last executing test programs: 13m0.823672654s ago: executing program 0 (id=2891): prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0) r0 = syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101) r1 = dup(r0) write$6lowpan_enable(r1, &(0x7f0000000000)='0', 0xfffffd2c) r2 = syz_io_uring_setup(0x4bb3, &(0x7f0000000740)={0x0, 0xb1e9, 0x10100, 0x0, 0x0, 0x0, r1}, 0x0, &(0x7f00000001c0)=0x0) syz_io_uring_submit(0x0, r3, &(0x7f0000000040)=@IORING_OP_POLL_ADD={0x6, 0x2, 0x0, @fd=r0, 0x0, 0x0, 0x0, {}, 0x1}) io_uring_enter(r2, 0x2ded, 0xef92, 0x0, 0x0, 0x0) r4 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) sendto(r4, 0x0, 0x0, 0x0, &(0x7f0000000300)=@caif=@dbg={0x25, 0x0, 0x4e}, 0x80) r5 = syz_open_dev$sg(&(0x7f00000060c0), 0x0, 0x8002) ioctl$SG_SET_FORCE_PACK_ID(r5, 0x227b, 0x0) readv(r5, &(0x7f0000000000)=[{&(0x7f0000000100)=""/54, 0x36}], 0x1) 12m56.37726035s ago: executing program 0 (id=2899): r0 = socket$kcm(0x10, 0x2, 0x0) r1 = socket$igmp6(0xa, 0x3, 0x2) r2 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000240)={0x18, 0x3, &(0x7f00000000c0)=ANY=[@ANYBLOB="1800000000000006000000000000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f00000004c0)='contention_begin\x00', r2}, 0x10) setsockopt$IP6T_SO_SET_REPLACE(r1, 0x29, 0x40, &(0x7f00000004c0)=@raw={'raw\x00', 0x8, 0x3, 0x460, 0xf0, 0xffffffff, 0xffffffff, 0xf0, 0xffffffff, 0x390, 0xffffffff, 0xffffffff, 0x390, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00', {}, {}, 0x2f, 0x0, 0x3}, 0x0, 0xa8, 0xf0}, @common=@inet=@TEE={0x48, 'TEE\x00', 0x1, {@ipv4=@local, 'nicvf0\x00', {0x3f66}}}}, {{@ipv6={@remote, 
@ipv4={'\x00', '\xff\xff', @dev={0xac, 0x14, 0x14, 0x3d}}, [0xffffffff], [], 'wg1\x00', 'gre0\x00', {}, {0xff}}, 0x0, 0x258, 0x2a0, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x563e4515, 0x0, 0x7, 0x3fc, 0x20}}}, @common=@inet=@hashlimit3={{0x158}, {'veth0_vlan\x00', {0x3, 0x0, 0x48, 0x0, 0x15ab, 0x1000, 0x6, 0x5}}}]}, @common=@unspec=@LED={0x48, 'LED\x00', 0x0, {'syz0\x00', 0x2, 0x5, {0x6}}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x4c0) sendmsg$kcm(r0, 0x0, 0x8040) 12m54.830985943s ago: executing program 0 (id=2906): r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0) r1 = syz_usb_connect(0x0, 0x3f, &(0x7f0000000080)=ANY=[@ANYBLOB="11010000733336088dee1adb23610000000109022d0001100000000904000003fe03010009cd8d1f00020000000905050200000000100905"], 0x0) bpf$PROG_LOAD(0x5, &(0x7f0000000000)={0x1, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) syz_usb_control_io(r1, 0x0, &(0x7f0000000300)={0x84, &(0x7f0000001a80)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r2 = syz_open_dev$char_usb(0xc, 0xb4, 0x0) ioctl$FS_IOC_GETVERSION(r2, 0xc0145b0e, &(0x7f0000000040)) close_range(r0, 0xffffffffffffffff, 0x0) 12m47.87078903s ago: executing program 0 (id=2927): r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r1, 0x0, 0x0) bind$inet(r0, &(0x7f0000000100)={0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x17}}, 0x10) setsockopt$sock_int(r0, 0x1, 0x6, &(0x7f0000000000)=0x4, 0x4) socket(0x10, 0x803, 0x0) openat$nullb(0xffffffffffffff9c, 0x0, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000040)={0x8, 0x8b}, 0x0) r2 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r3 = dup(r2) ioctl$SNDCTL_DSP_SPEED(r2, 0xc0045002, &(0x7f0000000040)) read$FUSE(r3, &(0x7f0000000a00)={0x2020}, 0x2020) sched_setscheduler(0x0, 0x2, 
&(0x7f0000000180)=0x4) sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) ioctl$TIOCOUTQ(0xffffffffffffffff, 0x5411, 0xfffffffffffffffd) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) r4 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r4, &(0x7f0000019680)=""/102392, 0x18ff8) socket$nl_generic(0x10, 0x3, 0x10) bind$bt_hci(r3, &(0x7f0000000140)={0x1f, 0x1, 0x2}, 0x6) syz_open_dev$radio(&(0x7f0000000000), 0x0, 0x2) r5 = openat(0xffffffffffffff9c, 0x0, 0x143042, 0x0) lseek(r5, 0xe, 0x3) ioctl$VIDIOC_SUBDEV_S_DV_TIMINGS(0xffffffffffffffff, 0xc0845657, &(0x7f0000000040)={0x0, @bt={0xa00, 0x63c, 0x1, 0x1, 0xd59f83, 0x19f5, 0x43, 0x7, 0x3, 0x7, 0x27ff, 0x2800, 0x2, 0xba2, 0x0, 0x3e, {0x8, 0xffffffff}, 0xd4, 0x9}}) getsockopt$inet_buf(0xffffffffffffffff, 0x6, 0x29, 0x0, 0x0) r6 = syz_open_dev$dri(&(0x7f0000000080), 0x1, 0x0) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r6, 0xc01064b5, &(0x7f0000000100)={0x0}) ioctl$DRM_IOCTL_MODE_GETPLANE(r6, 0xc02064b6, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) connect$inet(r0, &(0x7f0000000280)={0x2, 0x0, @broadcast}, 0x10) sendmmsg$inet(r0, &(0x7f0000004d00)=[{{0x0, 0x6000, 0x0, 0x0, 0x0, 0x0, 0x30000}}], 0x300, 0xf00) 12m42.94067324s ago: executing program 0 (id=2936): r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0) r1 = syz_usb_connect(0x0, 0x3f, &(0x7f0000000080)=ANY=[@ANYBLOB="11010000733336088dee1adb23610000000109022d0001100000000904000003fe03010009cd8d1f00020000000905050200000000100905"], 0x0) bpf$PROG_LOAD(0x5, &(0x7f0000000000)={0x1, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) syz_usb_control_io(r1, 0x0, &(0x7f0000000300)={0x84, &(0x7f0000001a80)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r2 = syz_open_dev$char_usb(0xc, 0xb4, 0x0) ioctl$FS_IOC_GETVERSION(r2, 0xc0145b0e, &(0x7f0000000040)) close_range(r0, 
0xffffffffffffffff, 0x0) 12m37.276948951s ago: executing program 0 (id=2949): r0 = socket$kcm(0x10, 0x2, 0x0) r1 = socket$igmp6(0xa, 0x3, 0x2) r2 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000240)={0x18, 0x3, &(0x7f00000000c0)=ANY=[@ANYBLOB="1800000000000006000000000000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f00000004c0)='contention_begin\x00', r2}, 0x10) setsockopt$IP6T_SO_SET_REPLACE(r1, 0x29, 0x40, &(0x7f00000004c0)=@raw={'raw\x00', 0x8, 0x3, 0x460, 0xf0, 0xffffffff, 0xffffffff, 0xf0, 0xffffffff, 0x390, 0xffffffff, 0xffffffff, 0x390, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00', {}, {}, 0x2f, 0x0, 0x3}, 0x0, 0xa8, 0xf0}, @common=@inet=@TEE={0x48, 'TEE\x00', 0x1, {@ipv4=@local, 'nicvf0\x00', {0x3f66}}}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev={0xac, 0x14, 0x14, 0x3d}}, [0xffffffff], [], 'wg1\x00', 'gre0\x00', {}, {0xff}}, 0x0, 0x258, 0x2a0, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x563e4515, 0x0, 0x7, 0x3fc, 0x20}}}, @common=@inet=@hashlimit3={{0x158}, {'veth0_vlan\x00', {0x3, 0x0, 0x48, 0x0, 0x15ab, 0x1000, 0x6, 0x5}}}]}, @common=@unspec=@LED={0x48, 'LED\x00', 0x0, {'syz0\x00', 0x2, 0x5, {0x6}}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x4c0) sendmsg$kcm(r0, &(0x7f0000000940)={0x0, 0x0, 0x0}, 0x8040) 12m21.888774745s ago: executing program 32 (id=2949): r0 = socket$kcm(0x10, 0x2, 0x0) r1 = socket$igmp6(0xa, 0x3, 0x2) r2 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000240)={0x18, 0x3, &(0x7f00000000c0)=ANY=[@ANYBLOB="1800000000000006000000000000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) 
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f00000004c0)='contention_begin\x00', r2}, 0x10) setsockopt$IP6T_SO_SET_REPLACE(r1, 0x29, 0x40, &(0x7f00000004c0)=@raw={'raw\x00', 0x8, 0x3, 0x460, 0xf0, 0xffffffff, 0xffffffff, 0xf0, 0xffffffff, 0x390, 0xffffffff, 0xffffffff, 0x390, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00', {}, {}, 0x2f, 0x0, 0x3}, 0x0, 0xa8, 0xf0}, @common=@inet=@TEE={0x48, 'TEE\x00', 0x1, {@ipv4=@local, 'nicvf0\x00', {0x3f66}}}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev={0xac, 0x14, 0x14, 0x3d}}, [0xffffffff], [], 'wg1\x00', 'gre0\x00', {}, {0xff}}, 0x0, 0x258, 0x2a0, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x563e4515, 0x0, 0x7, 0x3fc, 0x20}}}, @common=@inet=@hashlimit3={{0x158}, {'veth0_vlan\x00', {0x3, 0x0, 0x48, 0x0, 0x15ab, 0x1000, 0x6, 0x5}}}]}, @common=@unspec=@LED={0x48, 'LED\x00', 0x0, {'syz0\x00', 0x2, 0x5, {0x6}}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x4c0) sendmsg$kcm(r0, &(0x7f0000000940)={0x0, 0x0, 0x0}, 0x8040) 15.563262808s ago: executing program 4 (id=5250): r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000008c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r1 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x4) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) 
sendmmsg$unix(r3, &(0x7f0000000000), 0x400000000000041, 0x0) sched_setaffinity(r1, 0x8, &(0x7f0000000240)=0x2) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) futex(0x0, 0xc, 0x1, 0x0, &(0x7f0000048000)=0x2, 0x0) r4 = socket$netlink(0x10, 0x3, 0x14) sendmsg$RDMA_NLDEV_CMD_NEWLINK(r4, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000001200)={&(0x7f00000004c0)={0x10, 0x1403, 0x1, 0x70bd2d}, 0x10}, 0x1, 0x0, 0x0, 0x854}, 0x0) socket$inet_smc(0x2b, 0x1, 0x0) r5 = openat$fb0(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) ioctl$FBIOPUT_VSCREENINFO(r5, 0x4601, &(0x7f0000000100)={0x400, 0x300, 0x10, 0x800, 0xbbbe, 0x0, 0x18, 0x0, {0x0, 0x0, 0x1}, {0x7, 0xfffffffd, 0xfffffffe}, {0x0, 0xffff0000}, {0x1000000}, 0x0, 0x3f0, 0x0, 0xd613, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}) r6 = openat$ttyS3(0xffffffffffffff9c, &(0x7f00000002c0), 0x40a00, 0x0) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) gettid() timer_create(0x0, 0x0, &(0x7f0000bbdffc)) timer_settime(0x0, 0x0, 0x0, 0x0) ioctl$TIOCMIWAIT(r6, 0x545c, 0x0) setsockopt$inet_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000300)={{0x14}, [@NFT_MSG_NEWRULE={0x7c, 0x6, 0xa, 0x40b, 0x0, 0x0, {0x2}, [@NFTA_RULE_EXPRESSIONS={0x50, 0x4, 0x0, 0x1, [{0x24, 0x1, 0x0, 0x1, @socket={{0xb}, @val={0x14, 0x2, 0x0, 0x1, [@NFTA_SOCKET_DREG={0x8, 0x2, 0x1, 0x0, 0x3}, @NFTA_SOCKET_KEY={0x8, 0x1, 0x1, 0x0, 0x2}]}}}, {0x28, 0x1, 0x0, 0x1, @nat={{0x8}, @val={0x1c, 0x2, 0x0, 0x1, [@NFTA_NAT_TYPE={0x8, 0x1, 0x1, 0x0, 0x1}, @NFTA_NAT_REG_ADDR_MAX={0x8, 0x4, 0x1, 0x0, 0x10}, @NFTA_NAT_REG_ADDR_MIN={0x8, 0x3, 0x1, 0x0, 0x3}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz2\x00'}]}], {0x14}}, 0xa4}}, 0x0) 11.88954878s ago: executing program 4 (id=5263): r0 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000540), 0x2, 0x0) r1 = socket$nl_crypto(0x10, 0x3, 0x15) sendmsg$netlink(r1, &(0x7f0000000080)={0x0, 0x0, 
&(0x7f0000000380)=[{&(0x7f0000000440)=ANY=[@ANYBLOB="e00000001000090500c100000000000008004300ff030000a90000000b0e13e735a3184f123d6d92f1accfdaee2dd2b184b27db1f3ea7767bf0004003dd93d00000000001dcedf5966bd8b85b01b5f44e4ce28712d5f28"], 0xe0}], 0x1, 0x0, 0x0, 0x4000011}, 0x200480c2) write$RDMA_USER_CM_CMD_CREATE_ID(r0, &(0x7f0000000300)={0x0, 0x18, 0xfa00, {0x803, &(0x7f0000000040)={0xffffffffffffffff}, 0x2, 0x3}}, 0x20) r3 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r3, 0x6, 0x13, &(0x7f0000000040)=0x100000001, 0x76dc) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f00000001c0)=@newqdisc={0x2c, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {0xffe0, 0x4}, {0xfff1, 0xffff}, {0x10, 0xfff2}}, [@qdisc_kind_options=@q_drr={0x8}]}, 0x2c}}, 0x0) ppoll(&(0x7f00000000c0)=[{}, {}], 0x20000000000000dc, 0x0, 0x0, 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000001c0)=@gettclass={0x24, 0x2a, 0x129, 0x70bd2d, 0x4, {0x0, 0x0, 0x0, 0x0, {0xe, 0x3}, {0x6, 0xf}, {0xd, 0xb}}}, 0x24}, 0x1, 0x0, 0x0, 0x4080}, 0x40004) r4 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000001c0)=ANY=[@ANYBLOB="340000003e000900000000000008000003000000040004001c000180180010"], 0x34}, 0x1, 0xfdff}, 0x84) r5 = mq_open(&(0x7f00000005c0)='eth0\x00#\x13\xaeu\xe0\xfb\x050*\xf3\x11i\xdd\xd9\xc6\x87\xde\xbf_\xa0\xf6\xdfk\xbf.\"\xa6\xc0#p\xcd\x1c/\xa6\xf2\xbcyL\x85a\xb5\xbb~+>\xbc\x93\xf8\xab\x9a3\x85l\x1d\x15\x11\x1a{@!2\xb6!\x19\xf1\xcce\xab\x80M\xc9\xcf\xaeR\xb69k\x90\x88\v8I$\xfdQ\x1d\x90=r\xd8\xc0\xd8\t/\x8dv\xb8\x93\xc3\xff\a\x00\x00\xd1T\xdd\x14\xd3\xe1\xbe_$A=z\xee\xbd/X\xbemOX)s\x94\xde\xbe_\v\x01\xbe\xeb\xbb\x91\x11z\xc2|d\x1b\x04\xd2\xf9yx\xb2\x1b\bLTrw\x88\x9e0\t\xc6\xe2\x9c\xed\\\xd8[\xc8\x04 
\xf3\xac]V\x1d:\xfc\xc3\x9e\x02\aY\xef\xfe\x1c.TT\xcf\xbf\xf5\x80a%\xdcQ\xb3Cs\xb2\a\xfe\xb3j*\xad\x18I\xcc\xe9\x96{]\xef\xb7\xf2\xee*\xf95\bJt\xd0s\xc4\xaa\xc8\x13~\xb2\xf20\xbdf\xdb\xaeG\xe3\xfb\xef\x94\xef:Q\x1b\xe3\xa3\xa4}\xef`e\xcdL\x03\x00\x00\x00y\x9fg1\xf4\t\x18i/!\x13\xf1,\x8cu\xaa\xbf~)\x94\x1b2\x93\x86\xe7\x9a\xf2j\xa8\x96\xa6\x8e\xfcN\x81\xafTh\xb3\x1bo:\xe8\vq7S\xe4H\xf3L\xa0\x9c\x97B\x12\x10\x9d\xaa\x7fq\x06\xb9\xb3\x83\x1c\x83\xb1J\xec\x926\xb5a0\xa0B\xae|c\xf3\x8b\xc2E\x00\x00\x00\x00\x00\x00', 0x42, 0x0, 0x0) r6 = syz_open_dev$cec(&(0x7f0000000000), 0x0, 0x12b001) ioctl$CEC_ADAP_S_LOG_ADDRS(r6, 0xc05c6104, &(0x7f0000000140)={"524ebce3", 0x3, 0x5, 0x81, 0x3, 0x16dc, "0d0767fcf850456f2290e729cf77f1", "2eb4fea5", "44b4dd9e", "ad2e21d3", ["d4150c57d062e240fbe214a9", "850f3d04d42a166156600360", "82621ecad17be13010ccc10d", "6631cbd8c92f5461e2ea90f9"]}) ioctl$CEC_TRANSMIT(r6, 0xc0386105, &(0x7f00000003c0)={0x0, 0xffffffffffffffff, 0x6, 0x6, 0xe30, 0x3ff, "c2a0da871813beebb98f6cd3bde10363", 0x8, 0x9, 0x9, 0x2, 0x0, 0x0, 0xfc}) r7 = syz_io_uring_setup(0xd2, &(0x7f0000000880)={0x0, 0xdff9, 0x800, 0x1000}, &(0x7f0000000000)=0x0, &(0x7f0000000080)=0x0) syz_memcpy_off$IO_URING_METADATA_GENERIC(r8, 0x4, &(0x7f0000000180)=0xfffffffc, 0x0, 0x4) syz_io_uring_submit(r8, r9, &(0x7f0000000200)=@IORING_OP_CLOSE={0x13, 0x4e3b947d338dce40, 0x0, r5, 0x0, 0x0, 0x0, 0x0, 0x1}) io_uring_enter(r7, 0x47ba, 0x0, 0x0, 0x0, 0x0) connect$inet6(r3, &(0x7f0000000080)={0xa, 0x0, 0x0, @rand_addr, 0x2}, 0x1c) setsockopt$inet6_tcp_TCP_ULP(r3, 0x6, 0x1f, &(0x7f00000002c0), 0x4) r10 = fcntl$dupfd(r3, 0x0, r3) r11 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$IP6T_SO_SET_REPLACE(r11, 0x29, 0x40, &(0x7f0000000000)=@filter={'filter\x00', 0x4, 0x4, 0x490, 0xffffffff, 0x0, 0x218, 0xe8, 0xfeffffff, 0xffffffff, 0x3c0, 0x3c0, 0x3c0, 0xffffffff, 0x4, 0x0, {[{{@ipv6={@empty, @mcast1, [0xff, 0xff, 0xff, 0xff000000], [0x0, 0xff, 0xff, 0xffffff00], 'macvtap0\x00', 'veth1_to_hsr\x00', {}, {}, 0x3c, 
0x6, 0x4, 0x30}, 0x2f2, 0xa8, 0xe8}, @common=@unspec=@RATEEST={0x40, 'RATEEST\x00', 0x0, {'syz1\x00', 0x2, 0x5, {0x7}}}}, {{@ipv6={@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @empty, [0x0, 0xff000000], [], 'wg2\x00', 'batadv_slave_1\x00'}, 0x0, 0xf0, 0x130, 0x0, {}, [@common=@dst={{0x48}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0xfffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2]}}]}, @common=@unspec=@RATEEST={0x40, 'RATEEST\x00', 0x0, {'syz1\x00', 0x2, 0x57, {0x2000000}}}}, {{@ipv6={@empty, @mcast1, [], [0x0, 0xffffff00], 'ip6tnl0\x00', 'dvmrp0\x00', {}, {}, 0x0, 0x0, 0x0, 0x40}, 0x0, 0x180, 0x1a8, 0x0, {}, [@common=@dst={{0x48}, {0x1, 0x0, 0x0, [0x5, 0x1, 0xfff, 0x5, 0x6, 0x9, 0x81, 0x2, 0xe0, 0xfffc, 0x10, 0x3, 0x1, 0x0, 0x4, 0x6]}}, @common=@srh1={{0x90}, {0x0, 0x0, 0x0, 0x0, 0x0, @loopback, @local, @private1, [0x0, 0x0, 0xff000000], [0xffffff00, 0x0, 0xffffff00], [], 0x843, 0x1420}}]}, @REJECT={0x28}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x4f0) sendmsg$IPVS_CMD_GET_CONFIG(r10, &(0x7f00000001c0)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000180)=ANY=[], 0x14}}, 0x4000) write$UHID_CREATE2(r10, &(0x7f0000001640)=ANY=[], 0x1b6) sendmsg$WG_CMD_GET_DEVICE(r10, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000002e80)={&(0x7f0000000340)=ANY=[], 0x2b08}}, 0x4004006) setsockopt$inet6_tcp_TLS_TX(r10, 0x11a, 0x2, &(0x7f0000000100)=@ccm_128={{0x304}, "2697312e4e898ca7", "35e23ca3a988def7dfbd438c536346cd", "11398f4a", "50cc97386065eda9"}, 0x28) ioctl$KVM_CAP_SPLIT_IRQCHIP(r10, 0x4068aea3, &(0x7f0000000080)={0x79, 0x0, 0x6c7}) write$RDMA_USER_CM_CMD_RESOLVE_IP(r0, &(0x7f00000003c0)={0x3, 0x40, 0xfa02, {{0x6000000, 0x4e23, 0x0, @mcast2, 0x3}, {0xa, 0x0, 0x7, @private0={0xfc, 0x0, '\x00', 0x1}, 0xffffffff}, r2, 0x4}}, 0x48) 9.852342387s ago: executing program 5 (id=5271): r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000300)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1805000000000000000000004b64ffec850000007d000000850000002a00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 
0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000080)='sched_switch\x00', r0}, 0x10) bpf$PROG_LOAD(0x5, 0x0, 0x0) r1 = syz_open_procfs(0x0, 0x0) getdents(r1, 0x0, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x48) mmap(&(0x7f0000003000/0x2000)=nil, 0x2000, 0x0, 0x31, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_MODE_GETRESOURCES(0xffffffffffffffff, 0xc04064a0, &(0x7f0000000340)={0x0, 0x0, 0x0, 0x0}) r2 = syz_open_dev$dri(&(0x7f0000000080), 0x1, 0x0) ioctl$DRM_IOCTL_SET_CLIENT_CAP(r2, 0x4010640d, &(0x7f0000000000)={0x3, 0x2}) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r2, 0xc01064b5, &(0x7f0000000140)={&(0x7f0000000100)=[0x0], 0x1}) ioctl$DRM_IOCTL_MODE_GETPLANE(r2, 0xc02064b6, &(0x7f00000001c0)={r3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x2) ioctl$DRM_IOCTL_MODE_GET_LEASE(r2, 0xc01064c8, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000200)}) ioctl$DRM_IOCTL_MODE_OBJ_GETPROPERTIES(r2, 0xc02064b9, &(0x7f00000002c0)={&(0x7f0000000240)=[0x0, 0x0], 0x0, 0x2, r4}) ioctl$DRM_IOCTL_MODE_ATOMIC(r2, 0xc03864bc, &(0x7f0000000380)={0x200, 0x1, &(0x7f0000000440)=[r4], &(0x7f0000000200), &(0x7f0000000300)=[r5], &(0x7f0000000340)}) ppoll(&(0x7f00000000c0)=[{}, {}], 0x20000000000000dc, 0x0, 0x0, 0x0) sendto$packet(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) r6 = msgget$private(0x0, 0x0) r7 = fsopen(&(0x7f0000000000)='cgroup2\x00', 0x0) fsconfig$FSCONFIG_SET_BINARY(r7, 0x6, 0x0, 0x0, 0x0) r8 = fsmount(r7, 0x0, 0x0) r9 = openat$cgroup_subtree(r8, &(0x7f0000000100), 0x2, 0x0) write$cgroup_subtree(r9, &(0x7f0000000300)=ANY=[@ANYBLOB='-cpu '], 0x5) write$cgroup_subtree(r9, &(0x7f0000000480)={[{0x2b, 'hugetlb'}, {0x2b, 'rdma'}]}, 0xf) msgrcv(r6, &(0x7f0000001080)={0x0, ""/1}, 0x2000, 0x2, 0x3000) socket$inet_udplite(0x2, 0x2, 0x88) ppoll(&(0x7f00000003c0)=[{r0, 0x48}], 0x1, &(0x7f0000000400)={0x77359400}, 
&(0x7f0000000440)={[0x80]}, 0x8) 9.24734983s ago: executing program 4 (id=5273): r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000008c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r1 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x4) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x400000000000041, 0x0) sched_setaffinity(r1, 0x8, &(0x7f0000000240)=0x2) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) futex(0x0, 0xc, 0x1, 0x0, &(0x7f0000048000)=0x2, 0x0) r4 = socket$netlink(0x10, 0x3, 0x14) sendmsg$RDMA_NLDEV_CMD_NEWLINK(r4, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000001200)={&(0x7f00000004c0)={0x10, 0x1403, 0x1, 0x70bd2d}, 0x10}, 0x1, 0x0, 0x0, 0x854}, 0x0) socket$inet_smc(0x2b, 0x1, 0x0) r5 = openat$fb0(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) ioctl$FBIOPUT_VSCREENINFO(r5, 0x4601, &(0x7f0000000100)={0x400, 0x300, 0x10, 0x800, 0xbbbe, 0x0, 0x18, 0x0, {0x0, 0x0, 0x1}, {0x7, 0xfffffffd, 0xfffffffe}, {0x0, 0xffff0000}, {0x1000000}, 0x0, 0x3f0, 0x0, 0xd613, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}) r6 = openat$ttyS3(0xffffffffffffff9c, &(0x7f00000002c0), 0x40a00, 0x0) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) gettid() timer_create(0x0, 0x0, &(0x7f0000bbdffc)) timer_settime(0x0, 0x0, 0x0, 0x0) ioctl$TIOCMIWAIT(r6, 0x545c, 0x0) 
setsockopt$inet_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000300)={{0x14}, [@NFT_MSG_NEWRULE={0x7c, 0x6, 0xa, 0x40b, 0x0, 0x0, {0x2}, [@NFTA_RULE_EXPRESSIONS={0x50, 0x4, 0x0, 0x1, [{0x24, 0x1, 0x0, 0x1, @socket={{0xb}, @val={0x14, 0x2, 0x0, 0x1, [@NFTA_SOCKET_DREG={0x8, 0x2, 0x1, 0x0, 0x3}, @NFTA_SOCKET_KEY={0x8, 0x1, 0x1, 0x0, 0x2}]}}}, {0x28, 0x1, 0x0, 0x1, @nat={{0x8}, @val={0x1c, 0x2, 0x0, 0x1, [@NFTA_NAT_TYPE={0x8, 0x1, 0x1, 0x0, 0x1}, @NFTA_NAT_REG_ADDR_MAX={0x8, 0x4, 0x1, 0x0, 0x10}, @NFTA_NAT_REG_ADDR_MIN={0x8, 0x3, 0x1, 0x0, 0x3}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz2\x00'}]}], {0x14}}, 0xa4}}, 0x0) 8.141929324s ago: executing program 4 (id=5276): r0 = socket$inet(0x2, 0x4000000000000001, 0x0) bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e23, @local}, 0x10) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, 0x0, 0x0) sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10) sendto$inet(r0, &(0x7f00000012c0)="09268a92", 0x4, 0x11, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x12, &(0x7f0000000000)=0x4, 0x4) syz_usb_connect(0x0, 0x46, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0xcc, 0x73, 0x9f, 0x20, 0x4a4, 0x14, 0xc957, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x34, 0x1, 0x0, 0x0, 0x80, 0x0, [{{0x9, 0x4, 0x13, 0x0, 0x3, 0x4, 0xce, 0x10, 0x0, [], [{{0x9, 0x5, 0x0, 0xc, 0x40, 0xa4, 0x8, 0x8}}, {{0x9, 0x5, 0x5, 0x2, 0x10, 0x3, 0xfc, 0x1, [@generic={0x7, 0x5, "910e3a85ea"}]}}, {{0x9, 0x5, 0x8, 0x3, 0x10, 0x7, 0x1}}]}}]}}]}}, 0x0) socket$inet(0x2, 0x4000000000000001, 0x0) (async) bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e23, @local}, 0x10) (async) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, 0x0, 0x0) (async) sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10) (async) sendto$inet(r0, &(0x7f00000012c0)="09268a92", 0x4, 0x11, 0x0, 0x0) (async) setsockopt$sock_int(r0, 0x1, 0x12, 
&(0x7f0000000000)=0x4, 0x4) (async) syz_usb_connect(0x0, 0x46, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0xcc, 0x73, 0x9f, 0x20, 0x4a4, 0x14, 0xc957, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x34, 0x1, 0x0, 0x0, 0x80, 0x0, [{{0x9, 0x4, 0x13, 0x0, 0x3, 0x4, 0xce, 0x10, 0x0, [], [{{0x9, 0x5, 0x0, 0xc, 0x40, 0xa4, 0x8, 0x8}}, {{0x9, 0x5, 0x5, 0x2, 0x10, 0x3, 0xfc, 0x1, [@generic={0x7, 0x5, "910e3a85ea"}]}}, {{0x9, 0x5, 0x8, 0x3, 0x10, 0x7, 0x1}}]}}]}}]}}, 0x0) (async) 8.086873311s ago: executing program 5 (id=5277): prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) syz_init_net_socket$rose(0xb, 0x5, 0x0) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r3 = openat$dsp(0xffffffffffffff9c, &(0x7f00000003c0), 0x101a02, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) ioctl$ifreq_SIOCGIFINDEX_vcan(r4, 0x8933, &(0x7f00000000c0)={'vcan0\x00', 0x0}) r6 = socket$can_raw(0x1d, 0x3, 0x1) bind$can_raw(r6, &(0x7f0000000000)={0x1d, r5}, 0x10) ioctl$IOMMU_IOAS_ALLOC(0xffffffffffffffff, 0x3b81, &(0x7f0000000040)={0xc}) close_range(r3, 0xffffffffffffffff, 0x0) 8.039532732s ago: executing program 2 (id=5278): r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000280)={0x26, 'hash\x00', 0x0, 0x0, 'sha384-ssse3\x00'}, 0x58) r1 = accept4(r0, 0x0, 0x0, 0x0) recvmmsg$unix(r1, &(0x7f0000003700)=[{{0x0, 0x700, 0x0, 0x0, 0x0, 0x500}}], 0x600, 0x0, 0x0) r2 = socket$inet6(0xa, 0x2, 0x0) setsockopt$sock_int(r2, 0x1, 0x21, &(0x7f00000000c0)=0x4, 0x4) bind$inet6(r2, &(0x7f0000f5dfe4)={0xa, 0x4e20}, 0x1c) r3 = 
socket$kcm(0x10, 0x2, 0x4) close(r3) mmap(&(0x7f0000003000/0x2000)=nil, 0x2000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r4 = socket$can_j1939(0x1d, 0x2, 0x7) ioctl$ifreq_SIOCGIFINDEX_vcan(r4, 0x8933, &(0x7f0000000140)={'vcan0\x00', 0x0}) bind$can_j1939(r4, &(0x7f0000000100)={0x1d, r5}, 0x18) connect$can_j1939(r4, &(0x7f0000000080)={0x1d, r5, 0x0, {0x0, 0x1, 0x2}, 0xfe}, 0x18) sendmsg$can_j1939(r4, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)='.', 0x1a000}}, 0x0) sendmsg$inet(r3, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1f00c00e}, 0x0) syz_emit_ethernet(0xbe, &(0x7f0000000300)=ANY=[@ANYBLOB="aaaaaaaaaaaa0180c20000000800450000b0000000000011907864010101ac14142100004e20009c907801000000000000007b4b143b7461fd777b1c012bd14efb9f49fcdb8f080c26a04883ad5c8c82b8af584cbf2649a50f2dbc43efa869a8fa871c51852e4451b57d037ad3c045942824251d7d17b5191584cdd4fbe40a27424dbcfd56f1373669caaa2f19935e6996c7096ffe4f3a4745a8f762b9649a3bfbc1f39cb307b3472eb9cdb042d2643fcbb2c5a57df67d544af6e8dafe0974a6eaa4621c53d988df60"], 0x0) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) r6 = socket$packet(0x11, 0x2, 0x300) setsockopt$packet_fanout(r6, 0x107, 0x12, &(0x7f0000000140)={0x3, 0x6}, 0x4) r7 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r7, 0x0) setsockopt$packet_fanout_data(r6, 0x107, 0x16, &(0x7f0000000100)={0x0, 0x0}, 0x10) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000480)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='syzkaller\x00', 0x7, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0xfffffffffffffcc6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) unshare(0x6a040000) 
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000040)=@newlink={0x3c, 0x10, 0x401, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x137b}, [@IFLA_LINKINFO={0x14, 0x12, 0x0, 0x1, @geneve={{0xb}, {0x4}}}, @IFLA_NUM_TX_QUEUES={0x8, 0x1f, 0x9}]}, 0x3c}}, 0x0) 7.075162321s ago: executing program 5 (id=5282): sendmsg$ETHTOOL_MSG_LINKINFO_SET(0xffffffffffffffff, &(0x7f0000000500)={0x0, 0x0, &(0x7f00000004c0)={&(0x7f0000000000)=ANY=[], 0x3c}, 0x1, 0x0, 0x0, 0x20009005}, 0x2000c000) socket$inet6(0x10, 0x3, 0x0) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c000000190001000000000000000000021800000000fd000000ed0008000100ac141400"], 0x2c}}, 0x0) r0 = syz_init_net_socket$llc(0x1a, 0x2, 0x0) connect$llc(r0, &(0x7f0000000180)={0x1a, 0x0, 0x0, 0x8, 0x0, 0x0, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}}, 0x10) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000300)={0x8, 0x8b}, 0x0) sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) r1 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8) sendmsg$nl_generic(0xffffffffffffffff, 0x0, 0x5fe7ae19249375cf) getsockopt$inet6_IPV6_FLOWLABEL_MGR(0xffffffffffffffff, 0x29, 0x20, &(0x7f0000000100)={@ipv4={'\x00', '\xff\xff', @local}, 0x2, 0x2, 0x3, 0x0, 0x0, 0x4}, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x1, &(0x7f0000003500)={0x0, 0x3938700}) r2 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x3) clock_gettime(0x0, 0x0) setsockopt$IP_VS_SO_SET_ADD(0xffffffffffffffff, 0x0, 0x482, &(0x7f0000000040)={0x84, @empty, 0x4e20, 0x3, 'ovf\x00', 0x1, 0x2, 0x6f}, 0x2c) setsockopt$IP_VS_SO_SET_ADDDEST(0xffffffffffffffff, 0x0, 0x487, 0x0, 0x0) r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$sock_bt_hci(r3, 0x800448d7, 0x0) 
ioctl$FS_IOC_GETFSLABEL(r2, 0x400452c8, &(0x7f0000000100)) 6.587498108s ago: executing program 1 (id=5285): syz_open_dev$usbfs(&(0x7f0000000040), 0x20000007d, 0x0) read$watch_queue(0xffffffffffffffff, 0x0, 0x0) bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0xa, 0x6, &(0x7f0000000000)=ANY=[@ANYBLOB="050000000000731535"], 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x6, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='cpuacct.usage_percpu_user\x00', 0x275a, 0x0) write$binfmt_script(r2, &(0x7f0000000000), 0x208e24b) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000003, 0x28011, r2, 0x0) preadv(r2, &(0x7f00000015c0)=[{&(0x7f0000000080)=""/124, 0xffffff23}], 0x1, 0x0, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, 0x0}], 0x1, 0x44, 0x0, 0x0) ioctl$KVM_SET_FPU(r2, 0x41a0ae8d, &(0x7f0000000240)={'\x00', 0x4, 0x9, 0x99, 0x0, 0x0, 0x10000, 0x2, '\x00', 0xc94}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 5.986992641s ago: executing program 1 (id=5286): r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000008c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r1 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) 
sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x4) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x400000000000041, 0x0) sched_setaffinity(r1, 0x8, &(0x7f0000000240)=0x2) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) futex(0x0, 0xc, 0x1, 0x0, &(0x7f0000048000)=0x2, 0x0) r4 = socket$netlink(0x10, 0x3, 0x14) sendmsg$RDMA_NLDEV_CMD_NEWLINK(r4, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000001200)={&(0x7f00000004c0)={0x10, 0x1403, 0x1, 0x70bd2d}, 0x10}, 0x1, 0x0, 0x0, 0x854}, 0x0) socket$inet_smc(0x2b, 0x1, 0x0) r5 = openat$fb0(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) ioctl$FBIOPUT_VSCREENINFO(r5, 0x4601, &(0x7f0000000100)={0x400, 0x300, 0x10, 0x800, 0xbbbe, 0x0, 0x18, 0x0, {0x0, 0x0, 0x1}, {0x7, 0xfffffffd, 0xfffffffe}, {0x0, 0xffff0000}, {0x1000000}, 0x0, 0x3f0, 0x0, 0xd613, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}) r6 = openat$ttyS3(0xffffffffffffff9c, &(0x7f00000002c0), 0x40a00, 0x0) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) gettid() timer_create(0x0, 0x0, &(0x7f0000bbdffc)) timer_settime(0x0, 0x0, 0x0, 0x0) ioctl$TIOCMIWAIT(r6, 0x545c, 0x0) setsockopt$inet_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000300)={{0x14}, [@NFT_MSG_NEWRULE={0x60, 0x6, 0xa, 0x40b, 0x0, 0x0, {0x2}, [@NFTA_RULE_EXPRESSIONS={0x34, 0x4, 0x0, 0x1, [{0x30, 0x1, 0x0, 0x1, @nat={{0x8}, @val={0x24, 0x2, 0x0, 0x1, [@NFTA_NAT_FAMILY={0x8, 0x2, 0x1, 0x0, 0x2}, @NFTA_NAT_TYPE={0x8, 0x1, 0x1, 0x0, 0x1}, @NFTA_NAT_REG_ADDR_MAX={0x8, 0x4, 0x1, 0x0, 0x10}, @NFTA_NAT_REG_ADDR_MIN={0x8, 0x3, 0x1, 0x0, 0x3}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz2\x00'}]}], {0x14}}, 0x88}}, 0x0) 5.887645872s ago: executing 
program 4 (id=5287): unshare(0x22020600) r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) bind$bt_sco(r0, &(0x7f0000000000), 0x8) listen(r0, 0x0) socket$nl_xfrm(0x10, 0x3, 0x6) r1 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0) r2 = openat$cgroup_procs(r1, &(0x7f0000000140)='tasks\x00', 0x2, 0x0) sendmsg$NL80211_CMD_START_AP(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, 0x0}, 0x0) r3 = syz_init_net_socket$nfc_llcp(0x27, 0x2, 0x1) bind$bt_hci(r3, &(0x7f0000000000)={0x27}, 0x74) setsockopt$nfc_llcp_NFC_LLCP_MIUX(r3, 0x118, 0x1, 0x0, 0x0) mknod$loop(&(0x7f0000000180)='./file0\x00', 0x6000, 0x0) r4 = creat(&(0x7f0000000000)='./file0\x00', 0x0) syz_genetlink_get_family_id$batadv(&(0x7f0000000040), r4) semget$private(0x0, 0x3, 0x555) r5 = semget$private(0x0, 0x0, 0x587) semop(r5, 0x0, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x4) sched_setaffinity(0x0, 0xfffffdca, &(0x7f0000000200)=0x400000bce) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) r6 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r6, &(0x7f0000019680)=""/102392, 0x18ff8) ioctl$IOMMU_HWPT_ALLOC$TEST(0xffffffffffffffff, 0x3b89, &(0x7f00000002c0)={0x28, 0x3, 0x0, 0x0, 0x0, 0x0, 0xdead, 0x0, 0x0}) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)='nfsd\x00', 0x10, 0x0) io_uring_enter(0xffffffffffffffff, 0x2d3e, 0x0, 0x0, 0x0, 0x0) ioctl$BLKTRACESTART(r4, 0x1274, 0x0) write$cgroup_pid(r2, &(0x7f0000000100), 0x12) connect$bt_sco(r0, &(0x7f0000000100)={0x1f, @none}, 0x8) 4.907588311s ago: executing program 1 (id=5288): bpf$PROG_LOAD(0x5, &(0x7f0000000340)={0x3, 0xc, &(0x7f0000000000)=ANY=[@ANYBLOB="184fcc85b50000000000232c10f539b25727d162f0000000000000000000008500000061000000180100002020732500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703"], &(0x7f00000001c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, @fallback=0x13, 0xffffffffffffffff, 0x0, 
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$AUTOFS_DEV_IOCTL_EXPIRE(0xffffffffffffffff, 0xc018937c, &(0x7f0000000180)={{0x1, 0x1, 0x18, r1, {0x2}}, './file0\x00'}) socket$netlink(0x10, 0x3, 0x0) socketpair$unix(0x1, 0x1, 0x0, 0x0) mknodat$loop(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x6000, 0x0) stat(&(0x7f0000000100)='./file0\x00', &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0}) setreuid(r2, 0xee01) bpf$BPF_BTF_LOAD(0x12, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r3 = getpid() sched_setscheduler(r3, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r4, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r5, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r4, &(0x7f00000000c0), 0x10106, 0x2, 0x0) ioctl$PPPIOCSMRU(0xffffffffffffffff, 0x40047452, &(0x7f0000000040)=0x800) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x3, 0x3, &(0x7f0000000000)=@framed={{0x5, 0x0, 0x0, 0x0, 0x0, 0x73, 0x11, 0x9b}, [], {0x95, 0x0, 0x5a5}}, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x6, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) ioctl$VIDIOC_G_FMT(0xffffffffffffffff, 0xc0d05604, &(0x7f0000000680)={0x1, @pix={0x9, 0x6, 0x3234564e, 0x0, 0x7, 0x10001, 0x9, 0x0, 0x1, 0x9485f96dc9548d5d, 0x0, 0x6}}) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f00000000c0)={r3, 0xffffffffffffffff, 0x0, 0x4, &(0x7f0000000080)='\x00\x00\b\x00'}, 0x30) r6 = openat$cgroup_root(0xffffffffffffff9c, 0x0, 0x200002, 0x0) bpf$BPF_PROG_QUERY(0x10, &(0x7f0000000380)={@cgroup=r6, 0x2, 0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, 
0x0, 0x0, 0x0}, 0x40) modify_ldt$write(0x1, &(0x7f0000000280)={0x1001}, 0x10) sendmsg$nl_generic(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000440)={&(0x7f00000007c0)=ANY=[@ANYBLOB="280300002d00090027bd70000000000004000000130317"], 0x328}}, 0x84) preadv(0xffffffffffffffff, &(0x7f0000000300)=[{&(0x7f0000000500)=""/136, 0x88}, {&(0x7f00000005c0)=""/93, 0x5d}], 0x2, 0x200000, 0x0) bpf$TOKEN_CREATE(0x24, &(0x7f00000002c0)={0x0, r0}, 0x8) 4.761438234s ago: executing program 2 (id=5289): socket$nl_xfrm(0x10, 0x3, 0x6) keyctl$instantiate(0xc, 0x0, &(0x7f0000000700)=ANY=[@ANYRESOCT], 0x2d, 0xfffffffffffffff9) r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x11, 0x4, &(0x7f0000000100)=ANY=[@ANYBLOB="1a99b0e73ec2f29f1e2588881567d002c0f975faac92f5e92fd0a4651a117026af97b0f32c7e8ac3eacd8560cee3b8dea0948a62dc04856c508e"], &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x37, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000000)='sched_switch\x00', r0}, 0x18) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r1 = getpid() sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x101010, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r3, &(0x7f000057eff8)=@file={0x0, './file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'}, 0x6e) setpriority(0x1, 0xffffffffffffffff, 0x4) syz_open_dev$amidi(&(0x7f0000000140), 0x2, 0x182) prlimit64(0x0, 0xe, &(0x7f00000007c0)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0) r4 = 
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102) writev(r4, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2) ioperm(0x7, 0x81, 0x2) r5 = gettid() timer_create(0x7, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r5}, &(0x7f0000bbdffc)) timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0) r6 = open(&(0x7f00009e1000)='./file0\x00', 0x60840, 0x1d2) fcntl$setlease(r6, 0x400, 0x0) truncate(&(0x7f0000000040)='./file0\x00', 0x1000000) sendmmsg$unix(r3, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) creat(&(0x7f0000000580)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x0) 3.666129916s ago: executing program 2 (id=5292): mmap(&(0x7f0000000000/0xfbe000)=nil, 0xfbe000, 0x2, 0x31, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x2, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x409c884, &(0x7f0000000240)={0xa, 0x4e20, 0x0, @local}, 0x1c) sendto$inet6(r0, &(0x7f0000000780), 0x0, 0x6d91fb6102d8d9cc, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x5, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000100)=0x2) sched_setaffinity(0x0, 0x8, &(0x7f0000000200)=0x400000bce) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) r1 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r1, &(0x7f0000002000)=""/102400, 0x19000) chown(0x0, 0x0, 0xee01) creat(0x0, 0x0) r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000002c0)='/sys/power/resume', 0x141a82, 0x0) r3 = semget$private(0x0, 0x6, 0x0) semop(r3, &(0x7f00000000c0)=[{0x0, 0xc63e, 0x1000}, {0x4, 0x1}], 0x2) semctl$GETPID(r3, 0x3, 0xb, 0x0) write$cgroup_int(r2, &(0x7f0000000040)=0x900, 0x12) r4 = syz_io_uring_setup(0x85e, 0x0, &(0x7f0000000380)=0x0, 0x0) 
syz_memcpy_off$IO_URING_METADATA_GENERIC(r5, 0x4, &(0x7f0000000300)=0xfffffffc, 0x0, 0x4) io_uring_enter(r4, 0x47bc, 0x0, 0x0, 0x0, 0x0) prlimit64(0x0, 0x7, &(0x7f0000000080), 0x0) migrate_pages(0x0, 0x5, 0x0, 0x0) ioctl$PTP_SYS_OFFSET(0xffffffffffffffff, 0xc0403d08, 0xffffffffffffffff) sendto$inet6(r0, &(0x7f0000000000)='I', 0x1, 0x0, 0x0, 0x0) 3.571596926s ago: executing program 3 (id=5293): r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x11, 0x4, &(0x7f00000009c0)=ANY=[@ANYBLOB="18010000000000000000000000000000850000006d00000095"], &(0x7f0000000300)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000000)='sched_switch\x00', r0}, 0x18) bpf$PROG_LOAD(0x5, &(0x7f00002a0fb8)={0x7, 0x4, &(0x7f0000000080)=@framed={{0xffffff85, 0x0, 0x0, 0x0, 0x9e, 0x7b, 0xa, 0xff00}, [@call={0x71, 0x0, 0x18}, @exit, @map_fd, @jmp]}, &(0x7f0000000140)='GPL\x00', 0x2, 0xffa0, &(0x7f0000000180)=""/149, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x8, 0x0, 0x1e, 0x10, 0x0, 0x1e, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x2d) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x7) r1 = syz_open_dev$vbi(&(0x7f0000000000), 0x0, 0x2) ioctl$VIDIOC_REQBUFS(r1, 0xc0145608, &(0x7f0000000100)={0x1, 0x4, 0x3}) r2 = getpid() sched_setscheduler(r2, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbee2, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r3, &(0x7f000057eff8)=@abs={0x0, 0x0, 0x4e24}, 0x6e) sendmmsg$unix(r4, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r3, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) r5 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a) 
ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f0000000180)={'veth0_macvtap\x00', 0x0}) prctl$PR_SET_SECUREBITS(0x1c, 0x10) r7 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route(r7, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000001140)={&(0x7f0000000380)=ANY=[@ANYBLOB="8400000010000305000000040000000000000000", @ANYRES32=0x0, @ANYBLOB="1546010000000000540012800c0001006d6163766c616e0044000280060002000100000008000100010000000800030003000000080007000500000008000100100000000600020001000000100009800aef0400aaaaaaaaaa2e000008000500", @ANYRES32=r6], 0x84}}, 0x20008040) sendmsg$RDMA_NLDEV_CMD_STAT_SET(r7, &(0x7f00000003c0)={&(0x7f00000002c0)={0x10, 0x0, 0x0, 0x4}, 0xc, &(0x7f0000000380)={&(0x7f0000000340)={0x18, 0x1410, 0x400, 0x70bd29, 0x25dfdbff, "", [@RDMA_NLDEV_ATTR_STAT_COUNTER_ID={0x8}]}, 0x18}, 0x1, 0x0, 0x0, 0x4000800}, 0x4) r8 = socket$can_bcm(0x1d, 0x2, 0x2) ioctl$ifreq_SIOCGIFINDEX_vcan(r8, 0x8933, &(0x7f0000000100)={'vcan0\x00', 0x0}) connect$can_bcm(r8, &(0x7f00000000c0)={0x1d, r9}, 0x10) sendmsg$can_bcm(r8, &(0x7f0000001680)={0x0, 0x0, &(0x7f0000001640)={&(0x7f00000015c0)={0x1, 0x6, 0x8000, {}, {}, {0x1, 0x0, 0x1}, 0x1, @can={{0x1, 0x0, 0x1, 0x1}, 0x6, 0x2, 0x0, 0x0, "4a4faa7920a000ad"}}, 0x48}, 0x1, 0x0, 0x0, 0x4000}, 0x20008000) sendmsg$can_bcm(r8, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000340)={&(0x7f00000003c0)={0x1, 0x0, 0x0, {0x0, 0x2710}, {0x77359400}, {}, 0x1, @can={{}, 0x0, 0x0, 0x0, 0x0, "a5976ac6acd41fd8"}}, 0x48}}, 0x0) sendmsg$can_bcm(r8, &(0x7f0000003f40)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000001840)=ANY=[@ANYBLOB="01000000290b0000ffffffff00000000", @ANYRES64=0x0, @ANYRES64=0x0, @ANYRES64=0x0, @ANYRES64=0x0, @ANYBLOB="0100004001"], 0x80}}, 0x0) syz_open_dev$usbfs(&(0x7f0000000100), 0x76, 0x101b01) socket$nl_route(0x10, 0x3, 0x0) socket$packet(0x11, 0x2, 0x300) 2.53313817s ago: executing program 3 (id=5294): socket$inet_tcp(0x2, 0x1, 0x0) (async, rerun: 32) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) (rerun: 32) bind$inet6(r0, &(0x7f0000000180)={0xa, 0x4e22, 0x0, 
@loopback}, 0x58) (async) r1 = socket$igmp6(0xa, 0x3, 0x2) r2 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) ioctl$IOMMU_IOAS_ALLOC(r2, 0x3b81, &(0x7f00000000c0)={0xc, 0x0, 0x0}) ioctl$IOMMU_TEST_OP_MOCK_DOMAIN(r2, 0x3ba0, &(0x7f0000000100)={0x48, 0x2, r3}) ioctl$IOMMU_IOAS_MAP$PAGES(r2, 0x3b85, &(0x7f00000006c0)={0x28, 0x4, r3, 0x0, &(0x7f0000ffc000/0x2000)=nil, 0x2000, 0xfffffffffffffefe}) (async, rerun: 32) ioctl$IOMMU_IOAS_MAP$PAGES(r2, 0x3b85, &(0x7f0000000000)={0x28, 0x4, r3, 0x0, &(0x7f0000ffd000/0x1000)=nil, 0x1000, 0x8}) (async, rerun: 32) setsockopt$IP6T_SO_SET_REPLACE(r1, 0x29, 0x40, &(0x7f0000000180)=@raw={'raw\x00', 0x8, 0x3, 0x4a8, 0x0, 0xffffffff, 0xffffffff, 0x150, 0xffffffff, 0x3d8, 0xffffffff, 0xffffffff, 0x3d8, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0x128, 0x150, 0x0, {}, [@inet=@rpfilter={{0x28}}, @common=@inet=@hashlimit1={{0x58}, {'bond_slave_1\x00', {0x41, 0x1ff, 0x6, 0xb0e2, 0x10001, 0x84e, 0xfffffffb, 0x18, 0x8}, {0x1}}}]}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x508) syz_emit_ethernet(0x4a, &(0x7f0000000940)={@local, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x12}, @void, {@ipv6={0x86dd, @icmpv6={0x0, 0x6, "cb653e", 0x14, 0x3a, 0xff, @dev={0xfe, 0x80, '\x00', 0xff}, @private1={0xfc, 0x1, '\x00', 0x1}, {[], @ndisc_ns={0x87, 0x0, 0x0, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}}}}}}}, 0x0) openat$fuse(0xffffffffffffff9c, 0x0, 0x2, 0x0) (async) listen(r0, 0x5) (async, rerun: 64) mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0xa6) (async, rerun: 64) mount$tmpfs(0x0, 
&(0x7f0000000040)='./file0\x00', &(0x7f00000001c0), 0xc00, &(0x7f0000000700)=ANY=[@ANYBLOB="717500318deddb3a14b5756f74a7ce95380201615f696e6f64655f686172646c696d69743d372c00334c64b1cf8883ae818fe85c2658f57d8d59878473a6be3ddab31e0214e4307791dfa17667106a79292b4a96eab3a882efc10d"]) (async) accept4(r0, &(0x7f0000000240)=@x25, 0x0, 0x80800) r4 = socket$inet6_tcp(0xa, 0x1, 0x0) sendto$inet6(r4, 0x0, 0x0, 0x24040014, &(0x7f0000000000)={0xa, 0x4e22, 0x5, @empty}, 0x1c) r5 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r5, 0x6, 0x13, &(0x7f0000000040)=0x100000001, 0x4) (async) connect$inet6(r5, &(0x7f0000000080)={0xa, 0x0, 0xe0, @ipv4={'\x00', '\xff\xff', @remote}, 0xfffffffe}, 0x1c) r6 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r6, &(0x7f0000000140)=[{&(0x7f0000000900)="580000001400192340834b80040d8c560a066e0202ff000000010000000058000b4824ca945f64009400ff0325010ebc000000000000008000f0fffeffe809005300fff5dd00000010000200060c10000000010000000000", 0x58}], 0x1) socket$nl_generic(0x10, 0x3, 0x10) (async) mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x1c0) mknodat$loop(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x6004, 0x1) (async) mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file1/file3\x00', 0x1c2) (async, rerun: 64) r7 = landlock_create_ruleset(&(0x7f00000002c0)={0x6581}, 0x18, 0x0) (rerun: 64) landlock_restrict_self(r7, 0x0) (async) renameat2(0xffffffffffffff9c, &(0x7f0000000480)='./file1/file3\x00', 0xffffffffffffff9c, &(0x7f00000004c0)='./file0\x00', 0x2) 2.430022059s ago: executing program 5 (id=5295): r0 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$sock_int(r0, 0x1, 0x3c, &(0x7f0000000040)=0x1, 0xfff0) setsockopt$inet_tcp_TCP_REPAIR(r0, 0x6, 0x13, &(0x7f0000000100)=0x1, 0x4) connect$inet(r0, &(0x7f00000006c0)={0x2, 0x0, @empty}, 0x10) setsockopt$inet_tcp_TCP_REPAIR(r0, 0x6, 0x13, &(0x7f0000000900)=0xffffffffffffffff, 0x4) sendmmsg$inet(r0, &(0x7f0000000940)=[{{0x0, 0xf2ff, &(0x7f00000002c0)=[{&(0x7f00000004c0)="c8", 0x1}], 
0x1, &(0x7f0000000240)=ANY=[@ANYBLOB="1000"], 0x10}}], 0x1, 0x4000c50) 2.419234143s ago: executing program 2 (id=5296): mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup.net/syz0\x00', 0x1ff) r0 = creat(&(0x7f00000002c0)='./file0\x00', 0x0) r1 = open$dir(&(0x7f0000000080)='./file0\x00', 0x0, 0x0) mmap$xdp(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x0, 0x12, r1, 0x0) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0x2, 0x4, &(0x7f0000000200)=ANY=[@ANYBLOB="180000000300000000000000fe020010850000000700000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x100, 0x70, '\x00', 0x0, @fallback=0x30, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) r3 = socket(0x10, 0x3, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000240)) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000000)={'syz_tun\x00', 0x0}) sendmsg$nl_route_sched(r3, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000340)=@newqdisc={0x60, 0x24, 0xd0f, 0x70bd2d, 0x0, {0x60, 0x0, 0x0, r4, {0x0, 0xa}, {0xffff, 0xffff}, {0x0, 0xffff}}, [@qdisc_kind_options=@q_tbf={{0x8}, {0x34, 0x2, [@TCA_TBF_PARMS={0x28, 0x1, {{0x4, 0x2, 0x0, 0x0, 0x7, 0x8}, {0x12, 0x3, 0x0, 0x1, 0x8001, 0x400}, 0xa5, 0x4, 0x10000000}}, @TCA_TBF_BURST={0x8, 0x6, 0x8057}]}}]}, 0x60}}, 0x44080) socket$nl_xfrm(0x10, 0x3, 0x6) r5 = socket$inet6(0xa, 0x80002, 0x0) connect$inet6(r5, &(0x7f0000000080)={0xa, 0x4e23, 0x400, @ipv4={'\x00', '\xff\xff', @dev={0xac, 0x14, 0x14, 0x3b}}}, 0x1c) setsockopt$sock_linger(r5, 0x1, 0x3c, &(0x7f0000000180)={0x200000000000001}, 0x8) sendmmsg$inet6(r5, &(0x7f0000003cc0)=[{{0x0, 0x0, &(0x7f0000003980), 0x171}}], 0x400000000000172, 0x4001c00) write$qrtrtun(r0, &(0x7f0000000300)="05c164fd53fcb2e8", 0x8) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000005c0)={r2, 0x0, 0x30, 0x0, @val=@uprobe_multi={&(0x7f0000000140)='./file0\x00', &(0x7f00000001c0)=[0x7], 0x0, 0x0, 0x1}}, 0x40) r6 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='cpu.stat\x00', 
0x275a, 0x0) gettid() timer_create(0x7, &(0x7f0000533fa0)={0x0, 0x800010, 0x800000000004, @thr={&(0x7f00000003c0), &(0x7f0000000400)="9b07dc4c118baf649e5fda459ed1418befe1cc19bcfa9e6269cefc727fc4b4f3da7c1a35c4e9d5baad2ebe4023e105174efff482d141d5bc68b1e5a67738a5eee6d7364858374bf576e972c70af6af5fe310aa76575a1afef5f8807bcac436061235cb18178ac79d3de1435d279ea3849653e6bdec6dd394ca41f6d2dff5b011440f026930d19fa335f86882076a241e7cea870fa63c7fe65701a99e4c85eeb6e7df0d17497b121e3ba4bb7ea6defe34085b7a3c844ba1d279bbaa11ba0c375d226da114d937d4956d8551dbdf266a83f700"/220}}, &(0x7f0000bbdffc)) timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0) futex_waitv(&(0x7f0000001080)=[{0x3, &(0x7f0000001040)=0x3, 0x82}], 0x1, 0x0, &(0x7f0000001100)={0x77359400}, 0x1) mmap(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x1, 0x10012, r6, 0x10000) syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0) r7 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0) ioctl$KVM_CREATE_VM(r7, 0xae01, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x4c831, 0xffffffffffffffff, 0x0) mremap(&(0x7f0000000000/0x9000)=nil, 0x600600, 0x200000, 0x3, &(0x7f0000a00000/0x600000)=nil) r8 = syz_open_dev$tty1(0xc, 0x4, 0x1) ioctl$KDSKBLED(r8, 0x4b65, 0x6) openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0) 2.147821798s ago: executing program 5 (id=5297): r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000080), 0x4000000002a82, 0x0) r1 = dup(r0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000006, 0x28011, r1, 0x0) r2 = socket$rds(0x15, 0x5, 0x0) ioctl$sock_proto_private(r2, 0x89e1, &(0x7f0000001080)) (fail_nth: 1) 2.079503463s ago: executing program 3 (id=5298): r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f00000002c0)='/proc/sys/net/ipv4/vs/secure_tcp\x00', 0x2, 0x0) write$cgroup_int(r0, &(0x7f00000003c0)=0x2, 0x12) socket$inet6_sctp(0xa, 0x1, 0x84) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) bind$inet6(r0, &(0x7f00000002c0)={0xa, 0x4e23, 0x4, @initdev={0xfe, 0x88, '\x00', 0x5, 
0x0}, 0x8}, 0x1c) listen(0xffffffffffffffff, 0x4) setsockopt$inet_sctp6_SCTP_ENABLE_STREAM_RESET(r1, 0x84, 0x76, &(0x7f0000000140)={0x0, 0x5}, 0x8) r2 = socket$unix(0x1, 0x1, 0x0) bind$unix(r2, &(0x7f0000000180)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) listen(r2, 0x0) r3 = creat(&(0x7f0000000200)='./file1\x00', 0x12e) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000240)) r4 = bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000080)=ANY=[@ANYBLOB="b405000000000000711035000000000015000000000000009500000000000000"], &(0x7f0000003ff6)='GPL\x00', 0x5, 0xfd90, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x8, &(0x7f00000000c0), 0x366, 0x10, &(0x7f0000000000), 0x2b2, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x39) r5 = socket$packet(0x11, 0x3, 0x300) setsockopt$sock_attach_bpf(r5, 0x1, 0x32, &(0x7f0000000040)=r4, 0x4) syz_emit_ethernet(0x5e, &(0x7f0000000400)=ANY=[@ANYBLOB="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"], 0x0) r6 = socket$unix(0x1, 0x1, 0x0) r7 = landlock_create_ruleset(&(0x7f0000000040)={0x0, 0x3}, 0x10, 0x0) landlock_create_ruleset(&(0x7f0000000080)={0x9008, 0x1}, 0x18, 0x0) landlock_restrict_self(r7, 0x0) connect$unix(r6, &(0x7f0000000080)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) getsockopt$inet_sctp6_SCTP_STATUS(r0, 0x84, 0xe, &(0x7f0000000180)={0x0, 0xe, 0x7, 0x1, 0x140, 0x0, 0x2, 0xc, {0x0, @in={{0x2, 0x4e21, @broadcast}}, 0x10000, 0xe, 0x1, 0x7, 0x5}}, &(0x7f00000000c0)=0xb0) syz_io_uring_setup(0xfb, &(0x7f00000003c0)={0x0, 0x0, 0x10100}, &(0x7f00000000c0), &(0x7f0000000100)) pipe(&(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) vmsplice(r9, &(0x7f0000000bc0)=[{&(0x7f0000000c00)="6e80000000000100000000000000000000000c812b3e15a4a16f9874c94d1a20a6e5ebd8b1c39b0bd4374167ff128e02061915a3d62755f3", 0x38}], 0x1, 0xb) r10 = socket$inet(0x2, 0x3, 0x7f) bind$inet(r10, &(0x7f0000000000)={0x2, 0x0, @local}, 0x10) setsockopt$inet_int(r3, 0x0, 0x3, 
&(0x7f0000000080)=0xc8, 0x4) connect$inet(r10, &(0x7f0000000040)={0x2, 0x3, @multicast1}, 0x10) splice(r8, 0x0, r10, 0x0, 0x8000, 0x0) 1.564578418s ago: executing program 3 (id=5299): openat$drirender128(0xffffffffffffff9c, &(0x7f0000000100), 0x200, 0x0) ioctl$DRM_IOCTL_MODE_GETCRTC(0xffffffffffffffff, 0xc06864a1, &(0x7f0000000180)={&(0x7f0000000140)=[0x0, 0x0, 0x0, 0x0], 0x4}) ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(0xffffffffffffffff, 0xc00c642e, &(0x7f0000000200)) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, &(0x7f0000000240)) socket$kcm(0x29, 0x5, 0x0) mkdirat(0xffffffffffffff9c, 0x0, 0x0) mkdirat(0xffffffffffffffff, 0x0, 0x0) memfd_secret(0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x4) sched_setaffinity(0x0, 0xfffffdca, &(0x7f0000000200)=0x400000bce) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) r0 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, 0x0, 0x0) read$msr(r0, &(0x7f0000019680)=""/102392, 0x18ff8) r1 = socket$inet6_sctp(0xa, 0x1, 0x84) socket$nl_xfrm(0x10, 0x3, 0x6) r2 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r2, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000280)=ANY=[@ANYBLOB="fc00000019000100000000000000000000000000000000000000000000000000fc01000000000000000000000000000000000000000000000a00000000000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000b93760000000000000000000000000000000000000000000200000000000000010000000000000044000500ac141400000000000000000000000000000000003c00000000000000000000000000000000000000000000000000000001"], 0xfc}, 0x1, 0x0, 0x0, 0x24008040}, 0x20040000) sendto$inet6(r1, &(0x7f0000000240)="8a", 0x1, 0x51, &(0x7f0000000080)={0xa, 0x3, 0x1, @local, 0x9}, 0x1c) 1.511756419s ago: executing program 5 (id=5300): 
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000040)={0x14, 0x3e, 0x107, 0xfffffffe, 0x0, {0x1, 0x7c}}, 0x14}, 0x1, 0x0, 0x0, 0x4048011}, 0xc000) r0 = socket$l2tp(0x2, 0x2, 0x73) r1 = syz_usb_connect(0x0, 0x5a, &(0x7f0000000080)=ANY=[@ANYBLOB="1201000060f94d100d05020027230102030109024840020000000009047d04031d5abf0009050400005539000009050b00000000000009050200000005000009047d01013481af0009a00e00230000690009047dbe"], 0x0) syz_usb_control_io$uac1(r1, 0x0, 0x0) syz_usb_control_io$cdc_ecm(r1, 0x0, 0x0) syz_usb_control_io(r1, 0x0, 0x0) syz_usb_control_io$cdc_ecm(r1, 0x0, &(0x7f0000000380)={0x1c, &(0x7f00000001c0)={0x0, 0xc}, 0x0, 0x0}) r2 = socket(0x10, 0x3, 0x0) bind$inet6(r2, &(0x7f0000000100)={0xa, 0x4e20, 0x8, @empty, 0x1}, 0x1c) setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f00000001c0)={0x5813}, 0x10) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000002c0)=ANY=[@ANYBLOB="240000001e008d2a2abd7000fbdbdf250a0000", @ANYRES32=0x0, @ANYBLOB="00000006"], 0x24}}, 0x0) bind$inet(r0, &(0x7f0000000080)={0x2, 0x0, @multicast1}, 0x10) r3 = socket$kcm(0x2, 0x2, 0x73) bind$inet(r3, &(0x7f00000000c0)={0x2, 0x4e22, @broadcast}, 0x10) r4 = socket$kcm(0x2, 0x2, 0x73) bind$inet(r4, &(0x7f0000000040)={0x2, 0x4e22, @empty=0xffffffff}, 0x10) 1.329752999s ago: executing program 3 (id=5301): syz_usb_control_io(0xffffffffffffffff, 0x0, &(0x7f0000001740)={0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000040)={0x40, 0x19, 0x2, "0200"}, 0x0, 0x0, 0x0, 0x0}) bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x3, 0x16, &(0x7f0000000780)=ANY=[@ANYBLOB="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"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0xffffffffffffffd2, 0x10, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48) add_key(&(0x7f0000000000)='asymmetric\x00', 0x0, 
&(0x7f0000000080)="dfd9", 0x2, 0xfffffffffffffffb) r0 = socket(0x2a, 0x2, 0x0) ioctl$sock_inet_SIOCGIFDSTADDR(r0, 0x8917, 0x0) r1 = syz_usb_connect$printer(0x2, 0x36, &(0x7f0000000080)={{0x12, 0x1, 0x310, 0x0, 0x0, 0x0, 0x40, 0x525, 0xa4a8, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x1, 0xfd, 0x0, 0x2, [{{0x9, 0x4, 0x0, 0x8, 0x1, 0x7, 0x1, 0x2, 0xfa, "", {{{0x9, 0x5, 0x1, 0x2, 0x10, 0x2, 0x1, 0x5}}, [{{0x9, 0x5, 0x82, 0x2, 0x200, 0xa5, 0xbf, 0x2}}]}}}]}}]}}, &(0x7f00000004c0)={0xa, &(0x7f00000000c0)={0xa, 0x6, 0x110, 0x2, 0x81, 0x81, 0x8, 0x40}, 0x19, &(0x7f0000000100)={0x5, 0xf, 0x19, 0x1, [@ss_container_id={0x14, 0x10, 0x4, 0x1, "060dd1002bd589e484d4467f5cd5f690"}]}, 0x9, [{0x4, &(0x7f0000000140)=@lang_id={0x4, 0x3, 0x425}}, {0x4, &(0x7f0000000180)=@lang_id={0x4, 0x3, 0x280a}}, {0x4, &(0x7f00000001c0)=@lang_id={0x4, 0x3, 0x3801}}, {0x50, &(0x7f0000000200)=@string={0x50, 0x3, "71441b89f310d52a6b231a82c7b2b7ad3f4e9e1e378d7b28e087f32417cf12f8d89affeab85c18c8041eb912e2f84a08d707b1252fc6c5ec061cff7a37a4cc3476fc3474d57f5dbf81fd13d2890a"}}, {0x4, &(0x7f0000000280)=@lang_id={0x4, 0x3, 0x380a}}, {0xf0, &(0x7f00000002c0)=@string={0xf0, 0x3, "d51052b39f4bfff5db1d430bb590797c93dccf56cf430ca4450cfe2c9e7e2cc0091be6b7f7200a172de0542756693bff3e1099183face77647f74695b017545c6569fec6fb67d30d901b7db5e9e8361924489a7919d1639f96da16eca365fe73e61dd2afb8105145f719296b7c70d9d50cfb611e0ad044a68235186aa51ba021787e20164afec20202ebc1a1dd22c7b613bb10d7306a8217a026b9552ac18ee018f868f4357012bfe7e0447c3d695463efcbf49853e2a2cda6e8973a77bb8648deee9bdcefe9b8b0679e91f1c109edd88e7b3e1cf27b25292e226f699dc0eced3bf2ba04c9cc2d33911a1657ce8c"}}, {0x1d, &(0x7f00000003c0)=ANY=[@ANYBLOB="1d86b7113e0fe6790046d848b3b78f746a93ddc5c3"]}, {0x4, &(0x7f0000000400)=@lang_id={0x4, 0x3, 0x807}}, {0x73, &(0x7f0000000440)=@string={0x73, 0x3, 
"6c81afcb88ed8f013d6472631cb65eb4516324cd27cb7b78c9529cd6ff8e228ff50f803d8cb2eb5fc06145793207dfdefcc5ffbad38d1e540291ea80bbe991840589c2823de4abe403db69e9d600cb8b1c447cd04db9770cd5f43ddcc60ea627f74b5abbaf26ef09fae39292d923fc7896"}}]}) r2 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r3 = syz_genetlink_get_family_id$netlbl_mgmt(&(0x7f0000000780), r2) sendmsg$NLBL_MGMT_C_ADD(r2, &(0x7f0000000d80)={0x0, 0x0, &(0x7f0000000d40)={&(0x7f00000005c0)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r3, @ANYBLOB="0100000040000000000001000000080008000a010100080007000a01010105000100000000000800020005"], 0x34}}, 0x0) syz_usb_control_io$printer(r1, &(0x7f0000000640)={0x14, &(0x7f0000000dc0)=ANY=[@ANYBLOB="00214200000042011ad054e565e0b3cb5a07ea902567c4ef89894de953d69f8cebd0e9e94fbedb7ecebb0c39399c32ba457860a31bda6ec48c3949425c3a79cf3e1f9798036c8b9c22b4da2dffe5d5e8"], &(0x7f0000000600)={0x0, 0x3, 0x8, @string={0x8, 0x3, "56518a616002"}}}, &(0x7f0000000900)={0x34, &(0x7f0000000680)={0x0, 0x11, 0xbe, "11e94b7dccaa56f5955995208c3ccebf59eaed64eedb219215a241044ee510e511605b10666e3db3b832fcfc50e86327656f14ab7eca645949cb73a5ec190569901d2e9957ff5a3a2c7e4dfb413eb658b8d57ac5c65b2a867c7100886bbd80e3428d0591eaad5c6708b1e4603228d7a13d335b34917ae1a6058ef274256096b8383fa644d83061517bfceb38a4cdde0f2493bd2eb03e252caee2058f2b0838f42bab18cfe4efdeb5d208ac1deb3a07379a63248b7908fa8677d0f1d2c73f"}, &(0x7f0000000780)={0x0, 0xa, 0x1, 0x10}, &(0x7f00000007c0)={0x0, 0x8, 0x1, 0x81}, &(0x7f0000000800)={0x20, 0x0, 0x4b, {0x49, "507d741c8a7e944ce4b1f4d17cf1e66926ab441a8702bcaee8a8c5b33825e40abd38fed9ef01e8c0aa287e5512f16a0c9a39906ca517ed4b0d58d7157c521f64b2051fbb8f8b923739"}}, &(0x7f0000000880)={0x20, 0x1, 0x1, 0xe}, &(0x7f00000008c0)={0x20, 0x0, 0x1, 0x8}}) r4 = syz_open_dev$evdev(&(0x7f0000000000), 0x0, 0x0) r5 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r6 = syz_genetlink_get_family_id$nl802154(&(0x7f0000000b40), r2) ioctl$sock_SIOCGIFINDEX_802154(r2, 0x8933, &(0x7f0000000b80)={'wpan0\x00', 0x0}) 
ioctl$sock_SIOCGIFINDEX_802154(r2, 0x8933, &(0x7f0000000bc0)={'wpan3\x00', 0x0}) sendmsg$NL802154_CMD_NEW_SEC_LEVEL(r5, &(0x7f0000000cc0)={&(0x7f0000000b00)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000c80)={&(0x7f0000000c00)={0x44, r6, 0x400, 0x70bd2d, 0x25dfdbfc, {}, [@NL802154_ATTR_IFINDEX={0x8, 0x3, r7}, @NL802154_ATTR_IFINDEX={0x8}, @NL802154_ATTR_IFINDEX={0x8, 0x3, r8}, @NL802154_ATTR_WPAN_DEV={0xc, 0x6, 0x200000002}, @NL802154_ATTR_WPAN_DEV={0xc, 0x6, 0x300000003}]}, 0x44}, 0x1, 0x0, 0x0, 0x40010}, 0x40000) syz_usb_disconnect(r4) syz_usb_connect(0x4, 0x1b, &(0x7f0000000200)=ANY=[], 0x0) ioctl$EVIOCRMFF(r4, 0xc0085508, &(0x7f0000000040)=0x3) rt_sigaction(0x6, &(0x7f00000009c0)={&(0x7f0000000940)="c4c19854510e8fa818871a54c4018967e9dac4c46203f768452ef30fae75f2c4414f5f338f897880f2c4a121deb10f000000c482ed90442a32", 0x80000000, &(0x7f0000000980)="c4e125670343f615f2ffff7f66410fd2afe7070000c4e1fd2b9affefffff4598c4e11ded7000c402fd2026c4a2298c8cd658000000660f1ac0c4624d0be9", {[0x6]}}, &(0x7f0000000a80)={&(0x7f0000000a00)="c481b173d30bf30f5a44a30e0f71e300f0470fbb5500c4417d6fc767f0f71fc4c279339e00000000c442a1ad617c3e36f390c4412d5436", 0x0, &(0x7f0000000a40)="f0468003ffc4617d73d000f26fc423fd09a6001000024965f20f11b56600d32a660f66338f49c801c866440f47340cc481e15e6df9c4233506606afe"}, 0x8, &(0x7f0000000ac0)) 1.313526401s ago: executing program 2 (id=5302): r0 = socket(0x2a, 0x2, 0xffffffff) getsockname$packet(r0, &(0x7f0000000200)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, 0x0}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000080)=@newtfilter={0x2c, 0x2c, 0xd27, 0x70bf29, 0x0, {0x0, 0x0, 0x0, r1, {}, {}, {0x2}}, [@TCA_RATE={0x6, 0x5, {0x8, 0x9}}]}, 0x2c}}, 0x4) socket$netlink(0x10, 0x3, 0x0) socket$packet(0x11, 0x2, 0x300) r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/power/pm_trace', 0x260102, 0x81) r3 = openat$kvm(0xffffffffffffff9c, 
&(0x7f0000000000), 0x0, 0x0) ioctl$BTRFS_IOC_RM_DEV(0xffffffffffffffff, 0x5000940b, &(0x7f0000000a80)={{}, "fad7b9428d93038f63c4dafa1da7e07527fe756bde6d960d81bfd34ba5cca803ad5bdebe227152d43a607faa0dc407fc189b0d7e7468ab55f146ff0337aed82849987da5e1ab963dda992d377e4eacce0e342581ab9962694df4a98aef6d7813fb8b796948ff95415e9d71a47ede207b1794f624b034487af5832e243034017f4f93e15abf71e2dc1e26f97de375b5a1f1a24f98467d2d07d33c06c55c3f89c8d5282a18faedb7595cdedc33c345c89deca5b925cf8467200094111705e71154b451ed8407d1c89255b27d9b243d3a333b099595c33db04682ac22a418c49f5c39a0918c015e8393d2cb7c20feb2c54c82b6387812412e3237e938369453e1e8030d49fcd1c91bf36f2422d1a72f49b31ec3889ebc0d28c929b0c6736f00b53b9ccfd3934a7d933a8202fd2bdb2a8b0d58d6180c1a69b7fb41255ce92795786d10a8c7d9e4f680517f4e34b1e8f884e81e09bd5ec5ecf38b7b8f1637afb0aee0e708c4074eec24e3141b9e12ced6b4beaedec6d55dbae69d5a63142b3e81997458d7151a84d0d7cd4ebd25d24f3d2a3b4c403ab707fe38aa61cab1b070d4730625f76dc37f201e8698204637fe62fe52ed11ae0d8f98f69d4f92762bcba03b8b42feeca7a9fa9300ca4759ff9d7e9162479f954b1316775fcbfc6640b91dd1cb976ceaf2f9f28040ecfdc0e28bb9705a1b985274c7d08bd96aacd6a00f865f3a22f86ef2ace146c4f40bb20798e0bc2db4ce62f0873c09a85e7892729489a7b9c8c9a2939812595942b1ca2d3260315bc723ac2edf24d88f0f49d586a8065817ad936dc8161e438eb5b845df96b2c9a56eb7535ee9e255f41def5d9e9720857fbfd84b4bf1c97c574f568933df8f25d6df5d74a374e4f9a6a2e76644df77da621a8c9ce947af8f20feda0e22ef467eb210665589823025c9144ec05d80276574d3cae61c639d3b12438e012ffe1ca3823b4b79185ce1896b7a41aa36a47776fade667af70c25d9543bc036f40aec1c521f39239cdbf2748883f86b89349ffee1f528f955bdf6f29686c57a49b66ebfc26ee604316f27f9547cf3c21c221581458246b04d627e29e8b846e099e5d8234ce0db1d3e77130147580622b8eeaa34707ea25369c250ce5f5adc14b7afcfbce3c25e5e65d04858dc056456e2f2d2bd6afb59afae8d63b7ab5b8b6ad3386d52dbcee60c7f0945517a77edeeda33789acdb3b7b3242704d6c51940c004cde1d3a342477607581a92a50716caf93495cbc1a6b2f1be20081f7ba8a013416e6b8433383299b752feabd1455bc336b868b38f5ad73f397f0381a51748ffa8550510837d91
28ab095629b7a159c6b0dfadfd8a8bff53c80481c59d861954790c593524d8a53cd8b2f2c234b850ec7576a46074293453a86cb3c0c346a8cbbac65eda4a2130e00053f5a054603776ea1d2975e4badbaa83518dad9274c22ac17f20686f56315340e5581c787a2f71ab3a2063664bcc82c7380a13cc8eb106c036800c7b0f14ed667f39af9a5cc01dcdd5809b534fad505858508845d9c547e19c632cd8024ecd777e193c2258312b7a5998a875d33dd8b861500946852af487bbefa54e9b16a83b6131ac343eacb2558e759a9b6ce5db0f1ab173d457d144fd5a65f092e553e1d0e3f9972ec57d27bb48c78332c7a6fab0d5958c61898b3a5ae8810e2246ae36291cd5f79f9475e697c9da84d05cc8dc197485ad790d2a8da5400583dce8ffa3c8adfe276884ed5d33f0e7bc4fb1748e83884213c10ec673dbbbf55670da7fbdd6d8927cd41106064ce22cd2ae14084c439e8f07e4e261667507c0acb03033f30665dbf928d31ff9cf38f61a46d6d1286065bfad5839b0247c975673839f6f685ebaad9396c5f93b3a5f346202a40969ab5c72d0355fd609d33b9443093a53dfbf8052a405389ce269f71da8ae1fb39b30f6a701f56838ca11527de58850f17b4fcc6397614da8e2e331f06024f1ee7f6a8b2f910711526361244a585dfacb4bab57738d7938adb436cf17cfeceb95016e339aa5f2ba30515f289ba35118d32504f52710044e78666dd2834fc2d9fad35e2df29b10e0557ab4789c7dc718d2d03434062bb58fd824c13a0bc6298ed9bdc3d0cc79d008972fcc9f751af4824b2be0823313581cd2fd2b436f84b14719b93dd95a38941c11af5b51f3b0503f3db3569ac847a93ea9124622044b37b083fcf8882a788041289905296e1bf2eb12aadb5228f366a925269a20f7ca9db7f317d5117a70d93f90b402993a7f84328409bda0fdc6306dd5c126fdb179fde4e4d7314d2ee419c8635e62895f8dffdf73f38188121f7b24dae40531b6e43054d3b9b459df2f2613536819643e6b7038de55ffa43bc9edc72e2038e2bf9da70a4a24a3fce0b8673f7f8f5099fcf0d23ab90c7f8770bdfd23e6aaabf7d110768ff08c8754ff6d962e43ff215d78d2ebd882353490da27dabd92ab08291338eaacf3e1ebe6a7da8286d3d57e272b9eac7c70a9a1bd67fb3f4e3052779422a7e19b7cfb01760f949ce4562ce5ad5292cb607e42d513d1facd0903a87836d5c30c181b5728db474154d3cb4e524ba5e03336534ca9f6b093fd6d9e5b89ede5becc677996321d65e9022d1c00e2907767a51c75c9f0688e4e82e045dc972e6be8948c7fc8a84ca8e1a992d44ac8e7a962a931d8eb3d0c4756b838c1339758a4a563d108d35940366b582c48567b5ca539839fbd327361ed76f4204f
8ec84ec6401079a189b271747129c3d0025ccc25c9d7fbea0aa4f6a0e5f10422e9866e42ab0f86d6e9022688652536eef7fd28dc5961670a4058eaec61ba3e11273111be9cc3da57edc16321e1382d20f4cf52827032b5f79e395e742113303b0aa595f7188a417ddfdc3b6259b56f9f8f7b133774bfb5c181f1288713e3144ac4ff69fc146cc633dc70c8aee1da2384b72115b49cdbdfe9508b2e06fcd02df78d895e12cf6f0cf4171c7570809b949c6bfbff07da4018935a186630be06d42a4844521428afbed6b3a34aa0226a948fa12e8bdfbb27d13fd5627093511f52a51a6dcd33e0122d2dd1736885c797e1d1c65c06739790767be42582349c147d52e377732742f176b79243edd2c6b585d5512702ce4a7395835e2ab038a5deff84f7ff0d4622aebcd31c58d2dbbaad54638473e5fb428b827a577215460489001af429b40d0dae3521be9a381913740ea72a8b707d2ed4a12f5791fc2d0ea9674d59d68ff02a7b7dda9b9a1917db6093bf8ba4a186c952434dfd664cf9607d9b194b874c24ad03b04148d6f1951d4127146b22783be7eceefc686c4bef899e6cce8ce1344e9e49cfc0d43633098983a40276b4b4fcbe4ce0b695d58471afcfcce714ff1da6e975bd1494d127fbcda25c0110f596e4e0882e01acc674446d2c6e3d08d8034eebd4432968b1aab2e825eba0f76612ae6617667ad6c823fb8234363d5bb341c440fe0a0cad018b6c36ca317e3473eedbcc5f6740a7fad23b55a6fb626d8093ea62d6f35d2babd391e138b24a4ddfa86fef5487a710289f2994f36e87fadd178a5e139455d398a8809e30d2569650ceee90ad6b68942087ae0e33c49c6f7952b08da8762be2c9066e56d27a69a926fc58c82565877e913bff08e0827c45f9e74c964f282d5023efb21e976b93177464a686150ef09a32c352505c534e467ce014fec144dbbdcc8e2d28b6bf619ddf63a48054406dfa33aa541cb9beafa70cabcd8600cabf93d138de261f6f5b63273691669e363e06bc583bdee1ed210179f2ab50a6bc0a727475551e90b0265e1e8ca02acabe93b596b7a782151d792a5679e21e730b7e964c38a49717d0a1385bbb1b0459916424133149720bf47ac38687178a8b351ae3f29bf4a6ea369c90f85f4f123416c8c09c3f25b133ddcdb71b1289821d81581b78ae66c075c535e30151ae1bd48e787b55cc45951c83b5ce097711df0764feab81f24d63940915c471479c24222bd5569201ac4c56577168b76c1f0684f981df516cf5ac5d4307ef2bf429d818c9809f6669f43b1eb160bdcb817154bc36cd8bd24cd6c75e037edab6fa0fe9a0f19b6dbaf99dd68f0318382ccf8d20fe2fdc08134a86b5b0794a534992751fca4ec726dfca985cc239bae2b04ce49416e07e
14f752767d05f6584479b5da973fa22477be64fef48b5f3c07936c2be9fa8b92c9e8a0412a2718932edf53382efe2aa1531bbde87363fee5a15501a490c16d26354c0ffeeccf0d05705a6b68a0b88de1e15736092014273f7494474a24555e7e7a6b4e274a9dd4d534cac979a0e99758203f74309af7b221e925c592ad25e13c7907c1030fc79bb728bce4437047470cf97ebc48f45ef67695585caa73178057802a24e3e4fea0a55111275c738d2b09aa7e7a00e91be43ee507b6533c6c6e9d1848e708240d7547b08bb9121fc024caed12805a0a8bfb72f72c6787b760ccd3657328507050f8ad3e348597b38685ad6d44125266382dbf433a9628c548f89eea1691e92fc755502e4656d2faa2077ab1d749a3d2d0543cd5248db49cdb1a60f006ec8cb5b3ecfc1b6b38ed802a6885c6733dbdfbe9d6c0a0daacda38f9bdbd728bfae407e2be620cd8e66743c70073e38e87ede0daf00e7e6205bc0f5cc3ff5657ad559ad13a865d01357215e2e813153212d13d6817ff2badace7edac682ea459e30b476b98ea7ca540c9ec3f8a0550ab51340e04425e3eb0d36fcfa6612bfe947263322afb876ef4a86edf8adf41f4bf4fd617c2cc57c0639baa79f4e6468258e53b76ae51c83f37b6d128cbe4eaf3e58e7d24a7c24451289c991984bed04ce060e4ee13a0c0e43fc98baae2352366672075a6c8c26165aa538b1bac0765ffda39bfafaa401cea38646e418fc99704540acd08e128121bb0b8ab8e316f924cfdae1002d54e2ef3cf3477558d77881beaa3c31cb9cc2429eaf858ebaf06709910faf26d7433290a3250cca586c0e49c3d2456a6409da11259bc7b7e2345146a360404f3d7333487343d9dfbb2813bbeba56a1e1f90d421aca2d1e6ca075b1fcb5733df856fc45de7fe5dbe6174ebc4a6241576e46503a3f7e4ad18b5965c0525faa3d031b09b2b9aa1874285c874382359e93775a69701bb63fccc33d095aac42e79a74ec9700218add3c93114c0686f6897f3228cf3bee05ca63f709075df1b5e89e44c05feb00356c0de06190b84e09285443e58a361840e93da22a3ab64d8a4a0474466d13738c07c71847b6b2e47adb22db94e92524a08ca0dbb02de2e0eb5c2edb7e29d89ed5c2d76bb2fc5da5cd57b89bfd47465b5a57ebd72261ddfb443a141415670a59ae82acde715d73b4ab62602b9a347764a05a15159d25abfa2e26531efc90cce8692bb61d859ef6ecb4d9d6d44813085915e8d97916127241aa470b55cdf629ad52b7ad48d4253b2539726f26cf169c208a591ed4a3d4c0474446493a2da85d1226e58d988bcd484ed94d8b18f3298815be6627d1eb5bde9a2f8a3864b2e0c772502854afab501e8cbf1425028bebc3aece71cae8fc40f1606902d0ebcb124b
e02fcfb6a2810f580942e9f6a2871f9e9bd4a43bb3428c8e4cc16c5b7f3f6cf92bc0aec8c7826c2e759d6062c7409e2e770e3780bbff8e390bc9b551d12c5d295dda72b46cbf9a20c76f6881d69ec27a003b6edb5b2983483d06b246cc3cbd2c8524e601ce0d45c7441bb9e1dcd676ccb5ac3a9e59e6d65c4eee6b120b6bb71eafc80f9ca5de3529ff04fc2f3546"}) r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) add_key$user(&(0x7f0000000080), 0x0, 0x0, 0x0, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f00000000c0)={0x10201, 0x2, 0x2, 0x2000, &(0x7f0000016000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000040)=[@text64={0x40, 0x0}], 0x1, 0x11, 0x0, 0x0) ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0) r5 = socket$inet6_sctp(0xa, 0x5, 0x84) r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0) r7 = dup(0xffffffffffffffff) ioctl$KVM_SET_MSRS(r7, 0xc008ae88, &(0x7f00000007c0)=ANY=[@ANYBLOB="3b00000000000000800500"]) r8 = socket$inet6(0xa, 0x3, 0x8000000003c) connect$inet6(r8, &(0x7f0000000140)={0xa, 0x0, 0x0, @empty, 0x8}, 0x1c) setsockopt$IP6T_SO_SET_REPLACE(r5, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x408, 0xd0, 0xffffffff, 0xffffffff, 0xd0, 0xffffffff, 0x338, 0xffffffff, 0xffffffff, 0x338, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'dvmrp0\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00', {}, {}, 0x0, 0x0, 0x0, 0x30}, 0x0, 0x238, 0x268, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@rt={{0x138}, {0xf, [0xd, 0x4], 0x0, 0x4, 0x6, [@empty, @private0, @loopback, @ipv4={'\x00', '\xff\xff', @loopback}, @initdev={0xfe, 0x88, '\x00', 0x1, 0x0}, @empty, @mcast2, @empty, @dev={0xfe, 0x80, '\x00', 0x2d}, @mcast2, @mcast2, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @mcast1, @loopback, @loopback, 
@mcast2], 0xa}}]}, @common=@unspec=@CONNMARK={0x30, 'CONNMARK\x00', 0x1, {0x0, 0x200}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x468) sendmsg(r8, &(0x7f00000000c0)={0x0, 0x9588, &(0x7f0000000100)=[{&(0x7f0000000000)="2c10", 0xffd8}], 0x1, 0x0, 0x0, 0x2c}, 0x44004) (fail_nth: 2) ioctl$SIOCX25GDTEFACILITIES(r2, 0x89ea, 0x0) 639.958214ms ago: executing program 1 (id=5303): r0 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000080), 0x141402) syz_open_dev$sndpcmp(&(0x7f00000001c0), 0x2, 0xed81) pipe2$watch_queue(&(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}, 0x80) getsockname$packet(r1, 0x0, 0x0) bpf$BPF_MAP_LOOKUP_AND_DELETE_ELEM(0x15, &(0x7f0000000040)={r1, &(0x7f0000000000)="0e852241c767e04da8537cddaf2c41ec39d4459026598e5c7d6b0a7d7a292fcd2d0f8b09d6efac7b983a13c28df3", &(0x7f00000000c0)=""/152, 0x127a04150f27fc06}, 0x20) ioctl$SNDRV_TIMER_IOCTL_PARAMS(r0, 0xc0505405, &(0x7f0000000280)={0x3}) 628.826484ms ago: executing program 1 (id=5304): r0 = socket(0x2, 0x80805, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000000)={0x0, 0x10, &(0x7f0000001100)=[@in={0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}]}, &(0x7f0000000180)=0x10) getsockopt$inet_sctp_SCTP_MAX_BURST(r0, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={0x0}, &(0x7f0000001080)=0x8) getsockopt$inet_sctp_SCTP_PEER_AUTH_CHUNKS(r0, 0x84, 0x1a, &(0x7f0000000040)={r1}, &(0x7f00000000c0)=0x8) ioctl$AUTOFS_DEV_IOCTL_PROTOVER(0xffffffffffffffff, 0xc0189372, &(0x7f0000000080)={{0x1, 0x1, 0x18, 0xffffffffffffffff, {0x4787}}, './file0\x00'}) r3 = openat$iommufd(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0) ioctl$IOMMU_IOAS_ALLOC(r3, 0x3b81, &(0x7f0000000400)={0xc, 0x0, 0x0}) ioctl$IOMMU_IOAS_MAP$PAGES(r3, 0x3b85, &(0x7f0000000140)={0x28, 0x6, r4, 0x0, &(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x800}) ioctl$IOMMU_IOAS_MAP$PAGES(r3, 0x3b85, &(0x7f0000000000)={0x28, 0x4, r4, 0x0, &(0x7f00004f9000/0x3000)=nil, 0x3000}) ioctl$IOMMU_IOAS_COPY(r3, 0x3b83, 
&(0x7f0000000040)={0x28, 0x5, r4, r4, 0x3, 0xfffffffffffffffa, 0x3fff}) ioctl$IOMMU_IOAS_MAP(r3, 0x3b85, &(0x7f0000000180)={0x28, 0x6, r4, 0x0, &(0x7f0000000100)='W', 0x1, 0x7a}) ioctl$IOMMU_IOAS_MAP(r3, 0x3b85, &(0x7f00000001c0)={0x28, 0x2, r4, 0x0, &(0x7f0000000440)='O', 0x1, 0x6}) ioctl$IOMMU_IOAS_MAP(r3, 0x3b85, &(0x7f0000000080)={0x28, 0x4, r4, 0x0, &(0x7f0000000200)="0f", 0x1, 0x7}) ioctl$IOMMU_IOAS_MAP$PAGES(r3, 0x3b85, &(0x7f0000000240)={0x28, 0x6, r4, 0x0, &(0x7f00004f9000/0x4000)=nil, 0x4000, 0x7fff}) ioctl$IOMMU_IOAS_MAP$PAGES(r2, 0x3b85, &(0x7f0000000100)={0x28, 0x1, r4, 0x0, &(0x7f0000ffe000/0x2000)=nil, 0x2000, 0x9}) 607.960496ms ago: executing program 2 (id=5305): syz_init_net_socket$bt_rfcomm(0x1f, 0x1, 0x3) mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0) prlimit64(0x0, 0xe, &(0x7f0000000040)={0x8, 0x20000008b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) getpid() r0 = socket$inet6(0xa, 0x3, 0xfe) setsockopt$inet6_IPV6_RTHDRDSTOPTS(r0, 0x29, 0x37, &(0x7f0000000200)={0x29}, 0x8) r1 = openat$nvram(0xffffffffffffff9c, &(0x7f00000000c0), 0x8882, 0x0) r2 = socket$kcm(0x29, 0x5, 0x0) sendmmsg$inet(r2, 0x0, 0x0, 0x40) prlimit64(0x0, 0xe, &(0x7f00000007c0)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0) r3 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102) writev(r3, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2) ioctl$AUTOFS_DEV_IOCTL_FAIL(r1, 0xc0189377, 0x0) socket$nl_generic(0x10, 0x3, 0x10) r4 = openat$vimc1(0xffffffffffffff9c, &(0x7f0000000040), 0x2, 0x0) ioctl$VIDIOC_G_CROP(r4, 0xc014563b, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000080)={0xffffffffffffffff}) r6 = socket$nl_generic(0x10, 0x3, 0x10) r7 = syz_genetlink_get_family_id$batadv(&(0x7f0000000040), 0xffffffffffffffff) ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r5, 0x8933, &(0x7f0000000240)={'batadv0\x00', 
0x0}) sendmsg$BATADV_CMD_SET_MESH(r6, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000280)={0x2c, r7, 0x1, 0x40000000, 0x0, {}, [@BATADV_ATTR_MESH_IFINDEX={0x8, 0x3, r8}, @BATADV_ATTR_BRIDGE_LOOP_AVOIDANCE_ENABLED={0x5}, @BATADV_ATTR_DISTRIBUTED_ARP_TABLE_ENABLED={0x5}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4004801}, 0x0) 534.789699ms ago: executing program 4 (id=5306): sendmsg$ETHTOOL_MSG_LINKINFO_SET(0xffffffffffffffff, &(0x7f0000000500)={0x0, 0x0, &(0x7f00000004c0)={&(0x7f0000000000)=ANY=[], 0x3c}, 0x1, 0x0, 0x0, 0x20009005}, 0x2000c000) socket$inet6(0x10, 0x3, 0x0) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c000000190001000000000000000000021800000000fd000000ed0008000100ac141400"], 0x2c}}, 0x0) r0 = syz_init_net_socket$llc(0x1a, 0x2, 0x0) connect$llc(r0, &(0x7f0000000180)={0x1a, 0x0, 0x0, 0x8, 0x0, 0x0, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}}, 0x10) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f00000000c0)=0x7) sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) r1 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8) sendmsg$nl_generic(0xffffffffffffffff, 0x0, 0x5fe7ae19249375cf) getsockopt$inet6_IPV6_FLOWLABEL_MGR(0xffffffffffffffff, 0x29, 0x20, &(0x7f0000000100)={@ipv4={'\x00', '\xff\xff', @local}, 0x2, 0x2, 0x3, 0x0, 0x0, 0x4}, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x1, &(0x7f0000003500)={0x0, 0x3938700}) r2 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x3) clock_gettime(0x0, 0x0) setsockopt$IP_VS_SO_SET_ADD(0xffffffffffffffff, 0x0, 0x482, &(0x7f0000000040)={0x84, @empty, 0x4e20, 0x3, 'ovf\x00', 0x1, 0x2, 0x6f}, 0x2c) setsockopt$IP_VS_SO_SET_ADDDEST(0xffffffffffffffff, 0x0, 0x487, 0x0, 0x0) r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$sock_bt_hci(r3, 0x800448d7, 0x0) ioctl$FS_IOC_GETFSLABEL(r2, 0x400452c8, &(0x7f0000000100)) 139.765913ms 
ago: executing program 1 (id=5307): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x100008b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) ioprio_set$pid(0x1, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae03, 0xbb) r2 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000100)='/proc/crypto\x00', 0x0, 0x0) sendfile(r1, r2, 0x0, 0x4000000000010042) r3 = socket(0xa, 0x3, 0x3a) r4 = openat$ipvs(0xffffffffffffff9c, &(0x7f000000ac40)='/proc/sys/net/ipv4/vs/sync_qlen_max\x00', 0x2, 0x0) read$FUSE(r4, 0x0, 0x0) setsockopt$inet6_int(r3, 0x29, 0xcf, 0x0, 0x0) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x40001, 0x0) r6 = ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) ioctl$KVM_SET_MEMORY_ATTRIBUTES(r6, 0x4020aed2, &(0x7f00000001c0)={0xeeee0000, 0x10000}) syz_genetlink_get_family_id$mptcp(&(0x7f0000000040), r2) connect$rxrpc(r3, &(0x7f0000000000)=@in6={0x21, 0x0, 0x2, 0x1c, {0xa, 0x4e24, 0x9, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x81}}, 0x24) 0s ago: executing program 3 (id=5308): r0 = creat(&(0x7f00000002c0)='./file0\x00', 0x0) write$qrtrtun(r0, &(0x7f0000000600)="001a000000000000", 0x8) getsockopt$inet_sctp_SCTP_STATUS(0xffffffffffffffff, 0x84, 0xe, &(0x7f00000001c0)={0x0, 0x26eb, 0x0, 0xbc7d, 0x94, 0x2, 0x101, 0x2, {0x0, @in={{0x2, 0x4e24, @multicast2}}, 0x4, 0xfffffc00, 0x9, 0x8, 0x6}}, &(0x7f0000000140)=0xb0) getsockopt$inet_sctp_SCTP_GET_PEER_ADDR_INFO(r0, 0x84, 0xf, &(0x7f00000003c0)={r1, @in6={{0xa, 0x4e23, 0x3, @private0={0xfc, 0x0, '\x00', 0x1}, 0x93a}}, 0x8, 0x2, 0x6, 0x6, 0x9}, &(0x7f00000002c0)=0x98) r2 = socket(0x40000000015, 0x5, 0x0) r3 = gettid() timer_create(0x0, &(0x7f0000000040)={0x0, 0x21, 0x800000000004, @tid=r3}, &(0x7f0000bbdffc)=0x0) timer_settime(r4, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0) r5 = semget$private(0x0, 0x6, 0x0) semtimedop(r5, &(0x7f0000000180)=[{0x0, 0xfff}], 0x1, 0x0) semtimedop(r5, &(0x7f0000000040)=[{}, {}], 0x2, 0x0) connect$inet(r2, 
&(0x7f0000000040)={0x2, 0x4e20, @loopback}, 0x10) bind$inet(r2, &(0x7f0000000340)={0x2, 0x4e20, @loopback}, 0x57) r6 = socket$nl_generic(0x10, 0x3, 0x10) r7 = syz_genetlink_get_family_id$wireguard(&(0x7f0000000380), r6) sendmsg$WG_CMD_SET_DEVICE(r6, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000680)=ANY=[@ANYBLOB="c8010000", @ANYRES16=r7, @ANYBLOB="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"], 0x1c8}}, 0x0) sendmsg$xdp(r2, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4080}, 0x0) r8 = socket(0x15, 0x5, 0x0) getsockopt(r8, 0x200000000114, 0x271e, 0x0, &(0x7f0000000100)) socket$nl_netfilter(0x10, 0x3, 0xc) socket$nl_netfilter(0x10, 0x3, 0xc) landlock_create_ruleset(&(0x7f0000000080)={0x40, 0x0, 0x2}, 0x18, 0x0) sendmsg$IPCTNL_MSG_CT_GET(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000040)=ANY=[], 0x44}}, 0x24008020) kernel console output (not intermixed with test programs): ack_lvl+0x189/0x250 [ 1521.381520][T21383] ? __pfx____ratelimit+0x10/0x10 [ 1521.381544][T21383] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1521.381567][T21383] ? __pfx__printk+0x10/0x10 [ 1521.381605][T21383] ? __pfx___might_resched+0x10/0x10 [ 1521.381628][T21383] ? fs_reclaim_acquire+0x7d/0x100 [ 1521.381655][T21383] should_fail_ex+0x414/0x560 [ 1521.381682][T21383] should_failslab+0xa8/0x100 [ 1521.381705][T21383] __kmalloc_noprof+0xcb/0x4f0 [ 1521.381721][T21383] ? iter_file_splice_write+0x1cb/0x1000 [ 1521.381745][T21383] iter_file_splice_write+0x1cb/0x1000 [ 1521.381786][T21383] ? __pfx_iter_file_splice_write+0x10/0x10 [ 1521.381805][T21383] ? rcu_read_lock_any_held+0xb3/0x120 [ 1521.381827][T21383] ? __pfx_rcu_read_lock_any_held+0x10/0x10 [ 1521.381856][T21383] ? __pfx_iter_file_splice_write+0x10/0x10 [ 1521.381876][T21383] direct_splice_actor+0xfe/0x160 [ 1521.381897][T21383] splice_direct_to_actor+0x5a8/0xcc0 [ 1521.381931][T21383] ? __pfx_direct_splice_actor+0x10/0x10 [ 1521.381949][T21383] ? 
__pfx_splice_direct_to_actor+0x10/0x10 [ 1521.381968][T21383] ? preempt_schedule_irq+0xde/0x150 [ 1521.381998][T21383] ? __pfx_preempt_schedule_irq+0x10/0x10 [ 1521.382028][T21383] do_splice_direct+0x181/0x270 [ 1521.382052][T21383] ? __pfx_do_splice_direct+0x10/0x10 [ 1521.382073][T21383] ? __pfx_direct_file_splice_eof+0x10/0x10 [ 1521.382102][T21383] ? rw_verify_area+0x258/0x650 [ 1521.382125][T21383] do_sendfile+0x4da/0x7e0 [ 1521.382158][T21383] ? __pfx_do_sendfile+0x10/0x10 [ 1521.382191][T21383] __se_sys_sendfile64+0xd9/0x190 [ 1521.382215][T21383] ? __pfx___se_sys_sendfile64+0x10/0x10 [ 1521.382235][T21383] ? rcu_is_watching+0x15/0xb0 [ 1521.382262][T21383] ? do_syscall_64+0xbe/0x3b0 [ 1521.382282][T21383] do_syscall_64+0xfa/0x3b0 [ 1521.382298][T21383] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1521.382314][T21383] ? asm_sysvec_reschedule_ipi+0x1a/0x20 [ 1521.382330][T21383] ? clear_bhb_loop+0x60/0xb0 [ 1521.382350][T21383] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1521.382366][T21383] RIP: 0033:0x7f3f9ad8e929 [ 1521.382383][T21383] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 1521.382398][T21383] RSP: 002b:00007f3f9bbec038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 [ 1521.382418][T21383] RAX: ffffffffffffffda RBX: 00007f3f9afb5fa0 RCX: 00007f3f9ad8e929 [ 1521.382431][T21383] RDX: 0000200000000080 RSI: 0000000000000005 RDI: 0000000000000005 [ 1521.382443][T21383] RBP: 00007f3f9bbec090 R08: 0000000000000000 R09: 0000000000000000 [ 1521.382454][T21383] R10: 0000000000007f03 R11: 0000000000000246 R12: 0000000000000002 [ 1521.382465][T21383] R13: 0000000000000000 R14: 00007f3f9afb5fa0 R15: 00007ffdf50b8f88 [ 1521.382494][T21383] [ 1523.037838][T16587] usb 3-1: new full-speed USB device number 64 using dummy_hcd [ 1523.065702][T21401] netlink: 'syz.5.4610': attribute type 1 has an invalid length. 
[ 1523.210155][T16587] usb 3-1: config 0 has an invalid interface number: 176 but max is 2 [ 1523.234118][T16587] usb 3-1: config 0 has an invalid interface number: 3 but max is 2 [ 1525.277974][T16587] usb 3-1: config 0 has no interface number 0 [ 1526.210873][T16587] usb 3-1: config 0 has no interface number 1 [ 1526.217653][T16587] usb 3-1: too many endpoints for config 0 interface 3 altsetting 255: 255, using maximum allowed: 30 [ 1526.229013][T16587] usb 3-1: config 0 interface 3 altsetting 255 has 0 endpoint descriptors, different from the interface descriptor's value: 255 [ 1526.247701][T16587] usb 3-1: config 0 interface 3 has no altsetting 0 [ 1526.254675][T16587] usb 3-1: New USB device found, idVendor=05c6, idProduct=9205, bcdDevice=29.ac [ 1526.263839][T16587] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 1526.412068][T16587] usb 3-1: config 0 descriptor?? [ 1527.384855][T16587] usb 3-1: can't set config #0, error -71 [ 1527.423114][T16587] usb 3-1: USB disconnect, device number 64 [ 1533.860009][T21468] netlink: 12 bytes leftover after parsing attributes in process `syz.4.4631'. [ 1534.207572][T21468] netlink: 8 bytes leftover after parsing attributes in process `syz.4.4631'. [ 1534.227153][T21468] netlink: 16 bytes leftover after parsing attributes in process `syz.4.4631'. [ 1535.618190][T21491] netlink: 'syz.5.4635': attribute type 1 has an invalid length. 
[ 1536.434684][T21498] cifs: Unknown parameter 'mode' [ 1538.093894][T21519] 9pnet_fd: Insufficient options for proto=fd [ 1539.133509][ T5831] sysfs: cannot create duplicate filename '/devices/virtual/bluetooth/hci1/hci1:201' [ 1539.143495][ T5831] CPU: 1 UID: 0 PID: 5831 Comm: kworker/u9:3 Not tainted 6.16.0-rc2-syzkaller-00269-g11313e2f7812 #0 PREEMPT(full) [ 1539.143522][ T5831] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 1539.143535][ T5831] Workqueue: hci1 hci_rx_work [ 1539.143565][ T5831] Call Trace: [ 1539.143574][ T5831] [ 1539.143582][ T5831] dump_stack_lvl+0x189/0x250 [ 1539.143612][ T5831] ? kernfs_path_from_node+0x2c/0x260 [ 1539.143638][ T5831] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1539.143663][ T5831] ? __pfx__printk+0x10/0x10 [ 1539.143685][ T5831] ? kernfs_path_from_node+0x2c/0x260 [ 1539.143707][ T5831] ? kernfs_path_from_node+0x2c/0x260 [ 1539.143734][ T5831] ? kernfs_path_from_node+0x22c/0x260 [ 1539.143756][ T5831] ? kernfs_path_from_node+0x2c/0x260 [ 1539.143783][ T5831] sysfs_create_dir_ns+0x259/0x280 [ 1539.143811][ T5831] ? __pfx_sysfs_create_dir_ns+0x10/0x10 [ 1539.143838][ T5831] ? do_raw_spin_unlock+0x122/0x240 [ 1539.143863][ T5831] kobject_add_internal+0x59f/0xb40 [ 1539.143892][ T5831] kobject_add+0x155/0x220 [ 1539.143916][ T5831] ? __pfx_kobject_add+0x10/0x10 [ 1539.143936][ T5831] ? _raw_spin_unlock+0x28/0x50 [ 1539.143963][ T5831] ? get_device_parent+0x366/0x3a0 [ 1539.143988][ T5831] device_add+0x408/0xb50 [ 1539.144012][ T5831] hci_conn_add_sysfs+0xd5/0x1e0 [ 1539.144040][ T5831] le_conn_complete_evt+0xc3a/0x1220 [ 1539.144075][ T5831] ? __pfx_le_conn_complete_evt+0x10/0x10 [ 1539.144097][ T5831] ? __mutex_unlock_slowpath+0x1cd/0x700 [ 1539.144120][ T5831] ? __asan_memcpy+0x40/0x70 [ 1539.144148][ T5831] ? __pfx___mutex_lock+0x10/0x10 [ 1539.144173][ T5831] ? __pfx___mutex_unlock_slowpath+0x10/0x10 [ 1539.144199][ T5831] ? 
skb_pull_data+0xfb/0x200 [ 1539.144230][ T5831] hci_le_conn_complete_evt+0x187/0x450 [ 1539.144259][ T5831] hci_event_packet+0x78c/0x1200 [ 1539.144288][ T5831] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 1539.144310][ T5831] ? __pfx_hci_event_packet+0x10/0x10 [ 1539.144337][ T5831] ? kcov_remote_start+0x4d3/0x7f0 [ 1539.144359][ T5831] ? lockdep_hardirqs_on+0x20/0x150 [ 1539.144386][ T5831] ? hci_send_to_monitor+0xe2/0x570 [ 1539.144411][ T5831] hci_rx_work+0x46a/0xe80 [ 1539.144447][ T5831] ? process_scheduled_works+0x9ef/0x17b0 [ 1539.144474][ T5831] process_scheduled_works+0xade/0x17b0 [ 1539.144531][ T5831] ? __pfx_process_scheduled_works+0x10/0x10 [ 1539.144575][ T5831] worker_thread+0x8a0/0xda0 [ 1539.144630][ T5831] kthread+0x70e/0x8a0 [ 1539.144653][ T5831] ? __pfx_worker_thread+0x10/0x10 [ 1539.144678][ T5831] ? __pfx_kthread+0x10/0x10 [ 1539.144699][ T5831] ? _raw_spin_unlock_irq+0x23/0x50 [ 1539.144722][ T5831] ? lockdep_hardirqs_on+0x9c/0x150 [ 1539.144744][ T5831] ? __pfx_kthread+0x10/0x10 [ 1539.144764][ T5831] ret_from_fork+0x3f9/0x770 [ 1539.144791][ T5831] ? __pfx_ret_from_fork+0x10/0x10 [ 1539.144821][ T5831] ? __switch_to_asm+0x39/0x70 [ 1539.144838][ T5831] ? __switch_to_asm+0x33/0x70 [ 1539.144853][ T5831] ? __pfx_kthread+0x10/0x10 [ 1539.144874][ T5831] ret_from_fork_asm+0x1a/0x30 [ 1539.144908][ T5831] [ 1539.144939][ T5831] kobject: kobject_add_internal failed for hci1:201 with -EEXIST, don't try to register things with the same name in the same directory. [ 1539.453882][ T5831] Bluetooth: hci1: failed to register connection device [ 1539.542136][T21537] netlink: 5128 bytes leftover after parsing attributes in process `syz.1.4648'. [ 1539.615514][T21537] netlink: 5128 bytes leftover after parsing attributes in process `syz.1.4648'. [ 1539.656848][T21537] netlink: 584 bytes leftover after parsing attributes in process `syz.1.4648'. 
[ 1539.899005][ T5964] usb 2-1: new high-speed USB device number 69 using dummy_hcd [ 1540.088647][ T5964] usb 2-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config [ 1540.132138][ T5964] usb 2-1: config 1 has 1 interface, different from the descriptor's value: 3 [ 1540.232190][ T5964] usb 2-1: New USB device found, idVendor=08b7, idProduct=0000, bcdDevice= 0.00 [ 1540.274430][ T5964] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=3 [ 1541.071018][ T5964] usb 2-1: SerialNumber: syz [ 1541.309575][ T5964] usb 2-1: 0:2 : does not exist [ 1541.349380][ T5964] usb 2-1: unit 255 not found! [ 1541.366670][ T5964] usb 2-1: 5:0: cannot get min/max values for control 2 (id 5) [ 1541.411935][ T5964] usb 2-1: USB disconnect, device number 69 [ 1541.638348][ T6034] Bluetooth: (null): Invalid header checksum [ 1541.671657][ T6034] Bluetooth: (null): Invalid header checksum [ 1542.177730][T19574] Bluetooth: (null): Invalid header checksum [ 1542.245717][T19574] Bluetooth: (null): Invalid header checksum [ 1542.270998][T19574] Bluetooth: (null): Invalid header checksum [ 1542.305904][T19574] Bluetooth: (null): Invalid header checksum [ 1542.324799][T19574] Bluetooth: (null): Invalid header checksum [ 1542.354230][T19574] Bluetooth: (null): Invalid header checksum [ 1542.637530][T21571] netlink: 60 bytes leftover after parsing attributes in process `syz.2.4658'. [ 1542.647301][T21567] netlink: 60 bytes leftover after parsing attributes in process `syz.2.4658'. [ 1542.664372][T21567] netlink: 60 bytes leftover after parsing attributes in process `syz.2.4658'. [ 1542.886875][ T5964] usb 4-1: new high-speed USB device number 63 using dummy_hcd [ 1543.622930][T21577] overlayfs: upperdir is in-use as upperdir/workdir of another mount, accessing files from both mounts will result in undefined behavior. 
[ 1543.666251][T21577] overlayfs: workdir is in-use as upperdir/workdir of another mount, accessing files from both mounts will result in undefined behavior. [ 1543.775798][T21071] usb 2-1: new high-speed USB device number 70 using dummy_hcd [ 1543.837095][ T5964] usb 4-1: config 1 has an invalid descriptor of length 255, skipping remainder of the config [ 1543.889197][ T5964] usb 4-1: config 1 has 1 interface, different from the descriptor's value: 3 [ 1544.074605][ T5964] usb 4-1: New USB device found, idVendor=08b7, idProduct=0000, bcdDevice= 0.00 [ 1544.118487][T21580] netlink: 32 bytes leftover after parsing attributes in process `syz.4.4661'. [ 1544.145793][T21580] netlink: 4 bytes leftover after parsing attributes in process `syz.4.4661'. [ 1544.155982][T21071] usb 2-1: Using ep0 maxpacket: 16 [ 1544.198507][ T5964] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=3 [ 1544.199733][T21071] usb 2-1: config 1 contains an unexpected descriptor of type 0x2, skipping [ 1544.208300][ T5964] usb 4-1: SerialNumber: syz [ 1544.270664][T21071] usb 2-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config [ 1544.301635][T21071] usb 2-1: config 1 has 1 interface, different from the descriptor's value: 3 [ 1544.318558][T21071] usb 2-1: New USB device found, idVendor=1d6b, idProduct=0101, bcdDevice= 0.40 [ 1544.334977][T21071] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1544.358432][T21071] usb 2-1: Product: syz [ 1544.362780][T21071] usb 2-1: Manufacturer: syz [ 1544.362780][ T30] audit: type=1326 audit(1750515967.315:492): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=21582 comm="syz.4.4663" exe="/root/syz-executor" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f647278e929 code=0x0 [ 1544.394869][T21071] usb 2-1: SerialNumber: syz [ 1544.568403][ T7674] tipc: Subscription rejected, illegal request [ 1544.593832][ T5964] usb 4-1: 0:2 : does not exist [ 1544.608793][ T5964] usb 4-1: unit 255 not 
found! [ 1544.628192][ T5964] usb 4-1: USB disconnect, device number 63 [ 1544.645842][T21586] Invalid source name [ 1544.649880][T21586] UBIFS error (pid: 21586): cannot open "./file0", error -22 [ 1544.652122][T21586] binder: 21584:21586 ioctl 40046210 0 returned -14 [ 1544.719056][T21589] netlink: 4 bytes leftover after parsing attributes in process `syz.5.4662'. [ 1545.008501][T21569] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 1545.040251][T21569] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 1545.052795][T21071] usb 2-1: 0:2 : does not exist [ 1545.073895][T21071] usb 2-1: USB disconnect, device number 70 [ 1545.677908][T15307] Bluetooth: hci1: command 0x0406 tx timeout [ 1545.802010][T21602] netlink: 'syz.3.4666': attribute type 4 has an invalid length. [ 1545.809927][T21602] netlink: 17 bytes leftover after parsing attributes in process `syz.3.4666'. [ 1546.125236][ T1301] ieee802154 phy0 wpan0: encryption failed: -22 [ 1546.131780][ T1301] ieee802154 phy1 wpan1: encryption failed: -22 [ 1546.175687][ T24] usb 3-1: new high-speed USB device number 65 using dummy_hcd [ 1546.360705][T21598] net_ratelimit: 7 callbacks suppressed [ 1546.360723][T21598] A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check. 
[ 1546.436623][ T30] audit: type=1326 audit(1750515969.405:493): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=21607 comm="syz.3.4670" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f634b58e929 code=0x7ffc0000 [ 1546.485544][ T30] audit: type=1326 audit(1750515969.405:494): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=21607 comm="syz.3.4670" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f634b58e929 code=0x7ffc0000 [ 1546.666988][ T30] audit: type=1326 audit(1750515969.435:495): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=21607 comm="syz.3.4670" exe="/root/syz-executor" sig=0 arch=c000003e syscall=444 compat=0 ip=0x7f634b58e929 code=0x7ffc0000 [ 1546.773842][ T30] audit: type=1326 audit(1750515969.435:496): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=21607 comm="syz.3.4670" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f634b58e929 code=0x7ffc0000 [ 1546.951473][ T30] audit: type=1326 audit(1750515969.435:497): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=21607 comm="syz.3.4670" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f634b58e929 code=0x7ffc0000 [ 1547.225156][ T30] audit: type=1326 audit(1750515969.435:498): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=21607 comm="syz.3.4670" exe="/root/syz-executor" sig=0 arch=c000003e syscall=157 compat=0 ip=0x7f634b58e929 code=0x7ffc0000 [ 1547.247497][ T30] audit: type=1326 audit(1750515969.495:499): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=21607 comm="syz.3.4670" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f634b58e929 code=0x7ffc0000 [ 1547.270976][ T30] audit: type=1326 audit(1750515969.495:500): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=21607 comm="syz.3.4670" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f634b58e929 code=0x7ffc0000 [ 1547.418913][ T30] audit: type=1326 
audit(1750515969.545:501): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=21607 comm="syz.3.4670" exe="/root/syz-executor" sig=0 arch=c000003e syscall=42 compat=0 ip=0x7f634b58e929 code=0x7ffc0000 [ 1547.521270][ T24] usb 3-1: unable to get BOS descriptor or descriptor too short [ 1547.530345][ T24] usb 3-1: unable to read config index 0 descriptor/start: -71 [ 1547.538461][ T24] usb 3-1: can't read configurations, error -71 [ 1548.064154][T21627] ubi31: attaching mtd0 [ 1548.084932][T21627] ubi31: scanning is finished [ 1548.090102][T21627] ubi31: empty MTD device detected [ 1548.688822][T21627] ubi31: attached mtd0 (name "mtdram test device", size 0 MiB) [ 1548.696413][T21627] ubi31: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes [ 1548.703700][T21627] ubi31: min./max. I/O unit sizes: 1/64, sub-page size 1 [ 1548.711446][T21627] ubi31: VID header offset: 64 (aligned 64), data offset: 128 [ 1548.718914][T21627] ubi31: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0 [ 1548.725772][T21627] ubi31: user volume: 0, internal volumes: 1, max. volumes count: 23 [ 1548.733819][T21627] ubi31: max/mean erase counter: 0/0, WL threshold: 4096, image sequence number: 253377373 [ 1548.743801][T21627] ubi31: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0 [ 1548.780030][T21634] ubi31: background thread "ubi_bgt31d" started, PID 21634 [ 1549.735684][T21647] binder: 21640:21647 ioctl 40046210 0 returned -14 [ 1549.858112][T21648] netlink: 4 bytes leftover after parsing attributes in process `syz.2.4676'. [ 1552.069686][T16587] usb 6-1: new low-speed USB device number 26 using dummy_hcd [ 1552.794898][T16587] usb 6-1: Invalid ep0 maxpacket: 32 [ 1552.904740][T21694] overlay: filesystem on ./bus not supported [ 1552.941821][T21694] overlayfs: upper fs does not support tmpfile. 
[ 1552.954905][T16587] usb 6-1: new low-speed USB device number 27 using dummy_hcd [ 1553.250026][T16587] usb 6-1: Invalid ep0 maxpacket: 32 [ 1553.444051][T16587] usb usb6-port1: attempt power cycle [ 1553.828905][T16587] usb 6-1: new low-speed USB device number 28 using dummy_hcd [ 1553.875521][T16587] usb 6-1: Invalid ep0 maxpacket: 32 [ 1553.994924][ T24] usb 5-1: new high-speed USB device number 108 using dummy_hcd [ 1554.012864][T16587] usb 6-1: new low-speed USB device number 29 using dummy_hcd [ 1554.119658][T16587] usb 6-1: Invalid ep0 maxpacket: 32 [ 1554.133382][T16587] usb usb6-port1: unable to enumerate USB device [ 1554.319770][ T24] usb 5-1: Using ep0 maxpacket: 8 [ 1554.343806][ T24] usb 5-1: config 0 has no interfaces? [ 1554.371858][ T24] usb 5-1: New USB device found, idVendor=04e2, idProduct=1414, bcdDevice=c5.b9 [ 1554.381308][ T24] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1554.389681][ T24] usb 5-1: Product: syz [ 1554.393997][ T24] usb 5-1: Manufacturer: syz [ 1554.398807][ T24] usb 5-1: SerialNumber: syz [ 1554.416112][ T24] usb 5-1: config 0 descriptor?? [ 1555.053032][T21714] binder: 21706:21714 ioctl 40046210 0 returned -14 [ 1555.265009][T21716] netlink: 4 bytes leftover after parsing attributes in process `syz.3.4692'. [ 1555.625146][ T24] usb 5-1: USB disconnect, device number 108 [ 1556.540630][T21734] vivid-000: disconnect [ 1556.562736][T21725] vivid-000: reconnect [ 1556.859718][T21742] netlink: 304 bytes leftover after parsing attributes in process `syz.2.4702'. [ 1558.591578][T21760] netlink: 'syz.4.4706': attribute type 4 has an invalid length. [ 1558.599472][T21760] netlink: 17 bytes leftover after parsing attributes in process `syz.4.4706'. [ 1559.008480][T21762] netlink: 'syz.3.4705': attribute type 4 has an invalid length. [ 1559.016375][T21762] netlink: 17 bytes leftover after parsing attributes in process `syz.3.4705'. 
[ 1560.765629][T21774] syz.4.4709: attempt to access beyond end of device [ 1560.765629][T21774] loop4: rw=4096, sector=2, nr_sectors = 2 limit=0 [ 1560.779510][T21774] EXT4-fs (loop4): unable to read superblock [ 1562.077360][ T5828] hid-generic 0000:0000:0000.0017: unknown main item tag 0x0 [ 1562.094621][ T5828] hid-generic 0000:0000:0000.0017: hidraw0: HID v0.00 Device [syz1] on syz0 [ 1562.095480][T21790] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 1562.125689][T21790] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 1562.176841][T21795] netlink: 48 bytes leftover after parsing attributes in process `syz.2.4716'. [ 1562.334467][ T24] usb 2-1: new high-speed USB device number 71 using dummy_hcd [ 1562.416178][ C0] vxcan1: j1939_tp_rxtimer: 0xffff8880586ef000: rx timeout, send abort [ 1562.917730][ C0] vxcan1: j1939_tp_rxtimer: 0xffff88806b511c00: rx timeout, send abort [ 1562.926404][ C0] vxcan1: j1939_tp_rxtimer: 0xffff8880586ef000: abort rx timeout. Force session deactivation [ 1563.064465][ T24] usb 2-1: Using ep0 maxpacket: 16 [ 1563.394427][ T24] usb 2-1: config 0 has an invalid interface number: 16 but max is 0 [ 1563.408800][ T24] usb 2-1: config 0 has no interface number 0 [ 1563.415858][ T24] usb 2-1: config 0 interface 16 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 1563.426121][ C0] vxcan1: j1939_tp_rxtimer: 0xffff88806b511c00: abort rx timeout. Force session deactivation [ 1563.501070][ T24] usb 2-1: New USB device found, idVendor=22d4, idProduct=1503, bcdDevice= 0.00 [ 1563.501277][T16587] usb 5-1: new high-speed USB device number 109 using dummy_hcd [ 1563.513582][ T24] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 1564.157006][ T24] usb 2-1: config 0 descriptor?? 
[ 1564.379710][T16587] usb 5-1: config 0 has an invalid interface number: 49 but max is 0 [ 1564.388098][T16587] usb 5-1: config 0 has no interface number 0 [ 1564.946724][ T24] usbhid 2-1:0.16: can't add hid device: -71 [ 1564.957548][ T24] usbhid 2-1:0.16: probe with driver usbhid failed with error -71 [ 1564.971218][ T24] usb 2-1: USB disconnect, device number 71 [ 1564.984612][T16587] usb 5-1: too many endpoints for config 0 interface 49 altsetting 50: 56, using maximum allowed: 30 [ 1564.999547][T16587] usb 5-1: config 0 interface 49 altsetting 50 has 0 endpoint descriptors, different from the interface descriptor's value: 56 [ 1565.013034][T16587] usb 5-1: config 0 interface 49 has no altsetting 0 [ 1565.020087][T16587] usb 5-1: New USB device found, idVendor=046d, idProduct=0870, bcdDevice=61.47 [ 1565.103778][T16587] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 1565.124787][T16587] usb 5-1: config 0 descriptor?? [ 1565.341025][T16587] usb 5-1: string descriptor 0 read error: -32 [ 1565.352969][T16587] gspca_main: STV06xx-2.14.0 probing 046d:0870 [ 1565.971864][T21806] 9pnet_fd: Insufficient options for proto=fd [ 1566.040702][T16587] usb 5-1: USB disconnect, device number 109 [ 1566.553838][T21841] Bluetooth: hci0: Opcode 0x0401 failed: -4 [ 1568.259496][T15307] Bluetooth: hci0: command 0x0405 tx timeout [ 1568.335676][T21861] use of bytesused == 0 is deprecated and will be removed in the future, [ 1568.351412][T21861] use the actual size instead. [ 1568.748886][T21868] overlay: filesystem on ./bus not supported [ 1569.188906][T21874] overlayfs: upper fs does not support tmpfile. [ 1570.548602][T21887] Bluetooth: hci0: Opcode 0x0401 failed: -4 [ 1571.530092][T21911] FAULT_INJECTION: forcing a failure. 
[ 1571.530092][T21911] name failslab, interval 1, probability 0, space 0, times 0 [ 1571.553388][T21911] CPU: 0 UID: 0 PID: 21911 Comm: syz.5.4751 Not tainted 6.16.0-rc2-syzkaller-00269-g11313e2f7812 #0 PREEMPT(full) [ 1571.553415][T21911] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 1571.553427][T21911] Call Trace: [ 1571.553442][T21911] <TASK> [ 1571.553450][T21911] dump_stack_lvl+0x189/0x250 [ 1571.553480][T21911] ? __pfx____ratelimit+0x10/0x10 [ 1571.553504][T21911] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1571.553527][T21911] ? __pfx__printk+0x10/0x10 [ 1571.553551][T21911] ? __pfx___might_resched+0x10/0x10 [ 1571.553574][T21911] ? fs_reclaim_acquire+0x7d/0x100 [ 1571.553602][T21911] should_fail_ex+0x414/0x560 [ 1571.553628][T21911] should_failslab+0xa8/0x100 [ 1571.553651][T21911] __kmalloc_noprof+0xcb/0x4f0 [ 1571.553669][T21911] ? kfree+0x4d/0x440 [ 1571.553684][T21911] ? tomoyo_realpath_from_path+0xe3/0x5d0 [ 1571.553715][T21911] tomoyo_realpath_from_path+0xe3/0x5d0 [ 1571.553740][T21911] ? tomoyo_domain+0xda/0x130 [ 1571.553769][T21911] ? tomoyo_path_number_perm+0x1bc/0x5a0 [ 1571.553790][T21911] tomoyo_path_number_perm+0x1e8/0x5a0 [ 1571.553814][T21911] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 1571.553853][T21911] ? __lock_acquire+0xab9/0xd20 [ 1571.553895][T21911] ? __fget_files+0x2a/0x420 [ 1571.553920][T21911] ? __fget_files+0x2a/0x420 [ 1571.553939][T21911] ? __fget_files+0x3a0/0x420 [ 1571.553957][T21911] ? __fget_files+0x2a/0x420 [ 1571.553983][T21911] security_file_ioctl+0xcb/0x2d0 [ 1571.554008][T21911] __se_sys_ioctl+0x47/0x170 [ 1571.554029][T21911] do_syscall_64+0xfa/0x3b0 [ 1571.554044][T21911] ? lockdep_hardirqs_on+0x9c/0x150 [ 1571.554068][T21911] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1571.554086][T21911] ? 
clear_bhb_loop+0x60/0xb0 [ 1571.554107][T21911] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1571.554124][T21911] RIP: 0033:0x7f3f82f8e929 [ 1571.554141][T21911] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 1571.554155][T21911] RSP: 002b:00007f3f80df6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 1571.554174][T21911] RAX: ffffffffffffffda RBX: 00007f3f831b5fa0 RCX: 00007f3f82f8e929 [ 1571.554188][T21911] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005 [ 1571.554199][T21911] RBP: 00007f3f80df6090 R08: 0000000000000000 R09: 0000000000000000 [ 1571.554210][T21911] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 1571.554221][T21911] R13: 0000000000000000 R14: 00007f3f831b5fa0 R15: 00007fff8b54b818 [ 1571.554251][T21911] </TASK> [ 1571.554259][T21911] ERROR: Out of memory at tomoyo_realpath_from_path. [ 1571.610289][T15307] Bluetooth: hci0: command 0x0405 tx timeout [ 1571.673240][T16587] usb 4-1: new high-speed USB device number 64 using dummy_hcd [ 1571.676331][ T24] usb 5-1: new high-speed USB device number 110 using dummy_hcd [ 1571.731328][T21914] program syz.1.4753 is using a deprecated SCSI ioctl, please convert it to SG_IO [ 1571.777660][T21915] ip6gretap0: entered promiscuous mode [ 1571.851322][T21915] macsec1: entered allmulticast mode [ 1571.875444][T16587] usb 4-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 1571.886942][T16587] usb 4-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 1571.899769][T21915] ip6gretap0: entered allmulticast mode [ 1571.911256][T21915] ip6gretap0: left allmulticast mode [ 1571.917000][T21915] ip6gretap0: left promiscuous mode [ 1571.923309][ T24] usb 5-1: Using ep0 maxpacket: 16 [ 1571.932948][ T24] usb 5-1: config 1 has an invalid descriptor of length 97, skipping 
remainder of the config [ 1571.941114][T16587] usb 4-1: New USB device found, idVendor=0079, idProduct=1846, bcdDevice= 0.00 [ 1571.966340][ T24] usb 5-1: config 1 has 1 interface, different from the descriptor's value: 3 [ 1571.980336][T16587] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 1571.983425][ T24] usb 5-1: New USB device found, idVendor=1d6b, idProduct=0101, bcdDevice= 0.40 [ 1572.007419][T16587] usb 4-1: config 0 descriptor?? [ 1572.013999][ T24] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1572.024362][ T24] usb 5-1: Product: syz [ 1572.028551][ T24] usb 5-1: Manufacturer: syz [ 1572.034839][ T24] usb 5-1: SerialNumber: syz [ 1572.064458][T21920] netlink: 10 bytes leftover after parsing attributes in process `syz.5.4755'. [ 1572.285944][ T24] usb 5-1: 0:2 : does not exist [ 1572.317056][ T24] usb 5-1: 5:0: failed to get current value for ch 0 (-22) [ 1572.487308][T21925] netlink: 24 bytes leftover after parsing attributes in process `syz.2.4754'. [ 1572.499932][T21924] ubi31: detaching mtd0 [ 1572.518245][T21924] ubi31: mtd0 is detached [ 1572.569380][ T24] usb 5-1: USB disconnect, device number 110 [ 1573.569025][ T24] usb 5-1: new high-speed USB device number 111 using dummy_hcd [ 1573.995423][T21940] Bluetooth: hci0: Opcode 0x0401 failed: -4 [ 1574.043484][ T24] usb 5-1: Using ep0 maxpacket: 8 [ 1574.070639][ T24] usb 5-1: config 0 has no interfaces? [ 1574.111445][ T24] usb 5-1: New USB device found, idVendor=04e2, idProduct=1414, bcdDevice=c5.b9 [ 1574.162959][ T24] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1574.194172][ T24] usb 5-1: Product: syz [ 1574.198387][ T24] usb 5-1: Manufacturer: syz [ 1574.228283][ T24] usb 5-1: SerialNumber: syz [ 1574.248160][ T24] usb 5-1: config 0 descriptor?? 
[ 1574.749533][ T5964] usb 5-1: USB disconnect, device number 111 [ 1574.771102][T16587] usbhid 4-1:0.0: can't add hid device: -71 [ 1574.846902][T15307] Bluetooth: hci0: command 0x0405 tx timeout [ 1574.858998][T16587] usbhid 4-1:0.0: probe with driver usbhid failed with error -71 [ 1574.942688][T16587] usb 4-1: USB disconnect, device number 64 [ 1575.094097][T21967] binder_alloc: 21965: binder_alloc_buf, no vma [ 1575.103168][T21966] binder: 21965:21966 ioctl 401870c8 200000000100 returned -22 [ 1575.464029][T21981] FAULT_INJECTION: forcing a failure. [ 1575.464029][T21981] name failslab, interval 1, probability 0, space 0, times 0 [ 1575.491276][T21981] CPU: 1 UID: 0 PID: 21981 Comm: syz.3.4772 Not tainted 6.16.0-rc2-syzkaller-00269-g11313e2f7812 #0 PREEMPT(full) [ 1575.491304][T21981] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 1575.491315][T21981] Call Trace: [ 1575.491323][T21981] <TASK> [ 1575.491331][T21981] dump_stack_lvl+0x189/0x250 [ 1575.491360][T21981] ? __pfx____ratelimit+0x10/0x10 [ 1575.491384][T21981] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1575.491407][T21981] ? __pfx__printk+0x10/0x10 [ 1575.491432][T21981] ? __pfx___might_resched+0x10/0x10 [ 1575.491459][T21981] should_fail_ex+0x414/0x560 [ 1575.491485][T21981] ? seq_read_iter+0x1fd/0xe10 [ 1575.491501][T21981] should_failslab+0xa8/0x100 [ 1575.491524][T21981] __kvmalloc_node_noprof+0x161/0x5f0 [ 1575.491546][T21981] ? seq_read_iter+0x1fd/0xe10 [ 1575.491563][T21981] ? __mutex_trylock_common+0x153/0x260 [ 1575.491593][T21981] seq_read_iter+0x1fd/0xe10 [ 1575.491621][T21981] ? kernfs_fop_read_iter+0x13f/0x640 [ 1575.491649][T21981] vfs_read+0x4cd/0x980 [ 1575.491678][T21981] ? __pfx_vfs_read+0x10/0x10 [ 1575.491709][T21981] ? __fget_files+0x2a/0x420 [ 1575.491742][T21981] ksys_read+0x145/0x250 [ 1575.491764][T21981] ? __pfx_ksys_read+0x10/0x10 [ 1575.491781][T21981] ? rcu_is_watching+0x15/0xb0 [ 1575.491811][T21981] ? 
do_syscall_64+0xbe/0x3b0 [ 1575.491830][T21981] do_syscall_64+0xfa/0x3b0 [ 1575.491845][T21981] ? lockdep_hardirqs_on+0x9c/0x150 [ 1575.491867][T21981] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1575.491885][T21981] ? clear_bhb_loop+0x60/0xb0 [ 1575.491906][T21981] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1575.491921][T21981] RIP: 0033:0x7f634b58e929 [ 1575.491937][T21981] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 1575.491951][T21981] RSP: 002b:00007f634c480038 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 1575.491970][T21981] RAX: ffffffffffffffda RBX: 00007f634b7b5fa0 RCX: 00007f634b58e929 [ 1575.491984][T21981] RDX: 0000000000002020 RSI: 0000200000000c00 RDI: 0000000000000005 [ 1575.491996][T21981] RBP: 00007f634c480090 R08: 0000000000000000 R09: 0000000000000000 [ 1575.492007][T21981] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 1575.492018][T21981] R13: 0000000000000000 R14: 00007f634b7b5fa0 R15: 00007ffdaaaa5a28 [ 1575.492056][T21981] </TASK> [ 1575.718325][ C1] vkms_vblank_simulate: vblank timer overrun [ 1576.139361][T21987] overlay: filesystem on ./bus not supported [ 1576.162346][T21987] overlayfs: upper fs does not support tmpfile. [ 1576.738625][T21992] Bluetooth: hci0: Opcode 0x0401 failed: -4 [ 1577.191440][ T6034] Bluetooth: (null): Invalid header checksum [ 1577.245948][ T6034] Bluetooth: (null): Invalid header checksum [ 1577.279655][T22011] Bluetooth: (null): Too short H5 packet [ 1577.317416][ T7674] Bluetooth: (null): Invalid header checksum [ 1578.052635][T15307] Bluetooth: hci0: command 0x0405 tx timeout [ 1578.872520][ T5828] usb 6-1: new high-speed USB device number 30 using dummy_hcd [ 1579.032526][ T5828] usb 6-1: Using ep0 maxpacket: 8 [ 1579.055917][ T5828] usb 6-1: config 0 has no interfaces? 
[ 1579.450773][ T5828] usb 6-1: New USB device found, idVendor=04e2, idProduct=1414, bcdDevice=c5.b9 [ 1579.473575][ T5828] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1579.492461][ T5828] usb 6-1: Product: syz [ 1579.506645][ T5828] usb 6-1: Manufacturer: syz [ 1579.519069][ T5828] usb 6-1: SerialNumber: syz [ 1579.548247][ T5828] usb 6-1: config 0 descriptor?? [ 1579.670092][T22028] Bluetooth: hci0: Opcode 0x0401 failed: -4 [ 1579.797945][T16587] usb 6-1: USB disconnect, device number 30 [ 1579.803821][T22043] overlay: filesystem on ./bus not supported [ 1579.818960][T22043] overlay: filesystem on ./file1 not supported [ 1579.942586][ T10] usb 4-1: new high-speed USB device number 65 using dummy_hcd [ 1580.003760][T22047] --map-set only usable from mangle table [ 1580.125839][ T10] usb 4-1: Using ep0 maxpacket: 16 [ 1580.147496][ T10] usb 4-1: config 0 has an invalid interface number: 251 but max is 0 [ 1580.169562][ T10] usb 4-1: config 0 has no interface number 0 [ 1580.187098][ T10] usb 4-1: config 0 interface 251 altsetting 0 bulk endpoint 0x4 has invalid maxpacket 16 [ 1580.238041][ T10] usb 4-1: config 0 interface 251 altsetting 0 bulk endpoint 0x82 has invalid maxpacket 64 [ 1580.285600][ T6548] Bluetooth: (null): Invalid header checksum [ 1580.300259][ T30] kauditd_printk_skb: 47 callbacks suppressed [ 1580.300274][ T30] audit: type=1326 audit(1750516003.268:549): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=22051 comm="syz.4.4794" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f647278e929 code=0x7ffc0000 [ 1580.302117][ T10] usb 4-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=f7.f4 [ 1580.312724][ T30] audit: type=1326 audit(1750516003.268:550): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=22051 comm="syz.4.4794" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f647278e929 code=0x7ffc0000 [ 1580.359028][ T6548] Bluetooth: (null): Invalid header 
checksum [ 1580.403915][T19528] Bluetooth: (null): Invalid header checksum [ 1580.422320][ T10] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1580.481102][ T10] usb 4-1: Product: syz [ 1580.494802][ T30] audit: type=1326 audit(1750516003.268:551): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=22051 comm="syz.4.4794" exe="/root/syz-executor" sig=0 arch=c000003e syscall=253 compat=0 ip=0x7f647278e929 code=0x7ffc0000 [ 1580.501337][ T10] usb 4-1: Manufacturer: syz [ 1580.526937][T19574] Bluetooth: (null): Invalid header checksum [ 1580.561927][ T10] usb 4-1: SerialNumber: syz [ 1580.572438][ T30] audit: type=1326 audit(1750516003.268:552): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=22051 comm="syz.4.4794" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f647278e929 code=0x7ffc0000 [ 1580.618330][ T10] usb 4-1: config 0 descriptor?? [ 1580.634651][T19574] Bluetooth: (null): Invalid header checksum [ 1580.653921][T22039] raw-gadget.1 gadget.3: fail, usb_ep_enable returned -22 [ 1580.661193][T22039] raw-gadget.1 gadget.3: fail, usb_ep_enable returned -22 [ 1580.677476][ T30] audit: type=1326 audit(1750516003.268:553): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=22051 comm="syz.4.4794" exe="/root/syz-executor" sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f647278e929 code=0x7ffc0000 [ 1581.026535][T15307] Bluetooth: hci0: command 0x0405 tx timeout [ 1581.225598][T22039] raw-gadget.1 gadget.3: fail, usb_ep_enable returned -22 [ 1581.239164][T15765] Bluetooth: (null): Invalid header checksum [ 1581.257516][T15765] Bluetooth: (null): Invalid header checksum [ 1581.274382][ T30] audit: type=1326 audit(1750516003.268:554): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=22051 comm="syz.4.4794" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f647278e929 code=0x7ffc0000 [ 1581.292513][T22039] raw-gadget.1 gadget.3: fail, usb_ep_enable returned -22 [ 1581.296905][T15765] 
Bluetooth: (null): Invalid header checksum [ 1581.334061][T15765] Bluetooth: (null): Invalid header checksum [ 1581.355514][T15765] Bluetooth: (null): Invalid header checksum [ 1581.377413][ T30] audit: type=1326 audit(1750516003.288:555): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=22051 comm="syz.4.4794" exe="/root/syz-executor" sig=0 arch=c000003e syscall=10 compat=0 ip=0x7f647278e929 code=0x7ffc0000 [ 1581.433136][T15765] Bluetooth: (null): Invalid header checksum [ 1581.444055][T15765] Bluetooth: (null): Invalid header checksum [ 1581.473088][ T30] audit: type=1326 audit(1750516003.288:556): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=22051 comm="syz.4.4794" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f647278e929 code=0x7ffc0000 [ 1581.511134][T22056] Bluetooth: (null): Too short H5 packet [ 1581.518573][ T30] audit: type=1326 audit(1750516003.288:557): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=22051 comm="syz.4.4794" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f647278e929 code=0x7ffc0000 [ 1581.540694][ T30] audit: type=1326 audit(1750516003.288:558): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=22051 comm="syz.4.4794" exe="/root/syz-executor" sig=0 arch=c000003e syscall=430 compat=0 ip=0x7f647278e929 code=0x7ffc0000 [ 1581.578382][T22039] netlink: 8 bytes leftover after parsing attributes in process `syz.3.4790'. [ 1581.625559][T22039] netlink: 'syz.3.4790': attribute type 1 has an invalid length. [ 1581.672285][T22039] netlink: 'syz.3.4790': attribute type 2 has an invalid length. [ 1581.802735][T22069] netlink: 8 bytes leftover after parsing attributes in process `syz.3.4790'. 
[ 1582.636220][ T10] asix 4-1:0.251 (unnamed net_device) (uninitialized): Failed to read reg index 0x0000: -71 [ 1583.240145][ T10] asix 4-1:0.251 (unnamed net_device) (uninitialized): Failed to read MAC address: -71 [ 1583.282387][ T10] asix 4-1:0.251: probe with driver asix failed with error -5 [ 1583.455739][ T10] usb 4-1: USB disconnect, device number 65 [ 1583.668852][T22084] netlink: 68 bytes leftover after parsing attributes in process `syz.3.4800'. [ 1584.003638][T22088] No source specified [ 1584.391578][T22081] Bluetooth: hci0: Opcode 0x0401 failed: -4 [ 1584.412199][T16587] usb 6-1: new high-speed USB device number 31 using dummy_hcd [ 1584.429656][T22100] netlink: 20 bytes leftover after parsing attributes in process `syz.2.4808'. [ 1584.449227][T22100] netlink: 20 bytes leftover after parsing attributes in process `syz.2.4808'. [ 1584.591989][T16587] usb 6-1: Using ep0 maxpacket: 8 [ 1584.604499][T16587] usb 6-1: config 0 has no interfaces? [ 1584.618575][T16587] usb 6-1: New USB device found, idVendor=04e2, idProduct=1414, bcdDevice=c5.b9 [ 1584.621668][T22106] bond_slave_0: entered promiscuous mode [ 1584.633868][T22106] bond_slave_1: entered promiscuous mode [ 1584.637305][T16587] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1584.645800][T22106] macsec1: entered allmulticast mode [ 1584.656944][T22106] bond0: entered allmulticast mode [ 1584.660606][T16587] usb 6-1: Product: syz [ 1584.666450][T22106] bond_slave_0: entered allmulticast mode [ 1584.676013][T22106] bond_slave_1: entered allmulticast mode [ 1584.680999][T16587] usb 6-1: Manufacturer: syz [ 1584.691310][T22106] bond0: left allmulticast mode [ 1584.694053][T16587] usb 6-1: SerialNumber: syz [ 1584.697150][T22106] bond_slave_0: left allmulticast mode [ 1584.711450][T22106] bond_slave_1: left allmulticast mode [ 1584.718165][T22106] bond_slave_0: left promiscuous mode [ 1584.721532][T16587] usb 6-1: config 0 descriptor?? 
[ 1584.723642][T22106] bond_slave_1: left promiscuous mode [ 1584.812130][T14653] usb 2-1: new full-speed USB device number 72 using dummy_hcd [ 1585.246153][T14653] usb 2-1: config 1 has an invalid interface number: 128 but max is 1 [ 1585.327007][T14653] usb 2-1: config 1 has an invalid descriptor of length 255, skipping remainder of the config [ 1585.351211][T21071] usb 6-1: USB disconnect, device number 31 [ 1585.383942][T14653] usb 2-1: config 1 has 1 interface, different from the descriptor's value: 2 [ 1585.433645][T14653] usb 2-1: config 1 has no interface number 0 [ 1585.458848][T14653] usb 2-1: config 1 interface 128 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 1 [ 1585.498434][T14653] usb 2-1: New USB device found, idVendor=0525, idProduct=a4a1, bcdDevice= 0.40 [ 1585.524267][T14653] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1585.541876][T14653] usb 2-1: Product: syz [ 1585.549647][T14653] usb 2-1: Manufacturer: syz [ 1585.562826][T14653] usb 2-1: SerialNumber: syz [ 1585.581586][T14653] cdc_wdm 2-1:1.128: skipping garbage [ 1585.598950][T14653] cdc_wdm 2-1:1.128: probe with driver cdc_wdm failed with error -22 [ 1585.647026][T15307] Bluetooth: hci0: command 0x0405 tx timeout [ 1587.609214][T22130] ALSA: mixer_oss: invalid OSS volume 'LI' [ 1587.677073][T21071] usb 2-1: USB disconnect, device number 72 [ 1588.247761][T22143] program syz.5.4819 is using a deprecated SCSI ioctl, please convert it to SG_IO [ 1588.794072][T22154] netlink: 'syz.4.4821': attribute type 4 has an invalid length. [ 1588.801975][T22154] netlink: 17 bytes leftover after parsing attributes in process `syz.4.4821'. 
[ 1589.281026][T21071] usb 3-1: new full-speed USB device number 67 using dummy_hcd [ 1589.452806][T21071] usb 3-1: device descriptor read/64, error -71 [ 1589.515315][T22163] xt_hashlimit: size too large, truncated to 1048576 [ 1589.831522][T21071] usb 3-1: new full-speed USB device number 68 using dummy_hcd [ 1589.901019][T22175] vivid-000: disconnect [ 1589.912496][T22175] vivid-000: reconnect [ 1589.920162][ T5949] usb 2-1: new high-speed USB device number 73 using dummy_hcd [ 1590.011658][T21071] usb 3-1: device descriptor read/64, error -71 [ 1590.131875][ T5949] usb 2-1: Using ep0 maxpacket: 8 [ 1590.222547][T21071] usb usb3-port1: attempt power cycle [ 1590.264739][ T5949] usb 2-1: config 0 has no interfaces? [ 1590.364414][ T5949] usb 2-1: New USB device found, idVendor=04e2, idProduct=1414, bcdDevice=c5.b9 [ 1590.375599][T22176] kvm_intel: set kvm_intel.dump_invalid_vmcs=1 to dump internal KVM state. [ 1590.386746][ T5949] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1590.395194][ T5949] usb 2-1: Product: syz [ 1590.399507][ T5949] usb 2-1: Manufacturer: syz [ 1590.404393][ T5949] usb 2-1: SerialNumber: syz [ 1590.413670][ T5949] usb 2-1: config 0 descriptor?? 
[ 1590.501498][T22178] syz.5.4831: attempt to access beyond end of device [ 1590.501498][T22178] md0: rw=2048, sector=0, nr_sectors = 8 limit=0 [ 1590.638007][ T5949] usb 2-1: USB disconnect, device number 73 [ 1590.655252][T21071] usb 3-1: new full-speed USB device number 69 using dummy_hcd [ 1590.685817][T21071] usb 3-1: device descriptor read/8, error -71 [ 1591.293667][T21071] usb 3-1: new full-speed USB device number 70 using dummy_hcd [ 1591.372159][T21071] usb 3-1: device descriptor read/8, error -71 [ 1591.510707][T22186] Bluetooth: hci1: Opcode 0x0c1a failed: -4 [ 1591.527604][T21071] usb usb3-port1: unable to enumerate USB device [ 1591.551735][T22186] Bluetooth: hci1: Opcode 0x0406 failed: -4 [ 1591.563161][T22196] netlink: 24 bytes leftover after parsing attributes in process `syz.1.4835'. [ 1591.577482][T22186] Bluetooth: hci1: Opcode 0x0406 failed: -4 [ 1591.583743][T22196] fuse: Bad value for 'fd' [ 1591.603726][T22186] Bluetooth: hci5: Opcode 0x0c1a failed: -4 [ 1591.611597][T22186] Bluetooth: hci5: Opcode 0x0406 failed: -4 [ 1591.619053][T22186] Bluetooth: hci3: Opcode 0x0c1a failed: -4 [ 1591.629742][T22186] Bluetooth: hci3: Opcode 0x0406 failed: -4 [ 1591.651569][T22186] Bluetooth: hci4: Opcode 0x0c1a failed: -4 [ 1591.800886][T22186] Bluetooth: hci4: Opcode 0x0406 failed: -4 [ 1592.410636][T22186] Bluetooth: hci0: Opcode 0x0c1a failed: -4 [ 1592.423195][T22186] Bluetooth: hci0: Opcode 0x0406 failed: -4 [ 1593.405296][T15307] Bluetooth: hci1: command 0x0406 tx timeout [ 1593.631375][T14653] usb 2-1: new high-speed USB device number 74 using dummy_hcd [ 1593.651666][T15307] Bluetooth: hci3: command 0x0406 tx timeout [ 1593.659583][T15307] Bluetooth: hci5: command 0x0406 tx timeout [ 1593.721829][T15307] Bluetooth: hci4: command 0x0406 tx timeout [ 1594.481043][ T5831] Bluetooth: hci0: command 0x0405 tx timeout [ 1594.777654][T22233] overlayfs: upper fs does not support tmpfile. 
[ 1594.981273][ T5949] usb 4-1: new high-speed USB device number 66 using dummy_hcd [ 1595.161567][ T5949] usb 4-1: Using ep0 maxpacket: 8 [ 1595.175736][T22243] 9pnet_fd: Insufficient options for proto=fd [ 1595.176194][ T5949] usb 4-1: config 0 has no interfaces? [ 1595.199482][ T5949] usb 4-1: New USB device found, idVendor=04e2, idProduct=1414, bcdDevice=c5.b9 [ 1595.218339][ T5949] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1595.227531][ T5949] usb 4-1: Product: syz [ 1595.238704][ T5949] usb 4-1: Manufacturer: syz [ 1595.244417][ T5949] usb 4-1: SerialNumber: syz [ 1595.263086][ T5949] usb 4-1: config 0 descriptor?? [ 1595.481090][ T5831] Bluetooth: hci1: command 0x0406 tx timeout [ 1595.489885][ T5949] usb 4-1: USB disconnect, device number 66 [ 1595.721546][T15307] Bluetooth: hci3: command 0x0406 tx timeout [ 1595.727651][ T5831] Bluetooth: hci5: command 0x0406 tx timeout [ 1595.804559][ T5831] Bluetooth: hci4: command 0x0406 tx timeout [ 1595.926282][T22248] overlayfs: upper fs does not support tmpfile. [ 1596.008352][T22251] syz.4.4853: attempt to access beyond end of device [ 1596.008352][T22251] loop4: rw=4096, sector=2, nr_sectors = 2 limit=0 [ 1596.023348][T22251] EXT4-fs (loop4): unable to read superblock [ 1596.530898][ T5831] Bluetooth: hci0: command 0x0405 tx timeout [ 1597.600942][ T5831] Bluetooth: hci1: command 0x0406 tx timeout [ 1597.977567][T22280] netlink: 40 bytes leftover after parsing attributes in process `syz.1.4862'. [ 1598.003138][T22284] syz.5.4861: attempt to access beyond end of device [ 1598.003138][T22284] md0: rw=2048, sector=0, nr_sectors = 8 limit=0 [ 1598.219376][T22291] netlink: 36 bytes leftover after parsing attributes in process `syz.2.4863'. [ 1598.229427][T22291] netlink: 16 bytes leftover after parsing attributes in process `syz.2.4863'. [ 1598.238673][T22291] netlink: 36 bytes leftover after parsing attributes in process `syz.2.4863'. 
[ 1598.258397][T22291] netlink: 36 bytes leftover after parsing attributes in process `syz.2.4863'. [ 1598.423714][T22295] overlay: Unknown parameter '/' [ 1598.760875][ T10] usb 3-1: new high-speed USB device number 71 using dummy_hcd [ 1598.948581][T22303] syz.3.4867: attempt to access beyond end of device [ 1598.948581][T22303] loop3: rw=4096, sector=2, nr_sectors = 2 limit=0 [ 1598.962397][T22303] EXT4-fs (loop3): unable to read superblock [ 1598.970749][ T10] usb 3-1: Using ep0 maxpacket: 8 [ 1599.101309][T22302] syz.5.4866: attempt to access beyond end of device [ 1599.101309][T22302] md0: rw=2048, sector=0, nr_sectors = 8 limit=0 [ 1599.276201][ C0] vcan0: j1939_tp_rxtimer: 0xffff88807b136800: rx timeout, send abort [ 1599.284737][ C0] vcan0: j1939_xtp_rx_abort_one: 0xffff88807b136800: 0x20100: (3) A timeout occurred and this is the connection abort to close the session. [ 1599.752363][ T10] usb 3-1: config 0 has no interfaces? [ 1599.772630][ T10] usb 3-1: New USB device found, idVendor=04e2, idProduct=1414, bcdDevice=c5.b9 [ 1599.782733][ T10] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1599.790794][ T10] usb 3-1: Product: syz [ 1599.795151][ T10] usb 3-1: Manufacturer: syz [ 1599.800956][ T10] usb 3-1: SerialNumber: syz [ 1599.839315][ T10] usb 3-1: config 0 descriptor?? 
[ 1600.336895][T14653] usb 3-1: USB disconnect, device number 71 [ 1600.900057][T14653] usb 5-1: new full-speed USB device number 112 using dummy_hcd [ 1601.147914][T14653] usb 5-1: unable to get BOS descriptor or descriptor too short [ 1601.221468][T14653] usb 5-1: not running at top speed; connect to a high speed hub [ 1601.315928][T14653] usb 5-1: config 54 has an invalid interface number: 116 but max is 0 [ 1601.374404][T14653] usb 5-1: config 54 has an invalid descriptor of length 0, skipping remainder of the config [ 1601.399381][T14653] usb 5-1: config 54 has no interface number 0 [ 1601.410626][ T10] usb 4-1: new high-speed USB device number 67 using dummy_hcd [ 1601.419336][T14653] usb 5-1: config 54 interface 116 altsetting 224 has 0 endpoint descriptors, different from the interface descriptor's value: 2 [ 1601.528456][T14653] usb 5-1: config 54 interface 116 has no altsetting 0 [ 1601.546883][T14653] usb 5-1: New USB device found, idVendor=16d5, idProduct=6501, bcdDevice=9f.f4 [ 1601.565134][T14653] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1601.571714][ T10] usb 4-1: config 1 has an invalid descriptor of length 255, skipping remainder of the config [ 1601.573224][T14653] usb 5-1: Product: syz [ 1601.592321][T14653] usb 5-1: Manufacturer: syz [ 1601.596994][T14653] usb 5-1: SerialNumber: syz [ 1602.002022][ T10] usb 4-1: config 1 has 1 interface, different from the descriptor's value: 3 [ 1602.020146][ T10] usb 4-1: New USB device found, idVendor=08b7, idProduct=0000, bcdDevice= 0.00 [ 1602.029596][ T10] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=3 [ 1602.037903][ T10] usb 4-1: SerialNumber: syz [ 1602.754273][T14653] usb-storage 5-1:54.116: USB Mass Storage device detected [ 1602.937512][T14653] usb 5-1: USB disconnect, device number 112 [ 1602.946813][ T992] tipc: Subscription rejected, illegal request [ 1602.969993][ T10] usb 4-1: 0:2 : does not exist [ 1603.014257][ T10] usb 4-1: unit 255 not found! 
[ 1603.039016][ T10] usb 4-1: USB disconnect, device number 67 [ 1603.128127][T22343] syz.5.4877: attempt to access beyond end of device [ 1603.128127][T22343] md0: rw=2048, sector=0, nr_sectors = 8 limit=0 [ 1603.140690][ T6548] Bluetooth: (null): Invalid header checksum [ 1603.163613][ T6548] Bluetooth: (null): Invalid header checksum [ 1603.346158][ T78] Bluetooth: (null): Invalid header checksum [ 1603.366349][ T78] Bluetooth: (null): Invalid header checksum [ 1603.490292][ T78] Bluetooth: (null): Invalid header checksum [ 1603.601444][T22352] sp0: Synchronizing with TNC [ 1603.622412][ T4098] Bluetooth: (null): Invalid header checksum [ 1603.694375][ T6548] Bluetooth: (null): Invalid header checksum [ 1603.718663][T22340] Bluetooth: (null): Too short H5 packet [ 1604.007903][ T12] Bluetooth: (null): Invalid header checksum [ 1604.026520][ T12] Bluetooth: (null): Invalid header checksum [ 1604.440421][ T10] usb 6-1: new high-speed USB device number 32 using dummy_hcd [ 1604.893664][ T10] usb 6-1: New USB device found, idVendor=2770, idProduct=9052, bcdDevice=15.f5 [ 1604.907475][ T10] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1604.917568][ T10] usb 6-1: Product: syz [ 1604.927316][ T10] usb 6-1: Manufacturer: syz [ 1604.937550][ T10] usb 6-1: SerialNumber: syz [ 1604.961770][ T10] usb 6-1: config 0 descriptor?? [ 1605.092910][ T10] gspca_main: sq905c-2.14.0 probing 2770:9052 [ 1605.996319][T22373] Invalid source name [ 1606.000468][T22373] UBIFS error (pid: 22373): cannot open "./file0", error -22 [ 1606.051554][T22373] binder: 22365:22373 ioctl 40046210 0 returned -14 [ 1606.080669][ T10] gspca_sq905c: sq905c_command: usb_control_msg failed (-110) [ 1606.088168][ T10] sq905c 6-1:0.0: Get version command failed [ 1606.151138][T22376] netlink: 4 bytes leftover after parsing attributes in process `syz.4.4883'. 
[ 1606.516334][T16587] usb 3-1: new low-speed USB device number 72 using dummy_hcd [ 1606.534779][ T10] sq905c 6-1:0.0: probe with driver sq905c failed with error -110 [ 1606.750621][T16587] usb 3-1: device descriptor read/64, error -71 [ 1607.522592][ T1301] ieee802154 phy0 wpan0: encryption failed: -22 [ 1607.529152][ T1301] ieee802154 phy1 wpan1: encryption failed: -22 [ 1607.610288][T16587] usb 3-1: new low-speed USB device number 73 using dummy_hcd [ 1607.709555][T22385] netlink: 16 bytes leftover after parsing attributes in process `syz.5.4881'. [ 1607.742134][T22385] netlink: 16 bytes leftover after parsing attributes in process `syz.5.4881'. [ 1608.278078][T22399] kAFS: unparsable volume name [ 1609.374426][T22410] FAULT_INJECTION: forcing a failure. [ 1609.374426][T22410] name fail_usercopy, interval 1, probability 0, space 0, times 0 [ 1609.413592][T22410] CPU: 1 UID: 0 PID: 22410 Comm: syz.2.4893 Not tainted 6.16.0-rc2-syzkaller-00269-g11313e2f7812 #0 PREEMPT(full) [ 1609.413630][T22410] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 1609.413642][T22410] Call Trace: [ 1609.413651][T22410] [ 1609.413659][T22410] dump_stack_lvl+0x189/0x250 [ 1609.413690][T22410] ? __pfx____ratelimit+0x10/0x10 [ 1609.413721][T22410] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1609.413744][T22410] ? __pfx__printk+0x10/0x10 [ 1609.413775][T22410] should_fail_ex+0x414/0x560 [ 1609.413802][T22410] _copy_to_user+0x31/0xb0 [ 1609.413824][T22410] simple_read_from_buffer+0xe1/0x170 [ 1609.413850][T22410] proc_fail_nth_read+0x1df/0x250 [ 1609.413878][T22410] ? __pfx_proc_fail_nth_read+0x10/0x10 [ 1609.413904][T22410] ? rw_verify_area+0x258/0x650 [ 1609.413924][T22410] ? __pfx_proc_fail_nth_read+0x10/0x10 [ 1609.413949][T22410] vfs_read+0x200/0x980 [ 1609.413974][T22410] ? __pfx___mutex_lock+0x10/0x10 [ 1609.413999][T22410] ? __pfx_vfs_read+0x10/0x10 [ 1609.414020][T22410] ? __fget_files+0x2a/0x420 [ 1609.414047][T22410] ? 
__fget_files+0x3a0/0x420 [ 1609.414068][T22410] ? __fget_files+0x2a/0x420 [ 1609.414099][T22410] ksys_read+0x145/0x250 [ 1609.414121][T22410] ? __pfx_ksys_read+0x10/0x10 [ 1609.414137][T22410] ? rcu_is_watching+0x15/0xb0 [ 1609.414167][T22410] ? do_syscall_64+0xbe/0x3b0 [ 1609.414186][T22410] do_syscall_64+0xfa/0x3b0 [ 1609.414202][T22410] ? lockdep_hardirqs_on+0x9c/0x150 [ 1609.414225][T22410] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1609.414242][T22410] ? clear_bhb_loop+0x60/0xb0 [ 1609.414264][T22410] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1609.414280][T22410] RIP: 0033:0x7f3f9ad8d33c [ 1609.414298][T22410] Code: ec 28 48 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 99 93 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 34 44 89 c7 48 89 44 24 08 e8 ef 93 02 00 48 [ 1609.414312][T22410] RSP: 002b:00007f3f9bbec030 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 1609.414332][T22410] RAX: ffffffffffffffda RBX: 00007f3f9afb5fa0 RCX: 00007f3f9ad8d33c [ 1609.414346][T22410] RDX: 000000000000000f RSI: 00007f3f9bbec0a0 RDI: 0000000000000003 [ 1609.414357][T22410] RBP: 00007f3f9bbec090 R08: 0000000000000000 R09: 0000000000000000 [ 1609.414368][T22410] R10: 9999999999999999 R11: 0000000000000246 R12: 0000000000000001 [ 1609.414379][T22410] R13: 0000000000000000 R14: 00007f3f9afb5fa0 R15: 00007ffdf50b8f88 [ 1609.414409][T22410] [ 1609.649596][ C1] vkms_vblank_simulate: vblank timer overrun [ 1609.880232][T22412] netlink: 68 bytes leftover after parsing attributes in process `syz.1.4894'. 
[ 1610.084456][ T992] Bluetooth: (null): Invalid header checksum [ 1610.139744][ T992] Bluetooth: (null): Invalid header checksum [ 1610.718283][ T992] Bluetooth: (null): Invalid header checksum [ 1610.738222][ T992] Bluetooth: (null): Invalid header checksum [ 1611.279563][ T992] Bluetooth: (null): Invalid header checksum [ 1611.280550][T21071] usb 6-1: USB disconnect, device number 32 [ 1611.285947][ T992] Bluetooth: (null): Invalid header checksum [ 1611.328203][ T992] Bluetooth: (null): Invalid header checksum [ 1611.493950][ T992] Bluetooth: (null): Invalid header checksum [ 1611.975977][ T992] Bluetooth: (null): Invalid header checksum [ 1612.010375][ T992] Bluetooth: (null): Invalid header checksum [ 1612.021081][ T992] Bluetooth: (null): Invalid header checksum [ 1612.046906][ T992] Bluetooth: (null): Invalid header checksum [ 1612.092383][ T992] Bluetooth: (null): Invalid header checksum [ 1612.118800][ T992] Bluetooth: (null): Invalid header checksum [ 1612.144039][ T992] Bluetooth: (null): Invalid header checksum [ 1612.180294][ T992] Bluetooth: (null): Invalid header checksum [ 1612.278282][ T992] Bluetooth: (null): Invalid header checksum [ 1612.299716][ T992] Bluetooth: (null): Invalid header checksum [ 1612.311602][ T992] Bluetooth: (null): Invalid header checksum [ 1612.337987][ T992] Bluetooth: (null): Invalid header checksum [ 1612.363920][ T992] Bluetooth: (null): Invalid header checksum [ 1612.395448][ T992] Bluetooth: (null): Invalid header checksum [ 1612.426358][ T992] Bluetooth: (null): Invalid header checksum [ 1612.729580][ T992] Bluetooth: (null): Invalid header checksum [ 1613.010347][T22446] syz.4.4901: attempt to access beyond end of device [ 1613.010347][T22446] md0: rw=2048, sector=0, nr_sectors = 8 limit=0 [ 1613.027976][ T992] Bluetooth: (null): Invalid header checksum [ 1613.039397][ T992] Bluetooth: (null): Invalid header checksum [ 1613.617978][ T992] Bluetooth: (null): Invalid header checksum [ 1613.675055][ T992] Bluetooth: 
(null): Invalid header checksum [ 1613.712744][ T992] Bluetooth: (null): Invalid header checksum [ 1613.728922][T22453] Bluetooth: (null): Too short H5 packet [ 1613.747043][ T6119] Bluetooth: (null): Invalid header checksum [ 1613.756293][ T6119] Bluetooth: (null): Invalid header checksum [ 1613.762746][ T6119] Bluetooth: (null): Invalid header checksum [ 1613.769170][ T6119] Bluetooth: (null): Invalid header checksum [ 1613.866749][ T6119] Bluetooth: (null): Invalid header checksum [ 1613.872951][ T6119] Bluetooth: (null): Invalid header checksum [ 1614.231556][T22465] random: crng reseeded on system resumption [ 1614.260296][T22461] netlink: 'syz.1.4906': attribute type 10 has an invalid length. [ 1614.297042][T22461] bridge0: port 3(gretap0) entered disabled state [ 1614.303722][T22461] bridge0: port 2(bridge_slave_1) entered disabled state [ 1614.311069][T22461] bridge0: port 1(bridge_slave_0) entered disabled state [ 1614.323935][T22469] fuse: Bad value for 'fd' [ 1614.329516][T22468] netlink: 4 bytes leftover after parsing attributes in process `syz.1.4906'. 
[ 1614.428668][T22461] bridge0: port 3(gretap0) entered blocking state [ 1614.436652][T22461] bridge0: port 3(gretap0) entered forwarding state [ 1614.443641][T22461] bridge0: port 2(bridge_slave_1) entered blocking state [ 1614.450854][T22461] bridge0: port 2(bridge_slave_1) entered forwarding state [ 1614.458355][T22461] bridge0: port 1(bridge_slave_0) entered blocking state [ 1614.465599][T22461] bridge0: port 1(bridge_slave_0) entered forwarding state [ 1614.494817][T22461] bond0: (slave bridge0): Enslaving as an active interface with an up link [ 1614.508931][T22468] gretap0: left allmulticast mode [ 1614.523681][T22468] gretap0: left promiscuous mode [ 1614.955582][T22468] bridge0: port 3(gretap0) entered disabled state [ 1615.000429][T22468] bridge_slave_1: left allmulticast mode [ 1615.030428][T22468] bridge_slave_1: left promiscuous mode [ 1615.036221][T22468] bridge0: port 2(bridge_slave_1) entered disabled state [ 1615.069624][T22468] bridge_slave_0: left allmulticast mode [ 1615.076698][T22468] bridge_slave_0: left promiscuous mode [ 1615.098976][T22468] bridge0: port 1(bridge_slave_0) entered disabled state [ 1615.155157][T22468] bond0: (slave bridge0): Releasing backup interface [ 1615.246260][T22491] netlink: 2384 bytes leftover after parsing attributes in process `syz.4.4913'. [ 1615.779423][T22505] syz.1.4918: attempt to access beyond end of device [ 1615.779423][T22505] loop1: rw=4096, sector=2, nr_sectors = 2 limit=0 [ 1615.792940][T22505] EXT4-fs (loop1): unable to read superblock [ 1616.815875][T22513] netlink: 104 bytes leftover after parsing attributes in process `syz.3.4922'. [ 1616.850453][T14653] usb 3-1: new high-speed USB device number 74 using dummy_hcd [ 1617.479442][T14653] usb 3-1: Using ep0 maxpacket: 8 [ 1617.497799][T14653] usb 3-1: config 0 has no interfaces? 
[ 1617.542672][T14653] usb 3-1: New USB device found, idVendor=04e2, idProduct=1414, bcdDevice=c5.b9 [ 1617.564572][T14653] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1617.594726][T14653] usb 3-1: Product: syz [ 1617.627565][T14653] usb 3-1: Manufacturer: syz [ 1617.643088][T14653] usb 3-1: SerialNumber: syz [ 1617.663703][T14653] usb 3-1: config 0 descriptor?? [ 1618.166006][T22536] syz.4.4927: attempt to access beyond end of device [ 1618.166006][T22536] loop4: rw=4096, sector=2, nr_sectors = 2 limit=0 [ 1618.179474][T22536] EXT4-fs (loop4): unable to read superblock [ 1618.994613][T21071] usb 3-1: USB disconnect, device number 74 [ 1619.083828][T22538] input: syz1 as /devices/virtual/input/input32 [ 1619.471712][T22552] ecryptfs: Unknown parameter '³(' [ 1619.641312][T22550] overlayfs: upper fs does not support tmpfile. [ 1620.882487][T22558] PKCS7: Unknown OID: [4] 0.38.35.34.956032.117(bad) [ 1620.959568][T22558] PKCS7: Only support pkcs7_signedData type [ 1620.995596][T15307] Bluetooth: hci1: unknown advertising packet type: 0x82 [ 1620.995634][T15307] Bluetooth: hci1: Dropping invalid advertising data [ 1621.010175][T15307] Bluetooth: hci1: unknown advertising packet type: 0xf2 [ 1621.010199][T15307] Bluetooth: hci1: Malformed LE Event: 0x02 [ 1622.989412][T22577] netlink: 512 bytes leftover after parsing attributes in process `syz.3.4939'. [ 1623.531987][T22584] Bluetooth: MGMT ver 1.23 [ 1624.393563][T22591] delete_channel: no stack [ 1626.023061][T14653] usb 6-1: new full-speed USB device number 33 using dummy_hcd [ 1626.224327][T14653] usb 6-1: config 0 has no interfaces? [ 1626.520914][T14653] usb 6-1: New USB device found, idVendor=28bd, idProduct=0935, bcdDevice= 0.00 [ 1626.556504][T14653] usb 6-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 1626.588461][T14653] usb 6-1: config 0 descriptor?? 
[ 1626.817738][T22620] dummy0: entered promiscuous mode [ 1626.823608][T22620] vlan2: entered promiscuous mode [ 1628.147498][ T5964] usb 6-1: USB disconnect, device number 33 [ 1628.222806][T22643] FAULT_INJECTION: forcing a failure. [ 1628.222806][T22643] name failslab, interval 1, probability 0, space 0, times 0 [ 1628.275903][T22643] CPU: 1 UID: 0 PID: 22643 Comm: syz.4.4962 Not tainted 6.16.0-rc2-syzkaller-00269-g11313e2f7812 #0 PREEMPT(full) [ 1628.275931][T22643] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 1628.275942][T22643] Call Trace: [ 1628.275950][T22643] [ 1628.275959][T22643] dump_stack_lvl+0x189/0x250 [ 1628.275987][T22643] ? __pfx____ratelimit+0x10/0x10 [ 1628.276012][T22643] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1628.276035][T22643] ? __pfx__printk+0x10/0x10 [ 1628.276059][T22643] ? __pfx___might_resched+0x10/0x10 [ 1628.276081][T22643] ? fs_reclaim_acquire+0x7d/0x100 [ 1628.276108][T22643] should_fail_ex+0x414/0x560 [ 1628.276133][T22643] should_failslab+0xa8/0x100 [ 1628.276157][T22643] kmem_cache_alloc_noprof+0x73/0x3c0 [ 1628.276177][T22643] ? ep_insert+0x272/0x1a00 [ 1628.276200][T22643] ep_insert+0x272/0x1a00 [ 1628.276226][T22643] ? __mutex_unlock_slowpath+0x1cd/0x700 [ 1628.276253][T22643] ? epoll_mutex_lock+0x4d/0x60 [ 1628.276275][T22643] ? __pfx_ep_insert+0x10/0x10 [ 1628.276321][T22643] do_epoll_ctl+0x7f4/0xe90 [ 1628.276351][T22643] __x64_sys_epoll_ctl+0x163/0x1a0 [ 1628.276374][T22643] ? __pfx___x64_sys_epoll_ctl+0x10/0x10 [ 1628.276392][T22643] ? rcu_is_watching+0x15/0xb0 [ 1628.276422][T22643] ? do_syscall_64+0xbe/0x3b0 [ 1628.276443][T22643] do_syscall_64+0xfa/0x3b0 [ 1628.276458][T22643] ? lockdep_hardirqs_on+0x9c/0x150 [ 1628.276481][T22643] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1628.276499][T22643] ? 
clear_bhb_loop+0x60/0xb0 [ 1628.276527][T22643] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1628.276548][T22643] RIP: 0033:0x7f647278e929 [ 1628.276564][T22643] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 1628.276578][T22643] RSP: 002b:00007f6473555038 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9 [ 1628.276597][T22643] RAX: ffffffffffffffda RBX: 00007f64729b5fa0 RCX: 00007f647278e929 [ 1628.276610][T22643] RDX: 0000000000000007 RSI: 0000000000000001 RDI: 0000000000000004 [ 1628.276621][T22643] RBP: 00007f6473555090 R08: 0000000000000000 R09: 0000000000000000 [ 1628.276632][T22643] R10: 0000200000000000 R11: 0000000000000246 R12: 0000000000000001 [ 1628.276644][T22643] R13: 0000000000000000 R14: 00007f64729b5fa0 R15: 00007ffffbdca028 [ 1628.276674][T22643] [ 1628.500330][ C1] vkms_vblank_simulate: vblank timer overrun [ 1630.328461][T22673] netlink: 'syz.4.4970': attribute type 4 has an invalid length. [ 1630.336301][T22673] netlink: 17 bytes leftover after parsing attributes in process `syz.4.4970'. [ 1630.716821][T22658] Bluetooth: hci0: Opcode 0x0401 failed: -4 [ 1631.222241][T15307] Bluetooth: hci0: command 0x0405 tx timeout [ 1631.932077][T22684] syz.4.4971: attempt to access beyond end of device [ 1631.932077][T22684] md0: rw=2048, sector=0, nr_sectors = 8 limit=0 [ 1632.237620][T22689] FAULT_INJECTION: forcing a failure. [ 1632.237620][T22689] name fail_usercopy, interval 1, probability 0, space 0, times 0 [ 1632.281112][T22689] CPU: 0 UID: 0 PID: 22689 Comm: syz.1.4974 Not tainted 6.16.0-rc2-syzkaller-00269-g11313e2f7812 #0 PREEMPT(full) [ 1632.281139][T22689] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 1632.281150][T22689] Call Trace: [ 1632.281158][T22689] [ 1632.281166][T22689] dump_stack_lvl+0x189/0x250 [ 1632.281195][T22689] ? 
__pfx____ratelimit+0x10/0x10 [ 1632.281220][T22689] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1632.281243][T22689] ? __pfx__printk+0x10/0x10 [ 1632.281274][T22689] should_fail_ex+0x414/0x560 [ 1632.281300][T22689] strncpy_from_user+0x36/0x290 [ 1632.281324][T22689] getname_flags+0xf3/0x540 [ 1632.281351][T22689] do_sys_openat2+0xbc/0x1c0 [ 1632.281379][T22689] ? __pfx_do_sys_openat2+0x10/0x10 [ 1632.281404][T22689] ? ksys_write+0x22a/0x250 [ 1632.281425][T22689] ? __pfx_ksys_write+0x10/0x10 [ 1632.281442][T22689] ? rcu_is_watching+0x15/0xb0 [ 1632.281469][T22689] __x64_sys_openat+0x138/0x170 [ 1632.281499][T22689] do_syscall_64+0xfa/0x3b0 [ 1632.281513][T22689] ? lockdep_hardirqs_on+0x9c/0x150 [ 1632.281536][T22689] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1632.281554][T22689] ? clear_bhb_loop+0x60/0xb0 [ 1632.281574][T22689] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1632.281591][T22689] RIP: 0033:0x7f097078e929 [ 1632.281607][T22689] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 1632.281622][T22689] RSP: 002b:00007f097165c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 1632.281641][T22689] RAX: ffffffffffffffda RBX: 00007f09709b5fa0 RCX: 00007f097078e929 [ 1632.281655][T22689] RDX: 000000000000275a RSI: 00002000000005c0 RDI: ffffffffffffff9c [ 1632.281668][T22689] RBP: 00007f097165c090 R08: 0000000000000000 R09: 0000000000000000 [ 1632.281679][T22689] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 1632.281690][T22689] R13: 0000000000000000 R14: 00007f09709b5fa0 R15: 00007ffc5b92ad08 [ 1632.281719][T22689] [ 1633.152388][T22711] netlink: 12 bytes leftover after parsing attributes in process `syz.3.4980'. 
[ 1633.204929][T22713] vhci_hcd vhci_hcd.0: pdev(4) rhport(0) sockfd(10) [ 1633.211584][T22713] vhci_hcd vhci_hcd.0: devid(0) speed(4) speed_str(wireless) [ 1633.264637][T22713] vhci_hcd vhci_hcd.0: Device attached [ 1633.277511][T22718] vhci_hcd vhci_hcd.0: pdev(4) rhport(1) sockfd(13) [ 1633.284139][T22718] vhci_hcd vhci_hcd.0: devid(0) speed(1) speed_str(low-speed) [ 1633.335917][T22713] vhci_hcd vhci_hcd.0: pdev(4) rhport(2) sockfd(12) [ 1633.342535][T22713] vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed) [ 1633.377819][T22718] vhci_hcd vhci_hcd.0: Device attached [ 1633.423891][T22723] vhci_hcd vhci_hcd.0: pdev(4) rhport(3) sockfd(18) [ 1633.430542][T22723] vhci_hcd vhci_hcd.0: devid(0) speed(4) speed_str(wireless) [ 1633.805185][T22723] vhci_hcd vhci_hcd.0: Device attached [ 1633.877544][ T5964] vhci_hcd: vhci_device speed not set [ 1633.918732][T22713] vhci_hcd vhci_hcd.0: Device attached [ 1633.954274][T22727] vhci_hcd vhci_hcd.0: pdev(4) rhport(4) sockfd(15) [ 1633.960896][T22727] vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed) [ 1634.516857][ T5964] usb 41-1: new full-speed USB device number 3 using vhci_hcd [ 1634.541443][T22713] vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN [ 1634.561921][T22727] vhci_hcd vhci_hcd.0: Device attached [ 1634.591685][T22713] vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN [ 1634.651336][T22713] vhci_hcd vhci_hcd.0: pdev(4) rhport(7) sockfd(20) [ 1634.657954][T22713] vhci_hcd vhci_hcd.0: devid(0) speed(3) speed_str(high-speed) [ 1634.689894][T22713] vhci_hcd vhci_hcd.0: Device attached [ 1634.870784][T22741] syz.2.4985: attempt to access beyond end of device [ 1634.870784][T22741] md0: rw=2048, sector=0, nr_sectors = 8 limit=0 [ 1635.270410][T22713] vhci_hcd vhci_hcd.0: port 0 already used [ 1635.316259][T22724] vhci_hcd: connection closed [ 1635.316326][T22731] vhci_hcd: connection closed [ 1635.321487][ T4098] vhci_hcd: stop threads [ 1635.330940][T22736] 
vhci_hcd: connection closed [ 1635.333123][T22721] vhci_hcd: connection closed [ 1635.334572][T22719] vhci_hcd: connection closed [ 1635.342677][T22714] vhci_hcd: connection reset by peer [ 1635.380413][ T4098] vhci_hcd: release socket [ 1635.402996][ T4098] vhci_hcd: disconnect device [ 1635.425357][ T4098] vhci_hcd: stop threads [ 1635.571415][ T4098] vhci_hcd: release socket [ 1635.579560][ T4098] vhci_hcd: disconnect device [ 1635.594422][ T4098] vhci_hcd: stop threads [ 1635.605109][ T4098] vhci_hcd: release socket [ 1635.609929][ T4098] vhci_hcd: disconnect device [ 1635.615859][ T4098] vhci_hcd: stop threads [ 1635.621310][ T4098] vhci_hcd: release socket [ 1635.625875][ T4098] vhci_hcd: disconnect device [ 1635.737723][ T9] usb 3-1: new high-speed USB device number 75 using dummy_hcd [ 1636.143223][ T4098] vhci_hcd: stop threads [ 1636.147614][ T4098] vhci_hcd: release socket [ 1636.152560][ T4098] vhci_hcd: disconnect device [ 1636.160106][ T4098] vhci_hcd: stop threads [ 1636.225598][ T4098] vhci_hcd: release socket [ 1636.233199][ T4098] vhci_hcd: disconnect device [ 1636.317320][ T9] usb 3-1: Using ep0 maxpacket: 16 [ 1636.328032][ T9] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 1636.345960][ T9] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 1636.357922][ T9] usb 3-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9 [ 1636.377160][ T9] usb 3-1: New USB device found, idVendor=045e, idProduct=07da, bcdDevice= 0.00 [ 1636.394749][ T9] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 1636.405790][ T9] usb 3-1: config 0 descriptor?? 
[ 1636.467451][ T5948] usb 5-1: new high-speed USB device number 113 using dummy_hcd [ 1636.637530][ T5948] usb 5-1: Using ep0 maxpacket: 8 [ 1636.646117][ T5948] usb 5-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 1636.657317][ T5948] usb 5-1: config 0 has no interfaces? [ 1636.671272][ T5948] usb 5-1: New USB device found, idVendor=04e2, idProduct=1414, bcdDevice=c5.b9 [ 1636.681504][ T5948] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1636.689764][ T5948] usb 5-1: Product: syz [ 1636.694115][ T5948] usb 5-1: Manufacturer: syz [ 1636.699156][ T5948] usb 5-1: SerialNumber: syz [ 1636.718827][ T5948] usb 5-1: config 0 descriptor?? [ 1636.849775][T22734] delete_channel: no stack [ 1637.093163][ T9] usbhid 3-1:0.0: can't add hid device: -71 [ 1637.104808][T22754] netlink: 'syz.4.4988': attribute type 12 has an invalid length. [ 1637.131843][ T9] usbhid 3-1:0.0: probe with driver usbhid failed with error -71 [ 1637.299977][ T5828] usb 5-1: USB disconnect, device number 113 [ 1637.501341][ T9] usb 3-1: USB disconnect, device number 75 [ 1637.620806][T22765] _ÐZ`Ô€@: entered promiscuous mode [ 1638.784738][T22780] overlayfs: cannot append lower layer [ 1639.054131][T22785] netlink: 8 bytes leftover after parsing attributes in process `syz.5.4995'. [ 1639.719358][ T5964] vhci_hcd: vhci_device speed not set [ 1639.887481][T14653] usb 2-1: new high-speed USB device number 75 using dummy_hcd [ 1640.077048][T14653] usb 2-1: Using ep0 maxpacket: 32 [ 1640.128687][T14653] usb 2-1: New USB device found, idVendor=0c72, idProduct=000d, bcdDevice=27.9b [ 1640.159203][ T5948] usb 6-1: new full-speed USB device number 34 using dummy_hcd [ 1640.159261][T14653] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1640.176025][T14653] usb 2-1: Product: syz [ 1640.187965][T14653] usb 2-1: Manufacturer: syz [ 1640.192581][T14653] usb 2-1: SerialNumber: syz [ 1640.217760][T14653] usb 2-1: config 0 descriptor?? 
[ 1640.329044][ T5948] usb 6-1: config 0 has an invalid interface number: 105 but max is 0 [ 1640.352825][ T5948] usb 6-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 1640.381820][ T5948] usb 6-1: config 0 has no interface number 0 [ 1640.404767][ T5948] usb 6-1: New USB device found, idVendor=046c, idProduct=14e8, bcdDevice= b.28 [ 1640.425261][ T5948] usb 6-1: New USB device strings: Mfr=5, Product=2, SerialNumber=3 [ 1640.442801][ T5948] usb 6-1: Product: syz [ 1640.453212][ T5948] usb 6-1: Manufacturer: syz [ 1640.463824][ T5948] usb 6-1: SerialNumber: syz [ 1640.483661][ T5948] usb 6-1: config 0 descriptor?? [ 1640.598993][ T5948] usb 6-1: Found UVC 0.00 device syz (046c:14e8) [ 1641.382096][T14653] peak_usb 2-1:0.0 can0: unable to request usb[type=0 value=0] err=-71 [ 1641.518220][T14653] peak_usb 2-1:0.0: unable to read PCAN-USB Pro bootloader info (err -71) [ 1641.640402][ T5948] uvcvideo 6-1:0.105: Entity type for entity Output 1 was not initialized! [ 1641.657874][ T5948] usb 6-1: Failed to create links for entity 1 [ 1641.664068][ T5948] usb 6-1: Failed to register entities (-22). 
[ 1641.828604][ T5948] usb 6-1: USB disconnect, device number 34 [ 1641.887522][T14653] peak_usb 2-1:0.0: probe with driver peak_usb failed with error -71 [ 1641.926476][T14653] usb 2-1: USB disconnect, device number 75 [ 1642.521635][T22823] syz.4.5012: attempt to access beyond end of device [ 1642.521635][T22823] loop4: rw=4096, sector=2, nr_sectors = 2 limit=0 [ 1642.535408][T22823] EXT4-fs (loop4): unable to read superblock [ 1643.686678][T14653] usb 3-1: new full-speed USB device number 76 using dummy_hcd [ 1644.173282][T14653] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 10 [ 1644.256637][T14653] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 1644.318258][T14653] usb 3-1: New USB device found, idVendor=256c, idProduct=006d, bcdDevice= 0.00 [ 1644.388770][T14653] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 1644.538728][T14653] usb 3-1: config 0 descriptor?? [ 1645.336194][T14653] usb 3-1: string descriptor 0 read error: -22 [ 1646.333592][T22837] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 1646.345678][T22837] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 1646.554562][ T30] audit: type=1326 audit(1750516069.454:559): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=22831 comm="syz.5.5015" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f3f82f8e929 code=0x7fc00000 [ 1646.603898][T14653] input: HID 256c:006d as /devices/platform/dummy_hcd.2/usb3/3-1/3-1:0.0/0003:256C:006D.0018/input/input33 [ 1646.851079][T14653] uclogic 0003:256C:006D.0018: input,hidraw0: USB HID v0.00 Device [HID 256c:006d] on usb-dummy_hcd.2-1/input0 [ 1646.916656][T22842] syz.4.5018: attempt to access beyond end of device [ 1646.916656][T22842] loop4: rw=4096, sector=2, nr_sectors = 2 limit=0 [ 1646.929872][T22842] EXT4-fs (loop4): unable to read superblock [ 1646.983315][T14653] usb 3-1: USB 
disconnect, device number 76 [ 1647.066321][ T5964] usb 2-1: new high-speed USB device number 76 using dummy_hcd [ 1647.236571][ T5964] usb 2-1: Using ep0 maxpacket: 32 [ 1648.017271][ T5964] usb 2-1: config 0 interface 0 altsetting 0 has an endpoint descriptor with address 0xFF, changing to 0x8F [ 1648.032092][T22848] syz.2.5021: attempt to access beyond end of device [ 1648.032092][T22848] md0: rw=2048, sector=0, nr_sectors = 8 limit=0 [ 1648.077279][ T5964] usb 2-1: config 0 interface 0 altsetting 0 endpoint 0x8F has an invalid bInterval 255, changing to 11 [ 1648.148634][ T5964] usb 2-1: config 0 interface 0 altsetting 0 endpoint 0x8F has invalid maxpacket 59391, setting to 1024 [ 1648.194882][ T5964] usb 2-1: New USB device found, idVendor=046d, idProduct=c314, bcdDevice= 0.40 [ 1648.215968][ T5964] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 1648.650662][ T5964] usb 2-1: config 0 descriptor?? [ 1648.660528][T22840] raw-gadget.0 gadget.1: fail, usb_ep_enable returned -22 [ 1648.684961][ T5964] hub 2-1:0.0: USB hub found [ 1649.455271][ T5964] hub 2-1:0.0: 2 ports detected [ 1649.516955][T22879] IPVS: length: 71 != 24 [ 1650.466474][T22889] netlink: 20 bytes leftover after parsing attributes in process `syz.1.5017'. [ 1652.138040][ T5964] usb 2-1: USB disconnect, device number 76 [ 1652.537460][T22931] Invalid source name [ 1652.541542][T22931] UBIFS error (pid: 22931): cannot open "./file0", error -22 [ 1652.552612][T22931] binder: 22925:22931 ioctl 40046210 0 returned -14 [ 1652.651330][T22933] netlink: 4 bytes leftover after parsing attributes in process `syz.1.5039'. [ 1657.274189][T22993] overlayfs: failed to clone upperpath [ 1657.399945][T22996] Invalid source name [ 1657.404589][T22996] UBIFS error (pid: 22996): cannot open "./file0", error -22 [ 1657.663141][T22996] binder: 22980:22996 ioctl 40046210 0 returned -14 [ 1657.830552][T22999] netlink: 4 bytes leftover after parsing attributes in process `syz.5.5056'. 
[ 1660.575108][T21071] usb 3-1: new high-speed USB device number 77 using dummy_hcd [ 1660.855665][T21071] usb 3-1: Using ep0 maxpacket: 8 [ 1660.902245][T21071] usb 3-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 1661.032794][T21071] usb 3-1: config 0 has no interfaces? [ 1661.116084][T21071] usb 3-1: New USB device found, idVendor=04e2, idProduct=1414, bcdDevice=c5.b9 [ 1661.144524][T21071] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1661.167999][T21071] usb 3-1: Product: syz [ 1661.175286][T21071] usb 3-1: Manufacturer: syz [ 1661.185020][T21071] usb 3-1: SerialNumber: syz [ 1661.217794][T21071] usb 3-1: config 0 descriptor?? [ 1662.166651][T23020] netlink: 'syz.2.5063': attribute type 11 has an invalid length. [ 1662.228840][T22814] usb 3-1: USB disconnect, device number 77 [ 1662.475087][T23057] Invalid source name [ 1662.479197][T23057] UBIFS error (pid: 23057): cannot open "./file0", error -22 [ 1662.489293][T23057] binder: 23050:23057 ioctl 40046210 0 returned -14 [ 1662.765080][T23059] netlink: 4 bytes leftover after parsing attributes in process `syz.1.5070'. [ 1669.021286][ T1301] ieee802154 phy0 wpan0: encryption failed: -22 [ 1669.035989][ T1301] ieee802154 phy1 wpan1: encryption failed: -22 [ 1669.149071][T23107] FAULT_INJECTION: forcing a failure. [ 1669.149071][T23107] name fail_usercopy, interval 1, probability 0, space 0, times 0 [ 1669.162236][T23107] CPU: 1 UID: 0 PID: 23107 Comm: syz.4.5085 Not tainted 6.16.0-rc2-syzkaller-00269-g11313e2f7812 #0 PREEMPT(full) [ 1669.162258][T23107] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 1669.162270][T23107] Call Trace: [ 1669.162277][T23107] [ 1669.162285][T23107] dump_stack_lvl+0x189/0x250 [ 1669.162313][T23107] ? __pfx____ratelimit+0x10/0x10 [ 1669.162336][T23107] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1669.162357][T23107] ? 
__pfx__printk+0x10/0x10 [ 1669.162384][T23107] should_fail_ex+0x414/0x560 [ 1669.162408][T23107] _copy_to_user+0x31/0xb0 [ 1669.162426][T23107] simple_read_from_buffer+0xe1/0x170 [ 1669.162452][T23107] proc_fail_nth_read+0x1df/0x250 [ 1669.162486][T23107] ? __pfx_proc_fail_nth_read+0x10/0x10 [ 1669.162511][T23107] ? rw_verify_area+0x258/0x650 [ 1669.162528][T23107] ? __pfx_proc_fail_nth_read+0x10/0x10 [ 1669.162553][T23107] vfs_read+0x200/0x980 [ 1669.162577][T23107] ? __pfx___mutex_lock+0x10/0x10 [ 1669.162601][T23107] ? __pfx_vfs_read+0x10/0x10 [ 1669.162622][T23107] ? __fget_files+0x2a/0x420 [ 1669.162646][T23107] ? __fget_files+0x3a0/0x420 [ 1669.162666][T23107] ? __fget_files+0x2a/0x420 [ 1669.162695][T23107] ksys_read+0x145/0x250 [ 1669.162712][T23107] ? __fget_files+0x3a0/0x420 [ 1669.162733][T23107] ? __pfx_ksys_read+0x10/0x10 [ 1669.162756][T23107] ? do_syscall_64+0xbe/0x3b0 [ 1669.162774][T23107] do_syscall_64+0xfa/0x3b0 [ 1669.162788][T23107] ? lockdep_hardirqs_on+0x9c/0x150 [ 1669.162810][T23107] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1669.162827][T23107] ? 
clear_bhb_loop+0x60/0xb0 [ 1669.162848][T23107] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1669.162865][T23107] RIP: 0033:0x7f647278d33c [ 1669.162882][T23107] Code: ec 28 48 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 99 93 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 34 44 89 c7 48 89 44 24 08 e8 ef 93 02 00 48 [ 1669.162897][T23107] RSP: 002b:00007f6473555030 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 1669.162915][T23107] RAX: ffffffffffffffda RBX: 00007f64729b5fa0 RCX: 00007f647278d33c [ 1669.162928][T23107] RDX: 000000000000000f RSI: 00007f64735550a0 RDI: 0000000000000003 [ 1669.162939][T23107] RBP: 00007f6473555090 R08: 0000000000000000 R09: 0000000000000000 [ 1669.162950][T23107] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 1669.162961][T23107] R13: 0000000000000000 R14: 00007f64729b5fa0 R15: 00007ffffbdca028 [ 1669.162988][T23107] [ 1669.694267][T22814] usb 6-1: new high-speed USB device number 35 using dummy_hcd [ 1670.520800][T23116] netlink: 'syz.1.5088': attribute type 4 has an invalid length. [ 1670.529150][T23116] netlink: 17 bytes leftover after parsing attributes in process `syz.1.5088'. [ 1671.911533][T23123] netlink: 'syz.4.5089': attribute type 4 has an invalid length. [ 1671.919431][T23123] netlink: 17 bytes leftover after parsing attributes in process `syz.4.5089'. 
[ 1672.163171][T22814] usb 6-1: Using ep0 maxpacket: 8 [ 1672.215339][T22814] usb 6-1: device descriptor read/all, error -71 [ 1672.766855][T23129] kvm: kvm [23127]: vcpu0, guest rIP: 0x18e Unhandled WRMSR(0xc2) = 0xe000 [ 1672.980531][T23129] kvm: kvm [23127]: vcpu0, guest rIP: 0x1b8 Unhandled WRMSR(0xc2) = 0xe000 [ 1673.015341][T23129] kvm: kvm [23127]: vcpu0, guest rIP: 0x18e Unhandled WRMSR(0x11e) = 0x0 [ 1673.024153][T23129] kvm: kvm [23127]: vcpu0, guest rIP: 0x1b8 Unhandled WRMSR(0x11e) = 0x0 [ 1673.039486][T23129] kvm: kvm [23127]: vcpu0, guest rIP: 0x18e Unhandled WRMSR(0x187) = 0x2600 [ 1673.048621][T23129] kvm: kvm [23127]: vcpu0, guest rIP: 0x1b8 Unhandled WRMSR(0x187) = 0x2600 [ 1674.150078][T23148] Cannot find add_set index 3 as target [ 1674.649675][T23160] netlink: 10 bytes leftover after parsing attributes in process `syz.1.5099'. [ 1675.064076][T21071] usb 2-1: new high-speed USB device number 77 using dummy_hcd [ 1675.437856][T23180] syz.5.5107: attempt to access beyond end of device [ 1675.437856][T23180] md0: rw=2048, sector=0, nr_sectors = 8 limit=0 [ 1675.466965][T21071] usb 2-1: Using ep0 maxpacket: 8 [ 1675.479884][T21071] usb 2-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 1675.528356][T21071] usb 2-1: config 0 has no interfaces? [ 1675.954334][T23184] syz.4.5108: attempt to access beyond end of device [ 1675.954334][T23184] loop4: rw=4096, sector=2, nr_sectors = 2 limit=0 [ 1676.896489][T23184] EXT4-fs (loop4): unable to read superblock [ 1676.969574][T21071] usb 2-1: New USB device found, idVendor=04e2, idProduct=1414, bcdDevice=c5.b9 [ 1676.993673][T21071] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1677.001738][T21071] usb 2-1: Product: syz [ 1677.010183][T21071] usb 2-1: Manufacturer: syz [ 1677.014903][T21071] usb 2-1: SerialNumber: syz [ 1677.024495][T21071] usb 2-1: config 0 descriptor?? 
[ 1677.238693][T23195] netlink: 52 bytes leftover after parsing attributes in process `syz.5.5111'. [ 1677.242371][T23166] netlink: 'syz.1.5103': attribute type 12 has an invalid length. [ 1677.299869][ T5948] usb 2-1: USB disconnect, device number 77 [ 1678.925328][T23220] syz.5.5119: attempt to access beyond end of device [ 1678.925328][T23220] md0: rw=2048, sector=0, nr_sectors = 8 limit=0 [ 1679.638680][ T30] audit: type=1326 audit(1750516102.617:560): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=23223 comm="syz.2.5121" exe="/root/syz-executor" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f3f9ad8e929 code=0x0 [ 1679.684544][T23227] netlink: 8 bytes leftover after parsing attributes in process `syz.5.5122'. [ 1679.876087][T23230] input: syz0 as /devices/virtual/input/input34 [ 1679.892667][T23230] input: failed to attach handler leds to device input34, error: -6 [ 1679.969548][ T5948] usb 6-1: new full-speed USB device number 37 using dummy_hcd [ 1680.021236][T23232] wg2: entered promiscuous mode [ 1680.039968][T23232] wg2: entered allmulticast mode [ 1680.053535][T23237] netlink: 276 bytes leftover after parsing attributes in process `syz.4.5125'. 
[ 1680.266458][ T5948] usb 6-1: unable to get BOS descriptor or descriptor too short [ 1680.284807][ T5948] usb 6-1: not running at top speed; connect to a high speed hub [ 1680.526869][ T5948] usb 6-1: too many endpoints for config 1 interface 0 altsetting 3: 65, using maximum allowed: 30 [ 1680.545511][ T5948] usb 6-1: config 1 interface 0 altsetting 3 has 1 endpoint descriptor, different from the interface descriptor's value: 65 [ 1680.573023][ T5948] usb 6-1: config 1 interface 0 has no altsetting 0 [ 1680.618592][ T5948] usb 6-1: New USB device found, idVendor=0525, idProduct=a4a8, bcdDevice= 0.40 [ 1680.644021][ T5948] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1680.673408][ T5948] usb 6-1: Product: syz [ 1680.691714][ T5948] usb 6-1: Manufacturer: syz [ 1680.702003][ T5948] usb 6-1: SerialNumber: syz [ 1680.953681][ T5948] usb 6-1: USB disconnect, device number 37 [ 1681.313404][T14653] usb 5-1: new high-speed USB device number 114 using dummy_hcd [ 1681.463138][T14653] usb 5-1: Using ep0 maxpacket: 8 [ 1681.476120][T14653] usb 5-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 1681.493541][T14653] usb 5-1: config 0 has no interfaces? [ 1681.503577][T14653] usb 5-1: New USB device found, idVendor=04e2, idProduct=1414, bcdDevice=c5.b9 [ 1681.518282][T14653] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1681.526434][T14653] usb 5-1: Product: syz [ 1681.530626][T14653] usb 5-1: Manufacturer: syz [ 1681.548403][T14653] usb 5-1: SerialNumber: syz [ 1681.562553][T23257] netlink: 8 bytes leftover after parsing attributes in process `syz.2.5132'. [ 1681.578874][T14653] usb 5-1: config 0 descriptor?? [ 1681.804270][T23250] netlink: 'syz.4.5129': attribute type 12 has an invalid length. [ 1681.823151][ T5948] usb 3-1: new full-speed USB device number 78 using dummy_hcd [ 1682.365839][T23261] overlayfs: "xino=on" is useless with all layers on same fs, ignore. 
[ 1682.454274][ T5964] usb 5-1: USB disconnect, device number 114 [ 1682.560325][ T30] audit: type=1326 audit(1750516105.538:561): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=23264 comm="syz.3.5133" exe="/root/syz-executor" sig=0 arch=c000003e syscall=39 compat=0 ip=0x7f634b5858e7 code=0x7ffc0000 [ 1682.631382][ T5948] usb 3-1: device descriptor read/all, error -71 [ 1682.642650][ T30] audit: type=1326 audit(1750516105.568:562): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=23264 comm="syz.3.5133" exe="/root/syz-executor" sig=0 arch=c000003e syscall=15 compat=0 ip=0x7f634b52ab19 code=0x7ffc0000 [ 1682.693041][ T30] audit: type=1326 audit(1750516105.568:563): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=23264 comm="syz.3.5133" exe="/root/syz-executor" sig=0 arch=c000003e syscall=39 compat=0 ip=0x7f634b5858e7 code=0x7ffc0000 [ 1682.735422][ T30] audit: type=1326 audit(1750516105.568:564): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=23264 comm="syz.3.5133" exe="/root/syz-executor" sig=0 arch=c000003e syscall=15 compat=0 ip=0x7f634b52ab19 code=0x7ffc0000 [ 1682.761363][T23268] FAULT_INJECTION: forcing a failure. [ 1682.761363][T23268] name failslab, interval 1, probability 0, space 0, times 0 [ 1682.774854][T23268] CPU: 0 UID: 0 PID: 23268 Comm: syz.1.5134 Not tainted 6.16.0-rc2-syzkaller-00269-g11313e2f7812 #0 PREEMPT(full) [ 1682.774879][T23268] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 1682.774890][T23268] Call Trace: [ 1682.774898][T23268] [ 1682.774907][T23268] dump_stack_lvl+0x189/0x250 [ 1682.774936][T23268] ? __pfx____ratelimit+0x10/0x10 [ 1682.774961][T23268] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1682.774992][T23268] ? __pfx__printk+0x10/0x10 [ 1682.775017][T23268] ? __pfx___might_resched+0x10/0x10 [ 1682.775046][T23268] should_fail_ex+0x414/0x560 [ 1682.775072][T23268] ? 
alloc_netdev_mqs+0xa8b/0x11e0 [ 1682.775094][T23268] should_failslab+0xa8/0x100 [ 1682.775118][T23268] __kvmalloc_node_noprof+0x161/0x5f0 [ 1682.775140][T23268] ? alloc_netdev_mqs+0xa8b/0x11e0 [ 1682.775168][T23268] alloc_netdev_mqs+0xa8b/0x11e0 [ 1682.775199][T23268] ppp_ioctl+0x634/0x19a0 [ 1682.775221][T23268] ? __pfx_smack_file_ioctl+0x10/0x10 [ 1682.775246][T23268] ? __pfx_ppp_ioctl+0x10/0x10 [ 1682.775272][T23268] ? __fget_files+0x2a/0x420 [ 1682.775293][T23268] ? __fget_files+0x3a0/0x420 [ 1682.775313][T23268] ? __fget_files+0x2a/0x420 [ 1682.775338][T23268] ? bpf_lsm_file_ioctl+0x9/0x20 [ 1682.775361][T23268] ? __pfx_ppp_ioctl+0x10/0x10 [ 1682.775382][T23268] __se_sys_ioctl+0xfc/0x170 [ 1682.775403][T23268] do_syscall_64+0xfa/0x3b0 [ 1682.775418][T23268] ? lockdep_hardirqs_on+0x9c/0x150 [ 1682.775442][T23268] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1682.775460][T23268] ? clear_bhb_loop+0x60/0xb0 [ 1682.775481][T23268] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1682.775499][T23268] RIP: 0033:0x7f097078e929 [ 1682.775515][T23268] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 1682.775530][T23268] RSP: 002b:00007f097165c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 1682.775549][T23268] RAX: ffffffffffffffda RBX: 00007f09709b5fa0 RCX: 00007f097078e929 [ 1682.775562][T23268] RDX: 0000200000000140 RSI: 00000000c004743e RDI: 0000000000000004 [ 1682.775573][T23268] RBP: 00007f097165c090 R08: 0000000000000000 R09: 0000000000000000 [ 1682.775583][T23268] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 1682.775594][T23268] R13: 0000000000000000 R14: 00007f09709b5fa0 R15: 00007ffc5b92ad08 [ 1682.775622][T23268] [ 1683.004917][ T30] audit: type=1326 audit(1750516105.568:565): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=23264 comm="syz.3.5133" exe="/root/syz-executor" sig=0 
arch=c000003e syscall=39 compat=0 ip=0x7f634b5858e7 code=0x7ffc0000 [ 1683.026674][ T30] audit: type=1326 audit(1750516105.568:566): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=23264 comm="syz.3.5133" exe="/root/syz-executor" sig=0 arch=c000003e syscall=15 compat=0 ip=0x7f634b52ab19 code=0x7ffc0000 [ 1683.049317][ T30] audit: type=1326 audit(1750516105.568:567): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=23264 comm="syz.3.5133" exe="/root/syz-executor" sig=0 arch=c000003e syscall=39 compat=0 ip=0x7f634b5858e7 code=0x7ffc0000 [ 1683.087677][ T30] audit: type=1326 audit(1750516105.568:568): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=23264 comm="syz.3.5133" exe="/root/syz-executor" sig=0 arch=c000003e syscall=15 compat=0 ip=0x7f634b52ab19 code=0x7ffc0000 [ 1683.109503][ T30] audit: type=1326 audit(1750516105.568:569): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=23264 comm="syz.3.5133" exe="/root/syz-executor" sig=0 arch=c000003e syscall=39 compat=0 ip=0x7f634b5858e7 code=0x7ffc0000 [ 1683.396826][T23278] Bluetooth: hci0: Opcode 0x0c03 failed: -112 [ 1683.403486][ T24] usb 2-1: new high-speed USB device number 78 using dummy_hcd [ 1683.518158][T23287] netlink: 8 bytes leftover after parsing attributes in process `syz.5.5141'. [ 1683.563475][ T24] usb 2-1: Using ep0 maxpacket: 32 [ 1683.570411][ T24] usb 2-1: config 0 has an invalid interface number: 184 but max is 0 [ 1683.585544][ T24] usb 2-1: config 0 has no interface number 0 [ 1683.599583][ T24] usb 2-1: config 0 interface 184 has no altsetting 0 [ 1683.625656][ T24] usb 2-1: New USB device found, idVendor=0424, idProduct=7500, bcdDevice=69.ee [ 1683.643913][ T24] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1683.651986][ T24] usb 2-1: Product: syz [ 1683.656874][ T24] usb 2-1: Manufacturer: syz [ 1683.676492][ T24] usb 2-1: SerialNumber: syz [ 1683.693135][ T24] usb 2-1: config 0 descriptor?? 
[ 1683.700818][ T24] smsc75xx v1.0.0 [ 1683.782958][ T5949] usb 6-1: new full-speed USB device number 38 using dummy_hcd [ 1683.900582][T23270] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 1683.923623][T23270] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 1684.043023][ T5948] usb 3-1: new high-speed USB device number 80 using dummy_hcd [ 1684.205619][ T5948] usb 3-1: config 1 has an invalid descriptor of length 255, skipping remainder of the config [ 1684.223810][ T5948] usb 3-1: config 1 has 1 interface, different from the descriptor's value: 3 [ 1684.242638][ T5948] usb 3-1: New USB device found, idVendor=08b7, idProduct=0000, bcdDevice= 0.00 [ 1684.260462][ T5948] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=3 [ 1684.268921][ T5948] usb 3-1: SerialNumber: syz [ 1684.294935][ T5949] usb 6-1: unable to get BOS descriptor or descriptor too short [ 1684.304417][ T5949] usb 6-1: not running at top speed; connect to a high speed hub [ 1684.320866][ T5949] usb 6-1: too many endpoints for config 1 interface 0 altsetting 3: 65, using maximum allowed: 30 [ 1684.332704][ T5949] usb 6-1: config 1 interface 0 altsetting 3 has 1 endpoint descriptor, different from the interface descriptor's value: 65 [ 1684.346491][ T24] smsc75xx 2-1:0.184 (unnamed net_device) (uninitialized): Failed to read reg index 0x00000040: -32 [ 1684.512728][ T5949] usb 6-1: config 1 interface 0 has no altsetting 0 [ 1684.524143][ T24] smsc75xx 2-1:0.184 (unnamed net_device) (uninitialized): Error reading E2P_CMD [ 1684.538975][ T5949] usb 6-1: New USB device found, idVendor=0525, idProduct=a4a8, bcdDevice= 0.40 [ 1684.552986][ T5949] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1684.556281][ T5948] usb 3-1: 0:2 : does not exist [ 1684.561170][ T5949] usb 6-1: Product: syz [ 1684.592960][ T5949] usb 6-1: Manufacturer: syz [ 1684.597604][ T5949] usb 6-1: SerialNumber: syz [ 1684.618395][ T5948] usb 3-1: unit 255 not 
found! [ 1684.654581][ T5948] usb 3-1: USB disconnect, device number 80 [ 1684.694804][T23304] netlink: 'syz.4.5147': attribute type 18 has an invalid length. [ 1684.840922][ T24] smsc75xx 2-1:0.184 (unnamed net_device) (uninitialized): Failed to read reg index 0x00000014: -71 [ 1684.853736][ T24] smsc75xx 2-1:0.184 (unnamed net_device) (uninitialized): Failed to read PMT_CTL: -71 [ 1684.863728][ T24] smsc75xx 2-1:0.184 (unnamed net_device) (uninitialized): device not ready in smsc75xx_reset [ 1684.878797][ T5949] usb 6-1: USB disconnect, device number 38 [ 1684.884776][ T24] smsc75xx 2-1:0.184 (unnamed net_device) (uninitialized): smsc75xx_reset error -71 [ 1684.900525][ T24] smsc75xx 2-1:0.184: probe with driver smsc75xx failed with error -71 [ 1685.319031][ T24] usb 2-1: USB disconnect, device number 78 [ 1685.512836][T15307] Bluetooth: hci0: Opcode 0x0c1a failed: -110 [ 1685.650994][T23322] netlink: 'syz.3.5150': attribute type 4 has an invalid length. [ 1685.658876][T23322] netlink: 17 bytes leftover after parsing attributes in process `syz.3.5150'. [ 1685.903020][ T24] usb 2-1: new high-speed USB device number 79 using dummy_hcd [ 1686.312747][ T24] usb 2-1: Using ep0 maxpacket: 8 [ 1686.333770][ T24] usb 2-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 1686.349524][ T24] usb 2-1: config 0 has no interfaces? [ 1686.376772][ T24] usb 2-1: New USB device found, idVendor=04e2, idProduct=1414, bcdDevice=c5.b9 [ 1686.396112][ T24] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1686.413025][T23329] autofs: Bad value for 'fd' [ 1686.442638][ T24] usb 2-1: Product: syz [ 1686.447206][ T24] usb 2-1: Manufacturer: syz [ 1686.452868][T23329] overlayfs: failed to clone upperpath [ 1686.474627][ T24] usb 2-1: SerialNumber: syz [ 1686.522268][ T24] usb 2-1: config 0 descriptor?? [ 1686.760002][T23313] netlink: 'syz.1.5149': attribute type 12 has an invalid length. 
[ 1686.778874][T21071] usb 2-1: USB disconnect, device number 79 [ 1686.797549][T23341] netlink: 22 bytes leftover after parsing attributes in process `syz.4.5157'. [ 1686.941125][T23347] netlink: 8 bytes leftover after parsing attributes in process `syz.3.5161'. [ 1688.759510][T23374] netlink: 8 bytes leftover after parsing attributes in process `syz.1.5167'. [ 1688.846625][T23383] usb usb8: usbfs: process 23383 (syz.4.5172) did not claim interface 0 before use [ 1688.925175][T23387] netlink: 8 bytes leftover after parsing attributes in process `syz.4.5174'. [ 1688.962480][ T24] usb 6-1: new high-speed USB device number 39 using dummy_hcd [ 1689.433077][ T24] usb 6-1: Using ep0 maxpacket: 16 [ 1689.441426][ T24] usb 6-1: config 0 has no interfaces? [ 1689.451322][ T24] usb 6-1: New USB device found, idVendor=1d6b, idProduct=0101, bcdDevice= 0.40 [ 1689.460782][ T24] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1689.470182][ T24] usb 6-1: Product: syz [ 1689.476492][ T24] usb 6-1: Manufacturer: syz [ 1689.477853][T23391] FAULT_INJECTION: forcing a failure. [ 1689.477853][T23391] name failslab, interval 1, probability 0, space 0, times 0 [ 1689.481563][ T24] usb 6-1: SerialNumber: syz [ 1689.506783][ T24] usb 6-1: config 0 descriptor?? [ 1689.507683][T23391] CPU: 0 UID: 0 PID: 23391 Comm: syz.1.5175 Not tainted 6.16.0-rc2-syzkaller-00269-g11313e2f7812 #0 PREEMPT(full) [ 1689.507706][T23391] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 1689.507716][T23391] Call Trace: [ 1689.507725][T23391] [ 1689.507733][T23391] dump_stack_lvl+0x189/0x250 [ 1689.507762][T23391] ? __pfx____ratelimit+0x10/0x10 [ 1689.507787][T23391] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1689.507810][T23391] ? __pfx__printk+0x10/0x10 [ 1689.507834][T23391] ? __pfx___might_resched+0x10/0x10 [ 1689.507854][T23391] ? 
fs_reclaim_acquire+0x7d/0x100 [ 1689.507883][T23391] should_fail_ex+0x414/0x560 [ 1689.507909][T23391] should_failslab+0xa8/0x100 [ 1689.507932][T23391] kmem_cache_alloc_noprof+0x73/0x3c0 [ 1689.507951][T23391] ? security_inode_alloc+0x39/0x330 [ 1689.507972][T23391] security_inode_alloc+0x39/0x330 [ 1689.507991][T23391] inode_init_always_gfp+0x9ed/0xdc0 [ 1689.508019][T23391] ? __pfx_sock_alloc_inode+0x10/0x10 [ 1689.508041][T23391] alloc_inode+0x82/0x1b0 [ 1689.508062][T23391] __sock_create+0x12d/0x9f0 [ 1689.508096][T23391] udp_sock_create4+0xbe/0x4b0 [ 1689.508125][T23391] ? __pfx_udp_sock_create4+0x10/0x10 [ 1689.508153][T23391] ? __pfx___nla_validate_parse+0x10/0x10 [ 1689.508184][T23391] fou_nl_add_doit+0x16c/0x690 [ 1689.508205][T23391] ? __pfx_fou_nl_add_doit+0x10/0x10 [ 1689.508244][T23391] ? genl_family_rcv_msg_attrs_parse+0x1c9/0x2a0 [ 1689.508277][T23391] genl_family_rcv_msg_doit+0x212/0x300 [ 1689.508307][T23391] ? __pfx_genl_family_rcv_msg_doit+0x10/0x10 [ 1689.508349][T23391] ? bpf_lsm_capable+0x9/0x20 [ 1689.508371][T23391] ? security_capable+0x7e/0x2e0 [ 1689.508402][T23391] genl_rcv_msg+0x60e/0x790 [ 1689.508431][T23391] ? __pfx_genl_rcv_msg+0x10/0x10 [ 1689.508450][T23391] ? ref_tracker_free+0x63a/0x7d0 [ 1689.508470][T23391] ? __pfx_fou_nl_add_doit+0x10/0x10 [ 1689.508490][T23391] ? __pfx_ref_tracker_free+0x10/0x10 [ 1689.508522][T23391] netlink_rcv_skb+0x205/0x470 [ 1689.508542][T23391] ? __pfx_genl_rcv_msg+0x10/0x10 [ 1689.508565][T23391] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 1689.508602][T23391] ? down_read+0x1ad/0x2e0 [ 1689.508622][T23391] genl_rcv+0x28/0x40 [ 1689.508642][T23391] netlink_unicast+0x758/0x8d0 [ 1689.508671][T23391] netlink_sendmsg+0x805/0xb30 [ 1689.508700][T23391] ? __pfx_netlink_sendmsg+0x10/0x10 [ 1689.508728][T23391] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 1689.508747][T23391] ? 
__pfx_netlink_sendmsg+0x10/0x10 [ 1689.508766][T23391] __sock_sendmsg+0x219/0x270 [ 1689.508793][T23391] ____sys_sendmsg+0x505/0x830 [ 1689.508819][T23391] ? __pfx_____sys_sendmsg+0x10/0x10 [ 1689.508848][T23391] ? import_iovec+0x74/0xa0 [ 1689.508869][T23391] ___sys_sendmsg+0x21f/0x2a0 [ 1689.508892][T23391] ? __pfx____sys_sendmsg+0x10/0x10 [ 1689.508950][T23391] ? __fget_files+0x2a/0x420 [ 1689.508970][T23391] ? __fget_files+0x3a0/0x420 [ 1689.509002][T23391] __x64_sys_sendmsg+0x19b/0x260 [ 1689.509026][T23391] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 1689.509056][T23391] ? __pfx_ksys_write+0x10/0x10 [ 1689.509072][T23391] ? rcu_is_watching+0x15/0xb0 [ 1689.509100][T23391] ? do_syscall_64+0xbe/0x3b0 [ 1689.509120][T23391] do_syscall_64+0xfa/0x3b0 [ 1689.509133][T23391] ? lockdep_hardirqs_on+0x9c/0x150 [ 1689.509155][T23391] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1689.509172][T23391] ? clear_bhb_loop+0x60/0xb0 [ 1689.509192][T23391] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1689.509209][T23391] RIP: 0033:0x7f097078e929 [ 1689.509226][T23391] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 1689.509239][T23391] RSP: 002b:00007f097165c038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 1689.509258][T23391] RAX: ffffffffffffffda RBX: 00007f09709b5fa0 RCX: 00007f097078e929 [ 1689.509271][T23391] RDX: 0000000000000000 RSI: 0000200000000280 RDI: 0000000000000003 [ 1689.509282][T23391] RBP: 00007f097165c090 R08: 0000000000000000 R09: 0000000000000000 [ 1689.509293][T23391] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 1689.509304][T23391] R13: 0000000000000000 R14: 00007f09709b5fa0 R15: 00007ffc5b92ad08 [ 1689.509337][T23391] [ 1689.509391][T23391] socket: no more sockets [ 1689.552552][T21071] usb 5-1: new full-speed USB device number 115 using dummy_hcd [ 1689.743950][T23394] netlink: 16 bytes 
leftover after parsing attributes in process `syz.1.5176'. [ 1689.868201][T23396] kvm_intel: set kvm_intel.dump_invalid_vmcs=1 to dump internal KVM state. [ 1689.884832][T23395] netlink: 16 bytes leftover after parsing attributes in process `syz.1.5176'. [ 1689.900927][ T5949] usb 6-1: USB disconnect, device number 39 [ 1690.043417][T21071] usb 5-1: unable to get BOS descriptor or descriptor too short [ 1690.054396][T21071] usb 5-1: not running at top speed; connect to a high speed hub [ 1690.071821][T21071] usb 5-1: too many endpoints for config 1 interface 0 altsetting 3: 65, using maximum allowed: 30 [ 1690.120324][T21071] usb 5-1: config 1 interface 0 altsetting 3 has 1 endpoint descriptor, different from the interface descriptor's value: 65 [ 1690.161786][T21071] usb 5-1: config 1 interface 0 has no altsetting 0 [ 1690.303016][T21071] usb 5-1: New USB device found, idVendor=0525, idProduct=a4a8, bcdDevice= 0.40 [ 1690.377463][T21071] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1690.433685][T21071] usb 5-1: Product: syz [ 1690.468316][T21071] usb 5-1: Manufacturer: syz [ 1690.475279][T21071] usb 5-1: SerialNumber: syz [ 1690.854293][T21071] usb 5-1: USB disconnect, device number 115 [ 1690.912104][T23414] netlink: 8 bytes leftover after parsing attributes in process `syz.2.5182'. [ 1691.023881][T23419] FAULT_INJECTION: forcing a failure. [ 1691.023881][T23419] name fail_usercopy, interval 1, probability 0, space 0, times 0 [ 1691.079548][T23419] CPU: 0 UID: 0 PID: 23419 Comm: syz.1.5183 Not tainted 6.16.0-rc2-syzkaller-00269-g11313e2f7812 #0 PREEMPT(full) [ 1691.079578][T23419] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 1691.079590][T23419] Call Trace: [ 1691.079598][T23419] [ 1691.079606][T23419] dump_stack_lvl+0x189/0x250 [ 1691.079635][T23419] ? __pfx____ratelimit+0x10/0x10 [ 1691.079666][T23419] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1691.079689][T23419] ? 
__pfx__printk+0x10/0x10 [ 1691.079720][T23419] should_fail_ex+0x414/0x560 [ 1691.079748][T23419] _copy_from_user+0x2d/0xb0 [ 1691.079766][T23419] __copy_msghdr+0x3c5/0x5b0 [ 1691.079795][T23419] ___sys_sendmsg+0x1a5/0x2a0 [ 1691.079822][T23419] ? __pfx____sys_sendmsg+0x10/0x10 [ 1691.079886][T23419] ? __fget_files+0x2a/0x420 [ 1691.079912][T23419] ? __fget_files+0x3a0/0x420 [ 1691.079948][T23419] __sys_sendmmsg+0x227/0x430 [ 1691.079975][T23419] ? __pfx___sys_sendmmsg+0x10/0x10 [ 1691.079993][T23419] ? __mutex_unlock_slowpath+0x1cd/0x700 [ 1691.080044][T23419] ? ksys_write+0x22a/0x250 [ 1691.080074][T23419] ? __pfx_ksys_write+0x10/0x10 [ 1691.080091][T23419] ? rcu_is_watching+0x15/0xb0 [ 1691.080122][T23419] __x64_sys_sendmmsg+0xa0/0xc0 [ 1691.080145][T23419] do_syscall_64+0xfa/0x3b0 [ 1691.080159][T23419] ? lockdep_hardirqs_on+0x9c/0x150 [ 1691.080182][T23419] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1691.080204][T23419] ? clear_bhb_loop+0x60/0xb0 [ 1691.080225][T23419] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1691.080242][T23419] RIP: 0033:0x7f097078e929 [ 1691.080257][T23419] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 1691.080272][T23419] RSP: 002b:00007f097165c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 1691.080291][T23419] RAX: ffffffffffffffda RBX: 00007f09709b5fa0 RCX: 00007f097078e929 [ 1691.080304][T23419] RDX: 0000000000000001 RSI: 00002000000027c0 RDI: 0000000000000003 [ 1691.080316][T23419] RBP: 00007f097165c090 R08: 0000000000000000 R09: 0000000000000000 [ 1691.080331][T23419] R10: 0000000000000800 R11: 0000000000000246 R12: 0000000000000001 [ 1691.080342][T23419] R13: 0000000000000000 R14: 00007f09709b5fa0 R15: 00007ffc5b92ad08 [ 1691.080372][T23419] [ 1691.298914][ C0] vkms_vblank_simulate: vblank timer overrun [ 1692.437124][ C1] vcan0: j1939_tp_rxtimer: 0xffff8880583fa000: rx 
timeout, send abort [ 1692.452264][ C1] vcan0: j1939_xtp_rx_abort_one: 0xffff8880583fa000: 0x20100: (3) A timeout occurred and this is the connection abort to close the session. [ 1693.221531][ T9] usb 2-1: new high-speed USB device number 80 using dummy_hcd [ 1693.655315][T23451] netlink: 8 bytes leftover after parsing attributes in process `syz.3.5195'. [ 1693.797889][ T9] usb 2-1: Using ep0 maxpacket: 16 [ 1693.814956][ T9] usb 2-1: config 0 interface 0 altsetting 0 endpoint 0x3 has invalid wMaxPacketSize 0 [ 1693.852867][ T9] usb 2-1: New USB device found, idVendor=0b57, idProduct=2bbd, bcdDevice=e7.cc [ 1693.870537][ T9] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1693.888946][ T9] usb 2-1: Product: syz [ 1693.893333][ T5964] usb 3-1: new full-speed USB device number 81 using dummy_hcd [ 1693.902240][ T9] usb 2-1: Manufacturer: syz [ 1693.912104][ T9] usb 2-1: SerialNumber: syz [ 1693.928802][ T9] usb 2-1: config 0 descriptor?? [ 1693.941449][ T9] usbhid 2-1:0.0: couldn't find an input interrupt endpoint [ 1694.066620][ T5964] usb 3-1: config 0 has an invalid interface number: 37 but max is 1 [ 1694.075276][ T5964] usb 3-1: config 0 has no interface number 1 [ 1694.094236][ T5964] usb 3-1: New USB device found, idVendor=03f0, idProduct=581d, bcdDevice=20.a3 [ 1694.112001][ T5964] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1694.856809][ T5949] usb 2-1: USB disconnect, device number 80 [ 1694.904772][T23456] netlink: 10 bytes leftover after parsing attributes in process `syz.4.5197'. [ 1694.912802][ T5964] usb 3-1: Product: syz [ 1694.917922][ T5964] usb 3-1: Manufacturer: syz [ 1694.927085][ T5964] usb 3-1: SerialNumber: syz [ 1694.934744][ T5964] usb 3-1: config 0 descriptor?? [ 1694.993301][T22892] Bluetooth: hci3: unexpected event for opcode 0x1005 [ 1695.048980][T23465] netlink: 212376 bytes leftover after parsing attributes in process `syz.3.5201'. 
[ 1695.143078][T23449] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 1695.152074][T23449] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 1695.161590][ T5949] usb 3-1: USB disconnect, device number 81 [ 1697.040358][T23488] syz.1.5207: attempt to access beyond end of device [ 1697.040358][T23488] md0: rw=2048, sector=0, nr_sectors = 8 limit=0 [ 1701.419988][T23540] syz.4.5222: attempt to access beyond end of device [ 1701.419988][T23540] md0: rw=2048, sector=0, nr_sectors = 8 limit=0 [ 1702.512176][ T9] usb 3-1: new high-speed USB device number 82 using dummy_hcd [ 1702.681761][ T9] usb 3-1: Using ep0 maxpacket: 8 [ 1702.727954][ T9] usb 3-1: unable to get BOS descriptor or descriptor too short [ 1702.756586][ T9] usb 3-1: config 4 interface 0 has no altsetting 0 [ 1702.858977][ T9] usb 3-1: string descriptor 0 read error: -22 [ 1702.873512][ T9] usb 3-1: New USB device found, idVendor=058f, idProduct=6610, bcdDevice=48.05 [ 1702.887342][ T9] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1702.905078][ T9] usb 3-1: dvb_usb_v2: found a 'Sigmatek DVB-110' in warm state [ 1702.930181][ T9] usb 3-1: dvb_usb_v2: will pass the complete MPEG2 transport stream to the software demuxer [ 1702.948154][ T9] dvbdev: DVB: registering new adapter (Sigmatek DVB-110) [ 1702.955379][ T9] usb 3-1: media controller created [ 1703.001296][ T5949] usb 2-1: new high-speed USB device number 81 using dummy_hcd [ 1703.093806][ T9] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered. 
[ 1703.141455][ T9] zl10353_read_register: readreg error (reg=127, ret==0) [ 1703.166115][ T5949] usb 2-1: Using ep0 maxpacket: 32 [ 1703.183484][ T5949] usb 2-1: config 1 has an invalid interface number: 237 but max is 1 [ 1703.196619][ T9] usb 3-1: USB disconnect, device number 82 [ 1703.200633][ T5949] usb 2-1: config 1 has an invalid interface number: 129 but max is 1 [ 1703.211554][ T5949] usb 2-1: config 1 has an invalid descriptor of length 36, skipping remainder of the config [ 1703.223089][ T5949] usb 2-1: config 1 has no interface number 0 [ 1703.244449][ T5949] usb 2-1: config 1 has no interface number 1 [ 1703.250576][ T5949] usb 2-1: config 1 interface 237 has no altsetting 0 [ 1703.271209][ T5949] usb 2-1: config 1 interface 129 has no altsetting 0 [ 1703.281867][ T5949] usb 2-1: New USB device found, idVendor=0bfd, idProduct=000f, bcdDevice=99.7c [ 1703.307947][ T5949] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1703.323644][ T5949] usb 2-1: Product: syz [ 1703.328089][ T5949] usb 2-1: Manufacturer: syz [ 1703.335820][ T5949] usb 2-1: SerialNumber: syz [ 1703.505234][T21071] usb 6-1: new low-speed USB device number 40 using dummy_hcd [ 1703.567410][T23574] netlink: 'syz.4.5233': attribute type 4 has an invalid length. [ 1703.575433][T23574] netlink: 17 bytes leftover after parsing attributes in process `syz.4.5233'. [ 1703.674484][T21071] usb 6-1: New USB device found, idVendor=1557, idProduct=7720, bcdDevice=b7.eb [ 1703.684992][T21071] usb 6-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 1703.697344][T21071] usb 6-1: config 0 descriptor?? [ 1703.715653][T23576] netlink: 'syz.2.5234': attribute type 1 has an invalid length. [ 1703.761803][T23576] 8021q: adding VLAN 0 to HW filter on device bond1 [ 1703.956755][T23576] netlink: 'syz.2.5234': attribute type 2 has an invalid length. 
[ 1704.000312][T23578] vlan2: entered allmulticast mode [ 1704.016609][T23578] netdevsim netdevsim2 netdevsim0: entered allmulticast mode [ 1704.045891][T23578] bond1: (slave vlan2): making interface the new active one [ 1704.065217][T23578] bond1: (slave vlan2): Enslaving as an active interface with an up link [ 1704.670795][ T5949] kvaser_usb 2-1:1.237: error -ENODEV: Cannot get usb endpoint(s) [ 1704.742123][ T5949] kvaser_usb 2-1:1.129: error -ENODEV: Cannot get usb endpoint(s) [ 1705.657559][ T5949] usb 2-1: USB disconnect, device number 81 [ 1705.776938][ T30] kauditd_printk_skb: 61 callbacks suppressed [ 1705.776956][ T30] audit: type=1326 audit(1750516128.760:631): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=23586 comm="syz.2.5237" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f3f9ad8e929 code=0x7ffc0000 [ 1705.867698][ T30] audit: type=1326 audit(1750516128.800:632): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=23586 comm="syz.2.5237" exe="/root/syz-executor" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f3f9ad8e929 code=0x7ffc0000 [ 1705.894911][T23592] openvswitch: netlink: Flow actions attr not present in new flow. [ 1706.222255][T23598] netlink: 'syz.2.5240': attribute type 1 has an invalid length. [ 1706.951013][T23598] 8021q: adding VLAN 0 to HW filter on device bond2 [ 1707.376667][T23616] netlink: 'syz.1.5246': attribute type 4 has an invalid length. [ 1707.380241][T23620] autofs: Unknown parameter '0x0000000000000000' [ 1707.387747][T23616] netlink: 17 bytes leftover after parsing attributes in process `syz.1.5246'. [ 1707.486954][T23624] netlink: 28 bytes leftover after parsing attributes in process `syz.3.5249'. 
[ 1708.304756][T23632] binder: 23631:23632 ioctl 4018620d 0 returned -22 [ 1708.380781][T21071] asix 6-1:0.0 (unnamed net_device) (uninitialized): Failed to write reg index 0x0000: -71 [ 1708.444571][T21071] asix 6-1:0.0 (unnamed net_device) (uninitialized): Failed to send software reset: ffffffb9 [ 1709.162053][T23643] syz.5.5253: attempt to access beyond end of device [ 1709.162053][T23643] md0: rw=2048, sector=0, nr_sectors = 8 limit=0 [ 1709.173285][T21071] asix 6-1:0.0: probe with driver asix failed with error -71 [ 1709.214288][T21071] usb 6-1: USB disconnect, device number 40 [ 1710.687501][ C1] vcan0: j1939_tp_rxtimer: 0xffff88805a0dc400: rx timeout, send abort [ 1710.700507][ C1] vcan0: j1939_xtp_rx_abort_one: 0xffff88805a0dc400: 0x20100: (3) A timeout occurred and this is the connection abort to close the session. [ 1710.980960][T23663] FAULT_INJECTION: forcing a failure. [ 1710.980960][T23663] name fail_usercopy, interval 1, probability 0, space 0, times 0 [ 1711.051694][T23663] CPU: 0 UID: 0 PID: 23663 Comm: syz.5.5259 Not tainted 6.16.0-rc2-syzkaller-00269-g11313e2f7812 #0 PREEMPT(full) [ 1711.051723][T23663] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 1711.051735][T23663] Call Trace: [ 1711.051743][T23663] [ 1711.051751][T23663] dump_stack_lvl+0x189/0x250 [ 1711.051785][T23663] ? __pfx____ratelimit+0x10/0x10 [ 1711.051810][T23663] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1711.051831][T23663] ? __pfx__printk+0x10/0x10 [ 1711.051849][T23663] ? __might_fault+0xb0/0x130 [ 1711.051880][T23663] should_fail_ex+0x414/0x560 [ 1711.051907][T23663] _copy_from_user+0x2d/0xb0 [ 1711.051925][T23663] snd_seq_oss_write+0x515/0x930 [ 1711.051966][T23663] ? __pfx_snd_seq_oss_write+0x10/0x10 [ 1711.051999][T23663] ? security_file_permission+0x75/0x290 [ 1711.052024][T23663] odev_write+0x5a/0x80 [ 1711.052048][T23663] vfs_writev+0x4b3/0x960 [ 1711.052073][T23663] ? __pfx_odev_write+0x10/0x10 [ 1711.052098][T23663] ? 
__pfx_vfs_writev+0x10/0x10 [ 1711.052135][T23663] ? __fget_files+0x2a/0x420 [ 1711.052162][T23663] ? __fget_files+0x3a0/0x420 [ 1711.052182][T23663] ? __fget_files+0x2a/0x420 [ 1711.052213][T23663] __x64_sys_pwritev+0x197/0x2a0 [ 1711.052238][T23663] ? __pfx___x64_sys_pwritev+0x10/0x10 [ 1711.052257][T23663] ? rcu_is_watching+0x15/0xb0 [ 1711.052286][T23663] ? do_syscall_64+0xbe/0x3b0 [ 1711.052307][T23663] do_syscall_64+0xfa/0x3b0 [ 1711.052322][T23663] ? lockdep_hardirqs_on+0x9c/0x150 [ 1711.052343][T23663] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1711.052361][T23663] ? clear_bhb_loop+0x60/0xb0 [ 1711.052383][T23663] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1711.052400][T23663] RIP: 0033:0x7f3f82f8e929 [ 1711.052415][T23663] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 1711.052430][T23663] RSP: 002b:00007f3f80df6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000128 [ 1711.052449][T23663] RAX: ffffffffffffffda RBX: 00007f3f831b5fa0 RCX: 00007f3f82f8e929 [ 1711.052462][T23663] RDX: 0000000000000002 RSI: 0000200000000000 RDI: 0000000000000003 [ 1711.052474][T23663] RBP: 00007f3f80df6090 R08: 0000000000000005 R09: 0000000000000000 [ 1711.052485][T23663] R10: 0000000000001000 R11: 0000000000000246 R12: 0000000000000001 [ 1711.052496][T23663] R13: 0000000000000000 R14: 00007f3f831b5fa0 R15: 00007fff8b54b818 [ 1711.052526][T23663] [ 1712.798212][T23674] syz.5.5261: attempt to access beyond end of device [ 1712.798212][T23674] loop5: rw=4096, sector=2, nr_sectors = 2 limit=0 [ 1712.811446][T23674] EXT4-fs (loop5): unable to read superblock [ 1712.836410][T23686] openvswitch: netlink: VXLAN extension 0 has unexpected len 4 expected 0 [ 1713.397618][T21071] usb 3-1: new full-speed USB device number 83 using dummy_hcd [ 1713.571982][T21071] usb 3-1: config 0 has an invalid interface number: 133 but max is 0 [ 
1713.584987][T21071] usb 3-1: config 0 has no interface number 0 [ 1713.599463][T21071] usb 3-1: New USB device found, idVendor=06cd, idProduct=0121, bcdDevice=dd.3d [ 1713.639275][T21071] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1714.078149][T21071] usb 3-1: Product: syz [ 1714.089028][T21071] usb 3-1: Manufacturer: syz [ 1714.093974][T21071] usb 3-1: SerialNumber: syz [ 1714.103164][T21071] usb 3-1: config 0 descriptor?? [ 1714.514591][T23690] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 1714.560433][T23690] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 1715.144880][T23729] netlink: 44 bytes leftover after parsing attributes in process `syz.2.5275'. [ 1715.207317][T21071] keyspan 3-1:0.133: Keyspan 1 port adapter converter detected [ 1715.235309][T21071] keyspan 3-1:0.133: found no endpoint descriptor for endpoint 81 [ 1715.250565][T21071] keyspan 3-1:0.133: found no endpoint descriptor for endpoint 1 [ 1715.264529][T21071] keyspan 3-1:0.133: found no endpoint descriptor for endpoint 2 [ 1715.281678][T21071] usb 3-1: Keyspan 1 port adapter converter now attached to ttyUSB0 [ 1715.327189][T21071] usb 3-1: USB disconnect, device number 83 [ 1715.355725][T21071] keyspan_1 ttyUSB0: Keyspan 1 port adapter converter now disconnected from ttyUSB0 [ 1715.378093][T21071] keyspan 3-1:0.133: device disconnected [ 1716.256216][ T9] usb 5-1: new high-speed USB device number 116 using dummy_hcd [ 1716.311508][T23749] overlayfs: missing 'lowerdir' [ 1716.452221][ T9] usb 5-1: Using ep0 maxpacket: 32 [ 1716.481303][ T9] usb 5-1: config 0 has an invalid interface number: 19 but max is 0 [ 1716.535518][ T9] usb 5-1: config 0 has no interface number 0 [ 1716.573579][ T9] usb 5-1: config 0 interface 19 altsetting 0 has an invalid descriptor for endpoint zero, skipping [ 1716.640331][ T9] usb 5-1: config 0 interface 19 altsetting 0 bulk endpoint 0x5 has invalid maxpacket 16 [ 1716.677875][ T9] usb 5-1: config 0 
interface 19 altsetting 0 has an endpoint descriptor with address 0x91, changing to 0x81 [ 1716.720276][ T9] usb 5-1: config 0 interface 19 altsetting 0 endpoint 0x81 has invalid maxpacket 34106, setting to 1024 [ 1716.786301][ T9] usb 5-1: config 0 interface 19 altsetting 0 bulk endpoint 0x81 has invalid maxpacket 1024 [ 1716.801961][ C0] vcan0: j1939_tp_rxtimer: 0xffff888032d06400: rx timeout, send abort [ 1716.810529][ C0] vcan0: j1939_xtp_rx_abort_one: 0xffff888032d06400: 0x20100: (3) A timeout occurred and this is the connection abort to close the session. [ 1716.848882][ T9] usb 5-1: config 0 interface 19 altsetting 0 has 4 endpoint descriptors, different from the interface descriptor's value: 3 [ 1716.898898][ T9] usb 5-1: New USB device found, idVendor=04a4, idProduct=0014, bcdDevice=c9.57 [ 1716.917130][ T9] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1716.943693][ T9] usb 5-1: Product: syz [ 1716.955915][ T9] usb 5-1: Manufacturer: syz [ 1716.978217][ T9] usb 5-1: SerialNumber: syz [ 1717.026669][ T9] usb 5-1: config 0 descriptor?? [ 1717.050649][T23739] raw-gadget.0 gadget.4: fail, usb_ep_enable returned -22 [ 1717.071432][T23739] raw-gadget.0 gadget.4: fail, usb_ep_enable returned -22 [ 1717.109609][ T9] ipaq 5-1:0.19: PocketPC PDA converter detected [ 1717.192867][ T9] usb 5-1: active config #0 != 1 ?? [ 1717.418164][T22814] usb 5-1: USB disconnect, device number 116 [ 1720.166160][T23796] syz.2.5292: attempt to access beyond end of device [ 1720.166160][T23796] md0: rw=2048, sector=0, nr_sectors = 8 limit=0 [ 1720.268681][T23797] netlink: 8 bytes leftover after parsing attributes in process `syz.3.5293'. [ 1720.277874][T23797] netlink: 'syz.3.5293': attribute type 9 has an invalid length. [ 1720.375383][T23797] macvlan2: entered allmulticast mode [ 1720.380994][T23797] veth0_macvtap: entered allmulticast mode [ 1720.892890][T23799] netlink: 'syz.1.5288': attribute type 23 has an invalid length. 
[ 1721.342366][T23816] FAULT_INJECTION: forcing a failure. [ 1721.342366][T23816] name failslab, interval 1, probability 0, space 0, times 0 [ 1721.404904][T23816] CPU: 0 UID: 0 PID: 23816 Comm: syz.5.5297 Not tainted 6.16.0-rc2-syzkaller-00269-g11313e2f7812 #0 PREEMPT(full) [ 1721.404933][T23816] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 1721.404950][T23816] Call Trace: [ 1721.404958][T23816] [ 1721.404966][T23816] dump_stack_lvl+0x189/0x250 [ 1721.404995][T23816] ? __pfx____ratelimit+0x10/0x10 [ 1721.405020][T23816] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1721.405043][T23816] ? __pfx__printk+0x10/0x10 [ 1721.405067][T23816] ? __pfx___might_resched+0x10/0x10 [ 1721.405091][T23816] ? fs_reclaim_acquire+0x7d/0x100 [ 1721.405119][T23816] should_fail_ex+0x414/0x560 [ 1721.405146][T23816] should_failslab+0xa8/0x100 [ 1721.405170][T23816] __kmalloc_noprof+0xcb/0x4f0 [ 1721.405189][T23816] ? kfree+0x4d/0x440 [ 1721.405204][T23816] ? tomoyo_realpath_from_path+0xe3/0x5d0 [ 1721.405234][T23816] tomoyo_realpath_from_path+0xe3/0x5d0 [ 1721.405260][T23816] ? tomoyo_domain+0xda/0x130 [ 1721.405290][T23816] ? tomoyo_path_number_perm+0x1bc/0x5a0 [ 1721.405310][T23816] tomoyo_path_number_perm+0x1e8/0x5a0 [ 1721.405334][T23816] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 1721.405374][T23816] ? __lock_acquire+0xab9/0xd20 [ 1721.405417][T23816] ? __fget_files+0x2a/0x420 [ 1721.405442][T23816] ? __fget_files+0x2a/0x420 [ 1721.405460][T23816] ? __fget_files+0x3a0/0x420 [ 1721.405480][T23816] ? __fget_files+0x2a/0x420 [ 1721.405506][T23816] security_file_ioctl+0xcb/0x2d0 [ 1721.405531][T23816] __se_sys_ioctl+0x47/0x170 [ 1721.405554][T23816] do_syscall_64+0xfa/0x3b0 [ 1721.405569][T23816] ? lockdep_hardirqs_on+0x9c/0x150 [ 1721.405591][T23816] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1721.405608][T23816] ? 
clear_bhb_loop+0x60/0xb0 [ 1721.405629][T23816] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1721.405643][T23816] RIP: 0033:0x7f3f82f8e929 [ 1721.405658][T23816] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 1721.405671][T23816] RSP: 002b:00007f3f80dd5038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 1721.405688][T23816] RAX: ffffffffffffffda RBX: 00007f3f831b6080 RCX: 00007f3f82f8e929 [ 1721.405700][T23816] RDX: 0000200000001080 RSI: 00000000000089e1 RDI: 0000000000000005 [ 1721.405711][T23816] RBP: 00007f3f80dd5090 R08: 0000000000000000 R09: 0000000000000000 [ 1721.405720][T23816] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 1721.405730][T23816] R13: 0000000000000000 R14: 00007f3f831b6080 R15: 00007fff8b54b818 [ 1721.405759][T23816] [ 1721.405767][T23816] ERROR: Out of memory at tomoyo_realpath_from_path. [ 1722.212064][T22814] usb 6-1: new high-speed USB device number 41 using dummy_hcd [ 1722.228732][T23829] FAULT_INJECTION: forcing a failure. [ 1722.228732][T23829] name failslab, interval 1, probability 0, space 0, times 0 [ 1722.273964][T23829] CPU: 1 UID: 0 PID: 23829 Comm: syz.2.5302 Not tainted 6.16.0-rc2-syzkaller-00269-g11313e2f7812 #0 PREEMPT(full) [ 1722.273992][T23829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 1722.274004][T23829] Call Trace: [ 1722.274011][T23829] [ 1722.274020][T23829] dump_stack_lvl+0x189/0x250 [ 1722.274049][T23829] ? __pfx____ratelimit+0x10/0x10 [ 1722.274074][T23829] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1722.274098][T23829] ? __pfx__printk+0x10/0x10 [ 1722.274122][T23829] ? __pfx___might_resched+0x10/0x10 [ 1722.274150][T23829] should_fail_ex+0x414/0x560 [ 1722.274177][T23829] should_failslab+0xa8/0x100 [ 1722.274201][T23829] kmem_cache_alloc_node_noprof+0x76/0x3c0 [ 1722.274223][T23829] ? 
__alloc_skb+0x112/0x2d0 [ 1722.274246][T23829] __alloc_skb+0x112/0x2d0 [ 1722.274269][T23829] __ip6_append_data+0x2b8c/0x3de0 [ 1722.274307][T23829] ? __lock_acquire+0xab9/0xd20 [ 1722.274331][T23829] ? __pfx_raw6_getfrag+0x10/0x10 [ 1722.274378][T23829] ? ip6_mtu+0x7d/0x3f0 [ 1722.274402][T23829] ? __pfx___ip6_append_data+0x10/0x10 [ 1722.274422][T23829] ? __pfx_ip6_mtu+0x10/0x10 [ 1722.274452][T23829] ip6_append_data+0x1c4/0x380 [ 1722.274479][T23829] ? __pfx_raw6_getfrag+0x10/0x10 [ 1722.274505][T23829] rawv6_sendmsg+0x124b/0x17f0 [ 1722.274544][T23829] ? __pfx_rawv6_sendmsg+0x10/0x10 [ 1722.274564][T23829] ? __lock_acquire+0xab9/0xd20 [ 1722.274592][T23829] ? __pfx_smack_socket_sendmsg+0x10/0x10 [ 1722.274640][T23829] ? sock_rps_record_flow+0x19/0x410 [ 1722.274667][T23829] ? inet_sendmsg+0x2f4/0x370 [ 1722.274681][T23829] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 1722.274705][T23829] __sock_sendmsg+0x19c/0x270 [ 1722.274734][T23829] ____sys_sendmsg+0x505/0x830 [ 1722.274761][T23829] ? __pfx_____sys_sendmsg+0x10/0x10 [ 1722.274792][T23829] ? import_iovec+0x74/0xa0 [ 1722.274813][T23829] ___sys_sendmsg+0x21f/0x2a0 [ 1722.274836][T23829] ? __pfx____sys_sendmsg+0x10/0x10 [ 1722.274902][T23829] ? __fget_files+0x2a/0x420 [ 1722.274922][T23829] ? __fget_files+0x3a0/0x420 [ 1722.274956][T23829] __x64_sys_sendmsg+0x19b/0x260 [ 1722.274979][T23829] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 1722.275010][T23829] ? __pfx_ksys_write+0x10/0x10 [ 1722.275027][T23829] ? rcu_is_watching+0x15/0xb0 [ 1722.275057][T23829] ? do_syscall_64+0xbe/0x3b0 [ 1722.275076][T23829] do_syscall_64+0xfa/0x3b0 [ 1722.275091][T23829] ? lockdep_hardirqs_on+0x9c/0x150 [ 1722.275115][T23829] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1722.275133][T23829] ? 
clear_bhb_loop+0x60/0xb0 [ 1722.275155][T23829] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1722.275172][T23829] RIP: 0033:0x7f3f9ad8e929 [ 1722.275190][T23829] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 1722.275205][T23829] RSP: 002b:00007f3f9bbcb038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 1722.275225][T23829] RAX: ffffffffffffffda RBX: 00007f3f9afb6080 RCX: 00007f3f9ad8e929 [ 1722.275238][T23829] RDX: 0000000000044004 RSI: 00002000000000c0 RDI: 000000000000000c [ 1722.275250][T23829] RBP: 00007f3f9bbcb090 R08: 0000000000000000 R09: 0000000000000000 [ 1722.275262][T23829] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 1722.275273][T23829] R13: 0000000000000001 R14: 00007f3f9afb6080 R15: 00007ffdf50b8f88 [ 1722.275302][T23829] [ 1722.594658][ C1] vkms_vblank_simulate: vblank timer overrun [ 1722.741317][T22814] usb 6-1: Using ep0 maxpacket: 16 [ 1722.748269][T22814] usb 6-1: config index 0 descriptor too short (expected 16456, got 72) [ 1722.762707][T22814] usb 6-1: config 0 has an invalid interface number: 125 but max is 1 [ 1722.795214][T22814] usb 6-1: config 0 has an invalid interface number: 125 but max is 1 [ 1722.829616][T22814] usb 6-1: config 0 has an invalid interface number: 125 but max is 1 [ 1723.419599][T22814] usb 6-1: config 0 has 1 interface, different from the descriptor's value: 2 [ 1723.421224][T23843] [ 1723.430819][T23843] ====================================================== [ 1723.437816][T23843] WARNING: possible circular locking dependency detected [ 1723.444819][T23843] 6.16.0-rc2-syzkaller-00269-g11313e2f7812 #0 Not tainted [ 1723.451905][T23843] ------------------------------------------------------ [ 1723.458909][T23843] syz.1.5307/23843 is trying to acquire lock: [ 1723.464957][T23843] ffff888031fec9e0 (&p->lock){+.+.}-{4:4}, at: 
seq_read_iter+0xb7/0xe10 [ 1723.473296][T23843] [ 1723.473296][T23843] but task is already holding lock: [ 1723.480637][T23843] ffff888032d2dc68 (&pipe->mutex){+.+.}-{4:4}, at: splice_file_to_pipe+0x2e/0x440 [ 1723.489838][T23843] [ 1723.489838][T23843] which lock already depends on the new lock. [ 1723.489838][T23843] [ 1723.500225][T23843] [ 1723.500225][T23843] the existing dependency chain (in reverse order) is: [ 1723.509215][T23843] [ 1723.509215][T23843] -> #4 (&pipe->mutex){+.+.}-{4:4}: [ 1723.516587][T23843] lock_acquire+0x120/0x360 [ 1723.521599][T23843] __mutex_lock+0x182/0xe80 [ 1723.526607][T23843] iter_file_splice_write+0x1e6/0x1000 [ 1723.532570][T23843] do_splice+0xc76/0x1660 [ 1723.537401][T23843] __se_sys_splice+0x2e1/0x460 [ 1723.542666][T23843] do_syscall_64+0xfa/0x3b0 [ 1723.547670][T23843] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1723.554064][T23843] [ 1723.554064][T23843] -> #3 (sb_writers#5){.+.+}-{0:0}: [ 1723.561434][T23843] lock_acquire+0x120/0x360 [ 1723.566445][T23843] sb_start_write+0x4d/0x1c0 [ 1723.571540][T23843] mnt_want_write+0x41/0x90 [ 1723.576547][T23843] ovl_create_object+0xfc/0x310 [ 1723.581900][T23843] path_openat+0x14f1/0x3830 [ 1723.586998][T23843] do_filp_open+0x1fa/0x410 [ 1723.592017][T23843] do_sys_openat2+0x121/0x1c0 [ 1723.597200][T23843] __x64_sys_open+0x11e/0x150 [ 1723.602382][T23843] do_syscall_64+0xfa/0x3b0 [ 1723.607385][T23843] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1723.613790][T23843] [ 1723.613790][T23843] -> #2 (&ovl_i_mutex_dir_key[depth]){++++}-{4:4}: [ 1723.622469][T23843] lock_acquire+0x120/0x360 [ 1723.627483][T23843] down_read+0x46/0x2e0 [ 1723.632142][T23843] lookup_slow+0x46/0x70 [ 1723.636886][T23843] walk_component+0x2d2/0x400 [ 1723.642075][T23843] path_lookupat+0x163/0x430 [ 1723.647175][T23843] filename_lookup+0x212/0x570 [ 1723.652446][T23843] kern_path+0x35/0x50 [ 1723.657023][T23843] lookup_bdev+0xc0/0x280 [ 1723.661856][T23843] resume_store+0x169/0x460 [ 1723.666858][T23843] 
kernfs_fop_write_iter+0x375/0x4f0 [ 1723.672643][T23843] vfs_write+0x548/0xa90 [ 1723.677388][T23843] ksys_write+0x145/0x250 [ 1723.682220][T23843] do_syscall_64+0xfa/0x3b0 [ 1723.687223][T23843] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1723.693619][T23843] [ 1723.693619][T23843] -> #1 (&of->mutex){+.+.}-{4:4}: [ 1723.701159][T23843] lock_acquire+0x120/0x360 [ 1723.706167][T23843] __mutex_lock+0x182/0xe80 [ 1723.711175][T23843] kernfs_seq_start+0x55/0x3c0 [ 1723.716442][T23843] traverse+0x15f/0x570 [ 1723.721098][T23843] seq_read_iter+0xcfe/0xe10 [ 1723.726187][T23843] vfs_read+0x4cd/0x980 [ 1723.730844][T23843] __x64_sys_pread64+0x193/0x220 [ 1723.736287][T23843] do_syscall_64+0xfa/0x3b0 [ 1723.741291][T23843] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1723.747683][T23843] [ 1723.747683][T23843] -> #0 (&p->lock){+.+.}-{4:4}: [ 1723.754700][T23843] validate_chain+0xb9b/0x2140 [ 1723.759975][T23843] __lock_acquire+0xab9/0xd20 [ 1723.765171][T23843] lock_acquire+0x120/0x360 [ 1723.770176][T23843] __mutex_lock+0x182/0xe80 [ 1723.775181][T23843] seq_read_iter+0xb7/0xe10 [ 1723.780182][T23843] proc_reg_read_iter+0x1b7/0x280 [ 1723.785707][T23843] copy_splice_read+0x54f/0x9b0 [ 1723.791057][T23843] splice_file_to_pipe+0x270/0x440 [ 1723.796672][T23843] do_sendfile+0x475/0x7e0 [ 1723.801596][T23843] __se_sys_sendfile64+0x13e/0x190 [ 1723.807209][T23843] do_syscall_64+0xfa/0x3b0 [ 1723.812211][T23843] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1723.818603][T23843] [ 1723.818603][T23843] other info that might help us debug this: [ 1723.818603][T23843] [ 1723.828811][T23843] Chain exists of: [ 1723.828811][T23843] &p->lock --> sb_writers#5 --> &pipe->mutex [ 1723.828811][T23843] [ 1723.840698][T23843] Possible unsafe locking scenario: [ 1723.840698][T23843] [ 1723.848127][T23843] CPU0 CPU1 [ 1723.853473][T23843] ---- ---- [ 1723.858816][T23843] lock(&pipe->mutex); [ 1723.862953][T23843] lock(sb_writers#5); [ 1723.869629][T23843] lock(&pipe->mutex); [ 1723.876281][T23843] 
lock(&p->lock); [ 1723.880070][T23843] [ 1723.880070][T23843] *** DEADLOCK *** [ 1723.880070][T23843] [ 1723.888197][T23843] 1 lock held by syz.1.5307/23843: [ 1723.893283][T23843] #0: ffff888032d2dc68 (&pipe->mutex){+.+.}-{4:4}, at: splice_file_to_pipe+0x2e/0x440 [ 1723.902923][T23843] [ 1723.902923][T23843] stack backtrace: [ 1723.908793][T23843] CPU: 1 UID: 0 PID: 23843 Comm: syz.1.5307 Not tainted 6.16.0-rc2-syzkaller-00269-g11313e2f7812 #0 PREEMPT(full) [ 1723.908808][T23843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 1723.908814][T23843] Call Trace: [ 1723.908820][T23843] [ 1723.908825][T23843] dump_stack_lvl+0x189/0x250 [ 1723.908844][T23843] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1723.908857][T23843] ? __pfx__printk+0x10/0x10 [ 1723.908867][T23843] ? print_lock_name+0xde/0x100 [ 1723.908883][T23843] print_circular_bug+0x2ee/0x310 [ 1723.908899][T23843] check_noncircular+0x134/0x160 [ 1723.908914][T23843] validate_chain+0xb9b/0x2140 [ 1723.908929][T23843] ? __page_table_check_zero+0x406/0x530 [ 1723.908941][T23843] ? __page_table_check_zero+0xba/0x530 [ 1723.908954][T23843] ? look_up_lock_class+0x74/0x170 [ 1723.908978][T23843] ? register_lock_class+0x51/0x320 [ 1723.908996][T23843] __lock_acquire+0xab9/0xd20 [ 1723.909008][T23843] ? seq_read_iter+0xb7/0xe10 [ 1723.909017][T23843] lock_acquire+0x120/0x360 [ 1723.909028][T23843] ? seq_read_iter+0xb7/0xe10 [ 1723.909040][T23843] __mutex_lock+0x182/0xe80 [ 1723.909054][T23843] ? seq_read_iter+0xb7/0xe10 [ 1723.909065][T23843] ? __pfx_get_page_from_freelist+0x10/0x10 [ 1723.909078][T23843] ? seq_read_iter+0xb7/0xe10 [ 1723.909088][T23843] ? __pfx___mutex_lock+0x10/0x10 [ 1723.909102][T23843] ? __alloc_frozen_pages_noprof+0x1d6/0x370 [ 1723.909116][T23843] ? __pfx___alloc_frozen_pages_noprof+0x10/0x10 [ 1723.909130][T23843] seq_read_iter+0xb7/0xe10 [ 1723.909140][T23843] ? set_page_refcounted+0x76/0x160 [ 1723.909153][T23843] ? 
alloc_pages_bulk_noprof+0x570/0x710 [ 1723.909167][T23843] proc_reg_read_iter+0x1b7/0x280 [ 1723.909177][T23843] copy_splice_read+0x54f/0x9b0 [ 1723.909191][T23843] ? splice_file_to_pipe+0x2e/0x440 [ 1723.909202][T23843] ? __pfx_copy_splice_read+0x10/0x10 [ 1723.909225][T23843] ? __pfx_copy_splice_read+0x10/0x10 [ 1723.909243][T23843] splice_file_to_pipe+0x270/0x440 [ 1723.909262][T23843] do_sendfile+0x475/0x7e0 [ 1723.909276][T23843] ? lockdep_hardirqs_on+0x9c/0x150 [ 1723.909290][T23843] ? __pfx_do_sendfile+0x10/0x10 [ 1723.909303][T23843] ? __se_sys_futex+0x36f/0x400 [ 1723.909314][T23843] __se_sys_sendfile64+0x13e/0x190 [ 1723.909327][T23843] ? __pfx___se_sys_sendfile64+0x10/0x10 [ 1723.909339][T23843] ? rcu_is_watching+0x15/0xb0 [ 1723.909353][T23843] ? do_syscall_64+0xbe/0x3b0 [ 1723.909363][T23843] do_syscall_64+0xfa/0x3b0 [ 1723.909371][T23843] ? lockdep_hardirqs_on+0x9c/0x150 [ 1723.909383][T23843] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1723.909393][T23843] ? clear_bhb_loop+0x60/0xb0 [ 1723.909404][T23843] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1723.909418][T23843] RIP: 0033:0x7f097078e929 [ 1723.909430][T23843] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 1723.909438][T23843] RSP: 002b:00007f097165c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 [ 1723.909450][T23843] RAX: ffffffffffffffda RBX: 00007f09709b5fa0 RCX: 00007f097078e929 [ 1723.909457][T23843] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000001 [ 1723.909464][T23843] RBP: 00007f0970810b39 R08: 0000000000000000 R09: 0000000000000000 [ 1723.909470][T23843] R10: 4000000000010042 R11: 0000000000000246 R12: 0000000000000000 [ 1723.909476][T23843] R13: 0000000000000000 R14: 00007f09709b5fa0 R15: 00007ffc5b92ad08 [ 1723.909487][T23843] [ 1724.316051][T22814] usb 6-1: config 0 has no interface number 0 [ 
1724.326304][T22814] usb 6-1: config 0 interface 125 altsetting 4 endpoint 0x4 has invalid maxpacket 21760, setting to 64 [ 1724.350653][T22814] usb 6-1: config 0 interface 125 altsetting 4 endpoint 0xB has invalid wMaxPacketSize 0 [ 1724.361784][T22814] usb 6-1: config 0 interface 125 altsetting 4 endpoint 0x2 has invalid wMaxPacketSize 0 [ 1724.372045][T22814] usb 6-1: config 0 interface 125 altsetting 1 has 0 endpoint descriptors, different from the interface descriptor's value: 1 [ 1724.398537][T22814] usb 6-1: config 0 interface 125 has no altsetting 0 [ 1724.411855][T22814] usb 6-1: config 0 interface 125 has no altsetting 2 [ 1724.424828][T22814] usb 6-1: New USB device found, idVendor=050d, idProduct=0002, bcdDevice=23.27 [ 1724.436119][T22814] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1724.445774][T22814] usb 6-1: Product: syz [ 1724.451415][T22814] usb 6-1: Manufacturer: syz [ 1724.456196][T22814] usb 6-1: SerialNumber: syz [ 1724.462455][T22814] usb 6-1: config 0 descriptor?? [ 1724.471933][T22814] usb 6-1: selecting invalid altsetting 2 [ 1725.479590][T21071] usb 6-1: USB disconnect, device number 41 [ 1730.042329][ T1301] ieee802154 phy0 wpan0: encryption failed: -22 [ 1730.048639][ T1301] ieee802154 phy1 wpan1: encryption failed: -22