTA_TUPLE_ZONE={0x6, 0x3, 0x1, 0x0, 0x4}, @CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5, 0x1, 0x21}}, @CTA_TUPLE_IP={0x14, 0x1, 0x0, 0x1, @ipv4={{0x8, 0x1, @rand_addr=0xc413}, {0x8, 0x2, @rand_addr=0x2}}}, @CTA_TUPLE_ZONE={0x6, 0x3, 0x1, 0x0, 0x4}, @CTA_TUPLE_ZONE={0x6, 0x3, 0x1, 0x0, 0x3}, @CTA_TUPLE_IP={0x14, 0x1, 0x0, 0x1, @ipv4={{0x8, 0x1, @local}, {0x8, 0x2, @local}}}, @CTA_TUPLE_IP={0x14, 0x1, 0x0, 0x1, @ipv4={{0x8, 0x1, @broadcast}, {0x8, 0x2, @multicast2}}}]}, @CTA_EXPECT_HELP_NAME={0xe, 0x6, 'snmp_trap\x00'}, @CTA_EXPECT_CLASS={0x8, 0x9, 0x1, 0x0, 0x2}]}, 0xd8}, 0x1, 0x0, 0x0, 0x81}, 0x4000c14) sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x2) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r5, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240001000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x3}}, 0x20004000) sendmsg$nl_route_sched(r4, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:57 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xbc000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:57 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6c00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:57 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c00, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:57 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1105.411833][ T27] audit: type=1804 audit(1586329857.262:1367): pid=23584 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1758/bus" dev="sda1" ino=16503 res=1 07:10:57 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x28e, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:57 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7400}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:57 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)=ANY=[@ANYBLOB='(\x00\x00\x00', @ANYRES16=r2, @ANYBLOB="c18f00001b0000000000110000002700990001000000000000000800010000000000"], 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="005006a2a3000500"/19, @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:57 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:57 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xbc010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1105.802637][ T27] audit: type=1804 audit(1586329857.652:1368): pid=23612 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1759/bus" dev="sda1" ino=17411 res=1 07:10:57 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x29c, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:57 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xb500}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:57 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r2 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1105.958636][T23607] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1105.970477][T23607] ref_ctr decrement failed for inode: 0x43f8 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e [ 1106.017304][T23607] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1106.028337][T23607] ref_ctr decrement failed for inode: 0x43f8 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e 07:10:57 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xec00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1106.130042][T23640] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:58 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) r7 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r7, 0x8912, 0x400200) recvmsg$can_j1939(r7, &(0x7f0000000040)={&(0x7f0000000300)=@in, 0x80, &(0x7f0000001800)=[{&(0x7f0000000480)=""/79, 0x4f}, {&(0x7f0000000580)=""/133, 0x85}, {&(0x7f00000006c0)=""/87, 0x57}, {&(0x7f0000000740)=""/4096, 0x1000}, {&(0x7f0000001740)=""/174, 0xae}], 0x5, &(0x7f0000001880)=""/105, 0x69}, 0x41) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB='<\x00\x00\x00,\x00\'\r\x00'/20, @ANYRES32=r6, @ANYBLOB="0000000000000000090000000b000100666c6f77657200000c0002000400548004005580"], 0x3c}}, 0x0) [ 1106.188326][T23640] ref_ctr decrement failed for inode: 0x43f8 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e 07:10:58 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5101, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:58 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:10:58 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xbd000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:58 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:58 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2a0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:58 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1106.562843][T23655] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1106.597296][T23655] ref_ctr decrement failed for inode: 0x43e1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e [ 1106.608936][T23655] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1106.617123][T23655] ref_ctr decrement failed for inode: 0x43e1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e 07:10:58 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$FUSE_DEV_IOC_CLONE(0xffffffffffffffff, 0x8004e500, &(0x7f0000000040)) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) ioctl$SNDRV_PCM_IOCTL_RESET(r1, 0x4141, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:58 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffff}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1106.747321][T23673] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1106.766134][T23673] ref_ctr decrement failed for inode: 0x43e1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e 07:10:58 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xbd010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:58 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:58 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:58 executing program 3: openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r0 = socket(0x10, 0x803, 0x0) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:10:58 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2e2, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:58 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:59 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1107.199995][T23705] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:10:59 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:59 executing program 4: r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)=ANY=[@ANYBLOB='(\x00\x00@', @ANYRES16=r2, @ANYBLOB="c18f0000000000000000110000002700990000000000000000000800010000000000"], 0x28}}, 0x0) r3 = socket(0x10, 0x803, 0x0) dup(r3) sendmsg$IPSET_CMD_TYPE(r3, &(0x7f0000000340)={&(0x7f0000000380)={0x10, 0x0, 0x0, 0x80020}, 0xc, &(0x7f0000000300)={&(0x7f00000000c0)={0x34, 0xd, 0x6, 0x201, 0x0, 0x0, {0x7, 0x0, 0x5}, [@IPSET_ATTR_FAMILY={0x5, 0x5, 0x3}, @IPSET_ATTR_FAMILY={0x5, 0x5, 0x2}, @IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_FAMILY={0x5}]}, 0x34}, 0x1, 0x0, 0x0, 0x8000}, 0x11) r4 = socket$nl_route(0x10, 0x3, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r5, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) socket$pppoe(0x18, 0x1, 0x0) sendmsg$nl_route_sched(r4, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:59 executing program 3: openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r0 = socket(0x10, 0x803, 0x0) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:10:59 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xbe000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1107.240029][T23705] ref_ctr decrement failed for inode: 0x4151 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 [ 1107.260498][T23705] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1107.274098][T23705] ref_ctr decrement failed for inode: 0x4151 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:10:59 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:59 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2e8, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1107.450888][ T27] kauditd_printk_skb: 2 callbacks suppressed [ 1107.450934][ T27] audit: type=1804 audit(1586329859.302:1371): pid=23700 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1762/bus" dev="sda1" ino=17406 res=1 07:10:59 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6403, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:10:59 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:59 executing program 3: openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r0 = socket(0x10, 0x803, 0x0) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:10:59 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xbe010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:59 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)=ANY=[@ANYBLOB, @ANYRES16=r2, @ANYBLOB="c18f0000000000000000110000002700990000000000000000000800010000000000"], 0x28}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) socket$inet_udp(0x2, 0x2, 0x0) socket$inet6_tcp(0xa, 0x1, 0x0) r4 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r4, &(0x7f00000000c0)={0xa, 0x4e22}, 0x1c) [ 1107.673706][ T27] audit: type=1804 audit(1586329859.522:1372): pid=23730 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1763/bus" dev="sda1" ino=16625 res=1 [ 1107.702193][T23734] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1107.712142][T23734] ref_ctr decrement failed for inode: 0x4152 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:10:59 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:59 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2ea, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1107.745820][T23734] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1107.772732][T23734] ref_ctr decrement failed for inode: 0x4152 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:10:59 executing program 3: r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r1 = socket(0x10, 0x803, 0x0) r2 = dup(r1) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:10:59 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1107.937268][T23754] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1107.968371][T23754] ref_ctr decrement failed for inode: 0x4152 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:10:59 executing program 3: r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r1 = socket(0x10, 0x803, 0x0) r2 = dup(r1) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:10:59 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:10:59 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xbf000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:10:59 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6800, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1108.120884][ T27] audit: type=1804 audit(1586329859.972:1373): pid=23748 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1764/bus" dev="sda1" ino=16705 res=1 07:11:00 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2ee, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:00 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:00 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) openat$vimc0(0xffffffffffffff9c, &(0x7f0000000040)='/dev/video0\x00', 0x2, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0xfffffffffffffdda}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) sendfile(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x102000003) setsockopt$inet_MCAST_JOIN_GROUP(0xffffffffffffffff, 0x0, 0x2a, &(0x7f0000000300)={0xa51, {{0x2, 0x4e21, @loopback}}}, 0x88) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:00 executing program 3: r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r1 = socket(0x10, 0x803, 0x0) r2 = dup(r1) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:11:00 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1108.386924][T23782] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1108.419856][T23782] ref_ctr decrement failed for inode: 0x41d1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:11:00 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xbf010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:00 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1108.475764][T23782] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1108.513013][T23782] ref_ctr decrement failed for inode: 0x41d1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:11:00 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r5, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) sendmsg$NL80211_CMD_NEW_INTERFACE(0xffffffffffffffff, &(0x7f0000000580)={&(0x7f0000000380)={0x10, 0x0, 0x0, 0x2}, 0xc, &(0x7f0000000400)={&(0x7f0000000480)={0x48, r5, 0x4, 0x70bd27, 0x25dfdbfd, {}, [@NL80211_ATTR_IFNAME={0x14, 0x4, 'erspan0\x00'}, @NL80211_ATTR_WDEV={0xc, 0x99, {0x4, 0x3}}, @NL80211_ATTR_WDEV={0xc, 0x99, {0x8001, 0x5}}, @NL80211_ATTR_IFTYPE={0x8, 0x5, 0xc}]}, 0x48}, 0x1, 0x0, 0x0, 0x40000004}, 0x48011) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB="3c0000002c00270d00000000000000000000b980", @ANYRES32=r7, @ANYBLOB="00000000000000000905000000000000000000657200000c000200040054800400558000"], 0x3c}}, 0x0) 07:11:00 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x48}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1108.603132][ T21] attempt to access beyond end of device [ 1108.629391][ T21] loop4: rw=1, want=130, limit=63 [ 1108.642669][ T21] Buffer I/O error on dev loop4, logical block 129, lost async page write [ 1108.651481][ T21] attempt to access beyond end of device [ 1108.657572][ T21] loop4: rw=1, want=131, limit=63 [ 1108.668274][ T27] audit: type=1804 audit(1586329860.522:1374): pid=23783 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1765/bus" dev="sda1" ino=16524 res=1 [ 1108.696035][ T21] Buffer I/O error on dev loop4, logical block 130, lost async page write 07:11:00 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:00 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2f0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1108.725524][ T21] attempt to access beyond end of device [ 1108.741117][ T21] loop4: rw=1, want=132, limit=63 [ 1108.754043][ T21] Buffer I/O error on dev loop4, logical block 131, lost async page write 07:11:00 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6c00, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:00 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1108.789929][ T21] attempt to access beyond end of device [ 1108.811140][ T21] loop4: rw=1, want=133, limit=63 [ 1108.818221][ T21] Buffer I/O error on dev loop4, logical block 132, lost async page write [ 1108.832718][ T21] attempt to access beyond end of device 07:11:00 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xc0000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1108.867365][ T21] loop4: rw=1, want=142, limit=63 07:11:00 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x68}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1108.892103][ T21] Buffer I/O error on dev loop4, logical block 141, lost async page write 07:11:00 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1109.040882][ T27] audit: type=1804 audit(1586329860.892:1375): pid=23819 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1766/bus" dev="sda1" ino=16593 res=1 [ 1109.080080][T23829] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:00 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6c}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1109.110686][T23829] ref_ctr decrement failed for inode: 0x4152 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de [ 1109.125519][T23829] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1109.135885][T23829] ref_ctr decrement failed for inode: 0x4152 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de 07:11:01 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x300, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:01 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x74}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1109.297390][T23836] netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. [ 1109.340038][T23829] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1109.365686][T23829] ref_ctr decrement failed for inode: 0x4152 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de 07:11:01 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) r1 = creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$VIDIOC_LOG_STATUS(r1, 0x5646, 0x0) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r2 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r2, 0x804) r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r3, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}, 0x1, 0x0, 0x0, 0x4800}, 0x84) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r5, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r4, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:01 executing program 3: openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r1 = socket(0x10, 0x803, 0x0) r2 = dup(r1) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:11:01 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xc0010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:01 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:01 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7400, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:01 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xb5}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1109.521124][ T27] audit: type=1804 audit(1586329861.372:1376): pid=23848 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1767/bus" dev="sda1" ino=16769 res=1 07:11:01 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x318, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:01 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xec}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:01 executing program 3: openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r1 = socket(0x10, 0x803, 0x0) r2 = dup(r1) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:11:01 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xc1000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1109.707635][T23869] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1109.732363][T23869] ref_ctr decrement failed for inode: 0x408c offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de 07:11:01 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1109.825684][T23869] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1109.857277][T23869] ref_ctr decrement failed for inode: 0x408c offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de 07:11:01 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000300)=ANY=[@ANYBLOB="3c0000002c00270d000000000000000000000000aa429c1f40", @ANYRES32=r6, @ANYBLOB="0000000000000000090000000b000100666c6f77657200000c0002000400548004005580"], 0x3c}}, 0x0) [ 1109.937856][ T21] attempt to access beyond end of device [ 1109.943515][ T21] loop4: rw=1, want=130, limit=63 [ 1109.948563][ T21] Buffer I/O error on dev loop4, logical block 129, lost async page write [ 1109.957492][ T21] attempt to access beyond end of device [ 1109.963439][ T21] loop4: rw=1, want=131, limit=63 [ 1109.968618][ T21] Buffer I/O error on dev loop4, logical block 130, lost async page write [ 1109.977571][ T21] attempt to access beyond end of device 07:11:01 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x300}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1109.983427][ T21] loop4: rw=1, want=132, limit=63 [ 1109.988900][ T21] Buffer I/O error on dev loop4, logical block 131, lost async page write [ 1109.997678][ T21] attempt to access beyond end of device [ 1110.004612][ T21] loop4: rw=1, want=133, limit=63 [ 1110.009940][ T21] Buffer I/O error on dev loop4, logical block 132, lost async page write [ 1110.021216][ T21] attempt to access beyond end of device [ 1110.023018][ T27] audit: type=1804 audit(1586329861.872:1377): pid=23875 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1768/bus" dev="sda1" ino=16528 res=1 [ 1110.027543][ T21] loop4: rw=1, want=142, limit=63 [ 1110.056405][ T21] Buffer I/O error on dev loop4, logical block 141, lost async page write 07:11:01 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x500}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:02 executing program 3: openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r1 = socket(0x10, 0x803, 0x0) r2 = dup(r1) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:11:02 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a00, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:02 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xc1010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:02 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x326, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:02 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x600}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:02 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x0, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1110.416219][T23907] netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. [ 1110.429934][T23912] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1110.455585][T23925] netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. 07:11:02 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xc2000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1110.459450][T23912] ref_ctr decrement failed for inode: 0x4151 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000057e284e5 [ 1110.479472][T23912] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1110.512718][T23912] ref_ctr decrement failed for inode: 0x4151 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000057e284e5 07:11:02 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x700}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:02 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) openat$bsg(0xffffffffffffff9c, &(0x7f0000000040)='/dev/bsg\x00', 0x80002, 0x0) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) r5 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f00000000c0)='rdma.current\x00', 0x0, 0x0) ioctl$TIOCMIWAIT(r5, 0x545c, 0x0) socket$netlink(0x10, 0x3, 0x0) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:02 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x0, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1110.721458][ T27] audit: type=1804 audit(1586329862.572:1378): pid=23913 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1769/bus" dev="sda1" ino=16726 res=1 07:11:02 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x328, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:02 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:02 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xc2010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:02 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8600, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:02 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:02 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./bus\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1111.057584][T23964] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1111.068598][ T27] audit: type=1804 audit(1586329862.922:1379): pid=23951 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1770/bus" dev="sda1" ino=16524 res=1 07:11:03 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x344, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1111.107310][T23964] ref_ctr decrement failed for inode: 0x4151 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000057e284e5 [ 1111.123538][T23964] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1111.141976][T23964] ref_ctr decrement failed for inode: 0x4151 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000057e284e5 07:11:03 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xc2f44f97, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:03 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x0, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:11:03 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1800}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1111.431111][ T27] audit: type=1804 audit(1586329863.282:1380): pid=23973 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1771/bus" dev="sda1" ino=16872 res=1 07:11:03 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:03 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x34c, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:03 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xc3000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:03 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9802, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:03 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1111.717462][T23998] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1111.732878][T23998] ref_ctr decrement failed for inode: 0x4101 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000057e284e5 07:11:03 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) r7 = socket$inet(0x2, 0x4000000000000001, 0x0) bind$inet(r7, &(0x7f0000000080)={0x2, 0x4e23, @dev}, 0x10) sendto$inet(r7, 0x0, 0x0, 0x200007fa, &(0x7f0000000140)={0x2, 0x4e23, @dev={0xac, 0x14, 0x14, 0x1e}}, 0x10) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000580)=ANY=[@ANYRESHEX=r7, @ANYRES32=r6, @ANYRESOCT], 0x3}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f00000006c0)=@newtfilter={0x5314, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_matchall={{0xd, 0x1, 'matchall\x00'}, {0x52e0, 0x2, [@TCA_MATCHALL_ACT={0x100, 0x2, [@m_csum={0xfc, 0xc, 0x0, 0x0, {{0x9, 0x1, 'csum\x00'}, {0x4}, {0xe7, 0x6, "d2949a23970207fbf5a8d4d97c2d7473f363aed039a08e36875d2f431908b49d6dddf73c8cfa678bf95de22e77653839f34e60c95cb0b2791275da8bf8e9158aa0e148b978308dbd17adfe785960e98ce91426e73c7ef072e7da3274e9199d92760418aba716cd9e33cf6a5712d1b1926d005c2b7a6b9d582c8d4fc09ab702bea5f26f06ad9ac29bdb6570caff0158d5d89cf31d113722d6b245a3bde8f092d81448403fd7f055aa10dd86a2bde90970cd0898e3ff79580c4bc19e90152a3ab6dcc849bbfa9f94242af7a1c07b142e1c7b556228a4193d59495886941c84198fafb62d"}}}]}, @TCA_MATCHALL_ACT={0x1444, 0x2, [@m_sample={0x54, 0x1d, 0x0, 0x0, {{0xb, 0x1, 'sample\x00'}, {0xc, 0x2, 0x0, 0x1, [@TCA_SAMPLE_RATE={0x8, 0x3, 0x100}]}, {0x35, 0x6, "f9d6a86e2eb63f90904c103143a66bea80c2422c49f34c9fad0ccab9d68d954a47ebe0f93175f1f3ae2457c4621e1c1567"}}}, @m_csum={0xc8, 0x1e, 0x0, 0x0, {{0x9, 0x1, 'csum\x00'}, {0x20, 0x2, 0x0, 0x1, [@TCA_CSUM_PARMS={0x1c, 0x1, {{0x6, 0x3, 0x20000000, 0x3, 0xff}, 0x13}}]}, {0x97, 0x6, "94ad2fffaaf289540eb8810d6e377919123ceaf0cebc8b5a0a1223242460ef94cb4bffc101ab6710540f14085c17f3ceba5328a1331d16edc1fadae4e301cb9ad89fdb65f702008f852ee62d9f9775e07eb121b697d90e3d43d12b47d8eb5f17f5e7a04338f85fafa1072f3d68c55928675adf65ff2b68688f71aa294aec839632f7d7ac00665079467c68fd4a44a34a2dc2d3"}}}, @m_tunnel_key={0x54, 0xb, 0x0, 0x0, {{0xf, 0x1, 'tunnel_key\x00'}, {0x1c, 0x2, 0x0, 0x1, [@TCA_TUNNEL_KEY_ENC_KEY_ID={0x8, 0x7, 0xffff8001}, @TCA_TUNNEL_KEY_ENC_DST_PORT={0x6, 0x9, 0x4e24}, @TCA_TUNNEL_KEY_ENC_DST_PORT={0x6, 0x9, 0x4e21}]}, {0x23, 0x6, "f95dbdaa5321a6baec6c330be4150ff237a69d4d3a17fff58135ba7ca61608"}}}, @m_connmark={0x114, 0xe, 0x0, 0x0, {{0xd, 0x1, 'connmark\x00'}, {0xc8, 0x2, 0x0, 0x1, [@TCA_CONNMARK_PARMS={0x1c, 0x1, {{0x8, 0x9, 0x10000000, 0x40, 0x7ff}, 0x1}}, @TCA_CONNMARK_PARMS={0x1c, 0x1, {{0x6, 0x5, 0xffffffffffffffff, 0x1, 0x6}, 0x60e}}, @TCA_CONNMARK_PARMS={0x1c, 0x1, {{0x9, 0x7, 0x2, 0x4, 0x2}, 0x8001}}, @TCA_CONNMARK_PARMS={0x1c, 0x1, {{0x7, 0x200, 0x7, 0x3, 0x9}, 0x3}}, @TCA_CONNMARK_PARMS={0x1c, 0x1, {{0x33400000, 0x6, 0xffffffffffffffff, 0x1f, 0x4}}}, @TCA_CONNMARK_PARMS={0x1c, 0x1, {{0x80000001, 0x0, 0x4, 0x3, 0x8}, 0x7f}}, @TCA_CONNMARK_PARMS={0x1c, 0x1, {{0xd2, 0x1, 0x0, 0x3ff, 0x4}, 0x3f}}]}, {0x35, 0x6, "3827a1a5fc6858344dfa62bceda5536652c1d1dea2dbf635f9523446972569a77f316786cd66e923105511fab6754cd8d1"}}}, @m_ct={0x1038, 0x19, 0x0, 0x0, {{0x7, 0x1, 'ct\x00'}, {0x28, 0x2, 0x0, 0x1, [@TCA_CT_NAT_IPV4_MAX={0x8, 0xa, @initdev={0xac, 0x1e, 0x1, 0x0}}, @TCA_CT_NAT_PORT_MAX={0x6, 0xe, 0x4e22}, @TCA_CT_NAT_IPV6_MIN={0x14, 0xb, @ipv4={[], [], @empty}}]}, {0x1004, 0x6, "2728e5ca3475485be968e59ee35cb85fbb6857bddd868bdcb47efcc5d8c08b38c58b84b3a9065de26b2321084d212f22c858c19948cdd56c42977320f9f769deef34f17a30d3d927e8f8c92012ab159c647931342c15a74bd1a71fc6ca676924e91bcb212c9e4e66611084eb6154ea5b35a4cfb291e64021955443bca0a74af2867b0d29fbaa7fc6a6434d18d069e1fe15107d6d23fe1458124b32086b618688196c6b8f749d466c8a3efc05e64be3131560e9ea28e4396ec6e8f0580b883692851c3b339cc34be7dccda8c186e281cdff651c5d2f394404b4f75f158e58a2d0c16557f54e5a59dd2400d1d994e9414312dd4f6069b81b2c6d731b8563385505861ed6f381fe2c2889483f1e4ff4d2840d091d5c56e4d2b4f7b3512918dae07b79b5c24d20ffe2047fbd8687425dce77106e7db7efe9f87b3156aaa5076f1bda8c9b2cc06a00ce91b7ffc3c50caf8bfc168a69bcd00268345406cdb7a1f74d6bb73767e8037d701b35735bbbf213982a5d9d04cfd3a7f91d79565549038f4e87c9a64c6969e73b1699db695724b4fba6442545e8002203f262e0285996f8eedc7e2987fb3c609278a6adcdc1873033ac6c9954d2e57a4fb6ea4662e82ae8572088e88cd0fee111fe41d95f4cb77a787fa7d76be54c13f048b88da0c75de0ad65879aec1b3064a9af68bab11d93af4687fd9eeb7f268781fb822169290de2e4a3ff0083a3c6bc7aec0a104f11bb5c8a894b1e433f9a002f93ae56af28425f49e47fc47e6a35278de5fefc4f72254a4d0abb6f0e9c7242a73cc0504d69b36830123ec45a029888fc7c8079f006b7b90d399e9dfe17a12124c51ed4ca20bba817b325fc559e32195d519c3aa5b0145a5708d30ef5456f8e59259a3238337c7d4b5eb5e151add5318a64409a5fa26b32b117e08a4094373f547dad0cfb634e8d93eadb359f76bbda4aecea2b013a05ac955356b05db311e3ac6420c6739728f0551dc737ba817034e0b1c66f32c33c14448cc5589a1eb63e02a752849600f4026dfffab401678fcbda968c05a671313fdec37505080f1944bcbbfa9bc21c7f1a385ff3692e5f1d6df30c3a7e264f75f0f5fa04e9eaab87ff2a41d5fa685a9af1ee10a68652e003e6e80c605717350bc32c49499b21aea47a2c42dc5e12decbc71a0e6f12655df6cc20cc3c9229e152f4ab42ef8d24c3bbb3b46af09bff533f0dbe945774918015ce49ad0d5df219158d2d25bd4259ab8205cd5505ee63bd8bf5d5d0be965c15445193d8e221b97a904af55ccc33984097ceacbbbaeb406612870d3eb30c4aaa9506d10b7d71d20813da8aa97545f17078230e9ef2b8e3a33252174c8bbe99603081ffe2d77b8165aac11ab2bbcb078e296a5159081bb935528b9c0e3312c20406f1559c82bbdcbab5f0a9b124409d028992bd3c77b45e3c6a201c5cecfc014470acbd6368c85c4a4db3c7a5f9483b14da6d23de529c675038cc117ee291bae98d99fd6b1b354720d5127096e8116b9ef4f32ea099011f7516b828b4e435b752124d2994fd8e7ca68e114f18ad5b928ce477c7a2eda5bb36c33698ab437331eb7f36a0bf7a3fadbab0c99709b29ab42b814561f803bd8634785f71adea3bad8ed310eacc5154618808d9009040cc32ce58ec8d5328308a6ce3c15c3320273530c8934a2c35abf2f8201fc0abdbb224ecccbacbefe047928db12a8eafa6cae32389d675abd99769f8fd895aeb5b800308ee89a6991410aefee3f620d0930c79dcbfb3ce92f467be246804a27c9973a7f9435a6f02a97e1f2b4848da84e6c4b658dcd37ea86879ef63e9ff73720d4ab012271c10dd29dc60853aa2d18fdcb3caac48bb1eea4d845fa3657d59d7d67caf70278f4050f0b1353b2242126a4be978fa6ace89baa6407250b4f47c9ebaec45d097cf092430bfabfcc0c7714281dcbbaff9d783012113f53126b9319c942d1eb8eaaa7876bae39a47ab9fda3d90057bb7126952c2501bf391f8a5a9ba490bea5209ff53c72b64332c4f23e770a3a529299a78b8c9e55111dc618f034cc145eaf1e47dfe3bc834fe3105deb317206d323aba1667d94dd360a71ade504bf2ff766628572b7a993c54f5edd35a1982b7964859826289bacd8b3f48d852ed042c4c11ab6c6f897d34ced0ac75435688e41e3c001566ed737b863206d2f250c9d8342f7cea7271614b1c22b6004bff30a6aae19427fee859ab420a4655548c5be342f3169915260506bab22e018b8ce99980b6627c2cc30ccd6cea2cccf336aae8eb028d270b016f057cdc71d051699bbb30b57d543271ec8c0af8af876c6a8bbdf0961c1db6d69d88642efe3737132e4e17ac52e81693ab02046f5a1c35c24ffba36fab400aecc36f90094a21598df0005efd9f33945055a70ac13d9e3b95cc35310da0621ba56fa187d513f93a47bff2316a27853d797b75efaefb9de866b2d599b37f1c0f6b96d408d9068c8b3a87a08e4a7613237dcffac55cceee639ae5b586ee34e6d58ab9443a6e00a40c73143a5d15a5f598a534702deeef6c201f08add0eaf6cc0547340508375d9481981badfcbe06f2954b08cb431aab11eca77f34ae996b3bc012f808a925016726e799d5c001a7e52b098ec32b22b7d17e24009093c410d27fd5412bf8b4330750dafb6141c7d60cd0737a5e6865dce5435eb34bce58d28e325b4d4c11449a8117491e566938513b07035bfd2bc9ab570e0e8fdebf3e3b92380745e03e26b26c8781abc7f60d3e34fbb02c36c044fdc7bf137935d1f5cca857c41000a3ca89aee1bd7188e42be524633cb964d3ae8e4596cf75deab1b149ffbf75c15bc9a4ed5db786b2d8cab1cd1de5f868a66007eb047d54671f2974acada4ee10326157fb65e063f0fde2166edb0bbdbcb219bfd04f1ceb8ff2b4193a33161da32a132cca284418c3ae78b015ea5521a95ad2316ade0749891132415316c2f885dc031ed062a6f5f157c071bcdc57ae08348f2fe53542a13e6e66b6d166ea93e5c94d797fa2707081ecc93d977bff350c75dfe8725571ab33090beb2487d32bf96811f6627e473045d2d627fd1768c079057589aef0e722c604a80d167610d0a15af5acb37e4f8a7109422bb675544d4b2cb6af3a6a3326a97ca843549356ab5a91331154e315bcfa9eb4e4afe1a43511af85352f5196d7a611e01489cfb01c51d93d1e6c658c41e8c8afe042b33a6f9608517b783972a740f9d37eb27bea2ce1793b121d83d37d5a46e91cbde1a2ff6ecc564b3bb4b2a3c701d7f8382921f5d63a13595384cb1c1ea6952c7d01cacd6c9e19cd0b508371625ed66a810c93c27226eb3afa2e8671426db8a3839af3c2a4dba8e1f51a01024e504b0eef1577ebf1af249970bc7686470fc8b6106bca2196c4a8344b8192fb4d909c35fdebef4f959ffbb9309bd72c7afee96b0489486fd03b12d3053cf64a7b3f7989e3fe46e94b1b658bfc0d6a747ed61f165fd71efd13537672c495ce4883ad4a4f43a3d9670cc67ff7143809e93ac5fa09006bdafc91e0fef1758ade4a69d02bedc7c5a688f635f93d4693e37c4e499703c509f56fef1e63e28f5d4e8a2decbc6903d327887378738833e0543f26a1cdb6ce7d7ead88e5b9178e1ebb66da69a3b3a22a32a309ab64e139578bdb2209c03a4e6bf4c843012307a2c07c18f6c057ef2c2c779c293642f71ab2d7465a3d00a38876f50c68d23ed63f7772ed906be25541288913f506239447d58e01f03066b9d9ead334ae1b6ef4e88d9806790b28f2f926796d4bb9f1726c8faa6699b650a210531d98aa67d1569737d5604dbd404c81d771ce3bd359f335bc22e7924bb126563bac4f2dca3b4ac13ebea8e2d58cf08d3a6b04c650dcf615350640354cdae1cb42e8d5ececbee24c85e34ce246a11e80d387d464a3d7617fbccb142d4ff8190520862f8e7bcf982e2dc6b970e646bd79d5daa6cae4bb1760ded7cf83700862ee681062b53a17ade27706fdabcee5225a2528c94ebc071e0a93cba6059f5e4395465f54528ee09442c03f31ed121e49f9fe884691701f9f6d2f1264e1a6a0aaa2669c1da47aa1bb308d5a28302dbbc31f6293e675a3f44c5a12f4cd3489889046e427f7d04b516f590a894513d828aed30be0b97ec164c289a399a6ad1e27a5f4c3e3e60b6576fcc2fff10cc57020d1aeb4158fbf95a2db751db917ce0650c3e7859a16a9d4c54f0d46be7147dd4a904bce279dfe4263ac0737c4f5b8ab9bad5c475c01c96e851877b83043e0d182d8ddba827e75d895ff7e23b26e3bdbb1b5a7d943580f8786ec9e65f7365396c9ec174c19d13ae3f7cba598a2358f900ca68488d2fe0a41577fbd2f275b6cddcf5c16b7df2d3925212be5fc5041c395c7f58e3521caba3dad7c98d8ee3586218d16194bdf558a4bbc2738264c7d8b8415e353ff6e77550562aeecbbb940419e0fb47dc9ef1f8617f2e5ab94cc70ca0de47a308e102cdc3ebb826b1589cf36d83d3aba89972193452c8ac6e4d5bb5ed402671ac7c423ba91c9179305cc9076f50d53c27c500d1c4e6c91afaa364b49c613a948a3b08e61fe6be242e80b5983b06b91fc60999f2ccd791d249b48beb1be97247b1ef2c5a96d474c299f3e4df0e19e94c3c5b4a7bbbad0f1a8122eda0a4173a32beb532cd6473f2d374383f01b8c18438d19977f3b597abc98c14d997204cd1017b39b379b663ec90a5431851b0c8089d0ff8d994ed7477cb4b37f6ca847bf8a9eff9dcc09f8077db1d939428864b458c91609867e919f1d3953fd0b757e4a82469f6b5dc159e3ea54feefcd53d2318fb93e96395c102cc38dc48b3cb059f0ee2c9e3ca449adc5e55ca292684fbf203e9f69575ed8d34cc61626bb8f6e852bd27119ddf9a073d96f5af616c2cd7d2dfc65930e65a3da213646a56aae3727afafba6e89f487ce09ad2f09c26678f599231bec8a2622564ab5f537b54fe31c50a286145869da8e3cc217bdd05c86da5d6a306bc861871e3fc0efc345db5c28879358b7bbb01d22a7a3e1a92ee44a2b132257417b12b27912a44af06b51f67c5fffc917304153f0a877f347429576cc9508de3f519979ff0245f0cf59fa30b6b9dcd13cf14707d3efcf34e507603e3b108d45217e03a49ff775916447751e3a1a5c220c6e091df57e3d83309a40a23f6a51ce50709641c915997307246f5d6078c6189c2ca07ab39fe9f2a52fe81a7fb617a5fbbb75c97ad9bbd1bce4560e07a4be63b124019c865fd59f046c31b0ebab352e507f68456cab119597639246d35071fbc40a637b06891df1ffe5bc3c46dc1d79a97e101c8ab3a531eb8a9c745d6fd9b13c095664edd8a5cb7f06ec1820471b3c1d35fbaf0718f3a6fd693f3089416822048f83035025c2c6ac53bcd0598c5a0fb8c4c80e79b4574e27f468aa6dc46bc617cfed012e5b559c4649ff02520e4c6052a66d0ecd0ddd034c05f4440df11027d1050af6b14b3bd53f0d5aebcf4b7da285e4ad01e8c597e153cf01a1a1de4c78985e444ad3cd2ec9256462f1367da775c98b996288a2170ec0ca1c457f4f720569980c0c80821ffdb49c4f7bedea59b596356b77b220549d6201c83fd9fa451733b7b57dd0e88b850aff7ccab2507dc46d4792932ba389398c1fd1bffb6de1d499ae40b2294700007554c764886319a081fd6683a7da06d27d2c96163d34f8bba64dc7cde2600047c443ca4b948c0f33188ae239a1b3fedc870e65614402c8251a16e66f887663e9cdb026ac5e85a70b306a235d24866c68315a8"}}}, @m_vlan={0x184, 0x1e, 0x0, 0x0, {{0x9, 0x1, 'vlan\x00'}, {0x9c, 0x2, 0x0, 0x1, [@TCA_VLAN_PUSH_VLAN_ID={0x6, 0x3, 0x56c}, @TCA_VLAN_PARMS={0x1c, 0x2, {{0x3, 0x7, 0x20000000, 0x8001, 0x9}, 0x2}}, @TCA_VLAN_PUSH_VLAN_PRIORITY={0x5, 0x6, 0x1}, @TCA_VLAN_PUSH_VLAN_ID={0x6, 0x3, 0x908}, @TCA_VLAN_PARMS={0x1c, 0x2, {{0x3, 0x7, 0x5, 0x3, 0x11}, 0x2}}, @TCA_VLAN_PUSH_VLAN_PRIORITY={0x5, 0x6, 0x3}, @TCA_VLAN_PARMS={0x1c, 0x2, {{0x29ed, 0x1, 0x1, 0x67c, 0x3cfc}, 0x2}}, @TCA_VLAN_PUSH_VLAN_PRIORITY={0x5, 0x6, 0x7}, @TCA_VLAN_PARMS={0x1c, 0x2, {{0x5, 0x80000001, 0x4, 0x5, 0x1}, 0x3}}]}, {0xd7, 0x6, "c2a41d1e052ffc0571a17689987430338c8cf411c792118a4825c430a9a0c0b5d60070a0cd0717b0593e539e632785c5dfd86c1b09d62f026a9d9d749ad58cefbad02bace1d421c41b6a2e01be1bfdf943dae5d526e40a196b47b88043f3602f422d91610099a25fb7355ec4ee948d742d7dab31fcd626cea26447b9400dadf2578e276f1109a4d4dc0ac3f28b3244e693379bcdd9d9699651319ac97e803e16455aa5ed9faa00ec661f9c3563aabb1dca29a8c41937d516b53ff2614ff52b908b663e1d19cdfd7c4d9823012941faf542f714"}}}]}, @TCA_MATCHALL_ACT={0x3d98, 0x2, [@m_simple={0xa4, 0x16, 0x0, 0x0, {{0xb, 0x1, 'simple\x00'}, {0xc, 0x2, 0x0, 0x1, [@TCA_DEF_DATA={0x7, 0x3, '.#\x00'}]}, {0x86, 0x6, "f3ecdca951110116c1eac2c99e82b23235cbca8e504325e276d17e9bd431c22c0df131a88babf0e5dcac6e534759a1aaa816024c48f7d167103687c279d13ed14e588f403c3f6b949193dfe67bc4759f52d02b5e8a746dd406aa733f054941ace36ddf9aee2501a935ab87d23f3fe681903c31acf37abc704da902ed08a72bb518a2"}}}, @m_simple={0x12c, 0xb, 0x0, 0x0, {{0xb, 0x1, 'simple\x00'}, {0x98, 0x2, 0x0, 0x1, [@TCA_DEF_PARMS={0x18, 0x2, {0x6, 0x8, 0x7, 0x0, 0x1}}, @TCA_DEF_DATA={0x5, 0x3, '\x00'}, @TCA_DEF_PARMS={0x18, 0x2, {0x9, 0x7, 0x7, 0x3, 0x1000}}, @TCA_DEF_DATA={0x5, 0x3, '\x00'}, @TCA_DEF_PARMS={0x18, 0x2, {0x203, 0x3, 0x8, 0x0, 0x400}}, @TCA_DEF_PARMS={0x18, 0x2, {0x8, 0x8, 0x7, 0x5, 0x5}}, @TCA_DEF_PARMS={0x18, 0x2, {0x51416c22, 0xca2, 0x7, 0x7ff, 0x3}}, @TCA_DEF_DATA={0x9, 0x3, 'vfat\x00'}]}, {0x82, 0x6, "b4092fab6ff0c385411ef66224cb1edf8cc4e35e0963b1ed0a9075ac009d018d1adb0355520ff5a891731475497d8fa36ad9784ce9c89dbd71df70f9d4abb6b712337dd14c03e9e0a737663ca24dc081d321a7e8568b6bcfb17bf77b8af6ce82f46ac95f40e05f9eb366d98704da5335a0dbaa12e202fd9d358d4b382d39"}}}, @m_nat={0x88, 0x18, 0x0, 0x0, {{0x8, 0x1, 'nat\x00'}, {0x4}, {0x78, 0x6, "eca099e587c9ea6f945cb5152b2f1dbd8b7b99dab55ebd388e449504478942f24cfa2dc690c97906bec501104b04d7081fdebf2b0eb1f083392e7599d142b82afb275e2d093aab7ecbc19d82f291efe4ead111e58aa8a64ef9f9248375cbad83894935e54772f5e1e84469710ee25cc5b9bf7142"}}}, @m_csum={0x19c, 0x1b, 0x0, 0x0, {{0x9, 0x1, 'csum\x00'}, {0xac, 0x2, 0x0, 0x1, [@TCA_CSUM_PARMS={0x1c, 0x1, {{0xfb3, 0x5, 0xfffffffffffffff9, 0x0, 0xfffffff8}, 0x4}}, @TCA_CSUM_PARMS={0x1c, 0x1, {{0xffffffc1, 0x7fffffff, 0x5, 0x3, 0x9}, 0x36}}, @TCA_CSUM_PARMS={0x1c, 0x1, {{0x4e, 0x5, 0x3, 0xbfe4, 0x1}, 0x44}}, @TCA_CSUM_PARMS={0x1c, 0x1, {{0x7, 0x8, 0x4, 0x3, 0x1ff}, 0x3f}}, @TCA_CSUM_PARMS={0x1c, 0x1, {{0x0, 0x3, 0x10000000, 0x0, 0x1ff}, 0x17}}, @TCA_CSUM_PARMS={0x1c, 0x1, {{0x1, 0x4, 0x2, 0x1, 0xb9e}, 0x36}}]}, {0xdd, 0x6, "d95a6bd0bba3251c7f0af46a27b262e2088ff91d167c38bc04a7b8ddd78553dbab02aad142a1740627eb99ae0e005ee2d1d3ca6bd19c01ef1c680450210649fe55979696636526ede6c01458db2ae29f67b8f0f7b8732e300cdeb992162064d4b6fe50a5c36a11c1dc2be6b27e1f5d7ea378abec7568b2cd1215d4cd93b60bd5b8577b3e17dd9cbfd0ade67204f9dbb4a11cb202b39738b2b5e9b589f19c4191dd0b4df0639e0b2766386ee13d95da6b5a2c04d84ba36f98aeebc9d1aa042f9b7e9c4e2edd360f7c412566599118926683ceac36cebfde8c7e"}}}, @m_csum={0x144, 0xa, 0x0, 0x0, {{0x9, 0x1, 'csum\x00'}, {0xac, 0x2, 0x0, 0x1, [@TCA_CSUM_PARMS={0x1c, 0x1, {{0x80000000, 0x916, 0xffffffffffffffff, 0x1, 0x22}, 0x6}}, @TCA_CSUM_PARMS={0x1c, 0x1, {{0x5, 0x8dae, 0x10000000, 0x8, 0x7}, 0x3c}}, @TCA_CSUM_PARMS={0x1c, 0x1, {{0x800, 0x7, 0x10000000, 0x2, 0x9}, 0x16}}, @TCA_CSUM_PARMS={0x1c, 0x1, {{0x2, 0xfffffffe, 0x20000000, 0x1000, 0x2}, 0x2b}}, @TCA_CSUM_PARMS={0x1c, 0x1, {{0x4, 0x4, 0x1, 0xba9, 0x1}, 0x59}}, @TCA_CSUM_PARMS={0x1c, 0x1, {{0x10000, 0x8, 0x6, 0x1, 0x400}, 0x35}}]}, {0x85, 0x6, "b4059662eb09d3dce2bcfafce1b0d6788d1114d14016eaebc8290aaeac09f784b7d60acf28925c8966835aa03768c3da5dc11a0d8f7a50f57ee48968313a77140c1c786f617bc1686833568a2b27a618f63bada398c183d701016c6078920aaee37f09f6a5e2f45f61088bf58cf1a6ee87aae03452b1777452fc4837eeff3b637e"}}}, @m_skbedit={0xa0, 0x17, 0x0, 0x0, {{0xc, 0x1, 'skbedit\x00'}, {0x44, 0x2, 0x0, 0x1, [@TCA_SKBEDIT_PARMS={0x18, 0x2, {0xfff, 0x1, 0x6, 0xe4d6, 0x9b4}}, @TCA_SKBEDIT_MARK={0x8, 0x5, 0x3}, @TCA_SKBEDIT_PARMS={0x18, 0x2, {0xb7, 0x35d2, 0x6, 0x3, 0xffffffff}}, @TCA_SKBEDIT_QUEUE_MAPPING={0x6, 0x4, 0x7}]}, {0x4c, 0x6, "0aee6289f8c531f711cb39fedfd9bf7e1f6276a4f694dbb1ad3f4b786ebdec366f3576348117ab37b99c8ae7b875517820c8b4154de2c2b8b21be4c67dca2760aebd8fbd6a8cf385"}}}, @m_police={0x3708, 0xc, 0x0, 0x0, {{0xb, 0x1, 'police\x00'}, {0x367c, 0x2, 0x0, 0x1, [[@TCA_POLICE_RESULT={0x8, 0x5, 0x3}, @TCA_POLICE_PEAKRATE64={0xc, 0x9, 0x2}, @TCA_POLICE_PEAKRATE64={0xc, 0x9, 0x5}, @TCA_POLICE_PEAKRATE={0x404, 0x3, [0x4, 0x6, 0x1, 0x2, 0x1f, 0x1, 0x1, 0x5, 0x0, 0xfffffeff, 0x2, 0x9, 0x800, 0x7146, 0x3f, 0x663b, 0xfffff69d, 0x1000, 0x6, 0x6, 0x40000000, 0x7fffffff, 0x5, 0xfffff21c, 0x7fffffff, 0x80000000, 0x9, 0x3ff, 0xd, 0xd32, 0x2, 0x6, 0x7, 0xfffffffb, 0x0, 0x401, 0x86cd, 0x3ff, 0x101, 0x5, 0x8, 0x3, 0x2, 0x1ff, 0x303, 0x640b, 0x9d8, 0xfff, 0x2, 0x8, 0x80000000, 0x1ff, 0x80000000, 0xb56, 0x9, 0x80000000, 0x3, 0x9, 0x3, 0x7fffffff, 0xce, 0x64, 0x40, 0x5, 0x7, 0x2, 0x10001, 0x6, 0x85f, 0x7f, 0x8000, 0x2, 0x1a04bfd3, 0x7fffffff, 0x8, 0x2906980f, 0x1, 0xe7, 0x9, 0x7, 0x7fff, 0x7, 0x8000, 0x40, 0xa4, 0x401, 0x66, 0x8, 0x7fffffff, 0x8000, 0x1ff, 0x0, 0xffffffff, 0x101, 0x1ff, 0x8, 0xfffffff8, 0xffff, 0xbc7, 0x5, 0x30000000, 0x0, 0x1000, 0x9b26, 0x800, 0xd2e, 0x4, 0x3ff, 0x8001, 0x401, 0x2, 0x4, 0x7, 0x80, 0xfffffffc, 0x1b6, 0x75, 0x7, 0xfffffe00, 0x8, 0x3, 0x5, 0x8, 0xffff0000, 0x9e2, 0xec4, 0xfffffffa, 0x200, 0x200, 0x5, 0x3, 0x5, 0x3, 0x2, 0x6, 0x4, 0x9, 0x6, 0x1, 0x6, 0x2, 0x7fffffff, 0x2, 0x5, 0x3, 0x7, 0x5, 0x2, 0x3f, 0x400, 0x1, 0x0, 0x4, 0x0, 0xfffff7b3, 0x1, 0xffff, 0x8, 0x4, 0x5, 0x7, 0x4, 0x4, 0x7fffffff, 0x7, 0x8, 0x7, 0x10, 0x52, 0x3, 0x9, 0xb35, 0x10000, 0x4, 0x0, 0xffff0001, 0x5, 0x8001, 0x6, 0xcb, 0x7, 0x6, 0x3, 0x8, 0xec9, 0xffffffc0, 0x65, 0x1f, 0x0, 0xfffffffb, 0x20a, 0x1ff, 0x8, 0x5, 0xe50, 0xfff, 0x1000, 0x5, 0x8, 0x7fff, 0x5, 0xfffffff7, 0x1, 0x5, 0x6, 0x4, 0x80, 0x8, 0x72, 0xffff0000, 0x4, 0x2, 0xfffffff7, 0x9, 0x7574, 0x6dc, 0x4d, 0x401, 0x9, 0x9, 0x40, 0x1, 0x40, 0x7fff, 0x80, 0x2, 0x80000001, 0x192, 0x8, 0x7fffffff, 0xed, 0x9, 0x3, 0x2, 0xbbf, 0x8, 0x7fffffff, 0x200, 0x9, 0x3, 0x9, 0x5, 0x7f, 0x1000000, 0x8, 0x8, 0x9, 0xfff, 0x6, 0xffff, 0x8, 0xff, 0x7fffffff, 0x20, 0x1, 0x1f]}, @TCA_POLICE_PEAKRATE64={0xc, 0x9, 0x794a}, @TCA_POLICE_PEAKRATE64={0xc, 0x9, 0x1}, @TCA_POLICE_TBF={0x3c, 0x1, {0x6, 0x5, 0x80000000, 0x4, 0x8, {0x7, 0x0, 0x5, 0x6, 0x3f, 0x1e1f}, {0x81, 0x0, 0x3, 0x9, 0x60b, 0xe4e5}, 0x3, 0x1, 0x8}}, @TCA_POLICE_RESULT={0x8, 0x5, 0x5}], [@TCA_POLICE_RESULT={0x8, 0x5, 0x140}, @TCA_POLICE_RATE64={0xc, 0x8, 0xe}, @TCA_POLICE_PEAKRATE={0x404, 0x3, [0xb727, 0x7fffffff, 0x31, 0x3, 0x0, 0x4, 0x10000, 0x4c82, 0x1, 0xfffffffd, 0x9, 0x100, 0x8000, 0x7, 0x1, 0x4, 0x9, 0x1000, 0x8, 0x10001, 0x80000001, 0x3, 0xe0, 0x7fff, 0x200, 0x8000, 0x3, 0x200, 0x80000001, 0x2, 0x3, 0x5, 0x1, 0x29d1, 0xd3d5, 0x10001, 0x9, 0x4, 0x7, 0xfff, 0x400, 0x200, 0x7, 0x1, 0x554d, 0x7866, 0x1, 0x51775ec7, 0x20, 0x365, 0x1, 0xffffffff, 0x876d, 0x9, 0x6, 0x9, 0x8, 0x741, 0x2, 0x2, 0x96, 0x1, 0x3, 0x2, 0x1000, 0x7, 0x0, 0x1, 0x8, 0x8000, 0x0, 0x6, 0x9, 0x0, 0x1, 0x3, 0x9, 0x0, 0x1233, 0x1, 0x81, 0x1, 0xffffffff, 0xffff7fff, 0xfffffffc, 0x6, 0x7, 0x400, 0x1, 0x5b2, 0xfffffffb, 0x3f, 0x9, 0x8, 0x8001, 0xb1, 0x7fff, 0x4, 0x59c, 0x3, 0xe6, 0x5, 0x4eb5, 0x200, 0x6, 0xef, 0x1, 0x40, 0x80000001, 0xec, 0x57, 0x1, 0x3, 0x0, 0x7, 0x40, 0x7fff, 0x1, 0x200, 0x2, 0x5, 0x0, 0xffffffe1, 0x5, 0x8, 0x3ff, 0x8, 0x31, 0x7, 0x6e, 0x7e3, 0x5, 0x0, 0xd6, 0x1, 0x7, 0x9, 0x400, 0x0, 0xfffffffe, 0x3, 0x0, 0x401, 0x800, 0x3, 0xee, 0x9c5, 0x1, 0x0, 0x5, 0x80000000, 0xfffffffa, 0xadc7, 0x7e17, 0x7, 0xa47, 0x20, 0x3ff, 0x1, 0x85f, 0x2, 0x0, 0x3f, 0x2, 0x7, 0x0, 0x8, 0xffffff01, 0x85, 0x3, 0x9ad0, 0xa0c9, 0x1, 0x1, 0x6, 0xfff, 0x7, 0x4, 0x6, 0x1, 0x8000, 0x3, 0x5, 0x626fa8f3, 0xf7e, 0x6, 0x921, 0x6, 0xfffffff8, 0x1, 0x9, 0x4, 0x0, 0x1, 0xfb, 0x1e90, 0xea1, 0x453, 0x0, 0x7, 0x97, 0x4f2, 0x9, 0x3, 0x0, 0xbae, 0x3f, 0x5, 0x800, 0x94, 0x10000, 0x7, 0x9, 0x9, 0x800, 0x4, 0x8, 0x5, 0x3, 0x7, 0x20, 0xb137, 0x3, 0x3, 0xc5, 0x1f, 0x2, 0x1, 0xfffff0c5, 0x8001, 0x6, 0x3, 0x80000, 0x734, 0x200, 0x2, 0x5, 0x394, 0x328000, 0x3ff, 0x8, 0x0, 0x333, 0xd0, 0x74f, 0x6, 0x723, 0x8901, 0x5, 0x5d, 0x3f, 0x800, 0x87df, 0x80000000, 0x26ea, 0x1]}, @TCA_POLICE_PEAKRATE64={0xc, 0x9, 0x6}, @TCA_POLICE_PEAKRATE={0x404, 0x3, [0x2, 0x1, 0x42a4, 0x8, 0x3ff, 0x3, 0x20, 0xd88d, 0x7f, 0xcd6, 0x1, 0x70000, 0x6, 0xfffffff9, 0x7, 0x7, 0x1, 0x81, 0x1f, 0x9720, 0xfe0, 0x2, 0x2, 0xfffffc01, 0x3, 0xf5a, 0xa2, 0x5, 0x80000000, 0x61a, 0x5f724b8e, 0x9, 0x7f, 0xbcd2, 0x9, 0x9, 0x40, 0x96f, 0x3, 0x1, 0x6, 0x9, 0x10000, 0x20, 0x3, 0x2323, 0x3f, 0x8001, 0x6, 0x4, 0xef1, 0x2, 0x6, 0x7ff, 0x1f, 0x0, 0x8, 0x8000, 0x2, 0x1, 0x10001, 0x3ff8, 0x8, 0x80000001, 0x5, 0x6, 0xb, 0x200, 0xfffffe01, 0x9, 0x6, 0x2, 0x7, 0x40000000, 0x1ff800, 0xffff8001, 0x907, 0xff, 0x10000, 0x53d13887, 0xfff, 0x9, 0x9, 0x0, 0x7fff, 0x8, 0xfffffffb, 0xfffffffd, 0x8, 0x3, 0x3439, 0x2a, 0xe8d, 0xffffffc0, 0x7, 0x4f, 0xc, 0x7ff, 0x0, 0x8, 0x1, 0x4000000, 0x8, 0x100, 0x7, 0x3e6aa9ed, 0xffff, 0x7fffffff, 0xffffffff, 0x7c3c5a61, 0x200, 0x8, 0x9, 0x1, 0x5, 0xfffffffa, 0x3, 0x5, 0x4, 0x6, 0x8, 0x6, 0x1f, 0x8, 0xc682, 0x6, 0x8, 0x1000, 0x28, 0x0, 0x7f, 0x8000, 0xd3, 0x8, 0xfffffffc, 0x400000, 0x800, 0x80000001, 0xd5, 0x2, 0x1ca03347, 0x0, 0x1, 0x6, 0x7, 0xffffb208, 0x5, 0x5, 0x9, 0x100, 0x5, 0x6, 0x4, 0x8, 0x80000000, 0x81, 0x5, 0x8001, 0x8, 0x0, 0x9b36, 0x2, 0x0, 0x10001, 0x7f, 0x9, 0xb3, 0x9, 0x1, 0x6, 0x4, 0x40, 0x1, 0x900000, 0x4, 0x2, 0x200, 0x1, 0x5, 0x7ff, 0x9, 0x80000000, 0x8, 0x800, 0x9, 0x2, 0x5, 0xfffffff8, 0x800, 0x0, 0xffffff01, 0xec5, 0x6, 0x5, 0x10000, 0xe3, 0x5, 0x3, 0x1, 0xffffffff, 0x3, 0x9, 0xffffffff, 0x3, 0xffff, 0x8, 0x8, 0x0, 0x4, 0x5, 0xde, 0x7, 0x10001, 0x933, 0x1, 0x8000, 0xffffffff, 0x8, 0xadc1, 0x10001, 0x7, 0x64f, 0x2, 0x3, 0x3b, 0x6, 0x1, 0x100, 0x0, 0xffff, 0x401, 0x10, 0x1, 0x80000000, 0x0, 0x8, 0xd8, 0x0, 0x8, 0x1ff, 0x2, 0x10, 0x25a0, 0x4, 0x9, 0x3, 0x10, 0x6, 0x1, 0x1b, 0xfffffffa, 0x80000001, 0xfffffffb, 0x319c, 0x6, 0x80000000]}], [@TCA_POLICE_AVRATE={0x8, 0x4, 0x8000}], [@TCA_POLICE_PEAKRATE={0x404, 0x3, [0x3, 0x7, 0x4, 0x79a, 0x2, 0x5, 0x80000001, 0x0, 0x0, 0x6, 0x69, 0x4135, 0x8, 0x8, 0x25d, 0xffffffff, 0x1000, 0x8f, 0x4, 0x101, 0x2, 0xe4a, 0x20, 0x4, 0x9, 0x4, 0xa91, 0x200, 0x6, 0x8, 0x4, 0x2, 0x0, 0x5, 0xffffffff, 0x4, 0x9, 0xab7, 0x20, 0x1, 0x4, 0x3, 0x7, 0x6, 0x8, 0x0, 0x9, 0x3ff, 0x7, 0x20, 0x10000, 0x9, 0x4, 0x9, 0x2, 0x1f, 0xfffeffff, 0x0, 0x16e, 0x9, 0x86, 0x2, 0x2, 0x6, 0x100, 0x6, 0x8, 0x7fffffff, 0x736, 0x40058dff, 0x81, 0x8001, 0x6, 0x7ff, 0xfffffffa, 0xc89a, 0x7, 0x6, 0x7, 0x6, 0x2, 0x8000, 0x7fffffff, 0x9, 0x40, 0xeba8, 0x6, 0x1, 0x6, 0xd075, 0x6, 0x0, 0x101, 0x80000000, 0x62, 0x7ff, 0x0, 0xffffff05, 0x8, 0xff, 0x4, 0x9, 0x1, 0x10000, 0xf, 0x6, 0x9, 0x7, 0x2, 0x6, 0xa0, 0x5, 0x61, 0x8000, 0x14d8, 0x1, 0x0, 0x101, 0x7, 0x401, 0x8, 0xfffffff8, 0x0, 0x9, 0x1c, 0xb064, 0x5, 0x101, 0xfffffffb, 0x46a, 0x5, 0xfffffffd, 0x9, 0x9, 0x4, 0x1, 0x6, 0x9, 0x3, 0x1ff, 0xffffffff, 0x4, 0x400, 0xffff, 0xc7, 0x9d06, 0x8, 0x8, 0x9, 0x5, 0x4, 0x0, 0x4, 0x82, 0x4cc5, 0x7fffffff, 0x2, 0x4, 0x4, 0xffff8a93, 0xfffffff7, 0x0, 0x6, 0x8, 0xfff, 0x6, 0x40, 0x3, 0x4, 0x4, 0x1, 0x7, 0x8, 0xfffffbff, 0x8, 0x9, 0x40, 0x1, 0x80, 0x8d4, 0x40, 0x3, 0x2, 0x5, 0xde, 0x2, 0x5, 0x236, 0x8, 0x80000000, 0xe4b, 0x9, 0x80, 0x7, 0x80000001, 0x22b07287, 0x9, 0x9, 0x10001, 0x779, 0x1, 0x0, 0x0, 0x7, 0x7, 0x3, 0x8000, 0x40, 0x80000001, 0x3ff, 0x4, 0x0, 0x8000, 0x2, 0x3f, 0x6, 0x1, 0x6, 0x1000, 0x56a, 0x0, 0x6, 0x101, 0x800, 0x3f, 0xfffffffa, 0x3, 0xb3f, 0x60, 0x10001, 0x8, 0x7, 0x3, 0x5, 0xfd8e, 0x7, 0x1, 0x80000000, 0x98e, 0x7, 0x7f, 0x6, 0x3, 0x2, 0x401, 0x2, 0x2, 0x8, 0x8, 0x0, 0x6, 0x80000001, 0xff, 0x6, 0x33, 0xffffff8e]}, @TCA_POLICE_PEAKRATE={0x404, 0x3, [0x9, 0x1, 0x3, 0x3f, 0xffff, 0x1ff, 0x0, 0x9, 0x8, 0x2, 0x401, 0x6, 0xfffffffc, 0x101, 0x0, 0x2, 0x4, 0xc5, 0x5, 0x591eb6fd, 0x1, 0xe85, 0x1, 0x3e, 0xd1d5, 0x8, 0x7fff, 0x6, 0x4, 0x0, 0x1, 0x1ff, 0x45, 0x14ae, 0x80000000, 0x800, 0x0, 0x1, 0x81, 0x2, 0x2, 0x0, 0x800, 0x5, 0xfffffffb, 0x200, 0x6, 0x9b40, 0x5, 0x4, 0x3, 0x3, 0x2, 0x1, 0x5, 0x4, 0x1ff, 0x0, 0x4, 0x7, 0x80000000, 0x800, 0x5a35b159, 0x7f, 0x401, 0x10000, 0x4, 0x7, 0x7, 0x2, 0x4, 0x1573, 0x1000, 0x7f, 0x8, 0xffff, 0x80, 0x1, 0xcbc3, 0x1, 0x0, 0x1, 0x3, 0x8, 0x4, 0x0, 0xce98, 0x1, 0x156, 0x80000000, 0x1000, 0x3, 0x20, 0xffff8001, 0x2, 0x0, 0x400, 0x5c, 0x7fff, 0x9, 0x1, 0x8001, 0x3, 0x400, 0x5, 0x3, 0x4, 0x7, 0x80000001, 0x1ff, 0x5, 0x9, 0x90, 0x3, 0xffffff80, 0x4, 0xdc2, 0x80, 0x1, 0x98, 0xffff, 0x3, 0x7, 0x76, 0x8, 0x80, 0x4, 0x2, 0x3, 0x7fffffff, 0x1, 0x6, 0x1000, 0x400, 0x2, 0x3360, 0x80, 0x1000, 0x298de99a, 0x0, 0x8, 0x9, 0x8, 0x8, 0x5, 0x0, 0xdd, 0x3f, 0x7fff, 0xff, 0x7ff, 0x1ff, 0x1, 0x4, 0x6, 0x10001, 0x7, 0x78, 0x3, 0x10000, 0x50cdadcb, 0x8000, 0x7e, 0x2, 0x1380, 0xfff, 0x4, 0x1000, 0x7fffffff, 0x3, 0x7fff, 0xa1, 0x2, 0xfffffff8, 0x7fffffff, 0x2, 0x401, 0xfffffffc, 0x7, 0x2, 0x1, 0x3ff, 0x8, 0x9, 0x7, 0x21b8728d, 0x81, 0x800, 0x0, 0xffffffff, 0x8, 0x10000, 0x89, 0x2, 0x6, 0x401, 0x4, 0xdb0, 0x7, 0x8, 0x80000001, 0x2, 0x40, 0x2, 0x8, 0x3f, 0x4, 0x8, 0x7, 0xfffffffa, 0x2, 0x28, 0x7f, 0x8000, 0x7, 0x6, 0x5, 0xfffffffb, 0x8, 0xffffffff, 0x4, 0x5, 0x8, 0x2, 0x9, 0x8, 0x9, 0x1ff, 0x885, 0x40, 0x200, 0x9, 0x9, 0xffffff7f, 0x4, 0x6, 0x10000, 0x7, 0x7f, 0x2400, 0x5, 0x2, 0x8000000, 0x7, 0x8, 0x493, 0x990, 0x0, 0xfffffea3, 0x0, 0x2, 0x91, 0x3, 0x1, 0x1f, 0x4]}, @TCA_POLICE_TBF={0x3c, 0x1, {0x101, 0x7, 0x7fff, 0x1, 0x7, {0x80, 0x2, 0x4, 0x0, 0x3, 0xfffffffb}, {0x40, 0x2, 0x1, 0x4, 0x6, 0xffffffff}, 0x0, 0x1, 0x9}}, @TCA_POLICE_PEAKRATE={0x404, 0x3, [0x4, 0x101, 0x2, 0x100, 0x7, 0x5, 0x6e, 0x4ea, 0x1, 0x2, 0x72, 0x2, 0x20, 0x87e8, 0x1ff, 0x0, 0x81, 0x4, 0x4, 0x8d, 0x3, 0x800, 0x3, 0x0, 0x7, 0xff4, 0x2, 0x2015, 0x9, 0xf27, 0x200, 0xffffff7f, 0x0, 0x40, 0x9e, 0xff, 0x8, 0x7, 0x1, 0x3ff, 0x7fff, 0x7, 0x8000, 0x7, 0x101, 0x4, 0x7, 0x9, 0x5, 0x758, 0x6, 0x3ff, 0x1, 0x3f, 0x5210, 0x20000000, 0x1, 0x0, 0x80000000, 0x5c9, 0x7e, 0x8, 0xa3, 0x7, 0x0, 0x4, 0x80000001, 0xc92, 0x1000, 0x1, 0x101, 0xf6, 0x9, 0x6, 0x101, 0x7f, 0x4, 0x0, 0xffffffff, 0x1, 0x20, 0x101, 0x9, 0x145e, 0x5, 0x5, 0x80, 0x8000, 0x7, 0xff, 0x9, 0xd6, 0x28000000, 0xffffffff, 0x1, 0x2b7a, 0x8001, 0xffff, 0xcc, 0x3f, 0x40, 0x1ff, 0x2b7b, 0xde2, 0x200, 0xff, 0x1, 0x51, 0x0, 0x8, 0x5, 0x2, 0x9, 0xff, 0xbf, 0x7, 0x11068, 0xffff, 0x5, 0x8, 0x12a2cd57, 0x7, 0x7, 0x2, 0xfff, 0x7, 0x4, 0x2, 0x1ff, 0xd1f, 0x0, 0x3ff, 0x52a, 0x10001, 0x4, 0x8, 0x8, 0x8, 0x2709, 0x400, 0x7fffffff, 0x3, 0x40, 0x1, 0x8b, 0x4, 0x20, 0x96e6, 0x5e, 0x2, 0x2, 0x7, 0xfffeffff, 0x100, 0x7a6b, 0x101, 0xfffffffa, 0x3f, 0x3, 0x8, 0x7ff, 0x3, 0x6, 0x4, 0x7fff, 0x1ff, 0x4, 0x2, 0x8000, 0x2, 0x6, 0x7, 0x7fffffff, 0xdb, 0x0, 0x6, 0x9, 0x4, 0x100, 0x59b, 0x7, 0x101, 0x2, 0x0, 0x8000, 0xa180, 0x7f, 0x5, 0x2, 0x6, 0x21f, 0x6, 0x8001, 0x3, 0x7fffffff, 0x8, 0x3, 0x8001, 0x4a, 0x6, 0x0, 0xffffffd2, 0x9, 0x40, 0xdc6, 0x2, 0x1ff, 0xa5, 0x1, 0x7a, 0x1db2, 0xba1, 0x1000, 0x99, 0x3ce, 0x10001, 0xa2, 0x5, 0x0, 0x8, 0x0, 0x2, 0x21f79986, 0x3, 0x5, 0x6, 0x1602, 0x401, 0x400, 0x102a6bca, 0x0, 0x8, 0xfffffff8, 0x10001, 0xffffffff, 0x3, 0xffff0001, 0x2, 0x80000000, 0x1000, 0x2323, 0xfffffff8, 0x0, 0x2, 0x4, 0x1, 0x2, 0xfff, 0x6, 0x4, 0x9, 0x3, 0x401, 0x9, 0xfffff800, 0x4e7]}, @TCA_POLICE_RATE64={0xc, 0x8, 0x80000000}, @TCA_POLICE_TBF={0x3c, 0x1, {0xdadc, 0x4, 0x9, 0x40, 0x101, {0x81, 0x2, 0x3, 0x7fff, 0x9, 0x6}, {0x4, 0x2, 0x6, 0x4, 0x8, 0x8}, 0xa6c, 0x8, 0x6ff42021}}, @TCA_POLICE_TBF={0x3c, 0x1, {0xe6, 0x8, 0x2, 0x4, 0x8, {0x5, 0x1, 0x3, 0x4, 0x7, 0x1}, {0x81, 0x2, 0x40, 0x2, 0x100, 0x8657}, 0x9, 0xfff, 0x3f}}, @TCA_POLICE_RESULT={0x8, 0x5, 0x3}, @TCA_POLICE_PEAKRATE64={0xc, 0x9, 0x8}], [@TCA_POLICE_RESULT={0x8}, @TCA_POLICE_RATE={0x404, 0x2, [0x101, 0xffffffff, 0x9, 0x1ff, 0xe9, 0xe091, 0x4, 0xdb, 0x4, 0x800, 0x4, 0x8ef, 0x2, 0x7, 0x7ff, 0x0, 0x7f, 0x3, 0xe0000000, 0x6, 0x2, 0xfffffeff, 0x3, 0x7, 0x8, 0x6, 0x0, 0xb55b, 0x6, 0xfffffffc, 0x200, 0x3, 0x5, 0x800, 0x1, 0x5, 0xef2, 0x6, 0x6, 0x4, 0xfcb, 0x7, 0x0, 0x2e33, 0x8, 0x7fff, 0x8001, 0x1, 0x2, 0x3ff, 0x4, 0xd3f, 0x20, 0x80000001, 0xfffffffa, 0x5, 0x2, 0xe3, 0x3, 0x9, 0x9, 0xbd, 0x3ff, 0xb0, 0x65, 0x3f, 0x6, 0x5cc75492, 0x800, 0x1ff, 0xffffff7f, 0x4, 0x80000000, 0x9, 0x7fffffff, 0x0, 0x5, 0x6, 0x1, 0x9, 0x8, 0x101, 0x9, 0x5, 0xfffffffd, 0x3, 0x9, 0x3, 0x5, 0x8, 0xd7, 0x681, 0x7f, 0x0, 0x0, 0xce4, 0x1f, 0x6, 0xfffffffe, 0xffffff00, 0x604f98f0, 0x20, 0x7, 0x6d14, 0x3, 0xfffffffc, 0x3, 0xfffffffa, 0x8, 0x1000, 0x4, 0x80000000, 0x2, 0xffff, 0x3, 0x0, 0x4, 0x6, 0xfffffffe, 0x2, 0x7, 0x1a, 0xfffffffd, 0x3, 0x3, 0x9, 0x2, 0x67, 0x3ff, 0x1, 0x4, 0x7ff, 0x3f, 0x92, 0x9, 0x7, 0x2, 0x5, 0x101, 0x5, 0x2, 0x800, 0xdf, 0x7f, 0x81, 0x2, 0x800, 0x75, 0xdc6, 0xcb9, 0x9, 0x1, 0x3f, 0x9, 0x7f, 0x8, 0x7, 0x3, 0x9, 0xe2, 0x5, 0xffffff7f, 0x10001, 0x101, 0xffff, 0xa26b, 0x8001, 0x200, 0x80000000, 0x1, 0x2, 0x9, 0x7, 0x1, 0x2, 0x1ff, 0x400, 0x9, 0x10001, 0x6, 0x1, 0x0, 0x243, 0x3, 0x40100, 0x5, 0x1, 0x5, 0x14, 0x400, 0x101, 0x7, 0x8, 0x1, 0x6, 0x5, 0x80000001, 0x7f, 0x3, 0xf44d, 0xff, 0x7, 0x2, 0xfffffff7, 0x7, 0x15, 0x1, 0x829, 0x9, 0x40, 0xfffffffa, 0x10001, 0x3, 0x1c00, 0xffffff00, 0x81, 0x8000, 0x5, 0x81, 0x4, 0xe8ea, 0x81, 0x1, 0x6, 0x0, 0x20, 0x7fffffff, 0xffff18a4, 0x6, 0xcc5, 0x53d, 0x9, 0x9, 0x5, 0x3ff, 0x0, 0x67, 0x81, 0xfffffffb, 0x7, 0x5, 0xcc, 0xb9, 0x101, 0xd71, 0x7fffffff, 0x0, 0x3, 0x5, 0x0, 0x81, 0x0, 0x5, 0x9, 0x8, 0x4]}, @TCA_POLICE_AVRATE={0x8, 0x4, 0x9}, @TCA_POLICE_RATE={0x404, 0x2, [0x7, 0x7f, 0x2, 0xc72, 0x9, 0x6, 0x9, 0x4, 0x5, 0x3, 0x1f, 0x4, 0x100, 0x7, 0x9, 0x0, 0x8, 0xffff, 0x0, 0x5, 0x13e, 0x3ff, 0x2, 0x3ff, 0x4, 0x800, 0xfffff0d0, 0x1, 0x738, 0x7ff, 0x7, 0xd5a3, 0x7, 0x3, 0x1, 0x1, 0x7, 0x0, 0xb2, 0x400, 0x10001, 0x1ff, 0x28000, 0xe2, 0x5, 0x0, 0x7, 0x3, 0x2, 0x3, 0x1, 0x5, 0xbba, 0x3, 0x6, 0x0, 0x7, 0x7, 0x9, 0xbf93, 0x4, 0xfffffffc, 0x3f, 0x4, 0x9, 0x800, 0x0, 0x3, 0xfffffffe, 0xfffffffd, 0x3, 0x3, 0x1000, 0x6, 0x9, 0xffffffff, 0x80000000, 0x6, 0x6, 0x80, 0x5, 0x4, 0x8, 0xfd4, 0x509c, 0x8000, 0x8, 0x3ff, 0x2, 0x401, 0x5, 0xfffc0000, 0x5f96e8d7, 0x401, 0x19e, 0x8, 0x80000000, 0x8aa, 0x2928, 0x3, 0xfffff229, 0x6, 0x78, 0x0, 0x7, 0x80000001, 0x9ce8, 0xcf, 0x5, 0x3ff, 0xc2, 0x9, 0x2100, 0x4, 0xde1, 0x1000, 0x8, 0x7628, 0x9, 0x4, 0xffffff01, 0x0, 0x6, 0x3, 0xbe3, 0x5e, 0x8, 0x5, 0xe0, 0x3, 0x0, 0x0, 0x6, 0xa49, 0x3, 0x1ff, 0x9, 0x8, 0x9, 0x1337490e, 0x6, 0x0, 0x100, 0x4, 0x9, 0x0, 0x211, 0x1ff, 0x2, 0x9, 0x6, 0x1f, 0x2, 0xc00, 0x80, 0x4, 0x4, 0x7fffffff, 0x80, 0xfffffffa, 0x5, 0x0, 0x8, 0x80, 0x2, 0x8, 0x80, 0x54, 0x9, 0x8, 0x0, 0x1, 0x7f, 0x0, 0x8001, 0x4, 0x8, 0x4b, 0xffffff00, 0x2, 0x3800000, 0x8, 0x9, 0x38, 0xfffffc00, 0x6, 0x5, 0x9, 0x5, 0x5, 0xc6, 0x9, 0x40, 0x7, 0x8, 0x80000001, 0x2, 0x9, 0x242, 0xa4, 0x9, 0x4, 0xfffffff8, 0x80, 0x99, 0x10000, 0x800, 0x10000, 0x7, 0xefd0, 0x1, 0x652, 0x7ba, 0x47, 0x401, 0x6, 0x4, 0x6, 0x6, 0x5aa8, 0xcc, 0x4d, 0x0, 0x71, 0x7, 0x0, 0x8, 0x6b23, 0x7fffffff, 0x2, 0xe, 0x9, 0x1ff4, 0x9, 0xfffff4f6, 0x9, 0x6, 0x1, 0x7, 0x80000001, 0x8, 0x8001, 0x623, 0x6, 0x0, 0x1, 0x0, 0x436, 0xfffffffd, 0x400, 0x1ff, 0x0, 0x3fe0000, 0x1ff, 0x4, 0x6]}, @TCA_POLICE_RATE64={0xc}, @TCA_POLICE_RATE={0x404, 0x2, [0x5, 0x6df9c6ed, 0xed, 0x80000000, 0x5, 0x400, 0x7, 0xffff03fa, 0x1, 0x3f, 0x40, 0x11, 0x9, 0x44a, 0x7, 0x4, 0x6, 0x80000001, 0xa, 0xed2, 0x5, 0x6, 0x3, 0x7, 0x7fffffff, 0xfffffff9, 0x6, 0x6, 0xe27f, 0x9, 0x8, 0x9, 0x76bc, 0x3, 0x738, 0x7fffffff, 0x9, 0x3, 0x9, 0x4, 0xd4b2, 0x5, 0x3, 0x80, 0xb6, 0x1ff, 0x9472, 0x5, 0x4, 0x2, 0x6, 0x4, 0x4d49, 0xd00, 0xfffffff9, 0x4, 0x3, 0x2, 0x4, 0xb72, 0xb8000000, 0x80000000, 0x8, 0xffffffe0, 0x6, 0x9, 0x9, 0x4fd, 0x9, 0x7ff, 0x101, 0x0, 0x8, 0x3, 0x0, 0x8001, 0x2, 0x5, 0x7, 0x8, 0x3, 0x9, 0x126, 0xfffffff7, 0x2, 0x4a27, 0x7ff, 0x6, 0x7fff, 0xe8e9, 0xb67a, 0x7ff, 0x8001, 0x40, 0xff, 0x1b3, 0x400, 0x20, 0x3, 0x4, 0x80, 0x800, 0x7, 0xe868, 0x9, 0x0, 0x400, 0x5f3f1628, 0x3, 0x9, 0x2b78, 0x7d, 0x80, 0x6, 0x8, 0x80000000, 0x4, 0xffff, 0x34b, 0x52, 0x44, 0x8, 0x10000, 0x800, 0x80000000, 0x40, 0x20, 0x81, 0xffff20ca, 0x7, 0x79fb, 0x0, 0x800, 0x41, 0x9, 0x8001, 0x4, 0x8001, 0x6, 0x0, 0x6, 0x1ff, 0x5, 0xffffff00, 0x9, 0x0, 0x3, 0x800, 0x3f, 0xff, 0x8, 0x5, 0x80000000, 0x7, 0xda1, 0x1, 0x0, 0xfffffff9, 0xf68, 0x1f1e, 0x4, 0x79, 0x2, 0x101, 0x400, 0xffffe342, 0x200, 0x7, 0x401, 0x8001, 0x2fa, 0x5, 0x8, 0x7, 0x1, 0x9, 0x101, 0xfe1, 0x4, 0x3, 0x1, 0x9, 0xd5e3, 0x401, 0x0, 0x5, 0x10000, 0x8, 0x1, 0x1f, 0x1ea27672, 0x0, 0x1, 0x8000, 0x6, 0xb85, 0x8, 0x9, 0x1, 0x70, 0xf48, 0xfffffdc5, 0x3, 0xc29b, 0xcd84, 0x5, 0x10000, 0x367fae03, 0x0, 0xd1, 0x5, 0x4c, 0x4, 0x5c7c, 0x8, 0xffffffff, 0x401, 0x80, 0x568, 0x7fff, 0x1, 0x401, 0x7e, 0x208, 0x4, 0x100, 0x4, 0x86, 0x1, 0xb2, 0x2a6, 0xfffffffe, 0x5, 0x1f, 0x20, 0x6, 0x7, 0x8, 0x3, 0x62, 0xfffffffd, 0x1ff, 0x56ed94c3, 0x20, 0x7e1f, 0x6, 0x6, 0x2, 0xfffffffb, 0x5, 0xbb6, 0x7, 0x5, 0x6, 0xffffffd5, 0x9]}, @TCA_POLICE_PEAKRATE={0x404, 0x3, [0x9, 0x0, 0x89c, 0xe9, 0x7fff, 0xfffffbff, 0x5, 0x9, 0x1, 0x1f, 0x1, 0x3, 0xc44e, 0x8, 0x100, 0xaa3, 0x3ca2, 0x1f, 0x3, 0x8, 0x8001, 0x6, 0x5, 0x4, 0x8000, 0x6, 0x5, 0x8, 0x100, 0x5, 0x3, 0x4, 0x5, 0x4, 0x272ec02, 0x3, 0x0, 0x9, 0x9, 0x5, 0x3, 0xffff, 0xa6, 0x80000001, 0x2d572a02, 0xbce, 0x400, 0x9, 0x401, 0x1f, 0x2, 0x2, 0xe1, 0x100, 0x5, 0x10001, 0x1000, 0x1f, 0x5, 0x5, 0x1, 0x2, 0x5, 0x2, 0x8, 0x7, 0x5, 0x5, 0x20000000, 0x3f, 0x6, 0x4eab, 0x0, 0x101, 0x3, 0xbfdf0b27, 0xffffffff, 0x101, 0x0, 0x5, 0x1f, 0x8, 0xfffffff7, 0x600c, 0x7, 0x9, 0x1, 0x1, 0xfffffff9, 0x3800000, 0x4ca3, 0x6, 0x1, 0x6, 0x7, 0x9, 0xd3c, 0x7f, 0x0, 0x8000, 0x100, 0x7fffffff, 0x4, 0xb1, 0x5, 0x1, 0xfff, 0x4356, 0x81, 0x6, 0xfffffff8, 0x4, 0x6, 0x3, 0x81, 0x3, 0x0, 0x0, 0x80000001, 0x377, 0x9, 0x1, 0x9, 0xfffffffa, 0x3, 0x7, 0x8001, 0x0, 0x0, 0x6, 0x2, 0x85, 0x8000, 0x2, 0x6, 0x20, 0x1000, 0xff, 0x7, 0x2, 0x2, 0x4, 0x9, 0x7fffffff, 0x7ba, 0x5658, 0x4d, 0x7fff, 0x8, 0x1, 0x7, 0x9, 0x3, 0x5, 0x8, 0x6, 0x400, 0x401, 0x0, 0x9, 0xce8, 0x7, 0x4, 0x4, 0xffffffff, 0x0, 0x7fff, 0x10000, 0xfff, 0xffff, 0x8000, 0x1ff, 0x7, 0x4af39c7e, 0x5, 0x81, 0xfffffff9, 0xff, 0x401, 0x2, 0x80000001, 0x7, 0x3, 0x1, 0x4, 0x6, 0x9, 0x1f, 0x7fffffff, 0x2000000, 0x7fffffff, 0x8, 0x8, 0x101, 0x3b65, 0x3, 0xffff, 0x3, 0x109b, 0x6, 0x5, 0x9, 0x7d6f342b, 0x0, 0x200, 0xa0, 0xffffff00, 0xffffffff, 0x7, 0x20, 0x639, 0x4, 0x8, 0x5, 0x8b, 0x9, 0x7f, 0x7ff, 0x703f, 0x4, 0x3f, 0x1, 0x70, 0x68b, 0x5, 0xfffffac6, 0x8001, 0x1, 0x1, 0x3, 0x7, 0x34, 0x3f, 0x20, 0x0, 0x5, 0x0, 0x8000, 0x0, 0x0, 0xfffff000, 0x6, 0x7, 0x6, 0x0, 0xffffffff, 0x0, 0x1f, 0x9, 0x7, 0xfffffff8, 0x4, 0x16, 0xfff, 0x16a2]}], [@TCA_POLICE_TBF={0x3c, 0x1, {0x7, 0x3, 0x6, 0x8, 0x1400000, {0x3, 0x1, 0x6, 0x24, 0x0, 0x4}, {0x8, 0x2, 0x9, 0x3ff, 0xfff7}, 0x6, 0xcfa, 0x7ff}}], [@TCA_POLICE_RESULT={0x8, 0x5, 0x5}], [@TCA_POLICE_PEAKRATE64={0xc, 0x9, 0x5}, @TCA_POLICE_PEAKRATE={0x404, 0x3, [0x7, 0x8, 0x1f, 0x5, 0x7fffffff, 0x8, 0x7f, 0x8, 0x8, 0x7ff, 0x800, 0x99cf, 0x8000000, 0x5, 0x8, 0x7, 0x8, 0x6, 0x1, 0x3, 0x1, 0x2, 0x92c, 0x0, 0x1d, 0x60, 0xffffffff, 0x0, 0x158, 0x40, 0x7a, 0x80000001, 0x5, 0xa8de, 0x7, 0x2, 0x4, 0x0, 0x2, 0x1, 0x2, 0x81, 0x5, 0x7, 0x20, 0xffc, 0x57bf, 0x4, 0x7fffffff, 0x7fff, 0x2, 0x3f, 0xc149, 0x3, 0x3, 0x7ff, 0x2, 0x0, 0x4, 0x8, 0x8, 0x8000, 0x0, 0x100, 0x5, 0x5, 0xfffffe00, 0x3, 0x100, 0x0, 0x7, 0x0, 0x3f, 0x80000000, 0x61d, 0x7, 0x80000001, 0x0, 0x7, 0xad5, 0x7, 0x80000001, 0x3, 0x3c, 0xec, 0x1, 0xd728, 0x9, 0x8, 0x80000000, 0x1ff, 0x3f, 0x1, 0x22cc, 0x4, 0x8000, 0x6, 0x7, 0x8000, 0x9, 0x3ff, 0x8, 0x80, 0x100, 0xc0, 0x0, 0x9, 0x6, 0x800, 0x2, 0xfffffc01, 0x80, 0x8, 0x3f44, 0x616b27da, 0x20, 0xffffff00, 0x8000, 0x5, 0x5, 0x5, 0x4, 0xd16, 0x0, 0x8, 0x6, 0x9, 0x1, 0x81, 0xcbe, 0x1f, 0x3, 0x1f, 0x5, 0x7, 0x4, 0x7fff0, 0x80000001, 0x7fff, 0x0, 0x8, 0xfffffffe, 0x6, 0xd7, 0xe4, 0x9, 0x2c4283a4, 0x7, 0x40, 0x32, 0x3, 0x38, 0x200, 0xffffffff, 0x86f6, 0x7f, 0x4, 0x401, 0x23c6, 0xfff, 0x4, 0x471a, 0x6, 0x81, 0x8, 0x4, 0x0, 0xe779, 0xc762, 0x89, 0x20f, 0x101, 0xffffffc0, 0x0, 0xde90, 0x80000000, 0x68, 0x4, 0x8, 0xf6c9537, 0x1ff, 0x7, 0x6, 0x6, 0x10001, 0x1000, 0x44f7, 0x7, 0xffffff48, 0x6, 0x6, 0x6, 0x3, 0x9, 0x20, 0x10000, 0x8d79, 0x9, 0x1000, 0x5, 0x7, 0xb1, 0x2, 0x1f, 0x5, 0x4, 0x1f, 0x2, 0x4, 0x2, 0x8, 0x5, 0x4, 0x8000, 0x10000000, 0x100, 0x200, 0x3f, 0x8, 0x7, 0x6, 0x200, 0xfc, 0x2, 0x8000, 0x0, 0x200, 0x6, 0x7ff, 0x2, 0x5, 0x7fffffff, 0x3, 0x9, 0x8000, 0x7fff, 0x3ff, 0x7, 0x200, 0x2, 0x8, 0x8, 0x4, 0xffffffa7, 0x6, 0x1f, 0x4, 0x1000, 0x7fff, 0x7ff, 0x5, 0x10000, 0x9, 0x4800000, 0x8, 0x81]}, @TCA_POLICE_PEAKRATE={0x404, 0x3, [0x0, 0x7, 0x0, 0x600, 0x2ce, 0xffffffff, 0x8dc0, 0x4, 0x9, 0x7, 0x382f, 0x9, 0xfffffeff, 0x2, 0x5, 0x0, 0x800, 0x744, 0x9, 0x8, 0x8, 0x0, 0x1, 0x6, 0x4, 0x152e, 0x4, 0x81, 0x6, 0x5, 0x4, 0x401, 0xa898, 0x0, 0x6, 0x31, 0x1, 0x80000000, 0x699, 0x1f, 0x10001, 0x400, 0x2, 0x9, 0x4, 0x5, 0x2360, 0x5, 0x2, 0x8, 0x6, 0x6, 0xe8db, 0x9, 0x400, 0xfffffffe, 0x5, 0x2, 0x8, 0x8, 0x3, 0x80000000, 0x8, 0x5, 0xfffffffb, 0x7ff, 0x2, 0x5, 0x5a, 0x6, 0x5, 0x4, 0x3, 0x0, 0x9, 0x8, 0x67f9, 0x7, 0x2c4b, 0x4, 0x5, 0x5, 0x3, 0x4, 0x3, 0x9, 0x2, 0x9, 0x7, 0x5, 0x6, 0x2, 0x100, 0x10001, 0x8, 0x4, 0x745, 0x8, 0xffff8001, 0x8001, 0x1, 0xfb, 0x3, 0x0, 0x8, 0x6, 0x5, 0x0, 0xfffffc01, 0x798, 0x7, 0x5, 0x5, 0x9, 0x5, 0x0, 0x0, 0x58c9f928, 0x0, 0x9, 0xd86, 0x3, 0x78b, 0x9, 0x3, 0x9, 0x780d, 0x7, 0xe60, 0x80000001, 0x8, 0x3, 0xfffffff8, 0x4, 0xa2, 0x9, 0x6, 0x0, 0xffff112d, 0x401, 0x637, 0x5ca, 0x8, 0x7, 0x0, 0x8000, 0x3f, 0x7, 0xfffffff8, 0x7, 0x100, 0x8ba, 0x9, 0x10001, 0x7, 0x6, 0x7, 0x3ff, 0x8fbc, 0xd46, 0x80000000, 0xffffffff, 0x401, 0x2d8, 0x1, 0x2, 0x1, 0x5, 0xb1, 0x3, 0x3ff, 0x20, 0x9, 0x6, 0x96, 0x7, 0x1000, 0x1, 0xdc9, 0x0, 0xc3, 0x43000211, 0x9, 0x0, 0x0, 0x8000, 0x8, 0x6, 0x7ff, 0x5, 0x86, 0x3, 0x0, 0xcf, 0x8, 0xffff, 0x2, 0x5d1a, 0x80, 0x80000001, 0x3, 0x80000001, 0x0, 0x0, 0x3, 0x1000, 0x8, 0x3, 0x9, 0x3, 0x93bd, 0x0, 0x20, 0x1ff, 0x101, 0xfff, 0x6, 0x4, 0x400, 0x0, 0xffffff80, 0x800, 0x3, 0x694b, 0x7, 0x9, 0x0, 0x9, 0x101, 0xffffffff, 0x73c, 0x2, 0x1be, 0x6, 0x9, 0x7, 0x0, 0x8, 0x6, 0x51b, 0x2, 0x6, 0x1, 0x7fff, 0x3, 0x3, 0xb8c, 0x7, 0x0, 0x7fff, 0x2, 0x2, 0xd5, 0x0, 0x9, 0x200]}, @TCA_POLICE_PEAKRATE={0x404, 0x3, [0x1, 0x7, 0xa3, 0x80, 0x80000000, 0x200, 0x0, 0x100, 0x7f, 0x1, 0x3, 0x3f, 0x7, 0xff, 0x2256, 0x68b, 0x0, 0x2, 0x7f, 0xfffffffb, 0x2, 0x2, 0xf3e, 0x5, 0x40, 0x7, 0x2, 0x4, 0x7, 0x3, 0xfffffff7, 0x8, 0x45db, 0x2, 0x800, 0x800, 0x7f, 0x80, 0x0, 0x40, 0x4, 0x7fff, 0x5, 0xff, 0x8, 0x8, 0x2e4, 0x906, 0x5, 0xdf65, 0x4, 0x6, 0xfae6, 0x1, 0x4, 0x6, 0x6, 0xce, 0x1ff, 0x5c7, 0x1000, 0xffffffff, 0x4, 0x2, 0x401, 0xfffffffe, 0x10001, 0x8, 0x6f3, 0xc9, 0x0, 0x0, 0x3, 0x7f, 0x0, 0x1, 0x3, 0x1, 0x0, 0x1000, 0x36cf, 0x8, 0x4697, 0xb4e, 0xfff, 0x2946, 0x6, 0x80, 0x0, 0xfffffffc, 0x1f, 0x892, 0x10000, 0xe07, 0x612c, 0x3, 0x337, 0x3ff, 0x9, 0xf2, 0x9, 0x4, 0x101, 0x40, 0x8, 0x5, 0xfffffe01, 0x8452, 0x7, 0x6c5726fe, 0x5, 0x50, 0x0, 0x1, 0x1, 0x117, 0x7f, 0x9, 0xfa, 0x101, 0x80000001, 0x6, 0x1000, 0x4, 0x2, 0x400, 0x2, 0x7, 0x1, 0x9, 0x6400000, 0x2, 0x2, 0xdd, 0x8, 0xd6, 0x6, 0x1dfd04b6, 0x55, 0x2, 0xe0, 0x1, 0x6, 0x3, 0xe5, 0x800, 0x2, 0x5, 0x17b, 0xfff, 0x20, 0x2, 0x13, 0xec, 0x401, 0x5, 0xcb, 0x401, 0x0, 0x9, 0x3f, 0xcb4, 0x7ff, 0x81, 0x8, 0x5, 0x80000001, 0xffff0000, 0x1, 0x2000000, 0x1, 0xb4, 0xfff, 0x5, 0x4, 0x200, 0x0, 0x6, 0x583, 0x0, 0x3ff, 0x8000, 0x7e, 0x1, 0x264, 0x4, 0x3, 0x1ff, 0xffffffff, 0xfffffffa, 0x80000000, 0x4, 0x7c, 0x7, 0x1, 0xfffffc01, 0x6, 0x401, 0x0, 0xffffffff, 0x7, 0x9, 0x3, 0x0, 0x7606fe7e, 0x400, 0x101, 0x101, 0x5, 0x1, 0x9, 0x2, 0xff, 0x7f, 0x7, 0x5b6, 0x5, 0x3, 0x4, 0x5, 0x0, 0x3, 0x1, 0x8, 0x101, 0x0, 0x6, 0x3, 0x38a, 0x8, 0x38eb1eb3, 0x9, 0xffe00000, 0x11, 0x20, 0x8, 0x1, 0xef56, 0x100, 0x0, 0x1, 0x10001, 0x400, 0xfc, 0x9, 0x8, 0x9, 0x9, 0x0, 0x6, 0x5, 0x7d8000, 0x2, 0x4, 0x1, 0x7]}, @TCA_POLICE_RATE64={0xc, 0x8, 0xffffffffffffff00}], [@TCA_POLICE_RATE64={0xc, 0x8, 0x9}, @TCA_POLICE_PEAKRATE64={0xc, 0x9, 0x40}, @TCA_POLICE_TBF={0x3c, 0x1, {0x0, 0xffffffffffffffff, 0x3, 0x4ece2952, 0x5, {0x22, 0x0, 0x200, 0x7, 0x7fff, 0x4}, {0x1f, 0x1, 0xff4, 0x7ff, 0x4, 0x100}, 0x8000, 0x8, 0xffffffff}}]]}, {0x7b, 0x6, "dc531de6a132be5a1c62c4badbac86dd9506ca3fbf91e25260064072bcacb1ba5aa4dd6b40a7467e817ea56e8fdcabb48733a18b4a1a928f2f6cbfff0eb7feb05b70f723ae76d69d47f3a537595349477638fe75f8431864829674ad31f7ccdfbfd2f819d159ad60857425c5a3836965c5a1719146a447"}}}, @m_vlan={0x40, 0x12, 0x0, 0x0, {{0x9, 0x1, 'vlan\x00'}, {0x28, 0x2, 0x0, 0x1, [@TCA_VLAN_PUSH_VLAN_ID={0x6, 0x3, 0x690}, @TCA_VLAN_PARMS={0x1c, 0x2, {{0x8fdf, 0x8, 0x2, 0x8, 0x4}, 0x1}}]}, {0x5, 0x6, "f7"}}}, @m_nat={0x74, 0x1e, 0x0, 0x0, {{0x8, 0x1, 'nat\x00'}, {0x2c, 0x2, 0x0, 0x1, [@TCA_NAT_PARMS={0x28, 0x1, {{0x5, 0x34e, 0x4, 0x0, 0x3f}, @dev={0xac, 0x14, 0x14, 0x19}, @dev={0xac, 0x14, 0x14, 0x28}, 0xffffff00}}]}, {0x39, 0x6, "7fca63a5dca3c0395573fb460677064420c3eb63af2dc312f49af5dba1b733866857986d1606e6da996f4b9f0e71ff16714225973f"}}}]}]}}]}, 0x5314}}, 0x0) 07:11:03 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4800}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1111.800359][T23998] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1111.827185][T23998] ref_ctr decrement failed for inode: 0x4101 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000057e284e5 07:11:03 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x0, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:11:03 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xc3010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:03 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x362, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:03 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9c00, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:04 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x0, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:11:04 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:04 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB='<\x00\x00\x00,\x00\'\r\x00'/20, @ANYRES32=r6, @ANYBLOB="000000004b4ff961637e6500000000090000000a000100666c6f776500000c0002000400"], 0x3c}}, 0x0) 07:11:04 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6800}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1112.327517][T24035] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:04 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xc4000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:04 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x36d, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1112.378669][T24035] ref_ctr decrement failed for inode: 0x4151 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000057e284e5 [ 1112.457971][T24046] netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. [ 1112.467409][T24035] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1112.475856][T24035] ref_ctr decrement failed for inode: 0x4151 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000057e284e5 07:11:04 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6c00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1112.549896][T24049] netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. [ 1112.567308][T24053] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1112.580524][T24053] ref_ctr decrement failed for inode: 0x4151 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000057e284e5 07:11:04 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x0, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:11:04 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xc4010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:04 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x370, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:04 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7400}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:04 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xdc02, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:04 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) r7 = semget(0x1, 0x0, 0x0) semctl$GETZCNT(r7, 0x0, 0xf, &(0x7f0000000180)=""/176) semctl$GETALL(r7, 0x0, 0xd, &(0x7f0000000580)=""/233) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:04 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f0000000040)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c904d6b667311666174000204010002000270fff8", 0x16}], 0x1080800, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:04 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1113.065287][T24091] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1113.106185][T24091] ref_ctr decrement failed for inode: 0x4155 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de [ 1113.122050][ T27] kauditd_printk_skb: 3 callbacks suppressed [ 1113.122069][ T27] audit: type=1804 audit(1586329864.972:1384): pid=24081 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1775/bus" dev="sda1" ino=16721 res=1 [ 1113.142450][T24091] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:05 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xc5000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:05 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x372, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:05 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xb500}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:05 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) socket(0x10, 0x803, 0x0) r2 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1113.247234][T24091] ref_ctr decrement failed for inode: 0x4155 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de 07:11:05 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xec00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1113.440243][ T27] audit: type=1804 audit(1586329865.292:1385): pid=24102 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1776/bus" dev="sda1" ino=16724 res=1 07:11:05 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x384, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:05 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x20) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0xc, 0x99, {0x2000}}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}, 0x1, 0x0, 0x0, 0x810}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000580)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff00000000090001006866736300000000080002000000000093fc2b47ac61e57e816a6e107d0c037883a0a45b8d1ea984dc31d84f2807adb9709726b9ebb3dfa52e1b69667ee89fbb81ef0c0fdf1f0863d8ac9266bc15f04aafdc75bbc0468521b4078b9b3bec8985ce455e1c37debae322a84a64232e9bc022948761c23787b7bb200aa0b625e345b3d0a0d7b50bd39f70283be33c22341aedc87a1dd8e120cbb12b1d48"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x2c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {0x1, 0x7}, {}, {0x9}}, [@TCA_CHAIN={0x8, 0xb, 0x8000}]}, 0x2c}}, 0x0) 07:11:05 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xdc03, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:05 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xc5010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:05 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1113.790656][ T27] audit: type=1804 audit(1586329865.642:1386): pid=24126 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1777/bus" dev="sda1" ino=16641 res=1 [ 1113.826310][T24139] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:05 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x388, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:05 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) socket(0x10, 0x803, 0x0) r2 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1113.840572][T24139] ref_ctr decrement failed for inode: 0x4103 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:11:05 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff00}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:05 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xc6000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1113.963006][T24139] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:05 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000300)=@newtfilter={0x24, 0x2c, 0x8, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {0x0, 0xfff1}, {0x9}}}, 0x24}}, 0x20008810) [ 1114.016118][T24139] ref_ctr decrement failed for inode: 0x4103 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:11:06 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) socket(0x10, 0x803, 0x0) r2 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:11:06 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1114.202207][ T27] audit: type=1804 audit(1586329866.052:1387): pid=24147 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1778/bus" dev="sda1" ino=16977 res=1 07:11:06 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38e, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:06 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0ffff}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:06 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe801, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:06 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) r7 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r7, 0x8912, 0x400200) sendmsg$IPSET_CMD_GET_BYINDEX(r7, &(0x7f0000000340)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000300)={&(0x7f00000000c0)={0x24, 0xf, 0x6, 0x401, 0x0, 0x0, {0x1, 0x0, 0x8}, [@IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_INDEX={0x6}]}, 0x24}, 0x1, 0x0, 0x0, 0x44}, 0x2400c000) 07:11:06 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1114.518937][ T27] audit: type=1804 audit(1586329866.372:1388): pid=24175 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1779/bus" dev="sda1" ino=16721 res=1 07:11:06 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xc6010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:06 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3b4, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1114.566187][T24184] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1114.621815][T24184] ref_ctr decrement failed for inode: 0x4301 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:11:06 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1114.712016][T24184] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1114.741764][T24184] ref_ctr decrement failed for inode: 0x4301 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:11:06 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xc7000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:06 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x803, 0x0) dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:11:06 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:06 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xc8000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1114.964921][ T27] audit: type=1804 audit(1586329866.812:1389): pid=24197 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1780/bus" dev="sda1" ino=17105 res=1 07:11:06 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) ioctl$BINDER_SET_MAX_THREADS(0xffffffffffffffff, 0x40046205, &(0x7f00000000c0)=0x8) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) ioctl$VIDIOC_PREPARE_BUF(0xffffffffffffffff, 0xc058565d, &(0x7f0000000300)={0x5, 0x0, 0x4, 0x2080000, 0x1, {}, {0x0, 0x0, 0x3f, 0x3, 0x0, 0x1f, "6b1710de"}, 0x8000, 0x1, @userptr=0x401, 0x3f, 0x0, r5}) setsockopt$RXRPC_EXCLUSIVE_CONNECTION(r7, 0x110, 0x3) 07:11:06 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3c4, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:06 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xea01, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:07 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:07 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xc9000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1115.287388][T24227] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1115.327664][T24227] ref_ctr decrement failed for inode: 0x42d1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 [ 1115.364246][T24227] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:07 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) r1 = creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r2 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r2, 0x804) sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, 0x0, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) setsockopt$inet_sctp6_SCTP_RTOINFO(0xffffffffffffffff, 0x84, 0x0, &(0x7f0000000100)={0x0, 0x6, 0x0, 0xb5}, 0x10) getsockopt$inet_sctp_SCTP_PR_ASSOC_STATUS(0xffffffffffffffff, 0x84, 0x73, &(0x7f0000000000)={0x0, 0x9, 0x20, 0x4, 0x3}, 0x0) getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE(r1, 0x84, 0x7c, &(0x7f0000000040)={0x0, 0x5, 0x6dca}, &(0x7f00000000c0)=0x8) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:07 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x803, 0x0) dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1115.389512][T24227] ref_ctr decrement failed for inode: 0x42d1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 [ 1115.450631][ T7803] attempt to access beyond end of device [ 1115.457374][ T7803] loop4: rw=1, want=130, limit=63 [ 1115.462513][ T7803] Buffer I/O error on dev loop4, logical block 129, lost async page write [ 1115.471533][ T7803] attempt to access beyond end of device [ 1115.477515][ T7803] loop4: rw=1, want=131, limit=63 [ 1115.482995][ T7803] Buffer I/O error on dev loop4, logical block 130, lost async page write [ 1115.491835][ T7803] attempt to access beyond end of device 07:11:07 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1115.498149][ T7803] loop4: rw=1, want=132, limit=63 [ 1115.503432][ T7803] Buffer I/O error on dev loop4, logical block 131, lost async page write [ 1115.522244][ T7803] attempt to access beyond end of device [ 1115.528763][ T7803] loop4: rw=1, want=133, limit=63 [ 1115.551508][ T7803] Buffer I/O error on dev loop4, logical block 132, lost async page write [ 1115.600227][ T7803] attempt to access beyond end of device [ 1115.611740][ T27] audit: type=1804 audit(1586329867.462:1390): pid=24231 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1781/bus" dev="sda1" ino=16525 res=1 [ 1115.621590][ T7803] loop4: rw=1, want=142, limit=63 07:11:07 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xca000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:07 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3d2, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:07 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xea03, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:07 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1115.709348][ T7803] Buffer I/O error on dev loop4, logical block 141, lost async page write 07:11:07 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x803, 0x0) dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:11:07 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1115.930683][ T27] audit: type=1804 audit(1586329867.782:1391): pid=24259 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1782/bus" dev="sda1" ino=16600 res=1 [ 1115.973028][T24273] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:07 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ea, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1116.037270][T24273] ref_ctr decrement failed for inode: 0x4251 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 [ 1116.071084][T24273] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1116.084987][T24273] ref_ctr decrement failed for inode: 0x4251 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:11:08 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0xfffffffffffffd8f, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_IFINDEX={0x8}, @NL80211_ATTR_WIPHY={0xffffffffffffff6c}]}, 0x24}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) close(r5) r6 = openat$cgroup_ro(r5, &(0x7f0000000040)='cpuacct.usage_sys\x00', 0x0, 0x0) getsockopt$inet_dccp_int(r6, 0x21, 0xa, &(0x7f00000000c0), &(0x7f0000000300)=0x4) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004003a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f00000006c0)=ANY=[@ANYBLOB="3c0000002c00270d00a867756200c900984147b5ab360136b46ac22b45f504f5a3dbe0f9329255c3b3811669bb166837643c4335b4a6836ced7a3c72e9fb50e8e8f32d4b157a45857101481c55e8272d9ac74e8a62e974439da3384c875d61d71451c6000000000000000000006a2d09c1e7ac1fa174429c37e5b4710b6eb78d27c7c2dc02c81b6899b92b85a83d45b655272061b0f4df637070dd9333b9826baf797207b6f33360fcdfa93166ab3e605e39a4cb65026c76ccdcc57e15d8ed2ff48bfe590d65de71bdcf821feb6118f82ab430c6a193fb59a831002067ef79a0b523ebf001b2bc", @ANYRES32=r7, @ANYBLOB="0000000000000000090000000b000100666c6f77657200000c0002000400548004005580"], 0x3c}}, 0x0) 07:11:08 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:08 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xcb000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1116.207516][T24273] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1116.224405][T24273] ref_ctr decrement failed for inode: 0x4251 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:11:08 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:08 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xec03, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:08 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1116.449903][ T27] audit: type=1804 audit(1586329868.302:1392): pid=24286 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1783/bus" dev="sda1" ino=16644 res=1 07:11:08 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3f0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:08 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1116.609693][T24296] netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. 07:11:08 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xcc000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1116.709214][T24311] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1116.727946][T24311] ref_ctr decrement failed for inode: 0x4104 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:11:08 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:08 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x20, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:08 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1116.791725][T24311] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1116.812342][T24311] ref_ctr decrement failed for inode: 0x4104 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:11:08 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xcd000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1116.965453][ T27] audit: type=1804 audit(1586329868.812:1393): pid=24314 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1784/bus" dev="sda1" ino=16530 res=1 07:11:08 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3f2, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:08 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:08 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf201, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:09 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x48000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:09 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:11:09 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:09 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) r6 = syz_genetlink_get_family_id$ipvs(&(0x7f00000001c0)='IPVS\x00') sendmsg$IPVS_CMD_NEW_DAEMON(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000fc0)={0x44, r6, 0x1, 0x0, 0x0, {}, [@IPVS_CMD_ATTR_DAEMON={0x30, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_STATE={0x8}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'ip6gre0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e20}, @IPVS_DAEMON_ATTR_SYNC_ID={0x8}]}]}, 0x44}}, 0x0) sendmsg$IPVS_CMD_GET_SERVICE(0xffffffffffffffff, &(0x7f0000000b80)={&(0x7f0000000400)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000640)={&(0x7f0000000ac0)={0x9c, r6, 0x800, 0x70bd2b, 0x25dfdbfd, {}, [@IPVS_CMD_ATTR_SERVICE={0x60, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x1c}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x54}, @IPVS_SVC_ATTR_PORT={0x6, 0x4, 0x4e22}, @IPVS_SVC_ATTR_FWMARK={0x8, 0x5, 0x3}, @IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x4, 0x1a}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x2b}, @IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@rand_addr=0x8}, @IPVS_SVC_ATTR_FWMARK={0x8}]}, @IPVS_CMD_ATTR_SERVICE={0x28, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@local}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x1c}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x3b}]}]}, 0x9c}, 0x1, 0x0, 0x0, 0x10}, 0x800) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1117.376298][T24362] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1117.404025][T24362] ref_ctr decrement failed for inode: 0x4323 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 [ 1117.422435][T24362] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1117.432617][T24362] ref_ctr decrement failed for inode: 0x4323 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:11:09 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xce000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:09 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3fa, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:09 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x68000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:09 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6c000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1117.619606][T24362] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1117.643991][T24362] ref_ctr decrement failed for inode: 0x4323 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:11:09 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:11:09 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xcf000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:09 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x74000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:09 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf203, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:09 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x500, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:09 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(0xffffffffffffffff, 0x801) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r1, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r2 = socket$nl_route(0x10, 0x3, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r4 = socket(0x10, 0x803, 0x0) r5 = syz_init_net_socket$rose(0xb, 0x5, 0x0) sendmsg$NBD_CMD_DISCONNECT(r4, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r4, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r3, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYRES16=r5, @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x3}}, 0x0) sendmsg$nl_route_sched(r2, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB='<\x00\x00\x00,\x00\'\r\x00'/20, @ANYRES32=r6, @ANYBLOB="0000666c1f00657200000c0002000400018004005580"], 0x3c}}, 0x0) dup(0xffffffffffffffff) setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f0000000040)={&(0x7f0000000580)=""/242, 0x8000, 0x1000, 0x8, 0x1}, 0x20) 07:11:09 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:09 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1118.149383][T24405] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1118.169736][T24405] ref_ctr decrement failed for inode: 0x4324 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e 07:11:10 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x85ffffff}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1118.222928][T24405] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1118.237294][T24405] ref_ctr decrement failed for inode: 0x4324 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e 07:11:10 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xd0000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1118.329925][T24416] netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. 07:11:10 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xb5000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1118.413540][T24428] netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. 07:11:10 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) r5 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r5, 0x8912, 0x400200) ioctl$KDFONTOP_COPY(r5, 0x4b72, &(0x7f0000000040)={0x3, 0x1, 0x10, 0x2, 0x9c, &(0x7f00000006c0)}) socket$netlink(0x10, 0x3, 0x0) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00006866736300000004000002c50000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB="3c0000fd2c00270d4ebc5c7d185bbcfd00000000", @ANYRES32=r7, @ANYBLOB="0000000000000000090000000b000100666c6f77657200000c0002000400548004005580"], 0x3c}}, 0x0) 07:11:10 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xec000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:10 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x600, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:10 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:11:10 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf400, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:10 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:10 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xd1000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1118.772667][T24444] netlink: 20 bytes leftover after parsing attributes in process `syz-executor.4'. [ 1118.810538][ T27] kauditd_printk_skb: 1 callbacks suppressed [ 1118.810559][ T27] audit: type=1804 audit(1586329870.662:1395): pid=24442 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1788/bus" dev="sda1" ino=17188 res=1 07:11:10 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x700, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:10 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1118.940001][T24451] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:10 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffff000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1118.980810][T24451] ref_ctr decrement failed for inode: 0x4092 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000006e641f3b [ 1119.013299][T24451] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1119.057368][T24451] ref_ctr decrement failed for inode: 0x4092 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000006e641f3b [ 1119.092608][T24461] netlink: 20 bytes leftover after parsing attributes in process `syz-executor.4'. 07:11:11 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xd2000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:11 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockopt$bt_hci(0xffffffffffffffff, 0x0, 0x1, &(0x7f0000000580)=""/84, &(0x7f00000000c0)=0x54) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) r7 = openat$nvram(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nvram\x00', 0x0, 0x0) ioctl$KVM_SET_MSRS(r7, 0x4008ae89, &(0x7f0000000480)={0x5, 0x0, [{0x874, 0x0, 0xfffffffffffffffd}, {0x9a3, 0x0, 0x487}, {0xa58, 0x0, 0xfffffffeffffffff}, {0x805, 0x0, 0x1}, {0x580, 0x0, 0xffff}]}) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0xb, &(0x7f0000000280)={&(0x7f0000000300)=@gettaction={0x0, 0x32, 0x300, 0x70bd2b, 0x25dfdbfc, {}, [@action_dump_flags=@TCA_ROOT_FLAGS={0x0, 0x2, {0x0, 0x1}}, @action_dump_flags=@TCA_ROOT_TIME_DELTA={0x0, 0x4, 0x66}, @action_gd=@TCA_ACT_TAB={0x0, 0x1, [{0x0, 0xb, 0x0, 0x0, @TCA_ACT_KIND={0x0, 0x1, 'sample\x00'}}, {0x0, 0x11, 0x0, 0x0, @TCA_ACT_INDEX}, {0x0, 0x0, 0x0, 0x0, @TCA_ACT_INDEX={0x0, 0x3, 0xffff}}]}, @action_dump_flags=@TCA_ROOT_FLAGS={0x0, 0x2, {0x0, 0x1}}]}, 0x40}}, 0x0) 07:11:11 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffff85}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1119.239425][ T27] audit: type=1804 audit(1586329871.092:1396): pid=24469 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1789/bus" dev="sda1" ino=17191 res=1 07:11:11 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa00, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:11 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf402, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:11 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffff}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:11 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:11:11 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:11 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xd3000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1119.623232][ T27] audit: type=1804 audit(1586329871.472:1397): pid=24490 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1790/bus" dev="sda1" ino=16531 res=1 07:11:11 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000040)=@newtfilter={0x3c, 0x2c, 0x100, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1119.667508][T24495] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1119.682283][T24495] ref_ctr decrement failed for inode: 0x4101 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000085786c98 [ 1119.705061][T24495] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:11 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xb00, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:11 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x2}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1119.728327][T24495] ref_ctr decrement failed for inode: 0x4101 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000085786c98 07:11:11 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x3}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:11 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x1}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1120.021494][ T27] audit: type=1804 audit(1586329871.872:1398): pid=24522 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1791/bus" dev="sda1" ino=17416 res=1 07:11:11 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xd4000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:11 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf803, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:11 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:11:11 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc01, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:12 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x4}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:12 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x5}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1120.447809][T24555] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1120.459638][ T27] audit: type=1804 audit(1586329872.312:1399): pid=24541 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1792/bus" dev="sda1" ino=17427 res=1 07:11:12 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xd5000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:12 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1400, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:12 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) syz_open_dev$loop(&(0x7f00000001c0)='/dev/loop#\x00', 0x0, 0x105084) r7 = memfd_create(&(0x7f0000000600)='\x00\x00\x00\x00\x8c\x00'/15, 0x1) pwritev(r7, &(0x7f0000f50f90)=[{&(0x7f0000000100)="a8", 0x1}], 0x1, 0x81003) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000040)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYPTR=&(0x7f0000000340)=ANY=[@ANYRES32, @ANYPTR, @ANYRESHEX=r7, @ANYRESOCT, @ANYRESOCT, @ANYRESHEX], @ANYRES32], 0x3}}, 0x22008909) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1120.487466][T24555] ref_ctr decrement failed for inode: 0x4419 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000085786c98 [ 1120.556252][T24555] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:12 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:11:12 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x6}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1120.600233][T24555] ref_ctr decrement failed for inode: 0x4419 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000085786c98 07:11:12 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x7}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1120.707328][T24555] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1120.732983][T24555] ref_ctr decrement failed for inode: 0x4419 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000085786c98 07:11:12 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0xa}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1120.889140][ T27] audit: type=1804 audit(1586329872.742:1400): pid=24566 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1793/bus" dev="sda1" ino=17422 res=1 07:11:12 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfa03, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:12 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1803, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:12 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0xc}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:12 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xd6000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:12 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) getsockopt$inet_sctp_SCTP_PR_ASSOC_STATUS(0xffffffffffffffff, 0x84, 0x73, &(0x7f0000000000)={0x0, 0x9, 0x20, 0x4, 0x3}, 0x0) getsockopt$inet_sctp_SCTP_DELAYED_SACK(r0, 0x84, 0x10, &(0x7f00000000c0)=@sack_info={0x0, 0x8000, 0x7}, &(0x7f0000000300)=0xc) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) ioctl$PPPIOCGIDLE(r1, 0x8010743f, &(0x7f0000000040)) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:13 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:11:13 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x10}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1121.227369][T24593] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1121.238429][T24593] ref_ctr decrement failed for inode: 0x4324 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000085786c98 [ 1121.258266][T24593] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1121.266302][T24593] ref_ctr decrement failed for inode: 0x4324 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000085786c98 07:11:13 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xd7000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:13 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x18}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:13 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xd8000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:13 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1c00, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:13 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) socket$vsock_stream(0x28, 0x1, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) openat$apparmor_thread_exec(0xffffffffffffff9c, &(0x7f0000000040)='/proc/thread-self/attr/exec\x00', 0x2, 0x0) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) lsetxattr$security_evm(&(0x7f00000000c0)='./bus\x00', &(0x7f0000000300)='security.evm\x00', &(0x7f00000006c0)=ANY=[@ANYBLOB="0300048000000000d751e3d68ec8b425c84b95ebca2a35c3f8bbc608720dba0650afe8349b72d8b24d9b9eec3352066844b28f2fb49b1d7a43e104a47017d719a8cea133e37175d16d0b611091dc62b21da99e3c9257186a631dfebc7f4ad8f2de17ff39a689d99c1a1e3f5c3b680ec0009dd5ea22979cb3326f40bb78b0eaf815b08f44dada58b4284107ad0c440d3ee56d93a273dc9b3d05d08b9fae9cbe2e45a183d25f3fd949a09115bb3b916580ab7082ca7829c00000591835cffdc0536ed90ba6a36bdd4a9683d6d5151f76d31aa1041a06aa40bc67ced8a5a75c9e88cea6"], 0xe0, 0x1) 07:11:13 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfc03, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:13 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x48}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:13 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xd6000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:13 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x4c}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:13 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) mmap$IORING_OFF_CQ_RING(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x9, 0x111, r0, 0x8000000) r1 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r1) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r1, 0x4008700e, 0x7) r2 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r2, 0x804) r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r3, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r5, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r4, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1121.987779][T24651] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1121.999264][ T27] audit: type=1804 audit(1586329873.852:1401): pid=24644 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1795/bus" dev="sda1" ino=17438 res=1 07:11:13 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1d00, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:13 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x68}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1122.036840][T24651] ref_ctr decrement failed for inode: 0x441c offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000085786c98 07:11:13 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xd9000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:14 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x6c}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1122.139996][T24651] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:14 executing program 3: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) r6 = syz_genetlink_get_family_id$ipvs(&(0x7f00000001c0)='IPVS\x00') sendmsg$IPVS_CMD_NEW_DAEMON(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000fc0)={0x44, r6, 0x1, 0x0, 0x0, {}, [@IPVS_CMD_ATTR_DAEMON={0x30, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_STATE={0x8}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'ip6gre0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e20}, @IPVS_DAEMON_ATTR_SYNC_ID={0x8}]}]}, 0x44}}, 0x0) sendmsg$IPVS_CMD_GET_SERVICE(0xffffffffffffffff, &(0x7f0000000b80)={&(0x7f0000000400)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000640)={&(0x7f0000000ac0)={0x9c, r6, 0x800, 0x70bd2b, 0x25dfdbfd, {}, [@IPVS_CMD_ATTR_SERVICE={0x60, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x1c}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x54}, @IPVS_SVC_ATTR_PORT={0x6, 0x4, 0x4e22}, @IPVS_SVC_ATTR_FWMARK={0x8, 0x5, 0x3}, @IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x4, 0x1a}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x2b}, @IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@rand_addr=0x8}, @IPVS_SVC_ATTR_FWMARK={0x8}]}, @IPVS_CMD_ATTR_SERVICE={0x28, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@local}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x1c}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x3b}]}]}, 0x9c}, 0x1, 0x0, 0x0, 0x10}, 0x800) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1122.219763][T24651] ref_ctr decrement failed for inode: 0x441c offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000085786c98 07:11:14 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x74}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:14 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000400)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x800}, 0xc, &(0x7f0000000380)={&(0x7f0000000300)=@newtclass={0x4c, 0x28, 0x800, 0x70bd2d, 0x25dfdbfb, {0x0, 0x0, 0x0, 0x0, {0xa, 0x5}, {0x10, 0x8}, {0x6, 0xd}}, [@TCA_RATE={0x6, 0x5, {0x4, 0x3}}, @TCA_RATE={0x6, 0x5, {0x81, 0x1}}, @tclass_kind_options=@c_red={0x8, 0x1, 'red\x00'}, @TCA_RATE={0x6, 0x5, {0x81, 0x9}}, @tclass_kind_options=@c_cbs={0x8, 0x1, 'cbs\x00'}]}, 0x4c}, 0x1, 0x0, 0x0, 0xecb97c3f1d720d30}, 0x46890) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0x6c, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1122.420079][ T27] audit: type=1804 audit(1586329874.272:1402): pid=24666 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1796/bus" dev="sda1" ino=17185 res=1 [ 1122.420123][ T21] attempt to access beyond end of device [ 1122.527696][ T21] loop4: rw=1, want=130, limit=63 [ 1122.536453][ T21] Buffer I/O error on dev loop4, logical block 129, lost async page write [ 1122.561838][ T21] attempt to access beyond end of device [ 1122.570847][ T21] loop4: rw=1, want=131, limit=63 07:11:14 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfe03, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:14 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x7a}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:14 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1e00, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:14 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket(0x10, 0x803, 0x0) r3 = dup(r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f0000000100)="f20f07ea070000004900b9800200c00f3235000800000f3066baf80cb845f7c583ef66bafc0cec64672e0f015b00b8010000000f01c10f0059000f01c2c4c1f97f7523", 0x43}], 0x1, 0x61, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 07:11:14 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xda000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1122.579288][ T21] Buffer I/O error on dev loop4, logical block 130, lost async page write [ 1122.611624][ T21] attempt to access beyond end of device [ 1122.652907][T12579] attempt to access beyond end of device [ 1122.660900][ T21] loop4: rw=1, want=132, limit=63 [ 1122.675119][T12579] loop3: rw=1, want=78, limit=63 [ 1122.683497][T12579] Buffer I/O error on dev loop3, logical block 77, lost async page write [ 1122.687524][ T21] Buffer I/O error on dev loop4, logical block 131, lost async page write 07:11:14 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0xb5}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1122.706655][ T21] attempt to access beyond end of device [ 1122.716065][ T21] loop4: rw=1, want=133, limit=63 [ 1122.724662][ T21] Buffer I/O error on dev loop4, logical block 132, lost async page write [ 1122.744338][ T21] attempt to access beyond end of device [ 1122.752966][ T21] loop4: rw=1, want=142, limit=63 [ 1122.762268][ T21] Buffer I/O error on dev loop4, logical block 141, lost async page write [ 1122.791331][ T27] audit: type=1804 audit(1586329874.642:1403): pid=24692 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1797/bus" dev="sda1" ino=17437 res=1 [ 1122.816684][T24701] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:14 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2602, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1122.854276][T24701] ref_ctr decrement failed for inode: 0x4424 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000085786c98 [ 1122.895769][T24701] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1122.907231][T24701] ref_ctr decrement failed for inode: 0x4424 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000085786c98 07:11:14 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0xec}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1122.985501][T24708] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.4'. 07:11:14 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xdb000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1123.037388][T24701] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1123.046194][T24701] ref_ctr decrement failed for inode: 0x4424 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000085786c98 07:11:15 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0xff}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:15 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) ioctl$LOOP_CHANGE_FD(0xffffffffffffffff, 0x4c00, 0xffffffffffffffff) sendfile(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x102000003) getsockopt$sock_buf(0xffffffffffffffff, 0x1, 0x37, &(0x7f0000000040)=""/24, &(0x7f00000000c0)=0x18) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB='<\x00\'\r\x00'/20, @ANYRES32=r6, @ANYBLOB="0000000000000000090000000b000100666c6f77657200000c0002000400548004005580"], 0x3c}}, 0x0) [ 1123.211037][ T27] audit: type=1804 audit(1586329875.062:1404): pid=24715 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1798/bus" dev="sda1" ino=17441 res=1 07:11:15 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:15 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2603, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:15 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xdc000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:15 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:15 executing program 3: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000400)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x800}, 0xc, &(0x7f0000000380)={&(0x7f0000000300)=@newtclass={0x4c, 0x28, 0x800, 0x70bd2d, 0x25dfdbfb, {0x0, 0x0, 0x0, 0x0, {0xa, 0x5}, {0x10, 0x8}, {0x6, 0xd}}, [@TCA_RATE={0x6, 0x5, {0x4, 0x3}}, @TCA_RATE={0x6, 0x5, {0x81, 0x1}}, @tclass_kind_options=@c_red={0x8, 0x1, 'red\x00'}, @TCA_RATE={0x6, 0x5, {0x81, 0x9}}, @tclass_kind_options=@c_cbs={0x8, 0x1, 'cbs\x00'}]}, 0x4c}, 0x1, 0x0, 0x0, 0xecb97c3f1d720d30}, 0x46890) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0x6c, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:15 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x2}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:15 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) write$USERIO_CMD_REGISTER(r1, &(0x7f0000000040)={0x0, 0x6}, 0x2) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) r6 = openat$zero(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/zero\x00', 0x80, 0x0) ioctl$KVM_SET_ONE_REG(r6, 0x4010aeac, &(0x7f0000000380)={0x46c, 0x8000}) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="000100000000000000c90d18274674499e035ca191f5000000124c80a3ab"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000300)=ANY=[@ANYBLOB='<\x00\x00\x00,\x00\'\r\x00'/20, @ANYRES32=r7, @ANYBLOB="00000000000000000000666c6f77657200000c000d774f8d06c0e64da7ef4a6a0200040054800400558000000000000068831b681ed0eb16c3c75bc664f53872ad475f287380767d96d7a9f402665d9b2fa7520a822c4f"], 0x3c}}, 0x0) 07:11:15 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xdd000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1123.659918][T24739] ref_ctr_offset mismatch. inode: 0x42d1 offset: 0x0 ref_ctr_offset(old): 0x40004 ref_ctr_offset(new): 0x4 07:11:15 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x3}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1123.735814][T24758] ref_ctr_offset mismatch. inode: 0x42d1 offset: 0x0 ref_ctr_offset(old): 0x40004 ref_ctr_offset(new): 0x4 07:11:15 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2801, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:15 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38c90, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1123.900665][T24774] netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. 07:11:15 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x4}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1123.994769][T24780] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.3'. [ 1124.024435][T24766] netlink: 20 bytes leftover after parsing attributes in process `syz-executor.4'. [ 1124.071041][T24784] netlink: 20 bytes leftover after parsing attributes in process `syz-executor.4'. [ 1124.107505][T24779] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:16 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2803, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:16 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xde000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:16 executing program 3: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3f2, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1124.119951][ T27] kauditd_printk_skb: 1 callbacks suppressed [ 1124.120001][ T27] audit: type=1804 audit(1586329875.972:1406): pid=24777 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1800/bus" dev="sda1" ino=17436 res=1 07:11:16 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)=ANY=[@ANYBLOB='(\x00\x00\x00', @ANYRES16=r2, @ANYBLOB="c18f00000000000b00001100000027009900000000000000000008000100d5ff0000"], 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1124.173832][T24779] ref_ctr decrement failed for inode: 0x442e offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000006e641f3b [ 1124.186002][T12579] attempt to access beyond end of device [ 1124.193973][T12579] loop3: rw=1, want=78, limit=63 [ 1124.199746][T12579] Buffer I/O error on dev loop3, logical block 77, lost async page write [ 1124.231283][T24779] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1124.245230][ T2524] attempt to access beyond end of device [ 1124.251727][ T2524] loop4: rw=1, want=130, limit=63 07:11:16 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x5}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1124.273547][T24779] ref_ctr decrement failed for inode: 0x442e offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x000000006e641f3b 07:11:16 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x6}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1124.510811][ T27] audit: type=1804 audit(1586329876.362:1407): pid=24790 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1801/bus" dev="sda1" ino=17445 res=1 07:11:16 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x7}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:16 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xdf000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:16 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3000, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:16 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38ce8, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:16 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xde000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:16 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0xa}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:16 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) prctl$PR_GET_TSC(0x19, &(0x7f0000000040)) r5 = socket(0x10, 0x803, 0x0) sendfile(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x102000003) ioctl$sock_SIOCGIFBR(0xffffffffffffffff, 0x8940, &(0x7f0000000300)=@add_del={0x2, &(0x7f00000000c0)='vlan0\x00'}) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:16 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0xc}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1124.907642][T24836] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1124.924516][T24836] ref_ctr decrement failed for inode: 0x4426 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e [ 1124.947035][T24836] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:16 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x10}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:16 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3401, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1124.964993][ T27] audit: type=1804 audit(1586329876.812:1408): pid=24822 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1802/bus" dev="sda1" ino=17437 res=1 [ 1124.987968][T24836] ref_ctr decrement failed for inode: 0x4426 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e 07:11:16 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xe0000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:17 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) r1 = creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r2 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r2, 0x804) r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r3, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) sched_setscheduler(0x0, 0x5, &(0x7f0000000380)) ioctl$DRM_IOCTL_GET_CLIENT(r1, 0xc0286405, &(0x7f0000000040)={0x80000000, 0x8, {0x0}, {0xffffffffffffffff}, 0x9, 0x7400}) ptrace$getsig(0x4202, r5, 0x401, &(0x7f0000000300)) r6 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r7 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r7, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r7, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r6, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r8, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r4, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f00000006c0)=ANY=[@ANYBLOB="3c0000002c00270d000000000000fe0000e8d6d30814a253d30f3633abaf0000000615586c4ca83828290ea24679b82d90a716051577335fe1064c95f6daf962774dc2687753a40c0f0feb37e57eb7d9ec40bfe0801a310ef9a218ab49079e7883c4265e3d5607f7cc938f13c86fd944a698fe9f6b44e12365d5de2dfb22c1fa3ae95ea5001a38a027a5b6cb6b8c6c0f1ad669280e807806893b5fb2c2b7d2568945094b03c6c97a9ea1e8fdb63492a7de5dda5f62544b3a1653219a9ab211a16601f5ad3849064171a9dca1c74052f9defaf323c9a139e982f2f6cce8071188fb", @ANYRES32=r8, @ANYBLOB="0000000000000000090000000b000100666c6f77657200000c0002000400548004005580"], 0x3c}}, 0x0) 07:11:17 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x18}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1125.148715][T24836] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1125.180514][T24836] ref_ctr decrement failed for inode: 0x4426 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e 07:11:17 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x7}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:17 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38d60, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:17 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:17 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3e00, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:17 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xe1000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1125.434964][T24858] netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. 07:11:17 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x48}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:17 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5000000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1125.537302][T24868] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1125.573065][T24868] ref_ctr decrement failed for inode: 0x42d2 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e [ 1125.631120][T24868] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:17 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x4c}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1125.694617][T24868] ref_ctr decrement failed for inode: 0x42d2 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e 07:11:17 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xc9000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:17 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) r1 = creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r2 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r2, 0x804) syz_genetlink_get_family_id$nl80211(&(0x7f0000000040)='nl80211\x00') r3 = socket$nl_generic(0x10, 0x3, 0x10) r4 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(r3, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r4, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r4, 0xab9535e9a6578fbd, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0xc}, @NL80211_ATTR_IFINDEX={0x8}]}, 0x28}}, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) r6 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r7 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r7, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r7, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r6, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000300)=ANY=[@ANYPTR64=&(0x7f0000000a80)=ANY=[@ANYRESDEC=r5, @ANYRESHEX, @ANYRESDEC=0x0, @ANYRESDEC, @ANYRES32=r5, @ANYBLOB="7a855639a4ed0438d5c1aa45d0ff8734f404407a5fcc97b92679a23a075255654ea836741eb40515b92665593f3f8a7a2dfee08d86d8626cdb266ca6afbbc4d2bce28b481072ba280488a6ebbd1b821304b756f2947a61", @ANYRES32, @ANYPTR64=&(0x7f0000000940)=ANY=[@ANYPTR64, @ANYPTR64, @ANYRESOCT=r7, @ANYPTR64, @ANYBLOB="f3292d129eb7d1c11a6d1a2441d895dc94e08990c51dad99f18965c9e5210028cf9f9a7499bceb8f83b1e4fa40aca9ba8547b613a7b16e35ecd2f1b67ecb90c2c261be87e9222c91408964181b30ee750c2c151de662ee0638954a6d0127eb63cea556cc7b53c88fd6498af39aad3ceb3df66dce2a028ed231e3d6c2092fc92557e531fb6bed6fdf7c1bc511f4f2464f910a31b27090039b0a41e14643ae3efa8447946b218bbeef97e151b0c865f41d59796df7ab690af3e70fd9e5c37bf5c3b411562a50689e50913f559f3f1e484f887c68c87799cf6dc70a7c8e64fcdc2e6c18a56dc685cd4d9e", @ANYPTR64, @ANYRESOCT=r1], @ANYRESOCT, @ANYBLOB="3332e294b20d1527da2a9fdedc71a864141bfaba3ad02e9aeaa779fb0c7d02322599f7f766d8212486c13544a0cd44d879025cbeeaa8f31a986850f87f6a6a843203e3c7dc68611c7fcc6677654044b5e4e507f54eee85de1312750b27383b90b9ce888f9536b7061f234ebd865254c8c357ff77e7b462a432"], @ANYRES32=r8, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x3}}, 0x0) sendmsg$nl_route_sched(r5, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB="3c0000002c00270d002506cbfc34a1de571d2000", @ANYRES32=r8, @ANYBLOB="0000000000000000090000000b000100666c6f77657200000c0002000400548004005580"], 0x3c}}, 0x0) 07:11:17 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xe2000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:17 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0ffff}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:17 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x68}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1125.932949][ T27] audit: type=1804 audit(1586329877.782:1409): pid=24888 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1804/bus" dev="sda1" ino=17464 res=1 07:11:17 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38db8, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:17 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3f00, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:18 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x6c}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:18 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1126.186327][T24899] netlink: 20 bytes leftover after parsing attributes in process `syz-executor.4'. 07:11:18 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xe3000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1126.266477][T24920] netlink: 20 bytes leftover after parsing attributes in process `syz-executor.4'. 07:11:18 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x74}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1126.311024][ T27] audit: type=1804 audit(1586329878.162:1410): pid=24915 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1805/bus" dev="sda1" ino=17465 res=1 07:11:18 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4000}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:18 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4000, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:18 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYRES32], 0x3}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1126.364982][T24917] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1126.381170][T24917] ref_ctr decrement failed for inode: 0x4428 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de [ 1126.427310][T24917] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1126.453603][T24917] ref_ctr decrement failed for inode: 0x4428 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de [ 1126.570049][T24941] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1126.582915][T24941] ref_ctr decrement failed for inode: 0x4428 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de 07:11:18 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x7a}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:18 executing program 3: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) r1 = creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r2 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r2, 0x804) syz_genetlink_get_family_id$nl80211(&(0x7f0000000040)='nl80211\x00') r3 = socket$nl_generic(0x10, 0x3, 0x10) r4 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(r3, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r4, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r4, 0xab9535e9a6578fbd, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0xc}, @NL80211_ATTR_IFINDEX={0x8}]}, 0x28}}, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) r6 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r7 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r7, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r7, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r6, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000300)=ANY=[@ANYPTR64=&(0x7f0000000a80)=ANY=[@ANYRESDEC=r5, @ANYRESHEX, @ANYRESDEC=0x0, @ANYRESDEC, @ANYRES32=r5, @ANYBLOB="7a855639a4ed0438d5c1aa45d0ff8734f404407a5fcc97b92679a23a075255654ea836741eb40515b92665593f3f8a7a2dfee08d86d8626cdb266ca6afbbc4d2bce28b481072ba280488a6ebbd1b821304b756f2947a61", @ANYRES32, @ANYPTR64=&(0x7f0000000940)=ANY=[@ANYPTR64, @ANYPTR64, @ANYRESOCT=r7, @ANYPTR64, @ANYBLOB="f3292d129eb7d1c11a6d1a2441d895dc94e08990c51dad99f18965c9e5210028cf9f9a7499bceb8f83b1e4fa40aca9ba8547b613a7b16e35ecd2f1b67ecb90c2c261be87e9222c91408964181b30ee750c2c151de662ee0638954a6d0127eb63cea556cc7b53c88fd6498af39aad3ceb3df66dce2a028ed231e3d6c2092fc92557e531fb6bed6fdf7c1bc511f4f2464f910a31b27090039b0a41e14643ae3efa8447946b218bbeef97e151b0c865f41d59796df7ab690af3e70fd9e5c37bf5c3b411562a50689e50913f559f3f1e484f887c68c87799cf6dc70a7c8e64fcdc2e6c18a56dc685cd4d9e", @ANYPTR64, @ANYRESOCT=r1], @ANYRESOCT, @ANYBLOB="3332e294b20d1527da2a9fdedc71a864141bfaba3ad02e9aeaa779fb0c7d02322599f7f766d8212486c13544a0cd44d879025cbeeaa8f31a986850f87f6a6a843203e3c7dc68611c7fcc6677654044b5e4e507f54eee85de1312750b27383b90b9ce888f9536b7061f234ebd865254c8c357ff77e7b462a432"], @ANYRES32=r8, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x3}}, 0x0) sendmsg$nl_route_sched(r5, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=ANY=[@ANYBLOB="3c0000002c00270d002506cbfc34a1de571d2000", @ANYRES32=r8, @ANYBLOB="0000000000000000090000000b000100666c6f77657200000c0002000400548004005580"], 0x3c}}, 0x0) 07:11:18 executing program 4: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) getresuid(&(0x7f0000000380), &(0x7f0000000400), &(0x7f0000000740)=0x0) syz_mount_image$tmpfs(&(0x7f0000000040)='tmpfs\x00', &(0x7f00000000c0)='./file0\x00', 0x4, 0x4, &(0x7f00000006c0)=[{&(0x7f0000000300)="8df8940678263130eac51ba122f0a5b377f85318420c3078", 0x18, 0x1dd17123}, {&(0x7f0000000340)="c6a0c4ff94fd79e3ed41527c06896125c97ec406f8b6bdf0ba1ebd74e20bf5e608ba5470c4ae3a091eec622073023893a4", 0x31, 0x100}, {&(0x7f0000000580)="c6a7cde961ba4901e38629d78c31a5a3d0f1d70a82ce0d15c5a9abf6ab353d255338e779d0d20392a743991be9eafd455028b7164f1362141326bed044ec02308e5c75a4ff02f023f38ded2ee38b7ce11976191ccddab811dd6423c96e932cca65d64ab24a1e64f3f93e6d15ffdf71e23ccb68e6d5fb4c5142a034ef7b51afa13f767812960d41187d9d35fa3db89621c1804e2f85b5a0bbf67a7b9999428eee33fe237ec634f34140baa4df23da32378a11ec42925ba412805a4e5d1e47ec4acb7f4da3797c113a276515a44965a8561afa74cc5f9533ff75d4d5ab88b109aec00f5f88e21a987003", 0xe9, 0x8}, {&(0x7f0000000480)="9cd9a82f832e6eabe10ba38ceb67092942a14f49a416359939ec7cdddc78e5c5e732a5a0b8fc98567b10b173023ab89235494592a1c00838ded5f680869616e7fe52db04cfaedddb0bfcfd38b48617f3f3bfe746560f54e1b38fa14393a1feb4f0795668e5246f912df4fbe071189dca33026ad5ed4611f723bf5efeca5bd9", 0x7f, 0x1}], 0x80000, &(0x7f0000000780)={[{@huge_never={'huge=never', 0x3d, 'vfat\x00'}}, {@mpol={'mpol', 0x3d, {'local', '=static', @val={0x3a, [0x32, 0x2c, 0x32, 0x2d]}}}}, {@size={'size', 0x3d, [0x32, 0x25, 0x36, 0x32]}}, {@nr_blocks={'nr_blocks', 0x3d, [0x25, 0x67, 0x70, 0x36, 0x18, 0x78]}}, {@size={'size', 0x3d, [0x25, 0x33, 0x31]}}, {@nr_blocks={'nr_blocks', 0x3d, [0x0, 0x38, 0x78, 0x28, 0x37, 0x36, 0x36, 0x33]}}], [{@seclabel='seclabel'}, {@dont_hash='dont_hash'}, {@fsmagic={'fsmagic', 0x3d, 0xfff}}, {@euid_lt={'euid<', r1}}]}) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r2 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r2, 0x804) r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r3, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r6 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r5, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r7, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r4, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1126.689981][ T27] audit: type=1804 audit(1586329878.542:1411): pid=24937 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1806/bus" dev="sda1" ino=17454 res=1 07:11:18 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:18 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xe4000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:18 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0xb5}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:18 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4401, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1126.916561][T24953] netlink: 20 bytes leftover after parsing attributes in process `syz-executor.3'. 07:11:18 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0xec}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:18 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1127.061076][ T21] attempt to access beyond end of device [ 1127.069088][ T21] loop3: rw=1, want=78, limit=63 [ 1127.079590][ T21] Buffer I/O error on dev loop3, logical block 77, lost async page write 07:11:18 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0xf0}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1127.101275][ T27] audit: type=1804 audit(1586329878.952:1412): pid=24965 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1807/bus" dev="sda1" ino=17436 res=1 [ 1127.187307][T24979] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:19 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4403, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1127.230795][T24979] ref_ctr decrement failed for inode: 0x4439 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e [ 1127.256853][T24979] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:19 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:19 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xe5000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:19 executing program 4: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb9010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:19 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x300}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1127.304379][T24979] ref_ctr decrement failed for inode: 0x4439 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e [ 1127.514307][ T27] audit: type=1804 audit(1586329879.362:1413): pid=24991 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1808/bus" dev="sda1" ino=17105 res=1 07:11:19 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x100000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:19 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xb9010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:19 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x500}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:19 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4700, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:19 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xe6000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:19 executing program 4: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x170, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:19 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x600}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:19 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x500}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:19 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x700}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1127.872679][ T27] audit: type=1804 audit(1586329879.722:1414): pid=25014 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1809/bus" dev="sda1" ino=17453 res=1 07:11:19 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4801, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1127.928073][T25016] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1127.956966][T25016] ref_ctr decrement failed for inode: 0x42d3 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e 07:11:19 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0xa00}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1127.999785][T25016] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1128.026527][T25016] ref_ctr decrement failed for inode: 0x42d3 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e 07:11:19 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xae000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:20 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1000000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:20 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xe7000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:20 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0xc00}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:20 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000100)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f00000006c0)=@newtfilter={0x2ac, 0x2c, 0xd27, 0x0, 0x25dfdbfd, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_route={{0xa, 0x1, 'route\x00'}, {0x27c, 0x2, [@TCA_ROUTE4_TO={0x8, 0x2, 0x64}, @TCA_ROUTE4_FROM={0x8, 0x3, 0x93}, @TCA_ROUTE4_FROM={0x8, 0x3, 0xbb}, @TCA_ROUTE4_ACT={0x248, 0x6, [@m_mpls={0xb8, 0x5, 0x0, 0x0, {{0x9, 0x1, 'mpls\x00'}, {0xc, 0x2, 0x0, 0x1, [@TCA_MPLS_LABEL={0x8, 0x5, 0x14b05}]}, {0x9b, 0x6, "e3c481941badc29b081a19042ed161d994ae7bfe108804aec25dbe3f26a0bbd85db58019759ebefff6f210dbac58a6076ec3847cfa88039816523200d3c4994ac24c97e1afec0aa351c67c643e2e71fc320d923346ba343897a4fad97cb299f7f8955a93c828e0edc43794489087c6eeb0498140334fae17d19877f3e27d53771aec1884f5191eee169ce4c1335fa9502128be05074eac"}}}, @m_nat={0x40, 0xb, 0x0, 0x0, {{0x8, 0x1, 'nat\x00'}, {0x2c, 0x2, 0x0, 0x1, [@TCA_NAT_PARMS={0x28, 0x1, {{0x9, 0x1, 0xd, 0x700000, 0x5}, @empty, @multicast1, 0xffffff00, 0x1}}]}, {0x8, 0x6, "f6b60b68"}}}, @m_ipt={0xb4, 0x0, 0x0, 0x0, {{0x8, 0x1, 'ipt\x00'}, {0x4c, 0x2, 0x0, 0x1, [@TCA_IPT_TABLE={0x24, 0x1, 'security\x00'}, @TCA_IPT_TABLE={0x24, 0x1, 'nat\x00'}]}, {0x5c, 0x6, "6f3b6bb92067c9590dbe2d259b28761eb2aca49b8d02a812c8dfe93d793a846a397bcb9e0ffb75783cda9210155167f62a9654f63c18570fc0998ead0fd5e64068e12d2d732326fbc678b01c74756aba1e5d0182fd550eca"}}}, @m_ipt={0x98, 0xf, 0x0, 0x0, {{0x8, 0x1, 'ipt\x00'}, {0x54, 0x2, 0x0, 0x1, [@TCA_IPT_TABLE={0x24, 0x1, 'filter\x00'}, @TCA_IPT_HOOK={0x8, 0x2, 0x2}, @TCA_IPT_TABLE={0x24, 0x1, 'mangle\x00'}]}, {0x37, 0x6, "3e38b307110547bcd981b73a12c07324ca59189f86a640d79cf664d5ac6b1c96533ca8e50d0164a795913bf458e2bb8e5e0f9d"}}}]}, @TCA_ROUTE4_FROM={0x8, 0x3, 0xb8}, @TCA_ROUTE4_CLASSID={0x8, 0x1, {0x8, 0xffe0}}, @TCA_ROUTE4_IIF={0x8}]}}]}, 0x2ac}}, 0x0) 07:11:20 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xad000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:20 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4901, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:20 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x1800}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:20 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x2000}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1128.564020][T25056] attempt to access beyond end of device [ 1128.570885][T25056] loop4: rw=2049, want=78, limit=63 [ 1128.588475][T25056] Buffer I/O error on dev loop4, logical block 77, lost async page write 07:11:20 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xac010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:20 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x4000}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1128.627720][T25066] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1128.634741][ T27] audit: type=1804 audit(1586329880.482:1415): pid=25063 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1811/bus" dev="sda1" ino=17442 res=1 [ 1128.642582][T25066] ref_ctr decrement failed for inode: 0x443c offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e 07:11:20 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000100)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f00000006c0)=@newtfilter={0x2ac, 0x2c, 0xd27, 0x0, 0x25dfdbfd, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_route={{0xa, 0x1, 'route\x00'}, {0x27c, 0x2, [@TCA_ROUTE4_TO={0x8, 0x2, 0x64}, @TCA_ROUTE4_FROM={0x8, 0x3, 0x93}, @TCA_ROUTE4_FROM={0x8, 0x3, 0xbb}, @TCA_ROUTE4_ACT={0x248, 0x6, [@m_mpls={0xb8, 0x5, 0x0, 0x0, {{0x9, 0x1, 'mpls\x00'}, {0xc, 0x2, 0x0, 0x1, [@TCA_MPLS_LABEL={0x8, 0x5, 0x14b05}]}, {0x9b, 0x6, "e3c481941badc29b081a19042ed161d994ae7bfe108804aec25dbe3f26a0bbd85db58019759ebefff6f210dbac58a6076ec3847cfa88039816523200d3c4994ac24c97e1afec0aa351c67c643e2e71fc320d923346ba343897a4fad97cb299f7f8955a93c828e0edc43794489087c6eeb0498140334fae17d19877f3e27d53771aec1884f5191eee169ce4c1335fa9502128be05074eac"}}}, @m_nat={0x40, 0xb, 0x0, 0x0, {{0x8, 0x1, 'nat\x00'}, {0x2c, 0x2, 0x0, 0x1, [@TCA_NAT_PARMS={0x28, 0x1, {{0x9, 0x1, 0xd, 0x700000, 0x5}, @empty, @multicast1, 0xffffff00, 0x1}}]}, {0x8, 0x6, "f6b60b68"}}}, @m_ipt={0xb4, 0x0, 0x0, 0x0, {{0x8, 0x1, 'ipt\x00'}, {0x4c, 0x2, 0x0, 0x1, [@TCA_IPT_TABLE={0x24, 0x1, 'security\x00'}, @TCA_IPT_TABLE={0x24, 0x1, 'nat\x00'}]}, {0x5c, 0x6, "6f3b6bb92067c9590dbe2d259b28761eb2aca49b8d02a812c8dfe93d793a846a397bcb9e0ffb75783cda9210155167f62a9654f63c18570fc0998ead0fd5e64068e12d2d732326fbc678b01c74756aba1e5d0182fd550eca"}}}, @m_ipt={0x98, 0xf, 0x0, 0x0, {{0x8, 0x1, 'ipt\x00'}, {0x54, 0x2, 0x0, 0x1, [@TCA_IPT_TABLE={0x24, 0x1, 'filter\x00'}, @TCA_IPT_HOOK={0x8, 0x2, 0x2}, @TCA_IPT_TABLE={0x24, 0x1, 'mangle\x00'}]}, {0x37, 0x6, "3e38b307110547bcd981b73a12c07324ca59189f86a640d79cf664d5ac6b1c96533ca8e50d0164a795913bf458e2bb8e5e0f9d"}}}]}, @TCA_ROUTE4_FROM={0x8, 0x3, 0xb8}, @TCA_ROUTE4_CLASSID={0x8, 0x1, {0x8, 0xffe0}}, @TCA_ROUTE4_IIF={0x8}]}}]}, 0x2ac}}, 0x0) 07:11:20 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c02, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1128.740472][T25066] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1128.769859][T25066] ref_ctr decrement failed for inode: 0x443c offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e 07:11:20 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:20 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0x87000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:20 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xe8000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:20 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x4800}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:20 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c03, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:20 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x4c00}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1129.084693][T25085] attempt to access beyond end of device [ 1129.099799][T25085] loop4: rw=2049, want=78, limit=63 [ 1129.109950][T25085] Buffer I/O error on dev loop4, logical block 77, lost async page write 07:11:21 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x6800}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:21 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000100)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f00000006c0)=@newtfilter={0x2ac, 0x2c, 0xd27, 0x0, 0x25dfdbfd, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_route={{0xa, 0x1, 'route\x00'}, {0x27c, 0x2, [@TCA_ROUTE4_TO={0x8, 0x2, 0x64}, @TCA_ROUTE4_FROM={0x8, 0x3, 0x93}, @TCA_ROUTE4_FROM={0x8, 0x3, 0xbb}, @TCA_ROUTE4_ACT={0x248, 0x6, [@m_mpls={0xb8, 0x5, 0x0, 0x0, {{0x9, 0x1, 'mpls\x00'}, {0xc, 0x2, 0x0, 0x1, [@TCA_MPLS_LABEL={0x8, 0x5, 0x14b05}]}, {0x9b, 0x6, "e3c481941badc29b081a19042ed161d994ae7bfe108804aec25dbe3f26a0bbd85db58019759ebefff6f210dbac58a6076ec3847cfa88039816523200d3c4994ac24c97e1afec0aa351c67c643e2e71fc320d923346ba343897a4fad97cb299f7f8955a93c828e0edc43794489087c6eeb0498140334fae17d19877f3e27d53771aec1884f5191eee169ce4c1335fa9502128be05074eac"}}}, @m_nat={0x40, 0xb, 0x0, 0x0, {{0x8, 0x1, 'nat\x00'}, {0x2c, 0x2, 0x0, 0x1, [@TCA_NAT_PARMS={0x28, 0x1, {{0x9, 0x1, 0xd, 0x700000, 0x5}, @empty, @multicast1, 0xffffff00, 0x1}}]}, {0x8, 0x6, "f6b60b68"}}}, @m_ipt={0xb4, 0x0, 0x0, 0x0, {{0x8, 0x1, 'ipt\x00'}, {0x4c, 0x2, 0x0, 0x1, [@TCA_IPT_TABLE={0x24, 0x1, 'security\x00'}, @TCA_IPT_TABLE={0x24, 0x1, 'nat\x00'}]}, {0x5c, 0x6, "6f3b6bb92067c9590dbe2d259b28761eb2aca49b8d02a812c8dfe93d793a846a397bcb9e0ffb75783cda9210155167f62a9654f63c18570fc0998ead0fd5e64068e12d2d732326fbc678b01c74756aba1e5d0182fd550eca"}}}, @m_ipt={0x98, 0xf, 0x0, 0x0, {{0x8, 0x1, 'ipt\x00'}, {0x54, 0x2, 0x0, 0x1, [@TCA_IPT_TABLE={0x24, 0x1, 'filter\x00'}, @TCA_IPT_HOOK={0x8, 0x2, 0x2}, @TCA_IPT_TABLE={0x24, 0x1, 'mangle\x00'}]}, {0x37, 0x6, "3e38b307110547bcd981b73a12c07324ca59189f86a640d79cf664d5ac6b1c96533ca8e50d0164a795913bf458e2bb8e5e0f9d"}}}]}, @TCA_ROUTE4_FROM={0x8, 0x3, 0xb8}, @TCA_ROUTE4_CLASSID={0x8, 0x1, {0x8, 0xffe0}}, @TCA_ROUTE4_IIF={0x8}]}}]}, 0x2ac}}, 0x0) 07:11:21 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4e01, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1129.267590][T25109] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1129.282382][ T27] kauditd_printk_skb: 1 callbacks suppressed [ 1129.282402][ T27] audit: type=1804 audit(1586329881.132:1417): pid=25096 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1813/bus" dev="sda1" ino=17459 res=1 07:11:21 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xe9000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:21 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x4000}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1129.327647][T25109] ref_ctr decrement failed for inode: 0x4254 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e [ 1129.351544][T25109] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1129.370912][T25109] ref_ctr decrement failed for inode: 0x4254 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e [ 1129.487360][T25109] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:21 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x6c00}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1129.527686][T25109] ref_ctr decrement failed for inode: 0x4254 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e [ 1129.610080][T25121] attempt to access beyond end of device [ 1129.630807][T25121] loop4: rw=2049, want=78, limit=63 [ 1129.669796][T25121] Buffer I/O error on dev loop4, logical block 77, lost async page write [ 1129.724713][ T27] audit: type=1804 audit(1586329881.572:1418): pid=25122 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1814/bus" dev="sda1" ino=17459 res=1 07:11:21 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3000000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:21 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x7400}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:21 executing program 3: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffff5, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:21 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4e02, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:21 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xea000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:21 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r4 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r4, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r4, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000100)=0x14) sendmsg$nl_route_sched(r3, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r5, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) 07:11:21 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x7a00}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1129.951738][T25138] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1129.984367][T25138] ref_ctr decrement failed for inode: 0x4251 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000da850e0e 07:11:21 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0xb500}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1130.019871][T25138] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1130.037212][T25138] ref_ctr decrement failed for inode: 0x4251 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000da850e0e [ 1130.053514][T25151] attempt to access beyond end of device [ 1130.062133][T25151] loop4: rw=2049, want=78, limit=63 [ 1130.067483][T25151] Buffer I/O error on dev loop4, logical block 77, lost async page write 07:11:21 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r4 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r4, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r4, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000100)=0x14) sendmsg$nl_route_sched(r3, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r5, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) 07:11:22 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xeb000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:22 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0x84000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:22 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0xec00}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1130.211550][ T27] audit: type=1804 audit(1586329882.062:1419): pid=25147 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1815/bus" dev="sda1" ino=17448 res=1 [ 1130.221260][T25157] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1130.258967][T25157] ref_ctr decrement failed for inode: 0x4432 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e [ 1130.303708][T25157] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1130.337246][T25157] ref_ctr decrement failed for inode: 0x4432 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e [ 1130.385017][T25168] attempt to access beyond end of device [ 1130.399395][T25168] loop4: rw=2049, want=78, limit=63 [ 1130.418624][T25168] Buffer I/O error on dev loop4, logical block 77, lost async page write [ 1130.487360][T25179] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1130.501002][T25179] ref_ctr decrement failed for inode: 0x4432 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000028c9181e 07:11:22 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0xf000}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:22 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5202, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:22 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r4 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r4, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r4, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000100)=0x14) sendmsg$nl_route_sched(r3, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r5, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) 07:11:22 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xec000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:22 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4000000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:22 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x14, 0x6, &(0x7f0000000040)=@framed={{}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:22 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0xff00}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:22 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0x80010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1130.771780][T25192] attempt to access beyond end of device [ 1130.782601][T25192] loop4: rw=2049, want=78, limit=63 [ 1130.795577][T25192] Buffer I/O error on dev loop4, logical block 77, lost async page write [ 1130.850181][T25202] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1130.878461][T25202] ref_ctr decrement failed for inode: 0x4443 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de [ 1130.890540][ T27] audit: type=1804 audit(1586329882.742:1420): pid=25191 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1816/bus" dev="sda1" ino=17448 res=1 [ 1130.937266][T25202] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:22 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r4 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r4, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r4, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000100)=0x14) sendmsg$nl_route_sched(r3, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r5, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) [ 1130.945381][T25202] ref_ctr decrement failed for inode: 0x4443 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de 07:11:22 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5900, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:22 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xed000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:22 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0xffff}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:22 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0x7f000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1131.150031][T25202] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:23 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1131.203868][T25202] ref_ctr decrement failed for inode: 0x4443 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de 07:11:23 executing program 3: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf4000000, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:23 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xee000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:23 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5000000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:23 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r4 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r4, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r4, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000100)=0x14) sendmsg$nl_route_sched(r3, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r5, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) 07:11:23 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x2}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:23 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5902, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1131.410629][ T27] audit: type=1804 audit(1586329883.262:1421): pid=25221 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1817/bus" dev="sda1" ino=17482 res=1 07:11:23 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x3}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1131.718930][T25254] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1131.737691][T25254] ref_ctr decrement failed for inode: 0x4447 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de [ 1131.748952][T25254] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1131.760841][T25251] attempt to access beyond end of device 07:11:23 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xef000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:23 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x4}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:23 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000100)=0x14) [ 1131.761289][T25254] ref_ctr decrement failed for inode: 0x4447 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de [ 1131.776491][T25251] loop4: rw=2049, want=78, limit=63 [ 1131.791335][T25251] Buffer I/O error on dev loop4, logical block 77, lost async page write [ 1131.851915][T25255] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1131.866172][T25255] ref_ctr decrement failed for inode: 0x4440 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c0f70d04 07:11:23 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xf0000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:23 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x5}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1131.940561][T25255] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1131.960834][T25255] ref_ctr decrement failed for inode: 0x4440 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c0f70d04 [ 1132.103968][T25271] attempt to access beyond end of device [ 1132.114012][ T27] audit: type=1804 audit(1586329883.962:1422): pid=25250 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1818/bus" dev="sda1" ino=17483 res=1 07:11:24 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x4}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:24 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x6}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1132.162876][T25271] loop4: rw=2049, want=78, limit=63 [ 1132.168371][T25271] Buffer I/O error on dev loop4, logical block 77, lost async page write 07:11:24 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6203, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:24 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6000000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:24 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x7}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:24 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xf0ffffff, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:24 executing program 3: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x81000000) 07:11:24 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) 07:11:24 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0xa}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1132.509886][T25298] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1132.517976][ T27] audit: type=1804 audit(1586329884.362:1423): pid=25292 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1819/bus" dev="sda1" ino=17458 res=1 [ 1132.552941][T25298] ref_ctr decrement failed for inode: 0x4447 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 [ 1132.600768][T25298] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1132.631883][T25298] ref_ctr decrement failed for inode: 0x4447 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:11:24 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0xc}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:24 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6400, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1132.651641][T25308] attempt to access beyond end of device [ 1132.668917][T25308] loop4: rw=2049, want=78, limit=63 [ 1132.681853][T25308] Buffer I/O error on dev loop4, logical block 77, lost async page write 07:11:24 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000180)=[@textreal={0x8, &(0x7f0000000280)="baf80c432c9187f01766efbafc0cb8bd00ef0f320f624e10bad104ec26660ff85f50361b0f20c0663502000080f26eb800088ec00fae470b", 0x39}], 0x32, 0x51, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) r4 = dup(r3) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x0) sendmsg$IPSET_CMD_HEADER(r4, &(0x7f0000000100)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000080)={&(0x7f0000000040)={0x1c, 0xc, 0x6, 0x201, 0x0, 0x0, {0x2, 0x0, 0x4}, [@IPSET_ATTR_PROTOCOL={0x5}]}, 0x1c}, 0x1, 0x0, 0x0, 0x44895}, 0x4000) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 07:11:24 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xf1000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1132.787452][ T2524] attempt to access beyond end of device [ 1132.793637][ T2524] loop3: rw=1, want=78, limit=63 07:11:24 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) socket(0x10, 0x803, 0x0) 07:11:24 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6c02, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1132.830356][ T27] audit: type=1804 audit(1586329884.682:1424): pid=25315 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1820/bus" dev="sda1" ino=16978 res=1 [ 1132.867202][ T2524] Buffer I/O error on dev loop3, logical block 77, lost async page write 07:11:24 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7000000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:24 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x10}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:24 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xf2000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:25 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x18}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1133.138382][T25334] attempt to access beyond end of device [ 1133.149277][T25334] loop4: rw=2049, want=78, limit=63 [ 1133.210961][ T27] audit: type=1804 audit(1586329885.062:1425): pid=25331 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1821/bus" dev="sda1" ino=17477 res=1 07:11:25 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) 07:11:25 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xf3000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1133.275763][T25338] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:25 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6d03, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:25 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x48}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1133.351899][T25338] ref_ctr decrement failed for inode: 0x4451 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:11:25 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8000000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:25 executing program 3: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) socket(0x10, 0x803, 0x0) 07:11:25 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x4c}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1133.679528][T25367] attempt to access beyond end of device [ 1133.685323][T25367] loop3: rw=2049, want=78, limit=63 [ 1133.690780][T25367] buffer_io_error: 1 callbacks suppressed [ 1133.690793][T25367] Buffer I/O error on dev loop3, logical block 77, lost async page write 07:11:25 executing program 3: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) socket(0x10, 0x803, 0x0) 07:11:25 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) 07:11:25 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x68}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:25 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xf4000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:25 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6e02, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1133.837435][T25372] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1133.849943][T25372] ref_ctr decrement failed for inode: 0x445a offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 [ 1133.863039][T25372] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1133.873475][T25372] ref_ctr decrement failed for inode: 0x445a offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:11:25 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x6c}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1134.009597][T25384] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1134.027377][T25384] ref_ctr decrement failed for inode: 0x445a offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:11:26 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x74}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:26 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xf5000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1134.173038][T25390] attempt to access beyond end of device [ 1134.226181][ T27] audit: type=1804 audit(1586329886.072:1426): pid=25381 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1823/bus" dev="sda1" ino=17457 res=1 [ 1134.230154][T25387] attempt to access beyond end of device 07:11:26 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x7a}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1134.286176][T25390] loop4: rw=2049, want=78, limit=63 [ 1134.304046][T25387] loop3: rw=2049, want=78, limit=63 [ 1134.324016][T25390] Buffer I/O error on dev loop4, logical block 77, lost async page write 07:11:26 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa000000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1134.327109][T25387] Buffer I/O error on dev loop3, logical block 77, lost async page write 07:11:26 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7001, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:26 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0xb5}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:26 executing program 3: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x13000000) 07:11:26 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) 07:11:26 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xf5ffffff, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:26 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0xec}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1134.557312][T25414] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1134.567614][T25414] ref_ctr decrement failed for inode: 0x4251 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000038fbdc3b [ 1134.586184][T25414] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1134.606659][T25414] ref_ctr decrement failed for inode: 0x4251 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000038fbdc3b [ 1134.719911][T25423] attempt to access beyond end of device [ 1134.725739][T25423] loop4: rw=2049, want=78, limit=63 [ 1134.731561][T25423] Buffer I/O error on dev loop4, logical block 77, lost async page write 07:11:26 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) [ 1134.772587][ T27] audit: type=1804 audit(1586329886.622:1427): pid=25417 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1824/bus" dev="sda1" ino=17480 res=1 07:11:26 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7003, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:26 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0xf0}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:26 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc000000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:26 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xf6000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:26 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x300}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1135.110727][T25446] attempt to access beyond end of device [ 1135.116402][T25446] loop4: rw=2049, want=78, limit=63 [ 1135.128771][T25446] Buffer I/O error on dev loop4, logical block 77, lost async page write 07:11:27 executing program 3: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) [ 1135.150266][ T27] audit: type=1804 audit(1586329887.002:1428): pid=25449 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1825/bus" dev="sda1" ino=17483 res=1 07:11:27 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7203, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1135.234292][ T21] attempt to access beyond end of device [ 1135.246381][ T21] loop3: rw=1, want=78, limit=63 07:11:27 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x500}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:27 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) [ 1135.281870][ T21] Buffer I/O error on dev loop3, logical block 77, lost async page write [ 1135.347658][T25465] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1135.358845][T25465] ref_ctr decrement failed for inode: 0x4454 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:11:27 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xf7000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1135.396397][T25465] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1135.414761][T25465] ref_ctr decrement failed for inode: 0x4454 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 07:11:27 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x600}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1135.614696][ T27] audit: type=1804 audit(1586329887.462:1429): pid=25466 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1826/bus" dev="sda1" ino=17472 res=1 07:11:27 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7800, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:27 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe000000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1135.713571][T25480] attempt to access beyond end of device [ 1135.722114][T25475] attempt to access beyond end of device [ 1135.730555][T25480] loop4: rw=2049, want=78, limit=63 [ 1135.735915][T25480] Buffer I/O error on dev loop4, logical block 77, lost async page write [ 1135.750955][T25475] loop3: rw=2049, want=78, limit=63 07:11:27 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x700}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1135.756693][T25475] Buffer I/O error on dev loop3, logical block 77, lost async page write 07:11:27 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') 07:11:27 executing program 3: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe88c0300, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:27 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xf8000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1135.885956][ T27] audit: type=1804 audit(1586329887.732:1430): pid=25489 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1827/bus" dev="sda1" ino=16979 res=1 07:11:27 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0xa00}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:27 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8002, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:27 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0xc00}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1136.058548][T25495] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1136.100231][T25495] ref_ctr decrement failed for inode: 0x4445 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de 07:11:28 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') [ 1136.152353][T25495] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1136.166400][T25495] ref_ctr decrement failed for inode: 0x4445 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000a9f0b0de 07:11:28 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x1800}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1136.290125][T25504] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1136.302718][T25504] ref_ctr decrement failed for inode: 0x4447 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000b6fddbdf [ 1136.325771][T25504] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:28 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xf9000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1136.335168][T25504] ref_ctr decrement failed for inode: 0x4447 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000b6fddbdf 07:11:28 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x2000}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1136.469376][T25527] attempt to access beyond end of device [ 1136.484122][T25527] loop4: rw=2049, want=78, limit=63 [ 1136.496874][T25527] Buffer I/O error on dev loop4, logical block 77, lost async page write 07:11:28 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe020000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:28 executing program 3: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe88c0300, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:28 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) [ 1136.600546][ T27] audit: type=1804 audit(1586329888.452:1431): pid=25516 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1828/bus" dev="sda1" ino=16524 res=1 07:11:28 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8403, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:28 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x4000}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:28 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x4800}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1136.822906][T25547] attempt to access beyond end of device [ 1136.845777][T25547] loop4: rw=2049, want=78, limit=63 [ 1136.873630][T25547] Buffer I/O error on dev loop4, logical block 77, lost async page write [ 1136.895562][T25542] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:28 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xfa000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1136.899464][ T27] audit: type=1804 audit(1586329888.742:1432): pid=25553 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1829/bus" dev="sda1" ino=17505 res=1 [ 1136.923396][T25542] ref_ctr decrement failed for inode: 0x4442 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000b6fddbdf 07:11:28 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8600, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:28 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) ftruncate(0xffffffffffffffff, 0x804) 07:11:28 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x4c00}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1136.965367][T25542] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1136.992480][T25542] ref_ctr decrement failed for inode: 0x4442 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000b6fddbdf [ 1137.080300][T25552] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:29 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x6800}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1137.121944][T25552] ref_ctr decrement failed for inode: 0x4460 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 [ 1137.153893][T25552] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:29 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x4000}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1137.165687][T25552] ref_ctr decrement failed for inode: 0x4460 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000c6026093 [ 1137.341701][ T27] audit: type=1804 audit(1586329889.192:1433): pid=25566 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1830/bus" dev="sda1" ino=17501 res=1 07:11:29 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:29 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xfb000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:29 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x6c00}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:29 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8601, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:29 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) ftruncate(0xffffffffffffffff, 0x804) 07:11:29 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x3, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:29 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x7400}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:29 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) ftruncate(0xffffffffffffffff, 0x804) [ 1137.628996][T25603] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1137.637058][T25603] ref_ctr decrement failed for inode: 0x445d offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000038fbdc3b [ 1137.648885][T25603] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1137.657128][T25603] ref_ctr decrement failed for inode: 0x445d offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x0000000038fbdc3b 07:11:29 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x6c00}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1137.702748][ T27] audit: type=1804 audit(1586329889.552:1434): pid=25586 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1831/bus" dev="sda1" ino=16978 res=1 07:11:29 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xfc000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:29 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8800, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:29 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x7a00}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:29 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x14000000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:29 executing program 3: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x11000000) 07:11:29 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0xb500}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:29 executing program 3: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1138.084965][ T21] attempt to access beyond end of device [ 1138.092611][ T21] loop3: rw=1, want=78, limit=63 07:11:30 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8803, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:30 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) [ 1138.111529][ T27] audit: type=1804 audit(1586329889.962:1435): pid=25624 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1832/bus" dev="sda1" ino=16705 res=1 07:11:30 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0xec00}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1138.264145][T25636] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1138.277240][T25636] ref_ctr decrement failed for inode: 0x4191 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000bcf7ed9f 07:11:30 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0xf000}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1138.311420][T25636] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1138.340904][T25636] ref_ctr decrement failed for inode: 0x4191 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000bcf7ed9f 07:11:30 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xfcffffff, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:30 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0xff00}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1138.449698][T25646] attempt to access beyond end of device [ 1138.473657][T25646] loop4: rw=2049, want=78, limit=63 [ 1138.487736][T25644] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1138.504216][ T27] audit: type=1804 audit(1586329890.352:1436): pid=25641 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1833/bus" dev="sda1" ino=16577 res=1 [ 1138.513058][T25644] ref_ctr decrement failed for inode: 0x4111 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000cce00af3 07:11:30 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xfd000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:30 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8e02, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1138.558443][T25644] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1138.586542][T25644] ref_ctr decrement failed for inode: 0x4111 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000cce00af3 07:11:30 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x16000000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:30 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) 07:11:30 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x200000}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:30 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xfcffffff, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:30 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8e03, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:30 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) r0 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r0, 0x804) [ 1138.838618][T25672] attempt to access beyond end of device [ 1138.850907][T25672] loop4: rw=2049, want=78, limit=63 [ 1138.860186][T25672] buffer_io_error: 2 callbacks suppressed [ 1138.860200][T25672] Buffer I/O error on dev loop4, logical block 77, lost async page write 07:11:30 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0xf0ffff}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:30 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xfe000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:30 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x1000000}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1139.057523][T25684] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1139.091257][T25684] ref_ctr decrement failed for inode: 0x40e1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000020ba2ca 07:11:30 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9001, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:31 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) r0 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r0, 0x804) 07:11:31 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0xec00}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1139.146003][T25684] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1139.175426][T25684] ref_ctr decrement failed for inode: 0x40e1 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000020ba2ca 07:11:31 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18020000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:31 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x2000000}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:31 executing program 3: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) fchdir(r0) creat(&(0x7f0000000000)='./file1\x00', 0x10) ioctl$RTC_EPOCH_SET(r0, 0x4008700e, 0x7) r1 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r1, 0x804) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00') sendmsg$NL80211_CMD_GET_SCAN(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x28, r2, 0xab9535e9a6578fc1, 0x0, 0x0, {0x11}, [@NL80211_ATTR_WDEV={0x27}, @NL80211_ATTR_WIPHY={0x8}]}, 0x28}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) socket$netlink(0x10, 0x3, 0x0) r5 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route_sched(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r6, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r3, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x11000000) 07:11:31 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9c02, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:31 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xff000000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:31 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) open(&(0x7f0000000440)='./file0\x00', 0x0, 0x0) r0 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r0, 0x804) 07:11:31 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x3000000}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1139.663248][T25726] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:31 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) fchdir(0xffffffffffffffff) r0 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r0, 0x804) 07:11:31 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x4000000}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) [ 1139.702631][T25726] ref_ctr decrement failed for inode: 0x4112 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000020ba2ca [ 1139.729588][T25726] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1139.787438][T25726] ref_ctr decrement failed for inode: 0x4112 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000020ba2ca 07:11:31 executing program 3: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x3000000}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:31 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xffffa888, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) 07:11:31 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) fchdir(0xffffffffffffffff) r0 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r0, 0x804) [ 1139.970244][T25752] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 [ 1139.978317][ T27] kauditd_printk_skb: 2 callbacks suppressed [ 1139.978338][ T27] audit: type=1804 audit(1586329891.822:1439): pid=25732 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1837/bus" dev="sda1" ino=16657 res=1 [ 1140.035973][T25752] ref_ctr decrement failed for inode: 0x4112 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000020ba2ca 07:11:32 executing program 0: r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x2, 0x2812, r0, 0x0) r1 = open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = dup2(r2, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x0, 0x2812, r1, 0x0) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000140)=ANY=[@ANYRES64], 0x8) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1c0a0000, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:32 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x5000000}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:32 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa001, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:32 executing program 3: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xb600, 0x0, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 07:11:32 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x6000000}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:32 executing program 4: syz_mount_image$vfat(&(0x7f0000000040)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x7fff, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x4010, 0x0) fchdir(0xffffffffffffffff) r0 = creat(&(0x7f0000000680)='./bus\x00', 0x0) ftruncate(r0, 0x804) 07:11:32 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0x7000000}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:32 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0xffffdd86, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1140.403024][ T27] audit: type=1804 audit(1586329892.252:1440): pid=25771 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir838277530/syzkaller.tVGJ5f/1838/bus" dev="sda1" ino=16658 res=1 [ 1140.442546][T25781] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:32 executing program 1: open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000240)='./bus\x00', 0x141042, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa002, 0x0, @perf_bp, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 1140.460343][T25781] ref_ctr decrement failed for inode: 0x40e3 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000020ba2ca [ 1140.486733][T25781] ref_ctr going negative. vaddr: 0x20002004, curr val: 0, delta: -1 07:11:32 executing program 5: r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="9feb010018000000000000000c0000000c000000020000000000000000000004020000000000"], 0x0, 0x26}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x4, 0x6, &(0x7f0000000040)=@framed={{}, [@exit={0x95, 0x0, 0x0, 0xa000000}, @call, @func={0x85, 0x0, 0x1, 0x0, 0xfffffffffffffffe}]}, &(0x7f00000000c0)='GPL\x00', 0x5, 0xb6, &(0x7f0000000400)=""/182, 0x0, 0x0, [], 0x0, 0x0, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000140), 0x2}, 0x70) 07:11:32 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) r3 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x2a9, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32=r4, @ANYBLOB="000000000000000028001200090001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB="0000b20000000000"], 0x48}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000003c0)=ANY=[@ANYBLOB="38000000240007050000004007a2a30005000000", @ANYRES32=r4, @ANYBLOB="00000000ffffffff000000000900010068667363000000000800020000000000"], 0x38}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={0x0, 0x77010000, &(0x7f0000000280)={&(0x7f0000000540)=@newtfilter={0x3c, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {}, {0x9}}, [@filter_kind_options=@f_flower={{0xb, 0x1, 'flower\x00'}, {0xc, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}, @TCA_FLOWER_KEY_ENC_OPTS_MASK={0x4}]}}]}, 0x3c}}, 0x0) [ 1140.505384][T25781] ref_ctr decrement failed for inode: 0x40e3 offset: 0x0 ref_ctr_offset: 0x4 of mm: 0x00000000020ba2ca [ 1140.586947][ T7759] ================================================================== [ 1140.595068][ T7759] BUG: KCSAN: data-race in iput / other_inode_match [ 1140.601630][ T7759] [ 1140.603941][ T7759] write to 0xffff8881290f25f8 of 8 bytes by task 32233 on cpu 0: [ 1140.611638][ T7759] iput+0x2e6/0x4d0 [ 1140.615427][ T7759] dentry_unlink_inode+0x272/0x2e0 [ 1140.620528][ T7759] d_delete+0xca/0xe0 [ 1140.624507][ T7759] vfs_rmdir+0x2d3/0x2f0 [ 1140.628741][ T7759] do_rmdir+0x2e9/0x320 [ 1140.632879][ T7759] __x64_sys_rmdir+0x2c/0x40 [ 1140.637457][ T7759] do_syscall_64+0xc7/0x390 [ 1140.642004][ T7759] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 1140.647870][ T7759] [ 1140.650199][ T7759] read to 0xffff8881290f25f8 of 8 bytes by task 7759 on cpu 1: [ 1140.657855][ T7759] other_inode_match+0x6a/0x570 [ 1140.662704][ T7759] find_inode_nowait+0x12f/0x160 [ 1140.667634][ T7759] ext4_mark_iloc_dirty+0x123c/0x1500 [ 1140.673214][ T7759] ext4_mark_inode_dirty+0xe6/0x420 [ 1140.678404][ T7759] ext4_mkdir+0x56e/0x820 [ 1140.682858][ T7759] vfs_mkdir+0x281/0x390 [ 1140.687372][ T7759] do_mkdirat+0x1b5/0x200 [ 1140.691688][ T7759] __x64_sys_mkdir+0x3d/0x50 [ 1140.696437][ T7759] do_syscall_64+0xc7/0x390 [ 1140.700925][ T7759] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 1140.706792][ T7759] [ 1140.709103][ T7759] Reported by Kernel Concurrency Sanitizer on: [ 1140.715246][ T7759] CPU: 1 PID: 7759 Comm: syz-executor.5 Not tainted 5.6.0-rc1-syzkaller #0 [ 1140.723809][ T7759] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1140.733965][ T7759] ================================================================== [ 1140.742009][ T7759] Kernel panic - not syncing: panic_on_warn set ... [ 1140.748608][ T7759] CPU: 1 PID: 7759 Comm: syz-executor.5 Not tainted 5.6.0-rc1-syzkaller #0 [ 1140.757179][ T7759] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1140.767224][ T7759] Call Trace: [ 1140.770511][ T7759] dump_stack+0x11d/0x187 [ 1140.774828][ T7759] panic+0x210/0x640 [ 1140.778722][ T7759] ? vprintk_func+0x89/0x13a [ 1140.783411][ T7759] kcsan_report.cold+0xc/0xf [ 1140.788016][ T7759] kcsan_setup_watchpoint+0x3fb/0x440 [ 1140.793392][ T7759] other_inode_match+0x6a/0x570 [ 1140.798240][ T7759] ? __ext4_get_inode_loc+0x27a/0x990 [ 1140.803617][ T7759] ? ext4_inode_csum_set+0x1c0/0x1c0 [ 1140.808897][ T7759] find_inode_nowait+0x12f/0x160 [ 1140.813830][ T7759] ext4_mark_iloc_dirty+0x123c/0x1500 [ 1140.819202][ T7759] ext4_mark_inode_dirty+0xe6/0x420 [ 1140.824395][ T7759] ext4_mkdir+0x56e/0x820 [ 1140.828754][ T7759] vfs_mkdir+0x281/0x390 [ 1140.832984][ T7759] do_mkdirat+0x1b5/0x200 [ 1140.837301][ T7759] __x64_sys_mkdir+0x3d/0x50 [ 1140.841923][ T7759] do_syscall_64+0xc7/0x390 [ 1140.846422][ T7759] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 1140.852311][ T7759] RIP: 0033:0x45bca7 [ 1140.856200][ T7759] Code: 1f 40 00 b8 5a 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 7d c2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 5d c2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1140.876051][ T7759] RSP: 002b:00007ffda23a7148 EFLAGS: 00000206 ORIG_RAX: 0000000000000053 [ 1140.884454][ T7759] RAX: ffffffffffffffda RBX: 00000000001166dc RCX: 000000000045bca7 [ 1140.892413][ T7759] RDX: 00007ffda23a7196 RSI: 00000000000001ff RDI: 00007ffda23a7190 [ 1140.900374][ T7759] RBP: 00000000000013af R08: 0000000000000000 R09: 0000000000000006 [ 1140.908358][ T7759] R10: 0000000000000064 R11: 0000000000000206 R12: 0000000000000002 [ 1140.916319][ T7759] R13: 00007ffda23a7180 R14: 00000000001166bc R15: 00007ffda23a7190 [ 1140.925744][ T7759] Kernel Offset: disabled [ 1140.930268][ T7759] Rebooting in 86400 seconds..