last executing test programs: 6.429506902s ago: executing program 2 (id=3305): readlink(&(0x7f00000000c0)='./cgroup\x00', 0x0, 0x0) socket$nl_xfrm(0x10, 0x3, 0x6) r0 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000004c0)=@updpolicy={0xc4, 0x19, 0x1, 0x0, 0x0, {{@in=@broadcast, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x0, 0x0, 0x0, 0x0, 0x400000000000000, 0x0, 0xe816}}, [@mark={0xc, 0x15, {0x0, 0xffff}}]}, 0xc4}, 0x1, 0x0, 0x0, 0x20008880}, 0x0) 6.381765919s ago: executing program 3 (id=3306): ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(0xffffffffffffffff, 0xc08c5332, 0x0) ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8914, 0x0) write$sndseq(0xffffffffffffffff, &(0x7f0000000000), 0x0) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) prctl$PR_SET_TAGGED_ADDR_CTRL(0x37, 0x1) ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x3, 0x0, 0x6, 0x4, "2a000c000100"}) r1 = syz_open_pts(r0, 0x141601) fcntl$setstatus(r1, 0x4, 0x102800) write(r1, &(0x7f0000000280)="f873147b552f358b2bfe4d96f547d70da5ceda4d1e757a37185f2900f785ca64ad2889b4f36ac968c82ab5148c58d8e983baf9faf3f7e73de7a920518a6b13489f32b067eb00abc6c5c0e3cbd2c80f9454f83194573aa7d1dce8002e7b6253089709c66292a9ad4f6fc822a61d78133cfa7ae1fb3bcb45d60b0486c0e694295ace057c8b6570d0477b534947a3307275aafb401f095a90b8fffafd9f274d0e7bf0baf56a932e4b529117e65d8d52d73e72054664d58acc17d78c96e1826547ca0058c2e86901de6eafe6fd1198097b005f313d3f5f69144f4ff429118b07b0c4ca4a60a053524993363d2992c88de26379afa3662c02c01754de5e795b85246eeed81bc0c3cf47d9ce67dba916dd0874fe68de7d3b9eaaee6e27ecdaaf0539051d47520bc5bb7452b3ff56f0774c61a0e5ddc19ee210b05b235920881060a67c6ccaa38a646674b2fd2f2fbfab6071c79720897d8a9f6941d993d6a5f89c97e0feb864f36c81b3da5c8e0cc2da51a9db1e12f051f11077f26f31c2d1005cbf77dc07855ec54edd2df0", 0x189) r2 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r2, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000500)={{0x14}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x3, 0x0, 0x0, {0x7}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWSET={0x70, 0x9, 0xa, 0x401, 0x0, 0x0, {0x7}, [@NFTA_SET_ID={0x8, 0xa, 0x1, 0x0, 0x7000000}, @NFTA_SET_NAME={0x9, 0x2, 'syz1\x00'}, @NFTA_SET_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_SET_KEY_LEN={0x8, 0x5, 0x1, 0x0, 0x21}, @NFTA_SET_EXPR={0x34, 0x11, 0x0, 0x1, @limit={{0xa}, @val={0x24, 0x2, 0x0, 0x1, [@NFTA_LIMIT_UNIT={0xc, 0x2, 0x1, 0x0, 0x3}, @NFTA_LIMIT_RATE={0xc, 0x1, 0x1, 0x0, 0x101}, @NFTA_LIMIT_TYPE={0x8, 0x4, 0x1, 0x0, 0x1}]}}}]}, @NFT_MSG_NEWSETELEM={0x3c, 0xc, 0xa, 0x101, 0x0, 0x0, {0x7}, [@NFTA_SET_ELEM_LIST_SET={0x9, 0x2, 'syz1\x00'}, @NFTA_SET_ELEM_LIST_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_SET_ELEM_LIST_ELEMENTS={0x10, 0x3, 0x0, 0x1, [{0xc, 0x0, 0x0, 0x1, [@NFTA_SET_ELEM_FLAGS={0x8, 0x3, 0x1, 0x0, 0x2}]}]}]}], {0x14, 0x10, 0x1, 0x0, 0x0, {0x0, 0x84}}}, 0xf4}}, 0x4000) ioctl$TCFLSH(r0, 0x540b, 0x0) 6.27748627s ago: executing program 2 (id=3307): r0 = syz_io_uring_setup(0x16d2, &(0x7f0000000080)={0x0, 0x0, 0x10100}, &(0x7f0000000040)=0x0, &(0x7f0000000100)=0x0) io_uring_setup(0x3f6b, &(0x7f0000000180)={0x0, 0x65f, 0x0, 0x10000001, 0x0, 0x0, r0}) r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cpu.stat\x00', 0x275a, 0x0) write$UHID_CREATE2(r3, &(0x7f00000001c0)=ANY=[@ANYBLOB='\t'], 0x118) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x5, 0x12, r3, 0x0) syz_io_uring_submit(r1, r2, &(0x7f0000000000)=@IORING_OP_MKDIRAT={0x25, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0}) io_uring_enter(r0, 0x82d3a, 0x0, 0x0, 0x0, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r4, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000180)=@newlink={0x48, 0x10, 0x49920d862a92153b, 0x0, 0x25dfdbfb, {0x0, 0x0, 0x0, 0x0, 0x21011, 0x15001}, [@IFLA_LINKINFO={0x28, 0x12, 0x0, 0x1, @geneve={{0xb}, {0x18, 0x2, 0x0, 0x1, [@IFLA_GENEVE_REMOTE6={0x14, 0x7, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}}]}}}]}, 0x48}}, 0x24044094) 6.273796433s ago: executing program 3 (id=3308): r0 = syz_usb_connect(0x2, 0x24, &(0x7f0000000640)=ANY=[@ANYBLOB="12010000d972a440b72040155ab7010203010902120001000000000904800000ff"], 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, 0x0, &(0x7f0000000980)={0x2c, &(0x7f0000000780)={0x20, 0x18, 0x1, "e6"}, 0x0, 0x0, 0x0, 0x0}) ioctl$KVM_SET_SREGS(0xffffffffffffffff, 0x4138ae84, &(0x7f0000000100)={{0xffff0000, 0x0, 0xf000, 0x0, 0xa, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1}, {0x0, 0x0, 0x3, 0x0, 0x0, 0x7, 0xf9}, {0xeeef0000, 0x0, 0x10, 0x8, 0x0, 0x0, 0x81, 0x0, 0x44, 0xe, 0x0, 0x3}, {0x8080000, 0x0, 0x4}, {0x11000, 0x0, 0x0, 0x0, 0x0, 0x80, 0x0, 0x0, 0x0, 0x0, 0x1a}, {0x100000, 0xd000, 0x0, 0x0, 0x0, 0x8f, 0x0, 0x0, 0x0, 0x0, 0x84}, {0xeeee8000, 0x80a0000, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff}, {0x8080000, 0x0, 0x0, 0xf9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x6000}, {0x1, 0xfffe}, 0x0, 0x0, 0x6000, 0x0, 0x0, 0x0, 0x900, [0x0, 0x0, 0x0, 0x3]}) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = eventfd2(0x2, 0x801) ioctl$KVM_IOEVENTFD(r2, 0x4040ae79, &(0x7f00000000c0)={0x7, 0x2, 0x2, r3, 0xb}) r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x2) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x6, 0xfffffffffffffffd, 0x2, 0x5, 0x0, 0x4002004c4, 0x1000, 0x0, 0x0, 0x9, 0x0, 0x0, 0x2], 0x8080000, 0x1144}) ioctl$KVM_RUN(r4, 0xae80, 0x0) syz_usb_control_io$hid(r0, 0x0, &(0x7f0000000580)={0x2c, &(0x7f0000000040)=ANY=[@ANYBLOB="401308"], 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000300)={0x1c, &(0x7f00000001c0)={0x20, 0x1, 0x1, "f0"}, 0x0, 0x0}) 6.044197952s ago: executing program 2 (id=3309): socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) syz_usb_connect$hid(0x5, 0x3f, &(0x7f0000000300)=ANY=[@ANYBLOB="12010102000000106a05d30040000102030109022d00"], 0x0) mkdir(&(0x7f0000000080)='./file1\x00', 0x0) utimes(&(0x7f0000000280)='./file1\x00', &(0x7f0000000340)) openat$binfmt(0xffffffffffffff9c, 0x0, 0x41, 0x1ff) r2 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r2, &(0x7f000000c2c0)={0x0, 0x0, 0x0}, 0x0) sendmsg$NFT_BATCH(r2, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000380)={{0x14}, [@NFT_MSG_NEWSET={0x3c, 0x12, 0xa, 0x201, 0x0, 0x0, {0x2}, [@NFTA_SET_NAME={0x9, 0x2, 'syz1\x00'}, @NFTA_SET_KEY_TYPE={0x8}, @NFTA_SET_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_SET_FLAGS={0x8, 0x3, 0x1, 0x0, 0x1}]}], {0x14}}, 0x64}, 0x1, 0x0, 0x0, 0x890}, 0x0) sendmsg$NFT_MSG_GETOBJ(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000400)={0x20, 0x13, 0xa, 0x101, 0x0, 0x0, {0x2}, [@NFTA_OBJ_TABLE={0x9, 0x1, 'syz0\x00'}]}, 0x20}}, 0x4040040) socket$can_raw(0x1d, 0x3, 0x1) setsockopt$inet6_IPV6_DSTOPTS(0xffffffffffffffff, 0x29, 0x3b, 0x0, 0xa8) setsockopt$ALG_SET_KEY(0xffffffffffffffff, 0x117, 0x1, &(0x7f0000000300)="c9", 0x1) socketpair$unix(0x1, 0x5, 0x0, 0x0) socketpair$tipc(0x1e, 0x1, 0x0, &(0x7f0000000000)) timer_delete(0x0) syz_open_dev$evdev(&(0x7f00000000c0), 0x1, 0x80) 4.77217896s ago: executing program 1 (id=3312): r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000240)=ANY=[@ANYBLOB="140000001000010000000000000000000500000a28000000000a030000000000000000000a00000708000240000000020900010073797a31000000002c000000030a010100000000000000000a0000070900010073797a31000000000900030073797a320000000014000000110001"], 0x7c}, 0x1, 0x0, 0x0, 0x4000}, 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000002c0)=@newtfilter={0x40, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {}, {}, {0xd}}, [@filter_kind_options=@f_basic={{0xa}, {0x10, 0x2, [@TCA_BASIC_EMATCHES={0xc, 0x2, 0x0, 0x1, [@TCA_EMATCH_TREE_HDR={0x8, 0x1, {0xffff}}]}]}}]}, 0x40}}, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000009b40)={0x0, 0x0, &(0x7f0000009b00)={&(0x7f0000002100)=ANY=[@ANYBLOB="140000001000010000000000000000000500000a5c000000090a010400000000000000000a0000040900010073797a310000000008000540000000040900020073797a310000000008000a40fffffffc200011800e000100636f6e6e6c696d69740000000c00028008000140fffff27414000000110001"], 0x84}, 0x1, 0x0, 0x0, 0x4000850}, 0x40) sendmsg$NFT_MSG_GETSETELEM(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000002c0)=ANY=[@ANYBLOB="800000000d0a010800000000000000200a0000010900020073797a31000000000900010073797a310000000054000380500000803e0001"], 0x80}}, 0x8000) 4.599747181s ago: executing program 1 (id=3314): socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) r2 = syz_io_uring_setup(0x110, &(0x7f00000003c0)={0x0, 0xfad6, 0x800, 0x1, 0x3}, &(0x7f00000000c0)=0x0, &(0x7f0000000100)=0x0) syz_memcpy_off$IO_URING_METADATA_GENERIC(r3, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4) syz_io_uring_submit(r3, r4, &(0x7f00000002c0)=@IORING_OP_POLL_ADD={0x6, 0x0, 0x0, @fd_index=0x3}) io_uring_enter(r2, 0x133d, 0x0, 0x8, 0x0, 0x0) io_uring_register$IORING_REGISTER_SYNC_CANCEL(r2, 0x18, &(0x7f0000000000)={0x0, 0xffffffffffffffff, 0x1, {0x6, 0x6d4}, 0xf0}, 0x1) syz_emit_ethernet(0x72, &(0x7f0000000080)={@local, @empty, @void, {@ipv6={0x86dd, @tipc_packet={0x0, 0x6, '3\'q', 0x3c, 0x6, 0xff, @rand_addr=' \x01\x00', @mcast2, {[@fragment={0x67, 0x0, 0xf2, 0x1, 0x0, 0x9, 0x64}, @fragment={0x99, 0x0, 0x0, 0x1, 0x0, 0x3, 0x65}], @payload_mcast={{{{{{0x2c, 0x0, 0x0, 0x1, 0x1, 0xb, 0x1, 0x2, 0x5, 0x0, 0xec58ce011bc5c89a, 0x4, 0x2, 0x1, 0x7, 0x2, 0x1, 0x4e21, 0x4e21}, 0x1, 0x2}}}}}}}}}}, 0x0) r5 = socket(0x10, 0x80002, 0x0) sendmsg$nl_route(r5, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000000c0)=ANY=[@ANYBLOB="1c0000005e00679a3601ff81000000000000000000be7ba9bd"], 0x1c}}, 0x0) recvmmsg$unix(r5, &(0x7f0000000640)=[{{0x0, 0x0, 0x0}}, {{0x0, 0x0, 0x0}}, {{0x0, 0x0, &(0x7f0000000840)=[{&(0x7f0000000300)=""/151, 0x97}, {&(0x7f00000009c0)=""/4096, 0x1000}, {&(0x7f0000000740)=""/254, 0xfe}], 0x3}}, {{0x0, 0x0, 0x0}}], 0x4, 0x0, 0x0) bind$inet6(r5, &(0x7f0000000000)={0xa, 0x4e22, 0x2, @remote, 0x4}, 0x1c) r6 = fsmount(0xffffffffffffffff, 0x1, 0xe3) write$tun(r6, &(0x7f0000000100)={@val={0x0, 0x88ed36e8e5761236}, @void, @x25={0x3, 0xac, 0xf, "b2fed058e891dbbbb6c76e0f6c3cea19a19b9a01fdc1745e92b46b04c822f4cf67e845cef531bf2e04fdb36e19aa4c67261c38d42a807a3ce5d5feac0f2d767c1baba45dc9b4ded30afb188d8957b60437f8dc5748e90c752ef9eefa551987b059afc2fc8ac4cabfcc933ef334cc9c9453fd532e1c72185ee28047cc0044a293fca691d691c61542e87d8e10373a74cc5077d1f00bdbc75bc2f94e2f988a676a34a37849d60c7290d68d6eb03bd76e863a6e68d217c8d395fd9dc5bbcc096628eb92bfae21db1b1e74d9f83702488c95193f0f0fe2b39088f55e4e4a210174e39551adaba0a6ee2c11"}}, 0xf0) 4.524642138s ago: executing program 0 (id=3315): openat(0xffffffffffffff9c, &(0x7f000000c380)='./file0\x00', 0x40, 0x1) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) sendmmsg$unix(r0, &(0x7f0000000540)=[{{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4008054}}, {{&(0x7f00000000c0)=@file={0x1, './file0/file3\x00'}, 0x6e, 0x0, 0x0, 0x0, 0x0, 0x40080}}], 0x2, 0x0) (fail_nth: 10) 4.357629009s ago: executing program 4 (id=3316): r0 = openat$dlm_plock(0xffffff9c, &(0x7f0000000040), 0x20000, 0x0) bpf$BPF_MAP_LOOKUP_AND_DELETE_ELEM(0x15, &(0x7f00000000c0)={r0, 0x0, 0x0}, 0xffffffffffffffc0) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000580), 0xffffffffffffffff) openat$nvram(0xffffffffffffff9c, &(0x7f00000014c0), 0x141080, 0x0) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r2, 0x8933, &(0x7f00000004c0)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_JOIN_MESH(r2, &(0x7f0000000400)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB='L\x00\x00\x00', @ANYRES16=r1, @ANYBLOB="010000000000000000004400000008000300", @ANYRES32=r3, @ANYBLOB="08002700851600000a00180000000000000000001c005a8018000180140003"], 0x4c}}, 0x4000804) 3.845306526s ago: executing program 0 (id=3317): syz_genetlink_get_family_id$nl80211(0x0, 0xffffffffffffffff) r0 = socket$tipc(0x1e, 0x2, 0x0) socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f0000000300)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000cc0)=[{{&(0x7f0000000400)=@file={0x0, './file0\x00'}, 0x6e, &(0x7f00000000c0)=[{&(0x7f00000004c0)="70e35fa0e91a9ac4410226c8f822873897d148c6558dfd53db02f96d2338c1334f1bf22e3b15c70b23050e54e217a34620aa443561040b13d1600b0458d1c17c3ace1d5e03b8e47bd7df204ca7ecba8dbd9c18eaf69307", 0x57}], 0x1, 0x0, 0x0, 0x4004}}, {{0x0, 0x0, &(0x7f0000000200)=[{&(0x7f0000000540)="a7fd78ff79bce255fae6d48c403bcbdd46db04e054114d518ac78aafe93a64b2d6f8c5e51c72bac8fe683e286456e3f3618886b168b176987bd69b98a5706226d7ad9d8c0a5250a9e6cf13ba80a603d0e4e74efe45fcff626e27a66f82b979d113dce1181b464127ac", 0x69}], 0x1, &(0x7f0000000640)=ANY=[@ANYBLOB="140000000100000001000000", @ANYRES32, @ANYRES32=r0, @ANYBLOB="3c00000001ed000000000000", @ANYRES32=r2, @ANYRES32=r0, @ANYRES32, @ANYRES32], 0x30, 0x40880}}, {{&(0x7f0000000680)=@file={0x1, './file0\x00'}, 0x6e, &(0x7f0000000a80)=[{&(0x7f00000005c0)="94e66bbff75d96657317dcaa4ff70a72668a9d64e5e4fbf350f1850897701c", 0x1f}, {&(0x7f0000000740)="c61fb0a363021e53fce075c0886d99380302f76c9b82f85f35a3d298ef1a8d05108bafcdc6d35ff5e0ea0a1af7376803a9a9de633e1279e8159548a5640fb61f", 0x40}, {&(0x7f0000000780)="84f27e22624dd90110c9f35745ae99dfbfd3449ab540bf07d099cb92b4edc15a1ceb", 0x22}, {&(0x7f00000007c0)="c352ab23943985805613935870168898ab832c25d3e3386837f085ca8e4b", 0x1e}, {&(0x7f0000000800)="98f6662791825672d47fc113b5f9b786511dcd8125489d6e4eeb4ea0680c1647bead5abf8ebd207156deaca662df0cecc5fb50433b51fb0b946d239ea0e5365d3951f1f9bff19b4deab7c847d66cd11e13b281100e10587f6be2d13a06a3f2cf31195b2fac4e6e1ac4ff6dd0bb3f65dbaeaacc9bd1272c398b24b49e3dae9d02f5283bf57ac8ca25e1", 0x89}, {&(0x7f00000008c0)="dc97709b776d932ef20d2b5ba8e6ea8baf0d4b472650289c7e915275de66ef727078e69c682298108c1ccbfb91e60910d7d633e8d876032ed994d6ae838bc54cc75f7734a206807c6b5412666f227da4f4b1cef126436f68826fd254970691bfbcfb7711e76d93ad10888546d32cfaacd19ab195b8bf9b2f12e2a71e802f1a849ad7f08a6aa7d34d9c6343d82516893d570c70d4dd8312cfa32e384b6636bff4bf6462342d382c818dd3b6145cf412708a8d80af38d9a5023fc17ae460df43117bc09647d25ce4d1ffd4361593b545ff10ba876d1fd2f4e6d558b3468451857bf62d65ddddb05ca67e3a884b50cd69", 0xef}, {&(0x7f00000009c0)="f7ed941bb020a62c8f5c09f8f2aad23a373a9875ea4948de8373163b65146d1e66965ecf46774df4310a18d26c9d6df61bf705dd243ed02bade65b4a25e7d007dd5ab444cde708978e32852f4aeef5d2ca83da5e9272271a5bf55e27eec76b1a5c57aa638fee15a358145edbbe009d54e672c3bf3289f688805e0364cd641eb1dc621c0165cb1613322f24376a0c26baaf46de5d24aae532671141052199a7fc24ca8b7b70c6a5e212dcb8e5e9cdd70d4c2fdcad1cde61581bfa", 0xba}], 0x7, &(0x7f0000000c80)=[@rights={{0x14, 0x1, 0x1, [r1, r1]}}, @cred={{0x18}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff, r0]}}], 0x40}}], 0x3, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) socket$nl_route(0x10, 0x3, 0x0) ioctl$VIDIOC_G_EXT_CTRLS(0xffffffffffffffff, 0xc0205649, 0x0) mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x0, 0x10, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000100)={0x38, 0x0, 0x0, 0x200000, 0x0, 0xb49, 0x9, 0x8, 0x3, 0x3}, 0x0) r3 = openat$sndseq(0xffffffffffffff9c, &(0x7f0000000040), 0x12802) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r3, 0xc08c5332, 0x0) sendmsg$NL80211_CMD_RADAR_DETECT(0xffffffffffffffff, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000180)={0x0, 0x48}, 0x1, 0x0, 0x0, 0x20048801}, 0x8000) write$sndseq(r3, &(0x7f0000000000)=[{0x84, 0x77, 0x0, 0x0, @tick, {}, {}, @raw32}], 0xffc8) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r3, 0x4040534e, &(0x7f00000002c0)={0x10f, @time={0xf2ee}}) ioctl$F2FS_IOC_WRITE_CHECKPOINT(r1, 0xf507, 0x0) ioctl$TIOCMSET(0xffffffffffffffff, 0x5418, &(0x7f0000000140)=0xfffffdfb) r4 = socket$nl_generic(0x10, 0x3, 0x10) r5 = syz_genetlink_get_family_id$batadv(&(0x7f00000001c0), r4) ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r4, 0x8933, &(0x7f0000000140)={'batadv0\x00', 0x0}) sendmsg$BATADV_CMD_GET_NEIGHBORS(r4, &(0x7f0000004340)={0x0, 0x0, &(0x7f0000000280)={&(0x7f00000002c0)=ANY=[@ANYBLOB='$\x00\x00\x00', @ANYRES16=r5, @ANYBLOB="310300000000000020000800000008000300", @ANYRES32=r6, @ANYBLOB="080006"], 0x24}}, 0x0) openat$vimc0(0xffffffffffffff9c, &(0x7f0000000040), 0x2, 0x0) unshare(0x64020700) openat$kvm(0xffffffffffffff9c, &(0x7f0000000480), 0x6b9baa709c74be5b, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) r7 = openat$proc_mixer(0xffffffffffffff9c, &(0x7f0000000000)='/proc/asound/card2/oss_mixer\x00', 0x8d2c96d7d1bc7a59, 0x0) fcntl$dupfd(r7, 0x2, 0xffffffffffffffff) r8 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_CREATE(r8, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000380)=ANY=[@ANYBLOB="4c00000002060108000034e40000000000000000050001000600000005000400000000000900020073797a3100000080050005000200000011000300686173683a69702c706f7274"], 0x4c}}, 0x2) 3.609179533s ago: executing program 4 (id=3318): bpf$PROG_LOAD(0x5, &(0x7f0000000180)={0x1, 0x4, &(0x7f0000000080)=ANY=[@ANYBLOB="18000000700000000000000000000200630140000000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) 3.406281543s ago: executing program 4 (id=3319): openat$nullb(0xffffffffffffff9c, &(0x7f0000000780), 0x81, 0x0) openat$adsp1(0xffffffffffffff9c, 0x0, 0x0, 0x0) pipe(&(0x7f0000000380)) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r0, &(0x7f000057eff8)=@abs={0x0, 0x0, 0x4e20}, 0x6e) sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) syz_open_dev$swradio(&(0x7f0000000140), 0x0, 0x2) write$RDMA_USER_CM_CMD_CREATE_ID(r1, 0x0, 0x0) sched_setattr(0x0, &(0x7f0000000100)={0x38, 0x5, 0x0, 0x1, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0xfffffffc, 0x3}, 0x0) socket$netlink(0x10, 0x3, 0xa) r2 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_inet_SIOCSIFPFLAGS(0xffffffffffffffff, 0x8934, &(0x7f0000000040)={'wlan0\x00', 0xfffffffe}) ioctl(r2, 0x8b21, &(0x7f0000000040)) r3 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$IPT_SO_SET_REPLACE(r3, 0x0, 0x40, 0x0, 0x0) r4 = open(0x0, 0x1850c2, 0x14c) writev(r3, &(0x7f00000002c0)=[{0x0}, {&(0x7f0000000500)="922a35c0ba11e3689b7a89fa83215a702aaa0da45ce5862c4a7eaa", 0x1b}], 0x2) openat$kvm(0xffffffffffffff9c, 0x0, 0x80141, 0x0) ftruncate(r4, 0x200004) r5 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x1b, 0x0, 0x0, 0x8000}, 0x48) syz_emit_ethernet(0x46, 0x0, 0x0) bpf$PROG_LOAD(0x5, &(0x7f0000000340)={0x1, 0x21, &(0x7f00000007c0)=ANY=[@ANYBLOB="1800f8ffffffffffffff00000000000018110000", @ANYRES32=r5, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000083000000bf090000000000005509010000000000950000000000000018110000", @ANYRES32=r5, @ANYBLOB="0000000000000000b7080000030000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000001000000850000008200000018110000", @ANYRES32=r5, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b7040000000000008500000082000000bf91000000000000b70200000000000085000000ff000000b7000000000000009500000000000000ddf1172d7b3a1ac1c590d8aad0e34a51621bc3fc9972d80c8e4a4b2e8ad59aaaa8fa476147cbd320cdf4aaa9c47772dc625e8b65b2ffc2e49e311daf5aa4dd6bcf104222de90fece47386647e2370a65430281f4830214afbb3277a1b03a0b275a78761fcde153e3"], &(0x7f0000000000)='syzkaller\x00', 0x6, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x31, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) 3.120549326s ago: executing program 0 (id=3320): r0 = openat$iommufd(0xffffff9c, &(0x7f0000000000), 0x10800, 0x0) r1 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000080), 0x28002, 0x0) ioctl$IOMMU_IOAS_ALLOC(r1, 0x3b81, &(0x7f00000000c0)={0xc, 0x0, 0x0}) ioctl$IOMMU_TEST_OP_MOCK_DOMAIN(r1, 0x3ba0, &(0x7f0000000100)={0x48, 0x2, r2, 0x0, 0x0, 0x0, 0x0}) ioctl$IOMMU_HWPT_ALLOC$NONE(r1, 0x3b89, &(0x7f0000000180)={0x28, 0x1, r3, r2, 0x0, 0x0, 0x0, 0x0, &(0x7f00000001c0)}) ioctl$IOMMU_HWPT_ALLOC$TEST(r1, 0x3b89, &(0x7f0000000200)={0x28, 0x0, r3, r4, 0x0, 0x0, 0xdead, 0x4, &(0x7f0000000240)}) ioctl$IOMMU_HWPT_INVALIDATE$TEST(r1, 0x3b8d, &(0x7f0000000280)={0x20, r5, &(0x7f00000002c0)=[{}], 0xdeadbeef, 0x8, 0x1}) ioctl$IOMMU_DESTROY$hwpt(r1, 0x3b80, &(0x7f0000000300)={0x8, r5}) (async, rerun: 32) ioctl$IOMMU_DESTROY$hwpt(r1, 0x3b80, &(0x7f0000000340)={0x8, r4}) (rerun: 32) ioctl$IOMMU_HWPT_GET_DIRTY_BITMAP(r0, 0x3b8c, &(0x7f00000000c0)={0x30, r4, 0x1, 0x0, 0x4, 0x3, 0x1c00000000000000, &(0x7f0000000040)=""/126}) (async) r6 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$NL80211_CMD_REQ_SET_REG(r6, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000440)={&(0x7f0000000400)=ANY=[@ANYRES64=r2, @ANYBLOB="5445c0a80b81cdce68cc69a405f792cbbd589e30e82c8a5a737fd5bac43cd82b"], 0xc0}, 0x1, 0x0, 0x0, 0x1}, 0x80) r7 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000100)='net_prio.prioidx\x00', 0x275a, 0x0) write$binfmt_script(r7, &(0x7f0000000180), 0xfefc) (async) mkdir(&(0x7f00000001c0)='./file0\x00', 0x12) (async) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1000004, 0x10012, r7, 0x0) (async, rerun: 32) prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f0000000140)={&(0x7f0000002000/0x3000)=nil, &(0x7f0000ffa000/0x3000)=nil, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000262000/0x1000)=nil, &(0x7f0000260000/0x4000)=nil, &(0x7f0000008000/0x3000)=nil, &(0x7f0000947000/0x1000)=nil, &(0x7f0000002000/0x1000)=nil, &(0x7f0000ffa000/0x4000)=nil, &(0x7f0000663000/0x1000)=nil, &(0x7f000000c000/0x2000)=nil, 0x0}, 0x68) (rerun: 32) 2.829392469s ago: executing program 0 (id=3321): socket$inet6_icmp_raw(0xa, 0x3, 0x3a) r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000240)=ANY=[@ANYBLOB="140000001000010000000000000000000500000a28000000000a030000000000000000000a00000708000240000000020900010073797a31000000002c000000030a010100000000000000000a0000070900010073797a31000000000900030073797a320000000014000000110001"], 0x7c}, 0x1, 0x0, 0x0, 0x4000}, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000009b40)={0x0, 0x0, &(0x7f0000009b00)={&(0x7f0000000100)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x5}}, [@NFT_MSG_NEWSET={0x5c, 0x9, 0xa, 0x401, 0x0, 0x0, {0xa, 0x0, 0x4}, [@NFTA_SET_TABLE={0x9, 0x1, 'syz1\x00'}, @NFTA_SET_KEY_LEN={0x8, 0x5, 0x1, 0x0, 0x2}, @NFTA_SET_NAME={0x9, 0x2, 'syz2\x00'}, @NFTA_SET_ID={0x8, 0xa, 0x1, 0x0, 0xfffffffc}, @NFTA_SET_EXPR={0x20, 0x11, 0x0, 0x1, @connlimit={{0xe}, @val={0xc, 0x2, 0x0, 0x1, [@NFTA_CONNLIMIT_COUNT={0x8, 0x1, 0x1, 0x0, 0xfffff274}]}}}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x1}}}, 0x84}, 0x1, 0x0, 0x0, 0x4000850}, 0x40) syz_emit_ethernet(0x146, &(0x7f0000000780)=ANY=[@ANYBLOB="ffffffffffff9800da07fc0b86dd6100000001103aff20010000000040000000000000000002fe8000000000000000000000000000aa"], 0x0) 2.77964328s ago: executing program 0 (id=3322): syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00'}) openat$vmci(0xffffffffffffff9c, &(0x7f0000000740), 0x2, 0x0) syz_open_dev$cec(&(0x7f0000000480), 0x0, 0x80) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) mlock(&(0x7f0000000000/0x800000)=nil, 0x800000) madvise(&(0x7f0000000000/0x600000)=nil, 0x600003, 0x19) connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) syz_emit_ethernet(0x7a, &(0x7f0000000000)={@local, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x15}, @void, {@ipv6={0x86dd, @gre_packet={0x0, 0x6, "5f1060", 0x44, 0x2f, 0x0, @private0={0xfc, 0x0, '\x00', 0x2}, @mcast2, {[], {{0x0, 0x0, 0x1, 0x0, 0x2, 0x0, 0x0, 0x1, 0x8100, 0x0, 0x2}, {0x0, 0x0, 0x0, 0x0, 0x100}, {}, {0x8, 0x88be, 0x86ddffff}, {0x8, 0x22eb, 0x0, {{}, 0x2, {0x20000000}}}}}}}}}, 0x0) sendmsg(r1, &(0x7f0000000180)={0x0, 0x0, 0x0}, 0x0) sched_setattr(0x0, &(0x7f0000000100)={0x38, 0x5, 0x0, 0x0, 0x0, 0xb49, 0x6, 0x8, 0x0, 0x3}, 0x0) execveat(0xffffffffffffff9c, 0x0, 0x0, 0x0, 0x1000) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000100)={&(0x7f00000001c0)=@gettaction={0x48, 0x32, 0x400, 0x70bd2a, 0x25cfdbfd, {}, [@action_dump_flags=@TCA_ROOT_FLAGS={0xc, 0x2, {0x1}}, @action_gd=@TCA_ACT_TAB={0x28, 0x1, [{0xc, 0x85, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x9}}, {0xc, 0x2, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x81f7}}, {0xc, 0x1f, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x4}}]}]}, 0x48}, 0x1, 0x0, 0x0, 0x4008000}, 0x4040090) r2 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'bond0\x00', 0x0}) sendmsg$nl_route(r2, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000580)={&(0x7f00000001c0)=ANY=[@ANYBLOB="5c000000100003040000d9ffffffea0000000400", @ANYRES32=r3, @ANYBLOB="60bc010004a701003c00128009000100626f6e64000000002c"], 0x5c}, 0x1, 0x0, 0x0, 0x11}, 0x4000044) 2.365146349s ago: executing program 2 (id=3323): r0 = socket$can_bcm(0x1d, 0x2, 0x2) ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000100)={'vcan0\x00', 0x0}) socket$inet_mptcp(0x2, 0x1, 0x106) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@file={0x0, './file1\x00'}, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x400000000000041, 0x0) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sendmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0) writev(0xffffffffffffffff, &(0x7f0000000300)=[{0x0}], 0x1) r4 = socket$netlink(0x10, 0x3, 0x0) writev(r4, &(0x7f00000003c0)=[{&(0x7f0000000180)="390000001300034700bb65e1c3e4ffff01000000010000005600000025000000190004000400000007fd17e5ffff0800040000000000000000", 0x39}], 0x1) writev(r4, &(0x7f0000000300)=[{&(0x7f0000000040)="390000001300034700bb5be1c3e4feff06000000010000004500000025000000190004000400ad000d00000000000006040000000000f93132", 0x39}], 0x1) r5 = openat$vimc1(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0) ioctl$VIDIOC_G_FMT(r5, 0xc0d05604, &(0x7f0000000380)={0x8, @vbi={0x97, 0x3, 0x101, 0x32314142, [0x6, 0x3], [0x3, 0x80], 0x1}}) r6 = socket$inet6_udp(0xa, 0x2, 0x0) setsockopt$IP6T_SO_SET_REPLACE(r6, 0x29, 0x40, &(0x7f00000006c0)=@mangle={'mangle\x00', 0x1d, 0x6, 0x558, 0x0, 0x280, 0x368, 0x1b0, 0x0, 0x488, 0x488, 0x488, 0x488, 0x488, 0x6, 0x0, {[{{@ipv6={@mcast2, @private1, [], [], 'macvlan1\x00', 'erspan0\x00'}, 0x0, 0xa8, 0xd0, 0x0, {0x7a00000000000000}}, @HL={0x28}}, {{@uncond, 0x0, 0xa8, 0xe0}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0xffffffffffffffff}, {}, 0x203}}}, {{@ipv6={@ipv4={'\x00', '\xff\xff', @multicast2}, @remote, [], [], '\x00', 'bond_slave_0\x00'}, 0x0, 0xa8, 0xd0, 0x48000000}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xa8, 0xe8}, @common=@inet=@TCPOPTSTRIP={0x40}}, {{@uncond, 0x0, 0xf8, 0x120, 0x0, {}, [@inet=@rpfilter={{0x28}}, @common=@eui64={{0x28}}]}, @unspec=@CHECKSUM={0x28}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x5b8) ioprio_set$uid(0x3, 0x0, 0x0) syz_genetlink_get_family_id$nl80211(&(0x7f0000000000), r4) r7 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/netlink\x00') preadv(r7, &(0x7f0000000580)=[{&(0x7f0000000100)=""/212, 0xd4}], 0x1, 0x1fe, 0x12) r8 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r8, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000980)={0x2c, 0x3e, 0x107, 0x70bd2d, 0x25dfdbfc, {0x4, 0x7c}, [@typed={0x4}, @nested={0x14, 0x1, 0x0, 0x1, [@typed={0x6, 0x6, 0x0, 0x0, @str='\x80\n'}, @typed={0x8, 0x15, 0x0, 0x0, @u32=0x7fffffff}]}]}, 0x2c}}, 0x0) connect$can_bcm(r0, &(0x7f00000000c0)={0x1d, r1}, 0x10) sendmsg$can_bcm(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000340)={&(0x7f0000001600)=ANY=[@ANYBLOB="0100"/16, @ANYRES64=0x0, @ANYRES64=0x0, @ANYRES64=0x0, @ANYRES64=0x0, @ANYBLOB="0000000001"], 0x48}, 0x1, 0x0, 0x0, 0x20000001}, 0x0) 2.364891258s ago: executing program 3 (id=3324): r0 = socket$nl_generic(0x10, 0x3, 0x10) socket$nl_xfrm(0x10, 0x3, 0x6) r1 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000), 0x120002) read(r1, &(0x7f0000000040)=""/46, 0x2e) ioctl$SNDRV_TIMER_IOCTL_SELECT(r1, 0x40345410, &(0x7f00000083c0)={{0x1}}) ioctl$SNDRV_TIMER_IOCTL_CONTINUE(r1, 0x54a2) bpf$PROG_LOAD(0x5, &(0x7f0000000180)={0x11, 0xf, &(0x7f0000000340)=@ringbuf={{}, {}, {}, [], {{}, {}, {0x85, 0x0, 0x0, 0x84}}}, &(0x7f0000000080)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x1e, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040)={0x200000, 0x200000, 0x0, 0x0, 0x10000}) ioctl$KVM_SET_MSRS(0xffffffffffffffff, 0xc008ae88, &(0x7f0000000000)=ANY=[@ANYBLOB="01000000000000000f478ef8ed"]) r2 = openat$kvm(0xffffff9c, &(0x7f00000000c0), 0x800, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x2, 0x9, 0xfffffffffffffffd, 0x0, 0x2, 0x0, 0x4002004c4, 0x1004, 0xffffffffffffffff, 0xc595, 0x0, 0x1, 0xffffffffffffffff, 0x2000000000000000, 0x80000004000000, 0x8d], 0xeeee8000, 0x2010d3}) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$KVM_RUN(r4, 0xae80, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r5, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r6, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r5, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) sched_setattr(0x0, &(0x7f0000000100)={0x38, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0x0) r7 = socket$kcm(0x29, 0x2, 0x0) r8 = memfd_create(&(0x7f0000000000)='e\xf4E\x88-\x00', 0x0) pwritev(r8, &(0x7f0000000040)=[{&(0x7f0000000480)="db", 0x1}], 0x1, 0x4000001, 0x0) sendfile(r7, r8, 0x0, 0x8000fb00) r9 = syz_genetlink_get_family_id$l2tp(&(0x7f0000000280), 0xffffffffffffffff) sendmsg$L2TP_CMD_SESSION_GET(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000540)={&(0x7f00000004c0)={0x14, r9, 0x1, 0x70bd25, 0x25dfdbfb}, 0x14}, 0x1, 0x0, 0x0, 0x20004089}, 0x4000) openat$binder_debug(0xffffff9c, &(0x7f0000000140)='/sys/kernel/debug/binder/transaction_log\x00', 0x0, 0x0) 2.056781229s ago: executing program 1 (id=3325): r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r1 = syz_io_uring_setup(0xa0, &(0x7f0000000240)={0x0, 0x89b8, 0x8, 0x0, 0x133}, &(0x7f0000000040)=0x0, &(0x7f00000000c0)=0x0) syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000180)=0xfffffffc, 0x0, 0x4) syz_io_uring_submit(r2, r3, &(0x7f0000000200)=@IORING_OP_READV=@pass_iovec={0x1, 0x0, 0x0, @fd=r0, 0xc000000, &(0x7f0000000000), 0x0, 0x12}) io_uring_enter(r1, 0x847ba, 0x0, 0xe, 0x0, 0x0) (fail_nth: 7) 1.649722965s ago: executing program 1 (id=3326): r0 = socket(0x10, 0x802, 0x0) write(r0, &(0x7f0000000140)="fc00000018000703ab092500090007000a07ffffa88800060000369321000700ff2500000005d00000000000000398996c92773411419da79bb94b46fe000000bc00020000036c6c256f1a272f2e117c22ebc205214000000000008934d07302ad031720d7d5bbc91a3e2e80772c05defd5a32e280fc83ab82f605f70c9ddefefe082038f4f8b29d3ef3d92c83170e5bba4a463ae4f5566f91cf190201ded815b2ccd243f295ed94e0ad91bd0734babc7c3f2eeb57d43dd16b17e583df150c3b880f411f46a6b567b4d5715587e658a1ad0a4f01731d05b0350b0041f0d48f6f0000080548deac270e33429fd3000175e63fb8d38a873cf1587c3b41", 0xfc) 1.506820084s ago: executing program 4 (id=3327): r0 = socket(0x840000000002, 0x3, 0x100) sendmmsg$inet(r0, &(0x7f0000000900)=[{{&(0x7f0000000280)={0x2, 0x4e24, @multicast2}, 0x10, 0x0, 0x0, &(0x7f0000000540)=[@ip_retopts={{0xc}}, @ip_ttl={{0x10, 0x0, 0x2, 0x7}}, @ip_pktinfo={{0x18, 0x0, 0x8, {0x0, @dev={0xac, 0x14, 0x14, 0x2a}, @initdev={0xac, 0x1e, 0x0, 0x0}}}}], 0x34}}], 0x1, 0x4004) (async) r1 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x2}) (async) ioctl$TUNSETTXFILTER(r1, 0x400454d1, 0x0) 1.420887356s ago: executing program 1 (id=3328): r0 = socket$key(0xf, 0x3, 0x2) sendmsg$key(r0, &(0x7f0000000100)={0x3, 0x0, &(0x7f0000000080)={&(0x7f0000000600)={0x2, 0x3, 0x0, 0x2, 0x10, 0x0, 0x0, 0x0, [@sadb_key={0x2, 0x8, 0x8, 0x0, 'f'}, @sadb_address={0x5, 0x6, 0x0, 0x0, 0x0, @in6={0xa, 0x0, 0x0, @loopback, 0x1}}, @sadb_sa={0x2, 0x1, 0x0, 0x0, 0x0, 0x0, 0xfd}, @sadb_address={0x5, 0x5, 0x0, 0x0, 0x0, @in6={0xa, 0x0, 0x0, @local, 0xff80}}]}, 0x80}, 0x1, 0x7}, 0x0) 1.252104155s ago: executing program 3 (id=3329): r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000300)=ANY=[@ANYBLOB="18000000240001030000000000000000010000000400ae"], 0x18}, 0x1, 0x0, 0x0, 0x8001}, 0x4000) recvmmsg(r0, &(0x7f0000000600)=[{{0x0, 0x0, 0x0}, 0x200001}, {{0x0, 0x0, 0x0}, 0x2046}, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x900}, 0x10001}, {{0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000800)=""/197, 0xc5}, {&(0x7f0000000900)=""/242, 0xf2}, {&(0x7f0000001a00)=""/4098, 0x1002}, {&(0x7f0000000440)=""/234, 0xea}, {&(0x7f0000000000)=""/26, 0x1a}], 0x5}, 0xfff}, {{0x0, 0x0, 0x0}, 0x80001}, {{0x0, 0x0, 0x0}, 0x409}, {{0x0, 0x0, &(0x7f00000000c0)=[{&(0x7f0000000540)=""/130, 0x82}, {&(0x7f0000001900)=""/229, 0xe5}, {&(0x7f0000002e00)=""/4094, 0xffe}, {&(0x7f0000006080)=""/4069, 0xfe5}, {&(0x7f00000003c0)=""/124, 0x7c}, {&(0x7f0000000340)=""/113, 0x71}], 0x6}, 0x4db}, {{0x0, 0x0, 0x0}, 0x8}], 0x8, 0x40010020, 0x0) 1.185865144s ago: executing program 4 (id=3330): mmap(&(0x7f0000000000/0xa000)=nil, 0xa000, 0x1000006, 0x4132, 0xffffffffffffffff, 0x0) mremap(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x4000, 0x3, &(0x7f0000005000/0x4000)=nil) mremap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x4000, 0x0, &(0x7f0000001000/0x4000)=nil) r0 = socket(0x10, 0x3, 0x0) mkdir(&(0x7f0000000000)='./file\x00', 0x0) mkdir(&(0x7f00000000c0)='./file/file0\x00', 0x0) open$dir(&(0x7f0000000080)='./file/file0/../\x00', 0x10000, 0x131) r1 = syz_open_dev$vim2m(&(0x7f0000000580), 0x407, 0x2) io_setup(0x9, &(0x7f0000000b80)=0x0) r3 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0xa, &(0x7f0000000040)={0x1, &(0x7f0000000000)=[{0x6, 0xff, 0x0, 0xc12}]}) io_getevents(0x0, 0x6, 0x0, 0x0, 0x0) io_submit(r2, 0x1, &(0x7f00000002c0)=[&(0x7f0000000000)={0x0, 0x0, 0x0, 0x5, 0x0, r3, 0x0}]) ioctl$vim2m_VIDIOC_S_FMT(r1, 0xc0d05605, &(0x7f0000000000)={0x0, @pix={0x8, 0x6, 0x44495658, 0x9, 0x86, 0x4, 0x2, 0xdd4, 0x1, 0x3, 0x1, 0x2}}) r4 = socket$inet_udp(0x2, 0x2, 0x0) getsockopt$sock_cred(r4, 0x1, 0x11, &(0x7f00000001c0)={0x0, 0x0}, &(0x7f0000000200)=0xc) quotactl$Q_QUOTAOFF(0xffffffff80000301, &(0x7f0000000180)=@rnullb, r5, 0x0) setsockopt$inet_IP_XFRM_POLICY(r4, 0x0, 0x11, &(0x7f0000000080)={{{@in=@loopback, @in=@rand_addr=0x64010101, 0x0, 0xdbc, 0xfffe, 0x0, 0x2}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3}, {0x0, 0x1, 0x0, 0x1000000000000000}, 0x400, 0x0, 0x1}, {{@in=@empty, 0x20000000, 0x32}, 0x2, @in6=@loopback, 0x3507, 0x4, 0x0, 0xb7, 0x0, 0x0, 0xfffffffe}}, 0xe4) sendto$inet6(r0, &(0x7f0000000100)="c10e000018001f06b9409b0dffff110d0207be040205060506100a044300040018000000fac8388827a685a168d9a44604094565360c648dcaaf6c26c291214549932fde4a460c89b6ec0cff3959547f509058ba86c902fc3a10004a320c0400160009000a00000000000000000000080756ede4ccbe5880", 0xec1, 0x0, 0x0, 0x9e5e111c47e3504f) 1.184748993s ago: executing program 1 (id=3331): r0 = socket$tipc(0x1e, 0x2, 0x0) io_setup(0x800, &(0x7f0000000500)=0x0) io_submit(r1, 0x1, &(0x7f00000004c0)=[&(0x7f00000005c0)={0x0, 0x0, 0x0, 0x5, 0x0, r0, 0x0}]) r2 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000), 0x42, 0x0) futex(0x0, 0x2, 0x0, 0x0, 0x0, 0x0) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) socket$inet6_mptcp(0xa, 0x1, 0x106) r3 = socket$inet_mptcp(0x2, 0x1, 0x106) r4 = socket$nl_xfrm(0x10, 0x3, 0x6) bind$netlink(r4, &(0x7f0000000140)={0x10, 0x0, 0x25dfdbfb, 0x10000000}, 0xc) sendmmsg(r3, &(0x7f0000002840)=[{{0x0, 0x0, 0x0}}], 0x1, 0x20044000) sendmsg$inet(r3, &(0x7f00000003c0)={&(0x7f0000000080)={0x2, 0xa, @local}, 0x10, &(0x7f00000001c0)}, 0x20000084) connect$inet(r3, &(0x7f0000000000)={0x2, 0x4e22, @empty}, 0x10) r5 = socket$nl_generic(0x10, 0x3, 0x10) r6 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000740), 0xffffffffffffffff) sendmsg$MPTCP_PM_CMD_FLUSH_ADDRS(r5, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000040)=ANY=[@ANYBLOB="ffb5c4291d3902", @ANYRES16=r6, @ANYBLOB="01002cbd7000ffdbdf2504000000"], 0x14}, 0x1, 0x0, 0x0, 0x2000c810}, 0x800) ioctl$SNDCTL_DSP_STEREO(r2, 0xc0045003, &(0x7f0000000080)=0x1) clock_settime(0x100000000000000, &(0x7f0000000040)={0x8000000000000802, 0xfffffffffffffffe}) r7 = syz_io_uring_setup(0x241d, &(0x7f0000000180)={0x0, 0xabb6, 0x13090, 0x1, 0x11b}, &(0x7f0000000100), &(0x7f0000000440)) io_uring_register$IORING_REGISTER_PERSONALITY(r7, 0x9, 0x20, 0x0) r8 = syz_usb_connect(0x2, 0x24, &(0x7f0000000240)=ANY=[@ANYRESHEX=r7, @ANYRES64=r6, @ANYRESHEX], 0x0) r9 = socket(0x400000000010, 0x3, 0x0) ioctl$sock_SIOCETHTOOL(r9, 0x89f0, &(0x7f0000000340)={'gre0\x00', &(0x7f0000000200)=@ethtool_ringparam={0x10, 0x80000001, 0x3, 0x1, 0xd, 0xefe, 0x0, 0x0, 0x8}}) syz_usb_connect(0x0, 0x4bc, &(0x7f00000004c0)=ANY=[@ANYRES16=r8, @ANYRESHEX=0x0, @ANYRES16=r2, @ANYBLOB="5e68d63877c887e14e9d56e2d61e48ff276a74d1874ae37fca7011d3b0340fe64e0a63e6f044143bef694d8b3555769efec5cd71da69304f6d82682db450029c6afe85d94cd4411fc3a472ec0c6207f5aadfab301390ca1290a5353b7f1400eaf273c15e3bd8f8ac2b8f0730d59b78f717e39419828bc83ad770ed68d91dc4243147ce72f6eac60c0c1be3749b5156ca368ea808fb48"], 0x0) 623.433577ms ago: executing program 0 (id=3332): openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0) getpgrp(0x0) add_key$user(&(0x7f00000003c0), &(0x7f0000000440), 0x0, 0x0, 0xfffffffffffffffd) chdir(&(0x7f0000000540)='./cgroup\x00') r0 = openat$dir(0xffffff9c, &(0x7f0000000240)='./cgroup\x00', 0x2002, 0x2) mkdirat(r0, &(0x7f0000000200)='./file0\x00', 0x33455aed6cbf4c1b) r1 = open(&(0x7f0000000000)='./file0\x00', 0x20000, 0x0) openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x80, 0x0) openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) socket$packet(0x11, 0x3, 0x300) socket$nl_route(0x10, 0x3, 0x0) syz_open_dev$usbfs(&(0x7f0000000100), 0x77, 0x101301) openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff}) openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='memory.swap.events\x00', 0x275a, 0x0) setsockopt$sock_attach_bpf(r2, 0x1, 0x41, 0x0, 0x0) umount2(&(0x7f0000000280)='./file0\x00', 0xc) r3 = openat$fuse(0xffffffffffffff9c, &(0x7f00000000c0), 0x2, 0x0) syz_mount_image$fuse(&(0x7f0000000040), &(0x7f0000000000)='./file0\x00', 0x0, &(0x7f0000002280)={{'fd', 0x3d, r3}, 0x2c, {'rootmode', 0x3d, 0x4000}}, 0x0, 0x0, 0x0) r4 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901) move_mount(r4, &(0x7f0000000140)='.\x00', 0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0) open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x9801) mount$fuseblk(0x0, &(0x7f0000000000)='./file0\x00', 0x0, 0x24000, 0x0) open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901) fcntl$notify(r1, 0x402, 0x8000003d) lsetxattr$security_capability(&(0x7f0000000040)='./file0\x00', &(0x7f0000000080), 0x0, 0x0, 0x1) 623.274026ms ago: executing program 3 (id=3333): r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001440), 0x2202, 0x0) io_setup(0x104, &(0x7f0000000180)=0x0) io_submit(r1, 0x3, &(0x7f0000000200)=[&(0x7f0000000080)={0x0, 0x0, 0x0, 0x1, 0x4, r0, &(0x7f0000000340)="12", 0x1, 0x7fff}, 0x0, 0x0]) r2 = openat2$dir(0xffffff9c, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040)={0x181880, 0x1a4, 0x14}, 0x18) statx(r2, &(0x7f0000000100)='./file0\x00', 0x1000, 0x40, &(0x7f0000000240)) 387.183289ms ago: executing program 3 (id=3334): socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) io_uring_enter(0xffffffffffffffff, 0xdb4, 0x0, 0x0, 0x0, 0x0) r2 = syz_open_dev$ttys(0xc, 0x2, 0x0) r3 = socket$nl_netfilter(0x10, 0x3, 0xc) setsockopt$netlink_NETLINK_ADD_MEMBERSHIP(r3, 0x10e, 0x1, &(0x7f0000000040)=0x8, 0x4) prctl$PR_SET_SECCOMP(0x16, 0x2, &(0x7f0000000180)={0x1, &(0x7f0000000040)=[{0x200000000006, 0x0, 0x0, 0x7ffc0002}]}) r4 = syz_open_dev$sg(&(0x7f00000060c0), 0x0, 0x8002) ioctl$SG_IO(r4, 0x2285, 0x0) r5 = fcntl$dupfd(r4, 0x0, r4) write$sndseq(r5, &(0x7f0000000180)=[{0x0, 0x0, 0x0, 0x0, @tick, {}, {}, @raw32}, {0x0, 0x0, 0x0, 0x0, @time, {}, {}, @quote}], 0x38) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, &(0x7f0000000080)={0x200d}) epoll_pwait(0xffffffffffffffff, &(0x7f0000000040)=[{}], 0x1, 0xfffffff3, 0x0, 0x0) r6 = dup3(0xffffffffffffffff, 0xffffffffffffffff, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, r6, &(0x7f0000000300)={0x200f}) write$6lowpan_control(r6, &(0x7f00000000c0)='connect aa:aa:aa:aa:aa:11 0', 0x1b) write$sndseq(r5, &(0x7f0000000200)=[{0x0, 0x0, 0x0, 0x0, @time={0x1, 0x81}, {}, {}, @raw32}, {0x0, 0x0, 0x0, 0x0, @time={0xfffffff9, 0x1005}, {}, {}, @raw8={"13e661fefa8c7d0d9a4be91e"}}, {0x0, 0x3f, 0x0, 0x0, @tick, {0x10}, {}, @time}, {0x0, 0x0, 0x0, 0x10, @time={0xbf9e}, {}, {}, @raw8={"448cc880fe353ca0f2c2e953"}}, {0x0, 0x3, 0x0, 0x0, @time, {0x0, 0x1f}, {}, @control={0x0, 0x8000, 0x4ee8}}], 0x8c) ioctl$SG_GET_REQUEST_TABLE(r5, 0x2286, &(0x7f00000018c0)) set_mempolicy(0x6, &(0x7f0000000180)=0x472, 0x9) r7 = gettid() timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r7}, &(0x7f0000bbdffc)) futex(&(0x7f000000cffc)=0x4, 0x80000000000b, 0xfffffffe, &(0x7f0000000100)={0x0, 0x989680}, &(0x7f0000048000)=0x1, 0x10000) timer_settime(0x0, 0x1, &(0x7f00000002c0)={{0x0, 0x989680}, {0x0, 0x3938700}}, 0x0) ioctl$TIOCSETD(r2, 0x5423, &(0x7f0000000000)=0x15) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xf, 0x4008032, 0xffffffffffffffff, 0x0) userfaultfd(0x80801) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe) 314.621996ms ago: executing program 2 (id=3335): r0 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000004c0)=ANY=[@ANYBLOB="bc010000190001000000000001003300fe880000000000000000000000000101ac1414bb00000000000000000000000000000000000000070200000000000000", @ANYRES32=0x0, @ANYRES32, @ANYBLOB="00000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000000000008000000000000000004010500fe8000000000000000000000000000bb000000003300"], 0x1bc}, 0x1, 0x0, 0x0, 0x8011}, 0x0) 25.018831ms ago: executing program 2 (id=3336): r0 = socket$netlink(0x10, 0x3, 0x4) r1 = open(&(0x7f00009e1000)='./file0\x00', 0x60840, 0x0) fcntl$setsig(r1, 0xa, 0x13) fcntl$setlease(r1, 0x400, 0x0) timer_create(0x0, &(0x7f00000000c0)={0x0, 0x12}, &(0x7f0000000280)) socketpair$nbd(0x1, 0x1, 0x0, &(0x7f00000002c0)={0xffffffffffffffff, 0xffffffffffffffff}) bpf$MAP_CREATE(0xe4ffffff00000000, &(0x7f0000004440)=@base={0x4, 0x4, 0x4, 0x40007, 0x16, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x1}, 0x50) syz_clone(0x60001600, 0x0, 0x0, 0x0, 0x0, 0x0) r3 = getpid() ioctl$TUNSETCARRIER(r1, 0x400454e2, &(0x7f0000000000)=0x1) fcntl$setownex(r2, 0xf, &(0x7f0000000100)={0x2, r3}) ioctl$sock_FIOGETOWN(r2, 0x8903, &(0x7f00000001c0)=0x0) fcntl$setown(r1, 0x8, r4) timer_settime(0x0, 0x0, &(0x7f0000000180)={{0x0, 0x989680}, {0x0, 0x1c9c380}}, 0x0) truncate(&(0x7f0000000040)='./file0\x00', 0x0) close_range(r0, 0xffffffffffffffff, 0x0) 0s ago: executing program 4 (id=3337): ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, 0x0) syz_open_dev$video4linux(&(0x7f0000000000), 0x0, 0x0) mlock(&(0x7f0000ffa000/0x3000)=nil, 0x3000) openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000), 0x20081, 0x0) r0 = openat$sndseq(0xffffffffffffff9c, 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT(r0, 0xc04c5349, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) quotactl$Q_QUOTAOFF(0xffffffff80000300, &(0x7f0000000180)=@loop={'/dev/loop', 0x0}, 0x0, 0x0) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(r2, 0x0, 0x0) sched_setattr(0x0, &(0x7f0000000100)={0x38, 0x5, 0x0, 0x1, 0x4, 0x5, 0x0, 0xfffffffffffffffe, 0xfffffffc}, 0x0) r3 = socket(0x15, 0x5, 0x0) getsockopt(r3, 0x200000000114, 0x2710, &(0x7f0000000600)=""/102389, &(0x7f0000000000)=0x18ff5) r4 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFULNL_MSG_CONFIG(r4, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f00000009c0)=ANY=[@ANYBLOB="2400000001040102000000c9fd0000000000000008000340000100000500010001"], 0x24}, 0x1, 0x0, 0x0, 0x4000000}, 0x0) r5 = socket$kcm(0x10, 0x2, 0x0) sendmsg$NFULNL_MSG_CONFIG(r4, &(0x7f0000000340)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000240)={0x1c, 0x1, 0x4, 0x5, 0x0, 0x0, {0x3}, [@NFULA_CFG_CMD={0x5, 0x1, 0x2}]}, 0x1c}, 0x1, 0x0, 0x0, 0x9af33139c2c4eaae}, 0x20) unshare(0x62040200) r6 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r6, &(0x7f0000000480)={0x0, 0x0, &(0x7f0000001f40)={&(0x7f00000004c0)=@updpolicy={0xf8, 0x19, 0x1, 0x0, 0x0, {{@in6=@rand_addr=' \x01\x00', @in=@local, 0x0, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff}, {0x0, 0xe9, 0x0, 0x0, 0x0, 0xffffffffffffffff}, {0x0, 0xa00, 0x40800000000000, 0x800000000000000}, 0x81f}, [@tmpl={0x44, 0x5, [{{@in=@multicast1, 0x0, 0x3c}, 0x0, @in=@broadcast, 0x0, 0x0, 0x3}]}]}, 0xf8}}, 0x0) r7 = socket$nl_xfrm(0x10, 0x3, 0x6) r8 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000280), r3) ioctl$sock_SIOCGIFINDEX_80211(r5, 0x8933, &(0x7f00000003c0)={'wlan1\x00'}) sendmsg$NL80211_CMD_SET_BSS(r3, &(0x7f0000019600)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x210822a}, 0xc, &(0x7f00000005c0)={&(0x7f0000019680)={0x4c, 0x0, 0x200, 0x70bd2d, 0x25dfdbfd, {{}, {@void, @void}}, [@NL80211_ATTR_P2P_OPPPS={0x5, 0xa3, 0x1}, @NL80211_ATTR_AP_ISOLATE={0x5, 0x60, 0xd}, @NL80211_ATTR_P2P_CTWINDOW={0x5, 0xa2, 0x3}, @NL80211_ATTR_BSS_SHORT_SLOT_TIME={0x5, 0x1e, 0x5}, @NL80211_ATTR_BSS_SHORT_PREAMBLE={0x5, 0x1d, 0xfb}, @NL80211_ATTR_BSS_CTS_PROT={0x5, 0x1c, 0x40}, @NL80211_ATTR_BSS_CTS_PROT={0x5}]}, 0x4c}, 0x1, 0x0, 0x0, 0x4081}, 0x8) sendmsg$nl_xfrm(r7, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000340)={&(0x7f00000009c0)=@migrate={0xa0, 0x21, 0x1, 0x0, 0x4, {{@in6=@mcast1, @in6=@private2, 0x0, 0x0, 0x0, 0x0, 0xa}}, [@migrate={0x50, 0x11, [{@in6=@mcast2, @in=@private=0xa010100, @in6=@private1={0xfc, 0x1, '\x00', 0x1}, @in=@private=0xa010100, 0x3c, 0x0, 0x0, 0xfffffffd, 0xa, 0xa}]}]}, 0xa0}, 0x1, 0x0, 0x0, 0x4090}, 0x0) setsockopt$inet_sctp6_SCTP_PARTIAL_DELIVERY_POINT(r3, 0x84, 0x13, &(0x7f0000000040)=0x6, 0x4) sendmsg$NL80211_CMD_SET_MAC_ACL(r3, &(0x7f00000197c0)={&(0x7f0000019640)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000019780)={&(0x7f0000019900)={0x144, r8, 0x800, 0x70bd2a, 0xa5dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_ACL_POLICY={0x8, 0xa5, 0x2}, @NL80211_ATTR_MAC_ADDRS={0x70, 0xa6, 0x0, 0x1, [{0xa, 0x6, @device_b}, {0xa, 0x6, @broadcast}, {0xa, 0x6, @device_b}, {0xa, 0x6, @broadcast}, {0xa}, {0xa, 0x6, @device_b}, {0xa, 0x6, @broadcast}, {0xa}, {0xa, 0x6, @device_b}]}, @NL80211_ATTR_ACL_POLICY={0x8}, @NL80211_ATTR_MAC_ADDRS={0x10, 0xa6, 0x0, 0x1, [{0xa}]}, @NL80211_ATTR_MAC_ADDRS={0x4}, @NL80211_ATTR_ACL_POLICY={0x8}, @NL80211_ATTR_MAC_ADDRS={0x40, 0xa6, 0x0, 0x1, [{0xa, 0x6, @device_b}, {0xa}, {0xa, 0x6, @device_b}, {0xa, 0x6, @device_b}, {0xa}]}, @NL80211_ATTR_MAC_ADDRS={0x4c, 0xa6, 0x0, 0x1, [{0xa}, {0xa, 0x6, @broadcast}, {0xa}, {0xa, 0x6, @device_b}, {0xa, 0x6, @device_b}, {0xa, 0x6, @broadcast}]}, @NL80211_ATTR_ACL_POLICY={0x8, 0xa5, 0x1}]}, 0x144}, 0x1, 0x0, 0x0, 0x4000}, 0x8800) kernel console output (not intermixed with test programs): DC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 903.944190][T15929] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 903.988559][T15707] veth0_macvtap: entered promiscuous mode [ 904.036351][T15707] veth1_macvtap: entered promiscuous mode [ 904.123568][T15707] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 904.200662][T15707] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 904.271607][ T12] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 904.306119][ T12] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 904.349589][ T12] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 904.367374][ T12] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 904.600957][ T10] usb 5-1: USB disconnect, device number 82 [ 904.825867][ T1338] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 904.855533][ T1338] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 904.945002][T12673] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 904.964761][T12673] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 905.387028][T15954] netlink: 20 bytes leftover after parsing attributes in process `syz.1.2902'. [ 905.434690][ T30] audit: type=1326 audit(1754901931.133:2732): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=15943 comm="syz.3.2847" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7f98539 code=0x7ffc0000 [ 905.728217][ T30] audit: type=1326 audit(1754901931.133:2733): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=15943 comm="syz.3.2847" exe="/root/syz-executor" sig=0 arch=40000003 syscall=231 compat=1 ip=0xf7f98539 code=0x7ffc0000 [ 905.750514][ C0] vkms_vblank_simulate: vblank timer overrun [ 905.854285][T15705] Bluetooth: hci3: command 0x0c1a tx timeout [ 905.894152][ T30] audit: type=1326 audit(1754901931.133:2734): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=15943 comm="syz.3.2847" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7f98539 code=0x7ffc0000 [ 905.922142][ T30] audit: type=1326 audit(1754901931.133:2735): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=15943 comm="syz.3.2847" exe="/root/syz-executor" sig=0 arch=40000003 syscall=172 compat=1 ip=0xf7f98539 code=0x7ffc0000 [ 905.981448][ T9] usb 4-1: new high-speed USB device number 59 using dummy_hcd [ 905.989543][ T30] audit: type=1326 audit(1754901931.133:2736): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=15943 comm="syz.3.2847" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7f98539 code=0x7ffc0000 [ 906.081693][ T30] audit: type=1326 audit(1754901931.133:2737): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=15943 comm="syz.3.2847" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7f98539 code=0x7ffc0000 [ 906.149723][ T30] audit: type=1326 audit(1754901931.133:2738): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=15943 comm="syz.3.2847" exe="/root/syz-executor" sig=0 arch=40000003 syscall=295 compat=1 ip=0xf7f98539 code=0x7ffc0000 [ 906.201392][ T9] usb 4-1: Using ep0 maxpacket: 16 [ 906.434241][ T30] audit: type=1326 audit(1754901931.133:2739): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=15943 comm="syz.3.2847" exe="/root/syz-executor" sig=0 arch=40000003 syscall=54 compat=1 ip=0xf7f98539 code=0x7ffc0000 [ 906.761746][ T30] audit: type=1326 audit(1754901931.133:2740): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=15943 comm="syz.3.2847" exe="/root/syz-executor" sig=0 arch=40000003 syscall=54 compat=1 ip=0xf7f98539 code=0x7ffc0000 [ 906.862126][ T30] audit: type=1326 audit(1754901931.143:2741): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=15943 comm="syz.3.2847" exe="/root/syz-executor" sig=0 arch=40000003 syscall=54 compat=1 ip=0xf7f98539 code=0x7ffc0000 [ 907.387451][T15982] netlink: 4 bytes leftover after parsing attributes in process `syz.1.2908'. [ 907.415702][T15982] netlink: 4 bytes leftover after parsing attributes in process `syz.1.2908'. [ 907.554727][T15982] netlink: 104 bytes leftover after parsing attributes in process `syz.1.2908'. [ 907.580422][T15982] netlink: 104 bytes leftover after parsing attributes in process `syz.1.2908'. [ 907.988337][T15995] netlink: 8 bytes leftover after parsing attributes in process `syz.2.2913'. [ 908.395704][ T9] usb 4-1: unable to get BOS descriptor or descriptor too short [ 908.414580][ T9] usb 4-1: unable to read config index 0 descriptor/start: -71 [ 908.437691][ T9] usb 4-1: can't read configurations, error -71 [ 908.481465][ T5864] usb 2-1: new high-speed USB device number 84 using dummy_hcd [ 908.646102][ T5864] usb 2-1: Using ep0 maxpacket: 32 [ 908.687531][ T5864] usb 2-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 908.819271][ T5864] usb 2-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 908.872033][ T5864] usb 2-1: New USB device found, idVendor=1e7d, idProduct=2d5a, bcdDevice= 0.00 [ 908.894586][ T5864] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 908.915364][ T5864] usb 2-1: config 0 descriptor?? [ 909.030772][T16014] hfs: unable to load iocharset "io#harsmt" [ 909.185861][ T5864] savu 0003:1E7D:2D5A.001A: hiddev0,hidraw0: USB HID v0.00 Device [HID 1e7d:2d5a] on usb-dummy_hcd.1-1/input0 [ 909.422806][T16001] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 909.433977][T16001] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 909.469470][ T5864] usb 2-1: USB disconnect, device number 84 [ 910.059354][T16026] fido_id[16026]: Failed to open report descriptor at '/sys/devices/platform/dummy_hcd.1/usb2/2-1/report_descriptor': No such file or directory [ 910.123746][T16035] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 910.156985][T16035] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 910.360792][ T24] usb 3-1: new high-speed USB device number 71 using dummy_hcd [ 910.710051][T16050] netlink: 8 bytes leftover after parsing attributes in process `syz.3.2923'. [ 910.740421][T16050] netlink: 4 bytes leftover after parsing attributes in process `syz.3.2923'. [ 910.981683][T16058] netlink: 20 bytes leftover after parsing attributes in process `syz.4.2919'. [ 911.921324][ T30] kauditd_printk_skb: 65 callbacks suppressed [ 911.921346][ T30] audit: type=1326 audit(1754901937.613:2807): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=16070 comm="syz.1.2928" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7fc5539 code=0x7ffc0000 [ 911.949648][ C0] vkms_vblank_simulate: vblank timer overrun [ 912.061485][ T30] audit: type=1326 audit(1754901937.613:2808): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=16070 comm="syz.1.2928" exe="/root/syz-executor" sig=0 arch=40000003 syscall=231 compat=1 ip=0xf7fc5539 code=0x7ffc0000 [ 912.083690][ C0] vkms_vblank_simulate: vblank timer overrun [ 912.152545][ T9] usb 2-1: new high-speed USB device number 85 using dummy_hcd [ 912.160442][ T30] audit: type=1326 audit(1754901937.613:2809): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=16070 comm="syz.1.2928" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7fc5539 code=0x7ffc0000 [ 912.182538][ C0] vkms_vblank_simulate: vblank timer overrun [ 912.261580][ T30] audit: type=1326 audit(1754901937.613:2810): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=16070 comm="syz.1.2928" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7fc5539 code=0x7ffc0000 [ 912.283745][ C0] vkms_vblank_simulate: vblank timer overrun [ 912.400251][ T9] usb 2-1: Using ep0 maxpacket: 16 [ 912.481425][ T30] audit: type=1326 audit(1754901937.613:2811): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=16070 comm="syz.1.2928" exe="/root/syz-executor" sig=0 arch=40000003 syscall=172 compat=1 ip=0xf7fc5539 code=0x7ffc0000 [ 912.504031][ C0] vkms_vblank_simulate: vblank timer overrun [ 912.513787][ T30] audit: type=1326 audit(1754901937.613:2812): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=16070 comm="syz.1.2928" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7fc5539 code=0x7ffc0000 [ 912.535979][ C0] vkms_vblank_simulate: vblank timer overrun [ 912.691379][ T30] audit: type=1326 audit(1754901937.613:2813): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=16070 comm="syz.1.2928" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7fc5539 code=0x7ffc0000 [ 913.084624][ T30] audit: type=1326 audit(1754901937.613:2814): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=16070 comm="syz.1.2928" exe="/root/syz-executor" sig=0 arch=40000003 syscall=295 compat=1 ip=0xf7fc5539 code=0x7ffc0000 [ 913.130993][ T30] audit: type=1326 audit(1754901937.613:2815): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=16070 comm="syz.1.2928" exe="/root/syz-executor" sig=0 arch=40000003 syscall=54 compat=1 ip=0xf7fc5539 code=0x7ffc0000 [ 913.169196][T16095] netlink: 20 bytes leftover after parsing attributes in process `syz.0.2932'. [ 913.196071][ T30] audit: type=1326 audit(1754901937.613:2816): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=16070 comm="syz.1.2928" exe="/root/syz-executor" sig=0 arch=40000003 syscall=54 compat=1 ip=0xf7fc5539 code=0x7ffc0000 [ 915.482608][ T9] usb 2-1: unable to get BOS descriptor or descriptor too short [ 915.503529][T16119] netlink: 28 bytes leftover after parsing attributes in process `syz.2.2940'. [ 915.618877][ T9] usb 2-1: unable to read config index 0 descriptor/start: -71 [ 915.654525][T16119] netlink: 28 bytes leftover after parsing attributes in process `syz.2.2940'. [ 915.726460][ T9] usb 2-1: can't read configurations, error -71 [ 917.133357][ T24] usb 3-1: new high-speed USB device number 72 using dummy_hcd [ 917.332085][ T24] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x7 has invalid wMaxPacketSize 0 [ 917.374680][ T24] usb 3-1: config 0 interface 0 altsetting 0 bulk endpoint 0x7 has invalid maxpacket 0 [ 917.421506][ T24] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x89 has invalid wMaxPacketSize 0 [ 917.567893][ T24] usb 3-1: config 0 interface 0 altsetting 0 bulk endpoint 0x89 has invalid maxpacket 0 [ 917.601514][ T24] usb 3-1: New USB device found, idVendor=2040, idProduct=4900, bcdDevice=4d.8b [ 917.621255][ T24] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 917.673271][ T24] usb 3-1: config 0 descriptor?? [ 917.821541][ T9] usb 5-1: new high-speed USB device number 83 using dummy_hcd [ 917.887209][ T1338] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 917.983466][ T9] usb 5-1: Using ep0 maxpacket: 16 [ 918.006150][ T9] usb 5-1: New USB device found, idVendor=1604, idProduct=8007, bcdDevice=af.a6 [ 918.025980][ T9] usb 5-1: New USB device strings: Mfr=1, Product=23, SerialNumber=3 [ 918.054347][ T9] usb 5-1: Product: syz [ 918.068906][ T9] usb 5-1: Manufacturer: syz [ 918.082440][ T9] usb 5-1: SerialNumber: syz [ 918.090440][ T1338] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 918.110289][ T9] usb 5-1: config 0 descriptor?? [ 918.232162][ T5875] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 918.242465][ T5875] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 918.260920][ T5875] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 918.283412][ T1338] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 918.291633][ T5864] usb 4-1: new high-speed USB device number 61 using dummy_hcd [ 918.304855][ T5875] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 918.315435][ T5875] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 918.379744][ T10] usb 5-1: USB disconnect, device number 83 [ 918.455198][ T5864] usb 4-1: Using ep0 maxpacket: 8 [ 918.465210][ T5864] usb 4-1: config index 0 descriptor too short (expected 301, got 45) [ 918.474539][ T5864] usb 4-1: config 16 interface 0 altsetting 0 endpoint 0x5 has invalid wMaxPacketSize 0 [ 918.486953][ T5864] usb 4-1: config 16 interface 0 altsetting 0 bulk endpoint 0x5 has invalid maxpacket 0 [ 918.499687][ T1338] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 918.512853][ T5864] usb 4-1: config 16 interface 0 altsetting 0 bulk endpoint 0x8B has invalid maxpacket 32 [ 918.522978][ T5864] usb 4-1: config 16 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 3 [ 918.537033][ T5864] usb 4-1: New USB device found, idVendor=ee8d, idProduct=db1e, bcdDevice=61.23 [ 918.550733][ T5864] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 918.786007][ T5864] usb 4-1: usb_control_msg returned -32 [ 918.794803][ T5864] usbtmc 4-1:16.0: can't read capabilities [ 919.145766][T16166] usbtmc 4-1:16.0: usb_control_msg returned -32 [ 919.252202][ T1338] bridge_slave_1: left allmulticast mode [ 919.260350][ T1338] bridge_slave_1: left promiscuous mode [ 919.272811][ T928] usb 4-1: USB disconnect, device number 61 [ 919.377677][ T1338] bridge0: port 2(bridge_slave_1) entered disabled state [ 919.668003][ T1338] bridge_slave_0: left allmulticast mode [ 919.713138][ T24] hdpvr 3-1:0.0: unexpected answer of status request, len -71 [ 919.763538][ T1338] bridge_slave_0: left promiscuous mode [ 919.786266][ T24] hdpvr 3-1:0.0: device init failed [ 919.799242][ T24] hdpvr 3-1:0.0: probe with driver hdpvr failed with error -12 [ 919.827994][ T24] usb 3-1: USB disconnect, device number 72 [ 919.834253][ T1338] bridge0: port 1(bridge_slave_0) entered disabled state [ 920.034163][ T1338] vlan2: left promiscuous mode [ 920.038998][ T1338] bridge0: left promiscuous mode [ 920.088554][ T1338] bridge3: port 1(vlan2) entered disabled state [ 920.098001][T16172] netlink: 12 bytes leftover after parsing attributes in process `syz.2.2955'. [ 920.148466][T16172] netlink: 12 bytes leftover after parsing attributes in process `syz.2.2955'. [ 920.161582][T16172] netlink: 50 bytes leftover after parsing attributes in process `syz.2.2955'. [ 920.411482][T15705] Bluetooth: hci2: command tx timeout [ 920.711656][ T24] usb 3-1: new low-speed USB device number 73 using dummy_hcd [ 920.882535][ T24] usb 3-1: Invalid ep0 maxpacket: 64 [ 921.041535][ T24] usb 3-1: new low-speed USB device number 74 using dummy_hcd [ 921.211723][T16194] netlink: 'syz.4.2963': attribute type 10 has an invalid length. [ 921.221374][ T24] usb 3-1: Invalid ep0 maxpacket: 64 [ 921.227085][ T24] usb usb3-port1: attempt power cycle [ 921.576167][ T24] usb 3-1: new low-speed USB device number 75 using dummy_hcd [ 921.615590][ T24] usb 3-1: Invalid ep0 maxpacket: 64 [ 921.751454][ T24] usb 3-1: new low-speed USB device number 76 using dummy_hcd [ 921.803842][ T24] usb 3-1: Invalid ep0 maxpacket: 64 [ 921.816182][ T24] usb usb3-port1: unable to enumerate USB device [ 922.013995][ T1338] bond0 (unregistering): left promiscuous mode [ 922.021477][ T1338] bond_slave_0: left promiscuous mode [ 922.030704][ T1338] bond_slave_1: left promiscuous mode [ 922.040878][ T1338] team0: left promiscuous mode [ 922.046659][ T1338] team_slave_0: left promiscuous mode [ 922.061634][ T1338] team_slave_1: left promiscuous mode [ 922.457165][ T1338] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 922.472718][ T1338] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 922.487992][ T1338] bond0 (unregistering): (slave team0): Releasing backup interface [ 922.491517][T15705] Bluetooth: hci2: command tx timeout [ 922.506596][ T1338] bond0 (unregistering): Released all slaves [ 922.676627][ T1338] bond1 (unregistering): (slave vlan0): Releasing active interface [ 922.687540][ T1338] bond1 (unregistering): Released all slaves [ 922.843363][ T1338] bond2 (unregistering): Released all slaves [ 922.890569][T16197] netlink: 'syz.1.2964': attribute type 12 has an invalid length. [ 922.915378][T16197] netlink: 132 bytes leftover after parsing attributes in process `syz.1.2964'. [ 923.040546][T16203] FAULT_INJECTION: forcing a failure. [ 923.040546][T16203] name failslab, interval 1, probability 0, space 0, times 0 [ 923.063737][ T1338] tipc: Disabling bearer [ 923.064358][T16203] CPU: 0 UID: 0 PID: 16203 Comm: syz.3.2966 Not tainted 6.17.0-rc1-syzkaller #0 PREEMPT(full) [ 923.064383][T16203] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 923.064395][T16203] Call Trace: [ 923.064403][T16203] [ 923.064411][T16203] dump_stack_lvl+0x189/0x250 [ 923.064440][T16203] ? __pfx____ratelimit+0x10/0x10 [ 923.064465][T16203] ? __pfx_dump_stack_lvl+0x10/0x10 [ 923.064486][T16203] ? __pfx__printk+0x10/0x10 [ 923.064517][T16203] ? __pfx___might_resched+0x10/0x10 [ 923.064540][T16203] should_fail_ex+0x414/0x560 [ 923.064569][T16203] should_failslab+0xa8/0x100 [ 923.064597][T16203] kmem_cache_alloc_node_noprof+0x76/0x3c0 [ 923.064623][T16203] ? __alloc_skb+0x112/0x2d0 [ 923.064654][T16203] __alloc_skb+0x112/0x2d0 [ 923.064684][T16203] netlink_sendmsg+0x5c6/0xb30 [ 923.064719][T16203] ? __pfx_netlink_sendmsg+0x10/0x10 [ 923.064748][T16203] ? __import_iovec+0x5d4/0x7f0 [ 923.064777][T16203] ? aa_sock_msg_perm+0xf1/0x1d0 [ 923.064806][T16203] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 923.064826][T16203] ? __pfx_netlink_sendmsg+0x10/0x10 [ 923.064852][T16203] __sock_sendmsg+0x21c/0x270 [ 923.064879][T16203] ____sys_sendmsg+0x505/0x830 [ 923.064904][T16203] ? __pfx_____sys_sendmsg+0x10/0x10 [ 923.064939][T16203] ___sys_sendmsg+0x21f/0x2a0 [ 923.064960][T16203] ? __pfx____sys_sendmsg+0x10/0x10 [ 923.065015][T16203] ? __fget_files+0x2a/0x420 [ 923.065032][T16203] ? __fget_files+0x3a0/0x420 [ 923.065059][T16203] __sys_sendmsg+0x164/0x220 [ 923.065080][T16203] ? __pfx___sys_sendmsg+0x10/0x10 [ 923.065115][T16203] ? lockdep_hardirqs_on+0x9c/0x150 [ 923.065143][T16203] __do_fast_syscall_32+0xb6/0x2b0 [ 923.065170][T16203] ? lockdep_hardirqs_on+0x9c/0x150 [ 923.065197][T16203] do_fast_syscall_32+0x34/0x80 [ 923.065223][T16203] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 923.065245][T16203] RIP: 0023:0xf7f98539 [ 923.065261][T16203] Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 923.065277][T16203] RSP: 002b:00000000f54b655c EFLAGS: 00000206 ORIG_RAX: 0000000000000172 [ 923.065298][T16203] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000080000080 [ 923.065311][T16203] RDX: 0000000020000080 RSI: 0000000000000000 RDI: 0000000000000000 [ 923.065323][T16203] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 923.065333][T16203] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 [ 923.065344][T16203] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 923.065372][T16203] [ 923.132930][T16205] netlink: 16 bytes leftover after parsing attributes in process `syz.4.2967'. [ 923.139806][ T1338] tipc: Left network mode [ 923.216356][T16205] netlink: 3 bytes leftover after parsing attributes in process `syz.4.2967'. [ 923.396927][T16158] chnl_net:caif_netlink_parms(): no params data found [ 923.901427][T16234] netlink: 4 bytes leftover after parsing attributes in process `syz.2.2976'. [ 923.953932][T16158] bridge0: port 1(bridge_slave_0) entered blocking state [ 923.961151][T16158] bridge0: port 1(bridge_slave_0) entered disabled state [ 924.007560][T16158] bridge_slave_0: entered allmulticast mode [ 924.017870][T16235] kvm_intel: set kvm_intel.dump_invalid_vmcs=1 to dump internal KVM state. [ 924.045421][T16158] bridge_slave_0: entered promiscuous mode [ 924.100749][T16158] bridge0: port 2(bridge_slave_1) entered blocking state [ 924.137701][T16158] bridge0: port 2(bridge_slave_1) entered disabled state [ 924.165040][T16158] bridge_slave_1: entered allmulticast mode [ 924.187773][T16158] bridge_slave_1: entered promiscuous mode [ 924.411244][T16158] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 924.460483][T16250] netlink: 12 bytes leftover after parsing attributes in process `syz.4.2980'. [ 924.539071][T16158] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 924.575948][T15705] Bluetooth: hci2: command tx timeout [ 924.703782][T16158] team0: Port device team_slave_0 added [ 924.865442][T16158] team0: Port device team_slave_1 added [ 924.995026][T16272] netlink: 12 bytes leftover after parsing attributes in process `syz.1.2987'. [ 925.296774][T16272] 8021q: adding VLAN 0 to HW filter on device bond2 [ 925.393203][T16277] vcan0: entered promiscuous mode [ 925.412925][T16277] 8021q: adding VLAN 0 to HW filter on device bond2 [ 925.431872][T16277] bond2: (slave vcan0): The slave device specified does not support setting the MAC address [ 925.448875][T16277] bond2: (slave vcan0): Error -95 calling set_mac_address [ 925.490969][T16158] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 925.508410][T16158] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 925.537920][T16158] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 925.554257][T16158] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 925.561511][T16158] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 925.598984][T16158] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 926.117432][ T1338] veth1_macvtap: left promiscuous mode [ 926.123266][ T1338] veth0_macvtap: left allmulticast mode [ 926.148657][ T1338] veth0_macvtap: left promiscuous mode [ 926.159309][ T1338] veth1_vlan: left promiscuous mode [ 926.164839][ T1338] veth0_vlan: left promiscuous mode [ 926.511635][T16300] netlink: 36 bytes leftover after parsing attributes in process `syz.2.2994'. [ 926.524743][T16301] FAULT_INJECTION: forcing a failure. [ 926.524743][T16301] name failslab, interval 1, probability 0, space 0, times 0 [ 926.561589][T16301] CPU: 1 UID: 0 PID: 16301 Comm: syz.1.2993 Not tainted 6.17.0-rc1-syzkaller #0 PREEMPT(full) [ 926.561625][T16301] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 926.561638][T16301] Call Trace: [ 926.561647][T16301] [ 926.561656][T16301] dump_stack_lvl+0x189/0x250 [ 926.561686][T16301] ? __pfx____ratelimit+0x10/0x10 [ 926.561715][T16301] ? __pfx_dump_stack_lvl+0x10/0x10 [ 926.561739][T16301] ? __pfx__printk+0x10/0x10 [ 926.561781][T16301] ? __pfx___might_resched+0x10/0x10 [ 926.561802][T16301] ? fs_reclaim_acquire+0x7d/0x100 [ 926.561838][T16301] should_fail_ex+0x414/0x560 [ 926.561870][T16301] should_failslab+0xa8/0x100 [ 926.561900][T16301] __kmalloc_noprof+0xcb/0x4f0 [ 926.561926][T16301] ? tomoyo_encode+0x28b/0x550 [ 926.561951][T16301] tomoyo_encode+0x28b/0x550 [ 926.561977][T16301] tomoyo_realpath_from_path+0x58d/0x5d0 [ 926.562010][T16301] ? tomoyo_path_number_perm+0x1bc/0x5a0 [ 926.562038][T16301] tomoyo_path_number_perm+0x1e8/0x5a0 [ 926.562068][T16301] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 926.562116][T16301] ? __lock_acquire+0xab9/0xd20 [ 926.562169][T16301] ? __fget_files+0x2a/0x420 [ 926.562194][T16301] ? __fget_files+0x3a0/0x420 [ 926.562211][T16301] ? __fget_files+0x2a/0x420 [ 926.562234][T16301] security_file_ioctl_compat+0xcb/0x2d0 [ 926.562261][T16301] __ia32_compat_sys_ioctl+0x128/0x840 [ 926.562287][T16301] ? __pfx___ia32_compat_sys_ioctl+0x10/0x10 [ 926.562310][T16301] ? __fget_files+0x3a0/0x420 [ 926.562335][T16301] ? fput+0xa0/0xd0 [ 926.562356][T16301] ? ksys_write+0x22a/0x250 [ 926.562392][T16301] ? lockdep_hardirqs_on+0x9c/0x150 [ 926.562423][T16301] __do_fast_syscall_32+0xb6/0x2b0 [ 926.562453][T16301] ? lockdep_hardirqs_on+0x9c/0x150 [ 926.562484][T16301] do_fast_syscall_32+0x34/0x80 [ 926.562511][T16301] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 926.562534][T16301] RIP: 0023:0xf7fc5539 [ 926.562551][T16301] Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 926.562569][T16301] RSP: 002b:00000000f54e655c EFLAGS: 00000206 ORIG_RAX: 0000000000000036 [ 926.562591][T16301] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000004605 [ 926.562606][T16301] RDX: 0000000080000180 RSI: 0000000000000000 RDI: 0000000000000000 [ 926.562618][T16301] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 926.562629][T16301] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 [ 926.562640][T16301] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 926.562671][T16301] [ 926.562724][T16301] ERROR: Out of memory at tomoyo_realpath_from_path. [ 926.724678][T15705] Bluetooth: hci2: command tx timeout [ 926.772214][ C0] vkms_vblank_simulate: vblank timer overrun [ 927.323781][ T10] usb 2-1: new full-speed USB device number 87 using dummy_hcd [ 927.491433][ T10] usb 2-1: config 0 has an invalid interface number: 20 but max is 0 [ 927.499879][ T10] usb 2-1: config 0 has no interface number 0 [ 927.511562][ T10] usb 2-1: config 0 interface 20 altsetting 0 endpoint 0x6 has invalid maxpacket 1023, setting to 64 [ 927.551699][ T10] usb 2-1: config 0 interface 20 altsetting 0 endpoint 0x82 has invalid wMaxPacketSize 0 [ 927.635600][T16314] netlink: 'syz.3.2995': attribute type 4 has an invalid length. [ 927.696406][T16315] netlink: 'syz.3.2995': attribute type 4 has an invalid length. [ 927.734062][ T10] usb 2-1: New USB device found, idVendor=04e6, idProduct=0003, bcdDevice= 1.00 [ 927.743478][ T10] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 927.769884][ T10] usb 2-1: Product: syz [ 927.785928][ T10] usb 2-1: Manufacturer: syz [ 927.825401][ T10] usb 2-1: SerialNumber: syz [ 927.909522][ T10] usb 2-1: config 0 descriptor?? [ 927.916473][T16309] raw-gadget.0 gadget.1: fail, usb_ep_enable returned -22 [ 927.932368][ T10] ums-sddr09 2-1:0.20: USB Mass Storage device detected [ 927.936577][T16318] openvswitch: netlink: Unexpected mask (mask=200040, allowed=10048) [ 928.187424][ T1338] team0 (unregistering): Port device team_slave_1 removed [ 928.199039][ T10] ums-sddr09 2-1:0.20: probe with driver ums-sddr09 failed with error -22 [ 928.301034][ T1338] team0 (unregistering): Port device team_slave_0 removed [ 929.088112][T16300] macvlan0: entered promiscuous mode [ 929.095281][T16300] macvlan0: entered allmulticast mode [ 929.101017][T16300] veth1_vlan: entered allmulticast mode [ 929.117656][T16309] netlink: 'syz.1.2996': attribute type 12 has an invalid length. [ 929.133093][T16309] netlink: 132 bytes leftover after parsing attributes in process `syz.1.2996'. [ 929.188738][ T928] usb 2-1: USB disconnect, device number 87 [ 929.205709][T16158] hsr_slave_0: entered promiscuous mode [ 929.239959][T16158] hsr_slave_1: entered promiscuous mode [ 929.287263][T16158] debugfs: 'hsr0' already exists in 'hsr' [ 929.313318][T16158] Cannot create hsr debugfs directory [ 929.785564][T16342] netlink: 'syz.3.3000': attribute type 5 has an invalid length. [ 930.015065][T16342] ip6erspan0: entered promiscuous mode [ 930.196777][ T1338] IPVS: stop unused estimator thread 0... [ 930.796083][T16359] netlink: 32 bytes leftover after parsing attributes in process `syz.4.3004'. [ 931.348393][T16367] netlink: 12 bytes leftover after parsing attributes in process `syz.4.3006'. [ 931.441440][ T928] usb 2-1: new high-speed USB device number 88 using dummy_hcd [ 931.583762][ T928] usb 2-1: device descriptor read/64, error -71 [ 931.867376][ T1305] ieee802154 phy0 wpan0: encryption failed: -22 [ 931.869637][ T928] usb 2-1: new high-speed USB device number 89 using dummy_hcd [ 931.874079][ T1305] ieee802154 phy1 wpan1: encryption failed: -22 [ 932.032608][ T928] usb 2-1: device descriptor read/64, error -71 [ 932.181770][ T928] usb usb2-port1: attempt power cycle [ 932.290917][T16158] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 932.318201][T16158] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 932.321185][T16158] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 932.325143][T16158] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 932.402969][T16383] tipc: Enabled bearer , priority 0 [ 932.420607][T16383] syzkaller0: entered promiscuous mode [ 932.432688][T16383] syzkaller0: entered allmulticast mode [ 932.521840][T16383] tipc: Resetting bearer [ 932.538100][T16382] tipc: Resetting bearer [ 932.554870][T16382] tipc: Disabling bearer [ 932.561400][ T928] usb 2-1: new high-speed USB device number 90 using dummy_hcd [ 932.844647][ T928] usb 2-1: device descriptor read/8, error -71 [ 932.947964][T16158] 8021q: adding VLAN 0 to HW filter on device bond0 [ 933.091805][ T928] usb 2-1: new high-speed USB device number 91 using dummy_hcd [ 933.112106][ T928] usb 2-1: device descriptor read/8, error -71 [ 933.184163][T16401] netlink: 'syz.3.3009': attribute type 6 has an invalid length. [ 933.192572][T16401] netlink: 'syz.3.3009': attribute type 1 has an invalid length. [ 933.200785][T16401] netlink: 193500 bytes leftover after parsing attributes in process `syz.3.3009'. [ 933.222110][ T928] usb usb2-port1: unable to enumerate USB device [ 933.354689][T16409] netlink: 8 bytes leftover after parsing attributes in process `syz.4.3012'. [ 933.370821][T16158] 8021q: adding VLAN 0 to HW filter on device team0 [ 933.437190][T16410] netlink: 'syz.3.3009': attribute type 3 has an invalid length. [ 933.448190][T16410] netlink: 8 bytes leftover after parsing attributes in process `syz.3.3009'. [ 933.490340][ T1338] bridge0: port 1(bridge_slave_0) entered blocking state [ 933.497636][ T1338] bridge0: port 1(bridge_slave_0) entered forwarding state [ 933.542157][ T1155] bridge0: port 2(bridge_slave_1) entered blocking state [ 933.549393][ T1155] bridge0: port 2(bridge_slave_1) entered forwarding state [ 934.260123][T16158] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 934.613654][T16158] veth0_vlan: entered promiscuous mode [ 934.648944][T16158] veth1_vlan: entered promiscuous mode [ 934.800214][T16158] veth0_macvtap: entered promiscuous mode [ 935.031973][T16440] fuse: Bad value for 'fd' [ 935.066002][ T5875] Bluetooth: hci2: command 0x0405 tx timeout [ 935.144974][T16158] veth1_macvtap: entered promiscuous mode [ 935.366316][T16158] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 935.466008][T15705] Bluetooth: hci0: command 0x0406 tx timeout [ 935.615391][T16399] Bluetooth: hci0: Opcode 0x0c1a failed: -110 [ 935.666638][T16158] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 935.812485][T16399] Bluetooth: hci1: Opcode 0x0c1a failed: -4 [ 935.874084][ T1146] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 935.883545][T16399] Bluetooth: hci4: Opcode 0x0c1a failed: -4 [ 935.969330][T16444] hfs: unable to load iocharset "io#harsmt" [ 936.007367][ T1146] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 936.045794][T16399] Bluetooth: hci3: Opcode 0x0c1a failed: -4 [ 936.075999][T16399] Bluetooth: hci2: Opcode 0x0c1a failed: -4 [ 936.132742][T16399] Bluetooth: hci2: Opcode 0x0406 failed: -4 [ 936.205920][ T1146] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 936.244703][ T1146] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 936.266239][T16399] Bluetooth: hci2: Opcode 0x0406 failed: -4 [ 936.955411][ T12] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 937.000170][ T12] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 937.008325][T16462] netlink: 4 bytes leftover after parsing attributes in process `syz.4.3018'. [ 937.061825][T16462] netlink: 4 bytes leftover after parsing attributes in process `syz.4.3018'. [ 937.103175][T16462] netlink: 104 bytes leftover after parsing attributes in process `syz.4.3018'. [ 937.120568][ T12] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 937.134026][T16462] netlink: 104 bytes leftover after parsing attributes in process `syz.4.3018'. [ 937.139115][ T12] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 937.176467][T16464] netlink: 16 bytes leftover after parsing attributes in process `syz.3.3019'. [ 937.311017][T16464] bond1: entered promiscuous mode [ 937.318066][T16464] bond1: entered allmulticast mode [ 937.342770][T16464] 8021q: adding VLAN 0 to HW filter on device bond1 [ 937.461576][ T928] usb 2-1: new high-speed USB device number 92 using dummy_hcd [ 937.636850][ T928] usb 2-1: Using ep0 maxpacket: 32 [ 937.654433][ T928] usb 2-1: unable to read config index 0 descriptor/start: -61 [ 937.674325][ T928] usb 2-1: can't read configurations, error -61 [ 937.748211][T16485] FAULT_INJECTION: forcing a failure. [ 937.748211][T16485] name failslab, interval 1, probability 0, space 0, times 0 [ 937.777596][T16485] CPU: 0 UID: 0 PID: 16485 Comm: syz.2.3024 Not tainted 6.17.0-rc1-syzkaller #0 PREEMPT(full) [ 937.777628][T16485] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 937.777653][T16485] Call Trace: [ 937.777662][T16485] [ 937.777671][T16485] dump_stack_lvl+0x189/0x250 [ 937.777702][T16485] ? __pfx____ratelimit+0x10/0x10 [ 937.777730][T16485] ? __pfx_dump_stack_lvl+0x10/0x10 [ 937.777754][T16485] ? __pfx__printk+0x10/0x10 [ 937.777789][T16485] ? do_raw_spin_lock+0x121/0x290 [ 937.777817][T16485] should_fail_ex+0x414/0x560 [ 937.777851][T16485] should_failslab+0xa8/0x100 [ 937.777882][T16485] kmem_cache_alloc_node_noprof+0x76/0x3c0 [ 937.777909][T16485] ? __alloc_skb+0x112/0x2d0 [ 937.777943][T16485] __alloc_skb+0x112/0x2d0 [ 937.777977][T16485] xfrm_send_policy_notify+0x29d/0x1bb0 [ 937.778004][T16485] ? __lock_acquire+0xab9/0xd20 [ 937.778039][T16485] ? __pfx_xfrm_send_policy_notify+0x10/0x10 [ 937.778065][T16485] ? km_policy_notify+0x28/0x200 [ 937.778097][T16485] ? km_policy_notify+0x28/0x200 [ 937.778119][T16485] ? __pfx_xfrm_send_policy_notify+0x10/0x10 [ 937.778142][T16485] km_policy_notify+0x121/0x200 [ 937.778162][T16485] ? km_policy_notify+0x28/0x200 [ 937.778188][T16485] xfrm_add_policy+0x4c7/0x800 [ 937.778219][T16485] ? __pfx_xfrm_add_policy+0x10/0x10 [ 937.778250][T16485] ? __nla_parse+0x40/0x60 [ 937.778285][T16485] xfrm_user_rcv_msg+0x7a0/0xab0 [ 937.778316][T16485] ? __pfx_xfrm_user_rcv_msg+0x10/0x10 [ 937.778382][T16485] ? __pfx___mutex_trylock_common+0x10/0x10 [ 937.778411][T16485] ? rcu_is_watching+0x15/0xb0 [ 937.778432][T16485] ? trace_contention_end+0x39/0x120 [ 937.778455][T16485] ? __mutex_lock+0x335/0x1360 [ 937.778492][T16485] netlink_rcv_skb+0x208/0x470 [ 937.778523][T16485] ? __pfx_xfrm_user_rcv_msg+0x10/0x10 [ 937.778548][T16485] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 937.778594][T16485] ? netlink_deliver_tap+0x2e/0x1b0 [ 937.778621][T16485] ? netlink_deliver_tap+0x2e/0x1b0 [ 937.778664][T16485] xfrm_netlink_rcv+0x79/0x90 [ 937.778687][T16485] netlink_unicast+0x82c/0x9e0 [ 937.778724][T16485] ? __pfx_netlink_unicast+0x10/0x10 [ 937.778752][T16485] ? netlink_sendmsg+0x642/0xb30 [ 937.778778][T16485] ? skb_put+0x11b/0x210 [ 937.778811][T16485] netlink_sendmsg+0x805/0xb30 [ 937.778851][T16485] ? __pfx_netlink_sendmsg+0x10/0x10 [ 937.778883][T16485] ? __import_iovec+0x5d4/0x7f0 [ 937.778903][T16485] ? aa_sock_msg_perm+0xf1/0x1d0 [ 937.778936][T16485] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 937.778959][T16485] ? __pfx_netlink_sendmsg+0x10/0x10 [ 937.778988][T16485] __sock_sendmsg+0x21c/0x270 [ 937.779018][T16485] ____sys_sendmsg+0x505/0x830 [ 937.779047][T16485] ? __pfx_____sys_sendmsg+0x10/0x10 [ 937.779089][T16485] ___sys_sendmsg+0x21f/0x2a0 [ 937.779114][T16485] ? __pfx____sys_sendmsg+0x10/0x10 [ 937.779180][T16485] ? __fget_files+0x2a/0x420 [ 937.779198][T16485] ? __fget_files+0x3a0/0x420 [ 937.779229][T16485] __sys_sendmsg+0x164/0x220 [ 937.779253][T16485] ? __pfx___sys_sendmsg+0x10/0x10 [ 937.779295][T16485] ? lockdep_hardirqs_on+0x9c/0x150 [ 937.779326][T16485] __do_fast_syscall_32+0xb6/0x2b0 [ 937.779356][T16485] ? lockdep_hardirqs_on+0x9c/0x150 [ 937.779387][T16485] do_fast_syscall_32+0x34/0x80 [ 937.779415][T16485] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 937.779439][T16485] RIP: 0023:0xf7fc5539 [ 937.779459][T16485] Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 937.779477][T16485] RSP: 002b:00000000f54e655c EFLAGS: 00000206 ORIG_RAX: 0000000000000172 [ 937.779501][T16485] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000080000180 [ 937.779516][T16485] RDX: 0000000020004800 RSI: 0000000000000000 RDI: 0000000000000000 [ 937.779530][T16485] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 937.779542][T16485] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 [ 937.779555][T16485] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 937.779588][T16485] [ 938.193865][ T928] usb 2-1: new high-speed USB device number 93 using dummy_hcd [ 938.201413][T15705] Bluetooth: hci2: command 0x0405 tx timeout [ 938.207604][T15705] Bluetooth: hci3: command 0x0c1a tx timeout [ 938.217314][T15705] Bluetooth: hci1: command 0x0406 tx timeout [ 938.223561][T15705] Bluetooth: hci4: command 0x0406 tx timeout [ 938.301382][ T24] usb 4-1: new high-speed USB device number 62 using dummy_hcd [ 938.324396][T16491] Invalid option length (64407) for dns_resolver key [ 938.602782][ T928] usb 2-1: Using ep0 maxpacket: 32 [ 938.623517][ T24] usb 4-1: config 0 interface 0 altsetting 0 endpoint 0x85 has an invalid bInterval 0, changing to 7 [ 938.647506][ T928] usb 2-1: unable to read config index 0 descriptor/start: -61 [ 938.656156][ T24] usb 4-1: config 0 interface 0 altsetting 0 endpoint 0x7 has invalid wMaxPacketSize 0 [ 938.675524][ T928] usb 2-1: can't read configurations, error -61 [ 938.681448][ T24] usb 4-1: New USB device found, idVendor=2040, idProduct=1605, bcdDevice= a.94 [ 938.691702][ T928] usb usb2-port1: attempt power cycle [ 938.709993][ T24] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 938.733891][ T24] usb 4-1: config 0 descriptor?? [ 938.846524][T16506] netlink: 'syz.0.3026': attribute type 5 has an invalid length. [ 938.889809][T16506] ip6erspan0: entered promiscuous mode [ 939.057095][ T928] usb 2-1: new high-speed USB device number 94 using dummy_hcd [ 939.089987][ T928] usb 2-1: Using ep0 maxpacket: 32 [ 939.126485][ T928] usb 2-1: unable to read config index 0 descriptor/start: -61 [ 939.134420][ T928] usb 2-1: can't read configurations, error -61 [ 939.311466][ T928] usb 2-1: new high-speed USB device number 95 using dummy_hcd [ 939.888817][ T928] usb 2-1: Using ep0 maxpacket: 32 [ 939.990512][ T928] usb 2-1: unable to read config index 0 descriptor/start: -61 [ 940.251873][ T5875] Bluetooth: hci2: command 0x0405 tx timeout [ 940.318253][ T928] usb 2-1: can't read configurations, error -61 [ 940.318690][ T928] usb usb2-port1: unable to enumerate USB device [ 941.321424][ T24] usb 1-1: new high-speed USB device number 72 using dummy_hcd [ 941.512115][ T24] usb 1-1: config 0 has an invalid interface number: 197 but max is 0 [ 941.531527][ T24] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 941.577153][ T24] usb 1-1: config 0 has no interface number 0 [ 941.606932][ T24] usb 1-1: config 0 interface 197 altsetting 0 bulk endpoint 0x5 has invalid maxpacket 8 [ 941.628956][ T24] usb 1-1: config 0 interface 197 altsetting 0 endpoint 0xC has invalid wMaxPacketSize 0 [ 941.639589][ T24] usb 1-1: config 0 interface 197 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 3 [ 941.640143][T15705] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1 [ 941.665882][T15705] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9 [ 941.674703][T15705] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9 [ 941.687825][T15705] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4 [ 941.695607][T15705] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2 [ 941.732413][ T24] usb 1-1: New USB device found, idVendor=03f0, idProduct=581d, bcdDevice=bb.42 [ 941.821419][ T24] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 941.883188][ T24] usb 1-1: Product: syz [ 941.887417][ T24] usb 1-1: Manufacturer: syz [ 941.902285][ T24] usb 1-1: SerialNumber: syz [ 941.920242][ T24] usb 1-1: config 0 descriptor?? [ 941.940710][T16535] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22 [ 941.975114][T15920] usb 4-1: USB disconnect, device number 62 [ 942.261481][ T10] usb 3-1: new high-speed USB device number 77 using dummy_hcd [ 942.331414][T15705] Bluetooth: hci2: command 0x0405 tx timeout [ 942.445262][ T10] usb 3-1: device descriptor read/64, error -71 [ 942.563482][T16556] netlink: 20 bytes leftover after parsing attributes in process `syz.0.3031'. [ 942.661527][T16556] openvswitch: netlink: Either Ethernet header or EtherType is required. [ 942.687371][T16558] netlink: 20 bytes leftover after parsing attributes in process `syz.0.3031'. [ 942.742689][ T10] usb 3-1: new high-speed USB device number 78 using dummy_hcd [ 942.901466][ T10] usb 3-1: device descriptor read/64, error -71 [ 943.039174][ T10] usb usb3-port1: attempt power cycle [ 943.309936][T16546] chnl_net:caif_netlink_parms(): no params data found [ 943.382963][T16568] fuse: Unknown parameter '' [ 943.401464][ T10] usb 3-1: new high-speed USB device number 79 using dummy_hcd [ 943.445900][ T10] usb 3-1: device descriptor read/8, error -71 [ 943.711602][ T10] usb 3-1: new high-speed USB device number 80 using dummy_hcd [ 943.752507][ T10] usb 3-1: device descriptor read/8, error -71 [ 943.772594][T15705] Bluetooth: hci5: command tx timeout [ 943.871980][ T10] usb usb3-port1: unable to enumerate USB device [ 944.868001][ T12] bond0 (unregistering): (slave vlan3): Releasing active interface [ 944.876816][ T12] bond0 (unregistering): Released all slaves [ 945.018087][ T12] bond1 (unregistering): Released all slaves [ 945.221179][ T12] bond2 (unregistering): Released all slaves [ 945.252115][T16593] netlink: 'syz.2.3038': attribute type 5 has an invalid length. [ 945.323667][ T10] usb 4-1: new full-speed USB device number 63 using dummy_hcd [ 945.399466][T15920] usb 1-1: USB disconnect, device number 72 [ 945.544064][ T10] usb 4-1: config 5 has an invalid interface number: 123 but max is 0 [ 945.552519][ T10] usb 4-1: config 5 has no interface number 0 [ 945.558701][ T10] usb 4-1: config 5 interface 123 altsetting 7 has an endpoint descriptor with address 0xEB, changing to 0x8B [ 945.581535][ T10] usb 4-1: config 5 interface 123 altsetting 7 endpoint 0x4 has invalid maxpacket 1023, setting to 64 [ 945.592769][ T10] usb 4-1: config 5 interface 123 has no altsetting 0 [ 945.600947][ T12] tipc: Left network mode [ 945.631351][ T10] usb 4-1: New USB device found, idVendor=3923, idProduct=718a, bcdDevice=d8.d7 [ 945.641696][ T10] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 945.649837][ T10] usb 4-1: Product: syz [ 945.654342][ T10] usb 4-1: Manufacturer: syz [ 945.658983][ T10] usb 4-1: SerialNumber: syz [ 945.783285][T16546] bridge0: port 1(bridge_slave_0) entered blocking state [ 945.790697][T16546] bridge0: port 1(bridge_slave_0) entered disabled state [ 945.805505][T16589] raw-gadget.1 gadget.3: fail, usb_ep_enable returned -22 [ 945.817184][T16546] bridge_slave_0: entered allmulticast mode [ 945.827926][T16546] bridge_slave_0: entered promiscuous mode [ 945.861464][T15705] Bluetooth: hci5: command tx timeout [ 945.884621][T16546] bridge0: port 2(bridge_slave_1) entered blocking state [ 946.410360][ T928] usb 1-1: new high-speed USB device number 73 using dummy_hcd [ 946.430858][T16546] bridge0: port 2(bridge_slave_1) entered disabled state [ 946.480413][T16546] bridge_slave_1: entered allmulticast mode [ 946.665077][T16546] bridge_slave_1: entered promiscuous mode [ 946.695121][ T928] usb 1-1: Using ep0 maxpacket: 16 [ 946.822107][T16588] delete_channel: no stack [ 946.976238][ T10] comedi comedi5: driver 'ni6501' has successfully auto-configured 'ni6501'. [ 947.027364][T16546] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 947.125500][T16546] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 947.135680][ T10] usb 4-1: USB disconnect, device number 63 [ 947.561685][T16546] team0: Port device team_slave_0 added [ 947.777869][T16546] team0: Port device team_slave_1 added [ 947.931919][T15705] Bluetooth: hci5: command tx timeout [ 948.170405][ T12] dummy0: left promiscuous mode [ 948.229336][ T12] team0: left promiscuous mode [ 948.571910][ T12] team_slave_0: left promiscuous mode [ 948.593025][ T12] team_slave_1: left promiscuous mode [ 948.823889][T16637] fuse: Bad value for 'fd' [ 948.928783][ T12] hsr_slave_0: left promiscuous mode [ 949.017502][ T12] hsr_slave_1: left promiscuous mode [ 950.060711][T15705] Bluetooth: hci5: command tx timeout [ 950.590062][ T928] usb 1-1: unable to get BOS descriptor or descriptor too short [ 950.624367][ T928] usb 1-1: unable to read config index 0 descriptor/start: -71 [ 950.670244][ T928] usb 1-1: can't read configurations, error -71 [ 952.082761][T16659] netlink: 8 bytes leftover after parsing attributes in process `syz.4.3050'. [ 952.585122][ T12] team0 (unregistering): Port device team_slave_1 removed [ 952.664752][ T12] team0 (unregistering): Port device team_slave_0 removed [ 954.088887][T16674] netlink: 32 bytes leftover after parsing attributes in process `syz.3.3053'. [ 954.663784][T16546] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 954.670900][T16546] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 954.702107][T16546] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 955.277403][T16546] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 955.316514][T16546] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 955.342458][ C1] vkms_vblank_simulate: vblank timer overrun [ 955.811996][T16701] netlink: 'syz.2.3058': attribute type 5 has an invalid length. [ 955.869998][T16546] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 957.455652][T16546] hsr_slave_0: entered promiscuous mode [ 957.473019][T16546] hsr_slave_1: entered promiscuous mode [ 957.479073][T16546] debugfs: 'hsr0' already exists in 'hsr' [ 957.536635][T16546] Cannot create hsr debugfs directory [ 958.185660][T16725] netlink: 12 bytes leftover after parsing attributes in process `syz.3.3063'. [ 958.393752][ T12] IPVS: stop unused estimator thread 0... [ 959.153329][ T30] kauditd_printk_skb: 65 callbacks suppressed [ 959.153351][ T30] audit: type=1326 audit(1754901984.873:2882): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=16755 comm="syz.0.3071" exe="/root/syz-executor" sig=31 arch=40000003 syscall=240 compat=1 ip=0xf708e539 code=0x0 [ 959.616833][T15920] usb 5-1: new high-speed USB device number 84 using dummy_hcd [ 959.791232][T16546] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 959.874522][T16546] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 960.352421][T15920] usb 5-1: config 0 has an invalid descriptor of length 1, skipping remainder of the config [ 960.419926][T16546] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 960.427375][T15920] usb 5-1: config 0 has 0 interfaces, different from the descriptor's value: 1 [ 960.452041][T15920] usb 5-1: New USB device found, idVendor=10c4, idProduct=ea90, bcdDevice= 0.00 [ 960.471438][T15920] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 960.511189][T15920] usb 5-1: config 0 descriptor?? [ 960.516794][T16546] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 961.112847][T16760] qrtr: Invalid version 97 [ 961.142462][T16760] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 961.161909][T16760] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 961.288162][T16546] 8021q: adding VLAN 0 to HW filter on device bond0 [ 961.311514][ T10] usb 4-1: new high-speed USB device number 64 using dummy_hcd [ 961.770308][ T10] usb 4-1: New USB device found, idVendor=0af0, idProduct=7a05, bcdDevice= 0.00 [ 961.779748][ T10] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 961.794141][ T10] usb 4-1: Product: syz [ 961.798354][ T10] usb 4-1: Manufacturer: syz [ 961.803630][ T10] usb 4-1: SerialNumber: syz [ 961.833925][ T10] usb 4-1: config 0 descriptor?? [ 961.847348][T16546] 8021q: adding VLAN 0 to HW filter on device team0 [ 961.979894][ T12] bridge0: port 1(bridge_slave_0) entered blocking state [ 961.987309][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state [ 962.066604][ T10] hso 4-1:0.0: Failed to find INT IN ep [ 962.073411][ T10] usb-storage 4-1:0.0: USB Mass Storage device detected [ 962.086891][ T1338] bridge0: port 2(bridge_slave_1) entered blocking state [ 962.099512][ T1338] bridge0: port 2(bridge_slave_1) entered forwarding state [ 962.312561][ T9] usb 3-1: new full-speed USB device number 81 using dummy_hcd [ 962.442208][T16783] ip6erspan0: left promiscuous mode [ 962.448531][T16783] bond1: left promiscuous mode [ 962.578890][T16546] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 962.589998][T16546] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 962.627419][ T9] usb 3-1: unable to get BOS descriptor or descriptor too short [ 962.637808][ T9] usb 3-1: not running at top speed; connect to a high speed hub [ 962.681224][ T9] usb 3-1: config 129 has an invalid interface number: 114 but max is 0 [ 962.692354][ T9] usb 3-1: config 129 has no interface number 0 [ 962.741216][ T9] usb 3-1: config 129 interface 114 has no altsetting 0 [ 962.770865][ T9] usb 3-1: New USB device found, idVendor=1293, idProduct=0002, bcdDevice=3a.3a [ 962.794806][ T9] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 962.824150][ T9] usb 3-1: Product: syz [ 962.843212][ T9] usb 3-1: Manufacturer: syz [ 962.907618][ T9] usb 3-1: SerialNumber: syz [ 962.976637][T16546] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 963.170109][T16546] veth0_vlan: entered promiscuous mode [ 963.245883][T16546] veth1_vlan: entered promiscuous mode [ 963.385790][T16546] veth0_macvtap: entered promiscuous mode [ 963.640830][T16546] veth1_macvtap: entered promiscuous mode [ 963.713893][T16546] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 963.820437][T16546] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 963.894197][ T1146] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 963.935034][ T1146] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 964.003092][ T5864] usb 1-1: new high-speed USB device number 75 using dummy_hcd [ 964.025392][ T1146] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 964.031640][ T9] usb 3-1: USB disconnect, device number 81 [ 964.077172][ T1146] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 964.196220][ T5864] usb 1-1: New USB device found, idVendor=055f, idProduct=c230, bcdDevice=b6.ac [ 964.229098][ T5864] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 964.303680][ T5864] usb 1-1: Product: syz [ 964.341930][ T5864] usb 1-1: Manufacturer: syz [ 964.402487][ T5864] usb 1-1: SerialNumber: syz [ 964.427481][ T1146] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 964.443329][ T1146] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 964.450875][T15920] usb 5-1: string descriptor 0 read error: -71 [ 964.460234][T15920] usb 5-1: USB disconnect, device number 84 [ 964.496895][ T5864] usb 1-1: config 0 descriptor?? [ 964.516733][ T5864] gspca_main: sunplus-2.14.0 probing 055f:c230 [ 964.613232][T16812] netlink: 'syz.4.3080': attribute type 10 has an invalid length. [ 964.679183][T16814] netlink: 14 bytes leftover after parsing attributes in process `syz.2.3079'. [ 964.691632][T16812] syz_tun: left allmulticast mode [ 964.726357][ T12] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 964.795883][ T12] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 964.818747][ T9] usb 4-1: USB disconnect, device number 64 [ 964.829257][ T5864] gspca_sunplus: reg_r err -71 [ 964.866352][ T5864] sunplus 1-1:0.0: probe with driver sunplus failed with error -71 [ 964.959836][ T5864] usb 1-1: USB disconnect, device number 75 [ 965.025790][T16825] netlink: 8 bytes leftover after parsing attributes in process `syz.4.3082'. [ 965.112449][T16826] Bluetooth: hci0: Opcode 0x0c1a failed: -4 [ 965.128880][T16826] Bluetooth: hci1: Opcode 0x0c1a failed: -4 [ 965.154985][T16826] Bluetooth: hci3: Opcode 0x0c1a failed: -4 [ 965.169037][T16826] Bluetooth: hci2: Opcode 0x0c1a failed: -4 [ 965.188994][T16826] Bluetooth: hci5: Opcode 0x0c1a failed: -4 [ 965.202814][T16826] Bluetooth: hci5: Opcode 0x0406 failed: -4 [ 965.232291][ T10] usb 3-1: new high-speed USB device number 82 using dummy_hcd [ 965.266757][T16826] Bluetooth: hci5: Opcode 0x0406 failed: -4 [ 965.465530][T16845] netlink: 'syz.0.3084': attribute type 5 has an invalid length. [ 965.641573][ T5954] usb 2-1: new high-speed USB device number 96 using dummy_hcd [ 965.837474][ T5954] usb 2-1: config 0 has no interfaces? [ 965.843079][ T5954] usb 2-1: New USB device found, idVendor=0582, idProduct=0014, bcdDevice=bb.9d [ 965.863011][ T5954] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 966.027132][T16853] netlink: 'syz.4.3087': attribute type 6 has an invalid length. [ 966.044394][ T5954] usb 2-1: config 0 descriptor?? [ 967.142967][T15705] Bluetooth: hci1: command 0x0406 tx timeout [ 967.143058][ T5875] Bluetooth: hci0: command 0x0406 tx timeout [ 967.212317][T15705] Bluetooth: hci5: command 0x0c1a tx timeout [ 967.218942][T15705] Bluetooth: hci2: command 0x0405 tx timeout [ 967.226376][T15705] Bluetooth: hci3: command 0x0c1a tx timeout [ 967.236499][T15705] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1 [ 967.257340][T15705] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9 [ 967.273729][T15705] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9 [ 967.283525][T15705] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4 [ 967.293971][T15705] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2 [ 967.643817][T16867] chnl_net:caif_netlink_parms(): no params data found [ 968.207746][ T5954] usb 2-1: USB disconnect, device number 96 [ 968.545995][T16886] netlink: 4 bytes leftover after parsing attributes in process `syz.4.3093'. [ 968.623886][T16886] netlink: 4 bytes leftover after parsing attributes in process `syz.4.3093'. [ 968.732053][T16886] netlink: 104 bytes leftover after parsing attributes in process `syz.4.3093'. [ 968.843718][T16886] netlink: 104 bytes leftover after parsing attributes in process `syz.4.3093'. [ 969.093196][T16867] bridge0: port 1(bridge_slave_0) entered blocking state [ 969.112341][T16867] bridge0: port 1(bridge_slave_0) entered disabled state [ 969.140146][T16867] bridge_slave_0: entered allmulticast mode [ 969.190829][T16867] bridge_slave_0: entered promiscuous mode [ 969.301514][ T5875] Bluetooth: hci5: command 0x0c1a tx timeout [ 969.371897][ T5875] Bluetooth: hci4: command tx timeout [ 969.529729][ T36] netdevsim netdevsim2 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 969.727665][T16867] bridge0: port 2(bridge_slave_1) entered blocking state [ 969.801086][T16867] bridge0: port 2(bridge_slave_1) entered disabled state [ 969.872377][T16867] bridge_slave_1: entered allmulticast mode [ 969.934163][T16867] bridge_slave_1: entered promiscuous mode [ 969.994269][T16902] @: renamed from vlan0 (while UP) [ 970.462072][ T36] netdevsim netdevsim2 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 971.381533][ T5875] Bluetooth: hci5: command 0x0c1a tx timeout [ 971.451502][ T5875] Bluetooth: hci4: command tx timeout [ 971.824690][ T36] netdevsim netdevsim2 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 971.871527][T15920] usb 2-1: new full-speed USB device number 97 using dummy_hcd [ 971.977460][T16867] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 972.112788][T15920] usb 2-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 972.154651][T15920] usb 2-1: config 0 has 1 interface, different from the descriptor's value: 2 [ 972.187941][T15920] usb 2-1: New USB device found, idVendor=05d8, idProduct=810a, bcdDevice=92.b8 [ 972.218521][T15920] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 972.239185][T16867] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 972.248159][T15920] usb 2-1: config 0 descriptor?? [ 972.315696][T15920] dvb-usb: found a 'Artec T1 USB2.0' in warm state. [ 972.405669][T15920] dvb-usb: bulk message failed: -22 (3/0) [ 972.484578][T16938] dibusb: i2c wr: len=61 is too big! [ 972.484578][T16938] [ 972.500758][T16938] netlink: 'syz.1.3100': attribute type 7 has an invalid length. [ 972.522124][T15920] dvb-usb: will use the device's hardware PID filter (table count: 16). [ 972.541359][T16938] netlink: 'syz.1.3100': attribute type 8 has an invalid length. [ 972.644854][T15920] dvbdev: DVB: registering new adapter (Artec T1 USB2.0) [ 972.662578][ T36] netdevsim netdevsim2 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 972.687468][T15920] usb 2-1: media controller created [ 972.706605][T15920] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered. [ 972.717160][T16952] netlink: 32 bytes leftover after parsing attributes in process `syz.3.3102'. [ 972.807447][T15920] dvb-usb: bulk message failed: -22 (6/0) [ 972.862568][T15920] dvb-usb: no frontend was attached by 'Artec T1 USB2.0' [ 972.954561][T16867] team0: Port device team_slave_0 added [ 972.983990][T15920] input: IR-receiver inside an USB DVB receiver as /devices/platform/dummy_hcd.1/usb2/2-1/input/input52 [ 973.009583][T16867] team0: Port device team_slave_1 added [ 973.105001][T15920] dvb-usb: schedule remote query interval to 150 msecs. [ 973.214622][T15920] dvb-usb: Artec T1 USB2.0 successfully initialized and connected. [ 973.383451][T15920] dvb-usb: bulk message failed: -22 (1/0) [ 973.415562][T15920] dvb-usb: error while querying for an remote control event. [ 973.532265][ T5875] Bluetooth: hci4: command tx timeout [ 973.631407][T15920] dvb-usb: bulk message failed: -22 (1/0) [ 973.643565][T15920] dvb-usb: error while querying for an remote control event. [ 973.680933][T16867] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 973.797075][T16867] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 973.870923][ T24] dvb-usb: bulk message failed: -22 (1/0) [ 973.889354][ T24] dvb-usb: error while querying for an remote control event. [ 973.914961][ T982] usb 2-1: USB disconnect, device number 97 [ 973.974782][T16867] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 974.174687][T16978] netlink: 'syz.1.3106': attribute type 5 has an invalid length. [ 974.408810][ T9] usb 1-1: new full-speed USB device number 76 using dummy_hcd [ 974.425233][T16867] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 974.451074][T16867] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 974.453851][ T982] dvb-usb: Artec T1 USB2.0 successfully deinitialized and disconnected. [ 974.751176][ T9] usb 1-1: unable to get BOS descriptor or descriptor too short [ 975.141480][ T9] usb 1-1: not running at top speed; connect to a high speed hub [ 975.206961][T16867] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 975.332591][ T9] usb 1-1: config 17 has an invalid interface number: 8 but max is 1 [ 975.340882][ T9] usb 1-1: config 17 has 1 interface, different from the descriptor's value: 2 [ 975.371744][ T9] usb 1-1: config 17 has no interface number 0 [ 975.421496][ T9] usb 1-1: config 17 interface 8 altsetting 6 endpoint 0x3 has an invalid bInterval 0, changing to 4 [ 975.558622][T16978] ip6erspan0: entered promiscuous mode [ 975.581558][ T9] usb 1-1: config 17 interface 8 has no altsetting 0 [ 975.625751][ T5875] Bluetooth: hci4: command tx timeout [ 975.702050][ T9] usb 1-1: New USB device found, idVendor=0763, idProduct=2001, bcdDevice=2c.ff [ 975.711147][ T9] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 975.771215][ T9] usb 1-1: Product: syz [ 975.778211][ T9] usb 1-1: Manufacturer: syz [ 975.783090][ T9] usb 1-1: SerialNumber: syz [ 976.630235][T16867] hsr_slave_0: entered promiscuous mode [ 976.674857][T16867] hsr_slave_1: entered promiscuous mode [ 976.740625][T16867] debugfs: 'hsr0' already exists in 'hsr' [ 976.787095][T16867] Cannot create hsr debugfs directory [ 977.585732][ T36] bridge_slave_1: left allmulticast mode [ 977.609031][ T36] bridge_slave_1: left promiscuous mode [ 977.667562][ T36] bridge0: port 2(bridge_slave_1) entered disabled state [ 977.747119][ T36] bridge_slave_0: left allmulticast mode [ 977.762798][ T9] usb 1-1: selecting invalid altsetting 0 [ 977.787799][ T36] bridge_slave_0: left promiscuous mode [ 977.795150][ T9] usb 1-1: 8:6 : no UAC_FORMAT_TYPE desc [ 977.815564][ T9] usb 1-1: selecting invalid altsetting 0 [ 977.826587][T17015] netlink: 'syz.1.3111': attribute type 5 has an invalid length. [ 977.851709][ T36] bridge0: port 1(bridge_slave_0) entered disabled state [ 977.960413][ T9] usb 1-1: USB disconnect, device number 76 [ 978.122873][T16688] udevd[16688]: error opening ATTR{/sys/devices/platform/dummy_hcd.0/usb1/1-1/1-1:17.8/sound/card3/controlC3/../uevent} for writing: No such file or directory [ 978.140102][T17023] netlink: 4 bytes leftover after parsing attributes in process `syz.4.3114'. [ 978.169116][T17023] netlink: 4 bytes leftover after parsing attributes in process `syz.4.3114'. [ 978.201599][T17023] netlink: 104 bytes leftover after parsing attributes in process `syz.4.3114'. [ 978.227057][T17025] netlink: 'syz.0.3113': attribute type 1 has an invalid length. [ 978.256186][T17023] netlink: 104 bytes leftover after parsing attributes in process `syz.4.3114'. [ 979.429900][ T36] bond0 (unregistering): left promiscuous mode [ 979.436414][ T36] vlan2: left promiscuous mode [ 979.443832][ T36] veth1: left promiscuous mode [ 979.770370][ T36] bond0 (unregistering): (slave vlan2): Releasing active interface [ 979.789428][ T36] bond0 (unregistering): Released all slaves [ 979.926988][ T36] bond1 (unregistering): (slave vlan0): Releasing active interface [ 979.937091][ T36] bond1 (unregistering): Released all slaves [ 979.952296][ T36] bond2 (unregistering): (slave veth3): Releasing active interface [ 979.962152][ T36] bond2 (unregistering): Released all slaves [ 980.006940][T17017] netlink: 'syz.3.3112': attribute type 12 has an invalid length. [ 980.026269][T17017] netlink: 132 bytes leftover after parsing attributes in process `syz.3.3112'. [ 980.062431][T17025] workqueue: Failed to create a rescuer kthread for wq "bond1": -EINTR [ 980.072451][T17026] vlan0: entered allmulticast mode [ 980.123369][T17026] macvtap0: entered allmulticast mode [ 980.128836][T17026] veth0_macvtap: entered allmulticast mode [ 980.219888][ T36] tipc: Left network mode [ 980.226933][T17038] netlink: 32 bytes leftover after parsing attributes in process `syz.1.3116'. [ 980.462208][T17049] netlink: 4 bytes leftover after parsing attributes in process `syz.4.3120'. [ 980.851738][T15920] usb 2-1: new full-speed USB device number 98 using dummy_hcd [ 981.048829][T15920] usb 2-1: config 0 has an invalid interface number: 128 but max is 0 [ 981.066468][T15920] usb 2-1: config 0 has no interface number 0 [ 981.084399][T15920] usb 2-1: New USB device found, idVendor=20b7, idProduct=1540, bcdDevice=b7.5a [ 981.120655][T15920] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 981.201330][T15920] usb 2-1: Product: syz [ 981.205650][T15920] usb 2-1: Manufacturer: syz [ 981.226400][T15920] usb 2-1: SerialNumber: syz [ 981.238922][T15920] usb 2-1: config 0 descriptor?? [ 982.395399][T15920] usb 2-1: non-Atmel transceiver xxxx00e6 [ 982.597717][T15920] usb 2-1: Firmware version (0.0) predates our first public release. [ 982.631623][T15920] usb 2-1: Please update to version 0.2 or newer [ 982.658021][T15920] usb 2-1: atusb_probe: initialization failed, error = -19 [ 982.742338][T15920] usb 2-1: USB disconnect, device number 98 [ 982.971217][T17078] netlink: 'syz.4.3123': attribute type 4 has an invalid length. [ 983.089801][T17083] netlink: 'syz.4.3123': attribute type 4 has an invalid length. [ 983.256884][T17085] netlink: 'syz.3.3125': attribute type 5 has an invalid length. [ 983.535191][ T36] dummy0: left promiscuous mode [ 983.549281][ T36] team0: left promiscuous mode [ 983.605639][T17092] openvswitch: netlink: Unexpected mask (mask=200040, allowed=10048) [ 983.627806][ T36] team_slave_0: left promiscuous mode [ 983.665000][ T36] team_slave_1: left promiscuous mode [ 984.079366][ T36] veth1_macvtap: left promiscuous mode [ 984.095250][ T36] veth0_macvtap: left allmulticast mode [ 984.136337][ T36] veth0_macvtap: left promiscuous mode [ 984.163818][ T36] veth1_vlan: left allmulticast mode [ 984.185713][ T36] veth1_vlan: left promiscuous mode [ 984.224118][ T36] veth0_vlan: left promiscuous mode [ 984.959917][T17105] hfs: unable to load iocharset "io#harsmt" [ 985.027255][ T36] pim6reg (unregistering): left allmulticast mode [ 985.551337][T17116] netlink: 'syz.0.3132': attribute type 5 has an invalid length. [ 986.456916][ T36] team0 (unregistering): Port device team_slave_1 removed [ 986.509351][ T36] team0 (unregistering): Port device team_slave_0 removed [ 986.943014][T16867] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 986.999362][T16867] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 987.077468][T16867] netdevsim netdevsim2 netdevsim2: renamed from eth2 [ 987.219018][T16867] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 987.491359][ T24] usb 4-1: new low-speed USB device number 65 using dummy_hcd [ 987.698075][ T24] usb 4-1: device descriptor read/64, error -71 [ 987.767940][T16867] 8021q: adding VLAN 0 to HW filter on device bond0 [ 987.874827][T16867] 8021q: adding VLAN 0 to HW filter on device team0 [ 987.969344][ T1146] bridge0: port 1(bridge_slave_0) entered blocking state [ 987.969460][ T1146] bridge0: port 1(bridge_slave_0) entered forwarding state [ 987.969790][ T24] usb 4-1: new low-speed USB device number 66 using dummy_hcd [ 988.041523][T16192] bridge0: port 2(bridge_slave_1) entered blocking state [ 988.041650][T16192] bridge0: port 2(bridge_slave_1) entered forwarding state [ 988.121468][ T24] usb 4-1: device descriptor read/64, error -71 [ 988.256409][ T24] usb usb4-port1: attempt power cycle [ 988.329509][T16867] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 988.532162][T16867] veth0_vlan: entered promiscuous mode [ 988.547236][T16867] veth1_vlan: entered promiscuous mode [ 988.661613][ T24] usb 4-1: new low-speed USB device number 67 using dummy_hcd [ 988.693871][ T24] usb 4-1: device descriptor read/8, error -71 [ 988.743023][T16867] veth0_macvtap: entered promiscuous mode [ 989.417672][T16867] veth1_macvtap: entered promiscuous mode [ 989.431395][ T24] usb 4-1: new low-speed USB device number 68 using dummy_hcd [ 989.477755][ T24] usb 4-1: device descriptor read/8, error -71 [ 989.480813][T17160] FAULT_INJECTION: forcing a failure. [ 989.480813][T17160] name failslab, interval 1, probability 0, space 0, times 0 [ 989.497290][T17160] CPU: 0 UID: 0 PID: 17160 Comm: syz.1.3138 Not tainted 6.17.0-rc1-syzkaller #0 PREEMPT(full) [ 989.497309][T17160] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 989.497318][T17160] Call Trace: [ 989.497323][T17160] [ 989.497330][T17160] dump_stack_lvl+0x189/0x250 [ 989.497350][T17160] ? __pfx____ratelimit+0x10/0x10 [ 989.497368][T17160] ? __pfx_dump_stack_lvl+0x10/0x10 [ 989.497382][T17160] ? __pfx__printk+0x10/0x10 [ 989.497398][T17160] ? rhashtable_lookup+0x667/0x6b0 [ 989.497417][T17160] ? __pfx_xfrm_pol_bin_cmp+0x10/0x10 [ 989.497431][T17160] ? __pfx_rhashtable_lookup+0x10/0x10 [ 989.497448][T17160] should_fail_ex+0x414/0x560 [ 989.497467][T17160] should_failslab+0xa8/0x100 [ 989.497485][T17160] __kmalloc_cache_noprof+0x70/0x3d0 [ 989.497502][T17160] ? xfrm_policy_inexact_alloc_bin+0x3a5/0x15b0 [ 989.497517][T17160] ? xfrm_policy_inexact_alloc_bin+0x1a5/0x15b0 [ 989.497533][T17160] ? xfrm_policy_inexact_alloc_bin+0x1a5/0x15b0 [ 989.497547][T17160] xfrm_policy_inexact_alloc_bin+0x3a5/0x15b0 [ 989.497562][T17160] ? register_lock_class+0x51/0x320 [ 989.497583][T17160] ? __lock_acquire+0xab9/0xd20 [ 989.497604][T17160] ? __pfx_xfrm_policy_inexact_alloc_bin+0x10/0x10 [ 989.497621][T17160] ? __get_hash_thresh+0x10e/0x420 [ 989.497637][T17160] ? policy_hash_bysel+0x108/0x6e0 [ 989.497651][T17160] xfrm_policy_inexact_insert+0x1e/0x180 [ 989.497665][T17160] xfrm_policy_insert+0x116/0x940 [ 989.497682][T17160] xfrm_add_policy+0x2e2/0x800 [ 989.497700][T17160] ? __pfx_xfrm_add_policy+0x10/0x10 [ 989.497716][T17160] ? __nla_parse+0x40/0x60 [ 989.497736][T17160] xfrm_user_rcv_msg+0x7a0/0xab0 [ 989.497753][T17160] ? __pfx_xfrm_user_rcv_msg+0x10/0x10 [ 989.497786][T17160] ? __pfx___mutex_trylock_common+0x10/0x10 [ 989.497802][T17160] ? rcu_is_watching+0x15/0xb0 [ 989.497815][T17160] ? trace_contention_end+0x39/0x120 [ 989.497828][T17160] ? __mutex_lock+0x335/0x1360 [ 989.497848][T17160] netlink_rcv_skb+0x208/0x470 [ 989.497867][T17160] ? __pfx_xfrm_user_rcv_msg+0x10/0x10 [ 989.497881][T17160] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 989.497905][T17160] ? netlink_deliver_tap+0x2e/0x1b0 [ 989.497921][T17160] ? netlink_deliver_tap+0x2e/0x1b0 [ 989.497938][T17160] xfrm_netlink_rcv+0x79/0x90 [ 989.497952][T17160] netlink_unicast+0x82c/0x9e0 [ 989.497971][T17160] ? __pfx_netlink_unicast+0x10/0x10 [ 989.497987][T17160] ? netlink_sendmsg+0x642/0xb30 [ 989.498003][T17160] ? skb_put+0x11b/0x210 [ 989.498022][T17160] netlink_sendmsg+0x805/0xb30 [ 989.498044][T17160] ? __pfx_netlink_sendmsg+0x10/0x10 [ 989.498062][T17160] ? __import_iovec+0x5d4/0x7f0 [ 989.498080][T17160] ? aa_sock_msg_perm+0xf1/0x1d0 [ 989.498101][T17160] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 989.498114][T17160] ? __pfx_netlink_sendmsg+0x10/0x10 [ 989.498131][T17160] __sock_sendmsg+0x21c/0x270 [ 989.498149][T17160] ____sys_sendmsg+0x505/0x830 [ 989.498170][T17160] ? __pfx_____sys_sendmsg+0x10/0x10 [ 989.498191][T17160] ___sys_sendmsg+0x21f/0x2a0 [ 989.498205][T17160] ? __pfx____sys_sendmsg+0x10/0x10 [ 989.498237][T17160] ? __fget_files+0x2a/0x420 [ 989.498247][T17160] ? __fget_files+0x3a0/0x420 [ 989.498264][T17160] __sys_sendmsg+0x164/0x220 [ 989.498277][T17160] ? __pfx___sys_sendmsg+0x10/0x10 [ 989.498297][T17160] ? lockdep_hardirqs_on+0x9c/0x150 [ 989.498316][T17160] __do_fast_syscall_32+0xb6/0x2b0 [ 989.498334][T17160] ? lockdep_hardirqs_on+0x9c/0x150 [ 989.498351][T17160] do_fast_syscall_32+0x34/0x80 [ 989.498368][T17160] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 989.498382][T17160] RIP: 0023:0xf70ee539 [ 989.498394][T17160] Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 989.498406][T17160] RSP: 002b:00000000f54de55c EFLAGS: 00000206 ORIG_RAX: 0000000000000172 [ 989.498420][T17160] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000080000180 [ 989.498430][T17160] RDX: 0000000020004800 RSI: 0000000000000000 RDI: 0000000000000000 [ 989.498437][T17160] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 989.498445][T17160] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 [ 989.498452][T17160] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 989.498469][T17160] [ 989.912579][ C0] vkms_vblank_simulate: vblank timer overrun [ 989.950027][T16867] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 989.962386][T16867] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 990.087814][ T24] usb usb4-port1: unable to enumerate USB device [ 990.098498][ T1338] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 990.107328][ T1338] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 990.116909][ T1338] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 990.126082][ T1338] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 990.345843][ T1338] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 990.354532][T12673] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 990.355810][ T1338] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 990.399436][T12673] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 990.527884][T17170] Invalid option length (64407) for dns_resolver key [ 990.541584][ T36] IPVS: stop unused estimator thread 0... [ 990.966726][ T24] usb 5-1: new high-speed USB device number 85 using dummy_hcd [ 991.042467][T17184] netlink: 8 bytes leftover after parsing attributes in process `syz.3.3144'. [ 991.056671][T17184] netlink: 4 bytes leftover after parsing attributes in process `syz.3.3144'. [ 991.249902][ T24] usb 5-1: Using ep0 maxpacket: 32 [ 991.507661][ T24] usb 5-1: config 0 interface 0 altsetting 128 has 1 endpoint descriptor, different from the interface descriptor's value: 2 [ 991.507687][ T24] usb 5-1: config 0 interface 0 has no altsetting 0 [ 991.507710][ T24] usb 5-1: New USB device found, idVendor=1b1c, idProduct=1c0d, bcdDevice= 0.00 [ 991.507725][ T24] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 991.509927][ T24] usb 5-1: config 0 descriptor?? [ 992.182044][T17193] IPVS: set_ctl: invalid protocol: 0 172.20.20.187:20004 [ 992.351506][ T982] usb 3-1: new high-speed USB device number 83 using dummy_hcd [ 992.428894][T17195] delete_channel: no stack [ 992.517460][ T982] usb 3-1: Using ep0 maxpacket: 8 [ 992.535924][ T982] usb 3-1: New USB device found, idVendor=0ccd, idProduct=10a3, bcdDevice=23.a2 [ 992.590885][ T982] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 992.621066][ T982] usb 3-1: Product: syz [ 992.627484][ T982] usb 3-1: Manufacturer: syz [ 992.633888][ T982] usb 3-1: SerialNumber: syz [ 992.650525][ T982] usb 3-1: config 0 descriptor?? [ 992.876174][ T982] usb 3-1: dvb_usb_v2: found a 'Terratec H7' in warm state [ 993.085394][T17206] netlink: 'syz.3.3149': attribute type 5 has an invalid length. [ 993.310885][ T1305] ieee802154 phy0 wpan0: encryption failed: -22 [ 993.324218][ T1305] ieee802154 phy1 wpan1: encryption failed: -22 [ 994.928702][ T24] usbhid 5-1:0.0: can't add hid device: -71 [ 994.936839][ T24] usbhid 5-1:0.0: probe with driver usbhid failed with error -71 [ 995.044761][ T24] usb 5-1: USB disconnect, device number 85 [ 995.154540][ T982] usb write operation failed. (-71) [ 995.163408][ T982] usb 3-1: dvb_usb_v2: will pass the complete MPEG2 transport stream to the software demuxer [ 995.199336][ T982] dvbdev: DVB: registering new adapter (Terratec H7) [ 995.244073][ T982] usb 3-1: media controller created [ 995.264921][ T982] usb read operation failed. (-71) [ 995.270602][ T982] usb write operation failed. (-71) [ 995.302889][ T982] dvb_usb_az6007 3-1:0.0: probe with driver dvb_usb_az6007 failed with error -5 [ 995.410816][ T982] usb 3-1: USB disconnect, device number 83 [ 995.980057][T17236] sch_tbf: burst 0 is lower than device lo mtu (11337746) ! [ 997.201199][T17251] netlink: 8 bytes leftover after parsing attributes in process `syz.0.3163'. [ 997.309029][T17248] netlink: 4 bytes leftover after parsing attributes in process `syz.3.3161'. [ 997.349056][T17253] @: renamed from vlan0 (while UP) [ 997.434959][ T24] usb 2-1: new high-speed USB device number 99 using dummy_hcd [ 997.474009][T15705] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 997.513665][T15705] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 997.536767][ T12] netdevsim netdevsim4 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 997.549789][T15705] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 997.569737][T15705] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 997.590896][ T24] usb 2-1: device descriptor read/64, error -71 [ 997.597615][T15705] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 998.041392][ T24] usb 2-1: new high-speed USB device number 100 using dummy_hcd [ 998.095234][ T12] netdevsim netdevsim4 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 998.181461][ T24] usb 2-1: device descriptor read/64, error -71 [ 998.862328][ T24] usb usb2-port1: attempt power cycle [ 998.891165][ T12] netdevsim netdevsim4 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 998.917777][T17267] netlink: 'syz.0.3165': attribute type 5 has an invalid length. [ 999.050186][ T12] netdevsim netdevsim4 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 999.224565][ T24] usb 2-1: new high-speed USB device number 101 using dummy_hcd [ 999.252050][ T24] usb 2-1: device descriptor read/8, error -71 [ 999.491569][ T24] usb 2-1: new high-speed USB device number 102 using dummy_hcd [ 999.533955][ T24] usb 2-1: device descriptor read/8, error -71 [ 999.661001][ T24] usb usb2-port1: unable to enumerate USB device [ 999.691835][T15705] Bluetooth: hci0: command tx timeout [ 999.717670][ T30] audit: type=1326 audit(1754902025.443:2883): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17273 comm="syz.2.3168" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf70fe539 code=0x7ffc0000 [ 999.790162][ T30] audit: type=1326 audit(1754902025.443:2884): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17273 comm="syz.2.3168" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf70fe539 code=0x7ffc0000 [ 999.815650][ T30] audit: type=1326 audit(1754902025.483:2885): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17273 comm="syz.2.3168" exe="/root/syz-executor" sig=0 arch=40000003 syscall=120 compat=1 ip=0xf70fe539 code=0x7ffc0000 [ 1000.001980][ T30] audit: type=1326 audit(1754902025.583:2886): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17277 comm="syz.2.3168" exe="/root/syz-executor" sig=0 arch=40000003 syscall=267 compat=1 ip=0xf70fe539 code=0x7ffc0000 [ 1000.100373][ T30] audit: type=1326 audit(1754902025.583:2887): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17273 comm="syz.2.3168" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf70fe539 code=0x7ffc0000 [ 1000.129531][ T30] audit: type=1326 audit(1754902025.583:2888): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17273 comm="syz.2.3168" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf70fe539 code=0x7ffc0000 [ 1000.151643][ C1] vkms_vblank_simulate: vblank timer overrun [ 1000.248404][ T30] audit: type=1326 audit(1754902025.593:2889): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17273 comm="syz.2.3168" exe="/root/syz-executor" sig=0 arch=40000003 syscall=172 compat=1 ip=0xf70fe539 code=0x7ffc0000 [ 1000.383546][ T30] audit: type=1326 audit(1754902025.593:2890): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17273 comm="syz.2.3168" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf70fe539 code=0x7ffc0000 [ 1000.548176][ T30] audit: type=1326 audit(1754902025.593:2891): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17273 comm="syz.2.3168" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf70fe539 code=0x7ffc0000 [ 1000.611026][T17292] netlink: 4 bytes leftover after parsing attributes in process `syz.3.3172'. [ 1000.635228][ T30] audit: type=1326 audit(1754902025.733:2892): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17277 comm="syz.2.3168" exe="/root/syz-executor" sig=0 arch=40000003 syscall=1 compat=1 ip=0xf70fe539 code=0x7ffc0000 [ 1001.778258][T15705] Bluetooth: hci0: command tx timeout [ 1003.730313][T17336] netlink: 'syz.3.3179': attribute type 5 has an invalid length. [ 1003.861545][T15705] Bluetooth: hci0: command tx timeout [ 1004.736364][ T12] bond1 (unregistering): (slave vlan3): Releasing active interface [ 1004.784838][ T12] bond1 (unregistering): Released all slaves [ 1004.827649][T17343] netlink: 20 bytes leftover after parsing attributes in process `syz.2.3180'. [ 1004.990667][ T12] bond0 (unregistering): (slave vlan0): Releasing active interface [ 1005.000265][ T12] bond0 (unregistering): Released all slaves [ 1005.014384][ T12] bond2 (unregistering): Released all slaves [ 1005.230221][T17256] chnl_net:caif_netlink_parms(): no params data found [ 1005.270037][ T12] tipc: Disabling bearer [ 1005.285366][ T12] tipc: Left network mode [ 1005.695869][T17358] netlink: 4 bytes leftover after parsing attributes in process `syz.0.3182'. [ 1005.925874][ T30] kauditd_printk_skb: 3 callbacks suppressed [ 1005.925895][ T30] audit: type=1326 audit(1754902031.653:2896): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17359 comm="syz.3.3184" exe="/root/syz-executor" sig=31 arch=40000003 syscall=240 compat=1 ip=0xf7f98539 code=0x0 [ 1005.946023][T15705] Bluetooth: hci0: command tx timeout [ 1005.977335][T17256] bridge0: port 1(bridge_slave_0) entered blocking state [ 1005.999839][T17256] bridge0: port 1(bridge_slave_0) entered disabled state [ 1006.043471][ T30] audit: type=1800 audit(1754902031.763:2897): pid=17366 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed comm="syz.3.3184" name="SYSV00000000" dev="hugetlbfs" ino=0 res=0 errno=0 [ 1006.064135][ C1] vkms_vblank_simulate: vblank timer overrun [ 1006.096569][T17256] bridge_slave_0: entered allmulticast mode [ 1006.116219][T17256] bridge_slave_0: entered promiscuous mode [ 1006.142966][T17256] bridge0: port 2(bridge_slave_1) entered blocking state [ 1006.151804][T17256] bridge0: port 2(bridge_slave_1) entered disabled state [ 1006.159645][T17256] bridge_slave_1: entered allmulticast mode [ 1006.180635][T17256] bridge_slave_1: entered promiscuous mode [ 1006.350384][T17256] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 1006.363099][T17256] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 1006.583381][T17256] team0: Port device team_slave_0 added [ 1006.585899][T17256] team0: Port device team_slave_1 added [ 1007.015605][T17256] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 1007.015622][T17256] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 1007.015640][T17256] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 1007.149151][T17256] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 1007.149172][T17256] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 1007.149202][T17256] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 1008.152157][ T12] dummy0: left promiscuous mode [ 1008.152749][ T12] team0: left promiscuous mode [ 1008.152764][ T12] team_slave_0: left promiscuous mode [ 1008.152877][ T12] team_slave_1: left promiscuous mode [ 1008.211740][ T12] veth1_macvtap: left promiscuous mode [ 1008.211807][ T12] veth0_macvtap: left allmulticast mode [ 1008.211829][ T12] veth0_macvtap: left promiscuous mode [ 1009.940789][ T12] team0 (unregistering): Port device team_slave_1 removed [ 1010.064929][ T12] team0 (unregistering): Port device team_slave_0 removed [ 1010.375331][T17409] netlink: 4 bytes leftover after parsing attributes in process `syz.1.3192'. [ 1010.894424][T17256] hsr_slave_0: entered promiscuous mode [ 1010.926581][T17256] hsr_slave_1: entered promiscuous mode [ 1010.955884][T17256] debugfs: 'hsr0' already exists in 'hsr' [ 1010.976334][T17256] Cannot create hsr debugfs directory [ 1011.284649][T17419] netlink: 'syz.2.3195': attribute type 10 has an invalid length. [ 1011.880553][T17434] netlink: 'syz.2.3197': attribute type 5 has an invalid length. [ 1012.282273][T17434] ip6erspan0: entered promiscuous mode [ 1012.325548][ T12] IPVS: stop unused estimator thread 0... [ 1013.694015][T17452] bridge0: port 2(bridge_slave_1) entered disabled state [ 1013.701997][T17452] bridge0: port 1(bridge_slave_0) entered disabled state [ 1014.093712][T17466] netlink: 8 bytes leftover after parsing attributes in process `syz.2.3206'. [ 1014.265703][T17468] netlink: 'syz.3.3207': attribute type 27 has an invalid length. [ 1014.277972][ T10] usb 1-1: new full-speed USB device number 77 using dummy_hcd [ 1014.357510][T17475] netlink: 4 bytes leftover after parsing attributes in process `syz.2.3209'. [ 1014.405560][T17475] netlink: 4 bytes leftover after parsing attributes in process `syz.2.3209'. [ 1014.440727][T17475] netlink: 104 bytes leftover after parsing attributes in process `syz.2.3209'. [ 1014.456875][ T10] usb 1-1: device descriptor read/64, error -71 [ 1014.460996][T17475] netlink: 104 bytes leftover after parsing attributes in process `syz.2.3209'. [ 1014.711580][ T10] usb 1-1: new full-speed USB device number 78 using dummy_hcd [ 1014.830304][T17468] bridge0: port 2(bridge_slave_1) entered disabled state [ 1014.838248][T17468] bridge0: port 1(bridge_slave_0) entered disabled state [ 1014.846954][ T5864] usb 4-1: new high-speed USB device number 69 using dummy_hcd [ 1014.961672][ T10] usb 1-1: device descriptor read/64, error -71 [ 1015.051815][ T5864] usb 4-1: Using ep0 maxpacket: 8 [ 1015.064120][ T5864] usb 4-1: New USB device found, idVendor=0ccd, idProduct=00b3, bcdDevice=2d.ea [ 1015.080710][ T5864] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1015.096045][T17468] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 1015.104095][ T10] usb usb1-port1: attempt power cycle [ 1015.109459][ T5864] usb 4-1: Product: syz [ 1015.115165][ T5864] usb 4-1: Manufacturer: syz [ 1015.141390][ T5864] usb 4-1: SerialNumber: syz [ 1015.182008][ T5864] usb 4-1: config 0 descriptor?? [ 1015.198297][T17468] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 1015.468708][ T10] usb 1-1: new full-speed USB device number 79 using dummy_hcd [ 1015.575279][ T10] usb 1-1: device descriptor read/8, error -71 [ 1015.705302][T17468] bond1: left allmulticast mode [ 1015.815538][T17470] 8021q: adding VLAN 0 to HW filter on device bond0 [ 1015.831750][ T10] usb 1-1: new full-speed USB device number 80 using dummy_hcd [ 1015.862129][ T10] usb 1-1: device descriptor read/8, error -71 [ 1015.880102][T17470] 8021q: adding VLAN 0 to HW filter on device team0 [ 1015.918899][T17470] A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check. [ 1015.973419][ T1146] netdevsim netdevsim3 netdevsim0: unset [1, 0] type 2 family 0 port 6081 - 0 [ 1015.996084][ T1146] netdevsim netdevsim3 netdevsim1: unset [1, 0] type 2 family 0 port 6081 - 0 [ 1016.038467][ T10] usb usb1-port1: unable to enumerate USB device [ 1016.056282][ T1146] netdevsim netdevsim3 netdevsim2: unset [1, 0] type 2 family 0 port 6081 - 0 [ 1016.101051][ T1146] netdevsim netdevsim3 netdevsim3: unset [1, 0] type 2 family 0 port 6081 - 0 [ 1016.251830][ T5864] dvb_usb_rtl28xxu 4-1:0.0: chip type detection failed -110 [ 1016.260139][ T5864] dvb_usb_rtl28xxu 4-1:0.0: probe with driver dvb_usb_rtl28xxu failed with error -110 [ 1016.340687][T17256] netdevsim netdevsim4 netdevsim0: renamed from eth0 [ 1016.359063][T17256] netdevsim netdevsim4 netdevsim1: renamed from eth1 [ 1016.377188][T17256] netdevsim netdevsim4 netdevsim2: renamed from eth2 [ 1016.390202][T17256] netdevsim netdevsim4 netdevsim3: renamed from eth3 [ 1016.429037][T17493] hsr_slave_0: hsr_addr_subst_dest: Unknown node [ 1016.436123][T17493] hsr_slave_1: hsr_addr_subst_dest: Unknown node [ 1016.658569][T17256] 8021q: adding VLAN 0 to HW filter on device bond0 [ 1016.734628][T17256] 8021q: adding VLAN 0 to HW filter on device team0 [ 1016.770980][ T36] bridge0: port 1(bridge_slave_0) entered blocking state [ 1016.778292][ T36] bridge0: port 1(bridge_slave_0) entered forwarding state [ 1017.086075][ T9] usb 4-1: USB disconnect, device number 69 [ 1017.089459][ T36] bridge0: port 2(bridge_slave_1) entered blocking state [ 1017.099268][ T36] bridge0: port 2(bridge_slave_1) entered forwarding state [ 1017.288016][T17509] sctp: [Deprecated]: syz.1.3215 (pid 17509) Use of struct sctp_assoc_value in delayed_ack socket option. [ 1017.288016][T17509] Use struct sctp_sack_info instead [ 1017.582872][T17256] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 1017.987881][T17527] netlink: 8 bytes leftover after parsing attributes in process `syz.1.3219'. [ 1018.022555][T17256] veth0_vlan: entered promiscuous mode [ 1018.050366][T17256] veth1_vlan: entered promiscuous mode [ 1018.223106][T17256] veth0_macvtap: entered promiscuous mode [ 1018.249877][T17256] veth1_macvtap: entered promiscuous mode [ 1018.330903][T17256] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 1018.376739][T17256] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 1018.443160][ T36] netdevsim netdevsim4 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 1018.515816][ T36] netdevsim netdevsim4 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 1018.670496][T17547] FAULT_INJECTION: forcing a failure. [ 1018.670496][T17547] name failslab, interval 1, probability 0, space 0, times 0 [ 1018.683536][T17547] CPU: 0 UID: 0 PID: 17547 Comm: syz.3.3224 Not tainted 6.17.0-rc1-syzkaller #0 PREEMPT(full) [ 1018.683567][T17547] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 1018.683580][T17547] Call Trace: [ 1018.683589][T17547] [ 1018.683598][T17547] dump_stack_lvl+0x189/0x250 [ 1018.683629][T17547] ? __pfx____ratelimit+0x10/0x10 [ 1018.683657][T17547] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1018.683682][T17547] ? __pfx__printk+0x10/0x10 [ 1018.683718][T17547] ? __pfx___might_resched+0x10/0x10 [ 1018.683744][T17547] should_fail_ex+0x414/0x560 [ 1018.683777][T17547] should_failslab+0xa8/0x100 [ 1018.683809][T17547] kmem_cache_alloc_noprof+0x73/0x3c0 [ 1018.683836][T17547] ? __ksm_enter+0x34/0x4b0 [ 1018.683870][T17547] __ksm_enter+0x34/0x4b0 [ 1018.683912][T17547] ksm_madvise+0x303/0x3c0 [ 1018.683947][T17547] madvise_vma_behavior+0xb35/0x3af0 [ 1018.683988][T17547] ? __pfx_madvise_vma_behavior+0x10/0x10 [ 1018.684015][T17547] ? __page_table_check_zero+0x406/0x530 [ 1018.684042][T17547] ? __page_table_check_zero+0xba/0x530 [ 1018.684075][T17547] ? post_alloc_hook+0x253/0x2a0 [ 1018.684109][T17547] ? get_page_from_freelist+0x21e4/0x22c0 [ 1018.684161][T17547] ? mas_prev_node+0xb32/0xdb0 [ 1018.684196][T17547] ? mas_prev_slot+0xb31/0xbb0 [ 1018.684242][T17547] ? find_vma_prev+0xfc/0x170 [ 1018.684268][T17547] ? __pfx_find_vma_prev+0x10/0x10 [ 1018.684303][T17547] ? __might_fault+0xb0/0x130 [ 1018.684332][T17547] ? _parse_integer_limit+0x1ae/0x1f0 [ 1018.684368][T17547] madvise_walk_vmas+0x51c/0xa30 [ 1018.684417][T17547] ? __pfx_madvise_walk_vmas+0x10/0x10 [ 1018.684459][T17547] ? blk_start_plug+0x6f/0x1b0 [ 1018.684491][T17547] madvise_do_behavior+0x38e/0x550 [ 1018.684527][T17547] ? __pfx_madvise_do_behavior+0x10/0x10 [ 1018.684579][T17547] do_madvise+0x1bc/0x270 [ 1018.684609][T17547] ? __pfx_do_madvise+0x10/0x10 [ 1018.684661][T17547] ? ksys_write+0x22a/0x250 [ 1018.684702][T17547] __ia32_sys_madvise+0xa7/0xc0 [ 1018.684733][T17547] __do_fast_syscall_32+0xb6/0x2b0 [ 1018.684763][T17547] ? lockdep_hardirqs_on+0x9c/0x150 [ 1018.684794][T17547] do_fast_syscall_32+0x34/0x80 [ 1018.684823][T17547] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 1018.684848][T17547] RIP: 0023:0xf7f98539 [ 1018.684867][T17547] Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 1018.684885][T17547] RSP: 002b:00000000f54b655c EFLAGS: 00000206 ORIG_RAX: 00000000000000db [ 1018.684916][T17547] RAX: ffffffffffffffda RBX: 0000000080a93000 RCX: 0000000000004000 [ 1018.684931][T17547] RDX: 000000000000000c RSI: 0000000000000000 RDI: 0000000000000000 [ 1018.684944][T17547] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 1018.684956][T17547] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 [ 1018.684969][T17547] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 1018.685002][T17547] [ 1019.193185][ T13] netdevsim netdevsim4 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 1019.289676][ T13] netdevsim netdevsim4 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 1019.611536][ T5934] usb 3-1: new high-speed USB device number 84 using dummy_hcd [ 1019.772759][ T5934] usb 3-1: Using ep0 maxpacket: 8 [ 1019.785275][ T5934] usb 3-1: New USB device found, idVendor=10c4, idProduct=8244, bcdDevice=dc.00 [ 1019.811375][T15920] usb 4-1: new high-speed USB device number 70 using dummy_hcd [ 1019.829139][ T5934] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1019.887764][ T5934] usb 3-1: Product: syz [ 1019.897349][ T36] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 1019.915478][ T5934] usb 3-1: Manufacturer: syz [ 1019.930432][ T5934] usb 3-1: SerialNumber: syz [ 1019.935416][ T36] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 1019.972685][ T5934] usb 3-1: config 0 descriptor?? [ 1020.005444][ T5934] radio-usb-si4713 3-1:0.0: Si4713 development board discovered: (10C4:8244) [ 1020.116056][ T36] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 1020.128676][ T36] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 1020.439042][T17576] netlink: 8 bytes leftover after parsing attributes in process `syz.0.3232'. [ 1020.662100][T15920] usb 4-1: device descriptor read/64, error -71 [ 1021.147390][T15920] usb 4-1: new high-speed USB device number 71 using dummy_hcd [ 1021.180964][T17590] netlink: 4 bytes leftover after parsing attributes in process `syz.0.3234'. [ 1021.216702][T17590] netlink: 4 bytes leftover after parsing attributes in process `syz.0.3234'. [ 1021.265493][ T5934] radio-usb-si4713 3-1:0.0: probe with driver radio-usb-si4713 failed with error -32 [ 1021.416216][ T5934] usbhid 3-1:0.0: couldn't find an input interrupt endpoint [ 1021.431723][T17590] netlink: 104 bytes leftover after parsing attributes in process `syz.0.3234'. [ 1021.442180][T17590] netlink: 104 bytes leftover after parsing attributes in process `syz.0.3234'. [ 1021.465186][T15920] usb 4-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 1021.475624][T15920] usb 4-1: config 0 interface 0 altsetting 4 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 1021.517216][T15920] usb 4-1: config 0 interface 0 altsetting 4 endpoint 0x81 has invalid wMaxPacketSize 0 [ 1021.731486][T15920] usb 4-1: config 0 interface 0 has no altsetting 0 [ 1021.763393][T15920] usb 4-1: New USB device found, idVendor=0458, idProduct=5015, bcdDevice= 0.00 [ 1021.826941][T15920] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 1021.850701][T15920] usb 4-1: config 0 descriptor?? [ 1022.049320][ T10] usb 3-1: USB disconnect, device number 84 [ 1022.107732][T15920] kye 0003:0458:5015.001B: tablet report size too small, or kye_tablet_rdesc unexpectedly large [ 1022.206632][T15920] kye 0003:0458:5015.001B: item fetching failed at offset 6/7 [ 1022.291351][T15920] kye 0003:0458:5015.001B: parse failed [ 1022.297046][T15920] kye 0003:0458:5015.001B: probe with driver kye failed with error -22 [ 1022.372431][T15920] usb 4-1: USB disconnect, device number 71 [ 1022.551700][ T982] usb 1-1: new high-speed USB device number 81 using dummy_hcd [ 1022.742015][ T982] usb 1-1: Using ep0 maxpacket: 16 [ 1022.749525][ T982] usb 1-1: config index 0 descriptor too short (expected 24576, got 27) [ 1022.766069][ T982] usb 1-1: config 65 has too many interfaces: 210, using maximum allowed: 32 [ 1022.839178][ T982] usb 1-1: config 65 has an invalid descriptor of length 197, skipping remainder of the config [ 1022.876536][ T982] usb 1-1: config 65 has 0 interfaces, different from the descriptor's value: 210 [ 1022.940079][ T982] usb 1-1: New USB device found, idVendor=2040, idProduct=0264, bcdDevice=4e.d1 [ 1022.954025][ T982] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1022.990320][ T982] usb 1-1: Product: syz [ 1023.000806][ T982] usb 1-1: Manufacturer: syz [ 1023.007466][ T982] usb 1-1: SerialNumber: syz [ 1023.427670][T17604] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 1023.453983][T17604] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 1023.568452][T15920] usb 1-1: USB disconnect, device number 81 [ 1025.548175][T17660] FAULT_INJECTION: forcing a failure. [ 1025.548175][T17660] name failslab, interval 1, probability 0, space 0, times 0 [ 1025.674919][T17660] CPU: 1 UID: 0 PID: 17660 Comm: syz.4.3248 Not tainted 6.17.0-rc1-syzkaller #0 PREEMPT(full) [ 1025.674950][T17660] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 1025.674963][T17660] Call Trace: [ 1025.674973][T17660] [ 1025.674983][T17660] dump_stack_lvl+0x189/0x250 [ 1025.675013][T17660] ? __pfx____ratelimit+0x10/0x10 [ 1025.675041][T17660] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1025.675066][T17660] ? __pfx__printk+0x10/0x10 [ 1025.675112][T17660] should_fail_ex+0x414/0x560 [ 1025.675145][T17660] should_failslab+0xa8/0x100 [ 1025.675176][T17660] __kmalloc_cache_noprof+0x70/0x3d0 [ 1025.675204][T17660] ? sctp_add_bind_addr+0x8c/0x370 [ 1025.675235][T17660] sctp_add_bind_addr+0x8c/0x370 [ 1025.675266][T17660] sctp_copy_local_addr_list+0x30b/0x4e0 [ 1025.675296][T17660] ? sctp_copy_local_addr_list+0x9b/0x4e0 [ 1025.675322][T17660] ? __pfx_sctp_copy_local_addr_list+0x10/0x10 [ 1025.675351][T17660] ? sctp_v6_is_any+0x64/0x80 [ 1025.675380][T17660] ? sctp_copy_one_addr+0x93/0x360 [ 1025.675409][T17660] sctp_bind_addr_copy+0xb3/0x3c0 [ 1025.675435][T17660] ? sctp_assoc_set_bind_addr_from_ep+0xa5/0x1a0 [ 1025.675463][T17660] sctp_connect_new_asoc+0x2e0/0x690 [ 1025.675497][T17660] ? __pfx_sctp_connect_new_asoc+0x10/0x10 [ 1025.675526][T17660] ? __local_bh_enable_ip+0x12d/0x1c0 [ 1025.675556][T17660] ? bpf_lsm_sctp_bind_connect+0x9/0x20 [ 1025.675579][T17660] ? security_sctp_bind_connect+0x7e/0x2e0 [ 1025.675610][T17660] sctp_sendmsg+0x155c/0x2810 [ 1025.675654][T17660] ? __pfx_sctp_sendmsg+0x10/0x10 [ 1025.675689][T17660] ? aa_sk_perm+0x81e/0x950 [ 1025.675724][T17660] ? __pfx_aa_sk_perm+0x10/0x10 [ 1025.675757][T17660] ? sock_rps_record_flow+0x19/0x410 [ 1025.675786][T17660] ? inet_sendmsg+0x2f4/0x370 [ 1025.675816][T17660] __sock_sendmsg+0x19c/0x270 [ 1025.675848][T17660] __sys_sendto+0x3bd/0x520 [ 1025.675881][T17660] ? __pfx___sys_sendto+0x10/0x10 [ 1025.675939][T17660] ? count_memcg_event_mm+0x21/0x260 [ 1025.675980][T17660] ? ksys_write+0x1e1/0x250 [ 1025.676020][T17660] __ia32_sys_sendto+0xdd/0x100 [ 1025.676055][T17660] __do_fast_syscall_32+0xb6/0x2b0 [ 1025.676085][T17660] ? lockdep_hardirqs_on+0x9c/0x150 [ 1025.676117][T17660] do_fast_syscall_32+0x34/0x80 [ 1025.676146][T17660] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 1025.676170][T17660] RIP: 0023:0xf7f28539 [ 1025.676189][T17660] Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 1025.676208][T17660] RSP: 002b:00000000f542555c EFLAGS: 00000206 ORIG_RAX: 0000000000000171 [ 1025.676232][T17660] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000080000180 [ 1025.676247][T17660] RDX: 0000000000034000 RSI: 0000000000000000 RDI: 0000000080000480 [ 1025.676261][T17660] RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000 [ 1025.676274][T17660] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 [ 1025.676287][T17660] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 1025.676321][T17660] [ 1025.973384][ C1] vkms_vblank_simulate: vblank timer overrun [ 1027.185353][T17676] bridge0: port 2(bridge_slave_1) entered disabled state [ 1027.193331][T17676] bridge0: port 1(bridge_slave_0) entered disabled state [ 1028.199812][T17683] netlink: 'syz.3.3254': attribute type 4 has an invalid length. [ 1028.285349][T17676] bridge_slave_0: left allmulticast mode [ 1028.296537][T17709] netlink: 'syz.3.3254': attribute type 4 has an invalid length. [ 1028.321986][T17676] bridge_slave_0: left promiscuous mode [ 1028.328084][T17676] bridge0: port 1(bridge_slave_0) entered disabled state [ 1028.396110][T17676] bridge_slave_1: left allmulticast mode [ 1028.404232][T17676] bridge_slave_1: left promiscuous mode [ 1028.459489][T17711] openvswitch: netlink: Unexpected mask (mask=200040, allowed=10048) [ 1028.476073][T17676] bridge0: port 2(bridge_slave_1) entered disabled state [ 1028.497807][T17676] bond0: (slave bond_slave_0): Releasing backup interface [ 1028.741375][T15705] Bluetooth: hci3: command 0x0c1a tx timeout [ 1028.811578][T17674] Bluetooth: hci3: Opcode 0x0c1a failed: -110 [ 1028.823893][T17676] bond0: (slave bond_slave_1): Releasing backup interface [ 1028.877030][T17676] team0: Port device team_slave_0 removed [ 1028.892561][T17676] team0: Port device team_slave_1 removed [ 1028.925514][T17676] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 1028.992728][T17676] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 1029.016990][T17676] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 1029.038933][T17676] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 1029.198933][T17674] Bluetooth: hci2: Opcode 0x0c1a failed: -4 [ 1029.256124][T17674] Bluetooth: hci5: Opcode 0x0c1a failed: -4 [ 1029.315979][T17674] Bluetooth: hci4: Opcode 0x0c1a failed: -4 [ 1029.325385][T17674] Bluetooth: hci4: Opcode 0x0406 failed: -4 [ 1029.502506][T17674] Bluetooth: hci4: Opcode 0x0406 failed: -4 [ 1029.538981][T17674] Bluetooth: hci0: Opcode 0x0c1a failed: -4 [ 1029.548078][T17674] Bluetooth: hci0: Opcode 0x0406 failed: -4 [ 1029.643522][T17674] Bluetooth: hci0: Opcode 0x0406 failed: -4 [ 1030.230385][T17676] ip6erspan0: left promiscuous mode [ 1030.489484][ T36] netdevsim netdevsim2 netdevsim0: unset [1, 0] type 2 family 0 port 6081 - 0 [ 1030.536143][ T36] netdevsim netdevsim2 netdevsim1: unset [1, 0] type 2 family 0 port 6081 - 0 [ 1030.745431][T17734] netlink: 'syz.0.3260': attribute type 27 has an invalid length. [ 1030.761732][ T36] netdevsim netdevsim2 netdevsim2: unset [1, 0] type 2 family 0 port 6081 - 0 [ 1030.808514][T17742] binder: 17738:17742 ioctl c0109428 80000040 returned -22 [ 1030.918460][T15705] Bluetooth: hci2: command 0x0405 tx timeout [ 1031.151601][ T5864] usb 1-1: new high-speed USB device number 82 using dummy_hcd [ 1031.187485][T17734] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 1031.235423][T17734] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 1031.309256][T15705] Bluetooth: hci5: command 0x0c1a tx timeout [ 1031.352181][ T5864] usb 1-1: Using ep0 maxpacket: 8 [ 1031.371703][T15705] Bluetooth: hci4: command 0x0c1a tx timeout [ 1031.389789][ T5864] usb 1-1: New USB device found, idVendor=0ccd, idProduct=00b3, bcdDevice=2d.ea [ 1031.455788][ T5864] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1031.510350][ T5864] usb 1-1: Product: syz [ 1031.528862][ T10] usb 5-1: new high-speed USB device number 86 using dummy_hcd [ 1031.530739][ T5864] usb 1-1: Manufacturer: syz [ 1031.546250][ T5864] usb 1-1: SerialNumber: syz [ 1031.566245][ T5864] usb 1-1: config 0 descriptor?? [ 1031.628010][T15705] Bluetooth: hci0: command 0x0c1a tx timeout [ 1031.732792][ T10] usb 5-1: Using ep0 maxpacket: 8 [ 1031.747936][ T10] usb 5-1: New USB device found, idVendor=0ccd, idProduct=00b3, bcdDevice=2e.04 [ 1031.759199][T17734] veth0_macvtap: left allmulticast mode [ 1031.766524][ T10] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1031.807163][ T10] usb 5-1: Product: syz [ 1031.855008][ T10] usb 5-1: Manufacturer: syz [ 1031.967328][T17734] ip6erspan0: left promiscuous mode [ 1031.979076][ T36] netdevsim netdevsim2 netdevsim3: unset [1, 0] type 2 family 0 port 6081 - 0 [ 1032.009973][T17762] netlink: 'syz.1.3266': attribute type 5 has an invalid length. [ 1032.032874][ T36] netdevsim netdevsim0 netdevsim0: unset [1, 0] type 2 family 0 port 6081 - 0 [ 1032.288635][T17736] 8021q: adding VLAN 0 to HW filter on device team0 [ 1032.339861][T17736] A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check. [ 1032.431763][ T10] usb 5-1: SerialNumber: syz [ 1032.533607][ T10] usb 5-1: config 0 descriptor?? [ 1032.928443][ T36] netdevsim netdevsim0 netdevsim1: unset [1, 0] type 2 family 0 port 6081 - 0 [ 1032.947845][ T5864] dvb_usb_rtl28xxu 1-1:0.0: chip type detection failed -110 [ 1032.955398][ T36] netdevsim netdevsim0 netdevsim2: unset [1, 0] type 2 family 0 port 6081 - 0 [ 1032.970073][ T5864] dvb_usb_rtl28xxu 1-1:0.0: probe with driver dvb_usb_rtl28xxu failed with error -110 [ 1032.994943][ T36] netdevsim netdevsim0 netdevsim3: unset [1, 0] type 2 family 0 port 6081 - 0 [ 1033.052467][ T10] usb 5-1: dvb_usb_v2: found a 'TerraTec NOXON DAB Stick' in warm state [ 1033.451523][T15705] Bluetooth: hci4: command 0x0c1a tx timeout [ 1033.600990][T17771] netlink: 'syz.2.3268': attribute type 11 has an invalid length. [ 1033.631616][T17771] binder: 17769:17771 unknown command 1074291478 [ 1033.673550][ T10] dvb_usb_rtl28xxu 5-1:0.0: probe with driver dvb_usb_rtl28xxu failed with error -71 [ 1033.685098][T17771] binder: 17769:17771 ioctl c0306201 80000540 returned -22 [ 1033.695111][T15705] Bluetooth: hci0: command 0x0c1a tx timeout [ 1033.724130][ T10] usb 5-1: USB disconnect, device number 86 [ 1034.121758][ T5864] usb 2-1: new high-speed USB device number 103 using dummy_hcd [ 1034.174251][T17783] netlink: 8 bytes leftover after parsing attributes in process `syz.2.3272'. [ 1034.214570][T17783] netlink: 4 bytes leftover after parsing attributes in process `syz.2.3272'. [ 1034.294503][ T5864] usb 2-1: Using ep0 maxpacket: 16 [ 1034.309424][ T5864] usb 2-1: unable to get BOS descriptor or descriptor too short [ 1034.323514][ T5864] usb 2-1: config 1 interface 0 altsetting 127 endpoint 0x81 has an invalid bInterval 39, changing to 9 [ 1034.348872][ T5864] usb 2-1: config 1 interface 0 altsetting 127 endpoint 0x81 has invalid maxpacket 1536, setting to 1024 [ 1034.412937][ T10] usb 1-1: USB disconnect, device number 82 [ 1034.415970][ T5864] usb 2-1: config 1 interface 0 altsetting 127 has 1 endpoint descriptor, different from the interface descriptor's value: 2 [ 1034.449856][ T5864] usb 2-1: config 1 interface 0 has no altsetting 0 [ 1034.512709][ T5864] usb 2-1: New USB device found, idVendor=05ac, idProduct=0242, bcdDevice= 0.40 [ 1034.527725][ T5864] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1034.538462][ T5864] usb 2-1: Product: syz [ 1034.548052][ T5864] usb 2-1: Manufacturer: syz [ 1034.548077][ T5864] usb 2-1: SerialNumber: syz [ 1034.557923][T17776] raw-gadget.1 gadget.1: fail, usb_ep_enable returned -22 [ 1035.614836][T15705] Bluetooth: hci4: command 0x0c1a tx timeout [ 1035.790872][T15705] Bluetooth: hci0: command 0x0c1a tx timeout [ 1036.526822][T17810] FAULT_INJECTION: forcing a failure. [ 1036.526822][T17810] name fail_usercopy, interval 1, probability 0, space 0, times 0 [ 1036.615668][T17810] CPU: 1 UID: 0 PID: 17810 Comm: syz.0.3279 Not tainted 6.17.0-rc1-syzkaller #0 PREEMPT(full) [ 1036.615702][T17810] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 1036.615715][T17810] Call Trace: [ 1036.615724][T17810] [ 1036.615734][T17810] dump_stack_lvl+0x189/0x250 [ 1036.615765][T17810] ? __pfx____ratelimit+0x10/0x10 [ 1036.615807][T17810] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1036.615832][T17810] ? __pfx__printk+0x10/0x10 [ 1036.615860][T17810] ? __might_fault+0xb0/0x130 [ 1036.615900][T17810] should_fail_ex+0x414/0x560 [ 1036.615933][T17810] _copy_from_iter+0x1db/0x16f0 [ 1036.615959][T17810] ? rcu_is_watching+0x15/0xb0 [ 1036.615983][T17810] ? kmem_cache_alloc_node_noprof+0x217/0x3c0 [ 1036.616012][T17810] ? __pfx__copy_from_iter+0x10/0x10 [ 1036.616036][T17810] ? __build_skb_around+0x257/0x3e0 [ 1036.616068][T17810] ? netlink_sendmsg+0x642/0xb30 [ 1036.616095][T17810] ? skb_put+0x11b/0x210 [ 1036.616128][T17810] netlink_sendmsg+0x6b2/0xb30 [ 1036.616167][T17810] ? __pfx_netlink_sendmsg+0x10/0x10 [ 1036.616198][T17810] ? __import_iovec+0x5d4/0x7f0 [ 1036.616218][T17810] ? aa_sock_msg_perm+0xf1/0x1d0 [ 1036.616251][T17810] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 1036.616273][T17810] ? __pfx_netlink_sendmsg+0x10/0x10 [ 1036.616302][T17810] __sock_sendmsg+0x21c/0x270 [ 1036.616331][T17810] ____sys_sendmsg+0x505/0x830 [ 1036.616359][T17810] ? __pfx_____sys_sendmsg+0x10/0x10 [ 1036.616397][T17810] ___sys_sendmsg+0x21f/0x2a0 [ 1036.616421][T17810] ? __pfx____sys_sendmsg+0x10/0x10 [ 1036.616484][T17810] ? __fget_files+0x2a/0x420 [ 1036.616501][T17810] ? __fget_files+0x3a0/0x420 [ 1036.616532][T17810] __sys_sendmsg+0x164/0x220 [ 1036.616555][T17810] ? __pfx___sys_sendmsg+0x10/0x10 [ 1036.616610][T17810] ? lockdep_hardirqs_on+0x9c/0x150 [ 1036.616641][T17810] __do_fast_syscall_32+0xb6/0x2b0 [ 1036.616670][T17810] ? lockdep_hardirqs_on+0x9c/0x150 [ 1036.616701][T17810] do_fast_syscall_32+0x34/0x80 [ 1036.616730][T17810] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 1036.616753][T17810] RIP: 0023:0xf708e539 [ 1036.616772][T17810] Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 1036.616790][T17810] RSP: 002b:00000000f547e55c EFLAGS: 00000206 ORIG_RAX: 0000000000000172 [ 1036.616823][T17810] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000080000180 [ 1036.616839][T17810] RDX: 0000000020004800 RSI: 0000000000000000 RDI: 0000000000000000 [ 1036.616853][T17810] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 1036.616864][T17810] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 [ 1036.616877][T17810] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 1036.616908][T17810] [ 1036.888143][ C1] vkms_vblank_simulate: vblank timer overrun [ 1037.685990][T17821] netlink: 'syz.2.3278': attribute type 4 has an invalid length. [ 1037.718921][T17821] netlink: 'syz.2.3278': attribute type 4 has an invalid length. [ 1038.402754][T17821] openvswitch: netlink: Unexpected mask (mask=200040, allowed=10048) [ 1038.559127][T17825] netlink: 20 bytes leftover after parsing attributes in process `syz.3.3283'. [ 1039.052760][T17830] netdevsim netdevsim4: Direct firmware load for . [ 1039.052760][T17830] failed with error -2 [ 1039.063865][T17830] netdevsim netdevsim4: Falling back to sysfs fallback for: . [ 1039.063865][T17830] [ 1039.213890][T17831] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 1039.335718][T17831] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 1039.458514][T17831] fuse: Bad value for 'fd' [ 1040.350893][ T5864] input: bcm5974 as /devices/platform/dummy_hcd.1/usb2/2-1/2-1:1.0/input/input53 [ 1040.435636][ T5864] bcm5974 2-1:1.0: could not read from device [ 1040.607727][ T5864] input: failed to attach handler mousedev to device input53, error: -5 [ 1040.630047][ T5218] bcm5974 2-1:1.0: could not read from device [ 1040.677328][T17843] netlink: 'syz.3.3286': attribute type 5 has an invalid length. [ 1040.753399][ T5218] bcm5974 2-1:1.0: could not read from device [ 1041.212154][T16687] bcm5974 2-1:1.0: could not read from device [ 1041.492665][ T5218] bcm5974 2-1:1.0: could not read from device [ 1041.609490][ T5218] bcm5974 2-1:1.0: could not read from device [ 1042.277066][T17863] netlink: 8 bytes leftover after parsing attributes in process `syz.0.3292'. [ 1042.321961][ T10] usb 4-1: new high-speed USB device number 72 using dummy_hcd [ 1043.038441][ T10] usb 4-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 1043.058333][ T10] usb 4-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 1043.081706][ T10] usb 4-1: New USB device found, idVendor=1038, idProduct=12b6, bcdDevice= 0.00 [ 1043.108068][T15920] usb 2-1: USB disconnect, device number 103 [ 1043.120059][ T10] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 1043.151076][ T10] usb 4-1: config 0 descriptor?? [ 1043.551962][ T30] audit: type=1326 audit(1754902069.273:2898): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17875 comm="syz.4.3297" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7f28539 code=0x7ffc0000 [ 1043.752959][T17860] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 1043.761116][ T30] audit: type=1326 audit(1754902069.273:2899): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17875 comm="syz.4.3297" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7f28539 code=0x7ffc0000 [ 1043.786833][ T30] audit: type=1326 audit(1754902069.273:2900): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17875 comm="syz.4.3297" exe="/root/syz-executor" sig=0 arch=40000003 syscall=295 compat=1 ip=0xf7f28539 code=0x7ffc0000 [ 1043.826994][ T30] audit: type=1326 audit(1754902069.273:2901): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17875 comm="syz.4.3297" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7f28539 code=0x7ffc0000 [ 1044.006586][T17860] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 1044.051526][ T30] audit: type=1326 audit(1754902069.273:2902): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17875 comm="syz.4.3297" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7f28539 code=0x7ffc0000 [ 1044.111023][ T10] usbhid 4-1:0.0: can't add hid device: -71 [ 1044.141527][ T10] usbhid 4-1:0.0: probe with driver usbhid failed with error -71 [ 1044.251492][ T982] usb 5-1: new high-speed USB device number 87 using dummy_hcd [ 1044.319741][ T10] usb 4-1: USB disconnect, device number 72 [ 1044.376227][ T30] audit: type=1326 audit(1754902069.273:2903): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17875 comm="syz.4.3297" exe="/root/syz-executor" sig=0 arch=40000003 syscall=3 compat=1 ip=0xf7f28539 code=0x7ffc0000 [ 1044.461375][ T982] usb 5-1: Using ep0 maxpacket: 16 [ 1044.468596][ T982] usb 5-1: config 0 interface 0 altsetting 2 endpoint 0x81 has an invalid bInterval 103, changing to 10 [ 1044.480069][ T30] audit: type=1326 audit(1754902069.273:2904): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17875 comm="syz.4.3297" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7f28539 code=0x7ffc0000 [ 1044.502801][ T982] usb 5-1: config 0 interface 0 altsetting 2 endpoint 0x81 has invalid wMaxPacketSize 0 [ 1044.513271][ T982] usb 5-1: config 0 interface 0 has no altsetting 0 [ 1044.520404][ T982] usb 5-1: New USB device found, idVendor=227d, idProduct=0709, bcdDevice= 0.00 [ 1044.529550][ T30] audit: type=1326 audit(1754902069.273:2905): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17875 comm="syz.4.3297" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7f28539 code=0x7ffc0000 [ 1044.552143][ T982] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 1044.568236][ T982] usb 5-1: config 0 descriptor?? [ 1044.577962][ T30] audit: type=1326 audit(1754902069.273:2906): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17875 comm="syz.4.3297" exe="/root/syz-executor" sig=0 arch=40000003 syscall=449 compat=1 ip=0xf7f28539 code=0x7ffc0000 [ 1044.735609][ T30] audit: type=1326 audit(1754902069.553:2907): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17875 comm="syz.4.3297" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7f28539 code=0x7ffc0000 [ 1045.017374][ T982] usbhid 5-1:0.0: can't add hid device: -71 [ 1045.024696][ T982] usbhid 5-1:0.0: probe with driver usbhid failed with error -71 [ 1045.044113][ T982] usb 5-1: USB disconnect, device number 87 [ 1045.208939][T17893] netlink: 'syz.2.3296': attribute type 4 has an invalid length. [ 1045.235248][T17893] netlink: 'syz.2.3296': attribute type 4 has an invalid length. [ 1045.287868][T17893] openvswitch: netlink: Unexpected mask (mask=200040, allowed=10048) [ 1045.926347][T17897] netlink: 28 bytes leftover after parsing attributes in process `syz.4.3301'. [ 1045.935539][T17897] netlink: 28 bytes leftover after parsing attributes in process `syz.4.3301'. [ 1045.952429][T17897] dummy0: entered promiscuous mode [ 1045.968380][T17897] team0: entered promiscuous mode [ 1045.985544][T17897] team_slave_0: entered promiscuous mode [ 1045.992092][T17897] team_slave_1: entered promiscuous mode [ 1046.332112][ T982] usb 1-1: new high-speed USB device number 83 using dummy_hcd [ 1046.440803][T17906] netlink: 4 bytes leftover after parsing attributes in process `syz.2.3305'. [ 1046.485259][ T982] usb 1-1: config 128 has an invalid interface number: 173 but max is 1 [ 1046.494428][ T982] usb 1-1: config 128 has an invalid descriptor of length 93, skipping remainder of the config [ 1046.570374][T17912] netlink: 'syz.1.3298': attribute type 4 has an invalid length. [ 1046.581150][ T982] usb 1-1: config 128 has 1 interface, different from the descriptor's value: 2 [ 1046.617022][T17912] netlink: 'syz.1.3298': attribute type 4 has an invalid length. [ 1046.650020][T17912] openvswitch: netlink: Unexpected mask (mask=200040, allowed=10048) [ 1046.685610][ T982] usb 1-1: config 128 has no interface number 0 [ 1046.693827][ T982] usb 1-1: config 128 interface 173 altsetting 1 has 0 endpoint descriptors, different from the interface descriptor's value: 3 [ 1046.748998][ T982] usb 1-1: config 128 interface 173 has no altsetting 0 [ 1046.958367][T15920] usb 4-1: new full-speed USB device number 73 using dummy_hcd [ 1046.968311][ T982] usb 1-1: New USB device found, idVendor=047d, idProduct=5002, bcdDevice=7e.f4 [ 1046.977992][ T982] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1046.995224][ T982] usb 1-1: Product: syz [ 1046.999550][ T982] usb 1-1: Manufacturer: ᖪ܊耣潪䒁㥞ꇒ鵽⭜ؓꍳ஫箄끾ೢ럴钄抩오룦贁᝺偈虃ⳕ혩瓦죏ꘄ䲓ꆂ梐삂超ᕅ貨瘿糂⇃ฆꖅ꩑讀軔맞⏹틌匘坚ᒷ䴾洲៬弮඀ℚ⦒界䥐袀ꃠ쿱"礊孴姉캶⻮ൽ䢬눨결戔訋᜾腚犲↌鰀螗팒靌케౺뗉ឤ̯ㆰ⬡用쩏촸臥썦㿰़퉸잤ꬴ䊂됃ᇄ㼍ᨺ냊ʶ [ 1047.064740][ T982] usb 1-1: SerialNumber: syz [ 1047.114945][T15920] usb 4-1: config 0 has an invalid interface number: 128 but max is 0 [ 1047.125411][T15920] usb 4-1: config 0 has no interface number 0 [ 1047.155901][T15920] usb 4-1: New USB device found, idVendor=20b7, idProduct=1540, bcdDevice=b7.5a [ 1047.167616][T15920] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1047.225475][T15920] usb 4-1: Product: syz [ 1047.233079][T15920] usb 4-1: Manufacturer: syz [ 1047.237728][T15920] usb 4-1: SerialNumber: syz [ 1047.332869][T15920] usb 4-1: config 0 descriptor?? [ 1047.651612][ T10] usb 3-1: new high-speed USB device number 85 using dummy_hcd [ 1047.774209][ T982] gspca_main: se401-2.14.0 probing 047d:5002 [ 1047.951447][ T10] usb 3-1: Using ep0 maxpacket: 16 [ 1048.085776][T17927] netlink: 12 bytes leftover after parsing attributes in process `syz.1.3312'. [ 1048.117518][T17927] netlink: 12 bytes leftover after parsing attributes in process `syz.1.3312'. [ 1048.126929][T17927] netlink: 50 bytes leftover after parsing attributes in process `syz.1.3312'. [ 1048.246433][T17931] netlink: 12 bytes leftover after parsing attributes in process `syz.4.3313'. [ 1048.336142][T15920] usb 4-1: Firmware version (0.0) predates our first public release. [ 1048.418466][T15920] usb 4-1: Please update to version 0.2 or newer [ 1048.576442][T17936] FAULT_INJECTION: forcing a failure. [ 1048.576442][T17936] name fail_usercopy, interval 1, probability 0, space 0, times 0 [ 1048.591553][T17936] CPU: 0 UID: 0 PID: 17936 Comm: syz.0.3315 Not tainted 6.17.0-rc1-syzkaller #0 PREEMPT(full) [ 1048.591584][T17936] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 1048.591597][T17936] Call Trace: [ 1048.591606][T17936] [ 1048.591621][T17936] dump_stack_lvl+0x189/0x250 [ 1048.591652][T17936] ? __pfx____ratelimit+0x10/0x10 [ 1048.591692][T17936] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1048.591718][T17936] ? __pfx__printk+0x10/0x10 [ 1048.591759][T17936] should_fail_ex+0x414/0x560 [ 1048.591791][T17936] _copy_to_user+0x31/0xb0 [ 1048.591817][T17936] simple_read_from_buffer+0xe1/0x170 [ 1048.591849][T17936] proc_fail_nth_read+0x1b3/0x220 [ 1048.591875][T17936] ? __pfx_proc_fail_nth_read+0x10/0x10 [ 1048.591900][T17936] ? rw_verify_area+0x2a6/0x4d0 [ 1048.591921][T17936] ? __lock_acquire+0xab9/0xd20 [ 1048.591946][T17936] ? __pfx_proc_fail_nth_read+0x10/0x10 [ 1048.591969][T17936] vfs_read+0x200/0xa30 [ 1048.591993][T17936] ? fdget_pos+0x247/0x320 [ 1048.592015][T17936] ? __pfx___mutex_lock+0x10/0x10 [ 1048.592042][T17936] ? __pfx_vfs_read+0x10/0x10 [ 1048.592059][T17936] ? __fget_files+0x2a/0x420 [ 1048.592073][T17936] ? __fget_files+0x3a0/0x420 [ 1048.592083][T17936] ? __fget_files+0x2a/0x420 [ 1048.592101][T17936] ksys_read+0x145/0x250 [ 1048.592129][T17936] ? __pfx_ksys_read+0x10/0x10 [ 1048.592158][T17936] ? lockdep_hardirqs_on+0x9c/0x150 [ 1048.592187][T17936] __do_fast_syscall_32+0xb6/0x2b0 [ 1048.592209][T17936] ? lockdep_hardirqs_on+0x9c/0x150 [ 1048.592228][T17936] do_fast_syscall_32+0x34/0x80 [ 1048.592245][T17936] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 1048.592262][T17936] RIP: 0023:0xf708e539 [ 1048.592280][T17936] Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 1048.592298][T17936] RSP: 002b:00000000f547e590 EFLAGS: 00000206 ORIG_RAX: 0000000000000003 [ 1048.592320][T17936] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00000000f547e620 [ 1048.592333][T17936] RDX: 000000000000000f RSI: 00000000f73f4ff4 RDI: 0000000000000000 [ 1048.592346][T17936] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000 [ 1048.592356][T17936] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 [ 1048.592363][T17936] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 1048.592382][T17936] [ 1049.027004][ T982] gspca_se401: read req failed req 0x06 error -19 [ 1049.038027][ T982] usb 1-1: USB disconnect, device number 83 [ 1049.291070][T15920] usb 4-1: USB disconnect, device number 73 [ 1050.411144][ T10] usb 3-1: unable to get BOS descriptor or descriptor too short [ 1050.441362][ T10] usb 3-1: unable to read config index 0 descriptor/start: -71 [ 1050.449090][ T10] usb 3-1: can't read configurations, error -71 [ 1051.005268][T17969] netlink: 20 bytes leftover after parsing attributes in process `syz.0.3322'. [ 1051.049337][T17482] bond0: (slave bond_slave_0): link status definitely down, disabling slave [ 1051.068849][T17482] bond0: (slave bond_slave_1): link status definitely down, disabling slave [ 1051.227440][T17482] bond0: now running without any active interface! [ 1051.758705][T17984] netlink: 'syz.2.3323': attribute type 4 has an invalid length. [ 1051.785575][T17984] netlink: 'syz.2.3323': attribute type 4 has an invalid length. [ 1051.838507][T17984] openvswitch: netlink: Unexpected mask (mask=200040, allowed=10048) [ 1051.880158][ T30] kauditd_printk_skb: 9 callbacks suppressed [ 1051.880178][ T30] audit: type=1326 audit(1754902077.603:2917): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17979 comm="syz.4.3330" exe="/root/syz-executor" sig=31 arch=40000003 syscall=240 compat=1 ip=0xf7f28539 code=0x0 [ 1052.011378][ T5954] usb 2-1: new full-speed USB device number 104 using dummy_hcd [ 1052.136844][T17985] netlink: 'syz.4.3330': attribute type 4 has an invalid length. [ 1052.144932][T17985] netlink: 3657 bytes leftover after parsing attributes in process `syz.4.3330'. [ 1052.251451][ T5954] usb 2-1: device descriptor read/64, error -71 [ 1052.509780][T17995] netlink: 4 bytes leftover after parsing attributes in process `syz.2.3335'. [ 1052.527247][ T5954] usb 2-1: new full-speed USB device number 105 using dummy_hcd [ 1052.565119][ T30] audit: type=1326 audit(1754902078.273:2918): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17991 comm="syz.3.3334" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7f98539 code=0x7ffc0000 [ 1052.736360][ T30] audit: type=1326 audit(1754902078.273:2919): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17991 comm="syz.3.3334" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7f98539 code=0x7ffc0000 [ 1052.881103][ T5954] usb 2-1: device descriptor read/64, error -71 [ 1052.932379][ T30] audit: type=1326 audit(1754902078.273:2920): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17991 comm="syz.3.3334" exe="/root/syz-executor" sig=0 arch=40000003 syscall=295 compat=1 ip=0xf7f98539 code=0x7ffc0000 [ 1052.942996][T18002] [ 1052.956930][T18002] ===================================================== [ 1052.963886][T18002] WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected [ 1052.966655][ T30] audit: type=1326 audit(1754902078.273:2921): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17991 comm="syz.3.3334" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7f98539 code=0x7ffc0000 [ 1052.971353][T18002] 6.17.0-rc1-syzkaller #0 Not tainted [ 1052.971369][T18002] ----------------------------------------------------- [ 1052.971379][T18002] syz.2.3336/18002 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire: [ 1052.971402][T18002] ffffffff8de0c058 (tasklist_lock){.+.+}-{3:3}, at: send_sigio+0x101/0x370 [ 1052.994494][ T30] audit: type=1326 audit(1754902078.273:2922): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17991 comm="syz.3.3334" exe="/root/syz-executor" sig=0 arch=40000003 syscall=54 compat=1 ip=0xf7f98539 code=0x7ffc0000 [ 1052.999135][T18002] [ 1052.999135][T18002] and this task is already holding: [ 1052.999148][T18002] ffff88807c361c20 ( [ 1053.006551][ T30] audit: type=1326 audit(1754902078.283:2923): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17991 comm="syz.3.3334" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7f98539 code=0x7ffc0000 [ 1053.013886][T18002] &f_owner->lock){....}-{3:3}, at: send_sigio+0x38/0x370 [ 1053.013935][T18002] which would create a new lock dependency: [ 1053.013943][T18002] (&f_owner->lock){....}-{3:3} -> (tasklist_lock){.+.+}-{3:3} [ 1053.013991][T18002] [ 1053.013991][T18002] but this new dependency connects a SOFTIRQ-irq-safe lock: [ 1053.014003][T18002] ( [ 1053.023456][ T30] audit: type=1326 audit(1754902078.283:2924): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17991 comm="syz.3.3334" exe="/root/syz-executor" sig=0 arch=40000003 syscall=55 compat=1 ip=0xf7f98539 code=0x7ffc0000 [ 1053.044783][T18002] &dev->event_lock#2){..-.}-{3:3} [ 1053.044810][T18002] [ 1053.044810][T18002] ... which became SOFTIRQ-irq-safe at: [ 1053.044829][T18002] lock_acquire+0x120/0x360 [ 1053.044861][T18002] _raw_spin_lock_irqsave+0xa7/0xf0 [ 1053.044885][T18002] input_event+0x76/0xe0 [ 1053.044905][T18002] atp_complete_geyser_3_4+0x11f2/0x1e80 [ 1053.044926][T18002] __usb_hcd_giveback_urb+0x41a/0x690 [ 1053.044952][T18002] dummy_timer+0x862/0x4550 [ 1053.044977][T18002] __hrtimer_run_queues+0x52c/0xc60 [ 1053.044996][T18002] hrtimer_run_softirq+0x187/0x2b0 [ 1053.045015][T18002] handle_softirqs+0x283/0x870 [ 1053.045034][T18002] __irq_exit_rcu+0xca/0x1f0 [ 1053.045052][T18002] irq_exit_rcu+0x9/0x30 [ 1053.045069][T18002] sysvec_apic_timer_interrupt+0xa6/0xc0 [ 1053.045094][T18002] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 1053.045116][T18002] _raw_spin_unlock_irqrestore+0xa8/0x110 [ 1053.045141][T18002] dummy_urb_enqueue+0x58a/0x780 [ 1053.045165][T18002] usb_hcd_submit_urb+0x325/0x1aa0 [ 1053.056118][ T30] audit: type=1326 audit(1754902078.283:2925): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17991 comm="syz.3.3334" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7f98539 code=0x7ffc0000 [ 1053.056414][T18002] atp_open+0x63/0xc0 [ 1053.091364][ T30] audit: type=1326 audit(1754902078.283:2926): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=17991 comm="syz.3.3334" exe="/root/syz-executor" sig=0 arch=40000003 syscall=240 compat=1 ip=0xf7f98539 code=0x7ffc0000 [ 1053.099020][T18002] input_open_device+0x1d3/0x390 [ 1053.099051][T18002] mousedev_open_device+0xcc/0x150 [ 1053.099077][T18002] mousedev_open+0x2ec/0x4a0 [ 1053.291477][T18002] chrdev_open+0x4cc/0x5e0 [ 1053.295999][T18002] do_dentry_open+0x953/0x13f0 [ 1053.300861][T18002] vfs_open+0x3b/0x340 [ 1053.305019][T18002] path_openat+0x2ee5/0x3830 [ 1053.309701][T18002] do_filp_open+0x1fa/0x410 [ 1053.314298][T18002] do_sys_openat2+0x121/0x1c0 [ 1053.319157][T18002] __x64_sys_openat+0x138/0x170 [ 1053.324104][T18002] do_syscall_64+0xfa/0x3b0 [ 1053.328725][T18002] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1053.334701][T18002] [ 1053.334701][T18002] to a SOFTIRQ-irq-unsafe lock: [ 1053.341732][T18002] (tasklist_lock){.+.+}-{3:3} [ 1053.341763][T18002] [ 1053.341763][T18002] ... which became SOFTIRQ-irq-unsafe at: [ 1053.354394][T18002] ... [ 1053.354402][T18002] lock_acquire+0x120/0x360 [ 1053.361563][T18002] _raw_read_lock+0x36/0x50 [ 1053.366169][T18002] __do_wait+0xde/0x740 [ 1053.370429][T18002] do_wait+0x1f8/0x520 [ 1053.374608][T18002] kernel_wait+0xab/0x170 [ 1053.379287][T18002] call_usermodehelper_exec_work+0xbe/0x230 [ 1053.385272][T18002] process_scheduled_works+0xade/0x17b0 [ 1053.390906][T18002] worker_thread+0x8a0/0xda0 [ 1053.395642][T18002] kthread+0x70e/0x8a0 [ 1053.399803][T18002] ret_from_fork+0x3f9/0x770 [ 1053.404549][T18002] ret_from_fork_asm+0x1a/0x30 [ 1053.409409][T18002] [ 1053.409409][T18002] other info that might help us debug this: [ 1053.409409][T18002] [ 1053.419816][T18002] Chain exists of: [ 1053.419816][T18002] &dev->event_lock#2 --> &f_owner->lock --> tasklist_lock [ 1053.419816][T18002] [ 1053.432885][T18002] Possible interrupt unsafe locking scenario: [ 1053.432885][T18002] [ 1053.441196][T18002] CPU0 CPU1 [ 1053.446566][T18002] ---- ---- [ 1053.451922][T18002] lock(tasklist_lock); [ 1053.456166][T18002] local_irq_disable(); [ 1053.462906][T18002] lock(&dev->event_lock#2); [ 1053.470118][T18002] lock(&f_owner->lock); [ 1053.477219][T18002] [ 1053.480663][T18002] lock(&dev->event_lock#2); [ 1053.485594][T18002] [ 1053.485594][T18002] *** DEADLOCK *** [ 1053.485594][T18002] [ 1053.493820][T18002] 6 locks held by syz.2.3336/18002: [ 1053.499006][T18002] #0: ffff88806ef42428 (sb_writers#5){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 [ 1053.508138][T18002] #1: ffffffff8e2a9bf0 (file_rwsem){.+.+}-{0:0}, at: __break_lease+0x37f/0x1620 [ 1053.517264][T18002] #2: ffff888078eefb18 (&ctx->flc_lock){+.+.}-{3:3}, at: __break_lease+0x387/0x1620 [ 1053.526733][T18002] #3: ffffffff8e139ee0 (rcu_read_lock){....}-{1:3}, at: kill_fasync+0x53/0x4d0 [ 1053.535770][T18002] #4: ffff8880775da600 (&new->fa_lock){....}-{3:3}, at: kill_fasync+0x199/0x4d0 [ 1053.544896][T18002] #5: ffff88807c361c20 (&f_owner->lock){....}-{3:3}, at: send_sigio+0x38/0x370 [ 1053.553940][T18002] [ 1053.553940][T18002] the dependencies between SOFTIRQ-irq-safe lock and the holding lock: [ 1053.564350][T18002] -> (&dev->event_lock#2){..-.}-{3:3} { [ 1053.570187][T18002] IN-SOFTIRQ-W at: [ 1053.574510][T18002] lock_acquire+0x120/0x360 [ 1053.581184][T18002] _raw_spin_lock_irqsave+0xa7/0xf0 [ 1053.588576][T18002] input_event+0x76/0xe0 [ 1053.595008][T18002] atp_complete_geyser_3_4+0x11f2/0x1e80 [ 1053.602817][T18002] __usb_hcd_giveback_urb+0x41a/0x690 [ 1053.610367][T18002] dummy_timer+0x862/0x4550 [ 1053.617074][T18002] __hrtimer_run_queues+0x52c/0xc60 [ 1053.624444][T18002] hrtimer_run_softirq+0x187/0x2b0 [ 1053.631729][T18002] handle_softirqs+0x283/0x870 [ 1053.638684][T18002] __irq_exit_rcu+0xca/0x1f0 [ 1053.645445][T18002] irq_exit_rcu+0x9/0x30 [ 1053.651876][T18002] sysvec_apic_timer_interrupt+0xa6/0xc0 [ 1053.659790][T18002] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 1053.668045][T18002] _raw_spin_unlock_irqrestore+0xa8/0x110 [ 1053.675943][T18002] dummy_urb_enqueue+0x58a/0x780 [ 1053.683050][T18002] usb_hcd_submit_urb+0x325/0x1aa0 [ 1053.690335][T18002] atp_open+0x63/0xc0 [ 1053.696483][T18002] input_open_device+0x1d3/0x390 [ 1053.703584][T18002] mousedev_open_device+0xcc/0x150 [ 1053.710857][T18002] mousedev_open+0x2ec/0x4a0 [ 1053.717655][T18002] chrdev_open+0x4cc/0x5e0 [ 1053.724238][T18002] do_dentry_open+0x953/0x13f0 [ 1053.731161][T18002] vfs_open+0x3b/0x340 [ 1053.737387][T18002] path_openat+0x2ee5/0x3830 [ 1053.744238][T18002] do_filp_open+0x1fa/0x410 [ 1053.750930][T18002] do_sys_openat2+0x121/0x1c0 [ 1053.757790][T18002] __x64_sys_openat+0x138/0x170 [ 1053.764825][T18002] do_syscall_64+0xfa/0x3b0 [ 1053.771502][T18002] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1053.779586][T18002] INITIAL USE at: [ 1053.783837][T18002] lock_acquire+0x120/0x360 [ 1053.790425][T18002] _raw_spin_lock_irqsave+0xa7/0xf0 [ 1053.797704][T18002] input_inject_event+0xa5/0x340 [ 1053.804726][T18002] kbd_led_trigger_activate+0xbc/0x100 [ 1053.812279][T18002] led_trigger_set+0x52a/0x950 [ 1053.819159][T18002] led_trigger_set_default+0x260/0x2a0 [ 1053.826742][T18002] led_classdev_register_ext+0x73d/0x930 [ 1053.834489][T18002] input_leds_connect+0x517/0x790 [ 1053.841624][T18002] input_register_device+0xd00/0x1140 [ 1053.849205][T18002] atkbd_connect+0x72e/0xa00 [ 1053.855882][T18002] serio_driver_probe+0x7f/0xd0 [ 1053.862822][T18002] really_probe+0x26d/0x9e0 [ 1053.869404][T18002] __driver_probe_device+0x18c/0x2f0 [ 1053.876867][T18002] driver_probe_device+0x4f/0x430 [ 1053.884251][T18002] __driver_attach+0x452/0x700 [ 1053.891097][T18002] bus_for_each_dev+0x233/0x2b0 [ 1053.898145][T18002] serio_handle_event+0x1f9/0x8d0 [ 1053.905254][T18002] process_scheduled_works+0xade/0x17b0 [ 1053.912878][T18002] worker_thread+0x8a0/0xda0 [ 1053.919737][T18002] kthread+0x70e/0x8a0 [ 1053.925920][T18002] ret_from_fork+0x3f9/0x770 [ 1053.932596][T18002] ret_from_fork_asm+0x1a/0x30 [ 1053.939462][T18002] } [ 1053.942231][T18002] ... key at: [] input_allocate_device.__key.5+0x0/0x20 [ 1053.951625][T18002] -> (&client->buffer_lock){....}-{3:3} { [ 1053.957548][T18002] INITIAL USE at: [ 1053.961621][T18002] lock_acquire+0x120/0x360 [ 1053.968048][T18002] _raw_spin_lock_irqsave+0xa7/0xf0 [ 1053.975327][T18002] evdev_ioctl_handler+0x1969/0x1f10 [ 1053.982533][T18002] __ia32_compat_sys_ioctl+0x543/0x840 [ 1053.989905][T18002] __do_fast_syscall_32+0xb6/0x2b0 [ 1053.997033][T18002] do_fast_syscall_32+0x34/0x80 [ 1054.003798][T18002] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 1054.012036][T18002] } [ 1054.014705][T18002] ... key at: [] evdev_open.__key.25+0x0/0x20 [ 1054.023021][T18002] ... acquired at: [ 1054.026981][T18002] lock_acquire+0x120/0x360 [ 1054.031652][T18002] _raw_spin_lock+0x2e/0x40 [ 1054.036332][T18002] evdev_pass_values+0xb9/0xbd0 [ 1054.041350][T18002] evdev_events+0x1e6/0x340 [ 1054.046031][T18002] input_pass_values+0x285/0x890 [ 1054.051137][T18002] input_event_dispose+0x330/0x6b0 [ 1054.056435][T18002] input_inject_event+0x1dd/0x340 [ 1054.061642][T18002] evdev_write+0x2fc/0x480 [ 1054.066276][T18002] vfs_write+0x27b/0xb30 [ 1054.070698][T18002] ksys_write+0x145/0x250 [ 1054.075291][T18002] __do_fast_syscall_32+0xb6/0x2b0 [ 1054.080578][T18002] do_fast_syscall_32+0x34/0x80 [ 1054.085626][T18002] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 1054.092219][T18002] [ 1054.094558][T18002] -> (&new->fa_lock){....}-{3:3} { [ 1054.099759][T18002] INITIAL USE at: [ 1054.103729][T18002] lock_acquire+0x120/0x360 [ 1054.109975][T18002] _raw_write_lock_irq+0xa2/0xf0 [ 1054.116814][T18002] fasync_remove_entry+0xf1/0x1c0 [ 1054.123686][T18002] tty_fasync+0x13c/0x350 [ 1054.129741][T18002] __fput+0x8a2/0xa70 [ 1054.135452][T18002] task_work_run+0x1d4/0x260 [ 1054.141774][T18002] exit_to_user_mode_loop+0xec/0x110 [ 1054.148812][T18002] __do_fast_syscall_32+0x1f4/0x2b0 [ 1054.155740][T18002] do_fast_syscall_32+0x34/0x80 [ 1054.162325][T18002] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 1054.170537][T18002] INITIAL READ USE at: [ 1054.174946][T18002] lock_acquire+0x120/0x360 [ 1054.181618][T18002] _raw_read_lock_irqsave+0xaf/0x100 [ 1054.189086][T18002] kill_fasync+0x199/0x4d0 [ 1054.195759][T18002] lease_break_callback+0x26/0x30 [ 1054.202965][T18002] __break_lease+0x6a2/0x1620 [ 1054.209829][T18002] do_dentry_open+0x8b7/0x13f0 [ 1054.216763][T18002] vfs_open+0x3b/0x340 [ 1054.223004][T18002] dentry_open+0x61/0xa0 [ 1054.229433][T18002] do_mq_open+0x59e/0x780 [ 1054.235942][T18002] __ia32_compat_sys_mq_open+0x1f9/0x250 [ 1054.243933][T18002] __do_fast_syscall_32+0xb6/0x2b0 [ 1054.251250][T18002] do_fast_syscall_32+0x34/0x80 [ 1054.258405][T18002] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 1054.266911][T18002] } [ 1054.269516][T18002] ... key at: [] fasync_insert_entry.__key+0x0/0x20 [ 1054.278723][T18002] ... acquired at: [ 1054.282615][T18002] lock_acquire+0x120/0x360 [ 1054.287295][T18002] _raw_read_lock_irqsave+0xaf/0x100 [ 1054.292768][T18002] kill_fasync+0x199/0x4d0 [ 1054.297442][T18002] evdev_pass_values+0x627/0xbd0 [ 1054.302549][T18002] evdev_events+0x1e6/0x340 [ 1054.307224][T18002] input_pass_values+0x285/0x890 [ 1054.312331][T18002] input_event_dispose+0x330/0x6b0 [ 1054.317608][T18002] input_inject_event+0x1dd/0x340 [ 1054.322797][T18002] evdev_write+0x2fc/0x480 [ 1054.327381][T18002] vfs_write+0x27b/0xb30 [ 1054.331801][T18002] ksys_write+0x145/0x250 [ 1054.336319][T18002] __do_fast_syscall_32+0xb6/0x2b0 [ 1054.341604][T18002] do_fast_syscall_32+0x34/0x80 [ 1054.346731][T18002] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 1054.353247][T18002] [ 1054.355661][T18002] -> (&f_owner->lock){....}-{3:3} { [ 1054.360878][T18002] INITIAL USE at: [ 1054.364800][T18002] lock_acquire+0x120/0x360 [ 1054.370877][T18002] _raw_write_lock_irq+0xa2/0xf0 [ 1054.377472][T18002] __f_setown+0x67/0x370 [ 1054.383367][T18002] tty_fasync+0x2dc/0x350 [ 1054.389271][T18002] do_fcntl+0x1096/0x1910 [ 1054.395159][T18002] do_compat_fcntl64+0x477/0x720 [ 1054.401670][T18002] __do_fast_syscall_32+0xb6/0x2b0 [ 1054.408461][T18002] do_fast_syscall_32+0x34/0x80 [ 1054.414888][T18002] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 1054.423010][T18002] INITIAL READ USE at: [ 1054.427428][T18002] lock_acquire+0x120/0x360 [ 1054.434015][T18002] _raw_read_lock_irqsave+0xaf/0x100 [ 1054.441301][T18002] send_sigio+0x38/0x370 [ 1054.447543][T18002] kill_fasync+0x24d/0x4d0 [ 1054.454124][T18002] lease_break_callback+0x26/0x30 [ 1054.461265][T18002] __break_lease+0x6a2/0x1620 [ 1054.468034][T18002] do_dentry_open+0x8b7/0x13f0 [ 1054.474916][T18002] vfs_open+0x3b/0x340 [ 1054.480976][T18002] dentry_open+0x61/0xa0 [ 1054.487206][T18002] do_mq_open+0x59e/0x780 [ 1054.493526][T18002] __ia32_compat_sys_mq_open+0x1f9/0x250 [ 1054.501168][T18002] __do_fast_syscall_32+0xb6/0x2b0 [ 1054.508451][T18002] do_fast_syscall_32+0x34/0x80 [ 1054.515303][T18002] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 1054.523619][T18002] } [ 1054.526121][T18002] ... key at: [] file_f_owner_allocate.__key+0x0/0x20 [ 1054.534965][T18002] ... acquired at: [ 1054.538754][T18002] lock_acquire+0x120/0x360 [ 1054.543424][T18002] _raw_read_lock_irqsave+0xaf/0x100 [ 1054.549074][T18002] send_sigio+0x38/0x370 [ 1054.553478][T18002] kill_fasync+0x24d/0x4d0 [ 1054.558056][T18002] lease_break_callback+0x26/0x30 [ 1054.563248][T18002] __break_lease+0x6a2/0x1620 [ 1054.568094][T18002] do_dentry_open+0x8b7/0x13f0 [ 1054.573024][T18002] vfs_open+0x3b/0x340 [ 1054.577254][T18002] dentry_open+0x61/0xa0 [ 1054.581752][T18002] do_mq_open+0x59e/0x780 [ 1054.586269][T18002] __ia32_compat_sys_mq_open+0x1f9/0x250 [ 1054.592241][T18002] __do_fast_syscall_32+0xb6/0x2b0 [ 1054.597536][T18002] do_fast_syscall_32+0x34/0x80 [ 1054.602561][T18002] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 1054.609064][T18002] [ 1054.611394][T18002] [ 1054.611394][T18002] the dependencies between the lock to be acquired [ 1054.611408][T18002] and SOFTIRQ-irq-unsafe lock: [ 1054.625009][T18002] -> (tasklist_lock){.+.+}-{3:3} { [ 1054.630138][T18002] HARDIRQ-ON-R at: [ 1054.634120][T18002] lock_acquire+0x120/0x360 [ 1054.640286][T18002] _raw_read_lock+0x36/0x50 [ 1054.646435][T18002] __do_wait+0xde/0x740 [ 1054.652239][T18002] do_wait+0x1f8/0x520 [ 1054.657970][T18002] kernel_wait+0xab/0x170 [ 1054.663944][T18002] call_usermodehelper_exec_work+0xbe/0x230 [ 1054.671583][T18002] process_scheduled_works+0xade/0x17b0 [ 1054.678887][T18002] worker_thread+0x8a0/0xda0 [ 1054.685205][T18002] kthread+0x70e/0x8a0 [ 1054.690937][T18002] ret_from_fork+0x3f9/0x770 [ 1054.697166][T18002] ret_from_fork_asm+0x1a/0x30 [ 1054.703664][T18002] SOFTIRQ-ON-R at: [ 1054.707635][T18002] lock_acquire+0x120/0x360 [ 1054.713799][T18002] _raw_read_lock+0x36/0x50 [ 1054.719943][T18002] __do_wait+0xde/0x740 [ 1054.725824][T18002] do_wait+0x1f8/0x520 [ 1054.731542][T18002] kernel_wait+0xab/0x170 [ 1054.737563][T18002] call_usermodehelper_exec_work+0xbe/0x230 [ 1054.745128][T18002] process_scheduled_works+0xade/0x17b0 [ 1054.752319][T18002] worker_thread+0x8a0/0xda0 [ 1054.758544][T18002] kthread+0x70e/0x8a0 [ 1054.764255][T18002] ret_from_fork+0x3f9/0x770 [ 1054.770490][T18002] ret_from_fork_asm+0x1a/0x30 [ 1054.776920][T18002] INITIAL USE at: [ 1054.780826][T18002] lock_acquire+0x120/0x360 [ 1054.787262][T18002] _raw_write_lock_irq+0xa2/0xf0 [ 1054.793767][T18002] copy_process+0x224f/0x3c00 [ 1054.800011][T18002] kernel_clone+0x21e/0x840 [ 1054.806085][T18002] user_mode_thread+0xdd/0x140 [ 1054.812440][T18002] rest_init+0x23/0x300 [ 1054.818242][T18002] start_kernel+0x3a9/0x410 [ 1054.824300][T18002] x86_64_start_reservations+0x24/0x30 [ 1054.831319][T18002] x86_64_start_kernel+0x143/0x1c0 [ 1054.837993][T18002] common_startup_64+0x13e/0x147 [ 1054.844487][T18002] INITIAL READ USE at: [ 1054.848816][T18002] lock_acquire+0x120/0x360 [ 1054.855417][T18002] _raw_read_lock+0x36/0x50 [ 1054.861916][T18002] __do_wait+0xde/0x740 [ 1054.868076][T18002] do_wait+0x1f8/0x520 [ 1054.874140][T18002] kernel_wait+0xab/0x170 [ 1054.880473][T18002] call_usermodehelper_exec_work+0xbe/0x230 [ 1054.888371][T18002] process_scheduled_works+0xade/0x17b0 [ 1054.895919][T18002] worker_thread+0x8a0/0xda0 [ 1054.902529][T18002] kthread+0x70e/0x8a0 [ 1054.908592][T18002] ret_from_fork+0x3f9/0x770 [ 1054.915171][T18002] ret_from_fork_asm+0x1a/0x30 [ 1054.921939][T18002] } [ 1054.924460][T18002] ... key at: [] tasklist_lock+0x18/0x40 [ 1054.932188][T18002] ... acquired at: [ 1054.936016][T18002] lock_acquire+0x120/0x360 [ 1054.940724][T18002] _raw_read_lock+0x36/0x50 [ 1054.945421][T18002] send_sigio+0x101/0x370 [ 1054.949925][T18002] kill_fasync+0x24d/0x4d0 [ 1054.954508][T18002] lease_break_callback+0x26/0x30 [ 1054.959924][T18002] __break_lease+0x6a2/0x1620 [ 1054.964888][T18002] vfs_truncate+0x428/0x520 [ 1054.969707][T18002] do_sys_truncate+0xdb/0x190 [ 1054.974580][T18002] __ia32_compat_sys_truncate+0x5b/0x70 [ 1054.980389][T18002] __do_fast_syscall_32+0xb6/0x2b0 [ 1054.986203][T18002] do_fast_syscall_32+0x34/0x80 [ 1054.991236][T18002] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 1054.997754][T18002] [ 1055.000087][T18002] [ 1055.000087][T18002] stack backtrace: [ 1055.005968][T18002] CPU: 1 UID: 0 PID: 18002 Comm: syz.2.3336 Not tainted 6.17.0-rc1-syzkaller #0 PREEMPT(full) [ 1055.005986][T18002] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 1055.005995][T18002] Call Trace: [ 1055.006001][T18002] [ 1055.006007][T18002] dump_stack_lvl+0x189/0x250 [ 1055.006026][T18002] ? __pfx_dump_stack_lvl+0x10/0x10 [ 1055.006040][T18002] ? __pfx__printk+0x10/0x10 [ 1055.006058][T18002] validate_chain+0x1f05/0x2140 [ 1055.006077][T18002] __lock_acquire+0xab9/0xd20 [ 1055.006096][T18002] ? send_sigio+0x101/0x370 [ 1055.006109][T18002] lock_acquire+0x120/0x360 [ 1055.006125][T18002] ? send_sigio+0x101/0x370 [ 1055.006139][T18002] ? __pfx__raw_read_lock_irqsave+0x10/0x10 [ 1055.006155][T18002] ? _raw_read_lock_irqsave+0xbb/0x100 [ 1055.006170][T18002] _raw_read_lock+0x36/0x50 [ 1055.006184][T18002] ? send_sigio+0x101/0x370 [ 1055.006196][T18002] send_sigio+0x101/0x370 [ 1055.006209][T18002] kill_fasync+0x24d/0x4d0 [ 1055.006222][T18002] ? kill_fasync+0x53/0x4d0 [ 1055.006235][T18002] lease_break_callback+0x26/0x30 [ 1055.006252][T18002] __break_lease+0x6a2/0x1620 [ 1055.006270][T18002] ? __pfx___break_lease+0x10/0x10 [ 1055.006283][T18002] ? mnt_get_write_access+0x68/0x2a0 [ 1055.006297][T18002] ? mnt_get_write_access+0x223/0x2a0 [ 1055.006312][T18002] vfs_truncate+0x428/0x520 [ 1055.006328][T18002] ? lockdep_hardirqs_on+0x9c/0x150 [ 1055.006344][T18002] ? __pfx_vfs_truncate+0x10/0x10 [ 1055.006359][T18002] ? user_path_at+0x44/0x60 [ 1055.006374][T18002] do_sys_truncate+0xdb/0x190 [ 1055.006389][T18002] ? __pfx_do_sys_truncate+0x10/0x10 [ 1055.006406][T18002] ? syscall_enter_from_user_mode_prepare+0x8f/0x110 [ 1055.006424][T18002] __ia32_compat_sys_truncate+0x5b/0x70 [ 1055.006441][T18002] __do_fast_syscall_32+0xb6/0x2b0 [ 1055.006466][T18002] do_fast_syscall_32+0x34/0x80 [ 1055.006483][T18002] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 1055.006497][T18002] RIP: 0023:0xf70fe539 [ 1055.006510][T18002] Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 1055.006521][T18002] RSP: 002b:00000000f54cd55c EFLAGS: 00000206 ORIG_RAX: 000000000000005c [ 1055.006537][T18002] RAX: ffffffffffffffda RBX: 0000000080000040 RCX: 0000000000000000 [ 1055.006546][T18002] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 1055.006553][T18002] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 1055.006589][T18002] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 [ 1055.006597][T18002] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 1055.006608][T18002] [ 1055.266708][ T1305] ieee802154 phy0 wpan0: encryption failed: -22 [ 1055.273392][ T1305] ieee802154 phy1 wpan1: encryption failed: -22 [ 1055.381471][ T5954] usb usb2-port1: attempt power cycle