last executing test programs:

15.606119647s ago: executing program 3 (id=71):
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x6, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x2)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0)
sched_setaffinity(0x0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_RECVRCVINFO(0xffffffffffffffff, 0x84, 0x20, 0x0, 0x0)
r0 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0)
read$msr(r0, &(0x7f0000019680)=""/102392, 0x18ff8)
sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x20088004, &(0x7f0000000280)={0xa, 0x4e20, 0x0, @empty, 0x20000007}, 0x1c)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000480)={{}, &(0x7f0000000340), &(0x7f0000000440)}, 0x20)
sendmsg(0xffffffffffffffff, &(0x7f0000000440)={0x0, 0x0, 0x0}, 0x40051)
socket$nl_netfilter(0x10, 0x3, 0xc)
socket$inet6_mptcp(0xa, 0x1, 0x106)
timer_create(0x2, 0x0, 0x0)
timer_create(0x2, 0x0, &(0x7f0000000080)=<r1=>0x0)
timer_delete(r1)
r2 = add_key$keyring(&(0x7f0000000000), &(0x7f0000000100)={'syz', 0x1}, 0x0, 0x0, 0xfffffffffffffffe)
keyctl$KEYCTL_RESTRICT_KEYRING(0x1d, r2, &(0x7f00000000c0)='asymmetric\x00', &(0x7f0000000280)=@chain)
setsockopt$sock_attach_bpf(0xffffffffffffffff, 0x84, 0x25, 0x0, 0x0)

14.935551171s ago: executing program 3 (id=72):
r0 = syz_usb_connect(0x6, 0x0, 0x0, 0x0)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x18, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="18010000000000000000000000000000850000006d00000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000000)='sched_switch\x00', r1}, 0x10)
sendmsg$nl_xfrm(0xffffffffffffffff, &(0x7f0000000480)={0x0, 0x0, 0x0}, 0x0)
socket$nl_xfrm(0x10, 0x3, 0x6)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7)
r2 = getpid()
sched_setscheduler(r2, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r3=>0xffffffffffffffff, <r4=>0xffffffffffffffff})
connect$unix(r3, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r4, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r3, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6)
keyctl$instantiate(0xc, 0x0, &(0x7f0000000100)=@encrypted_load={'load ', 'default', 0x20, 'trusted:', 's}z', 0x20, 0xfcd}, 0x2f, 0xfffffffffffffffa)
syz_open_dev$sndctrl(0x0, 0x3, 0x404002)
r5 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)=[{&(0x7f0000000300)="d8000000180081054e81f782db4cb904021d080406037c09e8fe55a10a0015400400142603600e122f00160006000400a8000600200003400700027c035c0461c1d67f6f94007134cf6efb8000a007a290457f0189b316277ce06bbace8017cbec4c2ee5a7cef4090000001fb791643a5ee4ce1b14d6d930dfe1d9d322fe7c9f8775730d16a4683f5aeb4edbb57a5025ccca9e00360db798262f3d40fad95667e006dcdf63951f215ce3bb9ad809d5e1cace81ed0bffece0b42a9ecbee5de6ccd40dd6e4edef3d93452a92954b43370e9703", 0xd2}], 0x1, 0x0, 0x0, 0x4a0f0000}, 0xc000)
syz_usb_control_io$printer(r0, 0x0, 0x0)

11.411270846s ago: executing program 3 (id=80):
syz_usb_connect(0x0, 0x2d, &(0x7f00000003c0)=ANY=[@ANYBLOB="120100009ac0b620110f211066865578ac0109029c000100000400090400bf900b64ea00090587033b"], 0x0)
r0 = syz_open_dev$char_usb(0xc, 0xb4, 0x0)
writev(r0, &(0x7f0000002580)=[{&(0x7f0000000400)="b4", 0x1}], 0x1)

7.478264724s ago: executing program 1 (id=88):
r0 = syz_usb_connect(0x6, 0x0, 0x0, 0x0)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x18, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="18010000000000000000000000000000850000006d00000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000000)='sched_switch\x00', r1}, 0x10)
sendmsg$nl_xfrm(0xffffffffffffffff, &(0x7f0000000480)={0x0, 0x0, 0x0}, 0x0)
socket$nl_xfrm(0x10, 0x3, 0x6)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7)
r2 = getpid()
sched_setscheduler(r2, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r3=>0xffffffffffffffff, <r4=>0xffffffffffffffff})
connect$unix(r3, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r4, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r3, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6)
keyctl$instantiate(0xc, 0x0, &(0x7f0000000100)=@encrypted_load={'load ', 'default', 0x20, 'trusted:', 's}z', 0x20, 0xfcd}, 0x2f, 0xfffffffffffffffa)
syz_open_dev$sndctrl(0x0, 0x3, 0x404002)
r5 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)=[{&(0x7f0000000300)="d8000000180081054e81f782db4cb904021d080406037c09e8fe55a10a0015400400142603600e122f00160006000400a8000600200003400700027c035c0461c1d67f6f94007134cf6efb8000a007a290457f0189b316277ce06bbace8017cbec4c2ee5a7cef4090000001fb791643a5ee4ce1b14d6d930dfe1d9d322fe7c9f8775730d16a4683f5aeb4edbb57a5025ccca9e00360db798262f3d40fad95667e006dcdf63951f215ce3bb9ad809d5e1cace81ed0bffece0b42a9ecbee5de6ccd40dd6e4edef3d93452a92954b43370e9703", 0xd2}], 0x1, 0x0, 0x0, 0x4a0f0000}, 0xc000)
syz_usb_control_io$printer(r0, 0x0, 0x0)

7.366267754s ago: executing program 0 (id=89):
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x6, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x2)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0)
sched_setaffinity(0x0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_RECVRCVINFO(0xffffffffffffffff, 0x84, 0x20, 0x0, 0x0)
r0 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0)
read$msr(r0, &(0x7f0000019680)=""/102392, 0x18ff8)
syz_open_procfs(0x0, 0x0)
r1 = socket$inet6(0xa, 0x80002, 0x0)
r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000280)=@base={0x12, 0x4, 0x4, 0x12}, 0x48)
bpf$BPF_PROG_DETACH(0x8, &(0x7f0000000040)=ANY=[@ANYRES32=r2, @ANYRES32, @ANYBLOB='&'], 0x10)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000480)={{r2}, &(0x7f0000000340), &(0x7f0000000440)=r1}, 0x20)
sendmsg(r1, &(0x7f0000000440)={0x0, 0x0, 0x0}, 0x40051)
socket$nl_netfilter(0x10, 0x3, 0xc)
socket$inet6_mptcp(0xa, 0x1, 0x106)
timer_create(0x2, 0x0, 0x0)
timer_create(0x2, 0x0, &(0x7f0000000080)=<r3=>0x0)
timer_delete(r3)
r4 = add_key$keyring(&(0x7f0000000000), &(0x7f0000000100)={'syz', 0x1}, 0x0, 0x0, 0xfffffffffffffffe)
r5 = add_key$keyring(0x0, &(0x7f0000000140)={'syz', 0x1}, 0x0, 0x0, 0xffffffffffffffff)
keyctl$KEYCTL_RESTRICT_KEYRING(0x1d, r5, &(0x7f0000000240)='asymmetric\x00', &(0x7f00000001c0)=@keyring={'key_or_keyring:', r4})
keyctl$KEYCTL_RESTRICT_KEYRING(0x1d, r4, &(0x7f00000000c0)='asymmetric\x00', &(0x7f0000000280)=@chain={'key_or_keyring:', r5})
setsockopt$sock_attach_bpf(0xffffffffffffffff, 0x84, 0x25, 0x0, 0x0)

7.112225124s ago: executing program 2 (id=90):
r0 = socket$inet(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000300)={'bond0\x00'})
socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x1, 0x803, 0x0)
r2 = socket$nl_route(0x10, 0x3, 0x0)
r3 = socket(0x10, 0x803, 0x0)
bind$netlink(r3, &(0x7f0000000100)={0x10, 0x0, 0x25dfdbfa, 0x400000}, 0xc)
getsockname$packet(r3, 0x0, &(0x7f0000000080))
sendmsg$nl_route(r2, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000040)=ANY=[@ANYBLOB="3c00000010000d042abd70000000000000000000", @ANYRES32, @ANYBLOB="01001400000000001c00128009000100626f6e64000000000c0002800500010004"], 0x3c}, 0x1, 0x0, 0x0, 0x40040}, 0x0)
getsockname$packet(r1, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000002c0)=0x14)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000300)={'bond0\x00'})
r4 = socket$nl_route(0x10, 0x3, 0x0)
r5 = socket(0x11, 0x80a, 0x0)
ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f0000000300)={'bond0\x00', <r6=>0x0})
sendmsg$nl_route(r4, &(0x7f0000000140)={0x0, 0x0, &(0x7f00000006c0)={&(0x7f0000000380)=ANY=[@ANYBLOB="3c0000001000010400"/20, @ANYRES32=r6, @ANYBLOB="00000000000000001c00128009000100626f6e64000000000c0002800800070003"], 0x3c}}, 0x0)
r7 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r7, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000300)}], 0x1}, 0x0)

5.471198557s ago: executing program 0 (id=91):
connect$unix(0xffffffffffffffff, &(0x7f0000000300)=@abs, 0x6e)
recvmmsg(0xffffffffffffffff, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sendmsg(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, 0x0}, 0x8800)
sched_setattr(0x0, &(0x7f0000000100)={0x38, 0x5, 0x2, 0x0, 0x0, 0x2, 0x9, 0x6, 0x800, 0x7}, 0x0)
rseq(&(0x7f0000000400), 0x20, 0x0, 0x0)
syz_open_dev$dri(&(0x7f00000000c0), 0x1ff, 0x0)
r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000001740), 0x101042, 0x0)
ioctl$PPPIOCNEWUNIT(r0, 0xc004743e, 0x0)
ioctl$PPPIOCSACTIVE(r0, 0x40107446, &(0x7f0000000080)={0x2, &(0x7f00000000c0)=[{0x48, 0x8, 0xfe, 0x8}, {0x6, 0x0, 0x0, 0x8eb6}]})
syz_open_procfs(0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x40000000000, 0x5, &(0x7f0000006680))

5.318183589s ago: executing program 2 (id=92):
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
r1 = socket$nl_rdma(0x10, 0x3, 0x14)
syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
socket$inet_sctp(0x2, 0x5, 0x84)
socket$inet6_mptcp(0xa, 0x1, 0x106)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x9, 0x9}, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000280)=ANY=[@ANYBLOB="440000003e000701feffffff00000000017c0000040042800c00018006000600894f0000200002"], 0x44}, 0x1, 0x0, 0x0, 0x40040c0}, 0xc000)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
socket$nl_generic(0x10, 0x3, 0x10)
socket$nl_generic(0x10, 0x3, 0x10)
write$binfmt_script(0xffffffffffffffff, &(0x7f0000000000)={'#! ', './file0', [{0x20, 'axA\x9b^\xfb^$\r\'uij\r\xd9\xef\xd2Et^Q\v\x9fOFL\x95`Z\xae\xc3a\xfe%\x94\x1a\xebt\xc6\x06\x8fD,\xf7\xae#\x80\x80\xdf\xa3\xcaO\xc6\x8a\x91\x90\xadR\aW\xe1\xf3n\xca\xa3\x8f\xd6F\x03\x0e\x9b\xe5yb\xfc\xa19wUs\x83\xf1{&\n\x1d\x8e\x82y\x1a.B\x0e\xea\x17\xc7\xe7H\xa9\xd4\x8e\xe7 gD\x89*\xb5c<d\x1f\\\x10$o\x93\x02\x9c@\x9ddt\x8c\x875\xf7@\x9aM\xa3j\xfa\x1f\xe5\x81\xc9u<\xf0?w8P>\xc5\x8a\xe6R\xe5YGq\xf5\xb6\x95\xbc\x112\x9bno\xc8\x06\xb6\b\xcc\x03{Sn\x94G\x01\xb4\xffJQ8t\x99vY\xaaf\xc7,\x9f\xbb\x15G\x1cr\x19\xef\xab\n\xa8\xbc\xbd\xa2E\x16\x1cm\xbd=\x98\x7fU\xcbg\x15%\x95\xb11\x017\x83*\x14\xcbt\xc2\xcb\x04\x1e~?\xb9j\x18\x96\x84EA\xeaB\a\x83\xba\xdco<\x00'/256}]}, 0x10c)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
r3 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r3, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x3}, 0x6, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @default, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
socket(0x2, 0x80805, 0x0)
r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
connect$rose(r4, &(0x7f0000000040)=@short={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @default}, 0x1c)
connect$rose(r4, &(0x7f0000000100)=@full={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, 0x0, [@null, @null, @null, @default, @bcast, @default]}, 0x40)
sendmsg$RDMA_NLDEV_CMD_RES_PD_GET(r1, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f00000001c0)=ANY=[@ANYRES64=r3], 0x18}, 0x1, 0x0, 0x0, 0x4000040}, 0x0)
setsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r0, 0x84, 0x72, &(0x7f0000000380)={0x0, 0x0, 0x10}, 0xc)

5.30489473s ago: executing program 0 (id=93):
bpf$BPF_RAW_TRACEPOINT_OPEN_UNNAMED(0x11, 0x0, 0x0)
mount$overlay(0x0, 0x0, &(0x7f0000000080), 0x0, 0x0)
r0 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
r1 = socket(0x40000000015, 0x5, 0x0)
recvmmsg(r1, &(0x7f0000003c40)=[{{0x0, 0x0, 0x0}, 0x80000000}], 0x1, 0x60010002, 0x0)
syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r2 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0)
read$msr(r2, 0x0, 0x0)

5.245285975s ago: executing program 3 (id=94):
r0 = syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101)
r1 = dup(r0)
write$6lowpan_enable(r1, &(0x7f0000000000)='0', 0xfffffd2c)
r2 = syz_io_uring_setup(0x239, &(0x7f0000000740)={0x0, 0x1c2a, 0x10100, 0x0, 0x0, 0x0, r1}, &(0x7f0000000180)=<r3=>0x0, &(0x7f00000001c0)=<r4=>0x0)
syz_io_uring_submit(r3, r4, &(0x7f0000000040)=@IORING_OP_POLL_ADD={0x6, 0x2, 0x0, @fd=r0, 0x0, 0x0, 0x0, {}, 0x1})
io_uring_enter(r2, 0x2ded, 0xef92, 0x0, 0x0, 0x0)
pipe(&(0x7f0000000000)={<r5=>0xffffffffffffffff})
vmsplice(r5, &(0x7f0000000180), 0x0, 0x8)

4.294055242s ago: executing program 3 (id=95):
r0 = socket$inet_smc(0x2b, 0x1, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040), 0x161642, 0x0)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x0)
setsockopt$TIPC_DEST_DROPPABLE(0xffffffffffffffff, 0x10f, 0x81, 0x0, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
r2 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r2, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r3=>0xffffffffffffffff, <r4=>0xffffffffffffffff})
connect$unix(r3, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r4, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r3, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
r5 = bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x11, 0x8, &(0x7f0000000a80)=ANY=[@ANYBLOB="620af8ffa1dc0021bfa100000000000007010000f8ffffffb702000007000000bd120000000000008500000010000000b70000000000000095000000000000003faf4f2aa3d9b18ed812a2e2c49e8020a6f4e0e4a9446c7670568982b4e020f698393aa0f3881f9c24561f1b2607995daa56f151905ea23c22624c9f87f9793f50bb546040677b0c5077da80fb982c1e9400e693146cea484a415b76966118b64b751a0f241b072e90080008002d75593a286cecc93e64c227c95aa0b784625704f07372c29184ff7f4a7c0000070000006056feb4cc664c0af9360a1f7a5e6b607130c89f18c0c1088d8b8588d72ec29c48f0af5f2d9f51c4b45e0000000000000401d01aa27ae8b09e00e79ab20b0b8ed8fb7a68af2ad0810000000000006fa03c6468978089b302d7ff6023cdcedb5e0125ebbcebdde510cb2364149215108337719acd97cfa107d40224edc5465ad32b77a74e802a0dc6bf25cca242bc6099ad2300000480006ef6c1ff0900000000000010c63a949e8b7955394ffaff03000000000000ab87b1bfeda7be586602d985430cea080000000000000126abfb0767042361448279b05d96a703a660581eecdbf5bcd3de227a167ca17a0faf60fd6ad9b97aa5fa68480366c9c6fd6fa5043aa3926b81e3b59c9b081d6a08000000ea2b1a52496dfcaf99431412fd134a996382a1a04d5bb924cfe5f3185418d605ffff9c4d2ec7c32f2095e63c80aff9fa740b6c7632d5933a1c1fa5605bd7603f2ba2a790d62d6faec2fed44da4928b30142ba1fde5c5d50b83bae645ffa4997da9c77af4c0cb97fca585ec6bf58351d578be00d952aab9c71764b0a8a7583c90b3433b809bdb9fbd48fc877505ebf6c9d13330ca006bce1a84521f14518c9b476fccbd6c712016219848624b87cec2dbe98223d8d9e86c5ea06d108d8f80a0eb4fa39f6b5c02e6d6d90756ff578f57000000009700cf0b4b8bc229413300000000000000000003000000000000000000000000001000000000559711e6e8fcffffffffffffffb2d02edc3e01dd271c896249ed85b980680b09000000000f0000169cdcacc413b48dafb7a2c8cb482bac0ac502d9ba96ffffffd897ef3b7cda42f93d53046da21b40216e14ba2d6af8656b01e17addaedab25b30002abbba7fa725f38400be7c1fb8f72cd317902f19e385be9e48dccf1f9f3282830689da6b53b263339863297771d74732d400003341bf4a00fc9fec2271ff01589646efd1cf870cd7bb2366fde4a594290c405ff870ce5dfd3467decb05cfd9fcb32c8ed1dbd9d30a64c108285e71b5565b1768ee58969c41595229df17bcad70fb4021428ce970275d13b78249788f11f761038b75d4fe32b561d46ea3abe0fa7956488bef241875f3b4b6ab7929a57affe760e797724f4fce1093b62d7e8c7123d890decacec55bf404e4e1f74b7eed82571be54c72d978cf906df0042e36acd37d7f9e109f2c06f815312e0cfe222a06f56dd022c074eb8a322fb0bf47c0a8d154b405c37feaf3dd95f6ef2acd1fe582786105c70600000000000000b7561301bb997316dbf17866fb84d4173731efe895ff2e1c5560926e90109b598502d3e959efc71f665c542c9062ece84c99a061887a20639b41c8c12ee86c50804042b3eac1f870b136345cf67ca3fb5aac518a75f9e7d7101da841735e186c489b3a06fb99e0347f23a054de2f4d92d6bd72ee2c9fdc75aaaf1e3e483b4ad05573af403269b4a39ce40293947d9a631bcbf3583784acbda216550d7aec6b79e30cbd128f91e358c3b377327ac9ecc34f24c9ae153ec60ac0694da85bff9f5f4df90400000000000000d6b2c5ea1393fdf24285bf16b99c9cc0ad1857216f1a985f369191ae954febb3df464bfe0f7f3ee9afe7befb89d2777399f5874c553aeb3729cffe86e669261192899d4562db0e22d564ae09bb6d163118e401e024fd452277c3887d6116c6cc9d8046c216c1f895778cb26e22a2a998de44aeadea2a40da8daccf080842a486721737390cbf3acb2003016f154772f514216bdf57d2a40d40b51ab67903ec8485b3b8a8c9ae3d14f93100c2e0893862eef552fcde2981f48c482bde8a168c3f5db2fea6f26e4a4304e50c349f4f9ecee27defc93871c5f99a3594191e104d417e60fc3541a2c905a1a95e9571bf38ae1981c4238ecaee6f75cd0a6881bd1594e32409e2a3bce109b6000000000000a1fec9000000d694210d7560eb92d6a97a27602b81f76386f1535bef1497f92186086e29c6bc5a1fad6ec9a31137ab79a404abde7750898b59270bb29b81367ac91bd627e87306703be8672d70d1ab57075228a9f46ed9bd1f00fb8191bbab2dc591dda61f0868afc4294859323e7a45319f18101288a0268893373750d1a8fe64680b0a3fc22dd704e4214d00000000d6c98cd1a9fbe1e7d58c08acaf30065b928a31d2eca55f74a23641f61f2d5b308cf0d031b0c7f0ce21d69993e9960ff5f76015e6009756237badf4e7965bbe2777e808fcba821a00e8c5c39609ff854356cb490000000000c1fee30a3f7a85d1b29e58c77685efc0ceb1c8e5729c66018d169fc03aa188546b3ad2a182068e1e3a0e2505bc7f41019645466ac96e0d0b3bc19faa5449209b085f3c334b47f067bbab40743b2a428f1da1f68df75cf43f8ecc8d3726602111b40e761fd21081920382f14d12ca3c471c784ae7da7eaa69eb7f7f80572fdd11bb1d070080fbc22bf73468788df51710eb0b428ee751c47d8e894f745a868404a0bf35f0121008b722b1eaa6aedfa1bf2e7ccb2d61d5d76331ff5e20fa26b8471d42645288d7226bbd9c9e9e1cc9eb3d541e407cc2dae5e690cd628ab84875f2c50ba830d3f474b079b407000000deff000040430a537a395dc73bda367bf12cb7d81691a5fe8c47be395656a297e9df0e71b967ce7daac4be290159f6bcd75f0dda9de5532e66ae9e48b0ed1254a81faae79b6af6fbb869604d51de44c4e0973171ad47d6c00ebc7603093f000000fdec30cd6db49a47613808bad959719c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f15d6533f78a1f4e2df4ca23d867693fd42de9b49a1b36d48a44ba6a4530e59bec53e876dc660dd63bed8d31c31c37a373d4efd89f0000377b1b1292a893a516dab183ee65744fb8fc4f9ce2242e0f0059161c5e0000000000000000000057d77480e0345effff6413258d1f6eb190aa28cbb4bafe34124172e436b176c7ed4b132fb805d5edd9d188daf28d89c014c3ecca10ae55704544673e1fa03b84f63e022fe755f4007a4a899eaf52c4f491d8e97c862e29e457060000007ac691faee1e0c8fe056a07474e6e5490a7d3c3402000000b60600d837c6befc63ddf2f594ad7cbc56a1e44d218c956a5392a995f1fae8e9f206efbb33854dc70104ebc1581848f9745cb796da2dfb714a0500000000000000faed94fc39acfb3fd25dfa8116a154cd1226e1bb72b59fed817072a0da60160761fd3dffda0f7c592eabd8ab68334d2a1693cb187539049e331272bf5135044df8161400211b8012b6eb1ed5656e83f65509bb4b323c5bd61bff949d3bade2f6ffda1360c2786e16937ab61d6dcafed319c716357d0885f9c6d1f442954c167dd9b4acd9468ce3674c82bbb2e31389179b025dbe063b7f906217b2cf8410c7023aa3e5cc3ba1000000000000000000000000000000006ae6301a2da44394275c582a6516bb92ea1980a0a659f2f1811c8b281c209647c4241f292b20508b215dde27bb2487a6e2b5e4a8ccfab90c23827ef06cbe364073005f8a6d1456aaeb85ffb7858f24eced67a67ab825e863928ed64c83f62ffdaa997657335b63c6b4163aff094059e626766845fd779c9e6cdbbd64c24936615ee68538e8fddd0d90f3a7579579a142c0f7b318264d5c13c31cf475829528267ead38523cab7e1664e8426ca85e82ccf821c8a02a7e7d954d05b68a9c28f79429b09e2bb3681ae2b831e27c735123361c193d66ed4d71f19b199d371ec6bfada7cd370e3fdd3cd980fa1e145fd3f3e96b1feb53c865e1ad6acf5d16ed652ee0c7f45352222692fbd679212c225d097aa90f7e1fb1f983415f43e75a19ecf7fd21bfa150ef563aa72ba1c43c5f3d9be128ec26b691f31f9cab931631606a81622f120675c962be2d3b5e95f74f0b209e42e6bdd76e6e725295b1d78d928f6f63c41cbde2ba66ad81168070c8c6e18a6e452a31bdc4a60d637545ed4c8a1c649c3ce54ad3e16304d06a234f5f9311ef0f78924b68dbb4712efdb6974667bdb54f16fd2061b9ba93638dd177227e94e4ebd0ec1d437db948062bf41742000000000000000000305f70dd02fa0c61d5fe6d8ff35389246037e18d34c1375ae04f44f0c2543c772c5ccb137be7dc1874c5140200000054d77d4ea5ed144a648257f4a0301067bbcd9b91072659d872f26b796e2b81025edb5f45f785e2c2602b248ecdd80f019ca659be7e8ae953325a27564f33c9d458a60be3dab38baab7eb1a66ab1ffd6308f7fd51beb356fe75eb985b7581bb5584c53984ba9c7340f97e8d3825681c53de5f554e595b00000000000000006a8fa9f05d64c4be42f981f00051a3bc38613067dbd1427e01bfec016e51844cefa8a855bf23ac887b4a88eed6d9443857242f28e31a41d20105fbf3394ff910e734b4d9101265ff729c426e01c1ab13dda8c388b9e6626f19eecb87e39175e85e17000000000000000000009431807e43886903526074e6b40244c938a4c68a38c25ddd7c143b3f14eafe4b28ec66815cf8d1f56aa1424bc9b5d58790298e5b310969e50c222563b54e60854e1bfeef448aca8c5ccbf5546ce4c3cd5a733fec25fb94e1e0f966bcbd28a4d8fe4f556eaa1104a793006619700798354c6ae0040965e3083562bfa20968c04007d21dc02c9fd1f75e1ff40f439bdde4e784012e52049b483f02f81b88f5f57816b3fecec79cfca8d37203e769759d6b6a56b7605ced8ee18475a77ff0963a565fb6021d216c01b1098e40550a1cfd80e9180100000000000000654cd76ca61fe5ad8a31ec558fdbfa706d5e738bceae81fe777c307d5bc72183a4c2d35732e74dd690c57bdfdc1f069f9491bca7a8c59363799be70018c25ece5ad7307dc7a95c51bc25a8bbe2cf5ddf6aa161693782b0e7feb8a768f391b49d4c978c96dbb52f21c122eba9f17c8bed10591958cf06321a248b5f76ceedfe0d080d6aeadc11b237b3326dd04b86ac37c0d131544888db9e128d059761ad9a393e96c3b41c13c5a381bff187a75de560ba6eb3faa5ff8d2bb3c88f8de5efc2fb2200cfda6d07ceae22577064334fbf76a23e62e6059211d995b879f6b7d3f7fcf03652b81e6b7cdeff947ad185d3c6269ca247b429c3b872a8f1ef60407d29a874f4ec31c9effed55543a65a6b4d778cebcd43b7905f3960140bd783540a7353014bda8e9c7a34a5f428fd1f8eb11e837dd9d586487fdebcb1ecd3a003ff0fda4be617fecf1ff0ef2cdfb7fea73ca18874664d60a4b9423f3297bc8eb91b4ee1d73272ab28a7d7ab055a8eb58fe379de85338304e26e3620941b463e9049fd105c74c91cc4d71b0f76e2c2e4825106aa7ce2a3adbbc7a0443ece98c077b358e752b439132a0f27080ece2a94c320b002c77f82662675a7713c7067081cac15994698c41ff4754268ae2676384ff799783f55d7e5a1a092a01b965dc99cb7a9d98440c355927629f2bcf9dc2396eb2f5d25829715b24327642ac48f1201014a95e0e65e12cdf27e19043e3c5d3e798375cead35b9a93190a52cdecaaccc854a1d41ef365303f0e9b4fc969c9dab6df5e8a795b140fcc09e8a7b694d12932917facd8ceaa4e2d0d16bb0b95387fcd5ff136d8abddf94daf442bbff744591931872a36cf921ad69f2127386e8b0f9afee4da8d3fbec809fbb3ca0fded2859cf25d4c6155d396c5b9bd1a928923123f63f4c40688eae69990a9419456247bbaeb7948de84d2ff875414883bb1e503d4bfebc01bc12a53ea06bf38e571157bd642dac25dbee7832c58378374a39483d6721eec96c28911db21c0c006b42afc90000000000000000000000700000000000000000008ce4ea442c1a207108b35511186c5e860278f6463f52f3990ce08b1bfccc3cff4b5ae27b610aa9ba11b47d4f94c439e055cdbb2b12c983885c93ea4ab4ca1e02d831ae162ee104"], &(0x7f0000000100)='GPL\x00'}, 0x41)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000001d40)={&(0x7f00000009c0)='sched_switch\x00', r5}, 0x10)
pwritev(0xffffffffffffffff, &(0x7f0000001500)=[{0x0}], 0x1, 0x2, 0x2)
sendmsg(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000000c0)=[{&(0x7f0000000100)}], 0x1}, 0x48000)
syz_emit_ethernet(0xfc, &(0x7f0000000000)=ANY=[], 0x0)
bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0xd, 0x3, &(0x7f0000001300)=@framed, &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0xf}, 0x94)
request_key(&(0x7f00000003c0)='ceph\x00', 0x0, 0x0, 0xfffffffffffffffe)
ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
setsockopt$IP_VS_SO_SET_STARTDAEMON(r0, 0x0, 0x48b, &(0x7f0000000000)={0x1, 'veth0_virt_wifi\x00', 0x2000000}, 0x18)

4.293273472s ago: executing program 1 (id=96):
creat(&(0x7f0000000280)='./file0\x00', 0xe5)
syz_open_dev$video4linux(&(0x7f0000000140), 0x106, 0x40440)
r0 = syz_io_uring_setup(0x1e1e, &(0x7f0000000200)={0x0, 0x86f7, 0x10100}, &(0x7f0000002000)=<r1=>0x0, &(0x7f0000000000)=<r2=>0x0)
syz_io_uring_submit(r1, r2, &(0x7f00000001c0)=@IORING_OP_READ=@pass_buffer={0x16, 0x0, 0x0, @fd_index=0x3, 0x4, 0x0, 0x0, 0x22})
io_uring_enter(r0, 0x48ed, 0x0, 0x2, 0x0, 0x0)
r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0)
ioctl$KVM_CREATE_IRQCHIP(r4, 0xae60)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0)
syz_kvm_setup_syzos_vm$x86(r4, &(0x7f0000bff000/0x400000)=nil)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x6, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x3)
syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='numa_maps\x00')
sched_setaffinity(0x0, 0x8, &(0x7f00000000c0)=0xa)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r6 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0)
read$msr(r6, &(0x7f0000019680)=""/102392, 0x18ff8)
r7 = openat$proc_mixer(0xffffffffffffff9c, &(0x7f0000000000)='/proc/asound/card0/oss_mixer\x00', 0x2002, 0x0)
sendmsg$AUDIT_TTY_GET(0xffffffffffffffff, 0x0, 0x4010)
write$proc_mixer(r7, &(0x7f0000000180)=ANY=[@ANYBLOB="5245434c45560a50484f4e454f55540a535045414b455220274344272030303030303030303030303030303030303030300a4449474954414c32202706006e652043"], 0xb8)
r8 = openat$proc_mixer(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/asound/card0/oss_mixer\x00', 0x0, 0x0)
dup3(r8, r7, 0x0)
ioctl$KVM_SET_MSRS(r5, 0x4008ae89, &(0x7f0000000040)=ANY=[])
ioctl$KVM_SET_LAPIC(r5, 0x4400ae8f, &(0x7f0000000100)={"b46474f815e8d5535f0887c44335cc824dc6121bc72a77f532ff5dad4d643a9cab29d2310e04be14eb26c0af4985fe45e3b3b0680b3ec92725d74b9716e0f7c3119a2c9a0ae65ff4772e2e12733cb013c4308fe40863480747c0a7ddb9361b1578015ca1bb2c1677ebae096f08345476f567443842946ed946434c75916d1db83fe305920de65bfaf9bd940672216846cb16b8ae67cd3affc61375381f91b3b9f1cc5e38cafe5239aee71dcd481fbe1ecd2547ffbaad4469a74697c28fb9beefa6a5d736712a55eb9110c2cf7964062ba8cbc1c038e84f0f5db7fc7053118bf5221e3efa6fc3edb5d0ca3cde7054dd0751a332520aa8478b1775d552c5cc24d3c2df9eb333e5ca3aa06c1c2cf8526714f5caff2f55b41976fc20b64f1fc61d5b44f50953582a1825d32130a31abfeafd1987317879e29ac51b93c9659e023fff3ddb5e39dd19cc3ef1d883c78b9e073d08a9197fb3717df238b9831831214b186693be9dd2568bb77272e80df5dfed03e8c467627bedfbd93359a9f79a3aa37e873dc1357b37b43d813ea85267b0dc8b1c4cc51bd985328833beb2679b7fb762555bbea2da936b36f8f1673fd5f606b2b6eb23b72bf947206e8dbfeb40ca6f265a3485c8446e0f0da652860b88328073d2282c14b48a7774e62754a968b60e92205e8fafcdd70a55c3c4d1a4821ff44e6e3681f15ae091262e3a3290a24d8ceae30ebbf9d24287bb8a5d73c608d47d287f9e716cf02b4796a83fb0c05e45b89de9ef8bce834e6d7a0be6e30d2c66cb6e640cb01898454ad361bc0701d8fe56113335ae6adec59300db04691cc4a689034272a8e086a32ce7061b4f79fa8afbb48a6ce4b62bdc44af013d78980457e1fa61eb9204818606f4c3b03c0f33cd2a841ac9bc2b73151a96e31ab99e6ec969b5f2c3edd5f9abc69845e487af992758ba445368da93dae1d44360d52a534a88276b8aaf349841d8a4788c60408618437c442308dbf70efeda2e54e9b9e4fe5f76997c9dcb945a26bd75748c85d19ca8b99264dce50580e8d4dbda401dad7df31e9a7a6a3a83bfbdfb5394abd581ac0824fbcd75d2f5205c0b7c9188e6f26bfd97734d9a20433f6cdba9d14a5f32a4d97a57f4603b21146fd1aebf082e863d463c224ad623c17d8043d3bf083f0322408dd6ead6915ac6a4222ab51480eb6e11a8913348219515170d9df90d72d7363bbda3e327d19f98c0a856f98076380e788e602e8a2ae0a1930786874dc21a2e99abda15f35457cf1dcb440c4b41350d0eda352aad7f57a0adc8a6914da06460635ed21c4c11cd1a8ec778064c9f62efba2927828b23f94b16619a5520731c2c40ab8583c9f2e73233d74b84f4877ce6b35bb1180300"})
r9 = socket(0x10, 0x3, 0x0)
socket$packet(0x11, 0x3, 0x300)
sendmsg$nl_route_sched(r9, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000200)=@newqdisc={0x44, 0x24, 0x3fe3aa0262d8c583, 0x0, 0x2, {0x0, 0x0, 0x0, 0x0, {0x0, 0x1}, {0xffff, 0x3}}, [@qdisc_kind_options=@q_red={{0x8}, {0x18, 0x2, [@TCA_RED_PARMS={0x14, 0x1, {0x200, 0x3b, 0xfffffffd, 0x2, 0x1f, 0x18, 0x7}}]}}]}, 0x44}}, 0x26000894)
ioctl$KVM_RUN(r5, 0xae80, 0x0)
socket$pptp(0x18, 0x1, 0x2)

4.264475034s ago: executing program 0 (id=97):
socket$nl_route(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
sendmsg(r1, 0x0, 0x0)
r2 = socket$inet6_mptcp(0xa, 0x1, 0x106)
bpf$PROG_LOAD(0x5, &(0x7f00000002c0)={0xc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, '\x00', 0x0, @fallback=0x2b, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
r3 = socket$netlink(0x10, 0x3, 0x10)
setsockopt$sock_int(r3, 0x1, 0x8, &(0x7f0000000000), 0x4)
setsockopt$netlink_NETLINK_BROADCAST_ERROR(r3, 0x10e, 0x4, &(0x7f0000000100)=0x1800, 0x4)
syz_genetlink_get_family_id$nl80211(0x0, r3)
ioctl$FS_IOC_GETFSMAP(0xffffffffffffffff, 0xc0c0583b, &(0x7f0000000540)={0x0, 0x0, 0x5, 0x0, '\x00', [{0x7, 0x88, 0x5, 0x6, 0xfffffffffffffff3, 0x1}, {0x9, 0xffff7fff, 0x8, 0xc, 0x8000000000000001}], ['\x00', '\x00', '\x00', '\x00', '\x00']})
sendto$inet6(r2, 0x0, 0x0, 0x20004041, 0x0, 0x0)
connect$inet6(r2, &(0x7f0000000280)={0xa, 0x0, 0x0, @dev={0xfe, 0x80, '\x00', 0x19}, 0x7}, 0x1c)
syz_genetlink_get_family_id$mptcp(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_ADD_ADDR(0xffffffffffffffff, &(0x7f0000000480)={0x0, 0x0, 0x0}, 0x0)
r4 = syz_io_uring_setup(0x95, &(0x7f0000000140), &(0x7f0000000240)=<r5=>0x0, &(0x7f0000000100)=<r6=>0x0)
syz_io_uring_submit(r5, r6, &(0x7f00000002c0)=@IORING_OP_OPENAT2={0x1c, 0x0, 0x0, 0xffffffffffffff9c, &(0x7f00000004c0)={0x24102}, &(0x7f0000000500)='./file0\x00', 0x18})
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000500), 0x101, 0x0)
io_uring_enter(r4, 0x47f6, 0xbacc, 0x0, 0x0, 0x0)

4.221489568s ago: executing program 2 (id=98):
r0 = bpf$PROG_LOAD(0x5, 0x0, 0x0)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
getsockopt$inet6_tcp_TCP_REPAIR_WINDOW(r1, 0x6, 0x1d, 0x0, &(0x7f0000000040))
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000001c0)={&(0x7f0000000440)='xprtrdma_op_set_cto\x00', r0, 0x0, 0x81}, 0x18)
r2 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000540), 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r3 = syz_open_dev$loop(&(0x7f0000000000), 0x4, 0x88000)
ioctl$IOC_PR_PREEMPT(r3, 0x401870cb, 0x0)
r4 = getpid()
sched_setscheduler(r4, 0x2, &(0x7f0000000200)=0x4)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000200)={<r5=>0xffffffffffffffff, <r6=>0xffffffffffffffff})
sendmmsg$unix(r6, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r5, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
r7 = bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0xffffffffffffff1d)
socket$nl_route(0x10, 0x3, 0x0)
r8 = socket(0x2, 0x80805, 0x0)
setsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r8, 0x84, 0xa, &(0x7f0000000200), 0x20)
bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f0000000400)={r7, &(0x7f00000005c0)="e95015e07c5ecb4b1637c768a6b3ffd9e8b2a26c6be65e0f9ee49a09033331929544383e7822e5d6b4f00a97bb9bbb7d253286f29b6685", &(0x7f00000006c0)=""/174}, 0x20)
ioctl$AUTOFS_IOC_FAIL(r2, 0x4c80, 0xffffffffffffffb6)
unshare(0x40000000)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000280)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a03000000000000000000070000040900010073797a300000000088000000090a010400000000000000000700000308000a40000000000900020073797a30000000000900010073797a3000000000080005400000000d44001280200001800e000100636f6e6e6c696d69740000000c0002800800014000000008200001800e000100636f6e6e6c696d69740000000c000280080001400000e41f08000340000001201400000010000100000000000000000000840300"], 0xd0}}, 0x20050800)
remap_file_pages(&(0x7f0000800000/0x800000)=nil, 0x800000, 0x1000000, 0xb, 0x20)
bpf$PROG_LOAD(0x5, &(0x7f0000000480)={0x2, 0xb, &(0x7f0000000040)=ANY=[@ANYRESHEX], &(0x7f0000000180)='GPL\x00', 0x5, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, @fallback=0xa, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x990}, 0x94)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x0, 0x0, &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

2.846547619s ago: executing program 1 (id=99):
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x6, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x2)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0)
sched_setaffinity(0x0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_RECVRCVINFO(0xffffffffffffffff, 0x84, 0x20, 0x0, 0x0)
r0 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0)
read$msr(r0, &(0x7f0000019680)=""/102392, 0x18ff8)
syz_open_procfs(0x0, 0x0)
r1 = socket$inet6(0xa, 0x80002, 0x0)
r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000280)=@base={0x12, 0x4, 0x4, 0x12}, 0x48)
bpf$BPF_PROG_DETACH(0x8, &(0x7f0000000040)=ANY=[@ANYRES32=r2, @ANYRES32, @ANYBLOB='&'], 0x10)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000480)={{r2}, &(0x7f0000000340), &(0x7f0000000440)=r1}, 0x20)
sendmsg(r1, &(0x7f0000000440)={0x0, 0x0, 0x0}, 0x40051)
socket$nl_netfilter(0x10, 0x3, 0xc)
socket$inet6_mptcp(0xa, 0x1, 0x106)
timer_create(0x2, 0x0, 0x0)
timer_create(0x2, 0x0, &(0x7f0000000080)=<r3=>0x0)
timer_delete(r3)
r4 = add_key$keyring(&(0x7f0000000000), &(0x7f0000000100)={'syz', 0x1}, 0x0, 0x0, 0xfffffffffffffffe)
r5 = add_key$keyring(0x0, &(0x7f0000000140)={'syz', 0x1}, 0x0, 0x0, 0xffffffffffffffff)
keyctl$KEYCTL_RESTRICT_KEYRING(0x1d, r5, &(0x7f0000000240)='asymmetric\x00', &(0x7f00000001c0)=@keyring={'key_or_keyring:', r4})
keyctl$KEYCTL_RESTRICT_KEYRING(0x1d, r4, &(0x7f00000000c0)='asymmetric\x00', &(0x7f0000000280)=@chain={'key_or_keyring:', r5})
setsockopt$sock_attach_bpf(0xffffffffffffffff, 0x84, 0x25, 0x0, 0x0)

2.046143794s ago: executing program 2 (id=100):
r0 = socket$inet(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000300)={'bond0\x00'})
socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x1, 0x803, 0x0)
r2 = socket$nl_route(0x10, 0x3, 0x0)
r3 = socket(0x10, 0x803, 0x0)
bind$netlink(r3, &(0x7f0000000100)={0x10, 0x0, 0x25dfdbfa, 0x400000}, 0xc)
getsockname$packet(r3, 0x0, &(0x7f0000000080))
sendmsg$nl_route(r2, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000040)=ANY=[@ANYBLOB="3c00000010000d042abd70000000000000000000", @ANYRES32, @ANYBLOB="01001400000000001c00128009000100626f6e64000000000c0002800500010004"], 0x3c}, 0x1, 0x0, 0x0, 0x40040}, 0x0)
getsockname$packet(r1, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000002c0)=0x14)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000300)={'bond0\x00'})
r4 = socket$nl_route(0x10, 0x3, 0x0)
r5 = socket(0x11, 0x80a, 0x0)
ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f0000000300)={'bond0\x00', <r6=>0x0})
sendmsg$nl_route(r4, &(0x7f0000000140)={0x0, 0x0, &(0x7f00000006c0)={&(0x7f0000000380)=ANY=[@ANYBLOB="3c0000001000010400"/20, @ANYRES32=r6, @ANYBLOB="00000000000000001c00128009000100626f6e64000000000c0002800800070003"], 0x3c}}, 0x0)
r7 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r7, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000300)}], 0x1}, 0x0)

1.890593436s ago: executing program 1 (id=101):
connect$unix(0xffffffffffffffff, &(0x7f0000000300)=@abs, 0x6e)
recvmmsg(0xffffffffffffffff, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sendmsg(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, 0x0}, 0x8800)
sched_setattr(0x0, &(0x7f0000000100)={0x38, 0x5, 0x2, 0x0, 0x0, 0x2, 0x9, 0x6, 0x800, 0x7}, 0x0)
rseq(&(0x7f0000000400), 0x20, 0x0, 0x0)
syz_open_dev$dri(&(0x7f00000000c0), 0x1ff, 0x0)
r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000001740), 0x101042, 0x0)
ioctl$PPPIOCNEWUNIT(r0, 0xc004743e, 0x0)
ioctl$PPPIOCSACTIVE(r0, 0x40107446, &(0x7f0000000080)={0x2, &(0x7f00000000c0)=[{0x48, 0x8, 0xfe, 0x8}, {0x6, 0x0, 0x0, 0x8eb6}]})
syz_open_procfs(0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x40000000000, 0x5, &(0x7f0000006680))

1.746325458s ago: executing program 2 (id=102):
syz_usb_control_io(0xffffffffffffffff, 0x0, 0x0)
r0 = syz_open_dev$char_usb(0xc, 0xb4, 0x0)
writev(r0, &(0x7f0000002580)=[{&(0x7f0000000400)="b4", 0x1}], 0x1)

1.686598133s ago: executing program 1 (id=103):
r0 = syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101)
r1 = dup(r0)
write$6lowpan_enable(r1, &(0x7f0000000000)='0', 0xfffffd2c)
r2 = syz_io_uring_setup(0x239, &(0x7f0000000740)={0x0, 0x1c2a, 0x10100, 0x0, 0x0, 0x0, r1}, &(0x7f0000000180)=<r3=>0x0, &(0x7f00000001c0)=<r4=>0x0)
syz_io_uring_submit(r3, r4, &(0x7f0000000040)=@IORING_OP_POLL_ADD={0x6, 0x2, 0x0, @fd=r0, 0x0, 0x0, 0x0, {}, 0x1})
io_uring_enter(r2, 0x2ded, 0xef92, 0x0, 0x0, 0x0)
pipe(&(0x7f0000000000)={<r5=>0xffffffffffffffff})
vmsplice(r5, &(0x7f0000000180), 0x0, 0x8)

1.492387029s ago: executing program 0 (id=104):
r0 = syz_open_dev$dri(&(0x7f0000000080), 0x1, 0x0)
r1 = syz_open_dev$dri(&(0x7f0000000080), 0x1, 0x0)
ioctl$DRM_IOCTL_WAIT_VBLANK(r1, 0xc018643a, &(0x7f00000000c0)={0x4000001, 0x71, 0x200000009})
r2 = syz_io_uring_setup(0x66e, &(0x7f0000000240)={0x0, 0x0, 0x10100}, &(0x7f0000000380)=<r3=>0x0, &(0x7f0000000200)=<r4=>0x0)
syz_io_uring_submit(r3, r4, &(0x7f0000000180)=@IORING_OP_READV=@pass_iovec={0x1, 0x0, 0x0, @fd_index=0x4, 0x0, 0x0})
io_uring_enter(r2, 0x567, 0x0, 0x0, 0x0, 0x0)
ioctl$DRM_IOCTL_SET_CLIENT_CAP(r0, 0x4010640d, &(0x7f0000000000)={0x3, 0x2})
ioctl$DRM_IOCTL_MODE_GETPLANE(r0, 0xc02064b6, &(0x7f0000000300)={0x0, <r5=>0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$DRM_IOCTL_MODE_SETCRTC(r0, 0xc06864a2, &(0x7f0000000400)={0x0, 0x0, r5, 0x0, 0x0, 0x1f5, 0x0, 0x0, {0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, "b4bc323ef77d1f000071849800000000dfff00"}})

1.262908607s ago: executing program 0 (id=105):
r0 = syz_usb_connect(0x6, 0x0, 0x0, 0x0)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x18, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="18010000000000000000000000000000850000006d00000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000000)='sched_switch\x00', r1}, 0x10)
sendmsg$nl_xfrm(0xffffffffffffffff, &(0x7f0000000480)={0x0, 0x0, 0x0}, 0x0)
socket$nl_xfrm(0x10, 0x3, 0x6)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7)
r2 = getpid()
sched_setscheduler(r2, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r3=>0xffffffffffffffff, <r4=>0xffffffffffffffff})
connect$unix(r3, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r4, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r3, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6)
keyctl$instantiate(0xc, 0x0, &(0x7f0000000100)=@encrypted_load={'load ', 'default', 0x20, 'trusted:', 's}z', 0x20, 0xfcd}, 0x2f, 0xfffffffffffffffa)
syz_open_dev$sndctrl(0x0, 0x3, 0x404002)
r5 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)=[{&(0x7f0000000300)="d8000000180081054e81f782db4cb904021d080406037c09e8fe55a10a0015400400142603600e122f00160006000400a8000600200003400700027c035c0461c1d67f6f94007134cf6efb8000a007a290457f0189b316277ce06bbace8017cbec4c2ee5a7cef4090000001fb791643a5ee4ce1b14d6d930dfe1d9d322fe7c9f8775730d16a4683f5aeb4edbb57a5025ccca9e00360db798262f3d40fad95667e006dcdf63951f215ce3bb9ad809d5e1cace81ed0bffece0b42a9ecbee5de6ccd40dd6e4edef3d93452a92954b43370e9703920723", 0xd5}], 0x1, 0x0, 0x0, 0x4a0f0000}, 0xc000)
syz_usb_control_io$printer(r0, 0x0, 0x0)

906.160366ms ago: executing program 2 (id=106):
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
r1 = socket$nl_rdma(0x10, 0x3, 0x14)
syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
socket$inet_sctp(0x2, 0x5, 0x84)
socket$inet6_mptcp(0xa, 0x1, 0x106)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x9, 0x9}, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000280)=ANY=[@ANYBLOB="440000003e000701feffffff00000000017c0000040042800c00018006000600894f0000200002"], 0x44}, 0x1, 0x0, 0x0, 0x40040c0}, 0xc000)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0)
writev(0xffffffffffffffff, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
socket$nl_generic(0x10, 0x3, 0x10)
socket$nl_generic(0x10, 0x3, 0x10)
write$binfmt_script(0xffffffffffffffff, &(0x7f0000000000)={'#! ', './file0', [{0x20, 'axA\x9b^\xfb^$\r\'uij\r\xd9\xef\xd2Et^Q\v\x9fOFL\x95`Z\xae\xc3a\xfe%\x94\x1a\xebt\xc6\x06\x8fD,\xf7\xae#\x80\x80\xdf\xa3\xcaO\xc6\x8a\x91\x90\xadR\aW\xe1\xf3n\xca\xa3\x8f\xd6F\x03\x0e\x9b\xe5yb\xfc\xa19wUs\x83\xf1{&\n\x1d\x8e\x82y\x1a.B\x0e\xea\x17\xc7\xe7H\xa9\xd4\x8e\xe7 gD\x89*\xb5c<d\x1f\\\x10$o\x93\x02\x9c@\x9ddt\x8c\x875\xf7@\x9aM\xa3j\xfa\x1f\xe5\x81\xc9u<\xf0?w8P>\xc5\x8a\xe6R\xe5YGq\xf5\xb6\x95\xbc\x112\x9bno\xc8\x06\xb6\b\xcc\x03{Sn\x94G\x01\xb4\xffJQ8t\x99vY\xaaf\xc7,\x9f\xbb\x15G\x1cr\x19\xef\xab\n\xa8\xbc\xbd\xa2E\x16\x1cm\xbd=\x98\x7fU\xcbg\x15%\x95\xb11\x017\x83*\x14\xcbt\xc2\xcb\x04\x1e~?\xb9j\x18\x96\x84EA\xeaB\a\x83\xba\xdco<\x00'/256}]}, 0x10c)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
r3 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r3, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x3}, 0x6, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @default, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
socket(0x2, 0x80805, 0x0)
r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
connect$rose(r4, &(0x7f0000000040)=@short={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @default}, 0x1c)
connect$rose(r4, &(0x7f0000000100)=@full={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, 0x0, [@null, @null, @null, @default, @bcast, @default]}, 0x40)
sendmsg$RDMA_NLDEV_CMD_RES_PD_GET(r1, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f00000001c0)=ANY=[@ANYRES64=r3], 0x18}, 0x1, 0x0, 0x0, 0x4000040}, 0x0)
setsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r0, 0x84, 0x72, &(0x7f0000000380)={0x0, 0x0, 0x10}, 0xc)

72.172384ms ago: executing program 1 (id=107):
socket$nl_generic(0x10, 0x3, 0x10)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
r3 = syz_usbip_server_init(0x4)
syz_usb_connect(0x1, 0x2d, &(0x7f0000000100)=ANY=[@ANYBLOB="120100001ddf8208c00712152230000000010902"], 0x0)
write$usbip_server(r3, &(0x7f0000000040)=ANY=[@ANYBLOB="000000030000000100000000000000010000000800000fff000000000f0000340000000300000001000000000000000000000002000000050000000200005961000000017fffffff000000070000000800000006000000000000"], 0x60)
syz_emit_ethernet(0xfdef, &(0x7f0000000000)={@broadcast, @dev, @void, {@arp={0x806, @ether_ipv4={0x1, 0x800, 0x6, 0x4, 0x1, @local, @empty, @empty, @local}}}}, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000180)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0}, 0x48)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'netdevsim0\x00'})
sendmsg$ETHTOOL_MSG_PAUSE_SET(r4, &(0x7f00000000c0)={0x0, 0x0, 0x0}, 0x80)
r5 = bpf$PROG_LOAD(0x5, &(0x7f00000003c0)={0x11, 0x0, 0x0, &(0x7f0000001dc0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x21, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000080)='sched_switch\x00', r5}, 0x2d)
r6 = socket$netlink(0x10, 0x3, 0xc)
setsockopt$netlink_NETLINK_BROADCAST_ERROR(r6, 0x10e, 0x4, &(0x7f0000000140)=0x6, 0x4)
socket$nl_netfilter(0x10, 0x3, 0xc)

0s ago: executing program 3 (id=108):
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
r1 = socket$nl_rdma(0x10, 0x3, 0x14)
syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
socket$inet_sctp(0x2, 0x5, 0x84)
socket$inet6_mptcp(0xa, 0x1, 0x106)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x9, 0x9}, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000280)=ANY=[@ANYBLOB="440000003e000701feffffff00000000017c0000040042800c00018006000600894f0000200002"], 0x44}, 0x1, 0x0, 0x0, 0x40040c0}, 0xc000)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0)
r2 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r2, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
socket$nl_generic(0x10, 0x3, 0x10)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r4, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x3}, 0x6, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @default, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
socket(0x2, 0x80805, 0x0)
r5 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
connect$rose(r5, &(0x7f0000000040)=@short={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @default}, 0x1c)
connect$rose(r5, &(0x7f0000000100)=@full={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, 0x0, [@null, @null, @null, @default, @bcast, @default]}, 0x40)
sendmsg$RDMA_NLDEV_CMD_RES_PD_GET(r1, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f00000001c0)=ANY=[@ANYRES64=r4], 0x18}, 0x1, 0x0, 0x0, 0x4000040}, 0x0)
setsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r0, 0x84, 0x72, &(0x7f0000000380)={0x0, 0x0, 0x10}, 0xc)

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.0.61' (ED25519) to the list of known hosts.
[   74.952121][ T5773] cgroup: Unknown subsys name 'net'
[   75.091544][ T5773] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   76.792543][ T5773] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   78.886416][   T50] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   78.896304][ T5788] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   78.905581][ T5790] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   78.914296][ T5790] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   78.921983][ T5790] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   78.929403][ T5790] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   78.957709][ T5788] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   78.965809][ T5101] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   78.966885][ T5788] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   78.975232][ T5101] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   78.981131][ T5788] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   78.987841][ T5101] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   79.002384][ T5101] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   79.005406][ T5788] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   79.010306][ T5101] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[   79.017425][ T5788] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[   79.023933][ T5101] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   79.030935][ T5788] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   79.063542][ T5784] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   79.071582][ T5784] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   79.079364][ T5784] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   79.087551][ T5784] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   79.095400][ T5784] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[   79.103046][ T5784] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   79.524644][ T5782] chnl_net:caif_netlink_parms(): no params data found
[   79.663597][ T5787] chnl_net:caif_netlink_parms(): no params data found
[   79.801549][ T5786] chnl_net:caif_netlink_parms(): no params data found
[   79.812243][ T5782] bridge0: port 1(bridge_slave_0) entered blocking state
[   79.819982][ T5782] bridge0: port 1(bridge_slave_0) entered disabled state
[   79.827484][ T5782] bridge_slave_0: entered allmulticast mode
[   79.835041][ T5782] bridge_slave_0: entered promiscuous mode
[   79.844451][ T5782] bridge0: port 2(bridge_slave_1) entered blocking state
[   79.851584][ T5782] bridge0: port 2(bridge_slave_1) entered disabled state
[   79.858785][ T5782] bridge_slave_1: entered allmulticast mode
[   79.866350][ T5782] bridge_slave_1: entered promiscuous mode
[   79.873904][ T5793] chnl_net:caif_netlink_parms(): no params data found
[   79.913978][ T5787] bridge0: port 1(bridge_slave_0) entered blocking state
[   79.921147][ T5787] bridge0: port 1(bridge_slave_0) entered disabled state
[   79.928378][ T5787] bridge_slave_0: entered allmulticast mode
[   79.935641][ T5787] bridge_slave_0: entered promiscuous mode
[   79.976901][ T5782] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   79.987119][ T5787] bridge0: port 2(bridge_slave_1) entered blocking state
[   79.994502][ T5787] bridge0: port 2(bridge_slave_1) entered disabled state
[   80.001696][ T5787] bridge_slave_1: entered allmulticast mode
[   80.009964][ T5787] bridge_slave_1: entered promiscuous mode
[   80.049499][ T5782] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   80.109429][ T5787] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   80.143580][ T5787] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   80.177731][ T5782] team0: Port device team_slave_0 added
[   80.232333][ T5782] team0: Port device team_slave_1 added
[   80.253352][ T5787] team0: Port device team_slave_0 added
[   80.269979][ T5786] bridge0: port 1(bridge_slave_0) entered blocking state
[   80.277812][ T5786] bridge0: port 1(bridge_slave_0) entered disabled state
[   80.285487][ T5786] bridge_slave_0: entered allmulticast mode
[   80.292379][ T5786] bridge_slave_0: entered promiscuous mode
[   80.314551][ T5787] team0: Port device team_slave_1 added
[   80.321337][ T5782] batman_adv: batadv0: Adding interface: batadv_slave_0
[   80.328719][ T5782] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   80.354994][ T5782] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   80.367803][ T5793] bridge0: port 1(bridge_slave_0) entered blocking state
[   80.375230][ T5793] bridge0: port 1(bridge_slave_0) entered disabled state
[   80.382395][ T5793] bridge_slave_0: entered allmulticast mode
[   80.389514][ T5793] bridge_slave_0: entered promiscuous mode
[   80.397306][ T5786] bridge0: port 2(bridge_slave_1) entered blocking state
[   80.404623][ T5786] bridge0: port 2(bridge_slave_1) entered disabled state
[   80.411805][ T5786] bridge_slave_1: entered allmulticast mode
[   80.419629][ T5786] bridge_slave_1: entered promiscuous mode
[   80.438417][ T5782] batman_adv: batadv0: Adding interface: batadv_slave_1
[   80.445411][ T5782] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   80.471418][ T5782] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   80.482601][ T5793] bridge0: port 2(bridge_slave_1) entered blocking state
[   80.489792][ T5793] bridge0: port 2(bridge_slave_1) entered disabled state
[   80.497302][ T5793] bridge_slave_1: entered allmulticast mode
[   80.504339][ T5793] bridge_slave_1: entered promiscuous mode
[   80.575616][ T5786] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   80.588965][ T5786] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   80.599736][ T5787] batman_adv: batadv0: Adding interface: batadv_slave_0
[   80.607132][ T5787] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   80.633288][ T5787] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   80.646025][ T5787] batman_adv: batadv0: Adding interface: batadv_slave_1
[   80.653118][ T5787] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   80.679462][ T5787] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   80.746812][ T5786] team0: Port device team_slave_0 added
[   80.767973][ T5793] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   80.780758][ T5793] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   80.792547][ T5786] team0: Port device team_slave_1 added
[   80.815165][ T5782] hsr_slave_0: entered promiscuous mode
[   80.821866][ T5782] hsr_slave_1: entered promiscuous mode
[   80.864216][ T5786] batman_adv: batadv0: Adding interface: batadv_slave_0
[   80.871273][ T5786] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   80.897839][ T5786] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   80.938875][ T5787] hsr_slave_0: entered promiscuous mode
[   80.945494][ T5787] hsr_slave_1: entered promiscuous mode
[   80.951636][ T5787] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[   80.959616][ T5787] Cannot create hsr debugfs directory
[   80.966680][ T5786] batman_adv: batadv0: Adding interface: batadv_slave_1
[   80.974262][ T5786] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   81.001051][ T5786] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   81.001633][ T5784] Bluetooth: hci0: command tx timeout
[   81.022138][ T5793] team0: Port device team_slave_0 added
[   81.073188][ T5784] Bluetooth: hci2: command tx timeout
[   81.073287][   T50] Bluetooth: hci1: command tx timeout
[   81.079825][ T5793] team0: Port device team_slave_1 added
[   81.152851][   T50] Bluetooth: hci3: command tx timeout
[   81.178725][ T5793] batman_adv: batadv0: Adding interface: batadv_slave_0
[   81.185822][ T5793] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   81.211815][ T5793] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   81.245650][ T5786] hsr_slave_0: entered promiscuous mode
[   81.252139][ T5786] hsr_slave_1: entered promiscuous mode
[   81.258577][ T5786] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[   81.266692][ T5786] Cannot create hsr debugfs directory
[   81.292935][ T5793] batman_adv: batadv0: Adding interface: batadv_slave_1
[   81.299925][ T5793] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   81.326071][ T5793] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   81.507005][ T5793] hsr_slave_0: entered promiscuous mode
[   81.514728][ T5793] hsr_slave_1: entered promiscuous mode
[   81.520956][ T5793] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[   81.529320][ T5793] Cannot create hsr debugfs directory
[   81.706130][ T5782] netdevsim netdevsim1 netdevsim0: renamed from eth0
[   81.741038][ T5782] netdevsim netdevsim1 netdevsim1: renamed from eth1
[   81.759490][ T5782] netdevsim netdevsim1 netdevsim2: renamed from eth2
[   81.807234][ T5782] netdevsim netdevsim1 netdevsim3: renamed from eth3
[   81.870183][ T5787] netdevsim netdevsim2 netdevsim0: renamed from eth0
[   81.889550][ T5787] netdevsim netdevsim2 netdevsim1: renamed from eth1
[   81.913331][ T5787] netdevsim netdevsim2 netdevsim2: renamed from eth2
[   81.927031][ T5787] netdevsim netdevsim2 netdevsim3: renamed from eth3
[   82.031119][ T5786] netdevsim netdevsim0 netdevsim0: renamed from eth0
[   82.043227][ T5786] netdevsim netdevsim0 netdevsim1: renamed from eth1
[   82.089594][ T5786] netdevsim netdevsim0 netdevsim2: renamed from eth2
[   82.100780][ T5786] netdevsim netdevsim0 netdevsim3: renamed from eth3
[   82.177676][ T5793] netdevsim netdevsim3 netdevsim0: renamed from eth0
[   82.189147][ T5793] netdevsim netdevsim3 netdevsim1: renamed from eth1
[   82.223983][ T5793] netdevsim netdevsim3 netdevsim2: renamed from eth2
[   82.236296][ T5793] netdevsim netdevsim3 netdevsim3: renamed from eth3
[   82.312534][ T5782] 8021q: adding VLAN 0 to HW filter on device bond0
[   82.430736][ T5782] 8021q: adding VLAN 0 to HW filter on device team0
[   82.460667][ T5787] 8021q: adding VLAN 0 to HW filter on device bond0
[   82.485971][  T744] bridge0: port 1(bridge_slave_0) entered blocking state
[   82.493426][  T744] bridge0: port 1(bridge_slave_0) entered forwarding state
[   82.532055][ T5787] 8021q: adding VLAN 0 to HW filter on device team0
[   82.561323][   T58] bridge0: port 2(bridge_slave_1) entered blocking state
[   82.568492][   T58] bridge0: port 2(bridge_slave_1) entered forwarding state
[   82.594266][   T58] bridge0: port 1(bridge_slave_0) entered blocking state
[   82.601386][   T58] bridge0: port 1(bridge_slave_0) entered forwarding state
[   82.626294][  T744] bridge0: port 2(bridge_slave_1) entered blocking state
[   82.633514][  T744] bridge0: port 2(bridge_slave_1) entered forwarding state
[   82.664216][ T5786] 8021q: adding VLAN 0 to HW filter on device bond0
[   82.674902][ T5793] 8021q: adding VLAN 0 to HW filter on device bond0
[   82.777126][ T5786] 8021q: adding VLAN 0 to HW filter on device team0
[   82.801690][   T12] bridge0: port 1(bridge_slave_0) entered blocking state
[   82.808884][   T12] bridge0: port 1(bridge_slave_0) entered forwarding state
[   82.825802][ T5793] 8021q: adding VLAN 0 to HW filter on device team0
[   82.850930][  T744] bridge0: port 2(bridge_slave_1) entered blocking state
[   82.858153][  T744] bridge0: port 2(bridge_slave_1) entered forwarding state
[   82.900647][  T744] bridge0: port 1(bridge_slave_0) entered blocking state
[   82.907878][  T744] bridge0: port 1(bridge_slave_0) entered forwarding state
[   82.950017][  T744] bridge0: port 2(bridge_slave_1) entered blocking state
[   82.957241][  T744] bridge0: port 2(bridge_slave_1) entered forwarding state
[   83.090112][   T50] Bluetooth: hci0: command tx timeout
[   83.153883][   T50] Bluetooth: hci2: command tx timeout
[   83.154147][ T5784] Bluetooth: hci1: command tx timeout
[   83.235339][ T5784] Bluetooth: hci3: command tx timeout
[   83.307331][ T5782] 8021q: adding VLAN 0 to HW filter on device batadv0
[   83.361500][ T5787] 8021q: adding VLAN 0 to HW filter on device batadv0
[   83.489746][ T5787] veth0_vlan: entered promiscuous mode
[   83.514769][ T5782] veth0_vlan: entered promiscuous mode
[   83.545435][ T5782] veth1_vlan: entered promiscuous mode
[   83.558647][ T5787] veth1_vlan: entered promiscuous mode
[   83.591637][ T5793] 8021q: adding VLAN 0 to HW filter on device batadv0
[   83.608212][ T5786] 8021q: adding VLAN 0 to HW filter on device batadv0
[   83.639811][ T5782] veth0_macvtap: entered promiscuous mode
[   83.651687][ T5782] veth1_macvtap: entered promiscuous mode
[   83.685498][ T5787] veth0_macvtap: entered promiscuous mode
[   83.703592][ T5782] batman_adv: batadv0: Interface activated: batadv_slave_0
[   83.734867][ T5782] batman_adv: batadv0: Interface activated: batadv_slave_1
[   83.748670][ T5782] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   83.758163][ T5782] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   83.767941][ T5782] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   83.776757][ T5782] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   83.788101][ T5787] veth1_macvtap: entered promiscuous mode
[   83.822349][ T5793] veth0_vlan: entered promiscuous mode
[   83.882375][ T5793] veth1_vlan: entered promiscuous mode
[   83.897535][ T5786] veth0_vlan: entered promiscuous mode
[   83.911369][ T5786] veth1_vlan: entered promiscuous mode
[   83.942277][ T5787] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
[   83.958759][ T5787] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[   83.974411][ T5787] batman_adv: batadv0: Interface activated: batadv_slave_0
[   84.018341][ T5793] veth0_macvtap: entered promiscuous mode
[   84.028344][ T5787] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
[   84.040761][   T42] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   84.051285][   T42] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   84.056346][ T5787] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[   84.070353][ T5787] batman_adv: batadv0: Interface activated: batadv_slave_1
[   84.084962][ T5793] veth1_macvtap: entered promiscuous mode
[   84.105585][ T5787] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   84.115170][ T5787] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   84.124253][ T5787] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   84.133406][ T5787] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   84.175254][   T11] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   84.189841][   T11] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   84.190774][ T5786] veth0_macvtap: entered promiscuous mode
[   84.228847][ T5793] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
[   84.241492][ T5793] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[   84.251880][ T5793] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
[   84.263558][ T5793] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[   84.275527][ T5793] batman_adv: batadv0: Interface activated: batadv_slave_0
[   84.306623][ T5786] veth1_macvtap: entered promiscuous mode
[   84.330534][ T5793] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
[   84.345253][ T5793] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[   84.356932][ T5793] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
[   84.367503][ T5793] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[   84.379409][ T5793] batman_adv: batadv0: Interface activated: batadv_slave_1
[   84.417746][ T1122] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   84.435052][ T1122] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   84.447596][ T5793] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   84.459143][ T5793] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   84.470332][ T5793] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   84.482172][ T5793] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   84.557292][ T5786] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
[   84.569017][ T5786] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[   84.579910][ T5786] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
[   84.599735][ T5786] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[   84.610067][ T5786] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
[   84.627901][ T5786] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[   84.640325][ T5786] batman_adv: batadv0: Interface activated: batadv_slave_0
[   84.691121][ T5786] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
[   84.701807][ T5786] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[   84.712492][ T5786] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
[   84.723470][ T5786] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[   84.735785][ T5786] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
[   84.746583][ T5786] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[   84.760389][ T5786] batman_adv: batadv0: Interface activated: batadv_slave_1
[   84.773883][   T48] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   84.782776][   T48] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   84.808323][ T5786] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   84.843402][ T5786] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   84.858018][ T5786] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   84.867139][ T5786] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   84.977701][   T42] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   85.016630][   T42] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   85.087562][ T5877] kvm_intel: L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
[   85.100112][   T11] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   85.114199][   T11] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   85.152858][ T5784] Bluetooth: hci0: command tx timeout
[   85.238014][ T5784] Bluetooth: hci1: command tx timeout
[   85.245981][ T5784] Bluetooth: hci2: command tx timeout
[   85.302213][ T5882] IPVS: sync thread started: state = MASTER, mcast_ifn = veth0_virt_wifi, syncid = 33554432, id = 0
[   85.315733][   T50] Bluetooth: hci3: command tx timeout
[   85.377445][   T48] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   85.417477][   T48] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   86.132208][ T1122] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   86.156246][ T1122] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   86.454870][ T5888] vhci_hcd vhci_hcd.0: pdev(3) rhport(0) sockfd(6)
[   86.461621][ T5888] vhci_hcd vhci_hcd.0: devid(0) speed(4) speed_str(wireless)
[   86.470687][ T5888] vhci_hcd vhci_hcd.0: Device attached
[   86.692986][ T5850] vhci_hcd: vhci_device speed not set
[   86.705087][ T5872] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   86.758933][ T1203] cfg80211: failed to load regulatory.db
[   86.772914][ T5850] usb 39-1: new full-speed USB device number 2 using vhci_hcd
[   86.803633][ T5829] usb 4-1: new low-speed USB device number 2 using dummy_hcd
[   86.930826][ T5872] usb 1-1: New USB device found, idVendor=1a86, idProduct=7522, bcdDevice=35.36
[   86.942258][ T5872] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   86.953485][ T5872] usb 1-1: Product: syz
[   86.958156][ T5872] usb 1-1: Manufacturer: syz
[   86.963087][ T5872] usb 1-1: SerialNumber: syz
[   87.038102][ T5829] usb 4-1: config 0 has no interfaces?
[   87.094283][ T5872] usb 1-1: config 0 descriptor??
[   87.113150][ T5829] usb 4-1: New USB device found, idVendor=07c0, idProduct=1512, bcdDevice=30.22
[   87.140952][ T5872] ch341 1-1:0.0: ch341-uart converter detected
[   87.165446][ T5829] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   87.200243][ T5829] usb 4-1: config 0 descriptor??
[   87.225308][   T42] bond0: (slave bond_slave_0): interface is now down
[   87.233480][   T50] Bluetooth: hci0: command tx timeout
[   87.241478][   T42] bond0: (slave bond_slave_1): interface is now down
[   87.255656][ T5898] Zero length message leads to an empty skb
[   87.263690][   T12] bond0: (slave bond_slave_0): interface is now down
[   87.270481][   T12] bond0: (slave bond_slave_1): interface is now down
[   87.280449][   T12] bond0: now running without any active interface!
[   87.313406][   T50] Bluetooth: hci2: command tx timeout
[   87.319202][ T5784] Bluetooth: hci1: command tx timeout
[   87.369893][ T5872] usb 1-1: failed to receive control message: -121
[   87.377185][ T5872] ch341-uart: probe of ttyUSB0 failed with error -121
[   87.410706][   T50] Bluetooth: hci3: command tx timeout
[   87.523245][ T5891] vhci_hcd: unknown pdu 2
[   87.596000][  T744] vhci_hcd: stop threads
[   87.623715][ T5850] vhci_hcd: vhci_device speed not set
[   87.779286][  T744] vhci_hcd: release socket
[   88.766829][  T744] vhci_hcd: disconnect device
[   88.826669][ T5850] usb 39-1: device descriptor read/64, error -71
[   89.214005][ T5850] vhci_hcd: vhci_device speed not set
[   89.263246][ T5875] usb 4-1: USB disconnect, device number 2
[   89.633027][    T0] NOHZ tick-stop error: local softirq work is pending, handler #08!!!
[   89.945075][    T0] NOHZ tick-stop error: local softirq work is pending, handler #40!!!
[   90.047455][    T0] NOHZ tick-stop error: local softirq work is pending, handler #140!!!
[   90.113856][    T0] NOHZ tick-stop error: local softirq work is pending, handler #08!!!
[   90.151868][ T5918] bpq0: entered allmulticast mode
[   90.193193][    T0] NOHZ tick-stop error: local softirq work is pending, handler #08!!!
[   90.252246][    T0] NOHZ tick-stop error: local softirq work is pending, handler #40!!!
[   90.283318][    T0] NOHZ tick-stop error: local softirq work is pending, handler #08!!!
[   90.353516][    T0] NOHZ tick-stop error: local softirq work is pending, handler #08!!!
[   90.362611][    T0] NOHZ tick-stop error: local softirq work is pending, handler #40!!!
[   90.559469][    T0] NOHZ tick-stop error: local softirq work is pending, handler #40!!!
[   90.826596][ T5875] usb 1-1: USB disconnect, device number 2
[   90.836865][ T5875] ch341 1-1:0.0: device disconnected
[   93.078996][ T5943] IPVS: sync thread started: state = MASTER, mcast_ifn = veth0_virt_wifi, syncid = 33554432, id = 0
[   94.648612][   T42] bond0: (slave bond_slave_0): interface is now down
[   94.674184][   T42] bond0: (slave bond_slave_1): interface is now down
[   94.698624][   T42] bond0: now running without any active interface!
[   96.023954][ T5875] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[   96.700358][ T5875] usb 1-1: New USB device found, idVendor=1a86, idProduct=7522, bcdDevice=35.36
[   96.712776][ T5875] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   96.720810][ T5875] usb 1-1: Product: syz
[   96.725212][ T5875] usb 1-1: Manufacturer: syz
[   96.743881][ T5875] usb 1-1: SerialNumber: syz
[   96.937276][ T5875] usb 1-1: config 0 descriptor??
[   97.159579][ T5875] ch341 1-1:0.0: ch341-uart converter detected
[   97.344200][ T5875] usb 1-1: failed to receive control message: -121
[   97.352053][ T5875] ch341-uart: probe of ttyUSB0 failed with error -121
[   98.592956][    T9] usb 1-1: USB disconnect, device number 3
[   98.609085][    T9] ch341 1-1:0.0: device disconnected
[  100.922708][    C0] hrtimer: interrupt took 72071 ns
[  101.729185][ T6017] kvm: vcpu 0: requested lapic timer restore with starting count register 0x390=2142054965 (4284109930 ns) > initial count (2850433972 ns). Using initial count to start timer.
[  104.332761][ T5822] usb 4-1: new high-speed USB device number 3 using dummy_hcd
[  104.532866][ T5822] usb 4-1: Using ep0 maxpacket: 32
[  104.746569][ T5822] usb 4-1: config index 0 descriptor too short (expected 156, got 27)
[  104.779649][ T5822] usb 4-1: too many endpoints for config 0 interface 0 altsetting 191: 144, using maximum allowed: 30
[  104.875949][ T6046] mmap: syz.2.46 (6046) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst.
[  104.899183][ T5822] usb 4-1: config 0 interface 0 altsetting 191 endpoint 0x87 has an invalid bInterval 0, changing to 7
[  104.976137][ T5822] usb 4-1: config 0 interface 0 altsetting 191 has 1 endpoint descriptor, different from the interface descriptor's value: 144
[  105.080972][ T5822] usb 4-1: config 0 interface 0 has no altsetting 0
[  105.154513][ T5822] usb 4-1: New USB device found, idVendor=0f11, idProduct=1021, bcdDevice=86.66
[  105.188722][ T5822] usb 4-1: New USB device strings: Mfr=85, Product=120, SerialNumber=172
[  105.221244][ T5822] usb 4-1: Product: syz
[  105.385862][ T5822] usb 4-1: Manufacturer: syz
[  105.406419][ T5822] usb 4-1: SerialNumber: syz
[  105.441410][ T5822] usb 4-1: config 0 descriptor??
[  105.620565][ T5822] ldusb 4-1:0.0: Interrupt out endpoint not found (using control endpoint instead)
[  106.525981][ T5822] ldusb 4-1:0.0: LD USB Device #0 now attached to major 180 minor 0
[  106.605060][    T9] usb 4-1: USB disconnect, device number 3
[  106.651869][    T9] ldusb 4-1:0.0: LD USB Device #0 now disconnected
[  106.937200][ T6057] IPVS: sync thread started: state = MASTER, mcast_ifn = veth0_virt_wifi, syncid = 33554432, id = 0
[  110.143827][ T6084] kvm: vcpu 0: requested lapic timer restore with starting count register 0x390=2142054965 (4284109930 ns) > initial count (2850433972 ns). Using initial count to start timer.
[  111.880384][    T9] usb 4-1: new high-speed USB device number 4 using dummy_hcd
[  112.252737][    T9] usb 4-1: Using ep0 maxpacket: 32
[  112.269927][    T9] usb 4-1: config index 0 descriptor too short (expected 156, got 27)
[  112.990335][    T9] usb 4-1: too many endpoints for config 0 interface 0 altsetting 191: 144, using maximum allowed: 30
[  113.064754][    T9] usb 4-1: config 0 interface 0 altsetting 191 endpoint 0x87 has an invalid bInterval 0, changing to 7
[  113.089700][    T9] usb 4-1: config 0 interface 0 altsetting 191 has 1 endpoint descriptor, different from the interface descriptor's value: 144
[  113.109056][    T9] usb 4-1: config 0 interface 0 has no altsetting 0
[  113.125398][    T9] usb 4-1: New USB device found, idVendor=0f11, idProduct=1021, bcdDevice=86.66
[  113.152248][    T9] usb 4-1: New USB device strings: Mfr=85, Product=120, SerialNumber=172
[  113.186769][    T9] usb 4-1: Product: syz
[  113.203008][    T9] usb 4-1: Manufacturer: syz
[  113.207667][    T9] usb 4-1: SerialNumber: syz
[  113.228593][    T9] usb 4-1: config 0 descriptor??
[  113.251073][    T9] ldusb 4-1:0.0: Interrupt out endpoint not found (using control endpoint instead)
[  113.263602][    T9] ldusb 4-1:0.0: LD USB Device #0 now attached to major 180 minor 0
[  116.645472][ T6133] kvm: vcpu 0: requested lapic timer restore with starting count register 0x390=2142054965 (4284109930 ns) > initial count (2850433972 ns). Using initial count to start timer.
[  118.523932][ T6094] ldusb 4-1:0.0: Couldn't submit HID_REQ_SET_REPORT -110
[  118.562792][ T6003] usb 4-1: USB disconnect, device number 4
[  118.589287][ T6003] ldusb 4-1:0.0: LD USB Device #0 now disconnected
[  122.890023][   T42] bond0: (slave bond_slave_0): interface is now down
[  122.942793][   T42] bond0: (slave bond_slave_1): interface is now down
[  123.012738][   T12] bond0: (slave bond_slave_0): interface is now down
[  123.030238][   T12] bond0: (slave bond_slave_1): interface is now down
[  123.054900][   T42] bond0: (slave bond_slave_0): interface is now down
[  123.114506][   T42] bond0: (slave bond_slave_1): interface is now down
[  123.155372][ T1132] bond0: (slave bond_slave_0): interface is now down
[  123.162771][ T1132] bond0: (slave bond_slave_1): interface is now down
[  123.174530][ T1132] bond0: now running without any active interface!
[  123.252806][    T9] usb 4-1: new high-speed USB device number 5 using dummy_hcd
[  123.432867][    T9] usb 4-1: Using ep0 maxpacket: 32
[  123.444312][    T9] usb 4-1: config index 0 descriptor too short (expected 156, got 27)
[  123.460526][    T9] usb 4-1: too many endpoints for config 0 interface 0 altsetting 191: 144, using maximum allowed: 30
[  123.474788][    T9] usb 4-1: config 0 interface 0 altsetting 191 endpoint 0x87 has an invalid bInterval 0, changing to 7
[  123.488942][    T9] usb 4-1: config 0 interface 0 altsetting 191 has 1 endpoint descriptor, different from the interface descriptor's value: 144
[  123.506417][    T9] usb 4-1: config 0 interface 0 has no altsetting 0
[  123.518509][    T9] usb 4-1: New USB device found, idVendor=0f11, idProduct=1021, bcdDevice=86.66
[  123.546984][    T9] usb 4-1: New USB device strings: Mfr=85, Product=120, SerialNumber=172
[  123.567843][    T9] usb 4-1: Product: syz
[  123.581382][    T9] usb 4-1: Manufacturer: syz
[  123.589519][    T9] usb 4-1: SerialNumber: syz
[  123.600713][    T9] usb 4-1: config 0 descriptor??
[  123.616654][    T9] ldusb 4-1:0.0: Interrupt out endpoint not found (using control endpoint instead)
[  123.631810][    T9] ldusb 4-1:0.0: LD USB Device #0 now attached to major 180 minor 0
[  125.587748][ T6213] kvm: vcpu 0: requested lapic timer restore with starting count register 0x390=2142054965 (4284109930 ns) > initial count (2850433972 ns). Using initial count to start timer.
[  128.750445][ T5968] bond0: (slave bond_slave_0): interface is now down
[  128.763897][ T5968] bond0: (slave bond_slave_1): interface is now down
[  128.787169][ T5968] bond0: (slave bond_slave_0): interface is now down
[  128.794316][ T5968] bond0: (slave bond_slave_1): interface is now down
[  128.804037][ T5968] bond0: now running without any active interface!
[  128.833314][ T6188] ldusb 4-1:0.0: Couldn't submit HID_REQ_SET_REPORT -110
[  128.933656][ T5822] usb 4-1: USB disconnect, device number 5
[  128.954239][ T5822] ldusb 4-1:0.0: LD USB Device #0 now disconnected
[  130.573789][ T6253] kvm: vcpu 0: requested lapic timer restore with starting count register 0x390=2142054965 (4284109930 ns) > initial count (2850433972 ns). Using initial count to start timer.
[  131.521414][ T6268] IPVS: sync thread started: state = MASTER, mcast_ifn = veth0_virt_wifi, syncid = 33554432, id = 0
[  132.836470][ T1286] ieee802154 phy0 wpan0: encryption failed: -22
[  132.843393][ T1286] ieee802154 phy1 wpan1: encryption failed: -22
[  134.429540][ T6294] vhci_hcd vhci_hcd.0: pdev(1) rhport(0) sockfd(6)
[  134.436132][ T6294] vhci_hcd vhci_hcd.0: devid(0) speed(4) speed_str(wireless)
[  134.443987][ T6294] vhci_hcd vhci_hcd.0: Device attached
[  134.506155][ T6300] bpq0: entered promiscuous mode
[  134.511311][ T6300] bpq0: left allmulticast mode
[  134.742745][ T5822] usb 2-1: new low-speed USB device number 2 using dummy_hcd
[  135.236004][ T6301] ==================================================================
[  135.244117][ T6301] BUG: KASAN: slab-use-after-free in rose_transmit_link+0x5ba/0x740
[  135.252111][ T6301] Read of size 1 at addr ffff8880303efc32 by task syz.3.108/6301
[  135.259821][ T6301] 
[  135.262154][ T6301] CPU: 0 PID: 6301 Comm: syz.3.108 Not tainted 6.6.101-syzkaller #0
[  135.270124][ T6301] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
[  135.280172][ T6301] Call Trace:
[  135.283455][ T6301]  <TASK>
[  135.286402][ T6301]  dump_stack_lvl+0x16c/0x230
[  135.291094][ T6301]  ? __lock_acquire+0x7c80/0x7c80
[  135.296116][ T6301]  ? show_regs_print_info+0x20/0x20
[  135.301316][ T6301]  ? load_image+0x3b0/0x3b0
[  135.305827][ T6301]  ? _raw_spin_lock_irqsave+0xb4/0xf0
[  135.311210][ T6301]  ? __virt_addr_valid+0x18c/0x540
[  135.316326][ T6301]  ? __virt_addr_valid+0x469/0x540
[  135.321436][ T6301]  print_report+0xac/0x220
[  135.325873][ T6301]  ? rose_transmit_link+0x5ba/0x740
[  135.331077][ T6301]  kasan_report+0x117/0x150
[  135.335579][ T6301]  ? kmem_cache_alloc_node+0x17f/0x330
[  135.341043][ T6301]  ? rose_transmit_link+0x5ba/0x740
[  135.346248][ T6301]  rose_transmit_link+0x5ba/0x740
[  135.351276][ T6301]  ? skb_put+0x11b/0x210
[  135.355540][ T6301]  rose_write_internal+0x11d1/0x1ab0
[  135.360857][ T6301]  ? rose_validate_nr+0x120/0x120
[  135.365906][ T6301]  ? __timer_delete+0x6b/0x290
[  135.370692][ T6301]  ? skb_queue_purge_reason+0x6c/0x1c0
[  135.376175][ T6301]  rose_release+0x24e/0x510
[  135.380700][ T6301]  sock_close+0xbd/0x230
[  135.384969][ T6301]  ? sock_mmap+0xa0/0xa0
[  135.389239][ T6301]  __fput+0x234/0x970
[  135.393251][ T6301]  task_work_run+0x1ce/0x250
[  135.397872][ T6301]  ? task_work_cancel+0x240/0x240
[  135.402942][ T6301]  get_signal+0x1235/0x1400
[  135.407485][ T6301]  ? task_work_add+0x3a3/0x440
[  135.412284][ T6301]  ? __ia32_sys_pidfd_getfd+0x90/0x90
[  135.417686][ T6301]  ? wake_bit_function+0x200/0x200
[  135.422818][ T6301]  ? security_socket_connect+0x79/0xa0
[  135.428296][ T6301]  arch_do_signal_or_restart+0x96/0x780
[  135.433874][ T6301]  ? __sys_connect+0x240/0x420
[  135.438669][ T6301]  ? get_sigframe_size+0x20/0x20
[  135.443646][ T6301]  ? exit_to_user_mode_loop+0x3b/0x110
[  135.449125][ T6301]  exit_to_user_mode_loop+0x70/0x110
[  135.454436][ T6301]  exit_to_user_mode_prepare+0xb1/0x140
[  135.459992][ T6301]  syscall_exit_to_user_mode+0x1a/0x50
[  135.465461][ T6301]  do_syscall_64+0x61/0xb0
[  135.469891][ T6301]  ? clear_bhb_loop+0x40/0x90
[  135.474567][ T6301]  ? clear_bhb_loop+0x40/0x90
[  135.479269][ T6301]  entry_SYSCALL_64_after_hwframe+0x68/0xd2
[  135.485176][ T6301] RIP: 0033:0x7fd492b8ebe9
[  135.489605][ T6301] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[  135.509208][ T6301] RSP: 002b:00007fd493a76038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[  135.517638][ T6301] RAX: fffffffffffffe00 RBX: 00007fd492db6180 RCX: 00007fd492b8ebe9
[  135.525616][ T6301] RDX: 0000000000000040 RSI: 0000200000000100 RDI: 0000000000000010
[  135.533585][ T6301] RBP: 00007fd492c11e19 R08: 0000000000000000 R09: 0000000000000000
[  135.541557][ T6301] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  135.549532][ T6301] R13: 00007fd492db6218 R14: 00007fd492db6180 R15: 00007ffd3e0b9108
[  135.557524][ T6301]  </TASK>
[  135.560569][ T6301] 
[  135.562939][ T6301] Allocated by task 5918:
[  135.567266][ T6301]  kasan_set_track+0x4e/0x70
[  135.571863][ T6301]  __kasan_kmalloc+0x8f/0xa0
[  135.576470][ T6301]  rose_add_node+0x23a/0xdd0
[  135.581071][ T6301]  rose_rt_ioctl+0xa42/0xfb0
[  135.585670][ T6301]  rose_ioctl+0x3cf/0x8b0
[  135.590005][ T6301]  sock_do_ioctl+0xd7/0x2f0
[  135.594517][ T6301]  sock_ioctl+0x623/0x7a0
[  135.598854][ T6301]  __se_sys_ioctl+0xfd/0x170
[  135.603463][ T6301]  do_syscall_64+0x55/0xb0
[  135.607891][ T6301]  entry_SYSCALL_64_after_hwframe+0x68/0xd2
[  135.613794][ T6301] 
[  135.616115][ T6301] Freed by task 6300:
[  135.620092][ T6301]  kasan_set_track+0x4e/0x70
[  135.624680][ T6301]  kasan_save_free_info+0x2e/0x50
[  135.629709][ T6301]  ____kasan_slab_free+0x126/0x1e0
[  135.634818][ T6301]  slab_free_freelist_hook+0x130/0x1b0
[  135.640271][ T6301]  __kmem_cache_free+0xba/0x1f0
[  135.645127][ T6301]  rose_rt_device_down+0x43d/0x490
[  135.650241][ T6301]  rose_device_event+0x604/0x690
[  135.655178][ T6301]  notifier_call_chain+0x197/0x390
[  135.660289][ T6301]  __dev_notify_flags+0x18e/0x2e0
[  135.665317][ T6301]  dev_change_flags+0xe8/0x1a0
[  135.670088][ T6301]  dev_ifsioc+0x6a7/0xe20
[  135.674411][ T6301]  dev_ioctl+0x7e2/0x1170
[  135.678742][ T6301]  sock_do_ioctl+0x226/0x2f0
[  135.683351][ T6301]  sock_ioctl+0x623/0x7a0
[  135.687692][ T6301]  __se_sys_ioctl+0xfd/0x170
[  135.692297][ T6301]  do_syscall_64+0x55/0xb0
[  135.696716][ T6301]  entry_SYSCALL_64_after_hwframe+0x68/0xd2
[  135.702627][ T6301] 
[  135.704952][ T6301] The buggy address belongs to the object at ffff8880303efc00
[  135.704952][ T6301]  which belongs to the cache kmalloc-512 of size 512
[  135.719005][ T6301] The buggy address is located 50 bytes inside of
[  135.719005][ T6301]  freed 512-byte region [ffff8880303efc00, ffff8880303efe00)
[  135.732721][ T6301] 
[  135.735045][ T6301] The buggy address belongs to the physical page:
[  135.741467][ T6301] page:ffffea0000c0fb00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x303ec
[  135.751625][ T6301] head:ffffea0000c0fb00 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  135.760553][ T6301] anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[  135.768981][ T6301] page_type: 0xffffffff()
[  135.773309][ T6301] raw: 00fff00000000840 ffff888017841c80 0000000000000000 dead000000000001
[  135.781893][ T6301] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[  135.790475][ T6301] page dumped because: kasan: bad access detected
[  135.797032][ T6301] page_owner tracks the page as allocated
[  135.802749][ T6301] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4371, tgid 4371 (kworker/u4:2), ts 21402562426, free_ts 0
[  135.823238][ T6301]  post_alloc_hook+0x1cd/0x210
[  135.828019][ T6301]  get_page_from_freelist+0x195c/0x19f0
[  135.833579][ T6301]  __alloc_pages+0x1e3/0x460
[  135.838174][ T6301]  alloc_slab_page+0x5d/0x170
[  135.842866][ T6301]  new_slab+0x87/0x2e0
[  135.846981][ T6301]  ___slab_alloc+0xc6d/0x12f0
[  135.851712][ T6301]  __kmem_cache_alloc_node+0x1a2/0x260
[  135.857176][ T6301]  kmalloc_trace+0x2a/0xe0
[  135.861598][ T6301]  alloc_bprm+0x56/0x9c0
[  135.865848][ T6301]  kernel_execve+0x98/0x9c0
[  135.870377][ T6301]  call_usermodehelper_exec_async+0x20b/0x350
[  135.876492][ T6301]  ret_from_fork+0x48/0x80
[  135.880921][ T6301]  ret_from_fork_asm+0x11/0x20
[  135.885713][ T6301] page_owner free stack trace missing
[  135.891083][ T6301] 
[  135.893408][ T6301] Memory state around the buggy address:
[  135.899041][ T6301]  ffff8880303efb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  135.907108][ T6301]  ffff8880303efb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  135.915167][ T6301] >ffff8880303efc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  135.923227][ T6301]                                      ^
[  135.928853][ T6301]  ffff8880303efc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  135.936910][ T6301]  ffff8880303efd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  135.944970][ T6301] ==================================================================
[  135.978137][ T6290] ------------[ cut here ]------------
[  135.984324][ T6290] ODEBUG: assert_init not available (active state 0) object: ffff8880303efc90 object type: timer_list hint: rose_t0timer_expiry+0x0/0x350
[  135.998838][ T6290] WARNING: CPU: 1 PID: 6290 at lib/debugobjects.c:518 debug_print_object+0x163/0x1d0
[  136.008365][ T6290] Modules linked in:
[  136.012283][ T6290] CPU: 1 PID: 6290 Comm: syz.2.106 Not tainted 6.6.101-syzkaller #0
[  136.020271][ T6290] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
[  136.031063][ T6290] RIP: 0010:debug_print_object+0x163/0x1d0
[  136.037155][ T6290] Code: 08 4c 89 ff e8 8e 87 b7 fd 4d 8b 0f 48 c7 c7 40 71 fc 8a 48 8b 34 24 4c 89 ea 89 e9 4d 89 f0 41 54 e8 b1 b6 2a fd 48 83 c4 08 <0f> 0b ff 05 95 65 25 0a 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d
[  136.056829][ T6290] RSP: 0018:ffffc9000bbe7818 EFLAGS: 00010286
[  136.062969][ T6290] RAX: a9939ea4cc911600 RBX: dffffc0000000000 RCX: 0000000000080000
[  136.070937][ T6290] RDX: ffffc9000d0cc000 RSI: 00000000000087e0 RDI: 00000000000087e1
[  136.079067][ T6290] RBP: 0000000000000000 R08: ffffc9000bbe7407 R09: 1ffff9200177ce80
[  136.087068][ T6290] R10: dffffc0000000000 R11: fffff5200177ce81 R12: ffffffff89661080
[  136.095079][ T6290] R13: ffffffff8afc7300 R14: ffff8880303efc90 R15: ffffffff8aac9d80
[  136.103084][ T6290] FS:  00007f23980556c0(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
[  136.112034][ T6290] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  136.118662][ T6290] CR2: 0000200000005000 CR3: 000000001b7d9000 CR4: 00000000003506e0
[  136.126677][ T6290] Call Trace:
[  136.130593][ T6290]  <TASK>
[  136.133560][ T6290]  debug_object_assert_init+0x255/0x2f0
[  136.139119][ T6290]  __timer_delete+0x3f/0x290
[  136.143759][ T6290]  rose_transmit_link+0x4d1/0x740
[  136.148806][ T6290]  rose_write_internal+0x11d1/0x1ab0
[  136.154241][ T6290]  ? rose_validate_nr+0x120/0x120
[  136.159286][ T6290]  ? __timer_delete+0x6b/0x290
[  136.164088][ T6290]  ? skb_queue_purge_reason+0x6c/0x1c0
[  136.169554][ T6290]  rose_release+0x24e/0x510
[  136.174126][ T6290]  sock_close+0xbd/0x230
[  136.178399][ T6290]  ? sock_mmap+0xa0/0xa0
[  136.182696][ T6290]  __fput+0x234/0x970
[  136.186712][ T6290]  task_work_run+0x1ce/0x250
[  136.191309][ T6290]  ? task_work_cancel+0x240/0x240
[  136.196390][ T6290]  get_signal+0x1235/0x1400
[  136.200900][ T6290]  ? task_work_add+0x3a3/0x440
[  136.205721][ T6290]  ? __ia32_sys_pidfd_getfd+0x90/0x90
[  136.211126][ T6290]  ? wake_bit_function+0x200/0x200
[  136.216284][ T6290]  ? __might_fault+0xaa/0x120
[  136.220971][ T6290]  arch_do_signal_or_restart+0x96/0x780
[  136.226565][ T6290]  ? __sys_connect+0x240/0x420
[  136.231993][ T6290]  ? get_sigframe_size+0x20/0x20
[  136.236990][ T6290]  ? exit_to_user_mode_loop+0x3b/0x110
[  136.242480][ T6290]  exit_to_user_mode_loop+0x70/0x110
[  136.247829][ T6290]  exit_to_user_mode_prepare+0xb1/0x140
[  136.253428][ T6290]  syscall_exit_to_user_mode+0x1a/0x50
[  136.258930][ T6290]  do_syscall_64+0x61/0xb0
[  136.263388][ T6290]  ? clear_bhb_loop+0x40/0x90
[  136.268088][ T6290]  ? clear_bhb_loop+0x40/0x90
[  136.272842][ T6290]  entry_SYSCALL_64_after_hwframe+0x68/0xd2
[  136.278778][ T6290] RIP: 0033:0x7f239718ebe9
[  136.283240][ T6290] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[  136.302944][ T6290] RSP: 002b:00007f2398055038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[  136.311400][ T6290] RAX: fffffffffffffe00 RBX: 00007f23973b5fa0 RCX: 00007f239718ebe9
[  136.319625][ T6290] RDX: 0000000000000040 RSI: 0000200000000100 RDI: 000000000000000f
[  136.327684][ T6290] RBP: 00007f2397211e19 R08: 0000000000000000 R09: 0000000000000000
[  136.336332][ T6290] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  136.344364][ T6290] R13: 00007f23973b6038 R14: 00007f23973b5fa0 R15: 00007ffe3ea42b98
[  136.352345][ T6290]  </TASK>
[  136.355405][ T6290] Kernel panic - not syncing: kernel: panic_on_warn set ...
[  136.362765][ T6290] CPU: 1 PID: 6290 Comm: syz.2.106 Not tainted 6.6.101-syzkaller #0
[  136.370735][ T6290] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
[  136.380786][ T6290] Call Trace:
[  136.384074][ T6290]  <TASK>
[  136.387000][ T6290]  dump_stack_lvl+0x16c/0x230
[  136.391681][ T6290]  ? show_regs_print_info+0x20/0x20
[  136.396882][ T6290]  ? load_image+0x3b0/0x3b0
[  136.401415][ T6290]  panic+0x2c0/0x710
[  136.405323][ T6290]  ? bpf_jit_dump+0xd0/0xd0
[  136.409855][ T6290]  __warn+0x2e0/0x470
[  136.413834][ T6290]  ? debug_print_object+0x163/0x1d0
[  136.419032][ T6290]  ? debug_print_object+0x163/0x1d0
[  136.424245][ T6290]  report_bug+0x2be/0x4f0
[  136.428608][ T6290]  ? debug_print_object+0x163/0x1d0
[  136.433817][ T6290]  ? debug_print_object+0x163/0x1d0
[  136.439020][ T6290]  ? debug_print_object+0x165/0x1d0
[  136.444225][ T6290]  handle_bug+0xcf/0x120
[  136.448471][ T6290]  exc_invalid_op+0x1a/0x50
[  136.452988][ T6290]  asm_exc_invalid_op+0x1a/0x20
[  136.457840][ T6290] RIP: 0010:debug_print_object+0x163/0x1d0
[  136.463652][ T6290] Code: 08 4c 89 ff e8 8e 87 b7 fd 4d 8b 0f 48 c7 c7 40 71 fc 8a 48 8b 34 24 4c 89 ea 89 e9 4d 89 f0 41 54 e8 b1 b6 2a fd 48 83 c4 08 <0f> 0b ff 05 95 65 25 0a 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d
[  136.483342][ T6290] RSP: 0018:ffffc9000bbe7818 EFLAGS: 00010286
[  136.489424][ T6290] RAX: a9939ea4cc911600 RBX: dffffc0000000000 RCX: 0000000000080000
[  136.497402][ T6290] RDX: ffffc9000d0cc000 RSI: 00000000000087e0 RDI: 00000000000087e1
[  136.505428][ T6290] RBP: 0000000000000000 R08: ffffc9000bbe7407 R09: 1ffff9200177ce80
[  136.513441][ T6290] R10: dffffc0000000000 R11: fffff5200177ce81 R12: ffffffff89661080
[  136.521408][ T6290] R13: ffffffff8afc7300 R14: ffff8880303efc90 R15: ffffffff8aac9d80
[  136.529388][ T6290]  ? rose_transmit_link+0x740/0x740
[  136.534614][ T6290]  ? rose_transmit_link+0x740/0x740
[  136.539832][ T6290]  debug_object_assert_init+0x255/0x2f0
[  136.545406][ T6290]  __timer_delete+0x3f/0x290
[  136.550025][ T6290]  rose_transmit_link+0x4d1/0x740
[  136.555051][ T6290]  rose_write_internal+0x11d1/0x1ab0
[  136.560337][ T6290]  ? rose_validate_nr+0x120/0x120
[  136.565357][ T6290]  ? __timer_delete+0x6b/0x290
[  136.570121][ T6290]  ? skb_queue_purge_reason+0x6c/0x1c0
[  136.575584][ T6290]  rose_release+0x24e/0x510
[  136.580083][ T6290]  sock_close+0xbd/0x230
[  136.584334][ T6290]  ? sock_mmap+0xa0/0xa0
[  136.588601][ T6290]  __fput+0x234/0x970
[  136.592615][ T6290]  task_work_run+0x1ce/0x250
[  136.597222][ T6290]  ? task_work_cancel+0x240/0x240
[  136.602252][ T6290]  get_signal+0x1235/0x1400
[  136.606761][ T6290]  ? task_work_add+0x3a3/0x440
[  136.611520][ T6290]  ? __ia32_sys_pidfd_getfd+0x90/0x90
[  136.616897][ T6290]  ? wake_bit_function+0x200/0x200
[  136.622003][ T6290]  ? __might_fault+0xaa/0x120
[  136.626684][ T6290]  arch_do_signal_or_restart+0x96/0x780
[  136.632260][ T6290]  ? __sys_connect+0x240/0x420
[  136.637044][ T6290]  ? get_sigframe_size+0x20/0x20
[  136.641997][ T6290]  ? exit_to_user_mode_loop+0x3b/0x110
[  136.647510][ T6290]  exit_to_user_mode_loop+0x70/0x110
[  136.652824][ T6290]  exit_to_user_mode_prepare+0xb1/0x140
[  136.658373][ T6290]  syscall_exit_to_user_mode+0x1a/0x50
[  136.663846][ T6290]  do_syscall_64+0x61/0xb0
[  136.668259][ T6290]  ? clear_bhb_loop+0x40/0x90
[  136.672936][ T6290]  ? clear_bhb_loop+0x40/0x90
[  136.677612][ T6290]  entry_SYSCALL_64_after_hwframe+0x68/0xd2
[  136.683514][ T6290] RIP: 0033:0x7f239718ebe9
[  136.687941][ T6290] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[  136.707663][ T6290] RSP: 002b:00007f2398055038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[  136.716095][ T6290] RAX: fffffffffffffe00 RBX: 00007f23973b5fa0 RCX: 00007f239718ebe9
[  136.724069][ T6290] RDX: 0000000000000040 RSI: 0000200000000100 RDI: 000000000000000f
[  136.732035][ T6290] RBP: 00007f2397211e19 R08: 0000000000000000 R09: 0000000000000000
[  136.740089][ T6290] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  136.748062][ T6290] R13: 00007f23973b6038 R14: 00007f23973b5fa0 R15: 00007ffe3ea42b98
[  136.756047][ T6290]  </TASK>
[  136.759438][ T6290] Kernel Offset: disabled
[  136.763823][ T6290] Rebooting in 86400 seconds..